
Example 26 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project pdfbox by apache.

the class OcspHelper method generateOCSPRequest.

/**
 * Builds the OCSP request for {@code certificateToCheck}.
 * <p>
 * The certificate is identified by a {@code CertificateID} computed from the
 * issuer certificate (hashed with the project's {@code SHA1DigestCalculator})
 * and the subject's serial number. Two non-critical request extensions are
 * attached: an acceptable-response-types extension naming the basic OCSP
 * response, and a freshly generated nonce. The DER-encoded nonce is stored in
 * {@code encodedNonce}; presumably the code that parses the response compares
 * the responder's echoed nonce against it to detect replayed responses --
 * confirm against the caller.
 *
 * @return OCSP request, ready to fetch data
 * @throws OCSPException if BouncyCastle cannot build the certificate identifier
 * @throws IOException   if the issuer certificate cannot be encoded, or an
 *                       extension value cannot be DER-encoded
 */
private OCSPReq generateOCSPRequest() throws OCSPException, IOException {
    Security.addProvider(SecurityProvider.getProvider());

    // Identify the certificate under test by issuer (name/key hash) and serial number.
    CertificateID targetId;
    try {
        SHA1DigestCalculator sha1 = new SHA1DigestCalculator();
        JcaX509CertificateHolder issuerHolder = new JcaX509CertificateHolder(issuerCertificate);
        targetId = new CertificateID(sha1, issuerHolder, certificateToCheck.getSerialNumber());
    } catch (CertificateEncodingException e) {
        throw new IOException("Error creating CertificateID with the Certificate encoding", e);
    }

    // https://tools.ietf.org/html/rfc2560#section-4.1.2
    // Support for any specific extension is OPTIONAL. The critical flag
    // SHOULD NOT be set for any of them.
    byte[] acceptedTypes = new DLSequence(OCSPObjectIdentifiers.id_pkix_ocsp_basic).getEncoded();
    Extension acceptBasicResponse = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_response, false, acceptedTypes);

    // The nonce is wrapped twice on purpose: the extension value is an OCTET STRING
    // whose content is the DER encoding of the nonce OCTET STRING.
    encodedNonce = new DEROctetString(new DEROctetString(create16BytesNonce()));
    Extension replayNonce = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, encodedNonce);

    OCSPReqBuilder request = new OCSPReqBuilder();
    request.setRequestExtensions(new Extensions(new Extension[] { acceptBasicResponse, replayNonce }));
    request.addRequest(targetId);
    return request.build();
}

Example 27 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project OpenPDF by LibrePDF.

the class PdfPKCS7 method isRevocationValid.

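/**
 * Checks if OCSP revocation refers to the document signing certificate.
 * <p>
 * The {@code CertificateID} carried by the first single response of
 * {@code basicResp} is compared with the id recomputed from the signing
 * certificate's serial number and its issuer (the second certificate of the
 * signing chain). Only the first single response is inspected, so a response
 * listing several certificates matches only when the signing certificate comes
 * first. Any failure while recomputing the id (no provider, unencodable
 * certificate, ...) yields {@code false} rather than an exception.
 *
 * @return true if it checks false otherwise
 * @since 2.1.6
 */
public boolean isRevocationValid() {
    if (basicResp == null) {
        return false;
    }
    // The issuer is read from position 1 of the chain, so two certificates are the minimum.
    if (signCerts.size() < 2) {
        return false;
    }
    try {
        X509Certificate[] cs = (X509Certificate[]) getSignCertificateChain();
        if (cs == null || cs.length < 2) {
            return false;
        }
        SingleResp[] responses = basicResp.getResponses();
        if (responses.length == 0) {
            // A response without any SingleResp cannot refer to the signing certificate.
            return false;
        }
        SingleResp sr = responses[0];
        CertificateID cid = sr.getCertID();
        X509Certificate sigcer = getSigningCertificate();
        X509Certificate isscer = cs[1];
        // Note from the original author (Felix): this replaced a CertificateID constructor
        // that accepted the issuer X509Certificate directly; the id is now built through a
        // DigestCalculatorProvider bound to the configured provider.
        DigestCalculatorProvider digCalcProv = new JcaDigestCalculatorProviderBuilder().setProvider(provider).build();
        CertificateID id = new CertificateID(digCalcProv.get(CertificateID.HASH_SHA1), new JcaX509CertificateHolder(isscer), sigcer.getSerialNumber());
        return id.equals(cid);
    } catch (Exception ignored) {
        // Deliberate: OperatorCreationException, OCSPException, CertificateEncodingException
        // and similar all mean the id could not be matched, which this method reports as false.
    }
    return false;
}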

Example 28 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project X-Road by nordic-institute.

the class OcspVerifier method verifyResponseValidity.

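/**
 * Verifies that an OCSP response applies to {@code subject} and was produced by a
 * responder authorized for {@code issuer}.
 * <p>
 * The checks performed here are: the response carries a basic response whose first
 * single response has the {@code CertificateID} expected for {@code subject}/{@code issuer};
 * a responder certificate can be located from the responder ID; the response signature
 * verifies under that certificate; and the responder is authorized for the issuing CA.
 * Time validity (thisUpdate/nextUpdate) and nonce matching are not checked in this
 * method; presumably handled by the caller -- confirm.
 *
 * @param response the OCSP response to verify
 * @param subject  certificate the response must refer to
 * @param issuer   issuer of {@code subject}, used to build the expected id and to
 *                 decide responder authorization
 * @return the single response for {@code subject}
 * @throws CodedException with {@code X_INCORRECT_VALIDATION_INFO} when any check fails
 * @throws Exception      if the response object cannot be parsed or the expected id built
 */
private SingleResp verifyResponseValidity(OCSPResp response, X509Certificate subject, X509Certificate issuer) throws Exception {
    // getResponseObject() yields null when the response status is not "successful";
    // report that as a validation failure instead of a NullPointerException.
    Object responseObject = response.getResponseObject();
    if (!(responseObject instanceof BasicOCSPResp)) {
        throw new CodedException(X_INCORRECT_VALIDATION_INFO, "OCSP response does not contain a basic response (sn = %s)", subject.getSerialNumber());
    }
    BasicOCSPResp basicResp = (BasicOCSPResp) responseObject;
    SingleResp[] responses = basicResp.getResponses();
    if (responses.length == 0) {
        throw new CodedException(X_INCORRECT_VALIDATION_INFO, "OCSP response contains no single responses (sn = %s)", subject.getSerialNumber());
    }
    // Only the first single response is considered; a response for several certificates is
    // accepted only when the subject comes first.
    SingleResp singleResp = responses[0];
    CertificateID requestCertId = createCertId(subject, issuer);
    // 1. The certificate identified in a received response corresponds to
    //    that which was identified in the corresponding request.
    if (!singleResp.getCertID().equals(requestCertId)) {
        throw new CodedException(X_INCORRECT_VALIDATION_INFO, "OCSP response does not apply to certificate (sn = %s)", subject.getSerialNumber());
    }
    // 2./3. The signature on the response is valid and was made by the responder
    //       identified in the response.
    X509Certificate ocspCert = getOcspCert(basicResp);
    if (ocspCert == null) {
        throw new CodedException(X_INCORRECT_VALIDATION_INFO, "Could not find OCSP certificate for responder ID");
    }
    if (!verifySignature(basicResp, ocspCert)) {
        throw new CodedException(X_INCORRECT_VALIDATION_INFO, "Signature on OCSP response is not valid");
    }
    // 4. The signer is currently authorized to sign the response.
    if (!isAuthorizedOcspSigner(ocspCert, issuer)) {
        throw new CodedException(X_INCORRECT_VALIDATION_INFO, "OCSP responder is not authorized for given CA");
    }
    return singleResp;
}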

Example 29 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project X-Road by nordic-institute.

the class OcspClient method createRequest.

/**
 * Builds an OCSP request for {@code subjectCert}, identified by the certificate id
 * derived from {@code subjectCert} and {@code issuerCert}.
 * <p>
 * When both {@code signerKey} and {@code signerCert} are supplied the request is
 * signed with {@code signAlgoId} and the signer certificate is embedded; if either
 * one is null an unsigned request is produced and the mismatch is not reported.
 *
 * @param subjectCert certificate whose status is being queried
 * @param issuerCert  issuer of {@code subjectCert}
 * @param signerKey   private key signing the request, or null for an unsigned request
 * @param signerCert  certificate matching {@code signerKey}, or null for an unsigned request
 * @param signAlgoId  signature algorithm id handed to {@code CryptoUtils.createContentSigner}
 * @return the built request
 * @throws Exception if the certificate id, the content signer or the certificate holder
 *                   cannot be created
 */
private static OCSPReq createRequest(X509Certificate subjectCert, X509Certificate issuerCert, PrivateKey signerKey, X509Certificate signerCert, String signAlgoId) throws Exception {
    OCSPReqBuilder request = new OCSPReqBuilder();
    CertificateID subjectId = CryptoUtils.createCertId(subjectCert, issuerCert);
    request.addRequest(subjectId);

    boolean signed = signerKey != null && signerCert != null;
    if (!signed) {
        log.trace("Creating unsigned OCSP request for certificate '{}'", subjectCert.getSubjectX500Principal());
        return request.build();
    }

    X509CertificateHolder signerHolder = new X509CertificateHolder(signerCert.getEncoded());
    ContentSigner signer = CryptoUtils.createContentSigner(signAlgoId, signerKey);
    log.trace("Creating signed OCSP request for certificate '{}' (signed by {})", subjectCert.getSubjectX500Principal(), signerHolder.getSubject());
    // The builder requires a requestor name when producing a signed request.
    request.setRequestorName(signerHolder.getSubject());
    return request.build(signer, new X509CertificateHolder[] { signerHolder });
}

Example 30 with CertificateID

use of org.bouncycastle.cert.ocsp.CertificateID in project X-Road by nordic-institute.

the class OcspTestUtils method createOCSPResponse.

/**
 * Creates an OCSP response for the subject's certificate with the given status.
 * <p>
 * The responder ID is the signer certificate's subject name. When
 * {@code thisUpdate} is null the single response is added without explicit
 * validity dates (the builder's two-argument form); otherwise
 * {@code thisUpdate}/{@code nextUpdate} are used and no single-response
 * extensions are attached. The response is signed using the subject
 * certificate's own signature algorithm name, which this test helper assumes
 * is compatible with {@code signerKey}.
 *
 * @param subject the subject certificate
 * @param issuer certificate of the subject certificate issuer
 * @param signer certificate of the OCSP response signer
 * @param signerKey key of the OCSP response signer
 * @param certStatus OCSP response status
 * @param thisUpdate date this response was valid on, or null
 * @param nextUpdate date when next update should be requested
 * @return a successful OCSPResp wrapping the signed basic response
 * @throws Exception in case of any errors
 */
public static OCSPResp createOCSPResponse(X509Certificate subject, X509Certificate issuer, X509Certificate signer, PrivateKey signerKey, CertificateStatus certStatus, Date thisUpdate, Date nextUpdate) throws Exception {
    RespID responderId = new RespID(new X500Name(signer.getSubjectX500Principal().getName()));
    BasicOCSPRespBuilder basic = new BasicOCSPRespBuilder(responderId);

    CertificateID cid = CryptoUtils.createCertId(subject, issuer);
    if (thisUpdate == null) {
        basic.addResponse(cid, certStatus);
    } else {
        basic.addResponse(cid, certStatus, thisUpdate, nextUpdate, null);
    }

    ContentSigner contentSigner = CryptoUtils.createContentSigner(subject.getSigAlgName(), signerKey);
    X509CertificateHolder[] chain = { new X509CertificateHolder(signer.getEncoded()) };
    // producedAt is the current time.
    Object responseObject = basic.build(contentSigner, chain, new Date());
    return new OCSPRespBuilder().build(OCSPRespBuilder.SUCCESSFUL, responseObject);
}
