Use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute: class KeyAndCertificateRequestServiceIntegrationTest, method setup.
/**
 * Builds the in-memory token/key model and wires the signer and global-conf mocks used by the
 * integration tests.
 *
 * Two tokens are registered: the software token ({@code SOFTWARE_TOKEN_ID}) and a second token of
 * type {@code "mock-type"}. The {@code signerProxyFacade} mock answers against that model:
 * {@code generateKey} appends a key with {@code null} usage to the requested token, and
 * {@code generateCertRequest} swaps the key for a copy carrying the requested usage (KeyInfo is
 * treated as immutable here). The approved CA list is the single {@code MOCK_CA} entry and the
 * owner server id is FI/GOV/M1 with server code TEST-INMEM-SS.
 *
 * @throws Exception propagated from the test utilities
 */
@Before
public void setup() throws Exception {
    Map<String, TokenInfo> tokensById = new HashMap<>();
    TokenInfo softwareToken = new TokenTestUtils.TokenInfoBuilder()
            .id(SOFTWARE_TOKEN_ID)
            .type(TokenInfo.SOFTWARE_MODULE_TYPE)
            .friendlyName("mock-token0")
            .build();
    TokenInfo otherToken = new TokenTestUtils.TokenInfoBuilder()
            .id(OTHER_TOKEN_ID)
            .type("mock-type")
            .friendlyName("mock-token1")
            .build();
    tokensById.put(softwareToken.getId(), softwareToken);
    tokensById.put(otherToken.getId(), otherToken);

    // signer proxy answers read the live tokensById map, so keys added or replaced by one
    // answer are visible to the next call
    when(signerProxyFacade.getTokens())
            .thenReturn(new ArrayList<>(tokensById.values()));
    when(signerProxyFacade.getToken(any()))
            .thenAnswer(call -> tokensById.get(call.getArguments()[0]));
    when(signerProxyFacade.generateKey(any(), any())).thenAnswer(call -> {
        Object[] args = call.getArguments();
        String tokenId = (String) args[0];
        String label = (String) args[1];
        // a freshly generated key has no usage yet; the label doubles as the key id
        KeyInfo generated = new TokenTestUtils.KeyInfoBuilder()
                .id(label)
                .keyUsageInfo(null)
                .friendlyName(label)
                .build();
        tokensById.get(tokenId).getKeyInfo().add(generated);
        return generated;
    });
    when(signerProxyFacade.getTokenForKeyId(any())).thenAnswer(call -> {
        String keyId = (String) call.getArguments()[0];
        return getTokenWithKey(tokensById, keyId);
    });
    when(signerProxyFacade.generateCertRequest(any(), any(), any(), any(), any())).thenAnswer(call -> {
        Object[] args = call.getArguments();
        String keyId = (String) args[0];
        KeyUsageInfo requestedUsage = (KeyUsageInfo) args[2];
        // KeyInfo is immutable, so the usage is applied by replacing the key with a copy
        KeyInfo existing = getKey(tokensById, keyId);
        TokenInfo owningToken = getTokenWithKey(tokensById, keyId);
        KeyInfo withUsage = new TokenTestUtils.KeyInfoBuilder()
                .keyInfo(existing)
                .keyUsageInfo(requestedUsage)
                .build();
        owningToken.getKeyInfo().remove(existing);
        owningToken.getKeyInfo().add(withUsage);
        return new SignerProxy.GeneratedCertRequestInfo(null, null, null, null, null);
    });

    ApprovedCAInfo mockCa = new ApprovedCAInfo(MOCK_CA, false,
            "ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider");
    when(globalConfFacade.getApprovedCAs(any())).thenReturn(Arrays.asList(mockCa));

