Examples of OCSPReq

org.bouncycastle.cert.ocsp.OCSPReq

org.bouncycastle.ocsp.OCSPReq

 OCSPRequest     ::=     SEQUENCE { tbsRequest                  TBSRequest, optionalSignature   [0]     EXPLICIT Signature OPTIONAL } TBSRequest      ::=     SEQUENCE { version             [0]     EXPLICIT Version DEFAULT v1, requestorName       [1]     EXPLICIT GeneralName OPTIONAL, requestList                 SEQUENCE OF Request, requestExtensions   [2]     EXPLICIT Extensions OPTIONAL } Signature       ::=     SEQUENCE { signatureAlgorithm      AlgorithmIdentifier, signature               BIT STRING, certs               [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL} Version         ::=             INTEGER  {  v1(0) } Request         ::=     SEQUENCE { reqCert                     CertID, singleRequestExtensions     [0] EXPLICIT Extensions OPTIONAL } CertID          ::=     SEQUENCE { hashAlgorithm       AlgorithmIdentifier, issuerNameHash      OCTET STRING, -- Hash of Issuer's DN issuerKeyHash       OCTET STRING, -- Hash of Issuers public key serialNumber        CertificateSerialNumber }

@deprecated use classes in org.bouncycastle.cert.ocsp.

Examples of org.bouncycastle.ocsp.OCSPReq

        OCSPReqGenerator gen = new OCSPReqGenerator();


        gen.addRequest(
            new CertificateID(CertificateID.HASH_SHA1, testCert, BigInteger.valueOf(1)));


        OCSPReq req = gen.generate();


        if (req.isSigned())
        {
            fail("signed but shouldn't be");
        }


        X509Certificate[] certs = req.getCerts("BC");


        if (certs != null)
        {
            fail("null certs expected, but not found");
        }


        Req[] requests = req.getRequestList();


        if (!requests[0].getCertID().equals(id))
        {
            fail("Failed isFor test");
        }


        //
        // request generation with signing
        //
        X509Certificate[] chain = new X509Certificate[1];


        gen = new OCSPReqGenerator();


        gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred")));


        gen.addRequest(
            new CertificateID(CertificateID.HASH_SHA1, testCert, BigInteger.valueOf(1)));


        chain[0] = testCert;


        req = gen.generate("SHA1withRSA", signKP.getPrivate(), chain, "BC");


        if (!req.isSigned())
        {
            fail("not signed but should be");
        }


        if (!req.verify(signKP.getPublic(), "BC"))
        {
            fail("signature failed to verify");
        }


        requests = req.getRequestList();


        if (!requests[0].getCertID().equals(id))
        {
            fail("Failed isFor test");
        }


        certs = req.getCerts("BC");


        if (certs == null)
        {
            fail("null certs found");
        }


        if (certs.length != 1 || !certs[0].equals(testCert))
        {
            fail("incorrect certs found in request");
        }


        //
        // encoding test
        //
        byte[] reqEnc = req.getEncoded();


        OCSPReq newReq = new OCSPReq(reqEnc);


        if (!newReq.verify(signKP.getPublic(), "BC"))
        {
            fail("newReq signature failed to verify");
        }


        //

View Full Code Here

Examples of org.bouncycastle.ocsp.OCSPReq

        OCSPReqGenerator    gen = new OCSPReqGenerator();


        gen.addRequest(
                new CertificateID(CertificateID.HASH_SHA1, testCert, BigInteger.valueOf(1)));


        OCSPReq         req = gen.generate();


        if (req.isSigned())
        {
            fail("signed but shouldn't be");
        }


        X509Certificate[] certs = req.getCerts("BC");


        if (certs != null)
        {
            fail("null certs expected, but not found");
        }


        Req[]           requests = req.getRequestList();


        if (!requests[0].getCertID().equals(id))
        {
            fail("Failed isFor test");
        }


