Use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project documentproduction by qld-gov-au.
Class OcspHelper, method generateOCSPRequest.
/**
 * Builds the OCSP request for {@code checkCertificate} and creates the
 * {@code CertificateID} that identifies it.
 *
 * <p>The nonce extension value is kept in {@code encodedNonce} so that the
 * matching response can later be compared against it.
 *
 * @return the OCSP request, ready to be sent to the responder
 * @throws OCSPException if the request cannot be built
 * @throws IOException if the issuer certificate cannot be encoded or the
 *         response-type extension value cannot be serialised
 */
private OCSPReq generateOCSPRequest() throws OCSPException, IOException {
    Security.addProvider(SecurityProvider.getProvider());

    // CertID: SHA-1 over the issuer name and key, plus the serial of the
    // certificate being checked.
    final CertificateID certId;
    try {
        certId = new CertificateID(new SHA1DigestCalculator(), new JcaX509CertificateHolder(issuerCertificate), checkCertificate.getSerialNumber());
    } catch (CertificateEncodingException e) {
        throw new IOException("Error creating CertificateID with the Certificate encoding", e);
    }

    // Ask for a basic OCSP response. Both extensions are non-critical:
    // https://tools.ietf.org/html/rfc2560#section-4.1.2 says support for any
    // specific extension is OPTIONAL and the critical flag SHOULD NOT be set.
    final byte[] basicResponseType = new DLSequence(OCSPObjectIdentifiers.id_pkix_ocsp_basic).getEncoded();
    final Extension responseExtension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_response, false, basicResponseType);

    // Nonce: 16 random bytes. The inner OCTET STRING is the nonce value, the
    // outer one is the extnValue wrapper (RFC 8954-style encoding); the field
    // is retained so the response's nonce can be checked for a replay.
    encodedNonce = new DEROctetString(new DEROctetString(create16BytesNonce()));
    final Extension nonceExtension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, encodedNonce);

    final OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
    requestBuilder.setRequestExtensions(new Extensions(new Extension[] { responseExtension, nonceExtension }));
    requestBuilder.addRequest(certId);
    return requestBuilder.build();
}
Use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project ph-commons by phax.
Class OCSPFuncTest, method generateOCSPRequest.
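/**
 * Builds an OCSP request for the certificate with serial
 * {@code aCheckSerialNumber} issued by {@code aIssuerCert}, carrying a
 * random nonce extension.
 *
 * @param aIssuerCert issuer certificate whose name and key are hashed into the CertID
 * @param aCheckSerialNumber serial number of the certificate whose status is requested
 * @return the OCSP request, never {@code null}
 * @throws OCSPException if the request cannot be built
 * @throws IllegalStateException if the digest calculator cannot be created
 *         or the issuer certificate cannot be encoded
 */
@Nonnull
public static OCSPReq generateOCSPRequest(final X509Certificate aIssuerCert, final BigInteger aCheckSerialNumber) throws OCSPException {
    try {
        final DigestCalculatorProvider aDigestCalculatorProvider = new JcaDigestCalculatorProviderBuilder().setProvider(PBCProvider.getProvider()).build();
        final DigestCalculator aDigestCalculator = aDigestCalculatorProvider.get(CertificateID.HASH_SHA1);

        // CertID structure (RFC 2560) uniquely identifies the certificate that
        // is the subject of the request: issuer name hash, issuer key hash and
        // the certificate's serial number.
        final CertificateID aCertificateID = new JcaCertificateID(aDigestCalculator, aIssuerCert, aCheckSerialNumber);

        // Nonce extension: binds the response to this request to prevent
        // replay. A predictable value such as System.nanoTime() does not give
        // that guarantee, so 16 bytes are drawn from a CSPRNG instead.
        final byte[] aNonce = new byte[16];
        new java.security.SecureRandom().nextBytes(aNonce);
        // Non-critical, as OCSP extensions SHOULD NOT be marked critical.
        // NOTE(review): the OCTET STRING passed here is used as the raw
        // extnValue; RFC 8954 specifies extnValue as an OCTET STRING wrapping
        // an OCTET STRING. Kept as before — confirm what the responder expects.
        final Extensions aExtensions = new Extensions(new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(aNonce)));

        final OCSPReqBuilder aBuilder = new OCSPReqBuilder();
        aBuilder.addRequest(aCertificateID);
        // Extension applies to the whole request, not to the single CertID
        aBuilder.setRequestExtensions(aExtensions);
        return aBuilder.build();
    } catch (final OperatorCreationException | CertificateEncodingException ex) {
        throw new IllegalStateException(ex);
    }
}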
Use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project OpenUnison by TremoloSecurity.
Class OCSP, method generateOcspRequest.
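/**
 * Builds an OCSP request for the certificate with the given serial number,
 * issued by {@code issuerCert}, carrying a random, non-critical nonce.
 *
 * @param issuerCert issuer certificate whose name and key are hashed into the CertID
 * @param serialNumber serial number of the certificate whose status is requested
 * @return the OCSP request
 * @throws OCSPException if the request cannot be built
 * @throws CertificateEncodingException if the issuer certificate cannot be encoded
 * @throws OperatorCreationException if the SHA-1 digest calculator cannot be created
 * @throws IOException if the encoded issuer certificate cannot be parsed
 */
private OCSPReq generateOcspRequest(X509Certificate issuerCert, BigInteger serialNumber) throws OCSPException, CertificateEncodingException, OperatorCreationException, IOException {
    BcDigestCalculatorProvider util = new BcDigestCalculatorProvider();
    // CertID: SHA-1 of the issuer name and key plus the serial number of the
    // certificate we are looking for
    CertificateID id = new CertificateID(util.get(CertificateID.HASH_SHA1), new X509CertificateHolder(issuerCert.getEncoded()), serialNumber);

    OCSPReqBuilder ocspGen = new OCSPReqBuilder();
    ocspGen.addRequest(id);

    // The nonce binds the response to this request (replay protection).
    // System.currentTimeMillis() was predictable and repeats within the same
    // millisecond, so 16 bytes are drawn from a CSPRNG instead.
    byte[] nonce = new byte[16];
    new java.security.SecureRandom().nextBytes(nonce);
    // Not critical: the critical flag SHOULD NOT be set on OCSP extensions
    // (RFC 2560 section 4.1.2 / RFC 6960 section 4.4). A critical nonce makes
    // a responder that does not support the extension reject the request.
    Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce));
    ocspGen.setRequestExtensions(new Extensions(new Extension[] { ext }));
    return ocspGen.build();
}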
Use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project ref-GemLibPki by gematik.
Class OcspRequestGenerator, method generateSingleOcspRequest.
/**
 * Builds a single-certificate OCSP request with BouncyCastle.
 *
 * <p>The request carries no extensions — in particular no nonce — and
 * identifies the certificate by a SHA-1 CertID over the issuer name and key.
 *
 * @param x509EeCert end-entity certificate whose status is requested
 * @param x509IssuerCert issuer of the end-entity certificate
 * @return OCSP request for exactly one certificate
 * @throws GemPkiException if the OCSP request cannot be generated
 */
public static OCSPReq generateSingleOcspRequest(@NonNull final X509Certificate x509EeCert, @NonNull final X509Certificate x509IssuerCert) throws GemPkiException {
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    try {
        final DigestCalculator sha1 = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
        // CertID: SHA-1 of issuer name/key plus the end-entity serial number
        final CertificateID certId = new CertificateID(sha1, new JcaX509CertificateHolder(x509IssuerCert), x509EeCert.getSerialNumber());

        final OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
        requestBuilder.addRequest(certId);
        return requestBuilder.build();
    } catch (final OperatorCreationException | CertificateEncodingException | OCSPException e) {
        throw new GemPkiException(ErrorCode.OCSP, "OCSP request Erzeugung fehlgeschlagen", e);
    }
}
Use of org.bouncycastle.cert.ocsp.OCSPReqBuilder in project mercury by yellow013.
Class OcspRequestBuilder, method build.
/**
 * ATTENTION: The returned {@link OCSPReq} is not re-usable/cacheable! It
 * contains a one-time nonce and CA's will (should) reject subsequent requests
 * that have the same nonce value.
 *
 * <p>All four builder properties ({@code generator}, {@code calculator},
 * {@code certificate}, {@code issuer}) must have been set beforehand; a
 * missing one fails in {@code checkNotNull}.
 *
 * @return a fresh OCSP request for {@code certificate} with an 8-byte random,
 *         non-critical nonce extension
 * @throws OCSPException if the request cannot be built
 * @throws IOException if the encoded issuer certificate cannot be parsed
 * @throws CertificateEncodingException if the issuer certificate cannot be encoded
 */
public OCSPReq build() throws OCSPException, IOException, CertificateEncodingException {
    final SecureRandom rng = checkNotNull(this.generator, "generator");
    final DigestCalculator digest = checkNotNull(this.calculator, "calculator");
    final X509Certificate subject = checkNotNull(this.certificate, "certificate");
    final X509Certificate issuerCert = checkNotNull(this.issuer, "issuer");

    // CertID: digest of the issuer name/key plus the subject's serial number
    final X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerCert.getEncoded());
    final CertificateID certId = new CertificateID(digest, issuerHolder, subject.getSerialNumber());

    // Nonce: 8 bytes from the caller-supplied SecureRandom, non-critical.
    // NOTE(review): the OCTET STRING is used as the raw extnValue; RFC 8954
    // describes extnValue as an OCTET STRING wrapping the nonce OCTET STRING.
    // Behaviour kept as before — confirm against the responder in use.
    final byte[] nonce = new byte[8];
    rng.nextBytes(nonce);
    final Extension nonceExt = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce));

    final OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
    requestBuilder.addRequest(certId);
    requestBuilder.setRequestExtensions(new Extensions(new Extension[] { nonceExt }));
    return requestBuilder.build();
}