Search in sources :

Example 1 with ValidationResult

use of net.ripe.rpki.commons.validation.ValidationResult in project rpki-validator-3 by RIPE-NCC.

the class CertificateTreeValidationService method validate.

@Transactional(Transactional.TxType.REQUIRED)
public void validate(long trustAnchorId) {
    Map<URI, RpkiRepository> registeredRepositories = new HashMap<>();
    entityManager.setFlushMode(FlushModeType.COMMIT);
    TrustAnchor trustAnchor = trustAnchors.get(trustAnchorId);
    log.info("starting tree validation for {}", trustAnchor);
    CertificateTreeValidationRun validationRun = new CertificateTreeValidationRun(trustAnchor);
    validationRuns.add(validationRun);
    String trustAnchorLocation = trustAnchor.getLocations().get(0);
    ValidationResult validationResult = ValidationResult.withLocation(trustAnchorLocation);
    try {
        X509ResourceCertificate certificate = trustAnchor.getCertificate();
        validationResult.rejectIfNull(certificate, VALIDATOR_TRUST_ANCHOR_CERTIFICATE_AVAILABLE);
        if (certificate == null) {
            return;
        }
        CertificateRepositoryObjectValidationContext context = new CertificateRepositoryObjectValidationContext(URI.create(trustAnchorLocation), certificate);
        certificate.validate(trustAnchorLocation, context, null, null, VALIDATION_OPTIONS, validationResult);
        if (validationResult.hasFailureForCurrentLocation()) {
            return;
        }
        URI locationUri = Objects.firstNonNull(certificate.getRrdpNotifyUri(), certificate.getRepositoryUri());
        validationResult.warnIfNull(locationUri, VALIDATOR_TRUST_ANCHOR_CERTIFICATE_RRDP_NOTIFY_URI_OR_REPOSITORY_URI_PRESENT);
        if (locationUri == null) {
            return;
        }
        validationRun.getValidatedObjects().addAll(validateCertificateAuthority(trustAnchor, registeredRepositories, context, validationResult));
        entityManager.setFlushMode(FlushModeType.AUTO);
        if (isValidationRunCompleted(validationResult)) {
            trustAnchor.markInitialCertificateTreeValidationRunCompleted();
            if (!settings.isInitialValidationRunCompleted() && trustAnchors.allInitialCertificateTreeValidationRunsCompleted()) {
                settings.markInitialValidationRunCompleted();
                log.info("All trust anchors have completed their initial certificate tree validation run, validator is now ready");
            }
        }
        validatedRpkiObjects.update(trustAnchor, validationRun.getValidatedObjects());
    } finally {
        validationRun.completeWith(validationResult);
        log.info("tree validation {} for {}", validationRun.getStatus(), trustAnchor);
    }
}
Also used : CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext) RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) CertificateTreeValidationRun(net.ripe.rpki.validator3.domain.CertificateTreeValidationRun) TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor) ValidationString(net.ripe.rpki.commons.validation.ValidationString) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) URI(java.net.URI) Transactional(javax.transaction.Transactional)

Example 2 with ValidationResult

use of net.ripe.rpki.commons.validation.ValidationResult in project rpki-validator-3 by RIPE-NCC.

the class RrdpService method storeSnapshot.

void storeSnapshot(final Snapshot snapshot, final RpkiRepositoryValidationRun validationRun) {
    snapshot.asMap().forEach((objUri, value) -> {
        byte[] content = value.content;
        rpkiObjectRepository.findBySha256(Sha256.hash(content)).map(existing -> {
            existing.addLocation(objUri);
            return existing;
        }).orElseGet(() -> {
            final Either<ValidationResult, RpkiObject> maybeRpkiObject = createRpkiObject(objUri, content);
            if (maybeRpkiObject.isLeft()) {
                validationRun.addChecks(maybeRpkiObject.left().value());
                return null;
            } else {
                RpkiObject object = maybeRpkiObject.right().value();
                rpkiObjectRepository.add(object);
                validationRun.addRpkiObject(object);
                log.debug("added to database {}", object);
                return object;
            }
        });
    });
}
Also used : RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository) Arrays(java.util.Arrays) CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject) Transactional(javax.transaction.Transactional) RpkiRepositoryValidationRun(net.ripe.rpki.validator3.domain.RpkiRepositoryValidationRun) Hex(net.ripe.rpki.validator3.util.Hex) RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject) Autowired(org.springframework.beans.factory.annotation.Autowired) Collectors(java.util.stream.Collectors) CertificateRepositoryObjectFactory(net.ripe.rpki.commons.crypto.util.CertificateRepositoryObjectFactory) ErrorCodes(net.ripe.rpki.validator3.domain.ErrorCodes) Slf4j(lombok.extern.slf4j.Slf4j) List(java.util.List) ByteArrayInputStream(java.io.ByteArrayInputStream) RpkiObjects(net.ripe.rpki.validator3.domain.RpkiObjects) Service(org.springframework.stereotype.Service) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) Optional(java.util.Optional) BigInteger(java.math.BigInteger) Sha256(net.ripe.rpki.validator3.util.Sha256) Either(fj.data.Either) Comparator(java.util.Comparator) ValidationCheck(net.ripe.rpki.validator3.domain.ValidationCheck) RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)