        //
        // request generation with signing
        //
        X509Certificate[]   chain = new X509Certificate[1];


        gen = new OCSPReqGenerator();


        gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred")));


        gen.addRequest(
                new CertificateID(CertificateID.HASH_SHA1, testCert, BigInteger.valueOf(1)));


        chain[0] = testCert;


        req = gen.generate("SHA1withECDSA", signKP.getPrivate(), chain, "BC");


        if (!req.isSigned())
        {
            fail("not signed but should be");
        }


        if (!req.verify(signKP.getPublic(), "BC"))
        {
            fail("signature failed to verify");
        }


        requests = req.getRequestList();


        if (!requests[0].getCertID().equals(id))
        {
            fail("Failed isFor test");
        }


        certs = req.getCerts("BC");


        if (certs == null)
        {
            fail("null certs found");
        }


        if (certs.length != 1 || !certs[0].equals(testCert))
        {
            fail("incorrect certs found in request");
        }


        //
        // encoding test
        //
        byte[] reqEnc = req.getEncoded();


        OCSPReq newReq = new OCSPReq(reqEnc);


        if (!newReq.verify(signKP.getPublic(), "BC"))
        {
            fail("newReq signature failed to verify");
        }


        //

View Full Code Here

Examples of org.bouncycastle.ocsp.OCSPReq

        OCSPReqGenerator    gen = new OCSPReqGenerator();


        gen.addRequest(
                new CertificateID(CertificateID.HASH_SHA1, testCert, BigInteger.valueOf(1)));


        OCSPReq         req = gen.generate();


        if (req.isSigned())
        {
            fail("signed but shouldn't be");
        }


        X509Certificate[] certs = req.getCerts("BC");
        
        if (certs != null)
        {
            fail("null certs expected, but not found");
        }
        
        Req[]           requests = req.getRequestList();


        if (!requests[0].getCertID().equals(id))
        {
            fail("Failed isFor test");
        }


        //
        // request generation with signing
        //
        X509Certificate[]   chain = new X509Certificate[1];


        gen = new OCSPReqGenerator();


        gen.setRequestorName(new GeneralName(GeneralName.directoryName, new X509Principal("CN=fred")));
        
        gen.addRequest(
                new CertificateID(CertificateID.HASH_SHA1, testCert, BigInteger.valueOf(1)));


        chain[0] = testCert;


        req = gen.generate("SHA1withRSA", signKP.getPrivate(), chain, "BC");


        if (!req.isSigned())
        {
            fail("not signed but should be");
        }


        if (!req.verify(signKP.getPublic(), "BC"))
        {
            fail("signature failed to verify");
        }


        requests = req.getRequestList();


        if (!requests[0].getCertID().equals(id))
        {
            fail("Failed isFor test");
        }
        
        certs = req.getCerts("BC");
        
        if (certs == null)
        {
            fail("null certs found");
        }
        
        if (certs.length != 1 || !certs[0].equals(testCert))
        {
            fail("incorrect certs found in request");
        }


        //
        // encoding test
        //
        byte[] reqEnc = req.getEncoded();
        
        OCSPReq newReq = new OCSPReq(reqEnc);
        
        if (!newReq.verify(signKP.getPublic(), "BC"))
        {
            fail("newReq signature failed to verify");
        }
        
        //

View Full Code Here

Examples of org.bouncycastle.ocsp.OCSPReq

        byte[] reqBytes = checkAndGetRequestBytes(request);
        // Start logging process time after we have received the request
        transactionLogger.paramPut(IPatternLogger.PROCESS_TIME, IPatternLogger.PROCESS_TIME);
        auditLogger.paramPut(IPatternLogger.PROCESS_TIME, IPatternLogger.PROCESS_TIME);
        auditLogger.paramPut(IAuditLogger.OCSPREQUEST, new String (Hex.encode(reqBytes)));
        OCSPReq req = null;
        try {
          req = new OCSPReq(reqBytes);          
        } catch (Exception e) {
          // When not being able to parse the request, we want to send a MalformedRequest back
          throw new MalformedRequestException(e);
        }
        if (req.getRequestorName() == null) {
          m_log.debug("Requestorname is null"); 
        } else {
          if (m_log.isDebugEnabled()) {
            m_log.debug("Requestorname is: "+req.getRequestorName().toString());            
          }
          transactionLogger.paramPut(ITransactionLogger.REQ_NAME, req.getRequestorName().toString());
        }
        // Make sure our signature keys are updated
        loadPrivateKeys(this.data.m_adm, null);


