Example 1 with CertificateRepositoryObject
use of net.ripe.rpki.commons.crypto.CertificateRepositoryObject in project rpki-validator-3 by RIPE-NCC.
the class EncodedRpkiObject method get.
public <T extends CertificateRepositoryObject> Optional<T> get(final Class<T> clazz, final String location) {
ValidationResult temporary = ValidationResult.withLocation(location);
ValidationResult ignored = ValidationResult.withLocation(location);
CertificateRepositoryObject candidate = CertificateRepositoryObjectFactory.createCertificateRepositoryObject(encoded, // Ignore any parse errors, as all stored objects must be parsable
ignored);
temporary.rejectIfNull(candidate, "rpki.object.parsable");
if (temporary.hasFailureForCurrentLocation()) {
return Optional.empty();
}
temporary.rejectIfFalse(clazz.isInstance(candidate), "rpki.object.type.matches", clazz.getSimpleName(), candidate.getClass().getSimpleName());
if (temporary.hasFailureForCurrentLocation()) {
return Optional.empty();
}
return Optional.of(clazz.cast(candidate));
}
Also used :
CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
Example 2 with CertificateRepositoryObject
use of net.ripe.rpki.commons.crypto.CertificateRepositoryObject in project rpki-validator-3 by RIPE-NCC.
the class CertificateTreeValidationService method validateCertificateAuthority.
private List<RpkiObject> validateCertificateAuthority(TrustAnchor trustAnchor, Map<URI, RpkiRepository> registeredRepositories, CertificateRepositoryObjectValidationContext context, ValidationResult validationResult) {
final List<RpkiObject> validatedObjects = new ArrayList<>();
ValidationLocation certificateLocation = validationResult.getCurrentLocation();
ValidationResult temporary = ValidationResult.withLocation(certificateLocation);
try {
RpkiRepository rpkiRepository = registerRepository(trustAnchor, registeredRepositories, context);
temporary.warnIfTrue(rpkiRepository.isPending(), VALIDATOR_RPKI_REPOSITORY_PENDING, rpkiRepository.getLocationUri());
if (rpkiRepository.isPending()) {
return validatedObjects;
}
X509ResourceCertificate certificate = context.getCertificate();
URI manifestUri = certificate.getManifestUri();
temporary.setLocation(new ValidationLocation(manifestUri));
Optional<RpkiObject> manifestObject = rpkiObjects.findLatestByTypeAndAuthorityKeyIdentifier(RpkiObject.Type.MFT, context.getSubjectKeyIdentifier());
if (!manifestObject.isPresent()) {
if (rpkiRepository.getStatus() == RpkiRepository.Status.FAILED) {
temporary.error(ValidationString.VALIDATOR_NO_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
} else {
temporary.error(ValidationString.VALIDATOR_NO_LOCAL_MANIFEST_NO_MANIFEST_IN_REPOSITORY, rpkiRepository.getLocationUri());
}
}
Optional<ManifestCms> maybeManifest = manifestObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), ManifestCms.class, temporary));
temporary.rejectIfTrue(manifestObject.isPresent() && rpkiRepository.getStatus() == RpkiRepository.Status.FAILED && maybeManifest.isPresent() && maybeManifest.get().isPastValidityTime(), ValidationString.VALIDATOR_OLD_LOCAL_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
ManifestCms manifest = maybeManifest.get();
List<Map.Entry<String, byte[]>> crlEntries = manifest.getFiles().entrySet().stream().filter((entry) -> RepositoryObjectType.parse(entry.getKey()) == RepositoryObjectType.Crl).collect(toList());
temporary.rejectIfFalse(crlEntries.size() == 1, VALIDATOR_MANIFEST_CONTAINS_ONE_CRL_ENTRY, String.valueOf(crlEntries.size()));
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
Map.Entry<String, byte[]> crlEntry = crlEntries.get(0);
URI crlUri = manifestUri.resolve(crlEntry.getKey());
Optional<RpkiObject> crlObject = rpkiObjects.findBySha256(crlEntry.getValue());
temporary.rejectIfFalse(crlObject.isPresent(), VALIDATOR_CRL_FOUND, crlUri.toASCIIString());
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
temporary.setLocation(new ValidationLocation(crlUri));
Optional<X509Crl> crl = crlObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), X509Crl.class, temporary));
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
crl.get().validate(crlUri.toASCIIString(), context, null, VALIDATION_OPTIONS, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
temporary.setLocation(new ValidationLocation(manifestUri));
manifest.validate(manifestUri.toASCIIString(), context, crl.get(), manifest.getCrlUri(), VALIDATION_OPTIONS, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
