Use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.
The class HostnameVerifier, method validInt.
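/**
 * Checks that {@code hostOrIp} matches an identity asserted in {@code cert}.
 * <p>
 * The SubjectAlternativeName extension is evaluated first. Following RFC 6125 section 6.4.4, the Subject CN is
 * only consulted as a fallback when the certificate carries no dNSName entry in its SubjectAlternativeName; a CN
 * match is never accepted for a certificate whose SAN already lists DNS names. Matching of IP address literals is
 * not implemented in the iPAddress branch, so validation of an IP address currently always fails.
 *
 * @param cert Certificate whose Subject and SubjectAlternativeName are checked.
 * @param hostOrIp Host name or IP address literal that was actually requested.
 * @throws CertificateVerificationException Thrown when none of the names in the certificate matches.
 */
private void validInt(Certificate cert, String hostOrIp) throws CertificateVerificationException {
    boolean isIPAddr = IPAddress.isValid(hostOrIp);
    // set once a dNSName entry was seen in the SAN; the CN must then not be used as a fallback
    boolean sanHasDnsName = false;

    // evaluate subject alternative name
    // a v1 certificate carries no extensions at all, so guard against a null Extensions object
    Extensions ext = cert.getTBSCertificate().getExtensions();
    Extension subjAltExt = ext == null ? null : ext.getExtension(Extension.subjectAlternativeName);
    if (subjAltExt != null) {
        // extract SubjAltName from Extensions
        GeneralNames gns = GeneralNames.fromExtensions(ext, Extension.subjectAlternativeName);
        for (GeneralName name : gns.getNames()) {
            ASN1Encodable reference = name.getName();
            switch (name.getTagNo()) {
                case GeneralName.dNSName:
                    sanHasDnsName = true;
                    // stop execution as soon as one entry matches
                    if (!isIPAddr && checkWildcardName(hostOrIp, reference.toString())) {
                        return;
                    }
                    break;
                case GeneralName.iPAddress:
                    if (isIPAddr) {
                        // TODO: validate IP Addresses
                        LOG.warn("IP Address verification not supported.");
                    }
                    break;
                default:
                    LOG.debug("Unsupported GeneralName ({}) tag in SubjectAlternativeName.", name.getTagNo());
            }
        }
    }

    // check hostname against Subject CN, but only for certificates without a dNSName in the SAN
    if (isIPAddr) {
        LOG.debug("Given name is an IP Address. Validation relies solely on the SubjectAlternativeName.");
    } else if (sanHasDnsName) {
        LOG.debug("SubjectAlternativeName contains dNSName entries, Subject CN is ignored.");
    } else {
        RDN[] cn = cert.getSubject().getRDNs(BCStrictStyle.CN);
        if (cn.length != 0) {
            // CN is always a string type
            String hostNameReference = cn[0].getFirst().getValue().toString();
            if (checkWildcardName(hostOrIp, hostNameReference)) {
                return;
            }
        } else {
            LOG.debug("No CN entry in certificate's Subject.");
        }
    }

    // no name in the certificate matched the requested host
    String errorMsg = "Hostname in certificate differs from actually requested host.";
    throw new CertificateVerificationException(errorMsg);
}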
Use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.
The class JavaSecVerifier, method isValid.
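/**
 * Validates the presented certificate chain against the trust store using the PKIX certificate path validator.
 * <p>
 * Revocation checking is only enabled when {@code checkRevocation} is set; in that case the JVM-wide property
 * {@code com.sun.security.enableCRLDP} is switched on so the validator may fetch CRLs from distribution points.
 * The {@code hostname} parameter is not evaluated by this verifier; host name matching must be performed by a
 * separate verifier.
 *
 * @param chain Certificate chain presented by the server.
 * @param hostname Requested host name; not used here.
 * @throws CertificateVerificationException Thrown when the chain does not validate against the trust store or
 *   cannot be converted to the java.security representation. The underlying exception is attached as cause.
 */
@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
    try {
        CertPath certPath = convertChain(chain);
        // create the parameters for the validator
        PKIXParameters params = new PKIXParameters(getTrustStore());
        if (checkRevocation) {
            params.setRevocationEnabled(true);
            // process-wide setting of the Sun PKIX implementation; it affects every validation in this JVM
            System.setProperty("com.sun.security.enableCRLDP", "true");
        } else {
            // disable CRL checking since we are not supplying any CRLs yet
            params.setRevocationEnabled(false);
        }
        // validate - exception marks failure
        certPathValidator.validate(certPath, params);
    } catch (GeneralSecurityException ex) {
        // covers CertPathValidatorException as well; keep the cause so the failure reason is not lost
        throw new CertificateVerificationException(ex.getMessage(), ex);
    } catch (IOException ex) {
        throw new CertificateVerificationException("Error converting certificate chain to java.security format.", ex);
    }
}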
Use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.
The class SameCertVerifier, method isValid.
/**
 * Pins the server certificate chain seen on the first call and rejects any later chain that differs from it.
 * <p>
 * NOTE(review): a null chain on the first call leaves nothing pinned, so the next presented chain becomes the
 * reference — confirm this is intended.
 *
 * @param serverCertificate Chain presented by the server in the current handshake.
 * @param hostOrIP Requested host; not evaluated by this verifier.
 * @throws CertificateVerificationException Thrown when no chain is presented after one has been pinned, when the
 *   chain length differs from the pinned chain, when a certificate cannot be encoded, or when any certificate in
 *   the chain differs from its pinned counterpart.
 */
@Override
public void isValid(TlsServerCertificate serverCertificate, String hostOrIP) throws CertificateVerificationException {
    // nothing pinned yet: remember this chain as the reference for all subsequent calls
    if (firstCert == null) {
        firstCert = serverCertificate;
        return;
    }

    if (serverCertificate == null) {
        String msg = "No server certificate transmitted. Test against first certificate is invalid.";
        LOG.error(msg);
        throw new CertificateVerificationException(msg);
    }

    // chains must be of equal length
    int chainLength = firstCert.getCertificate().getLength();
    if (chainLength != serverCertificate.getCertificate().getLength()) {
        String msg = "Server certificate changed during transaction..";
        LOG.error(msg);
        throw new CertificateVerificationException(msg);
    }

    // compare each certificate of the pinned chain with its counterpart in the presented chain
    for (int idx = 0; idx < chainLength; idx++) {
        byte[] pinned;
        byte[] presented;
        try {
            pinned = firstCert.getCertificate().getCertificateAt(idx).getEncoded();
            presented = serverCertificate.getCertificate().getCertificateAt(idx).getEncoded();
        } catch (IOException ex) {
            String msg = "Failed to serialize certificate";
            LOG.error(msg);
            throw new CertificateVerificationException(msg, ex);
        }
        if (!ByteUtils.compare(pinned, presented)) {
            String msg = "Certificates retransmitted by the server differ.";
            LOG.error(msg);
            throw new CertificateVerificationException(msg);
        }
    }
}