Example usage for org.bouncycastle.cert.ocsp OCSPReqBuilder addRequest


Prototype

public OCSPReqBuilder addRequest(CertificateID certId, Extensions singleRequestExtensions) 


Document

Add a request with extensions

Usage

From source file:org.ejbca.core.protocol.ocsp.ProtocolOcspHttpTest.java

License:Open Source License

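/**
 * Verifies that the OCSP response is signed with the preferred signature algorithm named in the request's
 * id-pkix-ocsp-pref-sig-algs extension (RFC 6960), and that the responder falls back to the first configured
 * algorithm when the preferred one cannot be used with the signing key.
 * <p>
 * Two round trips are made: first preferring ECDSA-SHA256 then SHA1withRSA (SHA1withRSA is expected), then
 * preferring only ECDSA-SHA256 (the first configured algorithm, SHA256withRSA, is expected).
 *
 * @throws Exception on any assertion failure or test-infrastructure error
 */
@Test
@Deprecated // This test verifies legacy behavior from EJBCA 6.1.0 and should be removed when we no longer need to support it
public void testSigAlgExtensionLegacy() throws Exception {
    loadUserCert(this.caid);

    // Configure the responder with two signature algorithms; the first one is used when the request's
    // preference cannot be honoured.
    Map<String, String> map = new HashMap<String, String>();
    map.put("ocsp.signaturealgorithm",
            AlgorithmConstants.SIGALG_SHA256_WITH_RSA + ";" + AlgorithmConstants.SIGALG_SHA1_WITH_RSA);
    this.helper.alterConfig(map);

    // 1. Preferred algorithms: ECDSA-SHA256, then SHA1withRSA. The responder is expected to sign with
    //    SHA1withRSA, the first preference it can satisfy with its signing key.
    OCSPReq req = buildRequestWithPreferredSigAlgs(X9ObjectIdentifiers.ecdsa_with_SHA256,
            PKCSObjectIdentifiers.sha1WithRSAEncryption);
    BasicOCSPResp response = helper.sendOCSPGet(req.getEncoded(), null, OCSPRespBuilder.SUCCESSFUL, 200);
    assertNotNull("Could not retrieve response, test could not continue.", response);
    assertEquals(PKCSObjectIdentifiers.sha1WithRSAEncryption, response.getSignatureAlgOID());

    // 2. Preferred algorithm ECDSA-SHA256 only, which is not compatible with the signing key. Expected: a
    //    response signed with the first configured algorithm, SHA256withRSA.
    req = buildRequestWithPreferredSigAlgs(X9ObjectIdentifiers.ecdsa_with_SHA256);
    response = helper.sendOCSPGet(req.getEncoded(), null, OCSPRespBuilder.SUCCESSFUL, 200);
    assertNotNull("Could not retrieve response, test could not continue.", response);
    assertEquals(PKCSObjectIdentifiers.sha256WithRSAEncryption, response.getSignatureAlgOID());
}

/**
 * Builds an OCSP request for {@code ocspTestCert} (issued by {@code cacert}) that carries the
 * id-pkix-ocsp-pref-sig-algs extension (RFC 6960, id-pkix-ocsp 8) both as a single-request extension and as a
 * request-level extension, exactly as the legacy test did inline.
 *
 * @param preferredAlgs signature algorithm OIDs in order of preference
 * @return the built request, asserted to carry extensions
 * @throws Exception if the extension or request cannot be built
 */
private OCSPReq buildRequestWithPreferredSigAlgs(ASN1ObjectIdentifier... preferredAlgs) throws Exception {
    ASN1EncodableVector algVec = new ASN1EncodableVector();
    for (ASN1ObjectIdentifier alg : preferredAlgs) {
        algVec.add(alg);
    }
    ASN1Sequence algSeq = new DERSequence(algVec);
    ExtensionsGenerator extgen = new ExtensionsGenerator();
    // RFC 6960: id-pkix-ocsp-pref-sig-algs   OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 }
    extgen.addExtension(new ASN1ObjectIdentifier(OCSPObjectIdentifiers.id_pkix_ocsp + ".8"), false, algSeq);
    Extensions exts = extgen.generate();
    assertNotNull(exts);

    OCSPReqBuilder gen = new OCSPReqBuilder();
    // SHA-1 here only selects the CertID hash (issuer name/key hash used to identify the certificate);
    // it is not the algorithm that signs the response, which is what this test is about.
    gen.addRequest(new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), cacert,
            ocspTestCert.getSerialNumber()), exts);
    gen.setRequestExtensions(exts);
    OCSPReq req = gen.build();
    assertTrue(req.hasExtensions());
    return req;
}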

From source file:org.ejbca.core.protocol.ocsp.ProtocolOcspHttpTest.java

License:Open Source License

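/**
 * Verifies that the OCSP response carries no certificates at all when EJBCA is configured with
 * {@code OcspConfiguration.INCLUDE_SIGNING_CERT} set to {@code "false"}.
 * <p>
 * Because the signer certificate is not embedded, the CA certificate is handed to the helper explicitly so the
 * response can still be processed.
 *
 * @throws Exception on any assertion failure or test-infrastructure error
 */
@Test
public void testSignCertNotIncludedInResponse() throws Exception {
    loadUserCert(this.caid);
    // Configure the responder to omit its signing certificate from responses.
    Map<String, String> map = new HashMap<String, String>();
    map.put(OcspConfiguration.INCLUDE_SIGNING_CERT, "false");
    helper.alterConfig(map);
    // This setting is part of the OCSP signing cache so a reload of the cache is required
    helper.reloadKeys();
    // Build a plain request for the test certificate; no single-request extensions.
    OCSPReqBuilder gen = new OCSPReqBuilder();
    gen.addRequest(new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), cacert,
            ocspTestCert.getSerialNumber()), null);
    OCSPReq req = gen.build();
    // Send and verify the OCSP request. NOTE(review): presumably the explicit cacert is what the helper uses to
    // verify the response signature when no signer certificate is embedded — confirm in the helper.
    BasicOCSPResp response = helper.sendOCSPGet(req.getEncoded(), null, OCSPRespBuilder.SUCCESSFUL, 200, false,
            cacert);
    assertNotNull("Could not retrieve response, test could not continue.", response);
    // assertEquals reports the actual certificate count on failure, unlike a boolean assertTrue.
    assertEquals("Response does contain certificates", 0, response.getCerts().length);
}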

From source file:org.ejbca.core.protocol.ocsp.ProtocolOcspHttpTest.java

License:Open Source License

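/**
 * Verifies that the certificate chain embedded in the OCSP response (INCLUDE_CERT_CHAIN enabled) contains only
 * the issuing sub-CAs and not the root CA.
 * <p>
 * Creates SubTestCA under the test root CA and SubSubTestCA under SubTestCA, makes SubSubTestCA the default
 * responder, issues the test user certificate from SubSubTestCA and checks that the response chain is exactly
 * [SubSubTestCA, SubTestCA]. The end entity, the CAs' crypto tokens and the CAs themselves are removed in
 * {@code finally}, each step on a best-effort basis.
 *
 * @throws Exception on any assertion failure or test-infrastructure error
 */
@Test
public void testRootCACertNotIncludedInResponse() throws Exception {
    log.trace(">testRootCACertNotIncludedInResponse()");

    // Create a subCA and a subsubCA. CA ids are derived from the subject DN's hashCode, matching createSubCA.
    String subcaDN = "CN=SubTestCA";
    createSubCA(subcaDN, caid);

    String subSubCaDN = "CN=SubSubTestCA";
    X509Certificate subSubCaCert = createSubCA(subSubCaDN, subcaDN.hashCode());

    // set OCSP configuration
    Map<String, String> map = new HashMap<String, String>();
    map.put(OcspConfiguration.INCLUDE_CERT_CHAIN, "true");
    GlobalOcspConfiguration ocspConfiguration = (GlobalOcspConfiguration) globalConfigurationSession
            .getCachedConfiguration(GlobalOcspConfiguration.OCSP_CONFIGURATION_ID);
    // NOTE(review): the default responder reference is not restored in the cleanup below, so after this test
    // the saved global configuration still names a CA that has been removed — confirm a test-level teardown
    // resets it.
    ocspConfiguration.setOcspDefaultResponderReference(subSubCaDN);
    globalConfigurationSession.saveConfiguration(admin, ocspConfiguration);
    this.helper.alterConfig(map);
    helper.reloadKeys();

    // Expects an OCSP response including a certchain that contains only the 2 subCAs and not their rootCA.
    try {
        loadUserCert(subSubCaDN.hashCode());

        OCSPReqBuilder gen = new OCSPReqBuilder();
        gen.addRequest(new JcaCertificateID(SHA1DigestCalculator.buildSha1Instance(), subSubCaCert,
                ocspTestCert.getSerialNumber()), null);
        OCSPReq req = gen.build();

        BasicOCSPResp response = helper.sendOCSPGet(req.getEncoded(), null, OCSPRespBuilder.SUCCESSFUL, 200);
        assertNotNull("Could not retrieve response, test could not continue.", response);

        // Exactly the two sub-CAs, in issuing order; the root CA must be absent. assertEquals reports the actual
        // count on failure (the old message only described the "more than 2" case).
        X509CertificateHolder[] includedCerts = response.getCerts();
        assertEquals("Response does not contain exactly 2 certificates", 2, includedCerts.length);
        assertEquals(subSubCaDN, includedCerts[0].getSubject().toString());
        assertEquals(subcaDN, includedCerts[1].getSubject().toString());

    } finally {
        // Cleanup is best effort: each step is isolated so one failure does not prevent the others.
        try {
            endEntityManagementSession.deleteUser(admin, "ocsptest");
        } catch (Exception e) {
            log.error("", e);
        }

        try {
            int cryptoTokenId = caSession.getCAInfo(admin, subSubCaDN.hashCode()).getCAToken()
                    .getCryptoTokenId();
            CryptoTokenTestUtils.removeCryptoToken(admin, cryptoTokenId);

            cryptoTokenId = caSession.getCAInfo(admin, subcaDN.hashCode()).getCAToken().getCryptoTokenId();
            CryptoTokenTestUtils.removeCryptoToken(admin, cryptoTokenId);
        } catch (Exception e) {
            log.error("", e);
        }

        try {
            caSession.removeCA(admin, subSubCaDN.hashCode());
            caSession.removeCA(admin, subcaDN.hashCode());
        } catch (Exception e) {
            // Keep the cause so a failed cleanup can be diagnosed instead of silently leaving CAs behind.
            log.info("Could not remove CA with SubjectDN " + subSubCaDN, e);
        }
    }

    log.trace("<testRootCACertNotIncludedInResponse()");
}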