Example 1 with RevokedCertificateException
use of org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException in project cas by apereo.
the class CRLDistributionPointRevocationCheckerTests method getTestParameters.
/**
* Gets the unit test parameters.
*
* @return Test parameter data.
*/
@Parameters
public static Collection<Object[]> getTestParameters() throws Exception {
CacheManager.getInstance().removeAllCaches();
final Collection<Object[]> params = new ArrayList<>();
Cache cache;
final ThresholdExpiredCRLRevocationPolicy defaultPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
final ThresholdExpiredCRLRevocationPolicy zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
// Test case #0
// Valid certificate on valid CRL data with encoded url
cache = new Cache("crlCache-0", 100, false, false, 20, 10);
CacheManager.getInstance().addCache(cache);
params.add(new Object[] { new CRLDistributionPointRevocationChecker(cache, defaultPolicy, null), new String[] { "uservalid-encoded-crl.crt" }, "test ca.crl", null });
// Test case #1
// Valid certificate on valid CRL data
cache = new Cache("crlCache-1", 100, false, false, 20, 10);
CacheManager.getInstance().addCache(cache);
params.add(new Object[] { new CRLDistributionPointRevocationChecker(cache, defaultPolicy, null, true), new String[] { "user-valid-distcrl.crt" }, "userCA-valid.crl", null });
// Test case #2
// Revoked certificate on valid CRL data
cache = new Cache("crlCache-2", 100, false, false, 20, 10);
CacheManager.getInstance().addCache(cache);
params.add(new Object[] { new CRLDistributionPointRevocationChecker(cache, defaultPolicy, null), new String[] { "user-revoked-distcrl.crt" }, "userCA-valid.crl", new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), new BigInteger("1")) });
// Test case #3
// Valid certificate on expired CRL data
cache = new Cache("crlCache-3", 100, false, false, 20, 10);
CacheManager.getInstance().addCache(cache);
params.add(new Object[] { new CRLDistributionPointRevocationChecker(cache, zeroThresholdPolicy, null), new String[] { "user-valid-distcrl.crt" }, "userCA-expired.crl", new ExpiredCRLException("test", ZonedDateTime.now(ZoneOffset.UTC)) });
// Test case #4
// Valid certificate on expired CRL data with custom expiration
// policy to always allow expired CRL data
cache = new Cache("crlCache-4", 100, false, false, 20, 10);
CacheManager.getInstance().addCache(cache);
params.add(new Object[] { new CRLDistributionPointRevocationChecker(cache, crl -> {
}, null), new String[] { "user-valid-distcrl.crt" }, "userCA-expired.crl", null });
// Test case #5
// Valid certificate with no CRL distribution points defined but with
// "AllowRevocationPolicy" set to allow unavailable CRL data
cache = new Cache("crlCache-5", 100, false, false, 20, 10);
CacheManager.getInstance().addCache(cache);
final CRLDistributionPointRevocationChecker checker5 = new CRLDistributionPointRevocationChecker(cache, defaultPolicy, new AllowRevocationPolicy());
params.add(new Object[] { checker5, new String[] { "user-valid.crt" }, "userCA-expired.crl", null });
// Test case #6
// EJBCA test case
// Revoked certificate with CRL distribution point URI that is technically
// not a valid URI since the issuer DN in the query string is not encoded per
// the escaping of reserved characters in RFC 2396.
