Example 1 with ApprovedCaDto
use of org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto in project X-Road by nordic-institute.
the class CertificateAuthorityServiceTest method getIntermediateCertificateAuthorities.
@Test
public void getIntermediateCertificateAuthorities() throws Exception {
List<ApprovedCaDto> caDtos = certificateAuthorityService.getCertificateAuthorities(null, true);
assertEquals(4, caDtos.size());
ApprovedCaDto topCa = caDtos.get(2);
assertEquals("mock-top-ca", topCa.getName());
assertFalse(topCa.isAuthenticationOnly());
assertEquals(MOCK_TOP_CA_SUBJECT_DN, topCa.getIssuerDistinguishedName());
assertEquals(MOCK_TOP_CA_SUBJECT_DN, topCa.getSubjectDistinguishedName());
assertEquals(Collections.singletonList(MOCK_TOP_CA_SUBJECT_DN), topCa.getSubjectDnPath());
assertTrue(topCa.isTopCa());
assertEquals("good", topCa.getOcspResponse());
assertEquals(OffsetDateTime.parse("2039-06-09T06:11:31Z"), topCa.getNotAfter());
ApprovedCaDto intermediateCa = caDtos.get(3);
assertEquals("mock-intermediate-ca", intermediateCa.getName());
assertFalse(intermediateCa.isAuthenticationOnly());
assertEquals(MOCK_TOP_CA_SUBJECT_DN, intermediateCa.getIssuerDistinguishedName());
assertEquals(MOCK_INTERMEDIATE_CA_SUBJECT_DN, intermediateCa.getSubjectDistinguishedName());
assertEquals(Arrays.asList(MOCK_TOP_CA_SUBJECT_DN, MOCK_INTERMEDIATE_CA_SUBJECT_DN), intermediateCa.getSubjectDnPath());
assertFalse(intermediateCa.isTopCa());
assertEquals("good", intermediateCa.getOcspResponse());
assertEquals(OffsetDateTime.parse("2040-02-28T07:53:49Z"), intermediateCa.getNotAfter());
}
Also used :
ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto)
Test(org.junit.Test)
Example 2 with ApprovedCaDto
use of org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto in project X-Road by nordic-institute.
the class CertificateAuthoritiesApiControllerTest method setUp.
@Before
public void setUp() throws Exception {
KeyInfo signKeyInfo = new TokenTestUtils.KeyInfoBuilder().id(GOOD_SIGN_KEY_ID).keyUsageInfo(KeyUsageInfo.SIGNING).build();
KeyInfo authKeyInfo = new TokenTestUtils.KeyInfoBuilder().id(GOOD_AUTH_KEY_ID).keyUsageInfo(KeyUsageInfo.AUTHENTICATION).build();
doAnswer(invocation -> {
Object[] args = invocation.getArguments();
String keyId = (String) args[0];
if (keyId.equals(GOOD_AUTH_KEY_ID)) {
return authKeyInfo;
} else if (keyId.equals(GOOD_SIGN_KEY_ID)) {
return signKeyInfo;
} else {
throw new KeyNotFoundException("foo");
}
}).when(keyService).getKey(any());
List<ApprovedCaDto> approvedCAInfos = new ArrayList<>();
approvedCAInfos.add(ApprovedCaDto.builder().name(GENERAL_PURPOSE_CA_NAME).authenticationOnly(false).build());
when(certificateAuthorityService.getCertificateAuthorities(any())).thenReturn(approvedCAInfos);
when(certificateAuthorityService.getCertificateProfile(any(), any(), any(), anyBoolean())).thenReturn(new CertificateProfileInfo() {
@Override
public DnFieldDescription[] getSubjectFields() {
return new DnFieldDescription[0];
}
@Override
public X500Principal createSubjectDn(DnFieldValue[] values) {
return null;
}
@Override
public void validateSubjectField(DnFieldValue field) throws Exception {
}
});
}
Also used :
DnFieldValue(ee.ria.xroad.common.certificateprofile.DnFieldValue)
ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto)
ArrayList(java.util.ArrayList)
TokenTestUtils(org.niis.xroad.securityserver.restapi.util.TokenTestUtils)
CertificateProfileInfo(ee.ria.xroad.common.certificateprofile.CertificateProfileInfo)
AccessDeniedException(org.springframework.security.access.AccessDeniedException)
KeyNotFoundException(org.niis.xroad.securityserver.restapi.service.KeyNotFoundException)
KeyInfo(ee.ria.xroad.signer.protocol.dto.KeyInfo)
X500Principal(javax.security.auth.x500.X500Principal)
KeyNotFoundException(org.niis.xroad.securityserver.restapi.service.KeyNotFoundException)
Before(org.junit.Before)
Example 3 with ApprovedCaDto
use of org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto in project X-Road by nordic-institute.
