Better cert path validation exception message for PartyAndCertificate.verify (#2976)

This commit is contained in:
Shams Asari 2018-04-18 17:27:03 +01:00 committed by GitHub
parent 7db48de2b8
commit a684507553
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 18 deletions

View File

@ -2,6 +2,7 @@ package net.corda.core.identity
import net.corda.core.internal.CertRole
import net.corda.core.internal.uncheckedCast
import net.corda.core.internal.validate
import net.corda.core.serialization.CordaSerializable
import java.security.PublicKey
import java.security.cert.*
@ -40,9 +41,7 @@ class PartyAndCertificate(val certPath: CertPath) {
/** Verify the certificate path is valid. */
fun verify(trustAnchor: TrustAnchor): PKIXCertPathValidatorResult {
val parameters = PKIXParameters(setOf(trustAnchor)).apply { isRevocationEnabled = false }
val validator = CertPathValidator.getInstance("PKIX")
val result = validator.validate(certPath, parameters) as PKIXCertPathValidatorResult
val result = certPath.validate(trustAnchor)
// Apply Corda-specific validity rules to the chain. This only applies to chains with any roles present, so
// an all-null chain is in theory valid.
var parentRole: CertRole? = CertRole.extract(result.trustAnchor.trustedCert)

View File

@ -44,7 +44,7 @@ import java.nio.file.attribute.FileTime
import java.security.KeyPair
import java.security.PrivateKey
import java.security.PublicKey
import java.security.cert.X509Certificate
import java.security.cert.*
import java.time.Duration
import java.time.temporal.Temporal
import java.util.*
@ -386,6 +386,22 @@ fun ExecutorService.join() {
}
}
fun CertPath.validate(trustAnchor: TrustAnchor): PKIXCertPathValidatorResult {
val parameters = PKIXParameters(setOf(trustAnchor)).apply { isRevocationEnabled = false }
try {
return CertPathValidator.getInstance("PKIX").validate(this, parameters) as PKIXCertPathValidatorResult
} catch (e: CertPathValidatorException) {
throw CertPathValidatorException(
"""Cert path failed to validate against trust anchor.
Reason: ${e.reason}
Offending cert index: ${e.index}
Cert path: $this
Trust anchor:
$trustAnchor""", e, this, e.index)
}
}
/**
* Return the underlying X.500 name from this Corda-safe X.500 name. These are guaranteed to have a consistent
* ordering, such that their `toString()` function returns the same value every time for the same [CordaX500Name].

View File

@ -104,20 +104,7 @@ object X509Utilities {
}
fun validateCertPath(trustedRoot: X509Certificate, certPath: CertPath) {
val params = PKIXParameters(setOf(TrustAnchor(trustedRoot, null)))
params.isRevocationEnabled = false
try {
CertPathValidator.getInstance("PKIX").validate(certPath, params)
} catch (e: CertPathValidatorException) {
throw CertPathValidatorException(
"""Cert path failed to validate against root certificate.
Reason: ${e.reason}
Offending cert index: ${e.index}
Cert path: $certPath
Root certificate:
$trustedRoot""", e, certPath, e.index)
}
certPath.validate(TrustAnchor(trustedRoot, null))
}
/**