Example 1 with CertificateServer

Use of org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer in project ozone by apache.

From class TestDefaultCAServer, method testRequestCertificate:

/**
 * The most important test of this test suite. It verifies that we are able
 * to create a test CA, have it create its own self-signed CA certificate, and
 * then issue a certificate based on a CSR.
 * @throws SCMSecurityException - on ERROR.
 * @throws ExecutionException - on ERROR.
 * @throws InterruptedException - on ERROR.
 * @throws NoSuchProviderException - on ERROR.
 * @throws NoSuchAlgorithmException - on ERROR.
 */
@Test
public void testRequestCertificate() throws IOException, ExecutionException,
    InterruptedException, NoSuchProviderException, NoSuchAlgorithmException {
    String scmId = RandomStringUtils.randomAlphabetic(4);
    String clusterId = RandomStringUtils.randomAlphabetic(4);
    KeyPair keyPair = new HDDSKeyGenerator(conf).generateKey();
    // Build a CSR with SAN entries (DNS name, IP address, service name) for a
    // non-CA end-entity certificate.
    PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
        .addDnsName("hadoop.apache.org")
        .addIpAddress("8.8.8.8")
        .addServiceName("OzoneMarketingCluster002")
        .setCA(false)
        .setClusterID(clusterId)
        .setScmID(scmId)
        .setSubject("Ozone Cluster")
        .setConfiguration(conf)
        .setKey(keyPair)
        .build();
    // Let us convert this to a string to mimic the common use case.
    String csrString = CertificateSignRequest.getEncodedString(csr);
    CertificateServer testCA = new DefaultCAServer("testCA", clusterId, scmId,
        caStore, new DefaultProfile(),
        Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
    testCA.init(new SecurityConfig(conf), SELF_SIGNED_CA);
    Future<X509CertificateHolder> holder = testCA.requestCertificate(csrString,
        CertificateApprover.ApprovalType.TESTING_AUTOMATIC, SCM);
    // Right now our calls are synchronous. Eventually this will have to wait.
    assertTrue(holder.isDone());
    assertNotNull(holder.get());
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile) KeyPair(java.security.KeyPair) HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator) SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) Test(org.junit.Test)

Example 2 with CertificateServer

Use of org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer in project ozone by apache.

From class TestDefaultCAServer, method testMissingCertificate:

@Test
public void testMissingCertificate() {
    SecurityConfig securityConfig = new SecurityConfig(conf);
    CertificateServer testCA = new DefaultCAServer("testCA",
        RandomStringUtils.randomAlphabetic(4),
        RandomStringUtils.randomAlphabetic(4),
        caStore, new DefaultProfile(),
        Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
    // Ask the server how it would handle a CA whose root certificate is
    // missing; for a self-signed CA this must refuse to initialize.
    Consumer<SecurityConfig> caInitializer = ((DefaultCAServer) testCA)
        .processVerificationStatus(
            DefaultCAServer.VerificationStatus.MISSING_CERTIFICATE,
            SELF_SIGNED_CA);
    try {
        caInitializer.accept(securityConfig);
        fail("code should not reach here, exception should have been thrown.");
    } catch (IllegalStateException e) {
        // This is also a runtime exception, so it is not caught by the JUnit
        // "expected" exception mechanism.
        assertTrue(e.toString().contains("Missing Root Certs"));
    }
}
Also used : DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile) SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) Test(org.junit.Test)

Example 3 with CertificateServer

Use of org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer in project ozone by apache.

From class TestDefaultCAServer, method testInit:

@Test
public void testInit() throws SCMSecurityException, CertificateException, IOException {
    SecurityConfig securityConfig = new SecurityConfig(conf);
    CertificateServer testCA = new DefaultCAServer("testCA",
        RandomStringUtils.randomAlphabetic(4),
        RandomStringUtils.randomAlphabetic(4),
        caStore, new DefaultProfile(),
        Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
    testCA.init(securityConfig, SELF_SIGNED_CA);
    X509CertificateHolder first = testCA.getCACertificate();
    assertNotNull(first);
    // Init is idempotent: a second init must not generate a new CA key pair
    // or certificate, so the same certificate is returned.
    testCA.init(securityConfig, SELF_SIGNED_CA);
    X509CertificateHolder second = testCA.getCACertificate();
    assertEquals(first, second);
}
Also used : DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile) SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) Test(org.junit.Test)

Example 4 with CertificateServer

Use of org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer in project ozone by apache.

