List of usage examples for org.bouncycastle.cert.ocsp OCSPReqBuilder addRequest
public OCSPReqBuilder addRequest(CertificateID certId, Extensions singleRequestExtensions)
From source file:org.ejbca.core.protocol.ocsp.ProtocolOcspHttpTest.java
License:Open Source License
/**
 * Verifies that the OCSP response is signed with the signature algorithm the client asks for through
 * the RFC 6960 preferred-signature-algorithms request extension, provided that algorithm is also on the
 * responder's configured list. When none of the preferred algorithms can be used with the signing key,
 * the first configured algorithm is expected instead.
 *
 * Note that the configured list here is "SHA256withRSA;SHA1withRSA" and the first case shows a client
 * preference steering the responder to the weaker SHA1withRSA entry; the responder still only ever picks
 * from its own configured list.
 *
 * @throws Exception on any test failure
 */
@Test
@Deprecated // Covers legacy behavior from EJBCA 6.1.0; remove once that behavior no longer needs support
public void testSigAlgExtensionLegacy() throws Exception {
    loadUserCert(this.caid);

    // Responder configuration: SHA256withRSA first, SHA1withRSA second.
    Map<String, String> ocspConfig = new HashMap<>();
    ocspConfig.put("ocsp.signaturealgorithm",
            AlgorithmConstants.SIGALG_SHA256_WITH_RSA + ";" + AlgorithmConstants.SIGALG_SHA1_WITH_RSA);
    this.helper.alterConfig(ocspConfig);

    // RFC 6960: id-pkix-ocsp-pref-sig-algs OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 }
    final ASN1ObjectIdentifier prefSigAlgsOid = OCSPObjectIdentifiers.id_pkix_ocsp.branch("8");

    // Case 1: the client prefers ECDSA-SHA256 first and SHA1withRSA second. ECDSA cannot be used with the
    // responder's RSA key, so the next preferred entry, SHA1withRSA, is expected on the response.
    ASN1EncodableVector preferred = new ASN1EncodableVector();
    preferred.add(X9ObjectIdentifiers.ecdsa_with_SHA256);
    preferred.add(PKCSObjectIdentifiers.sha1WithRSAEncryption);
    ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
    extensionsGenerator.addExtension(prefSigAlgsOid, false, new DERSequence(preferred));
    Extensions requestExtensions = extensionsGenerator.generate();
    assertNotNull(requestExtensions);

    OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
    requestBuilder.addRequest(new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), cacert,
            ocspTestCert.getSerialNumber()), requestExtensions);
    requestBuilder.setRequestExtensions(requestExtensions);
    OCSPReq request = requestBuilder.build();
    assertTrue(request.hasExtensions());

    BasicOCSPResp response = helper.sendOCSPGet(request.getEncoded(), null, OCSPRespBuilder.SUCCESSFUL, 200);
    assertNotNull("Could not retrieve response, test could not continue.", response);
    assertEquals(PKCSObjectIdentifiers.sha1WithRSAEncryption, response.getSignatureAlgOID());

    // Case 2: the client only prefers ECDSA-SHA256, which is incompatible with the signing key. The
    // responder is expected to fall back to the first configured algorithm, SHA256withRSA.
    preferred = new ASN1EncodableVector();
    preferred.add(X9ObjectIdentifiers.ecdsa_with_SHA256);
    extensionsGenerator = new ExtensionsGenerator();
    extensionsGenerator.addExtension(prefSigAlgsOid, false, new DERSequence(preferred));
    requestExtensions = extensionsGenerator.generate();
    assertNotNull(requestExtensions);

    requestBuilder = new OCSPReqBuilder();
    requestBuilder.addRequest(new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), cacert,
            ocspTestCert.getSerialNumber()), requestExtensions);
    requestBuilder.setRequestExtensions(requestExtensions);
    request = requestBuilder.build();
    assertTrue(request.hasExtensions());

    response = helper.sendOCSPGet(request.getEncoded(), null, OCSPRespBuilder.SUCCESSFUL, 200);
    assertNotNull("Could not retrieve response, test could not continue.", response);
    assertEquals(PKCSObjectIdentifiers.sha256WithRSAEncryption, response.getSignatureAlgOID());
}
From source file:org.ejbca.core.protocol.ocsp.ProtocolOcspHttpTest.java
License:Open Source License
/** * This test tests that the OCSP response does not contain the signing cert if Ejbca is configured that way. * /*from w w w .ja v a 2 s . c om*/ * @throws Exception */ @Test public void testSignCertNotIncludedInResponse() throws Exception { loadUserCert(this.caid); // set OCSP configuration Map<String, String> map = new HashMap<String, String>(); map.put(OcspConfiguration.INCLUDE_SIGNING_CERT, "false"); helper.alterConfig(map); // This setting is part of the OCSP signing cache so a reload of the cache is required helper.reloadKeys(); // Build the OCSP request OCSPReqBuilder gen = new OCSPReqBuilder(); gen.addRequest(new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), cacert, ocspTestCert.getSerialNumber()), null); OCSPReq req = gen.build(); // Send and verify the OCSP request BasicOCSPResp response = helper.sendOCSPGet(req.getEncoded(), null, OCSPRespBuilder.SUCCESSFUL, 200, false, cacert); assertNotNull("Could not retrieve response, test could not continue.", response); assertTrue("Response does contain certificates", response.getCerts().length == 0); }
From source file:org.ejbca.core.protocol.ocsp.ProtocolOcspHttpTest.java
License:Open Source License
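/**
 * Verifies that, with {@code INCLUDE_CERT_CHAIN=true}, the certificate chain embedded in the OCSP response
 * stops at the sub CAs and does not include the root CA certificate. A SubCA and a SubSubCA are created
 * under the test root CA, the SubSubCA is made the default OCSP responder, and the response for a user
 * certificate issued by the SubSubCA is expected to carry exactly the two sub CA certificates, SubSubCA
 * first.
 *
 * The default responder setting, the test user, the CAs' crypto tokens and the CAs themselves are cleaned
 * up in {@code finally}, each step independently, so a failing assertion does not leave the test CA
 * hierarchy or a default responder reference pointing at a removed CA behind for later tests.
 *
 * @throws Exception on any test failure
 */
@Test
public void testRootCACertNotIncludedInResponse() throws Exception {
    log.trace(">testRootCACertNotIncludedInResponse()");
    // Create a SubCA under the test root CA and a SubSubCA under that.
    final String subcaDN = "CN=SubTestCA";
    createSubCA(subcaDN, caid);
    final String subSubCaDN = "CN=SubSubTestCA";
    final X509Certificate subSubCaCert = createSubCA(subSubCaDN, subcaDN.hashCode());

    // Configure the responder to include the chain and to answer as the SubSubCA by default. The previous
    // default responder is remembered so it can be restored during cleanup.
    Map<String, String> ocspConfig = new HashMap<>();
    ocspConfig.put(OcspConfiguration.INCLUDE_CERT_CHAIN, "true");
    final GlobalOcspConfiguration ocspConfiguration = (GlobalOcspConfiguration) globalConfigurationSession
            .getCachedConfiguration(GlobalOcspConfiguration.OCSP_CONFIGURATION_ID);
    final String previousDefaultResponder = ocspConfiguration.getOcspDefaultResponderReference();
    ocspConfiguration.setOcspDefaultResponderReference(subSubCaDN);
    globalConfigurationSession.saveConfiguration(admin, ocspConfiguration);
    this.helper.alterConfig(ocspConfig);
    helper.reloadKeys();

    // Expect a response whose embedded chain holds only the two sub CAs and not their root CA.
    try {
        loadUserCert(subSubCaDN.hashCode());
        OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
        requestBuilder.addRequest(new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), subSubCaCert,
                ocspTestCert.getSerialNumber()), null);
        OCSPReq request = requestBuilder.build();
        BasicOCSPResp response = helper.sendOCSPGet(request.getEncoded(), null, OCSPRespBuilder.SUCCESSFUL, 200);
        assertNotNull("Could not retrieve response, test could not continue.", response);
        X509CertificateHolder[] includedCerts = response.getCerts();
        // assertEquals reports the actual count on failure; the previous assertTrue message claimed
        // "more than 2" even when fewer were returned.
        assertEquals("Response should contain exactly the two sub CA certificates", 2, includedCerts.length);
        assertEquals(subSubCaDN, includedCerts[0].getSubject().toString());
        assertEquals(subcaDN, includedCerts[1].getSubject().toString());
    } finally {
        // Each cleanup step is isolated so one failure does not prevent the others from running.
        try {
            ocspConfiguration.setOcspDefaultResponderReference(previousDefaultResponder);
            globalConfigurationSession.saveConfiguration(admin, ocspConfiguration);
        } catch (Exception e) {
            log.error("Could not restore the default OCSP responder reference", e);
        }
        try {
            endEntityManagementSession.deleteUser(admin, "ocsptest");
        } catch (Exception e) {
            log.error("Could not delete test user ocsptest", e);
        }
        try {
            int cryptoTokenId = caSession.getCAInfo(admin, subSubCaDN.hashCode()).getCAToken()
                    .getCryptoTokenId();
            CryptoTokenTestUtils.removeCryptoToken(admin, cryptoTokenId);
            cryptoTokenId = caSession.getCAInfo(admin, subcaDN.hashCode()).getCAToken().getCryptoTokenId();
            CryptoTokenTestUtils.removeCryptoToken(admin, cryptoTokenId);
        } catch (Exception e) {
            log.error("Could not remove crypto tokens of " + subSubCaDN + " and " + subcaDN, e);
        }
        try {
            caSession.removeCA(admin, subSubCaDN.hashCode());
            caSession.removeCA(admin, subcaDN.hashCode());
        } catch (Exception e) {
            // Keep the cause: a message-only log hides why CA removal failed.
            log.error("Could not remove CA " + subSubCaDN + " or " + subcaDN, e);
        }
    }
    log.trace("<testRootCACertNotIncludedInResponse()");
}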