Example 21 with TrustAnchor
use of net.ripe.rpki.validator3.domain.TrustAnchor in project rpki-validator-3 by RIPE-NCC.
the class JPARpkiRepositories method removeAllForTrustAnchor.
@Override
public void removeAllForTrustAnchor(TrustAnchor trustAnchor) {
for (RpkiRepository repository : select().where(rpkiRepository.trustAnchors.contains(trustAnchor)).fetch()) {
repository.removeTrustAnchor(trustAnchor);
if (repository.getTrustAnchors().isEmpty()) {
if (repository.getType() == RpkiRepository.Type.RRDP) {
quartzValidationScheduler.removeRpkiRepository(repository);
}
validationRuns.removeAllForRpkiRepository(repository);
entityManager.remove(repository);
}
}
}
Also used :
RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository)
Example 22 with TrustAnchor
use of net.ripe.rpki.validator3.domain.TrustAnchor in project rpki-validator-3 by RIPE-NCC.
the class ValidatedRpkiObjects method initialize.
@PostConstruct
private synchronized void initialize() {
new TransactionTemplate(transactionManager).execute((status) -> {
Map<@NotNull @Valid TrustAnchor, List<RpkiObject>> grouped = Stream.concat(rpkiObjects.findCurrentlyValidated(RpkiObject.Type.ROA), rpkiObjects.findCurrentlyValidated(RpkiObject.Type.ROUTER_CER)).collect(Collectors.groupingBy(pair -> pair.getLeft().getTrustAnchor(), Collectors.mapping(pair -> pair.getRight(), Collectors.toList())));
grouped.forEach(this::update);
return null;
});
}
Also used :
X509RouterCertificate(net.ripe.rpki.commons.crypto.x509cert.X509RouterCertificate)
Autowired(org.springframework.beans.factory.annotation.Autowired)
HashMap(java.util.HashMap)
Value(lombok.Value)
ArrayList(java.util.ArrayList)
Sorting(net.ripe.rpki.validator3.api.Sorting)
Valid(javax.validation.Valid)
Asn(net.ripe.ipresource.Asn)
Paging(net.ripe.rpki.validator3.api.Paging)
ImmutableList(com.google.common.collect.ImmutableList)
Pair(org.apache.commons.lang3.tuple.Pair)
Map(java.util.Map)
Transactions(net.ripe.rpki.validator3.util.Transactions)
ImmutableSortedSet(com.google.common.collect.ImmutableSortedSet)
ImmutableSet(com.google.common.collect.ImmutableSet)
Transactional(javax.transaction.Transactional)
IpRange(net.ripe.ipresource.IpRange)
Collection(java.util.Collection)
NotNull(javax.validation.constraints.NotNull)
Collectors(java.util.stream.Collectors)
Consumer(java.util.function.Consumer)
Slf4j(lombok.extern.slf4j.Slf4j)
Component(org.springframework.stereotype.Component)
Base64(java.util.Base64)
List(java.util.List)
Stream(java.util.stream.Stream)
PlatformTransactionManager(org.springframework.transaction.PlatformTransactionManager)
TransactionTemplate(org.springframework.transaction.support.TransactionTemplate)
PostConstruct(javax.annotation.PostConstruct)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
SearchTerm(net.ripe.rpki.validator3.api.SearchTerm)
Optional(java.util.Optional)
X509CertificateUtil(net.ripe.rpki.commons.crypto.x509cert.X509CertificateUtil)
TransactionTemplate(org.springframework.transaction.support.TransactionTemplate)
ArrayList(java.util.ArrayList)
ImmutableList(com.google.common.collect.ImmutableList)
List(java.util.List)
PostConstruct(javax.annotation.PostConstruct)
Example 23 with TrustAnchor
use of net.ripe.rpki.validator3.domain.TrustAnchor in project rpki-validator-3 by RIPE-NCC.
the class RpkiObjectCleanupService method cleanupRpkiObjects.
/**
* Marks all RPKI objects that are reachable from a trust anchor by following the entries in the manifests.
* Objects that are no longer reachable will be deleted after a configurable grace duration.
