Examples with CodedException ee.ria.xroad.common.CodedException used on opensource projects

Example 21 with CodedException

use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.

the class IdentifierXmlNodeParser method getObjectType.

static XRoadObjectType getObjectType(Node node) throws Exception {
    Node objectType = null;
    NamedNodeMap attr = node.getAttributes();
    if (attr != null) {
        objectType = attr.getNamedItemNS(NS_IDENTIFIERS, "objectType");
    }
    if (objectType == null) {
        throw new CodedException(X_INVALID_XML, "Missing objectType attribute");
    }
    String typeName = objectType.getTextContent();
    if (typeName == null) {
        throw new CodedException(X_INVALID_XML, "ObjectType not specified");
    }
    try {
        return XRoadObjectType.valueOf(typeName);
    } catch (IllegalArgumentException e) {
        throw new CodedException(X_INVALID_XML, "Unknown objectType: %s", typeName);
    }
}

Example 22 with CodedException

use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.

the class CertChainVerifier method verifyOcspResponses.

private void verifyOcspResponses(List<X509Certificate> certs, List<OCSPResp> ocspResponses, PKIXCertPathValidatorResult result, Date atDate) throws Exception {
    for (X509Certificate subject : certs) {
        X509Certificate issuer = GlobalConf.getCaCert(certChain.getInstanceIdentifier(), subject);
        OCSPResp response = getOcspResponseForCert(subject, issuer, ocspResponses);
        if (response == null) {
            throw new CodedException(X_CERT_VALIDATION, "Unable to find OCSP response for certificate " + subject.getSubjectX500Principal().getName());
        }
        OcspVerifier verifier = new OcspVerifier(GlobalConf.getOcspFreshnessSeconds(false), new OcspVerifierOptions(GlobalConfExtensions.getInstance().shouldVerifyOcspNextUpdate()));
        verifier.verifyValidityAndStatus(response, subject, issuer, atDate);
    }
}

Example 23 with CodedException

use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.

the class CertHelper method verifyAuthCert.

/**
 * Verifies that the certificate <code>cert</code> can be used for
 * authenticating as member <code>member</code>.
 * The <code>ocspResponsec</code> is used to verify validity of the
 * certificate.
 * @param chain the certificate chain
 * @param ocspResponses OCSP responses used in the cert chain
 * @param member the member
 * @throws Exception if verification fails.
 */
public static void verifyAuthCert(CertChain chain, List<OCSPResp> ocspResponses, ClientId member) throws Exception {
    X509Certificate cert = chain.getEndEntityCert();
    if (!CertUtils.isAuthCert(cert)) {
        throw new CodedException(X_SSL_AUTH_FAILED, "Peer certificate is not an authentication certificate");
    }
    log.debug("verifyAuthCert({}: {}, {})", new Object[] { cert.getSerialNumber(), cert.getSubjectX500Principal().getName(), member });
    // Verify certificate against CAs.
    try {
        new CertChainVerifier(chain).verify(ocspResponses, new Date());
    } catch (CodedException e) {
        // meaningful errors get SSL auth verification prefix
        throw e.withPrefix(X_SSL_AUTH_FAILED);
    }
    // to authenticate given member.
    if (!GlobalConf.authCertMatchesMember(cert, member)) {
        SecurityServerId serverId = GlobalConf.getServerId(cert);
        if (serverId != null) {
            throw new CodedException(X_SSL_AUTH_FAILED, "Client '%s' is not registered at security server %s", member, serverId);
        }
        throw new CodedException(X_SSL_AUTH_FAILED, "Authentication certificate %s is not associated " + "with any security server", cert.getSubjectX500Principal());
    }
}

Example 24 with CodedException

use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.

the class CertChainTest method invalidCaCertNoExtensions.

/**
 * Tests that verifying a chain with invalid CA certificate fails.
 * @throws Exception if an error occurs
 */
@Test
public void invalidCaCertNoExtensions() throws Exception {
    X509Certificate rootCa = TestCertUtil.getCertChainCert("root_ca.p12");
    X509Certificate interCa1 = TestCertUtil.getCertChainCert("ca_1.p12");
    X509Certificate interCa2 = TestCertUtil.getCertChainCert("ca_2.p12");
    X509Certificate interCa3 = TestCertUtil.getCertChainCert("ca_3.p12");
    // this CA cert has no extensions
    X509Certificate interCa4 = TestCertUtil.getCertChainCert("ca_4_no_ext.p12");
    X509Certificate userCert = TestCertUtil.getCertChainCert("user_4.p12");
    List<OCSPResp> ocsp = generateOcspResponses(Arrays.asList(interCa1, interCa2, interCa3, interCa4, userCert), CertificateStatus.GOOD);
    CertChain chain = new CertChain("EE", userCert, rootCa, Arrays.asList(interCa1, interCa2, interCa3, interCa4));
    try {
        verify(chain, ocsp, null);
        fail("Path creation should fail");
    } catch (CodedException e) {
        assertTrue(e.getCause() instanceof CertPathBuilderException);
    }
}

Example 25 with CodedException

use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.

the class GlobalConfImpl method getCaCert.

@Override
public X509Certificate getCaCert(String instanceIdentifier, X509Certificate memberCert) throws Exception {
    if (memberCert == null) {
        throw new IllegalArgumentException("Member certificate must be present to find CA cert!");
    }
    X509CertificateHolder ch = new X509CertificateHolder(memberCert.getEncoded());
    String[] instances = instanceIdentifier != null ? new String[] { instanceIdentifier } : new String[] {};
    return getSharedParameters(instances).stream().map(p -> p.getSubjectsAndCaCerts().get(ch.getIssuer())).filter(Objects::nonNull).findFirst().orElseThrow(() -> new CodedException(X_INTERNAL_ERROR, "Certificate is not issued by approved " + "certification service provider."));
}