Example 3 with ValidationResult

use of net.ripe.rpki.commons.validation.ValidationResult in project rpki-validator-3 by RIPE-NCC.

the class EncodedRpkiObject method get.

public <T extends CertificateRepositoryObject> Optional<T> get(final Class<T> clazz, final String location) {
    ValidationResult temporary = ValidationResult.withLocation(location);
    ValidationResult ignored = ValidationResult.withLocation(location);
    CertificateRepositoryObject candidate = CertificateRepositoryObjectFactory.createCertificateRepositoryObject(encoded, // Ignore any parse errors, as all stored objects must be parsable
    ignored);
    temporary.rejectIfNull(candidate, "rpki.object.parsable");
    if (temporary.hasFailureForCurrentLocation()) {
        return Optional.empty();
    }
    temporary.rejectIfFalse(clazz.isInstance(candidate), "rpki.object.type.matches", clazz.getSimpleName(), candidate.getClass().getSimpleName());
    if (temporary.hasFailureForCurrentLocation()) {
        return Optional.empty();
    }
    return Optional.of(clazz.cast(candidate));
}
Also used : CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)

Example 4 with ValidationResult

use of net.ripe.rpki.commons.validation.ValidationResult in project rpki-validator-3 by RIPE-NCC.

the class CertificateTreeValidationService method validateCertificateAuthority.

