use of org.apache.synapse.transport.certificatevalidation.crl.CRLVerifier in project wso2-synapse by wso2.
the class RevocationVerificationManager method verifyRevocationStatus.
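/**
 * Verifies the revocation status of the given peer certificate chain.
 * <p>
 * OCSP is tried first because it is faster; if OCSP verification fails for any
 * reason the chain is re-checked against CRLs. The check fails closed: unless one
 * of the verifiers positively validates the path, a
 * {@link CertificateVerificationException} is thrown.
 *
 * @param peerCertificates the peer/client certificate chain as
 *        {@code javax.security.cert.X509Certificate[]}
 * @throws CertificateVerificationException if the chain is absent or empty, or if
 *         path verification fails for both OCSP and CRL
 */
public void verifyRevocationStatus(javax.security.cert.X509Certificate[] peerCertificates)
        throws CertificateVerificationException {
    // Fail closed: an absent or empty chain must never be reported as verified.
    if (peerCertificates == null || peerCertificates.length == 0) {
        throw new CertificateVerificationException("No peer certificates supplied for revocation verification");
    }
    X509Certificate[] convertedCertificates = convert(peerCertificates);
    long start = System.currentTimeMillis();

    OCSPCache ocspCache = OCSPCache.getCache();
    ocspCache.init(cacheSize, cacheDelayMins);
    CRLCache crlCache = CRLCache.getCache();
    crlCache.init(cacheSize, cacheDelayMins);

    // Order matters: OCSP first (faster), CRL as the fallback.
    RevocationVerifier[] verifiers = { new OCSPVerifier(ocspCache), new CRLVerifier(crlCache) };
    for (RevocationVerifier verifier : verifiers) {
        String verifierName = verifier.getClass().getSimpleName();
        try {
            CertificatePathValidator pathValidator = new CertificatePathValidator(convertedCertificates, verifier);
            pathValidator.validatePath();
            log.info("Path verification Successful. Took " + (System.currentTimeMillis() - start) + " ms.");
            return;
        } catch (Exception e) {
            // The broad catch is deliberate: any failure of this verifier (including
            // runtime errors) falls through to the next one, and the cause is kept at
            // debug level only. If every verifier fails, the throw below fails closed.
            log.info(verifierName + " failed.");
            log.debug("Certificate verification with " + verifierName + " failed. ", e);
        }
    }
    throw new CertificateVerificationException("Path Verification Failed for both OCSP and CRL");
}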
use of org.apache.synapse.transport.certificatevalidation.crl.CRLVerifier in project wso2-synapse by wso2.
the class CRLVerifierTest method getCRLDistributionPointUrl.
/**
 * Invokes the private {@code getCrlDistributionPoints(X509Certificate)} method of
 * {@link CRLVerifier} reflectively and returns the first URL it reports.
 *
 * @param certificate a certificate carrying a proper CRLDistributionPoints extension.
 * @return the first extracted CRL distribution point URL.
 * @throws Exception if the reflective lookup or invocation fails.
 */
private String getCRLDistributionPointUrl(X509Certificate certificate) throws Exception {
    // No cache is needed here; only the private helper is exercised.
    CRLVerifier verifier = new CRLVerifier(null);
    // The method is private, so it has to be reached via reflection.
    Method distributionPoints =
            CRLVerifier.class.getDeclaredMethod("getCrlDistributionPoints", X509Certificate.class);
    distributionPoints.setAccessible(true);
    // The helper returns a list of URLs; this test only needs the first entry.
    @SuppressWarnings("unchecked")
    List<String> urls = (List<String>) distributionPoints.invoke(verifier, certificate);
    return urls.get(0);
}
use of org.apache.synapse.transport.certificatevalidation.crl.CRLVerifier in project wso2-synapse by wso2.
the class CRLVerifierTest method testRevokedCertificate.
/**
 * Checks that {@link CRLVerifier} reports {@code REVOKED} for a certificate listed in a CRL.
 * <p>
 * A fake peer certificate is issued by a fake root and given the CRLDistributionPoints
 * extension copied from the real peer certificate in the resources directory, so its
 * distribution point URL matches the real one. A CRL revoking the fake certificate is then
 * placed in {@link CRLCache} under that URL; because the CRL is served from the cache, no
 * remote call to the distribution point is made during the test.
 *
 * @throws Exception if certificate, key or CRL generation fails.
 */
public void testRevokedCertificate() throws Exception {
    // BouncyCastle must be registered before any certificate/CRL generation below.
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    Utils helper = new Utils();

    // Real certificate from the resources folder; its distribution point URL is reused.
    X509Certificate realCert = helper.getRealPeerCertificate();
    String distributionPointUrl = getCRLDistributionPointUrl(realCert);

    // Fake issuing CA.
    KeyPair caKeys = helper.generateRSAKeyPair();
    X509Certificate fakeCa = helper.generateFakeRootCert(caKeys);

    // Fake peer certificate, signed by the fake CA, which the CRL below will revoke.
    KeyPair peerKeys = helper.generateRSAKeyPair();
    BigInteger revokedSerial = BigInteger.valueOf(111);
    X509Certificate revokedCert = generateFakePeerCert(
            revokedSerial, peerKeys.getPublic(), caKeys.getPrivate(), fakeCa, realCert);
    X509CRL crl = createCRL(fakeCa, caKeys.getPrivate(), revokedSerial);

    // Pre-populate the cache so the verifier never contacts the distribution point.
    CRLCache crlCache = CRLCache.getCache();
    crlCache.init(5, 5);
    crlCache.setCacheValue(distributionPointUrl, crl);

    RevocationStatus result = new CRLVerifier(crlCache).checkRevocationStatus(revokedCert, null);
    // The cached CRL lists the fake certificate's serial, so it must come back as REVOKED.
    assertTrue(result == RevocationStatus.REVOKED);
}
use of org.apache.synapse.transport.certificatevalidation.crl.CRLVerifier in project wso2-synapse by wso2.
the class RevocationVerificationTest method crlPathValidation.
/**
 * Validates the given certificate chain against CRLs only, using a freshly
 * initialised {@link CRLCache}.
 *
 * @param certChain the certificate chain to validate.
 * @throws Exception if path validation fails.
 */
private void crlPathValidation(X509Certificate[] certChain) throws Exception {
    CRLCache cache = CRLCache.getCache();
    cache.init(5, 5);
    // CRL-only verification: no OCSP verifier is involved in this path.
    RevocationVerifier crlVerifier = new CRLVerifier(cache);
    new CertificatePathValidator(certChain, crlVerifier).validatePath();
}