the class CertificateAuthoritiesApiController method getApprovedCertificateAuthorities.
/**
* Currently returns partial CertificateAuthority objects that have only
* name and authentication_only properties set.
* Other properties will be added in another ticket (system parameters).
* @return
*/
@Override
@PreAuthorize("hasAuthority('VIEW_APPROVED_CERTIFICATE_AUTHORITIES')" + " or (hasAuthority('GENERATE_AUTH_CERT_REQ') and " + " (#keyUsageType == T(org.niis.xroad.securityserver.restapi.openapi.model.KeyUsageType).AUTHENTICATION" + " or #keyUsageType == null))" + "or (hasAuthority('GENERATE_SIGN_CERT_REQ') and " + "#keyUsageType == T(org.niis.xroad.securityserver.restapi.openapi.model.KeyUsageType).SIGNING)")
public ResponseEntity<Set<CertificateAuthority>> getApprovedCertificateAuthorities(KeyUsageType keyUsageType, Boolean includeIntermediateCas) {
KeyUsageInfo keyUsageInfo = KeyUsageTypeMapping.map(keyUsageType).orElse(null);
Collection<ApprovedCaDto> caDtos = null;
try {
caDtos = certificateAuthorityService.getCertificateAuthorities(keyUsageInfo, includeIntermediateCas);
} catch (CertificateAuthorityService.InconsistentCaDataException e) {
throw new InternalServerErrorException(e);
}
Set<CertificateAuthority> cas = certificateAuthorityConverter.convert(caDtos);
return new ResponseEntity<>(cas, HttpStatus.OK);
}
Also used :
ResponseEntity(org.springframework.http.ResponseEntity)
ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto)
CertificateAuthority(org.niis.xroad.securityserver.restapi.openapi.model.CertificateAuthority)
CertificateAuthorityService(org.niis.xroad.securityserver.restapi.service.CertificateAuthorityService)
KeyUsageInfo(ee.ria.xroad.signer.protocol.dto.KeyUsageInfo)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
Example 4 with ApprovedCaDto
use of org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto in project X-Road by nordic-institute.
the class CertificateAuthorityServiceTest method getCertificateAuthorities.
@Test
public void getCertificateAuthorities() throws Exception {
List<ApprovedCaDto> caDtos = certificateAuthorityService.getCertificateAuthorities(null);
assertEquals(3, caDtos.size());
caDtos = certificateAuthorityService.getCertificateAuthorities(KeyUsageInfo.SIGNING);
assertEquals(2, caDtos.size());
ApprovedCaDto ca = caDtos.get(0);
assertEquals("fi-not-auth-only", ca.getName());
assertFalse(ca.isAuthenticationOnly());
assertEquals("CN=N/A", ca.getIssuerDistinguishedName());
assertEquals("CN=N/A", ca.getSubjectDistinguishedName());
assertEquals(Collections.singletonList("CN=N/A"), ca.getSubjectDnPath());
assertTrue(ca.isTopCa());
assertEquals("good", ca.getOcspResponse());
assertEquals(OffsetDateTime.parse("2038-01-01T00:00Z"), ca.getNotAfter());
caDtos = certificateAuthorityService.getCertificateAuthorities(KeyUsageInfo.AUTHENTICATION);
assertEquals(3, caDtos.size());
ApprovedCaDto ca2 = caDtos.get(1);
assertEquals("est-auth-only", ca2.getName());
assertTrue(ca2.isAuthenticationOnly());
assertEquals(MOCK_AUTH_CERT_ISSUER, ca2.getIssuerDistinguishedName());
assertEquals(MOCK_AUTH_CERT_SUBJECT, ca2.getSubjectDistinguishedName());
assertEquals(Collections.singletonList(MOCK_AUTH_CERT_SUBJECT), ca2.getSubjectDnPath());
assertTrue(ca2.isTopCa());
assertEquals("not available", ca2.getOcspResponse());
assertEquals(OffsetDateTime.parse("2039-11-23T09:20:27Z"), ca2.getNotAfter());
evictCache();
when(globalConfFacade.getAllCaCerts(any())).thenReturn(new ArrayList<>());
when(signerProxyFacade.getOcspResponses(any())).thenReturn(new String[] {});
assertEquals(0, certificateAuthorityService.getCertificateAuthorities(KeyUsageInfo.SIGNING).size());
assertEquals(0, certificateAuthorityService.getCertificateAuthorities(null).size());
}
Also used :
ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto)
Test(org.junit.Test)
Example 5 with ApprovedCaDto
use of org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto in project X-Road by nordic-institute.
