Search in sources :

Example 1 with ManifestCms

use of net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms in project rpki-validator-3 by RIPE-NCC.

the class TrustAnchorsFactory method createCertificateAuthority.

public X509ResourceCertificate createCertificateAuthority(CertificateAuthority ca, CertificateAuthority issuer, ValidityPeriod mftValidityPeriod) {
    ManifestCmsBuilder manifestBuilder = new ManifestCmsBuilder();
    X509ResourceCertificate caCertificate = createCaCertificate(ca, ca.keyPair.getPublic(), issuer.dn, issuer.crlDistributionPoint, issuer.keyPair);
    X509Crl crl = new X509CrlBuilder().withIssuerDN(caCertificate.getSubject()).withThisUpdateTime(DateTime.now()).withNextUpdateTime(DateTime.now().plusHours(8)).withAuthorityKeyIdentifier(ca.keyPair.getPublic()).withNumber(nextSerial()).build(ca.keyPair.getPrivate());
    rpkiObjects.add(new RpkiObject(ca.crlDistributionPoint, crl));
    manifestBuilder.addFile(ca.crlDistributionPoint.substring(ca.crlDistributionPoint.lastIndexOf('/') + 1), crl.getEncoded());
    if (ca.children != null) {
        for (CertificateAuthority child : ca.children) {
            X509ResourceCertificate childCertificate = createCertificateAuthority(child, ca);
            rpkiObjects.add(new RpkiObject(ca.repositoryURI + "/" + child.dn + ".cer", childCertificate));
            manifestBuilder.addFile(child.dn + ".cer", childCertificate.getEncoded());
        }
    }
    if (ca.roaPrefixes != null) {
        ca.roaPrefixes.stream().collect(groupingBy(RoaPrefix::getAsn)).forEach((asn, roaPrefix) -> {
            KeyPair roaKeyPair = KEY_PAIR_FACTORY.generate();
            IpResourceSet resources = new IpResourceSet();
            roaPrefix.stream().forEach(p -> resources.add(IpRange.parse(p.getPrefix())));
            X509ResourceCertificate roaCertificate = new X509ResourceCertificateBuilder().withResources(resources).withIssuerDN(new X500Principal(ca.dn)).withSubjectDN(new X500Principal("CN=AS" + asn + ", CN=roa, " + ca.dn)).withValidityPeriod(typicalValidityPeriod()).withPublicKey(roaKeyPair.getPublic()).withSigningKeyPair(ca.keyPair).withCa(false).withKeyUsage(KeyUsage.digitalSignature).withSerial(nextSerial()).withCrlDistributionPoints(URI.create(ca.crlDistributionPoint)).build();
            RoaCms roaCms = new RoaCmsBuilder().withAsn(new Asn(asn)).withPrefixes(roaPrefix.stream().map(p -> new net.ripe.rpki.commons.crypto.cms.roa.RoaPrefix(IpRange.parse(p.getPrefix()), p.getMaximumLength())).collect(toList())).withCertificate(roaCertificate).withSignatureProvider(BouncyCastleProvider.PROVIDER_NAME).build(roaKeyPair.getPrivate());
            rpkiObjects.add(new RpkiObject(ca.repositoryURI + "/" + "AS" + asn + ".roa", roaCms));
            manifestBuilder.addFile("AS" + asn + ".roa", roaCms.getEncoded());
        });
    }
    KeyPair manifestKeyPair = KEY_PAIR_FACTORY.generate();
    X509ResourceCertificate manifestCertificate = new X509ResourceCertificateBuilder().withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class)).withIssuerDN(caCertificate.getSubject()).withSubjectDN(new X500Principal("CN=manifest, " + caCertificate.getSubject())).withValidityPeriod(mftValidityPeriod).withPublicKey(manifestKeyPair.getPublic()).withSigningKeyPair(ca.keyPair).withCa(false).withKeyUsage(KeyUsage.digitalSignature).withSerial(nextSerial()).withCrlDistributionPoints(URI.create(ca.crlDistributionPoint)).build();
