BasicOCSPResp brep = (BasicOCSPResp) ocspResponse.getResponseObject();
try {
    // A valid signature only proves the response was produced with responderCert's key;
    // the caller must already have established that responderCert is the issuing CA or a
    // delegated responder (id-kp-OCSPSigning) certified by that CA.
    if (!brep.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(responderCert.getPublicKey()))) {
        throw new CertPathValidatorException("OCSP response is not verified");
    }
} catch (OperatorCreationException | OCSPException e) {
    // closing of the try block restored; the original snippet is truncated here
    throw new CertPathValidatorException("OCSP response could not be verified", e);
}

if (trustedResponderCertificate != null) {
    if (basicOcspResponse.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(trustedResponderCertificate.getPublicKey()))) {
        ocspStatus.setVerificationStatus(VerificationStatus.Verified);
    } else {
        // failure branch is truncated in the original snippet
    }
}

/**
 * Checks whether the OCSP response is signed by the given certificate.
 *
 * @param certificate the certificate to check the signature
 * @param basicResponse OCSP response containing the signature
 * @throws OCSPException when the signature is invalid or could not be checked
 * @throws IOException if the default security provider can't be instantiated
 */
private void checkOcspSignature(X509Certificate certificate, BasicOCSPResp basicResponse) throws OCSPException, IOException {
    try {
        ContentVerifierProvider verifier = new JcaContentVerifierProviderBuilder()
                .setProvider(SecurityProvider.getProvider()).build(certificate);
        if (!basicResponse.isSignatureValid(verifier)) {
            throw new OCSPException("OCSP-Signature is not valid!");
        }
    } catch (OperatorCreationException e) {
        throw new OCSPException("Error checking Ocsp-Signature", e);
    }
}

static boolean isSignatureValid(BasicOCSPResp validator, Certificate certStoreX509, String provider) throws OperatorCreationException, OCSPException {
    if (provider == null) provider = "BC";
    return validator.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(provider).build(certStoreX509.getPublicKey()));
}

private static boolean verifySignature(BasicOCSPResp basicOcspResponse, X509Certificate cert) {
    try {
        ContentVerifierProvider contentVerifier = new JcaContentVerifierProviderBuilder()
                .setProvider("BC").build(cert.getPublicKey());
        return basicOcspResponse.isSignatureValid(contentVerifier);
    } catch (OperatorCreationException e) {
        logger.log(Level.FINE, "Unable to construct OCSP content signature verifier\n{0}", e.getMessage());
    } catch (OCSPException e) {
        logger.log(Level.FINE, "Unable to validate OCSP response signature\n{0}", e.getMessage());
    }
    return false;
}

@Override
protected boolean checkIsSignedBy(final CertificateToken candidate) {
    if (basicOCSPResp == null) {
        return false;
    }
    try {
        signatureInvalidityReason = "";
        JcaContentVerifierProviderBuilder jcaContentVerifierProviderBuilder = new JcaContentVerifierProviderBuilder();
        jcaContentVerifierProviderBuilder.setProvider(BouncyCastleProvider.PROVIDER_NAME);
        ContentVerifierProvider contentVerifierProvider = jcaContentVerifierProviderBuilder.build(candidate.getPublicKey());
        signatureValid = basicOCSPResp.isSignatureValid(contentVerifierProvider);
    } catch (Exception e) {
        signatureInvalidityReason = e.getClass().getSimpleName() + " - " + e.getMessage();
        signatureValid = false;
    }
    return signatureValid;
}

/**
 * Checks if an OCSP response is genuine
 * @param ocspResp the OCSP response
 * @param responderCert the responder certificate
 * @return true if the OCSP response verifies against the responder certificate
 */
public boolean isSignatureValid(BasicOCSPResp ocspResp, Certificate responderCert) {
    try {
        ContentVerifierProvider verifierProvider = new JcaContentVerifierProviderBuilder()
                .setProvider("BC").build(responderCert.getPublicKey());
        return ocspResp.isSignatureValid(verifierProvider);
    } catch (OperatorCreationException | OCSPException e) {
        return false;
    }
}

/**
 * Verifies an OCSP response against a KeyStore.
 * @param ocsp the OCSP response
 * @param keystore the <CODE>KeyStore</CODE>
 * @param provider the provider or <CODE>null</CODE> to use the BouncyCastle provider
 * @return <CODE>true</CODE> if a certificate was found
 */
public static boolean verifyOcspCertificates(BasicOCSPResp ocsp, KeyStore keystore, String provider) {
    if (provider == null) provider = "BC";
    try {
        for (Enumeration<String> aliases = keystore.aliases(); aliases.hasMoreElements();) {
            try {
                String alias = aliases.nextElement();
                if (!keystore.isCertificateEntry(alias)) continue;
                X509Certificate certStoreX509 = (X509Certificate) keystore.getCertificate(alias);
                // Accepts the response if *any* trusted certificate verifies it. This does not
                // check that the signer is the issuer of the certificate being queried, or a
                // delegated responder authorized by that issuer; the caller must do that.
                if (ocsp.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider(provider).build(certStoreX509.getPublicKey())))
                    return true;
            } catch (Exception ex) {
                // one unusable entry must not abort the scan; treated as "no match"
            }
        }
    } catch (Exception e) {
        // keystore could not be enumerated; treated as "no match"
    }
    return false;
}

/**
 * Does the given CSR have a valid signature on it?
 * i.e., was it signed by the private key corresponding to the public key
 * included in the CSR?
 *
 * @param csr The certificate request.
 * @return {@code true} if the CSR has a valid signature, {@code false} otherwise.
 *
 * @throws OperatorCreationException
 * @throws PKCSException
 */
public static boolean isSignatureValid(PKCS10CertificationRequest csr) throws OperatorCreationException, PKCSException {
    // Implementation references:
    // http://www.bouncycastle.org/wiki/display/JA1/BC+Version+2+APIs#BCVersion2APIs-VerifyingaSignature
    // http://stackoverflow.com/questions/3711754/why-java-security-nosuchproviderexception-no-such-provider-bc
    JcaContentVerifierProviderBuilder builder = new JcaContentVerifierProviderBuilder().setProvider(new BouncyCastleProvider());
    return csr.isSignatureValid(builder.build(csr.getSubjectPublicKeyInfo()));
}

@Override
public boolean isSignedBy(final CertificateToken issuerToken) {
    if (this.issuerToken != null) {
        return this.issuerToken.equals(issuerToken);
    }
    try {
        signatureInvalidityReason = "";
        JcaContentVerifierProviderBuilder jcaContentVerifierProviderBuilder = new JcaContentVerifierProviderBuilder();
        jcaContentVerifierProviderBuilder.setProvider("BC");
        final PublicKey publicKey = issuerToken.getCertificate().getPublicKey();
        ContentVerifierProvider contentVerifierProvider = jcaContentVerifierProviderBuilder.build(publicKey);
        signatureValid = basicOCSPResp.isSignatureValid(contentVerifierProvider);
        if (signatureValid) {
            this.issuerToken = issuerToken;
        }
        issuerX500Principal = issuerToken.getSubjectX500Principal();
    } catch (OCSPException | OperatorCreationException e) {
        signatureInvalidityReason = e.getClass().getSimpleName() + " - " + e.getMessage();
        signatureValid = false;
    }
    return signatureValid;
}

/**
 * Verify a PKCS #10 certificate signing request (CSR).
 *
 * @param csr The certificate signing request
 * @return True if successfully verified
 * @throws CryptoException
 *             If there was a problem verifying the CSR
 */
public static boolean verifyCsr(PKCS10CertificationRequest csr) throws CryptoException {
    try {
        PublicKey pubKey = new JcaPKCS10CertificationRequest(csr).getPublicKey();
        ContentVerifierProvider contentVerifierProvider = new JcaContentVerifierProviderBuilder().setProvider("BC").build(pubKey);
        return csr.isSignatureValid(contentVerifierProvider);
    } catch (InvalidKeyException | OperatorCreationException | NoSuchAlgorithmException | PKCSException e) {
        throw new CryptoException(res.getString("NoVerifyPkcs10Csr.exception.message"), e);
    }
}

private void verifyResponse(BasicOCSPResp response) throws IOException {
    List<X509CertificateHolder> holders = Arrays.asList(response.getCerts());
    if (CollectionUtils.isNotEmpty(holders)) {
        for (X509CertificateHolder holder : holders) {
            CertificateToken token = DSSUtils.loadCertificate(holder.getEncoded());
            List<CertificateToken> tokens = this.configuration.getTSL().get(
                    token.getCertificate().getSubjectX500Principal());
            // exactly one TSL entry must match; guard against null before calling size() in the message
            if (tokens == null || tokens.size() != 1) {
                throw new SignatureVerificationException(String.format("OCSP response certificate <%s> match is not found "
                        + "in TSL (<%s> results in total)", token.getDSSIdAsString(), tokens == null ? 0 : tokens.size()));
            } else {
                try {
                    ContentVerifierProvider provider = new JcaContentVerifierProviderBuilder().setProvider("BC").build(new X509CertificateHolder(tokens.get(0).getEncoded()));
                    if (!response.isSignatureValid(provider)) {
                        throw new SignatureVerificationException("OCSP response signature is invalid");
                    }
                } catch (SignatureVerificationException e) {
                    throw e;
                } catch (Exception e) {
                    throw new SignatureVerificationException("Unable to verify response signature", e);
                }
            }
        }
    } else {
        // Note: a response that carries no certificates is accepted without any signature check.
        if (!this.configuration.isTest()) {
            LOGGER.warn("OCSP response signature will not be verified. No response certificates have been found");
        }
    }
}

protected boolean verify() throws SODException {
    try {
        /* verify the certification path without OCSP/CRL; this is not the place for those considerations */
        X509CertificateHolder holder = (X509CertificateHolder) cms.getCertificates().getMatches(null).iterator().next(); // only the first certificate (there is only one)
        X509Certificate cert = (X509Certificate) get(holder.getEncoded());
        SignerInformationStore signerInformationStore = cms.getSignerInfos();
        SignerInformation signerInformation = (SignerInformation) signerInformationStore.getSigners().iterator().next(); // only one signature (there is only one)
        if (!Util.isLeafCertificateValid(keystore, cert)) {
            return false;
        }
        /* verify the CMS signature */
        ContentVerifierProvider contentVerifierProvider = new JcaContentVerifierProviderBuilder().setProvider(new BouncyCastleProvider()).build(cert);
        DigestCalculatorProvider digestCalculatorProvider = new JcaDigestCalculatorProviderBuilder().setProvider(new BouncyCastleProvider()).build();
        SignatureAlgorithmIdentifierFinder signatureAlgorithmIdentifierFinder = new DefaultSignatureAlgorithmIdentifierFinder();
        CMSSignatureAlgorithmNameGenerator signatureAlgorithmNameGenerator = new DefaultCMSSignatureAlgorithmNameGenerator();
        SignerInformationVerifier signerInformationVerifier = new SignerInformationVerifier(signatureAlgorithmNameGenerator, signatureAlgorithmIdentifierFinder, contentVerifierProvider, digestCalculatorProvider);
        return signerInformation.verify(signerInformationVerifier);
    } catch (LeafCertificateValidationException | IOException | CertificateException | OperatorCreationException | CMSException ex) {
        throw new SODException("Could not verify the SOD (" + ex.getMessage() + ")", ex);
    }
}

// Either the issuer signed the response directly, or a delegated responder did; in the
// latter case the responder certificate is checked before its key is trusted.
if (!basicResponse.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(issuer))) {
    if (!certHolder.isValidOn(Date.from(Instant.now()))) {
        throw new OCSPValidationException("Certificate is not valid at the current date");
    }
    if (!certHolder.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(issuer))) {
        throw new OCSPValidationException("Certificate is not signed by the same issuer");
    }
    // Note: certHolder is not checked for the id-kp-OCSPSigning extended key usage.
    if (!basicResponse.isSignatureValid(new JcaContentVerifierProviderBuilder().setProvider("BC").build(certHolder))) {
        throw new OCSPValidationException("Could not validate the OCSP response");
    }
}

ContentVerifierProvider contentVerifierProvider = new JcaContentVerifierProviderBuilder()
        .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(certificate.getPublicKey());
boolean verificationResult = basicOCSPResp.isSignatureValid(contentVerifierProvider);
if (!verificationResult) {
    // not signed with the issuer's key: rebuild the verifier from the responder certificate
    // (the original snippet is truncated after this point)
    contentVerifierProvider = new JcaContentVerifierProviderBuilder()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(ocspResponderCertificate);
}

if (cert != null) {
    X509CertificateHolder ch = new X509CertificateHolder(cert.getEncoded());
    bOk = isSignatureValid(basResp, new JcaContentVerifierProviderBuilder().setProvider("BC").build(ch));
} else {
    bOk = false;
}
if (rCert != null) {
    X509CertificateHolder ch = new X509CertificateHolder(rCert.getEncoded());
    bOk = isSignatureValid(basResp, new JcaContentVerifierProviderBuilder().setProvider("BC").build(ch));
}
if (m_logger.isDebugEnabled())
    m_logger.debug("OCSP resp: " + ((basResp != null) ? responderIDtoString(basResp) : "NULL"));

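Every snippet on this page ends in the same call, BasicOCSPResp.isSignatureValid(...) with a verifier built from some certificate or public key. That call answers one question only: was this response signed with this key. It says nothing about whether that key is entitled to speak for the issuing CA, whether the response is fresh, or whether it answers the request that was actually sent. The following is an added example, not code from any of the projects quoted above, showing the surrounding checks a relying party needs before a true result means anything: resolve the ResponderID against the issuer and the certificates shipped in the response, require a delegated responder to be issued by the CA with id-kp-OCSPSigning and within its validity, and only then verify the signature, the nonce and the thisUpdate/nextUpdate window. The class OcspResponseVerifier, its methods verify/findSigner/verifierFor, the SKEW_MS constant and the five-minute skew value are all assumptions made for this example; the BouncyCastle calls are the same bcpkix API the snippets use.

```java
import java.math.BigInteger;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;

import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.RespID;
import org.bouncycastle.cert.ocsp.SingleResp;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.DigestCalculator;
import org.bouncycastle.operator.DigestCalculatorProvider;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;

/** Hypothetical helper written for this page; not taken from any project quoted above. */
public final class OcspResponseVerifier {

    /** Tolerated clock skew between us and the responder (assumed value: five minutes). */
    private static final long SKEW_MS = 5 * 60 * 1000L;

    static {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    private OcspResponseVerifier() {}

    /**
     * Returns the SingleResp for (issuerCert, serial) once the response has been shown to be signed by
     * an authorized responder, fresh, and (if expectedNonce != null) bound to our request. expectedNonce
     * is compared byte-for-byte with the extnValue we placed in the request's nonce extension.
     */
    public static SingleResp verify(BasicOCSPResp resp, X509Certificate issuerCert, BigInteger serial,
                                    byte[] expectedNonce, Date now) throws Exception {
        X509CertificateHolder issuer = new JcaX509CertificateHolder(issuerCert);
        DigestCalculatorProvider digests = new JcaDigestCalculatorProviderBuilder()
                .setProvider(BouncyCastleProvider.PROVIDER_NAME).build();

        // 1. Resolve the ResponderID (byName or byKey) against the issuer and the certs in the response.
        X509CertificateHolder signer = findSigner(resp, issuer, digests.get(CertificateID.HASH_SHA1));
        if (signer == null) {
            throw new OCSPException("ResponderID matches neither the issuer nor a certificate in the response");
        }
        // 2. Unless the issuer signed directly, the signer must be a delegated responder for this issuer
        //    (RFC 6960 4.2.2.2): issued and signed by the CA, id-kp-OCSPSigning, currently valid.
        if (!signer.equals(issuer)) {
            if (!signer.getIssuer().equals(issuer.getSubject()) || !signer.isSignatureValid(verifierFor(issuer))) {
                throw new OCSPException("delegated responder certificate was not issued by the CA");
            }
            Extensions exts = signer.getExtensions();
            ExtendedKeyUsage eku = exts == null ? null : ExtendedKeyUsage.fromExtensions(exts);
            if (eku == null || !eku.hasKeyPurposeId(KeyPurposeId.id_kp_OCSPSigning)) {
                throw new OCSPException("delegated responder certificate lacks id-kp-OCSPSigning");
            }
            if (!signer.isValidOn(now)) {
                throw new OCSPException("delegated responder certificate is not valid at " + now);
            }
        }
        // 3. Only now does a good signature prove anything.
        if (!resp.isSignatureValid(verifierFor(signer))) {
            throw new OCSPException("OCSP response signature is invalid");
        }
        // 4. Replay protection: the nonce we sent must come back unchanged.
        if (expectedNonce != null) {
            Extension nonce = resp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
            if (nonce == null || !Arrays.equals(nonce.getExtnValue().getOctets(), expectedNonce)) {
                throw new OCSPException("OCSP nonce missing or mismatched");
            }
        }
        // 5. Pick the SingleResp for our certificate and check its thisUpdate/nextUpdate window.
        Date latest = new Date(now.getTime() + SKEW_MS);
        Date earliest = new Date(now.getTime() - SKEW_MS);
        for (SingleResp single : resp.getResponses()) {
            CertificateID id = single.getCertID();
            if (!serial.equals(id.getSerialNumber()) || !id.matchesIssuer(issuer, digests)) {
                continue;
            }
            if (single.getThisUpdate().after(latest)
                    || (single.getNextUpdate() != null && single.getNextUpdate().before(earliest))) {
                throw new OCSPException("OCSP response is stale or dated in the future");
            }
            return single; // caller inspects getCertStatus(): null means "good"
        }
        throw new OCSPException("no SingleResp for the requested certificate");
    }

    // Match the claimed ResponderID by subject name or by SHA-1 key hash, issuer first.
    private static X509CertificateHolder findSigner(BasicOCSPResp resp, X509CertificateHolder issuer,
                                                    DigestCalculator sha1) throws OCSPException {
        RespID claimed = resp.getResponderId();
        List<X509CertificateHolder> candidates = new ArrayList<>();
        candidates.add(issuer);
        candidates.addAll(Arrays.asList(resp.getCerts()));
        for (X509CertificateHolder c : candidates) {
            if (claimed.equals(new RespID(c.getSubject()))
                    || claimed.equals(new RespID(c.getSubjectPublicKeyInfo(), sha1))) {
                return c;
            }
        }
        return null;
    }

    private static ContentVerifierProvider verifierFor(X509CertificateHolder holder) throws Exception {
        return new JcaContentVerifierProviderBuilder()
                .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(holder);
    }
}
```

Usage: SingleResp r = OcspResponseVerifier.verify(basicResp, issuerCert, leafCert.getSerialNumber(), nonceSent, new Date()); then treat r.getCertStatus() == null as good, RevokedStatus as revoked, and anything else (including an exception from verify) as a validation failure rather than falling back to "unknown is fine". The ordering matters: steps 1 and 2 decide which key is allowed to sign, step 3 checks the signature with that key only, so a response that carries an attacker-chosen certificate is rejected before its key is ever used to verify anything.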