use of de.trustable.ca3s.core.domain.CSR in project ca3sCore by kuehne-trustable-de.
the class CSRResourceIT method updateCSR.
@Test
@Transactional
public void updateCSR() throws Exception {
// Initialize the database
cSRService.save(cSR);
int databaseSizeBeforeUpdate = cSRRepository.findAll().size();
// Update the cSR
CSR updatedCSR = cSRRepository.findById(cSR.getId()).get();
// Disconnect from session so that the updates on updatedCSR are not directly saved in db
em.detach(updatedCSR);
updatedCSR.csrBase64(UPDATED_CSR_BASE_64).subject(UPDATED_SUBJECT).sans(UPDATED_SANS).requestedOn(UPDATED_REQUESTED_ON).requestedBy(UPDATED_REQUESTED_BY).pipelineType(UPDATED_PIPELINE_TYPE).status(UPDATED_STATUS).administeredBy(UPDATED_ADMINISTERED_BY).approvedOn(UPDATED_APPROVED_ON).rejectedOn(UPDATED_REJECTED_ON).rejectionReason(UPDATED_REJECTION_REASON).processInstanceId(UPDATED_PROCESS_INSTANCE_ID).signingAlgorithm(UPDATED_SIGNING_ALGORITHM).isCSRValid(UPDATED_IS_CSR_VALID).x509KeySpec(UPDATED_X_509_KEY_SPEC).publicKeyAlgorithm(UPDATED_PUBLIC_KEY_ALGORITHM).keyAlgorithm(UPDATED_KEY_ALGORITHM).keyLength(UPDATED_KEY_LENGTH).publicKeyHash(UPDATED_PUBLIC_KEY_HASH).serversideKeyGeneration(UPDATED_SERVERSIDE_KEY_GENERATION).subjectPublicKeyInfoBase64(UPDATED_SUBJECT_PUBLIC_KEY_INFO_BASE_64).requestorComment(UPDATED_REQUESTOR_COMMENT).administrationComment(UPDATED_ADMINISTRATION_COMMENT);
restCSRMockMvc.perform(put("/api/csrs").contentType(TestUtil.APPLICATION_JSON_UTF8).content(TestUtil.convertObjectToJsonBytes(updatedCSR))).andExpect(status().isOk());
// Validate the CSR in the database
List<CSR> cSRList = cSRRepository.findAll();
assertThat(cSRList).hasSize(databaseSizeBeforeUpdate);
CSR testCSR = cSRList.get(cSRList.size() - 1);
assertThat(testCSR.getCsrBase64()).isEqualTo(UPDATED_CSR_BASE_64);
assertThat(testCSR.getSubject()).isEqualTo(UPDATED_SUBJECT);
assertThat(testCSR.getSans()).isEqualTo(UPDATED_SANS);
assertThat(testCSR.getRequestedOn()).isEqualTo(UPDATED_REQUESTED_ON);
assertThat(testCSR.getRequestedBy()).isEqualTo(UPDATED_REQUESTED_BY);
assertThat(testCSR.getPipelineType()).isEqualTo(UPDATED_PIPELINE_TYPE);
assertThat(testCSR.getStatus()).isEqualTo(UPDATED_STATUS);
assertThat(testCSR.getAdministeredBy()).isEqualTo(UPDATED_ADMINISTERED_BY);
assertThat(testCSR.getApprovedOn()).isEqualTo(UPDATED_APPROVED_ON);
assertThat(testCSR.getRejectedOn()).isEqualTo(UPDATED_REJECTED_ON);
assertThat(testCSR.getRejectionReason()).isEqualTo(UPDATED_REJECTION_REASON);
assertThat(testCSR.getProcessInstanceId()).isEqualTo(UPDATED_PROCESS_INSTANCE_ID);
assertThat(testCSR.getSigningAlgorithm()).isEqualTo(UPDATED_SIGNING_ALGORITHM);
assertThat(testCSR.isIsCSRValid()).isEqualTo(UPDATED_IS_CSR_VALID);
assertThat(testCSR.getx509KeySpec()).isEqualTo(UPDATED_X_509_KEY_SPEC);
assertThat(testCSR.getPublicKeyAlgorithm()).isEqualTo(UPDATED_PUBLIC_KEY_ALGORITHM);
assertThat(testCSR.getKeyAlgorithm()).isEqualTo(UPDATED_KEY_ALGORITHM);
assertThat(testCSR.getKeyLength()).isEqualTo(UPDATED_KEY_LENGTH);
assertThat(testCSR.getPublicKeyHash()).isEqualTo(UPDATED_PUBLIC_KEY_HASH);
assertThat(testCSR.isServersideKeyGeneration()).isEqualTo(UPDATED_SERVERSIDE_KEY_GENERATION);
assertThat(testCSR.getSubjectPublicKeyInfoBase64()).isEqualTo(UPDATED_SUBJECT_PUBLIC_KEY_INFO_BASE_64);
assertThat(testCSR.getRequestorComment()).isEqualTo(UPDATED_REQUESTOR_COMMENT);
assertThat(testCSR.getAdministrationComment()).isEqualTo(UPDATED_ADMINISTRATION_COMMENT);
}
use of de.trustable.ca3s.core.domain.CSR in project ca3sCore by kuehne-trustable-de.