*/
@Scheduled(initialDelay = 60_000, fixedDelayString = "${rpki.validator.rpki.object.cleanup.interval.ms}")
public long cleanupRpkiObjects() {
Instant now = Instant.now();
for (TrustAnchor trustAnchor : trustAnchors.findAll()) {
transactionTemplate.execute((status) -> {
entityManager.setFlushMode(FlushModeType.COMMIT);
log.debug("tracing objects for trust anchor {}", trustAnchor);
X509ResourceCertificate resourceCertificate = trustAnchor.getCertificate();
if (resourceCertificate != null) {
traceCertificateAuthority(now, resourceCertificate);
}
return null;
});
}
return deleteUnreachableObjects(now);
}
Also used :
Instant(java.time.Instant)
TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor)
X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)
Scheduled(org.springframework.scheduling.annotation.Scheduled)
Example 24 with TrustAnchor
use of net.ripe.rpki.validator3.domain.TrustAnchor in project rpki-validator-3 by RIPE-NCC.
the class CertificateTreeValidationService method validateCertificateAuthority.
private List<RpkiObject> validateCertificateAuthority(TrustAnchor trustAnchor, Map<URI, RpkiRepository> registeredRepositories, CertificateRepositoryObjectValidationContext context, ValidationResult validationResult) {
final List<RpkiObject> validatedObjects = new ArrayList<>();
ValidationLocation certificateLocation = validationResult.getCurrentLocation();
ValidationResult temporary = ValidationResult.withLocation(certificateLocation);
try {
RpkiRepository rpkiRepository = registerRepository(trustAnchor, registeredRepositories, context);
temporary.warnIfTrue(rpkiRepository.isPending(), VALIDATOR_RPKI_REPOSITORY_PENDING, rpkiRepository.getLocationUri());
if (rpkiRepository.isPending()) {
return validatedObjects;
}
X509ResourceCertificate certificate = context.getCertificate();
URI manifestUri = certificate.getManifestUri();
temporary.setLocation(new ValidationLocation(manifestUri));
Optional<RpkiObject> manifestObject = rpkiObjects.findLatestByTypeAndAuthorityKeyIdentifier(RpkiObject.Type.MFT, context.getSubjectKeyIdentifier());
if (!manifestObject.isPresent()) {
if (rpkiRepository.getStatus() == RpkiRepository.Status.FAILED) {
temporary.error(ValidationString.VALIDATOR_NO_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
} else {
temporary.error(ValidationString.VALIDATOR_NO_LOCAL_MANIFEST_NO_MANIFEST_IN_REPOSITORY, rpkiRepository.getLocationUri());
}
}
Optional<ManifestCms> maybeManifest = manifestObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), ManifestCms.class, temporary));
temporary.rejectIfTrue(manifestObject.isPresent() && rpkiRepository.getStatus() == RpkiRepository.Status.FAILED && maybeManifest.isPresent() && maybeManifest.get().isPastValidityTime(), ValidationString.VALIDATOR_OLD_LOCAL_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
ManifestCms manifest = maybeManifest.get();
List<Map.Entry<String, byte[]>> crlEntries = manifest.getFiles().entrySet().stream().filter((entry) -> RepositoryObjectType.parse(entry.getKey()) == RepositoryObjectType.Crl).collect(toList());
temporary.rejectIfFalse(crlEntries.size() == 1, VALIDATOR_MANIFEST_CONTAINS_ONE_CRL_ENTRY, String.valueOf(crlEntries.size()));
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
Map.Entry<String, byte[]> crlEntry = crlEntries.get(0);
URI crlUri = manifestUri.resolve(crlEntry.getKey());
Optional<RpkiObject> crlObject = rpkiObjects.findBySha256(crlEntry.getValue());
temporary.rejectIfFalse(crlObject.isPresent(), VALIDATOR_CRL_FOUND, crlUri.toASCIIString());
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
temporary.setLocation(new ValidationLocation(crlUri));
Optional<X509Crl> crl = crlObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), X509Crl.class, temporary));
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
crl.get().validate(crlUri.toASCIIString(), context, null, VALIDATION_OPTIONS, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
temporary.setLocation(new ValidationLocation(manifestUri));
manifest.validate(manifestUri.toASCIIString(), context, crl.get(), manifest.getCrlUri(), VALIDATION_OPTIONS, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return validatedObjects;
}
validatedObjects.add(manifestObject.get());
Map<URI, RpkiObject> manifestEntries = retrieveManifestEntries(manifest, manifestUri, temporary);