        /**
         * check the signature if contained in request.
         * if the request does not contain a signature
         * and the servlet is configured in the way 
         * the a signature is required we send back
         * 'sigRequired' response.
         */
        if (m_log.isDebugEnabled()) {
          m_log.debug("Incoming OCSP request is signed : " + req.isSigned());
        }
        if (req.isSigned()) {
          X509Certificate signercert = OCSPUtil.checkRequestSignature(request.getRemoteAddr(), req, this.data.m_caCertCache);
          String signercertIssuerName = CertTools.getIssuerDN(signercert);
          BigInteger signercertSerNo = CertTools.getSerialNumber(signercert);
          String signercertSubjectName = CertTools.getSubjectDN(signercert);
          transactionLogger.paramPut(ITransactionLogger.SIGN_ISSUER_NAME_DN, signercertIssuerName);
          transactionLogger.paramPut(ITransactionLogger.SIGN_SERIAL_NO, signercert.getSerialNumber().toByteArray());
          transactionLogger.paramPut(ITransactionLogger.SIGN_SUBJECT_NAME, signercertSubjectName);
          transactionLogger.paramPut(IPatternLogger.REPLY_TIME, ITransactionLogger.REPLY_TIME);
          if (OcspConfiguration.getEnforceRequestSigning()) {
            // If it verifies OK, check if it is revoked
            final CertificateStatus status = this.data.certificateStoreSession.getStatus(CertTools.getIssuerDN(signercert), CertTools.getSerialNumber(signercert));
            // If rci == null it means the certificate does not exist in database, we then treat it as ok,
            // because it may be so that only revoked certificates is in the (external) OCSP database.
            if ( status.equals(CertificateStatus.REVOKED) ) {
              String serno = signercertSerNo.toString(16);
              String infoMsg = intres.getLocalizedMessage("ocsp.infosigner.revoked", signercertSubjectName, signercertIssuerName, serno);
              m_log.info(infoMsg);
              throw new SignRequestSignatureException(infoMsg);
            }


            if (m_reqRestrictSignatures) {
              loadTrustDir();
              if ( m_reqRestrictMethod == OcspConfiguration.RESTRICTONSIGNER) {
                if (!OCSPUtil.checkCertInList(signercert, mTrustedReqSigSigners)) {
                  String infoMsg = intres.getLocalizedMessage("ocsp.infosigner.notallowed", signercertSubjectName, signercertIssuerName, signercertSerNo.toString(16));
                  m_log.info(infoMsg);
                  throw new SignRequestSignatureException(infoMsg);
                }
              } else if (m_reqRestrictMethod == OcspConfiguration.RESTRICTONISSUER) {
                X509Certificate signerca = this.data.m_caCertCache.findLatestBySubjectDN(HashID.getFromDN(signercertIssuerName));
                if ((signerca == null) || (!OCSPUtil.checkCertInList(signerca, mTrustedReqSigIssuers)) ) {
                  String infoMsg = intres.getLocalizedMessage("ocsp.infosigner.notallowed", signercertSubjectName, signercertIssuerName, signercertSerNo.toString(16));
                  m_log.info(infoMsg);
                  throw new SignRequestSignatureException(infoMsg);
                }
              } else {
                throw new Exception("m_reqRestrictMethod="+m_reqRestrictMethod); // there must be an internal error. We do not want to send a response, just to be safe.
              }
            }
          }
        } else {
          if (OcspConfiguration.getEnforceRequestSigning()) {
            // Signature required
            throw new SignRequestException("Signature required");
          }
        }
        
