
Example 61 with CertificateParsingException

use of java.security.cert.CertificateParsingException in project Spark by igniterealtime.

the class CertificateModel method extensionExtractHandler.

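/**
 * Extracts one X.509 extension from {@code cert} and stores a human-readable
 * rendering of it in {@code extensions}, keyed by the extension OID.
 *
 * <p>Only the extensions handled in the dispatch below are rendered. Any other
 * OID, and any extension whose value is absent or cannot be parsed, is handed to
 * {@link #addToUnsupported(boolean, String)} together with its criticality so the
 * caller can still surface unrecognised <em>critical</em> extensions.
 *
 * <p>The extension bytes come from a certificate that may have been supplied by
 * a remote peer, so a parse failure is treated as a data error: it is logged and
 * reported as unsupported rather than allowed to propagate into the UI.
 *
 * @param cert     certificate whose extension is rendered
 * @param oid      dotted-decimal OID of the extension to render
 * @param critical whether the certificate marks this extension as critical
 */
private void extensionExtractHandler(X509Certificate cert, String oid, boolean critical) {
    // getExtensionValue() returns null when the certificate does not carry the
    // extension; check for that explicitly instead of relying on the
    // NullPointerException the BouncyCastle parser would throw.
    byte[] encoded = cert.getExtensionValue(oid);
    if (encoded == null) {
        Log.warning("Extension " + oid + " (" + OIDTranslator.getDescription(oid) + ") is not present in the certificate.");
        addToUnsupported(critical, oid);
        return;
    }
    try {
        ASN1Primitive primitive = JcaX509ExtensionUtils.parseExtensionValue(encoded);
        String value = Res.getString("cert.is.critical") + critical + "\n";
        boolean isSupported = true;
        if (oid.equals(Extension.subjectDirectoryAttributes.toString())) {
            value += subjectDirectoryAttributesExtractor(primitive);
        } else if (oid.equals(Extension.subjectKeyIdentifier.toString())) {
            value += subjectKeyIdentifierExtractor(primitive);
        } else if (oid.equals(Extension.keyUsage.toString())) {
            value += keyUsageExtractor(cert);
        } else if (oid.equals(Extension.subjectAlternativeName.toString())) {
            value += alternativeNameExtractor(cert.getSubjectAlternativeNames());
        } else if (oid.equals(Extension.issuerAlternativeName.toString())) {
            value += alternativeNameExtractor(cert.getIssuerAlternativeNames());
        } else if (oid.equals(Extension.basicConstraints.toString())) {
            value += basicConstraintsExtractor(primitive);
        } else if (oid.equals(Extension.nameConstraints.toString())) {
            value += NameConstraintsExtractor(primitive);
        } else if (oid.equals(Extension.cRLDistributionPoints.toString())) {
            value += CRLPointsExtractor(primitive);
        } else if (oid.equals(Extension.policyMappings.toString())) {
            value += policyMappingsExtractor(cert);
        } else if (oid.equals(Extension.authorityKeyIdentifier.toString())) {
            value += authorityKeyIdentifierExtractor(primitive);
        } else if (oid.equals(Extension.policyConstraints.toString())) {
            value += policyConstraintsExtractor(primitive);
        } else if (oid.equals(Extension.extendedKeyUsage.toString())) {
            value += extendedKeyUsageExtractor(cert);
        } else {
            // Unknown OID: record it (with criticality) rather than silently dropping it.
            addToUnsupported(critical, oid);
            isSupported = false;
        }
        if (isSupported) {
            extensions.put(oid, value);
        }
    } catch (IOException | CertificateParsingException | RuntimeException e) {
        // IOException / CertificateParsingException: malformed DER in the extension.
        // RuntimeException additionally covers the ClassCastException and
        // IllegalArgumentException the ASN.1 layer can raise on a malformed
        // OCTET STRING, and any NPE from the per-extension extractors — this is the
        // boundary between untrusted certificate data and the UI, so fail soft here.
        Log.error("Couldn't extract " + oid + ": " + OIDTranslator.getDescription(oid) + " extension.", e);
        addToUnsupported(critical, oid);
    }
}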

Example 62 with CertificateParsingException

use of java.security.cert.CertificateParsingException in project Bytecoder by mirkosertic.

the class ClientHandshaker method isIdentityEquivalent.

/*
 * Decide whether two certificates may stand for the same peer identity.
 *
 * The tests run in order; the first one that can be decided wins:
 *   1. identical iPAddress subjectAltName entries, when both certificates carry them;
 *   2. identical dNSName subjectAltName entries, when both certificates carry them;
 *   3. identical subject AND issuer DNs, when both subjects are non-empty.
 *
 * A subjectAltName extension that cannot be parsed on either side is reported on
 * stdout when handshake debugging is on, and the SAN comparison is skipped.
 *
 * NOTE(review): this compares identity fields only. It does not establish trust
 * in thisCert, which must still go through the normal chain validation.
 */
private static boolean isIdentityEquivalent(X509Certificate thisCert, X509Certificate prevCert) {
    if (thisCert.equals(prevCert)) {
        return true;
    }

    Collection<List<?>> currentSans = subjectAltNamesOrNull(thisCert);
    Collection<List<?>> previousSans = subjectAltNamesOrNull(prevCert);

    if (currentSans != null && previousSans != null) {
        // iPAddress entries first ...
        Collection<String> currentIps = getSubjectAltNames(currentSans, ALTNAME_IP);
        Collection<String> previousIps = getSubjectAltNames(previousSans, ALTNAME_IP);
        if (currentIps != null && previousIps != null && isEquivalent(currentIps, previousIps)) {
            return true;
        }
        // ... then dNSName entries.
        Collection<String> currentDns = getSubjectAltNames(currentSans, ALTNAME_DNS);
        Collection<String> previousDns = getSubjectAltNames(previousSans, ALTNAME_DNS);
        if (currentDns != null && previousDns != null && isEquivalent(currentDns, previousDns)) {
            return true;
        }
    }

    // Last resort: compare subject and issuer distinguished names. Empty subjects
    // are never considered a match.
    X500Principal currentSubject = thisCert.getSubjectX500Principal();
    X500Principal previousSubject = prevCert.getSubjectX500Principal();
    boolean bothSubjectsPresent =
            !currentSubject.getName().isEmpty() && !previousSubject.getName().isEmpty();
    return bothSubjectsPresent
            && currentSubject.equals(previousSubject)
            && thisCert.getIssuerX500Principal().equals(prevCert.getIssuerX500Principal());
}

/*
 * Returns the certificate's subjectAltName entries, or null when the extension is
 * absent or cannot be parsed (the failure is reported under handshake debugging).
 */
private static Collection<List<?>> subjectAltNamesOrNull(X509Certificate cert) {
    try {
        return cert.getSubjectAlternativeNames();
    } catch (CertificateParsingException cpe) {
        if (debug != null && Debug.isOn("handshake")) {
            System.out.println("Attempt to obtain subjectAltNames extension failed!");
        }
        return null;
    }
}

Example 63 with CertificateParsingException

use of java.security.cert.CertificateParsingException in project ddf by codice.

the class SignerConditionTest method testIsSatisfiedBrokenSan.

@Test
public void testIsSatisfiedBrokenSan() throws CertificateException {
    // A trusted signer certificate whose subjectAltName extension throws on parsing
    // must not break condition evaluation. The match presumably comes from the
    // subject DN's CN=test, which is also the argument given to the ConditionInfo.
    final X509Certificate signer = mock(X509Certificate.class);
    when(signer.getSubjectX500Principal())
            .thenReturn(new X500Principal("CN=test, OU=Dev, O=DDF, ST=AZ, C=US"));
    when(signer.getSubjectAlternativeNames())
            .thenThrow(new CertificateParsingException("boom"));

    final Map<X509Certificate, List<X509Certificate>> trustedSigners = new HashMap<>();
    trustedSigners.put(signer, new ArrayList<>());

    final Bundle bundle = mock(Bundle.class);
    when(bundle.getSignerCertificates(Bundle.SIGNERS_TRUSTED)).thenReturn(trustedSigners);

    final ConditionInfo info =
            new ConditionInfo(SignerCondition.class.getName(), new String[] { "test" });
    final SignerCondition condition = new SignerCondition(bundle, info);

    assertThat(condition.isSatisfied(), is(true));
}

Example 64 with CertificateParsingException

use of java.security.cert.CertificateParsingException in project cas by apereo.

the class X509SubjectAlternativeNameRFC822EmailPrincipalResolver method resolvePrincipalInternal.

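/**
 * Resolves the principal id from the certificate's subjectAltName rfc822Name
 * (e-mail) entries.
 *
 * <p>When no rfc822Name entry is present, or the subjectAltName extension cannot
 * be parsed, resolution falls back to {@link #getAlternatePrincipal(X509Certificate)}.
 * NOTE(review): a parse failure is logged but does not fail closed — confirm that
 * the alternate resolver is an acceptable identity source for a certificate whose
 * SAN extension is malformed.
 *
 * @param certificate the client certificate to resolve
 * @return the first rfc822Name e-mail address found, otherwise the alternate principal
 */
@Override
protected String resolvePrincipalInternal(final X509Certificate certificate) {
    // Log text corrected: the SAN type is RFC 822 (rfc822Name), not "RFC8222".
    LOGGER.debug("Resolving principal from Subject Alternative Name RFC822 type (email) for [{}]", certificate);
    try {
        val subjectAltNames = certificate.getSubjectAlternativeNames();
        val email = X509ExtractorUtils.getRFC822EmailAddress(subjectAltNames);
        if (email.isPresent()) {
            return email.get();
        }
    } catch (final CertificateParsingException e) {
        // Malformed SAN extension: record it and fall through to the alternate resolver.
        LoggingUtils.error(LOGGER, e);
    }
    return getAlternatePrincipal(certificate);
}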

Example 65 with CertificateParsingException

use of java.security.cert.CertificateParsingException in project jmeter by apache.

the class JmeterKeyStore method logDetailsOnKeystore.

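/**
 * Writes a debug-level summary of every certificate in {@code keystore}: alias,
 * subject and issuer DN, validity window, subjectAltName entries and extended key
 * usage. Only public certificate fields are read; no key material is touched or
 * logged.
 *
 * <p>A failure on one entry (keystore access, SAN or EKU parsing, an alias that
 * holds no X.509 certificate) is logged at debug level and the remaining aliases
 * are still listed; this method does not throw for a broken entry.
 *
 * @param keystore the loaded key store to describe
 */
@SuppressWarnings("JdkObsolete")
private void logDetailsOnKeystore(KeyStore keystore) {
    if (!log.isDebugEnabled()) {
        return; // everything below is debug-only output
    }
    Enumeration<String> aliases;
    try {
        aliases = keystore.aliases();
    } catch (KeyStoreException e) {
        log.debug("Problem reading the aliases from the store {}", keystore, e);
        return;
    }
    int index = 1;
    while (aliases.hasMoreElements()) {
        String alias = aliases.nextElement();
        log.debug("Certificate at index {} with alias {}", index++, alias);
        java.security.cert.Certificate entry;
        try {
            entry = keystore.getCertificate(alias);
        } catch (KeyStoreException e) {
            log.debug("Can't read certificate for alias {}", alias, e);
            continue;
        }
        // getCertificate() returns null for an alias without a certificate (e.g. a
        // secret-key entry), and a non-X.509 certificate cannot be cast below; either
        // case would previously have thrown and aborted the whole listing.
        if (!(entry instanceof X509Certificate)) {
            log.debug("Alias {} holds no X.509 certificate ({})", alias,
                    entry == null ? "no certificate entry" : entry.getType());
            continue;
        }
        X509Certificate cert = (X509Certificate) entry;
        log.debug("Subject DN: {}", cert.getSubjectX500Principal());
        log.debug("Issuer DN: {}", cert.getIssuerX500Principal());
        log.debug("Not valid before: {}", cert.getNotBefore().toInstant());
        log.debug("Not valid after: {}", cert.getNotAfter().toInstant());
        try {
            final Collection<List<?>> subjectAlternativeNames = cert.getSubjectAlternativeNames();
            if (!(subjectAlternativeNames == null || subjectAlternativeNames.isEmpty())) {
                log.debug("SAN: {}", decodeSanList(subjectAlternativeNames));
            }
        } catch (CertificateParsingException e) {
            log.debug("Problem parsing SAN for alias {}", alias, e);
        }
        try {
            List<String> extendedKeyUsage = cert.getExtendedKeyUsage();
            if (extendedKeyUsage != null) {
                for (String keyUsage : extendedKeyUsage) {
                    // Print the friendly name when known, always followed by the raw OID.
                    log.debug("EKU: {} ({})", EXTENDED_KEY_USAGES.getOrDefault(keyUsage, keyUsage), keyUsage);
                }
            }
        } catch (CertificateParsingException e) {
            log.debug("Can't get EKU for alias {}", alias, e);
        }
    }
}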
