Example 1 with DefaultCAServer
use of org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer in project ozone by apache.
the class TestDefaultCAServer method testRequestCertificate.
/**
* The most important test of this test suite. This tests that we are able
* to create a Test CA, creates it own self-Signed CA and then issue a
* certificate based on a CSR.
* @throws SCMSecurityException - on ERROR.
* @throws ExecutionException - on ERROR.
* @throws InterruptedException - on ERROR.
* @throws NoSuchProviderException - on ERROR.
* @throws NoSuchAlgorithmException - on ERROR.
*/
@Test
public void testRequestCertificate() throws IOException, ExecutionException, InterruptedException, NoSuchProviderException, NoSuchAlgorithmException {
String scmId = RandomStringUtils.randomAlphabetic(4);
String clusterId = RandomStringUtils.randomAlphabetic(4);
KeyPair keyPair = new HDDSKeyGenerator(conf).generateKey();
PKCS10CertificationRequest csr = new CertificateSignRequest.Builder().addDnsName("hadoop.apache.org").addIpAddress("8.8.8.8").addServiceName("OzoneMarketingCluster002").setCA(false).setClusterID(clusterId).setScmID(scmId).setSubject("Ozone Cluster").setConfiguration(conf).setKey(keyPair).build();
// Let us convert this to a string to mimic the common use case.
String csrString = CertificateSignRequest.getEncodedString(csr);
CertificateServer testCA = new DefaultCAServer("testCA", clusterId, scmId, caStore, new DefaultProfile(), Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
testCA.init(new SecurityConfig(conf), SELF_SIGNED_CA);
Future<X509CertificateHolder> holder = testCA.requestCertificate(csrString, CertificateApprover.ApprovalType.TESTING_AUTOMATIC, SCM);
// Right now our calls are synchronous. Eventually this will have to wait.
assertTrue(holder.isDone());
assertNotNull(holder.get());
}
Also used :
PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest)
DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile)
KeyPair(java.security.KeyPair)
HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
Test(org.junit.Test)
Example 2 with DefaultCAServer
use of org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer in project ozone by apache.
the class TestDefaultCAServer method testMissingCertificate.
@Test
public void testMissingCertificate() {
SecurityConfig securityConfig = new SecurityConfig(conf);
CertificateServer testCA = new DefaultCAServer("testCA", RandomStringUtils.randomAlphabetic(4), RandomStringUtils.randomAlphabetic(4), caStore, new DefaultProfile(), Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
Consumer<SecurityConfig> caInitializer = ((DefaultCAServer) testCA).processVerificationStatus(DefaultCAServer.VerificationStatus.MISSING_CERTIFICATE, SELF_SIGNED_CA);
try {
caInitializer.accept(securityConfig);
fail("code should not reach here, exception should have been thrown.");
} catch (IllegalStateException e) {
// This also is a runtime exception. Hence not caught by junit expected
// exception.
assertTrue(e.toString().contains("Missing Root Certs"));
}
}
Also used :
DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
Test(org.junit.Test)
Example 3 with DefaultCAServer
use of org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer in project ozone by apache.
the class TestDefaultCAServer method testInit.
@Test
public void testInit() throws SCMSecurityException, CertificateException, IOException {
SecurityConfig securityConfig = new SecurityConfig(conf);
CertificateServer testCA = new DefaultCAServer("testCA", RandomStringUtils.randomAlphabetic(4), RandomStringUtils.randomAlphabetic(4), caStore, new DefaultProfile(), Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
testCA.init(securityConfig, SELF_SIGNED_CA);
X509CertificateHolder first = testCA.getCACertificate();
assertNotNull(first);
// Init is idempotent.
testCA.init(securityConfig, SELF_SIGNED_CA);
X509CertificateHolder second = testCA.getCACertificate();
assertEquals(first, second);
}
Also used :
DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
Test(org.junit.Test)
Example 4 with DefaultCAServer
use of org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer in project ozone by apache.
the class TestDefaultCAServer method testIntermediaryCAWithEmpty.
@Test(expected = IllegalStateException.class)
public void testIntermediaryCAWithEmpty() throws Exception {
CertificateServer scmCA = new DefaultCAServer("testCA", RandomStringUtils.randomAlphabetic(4), RandomStringUtils.randomAlphabetic(4), caStore, new DefaultProfile(), Paths.get("scm").toString());
scmCA.init(new SecurityConfig(conf), INTERMEDIARY_CA);
}
Also used :
DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile)
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
Test(org.junit.Test)
Example 5 with DefaultCAServer
use of org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer in project ozone by apache.
the class HASecurityUtils method initializeRootCertificateServer.
/**
* This function creates/initializes a certificate server as needed.
* This function is idempotent, so calling this again and again after the
* server is initialized is not a problem.
*
* @param config
* @param scmCertStore
* @param scmStorageConfig
*/
public static CertificateServer initializeRootCertificateServer(OzoneConfiguration config, CertificateStore scmCertStore, SCMStorageConfig scmStorageConfig, PKIProfile pkiProfile) throws IOException {
String subject = SCM_ROOT_CA_PREFIX + InetAddress.getLocalHost().getHostName();
DefaultCAServer rootCAServer = new DefaultCAServer(subject, scmStorageConfig.getClusterID(), scmStorageConfig.getScmId(), scmCertStore, pkiProfile, SCM_ROOT_CA_COMPONENT_NAME);
rootCAServer.init(new SecurityConfig(config), CertificateServer.CAType.SELF_SIGNED_CA);
return rootCAServer;
}
Also used :
SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig)
DefaultCAServer(org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer)
CertificateSignRequest.getEncodedString(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString)
Aggregations
SecurityConfig (org.apache.hadoop.hdds.security.x509.SecurityConfig)11
DefaultProfile (org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile)10
Test (org.junit.Test)9
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)6
KeyPair (java.security.KeyPair)5
HDDSKeyGenerator (org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator)5
PKCS10CertificationRequest (org.bouncycastle.pkcs.PKCS10CertificationRequest)5
CertificateSignRequest (org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest)4
LocalDate (java.time.LocalDate)2
DefaultCAServer (org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer)2
IOException (java.io.IOException)1
BigInteger (java.math.BigInteger)1
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1
NoSuchProviderException (java.security.NoSuchProviderException)1
CertificateException (java.security.cert.CertificateException)1
X509Certificate (java.security.cert.X509Certificate)1
ArrayList (java.util.ArrayList)1
Date (java.util.Date)1
Optional (java.util.Optional)1
ExecutionException (java.util.concurrent.ExecutionException)1
