use of org.bouncycastle.cert.ocsp.CertificateID in project module-ballerina-http by ballerina-platform.
the class OCSPVerifierTest method testOCSPVerifier.
/**
 * Exercises the cache-hit path of {@link OCSPVerifier}: a fake CA issues a fake peer certificate, an OCSP
 * response that reports that certificate as revoked is produced locally, and the resulting {@link SingleResp}
 * is stored in the shared {@link OCSPCache} under the peer certificate's serial number. Because the cache
 * already holds an entry for that serial number, the verifier must answer from the cache and never contact
 * a remote OCSP responder; the expected outcome is {@link RevocationStatus#REVOKED}.
 * <p>
 * The serviceUrl argument of {@code cache.setCacheValue(..)} is passed as {@code null} because no network
 * lookup is expected on this path.
 *
 * @throws Exception if keys, certificates or OCSP structures cannot be built
 */
@Test
public void testOCSPVerifier() throws Exception {
    // Register BouncyCastle so the JCA lookups below resolve against it.
    Security.addProvider(new BouncyCastleProvider());
    Utils utils = new Utils();

    // A self-made CA and a peer certificate issued by it, with a fixed serial number.
    KeyPair caKeys = utils.generateRSAKeyPair();
    X509Certificate caCert = utils.generateFakeRootCert(caKeys);
    KeyPair peerKeys = utils.generateRSAKeyPair();
    BigInteger serial = BigInteger.valueOf(111);
    X509Certificate peerCert =
            utils.generateFakeCertificate(caCert, peerKeys.getPublic(), serial, caKeys);

    // CertID (RFC 6960, which replaced RFC 2560) identifies the certificate an OCSP request/response is
    // about: SHA-1 digests of the issuer name and issuer key, plus the certificate's serial number.
    X509CertificateHolder issuerHolder = new X509CertificateHolder(caCert.getEncoded());
    DigestCalculatorProvider digests =
            new JcaDigestCalculatorProviderBuilder().setProvider(Constants.BOUNCY_CASTLE_PROVIDER).build();
    CertificateID certId = new CertificateID(digests.get(CertificateID.HASH_SHA1), issuerHolder, serial);

    // Locally produced request/response pair in which the peer certificate is reported as revoked.
    OCSPReq request = getOCSPRequest(caCert, serial);
    OCSPResp response = generateOCSPResponse(request, issuerHolder, caKeys.getPrivate(), certId);
    BasicOCSPResp basicResponse = (BasicOCSPResp) response.getResponseObject();
    SingleResp singleResp = basicResponse.getResponses()[0];

    // Pre-populate the cache; the verifier is expected to find this entry and skip any remote call.
    OCSPCache cache = OCSPCache.getCache();
    cache.init(5, 5); // NOTE(review): the meaning of the two init arguments is not visible here
    cache.setCacheValue(response, serial, singleResp, request, null);

    OCSPVerifier verifier = new OCSPVerifier(cache);
    RevocationStatus status = verifier.checkRevocationStatus(peerCert, caCert);

    // The cached SingleResp says "revoked", so that is what the verifier must report.
    assertTrue(status == RevocationStatus.REVOKED);
}
use of org.bouncycastle.cert.ocsp.CertificateID in project carapaceproxy by diennea.
the class OcspRequestBuilder method build.
/**
 * Builds the OCSP request for the configured certificate/issuer pair.
 * <p>
 * ATTENTION: the returned {@link OCSPReq} is not re-usable/cacheable. It carries a fresh random nonce
 * (id-pkix-ocsp-nonce, non-critical) and a CA will (should) reject later requests that repeat the same
 * nonce value.
 * <p>
 * Precondition: generator, calculator, certificate and issuer must all have been set; {@code checkNotNull}
 * rejects a missing one before any request material is built.
 *
 * @return a freshly built, single-certificate OCSP request carrying a one-time nonce
 * @throws OCSPException if the request cannot be assembled
 * @throws IOException if the issuer certificate bytes cannot be parsed
 * @throws CertificateEncodingException if the issuer certificate cannot be DER-encoded
 */
public OCSPReq build() throws OCSPException, IOException, CertificateEncodingException {
    SecureRandom rng = checkNotNull(this.generator, "generator");
    DigestCalculator digest = checkNotNull(this.calculator, "calculator");
    X509Certificate subject = checkNotNull(this.certificate, "certificate");
    X509Certificate issuerCert = checkNotNull(this.issuer, "issuer");

    // CertID = hash(issuer name), hash(issuer key), subject serial — this is what the responder keys on.
    X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerCert.getEncoded());
    CertificateID certId = new CertificateID(digest, issuerHolder, subject.getSerialNumber());

    // 8 random bytes tie this request to its response; the extension is marked non-critical.
    byte[] nonce = new byte[8];
    rng.nextBytes(nonce);
    Extension nonceExt =
            new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce));

    OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
    requestBuilder.addRequest(certId);
    requestBuilder.setRequestExtensions(new Extensions(new Extension[] { nonceExt }));
    return requestBuilder.build();
}
use of org.bouncycastle.cert.ocsp.CertificateID in project itext2 by albfernandez.
the class OcspClientBouncyCastle method generateOCSPRequest.
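/**
 * Generates an OCSP request using BouncyCastle for the certificate with the given serial number issued by
 * {@code issuerCert}. The request carries a nonce extension (id-pkix-ocsp-nonce, non-critical) so that a
 * response can be tied to this particular request.
 *
 * @param issuerCert certificate of the issuer of the certificate being checked
 * @param serialNumber serial number of the certificate being checked
 * @return an OCSP request identifying that certificate
 * @throws OCSPException if the request cannot be assembled
 * @throws IOException if the nonce value cannot be DER-encoded
 * @throws OperatorException if no SHA-1 digest calculator can be obtained
 * @throws CertificateEncodingException if {@code issuerCert} cannot be encoded
 */
private static OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) throws OCSPException, IOException, OperatorException, CertificateEncodingException {
    // Register BC only once. Security.addProvider already returns -1 and does nothing when the provider
    // is installed, but the explicit check avoids constructing a throwaway provider on every call.
    if (Security.getProvider(org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME) == null) {
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    }
    DigestCalculator digestCalculator =
            new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
    // CertID (RFC 6960): SHA-1 of the issuer name and issuer key, plus the target serial number.
    CertificateID id =
            new CertificateID(digestCalculator, new JcaX509CertificateHolder(issuerCert), serialNumber);
    OCSPReqBuilder gen = new OCSPReqBuilder();
    gen.addRequest(id);
    // Nonce extension. NOTE(review): the value is wrapped twice (an OCTET STRING holding the DER of another
    // OCTET STRING); presumably intentional for responder interoperability, so it is left unchanged.
    // NOTE(review): the nonce bytes come from PdfEncryption.createDocumentId(), not from SecureRandom —
    // the nonce only gives replay protection if it is unpredictable; confirm what that generator produces.
    Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false,
            new DEROctetString(new DEROctetString(PdfEncryption.createDocumentId()).getEncoded()));
    gen.setRequestExtensions(new Extensions(new Extension[] { ext }));
    return gen.build();
}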
use of org.bouncycastle.cert.ocsp.CertificateID in project itext2 by albfernandez.
the class PdfPKCS7 method isRevocationValid.
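/**
 * Checks if the embedded OCSP response refers to the document signing certificate, i.e. whether the CertID
 * of the first SingleResp matches (issuer of the signing certificate, serial number of the signing
 * certificate) under SHA-1. Only the first SingleResp is examined. A response whose CertID uses a hash
 * algorithm other than SHA-1 will not compare equal and therefore yields {@code false}, which is the
 * conservative outcome.
 *
 * @return {@code true} if the response's CertID matches the signing certificate; {@code false} if there is
 *         no OCSP response, the chain is too short to locate the issuer, the response holds no SingleResp,
 *         or the CertID could not be built or compared
 * @since 2.1.6
 */
public boolean isRevocationValid() {
    if (basicResp == null) {
        return false;
    }
    // cs[1] below is the issuer; with fewer than two certificates there is no issuer to compare against.
    if (signCerts.size() < 2) {
        return false;
    }
    try {
        X509Certificate[] cs = (X509Certificate[]) getSignCertificateChain();
        SingleResp[] responses = basicResp.getResponses();
        if (responses == null || responses.length == 0) {
            return false; // an empty response can never vouch for the signing certificate
        }
        CertificateID responseId = responses[0].getCertID();
        X509Certificate sigcer = getSigningCertificate();
        X509Certificate isscer = cs[1]; // NOTE(review): relies on the chain being ordered signer, issuer, ...
        CertificateID expectedId = new CertificateID(
                new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1),
                new JcaX509CertificateHolder(isscer),
                sigcer.getSerialNumber());
        // CertificateID.equals compares the underlying CertID structure (hash algorithm, issuer name and
        // key hashes, serial number), so a match means the response really is about this certificate.
        return expectedId.equals(responseId);
    } catch (Exception ignored) {
        // Best effort: any failure while building or comparing the CertID means the response cannot be
        // tied to the signing certificate, which is reported as "not valid" rather than propagated.
        return false;
    }
}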
use of org.bouncycastle.cert.ocsp.CertificateID in project ddf by codice.
the class OcspChecker method generateOcspRequest.
/**
 * Creates an {@link OCSPReq} to send to the OCSP server for the given certificate. The request names the
 * certificate by a SHA-1 CertID (issuer name hash, issuer key hash, serial number) and sets no request
 * extensions, so in particular it carries no nonce.
 *
 * @param cert - the certificate to verify
 * @return the created OCSP request
 * @throws OcspCheckerException after posting an alert to the admin console, if any error occurs
 */
@VisibleForTesting
OCSPReq generateOcspRequest(Certificate cert) throws OcspCheckerException {
    try {
        // The CertID is keyed on the issuer, so the issuer certificate has to be located first.
        X509CertificateHolder issuer = resolveIssuerCertificate(cert);
        DigestCalculator sha1 =
                new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
        OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
        requestBuilder.addRequest(new CertificateID(sha1, issuer, cert.getSerialNumber().getValue()));
        // NOTE(review): no nonce is attached, so a response cannot be bound to this request; whether the
        // caller relies on the response's thisUpdate/nextUpdate window instead is not visible here.
        return requestBuilder.build();
    } catch (OCSPException | OperatorCreationException e) {
        // Keep the BouncyCastle failure as the cause so the wrapped error stays diagnosable.
        throw new OcspCheckerException("Unable to create an OCSP request." + NOT_VERIFIED_MSG, e);
    }
}