List of usage examples for org.bouncycastle.cert.ocsp OCSPReq isSignatureValid
public boolean isSignatureValid(ContentVerifierProvider verifierProvider) throws OCSPException
From source file:org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean.java
License:Open Source License
/** * Checks the signature on an OCSP request. Does not check for revocation of the signer certificate * //from ww w .j a v a 2 s . c o m * @param clientRemoteAddr The IP address or host name of the remote client that sent the request, can be null. * @param req The signed OCSPReq * @return X509Certificate which is the certificate that signed the OCSP request * @throws SignRequestSignatureException if signature verification fail, or if the signing certificate is not authorized * @throws SignRequestException if there is no signature on the OCSPReq * @throws OCSPException if the request can not be parsed to retrieve certificates * @throws NoSuchProviderException if the BC provider is not installed * @throws CertificateException if the certificate can not be parsed * @throws NoSuchAlgorithmException if the certificate contains an unsupported algorithm * @throws InvalidKeyException if the certificate, or CA key is invalid */ private X509Certificate checkRequestSignature(String clientRemoteAddr, OCSPReq req) throws SignRequestException, SignRequestSignatureException, CertificateException, NoSuchAlgorithmException { X509Certificate signercert = null; // Get all certificates embedded in the request (probably a certificate chain) try { final X509CertificateHolder[] certs = req.getCerts(); String signerSubjectDn = null; // We must find a certificate to verify the signature with... boolean verifyOK = false; for (int i = 0; i < certs.length; i++) { final X509Certificate certificate = certificateConverter.getCertificate(certs[i]); try { if (req.isSignatureValid( new JcaContentVerifierProviderBuilder().build(certificate.getPublicKey()))) { signercert = certificate; // if the request signature verifies by this certificate, this is the signer cert signerSubjectDn = CertTools.getSubjectDN(signercert); log.info(intres.getLocalizedMessage("ocsp.infosigner", signerSubjectDn)); verifyOK = true; // Check that the signer certificate can be verified by one of the CA-certificates that we answer for final X509Certificate signerca = CaCertificateCache.INSTANCE .findLatestBySubjectDN(HashID.getFromIssuerDN(signercert)); if (signerca != null) { try { signercert.verify(signerca.getPublicKey()); final Date now = new Date(); if (log.isDebugEnabled()) { log.debug("Checking validity. Now: " + now + ", signerNotAfter: " + signercert.getNotAfter()); } try { // Check validity of the request signing certificate CertTools.checkValidity(signercert, now); } catch (CertificateNotYetValidException e) { log.info(intres.getLocalizedMessage("ocsp.infosigner.certnotyetvalid", signerSubjectDn, CertTools.getIssuerDN(signercert), e.getMessage())); verifyOK = false; } catch (CertificateExpiredException e) { log.info(intres.getLocalizedMessage("ocsp.infosigner.certexpired", signerSubjectDn, CertTools.getIssuerDN(signercert), e.getMessage())); verifyOK = false; } try { // Check validity of the CA certificate CertTools.checkValidity(signerca, now); } catch (CertificateNotYetValidException e) { log.info(intres.getLocalizedMessage("ocsp.infosigner.certnotyetvalid", CertTools.getSubjectDN(signerca), CertTools.getIssuerDN(signerca), e.getMessage())); verifyOK = false; } catch (CertificateExpiredException e) { log.info(intres.getLocalizedMessage("ocsp.infosigner.certexpired", CertTools.getSubjectDN(signerca), CertTools.getIssuerDN(signerca), e.getMessage())); verifyOK = false; } } catch (SignatureException e) { log.info(intres.getLocalizedMessage("ocsp.infosigner.invalidcertsignature", signerSubjectDn, CertTools.getIssuerDN(signercert), e.getMessage())); verifyOK = false; } catch (InvalidKeyException e) { log.info(intres.getLocalizedMessage("ocsp.infosigner.invalidcertsignature", signerSubjectDn, CertTools.getIssuerDN(signercert), e.getMessage())); verifyOK = false; } } else { log.info(intres.getLocalizedMessage("ocsp.infosigner.nocacert", signerSubjectDn, CertTools.getIssuerDN(signercert))); verifyOK = false; } break; } } catch (OperatorCreationException e) { // Very fatal error throw new EJBException("Can not create Jca content signer: ", e); } } if (!verifyOK) { if (signerSubjectDn == null && certs.length > 0) { signerSubjectDn = CertTools.getSubjectDN(certificateConverter.getCertificate(certs[0])); } String errMsg = intres.getLocalizedMessage("ocsp.errorinvalidsignature", signerSubjectDn); log.info(errMsg); throw new SignRequestSignatureException(errMsg); } } catch (OCSPException e) { throw new CryptoProviderException("BouncyCastle was not initialized properly.", e); } catch (NoSuchProviderException e) { throw new CryptoProviderException("BouncyCastle was not found as a provider.", e); } return signercert; }
From source file:org.ejbca.core.protocol.ocsp.ProtocolOcspHttpTest.java
License:Open Source License
/** Checks the signature on an OCSP request and checks that it is signed by an allowed CA. * Does not check for revocation of the signer certificate * /*from w w w. j a va 2 s . co m*/ * @param clientRemoteAddr The ip address or hostname of the remote client that sent the request, can be null. * @param req The signed OCSPReq * @param cacerts a CertificateCache of Certificates, the authorized CA-certificates. The signer certificate must be issued by one of these. * @return X509Certificate which is the certificate that signed the OCSP request * @throws SignRequestSignatureException if signature verification fail, or if the signing certificate is not authorized * @throws SignRequestException if there is no signature on the OCSPReq * @throws OCSPException if the request can not be parsed to retrieve certificates * @throws NoSuchProviderException if the BC provider is not installed * @throws CertificateException if the certificate can not be parsed * @throws NoSuchAlgorithmException if the certificate contains an unsupported algorithm * @throws InvalidKeyException if the certificate, or CA key is invalid * @throws OperatorCreationException */ public static X509Certificate checkRequestSignature(String clientRemoteAddr, OCSPReq req, CaCertificateCache cacerts) throws SignRequestException, OCSPException, NoSuchProviderException, CertificateException, NoSuchAlgorithmException, InvalidKeyException, SignRequestSignatureException, OperatorCreationException { X509Certificate signercert = null; if (!req.isSigned()) { String infoMsg = intres.getLocalizedMessage("ocsp.errorunsignedreq", clientRemoteAddr); log.info(infoMsg); throw new SignRequestException(infoMsg); } // Get all certificates embedded in the request (probably a certificate chain) X509CertificateHolder[] certs = req.getCerts(); // Set, as a try, the signer to be the first certificate, so we have a name to log... String signer = null; JcaX509CertificateConverter converter = new JcaX509CertificateConverter(); if (certs.length > 0) { signer = CertTools.getSubjectDN(converter.getCertificate(certs[0])); } // We must find a cert to verify the signature with... boolean verifyOK = false; for (int i = 0; i < certs.length; i++) { if (req.isSignatureValid(new JcaContentVerifierProviderBuilder().build(certs[i])) == true) { signercert = converter.getCertificate(certs[i]); signer = CertTools.getSubjectDN(signercert); Date now = new Date(); String signerissuer = CertTools.getIssuerDN(signercert); String infoMsg = intres.getLocalizedMessage("ocsp.infosigner", signer); log.info(infoMsg); verifyOK = true; // Also check that the signer certificate can be verified by one of the CA-certificates // that we answer for X509Certificate signerca = cacerts.findLatestBySubjectDN(HashID.getFromIssuerDN(certs[i])); String subject = signer; String issuer = signerissuer; if (signerca != null) { try { signercert.verify(signerca.getPublicKey()); if (log.isDebugEnabled()) { log.debug("Checking validity. Now: " + now + ", signerNotAfter: " + signercert.getNotAfter()); } CertTools.checkValidity(signercert, now); // Move the error message string to the CA cert subject = CertTools.getSubjectDN(signerca); issuer = CertTools.getIssuerDN(signerca); CertTools.checkValidity(signerca, now); } catch (SignatureException e) { infoMsg = intres.getLocalizedMessage("ocsp.infosigner.invalidcertsignature", subject, issuer, e.getMessage()); log.info(infoMsg); verifyOK = false; } catch (InvalidKeyException e) { infoMsg = intres.getLocalizedMessage("ocsp.infosigner.invalidcertsignature", subject, issuer, e.getMessage()); log.info(infoMsg); verifyOK = false; } catch (CertificateNotYetValidException e) { infoMsg = intres.getLocalizedMessage("ocsp.infosigner.certnotyetvalid", subject, issuer, e.getMessage()); log.info(infoMsg); verifyOK = false; } catch (CertificateExpiredException e) { infoMsg = intres.getLocalizedMessage("ocsp.infosigner.certexpired", subject, issuer, e.getMessage()); log.info(infoMsg); verifyOK = false; } } else { infoMsg = intres.getLocalizedMessage("ocsp.infosigner.nocacert", signer, signerissuer); log.info(infoMsg); verifyOK = false; } break; } } if (!verifyOK) { String errMsg = intres.getLocalizedMessage("ocsp.errorinvalidsignature", signer); log.info(errMsg); throw new SignRequestSignatureException(errMsg); } return signercert; }
From source file:org.jruby.ext.openssl.OCSPRequest.java
License:Common Public License
@JRubyMethod(name = "verify", rest = true) public IRubyObject verify(IRubyObject[] args) { Ruby runtime = getRuntime();// w w w. j a va2 s .com ThreadContext context = runtime.getCurrentContext(); int flags = 0; boolean ret = false; if (Arity.checkArgumentCount(runtime, args, 2, 3) == 3) { flags = RubyFixnum.fix2int((RubyFixnum) args[2]); } IRubyObject certificates = args[0]; IRubyObject store = args[1]; OCSPReq bcOCSPReq = getBCOCSPReq(); if (bcOCSPReq == null) { throw newOCSPError(runtime, new NullPointerException("Missing BC asn1bcReq. Missing certIDs or signature?")); } if (!bcOCSPReq.isSigned()) { return RubyBoolean.newBoolean(runtime, ret); } GeneralName genName = bcOCSPReq.getRequestorName(); if (genName.getTagNo() != 4) { return RubyBoolean.newBoolean(runtime, ret); } X500Name genX500Name = X500Name.getInstance(genName.getName()); X509StoreContext storeContext = null; JcaContentVerifierProviderBuilder jcacvpb = new JcaContentVerifierProviderBuilder(); jcacvpb.setProvider("BC"); try { java.security.cert.Certificate signer = findCertByName(genX500Name, certificates, flags); if (signer == null) return RubyBoolean.newBoolean(runtime, ret); if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOINTERN))) > 0 && ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_TRUSTOTHER))) > 0)) flags |= RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOVERIFY)); if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOSIGS))) == 0) { PublicKey signerPubKey = signer.getPublicKey(); ContentVerifierProvider cvp = jcacvpb.build(signerPubKey); ret = bcOCSPReq.isSignatureValid(cvp); if (!ret) { return RubyBoolean.newBoolean(runtime, ret); } } if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOVERIFY))) == 0) { if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOCHAIN))) > 0) { storeContext = X509StoreContext.newStoreContext(context, (X509Store) store, X509Cert.wrap(runtime, signer), context.nil); } else { RubyArray certs = RubyArray.newEmptyArray(runtime); ASN1Sequence bcCerts = asn1bcReq.getOptionalSignature().getCerts(); if (bcCerts != null) { Iterator<ASN1Encodable> it = bcCerts.iterator(); while (it.hasNext()) { Certificate cert = Certificate.getInstance(it.next()); certs.add(X509Cert.wrap(runtime, new X509AuxCertificate(cert))); } } storeContext = X509StoreContext.newStoreContext(context, (X509Store) store, X509Cert.wrap(runtime, signer), certs); } storeContext.set_purpose(context, _X509(runtime).getConstant("PURPOSE_OCSP_HELPER")); storeContext.set_trust(context, _X509(runtime).getConstant("TRUST_OCSP_REQUEST")); ret = storeContext.verify(context).isTrue(); if (!ret) return RubyBoolean.newBoolean(runtime, false); } } catch (Exception e) { debugStackTrace(e); throw newOCSPError(runtime, e); } return RubyBoolean.newBoolean(getRuntime(), ret); }
From source file:org.xipki.ocsp.server.impl.OcspServer.java
License:Open Source License
