Example 1 with ValidationResult
use of net.ripe.rpki.commons.validation.ValidationResult in project rpki-validator-3 by RIPE-NCC.
the class CertificateTreeValidationService method validate.
@Transactional(Transactional.TxType.REQUIRED)
public void validate(long trustAnchorId) {
Map<URI, RpkiRepository> registeredRepositories = new HashMap<>();
entityManager.setFlushMode(FlushModeType.COMMIT);
TrustAnchor trustAnchor = trustAnchors.get(trustAnchorId);
log.info("starting tree validation for {}", trustAnchor);
CertificateTreeValidationRun validationRun = new CertificateTreeValidationRun(trustAnchor);
validationRuns.add(validationRun);
String trustAnchorLocation = trustAnchor.getLocations().get(0);
ValidationResult validationResult = ValidationResult.withLocation(trustAnchorLocation);
try {
X509ResourceCertificate certificate = trustAnchor.getCertificate();
validationResult.rejectIfNull(certificate, VALIDATOR_TRUST_ANCHOR_CERTIFICATE_AVAILABLE);
if (certificate == null) {
return;
}
CertificateRepositoryObjectValidationContext context = new CertificateRepositoryObjectValidationContext(URI.create(trustAnchorLocation), certificate);
certificate.validate(trustAnchorLocation, context, null, null, VALIDATION_OPTIONS, validationResult);
if (validationResult.hasFailureForCurrentLocation()) {
return;
}
URI locationUri = Objects.firstNonNull(certificate.getRrdpNotifyUri(), certificate.getRepositoryUri());
validationResult.warnIfNull(locationUri, VALIDATOR_TRUST_ANCHOR_CERTIFICATE_RRDP_NOTIFY_URI_OR_REPOSITORY_URI_PRESENT);
if (locationUri == null) {
return;
}
validationRun.getValidatedObjects().addAll(validateCertificateAuthority(trustAnchor, registeredRepositories, context, validationResult));
entityManager.setFlushMode(FlushModeType.AUTO);
if (isValidationRunCompleted(validationResult)) {
trustAnchor.markInitialCertificateTreeValidationRunCompleted();
if (!settings.isInitialValidationRunCompleted() && trustAnchors.allInitialCertificateTreeValidationRunsCompleted()) {
settings.markInitialValidationRunCompleted();
log.info("All trust anchors have completed their initial certificate tree validation run, validator is now ready");
}
}
validatedRpkiObjects.update(trustAnchor, validationRun.getValidatedObjects());
} finally {
validationRun.completeWith(validationResult);
log.info("tree validation {} for {}", validationRun.getStatus(), trustAnchor);
}
}
Also used :
CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext)
RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository)
HashMap(java.util.HashMap)
LinkedHashMap(java.util.LinkedHashMap)
CertificateTreeValidationRun(net.ripe.rpki.validator3.domain.CertificateTreeValidationRun)
TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor)
ValidationString(net.ripe.rpki.commons.validation.ValidationString)
X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
URI(java.net.URI)
Transactional(javax.transaction.Transactional)
Example 2 with ValidationResult
use of net.ripe.rpki.commons.validation.ValidationResult in project rpki-validator-3 by RIPE-NCC.
the class RrdpService method storeSnapshot.
void storeSnapshot(final Snapshot snapshot, final RpkiRepositoryValidationRun validationRun) {
snapshot.asMap().forEach((objUri, value) -> {
byte[] content = value.content;
rpkiObjectRepository.findBySha256(Sha256.hash(content)).map(existing -> {
existing.addLocation(objUri);
return existing;
}).orElseGet(() -> {
final Either<ValidationResult, RpkiObject> maybeRpkiObject = createRpkiObject(objUri, content);
if (maybeRpkiObject.isLeft()) {
validationRun.addChecks(maybeRpkiObject.left().value());
return null;
} else {
RpkiObject object = maybeRpkiObject.right().value();
rpkiObjectRepository.add(object);
validationRun.addRpkiObject(object);
log.debug("added to database {}", object);
return object;
}
});
});
}
Also used :
RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository)
Arrays(java.util.Arrays)
CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject)
Transactional(javax.transaction.Transactional)
RpkiRepositoryValidationRun(net.ripe.rpki.validator3.domain.RpkiRepositoryValidationRun)
Hex(net.ripe.rpki.validator3.util.Hex)
RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject)
Autowired(org.springframework.beans.factory.annotation.Autowired)
Collectors(java.util.stream.Collectors)
CertificateRepositoryObjectFactory(net.ripe.rpki.commons.crypto.util.CertificateRepositoryObjectFactory)
ErrorCodes(net.ripe.rpki.validator3.domain.ErrorCodes)
Slf4j(lombok.extern.slf4j.Slf4j)
List(java.util.List)
ByteArrayInputStream(java.io.ByteArrayInputStream)
RpkiObjects(net.ripe.rpki.validator3.domain.RpkiObjects)
Service(org.springframework.stereotype.Service)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
Optional(java.util.Optional)
BigInteger(java.math.BigInteger)
Sha256(net.ripe.rpki.validator3.util.Sha256)
Either(fj.data.Either)
Comparator(java.util.Comparator)
ValidationCheck(net.ripe.rpki.validator3.domain.ValidationCheck)
RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
Example 3 with ValidationResult
use of net.ripe.rpki.commons.validation.ValidationResult in project rpki-validator-3 by RIPE-NCC.