    ClientId ownerId = ClientId.create("FI", "GOV", "M1");
    SecurityServerId ownerServerId = SecurityServerId.create(ownerId, "TEST-INMEM-SS");
    when(currentSecurityServerId.getServerId()).thenReturn(ownerServerId);
}
Use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute: class CertificateAuthorityServiceTest, method setup.
/**
 * Configures the global-conf, signer and client-repository mocks with a four-CA hierarchy.
 *
 * The approved CA infos and the CA certificates are parallel lists: {@code getApprovedCA} resolves
 * a certificate to its info by position, comparing certificates by identity ({@code ==}), which is
 * sufficient for the fixed instances handed out by {@code CertificateTestUtils}. OCSP responses are
 * generated only for certificates whose issuer is itself one of the listed subjects, mirroring
 * {@code CertificateAuthorityService#getCertificateAuthorities}; every generated response reports
 * status GOOD.
 *
 * @throws Exception propagated from the certificate/OCSP test utilities
 */
@Before
public void setup() throws Exception {
    // start from an empty cache so state from an earlier test cannot leak in
    evictCache();

    String fiVrkProvider = "ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider";
    String skEsteIdProvider = "ee.ria.xroad.common.certificateprofile.impl.SkEsteIdCertificateProfileInfoProvider";
    List<ApprovedCAInfo> caInfos = new ArrayList<>();
    caInfos.add(new ApprovedCAInfo("fi-not-auth-only", false, fiVrkProvider));
    caInfos.add(new ApprovedCAInfo("est-auth-only", true, skEsteIdProvider));
    caInfos.add(new ApprovedCAInfo("mock-top-ca", false, fiVrkProvider));
    caInfos.add(new ApprovedCAInfo("mock-intermediate-ca", false, fiVrkProvider));
    when(globalConfFacade.getApprovedCAs(any())).thenReturn(caInfos);

    List<X509Certificate> certs = new ArrayList<>();
    certs.add(CertificateTestUtils.getMockCertificate());
    certs.add(CertificateTestUtils.getMockAuthCertificate());
    certs.add(CertificateTestUtils.getMockTopCaCertificate());
    certs.add(CertificateTestUtils.getMockIntermediateCaCertificate());
    when(globalConfFacade.getAllCaCerts(any())).thenReturn(certs);

    when(globalConfFacade.getApprovedCA(any(), any())).thenAnswer(call -> {
        X509Certificate wanted = (X509Certificate) call.getArguments()[1];
        int position = 0;
        for (X509Certificate candidate : certs) {
            // identity comparison: the test hands the same instances back to the service
            if (candidate == wanted) {
                return caInfos.get(position);
            }
            position++;
        }
        throw new RuntimeException("approved ca info not found");
    });

    // NOTE(review): DNs are keyed by the getSubjectDN()/getIssuerDN() name strings, which is the
    // same (denigrated) representation the service under test compares against; the two must
    // stay consistent or the issuer filter below silently drops certificates.
    Map<String, String> issuerBySubject = certs.stream()
            .collect(Collectors.toMap(
                    c -> c.getSubjectDN().getName(),
                    c -> c.getIssuerDN().getName()));
    // only CAs whose issuer is a listed subject get an OCSP response, as the service does
    String[] ocspResponses = certs.stream()
            .filter(c -> issuerBySubject.containsKey(c.getIssuerDN().getName()))
            .map(c -> {
                try {
                    byte[] der = CertificateTestUtils.generateOcspBytes(c, CertificateStatus.GOOD);
                    return CryptoUtils.encodeBase64(der);
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
            })
            .toArray(String[]::new);
    doReturn(ocspResponses).when(signerProxyFacade).getOcspResponses(any());

    when(clientRepository.getClient(any())).thenReturn(new ClientType());
}
Use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute: class CertificateAuthorityServiceTest, method getCertificateAuthorityInfo.
/**
 * Looks up an approved CA by name: a known name returns its info (checked via the profile provider
 * class), an unknown name must raise {@link CertificateAuthorityNotFoundException} instead of
 * returning {@code null}.
 *
 * @throws Exception propagated from the service under test
 */
@Test
public void getCertificateAuthorityInfo() throws Exception {
    String expectedProvider = "ee.ria.xroad.common.certificateprofile.impl.FiVRKCertificateProfileInfoProvider";
    ApprovedCAInfo known = certificateAuthorityService.getCertificateAuthorityInfo("fi-not-auth-only");
    assertEquals(expectedProvider, known.getCertificateProfileInfo());