        // Get the certificate status requests that are inside this OCSP req
        Req[] requests = req.getRequestList();
        transactionLogger.paramPut(ITransactionLogger.NUM_CERT_ID, requests.length);
        if (requests.length <= 0) {
          String infoMsg = intres.getLocalizedMessage("ocsp.errornoreqentities");
          m_log.info(infoMsg);
          {
            // All this just so we can create an error response
            cacert = this.data.m_caCertCache.findLatestBySubjectDN(HashID.getFromDN(this.data.m_defaultResponderId));
          }
          throw new MalformedRequestException(infoMsg);
        }
        int maxRequests = 100;
        if (requests.length > maxRequests) {
          String infoMsg = intres.getLocalizedMessage("ocsp.errortoomanyreqentities", maxRequests);
          m_log.info(infoMsg);
          {
            // All this just so we can create an error response
            cacert = this.data.m_caCertCache.findLatestBySubjectDN(HashID.getFromDN(this.data.m_defaultResponderId));
          }
          throw new MalformedRequestException(infoMsg);
        }


        if (m_log.isDebugEnabled()) {
          m_log.debug("The OCSP request contains " + requests.length + " simpleRequests.");
        }


        // Add standard response extensions
        Hashtable responseExtensions = OCSPUtil.getStandardResponseExtensions(req);
              transactionLogger.paramPut(ITransactionLogger.STATUS, OCSPRespGenerator.SUCCESSFUL);
              auditLogger.paramPut(IAuditLogger.STATUS, OCSPRespGenerator.SUCCESSFUL);
        // Look over the status requests
        ArrayList responseList = new ArrayList();
        for (int i = 0; i < requests.length; i++) {
          CertificateID certId = requests[i].getCertID();
          // now some Logging
          transactionLogger.paramPut(ITransactionLogger.SERIAL_NOHEX, certId.getSerialNumber().toByteArray());
          transactionLogger.paramPut(ITransactionLogger.DIGEST_ALGOR, certId.getHashAlgOID()); //todo, find text version of this or find out if it should be something else                    
          transactionLogger.paramPut(ITransactionLogger.ISSUER_NAME_HASH, certId.getIssuerNameHash());
          transactionLogger.paramPut(ITransactionLogger.ISSUER_KEY, certId.getIssuerKeyHash());
          auditLogger.paramPut(IAuditLogger.ISSUER_KEY, certId.getIssuerKeyHash());
          auditLogger.paramPut(IAuditLogger.SERIAL_NOHEX, certId.getSerialNumber().toByteArray());
          auditLogger.paramPut(IAuditLogger.ISSUER_NAME_HASH, certId.getIssuerNameHash());
           byte[] hashbytes = certId.getIssuerNameHash();
          String hash = null;
          if (hashbytes != null) {
            hash = new String(Hex.encode(hashbytes));                      
          }
          String infoMsg = intres.getLocalizedMessage("ocsp.inforeceivedrequest", certId.getSerialNumber().toString(16), hash, request.getRemoteAddr());
          m_log.info(infoMsg);
          boolean unknownCA = false; 
          // if the certId was issued by an unknown CA
          // The algorithm here:
          // We will sign the response with the CA that issued the first 
          // certificate(certId) in the request. If the issuing CA is not available
          // on this server, we sign the response with the default responderId (from params in web.xml).
          // We have to look up the ca-certificate for each certId in the request though, as we will check
          // for revocation on the ca-cert as well when checking for revocation on the certId. 
          cacert = this.data.m_caCertCache.findByOcspHash(certId);  // Get the issuer of certId
          if (cacert == null) {
            // We could not find certificate for this request so get certificate for default responder
            cacert = this.data.m_caCertCache.findLatestBySubjectDN(HashID.getFromDN(this.data.m_defaultResponderId));
            unknownCA = true;
          }
          if (cacert == null) {
            String errMsg = intres.getLocalizedMessage("ocsp.errorfindcacert", new String(Hex.encode(certId.getIssuerNameHash())), this.data.m_defaultResponderId);
            m_log.error(errMsg);
            continue;
          }
          if (unknownCA == true) {
            String errMsg = intres.getLocalizedMessage("ocsp.errorfindcacertusedefault", new String(Hex.encode(certId.getIssuerNameHash())));
            m_log.info(errMsg);
            // If we can not find the CA, answer UnknowStatus
            responseList.add(new OCSPResponseItem(certId, new UnknownStatus(), nextUpdate));
            transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_UNKNOWN); 
            transactionLogger.writeln();
            continue;
          } else {
            transactionLogger.paramPut(ITransactionLogger.ISSUER_NAME_DN, cacert.getSubjectDN().getName());
          }
          /*
           * Implement logic according to
           * chapter 2.7 in RFC2560
           * 
           * 2.7  CA Key Compromise
           *    If an OCSP responder knows that a particular CA's private key has
           *    been compromised, it MAY return the revoked state for all
           *    certificates issued by that CA.
           */
          final org.bouncycastle.ocsp.CertificateStatus certStatus;
          transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_GOOD); // it seems to be correct
                    // Check if the cacert (or the default responderid) is revoked
                    final CertificateStatus cacertStatus = this.data.certificateStoreSession.getStatus(CertTools.getIssuerDN(cacert), CertTools.getSerialNumber(cacert));
          if ( !cacertStatus.equals(CertificateStatus.REVOKED) ) {
            // Check if cert is revoked
            final CertificateStatus status = this.data.certificateStoreSession.getStatus(cacert.getSubjectDN().getName(), certId.getSerialNumber());
            // If we have different maxAge and untilNextUpdate for different certificate profiles, we have to fetch these
            // values now that we have fetched the certificate status, that includes certificate profile.
                        nextUpdate = OcspConfiguration.getUntilNextUpdate(status.certificateProfileId);
                        maxAge = OcspConfiguration.getMaxAge(status.certificateProfileId);
                        if (m_log.isDebugEnabled()) {
                          m_log.debug("Set nextUpdate="+nextUpdate+", and maxAge="+maxAge+" for certificateProfileId="+status.certificateProfileId);
                        }


