use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.
the class ImportCertRequestHandler method verifyCertChain.
/**
 * Checks that a certificate being imported chains to a CA known to the global configuration.
 *
 * <p>Self-signed certificates are deliberately exempt and are returned without any check, so
 * any trust decision for them has to be made elsewhere.
 *
 * @param cert the certificate being imported
 * @throws CodedException with {@code X_CERT_IMPORT_FAILED} when the chain cannot be built or
 *         verified; the underlying cause is only logged, not returned to the caller
 */
private void verifyCertChain(X509Certificate cert) {
    if (CertUtils.isSelfSigned(cert)) {
        // Self-signed certs have no issuer chain to check, so they bypass verification here.
        return;
    }

    // Runs outside the try block: a failure here propagates as-is instead of being
    // reported as an invalid certificate.
    GlobalConf.verifyValidity();

    try {
        CertChain candidateChain = CertChain.create(GlobalConf.getInstanceIdentifier(), cert, null);
        CertChainVerifier verifier = new CertChainVerifier(candidateChain);
        // NOTE(review): verifyChainOnly presumably skips OCSP/revocation checks — confirm
        // that revocation status is enforced elsewhere for imported certs.
        Date now = new Date();
        verifier.verifyChainOnly(now);
    } catch (Exception e) {
        // Full detail goes to the log; the caller only sees a generic message.
        log.error("Failed to import certificate", e);
        throw CodedException.tr(X_CERT_IMPORT_FAILED, "cert_import_failed", "%s", "Certificate is not valid");
    }
}
use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.
the class ServerRestMessageProcessor method verifySslClientCert.
/**
 * Authenticates the peer from its TLS client certificate chain and the OCSP responses
 * carried in the request message.
 *
 * <p>The check fails closed: a missing OCSP response, a missing trust anchor, or any
 * verification error ends in an exception.
 *
 * @throws CodedException with {@code X_SSL_AUTH_FAILED} when no OCSP responses are present or
 *         when building/verifying the chain fails
 * @throws Exception when no trust anchor is found for the last certificate of the chain
 */
private void verifySslClientCert() throws Exception {
    // No OCSP responses means the certificate status cannot be checked: reject up front.
    if (requestMessage.getOcspResponses().isEmpty()) {
        throw new CodedException(X_SSL_AUTH_FAILED, "Cannot verify TLS certificate, corresponding OCSP response is missing");
    }

    String xroadInstance = requestMessage.getRest().getClientId().getXRoadInstance();

    // The anchor is looked up from the last certificate presented by the peer.
    // NOTE(review): this indexing assumes clientSslCerts is non-null and non-empty; otherwise
    // a NullPointerException/ArrayIndexOutOfBoundsException escapes instead of
    // X_SSL_AUTH_FAILED — confirm the caller guarantees it.
    X509Certificate anchor = GlobalConf.getCaCert(xroadInstance, clientSslCerts[clientSslCerts.length - 1]);
    if (anchor == null) {
        throw new Exception("Unable to find trust anchor");
    }

    try {
        // Append the anchor to the presented certificates so the chain ends at a configured CA.
        X509Certificate[] withAnchor = (X509Certificate[]) ArrayUtils.add(clientSslCerts, anchor);
        CertChain fullChain = CertChain.create(xroadInstance, withAnchor);
        CertHelper.verifyAuthCert(fullChain, requestMessage.getOcspResponses(), requestMessage.getRest().getClientId());
    } catch (Exception e) {
        // Every failure is reported under one fault code; the cause is kept on the exception.
        throw new CodedException(X_SSL_AUTH_FAILED, e);
    }
}
use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.
the class SignatureVerifier method verifyCertificateChain.
/**
 * Builds the chain for the signing certificate and verifies it, together with the OCSP
 * responses carried in the signature, as of the given date.
 *
 * <p>Nothing is caught here: any failure in chain construction or verification propagates
 * to the caller.
 *
 * @param atDate the date the verification is evaluated against
 * @param signer the signing client; only its X-Road instance is used, to build the chain
 * @param signingCert the certificate that produced the signature
 */
private void verifyCertificateChain(Date atDate, ClientId signer, X509Certificate signingCert) {
    String xroadInstance = signer.getXRoadInstance();

    // The extra certificates come from the signature itself, i.e. from the party being
    // verified. NOTE(review): presumably they serve only as intermediates and trust is
    // anchored in the instance's configured CAs — confirm in CertChain.create.
    CertChain signerChain = CertChain.create(xroadInstance, signingCert, signature.getExtraCertificates());

    CertChainVerifier verifier = new CertChainVerifier(signerChain);
    verifier.verify(signature.getOcspResponses(), atDate);
}
use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.
the class AuthKeyManager method getCertificateChain.
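/**
 * Returns the authentication certificate chain, without the trusted root.
 *
 * <p>The alias is only logged; the chain always comes from the current authentication key.
 *
 * @param alias the key alias requested by the caller
 * @return the chain as an array, or {@code null} when no authentication certificate chain
 *         is currently available
 */
@Override
public X509Certificate[] getCertificateChain(String alias) {
    log.trace("getCertificateChain {}", alias);

    CertChain certChain = KeyConf.getAuthKey().getCertChain();
    if (certChain == null) {
        // An AuthKey can be built with a null chain when the certificate could not be read.
        // Return null instead of failing with a NullPointerException.
        // NOTE(review): presumably this overrides X509KeyManager#getCertificateChain, whose
        // contract allows null when no chain can be found — confirm.
        log.warn("No authentication certificate chain available for alias {}", alias);
        return null;
    }

    List<X509Certificate> allCerts = certChain.getAllCertsWithoutTrustedRoot();
    return allCerts.toArray(new X509Certificate[0]);
}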
use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.
the class KeyConfImpl method getAuthKey.
/**
 * Fetches this security server's authentication private key and certificate chain.
 *
 * <p>Lookup is best-effort: every exception is logged and swallowed, and a component that
 * could not be loaded stays {@code null}. Callers must therefore null-check both parts of
 * the result before using it.
 *
 * @return an {@code AuthKey} whose certificate chain and/or private key may be {@code null}
 */
@Override
public AuthKey getAuthKey() {
    // Both start as null and keep whatever was loaded before a failure.
    PrivateKey privateKey = null;
    CertChain authChain = null;

    try {
        SecurityServerId ownId = ServerConf.getIdentifier();
        log.debug("Retrieving authentication info for security server '{}'", ownId);

        AuthKeyInfo authKeyInfo = SignerClient.execute(new GetAuthKey(ownId));

        privateKey = loadAuthPrivateKey(authKeyInfo);
        if (privateKey == null) {
            // Not fatal: the certificate chain is still loaded below.
            log.warn("Failed to read authentication key");
        }

        authChain = getAuthCertChain(ownId.getXRoadInstance(), authKeyInfo.getCert().getCertificateBytes());
        if (authChain == null) {
            log.warn("Failed to read authentication certificate");
        }
    } catch (Exception e) {
        // Deliberately not rethrown; the caller gets a partially filled or empty AuthKey.
        log.error("Failed to get authentication key", e);
    }

    return new AuthKey(authChain, privateKey);
}