
Example 31 with VCertException

Use of com.venafi.vcert.sdk.VCertException in project vcert-java by Venafi.

From class TppConnector, method getPolicy.

@Override
public PolicySpecification getPolicy(String policyName) throws VCertException {
    PolicySpecification policySpecification;
    try {
        // Fetch the raw TPP policy and convert it to the connector-neutral PolicySpecification;
        // any failure (transport, parsing, conversion) is wrapped in a VCertException.
        TPPPolicy tppPolicy = getTPPPolicy(policyName);
        policySpecification = TPPPolicySpecificationConverter.INSTANCE.convertToPolicySpecification(tppPolicy);
    } catch (Exception e) {
        throw new VCertException(e);
    }
    return policySpecification;
}
Also used : TPPPolicy(com.venafi.vcert.sdk.policy.api.domain.TPPPolicy) PolicySpecification(com.venafi.vcert.sdk.policy.domain.PolicySpecification) VCertException(com.venafi.vcert.sdk.VCertException) RetrieveCertificateTimeoutException(com.venafi.vcert.sdk.connectors.ConnectorException.RetrieveCertificateTimeoutException) TppRequestCertificateNotAllowedException(com.venafi.vcert.sdk.connectors.ConnectorException.TppRequestCertificateNotAllowedException) CertificateDNOrThumbprintWasNotProvidedException(com.venafi.vcert.sdk.connectors.ConnectorException.CertificateDNOrThumbprintWasNotProvidedException) RenewFailureException(com.venafi.vcert.sdk.connectors.ConnectorException.RenewFailureException) CertificateNotFoundByThumbprintException(com.venafi.vcert.sdk.connectors.ConnectorException.CertificateNotFoundByThumbprintException) CSRNotProvidedByUserException(com.venafi.vcert.sdk.connectors.ConnectorException.CSRNotProvidedByUserException) MissingCredentialsException(com.venafi.vcert.sdk.connectors.ConnectorException.MissingCredentialsException) TppManualCSRNotEnabledException(com.venafi.vcert.sdk.connectors.ConnectorException.TppManualCSRNotEnabledException) CertificatePendingException(com.venafi.vcert.sdk.connectors.ConnectorException.CertificatePendingException) MoreThanOneCertificateWithSameThumbprintException(com.venafi.vcert.sdk.connectors.ConnectorException.MoreThanOneCertificateWithSameThumbprintException) AttemptToRetryException(com.venafi.vcert.sdk.connectors.ConnectorException.AttemptToRetryException) RevokeFailureException(com.venafi.vcert.sdk.connectors.ConnectorException.RevokeFailureException) CouldNotParseRevokeReasonException(com.venafi.vcert.sdk.connectors.ConnectorException.CouldNotParseRevokeReasonException) TppPingException(com.venafi.vcert.sdk.connectors.ConnectorException.TppPingException)

Example 32 with VCertException

Use of com.venafi.vcert.sdk.VCertException in project vcert-java by Venafi.

From class PEMCollection, method fromStringPEMCollection.

