Search in sources :

Example 1 with RoaPrefix

use of net.ripe.rpki.validator3.domain.RoaPrefix in project rpki-validator-3 by RIPE-NCC.

the class TrustAnchorsFactory method createCertificateAuthority.

public X509ResourceCertificate createCertificateAuthority(CertificateAuthority ca, CertificateAuthority issuer, ValidityPeriod mftValidityPeriod) {
    ManifestCmsBuilder manifestBuilder = new ManifestCmsBuilder();
    X509ResourceCertificate caCertificate = createCaCertificate(ca, ca.keyPair.getPublic(), issuer.dn, issuer.crlDistributionPoint, issuer.keyPair);
    X509Crl crl = new X509CrlBuilder().withIssuerDN(caCertificate.getSubject()).withThisUpdateTime(DateTime.now()).withNextUpdateTime(DateTime.now().plusHours(8)).withAuthorityKeyIdentifier(ca.keyPair.getPublic()).withNumber(nextSerial()).build(ca.keyPair.getPrivate());
    rpkiObjects.add(new RpkiObject(ca.crlDistributionPoint, crl));
    manifestBuilder.addFile(ca.crlDistributionPoint.substring(ca.crlDistributionPoint.lastIndexOf('/') + 1), crl.getEncoded());
    if (ca.children != null) {
        for (CertificateAuthority child : ca.children) {
            X509ResourceCertificate childCertificate = createCertificateAuthority(child, ca);
            rpkiObjects.add(new RpkiObject(ca.repositoryURI + "/" + child.dn + ".cer", childCertificate));
            manifestBuilder.addFile(child.dn + ".cer", childCertificate.getEncoded());
        }
    }
    if (ca.roaPrefixes != null) {
        ca.roaPrefixes.stream().collect(groupingBy(RoaPrefix::getAsn)).forEach((asn, roaPrefix) -> {
            KeyPair roaKeyPair = KEY_PAIR_FACTORY.generate();
            IpResourceSet resources = new IpResourceSet();
            roaPrefix.stream().forEach(p -> resources.add(IpRange.parse(p.getPrefix())));
            X509ResourceCertificate roaCertificate = new X509ResourceCertificateBuilder().withResources(resources).withIssuerDN(new X500Principal(ca.dn)).withSubjectDN(new X500Principal("CN=AS" + asn + ", CN=roa, " + ca.dn)).withValidityPeriod(typicalValidityPeriod()).withPublicKey(roaKeyPair.getPublic()).withSigningKeyPair(ca.keyPair).withCa(false).withKeyUsage(KeyUsage.digitalSignature).withSerial(nextSerial()).withCrlDistributionPoints(URI.create(ca.crlDistributionPoint)).build();
            RoaCms roaCms = new RoaCmsBuilder().withAsn(new Asn(asn)).withPrefixes(roaPrefix.stream().map(p -> new net.ripe.rpki.commons.crypto.cms.roa.RoaPrefix(IpRange.parse(p.getPrefix()), p.getMaximumLength())).collect(toList())).withCertificate(roaCertificate).withSignatureProvider(BouncyCastleProvider.PROVIDER_NAME).build(roaKeyPair.getPrivate());
            rpkiObjects.add(new RpkiObject(ca.repositoryURI + "/" + "AS" + asn + ".roa", roaCms));
            manifestBuilder.addFile("AS" + asn + ".roa", roaCms.getEncoded());
        });
    }
    KeyPair manifestKeyPair = KEY_PAIR_FACTORY.generate();
    X509ResourceCertificate manifestCertificate = new X509ResourceCertificateBuilder().withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class)).withIssuerDN(caCertificate.getSubject()).withSubjectDN(new X500Principal("CN=manifest, " + caCertificate.getSubject())).withValidityPeriod(mftValidityPeriod).withPublicKey(manifestKeyPair.getPublic()).withSigningKeyPair(ca.keyPair).withCa(false).withKeyUsage(KeyUsage.digitalSignature).withSerial(nextSerial()).withCrlDistributionPoints(URI.create(ca.crlDistributionPoint)).build();
