Search in sources :

Example 1 with ValidityPeriod

use of net.ripe.rpki.commons.crypto.ValidityPeriod in project rpki-validator-3 by RIPE-NCC.

the class RpkiObjectCleanupServiceTest method should_delete_objects_not_reachable_from_manifest.

@Test
public void should_delete_objects_not_reachable_from_manifest() {
    TrustAnchor trustAnchor = factory.createTrustAnchor(ta -> {
        ta.roaPrefixes(Arrays.asList(RoaPrefix.of(IpRange.parse("127.0.0.0/8"), null, Asn.parse("123"))));
    });
    // No orphans, so nothing to delete
    assertThat(subject.cleanupRpkiObjects()).isEqualTo(0);
    RpkiObject orphan = new RpkiObject("rsync://localhost/orphan.cer", new X509ResourceCertificateBuilder().withResources(IpResourceSet.parse("10.0.0.0/8")).withIssuerDN(trustAnchor.getCertificate().getSubject()).withSubjectDN(new X500Principal("CN=orphan")).withSerial(factory.nextSerial()).withPublicKey(KEY_PAIR_FACTORY.generate().getPublic()).withSigningKeyPair(KEY_PAIR_FACTORY.generate()).withValidityPeriod(new ValidityPeriod(DateTime.now(), DateTime.now().plusYears(1))).build());
    rpkiObjects.add(orphan);
    entityManager.flush();
    // Orphan is still new, so nothing to delete
    assertThat(subject.cleanupRpkiObjects()).isEqualTo(0);
    orphan.markReachable(Instant.now().minus(Duration.ofDays(10)));
    entityManager.flush();
    // Orphan is now old, so should be deleted
    assertThat(subject.cleanupRpkiObjects()).isEqualTo(1);
}
Also used : RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject) X500Principal(javax.security.auth.x500.X500Principal) ValidityPeriod(net.ripe.rpki.commons.crypto.ValidityPeriod) TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor) X509ResourceCertificateBuilder(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder) Test(org.junit.Test) IntegrationTest(net.ripe.rpki.validator3.IntegrationTest)

Example 2 with ValidityPeriod

use of net.ripe.rpki.commons.crypto.ValidityPeriod in project rpki-validator-3 by RIPE-NCC.

the class CertificateTreeValidationServiceTest method should_report_proper_error_when_repository_is_available_but_manifest_is_invalid.

@Test
public void should_report_proper_error_when_repository_is_available_but_manifest_is_invalid() {
    KeyPair childKeyPair = KEY_PAIR_FACTORY.generate();
    final ValidityPeriod mftValidityPeriod = new ValidityPeriod(Instant.now().minus(Duration.standardDays(2)), Instant.now().minus(Duration.standardDays(1)));
    TrustAnchor ta = factory.createTrustAnchor(x -> {
        CertificateAuthority child = CertificateAuthority.builder().dn("CN=child-ca").keyPair(childKeyPair).certificateLocation("rsync://rpki.test/CN=child-ca.cer").resources(IpResourceSet.parse("192.168.128.0/17")).notifyURI(TA_RRDP_NOTIFY_URI).manifestURI("rsync://rpki.test/CN=child-ca/child-ca.mft").repositoryURI("rsync://rpki.test/CN=child-ca/").crlDistributionPoint("rsync://rpki.test/CN=child-ca/child-ca.crl").build();
        x.children(Collections.singletonList(child));
    }, mftValidityPeriod);
    trustAnchors.add(ta);
    entityManager.flush();
    RpkiRepository repository = rpkiRepositories.register(ta, TA_RRDP_NOTIFY_URI, RpkiRepository.Type.RRDP);
    repository.setFailed();
    entityManager.flush();
    subject.validate(ta.getId());
    entityManager.flush();
    List<CertificateTreeValidationRun> completed = validationRuns.findAll(CertificateTreeValidationRun.class);
    assertThat(completed).hasSize(1);
    final List<ValidationCheck> checks = completed.get(0).getValidationChecks();
    assertThat(checks.get(0).getKey()).isEqualTo(ValidationString.VALIDATOR_OLD_LOCAL_MANIFEST_REPOSITORY_FAILED);
    assertThat(checks.get(0).getParameters()).isEqualTo(Collections.singletonList(repository.getRrdpNotifyUri()));
}
Also used : KeyPair(java.security.KeyPair) RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository) ValidityPeriod(net.ripe.rpki.commons.crypto.ValidityPeriod) CertificateTreeValidationRun(net.ripe.rpki.validator3.domain.CertificateTreeValidationRun) TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor) ValidationCheck(net.ripe.rpki.validator3.domain.ValidationCheck) Test(org.junit.Test) IntegrationTest(net.ripe.rpki.validator3.IntegrationTest)

Example 3 with ValidityPeriod

use of net.ripe.rpki.commons.crypto.ValidityPeriod in project rpki-validator-3 by RIPE-NCC.

the class TrustAnchorsFactory method createCertificateAuthority.

