List of usage examples for org.bouncycastle.cert.ocsp BasicOCSPResp getResponderId
public RespID getResponderId()
From source file:org.xipki.pki.ocsp.qa.OcspQa.java
License:Open Source License
public ValidationResult checkOcsp(final OCSPResp response, final IssuerHash issuerHash, final List<BigInteger> serialNumbers, final Map<BigInteger, byte[]> encodedCerts, final OcspError expectedOcspError, final Map<BigInteger, OcspCertStatus> expectedOcspStatuses, final OcspResponseOption responseOption) { ParamUtil.requireNonNull("response", response); ParamUtil.requireNonEmpty("serialNumbers", serialNumbers); ParamUtil.requireNonEmpty("expectedOcspStatuses", expectedOcspStatuses); ParamUtil.requireNonNull("responseOption", responseOption); List<ValidationIssue> resultIssues = new LinkedList<ValidationIssue>(); int status = response.getStatus(); // Response status ValidationIssue issue = new ValidationIssue("OCSP.STATUS", "response.status"); resultIssues.add(issue);//from w w w . j av a2s. com if (expectedOcspError != null) { if (status != expectedOcspError.getStatus()) { issue.setFailureMessage( "is '" + status + "', but expected '" + expectedOcspError.getStatus() + "'"); } } else { if (status != 0) { issue.setFailureMessage("is '" + status + "', but expected '0'"); } } if (status != 0) { return new ValidationResult(resultIssues); } ValidationIssue encodingIssue = new ValidationIssue("OCSP.ENCODING", "response encoding"); resultIssues.add(encodingIssue); BasicOCSPResp basicResp; try { basicResp = (BasicOCSPResp) response.getResponseObject(); } catch (OCSPException ex) { encodingIssue.setFailureMessage(ex.getMessage()); return new ValidationResult(resultIssues); } SingleResp[] singleResponses = basicResp.getResponses(); issue = new ValidationIssue("OCSP.RESPONSES.NUM", "number of single responses"); resultIssues.add(issue); if (singleResponses == null || singleResponses.length == 0) { issue.setFailureMessage("received no status from server"); return new ValidationResult(resultIssues); } final int n = singleResponses.length; if (n != serialNumbers.size()) { issue.setFailureMessage("is '" + n + "', but expected '" + serialNumbers.size() + "'"); return new ValidationResult(resultIssues); } boolean hasSignature = basicResp.getSignature() != null; // check the signature if available issue = new ValidationIssue("OCSP.SIG", "signature presence"); resultIssues.add(issue); if (!hasSignature) { issue.setFailureMessage("response is not signed"); } if (hasSignature) { // signature algorithm issue = new ValidationIssue("OCSP.SIG.ALG", "signature algorithm"); resultIssues.add(issue); String expectedSigalgo = responseOption.getSignatureAlgName(); if (expectedSigalgo != null) { AlgorithmIdentifier sigAlg = basicResp.getSignatureAlgorithmID(); try { String sigAlgName = AlgorithmUtil.getSignatureAlgoName(sigAlg); if (!AlgorithmUtil.equalsAlgoName(sigAlgName, expectedSigalgo)) { issue.setFailureMessage("is '" + sigAlgName + "', but expected '" + expectedSigalgo + "'"); } } catch (NoSuchAlgorithmException ex) { issue.setFailureMessage("could not extract the signature algorithm"); } } // end if (expectedSigalgo != null) // signer certificate ValidationIssue sigSignerCertIssue = new ValidationIssue("OCSP.SIGNERCERT", "signer certificate"); resultIssues.add(sigSignerCertIssue); // signature validation ValidationIssue sigValIssue = new ValidationIssue("OCSP.SIG.VALIDATION", "signature validation"); resultIssues.add(sigValIssue); X509CertificateHolder respSigner = null; X509CertificateHolder[] responderCerts = basicResp.getCerts(); if (responderCerts == null || responderCerts.length < 1) { sigSignerCertIssue.setFailureMessage("no responder certificate is contained in the response"); sigValIssue.setFailureMessage("could not find certificate to validate signature"); } else { ResponderID respId = basicResp.getResponderId().toASN1Primitive(); X500Name respIdByName = respId.getName(); byte[] respIdByKey = respId.getKeyHash(); for (X509CertificateHolder cert : responderCerts) { if (respIdByName != null) { if (cert.getSubject().equals(respIdByName)) { respSigner = cert; } } else { byte[] spkiSha1 = HashAlgoType.SHA1 .hash(cert.getSubjectPublicKeyInfo().getPublicKeyData().getBytes()); if (Arrays.equals(respIdByKey, spkiSha1)) { respSigner = cert; } } if (respSigner != null) { break; } } if (respSigner == null) { sigSignerCertIssue.setFailureMessage("no responder certificate match the ResponderId"); sigValIssue.setFailureMessage( "could not find certificate matching the" + " ResponderId to validate signature"); } } if (respSigner != null) { issue = new ValidationIssue("OCSP.SIGNERCERT.TRUST", "signer certificate validation"); resultIssues.add(issue); for (int i = 0; i < singleResponses.length; i++) { SingleResp singleResp = singleResponses[i]; if (!respSigner.isValidOn(singleResp.getThisUpdate())) { issue.setFailureMessage( String.format("responder certificate is not valid on the thisUpdate[%d]: %s", i, singleResp.getThisUpdate())); } } // end for X509Certificate respIssuer = responseOption.getRespIssuer(); if (!issue.isFailed() && respIssuer != null) { X509Certificate jceRespSigner; try { jceRespSigner = X509Util.toX509Cert(respSigner.toASN1Structure()); if (X509Util.issues(respIssuer, jceRespSigner)) { jceRespSigner.verify(respIssuer.getPublicKey()); } else { issue.setFailureMessage("responder signer is not trusted"); } } catch (Exception ex) { issue.setFailureMessage("responder signer is not trusted"); } } try { PublicKey responderPubKey = KeyUtil.generatePublicKey(respSigner.getSubjectPublicKeyInfo()); ContentVerifierProvider cvp = securityFactory.getContentVerifierProvider(responderPubKey); boolean sigValid = basicResp.isSignatureValid(cvp); if (!sigValid) { sigValIssue.setFailureMessage("signature is invalid"); } } catch (Exception ex) { sigValIssue.setFailureMessage("could not validate signature"); } } // end if } // end if (hasSignature) // nonce Extension nonceExtn = basicResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); resultIssues.add(checkOccurrence("OCSP.NONCE", nonceExtn, responseOption.getNonceOccurrence())); boolean extendedRevoke = basicResp.getExtension(ObjectIdentifiers.id_pkix_ocsp_extendedRevoke) != null; for (int i = 0; i < singleResponses.length; i++) { SingleResp singleResp = singleResponses[i]; BigInteger serialNumber = singleResp.getCertID().getSerialNumber(); OcspCertStatus expectedStatus = expectedOcspStatuses.get(serialNumber); byte[] encodedCert = null; if (encodedCerts != null) { encodedCert = encodedCerts.get(serialNumber); } List<ValidationIssue> issues = checkSingleCert(i, singleResp, issuerHash, expectedStatus, encodedCert, extendedRevoke, responseOption.getNextUpdateOccurrence(), responseOption.getCerthashOccurrence(), responseOption.getCerthashAlgId()); resultIssues.addAll(issues); } // end for return new ValidationResult(resultIssues); }