    manifestBuilder.withCertificate(manifestCertificate).withManifestNumber(nextSerial()).withThisUpdateTime(DateTime.now()).withNextUpdateTime(DateTime.now().plusHours(8));
    ManifestCms manifest = manifestBuilder.build(manifestKeyPair.getPrivate());
    rpkiObjects.add(new RpkiObject(ca.manifestURI, manifest));
    return caCertificate;
}
Also used : KeyPair(java.security.KeyPair) X500Principal(javax.security.auth.x500.X500Principal) Duration(org.joda.time.Duration) Collectors.groupingBy(java.util.stream.Collectors.groupingBy) Autowired(org.springframework.beans.factory.annotation.Autowired) Security(java.security.Security) ValidityPeriod(net.ripe.rpki.commons.crypto.ValidityPeriod) Value(lombok.Value) CertificateRepositoryObjectFactory(net.ripe.rpki.commons.crypto.util.CertificateRepositoryObjectFactory) ArrayList(java.util.ArrayList) Asn(net.ripe.ipresource.Asn) IpResourceType(net.ripe.ipresource.IpResourceType) RoaCms(net.ripe.rpki.commons.crypto.cms.roa.RoaCms) CertificateTreeValidationServiceTest(net.ripe.rpki.validator3.domain.validation.CertificateTreeValidationServiceTest) X509CrlBuilder(net.ripe.rpki.commons.crypto.crl.X509CrlBuilder) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) RoaCmsBuilder(net.ripe.rpki.commons.crypto.cms.roa.RoaCmsBuilder) X509CertificateInformationAccessDescriptor(net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor) X509ResourceCertificateBuilder(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder) BigInteger(java.math.BigInteger) URI(java.net.URI) IpResourceSet(net.ripe.ipresource.IpResourceSet) KeyPairFactory(net.ripe.rpki.commons.crypto.util.KeyPairFactory) EnumSet(java.util.EnumSet) Resources(com.google.common.io.Resources) Transactional(javax.transaction.Transactional) IpRange(net.ripe.ipresource.IpRange) DateTime(org.joda.time.DateTime) TrustAnchorValidationServiceTest(net.ripe.rpki.validator3.domain.validation.TrustAnchorValidationServiceTest) IOException(java.io.IOException) PublicKey(java.security.PublicKey) X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) Consumer(java.util.function.Consumer) Component(org.springframework.stereotype.Component) List(java.util.List) Collectors.toList(java.util.stream.Collectors.toList) Builder(lombok.Builder) ManifestCmsBuilder(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder) Instant(org.joda.time.Instant) PostConstruct(javax.annotation.PostConstruct) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms) X509CertificateUtil(net.ripe.rpki.commons.crypto.x509cert.X509CertificateUtil) Collections(java.util.Collections) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) X509CrlBuilder(net.ripe.rpki.commons.crypto.crl.X509CrlBuilder) KeyPair(java.security.KeyPair) X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl) ManifestCmsBuilder(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder) RoaCmsBuilder(net.ripe.rpki.commons.crypto.cms.roa.RoaCmsBuilder) RoaCms(net.ripe.rpki.commons.crypto.cms.roa.RoaCms) IpResourceSet(net.ripe.ipresource.IpResourceSet) X500Principal(javax.security.auth.x500.X500Principal) ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) X509ResourceCertificateBuilder(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder) IpResourceType(net.ripe.ipresource.IpResourceType) Asn(net.ripe.ipresource.Asn)

