Example 1 with CertChain

Use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.

Class HealthChecksTest, method createMockProviderWithOcspStatus.

private static KeyConfProvider createMockProviderWithOcspStatus(int status) throws Exception {
    // Mock an end-entity certificate with a fixed subject; the mocked chain exposes it as its leaf.
    X509Certificate mockCertificate = mock(X509Certificate.class);
    when(mockCertificate.getSubjectX500Principal()).thenReturn(new X500Principal("CN=Duke, OU=JavaSoft, O=Sun Microsystems, C=US"));
    CertChain mockCertChain = mock(CertChain.class);
    when(mockCertChain.getEndEntityCert()).thenReturn(mockCertificate);
    AuthKey authKey = new AuthKey(mockCertChain, null);
    KeyConfProvider mockKeyConfProvider = mock(KeyConfProvider.class);
    when(mockKeyConfProvider.getAuthKey()).thenReturn(authKey);
    // Any non-null certificate gets an OCSP response whose status is the one requested by the caller.
    OCSPResp mockResponse = mock(OCSPResp.class);
    when(mockResponse.getStatus()).thenReturn(status);
    when(mockKeyConfProvider.getOcspResponse((X509Certificate) notNull())).thenReturn(mockResponse);
    return mockKeyConfProvider;
}
Also used: CertChain (ee.ria.xroad.common.cert.CertChain), AuthKey (ee.ria.xroad.common.conf.globalconf.AuthKey), X500Principal (javax.security.auth.x500.X500Principal), KeyConfProvider (ee.ria.xroad.proxy.conf.KeyConfProvider), X509Certificate (java.security.cert.X509Certificate), OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp)

Example 2 with CertChain

Use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.

Class HealthChecksTest, method checkAuthKeyOcspStatusShouldFailWhenEndEntityCertNotAvailable.

@Test
public void checkAuthKeyOcspStatusShouldFailWhenEndEntityCertNotAvailable() {
    // prepare
    CertChain mockCertChain = mock(CertChain.class);
    when(mockCertChain.getEndEntityCert()).thenReturn(null);
    AuthKey authKey = new AuthKey(mockCertChain, null);
    KeyConfProvider mockKeyConfProvider = mock(KeyConfProvider.class);
    when(mockKeyConfProvider.getAuthKey()).thenReturn(authKey);
    KeyConf.reload(mockKeyConfProvider);
    // execute
    HealthCheckProvider testedProvider = HealthChecks.checkAuthKeyOcspStatus();
    HealthCheckResult checkedResult = testedProvider.get();
    // verify
    assertTrue("health check result should be a failure", !checkedResult.isOk());
    assertThat(checkedResult.getErrorMessage(), containsString("No end entity certificate available"));
}
Also used: CertChain (ee.ria.xroad.common.cert.CertChain), AuthKey (ee.ria.xroad.common.conf.globalconf.AuthKey), KeyConfProvider (ee.ria.xroad.proxy.conf.KeyConfProvider), Test (org.junit.Test)

Example 3 with CertChain

Use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.

Class GlobalConfTest, method getCertChain.

/**
 * Tests getting the certificate chain for an organization.
 *
 * @throws Exception if an error occurs
 */
@Test
public void getCertChain() throws Exception {
    X509Certificate org = getCertChainCert("user_3.p12");
    assertNotNull(org);
    CertChain certChain = GlobalConf.getCertChain("EE", org);
    List<X509Certificate> chain = certChain.getAllCerts();
    // The chain is ordered leaf first: index 0 is the end-entity certificate, the last index is the root CA.
    assertEquals(5, chain.size());
    assertEquals(getCertChainCert("root_ca.p12"), chain.get(4));
    assertEquals(getCertChainCert("ca_1.p12"), chain.get(3));
    assertEquals(getCertChainCert("ca_2.p12"), chain.get(2));
    assertEquals(getCertChainCert("ca_3.p12"), chain.get(1));
    assertEquals(getCertChainCert("user_3.p12"), chain.get(0));
}
Also used: CertChain (ee.ria.xroad.common.cert.CertChain), X509Certificate (java.security.cert.X509Certificate), Test (org.junit.Test)

Example 4 with CertChain

Use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.

