Example 6 with TlsServerCertificate

use of org.openecard.bouncycastle.tls.TlsServerCertificate in project open-ecard by ecsec.

Class KeyLengthVerifier, method isValid:

@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
    try {
        boolean firstCert = true;
        for (TlsCertificate next : chain.getCertificate().getCertificateList()) {
            Certificate x509 = Certificate.getInstance(next.getEncoded());
            boolean selfSigned = x509.getIssuer().equals(x509.getSubject());
            // skip the key length check for a self-signed root (trust anchor) further up the chain,
            // but still check a self-signed server certificate at the head of the chain
            boolean isRootCert = selfSigned && !firstCert;
            if (!isRootCert) {
                // get the public key and check it against the minimum size for its key type
                SubjectPublicKeyInfo pkInfo = x509.getSubjectPublicKeyInfo();
                AsymmetricKeyParameter key = PublicKeyFactory.createKey(pkInfo);
                KeyTools.assertKeyLength(key);
            }
            // every certificate after the first one is an intermediate or a root
            firstCert = false;
        }
    } catch (IOException ex) {
        String msg = "Failed to extract public key from certificate.";
        throw new CertificateVerificationException(msg, ex);
    } catch (KeyLengthException ex) {
        String msg = "The key in the certificate does not satisfy the length requirements.";
        throw new CertificateVerificationException(msg, ex);
    }
}
Also used: AsymmetricKeyParameter (org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter), CertificateVerificationException (org.openecard.crypto.tls.CertificateVerificationException), IOException (java.io.IOException), SubjectPublicKeyInfo (org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo), KeyLengthException (org.openecard.crypto.common.keystore.KeyLengthException), TlsCertificate (org.openecard.bouncycastle.tls.crypto.TlsCertificate), TlsServerCertificate (org.openecard.bouncycastle.tls.TlsServerCertificate), Certificate (org.openecard.bouncycastle.asn1.x509.Certificate)

Example 7 with TlsServerCertificate

Class DefaultTlsClientImpl, method getAuthentication:

@Override
public TlsAuthentication getAuthentication() throws IOException {
    return new TlsAuthentication() {

        @Override
        public void notifyServerCertificate(TlsServerCertificate crtfct) throws IOException {
            JavaSecVerifier v = new JavaSecVerifier();
            CertificateVerifier cv = new CertificateVerifierBuilder().and(new HostnameVerifier()).and(v).and(new KeyLengthVerifier()).build();
            cv.isValid(crtfct, serverNames.get(0).toString());
        }

        @Override
        public TlsCredentials getClientCredentials(CertificateRequest cr) throws IOException {
            throw new UnsupportedOperationException("Not supported yet.");
        }
    };
}
Also used: TlsServerCertificate (org.openecard.bouncycastle.tls.TlsServerCertificate), TlsAuthentication (org.openecard.bouncycastle.tls.TlsAuthentication), CertificateVerifier (org.openecard.crypto.tls.CertificateVerifier), CertificateRequest (org.openecard.bouncycastle.tls.CertificateRequest)

Example 8 with TlsServerCertificate

Class CertificateVerifierBuilder, method buildInternal:

private CertificateVerifier buildInternal() {
    // copy the AND elements so that further modification of the builder does not affect the validation
    final Collection<CertificateVerifier> andCopy = Collections.unmodifiableCollection(andList);
    // convert OR builder to verifier
    final ArrayList<CertificateVerifier> orCopy = new ArrayList<>(orChilds.size());
    for (CertificateVerifierBuilder next : orChilds) {
        orCopy.add(next.buildInternal());
    }
    return new CertificateVerifier() {

        @Override
        public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
            if (!andCopy.isEmpty()) {
                // process each AND check and pass if none failed
                for (CertificateVerifier cv : andCopy) {
                    cv.isValid(chain, hostname);
                }
            } else if (!orCopy.isEmpty()) {
                // process all OR values and fail if none passed
                boolean noSuccess = true;
                for (CertificateVerifier cv : orCopy) {
                    try {
                        cv.isValid(chain, hostname);
                        // a successful outcome means we passed, so record it and break the loop
                        noSuccess = false;
                        break;
                    } catch (CertificateVerificationException ex) {
                        // this alternative failed, try the next one
                    }
                }
                if (noSuccess) {
                    String msg = "None of the possible validation paths succeeded.";
                    throw new CertificateVerificationException(msg);
                }
            }
        }
    };
}
Also used: TlsServerCertificate (org.openecard.bouncycastle.tls.TlsServerCertificate), CertificateVerificationException (org.openecard.crypto.tls.CertificateVerificationException), CertificateVerifier (org.openecard.crypto.tls.CertificateVerifier), ArrayList (java.util.ArrayList)

Example 9 with TlsServerCertificate

Class ExpirationVerifier, method isValid:

@Override
public void isValid(TlsServerCertificate chain, String hostOrIP) throws CertificateVerificationException {
    try {
        Date now = new Date();
        for (TlsCertificate next : chain.getCertificate().getCertificateList()) {
            Certificate c = Certificate.getInstance(next.getEncoded());
            Date expDate = c.getEndDate().getDate();
            if (now.after(expDate)) {
                String msg = String.format("The certificate '%s' expired at %s.", c.getSubject(), expDate);
                throw new CertificateVerificationException(msg);
            }
        }
    } catch (IOException ex) {
        throw new CertificateVerificationException("Invalid certificate received from server.", ex);
    }
}
Also used: CertificateVerificationException (org.openecard.crypto.tls.CertificateVerificationException), IOException (java.io.IOException), Date (java.util.Date), TlsCertificate (org.openecard.bouncycastle.tls.crypto.TlsCertificate), TlsServerCertificate (org.openecard.bouncycastle.tls.TlsServerCertificate), Certificate (org.openecard.bouncycastle.asn1.x509.Certificate)

Example 10 with TlsServerCertificate

Class JavaSecVerifier, method convertChain:

public static CertPath convertChain(TlsServerCertificate chain) throws CertificateException, IOException {
    final int numCerts = chain.getCertificate().getCertificateList().length;
    ArrayList<java.security.cert.Certificate> result = new ArrayList<>(numCerts);
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    for (TlsCertificate next : chain.getCertificate().getCertificateList()) {
        Certificate nextConverted = convertCertificateInt(cf, next);
        result.add(nextConverted);
    }
    return cf.generateCertPath(result);
}
Also used: ArrayList (java.util.ArrayList), CertificateFactory (java.security.cert.CertificateFactory), TlsServerCertificate (org.openecard.bouncycastle.tls.TlsServerCertificate), Certificate (java.security.cert.Certificate), TlsCertificate (org.openecard.bouncycastle.tls.crypto.TlsCertificate)