
Example 21 with OCSPResp

Use of org.bouncycastle.cert.ocsp.OCSPResp in project netty by netty.

The class OcspServerExample, method main.

public static void main(String[] args) throws Exception {
    // We assume there's a private key.
    PrivateKey privateKey = null;
    // Step 1: Load the certificate chain for netty.io. We'll need the certificate
    // and the issuer's certificate and we don't need any of the intermediate certs.
    // The array is assumed to be a certain order to keep things simple.
    X509Certificate[] keyCertChain = parseCertificates(OcspServerExample.class, "netty_io_chain.pem");
    X509Certificate certificate = keyCertChain[0];
    X509Certificate issuer = keyCertChain[keyCertChain.length - 1];
    // Step 2: We need the URL of the CA's OCSP responder server. It's somewhere encoded
    // into the certificate (the Authority Information Access extension). Notice that it's an HTTP URL.
    URI uri = OcspUtils.ocspUri(certificate);
    System.out.println("OCSP Responder URI: " + uri);
    if (uri == null) {
        throw new IllegalStateException("The CA/certificate doesn't have an OCSP responder");
    }
    // Step 3: Construct the OCSP request (CertID built from the issuer name/key hash and our serial).
    OCSPReq request = new OcspRequestBuilder().certificate(certificate).issuer(issuer).build();
    // Step 4: Do the request to the CA's OCSP responder, with a 5 second timeout.
    OCSPResp response = OcspUtils.request(uri, request, 5L, TimeUnit.SECONDS);
    if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
        throw new IllegalStateException("response-status=" + response.getStatus());
    }
    // Step 5: Is my certificate any good or has the CA revoked it?
    // Note: this example does not verify the responder's signature on the BasicOCSPResp
    // (BasicOCSPResp.isSignatureValid(...)). A production client must, otherwise a forged
    // "good" answer from anyone on the network path would be accepted.
    BasicOCSPResp basicResponse = (BasicOCSPResp) response.getResponseObject();
    SingleResp first = basicResponse.getResponses()[0];
    // Bouncy Castle represents the "good" status as a null CertificateStatus.
    CertificateStatus status = first.getCertStatus();
    System.out.println("Status: " + (status == CertificateStatus.GOOD ? "Good" : status));
    System.out.println("This Update: " + first.getThisUpdate());
    System.out.println("Next Update: " + first.getNextUpdate());
    if (status != null) {
        throw new IllegalStateException("certificate-status=" + status);
    }
    // Make sure the response actually answers for our certificate's serial number.
    BigInteger certSerial = certificate.getSerialNumber();
    BigInteger ocspSerial = first.getCertID().getSerialNumber();
    if (!certSerial.equals(ocspSerial)) {
        throw new IllegalStateException("Bad Serials=" + certSerial + " vs. " + ocspSerial);
    }
    // Step 6: OCSP stapling requires Netty's OpenSSL-based provider with OCSP support.
    if (!OpenSsl.isAvailable()) {
        throw new IllegalStateException("OpenSSL is not available!");
    }
    if (!OpenSsl.isOcspSupported()) {
        throw new IllegalStateException("OCSP is not supported!");
    }
    if (privateKey == null) {
        throw new IllegalStateException("Because we don't have a PrivateKey we can't continue past this point.");
    }
    ReferenceCountedOpenSslContext context = (ReferenceCountedOpenSslContext) SslContextBuilder.forServer(privateKey, keyCertChain).sslProvider(SslProvider.OPENSSL).enableOcsp(true).build();
    try {
        // The handler staples the DER-encoded OCSP response into the TLS handshake.
        ServerBootstrap bootstrap = new ServerBootstrap().childHandler(newServerHandler(context, response));
        // so on and so forth...
    } finally {
        context.release();
    }
}
Also used: PrivateKey (java.security.PrivateKey), CertificateStatus (org.bouncycastle.cert.ocsp.CertificateStatus), URI (java.net.URI), X509Certificate (java.security.cert.X509Certificate), ServerBootstrap (io.netty.bootstrap.ServerBootstrap), OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp), BasicOCSPResp (org.bouncycastle.cert.ocsp.BasicOCSPResp), ReferenceCountedOpenSslContext (io.netty.handler.ssl.ReferenceCountedOpenSslContext), OCSPReq (org.bouncycastle.cert.ocsp.OCSPReq), BigInteger (java.math.BigInteger), SingleResp (org.bouncycastle.cert.ocsp.SingleResp)

Example 22 with OCSPResp

Use of org.bouncycastle.cert.ocsp.OCSPResp in project oxAuth by GluuFederation.

