
Example 6 with CertificateVerificationException

use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.

The class HostnameVerifier, method validInt.

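/**
 * Checks that {@code hostOrIp} matches a name carried in the given certificate.
 * <p>
 * The SubjectAlternativeName extension is evaluated first. The Subject CN is only used as a
 * fallback when the certificate carries no dNSName entry in the SAN (RFC 6125, section 6.4.4);
 * a certificate that has dNSName entries must be judged by those alone. The actual comparison of
 * a dNSName or CN value against {@code hostOrIp} is delegated to {@code checkWildcardName}.
 * Matching of iPAddress entries is not implemented, so an IP literal never validates
 * successfully and always ends in the exception.
 *
 * @param cert Certificate whose names are checked.
 * @param hostOrIp Host name or IP literal the connection was made to.
 * @throws CertificateVerificationException If no name in the certificate matches {@code hostOrIp}.
 */
private void validInt(Certificate cert, String hostOrIp) throws CertificateVerificationException {
    boolean success = false;
    boolean isIPAddr = IPAddress.isValid(hostOrIp);
    // set once the SAN contains at least one dNSName; the CN must then not be consulted
    boolean sanHasDnsName = false;

    // evaluate subject alternative name first
    // a certificate without extensions yields null here, which must not turn into an NPE
    Extensions ext = cert.getTBSCertificate().getExtensions();
    Extension subjAltExt = ext != null ? ext.getExtension(Extension.subjectAlternativeName) : null;
    if (subjAltExt != null) {
        // extract SubjAltName from Extensions
        GeneralNames gns = GeneralNames.fromExtensions(ext, Extension.subjectAlternativeName);
        GeneralName[] names = gns.getNames();
        for (GeneralName name : names) {
            ASN1Encodable reference = name.getName();
            switch (name.getTagNo()) {
                case GeneralName.dNSName:
                    sanHasDnsName = true;
                    if (!isIPAddr) {
                        success = checkWildcardName(hostOrIp, reference.toString());
                    }
                    break;
                case GeneralName.iPAddress:
                    if (isIPAddr) {
                        // TODO: validate IP Addresses
                        LOG.warn("IP Address verification not supported.");
                    }
                    break;
                default:
                    LOG.debug("Unsupported GeneralName ({}) tag in SubjectAlternativeName.", name.getTagNo());
            }
            // stop execution when we found a valid name
            if (success) {
                return;
            }
        }
    }

    // fall back to the Subject CN only when the SAN offered no dNSName to match against
    if (isIPAddr) {
        LOG.debug("Given name is an IP Address. Validation relies solely on the SubjectAlternativeName.");
    } else if (sanHasDnsName) {
        LOG.debug("SubjectAlternativeName contains dNSName entries, Subject CN is not consulted.");
    } else {
        RDN[] cn = cert.getSubject().getRDNs(BCStrictStyle.CN);
        if (cn.length != 0) {
            // CN is always a string type
            String hostNameReference = cn[0].getFirst().getValue().toString();
            success = checkWildcardName(hostOrIp, hostNameReference);
        } else {
            LOG.debug("No CN entry in certificate's Subject.");
        }
    }

    // evaluate result
    if (!success) {
        String errorMsg = "Hostname in certificate differs from actually requested host.";
        throw new CertificateVerificationException(errorMsg);
    }
}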

Example 7 with CertificateVerificationException

use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.

The class JavaSecVerifier, method isValid.

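/**
 * Validates the server certificate chain against the trust store using the PKIX path validator.
 * <p>
 * Revocation checking is only enabled when {@code checkRevocation} is set; in that case the
 * JVM-wide property {@code com.sun.security.enableCRLDP} is switched on so CRLs can be fetched
 * from the distribution points named in the certificates. Without that flag no revocation
 * information is consulted at all. The {@code hostname} parameter is not used by this verifier;
 * name matching has to be performed by a separate verifier.
 *
 * @param chain Server certificate chain as received in the TLS handshake.
 * @param hostname Host name of the connection, not consulted here.
 * @throws CertificateVerificationException If the chain could not be converted or fails PKIX
 *   validation. The underlying exception is attached as the cause.
 */
@Override
public void isValid(TlsServerCertificate chain, String hostname) throws CertificateVerificationException {
    try {
        CertPath certPath = convertChain(chain);
        // create the parameters for the validator
        PKIXParameters params = new PKIXParameters(getTrustStore());
        if (checkRevocation) {
            params.setRevocationEnabled(true);
            // process-wide setting: affects every PKIX validation in this JVM, not only this call
            System.setProperty("com.sun.security.enableCRLDP", "true");
        } else {
            // disable CRL checking since we are not supplying any CRLs yet
            params.setRevocationEnabled(false);
        }
        // validate - exception marks failure
        certPathValidator.validate(certPath, params);
    } catch (GeneralSecurityException ex) {
        // CertPathValidatorException is a GeneralSecurityException, one handler covers both;
        // keep the cause so the reason for the failure is not reduced to its message
        throw new CertificateVerificationException(ex.getMessage(), ex);
    } catch (IOException ex) {
        throw new CertificateVerificationException("Error converting certificate chain to java.security format.", ex);
    }
}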

Example 8 with CertificateVerificationException

use of org.openecard.crypto.tls.CertificateVerificationException in project open-ecard by ecsec.

The class SameCertVerifier, method isValid.

/**
 * Ensures the server presents the same certificate chain on every connection of a transaction.
 * <p>
 * The chain seen on the first call is remembered and accepted as-is. Every later call must deliver
 * a chain of the same length whose certificates, compared in their encoded form via
 * {@code ByteUtils.compare}, equal the remembered ones position by position.
 *
 * @param serverCertificate Chain presented by the server in the current handshake.
 * @param hostOrIP Host name or IP of the connection, not consulted by this verifier.
 * @throws CertificateVerificationException If no chain was transmitted although one was seen
 *   before, if the chain length differs, if a certificate could not be encoded, or if any
 *   certificate differs from the remembered one.
 */
@Override
public void isValid(TlsServerCertificate serverCertificate, String hostOrIP) throws CertificateVerificationException {
    // first contact: remember the chain and accept it
    if (firstCert == null) {
        firstCert = serverCertificate;
        return;
    }

    // we have a saved certificate, try to validate it by comparison
    if (serverCertificate == null) {
        String msg = "No server certificate transmitted. Test against first certificate is invalid.";
        LOG.error(msg);
        throw new CertificateVerificationException(msg);
    }

    // chains must be of equal length
    int chainLength = firstCert.getCertificate().getLength();
    if (chainLength != serverCertificate.getCertificate().getLength()) {
        String msg = "Server certificate changed during transaction..";
        LOG.error(msg);
        throw new CertificateVerificationException(msg);
    }

    // compare each certificate in the chain
    for (int idx = 0; idx < chainLength; idx++) {
        byte[] expected;
        byte[] actual;
        try {
            expected = firstCert.getCertificate().getCertificateAt(idx).getEncoded();
            actual = serverCertificate.getCertificate().getCertificateAt(idx).getEncoded();
        } catch (IOException ex) {
            String msg = "Failed to serialize certificate";
            LOG.error(msg);
            throw new CertificateVerificationException(msg, ex);
        }
        if (!ByteUtils.compare(expected, actual)) {
            String msg = "Certificates retransmitted by the server differ.";
            LOG.error(msg);
            throw new CertificateVerificationException(msg);
        }
    }
}
