Add BC validator for validation. Clean up log messages.
This commit is contained in:
parent
ecc6ee6d04
commit
efe2bbf9b4
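--- a/<path not shown on page>/ReferenceManifestValidator.java
+++ b/<path not shown on page>/ReferenceManifestValidator.java
@@ -50,7 +50,15 @@ import java.io.InputStream;
 import java.io.UnsupportedEncodingException;
 import java.nio.file.Files;
 import java.nio.file.Paths;
-import java.security.*;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.KeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.SignatureException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
@@ -184,6 +192,7 @@ public class ReferenceManifestValidator {
 */
 public ReferenceManifestValidator() {
 try {
+Security.addProvider(new BouncyCastleProvider());
 InputStream is = ReferenceManifestValidator.class
 .getClassLoader().getResourceAsStream(SCHEMA_URL);
 SchemaFactory schemaFactory = SchemaFactory.newInstance(SCHEMA_LANGUAGE);
@@ -410,7 +419,6 @@ public class ReferenceManifestValidator {
 */
 private void whySignatureInvalid(final XMLSignature signature, final DOMValidateContext context)
 throws XMLSignatureException{
-log.error("Verifying xml signature:");
 boolean cryptoValidity = signature.getSignatureValue().validate(context);
 if (cryptoValidity) {
 log.error("Signature value is valid.");
@@ -448,13 +456,12 @@ public class ReferenceManifestValidator {
 throw new Exception("Truststore is empty");
 }
 
-final String INT_CA_ERROR = "Intermediate CA found, searching for root CA";
 String errorMessage = "";
 X509Certificate chainCert = cert;
 boolean isChainCertValid;
 do {
 isChainCertValid = false;
-log.error("Validating " + chainCert.getSubjectX500Principal().getName());
+log.info("Validating " + chainCert.getSubjectX500Principal().getName());
 for (X509Certificate trustedCert : trustStore) {
 boolean isIssuer = areYouMyIssuer(chainCert, trustedCert);
 boolean isSigner = areYouMySigner(chainCert, trustedCert);
@@ -479,7 +486,7 @@ public class ReferenceManifestValidator {
 } while (isChainCertValid);
 
 log.error("CA chain validation failed to validate "
-+ chainCert.getSubjectX500Principal().getName());
++ chainCert.getSubjectX500Principal().getName() + ", " + errorMessage);
 return false;
 }
 
@@ -525,7 +532,7 @@ public class ReferenceManifestValidator {
 + System.lineSeparator()
 + "Certificate needed for verification is missing: "
 + signer.getSubjectX500Principal().getName();
-log.error(error);
+log.info(error);
 } catch (CertificateException e) {
 throw new Exception("Encoding error: " + e.getMessage());
 }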
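Review bot: `Security.addProvider(new BouncyCastleProvider());` in the constructor (second hunk) mutates JVM-wide provider state on every `ReferenceManifestValidator` construction, and because `addProvider` appends at the lowest priority, the JDK's own providers still win for any algorithm they also implement, so BC only takes effect where the code requests it by name. The newly imported `NoSuchProviderException` suggests some call does name the provider explicitly; if so, that call fails for any caller that runs before the first validator instance exists. Registering once in a static initializer, guarded by `Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null`, makes the provider available at class load and avoids the repeated global mutation; a one-line comment stating which algorithm needs BC would also help the next reader. The constructor body continues outside the hunk.
```java
// … unchanged: constants and fields …
static {
    // Register once per JVM, not per instance; addProvider appends at lowest priority,
    // so BC is only used where an algorithm is requested from it by name.
    if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
        Security.addProvider(new BouncyCastleProvider());
    }
}

public ReferenceManifestValidator() {
    try {
        // … unchanged: schema loading …
```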