Examples with X509CertRequest com.yahoo.athenz.zts.cert.X509CertRequest used on opensource projects

Search in sources :

Example 6 with X509CertRequest

use of com.yahoo.athenz.zts.cert.X509CertRequest in project athenz by yahoo.

the class ZTSImplTest method testValidateServiceX509RefreshRequestMismatchPublicKeys.

@Test
public void testValidateServiceX509RefreshRequestMismatchPublicKeys() throws IOException {
    ChangeLogStore structStore = new ZMSFileChangeLogStore("/tmp/zts_server_unit_tests/zts_root", privateKey, "0");
    DataStore store = new DataStore(structStore, null);
    ZTSImpl ztsImpl = new ZTSImpl(mockCloudStore, store);
    Path path = Paths.get("src/test/resources/valid_provider_refresh.csr");
    String csr = new String(Files.readAllBytes(path));
    X509CertRequest certReq = new X509CertRequest(csr);
    assertNotNull(certReq);
    certReq.setNormCsrPublicKey("mismatch-public-key");
    path = Paths.get("src/test/resources/valid_provider_refresh.pem");
    String pem = new String(Files.readAllBytes(path));
    X509Certificate cert = Crypto.loadX509Certificate(pem);
    SimplePrincipal principal = (SimplePrincipal) SimplePrincipal.create("athenz", "syncer", "v=S1,d=athenz;n=syncer;s=sig", 0, new CertificateAuthority());
    principal.setX509Certificate(cert);
    assertTrue(ztsImpl.validateServiceX509RefreshRequest(principal, certReq, "10.0.0.1") == ServiceX509RefreshRequestStatus.PUBLIC_KEY_MISMATCH);
}
Also used : Path(java.nio.file.Path) X509CertRequest(com.yahoo.athenz.zts.cert.X509CertRequest) ChangeLogStore(com.yahoo.athenz.zts.store.ChangeLogStore) MockZMSFileChangeLogStore(com.yahoo.athenz.zts.store.impl.MockZMSFileChangeLogStore) ZMSFileChangeLogStore(com.yahoo.athenz.zts.store.impl.ZMSFileChangeLogStore) MockZMSFileChangeLogStore(com.yahoo.athenz.zts.store.impl.MockZMSFileChangeLogStore) ZMSFileChangeLogStore(com.yahoo.athenz.zts.store.impl.ZMSFileChangeLogStore) DataStore(com.yahoo.athenz.zts.store.DataStore) CertificateAuthority(com.yahoo.athenz.auth.impl.CertificateAuthority) X509Certificate(java.security.cert.X509Certificate) SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal) Test(org.testng.annotations.Test)

Example 7 with X509CertRequest

use of com.yahoo.athenz.zts.cert.X509CertRequest in project athenz by yahoo.

the class ZTSImpl method postInstanceRefreshRequest.

