List of usage examples for org.bouncycastle.cert.ocsp CertificateStatus GOOD
CertificateStatus GOOD
From source file:be.fedict.trust.test.PKITestUtils.java
License:Open Source License
/**
 * Builds a signed OCSP response for {@code certificate}, for use in tests.
 *
 * <p>An OCSP request for the certificate is built first, then every entry in
 * that request is answered with {@link CertificateStatus#GOOD} or, when
 * {@code revoked} is set, a {@link RevokedStatus} dated "now" with reason
 * {@code unspecified}. The basic response is signed with
 * {@code ocspResponderPrivateKey} using {@code signatureAlgorithm} and wrapped
 * in a SUCCESSFUL {@link OCSPResp}.
 *
 * <p>The responder and issuer certificates are embedded as the response chain
 * only when the responder certificate differs from the issuer certificate;
 * otherwise no chain is attached (the issuer is expected to be known to the
 * verifier already).
 *
 * @param certificate              the certificate whose status is reported
 * @param revoked                  {@code true} to report the certificate as revoked
 * @param issuerCertificate        issuer of {@code certificate}; hashed into the CertificateID
 * @param ocspResponderCertificate certificate of the OCSP responder
 * @param ocspResponderPrivateKey  signing key of the OCSP responder
 * @param signatureAlgorithm       JCA signature algorithm name, e.g. "SHA256withRSA"
 * @return an OCSP response with status SUCCESSFUL
 * @throws Exception on any OCSP, encoding or signing failure
 */
public static OCSPResp createOcspResp(X509Certificate certificate, boolean revoked,
        X509Certificate issuerCertificate, X509Certificate ocspResponderCertificate,
        PrivateKey ocspResponderPrivateKey, String signatureAlgorithm) throws Exception {
    DigestCalculatorProvider digestProvider = new JcaDigestCalculatorProviderBuilder()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build();

    // request: a single CertificateID for the certificate under test
    CertificateID requestedId = new CertificateID(digestProvider.get(CertificateID.HASH_SHA1),
            new JcaX509CertificateHolder(issuerCertificate), certificate.getSerialNumber());
    OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
    requestBuilder.addRequest(requestedId);
    OCSPReq request = requestBuilder.build();

    // request processing: every entry gets the same mocked status
    BasicOCSPRespBuilder responseBuilder = new JcaBasicOCSPRespBuilder(
            ocspResponderCertificate.getPublicKey(), digestProvider.get(CertificateID.HASH_SHA1));
    for (Req entry : request.getRequestList()) {
        CertificateStatus status = revoked
                ? new RevokedStatus(new Date(), CRLReason.unspecified)
                : CertificateStatus.GOOD;
        responseBuilder.addResponse(entry.getCertID(), status);
    }

    // basic response generation: attach a chain only when the responder is a
    // separate entity from the issuer
    X509CertificateHolder[] chain = null;
    boolean responderIsIssuer = ocspResponderCertificate.equals(issuerCertificate);
    if (!responderIsIssuer) {
        chain = new X509CertificateHolder[] {
                new X509CertificateHolder(ocspResponderCertificate.getEncoded()),
                new X509CertificateHolder(issuerCertificate.getEncoded()) };
    }
    ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm)
            .build(ocspResponderPrivateKey);
    BasicOCSPResp basicResponse = responseBuilder.build(signer, chain, new Date());

    // response generation
    return new OCSPRespBuilder().build(OCSPRespBuilder.SUCCESSFUL, basicResponse);
}
From source file:be.fedict.trust.test.PKITestUtils.java
License:Open Source License
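/**
 * Builds a signed OCSP response for {@code certificate} with an explicit
 * responder certificate chain, for use in tests.
 *
 * <p>An OCSP request for the certificate is built first, then every entry in
 * that request is answered with {@link CertificateStatus#GOOD} or, when
 * {@code revoked} is set, a {@link RevokedStatus} dated "now" with reason
 * {@code unspecified}. The basic response is signed with
 * {@code ocspResponderPrivateKey} using {@code signatureAlgorithm} and wrapped
 * in a SUCCESSFUL {@link OCSPResp}.
 *
 * <p>Fix: the signature algorithm used to be hard-coded to {@code "SHA1withRSA"}
 * and the {@code signatureAlgorithm} parameter was silently ignored, which made
 * this overload disagree with its sibling and prevented tests from exercising
 * responders that sign with SHA-2 (or non-RSA) algorithms.
 *
 * @param certificate                   the certificate whose status is reported
 * @param revoked                       {@code true} to report the certificate as revoked
 * @param issuerCertificate             issuer of {@code certificate}; hashed into the CertificateID
 * @param ocspResponderCertificate      certificate of the OCSP responder (its public key seeds the responder ID)
 * @param ocspResponderPrivateKey       signing key of the OCSP responder
 * @param signatureAlgorithm            JCA signature algorithm name, e.g. "SHA256withRSA"
 * @param ocspResponderCertificateChain certificates to embed in the response, in order;
 *                                      {@code null} or empty embeds no chain
 * @return an OCSP response with status SUCCESSFUL
 * @throws Exception on any OCSP, encoding or signing failure
 */
public static OCSPResp createOcspResp(X509Certificate certificate, boolean revoked,
        X509Certificate issuerCertificate, X509Certificate ocspResponderCertificate,
        PrivateKey ocspResponderPrivateKey, String signatureAlgorithm,
        List<X509Certificate> ocspResponderCertificateChain) throws Exception {
    DigestCalculatorProvider digestProvider = new JcaDigestCalculatorProviderBuilder()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build();

    // request: a single CertificateID for the certificate under test
    CertificateID requestedId = new CertificateID(digestProvider.get(CertificateID.HASH_SHA1),
            new JcaX509CertificateHolder(issuerCertificate), certificate.getSerialNumber());
    OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
    requestBuilder.addRequest(requestedId);
    OCSPReq request = requestBuilder.build();

    // request processing: every entry gets the same mocked status
    BasicOCSPRespBuilder responseBuilder = new JcaBasicOCSPRespBuilder(
            ocspResponderCertificate.getPublicKey(), digestProvider.get(CertificateID.HASH_SHA1));
    for (Req entry : request.getRequestList()) {
        CertificateStatus status = revoked
                ? new RevokedStatus(new Date(), CRLReason.unspecified)
                : CertificateStatus.GOOD;
        responseBuilder.addResponse(entry.getCertID(), status);
    }

    // basic response generation: a null/empty chain means "embed nothing"
    X509CertificateHolder[] chain = null;
    if (ocspResponderCertificateChain != null && !ocspResponderCertificateChain.isEmpty()) {
        chain = new X509CertificateHolder[ocspResponderCertificateChain.size()];
        for (int idx = 0; idx < chain.length; idx++) {
            chain[idx] = new X509CertificateHolder(ocspResponderCertificateChain.get(idx).getEncoded());
        }
    }
    // sign with the caller-supplied algorithm (previously always "SHA1withRSA")
    ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm)
            .build(ocspResponderPrivateKey);
    BasicOCSPResp basicResponse = responseBuilder.build(signer, chain, new Date());

    // response generation
    return new OCSPRespBuilder().build(OCSPRespBuilder.SUCCESSFUL, basicResponse);
}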
From source file:com.itextpdf.signatures.OcspClientBouncyCastle.java
License:Open Source License
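/**
 * Gets an encoded byte array with OCSP validation. The method should not throw an exception.
 *
 * <p>Only a response that answers exactly one certificate and reports it as GOOD
 * is returned. A revoked or unknown status, a multi-entry response and any
 * failure to obtain the response all yield {@code null}; callers therefore must
 * not read {@code null} as "not revoked" — it only means "no usable proof of
 * good status was obtained".
 *
 * <p>Fix: the revoked check tested {@code org.bouncycastle.ocsp.RevokedStatus}
 * (the legacy package) while {@code getCertStatus()} returns
 * {@code org.bouncycastle.cert.ocsp} objects, so a revoked certificate was always
 * logged as "unknown". The outcome (return {@code null}) is unchanged; the log
 * message is now accurate.
 *
 * @param checkCert the certificate to check
 * @param rootCert the parent certificate
 * @param url url to get the verification from. If it's null it will be taken
 *            from the check cert or from other implementation specific source
 * @return the encoded basic OCSP response, or null if the validation could not be obtained
 */
public byte[] getEncoded(X509Certificate checkCert, X509Certificate rootCert, String url) {
    try {
        BasicOCSPResp basicResponse = getBasicOCSPResp(checkCert, rootCert, url);
        if (basicResponse != null) {
            SingleResp[] responses = basicResponse.getResponses();
            // a response covering more (or fewer) certificates than asked for is not usable here
            if (responses.length == 1) {
                SingleResp resp = responses[0];
                Object status = resp.getCertStatus();
                // identity comparison is the BC contract for GOOD (a sentinel constant)
                if (status == CertificateStatus.GOOD) {
                    return basicResponse.getEncoded();
                } else if (status instanceof org.bouncycastle.cert.ocsp.RevokedStatus) {
                    throw new java.io.IOException(LogMessageConstant.OCSP_STATUS_IS_REVOKED);
                } else {
                    throw new java.io.IOException(LogMessageConstant.OCSP_STATUS_IS_UNKNOWN);
                }
            }
        }
    } catch (Exception ex) {
        // deliberately best-effort: the contract is "never throw", so the
        // failure is logged and null is returned
        LOGGER.error(ex.getMessage());
    }
    return null;
}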
From source file:com.itextpdf.signatures.OCSPVerifier.java
License:Open Source License
/**
 * Verifies a certificate against a single OCSP response.
 *
 * <p>Every {@link SingleResp} in the response is examined. An entry is used only
 * when its serial number and issuer match {@code signCert}, and when the
 * response was still valid at {@code signDate} (a missing {@code nextUpdate} is
 * taken to mean 180 seconds after {@code thisUpdate}). If that entry reports
 * GOOD, {@link #isValidResponse} is consulted and {@code true} is returned —
 * so the result relies on {@code isValidResponse} throwing for an untrusted
 * response (it returns nothing that is checked here; confirm).
 *
 * @param ocspResp   the OCSP response
 * @param signCert   the certificate that needs to be checked
 * @param issuerCert the certificate of the CA; when {@code null}, {@code signCert} itself is used
 * @param signDate   the signing date the response must cover
 * @return {@code true}, in case of a successful check, otherwise {@code false}
 * @throws GeneralSecurityException propagated from the genuineness check
 * @throws IOException propagated from the genuineness check
 */
public boolean verify(BasicOCSPResp ocspResp, X509Certificate signCert, X509Certificate issuerCert,
        Date signDate) throws GeneralSecurityException, IOException {
    if (ocspResp == null) {
        return false;
    }
    // no issuer supplied: fall back to the signing certificate (self-signed case)
    X509Certificate issuer = issuerCert == null ? signCert : issuerCert;

    for (SingleResp single : ocspResp.getResponses()) {
        // the entry must be about the certificate under test
        if (!signCert.getSerialNumber().equals(single.getCertID().getSerialNumber())) {
            continue;
        }
        // and about the same issuer
        try {
            if (!SignUtils.checkIfIssuersMatch(single.getCertID(), issuer)) {
                LOGGER.info("OCSP: Issuers doesn't match.");
                continue;
            }
        } catch (OCSPException e) {
            // an entry whose issuer cannot be compared is simply not a match
            continue;
        }
        // the response must still have been valid at signing time
        Date nextUpdate = single.getNextUpdate();
        if (nextUpdate == null) {
            nextUpdate = SignUtils.add180Sec(single.getThisUpdate());
            LOGGER.info(MessageFormat.format("No 'next update' for OCSP Response; assuming {0}", nextUpdate));
        }
        if (signDate.after(nextUpdate)) {
            LOGGER.info(MessageFormat.format("OCSP no longer valid: {0} after {1}", signDate, nextUpdate));
            continue;
        }
        // finally the reported status
        if (single.getCertStatus() == CertificateStatus.GOOD) {
            // check if the OCSP response was genuine before trusting the GOOD status
            isValidResponse(ocspResp, issuer);
            return true;
        }
    }
    return false;
}
From source file:com.itextpdf.signatures.OCSPVerifier.java
License:Open Source License
/**
 * Gets an OCSP response online and returns it if the status is GOOD
 * (without further checking!).
 *
 * <p>A GOOD entry in the returned response says nothing about whether the
 * response itself is authentic; the caller is responsible for verifying the
 * responder signature before relying on it.
 *
 * @param signCert   the signing certificate
 * @param issuerCert the issuer certificate
 * @return the basic OCSP response when at least one entry reports GOOD,
 *         otherwise {@code null} (also when no response could be fetched)
 */
public BasicOCSPResp getOcspResponse(X509Certificate signCert, X509Certificate issuerCert) {
    // as written, only the "both missing" case is rejected up front
    if (signCert == null && issuerCert == null) {
        return null;
    }
    OcspClientBouncyCastle client = new OcspClientBouncyCastle(null);
    BasicOCSPResp response = client.getBasicOCSPResp(signCert, issuerCert, null);
    if (response == null) {
        return null;
    }
    SingleResp[] entries = response.getResponses();
    int idx = 0;
    while (idx < entries.length) {
        if (entries[idx].getCertStatus() == CertificateStatus.GOOD) {
            return response;
        }
        idx++;
    }
    return null;
}
From source file:com.itextpdf.text.pdf.security.OcspClientBouncyCastle.java
License:Open Source License
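/**
 * Gets an encoded byte array with OCSP validation. The method should not throw an exception.
 *
 * <p>Only a response that answers exactly one certificate and reports it as GOOD
 * is returned. A revoked or unknown status, a multi-entry response and any
 * failure to obtain the response all yield {@code null}; callers therefore must
 * not read {@code null} as "not revoked" — it only means "no usable proof of
 * good status was obtained".
 *
 * <p>Fix: the revoked check tested {@code org.bouncycastle.ocsp.RevokedStatus}
 * (the legacy package) while {@code getCertStatus()} returns
 * {@code org.bouncycastle.cert.ocsp} objects, so a revoked certificate was always
 * logged as "unknown". The outcome (return {@code null}) is unchanged; the log
 * message is now accurate.
 *
 * @param checkCert the certificate to check
 * @param rootCert the parent certificate
 * @param url url to get the verification from. If it's null it will be taken
 *            from the check cert or from other implementation specific source
 * @return the encoded basic OCSP response, or null if the validation could not be obtained
 */
public byte[] getEncoded(X509Certificate checkCert, X509Certificate rootCert, String url) {
    try {
        BasicOCSPResp basicResponse = getBasicOCSPResp(checkCert, rootCert, url);
        if (basicResponse != null) {
            SingleResp[] responses = basicResponse.getResponses();
            // a response covering more (or fewer) certificates than asked for is not usable here
            if (responses.length == 1) {
                SingleResp resp = responses[0];
                Object status = resp.getCertStatus();
                // identity comparison is the BC contract for GOOD (a sentinel constant)
                if (status == CertificateStatus.GOOD) {
                    return basicResponse.getEncoded();
                } else if (status instanceof org.bouncycastle.cert.ocsp.RevokedStatus) {
                    throw new IOException(MessageLocalization.getComposedMessage("ocsp.status.is.revoked"));
                } else {
                    throw new IOException(MessageLocalization.getComposedMessage("ocsp.status.is.unknown"));
                }
            }
        }
    } catch (Exception ex) {
        // deliberately best-effort: the contract is "never throw", so the
        // failure is logged and null is returned
        if (LOGGER.isLogging(Level.ERROR)) {
            LOGGER.error(ex.getMessage());
        }
    }
    return null;
}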
From source file:com.itextpdf.text.pdf.security.OCSPVerifier.java
License:Open Source License
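/**
 * Verifies a certificate against a single OCSP response.
 *
 * <p>Every {@link SingleResp} in the response is examined. An entry is used only
 * when its serial number and issuer match {@code signCert}, and when the
 * response was still valid at {@code signDate} (a missing {@code nextUpdate} is
 * taken to mean 180 seconds after {@code thisUpdate}). If that entry reports
 * GOOD, {@link #isValidResponse} is consulted and {@code true} is returned —
 * so the result relies on {@code isValidResponse} throwing for an untrusted
 * response (it returns nothing that is checked here; confirm).
 *
 * <p>Fix: the Javadoc documented a {@code serialNumber} parameter that does not
 * exist and left {@code issuerCert}, {@code signDate} and the return value
 * undescribed.
 *
 * @param ocspResp   the OCSP response
 * @param signCert   the certificate that needs to be checked
 * @param issuerCert the certificate of the CA; when {@code null}, {@code signCert} itself is used
 * @param signDate   the signing date the response must cover
 * @return {@code true} in case of a successful check, otherwise {@code false}
 * @throws GeneralSecurityException if the issuer certificate cannot be encoded, or
 *         propagated from the genuineness check
 * @throws IOException propagated from the genuineness check
 */
public boolean verify(BasicOCSPResp ocspResp, X509Certificate signCert, X509Certificate issuerCert,
        Date signDate) throws GeneralSecurityException, IOException {
    if (ocspResp == null) {
        return false;
    }
    // no issuer supplied: fall back to the signing certificate (self-signed case)
    X509Certificate issuer = issuerCert == null ? signCert : issuerCert;

    for (SingleResp single : ocspResp.getResponses()) {
        // check if the serial number corresponds
        if (!signCert.getSerialNumber().equals(single.getCertID().getSerialNumber())) {
            continue;
        }
        // check if the issuer matches
        try {
            if (!single.getCertID().matchesIssuer(new X509CertificateHolder(issuer.getEncoded()),
                    new BcDigestCalculatorProvider())) {
                LOGGER.info("OCSP: Issuers doesn't match.");
                continue;
            }
        } catch (OCSPException e) {
            // an entry whose issuer hash cannot be computed is simply not a match
            continue;
        }
        // check if the OCSP response was valid at the time of signing; without
        // a nextUpdate the response is treated as good for 180 s after thisUpdate
        Date nextUpdate = single.getNextUpdate();
        if (nextUpdate == null) {
            nextUpdate = new Date(single.getThisUpdate().getTime() + 180000L);
            LOGGER.info(String.format("No 'next update' for OCSP Response; assuming %s", nextUpdate));
        }
        if (signDate.after(nextUpdate)) {
            LOGGER.info(String.format("OCSP no longer valid: %s after %s", signDate, nextUpdate));
            continue;
        }
        // check the status of the certificate
        if (single.getCertStatus() == CertificateStatus.GOOD) {
            // check if the OCSP response was genuine before trusting the GOOD status
            isValidResponse(ocspResp, issuer);
            return true;
        }
    }
    return false;
}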
From source file:com.itextpdf.text.pdf.security.OCSPVerifier.java
License:Open Source License
/**
 * Gets an OCSP response online and returns it if the status is GOOD
 * (without further checking).
 *
 * <p>A GOOD entry in the returned response says nothing about whether the
 * response itself is authentic; the caller is responsible for verifying the
 * responder signature before relying on it.
 *
 * @param signCert   the signing certificate
 * @param issuerCert the issuer certificate
 * @return the basic OCSP response when at least one entry reports GOOD,
 *         otherwise {@code null} (also when no response could be fetched)
 */
public BasicOCSPResp getOcspResponse(X509Certificate signCert, X509Certificate issuerCert) {
    // as written, only the "both missing" case is rejected up front
    if (signCert == null && issuerCert == null) {
        return null;
    }
    OcspClientBouncyCastle client = new OcspClientBouncyCastle();
    BasicOCSPResp response = client.getBasicOCSPResp(signCert, issuerCert, null);
    if (response == null) {
        return null;
    }
    for (SingleResp single : response.getResponses()) {
        if (single.getCertStatus() == CertificateStatus.GOOD) {
            return response;
        }
    }
    return null;
}
From source file:Controllers.OCSPController.java
License:Apache License
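/**
 * Builds the OCSP response returned to the client for a raw OCSP request.
 *
 * <p>Behaviour depends on {@code mode}: {@code GOOD}, {@code REVOKED} and
 * {@code UNKNOWN} answer every requested certificate with that fixed status
 * (mocked server), while {@code AUTO} is not implemented. A request nonce is
 * echoed back in the response extensions; when {@code bRequireNonce} is set and
 * no nonce is present the response status becomes UNAUTHORIZED. The response is
 * signed with {@code privateKey} and carries {@code x509CertificateHolder} as the
 * responder certificate.
 *
 * <p>Fixes: the {@code NotImplementedException} thrown for {@code AUTO} was
 * caught by the catch-all below and turned into a {@code null} return, so the
 * declared exception never reached the caller; it is now rethrown. The
 * {@code UNKNOWN} mode logged "Known"; the exception is logged with its stack
 * trace through the logger instead of {@code printStackTrace()}; and the three
 * identical per-request loops share one helper.
 *
 * @param requestBytes the DER-encoded OCSP request
 * @param mode         which mocked status to return
 * @return the DER-encoded OCSP response, or {@code null} if the request could
 *         not be processed (the failure is logged)
 * @throws NotImplementedException when {@code mode} is {@code AUTO}
 */
private byte[] processOcspRequest(byte[] requestBytes, OCSP_PROCESS_MODE mode) throws NotImplementedException {
    try {
        // get request info
        OCSPReq ocspRequest = new OCSPReq(requestBytes);
        X509CertificateHolder[] requestCerts = ocspRequest.getCerts();
        Req[] requestList = ocspRequest.getRequestList();

        // setup response
        BasicOCSPRespBuilder responseBuilder = new BasicOCSPRespBuilder(
                new RespID(x509CertificateHolder.getSubject()));

        LOG.info("OCSP request version: " + ocspRequest.getVersionNumber() + ", Requester name: "
                + ocspRequest.getRequestorName() + ", is signed: " + ocspRequest.isSigned()
                + ", has extensions: " + ocspRequest.hasExtensions()
                + ", number of additional certificates: " + requestCerts.length
                + ", number of certificate ids to verify: " + requestList.length);

        int ocspResult = OCSPRespBuilder.SUCCESSFUL;
        switch (mode) {
        case AUTO:
            LOG.error("Auto OCSP server is not implemented in this version.");
            throw new NotImplementedException();
        case GOOD:
            LOG.warn("Mocked mode, server will always return Good ocsp response");
            for (Req req : requestList) {
                addMockedResponse(responseBuilder, req.getCertID(), CertificateStatus.GOOD);
            }
            break;
        case REVOKED: {
            LOG.warn("Mocked mode, server will always return REVOKED ocsp response");
            Calendar revocationTime = new GregorianCalendar();
            revocationTime.add(Calendar.DAY_OF_MONTH, -7); // Set revoked 7 days ago.
            for (Req req : requestList) {
                // NOTE(review): 16 is not among the CRLReason codes of RFC 5280 (0-10);
                // kept as the original mock value — confirm intent
                addMockedResponse(responseBuilder, req.getCertID(),
                        new RevokedStatus(revocationTime.getTime(), 16));
            }
            break;
        }
        case UNKNOWN:
            LOG.warn("Mocked mode, server will always return UNKNOWN ocsp response");
            for (Req req : requestList) {
                addMockedResponse(responseBuilder, req.getCertID(), new UnknownStatus());
            }
            break;
        }

        // process nonce: echo the request nonce (id-pkix-ocsp-nonce, RFC 6960 4.4.1)
        // back so the client can bind this response to its request
        Extension extNonce = ocspRequest.getExtension(new ASN1ObjectIdentifier("1.3.6.1.5.5.7.48.1.2"));
        if (extNonce != null) {
            LOG.debug("Nonce is present in the request");
            responseBuilder.setResponseExtensions(new Extensions(extNonce));
        } else {
            LOG.info("Nonce is not present in the request");
            if (bRequireNonce) {
                LOG.info("Nonce is required, fail the request");
                ocspResult = OCSPRespBuilder.UNAUTHORIZED;
            }
        }

        X509CertificateHolder[] chain = { x509CertificateHolder };
        // SHA-1 signing is kept for this mock; a production responder should sign with SHA-256 or stronger
        ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(privateKey);
        BasicOCSPResp ocspResponse = responseBuilder.build(signer, chain, Calendar.getInstance().getTime());

        OCSPRespBuilder ocspResponseBuilder = new OCSPRespBuilder();
        byte[] encoded = ocspResponseBuilder.build(ocspResult, ocspResponse).getEncoded();
        LOG.info("Sending OCSP response to client, size: " + encoded.length);
        return encoded;
    } catch (NotImplementedException e) {
        // AUTO mode: propagate as declared instead of letting the catch-all swallow it
        throw e;
    } catch (Exception e) {
        LOG.error("Exception during processing OCSP request: " + e.getMessage(), e);
    }
    return null;
}

/**
 * Adds one mocked single response for {@code certId} to {@code responseBuilder}:
 * {@code thisUpdate} is "now", {@code nextUpdate} seven days later, and no
 * single-response extensions are attached.
 *
 * @param responseBuilder the response under construction
 * @param certId          the certificate the entry is about
 * @param status          the mocked status to report
 */
private void addMockedResponse(BasicOCSPRespBuilder responseBuilder, CertificateID certId,
        CertificateStatus status) {
    String serialNumber = "0x" + certId.getSerialNumber().toString(16);
    LOG.debug(String.format("Processing request for cert serial number:[%s]", serialNumber));
    Calendar thisUpdate = new GregorianCalendar();
    Date now = thisUpdate.getTime();
    thisUpdate.add(Calendar.DAY_OF_MONTH, 7);
    Date nextUpdate = thisUpdate.getTime();
    responseBuilder.addResponse(certId, status, now, nextUpdate, null);
}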
From source file:ee.ria.xroad.common.cert.CertChainTest.java
License:Open Source License
/**
 * Tests that verifying a chain with an invalid CA certificate fails.
 *
 * <p>The fourth intermediate CA ({@code ca_4_no_ext.p12}) carries no extensions,
 * so path building is expected to fail with a {@link CertPathBuilderException}
 * wrapped in a {@link CodedException}, even though every certificate in the
 * chain has a GOOD OCSP response.
 *
 * @throws Exception if an error occurs
 */
@Test
public void invalidCaCertNoExtensions() throws Exception {
    X509Certificate rootCa = TestCertUtil.getCertChainCert("root_ca.p12");
    X509Certificate ca1 = TestCertUtil.getCertChainCert("ca_1.p12");
    X509Certificate ca2 = TestCertUtil.getCertChainCert("ca_2.p12");
    X509Certificate ca3 = TestCertUtil.getCertChainCert("ca_3.p12");
    // this CA cert has no extensions
    X509Certificate ca4NoExt = TestCertUtil.getCertChainCert("ca_4_no_ext.p12");
    X509Certificate userCert = TestCertUtil.getCertChainCert("user_4.p12");

    // every non-root certificate gets a GOOD response, so revocation is not what fails here
    List<OCSPResp> ocsp = generateOcspResponses(
            Arrays.asList(ca1, ca2, ca3, ca4NoExt, userCert), CertificateStatus.GOOD);
    X509Certificate[] intermediates = { ca1, ca2, ca3, ca4NoExt };
    CertChain chain = new CertChain("EE", userCert, rootCa, Arrays.asList(intermediates));

    try {
        verify(chain, ocsp, null);
        fail("Path creation should fail");
    } catch (CodedException e) {
        assertTrue(e.getCause() instanceof CertPathBuilderException);
    }
}