List of usage examples for org.bouncycastle.cert.ocsp.jcajce JcaRespID JcaRespID
public JcaRespID(X500Principal name)
From source file:org.cesecore.certificates.ocsp.cache.OcspSigningCacheEntry.java
License:Open Source License
/**
 * Builds one entry of the OCSP signing cache.
 *
 * <p>The chain used for signing is either the CA chain itself (no dedicated OCSP signing
 * certificate given) or the OCSP signing certificate followed by the CA chain. Index 0 of
 * that chain is taken as the certificate belonging to {@code privateKey}. When no chain is
 * available at all the entry is a placeholder: signing certificate, responder ID and
 * response chain stay null.
 *
 * @param issuerCaCertificate        CA certificate this entry answers for
 * @param issuerCaCertificateStatus  revocation status of that CA certificate
 * @param signingCaCertificateChain  chain of the signing CA; null for a placeholder entry
 * @param ocspSigningCertificate     dedicated OCSP signing certificate, or null to sign with the CA key
 * @param privateKey                 key the responses are signed with
 * @param signatureProviderName      JCA provider used for signing
 * @param ocspKeyBinding             key binding this entry was built from, or null
 * @param responderIdType            OcspConfiguration.RESPONDERIDTYPE_NAME selects a byName
 *                                   responder ID; any other value selects byKey (SHA-1 key hash)
 */
public OcspSigningCacheEntry(X509Certificate issuerCaCertificate, CertificateStatus issuerCaCertificateStatus,
        List<X509Certificate> signingCaCertificateChain, X509Certificate ocspSigningCertificate, PrivateKey privateKey,
        String signatureProviderName, OcspKeyBinding ocspKeyBinding, int responderIdType) {
    this.caCertificateChain = signingCaCertificateChain;
    this.ocspSigningCertificate = ocspSigningCertificate;
    final boolean signWithCaKey = (ocspSigningCertificate == null);
    final List<X509Certificate> chain;
    if (signWithCaKey) {
        chain = signingCaCertificateChain;
    } else {
        // OCSP signer first, so that index 0 is always the certificate matching privateKey.
        chain = new ArrayList<X509Certificate>();
        chain.add(ocspSigningCertificate);
        chain.addAll(signingCaCertificateChain);
    }
    fullCertificateChain = chain;
    // A null chain marks a placeholder entry.
    signingCertificate = (chain == null) ? null : chain.get(0);
    this.privateKey = privateKey;
    this.signatureProviderName = signatureProviderName;
    this.ocspKeyBinding = ocspKeyBinding;
    this.issuerCaCertificate = issuerCaCertificate;
    this.certificateID = OcspSigningCache.getCertificateIDFromCertificate(issuerCaCertificate);
    this.issuerCaCertificateStatus = issuerCaCertificateStatus;
    this.responderIdType = responderIdType;
    if (signingCertificate == null) {
        respId = null;
        signingCertificateForOcspSigning = true;
    } else {
        // Pre-compute the responder ID once instead of per response.
        JcaRespID id;
        if (responderIdType == OcspConfiguration.RESPONDERIDTYPE_NAME) {
            id = new JcaRespID(signingCertificate.getSubjectX500Principal());
        } else {
            try {
                id = new JcaRespID(signingCertificate.getPublicKey(), SHA1DigestCalculator.buildSha1Instance());
            } catch (OCSPException e) {
                // Degrade to byName rather than refusing to build the cache entry.
                log.warn(
                        "Unable to contruct responder Id of type 'hash', falling back to using 'name' as responder Id.",
                        e);
                id = new JcaRespID(signingCertificate.getSubjectX500Principal());
            }
        }
        respId = id;
        // Signing with the CA key is always acceptable; a dedicated signer must carry the OCSP signing EKU.
        signingCertificateForOcspSigning = signWithCaKey || CertTools.isOCSPCert(signingCertificate);
    }
    responseCertChain = (chain == null) ? null : getResponseCertChain(chain.toArray(new X509Certificate[0]));
}
From source file:org.ejbca.core.protocol.ocsp.OCSPUnidClient.java
License:Open Source License
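/**
 * Sends an encoded OCSP request to {@code httpReqPath} and validates the reply.
 *
 * <p>Checks performed, in order: HTTP status, presence of a basic response, nonce echo
 * (only when the response carries a nonce), responder ID against the first certificate
 * embedded in the response, response signature, the embedded certificate chain, and
 * finally that the signer is either the trust anchor itself or an OCSP signing certificate
 * directly issued by it. The first failing check sets an error code on the result.
 *
 * @param ocspPackage       DER-encoded OCSPRequest
 * @param knownTrustAnchor  certificate the signer must equal (CA signer) or be issued by (OCSP signer)
 * @param useGet            send as GET with the request in the URL path (RFC 6960 A.1) instead of POST
 * @return response wrapper; {@code getErrorCode()} is set when any check fails
 * @throws IOException                 on transport errors or when the URL cannot be built
 * @throws OCSPException               when the response cannot be parsed
 * @throws OperatorCreationException   when the signature verifier cannot be created
 * @throws CertificateException        when an embedded certificate cannot be converted
 * @throws UnrecoverableKeyException   propagated from {@code getUrlConnection}
 * @throws KeyManagementException      propagated from {@code getUrlConnection}
 * @throws NoSuchAlgorithmException    propagated from {@code getUrlConnection}
 * @throws KeyStoreException           propagated from {@code getUrlConnection}
 */
private OCSPUnidResponse sendOCSPRequest(byte[] ocspPackage, X509Certificate knownTrustAnchor, boolean useGet)
        throws IOException, OCSPException, OperatorCreationException, CertificateException,
        UnrecoverableKeyException, KeyManagementException, NoSuchAlgorithmException, KeyStoreException {
    final HttpURLConnection con;
    if (useGet) {
        // RFC 6960 A.1: GET {url}/{url-encoding of base64(DER(OCSPRequest))}. Without the
        // URL-encoding a '+' or '/' in the base64 text is mangled by the server's decoder.
        final String b64 = new String(Base64.encode(ocspPackage, false), "US-ASCII");
        final URL url = new URL(httpReqPath + '/' + java.net.URLEncoder.encode(b64, "UTF-8"));
        // NOTE(review): the POST branch goes through getUrlConnection(url); confirm GET should not.
        con = (HttpURLConnection) url.openConnection();
    } else {
        final URL url = new URL(httpReqPath);
        con = (HttpURLConnection) getUrlConnection(url);
        con.setDoOutput(true);
        con.setRequestMethod("POST");
        con.setRequestProperty("Content-Type", "application/ocsp-request");
        OutputStream os = null;
        try {
            os = con.getOutputStream();
            os.write(ocspPackage);
        } finally {
            if (os != null) {
                os.close();
            }
        }
    }
    final OCSPUnidResponse ret = new OCSPUnidResponse();
    ret.setHttpReturnCode(con.getResponseCode());
    if (ret.getHttpReturnCode() != 200) {
        if (ret.getHttpReturnCode() == 401) {
            ret.setErrorCode(OCSPUnidResponse.ERROR_UNAUTHORIZED);
        } else {
            ret.setErrorCode(OCSPUnidResponse.ERROR_UNKNOWN);
        }
        return ret;
    }
    final OCSPResp response;
    {
        final InputStream in = con.getInputStream();
        if (in != null) {
            try {
                response = new OCSPResp(IOUtils.toByteArray(in));
            } finally {
                in.close();
            }
        } else {
            response = null;
        }
    }
    if (response == null) {
        ret.setErrorCode(OCSPUnidResponse.ERROR_NO_RESPONSE);
        return ret;
    }
    ret.setResp(response);
    final BasicOCSPResp brep = (BasicOCSPResp) response.getResponseObject();
    if (brep == null) {
        ret.setErrorCode(OCSPUnidResponse.ERROR_NO_RESPONSE);
        return ret;
    }
    // Nonce check. The extension is optional in a response; the previous code dereferenced
    // it unconditionally, so a response without a nonce crashed with a NullPointerException
    // instead of being evaluated. A response that omits the nonce is still accepted here, as before.
    if (brep.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce) != null) {
        final byte[] noncerep = brep.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce).getExtnValue()
                .getEncoded();
        final ASN1InputStream ain = new ASN1InputStream(noncerep);
        final ASN1OctetString oct;
        try {
            oct = ASN1OctetString.getInstance(ain.readObject());
        } finally {
            ain.close();
        }
        // Assumes this.nonce holds the same encoding as the extension contents -- TODO confirm against the request builder.
        if (!ArrayUtils.isEquals(this.nonce, oct.getOctets())) {
            ret.setErrorCode(OCSPUnidResponse.ERROR_INVALID_NONCE);
            return ret;
        }
    }
    final X509CertificateHolder[] chain = brep.getCerts();
    if (chain == null || chain.length == 0) {
        // Nothing to verify the signature against; previously this indexed chain[0] and threw.
        m_log.info("OCSP response did not contain any signer certificate.");
        ret.setErrorCode(OCSPUnidResponse.ERROR_INVALID_SIGNERCERT);
        return ret;
    }
    final RespID id = brep.getResponderId();
    final DERTaggedObject to = (DERTaggedObject) id.toASN1Object().toASN1Primitive();
    final JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
    final X509Certificate signerCertificate = converter.getCertificate(chain[0]);
    final PublicKey signerPub = signerCertificate.getPublicKey();
    // ResponderID is a CHOICE: tag [1] is byName, otherwise byKey (SHA-1 of the public key).
    final RespID respId;
    if (to.getTagNo() == 1) {
        respId = new JcaRespID(signerCertificate.getSubjectX500Principal());
    } else {
        respId = new JcaRespID(signerPub, SHA1DigestCalculator.buildSha1Instance());
    }
    if (!id.equals(respId)) {
        // Recorded but not fatal: the checks below still run and may overwrite this code.
        ret.setErrorCode(OCSPUnidResponse.ERROR_INVALID_SIGNERID);
    }
    if (!brep.isSignatureValid(new JcaContentVerifierProviderBuilder().build(signerPub))) {
        ret.setErrorCode(OCSPUnidResponse.ERROR_INVALID_SIGNATURE);
        return ret;
    }
    /*
     * Three variables, six valid combinations:
     * 1. the reply comes from a CA (integrated) or from an OCSP responder (standalone)
     * 2. if from a CA, whether that CA is self signed or a sub CA
     * 3. whether the server (integrated) or key binding (standalone) includes the certificate chain
     */
    // Verify each embedded certificate against the next one. The root is (usually) not part of
    // the response, so the last certificate is not verified here.
    // TODO: improve this when we can pass in the root cert from parameter to properly validate the whole chain
    for (int i = 0; i + 1 < chain.length; i++) {
        final X509Certificate cert1 = converter.getCertificate(chain[i]);
        final X509Certificate cert2 = converter.getCertificate(chain[i + 1]);
        try {
            cert1.verify(cert2.getPublicKey());
        } catch (GeneralSecurityException e) {
            m_log.info("Verifying problem with", e);
            m_log.info("Certificate to be verified: " + cert1);
            m_log.info("Verifying certificate: " + cert2);
            ret.setErrorCode(OCSPUnidResponse.ERROR_INVALID_SIGNERCERT);
            return ret;
        }
    }
    if (CertTools.isCA(signerCertificate)) {
        // Integrated OCSP: the signer must be the trust anchor itself. The signer certificate
        // comes from the response, so compare the whole certificate (encoded form), not only
        // the serial number -- a serial-only comparison does not bind the signer to the anchor's key.
        if (!signerCertificate.equals(knownTrustAnchor)) {
            m_log.info("Signing certificate for integrated OCSP was not the provided trust anchor.");
            ret.setErrorCode(OCSPUnidResponse.ERROR_INVALID_SIGNERCERT);
            return ret;
        }
    } else if (CertTools.isOCSPCert(signerCertificate)) {
        // Standalone OCSP: the signer must be directly issued by the trust anchor.
        try {
            signerCertificate.verify(knownTrustAnchor.getPublicKey());
        } catch (GeneralSecurityException e) {
            m_log.info("Signing certificate was not signed by known trust anchor.");
            ret.setErrorCode(OCSPUnidResponse.ERROR_INVALID_SIGNERCERT);
            return ret;
        }
    } else {
        m_log.info("Signing certificate was not an OCSP certificate.");
        ret.setErrorCode(OCSPUnidResponse.ERROR_INVALID_SIGNERCERT);
        return ret;
    }
    final String fnr = getFnr(brep);
    if (fnr != null) {
        ret.setFnr(fnr);
    }
    return ret;
}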
From source file:org.signserver.validationservice.server.ValidationUtils.java
License:Open Source License
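/**
 * Sends a request to the OCSP responder and returns the results.
 *
 * Note: Based on code from the EJBCA ValidationTool.
 *
 * <p>The result carries the HTTP status, the parsed response, the signer certificate (first
 * certificate embedded in the response) and whether the responder ID matches that
 * certificate. The response signature is <em>not</em> verified by this method; a caller that
 * relies on the response must check it against {@code result.getSignerCertificate()} itself.
 *
 * @param url of the OCSP responder
 * @param request to send
 * @return An OCSPResponse object filled with information about the response
 * @throws IOException in case of networking related errors, or if the embedded certificate
 *         cannot be converted
 * @throws OCSPException in case of error parsing the response, or if the response carries no
 *         signer certificate
 */
public static OCSPResponse queryOCSPResponder(URL url, OCSPReq request) throws IOException, OCSPException {
    final OCSPResponse result = new OCSPResponse();
    final URLConnection urlCon = url.openConnection();
    if (!(urlCon instanceof HttpURLConnection)) {
        throw new IOException("Unsupported protocol in URL: " + url);
    }
    final HttpURLConnection con = (HttpURLConnection) urlCon;
    // POST the DER-encoded request (RFC 6960 A.1).
    con.setDoOutput(true);
    con.setRequestMethod("POST");
    con.setRequestProperty("Content-Type", "application/ocsp-request");
    OutputStream os = null;
    try {
        os = con.getOutputStream();
        os.write(request.getEncoded());
    } finally {
        if (os != null) {
            os.close();
        }
    }
    result.setHttpReturnCode(con.getResponseCode());
    if (result.getHttpReturnCode() != 200) {
        if (result.getHttpReturnCode() == 401) {
            result.setError(OCSPResponse.Error.httpUnauthorized);
        } else {
            result.setError(OCSPResponse.Error.unknown);
        }
        return result;
    }
    OCSPResp response = null;
    InputStream in = null;
    try {
        in = con.getInputStream();
        if (in != null) {
            // Read the body in chunks; the previous loop pulled it one byte at a time.
            final ByteArrayOutputStream bout = new ByteArrayOutputStream();
            final byte[] buf = new byte[4096];
            int n;
            while ((n = in.read(buf)) != -1) {
                bout.write(buf, 0, n);
            }
            response = new OCSPResp(bout.toByteArray());
        }
    } finally {
        if (in != null) {
            try {
                in.close();
            } catch (IOException ignored) {
                // The body has already been consumed; nothing is lost by a failed close.
            } // NOPMD
        }
    }
    if (response == null) {
        result.setError(OCSPResponse.Error.noResponse);
        return result;
    }
    result.setResp(response);
    if (response.getStatus() != OCSPResponseStatus.SUCCESSFUL) {
        result.setError(OCSPResponse.Error.fromBCOCSPResponseStatus(response.getStatus()));
        return result;
    }
    final BasicOCSPResp brep = (BasicOCSPResp) response.getResponseObject();
    result.setResponseObject(brep);
    if (brep == null) {
        result.setError(OCSPResponse.Error.noResponse);
        return result;
    }
    final X509CertificateHolder[] chain = brep.getCerts();
    if (chain == null || chain.length == 0) {
        // getCerts() is empty when the responder omits its certificate; the previous code
        // indexed chain[0] and failed with ArrayIndexOutOfBoundsException.
        throw new OCSPException("OCSP response does not contain a signer certificate");
    }
    final RespID id = brep.getResponderId();
    final DERTaggedObject to = (DERTaggedObject) id.toASN1Object().toASN1Object();
    final JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
    final X509Certificate signerCertificate;
    try {
        signerCertificate = converter.getCertificate(chain[0]);
    } catch (CertificateException ex) {
        // Keep the cause so the caller can see why conversion failed.
        throw new IOException("Could not convert certificate: " + ex.getMessage(), ex);
    }
    result.setSignerCertificate(signerCertificate);
    // ResponderID is a CHOICE: tag [1] is byName, otherwise byKey (SHA-1 of the public key).
    final RespID respId;
    if (to.getTagNo() == 1) {
        respId = new JcaRespID(signerCertificate.getSubjectX500Principal());
    } else {
        final PublicKey signerPub = signerCertificate.getPublicKey();
        try {
            respId = new JcaRespID(signerPub,
                    new JcaDigestCalculatorProviderBuilder().build().get(RespID.HASH_SHA1));
        } catch (OperatorCreationException ex) {
            throw new IOException("Could not create respId: " + ex.getMessage(), ex);
        }
    }
    if (!id.equals(respId)) {
        // The responder ID does not match the certificate that claims to have signed the response.
        result.setError(OCSPResponse.Error.invalidSignerId);
    }
    result.setIssuerDN(signerCertificate.getIssuerX500Principal());
    if (result.getError() == null) {
        result.setError(OCSPResponse.Error.responseSuccess);
    }
    return result;
}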