    manifestBuilder.withCertificate(manifestCertificate).withManifestNumber(nextSerial()).withThisUpdateTime(DateTime.now()).withNextUpdateTime(DateTime.now().plusHours(8));
    ManifestCms manifest = manifestBuilder.build(manifestKeyPair.getPrivate());
    rpkiObjects.add(new RpkiObject(ca.manifestURI, manifest));
    return caCertificate;
}
Also used : KeyPair(java.security.KeyPair) X500Principal(javax.security.auth.x500.X500Principal) Duration(org.joda.time.Duration) Collectors.groupingBy(java.util.stream.Collectors.groupingBy) Autowired(org.springframework.beans.factory.annotation.Autowired) Security(java.security.Security) ValidityPeriod(net.ripe.rpki.commons.crypto.ValidityPeriod) Value(lombok.Value) CertificateRepositoryObjectFactory(net.ripe.rpki.commons.crypto.util.CertificateRepositoryObjectFactory) ArrayList(java.util.ArrayList) Asn(net.ripe.ipresource.Asn) IpResourceType(net.ripe.ipresource.IpResourceType) RoaCms(net.ripe.rpki.commons.crypto.cms.roa.RoaCms) CertificateTreeValidationServiceTest(net.ripe.rpki.validator3.domain.validation.CertificateTreeValidationServiceTest) X509CrlBuilder(net.ripe.rpki.commons.crypto.crl.X509CrlBuilder) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) RoaCmsBuilder(net.ripe.rpki.commons.crypto.cms.roa.RoaCmsBuilder) X509CertificateInformationAccessDescriptor(net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor) X509ResourceCertificateBuilder(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder) BigInteger(java.math.BigInteger) URI(java.net.URI) IpResourceSet(net.ripe.ipresource.IpResourceSet) KeyPairFactory(net.ripe.rpki.commons.crypto.util.KeyPairFactory) EnumSet(java.util.EnumSet) Resources(com.google.common.io.Resources) Transactional(javax.transaction.Transactional) IpRange(net.ripe.ipresource.IpRange) DateTime(org.joda.time.DateTime) TrustAnchorValidationServiceTest(net.ripe.rpki.validator3.domain.validation.TrustAnchorValidationServiceTest) IOException(java.io.IOException) PublicKey(java.security.PublicKey) X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) Consumer(java.util.function.Consumer) Component(org.springframework.stereotype.Component) List(java.util.List) Collectors.toList(java.util.stream.Collectors.toList) Builder(lombok.Builder) ManifestCmsBuilder(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder) Instant(org.joda.time.Instant) PostConstruct(javax.annotation.PostConstruct) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms) X509CertificateUtil(net.ripe.rpki.commons.crypto.x509cert.X509CertificateUtil) Collections(java.util.Collections) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) X509CrlBuilder(net.ripe.rpki.commons.crypto.crl.X509CrlBuilder) KeyPair(java.security.KeyPair) X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl) ManifestCmsBuilder(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder) RoaCmsBuilder(net.ripe.rpki.commons.crypto.cms.roa.RoaCmsBuilder) RoaCms(net.ripe.rpki.commons.crypto.cms.roa.RoaCms) IpResourceSet(net.ripe.ipresource.IpResourceSet) X500Principal(javax.security.auth.x500.X500Principal) ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) X509ResourceCertificateBuilder(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder) IpResourceType(net.ripe.ipresource.IpResourceType) Asn(net.ripe.ipresource.Asn)

