Example 6 with OCSPReq

Use of org.bouncycastle.cert.ocsp.OCSPReq in project ddf by codice: class OcspChecker, method passesOcspCheck.

/**
 * Checks whether the given {@code certs} are revoked against the configured OCSP server
 * URLs plus the OCSP server URL optionally carried in each of the given certificates.
 *
 * @param certs - an array of certificates to verify.
 * @return true if the certificates are good or if they could not be properly checked against the
 *     OCSP server. Returns false if any of them are revoked.
 */
@Override
public boolean passesOcspCheck(X509Certificate[] certs) {
    if (!ocspEnabled) {
        LOGGER.debug("OCSP check is not enabled. Skipping.");
        return true;
    }
    // A null array would otherwise throw a NullPointerException in the loop below.
    if (certs == null) {
        LOGGER.debug("OCSP check for 0 certificate(s)");
        return true;
    }
    LOGGER.debug("OCSP check for {} certificate(s)", certs.length);
    for (X509Certificate cert : certs) {
        try {
            Certificate certificate = convertToBouncyCastleCert(cert);
            OCSPReq ocspRequest = generateOcspRequest(certificate);
            // One status per responder URL that was queried for this certificate.
            Map<URI, CertificateStatus> ocspStatuses = sendOcspRequests(cert, ocspRequest);
            URI revokedStatusUrl = getFirstRevokedStatusUrl(ocspStatuses);
            if (revokedStatusUrl != null) {
                securityLogger.audit("Certificate {} has been revoked by the OCSP server at URL {}.", cert, revokedStatusUrl);
                LOGGER.warn("Certificate {} has been revoked by the OCSP server at URL {}.", cert, revokedStatusUrl);
                return false;
            }
            LOGGER.debug("No certificates revoked by the OCSP server");
        } catch (OcspCheckerException e) {
            // Fail open: a responder that cannot be reached or does not answer properly does not
            // block the certificate; the error is surfaced as an alert instead.
            postErrorEvent(e.getMessage());
        }
    }
    // An alert will be posted to the admin console.
    return true;
}
Also used: OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq) CertificateStatus(org.bouncycastle.cert.ocsp.CertificateStatus) URI(java.net.URI) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate)

Example 7 with OCSPReq

Use of org.bouncycastle.cert.ocsp.OCSPReq in project ddf by codice: class OcspCheckerTest, method testSendOcspRequestNoServerUrls.

@Test
public void testSendOcspRequestNoServerUrls() throws Exception {
    // The only responder URL available (the one embedded in the certificate) is registered as
    // broken, and no explicit server URLs are configured on the checker.
    brokenEndpoints.add(new URI(EMBEDDED_OCSP_SERVER_URL));
    OcspChecker ocspChecker = new OcspChecker(factory, eventAdmin);
    ocspChecker.setSecurityLogger(mock(SecurityLogger.class));
    ocspChecker.setOcspEnabled(true);
    OCSPReq ocspReq = ocspChecker.generateOcspRequest(trustedCertBc);
    Map<URI, CertificateStatus> ocspStatuses = ocspChecker.sendOcspRequests(trustedCertX509, ocspReq);
    assertStatuses(ocspStatuses);
}
Also used: OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq) CertificateStatus(org.bouncycastle.cert.ocsp.CertificateStatus) URI(java.net.URI) SecurityLogger(ddf.security.audit.SecurityLogger) Test(org.junit.Test)

Example 8 with OCSPReq

Use of org.bouncycastle.cert.ocsp.OCSPReq in project ddf by codice: class OcspCheckerTest, method testSendOcspRequestsUnknownEmbeddedUrl.