the class EncodedRpkiObject method get.
public <T extends CertificateRepositoryObject> Optional<T> get(final Class<T> clazz, final String location) {
ValidationResult temporary = ValidationResult.withLocation(location);
ValidationResult ignored = ValidationResult.withLocation(location);
CertificateRepositoryObject candidate = CertificateRepositoryObjectFactory.createCertificateRepositoryObject(encoded, // Ignore any parse errors, as all stored objects must be parsable
ignored);
temporary.rejectIfNull(candidate, "rpki.object.parsable");
if (temporary.hasFailureForCurrentLocation()) {
return Optional.empty();
}
temporary.rejectIfFalse(clazz.isInstance(candidate), "rpki.object.type.matches", clazz.getSimpleName(), candidate.getClass().getSimpleName());
if (temporary.hasFailureForCurrentLocation()) {
return Optional.empty();
}
return Optional.of(clazz.cast(candidate));
}
Also used :
CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
Example 4 with ValidationResult
use of net.ripe.rpki.commons.validation.ValidationResult in project rpki-validator-3 by RIPE-NCC.
the class CertificateTreeValidationService method validateCertificateAuthority.
private List<RpkiObject> validateCertificateAuthority(TrustAnchor trustAnchor, Map<URI, RpkiRepository> registeredRepositories, CertificateRepositoryObjectValidationContext context, ValidationResult validationResult) {
final List<RpkiObject> validatedObjects = new ArrayList<>();
ValidationLocation certificateLocation = validationResult.getCurrentLocation();
ValidationResult temporary = ValidationResult.withLocation(certificateLocation);
try {
RpkiRepository rpkiRepository = registerRepository(trustAnchor, registeredRepositories, context);
temporary.warnIfTrue(rpkiRepository.isPending(), VALIDATOR_RPKI_REPOSITORY_PENDING, rpkiRepository.getLocationUri());
if (rpkiRepository.isPending()) {
return validatedObjects;
}
X509ResourceCertificate certificate = context.getCertificate();
URI manifestUri = certificate.getManifestUri();
temporary.setLocation(new ValidationLocation(manifestUri));
Optional<RpkiObject> manifestObject = rpkiObjects.findLatestByTypeAndAuthorityKeyIdentifier(RpkiObject.Type.MFT, context.getSubjectKeyIdentifier());
if (!manifestObject.isPresent()) {
if (rpkiRepository.getStatus() == RpkiRepository.Status.FAILED) {
temporary.error(ValidationString.VALIDATOR_NO_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
} else {
temporary.error(ValidationString.VALIDATOR_NO_LOCAL_MANIFEST_NO_MANIFEST_IN_REPOSITORY, rpkiRepository.getLocationUri());
}
}
Optional<ManifestCms> maybeManifest = manifestObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), ManifestCms.class, temporary));
temporary.rejectIfTrue(manifestObject.isPresent() && rpkiRepository.getStatus() == RpkiRepository.Status.FAILED && maybeManifest.isPresent() && maybeManifest.get().isPastValidityTime(), ValidationString.VALIDATOR_OLD_LOCAL_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
ManifestCms manifest = maybeManifest.get();
List<Map.Entry<String, byte[]>> crlEntries = manifest.getFiles().entrySet().stream().filter((entry) -> RepositoryObjectType.parse(entry.getKey()) == RepositoryObjectType.Crl).collect(toList());
temporary.rejectIfFalse(crlEntries.size() == 1, VALIDATOR_MANIFEST_CONTAINS_ONE_CRL_ENTRY, String.valueOf(crlEntries.size()));
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
Map.Entry<String, byte[]> crlEntry = crlEntries.get(0);
URI crlUri = manifestUri.resolve(crlEntry.getKey());
Optional<RpkiObject> crlObject = rpkiObjects.findBySha256(crlEntry.getValue());
temporary.rejectIfFalse(crlObject.isPresent(), VALIDATOR_CRL_FOUND, crlUri.toASCIIString());
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
temporary.setLocation(new ValidationLocation(crlUri));
Optional<X509Crl> crl = crlObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), X509Crl.class, temporary));
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
crl.get().validate(crlUri.toASCIIString(), context, null, VALIDATION_OPTIONS, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
temporary.setLocation(new ValidationLocation(manifestUri));
manifest.validate(manifestUri.toASCIIString(), context, crl.get(), manifest.getCrlUri(), VALIDATION_OPTIONS, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
validatedObjects.add(manifestObject.get());
