the class DnFieldHelperTest method processDnParameters.
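@Test
public void processDnParameters() throws Exception {
    DnFieldDescription field1ReadOnly =
            new DnFieldDescriptionImpl(FIELD_1, "x", FIELD_1_DEFAULT).setReadOnly(true);
    DnFieldDescription field2Editable =
            new DnFieldDescriptionImpl(FIELD_2, "x", FIELD_2_DEFAULT).setReadOnly(false);

    // read-only field, no parameter given: the default value is used
    List<DnFieldValue> values = helper.processDnParameters(
            new DnFieldTestCertificateProfileInfo(field1ReadOnly, true), new HashMap<>());
    assertEquals(1, values.size());
    assertEquals(new DnFieldValueImpl(FIELD_1, FIELD_1_DEFAULT), values.iterator().next());

    // read-only field, attempt to set the param: the submitted value is ignored, default wins
    values = helper.processDnParameters(
            new DnFieldTestCertificateProfileInfo(field1ReadOnly, true), ImmutableMap.of(FIELD_1, "bar"));
    assertEquals(1, values.size());
    assertEquals(new DnFieldValueImpl(FIELD_1, FIELD_1_DEFAULT), values.iterator().next());

    // read-only field, unknown extra parameter: rejected
    assertRejected(() -> helper.processDnParameters(
            new DnFieldTestCertificateProfileInfo(field1ReadOnly, true), ImmutableMap.of("foo", "bar")));

    // editable field, no parameter given: rejected
    assertRejected(() -> helper.processDnParameters(
            new DnFieldTestCertificateProfileInfo(field2Editable, true), new HashMap<>()));

    // editable field, parameter given: the submitted value is used
    values = helper.processDnParameters(
            new DnFieldTestCertificateProfileInfo(field2Editable, true), ImmutableMap.of(FIELD_2, "bar"));
    assertEquals(1, values.size());
    assertEquals(new DnFieldValueImpl(FIELD_2, "bar"), values.iterator().next());

    // editable field, only an unknown parameter: rejected
    assertRejected(() -> helper.processDnParameters(
            new DnFieldTestCertificateProfileInfo(field2Editable, true), ImmutableMap.of("foo", "bar")));

    // editable field, valid parameter plus an unknown one: rejected as a whole
    assertRejected(() -> helper.processDnParameters(
            new DnFieldTestCertificateProfileInfo(field2Editable, true),
            ImmutableMap.of(FIELD_2, "bar", "foo", "bar2")));

    // editable field, value refused by the profile's own validation (second ctor arg false): rejected
    assertRejected(() -> helper.processDnParameters(
            new DnFieldTestCertificateProfileInfo(field2Editable, false), ImmutableMap.of(FIELD_2, "bar")));
}

/** A call under test that is expected to fail with an InvalidDnParameterException. */
@FunctionalInterface
private interface DnCall {
    void call() throws Exception;
}

/**
 * Asserts that {@code call} throws {@link DnFieldHelper.InvalidDnParameterException}.
 * A normal return fails the test; any other exception type propagates as a test error.
 */
private static void assertRejected(DnCall call) throws Exception {
    try {
        call.call();
    } catch (DnFieldHelper.InvalidDnParameterException expected) {
        return;
    }
    fail("expected " + DnFieldHelper.InvalidDnParameterException.class.getSimpleName());
}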
the class TokenCertificateService method generateCertRequest.
/**
 * Creates a certificate signing request (CSR) for a key and records the request details in the audit log.
 * @param keyId id of the key the CSR is generated for
 * @param memberId member (client id) the certificate is requested for; for a signing key it must be
 *                 a member known to this server, or have a subsystem on it
 * @param keyUsage intended usage of the key (signing or authentication)
 * @param caName name of the certification authority whose certificate profile is applied
 * @param subjectFieldValues user-submitted parameters for subject DN; validated against the profile's
 *                           field definitions before the subject name is built
 * @param format format of the generated cert request
 * @return GeneratedCertRequestInfo containing details and bytes of the cert request
 * @throws CertificateAuthorityNotFoundException if ca authority with name {@code caName} does not exist
 * @throws ClientNotFoundException if client with {@code memberId} id was not found
 * @throws KeyNotFoundException if key with {@code keyId} was not found
 * @throws WrongKeyUsageException if keyUsage param did not match the key's usage type
 * @throws DnFieldHelper.InvalidDnParameterException if required dn parameters were missing, or if there
 * were some extra parameters
 * @throws ActionNotPossibleException if generate csr was not possible for this key
 */
public GeneratedCertRequestInfo generateCertRequest(String keyId, ClientId memberId, KeyUsageInfo keyUsage,
        String caName, Map<String, String> subjectFieldValues, CertificateRequestFormat format)
        throws CertificateAuthorityNotFoundException, ClientNotFoundException, WrongKeyUsageException,
        KeyNotFoundException, DnFieldHelper.InvalidDnParameterException, ActionNotPossibleException {
    // resolve token and key first; an unknown key id fails here before anything else is touched
    TokenInfo tokenInfo = tokenService.getTokenForKeyId(keyId);
    auditDataHelper.put(tokenInfo);
    KeyInfo key = keyService.getKey(tokenInfo, keyId);
    auditDataHelper.put(key);
    auditDataHelper.put(RestApiAuditProperty.KEY_USAGE, keyUsage);
    auditDataHelper.put(memberId);

    boolean signingRequest = keyUsage == KeyUsageInfo.SIGNING;

    // a sign CSR may only be requested for a member that exists, or has a subsystem, on this server
    if (signingRequest && !clientService.getLocalClientMemberIds().contains(memberId)) {
        throw new ClientNotFoundException("client with id " + memberId + ", or subsystem for it, " + NOT_FOUND);
    }

    // a key that already has a usage may only be used for that purpose;
    // a key with no usage assigned yet is accepted for either
    KeyUsageInfo assignedUsage = key.getUsage();
    if (assignedUsage != null && assignedUsage != keyUsage) {
        throw new WrongKeyUsageException();
    }

    // the rule engine decides whether this kind of CSR may be generated for the key in its current state
    PossibleActionEnum requiredAction = signingRequest
            ? PossibleActionEnum.GENERATE_SIGN_CSR
            : PossibleActionEnum.GENERATE_AUTH_CSR;
    possibleActionsRuleEngine.requirePossibleKeyAction(requiredAction, tokenInfo, key);

    CertificateProfileInfo profile;
    try {
        profile = certificateAuthorityService.getCertificateProfile(caName, keyUsage, memberId, false);
    } catch (CertificateProfileInstantiationException e) {
        // surfaced as a runtime deviation rather than one of the declared checked exceptions
        throw new DeviationAwareRuntimeException(e, e.getErrorDeviation());
    }

    // subjectFieldValues come from the caller: dnFieldHelper matches them against the profile's field
    // definitions and rejects missing, extraneous or invalid values before a subject name is built
    List<DnFieldValue> dnFieldValues = dnFieldHelper.processDnParameters(profile, subjectFieldValues);
    String subjectName = dnFieldHelper.createSubjectName(dnFieldValues);
    auditDataHelper.put(RestApiAuditProperty.SUBJECT_NAME, subjectName);
    auditDataHelper.put(RestApiAuditProperty.CERTIFICATION_SERVICE_NAME, caName);
    auditDataHelper.put(RestApiAuditProperty.CSR_FORMAT, format);

    try {
        return signerProxyFacade.generateCertRequest(keyId, memberId, keyUsage, subjectName, format);
    } catch (CodedException e) {
        // a coded error from the signer is passed through unchanged
        throw e;
    } catch (Exception e) {
        // anything else is reported as the signer being unreachable, with the cause preserved
        throw new SignerNotReachableException("Generate cert request failed", e);
    }
}
the class DnFieldHelper method processDnParameters.
/**
 * Reads dn parameters from the dnParameters map, matches them to the profile's DnFieldDescription
 * definitions (honouring the readOnly and required flags) and validates the result.
 * <p>
 * Rules, in the order they are applied:
 * <ul>
 * <li>a required, editable field whose parameter is missing or blank is rejected;</li>
 * <li>a read-only field always takes its default value - a parameter supplied for it is silently ignored;</li>
 * <li>an editable field whose parameter is missing or blank falls back to its default value;</li>
 * <li>parameters that match no subject field are rejected (the message lists their names, not values);</li>
 * <li>finally each resulting value is checked with {@link CertificateProfileInfo#validateSubjectField}.</li>
 * </ul>
 * @param profile certificate profile whose subject fields define what is expected
 * @param dnParameters user-submitted subject dn parameters, keyed by field id
 * @return valid DnFieldValue objects, one per subject field of the profile, in profile order
 * @throws InvalidDnParameterException if there were invalid parameters
 */
public List<DnFieldValue> processDnParameters(CertificateProfileInfo profile, Map<String, String> dnParameters)
        throws InvalidDnParameterException {
    Set<String> unmatchedParameters = new HashSet<>(dnParameters.keySet());
    List<DnFieldValue> result = new ArrayList<>();

    // resolve every subject field to either the submitted parameter or the field's default
    for (DnFieldDescription field : profile.getSubjectFields()) {
        String fieldId = field.getId();
        String submitted = dnParameters.get(fieldId);
        boolean blank = StringUtils.isBlank(submitted);
        if (blank && field.isRequired() && !field.isReadOnly()) {
            throw new InvalidDnParameterException("missing parameter: " + fieldId);
        }
        boolean useDefault = field.isReadOnly() || blank;
        result.add(new DnFieldValueImpl(fieldId, useDefault ? field.getDefaultValue() : submitted));
        unmatchedParameters.remove(fieldId);
    }

    // anything left over was not a known subject field
    if (!unmatchedParameters.isEmpty()) {
        throw new InvalidDnParameterException("extraneous parameters: " + unmatchedParameters);
    }

    // profile-specific validation of each resolved value
    for (DnFieldValue value : result) {
        try {
            profile.validateSubjectField(value);
        } catch (Exception e) {
            throw new InvalidDnParameterException(e);
        }
    }
    return result;
}
the class CertificateAuthoritiesApiControllerTest method setUp.
@Before
public void setUp() throws Exception {
    KeyInfo signKeyInfo = new TokenTestUtils.KeyInfoBuilder()
            .id(GOOD_SIGN_KEY_ID)
            .keyUsageInfo(KeyUsageInfo.SIGNING)
            .build();
    KeyInfo authKeyInfo = new TokenTestUtils.KeyInfoBuilder()
            .id(GOOD_AUTH_KEY_ID)
            .keyUsageInfo(KeyUsageInfo.AUTHENTICATION)
            .build();

    // keyService.getKey resolves the two known ids; any other id is reported as not found
    doAnswer(invocation -> {
        String requestedKeyId = (String) invocation.getArguments()[0];
        if (requestedKeyId.equals(GOOD_AUTH_KEY_ID)) {
            return authKeyInfo;
        }
        if (requestedKeyId.equals(GOOD_SIGN_KEY_ID)) {
            return signKeyInfo;
        }
        throw new KeyNotFoundException("foo");
    }).when(keyService).getKey(any());

    // a single approved CA, not marked authentication-only
    ApprovedCaDto generalPurposeCa = ApprovedCaDto.builder()
            .name(GENERAL_PURPOSE_CA_NAME)
            .authenticationOnly(false)
            .build();
    List<ApprovedCaDto> approvedCas = new ArrayList<>();
    approvedCas.add(generalPurposeCa);
    when(certificateAuthorityService.getCertificateAuthorities(any())).thenReturn(approvedCas);

    // a profile with no subject fields, no subject DN and validation that accepts every value
    CertificateProfileInfo emptyProfile = new CertificateProfileInfo() {
        @Override
        public DnFieldDescription[] getSubjectFields() {
            return new DnFieldDescription[0];
        }

        @Override
        public X500Principal createSubjectDn(DnFieldValue[] values) {
            return null;
        }

        @Override
        public void validateSubjectField(DnFieldValue field) throws Exception {
            // every value is accepted
        }
    };
    when(certificateAuthorityService.getCertificateProfile(any(), any(), any(), anyBoolean()))
            .thenReturn(emptyProfile);
}
the class DnFieldHelperTest method createSubjectName.
@Test
public void createSubjectName() {
    DnFieldValue organization = new DnFieldValueImpl("O", "foo");
    DnFieldValue commonName = new DnFieldValueImpl("CN", "bar");
    // expected rendering: "id=value" pairs in list order, joined by ", "
    String subjectName = helper.createSubjectName(Arrays.asList(organization, commonName));
    assertEquals("O=foo, CN=bar", subjectName);
}