use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in project ozone by apache.
the class TestDefaultCAServer method testRequestCertificate.
/**
* The most important test of this test suite. This tests that we are able
* to create a Test CA, creates it own self-Signed CA and then issue a
* certificate based on a CSR.
* @throws SCMSecurityException - on ERROR.
* @throws ExecutionException - on ERROR.
* @throws InterruptedException - on ERROR.
* @throws NoSuchProviderException - on ERROR.
* @throws NoSuchAlgorithmException - on ERROR.
*/
@Test
public void testRequestCertificate() throws IOException, ExecutionException, InterruptedException, NoSuchProviderException, NoSuchAlgorithmException {
String scmId = RandomStringUtils.randomAlphabetic(4);
String clusterId = RandomStringUtils.randomAlphabetic(4);
KeyPair keyPair = new HDDSKeyGenerator(conf).generateKey();
PKCS10CertificationRequest csr = new CertificateSignRequest.Builder().addDnsName("hadoop.apache.org").addIpAddress("8.8.8.8").addServiceName("OzoneMarketingCluster002").setCA(false).setClusterID(clusterId).setScmID(scmId).setSubject("Ozone Cluster").setConfiguration(conf).setKey(keyPair).build();
// Let us convert this to a string to mimic the common use case.
String csrString = CertificateSignRequest.getEncodedString(csr);
CertificateServer testCA = new DefaultCAServer("testCA", clusterId, scmId, caStore, new DefaultProfile(), Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString());
testCA.init(new SecurityConfig(conf), SELF_SIGNED_CA);
Future<X509CertificateHolder> holder = testCA.requestCertificate(csrString, CertificateApprover.ApprovalType.TESTING_AUTOMATIC, SCM);
// Right now our calls are synchronous. Eventually this will have to wait.
assertTrue(holder.isDone());
assertNotNull(holder.get());
}
use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in project ozone by apache.
the class TestDefaultCertificateClient method setUp.
@Before
public void setUp() throws Exception {
OzoneConfiguration config = new OzoneConfiguration();
config.setStrings(OZONE_SCM_NAMES, "localhost");
config.setInt(IPC_CLIENT_CONNECT_MAX_RETRIES_KEY, 2);
final String omPath = GenericTestUtils.getTempPath(UUID.randomUUID().toString());
final String dnPath = GenericTestUtils.getTempPath(UUID.randomUUID().toString());
omMetaDirPath = Paths.get(omPath, "test");
dnMetaDirPath = Paths.get(dnPath, "test");
config.set(HDDS_METADATA_DIR_NAME, omMetaDirPath.toString());
omSecurityConfig = new SecurityConfig(config);
config.set(HDDS_METADATA_DIR_NAME, dnMetaDirPath.toString());
dnSecurityConfig = new SecurityConfig(config);
keyGenerator = new HDDSKeyGenerator(omSecurityConfig);
omKeyCodec = new KeyCodec(omSecurityConfig, OM_COMPONENT);
dnKeyCodec = new KeyCodec(dnSecurityConfig, DN_COMPONENT);
Files.createDirectories(omSecurityConfig.getKeyLocation(OM_COMPONENT));
Files.createDirectories(dnSecurityConfig.getKeyLocation(DN_COMPONENT));
x509Certificate = generateX509Cert(null);
certSerialId = x509Certificate.getSerialNumber().toString();
getCertClient();
}
use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in project ozone by apache.
the class TestCertificateCodec method writeCertificate2.
/**
* Tests writing to non-default certificate file name.
*
* @throws IOException - on Error.
* @throws SCMSecurityException - on Error.
* @throws NoSuchProviderException - on Error.
* @throws NoSuchAlgorithmException - on Error.
* @throws CertificateException - on Error.
*/
@Test
public void writeCertificate2() throws IOException, SCMSecurityException, NoSuchProviderException, NoSuchAlgorithmException, CertificateException {
HDDSKeyGenerator keyGenerator = new HDDSKeyGenerator(conf);
X509CertificateHolder cert = SelfSignedCertificate.newBuilder().setSubject(RandomStringUtils.randomAlphabetic(4)).setClusterID(RandomStringUtils.randomAlphabetic(4)).setScmID(RandomStringUtils.randomAlphabetic(4)).setBeginDate(LocalDate.now()).setEndDate(LocalDate.now().plus(1, ChronoUnit.DAYS)).setConfiguration(keyGenerator.getSecurityConfig().getConfiguration()).setKey(keyGenerator.generateKey()).makeCA().build();
CertificateCodec codec = new CertificateCodec(keyGenerator.getSecurityConfig(), "ca");
codec.writeCertificate(cert, "newcert.crt", false);
// Rewrite with force support
codec.writeCertificate(cert, "newcert.crt", true);
X509CertificateHolder x509CertificateHolder = codec.readCertificate(codec.getLocation(), "newcert.crt");
assertNotNull(x509CertificateHolder);
}
use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in project ozone by apache.
the class TestCertificateSignRequest method testGenerateCSR.
