Example 11 with CertificateID
use of org.bouncycastle.cert.ocsp.CertificateID in project X-Road by nordic-institute.
the class CertHelper method getOcspResponseForCert.
/**
* Finds the OCSP response from a list of OCSP responses
* for a given certificate.
* @param cert the certificate
* @param issuer the issuer of the certificate
* @param ocspResponses list of OCSP responses
* @return the OCSP response or null if not found
* @throws Exception if an error occurs
*/
public static OCSPResp getOcspResponseForCert(X509Certificate cert, X509Certificate issuer, List<OCSPResp> ocspResponses) throws Exception {
CertificateID certId = CryptoUtils.createCertId(cert, issuer);
for (OCSPResp resp : ocspResponses) {
BasicOCSPResp basicResp = (BasicOCSPResp) resp.getResponseObject();
SingleResp singleResp = basicResp.getResponses()[0];
if (certId.equals(singleResp.getCertID())) {
return resp;
}
}
return null;
}
Also used :
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp)
SingleResp(org.bouncycastle.cert.ocsp.SingleResp)
OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp)
BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp)
Example 12 with CertificateID
use of org.bouncycastle.cert.ocsp.CertificateID in project eblocker by eblocker.
the class OcspCache method createOcspRequest.
private OCSPReq createOcspRequest(X509Certificate issuerCertificate, BigInteger serialNumber) throws OcspException {
try {
X509CertificateHolder holder = new X509CertificateHolder(issuerCertificate.getEncoded());
CertificateID id = new CertificateID(digestCalculatorProvider.get(CertificateID.HASH_SHA1), holder, serialNumber);
return new OCSPReqBuilder().addRequest(id).build();
} catch (CertificateEncodingException | OperatorCreationException | IOException | OCSPException e) {
throw new OcspException("creating ocsp request failed: ", e);
}
}
Also used :
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
OCSPException(org.bouncycastle.cert.ocsp.OCSPException)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
IOException(java.io.IOException)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder)
Example 13 with CertificateID
use of org.bouncycastle.cert.ocsp.CertificateID in project module-ballerina-http by ballerina-platform.
the class OCSPVerifier method generateOCSPRequest.
/**
* This method generates an OCSP Request to be sent to an OCSP authority access endpoint.
*
* @param issuerCert the Issuer's certificate of the peer certificate we are interested in.
* @param serialNumber of the peer certificate.
* @return generated OCSP request.
* @throws CertificateVerificationException if any error occurs while generating ocsp request.
*/
public static OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) throws CertificateVerificationException {
// Programatically adding Bouncy Castle as the security provider. So no need to manually set. Once the programme
// is over security provider will also be removed.
Security.addProvider(new BouncyCastleProvider());
try {
byte[] issuerCertEnc = issuerCert.getEncoded();
X509CertificateHolder certificateHolder = new X509CertificateHolder(issuerCertEnc);
DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().setProvider(Constants.BOUNCY_CASTLE_PROVIDER).build();
// CertID structure is used to uniquely identify certificates that are the subject of
// an OCSP request or response and has an ASN.1 definition. CertID structure is defined in RFC 2560.
CertificateID id = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), certificateHolder, serialNumber);
// basic request generation with nonce.
OCSPReqBuilder builder = new OCSPReqBuilder();
builder.addRequest(id);
// create details for nonce extension. The nonce extension is used to bind
// a request to a response to prevent re-play attacks. As the name implies,
// the nonce value is something that the client should only use once during a reasonably small period.
BigInteger nonce = BigInteger.valueOf(System.currentTimeMillis());
// to create the request Extension
builder.setRequestExtensions(new Extensions(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce.toByteArray()))));
return builder.build();
} catch (OCSPException | OperatorCreationException | IOException | CertificateEncodingException e) {
throw new CertificateVerificationException("Cannot generate OCSP Request with the given certificate", e);
}
}
Also used :
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
IOException(java.io.IOException)
Extensions(org.bouncycastle.asn1.x509.Extensions)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
Extension(org.bouncycastle.asn1.x509.Extension)
DigestCalculatorProvider(org.bouncycastle.operator.DigestCalculatorProvider)
CertificateVerificationException(io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.CertificateVerificationException)
OCSPException(org.bouncycastle.cert.ocsp.OCSPException)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder)
BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)
Example 14 with CertificateID
use of org.bouncycastle.cert.ocsp.CertificateID in project module-ballerina-http by ballerina-platform.
the class Utils method generateOCSPResponse.
/**
* This method creates the OCSP response for the OCSP request. In here we are providing a non revoked certificate.
* The OCSP response will say that the certificate is GOOD.
*
* @param request OCSP request which asks if the certificate is revoked.
* @param caPrivateKey PrivateKey of the fake CA.
* @return Created OCSP response by the fake CA.
* @throws OCSPException If an error occurs when generating ocsp response.
* @throws OperatorCreationException If an error occurs when creating bouncy castle operator.
