
Example 1 with CRLVerifier

use of org.apache.synapse.transport.certificatevalidation.crl.CRLVerifier in project wso2-synapse by wso2.

the class RevocationVerificationManager method verifyRevocationStatus.

/**
 * Checks the revocation status of a peer certificate chain.
 * <p>
 * The chain is first validated with OCSP (the cheaper check); only when that attempt
 * throws is the same chain validated again with CRL. The first verifier whose
 * {@code validatePath()} returns normally ends the method successfully.
 * <p>
 * NOTE(review): the catch block treats every exception from a verifier the same way,
 * so a definite "revoked" verdict from OCSP and an unreachable OCSP responder both fall
 * through to the CRL attempt. Whether a REVOKED result should short-circuit instead of
 * being retried against a (possibly staler) CRL depends on what CertificatePathValidator
 * throws in each case — confirm before relying on this for hard-fail semantics.
 *
 * @param peerCertificates javax.security.cert.X509Certificate[] array of peer certificate chain from peer/client.
 * @throws CertificateVerificationException when neither OCSP nor CRL validation succeeds.
 */
public void verifyRevocationStatus(javax.security.cert.X509Certificate[] peerCertificates) throws CertificateVerificationException {
    X509Certificate[] chain = convert(peerCertificates);
    long startedAt = System.currentTimeMillis();

    // Both caches are obtained through their static accessors and (re)initialised with the configured limits.
    OCSPCache ocspCache = OCSPCache.getCache();
    ocspCache.init(cacheSize, cacheDelayMins);
    CRLCache crlCache = CRLCache.getCache();
    crlCache.init(cacheSize, cacheDelayMins);

    // Order matters: OCSP is attempted first, CRL is the fallback.
    RevocationVerifier[] candidates = new RevocationVerifier[] { new OCSPVerifier(ocspCache), new CRLVerifier(crlCache) };
    for (int i = 0; i < candidates.length; i++) {
        RevocationVerifier current = candidates[i];
        String verifierName = current.getClass().getSimpleName();
        try {
            new CertificatePathValidator(chain, current).validatePath();
            log.info("Path verification Successful. Took " + (System.currentTimeMillis() - startedAt) + " ms.");
            return;
        } catch (Exception e) {
            // The cause is only visible at debug level; at info level just the verifier name is recorded.
            log.info(verifierName + " failed.");
            log.debug("Certificate verification with " + verifierName + " failed. ", e);
        }
    }
    throw new CertificateVerificationException("Path Verification Failed for both OCSP and CRL");
}

Example 2 with CRLVerifier

use of org.apache.synapse.transport.certificatevalidation.crl.CRLVerifier in project wso2-synapse by wso2.

the class CRLVerifierTest method getCRLDistributionPointUrl.

/**
 * Invokes the private {@code getCrlDistributionPoints(X509Certificate)} method of CRLVerifier
 * through reflection and returns the first URL it reports.
 *
 * @param certificate a certificate carrying a CRLDistributionPoints extension.
 * @return the first CRL distribution point URL extracted from the certificate.
 * @throws Exception on any reflection failure; an empty result list surfaces as an
 *         IndexOutOfBoundsException from {@code get(0)}.
 */
private String getCRLDistributionPointUrl(X509Certificate certificate) throws Exception {
    // A null cache is passed, as in the rest of these tests — presumably the extension parser
    // never touches it; confirm against CRLVerifier if that assumption changes.
    CRLVerifier verifier = new CRLVerifier(null);
    Method extractor = verifier.getClass().getDeclaredMethod("getCrlDistributionPoints", X509Certificate.class);
    // The target is private, so access has to be lifted before invoking it.
    extractor.setAccessible(true);
    // The method returns a list of URLs; only the first one is of interest here.
    List<?> urls = (List<?>) extractor.invoke(verifier, certificate);
    return (String) urls.get(0);
}

Example 3 with CRLVerifier

use of org.apache.synapse.transport.certificatevalidation.crl.CRLVerifier in project wso2-synapse by wso2.

the class CRLVerifierTest method testRevokedCertificate.

/**
 * Verifies that CRLVerifier reports REVOKED for a certificate listed in its issuer's CRL.
 * <p>
 * Setup: a throw-away CA key pair and root certificate are generated; a peer certificate
 * (serial 111) is issued under that CA, with the CRLDistributionPoints extension copied from
 * the real peer certificate in the resources directory so its distribution-point URL matches
 * the real one. A CRL revoking serial 111 is signed with the fake CA key and pre-loaded into
 * CRLCache under that URL, so the verifier is served from the cache and no remote call is
 * made to the CRL server.
 * <p>
 * NOTE(review): the second argument to checkRevocationStatus is null here, so this test does
 * not demonstrate whether the CRL's signature is validated against the issuing CA — confirm
 * that separately before treating this as coverage for CRL authenticity.
 *
 * @throws Exception on any setup or verification failure.
 */
public void testRevokedCertificate() throws Exception {
    // The certificate and CRL builders used below depend on the BouncyCastle provider.
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    Utils utils = new Utils();

    // Throw-away CA: key pair plus self-issued root.
    KeyPair caKeys = utils.generateRSAKeyPair();
    X509Certificate fakeCACert = utils.generateFakeRootCert(caKeys);

    // The real certificate in resources supplies the distribution-point URL the cache is keyed by.
    X509Certificate realPeerCertificate = utils.getRealPeerCertificate();
    String distributionPointUrl = getCRLDistributionPointUrl(realPeerCertificate);

    // Peer certificate issued by the fake CA; serial 111 is the one the CRL will revoke.
    KeyPair peerKeys = utils.generateRSAKeyPair();
    BigInteger revokedSerial = BigInteger.valueOf(111);
    X509Certificate revokedPeerCert = generateFakePeerCert(revokedSerial, peerKeys.getPublic(), caKeys.getPrivate(), fakeCACert, realPeerCertificate);
    X509CRL crl = createCRL(fakeCACert, caKeys.getPrivate(), revokedSerial);

    // Seed the cache so the lookup for distributionPointUrl is answered locally.
    CRLCache crlCache = CRLCache.getCache();
    crlCache.init(5, 5);
    crlCache.setCacheValue(distributionPointUrl, crl);

    RevocationStatus status = new CRLVerifier(crlCache).checkRevocationStatus(revokedPeerCert, null);
    // The seeded CRL lists serial 111, so the verifier must report the certificate as revoked.
    assertTrue(RevocationStatus.REVOKED == status);
}

Example 4 with CRLVerifier

use of org.apache.synapse.transport.certificatevalidation.crl.CRLVerifier in project wso2-synapse by wso2.

the class RevocationVerificationTest method crlPathValidation.

/**
 * Validates {@code certChain} using CRL-based revocation checking only (no OCSP).
 * The shared CRLCache is initialised with a small size/delay suitable for tests.
 *
 * @param certChain the certificate chain handed to CertificatePathValidator.
 * @throws Exception if path validation or the CRL revocation check fails.
 */
private void crlPathValidation(X509Certificate[] certChain) throws Exception {
    CRLCache cache = CRLCache.getCache();
    cache.init(5, 5);
    RevocationVerifier crlVerifier = new CRLVerifier(cache);
    new CertificatePathValidator(certChain, crlVerifier).validatePath();
}
