/**
 * Checks one signature over a serialized wavelet delta.
 *
 * <p>The bytes handed to the verifier are the ones held by {@code delta}'s
 * byte string, i.e. the serialized form carried by the message.
 *
 * @param delta the signed payload.
 * @param signature the signature to check against the payload.
 * @param domain the authority (domain name) that should have signed the
 *   payload.
 * @throws SignatureException if the signature doesn't verify.
 * @throws UnknownSignerException propagated from the verifier; presumably
 *   raised when the signer's info is not known to it (confirm against the
 *   verifier).
 */
private void verifySingleSignature(ByteStringMessage<ProtocolWaveletDelta> delta,
    ProtocolSignature signature, String domain)
    throws SignatureException, UnknownSignerException {
  final byte[] signedBytes = delta.getByteString().toByteArray();
  verifier.verify(signedBytes, signature, domain);
}
/**
 * Checks that a certificate was issued to the given authority.
 *
 * <p>The authority is accepted as soon as one of the following holds, tried
 * in this order: it equals the subject common name exactly (case-sensitive
 * {@code String.equals}), the subject-alternative-name helper accepts it, or
 * the wildcard-CN helper accepts it.
 *
 * <p>NOTE(review): the common name is consulted before the subject
 * alternative names, and a certificate without a CN is rejected before the
 * alternative names are looked at. RFC 6125 prefers alternative names and
 * treats the CN as a legacy fallback; confirm that this order, and the
 * wildcard rules of the helper (not visible here), are intended.
 *
 * @param authority the authority to which the certificate was issued,
 *   e.g., a domain name.
 * @param certificate the {@link X509Certificate}
 * @throws SignatureException if the certificate has no common name, or if
 *   the authority doesn't match the certificate.
 */
private void verifyMatchingAuthority(String authority, X509Certificate certificate)
    throws SignatureException {
  final String commonName = getCommonNameFromDistinguishedName(
      certificate.getSubjectX500Principal().getName());
  if (commonName == null) {
    throw new SignatureException("no common name found in signer " +
        "certificate " + certificate.getSubjectDN().toString());
  }

  // || short-circuits, so each helper runs only when the checks before it
  // have failed, in the same order as a chain of early returns.
  final boolean issuedToAuthority = commonName.equals(authority)
      || authorityMatchesSubjectAlternativeNames(authority, certificate)
      || authorityMatchesWildcardCN(authority, commonName);
  if (!issuedToAuthority) {
    throw new SignatureException("expected " + authority +
        " as CN or alternative name in cert, but didn't find it");
  }
}
// Excerpt from a larger method; the enclosing signature is not shown here.
// Two checks run back to back: verifySignerInfo(signer) first (its body is
// not visible in this excerpt; presumably the certificate-chain check), then
// verifyMatchingAuthority, which ties the certificate's name to `authority`.
// NOTE(review): both are expected to throw on failure, so nothing after this
// point should run for a signer that fails either check; confirm in the caller.
verifySignerInfo(signer); verifyMatchingAuthority(authority, cert);
/**
 * Builds the fixture: a signature verifier whose certificate-path validator
 * trusts only the test CA certificate and reads time from a fixed clock.
 */
@Override
protected void setUp() throws Exception {
  super.setUp();

  // Fixed clock, Jan 31, 2009 per the original author's note; presumably
  // chosen to fall inside the validity window of the test certificates.
  final FakeTimeSource fixedClock = new FakeTimeSource(1233465103000L);

  // The cache and the validator share the same clock instance.
  final CachedCertPathValidator pathValidator = new CachedCertPathValidator(
      new DefaultCacheImpl(fixedClock),
      fixedClock,
      new FakeTrustRootsProvider(CertConstantUtil.CA_PUB_CERT));

  store = new DefaultCertPathStore();
  verifier = new WaveSignatureVerifier(pathValidator, store);
}
/**
 * Verifies the given signer info and then records it in the cert path store.
 *
 * <p>Verification comes first: if {@code verifySignerInfo} throws, the
 * {@code putSignerInfo} call is never reached, so signer info that fails
 * verification is not stored by this method.
 *
 * @param signerInfo the signer info to verify and store.
 * @throws SignatureException if the signer info is rejected.
 */
@Override
public synchronized void storeSignerInfo(ProtocolSignerInfo signerInfo)
    throws SignatureException {
  final SignerInfo candidate = new SignerInfo(signerInfo);
  verifier.verifySignerInfo(candidate);
  certPathStore.putSignerInfo(signerInfo);
}
/**
 * Builds the fixture: a signature verifier whose certificate-path validator
 * trusts only the test CA certificate and reads time from a fixed clock.
 */
@Override
protected void setUp() throws Exception {
  super.setUp();

