
Example 1 with CertificateVerificationException

use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.

the class CGJavaSecVerifier method isValid.

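@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
    // Validates the server chain against the configured trust store with the JDK PKIX validator,
    // optionally with revocation checking, and optionally restricts the end-entity subject to the
    // configured API endpoint whitelist. Note that {@code hostname} is NOT matched here; hostname
    // verification has to be provided by a separate verifier.
    try {
        CertPath certPath = convertChain(chain);
        // create the parameters for the validator
        PKIXParameters params = new PKIXParameters(getTrustStore());
        // Switch off the validator's implicit revocation mechanism. When checkRevocation is set, the
        // explicitly added PKIXRevocationChecker below performs the revocation check instead.
        params.setRevocationEnabled(false);
        if (checkRevocation) {
            PKIXRevocationChecker revChecker = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();
            // An empty option set keeps the JDK defaults (whole chain checked, no SOFT_FAIL, so an
            // unobtainable revocation status is treated as a failure).
            Set<PKIXRevocationChecker.Option> revOpts = new HashSet<>();
            // revOpts.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
            revChecker.setOptions(revOpts);
            // TODO: add OCSP responses
            // revChecker.setOcspResponses(responses);
            params.setCertPathCheckers(null);
            params.addCertPathChecker(revChecker);
        }
        // validate - an exception marks failure; the result object itself is not needed here
        certPathValidator.validate(certPath, params);
        if (ChipGatewayProperties.isUseApiEndpointWhitelist()) {
            // PKIX CertPath ordering: index 0 is the target (end-entity) certificate
            X509Certificate cert = (X509Certificate) certPath.getCertificates().get(0);
            X500Principal subj = cert.getSubjectX500Principal();
            if (!AllowedApiEndpoints.instance().isInSubjects(subj)) {
                String msg = "The certificate used in the signature has an invalid subject: " + subj.getName();
                throw new CertificateVerificationException(msg);
            }
        }
    } catch (GeneralSecurityException ex) {
        // covers CertPathValidatorException as well; keep the original exception as cause so the
        // validator's reason (untrusted anchor, revoked, expired, ...) is not lost for diagnostics
        throw new CertificateVerificationException(ex.getMessage(), ex);
    } catch (IOException ex) {
        if (ex instanceof CertificateVerificationException) {
            // CertificateVerificationException is an IOException: a whitelist failure raised above
            // must surface unchanged rather than being masked as a conversion error
            throw (CertificateVerificationException) ex;
        }
        throw new CertificateVerificationException("Error converting certificate chain to java.security format.", ex);
    }
}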
Also used : GeneralSecurityException(java.security.GeneralSecurityException) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) CertPathValidatorException(java.security.cert.CertPathValidatorException) CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException) PKIXParameters(java.security.cert.PKIXParameters) PKIXCertPathValidatorResult(java.security.cert.PKIXCertPathValidatorResult) PKIXRevocationChecker(java.security.cert.PKIXRevocationChecker) X500Principal(javax.security.auth.x500.X500Principal) CertPath(java.security.cert.CertPath) HashSet(java.util.HashSet)

Example 2 with CertificateVerificationException

use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.

the class HostnameVerifier method isValid.

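@Override
public void isValid(TlsServerCertificate chain, String hostOrIp) throws CertificateVerificationException {
    // Checks that the end-entity certificate of the server chain matches the given host name or IP.
    try {
        // only the end-entity certificate (index 0) carries the names the host has to match
        TlsCertificate endEntity = chain.getCertificate().getCertificateAt(0);
        Certificate x509 = Certificate.getInstance(endEntity.getEncoded());
        validInt(x509, hostOrIp);
    } catch (IOException ex) {
        if (ex instanceof CertificateVerificationException) {
            // CertificateVerificationException is an IOException: a mismatch reported by validInt
            // must surface with its own message instead of being masked as an encoding error
            throw (CertificateVerificationException) ex;
        }
        throw new CertificateVerificationException("Invalid certificate received from server.", ex);
    }
}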
Also used : CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException) IOException(java.io.IOException) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate) TlsServerCertificate(org.openecard.bouncycastle.tls.TlsServerCertificate) Certificate(org.openecard.bouncycastle.asn1.x509.Certificate) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)

Example 3 with CertificateVerificationException

use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.

the class KeyLengthVerifier method isValid.

@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
    // Enforces the minimum public key length (KeyTools.assertKeyLength) for every certificate in
    // the chain except a self-signed certificate above the server certificate, which is taken to
    // be the trust anchor. The server certificate itself (position 0) is always checked, even when
    // it is self-signed. The hostname is not used by this verifier.
    try {
        int position = 0;
        for (TlsCertificate tlsCert : chain.getCertificate().getCertificateList()) {
            Certificate x509 = Certificate.getInstance(tlsCert.getEncoded());
            // NOTE(review): issuer == subject is a heuristic for "trust anchor"; whether such a
            // certificate is actually trusted is decided by the path validator, not here.
            boolean selfSigned = x509.getIssuer().equals(x509.getSubject());
            boolean trustAnchor = selfSigned && position > 0;
            if (!trustAnchor) {
                // the minimum size depends on the key type and is resolved inside assertKeyLength
                AsymmetricKeyParameter publicKey = PublicKeyFactory.createKey(x509.getSubjectPublicKeyInfo());
                KeyTools.assertKeyLength(publicKey);
            }
            position++;
        }
    } catch (IOException ex) {
        throw new CertificateVerificationException("Failed to extract public key from certificate.", ex);
    } catch (KeyLengthException ex) {
        throw new CertificateVerificationException("The key in the certificate does not satisfy the length requirements.", ex);
    }
}
Also used : AsymmetricKeyParameter(org.openecard.bouncycastle.crypto.params.AsymmetricKeyParameter) CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException) IOException(java.io.IOException) SubjectPublicKeyInfo(org.openecard.bouncycastle.asn1.x509.SubjectPublicKeyInfo) KeyLengthException(org.openecard.crypto.common.keystore.KeyLengthException) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate) TlsServerCertificate(org.openecard.bouncycastle.tls.TlsServerCertificate) Certificate(org.openecard.bouncycastle.asn1.x509.Certificate) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate)

Example 4 with CertificateVerificationException

use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.

the class CertificateVerifierBuilder method buildInternal.

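private CertificateVerifier buildInternal() {
    // Builds a composite verifier. The AND verifiers take precedence: when the AND list is non-empty
    // the OR children are not consulted at all. With neither AND nor OR verifiers configured, the
    // resulting verifier accepts every chain without any check, so callers must never use an empty
    // builder for a security-relevant connection.
    //
    // Copy the AND elements so that further modification of the builder does not affect the
    // validation (Collections.unmodifiableCollection alone would only be a live view of andList).
    final Collection<CertificateVerifier> andCopy = Collections.unmodifiableList(new ArrayList<>(andList));
    // convert OR builders to verifiers
    final ArrayList<CertificateVerifier> orCopy = new ArrayList<>(orChilds.size());
    for (CertificateVerifierBuilder next : orChilds) {
        orCopy.add(next.buildInternal());
    }
    return new CertificateVerifier() {

        @Override
        public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
            if (!andCopy.isEmpty()) {
                // AND: every verifier must pass; the first failure propagates unchanged
                for (CertificateVerifier cv : andCopy) {
                    cv.isValid(chain, hostname);
                }
            } else if (!orCopy.isEmpty()) {
                // OR: accept as soon as one alternative passes, fail only when all of them failed.
                // (The previous flag handling was inverted: it flipped on failure and stayed set on
                // success, so an all-failed chain was accepted and a first-try success was rejected.)
                CertificateVerificationException lastFailure = null;
                for (CertificateVerifier cv : orCopy) {
                    try {
                        cv.isValid(chain, hostname);
                        // one successful path is enough
                        return;
                    } catch (CertificateVerificationException ex) {
                        // remember the reason for diagnostics and try the next alternative
                        lastFailure = ex;
                    }
                }
                String msg = "None of the possible validation paths succeeded.";
                throw new CertificateVerificationException(msg, lastFailure);
            }
        }
    };
}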
Also used : TlsServerCertificate(org.openecard.bouncycastle.tls.TlsServerCertificate) CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException) CertificateVerifier(org.openecard.crypto.tls.CertificateVerifier) ArrayList(java.util.ArrayList)

Example 5 with CertificateVerificationException

use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.

the class ExpirationVerifier method isValid.

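@Override
public void isValid(TlsServerCertificate chain, String hostOrIP) throws CertificateVerificationException {
    // Rejects the chain if any certificate's notAfter date lies in the past (local clock).
    // NOTE(review): only expiry is checked here; a not-yet-valid certificate (notBefore in the
    // future) passes this verifier. The hostname is not used.
    //
    // Single time reference so all certificates are judged at the same instant.
    Date now = new Date();
    try {
        for (TlsCertificate tlsCert : chain.getCertificate().getCertificateList()) {
            Certificate x509 = Certificate.getInstance(tlsCert.getEncoded());
            Date notAfter = x509.getEndDate().getDate();
            if (now.after(notAfter)) {
                String msg = String.format("The certificate '%s' expired at %s.", x509.getSubject(), notAfter);
                throw new CertificateVerificationException(msg);
            }
        }
    } catch (IOException ex) {
        if (ex instanceof CertificateVerificationException) {
            // CertificateVerificationException is an IOException: rethrow the expiry failure with
            // its own message instead of masking it as "Invalid certificate received from server."
            throw (CertificateVerificationException) ex;
        }
        throw new CertificateVerificationException("Invalid certificate received from server.", ex);
    }
}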
Also used : CertificateVerificationException(org.openecard.crypto.tls.CertificateVerificationException) IOException(java.io.IOException) Date(java.util.Date) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate) TlsServerCertificate(org.openecard.bouncycastle.tls.TlsServerCertificate) TlsCertificate(org.openecard.bouncycastle.tls.crypto.TlsCertificate) Certificate(org.openecard.bouncycastle.asn1.x509.Certificate)