validatedObjects.add(manifestObject.get());
Map<URI, RpkiObject> manifestEntries = retrieveManifestEntries(manifest, manifestUri, temporary);
manifestEntries.forEach((location, obj) -> {
temporary.setLocation(new ValidationLocation(location));
Optional<CertificateRepositoryObject> maybeCertificateRepositoryObject = rpkiObjects.findCertificateRepositoryObject(obj.getId(), CertificateRepositoryObject.class, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return;
}
maybeCertificateRepositoryObject.ifPresent(certificateRepositoryObject -> {
certificateRepositoryObject.validate(location.toASCIIString(), context, crl.get(), crlUri, VALIDATION_OPTIONS, temporary);
if (!temporary.hasFailureForCurrentLocation()) {
validatedObjects.add(obj);
}
if (certificateRepositoryObject instanceof X509ResourceCertificate && ((X509ResourceCertificate) certificateRepositoryObject).isCa() && !temporary.hasFailureForCurrentLocation()) {
CertificateRepositoryObjectValidationContext childContext = context.createChildContext(location, (X509ResourceCertificate) certificateRepositoryObject);
validatedObjects.addAll(validateCertificateAuthority(trustAnchor, registeredRepositories, childContext, temporary));
}
});
});
} catch (Exception e) {
log.debug("e", e);
validationResult.error(ErrorCodes.UNHANDLED_EXCEPTION, e.toString(), ExceptionUtils.getStackTrace(e));
} finally {
validationResult.addAll(temporary);
}
return validatedObjects;
}
Also used :
RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository)
ValidationRuns(net.ripe.rpki.validator3.domain.ValidationRuns)
Arrays(java.util.Arrays)
CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject)
Autowired(org.springframework.beans.factory.annotation.Autowired)
FlushModeType(javax.persistence.FlushModeType)
HashMap(java.util.HashMap)
ErrorCodes(net.ripe.rpki.validator3.domain.ErrorCodes)
ArrayList(java.util.ArrayList)
ValidationOptions(net.ripe.rpki.commons.validation.ValidationOptions)
LinkedHashMap(java.util.LinkedHashMap)
RpkiRepositories(net.ripe.rpki.validator3.domain.RpkiRepositories)
CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext)
X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)
RpkiObjects(net.ripe.rpki.validator3.domain.RpkiObjects)
Service(org.springframework.stereotype.Service)
Map(java.util.Map)
URI(java.net.URI)
Objects(com.google.common.base.Objects)
CertificateTreeValidationRun(net.ripe.rpki.validator3.domain.CertificateTreeValidationRun)
TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor)
ValidationStatus(net.ripe.rpki.commons.validation.ValidationStatus)
ValidatedRpkiObjects(net.ripe.rpki.validator3.domain.ValidatedRpkiObjects)
Transactional(javax.transaction.Transactional)
TrustAnchors(net.ripe.rpki.validator3.domain.TrustAnchors)
RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject)
EntityManager(javax.persistence.EntityManager)
X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl)
RepositoryObjectType(net.ripe.rpki.commons.util.RepositoryObjectType)
ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation)
Slf4j(lombok.extern.slf4j.Slf4j)
List(java.util.List)
Collectors.toList(java.util.stream.Collectors.toList)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
Optional(java.util.Optional)
Settings(net.ripe.rpki.validator3.domain.Settings)
ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms)
ValidationString(net.ripe.rpki.commons.validation.ValidationString)
ExceptionUtils(org.apache.commons.lang3.exception.ExceptionUtils)
X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl)
CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext)
RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository)
ArrayList(java.util.ArrayList)
ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation)
ValidationString(net.ripe.rpki.commons.validation.ValidationString)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
URI(java.net.URI)
RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject)
ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms)
CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject)
X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)
HashMap(java.util.HashMap)
LinkedHashMap(java.util.LinkedHashMap)
Map(java.util.Map)
Example 3 with CertificateRepositoryObject
use of net.ripe.rpki.commons.crypto.CertificateRepositoryObject in project rpki-validator-3 by RIPE-NCC.
