
Example 1 with ApprovedCAInfo

use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute.

the class KeyAndCertificateRequestServiceIntegrationTest method setup.

@Before
public void setup() throws Exception {
    // Two mock tokens: the software token and one generic "other" token.
    TokenInfo softwareToken = new TokenTestUtils.TokenInfoBuilder()
            .id(SOFTWARE_TOKEN_ID)
            .type(TokenInfo.SOFTWARE_MODULE_TYPE)
            .friendlyName("mock-token0")
            .build();
    TokenInfo otherToken = new TokenTestUtils.TokenInfoBuilder()
            .id(OTHER_TOKEN_ID)
            .type("mock-type")
            .friendlyName("mock-token1")
            .build();
    Map<String, TokenInfo> tokensById = new HashMap<>();
    for (TokenInfo token : Arrays.asList(softwareToken, otherToken)) {
        tokensById.put(token.getId(), token);
    }

    // Signer proxy mock: every answer reads from / writes to tokensById so the
    // tokens stay consistent across the stubbed calls.
    when(signerProxyFacade.getTokens()).thenReturn(new ArrayList<>(tokensById.values()));
    when(signerProxyFacade.getToken(any()))
            .thenAnswer(invocation -> tokensById.get(invocation.getArguments()[0]));
    when(signerProxyFacade.generateKey(any(), any())).thenAnswer(invocation -> {
        Object[] args = invocation.getArguments();
        String tokenId = (String) args[0];
        String label = (String) args[1];
        // a freshly generated key carries no usage yet
        KeyInfo generatedKey = new TokenTestUtils.KeyInfoBuilder()
                .id(label)
                .keyUsageInfo(null)
                .friendlyName(label)
                .build();
        tokensById.get(tokenId).getKeyInfo().add(generatedKey);
        return generatedKey;
    });
    when(signerProxyFacade.getTokenForKeyId(any()))
            .thenAnswer(invocation -> getTokenWithKey(tokensById, (String) invocation.getArguments()[0]));
    when(signerProxyFacade.generateCertRequest(any(), any(), any(), any(), any())).thenAnswer(invocation -> {
        // KeyInfo is immutable: swap the stored key for a copy that carries the requested usage
        Object[] args = invocation.getArguments();
        String keyId = (String) args[0];
        KeyUsageInfo requestedUsage = (KeyUsageInfo) args[2];
        KeyInfo existingKey = getKey(tokensById, keyId);
        TokenInfo owningToken = getTokenWithKey(tokensById, keyId);
        KeyInfo keyWithUsage = new TokenTestUtils.KeyInfoBuilder()
                .keyInfo(existingKey)
                .keyUsageInfo(requestedUsage)
                .build();
        owningToken.getKeyInfo().remove(existingKey);
        owningToken.getKeyInfo().add(keyWithUsage);
        return new SignerProxy.GeneratedCertRequestInfo(null, null, null, null, null);
    });

    // Global conf mock: a single approved CA with the FI VRK profile provider.
    ApprovedCAInfo mockCa = new ApprovedCAInfo(MOCK_CA, false,
            "ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider");
    when(globalConfFacade.getApprovedCAs(any())).thenReturn(Arrays.asList(mockCa));

    // Identity of the security server under test.
    ClientId ownerId = ClientId.create("FI", "GOV", "M1");
    SecurityServerId ownerServerId = SecurityServerId.create(ownerId, "TEST-INMEM-SS");
    when(currentSecurityServerId.getServerId()).thenReturn(ownerServerId);
}

Example 2 with ApprovedCAInfo

use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute.

the class CertificateAuthorityServiceTest method setup.

@Before
public void setup() throws Exception {
    // every test starts from an empty CA cache
    evictCache();

    // Approved CAs and their certificates are kept in two parallel lists;
    // index i of one corresponds to index i of the other.
    List<ApprovedCAInfo> approvedCas = new ArrayList<>(Arrays.asList(
            new ApprovedCAInfo("fi-not-auth-only", false,
                    "ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider"),
            new ApprovedCAInfo("est-auth-only", true,
                    "ee.ria.xroad.common.certificateprofile.impl.SkEsteIdCertificateProfileInfoProvider"),
            new ApprovedCAInfo("mock-top-ca", false,
                    "ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider"),
            new ApprovedCAInfo("mock-intermediate-ca", false,
                    "ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider")));
    when(globalConfFacade.getApprovedCAs(any())).thenReturn(approvedCas);

