Example 1 with DnFieldValue
use of ee.ria.xroad.common.certificateprofile.DnFieldValue in project X-Road by nordic-institute.
the class DnFieldHelperTest method processDnParameters.
@Test
public void processDnParameters() throws Exception {
DnFieldDescription field1ReadOnly = new DnFieldDescriptionImpl(FIELD_1, "x", FIELD_1_DEFAULT).setReadOnly(true);
DnFieldDescription field2Editable = new DnFieldDescriptionImpl(FIELD_2, "x", FIELD_2_DEFAULT).setReadOnly(false);
// read only
// no param
List<DnFieldValue> values = helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field1ReadOnly, true), new HashMap<>());
assertTrue(values.size() == 1);
assertEquals(new DnFieldValueImpl(FIELD_1, FIELD_1_DEFAULT), values.iterator().next());
// attempt to set param is ignored
values = helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field1ReadOnly, true), ImmutableMap.of(FIELD_1, "bar"));
assertTrue(values.size() == 1);
assertEquals(new DnFieldValueImpl(FIELD_1, FIELD_1_DEFAULT), values.iterator().next());
// extra param
try {
helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field1ReadOnly, true), ImmutableMap.of("foo", "bar"));
fail("should throw exception");
} catch (DnFieldHelper.InvalidDnParameterException expected) {
}
// no param
try {
helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field2Editable, true), new HashMap<>());
fail("should throw exception");
} catch (DnFieldHelper.InvalidDnParameterException expected) {
}
// set param
values = helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field2Editable, true), ImmutableMap.of(FIELD_2, "bar"));
assertTrue(values.size() == 1);
assertEquals(new DnFieldValueImpl(FIELD_2, "bar"), values.iterator().next());
// extra param 1
try {
helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field2Editable, true), ImmutableMap.of("foo", "bar"));
fail("should throw exception");
} catch (DnFieldHelper.InvalidDnParameterException expected) {
}
// extra param 2
try {
helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field2Editable, true), ImmutableMap.of(FIELD_2, "bar", "foo", "bar2"));
fail("should throw exception");
} catch (DnFieldHelper.InvalidDnParameterException expected) {
}
// invalid param
try {
values = helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field2Editable, false), ImmutableMap.of(FIELD_2, "bar"));
fail("should throw exception");
} catch (DnFieldHelper.InvalidDnParameterException expected) {
}
}
Also used :
DnFieldValue(ee.ria.xroad.common.certificateprofile.DnFieldValue)
DnFieldDescription(ee.ria.xroad.common.certificateprofile.DnFieldDescription)
DnFieldValueImpl(ee.ria.xroad.common.certificateprofile.impl.DnFieldValueImpl)
DnFieldDescriptionImpl(ee.ria.xroad.common.certificateprofile.impl.DnFieldDescriptionImpl)
Test(org.junit.Test)
Example 2 with DnFieldValue
use of ee.ria.xroad.common.certificateprofile.DnFieldValue in project X-Road by nordic-institute.
the class TokenCertificateService method generateCertRequest.
/**
* Create a CSR
* @param keyId
* @param memberId
* @param keyUsage
* @param caName
* @param subjectFieldValues user-submitted parameters for subject DN
* @param format
* @return GeneratedCertRequestInfo containing details and bytes of the cert request
* @throws CertificateAuthorityNotFoundException if ca authority with name {@code caName} does not exist
* @throws ClientNotFoundException if client with {@code memberId} id was not found
* @throws KeyNotFoundException if key with {@code keyId} was not found
* @throws WrongKeyUsageException if keyUsage param did not match the key's usage type
* @throws DnFieldHelper.InvalidDnParameterException if required dn parameters were missing, or if there
* were some extra parameters
* @throws ActionNotPossibleException if generate csr was not possible for this key
*/
public GeneratedCertRequestInfo generateCertRequest(String keyId, ClientId memberId, KeyUsageInfo keyUsage, String caName, Map<String, String> subjectFieldValues, CertificateRequestFormat format) throws CertificateAuthorityNotFoundException, ClientNotFoundException, WrongKeyUsageException, KeyNotFoundException, DnFieldHelper.InvalidDnParameterException, ActionNotPossibleException {
// validate key and memberId existence
TokenInfo tokenInfo = tokenService.getTokenForKeyId(keyId);
auditDataHelper.put(tokenInfo);
KeyInfo key = keyService.getKey(tokenInfo, keyId);
auditDataHelper.put(key);
auditDataHelper.put(RestApiAuditProperty.KEY_USAGE, keyUsage);
auditDataHelper.put(memberId);
if (keyUsage == KeyUsageInfo.SIGNING) {
// validate that the member exists or has a subsystem on this server
if (!clientService.getLocalClientMemberIds().contains(memberId)) {
