Package org.apache.pdfbox.examples.signature.cert

Class OcspHelper

java.lang.Object
org.apache.pdfbox.examples.signature.cert.OcspHelper
public class OcspHelper extends Object
Helper Class for OCSP-Operations with bouncy castle.

  • Field Details

    • LOG

      private static final org.apache.commons.logging.Log LOG

    • issuerCertificate

      private final X509Certificate issuerCertificate

    • signDate

      private final Date signDate

    • certificateToCheck

      private final X509Certificate certificateToCheck

    • additionalCerts

      private final Set<X509Certificate> additionalCerts

    • ocspUrl

      private final String ocspUrl

    • encodedNonce

      private org.bouncycastle.asn1.DEROctetString encodedNonce

    • ocspResponderCertificate

      private X509Certificate ocspResponderCertificate

    • certificateConverter

      private final org.bouncycastle.cert.jcajce.JcaX509CertificateConverter certificateConverter

    • RANDOM

      private static final Random RANDOM

  • Constructor Details

    • OcspHelper

      public OcspHelper(X509Certificate checkCertificate, Date signDate, X509Certificate issuerCertificate, Set<X509Certificate> additionalCerts, String ocspUrl)
      Parameters:
      checkCertificate - Certificate to be OCSP-checked
      signDate - the date when the signing took place
      issuerCertificate - Certificate of the issuer
      additionalCerts - Set of trusted root CA certificates that will be used as "trust anchors" and intermediate CA certificates that will be used as part of the certification chain. All self-signed certificates are considered to be trusted root CA certificates. All the rest are considered to be intermediate CA certificates.
      ocspUrl - where to fetch for OCSP

  • Method Details

    • getCertificateToCheck

      X509Certificate getCertificateToCheck()
      Get the certificate to be OCSP-checked.
      Returns:
      The certificate to be OCSP-checked.

    • getResponseOcsp

      public org.bouncycastle.cert.ocsp.OCSPResp getResponseOcsp() throws IOException, org.bouncycastle.cert.ocsp.OCSPException, RevokedCertificateException, URISyntaxException
      Performs and verifies the OCSP-Request
      Returns:
      the OCSPResp, when the request was successful, else a corresponding exception will be thrown. Never returns null.
      Throws:
      IOException
      org.bouncycastle.cert.ocsp.OCSPException
      RevokedCertificateException
      URISyntaxException

    • getOcspResponderCertificate

      public X509Certificate getOcspResponderCertificate()
      Get responder certificate. This is available after getResponseOcsp() has been called. This method should be used instead of basicResponse.getCerts()[0]
      Returns:
      The certificate of the responder.

    • verifyOcspResponse

      private void verifyOcspResponse(org.bouncycastle.cert.ocsp.OCSPResp ocspResponse) throws org.bouncycastle.cert.ocsp.OCSPException, RevokedCertificateException, IOException
      Verifies the status and the response itself (including nonce), but not the signature.
      Parameters:
      ocspResponse - to be verified
      Throws:
      org.bouncycastle.cert.ocsp.OCSPException
      RevokedCertificateException
      IOException - if the default security provider can't be instantiated

    • getKeyHashFromCertHolder

      private byte[] getKeyHashFromCertHolder(org.bouncycastle.cert.X509CertificateHolder certHolder)

    • findResponderCertificateByKeyHash

      private void findResponderCertificateByKeyHash(org.bouncycastle.cert.ocsp.BasicOCSPResp basicResponse, byte[] keyHash) throws IOException
      Throws:
      IOException

    • findResponderCertificateByName

      private void findResponderCertificateByName(org.bouncycastle.cert.ocsp.BasicOCSPResp basicResponse, org.bouncycastle.asn1.x500.X500Name name)

    • checkOcspResponseFresh

      private void checkOcspResponseFresh(org.bouncycastle.cert.ocsp.SingleResp resp) throws org.bouncycastle.cert.ocsp.OCSPException
      Throws:
      org.bouncycastle.cert.ocsp.OCSPException

    • checkOcspSignature

      private void checkOcspSignature(X509Certificate certificate, org.bouncycastle.cert.ocsp.BasicOCSPResp basicResponse) throws org.bouncycastle.cert.ocsp.OCSPException, IOException
      Checks whether the OCSP response is signed by the given certificate.
      Parameters:
      certificate - the certificate to check the signature
      basicResponse - OCSP response containing the signature
      Throws:
      org.bouncycastle.cert.ocsp.OCSPException - when the signature is invalid or could not be checked
      IOException - if the default security provider can't be instantiated

    • checkNonce

      private boolean checkNonce(org.bouncycastle.cert.ocsp.BasicOCSPResp basicResponse) throws org.bouncycastle.cert.ocsp.OCSPException
      Checks if the nonce in the response matches.
      Parameters:
      basicResponse - Response to be checked
      Returns:
      true if the nonce is present and matches, false if nonce is missing.
      Throws:
      org.bouncycastle.cert.ocsp.OCSPException - if the nonce is different

    • performRequest

      private org.bouncycastle.cert.ocsp.OCSPResp performRequest(String urlString) throws IOException, org.bouncycastle.cert.ocsp.OCSPException, URISyntaxException
      Performs the OCSP-Request, with given data.
      Parameters:
      urlString - URL of OCSP service.
      Returns:
      the OCSPResp, that has been fetched from the ocspUrl
      Throws:
      IOException
      org.bouncycastle.cert.ocsp.OCSPException
      URISyntaxException

    • verifyRespStatus

      public void verifyRespStatus(org.bouncycastle.cert.ocsp.OCSPResp resp) throws org.bouncycastle.cert.ocsp.OCSPException
      Helper method to verify response status.
      Parameters:
      resp - OCSP response
      Throws:
      org.bouncycastle.cert.ocsp.OCSPException - if the response status is not ok

    • generateOCSPRequest

      private org.bouncycastle.cert.ocsp.OCSPReq generateOCSPRequest() throws org.bouncycastle.cert.ocsp.OCSPException, IOException
      Generates an OCSP request and generates the CertificateID.
      Returns:
      OCSP request, ready to fetch data
      Throws:
      org.bouncycastle.cert.ocsp.OCSPException
      IOException

    • create16BytesNonce

      private byte[] create16BytesNonce()