
Example 1 with HDDSKeyGenerator

Use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in the project ozone by apache.

From the class TestDefaultCAServer, method testRequestCertificate.

/**
 * End-to-end check of the CA: stand up a self-signed test CA, hand it an
 * encoded CSR, and make sure a certificate comes back.
 *
 * @throws IOException              - on ERROR.
 * @throws ExecutionException       - on ERROR.
 * @throws InterruptedException     - on ERROR.
 * @throws NoSuchProviderException  - on ERROR.
 * @throws NoSuchAlgorithmException - on ERROR.
 */
@Test
public void testRequestCertificate() throws IOException, ExecutionException, InterruptedException, NoSuchProviderException, NoSuchAlgorithmException {
    final String scmId = RandomStringUtils.randomAlphabetic(4);
    final String clusterId = RandomStringUtils.randomAlphabetic(4);
    final KeyPair keyPair = new HDDSKeyGenerator(conf).generateKey();
    // Build a non-CA request carrying DNS, IP and service-name SAN entries.
    final CertificateSignRequest.Builder csrBuilder = new CertificateSignRequest.Builder()
        .addDnsName("hadoop.apache.org")
        .addIpAddress("8.8.8.8")
        .addServiceName("OzoneMarketingCluster002")
        .setCA(false)
        .setClusterID(clusterId)
        .setScmID(scmId)
        .setSubject("Ozone Cluster")
        .setConfiguration(conf)
        .setKey(keyPair);
    final PKCS10CertificationRequest csr = csrBuilder.build();
    // Callers normally pass the CA an encoded string, not the CSR object.
    final String csrString = CertificateSignRequest.getEncodedString(csr);
    final String caStoragePath = Paths.get(SCM_CA_CERT_STORAGE_DIR, SCM_CA_PATH).toString();
    final CertificateServer testCA = new DefaultCAServer("testCA", clusterId, scmId, caStore, new DefaultProfile(), caStoragePath);
    testCA.init(new SecurityConfig(conf), SELF_SIGNED_CA);
    final Future<X509CertificateHolder> holder = testCA.requestCertificate(csrString, CertificateApprover.ApprovalType.TESTING_AUTOMATIC, SCM);
    // The CA answers synchronously today, so the future is already complete;
    // if it ever becomes asynchronous this assertion must wait instead.
    assertTrue(holder.isDone());
    assertNotNull(holder.get());
}

Example 2 with HDDSKeyGenerator

Use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in the project ozone by apache.

From the class TestDefaultCertificateClient, method setUp.

/**
 * Prepares one OM and one DN security setup in separate temp directories,
 * creates their key locations and a self-signed certificate, then builds
 * the certificate client under test.
 *
 * @throws Exception - on any setup failure.
 */
@Before
public void setUp() throws Exception {
    final OzoneConfiguration config = new OzoneConfiguration();
    config.setStrings(OZONE_SCM_NAMES, "localhost");
    config.setInt(IPC_CLIENT_CONNECT_MAX_RETRIES_KEY, 2);
    // Each component gets its own scratch directory so their key stores never overlap.
    final String omTempDir = GenericTestUtils.getTempPath(UUID.randomUUID().toString());
    final String dnTempDir = GenericTestUtils.getTempPath(UUID.randomUUID().toString());
    omMetaDirPath = Paths.get(omTempDir, "test");
    dnMetaDirPath = Paths.get(dnTempDir, "test");
    // The same config object is reused: the metadata dir is switched before
    // each SecurityConfig is built, so the order of these four lines matters.
    config.set(HDDS_METADATA_DIR_NAME, omMetaDirPath.toString());
    omSecurityConfig = new SecurityConfig(config);
    config.set(HDDS_METADATA_DIR_NAME, dnMetaDirPath.toString());
    dnSecurityConfig = new SecurityConfig(config);
    keyGenerator = new HDDSKeyGenerator(omSecurityConfig);
    omKeyCodec = new KeyCodec(omSecurityConfig, OM_COMPONENT);
    dnKeyCodec = new KeyCodec(dnSecurityConfig, DN_COMPONENT);
    Files.createDirectories(omSecurityConfig.getKeyLocation(OM_COMPONENT));
    Files.createDirectories(dnSecurityConfig.getKeyLocation(DN_COMPONENT));
    x509Certificate = generateX509Cert(null);
    certSerialId = x509Certificate.getSerialNumber().toString();
    getCertClient();
}

Example 3 with HDDSKeyGenerator

Use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in the project ozone by apache.

From the class TestCertificateCodec, method writeCertificate2.

/**
 * Writes a CA certificate under a non-default file name, overwrites it with
 * the force flag, and reads it back.
 *
 * @throws IOException              - on Error.
 * @throws SCMSecurityException     - on Error.
 * @throws NoSuchProviderException  - on Error.
 * @throws NoSuchAlgorithmException - on Error.
 * @throws CertificateException     - on Error.
 */
@Test
public void writeCertificate2() throws IOException, SCMSecurityException, NoSuchProviderException, NoSuchAlgorithmException, CertificateException {
    final HDDSKeyGenerator keyGenerator = new HDDSKeyGenerator(conf);
    final LocalDate validFrom = LocalDate.now();
    // A one-day validity window is plenty for a write/read round trip.
    final LocalDate validTo = validFrom.plus(1, ChronoUnit.DAYS);
    final X509CertificateHolder caCert = SelfSignedCertificate.newBuilder()
        .setSubject(RandomStringUtils.randomAlphabetic(4))
        .setClusterID(RandomStringUtils.randomAlphabetic(4))
        .setScmID(RandomStringUtils.randomAlphabetic(4))
        .setBeginDate(validFrom)
        .setEndDate(validTo)
        .setConfiguration(keyGenerator.getSecurityConfig().getConfiguration())
        .setKey(keyGenerator.generateKey())
        .makeCA()
        .build();
    final CertificateCodec codec = new CertificateCodec(keyGenerator.getSecurityConfig(), "ca");
    final String fileName = "newcert.crt";
    codec.writeCertificate(caCert, fileName, false);
    // Second write targets the existing file, so it needs the force flag.
    codec.writeCertificate(caCert, fileName, true);
    final X509CertificateHolder readBack = codec.readCertificate(codec.getLocation(), fileName);
    assertNotNull(readBack);
}

Example 4 with HDDSKeyGenerator

Use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in the project ozone by apache.

From the class TestCertificateSignRequest, method testGenerateCSR.

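/**
 * Builds a CSR from a freshly generated key pair and checks its subject DN,
 * embedded public key, requested extensions and self-signature.
 *
 * Assertions use JUnit's (expected, actual) order so failure messages read
 * correctly, and boolean/null checks use the dedicated assert methods.
 *
 * @throws NoSuchProviderException  - on Error.
 * @throws NoSuchAlgorithmException - on Error.
 * @throws SCMSecurityException     - on Error.
 * @throws OperatorCreationException - on Error.
 * @throws PKCSException            - on Error.
 */
@Test
public void testGenerateCSR() throws NoSuchProviderException, NoSuchAlgorithmException, SCMSecurityException, OperatorCreationException, PKCSException {
    String clusterID = UUID.randomUUID().toString();
    String scmID = UUID.randomUUID().toString();
    String subject = "DN001";
    HDDSKeyGenerator keyGen = new HDDSKeyGenerator(securityConfig.getConfiguration());
    KeyPair keyPair = keyGen.generateKey();
    CertificateSignRequest.Builder builder = new CertificateSignRequest.Builder().setSubject(subject).setScmID(scmID).setClusterID(clusterID).setKey(keyPair).setConfiguration(conf);
    PKCS10CertificationRequest csr = builder.build();
    // Check the Subject Name is in the expected format.
    String dnName = String.format(SecurityUtil.getDistinguishedNameFormat(), subject, scmID, clusterID);
    Assert.assertEquals(dnName, csr.getSubject().toString());
    // Verify the public key in the CSR is the one we generated.
    byte[] encoded = keyPair.getPublic().getEncoded();
    SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(encoded));
    SubjectPublicKeyInfo csrPublicKeyInfo = csr.getSubjectPublicKeyInfo();
    Assert.assertEquals(subjectPublicKeyInfo, csrPublicKeyInfo);
    // The builder packs the requested extensions into a single PKCS#9 attribute.
    Assert.assertEquals(1, csr.getAttributes().length);
    Extensions extensions = SecurityUtil.getPkcs9Extensions(csr);
    // Key usage must be marked critical so a relying party cannot ignore it.
    Extension keyUsageExt = extensions.getExtension(Extension.keyUsage);
    Assert.assertTrue(keyUsageExt.isCritical());
    // No DNS/IP/service names were added, so there must be no SAN extension.
    Assert.assertNull(extensions.getExtension(Extension.subjectAlternativeName));
    // The CSR must be signed by the private key matching its embedded public key.
    ContentVerifierProvider verifierProvider = new JcaContentVerifierProviderBuilder().setProvider(securityConfig.getProvider()).build(csr.getSubjectPublicKeyInfo());
    Assert.assertTrue(csr.isSignatureValid(verifierProvider));
}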

Example 5 with HDDSKeyGenerator

Use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in the project ozone by apache.

From the class TestCertificateSignRequest, method testGenerateCSRWithInvalidParams.

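/**
 * Checks that the CSR builder rejects a missing key, a null or blank subject
 * and a malformed IP address, and that after each rejection the builder is
 * restored and still produces a valid CSR.
 *
 * Assertions use JUnit's (expected, actual) order so failure messages read
 * correctly; caught exceptions are the expected outcome, not swallowed errors.
 *
 * @throws NoSuchProviderException  - on Error.
 * @throws NoSuchAlgorithmException - on Error.
 * @throws SCMSecurityException     - on Error.
 */
@Test
public void testGenerateCSRWithInvalidParams() throws NoSuchProviderException, NoSuchAlgorithmException, SCMSecurityException {
    String clusterID = UUID.randomUUID().toString();
    String scmID = UUID.randomUUID().toString();
    String subject = "DN001";
    HDDSKeyGenerator keyGen = new HDDSKeyGenerator(securityConfig.getConfiguration());
    KeyPair keyPair = keyGen.generateKey();
    CertificateSignRequest.Builder builder = new CertificateSignRequest.Builder().setSubject(subject).setScmID(scmID).setClusterID(clusterID).setKey(keyPair).setConfiguration(conf);
    // A CSR cannot be built without a key pair to sign it.
    try {
        builder.setKey(null);
        builder.build();
        Assert.fail("Null Key should have failed.");
    } catch (NullPointerException | IllegalArgumentException expected) {
        // Expected; restore the key so later builds succeed.
        builder.setKey(keyPair);
    }
    // Now try with blank/null Subject.
    try {
        builder.setSubject(null);
        builder.build();
        Assert.fail("Null/Blank Subject should have thrown.");
    } catch (IllegalArgumentException expected) {
        builder.setSubject(subject);
    }
    try {
        builder.setSubject("");
        builder.build();
        Assert.fail("Null/Blank Subject should have thrown.");
    } catch (IllegalArgumentException expected) {
        builder.setSubject(subject);
    }
    // A wildcard is not a valid IP address and must not end up in the SAN.
    try {
        builder.addIpAddress("255.255.255.*");
        builder.build();
        Assert.fail("Invalid ip address");
    } catch (IllegalArgumentException expected) {
        // Expected: the builder rejected the malformed address.
    }
    PKCS10CertificationRequest csr = builder.build();
    // Check the Subject Name is in the expected format.
    String dnName = String.format(SecurityUtil.getDistinguishedNameFormat(), subject, scmID, clusterID);
    Assert.assertEquals(dnName, csr.getSubject().toString());
    // Verify the public key in the CSR is the one we generated.
    byte[] encoded = keyPair.getPublic().getEncoded();
    SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(encoded));
    SubjectPublicKeyInfo csrPublicKeyInfo = csr.getSubjectPublicKeyInfo();
    Assert.assertEquals(subjectPublicKeyInfo, csrPublicKeyInfo);
    // The builder packs the requested extensions into a single PKCS#9 attribute.
    Assert.assertEquals(1, csr.getAttributes().length);
}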