the class UnauthorizedException method buildPKCS12Response.
private ResponseEntity<byte[]> buildPKCS12Response(Certificate certDao, final String alias, final HttpHeaders headers) throws GeneralSecurityException {
LOG.info("building PKCS12 container response");
String entryAlias = "entry";
if (alias != null && !alias.trim().isEmpty()) {
entryAlias = alias;
}
CSR csr = certDao.getCsr();
if (csr == null) {
throw new GeneralSecurityException("problem downloading keystore content for cert id " + certDao.getId() + ": no csr object available ");
}
if (SecurityUtils.isCurrentUserInRole(AuthoritiesConstants.ADMIN) || SecurityUtils.isCurrentUserInRole(AuthoritiesConstants.RA_OFFICER)) {
LOG.debug("Admins and RA Officers are allowed to download P12 files");
} else if (SecurityUtils.isCurrentUserInRole(AuthoritiesConstants.DOMAIN_RA_OFFICER)) {
LOG.debug("Admins and RA Officers are allowed to download P12 files");
} else {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String userName = auth.getName();
if (userName == null) {
throw new GeneralSecurityException("problem downloading keystore content for csr id " + csr.getId() + ": user name not available");
}
if (!userName.equals(csr.getRequestedBy())) {
throw new AccessControlException("problem downloading keystore content for csr id " + csr.getId() + ": user does not match initial requestor");
}
}
if (!csr.isServersideKeyGeneration()) {
throw new GeneralSecurityException("problem downloading keystore content for csr id " + csr.getId() + ": key not generated serverside");
}
List<ProtectedContent> protContentList = protContentUtil.retrieveProtectedContent(ProtectedContentType.PASSWORD, ContentRelationType.CSR, csr.getId());
if (protContentList.size() == 0) {
throw new GeneralSecurityException("problem downloading keystore content for csr id " + csr.getId() + ": no keystore passphrase available ");
}
PrivateKey key = certUtil.getPrivateKey(ProtectedContentType.KEY, ContentRelationType.CSR, csr.getId());
boolean keyEx = false;
List<String> keyExHeaderList = headers.get("X_keyEx");
if (keyExHeaderList != null && !keyExHeaderList.isEmpty()) {
keyEx = Boolean.parseBoolean(keyExHeaderList.get(0));
}
LOG.info("PKCS12: keyEx flag: {} ", keyEx);
String passwordProtectionAlgo = cryptoConfiguration.getDefaultPBEAlgo();
List<String> algoHeaderList = headers.get("X_pbeAlgo");
if (algoHeaderList != null && !algoHeaderList.isEmpty()) {
String reqAlgo = algoHeaderList.get(0).trim();
if (cryptoConfiguration.isPBEAlgoAllowed(reqAlgo)) {
passwordProtectionAlgo = reqAlgo;
} else {
LOG.info("requested PKCS12 pbe algo '{}' not in list of valid algos, using default '{}' ", reqAlgo, passwordProtectionAlgo);
}
}
LOG.info("PKCS12: using algo {} ", passwordProtectionAlgo);
byte[] salt = new byte[20];
new SecureRandom().nextBytes(salt);
char[] passphraseChars = protContentUtil.unprotectString(protContentList.get(0).getContentBase64()).toCharArray();
try {
KeyStore p12 = KeyStore.getInstance("pkcs12");
p12.load(null, passphraseChars);
X509Certificate[] chain = certUtil.getX509CertificateChain(certDao);
Set<KeyStore.Entry.Attribute> privateKeyAttributes = new HashSet<>();
p12.setEntry(entryAlias, new KeyStore.PrivateKeyEntry(key, chain, privateKeyAttributes), new KeyStore.PasswordProtection(passphraseChars, passwordProtectionAlgo, new PBEParameterSpec(salt, 100000)));
try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
p12.store(baos, passphraseChars);
ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
KeyStore store = KeyStore.getInstance("pkcs12");
store.load(bais, passphraseChars);
java.security.cert.Certificate cert = store.getCertificate(entryAlias);
LOG.debug("retrieved cert " + cert);
byte[] contentBytes = baos.toByteArray();
headers.set("content-length", String.valueOf(contentBytes.length));
return ResponseEntity.ok().contentType(ACMEController.APPLICATION_PKCS12).headers(headers).body(contentBytes);
}
} catch (IOException gse) {
throw new GeneralSecurityException("problem downloading keystore content for cert id " + certDao.getId());
}
}
use of de.trustable.ca3s.core.domain.CSR in project ca3sCore by kuehne-trustable-de.
