
Example 1 with CertificateCodec.getPEMEncodedString

Use of org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec.getPEMEncodedString in the project ozone by apache.

From the class HASecurityUtils, method getPrimarySCMSelfSignedCert.

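/**
 * For primary SCM get sub-ca signed certificate and root CA certificate by
 * root CA certificate server and store it using certificate client.
 *
 * <p>Steps: initialise the root CA server from {@code scmStorageConfig},
 * build a CSR for this SCM, have the root CA sign it, store the root CA
 * certificate and the signed sub-CA certificate through {@code client},
 * persist the sub-CA certificate and record its serial id in
 * {@code scmStorageConfig}.
 *
 * @param client certificate client used to store the certificates
 * @param config ozone configuration
 * @param scmStorageConfig SCM storage config; updated with the issued
 *     certificate's serial id on success
 * @param scmAddress address of this SCM, passed to the CSR builder
 * @throws RuntimeException wrapping the underlying failure when the
 *     certificate cannot be requested or stored
 */
private static void getPrimarySCMSelfSignedCert(CertificateClient client,
    OzoneConfiguration config, SCMStorageConfig scmStorageConfig,
    InetSocketAddress scmAddress) {
    try {
        CertificateServer rootCAServer = initializeRootCertificateServer(
            config, null, scmStorageConfig, new DefaultCAProfile());
        PKCS10CertificationRequest csr =
            generateCSR(client, scmStorageConfig, config, scmAddress);
        // The request is submitted with approval type KERBEROS_TRUSTED and
        // node type SCM; get() blocks until the root CA has signed it.
        X509CertificateHolder subSCMCertHolder =
            rootCAServer.requestCertificate(csr, KERBEROS_TRUSTED, SCM).get();
        X509CertificateHolder rootCACertificateHolder =
            rootCAServer.getCACertificate();
        String pemEncodedCert =
            CertificateCodec.getPEMEncodedString(subSCMCertHolder);
        String pemEncodedRootCert =
            CertificateCodec.getPEMEncodedString(rootCACertificateHolder);
        // Root CA certificate is stored before the sub-CA certificate. The
        // meaning of the boolean flags is not visible here — presumably
        // "is CA" / "is root CA"; confirm against CertificateClient.
        client.storeCertificate(pemEncodedRootCert, true, true);
        client.storeCertificate(pemEncodedCert, true);
        persistSubCACertificate(config, client, subSCMCertHolder);
        // Persist scm cert serial ID.
        scmStorageConfig.setScmCertSerialId(
            subSCMCertHolder.getSerialNumber().toString());
    } catch (InterruptedException e) {
        LOG.error("Error while fetching/storing SCM signed certificate.", e);
        // Only an interruption restores the interrupt flag; re-interrupting
        // on I/O or certificate errors would spuriously mark the thread as
        // interrupted for whatever runs next on it.
        Thread.currentThread().interrupt();
        throw new RuntimeException(e);
    } catch (ExecutionException | IOException | CertificateException e) {
        LOG.error("Error while fetching/storing SCM signed certificate.", e);
        throw new RuntimeException(e);
    }
}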

Example 2 with CertificateCodec.getPEMEncodedString

Use of org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec.getPEMEncodedString in the project ozone by apache.

From the class TestDefaultCAServer, method testIntermediaryCA.

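/**
 * Verifies that a certificate issued by a root CA can bootstrap an
 * intermediary CA.
 *
 * <p>Flow: a root CA is initialised as {@code SELF_SIGNED_CA}; an SCM
 * certificate client is initialised and is expected to report
 * {@code GETCERT}; a CSR for subject "testCA" (DNS name hadoop.apache.org,
 * IP 8.8.8.8, {@code setCA(false)}) is signed by the root CA; the issued
 * certificate's notAfter is checked against the configured
 * {@code HDDS_X509_MAX_DURATION} of P3650D; the root and issued certificates
 * are stored through the client and written where the CA server reads them;
 * finally a second CA is initialised as {@code INTERMEDIARY_CA} and must not
 * throw.
 *
 * @throws Exception on any unexpected failure in the setup steps
 */
@Test
public void testIntermediaryCA() throws Exception {
    conf.set(HddsConfigKeys.HDDS_X509_MAX_DURATION, "P3650D");
    String clusterId = RandomStringUtils.randomAlphanumeric(4);
    String scmId = RandomStringUtils.randomAlphanumeric(4);
    CertificateServer rootCA = new DefaultCAServer("rootCA", clusterId, scmId,
        caStore, new DefaultProfile(), Paths.get("scm", "ca").toString());
    rootCA.init(new SecurityConfig(conf), SELF_SIGNED_CA);
    SCMCertificateClient scmCertificateClient =
        new SCMCertificateClient(new SecurityConfig(conf));
    CertificateClient.InitResponse response = scmCertificateClient.init();
    Assert.assertEquals(CertificateClient.InitResponse.GETCERT, response);
    // Generate cert
    KeyPair keyPair = new HDDSKeyGenerator(conf).generateKey();
    // NOTE(review): the CSR asks for a non-CA certificate, yet the result is
    // later used to initialise an intermediary CA — confirm the server or
    // profile, not the CSR, decides the CA basic constraint.
    PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
        .addDnsName("hadoop.apache.org")
        .addIpAddress("8.8.8.8")
        .setCA(false)
        .setSubject("testCA")
        .setConfiguration(conf)
        .setKey(keyPair)
        .build();
    Future<X509CertificateHolder> holder = rootCA.requestCertificate(csr,
        CertificateApprover.ApprovalType.TESTING_AUTOMATIC, SCM);
    Assert.assertTrue(holder.isDone());
    X509CertificateHolder certificateHolder = holder.get();
    Assert.assertNotNull(certificateHolder);
    // notAfter is compared at day granularity in the system zone against
    // today + 3650 days, matching the P3650D max duration set above. Both
    // "now" values are sampled at different moments, so this can flake if
    // the test straddles a midnight boundary.
    LocalDate invalidAfterDate = certificateHolder.getNotAfter().toInstant()
        .atZone(ZoneId.systemDefault()).toLocalDate();
    LocalDate now = LocalDate.now();
    assertEquals(0, invalidAfterDate.compareTo(now.plusDays(3650)));
    X509CertificateHolder rootCertHolder = rootCA.getCACertificate();
    scmCertificateClient.storeCertificate(
        CertificateCodec.getPEMEncodedString(rootCertHolder), true, true);
    // Write to the location where Default CA Server reads from.
    scmCertificateClient.storeCertificate(
        CertificateCodec.getPEMEncodedString(certificateHolder), true);
    CertificateCodec certCodec = new CertificateCodec(new SecurityConfig(conf),
        scmCertificateClient.getComponentName());
    certCodec.writeCertificate(certificateHolder);
    // The certificate generated by above cert client will be used by scmCA.
    // Now scmCA init should be successful.
    CertificateServer scmCA = new DefaultCAServer("scmCA", clusterId, scmId,
        caStore, new DefaultProfile(), scmCertificateClient.getComponentName());
    try {
        scmCA.init(new SecurityConfig(conf), INTERMEDIARY_CA);
    } catch (Exception e) {
        // Keep the original exception as the cause rather than dropping it in
        // fail(): otherwise the real reason for the init failure is lost.
        throw new AssertionError("testIntermediaryCA failed during init", e);
    }
}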
