Example 1 with DnFieldValue

use of ee.ria.xroad.common.certificateprofile.DnFieldValue in project X-Road by nordic-institute.

the class DnFieldHelperTest method processDnParameters.

@Test
public void processDnParameters() throws Exception {
    DnFieldDescription field1ReadOnly = new DnFieldDescriptionImpl(FIELD_1, "x", FIELD_1_DEFAULT).setReadOnly(true);
    DnFieldDescription field2Editable = new DnFieldDescriptionImpl(FIELD_2, "x", FIELD_2_DEFAULT).setReadOnly(false);
    // read only
    // no param
    List<DnFieldValue> values = helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field1ReadOnly, true), new HashMap<>());
    assertTrue(values.size() == 1);
    assertEquals(new DnFieldValueImpl(FIELD_1, FIELD_1_DEFAULT), values.iterator().next());
    // attempt to set param is ignored
    values = helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field1ReadOnly, true), ImmutableMap.of(FIELD_1, "bar"));
    assertTrue(values.size() == 1);
    assertEquals(new DnFieldValueImpl(FIELD_1, FIELD_1_DEFAULT), values.iterator().next());
    // extra param
    try {
        helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field1ReadOnly, true), ImmutableMap.of("foo", "bar"));
        fail("should throw exception");
    } catch (DnFieldHelper.InvalidDnParameterException expected) {
    }
    // no param
    try {
        helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field2Editable, true), new HashMap<>());
        fail("should throw exception");
    } catch (DnFieldHelper.InvalidDnParameterException expected) {
    }
    // set param
    values = helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field2Editable, true), ImmutableMap.of(FIELD_2, "bar"));
    assertTrue(values.size() == 1);
    assertEquals(new DnFieldValueImpl(FIELD_2, "bar"), values.iterator().next());
    // extra param 1
    try {
        helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field2Editable, true), ImmutableMap.of("foo", "bar"));
        fail("should throw exception");
    } catch (DnFieldHelper.InvalidDnParameterException expected) {
    }
    // extra param 2
    try {
        helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field2Editable, true), ImmutableMap.of(FIELD_2, "bar", "foo", "bar2"));
        fail("should throw exception");
    } catch (DnFieldHelper.InvalidDnParameterException expected) {
    }
    // invalid param
    try {
        values = helper.processDnParameters(new DnFieldTestCertificateProfileInfo(field2Editable, false), ImmutableMap.of(FIELD_2, "bar"));
        fail("should throw exception");
    } catch (DnFieldHelper.InvalidDnParameterException expected) {
    }
}
Also used : DnFieldValue(ee.ria.xroad.common.certificateprofile.DnFieldValue) DnFieldDescription(ee.ria.xroad.common.certificateprofile.DnFieldDescription) DnFieldValueImpl(ee.ria.xroad.common.certificateprofile.impl.DnFieldValueImpl) DnFieldDescriptionImpl(ee.ria.xroad.common.certificateprofile.impl.DnFieldDescriptionImpl) Test(org.junit.Test)

Example 2 with DnFieldValue

use of ee.ria.xroad.common.certificateprofile.DnFieldValue in project X-Road by nordic-institute.

the class TokenCertificateService method generateCertRequest.

/**
 * Create a CSR
 * @param keyId id of the key the CSR is generated for
 * @param memberId client (member) the certificate is requested for
 * @param keyUsage SIGNING or AUTHENTICATION; must match the key's usage if the key already has one
 * @param caName name of the approved certification service whose certificate profile is used
 * @param subjectFieldValues user-submitted parameters for subject DN
 * @param format format of the cert request (e.g. PEM or DER)
 * @return GeneratedCertRequestInfo containing details and bytes of the cert request
 * @throws CertificateAuthorityNotFoundException if ca authority with name {@code caName} does not exist
 * @throws ClientNotFoundException if client with {@code memberId} id was not found
 * @throws KeyNotFoundException if key with {@code keyId} was not found
 * @throws WrongKeyUsageException if keyUsage param did not match the key's usage type
 * @throws DnFieldHelper.InvalidDnParameterException if required dn parameters were missing, or if there
 * were some extra parameters
 * @throws ActionNotPossibleException if generate csr was not possible for this key
 */
public GeneratedCertRequestInfo generateCertRequest(String keyId, ClientId memberId, KeyUsageInfo keyUsage,
        String caName, Map<String, String> subjectFieldValues, CertificateRequestFormat format)
        throws CertificateAuthorityNotFoundException, ClientNotFoundException, WrongKeyUsageException,
        KeyNotFoundException, DnFieldHelper.InvalidDnParameterException, ActionNotPossibleException {
    // validate key and memberId existence
    TokenInfo tokenInfo = tokenService.getTokenForKeyId(keyId);
    auditDataHelper.put(tokenInfo);
    KeyInfo key = keyService.getKey(tokenInfo, keyId);
    auditDataHelper.put(key);
    auditDataHelper.put(RestApiAuditProperty.KEY_USAGE, keyUsage);
    auditDataHelper.put(memberId);
    if (keyUsage == KeyUsageInfo.SIGNING) {
        // validate that the member exists or has a subsystem on this server
        if (!clientService.getLocalClientMemberIds().contains(memberId)) {
            throw new ClientNotFoundException("client with id " + memberId + ", or subsystem for it, " + NOT_FOUND);
        }
    }
    // check that keyUsage is allowed
    if (key.getUsage() != null) {
        if (key.getUsage() != keyUsage) {
            throw new WrongKeyUsageException();
        }
    }
    // validate that generate csr is possible
    if (keyUsage == KeyUsageInfo.SIGNING) {
        possibleActionsRuleEngine.requirePossibleKeyAction(PossibleActionEnum.GENERATE_SIGN_CSR, tokenInfo, key);
    } else {
        possibleActionsRuleEngine.requirePossibleKeyAction(PossibleActionEnum.GENERATE_AUTH_CSR, tokenInfo, key);
    }
    CertificateProfileInfo profile = null;
    try {
        profile = certificateAuthorityService.getCertificateProfile(caName, keyUsage, memberId, false);
    } catch (CertificateProfileInstantiationException e) {
        throw new DeviationAwareRuntimeException(e, e.getErrorDeviation());
    }
    List<DnFieldValue> dnFieldValues = dnFieldHelper.processDnParameters(profile, subjectFieldValues);
    String subjectName = dnFieldHelper.createSubjectName(dnFieldValues);
    auditDataHelper.put(RestApiAuditProperty.SUBJECT_NAME, subjectName);
    auditDataHelper.put(RestApiAuditProperty.CERTIFICATION_SERVICE_NAME, caName);
    auditDataHelper.put(RestApiAuditProperty.CSR_FORMAT, format);
    try {
        return signerProxyFacade.generateCertRequest(keyId, memberId, keyUsage, subjectName, format);
    } catch (CodedException e) {
        throw e;
    } catch (Exception e) {
        throw new SignerNotReachableException("Generate cert request failed", e);
    }
}
Also used : DnFieldValue(ee.ria.xroad.common.certificateprofile.DnFieldValue) DeviationAwareRuntimeException(org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException) CertificateProfileInfo(ee.ria.xroad.common.certificateprofile.CertificateProfileInfo) InternalServerErrorException(org.niis.xroad.securityserver.restapi.openapi.InternalServerErrorException) SignerNotReachableException(org.niis.xroad.restapi.service.SignerNotReachableException) ServiceException(org.niis.xroad.restapi.service.ServiceException) AccessDeniedException(org.springframework.security.access.AccessDeniedException) CodedException(ee.ria.xroad.common.CodedException) KeyInfo(ee.ria.xroad.signer.protocol.dto.KeyInfo) TokenInfo(ee.ria.xroad.signer.protocol.dto.TokenInfo)

Example 3 with DnFieldValue

use of ee.ria.xroad.common.certificateprofile.DnFieldValue in project X-Road by nordic-institute.

the class DnFieldHelper method processDnParameters.

/**
 * Read dn parameters from dnParameters map, match them to DnFieldDescription
 * definitions (consider readOnly, required, etc) and validate that all parameters
 * are fine.
 * @return valid DnFieldValue objects
 * @throws InvalidDnParameterException if there were invalid parameters
 */
public List<DnFieldValue> processDnParameters(CertificateProfileInfo profile, Map<String, String> dnParameters) throws InvalidDnParameterException {
    Set<String> unprocessedParameters = new HashSet<>(dnParameters.keySet());
    List<DnFieldValue> dnValues = new ArrayList<>();
    // match all dn fields with either default values or actual parameters
    for (DnFieldDescription description : profile.getSubjectFields()) {
        String fieldValue = null;
        boolean parameterIsMissing = StringUtils.isBlank(dnParameters.get(description.getId()));
        if (description.isRequired() && (!description.isReadOnly()) && parameterIsMissing) {
            throw new InvalidDnParameterException("missing parameter: " + description.getId());
        }
        // a read-only field always takes the profile default: a client-supplied value for it
        // is ignored rather than rejected, so the client cannot override pinned subject fields
        if (description.isReadOnly() || parameterIsMissing) {
            fieldValue = description.getDefaultValue();
        } else {
            fieldValue = dnParameters.get(description.getId());
        }
        dnValues.add(new DnFieldValueImpl(description.getId(), fieldValue));
        unprocessedParameters.remove(description.getId());
    }
    if (!unprocessedParameters.isEmpty()) {
        throw new InvalidDnParameterException("extraneous parameters: " + unprocessedParameters);
    }
    // validate
    for (DnFieldValue dnValue : dnValues) {
        try {
            profile.validateSubjectField(dnValue);
        } catch (Exception e) {
            throw new InvalidDnParameterException(e);
        }
    }
    return dnValues;
}
Also used : DnFieldValue(ee.ria.xroad.common.certificateprofile.DnFieldValue) DnFieldDescription(ee.ria.xroad.common.certificateprofile.DnFieldDescription) DnFieldValueImpl(ee.ria.xroad.common.certificateprofile.impl.DnFieldValueImpl) ArrayList(java.util.ArrayList) ServiceException(org.niis.xroad.restapi.service.ServiceException) HashSet(java.util.HashSet)

Example 4 with DnFieldValue

use of ee.ria.xroad.common.certificateprofile.DnFieldValue in project X-Road by nordic-institute.

the class CertificateAuthoritiesApiControllerTest method setUp.

@Before
public void setUp() throws Exception {
    KeyInfo signKeyInfo = new TokenTestUtils.KeyInfoBuilder().id(GOOD_SIGN_KEY_ID).keyUsageInfo(KeyUsageInfo.SIGNING).build();
    KeyInfo authKeyInfo = new TokenTestUtils.KeyInfoBuilder().id(GOOD_AUTH_KEY_ID).keyUsageInfo(KeyUsageInfo.AUTHENTICATION).build();
    doAnswer(invocation -> {
        Object[] args = invocation.getArguments();
        String keyId = (String) args[0];
        if (keyId.equals(GOOD_AUTH_KEY_ID)) {
            return authKeyInfo;
        } else if (keyId.equals(GOOD_SIGN_KEY_ID)) {
            return signKeyInfo;
        } else {
            throw new KeyNotFoundException("foo");
        }
    }).when(keyService).getKey(any());
    List<ApprovedCaDto> approvedCAInfos = new ArrayList<>();
    approvedCAInfos.add(ApprovedCaDto.builder().name(GENERAL_PURPOSE_CA_NAME).authenticationOnly(false).build());
    when(certificateAuthorityService.getCertificateAuthorities(any())).thenReturn(approvedCAInfos);
    when(certificateAuthorityService.getCertificateProfile(any(), any(), any(), anyBoolean())).thenReturn(new CertificateProfileInfo() {

        @Override
        public DnFieldDescription[] getSubjectFields() {
            return new DnFieldDescription[0];
        }

        @Override
        public X500Principal createSubjectDn(DnFieldValue[] values) {
            return null;
        }

        @Override
        public void validateSubjectField(DnFieldValue field) throws Exception {
        }
    });
}
Also used : DnFieldValue(ee.ria.xroad.common.certificateprofile.DnFieldValue) ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto) ArrayList(java.util.ArrayList) TokenTestUtils(org.niis.xroad.securityserver.restapi.util.TokenTestUtils) CertificateProfileInfo(ee.ria.xroad.common.certificateprofile.CertificateProfileInfo) AccessDeniedException(org.springframework.security.access.AccessDeniedException) KeyNotFoundException(org.niis.xroad.securityserver.restapi.service.KeyNotFoundException) KeyInfo(ee.ria.xroad.signer.protocol.dto.KeyInfo) X500Principal(javax.security.auth.x500.X500Principal) Before(org.junit.Before)

Example 5 with DnFieldValue

use of ee.ria.xroad.common.certificateprofile.DnFieldValue in project X-Road by nordic-institute.

the class DnFieldHelperTest method createSubjectName.

@Test
public void createSubjectName() {
    List<DnFieldValue> fieldValues = Arrays.asList(new DnFieldValueImpl("O", "foo"), new DnFieldValueImpl("CN", "bar"));
    assertEquals("O=foo, CN=bar", helper.createSubjectName(fieldValues));
}
Also used : DnFieldValue(ee.ria.xroad.common.certificateprofile.DnFieldValue) DnFieldValueImpl(ee.ria.xroad.common.certificateprofile.impl.DnFieldValueImpl) Test(org.junit.Test)
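The helper in Example 3 does no value checking of its own: it only fills read-only fields from the profile default, rejects missing required and extraneous parameters, and then delegates each value to the profile's validateSubjectField. Example 5 shows that createSubjectName joins the accepted `id=value` pairs with ", " and nothing on this page shows any escaping, so whatever a profile accepts reaches the subject name verbatim. The block below is an added example, not X-Road's own code, of the piece this page leaves open: a hypothetical CertificateProfileInfo implementation (the class name PinnedSubjectProfile is invented) that pins O and serialNumber to the member identity as read-only fields, which the helper then never lets a client override (the "attempt to set param is ignored" case in Example 1), rejects RFC 4514 special characters in the editable CN so that a value such as `x, O=Attacker` cannot smuggle an extra RDN into the DN, and builds the X500Principal through javax.naming.ldap.Rdn so values are escaped instead of concatenated. It assumes DnFieldValue exposes getId() and getValue(), and that a DnFieldDescriptionImpl is required unless stated otherwise (as the "no param" case in Example 1 implies).

```java
// Added example, not X-Road project code. Assumes the certificateprofile interfaces shown on this
// page and that DnFieldValue has getId()/getValue() accessors (assumption).
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

import ee.ria.xroad.common.certificateprofile.CertificateProfileInfo;
import ee.ria.xroad.common.certificateprofile.DnFieldDescription;
import ee.ria.xroad.common.certificateprofile.DnFieldValue;
import ee.ria.xroad.common.certificateprofile.impl.DnFieldDescriptionImpl;
import ee.ria.xroad.common.certificateprofile.impl.DnFieldValueImpl;

/**
 * Hypothetical sign-certificate profile: O and serialNumber are pinned to the member identity
 * and read-only, so DnFieldHelper.processDnParameters always takes them from the default and
 * ignores anything the client sends for them. Only CN is editable, and it is validated here.
 */
public class PinnedSubjectProfile implements CertificateProfileInfo {

    // Printable ASCII only, no RFC 4514 special characters (, + " \ < > ; =) and no
    // leading/trailing space, so a single value can never parse as more than one RDN.
    private static final Pattern SAFE_VALUE = Pattern.compile("[A-Za-z0-9][A-Za-z0-9 ._-]{0,62}");

    private final DnFieldDescription[] fields;

    public PinnedSubjectProfile(String memberName, String memberCode) {
        this.fields = new DnFieldDescription[] {
            new DnFieldDescriptionImpl("O", "Organization", memberName).setReadOnly(true),
            new DnFieldDescriptionImpl("serialNumber", "Member code", memberCode).setReadOnly(true),
            new DnFieldDescriptionImpl("CN", "Common name", "").setReadOnly(false),
        };
    }

    @Override
    public DnFieldDescription[] getSubjectFields() {
        return fields;
    }

    @Override
    public void validateSubjectField(DnFieldValue field) throws Exception {
        String id = field.getId();        // assumed accessor
        String value = field.getValue();  // assumed accessor
        boolean known = false;
        for (DnFieldDescription d : fields) {
            if (d.getId().equals(id)) {
                known = true;
            }
        }
        if (!known) {
            throw new IllegalArgumentException("unknown subject field: " + id);
        }
        // applies to read-only defaults too, so a misconfigured profile fails closed
        if (value == null || !SAFE_VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("invalid value for " + id + ": " + value);
        }
    }

    @Override
    public X500Principal createSubjectDn(DnFieldValue[] values) {
        try {
            // Rdn escapes each value per RFC 2253; LdapName treats index 0 as the rightmost
            // RDN, so O ends up rightmost and CN leftmost in the printed form.
            List<Rdn> rdns = new ArrayList<>();
            for (DnFieldValue v : values) {
                rdns.add(new Rdn(v.getId(), v.getValue()));
            }
            return new X500Principal(new LdapName(rdns).toString());
        } catch (InvalidNameException e) {
            throw new IllegalArgumentException("cannot build subject DN", e);
        }
    }

    public static void main(String[] args) throws Exception {
        // constructed sample identity, not real X-Road data
        PinnedSubjectProfile profile = new PinnedSubjectProfile("Example Org", "12345");
        DnFieldValue cn = new DnFieldValueImpl("CN", "gateway-01");
        profile.validateSubjectField(cn); // accepted
        try {
            profile.validateSubjectField(new DnFieldValueImpl("CN", "x, O=Attacker"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        X500Principal dn = profile.createSubjectDn(new DnFieldValue[] {
            new DnFieldValueImpl("O", "Example Org"),
            new DnFieldValueImpl("serialNumber", "12345"),
            cn,
        });
        System.out.println(dn.getName(X500Principal.RFC2253));
    }
}
```

In Example 2 the profile object reaches the helper through `certificateAuthorityService.getCertificateProfile(caName, keyUsage, memberId, false)` and is then handed to `dnFieldHelper.processDnParameters(profile, subjectFieldValues)`; a class like this one is what that call would receive. Note that the helper's own createSubjectName (Example 5) still joins the validated values as plain strings, so the escaping in createSubjectDn above only protects callers that use the X500Principal path; the regex in validateSubjectField is what protects the string path, which is why it rejects the special characters outright instead of escaping them.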

Aggregations

DnFieldValue (ee.ria.xroad.common.certificateprofile.DnFieldValue)5 DnFieldValueImpl (ee.ria.xroad.common.certificateprofile.impl.DnFieldValueImpl)3 CertificateProfileInfo (ee.ria.xroad.common.certificateprofile.CertificateProfileInfo)2 DnFieldDescription (ee.ria.xroad.common.certificateprofile.DnFieldDescription)2 KeyInfo (ee.ria.xroad.signer.protocol.dto.KeyInfo)2 ArrayList (java.util.ArrayList)2 Test (org.junit.Test)2 ServiceException (org.niis.xroad.restapi.service.ServiceException)2 AccessDeniedException (org.springframework.security.access.AccessDeniedException)2 CodedException (ee.ria.xroad.common.CodedException)1 DnFieldDescriptionImpl (ee.ria.xroad.common.certificateprofile.impl.DnFieldDescriptionImpl)1 TokenInfo (ee.ria.xroad.signer.protocol.dto.TokenInfo)1 HashSet (java.util.HashSet)1 X500Principal (javax.security.auth.x500.X500Principal)1 Before (org.junit.Before)1 DeviationAwareRuntimeException (org.niis.xroad.restapi.exceptions.DeviationAwareRuntimeException)1 SignerNotReachableException (org.niis.xroad.restapi.service.SignerNotReachableException)1 ApprovedCaDto (org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto)1 InternalServerErrorException (org.niis.xroad.securityserver.restapi.openapi.InternalServerErrorException)1 KeyNotFoundException (org.niis.xroad.securityserver.restapi.service.KeyNotFoundException)1