the class TrustAnchorValidationService method parseCertificate.
private X509ResourceCertificate parseCertificate(TrustAnchor trustAnchor, File certificateFile, ValidationResult validationResult) throws IOException {
CertificateRepositoryObject trustAnchorCertificate = CertificateRepositoryObjectFactory.createCertificateRepositoryObject(Files.toByteArray(certificateFile), validationResult);
validationResult.rejectIfFalse(trustAnchorCertificate instanceof X509ResourceCertificate, ErrorCodes.REPOSITORY_OBJECT_IS_TRUST_ANCHOR_CERTIFICATE, trustAnchor.getRsyncPrefetchUri());
if (validationResult.hasFailureForCurrentLocation()) {
return null;
}
X509ResourceCertificate certificate = (X509ResourceCertificate) trustAnchorCertificate;
String encodedSubjectPublicKeyInfo = X509CertificateUtil.getEncodedSubjectPublicKeyInfo(certificate.getCertificate());
validationResult.rejectIfFalse(encodedSubjectPublicKeyInfo.equals(trustAnchor.getSubjectPublicKeyInfo()), "trust.anchor.subject.key.matches.locator");
boolean signatureValid;
try {
certificate.getCertificate().verify(certificate.getPublicKey());
signatureValid = true;
} catch (GeneralSecurityException e) {
signatureValid = false;
}
validationResult.rejectIfFalse(signatureValid, ErrorCodes.TRUST_ANCHOR_SIGNATURE, trustAnchor.getRsyncPrefetchUri(), trustAnchor.getSubjectPublicKeyInfo());
return certificate;
}
Also used :
GeneralSecurityException(java.security.GeneralSecurityException)
CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject)
X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)
Example 4 with CertificateRepositoryObject
use of net.ripe.rpki.commons.crypto.CertificateRepositoryObject in project rpki-validator-3 by RIPE-NCC.
the class RrdpService method createRpkiObject.
private Either<ValidationResult, RpkiObject> createRpkiObject(final String uri, final byte[] content) {
ValidationResult validationResult = ValidationResult.withLocation(uri);
CertificateRepositoryObject repositoryObject = CertificateRepositoryObjectFactory.createCertificateRepositoryObject(content, validationResult);
if (validationResult.hasFailures()) {
return Either.left(validationResult);
} else {
return Either.right(new RpkiObject(uri, repositoryObject));
}
}
Also used :
RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject)
CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
Aggregations
CertificateRepositoryObject (net.ripe.rpki.commons.crypto.CertificateRepositoryObject)4
ValidationResult (net.ripe.rpki.commons.validation.ValidationResult)3
X509ResourceCertificate (net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)2
RpkiObject (net.ripe.rpki.validator3.domain.RpkiObject)2
Objects (com.google.common.base.Objects)1
URI (java.net.URI)1
GeneralSecurityException (java.security.GeneralSecurityException)1
ArrayList (java.util.ArrayList)1
Arrays (java.util.Arrays)1
HashMap (java.util.HashMap)1
LinkedHashMap (java.util.LinkedHashMap)1
List (java.util.List)1
Map (java.util.Map)1
Optional (java.util.Optional)1
Collectors.toList (java.util.stream.Collectors.toList)1
EntityManager (javax.persistence.EntityManager)1
FlushModeType (javax.persistence.FlushModeType)1
Transactional (javax.transaction.Transactional)1
Slf4j (lombok.extern.slf4j.Slf4j)1
ManifestCms (net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms)1
