Example 1 with ApprovedCaDto

use of org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto in project X-Road by nordic-institute.

Class CertificateAuthorityServiceTest, method getIntermediateCertificateAuthorities:

@Test
public void getIntermediateCertificateAuthorities() throws Exception {
    // null key usage = no filtering by key usage; true = include intermediate CAs as well
    List<ApprovedCaDto> caDtos = certificateAuthorityService.getCertificateAuthorities(null, true);
    assertEquals(4, caDtos.size());
    // the mock top CA and its intermediate CA are the last two entries
    ApprovedCaDto topCa = caDtos.get(2);
    assertEquals("mock-top-ca", topCa.getName());
    assertFalse(topCa.isAuthenticationOnly());
    assertEquals(MOCK_TOP_CA_SUBJECT_DN, topCa.getIssuerDistinguishedName());
    assertEquals(MOCK_TOP_CA_SUBJECT_DN, topCa.getSubjectDistinguishedName());
    assertEquals(Collections.singletonList(MOCK_TOP_CA_SUBJECT_DN), topCa.getSubjectDnPath());
    assertTrue(topCa.isTopCa());
    assertEquals("good", topCa.getOcspResponse());
    assertEquals(OffsetDateTime.parse("2039-06-09T06:11:31Z"), topCa.getNotAfter());
    // the intermediate CA is issued by the top CA, so its subject DN path has two elements
    ApprovedCaDto intermediateCa = caDtos.get(3);
    assertEquals("mock-intermediate-ca", intermediateCa.getName());
    assertFalse(intermediateCa.isAuthenticationOnly());
    assertEquals(MOCK_TOP_CA_SUBJECT_DN, intermediateCa.getIssuerDistinguishedName());
    assertEquals(MOCK_INTERMEDIATE_CA_SUBJECT_DN, intermediateCa.getSubjectDistinguishedName());
    assertEquals(Arrays.asList(MOCK_TOP_CA_SUBJECT_DN, MOCK_INTERMEDIATE_CA_SUBJECT_DN), intermediateCa.getSubjectDnPath());
    assertFalse(intermediateCa.isTopCa());
    assertEquals("good", intermediateCa.getOcspResponse());
    assertEquals(OffsetDateTime.parse("2040-02-28T07:53:49Z"), intermediateCa.getNotAfter());
}
Also used : ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto) Test(org.junit.Test)

Example 2 with ApprovedCaDto

Class CertificateAuthoritiesApiControllerTest, method setUp:

@Before
public void setUp() throws Exception {
    KeyInfo signKeyInfo = new TokenTestUtils.KeyInfoBuilder().id(GOOD_SIGN_KEY_ID).keyUsageInfo(KeyUsageInfo.SIGNING).build();
    KeyInfo authKeyInfo = new TokenTestUtils.KeyInfoBuilder().id(GOOD_AUTH_KEY_ID).keyUsageInfo(KeyUsageInfo.AUTHENTICATION).build();
    // keyService.getKey(id): return the matching KeyInfo, or KeyNotFoundException for any other id
    doAnswer(invocation -> {
        Object[] args = invocation.getArguments();
        String keyId = (String) args[0];
        if (keyId.equals(GOOD_AUTH_KEY_ID)) {
            return authKeyInfo;
        } else if (keyId.equals(GOOD_SIGN_KEY_ID)) {
            return signKeyInfo;
        } else {
            throw new KeyNotFoundException("foo");
        }
    }).when(keyService).getKey(any());
    // a single general-purpose (not authentication-only) approved CA
    List<ApprovedCaDto> approvedCAInfos = new ArrayList<>();
    approvedCAInfos.add(ApprovedCaDto.builder().name(GENERAL_PURPOSE_CA_NAME).authenticationOnly(false).build());
    when(certificateAuthorityService.getCertificateAuthorities(any())).thenReturn(approvedCAInfos);
    when(certificateAuthorityService.getCertificateProfile(any(), any(), any(), anyBoolean())).thenReturn(new CertificateProfileInfo() {

        @Override
        public DnFieldDescription[] getSubjectFields() {
            return new DnFieldDescription[0];
        }

        @Override
        public X500Principal createSubjectDn(DnFieldValue[] values) {
            return null;
        }

        @Override
        public void validateSubjectField(DnFieldValue field) throws Exception {
        }
    });
}
Also used : DnFieldValue(ee.ria.xroad.common.certificateprofile.DnFieldValue) ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto) ArrayList(java.util.ArrayList) TokenTestUtils(org.niis.xroad.securityserver.restapi.util.TokenTestUtils) CertificateProfileInfo(ee.ria.xroad.common.certificateprofile.CertificateProfileInfo) AccessDeniedException(org.springframework.security.access.AccessDeniedException) KeyNotFoundException(org.niis.xroad.securityserver.restapi.service.KeyNotFoundException) KeyInfo(ee.ria.xroad.signer.protocol.dto.KeyInfo) X500Principal(javax.security.auth.x500.X500Principal) Before(org.junit.Before)

Example 3 with ApprovedCaDto

Class CertificateAuthoritiesApiController, method getApprovedCertificateAuthorities:

/**
 * Currently returns partial CertificateAuthority objects that have only
 * name and authentication_only properties set.
 * Other properties will be added in another ticket (system parameters).
 *
 * Authorization (see the PreAuthorize expression): VIEW_APPROVED_CERTIFICATE_AUTHORITIES
 * may list CAs for any key usage; GENERATE_AUTH_CERT_REQ may list CAs when keyUsageType is
 * AUTHENTICATION or not given; GENERATE_SIGN_CERT_REQ may list CAs only when keyUsageType is SIGNING.
 * @param keyUsageType key usage to list CAs for; null lists all
 * @param includeIntermediateCas true = also include intermediate CAs
 * @return approved certificate authorities
 */
@Override
@PreAuthorize("hasAuthority('VIEW_APPROVED_CERTIFICATE_AUTHORITIES')"
        + " or (hasAuthority('GENERATE_AUTH_CERT_REQ') and"
        + " (#keyUsageType == T(org.niis.xroad.securityserver.restapi.openapi.model.KeyUsageType).AUTHENTICATION"
        + " or #keyUsageType == null))"
        + " or (hasAuthority('GENERATE_SIGN_CERT_REQ') and"
        + " #keyUsageType == T(org.niis.xroad.securityserver.restapi.openapi.model.KeyUsageType).SIGNING)")
public ResponseEntity<Set<CertificateAuthority>> getApprovedCertificateAuthorities(KeyUsageType keyUsageType,
        Boolean includeIntermediateCas) {
    KeyUsageInfo keyUsageInfo = KeyUsageTypeMapping.map(keyUsageType).orElse(null);
    Collection<ApprovedCaDto> caDtos = null;
    try {
        caDtos = certificateAuthorityService.getCertificateAuthorities(keyUsageInfo, includeIntermediateCas);
    } catch (CertificateAuthorityService.InconsistentCaDataException e) {
        throw new InternalServerErrorException(e);
    }
    Set<CertificateAuthority> cas = certificateAuthorityConverter.convert(caDtos);
    return new ResponseEntity<>(cas, HttpStatus.OK);
}
Also used : ResponseEntity(org.springframework.http.ResponseEntity) ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto) CertificateAuthority(org.niis.xroad.securityserver.restapi.openapi.model.CertificateAuthority) CertificateAuthorityService(org.niis.xroad.securityserver.restapi.service.CertificateAuthorityService) KeyUsageInfo(ee.ria.xroad.signer.protocol.dto.KeyUsageInfo) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)

Example 4 with ApprovedCaDto

Class CertificateAuthorityServiceTest, method getCertificateAuthorities:

@Test
public void getCertificateAuthorities() throws Exception {
    List<ApprovedCaDto> caDtos = certificateAuthorityService.getCertificateAuthorities(null);
    assertEquals(3, caDtos.size());
    caDtos = certificateAuthorityService.getCertificateAuthorities(KeyUsageInfo.SIGNING);
    assertEquals(2, caDtos.size());
    ApprovedCaDto ca = caDtos.get(0);
    assertEquals("fi-not-auth-only", ca.getName());
    assertFalse(ca.isAuthenticationOnly());
    assertEquals("CN=N/A", ca.getIssuerDistinguishedName());
    assertEquals("CN=N/A", ca.getSubjectDistinguishedName());
    assertEquals(Collections.singletonList("CN=N/A"), ca.getSubjectDnPath());
    assertTrue(ca.isTopCa());
    assertEquals("good", ca.getOcspResponse());
    assertEquals(OffsetDateTime.parse("2038-01-01T00:00Z"), ca.getNotAfter());
    caDtos = certificateAuthorityService.getCertificateAuthorities(KeyUsageInfo.AUTHENTICATION);
    assertEquals(3, caDtos.size());
    ApprovedCaDto ca2 = caDtos.get(1);
    assertEquals("est-auth-only", ca2.getName());
    assertTrue(ca2.isAuthenticationOnly());
    assertEquals(MOCK_AUTH_CERT_ISSUER, ca2.getIssuerDistinguishedName());
    assertEquals(MOCK_AUTH_CERT_SUBJECT, ca2.getSubjectDistinguishedName());
    assertEquals(Collections.singletonList(MOCK_AUTH_CERT_SUBJECT), ca2.getSubjectDnPath());
    assertTrue(ca2.isTopCa());
    assertEquals("not available", ca2.getOcspResponse());
    assertEquals(OffsetDateTime.parse("2039-11-23T09:20:27Z"), ca2.getNotAfter());
    // the listing is cached; evict before changing the mocked global configuration
    evictCache();
    // with no approved CA certs and no OCSP responses, every listing is empty
    when(globalConfFacade.getAllCaCerts(any())).thenReturn(new ArrayList<>());
    when(signerProxyFacade.getOcspResponses(any())).thenReturn(new String[] {});
    assertEquals(0, certificateAuthorityService.getCertificateAuthorities(KeyUsageInfo.SIGNING).size());
    assertEquals(0, certificateAuthorityService.getCertificateAuthorities(null).size());
}
Also used : ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto) Test(org.junit.Test)

Example 5 with ApprovedCaDto

Class CertificateAuthorityService, method getCertificateAuthorities:

/**
 * Return approved certificate authorities
 * @param keyUsageInfo list CAs for this type of key usage. If null, list all.
 * @param includeIntermediateCas true = also include intermediate CAs.
 *                               false = only include top CAs
 * @throws InconsistentCaDataException if required CA data could not be extracted, for example due to OCSP
 * responses not being valid
 * @return list of approved CAs
 */
@Cacheable(GET_CERTIFICATE_AUTHORITIES_CACHE)
public List<ApprovedCaDto> getCertificateAuthorities(KeyUsageInfo keyUsageInfo, boolean includeIntermediateCas)
        throws InconsistentCaDataException {
    log.debug("getCertificateAuthorities");
    List<X509Certificate> caCerts = new ArrayList<>(globalConfService.getAllCaCertsForThisInstance());
    List<ApprovedCaDto> dtos = new ArrayList<>();
    // subject DN -> issuer DN for every approved CA cert, for easy chain lookups.
    // Note: Collectors.toMap throws IllegalStateException if two approved CA certs share a subject DN.
    Map<String, String> subjectsToIssuers = caCerts.stream()
            .collect(Collectors.toMap(x509 -> x509.getSubjectDN().getName(), x509 -> x509.getIssuerDN().getName()));
    // OCSP responses are fetched only for certs whose issuer DN is itself the subject of an
    // approved CA cert. A self-signed top CA passes this filter too, since its issuer DN is its
    // own subject DN; a CA issued by something outside the approved set does not.
    List<X509Certificate> filteredCerts = caCerts.stream()
            .filter(cert -> subjectsToIssuers.containsKey(cert.getIssuerDN().getName()))
            .collect(Collectors.toList());
    String[] base64EncodedOcspResponses;
    try {
        String[] certHashes = CertUtils.getCertHashes(new ArrayList<>(filteredCerts));
        base64EncodedOcspResponses = signerProxyFacade.getOcspResponses(certHashes);
    } catch (Exception e) {
        throw new InconsistentCaDataException("failed to read CA OCSP responses", e);
    }
    // exactly one response slot is expected per requested cert hash; anything else is inconsistent data
    if (filteredCerts.size() != base64EncodedOcspResponses.length) {
        throw new InconsistentCaDataException(String.format("ocsp responses do not match ca certs %d vs %d",
                filteredCerts.size(), base64EncodedOcspResponses.length));
    }
    // build dtos; certs that were not queried get a null OCSP response
    for (X509Certificate cert : caCerts) {
        int idx = filteredCerts.indexOf(cert);
        dtos.add(buildCertificateAuthorityDto(cert,
                (idx != -1) ? base64EncodedOcspResponses[idx] : null, subjectsToIssuers));
    }
    if (keyUsageInfo == KeyUsageInfo.SIGNING) {
        // "authentication only" CAs cannot be used for sign certificates
        dtos = dtos.stream()
                .filter(dto -> !(Boolean.TRUE.equals(dto.isAuthenticationOnly())))
                .collect(Collectors.toList());
    }
    if (!includeIntermediateCas) {
        // keep only top CAs
        dtos = dtos.stream().filter(dto -> dto.isTopCa()).collect(Collectors.toList());
    }
    return dtos;
}
Also used : X509Certificate(java.security.cert.X509Certificate) ApprovedCAInfo(ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo) CertUtils(ee.ria.xroad.common.util.CertUtils) Cacheable(org.springframework.cache.annotation.Cacheable) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize) RequiredArgsConstructor(lombok.RequiredArgsConstructor) CertificateProfileInfoProvider(ee.ria.xroad.common.certificateprofile.CertificateProfileInfoProvider) ArrayList(java.util.ArrayList) FormatUtils(org.niis.xroad.restapi.util.FormatUtils) SignCertificateProfileInfoParameters(ee.ria.xroad.common.certificateprofile.impl.SignCertificateProfileInfoParameters) KeyUsageInfo(ee.ria.xroad.signer.protocol.dto.KeyUsageInfo) Service(org.springframework.stereotype.Service) Map(java.util.Map) ERROR_CA_CERT_PROCESSING(org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_CA_CERT_PROCESSING) SignerProxyFacade(org.niis.xroad.securityserver.restapi.facade.SignerProxyFacade) CurrentSecurityServerId(org.niis.xroad.securityserver.restapi.cache.CurrentSecurityServerId) CertificateProfileInfo(ee.ria.xroad.common.certificateprofile.CertificateProfileInfo) Collection(java.util.Collection) ErrorDeviation(org.niis.xroad.restapi.exceptions.ErrorDeviation) ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto) OcspUtils(org.niis.xroad.securityserver.restapi.util.OcspUtils) Collectors(java.util.stream.Collectors) Slf4j(lombok.extern.slf4j.Slf4j) List(java.util.List) AuthCertificateProfileInfoParameters(ee.ria.xroad.common.certificateprofile.impl.AuthCertificateProfileInfoParameters) ServiceException(org.niis.xroad.restapi.service.ServiceException) SecurityServerId(ee.ria.xroad.common.identifier.SecurityServerId) GlobalConfFacade(org.niis.xroad.securityserver.restapi.facade.GlobalConfFacade) Optional(java.util.Optional) GetCertificateProfile(ee.ria.xroad.common.certificateprofile.GetCertificateProfile) ClientId(ee.ria.xroad.common.identifier.ClientId) Transactional(org.springframework.transaction.annotation.Transactional)
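The service above derives each CA's isTopCa flag and subjectDnPath inside buildCertificateAuthorityDto, which is not shown on this page, and builds its subject-to-issuer map with Collectors.toMap, which throws on duplicate subject DNs. The following stand-alone Java 17 program is an added illustration, not X-Road code: it models approved CAs as plain subject/issuer DN strings (the CaEntry, ResolvedCa and KeyUsage types and the sample DNs are all constructed for this example), walks the issuer links to produce a path that matches the shape asserted in the tests above (top CA first, the CA itself last), treats a CA as top when it is self-signed or its issuer is not an approved CA, rejects duplicate subject DNs with an explicit message, guards against issuer cycles, and applies the same two filters (key usage, includeIntermediateCas) as the service.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

/** Added example (not X-Road code): resolving approved CA chains from subject/issuer DN pairs. */
public class ApprovedCaChainDemo {

    /** Constructed stand-in for the parts of an approved CA that the tests above exercise. */
    record CaEntry(String name, String subjectDn, String issuerDn, boolean authenticationOnly) {}

    /** Constructed stand-in for the resolved DTO fields. */
    record ResolvedCa(String name, String subjectDn, String issuerDn, boolean authenticationOnly,
                      boolean topCa, List<String> subjectDnPath) {}

    enum KeyUsage { SIGNING, AUTHENTICATION }

    /** subject DN -> issuer DN; fails with a clear message instead of Collectors.toMap's generic duplicate-key error. */
    static Map<String, String> buildSubjectsToIssuers(List<CaEntry> cas) {
        Map<String, String> map = new LinkedHashMap<>();
        for (CaEntry ca : cas) {
            if (map.putIfAbsent(ca.subjectDn(), ca.issuerDn()) != null) {
                throw new IllegalStateException("duplicate approved CA subject DN: " + ca.subjectDn());
            }
        }
        return map;
    }

    /** Walks issuer links upwards until a self-signed cert or an issuer outside the approved set is reached. */
    static List<String> subjectDnPath(String subjectDn, Map<String, String> subjectsToIssuers) {
        List<String> path = new ArrayList<>();
        Set<String> seen = new LinkedHashSet<>();
        String current = subjectDn;
        while (current != null && seen.add(current)) {   // seen.add(...) is false on a cycle, which ends the walk
            path.add(0, current);                          // prepend so the top CA ends up first
            String issuer = subjectsToIssuers.get(current);
            current = (issuer == null || issuer.equals(current)) ? null : issuer;
        }
        return path;
    }

    static List<ResolvedCa> resolve(List<CaEntry> cas, KeyUsage keyUsage, boolean includeIntermediateCas) {
        Map<String, String> subjectsToIssuers = buildSubjectsToIssuers(cas);
        List<ResolvedCa> result = new ArrayList<>();
        for (CaEntry ca : cas) {
            // top CA: self-signed, or issued by a CA that is not in the approved set
            boolean topCa = ca.issuerDn().equals(ca.subjectDn())
                    || !subjectsToIssuers.containsKey(ca.issuerDn());
            result.add(new ResolvedCa(ca.name(), ca.subjectDn(), ca.issuerDn(), ca.authenticationOnly(),
                    topCa, subjectDnPath(ca.subjectDn(), subjectsToIssuers)));
        }
        if (keyUsage == KeyUsage.SIGNING) {
            // authentication-only CAs are not offered for sign certificates
            result = result.stream().filter(c -> !c.authenticationOnly()).collect(Collectors.toList());
        }
        if (!includeIntermediateCas) {
            result = result.stream().filter(ResolvedCa::topCa).collect(Collectors.toList());
        }
        return result;
    }

    public static void main(String[] args) {
        // constructed sample data, shaped like the mock fixtures in the tests above
        List<CaEntry> cas = List.of(
                new CaEntry("mock-top-ca", "CN=Top CA", "CN=Top CA", false),
                new CaEntry("mock-intermediate-ca", "CN=Intermediate CA", "CN=Top CA", false),
                new CaEntry("est-auth-only", "CN=Auth CA", "CN=External Root", true));

        // no key usage filter, intermediates included: all three CAs, with their DN paths
        for (ResolvedCa ca : resolve(cas, null, true)) {
            System.out.printf("%-22s topCa=%-5s path=%s%n", ca.name(), ca.topCa(), ca.subjectDnPath());
        }
        // SIGNING drops the auth-only CA; includeIntermediateCas=false drops the intermediate CA
        System.out.println(resolve(cas, KeyUsage.SIGNING, false).stream()
                .map(ResolvedCa::name).collect(Collectors.toList()));
    }
}
```

The third sample entry is issued by a DN that is not in the approved set, which is why it is reported as a top CA with a single-element path, mirroring the "est-auth-only" assertions in the getCertificateAuthorities test above. Compile and run with `javac ApprovedCaChainDemo.java && java ApprovedCaChainDemo`.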

Aggregations

ApprovedCaDto (org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto)6 CertificateProfileInfo (ee.ria.xroad.common.certificateprofile.CertificateProfileInfo)2 ApprovedCAInfo (ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo)2 KeyUsageInfo (ee.ria.xroad.signer.protocol.dto.KeyUsageInfo)2 ArrayList (java.util.ArrayList)2 Test (org.junit.Test)2 OcspUtils (org.niis.xroad.securityserver.restapi.util.OcspUtils)2 PreAuthorize (org.springframework.security.access.prepost.PreAuthorize)2 CertificateProfileInfoProvider (ee.ria.xroad.common.certificateprofile.CertificateProfileInfoProvider)1 DnFieldValue (ee.ria.xroad.common.certificateprofile.DnFieldValue)1 GetCertificateProfile (ee.ria.xroad.common.certificateprofile.GetCertificateProfile)1 AuthCertificateProfileInfoParameters (ee.ria.xroad.common.certificateprofile.impl.AuthCertificateProfileInfoParameters)1 SignCertificateProfileInfoParameters (ee.ria.xroad.common.certificateprofile.impl.SignCertificateProfileInfoParameters)1 ClientId (ee.ria.xroad.common.identifier.ClientId)1 SecurityServerId (ee.ria.xroad.common.identifier.SecurityServerId)1 CertUtils (ee.ria.xroad.common.util.CertUtils)1 KeyInfo (ee.ria.xroad.signer.protocol.dto.KeyInfo)1 X509Certificate (java.security.cert.X509Certificate)1 Collection (java.util.Collection)1 List (java.util.List)1