manifestEntries.forEach((location, obj) -> {
temporary.setLocation(new ValidationLocation(location));
Optional<CertificateRepositoryObject> maybeCertificateRepositoryObject = rpkiObjects.findCertificateRepositoryObject(obj.getId(), CertificateRepositoryObject.class, temporary);
if (temporary.hasFailureForCurrentLocation()) {
return;
}
maybeCertificateRepositoryObject.ifPresent(certificateRepositoryObject -> {
certificateRepositoryObject.validate(location.toASCIIString(), context, crl.get(), crlUri, VALIDATION_OPTIONS, temporary);
if (!temporary.hasFailureForCurrentLocation()) {
validatedObjects.add(obj);
}
if (certificateRepositoryObject instanceof X509ResourceCertificate && ((X509ResourceCertificate) certificateRepositoryObject).isCa() && !temporary.hasFailureForCurrentLocation()) {
CertificateRepositoryObjectValidationContext childContext = context.createChildContext(location, (X509ResourceCertificate) certificateRepositoryObject);
validatedObjects.addAll(validateCertificateAuthority(trustAnchor, registeredRepositories, childContext, temporary));
}
});
});
} catch (Exception e) {
log.debug("e", e);
validationResult.error(ErrorCodes.UNHANDLED_EXCEPTION, e.toString(), ExceptionUtils.getStackTrace(e));
} finally {
validationResult.addAll(temporary);
}
return validatedObjects;
}
Also used :
RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository)
ValidationRuns(net.ripe.rpki.validator3.domain.ValidationRuns)
Arrays(java.util.Arrays)
CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject)
Autowired(org.springframework.beans.factory.annotation.Autowired)
FlushModeType(javax.persistence.FlushModeType)
HashMap(java.util.HashMap)
ErrorCodes(net.ripe.rpki.validator3.domain.ErrorCodes)
ArrayList(java.util.ArrayList)
ValidationOptions(net.ripe.rpki.commons.validation.ValidationOptions)
LinkedHashMap(java.util.LinkedHashMap)
RpkiRepositories(net.ripe.rpki.validator3.domain.RpkiRepositories)
CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext)
X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)
RpkiObjects(net.ripe.rpki.validator3.domain.RpkiObjects)
Service(org.springframework.stereotype.Service)
Map(java.util.Map)
URI(java.net.URI)
Objects(com.google.common.base.Objects)
CertificateTreeValidationRun(net.ripe.rpki.validator3.domain.CertificateTreeValidationRun)
TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor)
ValidationStatus(net.ripe.rpki.commons.validation.ValidationStatus)
ValidatedRpkiObjects(net.ripe.rpki.validator3.domain.ValidatedRpkiObjects)
Transactional(javax.transaction.Transactional)
TrustAnchors(net.ripe.rpki.validator3.domain.TrustAnchors)
RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject)
EntityManager(javax.persistence.EntityManager)
X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl)
RepositoryObjectType(net.ripe.rpki.commons.util.RepositoryObjectType)
ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation)
Slf4j(lombok.extern.slf4j.Slf4j)
List(java.util.List)
Collectors.toList(java.util.stream.Collectors.toList)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
Optional(java.util.Optional)
Settings(net.ripe.rpki.validator3.domain.Settings)
ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms)
ValidationString(net.ripe.rpki.commons.validation.ValidationString)
ExceptionUtils(org.apache.commons.lang3.exception.ExceptionUtils)
X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl)
CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext)
RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository)
ArrayList(java.util.ArrayList)
ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation)
ValidationString(net.ripe.rpki.commons.validation.ValidationString)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
URI(java.net.URI)
RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject)
ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms)
CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject)
X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate)
HashMap(java.util.HashMap)
LinkedHashMap(java.util.LinkedHashMap)
Map(java.util.Map)
Example 25 with TrustAnchor
use of net.ripe.rpki.validator3.domain.TrustAnchor in project rpki-validator-3 by RIPE-NCC.
the class RpkiRepositoryValidationService method validateRsyncRepositories.
