summaryrefslogtreecommitdiffstats
path: root/certService
diff options
context:
space:
mode:
Diffstat (limited to 'certService')
-rw-r--r--certService/docker-compose.yml14
-rw-r--r--certService/helm/aaf-cert-service/resources/cmpServers.json18
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java18
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/CertificationExceptionController.java40
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/CertificationModelFactory.java40
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/CertificationProvider.java47
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java10
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilder.java87
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CertificateFactoryProvider.java42
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java120
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RSAContentSignerBuilder.java45
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/adapter/X509CertificateBuilder.java56
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java49
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProvider.java11
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java12
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/exception/Cmpv2ClientAdapterException.java28
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/model/CsrModel.java44
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java8
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java1
-rwxr-xr-xcertService/src/main/resources/scripts/ejbca-configuration.sh2
-rw-r--r--certService/src/test/java/org/onap/aaf/certservice/api/CertificationControllerTest.java96
-rw-r--r--certService/src/test/java/org/onap/aaf/certservice/certification/CertificationExceptionControllerTest.java74
-rw-r--r--certService/src/test/java/org/onap/aaf/certservice/certification/CertificationModelFactoryTest.java157
-rw-r--r--certService/src/test/java/org/onap/aaf/certservice/certification/CertificationProviderTest.java93
-rw-r--r--certService/src/test/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilderTest.java100
-rw-r--r--certService/src/test/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapterTest.java185
-rw-r--r--certService/src/test/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProviderTest.java29
-rw-r--r--certService/src/test/java/org/onap/aaf/certservice/certification/model/CsrModelTest.java24
-rw-r--r--certService/src/test/resources/certificateChain.firstbin0 -> 1121 bytes
-rw-r--r--certService/src/test/resources/certificateModelChain.first1
-rw-r--r--certService/src/test/resources/trustedCertificates.firstbin0 -> 1207 bytes
-rw-r--r--certService/src/test/resources/trustedCertificatesModel.first28
32 files changed, 1317 insertions, 162 deletions
diff --git a/certService/docker-compose.yml b/certService/docker-compose.yml
index f418fc1b..3b071ace 100644
--- a/certService/docker-compose.yml
+++ b/certService/docker-compose.yml
@@ -6,10 +6,10 @@ services:
hostname: cahostname
container_name: mycontainer
ports:
- - "80:8080"
- - "443:8443"
+ - "80:8080"
+ - "443:8443"
volumes:
- - ./src/main/resources/scripts/:/opt/primekey/scripts
+ - ./src/main/resources/scripts/:/opt/primekey/scripts
command: bash -c "
./scripts/ejbca-configuration.sh &
/opt/primekey/bin/start.sh
@@ -19,6 +19,8 @@ services:
interval: 10s
timeout: 3s
retries: 9
+ networks:
+ - certservice
certservice:
image: onap/org.onap.aaf.certservice.aaf-certservice-api:latest
@@ -30,4 +32,10 @@ services:
depends_on:
ejbca:
condition: service_healthy
+ networks:
+ - certservice
+
+networks:
+ certservice:
+ driver: bridge
diff --git a/certService/helm/aaf-cert-service/resources/cmpServers.json b/certService/helm/aaf-cert-service/resources/cmpServers.json
index ee9e72b9..921a51ea 100644
--- a/certService/helm/aaf-cert-service/resources/cmpServers.json
+++ b/certService/helm/aaf-cert-service/resources/cmpServers.json
@@ -1,23 +1,23 @@
{
"cmpv2Servers": [
{
- "caName": "TEST",
- "url": "http://127.0.0.1/ejbca/publicweb/cmp/cmp",
+ "caName": "Client",
+ "url": "http://mycontainer:8080/ejbca/publicweb/cmp/cmp",
"issuerDN": "CN=ManagementCA",
"caMode": "CLIENT",
"authentication": {
- "iak": "xxx",
- "rv": "yyy"
+ "iak": "mypassword",
+ "rv": "mypassword"
}
},
{
- "caName": "TEST2",
- "url": "http://127.0.0.1/ejbca/publicweb/cmp/cmpRA",
- "issuerDN": "CN=ManagementCA2",
+ "caName": "RA",
+ "url": "http://mycontainer:8080/ejbca/publicweb/cmp/cmpRA",
+ "issuerDN": "CN=ManagementCA",
"caMode": "RA",
"authentication": {
- "iak": "xxx",
- "rv": "yyy"
+ "iak": "mypassword",
+ "rv": "mypassword"
}
}
]
diff --git a/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java b/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java
index e663909c..abb6811b 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java
@@ -24,9 +24,13 @@ import com.google.gson.Gson;
import org.onap.aaf.certservice.certification.CertificationModelFactory;
import org.onap.aaf.certservice.certification.CsrModelFactory;
import org.onap.aaf.certservice.certification.CsrModelFactory.StringBase64;
+import org.onap.aaf.certservice.certification.configuration.Cmpv2ServerProvider;
+import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server;
+import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException;
import org.onap.aaf.certservice.certification.exception.DecryptionException;
import org.onap.aaf.certservice.certification.model.CertificationModel;
import org.onap.aaf.certservice.certification.model.CsrModel;
+import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
@@ -43,12 +47,10 @@ public class CertificationController {
private static final Logger LOGGER = LoggerFactory.getLogger(CertificationController.class);
- private final CsrModelFactory csrModelFactory;
private final CertificationModelFactory certificationModelFactory;
@Autowired
- CertificationController(CsrModelFactory csrModelFactory, CertificationModelFactory certificationModelFactory) {
- this.csrModelFactory = csrModelFactory;
+ CertificationController(CertificationModelFactory certificationModelFactory) {
this.certificationModelFactory = certificationModelFactory;
}
@@ -66,17 +68,11 @@ public class CertificationController {
@PathVariable String caName,
@RequestHeader("CSR") String encodedCsr,
@RequestHeader("PK") String encodedPrivateKey
- ) throws DecryptionException {
-
+ ) throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException {
caName = caName.replaceAll("[\n|\r|\t]", "_");
LOGGER.info("Received certificate signing request for CA named: {}", caName);
- CsrModel csrModel = csrModelFactory.createCsrModel(
- new StringBase64(encodedCsr),
- new StringBase64(encodedPrivateKey)
- );
- LOGGER.debug("Received CSR meta data: \n{}", csrModel);
CertificationModel certificationModel = certificationModelFactory
- .createCertificationModel(csrModel, caName);
+ .createCertificationModel(encodedCsr, encodedPrivateKey, caName);
return new ResponseEntity<>(new Gson().toJson(certificationModel), HttpStatus.OK);
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationExceptionController.java b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationExceptionController.java
index 130a5167..d649f147 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationExceptionController.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationExceptionController.java
@@ -21,10 +21,12 @@
package org.onap.aaf.certservice.certification;
import com.google.gson.Gson;
+import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException;
import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException;
import org.onap.aaf.certservice.certification.exception.CsrDecryptionException;
import org.onap.aaf.certservice.certification.exception.ErrorResponseModel;
import org.onap.aaf.certservice.certification.exception.KeyDecryptionException;
+import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
@@ -40,19 +42,51 @@ public class CertificationExceptionController {
@ExceptionHandler(value = CsrDecryptionException.class)
public ResponseEntity<String> handle(CsrDecryptionException exception) {
LOGGER.error("Exception occurred during decoding certificate sign request:", exception);
- return getErrorResponseEntity("Wrong certificate signing request (CSR) format", HttpStatus.BAD_REQUEST);
+ return getErrorResponseEntity(
+ "Wrong certificate signing request (CSR) format",
+ HttpStatus.BAD_REQUEST
+ );
}
@ExceptionHandler(value = KeyDecryptionException.class)
public ResponseEntity<String> handle(KeyDecryptionException exception) {
LOGGER.error("Exception occurred during decoding key:", exception);
- return getErrorResponseEntity("Wrong key (PK) format", HttpStatus.BAD_REQUEST);
+ return getErrorResponseEntity(
+ "Wrong key (PK) format",
+ HttpStatus.BAD_REQUEST
+ );
}
@ExceptionHandler(value = Cmpv2ServerNotFoundException.class)
public ResponseEntity<String> handle(Cmpv2ServerNotFoundException exception) {
LOGGER.error("Exception occurred selecting CMPv2 server:", exception);
- return getErrorResponseEntity("Certification authority not found for given CAName", HttpStatus.NOT_FOUND);
+ return getErrorResponseEntity(
+ "Certification authority not found for given CAName",
+ HttpStatus.NOT_FOUND
+ );
+ }
+
+ @ExceptionHandler(value = CmpClientException.class)
+ public ResponseEntity<String> handle(CmpClientException exception) {
+ LOGGER.error("Exception occurred calling cmp client:", exception);
+ return getErrorResponseEntity(
+ "Exception occurred during call to cmp client",
+ HttpStatus.INTERNAL_SERVER_ERROR
+ );
+ }
+
+ @ExceptionHandler(value = RuntimeException.class)
+ public ResponseEntity<String> handle(RuntimeException exception) throws CmpClientException {
+ throw new CmpClientException("Runtime exception occurred calling cmp client business logic", exception);
+ }
+
+ @ExceptionHandler(value = Cmpv2ClientAdapterException.class)
+ public ResponseEntity<String> handle(Cmpv2ClientAdapterException exception) {
