Example 6 with CertChain

use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.

The class ImportCertRequestHandler, method verifyCertChain.

private void verifyCertChain(X509Certificate cert) {
    if (CertUtils.isSelfSigned(cert)) {
        // do not verify self-signed certs
        return;
    }
    // make sure the global configuration itself is still valid before trusting its CA list
    GlobalConf.verifyValidity();
    try {
        // build the chain against the CAs of this instance; no extra intermediate certs are supplied
        CertChain chain = CertChain.create(GlobalConf.getInstanceIdentifier(), cert, null);
        // chain-only verification at the current time (no OCSP status check at import)
        new CertChainVerifier(chain).verifyChainOnly(new Date());
    } catch (Exception e) {
        log.error("Failed to import certificate", e);
        throw CodedException.tr(X_CERT_IMPORT_FAILED, "cert_import_failed", "%s", "Certificate is not valid");
    }
}
Also used : CertChain(ee.ria.xroad.common.cert.CertChain) CertChainVerifier(ee.ria.xroad.common.cert.CertChainVerifier) Date(java.util.Date) CodedException(ee.ria.xroad.common.CodedException)

Example 7 with CertChain

use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.

The class ServerRestMessageProcessor, method verifySslClientCert.

private void verifySslClientCert() throws Exception {
    // the request must carry an OCSP response for the client's TLS certificate
    if (requestMessage.getOcspResponses().isEmpty()) {
        throw new CodedException(X_SSL_AUTH_FAILED, "Cannot verify TLS certificate, corresponding OCSP response is missing");
    }
    String instanceIdentifier = requestMessage.getRest().getClientId().getXRoadInstance();
    // look up the CA certificate that issued the last certificate of the presented chain
    X509Certificate trustAnchor = GlobalConf.getCaCert(instanceIdentifier, clientSslCerts[clientSslCerts.length - 1]);
    if (trustAnchor == null) {
        throw new Exception("Unable to find trust anchor");
    }
    try {
        // append the trust anchor and verify the chain together with the OCSP responses and the client identifier
        CertChain chain = CertChain.create(instanceIdentifier, (X509Certificate[]) ArrayUtils.add(clientSslCerts, trustAnchor));
        CertHelper.verifyAuthCert(chain, requestMessage.getOcspResponses(), requestMessage.getRest().getClientId());
    } catch (Exception e) {
        // any verification failure is reported as a TLS authentication failure
        throw new CodedException(X_SSL_AUTH_FAILED, e);
    }
}
Also used : CodedException(ee.ria.xroad.common.CodedException) CertChain(ee.ria.xroad.common.cert.CertChain) X509Certificate(java.security.cert.X509Certificate)

Example 8 with CertChain

use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.

The class SignatureVerifier, method verifyCertificateChain.

private void verifyCertificateChain(Date atDate, ClientId signer, X509Certificate signingCert) {
    // the signature may carry the intermediate certificates needed to complete the chain
    CertChain certChain = CertChain.create(signer.getXRoadInstance(), signingCert, signature.getExtraCertificates());
    // full verification: chain plus OCSP responses, evaluated at the signing time rather than now
    new CertChainVerifier(certChain).verify(signature.getOcspResponses(), atDate);
}
Also used : CertChain(ee.ria.xroad.common.cert.CertChain) CertChainVerifier(ee.ria.xroad.common.cert.CertChainVerifier)

Example 9 with CertChain

use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.

The class AuthKeyManager, method getCertificateChain.

@Override
public X509Certificate[] getCertificateChain(String alias) {
    log.trace("getCertificateChain {}", alias);
    CertChain certChain = KeyConf.getAuthKey().getCertChain();
    // the trusted root is not sent to the peer; the end-entity and intermediate certs are
    List<X509Certificate> allCerts = certChain.getAllCertsWithoutTrustedRoot();
    return allCerts.toArray(new X509Certificate[allCerts.size()]);
}
Also used : CertChain(ee.ria.xroad.common.cert.CertChain) X509Certificate(java.security.cert.X509Certificate)

Example 10 with CertChain

use of ee.ria.xroad.common.cert.CertChain in project X-Road by nordic-institute.

The class KeyConfImpl, method getAuthKey.

@Override
public AuthKey getAuthKey() {
    PrivateKey pkey = null;
    CertChain certChain = null;
    try {
        SecurityServerId serverId = ServerConf.getIdentifier();
        log.debug("Retrieving authentication info for security server '{}'", serverId);
        // ask the signer for the authentication key and certificate of this security server
        AuthKeyInfo keyInfo = SignerClient.execute(new GetAuthKey(serverId));
        pkey = loadAuthPrivateKey(keyInfo);
        if (pkey == null) {
            log.warn("Failed to read authentication key");
        }
        certChain = getAuthCertChain(serverId.getXRoadInstance(), keyInfo.getCert().getCertificateBytes());
        if (certChain == null) {
            log.warn("Failed to read authentication certificate");
        }
    } catch (Exception e) {
        log.error("Failed to get authentication key", e);
    }
    // failures are only logged: the returned AuthKey may hold a null key or chain
    return new AuthKey(certChain, pkey);
}
Also used : AuthKeyInfo(ee.ria.xroad.signer.protocol.dto.AuthKeyInfo) PrivateKey(java.security.PrivateKey) CertChain(ee.ria.xroad.common.cert.CertChain) GetAuthKey(ee.ria.xroad.signer.protocol.message.GetAuthKey) SecurityServerId(ee.ria.xroad.common.identifier.SecurityServerId) AuthKey(ee.ria.xroad.common.conf.globalconf.AuthKey) CodedException(ee.ria.xroad.common.CodedException)