    List<X509Certificate> caCertificates = new ArrayList<>(Arrays.asList(
            CertificateTestUtils.getMockCertificate(),
            CertificateTestUtils.getMockAuthCertificate(),
            CertificateTestUtils.getMockTopCaCertificate(),
            CertificateTestUtils.getMockIntermediateCaCertificate()));
    when(globalConfFacade.getAllCaCerts(any())).thenReturn(caCertificates);

    // Resolve the ApprovedCAInfo by the certificate instance (identity, not equals),
    // using the parallel-list correspondence above.
    when(globalConfFacade.getApprovedCA(any(), any())).thenAnswer(invocation -> {
        X509Certificate requested = (X509Certificate) invocation.getArguments()[1];
        int index = 0;
        for (X509Certificate candidate : caCertificates) {
            if (candidate == requested) {
                return approvedCas.get(index);
            }
            index++;
        }
        throw new RuntimeException("approved ca info not found");
    });

    // OCSP responses exist only for CAs whose issuer is itself one of the CA certs;
    // see CertificateAuthorityService#getCertificateAuthorities implementation.
    Map<String, String> subjectsToIssuers = caCertificates.stream()
            .collect(Collectors.toMap(
                    x509 -> x509.getSubjectDN().getName(),
                    x509 -> x509.getIssuerDN().getName()));
    String[] ocspResponses = caCertificates.stream()
            .filter(cert -> subjectsToIssuers.containsKey(cert.getIssuerDN().getName()))
            .map(cert -> {
                try {
                    return CryptoUtils.encodeBase64(
                            CertificateTestUtils.generateOcspBytes(cert, CertificateStatus.GOOD));
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
            })
            .toArray(String[]::new);
    doReturn(ocspResponses).when(signerProxyFacade).getOcspResponses(any());

    when(clientRepository.getClient(any())).thenReturn(new ClientType());
}

Example 3 with ApprovedCAInfo

use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute.

the class CertificateAuthorityServiceTest method getCertificateAuthorityInfo.

@Test
public void getCertificateAuthorityInfo() throws Exception {
    // known CA: the profile provider class name is returned as configured in setup()
    String profileProvider = certificateAuthorityService
            .getCertificateAuthorityInfo("fi-not-auth-only")
            .getCertificateProfileInfo();
    assertEquals("ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider",
            profileProvider);

    // unknown CA: a dedicated not-found exception is expected instead of a null result
    boolean notFoundThrown = false;
    try {
        certificateAuthorityService.getCertificateAuthorityInfo("does-not-exist");
    } catch (CertificateAuthorityNotFoundException expected) {
        notFoundThrown = true;
    }
    assertTrue("should have thrown exception", notFoundThrown);
}

Example 4 with ApprovedCAInfo

use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute.

the class CertificateAuthorityServiceTest method getCertificateProfile.

@Test
public void getCertificateProfile() throws Exception {
    // the only local client is the common owner; the service resolves member data from it
    ClientType ownerClient = new ClientType();
    ownerClient.setIdentifier(COMMON_OWNER_ID);
    when(clientRepository.getAllLocalClients()).thenReturn(Collections.singletonList(ownerClient));

    // Profile info parameters under test:
    //   private final SecurityServerId serverId;
    //   private final ClientId clientId; (sign only)
    //   private final String memberName;

    // sign profile: member name field is prefilled and read-only
    CertificateProfileInfo signProfile = certificateAuthorityService.getCertificateProfile(
            "fi-not-auth-only", KeyUsageInfo.SIGNING, COMMON_OWNER_ID, false);
    assertTrue("expected FI VRK sign profile", signProfile instanceof FiVRKSignCertificateProfileInfo);
    assertEquals("FI/SS1/GOV", signProfile.getSubjectFields()[2].getDefaultValue());
    assertEquals("M1", signProfile.getSubjectFields()[3].getDefaultValue());
    assertTrue(signProfile.getSubjectFields()[3].isReadOnly());

    // auth profile of the same CA: member name field is empty and editable
    CertificateProfileInfo authProfile = certificateAuthorityService.getCertificateProfile(
            "fi-not-auth-only", KeyUsageInfo.AUTHENTICATION, COMMON_OWNER_ID, false);
    assertTrue("expected FI VRK auth profile", authProfile instanceof FiVRKAuthCertificateProfileInfo);
    assertEquals("FI/SS1/GOV", authProfile.getSubjectFields()[2].getDefaultValue());
    assertEquals("", authProfile.getSubjectFields()[3].getDefaultValue());
    assertFalse(authProfile.getSubjectFields()[3].isReadOnly());