+ LOGGER.error("Exception occurred parsing cmp client response:", exception);
+ return getErrorResponseEntity(
+ "Exception occurred parsing cmp client response",
+ HttpStatus.INTERNAL_SERVER_ERROR
+ );
}
private ResponseEntity<String> getErrorResponseEntity(String errorMessage, HttpStatus status) {
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationModelFactory.java b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationModelFactory.java
index 69b83465..1d586c17 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationModelFactory.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationModelFactory.java
@@ -22,9 +22,12 @@ package org.onap.aaf.certservice.certification;
import org.onap.aaf.certservice.certification.configuration.Cmpv2ServerProvider;
import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server;
+import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException;
import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException;
+import org.onap.aaf.certservice.certification.exception.DecryptionException;
import org.onap.aaf.certservice.certification.model.CertificationModel;
import org.onap.aaf.certservice.certification.model.CsrModel;
+import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
@@ -42,28 +45,35 @@ public class CertificationModelFactory {
private static final Logger LOGGER = LoggerFactory.getLogger(CertificationModelFactory.class);
+ private final CsrModelFactory csrModelFactory;
private final Cmpv2ServerProvider cmpv2ServerProvider;
+ private final CertificationProvider certificationProvider;
@Autowired
- CertificationModelFactory(Cmpv2ServerProvider cmpv2ServerProvider) {
+ CertificationModelFactory(
+ CsrModelFactory csrModelFactory,
+ Cmpv2ServerProvider cmpv2ServerProvider,
+ CertificationProvider certificationProvider
+ ) {
this.cmpv2ServerProvider = cmpv2ServerProvider;
+ this.csrModelFactory = csrModelFactory;
+ this.certificationProvider = certificationProvider;
}
- public CertificationModel createCertificationModel(CsrModel csr, String caName) {
- LOGGER.info("Generating certification model for CA named: {}, and certificate signing request:\n{}",
- caName, csr);
-
- return cmpv2ServerProvider
- .getCmpv2Server(caName)
- .map(this::generateCertificationModel)
- .orElseThrow(() -> new Cmpv2ServerNotFoundException("No server found for given CA name"));
- }
+ public CertificationModel createCertificationModel(String encodedCsr, String encodedPrivateKey, String caName)
+ throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException {
+ CsrModel csrModel = csrModelFactory.createCsrModel(
+ new CsrModelFactory.StringBase64(encodedCsr),
+ new CsrModelFactory.StringBase64(encodedPrivateKey)
+ );
+ LOGGER.debug("Received CSR meta data: \n{}", csrModel);
- private CertificationModel generateCertificationModel(Cmpv2Server cmpv2Server) {
+ Cmpv2Server cmpv2Server = cmpv2ServerProvider.getCmpv2Server(caName);
LOGGER.debug("Found server for given CA name: \n{}", cmpv2Server);
- return new CertificationModel(
- Arrays.asList(ENTITY_CERT, INTERMEDIATE_CERT),
- Arrays.asList(CA_CERT, EXTRA_CA_CERT)
- );
+
+ LOGGER.info("Sending sign request for certification model for CA named: {}, and certificate signing request:\n{}",
+ caName, csrModel);
+ return certificationProvider.signCsr(csrModel, cmpv2Server);
}
+
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationProvider.java b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationProvider.java
new file mode 100644
index 00000000..fa2d88ab
--- /dev/null
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationProvider.java
@@ -0,0 +1,47 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Cert Service
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.certification;
+
+import org.onap.aaf.certservice.certification.adapter.Cmpv2ClientAdapter;
+import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server;
+import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException;
+import org.onap.aaf.certservice.certification.model.CertificationModel;
+import org.onap.aaf.certservice.certification.model.CsrModel;
+import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+@Service
+public class CertificationProvider {
+
+ private final Cmpv2ClientAdapter cmpv2ClientAdapter;
+
+ @Autowired
+ public CertificationProvider(Cmpv2ClientAdapter cmpv2ClientAdapter) {
+ this.cmpv2ClientAdapter = cmpv2ClientAdapter;
+ }
+
+ CertificationModel signCsr(CsrModel csrModel, Cmpv2Server server)
+ throws CmpClientException, Cmpv2ClientAdapterException {
+ return cmpv2ClientAdapter.callCmpClient(csrModel, server);
+ }
+
+}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java b/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java
index 6f356c1a..9ce65e6a 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java
@@ -21,6 +21,7 @@
package org.onap.aaf.certservice.certification;
import java.util.Base64;
+import java.util.Objects;
import java.util.Optional;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
@@ -89,6 +90,15 @@ public class CsrModelFactory {
return Optional.empty();
}
}
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (o == null || getClass() != o.getClass()) return false;
+ StringBase64 that = (StringBase64) o;
+ return Objects.equals(value, that.value);
+ }
+
}
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilder.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilder.java
new file mode 100644
index 00000000..184d724a
--- /dev/null
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilder.java
@@ -0,0 +1,87 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Cert Service
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.certification.adapter;
+
+import java.security.KeyPair;
+import java.util.Arrays;
+import java.util.Objects;
+import java.util.Optional;
+import java.util.stream.Collectors;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x500.style.IETFUtils;
+import org.bouncycastle.cert.CertException;
+import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server;
+import org.onap.aaf.certservice.certification.model.CsrModel;
+import org.onap.aaf.certservice.cmpv2client.external.CSRMeta;
+import org.onap.aaf.certservice.cmpv2client.external.RDN;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Component;
+
+@Component
+class CSRMetaBuilder {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(CSRMetaBuilder.class);
+
+ /**
+ * Creates CSRMeta from CsrModel and Cmpv2Server
+ *
+ * @param csrModel Certificate Signing Request from Service external API
+ * @param server Cmp Server configuration from cmpServers.json
+ * @return AAF native model for CSR metadata
+ */
+ CSRMeta build(CsrModel csrModel, Cmpv2Server server) {
+ CSRMeta csrMeta = createCsrMeta(csrModel);
+ addSans(csrModel, csrMeta);
+ csrMeta.keyPair(new KeyPair(csrModel.getPublicKey(), csrModel.getPrivateKey()));
+ csrMeta.password(server.getAuthentication().getIak());
+ csrMeta.setIssuerName(server.getIssuerDN());
+ csrMeta.caUrl(server.getUrl());
+ csrMeta.setName(csrModel.getSubjectData());
+ csrMeta.senderKid(server.getAuthentication().getRv());
+ return csrMeta;
+ }
+
+ private CSRMeta createCsrMeta(CsrModel csrModel) {
+ return new CSRMeta((Arrays.stream(csrModel.getSubjectData().getRDNs()).map(this::convertFromBcRDN)
+ .filter(Optional::isPresent).map(Optional::get).collect(Collectors.toList())));
+ }
+
+ private void addSans(CsrModel csrModel, CSRMeta csrMeta) {
+ csrModel.getSans().forEach(csrMeta::san);
+ }
+
+ private String convertRDNToString(org.bouncycastle.asn1.x500.RDN rdn) {
+ return BCStyle.INSTANCE.oidToDisplayName(rdn.getFirst().getType()) + "=" + IETFUtils.valueToString(
+ rdn.getFirst().getValue());
+ }
+
+ private Optional<RDN> convertFromBcRDN(org.bouncycastle.asn1.x500.RDN rdn) {
+ RDN result = null;
+ try {
+ result = new RDN(convertRDNToString(rdn));
+ } catch (CertException e) {
+ LOGGER.error("Exception occurred during convert of RDN", e);
+ }
+ return Optional.ofNullable(result);
+ }
+
+}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CertificateFactoryProvider.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CertificateFactoryProvider.java
new file mode 100644
index 00000000..79f59363
--- /dev/null
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CertificateFactoryProvider.java
@@ -0,0 +1,42 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Cert Service
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.certification.adapter;
+
+import java.io.InputStream;
+import java.security.NoSuchProviderException;
+import java.security.Security;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.springframework.stereotype.Component;
+
+@Component
+public class CertificateFactoryProvider {
+
+ static {
+ Security.addProvider(new BouncyCastleProvider());
+ }
+
+ X509Certificate generateCertificate(InputStream inStream) throws CertificateException, NoSuchProviderException {
+ return (X509Certificate) CertificateFactory.getInstance("X.509", "BC").generateCertificate(inStream);
+ }
+}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java
new file mode 100644
index 00000000..be39f1f3
--- /dev/null
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java
@@ -0,0 +1,120 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Cert Service
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.certification.adapter;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.StringWriter;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.List;
+import java.util.stream.Collectors;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.util.io.pem.PemObjectGenerator;
+import org.bouncycastle.util.io.pem.PemWriter;
+import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server;
+import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException;
+import org.onap.aaf.certservice.certification.model.CertificationModel;
+import org.onap.aaf.certservice.certification.model.CsrModel;
+import org.onap.aaf.certservice.cmpv2client.api.CmpClient;
+import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+@Component