                        final String sStatus;
            if (status.equals(CertificateStatus.NOT_AVAILABLE)) {
              // No revocation info available for this cert, handle it
              if (m_log.isDebugEnabled()) {
                m_log.debug("Unable to find revocation information for certificate with serial '"
                    + certId.getSerialNumber().toString(16) + "'"
                    + " from issuer '" + cacert.getSubjectDN().getName() + "'");                                
              }
              // If we do not treat non existing certificates as good 
              // OR
              // we don't actually handle requests for the CA issuing the certificate asked about
              // then we return unknown
              if ( (!m_nonExistingIsGood) || (this.data.m_caCertCache.findByOcspHash(certId) == null) ) {
                sStatus = "unknown";
                certStatus = new UnknownStatus();
                transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_UNKNOWN);
              } else {
                                sStatus = "good";
                                certStatus = null; // null means "good" in OCSP
                                transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_GOOD); 
                            }
            } else if ( status.equals(CertificateStatus.REVOKED) ) {
                // Revocation info available for this cert, handle it
                sStatus ="revoked";
                certStatus = new RevokedStatus(new RevokedInfo(new DERGeneralizedTime(status.revocationDate),
                                                               new CRLReason(status.revocationReason)));
                transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_REVOKED); //1 = revoked
            } else {
                sStatus = "good";
                certStatus = null;
                transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_GOOD); 
            }
                        infoMsg = intres.getLocalizedMessage("ocsp.infoaddedstatusinfo", sStatus, certId.getSerialNumber().toString(16), cacert.getSubjectDN().getName());
                        m_log.info(infoMsg);
                        responseList.add(new OCSPResponseItem(certId, certStatus, nextUpdate));
                        transactionLogger.writeln();
          } else {
            certStatus = new RevokedStatus(new RevokedInfo(new DERGeneralizedTime(cacertStatus.revocationDate),
                new CRLReason(cacertStatus.revocationReason)));
            infoMsg = intres.getLocalizedMessage("ocsp.infoaddedstatusinfo", "revoked", certId.getSerialNumber().toString(16), cacert.getSubjectDN().getName());
            m_log.info(infoMsg);
            responseList.add(new OCSPResponseItem(certId, certStatus, nextUpdate));
            transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_REVOKED);
            transactionLogger.writeln();
          }
          // Look for extension OIDs
          Iterator iter = m_extensionOids.iterator();
          while (iter.hasNext()) {
            String oidstr = (String)iter.next();
            DERObjectIdentifier oid = new DERObjectIdentifier(oidstr);
            X509Extensions reqexts = req.getRequestExtensions();
            if (reqexts != null) {
              X509Extension ext = reqexts.getExtension(oid);
              if (null != ext) {
                // We found an extension, call the extenstion class
                if (m_log.isDebugEnabled()) {

