Example 6 with HDDSKeyGenerator

Use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in project ozone by apache.

The class TestKeyCodec, method init.

@Before
public void init() throws IOException {
    configuration = new OzoneConfiguration();
    prefix = temporaryFolder.newFolder().toString();
    configuration.set(HDDS_METADATA_DIR_NAME, prefix);
    keyGenerator = new HDDSKeyGenerator(configuration);
    securityConfig = new SecurityConfig(configuration);
    component = "test_component";
}
Also used : SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) OzoneConfiguration(org.apache.hadoop.hdds.conf.OzoneConfiguration) Before(org.junit.Before)

Example 7 with HDDSKeyGenerator

Use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in project ozone by apache.

The class TestRootCertificate, method testCACert.

@Test
public void testCACert() throws SCMSecurityException, NoSuchProviderException, NoSuchAlgorithmException, IOException, CertificateException {
    LocalDate notBefore = LocalDate.now();
    LocalDate notAfter = notBefore.plus(365, ChronoUnit.DAYS);
    String clusterID = UUID.randomUUID().toString();
    String scmID = UUID.randomUUID().toString();
    String subject = "testRootCert";
    HDDSKeyGenerator keyGen = new HDDSKeyGenerator(securityConfig.getConfiguration());
    KeyPair keyPair = keyGen.generateKey();
    SelfSignedCertificate.Builder builder = SelfSignedCertificate.newBuilder()
            .setBeginDate(notBefore)
            .setEndDate(notAfter)
            .setClusterID(clusterID)
            .setScmID(scmID)
            .setSubject(subject)
            .setKey(keyPair)
            .setConfiguration(conf)
            .makeCA();
    try {
        DomainValidator validator = DomainValidator.getInstance();
        // Add all valid ips.
        OzoneSecurityUtil.getValidInetsForCurrentHost().forEach(ip -> {
            builder.addIpAddress(ip.getHostAddress());
            if (validator.isValid(ip.getCanonicalHostName())) {
                builder.addDnsName(ip.getCanonicalHostName());
            }
        });
    } catch (IOException e) {
        throw new org.apache.hadoop.hdds.security.x509.exceptions.CertificateException("Error while adding ip to CA self signed certificate", e, CSR_ERROR);
    }
    X509CertificateHolder certificateHolder = builder.build();
    // This time we asked for a CertificateServer Certificate, make sure that
    // the basicConstraints extension is present and critical.
    Extension basicExt = certificateHolder.getExtension(Extension.basicConstraints);
    Assert.assertNotNull(basicExt);
    Assert.assertTrue(basicExt.isCritical());
    // Since this code assigns ONE for the root certificate, we check if the
    // serial number is the expected number.
    Assert.assertEquals(certificateHolder.getSerialNumber(), BigInteger.ONE);
    CertificateCodec codec = new CertificateCodec(securityConfig, "scm");
    String pemString = codec.getPEMEncodedString(certificateHolder);
    File basePath = temporaryFolder.newFolder();
    if (!basePath.exists()) {
        Assert.assertTrue(basePath.mkdirs());
    }
    codec.writeCertificate(basePath.toPath(), "pemcertificate.crt", pemString, false);
    X509CertificateHolder loadedCert = codec.readCertificate(basePath.toPath(), "pemcertificate.crt");
    assertNotNull(loadedCert);
    assertEquals(certificateHolder.getSerialNumber(), loadedCert.getSerialNumber());
}
Also used : KeyPair(java.security.KeyPair) HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator) SelfSignedCertificate(org.apache.hadoop.hdds.security.x509.certificates.utils.SelfSignedCertificate) CertificateCodec(org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec) IOException(java.io.IOException) LocalDate(java.time.LocalDate) Extension(org.bouncycastle.asn1.x509.Extension) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) DomainValidator(org.apache.commons.validator.routines.DomainValidator) File(java.io.File) Test(org.junit.Test)

Example 8 with HDDSKeyGenerator

Use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in project ozone by apache.

The class TestSecureOzoneCluster, method generateKeyPair.

private void generateKeyPair() throws Exception {
    HDDSKeyGenerator keyGenerator = new HDDSKeyGenerator(conf);
    KeyPair keyPair = keyGenerator.generateKey();
    KeyCodec pemWriter = new KeyCodec(new SecurityConfig(conf), COMPONENT);
    pemWriter.writeKey(keyPair, true);
}
Also used : KeyPair(java.security.KeyPair) HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator) SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) KeyCodec(org.apache.hadoop.hdds.security.x509.keys.KeyCodec)

Example 9 with HDDSKeyGenerator

Use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in project ozone by apache.

The class TestDelegationToken, method generateKeyPair.

private void generateKeyPair() throws Exception {
    HDDSKeyGenerator keyGenerator = new HDDSKeyGenerator(conf);
    KeyPair keyPair = keyGenerator.generateKey();
    KeyCodec pemWriter = new KeyCodec(new SecurityConfig(conf), COMPONENT);
    pemWriter.writeKey(keyPair, true);
}
Also used : KeyPair(java.security.KeyPair) HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator) SecurityConfig(org.apache.hadoop.hdds.security.x509.SecurityConfig) KeyCodec(org.apache.hadoop.hdds.security.x509.keys.KeyCodec)

Example 10 with HDDSKeyGenerator

Use of org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator in project ozone by apache.

The class TestDefaultProfile, method testVerifyCertificateInvalidKeys.

/**
 * Test invalid keys fail in the validation.
 *
 * @throws SCMSecurityException      - on Error.
 * @throws PKCSException             - on Error.
 * @throws OperatorCreationException - on Error.
 * @throws NoSuchProviderException   - on Error.
 * @throws NoSuchAlgorithmException  - on Error.
 */
@Test
public void testVerifyCertificateInvalidKeys() throws SCMSecurityException, PKCSException, OperatorCreationException, NoSuchProviderException, NoSuchAlgorithmException {
    KeyPair newKeyPair = new HDDSKeyGenerator(securityConfig).generateKey();
    KeyPair wrongKey = new KeyPair(keyPair.getPublic(), newKeyPair.getPrivate());
    PKCS10CertificationRequest csr = new CertificateSignRequest.Builder()
            .addDnsName("hadoop.apache.org")
            .addIpAddress("8.8.8.8")
            .setCA(false)
            .setClusterID("ClusterID")
            .setScmID("SCMID")
            .setSubject("Ozone Cluster")
            .setConfiguration(configuration)
            .setKey(wrongKey)
            .build();
    // Signature verification should fail here, since the public/private key
    // does not match.
    assertFalse(testApprover.verifyPkcs10Request(csr));
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) KeyPair(java.security.KeyPair) HDDSKeyGenerator(org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator) CertificateSignRequest(org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest) Test(org.junit.Test)
