
Example 16 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project module-ballerina-http by ballerina-platform.

From class OCSPVerifierTest, method testOCSPVerifier.

/**
 * Exercises {@link OCSPVerifier} against a pre-populated cache. A throwaway CA signs a throwaway peer
 * certificate, an OCSP response marking that certificate as revoked is generated locally, and the resulting
 * SingleResp is stored in the cache under the peer certificate's serial number. Because the cache already holds
 * an entry for revokedSerialNumber, the verifier answers from the cache and never contacts a remote OCSP
 * responder. The serviceUrl argument of cache.setCacheValue(..) is null because this path does not need it.
 *
 * @throws Exception on any failure while generating keys, certificates, or the OCSP messages
 */
@Test
public void testOCSPVerifier() throws Exception {
    // BouncyCastle supplies the JCA primitives the fake CA, certificate, and OCSP response rely on.
    Security.addProvider(new BouncyCastleProvider());

    Utils fixtures = new Utils();
    KeyPair issuerKeys = fixtures.generateRSAKeyPair();
    X509Certificate issuerCert = fixtures.generateFakeRootCert(issuerKeys);
    KeyPair subjectKeys = fixtures.generateRSAKeyPair();
    BigInteger revokedSerialNumber = BigInteger.valueOf(111);
    X509Certificate revokedCertificate =
            fixtures.generateFakeCertificate(issuerCert, subjectKeys.getPublic(), revokedSerialNumber, issuerKeys);

    OCSPReq request = getOCSPRequest(issuerCert, revokedSerialNumber);

    // CertID (RFC 2560, now RFC 6960) identifies the certificate in question by a hash of the issuer's name
    // and key plus the certificate serial number; SHA-1 is the hash algorithm used here.
    X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerCert.getEncoded());
    DigestCalculatorProvider digestProvider =
            new JcaDigestCalculatorProviderBuilder().setProvider(Constants.BOUNCY_CASTLE_PROVIDER).build();
    CertificateID revokedID =
            new CertificateID(digestProvider.get(CertificateID.HASH_SHA1), issuerHolder, revokedSerialNumber);

    OCSPResp response = generateOCSPResponse(request, issuerHolder, issuerKeys.getPrivate(), revokedID);
    SingleResp singleResp = ((BasicOCSPResp) response.getResponseObject()).getResponses()[0];

    // Seed the cache so the verifier finds the answer locally; the serviceUrl is irrelevant on this path.
    OCSPCache cache = OCSPCache.getCache();
    cache.init(5, 5);
    cache.setCacheValue(response, revokedSerialNumber, singleResp, request, null);

    RevocationStatus status = new OCSPVerifier(cache).checkRevocationStatus(revokedCertificate, issuerCert);
    // The cached SingleResp says "revoked", so that is what the verifier must report.
    assertTrue(status == RevocationStatus.REVOKED);
}
Also used : KeyPair(java.security.KeyPair) OCSPCache(io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.ocsp.OCSPCache) CertificateID(org.bouncycastle.cert.ocsp.CertificateID) X509Certificate(java.security.cert.X509Certificate) OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) DigestCalculatorProvider(org.bouncycastle.operator.DigestCalculatorProvider) OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger) RevocationStatus(io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.RevocationStatus) JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder) SingleResp(org.bouncycastle.cert.ocsp.SingleResp) OCSPVerifier(io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.ocsp.OCSPVerifier) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) Test(org.testng.annotations.Test)

Example 17 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project carapaceproxy by diennea.

From class OcspRequestBuilder, method build.

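/**
 * Builds a single-certificate OCSP request carrying a fresh random nonce.
 *
 * <p>ATTENTION: The returned {@link OCSPReq} is not re-usable/cacheable! It contains a one-time nonce and
 * CAs will (should) reject subsequent requests that carry the same nonce value.
 *
 * <p>All four builder fields (generator, calculator, certificate, issuer) must have been set; checkNotNull
 * rejects an unset one before any work is done.
 *
 * @return the request for {@code certificate}, identified by a digest of {@code issuer} plus the serial number
 * @throws OCSPException if the request cannot be assembled
 * @throws IOException if the issuer certificate cannot be parsed into a certificate holder
 * @throws CertificateEncodingException if the issuer certificate cannot be DER-encoded
 */
public OCSPReq build() throws OCSPException, IOException, CertificateEncodingException {
    SecureRandom generator = checkNotNull(this.generator, "generator");
    DigestCalculator calculator = checkNotNull(this.calculator, "calculator");
    X509Certificate certificate = checkNotNull(this.certificate, "certificate");
    X509Certificate issuer = checkNotNull(this.issuer, "issuer");

    // CertID = digest of the issuer's name and key (via the configured calculator) + the subject's serial.
    BigInteger serial = certificate.getSerialNumber();
    CertificateID certId = new CertificateID(calculator, new X509CertificateHolder(issuer.getEncoded()), serial);
    OCSPReqBuilder builder = new OCSPReqBuilder();
    builder.addRequest(certId);

    // The nonce binds the response to this request (replay protection). RFC 8954 lets responders ignore
    // nonces shorter than 16 octets, which would silently drop that binding, so use 16 (within the 1..32 range).
    byte[] nonce = new byte[16];
    generator.nextBytes(nonce);
    Extension nonceExtension =
            new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce));
    builder.setRequestExtensions(new Extensions(new Extension[] { nonceExtension }));
    return builder.build();
}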
Also used : Extension(org.bouncycastle.asn1.x509.Extension) CertificateID(org.bouncycastle.cert.ocsp.CertificateID) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) DigestCalculator(org.bouncycastle.operator.DigestCalculator) SecureRandom(java.security.SecureRandom) BigInteger(java.math.BigInteger) Extensions(org.bouncycastle.asn1.x509.Extensions) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder) X509Certificate(java.security.cert.X509Certificate) DEROctetString(org.bouncycastle.asn1.DEROctetString)

Example 18 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project itext2 by albfernandez.

From class OcspClientBouncyCastle, method generateOCSPRequest.

/**
 * Builds a nonce-carrying OCSP request for the certificate with the given serial number, using BouncyCastle.
 *
 * @param issuerCert   certificate of the issuer (hashed into the CertID)
 * @param serialNumber serial number of the certificate whose status is requested
 * @return an OCSP request for that single certificate
 * @throws OCSPException if the request cannot be assembled
 * @throws IOException if the nonce value cannot be DER-encoded
 * @throws OperatorException if the SHA-1 digest calculator cannot be created
 * @throws CertificateEncodingException if the issuer certificate cannot be encoded
 */
private static OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) throws OCSPException, IOException, OperatorException, CertificateEncodingException {
    // Register BouncyCastle (a no-op if it is already installed).
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    DigestCalculator sha1 = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
    // CertID: SHA-1 of the issuer's name and key plus the target serial number.
    CertificateID target = new CertificateID(sha1, new JcaX509CertificateHolder(issuerCert), serialNumber);
    OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
    requestBuilder.addRequest(target);
    // Nonce extension: the document id is DER-wrapped as an OCTET STRING and that encoding is wrapped again,
    // presumably to match the Nonce ::= OCTET STRING layout of RFC 8954 — confirm against the responder in use.
    // NOTE(review): a nonce should be unpredictable per request; confirm PdfEncryption.createDocumentId()
    // supplies that.
    byte[] nonceValue = new DEROctetString(PdfEncryption.createDocumentId()).getEncoded();
    Extension nonce = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonceValue));
    requestBuilder.setRequestExtensions(new Extensions(new Extension[] { nonce }));
    return requestBuilder.build();
}
Also used : Extension(org.bouncycastle.asn1.x509.Extension) DigestCalculatorProvider(org.bouncycastle.operator.DigestCalculatorProvider) CertificateID(org.bouncycastle.cert.ocsp.CertificateID) DigestCalculator(org.bouncycastle.operator.DigestCalculator) JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder) Extensions(org.bouncycastle.asn1.x509.Extensions) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder) DEROctetString(org.bouncycastle.asn1.DEROctetString)

Example 19 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project itext2 by albfernandez.

From class PdfPKCS7, method isRevocationValid.

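/**
 * Checks whether the first single response of the embedded OCSP response refers to the document signing
 * certificate, i.e. whether its CertID matches the signing certificate's serial number and the issuer
 * certificate found at position 1 of the signing chain.
 *
 * <p>This is an identity check only: it does not validate the OCSP response's signature, its freshness, or
 * the revocation status it reports.
 *
 * @return true if the OCSP response's CertID matches the signing certificate; false if there is no OCSP
 *         response, the chain is too short to contain an issuer, or any error occurs while comparing
 * @since 2.1.6
 */
public boolean isRevocationValid() {
    if (basicResp == null) {
        return false;
    }
    // The issuer is taken from position 1 of the chain, so a chain of one certificate cannot be checked.
    if (signCerts.size() < 2) {
        return false;
    }
    try {
        X509Certificate[] chain = (X509Certificate[]) getSignCertificateChain();
        SingleResp[] responses = basicResp.getResponses();
        if (responses.length == 0) {
            return false;
        }
        CertificateID responseId = responses[0].getCertID();
        X509Certificate signingCert = getSigningCertificate();
        X509Certificate issuerCert = chain[1];
        // Rebuild the CertID the way a requester would (SHA-1 of issuer name/key + serial) and compare.
        CertificateID expectedId = new CertificateID(
                new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1),
                new JcaX509CertificateHolder(issuerCert), signingCert.getSerialNumber());
        return expectedId.equals(responseId);
    } catch (Exception ignored) {
        // Deliberate best-effort: any failure to rebuild or compare the CertID (encoding, digest, chain
        // shape) is reported as "does not match" rather than propagated to the caller.
        return false;
    }
}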
Also used : CertificateID(org.bouncycastle.cert.ocsp.CertificateID) JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder) SingleResp(org.bouncycastle.cert.ocsp.SingleResp) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) X509Certificate(java.security.cert.X509Certificate) SignatureException(java.security.SignatureException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) CertificateParsingException(java.security.cert.CertificateParsingException) IOException(java.io.IOException) NoSuchProviderException(java.security.NoSuchProviderException)

Example 20 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project ddf by codice.

From class OcspChecker, method generateOcspRequest.

/**
 * Creates an {@link OCSPReq} to send to the OCSP server for the given certificate.
 *
 * <p>The request identifies the certificate by a SHA-1 CertID built from its issuer and serial number and
 * carries no request extensions.
 *
 * @param cert - the certificate to verify
 * @return the created OCSP request
 * @throws OcspCheckerException after posting an alert to the admin console, if any error occurs
 */
@VisibleForTesting
OCSPReq generateOcspRequest(Certificate cert) throws OcspCheckerException {
    try {
        X509CertificateHolder issuer = resolveIssuerCertificate(cert);
        // CertID: SHA-1 of the issuer's name and key plus the subject certificate's serial number.
        DigestCalculator sha1 = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
        CertificateID certId = new CertificateID(sha1, issuer, cert.getSerialNumber().getValue());
        // NOTE(review): no nonce extension is set, so the responder's answer is not cryptographically bound
        // to this request; freshness must then come from the response's own validity-period checks — confirm
        // the caller performs them.
        OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
        requestBuilder.addRequest(certId);
        return requestBuilder.build();
    } catch (OCSPException | OperatorCreationException e) {
        // NOTE(review): the javadoc mentions an admin alert, but this block only wraps and rethrows; the alert
        // is presumably raised by OcspCheckerException or its handler — confirm.
        throw new OcspCheckerException("Unable to create an OCSP request." + NOT_VERIFIED_MSG, e);
    }
}
Also used : DigestCalculatorProvider(org.bouncycastle.operator.DigestCalculatorProvider) CertificateID(org.bouncycastle.cert.ocsp.CertificateID) OCSPException(org.bouncycastle.cert.ocsp.OCSPException) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) DigestCalculator(org.bouncycastle.operator.DigestCalculator) JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder) VisibleForTesting(com.google.common.annotations.VisibleForTesting)
