/**
 * Compares the nonce carried by an OCSP response with the nonce this object
 * sent in the request ({@code encodedNonce}).
 * <p>
 * The nonce only ties the response to the request (anti-replay); the
 * responder signature and the response time fields are not checked here.
 *
 * @param basicResponse the OCSP response to inspect
 * @return {@code true} when the response carries a nonce equal to the one
 *         sent; {@code false} when the response carries no nonce at all
 * @throws OCSPException when the response carries a nonce that differs from
 *         the one sent
 */
private boolean checkNonce(BasicOCSPResp basicResponse) throws OCSPException {
    final Extension receivedNonceExt =
            basicResponse.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    if (receivedNonceExt == null) {
        // RFC 5019 (https://tools.ietf.org/html/rfc5019): a client that sent a
        // nonce SHOULD NOT reject a response solely because the nonce is
        // absent, but MUST then validate the response based on its time
        // fields. Returning false leaves that time-based fallback to the caller.
        return false;
    }
    // NOTE(review): assumes encodedNonce was set when the request was built;
    // if it is still null every present nonce is reported as a mismatch.
    final DEROctetString receivedNonce = (DEROctetString) receivedNonceExt.getExtnValue();
    if (receivedNonce.equals(encodedNonce)) {
        LOG.info("Nonce is good");
        return true;
    }
    // A nonce that is present but different is a hard failure: the response
    // was not produced for this request.
    throw new OCSPException("Different nonce found in response!");
}
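/**
 * Verifies that the OCSP response echoes the nonce that was sent in the
 * request, as a defence against replayed responses.
 * <p>
 * This only ties the response to the request; the responder signature and
 * the time fields of the response still have to be verified separately.
 *
 * @param response               the OCSP response to inspect
 * @param expectedNonceExtension the nonce extension that was put into the request
 * @throws DigiDoc4JException if the response carries no nonce extension, or
 *         if the nonce it carries differs from the one sent
 */
protected void checkNonce(BasicOCSPResp response, Extension expectedNonceExtension) {
    Extension extension = response.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    if (extension == null) {
        // A response without the nonce we sent cannot be tied to this request.
        // Reject it with a typed exception instead of letting the dereference
        // below fail with a NullPointerException. (RFC 5019 allows a lenient
        // client to fall back to time-based validation here; this keeps the
        // strict behaviour.)
        throw new DigiDoc4JException(
            "The OCSP response does not contain the nonce extension that was sent in the request");
    }
    // getExtnValue() is assumed to yield a DEROctetString for both sides — TODO confirm
    DEROctetString expectedNonce = (DEROctetString) expectedNonceExtension.getExtnValue();
    DEROctetString receivedNonce = (DEROctetString) extension.getExtnValue();
    if (!receivedNonce.equals(expectedNonce)) {
        // Nonce present but different: the response was produced for another request.
        throw new DigiDoc4JException(
            String.format("The OCSP request was the victim of replay attack (nonce sent <%s>, nonce received <%s>)",
                expectedNonce, receivedNonce));
    }
}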
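/**
 * Verifies, when nonces are enabled ({@code ADD_NONCE}), that the OCSP
 * response echoes the nonce that was sent in the request, as a defence
 * against replayed responses.
 * <p>
 * This only ties the response to the request; the responder signature and
 * the time fields of the response still have to be verified separately.
 *
 * @param dssIdAsString  identifier of the token being checked, used in the error message
 * @param basicOCSPResp  the OCSP response to inspect
 * @param nonceContainer holder of the nonce that was put into the request
 * @throws DSSException if nonces are enabled and the response carries no
 *         nonce extension, or its nonce differs from the one sent
 */
protected void checkNonce(String dssIdAsString, BasicOCSPResp basicOCSPResp, NonceContainer nonceContainer) throws DSSException {
    if (!ADD_NONCE) {
        // No nonce was sent, so there is nothing to compare.
        return;
    }
    final Extension extension = basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    if (extension == null) {
        // A response without the nonce we sent cannot be tied to this request.
        // Reject it with a typed exception instead of letting the dereference
        // below fail with a NullPointerException. (RFC 5019 allows a lenient
        // client to fall back to time-based validation here; this keeps the
        // strict behaviour.)
        throw new DSSException(
            "The OCSP response for " + dssIdAsString + " does not contain the nonce extension that was sent in the request");
    }
    // getExtnValue() is assumed to yield a DEROctetString — TODO confirm.
    // NOTE(review): nonceContainer.nonce must be an ASN.1 octet string for
    // equals() to compare the bytes; a byte[] would never compare equal.
    final DEROctetString receivedNonce = (DEROctetString) extension.getExtnValue();
    if (!receivedNonce.equals(nonceContainer.nonce)) {
        // Nonce present but different: the response was produced for another request.
        throw new DSSException(
            "The OCSP request for " + dssIdAsString + " was the victim of replay attack: nonce[sent:"
                + nonceContainer.nonce + ", received:" + receivedNonce);
    }
}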
/**
 * Checks the OCSP response nonce against the one sent with the request
 * ({@code encodedNonce}).
 * <p>
 * Only the request/response binding is verified here; responder signature
 * and time-field validation are the caller's responsibility.
 *
 * @param basicResponse the OCSP response to inspect
 * @return {@code true} if a nonce is present and equals the one sent,
 *         {@code false} if the response has no nonce extension
 * @throws OCSPException if a nonce is present but differs from the one sent
 */
private boolean checkNonce(BasicOCSPResp basicResponse) throws OCSPException {
    final Extension nonceExtension =
            basicResponse.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    final boolean noncePresent = nonceExtension != null;
    if (!noncePresent) {
        // Per RFC 5019 (https://tools.ietf.org/html/rfc5019) a client that
        // included a nonce SHOULD NOT reject the response merely because the
        // nonce is missing, but MUST fall back to time-based validation.
        // That fallback is the caller's job; false signals "no nonce".
        return false;
    }
    // NOTE(review): if encodedNonce was never set (null), equals() is false
    // and every present nonce is treated as a mismatch.
    final DEROctetString received = (DEROctetString) nonceExtension.getExtnValue();
    final boolean matches = received.equals(encodedNonce);
    if (!matches) {
        // Present-but-different nonce: response was not made for this request.
        throw new OCSPException("Different nonce found in response!");
    }
    LOG.info("Nonce is good");
    return true;
}
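/**
 * Verifies that the OCSP response echoes the nonce that was sent in the
 * request, as a defence against replayed responses.
 * <p>
 * This only ties the response to the request; the responder signature and
 * the time fields of the response still have to be verified separately.
 *
 * @param basicOCSPResp          the OCSP response to inspect
 * @param expectedNonceExtension the nonce extension that was put into the request
 * @throws InvalidOcspNonceException if the response carries no nonce
 *         extension, or if the nonce it carries differs from the one sent
 */
private void checkNonce(BasicOCSPResp basicOCSPResp, Extension expectedNonceExtension) {
    final Extension extension = basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    if (extension == null) {
        // A response without the nonce we sent cannot be tied to this request.
        // Reject it with the nonce exception callers already handle instead of
        // letting the dereference below fail with a NullPointerException.
        // (RFC 5019 allows a lenient client to fall back to time-based
        // validation here; this keeps the strict behaviour.)
        throw new InvalidOcspNonceException(
            "The OCSP response does not contain the nonce extension that was sent in the request");
    }
    // getExtnValue() is assumed to yield a DEROctetString for both sides — TODO confirm
    final DEROctetString expectedNonce = (DEROctetString) expectedNonceExtension.getExtnValue();
    final DEROctetString receivedNonce = (DEROctetString) extension.getExtnValue();
    if (!receivedNonce.equals(expectedNonce)) {
        // Nonce present but different: the response was produced for another request.
        throw new InvalidOcspNonceException("The OCSP request was the victim of replay attack: nonce[sent:" + expectedNonce + "," + " received:" + receivedNonce);
    }
}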