public static PEMCollection fromStringPEMCollection(String stringPemCollection, ChainOption chainOption, PrivateKey privateKey, String privateKeyPassword, DataFormat dataFormat) throws VCertException {
    List<X509Certificate> chain = new ArrayList<>();
    // 1. Extracting the Certificates and PrivateKey
    // Every PEM object in the input is either an X.509 certificate (added to the chain in
    // input order) or treated as the private key; a key passed in as a parameter is
    // overwritten if the PEM text also carries one.
    PEMParser pemParser = new PEMParser(new StringReader(stringPemCollection));
    JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter();
    try {
        Object object = pemParser.readObject();
        while (object != null) {
            if (object instanceof X509CertificateHolder) {
                Certificate certificate = certificateConverter.getCertificate((X509CertificateHolder) object);
                chain.add((X509Certificate) certificate);
            } else {
                privateKey = parsePrivateKey(object, privateKeyPassword);
            }
            object = pemParser.readObject();
        }
    } catch (IOException | CertificateException | PKCSException | OperatorCreationException e) {
        throw new VCertException("Unable to parse certificate from response", e);
    }
    // 2. Ordering the Certificates chain
    PEMCollection pemCollection;
    if (chain.size() > 0) {
        switch(chainOption) {
            case ChainOptionRootFirst:
                // Root-first input: the end-entity certificate is the last entry,
                // everything before it is the issuing chain.
                pemCollection = new PEMCollection();
                pemCollection.certificate(chain.get(chain.size() - 1));
                if (chain.size() > 1 && chainOption != ChainOption.ChainOptionIgnore) {
                    for (int i = 0; i < chain.size() - 1; i++) {
                        pemCollection.chain().add(chain.get(i));
                    }
                }
                break;
            default:
                // Leaf-first input (the default): the end-entity certificate comes first,
                // the issuing chain follows. With ChainOptionIgnore only the leaf is kept.
                pemCollection = new PEMCollection();
                pemCollection.certificate(chain.get(0));
                if (chain.size() > 1 && chainOption != ChainOption.ChainOptionIgnore) {
                    for (int i = 1; i < chain.size(); i++) {
                        pemCollection.chain().add(chain.get(i));
                    }
                }
                break;
        }
    } else {
        pemCollection = new PEMCollection();
    }
    pemCollection.privateKey(privateKey);
    pemCollection.privateKeyPassword(privateKeyPassword);
    pemCollection.dataFormat(dataFormat);
    return pemCollection;
}
Also used : ArrayList(java.util.ArrayList) CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException) PKCSException(org.bouncycastle.pkcs.PKCSException) X509Certificate(java.security.cert.X509Certificate) PEMParser(org.bouncycastle.openssl.PEMParser) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) VCertException(com.venafi.vcert.sdk.VCertException) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) StringReader(java.io.StringReader) PemObject(org.bouncycastle.util.io.pem.PemObject) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 33 with VCertException

Use of com.venafi.vcert.sdk.VCertException in project vcert-java by Venafi.

From class CloudConnector, method retrieveCertificateAsPemCollectionFromCSRServiceGenerated.

private PEMCollection retrieveCertificateAsPemCollectionFromCSRServiceGenerated(CertificateRequest request, byte[] serverPublicKey, String chainOption) throws VCertException {
    String encodedMessage = null;
    try {
        // Seal the private-key passphrase to the server's public key before it leaves the
        // client, so only the service holding the matching secret key can recover it.
        byte[] cipherText = SealedBoxUtility.cryptoBoxSeal(serverPublicKey, request.keyPassword().getBytes());
        encodedMessage = Base64.getEncoder().encodeToString(cipherText);
    } catch (Exception e) {
        throw new VCertException(e);
    }
    // Ask for a PEM keystore export; the sealed passphrase travels as encryptedPrivateKeyPassphrase.
    KeystoreRequest keystoreRequest = new KeystoreRequest().exportFormat("PEM").encryptedPrivateKeyPassphrase(encodedMessage).encryptedKeystorePassphrase("").certificateLabel("");
    InputStream keyStoreAsStream = null;
    try {
        Response response = cloud.retrieveKeystore(request.certId(), keystoreRequest, auth.apiKey());
        keyStoreAsStream = response.body().asInputStream();
    } catch (IOException e) {
        throw new VCertException(e);
    }
    return CloudConnectorUtils.getPEMCollectionFromKeyStoreAsStream(keyStoreAsStream, request.certId(), request.chainOption(), request.keyPassword(), request.dataFormat());
}
Also used : ImportResponse(com.venafi.vcert.sdk.certificate.ImportResponse) Response(feign.Response) VCertException(com.venafi.vcert.sdk.VCertException) InputStream(java.io.InputStream) KeystoreRequest(com.venafi.vcert.sdk.connectors.cloud.endpoint.KeystoreRequest) IOException(java.io.IOException) ConnectorException(com.venafi.vcert.sdk.connectors.ConnectorException)

Example 34 with VCertException

Use of com.venafi.vcert.sdk.VCertException in project vcert-java by Venafi.

