use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.
the class HealthChecksTest method createMockProviderWithOcspStatus.
/**
 * Builds a {@link KeyConfProvider} mock whose authentication key carries a single
 * mocked end-entity certificate and whose OCSP lookup answers with the given status.
 *
 * @param status the value the mocked {@link OCSPResp#getStatus()} reports
 * @return the fully wired mock provider
 * @throws Exception if mock setup fails
 */
private static KeyConfProvider createMockProviderWithOcspStatus(int status) throws Exception {
    // End-entity certificate with a fixed subject name.
    X509Certificate endEntityCert = mock(X509Certificate.class);
    X500Principal subject = new X500Principal("CN=Duke, OU=JavaSoft, O=Sun Microsystems, C=US");
    when(endEntityCert.getSubjectX500Principal()).thenReturn(subject);

    CertChain chain = mock(CertChain.class);
    when(chain.getEndEntityCert()).thenReturn(endEntityCert);

    // OCSP response whose status is controlled by the caller.
    OCSPResp ocspResponse = mock(OCSPResp.class);
    when(ocspResponse.getStatus()).thenReturn(status);

    KeyConfProvider provider = mock(KeyConfProvider.class);
    when(provider.getAuthKey()).thenReturn(new AuthKey(chain, null));
    when(provider.getOcspResponse((X509Certificate) notNull())).thenReturn(ocspResponse);
    return provider;
}
use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.
the class HealthChecksTest method checkAuthKeyOcspStatusShouldFailWhenEndEntityCertNotAvailable.
/**
 * The auth-key OCSP health check must report a failure, with an explanatory message,
 * when the configured certificate chain has no end-entity certificate.
 */
@Test
public void checkAuthKeyOcspStatusShouldFailWhenEndEntityCertNotAvailable() {
    // prepare: a chain that yields no end-entity certificate
    CertChain emptyChain = mock(CertChain.class);
    when(emptyChain.getEndEntityCert()).thenReturn(null);

    KeyConfProvider provider = mock(KeyConfProvider.class);
    when(provider.getAuthKey()).thenReturn(new AuthKey(emptyChain, null));
    KeyConf.reload(provider);

    // execute
    HealthCheckResult result = HealthChecks.checkAuthKeyOcspStatus().get();

    // verify
    boolean failed = !result.isOk();
    assertTrue("health check result should be a failure", failed);
    assertThat(result.getErrorMessage(), containsString("No end entity certificate available"));
}
use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.
the class GlobalConfTest method getCertChain.
/**
 * Tests getting the certificate chain for an organization: the resolved chain must
 * contain the end-entity certificate first and the root CA last, with the three
 * intermediate CAs in between.
 *
 * @throws Exception if an error occurs
 */
@Test
public void getCertChain() throws Exception {
    X509Certificate endEntity = getCertChainCert("user_3.p12");
    assertNotNull(endEntity);

    List<X509Certificate> resolved = GlobalConf.getCertChain("EE", endEntity).getAllCerts();

    // Expected files, indexed by position in the resolved chain (0 = end entity).
    String[] expectedFiles = {"user_3.p12", "ca_3.p12", "ca_2.p12", "ca_1.p12", "root_ca.p12"};
    assertEquals(expectedFiles.length, resolved.size());
    // Checked from the root end downwards, as the original assertions were ordered.
    for (int i = expectedFiles.length - 1; i >= 0; i--) {
        assertEquals(getCertChainCert(expectedFiles[i]), resolved.get(i));
    }
}
use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.
the class ServerMessageProcessor method verifySslClientCert.
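/**
 * Verifies the TLS client certificate chain presented on this connection.
 *
 * The client-supplied chain is extended with the trust anchor looked up from the
 * global configuration for the client's X-Road instance, and the resulting chain is
 * checked together with the OCSP responses carried in the request.
 *
 * @throws CodedException with {@code X_SSL_AUTH_FAILED} when the OCSP responses or the
 *         client certificates are missing, when no trust anchor is found, or when the
 *         chain fails verification
 * @throws Exception propagated from the request accessors used here
 */
private void verifySslClientCert() throws Exception {
    log.trace("verifySslClientCert()");

    if (requestMessage.getOcspResponses().isEmpty()) {
        throw new CodedException(X_SSL_AUTH_FAILED,
                "Cannot verify TLS certificate, corresponding OCSP response is missing");
    }

    // Guard the last-element lookup below: a missing client chain must surface as an
    // authentication failure rather than a NullPointerException or an out-of-bounds access.
    if (clientSslCerts == null || clientSslCerts.length == 0) {
        throw new CodedException(X_SSL_AUTH_FAILED,
                "Cannot verify TLS certificate, client certificate chain is missing");
    }

    String instanceIdentifier = requestMessage.getSoap().getClient().getXRoadInstance();

    // The trust anchor is resolved from the last certificate of the client-supplied chain.
    X509Certificate trustAnchor = GlobalConf.getCaCert(instanceIdentifier,
            clientSslCerts[clientSslCerts.length - 1]);
    if (trustAnchor == null) {
        // Reported with the same code as the other failures of this check so callers
        // see one consistent TLS authentication error instead of a bare Exception.
        throw new CodedException(X_SSL_AUTH_FAILED, "Unable to find trust anchor");
    }

    try {
        X509Certificate[] fullChain = (X509Certificate[]) ArrayUtils.add(clientSslCerts, trustAnchor);
        CertChain chain = CertChain.create(instanceIdentifier, fullChain);
        CertHelper.verifyAuthCert(chain, requestMessage.getOcspResponses(),
                requestMessage.getSoap().getClient());
    } catch (Exception e) {
        // Cause is preserved so the underlying verification failure stays diagnosable.
        throw new CodedException(X_SSL_AUTH_FAILED, e);
    }
}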
use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.
the class CachingKeyConfImpl method getAuthKeyInfo.
/**
 * Loads the authentication key material for the given security server: the private
 * key, its certificate chain, and the OCSP responses for the chain.
 *
 * @param serverId the security server whose authentication key is requested
 * @return the assembled authentication key info
 * @throws Exception if the signer call, chain building, or key loading fails
 */
protected AuthKeyInfo getAuthKeyInfo(SecurityServerId serverId) throws Exception {
    log.debug("Retrieving authentication info for security server '{}'", serverId);

    ee.ria.xroad.signer.protocol.dto.AuthKeyInfo signerKeyInfo =
            SignerClient.execute(new GetAuthKey(serverId));

    CertChain authChain = getAuthCertChain(serverId.getXRoadInstance(),
            signerKeyInfo.getCert().getCertificateBytes());

    // Responses for the chain's additional certificates come first; the response for
    // the auth certificate itself is taken from the signer and appended last.
    List<OCSPResp> responses = getOcspResponses(authChain.getAdditionalCerts());
    OCSPResp authCertResponse = new OCSPResp(signerKeyInfo.getCert().getOcspBytes());
    responses.add(authCertResponse);

    return new AuthKeyInfo(loadAuthPrivateKey(signerKeyInfo), authChain, responses);
}