the class OrderController method startCertificateCreationProcess.
private Certificate startCertificateCreationProcess(AcmeOrder orderDao, Pipeline pipeline, final String requestorName, final String csrAsPem) {
List<String> messageList = new ArrayList<>();
NamedValues[] nvArr = new NamedValues[0];
CSR csr = cpUtil.buildCSR(csrAsPem, requestorName, AuditService.AUDIT_ACME_CERTIFICATE_REQUESTED, "", pipeline, nvArr, messageList);
if (csr == null) {
LOG.info("building CSR failed");
String msg = "";
if (!messageList.isEmpty()) {
msg = messageList.get(0);
}
final ProblemDetail problem = new ProblemDetail(ACMEUtil.BAD_CSR, msg, BAD_REQUEST, "", ACMEController.NO_INSTANCE);
throw new AcmeProblemException(problem);
}
orderDao.setCsr(csr);
Certificate cert = cpUtil.processCertificateRequest(csr, requestorName, AuditService.AUDIT_ACME_CERTIFICATE_CREATED, pipeline);
if (cert == null) {
orderDao.setCertificate(cert);
orderDao.setStatus(AcmeOrderStatus.INVALID);
LOG.warn("creation of certificate by ACME order {} failed ", orderDao.getOrderId());
} else {
LOG.debug("updating order id {} with new certificate id {}", orderDao.getOrderId(), cert.getId());
orderDao.setCertificate(cert);
orderDao.setStatus(AcmeOrderStatus.VALID);
LOG.debug("adding certificate attribute 'ACME_ACCOUNT_ID' {} for certificate id {}", orderDao.getAccount().getAccountId(), cert.getId());
certUtil.setCertAttribute(cert, CertificateAttribute.ATTRIBUTE_ACME_ACCOUNT_ID, orderDao.getAccount().getAccountId());
certUtil.setCertAttribute(cert, CertificateAttribute.ATTRIBUTE_ACME_ORDER_ID, orderDao.getOrderId());
}
return cert;
}
use of de.trustable.ca3s.core.domain.CSR in project ca3sCore by kuehne-trustable-de.
the class CSRAdministration method withdrawOwnRequest.
/**
* {@code POST /withdrawOwnRequest} : Withdraw own request .
*
* @param adminData a structure holding some crypto-related content, e.g. CSR, certificate, P12 container
* @return the {@link ResponseEntity} .
*/
@PostMapping("/withdrawOwnRequest")
@Transactional
public ResponseEntity<Long> withdrawOwnRequest(@Valid @RequestBody CSRAdministrationData adminData) {
LOG.debug("REST request to withdraw CSR : {}", adminData);
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String userName = auth.getName();
Optional<CSR> optCSR = csrRepository.findById(adminData.getCsrId());
if (optCSR.isPresent()) {
CSR csr = optCSR.get();
if (userName == null || !userName.equals(csr.getRequestedBy())) {
LOG.debug("REST request by '{}' to withdraw CSR '{}' rejected ", userName, adminData.getCsrId());
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
}
csr.setAdministeredBy(userName);
updateComment(adminData, csr);
csrUtil.setStatusAndRejectionReason(csr, CsrStatus.REJECTED, adminData.getRejectionReason());
csrRepository.save(csr);
auditService.saveAuditTrace(auditService.createAuditTraceCsrRejected(csr));
return new ResponseEntity<>(adminData.getCsrId(), HttpStatus.OK);
} else {
return ResponseEntity.notFound().build();
}
}
use of de.trustable.ca3s.core.domain.CSR in project ca3sCore by kuehne-trustable-de.
the class CSRAdministration method selfAdministerRequest.
/**
* {@code POST /selfAdministerRequest} : update own request .
*
* @param adminData a structure holding some crypto-related content, e.g. CSR, certificate, P12 container
* @return the {@link ResponseEntity} .
*/
@PostMapping("/selfAdministerRequest")
@Transactional
public ResponseEntity<Long> selfAdministerRequest(@Valid @RequestBody CSRAdministrationData adminData) {
LOG.debug("REST request to update CSR : {}", adminData);
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String userName = auth.getName();
Optional<CSR> optCSR = csrRepository.findById(adminData.getCsrId());
if (optCSR.isPresent()) {
CSR csr = optCSR.get();
if (userName == null || !userName.equals(csr.getRequestedBy())) {
LOG.debug("REST request by '{}' to update CSR '{}' rejected ", userName, adminData.getCsrId());
return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
}
csr.setAdministeredBy(userName);
updateComment(adminData, csr);
updateARAttributes(adminData, csr);
csrRepository.save(csr);
return new ResponseEntity<>(adminData.getCsrId(), HttpStatus.OK);
} else {
return ResponseEntity.notFound().build();
}
}
Aggregations