Example 1 with X509Crl
use of net.ripe.rpki.commons.crypto.crl.X509Crl in project rpki-validator-3 by RIPE-NCC.
the class TrustAnchorsFactory method createCertificateAuthority.
public X509ResourceCertificate createCertificateAuthority(CertificateAuthority ca, CertificateAuthority issuer, ValidityPeriod mftValidityPeriod) {
ManifestCmsBuilder manifestBuilder = new ManifestCmsBuilder();
X509ResourceCertificate caCertificate = createCaCertificate(ca, ca.keyPair.getPublic(), issuer.dn, issuer.crlDistributionPoint, issuer.keyPair);
X509Crl crl = new X509CrlBuilder().withIssuerDN(caCertificate.getSubject()).withThisUpdateTime(DateTime.now()).withNextUpdateTime(DateTime.now().plusHours(8)).withAuthorityKeyIdentifier(ca.keyPair.getPublic()).withNumber(nextSerial()).build(ca.keyPair.getPrivate());
rpkiObjects.add(new RpkiObject(ca.crlDistributionPoint, crl));
manifestBuilder.addFile(ca.crlDistributionPoint.substring(ca.crlDistributionPoint.lastIndexOf('/') + 1), crl.getEncoded());
if (ca.children != null) {
for (CertificateAuthority child : ca.children) {
X509ResourceCertificate childCertificate = createCertificateAuthority(child, ca);
rpkiObjects.add(new RpkiObject(ca.repositoryURI + "/" + child.dn + ".cer", childCertificate));
manifestBuilder.addFile(child.dn + ".cer", childCertificate.getEncoded());
}
}
if (ca.roaPrefixes != null) {
ca.roaPrefixes.stream().collect(groupingBy(RoaPrefix::getAsn)).forEach((asn, roaPrefix) -> {
KeyPair roaKeyPair = KEY_PAIR_FACTORY.generate();
IpResourceSet resources = new IpResourceSet();
roaPrefix.stream().forEach(p -> resources.add(IpRange.parse(p.getPrefix())));
X509ResourceCertificate roaCertificate = new X509ResourceCertificateBuilder().withResources(resources).withIssuerDN(new X500Principal(ca.dn)).withSubjectDN(new X500Principal("CN=AS" + asn + ", CN=roa, " + ca.dn)).withValidityPeriod(typicalValidityPeriod()).withPublicKey(roaKeyPair.getPublic()).withSigningKeyPair(ca.keyPair).withCa(false).withKeyUsage(KeyUsage.digitalSignature).withSerial(nextSerial()).withCrlDistributionPoints(URI.create(ca.crlDistributionPoint)).build();
RoaCms roaCms = new RoaCmsBuilder().withAsn(new Asn(asn)).withPrefixes(roaPrefix.stream().map(p -> new net.ripe.rpki.commons.crypto.cms.roa.RoaPrefix(IpRange.parse(p.getPrefix()), p.getMaximumLength())).collect(toList())).withCertificate(roaCertificate).withSignatureProvider(BouncyCastleProvider.PROVIDER_NAME).build(roaKeyPair.getPrivate());
rpkiObjects.add(new RpkiObject(ca.repositoryURI + "/" + "AS" + asn + ".roa", roaCms));
manifestBuilder.addFile("AS" + asn + ".roa", roaCms.getEncoded());
});
}
KeyPair manifestKeyPair = KEY_PAIR_FACTORY.generate();
X509ResourceCertificate manifestCertificate = new X509ResourceCertificateBuilder().withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class)).withIssuerDN(caCertificate.getSubject()).withSubjectDN(new X500Principal("CN=manifest, " + caCertificate.getSubject())).withValidityPeriod(mftValidityPeriod).withPublicKey(manifestKeyPair.getPublic()).withSigningKeyPair(ca.keyPair).withCa(false).withKeyUsage(KeyUsage.digitalSignature).withSerial(nextSerial()).withCrlDistributionPoints(URI.create(ca.crlDistributionPoint)).build();
manifestBuilder.withCertificate(manifestCertificate).withManifestNumber(nextSerial()).withThisUpdateTime(DateTime.now()).withNextUpdateTime(DateTime.now().plusHours(8));