+public class Cmpv2ClientAdapter {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(Cmpv2ClientAdapter.class);
+
+ private final CmpClient cmpClient;
+ private final CSRMetaBuilder csrMetaBuilder;
+ private final RSAContentSignerBuilder rsaContentSignerBuilder;
+ private final X509CertificateBuilder x509CertificateBuilder;
+ private final CertificateFactoryProvider certificateFactoryProvider;
+
+ @Autowired
+ public Cmpv2ClientAdapter(CmpClient cmpClient, CSRMetaBuilder csrMetaBuilder,
+ RSAContentSignerBuilder rsaContentSignerBuilder, X509CertificateBuilder x509CertificateBuilder,
+ CertificateFactoryProvider certificateFactoryProvider) {
+ this.cmpClient = cmpClient;
+ this.csrMetaBuilder = csrMetaBuilder;
+ this.rsaContentSignerBuilder = rsaContentSignerBuilder;
+ this.x509CertificateBuilder = x509CertificateBuilder;
+ this.certificateFactoryProvider = certificateFactoryProvider;
+ }
+
+ /**
+ * Uses CmpClient to call to Cmp Server and gather certificates data
+ *
+ * @param csrModel Certificate Signing Request from Service external API
+ * @param server Cmp Server configuration from cmpServers.json
+ * @return container for returned certificates
+ * @throws CmpClientException Exceptions which comes from Cmp Client
+ * @throws Cmpv2ClientAdapterException Exceptions which comes from Adapter itself
+ */
+ public CertificationModel callCmpClient(CsrModel csrModel, Cmpv2Server server)
+ throws CmpClientException, Cmpv2ClientAdapterException {
+ List<List<X509Certificate>> certificates = cmpClient.createCertificate(server.getCaName(),
+ server.getCaMode().getProfile(), csrMetaBuilder.build(csrModel, server),
+ convertCSRToX509Certificate(csrModel.getCsr(), csrModel.getPrivateKey()));
+ return new CertificationModel(convertFromX509CertificateListToPEMList(certificates.get(0)),
+ convertFromX509CertificateListToPEMList(certificates.get(1)));
+ }
+
+ private String convertFromX509CertificateToPEM(X509Certificate certificate) {
+ StringWriter sw = new StringWriter();
+ try (PemWriter pw = new PemWriter(sw)) {
+ PemObjectGenerator gen = new JcaMiscPEMGenerator(certificate);
+ pw.writeObject(gen);
+ } catch (IOException e) {
+ LOGGER.error("Exception occurred during convert of X509 certificate", e);
+ }
+ return sw.toString();
+ }
+
+ private X509Certificate convertCSRToX509Certificate(PKCS10CertificationRequest csr, PrivateKey privateKey)
+ throws Cmpv2ClientAdapterException {
+ try {
+ X509v3CertificateBuilder certificateGenerator = x509CertificateBuilder.build(csr);
+ ContentSigner signer = rsaContentSignerBuilder.build(csr, privateKey);
+ X509CertificateHolder holder = certificateGenerator.build(signer);
+ return certificateFactoryProvider
+ .generateCertificate(new ByteArrayInputStream(holder.toASN1Structure().getEncoded()));
+ } catch (IOException | CertificateException | OperatorCreationException | NoSuchProviderException e) {
+ throw new Cmpv2ClientAdapterException(e);
+ }
+ }
+
+ private List<String> convertFromX509CertificateListToPEMList(List<X509Certificate> certificates) {
+ return certificates.stream().map(this::convertFromX509CertificateToPEM).filter(cert -> !cert.isEmpty())
+ .collect(Collectors.toList());
+ }
+
+}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RSAContentSignerBuilder.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RSAContentSignerBuilder.java
new file mode 100644
index 00000000..266c22e2
--- /dev/null
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RSAContentSignerBuilder.java
@@ -0,0 +1,45 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Cert Service
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aaf.certservice.certification.adapter;
+
+import java.io.IOException;
+import java.security.PrivateKey;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.crypto.util.PrivateKeyFactory;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.springframework.stereotype.Component;
+
+@Component
+public class RSAContentSignerBuilder {
+
+ ContentSigner build(PKCS10CertificationRequest csr, PrivateKey privateKey)
+ throws IOException, OperatorCreationException {
+ AlgorithmIdentifier sigAlgId = csr.getSignatureAlgorithm();
+ AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
+
+ return new BcRSAContentSignerBuilder(sigAlgId, digAlgId)
+ .build(PrivateKeyFactory.createKey(privateKey.getEncoded()));
+ }
+
+}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/X509CertificateBuilder.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/X509CertificateBuilder.java
new file mode 100644
index 00000000..f96cec8e
--- /dev/null
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/X509CertificateBuilder.java
@@ -0,0 +1,56 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Cert Service
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.certification.adapter;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.SecureRandom;
+import java.time.LocalDateTime;
+import java.time.ZoneOffset;
+import java.util.Date;
+import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.springframework.stereotype.Component;
+
+@Component
+public class X509CertificateBuilder {
+
+ private static final int SECURE_NEXT_BYTES = 16;
+ private static final int VALID_PERIOD_IN_DAYS = 365;
+
+ X509v3CertificateBuilder build(PKCS10CertificationRequest csr) throws IOException {
+ return new X509v3CertificateBuilder(csr.getSubject(), createSerial(),
+ Date.from(LocalDateTime.now().toInstant(ZoneOffset.UTC)),
+ Date.from(LocalDateTime.now().plusDays(VALID_PERIOD_IN_DAYS).toInstant(ZoneOffset.UTC)),
+ new PKCS10CertificationRequest(csr.getEncoded()).getSubject(),
+ SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(csr.getSubjectPublicKeyInfo().getEncoded())));
+
+ }
+
+ private BigInteger createSerial() {
+ byte[] serial = new byte[SECURE_NEXT_BYTES];
+ new SecureRandom().nextBytes(serial);
+ return new BigInteger(serial).abs();
+ }
+
+}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java
new file mode 100644
index 00000000..21b873e6
--- /dev/null
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java
@@ -0,0 +1,49 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Cert Service
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aaf.certservice.certification.configuration;
+
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.onap.aaf.certservice.cmpv2client.api.CmpClient;
+import org.onap.aaf.certservice.cmpv2client.impl.CmpClientImpl;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.context.annotation.RequestScope;
+
+@Configuration
+public class CmpClientConfig {
+
+ @Bean
+ CmpClient cmpClient(CloseableHttpClient closeableHttpClient){
+ return new CmpClientImpl(closeableHttpClient);
+ }
+
+ @Bean
+ @RequestScope
+ CloseableHttpClient closeableHttpClient(HttpClientBuilder httpClientBuilder){
+ return httpClientBuilder.build();
+ }
+
+ @Bean
+ HttpClientBuilder httpClientBuilder(){
+ return HttpClientBuilder.create();
+ }
+
+}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProvider.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProvider.java
index 755bfeb0..190bb28a 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProvider.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProvider.java
@@ -21,11 +21,10 @@
package org.onap.aaf.certservice.certification.configuration;
import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server;
+import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
-import java.util.Optional;
-
@Component
public class Cmpv2ServerProvider {
@@ -36,11 +35,9 @@ public class Cmpv2ServerProvider {
this.cmpServersConfig = cmpServersConfig;
}
- public Optional<Cmpv2Server> getCmpv2Server(String caName) {
- return cmpServersConfig.getCmpServers()
- .stream()
- .filter(server -> server.getCaName().equals(caName))
- .findFirst();
+ public Cmpv2Server getCmpv2Server(String caName) {
+ return cmpServersConfig.getCmpServers().stream().filter(server -> server.getCaName().equals(caName)).findFirst()
+ .orElseThrow(() -> new Cmpv2ServerNotFoundException("No server found for given CA name"));
}
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java
index f226bc58..2186b6ff 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java
@@ -21,5 +21,15 @@
package org.onap.aaf.certservice.certification.configuration.model;
public enum CaMode {
- RA, CLIENT
+ RA("RA"), CLIENT("Client");
+
+ private String profile;
+
+ CaMode(String profile) {
+ this.profile = profile;
+ }
+
+ public String getProfile(){
+ return profile;
+ }
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/exception/Cmpv2ClientAdapterException.java b/certService/src/main/java/org/onap/aaf/certservice/certification/exception/Cmpv2ClientAdapterException.java
new file mode 100644
index 00000000..1b26da7b
--- /dev/null
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/exception/Cmpv2ClientAdapterException.java
@@ -0,0 +1,28 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Cert Service
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.certification.exception;
+
+public class Cmpv2ClientAdapterException extends Exception {
+
+ public Cmpv2ClientAdapterException(Throwable cause) {
+ super(cause);
+ }
+}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/model/CsrModel.java b/certService/src/main/java/org/onap/aaf/certservice/certification/model/CsrModel.java
index b59f4e3a..a29658f4 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/model/CsrModel.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/model/CsrModel.java
@@ -29,6 +29,7 @@ import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
+import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
@@ -54,9 +55,8 @@ public class CsrModel {
private final PublicKey publicKey;
private final List<String> sans;
- CsrModel(
- PKCS10CertificationRequest csr, X500Name subjectData,
- PrivateKey privateKey, PublicKey publicKey, List<String> sans) {
+ CsrModel(PKCS10CertificationRequest csr, X500Name subjectData, PrivateKey privateKey, PublicKey publicKey,
+ List<String> sans) {
