
Example 26 with Certificate

use of org.apache.harmony.security.x509.Certificate in project open-ecard by ecsec.

the class HostnameVerifier method isValid.

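/**
 * Verifies that the server's end-entity certificate matches the host name or IP the client
 * connected to.
 *
 * <p>Only the first certificate of the chain (the end-entity certificate) is inspected; the
 * actual name matching is delegated to {@code validInt}.
 *
 * @param chain the certificate chain presented by the server.
 * @param hostOrIp the host name or IP address the client connected to.
 * @throws CertificateVerificationException if the chain is empty, the end-entity certificate
 *     cannot be decoded, or the name check performed by {@code validInt} fails.
 */
@Override
public void isValid(TlsServerCertificate chain, String hostOrIp) throws CertificateVerificationException {
    // An empty chain would otherwise surface as an ArrayIndexOutOfBoundsException from
    // getCertificateAt(0); report it through the checked exception callers already handle.
    if (chain.getCertificate().isEmpty()) {
        throw new CertificateVerificationException("No certificate received from server.");
    }
    try {
        TlsCertificate tlsCert = chain.getCertificate().getCertificateAt(0);
        Certificate cert = Certificate.getInstance(tlsCert.getEncoded());
        validInt(cert, hostOrIp);
    } catch (IOException | IllegalArgumentException ex) {
        // getEncoded() reports I/O problems; Certificate.getInstance rejects malformed ASN.1 with
        // an IllegalArgumentException, which must equally count as a verification failure.
        throw new CertificateVerificationException("Invalid certificate received from server.", ex);
    }
}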
Also used : CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException) IOException(java.io.IOException) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate) TlsServerCertificate(org.openecard.bouncycastle.tls.TlsServerCertificate) Certificate(org.openecard.bouncycastle.asn1.x509.Certificate) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)

Example 27 with Certificate

use of org.apache.harmony.security.x509.Certificate in project open-ecard by ecsec.

the class KeyLengthVerifier method isValid.

/**
 * Checks that every certificate in the chain carries a public key of acceptable length.
 *
 * <p>A self-signed certificate that is not in the first position is treated as a root
 * certificate and skipped; a self-signed certificate in the first (server) position is still
 * checked.
 *
 * @param chain the certificate chain presented by the server.
 * @param hostname the host name the client connected to; not used by this check.
 * @throws CertificateVerificationException if a certificate or its key cannot be decoded, or a
 *     key does not satisfy {@code KeyTools.assertKeyLength}.
 */
@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
    try {
        int position = 0;
        for (TlsCertificate entry : chain.getCertificate().getCertificateList()) {
            Certificate x509 = Certificate.getInstance(entry.getEncoded());
            boolean selfSigned = x509.getIssuer().equals(x509.getSubject());
            // Root certificates (self-signed, not the server certificate itself) are exempt from
            // the key length check; everything else, including a self-signed server cert, is checked.
            boolean rootCert = selfSigned && position > 0;
            if (!rootCert) {
                SubjectPublicKeyInfo pkInfo = x509.getSubjectPublicKeyInfo();
                AsymmetricKeyParameter key = PublicKeyFactory.createKey(pkInfo);
                KeyTools.assertKeyLength(key);
            }
            position++;
        }
    } catch (IOException ex) {
        String msg = "Failed to extract public key from certificate.";
        throw new CertificateVerificationException(msg, ex);
    } catch (KeyLengthException ex) {
        String msg = "The key in the certificate does not satisfy the length requirements.";
        throw new CertificateVerificationException(msg, ex);
    }
}
Also used : AsymmetricKeyParameter(org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter) CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException) IOException(java.io.IOException) SubjectPublicKeyInfo(org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo) KeyLengthException(org.openecard.crypto.common.keystore.KeyLengthException) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate) TlsServerCertificate(org.openecard.bouncycastle.tls.TlsServerCertificate) Certificate(org.openecard.bouncycastle.asn1.x509.Certificate) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)

Example 28 with Certificate

use of org.apache.harmony.security.x509.Certificate in project open-ecard by ecsec.

the class ExpirationVerifier method isValid.

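/**
 * Checks that every certificate in the chain is currently within its validity period.
 *
 * @param chain the certificate chain presented by the server.
 * @param hostOrIP the host name or IP address the client connected to; not used by this check.
 * @throws CertificateVerificationException if a certificate has expired, is not yet valid, or
 *     cannot be decoded.
 */
@Override
public void isValid(TlsServerCertificate chain, String hostOrIP) throws CertificateVerificationException {
    try {
        // Evaluate the whole chain against one instant so every certificate sees the same clock.
        Date now = new Date();
        for (TlsCertificate next : chain.getCertificate().getCertificateList()) {
            Certificate c = Certificate.getInstance(next.getEncoded());
            Date startDate = c.getStartDate().getDate();
            Date expDate = c.getEndDate().getDate();
            // A certificate whose validity period has not begun is as unusable as an expired one.
            if (now.before(startDate)) {
                String msg = String.format("The certificate '%s' is not valid before %s.", c.getSubject(), startDate);
                throw new CertificateVerificationException(msg);
            }
            if (now.after(expDate)) {
                String msg = String.format("The certificate '%s' expired at %s.", c.getSubject(), expDate);
                throw new CertificateVerificationException(msg);
            }
        }
    } catch (IOException ex) {
        throw new CertificateVerificationException("Invalid certificate received from server.", ex);
    }
}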
Also used : CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException) IOException(java.io.IOException) Date(java.util.Date) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate) TlsServerCertificate(org.openecard.bouncycastle.tls.TlsServerCertificate) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate) Certificate(org.openecard.bouncycastle.asn1.x509.Certificate)

Example 29 with Certificate

use of org.apache.harmony.security.x509.Certificate in project ddf by codice.

the class OcspChecker method passesOcspCheck.

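/**
 * Checks whether the given certificates are revoked against the configured OCSP server URLs plus
 * the OCSP server URL optionally embedded in each certificate.
 *
 * <p>This check fails open: a certificate whose status could not be determined is treated as
 * good and the failure is reported via {@code postErrorEvent}, which raises an alert in the
 * admin console.
 *
 * @param certs the certificates to verify; {@code null} or empty means there is nothing to check.
 * @return {@code true} if OCSP checking is disabled, the certificates are good, or they could not
 *     be properly checked against the OCSP server; {@code false} if any of them is revoked.
 */
@Override
public boolean passesOcspCheck(X509Certificate[] certs) {
    if (!ocspEnabled) {
        LOGGER.debug("OCSP check is not enabled. Skipping.");
        return true;
    }
    // A null array has nothing to check; guard here so the loop below never dereferences it.
    if (certs == null || certs.length == 0) {
        LOGGER.debug("OCSP check for 0 certificate(s)");
        return true;
    }
    LOGGER.debug("OCSP check for {} certificate(s)", certs.length);
    for (X509Certificate cert : certs) {
        try {
            Certificate certificate = convertToBouncyCastleCert(cert);
            OCSPReq ocspRequest = generateOcspRequest(certificate);
            Map<URI, CertificateStatus> ocspStatuses = sendOcspRequests(cert, ocspRequest);
            URI revokedStatusUrl = getFirstRevokedStatusUrl(ocspStatuses);
            if (revokedStatusUrl != null) {
                securityLogger.audit("Certificate {} has been revoked by the OCSP server at URL {}.", cert, revokedStatusUrl);
                LOGGER.warn("Certificate {} has been revoked by the OCSP server at URL {}.", cert, revokedStatusUrl);
                return false;
            }
            LOGGER.debug("No certificates revoked by the OCSP server");
        } catch (OcspCheckerException e) {
            // Unreachable or unusable responders do not fail the check (fail-open by design);
            // an alert will be posted to the admin console instead.
            postErrorEvent(e.getMessage());
        }
    }
    return true;
}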
Also used : OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq) CertificateStatus(org.bouncycastle.cert.ocsp.CertificateStatus) URI(java.net.URI) X509Certificate(java.security.cert.X509Certificate) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate)

Example 30 with Certificate

use of org.apache.harmony.security.x509.Certificate in project ddf by codice.

the class OcspChecker method getStatusFromOcspResponse.

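/**
 * Gets the {@link CertificateStatus} for {@code certificate} from the given OCSP response.
 *
 * <p>The single response is selected by comparing the serial number in its {@link CertificateID}
 * with the certificate's serial number; the issuer hashes of the {@link CertificateID} are not
 * compared here, so this should only be used with responses obtained for a request built from
 * this certificate. BouncyCastle represents a good status as {@code null}
 * ({@link CertificateStatus#GOOD}), which is why a {@code null} status is reported as good.
 *
 * <p>NOTE(review): this method does not verify the responder's signature on the basic response;
 * confirm that the caller does so before the returned status is trusted.
 *
 * @param ocspResponse the {@link OCSPResp} to extract the status from.
 * @param certificate the certificate whose status is looked up in the response.
 * @return the {@link CertificateStatus} for the certificate; an {@link UnknownStatus} if the
 *     response carries no basic response, no matching single response, or cannot be parsed.
 */
private CertificateStatus getStatusFromOcspResponse(OCSPResp ocspResponse, X509Certificate certificate) {
    try {
        BasicOCSPResp basicResponse = (BasicOCSPResp) ocspResponse.getResponseObject();
        if (basicResponse == null) {
            return new UnknownStatus();
        }
        SingleResp[] singleResps = basicResponse.getResponses();
        if (singleResps == null) {
            return new UnknownStatus();
        }
        SingleResp response = Arrays.stream(singleResps)
            .filter(singleResp -> singleResp.getCertID() != null)
            .filter(singleResp -> certificate.getSerialNumber().equals(singleResp.getCertID().getSerialNumber()))
            .findFirst()
            .orElse(null);
        if (response == null) {
            LOGGER.debug("Certificate status from OCSP response is unknown.");
            return new UnknownStatus();
        }
        if (response.getCertStatus() == null) {
            LOGGER.debug("Certificate status from OCSP response is good.");
            return CertificateStatus.GOOD;
        }
        return response.getCertStatus();
    } catch (OCSPException e) {
        // Record why the response was unusable instead of swallowing it; the outcome stays unknown.
        LOGGER.debug("Unable to parse OCSP response; treating certificate status as unknown.", e);
        return new UnknownStatus();
    }
}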
Also used : X509Certificate(java.security.cert.X509Certificate) Req(org.bouncycastle.cert.ocsp.Req) Arrays(java.util.Arrays) AccessDescription(org.bouncycastle.asn1.x509.AccessDescription) Enumeration(java.util.Enumeration) Extension(org.bouncycastle.asn1.x509.Extension) URISyntaxException(java.net.URISyntaxException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) LoggerFactory(org.slf4j.LoggerFactory) KeyStoreException(java.security.KeyStoreException) X500Name(org.bouncycastle.asn1.x500.X500Name) OCSPReq(org.bouncycastle.cert.ocsp.OCSPReq) Map(java.util.Map) URI(java.net.URI) X509ExtensionUtil(org.bouncycastle.x509.extension.X509ExtensionUtil) ClientBuilderFactory(org.codice.ddf.cxf.client.ClientBuilderFactory) OcspService(org.codice.ddf.security.OcspService) OCSPReqBuilder(org.bouncycastle.cert.ocsp.OCSPReqBuilder) NoticePriority(org.codice.ddf.system.alerts.NoticePriority) Set(java.util.Set) KeyStore(java.security.KeyStore) OCSPException(org.bouncycastle.cert.ocsp.OCSPException) ClientBuilder(org.codice.ddf.cxf.client.ClientBuilder) PrivilegedAction(java.security.PrivilegedAction) Collectors(java.util.stream.Collectors) Objects(java.util.Objects) List(java.util.List) GeneralName(org.bouncycastle.asn1.x509.GeneralName) Response(javax.ws.rs.core.Response) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) Entry(java.util.Map.Entry) ProcessingException(javax.ws.rs.ProcessingException) SecureCxfClientFactory(org.codice.ddf.cxf.client.SecureCxfClientFactory) AccessController(java.security.AccessController) Certificate(org.bouncycastle.asn1.x509.Certificate) CertificateEncodingException(java.security.cert.CertificateEncodingException) EventAdmin(org.osgi.service.event.EventAdmin) RevokedStatus(org.bouncycastle.cert.ocsp.RevokedStatus) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) AuthorityInformationAccess(org.bouncycastle.asn1.x509.AuthorityInformationAccess) HashMap(java.util.HashMap) 
SingleResp(org.bouncycastle.cert.ocsp.SingleResp) ArrayList(java.util.ArrayList) HashSet(java.util.HashSet) CertificateID(org.bouncycastle.cert.ocsp.CertificateID) SecurityConstants(ddf.security.SecurityConstants) Nullable(javax.annotation.Nullable) DERIA5String(org.bouncycastle.asn1.DERIA5String) JcaDigestCalculatorProviderBuilder(org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder) Logger(org.slf4j.Logger) SecurityLogger(ddf.security.audit.SecurityLogger) CertificateStatus(org.bouncycastle.cert.ocsp.CertificateStatus) UnknownStatus(org.bouncycastle.cert.ocsp.UnknownStatus) WebClient(org.apache.cxf.jaxrs.client.WebClient) OCSPResp(org.bouncycastle.cert.ocsp.OCSPResp) DigestCalculator(org.bouncycastle.operator.DigestCalculator) IOException(java.io.IOException) FileInputStream(java.io.FileInputStream) CertificateException(java.security.cert.CertificateException) BasicOCSPResponse(org.bouncycastle.asn1.ocsp.BasicOCSPResponse) SystemNotice(org.codice.ddf.system.alerts.SystemNotice) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) StringUtils.isBlank(org.apache.commons.lang3.StringUtils.isBlank) DigestCalculatorProvider(org.bouncycastle.operator.DigestCalculatorProvider) VisibleForTesting(com.google.common.annotations.VisibleForTesting) Event(org.osgi.service.event.Event) InputStream(java.io.InputStream) OCSPException(org.bouncycastle.cert.ocsp.OCSPException) BasicOCSPResp(org.bouncycastle.cert.ocsp.BasicOCSPResp) SingleResp(org.bouncycastle.cert.ocsp.SingleResp) UnknownStatus(org.bouncycastle.cert.ocsp.UnknownStatus)