  // Fixed clock, Jan 31, 2009 per the original author's note; presumably
  // chosen to fall inside the validity window of the test certificates.
  final FakeTimeSource fixedClock = new FakeTimeSource(1233465103000L);

  // The cache and the validator share the same clock instance.
  final CachedCertPathValidator pathValidator = new CachedCertPathValidator(
      new DefaultCacheImpl(fixedClock),
      fixedClock,
      new FakeTrustRootsProvider(CertConstantUtil.CA_PUB_CERT));

  store = new DefaultCertPathStore();
  verifier = new WaveSignatureVerifier(pathValidator, store);
}
/**
 * Rough benchmark rather than a correctness test: verifies the same
 * signature repeatedly for about one second of wall-clock time and prints
 * the mean time per call. There are no assertions; a rejected signature
 * would surface as an exception thrown by {@code verify}.
 *
 * <p>NOTE(review): if the verifier caches validated certificate chains, the
 * printed figure mostly reflects the cached path, not a cold validation.
 */
public void testSpeed() throws Exception {
  storeSignerInfo(ImmutableList.of(CertConstantUtil.SERVER_PUB_CERT,
      CertConstantUtil.INTERMEDIATE_PUB_CERT));

  final ByteString signatureBytes = ByteString.copyFrom(deBase64(SIGNATURE));
  final ByteString signerId = ByteString.copyFrom(deBase64(SIGNER_ID));
  final ProtocolSignature sig = ProtocolSignature.newBuilder()
      .setSignatureBytes(signatureBytes)
      .setSignerId(signerId)
      .setSignatureAlgorithm(SignatureAlgorithm.SHA1_RSA)
      .build();

  final long start = System.currentTimeMillis();
  final long deadline = start + 1000L;
  long ops = 0;
  while (System.currentTimeMillis() < deadline) {
    verifier.verify(MESSAGE, sig, AUTHORITY);
    ++ops;
  }
  final long stop = System.currentTimeMillis();

  final double msPerOp = (stop - start) / (double) ops;
  System.out.println(String.format("%.2f ms per verification", msPerOp));
}
/**
 * Builds a verifier whose certificate-path validator takes its trust roots
 * from {@link DefaultTrustRootsProvider} while still reading time from the
 * fake time source.
 *
 * @param store the cert path store the verifier looks signers up in.
 * @return a verifier wired to the default trust roots and {@code store}.
 */
private WaveSignatureVerifier getRealVerifier(CertPathStore store)
    throws Exception {
  final TrustRootsProvider defaultRoots = new DefaultTrustRootsProvider();

  // getFakeTimeSource() is called once for the cache and once for the
  // validator, as in the original wiring.
  final WaveCertPathValidator pathValidator = new CachedCertPathValidator(
      new DefaultCacheImpl(getFakeTimeSource()),
      getFakeTimeSource(),
      defaultRoots);

  return new WaveSignatureVerifier(pathValidator, store);
}
/**
 * Rough benchmark rather than a correctness test: verifies the same
 * signature repeatedly for about one second of wall-clock time and prints
 * the mean time per call. There are no assertions; a rejected signature
 * would surface as an exception thrown by {@code verify}.
 *
 * <p>NOTE(review): if the verifier caches validated certificate chains, the
 * printed figure mostly reflects the cached path, not a cold validation.
 */
public void testSpeed() throws Exception {
  storeSignerInfo(ImmutableList.of(CertConstantUtil.SERVER_PUB_CERT,
      CertConstantUtil.INTERMEDIATE_PUB_CERT));

  final ByteString signatureBytes = ByteString.copyFrom(deBase64(SIGNATURE));
  final ByteString signerId = ByteString.copyFrom(deBase64(SIGNER_ID));
  final ProtocolSignature sig = ProtocolSignature.newBuilder()
      .setSignatureBytes(signatureBytes)
      .setSignerId(signerId)
      .setSignatureAlgorithm(SignatureAlgorithm.SHA1_RSA)
      .build();