ManifestCms manifest = manifestBuilder.build(manifestKeyPair.getPrivate());
rpkiObjects.add(new RpkiObject(ca.manifestURI, manifest));
return caCertificate;
}
Also used :
KeyPair(java.security.KeyPair)
X500Principal(javax.security.auth.x500.X500Principal)
Duration(org.joda.time.Duration)
Collectors.groupingBy(java.util.stream.Collectors.groupingBy)
Autowired(org.springframework.beans.factory.annotation.Autowired)
Security(java.security.Security)
ValidityPeriod(net.ripe.rpki.commons.crypto.ValidityPeriod)
Value(lombok.Value)
CertificateRepositoryObjectFactory(net.ripe.rpki.commons.crypto.util.CertificateRepositoryObjectFactory)
ArrayList(java.util.ArrayList)
Asn(net.ripe.ipresource.Asn)
IpResourceType(net.ripe.ipresource.IpResourceType)
RoaCms(net.ripe.rpki.commons.crypto.cms.roa.RoaCms)
CertificateTreeValidationServiceTest(net.ripe.rpki.validator3.domain.validation.CertificateTreeValidationServiceTest)
X509CrlBuilder(net.ripe.rpki.commons.crypto.crl.X509CrlBuilder)
X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)
RoaCmsBuilder(net.ripe.rpki.commons.crypto.cms.roa.RoaCmsBuilder)
X509CertificateInformationAccessDescriptor(net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor)
X509ResourceCertificateBuilder(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder)
BigInteger(java.math.BigInteger)
URI(java.net.URI)
IpResourceSet(net.ripe.ipresource.IpResourceSet)
KeyPairFactory(net.ripe.rpki.commons.crypto.util.KeyPairFactory)
EnumSet(java.util.EnumSet)
Resources(com.google.common.io.Resources)
Transactional(javax.transaction.Transactional)
IpRange(net.ripe.ipresource.IpRange)
DateTime(org.joda.time.DateTime)
TrustAnchorValidationServiceTest(net.ripe.rpki.validator3.domain.validation.TrustAnchorValidationServiceTest)
IOException(java.io.IOException)
PublicKey(java.security.PublicKey)
X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl)
BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)
Consumer(java.util.function.Consumer)
Component(org.springframework.stereotype.Component)
List(java.util.List)
Collectors.toList(java.util.stream.Collectors.toList)
Builder(lombok.Builder)
ManifestCmsBuilder(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder)
Instant(org.joda.time.Instant)
PostConstruct(javax.annotation.PostConstruct)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms)
X509CertificateUtil(net.ripe.rpki.commons.crypto.x509cert.X509CertificateUtil)
Collections(java.util.Collections)
KeyUsage(org.bouncycastle.asn1.x509.KeyUsage)
X509CrlBuilder(net.ripe.rpki.commons.crypto.crl.X509CrlBuilder)
KeyPair(java.security.KeyPair)
X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl)
ManifestCmsBuilder(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder)
RoaCmsBuilder(net.ripe.rpki.commons.crypto.cms.roa.RoaCmsBuilder)
RoaCms(net.ripe.rpki.commons.crypto.cms.roa.RoaCms)
IpResourceSet(net.ripe.ipresource.IpResourceSet)
X500Principal(javax.security.auth.x500.X500Principal)
ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms)
X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)
X509ResourceCertificateBuilder(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder)
IpResourceType(net.ripe.ipresource.IpResourceType)
Asn(net.ripe.ipresource.Asn)
Example 2 with X509Crl
use of net.ripe.rpki.commons.crypto.crl.X509Crl in project rpki-validator-3 by RIPE-NCC.
the class CertificateTreeValidationService method validateCertificateAuthority.