@Test
public void testGenerateCSR() throws NoSuchProviderException, NoSuchAlgorithmException, SCMSecurityException, OperatorCreationException, PKCSException {
String clusterID = UUID.randomUUID().toString();
String scmID = UUID.randomUUID().toString();
String subject = "DN001";
HDDSKeyGenerator keyGen = new HDDSKeyGenerator(securityConfig.getConfiguration());
KeyPair keyPair = keyGen.generateKey();
CertificateSignRequest.Builder builder = new CertificateSignRequest.Builder().setSubject(subject).setScmID(scmID).setClusterID(clusterID).setKey(keyPair).setConfiguration(conf);
PKCS10CertificationRequest csr = builder.build();
// Check the Subject Name is in the expected format.
String dnName = String.format(SecurityUtil.getDistinguishedNameFormat(), subject, scmID, clusterID);
Assert.assertEquals(csr.getSubject().toString(), dnName);
// Verify the public key info match
byte[] encoded = keyPair.getPublic().getEncoded();
SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(encoded));
SubjectPublicKeyInfo csrPublicKeyInfo = csr.getSubjectPublicKeyInfo();
Assert.assertEquals(csrPublicKeyInfo, subjectPublicKeyInfo);
// Verify CSR with attribute for extensions
Assert.assertEquals(1, csr.getAttributes().length);
Extensions extensions = SecurityUtil.getPkcs9Extensions(csr);
// Verify key usage extension
Extension keyUsageExt = extensions.getExtension(Extension.keyUsage);
Assert.assertEquals(true, keyUsageExt.isCritical());
// Verify San extension not set
Assert.assertEquals(null, extensions.getExtension(Extension.subjectAlternativeName));
// Verify signature in CSR
ContentVerifierProvider verifierProvider = new JcaContentVerifierProviderBuilder().setProvider(securityConfig.getProvider()).build(csr.getSubjectPublicKeyInfo());
Assert.assertEquals(true, csr.isSignatureValid(verifierProvider));
}
use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in project ozone by apache.
the class TestCertificateSignRequest method testGenerateCSRWithInvalidParams.
@Test
public void testGenerateCSRWithInvalidParams() throws NoSuchProviderException, NoSuchAlgorithmException, SCMSecurityException {
String clusterID = UUID.randomUUID().toString();
String scmID = UUID.randomUUID().toString();
String subject = "DN001";
HDDSKeyGenerator keyGen = new HDDSKeyGenerator(securityConfig.getConfiguration());
KeyPair keyPair = keyGen.generateKey();
CertificateSignRequest.Builder builder = new CertificateSignRequest.Builder().setSubject(subject).setScmID(scmID).setClusterID(clusterID).setKey(keyPair).setConfiguration(conf);
try {
builder.setKey(null);
builder.build();
Assert.fail("Null Key should have failed.");
} catch (NullPointerException | IllegalArgumentException e) {
builder.setKey(keyPair);
}
// Now try with blank/null Subject.
try {
builder.setSubject(null);
builder.build();
Assert.fail("Null/Blank Subject should have thrown.");
} catch (IllegalArgumentException e) {
builder.setSubject(subject);
}
try {
builder.setSubject("");
builder.build();
Assert.fail("Null/Blank Subject should have thrown.");
} catch (IllegalArgumentException e) {
builder.setSubject(subject);
}
// Now try with invalid IP address
try {
builder.addIpAddress("255.255.255.*");
builder.build();
Assert.fail("Invalid ip address");
} catch (IllegalArgumentException e) {
}
PKCS10CertificationRequest csr = builder.build();
// Check the Subject Name is in the expected format.
String dnName = String.format(SecurityUtil.getDistinguishedNameFormat(), subject, scmID, clusterID);
Assert.assertEquals(csr.getSubject().toString(), dnName);
// Verify the public key info match
byte[] encoded = keyPair.getPublic().getEncoded();
SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(encoded));
SubjectPublicKeyInfo csrPublicKeyInfo = csr.getSubjectPublicKeyInfo();
Assert.assertEquals(csrPublicKeyInfo, subjectPublicKeyInfo);
// Verify CSR with attribute for extensions
Assert.assertEquals(1, csr.getAttributes().length);
}
Aggregations