Example usage for org.bouncycastle.cert.ocsp OCSPResp SIG_REQUIRED

List of usage examples for org.bouncycastle.cert.ocsp OCSPResp SIG_REQUIRED

Introduction

This page lists usage examples for org.bouncycastle.cert.ocsp OCSPResp SIG_REQUIRED.

Prototype

int SIG_REQUIRED


Usage

From source file:org.cesecore.certificates.ocsp.standalone.StandaloneOcspResponseGeneratorSessionTest.java

License:Open Source License

/**
 * Request signature requirement: ANY known certificate.
 * Request signature:             None.
 * Expected outcome:              5 (OCSPResp.SIG_REQUIRED)
 */
@Test
public void testAnySignatureRequiredNoSignature() throws Exception {
    // Remove the original CA first so the responder runs purely from the key binding (standalone).
    OcspTestUtils.deleteCa(authenticationToken, x509ca);
    activateKeyBinding(internalKeyBindingId);
    // Switch the key binding into "trusted signature required" mode and make the responder pick it up.
    final OcspKeyBinding keyBinding = (OcspKeyBinding) internalKeyBindingMgmtSession
            .getInternalKeyBinding(authenticationToken, internalKeyBindingId);
    keyBinding.setRequireTrustedSignature(true);
    internalKeyBindingMgmtSession.persistInternalKeyBinding(authenticationToken, keyBinding);
    ocspResponseGeneratorSession.reloadOcspSigningCache();
    // An unsigned request must now be answered with SIG_REQUIRED and carry no response body.
    final OCSPReq unsignedRequest = buildOcspRequest(null, null, caCertificate,
            ocspSigningCertificate.getSerialNumber());
    final OCSPResp response = sendRequest(unsignedRequest);
    final int status = response.getStatus();
    assertEquals("We expected a 'Signature Required' status code: ", OCSPResp.SIG_REQUIRED, status);
    assertNull("We expected the response object to be null when 'Signature Required' is recieved.",
            response.getResponseObject());
}

From source file:org.keycloak.common.util.OCSPUtils.java

License:Apache License

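/**
 * Requests certificate revocation status using OCSP.
 * <p>
 * A random nonce extension is attached to the request so that a replayed
 * response can be detected when the response is processed. Only the first
 * entry of {@code responderURIs} is contacted.
 * @param cert the certificate to be checked
 * @param issuerCertificate the issuer certificate
 * @param responderURIs the OCSP responder URIs; must contain at least one entry
 * @param responderCert the OCSP responder certificate
 * @param date if null, the current time is used.
 * @return a revocation status
 * @throws IllegalArgumentException if {@code responderURIs} is null or empty
 * @throws CertPathValidatorException if the responder cannot be reached, answers with a
 *         non-successful status, or the response cannot be processed
 */
private static OCSPRevocationStatus check(X509Certificate cert, X509Certificate issuerCertificate,
        List<URI> responderURIs, X509Certificate responderCert, Date date) throws CertPathValidatorException {
    if (responderURIs == null || responderURIs.isEmpty()) {
        throw new IllegalArgumentException("Need at least one responder");
    }
    try {
        DigestCalculator digCalc = new BcDigestCalculatorProvider()
                .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));

        JcaCertificateID certificateID = new JcaCertificateID(digCalc, issuerCertificate,
                cert.getSerialNumber());

        // Nonce extension to protect against replay attacks. 16 random bytes make the
        // nonce infeasible to guess; the earlier Math.abs(nextInt()) value carried at
        // most 31 bits of entropy (and Math.abs(Integer.MIN_VALUE) is negative).
        // Signum 1 keeps the BigInteger non-negative, so toByteArray() never produces a
        // sign-extended encoding.
        SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
        byte[] nonceBytes = new byte[16];
        random.nextBytes(nonceBytes);
        BigInteger nounce = new BigInteger(1, nonceBytes);

        DEROctetString derString = new DEROctetString(nounce.toByteArray());
        Extension nounceExtension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, derString);
        Extensions extensions = new Extensions(nounceExtension);

        OCSPReq ocspReq = new OCSPReqBuilder().addRequest(certificateID, extensions).build();

        // Only the first responder is tried; the remaining URIs are not used as fallbacks.
        URI responderURI = responderURIs.get(0);
        logger.log(Level.INFO, "OCSP Responder {0}", responderURI);

        try {
            OCSPResp resp = getResponse(ocspReq, responderURI);
            logger.log(Level.FINE, "Received a response from OCSP responder {0}, the response status is {1}",
                    new Object[] { responderURI, resp.getStatus() });
            switch (resp.getStatus()) {
            case OCSPResp.SUCCESSFUL:
                // The nonce is handed on so the response can be matched against this request.
                if (resp.getResponseObject() instanceof BasicOCSPResp) {
                    return processBasicOCSPResponse(issuerCertificate, responderCert, date, certificateID,
                            nounce, (BasicOCSPResp) resp.getResponseObject());
                } else {
                    throw new CertPathValidatorException(
                            "OCSP responder returned an invalid or unknown OCSP response.");
                }

            case OCSPResp.INTERNAL_ERROR:
            case OCSPResp.TRY_LATER:
                // Responder-side trouble: the status is unknown rather than bad.
                throw new CertPathValidatorException(
                        "Internal error/try later. OCSP response error: " + resp.getStatus(), (Throwable) null,
                        (CertPath) null, -1,
                        CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);

            case OCSPResp.SIG_REQUIRED:
                // The responder insists on signed requests; this client sends unsigned ones.
                throw new CertPathValidatorException(
                        "Invalid or missing signature. OCSP response error: " + resp.getStatus(),
                        (Throwable) null, (CertPath) null, -1,
                        CertPathValidatorException.BasicReason.INVALID_SIGNATURE);

            case OCSPResp.UNAUTHORIZED:
                throw new CertPathValidatorException(
                        "Unauthorized request. OCSP response error: " + resp.getStatus(), (Throwable) null,
                        (CertPath) null, -1, CertPathValidatorException.BasicReason.UNSPECIFIED);

            case OCSPResp.MALFORMED_REQUEST:
            default:
                // Any status not listed above is reported as a malformed request.
                throw new CertPathValidatorException(
                        "OCSP request is malformed. OCSP response error: " + resp.getStatus(), (Throwable) null,
                        (CertPath) null, -1, CertPathValidatorException.BasicReason.UNSPECIFIED);
            }
        } catch (IOException e) {
            logger.log(Level.FINE, "OCSP Responder \"{0}\" failed to return a valid OCSP response\n{1}",
                    new Object[] { responderURI, e.getMessage() });
            throw new CertPathValidatorException("OCSP check failed", e);
        }
    } catch (CertificateNotYetValidException | CertificateExpiredException | OperatorCreationException
            | OCSPException | CertificateEncodingException | NoSuchAlgorithmException
            | NoSuchProviderException e) {
        // Wrap everything else so callers only have to handle CertPathValidatorException;
        // the cause is preserved for diagnostics.
        logger.log(Level.FINE, e.getMessage());
        throw new CertPathValidatorException(e.getMessage(), e);
    }
}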