    try {
        certificateAuthorityService.getCertificateAuthorityInfo("does-not-exist");
        fail("should have thrown exception");
    } catch (CertificateAuthorityNotFoundException expected) {
        // an unknown CA name is rejected, not resolved to null
    }
}
Use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute: class CertificateAuthorityServiceTest, method getCertificateProfile.
/**
 * Exercises {@code getCertificateProfile} for the supported profile types and its error paths.
 *
 * With the FI VRK provider, a signing profile fills subject fields 2 and 3 from the server id and
 * the member code (field 3 read-only), while an authentication profile leaves field 3 empty and
 * editable; the SK EstEID CA yields a bare {@link AuthCertificateProfileInfo} with no subject
 * fields. The auth-only CA must reject signing usage, an unknown CA must raise
 * {@link CertificateAuthorityNotFoundException}, and an approved CA whose provider class cannot be
 * loaded must raise {@link CertificateProfileInstantiationException}.
 *
 * @throws Exception propagated from the service under test
 */
@Test
public void getCertificateProfile() throws Exception {
    ClientType localClient = new ClientType();
    localClient.setIdentifier(COMMON_OWNER_ID);
    when(clientRepository.getAllLocalClients()).thenReturn(Collections.singletonList(localClient));

    // profile info parameters under test: serverId, clientId (sign only) and memberName
    CertificateProfileInfo signProfile = certificateAuthorityService.getCertificateProfile(
            "fi-not-auth-only", KeyUsageInfo.SIGNING, COMMON_OWNER_ID, false);
    assertTrue(signProfile instanceof FiVRKSignCertificateProfileInfo);
    assertEquals("FI/SS1/GOV", signProfile.getSubjectFields()[2].getDefaultValue());
    assertEquals("M1", signProfile.getSubjectFields()[3].getDefaultValue());
    assertTrue(signProfile.getSubjectFields()[3].isReadOnly());

    CertificateProfileInfo authProfile = certificateAuthorityService.getCertificateProfile(
            "fi-not-auth-only", KeyUsageInfo.AUTHENTICATION, COMMON_OWNER_ID, false);
    assertTrue(authProfile instanceof FiVRKAuthCertificateProfileInfo);
    assertEquals("FI/SS1/GOV", authProfile.getSubjectFields()[2].getDefaultValue());
    assertEquals("", authProfile.getSubjectFields()[3].getDefaultValue());
    assertFalse(authProfile.getSubjectFields()[3].isReadOnly());

    CertificateProfileInfo estAuthProfile = certificateAuthorityService.getCertificateProfile(
            "est-auth-only", KeyUsageInfo.AUTHENTICATION, COMMON_OWNER_ID, false);
    assertTrue(estAuthProfile instanceof AuthCertificateProfileInfo);
    assertEquals(0, estAuthProfile.getSubjectFields().length);

    // error paths
    try {
        certificateAuthorityService.getCertificateProfile(
                "est-auth-only", KeyUsageInfo.SIGNING, COMMON_OWNER_ID, false);
        fail("should have thrown exception");
    } catch (WrongKeyUsageException expected) {
        // auth-only CA must not issue signing profiles
    }
    try {
        certificateAuthorityService.getCertificateProfile(
                "this-does-not-exist", KeyUsageInfo.SIGNING, COMMON_OWNER_ID, false);
        fail("should have thrown exception");
    } catch (CertificateAuthorityNotFoundException expected) {
        // unknown CA name
    }

