Example 16 with CertificateID
use of org.bouncycastle.cert.ocsp.CertificateID in project module-ballerina-http by ballerina-platform.
the class OCSPVerifierTest method testOCSPVerifier.
/**
* A fake certificate signed by a fake CA is made as the revoked certificate. The created OCSP response to the
* OCSP request will say that that the fake peer certificate is revoked. the SingleResp derived from the OCSP
* response will be put into the cache against the serial number of the fake peer certificate. Since the SingleResp
* which corresponds to the revokedSerialNumber is in the cache, there will NOT be a call to a remote OCSP server.
* Note that the serviceUrl passed to cache.setCacheValue(..) is null since it is not needed.
*
* @throws Exception
*/
@Test
public void testOCSPVerifier() throws Exception {
// Add BouncyCastle as Security Provider.
Security.addProvider(new BouncyCastleProvider());
Utils utils = new Utils();
KeyPair caKeyPair = utils.generateRSAKeyPair();
X509Certificate caCert = utils.generateFakeRootCert(caKeyPair);
KeyPair peerKeyPair = utils.generateRSAKeyPair();
BigInteger revokedSerialNumber = BigInteger.valueOf(111);
X509Certificate revokedCertificate = utils.generateFakeCertificate(caCert, peerKeyPair.getPublic(), revokedSerialNumber, caKeyPair);
OCSPReq request = getOCSPRequest(caCert, revokedSerialNumber);
byte[] issuerCertEnc = caCert.getEncoded();
X509CertificateHolder certificateHolder = new X509CertificateHolder(issuerCertEnc);
DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().setProvider(Constants.BOUNCY_CASTLE_PROVIDER).build();
// CertID structure is used to uniquely identify certificates that are the subject of
// an OCSP request or response and has an ASN.1 definition. CertID structure is defined in RFC 2560.
CertificateID revokedID = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), certificateHolder, revokedSerialNumber);
OCSPResp response = generateOCSPResponse(request, certificateHolder, caKeyPair.getPrivate(), revokedID);
SingleResp singleResp = ((BasicOCSPResp) response.getResponseObject()).getResponses()[0];
OCSPCache cache = OCSPCache.getCache();
cache.init(5, 5);
cache.setCacheValue(response, revokedSerialNumber, singleResp, request, null);
OCSPVerifier ocspVerifier = new OCSPVerifier(cache);
RevocationStatus status = ocspVerifier.checkRevocationStatus(revokedCertificate, caCert);
// the cache will have the SingleResponse derived from the create OCSP response and it will be checked to see
// if the fake certificate is revoked. So the status should be REVOKED.
assertTrue(status == RevocationStatus.REVOKED);
}
Also used :
KeyPair(java.security.KeyPair)
OCSPCache(io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.ocsp.OCSPCache)
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
X509Certificate(java.security.cert.X509Certificate)
OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp)
BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp)
DigestCalculatorProvider(org.bouncycastle.operator.DigestCalculatorProvider)
OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
RevocationStatus(io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.RevocationStatus)
JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)
SingleResp(org.bouncycastle.cert.ocsp.SingleResp)
OCSPVerifier(io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.ocsp.OCSPVerifier)
BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)
Test(org.testng.annotations.Test)
Example 17 with CertificateID
use of org.bouncycastle.cert.ocsp.CertificateID in project carapaceproxy by diennea.
the class OcspRequestBuilder method build.
/**
* ATTENTION: The returned {@link OCSPReq} is not re-usable/cacheable! It contains a one-time nonce and CA's will (should) reject subsequent requests that have the same nonce value.
*/
public OCSPReq build() throws OCSPException, IOException, CertificateEncodingException {
SecureRandom generator = checkNotNull(this.generator, "generator");
DigestCalculator calculator = checkNotNull(this.calculator, "calculator");
X509Certificate certificate = checkNotNull(this.certificate, "certificate");
X509Certificate issuer = checkNotNull(this.issuer, "issuer");
BigInteger serial = certificate.getSerialNumber();
CertificateID certId = new CertificateID(calculator, new X509CertificateHolder(issuer.getEncoded()), serial);
OCSPReqBuilder builder = new OCSPReqBuilder();
builder.addRequest(certId);
byte[] nonce = new byte[8];
generator.nextBytes(nonce);
Extension[] extensions = new Extension[] { new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce)) };
builder.setRequestExtensions(new Extensions(extensions));
return builder.build();
}
Also used :
Extension(org.bouncycastle.asn1.x509.Extension)
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
DigestCalculator(org.bouncycastle.operator.DigestCalculator)
SecureRandom(java.security.SecureRandom)
BigInteger(java.math.BigInteger)
Extensions(org.bouncycastle.asn1.x509.Extensions)
OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder)
X509Certificate(java.security.cert.X509Certificate)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
Example 18 with CertificateID
use of org.bouncycastle.cert.ocsp.CertificateID in project itext2 by albfernandez.
the class OcspClientBouncyCastle method generateOCSPRequest.
/**
* Generates an OCSP request using BouncyCastle.
* @param issuerCert certificate of the issues
* @param serialNumber serial number
* @return an OCSP request
* @throws OCSPException
* @throws IOException
*/
private static OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) throws OCSPException, IOException, OperatorException, CertificateEncodingException {
// Add provider BC
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
JcaDigestCalculatorProviderBuilder digestCalculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder();
DigestCalculatorProvider digestCalculatorProvider = digestCalculatorProviderBuilder.build();
DigestCalculator digestCalculator = digestCalculatorProvider.get(CertificateID.HASH_SHA1);
// Generate the id for the certificate we are looking for
CertificateID id = new CertificateID(digestCalculator, new JcaX509CertificateHolder(issuerCert), serialNumber);
// basic request generation with nonce
OCSPReqBuilder gen = new OCSPReqBuilder();
gen.addRequest(id);
// create details for nonce extension
Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(new DEROctetString(PdfEncryption.createDocumentId()).getEncoded()));
gen.setRequestExtensions(new Extensions(new Extension[] { ext }));
return gen.build();
}
Also used :
Extension(org.bouncycastle.asn1.x509.Extension)
DigestCalculatorProvider(org.bouncycastle.operator.DigestCalculatorProvider)
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
DigestCalculator(org.bouncycastle.operator.DigestCalculator)
JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)
Extensions(org.bouncycastle.asn1.x509.Extensions)
JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder)
OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
Example 19 with CertificateID
use of org.bouncycastle.cert.ocsp.CertificateID in project itext2 by albfernandez.
the class PdfPKCS7 method isRevocationValid.
/**
* Checks if OCSP revocation refers to the document signing certificate.
* @return true if it checks false otherwise
* @since 2.1.6
*/
public boolean isRevocationValid() {
if (basicResp == null)
return false;
if (signCerts.size() < 2)
return false;
try {
X509Certificate[] cs = (X509Certificate[]) getSignCertificateChain();
SingleResp sr = basicResp.getResponses()[0];
CertificateID cid = sr.getCertID();
X509Certificate sigcer = getSigningCertificate();
X509Certificate isscer = cs[1];
CertificateID tis = new CertificateID(new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1), new JcaX509CertificateHolder(isscer), sigcer.getSerialNumber());
return tis.equals(cid);
} catch (Exception ex) {
}
return false;
}
Also used :
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)
SingleResp(org.bouncycastle.cert.ocsp.SingleResp)
JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder)
X509Certificate(java.security.cert.X509Certificate)
SignatureException(java.security.SignatureException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidKeyException(java.security.InvalidKeyException)
CertificateParsingException(java.security.cert.CertificateParsingException)
IOException(java.io.IOException)
NoSuchProviderException(java.security.NoSuchProviderException)
Example 20 with CertificateID
use of org.bouncycastle.cert.ocsp.CertificateID in project ddf by codice.
the class OcspChecker method generateOcspRequest.
/**
* Creates an {@link OCSPReq} to send to the OCSP server for the given certificate.
*
* @param cert - the certificate to verify
* @return the created OCSP request
* @throws OcspCheckerException after posting an alert to the admin console, if any error occurs
*/
@VisibleForTesting
OCSPReq generateOcspRequest(Certificate cert) throws OcspCheckerException {
try {
X509CertificateHolder issuerCert = resolveIssuerCertificate(cert);
JcaDigestCalculatorProviderBuilder digestCalculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder();
DigestCalculatorProvider digestCalculatorProvider = digestCalculatorProviderBuilder.build();
DigestCalculator digestCalculator = digestCalculatorProvider.get(CertificateID.HASH_SHA1);
CertificateID certId = new CertificateID(digestCalculator, issuerCert, cert.getSerialNumber().getValue());
OCSPReqBuilder ocspReqGenerator = new OCSPReqBuilder();
ocspReqGenerator.addRequest(certId);
return ocspReqGenerator.build();
} catch (OCSPException | OperatorCreationException e) {
throw new OcspCheckerException("Unable to create an OCSP request." + NOT_VERIFIED_MSG, e);
}
}
Also used :
DigestCalculatorProvider(org.bouncycastle.operator.DigestCalculatorProvider)
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
OCSPException(org.bouncycastle.cert.ocsp.OCSPException)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
DigestCalculator(org.bouncycastle.operator.DigestCalculator)
JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder)
VisibleForTesting(com.google.common.annotations.VisibleForTesting)
Aggregations
CertificateID (org.bouncycastle.cert.ocsp.CertificateID)45
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)23
OCSPReqBuilder (org.bouncycastle.cert.ocsp.OCSPReqBuilder)21
Extension (org.bouncycastle.asn1.x509.Extension)20
IOException (java.io.IOException)19
Extensions (org.bouncycastle.asn1.x509.Extensions)17
BasicOCSPResp (org.bouncycastle.cert.ocsp.BasicOCSPResp)17
SingleResp (org.bouncycastle.cert.ocsp.SingleResp)16
BigInteger (java.math.BigInteger)15
X509Certificate (java.security.cert.X509Certificate)15
JcaDigestCalculatorProviderBuilder (org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)15
DEROctetString (org.bouncycastle.asn1.DEROctetString)13
OCSPReq (org.bouncycastle.cert.ocsp.OCSPReq)13
DigestCalculator (org.bouncycastle.operator.DigestCalculator)13
Date (java.util.Date)12
OCSPException (org.bouncycastle.cert.ocsp.OCSPException)12
OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp)12
JcaX509CertificateHolder (org.bouncycastle.cert.jcajce.JcaX509CertificateHolder)11
OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)11
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)9
