Example 1 with TlsCertificate

use of org.openecard.bouncycastle.tls.crypto.TlsCertificate in project open-ecard by ecsec.

the class HostnameVerifier method isValid.

import java.io.IOException;
import org.openecard.bouncycastle.asn1.x509.Certificate;
import org.openecard.bouncycastle.tls.TlsServerCertificate;
import org.openecard.bouncycastle.tls.crypto.TlsCertificate;
import org.openecard.crypto.tls.CertificateVerificationException;

@Override
public void isValid(TlsServerCertificate chain, String hostOrIp) throws CertificateVerificationException {
    try {
        // Host name matching is done against the end-entity certificate only, i.e. index 0 of the chain.
        TlsCertificate tlsCert = chain.getCertificate().getCertificateAt(0);
        // Parse the DER encoding into an ASN.1 X.509 Certificate so the names in it can be read.
        Certificate cert = Certificate.getInstance(tlsCert.getEncoded());
        // validInt is the class's own matching routine; it is not shown on this page.
        validInt(cert, hostOrIp);
    } catch (IOException ex) {
        // Thrown by getEncoded() or getInstance() on malformed certificate bytes.
        throw new CertificateVerificationException("Invalid certificate received from server.", ex);
    }
}

Example 2 with TlsCertificate

use of org.openecard.bouncycastle.tls.crypto.TlsCertificate in project open-ecard by ecsec.

the class KeyLengthVerifier method isValid.

import java.io.IOException;
import org.openecard.bouncycastle.asn1.x509.Certificate;
import org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.openecard.bouncycastle.crypto.util.PublicKeyFactory;
import org.openecard.bouncycastle.tls.TlsServerCertificate;
import org.openecard.bouncycastle.tls.crypto.TlsCertificate;
import org.openecard.crypto.common.keystore.KeyLengthException;
import org.openecard.crypto.tls.CertificateVerificationException;

@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
    try {
        boolean firstCert = true;
        // Walk the whole chain, leaf first, and check the key size of every certificate except a trailing root.
        for (TlsCertificate next : chain.getCertificate().getCertificateList()) {
            Certificate x509 = Certificate.getInstance(next.getEncoded());
            boolean selfSigned = x509.getIssuer().equals(x509.getSubject());
            // Skip the key comparison step for a root certificate, but still check a self-signed server certificate:
            // the first certificate is never treated as root, so a self-signed leaf is still measured.
            boolean isRootCert = selfSigned && !firstCert;
            if (!isRootCert) {
                // Get the public key and let KeyTools determine the minimum size for its actual algorithm.
                SubjectPublicKeyInfo pkInfo = x509.getSubjectPublicKeyInfo();
                AsymmetricKeyParameter key = PublicKeyFactory.createKey(pkInfo);
                KeyTools.assertKeyLength(key);
                // The first certificate always reaches this branch, so the flag flips after the first iteration.
                firstCert = false;
            }
        }
    } catch (IOException ex) {
        String msg = "Failed to extract public key from certificate.";
        throw new CertificateVerificationException(msg, ex);
    } catch (KeyLengthException ex) {
        String msg = "The key in the certificate does not satisfy the length requirements.";
        throw new CertificateVerificationException(msg, ex);
    }
}

Example 3 with TlsCertificate

use of org.openecard.bouncycastle.tls.crypto.TlsCertificate in project open-ecard by ecsec.

the class ExpirationVerifier method isValid.

import java.io.IOException;
import java.util.Date;
import org.openecard.bouncycastle.asn1.x509.Certificate;
import org.openecard.bouncycastle.tls.TlsServerCertificate;
import org.openecard.bouncycastle.tls.crypto.TlsCertificate;
import org.openecard.crypto.tls.CertificateVerificationException;

@Override
public void isValid(TlsServerCertificate chain, String hostOrIP) throws CertificateVerificationException {
    try {
        // Reference time is the local clock; no skew tolerance is applied.
        Date now = new Date();
        for (TlsCertificate next : chain.getCertificate().getCertificateList()) {
            Certificate c = Certificate.getInstance(next.getEncoded());
            // Only notAfter is examined here. notBefore is not checked, so a certificate that is
            // not yet valid passes this verifier and must be caught by path validation elsewhere.
            Date expDate = c.getEndDate().getDate();
            if (now.after(expDate)) {
                String msg = String.format("The certificate '%s' expired at %s.", c.getSubject(), expDate);
                throw new CertificateVerificationException(msg);
            }
        }
    } catch (IOException ex) {
        throw new CertificateVerificationException("Invalid certificate received from server.", ex);
    }
}

Example 4 with TlsCertificate

use of org.openecard.bouncycastle.tls.crypto.TlsCertificate in project open-ecard by ecsec.

the class KeyTools method convertCertificates.

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CertPath;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import org.openecard.bouncycastle.tls.crypto.TlsCertificate;

/**
 * Converts the given certificate chain to a JCA CertPath.
 *
 * @param chain BouncyCastle list of certificates.
 * @return CertPath instance with the exact same certificate chain.
 * @throws CertificateException Thrown in case the JCA has problems supporting X509 or one of the certificates.
 * @throws IOException Thrown in case there is an encoding error.
 */
public static CertPath convertCertificates(TlsCertificate... chain) throws CertificateException, IOException {
    final int numCerts = chain.length;
    // java.security.cert.Certificate is written out in full because the enclosing class also
    // imports org.openecard.bouncycastle.tls.Certificate under the same simple name.
    ArrayList<java.security.cert.Certificate> result = new ArrayList<>(numCerts);
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    for (TlsCertificate next : chain) {
        // Re-parse each DER encoding with the JCA factory; order (leaf first) is preserved.
        byte[] nextData = next.getEncoded();
        ByteArrayInputStream nextDataStream = new ByteArrayInputStream(nextData);
        java.security.cert.Certificate nextConverted = cf.generateCertificate(nextDataStream);
        result.add(nextConverted);
    }
    return cf.generateCertPath(result);
}

Example 5 with TlsCertificate

use of org.openecard.bouncycastle.tls.crypto.TlsCertificate in project open-ecard by ecsec.

the class JavaSecVerifier method convertChain.

import java.io.IOException;
import java.security.cert.CertPath;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import org.openecard.bouncycastle.tls.TlsServerCertificate;
import org.openecard.bouncycastle.tls.crypto.TlsCertificate;

public static CertPath convertChain(TlsServerCertificate chain) throws CertificateException, IOException {
    final int numCerts = chain.getCertificate().getCertificateList().length;
    ArrayList<java.security.cert.Certificate> result = new ArrayList<>(numCerts);
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    for (TlsCertificate next : chain.getCertificate().getCertificateList()) {
        // convertCertificateInt is the class's own per-certificate conversion helper; it is not shown on this page.
        Certificate nextConverted = convertCertificateInt(cf, next);
        result.add(nextConverted);
    }
    // The resulting CertPath is what a JCA CertPathValidator consumes.
    return cf.generateCertPath(result);
}
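Examples 4 and 5 only convert the TLS chain into a JCA CertPath; the page does not show the validation step that consumes it, and Example 3 on its own checks notAfter but not notBefore. The following is an added example, not code from the open-ecard project, that performs PKIX path validation on a converted chain against a set of trust anchors and exercises it with a constructed two-certificate test PKI. Assumptions: the shaded package prefix org.openecard.bouncycastle also covers the bcpkix builders (cert, operator) and the BC TLS crypto implementation (tls.crypto.impl.bc.BcTlsCrypto) as it does for the classes on this page (with stock BouncyCastle the prefix is org.bouncycastle); CertificateVerificationException has the (String, Throwable) constructor used above; the class name, the helper issue() and the example distinguished names are illustrative.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Set;
import org.openecard.bouncycastle.asn1.x500.X500Name;
import org.openecard.bouncycastle.asn1.x509.BasicConstraints;
import org.openecard.bouncycastle.asn1.x509.Extension;
import org.openecard.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.openecard.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.openecard.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.openecard.bouncycastle.tls.crypto.TlsCertificate;
import org.openecard.bouncycastle.tls.crypto.TlsCrypto;
import org.openecard.bouncycastle.tls.crypto.impl.bc.BcTlsCrypto;
import org.openecard.crypto.tls.CertificateVerificationException;

// Added example (hypothetical class, not part of open-ecard): PKIX validation of a converted TLS chain.
public class PkixChainVerifierExample {

    /** PKIX-validates the chain received in the TLS handshake against 'anchors' at time 'at'. */
    public static PKIXCertPathValidatorResult validate(TlsCertificate[] chain, Set<TrustAnchor> anchors, Date at)
            throws CertificateVerificationException {
        try {
            // Same conversion as KeyTools.convertCertificates: DER bytes -> JCA X509Certificate, leaf first.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            List<X509Certificate> certs = new ArrayList<>(chain.length);
            for (TlsCertificate next : chain) {
                certs.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(next.getEncoded())));
            }
            // Servers often send their root too. The root is the anchor, not a path element, so drop trailing
            // certificates that are already trusted (the JDK's own PKIXValidator trims the chain the same way).
            while (certs.size() > 1 && anchors.stream().anyMatch(a -> certs.get(certs.size() - 1).equals(a.getTrustedCert()))) {
                certs.remove(certs.size() - 1);
            }
            PKIXParameters params = new PKIXParameters(anchors);
            params.setDate(at);                 // notBefore AND notAfter of every path certificate are checked
            params.setRevocationEnabled(false); // the constructed PKI below has no CRL/OCSP; keep it enabled in production
            CertPathValidator validator = CertPathValidator.getInstance("PKIX");
            return (PKIXCertPathValidatorResult) validator.validate(cf.generateCertPath(certs), params);
        } catch (CertPathValidatorException ex) {
            throw new CertificateVerificationException("Chain does not validate to a trust anchor: " + ex.getMessage(), ex);
        } catch (GeneralSecurityException | IOException ex) {
            throw new CertificateVerificationException("Invalid certificate received from server.", ex);
        }
    }

    /** Constructed test PKI (example data, not project code): issues 'subject' with subjectKp's key, signed by issuerKp. */
    static X509Certificate issue(String subject, KeyPair subjectKp, String issuer, KeyPair issuerKp, boolean ca)
            throws Exception {
        long now = System.currentTimeMillis();
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(new X500Name(issuer),
                BigInteger.valueOf(System.nanoTime()), new Date(now - 60_000L), new Date(now + 3_600_000L),
                new X500Name(subject), subjectKp.getPublic());
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(ca));
        return new JcaX509CertificateConverter()
                .getCertificate(builder.build(new JcaContentSignerBuilder("SHA256withRSA").build(issuerKp.getPrivate())));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKp = kpg.generateKeyPair(), leafKp = kpg.generateKeyPair(), otherKp = kpg.generateKeyPair();
        X509Certificate caCert = issue("CN=Example Test CA", caKp, "CN=Example Test CA", caKp, true);
        X509Certificate leaf = issue("CN=eid.example.test", leafKp, "CN=Example Test CA", caKp, false);
        X509Certificate other = issue("CN=Unrelated CA", otherKp, "CN=Unrelated CA", otherKp, true);
        // Re-wrap the DER encodings as TlsCertificates, the form in which the handshake delivers them.
        TlsCrypto crypto = new BcTlsCrypto(new SecureRandom());
        TlsCertificate[] chain = { crypto.createCertificate(leaf.getEncoded()), crypto.createCertificate(caCert.getEncoded()) };
        Set<TrustAnchor> trusted = Collections.singleton(new TrustAnchor(caCert, null));
        PKIXCertPathValidatorResult ok = validate(chain, trusted, new Date());
        System.out.println("accepted, anchor: " + ok.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        // The same chain must fail against an unrelated anchor, and against the right anchor once the leaf has expired.
        try {
            validate(chain, Collections.singleton(new TrustAnchor(other, null)), new Date());
            throw new AssertionError("unrelated anchor was accepted");
        } catch (CertificateVerificationException expected) {
            System.out.println("rejected (wrong anchor): " + expected.getMessage());
        }
        try {
            validate(chain, trusted, new Date(System.currentTimeMillis() + 2 * 3_600_000L));
            throw new AssertionError("expired leaf was accepted");
        } catch (CertificateVerificationException expected) {
            System.out.println("rejected (expired): " + expected.getMessage());
        }
    }
}
```

Path validation is the step that ties the page's verifiers together: the key-length, expiration and host name checks above each look at one property, while PKIX verifies signatures, name chaining and basic constraints and checks both ends of every certificate's validity window at the supplied date. Revocation is switched off only because the constructed PKI has no CRL or OCSP responder; a production verifier keeps it enabled or supplies stapled OCSP data through the PKIX revocation checker.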