View Full Code Here

Examples of org.bouncycastle.ocsp.OCSPReq

        gen.addRequest(new CertificateID(CertificateID.HASH_SHA1, cacert, racert.getSerialNumber()));
        Hashtable exts = new Hashtable();
        X509Extension ext = new X509Extension(false, new DEROctetString("123456789".getBytes()));
        exts.put(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, ext);
        gen.setRequestExtensions(new X509Extensions(exts));
        OCSPReq req = gen.generate();


        // A response to create
    ArrayList responseList = new ArrayList();
    CertificateID certId = req.getRequestList()[0].getCertID();
    responseList.add(new OCSPResponseItem(certId, new UnknownStatus(), 0));


    // First check that the whole chain is included and the responderId is keyHash
    OCSPCAServiceRequest ocspServiceReq = new OCSPCAServiceRequest(req, responseList, null, "SHA1WithRSA;SHA1WithDSA;SHA1WithECDSA", true);
    ocspServiceReq.setRespIdType(OcspConfiguration.RESPONDERIDTYPE_KEYHASH);

View Full Code Here

Examples of org.bouncycastle.ocsp.OCSPReq


        // And an OCSP request
        OCSPReqGenerator gen = new OCSPReqGenerator();
        final X509Certificate ocspTestCert = getTestCert(false);
        gen.addRequest(new CertificateID(CertificateID.HASH_SHA1, getCaCert(ocspTestCert), ocspTestCert.getSerialNumber()));
        OCSPReq req = gen.generate();


        // Send the request and receive a singleResponse
        SingleResp[] singleResps = helper.sendOCSPPost(req.getEncoded(), null, 0, 200);
        assertEquals("No of SingResps should be 1.", 1, singleResps.length);
        SingleResp singleResp = singleResps[0];


        CertificateID certId = singleResp.getCertID();
        assertEquals("Serno in response does not match serno in request.", certId.getSerialNumber(), ocspTestCert.getSerialNumber());

View Full Code Here

Examples of org.bouncycastle.ocsp.OCSPReq

        log.trace(">test03OcspRevoked()");
        final X509Certificate ocspTestCert = getTestCert(true);
        // And an OCSP request
        OCSPReqGenerator gen = new OCSPReqGenerator();
        gen.addRequest(new CertificateID(CertificateID.HASH_SHA1, getCaCert(ocspTestCert), ocspTestCert.getSerialNumber()));
        OCSPReq req = gen.generate();


        // Send the request and receive a singleResponse
        SingleResp[] singleResps = helper.sendOCSPPost(req.getEncoded(), null, 0, 200);
        assertEquals("No of SingResps should be 1.", 1, singleResps.length);
        SingleResp singleResp = singleResps[0];


        CertificateID certId = singleResp.getCertID();
        assertEquals("Serno in response does not match serno in request.", certId.getSerialNumber(), ocspTestCert.getSerialNumber());

View Full Code Here

Examples of org.bouncycastle.ocsp.OCSPReq

    public void test17VerifyHttpGetHeaders() throws Exception {
        final X509Certificate ocspTestCert = getTestCert(false);
        // An OCSP request, ocspTestCert is already created in earlier tests
        OCSPReqGenerator gen = new OCSPReqGenerator();
        gen.addRequest(new CertificateID(CertificateID.HASH_SHA1, cacert, ocspTestCert.getSerialNumber()));
        OCSPReq req = gen.generate();
        String reqString = new String(Base64.encode(req.getEncoded(), false));
        URL url = new URL(httpReqPath + '/' + resourceOcsp + '/' + URLEncoder.encode(reqString, "UTF-8"));
        HttpURLConnection con = (HttpURLConnection) url.openConnection();
        assertEquals("Response code did not match. ", 200, con.getResponseCode());
        // Some appserver (Weblogic) responds with
        // "application/ocsp-response; charset=UTF-8"

