use of org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec in project ozone by apache.
the class TestSecureOzoneManager method testSecureOmInitFailures.
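/**
 * Test failure cases for secure OM initialization.
 *
 * <p>Drives {@link OMCertificateClient#init()} through the possible
 * combinations of present/missing private key, public key and certificate
 * and asserts the {@link CertificateClient.InitResponse} reported for each.
 * Partial identity material (a lone private key, a lone public key, or a
 * certificate with no matching private key) is expected to yield
 * {@code FAILURE}; only a complete private key + certificate yields
 * {@code SUCCESS}.
 *
 * @throws Exception on any unexpected test error.
 */
@Test
public void testSecureOmInitFailures() throws Exception {
  LogCapturer omLogs = LogCapturer.captureLogs(OzoneManager.getLogger());
  OMStorage omStorage = new OMStorage(conf);
  omStorage.setClusterId(clusterId);
  omStorage.setOmId(omId);
  omLogs.clearOutput();
  SecurityConfig securityConfig = new SecurityConfig(conf);

  // Case 1: When keypair as well as certificate is missing. Initial keypair
  // boot-up. Get certificate will fail when SCM is not running.
  CertificateClient client =
      new OMCertificateClient(securityConfig, omStorage.getOmCertSerialId());
  Assert.assertEquals(CertificateClient.InitResponse.GETCERT, client.init());
  // Keep the generated key pair: later cases rewrite individual key files
  // and issue a certificate from it.
  PrivateKey privateKey = client.getPrivateKey();
  PublicKey publicKey = client.getPublicKey();
  Assert.assertNotNull(privateKey);
  Assert.assertNotNull(publicKey);
  Assert.assertNull(client.getCertificate());

  // Case 2: If key pair already exist than response should be RECOVER.
  client = new OMCertificateClient(securityConfig, omStorage.getOmCertSerialId());
  Assert.assertEquals(CertificateClient.InitResponse.RECOVER, client.init());
  Assert.assertNotNull(client.getPrivateKey());
  Assert.assertNotNull(client.getPublicKey());
  Assert.assertNull(client.getCertificate());

  // Case 3: When public key as well as certificate is missing.
  client = new OMCertificateClient(securityConfig);
  deleteOmKeyFile(securityConfig, securityConfig.getPublicKeyFileName());
  Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
  Assert.assertNotNull(client.getPrivateKey());
  Assert.assertNull(client.getPublicKey());
  Assert.assertNull(client.getCertificate());

  // Case 4: When private key and certificate is missing.
  client = new OMCertificateClient(securityConfig);
  KeyCodec keyCodec = new KeyCodec(securityConfig, COMPONENT);
  keyCodec.writePublicKey(publicKey);
  deleteOmKeyFile(securityConfig, securityConfig.getPrivateKeyFileName());
  Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
  Assert.assertNull(client.getPrivateKey());
  Assert.assertNotNull(client.getPublicKey());
  Assert.assertNull(client.getCertificate());

  // Case 5: When only certificate is present.
  deleteOmKeyFile(securityConfig, securityConfig.getPublicKeyFileName());
  CertificateCodec certCodec = new CertificateCodec(securityConfig, COMPONENT);
  X509Certificate x509Certificate = KeyStoreTestUtil.generateCertificate(
      "CN=Test", new KeyPair(publicKey, privateKey), 10,
      securityConfig.getSignatureAlgo());
  certCodec.writeCertificate(new X509CertificateHolder(x509Certificate.getEncoded()));
  String certSerial = x509Certificate.getSerialNumber().toString();
  client = new OMCertificateClient(securityConfig, certSerial);
  omStorage.setOmCertSerialId(certSerial);
  Assert.assertEquals(CertificateClient.InitResponse.FAILURE, client.init());
  Assert.assertNull(client.getPrivateKey());
  Assert.assertNull(client.getPublicKey());
  Assert.assertNotNull(client.getCertificate());

  // Case 6: When private key and certificate is present. The public key is
  // expected to be recovered, so init succeeds and all three are available.
  client = new OMCertificateClient(securityConfig, certSerial);
  deleteOmKeyFile(securityConfig, securityConfig.getPublicKeyFileName());
  keyCodec.writePrivateKey(privateKey);
  Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
  Assert.assertNotNull(client.getPrivateKey());
  Assert.assertNotNull(client.getPublicKey());
  Assert.assertNotNull(client.getCertificate());

  // Case 7: When keypair and certificate is present.
  client = new OMCertificateClient(securityConfig, certSerial);
  Assert.assertEquals(CertificateClient.InitResponse.SUCCESS, client.init());
  Assert.assertNotNull(client.getPrivateKey());
  Assert.assertNotNull(client.getPublicKey());
  Assert.assertNotNull(client.getCertificate());
}

/** Deletes one file from the OM key directory, ignoring errors and absence. */
private void deleteOmKeyFile(SecurityConfig securityConfig, String fileName) {
  FileUtils.deleteQuietly(
      Paths.get(securityConfig.getKeyLocation(COMPONENT).toString(), fileName).toFile());
}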
use of org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec in project ozone by apache.
the class TestDefaultCertificateClient method testInitCertAndKeypairValidationFailures.
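/**
 * Verifies that {@code init()} fails when the stored key material and
 * certificate do not belong together.
 *
 * <p>Four scenarios are run against both the DN and the OM certificate
 * client: a private/public key pair that does not match, a certificate
 * written while the key pair is still mismatched, a certificate whose key
 * differs from the (now consistent) key pair, and a public key that is
 * missing and cannot be recovered. Each must report {@code FAILURE} and log
 * the corresponding reason.
 *
 * @throws Exception on any unexpected test error.
 */
@Test
public void testInitCertAndKeypairValidationFailures() throws Exception {
  GenericTestUtils.LogCapturer dnClientLog =
      GenericTestUtils.LogCapturer.captureLogs(dnCertClient.getLogger());
  GenericTestUtils.LogCapturer omClientLog =
      GenericTestUtils.LogCapturer.captureLogs(omCertClient.getLogger());
  KeyPair keyPair = keyGenerator.generateKey();
  KeyPair keyPair2 = keyGenerator.generateKey();
  dnClientLog.clearOutput();
  omClientLog.clearOutput();

  // Case 1. Expect failure when keypair validation fails: the private key of
  // one pair is stored next to the public key of another.
  deleteFromKeyDir(omSecurityConfig, OM_COMPONENT, omSecurityConfig.getPrivateKeyFileName());
  deleteFromKeyDir(omSecurityConfig, OM_COMPONENT, omSecurityConfig.getPublicKeyFileName());
  deleteFromKeyDir(dnSecurityConfig, DN_COMPONENT, dnSecurityConfig.getPrivateKeyFileName());
  deleteFromKeyDir(dnSecurityConfig, DN_COMPONENT, dnSecurityConfig.getPublicKeyFileName());
  omKeyCodec.writePrivateKey(keyPair.getPrivate());
  omKeyCodec.writePublicKey(keyPair2.getPublic());
  dnKeyCodec.writePrivateKey(keyPair.getPrivate());
  dnKeyCodec.writePublicKey(keyPair2.getPublic());
  // Check for DN.
  assertEquals(FAILURE, dnCertClient.init());
  assertTrue(dnClientLog.getOutput().contains("Keypair validation failed"));
  dnClientLog.clearOutput();
  omClientLog.clearOutput();
  // Check for OM.
  assertEquals(FAILURE, omCertClient.init());
  assertTrue(omClientLog.getOutput().contains("Keypair validation failed"));
  dnClientLog.clearOutput();
  omClientLog.clearOutput();

  // Case 2. Expect failure when certificate is generated from different
  // private key and keypair validation fails.
  getCertClient();
  deleteFromKeyDir(omSecurityConfig, OM_COMPONENT, omSecurityConfig.getCertificateFileName());
  deleteFromKeyDir(dnSecurityConfig, DN_COMPONENT, dnSecurityConfig.getCertificateFileName());
  CertificateCodec omCertCodec = new CertificateCodec(omSecurityConfig, OM_COMPONENT);
  omCertCodec.writeCertificate(new X509CertificateHolder(x509Certificate.getEncoded()));
  CertificateCodec dnCertCodec = new CertificateCodec(dnSecurityConfig, DN_COMPONENT);
  dnCertCodec.writeCertificate(new X509CertificateHolder(x509Certificate.getEncoded()));
  // Check for DN.
  assertEquals(FAILURE, dnCertClient.init());
  assertTrue(dnClientLog.getOutput().contains("Keypair validation failed"));
  dnClientLog.clearOutput();
  omClientLog.clearOutput();
  // Check for OM.
  assertEquals(FAILURE, omCertClient.init());
  assertTrue(omClientLog.getOutput().contains("Keypair validation failed"));
  dnClientLog.clearOutput();
  omClientLog.clearOutput();

  // Case 3. Expect failure when certificate is generated from different
  // private key and certificate validation fails.
  // Re write the correct public key so that only the certificate mismatches.
  deleteFromKeyDir(omSecurityConfig, OM_COMPONENT, omSecurityConfig.getPublicKeyFileName());
  deleteFromKeyDir(dnSecurityConfig, DN_COMPONENT, dnSecurityConfig.getPublicKeyFileName());
  getCertClient();
  omKeyCodec.writePublicKey(keyPair.getPublic());
  dnKeyCodec.writePublicKey(keyPair.getPublic());
  // Check for DN.
  assertEquals(FAILURE, dnCertClient.init());
  assertTrue(dnClientLog.getOutput().contains(
      "Stored certificate is generated with different"));
  dnClientLog.clearOutput();
  omClientLog.clearOutput();
  // Check for OM.
  assertEquals(FAILURE, omCertClient.init());
  assertTrue(omClientLog.getOutput().contains(
      "Stored certificate is generated with different"));
  dnClientLog.clearOutput();
  omClientLog.clearOutput();

  // Case 4. Failure when public key recovery fails.
  getCertClient();
  deleteFromKeyDir(omSecurityConfig, OM_COMPONENT, omSecurityConfig.getPublicKeyFileName());
  deleteFromKeyDir(dnSecurityConfig, DN_COMPONENT, dnSecurityConfig.getPublicKeyFileName());
  // Check for DN.
  assertEquals(FAILURE, dnCertClient.init());
  assertTrue(dnClientLog.getOutput().contains("Can't recover public key"));
  // Check for OM.
  assertEquals(FAILURE, omCertClient.init());
  assertTrue(omClientLog.getOutput().contains("Can't recover public key"));
  dnClientLog.clearOutput();
  omClientLog.clearOutput();
}

/** Deletes one file from the key directory of the given component, ignoring errors. */
private static void deleteFromKeyDir(SecurityConfig config, String component, String fileName) {
  FileUtils.deleteQuietly(
      Paths.get(config.getKeyLocation(component).toString(), fileName).toFile());
}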
use of org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec in project ozone by apache.
the class TestDefaultCertificateClient method testCertificateLoadingOnInit.
/**
 * Checks that certificates written to the DN certificate directory are
 * picked up when a new {@link DNCertificateClient} is constructed.
 *
 * <p>Before the files exist, lookups by serial number must fail; after the
 * three certificates are written and the client is re-created, each one must
 * be retrievable by its serial number.
 *
 * @throws Exception on any unexpected test error.
 */
@Test
public void testCertificateLoadingOnInit() throws Exception {
  KeyPair keyPair = keyGenerator.generateKey();
  X509Certificate[] certs = {
      generateX509Cert(keyPair),
      generateX509Cert(keyPair),
      generateX509Cert(keyPair)
  };
  Path certPath = dnSecurityConfig.getCertificateLocation(DN_COMPONENT);
  CertificateCodec codec = new CertificateCodec(dnSecurityConfig, DN_COMPONENT);

  // Certificate not found: nothing has been written yet.
  for (X509Certificate cert : certs) {
    String serial = cert.getSerialNumber().toString();
    LambdaTestUtils.intercept(CertificateException.class,
        "Error while getting certificate",
        () -> dnCertClient.getCertificate(serial));
  }

  // Persist them as 1.crt, 2.crt, 3.crt (force overwrite).
  for (int idx = 0; idx < certs.length; idx++) {
    codec.writeCertificate(certPath, (idx + 1) + ".crt",
        getPEMEncodedString(certs[idx]), true);
  }

  // Re instantiate DN client which will load certificates from filesystem.
  dnCertClient = new DNCertificateClient(dnSecurityConfig, certSerialId);
  for (X509Certificate cert : certs) {
    assertNotNull(dnCertClient.getCertificate(cert.getSerialNumber().toString()));
  }
}
use of org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec in project ozone by apache.
the class TestCertificateCodec method writeCertificate2.
/**
 * Tests writing a certificate under a non-default file name.
 *
 * <p>The first write must succeed on a fresh name; the second write of the
 * same name is only allowed because {@code force} is set. Finally the file is
 * read back from the codec's location to confirm it round-trips.
 *
 * @throws IOException - on Error.
 * @throws SCMSecurityException - on Error.
 * @throws NoSuchProviderException - on Error.
 * @throws NoSuchAlgorithmException - on Error.
 * @throws CertificateException - on Error.
 */
@Test
public void writeCertificate2() throws IOException, SCMSecurityException, NoSuchProviderException, NoSuchAlgorithmException, CertificateException {
  final String fileName = "newcert.crt";
  HDDSKeyGenerator keyGenerator = new HDDSKeyGenerator(conf);
  LocalDate today = LocalDate.now();

  // Self-signed CA certificate with random identifiers, valid for one day.
  SelfSignedCertificate.Builder builder = SelfSignedCertificate.newBuilder()
      .setSubject(RandomStringUtils.randomAlphabetic(4))
      .setClusterID(RandomStringUtils.randomAlphabetic(4))
      .setScmID(RandomStringUtils.randomAlphabetic(4))
      .setBeginDate(today)
      .setEndDate(today.plus(1, ChronoUnit.DAYS))
      .setConfiguration(keyGenerator.getSecurityConfig().getConfiguration())
      .setKey(keyGenerator.generateKey())
      .makeCA();
  X509CertificateHolder cert = builder.build();

  CertificateCodec codec = new CertificateCodec(keyGenerator.getSecurityConfig(), "ca");
  codec.writeCertificate(cert, fileName, false);
  // Rewrite with force support
  codec.writeCertificate(cert, fileName, true);

  X509CertificateHolder reloaded = codec.readCertificate(codec.getLocation(), fileName);
  assertNotNull(reloaded);
}
use of org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec in project ozone by apache.
the class TestRootCertificate method testCACert.
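/**
 * Builds a self-signed root (CA) certificate and checks its CA properties and
 * PEM round-trip through {@link CertificateCodec}.
 *
 * <p>Asserts that the basicConstraints extension is present and marked
 * critical, that the root certificate carries serial number ONE, and that the
 * certificate written as PEM can be read back with the same serial number.
 *
 * @throws SCMSecurityException - on Error.
 * @throws NoSuchProviderException - on Error.
 * @throws NoSuchAlgorithmException - on Error.
 * @throws IOException - on Error.
 * @throws CertificateException - on Error.
 */
@Test
public void testCACert() throws SCMSecurityException, NoSuchProviderException, NoSuchAlgorithmException, IOException, CertificateException {
  LocalDate notBefore = LocalDate.now();
  LocalDate notAfter = notBefore.plus(365, ChronoUnit.DAYS);
  String clusterID = UUID.randomUUID().toString();
  String scmID = UUID.randomUUID().toString();
  String subject = "testRootCert";
  HDDSKeyGenerator keyGen = new HDDSKeyGenerator(securityConfig.getConfiguration());
  KeyPair keyPair = keyGen.generateKey();
  SelfSignedCertificate.Builder builder = SelfSignedCertificate.newBuilder()
      .setBeginDate(notBefore)
      .setEndDate(notAfter)
      .setClusterID(clusterID)
      .setScmID(scmID)
      .setSubject(subject)
      .setKey(keyPair)
      .setConfiguration(conf)
      .makeCA();

  try {
    DomainValidator validator = DomainValidator.getInstance();
    // Add all valid ips; a DNS name is only added when the canonical host
    // name passes the domain validator.
    OzoneSecurityUtil.getValidInetsForCurrentHost().forEach(ip -> {
      builder.addIpAddress(ip.getHostAddress());
      if (validator.isValid(ip.getCanonicalHostName())) {
        builder.addDnsName(ip.getCanonicalHostName());
      }
    });
  } catch (IOException e) {
    throw new org.apache.hadoop.hdds.security.x509.exceptions.CertificateException(
        "Error while adding ip to CA self signed certificate", e, CSR_ERROR);
  }
  X509CertificateHolder certificateHolder = builder.build();

  // This time we asked for a CertificateServer Certificate, make sure that
  // extension is present and valid.
  Extension basicExt = certificateHolder.getExtension(Extension.basicConstraints);
  Assert.assertNotNull(basicExt);
  Assert.assertTrue(basicExt.isCritical());

  // Since this code assigns ONE for the root certificate, we check if the
  // serial number is the expected number (expected first, so a failure
  // message reads correctly).
  Assert.assertEquals(BigInteger.ONE, certificateHolder.getSerialNumber());

  CertificateCodec codec = new CertificateCodec(securityConfig, "scm");
  String pemString = codec.getPEMEncodedString(certificateHolder);
  File basePath = temporaryFolder.newFolder();
  if (!basePath.exists()) {
    Assert.assertTrue(basePath.mkdirs());
  }
  codec.writeCertificate(basePath.toPath(), "pemcertificate.crt", pemString, false);
  X509CertificateHolder loadedCert =
      codec.readCertificate(basePath.toPath(), "pemcertificate.crt");
  Assert.assertNotNull(loadedCert);
  Assert.assertEquals(certificateHolder.getSerialNumber(), loadedCert.getSerialNumber());
}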