Example 2 with RoaPrefix

use of net.ripe.rpki.validator3.domain.RoaPrefix in project rpki-validator-3 by RIPE-NCC.

the class ObjectController method list.

@GetMapping(path = "/validated")
public ResponseEntity<ApiResponse<ValidatedObjects>> list(Locale locale) {
    final Map<Long, TrustAnchorResource> trustAnchorsById = trustAnchors.findAll().stream().collect(Collectors.toMap(TrustAnchor::getId, ta -> TrustAnchorResource.of(ta, locale)));
    final Map<Long, Links> trustAnchorLinks = trustAnchorsById.entrySet().stream().collect(Collectors.toMap(entry -> entry.getKey(), entry -> new Links(entry.getValue().getLinks().getLink("self").withRel(TrustAnchor.TYPE))));
    final Stream<RoaPrefix> validatedPrefixes = validatedRpkiObjects.findCurrentlyValidatedRoaPrefixes(null, null, null).getObjects().filter(new IgnoreFiltersPredicate(ignoreFilters.all()).negate()).map(prefix -> {
        Links links = trustAnchorLinks.get(prefix.getTrustAnchor().getId());
        return new RoaPrefix(String.valueOf(prefix.getAsn()), prefix.getPrefix().toString(), prefix.getEffectiveLength(), links);
    });
    final Stream<RoaPrefix> assertions = roaPrefixAssertions.all().map(assertion -> new RoaPrefix(new Asn(assertion.getAsn()).toString(), IpRange.parse(assertion.getPrefix()).toString(), assertion.getMaximumLength() != null ? assertion.getMaximumLength() : IpRange.parse(assertion.getPrefix()).getPrefixLength(), null));
    final Stream<RoaPrefix> combinedPrefixes = Stream.concat(validatedPrefixes, assertions).distinct();
    final Stream<ValidatedRpkiObjects.RouterCertificate> certificates = validatedRpkiObjects.findCurrentlyValidatedRouterCertificates().getObjects();
    final Stream<RouterCertificate> filteredRouterCertificates = bgpSecFilterService.filterCertificates(certificates).map(o -> new RouterCertificate(o.getAsn(), o.getSubjectKeyIdentifier(), o.getSubjectPublicKeyInfo()));
    final Stream<RouterCertificate> bgpSecAssertions = this.bgpSecAssertions.all().map(b -> {
        final List<String> asns = Collections.singletonList(String.valueOf(b.getAsn()));
        return new RouterCertificate(asns, b.getSki(), b.getPublicKey());
    });
    final Stream<RouterCertificate> combinedAssertions = Stream.concat(filteredRouterCertificates, bgpSecAssertions).distinct();
    return ResponseEntity.ok(ApiResponse.<ValidatedObjects>builder().data(new ValidatedObjects(settings.isInitialValidationRunCompleted(), trustAnchorsById.values(), combinedPrefixes, combinedAssertions)).build());
}
Also used : Links(org.springframework.hateoas.Links) Autowired(org.springframework.beans.factory.annotation.Autowired) RequestMapping(org.springframework.web.bind.annotation.RequestMapping) BgpSecFilterService(net.ripe.rpki.validator3.api.bgpsec.BgpSecFilterService) Value(lombok.Value) Asn(net.ripe.ipresource.Asn) TrustAnchorResource(net.ripe.rpki.validator3.api.trustanchors.TrustAnchorResource) Api(net.ripe.rpki.validator3.api.Api) RpkiObjects(net.ripe.rpki.validator3.domain.RpkiObjects) Locale(java.util.Locale) Map(java.util.Map) RoaPrefixAssertions(net.ripe.rpki.validator3.domain.RoaPrefixAssertions) GetMapping(org.springframework.web.bind.annotation.GetMapping) TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor) ValidatedRpkiObjects(net.ripe.rpki.validator3.domain.ValidatedRpkiObjects) IpRange(net.ripe.ipresource.IpRange) TrustAnchors(net.ripe.rpki.validator3.domain.TrustAnchors) Collection(java.util.Collection) IgnoreFilters(net.ripe.rpki.validator3.domain.IgnoreFilters) RestController(org.springframework.web.bind.annotation.RestController) Collectors(java.util.stream.Collectors) Slf4j(lombok.extern.slf4j.Slf4j) List(java.util.List) Stream(java.util.stream.Stream) BgpSecAssertions(net.ripe.rpki.validator3.domain.BgpSecAssertions) IgnoreFiltersPredicate(net.ripe.rpki.validator3.domain.IgnoreFiltersPredicate) Settings(net.ripe.rpki.validator3.domain.Settings) ResponseEntity(org.springframework.http.ResponseEntity) ApiResponse(net.ripe.rpki.validator3.api.ApiResponse) Collections(java.util.Collections) ApiModelProperty(io.swagger.annotations.ApiModelProperty) IgnoreFiltersPredicate(net.ripe.rpki.validator3.domain.IgnoreFiltersPredicate) Links(org.springframework.hateoas.Links) Asn(net.ripe.ipresource.Asn) TrustAnchorResource(net.ripe.rpki.validator3.api.trustanchors.TrustAnchorResource) GetMapping(org.springframework.web.bind.annotation.GetMapping)

