Search in sources :

Example 21 with OCSPReqBuilder

use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project documentproduction by qld-gov-au.

the class OcspHelper method generateOCSPRequest.

/**
 * Generates an OCSP request and generates the <code>CertificateID</code>.
 *
 * @return OCSP request, ready to fetch data
 * @throws OCSPException
 * @throws IOException
 */
private OCSPReq generateOCSPRequest() throws OCSPException, IOException {
    Security.addProvider(SecurityProvider.getProvider());
    // Generate the ID for the certificate we are looking for
    CertificateID certId;
    try {
        certId = new CertificateID(new SHA1DigestCalculator(), new JcaX509CertificateHolder(issuerCertificate), checkCertificate.getSerialNumber());
    } catch (CertificateEncodingException e) {
        throw new IOException("Error creating CertificateID with the Certificate encoding", e);
    }
    // https://tools.ietf.org/html/rfc2560#section-4.1.2
    // Support for any specific extension is OPTIONAL. The critical flag
    // SHOULD NOT be set for any of them.
    Extension responseExtension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_response, false, new DLSequence(OCSPObjectIdentifiers.id_pkix_ocsp_basic).getEncoded());
    encodedNonce = new DEROctetString(new DEROctetString(create16BytesNonce()));
    Extension nonceExtension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, encodedNonce);
    OCSPReqBuilder builder = new OCSPReqBuilder();
    builder.setRequestExtensions(new Extensions(new Extension[] { responseExtension, nonceExtension }));
    builder.addRequest(certId);
    return builder.build();
}
Also used : Extension(org.bouncycastle.asn1.x509.Extension) DLSequence(org.bouncycastle.asn1.DLSequence) CertificateID(org.bouncycastle.cert.ocsp.CertificateID) CertificateEncodingException(java.security.cert.CertificateEncodingException) IOException(java.io.IOException) Extensions(org.bouncycastle.asn1.x509.Extensions) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder) DEROctetString(org.bouncycastle.asn1.DEROctetString)

Example 22 with OCSPReqBuilder

use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project ph-commons by phax.

the class OCSPFuncTest method generateOCSPRequest.

@Nonnull
public static OCSPReq generateOCSPRequest(final X509Certificate aIssuerCert, final BigInteger aCheckSerialNumber) throws OCSPException {
    try {
        final DigestCalculatorProvider aDigestCalculatorProvider = new JcaDigestCalculatorProviderBuilder().setProvider(PBCProvider.getProvider()).build();
        final DigestCalculator aDigestCalculator = aDigestCalculatorProvider.get(CertificateID.HASH_SHA1);
        // CertID structure is used to uniquely identify certificates that are the
        // subject of an OCSP request or response and has an ASN.1 definition.
        // CertID structure is defined in RFC 2560
        final CertificateID aCertificateID = new JcaCertificateID(aDigestCalculator, aIssuerCert, aCheckSerialNumber);
        // create details for nonce extension. The nonce extension is used to bind
        // a request to a response to prevent replay attacks. As the name implies,
        // the nonce value is something that the client should only use once
        // within a reasonably small period.
        final BigInteger aNonce = BigInteger.valueOf(System.nanoTime());
        // to create the request Extension
        final Extensions aExtensions = new Extensions(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(aNonce.toByteArray())));
        // basic request generation with nonce
        final OCSPReqBuilder aBuilder = new OCSPReqBuilder();
        aBuilder.addRequest(aCertificateID);
        // Extension to the whole request
        aBuilder.setRequestExtensions(aExtensions);
        return aBuilder.build();
    } catch (final OperatorCreationException | CertificateEncodingException ex) {
        throw new IllegalStateException(ex);
    }
}
Also used : CertificateID(org.bouncycastle.cert.ocsp.CertificateID) JcaCertificateID(org.bouncycastle.cert.ocsp.jcajce.JcaCertificateID) DigestCalculator(org.bouncycastle.operator.DigestCalculator) JcaCertificateID(org.bouncycastle.cert.ocsp.jcajce.JcaCertificateID) CertificateEncodingException(java.security.cert.CertificateEncodingException) Extensions(org.bouncycastle.asn1.x509.Extensions) DEROctetString(org.bouncycastle.asn1.DEROctetString) Extension(org.bouncycastle.asn1.x509.Extension) DigestCalculatorProvider(org.bouncycastle.operator.DigestCalculatorProvider) BigInteger(java.math.BigInteger) JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder) Nonnull(javax.annotation.Nonnull)

Example 23 with OCSPReqBuilder

use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project OpenUnison by TremoloSecurity.

the class OCSP method generateOcspRequest.

private OCSPReq generateOcspRequest(X509Certificate issuerCert, BigInteger serialNumber) throws OCSPException, CertificateEncodingException, OperatorCreationException, IOException {
    BcDigestCalculatorProvider util = new BcDigestCalculatorProvider();
    // Generate the id for the certificate we are looking for
    CertificateID id = new CertificateID(util.get(CertificateID.HASH_SHA1), new X509CertificateHolder(issuerCert.getEncoded()), serialNumber);
    OCSPReqBuilder ocspGen = new OCSPReqBuilder();
    ocspGen.addRequest(id);
    BigInteger nonce = BigInteger.valueOf(System.currentTimeMillis());
    Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, new DEROctetString(nonce.toByteArray()));
    ocspGen.setRequestExtensions(new Extensions(new Extension[] { ext }));
    return ocspGen.build();
}
Also used : BcDigestCalculatorProvider(org.bouncycastle.operator.bc.BcDigestCalculatorProvider) Extension(org.bouncycastle.asn1.x509.Extension) X509Extension(org.bouncycastle.asn1.x509.X509Extension) CertificateID(org.bouncycastle.cert.ocsp.CertificateID) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger) X509Extensions(org.bouncycastle.asn1.x509.X509Extensions) Extensions(org.bouncycastle.asn1.x509.Extensions) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder) DEROctetString(org.bouncycastle.asn1.DEROctetString)

Example 24 with OCSPReqBuilder

use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project ref-GemLibPki by gematik.

the class OcspRequestGenerator method generateSingleOcspRequest.