throw new ClientNotFoundException("client with id " + memberId + ", or subsystem for it, " + NOT_FOUND);
}
}
// check that keyUsage is allowed
if (key.getUsage() != null) {
if (key.getUsage() != keyUsage) {
throw new WrongKeyUsageException();
}
}
// validate that generate csr is possible
if (keyUsage == KeyUsageInfo.SIGNING) {
possibleActionsRuleEngine.requirePossibleKeyAction(PossibleActionEnum.GENERATE_SIGN_CSR, tokenInfo, key);
} else {
possibleActionsRuleEngine.requirePossibleKeyAction(PossibleActionEnum.GENERATE_AUTH_CSR, tokenInfo, key);
}
CertificateProfileInfo profile = null;
try {
profile = certificateAuthorityService.getCertificateProfile(caName, keyUsage, memberId, false);
} catch (CertificateProfileInstantiationException e) {
throw new DeviationAwareRuntimeException(e, e.getErrorDeviation());
}
List<DnFieldValue> dnFieldValues = dnFieldHelper.processDnParameters(profile, subjectFieldValues);
String subjectName = dnFieldHelper.createSubjectName(dnFieldValues);
auditDataHelper.put(RestApiAuditProperty.SUBJECT_NAME, subjectName);
auditDataHelper.put(RestApiAuditProperty.CERTIFICATION_SERVICE_NAME, caName);
auditDataHelper.put(RestApiAuditProperty.CSR_FORMAT, format);
try {
return signerProxyFacade.generateCertRequest(keyId, memberId, keyUsage, subjectName, format);
} catch (CodedException e) {
throw e;
} catch (Exception e) {
throw new SignerNotReachableException("Generate cert request failed", e);
}
}
Also used :
DnFieldValue(ee.ria.xroad.common.certificateprofile.DnFieldValue)
DeviationAwareRuntimeException(org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException)
CertificateProfileInfo(ee.ria.xroad.common.certificateprofile.CertificateProfileInfo)
InternalServerErrorException(org.niis.xroad.securityserver.restapi.openapi.InternalServerErrorException)
SignerNotReachableException(org.niis.xroad.restapi.service.SignerNotReachableException)
ServiceException(org.niis.xroad.restapi.service.ServiceException)
DeviationAwareRuntimeException(org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException)
AccessDeniedException(org.springframework.security.access.AccessDeniedException)
CodedException(ee.ria.xroad.common.CodedException)
CodedException(ee.ria.xroad.common.CodedException)
KeyInfo(ee.ria.xroad.signer.protocol.dto.KeyInfo)
TokenInfo(ee.ria.xroad.signer.protocol.dto.TokenInfo)
SignerNotReachableException(org.niis.xroad.restapi.service.SignerNotReachableException)
Example 3 with DnFieldValue
use of ee.ria.xroad.common.certificateprofile.DnFieldValue in project X-Road by nordic-institute.
the class DnFieldHelper method processDnParameters.
/**
* Read dn parameters from dnParameters map, match them to DnFieldDescription
* definitions (consider readOnly, required, etc) and validate that all parameters
* are fine.
* @return valid DnFieldValue objects
* @throws InvalidDnParameterException if there were invalid parameters
*/
public List<DnFieldValue> processDnParameters(CertificateProfileInfo profile, Map<String, String> dnParameters) throws InvalidDnParameterException {
Set<String> unprocessedParameters = new HashSet<>(dnParameters.keySet());
List<DnFieldValue> dnValues = new ArrayList<>();
// match all dn fields with either default values or actual parameters
for (DnFieldDescription description : profile.getSubjectFields()) {
String fieldValue = null;
boolean parameterIsMissing = StringUtils.isBlank(dnParameters.get(description.getId()));
if (description.isRequired() && (!description.isReadOnly()) && parameterIsMissing) {
throw new InvalidDnParameterException("missing parameter: " + description.getId());
}
if (description.isReadOnly() || parameterIsMissing) {
fieldValue = description.getDefaultValue();
} else {
fieldValue = dnParameters.get(description.getId());
}
dnValues.add(new DnFieldValueImpl(description.getId(), fieldValue));
unprocessedParameters.remove(description.getId());
}
if (!unprocessedParameters.isEmpty()) {
throw new InvalidDnParameterException("extraneous parameters: " + unprocessedParameters);
}
// validate
for (DnFieldValue dnValue : dnValues) {
try {
profile.validateSubjectField(dnValue);
} catch (Exception e) {
throw new InvalidDnParameterException(e);
}
}
return dnValues;
}
Also used :
DnFieldValue(ee.ria.xroad.common.certificateprofile.DnFieldValue)
DnFieldDescription(ee.ria.xroad.common.certificateprofile.DnFieldDescription)
DnFieldValueImpl(ee.ria.xroad.common.certificateprofile.impl.DnFieldValueImpl)
ArrayList(java.util.ArrayList)
ServiceException(org.niis.xroad.restapi.service.ServiceException)
HashSet(java.util.HashSet)
Example 4 with DnFieldValue
use of ee.ria.xroad.common.certificateprofile.DnFieldValue in project X-Road by nordic-institute.
the class CertificateAuthoritiesApiControllerTest method setUp.
