Examples with OCSPReqBuilder org.bouncycastle.cert.ocsp.OCSPReqBuilder used on opensource projects

Search in sources :

Example 11 with OCSPReqBuilder

use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project oxAuth by GluuFederation.

the class OCSPCertificateVerifier method generateOCSPRequest.

private OCSPReq generateOCSPRequest(CertificateID certificateId) throws OCSPException, OperatorCreationException, CertificateEncodingException {
    OCSPReqBuilder ocspReqGenerator = new OCSPReqBuilder();
    ocspReqGenerator.addRequest(certificateId);
    OCSPReq ocspReq = ocspReqGenerator.build();
    return ocspReq;
}
Also used : OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder)

Example 12 with OCSPReqBuilder

use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project nifi by apache.

the class OcspCertificateValidator method getOcspStatus.

/**
 * Gets the OCSP status for the specified subject and issuer certificates.
 *
 * @param ocspStatusKey status key
 * @return ocsp status
 */
private OcspStatus getOcspStatus(final OcspRequest ocspStatusKey) {
    final X509Certificate subjectCertificate = ocspStatusKey.getSubjectCertificate();
    final X509Certificate issuerCertificate = ocspStatusKey.getIssuerCertificate();
    // initialize the default status
    final OcspStatus ocspStatus = new OcspStatus();
    ocspStatus.setVerificationStatus(VerificationStatus.Unknown);
    ocspStatus.setValidationStatus(ValidationStatus.Unknown);
    try {
        // prepare the request
        final BigInteger subjectSerialNumber = subjectCertificate.getSerialNumber();
        final DigestCalculatorProvider calculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build();
        final CertificateID certificateId = new CertificateID(calculatorProviderBuilder.get(CertificateID.HASH_SHA1), new X509CertificateHolder(issuerCertificate.getEncoded()), subjectSerialNumber);
        // generate the request
        final OCSPReqBuilder requestGenerator = new OCSPReqBuilder();
        requestGenerator.addRequest(certificateId);
        // Create a nonce to avoid replay attack
        BigInteger nonce = BigInteger.valueOf(System.currentTimeMillis());
        Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, new DEROctetString(nonce.toByteArray()));
        requestGenerator.setRequestExtensions(new Extensions(new Extension[] { ext }));
        final OCSPReq ocspRequest = requestGenerator.build();
        // perform the request
        final Response response = getClientResponse(ocspRequest);
        // ensure the request was completed successfully
        if (Response.Status.OK.getStatusCode() != response.getStatusInfo().getStatusCode()) {
            logger.warn(String.format("OCSP request was unsuccessful (%s).", response.getStatus()));
            return ocspStatus;
        }
        // interpret the response
        OCSPResp ocspResponse = new OCSPResp(response.readEntity(InputStream.class));
        // verify the response status
        switch(ocspResponse.getStatus()) {
            case OCSPRespBuilder.SUCCESSFUL:
                ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Successful);
                break;
            case OCSPRespBuilder.INTERNAL_ERROR:
                ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.InternalError);
                break;
            case OCSPRespBuilder.MALFORMED_REQUEST:
                ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.MalformedRequest);
                break;
            case OCSPRespBuilder.SIG_REQUIRED:
                ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.SignatureRequired);
                break;
            case OCSPRespBuilder.TRY_LATER:
                ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.TryLater);
                break;
            case OCSPRespBuilder.UNAUTHORIZED:
                ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Unauthorized);
                break;
            default:
                ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Unknown);
                break;
        }
        // only proceed if the response was successful
        if (ocspResponse.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
            logger.warn(String.format("OCSP request was unsuccessful (%s).", ocspStatus.getResponseStatus().toString()));
            return ocspStatus;
        }
        // ensure the appropriate response object
        final Object ocspResponseObject = ocspResponse.getResponseObject();
        if (ocspResponseObject == null || !(ocspResponseObject instanceof BasicOCSPResp)) {
            logger.warn(String.format("Unexpected OCSP response object: %s", ocspResponseObject));
            return ocspStatus;
        }
        // get the response object
        final BasicOCSPResp basicOcspResponse = (BasicOCSPResp) ocspResponse.getResponseObject();
        // attempt to locate the responder certificate
        final X509CertificateHolder[] responderCertificates = basicOcspResponse.getCerts();
        if (responderCertificates.length != 1) {
            logger.warn(String.format("Unexpected number of OCSP responder certificates: %s", responderCertificates.length));
            return ocspStatus;
        }
        // get the responder certificate
        final X509Certificate trustedResponderCertificate = getTrustedResponderCertificate(responderCertificates[0], issuerCertificate);
        if (trustedResponderCertificate != null) {
            // verify the response
            if (basicOcspResponse.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(trustedResponderCertificate.getPublicKey()))) {
                ocspStatus.setVerificationStatus(VerificationStatus.Verified);
            } else {
                ocspStatus.setVerificationStatus(VerificationStatus.Unverified);
            }
        } else {
            ocspStatus.setVerificationStatus(VerificationStatus.Unverified);
        }
        // validate the response
        final SingleResp[] responses = basicOcspResponse.getResponses();
        for (SingleResp singleResponse : responses) {
            final CertificateID responseCertificateId = singleResponse.getCertID();
            final BigInteger responseSerialNumber = responseCertificateId.getSerialNumber();
            if (responseSerialNumber.equals(subjectSerialNumber)) {
                Object certStatus = singleResponse.getCertStatus();
                // interpret the certificate status
                if (CertificateStatus.GOOD == certStatus) {
                    ocspStatus.setValidationStatus(ValidationStatus.Good);
                } else if (certStatus instanceof RevokedStatus) {
                    ocspStatus.setValidationStatus(ValidationStatus.Revoked);
                } else {
                    ocspStatus.setValidationStatus(ValidationStatus.Unknown);
                }
            }
        }
    } catch (final OCSPException | IOException | ProcessingException | OperatorCreationException e) {
        logger.error(e.getMessage(), e);
    } catch (CertificateException e) {
        e.printStackTrace();
    }
    return ocspStatus;
}
Also used : CertificateException(java.security.cert.CertificateException) Extensions(org.bouncycastle.asn1.x509.Extensions) DEROctetString(org.bouncycastle.asn1.DEROctetString) OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) OCSPException(org.bouncycastle.cert.ocsp.OCSPException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder) SingleResp(org.bouncycastle.cert.ocsp.SingleResp) ProcessingException(javax.ws.rs.ProcessingException) CertificateID(org.bouncycastle.cert.ocsp.CertificateID) FileInputStream(java.io.FileInputStream) InputStream(java.io.InputStream) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) Extension(org.bouncycastle.asn1.x509.Extension) Response(javax.ws.rs.core.Response) JcaContentVerifierProviderBuilder(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder) RevokedStatus(org.bouncycastle.cert.ocsp.RevokedStatus) DigestCalculatorProvider(org.bouncycastle.operator.DigestCalculatorProvider) OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) BigInteger(java.math.BigInteger) JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)