Example 2 with ManifestCms

use of net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms in project rpki-validator-3 by RIPE-NCC.

the class CertificateTreeValidationService method validateCertificateAuthority.

private List<RpkiObject> validateCertificateAuthority(TrustAnchor trustAnchor, Map<URI, RpkiRepository> registeredRepositories, CertificateRepositoryObjectValidationContext context, ValidationResult validationResult) {
    final List<RpkiObject> validatedObjects = new ArrayList<>();
    ValidationLocation certificateLocation = validationResult.getCurrentLocation();
    ValidationResult temporary = ValidationResult.withLocation(certificateLocation);
    try {
        RpkiRepository rpkiRepository = registerRepository(trustAnchor, registeredRepositories, context);
        temporary.warnIfTrue(rpkiRepository.isPending(), VALIDATOR_RPKI_REPOSITORY_PENDING, rpkiRepository.getLocationUri());
        if (rpkiRepository.isPending()) {
            return validatedObjects;
        }
        X509ResourceCertificate certificate = context.getCertificate();
        URI manifestUri = certificate.getManifestUri();
        temporary.setLocation(new ValidationLocation(manifestUri));
        Optional<RpkiObject> manifestObject = rpkiObjects.findLatestByTypeAndAuthorityKeyIdentifier(RpkiObject.Type.MFT, context.getSubjectKeyIdentifier());
        if (!manifestObject.isPresent()) {
            if (rpkiRepository.getStatus() == RpkiRepository.Status.FAILED) {
                temporary.error(ValidationString.VALIDATOR_NO_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
            } else {
                temporary.error(ValidationString.VALIDATOR_NO_LOCAL_MANIFEST_NO_MANIFEST_IN_REPOSITORY, rpkiRepository.getLocationUri());
            }
        }
        Optional<ManifestCms> maybeManifest = manifestObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), ManifestCms.class, temporary));
        temporary.rejectIfTrue(manifestObject.isPresent() && rpkiRepository.getStatus() == RpkiRepository.Status.FAILED && maybeManifest.isPresent() && maybeManifest.get().isPastValidityTime(), ValidationString.VALIDATOR_OLD_LOCAL_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        ManifestCms manifest = maybeManifest.get();
        List<Map.Entry<String, byte[]>> crlEntries = manifest.getFiles().entrySet().stream().filter((entry) -> RepositoryObjectType.parse(entry.getKey()) == RepositoryObjectType.Crl).collect(toList());
        temporary.rejectIfFalse(crlEntries.size() == 1, VALIDATOR_MANIFEST_CONTAINS_ONE_CRL_ENTRY, String.valueOf(crlEntries.size()));
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        Map.Entry<String, byte[]> crlEntry = crlEntries.get(0);
        URI crlUri = manifestUri.resolve(crlEntry.getKey());
        Optional<RpkiObject> crlObject = rpkiObjects.findBySha256(crlEntry.getValue());
        temporary.rejectIfFalse(crlObject.isPresent(), VALIDATOR_CRL_FOUND, crlUri.toASCIIString());
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        temporary.setLocation(new ValidationLocation(crlUri));
        Optional<X509Crl> crl = crlObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), X509Crl.class, temporary));
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        crl.get().validate(crlUri.toASCIIString(), context, null, VALIDATION_OPTIONS, temporary);
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        temporary.setLocation(new ValidationLocation(manifestUri));
        manifest.validate(manifestUri.toASCIIString(), context, crl.get(), manifest.getCrlUri(), VALIDATION_OPTIONS, temporary);
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        validatedObjects.add(manifestObject.get());
        Map<URI, RpkiObject> manifestEntries = retrieveManifestEntries(manifest, manifestUri, temporary);
        manifestEntries.forEach((location, obj) -> {
            temporary.setLocation(new ValidationLocation(location));
            Optional<CertificateRepositoryObject> maybeCertificateRepositoryObject = rpkiObjects.findCertificateRepositoryObject(obj.getId(), CertificateRepositoryObject.class, temporary);
            if (temporary.hasFailureForCurrentLocation()) {
                return;
            }
            maybeCertificateRepositoryObject.ifPresent(certificateRepositoryObject -> {
                certificateRepositoryObject.validate(location.toASCIIString(), context, crl.get(), crlUri, VALIDATION_OPTIONS, temporary);
