use of net.ripe.rpki.commons.crypto.ValidityPeriod in project rpki-validator-3 by RIPE-NCC.
the class RpkiObjectCleanupServiceTest method should_delete_objects_not_reachable_from_manifest.
@Test
public void should_delete_objects_not_reachable_from_manifest() {
TrustAnchor trustAnchor = factory.createTrustAnchor(ta -> {
ta.roaPrefixes(Arrays.asList(RoaPrefix.of(IpRange.parse("127.0.0.0/8"), null, Asn.parse("123"))));
});
// No orphans, so nothing to delete
assertThat(subject.cleanupRpkiObjects()).isEqualTo(0);
RpkiObject orphan = new RpkiObject("rsync://localhost/orphan.cer", new X509ResourceCertificateBuilder().withResources(IpResourceSet.parse("10.0.0.0/8")).withIssuerDN(trustAnchor.getCertificate().getSubject()).withSubjectDN(new X500Principal("CN=orphan")).withSerial(factory.nextSerial()).withPublicKey(KEY_PAIR_FACTORY.generate().getPublic()).withSigningKeyPair(KEY_PAIR_FACTORY.generate()).withValidityPeriod(new ValidityPeriod(DateTime.now(), DateTime.now().plusYears(1))).build());
rpkiObjects.add(orphan);
entityManager.flush();
// Orphan is still new, so nothing to delete
assertThat(subject.cleanupRpkiObjects()).isEqualTo(0);
orphan.markReachable(Instant.now().minus(Duration.ofDays(10)));
entityManager.flush();
// Orphan is now old, so should be deleted
assertThat(subject.cleanupRpkiObjects()).isEqualTo(1);
}
use of net.ripe.rpki.commons.crypto.ValidityPeriod in project rpki-validator-3 by RIPE-NCC.
the class CertificateTreeValidationServiceTest method should_report_proper_error_when_repository_is_available_but_manifest_is_invalid.
@Test
public void should_report_proper_error_when_repository_is_available_but_manifest_is_invalid() {
KeyPair childKeyPair = KEY_PAIR_FACTORY.generate();
final ValidityPeriod mftValidityPeriod = new ValidityPeriod(Instant.now().minus(Duration.standardDays(2)), Instant.now().minus(Duration.standardDays(1)));
TrustAnchor ta = factory.createTrustAnchor(x -> {
CertificateAuthority child = CertificateAuthority.builder().dn("CN=child-ca").keyPair(childKeyPair).certificateLocation("rsync://rpki.test/CN=child-ca.cer").resources(IpResourceSet.parse("192.168.128.0/17")).notifyURI(TA_RRDP_NOTIFY_URI).manifestURI("rsync://rpki.test/CN=child-ca/child-ca.mft").repositoryURI("rsync://rpki.test/CN=child-ca/").crlDistributionPoint("rsync://rpki.test/CN=child-ca/child-ca.crl").build();
x.children(Collections.singletonList(child));
}, mftValidityPeriod);
trustAnchors.add(ta);
entityManager.flush();
RpkiRepository repository = rpkiRepositories.register(ta, TA_RRDP_NOTIFY_URI, RpkiRepository.Type.RRDP);
repository.setFailed();
entityManager.flush();
subject.validate(ta.getId());
entityManager.flush();
List<CertificateTreeValidationRun> completed = validationRuns.findAll(CertificateTreeValidationRun.class);
assertThat(completed).hasSize(1);
final List<ValidationCheck> checks = completed.get(0).getValidationChecks();
assertThat(checks.get(0).getKey()).isEqualTo(ValidationString.VALIDATOR_OLD_LOCAL_MANIFEST_REPOSITORY_FAILED);
assertThat(checks.get(0).getParameters()).isEqualTo(Collections.singletonList(repository.getRrdpNotifyUri()));
}
use of net.ripe.rpki.commons.crypto.ValidityPeriod in project rpki-validator-3 by RIPE-NCC.
the class TrustAnchorsFactory method createCertificateAuthority.
