Example 1 with CertificateVerificationException
use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.
the class CGJavaSecVerifier method isValid.
@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
try {
CertPath certPath = convertChain(chain);
// create the parameters for the validator
PKIXParameters params = new PKIXParameters(getTrustStore());
params.setRevocationEnabled(false);
if (checkRevocation) {
PKIXRevocationChecker revChecker = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();
Set<PKIXRevocationChecker.Option> revOpts = new HashSet<>();
// revOpts.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
revChecker.setOptions(revOpts);
// TODO: add OCSP responses
// revChecker.setOcspResponses(responses);
params.setCertPathCheckers(null);
params.addCertPathChecker(revChecker);
}
// validate - exception marks failure
PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult) certPathValidator.validate(certPath, params);
if (ChipGatewayProperties.isUseApiEndpointWhitelist()) {
X509Certificate cert = (X509Certificate) certPath.getCertificates().get(0);
X500Principal subj = cert.getSubjectX500Principal();
if (!AllowedApiEndpoints.instance().isInSubjects(subj)) {
String msg = "The certificate used in the signature has an invalid subject: " + subj.getName();
throw new CertificateVerificationException(msg);
}
}
} catch (CertPathValidatorException ex) {
throw new CertificateVerificationException(ex.getMessage());
} catch (GeneralSecurityException ex) {
throw new CertificateVerificationException(ex.getMessage());
} catch (IOException ex) {
if (ex instanceof CertificateVerificationException) {
throw (CertificateVerificationException) ex;
}
throw new CertificateVerificationException("Error converting certificate chain to java.security format.");
}
}
Also used :
GeneralSecurityException(java.security.GeneralSecurityException)
IOException(java.io.IOException)
X509Certificate(java.security.cert.X509Certificate)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException)
PKIXParameters(java.security.cert.PKIXParameters)
PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult)
PKIXRevocationChecker(java.security.cert.PKIXRevocationChecker)
X500Principal(javax.security.auth.x500.X500Principal)
CertPath(java.security.cert.CertPath)
HashSet(java.util.HashSet)
Example 2 with CertificateVerificationException
use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.
the class HostnameVerifier method isValid.
@Override
public void isValid(TlsServerCertificate chain, String hostOrIp) throws CertificateVerificationException {
try {
TlsCertificate tlsCert = chain.getCertificate().getCertificateAt(0);
Certificate cert = Certificate.getInstance(tlsCert.getEncoded());
validInt(cert, hostOrIp);
} catch (IOException ex) {
throw new CertificateVerificationException("Invalid certificate received from server.", ex);
}
}
Also used :
CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException)
IOException(java.io.IOException)
TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)
TlsServerCertificate(org.openecard.bouncycastle.tls.TlsServerCertificate)
Certificate(org.openecard.bouncycastle.asn1.x509.Certificate)
TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)
Example 3 with CertificateVerificationException
use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.
the class KeyLengthVerifier method isValid.
@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
try {
boolean firstCert = true;
for (TlsCertificate next : chain.getCertificate().getCertificateList()) {
Certificate x509 = Certificate.getInstance(next.getEncoded());
boolean selfSigned = x509.getIssuer().equals(x509.getSubject());
// skip key comparison step if this is a root certificate, but still check self signed server certs
boolean isRootCert = selfSigned && !firstCert;
if (!isRootCert) {
// get public key and determine minimum size for the actual type
SubjectPublicKeyInfo pkInfo = x509.getSubjectPublicKeyInfo();
AsymmetricKeyParameter key = PublicKeyFactory.createKey(pkInfo);
KeyTools.assertKeyLength(key);
firstCert = false;
}
}
} catch (IOException ex) {
String msg = "Failed to extract public key from certificate.";
throw new CertificateVerificationException(msg, ex);
} catch (KeyLengthException ex) {
String msg = "The key in the certificate does not satisfy the length requirements.";
throw new CertificateVerificationException(msg, ex);
}
}
Also used :
AsymmetricKeyParameter(org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter)
CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException)
IOException(java.io.IOException)
SubjectPublicKeyInfo(org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
KeyLengthException(org.openecard.crypto.common.keystore.KeyLengthException)
TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)
TlsServerCertificate(org.openecard.bouncycastle.tls.TlsServerCertificate)
Certificate(org.openecard.bouncycastle.asn1.x509.Certificate)
TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)
Example 4 with CertificateVerificationException
use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.