this.csr = csr;
this.subjectData = subjectData;
this.privateKey = privateKey;
@@ -86,8 +86,7 @@ public class CsrModel {
@Override
public String toString() {
- return "Subject: { " + subjectData
- + " ,SANs: " + sans + " }";
+ return "Subject: { " + subjectData + " ,SANs: " + sans + " }";
}
public static class CsrModelBuilder {
@@ -95,9 +94,7 @@ public class CsrModel {
private final PKCS10CertificationRequest csr;
private final PemObject privateKey;
- public CsrModel build()
- throws DecryptionException
- {
+ public CsrModel build() throws DecryptionException {
X500Name subjectData = getSubjectData();
PrivateKey javaPrivateKey = convertingPemPrivateKeyToJavaSecurityPrivateKey(getPrivateKey());
@@ -129,20 +126,26 @@ public class CsrModel {
}
private List<String> getSansData() {
- Extensions extensions =
- Extensions.getInstance(csr.getAttributes()[0].getAttrValues().getObjectAt(0));
- GeneralName[] arrayOfAlternativeNames =
- GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName).getNames();
-
- return Arrays.stream(arrayOfAlternativeNames)
- .map(GeneralName::getName)
- .map(Objects::toString)
- .collect(Collectors.toList());
+ if (!isAttrsEmpty() && !isAttrsValuesEmpty()) {
+ Extensions extensions = Extensions.getInstance(csr.getAttributes()[0].getAttrValues().getObjectAt(0));
+ GeneralName[] arrayOfAlternativeNames =
+ GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName).getNames();
+ return Arrays.stream(arrayOfAlternativeNames).map(GeneralName::getName).map(Objects::toString)
+ .collect(Collectors.toList());
+ }
+ return Collections.emptyList();
+ }
+
+ private boolean isAttrsValuesEmpty() {
+ return csr.getAttributes()[0].getAttrValues().size() == 0;
+ }
+
+ private boolean isAttrsEmpty() {
+ return csr.getAttributes().length == 0;
}
private PrivateKey convertingPemPrivateKeyToJavaSecurityPrivateKey(PemObject privateKey)
- throws KeyDecryptionException
- {
+ throws KeyDecryptionException {
try {
KeyFactory factory = KeyFactory.getInstance("RSA");
PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKey.getContent());
@@ -153,8 +156,7 @@ public class CsrModel {
}
private PublicKey convertingPemPublicKeyToJavaSecurityPublicKey(PemObject publicKey)
- throws KeyDecryptionException
- {
+ throws KeyDecryptionException {
try {
KeyFactory factory = KeyFactory.getInstance("RSA");
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKey.getContent());
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java
index e9f7a483..de11b5bb 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java
@@ -207,4 +207,12 @@ public class CSRMeta {
public void issuerEmail(String issuerEmail) {
this.issuerEmail = issuerEmail;
}
+
+ public void setIssuerName(X500Name issuerName) {
+ this.issuerName = issuerName;
+ }
+
+ public void setName(X500Name name) {
+ this.name = name;
+ }
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java
index 512a76e1..69445b2e 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java
@@ -75,6 +75,7 @@ public class RDN {
break; // surname
case "email":
case "EMAIL":
+ case "E":
case "emailaddress":
case "EMAILADDRESS":
aoi = BCStyle.EmailAddress;
diff --git a/certService/src/main/resources/scripts/ejbca-configuration.sh b/certService/src/main/resources/scripts/ejbca-configuration.sh
index cdff77de..705f40ca 100755
--- a/certService/src/main/resources/scripts/ejbca-configuration.sh
+++ b/certService/src/main/resources/scripts/ejbca-configuration.sh
@@ -8,9 +8,11 @@ configureEjbca() {
ejbca.sh config cmp addalias --alias cmpRA
ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra
ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword
+ ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe
ejbca.sh config cmp dumpalias --alias cmpRA
ejbca.sh config cmp addalias --alias cmp
ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true
+ ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe
ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password mypassword --type 1 --token USERGENERATED
ejbca.sh ra setclearpwd --username Node123 --password mypassword
ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN
diff --git a/certService/src/test/java/org/onap/aaf/certservice/api/CertificationControllerTest.java b/certService/src/test/java/org/onap/aaf/certservice/api/CertificationControllerTest.java
index 2fc6d665..802b2ea0 100644
--- a/certService/src/test/java/org/onap/aaf/certservice/api/CertificationControllerTest.java
+++ b/certService/src/test/java/org/onap/aaf/certservice/api/CertificationControllerTest.java
@@ -23,12 +23,9 @@ package org.onap.aaf.certservice.api;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import com.google.gson.Gson;
-import java.io.IOException;
import java.util.Arrays;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
@@ -36,56 +33,54 @@ import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.onap.aaf.certservice.certification.CertificationModelFactory;
-import org.onap.aaf.certservice.certification.CsrModelFactory;
-import org.onap.aaf.certservice.certification.CsrModelFactory.StringBase64;
+import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException;
+import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException;
import org.onap.aaf.certservice.certification.exception.CsrDecryptionException;
import org.onap.aaf.certservice.certification.exception.DecryptionException;
import org.onap.aaf.certservice.certification.exception.KeyDecryptionException;
import org.onap.aaf.certservice.certification.model.CertificationModel;
-import org.onap.aaf.certservice.certification.model.CsrModel;
+import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
-
@ExtendWith(MockitoExtension.class)
class CertificationControllerTest {
- private CertificationController certificationController;
+ private static final String TEST_CA_NAME = "TestCa";
+ private static final String TEST_ENCODED_CSR = "encodedCSR";
+ private static final String TEST_ENCODED_PK = "encodedPK";
+ private static final String TEST_WRONG_ENCODED_CSR = "wrongEncodedCSR";
+ private static final String TEST_WRONG_ENCODED_PK = "wrongEncodedPK";
+ private static final String TEST_WRONG_CA_NAME = "wrongTestCa";
- @Mock
- private CsrModelFactory csrModelFactory;
+ private CertificationController certificationController;
@Mock
private CertificationModelFactory certificationModelFactory;
@BeforeEach
- void setUp() {
- certificationController = new CertificationController(csrModelFactory, certificationModelFactory);
+ void serUp() {
+ certificationController = new CertificationController(certificationModelFactory);
}
@Test
- void shouldReturnDataAboutCsrBaseOnEncodedParameters() throws DecryptionException {
- // given
- final String testStringCsr = "testData";
- final String testCaName = "TestCa";
- CsrModel mockedCsrModel = mock(CsrModel.class);
+ void shouldReturnDataAboutCsrBaseOnEncodedParameters()
+ throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException {
+ // Given
CertificationModel testCertificationModel = new CertificationModel(
Arrays.asList("ENTITY_CERT", "INTERMEDIATE_CERT"),
Arrays.asList("CA_CERT", "EXTRA_CA_CERT")
);
- when(mockedCsrModel.toString()).thenReturn(testStringCsr);
- when(csrModelFactory.createCsrModel(any(StringBase64.class), any(StringBase64.class)))
- .thenReturn(mockedCsrModel);
- when(certificationModelFactory.createCertificationModel(mockedCsrModel, testCaName))
+ when(certificationModelFactory.createCertificationModel(TEST_ENCODED_CSR, TEST_ENCODED_PK, TEST_CA_NAME))
.thenReturn(testCertificationModel);
- // when
+ // When
ResponseEntity<String> testResponse =
- certificationController.signCertificate(testCaName, "encryptedCSR", "encryptedPK");
+ certificationController.signCertificate(TEST_CA_NAME, TEST_ENCODED_CSR, TEST_ENCODED_PK);
CertificationModel responseCertificationModel = new Gson().fromJson(testResponse.getBody(), CertificationModel.class);
- // then
+ // Then
assertEquals(HttpStatus.OK, testResponse.getStatusCode());
assertThat(responseCertificationModel
).isEqualToComparingFieldByField(testCertificationModel);
@@ -93,41 +88,62 @@ class CertificationControllerTest {
}
@Test
- void shouldThrowCsrDecryptionExceptionWhenCreatingCsrModelFails() throws DecryptionException {
- // given
+ void shouldThrowCsrDecryptionExceptionWhenCreatingCsrModelFails()
+ throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException {
+ // Given
String expectedMessage = "Incorrect CSR, decryption failed";
- when(csrModelFactory.createCsrModel(any(StringBase64.class), any(StringBase64.class)))
- .thenThrow(new CsrDecryptionException(expectedMessage,new IOException()));
+ when(certificationModelFactory.createCertificationModel(TEST_WRONG_ENCODED_CSR, TEST_ENCODED_PK, TEST_CA_NAME))
+ .thenThrow(new CsrDecryptionException(expectedMessage));
- // when
+ // When
Exception exception = assertThrows(
- CsrDecryptionException.class, () -> certificationController.
- signCertificate("TestCa", "encryptedCSR", "encryptedPK")
+ CsrDecryptionException.class, () ->
+ certificationController.signCertificate(TEST_CA_NAME, TEST_WRONG_ENCODED_CSR, TEST_ENCODED_PK)
);
String actualMessage = exception.getMessage();
- // then
+ // Then
assertEquals(expectedMessage, actualMessage);
}
@Test
- void shouldThrowPemDecryptionExceptionWhenCreatingPemModelFails() throws DecryptionException {
- // given
+ void shouldThrowPemDecryptionExceptionWhenCreatingPemModelFails()
+ throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException {
+ // Given
String expectedMessage = "Incorrect PEM, decryption failed";
- when(csrModelFactory.createCsrModel(any(StringBase64.class), any(StringBase64.class)))
- .thenThrow(new KeyDecryptionException(expectedMessage,new IOException()));
+ when(certificationModelFactory.createCertificationModel(TEST_ENCODED_CSR, TEST_WRONG_ENCODED_PK, TEST_CA_NAME))
+ .thenThrow(new KeyDecryptionException(expectedMessage));
- // when
+ // When
Exception exception = assertThrows(
- KeyDecryptionException.class, () -> certificationController.
