Search in sources :

Example 1 with RoaCmsBuilder

use of net.ripe.rpki.commons.crypto.cms.roa.RoaCmsBuilder in project rpki-validator-3 by RIPE-NCC.

the class TrustAnchorsFactory method createCertificateAuthority.

public X509ResourceCertificate createCertificateAuthority(CertificateAuthority ca, CertificateAuthority issuer, ValidityPeriod mftValidityPeriod) {
    ManifestCmsBuilder manifestBuilder = new ManifestCmsBuilder();
    X509ResourceCertificate caCertificate = createCaCertificate(ca, ca.keyPair.getPublic(), issuer.dn, issuer.crlDistributionPoint, issuer.keyPair);
    X509Crl crl = new X509CrlBuilder().withIssuerDN(caCertificate.getSubject()).withThisUpdateTime(DateTime.now()).withNextUpdateTime(DateTime.now().plusHours(8)).withAuthorityKeyIdentifier(ca.keyPair.getPublic()).withNumber(nextSerial()).build(ca.keyPair.getPrivate());
    rpkiObjects.add(new RpkiObject(ca.crlDistributionPoint, crl));
    manifestBuilder.addFile(ca.crlDistributionPoint.substring(ca.crlDistributionPoint.lastIndexOf('/') + 1), crl.getEncoded());
    if (ca.children != null) {
        for (CertificateAuthority child : ca.children) {
            X509ResourceCertificate childCertificate = createCertificateAuthority(child, ca);
            rpkiObjects.add(new RpkiObject(ca.repositoryURI + "/" + child.dn + ".cer", childCertificate));
            manifestBuilder.addFile(child.dn + ".cer", childCertificate.getEncoded());
        }
    }
    if (ca.roaPrefixes != null) {
        ca.roaPrefixes.stream().collect(groupingBy(RoaPrefix::getAsn)).forEach((asn, roaPrefix) -> {
            KeyPair roaKeyPair = KEY_PAIR_FACTORY.generate();
            IpResourceSet resources = new IpResourceSet();
            roaPrefix.stream().forEach(p -> resources.add(IpRange.parse(p.getPrefix())));
            X509ResourceCertificate roaCertificate = new X509ResourceCertificateBuilder().withResources(resources).withIssuerDN(new X500Principal(ca.dn)).withSubjectDN(new X500Principal("CN=AS" + asn + ", CN=roa, " + ca.dn)).withValidityPeriod(typicalValidityPeriod()).withPublicKey(roaKeyPair.getPublic()).withSigningKeyPair(ca.keyPair).withCa(false).withKeyUsage(KeyUsage.digitalSignature).withSerial(nextSerial()).withCrlDistributionPoints(URI.create(ca.crlDistributionPoint)).build();
            RoaCms roaCms = new RoaCmsBuilder().withAsn(new Asn(asn)).withPrefixes(roaPrefix.stream().map(p -> new net.ripe.rpki.commons.crypto.cms.roa.RoaPrefix(IpRange.parse(p.getPrefix()), p.getMaximumLength())).collect(toList())).withCertificate(roaCertificate).withSignatureProvider(BouncyCastleProvider.PROVIDER_NAME).build(roaKeyPair.getPrivate());
            rpkiObjects.add(new RpkiObject(ca.repositoryURI + "/" + "AS" + asn + ".roa", roaCms));
            manifestBuilder.addFile("AS" + asn + ".roa", roaCms.getEncoded());
        });
    }
    KeyPair manifestKeyPair = KEY_PAIR_FACTORY.generate();
    X509ResourceCertificate manifestCertificate = new X509ResourceCertificateBuilder().withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class)).withIssuerDN(caCertificate.getSubject()).withSubjectDN(new X500Principal("CN=manifest, " + caCertificate.getSubject())).withValidityPeriod(mftValidityPeriod).withPublicKey(manifestKeyPair.getPublic()).withSigningKeyPair(ca.keyPair).withCa(false).withKeyUsage(KeyUsage.digitalSignature).withSerial(nextSerial()).withCrlDistributionPoints(URI.create(ca.crlDistributionPoint)).build();
    manifestBuilder.withCertificate(manifestCertificate).withManifestNumber(nextSerial()).withThisUpdateTime(DateTime.now()).withNextUpdateTime(DateTime.now().plusHours(8));
    ManifestCms manifest = manifestBuilder.build(manifestKeyPair.getPrivate());
    rpkiObjects.add(new RpkiObject(ca.manifestURI, manifest));
