Example 6 with RevokedStatus
use of org.bouncycastle.cert.ocsp.RevokedStatus in project nifi by apache.
the class OcspCertificateValidator method getOcspStatus.
/**
* Gets the OCSP status for the specified subject and issuer certificates.
*
* @param ocspStatusKey status key
* @return ocsp status
*/
private OcspStatus getOcspStatus(final OcspRequest ocspStatusKey) {
final X509Certificate subjectCertificate = ocspStatusKey.getSubjectCertificate();
final X509Certificate issuerCertificate = ocspStatusKey.getIssuerCertificate();
// initialize the default status
final OcspStatus ocspStatus = new OcspStatus();
ocspStatus.setVerificationStatus(VerificationStatus.Unknown);
ocspStatus.setValidationStatus(ValidationStatus.Unknown);
try {
// prepare the request
final BigInteger subjectSerialNumber = subjectCertificate.getSerialNumber();
final DigestCalculatorProvider calculatorProviderBuilder = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build();
final CertificateID certificateId = new CertificateID(calculatorProviderBuilder.get(CertificateID.HASH_SHA1), new X509CertificateHolder(issuerCertificate.getEncoded()), subjectSerialNumber);
// generate the request
final OCSPReqBuilder requestGenerator = new OCSPReqBuilder();
requestGenerator.addRequest(certificateId);
// Create a nonce to avoid replay attack
BigInteger nonce = BigInteger.valueOf(System.currentTimeMillis());
Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, new DEROctetString(nonce.toByteArray()));
requestGenerator.setRequestExtensions(new Extensions(new Extension[] { ext }));
final OCSPReq ocspRequest = requestGenerator.build();
// perform the request
final Response response = getClientResponse(ocspRequest);
// ensure the request was completed successfully
if (Response.Status.OK.getStatusCode() != response.getStatusInfo().getStatusCode()) {
logger.warn(String.format("OCSP request was unsuccessful (%s).", response.getStatus()));
return ocspStatus;
}
// interpret the response
OCSPResp ocspResponse = new OCSPResp(response.readEntity(InputStream.class));
// verify the response status
switch(ocspResponse.getStatus()) {
case OCSPRespBuilder.SUCCESSFUL:
ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Successful);
break;
case OCSPRespBuilder.INTERNAL_ERROR:
ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.InternalError);
break;
case OCSPRespBuilder.MALFORMED_REQUEST:
ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.MalformedRequest);
break;
case OCSPRespBuilder.SIG_REQUIRED:
ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.SignatureRequired);
break;
case OCSPRespBuilder.TRY_LATER:
ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.TryLater);
break;
case OCSPRespBuilder.UNAUTHORIZED:
ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Unauthorized);
break;
default:
ocspStatus.setResponseStatus(OcspStatus.ResponseStatus.Unknown);
break;
}
// only proceed if the response was successful
if (ocspResponse.getStatus() != OCSPRespBuilder.SUCCESSFUL) {
logger.warn(String.format("OCSP request was unsuccessful (%s).", ocspStatus.getResponseStatus().toString()));
return ocspStatus;
}
// ensure the appropriate response object
final Object ocspResponseObject = ocspResponse.getResponseObject();
if (ocspResponseObject == null || !(ocspResponseObject instanceof BasicOCSPResp)) {
logger.warn(String.format("Unexpected OCSP response object: %s", ocspResponseObject));
return ocspStatus;
}
// get the response object
final BasicOCSPResp basicOcspResponse = (BasicOCSPResp) ocspResponse.getResponseObject();
// attempt to locate the responder certificate
final X509CertificateHolder[] responderCertificates = basicOcspResponse.getCerts();
if (responderCertificates.length != 1) {
logger.warn(String.format("Unexpected number of OCSP responder certificates: %s", responderCertificates.length));
return ocspStatus;
}
// get the responder certificate
final X509Certificate trustedResponderCertificate = getTrustedResponderCertificate(responderCertificates[0], issuerCertificate);
