
Example 86 with Certificate

Use of com.google.cloud.security.privateca.v1.Certificate in project TLS-Scanner by RUB-NDS.

From the class TrustAnchorManager, method getFullCaCertificateSet.

private Set<Certificate> getFullCaCertificateSet() {
    Set<Certificate> certificateSet = new HashSet<>();
    for (CertificateEntry entry : trustAnchors.values()) {
        // Each trust anchor is bundled as a PEM resource named after its fingerprint.
        String resourceName = "trust/" + entry.getFingerprint() + ".pem";
        // try-with-resources closes the stream once the PEM has been parsed.
        try (InputStream resourceAsStream =
                TrustAnchorManager.class.getClassLoader().getResourceAsStream(resourceName)) {
            if (resourceAsStream == null) {
                LOGGER.error("Trust anchor resource not found: " + resourceName);
                continue;
            }
            org.bouncycastle.crypto.tls.Certificate cert = PemUtil.readCertificate(resourceAsStream);
            if (cert.isEmpty()) {
                LOGGER.error("Trust anchor resource contains no certificate: " + resourceName);
                continue;
            }
            // Only the first certificate of the PEM chain is treated as the trust anchor.
            certificateSet.add(cert.getCertificateAt(0));
        } catch (IOException | CertificateException ex) {
            LOGGER.error("Could not load Certificate: " + entry.getSubjectName() + "/" + entry.getFingerprint(), ex);
        }
    }
    return certificateSet;
}
Also used: java.io.BufferedInputStream, java.io.InputStream, java.security.cert.CertificateException, java.io.IOException, java.security.cert.X509Certificate, org.bouncycastle.asn1.x509.Certificate, java.util.HashSet

Example 87 with Certificate

Use of com.google.cloud.security.privateca.v1.Certificate in project cloud-security-xsuaa-integration by SAP.

From the class SecurityContext, method clearCertificate.

/**
 * Clears the current Certificate from thread wide storage.
 */
private static void clearCertificate() {
    // certificateStorage is a ThreadLocal, so only the calling thread's entry is affected.
    final Certificate certificate = certificateStorage.get();
    if (certificate != null) {
        LOGGER.debug("Certificate removed from SecurityContext (thread-locally).");
        certificateStorage.remove();
    }
}
Also used: com.sap.cloud.security.x509.Certificate

Example 88 with Certificate

Use of com.google.cloud.security.privateca.v1.Certificate in project jruby-openssl by jruby.

From the class OCSPRequest, method findCertByName.

private java.security.cert.Certificate findCertByName(ASN1Encodable genX500Name, IRubyObject certificates, int flags) throws CertificateException, IOException {
    Ruby runtime = getRuntime();
    // Unless OCSP_NOINTERN is set, first search the certificates embedded in the
    // request's optional signature for one whose subject matches the requested name.
    if ((flags & RubyFixnum.fix2int(_OCSP(runtime).getConstant(OCSP_NOINTERN))) == 0) {
        ASN1Sequence certs = asn1bcReq.getOptionalSignature().getCerts();
        if (certs != null) {
            Iterator<ASN1Encodable> it = certs.iterator();
            while (it.hasNext()) {
                Certificate cert = Certificate.getInstance(it.next());
                if (genX500Name.equals(cert.getSubject()))
                    return new X509AuxCertificate(cert);
            }
        }
    }
    // Fall back to the caller-supplied Ruby array of X509Certificate objects,
    // comparing the DER-encoded subject of each against the requested name.
    @SuppressWarnings("unchecked") List<X509Certificate> certList = (RubyArray) certificates;
    for (X509Certificate cert : certList) {
        if (genX500Name.equals(X500Name.getInstance(cert.getSubjectX500Principal().getEncoded())))
            return new X509AuxCertificate(cert);
    }
    // No certificate with the requested subject was found.
    return null;
}
Also used: org.bouncycastle.asn1.ASN1Sequence, org.jruby.RubyArray, org.bouncycastle.asn1.ASN1Encodable, org.jruby.ext.openssl.x509store.X509AuxCertificate, org.jruby.Ruby, java.security.cert.X509Certificate, org.bouncycastle.asn1.x509.Certificate

Example 89 with Certificate

Use of com.google.cloud.security.privateca.v1.Certificate in project cloud-security-xsuaa-integration by SAP.

From the class JwtX5tValidator, method validate.

/**
 * Validates the cnf thumbprint of X509 certificate against trusted
 * certificate's thumbprint.
 *
 * In case audience contains only a single value, thumbprint comparison is not
 * performed and request is validated. To guarantee that this single audience is
 * trusted, use this validator in combination with {@link JwtAudienceValidator}
 *
 * @param token
 *            token to be validated
 * @return validation result. Result is valid when both thumbprints match in
 *         case of multiple audiences.
 */
@Override
public ValidationResult validate(Token token) {
    if (token == null) {
        return ValidationResults.createInvalid("No token passed to validate certificate thumbprint");
    }
    String tokenX5t = extractCnfThumbprintFromToken(token);
    if (tokenX5t == null) {
        return ValidationResults.createInvalid("Token doesn't contain certificate thumbprint confirmation method");
    }
    Certificate clientCertificate = SecurityContext.getClientCertificate();
    if (clientCertificate == null) {
        return ValidationResults.createInvalid("Client certificate missing from SecurityContext");
    }
    String clientCertificateX5t = clientCertificate.getThumbprint();
    if (clientCertificateX5t.equals(tokenX5t)) {
        return ValidationResults.createValid();
    }
    return ValidationResults.createInvalid("Certificate thumbprint validation failed with Token 'cnf' thumbprint: {} != {}", tokenX5t, clientCertificateX5t);
}
Also used: com.sap.cloud.security.x509.Certificate

Example 90 with Certificate

Use of com.google.cloud.security.privateca.v1.Certificate in project ddf by codice.

From the class OcspCheckerTest, method testConvertingX509CertificatesToBcCertificates.

@Test
public void testConvertingX509CertificatesToBcCertificates() throws Exception {
    OcspChecker ocspChecker = new OcspChecker(factory, eventAdmin);
    ocspChecker.setSecurityLogger(mock(SecurityLogger.class));
    Certificate certificate = ocspChecker.convertToBouncyCastleCert(trustedCertX509);
    assertThat(certificate, is(notNullValue()));
    assertThat(trustedCertX509.getSerialNumber(), equalTo(certificate.getSerialNumber().getValue()));
    assertThat(trustedCertX509.getNotAfter(), equalTo(certificate.getEndDate().getDate()));
    assertThat(trustedCertX509.getNotBefore(), equalTo(certificate.getStartDate().getDate()));
    X500Principal subjectX500Principal = trustedCertX509.getSubjectX500Principal();
    X500Name x500name = new X500Name(subjectX500Principal.getName(X500Principal.RFC1779));
    assertThat(x500name, equalTo(certificate.getSubject()));
}
Also used: javax.security.auth.x500.X500Principal, org.bouncycastle.asn1.x500.X500Name, ddf.security.audit.SecurityLogger, java.security.cert.X509Certificate, org.bouncycastle.asn1.x509.Certificate, org.junit.Test