  final long start = System.currentTimeMillis();
  final long deadline = start + 1000L;
  long ops = 0;
  while (System.currentTimeMillis() < deadline) {
    verifier.verify(MESSAGE, sig, AUTHORITY);
    ++ops;
  }
  final long stop = System.currentTimeMillis();

  final double msPerOp = (stop - start) / (double) ops;
  System.out.println(String.format("%.2f ms per verification", msPerOp));
}
/**
 * Builds a verifier whose certificate-path validator takes its trust roots
 * from {@link DefaultTrustRootsProvider} while still reading time from the
 * fake time source.
 *
 * @param store the cert path store the verifier looks signers up in.
 * @return a verifier wired to the default trust roots and {@code store}.
 */
private WaveSignatureVerifier getRealVerifier(CertPathStore store)
    throws Exception {
  final TrustRootsProvider defaultRoots = new DefaultTrustRootsProvider();

  // getFakeTimeSource() is called once for the cache and once for the
  // validator, as in the original wiring.
  final WaveCertPathValidator pathValidator = new CachedCertPathValidator(
      new DefaultCacheImpl(getFakeTimeSource()),
      getFakeTimeSource(),
      defaultRoots);

  return new WaveSignatureVerifier(pathValidator, store);
}
/**
 * Happy path: with the server and intermediate certificates stored, the
 * known-good signature over {@code MESSAGE} verifies for {@code AUTHORITY}.
 * Success is simply {@code verify} returning without throwing.
 *
 * <p>NOTE(review): the fixture signs with SHA1_RSA. SHA-1 is no longer
 * considered collision-resistant; whether the protocol offers a stronger
 * algorithm is not visible from this test.
 */
public void testVerify() throws Exception {
  storeSignerInfo(ImmutableList.of(CertConstantUtil.SERVER_PUB_CERT,
      CertConstantUtil.INTERMEDIATE_PUB_CERT));

  final ByteString signatureBytes = ByteString.copyFrom(deBase64(SIGNATURE));
  final ByteString signerId = ByteString.copyFrom(deBase64(SIGNER_ID));
  final ProtocolSignature sig = ProtocolSignature.newBuilder()
      .setSignatureBytes(signatureBytes)
      .setSignerId(signerId)
      .setSignatureAlgorithm(SignatureAlgorithm.SHA1_RSA)
      .build();

  verifier.verify(MESSAGE, sig, AUTHORITY);
}
/**
 * Builds a signature verifier over the given store, with or without real
 * certificate-path validation.
 *
 * <p>NOTE(review): when {@code disableSignerVerification} is true the
 * validator is a {@link DisabledCertPathValidator}, which by its name skips
 * chain validation; a verifier built that way should not be relied on to
 * establish trust in a signer. Confirm the flag is only set deliberately.
 *
 * @param store the cert path store the verifier looks signers up in.
 * @param disableSignerVerification if true, use the disabled validator
 *   instead of the caching validator.
 * @return a verifier wired to the chosen validator and {@code store}.
 */
private WaveSignatureVerifier getVerifier(CertPathStore store,
    boolean disableSignerVerification) {
  // Constructed in both cases, as in the original, although only the
  // caching validator uses it.
  final VerifiedCertChainCache chainCache =
      new DefaultCacheImpl(getFakeTimeSource());

  final WaveCertPathValidator pathValidator = disableSignerVerification
      ? new DisabledCertPathValidator()
      : new CachedCertPathValidator(
          chainCache, getFakeTimeSource(), getTrustRootsProvider());

  return new WaveSignatureVerifier(pathValidator, store);
}
/**
 * Happy path: with the server and intermediate certificates stored, the
 * known-good signature over {@code MESSAGE} verifies for {@code AUTHORITY}.
 * Success is simply {@code verify} returning without throwing.
 *
 * <p>NOTE(review): the fixture signs with SHA1_RSA. SHA-1 is no longer
 * considered collision-resistant; whether the protocol offers a stronger
 * algorithm is not visible from this test.
 */
public void testVerify() throws Exception {
  storeSignerInfo(ImmutableList.of(CertConstantUtil.SERVER_PUB_CERT,
      CertConstantUtil.INTERMEDIATE_PUB_CERT));