- signCertificate("TestCa", "encryptedCSR", "encryptedPK")
+ KeyDecryptionException.class, () ->
+ certificationController.signCertificate(TEST_CA_NAME, TEST_ENCODED_CSR, TEST_WRONG_ENCODED_PK)
);
String actualMessage = exception.getMessage();
- // then
+ // Then
assertEquals(expectedMessage, actualMessage);
}
+ @Test
+ void shouldThrowCmpv2ServerNotFoundWhenGivenWrongCaName()
+ throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException {
+ // Given
+ String expectedMessage = "No server found for given CA name";
+ when(certificationModelFactory.createCertificationModel(TEST_ENCODED_CSR, TEST_ENCODED_PK, TEST_WRONG_CA_NAME))
+ .thenThrow(new Cmpv2ServerNotFoundException(expectedMessage));
+
+ // When
+ Exception exception = assertThrows(
+ Cmpv2ServerNotFoundException.class, () ->
+ certificationController.signCertificate(TEST_WRONG_CA_NAME, TEST_ENCODED_CSR, TEST_ENCODED_PK)
+ );
+
+ String actualMessage = exception.getMessage();
+
+ // Then
+ assertEquals(expectedMessage, actualMessage);
+ }
}
diff --git a/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationExceptionControllerTest.java b/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationExceptionControllerTest.java
index 1a92c0c8..10a818e4 100644
--- a/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationExceptionControllerTest.java
+++ b/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationExceptionControllerTest.java
@@ -23,13 +23,17 @@ package org.onap.aaf.certservice.certification;
import com.google.gson.Gson;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
+import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException;
import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException;
import org.onap.aaf.certservice.certification.exception.CsrDecryptionException;
import org.onap.aaf.certservice.certification.exception.ErrorResponseModel;
import org.onap.aaf.certservice.certification.exception.KeyDecryptionException;
+import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
+import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
class CertificationExceptionControllerTest {
@@ -43,46 +47,98 @@ class CertificationExceptionControllerTest {
@Test
void shouldReturnResponseEntityWithAppropriateErrorMessageWhenGivenCsrDecryptionException() {
- // given
+ // Given
String expectedMessage = "Wrong certificate signing request (CSR) format";
CsrDecryptionException csrDecryptionException = new CsrDecryptionException("test csr exception");
- // when
+ // When
ResponseEntity<String> responseEntity = certificationExceptionController.handle(csrDecryptionException);
ErrorResponseModel response = new Gson().fromJson(responseEntity.getBody(), ErrorResponseModel.class);
- // then
+ // Then
+ assertEquals(HttpStatus.BAD_REQUEST, responseEntity.getStatusCode());
assertEquals(expectedMessage, response.getErrorMessage());
}
@Test
void shouldReturnResponseEntityWithAppropriateErrorMessageWhenGivenKeyDecryptionException() {
- // given
+ // Given
String expectedMessage = "Wrong key (PK) format";
KeyDecryptionException csrDecryptionException = new KeyDecryptionException("test pk exception");
- // when
+ // When
ResponseEntity<String> responseEntity = certificationExceptionController.handle(csrDecryptionException);
ErrorResponseModel response = new Gson().fromJson(responseEntity.getBody(), ErrorResponseModel.class);
- // then
+ // Then
+ assertEquals(HttpStatus.BAD_REQUEST, responseEntity.getStatusCode());
assertEquals(expectedMessage, response.getErrorMessage());
}
@Test
void shouldReturnResponseEntityWithAppropriateErrorMessageWhenGivenCaNameIsNotPresentInConfig() {
- // given
+ // Given
String expectedMessage = "Certification authority not found for given CAName";
Cmpv2ServerNotFoundException csrDecryptionException = new Cmpv2ServerNotFoundException("test Ca exception");
- // when
+ // When
ResponseEntity<String> responseEntity = certificationExceptionController.handle(csrDecryptionException);
ErrorResponseModel response = new Gson().fromJson(responseEntity.getBody(), ErrorResponseModel.class);
- // then
+ // Then
+ assertEquals(HttpStatus.NOT_FOUND, responseEntity.getStatusCode());
assertEquals(expectedMessage, response.getErrorMessage());
}
+
+ @Test
+ void shouldReturnResponseEntityWithAppropriateErrorMessageWhenCallingCmpClientFail() {
+ // Given
+ String expectedMessage = "Exception occurred during call to cmp client";
+ CmpClientException cmpClientException = new CmpClientException("Calling CMPv2 client failed");
+
+ // When
+ ResponseEntity<String> responseEntity = certificationExceptionController.handle(cmpClientException);
+
+ ErrorResponseModel response = new Gson().fromJson(responseEntity.getBody(), ErrorResponseModel.class);
+
+ // Then
+ assertEquals(HttpStatus.INTERNAL_SERVER_ERROR, responseEntity.getStatusCode());
+ assertEquals(expectedMessage, response.getErrorMessage());
+ }
+
+ @Test
+ void shouldReturnResponseEntityWithAppropriateErrorMessageWhenModelTransformationInAdapterFail() {
+ // Given
+ String expectedMessage = "Exception occurred parsing cmp client response";
+ Cmpv2ClientAdapterException cmpv2ClientAdapterException = new Cmpv2ClientAdapterException(new Throwable());
+
+ // When
+ ResponseEntity<String> responseEntity = certificationExceptionController.handle(cmpv2ClientAdapterException);
+
+ ErrorResponseModel response = new Gson().fromJson(responseEntity.getBody(), ErrorResponseModel.class);
+
+ // Then
+ assertEquals(HttpStatus.INTERNAL_SERVER_ERROR, responseEntity.getStatusCode());
+ assertEquals(expectedMessage, response.getErrorMessage());
+ }
+
+ @Test
+ void shouldThrowCmpClientExceptionWhenNotHandledRunTimeExceptionOccur() {
+ // Given
+ String expectedMessage = "Runtime exception occurred calling cmp client business logic";
+ RuntimeException runtimeException = new RuntimeException("Unknown runtime exception");
+
+ // When
+ Exception exception = assertThrows(
+ CmpClientException.class, () ->
+ certificationExceptionController.handle(runtimeException)
+ );
+
+ // Then
+ assertEquals(expectedMessage, exception.getMessage());
+ }
+
}
diff --git a/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationModelFactoryTest.java b/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationModelFactoryTest.java
index 50e604e2..1b896a4b 100644
--- a/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationModelFactoryTest.java
+++ b/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationModelFactoryTest.java
@@ -27,49 +27,77 @@ import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.onap.aaf.certservice.certification.configuration.Cmpv2ServerProvider;
import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server;
+import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException;
import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException;
+import org.onap.aaf.certservice.certification.exception.CsrDecryptionException;
+import org.onap.aaf.certservice.certification.exception.DecryptionException;
import org.onap.aaf.certservice.certification.model.CertificationModel;
import org.onap.aaf.certservice.certification.model.CsrModel;
+import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
-import java.util.Optional;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.List;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
import static org.onap.aaf.certservice.certification.CertificationData.CA_CERT;
import static org.onap.aaf.certservice.certification.CertificationData.ENTITY_CERT;
import static org.onap.aaf.certservice.certification.CertificationData.INTERMEDIATE_CERT;
import static org.onap.aaf.certservice.certification.CertificationData.EXTRA_CA_CERT;
+import static org.onap.aaf.certservice.certification.TestData.TEST_CSR;
+import static org.onap.aaf.certservice.certification.TestData.TEST_PK;
+import static org.onap.aaf.certservice.certification.TestData.TEST_WRONG_CSR;
+import static org.onap.aaf.certservice.certification.TestData.TEST_WRONG_PEM;
@ExtendWith(MockitoExtension.class)
class CertificationModelFactoryTest {
private static final String TEST_CA = "testCA";
+ private static final String ENCODED_CSR = getEncodedString(TEST_CSR);
+ private static final String ENCODED_PK = getEncodedString(TEST_PK);
+ private static final String ENCODED_WRONG_CSR = getEncodedString(TEST_WRONG_CSR);
+ private static final String ENCODED_WRONG_PK = getEncodedString(TEST_WRONG_PEM);
private CertificationModelFactory certificationModelFactory;
@Mock
- Cmpv2ServerProvider cmpv2ServerProvider;
+ private Cmpv2ServerProvider cmpv2ServerProvider;
+ @Mock
+ private CsrModelFactory csrModelFactory;
+ @Mock
+ private CertificationProvider certificationProvider;
+
+
+ private static String getEncodedString(String testCsr) {
+ return Base64.getEncoder().encodeToString(testCsr.getBytes());
+ }
@BeforeEach
void setUp() {
- certificationModelFactory = new CertificationModelFactory(cmpv2ServerProvider);
+ certificationModelFactory =
+ new CertificationModelFactory(csrModelFactory, cmpv2ServerProvider, certificationProvider);
}
@Test
- void shouldCreateProperCertificationModelWhenGivenProperCsrModelAndCaName() {
- // given
