
Example 1 with CertificateException

use of org.apache.hadoop.hdds.security.x509.exceptions.CertificateException in project ozone by apache.

the class TestDefaultCAServer method testInit.

@Test
public void testInit() throws SCMSecurityException, CertificateException, IOException {
    // A freshly constructed CA server yields a CA certificate after init();
    // a second init() on the same server must return the very same
    // certificate, i.e. init() is idempotent and does not re-issue the CA cert.
    SecurityConfig secConf = new SecurityConfig(conf);
    String caCertDir = Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString();
    CertificateServer caServer = new DefaultCAServer("testCA",
        RandomStringUtils.randomAlphabetic(4),
        RandomStringUtils.randomAlphabetic(4),
        caStore, new DefaultProfile(), caCertDir);

    caServer.init(secConf, SELF_SIGNED_CA);
    X509CertificateHolder initialCert = caServer.getCACertificate();
    assertNotNull(initialCert);

    caServer.init(secConf, SELF_SIGNED_CA);
    X509CertificateHolder certAfterReinit = caServer.getCACertificate();
    assertEquals(initialCert, certAfterReinit);
}
Also used : DefaultProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile) SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) Test(org.junit.Test)

Example 2 with CertificateException

use of org.apache.hadoop.hdds.security.x509.exceptions.CertificateException in project ozone by apache.

the class TestCertificateCodec method writeCertificate2.

/**
 * Tests writing a certificate under a non-default file name: the first write
 * uses {@code force=false}, the second overwrites the same file with
 * {@code force=true}, and the certificate is then read back from the codec's
 * location.
 *
 * @throws IOException              - on Error.
 * @throws SCMSecurityException     - on Error.
 * @throws NoSuchProviderException  - on Error.
 * @throws NoSuchAlgorithmException - on Error.
 * @throws CertificateException     - on Error.
 */
@Test
public void writeCertificate2() throws IOException, SCMSecurityException, NoSuchProviderException, NoSuchAlgorithmException, CertificateException {
    HDDSKeyGenerator keyGen = new HDDSKeyGenerator(conf);
    LocalDate today = LocalDate.now();
    // One-day self-signed CA certificate with random subject/cluster/scm ids.
    SelfSignedCertificate.Builder certBuilder = SelfSignedCertificate.newBuilder()
        .setSubject(RandomStringUtils.randomAlphabetic(4))
        .setClusterID(RandomStringUtils.randomAlphabetic(4))
        .setScmID(RandomStringUtils.randomAlphabetic(4))
        .setBeginDate(today)
        .setEndDate(today.plus(1, ChronoUnit.DAYS))
        .setConfiguration(keyGen.getSecurityConfig().getConfiguration())
        .setKey(keyGen.generateKey())
        .makeCA();
    X509CertificateHolder caCert = certBuilder.build();

    CertificateCodec codec = new CertificateCodec(keyGen.getSecurityConfig(), "ca");
    String fileName = "newcert.crt";
    codec.writeCertificate(caCert, fileName, false);
    // Second write targets the existing file and relies on force=true.
    codec.writeCertificate(caCert, fileName, true);

    X509CertificateHolder reloaded = codec.readCertificate(codec.getLocation(), fileName);
    assertNotNull(reloaded);
}
Also used : HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) Test(org.junit.Test)

Example 3 with CertificateException

use of org.apache.hadoop.hdds.security.x509.exceptions.CertificateException in project ozone by apache.

the class TestRootCertificate method testCACert.

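@Test
public void testCACert() throws SCMSecurityException, NoSuchProviderException, NoSuchAlgorithmException, IOException, CertificateException {
    // Builds a self-signed root CA certificate for this host and checks the
    // CA-specific properties: a critical BasicConstraints extension with
    // cA=true, serial number ONE, and a PEM write/read round trip that keeps
    // the serial number.
    LocalDate notBefore = LocalDate.now();
    LocalDate notAfter = notBefore.plus(365, ChronoUnit.DAYS);
    String clusterID = UUID.randomUUID().toString();
    String scmID = UUID.randomUUID().toString();
    String subject = "testRootCert";
    HDDSKeyGenerator keyGen = new HDDSKeyGenerator(securityConfig.getConfiguration());
    KeyPair keyPair = keyGen.generateKey();
    SelfSignedCertificate.Builder builder = SelfSignedCertificate.newBuilder()
        .setBeginDate(notBefore)
        .setEndDate(notAfter)
        .setClusterID(clusterID)
        .setScmID(scmID)
        .setSubject(subject)
        .setKey(keyPair)
        .setConfiguration(conf)
        .makeCA();
    try {
        DomainValidator validator = DomainValidator.getInstance();
        // Every address reported for the current host becomes an IP SAN; its
        // reverse-resolved name is added as a DNS SAN only if it passes
        // domain validation.
        OzoneSecurityUtil.getValidInetsForCurrentHost().forEach(ip -> {
            builder.addIpAddress(ip.getHostAddress());
            // getCanonicalHostName() does a reverse lookup; resolve it once
            // rather than once for the check and once for the SAN.
            String canonicalName = ip.getCanonicalHostName();
            if (validator.isValid(canonicalName)) {
                builder.addDnsName(canonicalName);
            }
        });
    } catch (IOException e) {
        throw new org.apache.hadoop.hdds.security.x509.exceptions.CertificateException("Error while adding ip to CA self signed certificate", e, CSR_ERROR);
    }
    X509CertificateHolder certificateHolder = builder.build();

    // We asked for a CA certificate: BasicConstraints must be present,
    // critical, and actually assert cA=true. Checking presence alone would
    // also accept an end-entity certificate carrying BasicConstraints{cA=false}.
    Extension basicExt = certificateHolder.getExtension(Extension.basicConstraints);
    Assert.assertNotNull(basicExt);
    Assert.assertTrue(basicExt.isCritical());
    Assert.assertTrue(org.bouncycastle.asn1.x509.BasicConstraints.getInstance(basicExt.getParsedValue()).isCA());

    // The builder assigns ONE as the root certificate's serial number
    // (JUnit convention: expected value first).
    Assert.assertEquals(BigInteger.ONE, certificateHolder.getSerialNumber());

    CertificateCodec codec = new CertificateCodec(securityConfig, "scm");
    String pemString = codec.getPEMEncodedString(certificateHolder);
    File basePath = temporaryFolder.newFolder();
    if (!basePath.exists()) {
        Assert.assertTrue(basePath.mkdirs());
    }
    codec.writeCertificate(basePath.toPath(), "pemcertificate.crt", pemString, false);
    X509CertificateHolder loadedCert = codec.readCertificate(basePath.toPath(), "pemcertificate.crt");
    Assert.assertNotNull(loadedCert);
    Assert.assertEquals(certificateHolder.getSerialNumber(), loadedCert.getSerialNumber());
}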
Also used : KeyPair(java.security.KeyPair) HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator) SelfSignedCertificate(org.apache.hadoop.hdds.security.x509.certificates.utils.SelfSignedCertificate) CertificateCodec(org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec) IOException(java.io.IOException) LocalDate(java.time.LocalDate) Extension(org.bouncycastle.asn1.x509.Extension) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) DomainValidator(org.apache.commons.validator.routines.DomainValidator) File(java.io.File) Test(org.junit.Test)

Example 4 with CertificateException

use of org.apache.hadoop.hdds.security.x509.exceptions.CertificateException in project ozone by apache.

the class OzoneManager method getSCMSignedCert.

/**
 * Builds a CSR for this OM, sends it to SCM for signing and stores the
 * returned certificate chain through the certificate client.
 *
 * @param client  supplies the OM key pair and CSR builder and persists the
 *                certificates returned by SCM
 * @param config  used to resolve the OM RPC address, HA details and the SCM
 *                security client
 * @param omStore provides cluster id and OM id for the request; the issued
 *                certificate's serial id is written back into it
 * @param scmId   SCM id placed in the CSR
 * @throws IOException      propagated from user lookup / CSR construction
 * @throws RuntimeException if the OM RPC address cannot be resolved, SCM
 *                          returns no CA certificate, or storing fails
 */
private static void getSCMSignedCert(CertificateClient client, OzoneConfiguration config, OMStorage omStore, String scmId) throws IOException {
    CertificateSignRequest.Builder csrBuilder = client.getCSRBuilder();
    KeyPair omKeyPair = new KeyPair(client.getPublicKey(), client.getPrivateKey());

    InetSocketAddress omRpcAddress = OmUtils.getOmAddress(config);
    if (omRpcAddress == null || omRpcAddress.getAddress() == null) {
        LOG.error("Incorrect om rpc address. omRpcAdd:{}", omRpcAddress);
        throw new RuntimeException("Can't get SCM signed certificate. omRpcAdd: " + omRpcAddress);
    }
    String hostname = omRpcAddress.getAddress().getHostName();
    String ip = omRpcAddress.getAddress().getHostAddress();

    // With only an IP in the alt names, a subject that is not a hostname
    // would fail certificate validation, so the user name is only prepended
    // when a DNS name is present.
    String subject = csrBuilder.hasDnsName()
        ? UserGroupInformation.getCurrentUser().getShortUserName() + "@" + hostname
        : hostname;
    csrBuilder.setCA(false)
        .setKey(omKeyPair)
        .setConfiguration(config)
        .setScmID(scmId)
        .setClusterID(omStore.getClusterID())
        .setSubject(subject);

    String serviceId = OMHANodeDetails.loadOMHAConfig(config).getLocalNodeDetails().getServiceId();
    if (!StringUtils.isEmpty(serviceId)) {
        csrBuilder.addServiceName(serviceId);
    }
    LOG.info("Creating csr for OM->dns:{},ip:{},scmId:{},clusterId:{},subject:{}", hostname, ip, scmId, omStore.getClusterID(), subject);

    HddsProtos.Port rpcPort = HddsProtos.Port.newBuilder()
        .setName(RPC_PORT)
        .setValue(omRpcAddress.getPort())
        .build();
    PKCS10CertificationRequest csr = csrBuilder.build();
    HddsProtos.OzoneManagerDetailsProto omDetails = HddsProtos.OzoneManagerDetailsProto.newBuilder()
        .setHostName(omRpcAddress.getHostName())
        .setIpAddress(ip)
        .setUuid(omStore.getOmId())
        .addPorts(rpcPort)
        .build();
    LOG.info("OzoneManager ports added:{}", omDetails.getPortsList());

    SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient = HddsServerUtil.getScmSecurityClientWithFixedDuration(config);
    SCMGetCertResponseProto response = scmSecurityClient.getOMCertChain(omDetails, getEncodedString(csr));
    String pemEncodedCert = response.getX509Certificate();
    try {
        if (!response.hasX509CACertificate()) {
            throw new RuntimeException("Unable to retrieve OM certificate chain");
        }
        // SCM CA certificate first, then the OM certificate issued under it.
        client.storeCertificate(response.getX509CACertificate(), true, true);
        client.storeCertificate(pemEncodedCert, true);
        // Root CA certificate is optional in the response.
        if (response.hasX509RootCACertificate()) {
            client.storeRootCACertificate(response.getX509RootCACertificate(), true);
        }
        // Persist the serial id of the OM certificate.
        omStore.setOmCertSerialId(CertificateCodec.getX509Certificate(pemEncodedCert).getSerialNumber().toString());
    } catch (IOException | CertificateException e) {
        LOG.error("Error while storing SCM signed certificate.", e);
        throw new RuntimeException(e);
    }
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) KeyPair(java.security.KeyPair) OMHANodeDetails(org.apache.hadoop.ozone.om.ha.OMHANodeDetails) SCMSecurityProtocolClientSideTranslatorPB(org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB) InetSocketAddress(java.net.InetSocketAddress) CertificateException(java.security.cert.CertificateException) CertificateSignRequest.getEncodedString(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString) IOException(java.io.IOException) UncheckedIOException(java.io.UncheckedIOException) SCMGetCertResponseProto(org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos.SCMGetCertResponseProto) HddsProtos(org.apache.hadoop.hdds.protocol.proto.HddsProtos) CertificateSignRequest(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest)

Example 5 with CertificateException

use of org.apache.hadoop.hdds.security.x509.exceptions.CertificateException in project ozone by apache.

the class HASecurityUtils method getPrimarySCMSelfSignedCert.

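/**
 * For the primary SCM: obtain a sub-CA certificate signed by the root CA
 * certificate server together with the root CA certificate, store both via
 * the certificate client, persist the sub-CA certificate and record its
 * serial id in SCM storage.
 *
 * @param client           certificate client used to build the CSR and to
 *                         store the returned certificates
 * @param config           configuration for the root CA server and CSR
 * @param scmStorageConfig SCM storage; receives the sub-CA cert serial id
 * @param scmAddress       address used when generating the CSR
 * @throws RuntimeException wrapping any interruption, signing, I/O or
 *                          certificate failure
 */
private static void getPrimarySCMSelfSignedCert(CertificateClient client, OzoneConfiguration config, SCMStorageConfig scmStorageConfig, InetSocketAddress scmAddress) {
    try {
        CertificateServer rootCAServer = initializeRootCertificateServer(config, null, scmStorageConfig, new DefaultCAProfile());
        PKCS10CertificationRequest csr = generateCSR(client, scmStorageConfig, config, scmAddress);
        // requestCertificate() returns a future; block until the root CA has
        // signed the sub-CA CSR.
        X509CertificateHolder subSCMCertHolder = rootCAServer.requestCertificate(csr, KERBEROS_TRUSTED, SCM).get();
        X509CertificateHolder rootCACertificateHolder = rootCAServer.getCACertificate();
        String pemEncodedCert = CertificateCodec.getPEMEncodedString(subSCMCertHolder);
        String pemEncodedRootCert = CertificateCodec.getPEMEncodedString(rootCACertificateHolder);
        // Root CA certificate is stored before the sub-CA certificate issued
        // under it (the extra boolean on the root call presumably flags it as
        // the CA cert — confirm against CertificateClient).
        client.storeCertificate(pemEncodedRootCert, true, true);
        client.storeCertificate(pemEncodedCert, true);
        persistSubCACertificate(config, client, subSCMCertHolder);
        // Persist scm cert serial ID.
        scmStorageConfig.setScmCertSerialId(subSCMCertHolder.getSerialNumber().toString());
    } catch (InterruptedException e) {
        // Only an actual interrupt restores the thread's interrupt status;
        // setting the flag on I/O or certificate failures would make the
        // caller look interrupted when it was not.
        LOG.error("Error while fetching/storing SCM signed certificate.", e);
        Thread.currentThread().interrupt();
        throw new RuntimeException(e);
    } catch (ExecutionException | IOException | CertificateException e) {
        LOG.error("Error while fetching/storing SCM signed certificate.", e);
        throw new RuntimeException(e);
    }
}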
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) CertificateServer(org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer) DefaultCAProfile(org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultCAProfile) CertificateException(java.security.cert.CertificateException) CertificateSignRequest.getEncodedString(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest.getEncodedString) IOException(java.io.IOException) ExecutionException(java.util.concurrent.ExecutionException)
