Example usage for org.bouncycastle.asn1.ocsp BasicOCSPResponse getSignature

List of usage examples for org.bouncycastle.asn1.ocsp BasicOCSPResponse getSignature

Introduction

This page shows example usage of org.bouncycastle.asn1.ocsp BasicOCSPResponse getSignature.

Prototype

public DERBitString getSignature() 


Usage

From source file: support.revocation.OCSP.java

License: Apache License

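/**
 * Parses and verifies the given OCSP response for a certificate that was
 * issued by the CA identified by {@code issuerCertificate}.
 *
 * <p>The signature over {@code tbsResponseData} is checked against the issuer
 * certificate itself or, when the response carries its own certificates, against
 * the first of those after it has been chained to the issuer and confirmed to be
 * authorised for OCSP signing. Exactly one {@code SingleResponse} is expected.
 *
 * @param response          the OCSP response as received from the responder
 * @param issuerCertificate the issuing CA certificate; trust anchor for any
 *                          responder certificate supplied in the response, and
 *                          the signer when none is supplied
 * @return the parsed result: the first argument is {@code true} only when the
 *         certStatus is {@code revoked}, the second is {@code nextUpdate} when
 *         present (both {@code false}/{@code null} when the response carries no
 *         responseBytes)
 * @throws IOException              if the response cannot be decoded (ASN.1 and
 *                                  date parsing errors are wrapped)
 * @throws GeneralSecurityException if the responder certificate does not
 *                                  validate or is not authorised for OCSP
 *                                  signing, the signature does not verify, or
 *                                  the response does not hold exactly one
 *                                  {@code SingleResponse}
 */
private static Response processOCSPResponse(OCSPResponse response, X509Certificate issuerCertificate)
        throws IOException, GeneralSecurityException {
    try {
        // Without responseBytes there is no status to verify; reported as not revoked.
        if (response.getResponseBytes() == null)
            return new Response(false, null);

        BasicOCSPResponse basicResponse = BasicOCSPResponse
                .getInstance(parseASN1(response.getResponseBytes().getResponse()));

        Signature signature = createSignature(basicResponse);

        // Decide which certificate's key must have produced the signature.
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        X509Certificate signerCertificate = selectSignerCertificate(factory, basicResponse.getCerts(),
                issuerCertificate);

        // Verify the signature over the DER-encoded tbsResponseData.
        signature.initVerify(signerCertificate.getPublicKey());
        signature.update(basicResponse.getTbsResponseData().getEncoded());
        if (!signature.verify(basicResponse.getSignature().getBytes()))
            throw new SignatureException("OCSP signature verification failed");

        ASN1Sequence responses = basicResponse.getTbsResponseData().getResponses();
        if (responses.size() != 1)
            throw new GeneralSecurityException("OCSP response mismatch");
        SingleResponse singleResponse = SingleResponse.getInstance(responses.getObjectAt(0));

        // CertStatus ::= CHOICE {
        //   good        [0]     IMPLICIT NULL
        //   revoked     [1]     IMPLICIT RevokedInfo
        //   unknown     [2]     IMPLICIT UnknownInfo }
        // Only tag 1 is reported as revoked, so "unknown" is reported the same way as "good".
        // NOTE(review): the CertID of this SingleResponse is not compared with the
        // certificate being checked, and thisUpdate/nonce freshness is not examined
        // here -- confirm the caller covers this if it depends on it.
        boolean revoked = singleResponse.getCertStatus().getTagNo() == 1;
        return new Response(revoked,
                singleResponse.getNextUpdate() != null ? singleResponse.getNextUpdate().getDate() : null);
    } catch (ClassCastException | IllegalArgumentException | ParseException e) {
        // Malformed ASN.1 structures or dates surface as decoding errors.
        throw new IOException(e);
    }
}

/**
 * Builds a {@link Signature} for the algorithm OID named in the response and
 * applies any algorithm parameters it carries. Parameters that are absent or
 * encoded as ASN.1 NULL are ignored.
 *
 * @param basicResponse the decoded BasicOCSPResponse
 * @return a {@link Signature} ready for {@code initVerify}
 * @throws IOException              if the parameter encoding cannot be read
 * @throws GeneralSecurityException if no provider supports the algorithm or
 *                                  its parameters
 */
private static Signature createSignature(BasicOCSPResponse basicResponse)
        throws IOException, GeneralSecurityException {
    // The dotted OID string is handed to the JCA as-is; whether a provider maps it
    // to a signature algorithm depends on the provider in use.
    String algorithm = basicResponse.getSignatureAlgorithm().getAlgorithm().getId();
    Signature signature = Signature.getInstance(algorithm);

    ASN1Encodable encodableParams = basicResponse.getSignatureAlgorithm().getParameters();
    if (encodableParams == null || encodableParams.equals(org.bouncycastle.asn1.DERNull.INSTANCE)) {
        return signature;
    }
    ASN1Primitive primitiveParams = encodableParams.toASN1Primitive();
    if (primitiveParams == null || primitiveParams.equals(org.bouncycastle.asn1.DERNull.INSTANCE)) {
        return signature;
    }

    AlgorithmParameters params = AlgorithmParameters.getInstance(algorithm);
    params.init(primitiveParams.getEncoded());
    signature.setParameter(params.getParameterSpec(AlgorithmParameterSpec.class));
    return signature;
}

/**
 * Chooses the certificate whose key must have signed the response.
 *
 * <p>With no certificates in the response the issuer itself is the signer.
 * Otherwise every supplied certificate is parsed, built into a path anchored at
 * {@code issuerCertificate} and validated, and the first one (the leaf) is used.
 * Unless that leaf is the issuer certificate itself it must carry
 * id-kp-OCSPSigning (1.3.6.1.5.5.7.3.9) in its ExtendedKeyUsage, as RFC 6960
 * section 4.2.2.2 requires for delegated responders -- without that check any
 * certificate issued by the CA could sign responses about its siblings.
 *
 * @param factory           X.509 certificate factory used to decode the certificates
 * @param certs             the {@code certs} sequence of the response, may be null or empty
 * @param issuerCertificate trust anchor and fallback signer
 * @return the certificate to verify the signature with
 * @throws IOException              if a supplied certificate cannot be re-encoded
 * @throws GeneralSecurityException if the path does not validate, a certificate
 *                                  is outside its validity period, or the leaf
 *                                  is not authorised for OCSP signing
 */
private static X509Certificate selectSignerCertificate(CertificateFactory factory, ASN1Sequence certs,
        X509Certificate issuerCertificate) throws IOException, GeneralSecurityException {
    if (certs == null || certs.size() == 0) {
        return issuerCertificate;
    }

    List<X509Certificate> certList = new ArrayList<>(certs.size());
    for (int i = 0; i < certs.size(); i++) {
        // index i, not 0: every supplied certificate is parsed, not the first one repeatedly
        X509Certificate cert = (X509Certificate) factory.generateCertificate(
                new ByteArrayInputStream(certs.getObjectAt(i).toASN1Primitive().getEncoded()));
        cert.checkValidity();
        certList.add(cert);
    }

    CertPath path = factory.generateCertPath(certList);
    PKIXParameters params = new PKIXParameters(
            Collections.singleton(new TrustAnchor(issuerCertificate, null)));
    // Revocation of the responder's own certificate is not checked here
    // (presumably to avoid recursing into OCSP -- confirm); the path still has
    // to chain to the issuer for validate() to succeed.
    params.setRevocationEnabled(false);
    CertPathValidator validator = CertPathValidator.getInstance("PKIX");
    PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) validator.validate(path, params);

    if (result.getTrustAnchor().getTrustedCert() == null)
        throw new CertPathValidatorException(
                "Validation failed for certificate supplied by OCSP response", null, path, -1,
                PKIXReason.NO_TRUST_ANCHOR);

    X509Certificate responder = certList.get(0);
    if (!responder.equals(issuerCertificate)) {
        final String ocspSigningKeyPurpose = "1.3.6.1.5.5.7.3.9"; // id-kp-OCSPSigning
        List<String> extendedKeyUsage = responder.getExtendedKeyUsage();
        if (extendedKeyUsage == null || !extendedKeyUsage.contains(ocspSigningKeyPurpose))
            throw new CertPathValidatorException(
                    "Certificate supplied by OCSP response is not authorised for OCSP signing", null, path, 0,
                    PKIXReason.INVALID_KEY_USAGE);
    }
    return responder;
}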