Example 13 with OCSPReqBuilder

use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project netty by netty.

the class OcspRequestBuilder method build.

/**
 * ATTENTION: The returned {@link OCSPReq} is not re-usable/cacheable! It contains a one-time nonce
 * and CA's will (should) reject subsequent requests that have the same nonce value.
 */
public OCSPReq build() throws OCSPException, IOException, CertificateEncodingException {
    SecureRandom generator = checkNotNull(this.generator, "generator");
    DigestCalculator calculator = checkNotNull(this.calculator, "calculator");
    X509Certificate certificate = checkNotNull(this.certificate, "certificate");
    X509Certificate issuer = checkNotNull(this.issuer, "issuer");
    BigInteger serial = certificate.getSerialNumber();
    CertificateID certId = new CertificateID(calculator, new X509CertificateHolder(issuer.getEncoded()), serial);
    OCSPReqBuilder builder = new OCSPReqBuilder();
    builder.addRequest(certId);
    byte[] nonce = new byte[8];
    generator.nextBytes(nonce);
    Extension[] extensions = new Extension[] { new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce)) };
    builder.setRequestExtensions(new Extensions(extensions));
    return builder.build();
}
Also used : Extension(org.bouncycastle.asn1.x509.Extension) CertificateID(org.bouncycastle.cert.ocsp.CertificateID) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) DigestCalculator(org.bouncycastle.operator.DigestCalculator) SecureRandom(java.security.SecureRandom) BigInteger(java.math.BigInteger) Extensions(org.bouncycastle.asn1.x509.Extensions) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder) X509Certificate(java.security.cert.X509Certificate) DEROctetString(org.bouncycastle.asn1.DEROctetString)

