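/**
 * Performs cheap, synchronous sanity checks on the client's certificate chain and then hands the
 * chain to the device registry based validation, which runs asynchronously on the adapter's context.
 * <p>
 * The checks done here are:
 * <ul>
 * <li>a missing chain (raw public key) is rejected,</li>
 * <li>an empty chain is rejected,</li>
 * <li>if {@code clientUsage} is given and the end-entity certificate is an {@link X509Certificate},
 * its key usage is checked with {@code CertPathUtil}; certificates of any other type are passed on
 * to the asynchronous validation without this check.</li>
 * </ul>
 * Every rejection is reported with a FATAL {@code BAD_CERTIFICATE} alert. Passing these checks does
 * <em>not</em> mean the certificate is trusted: the trust decision is made by the asynchronous
 * validation, which delivers its result through the configured result handler.
 * <p>
 * {@code serverName} and {@code truncateCertificatePath} are not used by this implementation.
 *
 * @param cid the connection id to report the result.
 * @param serverName the server names indicated by the client (ignored).
 * @param clientUsage whether the certificate is to be used for client authentication, or {@code null}
 *                    to skip the key usage check.
 * @param truncateCertificatePath whether to truncate the certificate path (ignored).
 * @param message the certificate message received from the peer.
 * @param session the DTLS session the certificate belongs to.
 * @return a failed result if one of the synchronous checks rejected the chain, otherwise {@code null}
 *         because the result is provided asynchronously via the result handler (presumably the
 *         contract Californium expects for pending verifications).
 */
@Override
public CertificateVerificationResult verifyCertificate(final ConnectionId cid, final ServerNames serverName,
        final Boolean clientUsage, final boolean truncateCertificatePath, final CertificateMessage message,
        final DTLSSession session) {
    try {
        final CertPath certChain = message.getCertificateChain();
        if (certChain == null) {
            // no chain means the peer authenticates with a raw public key, which is not supported here
            throw new HandshakeException("RPK not supported", fatalBadCertificateAlert(session));
        }
        final var certificates = certChain.getCertificates();
        if (certificates.isEmpty()) {
            throw new HandshakeException("client certificate chain must not be empty", fatalBadCertificateAlert(session));
        }
        if (clientUsage != null) {
            // the end-entity certificate is the first element of the path
            final Certificate clientCertificate = certificates.get(0);
            if (clientCertificate instanceof X509Certificate
                    && !CertPathUtil.canBeUsedForAuthentication((X509Certificate) clientCertificate, clientUsage)) {
                throw new HandshakeException("certificate cannot be used for client authentication",
                        fatalBadCertificateAlert(session));
            }
        }
        // the actual trust decision requires a device registry lookup and is completed asynchronously
        adapter.runOnContext(v -> validateCertificateAndLoadDevice(cid, certChain, session));
        return null;
    } catch (final HandshakeException e) {
        LOG.debug("certificate validation failed", e);
        return new CertificateVerificationResult(cid, e, null);
    }
}

/**
 * Creates the alert used for every certificate rejection in {@link #verifyCertificate}.
 *
 * @param session the session whose peer the alert is addressed to.
 * @return a FATAL {@code BAD_CERTIFICATE} alert.
 */
private static AlertMessage fatalBadCertificateAlert(final DTLSSession session) {
    return new AlertMessage(AlertLevel.FATAL, AlertDescription.BAD_CERTIFICATE, session.getPeer());
}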
/**
 * Validates a device's client certificate and completes the DTLS handshake result handler.
 * <p>
 * The outcome is reported asynchronously: a successful validation yields a result carrying the
 * certificate path and the loaded device information, a failed one yields a result carrying a
 * {@link HandshakeException} with a FATAL {@code BAD_CERTIFICATE} alert. In both cases the tracing
 * span is finished right before the result is passed to the result handler.
 *
 * @param cid the connection id to report the result.
 * @param certPath certificate path.
 * @param session session.
 * @see #setResultHandler(HandshakeResultHandler)
 */
private void validateCertificateAndLoadDevice(final ConnectionId cid, final CertPath certPath, final DTLSSession session) {
    LOG.debug("validating client's X.509 certificate");
    final Span span = tracer.buildSpan("validate client certificate")
            .withTag(Tags.SPAN_KIND.getKey(), Tags.SPAN_KIND_CLIENT)
            .withTag(Tags.COMPONENT.getKey(), adapter.getTypeName())
            .start();
    final var outcome = validateCertificateAndLoadDevice(session, certPath, span)
            // the loaded device information travels with the result as its custom argument
            .map(additionalInfo -> new CertificateVerificationResult(cid, certPath, additionalInfo))
            .otherwise(cause -> {
                TracingHelper.logError(span, "could not validate X509 for device", cause);
                LOG.debug("error validating X509", cause);
                final AlertMessage alert = new AlertMessage(AlertLevel.FATAL, AlertDescription.BAD_CERTIFICATE, session.getPeer());
                return new CertificateVerificationResult(cid, new HandshakeException("error validating X509", alert), null);
            });
    // failures were mapped to a (failed) result above, so the handler is invoked on either path
    outcome.onSuccess(result -> {
        span.finish();
        californiumResultHandler.apply(result);
    });
}