
Example 1 with CertificateCodec

use of org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec in project ozone by apache.

the class TestSecureOzoneManager method testSecureOmInitFailures.

/**
 * Test failure cases for secure OM initialization.
 *
 * <p>Runs {@code OMCertificateClient#init()} against the combinations of
 * private key, public key and certificate being present or missing on disk
 * and checks the {@link CertificateClient.InitResponse} for each one. The
 * cases are sequential: files written or deleted by one case are still
 * there for the next, so their order matters.
 */
@Test
public void testSecureOmInitFailures() throws Exception {
    // Captured so OM log output is not lost; this test does not assert on it.
    LogCapturer omLogs = LogCapturer.captureLogs(OzoneManager.getLogger());
    OMStorage omStorage = new OMStorage(conf);
    omStorage.setClusterId(clusterId);
    omStorage.setOmId(omId);
    omLogs.clearOutput();
    SecurityConfig securityConfig = new SecurityConfig(conf);

    // Case 1: neither keypair nor certificate exists. This is the initial
    // boot-up: a keypair is generated and GETCERT is returned because the
    // certificate cannot be fetched while SCM is not running.
    CertificateClient client = new OMCertificateClient(securityConfig, omStorage.getOmCertSerialId());
    Assert.assertEquals(CertificateClient.InitResponse.GETCERT, client.init());
    PrivateKey generatedPrivateKey = client.getPrivateKey();
    PublicKey generatedPublicKey = client.getPublicKey();
    assertClientHolds(client, true, true, false);

    // Case 2: the keypair exists but there is no certificate, so RECOVER.
    client = new OMCertificateClient(securityConfig, omStorage.getOmCertSerialId());
    Assert.assertEquals(CertificateClient.InitResponse.RECOVER, client.init());
    assertClientHolds(client, true, true, false);

    // Case 3: public key and certificate missing; only the private key is left.
    client = new OMCertificateClient(securityConfig);
    deleteKeyFile(securityConfig, securityConfig.getPublicKeyFileName());
    Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
    assertClientHolds(client, true, false, false);

    // Case 4: private key and certificate missing; only the public key is left.
    client = new OMCertificateClient(securityConfig);
    KeyCodec keyCodec = new KeyCodec(securityConfig, COMPONENT);
    keyCodec.writePublicKey(generatedPublicKey);
    deleteKeyFile(securityConfig, securityConfig.getPrivateKeyFileName());
    Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
    assertClientHolds(client, false, true, false);

    // Case 5: only a certificate is present. Without any key material init()
    // must fail even though the certificate itself is loaded.
    deleteKeyFile(securityConfig, securityConfig.getPublicKeyFileName());
    CertificateCodec certCodec = new CertificateCodec(securityConfig, COMPONENT);
    X509Certificate x509Certificate = KeyStoreTestUtil.generateCertificate("CN=Test", new KeyPair(generatedPublicKey, generatedPrivateKey), 10, securityConfig.getSignatureAlgo());
    certCodec.writeCertificate(new X509CertificateHolder(x509Certificate.getEncoded()));
    String certSerialId = x509Certificate.getSerialNumber().toString();
    client = new OMCertificateClient(securityConfig, certSerialId);
    omStorage.setOmCertSerialId(certSerialId);
    Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
    assertClientHolds(client, false, false, true);

    // Case 6: private key and certificate present. The public key file is
    // removed again, yet the client ends up holding a public key after
    // init(), so it is recovered (presumably from the certificate).
    client = new OMCertificateClient(securityConfig, certSerialId);
    deleteKeyFile(securityConfig, securityConfig.getPublicKeyFileName());
    keyCodec.writePrivateKey(generatedPrivateKey);
    Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
    assertClientHolds(client, true, true, true);

    // Case 7: keypair and certificate present.
    client = new OMCertificateClient(securityConfig, certSerialId);
    Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
    assertClientHolds(client, true, true, true);
}

/** Removes {@code fileName} from the OM key directory, ignoring any error. */
private void deleteKeyFile(SecurityConfig securityConfig, String fileName) {
    FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(COMPONENT).toString(), fileName).toFile());
}

/**
 * Asserts which of private key, public key and certificate the client
 * currently holds; the getters are checked in that order.
 */
private static void assertClientHolds(CertificateClient client, boolean hasPrivateKey, boolean hasPublicKey, boolean hasCertificate) {
    assertPresence(client.getPrivateKey(), hasPrivateKey);
    assertPresence(client.getPublicKey(), hasPublicKey);
    assertPresence(client.getCertificate(), hasCertificate);
}

/** Asserts {@code value} is non-null when {@code expected}, null otherwise. */
private static void assertPresence(Object value, boolean expected) {
    if (expected) {
        Assert.assertNotNull(value);
    } else {
        Assert.assertNull(value);
    }
}
Also used : OMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient) CertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient) KeyPair(java.security.KeyPair) PrivateKey(java.security.PrivateKey) SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) PublicKey(java.security.PublicKey) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) LogCapturer(org.apache.ozone.test.GenericTestUtils.LogCapturer) CertificateCodec(org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec) KeyCodec(org.apache.hadoop.hdds.security.x509.keys.KeyCodec) OMCertificateClient(org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient) X509Certificate(java.security.cert.X509Certificate) Test(org.junit.Test)

Example 2 with CertificateCodec

use of org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec in project ozone by apache.

the class TestDefaultCertificateClient method testInitCertAndKeypairValidationFailures.

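/**
 * Verifies that {@code init()} fails, and logs why, when the key material on
 * disk is inconsistent: a stored public key that does not belong to the
 * stored private key, a stored certificate that was not issued for the
 * private key, and a public key that cannot be recovered. The DN and OM
 * clients are checked against the same setup in every case.
 *
 * @throws Exception on any test failure.
 */
@Test
public void testInitCertAndKeypairValidationFailures() throws Exception {
    // NOTE(review): the capturers are never stopped; if LogCapturer offers a
    // stop method it should be called in a finally block.
    GenericTestUtils.LogCapturer dnClientLog = GenericTestUtils.LogCapturer.captureLogs(dnCertClient.getLogger());
    GenericTestUtils.LogCapturer omClientLog = GenericTestUtils.LogCapturer.captureLogs(omCertClient.getLogger());
    KeyPair keyPair = keyGenerator.generateKey();
    KeyPair keyPair2 = keyGenerator.generateKey();
    dnClientLog.clearOutput();
    omClientLog.clearOutput();
    // Case 1. Expect failure when keypair validation fails: the public key
    // written to disk belongs to a different keypair than the private key.
    deleteFromOmKeyDir(omSecurityConfig.getPrivateKeyFileName());
    deleteFromOmKeyDir(omSecurityConfig.getPublicKeyFileName());
    deleteFromDnKeyDir(dnSecurityConfig.getPrivateKeyFileName());
    deleteFromDnKeyDir(dnSecurityConfig.getPublicKeyFileName());
    omKeyCodec.writePrivateKey(keyPair.getPrivate());
    omKeyCodec.writePublicKey(keyPair2.getPublic());
    dnKeyCodec.writePrivateKey(keyPair.getPrivate());
    dnKeyCodec.writePublicKey(keyPair2.getPublic());
    // Check for DN. assertEquals takes (expected, actual); keeping that order
    // makes a failure message read the right way round.
    assertEquals(FAILURE, dnCertClient.init());
    assertTrue(dnClientLog.getOutput().contains("Keypair validation failed"));
    dnClientLog.clearOutput();
    omClientLog.clearOutput();
    // Check for OM.
    assertEquals(FAILURE, omCertClient.init());
    assertTrue(omClientLog.getOutput().contains("Keypair validation failed"));
    dnClientLog.clearOutput();
    omClientLog.clearOutput();
    // Case 2. Expect failure when certificate is generated from different
    // private key and keypair validation fails. The mismatched keypair from
    // case 1 is still on disk, so keypair validation is what fails first.
    getCertClient();
    deleteFromOmKeyDir(omSecurityConfig.getCertificateFileName());
    deleteFromDnKeyDir(dnSecurityConfig.getCertificateFileName());
    CertificateCodec omCertCodec = new CertificateCodec(omSecurityConfig, OM_COMPONENT);
    omCertCodec.writeCertificate(new X509CertificateHolder(x509Certificate.getEncoded()));
    CertificateCodec dnCertCodec = new CertificateCodec(dnSecurityConfig, DN_COMPONENT);
    dnCertCodec.writeCertificate(new X509CertificateHolder(x509Certificate.getEncoded()));
    // Check for DN.
    assertEquals(FAILURE, dnCertClient.init());
    assertTrue(dnClientLog.getOutput().contains("Keypair validation failed"));
    dnClientLog.clearOutput();
    omClientLog.clearOutput();
    // Check for OM.
    assertEquals(FAILURE, omCertClient.init());
    assertTrue(omClientLog.getOutput().contains("Keypair validation failed"));
    dnClientLog.clearOutput();
    omClientLog.clearOutput();
    // Case 3. Expect failure when certificate is generated from different
    // private key and certificate validation fails.
    // Re write the correct public key so that the keypair itself is valid and
    // only the certificate/key mismatch is left.
    deleteFromOmKeyDir(omSecurityConfig.getPublicKeyFileName());
    deleteFromDnKeyDir(dnSecurityConfig.getPublicKeyFileName());
    getCertClient();
    omKeyCodec.writePublicKey(keyPair.getPublic());
    dnKeyCodec.writePublicKey(keyPair.getPublic());
    // Check for DN.
    assertEquals(FAILURE, dnCertClient.init());
    assertTrue(dnClientLog.getOutput().contains("Stored certificate is generated with different"));
    dnClientLog.clearOutput();
    omClientLog.clearOutput();
    // Check for OM.
    assertEquals(FAILURE, omCertClient.init());
    assertTrue(omClientLog.getOutput().contains("Stored certificate is generated with different"));
    dnClientLog.clearOutput();
    omClientLog.clearOutput();
    // Case 4. Failure when public key recovery fails.
    getCertClient();
    deleteFromOmKeyDir(omSecurityConfig.getPublicKeyFileName());
    deleteFromDnKeyDir(dnSecurityConfig.getPublicKeyFileName());
    // Check for DN.
    assertEquals(FAILURE, dnCertClient.init());
    assertTrue(dnClientLog.getOutput().contains("Can't recover public key"));
    // Check for OM.
    assertEquals(FAILURE, omCertClient.init());
    assertTrue(omClientLog.getOutput().contains("Can't recover public key"));
    dnClientLog.clearOutput();
    omClientLog.clearOutput();
}

/** Removes {@code fileName} from the OM key directory, ignoring any error. */
private void deleteFromOmKeyDir(String fileName) {
    FileUtils.deleteQuietly(Paths.get(omSecurityConfig.getKeyLocation(OM_COMPONENT).toString(), fileName).toFile());
}

/** Removes {@code fileName} from the DN key directory, ignoring any error. */
private void deleteFromDnKeyDir(String fileName) {
    FileUtils.deleteQuietly(Paths.get(dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(), fileName).toFile());
}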
Also used : KeyPair(java.security.KeyPair) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) GenericTestUtils(org.apache.ozone.test.GenericTestUtils) CertificateCodec(org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec) Test(org.junit.Test)

Example 3 with CertificateCodec

use of org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec in project ozone by apache.

the class TestDefaultCertificateClient method testCertificateLoadingOnInit.

/**
 * Verifies that certificates written to the DN certificate directory are
 * picked up when a new DN certificate client is instantiated: lookups by
 * serial number fail before the files exist and succeed once a fresh client
 * has loaded them from the filesystem.
 */
@Test
public void testCertificateLoadingOnInit() throws Exception {
    KeyPair keyPair = keyGenerator.generateKey();
    X509Certificate[] certs = {
        generateX509Cert(keyPair),
        generateX509Cert(keyPair),
        generateX509Cert(keyPair)
    };
    Path certPath = dnSecurityConfig.getCertificateLocation(DN_COMPONENT);
    CertificateCodec codec = new CertificateCodec(dnSecurityConfig, DN_COMPONENT);

    // Nothing is on disk yet, so every lookup must fail.
    for (X509Certificate cert : certs) {
        String serialId = cert.getSerialNumber().toString();
        LambdaTestUtils.intercept(CertificateException.class, "Error while getting certificate", () -> dnCertClient.getCertificate(serialId));
    }

    // Files are named 1.crt, 2.crt, 3.crt; the name is not what the client
    // looks up by, the serial number is.
    for (int i = 0; i < certs.length; i++) {
        codec.writeCertificate(certPath, (i + 1) + ".crt", getPEMEncodedString(certs[i]), true);
    }

    // Re instantiate DN client which will load certificates from filesystem.
    dnCertClient = new DNCertificateClient(dnSecurityConfig, certSerialId);
    for (X509Certificate cert : certs) {
        assertNotNull(dnCertClient.getCertificate(cert.getSerialNumber().toString()));
    }
}
Also used : Path(java.nio.file.Path) KeyPair(java.security.KeyPair) CertificateCodec(org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec) X509Certificate(java.security.cert.X509Certificate) Test(org.junit.Test)

Example 4 with CertificateCodec

use of org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec in project ozone by apache.

the class TestCertificateCodec method writeCertificate2.

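/**
 * Tests writing to non-default certificate file name.
 *
 * <p>Builds a self-signed CA certificate, writes it as {@code newcert.crt}
 * first without and then with force, reads it back through the codec and
 * checks that what was read is the certificate that was written.
 *
 * @throws IOException              - on Error.
 * @throws SCMSecurityException     - on Error.
 * @throws NoSuchProviderException  - on Error.
 * @throws NoSuchAlgorithmException - on Error.
 * @throws CertificateException     - on Error.
 */
@Test
public void writeCertificate2() throws IOException, SCMSecurityException, NoSuchProviderException, NoSuchAlgorithmException, CertificateException {
    HDDSKeyGenerator keyGenerator = new HDDSKeyGenerator(conf);
    X509CertificateHolder cert = SelfSignedCertificate.newBuilder()
        .setSubject(RandomStringUtils.randomAlphabetic(4))
        .setClusterID(RandomStringUtils.randomAlphabetic(4))
        .setScmID(RandomStringUtils.randomAlphabetic(4))
        .setBeginDate(LocalDate.now())
        .setEndDate(LocalDate.now().plus(1, ChronoUnit.DAYS))
        .setConfiguration(keyGenerator.getSecurityConfig().getConfiguration())
        .setKey(keyGenerator.generateKey())
        .makeCA()
        .build();
    CertificateCodec codec = new CertificateCodec(keyGenerator.getSecurityConfig(), "ca");
    // The file is not expected to exist yet, so this write must succeed
    // without force.
    codec.writeCertificate(cert, "newcert.crt", false);
    // Rewrite with force support
    codec.writeCertificate(cert, "newcert.crt", true);
    X509CertificateHolder loaded = codec.readCertificate(codec.getLocation(), "newcert.crt");
    assertNotNull(loaded);
    // Non-null alone would also pass if some other certificate were read
    // back; pin the round trip to the serial number and the DER encoding.
    org.junit.Assert.assertEquals(cert.getSerialNumber(), loaded.getSerialNumber());
    org.junit.Assert.assertArrayEquals(cert.getEncoded(), loaded.getEncoded());
}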
Also used : HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) Test(org.junit.Test)

Example 5 with CertificateCodec

use of org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec in project ozone by apache.

the class TestRootCertificate method testCACert.

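/**
 * Builds a self-signed CA (root) certificate and checks the properties a root
 * certificate must have: a critical BasicConstraints extension and serial
 * number one. The certificate is then written as PEM and read back through
 * {@link CertificateCodec} to confirm the round trip keeps the serial number.
 *
 * @throws SCMSecurityException     - on Error.
 * @throws NoSuchProviderException  - on Error.
 * @throws NoSuchAlgorithmException - on Error.
 * @throws IOException              - on Error.
 * @throws CertificateException     - on Error.
 */
@Test
public void testCACert() throws SCMSecurityException, NoSuchProviderException, NoSuchAlgorithmException, IOException, CertificateException {
    LocalDate notBefore = LocalDate.now();
    LocalDate notAfter = notBefore.plus(365, ChronoUnit.DAYS);
    String clusterID = UUID.randomUUID().toString();
    String scmID = UUID.randomUUID().toString();
    String subject = "testRootCert";
    HDDSKeyGenerator keyGen = new HDDSKeyGenerator(securityConfig.getConfiguration());
    KeyPair keyPair = keyGen.generateKey();
    SelfSignedCertificate.Builder builder = SelfSignedCertificate.newBuilder()
        .setBeginDate(notBefore)
        .setEndDate(notAfter)
        .setClusterID(clusterID)
        .setScmID(scmID)
        .setSubject(subject)
        .setKey(keyPair)
        .setConfiguration(conf)
        .makeCA();
    try {
        DomainValidator validator = DomainValidator.getInstance();
        // Add all valid ips. A DNS name is only added when the validator
        // accepts it, so a garbage reverse lookup does not end up in the cert.
        OzoneSecurityUtil.getValidInetsForCurrentHost().forEach(ip -> {
            builder.addIpAddress(ip.getHostAddress());
            if (validator.isValid(ip.getCanonicalHostName())) {
                builder.addDnsName(ip.getCanonicalHostName());
            }
        });
    } catch (IOException e) {
        throw new org.apache.hadoop.hdds.security.x509.exceptions.CertificateException("Error while adding ip to CA self signed certificate", e, CSR_ERROR);
    }
    X509CertificateHolder certificateHolder = builder.build();
    // A CertificateServer certificate was requested, so the BasicConstraints
    // extension must be present and marked critical.
    Extension basicExt = certificateHolder.getExtension(Extension.basicConstraints);
    Assert.assertNotNull(basicExt);
    Assert.assertTrue(basicExt.isCritical());
    // The root certificate is assigned serial number ONE. Expected value goes
    // first so that a mismatch is reported the right way round.
    Assert.assertEquals(BigInteger.ONE, certificateHolder.getSerialNumber());
    CertificateCodec codec = new CertificateCodec(securityConfig, "scm");
    String pemString = codec.getPEMEncodedString(certificateHolder);
    File basePath = temporaryFolder.newFolder();
    // Defensive: newFolder() is expected to create the directory already.
    if (!basePath.exists()) {
        Assert.assertTrue(basePath.mkdirs());
    }
    codec.writeCertificate(basePath.toPath(), "pemcertificate.crt", pemString, false);
    X509CertificateHolder loadedCert = codec.readCertificate(basePath.toPath(), "pemcertificate.crt");
    assertNotNull(loadedCert);
    assertEquals(certificateHolder.getSerialNumber(), loadedCert.getSerialNumber());
}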
Also used : KeyPair(java.security.KeyPair) HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator) SelfSignedCertificate(org.apache.hadoop.hdds.security.x509.certificates.utils.SelfSignedCertificate) CertificateCodec(org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec) IOException(java.io.IOException) LocalDate(java.time.LocalDate) Extension(org.bouncycastle.asn1.x509.Extension) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) DomainValidator(org.apache.commons.validator.routines.DomainValidator) File(java.io.File) Test(org.junit.Test)

Aggregations

X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)14 CertificateCodec (org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec)13 Test (org.junit.Test)11 X509Certificate (java.security.cert.X509Certificate)7 HDDSKeyGenerator (org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator)7 IOException (java.io.IOException)6 KeyPair (java.security.KeyPair)6 File (java.io.File)4 Path (java.nio.file.Path)4 SecurityConfig (org.apache.hadoop.hdds.security.x509.SecurityConfig)4 LocalDate (java.time.LocalDate)3 CertificateException (org.apache.hadoop.hdds.security.x509.exceptions.CertificateException)3 DomainValidator (org.apache.commons.validator.routines.DomainValidator)2 CertificateClient (org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient)2 InitResponse (org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient.InitResponse)2 SelfSignedCertificate (org.apache.hadoop.hdds.security.x509.certificates.utils.SelfSignedCertificate)2 KeyCodec (org.apache.hadoop.hdds.security.x509.keys.KeyCodec)2 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 NoSuchProviderException (java.security.NoSuchProviderException)1 PrivateKey (java.security.PrivateKey)1