Example 3 with RoaPrefix

use of net.ripe.rpki.validator3.domain.RoaPrefix in project rpki-validator-3 by RIPE-NCC.

the class ValidatedRoasController method list.

@GetMapping
public ResponseEntity<ApiResponse<Stream<RoaPrefix>>> list(@RequestParam(name = "startFrom", defaultValue = "0") int startFrom, @RequestParam(name = "pageSize", defaultValue = "20") int pageSize, @RequestParam(name = "search", defaultValue = "", required = false) String searchString, @RequestParam(name = "sortBy", defaultValue = "prefix") String sortBy, @RequestParam(name = "sortDirection", defaultValue = "asc") String sortDirection) {
    final SearchTerm searchTerm = StringUtils.isNotBlank(searchString) ? new SearchTerm(searchString) : null;
    final Sorting sorting = Sorting.parse(sortBy, sortDirection);
    final Paging paging = Paging.of(startFrom, pageSize);
    ValidatedRpkiObjects.ValidatedObjects<ValidatedRpkiObjects.RoaPrefix> currentlyValidatedRoaPrefixes = validatedRpkiObjects.findCurrentlyValidatedRoaPrefixes(searchTerm, sorting, paging);
    final Stream<RoaPrefix> roas = currentlyValidatedRoaPrefixes.getObjects().map(prefix -> new RoaPrefix(prefix.getAsn().toString(), prefix.getPrefix().toString(), prefix.getEffectiveLength(), prefix.getTrustAnchor().getName(), prefix.getLocations().first()));
    int totalSize = currentlyValidatedRoaPrefixes.getTotalCount();
    final Links links = Paging.links(startFrom, pageSize, totalSize, (sf, ps) -> methodOn(ValidatedRoasController.class).list(sf, ps, searchString, sortBy, sortDirection));
    return ResponseEntity.ok(ApiResponse.<Stream<RoaPrefix>>builder().links(links).metadata(Metadata.of(totalSize)).data(roas).build());
}
Also used : ValidatedRpkiObjects(net.ripe.rpki.validator3.domain.ValidatedRpkiObjects) Paging(net.ripe.rpki.validator3.api.Paging) Links(org.springframework.hateoas.Links) SearchTerm(net.ripe.rpki.validator3.api.SearchTerm) Sorting(net.ripe.rpki.validator3.api.Sorting) GetMapping(org.springframework.web.bind.annotation.GetMapping)

Aggregations

Collections (java.util.Collections)2 List (java.util.List)2 Value (lombok.Value)2 Asn (net.ripe.ipresource.Asn)2 IpRange (net.ripe.ipresource.IpRange)2 ValidatedRpkiObjects (net.ripe.rpki.validator3.domain.ValidatedRpkiObjects)2 Links (org.springframework.hateoas.Links)2 GetMapping (org.springframework.web.bind.annotation.GetMapping)2 Resources (com.google.common.io.Resources)1 ApiModelProperty (io.swagger.annotations.ApiModelProperty)1 IOException (java.io.IOException)1 BigInteger (java.math.BigInteger)1 URI (java.net.URI)1 KeyPair (java.security.KeyPair)1 PublicKey (java.security.PublicKey)1 Security (java.security.Security)1 ArrayList (java.util.ArrayList)1 Collection (java.util.Collection)1 EnumSet (java.util.EnumSet)1 Locale (java.util.Locale)1