private List<RpkiObject> validateCertificateAuthority(TrustAnchor trustAnchor, Map<URI, RpkiRepository> registeredRepositories, CertificateRepositoryObjectValidationContext context, ValidationResult validationResult) {
final List<RpkiObject> validatedObjects = new ArrayList<>();
ValidationLocation certificateLocation = validationResult.getCurrentLocation();
ValidationResult temporary = ValidationResult.withLocation(certificateLocation);
try {
RpkiRepository rpkiRepository = registerRepository(trustAnchor, registeredRepositories, context);
temporary.warnIfTrue(rpkiRepository.isPending(), VALIDATOR_RPKI_REPOSITORY_PENDING, rpkiRepository.getLocationUri());
if (rpkiRepository.isPending()) {
return validatedObjects;
}
X509ResourceCertificate certificate = context.getCertificate();
URI manifestUri = certificate.getManifestUri();
temporary.setLocation(new ValidationLocation(manifestUri));
Optional<RpkiObject> manifestObject = rpkiObjects.findLatestByTypeAndAuthorityKeyIdentifier(RpkiObject.Type.MFT, context.getSubjectKeyIdentifier());
if (!manifestObject.isPresent()) {
if (rpkiRepository.getStatus() == RpkiRepository.Status.FAILED) {
temporary.error(ValidationString.VALIDATOR_NO_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
} else {
temporary.error(ValidationString.VALIDATOR_NO_LOCAL_MANIFEST_NO_MANIFEST_IN_REPOSITORY, rpkiRepository.getLocationUri());
}
}
Optional<ManifestCms> maybeManifest = manifestObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), ManifestCms.class, temporary));
temporary.rejectIfTrue(manifestObject.isPresent() && rpkiRepository.getStatus() == RpkiRepository.Status.FAILED && maybeManifest.isPresent() && maybeManifest.get().isPastValidityTime(), ValidationString.VALIDATOR_OLD_LOCAL_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
ManifestCms manifest = maybeManifest.get();
List<Map.Entry<String, byte[]>> crlEntries = manifest.getFiles().entrySet().stream().filter((entry) -> RepositoryObjectType.parse(entry.getKey()) == RepositoryObjectType.Crl).collect(toList());
temporary.rejectIfFalse(crlEntries.size() == 1, VALIDATOR_MANIFEST_CONTAINS_ONE_CRL_ENTRY, String.valueOf(crlEntries.size()));
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
Map.Entry<String, byte[]> crlEntry = crlEntries.get(0);
URI crlUri = manifestUri.resolve(crlEntry.getKey());
Optional<RpkiObject> crlObject = rpkiObjects.findBySha256(crlEntry.getValue());
temporary.rejectIfFalse(crlObject.isPresent(), VALIDATOR_CRL_FOUND, crlUri.toASCIIString());
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
temporary.setLocation(new ValidationLocation(crlUri));
Optional<X509Crl> crl = crlObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), X509Crl.class, temporary));
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
crl.get().validate(crlUri.toASCIIString(), context, null, VALIDATION_OPTIONS, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
temporary.setLocation(new ValidationLocation(manifestUri));
manifest.validate(manifestUri.toASCIIString(), context, crl.get(), manifest.getCrlUri(), VALIDATION_OPTIONS, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
validatedObjects.add(manifestObject.get());
Map<URI, RpkiObject> manifestEntries = retrieveManifestEntries(manifest, manifestUri, temporary);
manifestEntries.forEach((location, obj) -> {
temporary.setLocation(new ValidationLocation(location));
Optional<CertificateRepositoryObject> maybeCertificateRepositoryObject = rpkiObjects.findCertificateRepositoryObject(obj.getId(), CertificateRepositoryObject.class, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return;
}
maybeCertificateRepositoryObject.ifPresent(certificateRepositoryObject -> {
certificateRepositoryObject.validate(location.toASCIIString(), context, crl.get(), crlUri, VALIDATION_OPTIONS, temporary);
if (!temporary.hasFailureForCurrentLocation()) {
validatedObjects.add(obj);
}
if (certificateRepositoryObject instanceof X509ResourceCertificate && ((X509ResourceCertificate) certificateRepositoryObject).isCa() && !temporary.hasFailureForCurrentLocation()) {