Map<URI, RpkiObject> manifestEntries = retrieveManifestEntries(manifest, manifestUri, temporary);
manifestEntries.forEach((location, obj) -> {
temporary.setLocation(new ValidationLocation(location));
Optional<CertificateRepositoryObject> maybeCertificateRepositoryObject = rpkiObjects.findCertificateRepositoryObject(obj.getId(), CertificateRepositoryObject.class, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return;
}
maybeCertificateRepositoryObject.ifPresent(certificateRepositoryObject -> {
certificateRepositoryObject.validate(location.toASCIIString(), context, crl.get(), crlUri, VALIDATION_OPTIONS, temporary);
if (!temporary.hasFailureForCurrentLocation()) {
validatedObjects.add(obj);
}
if (certificateRepositoryObject instanceof X509ResourceCertificate && ((X509ResourceCertificate) certificateRepositoryObject).isCa() && !temporary.hasFailureForCurrentLocation()) {
CertificateRepositoryObjectValidationContext childContext = context.createChildContext(location, (X509ResourceCertificate) certificateRepositoryObject);
validatedObjects.addAll(validateCertificateAuthority(trustAnchor, registeredRepositories, childContext, temporary));
}
});
});
} catch (Exception e) {
log.debug("e", e);
validationResult.error(ErrorCodes.UNHANDLED_EXCEPTION, e.toString(), ExceptionUtils.getStackTrace(e));
} finally {
validationResult.addAll(temporary);
}
return validatedObjects;
}
Also used :
RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository)
ValidationRuns(net.ripe.rpki.validator3.domain.ValidationRuns)
Arrays(java.util.Arrays)
CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject)
Autowired(org.springframework.beans.factory.annotation.Autowired)
FlushModeType(javax.persistence.FlushModeType)
HashMap(java.util.HashMap)
ErrorCodes(net.ripe.rpki.validator3.domain.ErrorCodes)
ArrayList(java.util.ArrayList)
ValidationOptions(net.ripe.rpki.commons.validation.ValidationOptions)
LinkedHashMap(java.util.LinkedHashMap)
RpkiRepositories(net.ripe.rpki.validator3.domain.RpkiRepositories)
CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext)
X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)
RpkiObjects(net.ripe.rpki.validator3.domain.RpkiObjects)
Service(org.springframework.stereotype.Service)
Map(java.util.Map)
URI(java.net.URI)
Objects(com.google.common.base.Objects)
CertificateTreeValidationRun(net.ripe.rpki.validator3.domain.CertificateTreeValidationRun)
TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor)
ValidationStatus(net.ripe.rpki.commons.validation.ValidationStatus)
ValidatedRpkiObjects(net.ripe.rpki.validator3.domain.ValidatedRpkiObjects)
Transactional(javax.transaction.Transactional)
TrustAnchors(net.ripe.rpki.validator3.domain.TrustAnchors)
RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject)
EntityManager(javax.persistence.EntityManager)
X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl)
RepositoryObjectType(net.ripe.rpki.commons.util.RepositoryObjectType)
ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation)
Slf4j(lombok.extern.slf4j.Slf4j)
List(java.util.List)
Collectors.toList(java.util.stream.Collectors.toList)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
Optional(java.util.Optional)
Settings(net.ripe.rpki.validator3.domain.Settings)
ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms)
ValidationString(net.ripe.rpki.commons.validation.ValidationString)
ExceptionUtils(org.apache.commons.lang3.exception.ExceptionUtils)
X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl)
CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext)
RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository)
ArrayList(java.util.ArrayList)
ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation)
ValidationString(net.ripe.rpki.commons.validation.ValidationString)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
URI(java.net.URI)
RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject)
ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms)
CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject)
X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)
HashMap(java.util.HashMap)
LinkedHashMap(java.util.LinkedHashMap)
Map(java.util.Map)
Example 5 with ValidationResult
use of net.ripe.rpki.commons.validation.ValidationResult in project rpki-validator-3 by RIPE-NCC.
the class TrustAnchorValidationService method validate.