    return caCertificate;
}
Also used : KeyPair(java.security.KeyPair) X500Principal(javax.security.auth.x500.X500Principal) Duration(org.joda.time.Duration) Collectors.groupingBy(java.util.stream.Collectors.groupingBy) Autowired(org.springframework.beans.factory.annotation.Autowired) Security(java.security.Security) ValidityPeriod(net.ripe.rpki.commons.crypto.ValidityPeriod) Value(lombok.Value) CertificateRepositoryObjectFactory(net.ripe.rpki.commons.crypto.util.CertificateRepositoryObjectFactory) ArrayList(java.util.ArrayList) Asn(net.ripe.ipresource.Asn) IpResourceType(net.ripe.ipresource.IpResourceType) RoaCms(net.ripe.rpki.commons.crypto.cms.roa.RoaCms) CertificateTreeValidationServiceTest(net.ripe.rpki.validator3.domain.validation.CertificateTreeValidationServiceTest) X509CrlBuilder(net.ripe.rpki.commons.crypto.crl.X509CrlBuilder) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) RoaCmsBuilder(net.ripe.rpki.commons.crypto.cms.roa.RoaCmsBuilder) X509CertificateInformationAccessDescriptor(net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor) X509ResourceCertificateBuilder(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder) BigInteger(java.math.BigInteger) URI(java.net.URI) IpResourceSet(net.ripe.ipresource.IpResourceSet) KeyPairFactory(net.ripe.rpki.commons.crypto.util.KeyPairFactory) EnumSet(java.util.EnumSet) Resources(com.google.common.io.Resources) Transactional(javax.transaction.Transactional) IpRange(net.ripe.ipresource.IpRange) DateTime(org.joda.time.DateTime) TrustAnchorValidationServiceTest(net.ripe.rpki.validator3.domain.validation.TrustAnchorValidationServiceTest) IOException(java.io.IOException) PublicKey(java.security.PublicKey) X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) Consumer(java.util.function.Consumer) Component(org.springframework.stereotype.Component) List(java.util.List) Collectors.toList(java.util.stream.Collectors.toList) Builder(lombok.Builder) ManifestCmsBuilder(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder) Instant(org.joda.time.Instant) PostConstruct(javax.annotation.PostConstruct) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms) X509CertificateUtil(net.ripe.rpki.commons.crypto.x509cert.X509CertificateUtil) Collections(java.util.Collections) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) X509CrlBuilder(net.ripe.rpki.commons.crypto.crl.X509CrlBuilder) KeyPair(java.security.KeyPair) X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl) ManifestCmsBuilder(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder) RoaCmsBuilder(net.ripe.rpki.commons.crypto.cms.roa.RoaCmsBuilder) RoaCms(net.ripe.rpki.commons.crypto.cms.roa.RoaCms) IpResourceSet(net.ripe.ipresource.IpResourceSet) X500Principal(javax.security.auth.x500.X500Principal) ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) X509ResourceCertificateBuilder(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder) IpResourceType(net.ripe.ipresource.IpResourceType) Asn(net.ripe.ipresource.Asn)

Aggregations

Resources (com.google.common.io.Resources)1 IOException (java.io.IOException)1 BigInteger (java.math.BigInteger)1 URI (java.net.URI)1 KeyPair (java.security.KeyPair)1 PublicKey (java.security.PublicKey)1 Security (java.security.Security)1 ArrayList (java.util.ArrayList)1 Collections (java.util.Collections)1 EnumSet (java.util.EnumSet)1 List (java.util.List)1 Consumer (java.util.function.Consumer)1 Collectors.groupingBy (java.util.stream.Collectors.groupingBy)1 Collectors.toList (java.util.stream.Collectors.toList)1 PostConstruct (javax.annotation.PostConstruct)1 X500Principal (javax.security.auth.x500.X500Principal)1 Transactional (javax.transaction.Transactional)1 Builder (lombok.Builder)1 Value (lombok.Value)1 Asn (net.ripe.ipresource.Asn)1