Example 14 with OCSPReqBuilder

use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project oxAuth by GluuFederation.

the class OCSPCertificateVerifier method generateOCSPRequest.

private OCSPReq generateOCSPRequest(CertificateID certificateId) throws OCSPException, OperatorCreationException, CertificateEncodingException {
    OCSPReqBuilder ocspReqGenerator = new OCSPReqBuilder();
    ocspReqGenerator.addRequest(certificateId);
    OCSPReq ocspReq = ocspReqGenerator.build();
    return ocspReq;
}
Also used : OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder)

Example 15 with OCSPReqBuilder

use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project xipki by xipki.

the class OcspBenchRequestor method buildRequest.

// method ask
private byte[] buildRequest(BigInteger[] serialNumbers) throws OcspRequestorException {
    boolean canCache = (serialNumbers.length == 1) && !requestOptions.isUseNonce();
    if (canCache) {
        byte[] request = requests.get(serialNumbers[0]);
        if (request != null) {
            return request;
        }
    }
    OCSPReqBuilder reqBuilder = new OCSPReqBuilder();
    if (requestOptions.isUseNonce() || extensions != null) {
        List<Extension> extns = new ArrayList<>(2);
        if (requestOptions.isUseNonce()) {
            Extension extn = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nextNonce(requestOptions.getNonceLen())));
            extns.add(extn);
        }
        if (extensions != null) {
            for (Extension extn : extensions) {
                extns.add(extn);
            }
        }
        reqBuilder.setRequestExtensions(new Extensions(extns.toArray(extnType)));
    }
    try {
        for (BigInteger serialNumber : serialNumbers) {
            CertID certId = new CertID(issuerhashAlg, issuerNameHash, issuerKeyHash, new ASN1Integer(serialNumber));
            reqBuilder.addRequest(new CertificateID(certId));
        }
        byte[] request = reqBuilder.build().getEncoded();
        if (canCache) {
            requests.put(serialNumbers[0], request);
        }
        return request;
    } catch (OCSPException | IOException ex) {
        throw new OcspRequestorException(ex.getMessage(), ex);
    }
}
Also used : OcspRequestorException(org.xipki.ocsp.client.api.OcspRequestorException) CertID(org.bouncycastle.asn1.ocsp.CertID) CertificateID(org.bouncycastle.cert.ocsp.CertificateID) ArrayList(java.util.ArrayList) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) IOException(java.io.IOException) Extensions(org.bouncycastle.asn1.x509.Extensions) DEROctetString(org.bouncycastle.asn1.DEROctetString) Extension(org.bouncycastle.asn1.x509.Extension) OCSPException(org.bouncycastle.cert.ocsp.OCSPException) BigInteger(java.math.BigInteger) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder)

Aggregations

OCSPReqBuilder (org.bouncycastle.cert.ocsp.OCSPReqBuilder)24 CertificateID (org.bouncycastle.cert.ocsp.CertificateID)21 Extension (org.bouncycastle.asn1.x509.Extension)13 Extensions (org.bouncycastle.asn1.x509.Extensions)13 DEROctetString (org.bouncycastle.asn1.DEROctetString)12 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)12 IOException (java.io.IOException)11 BigInteger (java.math.BigInteger)10 JcaDigestCalculatorProviderBuilder (org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)8 OCSPException (org.bouncycastle.cert.ocsp.OCSPException)7 DigestCalculator (org.bouncycastle.operator.DigestCalculator)7 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)7 CertificateEncodingException (java.security.cert.CertificateEncodingException)6 X509Certificate (java.security.cert.X509Certificate)6 DigestCalculatorProvider (org.bouncycastle.operator.DigestCalculatorProvider)6 JcaX509CertificateHolder (org.bouncycastle.cert.jcajce.JcaX509CertificateHolder)5 OCSPReq (org.bouncycastle.cert.ocsp.OCSPReq)5 SecureRandom (java.security.SecureRandom)3 CertificateException (java.security.cert.CertificateException)3 ArrayList (java.util.ArrayList)3
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial