use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.
the class IdentifierXmlNodeParser method getObjectType.
/**
 * Reads the {@code objectType} attribute (namespace {@code NS_IDENTIFIERS}) of the
 * given identifier element and maps it onto an {@link XRoadObjectType} constant.
 * The attribute value is parsed input, so every failure surfaces as a
 * {@code X_INVALID_XML} coded exception instead of a bare runtime error.
 * @param node the identifier element whose attributes are inspected
 * @return the object type named by the attribute
 * @throws CodedException with code {@code X_INVALID_XML} when the attribute is
 *         absent, has no text content, or does not name an enum constant
 *         (the {@code valueOf} lookup is an exact, case-sensitive match)
 */
static XRoadObjectType getObjectType(Node node) throws Exception {
    NamedNodeMap attributes = node.getAttributes();
    // Elements without an attribute map are treated the same as a missing attribute.
    Node typeAttribute = attributes == null
            ? null
            : attributes.getNamedItemNS(NS_IDENTIFIERS, "objectType");
    if (typeAttribute == null) {
        throw new CodedException(X_INVALID_XML, "Missing objectType attribute");
    }
    String typeValue = typeAttribute.getTextContent();
    if (typeValue == null) {
        throw new CodedException(X_INVALID_XML, "ObjectType not specified");
    }
    try {
        return XRoadObjectType.valueOf(typeValue);
    } catch (IllegalArgumentException unknownConstant) {
        // The offending value is echoed back so the sender can see what was rejected.
        throw new CodedException(X_INVALID_XML, "Unknown objectType: %s", typeValue);
    }
}
use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.
the class CertChainVerifier method verifyOcspResponses.
/**
 * Checks, for every certificate in {@code certs}, that a matching OCSP response is
 * present and that it is valid and reports a good status at {@code atDate}.
 * The issuer used to locate and check the response is the CA certificate that the
 * global configuration associates with the subject within the chain's instance.
 * @param certs certificates whose revocation status must be confirmed
 * @param ocspResponses candidate OCSP responses, one of which must cover each cert
 * @param result the PKIX validation result; not read by this method
 * @param atDate the point in time at which validity is evaluated
 * @throws CodedException with code {@code X_CERT_VALIDATION} if no response covers a
 *         certificate
 * @throws Exception if issuer lookup or the OCSP verification itself fails
 */
private void verifyOcspResponses(List<X509Certificate> certs, List<OCSPResp> ocspResponses, PKIXCertPathValidatorResult result, Date atDate) throws Exception {
    for (X509Certificate cert : certs) {
        X509Certificate issuerCert = GlobalConf.getCaCert(certChain.getInstanceIdentifier(), cert);
        OCSPResp ocspResponse = getOcspResponseForCert(cert, issuerCert, ocspResponses);
        if (ocspResponse == null) {
            // A certificate with no revocation evidence is rejected outright.
            String subjectName = cert.getSubjectX500Principal().getName();
            throw new CodedException(X_CERT_VALIDATION, "Unable to find OCSP response for certificate " + subjectName);
        }
        // Freshness window and the nextUpdate check are read from global
        // configuration on every iteration, exactly as before.
        OcspVerifier ocspVerifier = new OcspVerifier(
                GlobalConf.getOcspFreshnessSeconds(false),
                new OcspVerifierOptions(GlobalConfExtensions.getInstance().shouldVerifyOcspNextUpdate()));
        ocspVerifier.verifyValidityAndStatus(ocspResponse, cert, issuerCert, atDate);
    }
}
use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.
the class CertHelper method verifyAuthCert.
/**
 * Verifies that the end-entity certificate of <code>chain</code> can be used for
 * authenticating as member <code>member</code>: it must be an authentication
 * certificate, the chain must verify against the configured CAs using
 * <code>ocspResponses</code>, and the certificate must be registered for a
 * security server of the member.
 * @param chain the certificate chain
 * @param ocspResponses OCSP responses used in the cert chain
 * @param member the member
 * @throws CodedException with code {@code X_SSL_AUTH_FAILED} (as prefix for chain
 *         errors) if any of the checks fails
 * @throws Exception if verification fails.