View Full Code Here

Examples of org.bouncycastle.ocsp.OCSPReq

    public void test18NextUpdateThisUpdate() throws Exception {
        final X509Certificate ocspTestCert = getTestCert(false);
        // And an OCSP request
        OCSPReqGenerator gen = new OCSPReqGenerator();
        gen.addRequest(new CertificateID(CertificateID.HASH_SHA1, cacert, ocspTestCert.getSerialNumber()));
        OCSPReq req = gen.generate();
        // POST the request and receive a singleResponse
        URL url = new URL(httpReqPath + '/' + resourceOcsp);
        HttpURLConnection con = (HttpURLConnection) url.openConnection();
        con.setDoOutput(true);
        con.setRequestMethod("POST");
        con.setRequestProperty("Content-Type", "application/ocsp-request");
        OutputStream os = con.getOutputStream();
        os.write(req.getEncoded());
        os.close();
        assertEquals("Response code", 200, con.getResponseCode());
        // Some appserver (Weblogic) responds with
        // "application/ocsp-response; charset=UTF-8"
        assertNotNull(con.getContentType());

View Full Code Here

Examples of org.bouncycastle.ocsp.OCSPReq

        gen.setRequestExtensions(new X509Extensions(exts));
        X509Certificate chain[] = new X509Certificate[2];
        chain[0] = ocspTestCert;
        chain[1] = cacert;
        gen.setRequestorName(ocspTestCert.getSubjectX500Principal());
        OCSPReq req = gen.generate("SHA1WithRSA", keys.getPrivate(), chain, "BC");
        //OCSPReq req = gen.generate();


        // Send the request and receive a singleResponse
        SingleResp[] singleResps = helper.sendOCSPPost(req.getEncoded(), "123456789", OCSPResponseStatus.SUCCESSFUL, 200);
        assertEquals("Number of of SingResps should be 1.", 1, singleResps.length);
        SingleResp singleResp = singleResps[0];
        
        CertificateID certId = singleResp.getCertID();
        assertEquals("Serno in response does not match serno in request.", certId.getSerialNumber(), ocspTestCert.getSerialNumber());
        Object status = singleResp.getCertStatus();
        assertEquals("Status is not null (good)", status, null);
        
        // Try with an unsigned request, we should get a status code 5 back from the server (signature required)
        req = gen.generate();
        // Send the request and receive a singleResponse, this response should have error code SIGNATURE_REQUIRED
        singleResps = helper.sendOCSPPost(req.getEncoded(), "123456789", OCSPResponseStatus.SIG_REQUIRED, 200);
        assertNull(singleResps);


        // sign with a keystore where the CA-certificate is not known
        KeyStore store = KeyStore.getInstance("PKCS12", "BC");
        ByteArrayInputStream fis = new ByteArrayInputStream(ks3);
        store.load(fis, "foo123".toCharArray());
        Certificate[] certs = KeyTools.getCertChain(store, "privateKey");
        chain[0] = (X509Certificate)certs[0];
        chain[1] = (X509Certificate)certs[1];
        PrivateKey pk = (PrivateKey)store.getKey("privateKey", "foo123".toCharArray());
        req = gen.generate("SHA1WithRSA", pk, chain, "BC");
        // Send the request and receive a singleResponse, this response should have error code UNAUTHORIZED (6)
        singleResps = helper.sendOCSPPost(req.getEncoded(), "123456789", OCSPResponseStatus.UNAUTHORIZED, 200);
        assertNull(singleResps);


        log.trace("<test01OcspGood()");
    }

View Full Code Here

0 1 2 3 4 5

TOP

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.