use of ee.ria.xroad.signer.protocol.dto.CertificateInfo in project X-Road by nordic-institute.
the class TokenCertificateService method importCertificate.
/**
 * Imports a certificate supplied as raw bytes, either uploaded directly or read from a token.
 * <p>
 * Sequence: global conf validity is checked, the bytes are parsed into an X509Certificate,
 * the key usage decides between the auth and sign branch, the caller's authority for that
 * branch is verified, and finally the encoded certificate is handed to signer. Audit data is
 * added for
 * <ul>
 * <li>clientId (sign certs only),</li>
 * <li>the certificate hash (via putCertificateHash),</li>
 * <li>the key usage (only reached when the import did not throw).</li>
 * </ul>
 * @param certificateBytes encoded certificate, parsed by convertToX509Certificate
 * @param isFromToken whether the bytes were read from a token; auth certs are rejected in that case
 * @return the CertificateInfo signer reports for the imported certificate's hash
 * @throws GlobalConfOutdatedException if global conf validity verification fails
 * @throws KeyNotFoundException translated from signer's CodedException
 * @throws InvalidCertificateException if the bytes cannot be parsed, or translated from signer
 * @throws CertificateAlreadyExistsException translated from signer's CodedException
 * @throws WrongCertificateUsageException translated from signer's CodedException
 * @throws CsrNotFoundException translated from signer's CodedException (presumably; not thrown directly here)
 * @throws AuthCertificateNotSupportedException if an auth cert is imported with isFromToken set
 * @throws ClientNotFoundException if the sign cert's owner client does not exist
 * @throws AccessDeniedException (unchecked) from verifyAuthority, passed through unwrapped
 * @throws RuntimeException for any other failure inside the import, with the cause attached
 */
private CertificateInfo importCertificate(byte[] certificateBytes, boolean isFromToken)
        throws GlobalConfOutdatedException, KeyNotFoundException, InvalidCertificateException,
        CertificateAlreadyExistsException, WrongCertificateUsageException, CsrNotFoundException,
        AuthCertificateNotSupportedException, ClientNotFoundException {
    globalConfService.verifyGlobalConfValidity();
    // the caller-supplied bytes are parsed before any authority check is made
    X509Certificate parsed = convertToX509Certificate(certificateBytes);
    CertificateInfo imported = null;
    KeyUsageInfo keyUsage = null;
    try {
        ClientId ownerId = null;
        String initialStatus;
        if (CertUtils.isAuthCert(parsed)) {
            keyUsage = KeyUsageInfo.AUTHENTICATION;
            securityHelper.verifyAuthority(IMPORT_AUTH_CERT);
            // authority is verified first, so an unauthorized caller never sees this rejection
            if (isFromToken) {
                throw new AuthCertificateNotSupportedException("auth cert cannot be imported from a token");
            }
            initialStatus = CertificateInfo.STATUS_SAVED;
        } else {
            keyUsage = KeyUsageInfo.SIGNING;
            securityHelper.verifyAuthority(IMPORT_SIGN_CERT);
            ownerId = getClientIdForSigningCert(globalConfFacade.getInstanceIdentifier(), parsed);
            // client id goes to the audit log before the existence check
            auditDataHelper.put(ownerId);
            if (!clientRepository.clientExists(ownerId, true)) {
                throw new ClientNotFoundException("client " + ownerId.toShortString() + " " + NOT_FOUND,
                        FormatUtils.xRoadIdToEncodedId(ownerId));
            }
            initialStatus = CertificateInfo.STATUS_REGISTERED;
        }
        // re-encode the parsed certificate rather than forwarding the raw input bytes
        byte[] encoded = parsed.getEncoded();
        String certHash = CryptoUtils.calculateCertHexHash(encoded);
        auditDataHelper.putCertificateHash(certHash);
        signerProxyFacade.importCert(encoded, initialStatus, ownerId);
        imported = getCertificateInfo(certHash);
    } catch (ClientNotFoundException | AccessDeniedException | AuthCertificateNotSupportedException e) {
        // already in the form the caller expects; must not be wrapped below
        throw e;
    } catch (CodedException e) {
        // NOTE(review): expected to rethrow as one of the declared checked exceptions;
        // if it ever returns normally, this method audits key usage and returns null
        translateCodedExceptions(e);
    } catch (Exception e) {
        // something went really wrong
        throw new RuntimeException("error importing certificate", e);
    }
    auditDataHelper.put(RestApiAuditProperty.KEY_USAGE, keyUsage);
    return imported;
}
use of ee.ria.xroad.signer.protocol.dto.CertificateInfo in project X-Road by nordic-institute.
the class TokenCertificateService method changeCertificateActivation.
/**
 * Activates or deactivates the certificate identified by {@code hash}.
 * <p>
 * Order matters here: the caller's authority is verified first, then the requested action is
 * checked against the certificate's currently possible actions, then audit data is recorded,
 * and only then is signer asked to change the state.
 * @param hash certificate hash used to look the certificate up
 * @param activate {@code true} to activate, {@code false} to deactivate
 * @throws CertificateNotFoundException if the lookup fails (presumably from getCertificateInfo),
 *         or if signer reports the certificate as not found
 * @throws AccessDeniedException if the caller lacks the authority for this action
 * @throws ActionNotPossibleException if the action is not among the certificate's possible actions
 * @throws SignerNotReachableException (unchecked) if the signer call fails with something other
 *         than a CodedException
 */
private void changeCertificateActivation(String hash, boolean activate)
        throws CertificateNotFoundException, AccessDeniedException, ActionNotPossibleException {
    CertificateInfo certificateInfo = getCertificateInfo(hash);
    // verify correct authority
    try {
        verifyActivateDisableAuthority(certificateInfo.getCertificateBytes());
    } catch (InvalidCertificateException e) {
        // the bytes came from signer itself, so an unparsable cert is an internal error
        throw new RuntimeException(e);
    }
    // verify possible actions
    PossibleActionEnum requested = activate ? PossibleActionEnum.ACTIVATE : PossibleActionEnum.DISABLE;
    EnumSet<PossibleActionEnum> allowed =
            getPossibleActionsForCertificateInternal(hash, certificateInfo, null, null);
    possibleActionsRuleEngine.requirePossibleAction(requested, allowed);
    // audit log data
    auditLogTokenKeyAndCert(hash, certificateInfo, true);
    try {
        if (activate) {
            signerProxyFacade.activateCert(certificateInfo.getId());
        } else {
            signerProxyFacade.deactivateCert(certificateInfo.getId());
        }
    } catch (CodedException e) {
        if (!isCausedByCertNotFound(e)) {
            throw e;
        }
        throw new CertificateNotFoundException("Certificate with id " + certificateInfo.getId() + " " + NOT_FOUND);
    } catch (Exception e) {
        String action = activate ? "activation" : "deactivation";
        throw new SignerNotReachableException("certificate " + action + " failed", e);
    }
}
use of ee.ria.xroad.signer.protocol.dto.CertificateInfo in project X-Road by nordic-institute.
the class ClientsApiControllerIntegrationTest method getClientSignCertificates.
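/**
 * Sign certificates of a client: empty before stubbing, exactly one afterwards with the expected
 * details, and 404 for an unknown client.
 */
@Test
@WithMockUser(authorities = "VIEW_CLIENT_DETAILS")
public void getClientSignCertificates() throws Exception {
    // nothing stubbed yet: a known client has no sign certificates
    ResponseEntity<Set<TokenCertificate>> certificates =
            clientsApiController.getClientSignCertificates("FI:GOV:M1");
    assertEquals(HttpStatus.OK, certificates.getStatusCode());
    assertEquals(0, certificates.getBody().size());

    CertificateInfo mockCertificate = new CertificateInfo(ClientId.create("FI", "GOV", "M1"), true, true,
            CertificateInfo.STATUS_REGISTERED, "id", CertificateTestUtils.getMockCertificateBytes(), null);
    doReturn(Collections.singletonList(mockCertificate)).when(tokenService).getSignCertificates(any());

    certificates = clientsApiController.getClientSignCertificates("FI:GOV:M1");
    assertEquals(HttpStatus.OK, certificates.getStatusCode());
    assertEquals(1, certificates.getBody().size());
    // size was asserted as 1 just above, so orElse(null) is never reached
    TokenCertificate onlyCertificate = certificates.getBody().stream().findFirst().orElse(null);
    assertEquals("N/A", onlyCertificate.getCertificateDetails().getIssuerCommonName());
    assertEquals(OffsetDateTime.parse("1970-01-01T00:00:00Z"), onlyCertificate.getCertificateDetails().getNotBefore());
    assertEquals(OffsetDateTime.parse("2038-01-01T00:00:00Z"), onlyCertificate.getCertificateDetails().getNotAfter());
    assertEquals("1", onlyCertificate.getCertificateDetails().getSerial());
    // Integer.valueOf replaces the deprecated boxing constructor; equality is unchanged
    assertEquals(Integer.valueOf(3), onlyCertificate.getCertificateDetails().getVersion());
    assertEquals("SHA512withRSA", onlyCertificate.getCertificateDetails().getSignatureAlgorithm());
    assertEquals("RSA", onlyCertificate.getCertificateDetails().getPublicKeyAlgorithm());
    assertEquals("A2293825AA82A5429EC32803847E2152A303969C", onlyCertificate.getCertificateDetails().getHash());
    assertTrue(onlyCertificate.getCertificateDetails().getSignature().startsWith("314b7a50a09a9b74322671"));
    assertTrue(onlyCertificate.getCertificateDetails().getRsaPublicKeyModulus().startsWith("9d888fbe089b32a35f58"));
    assertEquals(Integer.valueOf(65537), onlyCertificate.getCertificateDetails().getRsaPublicKeyExponent());
    // List.equals is implementation-independent, so a singleton list compares fine against the ArrayList copy
    assertEquals(Collections.singletonList(org.niis.xroad.securityserver.restapi.openapi.model.KeyUsage.NON_REPUDIATION),
            new ArrayList<>(onlyCertificate.getCertificateDetails().getKeyUsages()));

    try {
        clientsApiController.getClientSignCertificates("FI:GOV:M2");
        fail("should throw ResourceNotFoundException for 404");
    } catch (ResourceNotFoundException expected) {
        // unknown client maps to 404
    }
}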
use of ee.ria.xroad.signer.protocol.dto.CertificateInfo in project X-Road by nordic-institute.
the class TokenCertificatesApiControllerIntegrationTest method importAuthCertificate.
/**
 * Importing an auth certificate via the API returns 201 with the cert's details and a Location
 * header pointing at the new certificate's hash.
 */
@Test
@WithMockUser(authorities = "IMPORT_AUTH_CERT")
public void importAuthCertificate() throws Exception {
    X509Certificate authCert = getMockAuthCertificate();
    // the post-import lookup by hash returns the cert in SAVED state, whatever hash is asked for
    CertificateInfo saved = new CertificateTestUtils.CertificateInfoBuilder()
            .certificate(authCert)
            .certificateStatus(CertificateInfo.STATUS_SAVED)
            .build();
    doAnswer(answer -> saved).when(signerProxyFacade).getCertForHash(any());

    Resource uploaded = CertificateTestUtils.getResource(authCert.getEncoded());
    ResponseEntity<TokenCertificate> response = tokenCertificatesApiController.importCertificate(uploaded);

    assertEquals(HttpStatus.CREATED, response.getStatusCode());
    TokenCertificate addedCert = response.getBody();
    assertAuthCertificateDetails(addedCert);
    assertLocationHeader("/api/token-certificates/" + addedCert.getCertificateDetails().getHash(), response);
}
use of ee.ria.xroad.signer.protocol.dto.CertificateInfo in project X-Road by nordic-institute.
the class TokenCertificatesApiControllerIntegrationTest method setup.
/**
 * Stubs the signer proxy, global conf and rule engine so that the controller tests see one token
 * with one key and three certificates selectable by hash.
 */
@Before
public void setup() throws Exception {
    // signer proxy: every import reports the same key id
    doAnswer(answer -> "key-id").when(signerProxyFacade).importCert(any(), any(), any());
    // global conf: always valid, fixed instance identifier, fixed subject
    doAnswer(answer -> null).when(globalConfFacade).verifyValidity();
    doAnswer(answer -> TestUtils.INSTANCE_FI).when(globalConfFacade).getInstanceIdentifier();
    doAnswer(answer -> TestUtils.getM1Ss1ClientId()).when(globalConfFacade).getSubjectName(any(), any());

    CertificateInfo signCert = new CertificateInfoBuilder()
            .certificate(getMockCertificate()).certificateStatus("SAVED").build();
    CertificateInfo authCert = new CertificateInfoBuilder()
            .certificate(getMockAuthCertificate()).certificateStatus("SAVED").build();
    CertificateInfo certWithoutExtensions = new CertificateInfoBuilder()
            .certificate(getMockCertificateWithoutExtensions()).certificateStatus("SAVED").build();
    // lookup by hash: the two well-known hashes map to their certs, any other value yields the sign cert
    doAnswer(invocation -> {
        String requestedHash = (String) invocation.getArguments()[0];
        if (AUTH_CERT_HASH.equals(requestedHash)) {
            return authCert;
        }
        if (UNKNOWN_CERT_HASH.equals(requestedHash)) {
            return certWithoutExtensions;
        }
        return signCert;
    }).when(signerProxyFacade).getCertForHash(any());
    doAnswer(answer -> "key-id").when(signerProxyFacade).getKeyIdForCertHash(any());

    // one token holding one key; both cert-request and cert-hash lookups resolve to it
    KeyInfo keyInfo = new TokenTestUtils.KeyInfoBuilder().id("key-id").build();
    TokenInfo tokenInfo = new TokenTestUtils.TokenInfoBuilder().build();
    tokenInfo.getKeyInfo().add(keyInfo);
    doAnswer(answer -> Collections.singletonList(tokenInfo)).when(signerProxyFacade).getTokens();
    TokenInfoAndKeyId tokenAndKey = new TokenInfoAndKeyId(tokenInfo, keyInfo.getId());
    doAnswer(answer -> tokenAndKey).when(signerProxyFacade).getTokenAndKeyIdForCertRequestId(any());
    doAnswer(answer -> tokenAndKey).when(signerProxyFacade).getTokenAndKeyIdForCertHash(any());

    // by default all actions are possible
    doReturn(EnumSet.allOf(PossibleActionEnum.class)).when(possibleActionsRuleEngine)
            .getPossibleCertificateActions(any(), any(), any());
}