// Make sure we can convert given URI to valid URI and confirm it's revoked
cache = new Cache("crlCache-6", 100, false, false, 20, 10);
CacheManager.getInstance().addCache(cache);
params.add(new Object[] { new CRLDistributionPointRevocationChecker(cache, defaultPolicy, null), new String[] { "user-revoked-distcrl2.crt" }, "userCA-valid.crl", new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), new BigInteger("1")) });
return params;
}
Also used :
ZonedDateTime(java.time.ZonedDateTime)
ExpiredCRLException(org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException)
CacheManager(net.sf.ehcache.CacheManager)
RunWith(org.junit.runner.RunWith)
Parameters(org.junit.runners.Parameterized.Parameters)
LoggerFactory(org.slf4j.LoggerFactory)
ClassPathResource(org.springframework.core.io.ClassPathResource)
RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)
ArrayList(java.util.ArrayList)
GeneralSecurityException(java.security.GeneralSecurityException)
RevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.RevocationChecker)
After(org.junit.After)
BigInteger(java.math.BigInteger)
ZoneOffset(java.time.ZoneOffset)
Parameterized(org.junit.runners.Parameterized)
Before(org.junit.Before)
MockWebServer(org.apereo.cas.adaptors.x509.util.MockWebServer)
OutputStream(java.io.OutputStream)
AfterClass(org.junit.AfterClass)
Logger(org.slf4j.Logger)
Collection(java.util.Collection)
FileSystemResource(org.springframework.core.io.FileSystemResource)
FileOutputStream(java.io.FileOutputStream)
File(java.io.File)
CRLDistributionPointRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker)
IOUtils(org.apache.commons.io.IOUtils)
ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)
AllowRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.AllowRevocationPolicy)
Cache(net.sf.ehcache.Cache)
ExpiredCRLException(org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException)
CRLDistributionPointRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker)
RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)
AllowRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.AllowRevocationPolicy)
ArrayList(java.util.ArrayList)
BigInteger(java.math.BigInteger)
ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)
Cache(net.sf.ehcache.Cache)
Parameters(org.junit.runners.Parameterized.Parameters)
Example 2 with RevokedCertificateException
use of org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException in project cas by apereo.
the class ResourceCRLRevocationCheckerTests method getTestParameters.
/**
* Gets the unit test parameters.
*
* @return Test parameter data.
*/
@Parameters
public static Collection<Object[]> getTestParameters() {
final Collection<Object[]> params = new ArrayList<>();
final ThresholdExpiredCRLRevocationPolicy zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
// Test case #1
// Valid certificate on valid CRL data
params.add(new Object[] { new ResourceCRLRevocationChecker(new ClassPathResource[] { new ClassPathResource("userCA-valid.crl") }, zeroThresholdPolicy), new String[] { "user-valid.crt" }, null });
// Test case #2
// Revoked certificate on valid CRL data
params.add(new Object[] { new ResourceCRLRevocationChecker(new ClassPathResource[] { new ClassPathResource("userCA-valid.crl"), new ClassPathResource("intermediateCA-valid.crl"), new ClassPathResource("rootCA-valid.crl") }, zeroThresholdPolicy), new String[] { "user-revoked.crt", "userCA.crt", "intermediateCA.crt", "rootCA.crt" }, new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), new BigInteger("1")) });
// Test case #3
// Valid certificate on expired CRL data for head cert
params.add(new Object[] { new ResourceCRLRevocationChecker(new ClassPathResource[] { new ClassPathResource("userCA-expired.crl"), new ClassPathResource("intermediateCA-valid.crl"), new ClassPathResource("rootCA-valid.crl") }, zeroThresholdPolicy), new String[] { "user-valid.crt", "userCA.crt", "intermediateCA.crt", "rootCA.crt" }, new ExpiredCRLException("test", ZonedDateTime.now(ZoneOffset.UTC)) });
// Test case #4
// Valid certificate on expired CRL data for intermediate cert
params.add(new Object[] { new ResourceCRLRevocationChecker(new ClassPathResource[] { new ClassPathResource("userCA-valid.crl"), new ClassPathResource("intermediateCA-expired.crl"), new ClassPathResource("rootCA-valid.crl") }, zeroThresholdPolicy), new String[] { "user-valid.crt", "userCA.crt", "intermediateCA.crt", "rootCA.crt" }, new ExpiredCRLException("test", ZonedDateTime.now(ZoneOffset.UTC)) });
// Test case #5
// Valid certificate on expired CRL data with custom expiration
// policy to always allow expired CRL data
params.add(new Object[] { new ResourceCRLRevocationChecker(new ClassPathResource[] { new ClassPathResource("userCA-expired.crl") }, crl -> {
}), new String[] { "user-valid.crt" }, null });
return params;
}
Also used :
ZonedDateTime(java.time.ZonedDateTime)
Collection(java.util.Collection)
ExpiredCRLException(org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException)
RunWith(org.junit.runner.RunWith)
Parameters(org.junit.runners.Parameterized.Parameters)
ClassPathResource(org.springframework.core.io.ClassPathResource)
RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)
ResourceCRLRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker)
ArrayList(java.util.ArrayList)
GeneralSecurityException(java.security.GeneralSecurityException)
RevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.RevocationChecker)
ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)
BigInteger(java.math.BigInteger)
ZoneOffset(java.time.ZoneOffset)
Parameterized(org.junit.runners.Parameterized)
ExpiredCRLException(org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException)
RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)
ResourceCRLRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker)
ArrayList(java.util.ArrayList)
BigInteger(java.math.BigInteger)
ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)
ClassPathResource(org.springframework.core.io.ClassPathResource)
Parameters(org.junit.runners.Parameterized.Parameters)
Example 3 with RevokedCertificateException
use of org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException in project cas by apereo.
