use of org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker in project cas by apereo.
the class CRLDistributionPointRevocationCheckerTests method getTestParameters.
/**
 * Builds the parameterised fixture for {@code CRLDistributionPointRevocationChecker}.
 *
 * <p>Every entry has the shape {@code {checker, certificate resource names, CRL resource name,
 * expected exception}}; a {@code null} fourth element means the check is expected to pass.
 * The Ehcache singleton manager is wiped first and one fresh cache region is registered per case,
 * so the cases never share cached CRL data.
 *
 * <p>Reviewer note: cases #4 and #5 deliberately wire <em>fail-open</em> policies (an expired-CRL
 * policy that never throws, and {@code AllowRevocationPolicy} for an unavailable CRL). They exist to
 * prove the policy hook works, not as a recommended production setting.
 *
 * @return the test matrix, in case-number order
 * @throws Exception if a fixture cannot be built
 */
@Parameters
public static Collection<Object[]> getTestParameters() throws Exception {
    CacheManager.getInstance().removeAllCaches();
    final Collection<Object[]> cases = new ArrayList<>();
    // Both policies are threshold 0; they are kept apart only so case #3 reads as intended.
    final ThresholdExpiredCRLRevocationPolicy defaultPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
    final ThresholdExpiredCRLRevocationPolicy zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);

    // Case #0: valid certificate whose CRL distribution point URL is percent-encoded; must pass.
    cases.add(new Object[] {
        new CRLDistributionPointRevocationChecker(newRegisteredCrlCache(0), defaultPolicy, null),
        new String[] { "uservalid-encoded-crl.crt" }, "test ca.crl", null });

    // Case #1: valid certificate, valid CRL, "check all" flag set; must pass.
    cases.add(new Object[] {
        new CRLDistributionPointRevocationChecker(newRegisteredCrlCache(1), defaultPolicy, null, true),
        new String[] { "user-valid-distcrl.crt" }, "userCA-valid.crl", null });

    // Case #2: certificate listed on a valid CRL; must be reported revoked.
    cases.add(new Object[] {
        new CRLDistributionPointRevocationChecker(newRegisteredCrlCache(2), defaultPolicy, null),
        new String[] { "user-revoked-distcrl.crt" }, "userCA-valid.crl",
        new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), new BigInteger("1")) });

    // Case #3: valid certificate but the CRL itself has expired; a zero-threshold policy must reject it.
    cases.add(new Object[] {
        new CRLDistributionPointRevocationChecker(newRegisteredCrlCache(3), zeroThresholdPolicy, null),
        new String[] { "user-valid-distcrl.crt" }, "userCA-expired.crl",
        new ExpiredCRLException("test", ZonedDateTime.now(ZoneOffset.UTC)) });

    // Case #4: same expired CRL, but the expired-CRL policy is a no-op that never throws (fail-open); must pass.
    cases.add(new Object[] {
        new CRLDistributionPointRevocationChecker(newRegisteredCrlCache(4), crl -> {
        }, null),
        new String[] { "user-valid-distcrl.crt" }, "userCA-expired.crl", null });

    // Case #5: certificate without CRL distribution points; the unavailable-CRL policy is
    // AllowRevocationPolicy (fail-open), so the missing CRL is tolerated and the check passes.
    final CRLDistributionPointRevocationChecker allowWhenUnavailable =
        new CRLDistributionPointRevocationChecker(newRegisteredCrlCache(5), defaultPolicy, new AllowRevocationPolicy());
    cases.add(new Object[] { allowWhenUnavailable, new String[] { "user-valid.crt" }, "userCA-expired.crl", null });

    // Case #6 (EJBCA): the distribution point URI carries an un-escaped issuer DN in its query
    // string and so is not a valid URI under RFC 2396. The checker is expected to normalise it,
    // fetch the CRL anyway and still report the certificate as revoked.
    cases.add(new Object[] {
        new CRLDistributionPointRevocationChecker(newRegisteredCrlCache(6), defaultPolicy, null),
        new String[] { "user-revoked-distcrl2.crt" }, "userCA-valid.crl",
        new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), new BigInteger("1")) });

    return cases;
}

/**
 * Creates the Ehcache region every case uses ({@code crlCache-<index>}, 100 in-memory elements,
 * no disk overflow, not eternal, 20s TTL, 10s idle) and registers it with the singleton manager.
 *
 * @param caseIndex number of the test case the region belongs to
 * @return the registered cache
 */
private static Cache newRegisteredCrlCache(final int caseIndex) {
    final Cache region = new Cache("crlCache-" + caseIndex, 100, false, false, 20, 10);
    CacheManager.getInstance().addCache(region);
    return region;
}
use of org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker in project cas by apereo.
the class X509AuthenticationConfiguration method x509CredentialsAuthenticationHandler.
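/**
 * Builds the X.509 credential authentication handler, wiring in the revocation checker
 * selected by {@code cas.authn.x509.revocationChecker}.
 *
 * <p>Security note: revocation checking is the only control that rejects a certificate the CA
 * has withdrawn. An unrecognised checker name used to fall through to the no-op checker, which
 * meant a typo in the property silently disabled revocation checking (fail-open). It is now
 * treated as a configuration error so the context fails to start instead; only the explicit
 * value {@code none} opts out.
 *
 * @return the configured handler
 * @throws IllegalArgumentException if the configured revocation checker name is not one of
 *         {@code resource}, {@code crl} or {@code none} (compared case-insensitively, trimmed)
 */
@Bean
@RefreshScope
public AuthenticationHandler x509CredentialsAuthenticationHandler() {
    final X509Properties x509 = casProperties.getAuthn().getX509();
    final String checkerName = x509.getRevocationChecker().trim().toLowerCase();
    final RevocationChecker revChecker;
    switch (checkerName) {
        case "resource":
            revChecker = resourceCrlRevocationChecker();
            break;
        case "crl":
            revChecker = crlDistributionPointRevocationChecker();
            break;
        case "none":
            // Explicit opt-out: the operator has chosen to skip revocation checking.
            revChecker = noOpRevocationChecker();
            break;
        default:
            // Fail closed: never map an unknown value to the no-op checker.
            throw new IllegalArgumentException("Unsupported X.509 revocation checker [" + checkerName
                + "]; expected one of resource, crl, none");
    }
    // Issuer/subject DN filters are optional; a blank pattern property disables that filter.
    return new X509CredentialsAuthenticationHandler(
        x509.getName(),
        servicesManager,
        x509PrincipalFactory(),
        StringUtils.isNotBlank(x509.getRegExTrustedIssuerDnPattern())
            ? RegexUtils.createPattern(x509.getRegExTrustedIssuerDnPattern()) : null,
        x509.getMaxPathLength(),
        x509.isMaxPathLengthAllowUnspecified(),
        x509.isCheckKeyUsage(),
        x509.isRequireKeyUsage(),
        StringUtils.isNotBlank(x509.getRegExSubjectDnPattern())
            ? RegexUtils.createPattern(x509.getRegExSubjectDnPattern()) : null,
        revChecker);
}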
use of org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker in project cas by apereo.
the class LdaptiveResourceCRLFetcherTests method getCrlFromLdapWithNoCaching.
/**
 * Resolves the CRL for {@code ldap-crl.crt} through the LDAP fetcher ten times, throwing away and
 * re-registering the cache region before every attempt so each call goes to the directory rather
 * than to a cached CRL.
 *
 * <p>The checker is built with {@code checkAll=false}, {@code AllowRevocationPolicy} for an
 * unavailable CRL, no expired-CRL policy and the last flag set to {@code true} (presumably
 * "throw on fetch failure", going by the property name used for that position in
 * {@code X509AuthenticationConfiguration}). The test has no explicit assertion: it passes as long
 * as {@code check} does not throw.
 *
 * @throws Exception if the certificate cannot be read or the check fails
 */
@Test
public void getCrlFromLdapWithNoCaching() throws Exception {
    final int attempts = 10;
    int attempt = 0;
    while (attempt < attempts) {
        // Fresh region every round: nothing from the previous attempt may be served from cache.
        CacheManager.getInstance().removeAllCaches();
        final Cache freshRegion = new Cache("crlCache-1", 100, false, false, 20, 10);
        CacheManager.getInstance().addCache(freshRegion);
        final CRLDistributionPointRevocationChecker uncachedChecker =
            new CRLDistributionPointRevocationChecker(false, new AllowRevocationPolicy(), null, freshRegion, fetcher, true);
        final X509Certificate certificate = CertUtils.readCertificate(new ClassPathResource("ldap-crl.crt"));
        uncachedChecker.check(certificate);
        attempt++;
    }
}
use of org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker in project cas by apereo.
the class LdaptiveResourceCRLFetcherTests method getCrlFromLdap.
/**
 * Resolves the CRL for {@code ldap-crl.crt} through the LDAP fetcher ten times against a single
 * cache region registered once up front, so every round after the first may be answered from
 * the cache rather than the directory.
 *
 * <p>Checker arguments are {@code checkAll=false}, {@code AllowRevocationPolicy} for an
 * unavailable CRL, no expired-CRL policy, the shared cache, the class's {@code fetcher} and a
 * final {@code true} flag (presumably "throw on fetch failure", by analogy with the property
 * wired into that position in {@code X509AuthenticationConfiguration}). There is no explicit
 * assertion; the test passes if no round throws.
 *
 * @throws Exception if the certificate cannot be read or the check fails
 */
@Test
public void getCrlFromLdap() throws Exception {
    CacheManager.getInstance().removeAllCaches();
    final Cache sharedRegion = new Cache("crlCache-1", 100, false, false, 20, 10);
    CacheManager.getInstance().addCache(sharedRegion);
    for (int round = 1; round <= 10; round++) {
        final CRLDistributionPointRevocationChecker cachedChecker = new CRLDistributionPointRevocationChecker(
            false, new AllowRevocationPolicy(), null, sharedRegion, fetcher, true);
        final X509Certificate certificate = CertUtils.readCertificate(new ClassPathResource("ldap-crl.crt"));
        cachedChecker.check(certificate);
    }
}
use of org.apereo.cas.adaptors.x509.authentication.revocation.checker.CRLDistributionPointRevocationChecker in project cas by apereo.
the class X509AuthenticationConfiguration method crlDistributionPointRevocationChecker.
/**
 * Revocation checker that fetches CRLs from the certificate's CRL distribution points and keeps
 * them in a uniquely named Ehcache region whose size and ageing come from the
 * {@code cas.authn.x509.cache*} properties.
 *
 * <p>Operational caveat: a revocation published by the CA is only seen once the cached CRL ages
 * out. If {@code cacheEternal} is set, or the TTL/idle values exceed the CA's CRL publication
 * interval, a revoked certificate keeps authenticating until the cache is rebuilt. Keep the TTL
 * below the CRL's next-update window.
 *
 * <p>NOTE(review): the region is created but not added to a {@code CacheManager} here, whereas
 * the tests call {@code CacheManager.getInstance().addCache(cache)} before use. Confirm the checker
 * registers the cache itself; an unregistered Ehcache region is not alive.
 *
 * @return the configured checker
 */
@Bean
public RevocationChecker crlDistributionPointRevocationChecker() {
    final X509Properties x509 = casProperties.getAuthn().getX509();
    // Random suffix keeps the region name unique if the bean is built more than once in a JVM.
    final String regionName = "CRL" + UUID.randomUUID();
    final Cache crlRegion = new Cache(regionName,
        x509.getCacheMaxElementsInMemory(),
        x509.isCacheDiskOverflow(),
        x509.isCacheEternal(),
        x509.getCacheTimeToLiveSeconds(),
        x509.getCacheTimeToIdleSeconds());
    // Argument order: checkAll, unavailable-CRL policy, expired-CRL policy, cache, fetcher, throwOnFetchFailure.
    return new CRLDistributionPointRevocationChecker(
        x509.isCheckAll(),
        getRevocationPolicy(x509.getCrlUnavailablePolicy()),
        getRevocationPolicy(x509.getCrlExpiredPolicy()),
        crlRegion,
        crlFetcher(),
        x509.isThrowOnFetchFailure());
}