@Test
public void testSendOcspRequestsUnknownEmbeddedUrl() throws Exception {
    // Two configured responders answer "unknown" for the certificate.
    unknownEndpoints.add(new URI("https://unknownurl:8993"));
    unknownEndpoints.add(new URI("https://unknownurl2:8993"));
    List<URI> ocspServerUrls = new ArrayList<>(unknownEndpoints);
    // The responder URL embedded in the certificate also answers "unknown".
    unknownEndpoints.add(new URI(EMBEDDED_OCSP_SERVER_URL));
    OcspChecker ocspChecker = new OcspChecker(factory, eventAdmin);
    ocspChecker.setSecurityLogger(mock(SecurityLogger.class));
    ocspChecker.setOcspEnabled(true);
    ocspChecker.setOcspServerUrls(ocspServerUrls.stream().map(URI::toString).collect(Collectors.toList()));
    OCSPReq ocspReq = ocspChecker.generateOcspRequest(trustedCertBc);
    Map<URI, CertificateStatus> ocspStatuses = ocspChecker.sendOcspRequests(trustedCertX509, ocspReq);
    assertStatuses(ocspStatuses);
}
Also used: OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq) CertificateStatus(org.bouncycastle.cert.ocsp.CertificateStatus) ArrayList(java.util.ArrayList) URI(java.net.URI) SecurityLogger(ddf.security.audit.SecurityLogger) Test(org.junit.Test)

Example 9 with OCSPReq

Use of org.bouncycastle.cert.ocsp.OCSPReq in project ddf by codice: class OcspCheckerTest, method testSendOcspRequestsAllStatuses.

@Test
public void testSendOcspRequestsAllStatuses() throws Exception {
    // Configured responders covering every outcome: unknown, good and revoked.
    unknownEndpoints.add(new URI("https://unknownurl:8993"));
    unknownEndpoints.add(new URI("https://unknownurl2:8993"));
    goodEndpoints.add(new URI("https://goodurl:8993"));
    goodEndpoints.add(new URI("https://goodurl2:8993"));
    revokedEndpoints.add(new URI("https://revokedurl:8993"));
    revokedEndpoints.add(new URI("https://revokedurl2:8993"));
    // The responder URL embedded in the certificate is unreachable.
    brokenEndpoints.add(new URI(EMBEDDED_OCSP_SERVER_URL));
    List<URI> ocspServerUrls = new ArrayList<>();
    ocspServerUrls.addAll(unknownEndpoints);
    ocspServerUrls.addAll(revokedEndpoints);
    ocspServerUrls.addAll(goodEndpoints);
    OcspChecker ocspChecker = new OcspChecker(factory, eventAdmin);
    ocspChecker.setSecurityLogger(mock(SecurityLogger.class));
    ocspChecker.setOcspEnabled(true);
    ocspChecker.setOcspServerUrls(ocspServerUrls.stream().map(URI::toString).collect(Collectors.toList()));
    OCSPReq ocspReq = ocspChecker.generateOcspRequest(trustedCertBc);
    Map<URI, CertificateStatus> ocspStatuses = ocspChecker.sendOcspRequests(trustedCertX509, ocspReq);
    assertStatuses(ocspStatuses);
}
Also used: OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq) CertificateStatus(org.bouncycastle.cert.ocsp.CertificateStatus) ArrayList(java.util.ArrayList) URI(java.net.URI) SecurityLogger(ddf.security.audit.SecurityLogger) Test(org.junit.Test)

Example 10 with OCSPReq

Use of org.bouncycastle.cert.ocsp.OCSPReq in project oxAuth by GluuFederation: class OCSPCertificateVerifier, method validate.