private OcspRespWithCacheInfo checkSignature(final OCSPReq request, final RequestOption requestOption, final AuditEvent auditEvent) throws OCSPException, CertificateParsingException, InvalidAlgorithmParameterException, OcspResponderException { if (request.isSigned() == false) { if (requestOption.isSignatureRequired() == false) { return null; }//from ww w. j av a 2 s . c o m String message = "signature in request required"; LOG.warn(message); if (auditEvent != null) { fillAuditEvent(auditEvent, AuditLevel.INFO, AuditStatus.FAILED, message); } return createUnsuccessfullOCSPResp(OcspResponseStatus.sigRequired); } if (requestOption.isValidateSignature() == false) { return null; } X509CertificateHolder[] certs = request.getCerts(); if (certs == null || certs.length < 1) { String message = "no certificate found in request to verify the signature"; LOG.warn(message); if (auditEvent != null) { fillAuditEvent(auditEvent, AuditLevel.INFO, AuditStatus.FAILED, message); } return createUnsuccessfullOCSPResp(OcspResponseStatus.unauthorized); } ContentVerifierProvider cvp; try { cvp = securityFactory.getContentVerifierProvider(certs[0]); } catch (InvalidKeyException e) { LOG.warn("securityFactory.getContentVerifierProvider, InvalidKeyException: {}", e.getMessage()); if (auditEvent != null) { fillAuditEvent(auditEvent, AuditLevel.ERROR, AuditStatus.FAILED, e.getMessage()); } return createUnsuccessfullOCSPResp(OcspResponseStatus.unauthorized); } boolean sigValid = request.isSignatureValid(cvp); if (sigValid == false) { String message = "request signature is invalid"; LOG.warn(message); if (auditEvent != null) { fillAuditEvent(auditEvent, AuditLevel.INFO, AuditStatus.FAILED, message); } return createUnsuccessfullOCSPResp(OcspResponseStatus.unauthorized); } // validate the certPath Date referenceTime = new Date(); if (canBuildCertpath(certs, requestOption, referenceTime)) { return null; } String message = "could not build certpath for the request's signer certifcate"; LOG.warn(message); if (auditEvent != null) { fillAuditEvent(auditEvent, AuditLevel.INFO, AuditStatus.FAILED, message); } return createUnsuccessfullOCSPResp(OcspResponseStatus.unauthorized); }
From source file:org.xipki.pki.ocsp.server.impl.OcspServer.java
License:Open Source License
private OcspRespWithCacheInfo checkSignature(final OCSPReq request, final RequestOption requestOption, final AuditEvent event) throws OCSPException, CertificateParsingException, InvalidAlgorithmParameterException, OcspResponderException { if (!request.isSigned()) { if (!requestOption.isSignatureRequired()) { return null; }/*w w w.jav a 2 s .co m*/ String message = "signature in request required"; LOG.warn(message); fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, message); return createUnsuccessfulOcspResp(OcspResponseStatus.sigRequired); } if (!requestOption.isValidateSignature()) { return null; } X509CertificateHolder[] certs = request.getCerts(); if (certs == null || certs.length < 1) { String message = "no certificate found in request to verify the signature"; LOG.warn(message); fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, message); return createUnsuccessfulOcspResp(OcspResponseStatus.unauthorized); } ContentVerifierProvider cvp; try { cvp = securityFactory.getContentVerifierProvider(certs[0]); } catch (InvalidKeyException ex) { LOG.warn("securityFactory.getContentVerifierProvider, InvalidKeyException: {}", ex.getMessage()); fillAuditEvent(event, AuditLevel.ERROR, AuditStatus.FAILED, ex.getMessage()); return createUnsuccessfulOcspResp(OcspResponseStatus.unauthorized); } boolean sigValid = request.isSignatureValid(cvp); if (!sigValid) { String message = "request signature is invalid"; LOG.warn(message); fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, message); return createUnsuccessfulOcspResp(OcspResponseStatus.unauthorized); } // validate the certPath Date referenceTime = new Date(); if (canBuildCertpath(certs, requestOption, referenceTime)) { return null; } String message = "could not build certpath for the request's signer certificate"; LOG.warn(message); fillAuditEvent(event, AuditLevel.INFO, AuditStatus.FAILED, message); return createUnsuccessfulOcspResp(OcspResponseStatus.unauthorized); }