private List<RpkiObject> validateCertificateAuthority(TrustAnchor trustAnchor, Map<URI, RpkiRepository> registeredRepositories, CertificateRepositoryObjectValidationContext context, ValidationResult validationResult) {
    final List<RpkiObject> validatedObjects = new ArrayList<>();
    ValidationLocation certificateLocation = validationResult.getCurrentLocation();
    ValidationResult temporary = ValidationResult.withLocation(certificateLocation);
    try {
        RpkiRepository rpkiRepository = registerRepository(trustAnchor, registeredRepositories, context);
        temporary.warnIfTrue(rpkiRepository.isPending(), VALIDATOR_RPKI_REPOSITORY_PENDING, rpkiRepository.getLocationUri());
        if (rpkiRepository.isPending()) {
            return validatedObjects;
        }
        X509ResourceCertificate certificate = context.getCertificate();
        URI manifestUri = certificate.getManifestUri();
        temporary.setLocation(new ValidationLocation(manifestUri));
        Optional<RpkiObject> manifestObject = rpkiObjects.findLatestByTypeAndAuthorityKeyIdentifier(RpkiObject.Type.MFT, context.getSubjectKeyIdentifier());
        if (!manifestObject.isPresent()) {
            if (rpkiRepository.getStatus() == RpkiRepository.Status.FAILED) {
                temporary.error(ValidationString.VALIDATOR_NO_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
            } else {
                temporary.error(ValidationString.VALIDATOR_NO_LOCAL_MANIFEST_NO_MANIFEST_IN_REPOSITORY, rpkiRepository.getLocationUri());
            }
        }
        Optional<ManifestCms> maybeManifest = manifestObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), ManifestCms.class, temporary));
        temporary.rejectIfTrue(manifestObject.isPresent() && rpkiRepository.getStatus() == RpkiRepository.Status.FAILED && maybeManifest.isPresent() && maybeManifest.get().isPastValidityTime(), ValidationString.VALIDATOR_OLD_LOCAL_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        ManifestCms manifest = maybeManifest.get();
        List<Map.Entry<String, byte[]>> crlEntries = manifest.getFiles().entrySet().stream().filter((entry) -> RepositoryObjectType.parse(entry.getKey()) == RepositoryObjectType.Crl).collect(toList());
        temporary.rejectIfFalse(crlEntries.size() == 1, VALIDATOR_MANIFEST_CONTAINS_ONE_CRL_ENTRY, String.valueOf(crlEntries.size()));
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        Map.Entry<String, byte[]> crlEntry = crlEntries.get(0);
        URI crlUri = manifestUri.resolve(crlEntry.getKey());
        Optional<RpkiObject> crlObject = rpkiObjects.findBySha256(crlEntry.getValue());
        temporary.rejectIfFalse(crlObject.isPresent(), VALIDATOR_CRL_FOUND, crlUri.toASCIIString());
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        temporary.setLocation(new ValidationLocation(crlUri));
        Optional<X509Crl> crl = crlObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), X509Crl.class, temporary));
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        crl.get().validate(crlUri.toASCIIString(), context, null, VALIDATION_OPTIONS, temporary);
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        temporary.setLocation(new ValidationLocation(manifestUri));
        manifest.validate(manifestUri.toASCIIString(), context, crl.get(), manifest.getCrlUri(), VALIDATION_OPTIONS, temporary);
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        validatedObjects.add(manifestObject.get());
        Map<URI, RpkiObject> manifestEntries = retrieveManifestEntries(manifest, manifestUri, temporary);
        manifestEntries.forEach((location, obj) -> {
            temporary.setLocation(new ValidationLocation(location));
            Optional<CertificateRepositoryObject> maybeCertificateRepositoryObject = rpkiObjects.findCertificateRepositoryObject(obj.getId(), CertificateRepositoryObject.class, temporary);
            if (temporary.hasFailureForCurrentLocation()) {
                return;
            }
            maybeCertificateRepositoryObject.ifPresent(certificateRepositoryObject -> {
                certificateRepositoryObject.validate(location.toASCIIString(), context, crl.get(), crlUri, VALIDATION_OPTIONS, temporary);
                if (!temporary.hasFailureForCurrentLocation()) {
                    validatedObjects.add(obj);
                }
                if (certificateRepositoryObject instanceof X509ResourceCertificate && ((X509ResourceCertificate) certificateRepositoryObject).isCa() && !temporary.hasFailureForCurrentLocation()) {
                    CertificateRepositoryObjectValidationContext childContext = context.createChildContext(location, (X509ResourceCertificate) certificateRepositoryObject);
                    validatedObjects.addAll(validateCertificateAuthority(trustAnchor, registeredRepositories, childContext, temporary));
                }
            });
        });
    } catch (Exception e) {
        log.debug("e", e);
        validationResult.error(ErrorCodes.UNHANDLED_EXCEPTION, e.toString(), ExceptionUtils.getStackTrace(e));
    } finally {
        validationResult.addAll(temporary);
    }
    return validatedObjects;
}
Also used : RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository) ValidationRuns(net.ripe.rpki.validator3.domain.ValidationRuns) Arrays(java.util.Arrays) CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject) Autowired(org.springframework.beans.factory.annotation.Autowired) FlushModeType(javax.persistence.FlushModeType) HashMap(java.util.HashMap) ErrorCodes(net.ripe.rpki.validator3.domain.ErrorCodes) ArrayList(java.util.ArrayList) ValidationOptions(net.ripe.rpki.commons.validation.ValidationOptions) LinkedHashMap(java.util.LinkedHashMap) RpkiRepositories(net.ripe.rpki.validator3.domain.RpkiRepositories) CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) RpkiObjects(net.ripe.rpki.validator3.domain.RpkiObjects) Service(org.springframework.stereotype.Service) Map(java.util.Map) URI(java.net.URI) Objects(com.google.common.base.Objects) CertificateTreeValidationRun(net.ripe.rpki.validator3.domain.CertificateTreeValidationRun) TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor) ValidationStatus(net.ripe.rpki.commons.validation.ValidationStatus) ValidatedRpkiObjects(net.ripe.rpki.validator3.domain.ValidatedRpkiObjects) Transactional(javax.transaction.Transactional) TrustAnchors(net.ripe.rpki.validator3.domain.TrustAnchors) RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject) EntityManager(javax.persistence.EntityManager) X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl) RepositoryObjectType(net.ripe.rpki.commons.util.RepositoryObjectType) ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation) Slf4j(lombok.extern.slf4j.Slf4j) List(java.util.List) Collectors.toList(java.util.stream.Collectors.toList) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) Optional(java.util.Optional) Settings(net.ripe.rpki.validator3.domain.Settings) ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms) ValidationString(net.ripe.rpki.commons.validation.ValidationString) ExceptionUtils(org.apache.commons.lang3.exception.ExceptionUtils) X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl) CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext) RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository) ArrayList(java.util.ArrayList) ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation) ValidationString(net.ripe.rpki.commons.validation.ValidationString) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) URI(java.net.URI) RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject) ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms) CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) Map(java.util.Map)

Example 5 with ValidationResult

use of net.ripe.rpki.commons.validation.ValidationResult in project rpki-validator-3 by RIPE-NCC.

the class TrustAnchorValidationService method validate.

