Class OcspHelper


  • public class OcspHelper
    extends java.lang.Object
    Helper class for OCSP operations with Bouncy Castle.
    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      private static class  OcspHelper.SHA1DigestCalculator
      Class to create SHA-1 Digest, used for creation of CertificateID.
    • Constructor Summary

      Constructors 
      Constructor Description
      OcspHelper​(java.security.cert.X509Certificate checkCertificate, java.util.Date signDate, java.security.cert.X509Certificate issuerCertificate, java.util.Set<java.security.cert.X509Certificate> additionalCerts, java.lang.String ocspUrl)  
    • Method Summary

      All Methods 
      Modifier and Type Method Description
      private boolean checkNonce​(org.bouncycastle.cert.ocsp.BasicOCSPResp basicResponse)
      Checks if the nonce in the response matches.
      private void checkOcspResponseFresh​(org.bouncycastle.cert.ocsp.SingleResp resp)  
      private void checkOcspSignature​(java.security.cert.X509Certificate certificate, org.bouncycastle.cert.ocsp.BasicOCSPResp basicResponse)
      Checks whether the OCSP response is signed by the given certificate.
      private byte[] create16BytesNonce()  
      private void findResponderCertificateByKeyHash​(org.bouncycastle.cert.ocsp.BasicOCSPResp basicResponse, byte[] keyHash)  
      private void findResponderCertificateByName​(org.bouncycastle.cert.ocsp.BasicOCSPResp basicResponse, org.bouncycastle.asn1.x500.X500Name name)  
      private org.bouncycastle.cert.ocsp.OCSPReq generateOCSPRequest()
      Generates the CertificateID of the certificate to check and builds an OCSP request for it.
      (package private) java.security.cert.X509Certificate getCertificateToCheck()
      Get the certificate to be OCSP-checked.
      private byte[] getKeyHashFromCertHolder​(org.bouncycastle.cert.X509CertificateHolder certHolder)  
      java.security.cert.X509Certificate getOcspResponderCertificate()
      Get responder certificate.
      org.bouncycastle.cert.ocsp.OCSPResp getResponseOcsp()
      Performs the OCSP request and verifies the response.
      private org.bouncycastle.cert.ocsp.OCSPResp performRequest​(java.lang.String urlString)
      Performs the OCSP request against the given URL.
      private void verifyOcspResponse​(org.bouncycastle.cert.ocsp.OCSPResp ocspResponse)
      Verifies the response status and the response itself (including the nonce), but not its signature.
      void verifyRespStatus​(org.bouncycastle.cert.ocsp.OCSPResp resp)
      Helper method to verify response status.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • LOG

        private static final org.apache.commons.logging.Log LOG
      • issuerCertificate

        private final java.security.cert.X509Certificate issuerCertificate
      • signDate

        private final java.util.Date signDate
      • certificateToCheck

        private final java.security.cert.X509Certificate certificateToCheck
      • additionalCerts

        private final java.util.Set<java.security.cert.X509Certificate> additionalCerts
      • ocspUrl

        private final java.lang.String ocspUrl
      • encodedNonce

        private org.bouncycastle.asn1.DEROctetString encodedNonce
      • ocspResponderCertificate

        private java.security.cert.X509Certificate ocspResponderCertificate
      • certificateConverter

        private final org.bouncycastle.cert.jcajce.JcaX509CertificateConverter certificateConverter
      • RANDOM

        private static final java.util.Random RANDOM
    • Constructor Detail

      • OcspHelper

        public OcspHelper​(java.security.cert.X509Certificate checkCertificate,
                          java.util.Date signDate,
                          java.security.cert.X509Certificate issuerCertificate,
                          java.util.Set<java.security.cert.X509Certificate> additionalCerts,
                          java.lang.String ocspUrl)
        Parameters:
        checkCertificate - Certificate to be OCSP-checked
        signDate - the date when the signing took place
        issuerCertificate - Certificate of the issuer
        additionalCerts - Set of trusted root CA certificates that will be used as "trust anchors" and intermediate CA certificates that will be used as part of the certification chain. All self-signed certificates are considered to be trusted root CA certificates. All the rest are considered to be intermediate CA certificates.
        ocspUrl - URL of the OCSP responder to query
    • Method Detail

      • getCertificateToCheck

        java.security.cert.X509Certificate getCertificateToCheck()
        Get the certificate to be OCSP-checked.
        Returns:
        The certificate to be OCSP-checked.
      • getResponseOcsp

        public org.bouncycastle.cert.ocsp.OCSPResp getResponseOcsp()
                                                            throws java.io.IOException,
                                                                   org.bouncycastle.cert.ocsp.OCSPException,
                                                                   RevokedCertificateException,
                                                                   java.net.URISyntaxException
        Performs the OCSP request and verifies the response.
        Returns:
        the OCSPResp when the request succeeded and the response passed verification; otherwise a corresponding exception is thrown. Never returns null.
        Throws:
        java.io.IOException
        org.bouncycastle.cert.ocsp.OCSPException
        RevokedCertificateException
        java.net.URISyntaxException
      • getOcspResponderCertificate

        public java.security.cert.X509Certificate getOcspResponderCertificate()
        Get the responder certificate. It is available only after getResponseOcsp() has been called. Use this method instead of basicResponse.getCerts()[0]: the helper locates the certificate that actually signed the response through the responder ID (by key hash or by name, see findResponderCertificateByKeyHash and findResponderCertificateByName), and that certificate is not necessarily the first entry in the response's certificate list.
        Returns:
        The certificate of the responder.
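        The following is an added usage example for the public API above (constructor, getResponseOcsp(), getOcspResponderCertificate()); it is not code from the project this page documents. It assumes OcspHelper and RevokedCertificateException live in the same package as the example class, derives the responder URL from the certificate's Authority Information Access extension with Bouncy Castle, and adds one check of its own on top of the helper's: the responder certificate must have been valid at the time the response was produced.

```java
import java.io.IOException;
import java.net.URISyntaxException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Set;

import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.AccessDescription;
import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.X509ObjectIdentifiers;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.SingleResp;

/**
 * Added example, not part of the documented project. Assumes OcspHelper and
 * RevokedCertificateException are in the same package as this class.
 */
public final class OcspHelperUsage {
    private OcspHelperUsage() {}

    /** Outcome of one check, for the caller's report (a type constructed for this example). */
    public static final class Outcome {
        public final boolean revoked;
        public final String detail;
        public final X509Certificate responder;   // null when revoked
        public final Date thisUpdate;             // null when revoked

        Outcome(boolean revoked, String detail, X509Certificate responder, Date thisUpdate) {
            this.revoked = revoked;
            this.detail = detail;
            this.responder = responder;
            this.thisUpdate = thisUpdate;
        }
    }

    /** Extracts the id-ad-ocsp URI from the certificate's AIA extension, or null if absent. */
    public static String extractOcspUrl(X509Certificate cert) throws IOException {
        byte[] aia = cert.getExtensionValue(Extension.authorityInfoAccess.getId());
        if (aia == null) {
            return null;
        }
        AuthorityInformationAccess access =
                AuthorityInformationAccess.getInstance(JcaX509ExtensionUtils.parseExtensionValue(aia));
        for (AccessDescription ad : access.getAccessDescriptions()) {
            if (X509ObjectIdentifiers.id_ad_ocsp.equals(ad.getAccessMethod())
                    && ad.getAccessLocation().getTagNo() == GeneralName.uniformResourceIdentifier) {
                return DERIA5String.getInstance(ad.getAccessLocation().getName()).getString();
            }
        }
        return null;
    }

    /** Runs the OCSP check for signerCert through OcspHelper and reports the result. */
    public static Outcome check(X509Certificate signerCert, X509Certificate issuerCert,
                                Set<X509Certificate> trustAnchorsAndIntermediates, Date signDate)
            throws IOException, OCSPException, URISyntaxException, CertificateException {
        String ocspUrl = extractOcspUrl(signerCert);
        if (ocspUrl == null) {
            throw new IllegalArgumentException("certificate carries no OCSP URL in its AIA extension");
        }

        OcspHelper helper = new OcspHelper(signerCert, signDate, issuerCert,
                trustAnchorsAndIntermediates, ocspUrl);
        OCSPResp resp;
        try {
            resp = helper.getResponseOcsp();   // never null; any failed check surfaces as an exception
        } catch (RevokedCertificateException e) {
            return new Outcome(true, e.getMessage(), null, null);
        }

        // Use the responder certificate the helper identified, not basicResponse.getCerts()[0].
        X509Certificate responder = helper.getOcspResponderCertificate();
        BasicOCSPResp basic = (BasicOCSPResp) resp.getResponseObject();

        // Extra check added by this example: the responder certificate must have been
        // valid when the response was produced (throws CertificateExpiredException /
        // CertificateNotYetValidException otherwise).
        responder.checkValidity(basic.getProducedAt());

        SingleResp single = basic.getResponses()[0];   // already verified by the helper
        return new Outcome(false, "good", responder, single.getThisUpdate());
    }
}
```

        Callers that keep long-term validation material should store the returned OCSPResp (the signed response, not just the status) together with the responder certificate, since both are needed to re-validate the signature later without contacting the responder again.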
      • verifyOcspResponse

        private void verifyOcspResponse​(org.bouncycastle.cert.ocsp.OCSPResp ocspResponse)
                                 throws org.bouncycastle.cert.ocsp.OCSPException,
                                        RevokedCertificateException,
                                        java.io.IOException
        Verifies the response status and the response itself (including the nonce), but not its signature.
        Parameters:
        ocspResponse - to be verified
        Throws:
        org.bouncycastle.cert.ocsp.OCSPException
        RevokedCertificateException
        java.io.IOException - if the default security provider can't be instantiated
      • getKeyHashFromCertHolder

        private byte[] getKeyHashFromCertHolder​(org.bouncycastle.cert.X509CertificateHolder certHolder)
      • findResponderCertificateByKeyHash

        private void findResponderCertificateByKeyHash​(org.bouncycastle.cert.ocsp.BasicOCSPResp basicResponse,
                                                       byte[] keyHash)
                                                throws java.io.IOException
        Throws:
        java.io.IOException
      • findResponderCertificateByName

        private void findResponderCertificateByName​(org.bouncycastle.cert.ocsp.BasicOCSPResp basicResponse,
                                                    org.bouncycastle.asn1.x500.X500Name name)
      • checkOcspResponseFresh

        private void checkOcspResponseFresh​(org.bouncycastle.cert.ocsp.SingleResp resp)
                                     throws org.bouncycastle.cert.ocsp.OCSPException
        Throws:
        org.bouncycastle.cert.ocsp.OCSPException
      • checkOcspSignature

        private void checkOcspSignature​(java.security.cert.X509Certificate certificate,
                                        org.bouncycastle.cert.ocsp.BasicOCSPResp basicResponse)
                                 throws org.bouncycastle.cert.ocsp.OCSPException,
                                        java.io.IOException
        Checks whether the OCSP response is signed by the given certificate.
        Parameters:
        certificate - the certificate whose public key is used to check the signature
        basicResponse - OCSP response containing the signature
        Throws:
        org.bouncycastle.cert.ocsp.OCSPException - when the signature is invalid or could not be checked
        java.io.IOException - if the default security provider can't be instantiated
      • checkNonce

        private boolean checkNonce​(org.bouncycastle.cert.ocsp.BasicOCSPResp basicResponse)
                            throws org.bouncycastle.cert.ocsp.OCSPException
        Checks if the nonce in the response matches.
        Parameters:
        basicResponse - Response to be checked
        Returns:
        true if the nonce is present and matches, false if the nonce is missing from the response. A missing nonce is therefore not rejected by this method; only a mismatching one is (see Throws).
        Throws:
        org.bouncycastle.cert.ocsp.OCSPException - if the nonce is different
      • performRequest

        private org.bouncycastle.cert.ocsp.OCSPResp performRequest​(java.lang.String urlString)
                                                            throws java.io.IOException,
                                                                   org.bouncycastle.cert.ocsp.OCSPException,
                                                                   java.net.URISyntaxException
        Performs the OCSP request against the given URL.
        Parameters:
        urlString - URL of OCSP service.
        Returns:
        the OCSPResp fetched from the given URL
        Throws:
        java.io.IOException
        org.bouncycastle.cert.ocsp.OCSPException
        java.net.URISyntaxException
      • verifyRespStatus

        public void verifyRespStatus​(org.bouncycastle.cert.ocsp.OCSPResp resp)
                              throws org.bouncycastle.cert.ocsp.OCSPException
        Helper method to verify response status.
        Parameters:
        resp - OCSP response
        Throws:
        org.bouncycastle.cert.ocsp.OCSPException - if the response status is not ok
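        The private verification methods above (verifyRespStatus, checkNonce, checkOcspResponseFresh, checkOcspSignature and the status handling in verifyOcspResponse) are described but not shown. The following is an added example of those checks written directly against the Bouncy Castle OCSP API; it is not the project's own code and does not reproduce its exact logic. Assumptions: the nonce is compared in the encoding RFC 8954 specifies (an OCTET STRING wrapping the DER-encoded nonce OCTET STRING), freshness is judged against a caller-supplied clock and maximum age, a revocation dated after signDate is treated as not affecting the signature, and a revoked certificate is reported with an OCSPException rather than the page's RevokedCertificateException. The responder-authorization rule (issuer itself, or a certificate issued by it carrying id-kp-OCSPSigning) is RFC 6960 section 4.2.2.2.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;

import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateStatus;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.RevokedStatus;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.util.Arrays;

/** Added example of OCSP response verification with Bouncy Castle; not the project's code. */
public final class OcspResponseChecks {
    private OcspResponseChecks() {}

    /** Response status: only SUCCESSFUL carries a certificate status; everything else is an error. */
    public static BasicOCSPResp requireSuccessful(OCSPResp resp) throws OCSPException {
        if (resp.getStatus() != OCSPResp.SUCCESSFUL) {
            throw new OCSPException("OCSP responder returned status " + resp.getStatus());
        }
        Object body = resp.getResponseObject();
        if (!(body instanceof BasicOCSPResp)) {
            throw new OCSPException("unsupported OCSP response type");
        }
        return (BasicOCSPResp) body;
    }

    /** Nonce: true if present and equal to the one sent, false if absent; a mismatch is fatal. */
    public static boolean checkNonce(BasicOCSPResp basic, byte[] nonceSent) throws OCSPException, IOException {
        Extension ext = basic.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
        if (ext == null) {
            return false;   // responder ignored the nonce; the caller decides whether to accept that
        }
        // extnValue holds the DER-encoded OCTET STRING of the nonce (RFC 8954 encoding, assumed here)
        byte[] expected = new DEROctetString(nonceSent).getEncoded();
        if (!Arrays.constantTimeAreEqual(expected, ext.getExtnValue().getOctets())) {
            throw new OCSPException("different nonce found in response");
        }
        return true;
    }

    /** Identity, freshness and status of the single response, with the status evaluated at signDate. */
    public static void checkSingleResponse(SingleResp single, BigInteger expectedSerial,
                                           Date now, long maxAgeMillis, Date signDate) throws OCSPException {
        if (!single.getCertID().getSerialNumber().equals(expectedSerial)) {
            throw new OCSPException("response is for a different certificate serial");
        }
        Date thisUpdate = single.getThisUpdate();
        Date nextUpdate = single.getNextUpdate();   // optional in the protocol, may be null
        if (thisUpdate.after(now) || now.getTime() - thisUpdate.getTime() > maxAgeMillis) {
            throw new OCSPException("OCSP response is not fresh: thisUpdate=" + thisUpdate);
        }
        if (nextUpdate != null && nextUpdate.before(now)) {
            throw new OCSPException("OCSP response has expired: nextUpdate=" + nextUpdate);
        }
        Object status = single.getCertStatus();
        if (status == CertificateStatus.GOOD) {   // GOOD is represented as null
            return;
        }
        if (status instanceof RevokedStatus) {
            Date revokedAt = ((RevokedStatus) status).getRevocationTime();
            // Policy assumed for this example: a revocation dated after signDate does not
            // invalidate a signature made before it.
            if (!revokedAt.after(signDate)) {
                throw new OCSPException("certificate revoked since " + revokedAt + ", signed at " + signDate);
            }
            return;
        }
        throw new OCSPException("certificate status unknown to the responder");
    }

    /** Signature plus responder authorization: the issuer itself, or its delegate with id-kp-OCSPSigning. */
    public static void checkSignature(BasicOCSPResp basic, X509Certificate responder, X509Certificate issuer)
            throws OCSPException, OperatorCreationException, CertificateParsingException {
        if (!basic.isSignatureValid(new JcaContentVerifierProviderBuilder().build(responder.getPublicKey()))) {
            throw new OCSPException("OCSP response signature does not verify with the responder certificate");
        }
        if (responder.equals(issuer)) {
            return;
        }
        List<String> eku = responder.getExtendedKeyUsage();
        if (eku == null || !eku.contains(KeyPurposeId.id_kp_OCSPSigning.getId())) {
            throw new OCSPException("responder certificate lacks id-kp-OCSPSigning");
        }
        try {
            responder.verify(issuer.getPublicKey());   // delegate must be certified by the issuer
        } catch (GeneralSecurityException e) {
            throw new OCSPException("responder certificate is not signed by the certificate issuer", e);
        }
    }
}
```

        The checks are meant to run in this order: requireSuccessful, then checkSignature on the responder certificate located through the response's responder ID, then checkNonce, then checkSingleResponse. Verifying the signature before trusting anything else in the response is what makes the later fields worth reading; a response whose nonce is absent is only acceptable if the freshness window in checkSingleResponse is tight enough to bound replay.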
      • generateOCSPRequest

        private org.bouncycastle.cert.ocsp.OCSPReq generateOCSPRequest()
                                                                throws org.bouncycastle.cert.ocsp.OCSPException,
                                                                       java.io.IOException
        Generates the CertificateID of the certificate to check and builds an OCSP request for it.
        Returns:
        OCSP request, ready to be sent
        Throws:
        org.bouncycastle.cert.ocsp.OCSPException
        java.io.IOException
      • create16BytesNonce

        private byte[] create16BytesNonce()
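        The request side (generateOCSPRequest, create16BytesNonce, performRequest) is likewise only described above. The following is an added example of that side with Bouncy Castle; it is not the project's own code. It assumes a 16-byte nonce drawn from SecureRandom, a SHA-1 CertificateID (the hash most responders still expect for identifying the certificate; it is an identifier here, not a security property), the RFC 8954 nonce encoding, and transport by HTTP POST with the application/ocsp-request media type to a caller-supplied URL.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;

import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPReqBuilder;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/** Added example of building and sending an OCSP request with Bouncy Castle; not the project's code. */
public final class OcspRequestExample {
    private static final SecureRandom RANDOM = new SecureRandom();   // assumption: CSPRNG for the nonce

    private OcspRequestExample() {}

    /** 16 random bytes; the caller keeps them to compare against the response's nonce extension. */
    public static byte[] createNonce() {
        byte[] nonce = new byte[16];
        RANDOM.nextBytes(nonce);
        return nonce;
    }

    /** Builds a single-certificate request carrying the nonce extension. */
    public static OCSPReq buildRequest(X509Certificate cert, X509Certificate issuer, byte[] nonce)
            throws OCSPException, IOException, OperatorCreationException, CertificateEncodingException {
        // CertificateID = hash of issuer name, hash of issuer key, serial of the certificate to check
        DigestCalculator sha1 = new JcaDigestCalculatorProviderBuilder().build().get(CertificateID.HASH_SHA1);
        X509CertificateHolder issuerHolder = new JcaX509CertificateHolder(issuer);
        CertificateID id = new CertificateID(sha1, issuerHolder, cert.getSerialNumber());

        // extnValue is the DER-encoded OCTET STRING of the nonce (RFC 8954 encoding, assumed here)
        Extension nonceExt = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, false,
                new DEROctetString(nonce).getEncoded());

        OCSPReqBuilder builder = new OCSPReqBuilder();
        builder.addRequest(id);
        builder.setRequestExtensions(new Extensions(nonceExt));
        return builder.build();
    }

    /** POSTs the DER request and parses the DER response; any non-200 answer is an error. */
    public static OCSPResp post(String ocspUrl, OCSPReq request) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(ocspUrl).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        conn.setRequestProperty("Content-Type", "application/ocsp-request");
        conn.setRequestProperty("Accept", "application/ocsp-response");
        byte[] body = request.getEncoded();
        conn.setFixedLengthStreamingMode(body.length);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body);
        }
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            throw new IOException("OCSP responder returned HTTP " + conn.getResponseCode());
        }
        try (InputStream in = conn.getInputStream()) {
            return new OCSPResp(in);   // the response is signed, so plain http transport is acceptable
        }
    }
}
```

        Parsing the response here is deliberately all that post() does: the parsed OCSPResp carries no trust until its status, signature, nonce and freshness have been verified by the caller.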