- CsrModel mockedCsrModel = mock(CsrModel.class);
- when(cmpv2ServerProvider.getCmpv2Server(TEST_CA)).thenReturn(Optional.of(createTestCmpv2Server()));
+ void shouldCreateProperCertificationModelWhenGivenProperCsrModelAndCaName()
+ throws CmpClientException, DecryptionException, Cmpv2ClientAdapterException {
- // when
+ // Given
+ CsrModel csrModel = mockCsrFactoryModelCreation();
+ Cmpv2Server testServer = mockCmpv2ProviderServerSelection();
+ mockCertificateProviderCertificateSigning(csrModel, testServer);
+
+ // When
CertificationModel certificationModel =
- certificationModelFactory.createCertificationModel(mockedCsrModel ,TEST_CA);
+ certificationModelFactory.createCertificationModel(ENCODED_CSR, ENCODED_PK,TEST_CA);
- //then
+ // Then
assertEquals(2, certificationModel.getCertificateChain().size());
assertThat(certificationModel.getCertificateChain()).contains(INTERMEDIATE_CERT, ENTITY_CERT);
assertEquals(2, certificationModel.getTrustedCertificates().size());
@@ -77,23 +105,116 @@ class CertificationModelFactoryTest {
}
@Test
- void shouldThrowCmpv2ServerNotFoundExceptionWhenGivenWrongCaName() {
- // given
+ void shouldThrowDecryptionExceptionWhenGivenWrongEncodedCSR()
+ throws DecryptionException {
+ // Given
+ String expectedMessage = "Incorrect CSR, decryption failed";
+ when(
+ csrModelFactory.createCsrModel(
+ eq(new CsrModelFactory.StringBase64(ENCODED_WRONG_CSR)),
+ eq(new CsrModelFactory.StringBase64(ENCODED_WRONG_PK))
+ )
+ ).thenThrow(
+ new CsrDecryptionException(expectedMessage)
+ );
+
+ // When
+ Exception exception = assertThrows(
+ DecryptionException.class, () ->
+ certificationModelFactory.createCertificationModel(ENCODED_WRONG_CSR, ENCODED_WRONG_PK, TEST_CA)
+ );
+
+ // Then
+ assertTrue(exception.getMessage().contains(expectedMessage));
+ }
+
+ @Test
+ void shouldThrowCmpv2ServerNotFoundExceptionWhenGivenWrongCaName()
+ throws DecryptionException {
+ // Given
String expectedMessage = "CA not found";
- CsrModel mockedCsrModel = mock(CsrModel.class);
- when(cmpv2ServerProvider.getCmpv2Server(TEST_CA)).thenThrow(new Cmpv2ServerNotFoundException(expectedMessage));
+ mockCsrFactoryModelCreation();
+ when(
+ cmpv2ServerProvider.getCmpv2Server(TEST_CA)
+ ).thenThrow(
+ new Cmpv2ServerNotFoundException(expectedMessage)
+ );
- // when
+ // When
Exception exception = assertThrows(
Cmpv2ServerNotFoundException.class, () ->
- certificationModelFactory.createCertificationModel(mockedCsrModel ,TEST_CA)
+ certificationModelFactory.createCertificationModel(ENCODED_CSR, ENCODED_PK, TEST_CA)
+ );
+
+ // Then
+ assertTrue(exception.getMessage().contains(expectedMessage));
+ }
+
+ @Test
+ void shouldThrowCmpClientExceptionWhenSigningCsrFailed()
+ throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException {
+ // Given
+ String expectedMessage = "failed to sign certificate";
+ CsrModel csrModel = mockCsrFactoryModelCreation();
+ Cmpv2Server testServer = mockCmpv2ProviderServerSelection();
+ when(
+ certificationProvider.signCsr(eq(csrModel), eq(testServer))
+ ).thenThrow(
+ new CmpClientException(expectedMessage)
+ );
+
+ // When
+ Exception exception = assertThrows(
+ CmpClientException.class, () ->
+ certificationModelFactory.createCertificationModel(ENCODED_CSR, ENCODED_PK, TEST_CA)
);
- // then
+ // Then
assertTrue(exception.getMessage().contains(expectedMessage));
}
- private Cmpv2Server createTestCmpv2Server() {
+
+ private void mockCertificateProviderCertificateSigning(CsrModel csrModel, Cmpv2Server testServer)
+ throws CmpClientException, Cmpv2ClientAdapterException {
+ CertificationModel expectedCertificationModel = getCertificationModel();
+ when(
+ certificationProvider.signCsr(eq(csrModel), eq(testServer))
+ ).thenReturn(expectedCertificationModel);
+ }
+
+ private Cmpv2Server mockCmpv2ProviderServerSelection() {
+ Cmpv2Server testServer = getCmpv2Server();
+ when(
+ cmpv2ServerProvider.getCmpv2Server(eq(TEST_CA))
+ ).thenReturn(testServer);
+ return testServer;
+ }
+
+ private CsrModel mockCsrFactoryModelCreation()
+ throws DecryptionException {
+ CsrModel csrModel = getCsrModel();
+ when(
+ csrModelFactory.createCsrModel(
+ eq(new CsrModelFactory.StringBase64(ENCODED_CSR)),
+ eq(new CsrModelFactory.StringBase64(ENCODED_PK))
+ )
+ ).thenReturn(csrModel);
+ return csrModel;
+ }
+
+ private Cmpv2Server getCmpv2Server() {
return new Cmpv2Server();
}
+
+ private CsrModel getCsrModel() {
+ return mock(CsrModel.class);
+ }
+
+ private CertificationModel getCertificationModel() {
+ List<String> testTrustedCertificates = Arrays.asList(CA_CERT, EXTRA_CA_CERT);
+ List<String> testCertificationChain = Arrays.asList(INTERMEDIATE_CERT, ENTITY_CERT);
+ return new CertificationModel(testCertificationChain, testTrustedCertificates);
+ }
+
+
}
diff --git a/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationProviderTest.java b/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationProviderTest.java
new file mode 100644
index 00000000..aa6f1d08
--- /dev/null
+++ b/certService/src/test/java/org/onap/aaf/certservice/certification/CertificationProviderTest.java
@@ -0,0 +1,93 @@
+/*
+ * ============LICENSE_START=======================================================
+ * AAF Certification Service
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aaf.certservice.certification;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.onap.aaf.certservice.certification.adapter.Cmpv2ClientAdapter;
+import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server;
+import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException;
+import org.onap.aaf.certservice.certification.exception.DecryptionException;
+import org.onap.aaf.certservice.certification.model.CertificationModel;
+import org.onap.aaf.certservice.certification.model.CsrModel;
+import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+class CertificationProviderTest {
+
+ private CertificationProvider certificationProvider;
+
+ @Mock
+ private Cmpv2ClientAdapter cmpv2ClientAdapter;
+
+ @BeforeEach
+ void setUp() {
+ certificationProvider = new CertificationProvider(cmpv2ClientAdapter);
+ }
+
+ @Test
+ void certificationProviderShouldReturnCertificationModelWhenProvidedProperCsrModelAndCmpv2Server()
+ throws CmpClientException, Cmpv2ClientAdapterException {
+ // Given
+ CsrModel testCsrModel = mock(CsrModel.class);
+ Cmpv2Server testServer = mock(Cmpv2Server.class);
+ CertificationModel expectedCertificationModel = mock(CertificationModel.class);
+ when(
+ cmpv2ClientAdapter.callCmpClient(eq(testCsrModel), eq(testServer))
+ ).thenReturn(expectedCertificationModel);
+
+ // When
+ CertificationModel receivedCertificationModel = certificationProvider.signCsr(testCsrModel, testServer);
+
+ // Then
+ assertThat(receivedCertificationModel).isEqualTo(expectedCertificationModel);
+ }
+
+ @Test
+ void certificationProviderThrowCmpClientWhenCallingClientFails()
+ throws CmpClientException, Cmpv2ClientAdapterException {
+ // Given
+ CsrModel testCsrModel = mock(CsrModel.class);
+ Cmpv2Server testServer = mock(Cmpv2Server.class);
+ String expectedErrorMessage = "connecting to CMP client failed";
+ when(
+ cmpv2ClientAdapter.callCmpClient(eq(testCsrModel), eq(testServer))
+ ).thenThrow(new CmpClientException(expectedErrorMessage));
+
+ // When
+ Exception exception = assertThrows(
+ CmpClientException.class, () ->
+ certificationProvider.signCsr(testCsrModel, testServer)
+ );
+
+ // Then
+ assertThat(exception.getMessage()).isEqualTo(expectedErrorMessage);
+ }
+
+}
diff --git a/certService/src/test/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilderTest.java b/certService/src/test/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilderTest.java
new file mode 100644
index 00000000..165c9ec1
--- /dev/null
+++ b/certService/src/test/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilderTest.java
@@ -0,0 +1,100 @@
+/*
+ * ============LICENSE_START=======================================================
+ * AAF Certification Service
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.certification.adapter;
+
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.onap.aaf.certservice.certification.configuration.model.Authentication;
+import org.onap.aaf.certservice.certification.configuration.model.CaMode;
+import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server;
+import org.onap.aaf.certservice.certification.model.CsrModel;
+import org.onap.aaf.certservice.cmpv2client.external.CSRMeta;
+
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+public class CSRMetaBuilderTest {
+
+ private CSRMetaBuilder csrMetaBuilder;
+
+ private static final String TEST_CA = "testCA";
+ private static final X500Name TEST_SUBJECT_DATA = new X500Name("CN=testIssuer");
+
+ @BeforeEach
+ void setUp() {
+ csrMetaBuilder = new CSRMetaBuilder();
+ }
+
+ @Test
+ void shouldBuildCsrMetaWhenGivenCsrModelAndCmpv2ServerAreCorrect() {
+ // Given
+ CsrModel testCsrModel = mock(CsrModel.class);
+ Cmpv2Server testServer = createTestServer();
+
+ PKCS10CertificationRequest certificationRequest = mock(PKCS10CertificationRequest.class);
+ when(testCsrModel.getCsr()).thenReturn(certificationRequest);
+ PrivateKey mockPrivateKey = mock(PrivateKey.class);
