
Example 6 with RpkiObject

use of net.ripe.rpki.validator3.domain.RpkiObject in project rpki-validator-3 by RIPE-NCC.

From class TrustAnchorsFactory, method createCertificateAuthority:

/**
 * Creates the full object set for {@code ca} — its CA certificate, CRL, optional
 * child CA certificates, optional ROAs and the manifest — registers each object in
 * {@code rpkiObjects} under its publication URI, and returns the CA certificate.
 *
 * <p>Ordering is deliberate: the CRL, each child certificate and each ROA are added
 * to the manifest builder before the manifest is signed (with a freshly generated
 * EE key pair) as the very last object.
 *
 * @param ca                authority to build objects for; {@code children} and
 *                          {@code roaPrefixes} may be {@code null}
 * @param issuer            parent authority whose key signs {@code ca}'s certificate
 * @param mftValidityPeriod validity of the manifest EE certificate (caller-controlled,
 *                          unlike the CRL/manifest update window which is fixed at 8h)
 * @return the certificate issued to {@code ca}
 */
public X509ResourceCertificate createCertificateAuthority(CertificateAuthority ca, CertificateAuthority issuer, ValidityPeriod mftValidityPeriod) {
    ManifestCmsBuilder mft = new ManifestCmsBuilder();
    X509ResourceCertificate caCert = createCaCertificate(ca, ca.keyPair.getPublic(), issuer.dn, issuer.crlDistributionPoint, issuer.keyPair);

    // CRL signed by the CA key, numbered from the shared serial counter, next update in 8 hours.
    X509Crl caCrl = new X509CrlBuilder()
        .withIssuerDN(caCert.getSubject())
        .withThisUpdateTime(DateTime.now())
        .withNextUpdateTime(DateTime.now().plusHours(8))
        .withAuthorityKeyIdentifier(ca.keyPair.getPublic())
        .withNumber(nextSerial())
        .build(ca.keyPair.getPrivate());
    rpkiObjects.add(new RpkiObject(ca.crlDistributionPoint, caCrl));
    // Manifest entries are bare file names: use the last path segment of the CRL distribution point.
    String crlFileName = ca.crlDistributionPoint.substring(ca.crlDistributionPoint.lastIndexOf('/') + 1);
    mft.addFile(crlFileName, caCrl.getEncoded());

    if (ca.children != null) {
        for (CertificateAuthority child : ca.children) {
            // Recurses through the two-argument overload, which lives outside this method.
            X509ResourceCertificate childCert = createCertificateAuthority(child, ca);
            String childFileName = child.dn + ".cer";
            rpkiObjects.add(new RpkiObject(ca.repositoryURI + "/" + childFileName, childCert));
            mft.addFile(childFileName, childCert.getEncoded());
        }
    }

    if (ca.roaPrefixes != null) {
        // One ROA (with its own EE certificate and key) per ASN, covering every prefix configured for it.
        ca.roaPrefixes.stream().collect(groupingBy(RoaPrefix::getAsn)).forEach((asn, prefixesForAsn) -> {
            KeyPair roaKeyPair = KEY_PAIR_FACTORY.generate();
            IpResourceSet roaResources = new IpResourceSet();
            for (RoaPrefix prefix : prefixesForAsn) {
                roaResources.add(IpRange.parse(prefix.getPrefix()));
            }
            X509ResourceCertificate roaEeCert = new X509ResourceCertificateBuilder()
                .withResources(roaResources)
                .withIssuerDN(new X500Principal(ca.dn))
                .withSubjectDN(new X500Principal("CN=AS" + asn + ", CN=roa, " + ca.dn))
                .withValidityPeriod(typicalValidityPeriod())
                .withPublicKey(roaKeyPair.getPublic())
                .withSigningKeyPair(ca.keyPair)
                .withCa(false)
                .withKeyUsage(KeyUsage.digitalSignature)
                .withSerial(nextSerial())
                .withCrlDistributionPoints(URI.create(ca.crlDistributionPoint))
                .build();
            RoaCms roa = new RoaCmsBuilder()
                .withAsn(new Asn(asn))
                .withPrefixes(prefixesForAsn.stream()
                    .map(p -> new net.ripe.rpki.commons.crypto.cms.roa.RoaPrefix(IpRange.parse(p.getPrefix()), p.getMaximumLength()))
                    .collect(toList()))
                .withCertificate(roaEeCert)
                .withSignatureProvider(BouncyCastleProvider.PROVIDER_NAME)
                .build(roaKeyPair.getPrivate());
            String roaFileName = "AS" + asn + ".roa";
            rpkiObjects.add(new RpkiObject(ca.repositoryURI + "/" + roaFileName, roa));
            mft.addFile(roaFileName, roa.getEncoded());
        });
    }