CertificateRepositoryObjectValidationContext childContext = context.createChildContext(location, (X509ResourceCertificate) certificateRepositoryObject);
validatedObjects.addAll(validateCertificateAuthority(trustAnchor, registeredRepositories, childContext, temporary));
}
});
});
} catch (Exception e) {
log.debug("e", e);
validationResult.error(ErrorCodes.UNHANDLED_EXCEPTION, e.toString(), ExceptionUtils.getStackTrace(e));
} finally {
validationResult.addAll(temporary);
}
return validatedObjects;
}
Also used :
RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository)
ValidationRuns(net.ripe.rpki.validator3.domain.ValidationRuns)
Arrays(java.util.Arrays)
CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject)
Autowired(org.springframework.beans.factory.annotation.Autowired)
FlushModeType(javax.persistence.FlushModeType)
HashMap(java.util.HashMap)
ErrorCodes(net.ripe.rpki.validator3.domain.ErrorCodes)
ArrayList(java.util.ArrayList)
ValidationOptions(net.ripe.rpki.commons.validation.ValidationOptions)
LinkedHashMap(java.util.LinkedHashMap)
RpkiRepositories(net.ripe.rpki.validator3.domain.RpkiRepositories)
CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext)
X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)
RpkiObjects(net.ripe.rpki.validator3.domain.RpkiObjects)
Service(org.springframework.stereotype.Service)
Map(java.util.Map)
URI(java.net.URI)
Objects(com.google.common.base.Objects)
CertificateTreeValidationRun(net.ripe.rpki.validator3.domain.CertificateTreeValidationRun)
TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor)
ValidationStatus(net.ripe.rpki.commons.validation.ValidationStatus)
ValidatedRpkiObjects(net.ripe.rpki.validator3.domain.ValidatedRpkiObjects)
Transactional(javax.transaction.Transactional)
TrustAnchors(net.ripe.rpki.validator3.domain.TrustAnchors)
RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject)
EntityManager(javax.persistence.EntityManager)
X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl)
RepositoryObjectType(net.ripe.rpki.commons.util.RepositoryObjectType)
ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation)
Slf4j(lombok.extern.slf4j.Slf4j)
List(java.util.List)
Collectors.toList(java.util.stream.Collectors.toList)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
Optional(java.util.Optional)
Settings(net.ripe.rpki.validator3.domain.Settings)
ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms)
ValidationString(net.ripe.rpki.commons.validation.ValidationString)
ExceptionUtils(org.apache.commons.lang3.exception.ExceptionUtils)
X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl)
CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext)
RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository)
ArrayList(java.util.ArrayList)
ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation)
ValidationString(net.ripe.rpki.commons.validation.ValidationString)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
URI(java.net.URI)
RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject)
ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms)
CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject)
X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)
HashMap(java.util.HashMap)
LinkedHashMap(java.util.LinkedHashMap)
Map(java.util.Map)
Aggregations
URI (java.net.URI)2
ArrayList (java.util.ArrayList)2
List (java.util.List)2
Collectors.toList (java.util.stream.Collectors.toList)2
Transactional (javax.transaction.Transactional)2
ManifestCms (net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms)2
X509Crl (net.ripe.rpki.commons.crypto.crl.X509Crl)2
X509ResourceCertificate (net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)2
ValidationResult (net.ripe.rpki.commons.validation.ValidationResult)2
Objects (com.google.common.base.Objects)1
Resources (com.google.common.io.Resources)1
IOException (java.io.IOException)1
BigInteger (java.math.BigInteger)1
KeyPair (java.security.KeyPair)1
PublicKey (java.security.PublicKey)1
Security (java.security.Security)1
Arrays (java.util.Arrays)1
Collections (java.util.Collections)1
EnumSet (java.util.EnumSet)1
HashMap (java.util.HashMap)1