the class X509CredentialsAuthenticationHandlerTests method getTestParameters.
/**
* Gets the unit test parameters.
*
* @return Test parameter data.
* @throws Exception On test data setup errors.
*/
@Parameters
public static Collection<Object[]> getTestParameters() throws Exception {
final Collection<Object[]> params = new ArrayList<>();
X509CredentialsAuthenticationHandler handler;
X509CertificateCredential credential;
// Test case #1: Unsupported credential type
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
params.add(new Object[] { handler, new UsernamePasswordCredential(), false, null });
// Test case #2:Valid certificate
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
params.add(new Object[] { handler, credential, true, new DefaultHandlerResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
// Test case #3: Expired certificate
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-expired.crt")), true, new CertificateExpiredException() });
// Test case #4: Untrusted issuer
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern("CN=\\w+,OU=CAS,O=Jasig,L=Westminster,ST=Colorado,C=US"), true, false, false);
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, new FailedLoginException() });
// Test case #5: Disallowed subject
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), true, RegexUtils.createPattern("CN=\\w+,OU=CAS,O=Jasig,L=Westminster,ST=Colorado,C=US"));
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, new FailedLoginException() });
// Test case #6: Check key usage on a cert without keyUsage extension
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, false);
credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
params.add(new Object[] { handler, credential, true, new DefaultHandlerResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
// Test case #7: Require key usage on a cert without keyUsage extension
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, new FailedLoginException() });
// Test case #8: Require key usage on a cert with acceptable keyUsage extension values
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
credential = new X509CertificateCredential(createCertificates("user-valid-keyUsage.crt"));
params.add(new Object[] { handler, credential, true, new DefaultHandlerResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
// Test case #9: Require key usage on a cert with unacceptable keyUsage extension values
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-invalid-keyUsage.crt")), true, new FailedLoginException() });
//===================================
// Revocation tests
//===================================
ResourceCRLRevocationChecker checker;
// Test case #10: Valid certificate with CRL checking
checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
checker.init();
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, new DefaultHandlerResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
// Test case #11: Revoked end user certificate
checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
checker.init();
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-revoked.crt")), true, new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), null) });
// Test case #12: Valid certificate on expired CRL data
final ThresholdExpiredCRLRevocationPolicy zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-expired.crl"), null, zeroThresholdPolicy);
checker.init();
handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
params.add(new Object[] { handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, new ExpiredCRLException(null, ZonedDateTime.now(ZoneOffset.UTC)) });
return params;
}
Also used :
RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
ArrayList(java.util.ArrayList)
DefaultPrincipalFactory(org.apereo.cas.authentication.principal.DefaultPrincipalFactory)
ClassPathResource(org.springframework.core.io.ClassPathResource)
ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)
ExpiredCRLException(org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException)
FailedLoginException(javax.security.auth.login.FailedLoginException)
X509CertificateCredential(org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential)
ResourceCRLRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker)
DefaultHandlerResult(org.apereo.cas.authentication.DefaultHandlerResult)
UsernamePasswordCredential(org.apereo.cas.authentication.UsernamePasswordCredential)
Parameters(org.junit.runners.Parameterized.Parameters)
Example 4 with RevokedCertificateException
use of org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException in project cas by apereo.
the class AbstractCRLRevocationChecker method check.