public X509ResourceCertificate createCertificateAuthority(CertificateAuthority ca, CertificateAuthority issuer, ValidityPeriod mftValidityPeriod) {
ManifestCmsBuilder manifestBuilder = new ManifestCmsBuilder();
X509ResourceCertificate caCertificate = createCaCertificate(ca, ca.keyPair.getPublic(), issuer.dn, issuer.crlDistributionPoint, issuer.keyPair);
X509Crl crl = new X509CrlBuilder().withIssuerDN(caCertificate.getSubject()).withThisUpdateTime(DateTime.now()).withNextUpdateTime(DateTime.now().plusHours(8)).withAuthorityKeyIdentifier(ca.keyPair.getPublic()).withNumber(nextSerial()).build(ca.keyPair.getPrivate());
rpkiObjects.add(new RpkiObject(ca.crlDistributionPoint, crl));
manifestBuilder.addFile(ca.crlDistributionPoint.substring(ca.crlDistributionPoint.lastIndexOf('/') + 1), crl.getEncoded());
if (ca.children != null) {
for (CertificateAuthority child : ca.children) {
X509ResourceCertificate childCertificate = createCertificateAuthority(child, ca);
rpkiObjects.add(new RpkiObject(ca.repositoryURI + "/" + child.dn + ".cer", childCertificate));
manifestBuilder.addFile(child.dn + ".cer", childCertificate.getEncoded());
}
}
if (ca.roaPrefixes != null) {
ca.roaPrefixes.stream().collect(groupingBy(RoaPrefix::getAsn)).forEach((asn, roaPrefix) -> {
KeyPair roaKeyPair = KEY_PAIR_FACTORY.generate();
IpResourceSet resources = new IpResourceSet();
roaPrefix.stream().forEach(p -> resources.add(IpRange.parse(p.getPrefix())));
X509ResourceCertificate roaCertificate = new X509ResourceCertificateBuilder().withResources(resources).withIssuerDN(new X500Principal(ca.dn)).withSubjectDN(new X500Principal("CN=AS" + asn + ", CN=roa, " + ca.dn)).withValidityPeriod(typicalValidityPeriod()).withPublicKey(roaKeyPair.getPublic()).withSigningKeyPair(ca.keyPair).withCa(false).withKeyUsage(KeyUsage.digitalSignature).withSerial(nextSerial()).withCrlDistributionPoints(URI.create(ca.crlDistributionPoint)).build();
RoaCms roaCms = new RoaCmsBuilder().withAsn(new Asn(asn)).withPrefixes(roaPrefix.stream().map(p -> new net.ripe.rpki.commons.crypto.cms.roa.RoaPrefix(IpRange.parse(p.getPrefix()), p.getMaximumLength())).collect(toList())).withCertificate(roaCertificate).withSignatureProvider(BouncyCastleProvider.PROVIDER_NAME).build(roaKeyPair.getPrivate());
rpkiObjects.add(new RpkiObject(ca.repositoryURI + "/" + "AS" + asn + ".roa", roaCms));
manifestBuilder.addFile("AS" + asn + ".roa", roaCms.getEncoded());
});
}
KeyPair manifestKeyPair = KEY_PAIR_FACTORY.generate();
X509ResourceCertificate manifestCertificate = new X509ResourceCertificateBuilder().withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class)).withIssuerDN(caCertificate.getSubject()).withSubjectDN(new X500Principal("CN=manifest, " + caCertificate.getSubject())).withValidityPeriod(mftValidityPeriod).withPublicKey(manifestKeyPair.getPublic()).withSigningKeyPair(ca.keyPair).withCa(false).withKeyUsage(KeyUsage.digitalSignature).withSerial(nextSerial()).withCrlDistributionPoints(URI.create(ca.crlDistributionPoint)).build();
manifestBuilder.withCertificate(manifestCertificate).withManifestNumber(nextSerial()).withThisUpdateTime(DateTime.now()).withNextUpdateTime(DateTime.now().plusHours(8));
ManifestCms manifest = manifestBuilder.build(manifestKeyPair.getPrivate());
rpkiObjects.add(new RpkiObject(ca.manifestURI, manifest));
return caCertificate;
}
use of net.ripe.rpki.commons.crypto.ValidityPeriod in project rpki-validator-3 by RIPE-NCC.
the class TrustAnchorsFactory method createCaCertificate.
public X509ResourceCertificate createCaCertificate(CertificateAuthority ca, PublicKey publicKey, String issuerDN, String crlDistributionPoint, KeyPair signingKey) {
List<X509CertificateInformationAccessDescriptor> sia = new ArrayList<>();
sia.add(new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_RPKI_MANIFEST, URI.create(ca.manifestURI)));
sia.add(new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_CA_REPOSITORY, URI.create(ca.repositoryURI)));
if (ca.notifyURI != null) {
sia.add(new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_RPKI_NOTIFY, URI.create(ca.notifyURI)));
}
return new X509ResourceCertificateBuilder().withResources(ca.resources).withIssuerDN(new X500Principal(issuerDN)).withSubjectDN(new X500Principal(ca.dn)).withSubjectInformationAccess(sia.toArray(new X509CertificateInformationAccessDescriptor[0])).withCrlDistributionPoints(URI.create(crlDistributionPoint)).withCa(true).withKeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign).withSerial(nextSerial()).withValidityPeriod(new ValidityPeriod(Instant.now(), Instant.now().plus(Duration.standardDays(7)))).withSubjectKeyIdentifier(true).withPublicKey(publicKey).withSigningKeyPair(signingKey).build();
}
Aggregations