    // provider class that cannot be instantiated
    List<ApprovedCAInfo> brokenCaInfos = new ArrayList<>();
    brokenCaInfos.add(new ApprovedCAInfo("provider-class-does-not-exist", false,
            "ee.ria.xroad.common.certificateprofile.impl.NonExistentProvider"));
    when(globalConfFacade.getApprovedCAs(any())).thenReturn(brokenCaInfos);
    try {
        certificateAuthorityService.getCertificateProfile(
                "provider-class-does-not-exist", KeyUsageInfo.SIGNING, COMMON_OWNER_ID, false);
        fail("should have thrown exception");
    } catch (CertificateProfileInstantiationException expected) {
        // missing provider class surfaces as an instantiation error, not a generic failure
    }
}
Use of ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo in project X-Road by nordic-institute: class CertificateAuthorityService, method buildCertificateAuthorityDto.
/**
 * Build a single {@code ApprovedCaDto} object using given parameters.
 *
 * The DTO combines three sources: the approved-CA entry from global configuration (name,
 * authentication-only flag), the certificate itself (validity end, issuer and subject DN) and the
 * OCSP response. A {@code null} OCSP status is reported as {@code OCSP_RESPONSE_NOT_AVAILABLE}
 * rather than treated as an error; only a response that cannot be parsed is rejected. The CA is
 * marked as top CA only when its subject DN path consists of the certificate's own subject alone.
 *
 * NOTE(review): DNs are taken from {@code getSubjectDN()}/{@code getIssuerDN()}, which the JDK
 * denigrates in favour of {@code getSubjectX500Principal()}; the string form is kept because the
 * {@code subjectsToIssuers} keys are built with the same representation — confirm at the caller
 * before changing either side.
 *
 * @param certificate CA certificate
 * @param base64EncodedOcspResponse OCSP response
 * @param subjectsToIssuers map linking all CA subject DNs to corresponding issuer DNs
 * @return approved CA DTO
 * @throws InconsistentCaDataException if required CA data could not be extracted, for example due to OCSP
 * responses not being valid, or if no approved CA info exists for the certificate
 */
private ApprovedCaDto buildCertificateAuthorityDto(X509Certificate certificate,
        String base64EncodedOcspResponse, Map<String, String> subjectsToIssuers)
        throws InconsistentCaDataException {
    ApprovedCAInfo caInfo = globalConfService.getApprovedCAForThisInstance(certificate);
    if (caInfo == null) {
        throw new InconsistentCaDataException("approved ca info not found");
    }

    String subjectDn = certificate.getSubjectDN().getName();

    // OCSP status: a parse failure is a data inconsistency, a null status merely "not available"
    String ocspStatus;
    try {
        ocspStatus = OcspUtils.getOcspResponseStatus(base64EncodedOcspResponse);
    } catch (OcspUtils.OcspStatusExtractionException e) {
        throw new InconsistentCaDataException(e);
    }
    String ocspResponse = ocspStatus == null ? OCSP_RESPONSE_NOT_AVAILABLE : ocspStatus;

    // top CA iff the path is the certificate's own subject and nothing else
    // (size() <= 1 keeps the get(0) lookup on an empty path, as before)
    List<String> subjectDnPath = buildPath(certificate, subjectsToIssuers);
    boolean isTopCa = subjectDnPath.size() <= 1 && subjectDn.equals(subjectDnPath.get(0));

    return ApprovedCaDto.builder()
            // properties from ApprovedCAInfo; authenticationOnly may be null, treated as false
            .authenticationOnly(Boolean.TRUE.equals(caInfo.getAuthenticationOnly()))
            .name(caInfo.getName())
            // properties from X509Certificate
            .notAfter(FormatUtils.fromDateToOffsetDateTime(certificate.getNotAfter()))
            .issuerDistinguishedName(certificate.getIssuerDN().getName())
            .subjectDistinguishedName(subjectDn)
            // properties from OCSP response
            .ocspResponse(ocspResponse)
            // path and is-top-ca info
            .subjectDnPath(subjectDnPath)
            .topCa(isTopCa)
            .build();
}