@Override
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
    X509Certificate issuer = issuers.get(0);
    // Validity defaults to UNKNOWN; only a matching entry in a successful response changes it.
    ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.OCSP, CertificateValidity.UNKNOWN);
    try {
        Principal subjectX500Principal = certificate.getSubjectX500Principal();
        String ocspUrl = getOCSPUrl(certificate);
        if (ocspUrl == null) {
            log.error("OCSP URL for '" + subjectX500Principal + "' is empty");
            return status;
        }
        log.debug("OCSP URL for '" + subjectX500Principal + "' is '" + ocspUrl + "'");
        // The OCSP CertID is built from the SHA-1 hashes of the issuer's name and public key plus
        // the subject certificate's serial number, so the issuer certificate holder is required here.
        DigestCalculator digestCalculator = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
        CertificateID certificateId = new CertificateID(digestCalculator, new JcaX509CertificateHolder(issuer), certificate.getSerialNumber());
        // Generate OCSP request
        OCSPReq ocspReq = generateOCSPRequest(certificateId);
        // Get OCSP response from server
        OCSPResp ocspResp = requestOCSPResponse(ocspUrl, ocspReq);
        if (ocspResp.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
            log.error("OCSP response is invalid!");
            status.setValidity(CertificateValidity.INVALID);
            return status;
        }
        boolean foundResponse = false;
        BasicOCSPResp basicOCSPResp = (BasicOCSPResp) ocspResp.getResponseObject();
        // Note: the responder's signature on basicOCSPResp is not verified in this method.
        SingleResp[] singleResps = basicOCSPResp.getResponses();
        for (SingleResp singleResp : singleResps) {
            // Only the entry for the certificate that was asked about is relevant.
            CertificateID responseCertificateId = singleResp.getCertID();
            if (!certificateId.equals(responseCertificateId)) {
                continue;
            }
            foundResponse = true;
            log.debug("OCSP validationDate: " + validationDate);
            log.debug("OCSP thisUpdate: " + singleResp.getThisUpdate());
            log.debug("OCSP nextUpdate: " + singleResp.getNextUpdate());
            status.setRevocationObjectIssuingTime(basicOCSPResp.getProducedAt());
            // Bouncy Castle represents a "good" status as null (CertificateStatus.GOOD).
            Object certStatus = singleResp.getCertStatus();
            if (certStatus == CertificateStatus.GOOD) {
                log.debug("OCSP status is valid for '" + certificate.getSubjectX500Principal() + "'");
                status.setValidity(CertificateValidity.VALID);
            } else if (certStatus instanceof RevokedStatus) {
                Date revocationDate = ((RevokedStatus) certStatus).getRevocationTime();
                log.warn("OCSP status is revoked for: " + subjectX500Principal);
                if (validationDate.before(revocationDate)) {
                    // Revoked only after the validation date: the certificate was still valid then.
                    log.warn("OCSP revocation time after the validation date, the certificate '" + subjectX500Principal + "' was valid at " + validationDate);
                    status.setValidity(CertificateValidity.VALID);
                } else {
                    log.info("OCSP for certificate '" + subjectX500Principal + "' is revoked since " + revocationDate);
                    status.setRevocationDate(revocationDate);
                    status.setRevocationObjectIssuingTime(singleResp.getThisUpdate());
                    status.setValidity(CertificateValidity.REVOKED);
                }
            }
            // Any other status (e.g. UnknownStatus) leaves the validity at UNKNOWN.
        }
        if (!foundResponse) {
            log.error("There are no matching OCSP response entries");
        }
    } catch (Exception ex) {
        log.error("OCSP exception: ", ex);
    }
    return status;
}
Also used: CertificateID(org.bouncycastle.cert.ocsp.CertificateID) DigestCalculator(org.bouncycastle.operator.DigestCalculator) ASN1OctetString(org.bouncycastle.asn1.ASN1OctetString) DERIA5String(org.bouncycastle.asn1.DERIA5String) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) MalformedURLException(java.net.MalformedURLException) IOException(java.io.IOException) OCSPException(org.bouncycastle.cert.ocsp.OCSPException) CertificateEncodingException(java.security.cert.CertificateEncodingException) OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) ValidationStatus(org.xdi.oxauth.cert.validation.model.ValidationStatus) RevokedStatus(org.bouncycastle.cert.ocsp.RevokedStatus) OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq) ASN1TaggedObject(org.bouncycastle.asn1.ASN1TaggedObject) JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder) SingleResp(org.bouncycastle.cert.ocsp.SingleResp) Principal(java.security.Principal)