Class ServerMessageProcessor, method verifySslClientCert.

private void verifySslClientCert() throws Exception {
    log.trace("verifySslClientCert()");
    // The client's TLS certificate is only accepted together with OCSP responses for its chain.
    if (requestMessage.getOcspResponses().isEmpty()) {
        throw new CodedException(X_SSL_AUTH_FAILED, "Cannot verify TLS certificate, corresponding OCSP response is missing");
    }
    // The last element of the presented client chain is the topmost CA the client sent;
    // the trust anchor for it comes from the global configuration of the client's X-Road instance.
    String instanceIdentifier = requestMessage.getSoap().getClient().getXRoadInstance();
    X509Certificate trustAnchor = GlobalConf.getCaCert(instanceIdentifier, clientSslCerts[clientSslCerts.length - 1]);
    if (trustAnchor == null) {
        throw new Exception("Unable to find trust anchor");
    }
    try {
        // Build the full chain with the trust anchor appended and verify it together with the OCSP responses.
        CertChain chain = CertChain.create(instanceIdentifier, (X509Certificate[]) ArrayUtils.add(clientSslCerts, trustAnchor));
        CertHelper.verifyAuthCert(chain, requestMessage.getOcspResponses(), requestMessage.getSoap().getClient());
    } catch (Exception e) {
        // Any chain or OCSP verification failure is reported as a TLS authentication failure.
        throw new CodedException(X_SSL_AUTH_FAILED, e);
    }
}
Also used: CodedException (ee.ria.xroad.common.CodedException), CertChain (ee.ria.xroad.common.cert.CertChain), X509Certificate (java.security.cert.X509Certificate), URISyntaxException (java.net.URISyntaxException), ErrorCodes.translateException (ee.ria.xroad.common.ErrorCodes.translateException)

Example 5 with CertChain

Use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.

Class CachingKeyConfImpl, method getAuthKeyInfo.

protected AuthKeyInfo getAuthKeyInfo(SecurityServerId serverId) throws Exception {
    log.debug("Retrieving authentication info for security server '{}'", serverId);
    // Fetch the authentication key and certificate from the signer.
    ee.ria.xroad.signer.protocol.dto.AuthKeyInfo keyInfo = SignerClient.execute(new GetAuthKey(serverId));
    // Build the authentication certificate chain for this server's X-Road instance.
    CertChain certChain = getAuthCertChain(serverId.getXRoadInstance(), keyInfo.getCert().getCertificateBytes());
    // Collect OCSP responses for the intermediate certificates, then add the one the signer holds for the auth certificate itself.
    List<OCSPResp> ocspResponses = getOcspResponses(certChain.getAdditionalCerts());
    ocspResponses.add(new OCSPResp(keyInfo.getCert().getOcspBytes()));
    PrivateKey key = loadAuthPrivateKey(keyInfo);
    return new AuthKeyInfo(key, certChain, ocspResponses);
}
Also used: PrivateKey (java.security.PrivateKey), GetAuthKey (ee.ria.xroad.signer.protocol.message.GetAuthKey), CertChain (ee.ria.xroad.common.cert.CertChain), OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp)

Aggregations

Type (fully qualified name): number of usages

CertChain (ee.ria.xroad.common.cert.CertChain): 11
X509Certificate (java.security.cert.X509Certificate): 6
CodedException (ee.ria.xroad.common.CodedException): 5
AuthKey (ee.ria.xroad.common.conf.globalconf.AuthKey): 3
OCSPResp (org.bouncycastle.cert.ocsp.OCSPResp): 3
CertChainVerifier (ee.ria.xroad.common.cert.CertChainVerifier): 2
KeyConfProvider (ee.ria.xroad.proxy.conf.KeyConfProvider): 2
GetAuthKey (ee.ria.xroad.signer.protocol.message.GetAuthKey): 2
PrivateKey (java.security.PrivateKey): 2
Test (org.junit.Test): 2
ErrorCodes.translateException (ee.ria.xroad.common.ErrorCodes.translateException): 1
SecurityServerId (ee.ria.xroad.common.identifier.SecurityServerId): 1
AuthKeyInfo (ee.ria.xroad.signer.protocol.dto.AuthKeyInfo): 1
URISyntaxException (java.net.URISyntaxException): 1
Date (java.util.Date): 1
X500Principal (javax.security.auth.x500.X500Principal): 1