@Override
public Identity postInstanceRefreshRequest(ResourceContext ctx, String domain, String service, InstanceRefreshRequest req) {
    final String caller = "postinstancerefreshrequest";
    final String callerTiming = "postinstancerefreshrequest_timing";
    metric.increment(HTTP_POST);
    logPrincipal(ctx);
    validateRequest(ctx.request(), caller);
    validate(domain, TYPE_DOMAIN_NAME, caller);
    validate(service, TYPE_SIMPLE_NAME, caller);
    validate(req, TYPE_INSTANCE_REFRESH_REQUEST, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    domain = domain.toLowerCase();
    service = service.toLowerCase();
    Object timerMetric = metric.startTiming(callerTiming, domain);
    metric.increment(HTTP_REQUEST, domain);
    metric.increment(caller, domain);
    // make sure the credentials match to whatever the request is
    Principal principal = ((RsrcCtxWrapper) ctx).principal();
    String fullServiceName = domain + "." + service;
    final String principalName = principal.getFullName();
    boolean userRequest = false;
    if (!fullServiceName.equals(principalName)) {
        try {
            userRequest = authorizer.access("update", domain + ":service", principal, null);
        } catch (ResourceException ex) {
            LOGGER.error("postInstanceRefreshRequest: access check failure for {}: {}", principalName, ex.getMessage());
        }
        if (!userRequest) {
            throw requestError("Principal mismatch: " + fullServiceName + " vs. " + principalName, caller, domain);
        }
    }
    if (userDomain.equalsIgnoreCase(domain)) {
        throw requestError("TLS Certificates require ServiceTokens: " + fullServiceName, caller, domain);
    }
    // determine if this is a refresh or initial request
    final Authority authority = principal.getAuthority();
    boolean refreshOperation = (!userRequest && (authority instanceof CertificateAuthority));
    // retrieve the public key for the request for verification
    final String keyId = userRequest || refreshOperation ? req.getKeyId() : principal.getKeyId();
    String publicKey = getPublicKey(domain, service, keyId);
    if (publicKey == null) {
        throw requestError("Unable to retrieve public key for " + fullServiceName + " with key id: " + keyId, caller, domain);
    }
    // validate that the cn and public key match to the provided details
    X509CertRequest x509CertReq = null;
    try {
        x509CertReq = new X509CertRequest(req.getCsr());
    } catch (CryptoException ex) {
        throw requestError("Unable to parse PKCS10 certificate request", caller, domain);
    }
    final PKCS10CertificationRequest certReq = x509CertReq.getCertReq();
    if (!ZTSUtils.verifyCertificateRequest(certReq, domain, service, null)) {
        throw requestError("Invalid CSR - data mismatch", caller, domain);
    }
    if (!x509CertReq.comparePublicKeys(publicKey)) {
        throw requestError("Invalid CSR - public key mismatch", caller, domain);
    }
    if (refreshOperation) {
        final String ipAddress = ServletRequestUtil.getRemoteAddress(ctx.request());
        ServiceX509RefreshRequestStatus status = validateServiceX509RefreshRequest(principal, x509CertReq, ipAddress);
        if (status == ServiceX509RefreshRequestStatus.IP_NOT_ALLOWED) {
            throw forbiddenError("IP not allowed for refresh: " + ipAddress, caller, domain);
        }
        if (status != ServiceX509RefreshRequestStatus.SUCCESS) {
            throw requestError("Request valiation failed: " + status, caller, domain);
        }
    }
    // generate identity with the certificate
    int expiryTime = req.getExpiryTime() != null ? req.getExpiryTime() : 0;
    Identity identity = ZTSUtils.generateIdentity(certSigner, req.getCsr(), fullServiceName, null, expiryTime);
    if (identity == null) {
        throw serverError("Unable to generate identity", caller, domain);
    }
    // create our audit log entry
    AuditLogMsgBuilder msgBldr = getAuditLogMsgBuilder(ctx, domain, caller, HTTP_POST);
    msgBldr.whatEntity(fullServiceName);
    X509Certificate newCert = Crypto.loadX509Certificate(identity.getCertificate());
    StringBuilder auditLogDetails = new StringBuilder(512);
    auditLogDetails.append("Provider: ").append(ZTSConsts.ZTS_SERVICE).append(" Domain: ").append(domain).append(" Service: ").append(service).append(" Serial: ").append(newCert.getSerialNumber().toString()).append(" Principal: ").append(principalName).append(" Type: x509");
    msgBldr.whatDetails(auditLogDetails.toString());
    auditLogger.log(msgBldr);
    metric.stopTiming(timerMetric);
    return identity;
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) AuditLogMsgBuilder(com.yahoo.athenz.common.server.log.AuditLogMsgBuilder) Authority(com.yahoo.athenz.auth.Authority) CertificateAuthority(com.yahoo.athenz.auth.impl.CertificateAuthority) X509Certificate(java.security.cert.X509Certificate) X509CertRequest(com.yahoo.athenz.zts.cert.X509CertRequest) CertificateAuthority(com.yahoo.athenz.auth.impl.CertificateAuthority) CryptoException(com.yahoo.athenz.auth.util.CryptoException) SimplePrincipal(com.yahoo.athenz.auth.impl.SimplePrincipal) Principal(com.yahoo.athenz.auth.Principal)

Aggregations

X509CertRequest (com.yahoo.athenz.zts.cert.X509CertRequest)7 X509Certificate (java.security.cert.X509Certificate)7 SimplePrincipal (com.yahoo.athenz.auth.impl.SimplePrincipal)6 CertificateAuthority (com.yahoo.athenz.auth.impl.CertificateAuthority)5 ChangeLogStore (com.yahoo.athenz.zts.store.ChangeLogStore)4 DataStore (com.yahoo.athenz.zts.store.DataStore)4 MockZMSFileChangeLogStore (com.yahoo.athenz.zts.store.impl.MockZMSFileChangeLogStore)4 ZMSFileChangeLogStore (com.yahoo.athenz.zts.store.impl.ZMSFileChangeLogStore)4 Path (java.nio.file.Path)4 Test (org.testng.annotations.Test)4 CryptoException (com.yahoo.athenz.auth.util.CryptoException)3 AuditLogMsgBuilder (com.yahoo.athenz.common.server.log.AuditLogMsgBuilder)3 Principal (com.yahoo.athenz.auth.Principal)2 PrincipalToken (com.yahoo.athenz.auth.token.PrincipalToken)2 InstanceConfirmation (com.yahoo.athenz.instance.provider.InstanceConfirmation)2 InstanceProvider (com.yahoo.athenz.instance.provider.InstanceProvider)2 Date (java.util.Date)2 Authority (com.yahoo.athenz.auth.Authority)1 X509CertRecord (com.yahoo.athenz.zts.cert.X509CertRecord)1 UnsupportedEncodingException (java.io.UnsupportedEncodingException)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial