Example 1 with RevocationManager

Use of org.nhindirect.stagent.cert.RevocationManager in project nhin-d by DirectProject.

From the class CRLManagerTest, method testCrlManager:

/**
 * Test the CRLManager class with normal and non-normal input.
 */
public void testCrlManager() {
    // Derive the test resource directory from the bundled CRL file; the path may contain URL-encoded spaces.
    String tmp = this.getClass().getClassLoader().getResource("crl/certs.crl").getPath();
    final String workingDir = tmp.substring(0, tmp.lastIndexOf("/") + 1).replaceAll("%20", " ");
    String internalKeystoreFile = workingDir + "keystore";
    KeyStoreCertificateStore service = new KeyStoreCertificateStore(internalKeystoreFile, KEY_STORE_PASSWORD, PRIVATE_KEY_PASSWORD);
    // Anonymous subclass rewrites the CRL location URL found in the test certificates (http://JUNIT)
    // to a file:// URL under the working directory, so the CRL is read locally without any network access.
    RevocationManager crlManager = new CRLRevocationManager() {

        @Override
        protected String getNameString(String generalNameString) {
            String s = super.getNameString(generalNameString);
            return s.replace("http://JUNIT", "file://" + workingDir);
        }
    };
    // First pass: the CRL is fetched and parsed; only the "revoked" alias should be reported as revoked.
    assertEquals("Output does not match expected", false, crlManager.isRevoked(null));
    assertEquals("Output does not match expected", false, crlManager.isRevoked(service.getByAlias("valid")));
    assertEquals("Output does not match expected", true, crlManager.isRevoked(service.getByAlias("revoked")));
    assertEquals("Output does not match expected", false, crlManager.isRevoked(service.getByAlias("gm2552")));
    assertEquals("Output does not match expected", false, crlManager.isRevoked(service.getByAlias("missing")));
    // Second pass: the same queries are served from the CRL cache and must give identical results.
    assertEquals("Output does not match expected", false, crlManager.isRevoked(null));
    assertEquals("Output does not match expected", false, crlManager.isRevoked(service.getByAlias("valid")));
    assertEquals("Output does not match expected", true, crlManager.isRevoked(service.getByAlias("revoked")));
    assertEquals("Output does not match expected", false, crlManager.isRevoked(service.getByAlias("gm2552")));
    assertEquals("Output does not match expected", false, crlManager.isRevoked(service.getByAlias("missing")));
}
Also used: KeyStoreCertificateStore (org.nhindirect.stagent.cert.impl.KeyStoreCertificateStore), CRLRevocationManager (org.nhindirect.stagent.cert.impl.CRLRevocationManager), RevocationManager (org.nhindirect.stagent.cert.RevocationManager)

Example 2 with RevocationManager

Use of org.nhindirect.stagent.cert.RevocationManager in project nhin-d by DirectProject.

From the class TrustModel, method findTrustedSignature:

protected DefaultMessageSignatureImpl findTrustedSignature(IncomingMessage message, InternetAddress recipient, Collection<X509Certificate> anchors) {
    NHINDAddress sender = message.getSender();
    Collection<DefaultMessageSignatureImpl> signatures = message.getSenderSignatures();
    DefaultMessageSignatureImpl lastTrustedSignature = null;
    final RevocationManager revocationManager = CRLRevocationManager.getInstance();
    for (DefaultMessageSignatureImpl signature : signatures) {
        // before checking for cert chain validation, make sure we aren't dealing with a revoked certificate
        if (revocationManager.isRevoked(signature.getSignerCert()))
            continue;
        boolean certTrustedAndInPolicy = certChainValidator.isTrusted(signature.getSignerCert(), anchors) && signature.checkSignature();
        if (certTrustedAndInPolicy && recipient != null) {
            certTrustedAndInPolicy = this.isCertPolicyCompliant(recipient, signature.getSignerCert());
        }
        if (certTrustedAndInPolicy) {
            if (!sender.hasCertificates())
                // Can't really check thumbprints etc. So, this is about as good as it's going to get
                return signature;
            if (signature.checkThumbprint(sender)) {
                return signature;
            }
            //
            // We'll save this guy, but keep looking for a signer whose thumbprint we can verify.
            // If we can't find one, we'll use the last trusted signer we found, and just mark the recipient's trust
            // enforcement status as Success_ThumbprintMismatch
            //
            lastTrustedSignature = signature;
        }
    }
    return lastTrustedSignature;
}
Also used: NHINDAddress (org.nhindirect.stagent.NHINDAddress), DefaultMessageSignatureImpl (org.nhindirect.stagent.DefaultMessageSignatureImpl), CRLRevocationManager (org.nhindirect.stagent.cert.impl.CRLRevocationManager), RevocationManager (org.nhindirect.stagent.cert.RevocationManager)
