use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.
the class CGJavaSecVerifier method isValid.
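/**
 * Validates the server certificate chain against the trust store with the JCA PKIX validator and,
 * when the API endpoint whitelist is enabled, additionally requires the end-entity subject to be
 * one of the allowed API endpoints.
 *
 * @param chain certificate chain presented by the TLS server; converted with {@code convertChain}
 * @param hostname host name of the connection; not used by this check (hostname matching is done elsewhere)
 * @throws CertificateVerificationException if path validation fails, the chain cannot be converted, or the
 *     subject is not whitelisted; the originating exception is kept as cause where one exists
 */
@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
    try {
        CertPath certPath = convertChain(chain);
        // create the parameters for the validator
        PKIXParameters params = new PKIXParameters(getTrustStore());
        // revocation is driven by the PKIXRevocationChecker added below (if enabled), not by the
        // legacy flag, so the flag stays off in both cases
        params.setRevocationEnabled(false);
        if (checkRevocation) {
            PKIXRevocationChecker revChecker = (PKIXRevocationChecker) certPathValidator.getRevocationChecker();
            Set<PKIXRevocationChecker.Option> revOpts = new HashSet<>();
            // revOpts.add(PKIXRevocationChecker.Option.ONLY_END_ENTITY);
            revChecker.setOptions(revOpts);
            // TODO: add OCSP responses
            // revChecker.setOcspResponses(responses);
            params.setCertPathCheckers(null);
            params.addCertPathChecker(revChecker);
        }
        // validate - exception marks failure; the returned result object is not needed here
        certPathValidator.validate(certPath, params);
        if (ChipGatewayProperties.isUseApiEndpointWhitelist()) {
            // the end-entity certificate is the first element of the converted path
            X509Certificate cert = (X509Certificate) certPath.getCertificates().get(0);
            X500Principal subj = cert.getSubjectX500Principal();
            if (!AllowedApiEndpoints.instance().isInSubjects(subj)) {
                String msg = "The certificate used in the signature has an invalid subject: " + subj.getName();
                throw new CertificateVerificationException(msg);
            }
        }
    } catch (CertificateVerificationException ex) {
        // raised by the whitelist check above; must not be re-wrapped as a conversion error
        throw ex;
    } catch (GeneralSecurityException ex) {
        // covers CertPathValidatorException as well; keep the cause so the failing check stays diagnosable
        throw new CertificateVerificationException(ex.getMessage(), ex);
    } catch (IOException ex) {
        throw new CertificateVerificationException("Error converting certificate chain to java.security format.", ex);
    }
}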
use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.
the class HostnameVerifier method isValid.
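/**
 * Checks the server's end-entity certificate (first element of the chain) against the given host
 * name or IP address by delegating to {@code validInt}.
 *
 * @param chain certificate chain presented by the TLS server
 * @param hostOrIp host name or IP address the connection was made to
 * @throws CertificateVerificationException if the chain is empty, the certificate cannot be decoded,
 *     or the delegated check fails
 */
@Override
public void isValid(TlsServerCertificate chain, String hostOrIp) throws CertificateVerificationException {
    // an empty chain has no end-entity certificate to match; fail explicitly instead of indexing into nothing
    if (chain.getCertificate().isEmpty()) {
        throw new CertificateVerificationException("No certificate received from server.");
    }
    try {
        TlsCertificate tlsCert = chain.getCertificate().getCertificateAt(0);
        Certificate cert = Certificate.getInstance(tlsCert.getEncoded());
        validInt(cert, hostOrIp);
    } catch (IOException ex) {
        throw new CertificateVerificationException("Invalid certificate received from server.", ex);
    }
}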
use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.
the class KeyLengthVerifier method isValid.
/**
 * Asserts that every certificate in the chain carries a public key of sufficient length.
 * Root certificates (self-signed, not in first position) are exempt; a self-signed server
 * certificate in first position is still checked.
 *
 * @param chain certificate chain presented by the TLS server
 * @param hostname host name of the connection; not used by this check
 * @throws CertificateVerificationException if a key cannot be extracted or is too short
 */
@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
    try {
        boolean isServerCert = true;
        for (TlsCertificate tlsCert : chain.getCertificate().getCertificateList()) {
            Certificate x509 = Certificate.getInstance(tlsCert.getEncoded());
            boolean selfSigned = x509.getIssuer().equals(x509.getSubject());
            // a self-signed certificate further up the chain is the trust anchor and is not measured;
            // the server certificate itself is always measured, even when self-signed
            boolean trustAnchor = selfSigned && !isServerCert;
            if (!trustAnchor) {
                // the minimum size depends on the key type, which KeyTools derives from the key itself
                SubjectPublicKeyInfo pkInfo = x509.getSubjectPublicKeyInfo();
                AsymmetricKeyParameter pubKey = PublicKeyFactory.createKey(pkInfo);
                KeyTools.assertKeyLength(pubKey);
            }
            // only the first element of the chain is the server certificate
            isServerCert = false;
        }
    } catch (IOException ex) {
        String msg = "Failed to extract public key from certificate.";
        throw new CertificateVerificationException(msg, ex);
    } catch (KeyLengthException ex) {
        String msg = "The key in the certificate does not satisfy the length requirements.";
        throw new CertificateVerificationException(msg, ex);
    }
}
use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.
the class CertificateVerifierBuilder method buildInternal.
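/**
 * Builds a composite verifier from the current builder state. When AND verifiers are present,
 * all of them must pass; otherwise, when OR children are present, at least one of them must pass.
 * A builder with neither yields a verifier that accepts every chain.
 *
 * @return verifier that is independent of later modifications of this builder
 */
private CertificateVerifier buildInternal() {
    // snapshot the AND verifiers so that further modification of the builder does not affect the validation
    // (an unmodifiable view alone would still reflect later changes to the backing list)
    final Collection<CertificateVerifier> andCopy = Collections.unmodifiableCollection(new ArrayList<>(andList));
    // convert OR builders to verifiers now, so later changes to the children have no effect either
    final Collection<CertificateVerifier> orCopy = new ArrayList<>(orChilds.size());
    for (CertificateVerifierBuilder next : orChilds) {
        orCopy.add(next.buildInternal());
    }
    return new CertificateVerifier() {
        @Override
        public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
            if (!andCopy.isEmpty()) {
                // every AND verifier must pass; the first failure propagates unchanged
                for (CertificateVerifier cv : andCopy) {
                    cv.isValid(chain, hostname);
                }
            } else if (!orCopy.isEmpty()) {
                // at least one OR verifier must pass; the last failure is kept as the cause of the rejection
                boolean passed = false;
                CertificateVerificationException lastFailure = null;
                for (CertificateVerifier cv : orCopy) {
                    try {
                        cv.isValid(chain, hostname);
                        // a successful outcome means we passed, so stop trying further paths
                        passed = true;
                        break;
                    } catch (CertificateVerificationException ex) {
                        lastFailure = ex;
                    }
                }
                if (!passed) {
                    String msg = "None of the possible validation paths succeeded.";
                    throw new CertificateVerificationException(msg, lastFailure);
                }
            }
        }
    };
}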
use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.
the class ExpirationVerifier method isValid.
/**
 * Rejects the chain if any certificate in it has passed its end of validity.
 * Only the end date is inspected; a start date lying in the future is not rejected by this verifier.
 *
 * @param chain certificate chain presented by the TLS server
 * @param hostOrIP host name or IP address of the connection; not used by this check
 * @throws CertificateVerificationException if a certificate is expired or cannot be decoded
 */
@Override
public void isValid(TlsServerCertificate chain, String hostOrIP) throws CertificateVerificationException {
    // one reference instant for the whole chain, so every certificate is judged against the same time
    final Date checkTime = new Date();
    try {
        for (TlsCertificate tlsCert : chain.getCertificate().getCertificateList()) {
            Certificate x509 = Certificate.getInstance(tlsCert.getEncoded());
            Date notAfter = x509.getEndDate().getDate();
            if (!checkTime.after(notAfter)) {
                continue;
            }
            String msg = String.format("The certificate '%s' expired at %s.", x509.getSubject(), notAfter);
            throw new CertificateVerificationException(msg);
        }
    } catch (IOException ex) {
        throw new CertificateVerificationException("Invalid certificate received from server.", ex);
    }
}