I have the response for the validation of revocation of a certificate like a
org.bouncycastle.cert.ocsp.BasicOCSPResp
then with this code:
X509Certificate ocspCert = (X509Certificate) keyStore.getCertificate(alias);
ContentVerifierProvider jcp = new JcaContentVerifierProviderBuilder().setProvider("BC").build(ocspCert.getPublicKey());
boolean isValid = basicResponse.isSignatureValid(jcp);
if (!isValid)
throw new OCSPException("invalid");
I'm trying to do that validation but I got only a false, how could I get the trace or the cause for the validation to fail?
Related
I currently use the following snippet to include my SSL certificate file into the http client:
final List<int>? _certBytes; //I read it from .cer file included in the project
(_dio.httpClientAdapter as DefaultHttpClientAdapter).onHttpClientCreate =
(client) {
if (_certBytes != null) {
SecurityContext sc = SecurityContext();
sc.setTrustedCertificatesBytes(_certBytes!);
HttpClient httpClient = HttpClient(context: sc);
return httpClient;
} else {
client.badCertificateCallback =
((X509Certificate cert, String host, int port) => true);
return client;
}
};
while this code works well, it will stop working if the certificate is expired, which means that I need to add a new certificate file into the app and upload again to the app stores, so I decided to host the certificate as a hashed string in Firebase's Remote Config and read it upon app launch, so I can change the certificate remotely without building new versions for the app, but couldn't find a way to set the SecurityContext with a certificate hashed string in the Dio's HTTPClient
I'm new in Jboss, and using rest easy client for connection in my jboss code. Below is the code -
---
import org.jboss.resteasy.client.ClientRequest;
import org.jboss.resteasy.client.ClientResponse;
---
public String login() throws Exception {
---
String URL = "https://IP//service/perform.do?operationId=XXXXX";
ClientRequest restClient = new ClientRequest(URL);
restClient.accept(MediaType.APPLICATION_JSON);
restClient.body(MediaType.APPLICATION_JSON, hmap);
ClientResponse < String > resp = restClient.post(String.class);
if (resp.getStatus() != 201) {
throw new RuntimeException("Failed : HTTPS error code : " + resp.getStatus());
}
BufferedReader br = new BufferedReader(new InputStreamReader(
new ByteArrayInputStream(resp.getEntity().getBytes())));
String output;
System.out.println("Output from Server .... \n");
while ((output = br.readLine()) != null) {
System.out.println(output);
}
return output;
}
While connecting with SSL enabled server, getting certificate error "HTTP Status 500 - org.jboss.resteasy.spi.UnhandledException: javax.net.ssl.SSLException: hostname in certificate didn't match".
We can't change certificate at this moment, but is there any way to trust any certificate? I googled many posts, but nothing helped.
Anyone can tell me what is the solution of this issue.
I have simple app that is trying to do a http web request to a server that requires SAML authentication. Authenticated users will get a http response header with a special token, which is what I need to ultimately get.
My app is .net based and does a pretty simple http web request. It does the request then parses the response header. I later traverse the header for the specific token I need:
...
try
{
WindowsIdentity identity = HttpContext.User.Identity as WindowsIdentity;
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
req.UseDefaultCredentials = true;
req.AllowAutoRedirect = true;
req.Timeout = 30000;
HttpWebResponse response = (HttpWebResponse)req.GetResponse();
if (response == null)
{
throw new Exception("No HTTP Response");
}
StringBuilder sb = new StringBuilder();
Byte[] buffer = new byte[8192];
Stream rStream = response.GetResponseStream();
int count = 1;
do
{
count = rStream.Read(buffer, 0, buffer.Length);
if (count != 0)
{
sb.Append(Encoding.UTF8.GetString(buffer, 0, count));
}
} while (count > 0);
...
The problem is that the server I'm requesting requires SAML authentication. It redirects to an ADFS server upon request. My app server currently uses kerberos authentication but I can enable it to do SAML as well. Both servers use the same IdP (ADFS) and are in the same enterprise.
My question is - since my app can also do SAML on the same IdP, is there anyway I could get the necessary claims to connect directly into the destination server?