From class TestDefaultCAServer, method testIntermediaryCAWithEmpty:

@Test(expected = IllegalStateException.class)
public void testIntermediaryCAWithEmpty() throws Exception {
    CertificateServer scmCA = new DefaultCAServer("testCA",
        RandomStringUtils.randomAlphabetic(4),
        RandomStringUtils.randomAlphabetic(4),
        caStore, new DefaultProfile(), Paths.get("scm").toString());
    // An intermediary CA has no certificate of its own yet and cannot
    // self-sign, so init must fail with IllegalStateException.
    scmCA.init(new SecurityConfig(conf), INTERMEDIARY_CA);
}
Also used : DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile) SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) Test(org.junit.Test)

Example 5 with CertificateServer

Use of org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer in project ozone by apache.

From class TestRootCertificate, method testCACert:

@Test
public void testCACert() throws SCMSecurityException, NoSuchProviderException,
    NoSuchAlgorithmException, IOException, CertificateException {
    LocalDate notBefore = LocalDate.now();
    LocalDate notAfter = notBefore.plus(365, ChronoUnit.DAYS);
    String clusterID = UUID.randomUUID().toString();
    String scmID = UUID.randomUUID().toString();
    String subject = "testRootCert";
    HDDSKeyGenerator keyGen = new HDDSKeyGenerator(securityConfig.getConfiguration());
    KeyPair keyPair = keyGen.generateKey();
    // makeCA() requests the CA flag in the basic-constraints extension.
    SelfSignedCertificate.Builder builder = SelfSignedCertificate.newBuilder()
        .setBeginDate(notBefore)
        .setEndDate(notAfter)
        .setClusterID(clusterID)
        .setScmID(scmID)
        .setSubject(subject)
        .setKey(keyPair)
        .setConfiguration(conf)
        .makeCA();
    try {
        DomainValidator validator = DomainValidator.getInstance();
        // Add all valid ips.
        OzoneSecurityUtil.getValidInetsForCurrentHost().forEach(ip -> {
            builder.addIpAddress(ip.getHostAddress());
            if (validator.isValid(ip.getCanonicalHostName())) {
                builder.addDnsName(ip.getCanonicalHostName());
            }
        });
    } catch (IOException e) {
        throw new org.apache.hadoop.hdds.security.x509.exceptions.CertificateException(
            "Error while adding ip to CA self signed certificate", e, CSR_ERROR);
    }
    X509CertificateHolder certificateHolder = builder.build();
    // This time we asked for a CertificateServer certificate, so make sure
    // that the basic-constraints extension is present and marked critical.
    Extension basicExt = certificateHolder.getExtension(Extension.basicConstraints);
    Assert.assertNotNull(basicExt);
    Assert.assertTrue(basicExt.isCritical());
    // Since this code assigns ONE for the root certificate, we check if the
    // serial number is the expected number.
    Assert.assertEquals(certificateHolder.getSerialNumber(), BigInteger.ONE);
    CertificateCodec codec = new CertificateCodec(securityConfig, "scm");
    String pemString = codec.getPEMEncodedString(certificateHolder);
    File basePath = temporaryFolder.newFolder();
    if (!basePath.exists()) {
        Assert.assertTrue(basePath.mkdirs());
    }
    codec.writeCertificate(basePath.toPath(), "pemcertificate.crt", pemString,
        false);
    X509CertificateHolder loadedCert = codec.readCertificate(basePath.toPath(),
        "pemcertificate.crt");
    assertNotNull(loadedCert);
    assertEquals(certificateHolder.getSerialNumber(), loadedCert.getSerialNumber());
}
Also used : KeyPair(java.security.KeyPair) HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator) SelfSignedCertificate(org.apache.hadoop.hdds.security.x509.certificates.utils.SelfSignedCertificate) CertificateCodec(org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec) IOException(java.io.IOException) LocalDate(java.time.LocalDate) Extension(org.bouncycastle.asn1.x509.Extension) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) DomainValidator(org.apache.commons.validator.routines.DomainValidator) File(java.io.File) Test(org.junit.Test)
