Example 1 with ApprovedCAInfo
use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute.
the class KeyAndCertificateRequestServiceIntegrationTest method setup.
@Before
public void setup() throws Exception {
TokenInfo token0 = new TokenTestUtils.TokenInfoBuilder().id(SOFTWARE_TOKEN_ID).type(TokenInfo.SOFTWARE_MODULE_TYPE).friendlyName("mock-token0").build();
TokenInfo token1 = new TokenTestUtils.TokenInfoBuilder().id(OTHER_TOKEN_ID).type("mock-type").friendlyName("mock-token1").build();
Map<String, TokenInfo> tokens = new HashMap<>();
tokens.put(token0.getId(), token0);
tokens.put(token1.getId(), token1);
// mock related signer proxy methods
when(signerProxyFacade.getTokens()).thenReturn(new ArrayList<>(tokens.values()));
when(signerProxyFacade.getToken(any())).thenAnswer(invocation -> tokens.get(invocation.getArguments()[0]));
when(signerProxyFacade.generateKey(any(), any())).thenAnswer(invocation -> {
String tokenId = (String) invocation.getArguments()[0];
String label = (String) invocation.getArguments()[1];
// new keys start with usage = null
KeyInfo keyInfo = new TokenTestUtils.KeyInfoBuilder().id(label).keyUsageInfo(null).friendlyName(label).build();
TokenInfo token = tokens.get(tokenId);
token.getKeyInfo().add(keyInfo);
return keyInfo;
});
when(signerProxyFacade.getTokenForKeyId(any())).thenAnswer(invocation -> {
String keyId = (String) invocation.getArguments()[0];
return getTokenWithKey(tokens, keyId);
});
when(signerProxyFacade.generateCertRequest(any(), any(), any(), any(), any())).thenAnswer(invocation -> {
// keyInfo is immutable, so we need some work to replace KeyInfo with
// one that has correct usage
String keyId = (String) invocation.getArguments()[0];
KeyUsageInfo keyUsage = (KeyUsageInfo) invocation.getArguments()[2];
KeyInfo keyInfo = getKey(tokens, keyId);
TokenInfo tokenInfo = getTokenWithKey(tokens, keyId);
KeyInfo copy = new TokenTestUtils.KeyInfoBuilder().keyInfo(keyInfo).keyUsageInfo(keyUsage).build();
tokenInfo.getKeyInfo().remove(keyInfo);
tokenInfo.getKeyInfo().add(copy);
return new SignerProxy.GeneratedCertRequestInfo(null, null, null, null, null);
});
when(globalConfFacade.getApprovedCAs(any())).thenReturn(Arrays.asList(new ApprovedCAInfo(MOCK_CA, false, "ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider")));
ClientId ownerId = ClientId.create("FI", "GOV", "M1");
SecurityServerId ownerSsId = SecurityServerId.create(ownerId, "TEST-INMEM-SS");
when(currentSecurityServerId.getServerId()).thenReturn(ownerSsId);
}
Also used :
ApprovedCAInfo(ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo)
HashMap(java.util.HashMap)
SecurityServerId(ee.ria.xroad.common.identifier.SecurityServerId)
TokenTestUtils(org.niis.xroad.securityserver.restapi.util.TokenTestUtils)
KeyInfo(ee.ria.xroad.signer.protocol.dto.KeyInfo)
ClientId(ee.ria.xroad.common.identifier.ClientId)
TokenInfo(ee.ria.xroad.signer.protocol.dto.TokenInfo)
KeyUsageInfo(ee.ria.xroad.signer.protocol.dto.KeyUsageInfo)
Before(org.junit.Before)
Example 2 with ApprovedCAInfo
use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute.
the class CertificateAuthorityServiceTest method setup.