/**
 * Generates an OCSP request using BouncyCastle.
 *
 * @param x509EeCert     end-entity certificate
 * @param x509IssuerCert issuer of end-entity certificate
 * @return OCSP request for a single certificate
 * @throws GemPkiException if the ocsp request cannot be generated
 */
public static OCSPReq generateSingleOcspRequest(@NonNull final X509Certificate x509EeCert, @NonNull final X509Certificate x509IssuerCert) throws GemPkiException {
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    final JcaDigestCalculatorProviderBuilder digestCalculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder();
    final DigestCalculatorProvider digestCalculatorProvider;
    try {
        digestCalculatorProvider = digestCalculatorProviderBuilder.build();
        final DigestCalculator digestCalculator = digestCalculatorProvider.get(CertificateID.HASH_SHA1);
        // Generate the id for the certificate we are looking for
        final CertificateID id = new CertificateID(digestCalculator, new JcaX509CertificateHolder(x509IssuerCert), x509EeCert.getSerialNumber());
        // basic request generation with nonce
        final OCSPReqBuilder gen = new OCSPReqBuilder();
        gen.addRequest(id);
        return gen.build();
    } catch (final OperatorCreationException | CertificateEncodingException | OCSPException e) {
        throw new GemPkiException(ErrorCode.OCSP, "OCSP request Erzeugung fehlgeschlagen", e);
    }
}
Also used : CertificateID(org.bouncycastle.cert.ocsp.CertificateID) DigestCalculator(org.bouncycastle.operator.DigestCalculator) CertificateEncodingException(java.security.cert.CertificateEncodingException) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) GemPkiException(de.gematik.pki.exception.GemPkiException) DigestCalculatorProvider(org.bouncycastle.operator.DigestCalculatorProvider) OCSPException(org.bouncycastle.cert.ocsp.OCSPException) JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder)

Example 25 with OCSPReqBuilder

use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project mercury by yellow013.

the class OcspRequestBuilder method build.

/**
 * ATTENTION: The returned {@link OCSPReq} is not re-usable/cacheable! It
 * contains a one-time nonce and CA's will (should) reject subsequent requests
 * that have the same nonce value.
 */
public OCSPReq build() throws OCSPException, IOException, CertificateEncodingException {
    SecureRandom generator = checkNotNull(this.generator, "generator");
    DigestCalculator calculator = checkNotNull(this.calculator, "calculator");
    X509Certificate certificate = checkNotNull(this.certificate, "certificate");
    X509Certificate issuer = checkNotNull(this.issuer, "issuer");
    BigInteger serial = certificate.getSerialNumber();
    CertificateID certId = new CertificateID(calculator, new X509CertificateHolder(issuer.getEncoded()), serial);
    OCSPReqBuilder builder = new OCSPReqBuilder();
    builder.addRequest(certId);
    byte[] nonce = new byte[8];
    generator.nextBytes(nonce);
    Extension[] extensions = new Extension[] { new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce)) };
    builder.setRequestExtensions(new Extensions(extensions));
    return builder.build();
}
Also used : Extension(org.bouncycastle.asn1.x509.Extension) CertificateID(org.bouncycastle.cert.ocsp.CertificateID) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) DigestCalculator(org.bouncycastle.operator.DigestCalculator) SecureRandom(java.security.SecureRandom) BigInteger(java.math.BigInteger) Extensions(org.bouncycastle.asn1.x509.Extensions) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder) X509Certificate(java.security.cert.X509Certificate) DEROctetString(org.bouncycastle.asn1.DEROctetString)

Aggregations

OCSPReqBuilder (org.bouncycastle.cert.ocsp.OCSPReqBuilder)25 CertificateID (org.bouncycastle.cert.ocsp.CertificateID)22 Extension (org.bouncycastle.asn1.x509.Extension)14 Extensions (org.bouncycastle.asn1.x509.Extensions)14 DEROctetString (org.bouncycastle.asn1.DEROctetString)13 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)12 IOException (java.io.IOException)11 BigInteger (java.math.BigInteger)11 JcaDigestCalculatorProviderBuilder (org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)9 DigestCalculator (org.bouncycastle.operator.DigestCalculator)8 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)8 CertificateEncodingException (java.security.cert.CertificateEncodingException)7 OCSPException (org.bouncycastle.cert.ocsp.OCSPException)7 DigestCalculatorProvider (org.bouncycastle.operator.DigestCalculatorProvider)7 X509Certificate (java.security.cert.X509Certificate)6 JcaX509CertificateHolder (org.bouncycastle.cert.jcajce.JcaX509CertificateHolder)5 OCSPReq (org.bouncycastle.cert.ocsp.OCSPReq)5 SecureRandom (java.security.SecureRandom)3 CertificateException (java.security.cert.CertificateException)3 ArrayList (java.util.ArrayList)3