 */
public static void verifyAuthCert(CertChain chain, List<OCSPResp> ocspResponses, ClientId member) throws Exception {
    X509Certificate authCert = chain.getEndEntityCert();
    if (!CertUtils.isAuthCert(authCert)) {
        throw new CodedException(X_SSL_AUTH_FAILED, "Peer certificate is not an authentication certificate");
    }
    log.debug("verifyAuthCert({}: {}, {})", new Object[] { authCert.getSerialNumber(), authCert.getSubjectX500Principal().getName(), member });
    // Chain validation (CA trust, OCSP status at the current time) runs first ...
    try {
        new CertChainVerifier(chain).verify(ocspResponses, new Date());
    } catch (CodedException e) {
        // ... and its errors are re-labelled as SSL authentication failures.
        throw e.withPrefix(X_SSL_AUTH_FAILED);
    }
    // ... then the binding between the certificate and the claimed member.
    if (GlobalConf.authCertMatchesMember(authCert, member)) {
        return;
    }
    SecurityServerId serverId = GlobalConf.getServerId(authCert);
    if (serverId == null) {
        throw new CodedException(X_SSL_AUTH_FAILED, "Authentication certificate %s is not associated " + "with any security server", authCert.getSubjectX500Principal());
    }
    throw new CodedException(X_SSL_AUTH_FAILED, "Client '%s' is not registered at security server %s", member, serverId);
}
use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.
the class CertChainTest method invalidCaCertNoExtensions.
/**
 * Tests that verifying a chain whose last intermediate CA certificate carries no
 * extensions fails with a {@link CodedException} caused by a
 * {@link CertPathBuilderException}, even though every OCSP response reports GOOD.
 * @throws Exception if an error occurs
 */
@Test
public void invalidCaCertNoExtensions() throws Exception {
    X509Certificate root = TestCertUtil.getCertChainCert("root_ca.p12");
    X509Certificate ca1 = TestCertUtil.getCertChainCert("ca_1.p12");
    X509Certificate ca2 = TestCertUtil.getCertChainCert("ca_2.p12");
    X509Certificate ca3 = TestCertUtil.getCertChainCert("ca_3.p12");
    // This CA certificate carries no X.509 extensions, which is what should break path building.
    X509Certificate caNoExtensions = TestCertUtil.getCertChainCert("ca_4_no_ext.p12");
    X509Certificate endEntity = TestCertUtil.getCertChainCert("user_4.p12");
    // All responses say GOOD, so the failure must come from path construction, not revocation.
    List<OCSPResp> ocspResponses = generateOcspResponses(
            Arrays.asList(ca1, ca2, ca3, caNoExtensions, endEntity), CertificateStatus.GOOD);
    CertChain chain = new CertChain("EE", endEntity, root, Arrays.asList(ca1, ca2, ca3, caNoExtensions));
    CodedException failure = null;
    try {
        verify(chain, ocspResponses, null);
    } catch (CodedException e) {
        failure = e;
    }
    if (failure == null) {
        fail("Path creation should fail");
    }
    assertTrue(failure.getCause() instanceof CertPathBuilderException);
}
use of ee.ria.xroad.common.CodedException in project X-Road by nordic-institute.
the class GlobalConfImpl method getCaCert.
/**
 * Looks up the approved CA certificate that issued {@code memberCert}.
 * The issuer is matched by its distinguished name against the subject-to-CA-cert map
 * of the shared parameters; when {@code instanceIdentifier} is null, the shared
 * parameters of all instances are consulted.
 * NOTE(review): this is a name-based lookup only; that the chain actually verifies
 * cryptographically is left to the caller (CertChainVerifier) — confirm.
 * @param instanceIdentifier instance whose shared parameters to search, or null for all
 * @param memberCert the certificate whose issuer is wanted; must not be null
 * @return the CA certificate registered under the issuer name of {@code memberCert}
 * @throws IllegalArgumentException if {@code memberCert} is null
 * @throws CodedException with code {@code X_INTERNAL_ERROR} if no approved CA matches
 * @throws Exception if the certificate cannot be re-encoded
 */
@Override
public X509Certificate getCaCert(String instanceIdentifier, X509Certificate memberCert) throws Exception {
    if (memberCert == null) {
        throw new IllegalArgumentException("Member certificate must be present to find CA cert!");
    }
    X509CertificateHolder holder = new X509CertificateHolder(memberCert.getEncoded());
    String[] instances;
    if (instanceIdentifier == null) {
        instances = new String[0];
    } else {
        instances = new String[] { instanceIdentifier };
    }
    return getSharedParameters(instances)
            .stream()
            .map(params -> params.getSubjectsAndCaCerts().get(holder.getIssuer()))
            .filter(caCert -> caCert != null)
            .findFirst()
            .orElseThrow(() -> new CodedException(X_INTERNAL_ERROR,
                    "Certificate is not issued by approved " + "certification service provider."));
}