Use of ee.ria.xroad.common.ocsp.OcspVerifierOptions in project X-Road by nordic-institute.
The class ManagementRequestHandler, method verifyCertificate.
/**
 * Verifies the member's signing certificate: first its own validity period,
 * then its OCSP status against the issuing CA taken from the global configuration.
 *
 * @param memberCert the member (owner/client) sign certificate to check
 * @param memberCertOcsp the OCSP response supplied for {@code memberCert}
 * @throws CodedException with {@code X_CERT_VALIDATION} if the certificate is
 *         outside its validity period (the original failure message is embedded)
 * @throws Exception if the OCSP response does not verify for this certificate
 */
private static void verifyCertificate(X509Certificate memberCert, OCSPResp memberCertOcsp) throws Exception {
    // The validity-period check runs first; any failure is mapped to a coded fault.
    try {
        memberCert.checkValidity();
    } catch (Exception e) {
        throw new CodedException(X_CERT_VALIDATION, "Member (owner/client) sign certificate is invalid: %s", e.getMessage());
    }
    X509Certificate caCert = GlobalConf.getCaCert(GlobalConf.getInstanceIdentifier(), memberCert);
    // Whether the response's nextUpdate must be checked is a global-conf extension setting.
    boolean verifyNextUpdate = GlobalConfExtensions.getInstance().shouldVerifyOcspNextUpdate();
    OcspVerifierOptions options = new OcspVerifierOptions(verifyNextUpdate);
    OcspVerifier verifier = new OcspVerifier(GlobalConf.getOcspFreshnessSeconds(false), options);
    verifier.verifyValidityAndStatus(memberCertOcsp, memberCert, caCert);
}
Use of ee.ria.xroad.common.ocsp.OcspVerifierOptions in project X-Road by nordic-institute.
The class TestSuiteKeyConf, method getOcspResponse.
/**
 * Returns a cached OCSP response for {@code cert}, creating a {@code GOOD}
 * response with the test OCSP signer on first use.
 * <p>
 * A newly created response is verified with {@link OcspVerifier} before it is
 * cached, so a response that would not pass verification is never stored; in
 * that case the error is logged and {@code null} is returned.
 *
 * @param cert the certificate whose OCSP response is requested
 * @return the cached or newly created response, or {@code null} if creation
 *         or verification failed
 * @throws CodedException (via {@code ErrorCodes.translateException}) if the
 *         certificate hash cannot be calculated
 */
@Override
public OCSPResp getOcspResponse(X509Certificate cert) {
    final String key;
    try {
        key = calculateCertHexHash(cert);
    } catch (Exception e) {
        throw ErrorCodes.translateException(e);
    }
    if (ocspResponses.containsKey(key)) {
        return ocspResponses.get(key);
    }
    try {
        X509Certificate issuer = GlobalConf.getCaCert("EE", cert);
        // NOTE(review): thisUpdate is placed one day in the future — presumably so the
        // response stays fresh for the whole test run; confirm against the verifier's
        // freshness check before relying on it.
        Date thisUpdate = Date.from(Instant.now().plus(1, ChronoUnit.DAYS));
        OCSPResp created = OcspTestUtils.createOCSPResponse(cert, issuer, getOcspSignerCert(), getOcspRequestKey(), CertificateStatus.GOOD, thisUpdate, null);
        // Verify (with nextUpdate checking enabled) before caching, so only a passing response is stored.
        OcspVerifier verifier = new OcspVerifier(GlobalConf.getOcspFreshnessSeconds(false), new OcspVerifierOptions(true));
        verifier.verifyValidityAndStatus(created, cert, issuer);
        ocspResponses.put(key, created);
    } catch (Exception e) {
        log.error("Error when creating OCSP response", e);
    }
    return ocspResponses.get(key);
}
Use of ee.ria.xroad.common.ocsp.OcspVerifierOptions in project X-Road by nordic-institute.
The class OcspClientTest, method queryAndUpdateCertStatus.
/**
 * Queries the OCSP status of {@code subject} through the worker and records the
 * response in {@code OCSP_RESPONSES} under the subject's certificate hash.
 *
 * @param client the worker used to fetch the OCSP response
 * @param subject the certificate whose status is queried
 * @throws Exception if the query or the hash calculation fails
 */
private void queryAndUpdateCertStatus(OcspClientWorker client, X509Certificate subject) throws Exception {
    // Options with nextUpdate verification switched on.