@Before
public void setup() throws Exception {
// start with empty cache
evictCache();
List<ApprovedCAInfo> approvedCAInfos = new ArrayList<>();
approvedCAInfos.add(new ApprovedCAInfo("fi-not-auth-only", false, "ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider"));
approvedCAInfos.add(new ApprovedCAInfo("est-auth-only", true, "ee.ria.xroad.common.certificateprofile.impl.SkEsteIdCertificateProfileInfoProvider"));
approvedCAInfos.add(new ApprovedCAInfo("mock-top-ca", false, "ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider"));
approvedCAInfos.add(new ApprovedCAInfo("mock-intermediate-ca", false, "ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider"));
when(globalConfFacade.getApprovedCAs(any())).thenReturn(approvedCAInfos);
List<X509Certificate> caCerts = new ArrayList<>();
caCerts.add(CertificateTestUtils.getMockCertificate());
caCerts.add(CertificateTestUtils.getMockAuthCertificate());
caCerts.add(CertificateTestUtils.getMockTopCaCertificate());
caCerts.add(CertificateTestUtils.getMockIntermediateCaCertificate());
when(globalConfFacade.getAllCaCerts(any())).thenReturn(caCerts);
when(globalConfFacade.getApprovedCA(any(), any())).thenAnswer(invocation -> {
X509Certificate cert = (X509Certificate) invocation.getArguments()[1];
for (int i = 0; i < caCerts.size(); i++) {
if (caCerts.get(i) == cert) {
return approvedCAInfos.get(i);
}
}
throw new RuntimeException("approved ca info not found");
});
// ocsp responses are not fetched for all CAs
// see CertificateAuthorityService#getCertificateAuthorities implementation
Map<String, String> subjectsToIssuers = caCerts.stream().collect(Collectors.toMap(x509 -> x509.getSubjectDN().getName(), x509 -> x509.getIssuerDN().getName()));
List<X509Certificate> filteredCerts = caCerts.stream().filter(cert -> subjectsToIssuers.containsKey(cert.getIssuerDN().getName())).collect(Collectors.toList());
String[] ocspResponses = filteredCerts.stream().map(cert -> {
try {
byte[] bytes = CertificateTestUtils.generateOcspBytes(cert, CertificateStatus.GOOD);
return CryptoUtils.encodeBase64(bytes);
} catch (Exception e) {
throw new RuntimeException(e);
}
}).collect(Collectors.toList()).toArray(new String[] {});
doReturn(ocspResponses).when(signerProxyFacade).getOcspResponses(any());
when(clientRepository.getClient(any())).thenReturn(new ClientType());
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
ArgumentMatchers.any(org.mockito.ArgumentMatchers.any)
Arrays(java.util.Arrays)
ApprovedCAInfo(ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo)
Autowired(org.springframework.beans.factory.annotation.Autowired)
HashMap(java.util.HashMap)
ArrayList(java.util.ArrayList)
AuthCertificateProfileInfo(ee.ria.xroad.common.certificateprofile.AuthCertificateProfileInfo)
KeyUsageInfo(ee.ria.xroad.signer.protocol.dto.KeyUsageInfo)
CacheManager(org.springframework.cache.CacheManager)
FiVRKSignCertificateProfileInfo(ee.ria.xroad.common.certificateprofile.impl.FiVRKSignCertificateProfileInfo)
Map(java.util.Map)
Assert.fail(org.junit.Assert.fail)
ClientType(ee.ria.xroad.common.conf.serverconf.model.ClientType)
Mockito.doReturn(org.mockito.Mockito.doReturn)
Before(org.junit.Before)
CertificateStatus(org.bouncycastle.cert.ocsp.CertificateStatus)
CertificateProfileInfo(ee.ria.xroad.common.certificateprofile.CertificateProfileInfo)
ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto)
Assert.assertTrue(org.junit.Assert.assertTrue)
Test(org.junit.Test)
Mockito.times(org.mockito.Mockito.times)
Mockito.when(org.mockito.Mockito.when)
Collectors(java.util.stream.Collectors)
Mockito.verify(org.mockito.Mockito.verify)
List(java.util.List)
OffsetDateTime(java.time.OffsetDateTime)
FiVRKAuthCertificateProfileInfo(ee.ria.xroad.common.certificateprofile.impl.FiVRKAuthCertificateProfileInfo)
Assert.assertFalse(org.junit.Assert.assertFalse)
CryptoUtils(ee.ria.xroad.common.util.CryptoUtils)
Collections(java.util.Collections)
CertificateTestUtils(org.niis.xroad.securityserver.restapi.util.CertificateTestUtils)
Assert.assertEquals(org.junit.Assert.assertEquals)
ClientType(ee.ria.xroad.common.conf.serverconf.model.ClientType)
ApprovedCAInfo(ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo)
ArrayList(java.util.ArrayList)
X509Certificate(java.security.cert.X509Certificate)
Before(org.junit.Before)
Example 3 with ApprovedCAInfo
use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute.
the class CertificateAuthorityServiceTest method getCertificateAuthorityInfo.
