
Example 21 with CodedException

use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.

The class IdentifierXmlNodeParser, method getObjectType:

static XRoadObjectType getObjectType(Node node) throws Exception {
    Node objectType = null;
    NamedNodeMap attr = node.getAttributes();
    if (attr != null) {
        // The objectType attribute is namespace-qualified (X-Road identifiers namespace).
        objectType = attr.getNamedItemNS(NS_IDENTIFIERS, "objectType");
    }
    if (objectType == null) {
        throw new CodedException(X_INVALID_XML, "Missing objectType attribute");
    }
    String typeName = objectType.getTextContent();
    if (typeName == null) {
        throw new CodedException(X_INVALID_XML, "ObjectType not specified");
    }
    try {
        return XRoadObjectType.valueOf(typeName);
    } catch (IllegalArgumentException e) {
        // valueOf rejects any name that is not an enum constant; report it as invalid XML.
        throw new CodedException(X_INVALID_XML, "Unknown objectType: %s", typeName);
    }
}
Also used : NamedNodeMap(org.w3c.dom.NamedNodeMap) CodedException(ee.ria.xroad.common.CodedException) Node(org.w3c.dom.Node)

Example 22 with CodedException

The class CertChainVerifier, method verifyOcspResponses:

private void verifyOcspResponses(List<X509Certificate> certs, List<OCSPResp> ocspResponses,
        PKIXCertPathValidatorResult result, Date atDate) throws Exception {
    for (X509Certificate subject : certs) {
        // Look up the issuer among the approved CAs of this X-Road instance.
        X509Certificate issuer = GlobalConf.getCaCert(certChain.getInstanceIdentifier(), subject);
        OCSPResp response = getOcspResponseForCert(subject, issuer, ocspResponses);
        if (response == null) {
            // Every certificate in the chain must have an OCSP response; a missing one fails validation.
            throw new CodedException(X_CERT_VALIDATION,
                    "Unable to find OCSP response for certificate "
                            + subject.getSubjectX500Principal().getName());
        }
        OcspVerifier verifier = new OcspVerifier(GlobalConf.getOcspFreshnessSeconds(false),
                new OcspVerifierOptions(GlobalConfExtensions.getInstance().shouldVerifyOcspNextUpdate()));
        // Checks the response signature, freshness and the certificate status at atDate.
        verifier.verifyValidityAndStatus(response, subject, issuer, atDate);
    }
}
Also used : CodedException(ee.ria.xroad.common.CodedException) OcspVerifierOptions(ee.ria.xroad.common.ocsp.OcspVerifierOptions) OcspVerifier(ee.ria.xroad.common.ocsp.OcspVerifier) X509Certificate(java.security.cert.X509Certificate) OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp)

Example 23 with CodedException

The class CertHelper, method verifyAuthCert:

/**
 * Verifies that the end-entity certificate of <code>chain</code> can be used for
 * authenticating as member <code>member</code>.
 * The <code>ocspResponses</code> are used to verify the validity of the
 * certificate.
 * @param chain the certificate chain
 * @param ocspResponses OCSP responses used in the cert chain
 * @param member the member
 * @throws Exception if verification fails.
 */
public static void verifyAuthCert(CertChain chain, List<OCSPResp> ocspResponses, ClientId member) throws Exception {
    X509Certificate cert = chain.getEndEntityCert();
    if (!CertUtils.isAuthCert(cert)) {
        throw new CodedException(X_SSL_AUTH_FAILED, "Peer certificate is not an authentication certificate");
    }
    log.debug("verifyAuthCert({}: {}, {})",
            new Object[] { cert.getSerialNumber(), cert.getSubjectX500Principal().getName(), member });
    // Verify certificate against CAs.
    try {
        new CertChainVerifier(chain).verify(ocspResponses, new Date());
    } catch (CodedException e) {
        // meaningful errors get SSL auth verification prefix
        throw e.withPrefix(X_SSL_AUTH_FAILED);
    }
    // Verify that the certificate is registered to authenticate the given member.
    if (!GlobalConf.authCertMatchesMember(cert, member)) {
        SecurityServerId serverId = GlobalConf.getServerId(cert);
        if (serverId != null) {
            throw new CodedException(X_SSL_AUTH_FAILED,
                    "Client '%s' is not registered at security server %s", member, serverId);
        }
        throw new CodedException(X_SSL_AUTH_FAILED,
                "Authentication certificate %s is not associated with any security server",
                cert.getSubjectX500Principal());
    }
}
Also used : CodedException(ee.ria.xroad.common.CodedException) SecurityServerId(ee.ria.xroad.common.identifier.SecurityServerId) X509Certificate(java.security.cert.X509Certificate) Date(java.util.Date)

Example 24 with CodedException

The class CertChainTest, method invalidCaCertNoExtensions:

/**
 * Tests that verifying a chain with an invalid CA certificate fails.
 * @throws Exception if an error occurs
 */
@Test
public void invalidCaCertNoExtensions() throws Exception {
    X509Certificate rootCa = TestCertUtil.getCertChainCert("root_ca.p12");
    X509Certificate interCa1 = TestCertUtil.getCertChainCert("ca_1.p12");
    X509Certificate interCa2 = TestCertUtil.getCertChainCert("ca_2.p12");
    X509Certificate interCa3 = TestCertUtil.getCertChainCert("ca_3.p12");
    // this CA cert has no extensions (no BasicConstraints/KeyUsage), so it must not be accepted as a CA
    X509Certificate interCa4 = TestCertUtil.getCertChainCert("ca_4_no_ext.p12");
    X509Certificate userCert = TestCertUtil.getCertChainCert("user_4.p12");
    // All OCSP responses are GOOD, so the only reason for failure is the CA certificate itself.
    List<OCSPResp> ocsp = generateOcspResponses(
            Arrays.asList(interCa1, interCa2, interCa3, interCa4, userCert), CertificateStatus.GOOD);
    CertChain chain = new CertChain("EE", userCert, rootCa,
            Arrays.asList(interCa1, interCa2, interCa3, interCa4));
    try {
        verify(chain, ocsp, null);
        fail("Path creation should fail");
    } catch (CodedException e) {
        assertTrue(e.getCause() instanceof CertPathBuilderException);
    }
}
Also used : CodedException(ee.ria.xroad.common.CodedException) CertPathBuilderException(java.security.cert.CertPathBuilderException) X509Certificate(java.security.cert.X509Certificate) OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp) Test(org.junit.Test)

Example 25 with CodedException

The class GlobalConfImpl, method getCaCert:

@Override
public X509Certificate getCaCert(String instanceIdentifier, X509Certificate memberCert) throws Exception {
    if (memberCert == null) {
        throw new IllegalArgumentException("Member certificate must be present to find CA cert!");
    }
    X509CertificateHolder ch = new X509CertificateHolder(memberCert.getEncoded());
    // A null instance identifier means search the shared parameters of all known instances.
    String[] instances = instanceIdentifier != null ? new String[] { instanceIdentifier } : new String[] {};
    // The issuer DN is only a lookup key here; the caller is expected to verify the chain
    // cryptographically (see CertChainVerifier) rather than trust the name alone.
    return getSharedParameters(instances).stream()
            .map(p -> p.getSubjectsAndCaCerts().get(ch.getIssuer()))
            .filter(Objects::nonNull)
            .findFirst()
            .orElseThrow(() -> new CodedException(X_INTERNAL_ERROR,
                    "Certificate is not issued by approved certification service provider."));
}
