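/**
 * Checks whether the nonce in the response matches the nonce sent in the request.
 *
 * <p>The nonce is a freshness token, not a secret, so ordinary equality on the octet
 * string is sufficient. The comparison is done on the {@code ASN1OctetString} returned
 * by {@code getExtnValue()} directly: octet-string equality is defined on the content
 * octets, and avoiding the cast means a non-DER encoded nonce surfaces as a nonce
 * mismatch ({@code OCSPException}) rather than a {@code ClassCastException}.
 *
 * @param basicResponse Response to be checked
 * @return true if the nonce is present and matches, false if nonce is missing.
 * @throws OCSPException if the nonce is different
 */
private boolean checkNonce(BasicOCSPResp basicResponse) throws OCSPException {
    Extension nonceExt = basicResponse.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    if (nonceExt == null) {
        // https://tools.ietf.org/html/rfc5019
        // Clients that opt to include a nonce in the
        // request SHOULD NOT reject a corresponding OCSPResponse solely on the
        // basis of the nonexistent expected nonce, but MUST fall back to
        // validating the OCSPResponse based on time.
        // Returning false lets the caller apply that time-based validation.
        return false;
    }
    if (!nonceExt.getExtnValue().equals(encodedNonce)) {
        throw new OCSPException("Different nonce found in response!");
    }
    LOG.info("Nonce is good");
    return true;
}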
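/**
 * Verifies that the nonce carried by the OCSP response equals the nonce sent in the request.
 *
 * <p>A response that omits the nonce extension is rejected as well: without it the response
 * cannot be tied to this request and therefore gives no replay protection. RFC 5019 permits a
 * client to fall back to time-based validation when the nonce is absent; this method
 * deliberately fails closed instead and reports the condition explicitly rather than failing
 * with a {@code NullPointerException}.
 *
 * @param response the parsed OCSP response
 * @param expectedNonceExtension the nonce extension that was placed in the request
 * @throws DigiDoc4JException if the response carries no nonce or its nonce differs from the one sent
 */
protected void checkNonce(BasicOCSPResp response, Extension expectedNonceExtension) {
    Extension extension = response.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    DEROctetString expectedNonce = (DEROctetString) expectedNonceExtension.getExtnValue();
    if (extension == null) {
        throw new DigiDoc4JException(
            String.format("The OCSP response does not contain the nonce extension (nonce sent <%s>)", expectedNonce));
    }
    DEROctetString receivedNonce = (DEROctetString) extension.getExtnValue();
    // The nonce is a freshness token, not a secret; plain equality on the octets is sufficient.
    if (!receivedNonce.equals(expectedNonce)) {
        throw new DigiDoc4JException(
            String.format("The OCSP request was the victim of replay attack (nonce sent <%s>, nonce received <%s>)", expectedNonce, receivedNonce));
    }
}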
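/**
 * Verifies that the nonce carried by the OCSP response equals the nonce sent in the request.
 *
 * <p>A response that omits the nonce extension is rejected as well: without it the response
 * cannot be tied to this request and therefore gives no replay protection. RFC 5019 permits a
 * client to fall back to time-based validation when the nonce is absent; this method
 * deliberately fails closed instead and reports the condition explicitly rather than failing
 * with a {@code NullPointerException}.
 *
 * @param basicOCSPResp the parsed OCSP response
 * @param expectedNonceExtension the nonce extension that was placed in the request
 * @throws InvalidOcspNonceException if the response carries no nonce or its nonce differs from the one sent
 */
private void checkNonce(BasicOCSPResp basicOCSPResp, Extension expectedNonceExtension) {
    final Extension extension = basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    final DEROctetString expectedNonce = (DEROctetString) expectedNonceExtension.getExtnValue();
    if (extension == null) {
        throw new InvalidOcspNonceException("The OCSP response does not contain the nonce extension: nonce[sent:" + expectedNonce + "]");
    }
    final DEROctetString receivedNonce = (DEROctetString) extension.getExtnValue();
    // The nonce is a freshness token, not a secret; plain equality on the octets is sufficient.
    if (!receivedNonce.equals(expectedNonce)) {
        throw new InvalidOcspNonceException("The OCSP request was the victim of replay attack: nonce[sent:" + expectedNonce + "," + " received:" + receivedNonce);
    }
}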
/**
 * Builds the extnValue of the SubjectInfoAccess extension from the configured access entries.
 *
 * @return the encoded extension value, or {@code null} when no subjectInfoAccess entries are configured
 * @throws BadInputException if the configured entries cannot be encoded
 */
protected ASN1OctetString createExtnValueSubjectInfoAccess() throws BadInputException {
    if (isEmpty(subjectInfoAccesses)) {
        return null;
    }
    // Second argument presumably controls criticality of the built extension — confirm in X509Util.
    return X509Util.createExtnSubjectInfoAccess(subjectInfoAccesses, false).getExtnValue();
}
/**
 * Builds the extnValue of the SubjectAltName extension from the configured names.
 *
 * @return the encoded extension value, or {@code null} when no subjectAltName entries are configured
 * @throws BadInputException if the configured names cannot be encoded
 */
protected ASN1OctetString createExtnValueSubjectAltName() throws BadInputException {
    if (isEmpty(subjectAltNames)) {
        return null;
    }
    // Second argument presumably controls criticality of the built extension — confirm in X509Util.
    return X509Util.createExtnSubjectAltName(subjectAltNames, false).getExtnValue();
}
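/**
 * Returns the DER encoding of the extnValue OCTET STRING of the extension identified by {@code oid}.
 *
 * <p>Note that {@code getEncoded()} includes the OCTET STRING tag and length, unlike
 * {@code getOctets()}, which yields only the content octets.
 *
 * @param oid dotted-decimal object identifier of the extension
 * @return the encoded extnValue, or {@code null} if the extension is not present
 * @throws RuntimeException if the value cannot be encoded; the underlying exception is attached as the cause
 */
public byte[] getExtensionValue(String oid) {
    Extension ext = getExtension(new ASN1ObjectIdentifier(oid));
    if (ext == null) {
        return null;
    }
    try {
        return ext.getExtnValue().getEncoded();
    } catch (Exception e) {
        // Keep the original exception as the cause so the failure stays diagnosable, not just its text.
        throw new RuntimeException("error encoding " + e.toString(), e);
    }
}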
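/**
 * Returns the DER encoding of the extnValue OCTET STRING of the extension identified by {@code oid}.
 *
 * <p>Note that {@code getEncoded()} includes the OCTET STRING tag and length, unlike
 * {@code getOctets()}, which yields only the content octets.
 *
 * @param oid dotted-decimal object identifier of the extension
 * @return the encoded extnValue, or {@code null} if the extension is not present
 * @throws IllegalStateException if the value cannot be encoded; the underlying exception is attached as the cause
 */
public byte[] getExtensionValue(String oid) {
    Extension ext = getExtension(new ASN1ObjectIdentifier(oid));
    if (ext == null) {
        return null;
    }
    try {
        return ext.getExtnValue().getEncoded();
    } catch (Exception e) {
        // Keep the original exception as the cause so the failure stays diagnosable, not just its text.
        throw new IllegalStateException("Exception encoding: " + e.toString(), e);
    }
}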
/**
 * Resolves the extension value that is expected for {@code type}.
 *
 * <p>A constant extension configured for this profile wins over anything requested. Only when no
 * constant is configured, and the control allows request-supplied values, is the value taken from
 * the request.
 *
 * @param type the extension OID being resolved
 * @param requestedExtensions extensions supplied in the request; may be {@code null}
 * @param extControl control for this extension, consulted for whether request values are accepted
 * @return the expected raw extnValue octets, or {@code null} if nothing applies
 */
private byte[] getExpectedExtValue(final ASN1ObjectIdentifier type, final Extensions requestedExtensions, final ExtensionControl extControl) {
    if (constantExtensions != null && constantExtensions.containsKey(type)) {
        return constantExtensions.get(type).value();
    }
    if (requestedExtensions == null || !extControl.isRequest()) {
        return null;
    }
    final Extension fromRequest = requestedExtensions.getExtension(type);
    return fromRequest == null ? null : fromRequest.getExtnValue().getOctets();
} // getExpectedExtValue
/**
 * Checks that the digest embedded in the OCSP extension matches the digest computed by
 * {@code getSignatureDigestValue} over the same octets.
 *
 * <p>The extension value is read as a SEQUENCE whose element at index 1 is an OCTET STRING holding
 * the digest. Any parse or cast failure is treated as an invalid extension and reported as
 * {@code false} rather than propagated. The compared digests are not secrets, so a plain array
 * comparison is sufficient here.
 *
 * @param extension the OCSP extension to validate
 * @return {@code true} if the embedded digest equals the computed one, {@code false} otherwise or on malformed input
 */
private boolean isOcspExtensionValid(Extension extension) {
    try {
        final byte[] rawValue = extension.getExtnValue().getOctets();
        // Digest the helper derives from the raw octets; its exact construction lives in getSignatureDigestValue.
        final byte[] computedDigest = getSignatureDigestValue(rawValue);
        final ASN1Sequence sequence = ASN1Sequence.getInstance(rawValue);
        final DEROctetString embedded = (DEROctetString) sequence.getObjectAt(1);
        final boolean digestsMatch = Arrays.equals(embedded.getOctets(), computedDigest);
        logger.debug("OCSP extension contains valid signature digest: " + digestsMatch);
        return digestsMatch;
    } catch (Exception e) {
        logger.error("Invalid nonce format: " + e.getMessage());
        return false;
    }
}
/**
 * Returns the content octets of the extnValue of the extension identified by {@code oid}.
 *
 * <p>This yields only the inner octets ({@code getOctets()}), not the DER encoding of the
 * OCTET STRING itself.
 *
 * @param oid dotted-decimal object identifier of the extension
 * @return the extnValue content octets, or {@code null} if the extension is absent
 */
@Override
public byte[] getExtensionValue(String oid) {
    final Extension ext = this.extensions.getExtension(new ASN1ObjectIdentifier(oid));
    return ext != null ? ext.getExtnValue().getOctets() : null;
}
/**
 * Two extensions are equal when their OID, their extnValue and their criticality flag all agree.
 *
 * @param o object to compare with
 * @return {@code true} if {@code o} is an {@code Extension} with the same id, value and criticality
 */
public boolean equals(Object o) {
    if (!(o instanceof Extension)) {
        return false;
    }
    final Extension that = (Extension) o;
    if (!that.getExtnId().equals(this.getExtnId())) {
        return false;
    }
    if (!that.getExtnValue().equals(this.getExtnValue())) {
        return false;
    }
    return that.isCritical() == this.isCritical();
}
/**
 * Two extensions are equal when their OID, their extnValue and their criticality flag all agree.
 *
 * @param o object to compare with
 * @return {@code true} if {@code o} is an {@code Extension} with the same id, value and criticality
 */
public boolean equals(Object o) {
    if (!(o instanceof Extension)) {
        return false;
    }
    final Extension that = (Extension) o;
    if (!that.getExtnId().equals(this.getExtnId())) {
        return false;
    }
    if (!that.getExtnValue().equals(this.getExtnValue())) {
        return false;
    }
    return that.isCritical() == this.isCritical();
}
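/**
 * Verifies that the nonce carried by the OCSP response equals the nonce that was sent, when
 * nonces are enabled ({@code ADD_NONCE}).
 *
 * <p>A response that omits the nonce extension is rejected as well: without it the response
 * cannot be tied to this request and therefore gives no replay protection. RFC 5019 permits a
 * client to fall back to time-based validation when the nonce is absent; this method
 * deliberately fails closed instead and reports the condition explicitly rather than failing
 * with a {@code NullPointerException}. When {@code ADD_NONCE} is false nothing is checked.
 *
 * @param dssIdAsString identifier of the certificate being checked, used in the error message only
 * @param basicOCSPResp the parsed OCSP response
 * @param nonceContainer holder of the nonce that was placed in the request
 * @throws DSSException if nonces are enabled and the response carries no nonce or a different one
 */
protected void checkNonce(String dssIdAsString, BasicOCSPResp basicOCSPResp, NonceContainer nonceContainer) throws DSSException {
    if (!ADD_NONCE) {
        return;
    }
    final Extension extension = basicOCSPResp.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
    if (extension == null) {
        throw new DSSException(
            "The OCSP response for " + dssIdAsString + " does not contain the nonce extension: nonce[sent:" + nonceContainer.nonce + "]");
    }
    final DEROctetString receivedNonce = (DEROctetString) extension.getExtnValue();
    // The nonce is a freshness token, not a secret; plain equality on the octets is sufficient.
    if (!receivedNonce.equals(nonceContainer.nonce)) {
        throw new DSSException(
            "The OCSP request for " + dssIdAsString + " was the victim of replay attack: nonce[sent:" + nonceContainer.nonce + ", received:" + receivedNonce);
    }
}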
/**
 * Hash consistent with {@code equals}: combines the extnValue and OID hashes, and inverts all
 * bits for a non-critical extension so that criticality participates in the hash.
 *
 * @return the hash code
 */
public int hashCode() {
    final int combined = this.getExtnValue().hashCode() ^ this.getExtnId().hashCode();
    return this.isCritical() ? combined : ~combined;
}
/**
 * Hash consistent with {@code equals}: combines the extnValue and OID hashes, and inverts all
 * bits for a non-critical extension so that criticality participates in the hash.
 *
 * @return the hash code
 */
public int hashCode() {
    final int combined = this.getExtnValue().hashCode() ^ this.getExtnId().hashCode();
    return this.isCritical() ? combined : ~combined;
}
/**
 * Returns the content octets of the extnValue of extension {@code type} in an attribute certificate.
 *
 * <p>Only the inner octets are returned ({@code getOctets()}), not the DER encoding of the
 * OCTET STRING wrapper.
 *
 * @param cert the attribute certificate; must not be {@code null}
 * @param type OID of the extension; must not be {@code null}
 * @return the extnValue content octets, or {@code null} if the extension is absent
 * @throws CertificateEncodingException declared for callers; not raised by the visible code path
 */
public static byte[] getCoreExtValue(X509AttributeCertificateHolder cert, ASN1ObjectIdentifier type) throws CertificateEncodingException {
    Args.notNull(cert, "cert");
    Args.notNull(type, "type");
    final Extension found = cert.getExtension(type);
    return found != null ? found.getExtnValue().getOctets() : null;
}
/**
 * Returns the content octets of the extnValue of extension {@code type} in an attribute certificate.
 *
 * <p>Only the inner octets are returned ({@code getOctets()}), not the DER encoding of the
 * OCTET STRING wrapper.
 *
 * @param cert the attribute certificate; must not be {@code null}
 * @param type OID of the extension; must not be {@code null}
 * @return the extnValue content octets, or {@code null} if the extension is absent
 * @throws CertificateEncodingException declared for callers; not raised by the visible code path
 */
public static byte[] getCoreExtValue(final X509AttributeCertificateHolder cert, final ASN1ObjectIdentifier type) throws CertificateEncodingException {
    ParamUtil.requireNonNull("cert", cert);
    ParamUtil.requireNonNull("type", type);
    final Extension found = cert.getExtension(type);
    return found != null ? found.getExtnValue().getOctets() : null;
}
/**
 * Checks the issuerAlternativeName extension of a certificate against the issuer's own
 * subjectAlternativeName: the two extnValues must be byte-identical.
 *
 * <p>If the issuer certificate carries no subjectAlternativeName, the presence of
 * issuerAlternativeName in the end certificate is itself recorded as a failure.
 *
 * @param failureMsg accumulator for failure descriptions
 * @param extensionValue extnValue octets of the issuerAlternativeName extension under check
 * @param issuerInfo the issuing CA, whose certificate supplies the expected value
 */
private void checkExtensionIssuerAltNames(final StringBuilder failureMsg, final byte[] extensionValue, final X509IssuerInfo issuerInfo) {
    final Extension issuerSan = issuerInfo.bcCert().getTBSCertificate().getExtensions()
        .getExtension(Extension.subjectAlternativeName);
    if (issuerSan == null) {
        failureMsg.append("issuerAlternativeName is present but expected 'none'; ");
        return;
    }
    final byte[] expectedValue = issuerSan.getExtnValue().getOctets();
    if (Arrays.equals(expectedValue, extensionValue)) {
        return;
    }
    addViolation(failureMsg, "issuerAltNames", hex(extensionValue), hex(expectedValue));
} // method checkExtensionIssuerAltNames
/**
 * Returns the content octets of the extnValue of the extension identified by {@code oid}
 * from the wrapped certificate {@code c}.
 *
 * @param oid dotted-decimal object identifier of the extension
 * @return the extnValue content octets, or {@code null} if the certificate has no extensions or this one is absent
 */
private byte[] getExtensionBytes(String oid) {
    final Extensions allExtensions = c.getTBSCertificate().getExtensions();
    if (allExtensions == null) {
        return null;
    }
    final Extension wanted = allExtensions.getExtension(new ASN1ObjectIdentifier(oid));
    return wanted == null ? null : wanted.getExtnValue().getOctets();
}
/**
 * Returns the content octets of the extnValue of the extension identified by {@code oid}
 * from the wrapped certificate {@code c}.
 *
 * @param oid dotted-decimal object identifier of the extension
 * @return the extnValue content octets, or {@code null} if the certificate has no extensions or this one is absent
 */
private byte[] getExtensionBytes(String oid) {
    final Extensions allExtensions = c.getTBSCertificate().getExtensions();
    if (allExtensions == null) {
        return null;
    }
    final Extension wanted = allExtensions.getExtension(new ASN1ObjectIdentifier(oid));
    return wanted == null ? null : wanted.getExtnValue().getOctets();
}