
Example 46 with CertificateExpiredException

use of java.security.cert.CertificateExpiredException in project oxAuth by GluuFederation.

The class GenericCertificateVerifier, method validate.

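@Override
/**
 * Checks only the time validity of {@code certificate} at {@code validationDate}.
 *
 * <p>The returned status starts as {@code CertificateValidity.UNKNOWN} and is set to
 * {@code VALID} only when {@link X509Certificate#checkValidity(Date)} passes. An expired
 * or not-yet-valid certificate is logged and the status is returned still marked
 * {@code UNKNOWN} — callers must not treat {@code UNKNOWN} as "not invalid". No
 * signature, chain or revocation check is performed here.
 *
 * @param certificate    the certificate whose validity period is checked
 * @param issuers        issuer chain; only the first element is recorded in the status
 *                       (an empty list fails fast with {@code IndexOutOfBoundsException})
 * @param validationDate the instant the validity period is evaluated against
 * @return the validation status for {@code certificate}, never {@code null}
 */
public ValidationStatus validate(X509Certificate certificate, List<X509Certificate> issuers, Date validationDate) {
    X509Certificate issuer = issuers.get(0);
    ValidationStatus status = new ValidationStatus(certificate, issuer, validationDate, ValidatorSourceType.APP, CertificateValidity.UNKNOWN);
    try {
        Principal subjectX500Principal = certificate.getSubjectX500Principal();
        try {
            certificate.checkValidity(validationDate);
            status.setValidity(CertificateValidity.VALID);
            // Logged only after checkValidity succeeded, so the message matches the outcome.
            log.debug("Validity status is valid for '" + subjectX500Principal + "'");
        } catch (CertificateExpiredException ex) {
            // Status stays UNKNOWN: this verifier does not downgrade it on expiry.
            log.debug("Validity status is expired for '" + subjectX500Principal + "'");
        } catch (CertificateNotYetValidException ex) {
            // Status stays UNKNOWN here as well.
            log.warn("Validity status is not yet valid for '" + subjectX500Principal + "'");
        }
    } catch (Exception ex) {
        // Best-effort: any unexpected failure leaves the status UNKNOWN rather than
        // propagating, matching the other checks above.
        log.error("Certificate validity check failed: ", ex);
    }
    return status;
}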

Example 47 with CertificateExpiredException

use of java.security.cert.CertificateExpiredException in project cloudstack by apache.

The class RootCACustomTrustManager, method checkClientTrusted.

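@Override
/**
 * Validates the client's leaf certificate against the local policy: revocation (CRL
 * lookup by serial), validity period and ownership (a subjectAltName equal to
 * {@code clientAddress}).
 *
 * <p>Enforcement depends on the configured flags:
 * <ul>
 *   <li>revocation and ownership failures are collected and thrown only when
 *       {@code authStrictness} is set; otherwise they are logged and the connection
 *       is accepted;</li>
 *   <li>an expired or not-yet-valid certificate is rejected whenever
 *       {@code allowExpiredCertificate} is false, regardless of strictness;</li>
 *   <li>a missing certificate is rejected in strict mode and accepted otherwise.</li>
 * </ul>
 * On success the certificate is recorded in {@code activeCertMap} under the client
 * address. Chain/signature verification is not done here; it is assumed to happen in
 * the surrounding TLS handshake.
 *
 * @param certificates peer certificate chain as handed over by the TLS engine; only
 *                     element 0 is inspected
 * @param s            key exchange algorithm (used only for debug printing)
 * @throws CertificateException when the certificate fails a check that the current
 *                              policy enforces, or cannot be parsed
 */
public void checkClientTrusted(final X509Certificate[] certificates, final String s) throws CertificateException {
    if (LOG.isDebugEnabled()) {
        printCertificateChain(certificates, s);
    }
    final X509Certificate primaryClientCertificate = (certificates != null && certificates.length > 0 && certificates[0] != null) ? certificates[0] : null;
    if (primaryClientCertificate == null) {
        if (authStrictness) {
            throw new CertificateException("In strict auth mode, certificate(s) are expected from client:" + clientAddress);
        }
        LOG.info("No certificate was received from client, but continuing since strict auth mode is disabled");
        return;
    }
    // Failures that are only enforced in strict mode are accumulated here.
    String exceptionMsg = "";
    // Revocation check: a missing serial is treated as revoked.
    final BigInteger serialNumber = primaryClientCertificate.getSerialNumber();
    if (serialNumber == null || crlDao.findBySerial(serialNumber) != null) {
        final String errorMsg = String.format("Client is using revoked certificate of serial=%x, subject=%s from address=%s", serialNumber, primaryClientCertificate.getSubjectX500Principal(), clientAddress);
        LOG.error(errorMsg);
        exceptionMsg = appendFailure(exceptionMsg, errorMsg);
    }
    // Validity check: enforced by allowExpiredCertificate, independent of authStrictness.
    try {
        primaryClientCertificate.checkValidity();
    } catch (final CertificateExpiredException | CertificateNotYetValidException e) {
        // The two failure modes are reported distinctly so operators can tell a clock
        // skew (not yet valid) from a genuinely stale certificate.
        final String reason = (e instanceof CertificateExpiredException) ? "has expired" : "is not yet valid";
        final String errorMsg = String.format("Client certificate %s with serial=%x, subject=%s from address=%s", reason, serialNumber, primaryClientCertificate.getSubjectX500Principal(), clientAddress);
        LOG.error(errorMsg);
        if (!allowExpiredCertificate) {
            throw new CertificateException(errorMsg, e);
        }
    }
    // Ownership check
    if (!hasSubjectAlternativeName(primaryClientCertificate, clientAddress)) {
        final String errorMsg = "Certificate ownership verification failed for client: " + clientAddress;
        LOG.error(errorMsg);
        exceptionMsg = appendFailure(exceptionMsg, errorMsg);
    }
    if (authStrictness && !exceptionMsg.isEmpty()) {
        throw new CertificateException(exceptionMsg);
    }
    if (LOG.isDebugEnabled()) {
        if (authStrictness) {
            LOG.debug("Client/agent connection from ip=" + clientAddress + " has been validated and trusted.");
        } else {
            LOG.debug("Client/agent connection from ip=" + clientAddress + " accepted; strict auth mode is disabled so validation failures were only logged.");
        }
    }
    if (activeCertMap != null && StringUtils.isNotEmpty(clientAddress)) {
        activeCertMap.put(clientAddress, primaryClientCertificate);
    }
}

/** Joins a new failure message onto the accumulated one, separated by ". ". */
private static String appendFailure(final String accumulated, final String errorMsg) {
    return accumulated.isEmpty() ? errorMsg : accumulated + ". " + errorMsg;
}

/**
 * Returns whether any subjectAltName entry of {@code certificate} has a String value
 * equal to {@code expected}.
 *
 * <p>Only the value (index 1) is compared; the GeneralName type at index 0 is not
 * checked, so any String-typed SAN (dNSName, iPAddress, rfc822Name, ...) that equals
 * the address is accepted. Tightening this to iPAddress/dNSName would require
 * confirming what SAN types the issuing CA writes.
 *
 * @throws CertificateException if the SAN extension cannot be parsed
 */
private static boolean hasSubjectAlternativeName(final X509Certificate certificate, final String expected) throws CertificateException {
    // Parsed once; the original code parsed the extension twice.
    final Iterable<List<?>> subjectAlternativeNames = certificate.getSubjectAlternativeNames();
    if (subjectAlternativeNames == null) {
        return false;
    }
    for (final List<?> entry : subjectAlternativeNames) {
        if (entry != null && entry.size() == 2 && entry.get(1) instanceof String && expected.equals(entry.get(1))) {
            return true;
        }
    }
    return false;
}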