if (trustedResponderCertificate != null) {
// verify the response
if (basicOcspResponse.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(trustedResponderCertificate.getPublicKey()))) {
ocspStatus.setVerificationStatus(VerificationStatus.Verified);
} else {
ocspStatus.setVerificationStatus(VerificationStatus.Unverified);
}
} else {
ocspStatus.setVerificationStatus(VerificationStatus.Unverified);
}
// validate the response
final SingleResp[] responses = basicOcspResponse.getResponses();
for (SingleResp singleResponse : responses) {
final CertificateID responseCertificateId = singleResponse.getCertID();
final BigInteger responseSerialNumber = responseCertificateId.getSerialNumber();
if (responseSerialNumber.equals(subjectSerialNumber)) {
Object certStatus = singleResponse.getCertStatus();
// interpret the certificate status
if (CertificateStatus.GOOD == certStatus) {
ocspStatus.setValidationStatus(ValidationStatus.Good);
} else if (certStatus instanceof RevokedStatus) {
ocspStatus.setValidationStatus(ValidationStatus.Revoked);
} else {
ocspStatus.setValidationStatus(ValidationStatus.Unknown);
}
}
}
} catch (final OCSPException | IOException | ProcessingException | OperatorCreationException e) {
logger.error(e.getMessage(), e);
} catch (CertificateException e) {
e.printStackTrace();
}
return ocspStatus;
}
Also used :
CertificateException(java.security.cert.CertificateException)
Extensions(org.bouncycastle.asn1.x509.Extensions)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp)
BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp)
OCSPException(org.bouncycastle.cert.ocsp.OCSPException)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder)
SingleResp(org.bouncycastle.cert.ocsp.SingleResp)
ProcessingException(javax.ws.rs.ProcessingException)
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
FileInputStream(java.io.FileInputStream)
InputStream(java.io.InputStream)
IOException(java.io.IOException)
X509Certificate(java.security.cert.X509Certificate)
Extension(org.bouncycastle.asn1.x509.Extension)
Response(javax.ws.rs.core.Response)
JcaContentVerifierProviderBuilder(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder)
RevokedStatus(org.bouncycastle.cert.ocsp.RevokedStatus)
DigestCalculatorProvider(org.bouncycastle.operator.DigestCalculatorProvider)
OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp)
BigInteger(java.math.BigInteger)
JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)
Example 7 with RevokedStatus
use of org.bouncycastle.cert.ocsp.RevokedStatus in project pdfbox by apache.
the class OcspHelper method verifyOcspResponse.
/**
* Verifies the status and the response itself (including nonce), but not the signature.
*
* @param ocspResponse to be verified
* @throws OCSPException
* @throws RevokedCertificateException
*/
private void verifyOcspResponse(OCSPResp ocspResponse) throws OCSPException, RevokedCertificateException {
verifyRespStatus(ocspResponse);
BasicOCSPResp basicResponse = (BasicOCSPResp) ocspResponse.getResponseObject();
if (basicResponse != null) {
checkOcspSignature(basicResponse.getCerts()[0], basicResponse);
checkNonce(basicResponse);
SingleResp[] responses = basicResponse.getResponses();
if (responses.length == 1) {
SingleResp resp = responses[0];
Object status = resp.getCertStatus();
if (status instanceof RevokedStatus) {
throw new RevokedCertificateException("OCSP: Certificate is revoked.");
} else if (status != CertificateStatus.GOOD) {
throw new OCSPException("OCSP: Status of Cert is unknown");
}
} else {
throw new OCSPException("OCSP: Recieved " + responses.length + " responses instead of 1!");
}
}
}
Also used :
RevokedStatus(org.bouncycastle.cert.ocsp.RevokedStatus)
OCSPException(org.bouncycastle.cert.ocsp.OCSPException)
BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp)
SingleResp(org.bouncycastle.cert.ocsp.SingleResp)
Example 8 with RevokedStatus
use of org.bouncycastle.cert.ocsp.RevokedStatus in project wso2-synapse by wso2.
the class OCSPVerifierTest method generateOCSPResponse.