@Transactional(Transactional.TxType.REQUIRED)
public void validate(long trustAnchorId) {
    TrustAnchor trustAnchor = trustAnchorRepository.get(trustAnchorId);
    log.debug("trust anchor {} located at {} with subject public key info {}", trustAnchor.getName(), trustAnchor.getLocations(), trustAnchor.getSubjectPublicKeyInfo());
    TrustAnchorValidationRun validationRun = new TrustAnchorValidationRun(trustAnchor);
    validationRunRepository.add(validationRun);
    try {
        boolean updated = false;
        URI trustAnchorCertificateURI = URI.create(validationRun.getTrustAnchorCertificateURI()).normalize();
        ValidationResult validationResult = ValidationResult.withLocation(trustAnchorCertificateURI);
        File targetFile = fetchTrustAnchorCertificate(trustAnchorCertificateURI, validationResult);
        if (!validationResult.hasFailureForCurrentLocation()) {
            long trustAnchorCertificateSize = targetFile.length();
            if (trustAnchorCertificateSize < RpkiObject.MIN_SIZE) {
                validationResult.error(ErrorCodes.REPOSITORY_OBJECT_MINIMUM_SIZE, trustAnchorCertificateURI.toASCIIString(), String.valueOf(trustAnchorCertificateSize), String.valueOf(RpkiObject.MIN_SIZE));
            } else if (trustAnchorCertificateSize > RpkiObject.MAX_SIZE) {
                validationResult.error(ErrorCodes.REPOSITORY_OBJECT_MAXIMUM_SIZE, trustAnchorCertificateURI.toASCIIString(), String.valueOf(trustAnchorCertificateSize), String.valueOf(RpkiObject.MAX_SIZE));
            } else {
                X509ResourceCertificate certificate = parseCertificate(trustAnchor, targetFile, validationResult);
                if (!validationResult.hasFailureForCurrentLocation()) {
                    // validity time?
                    int comparedSerial = trustAnchor.getCertificate() == null ? 1 : trustAnchor.getCertificate().getSerialNumber().compareTo(certificate.getSerialNumber());
                    validationResult.warnIfTrue(comparedSerial < 0, "repository.object.is.older.than.previous.object", trustAnchorCertificateURI.toASCIIString());
                    if (comparedSerial > 0) {
                        trustAnchor.setCertificate(certificate);
                        updated = true;
                    }
                }
            }
        }
        validationRun.completeWith(validationResult);
        if (updated) {
            validationRunRepository.runCertificateTreeValidation(trustAnchor);
        }
    } catch (CommandExecutionException | IOException e) {
        log.error("validation run for trust anchor {} failed", trustAnchor, e);
        validationRun.addCheck(new ValidationCheck(validationRun, validationRun.getTrustAnchorCertificateURI(), ValidationCheck.Status.ERROR, ErrorCodes.UNHANDLED_EXCEPTION, e.toString()));
        validationRun.setFailed();
    }
}
Also used : CommandExecutionException(net.ripe.rpki.commons.rsync.CommandExecutionException) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) IOException(java.io.IOException) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) URI(java.net.URI) File(java.io.File) Transactional(javax.transaction.Transactional)

Aggregations

ValidationResult (net.ripe.rpki.commons.validation.ValidationResult)10 RpkiRepository (net.ripe.rpki.validator3.domain.RpkiRepository)6 Transactional (javax.transaction.Transactional)5 CertificateRepositoryObject (net.ripe.rpki.commons.crypto.CertificateRepositoryObject)5 RpkiObject (net.ripe.rpki.validator3.domain.RpkiObject)5 URI (java.net.URI)4 File (java.io.File)3 IOException (java.io.IOException)3 HashMap (java.util.HashMap)3 Slf4j (lombok.extern.slf4j.Slf4j)3 X509ResourceCertificate (net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)3 ErrorCodes (net.ripe.rpki.validator3.domain.ErrorCodes)3 RpkiObjects (net.ripe.rpki.validator3.domain.RpkiObjects)3 RpkiRepositoryValidationRun (net.ripe.rpki.validator3.domain.RpkiRepositoryValidationRun)3 TrustAnchor (net.ripe.rpki.validator3.domain.TrustAnchor)3 Autowired (org.springframework.beans.factory.annotation.Autowired)3 Service (org.springframework.stereotype.Service)3 Arrays (java.util.Arrays)2 LinkedHashMap (java.util.LinkedHashMap)2 List (java.util.List)2