    // Manifest EE certificate: inherits all resource types from the CA; validity comes from the caller.
    KeyPair mftKeyPair = KEY_PAIR_FACTORY.generate();
    X509ResourceCertificate mftEeCert = new X509ResourceCertificateBuilder()
        .withInheritedResourceTypes(EnumSet.allOf(IpResourceType.class))
        .withIssuerDN(caCert.getSubject())
        .withSubjectDN(new X500Principal("CN=manifest, " + caCert.getSubject()))
        .withValidityPeriod(mftValidityPeriod)
        .withPublicKey(mftKeyPair.getPublic())
        .withSigningKeyPair(ca.keyPair)
        .withCa(false)
        .withKeyUsage(KeyUsage.digitalSignature)
        .withSerial(nextSerial())
        .withCrlDistributionPoints(URI.create(ca.crlDistributionPoint))
        .build();
    mft.withCertificate(mftEeCert)
        .withManifestNumber(nextSerial())
        .withThisUpdateTime(DateTime.now())
        .withNextUpdateTime(DateTime.now().plusHours(8));
    ManifestCms manifest = mft.build(mftKeyPair.getPrivate());
    rpkiObjects.add(new RpkiObject(ca.manifestURI, manifest));

    return caCert;
}

Example 7 with RpkiObject

use of net.ripe.rpki.validator3.domain.RpkiObject in project rpki-validator-3 by RIPE-NCC.

From class RrdpServiceTest, method should_parse_notification_use_decline_delta_with_different_session_id_and_fallback_to_snapshot:

/**
 * A delta whose session id differs from the notification's must be declined: the
 * run records a single {@code RRDP_FETCH_DELTAS} warning naming the mismatch and the
 * repository falls back to the snapshot, so only the snapshot's CRL is stored — not
 * the certificate the rejected delta would have added.
 */
@Test
public void should_parse_notification_use_decline_delta_with_different_session_id_and_fallback_to_snapshot() {
    final long serial = 2;
    final String sessionId = UUID.randomUUID().toString();
    final String wrongSessionId = UUID.randomUUID().toString();
    final byte[] certificate = Objects.aParseableCertificate();

    // Snapshot (correct session id) publishes only a CRL.
    final Objects.Publish crlPublish = new Objects.Publish("rsync://host/path/crl1.crl", Objects.aParseableCrl());
    rrdpClient.add(crlPublish.uri, crlPublish.content);
    final byte[] snapshotXml = Objects.snapshotXml(serial, sessionId, crlPublish);
    final Objects.SnapshotInfo snapshotInfo = new Objects.SnapshotInfo("https://host/path/snapshot.xml", Sha256.hash(snapshotXml));
    rrdpClient.add(snapshotInfo.uri, snapshotXml);

    // Delta (wrong session id) publishes a certificate.
    final Objects.DeltaPublish certPublish = new Objects.DeltaPublish("rsync://host/path/cert.cer", certificate);
    final byte[] deltaXml = Objects.deltaXml(serial, wrongSessionId, certPublish);
    final Objects.DeltaInfo deltaInfo = new Objects.DeltaInfo("https://host/path/delta1.xml", Sha256.hash(deltaXml), serial);
    rrdpClient.add(deltaInfo.uri, deltaXml);

    final String notificationUri = "https://rrdp.ripe.net/notification.xml";
    rrdpClient.add(notificationUri, Objects.notificationXml(serial, sessionId, snapshotInfo, deltaInfo));

    final TrustAnchor trustAnchor = TestObjects.newTrustAnchor();
    entityManager.persist(trustAnchor);
    // Repository sits one serial behind with the matching session id, so the delta path is attempted first.
    final RpkiRepository repository = new RpkiRepository(trustAnchor, notificationUri, RpkiRepository.Type.RRDP);
    repository.setRrdpSerial(BigInteger.valueOf(serial - 1));
    repository.setRrdpSessionId(sessionId);
    entityManager.persist(repository);

    final RrdpRepositoryValidationRun run = new RrdpRepositoryValidationRun(repository);
    subject.storeRepository(repository, run);

    // Exactly one warning, attached to the notification URI, describing the session id mismatch.
    assertEquals(1, run.getValidationChecks().size());
    final ValidationCheck check = run.getValidationChecks().get(0);
    assertEquals(ErrorCodes.RRDP_FETCH_DELTAS, check.getKey());
    assertEquals(ValidationCheck.Status.WARNING, check.getStatus());
    assertEquals(repository.getRrdpNotifyUri(), check.getLocation());
    final String message = check.getParameters().get(0);
    assertTrue(message.contains("Session id of the delta"));
    assertTrue(message.contains("is not the same as in the notification file: " + sessionId));

