Search in sources :

Example 1 with HandshakeException

use of org.eclipse.californium.scandium.dtls.HandshakeException in project hono by eclipse.

the class DeviceRegistryBasedCertificateVerifier method verifyCertificate.

@Override
public CertificateVerificationResult verifyCertificate(final ConnectionId cid, final ServerNames serverName, final Boolean clientUsage, final boolean truncateCertificatePath, final CertificateMessage message, final DTLSSession session) {
    try {
        final CertPath certChain = message.getCertificateChain();
        if (certChain == null) {
            final AlertMessage alert = new AlertMessage(AlertLevel.FATAL, AlertDescription.BAD_CERTIFICATE, session.getPeer());
            throw new HandshakeException("RPK not supported", alert);
        }
        final var certificates = certChain.getCertificates();
        if (certificates.isEmpty()) {
            final AlertMessage alert = new AlertMessage(AlertLevel.FATAL, AlertDescription.BAD_CERTIFICATE, session.getPeer());
            throw new HandshakeException("client certificate chain must not be empty", alert);
        }
        if (clientUsage != null) {
            final Certificate clientCertificate = certificates.get(0);
            if (clientCertificate instanceof X509Certificate && !CertPathUtil.canBeUsedForAuthentication((X509Certificate) clientCertificate, clientUsage)) {
                final AlertMessage alert = new AlertMessage(AlertLevel.FATAL, AlertDescription.BAD_CERTIFICATE, session.getPeer());
                throw new HandshakeException("certificate cannot be used for client authentication", alert);
            }
        }
        adapter.runOnContext((v) -> validateCertificateAndLoadDevice(cid, certChain, session));
        return null;
    } catch (HandshakeException e) {
        LOG.debug("certificate validation failed", e);
        return new CertificateVerificationResult(cid, e, null);
    }
}
Also used : CertPath(java.security.cert.CertPath) HandshakeException(org.eclipse.californium.scandium.dtls.HandshakeException) AlertMessage(org.eclipse.californium.scandium.dtls.AlertMessage) X509Certificate(java.security.cert.X509Certificate) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate) CertificateVerificationResult(org.eclipse.californium.scandium.dtls.CertificateVerificationResult)

Example 2 with HandshakeException

use of org.eclipse.californium.scandium.dtls.HandshakeException in project hono by eclipse.

the class DeviceRegistryBasedCertificateVerifier method validateCertificateAndLoadDevice.

