List of usage examples for org.bouncycastle.cert.ocsp OCSPResp UNAUTHORIZED
int UNAUTHORIZED
From source file:org.cesecore.certificates.ocsp.standalone.StandaloneOcspResponseGeneratorSessionTest.java
License:Open Source License
/**
 * Request signature requirement: ANY certificate issued by a CA with caId=-1.
 * Request signature: By a known certificate issued by a CA with caId!=-1.
 * Expected outcome: 6 (OCSPResp.UNAUTHORIZED)
 */
@Test
public void testSpecificIssuerSignatureRequiredWrongSignatureIssuer() throws Exception {
    // The requester certificate has to be issued before the CA is torn down below.
    final String requesterName = Thread.currentThread().getStackTrace()[1].getMethodName();
    final KeyPair requesterKeys = KeyTools.genKeys("1024", AlgorithmConstants.KEYALGORITHM_RSA);
    final X509Certificate requesterCertificate =
            issueOcspAuthenticationCertificate(requesterName, requesterKeys.getPublic());
    try {
        // Remove the issuing CA so the responder runs purely from its key binding (standalone mode).
        OcspTestUtils.deleteCa(authenticationToken, x509ca);
        activateKeyBinding(internalKeyBindingId);
        // Demand a trusted signature on incoming requests ...
        final OcspKeyBinding keyBinding = (OcspKeyBinding) internalKeyBindingMgmtSession
                .getInternalKeyBinding(authenticationToken, internalKeyBindingId);
        keyBinding.setRequireTrustedSignature(true);
        // ... but only trust signers issued by caId -1, which should not exist.
        addTrustEntry(keyBinding, -1, null);
        internalKeyBindingMgmtSession.persistInternalKeyBinding(authenticationToken, keyBinding);
        ocspResponseGeneratorSession.reloadOcspSigningCache();
        // Sign the request with the requester certificate, which no trust entry covers.
        final OCSPReq signedRequest = buildOcspRequest(requesterCertificate, requesterKeys.getPrivate(),
                caCertificate, ocspSigningCertificate.getSerialNumber());
        final OCSPResp response = sendRequest(signedRequest);
        assertEquals("We expected a 'Unauthorized' status code: ", OCSPResp.UNAUTHORIZED, response.getStatus());
        assertNull("Unauthorized signed request did not generate null-response.", response.getResponseObject());
    } finally {
        internalCertificateStoreSession.removeCertificate(requesterCertificate);
    }
}
From source file:org.cesecore.certificates.ocsp.standalone.StandaloneOcspResponseGeneratorSessionTest.java
License:Open Source License
/**
 * Request signature requirement: A certificate issued by our test CA with certificate serialnumber=0.
 * Request signature: By a known certificate issued by our test CA with certificate serialnumber!=0.
 * Expected outcome: 6 (OCSPResp.UNAUTHORIZED)
 */
@Test
public void testSpecificSignerSignatureRequiredWrongSignatureCert() throws Exception {
    // The requester certificate has to be issued before the CA is torn down below.
    final String requesterName = Thread.currentThread().getStackTrace()[1].getMethodName();
    final KeyPair requesterKeys = KeyTools.genKeys("1024", AlgorithmConstants.KEYALGORITHM_RSA);
    final X509Certificate requesterCertificate =
            issueOcspAuthenticationCertificate(requesterName, requesterKeys.getPublic());
    try {
        // Remove the issuing CA so the responder runs purely from its key binding (standalone mode).
        OcspTestUtils.deleteCa(authenticationToken, x509ca);
        activateKeyBinding(internalKeyBindingId);
        // Demand a trusted signature on incoming requests ...
        final OcspKeyBinding keyBinding = (OcspKeyBinding) internalKeyBindingMgmtSession
                .getInternalKeyBinding(authenticationToken, internalKeyBindingId);
        keyBinding.setRequireTrustedSignature(true);
        // ... but pin the trusted signer to serial number 0 of our test CA, which is not the
        // serial number of the requester certificate issued above.
        addTrustEntry(keyBinding, x509ca.getCAId(), new BigInteger("0"));
        internalKeyBindingMgmtSession.persistInternalKeyBinding(authenticationToken, keyBinding);
        ocspResponseGeneratorSession.reloadOcspSigningCache();
        // Sign the request with the requester certificate, which the trust entry does not match.
        final OCSPReq signedRequest = buildOcspRequest(requesterCertificate, requesterKeys.getPrivate(),
                caCertificate, ocspSigningCertificate.getSerialNumber());
        final OCSPResp response = sendRequest(signedRequest);
        assertEquals("We expected a 'Unauthorized' status code: ", OCSPResp.UNAUTHORIZED, response.getStatus());
        assertNull("Unauthorized signed request did not generate null-response.", response.getResponseObject());
    } finally {
        internalCertificateStoreSession.removeCertificate(requesterCertificate);
    }
}
From source file:org.cesecore.certificates.ocsp.standalone.StandaloneOcspResponseGeneratorSessionTest.java
License:Open Source License
/**
 * Request signature requirement: A certificate issued by our test CA with the certificate's serialnumber.
 * Request signature: By the required certificate, which happens to be revoked.
 * Expected outcome: UNAUTHORIZED
 */
@Test
public void testSpecificSignerSignatureRequiredRevokedSignatureCert() throws Exception {
    // A dedicated CA issues the requester certificate in this test.
    final X509CA requesterIssuerCa = CryptoTokenTestUtils.createTestCAWithSoftCryptoToken(authenticationToken,
            "CN=RevokedSignatureIssuer");
    final int requesterIssuerTokenId = requesterIssuerCa.getCAToken().getCryptoTokenId();
    cryptoTokenManagementSession.createKeyPair(authenticationToken, requesterIssuerTokenId, "signKeyAlias", "1024");
    final X509Certificate requesterIssuerCertificate = (X509Certificate) requesterIssuerCa.getCACertificate();
    // Make the new CA certificate known to the certificate store.
    certificateStoreSession.storeCertificate(authenticationToken, requesterIssuerCertificate, "foo", "1234",
            CertificateConstants.CERT_ACTIVE, CertificateConstants.CERTTYPE_ROOTCA,
            CertificateProfileConstants.CERTPROFILE_FIXED_ROOTCA, "footag", System.currentTimeMillis());
    // Remember the global "signature required" setting so it can be restored afterwards.
    final String previousSignatureRequired = cesecoreConfigurationProxySession
            .getConfigurationValue(OcspConfiguration.SIGNATUREREQUIRED);
    cesecoreConfigurationProxySession.setConfigurationValue(OcspConfiguration.SIGNATUREREQUIRED, "true");
    try {
        final String requesterName = Thread.currentThread().getStackTrace()[1].getMethodName();
        final KeyPair requesterKeys = KeyTools.genKeys("1024", AlgorithmConstants.KEYALGORITHM_RSA);
        final X509Certificate requesterCertificate = issueOcspAuthenticationCertificate(
                requesterIssuerCa.getCAId(), requesterName, requesterKeys.getPublic());
        try {
            // Remove the original CA so the responder runs purely from its key binding (standalone mode).
            OcspTestUtils.deleteCa(authenticationToken, x509ca);
            activateKeyBinding(internalKeyBindingId);
            // Demand a trusted signature on incoming requests ...
            final OcspKeyBinding keyBinding = (OcspKeyBinding) internalKeyBindingMgmtSession
                    .getInternalKeyBinding(authenticationToken, internalKeyBindingId);
            keyBinding.setRequireTrustedSignature(true);
            // ... pinned to the requester certificate's serial number.
            // NOTE(review): the trust entry names x509ca although the requester certificate was
            // issued by requesterIssuerCa; the javadoc attributes the UNAUTHORIZED outcome to the
            // revocation below, so confirm the CA id here is intended.
            addTrustEntry(keyBinding, x509ca.getCAId(), requesterCertificate.getSerialNumber());
            internalKeyBindingMgmtSession.persistInternalKeyBinding(authenticationToken, keyBinding);
            ocspResponseGeneratorSession.reloadOcspSigningCache();
            internalCertificateStoreSession.reloadCaCertificateCache();
            // Build the signed request first, then revoke the signer before it is sent.
            final OCSPReq signedRequest = buildOcspRequest(requesterCertificate, requesterKeys.getPrivate(),
                    (X509Certificate) x509ca.getCACertificate(), ocspSigningCertificate.getSerialNumber());
            certificateStoreSession.setRevokeStatus(authenticationToken, requesterCertificate,
                    RevokedCertInfo.REVOCATION_REASON_KEYCOMPROMISE, null);
            final OCSPResp response = sendRequest(signedRequest);
            assertEquals("We expected an 'UNAUTHORIZED' status code: ", OCSPResp.UNAUTHORIZED,
                    response.getStatus());
        } finally {
            internalCertificateStoreSession.removeCertificate(requesterCertificate);
        }
    } finally {
        cesecoreConfigurationProxySession.setConfigurationValue(OcspConfiguration.SIGNATUREREQUIRED,
                previousSignatureRequired);
        OcspTestUtils.deleteCa(authenticationToken, requesterIssuerCa);
    }
}
From source file:org.cesecore.certificates.ocsp.standalone.StandaloneOcspResponseGeneratorSessionTest.java
License:Open Source License
/**
 * Request signature requirement: Multiple options.
 * Request signature: By a known certificate issued by our test CA, not matching any of the configured trust entries.
 * Expected outcome: 6 (OCSPResp.UNAUTHORIZED)
 */
@Test
public void testOneOfManySignatureRequiredWrongSignatureCert() throws Exception {
    // The requester certificate has to be issued before the CA is torn down below.
    final String requesterName = Thread.currentThread().getStackTrace()[1].getMethodName();
    final KeyPair requesterKeys = KeyTools.genKeys("1024", AlgorithmConstants.KEYALGORITHM_RSA);
    final X509Certificate requesterCertificate =
            issueOcspAuthenticationCertificate(requesterName, requesterKeys.getPublic());
    try {
        // Remove the issuing CA so the responder runs purely from its key binding (standalone mode).
        OcspTestUtils.deleteCa(authenticationToken, x509ca);
        activateKeyBinding(internalKeyBindingId);
        // Demand a trusted signature on incoming requests ...
        final OcspKeyBinding keyBinding = (OcspKeyBinding) internalKeyBindingMgmtSession
                .getInternalKeyBinding(authenticationToken, internalKeyBindingId);
        keyBinding.setRequireTrustedSignature(true);
        // ... and configure several trust entries, none of which describes the requester
        // certificate: right serial under the wrong CA, a wrong CA altogether, and the right CA
        // with the wrong serial.
        addTrustEntry(keyBinding, -1, requesterCertificate.getSerialNumber());
        addTrustEntry(keyBinding, -2, null);
        addTrustEntry(keyBinding, x509ca.getCAId(), new BigInteger("0"));
        internalKeyBindingMgmtSession.persistInternalKeyBinding(authenticationToken, keyBinding);
        ocspResponseGeneratorSession.reloadOcspSigningCache();
        // Sign the request with the requester certificate.
        final OCSPReq signedRequest = buildOcspRequest(requesterCertificate, requesterKeys.getPrivate(),
                caCertificate, ocspSigningCertificate.getSerialNumber());
        final OCSPResp response = sendRequest(signedRequest);
        assertEquals("We expected a 'Unauthorized' status code: ", OCSPResp.UNAUTHORIZED, response.getStatus());
        assertNull("Unauthorized signed request did not generate null-response.", response.getResponseObject());
    } finally {
        internalCertificateStoreSession.removeCertificate(requesterCertificate);
    }
}
From source file:org.cesecore.certificates.ocsp.standalone.StandaloneOcspResponseGeneratorSessionTest.java
License:Open Source License
/**
 * Tests the case where a signature is required, but the requester is not authorized to make it.
 */
@Test
public void testUnauthorizedRequester() throws Exception {
    // The requester certificate has to be issued before the CA is torn down below.
    final String requesterName = Thread.currentThread().getStackTrace()[1].getMethodName();
    final KeyPair requesterKeys = KeyTools.genKeys("1024", AlgorithmConstants.KEYALGORITHM_RSA);
    final X509Certificate requesterCertificate =
            issueOcspAuthenticationCertificate(requesterName, requesterKeys.getPublic());
    try {
        // Remove the issuing CA so the responder runs purely from its key binding (standalone mode).
        OcspTestUtils.deleteCa(authenticationToken, x509ca);
        activateKeyBinding(internalKeyBindingId);
        // Demand a trusted signature on incoming requests ...
        final OcspKeyBinding keyBinding = (OcspKeyBinding) internalKeyBindingMgmtSession
                .getInternalKeyBinding(authenticationToken, internalKeyBindingId);
        keyBinding.setRequireTrustedSignature(true);
        // ... trusting only a CA id / serial number pair unrelated to the requester certificate.
        addTrustEntry(keyBinding, 4711, new BigInteger("4711"));
        internalKeyBindingMgmtSession.persistInternalKeyBinding(authenticationToken, keyBinding);
        ocspResponseGeneratorSession.reloadOcspSigningCache();
        internalCertificateStoreSession.reloadCaCertificateCache();
        // Sign the request with the requester certificate.
        final OCSPReq signedRequest = buildOcspRequest(requesterCertificate, requesterKeys.getPrivate(),
                caCertificate, ocspSigningCertificate.getSerialNumber());
        final OCSPResp response = sendRequest(signedRequest);
        assertEquals("We expected a 'Unauthorized' status code: ", OCSPResp.UNAUTHORIZED, response.getStatus());
    } finally {
        internalCertificateStoreSession.removeCertificate(requesterCertificate);
    }
}
From source file:org.keycloak.common.util.OCSPUtils.java
License:Apache License
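/**
 * Requests certificate revocation status using OCSP.
 *
 * <p>Only the first entry of {@code responderURIs} is contacted; the remaining entries are not
 * used as fallbacks. A random nonce is attached to the request and handed to
 * {@code processBasicOCSPResponse} so the response can be tied to this request.
 *
 * @param cert the certificate to be checked
 * @param issuerCertificate the issuer certificate
 * @param responderURIs the OCSP responder URIs (at least one is required)
 * @param responderCert the OCSP responder certificate
 * @param date if null, the current time is used.
 * @return a revocation status
 * @throws IllegalArgumentException if {@code responderURIs} is null or empty
 * @throws CertPathValidatorException if the responder cannot be reached, answers with a
 *         non-successful status, or the request cannot be built or the response validated
 */
private static OCSPRevocationStatus check(X509Certificate cert, X509Certificate issuerCertificate,
        List<URI> responderURIs, X509Certificate responderCert, Date date) throws CertPathValidatorException {
    if (responderURIs == null || responderURIs.isEmpty()) {
        throw new IllegalArgumentException("Need at least one responder");
    }
    try {
        DigestCalculator digCalc = new BcDigestCalculatorProvider()
                .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
        JcaCertificateID certificateID = new JcaCertificateID(digCalc, issuerCertificate, cert.getSerialNumber());

        // Nonce extension: lets the response be matched to this request (replay protection).
        // Draw 16 random bytes instead of Math.abs(random.nextInt()): the latter yielded at most
        // 31 bits of entropy and is negative for Integer.MIN_VALUE. The unsigned BigInteger and
        // the octet string carry the same bytes (nonce.toByteArray()), as before.
        SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
        byte[] nonceBytes = new byte[16];
        random.nextBytes(nonceBytes);
        BigInteger nonce = new BigInteger(1, nonceBytes);
        DEROctetString derString = new DEROctetString(nonce.toByteArray());
        Extension nonceExtension = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, derString);
        Extensions extensions = new Extensions(nonceExtension);

        OCSPReq ocspReq = new OCSPReqBuilder().addRequest(certificateID, extensions).build();

        // Only the first responder is consulted.
        URI responderURI = responderURIs.get(0);
        logger.log(Level.INFO, "OCSP Responder {0}", responderURI);

        try {
            OCSPResp resp = getResponse(ocspReq, responderURI);
            logger.log(Level.FINE, "Received a response from OCSP responder {0}, the response status is {1}",
                    new Object[] { responderURI, resp.getStatus() });
            switch (resp.getStatus()) {
            case OCSPResp.SUCCESSFUL:
                Object responseObject = resp.getResponseObject();
                if (responseObject instanceof BasicOCSPResp) {
                    return processBasicOCSPResponse(issuerCertificate, responderCert, date, certificateID, nonce,
                            (BasicOCSPResp) responseObject);
                } else {
                    throw new CertPathValidatorException(
                            "OCSP responder returned an invalid or unknown OCSP response.");
                }
            case OCSPResp.INTERNAL_ERROR:
            case OCSPResp.TRY_LATER:
                // Responder-side problem: the status is undetermined, not a verdict on the cert.
                throw new CertPathValidatorException(
                        "Internal error/try later. OCSP response error: " + resp.getStatus(), (Throwable) null,
                        (CertPath) null, -1, CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS);
            case OCSPResp.SIG_REQUIRED:
                throw new CertPathValidatorException(
                        "Invalid or missing signature. OCSP response error: " + resp.getStatus(), (Throwable) null,
                        (CertPath) null, -1, CertPathValidatorException.BasicReason.INVALID_SIGNATURE);
            case OCSPResp.UNAUTHORIZED:
                throw new CertPathValidatorException(
                        "Unauthorized request. OCSP response error: " + resp.getStatus(), (Throwable) null,
                        (CertPath) null, -1, CertPathValidatorException.BasicReason.UNSPECIFIED);
            case OCSPResp.MALFORMED_REQUEST:
            default:
                throw new CertPathValidatorException(
                        "OCSP request is malformed. OCSP response error: " + resp.getStatus(), (Throwable) null,
                        (CertPath) null, -1, CertPathValidatorException.BasicReason.UNSPECIFIED);
            }
        } catch (IOException e) {
            logger.log(Level.FINE, "OCSP Responder \"{0}\" failed to return a valid OCSP response\n{1}",
                    new Object[] { responderURI, e.getMessage() });
            throw new CertPathValidatorException("OCSP check failed", e);
        }
    } catch (CertificateNotYetValidException | CertificateExpiredException | OperatorCreationException
            | OCSPException | CertificateEncodingException | NoSuchAlgorithmException
            | NoSuchProviderException e) {
        // Keep the original exception as cause so callers can see what failed.
        logger.log(Level.FINE, e.getMessage());
        throw new CertPathValidatorException(e.getMessage(), e);
    }
}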