*/
private static OCSPResp generateOCSPResponse(OCSPReq request, X509CertificateHolder certificateHolder, PrivateKey caPrivateKey) throws OCSPException, OperatorCreationException {
BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(new RespID(certificateHolder.getSubject()));
Extension extension = request.getExtension(new ASN1ObjectIdentifier(OCSPObjectIdentifiers.id_pkix_ocsp.getId()));
if (extension != null) {
basicOCSPRespBuilder.setResponseExtensions(new Extensions(extension));
}
Req[] requests = request.getRequestList();
for (Req req : requests) {
CertificateID certID = req.getCertID();
Date nextUpdate = new Date(new Date().getTime() + TestConstants.NEXT_UPDATE_PERIOD);
Date thisUpdate = new Date(new Date().getTime());
basicOCSPRespBuilder.addResponse(certID, CertificateStatus.GOOD, thisUpdate, nextUpdate);
}
X509CertificateHolder[] chain = { certificateHolder };
ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider(BOUNCY_CASTLE_PROVIDER).build(caPrivateKey);
BasicOCSPResp basicResp = basicOCSPRespBuilder.build(signer, chain, new Date());
OCSPRespBuilder builder = new OCSPRespBuilder();
return builder.build(OCSPRespBuilder.SUCCESSFUL, basicResp);
}
Also used :
BasicOCSPRespBuilder(org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder)
OCSPRespBuilder(org.bouncycastle.cert.ocsp.OCSPRespBuilder)
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
Extensions(org.bouncycastle.asn1.x509.Extensions)
Date(java.util.Date)
Extension(org.bouncycastle.asn1.x509.Extension)
BasicOCSPRespBuilder(org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder)
JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp)
RespID(org.bouncycastle.cert.ocsp.RespID)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Req(org.bouncycastle.cert.ocsp.Req)
OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq)
Example 15 with CertificateID
use of org.bouncycastle.cert.ocsp.CertificateID in project module-ballerina-http by ballerina-platform.
the class OCSPVerifierTest method generateOCSPResponse.
/**
* This makes the corresponding OCSP response to the OCSP request which is sent to the fake CA. If the request
* has a certificateID which is marked as revoked by the CA, the OCSP response will say that the certificate
* which is referred by the request, is revoked.
*
* @param request OCSP request which asks if the certificate is revoked.
* @param caPrivateKey PrivateKey of the fake CA.
* @param revokedID ID in fake CA which is checked against the certificateId in the request.
* @return Created OCSP response by the fake CA.
* @throws NoSuchProviderException
* @throws OCSPException
* @throws OperatorCreationException
*/
public OCSPResp generateOCSPResponse(OCSPReq request, X509CertificateHolder certificateHolder, PrivateKey caPrivateKey, CertificateID revokedID) throws NoSuchProviderException, OCSPException, OperatorCreationException {
BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(new RespID(certificateHolder.getSubject()));
Extension extension = request.getExtension(new ASN1ObjectIdentifier(OCSPObjectIdentifiers.id_pkix_ocsp.getId()));
if (extension != null) {
basicOCSPRespBuilder.setResponseExtensions(new Extensions(extension));
}
Req[] requests = request.getRequestList();
for (Req req : requests) {
CertificateID certID = req.getCertID();
if (certID.equals(revokedID)) {
RevokedStatus revokedStatus = new RevokedStatus(new Date(), CRLReason.privilegeWithdrawn);
Date nextUpdate = new Date(new Date().getTime() + TestConstants.NEXT_UPDATE_PERIOD);
Date thisUpdate = new Date(new Date().getTime());
basicOCSPRespBuilder.addResponse(certID, revokedStatus, thisUpdate, nextUpdate);
} else {
basicOCSPRespBuilder.addResponse(certID, CertificateStatus.GOOD);
}
}
X509CertificateHolder[] chain = { certificateHolder };
ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider(Constants.BOUNCY_CASTLE_PROVIDER).build(caPrivateKey);
BasicOCSPResp basicResp = basicOCSPRespBuilder.build(signer, chain, new Date());
OCSPRespBuilder builder = new OCSPRespBuilder();
return builder.build(OCSPRespBuilder.SUCCESSFUL, basicResp);
}
Also used :
BasicOCSPRespBuilder(org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder)
OCSPRespBuilder(org.bouncycastle.cert.ocsp.OCSPRespBuilder)
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
Extensions(org.bouncycastle.asn1.x509.Extensions)
Date(java.util.Date)
Extension(org.bouncycastle.asn1.x509.Extension)
BasicOCSPRespBuilder(org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder)
RevokedStatus(org.bouncycastle.cert.ocsp.RevokedStatus)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp)
RespID(org.bouncycastle.cert.ocsp.RespID)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Req(org.bouncycastle.cert.ocsp.Req)
OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq)
Aggregations
CertificateID (org.bouncycastle.cert.ocsp.CertificateID)45
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)23
OCSPReqBuilder (org.bouncycastle.cert.ocsp.OCSPReqBuilder)21
Extension (org.bouncycastle.asn1.x509.Extension)20
IOException (java.io.IOException)19
Extensions (org.bouncycastle.asn1.x509.Extensions)17
BasicOCSPResp (org.bouncycastle.cert.ocsp.BasicOCSPResp)17
SingleResp (org.bouncycastle.cert.ocsp.SingleResp)16
BigInteger (java.math.BigInteger)15
X509Certificate (java.security.cert.X509Certificate)15
JcaDigestCalculatorProviderBuilder (org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)15
DEROctetString (org.bouncycastle.asn1.DEROctetString)13
OCSPReq (org.bouncycastle.cert.ocsp.OCSPReq)13
DigestCalculator (org.bouncycastle.operator.DigestCalculator)13
Date (java.util.Date)12
OCSPException (org.bouncycastle.cert.ocsp.OCSPException)12
OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp)12
JcaX509CertificateHolder (org.bouncycastle.cert.jcajce.JcaX509CertificateHolder)11
OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)11
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)9