@Test
public void getCertificateAuthorityInfo() throws Exception {
ApprovedCAInfo caInfo = certificateAuthorityService.getCertificateAuthorityInfo("fi-not-auth-only");
assertEquals("ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider", caInfo.getCertificateProfileInfo());
try {
certificateAuthorityService.getCertificateAuthorityInfo("does-not-exist");
fail("should have thrown exception");
} catch (CertificateAuthorityNotFoundException expected) {
}
}
Also used :
ApprovedCAInfo(ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo)
Test(org.junit.Test)
Example 4 with ApprovedCAInfo
use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute.
the class CertificateAuthorityServiceTest method getCertificateProfile.
@Test
public void getCertificateProfile() throws Exception {
ClientType client = new ClientType();
client.setIdentifier(COMMON_OWNER_ID);
when(clientRepository.getAllLocalClients()).thenReturn(Collections.singletonList(client));
// test handling of profile info parameters:
// private final SecurityServerId serverId;
// private final ClientId clientId; (sign only)
// private final String memberName;
CertificateProfileInfo profile = certificateAuthorityService.getCertificateProfile("fi-not-auth-only", KeyUsageInfo.SIGNING, COMMON_OWNER_ID, false);
assertTrue(profile instanceof FiVRKSignCertificateProfileInfo);
assertEquals("FI/SS1/GOV", profile.getSubjectFields()[2].getDefaultValue());
assertEquals("M1", profile.getSubjectFields()[3].getDefaultValue());
assertTrue(profile.getSubjectFields()[3].isReadOnly());
profile = certificateAuthorityService.getCertificateProfile("fi-not-auth-only", KeyUsageInfo.AUTHENTICATION, COMMON_OWNER_ID, false);
assertTrue(profile instanceof FiVRKAuthCertificateProfileInfo);
assertEquals("FI/SS1/GOV", profile.getSubjectFields()[2].getDefaultValue());
assertEquals("", profile.getSubjectFields()[3].getDefaultValue());
assertFalse(profile.getSubjectFields()[3].isReadOnly());
profile = certificateAuthorityService.getCertificateProfile("est-auth-only", KeyUsageInfo.AUTHENTICATION, COMMON_OWNER_ID, false);
assertTrue(profile instanceof AuthCertificateProfileInfo);
assertEquals(0, profile.getSubjectFields().length);
// exceptions
try {
certificateAuthorityService.getCertificateProfile("est-auth-only", KeyUsageInfo.SIGNING, COMMON_OWNER_ID, false);
fail("should have thrown exception");
} catch (WrongKeyUsageException expected) {
}
try {
certificateAuthorityService.getCertificateProfile("this-does-not-exist", KeyUsageInfo.SIGNING, COMMON_OWNER_ID, false);
fail("should have thrown exception");
} catch (CertificateAuthorityNotFoundException expected) {
}
// cant instantiate
List<ApprovedCAInfo> approvedCAInfos = new ArrayList<>();
approvedCAInfos.add(new ApprovedCAInfo("provider-class-does-not-exist", false, "ee.ria.xroad.common.certificateprofile.impl.NonExistentProvider"));
when(globalConfFacade.getApprovedCAs(any())).thenReturn(approvedCAInfos);
try {
certificateAuthorityService.getCertificateProfile("provider-class-does-not-exist", KeyUsageInfo.SIGNING, COMMON_OWNER_ID, false);
fail("should have thrown exception");
} catch (CertificateProfileInstantiationException expected) {
}
}
Also used :
ClientType(ee.ria.xroad.common.conf.serverconf.model.ClientType)
ApprovedCAInfo(ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo)
ArrayList(java.util.ArrayList)
AuthCertificateProfileInfo(ee.ria.xroad.common.certificateprofile.AuthCertificateProfileInfo)
FiVRKSignCertificateProfileInfo(ee.ria.xroad.common.certificateprofile.impl.FiVRKSignCertificateProfileInfo)
CertificateProfileInfo(ee.ria.xroad.common.certificateprofile.CertificateProfileInfo)
FiVRKAuthCertificateProfileInfo(ee.ria.xroad.common.certificateprofile.impl.FiVRKAuthCertificateProfileInfo)
FiVRKSignCertificateProfileInfo(ee.ria.xroad.common.certificateprofile.impl.FiVRKSignCertificateProfileInfo)
FiVRKAuthCertificateProfileInfo(ee.ria.xroad.common.certificateprofile.impl.FiVRKAuthCertificateProfileInfo)
AuthCertificateProfileInfo(ee.ria.xroad.common.certificateprofile.AuthCertificateProfileInfo)
FiVRKAuthCertificateProfileInfo(ee.ria.xroad.common.certificateprofile.impl.FiVRKAuthCertificateProfileInfo)
Test(org.junit.Test)
Example 5 with ApprovedCAInfo
use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute.
the class CertificateAuthorityService method buildCertificateAuthorityDto.