@Transactional(Transactional.TxType.REQUIRED)
public void validate(long trustAnchorId) {
TrustAnchor trustAnchor = trustAnchorRepository.get(trustAnchorId);
log.debug("trust anchor {} located at {} with subject public key info {}", trustAnchor.getName(), trustAnchor.getLocations(), trustAnchor.getSubjectPublicKeyInfo());
TrustAnchorValidationRun validationRun = new TrustAnchorValidationRun(trustAnchor);
validationRunRepository.add(validationRun);
try {
boolean updated = false;
URI trustAnchorCertificateURI = URI.create(validationRun.getTrustAnchorCertificateURI()).normalize();
ValidationResult validationResult = ValidationResult.withLocation(trustAnchorCertificateURI);
File targetFile = fetchTrustAnchorCertificate(trustAnchorCertificateURI, validationResult);
if (!validationResult.hasFailureForCurrentLocation()) {
long trustAnchorCertificateSize = targetFile.length();
if (trustAnchorCertificateSize < RpkiObject.MIN_SIZE) {
validationResult.error(ErrorCodes.REPOSITORY_OBJECT_MINIMUM_SIZE, trustAnchorCertificateURI.toASCIIString(), String.valueOf(trustAnchorCertificateSize), String.valueOf(RpkiObject.MIN_SIZE));
} else if (trustAnchorCertificateSize > RpkiObject.MAX_SIZE) {
validationResult.error(ErrorCodes.REPOSITORY_OBJECT_MAXIMUM_SIZE, trustAnchorCertificateURI.toASCIIString(), String.valueOf(trustAnchorCertificateSize), String.valueOf(RpkiObject.MAX_SIZE));
} else {
X509ResourceCertificate certificate = parseCertificate(trustAnchor, targetFile, validationResult);
if (!validationResult.hasFailureForCurrentLocation()) {
// validity time?
int comparedSerial = trustAnchor.getCertificate() == null ? 1 : trustAnchor.getCertificate().getSerialNumber().compareTo(certificate.getSerialNumber());
validationResult.warnIfTrue(comparedSerial < 0, "repository.object.is.older.than.previous.object", trustAnchorCertificateURI.toASCIIString());
if (comparedSerial > 0) {
trustAnchor.setCertificate(certificate);
updated = true;
}
}
}
}
validationRun.completeWith(validationResult);
if (updated) {
validationRunRepository.runCertificateTreeValidation(trustAnchor);
}
} catch (CommandExecutionException | IOException e) {
log.error("validation run for trust anchor {} failed", trustAnchor, e);
validationRun.addCheck(new ValidationCheck(validationRun, validationRun.getTrustAnchorCertificateURI(), ValidationCheck.Status.ERROR, ErrorCodes.UNHANDLED_EXCEPTION, e.toString()));
validationRun.setFailed();
}
}
Also used :
CommandExecutionException(net.ripe.rpki.commons.rsync.CommandExecutionException)
X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)
IOException(java.io.IOException)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
URI(java.net.URI)
File(java.io.File)
Transactional(javax.transaction.Transactional)
Aggregations
ValidationResult (net.ripe.rpki.commons.validation.ValidationResult)10
RpkiRepository (net.ripe.rpki.validator3.domain.RpkiRepository)6
Transactional (javax.transaction.Transactional)5
CertificateRepositoryObject (net.ripe.rpki.commons.crypto.CertificateRepositoryObject)5
RpkiObject (net.ripe.rpki.validator3.domain.RpkiObject)5
URI (java.net.URI)4
File (java.io.File)3
IOException (java.io.IOException)3
HashMap (java.util.HashMap)3
Slf4j (lombok.extern.slf4j.Slf4j)3
X509ResourceCertificate (net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)3
ErrorCodes (net.ripe.rpki.validator3.domain.ErrorCodes)3
RpkiObjects (net.ripe.rpki.validator3.domain.RpkiObjects)3
RpkiRepositoryValidationRun (net.ripe.rpki.validator3.domain.RpkiRepositoryValidationRun)3
TrustAnchor (net.ripe.rpki.validator3.domain.TrustAnchor)3
Autowired (org.springframework.beans.factory.annotation.Autowired)3
Service (org.springframework.stereotype.Service)3
Arrays (java.util.Arrays)2
LinkedHashMap (java.util.LinkedHashMap)2
List (java.util.List)2
