Use of io.ballerina.stdlib.http.transport.contractimpl.common.certificatevalidation.CertificateVerificationException in project module-ballerina-http by ballerina-platform.
Class RevocationVerificationTest, method testCRLPathValidationWithFakeCerts:
/**
 * CRL path validation over a deliberately bogus certificate chain. The fake chain does not carry the
 * information a real chain would, so the validator is expected to reject it with a
 * {@link CertificateVerificationException}; the test passes only if that rejection is observed.
 *
 * @throws Exception if building the fake chain fails unexpectedly
 */
@Test
public void testCRLPathValidationWithFakeCerts() throws Exception {
    // The revocation checks rely on BouncyCastle being registered as a JCA provider.
    Security.addProvider(new BouncyCastleProvider());
    X509Certificate[] chain = new Utils().getFakeCertificateChain();
    CertificateVerificationException failure = null;
    try {
        crlPathValidation(chain);
    } catch (CertificateVerificationException expected) {
        // Rejection of the fake chain is the outcome under test.
        failure = expected;
    }
    assertNotNull(failure);
}
Class RevocationVerificationTest, method testCRLPathValidation:
/**
 * CRL path validation over a genuine certificate chain. The validator fetches the CRLs from the
 * distribution-point URLs embedded in the chain, so this test needs outbound HTTP access. The chain is
 * expected to be unrevoked, and only that "not revoked" outcome is asserted: if the certificates are
 * revoked or have expired, replace them in the resources directory and update the Constants interface
 * (which records their expiry dates) so the test stays meaningful.
 *
 * @throws Exception if loading the real chain fails unexpectedly
 */
@Test
public void testCRLPathValidation() throws Exception {
    // The revocation checks rely on BouncyCastle being registered as a JCA provider.
    Security.addProvider(new BouncyCastleProvider());
    X509Certificate[] chain = new Utils().getRealCertificateChain();
    CertificateVerificationException failure = null;
    try {
        crlPathValidation(chain);
    } catch (CertificateVerificationException unexpected) {
        // A real, unrevoked chain must validate; any exception here fails the test below.
        failure = unexpected;
    }
    assertNull(failure);
}
Class RevocationVerificationTest, method testOCSPPathValidationWithFakeCerts:
/**
 * OCSP path validation over a deliberately bogus certificate chain. The fake chain does not carry the
 * information a real chain would, so the validator is expected to reject it with a
 * {@link CertificateVerificationException}; the test passes only if that rejection is observed.
 *
 * @throws Exception if building the fake chain fails unexpectedly
 */
@Test
public void testOCSPPathValidationWithFakeCerts() throws Exception {
    // The revocation checks rely on BouncyCastle being registered as a JCA provider.
    Security.addProvider(new BouncyCastleProvider());
    X509Certificate[] chain = new Utils().getFakeCertificateChain();
    CertificateVerificationException failure = null;
    try {
        ocspPathValidation(chain);
    } catch (CertificateVerificationException expected) {
        // Rejection of the fake chain is the outcome under test.
        failure = expected;
    }
    assertNotNull(failure);
}
Class OCSPResponseBuilder, method getOCSPResponse:
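/**
 * Queries the given OCSP responder URLs in order and returns the first successful response whose single
 * status entry reports {@code userCertificate} as good. That response is also stored in {@code ocspCache}.
 *
 * <p>Security note: this method checks only the transport status, the number of single responses, the
 * serial number match and the certificate status. The responder signature, the request nonce and the
 * thisUpdate/nextUpdate validity window of the response are NOT verified here. Because OCSP is
 * normally fetched over plain HTTP, an on-path attacker could otherwise substitute a "good" answer,
 * so the surrounding verifier must perform those checks before trusting the returned response.
 *
 * @param locations OCSP responder URLs, tried in order until one yields a usable response
 * @param request the OCSP request to send to each responder
 * @param userCertificate the certificate whose revocation status is being queried
 * @param ocspCache cache that receives a successful, matching response
 * @return the first usable OCSP response
 * @throws CertificateVerificationException if no responder returned a usable response
 * @throws IllegalStateException if a responder answers for a different serial number, or reports a
 *         non-good (revoked/unknown) status for the certificate
 */
public static OCSPResp getOCSPResponse(List<String> locations, OCSPReq request, X509Certificate userCertificate, OCSPCache ocspCache) throws CertificateVerificationException {
    for (String serviceUrl : locations) {
        OCSPResp response;
        SingleResp[] responses;
        try {
            response = OCSPVerifier.getOCSPResponce(serviceUrl, request);
            if (OCSPResponseStatus.SUCCESSFUL != response.getStatus()) {
                // Responder did not answer successfully (e.g. tryLater, malformedRequest); try the next URL.
                continue;
            }
            BasicOCSPResp basicResponse = (BasicOCSPResp) response.getResponseObject();
            responses = (basicResponse == null) ? null : basicResponse.getResponses();
        } catch (OCSPException | CertificateVerificationException e) {
            // Keep the cause in the log so a misbehaving responder can be diagnosed, then fall through
            // to the next URL rather than failing the whole lookup.
            LOG.debug("OCSP response failed for url{}. Hence trying the next url", serviceUrl, e);
            continue;
        }
        if (responses == null || responses.length != 1) {
            // The request asked about exactly one certificate; any other shape is not an answer we can use.
            continue;
        }
        SingleResp singleResponse = responses[0];
        // The answer must be about the certificate we asked for. Check this before looking at the
        // status so that a status belonging to some other serial is never reported as ours.
        if (!userCertificate.getSerialNumber().equals(singleResponse.getCertID().getSerialNumber())) {
            throw new IllegalStateException("Bad Serials=" + userCertificate.getSerialNumber() + " vs. " + singleResponse.getCertID().getSerialNumber());
        }
        // A null status is treated as "good" (BouncyCastle's CertificateStatus.GOOD); any non-null
        // status (revoked or unknown) is rejected rather than cached.
        CertificateStatus certificateStatus = singleResponse.getCertStatus();
        if (certificateStatus != null) {
            throw new IllegalStateException("certificate-status=" + certificateStatus);
        }
        // Only a good answer for the right serial reaches the cache.
        ocspCache.setCacheValue(response, userCertificate.getSerialNumber(), singleResponse, request, serviceUrl);
        return response;
    }
    throw new CertificateVerificationException("Could not get revocation status from OCSP.");
}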
Class OCSPVerifier, method getOCSPResponce:
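/**
 * Sends the given OCSP request to {@code serviceUrl} as an HTTP POST (the ASN.1 wire format defined in
 * RFC 2560 / RFC 6960) and returns the decoded response. Only {@code http} and {@code https} URLs are
 * accepted.
 *
 * <p>Security notes: OCSP is normally served over plain HTTP, so the bytes returned here are untrusted
 * until the caller has verified the response signature, nonce and validity window; this method does
 * none of that. The URL is usually extracted from the certificate under validation, i.e. from untrusted
 * input, so the request is bounded with connect/read timeouts to stop a stalling responder from
 * hanging the TLS handshake indefinitely. The size of the response body is not limited here.
 *
 * @param serviceUrl URL of the OCSP responder.
 * @param request the OCSP request to send.
 * @return the responder's OCSP response, decoded from its ASN.1 encoding.
 * @throws CertificateVerificationException if the URL is not http(s), the responder returns a non-2xx
 *         status, or any I/O error (including a timeout) occurs.
 */
public static OCSPResp getOCSPResponce(String serviceUrl, OCSPReq request) throws CertificateVerificationException {
    // Upper bound on how long a single responder may stall this call; revocation checks run inside
    // the TLS handshake, so an unresponsive responder must not block the connection forever.
    final int timeoutMillis = 10_000;
    try {
        byte[] encodedRequest = request.getEncoded();
        URL url = new URL(serviceUrl);
        // Check the parsed scheme rather than a string prefix, so e.g. "httpx://" is not let through.
        String protocol = url.getProtocol();
        if (!"http".equals(protocol) && !"https".equals(protocol)) {
            throw new CertificateVerificationException("Only http is supported for OCSP calls");
        }
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        connection.setConnectTimeout(timeoutMillis);
        connection.setReadTimeout(timeoutMillis);
        connection.setRequestProperty("Content-Type", "application/ocsp-request");
        connection.setRequestProperty("Accept", "application/ocsp-response");
        // Enabling output turns the request into a POST carrying the DER-encoded OCSPRequest.
        connection.setDoOutput(true);
        try (OutputStream out = connection.getOutputStream()) {
            out.write(encodedRequest);
            out.flush();
        }
        int responseCode = connection.getResponseCode();
        if (responseCode / 100 != 2) {
            throw new CertificateVerificationException("Error getting ocsp response." + "Response code is " + responseCode);
        }
        // Close the response stream once the response has been decoded so the connection is released.
        try (InputStream in = connection.getInputStream()) {
            return new OCSPResp(in);
        }
    } catch (IOException e) {
        throw new CertificateVerificationException("Cannot get OCSP Response from url: " + serviceUrl, e);
    }
}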