  final ByteString signatureBytes = ByteString.copyFrom(deBase64(SIGNATURE));
  final ByteString signerId = ByteString.copyFrom(deBase64(SIGNER_ID));
  final ProtocolSignature sig = ProtocolSignature.newBuilder()
      .setSignatureBytes(signatureBytes)
      .setSignerId(signerId)
      .setSignatureAlgorithm(SignatureAlgorithm.SHA1_RSA)
      .build();

  verifier.verify(MESSAGE, sig, AUTHORITY);
}
/**
 * Builds a signature verifier over the given store, with or without real
 * certificate-path validation.
 *
 * <p>NOTE(review): when {@code disableSignerVerification} is true the
 * validator is a {@link DisabledCertPathValidator}, which by its name skips
 * chain validation; a verifier built that way should not be relied on to
 * establish trust in a signer. Confirm the flag is only set deliberately.
 *
 * @param store the cert path store the verifier looks signers up in.
 * @param disableSignerVerification if true, use the disabled validator
 *   instead of the caching validator.
 * @return a verifier wired to the chosen validator and {@code store}.
 */
private WaveSignatureVerifier getVerifier(CertPathStore store,
    boolean disableSignerVerification) {
  // Constructed in both cases, as in the original, although only the
  // caching validator uses it.
  final VerifiedCertChainCache chainCache =
      new DefaultCacheImpl(getFakeTimeSource());

  final WaveCertPathValidator pathValidator = disableSignerVerification
      ? new DisabledCertPathValidator()
      : new CachedCertPathValidator(
          chainCache, getFakeTimeSource(), getTrustRootsProvider());

  return new WaveSignatureVerifier(pathValidator, store);
}
/**
 * Negative test: a valid signature presented with a different payload must
 * be rejected with a {@link SignatureException}. The signer is stored with
 * its full chain, so the payload is the only thing that differs from the
 * happy path.
 */
public void testVerify_tamperedPayload() throws Exception {
  storeSignerInfo(ImmutableList.of(CertConstantUtil.SERVER_PUB_CERT,
      CertConstantUtil.INTERMEDIATE_PUB_CERT));

  final ByteString signatureBytes = ByteString.copyFrom(deBase64(SIGNATURE));
  final ByteString signerId = ByteString.copyFrom(deBase64(SIGNER_ID));
  final ProtocolSignature sig = ProtocolSignature.newBuilder()
      .setSignatureBytes(signatureBytes)
      .setSignerId(signerId)
      .setSignatureAlgorithm(SignatureAlgorithm.SHA1_RSA)
      .build();

  boolean rejected = false;
  try {
    // NOTE(review): getBytes() uses the platform default charset; that is
    // harmless for this ASCII literal.
    verifier.verify("hullo".getBytes(), sig, AUTHORITY);
  } catch (SignatureException expected) {
    rejected = true;
  }
  if (!rejected) {
    fail("expected exception, but didn't get it");
  }
}
/**
 * Negative test: a valid signature presented with a different payload must
 * be rejected with a {@link SignatureException}. The signer is stored with
 * its full chain, so the payload is the only thing that differs from the
 * happy path.
 */
public void testVerify_tamperedPayload() throws Exception {
  storeSignerInfo(ImmutableList.of(CertConstantUtil.SERVER_PUB_CERT,
      CertConstantUtil.INTERMEDIATE_PUB_CERT));

  final ByteString signatureBytes = ByteString.copyFrom(deBase64(SIGNATURE));
  final ByteString signerId = ByteString.copyFrom(deBase64(SIGNER_ID));
  final ProtocolSignature sig = ProtocolSignature.newBuilder()
      .setSignatureBytes(signatureBytes)
      .setSignerId(signerId)
      .setSignatureAlgorithm(SignatureAlgorithm.SHA1_RSA)
      .build();

