mirror of
https://github.com/corda/corda.git
synced 2024-12-18 20:47:57 +00:00
Better cert path validation exception message for PartyAndCertificate.verify (#2976)
This commit is contained in:
parent
7db48de2b8
commit
a684507553
@ -2,6 +2,7 @@ package net.corda.core.identity
|
||||
|
||||
import net.corda.core.internal.CertRole
|
||||
import net.corda.core.internal.uncheckedCast
|
||||
import net.corda.core.internal.validate
|
||||
import net.corda.core.serialization.CordaSerializable
|
||||
import java.security.PublicKey
|
||||
import java.security.cert.*
|
||||
@ -40,9 +41,7 @@ class PartyAndCertificate(val certPath: CertPath) {
|
||||
|
||||
/** Verify the certificate path is valid. */
|
||||
fun verify(trustAnchor: TrustAnchor): PKIXCertPathValidatorResult {
|
||||
val parameters = PKIXParameters(setOf(trustAnchor)).apply { isRevocationEnabled = false }
|
||||
val validator = CertPathValidator.getInstance("PKIX")
|
||||
val result = validator.validate(certPath, parameters) as PKIXCertPathValidatorResult
|
||||
val result = certPath.validate(trustAnchor)
|
||||
// Apply Corda-specific validity rules to the chain. This only applies to chains with any roles present, so
|
||||
// an all-null chain is in theory valid.
|
||||
var parentRole: CertRole? = CertRole.extract(result.trustAnchor.trustedCert)
|
||||
|
@ -44,7 +44,7 @@ import java.nio.file.attribute.FileTime
|
||||
import java.security.KeyPair
|
||||
import java.security.PrivateKey
|
||||
import java.security.PublicKey
|
||||
import java.security.cert.X509Certificate
|
||||
import java.security.cert.*
|
||||
import java.time.Duration
|
||||
import java.time.temporal.Temporal
|
||||
import java.util.*
|
||||
@ -386,6 +386,22 @@ fun ExecutorService.join() {
|
||||
}
|
||||
}
|
||||
|
||||
fun CertPath.validate(trustAnchor: TrustAnchor): PKIXCertPathValidatorResult {
|
||||
val parameters = PKIXParameters(setOf(trustAnchor)).apply { isRevocationEnabled = false }
|
||||
try {
|
||||
return CertPathValidator.getInstance("PKIX").validate(this, parameters) as PKIXCertPathValidatorResult
|
||||
} catch (e: CertPathValidatorException) {
|
||||
throw CertPathValidatorException(
|
||||
"""Cert path failed to validate against trust anchor.
|
||||
Reason: ${e.reason}
|
||||
Offending cert index: ${e.index}
|
||||
Cert path: $this
|
||||
|
||||
Trust anchor:
|
||||
$trustAnchor""", e, this, e.index)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the underlying X.500 name from this Corda-safe X.500 name. These are guaranteed to have a consistent
|
||||
* ordering, such that their `toString()` function returns the same value every time for the same [CordaX500Name].
|
||||
|
@ -104,20 +104,7 @@ object X509Utilities {
|
||||
}
|
||||
|
||||
fun validateCertPath(trustedRoot: X509Certificate, certPath: CertPath) {
|
||||
val params = PKIXParameters(setOf(TrustAnchor(trustedRoot, null)))
|
||||
params.isRevocationEnabled = false
|
||||
try {
|
||||
CertPathValidator.getInstance("PKIX").validate(certPath, params)
|
||||
} catch (e: CertPathValidatorException) {
|
||||
throw CertPathValidatorException(
|
||||
"""Cert path failed to validate against root certificate.
|
||||
Reason: ${e.reason}
|
||||
Offending cert index: ${e.index}
|
||||
Cert path: $certPath
|
||||
|
||||
Root certificate:
|
||||
$trustedRoot""", e, certPath, e.index)
|
||||
}
|
||||
certPath.validate(TrustAnchor(trustedRoot, null))
|
||||
}
|
||||
|
||||
/**
|
||||
|
Loading…
Reference in New Issue
Block a user