use of org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto in project X-Road by nordic-institute.
Class CertificateAuthorityServiceTest, method getIntermediateCertificateAuthorities.
@Test
public void getIntermediateCertificateAuthorities() throws Exception {
    // includeIntermediateCas = true: four approved CAs are expected from the mocked configuration
    List<ApprovedCaDto> cas = certificateAuthorityService.getCertificateAuthorities(null, true);
    assertEquals(4, cas.size());

    // index 2: the top CA of the mocked chain
    ApprovedCaDto top = cas.get(2);
    assertEquals("mock-top-ca", top.getName());
    assertTrue(top.isTopCa());
    assertFalse(top.isAuthenticationOnly());
    // a top CA reports itself as issuer, so the DN path is a single element
    assertEquals(MOCK_TOP_CA_SUBJECT_DN, top.getSubjectDistinguishedName());
    assertEquals(MOCK_TOP_CA_SUBJECT_DN, top.getIssuerDistinguishedName());
    assertEquals(Collections.singletonList(MOCK_TOP_CA_SUBJECT_DN), top.getSubjectDnPath());
    assertEquals("good", top.getOcspResponse());
    assertEquals(OffsetDateTime.parse("2039-06-09T06:11:31Z"), top.getNotAfter());

    // index 3: the intermediate CA issued by the top CA above
    ApprovedCaDto intermediate = cas.get(3);
    assertEquals("mock-intermediate-ca", intermediate.getName());
    assertFalse(intermediate.isTopCa());
    assertFalse(intermediate.isAuthenticationOnly());
    // issuer is the top CA, so the DN path walks top CA -> intermediate CA
    assertEquals(MOCK_INTERMEDIATE_CA_SUBJECT_DN, intermediate.getSubjectDistinguishedName());
    assertEquals(MOCK_TOP_CA_SUBJECT_DN, intermediate.getIssuerDistinguishedName());
    assertEquals(Arrays.asList(MOCK_TOP_CA_SUBJECT_DN, MOCK_INTERMEDIATE_CA_SUBJECT_DN),
            intermediate.getSubjectDnPath());
    assertEquals("good", intermediate.getOcspResponse());
    assertEquals(OffsetDateTime.parse("2040-02-28T07:53:49Z"), intermediate.getNotAfter());
}
use of org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto in project X-Road by nordic-institute.
Class CertificateAuthoritiesApiControllerTest, method setUp.
@Before
public void setUp() throws Exception {
    KeyInfo signKey = new TokenTestUtils.KeyInfoBuilder()
            .id(GOOD_SIGN_KEY_ID)
            .keyUsageInfo(KeyUsageInfo.SIGNING)
            .build();
    KeyInfo authKey = new TokenTestUtils.KeyInfoBuilder()
            .id(GOOD_AUTH_KEY_ID)
            .keyUsageInfo(KeyUsageInfo.AUTHENTICATION)
            .build();

    // keyService.getKey(id): the two known ids resolve, anything else is "not found"
    doAnswer(invocation -> {
        String requestedKeyId = (String) invocation.getArguments()[0];
        if (requestedKeyId.equals(GOOD_AUTH_KEY_ID)) {
            return authKey;
        }
        if (requestedKeyId.equals(GOOD_SIGN_KEY_ID)) {
            return signKey;
        }
        throw new KeyNotFoundException("foo");
    }).when(keyService).getKey(any());

    // a single general-purpose (not authentication-only) approved CA
    List<ApprovedCaDto> approvedCas = new ArrayList<>();
    approvedCas.add(ApprovedCaDto.builder()
            .name(GENERAL_PURPOSE_CA_NAME)
            .authenticationOnly(false)
            .build());
    // NOTE(review): only the single-argument overload is stubbed here; confirm the controller
    // under test calls that overload rather than a two-argument variant
    when(certificateAuthorityService.getCertificateAuthorities(any())).thenReturn(approvedCas);

    // a certificate profile with no subject fields, no subject DN and no field validation
    CertificateProfileInfo emptyProfile = new CertificateProfileInfo() {
        @Override
        public DnFieldDescription[] getSubjectFields() {
            return new DnFieldDescription[0];
        }

        @Override
        public X500Principal createSubjectDn(DnFieldValue[] values) {
            return null;
        }

        @Override
        public void validateSubjectField(DnFieldValue field) throws Exception {
            // every field is accepted
        }
    };
    when(certificateAuthorityService.getCertificateProfile(any(), any(), any(), anyBoolean()))
            .thenReturn(emptyProfile);
}
use of org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto in project X-Road by nordic-institute.
Class CertificateAuthoritiesApiController, method getApprovedCertificateAuthorities.
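/**
 * Lists the approved certificate authorities.
 * Currently returns partial CertificateAuthority objects that have only
 * name and authentication_only properties set.
 * Other properties will be added in another ticket (system parameters).
 * @param keyUsageType restrict the listing to CAs usable for this key usage; null lists all
 * @param includeIntermediateCas true to include intermediate CAs in addition to top CAs;
 *                               null is treated as false
 * @return 200 OK with the set of approved CAs
 * @throws InternalServerErrorException if the service cannot read the CA data consistently
 */
@Override
@PreAuthorize("hasAuthority('VIEW_APPROVED_CERTIFICATE_AUTHORITIES')" + " or (hasAuthority('GENERATE_AUTH_CERT_REQ') and " + " (#keyUsageType == T(org.niis.xroad.securityserver.restapi.openapi.model.KeyUsageType).AUTHENTICATION" + " or #keyUsageType == null))" + "or (hasAuthority('GENERATE_SIGN_CERT_REQ') and " + "#keyUsageType == T(org.niis.xroad.securityserver.restapi.openapi.model.KeyUsageType).SIGNING)")
public ResponseEntity<Set<CertificateAuthority>> getApprovedCertificateAuthorities(KeyUsageType keyUsageType,
        Boolean includeIntermediateCas) {
    KeyUsageInfo keyUsageInfo = KeyUsageTypeMapping.map(keyUsageType).orElse(null);
    // the service takes a primitive boolean; guard against an absent query parameter
    // auto-unboxing null into a NullPointerException (the generated API interface may
    // already default it, but this keeps the controller safe either way)
    boolean withIntermediates = Boolean.TRUE.equals(includeIntermediateCas);
    Collection<ApprovedCaDto> caDtos;
    try {
        caDtos = certificateAuthorityService.getCertificateAuthorities(keyUsageInfo, withIntermediates);
    } catch (CertificateAuthorityService.InconsistentCaDataException e) {
        // inconsistent CA/OCSP data is a server-side problem, map it to HTTP 500
        throw new InternalServerErrorException(e);
    }
    Set<CertificateAuthority> cas = certificateAuthorityConverter.convert(caDtos);
    return new ResponseEntity<>(cas, HttpStatus.OK);
}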
use of org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto in project X-Road by nordic-institute.
Class CertificateAuthorityServiceTest, method getCertificateAuthorities.
@Test
public void getCertificateAuthorities() throws Exception {
    // no key usage filter: every approved CA is listed
    List<ApprovedCaDto> all = certificateAuthorityService.getCertificateAuthorities(null);
    assertEquals(3, all.size());

    // SIGNING drops the authentication-only CA
    List<ApprovedCaDto> forSigning = certificateAuthorityService.getCertificateAuthorities(KeyUsageInfo.SIGNING);
    assertEquals(2, forSigning.size());
    ApprovedCaDto signingCa = forSigning.get(0);
    assertEquals("fi-not-auth-only", signingCa.getName());
    assertFalse(signingCa.isAuthenticationOnly());
    assertTrue(signingCa.isTopCa());
    // self-issued: issuer, subject and the single-element DN path all match
    assertEquals("CN=N/A", signingCa.getSubjectDistinguishedName());
    assertEquals("CN=N/A", signingCa.getIssuerDistinguishedName());
    assertEquals(Collections.singletonList("CN=N/A"), signingCa.getSubjectDnPath());
    assertEquals("good", signingCa.getOcspResponse());
    assertEquals(OffsetDateTime.parse("2038-01-01T00:00Z"), signingCa.getNotAfter());

    // AUTHENTICATION keeps all three, including the authentication-only CA
    List<ApprovedCaDto> forAuth = certificateAuthorityService.getCertificateAuthorities(KeyUsageInfo.AUTHENTICATION);
    assertEquals(3, forAuth.size());
    ApprovedCaDto authOnlyCa = forAuth.get(1);
    assertEquals("est-auth-only", authOnlyCa.getName());
    assertTrue(authOnlyCa.isAuthenticationOnly());
    assertTrue(authOnlyCa.isTopCa());
    assertEquals(MOCK_AUTH_CERT_SUBJECT, authOnlyCa.getSubjectDistinguishedName());
    assertEquals(MOCK_AUTH_CERT_ISSUER, authOnlyCa.getIssuerDistinguishedName());
    assertEquals(Collections.singletonList(MOCK_AUTH_CERT_SUBJECT), authOnlyCa.getSubjectDnPath());
    assertEquals("not available", authOnlyCa.getOcspResponse());
    assertEquals(OffsetDateTime.parse("2039-11-23T09:20:27Z"), authOnlyCa.getNotAfter());

    // with the cache evicted and no CA certs configured, both listings are empty
    evictCache();
    when(globalConfFacade.getAllCaCerts(any())).thenReturn(new ArrayList<>());
    when(signerProxyFacade.getOcspResponses(any())).thenReturn(new String[] {});
    assertEquals(0, certificateAuthorityService.getCertificateAuthorities(KeyUsageInfo.SIGNING).size());
    assertEquals(0, certificateAuthorityService.getCertificateAuthorities(null).size());
}
use of org.niis.xroad.securityserver.restapi.dto.ApprovedCaDto in project X-Road by nordic-institute.
Class CertificateAuthorityService, method getCertificateAuthorities.
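/**
 * Return approved certificate authorities
 * @param keyUsageInfo list CAs for this type of key usage. If null, list all.
 * @param includeIntermediateCas true = also include intermediate CAs.
 * false = only include top CAs
 * @throws InconsistentCaDataException if required CA data could not be extracted, for example due to OCSP
 * responses not being valid, or because two approved CA certificates share a subject DN
 * @return list of approved CAs
 */
@Cacheable(GET_CERTIFICATE_AUTHORITIES_CACHE)
public List<ApprovedCaDto> getCertificateAuthorities(KeyUsageInfo keyUsageInfo, boolean includeIntermediateCas)
        throws InconsistentCaDataException {
    // NOTE: the result, including the OCSP status carried in each dto, is served from the
    // cache until it is evicted, so it is only as fresh as the cache
    log.debug("getCertificateAuthorities");
    List<X509Certificate> caCerts = new ArrayList<>(globalConfService.getAllCaCertsForThisInstance());

    // map of each subject - issuer DN pair for easy lookups.
    // Collectors.toMap throws IllegalStateException on duplicate keys; two approved CA certs with
    // the same subject DN (e.g. a renewed CA) must surface as the documented checked exception
    // instead of an undeclared runtime failure that callers do not handle.
    Map<String, String> subjectsToIssuers;
    try {
        subjectsToIssuers = caCerts.stream()
                .collect(Collectors.toMap(
                        x509 -> x509.getSubjectDN().getName(),
                        x509 -> x509.getIssuerDN().getName()));
    } catch (IllegalStateException e) {
        throw new InconsistentCaDataException("approved CA certificates contain duplicate subject DNs", e);
    }

    // OCSP responses are fetched only for certs whose issuer DN is itself an approved CA subject.
    // A self-signed top CA has issuer DN == its own subject DN, so it is included as well; certs
    // issued by a CA outside the approved set get no OCSP response (null below).
    List<X509Certificate> filteredCerts = caCerts.stream()
            .filter(cert -> subjectsToIssuers.containsKey(cert.getIssuerDN().getName()))
            .collect(Collectors.toList());

    String[] base64EncodedOcspResponses;
    try {
        String[] certHashes = CertUtils.getCertHashes(new ArrayList<>(filteredCerts));
        base64EncodedOcspResponses = signerProxyFacade.getOcspResponses(certHashes);
    } catch (Exception e) {
        throw new InconsistentCaDataException("failed to read CA OCSP responses", e);
    }
    // responses are matched to certs by position, so the counts must agree
    if (filteredCerts.size() != base64EncodedOcspResponses.length) {
        throw new InconsistentCaDataException(String.format(
                "ocsp responses do not match ca certs %d vs %d",
                filteredCerts.size(), base64EncodedOcspResponses.length));
    }

    // build dtos (indexOf is fine here: the approved CA set is small)
    List<ApprovedCaDto> dtos = new ArrayList<>(caCerts.size());
    for (X509Certificate cert : caCerts) {
        int idx = filteredCerts.indexOf(cert);
        String ocspResponse = (idx != -1) ? base64EncodedOcspResponses[idx] : null;
        dtos.add(buildCertificateAuthorityDto(cert, ocspResponse, subjectsToIssuers));
    }

    if (keyUsageInfo == KeyUsageInfo.SIGNING) {
        // remove "authentication only" CAs; a null flag counts as "not authentication only"
        dtos = dtos.stream()
                .filter(dto -> !Boolean.TRUE.equals(dto.isAuthenticationOnly()))
                .collect(Collectors.toList());
    }
    if (!includeIntermediateCas) {
        // remove intermediate CAs
        dtos = dtos.stream()
                .filter(dto -> dto.isTopCa())
                .collect(Collectors.toList());
    }
    return dtos;
}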