From class CertificateRequest, method checkCertificate.

public boolean checkCertificate(Certificate certificate) throws VCertException {
    // Verify that the issued certificate's public key matches the key this request was made for:
    // either the locally generated key pair or the public key embedded in the supplied CSR.
    PublicKeyAlgorithm publicKeyAlgorithm = KeyType.from(certificate.getPublicKey().getAlgorithm()).X509Type();
    if (keyPair != null && keyPair.getPublic() != null && keyPair.getPrivate() != null) {
        keyType = keyType == null ? KeyType.defaultKeyType() : keyType;
        if (keyType.X509Type() != publicKeyAlgorithm) {
            throw new VCertException(format("unmatched key type: %s, %s", keyType.X509Type(), publicKeyAlgorithm.name()));
        }
        switch(publicKeyAlgorithm) {
            case RSA:
                RSAPublicKey certPublicKey = (RSAPublicKey) certificate.getPublicKey();
                RSAPublicKey reqPublicKey = (RSAPublicKey) keyPair.getPublic();
                // TODO can be equals?
                if (certPublicKey.getModulus().compareTo(reqPublicKey.getModulus()) != 0) {
                    throw new VCertException("unmatched key modules");
                }
                break;
            case ECDSA:
                ECPublicKey certEcPublicKey = (ECPublicKey) certificate.getPublicKey();
                ECPublicKey reqEcPublicKey = (ECPublicKey) keyPair.getPublic();
                // https://stackoverflow.com/questions/24121801/how-to-verify-if-the-private-key-matches-with-the-certificate
                java.security.spec.ECParameterSpec certSpec = certEcPublicKey.getParams(), csrSpec = reqEcPublicKey.getParams();
                java.security.spec.EllipticCurve certCurve = certSpec.getCurve(), csrCurve = csrSpec.getCurve();
                java.security.spec.ECField certField = certCurve.getField(), csrField = csrCurve.getField();
                // Note: this branch compares only the curve parameters of the two keys,
                // not the public points themselves.
                if (certSpec != csrSpec
                        && (certSpec.getCofactor() != csrSpec.getCofactor()
                                || !certSpec.getOrder().equals(csrSpec.getOrder())
                                || !certSpec.getGenerator().equals(csrSpec.getGenerator())
                                || (certCurve != csrCurve
                                        && (!certCurve.getA().equals(csrCurve.getA())
                                                || !certCurve.getB().equals(csrCurve.getB())
                                                || certField.getFieldSize() != csrField.getFieldSize())))) {
                    throw new VCertException("unmatched parameters for elliptic keys");
                }
                break;
            default:
                throw new VCertException(format("unknown key algorithm %s", publicKeyAlgorithm.name()));
        }
    } else if (Objects.nonNull(csr) && csr.length != 0) {
        try {
            // Parse the PEM-encoded CSR held by this request (the local variable shadows the csr field).
            PemReader pemReader = new PemReader(new StringReader(new String(csr)));
            PKCS10CertificationRequest csr = new PKCS10CertificationRequest(pemReader.readPemObject().getContent());
            pemReader.close();
            AlgorithmNameFinder nameFinder = new DefaultAlgorithmNameFinder();
            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
            PublicKeyAlgorithm csrPublicKeyAlgorithm = PublicKeyAlgorithm.valueOf(String.valueOf(nameFinder.getAlgorithmName(csr.getSubjectPublicKeyInfo().getAlgorithm())));
            if (publicKeyAlgorithm != csrPublicKeyAlgorithm) {
                throw new VCertException(format("unmatched key type: %s, %s", publicKeyAlgorithm, csrPublicKeyAlgorithm));
            }
            switch(csrPublicKeyAlgorithm) {
                case RSA:
                    RSAPublicKey certPublicKey = (RSAPublicKey) certificate.getPublicKey();
                    RSAPublicKey reqPublicKey = (RSAPublicKey) converter.getPublicKey(csr.getSubjectPublicKeyInfo());
                    if (certPublicKey.getModulus().compareTo(reqPublicKey.getModulus()) != 0) {
                        throw new VCertException("unmatched key modules");
                    }
                    break;
                case ECDSA:
                    ECPublicKey certEcPublicKey = (ECPublicKey) certificate.getPublicKey();
                    ECPublicKey reqEcPublicKey = (ECPublicKey) converter.getPublicKey(csr.getSubjectPublicKeyInfo());
                    // https://stackoverflow.com/questions/24121801/how-to-verify-if-the-private-key-matches-with-the-certificate
                    java.security.spec.ECParameterSpec certSpec = certEcPublicKey.getParams(), csrSpec = reqEcPublicKey.getParams();
                    java.security.spec.EllipticCurve certCurve = certSpec.getCurve(), csrCurve = csrSpec.getCurve();
                    java.security.spec.ECField certField = certCurve.getField(), csrField = csrCurve.getField();
                    // Note: this branch compares only the curve parameters of the two keys,
                    // not the public points themselves.
                    if (certSpec != csrSpec
                            && (certSpec.getCofactor() != csrSpec.getCofactor()
                                    || !certSpec.getOrder().equals(csrSpec.getOrder())
                                    || !certSpec.getGenerator().equals(csrSpec.getGenerator())
                                    || (certCurve != csrCurve
                                            && (!certCurve.getA().equals(csrCurve.getA())
                                                    || !certCurve.getB().equals(csrCurve.getB())
                                                    || certField.getFieldSize() != csrField.getFieldSize())))) {
                        throw new VCertException("unmatched parameters for elliptic keys");
                    }
                    break;
            }
        } catch (IOException e) {
            throw new VCertException(format("bad csr: %s", e.getMessage()), e);
        }
    }
    return true;
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) DefaultAlgorithmNameFinder(org.bouncycastle.operator.DefaultAlgorithmNameFinder) JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter) DEROctetString(org.bouncycastle.asn1.DEROctetString) IOException(java.io.IOException) DefaultAlgorithmNameFinder(org.bouncycastle.operator.DefaultAlgorithmNameFinder) AlgorithmNameFinder(org.bouncycastle.operator.AlgorithmNameFinder) PemReader(org.bouncycastle.util.io.pem.PemReader) RSAPublicKey(java.security.interfaces.RSAPublicKey) ECPublicKey(java.security.interfaces.ECPublicKey) VCertException(com.venafi.vcert.sdk.VCertException) StringReader(java.io.StringReader)