    // Fallback to the snapshot: the only stored object is the CRL, at its rsync location.
    final List<RpkiObject> stored = rrdpObjectsSnapshot();
    assertEquals(1, stored.size());
    final RpkiObject storedObject = stored.get(0);
    assertEquals(RpkiObject.Type.CRL, storedObject.getType());
    assertEquals(Sets.newHashSet("rsync://host/path/crl1.crl"), storedObject.getLocations());
}

/** Collects everything currently held by {@code rpkiObjects} into a list. */
private List<RpkiObject> rrdpObjectsSnapshot() {
    return rpkiObjects.all().collect(Collectors.toList());
}

Example 8 with RpkiObject

use of net.ripe.rpki.validator3.domain.RpkiObject in project rpki-validator-3 by RIPE-NCC.

From class RrdpServiceTest, method should_parse_notification_use_delta_add_and_replace_an_object:

/**
 * Two consecutive deltas — the second republishing the same URI while quoting the
 * hash of the first publication — must be applied on top of an empty snapshot and
 * leave exactly one stored object, with no validation checks raised.
 */
@Test
public void should_parse_notification_use_delta_add_and_replace_an_object() {
    final String sessionId = UUID.randomUUID().toString();
    final byte[] certificate = Objects.aParseableCertificate();

    // Empty snapshot at serial 3.
    final byte[] snapshotXml = Objects.snapshotXml(3, sessionId);
    final Objects.SnapshotInfo snapshotInfo = new Objects.SnapshotInfo("https://host/path/snapshot.xml", Sha256.hash(snapshotXml));
    rrdpClient.add(snapshotInfo.uri, snapshotXml);

    // Delta 2 publishes the certificate; delta 3 replaces it, referencing the previous content hash.
    final Objects.DeltaPublish firstPublish = new Objects.DeltaPublish("rsync://host/path/cert.cer", certificate);
    final Objects.DeltaPublish replacingPublish = new Objects.DeltaPublish("rsync://host/path/cert.cer", Sha256.hash(firstPublish.content), certificate);
    final byte[] deltaXml1 = Objects.deltaXml(2, sessionId, firstPublish);
    final byte[] deltaXml2 = Objects.deltaXml(3, sessionId, replacingPublish);
    final Objects.DeltaInfo deltaInfo1 = new Objects.DeltaInfo("https://host/path/delta1.xml", Sha256.hash(deltaXml1), 2);
    final Objects.DeltaInfo deltaInfo2 = new Objects.DeltaInfo("https://host/path/delta2.xml", Sha256.hash(deltaXml2), 3);
    rrdpClient.add(deltaInfo1.uri, deltaXml1);
    rrdpClient.add(deltaInfo2.uri, deltaXml2);

    final String notificationUri = "https://rrdp.ripe.net/notification.xml";
    rrdpClient.add(notificationUri, Objects.notificationXml(3, sessionId, snapshotInfo, deltaInfo1, deltaInfo2));

    final TrustAnchor trustAnchor = TestObjects.newTrustAnchor();
    entityManager.persist(trustAnchor);
    // makeRpkiRepository (defined elsewhere in this test class) is expected to leave the
    // current serial below the notification's so that the deltas are fetched.
    final RpkiRepository repository = makeRpkiRepository(sessionId, notificationUri, trustAnchor);

    final RrdpRepositoryValidationRun run = new RrdpRepositoryValidationRun(repository);
    subject.storeRepository(repository, run);

    // Clean run: no checks, and the add+replace collapses to a single stored object.
    assertEquals(0, run.getValidationChecks().size());
    final List<RpkiObject> stored = rpkiObjects.all().collect(Collectors.toList());
    assertEquals(1, stored.size());
}

Example 9 with RpkiObject

use of net.ripe.rpki.validator3.domain.RpkiObject in project rpki-validator-3 by RIPE-NCC.

From class RrdpServiceTest, method should_parse_notification_use_delta_the_last_delta_serial_is_not_matching_fallback_to_snapshot:

/**
 * When the highest delta serial (3) does not reach the notification serial (4) the
 * delta chain is unusable: the run records one {@code RRDP_FETCH_DELTAS} warning
 * with the exact serial mismatch text and the content is taken from the snapshot,
 * so only the snapshot's CRL ends up stored.
 */
@Test
public void should_parse_notification_use_delta_the_last_delta_serial_is_not_matching_fallback_to_snapshot() {
    final String sessionId = UUID.randomUUID().toString();
    final byte[] certificate = Objects.aParseableCertificate();