@Before
public void setUp() throws Exception {
KeyInfo signKeyInfo = new TokenTestUtils.KeyInfoBuilder().id(GOOD_SIGN_KEY_ID).keyUsageInfo(KeyUsageInfo.SIGNING).build();
KeyInfo authKeyInfo = new TokenTestUtils.KeyInfoBuilder().id(GOOD_AUTH_KEY_ID).keyUsageInfo(KeyUsageInfo.AUTHENTICATION).build();
doAnswer(invocation -> {
Object[] args = invocation.getArguments();
String keyId = (String) args[0];
if (keyId.equals(GOOD_AUTH_KEY_ID)) {
return authKeyInfo;
} else if (keyId.equals(GOOD_SIGN_KEY_ID)) {
return signKeyInfo;
} else {
throw new KeyNotFoundException("foo");
}
}).when(keyService).getKey(any());
List<ApprovedCaDto> approvedCAInfos = new ArrayList<>();
approvedCAInfos.add(ApprovedCaDto.builder().name(GENERAL_PURPOSE_CA_NAME).authenticationOnly(false).build());
when(certificateAuthorityService.getCertificateAuthorities(any())).thenReturn(approvedCAInfos);
when(certificateAuthorityService.getCertificateProfile(any(), any(), any(), anyBoolean())).thenReturn(new CertificateProfileInfo() {
@Override
public DnFieldDescription[] getSubjectFields() {
return new DnFieldDescription[0];
}
@Override
public X500Principal createSubjectDn(DnFieldValue[] values) {
return null;
}
@Override
public void validateSubjectField(DnFieldValue field) throws Exception {
}
});
}
Also used :
DnFieldValue(ee.ria.xroad.common.certificateprofile.DnFieldValue)
ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto)
ArrayList(java.util.ArrayList)
TokenTestUtils(org.niis.xroad.securityserver.restapi.util.TokenTestUtils)
CertificateProfileInfo(ee.ria.xroad.common.certificateprofile.CertificateProfileInfo)
AccessDeniedException(org.springframework.security.access.AccessDeniedException)
KeyNotFoundException(org.niis.xroad.securityserver.restapi.service.KeyNotFoundException)
KeyInfo(ee.ria.xroad.signer.protocol.dto.KeyInfo)
X500Principal(javax.security.auth.x500.X500Principal)
KeyNotFoundException(org.niis.xroad.securityserver.restapi.service.KeyNotFoundException)
Before(org.junit.Before)
Example 5 with DnFieldValue
use of ee.ria.xroad.common.certificateprofile.DnFieldValue in project X-Road by nordic-institute.
the class DnFieldHelperTest method createSubjectName.
@Test
public void createSubjectName() {
List<DnFieldValue> fieldValues = Arrays.asList(new DnFieldValueImpl("O", "foo"), new DnFieldValueImpl("CN", "bar"));
assertEquals("O=foo, CN=bar", helper.createSubjectName(fieldValues));
}
Also used :
DnFieldValue(ee.ria.xroad.common.certificateprofile.DnFieldValue)
DnFieldValueImpl(ee.ria.xroad.common.certificateprofile.impl.DnFieldValueImpl)
Test(org.junit.Test)
Aggregations
DnFieldValue (ee.ria.xroad.common.certificateprofile.DnFieldValue)5
DnFieldValueImpl (ee.ria.xroad.common.certificateprofile.impl.DnFieldValueImpl)3
CertificateProfileInfo (ee.ria.xroad.common.certificateprofile.CertificateProfileInfo)2
DnFieldDescription (ee.ria.xroad.common.certificateprofile.DnFieldDescription)2
KeyInfo (ee.ria.xroad.signer.protocol.dto.KeyInfo)2
ArrayList (java.util.ArrayList)2
Test (org.junit.Test)2
ServiceException (org.niis.xroad.restapi.service.ServiceException)2
AccessDeniedException (org.springframework.security.access.AccessDeniedException)2
CodedException (ee.ria.xroad.common.CodedException)1
DnFieldDescriptionImpl (ee.ria.xroad.common.certificateprofile.impl.DnFieldDescriptionImpl)1
TokenInfo (ee.ria.xroad.signer.protocol.dto.TokenInfo)1
HashSet (java.util.HashSet)1
X500Principal (javax.security.auth.x500.X500Principal)1
Before (org.junit.Before)1
DeviationAwareRuntimeException (org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException)1
SignerNotReachableException (org.niis.xroad.restapi.service.SignerNotReachableException)1
ApprovedCaDto (org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto)1
InternalServerErrorException (org.niis.xroad.securityserver.restapi.openapi.InternalServerErrorException)1
KeyNotFoundException (org.niis.xroad.securityserver.restapi.service.KeyNotFoundException)1
