use of org.openecard.bouncycastle.tls.TlsServerCertificate in project open-ecard by ecsec.
the class PACEStep method checkTCTokenServerCertificates.
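/**
 * Checks that every TLS server certificate seen while fetching the TCToken is listed in the CommCertificates
 * of the given CertificateDescription.
 * <p>
 * The certificates are read from the dynamic context under TR03112Keys.TCTOKEN_SERVER_CERTIFICATES as
 * (URL, certificate) pairs. Each pair is matched against the description with TR03112Utils.isInCommCertificates,
 * using the scheme, host and (only if explicitly given) port of its URL as the host identifier.
 *
 * @param certDescription Certificate description whose CommCertificates the server certificates must be in.
 * @param dynCtx Dynamic context in which the fetching code recorded the server certificates.
 * @return {@code true} if every recorded certificate is contained in the CommCertificates, {@code false} if one is
 *   missing or no certificate list was stored in the context at all.
 */
private boolean checkTCTokenServerCertificates(CertificateDescription certDescription, DynamicContext dynCtx) {
    // The dynamic context is untyped; the producer side stores exactly this list type, so the cast is the only
    // way to get it back. Suppression is kept on the smallest possible scope.
    @SuppressWarnings("unchecked")
    List<Pair<URL, TlsServerCertificate>> certificates =
        (List<Pair<URL, TlsServerCertificate>>) dynCtx.get(TR03112Keys.TCTOKEN_SERVER_CERTIFICATES);
    if (certificates == null) {
        LOG.error("No TC Token server certificates set in Dynamic Context.");
        return false;
    }

    for (Pair<URL, TlsServerCertificate> cert : certificates) {
        // Null entries cannot be matched; they are skipped rather than counted as a failure.
        if (cert == null) {
            continue;
        }
        URL u = cert.p1;
        // scheme://host[:port] — the port is only appended when the URL carries an explicit one
        String host = u.getProtocol() + "://" + u.getHost() + (u.getPort() == -1 ? "" : (":" + u.getPort()));
        TlsServerCertificate bcCert = cert.p2;
        if (!TR03112Utils.isInCommCertificates(bcCert, certDescription.getCommCertificates(), host)) {
            return false;
        }
    }
    // NOTE(review): an empty list also passes; confirm that an empty recording cannot occur once a TCToken has
    // actually been fetched over TLS.
    return true;
}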
use of org.openecard.bouncycastle.tls.TlsServerCertificate in project open-ecard by ecsec.
the class TCTokenContext method generateTCToken.
/**
 * Builds a TCTokenContext from raw TCToken data obtained through the given resource context.
 * <p>
 * The data is first cleaned of common TCToken shortcomings, then parsed; an error token delivered by the server is
 * turned into an AuthServerException. The URL of the first recorded server connection is stored in the dynamic
 * context as TR03112Keys.TCTOKEN_URL before the verifier's URL checks run and the context is created.
 *
 * @param data Raw TCToken data as received from the server.
 * @param base Resource context the data came from; it supplies the recorded (URL, certificate) pairs.
 * @return Context wrapping the parsed and URL-verified token.
 * @throws InvalidTCTokenException Thrown if the cleaned data contains no TCToken.
 * @throws AuthServerException Thrown if the server delivered an error token; carries the token's error address.
 * @throws InvalidRedirectUrlException Presumably propagated from the verifier's URL checks.
 * @throws InvalidTCTokenElement Presumably propagated from the verifier's URL checks.
 * @throws InvalidTCTokenUrlException Presumably propagated from the verifier's URL checks.
 * @throws SecurityViolationException Presumably propagated from the verifier's URL checks.
 * @throws UserCancellationException Presumably propagated from the verifier's URL checks.
 */
private static TCTokenContext generateTCToken(String data, ResourceContext base) throws InvalidTCTokenException, AuthServerException, InvalidRedirectUrlException, InvalidTCTokenElement, InvalidTCTokenUrlException, SecurityViolationException, UserCancellationException {
    // repair common TCToken shortcomings before parsing
    String cleaned = TCTokenHacks.fixPathSecurityParameters(data);
    LOG.debug("Cleaned up TCToken:\n{}", cleaned);

    // parse; an empty result means the data carried no token at all
    TCTokenParser tokenParser = new TCTokenParser();
    List<TCToken> parsedTokens = tokenParser.parse(cleaned);
    if (parsedTokens.isEmpty()) {
        throw new InvalidTCTokenException(NO_TCTOKEN_IN_DATA);
    }

    // only the first token is used
    TCToken token = parsedTokens.get(0);
    TCTokenVerifier verifier = new TCTokenVerifier(token, base);
    if (verifier.isErrorToken()) {
        String errorAddress = token.getComErrorAddressWithParams(ResultMinor.CLIENT_ERROR);
        throw new AuthServerException(errorAddress, ESERVICE_ERROR);
    }

    // remember the URL of the first recorded connection as the token URL
    // (the list may be empty, presumably only in tests)
    DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);
    List<Pair<URL, TlsServerCertificate>> connections = base.getCerts();
    if (!connections.isEmpty()) {
        Pair<URL, TlsServerCertificate> origin = connections.get(0);
        dynCtx.put(TR03112Keys.TCTOKEN_URL, origin.p1);
    }

    verifier.verifyUrlToken();
    return new TCTokenContext(token, base);
}
use of org.openecard.bouncycastle.tls.TlsServerCertificate in project open-ecard by ecsec.
the class TCTokenHandler method determineRefreshURL.
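/**
 * Follow the URL in the RefreshAddress and update it in the response.
 * The redirect is followed as long as the response is a redirect (302, 303 or 307) AND is a
 * https-URL AND the hash of the retrieved server certificate is contained in the CertificateDescription, else
 * return 400. If the URL and the subjectURL in the CertificateDescription conform to the SOP we reached our final
 * destination.
 * <p>
 * The checks are skipped entirely when TR03112Keys.OBJECT_ACTIVATION is set to {@code true} in the dynamic
 * context (object tag activation); the response is then returned unchanged. Whether the certificate checks are
 * performed while following the redirects is decided by isPerformTR03112Checks(request). On success
 * TR03112Keys.IS_REFRESH_URL_VALID is set to {@code true} in the dynamic context.
 *
 * @param request TCToken request used to determine which security checks to perform.
 * @param response The TCToken response in which the original refresh address is defined and where it will be
 *   updated.
 * @return Modified response with the final address the browser should be redirected to.
 * @throws InvalidRedirectUrlException Thrown in case no redirect URL could be determined and the token has no
 *   communication error address.
 * @throws SecurityViolationException Thrown in case no redirect URL could be determined and the token has a
 *   communication error address the browser can be sent to.
 * @throws IllegalStateException Thrown if the refresh address in the response is not a valid URL.
 */
private static TCTokenResponse determineRefreshURL(TCTokenRequest request, TCTokenResponse response) throws InvalidRedirectUrlException, SecurityViolationException {
    try {
        String endpointStr = response.getRefreshAddress();
        URL endpoint = new URL(endpointStr);
        DynamicContext dynCtx = DynamicContext.getInstance(TR03112Keys.INSTANCE_KEY);

        // omit checks completely if this is an object tag activation
        // Boolean.TRUE.equals is false for null and for non-Boolean values, so no instanceof/cast is needed
        if (Boolean.TRUE.equals(dynCtx.get(TR03112Keys.OBJECT_ACTIVATION))) {
            return response;
        }

        // disable certificate checks according to BSI TR03112-7 in some situations
        boolean redirectChecks = isPerformTR03112Checks(request);
        RedirectCertificateValidator verifier = new RedirectCertificateValidator(redirectChecks);
        // using this verifier no result must be present, meaning no status code different than a redirect occurred;
        // only the recorded chain of visited URLs is needed, not the body
        ResourceContext ctx = ResourceContext.getStream(endpoint, verifier);
        ctx.closeStream();

        // determine redirect: the last recorded hop is the final destination
        List<Pair<URL, TlsServerCertificate>> resultPoints = ctx.getCerts();
        if (resultPoints.isEmpty()) {
            // Without a recorded hop there is no address to redirect to. Route this through the error mapping
            // below instead of letting an IndexOutOfBoundsException escape past the declared exceptions.
            throw new IOException("No server connection recorded while following the refresh address.");
        }
        Pair<URL, TlsServerCertificate> last = resultPoints.get(resultPoints.size() - 1);
        endpoint = last.p1;

        dynCtx.put(TR03112Keys.IS_REFRESH_URL_VALID, true);
        LOG.debug("Setting redirect address to '{}'.", endpoint);
        response.setRefreshAddress(endpoint.toString());
        return response;
    } catch (MalformedURLException ex) {
        throw new IllegalStateException(LANG_TR.translationForKey(REFRESH_URL_ERROR), ex);
    } catch (ResourceException | InvalidAddressException | ValidationError | IOException ex) {
        // prefer sending the browser to the token's communication error address when one is available
        String code = ECardConstants.Minor.App.COMMUNICATION_ERROR;
        String communicationErrorAddress = response.getTCToken().getComErrorAddressWithParams(code);
        if (communicationErrorAddress != null && !communicationErrorAddress.isEmpty()) {
            throw new SecurityViolationException(communicationErrorAddress, REFRESH_DETERMINATION_FAILED, ex);
        }
        throw new InvalidRedirectUrlException(REFRESH_DETERMINATION_FAILED, ex);
    }
}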
use of org.openecard.bouncycastle.tls.TlsServerCertificate in project open-ecard by ecsec.
the class TCTokenVerifier method assertSameChannel.
/**
 * Asserts that the given address lies on the same channel as every connection recorded in {@code ctx}.
 * <p>
 * TR-03124-1 does not mention that redirects on the TCToken address are possible and it also states that there
 * are only two channels, so each recorded URL has to satisfy the same origin policy with respect to the address.
 *
 * @param name Name of the address element, passed on to assertURL for its error reporting.
 * @param address Address to check; parsed into a URL by assertURL.
 * @throws SecurityViolationException Thrown with the token's communication error address as soon as one recorded
 *   URL violates the same origin policy.
 * @throws InvalidRedirectUrlException Presumably propagated from assertURL.
 * @throws InvalidTCTokenUrlException Presumably propagated from assertURL.
 */
private void assertSameChannel(String name, String address) throws InvalidRedirectUrlException, InvalidTCTokenUrlException, SecurityViolationException {
    URL channelUrl = assertURL(name, address);
    for (Pair<URL, TlsServerCertificate> hop : ctx.getCerts()) {
        URL visited = hop.p1;
        if (TR03112Utils.checkSameOriginPolicy(channelUrl, visited)) {
            continue;
        }
        // first violation aborts with the token's error address
        String errorUrl = token.getComErrorAddressWithParams(ResultMinor.COMMUNICATION_ERROR);
        throw new SecurityViolationException(errorUrl, FAILED_SOP);
    }
}
use of org.openecard.bouncycastle.tls.TlsServerCertificate in project open-ecard by ecsec.
the class HostnameVerifier method isValid.
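/**
 * Verifies that the server's end-entity certificate matches the given host name or IP address.
 * <p>
 * Only the first certificate of the chain (the server certificate) is inspected; it is re-decoded as an ASN.1
 * Certificate and handed to validInt for the actual name check. A missing or empty chain is rejected up front so
 * that the failure surfaces as the declared CertificateVerificationException and not as an unchecked exception
 * from indexing the chain.
 *
 * @param chain Certificate chain presented by the TLS server.
 * @param hostOrIp Host name or IP address the connection was made to.
 * @throws CertificateVerificationException Thrown if no certificate was presented, the certificate cannot be
 *   decoded, or validInt rejects it.
 */
@Override
public void isValid(TlsServerCertificate chain, String hostOrIp) throws CertificateVerificationException {
    try {
        // fail closed: no chain means nothing to verify, which must not be accepted
        if (chain == null || chain.getCertificate() == null || chain.getCertificate().isEmpty()) {
            throw new IOException("Server presented no certificate chain.");
        }
        TlsCertificate endEntity = chain.getCertificate().getCertificateAt(0);
        Certificate cert = Certificate.getInstance(endEntity.getEncoded());
        validInt(cert, hostOrIp);
    } catch (IOException ex) {
        throw new CertificateVerificationException("Invalid certificate received from server.", ex);
    }
}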