    // Snapshot at serial 4 publishes only a CRL.
    final Objects.Publish crlPublish = new Objects.Publish("rsync://host/path/crl1.crl", Objects.aParseableCrl());
    rrdpClient.add(crlPublish.uri, crlPublish.content);
    final byte[] snapshotXml = Objects.snapshotXml(4, sessionId, crlPublish);
    final Objects.SnapshotInfo snapshotInfo = new Objects.SnapshotInfo("https://host/path/snapshot.xml", Sha256.hash(snapshotXml));
    rrdpClient.add(snapshotInfo.uri, snapshotXml);

    // Deltas 2 and 3 publish then replace a certificate; no delta 4 exists.
    final Objects.DeltaPublish firstPublish = new Objects.DeltaPublish("rsync://host/path/cert.cer", certificate);
    final Objects.DeltaPublish replacingPublish = new Objects.DeltaPublish("rsync://host/path/cert.cer", Sha256.hash(firstPublish.content), certificate);
    final byte[] deltaXml1 = Objects.deltaXml(2, sessionId, firstPublish);
    final byte[] deltaXml2 = Objects.deltaXml(3, sessionId, replacingPublish);
    final Objects.DeltaInfo deltaInfo1 = new Objects.DeltaInfo("https://host/path/delta1.xml", Sha256.hash(deltaXml1), 2);
    final Objects.DeltaInfo deltaInfo2 = new Objects.DeltaInfo("https://host/path/delta2.xml", Sha256.hash(deltaXml2), 3);
    rrdpClient.add(deltaInfo1.uri, deltaXml1);
    rrdpClient.add(deltaInfo2.uri, deltaXml2);

    final String notificationUri = "https://rrdp.ripe.net/notification.xml";
    rrdpClient.add(notificationUri, Objects.notificationXml(4, sessionId, snapshotInfo, deltaInfo1, deltaInfo2));

    final TrustAnchor trustAnchor = TestObjects.newTrustAnchor();
    entityManager.persist(trustAnchor);
    // makeRpkiRepository (defined elsewhere in this test class) is expected to leave the
    // current serial below the notification's so that the delta path is attempted first.
    final RpkiRepository repository = makeRpkiRepository(sessionId, notificationUri, trustAnchor);

    final RrdpRepositoryValidationRun run = new RrdpRepositoryValidationRun(repository);
    subject.storeRepository(repository, run);

    // One warning on the notification URI with the exact serial-gap message.
    assertEquals(1, run.getValidationChecks().size());
    final ValidationCheck check = run.getValidationChecks().get(0);
    assertEquals(ErrorCodes.RRDP_FETCH_DELTAS, check.getKey());
    assertEquals(ValidationCheck.Status.WARNING, check.getStatus());
    assertEquals(repository.getRrdpNotifyUri(), check.getLocation());
    assertEquals("The last delta serial is 3, notification file serial is 4", check.getParameters().get(0));

    // Fallback to the snapshot: the only stored object is the CRL, at its rsync location.
    final List<RpkiObject> stored = rpkiObjects.all().collect(Collectors.toList());
    assertEquals(1, stored.size());
    final RpkiObject storedObject = stored.get(0);
    assertEquals(RpkiObject.Type.CRL, storedObject.getType());
    assertEquals(Sets.newHashSet("rsync://host/path/crl1.crl"), storedObject.getLocations());
}

Example 10 with RpkiObject

use of net.ripe.rpki.validator3.domain.RpkiObject in project rpki-validator-3 by RIPE-NCC.

From class RrdpService, method applyDeltaWithdraw:

/**
 * Applies a single {@code withdraw} element of an RRDP delta.
 *
 * <p>The stored object is looked up by the hash carried in the delta, not by URI,
 * so a withdraw for a hash that is not in the store cannot be honoured: it is
 * recorded on the run as an {@code RRDP_WITHDRAW_NONEXISTENT_OBJECT} error whose
 * location is {@code uri} and whose parameter is the hex-formatted hash. When the
 * object is found only the given location is removed from it; whether an object
 * left with no locations is purged is not decided here.
 *
 * @param validationRun run that collects the resulting validation checks
 * @param uri           publication URI being withdrawn
 * @param deltaWithdraw parsed withdraw element carrying the expected object hash
 */
private void applyDeltaWithdraw(RpkiRepositoryValidationRun validationRun, String uri, DeltaWithdraw deltaWithdraw) {
    final Optional<RpkiObject> existing = rpkiObjectRepository.findBySha256(deltaWithdraw.getHash());
    if (!existing.isPresent()) {
        // Unknown hash: nothing to withdraw, report it rather than silently ignoring the element.
        validationRun.addCheck(new ValidationCheck(
            validationRun, uri, ValidationCheck.Status.ERROR,
            ErrorCodes.RRDP_WITHDRAW_NONEXISTENT_OBJECT, Hex.format(deltaWithdraw.getHash())));
        return;
    }
    existing.get().removeLocation(uri);
}