public X509ResourceCertificate createCertificateAuthority(CertificateAuthority ca, CertificateAuthority issuer, ValidityPeriod mftValidityPeriod) {
    ManifestCmsBuilder manifestBuilder = new ManifestCmsBuilder();
    X509ResourceCertificate caCertificate = createCaCertificate(ca, ca.keyPair.getPublic(), issuer.dn, issuer.crlDistributionPoint, issuer.keyPair);
    X509Crl crl = new X509CrlBuilder().withIssuerDN(caCertificate.getSubject()).withThisUpdateTime(DateTime.now()).withNextUpdateTime(DateTime.now().plusHours(8)).withAuthorityKeyIdentifier(ca.keyPair.getPublic()).withNumber(nextSerial()).build(ca.keyPair.getPrivate());
    rpkiObjects.add(new RpkiObject(ca.crlDistributionPoint, crl));
    manifestBuilder.addFile(ca.crlDistributionPoint.substring(ca.crlDistributionPoint.lastIndexOf('/') + 1), crl.getEncoded());
    if (ca.children != null) {
        for (CertificateAuthority child : ca.children) {
            X509ResourceCertificate childCertificate = createCertificateAuthority(child, ca);
            rpkiObjects.add(new RpkiObject(ca.repositoryURI + "/" + child.dn + ".cer", childCertificate));
            manifestBuilder.addFile(child.dn + ".cer", childCertificate.getEncoded());
        }
    }
    if (ca.roaPrefixes != null) {
        ca.roaPrefixes.stream().collect(groupingBy(RoaPrefix::getAsn)).forEach((asn, roaPrefix) -> {
            KeyPair roaKeyPair = KEY_PAIR_FACTORY.generate();
            IpResourceSet resources = new IpResourceSet();
            roaPrefix.stream().forEach(p -> resources.add(IpRange.parse(p.getPrefix())));
            X509ResourceCertificate roaCertificate = new X509ResourceCertificateBuilder().withResources(resources).withIssuerDN(new X500Principal(ca.dn)).withSubjectDN(new X500Principal("CN=AS" + asn + ", CN=roa, " + ca.dn)).withValidityPeriod(typicalValidityPeriod()).withPublicKey(roaKeyPair.getPublic()).withSigningKeyPair(ca.keyPair).withCa(false).withKeyUsage(KeyUsage.digitalSignature).withSerial(nextSerial()).withCrlDistributionPoints(URI.create(ca.crlDistributionPoint)).build();
            RoaCms roaCms = new RoaCmsBuilder().withAsn(new Asn(asn)).withPrefixes(roaPrefix.stream().map(p -> new net.ripe.rpki.commons.crypto.cms.roa.RoaPrefix(IpRange.parse(p.getPrefix()), p.getMaximumLength())).collect(toList())).withCertificate(roaCertificate).withSignatureProvider(BouncyCastleProvider.PROVIDER_NAME).build(roaKeyPair.getPrivate());
            rpkiObjects.add(new RpkiObject(ca.repositoryURI + "/" + "AS" + asn + ".roa", roaCms));
            manifestBuilder.addFile("AS" + asn + ".roa", roaCms.getEncoded());
        });
    }
    KeyPair manifestKeyPair = KEY_PAIR_FACTORY.generate();
    X509ResourceCertificate manifestCertificate = new X509ResourceCertificateBuilder().withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class)).withIssuerDN(caCertificate.getSubject()).withSubjectDN(new X500Principal("CN=manifest, " + caCertificate.getSubject())).withValidityPeriod(mftValidityPeriod).withPublicKey(manifestKeyPair.getPublic()).withSigningKeyPair(ca.keyPair).withCa(false).withKeyUsage(KeyUsage.digitalSignature).withSerial(nextSerial()).withCrlDistributionPoints(URI.create(ca.crlDistributionPoint)).build();
    manifestBuilder.withCertificate(manifestCertificate).withManifestNumber(nextSerial()).withThisUpdateTime(DateTime.now()).withNextUpdateTime(DateTime.now().plusHours(8));
    ManifestCms manifest = manifestBuilder.build(manifestKeyPair.getPrivate());
    rpkiObjects.add(new RpkiObject(ca.manifestURI, manifest));
    return caCertificate;
}
Also used : KeyPair(java.security.KeyPair) X500Principal(javax.security.auth.x500.X500Principal) Duration(org.joda.time.Duration) Collectors.groupingBy(java.util.stream.Collectors.groupingBy) Autowired(org.springframework.beans.factory.annotation.Autowired) Security(java.security.Security) ValidityPeriod(net.ripe.rpki.commons.crypto.ValidityPeriod) Value(lombok.Value) CertificateRepositoryObjectFactory(net.ripe.rpki.commons.crypto.util.CertificateRepositoryObjectFactory) ArrayList(java.util.ArrayList) Asn(net.ripe.ipresource.Asn) IpResourceType(net.ripe.ipresource.IpResourceType) RoaCms(net.ripe.rpki.commons.crypto.cms.roa.RoaCms) CertificateTreeValidationServiceTest(net.ripe.rpki.validator3.domain.validation.CertificateTreeValidationServiceTest) X509CrlBuilder(net.ripe.rpki.commons.crypto.crl.X509CrlBuilder) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) RoaCmsBuilder(net.ripe.rpki.commons.crypto.cms.roa.RoaCmsBuilder) X509CertificateInformationAccessDescriptor(net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor) X509ResourceCertificateBuilder(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder) BigInteger(java.math.BigInteger) URI(java.net.URI) IpResourceSet(net.ripe.ipresource.IpResourceSet) KeyPairFactory(net.ripe.rpki.commons.crypto.util.KeyPairFactory) EnumSet(java.util.EnumSet) Resources(com.google.common.io.Resources) Transactional(javax.transaction.Transactional) IpRange(net.ripe.ipresource.IpRange) DateTime(org.joda.time.DateTime) TrustAnchorValidationServiceTest(net.ripe.rpki.validator3.domain.validation.TrustAnchorValidationServiceTest) IOException(java.io.IOException) PublicKey(java.security.PublicKey) X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) Consumer(java.util.function.Consumer) Component(org.springframework.stereotype.Component) List(java.util.List) Collectors.toList(java.util.stream.Collectors.toList) Builder(lombok.Builder) ManifestCmsBuilder(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder) Instant(org.joda.time.Instant) PostConstruct(javax.annotation.PostConstruct) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms) X509CertificateUtil(net.ripe.rpki.commons.crypto.x509cert.X509CertificateUtil) Collections(java.util.Collections) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) X509CrlBuilder(net.ripe.rpki.commons.crypto.crl.X509CrlBuilder) KeyPair(java.security.KeyPair) X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl) ManifestCmsBuilder(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder) RoaCmsBuilder(net.ripe.rpki.commons.crypto.cms.roa.RoaCmsBuilder) RoaCms(net.ripe.rpki.commons.crypto.cms.roa.RoaCms) IpResourceSet(net.ripe.ipresource.IpResourceSet) X500Principal(javax.security.auth.x500.X500Principal) ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) X509ResourceCertificateBuilder(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder) IpResourceType(net.ripe.ipresource.IpResourceType) Asn(net.ripe.ipresource.Asn)