  boolean rejected = false;
  try {
    // NOTE(review): getBytes() uses the platform default charset; that is
    // harmless for this ASCII literal.
    verifier.verify("hullo".getBytes(), sig, AUTHORITY);
  } catch (SignatureException expected) {
    rejected = true;
  }
  if (!rejected) {
    fail("expected exception, but didn't get it");
  }
}
/**
 * Negative test: a signer stored with an incomplete certificate chain must
 * not verify. Only the server certificate is stored, and the signature
 * refers to the id returned for that incomplete entry; {@code verify} is
 * expected to throw a {@link SignatureException}.
 */
public void testVerify_badCertChain() throws Exception {
  // Chain deliberately lacks the intermediate cert.
  final byte[] incompleteChainId = storeSignerInfo(ImmutableList.of(
      CertConstantUtil.SERVER_PUB_CERT));

  final ByteString signatureBytes = ByteString.copyFrom(deBase64(SIGNATURE));
  final ProtocolSignature sig = ProtocolSignature.newBuilder()
      .setSignatureBytes(signatureBytes)
      .setSignerId(ByteString.copyFrom(incompleteChainId))
      .setSignatureAlgorithm(SignatureAlgorithm.SHA1_RSA)
      .build();

  boolean rejected = false;
  try {
    verifier.verify(MESSAGE, sig, AUTHORITY);
  } catch (SignatureException expected) {
    rejected = true;
  }
  if (!rejected) {
    fail("expected exception, but didn't get it");
  }
}
/**
 * Negative test: a signer stored with an incomplete certificate chain must
 * not verify. Only the server certificate is stored, and the signature
 * refers to the id returned for that incomplete entry; {@code verify} is
 * expected to throw a {@link SignatureException}.
 */
public void testVerify_badCertChain() throws Exception {
  // Chain deliberately lacks the intermediate cert.
  final byte[] incompleteChainId = storeSignerInfo(ImmutableList.of(
      CertConstantUtil.SERVER_PUB_CERT));

  final ByteString signatureBytes = ByteString.copyFrom(deBase64(SIGNATURE));
  final ProtocolSignature sig = ProtocolSignature.newBuilder()
      .setSignatureBytes(signatureBytes)
      .setSignerId(ByteString.copyFrom(incompleteChainId))
      .setSignatureAlgorithm(SignatureAlgorithm.SHA1_RSA)
      .build();

  boolean rejected = false;
  try {
    verifier.verify(MESSAGE, sig, AUTHORITY);
  } catch (SignatureException expected) {
    rejected = true;
  }
  if (!rejected) {
    fail("expected exception, but didn't get it");
  }
}
/**
 * Negative test: nothing is stored before verification, so the signer id in
 * the signature cannot be resolved and {@code verify} is expected to throw
 * an {@link UnknownSignerException}. An unknown signer is thus reported with
 * its own exception type, distinct from a bad signature.
 */
public void testVerify_signerNotInStore() throws Exception {
  final ByteString signatureBytes = ByteString.copyFrom(deBase64(SIGNATURE));
  final ByteString signerId = ByteString.copyFrom(deBase64(SIGNER_ID));
  final ProtocolSignature sig = ProtocolSignature.newBuilder()
      .setSignatureBytes(signatureBytes)
      .setSignerId(signerId)
      .setSignatureAlgorithm(SignatureAlgorithm.SHA1_RSA)
      .build();

  boolean rejected = false;
  try {
    verifier.verify(MESSAGE, sig, AUTHORITY);
  } catch (UnknownSignerException expected) {
    rejected = true;
  }
  if (!rejected) {
    fail("expected exception, but didn't get it");
  }
}
/**
 * Negative test: nothing is stored before verification, so the signer id in
 * the signature cannot be resolved and {@code verify} is expected to throw
 * an {@link UnknownSignerException}. An unknown signer is thus reported with
 * its own exception type, distinct from a bad signature.
 */
public void testVerify_signerNotInStore() throws Exception {
  final ByteString signatureBytes = ByteString.copyFrom(deBase64(SIGNATURE));
  final ByteString signerId = ByteString.copyFrom(deBase64(SIGNER_ID));
  final ProtocolSignature sig = ProtocolSignature.newBuilder()
      .setSignatureBytes(signatureBytes)
      .setSignerId(signerId)
      .setSignatureAlgorithm(SignatureAlgorithm.SHA1_RSA)
      .build();

  boolean rejected = false;
  try {
    verifier.verify(MESSAGE, sig, AUTHORITY);
  } catch (UnknownSignerException expected) {
    rejected = true;
  }
  if (!rejected) {
    fail("expected exception, but didn't get it");
  }
}