Use of org.bouncycastle.cert.ocsp.CertificateID in project X-Road by nordic-institute.
Class CertHelper, method getOcspResponseForCert.
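/**
 * Finds the OCSP response that covers a given certificate in a list of
 * OCSP responses.
 *
 * <p>A response matches when any of its {@code SingleResp} entries carries the
 * {@code CertificateID} computed for {@code cert} and {@code issuer}. Responses
 * whose response object is absent (non-successful response status) or is not a
 * {@code BasicOCSPResp} are skipped instead of failing. This method only locates
 * the response: it does not verify the responder signature, the validity window
 * or the certificate status, so callers must do that before trusting the result.
 *
 * @param cert the certificate
 * @param issuer the issuer of the certificate
 * @param ocspResponses list of OCSP responses; may be null or empty
 * @return the first matching OCSP response, or null if none matches
 * @throws Exception if the certificate id cannot be computed or a response cannot be decoded
 */
public static OCSPResp getOcspResponseForCert(X509Certificate cert, X509Certificate issuer,
        List<OCSPResp> ocspResponses) throws Exception {
    if (ocspResponses == null || ocspResponses.isEmpty()) {
        return null;
    }
    CertificateID certId = CryptoUtils.createCertId(cert, issuer);
    for (OCSPResp resp : ocspResponses) {
        if (resp == null) {
            continue;
        }
        // getResponseObject() yields null for non-successful statuses and may be a
        // type other than BasicOCSPResp; neither can contain a matching SingleResp,
        // so skip rather than hit a NullPointerException / ClassCastException.
        Object responseObject = resp.getResponseObject();
        if (!(responseObject instanceof BasicOCSPResp)) {
            continue;
        }
        BasicOCSPResp basicResp = (BasicOCSPResp) responseObject;
        // Inspect every SingleResp, not only the first: one response may cover
        // several certificates, and an empty array must not throw.
        for (SingleResp singleResp : basicResp.getResponses()) {
            if (certId.equals(singleResp.getCertID())) {
                return resp;
            }
        }
    }
    return null;
}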
Use of org.bouncycastle.cert.ocsp.CertificateID in project eblocker by eblocker.
Class OcspCache, method createOcspRequest.
/**
 * Builds a single-certificate OCSP request for the certificate with the given
 * serial number, identified by a SHA-1 CertificateID derived from its issuer.
 *
 * <p>No nonce extension is added, so a response is not bound to this particular
 * request.
 *
 * @param issuerCertificate the issuer certificate used to compute the CertificateID
 * @param serialNumber      serial number of the certificate whose status is requested
 * @return the OCSP request
 * @throws OcspException if the issuer cannot be encoded or the request cannot be built
 */
private OCSPReq createOcspRequest(X509Certificate issuerCertificate, BigInteger serialNumber) throws OcspException {
    try {
        byte[] issuerDer = issuerCertificate.getEncoded();
        X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerDer);
        // SHA-1 here is only the CertID hash of the issuer name/key (RFC 6960), not a signature algorithm.
        CertificateID certId = new CertificateID(
                digestCalculatorProvider.get(CertificateID.HASH_SHA1), issuerHolder, serialNumber);
        OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
        requestBuilder.addRequest(certId);
        return requestBuilder.build();
    } catch (CertificateEncodingException | OperatorCreationException | IOException | OCSPException e) {
        throw new OcspException("creating ocsp request failed: ", e);
    }
}
Use of org.bouncycastle.cert.ocsp.CertificateID in project module-ballerina-http by ballerina-platform.
Class OCSPVerifier, method generateOCSPRequest.
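/**
 * Generates an OCSP request, carrying a random nonce, to be sent to an OCSP
 * authority access endpoint.
 *
 * @param issuerCert   the issuer's certificate of the peer certificate we are interested in.
 * @param serialNumber serial number of the peer certificate.
 * @return generated OCSP request.
 * @throws CertificateVerificationException if any error occurs while generating the OCSP request.
 */
public static OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber)
        throws CertificateVerificationException {
    // Register Bouncy Castle only when it is not installed yet. Security.addProvider() is a
    // no-op for an already-installed provider, but the guard avoids a throw-away instance per call.
    if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
        Security.addProvider(new BouncyCastleProvider());
    }
    try {
        byte[] issuerCertEnc = issuerCert.getEncoded();
        X509CertificateHolder certificateHolder = new X509CertificateHolder(issuerCertEnc);
        DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder()
                .setProvider(Constants.BOUNCY_CASTLE_PROVIDER).build();
        // CertID (RFC 6960, formerly RFC 2560) uniquely identifies the certificate that is the
        // subject of the request. SHA-1 here only hashes the issuer name/key for identification;
        // it is not used as a signature algorithm.
        CertificateID id = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), certificateHolder, serialNumber);
        OCSPReqBuilder builder = new OCSPReqBuilder();
        builder.addRequest(id);
        // The nonce binds this request to its response so that a previously captured response
        // cannot be replayed. To serve that purpose it must be unpredictable, so it is drawn from
        // a CSPRNG rather than derived from the clock. 16 bytes is within the 1..32 byte range
        // permitted by RFC 8954.
        byte[] nonce = new byte[16];
        new java.security.SecureRandom().nextBytes(nonce);
        builder.setRequestExtensions(new Extensions(new Extension(
                OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce))));
        return builder.build();
    } catch (OCSPException | OperatorCreationException | IOException | CertificateEncodingException e) {
        throw new CertificateVerificationException("Cannot generate OCSP Request with the given certificate", e);
    }
}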
Use of org.bouncycastle.cert.ocsp.CertificateID in project module-ballerina-http by ballerina-platform.
Class Utils, method generateOCSPResponse.
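/**
 * Creates the OCSP response for the given OCSP request, acting as a fake CA that
 * reports every requested certificate as GOOD.
 *
 * @param request           OCSP request which asks whether a certificate is revoked.
 * @param certificateHolder certificate of the fake CA; used as the responder id and as the
 *                          only element of the response's certificate chain.
 * @param caPrivateKey      private key of the fake CA, used to sign the response.
 * @return OCSP response created by the fake CA.
 * @throws OCSPException             if an error occurs when generating the OCSP response.
 * @throws OperatorCreationException if an error occurs when creating the Bouncy Castle signer.
 */
private static OCSPResp generateOCSPResponse(OCSPReq request, X509CertificateHolder certificateHolder,
        PrivateKey caPrivateKey) throws OCSPException, OperatorCreationException {
    BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(new RespID(certificateHolder.getSubject()));
    // Echo the request nonce so the client can bind this response to its request. The nonce must be
    // looked up by its own OID (id-pkix-ocsp-nonce); the parent arc id-pkix-ocsp never matches it,
    // which silently dropped the nonce from every response.
    Extension nonceExtension = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    if (nonceExtension != null) {
        basicOCSPRespBuilder.setResponseExtensions(new Extensions(nonceExtension));
    }
    // One timestamp for thisUpdate, nextUpdate and producedAt keeps the response self-consistent.
    Date now = new Date();
    Date nextUpdate = new Date(now.getTime() + TestConstants.NEXT_UPDATE_PERIOD);
    for (Req req : request.getRequestList()) {
        basicOCSPRespBuilder.addResponse(req.getCertID(), CertificateStatus.GOOD, now, nextUpdate);
    }
    X509CertificateHolder[] chain = { certificateHolder };
    // SHA1withRSA is tolerable only because this is a test-only fake CA; a real responder
    // should sign with SHA-256 or stronger.
    ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider(BOUNCY_CASTLE_PROVIDER).build(caPrivateKey);
    BasicOCSPResp basicResp = basicOCSPRespBuilder.build(signer, chain, now);
    OCSPRespBuilder builder = new OCSPRespBuilder();
    return builder.build(OCSPRespBuilder.SUCCESSFUL, basicResp);
}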
Use of org.bouncycastle.cert.ocsp.CertificateID in project module-ballerina-http by ballerina-platform.
Class OCSPVerifierTest, method generateOCSPResponse.
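/**
 * Builds the OCSP response a fake CA returns for the given request. A requested certificate
 * whose CertificateID equals {@code revokedID} is reported as revoked (reason privilegeWithdrawn);
 * every other requested certificate is reported as GOOD.
 *
 * @param request           OCSP request which asks whether a certificate is revoked.
 * @param certificateHolder certificate of the fake CA; used as the responder id and as the
 *                          only element of the response's certificate chain.
 * @param caPrivateKey      private key of the fake CA, used to sign the response.
 * @param revokedID         the CertificateID the fake CA treats as revoked.
 * @return OCSP response created by the fake CA.
 * @throws NoSuchProviderException   declared for API compatibility; not thrown by this implementation.
 * @throws OCSPException             if an error occurs when generating the OCSP response.
 * @throws OperatorCreationException if an error occurs when creating the Bouncy Castle signer.
 */
public OCSPResp generateOCSPResponse(OCSPReq request, X509CertificateHolder certificateHolder,
        PrivateKey caPrivateKey, CertificateID revokedID)
        throws NoSuchProviderException, OCSPException, OperatorCreationException {
    BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(new RespID(certificateHolder.getSubject()));
    // Echo the request nonce so the client can bind this response to its request. The nonce must be
    // looked up by its own OID (id-pkix-ocsp-nonce); the parent arc id-pkix-ocsp never matches it,
    // which silently dropped the nonce from every response.
    Extension nonceExtension = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    if (nonceExtension != null) {
        basicOCSPRespBuilder.setResponseExtensions(new Extensions(nonceExtension));
    }
    // One timestamp for revocation time, thisUpdate, nextUpdate and producedAt keeps the response consistent.
    Date now = new Date();
    Date nextUpdate = new Date(now.getTime() + TestConstants.NEXT_UPDATE_PERIOD);
    for (Req req : request.getRequestList()) {
        CertificateID certID = req.getCertID();
        if (certID.equals(revokedID)) {
            RevokedStatus revokedStatus = new RevokedStatus(now, CRLReason.privilegeWithdrawn);
            basicOCSPRespBuilder.addResponse(certID, revokedStatus, now, nextUpdate);
        } else {
            basicOCSPRespBuilder.addResponse(certID, CertificateStatus.GOOD);
        }
    }
    X509CertificateHolder[] chain = { certificateHolder };
    // SHA1withRSA is tolerable only because this is a test-only fake CA; a real responder
    // should sign with SHA-256 or stronger.
    ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider(Constants.BOUNCY_CASTLE_PROVIDER).build(caPrivateKey);
    BasicOCSPResp basicResp = basicOCSPRespBuilder.build(signer, chain, now);
    OCSPRespBuilder builder = new OCSPRespBuilder();
    return builder.build(OCSPRespBuilder.SUCCESSFUL, basicResp);
}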