
Example 1 with SFPair

use of net.snowflake.client.util.SFPair in project snowflake-jdbc by snowflakedb.

Class SFTrustManager, method getPairIssuerSubject:

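/**
 * Builds (issuer, subject) certificate pairs for every non-root certificate in the chain.
 *
 * <p>The chain is expected leaf-first, so the issuer of {@code bcChain.get(i)} is taken to be
 * {@code bcChain.get(i + 1)}. A self-signed certificate (issuer name equals subject name) is
 * treated as the root CA and never appears as a subject. When the presented chain does not end
 * in its root, the last certificate's issuer is resolved from the JVM's trusted roots
 * ({@code ROOT_CA}).
 *
 * @param bcChain a leaf-first list of Bouncy Castle certificates
 * @return a list of (issuer, subject) pairs, one per non-root certificate; empty for an empty chain
 * @throws CertificateException if the root CA of the last certificate cannot be resolved from
 *     {@code ROOT_CA} (wraps an {@code SFOCSPException} with {@code NO_ROOTCA_FOUND})
 */
private List<SFPair<Certificate, Certificate>> getPairIssuerSubject(List<Certificate> bcChain) throws CertificateException {
    List<SFPair<Certificate, Certificate>> pairIssuerSubject = new ArrayList<>();
    for (int i = 0, len = bcChain.size(); i < len; ++i) {
        Certificate bcCert = bcChain.get(i);
        if (bcCert.getIssuer().equals(bcCert.getSubject())) {
            // Self-signed: this is the root CA; it has no issuer to be checked against, so skip it.
            continue;
        }
        if (i < len - 1) {
            // NOTE(review): the next chain element is assumed to be this certificate's issuer
            // (leaf-first order); path validation is presumably done before this method runs.
            pairIssuerSubject.add(SFPair.of(bcChain.get(i + 1), bcChain.get(i)));
        } else {
            // No root CA in the presented chain: look one up among the JVM's trusted roots.
            // ROOT_CA is keyed by the issuer name's hashCode(), which is not collision-free, so
            // confirm the candidate's subject name really matches before using it as the issuer.
            Certificate issuer = ROOT_CA.get(bcCert.getIssuer().hashCode());
            if (issuer == null || !bcCert.getIssuer().equals(issuer.getSubject())) {
                throw new CertificateException("Failed to find the root CA.", new SFOCSPException(OCSPErrorCode.NO_ROOTCA_FOUND, "Failed to find the root CA."));
            }
            pairIssuerSubject.add(SFPair.of(issuer, bcChain.get(i)));
        }
    }
    return pairIssuerSubject;
}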

Example 2 with SFPair

use of net.snowflake.client.util.SFPair in project snowflake-jdbc by snowflakedb.

Class SFTrustManager, method validateRevocationStatus:

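/**
 * Runs OCSP revocation checks for every non-root certificate in the presented chain.
 *
 * <p>Order of operations: build (issuer, subject) pairs (this also resolves a missing root from
 * the JVM trust store and fails if none matches); skip hosts whose name starts with
 * {@code "ocspssd"}; select the OCSP response cache server URL; if the cache server is in use
 * and the pairs are not already cached, try to download the cache (a failure is logged and the
 * check falls back to the CA's OCSP responder); run the per-certificate checks; finally persist
 * the in-memory OCSP response cache to the file cache if it was updated.
 *
 * @param chain chain of certificates presented by the server, leaf first
 * @param peerHost hostname of the server being connected to
 * @throws CertificateException if the root CA cannot be resolved or any certificate validation fails
 */
void validateRevocationStatus(X509Certificate[] chain, String peerHost) throws CertificateException {
    final List<Certificate> bcChain = convertToBouncyCastleCertificate(chain);
    final List<SFPair<Certificate, Certificate>> pairIssuerSubjectList = getPairIssuerSubject(bcChain);
    // NOTE(review): this is a bare prefix match, so revocation checking is skipped for *any* host
    // whose name begins with "ocspssd", not only the OCSP cache server itself. Presumably it
    // exists to avoid recursing into the cache server; confirm the intended host set before
    // tightening it to an exact-host comparison.
    if (peerHost.startsWith("ocspssd")) {
        return;
    }
    if (ocspCacheServer.new_endpoint_enabled) {
        ocspCacheServer.resetOCSPResponseCacheServer(peerHost);
    }
    setOCSPResponseCacheServerURL();
    boolean isCached = isCached(pairIssuerSubjectList);
    if (useOCSPResponseCacheServer() && !isCached) {
        if (!ocspCacheServer.new_endpoint_enabled) {
            LOGGER.debug("Downloading OCSP response cache from the server. URL: {}", SF_OCSP_RESPONSE_CACHE_SERVER_URL_VALUE);
        } else {
            LOGGER.debug("Downloading OCSP response cache from the server. URL: {}", ocspCacheServer.SF_OCSP_RESPONSE_CACHE_SERVER);
        }
        try {
            readOcspResponseCacheServer();
        } catch (SFOCSPException ex) {
            // Best effort: a failed cache download is not fatal; the per-certificate checks below
            // query the CA's OCSP responder directly instead.
            LOGGER.debug("Error downloading OCSP Response from cache server : {}. OCSP Responses will be fetched directly from the CA OCSP Responder", ex.getMessage());
        }
    // if the cache is downloaded from the server, it should be written
    // to the file cache at all times.
    }
    executeRevocationStatusChecks(pairIssuerSubjectList, peerHost);
    if (WAS_CACHE_UPDATED.getAndSet(false)) {
        // encodeCacheToJSON() returns null when ASN.1 encoding fails; never overwrite the
        // file cache with a null document in that case.
        JsonNode input = encodeCacheToJSON();
        if (input != null) {
            fileCacheManager.writeCacheFile(input);
        }
    }
}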

Example 3 with SFPair

use of net.snowflake.client.util.SFPair in project snowflake-jdbc by snowflakedb.

Class SFTrustManager, method encodeCacheToJSON:

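/**
 * Encodes the in-memory OCSP response cache ({@code OCSP_RESPONSE_CACHE}) as a JSON object.
 *
 * <p>Each cache entry becomes one property: the name is the Base64 of the DER-encoded OCSP
 * {@code CertID} built from the key's name hash, key hash and serial number; the value is a
 * two-element array {@code [value.left, value.right]} — the cache time in seconds and the cached
 * String (presumably the encoded OCSP response; verify against the reader side).
 *
 * @return the encoded cache, or {@code null} if DER-encoding a {@code CertID} fails — callers must
 *     not write a {@code null} document to the file cache
 */
private static ObjectNode encodeCacheToJSON() {
    try {
        ObjectNode out = OBJECT_MAPPER.createObjectNode();
        // SHA-1 here is the hash algorithm recorded inside the OCSP CertID (it says how
        // nameHash/keyHash were computed); it is a protocol identifier, not an integrity control.
        // Only the AlgorithmIdentifier is needed, so one calculator serves every entry.
        AlgorithmIdentifier algo = new SHA1DigestCalculator().getAlgorithmIdentifier();
        for (Map.Entry<OcspResponseCacheKey, SFPair<Long, String>> elem : OCSP_RESPONSE_CACHE.entrySet()) {
            OcspResponseCacheKey key = elem.getKey();
            SFPair<Long, String> value0 = elem.getValue();
            long currentTimeSecond = value0.left;
            ASN1OctetString nameHash = ASN1OctetString.getInstance(key.nameHash);
            ASN1OctetString keyHash = ASN1OctetString.getInstance(key.keyHash);
            ASN1Integer serialNumber = new ASN1Integer(key.serialNumber);
            CertID cid = new CertID(algo, nameHash, keyHash, serialNumber);
            ArrayNode vout = OBJECT_MAPPER.createArrayNode();
            vout.add(currentTimeSecond);
            vout.add(value0.right);
            out.set(Base64.encodeBase64String(cid.toASN1Primitive().getEncoded()), vout);
        }
        return out;
    } catch (IOException ex) {
        // Encoding failed part-way; the partial document is discarded rather than written out.
        // Include the failure detail so the cause is recoverable from debug logs.
        LOGGER.debug("Failed to encode ASN1 object: {}", ex.getMessage());
    }
    return null;
}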