+ when(testCsrModel.getPrivateKey()).thenReturn(mockPrivateKey);
+ PublicKey mockPublicKey = mock(PublicKey.class);
+ when(testCsrModel.getPublicKey()).thenReturn(mockPublicKey);
+ List<String> testSans = Arrays.asList("SAN01","SAN02");
+ when(testCsrModel.getSans()).thenReturn(testSans);
+
+ when(testCsrModel.getSubjectData()).thenReturn(TEST_SUBJECT_DATA);
+
+ // When
+ CSRMeta createdCSRMeta = csrMetaBuilder.build(testCsrModel, testServer);
+
+ // Then
+ assertThat(createdCSRMeta.password()).isEqualTo(testServer.getAuthentication().getIak());
+ assertThat(createdCSRMeta.senderKid()).isEqualTo(testServer.getAuthentication().getRv());
+ assertThat(createdCSRMeta.caUrl()).isEqualTo(testServer.getUrl());
+ assertThat(createdCSRMeta.sans()).containsAll(testSans);
+ assertThat(createdCSRMeta.keyPair().getPrivate()).isEqualTo(mockPrivateKey);
+ assertThat(createdCSRMeta.keyPair().getPublic()).isEqualTo(mockPublicKey);
+ assertThat(createdCSRMeta.x500Name()).isEqualTo(TEST_SUBJECT_DATA);
+ assertThat(createdCSRMeta.issuerx500Name()).isEqualTo(TEST_SUBJECT_DATA);
+ }
+
+ private Cmpv2Server createTestServer() {
+ Cmpv2Server testServer = new Cmpv2Server();
+ testServer.setCaName(TEST_CA);
+ testServer.setIssuerDN(TEST_SUBJECT_DATA);
+ testServer.setUrl("http://test.ca.server");
+ Authentication testAuthentication = new Authentication();
+ testAuthentication.setIak("testIak");
+ testAuthentication.setRv("testRv");
+ testServer.setAuthentication(testAuthentication);
+ testServer.setCaMode(CaMode.RA);
+
+ return testServer;
+ }
+
+}
diff --git a/certService/src/test/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapterTest.java b/certService/src/test/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapterTest.java
new file mode 100644
index 00000000..296f63cd
--- /dev/null
+++ b/certService/src/test/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapterTest.java
@@ -0,0 +1,185 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Cert Service
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.aaf.certservice.certification.adapter;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.StringWriter;
+import java.nio.charset.StandardCharsets;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.Objects;
+import org.apache.commons.io.IOUtils;
+import org.bouncycastle.asn1.x509.Certificate;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.Mockito;
+import org.onap.aaf.certservice.certification.configuration.model.CaMode;
+import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server;
+import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException;
+import org.onap.aaf.certservice.certification.model.CertificationModel;
+import org.onap.aaf.certservice.certification.model.CsrModel;
+import org.onap.aaf.certservice.cmpv2client.api.CmpClient;
+import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
+import org.onap.aaf.certservice.cmpv2client.external.CSRMeta;
+import org.springframework.boot.test.context.SpringBootTest;
+
+@SpringBootTest
+class Cmpv2ClientAdapterTest {
+
+ @Mock
+ private CmpClient cmpClient;
+ @Mock
+ private CsrModel csrModel;
+ @Mock
+ private Cmpv2Server server;
+ @Mock
+ private RSAContentSignerBuilder rsaContentSignerBuilder;
+ @Mock
+ private X509CertificateBuilder x509CertificateBuilder;
+ @Mock
+ private PKCS10CertificationRequest csr;
+ @Mock
+ private PrivateKey privateKey;
+ @Mock
+ private X509v3CertificateBuilder x509V3CertificateBuilder;
+ @Mock
+ private ContentSigner contentSigner;
+ @Mock
+ private X509CertificateHolder holder;
+ @Mock
+ private Certificate asn1Certificate;
+ @Mock
+ private X509Certificate certificate;
+ @Mock
+ private CertificateFactoryProvider certificateFactoryProvider;
+ @Mock
+ private CSRMetaBuilder csrMetaBuilder;
+ @Mock
+ private CSRMeta csrMeta;
+
+ @InjectMocks
+ private Cmpv2ClientAdapter adapter;
+
+ private static final CaMode CA_MODEL = CaMode.CLIENT;
+ private static final String TEST_MSG = "Test";
+
+ @Test
+ void adapterShouldRethrowClientExceptionOnFailure()
+ throws CmpClientException, IOException, OperatorCreationException, CertificateException,
+ NoSuchProviderException {
+ // Given
+ stubInternalProperties();
+
+ // When
+ Mockito.when(cmpClient.createCertificate(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any()))
+ .thenThrow(new CmpClientException(TEST_MSG));
+
+ // Then
+ Assertions.assertThrows(CmpClientException.class, () -> adapter.callCmpClient(csrModel, server));
+ }
+
+ @Test
+ void shouldConvertToCertificationModel()
+ throws OperatorCreationException, CertificateException, NoSuchProviderException, IOException,
+ CmpClientException, Cmpv2ClientAdapterException {
+ // Given
+ stubInternalProperties();
+
+ // When
+ Mockito.when(cmpClient.createCertificate(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any()))
+ .thenReturn(createCorrectClientResponse());
+ CertificationModel certificationModel = adapter.callCmpClient(csrModel, server);
+
+ // Then
+ InputStream certificate = getClass().getClassLoader().getResourceAsStream("certificateModelChain.first");
+ InputStream trustedCertificate =
+ getClass().getClassLoader().getResourceAsStream("trustedCertificatesModel.first");
+ String certificateModel = removeLineEndings(certificationModel.getCertificateChain().get(0));
+ String expectedCertificate =
+ removeLineEndings(IOUtils.toString(Objects.requireNonNull(certificate), StandardCharsets.UTF_8));
+ String trustedCertificateModel = removeLineEndings(certificationModel.getTrustedCertificates().get(0));
+ String expectedTrustedCertificate =
+ removeLineEndings(IOUtils.toString(Objects.requireNonNull(trustedCertificate), StandardCharsets.UTF_8));
+
+ Assertions.assertEquals(certificateModel, expectedCertificate);
+ Assertions.assertEquals(trustedCertificateModel, expectedTrustedCertificate);
+ }
+
+ @Test
+ void adapterShouldThrowClientAdapterExceptionOnFailure()
+ throws OperatorCreationException, CertificateException, NoSuchProviderException, IOException,
+ CmpClientException {
+ // Given
+ stubInternalProperties();
+
+ // When
+ Mockito.when(cmpClient.createCertificate(Mockito.any(), Mockito.any(), Mockito.any(), Mockito.any()))
+ .thenReturn(createCorrectClientResponse());
+ Mockito.when(certificateFactoryProvider.generateCertificate(Mockito.any()))
+ .thenThrow(new CertificateException(TEST_MSG));
+
+ // Then
+ Assertions.assertThrows(Cmpv2ClientAdapterException.class, () -> adapter.callCmpClient(csrModel, server));
+ }
+
+ private List<List<X509Certificate>> createCorrectClientResponse()
+ throws CertificateException, NoSuchProviderException {
+ InputStream certificateChain = getClass().getClassLoader().getResourceAsStream("certificateChain.first");
+ InputStream trustedCertificate = getClass().getClassLoader().getResourceAsStream("trustedCertificates.first");
+ X509Certificate x509Certificate = new CertificateFactoryProvider().generateCertificate(certificateChain);
+ X509Certificate x509TrustedCertificate =
+ new CertificateFactoryProvider().generateCertificate(trustedCertificate);
+ return Arrays.asList(Collections.singletonList(x509Certificate),
+ Collections.singletonList(x509TrustedCertificate));
+ }
+
+ private String removeLineEndings(String string) {
+ return string.replace("\n", "").replace("\r", "");
+ }
+
+ private void stubInternalProperties()
+ throws IOException, OperatorCreationException, CertificateException, NoSuchProviderException {
+ Mockito.when(server.getCaMode()).thenReturn(CA_MODEL);
+ Mockito.when(csrModel.getCsr()).thenReturn(csr);
+ Mockito.when(csrModel.getPrivateKey()).thenReturn(privateKey);
+ Mockito.when(x509CertificateBuilder.build(csr)).thenReturn(x509V3CertificateBuilder);
+ Mockito.when(rsaContentSignerBuilder.build(csr, privateKey)).thenReturn(contentSigner);
+ Mockito.when(x509V3CertificateBuilder.build(contentSigner)).thenReturn(holder);
+ Mockito.when(holder.toASN1Structure()).thenReturn(asn1Certificate);
+ Mockito.when(certificateFactoryProvider.generateCertificate(Mockito.any())).thenReturn(certificate);
+ Mockito.when(holder.toASN1Structure().getEncoded()).thenReturn("".getBytes());
+ Mockito.when(csrMetaBuilder.build(csrModel, server)).thenReturn(csrMeta);
+ }
+
+}
diff --git a/certService/src/test/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProviderTest.java b/certService/src/test/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProviderTest.java
index 20a85783..7e14e470 100644
--- a/certService/src/test/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProviderTest.java
+++ b/certService/src/test/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProviderTest.java
@@ -29,10 +29,13 @@ import org.mockito.junit.jupiter.MockitoExtension;
import org.onap.aaf.certservice.certification.configuration.model.Authentication;
import org.onap.aaf.certservice.certification.configuration.model.CaMode;
import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server;
+import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException;
import java.util.Collections;
import static org.assertj.core.api.Assertions.assertThat;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.mockito.Mockito.when;
