private BasicOCSPResp buildBasicOCSPResp() throws OCSPResponseBuilderException {
try {
BasicOCSPRespBuilder gen =
new BasicOCSPRespBuilder(new RespID(new X500Name(getResponderName())));
if (getNonce() != null) {
extensions.add(
new OcspExt(
OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce)));
}
Extension[] extArray = new Extension[extensions.size()];
int i = 0;
for (OcspExt ext : extensions) {
extArray[i++] = new Extension(ext.getOid(), ext.isIsCritical(), ext.getValue());
}
if (extArray.length > 0) {
gen.setResponseExtensions(new Extensions(extArray));
}
for (OcspRespObject r : responses) {
gen.addResponse(
r.getCertId(),
r.getCertStatus(),
r.getThisUpdate(),
r.getNextUpdate(),
r.getExtensions());
}
ContentSigner contentSigner = /*new BufferingContentSigner(*/
new JcaContentSignerBuilder(getSignatureAlgorithm())
.setProvider("BC")
.build(getIssuerPrivateKey()); // , 20480);
BasicOCSPResp response = gen.build(contentSigner, getChain(), getProducedAt());
return response;
} catch (OCSPException ex) {
throw new OCSPResponseBuilderException(ex);
} catch (NoSuchAlgorithmException ex) {
throw new OCSPResponseBuilderException(ex);
} catch (NoSuchProviderException ex) {
throw new OCSPResponseBuilderException(ex);
} catch (OperatorCreationException ex) {
throw new OCSPResponseBuilderException(ex);
}
}
private void testRSA() throws Exception {
String signDN = "O=Bouncy Castle, C=AU";
KeyPair signKP = OCSPTestUtil.makeKeyPair();
X509CertificateHolder testCert =
new JcaX509CertificateHolder(OCSPTestUtil.makeCertificate(signKP, signDN, signKP, signDN));
DigestCalculatorProvider digCalcProv =
new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();
String origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU";
GeneralName origName = new GeneralName(new X509Name(origDN));
//
// general id value for our test issuer cert and a serial number.
//
CertificateID id =
new CertificateID(
digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1));
//
// basic request generation
//
OCSPReqBuilder gen = new OCSPReqBuilder();
gen.addRequest(
new CertificateID(
digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)));
OCSPReq req = gen.build();
if (req.isSigned()) {
fail("signed but shouldn't be");
}
X509CertificateHolder[] certs = req.getCerts();
if (certs.length != 0) {
fail("0 certs expected, but not found");
}
Req[] requests = req.getRequestList();
if (!requests[0].getCertID().equals(id)) {
fail("Failed isFor test");
}
//
// request generation with signing
//
X509CertificateHolder[] chain = new X509CertificateHolder[1];
gen = new OCSPReqBuilder();
gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred")));
gen.addRequest(
new CertificateID(
digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)));
chain[0] = testCert;
req =
gen.build(
new JcaContentSignerBuilder("SHA1withRSA").setProvider(BC).build(signKP.getPrivate()),
chain);
if (!req.isSigned()) {
fail("not signed but should be");
}
if (!req.isSignatureValid(
new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) {
fail("signature failed to verify");
}
requests = req.getRequestList();
if (!requests[0].getCertID().equals(id)) {
fail("Failed isFor test");
}
certs = req.getCerts();
if (certs == null) {
fail("null certs found");
}
if (certs.length != 1 || !certs[0].equals(testCert)) {
fail("incorrect certs found in request");
}
//
// encoding test
//
byte[] reqEnc = req.getEncoded();
OCSPReq newReq = new OCSPReq(reqEnc);
if (!newReq.isSignatureValid(
new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) {
fail("newReq signature failed to verify");
}
//
// request generation with signing and nonce
//
chain = new X509CertificateHolder[1];
gen = new OCSPReqBuilder();
Vector oids = new Vector();
Vector values = new Vector();
byte[] sampleNonce = new byte[16];
Random rand = new Random();
rand.nextBytes(sampleNonce);
gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred")));
oids.addElement(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
values.addElement(
new X509Extension(false, new DEROctetString(new DEROctetString(sampleNonce))));
gen.setRequestExtensions(new X509Extensions(oids, values));
gen.addRequest(
new CertificateID(
digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)));
chain[0] = testCert;
req =
gen.build(
new JcaContentSignerBuilder("SHA1withRSA").setProvider(BC).build(signKP.getPrivate()),
chain);
if (!req.isSigned()) {
fail("not signed but should be");
}
if (!req.isSignatureValid(
new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) {
fail("signature failed to verify");
}
//
// extension check.
//
Set extOids = req.getCriticalExtensionOIDs();
if (extOids.size() != 0) {
fail("wrong number of critical extensions in OCSP request.");
}
extOids = req.getNonCriticalExtensionOIDs();
if (extOids.size() != 1) {
fail("wrong number of non-critical extensions in OCSP request.");
}
X509Extension ext = req.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
ASN1Encodable extObj = ext.getParsedValue();
if (!(extObj instanceof ASN1OctetString)) {
fail("wrong extension type found.");
}
if (!areEqual(((ASN1OctetString) extObj).getOctets(), sampleNonce)) {
fail("wrong extension value found.");
}
//
// request list check
//
requests = req.getRequestList();
if (!requests[0].getCertID().equals(id)) {
fail("Failed isFor test");
}
//
// response generation
//
BasicOCSPRespBuilder respGen =
new JcaBasicOCSPRespBuilder(signKP.getPublic(), digCalcProv.get(RespID.HASH_SHA1));
respGen.addResponse(id, CertificateStatus.GOOD);
BasicOCSPResp resp =
respGen.build(
new JcaContentSignerBuilder("SHA1withRSA").setProvider(BC).build(signKP.getPrivate()),
chain,
new Date());
OCSPRespBuilder rGen = new OCSPRespBuilder();
byte[] enc = rGen.build(OCSPRespBuilder.SUCCESSFUL, resp).getEncoded();
}