the class CertificateAuthorityService method getCertificateAuthorities.
/**
* Return approved certificate authorities
* @param keyUsageInfo list CAs for this type of key usage. If null, list all.
* @param includeIntermediateCas true = also include intermediate CAs.
* false = only include top CAs
* @throws InconsistentCaDataException if required CA data could not be extracted, for example due to OCSP
* responses not being valid
* @return list of approved CAs
*/
@Cacheable(GET_CERTIFICATE_AUTHORITIES_CACHE)
public List<ApprovedCaDto> getCertificateAuthorities(KeyUsageInfo keyUsageInfo, boolean includeIntermediateCas) throws InconsistentCaDataException {
log.debug("getCertificateAuthorities");
List<X509Certificate> caCerts = new ArrayList<>(globalConfService.getAllCaCertsForThisInstance());
List<ApprovedCaDto> dtos = new ArrayList<>();
// map of each subject - issuer DN pair for easy lookups
Map<String, String> subjectsToIssuers = caCerts.stream().collect(Collectors.toMap(x509 -> x509.getSubjectDN().getName(), x509 -> x509.getIssuerDN().getName()));
// we only fetch ocsp responses for intermediate approved CAs
// configured as approved CA and its issuer cert is also an approved CA
List<X509Certificate> filteredCerts = caCerts.stream().filter(cert -> subjectsToIssuers.containsKey(cert.getIssuerDN().getName())).collect(Collectors.toList());
String[] base64EncodedOcspResponses;
try {
String[] certHashes = CertUtils.getCertHashes(new ArrayList<>(filteredCerts));
base64EncodedOcspResponses = signerProxyFacade.getOcspResponses(certHashes);
} catch (Exception e) {
throw new InconsistentCaDataException("failed to get read CA OCSP responses", e);
}
if (filteredCerts.size() != base64EncodedOcspResponses.length) {
throw new InconsistentCaDataException(String.format("ocsp responses do not match ca certs %d vs %d", filteredCerts.size(), base64EncodedOcspResponses.length));
}
// build dtos
for (X509Certificate cert : caCerts) {
int idx = filteredCerts.indexOf(cert);
dtos.add(buildCertificateAuthorityDto(cert, (idx != -1) ? base64EncodedOcspResponses[idx] : null, subjectsToIssuers));
}
if (keyUsageInfo == KeyUsageInfo.SIGNING) {
// remove "authentication only" CAs
dtos = dtos.stream().filter(dto -> !(Boolean.TRUE.equals(dto.isAuthenticationOnly()))).collect(Collectors.toList());
}
if (!includeIntermediateCas) {
// remove intermediate CAs
dtos = dtos.stream().filter(dto -> dto.isTopCa()).collect(Collectors.toList());
}
return dtos;
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
ApprovedCAInfo(ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo)
CertUtils(ee.ria.xroad.common.util.CertUtils)
Cacheable(org.springframework.cache.annotation.Cacheable)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
RequiredArgsConstructor(lombok.RequiredArgsConstructor)
CertificateProfileInfoProvider(ee.ria.xroad.common.certificateprofile.CertificateProfileInfoProvider)
ArrayList(java.util.ArrayList)
FormatUtils(org.niis.xroad.restapi.util.FormatUtils)
SignCertificateProfileInfoParameters(ee.ria.xroad.common.certificateprofile.impl.SignCertificateProfileInfoParameters)