@Override
public void check(final X509Certificate cert) throws GeneralSecurityException {
if (cert == null) {
throw new IllegalArgumentException("Certificate cannot be null.");
}
LOGGER.debug("Evaluating certificate revocation status for [{}]", CertUtils.toString(cert));
final Collection<X509CRL> crls = getCRLs(cert);
if (crls == null || crls.isEmpty()) {
LOGGER.warn("CRL data is not available for [{}]", CertUtils.toString(cert));
this.unavailableCRLPolicy.apply(null);
return;
}
final List<X509CRL> expiredCrls = new ArrayList<>();
final List<X509CRLEntry> revokedCrls;
crls.stream().filter(CertUtils::isExpired).forEach(crl -> {
LOGGER.warn("CRL data expired on [{}]", crl.getNextUpdate());
expiredCrls.add(crl);
});
if (crls.size() == expiredCrls.size()) {
LOGGER.warn("All CRLs retrieved have expired. Applying CRL expiration policy...");
for (final X509CRL crl : expiredCrls) {
this.expiredCRLPolicy.apply(crl);
}
} else {
crls.removeAll(expiredCrls);
LOGGER.debug("Valid CRLs [{}] found that are not expired yet", crls);
revokedCrls = crls.stream().map(crl -> crl.getRevokedCertificate(cert)).filter(Objects::nonNull).collect(Collectors.toList());
if (revokedCrls.size() == crls.size()) {
final X509CRLEntry entry = revokedCrls.get(0);
LOGGER.warn("All CRL entries have been revoked. Rejecting the first entry [{}]", entry);
throw new RevokedCertificateException(entry);
}
}
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
RevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.RevocationPolicy)
X509CRLEntry(java.security.cert.X509CRLEntry)
Logger(org.slf4j.Logger)
Collection(java.util.Collection)
LoggerFactory(org.slf4j.LoggerFactory)
X509CRL(java.security.cert.X509CRL)
Collectors(java.util.stream.Collectors)
RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)
ArrayList(java.util.ArrayList)
Objects(java.util.Objects)
List(java.util.List)
DenyRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.DenyRevocationPolicy)
GeneralSecurityException(java.security.GeneralSecurityException)
CertUtils(org.apereo.cas.adaptors.x509.util.CertUtils)
ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)
X509CRLEntry(java.security.cert.X509CRLEntry)
X509CRL(java.security.cert.X509CRL)
RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)
ArrayList(java.util.ArrayList)
Objects(java.util.Objects)
Aggregations
ArrayList (java.util.ArrayList)4
RevokedCertificateException (org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException)4
ThresholdExpiredCRLRevocationPolicy (org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy)4
GeneralSecurityException (java.security.GeneralSecurityException)3
Collection (java.util.Collection)3
ExpiredCRLException (org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException)3
Parameters (org.junit.runners.Parameterized.Parameters)3
ClassPathResource (org.springframework.core.io.ClassPathResource)3
BigInteger (java.math.BigInteger)2
ZoneOffset (java.time.ZoneOffset)2
ZonedDateTime (java.time.ZonedDateTime)2
ResourceCRLRevocationChecker (org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker)2
RevocationChecker (org.apereo.cas.adaptors.x509.authentication.revocation.checker.RevocationChecker)2
RunWith (org.junit.runner.RunWith)2
Parameterized (org.junit.runners.Parameterized)2
Logger (org.slf4j.Logger)2
LoggerFactory (org.slf4j.LoggerFactory)2
File (java.io.File)1
FileOutputStream (java.io.FileOutputStream)1
OutputStream (java.io.OutputStream)1