                if (!temporary.hasFailureForCurrentLocation()) {
                    validatedObjects.add(obj);
                }
                if (certificateRepositoryObject instanceof X509ResourceCertificate && ((X509ResourceCertificate) certificateRepositoryObject).isCa() && !temporary.hasFailureForCurrentLocation()) {
                    CertificateRepositoryObjectValidationContext childContext = context.createChildContext(location, (X509ResourceCertificate) certificateRepositoryObject);
                    validatedObjects.addAll(validateCertificateAuthority(trustAnchor, registeredRepositories, childContext, temporary));
                }
            });
        });
    } catch (Exception e) {
        log.debug("e", e);
        validationResult.error(ErrorCodes.UNHANDLED_EXCEPTION, e.toString(), ExceptionUtils.getStackTrace(e));
    } finally {
        validationResult.addAll(temporary);
    }
    return validatedObjects;
}
Also used : RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository) ValidationRuns(net.ripe.rpki.validator3.domain.ValidationRuns) Arrays(java.util.Arrays) CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject) Autowired(org.springframework.beans.factory.annotation.Autowired) FlushModeType(javax.persistence.FlushModeType) HashMap(java.util.HashMap) ErrorCodes(net.ripe.rpki.validator3.domain.ErrorCodes) ArrayList(java.util.ArrayList) ValidationOptions(net.ripe.rpki.commons.validation.ValidationOptions) LinkedHashMap(java.util.LinkedHashMap) RpkiRepositories(net.ripe.rpki.validator3.domain.RpkiRepositories) CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) RpkiObjects(net.ripe.rpki.validator3.domain.RpkiObjects) Service(org.springframework.stereotype.Service) Map(java.util.Map) URI(java.net.URI) Objects(com.google.common.base.Objects) CertificateTreeValidationRun(net.ripe.rpki.validator3.domain.CertificateTreeValidationRun) TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor) ValidationStatus(net.ripe.rpki.commons.validation.ValidationStatus) ValidatedRpkiObjects(net.ripe.rpki.validator3.domain.ValidatedRpkiObjects) Transactional(javax.transaction.Transactional) TrustAnchors(net.ripe.rpki.validator3.domain.TrustAnchors) RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject) EntityManager(javax.persistence.EntityManager) X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl) RepositoryObjectType(net.ripe.rpki.commons.util.RepositoryObjectType) ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation) Slf4j(lombok.extern.slf4j.Slf4j) List(java.util.List) Collectors.toList(java.util.stream.Collectors.toList) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) Optional(java.util.Optional) Settings(net.ripe.rpki.validator3.domain.Settings) ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms) ValidationString(net.ripe.rpki.commons.validation.ValidationString) ExceptionUtils(org.apache.commons.lang3.exception.ExceptionUtils) X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl) CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext) RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository) ArrayList(java.util.ArrayList) ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation) ValidationString(net.ripe.rpki.commons.validation.ValidationString) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) URI(java.net.URI) RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject) ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms) CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) Map(java.util.Map)

Aggregations

URI (java.net.URI)2 ArrayList (java.util.ArrayList)2 List (java.util.List)2 Collectors.toList (java.util.stream.Collectors.toList)2 Transactional (javax.transaction.Transactional)2 ManifestCms (net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms)2 X509Crl (net.ripe.rpki.commons.crypto.crl.X509Crl)2 X509ResourceCertificate (net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)2 ValidationResult (net.ripe.rpki.commons.validation.ValidationResult)2 Objects (com.google.common.base.Objects)1 Resources (com.google.common.io.Resources)1 IOException (java.io.IOException)1 BigInteger (java.math.BigInteger)1 KeyPair (java.security.KeyPair)1 PublicKey (java.security.PublicKey)1 Security (java.security.Security)1 Arrays (java.util.Arrays)1 Collections (java.util.Collections)1 EnumSet (java.util.EnumSet)1 HashMap (java.util.HashMap)1