@ExtendWith(MockitoExtension.class)
@@ -53,32 +56,32 @@ class Cmpv2ServerProviderTest {
@Test
void shouldReturnOptionalWithServerWhenServerWithGivenCaNameIsPresentInConfig() {
- // given
+ // Given
Cmpv2Server testServer = createTestServer();
when(cmpServersConfig.getCmpServers()).thenReturn(Collections.singletonList(testServer));
- // when
+ // When
Cmpv2Server receivedServer = cmpv2ServerProvider
- .getCmpv2Server(TEST_CA)
- .get();
+ .getCmpv2Server(TEST_CA);
- // then
+ // Then
assertThat(receivedServer).isEqualToComparingFieldByField(testServer);
}
-
@Test
void shouldReturnEmptyOptionalWhenServerWithGivenCaNameIsNotPresentInConfig() {
- // given
+ // Given
+ String expectedMessage = "No server found for given CA name";
when(cmpServersConfig.getCmpServers()).thenReturn(Collections.emptyList());
- // when
- Boolean isEmpty = cmpv2ServerProvider
- .getCmpv2Server(TEST_CA)
- .isEmpty();
+ // When
+ Exception exception = assertThrows(
+ Cmpv2ServerNotFoundException.class, () ->
+ cmpv2ServerProvider.getCmpv2Server(TEST_CA)
+ );
- // then
- assertThat(isEmpty).isTrue();
+ // Then
+ assertTrue(exception.getMessage().contains(expectedMessage));
}
private Cmpv2Server createTestServer() {
diff --git a/certService/src/test/java/org/onap/aaf/certservice/certification/model/CsrModelTest.java b/certService/src/test/java/org/onap/aaf/certservice/certification/model/CsrModelTest.java
index f47f495f..45bd9664 100644
--- a/certService/src/test/java/org/onap/aaf/certservice/certification/model/CsrModelTest.java
+++ b/certService/src/test/java/org/onap/aaf/certservice/certification/model/CsrModelTest.java
@@ -50,15 +50,15 @@ class CsrModelTest {
= new PemObjectFactory();
@Test
void shouldByConstructedAndReturnProperFields() throws DecryptionException, IOException {
- // given
+ // Given
PemObject testPrivateKey = getPemPrivateKey();
PemObject testPublicKey = generateTestPublicKey();
PKCS10CertificationRequest testCsr = generateTestCertificationRequest();
- // when
+ // When
CsrModel csrModel = generateTestCsrModel(testCsr);
- // then
+ // Then
assertThat(csrModel.getCsr())
.isEqualTo(testCsr);
assertThat(csrModel.getPrivateKey().getEncoded())
@@ -75,7 +75,7 @@ class CsrModelTest {
@Test
void shouldThrowExceptionWhenPublicKeyIsNotCorrect() throws DecryptionException, IOException {
- // given
+ // Given
PemObject testPrivateKey = getPemPrivateKey();
PKCS10CertificationRequest testCsr = mock(PKCS10CertificationRequest.class);
SubjectPublicKeyInfo wrongKryInfo = mock(SubjectPublicKeyInfo.class);
@@ -84,7 +84,7 @@ class CsrModelTest {
when(wrongKryInfo.getEncoded())
.thenThrow(new IOException());
- // when
+ // When
Exception exception = assertThrows(
CsrDecryptionException.class,
() -> new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build()
@@ -93,13 +93,13 @@ class CsrModelTest {
String expectedMessage = "Reading Public Key from CSR failed";
String actualMessage = exception.getMessage();
- // then
+ // Then
assertTrue(actualMessage.contains(expectedMessage));
}
@Test
void shouldThrowExceptionWhenPrivateKeyPemIsNotProperPrivateKey() throws KeyDecryptionException, IOException {
- // given
+ // Given
PemObject testPrivateKey = getPemWrongKey();
PKCS10CertificationRequest testCsr = mock(PKCS10CertificationRequest.class);
SubjectPublicKeyInfo wrongKryInfo = mock(SubjectPublicKeyInfo.class);
@@ -108,7 +108,7 @@ class CsrModelTest {
when(wrongKryInfo.getEncoded())
.thenThrow(new IOException());
- // when
+ // When
Exception exception = assertThrows(
KeyDecryptionException.class,
() -> new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build()
@@ -117,13 +117,13 @@ class CsrModelTest {
String expectedMessage = "Converting Private Key failed";
String actualMessage = exception.getMessage();
- // then
+ // Then
assertTrue(actualMessage.contains(expectedMessage));
}
@Test
void shouldThrowExceptionWhenPublicKeyPemIsNotProperPublicKey() throws KeyDecryptionException, IOException {
- // given
+ // Given
PemObject testPrivateKey = getPemPrivateKey();
PemObject testPublicKey = getPemWrongKey();
PKCS10CertificationRequest testCsr = mock(PKCS10CertificationRequest.class);
@@ -133,7 +133,7 @@ class CsrModelTest {
when(wrongKryInfo.getEncoded())
.thenReturn(testPublicKey.getContent());
- // when
+ // When
Exception exception = assertThrows(
KeyDecryptionException.class,
() -> new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build()
@@ -142,7 +142,7 @@ class CsrModelTest {
String expectedMessage = "Converting Public Key from CSR failed";
String actualMessage = exception.getMessage();
- // then
+ // Then
assertTrue(actualMessage.contains(expectedMessage));
}
diff --git a/certService/src/test/resources/certificateChain.first b/certService/src/test/resources/certificateChain.first
new file mode 100644
index 00000000..3e0ae028
--- /dev/null
+++ b/certService/src/test/resources/certificateChain.first
Binary files differ
diff --git a/certService/src/test/resources/certificateModelChain.first b/certService/src/test/resources/certificateModelChain.first
new file mode 100644
index 00000000..e6383860
--- /dev/null
+++ b/certService/src/test/resources/certificateModelChain.first
@@ -0,0 +1 @@
+-----BEGIN CERTIFICATE----- MIIEXTCCAsWgAwIBAgIUMI4X5/zCpkgY/NIx287DT/T1zEQwDQYJKoZIhvcNAQEL BQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMDE5MmY0N2VkY2NjZjg5NzYxFTATBgNV BAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr c3RhcnQwHhcNMTkxMjEyMTEwMDUxWhcNMjExMjExMTA1OTI1WjBSMSAwHgYJKoZI hvcNAQkBFhFDb21tb25OYW1lQGNuLmNvbTEWMBQGA1UEAwwNQ049Q29tbW9uTmFt ZTEWMBQGA1UECgwNQ29tbW9uQ29tcGFueTCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBAJtc1vAn9F166nHED5D2E/xoMMFkCJ0RhpXqn9A9RArB20U54TSf nEDuayAGpWIypAnGc1wXCj2ZTWFj48oIRGNy6b2uJ7qHlg7FGwdIGfTP151P0O6W zcb9kFj/KwRkyKu7Z9m7BR3G0MBhGaN4DFAVlAFNqmvIip4PW9cO4zCFGABGQcPx PhWtBt1Dp3wewp38yXN0evMjOTS7naogPCVme7ffqrqsd8ozlcjk5zd2giJPduUO 7puBkt6aynM1cc6kGpbQIHCf9f7L0ZGWDXSP/mr87h/WEDkhzBGa7aoME5gTLToT o0PPHtyfwOGi2KEBVQg0vde5BiKuisJTw2sCAwEAAaOBmzCBmDAMBgNVHRMBAf8E AjAAMB8GA1UdIwQYMBaAFKSoZvZ+ycvTR9MmLcG1sbVLZC19MBkGA1UdEQQSMBCC DkNvbW1vbk5hbWUuY29tMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAd BgNVHQ4EFgQUKgFUjDFajTD1leb7Q2rvvSFvJZAwDgYDVR0PAQH/BAQDAgXgMA0G CSqGSIb3DQEBCwUAA4IBgQBs8knYiqq9GrHG8R0Lh46XTayAddcjN+dX4DHX/Tg9 sBkl1qUXKEUuOaK2JlW+BzLVuy5QtAAJuDc2BVq19hF2NALOiMi6cJUW/gWJi9ug eRqMELwxf44Am/CzQoUp52MVuCj4K9sJ6KLC5jm/GgTyFG+Qy7ZoU6df5Gd1E0iU Qf+tuF77LldMtNcYKbYbBVGDg4O/M221+D2Kq/gfTyWYiB6coiAuiXEjBfgsmCLp h8/JHK6zhq+wOUL0isaekPCK8LvzryHoZ5c1MdVXgDgwErWoZf+PnaUUHSH9DbTR LyWY++TXYLn0xUDZTqJboshDq3C4vqGsUJ4eSCfaAeiyX0RmXvE8DPiKQy7vTOGP 5CzpqnZbHSbKf/L3nbu4q7LZMtHzNhqgnqHVPJE42okHwBEbQX4POnghdujxCuFF gr+8LjQpc+0tlCXqTLeapBIHQDc0ECwWB2fPU1XRVHJB7MOew0OJ2yGgCSeJXO4W pujWO9CVPB49h5LyMPkNdr8= -----END CERTIFICATE----- \ No newline at end of file
diff --git a/certService/src/test/resources/trustedCertificates.first b/certService/src/test/resources/trustedCertificates.first
new file mode 100644
index 00000000..6b44296d
--- /dev/null
+++ b/certService/src/test/resources/trustedCertificates.first
Binary files differ
diff --git a/certService/src/test/resources/trustedCertificatesModel.first b/certService/src/test/resources/trustedCertificatesModel.first
new file mode 100644
index 00000000..390f6e6b
--- /dev/null
+++ b/certService/src/test/resources/trustedCertificatesModel.first
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEszCCAxugAwIBAgIUGMTLyt0bYrNGz4KPqapEq64XmIIwDQYJKoZIhvcNAQEL
+BQAwYTEjMCEGCgmSJomT8ixkAQEME2MtMDE5MmY0N2VkY2NjZjg5NzYxFTATBgNV
+BAMMDE1hbmFnZW1lbnRDQTEjMCEGA1UECgwaRUpCQ0EgQ29udGFpbmVyIFF1aWNr
+c3RhcnQwHhcNMTkxMjEyMTEwMDUxWhcNMjkxMjExMTEwMDUxWjBhMSMwIQYKCZIm
+iZPyLGQBAQwTYy0wMTkyZjQ3ZWRjY2NmODk3NjEVMBMGA1UEAwwMTWFuYWdlbWVu
+dENBMSMwIQYDVQQKDBpFSkJDQSBDb250YWluZXIgUXVpY2tzdGFydDCCAaIwDQYJ
+KoZIhvcNAQEBBQADggGPADCCAYoCggGBAK2yz/z273gG55p4NvDfg8EZIOFkQmAV
+Vi+gfvyl3zb8KYOBWGAOM8IKMInJP1Gulz2D2qYAL7PlJi87WaMI1mTNL0ca177T
+UOz3C1vuFp5QqcQZP8fbGlQCHawcPwacLm6G4WFHi5tjtuBQS+qn1RrHdnvSMwG7
+1bZll3wLOnU3TOAvDMEbAXCXIwc7wxAluO1e+bCM2VjL8iFvNtEqQ2KY3IKO7aaE
+nEGkTniYg6lBSd/3D04CLVEqinI4sbGV/DX3cULmIsGT5E4b6KMlXrFuzbfj5VtS
+n8awf+EMWm1AHlyM05GhMD8N60nZcoF5/rzrzxPr1Jv9DTl/MRRasqwtmEddbn0e
+OVgB7c5LEbNrnJWt/4sdEBQXX3z4y2HI40iuZmTMP0zPwxWA1v/bmd9EIE2/QKGo
+kMHvvjTRTtdBYGGeeL5TRU2o1YSw6bda57Dv2I3OGA6gNxbH1juG/2W8kg01YL7S
+C49OnY9l3EP0iPHhtNnikuULG+Us1AL+HwIDAQABo2MwYTAPBgNVHRMBAf8EBTAD
+AQH/MB8GA1UdIwQYMBaAFKSoZvZ+ycvTR9MmLcG1sbVLZC19MB0GA1UdDgQWBBSk
+qGb2fsnL00fTJi3BtbG1S2QtfTAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQEL
+BQADggGBAD2z2NNVF1HKei+IGBiClyuSVOIXU86p+BLk4EoIlBvWB6jwB++jBHt5
+EfQhGr8dkRqkd9EG92PDgJklHz6qeogCGdkEQikaN03SwFxk5ig5HW8Fycpffbp/
+dY+QT8IVkx7jJfpe/+unf2FZbaIGcFiL+YFa2Ii6dHKIC5ntIUiKjRsQdbs6EjWU
+sxiozLuAxeD/otReNu2VZze43cZqygEB77cbHT8DSRsAtLUdbNluyTwZOZXKiTlG
+ClBXP4NkNTG+deP1B9k8CZolTn2fyj6KmQdBQ3S1MWIF9IsMbc2vjvbJlRkdX/nl
+lQC6bsvb0VVWnBHiLGpsgsye7eyE0PJ/tAvQNsrhOSxCxaTFBhRExG3Mr9uU7iDj
+PFxnuTACAOv9aAyoBbJnLkN/Mkq3ILTChGY8cLnM3tGnb8fpbXbtMSzGAoLPmsh4
+vvJEjIgi5NTIMqaADsXSAToW61AU2otAQxLvgI03szPxUF1l4Neo1RHJDNwp5yyo
+oYIM2lYI0w==
+-----END CERTIFICATE-----