/**
* Build a single {@code ApprovedCaDto} object using given parameters
* @param certificate CA certificate
* @param base64EncodedOcspResponse OCSP response
* @param subjectsToIssuers map linking all CA subject DNs to corresponding issuer DNs
* @return approved CA DTO
* @throws InconsistentCaDataException if required CA data could not be extracted, for example due to OCSP
* responses not being valid
*/
private ApprovedCaDto buildCertificateAuthorityDto(X509Certificate certificate, String base64EncodedOcspResponse, Map<String, String> subjectsToIssuers) throws InconsistentCaDataException {
ApprovedCAInfo approvedCAInfo = globalConfService.getApprovedCAForThisInstance(certificate);
if (approvedCAInfo == null) {
throw new InconsistentCaDataException("approved ca info not found");
}
// properties from ApprovedCAInfo
ApprovedCaDto.ApprovedCaDtoBuilder builder = ApprovedCaDto.builder();
builder.authenticationOnly(Boolean.TRUE.equals(approvedCAInfo.getAuthenticationOnly()));
builder.name(approvedCAInfo.getName());
// properties from X509Certificate
builder.notAfter(FormatUtils.fromDateToOffsetDateTime(certificate.getNotAfter()));
builder.issuerDistinguishedName(certificate.getIssuerDN().getName());
String subjectName = certificate.getSubjectDN().getName();
builder.subjectDistinguishedName(subjectName);
// properties from ocsp response
String ocspResponseStatus = null;
try {
ocspResponseStatus = OcspUtils.getOcspResponseStatus(base64EncodedOcspResponse);
} catch (OcspUtils.OcspStatusExtractionException e) {
throw new InconsistentCaDataException(e);
}
if (ocspResponseStatus == null) {
builder.ocspResponse(OCSP_RESPONSE_NOT_AVAILABLE);
} else {
builder.ocspResponse(ocspResponseStatus);
}
// path and is-top-ca info
List<String> subjectDnPath = buildPath(certificate, subjectsToIssuers);
builder.subjectDnPath(subjectDnPath);
if (subjectDnPath.size() > 1 || !subjectName.equals(subjectDnPath.get(0))) {
builder.topCa(false);
} else {
builder.topCa(true);
}
return builder.build();
}
Also used :
OcspUtils(org.niis.xroad.securityserver.restapi.util.OcspUtils)
ApprovedCAInfo(ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo)
ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto)
Aggregations
ApprovedCAInfo (ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo)6
Test (org.junit.Test)3
AuthCertificateProfileInfo (ee.ria.xroad.common.certificateprofile.AuthCertificateProfileInfo)2
CertificateProfileInfo (ee.ria.xroad.common.certificateprofile.CertificateProfileInfo)2
FiVRKAuthCertificateProfileInfo (ee.ria.xroad.common.certificateprofile.impl.FiVRKAuthCertificateProfileInfo)2
FiVRKSignCertificateProfileInfo (ee.ria.xroad.common.certificateprofile.impl.FiVRKSignCertificateProfileInfo)2
ClientType (ee.ria.xroad.common.conf.serverconf.model.ClientType)2
SecurityServerId (ee.ria.xroad.common.identifier.SecurityServerId)2
KeyUsageInfo (ee.ria.xroad.signer.protocol.dto.KeyUsageInfo)2
ArrayList (java.util.ArrayList)2
HashMap (java.util.HashMap)2
Before (org.junit.Before)2
ApprovedCaDto (org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto)2
CertificateProfileInfoProvider (ee.ria.xroad.common.certificateprofile.CertificateProfileInfoProvider)1
GetCertificateProfile (ee.ria.xroad.common.certificateprofile.GetCertificateProfile)1
AuthCertificateProfileInfoParameters (ee.ria.xroad.common.certificateprofile.impl.AuthCertificateProfileInfoParameters)1
SignCertificateProfileInfoParameters (ee.ria.xroad.common.certificateprofile.impl.SignCertificateProfileInfoParameters)1
ClientId (ee.ria.xroad.common.identifier.ClientId)1
CryptoUtils (ee.ria.xroad.common.util.CryptoUtils)1
KeyInfo (ee.ria.xroad.signer.protocol.dto.KeyInfo)1