The class OCSPCertificateVerifier, method requestOCSPResponse.

public OCSPResp requestOCSPResponse(String url, OCSPReq ocspReq) throws IOException, MalformedURLException {
    byte[] ocspReqData = ocspReq.getEncoded();
    HttpURLConnection con = (HttpURLConnection) new URL(url).openConnection();
    try {
        // OCSP over HTTP (RFC 6960, Appendix A): POST the DER-encoded request with these media types.
        // Note: no connect or read timeout is set, so an unresponsive responder blocks the caller indefinitely.
        con.setRequestProperty("Content-Type", "application/ocsp-request");
        con.setRequestProperty("Accept", "application/ocsp-response");
        con.setDoInput(true);
        con.setDoOutput(true);
        con.setUseCaches(false);
        OutputStream out = con.getOutputStream();
        try {
            IOUtils.write(ocspReqData, out);
            out.flush();
        } finally {
            IOUtils.closeQuietly(out);
        }
        // Parse the DER-encoded OCSPResponse. The caller is expected to check getStatus()
        // and to verify the signature and CertID of the contained BasicOCSPResp.
        byte[] responseBytes = IOUtils.toByteArray(con.getInputStream());
        return new OCSPResp(responseBytes);
    } finally {
        con.disconnect();
    }
}
Also used: HttpURLConnection (java.net.HttpURLConnection), OutputStream (java.io.OutputStream), URL (java.net.URL), OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp), BasicOCSPResp (org.bouncycastle.cert.ocsp.BasicOCSPResp)

Example 23 with OCSPResp

Use of org.bouncycastle.cert.ocsp.OCSPResp in project jruby-openssl by jruby.

The class OCSPResponse, method create.

@JRubyMethod(name = "create", meta = true)
public static IRubyObject create(final ThreadContext context, final IRubyObject self, IRubyObject status) {
    Ruby runtime = context.runtime;
    OCSPRespBuilder builder = new OCSPRespBuilder();
    OCSPResp tmpResp;
    OCSPResponse ret = new OCSPResponse(runtime);
    try {
        // Build an OCSPResponse that carries only the given status code and no
        // responseBytes, as used for non-successful replies (malformedRequest,
        // internalError, tryLater, ...), and wrap its DER encoding in a Ruby String.
        tmpResp = builder.build(RubyFixnum.fix2int((RubyFixnum) status), null);
        ret.initialize(context, new IRubyObject[] { RubyString.newString(runtime, tmpResp.getEncoded()) });
    } catch (Exception e) {
        throw newOCSPError(runtime, e);
    }
    return ret;
}
Also used: OCSPRespBuilder (org.bouncycastle.cert.ocsp.OCSPRespBuilder), Ruby (org.jruby.Ruby), RaiseException (org.jruby.exceptions.RaiseException), IOException (java.io.IOException), OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp), BasicOCSPResp (org.bouncycastle.cert.ocsp.BasicOCSPResp), JRubyMethod (org.jruby.anno.JRubyMethod)

Example 24 with OCSPResp

Use of org.bouncycastle.cert.ocsp.OCSPResp in project keycloak by keycloak.

The class OcspHandler, method handleRequest.