    // auth-only CA with a provider that exposes no subject fields
    CertificateProfileInfo estAuthProfile = certificateAuthorityService.getCertificateProfile(
            "est-auth-only", KeyUsageInfo.AUTHENTICATION, COMMON_OWNER_ID, false);
    assertTrue("expected auth profile", estAuthProfile instanceof AuthCertificateProfileInfo);
    assertEquals(0, estAuthProfile.getSubjectFields().length);

    // error cases
    // signing usage is rejected for an auth-only CA
    try {
        certificateAuthorityService.getCertificateProfile(
                "est-auth-only", KeyUsageInfo.SIGNING, COMMON_OWNER_ID, false);
        fail("should have thrown exception");
    } catch (WrongKeyUsageException expected) {
    }
    // unknown CA name
    try {
        certificateAuthorityService.getCertificateProfile(
                "this-does-not-exist", KeyUsageInfo.SIGNING, COMMON_OWNER_ID, false);
        fail("should have thrown exception");
    } catch (CertificateAuthorityNotFoundException expected) {
    }
    // provider class configured for the CA cannot be instantiated
    List<ApprovedCAInfo> unloadableProviderCas = new ArrayList<>();
    unloadableProviderCas.add(new ApprovedCAInfo("provider-class-does-not-exist", false,
            "ee.ria.xroad.common.certificateprofile.impl.NonExistentProvider"));
    when(globalConfFacade.getApprovedCAs(any())).thenReturn(unloadableProviderCas);
    try {
        certificateAuthorityService.getCertificateProfile(
                "provider-class-does-not-exist", KeyUsageInfo.SIGNING, COMMON_OWNER_ID, false);
        fail("should have thrown exception");
    } catch (CertificateProfileInstantiationException expected) {
    }
}

Example 5 with ApprovedCAInfo

use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute.

the class CertificateAuthorityService method buildCertificateAuthorityDto.

/**
 * Build a single {@code ApprovedCaDto} object using given parameters.
 * The DTO combines data from three sources: the global configuration
 * ({@code ApprovedCAInfo}), the CA certificate itself, and the CA's OCSP response.
 * @param certificate CA certificate
 * @param base64EncodedOcspResponse OCSP response
 * @param subjectsToIssuers map linking all CA subject DNs to corresponding issuer DNs
 * @return approved CA DTO
 * @throws InconsistentCaDataException if required CA data could not be extracted, for example due to OCSP
 * responses not being valid, or when no approved CA info exists for the certificate
 */
private ApprovedCaDto buildCertificateAuthorityDto(X509Certificate certificate, String base64EncodedOcspResponse,
        Map<String, String> subjectsToIssuers) throws InconsistentCaDataException {
    ApprovedCAInfo caInfo = globalConfService.getApprovedCAForThisInstance(certificate);
    if (caInfo == null) {
        throw new InconsistentCaDataException("approved ca info not found");
    }
    String subjectDn = certificate.getSubjectDN().getName();

    // OCSP status: an extraction failure is a data inconsistency, a missing status is reported as such
    String ocspStatus;
    try {
        ocspStatus = OcspUtils.getOcspResponseStatus(base64EncodedOcspResponse);
    } catch (OcspUtils.OcspStatusExtractionException e) {
        throw new InconsistentCaDataException(e);
    }
    String ocspResponse = (ocspStatus != null) ? ocspStatus : OCSP_RESPONSE_NOT_AVAILABLE;

    // a CA is a top CA only when its DN path consists of the CA itself and nothing else
    List<String> subjectDnPath = buildPath(certificate, subjectsToIssuers);
    boolean isTopCa = subjectDnPath.size() <= 1 && subjectDn.equals(subjectDnPath.get(0));

    return ApprovedCaDto.builder()
            // properties from ApprovedCAInfo; null authenticationOnly is treated as false
            .authenticationOnly(Boolean.TRUE.equals(caInfo.getAuthenticationOnly()))
            .name(caInfo.getName())
            // properties from X509Certificate
            .notAfter(FormatUtils.fromDateToOffsetDateTime(certificate.getNotAfter()))
            .issuerDistinguishedName(certificate.getIssuerDN().getName())
            .subjectDistinguishedName(subjectDn)
            // properties from the OCSP response
            .ocspResponse(ocspResponse)
            // path and is-top-ca info
            .subjectDnPath(subjectDnPath)
            .topCa(isTopCa)
            .build();
}