Example 35 with VCertException

Use of com.venafi.vcert.sdk.VCertException in project vcert-java by Venafi.

From class TppConnectorUtils, method populatePolicy.

public static TPPPolicy populatePolicy(TPPPolicy tppPolicy, TppAPI tppAPI) throws VCertException {
    GetPolicyResponse getPolicyResponse;
    try {
        getPolicyResponse = tppAPI.getPolicy(new GetPolicyRequest(tppPolicy.policyName()));
    } catch (Exception e) {
        throw new VCertException(e);
    }
    // Guard against an empty response before dereferencing it; a server-side error is surfaced as-is.
    if (getPolicyResponse == null)
        throw new VCertException("empty policy response for " + tppPolicy.policyName());
    if (getPolicyResponse.error() != null)
        throw new VCertException(getPolicyResponse.error());
    PolicyResponse policyResponse = getPolicyResponse.policy();
    if (policyResponse != null) {
        // Domain suffix white list
        tppPolicy.domainSuffixWhiteList(policyResponse.whitelistedDomains());
        // Prohibited wildcard
        tppPolicy.prohibitWildcard(policyResponse.wildcardsAllowed() ? 0 : 1);
        // Certificate authority
        tppPolicy.certificateAuthority(policyResponse.certificateAuthority() != null ? policyResponse.certificateAuthority().value() : null);
        // management type
        if (policyResponse.managementType() != null)
            tppPolicy.managementType(policyResponse.managementType().value(), policyResponse.managementType().locked());
        // Subject
        SubjectResponse subjectResponse = policyResponse.subject();
        if (subjectResponse != null) {
            // Organization
            if (subjectResponse.organization() != null)
                tppPolicy.organization(subjectResponse.organization().value(), subjectResponse.organization().locked());
            // Org Unit
            if (subjectResponse.organizationalUnit() != null)
                tppPolicy.organizationalUnit(subjectResponse.organizationalUnit().values(), subjectResponse.organizationalUnit().locked());
            // City
            if (subjectResponse.city() != null)
                tppPolicy.city(subjectResponse.city().value(), subjectResponse.city().locked());
            // State
            if (subjectResponse.state() != null)
                tppPolicy.state(subjectResponse.state().value(), subjectResponse.state().locked());
            // country
            if (subjectResponse.country() != null)
                tppPolicy.country(subjectResponse.country().value(), subjectResponse.country().locked());
        }
        // KeyPair
        KeyPairResponse keyPairResponse = policyResponse.keyPair();
        if (keyPairResponse != null) {
            // KeyAlgorithm
            if (keyPairResponse.keyAlgorithm() != null)
                tppPolicy.keyAlgorithm(keyPairResponse.keyAlgorithm().value(), keyPairResponse.keyAlgorithm().locked());
            // Key Bit Strength
            if (keyPairResponse.keySize() != null)
                tppPolicy.keyBitStrength(keyPairResponse.keySize().value().toString(), keyPairResponse.keySize().locked());
            // Elliptic Curve
            if (keyPairResponse.ellipticCurve() != null)
                tppPolicy.ellipticCurve(keyPairResponse.ellipticCurve().value(), keyPairResponse.ellipticCurve().locked());
        }
        // Manual Csr
        if (policyResponse.csrGeneration() != null)
            if (policyResponse.csrGeneration().value().equals("ServiceGenerated"))
                tppPolicy.manualCsr("0", policyResponse.csrGeneration().locked());
            else if (policyResponse.csrGeneration().value().equals("UserProvided"))
                tppPolicy.manualCsr("1", policyResponse.csrGeneration().locked());
        // AllowPrivate Key Reuse
        tppPolicy.allowPrivateKeyReuse(policyResponse.privateKeyReuseAllowed() ? "1" : "0", true);
        // TppWantRenewal
        tppPolicy.wantRenewal(policyResponse.privateKeyReuseAllowed() ? "1" : "0", true);
        // Prohibited SAN Types
        setProhibitedSANTypes(tppPolicy, policyResponse);
    }
    return tppPolicy;
}
Also used : VCertException(com.venafi.vcert.sdk.VCertException)

Aggregations

VCertException (com.venafi.vcert.sdk.VCertException)68 PolicySpecification (com.venafi.vcert.sdk.policy.domain.PolicySpecification)49 DisplayName (org.junit.jupiter.api.DisplayName)48 Test (org.junit.jupiter.api.Test)48 IOException (java.io.IOException)34 CertificateNotFoundByThumbprintException (com.venafi.vcert.sdk.connectors.ConnectorException.CertificateNotFoundByThumbprintException)26 CertificateDNOrThumbprintWasNotProvidedException (com.venafi.vcert.sdk.connectors.ConnectorException.CertificateDNOrThumbprintWasNotProvidedException)25 MoreThanOneCertificateWithSameThumbprintException (com.venafi.vcert.sdk.connectors.ConnectorException.MoreThanOneCertificateWithSameThumbprintException)25 FeignException (feign.FeignException)25 FailedToRevokeTokenException (com.venafi.vcert.sdk.connectors.ConnectorException.FailedToRevokeTokenException)23 Authentication (com.venafi.vcert.sdk.endpoint.Authentication)23 StringReader (java.io.StringReader)7 CertificateRequest (com.venafi.vcert.sdk.certificate.CertificateRequest)5 PEMCollection (com.venafi.vcert.sdk.certificate.PEMCollection)5 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)5 CsrOriginOption (com.venafi.vcert.sdk.certificate.CsrOriginOption)4 DataFormat (com.venafi.vcert.sdk.certificate.DataFormat)4 ImportResponse (com.venafi.vcert.sdk.certificate.ImportResponse)4 RenewalRequest (com.venafi.vcert.sdk.certificate.RenewalRequest)4 RevocationRequest (com.venafi.vcert.sdk.certificate.RevocationRequest)4