Example 4 with ValidityPeriod

use of net.ripe.rpki.commons.crypto.ValidityPeriod in project rpki-validator-3 by RIPE-NCC.

the class TrustAnchorsFactory method createCaCertificate.

public X509ResourceCertificate createCaCertificate(CertificateAuthority ca, PublicKey publicKey, String issuerDN, String crlDistributionPoint, KeyPair signingKey) {
    List<X509CertificateInformationAccessDescriptor> sia = new ArrayList<>();
    sia.add(new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_RPKI_MANIFEST, URI.create(ca.manifestURI)));
    sia.add(new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_CA_REPOSITORY, URI.create(ca.repositoryURI)));
    if (ca.notifyURI != null) {
        sia.add(new X509CertificateInformationAccessDescriptor(X509CertificateInformationAccessDescriptor.ID_AD_RPKI_NOTIFY, URI.create(ca.notifyURI)));
    }
    return new X509ResourceCertificateBuilder().withResources(ca.resources).withIssuerDN(new X500Principal(issuerDN)).withSubjectDN(new X500Principal(ca.dn)).withSubjectInformationAccess(sia.toArray(new X509CertificateInformationAccessDescriptor[0])).withCrlDistributionPoints(URI.create(crlDistributionPoint)).withCa(true).withKeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign).withSerial(nextSerial()).withValidityPeriod(new ValidityPeriod(Instant.now(), Instant.now().plus(Duration.standardDays(7)))).withSubjectKeyIdentifier(true).withPublicKey(publicKey).withSigningKeyPair(signingKey).build();
}
Also used : X509CertificateInformationAccessDescriptor(net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor) ArrayList(java.util.ArrayList) X500Principal(javax.security.auth.x500.X500Principal) ValidityPeriod(net.ripe.rpki.commons.crypto.ValidityPeriod) X509ResourceCertificateBuilder(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder)

Aggregations

ValidityPeriod (net.ripe.rpki.commons.crypto.ValidityPeriod)4 X500Principal (javax.security.auth.x500.X500Principal)3 X509ResourceCertificateBuilder (net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder)3 KeyPair (java.security.KeyPair)2 ArrayList (java.util.ArrayList)2 X509CertificateInformationAccessDescriptor (net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor)2 IntegrationTest (net.ripe.rpki.validator3.IntegrationTest)2 TrustAnchor (net.ripe.rpki.validator3.domain.TrustAnchor)2 Test (org.junit.Test)2 Resources (com.google.common.io.Resources)1 IOException (java.io.IOException)1 BigInteger (java.math.BigInteger)1 URI (java.net.URI)1 PublicKey (java.security.PublicKey)1 Security (java.security.Security)1 Collections (java.util.Collections)1 EnumSet (java.util.EnumSet)1 List (java.util.List)1 Consumer (java.util.function.Consumer)1 Collectors.groupingBy (java.util.stream.Collectors.groupingBy)1