
Example 36 with PKCS10CertificationRequest

use of org.bouncycastle.pkcs.PKCS10CertificationRequest in project athenz by yahoo.

the class ZTSClientTest method testGenerateInstanceRefreshRequestSubDomain.

@Test
public void testGenerateInstanceRefreshRequestSubDomain() {
    // A refresh request for a service in a sub-domain must carry a CSR whose
    // CN is "<domain>.<service>" and whose SAN DNS name uses the dashed domain.
    File keyFile = new File("./src/test/resources/unit_test_private_k0.pem");
    PrivateKey signingKey = Crypto.loadPrivateKey(keyFile);

    InstanceRefreshRequest refreshRequest =
            ZTSClient.generateInstanceRefreshRequest("coretech.system", "test", signingKey, "aws", 3600);
    assertNotNull(refreshRequest);

    PKCS10CertificationRequest csr = Crypto.getPKCS10CertRequest(refreshRequest.getCsr());
    final String expectedCn = "coretech.system.test";

    // Check the CN both through the project helper and straight off the subject.
    assertEquals(expectedCn, Crypto.extractX509CSRCommonName(csr));
    X500Name subject = csr.getSubject();
    RDN commonNameRdn = subject.getRDNs(BCStyle.CN)[0];
    assertEquals(expectedCn, IETFUtils.valueToString(commonNameRdn.getFirst().getValue()));

    // The "." in the domain becomes "-" in the DNS SAN.
    assertEquals("test.coretech-system.aws.athenz.cloud", Crypto.extractX509CSRDnsNames(csr).get(0));
}

Example 37 with PKCS10CertificationRequest

use of org.bouncycastle.pkcs.PKCS10CertificationRequest in project airlift by airlift.

the class TestCertificationRequest method test.

@Test
public void test() throws Exception {
    // test only with state because BC encodes every other value using UTF8String instead of PrintableString used by the JDK
    String subjectName = "C=country";

    // Fresh P-256 key pair used to sign the request.
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
    keyGen.initialize(new ECGenParameterSpec("secp256r1"));
    KeyPair keys = keyGen.generateKeyPair();

    // Build the request info and sign it with SHA256withECDSA.
    CertificationRequestInfo requestInfo =
            new CertificationRequestInfo(new X500Principal(subjectName), keys.getPublic());
    SignatureAlgorithmIdentifier sigAlg = findSignatureAlgorithmIdentifier("SHA256withECDSA");
    byte[] sigBytes = requestInfo.sign(sigAlg, keys.getPrivate());
    CertificationRequest request = new CertificationRequest(requestInfo, sigAlg, sigBytes);

    // Accessors hand back exactly what went in.
    assertEquals(request.getCertificationRequestInfo(), requestInfo);
    assertEquals(request.getSignatureAlgorithmIdentifier(), sigAlg);
    assertEquals(base16().encode(request.getSignature()), base16().encode(sigBytes));

    // equals/hashCode are reflexive and stable.
    assertEquals(request, request);
    assertEquals(request.hashCode(), request.hashCode());

    // The DER encoding must be byte-for-byte what Bouncy Castle produces for the
    // same subject, public key, empty attribute set, algorithm and signature.
    org.bouncycastle.asn1.pkcs.CertificationRequestInfo bcInfo =
            new org.bouncycastle.asn1.pkcs.CertificationRequestInfo(
                    new X500Name(subjectName),
                    SubjectPublicKeyInfo.getInstance(keys.getPublic().getEncoded()),
                    new DERSet());
    org.bouncycastle.asn1.pkcs.CertificationRequest bcRequest =
            new org.bouncycastle.asn1.pkcs.CertificationRequest(
                    bcInfo,
                    new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withECDSA"),
                    new DERBitString(sigBytes));
    PKCS10CertificationRequest expected = new PKCS10CertificationRequest(bcRequest);
    assertEquals(base16().encode(request.getEncoded()), base16().encode(expected.getEncoded()));
}

Example 38 with PKCS10CertificationRequest

use of org.bouncycastle.pkcs.PKCS10CertificationRequest in project athenz by yahoo.

the class ZTSImpl method postOSTKInstanceInformation.

// this method will be removed and replaced with call to postInstanceRegisterInformation
@Override
public Identity postOSTKInstanceInformation(ResourceContext ctx, OSTKInstanceInformation info) {
    // Issues an X.509 identity for an OSTK instance. In order: the request and
    // payload are validated, the instance document in `info` is verified
    // against the configured host signer's public key, the CSR is parsed and
    // checked against the requested domain/service, a certificate is generated,
    // and a cert record for the instance is persisted before the identity is
    // returned. Every failure path throws one of requestError / notFoundError /
    // serverError; none of them stop the timer started below.
    final String caller = "postostinstanceinformation";
    final String callerTiming = "postostinstanceinformation_timing";
    metric.increment(HTTP_POST);
    logPrincipal(ctx);
    if (LOGGER.isDebugEnabled()) {
        // NOTE(review): this logs the whole request object via its toString();
        // whether that includes the instance document and CSR depends on
        // OSTKInstanceInformation.toString() — confirm before relying on debug
        // logs in shared environments.
        LOGGER.debug("postOSTKInstanceInformation: " + info);
    }
    validateRequest(ctx.request(), caller);
    // domain/service are read before validate(info, ...) runs; presumably
    // validate() is what rejects a missing domain or service — confirm.
    String domain = info.getDomain();
    String service = info.getService();
    // Timer and per-domain counters are started before payload validation, so
    // rejected requests are still counted.
    Object timerMetric = metric.startTiming(callerTiming, domain);
    metric.increment(HTTP_REQUEST, domain);
    metric.increment(caller, domain);
    validate(info, TYPE_OSTK_INSTANCE_INFO, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    // NOTE(review): the no-arg toLowerCase() uses the JVM default locale —
    // confirm this matches how the other handlers normalise names.
    domain = domain.toLowerCase();
    service = service.toLowerCase();
    // The certificate CN is always "<domain>.<service>" of the requesting service.
    final String cn = domain + "." + service;
    if (ostkHostSignerDomain == null) {
        throw serverError("postOSTKInstanceInformation: Host Signer not configured", caller, domain);
    }
    // Fetch the public key of ostk host signer service
    DataCache data = dataStore.getDataCache(ostkHostSignerDomain);
    if (data == null) {
        throw notFoundError("postOSTKInstanceInformation: No such domain: " + ostkHostSignerDomain, caller, domain);
    }
    // The key id is taken from the (validated) request and looked up only under
    // the configured host-signer domain/service, not under the caller's domain.
    String keyId = info.getKeyId();
    String publicKey = dataStore.getPublicKey(ostkHostSignerDomain, ostkHostSignerService, keyId);
    if (publicKey == null) {
        throw notFoundError("postOSTKInstanceInformation: No publicKey for service: " + ostkHostSignerService + " with key id: " + keyId, caller, domain);
    }
    // The instance document must verify against the host signer's key before
    // anything is done with the CSR.
    if (!cloudStore.verifyInstanceDocument(info, publicKey)) {
        throw requestError("postOSTKInstanceInformation: unable to validate instance document", caller, domain);
    }
    // validate the CSR
    PKCS10CertificationRequest certReq = Crypto.getPKCS10CertRequest(info.getCsr());
    if (certReq == null) {
        throw requestError("postOSTKInstanceInformation: unable to parse PKCS10 certificate request", caller, domain);
    }
    // CSR subject/SANs are checked against the normalised domain and service.
    if (!ZTSUtils.verifyCertificateRequest(certReq, domain, service, null)) {
        throw requestError("postOSTKInstanceInformation: unable to verify certificate request, invalid csr", caller, domain);
    }
    // The instance id comes from the CSR itself and is required for the cert record.
    final String instanceId = ZTSUtils.extractCertReqInstanceId(certReq);
    if (instanceId == null) {
        throw requestError("postOSTKInstanceInformation: unable to extract instance id", caller, domain);
    }
    // generate certificate for the instance
    // The original CSR string from the request is handed to the signer, not the
    // parsed certReq object.
    Identity identity = ZTSUtils.generateIdentity(certSigner, info.getCsr(), cn, null, 0);
    if (identity == null) {
        throw requestError("postOSTKInstanceInformation: unable to generate identity", caller, domain);
    }
    // need to update our cert record with new certificate details
    X509CertRecord x509CertRecord = new X509CertRecord();
    x509CertRecord.setService(cn);
    x509CertRecord.setProvider("ostk");
    x509CertRecord.setInstanceId(instanceId);
    // Re-parse the freshly issued certificate to record its serial number.
    X509Certificate newCert = Crypto.loadX509Certificate(identity.getCertificate());
    x509CertRecord.setCurrentSerial(newCert.getSerialNumber().toString());
    x509CertRecord.setCurrentIP(ServletRequestUtil.getRemoteAddress(ctx.request()));
    x509CertRecord.setCurrentTime(new Date());
    // prev* mirror current* — presumably because this is the instance's initial
    // record and there is no earlier certificate to refer to.
    x509CertRecord.setPrevSerial(x509CertRecord.getCurrentSerial());
    x509CertRecord.setPrevIP(x509CertRecord.getCurrentIP());
    x509CertRecord.setPrevTime(x509CertRecord.getCurrentTime());
    // A certificate has already been issued at this point; if the record cannot
    // be stored the caller gets a server error rather than the identity.
    if (!instanceCertManager.insertX509CertRecord(x509CertRecord)) {
        throw serverError("postOSTKInstanceInformation: unable to update cert db", caller, domain);
    }
    // Only the success path stops the timer.
    metric.stopTiming(timerMetric);
    return identity;
}

Example 39 with PKCS10CertificationRequest

use of org.bouncycastle.pkcs.PKCS10CertificationRequest in project athenz by yahoo.

the class X509CertRequestTest method testComparePublicKeysCertCSRFailure.

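@Test
public void testComparePublicKeysCertCSRFailure() throws IOException {
    // comparePublicKeys must return false when the CSR exposes no
    // SubjectPublicKeyInfo at all.
    Path csrPath = Paths.get("src/test/resources/valid_provider_refresh.csr");
    // Fixtures are PEM text; decode them explicitly as UTF-8 rather than with
    // the platform default charset.
    String csr = new String(Files.readAllBytes(csrPath), java.nio.charset.StandardCharsets.UTF_8);
    X509CertRequest certReq = new X509CertRequest(csr);
    assertNotNull(certReq);

    // Replace the parsed request with a mock whose public key info is null.
    PKCS10CertificationRequest req = Mockito.mock(PKCS10CertificationRequest.class);
    Mockito.when(req.getSubjectPublicKeyInfo()).thenReturn(null);
    certReq.setCertReq(req);

    Path certPath = Paths.get("src/test/resources/valid_provider_refresh.pem");
    String pem = new String(Files.readAllBytes(certPath), java.nio.charset.StandardCharsets.UTF_8);
    X509Certificate cert = Crypto.loadX509Certificate(pem);
    assertFalse(certReq.comparePublicKeys(cert));
}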

Example 40 with PKCS10CertificationRequest

use of org.bouncycastle.pkcs.PKCS10CertificationRequest in project athenz by yahoo.

the class ZTSImplTest method testValidateRoleCertificateRequestMismatchRole.

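@Test
public void testValidateRoleCertificateRequestMismatchRole() throws IOException {
    // A role certificate request whose CSR does not match the requested role
    // ("writer") must be rejected.
    Path csrPath = Paths.get("src/test/resources/valid_email.csr");
    // Fixture is PEM text; decode explicitly as UTF-8 instead of relying on
    // the platform default charset.
    String csr = new String(Files.readAllBytes(csrPath), java.nio.charset.StandardCharsets.UTF_8);
    PKCS10CertificationRequest certReq = Crypto.getPKCS10CertRequest(csr);

    Set<String> roles = new HashSet<>();
    roles.add("writer");
    assertFalse(zts.validateRoleCertificateRequest(certReq, "sports", roles, "sports.scores"));
}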