/**
 * Validates a device's client certificate and completes the DTLS handshake result handler.
 *
 * @param cid the connection id to report the result.
 * @param certPath certificate path.
 * @param session session.
 * @see #setResultHandler(HandshakeResultHandler)
 */
private void validateCertificateAndLoadDevice(final ConnectionId cid, final CertPath certPath, final DTLSSession session) {
    LOG.debug("validating client's X.509 certificate");
    final Span span = tracer.buildSpan("validate client certificate").withTag(Tags.SPAN_KIND.getKey(), Tags.SPAN_KIND_CLIENT).withTag(Tags.COMPONENT.getKey(), adapter.getTypeName()).start();
    validateCertificateAndLoadDevice(session, certPath, span).map(info -> {
        // set AdditionalInfo as customArgument here
        return new CertificateVerificationResult(cid, certPath, info);
    }).otherwise(t -> {
        TracingHelper.logError(span, "could not validate X509 for device", t);
        LOG.debug("error validating X509", t);
        final AlertMessage alert = new AlertMessage(AlertLevel.FATAL, AlertDescription.BAD_CERTIFICATE, session.getPeer());
        return new CertificateVerificationResult(cid, new HandshakeException("error validating X509", alert), null);
    }).onSuccess(result -> {
        span.finish();
        californiumResultHandler.apply(result);
    });
}
Also used : HttpURLConnection(java.net.HttpURLConnection) X509Certificate(java.security.cert.X509Certificate) X500Principal(javax.security.auth.x500.X500Principal) LoggerFactory(org.slf4j.LoggerFactory) CertificateType(org.eclipse.californium.scandium.dtls.CertificateType) ClientErrorException(org.eclipse.hono.client.ClientErrorException) AlertDescription(org.eclipse.californium.scandium.dtls.AlertMessage.AlertDescription) Tags(io.opentracing.tag.Tags) CertificateMessage(org.eclipse.californium.scandium.dtls.CertificateMessage) ServerName(org.eclipse.californium.scandium.util.ServerName) DeviceCredentials(org.eclipse.hono.adapter.auth.device.DeviceCredentials) HandshakeException(org.eclipse.californium.scandium.dtls.HandshakeException) CertPathUtil(org.eclipse.californium.elements.util.CertPathUtil) ServerNames(org.eclipse.californium.scandium.util.ServerNames) StreamSupport(java.util.stream.StreamSupport) NewAdvancedCertificateVerifier(org.eclipse.californium.scandium.dtls.x509.NewAdvancedCertificateVerifier) TracingHelper(org.eclipse.hono.tracing.TracingHelper) X509Authentication(org.eclipse.hono.adapter.auth.device.X509Authentication) Logger(org.slf4j.Logger) NameType(org.eclipse.californium.scandium.util.ServerName.NameType) Tracer(io.opentracing.Tracer) TenantServiceBasedX509Authentication(org.eclipse.hono.adapter.auth.device.TenantServiceBasedX509Authentication) AlertLevel(org.eclipse.californium.scandium.dtls.AlertMessage.AlertLevel) AdditionalInfo(org.eclipse.californium.elements.auth.AdditionalInfo) Promise(io.vertx.core.Promise) HandshakeResultHandler(org.eclipse.californium.scandium.dtls.HandshakeResultHandler) CertPath(java.security.cert.CertPath) Collectors(java.util.stream.Collectors) Future(io.vertx.core.Future) Device(org.eclipse.hono.auth.Device) Objects(java.util.Objects) DTLSSession(org.eclipse.californium.scandium.dtls.DTLSSession) List(java.util.List) Certificate(java.security.cert.Certificate) TenantTraceSamplingHelper(org.eclipse.hono.tracing.TenantTraceSamplingHelper) DeviceCredentialsAuthProvider(org.eclipse.hono.adapter.auth.device.DeviceCredentialsAuthProvider) X509AuthProvider(org.eclipse.hono.adapter.auth.device.X509AuthProvider) ConnectionId(org.eclipse.californium.scandium.dtls.ConnectionId) CertificateVerificationResult(org.eclipse.californium.scandium.dtls.CertificateVerificationResult) Optional(java.util.Optional) AlertMessage(org.eclipse.californium.scandium.dtls.AlertMessage) Span(io.opentracing.Span) SubjectDnCredentials(org.eclipse.hono.adapter.auth.device.SubjectDnCredentials) Span(io.opentracing.Span) HandshakeException(org.eclipse.californium.scandium.dtls.HandshakeException) AlertMessage(org.eclipse.californium.scandium.dtls.AlertMessage) CertificateVerificationResult(org.eclipse.californium.scandium.dtls.CertificateVerificationResult)

Aggregations

CertPath (java.security.cert.CertPath)2 Certificate (java.security.cert.Certificate)2 X509Certificate (java.security.cert.X509Certificate)2 AlertMessage (org.eclipse.californium.scandium.dtls.AlertMessage)2 CertificateVerificationResult (org.eclipse.californium.scandium.dtls.CertificateVerificationResult)2 HandshakeException (org.eclipse.californium.scandium.dtls.HandshakeException)2 Span (io.opentracing.Span)1 Tracer (io.opentracing.Tracer)1 Tags (io.opentracing.tag.Tags)1 Future (io.vertx.core.Future)1 Promise (io.vertx.core.Promise)1 HttpURLConnection (java.net.HttpURLConnection)1 List (java.util.List)1 Objects (java.util.Objects)1 Optional (java.util.Optional)1 Collectors (java.util.stream.Collectors)1 StreamSupport (java.util.stream.StreamSupport)1 X500Principal (javax.security.auth.x500.X500Principal)1 AdditionalInfo (org.eclipse.californium.elements.auth.AdditionalInfo)1 CertPathUtil (org.eclipse.californium.elements.util.CertPathUtil)1