33 files changed, 1317 insertions, 164 deletions
diff --git a/certService/docker-compose.yml b/certService/docker-compose.yml index f418fc1b..3b071ace 100644 --- a/certService/docker-compose.yml +++ b/certService/docker-compose.yml @@ -6,10 +6,10 @@ services: hostname: cahostname container_name: mycontainer ports: - - "80:8080" - - "443:8443" + - "80:8080" + - "443:8443" volumes: - - ./src/main/resources/scripts/:/opt/primekey/scripts + - ./src/main/resources/scripts/:/opt/primekey/scripts command: bash -c " ./scripts/ejbca-configuration.sh & /opt/primekey/bin/start.sh @@ -19,6 +19,8 @@ services: interval: 10s timeout: 3s retries: 9 + networks: + - certservice certservice: image: onap/org.onap.aaf.certservice.aaf-certservice-api:latest @@ -30,4 +32,10 @@ services: depends_on: ejbca: condition: service_healthy + networks: + - certservice + +networks: + certservice: + driver: bridge diff --git a/certService/helm/aaf-cert-service/resources/cmpServers.json b/certService/helm/aaf-cert-service/resources/cmpServers.json index ee9e72b9..921a51ea 100644 --- a/certService/helm/aaf-cert-service/resources/cmpServers.json +++ b/certService/helm/aaf-cert-service/resources/cmpServers.json @@ -1,23 +1,23 @@ { "cmpv2Servers": [ { - "caName": "TEST", - "url": "http://127.0.0.1/ejbca/publicweb/cmp/cmp", + "caName": "Client", + "url": "http://mycontainer:8080/ejbca/publicweb/cmp/cmp", "issuerDN": "CN=ManagementCA", "caMode": "CLIENT", "authentication": { - "iak": "xxx", - "rv": "yyy" + "iak": "mypassword", + "rv": "mypassword" } }, { - "caName": "TEST2", - "url": "http://127.0.0.1/ejbca/publicweb/cmp/cmpRA", - "issuerDN": "CN=ManagementCA2", + "caName": "RA", + "url": "http://mycontainer:8080/ejbca/publicweb/cmp/cmpRA", + "issuerDN": "CN=ManagementCA", "caMode": "RA", "authentication": { - "iak": "xxx", - "rv": "yyy" + "iak": "mypassword", + "rv": "mypassword" } } ] 
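Review bot: The cmpServers.json hunk commits the CMP shared secrets in clear, `"iak": "mypassword"` and `"rv": "mypassword"` for both entries, into a Helm chart resource, and points both CAs at a plain `http://mycontainer:8080/...` CMP endpoint. This may be a fixture for the EJBCA container in the same compose file, but a chart resource is what gets rendered into a deployment, so the IAK/RV belong in a Kubernetes Secret referenced by the chart (or at minimum an unmistakable placeholder), and the URL should use the TLS port the compose file already maps (`443:8443`) once the container has a usable certificate. It would also help to record in the chart README that the `RA` entry deliberately shares `CN=ManagementCA` with `Client`, since the old file used a distinct `ManagementCA2` and the change reads like an accident without that note.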
diff --git a/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java b/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java index e663909c..abb6811b 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java +++ b/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java @@ -24,9 +24,13 @@ import com.google.gson.Gson; import org.onap.aaf.certservice.certification.CertificationModelFactory; import org.onap.aaf.certservice.certification.CsrModelFactory; import org.onap.aaf.certservice.certification.CsrModelFactory.StringBase64; +import org.onap.aaf.certservice.certification.configuration.Cmpv2ServerProvider; +import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; import org.onap.aaf.certservice.certification.exception.DecryptionException; import org.onap.aaf.certservice.certification.model.CertificationModel; import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -43,12 +47,10 @@ public class CertificationController { private static final Logger LOGGER = LoggerFactory.getLogger(CertificationController.class); - private final CsrModelFactory csrModelFactory; private final CertificationModelFactory certificationModelFactory; @Autowired - CertificationController(CsrModelFactory csrModelFactory, CertificationModelFactory certificationModelFactory) { - this.csrModelFactory = csrModelFactory; + CertificationController(CertificationModelFactory certificationModelFactory) { this.certificationModelFactory = certificationModelFactory; } 
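Review bot: The import hunk adds `Cmpv2ServerProvider` and `Cmpv2Server` to `CertificationController`, but nothing in the controller uses them after this change, since server lookup now happens inside `CertificationModelFactory`, and the `CsrModelFactory`, `CsrModelFactory.StringBase64` and `CsrModel` imports kept as context are unused too once the parsing call is removed from the endpoint. Drop the five unused imports; `DecryptionException` is still needed by the `throws` clause and `Cmpv2ClientAdapterException`/`CmpClientException` are used by the new signature. The class body continues past this hunk, so a use elsewhere in the file cannot be excluded from here, but the visible code shows none.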
@@ -66,17 +68,11 @@ public class CertificationController { @PathVariable String caName, @RequestHeader("CSR") String encodedCsr, @RequestHeader("PK") String encodedPrivateKey - ) throws DecryptionException { - + ) throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException { caName = caName.replaceAll("[\n|\r|\t]", "_"); LOGGER.info("Received certificate signing request for CA named: {}", caName); - CsrModel csrModel = csrModelFactory.createCsrModel( - new StringBase64(encodedCsr), - new StringBase64(encodedPrivateKey) - ); - LOGGER.debug("Received CSR meta data: \n{}", csrModel); CertificationModel certificationModel = certificationModelFactory - .createCertificationModel(csrModel, caName); + .createCertificationModel(encodedCsr, encodedPrivateKey, caName); return new ResponseEntity<>(new Gson().toJson(certificationModel), HttpStatus.OK); } diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationExceptionController.java b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationExceptionController.java index 130a5167..d649f147 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationExceptionController.java +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationExceptionController.java 
@@ -21,10 +21,12 @@ package org.onap.aaf.certservice.certification; import com.google.gson.Gson; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException; import org.onap.aaf.certservice.certification.exception.CsrDecryptionException; import org.onap.aaf.certservice.certification.exception.ErrorResponseModel; import org.onap.aaf.certservice.certification.exception.KeyDecryptionException; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.http.HttpStatus; 
@@ -40,19 +42,51 @@ public class CertificationExceptionController { @ExceptionHandler(value = CsrDecryptionException.class) public ResponseEntity<String> handle(CsrDecryptionException exception) { LOGGER.error("Exception occurred during decoding certificate sign request:", exception); - return getErrorResponseEntity("Wrong certificate signing request (CSR) format", HttpStatus.BAD_REQUEST); + return getErrorResponseEntity( + "Wrong certificate signing request (CSR) format", + HttpStatus.BAD_REQUEST + ); } @ExceptionHandler(value = KeyDecryptionException.class) public ResponseEntity<String> handle(KeyDecryptionException exception) { LOGGER.error("Exception occurred during decoding key:", exception); - return getErrorResponseEntity("Wrong key (PK) format", HttpStatus.BAD_REQUEST); + return getErrorResponseEntity( + "Wrong key (PK) format", + HttpStatus.BAD_REQUEST + ); } @ExceptionHandler(value = Cmpv2ServerNotFoundException.class) public ResponseEntity<String> handle(Cmpv2ServerNotFoundException exception) { LOGGER.error("Exception occurred selecting CMPv2 server:", exception); - return getErrorResponseEntity("Certification authority not found for given CAName", HttpStatus.NOT_FOUND); + return getErrorResponseEntity( + "Certification authority not found for given CAName", + HttpStatus.NOT_FOUND + ); + } + + @ExceptionHandler(value = CmpClientException.class) + public ResponseEntity<String> handle(CmpClientException exception) { + LOGGER.error("Exception occurred calling cmp client:", exception); + return getErrorResponseEntity( + "Exception occurred during call to cmp client", + HttpStatus.INTERNAL_SERVER_ERROR + ); + } + + @ExceptionHandler(value = RuntimeException.class) + public ResponseEntity<String> handle(RuntimeException exception) throws CmpClientException { + throw new CmpClientException("Runtime exception occurred calling cmp client business logic", exception); + } + + @ExceptionHandler(value = Cmpv2ClientAdapterException.class) + public 
ResponseEntity<String> handle(Cmpv2ClientAdapterException exception) { + LOGGER.error("Exception occurred parsing cmp client response:", exception); + return getErrorResponseEntity( + "Exception occurred parsing cmp client response", + HttpStatus.INTERNAL_SERVER_ERROR + ); } private ResponseEntity<String> getErrorResponseEntity(String errorMessage, HttpStatus status) { diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationModelFactory.java b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationModelFactory.java index 69b83465..1d586c17 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationModelFactory.java +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationModelFactory.java @@ -22,9 +22,12 @@ package org.onap.aaf.certservice.certification; import org.onap.aaf.certservice.certification.configuration.Cmpv2ServerProvider; import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException; +import org.onap.aaf.certservice.certification.exception.DecryptionException; import org.onap.aaf.certservice.certification.model.CertificationModel; import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; 
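Review bot: The new `handle(RuntimeException)` throws a `CmpClientException` from inside an `@ExceptionHandler`, apparently so the `CmpClientException` handler above picks it up, but Spring's `ExceptionHandlerExceptionResolver` does not re-dispatch an exception raised by a handler method to the other handlers: it logs a "Failure in @ExceptionHandler" warning and lets the original `RuntimeException` propagate to the default error handling, so neither the JSON error body nor the `LOGGER.error` line run for this path. Handle it directly: `LOGGER.error("Runtime exception occurred calling cmp client business logic:", exception); return getErrorResponseEntity("Exception occurred during call to cmp client", HttpStatus.INTERNAL_SERVER_ERROR);`. Note also that a `RuntimeException` handler in this advice now intercepts every unchecked exception from every controller in the application, not only the certification endpoint, which deserves at least a Javadoc sentence on the method.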
@@ -42,28 +45,35 @@ public class CertificationModelFactory { private static final Logger LOGGER = LoggerFactory.getLogger(CertificationModelFactory.class); + private final CsrModelFactory csrModelFactory; private final Cmpv2ServerProvider cmpv2ServerProvider; + private final CertificationProvider certificationProvider; @Autowired - CertificationModelFactory(Cmpv2ServerProvider cmpv2ServerProvider) { + CertificationModelFactory( + CsrModelFactory csrModelFactory, + Cmpv2ServerProvider cmpv2ServerProvider, + CertificationProvider certificationProvider + ) { this.cmpv2ServerProvider = cmpv2ServerProvider; + this.csrModelFactory = csrModelFactory; + this.certificationProvider = certificationProvider; } - public CertificationModel createCertificationModel(CsrModel csr, String caName) { - LOGGER.info("Generating certification model for CA named: {}, and certificate signing request:\n{}", - caName, csr); - - return cmpv2ServerProvider - .getCmpv2Server(caName) - .map(this::generateCertificationModel) - .orElseThrow(() -> new Cmpv2ServerNotFoundException("No server found for given CA name")); - } + public CertificationModel createCertificationModel(String encodedCsr, String encodedPrivateKey, String caName) + throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException { + CsrModel csrModel = csrModelFactory.createCsrModel( + new CsrModelFactory.StringBase64(encodedCsr), + new CsrModelFactory.StringBase64(encodedPrivateKey) + ); + LOGGER.debug("Received CSR meta data: \n{}", csrModel); - private CertificationModel generateCertificationModel(Cmpv2Server cmpv2Server) { + Cmpv2Server cmpv2Server = cmpv2ServerProvider.getCmpv2Server(caName); LOGGER.debug("Found server for given CA name: \n{}", cmpv2Server); - return new CertificationModel( - Arrays.asList(ENTITY_CERT, INTERMEDIATE_CERT), - Arrays.asList(CA_CERT, EXTRA_CA_CERT) - ); + + LOGGER.info("Sending sign request for certification model for CA named: {}, and certificate signing request:\n{}", + caName, 
csrModel); + return certificationProvider.signCsr(csrModel, cmpv2Server); } + } diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationProvider.java b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationProvider.java new file mode 100644 index 00000000..fa2d88ab --- /dev/null +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationProvider.java 
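Review bot: `LOGGER.info("Sending sign request ... certificate signing request:\n{}", caName, csrModel)` writes the whole `CsrModel` to the log at INFO, and the same object is the source of the client's private key in `CSRMetaBuilder` (`csrModel.getPrivateKey()`); unless `CsrModel.toString()`, which is not visible here, deliberately omits the key and the raw PEM, this logs a private key on every request, the same class of leak the commit removes from `CsrModelFactory` and `PemObjectFactory`. Log only non-secret data at INFO, e.g. `LOGGER.info("Sending sign request for CA named: {}", caName);`, and keep the `debug` line on `csrModel` only after confirming `toString()` is secret-free. The `Cmpv2ServerNotFoundException` import kept as context in the import hunk appears unused now that `getCmpv2Server` returns the server directly, assuming nothing else in the file references it.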
@@ -0,0 +1,47 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.certification; + +import org.onap.aaf.certservice.certification.adapter.Cmpv2ClientAdapter; +import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; +import org.onap.aaf.certservice.certification.model.CertificationModel; +import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +@Service +public class CertificationProvider { + + private final Cmpv2ClientAdapter cmpv2ClientAdapter; + + @Autowired + public CertificationProvider(Cmpv2ClientAdapter cmpv2ClientAdapter) { + this.cmpv2ClientAdapter = cmpv2ClientAdapter; + } + + CertificationModel signCsr(CsrModel csrModel, Cmpv2Server server) + throws CmpClientException, Cmpv2ClientAdapterException { + return 
cmpv2ClientAdapter.callCmpClient(csrModel, server); + } + +} diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java b/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java index 6f356c1a..501ed6d0 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java @@ -21,6 +21,7 @@ package org.onap.aaf.certservice.certification; import java.util.Base64; +import java.util.Objects; import java.util.Optional; import org.bouncycastle.pkcs.PKCS10CertificationRequest; @@ -82,13 +83,21 @@ public class CsrModelFactory { public Optional<String> asString() { try { String decodedString = new String(decoder.decode(value)); - LOGGER.debug("Decoded string: {}", decodedString); return Optional.of(decodedString); } catch(RuntimeException e) { LOGGER.error("Exception occurred during decoding:", e); return Optional.empty(); } } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + StringBase64 that = (StringBase64) o; + return Objects.equals(value, that.value); + } + } } diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/PemObjectFactory.java b/certService/src/main/java/org/onap/aaf/certservice/certification/PemObjectFactory.java index c2293d2d..1eb5270f 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/certification/PemObjectFactory.java +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/PemObjectFactory.java 
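Review bot: `StringBase64` gains an `equals` override without a matching `hashCode`, so two instances that compare equal can hash differently and misbehave as `HashMap`/`HashSet` members; add `@Override public int hashCode() { return Objects.hashCode(value); }` next to it (`java.util.Objects` is imported in this same hunk). Removing the `LOGGER.debug("Decoded string: {}", ...)` line is the right call, since the decoded value is the PEM private key for the `PK` header. The `StringBase64` class begins outside the hunk, so its other members are not visible here.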
@@ -39,7 +39,6 @@ public class PemObjectFactory { try (StringReader stringReader = new StringReader(pem); PemReader pemReader = new PemReader(stringReader)) { - LOGGER.debug("Creating pem object from: {}", pem); return Optional.ofNullable(pemReader.readPemObject()); } catch (DecoderException | IOException e) { LOGGER.error("Exception occurred during creation of PEM:", e); diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilder.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilder.java new file mode 100644 index 00000000..184d724a --- /dev/null +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilder.java 
@@ -0,0 +1,87 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.certification.adapter; + +import java.security.KeyPair; +import java.util.Arrays; +import java.util.Objects; +import java.util.Optional; +import java.util.stream.Collectors; +import org.bouncycastle.asn1.x500.style.BCStyle; +import org.bouncycastle.asn1.x500.style.IETFUtils; +import org.bouncycastle.cert.CertException; +import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.external.CSRMeta; +import org.onap.aaf.certservice.cmpv2client.external.RDN; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.stereotype.Component; + +@Component +class CSRMetaBuilder { + + private static final Logger LOGGER = LoggerFactory.getLogger(CSRMetaBuilder.class); + + /** + * Creates CSRMeta from CsrModel and Cmpv2Server + * + * @param csrModel Certificate Signing Request from Service external API + * @param 
server Cmp Server configuration from cmpServers.json + * @return AAF native model for CSR metadata + */ + CSRMeta build(CsrModel csrModel, Cmpv2Server server) { + CSRMeta csrMeta = createCsrMeta(csrModel); + addSans(csrModel, csrMeta); + csrMeta.keyPair(new KeyPair(csrModel.getPublicKey(), csrModel.getPrivateKey())); + csrMeta.password(server.getAuthentication().getIak()); + csrMeta.setIssuerName(server.getIssuerDN()); + csrMeta.caUrl(server.getUrl()); + csrMeta.setName(csrModel.getSubjectData()); + csrMeta.senderKid(server.getAuthentication().getRv()); + return csrMeta; + } + + private CSRMeta createCsrMeta(CsrModel csrModel) { + return new CSRMeta((Arrays.stream(csrModel.getSubjectData().getRDNs()).map(this::convertFromBcRDN) + .filter(Optional::isPresent).map(Optional::get).collect(Collectors.toList()))); + } + + private void addSans(CsrModel csrModel, CSRMeta csrMeta) { + csrModel.getSans().forEach(csrMeta::san); + } + + private String convertRDNToString(org.bouncycastle.asn1.x500.RDN rdn) { + return BCStyle.INSTANCE.oidToDisplayName(rdn.getFirst().getType()) + "=" + IETFUtils.valueToString( + rdn.getFirst().getValue()); + } + + private Optional<RDN> convertFromBcRDN(org.bouncycastle.asn1.x500.RDN rdn) { + RDN result = null; + try { + result = new RDN(convertRDNToString(rdn)); + } catch (CertException e) { + LOGGER.error("Exception occurred during convert of RDN", e); + } + return Optional.ofNullable(result); + } + +} diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CertificateFactoryProvider.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CertificateFactoryProvider.java new file mode 100644 index 00000000..79f59363 --- /dev/null +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CertificateFactoryProvider.java 
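Review bot: `convertFromBcRDN` turns an RDN that `new RDN(...)` rejects into `Optional.empty()` and `createCsrMeta` filters those out, so a CSR whose subject contains one component the AAF `RDN` class cannot parse is forwarded to the CA with a shorter subject than the one the client signed, with only an error-level log as evidence. The request should fail instead: replace the `Optional` plumbing with a rethrow, e.g. `throw new IllegalArgumentException("Unsupported RDN in CSR subject: " + rdn, e);`, or declare a checked exception and let `build` propagate it. `rdn.getFirst()` in `convertRDNToString` likewise drops every attribute after the first in a multi-valued RDN, which is another way the subject sent to the CA can silently differ from the CSR; the `build` Javadoc should state what subject forms are supported.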
@@ -0,0 +1,42 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.certification.adapter; + +import java.io.InputStream; +import java.security.NoSuchProviderException; +import java.security.Security; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.springframework.stereotype.Component; + +@Component +public class CertificateFactoryProvider { + + static { + Security.addProvider(new BouncyCastleProvider()); + } + + X509Certificate generateCertificate(InputStream inStream) throws CertificateException, NoSuchProviderException { + return (X509Certificate) CertificateFactory.getInstance("X.509", "BC").generateCertificate(inStream); + } +} 
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java new file mode 100644 index 00000000..be39f1f3 --- /dev/null +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java 
@@ -0,0 +1,120 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.certification.adapter; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.StringWriter; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.List; +import java.util.stream.Collectors; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.X509v3CertificateBuilder; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.bouncycastle.util.io.pem.PemObjectGenerator; +import org.bouncycastle.util.io.pem.PemWriter; +import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; 
+import org.onap.aaf.certservice.certification.model.CertificationModel; +import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.api.CmpClient; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +@Component +public class Cmpv2ClientAdapter { + + private static final Logger LOGGER = LoggerFactory.getLogger(Cmpv2ClientAdapter.class); + + private final CmpClient cmpClient; + private final CSRMetaBuilder csrMetaBuilder; + private final RSAContentSignerBuilder rsaContentSignerBuilder; + private final X509CertificateBuilder x509CertificateBuilder; + private final CertificateFactoryProvider certificateFactoryProvider; + + @Autowired + public Cmpv2ClientAdapter(CmpClient cmpClient, CSRMetaBuilder csrMetaBuilder, + RSAContentSignerBuilder rsaContentSignerBuilder, X509CertificateBuilder x509CertificateBuilder, + CertificateFactoryProvider certificateFactoryProvider) { + this.cmpClient = cmpClient; + this.csrMetaBuilder = csrMetaBuilder; + this.rsaContentSignerBuilder = rsaContentSignerBuilder; + this.x509CertificateBuilder = x509CertificateBuilder; + this.certificateFactoryProvider = certificateFactoryProvider; + } + + /** + * Uses CmpClient to call to Cmp Server and gather certificates data + * + * @param csrModel Certificate Signing Request from Service external API + * @param server Cmp Server configuration from cmpServers.json + * @return container for returned certificates + * @throws CmpClientException Exceptions which comes from Cmp Client + * @throws Cmpv2ClientAdapterException Exceptions which comes from Adapter itself + */ + public CertificationModel callCmpClient(CsrModel csrModel, Cmpv2Server server) + throws CmpClientException, Cmpv2ClientAdapterException { + List<List<X509Certificate>> certificates = 
cmpClient.createCertificate(server.getCaName(), + server.getCaMode().getProfile(), csrMetaBuilder.build(csrModel, server), + convertCSRToX509Certificate(csrModel.getCsr(), csrModel.getPrivateKey())); + return new CertificationModel(convertFromX509CertificateListToPEMList(certificates.get(0)), + convertFromX509CertificateListToPEMList(certificates.get(1))); + } + + private String convertFromX509CertificateToPEM(X509Certificate certificate) { + StringWriter sw = new StringWriter(); + try (PemWriter pw = new PemWriter(sw)) { + PemObjectGenerator gen = new JcaMiscPEMGenerator(certificate); + pw.writeObject(gen); + } catch (IOException e) { + LOGGER.error("Exception occurred during convert of X509 certificate", e); + } + return sw.toString(); + } + + private X509Certificate convertCSRToX509Certificate(PKCS10CertificationRequest csr, PrivateKey privateKey) + throws Cmpv2ClientAdapterException { + try { + X509v3CertificateBuilder certificateGenerator = x509CertificateBuilder.build(csr); + ContentSigner signer = rsaContentSignerBuilder.build(csr, privateKey); + X509CertificateHolder holder = certificateGenerator.build(signer); + return certificateFactoryProvider + .generateCertificate(new ByteArrayInputStream(holder.toASN1Structure().getEncoded())); + } catch (IOException | CertificateException | OperatorCreationException | NoSuchProviderException e) { + throw new Cmpv2ClientAdapterException(e); + } + } + + private List<String> convertFromX509CertificateListToPEMList(List<X509Certificate> certificates) { + return certificates.stream().map(this::convertFromX509CertificateToPEM).filter(cert -> !cert.isEmpty()) + .collect(Collectors.toList()); + } + +} diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RSAContentSignerBuilder.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RSAContentSignerBuilder.java new file mode 100644 index 00000000..266c22e2 --- /dev/null 
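Review bot: `convertFromX509CertificateToPEM` catches the `IOException` from `PemWriter`, logs it and returns `""`, and `convertFromX509CertificateListToPEMList` then filters the empty string away, so a certificate that fails to encode silently vanishes from the chain returned to the caller; it should propagate as `throw new Cmpv2ClientAdapterException(e);`, which is what `convertCSRToX509Certificate` already does for its own encoding errors. `callCmpClient` also indexes `certificates.get(0)` and `certificates.get(1)` without checking that `cmpClient.createCertificate` returned two lists, which would surface as an `IndexOutOfBoundsException` rather than a CMP-level error; a `if (certificates.size() < 2) throw new Cmpv2ClientAdapterException(...)` guard is cheap. The Javadoc should also say that the caller-supplied private key is used here to build a self-signed certificate from the CSR before the CMP call, since that is the security-relevant part of the method.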
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RSAContentSignerBuilder.java 
@@ -0,0 +1,45 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aaf.certservice.certification.adapter; + +import java.io.IOException; +import java.security.PrivateKey; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.crypto.util.PrivateKeyFactory; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.springframework.stereotype.Component; + +@Component +public class RSAContentSignerBuilder { + + ContentSigner build(PKCS10CertificationRequest csr, PrivateKey privateKey) + throws IOException, OperatorCreationException { + AlgorithmIdentifier sigAlgId = csr.getSignatureAlgorithm(); + AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); + + return new BcRSAContentSignerBuilder(sigAlgId, digAlgId) + 
.build(PrivateKeyFactory.createKey(privateKey.getEncoded())); + } + +} diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/X509CertificateBuilder.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/X509CertificateBuilder.java new file mode 100644 index 00000000..f96cec8e --- /dev/null +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/X509CertificateBuilder.java 
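Review bot: The content signer is built from whatever `csr.getSignatureAlgorithm()` says, with no check that it is an RSA algorithm the service wants to accept: a CSR signed with a weak RSA algorithm (SHA1withRSA, say) yields a self-signed certificate with that same algorithm, and a CSR carrying a non-RSA signature OID, which `DefaultDigestAlgorithmIdentifierFinder` resolves without complaint, reaches `BcRSAContentSignerBuilder` with parameters from `PrivateKeyFactory.createKey` that are not RSA and presumably fails at signing time with an unchecked cast error instead of a clear 400. Validate `sigAlgId` against an allow-list, or pin the self-signed certificate to a fixed SHA-256-with-RSA identifier rather than echoing the CSR's, and reject everything else with a checked exception the controller advice already maps. The class has no Javadoc; `build` should state that it signs with the caller-supplied private key and that only RSA keys are supported.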
@@ -0,0 +1,56 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Cert Service
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.certification.adapter;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.SecureRandom;
+import java.time.LocalDateTime;
+import java.time.ZoneOffset;
+import java.util.Date;
+import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.springframework.stereotype.Component;
+
+@Component
+public class X509CertificateBuilder {
+
+ private static final int SECURE_NEXT_BYTES = 16;
+ private static final int VALID_PERIOD_IN_DAYS = 365;
+
+ X509v3CertificateBuilder build(PKCS10CertificationRequest csr) throws IOException {
+ return new X509v3CertificateBuilder(csr.getSubject(), createSerial(),
+ Date.from(LocalDateTime.now().toInstant(ZoneOffset.UTC)),
+ Date.from(LocalDateTime.now().plusDays(VALID_PERIOD_IN_DAYS).toInstant(ZoneOffset.UTC)),
+ new PKCS10CertificationRequest(csr.getEncoded()).getSubject(),
+ SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(csr.getSubjectPublicKeyInfo().getEncoded())));
+
+ }
+
+ private BigInteger createSerial() {
+ byte[] serial = new byte[SECURE_NEXT_BYTES];
+ new SecureRandom().nextBytes(serial);
+ return new BigInteger(serial).abs();
+ }
+
+}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java
new file mode 100644
index 00000000..21b873e6
--- /dev/null
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java
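Review bot: `LocalDateTime.now()` in `build` reads the JVM default zone but is then converted with `ZoneOffset.UTC`, so on any non-UTC host the notBefore/notAfter dates are shifted by the local offset, and the two separate `now()` calls make the validity window depend on the gap between them. Capture one UTC timestamp with `LocalDateTime.now(ZoneOffset.UTC)` and derive both dates from it; the subject and public key can also be taken directly from `csr` instead of being re-encoded and re-parsed, and `throws IOException` can stay so callers that catch it keep compiling. In `createSerial`, `return new BigInteger(1, serial);` states the positive-serial requirement directly rather than via `abs()`, and holding the `SecureRandom` in a field avoids re-instantiating it on every call.
```java
X509v3CertificateBuilder build(PKCS10CertificationRequest csr) throws IOException {
    // One UTC instant for both bounds so notAfter is exactly VALID_PERIOD_IN_DAYS after notBefore.
    LocalDateTime now = LocalDateTime.now(ZoneOffset.UTC);
    return new X509v3CertificateBuilder(csr.getSubject(), createSerial(),
            Date.from(now.toInstant(ZoneOffset.UTC)),
            Date.from(now.plusDays(VALID_PERIOD_IN_DAYS).toInstant(ZoneOffset.UTC)),
            csr.getSubject(),
            csr.getSubjectPublicKeyInfo());
}

// … unchanged: createSerial …
```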
@@ -0,0 +1,49 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Cert Service
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aaf.certservice.certification.configuration;
+
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.onap.aaf.certservice.cmpv2client.api.CmpClient;
+import org.onap.aaf.certservice.cmpv2client.impl.CmpClientImpl;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.context.annotation.RequestScope;
+
+@Configuration
+public class CmpClientConfig {
+
+ @Bean
+ CmpClient cmpClient(CloseableHttpClient closeableHttpClient){
+ return new CmpClientImpl(closeableHttpClient);
+ }
+
+ @Bean
+ @RequestScope
+ CloseableHttpClient closeableHttpClient(HttpClientBuilder httpClientBuilder){
+ return httpClientBuilder.build();
+ }
+
+ @Bean
+ HttpClientBuilder httpClientBuilder(){
+ return HttpClientBuilder.create();
+ }
+
+}
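Review bot: `httpClientBuilder()` returns a bare `HttpClientBuilder.create()`, so the `CloseableHttpClient` built for each request has no connect or socket timeout and a slow or unreachable CA endpoint will hold the request thread indefinitely. Consider `httpClientBuilder.setDefaultRequestConfig(RequestConfig.custom().setConnectTimeout(CONNECT_TIMEOUT_MS).setSocketTimeout(SOCKET_TIMEOUT_MS).build())` with the two values taken from configuration (names here are placeholders). The `@RequestScope` on `closeableHttpClient` deserves a comment explaining why a fresh client (and connection pool) per request was chosen over a shared singleton, and whether one shared `HttpClientBuilder` instance is safe to `build()` from concurrent requests is worth confirming against the httpclient documentation.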
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProvider.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProvider.java index 755bfeb0..190bb28a 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProvider.java +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProvider.java @@ -21,11 +21,10 @@ package org.onap.aaf.certservice.certification.configuration; import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; -import java.util.Optional; - @Component public class Cmpv2ServerProvider { @@ -36,11 +35,9 @@ public class Cmpv2ServerProvider { this.cmpServersConfig = cmpServersConfig; } - public Optional<Cmpv2Server> getCmpv2Server(String caName) { - return cmpServersConfig.getCmpServers() - .stream() - .filter(server -> server.getCaName().equals(caName)) - .findFirst(); + public Cmpv2Server getCmpv2Server(String caName) { + return cmpServersConfig.getCmpServers().stream().filter(server -> server.getCaName().equals(caName)).findFirst() + .orElseThrow(() -> new Cmpv2ServerNotFoundException("No server found for given CA name")); } } diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java index f226bc58..2186b6ff 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java 
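Review bot: the exception raised in `getCmpv2Server` does not record which CA name was requested, which makes the resulting not-found responses hard to correlate with client requests in logs; `new Cmpv2ServerNotFoundException("No server found for given CA name: " + caName)` is enough, as the CA name is a configuration label rather than a secret. The method also changed its contract from `Optional<Cmpv2Server>` to throwing, so a Javadoc `@throws Cmpv2ServerNotFoundException if no configured server matches {@code caName}` would make the new behaviour visible to callers.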
@@ -21,5 +21,15 @@ package org.onap.aaf.certservice.certification.configuration.model; public enum CaMode { - RA, CLIENT + RA("RA"), CLIENT("Client"); + + private String profile; + + CaMode(String profile) { + this.profile = profile; + } + + public String getProfile(){ + return profile; + } } diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/exception/Cmpv2ClientAdapterException.java b/certService/src/main/java/org/onap/aaf/certservice/certification/exception/Cmpv2ClientAdapterException.java new file mode 100644 index 00000000..1b26da7b --- /dev/null +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/exception/Cmpv2ClientAdapterException.java @@ -0,0 +1,28 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.certification.exception; + +public class Cmpv2ClientAdapterException extends Exception { + + public Cmpv2ClientAdapterException(Throwable cause) { + super(cause); + } +} 
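Review bot: `profile` in `CaMode` is assigned only in the constructor and should be declared `private final String profile;` so the enum stays immutable, as enum constants are shared singletons. A one-line comment on the field saying what the string denotes (it looks like an external profile name keyed by mode, but that is an inference) would help, and `public String getProfile() {` matches the brace spacing used elsewhere in the file.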
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/model/CsrModel.java b/certService/src/main/java/org/onap/aaf/certservice/certification/model/CsrModel.java index b59f4e3a..a29658f4 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/certification/model/CsrModel.java +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/model/CsrModel.java @@ -29,6 +29,7 @@ import java.security.spec.InvalidKeySpecException; import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; import java.util.Arrays; +import java.util.Collections; import java.util.List; import java.util.Objects; import java.util.stream.Collectors; @@ -54,9 +55,8 @@ public class CsrModel { private final PublicKey publicKey; private final List<String> sans; - CsrModel( - PKCS10CertificationRequest csr, X500Name subjectData, - PrivateKey privateKey, PublicKey publicKey, List<String> sans) { + CsrModel(PKCS10CertificationRequest csr, X500Name subjectData, PrivateKey privateKey, PublicKey publicKey, + List<String> sans) { this.csr = csr; this.subjectData = subjectData; this.privateKey = privateKey; @@ -86,8 +86,7 @@ public class CsrModel { @Override public String toString() { - return "Subject: { " + subjectData - + " ,SANs: " + sans + " }"; + return "Subject: { " + subjectData + " ,SANs: " + sans + " }"; } public static class CsrModelBuilder { @@ -95,9 +94,7 @@ public class CsrModel { private final PKCS10CertificationRequest csr; private final PemObject privateKey; - public CsrModel build() - throws DecryptionException - { + public CsrModel build() throws DecryptionException { X500Name subjectData = getSubjectData(); PrivateKey javaPrivateKey = convertingPemPrivateKeyToJavaSecurityPrivateKey(getPrivateKey()); 
@@ -129,20 +126,26 @@ public class CsrModel { } private List<String> getSansData() { - Extensions extensions = - Extensions.getInstance(csr.getAttributes()[0].getAttrValues().getObjectAt(0)); - GeneralName[] arrayOfAlternativeNames = - GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName).getNames(); - - return Arrays.stream(arrayOfAlternativeNames) - .map(GeneralName::getName) - .map(Objects::toString) - .collect(Collectors.toList()); + if (!isAttrsEmpty() && !isAttrsValuesEmpty()) { + Extensions extensions = Extensions.getInstance(csr.getAttributes()[0].getAttrValues().getObjectAt(0)); + GeneralName[] arrayOfAlternativeNames = + GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName).getNames(); + return Arrays.stream(arrayOfAlternativeNames).map(GeneralName::getName).map(Objects::toString) + .collect(Collectors.toList()); + } + return Collections.emptyList(); + } + + private boolean isAttrsValuesEmpty() { + return csr.getAttributes()[0].getAttrValues().size() == 0; + } + + private boolean isAttrsEmpty() { + return csr.getAttributes().length == 0; } private PrivateKey convertingPemPrivateKeyToJavaSecurityPrivateKey(PemObject privateKey) - throws KeyDecryptionException - { + throws KeyDecryptionException { try { KeyFactory factory = KeyFactory.getInstance("RSA"); PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKey.getContent()); @@ -153,8 +156,7 @@ public class CsrModel { } private PublicKey convertingPemPublicKeyToJavaSecurityPublicKey(PemObject publicKey) - throws KeyDecryptionException - { + throws KeyDecryptionException { try { KeyFactory factory = KeyFactory.getInstance("RSA"); X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKey.getContent()); diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java index e9f7a483..de11b5bb 100644 
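Review bot: `getSansData` still assumes that `csr.getAttributes()[0]` is the extensionRequest attribute and that it carries a subjectAltName extension; the new `isAttrsEmpty`/`isAttrsValuesEmpty` guards only cover a CSR with no attributes at all, so a CSR whose first attribute is something else (a challenge password, for instance) makes `Extensions.getInstance` fail, and a CSR with extensions but no SAN makes `GeneralNames.fromExtensions` return null and `getNames()` throw. Since the CSR is client input, select the attribute by OID and treat a missing SAN extension as an empty list; this needs imports for `org.bouncycastle.asn1.pkcs.Attribute` and `PKCSObjectIdentifiers`, and makes the two helper methods unnecessary. The enclosing `CsrModelBuilder` class continues outside the hunk.
```java
private List<String> getSansData() {
    Attribute[] extensionRequests = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
    if (extensionRequests.length == 0 || extensionRequests[0].getAttrValues().size() == 0) {
        return Collections.emptyList();
    }
    Extensions extensions = Extensions.getInstance(extensionRequests[0].getAttrValues().getObjectAt(0));
    GeneralNames sans = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);
    if (sans == null) {
        // Extensions present but no subjectAltName requested.
        return Collections.emptyList();
    }
    return Arrays.stream(sans.getNames()).map(GeneralName::getName).map(Objects::toString)
            .collect(Collectors.toList());
}

// … unchanged: convertingPemPrivateKeyToJavaSecurityPrivateKey …
```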
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java +++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java @@ -207,4 +207,12 @@ public class CSRMeta { public void issuerEmail(String issuerEmail) { this.issuerEmail = issuerEmail; } + + public void setIssuerName(X500Name issuerName) { + this.issuerName = issuerName; + } + + public void setName(X500Name name) { + this.name = name; + } } diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java index 512a76e1..69445b2e 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java +++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java @@ -75,6 +75,7 @@ public class RDN { break; // surname case "email": case "EMAIL": + case "E": case "emailaddress": case "EMAILADDRESS": aoi = BCStyle.EmailAddress; diff --git a/certService/src/main/resources/scripts/ejbca-configuration.sh b/certService/src/main/resources/scripts/ejbca-configuration.sh index cdff77de..705f40ca 100755 --- a/certService/src/main/resources/scripts/ejbca-configuration.sh +++ b/certService/src/main/resources/scripts/ejbca-configuration.sh 
@@ -8,9 +8,11 @@ configureEjbca() { ejbca.sh config cmp addalias --alias cmpRA ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword + ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe ejbca.sh config cmp dumpalias --alias cmpRA ejbca.sh config cmp addalias --alias cmp ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true + ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password mypassword --type 1 --token USERGENERATED ejbca.sh ra setclearpwd --username Node123 --password mypassword ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN diff --git a/certService/src/test/java/org/onap/aaf/certservice/api/CertificationControllerTest.java b/certService/src/test/java/org/onap/aaf/certservice/api/CertificationControllerTest.java index 2fc6d665..802b2ea0 100644 --- a/certService/src/test/java/org/onap/aaf/certservice/api/CertificationControllerTest.java +++ b/certService/src/test/java/org/onap/aaf/certservice/api/CertificationControllerTest.java @@ -23,12 +23,9 @@ package org.onap.aaf.certservice.api; import static org.assertj.core.api.Assertions.assertThat; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertThrows; -import static org.mockito.ArgumentMatchers.any; -import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; import com.google.gson.Gson; -import java.io.IOException; import java.util.Arrays; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; 
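Review bot: the new `responseprotection pbe` lines make the CMP aliases depend on the shared RA secret, and that secret is spelled out as the literal `mypassword` on several `ejbca.sh` lines in `configureEjbca`, so changing it means editing every occurrence and keeping the client-side configuration in step by hand. Hoisting it once at the top of the script, `CMP_RA_SECRET="${CMP_RA_SECRET:-mypassword}"`, and using `"$CMP_RA_SECRET"` on those lines lets the container pick it up from the environment. This is presumably a development-container script, so the point is keeping the two sides consistent rather than protecting a production secret; `configureEjbca` continues outside the hunk.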
@@ -36,56 +33,54 @@ import org.junit.jupiter.api.extension.ExtendWith; import org.mockito.Mock; import org.mockito.junit.jupiter.MockitoExtension; import org.onap.aaf.certservice.certification.CertificationModelFactory; -import org.onap.aaf.certservice.certification.CsrModelFactory; -import org.onap.aaf.certservice.certification.CsrModelFactory.StringBase64; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; +import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException; import org.onap.aaf.certservice.certification.exception.CsrDecryptionException; import org.onap.aaf.certservice.certification.exception.DecryptionException; import org.onap.aaf.certservice.certification.exception.KeyDecryptionException; import org.onap.aaf.certservice.certification.model.CertificationModel; -import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; - @ExtendWith(MockitoExtension.class) class CertificationControllerTest { - private CertificationController certificationController; + private static final String TEST_CA_NAME = "TestCa"; + private static final String TEST_ENCODED_CSR = "encodedCSR"; + private static final String TEST_ENCODED_PK = "encodedPK"; + private static final String TEST_WRONG_ENCODED_CSR = "wrongEncodedCSR"; + private static final String TEST_WRONG_ENCODED_PK = "wrongEncodedPK"; + private static final String TEST_WRONG_CA_NAME = "wrongTestCa"; - @Mock - private CsrModelFactory csrModelFactory; + private CertificationController certificationController; @Mock private CertificationModelFactory certificationModelFactory; @BeforeEach - void setUp() { - certificationController = new CertificationController(csrModelFactory, certificationModelFactory); + void serUp() { + certificationController = new 
CertificationController(certificationModelFactory); } @Test - void shouldReturnDataAboutCsrBaseOnEncodedParameters() throws DecryptionException { - // given - final String testStringCsr = "testData"; - final String testCaName = "TestCa"; - CsrModel mockedCsrModel = mock(CsrModel.class); + void shouldReturnDataAboutCsrBaseOnEncodedParameters() + throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException { + // Given CertificationModel testCertificationModel = new CertificationModel( Arrays.asList("ENTITY_CERT", "INTERMEDIATE_CERT"), Arrays.asList("CA_CERT", "EXTRA_CA_CERT") ); - when(mockedCsrModel.toString()).thenReturn(testStringCsr); - when(csrModelFactory.createCsrModel(any(StringBase64.class), any(StringBase64.class))) - .thenReturn(mockedCsrModel); - when(certificationModelFactory.createCertificationModel(mockedCsrModel, testCaName)) + when(certificationModelFactory.createCertificationModel(TEST_ENCODED_CSR, TEST_ENCODED_PK, TEST_CA_NAME)) .thenReturn(testCertificationModel); - // when + // When ResponseEntity<String> testResponse = - certificationController.signCertificate(testCaName, "encryptedCSR", "encryptedPK"); + certificationController.signCertificate(TEST_CA_NAME, TEST_ENCODED_CSR, TEST_ENCODED_PK); CertificationModel responseCertificationModel = new Gson().fromJson(testResponse.getBody(), CertificationModel.class); - // then + // Then assertEquals(HttpStatus.OK, testResponse.getStatusCode()); assertThat(responseCertificationModel ).isEqualToComparingFieldByField(testCertificationModel); 
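Review bot: the `@BeforeEach` method in `CertificationControllerTest` was renamed to `serUp`, which reads as a typo for `setUp`; `void setUp() {` keeps the conventional name (JUnit runs the annotated method regardless, so this is naming only). The rest of the hunk is consistent with the constructor change in the controller.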
@@ -93,41 +88,62 @@ class CertificationControllerTest { } @Test - void shouldThrowCsrDecryptionExceptionWhenCreatingCsrModelFails() throws DecryptionException { - // given + void shouldThrowCsrDecryptionExceptionWhenCreatingCsrModelFails() + throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException { + // Given String expectedMessage = "Incorrect CSR, decryption failed"; - when(csrModelFactory.createCsrModel(any(StringBase64.class), any(StringBase64.class))) - .thenThrow(new CsrDecryptionException(expectedMessage,new IOException())); + when(certificationModelFactory.createCertificationModel(TEST_WRONG_ENCODED_CSR, TEST_ENCODED_PK, TEST_CA_NAME)) + .thenThrow(new CsrDecryptionException(expectedMessage)); - // when + // When Exception exception = assertThrows( - CsrDecryptionException.class, () -> certificationController. - signCertificate("TestCa", "encryptedCSR", "encryptedPK") + CsrDecryptionException.class, () -> + certificationController.signCertificate(TEST_CA_NAME, TEST_WRONG_ENCODED_CSR, TEST_ENCODED_PK) ); String actualMessage = exception.getMessage(); - // then + // Then assertEquals(expectedMessage, actualMessage); } @Test - void shouldThrowPemDecryptionExceptionWhenCreatingPemModelFails() throws DecryptionException { - // given + void shouldThrowPemDecryptionExceptionWhenCreatingPemModelFails() + throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException { + // Given String expectedMessage = "Incorrect PEM, decryption failed"; - when(csrModelFactory.createCsrModel(any(StringBase64.class), any(StringBase64.class))) - .thenThrow(new KeyDecryptionException(expectedMessage,new IOException())); + when(certificationModelFactory.createCertificationModel(TEST_ENCODED_CSR, TEST_WRONG_ENCODED_PK, TEST_CA_NAME)) + .thenThrow(new KeyDecryptionException(expectedMessage)); - // when + // When Exception exception = assertThrows( - KeyDecryptionException.class, () -> certificationController. 
- signCertificate("TestCa", "encryptedCSR", "encryptedPK") + KeyDecryptionException.class, () -> + certificationController.signCertificate(TEST_CA_NAME, TEST_ENCODED_CSR, TEST_WRONG_ENCODED_PK) ); String actualMessage = exception.getMessage(); - // then + // Then assertEquals(expectedMessage, actualMessage); } + @Test + void shouldThrowCmpv2ServerNotFoundWhenGivenWrongCaName() + throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException { + // Given + String expectedMessage = "No server found for given CA name"; + when(certificationModelFactory.createCertificationModel(TEST_ENCODED_CSR, TEST_ENCODED_PK, TEST_WRONG_CA_NAME)) + .thenThrow(new Cmpv2ServerNotFoundException(expectedMessage)); + + // When + Exception exception = assertThrows( + Cmpv2ServerNotFoundException.class, () -> + certificationController.signCertificate(TEST_WRONG_CA_NAME, TEST_ENCODED_CSR, TEST_ENCODED_PK) + ); + + String actualMessage = exception.getMessage(); + + // Then + assertEquals(expectedMessage, actualMessage); + } } diff --git a/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationExceptionControllerTest.java b/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationExceptionControllerTest.java index 1a92c0c8..10a818e4 100644 --- a/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationExceptionControllerTest.java +++ b/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationExceptionControllerTest.java 
@@ -23,13 +23,17 @@ package org.onap.aaf.certservice.certification; import com.google.gson.Gson; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException; import org.onap.aaf.certservice.certification.exception.CsrDecryptionException; import org.onap.aaf.certservice.certification.exception.ErrorResponseModel; import org.onap.aaf.certservice.certification.exception.KeyDecryptionException; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; +import org.springframework.http.HttpStatus; import org.springframework.http.ResponseEntity; import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; class CertificationExceptionControllerTest { 
@@ -43,46 +47,98 @@ class CertificationExceptionControllerTest { @Test void shouldReturnResponseEntityWithAppropriateErrorMessageWhenGivenCsrDecryptionException() { - // given + // Given String expectedMessage = "Wrong certificate signing request (CSR) format"; CsrDecryptionException csrDecryptionException = new CsrDecryptionException("test csr exception"); - // when + // When ResponseEntity<String> responseEntity = certificationExceptionController.handle(csrDecryptionException); ErrorResponseModel response = new Gson().fromJson(responseEntity.getBody(), ErrorResponseModel.class); - // then + // Then + assertEquals(HttpStatus.BAD_REQUEST, responseEntity.getStatusCode()); assertEquals(expectedMessage, response.getErrorMessage()); } @Test void shouldReturnResponseEntityWithAppropriateErrorMessageWhenGivenKeyDecryptionException() { - // given + // Given String expectedMessage = "Wrong key (PK) format"; KeyDecryptionException csrDecryptionException = new KeyDecryptionException("test pk exception"); - // when + // When ResponseEntity<String> responseEntity = certificationExceptionController.handle(csrDecryptionException); ErrorResponseModel response = new Gson().fromJson(responseEntity.getBody(), ErrorResponseModel.class); - // then + // Then + assertEquals(HttpStatus.BAD_REQUEST, responseEntity.getStatusCode()); assertEquals(expectedMessage, response.getErrorMessage()); } @Test void shouldReturnResponseEntityWithAppropriateErrorMessageWhenGivenCaNameIsNotPresentInConfig() { - // given + // Given String expectedMessage = "Certification authority not found for given CAName"; Cmpv2ServerNotFoundException csrDecryptionException = new Cmpv2ServerNotFoundException("test Ca exception"); - // when + // When ResponseEntity<String> responseEntity = certificationExceptionController.handle(csrDecryptionException); ErrorResponseModel response = new Gson().fromJson(responseEntity.getBody(), ErrorResponseModel.class); - // then + // Then + assertEquals(HttpStatus.NOT_FOUND, 
responseEntity.getStatusCode()); assertEquals(expectedMessage, response.getErrorMessage()); } + + @Test + void shouldReturnResponseEntityWithAppropriateErrorMessageWhenCallingCmpClientFail() { + // Given + String expectedMessage = "Exception occurred during call to cmp client"; + CmpClientException cmpClientException = new CmpClientException("Calling CMPv2 client failed"); + + // When + ResponseEntity<String> responseEntity = certificationExceptionController.handle(cmpClientException); + + ErrorResponseModel response = new Gson().fromJson(responseEntity.getBody(), ErrorResponseModel.class); + + // Then + assertEquals(HttpStatus.INTERNAL_SERVER_ERROR, responseEntity.getStatusCode()); + assertEquals(expectedMessage, response.getErrorMessage()); + } + + @Test + void shouldReturnResponseEntityWithAppropriateErrorMessageWhenModelTransformationInAdapterFail() { + // Given + String expectedMessage = "Exception occurred parsing cmp client response"; + Cmpv2ClientAdapterException cmpv2ClientAdapterException = new Cmpv2ClientAdapterException(new Throwable()); + + // When + ResponseEntity<String> responseEntity = certificationExceptionController.handle(cmpv2ClientAdapterException); + + ErrorResponseModel response = new Gson().fromJson(responseEntity.getBody(), ErrorResponseModel.class); + + // Then + assertEquals(HttpStatus.INTERNAL_SERVER_ERROR, responseEntity.getStatusCode()); + assertEquals(expectedMessage, response.getErrorMessage()); + } + + @Test + void shouldThrowCmpClientExceptionWhenNotHandledRunTimeExceptionOccur() { + // Given + String expectedMessage = "Runtime exception occurred calling cmp client business logic"; + RuntimeException runtimeException = new RuntimeException("Unknown runtime exception"); + + // When + Exception exception = assertThrows( + CmpClientException.class, () -> + certificationExceptionController.handle(runtimeException) + ); + + // Then + assertEquals(expectedMessage, exception.getMessage()); + } + } 
diff --git a/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationModelFactoryTest.java b/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationModelFactoryTest.java index 50e604e2..1b896a4b 100644 --- a/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationModelFactoryTest.java +++ b/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationModelFactoryTest.java 
@@ -27,49 +27,77 @@ import org.mockito.Mock; import org.mockito.junit.jupiter.MockitoExtension; import org.onap.aaf.certservice.certification.configuration.Cmpv2ServerProvider; import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException; +import org.onap.aaf.certservice.certification.exception.CsrDecryptionException; +import org.onap.aaf.certservice.certification.exception.DecryptionException; import org.onap.aaf.certservice.certification.model.CertificationModel; import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; -import java.util.Optional; +import java.util.Arrays; +import java.util.Base64; +import java.util.List; import static org.assertj.core.api.Assertions.assertThat; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.mockito.ArgumentMatchers.eq; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; import static org.onap.aaf.certservice.certification.CertificationData.CA_CERT; import static org.onap.aaf.certservice.certification.CertificationData.ENTITY_CERT; import static org.onap.aaf.certservice.certification.CertificationData.INTERMEDIATE_CERT; import static org.onap.aaf.certservice.certification.CertificationData.EXTRA_CA_CERT; +import static org.onap.aaf.certservice.certification.TestData.TEST_CSR; +import static org.onap.aaf.certservice.certification.TestData.TEST_PK; +import static org.onap.aaf.certservice.certification.TestData.TEST_WRONG_CSR; +import static org.onap.aaf.certservice.certification.TestData.TEST_WRONG_PEM; @ExtendWith(MockitoExtension.class) class CertificationModelFactoryTest { private static 
final String TEST_CA = "testCA"; + private static final String ENCODED_CSR = getEncodedString(TEST_CSR); + private static final String ENCODED_PK = getEncodedString(TEST_PK); + private static final String ENCODED_WRONG_CSR = getEncodedString(TEST_WRONG_CSR); + private static final String ENCODED_WRONG_PK = getEncodedString(TEST_WRONG_PEM); private CertificationModelFactory certificationModelFactory; @Mock - Cmpv2ServerProvider cmpv2ServerProvider; + private Cmpv2ServerProvider cmpv2ServerProvider; + @Mock + private CsrModelFactory csrModelFactory; + @Mock + private CertificationProvider certificationProvider; + + + private static String getEncodedString(String testCsr) { + return Base64.getEncoder().encodeToString(testCsr.getBytes()); + } @BeforeEach void setUp() { - certificationModelFactory = new CertificationModelFactory(cmpv2ServerProvider); + certificationModelFactory = + new CertificationModelFactory(csrModelFactory, cmpv2ServerProvider, certificationProvider); } @Test - void shouldCreateProperCertificationModelWhenGivenProperCsrModelAndCaName() { - // given - CsrModel mockedCsrModel = mock(CsrModel.class); - when(cmpv2ServerProvider.getCmpv2Server(TEST_CA)).thenReturn(Optional.of(createTestCmpv2Server())); + void shouldCreateProperCertificationModelWhenGivenProperCsrModelAndCaName() + throws CmpClientException, DecryptionException, Cmpv2ClientAdapterException { - // when + // Given + CsrModel csrModel = mockCsrFactoryModelCreation(); + Cmpv2Server testServer = mockCmpv2ProviderServerSelection(); + mockCertificateProviderCertificateSigning(csrModel, testServer); + + // When CertificationModel certificationModel = - certificationModelFactory.createCertificationModel(mockedCsrModel ,TEST_CA); + certificationModelFactory.createCertificationModel(ENCODED_CSR, ENCODED_PK,TEST_CA); - //then + // Then assertEquals(2, certificationModel.getCertificateChain().size()); assertThat(certificationModel.getCertificateChain()).contains(INTERMEDIATE_CERT, ENTITY_CERT); 
assertEquals(2, certificationModel.getTrustedCertificates().size()); 
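Review bot: `getEncodedString` in `CertificationModelFactoryTest` calls `testCsr.getBytes()` without a charset, so the Base64 fixtures depend on the platform default encoding on JDKs before 18; `return Base64.getEncoder().encodeToString(testCsr.getBytes(StandardCharsets.UTF_8));` pins it (with `java.nio.charset.StandardCharsets` imported). The parameter is also used to encode the private key and the wrong-PEM fixture, so a neutral name such as `pem` fits better than `testCsr`. The test class continues past the end of the hunk.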
@@ -77,23 +105,116 @@ class CertificationModelFactoryTest { } @Test - void shouldThrowCmpv2ServerNotFoundExceptionWhenGivenWrongCaName() { - // given + void shouldThrowDecryptionExceptionWhenGivenWrongEncodedCSR() + throws DecryptionException { + // Given + String expectedMessage = "Incorrect CSR, decryption failed"; + when( + csrModelFactory.createCsrModel( + eq(new CsrModelFactory.StringBase64(ENCODED_WRONG_CSR)), + eq(new CsrModelFactory.StringBase64(ENCODED_WRONG_PK)) + ) + ).thenThrow( + new CsrDecryptionException(expectedMessage) + ); + + // When + Exception exception = assertThrows( + DecryptionException.class, () -> + certificationModelFactory.createCertificationModel(ENCODED_WRONG_CSR, ENCODED_WRONG_PK, TEST_CA) + ); + + // Then + assertTrue(exception.getMessage().contains(expectedMessage)); + } + + @Test + void shouldThrowCmpv2ServerNotFoundExceptionWhenGivenWrongCaName() + throws DecryptionException { + // Given String expectedMessage = "CA not found"; - CsrModel mockedCsrModel = mock(CsrModel.class); - when(cmpv2ServerProvider.getCmpv2Server(TEST_CA)).thenThrow(new Cmpv2ServerNotFoundException(expectedMessage)); + mockCsrFactoryModelCreation(); + when( + cmpv2ServerProvider.getCmpv2Server(TEST_CA) + ).thenThrow( + new Cmpv2ServerNotFoundException(expectedMessage) + ); - // when + // When Exception exception = assertThrows( Cmpv2ServerNotFoundException.class, () -> - certificationModelFactory.createCertificationModel(mockedCsrModel ,TEST_CA) + certificationModelFactory.createCertificationModel(ENCODED_CSR, ENCODED_PK, TEST_CA) + ); + + // Then + assertTrue(exception.getMessage().contains(expectedMessage)); + } + + @Test + void shouldThrowCmpClientExceptionWhenSigningCsrFailed() + throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException { + // Given + String expectedMessage = "failed to sign certificate"; + CsrModel csrModel = mockCsrFactoryModelCreation(); + Cmpv2Server testServer = mockCmpv2ProviderServerSelection(); + when( + 
certificationProvider.signCsr(eq(csrModel), eq(testServer)) + ).thenThrow( + new CmpClientException(expectedMessage) + ); + + // When + Exception exception = assertThrows( + CmpClientException.class, () -> + certificationModelFactory.createCertificationModel(ENCODED_CSR, ENCODED_PK, TEST_CA) ); - // then + // Then assertTrue(exception.getMessage().contains(expectedMessage)); } - private Cmpv2Server createTestCmpv2Server() { + + private void mockCertificateProviderCertificateSigning(CsrModel csrModel, Cmpv2Server testServer) + throws CmpClientException, Cmpv2ClientAdapterException { + CertificationModel expectedCertificationModel = getCertificationModel(); + when( + certificationProvider.signCsr(eq(csrModel), eq(testServer)) + ).thenReturn(expectedCertificationModel); + } + + private Cmpv2Server mockCmpv2ProviderServerSelection() { + Cmpv2Server testServer = getCmpv2Server(); + when( + cmpv2ServerProvider.getCmpv2Server(eq(TEST_CA)) + ).thenReturn(testServer); + return testServer; + } + + private CsrModel mockCsrFactoryModelCreation() + throws DecryptionException { + CsrModel csrModel = getCsrModel(); + when( + csrModelFactory.createCsrModel( + eq(new CsrModelFactory.StringBase64(ENCODED_CSR)), + eq(new CsrModelFactory.StringBase64(ENCODED_PK)) + ) + ).thenReturn(csrModel); + return csrModel; + } + + private Cmpv2Server getCmpv2Server() { return new Cmpv2Server(); } + + private CsrModel getCsrModel() { + return mock(CsrModel.class); + } + + private CertificationModel getCertificationModel() { + List<String> testTrustedCertificates = Arrays.asList(CA_CERT, EXTRA_CA_CERT); + List<String> testCertificationChain = Arrays.asList(INTERMEDIATE_CERT, ENTITY_CERT); + return new CertificationModel(testCertificationChain, testTrustedCertificates); + } + + } 
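Review bot: The stubs in `mockCsrFactoryModelCreation` and in `shouldThrowDecryptionExceptionWhenGivenWrongEncodedCSR` match on `eq(new CsrModelFactory.StringBase64(...))`, which only matches if `StringBase64` overrides `equals`/`hashCode`; that class is outside this hunk, so it cannot be confirmed here. If it does not, the stub never applies, `createCsrModel` returns null and the tests fail with a NullPointerException (or an unnecessary-stubbing error under strict stubs) rather than on the behaviour under test. Either guarantee value equality on `StringBase64` or stub with `any(CsrModelFactory.StringBase64.class)` and check the actual arguments with an `ArgumentCaptor`. A one-line comment on `mockCsrFactoryModelCreation` stating that the matcher relies on `StringBase64` value equality would also help the next maintainer.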
diff --git a/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationProviderTest.java b/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationProviderTest.java
new file mode 100644
index 00000000..aa6f1d08
--- /dev/null
+++ b/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationProviderTest.java
@@ -0,0 +1,93 @@ +/* + * ============LICENSE_START======================================================= + * AAF Certification Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aaf.certservice.certification; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; +import org.onap.aaf.certservice.certification.adapter.Cmpv2ClientAdapter; +import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; +import org.onap.aaf.certservice.certification.exception.DecryptionException; +import org.onap.aaf.certservice.certification.model.CertificationModel; +import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.mockito.ArgumentMatchers.eq; +import static 
org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +@ExtendWith(MockitoExtension.class) +class CertificationProviderTest { + + private CertificationProvider certificationProvider; + + @Mock + private Cmpv2ClientAdapter cmpv2ClientAdapter; + + @BeforeEach + void setUp() { + certificationProvider = new CertificationProvider(cmpv2ClientAdapter); + } + + @Test + void certificationProviderShouldReturnCertificationModelWhenProvidedProperCsrModelAndCmpv2Server() + throws CmpClientException, Cmpv2ClientAdapterException { + // Given + CsrModel testCsrModel = mock(CsrModel.class); + Cmpv2Server testServer = mock(Cmpv2Server.class); + CertificationModel expectedCertificationModel = mock(CertificationModel.class); + when( + cmpv2ClientAdapter.callCmpClient(eq(testCsrModel), eq(testServer)) + ).thenReturn(expectedCertificationModel); + + // When + CertificationModel receivedCertificationModel = certificationProvider.signCsr(testCsrModel, testServer); + + // Then + assertThat(receivedCertificationModel).isEqualTo(expectedCertificationModel); + } + + @Test + void certificationProviderThrowCmpClientWhenCallingClientFails() + throws CmpClientException, Cmpv2ClientAdapterException { + // Given + CsrModel testCsrModel = mock(CsrModel.class); + Cmpv2Server testServer = mock(Cmpv2Server.class); + String expectedErrorMessage = "connecting to CMP client failed"; + when( + cmpv2ClientAdapter.callCmpClient(eq(testCsrModel), eq(testServer)) + ).thenThrow(new CmpClientException(expectedErrorMessage)); + + // When + Exception exception = assertThrows( + CmpClientException.class, () -> + certificationProvider.signCsr(testCsrModel, testServer) + ); + + // Then + assertThat(exception.getMessage()).isEqualTo(expectedErrorMessage); + } + +} 
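Review bot: Only the `CmpClientException` path of `signCsr` is exercised, although its throws clause (visible in both test signatures) also declares `Cmpv2ClientAdapterException`, so a regression that wraps or swallows the adapter exception would go unnoticed. A third test stubbing `callCmpClient` to throw `Cmpv2ClientAdapterException` and asserting it propagates would close that gap; the sketch below assumes the exception has a message constructor like `CmpClientException`'s, which this hunk does not show. The second test's name, `certificationProviderThrowCmpClientWhenCallingClientFails`, also reads oddly next to the first; `certificationProviderShouldRethrowCmpClientExceptionWhenCallingClientFails` says what is asserted.
```java
@Test
void certificationProviderShouldRethrowCmpv2ClientAdapterExceptionWhenAdapterFails()
        throws CmpClientException, Cmpv2ClientAdapterException {
    // Given
    CsrModel testCsrModel = mock(CsrModel.class);
    Cmpv2Server testServer = mock(Cmpv2Server.class);
    String expectedErrorMessage = "converting CMP client response failed";
    when(
            cmpv2ClientAdapter.callCmpClient(eq(testCsrModel), eq(testServer))
    ).thenThrow(new Cmpv2ClientAdapterException(expectedErrorMessage));

    // When
    Exception exception = assertThrows(
            Cmpv2ClientAdapterException.class, () ->
                    certificationProvider.signCsr(testCsrModel, testServer)
    );

    // Then
    assertThat(exception.getMessage()).isEqualTo(expectedErrorMessage);
}
```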
diff --git a/certService/src/test/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilderTest.java b/certService/src/test/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilderTest.java
new file mode 100644
index 00000000..165c9ec1
--- /dev/null
+++ b/certService/src/test/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilderTest.java
@@ -0,0 +1,100 @@ +/* + * ============LICENSE_START======================================================= + * AAF Certification Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.certification.adapter; + +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.onap.aaf.certservice.certification.configuration.model.Authentication; +import org.onap.aaf.certservice.certification.configuration.model.CaMode; +import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.external.CSRMeta; + +import java.security.PrivateKey; +import java.security.PublicKey; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +public class CSRMetaBuilderTest { + + private CSRMetaBuilder csrMetaBuilder; + + 
private static final String TEST_CA = "testCA"; + private static final X500Name TEST_SUBJECT_DATA = new X500Name("CN=testIssuer"); + + @BeforeEach + void setUp() { + csrMetaBuilder = new CSRMetaBuilder(); + } + + @Test + void shouldBuildCsrMetaWhenGivenCsrModelAndCmpv2ServerAreCorrect() { + // Given + CsrModel testCsrModel = mock(CsrModel.class); + Cmpv2Server testServer = createTestServer(); + + PKCS10CertificationRequest certificationRequest = mock(PKCS10CertificationRequest.class); + when(testCsrModel.getCsr()).thenReturn(certificationRequest); + PrivateKey mockPrivateKey = mock(PrivateKey.class); + when(testCsrModel.getPrivateKey()).thenReturn(mockPrivateKey); + PublicKey mockPublicKey = mock(PublicKey.class); + when(testCsrModel.getPublicKey()).thenReturn(mockPublicKey); + List<String> testSans = Arrays.asList("SAN01","SAN02"); + when(testCsrModel.getSans()).thenReturn(testSans); + + when(testCsrModel.getSubjectData()).thenReturn(TEST_SUBJECT_DATA); + + // When + CSRMeta createdCSRMeta = csrMetaBuilder.build(testCsrModel, testServer); + + // Then + assertThat(createdCSRMeta.password()).isEqualTo(testServer.getAuthentication().getIak()); + assertThat(createdCSRMeta.senderKid()).isEqualTo(testServer.getAuthentication().getRv()); + assertThat(createdCSRMeta.caUrl()).isEqualTo(testServer.getUrl()); + assertThat(createdCSRMeta.sans()).containsAll(testSans); + assertThat(createdCSRMeta.keyPair().getPrivate()).isEqualTo(mockPrivateKey); + assertThat(createdCSRMeta.keyPair().getPublic()).isEqualTo(mockPublicKey); + assertThat(createdCSRMeta.x500Name()).isEqualTo(TEST_SUBJECT_DATA); + assertThat(createdCSRMeta.issuerx500Name()).isEqualTo(TEST_SUBJECT_DATA); + } + + private Cmpv2Server createTestServer() { + Cmpv2Server testServer = new Cmpv2Server(); + testServer.setCaName(TEST_CA); + testServer.setIssuerDN(TEST_SUBJECT_DATA); + testServer.setUrl("http://test.ca.server"); + Authentication testAuthentication = new Authentication(); + 
testAuthentication.setIak("testIak"); + testAuthentication.setRv("testRv"); + testServer.setAuthentication(testAuthentication); + testServer.setCaMode(CaMode.RA); + + return testServer; + } + +} diff --git a/certService/src/test/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapterTest.java b/certService/src/test/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapterTest.java new file mode 100644 index 00000000..296f63cd --- /dev/null +++ b/certService/src/test/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapterTest.java 
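Review bot: `TEST_SUBJECT_DATA` is used both as the CSR subject (`getSubjectData()` stub) and as the server's issuer DN (`setIssuerDN`), so the assertions on `x500Name()` and `issuerx500Name()` pass even if the builder swaps subject and issuer — exactly the mix-up this test should catch for a certificate request. Use two distinct names, `private static final X500Name TEST_SUBJECT_DATA = new X500Name("CN=testSubject");` and `private static final X500Name TEST_ISSUER_DATA = new X500Name("CN=testIssuer");`, pass `TEST_ISSUER_DATA` to `setIssuerDN` and assert `issuerx500Name()` against it. Two smaller points: the class is declared `public class CSRMetaBuilderTest` while the sibling JUnit 5 tests in this commit are package-private, and `java.util.Collections` is imported but unused.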
@@ -0,0 +1,185 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.certification.adapter; + +import java.io.IOException; +import java.io.InputStream; +import java.io.StringWriter; +import java.nio.charset.StandardCharsets; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Collections; +import java.util.List; +import java.util.Objects; +import org.apache.commons.io.IOUtils; +import org.bouncycastle.asn1.x509.Certificate; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.X509v3CertificateBuilder; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.Test; +import org.mockito.InjectMocks; +import org.mockito.Mock; +import 
org.mockito.Mockito; +import org.onap.aaf.certservice.certification.configuration.model.CaMode; +import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; +import org.onap.aaf.certservice.certification.model.CertificationModel; +import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.api.CmpClient; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; +import org.onap.aaf.certservice.cmpv2client.external.CSRMeta; +import org.springframework.boot.test.context.SpringBootTest; + +@SpringBootTest +class Cmpv2ClientAdapterTest { + + @Mock + private CmpClient cmpClient; + @Mock + private CsrModel csrModel; + @Mock + private Cmpv2Server server; + @Mock + private RSAContentSignerBuilder rsaContentSignerBuilder; + @Mock + private X509CertificateBuilder x509CertificateBuilder; + @Mock + private PKCS10CertificationRequest csr; + @Mock + private PrivateKey privateKey; + @Mock + private X509v3CertificateBuilder x509V3CertificateBuilder; + @Mock + private ContentSigner contentSigner; + @Mock + private X509CertificateHolder holder; + @Mock + private Certificate asn1Certificate; + @Mock + private X509Certificate certificate; + @Mock + private CertificateFactoryProvider certificateFactoryProvider; + @Mock + private CSRMetaBuilder csrMetaBuilder; + @Mock + private CSRMeta csrMeta; + + @InjectMocks + private Cmpv2ClientAdapter adapter; + + private static final CaMode CA_MODEL = CaMode.CLIENT; + private static final String TEST_MSG = "Test"; + + @Test + void adapterShouldRethrowClientExceptionOnFailure() + throws CmpClientException, IOException, OperatorCreationException, CertificateException, + NoSuchProviderException { + // Given + stubInternalProperties(); + + // When + Mockito.when(cmpClient.createCertificate(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any())) + .thenThrow(new 
CmpClientException(TEST_MSG)); + + // Then + Assertions.assertThrows(CmpClientException.class, () -> adapter.callCmpClient(csrModel, server)); + } + + @Test + void shouldConvertToCertificationModel() + throws OperatorCreationException, CertificateException, NoSuchProviderException, IOException, + CmpClientException, Cmpv2ClientAdapterException { + // Given + stubInternalProperties(); + + // When + Mockito.when(cmpClient.createCertificate(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any())) + .thenReturn(createCorrectClientResponse()); + CertificationModel certificationModel = adapter.callCmpClient(csrModel, server); + + // Then + InputStream certificate = getClass().getClassLoader().getResourceAsStream("certificateModelChain.first"); + InputStream trustedCertificate = + getClass().getClassLoader().getResourceAsStream("trustedCertificatesModel.first"); + String certificateModel = removeLineEndings(certificationModel.getCertificateChain().get(0)); + String expectedCertificate = + removeLineEndings(IOUtils.toString(Objects.requireNonNull(certificate), StandardCharsets.UTF_8)); + String trustedCertificateModel = removeLineEndings(certificationModel.getTrustedCertificates().get(0)); + String expectedTrustedCertificate = + removeLineEndings(IOUtils.toString(Objects.requireNonNull(trustedCertificate), StandardCharsets.UTF_8)); + + Assertions.assertEquals(certificateModel, expectedCertificate); + Assertions.assertEquals(trustedCertificateModel, expectedTrustedCertificate); + } + + @Test + void adapterShouldThrowClientAdapterExceptionOnFailure() + throws OperatorCreationException, CertificateException, NoSuchProviderException, IOException, + CmpClientException { + // Given + stubInternalProperties(); + + // When + Mockito.when(cmpClient.createCertificate(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any())) + .thenReturn(createCorrectClientResponse()); + Mockito.when(certificateFactoryProvider.generateCertificate(Mockito.any())) + .thenThrow(new 
CertificateException(TEST_MSG)); + + // Then + Assertions.assertThrows(Cmpv2ClientAdapterException.class, () -> adapter.callCmpClient(csrModel, server)); + } + + private List<List<X509Certificate>> createCorrectClientResponse() + throws CertificateException, NoSuchProviderException { + InputStream certificateChain = getClass().getClassLoader().getResourceAsStream("certificateChain.first"); + InputStream trustedCertificate = getClass().getClassLoader().getResourceAsStream("trustedCertificates.first"); + X509Certificate x509Certificate = new CertificateFactoryProvider().generateCertificate(certificateChain); + X509Certificate x509TrustedCertificate = + new CertificateFactoryProvider().generateCertificate(trustedCertificate); + return Arrays.asList(Collections.singletonList(x509Certificate), + Collections.singletonList(x509TrustedCertificate)); + } + + private String removeLineEndings(String string) { + return string.replace("\n", "").replace("\r", ""); + } + + private void stubInternalProperties() + throws IOException, OperatorCreationException, CertificateException, NoSuchProviderException { + Mockito.when(server.getCaMode()).thenReturn(CA_MODEL); + Mockito.when(csrModel.getCsr()).thenReturn(csr); + Mockito.when(csrModel.getPrivateKey()).thenReturn(privateKey); + Mockito.when(x509CertificateBuilder.build(csr)).thenReturn(x509V3CertificateBuilder); + Mockito.when(rsaContentSignerBuilder.build(csr, privateKey)).thenReturn(contentSigner); + Mockito.when(x509V3CertificateBuilder.build(contentSigner)).thenReturn(holder); + Mockito.when(holder.toASN1Structure()).thenReturn(asn1Certificate); + Mockito.when(certificateFactoryProvider.generateCertificate(Mockito.any())).thenReturn(certificate); + Mockito.when(holder.toASN1Structure().getEncoded()).thenReturn("".getBytes()); + Mockito.when(csrMetaBuilder.build(csrModel, server)).thenReturn(csrMeta); + } + +} 
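Review bot: The `InputStream`s returned by `getResourceAsStream` in `shouldConvertToCertificationModel` and `createCorrectClientResponse` are never closed; wrap them in try-with-resources (the callers already declare `IOException`, so adding it to `createCorrectClientResponse`'s throws clause is compatible). In `shouldConvertToCertificationModel` the local `InputStream certificate` also shadows the `@Mock X509Certificate certificate` field, which is easy to misread. Separately, `@SpringBootTest` boots the full application context for what is a pure Mockito test, whereas the sibling tests use `@ExtendWith(MockitoExtension.class)`; unless the context is needed for something not visible here, the lighter extension would make this test faster and consistent.
```java
private List<List<X509Certificate>> createCorrectClientResponse()
        throws CertificateException, NoSuchProviderException, IOException {
    ClassLoader loader = getClass().getClassLoader();
    try (InputStream certificateChain = loader.getResourceAsStream("certificateChain.first");
         InputStream trustedCertificate = loader.getResourceAsStream("trustedCertificates.first")) {
        CertificateFactoryProvider provider = new CertificateFactoryProvider();
        X509Certificate x509Certificate = provider.generateCertificate(certificateChain);
        X509Certificate x509TrustedCertificate = provider.generateCertificate(trustedCertificate);
        return Arrays.asList(Collections.singletonList(x509Certificate),
                Collections.singletonList(x509TrustedCertificate));
    }
}
// … unchanged: removeLineEndings, stubInternalProperties …
```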
diff --git a/certService/src/test/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProviderTest.java b/certService/src/test/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProviderTest.java index 20a85783..7e14e470 100644 --- a/certService/src/test/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProviderTest.java +++ b/certService/src/test/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProviderTest.java @@ -29,10 +29,13 @@ import org.mockito.junit.jupiter.MockitoExtension; import org.onap.aaf.certservice.certification.configuration.model.Authentication; import org.onap.aaf.certservice.certification.configuration.model.CaMode; import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException; import java.util.Collections; import static org.assertj.core.api.Assertions.assertThat; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; import static org.mockito.Mockito.when; @ExtendWith(MockitoExtension.class) 
@@ -53,32 +56,32 @@ class Cmpv2ServerProviderTest { @Test void shouldReturnOptionalWithServerWhenServerWithGivenCaNameIsPresentInConfig() { - // given + // Given Cmpv2Server testServer = createTestServer(); when(cmpServersConfig.getCmpServers()).thenReturn(Collections.singletonList(testServer)); - // when + // When Cmpv2Server receivedServer = cmpv2ServerProvider - .getCmpv2Server(TEST_CA) - .get(); + .getCmpv2Server(TEST_CA); - // then + // Then assertThat(receivedServer).isEqualToComparingFieldByField(testServer); } - @Test void shouldReturnEmptyOptionalWhenServerWithGivenCaNameIsNotPresentInConfig() { - // given + // Given + String expectedMessage = "No server found for given CA name"; when(cmpServersConfig.getCmpServers()).thenReturn(Collections.emptyList()); - // when - Boolean isEmpty = cmpv2ServerProvider - .getCmpv2Server(TEST_CA) - .isEmpty(); + // When + Exception exception = assertThrows( + Cmpv2ServerNotFoundException.class, () -> + cmpv2ServerProvider.getCmpv2Server(TEST_CA) + ); - // then - assertThat(isEmpty).isTrue(); + // Then + assertTrue(exception.getMessage().contains(expectedMessage)); } private Cmpv2Server createTestServer() { diff --git a/certService/src/test/java/org/onap/aaf/certservice/certification/model/CsrModelTest.java b/certService/src/test/java/org/onap/aaf/certservice/certification/model/CsrModelTest.java index f47f495f..45bd9664 100644 --- a/certService/src/test/java/org/onap/aaf/certservice/certification/model/CsrModelTest.java +++ b/certService/src/test/java/org/onap/aaf/certservice/certification/model/CsrModelTest.java 
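Review bot: Both test names are now stale: `shouldReturnEmptyOptionalWhenServerWithGivenCaNameIsNotPresentInConfig` asserts a thrown `Cmpv2ServerNotFoundException`, and `shouldReturnOptionalWithServerWhenServerWithGivenCaNameIsPresentInConfig` receives a plain `Cmpv2Server` since the `.get()` was removed. Rename them to `shouldReturnServerWhenServerWithGivenCaNameIsPresentInConfig` and `shouldThrowCmpv2ServerNotFoundExceptionWhenServerWithGivenCaNameIsNotPresentInConfig` so a failure report describes the contract that was broken. The new assertion also mixes JUnit's `assertTrue` with the AssertJ style used elsewhere in the file; `assertThat(exception).hasMessageContaining(expectedMessage);` keeps it consistent and gives a better failure message.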
@@ -50,15 +50,15 @@ class CsrModelTest { = new PemObjectFactory(); @Test void shouldByConstructedAndReturnProperFields() throws DecryptionException, IOException { - // given + // Given PemObject testPrivateKey = getPemPrivateKey(); PemObject testPublicKey = generateTestPublicKey(); PKCS10CertificationRequest testCsr = generateTestCertificationRequest(); - // when + // When CsrModel csrModel = generateTestCsrModel(testCsr); - // then + // Then assertThat(csrModel.getCsr()) .isEqualTo(testCsr); assertThat(csrModel.getPrivateKey().getEncoded()) @@ -75,7 +75,7 @@ class CsrModelTest { @Test void shouldThrowExceptionWhenPublicKeyIsNotCorrect() throws DecryptionException, IOException { - // given + // Given PemObject testPrivateKey = getPemPrivateKey(); PKCS10CertificationRequest testCsr = mock(PKCS10CertificationRequest.class); SubjectPublicKeyInfo wrongKryInfo = mock(SubjectPublicKeyInfo.class); @@ -84,7 +84,7 @@ class CsrModelTest { when(wrongKryInfo.getEncoded()) .thenThrow(new IOException()); - // when + // When Exception exception = assertThrows( CsrDecryptionException.class, () -> new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build() @@ -93,13 +93,13 @@ class CsrModelTest { String expectedMessage = "Reading Public Key from CSR failed"; String actualMessage = exception.getMessage(); - // then + // Then assertTrue(actualMessage.contains(expectedMessage)); } @Test void shouldThrowExceptionWhenPrivateKeyPemIsNotProperPrivateKey() throws KeyDecryptionException, IOException { - // given + // Given PemObject testPrivateKey = getPemWrongKey(); PKCS10CertificationRequest testCsr = mock(PKCS10CertificationRequest.class); SubjectPublicKeyInfo wrongKryInfo = mock(SubjectPublicKeyInfo.class); @@ -108,7 +108,7 @@ class CsrModelTest { when(wrongKryInfo.getEncoded()) .thenThrow(new IOException()); - // when + // When Exception exception = assertThrows( KeyDecryptionException.class, () -> new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build() 
@@ -117,13 +117,13 @@ class CsrModelTest { String expectedMessage = "Converting Private Key failed"; String actualMessage = exception.getMessage(); - // then + // Then assertTrue(actualMessage.contains(expectedMessage)); } @Test void shouldThrowExceptionWhenPublicKeyPemIsNotProperPublicKey() throws KeyDecryptionException, IOException { - // given + // Given PemObject testPrivateKey = getPemPrivateKey(); PemObject testPublicKey = getPemWrongKey(); PKCS10CertificationRequest testCsr = mock(PKCS10CertificationRequest.class); @@ -133,7 +133,7 @@ class CsrModelTest { when(wrongKryInfo.getEncoded()) .thenReturn(testPublicKey.getContent()); - // when + // When Exception exception = assertThrows( KeyDecryptionException.class, () -> new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build() @@ -142,7 +142,7 @@ class CsrModelTest { String expectedMessage = "Converting Public Key from CSR failed"; String actualMessage = exception.getMessage(); - // then + // Then assertTrue(actualMessage.contains(expectedMessage)); } diff --git a/certService/src/test/resources/certificateChain.first b/certService/src/test/resources/certificateChain.first Binary files differnew file mode 100644 index 00000000..3e0ae028 --- /dev/null +++ b/certService/src/test/resources/certificateChain.first diff --git a/certService/src/test/resources/certificateModelChain.first b/certService/src/test/resources/certificateModelChain.first new file mode 100644 index 00000000..e6383860 --- /dev/null +++ b/certService/src/test/resources/certificateModelChain.first @@ -0,0 +1 @@ +-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
\ No newline at end of file diff --git a/certService/src/test/resources/trustedCertificates.first b/certService/src/test/resources/trustedCertificates.first Binary files differnew file mode 100644 index 00000000..6b44296d --- /dev/null +++ b/certService/src/test/resources/trustedCertificates.first diff --git a/certService/src/test/resources/trustedCertificatesModel.first b/certService/src/test/resources/trustedCertificatesModel.first new file mode 100644 index 00000000..390f6e6b --- /dev/null +++ b/certService/src/test/resources/trustedCertificatesModel.first 
@@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEszCCAxugAwIBAgIUGMTLyt0bYrNGz4KPqapEq64XmIIwDQYJKoZIhvcNAQEL +BQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMDE5MmY0N2VkY2NjZjg5NzYxFTATBgNV +BAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr +c3RhcnQwHhcNMTkxMjEyMTEwMDUxWhcNMjkxMjExMTEwMDUxWjBhMSMwIQYKCZIm +iZPyLGQBAQwTYy0wMTkyZjQ3ZWRjY2NmODk3NjEVMBMGA1UEAwwMTWFuYWdlbWVu +dENBMSMwIQYDVQQKDBpFSkJDQSBDb250YWluZXIgUXVpY2tzdGFydDCCAaIwDQYJ +KoZIhvcNAQEBBQADggGPADCCAYoCggGBAK2yz/z273gG55p4NvDfg8EZIOFkQmAV +Vi+gfvyl3zb8KYOBWGAOM8IKMInJP1Gulz2D2qYAL7PlJi87WaMI1mTNL0ca177T +UOz3C1vuFp5QqcQZP8fbGlQCHawcPwacLm6G4WFHi5tjtuBQS+qn1RrHdnvSMwG7 +1bZll3wLOnU3TOAvDMEbAXCXIwc7wxAluO1e+bCM2VjL8iFvNtEqQ2KY3IKO7aaE +nEGkTniYg6lBSd/3D04CLVEqinI4sbGV/DX3cULmIsGT5E4b6KMlXrFuzbfj5VtS +n8awf+EMWm1AHlyM05GhMD8N60nZcoF5/rzrzxPr1Jv9DTl/MRRasqwtmEddbn0e +OVgB7c5LEbNrnJWt/4sdEBQXX3z4y2HI40iuZmTMP0zPwxWA1v/bmd9EIE2/QKGo +kMHvvjTRTtdBYGGeeL5TRU2o1YSw6bda57Dv2I3OGA6gNxbH1juG/2W8kg01YL7S +C49OnY9l3EP0iPHhtNnikuULG+Us1AL+HwIDAQABo2MwYTAPBgNVHRMBAf8EBTAD +AQH/MB8GA1UdIwQYMBaAFKSoZvZ+ycvTR9MmLcG1sbVLZC19MB0GA1UdDgQWBBSk +qGb2fsnL00fTJi3BtbG1S2QtfTAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL +BQADggGBAD2z2NNVF1HKei+IGBiClyuSVOIXU86p+BLk4EoIlBvWB6jwB++jBHt5 +EfQhGr8dkRqkd9EG92PDgJklHz6qeogCGdkEQikaN03SwFxk5ig5HW8Fycpffbp/ +dY+QT8IVkx7jJfpe/+unf2FZbaIGcFiL+YFa2Ii6dHKIC5ntIUiKjRsQdbs6EjWU +sxiozLuAxeD/otReNu2VZze43cZqygEB77cbHT8DSRsAtLUdbNluyTwZOZXKiTlG +ClBXP4NkNTG+deP1B9k8CZolTn2fyj6KmQdBQ3S1MWIF9IsMbc2vjvbJlRkdX/nl +lQC6bsvb0VVWnBHiLGpsgsye7eyE0PJ/tAvQNsrhOSxCxaTFBhRExG3Mr9uU7iDj +PFxnuTACAOv9aAyoBbJnLkN/Mkq3ILTChGY8cLnM3tGnb8fpbXbtMSzGAoLPmsh4 +vvJEjIgi5NTIMqaADsXSAToW61AU2otAQxLvgI03szPxUF1l4Neo1RHJDNwp5yyo +oYIM2lYI0w== +-----END CERTIFICATE----- |