Exemplo n.º 1
0
  private BasicOCSPResp buildBasicOCSPResp() throws OCSPResponseBuilderException {
    try {
      BasicOCSPRespBuilder gen =
          new BasicOCSPRespBuilder(new RespID(new X500Name(getResponderName())));

      if (getNonce() != null) {
        extensions.add(
            new OcspExt(
                OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false, new DEROctetString(nonce)));
      }

      Extension[] extArray = new Extension[extensions.size()];
      int i = 0;
      for (OcspExt ext : extensions) {
        extArray[i++] = new Extension(ext.getOid(), ext.isIsCritical(), ext.getValue());
      }
      if (extArray.length > 0) {
        gen.setResponseExtensions(new Extensions(extArray));
      }

      for (OcspRespObject r : responses) {
        gen.addResponse(
            r.getCertId(),
            r.getCertStatus(),
            r.getThisUpdate(),
            r.getNextUpdate(),
            r.getExtensions());
      }

      ContentSigner contentSigner = /*new BufferingContentSigner(*/
          new JcaContentSignerBuilder(getSignatureAlgorithm())
              .setProvider("BC")
              .build(getIssuerPrivateKey()); // , 20480);

      BasicOCSPResp response = gen.build(contentSigner, getChain(), getProducedAt());
      return response;
    } catch (OCSPException ex) {
      throw new OCSPResponseBuilderException(ex);
    } catch (NoSuchAlgorithmException ex) {
      throw new OCSPResponseBuilderException(ex);
    } catch (NoSuchProviderException ex) {
      throw new OCSPResponseBuilderException(ex);
    } catch (OperatorCreationException ex) {
      throw new OCSPResponseBuilderException(ex);
    }
  }
Exemplo n.º 2
0
  private void testRSA() throws Exception {
    String signDN = "O=Bouncy Castle, C=AU";
    KeyPair signKP = OCSPTestUtil.makeKeyPair();
    X509CertificateHolder testCert =
        new JcaX509CertificateHolder(OCSPTestUtil.makeCertificate(signKP, signDN, signKP, signDN));
    DigestCalculatorProvider digCalcProv =
        new JcaDigestCalculatorProviderBuilder().setProvider(BC).build();

    String origDN = "CN=Eric H. Echidna, [email protected], O=Bouncy Castle, C=AU";
    GeneralName origName = new GeneralName(new X509Name(origDN));

    //
    // general id value for our test issuer cert and a serial number.
    //
    CertificateID id =
        new CertificateID(
            digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1));

    //
    // basic request generation
    //
    OCSPReqBuilder gen = new OCSPReqBuilder();

    gen.addRequest(
        new CertificateID(
            digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)));

    OCSPReq req = gen.build();

    if (req.isSigned()) {
      fail("signed but shouldn't be");
    }

    X509CertificateHolder[] certs = req.getCerts();

    if (certs.length != 0) {
      fail("0 certs expected, but not found");
    }

    Req[] requests = req.getRequestList();

    if (!requests[0].getCertID().equals(id)) {
      fail("Failed isFor test");
    }

    //
    // request generation with signing
    //
    X509CertificateHolder[] chain = new X509CertificateHolder[1];

    gen = new OCSPReqBuilder();

    gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred")));

    gen.addRequest(
        new CertificateID(
            digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)));

    chain[0] = testCert;

    req =
        gen.build(
            new JcaContentSignerBuilder("SHA1withRSA").setProvider(BC).build(signKP.getPrivate()),
            chain);

    if (!req.isSigned()) {
      fail("not signed but should be");
    }

    if (!req.isSignatureValid(
        new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) {
      fail("signature failed to verify");
    }

    requests = req.getRequestList();

    if (!requests[0].getCertID().equals(id)) {
      fail("Failed isFor test");
    }

    certs = req.getCerts();

    if (certs == null) {
      fail("null certs found");
    }

    if (certs.length != 1 || !certs[0].equals(testCert)) {
      fail("incorrect certs found in request");
    }

    //
    // encoding test
    //
    byte[] reqEnc = req.getEncoded();

    OCSPReq newReq = new OCSPReq(reqEnc);

    if (!newReq.isSignatureValid(
        new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) {
      fail("newReq signature failed to verify");
    }

    //
    // request generation with signing and nonce
    //
    chain = new X509CertificateHolder[1];

    gen = new OCSPReqBuilder();

    Vector oids = new Vector();
    Vector values = new Vector();
    byte[] sampleNonce = new byte[16];
    Random rand = new Random();

    rand.nextBytes(sampleNonce);

    gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred")));

    oids.addElement(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    values.addElement(
        new X509Extension(false, new DEROctetString(new DEROctetString(sampleNonce))));

    gen.setRequestExtensions(new X509Extensions(oids, values));

    gen.addRequest(
        new CertificateID(
            digCalcProv.get(CertificateID.HASH_SHA1), testCert, BigInteger.valueOf(1)));

    chain[0] = testCert;

    req =
        gen.build(
            new JcaContentSignerBuilder("SHA1withRSA").setProvider(BC).build(signKP.getPrivate()),
            chain);

    if (!req.isSigned()) {
      fail("not signed but should be");
    }

    if (!req.isSignatureValid(
        new JcaContentVerifierProviderBuilder().setProvider(BC).build(signKP.getPublic()))) {
      fail("signature failed to verify");
    }

    //
    // extension check.
    //
    Set extOids = req.getCriticalExtensionOIDs();

    if (extOids.size() != 0) {
      fail("wrong number of critical extensions in OCSP request.");
    }

    extOids = req.getNonCriticalExtensionOIDs();

    if (extOids.size() != 1) {
      fail("wrong number of non-critical extensions in OCSP request.");
    }

    X509Extension ext = req.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);

    ASN1Encodable extObj = ext.getParsedValue();

    if (!(extObj instanceof ASN1OctetString)) {
      fail("wrong extension type found.");
    }

    if (!areEqual(((ASN1OctetString) extObj).getOctets(), sampleNonce)) {
      fail("wrong extension value found.");
    }

    //
    // request list check
    //
    requests = req.getRequestList();

    if (!requests[0].getCertID().equals(id)) {
      fail("Failed isFor test");
    }

    //
    // response generation
    //
    BasicOCSPRespBuilder respGen =
        new JcaBasicOCSPRespBuilder(signKP.getPublic(), digCalcProv.get(RespID.HASH_SHA1));

    respGen.addResponse(id, CertificateStatus.GOOD);

    BasicOCSPResp resp =
        respGen.build(
            new JcaContentSignerBuilder("SHA1withRSA").setProvider(BC).build(signKP.getPrivate()),
            chain,
            new Date());
    OCSPRespBuilder rGen = new OCSPRespBuilder();

    byte[] enc = rGen.build(OCSPRespBuilder.SUCCESSFUL, resp).getEncoded();
  }