KeyUsageInfo(ee.ria.xroad.signer.protocol.dto.KeyUsageInfo)
Service(org.springframework.stereotype.Service)
Map(java.util.Map)
ERROR_CA_CERT_PROCESSING(org.niis.xroad.restapi.exceptions.DeviationCodes.ERROR_CA_CERT_PROCESSING)
SignerProxyFacade(org.niis.xroad.securityserver.restapi.facade.SignerProxyFacade)
CurrentSecurityServerId(org.niis.xroad.securityserver.restapi.cache.CurrentSecurityServerId)
CertificateProfileInfo(ee.ria.xroad.common.certificateprofile.CertificateProfileInfo)
Collection(java.util.Collection)
ErrorDeviation(org.niis.xroad.restapi.exceptions.ErrorDeviation)
ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto)
OcspUtils(org.niis.xroad.securityserver.restapi.util.OcspUtils)
Collectors(java.util.stream.Collectors)
Slf4j(lombok.extern.slf4j.Slf4j)
List(java.util.List)
AuthCertificateProfileInfoParameters(ee.ria.xroad.common.certificateprofile.impl.AuthCertificateProfileInfoParameters)
ServiceException(org.niis.xroad.restapi.service.ServiceException)
SecurityServerId(ee.ria.xroad.common.identifier.SecurityServerId)
GlobalConfFacade(org.niis.xroad.securityserver.restapi.facade.GlobalConfFacade)
Optional(java.util.Optional)
GetCertificateProfile(ee.ria.xroad.common.certificateprofile.GetCertificateProfile)
ClientId(ee.ria.xroad.common.identifier.ClientId)
Transactional(org.springframework.transaction.annotation.Transactional)
ApprovedCaDto(org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto)
ArrayList(java.util.ArrayList)
X509Certificate(java.security.cert.X509Certificate)
ServiceException(org.niis.xroad.restapi.service.ServiceException)
Cacheable(org.springframework.cache.annotation.Cacheable)
Aggregations
ApprovedCaDto (org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto)6
CertificateProfileInfo (ee.ria.xroad.common.certificateprofile.CertificateProfileInfo)2
ApprovedCAInfo (ee.ria.xroad.common.conf.globalconf.ApprovedCAInfo)2
KeyUsageInfo (ee.ria.xroad.signer.protocol.dto.KeyUsageInfo)2
ArrayList (java.util.ArrayList)2
Test (org.junit.Test)2
OcspUtils (org.niis.xroad.securityserver.restapi.util.OcspUtils)2
PreAuthorize (org.springframework.security.access.prepost.PreAuthorize)2
CertificateProfileInfoProvider (ee.ria.xroad.common.certificateprofile.CertificateProfileInfoProvider)1
DnFieldValue (ee.ria.xroad.common.certificateprofile.DnFieldValue)1
GetCertificateProfile (ee.ria.xroad.common.certificateprofile.GetCertificateProfile)1
AuthCertificateProfileInfoParameters (ee.ria.xroad.common.certificateprofile.impl.AuthCertificateProfileInfoParameters)1
SignCertificateProfileInfoParameters (ee.ria.xroad.common.certificateprofile.impl.SignCertificateProfileInfoParameters)1
ClientId (ee.ria.xroad.common.identifier.ClientId)1
SecurityServerId (ee.ria.xroad.common.identifier.SecurityServerId)1
CertUtils (ee.ria.xroad.common.util.CertUtils)1
KeyInfo (ee.ria.xroad.signer.protocol.dto.KeyInfo)1
X509Certificate (java.security.cert.X509Certificate)1
Collection (java.util.Collection)1
List (java.util.List)1