    OcspVerifierOptions options = new OcspVerifierOptions(true);
    String key = calculateCertHexHash(subject);
    OCSP_RESPONSES.put(key, client.queryCertStatus(subject, options));
}
Use of ee.ria.xroad.common.ocsp.OcspVerifierOptions in project X-Road by nordic-institute.
The class CertChainVerifier, method verifyOcspResponses.
/**
 * Checks that every certificate in the chain has a matching OCSP response and
 * that each response verifies (validity and status) for that certificate at
 * {@code atDate}.
 *
 * @param certs the chain certificates to check; each is resolved to its CA via global conf
 * @param ocspResponses the candidate OCSP responses to match against the certificates
 * @param result the path-validation result (not consulted by this method)
 * @param atDate the point in time the OCSP responses must be valid for
 * @throws CodedException with {@code X_CERT_VALIDATION} if a certificate has no matching response
 * @throws Exception if a response fails verification
 */
private void verifyOcspResponses(List<X509Certificate> certs, List<OCSPResp> ocspResponses, PKIXCertPathValidatorResult result, Date atDate) throws Exception {
    for (X509Certificate cert : certs) {
        X509Certificate caCert = GlobalConf.getCaCert(certChain.getInstanceIdentifier(), cert);
        OCSPResp ocsp = getOcspResponseForCert(cert, caCert, ocspResponses);
        // A missing response is a hard failure, not a skipped certificate.
        if (ocsp == null) {
            throw new CodedException(X_CERT_VALIDATION, "Unable to find OCSP response for certificate " + cert.getSubjectX500Principal().getName());
        }
        // Whether nextUpdate must be checked is controlled by the global-conf extension.
        boolean verifyNextUpdate = GlobalConfExtensions.getInstance().shouldVerifyOcspNextUpdate();
        OcspVerifier verifier = new OcspVerifier(GlobalConf.getOcspFreshnessSeconds(false), new OcspVerifierOptions(verifyNextUpdate));
        verifier.verifyValidityAndStatus(ocsp, cert, caCert, atDate);
    }
}
Use of ee.ria.xroad.common.ocsp.OcspVerifierOptions in project X-Road by nordic-institute.
The class GetAuthKeyRequestHandler, method authCertValid.
/**
 * Decides whether {@code certInfo} is an authentication certificate usable for
 * {@code securityServer}.
 * <p>
 * The certificate is accepted only when it is active, registered, within its
 * validity period, mapped by global configuration to exactly this security
 * server, and backed by an OCSP response that verifies. Any exception raised by
 * the validity or OCSP check is logged and treated as rejection (fail closed).
 *
 * @param certInfo the stored certificate together with its status and OCSP bytes
 * @param securityServer the server the authentication key is being requested for
 * @return {@code true} if the certificate passes every check, {@code false} otherwise
 * @throws Exception if reading the certificate or resolving its server id fails
 *         (these steps run outside the guarded block)
 */
private boolean authCertValid(CertificateInfo certInfo, SecurityServerId securityServer) throws Exception {
    X509Certificate cert = readCertificate(certInfo.getCertificateBytes());
    if (!certInfo.isActive()) {
        log.trace("Ignoring inactive authentication certificate {}", CertUtils.identify(cert));
        return false;
    }
    if (!isRegistered(certInfo.getStatus())) {
        log.trace("Ignoring non-registered ({}) authentication certificate {}", certInfo.getStatus(), CertUtils.identify(cert));
        return false;
    }
    SecurityServerId confServerId = GlobalConf.getServerId(cert);
    boolean belongsToServer;
    try {
        cert.checkValidity();
        belongsToServer = securityServer.equals(confServerId);
        if (belongsToServer) {
            // nextUpdate checking follows the global-conf extension setting.
            OcspVerifierOptions options = new OcspVerifierOptions(GlobalConfExtensions.getInstance().shouldVerifyOcspNextUpdate());
            verifyOcspResponse(securityServer.getXRoadInstance(), cert, certInfo.getOcspBytes(), options);
        }
    } catch (Exception e) {
        // Fail closed: an invalid certificate or a non-verifying OCSP response means "not usable".
        log.warn("Ignoring authentication certificate '{}' because: ", cert.getSubjectX500Principal().getName(), e);
        return false;
    }
    if (belongsToServer) {
        return true;
    }
    log.trace("Ignoring authentication certificate {} because it does not belong to security server {} (server id from global conf: {})", new Object[] { CertUtils.identify(cert), securityServer, confServerId });
    return false;
}