I'm trying validate the certificate path and signature using bouncy castle APIs.
And i'm getting the following exception. I have verified that the signature algorithm 'SHA256WithRSAEncryption' is same in my certificates and the issuer certificate.
Any help would be much appreciated.
Exception in thread "main" org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate signature.
at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCertA(Unknown Source)
at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:250)
Caused by: java.security.cert.CertificateException: signature algorithm in TBS cert not same as outer cert
at org.bouncycastle.jce.provider.X509CertificateObject.checkSignature(Unknown Source)
at org.bouncycastle.jce.provider.X509CertificateObject.verify(Unknown Source)
at org.bouncycastle.jce.provider.CertPathValidatorUtilities.verifyX509Certificate(Unknown Source)
... 6 more
signing:
public byte[] sign(byte[] data) throws GeneralSecurityException, CMSException, IOException {
CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
generator.addSigner(pk, (X509Certificate) cert,
CMSSignedDataGenerator.DIGEST_SHA1); //Also tried DIGEST_SHA256
generator.addCertificatesAndCRLs(getCertStore());
CMSProcessable content = new CMSProcessableByteArray(data);
CMSSignedData signedData = generator.generate(content, true, "BC");
return signedData.getEncoded();
}
Verification :
CollectionCertStoreParameters params = new CollectionCertStoreParameters(list);
CertStore store = CertStore.getInstance("Collection", params, "BC");
//create certificate path
CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC");
List<X509Certificate> certChain = new ArrayList<X509Certificate>();
//Create the certificate chain
for( int i = 0; i < list.size(); i++)
certChain.add(list.get(i));
//Create the chain of certificates
CertPath certPath = fact.generateCertPath(certChain);
Set<TrustAnchor> trust = Collections.singleton(new TrustAnchor(rootX509cert, null));
//Get the certificate path validator
CertPathValidator validator = CertPathValidator.getInstance("PKIX", "BC");
PKIXParameters param = new PKIXParameters(trust);
param.setRevocationEnabled(false);
param.addCertStore(store);
param.setDate(new Date());
param.addCertPathChecker(new PathChecker());
//Validate the certificate path
validator.validate(certPath, param);
I am not sure this is a problem of your CMS structure or your cert path validation. I think one of your certificates is erroneous.
The exception states that in a X509Certificate (my guess is your signer certificate or in its chain) the value of Certificate signatureAlgorithm is not the same as TBSCertificate signature.
See https://www.rfc-editor.org/rfc/rfc5280#section-4.1:
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier, <--
signatureValue BIT STRING }
TBSCertificate ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier, <--
issuer Name,
...
Every once in a while Paypal is returning a 500 error code to my .net applications ipn script. It is returning that code in the response to the verification request
Here's the error that is logged:
System.Net.WebException
The remote server returned an error: (500) Internal Server Error.
System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> System.Net.WebException: The remote server returned an error: (500) Internal Server Error.
at System.Net.HttpWebRequest.GetResponse()
at ASP.ipn_aspx.Page_Load(Object sender, EventArgs e)
The code that Im using for the call is:
endPoint = "https://www.paypal.com/cgi-bin/webscr";
HttpWebRequest req = (HttpWebRequest)WebRequest.Create(endPoint);
//Set values for the request back
req.Method = "POST";
req.ContentType = "application/x-www-form-urlencoded";
byte[] param = Request.BinaryRead(HttpContext.Current.Request.ContentLength);
string strRequest = Encoding.ASCII.GetString(param);
strRequest += "&cmd=_notify-validate";
req.ContentLength = strRequest.Length;
//Send the request to PayPal and get the response
StreamWriter streamOut = new StreamWriter(req.GetRequestStream(), System.Text.Encoding.ASCII);
streamOut.Write(strRequest);
streamOut.Close();
StreamReader streamIn = new StreamReader(req.GetResponse().GetResponseStream());
string strResponse = streamIn.ReadToEnd();
streamIn.Close();
This probably happens about once per day and PayPal doesn't retry the ipn message. The other 95% of the PayPal ipn transactions are working fine. Any ideas?