Search in sources :

Example 1 with JcaCertificateID

use of org.bouncycastle.cert.ocsp.jcajce.JcaCertificateID in project keycloak by keycloak.

the class OCSPUtils method check.

/**
 * Requests certificate revocation status using OCSP.
 * @param cert the certificate to be checked
 * @param issuerCertificate the issuer certificate
 * @param responderURIs the OCSP responder URIs
 * @param responderCert the OCSP responder certificate
 * @param date if null, the current time is used.
 * @return a revocation status
 * @throws CertPathValidatorException
 */
private static OCSPRevocationStatus check(KeycloakSession session, X509Certificate cert, X509Certificate issuerCertificate, List<URI> responderURIs, X509Certificate responderCert, Date date) throws CertPathValidatorException {
    if (responderURIs == null || responderURIs.size() == 0)
        throw new IllegalArgumentException("Need at least one responder");
    try {
        DigestCalculator digCalc = new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
        JcaCertificateID certificateID = new JcaCertificateID(digCalc, issuerCertificate, cert.getSerialNumber());
        // Create a nounce extension to protect against replay attacks
        SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
        BigInteger nounce = BigInteger.valueOf(Math.abs(random.nextInt()));
        DEROctetString derString = new DEROctetString(nounce.toByteArray());
        Extension nounceExtension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, derString);
        Extensions extensions = new Extensions(nounceExtension);
        OCSPReq ocspReq = new OCSPReqBuilder().addRequest(certificateID, extensions).build();
        URI responderURI = responderURIs.get(0);
        logger.log(Level.INFO, "OCSP Responder {0}", responderURI);
        try {
            OCSPResp resp = getResponse(session, ocspReq, responderURI);
            logger.log(Level.FINE, "Received a response from OCSP responder {0}, the response status is {1}", new Object[] { responderURI, resp.getStatus() });
            switch(resp.getStatus()) {
                case OCSPResp.SUCCESSFUL:
                    if (resp.getResponseObject() instanceof BasicOCSPResp) {
                        return processBasicOCSPResponse(issuerCertificate, responderCert, date, certificateID, nounce, (BasicOCSPResp) resp.getResponseObject());
                    } else {
                        throw new CertPathValidatorException("OCSP responder returned an invalid or unknown OCSP response.");
                    }
                case OCSPResp.INTERNAL_ERROR:
                case OCSPResp.TRY_LATER:
                    throw new CertPathValidatorException("Internal error/try later. OCSP response error: " + resp.getStatus(), (Throwable) null, (CertPath) null, -1, CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
                case OCSPResp.SIG_REQUIRED:
                    throw new CertPathValidatorException("Invalid or missing signature. OCSP response error: " + resp.getStatus(), (Throwable) null, (CertPath) null, -1, CertPathValidatorException.BasicReason.INVALID_SIGNATURE);
                case OCSPResp.UNAUTHORIZED:
                    throw new CertPathValidatorException("Unauthorized request. OCSP response error: " + resp.getStatus(), (Throwable) null, (CertPath) null, -1, CertPathValidatorException.BasicReason.UNSPECIFIED);
                case OCSPResp.MALFORMED_REQUEST:
                default:
                    throw new CertPathValidatorException("OCSP request is malformed. OCSP response error: " + resp.getStatus(), (Throwable) null, (CertPath) null, -1, CertPathValidatorException.BasicReason.UNSPECIFIED);
            }
        } catch (IOException e) {
            logger.log(Level.FINE, "OCSP Responder \"{0}\" failed to return a valid OCSP response\n{1}", new Object[] { responderURI, e.getMessage() });
            throw new CertPathValidatorException("OCSP check failed", e);
        }
    } catch (CertificateNotYetValidException | CertificateExpiredException | OperatorCreationException | OCSPException | CertificateEncodingException | NoSuchAlgorithmException | NoSuchProviderException e) {
        logger.log(Level.FINE, e.getMessage());
        throw new CertPathValidatorException(e.getMessage(), e);
    }
}
Also used : DigestCalculator(org.bouncycastle.operator.DigestCalculator) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) Extensions(org.bouncycastle.asn1.x509.Extensions) URI(java.net.URI) DEROctetString(org.bouncycastle.asn1.DEROctetString) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) BcDigestCalculatorProvider(org.bouncycastle.operator.bc.BcDigestCalculatorProvider) JcaCertificateID(org.bouncycastle.cert.ocsp.jcajce.JcaCertificateID) SecureRandom(java.security.SecureRandom) IOException(java.io.IOException) Extension(org.bouncycastle.asn1.x509.Extension) BigInteger(java.math.BigInteger) NoSuchProviderException(java.security.NoSuchProviderException)

Aggregations

IOException (java.io.IOException)1 BigInteger (java.math.BigInteger)1 URI (java.net.URI)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 NoSuchProviderException (java.security.NoSuchProviderException)1 SecureRandom (java.security.SecureRandom)1 DEROctetString (org.bouncycastle.asn1.DEROctetString)1 AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)1 Extension (org.bouncycastle.asn1.x509.Extension)1 Extensions (org.bouncycastle.asn1.x509.Extensions)1 JcaCertificateID (org.bouncycastle.cert.ocsp.jcajce.JcaCertificateID)1 DigestCalculator (org.bouncycastle.operator.DigestCalculator)1 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)1 BcDigestCalculatorProvider (org.bouncycastle.operator.bc.BcDigestCalculatorProvider)1