use of net.ripe.rpki.commons.validation.ValidationLocation in project rpki-validator-3 by RIPE-NCC.
the class ValidationRun method completeWith.
public void completeWith(ValidationResult validationResult) {
for (ValidationLocation location : validationResult.getValidatedLocations()) {
for (net.ripe.rpki.commons.validation.ValidationCheck check : validationResult.getAllValidationChecksForLocation(location)) {
if (check.getStatus() != ValidationStatus.PASSED) {
ValidationCheck validationCheck = new ValidationCheck(this, location.getName(), check);
addCheck(validationCheck);
}
}
}
if (!isFailed()) {
setSucceeded();
}
}
use of net.ripe.rpki.commons.validation.ValidationLocation in project rpki-validator-3 by RIPE-NCC.
the class CertificateTreeValidationService method retrieveManifestEntries.
private Map<URI, RpkiObject> retrieveManifestEntries(ManifestCms manifest, URI manifestUri, ValidationResult validationResult) {
Map<URI, RpkiObject> result = new LinkedHashMap<>();
for (Map.Entry<String, byte[]> entry : manifest.getFiles().entrySet()) {
URI location = manifestUri.resolve(entry.getKey());
validationResult.setLocation(new ValidationLocation(location));
Optional<RpkiObject> object = rpkiObjects.findBySha256(entry.getValue());
validationResult.rejectIfFalse(object.isPresent(), VALIDATOR_MANIFEST_ENTRY_FOUND, manifestUri.toASCIIString());
object.ifPresent(obj -> {
boolean hashMatches = Arrays.equals(obj.getSha256(), entry.getValue());
validationResult.rejectIfFalse(hashMatches, VALIDATOR_MANIFEST_ENTRY_HASH_MATCHES, entry.getKey());
if (!hashMatches) {
return;
}
result.put(location, obj);
});
}
return result;
}
use of net.ripe.rpki.commons.validation.ValidationLocation in project rpki-validator-3 by RIPE-NCC.
the class CertificateTreeValidationService method validateCertificateAuthority.
private List<RpkiObject> validateCertificateAuthority(TrustAnchor trustAnchor, Map<URI, RpkiRepository> registeredRepositories, CertificateRepositoryObjectValidationContext context, ValidationResult validationResult) {
final List<RpkiObject> validatedObjects = new ArrayList<>();
ValidationLocation certificateLocation = validationResult.getCurrentLocation();
ValidationResult temporary = ValidationResult.withLocation(certificateLocation);
try {
RpkiRepository rpkiRepository = registerRepository(trustAnchor, registeredRepositories, context);
temporary.warnIfTrue(rpkiRepository.isPending(), VALIDATOR_RPKI_REPOSITORY_PENDING, rpkiRepository.getLocationUri());
if (rpkiRepository.isPending()) {
return validatedObjects;
}
X509ResourceCertificate certificate = context.getCertificate();
URI manifestUri = certificate.getManifestUri();
temporary.setLocation(new ValidationLocation(manifestUri));
Optional<RpkiObject> manifestObject = rpkiObjects.findLatestByTypeAndAuthorityKeyIdentifier(RpkiObject.Type.MFT, context.getSubjectKeyIdentifier());
if (!manifestObject.isPresent()) {
if (rpkiRepository.getStatus() == RpkiRepository.Status.FAILED) {
temporary.error(ValidationString.VALIDATOR_NO_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
} else {
temporary.error(ValidationString.VALIDATOR_NO_LOCAL_MANIFEST_NO_MANIFEST_IN_REPOSITORY, rpkiRepository.getLocationUri());
}
}
Optional<ManifestCms> maybeManifest = manifestObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), ManifestCms.class, temporary));
temporary.rejectIfTrue(manifestObject.isPresent() && rpkiRepository.getStatus() == RpkiRepository.Status.FAILED && maybeManifest.isPresent() && maybeManifest.get().isPastValidityTime(), ValidationString.VALIDATOR_OLD_LOCAL_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
ManifestCms manifest = maybeManifest.get();
List<Map.Entry<String, byte[]>> crlEntries = manifest.getFiles().entrySet().stream().filter((entry) -> RepositoryObjectType.parse(entry.getKey()) == RepositoryObjectType.Crl).collect(toList());
temporary.rejectIfFalse(crlEntries.size() == 1, VALIDATOR_MANIFEST_CONTAINS_ONE_CRL_ENTRY, String.valueOf(crlEntries.size()));
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
Map.Entry<String, byte[]> crlEntry = crlEntries.get(0);
URI crlUri = manifestUri.resolve(crlEntry.getKey());
Optional<RpkiObject> crlObject = rpkiObjects.findBySha256(crlEntry.getValue());
temporary.rejectIfFalse(crlObject.isPresent(), VALIDATOR_CRL_FOUND, crlUri.toASCIIString());
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
temporary.setLocation(new ValidationLocation(crlUri));
Optional<X509Crl> crl = crlObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), X509Crl.class, temporary));
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
crl.get().validate(crlUri.toASCIIString(), context, null, VALIDATION_OPTIONS, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
temporary.setLocation(new ValidationLocation(manifestUri));
manifest.validate(manifestUri.toASCIIString(), context, crl.get(), manifest.getCrlUri(), VALIDATION_OPTIONS, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
validatedObjects.add(manifestObject.get());
Map<URI, RpkiObject> manifestEntries = retrieveManifestEntries(manifest, manifestUri, temporary);
manifestEntries.forEach((location, obj) -> {
temporary.setLocation(new ValidationLocation(location));
Optional<CertificateRepositoryObject> maybeCertificateRepositoryObject = rpkiObjects.findCertificateRepositoryObject(obj.getId(), CertificateRepositoryObject.class, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return;
}
maybeCertificateRepositoryObject.ifPresent(certificateRepositoryObject -> {
certificateRepositoryObject.validate(location.toASCIIString(), context, crl.get(), crlUri, VALIDATION_OPTIONS, temporary);
if (!temporary.hasFailureForCurrentLocation()) {
validatedObjects.add(obj);
}
if (certificateRepositoryObject instanceof X509ResourceCertificate && ((X509ResourceCertificate) certificateRepositoryObject).isCa() && !temporary.hasFailureForCurrentLocation()) {
CertificateRepositoryObjectValidationContext childContext = context.createChildContext(location, (X509ResourceCertificate) certificateRepositoryObject);
validatedObjects.addAll(validateCertificateAuthority(trustAnchor, registeredRepositories, childContext, temporary));
}
});
});
} catch (Exception e) {
log.debug("e", e);
validationResult.error(ErrorCodes.UNHANDLED_EXCEPTION, e.toString(), ExceptionUtils.getStackTrace(e));
} finally {
validationResult.addAll(temporary);
}
return validatedObjects;
}
Aggregations