the class CertificateVerifierBuilder method buildInternal.
private CertificateVerifier buildInternal() {
// copy and elements so that further modification of the builder does not affect the validation
final Collection<CertificateVerifier> andCopy = Collections.unmodifiableCollection(andList);
// convert OR builder to verifier
final ArrayList<CertificateVerifier> orCopy = new ArrayList<>(orChilds.size());
for (CertificateVerifierBuilder next : orChilds) {
orCopy.add(next.buildInternal());
}
return new CertificateVerifier() {
@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
if (!andCopy.isEmpty()) {
// process each AND check and pass if none failed
for (CertificateVerifier cv : andCopy) {
cv.isValid(chain, hostname);
}
} else if (!orCopy.isEmpty()) {
// process all OR values and fail if none passed
boolean noSuccess = true;
for (CertificateVerifier cv : orCopy) {
try {
cv.isValid(chain, hostname);
// a successful outcome means we passed, so break the loop
break;
} catch (CertificateVerificationException ex) {
noSuccess = false;
}
}
if (noSuccess) {
String msg = "None of the possible validation paths succeeded.";
throw new CertificateVerificationException(msg);
}
}
}
};
}
Also used :
TlsServerCertificate(org.openecard.bouncycastle.tls.TlsServerCertificate)
CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException)
CertificateVerifier(org.openecard.crypto.tls.CertificateVerifier)
ArrayList(java.util.ArrayList)
Example 5 with CertificateVerificationException
use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.
the class ExpirationVerifier method isValid.
@Override
public void isValid(TlsServerCertificate chain, String hostOrIP) throws CertificateVerificationException {
try {
Date now = new Date();
for (TlsCertificate next : chain.getCertificate().getCertificateList()) {
Certificate c = Certificate.getInstance(next.getEncoded());
Date expDate = c.getEndDate().getDate();
if (now.after(expDate)) {
String msg = String.format("The certificate '%s' expired at %s.", c.getSubject(), expDate);
throw new CertificateVerificationException(msg);
}
}
} catch (IOException ex) {
throw new CertificateVerificationException("Invalid certificate received from server.", ex);
}
}
Also used :
CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException)
IOException(java.io.IOException)
Date(java.util.Date)
TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)
TlsServerCertificate(org.openecard.bouncycastle.tls.TlsServerCertificate)
TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)
Certificate(org.openecard.bouncycastle.asn1.x509.Certificate)
Aggregations
CertificateVerificationException (org.openecard.crypto.tls.CertificateVerificationException)8
IOException (java.io.IOException)6
TlsServerCertificate (org.openecard.bouncycastle.tls.TlsServerCertificate)4
Certificate (org.openecard.bouncycastle.asn1.x509.Certificate)3
TlsCertificate (org.openecard.bouncycastle.tls.crypto.TlsCertificate)3
GeneralSecurityException (java.security.GeneralSecurityException)2
CertPath (java.security.cert.CertPath)2
CertPathValidatorException (java.security.cert.CertPathValidatorException)2
PKIXParameters (java.security.cert.PKIXParameters)2
PKIXCertPathValidatorResult (java.security.cert.PKIXCertPathValidatorResult)1
PKIXRevocationChecker (java.security.cert.PKIXRevocationChecker)1
X509Certificate (java.security.cert.X509Certificate)1
ArrayList (java.util.ArrayList)1
Date (java.util.Date)1
HashSet (java.util.HashSet)1
X500Principal (javax.security.auth.x500.X500Principal)1
ASN1Encodable (org.openecard.bouncycastle.asn1.ASN1Encodable)1
RDN (org.openecard.bouncycastle.asn1.x500.RDN)1
Extension (org.openecard.bouncycastle.asn1.x509.Extension)1
Extensions (org.openecard.bouncycastle.asn1.x509.Extensions)1