@Override
public void handleRequest(final HttpServerExchange exchange) throws Exception {
    // Blocking I/O follows, so move off the Undertow I/O thread first.
    if (exchange.isInIoThread()) {
        exchange.dispatch(this);
        return;
    }
    // Read the whole DER-encoded request body. A single read() may return fewer
    // bytes than the client sent, so copy until end of stream instead of parsing
    // one partially filled buffer.
    final ByteArrayOutputStream body = new ByteArrayOutputStream();
    try (InputStream requestStream = exchange.getInputStream()) {
        final byte[] buffy = new byte[16384];
        int n;
        while ((n = requestStream.read(buffy)) != -1) {
            body.write(buffy, 0, n);
        }
    }
    final OCSPReq request = new OCSPReq(body.toByteArray());
    final Req[] requested = request.getRequestList();
    // Echo the client's nonce (RFC 6960, section 4.4.1) so it can bind this reply to its request.
    final Extension nonce = request.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    final DigestCalculator sha1Calculator = new JcaDigestCalculatorProviderBuilder().build().get(AlgorithmIdentifier.getInstance(RespID.HASH_SHA1));
    // Responder is identified by the SHA-1 hash of its public key (byKey ResponderID).
    final BasicOCSPRespBuilder responseBuilder = new BasicOCSPRespBuilder(subjectPublicKeyInfo, sha1Calculator);
    if (nonce != null) {
        responseBuilder.setResponseExtensions(new Extensions(nonce));
    }
    for (final Req req : requested) {
        final CertificateID certId = req.getCertID();
        final BigInteger certificateSerialNumber = certId.getSerialNumber();
        // Bouncy Castle treats a null CertificateStatus as "good", so every serial absent
        // from REVOKED_CERTIFICATES_STATUS is reported good. That suits this test responder;
        // a real one should answer UnknownStatus for serials it never issued.
        responseBuilder.addResponse(certId, REVOKED_CERTIFICATES_STATUS.get(certificateSerialNumber));
    }
    // Sign the BasicOCSPResponse with the responder key (SHA-256 with RSA) and attach the responder chain.
    final ContentSigner contentSigner = new BcRSAContentSignerBuilder(new AlgorithmIdentifier(PKCSObjectIdentifiers.sha256WithRSAEncryption), new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256)).build(privateKey);
    final OCSPResp response = new OCSPRespBuilder().build(OCSPResp.SUCCESSFUL, responseBuilder.build(contentSigner, chain, new Date()));
    final byte[] responseBytes = response.getEncoded();
    final HeaderMap responseHeaders = exchange.getResponseHeaders();
    responseHeaders.put(Headers.CONTENT_TYPE, "application/ocsp-response");
    final Sender responseSender = exchange.getResponseSender();
    responseSender.send(ByteBuffer.wrap(responseBytes));
    exchange.endExchange();
}
Also used: BasicOCSPRespBuilder (org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder), OCSPRespBuilder (org.bouncycastle.cert.ocsp.OCSPRespBuilder), ByteArrayOutputStream (java.io.ByteArrayOutputStream), InputStream (java.io.InputStream), CertificateID (org.bouncycastle.cert.ocsp.CertificateID), DigestCalculator (org.bouncycastle.operator.DigestCalculator), ContentSigner (org.bouncycastle.operator.ContentSigner), Extensions (org.bouncycastle.asn1.x509.Extensions), Date (java.util.Date), AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier), OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp), Extension (org.bouncycastle.asn1.x509.Extension), Sender (io.undertow.io.Sender), BcRSAContentSignerBuilder (org.bouncycastle.operator.bc.BcRSAContentSignerBuilder), HeaderMap (io.undertow.util.HeaderMap), OCSPReq (org.bouncycastle.cert.ocsp.OCSPReq), BigInteger (java.math.BigInteger), JcaDigestCalculatorProviderBuilder (org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder), Req (org.bouncycastle.cert.ocsp.Req)

Aggregations (type, package, number of examples using it)

OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp): 24
BasicOCSPResp (org.bouncycastle.cert.ocsp.BasicOCSPResp): 19
IOException (java.io.IOException): 13
X509Certificate (java.security.cert.X509Certificate): 10
OCSPReq (org.bouncycastle.cert.ocsp.OCSPReq): 10
CertificateID (org.bouncycastle.cert.ocsp.CertificateID): 9
BigInteger (java.math.BigInteger): 8
SingleResp (org.bouncycastle.cert.ocsp.SingleResp): 8
JcaDigestCalculatorProviderBuilder (org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder): 8
InputStream (java.io.InputStream): 6
URL (java.net.URL): 6
OCSPException (org.bouncycastle.cert.ocsp.OCSPException): 6
OutputStream (java.io.OutputStream): 5
HttpURLConnection (java.net.HttpURLConnection): 5
Extension (org.bouncycastle.asn1.x509.Extension): 5
RevokedStatus (org.bouncycastle.cert.ocsp.RevokedStatus): 5
DigestCalculator (org.bouncycastle.operator.DigestCalculator): 5
CertificateEncodingException (java.security.cert.CertificateEncodingException): 4
ArrayList (java.util.ArrayList): 4
Date (java.util.Date): 4