@Scheduled(initialDelay = 10_000, fixedDelay = 10_000)
public void validateRsyncRepositories() {
entityManager.setFlushMode(FlushModeType.COMMIT);
Instant cutoffTime = Instant.now().minus(rsyncRepositoryDownloadInterval);
log.info("updating all rsync repositories that have not been downloaded since {}", cutoffTime);
Set<TrustAnchor> affectedTrustAnchors = new HashSet<>();
final RsyncRepositoryValidationRun validationRun = new RsyncRepositoryValidationRun();
validationRunRepository.add(validationRun);
Stream<RpkiRepository> repositories = rpkiRepositories.findRsyncRepositories();
Map<String, RpkiObject> objectsBySha256 = new HashMap<>();
Map<URI, RpkiRepository> fetchedLocations = new HashMap<>();
ValidationResult results = repositories.filter((repository) -> {
boolean needsUpdate = repository.isPending() || repository.getLastDownloadedAt() == null || repository.getLastDownloadedAt().isBefore(cutoffTime);
if (!needsUpdate) {
fetchedLocations.put(URI.create(repository.getRsyncRepositoryUri()), repository);
}
return needsUpdate;
}).map((repository) -> processRsyncRepository(affectedTrustAnchors, validationRun, fetchedLocations, objectsBySha256, repository)).collect(() -> ValidationResult.withLocation("placeholder"), ValidationResult::addAll, ValidationResult::addAll);
validationRun.completeWith(results);
affectedTrustAnchors.forEach(validationRunRepository::runCertificateTreeValidation);
}
Also used :
RsyncRepositoryValidationRun(net.ripe.rpki.validator3.domain.RsyncRepositoryValidationRun)
RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository)
ValidationRuns(net.ripe.rpki.validator3.domain.ValidationRuns)
CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject)
RpkiRepositoryValidationRun(net.ripe.rpki.validator3.domain.RpkiRepositoryValidationRun)
RsyncRepositoryValidationRun(net.ripe.rpki.validator3.domain.RsyncRepositoryValidationRun)
Autowired(org.springframework.beans.factory.annotation.Autowired)
ArrayUtils(org.apache.commons.lang3.ArrayUtils)
FlushModeType(javax.persistence.FlushModeType)
HashMap(java.util.HashMap)
Scheduled(org.springframework.scheduling.annotation.Scheduled)
CertificateRepositoryObjectFactory(net.ripe.rpki.commons.crypto.util.CertificateRepositoryObjectFactory)
ErrorCodes(net.ripe.rpki.validator3.domain.ErrorCodes)
Value(org.springframework.beans.factory.annotation.Value)
HashSet(java.util.HashSet)
RpkiRepositories(net.ripe.rpki.validator3.domain.RpkiRepositories)
RpkiObjects(net.ripe.rpki.validator3.domain.RpkiObjects)
Service(org.springframework.stereotype.Service)
Locale(java.util.Locale)
Duration(java.time.Duration)
Map(java.util.Map)
Sha256(net.ripe.rpki.validator3.util.Sha256)
URI(java.net.URI)
Path(java.nio.file.Path)
SimpleFileVisitor(java.nio.file.SimpleFileVisitor)
TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor)
Rsync(net.ripe.rpki.commons.rsync.Rsync)
Transactional(javax.transaction.Transactional)
Files(java.nio.file.Files)
RrdpService(net.ripe.rpki.validator3.rrdp.RrdpService)
Hex(net.ripe.rpki.validator3.util.Hex)
RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject)
Set(java.util.Set)
IOException(java.io.IOException)
RrdpRepositoryValidationRun(net.ripe.rpki.validator3.domain.RrdpRepositoryValidationRun)
EntityManager(javax.persistence.EntityManager)
BasicFileAttributes(java.nio.file.attribute.BasicFileAttributes)
Instant(java.time.Instant)
File(java.io.File)
ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation)
FileVisitResult(java.nio.file.FileVisitResult)
Slf4j(lombok.extern.slf4j.Slf4j)
Stream(java.util.stream.Stream)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
RsyncUtils(net.ripe.rpki.validator3.util.RsyncUtils)
ExceptionUtils(org.apache.commons.lang3.exception.ExceptionUtils)
RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository)
HashMap(java.util.HashMap)
Instant(java.time.Instant)
TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor)
ValidationResult(net.ripe.rpki.commons.validation.ValidationResult)
URI(java.net.URI)
RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject)
HashSet(java.util.HashSet)
Scheduled(org.springframework.scheduling.annotation.Scheduled)
Aggregations
TrustAnchor (net.ripe.rpki.validator3.domain.TrustAnchor)36
IntegrationTest (net.ripe.rpki.validator3.IntegrationTest)23
RpkiRepository (net.ripe.rpki.validator3.domain.RpkiRepository)23
Test (org.junit.Test)23
RpkiObject (net.ripe.rpki.validator3.domain.RpkiObject)15
RpkiObjects (net.ripe.rpki.validator3.domain.RpkiObjects)15
ValidationCheck (net.ripe.rpki.validator3.domain.ValidationCheck)14
CertificateTreeValidationRun (net.ripe.rpki.validator3.domain.CertificateTreeValidationRun)10
RrdpRepositoryValidationRun (net.ripe.rpki.validator3.domain.RrdpRepositoryValidationRun)10
Autowired (org.springframework.beans.factory.annotation.Autowired)10
List (java.util.List)9
Transactional (javax.transaction.Transactional)9
TestObjects (net.ripe.rpki.validator3.TestObjects)9
URI (java.net.URI)8
ValidationResult (net.ripe.rpki.commons.validation.ValidationResult)8
EntityManager (javax.persistence.EntityManager)7
Optional (java.util.Optional)6
RpkiRepositories (net.ripe.rpki.validator3.domain.RpkiRepositories)6
TrustAnchors (net.ripe.rpki.validator3.domain.TrustAnchors)6
ValidationRuns (net.ripe.rpki.validator3.domain.ValidationRuns)6