/**
* This makes the corresponding OCSP response to the OCSP request which is sent to the fake CA. If the request
* has a certificateID which is marked as revoked by the CA, the OCSP response will say that the certificate
* which is referred to by the request, is revoked.
*
* @param request the OCSP request which asks if the certificate is revoked.
* @param caPrivateKey privateKey of the fake CA.
* @param caPublicKey publicKey of the fake CA
* @param revokedID the ID at fake CA which is checked against the certificateId in the request.
* @return the created OCSP response by the fake CA.
* @throws NoSuchProviderException
* @throws OCSPException
* @throws OperatorCreationException
*/
private OCSPResp generateOCSPResponse(OCSPReq request, X509CertificateHolder certificateHolder, PrivateKey caPrivateKey, PublicKey caPublicKey, CertificateID revokedID) throws NoSuchProviderException, OCSPException, OperatorCreationException {
BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(new RespID(certificateHolder.getSubject()));
Extension extension = request.getExtension(new ASN1ObjectIdentifier(OCSPObjectIdentifiers.id_pkix_ocsp.getId()));
if (extension != null) {
basicOCSPRespBuilder.setResponseExtensions(new Extensions(extension));
}
Req[] requests = request.getRequestList();
for (Req req : requests) {
CertificateID certID = req.getCertID();
if (certID.equals(revokedID)) {
RevokedStatus revokedStatus = new RevokedStatus(new Date(), CRLReason.privilegeWithdrawn);
Date nextUpdate = new Date(new Date().getTime() + TestConstants.NEXT_UPDATE_PERIOD);
basicOCSPRespBuilder.addResponse(certID, revokedStatus, nextUpdate, (Extensions) null);
} else {
basicOCSPRespBuilder.addResponse(certID, CertificateStatus.GOOD);
}
}
X509CertificateHolder[] chain = { certificateHolder };
ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(caPrivateKey);
BasicOCSPResp basicResp = basicOCSPRespBuilder.build(signer, chain, new Date());
OCSPRespBuilder builder = new OCSPRespBuilder();
return builder.build(OCSPRespBuilder.SUCCESSFUL, basicResp);
}
Also used :
BasicOCSPRespBuilder(org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder)
OCSPRespBuilder(org.bouncycastle.cert.ocsp.OCSPRespBuilder)
CertificateID(org.bouncycastle.cert.ocsp.CertificateID)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
Extensions(org.bouncycastle.asn1.x509.Extensions)
Date(java.util.Date)
Extension(org.bouncycastle.asn1.x509.Extension)
BasicOCSPRespBuilder(org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder)
RevokedStatus(org.bouncycastle.cert.ocsp.RevokedStatus)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp)
RespID(org.bouncycastle.cert.ocsp.RespID)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Req(org.bouncycastle.cert.ocsp.Req)
OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq)
Aggregations
RevokedStatus (org.bouncycastle.cert.ocsp.RevokedStatus)8
BasicOCSPResp (org.bouncycastle.cert.ocsp.BasicOCSPResp)7
CertificateID (org.bouncycastle.cert.ocsp.CertificateID)7
Date (java.util.Date)6
Extension (org.bouncycastle.asn1.x509.Extension)5
OCSPReq (org.bouncycastle.cert.ocsp.OCSPReq)5
SingleResp (org.bouncycastle.cert.ocsp.SingleResp)5
X509Certificate (java.security.cert.X509Certificate)4
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)4
OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp)4
JcaDigestCalculatorProviderBuilder (org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder)4
IOException (java.io.IOException)3
BigInteger (java.math.BigInteger)3
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)3
Extensions (org.bouncycastle.asn1.x509.Extensions)3
CertificateStatus (org.bouncycastle.cert.ocsp.CertificateStatus)3
OCSPException (org.bouncycastle.cert.ocsp.OCSPException)3
DigestCalculator (org.bouncycastle.operator.DigestCalculator)3
MalformedURLException (java.net.MalformedURLException)2
MessageDigest (java.security.MessageDigest)2
