https://wiki.onap.org/display/DW/OOM+Certification+Service
```
-Project consists of three submodules:
+Project consists of four submodules:
1. oom-certservice-api
2. oom-certservice-client
3. oom-certservice-post-processor
+4. oom-certservice-k8s-external-provider
Detailed information about submodules can be found in ```README.md``` in their directories.
<parent>
<groupId>org.onap.oom.platform.cert-service</groupId>
<artifactId>oom-certservice</artifactId>
- <version>2.2.0-SNAPSHOT</version>
+ <version>2.3.0-SNAPSHOT</version>
</parent>
<artifactId>oom-certservice-api</artifactId>
- <version>2.2.0-SNAPSHOT</version>
+ <version>2.3.0-SNAPSHOT</version>
<name>oom-certservice-api</name>
<description>OOM Certification Service Api</description>
<packaging>jar</packaging>
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
-import java.util.Collections;
-import java.util.List;
-import java.util.Objects;
-import java.util.stream.Collectors;
+import java.util.stream.Collectors;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
private final X500Name subjectData;
private final PrivateKey privateKey;
private final PublicKey publicKey;
- private final List<String> sans;
+ private final GeneralName[] sans;
public CsrModel(PKCS10CertificationRequest csr, X500Name subjectData, PrivateKey privateKey, PublicKey publicKey,
- List<String> sans) {
+ GeneralName[] sans) {
this.csr = csr;
this.subjectData = subjectData;
this.privateKey = privateKey;
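Review bot: The constructor at L38-L43 stores the caller's `GeneralName[]` by reference and never checks it for null, so whoever built the array can still mutate the SANs after the model exists, and a null array only surfaces later when `toString()` streams it. The class otherwise reads as an immutable value holder (every field is `final`), so copy on the way in: `this.sans = sans == null ? new GeneralName[0] : sans.clone();` — or, if null should be a hard error, `this.sans = Objects.requireNonNull(sans, "sans").clone();`, which needs the `java.util.Objects` import this commit removes at L27. The constructor body continues past the end of the hunk.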
return publicKey;
}
- public List<String> getSans() {
+ public GeneralName[] getSans() {
return sans;
}
@Override
public String toString() {
- return "Subject: { " + subjectData + " ,SANs: " + sans + " }";
+ return "CSR: { Subject: { " + subjectData + " }, SANs: [" + getSansInReadableFormat() + "] }";
}
- public static class CsrModelBuilder {
+ private String getSansInReadableFormat() {
+ return Arrays.stream(this.sans)
+ .map(generalName -> generalName.getName().toString())
+ .collect(Collectors.joining(", "));
+ }
+ public static class CsrModelBuilder {
private final PKCS10CertificationRequest csr;
+
private final PemObject privateKey;
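Review bot: `getSansInReadableFormat()` at L56-L60 calls `generalName.getName().toString()` on every entry, which is only readable for the string-typed name forms; an `iPAddress` entry is an `ASN1OctetString` and prints as `#7f000001` (the test data in this same change bakes that into `LOCALHOST_IP_IN_HEX`), and `otherName`/`directoryName` entries print as a raw ASN.1 dump. Because this string is what reaches the service's log lines, it is worth rendering by tag so an operator can recognise the SAN the certificate will carry, with the current rendering kept as the fallback for anything else. The helper below needs `org.bouncycastle.asn1.ASN1OctetString`, `java.net.InetAddress` and `java.net.UnknownHostException` added to the import block, and `TestData.EXPECTED_CERT_SANS` would then expect `127.0.0.1` instead of the hex form.
```java
    private String getSansInReadableFormat() {
        return Arrays.stream(this.sans)
            .map(CsrModel::generalNameToReadableString)
            .collect(Collectors.joining(", "));
    }

    // Renders iPAddress SANs as dotted/colon notation; every other name form keeps BC's default rendering.
    private static String generalNameToReadableString(GeneralName generalName) {
        if (generalName.getTagNo() == GeneralName.iPAddress) {
            byte[] octets = ASN1OctetString.getInstance(generalName.getName()).getOctets();
            try {
                return InetAddress.getByAddress(octets).getHostAddress();
            } catch (UnknownHostException e) {
                // octet string is not 4 or 16 bytes long: fall through to the raw rendering
            }
        }
        return generalName.getName().toString();
    }
```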
public CsrModel build() throws DecryptionException {
X500Name subjectData = getSubjectData();
PrivateKey javaPrivateKey = convertingPemPrivateKeyToJavaSecurityPrivateKey(getPrivateKey());
PublicKey javaPublicKey = convertingPemPublicKeyToJavaSecurityPublicKey(getPublicKey());
- List<String> sans = getSansData();
+ GeneralName[] sans = getSansData();
return new CsrModel(csr, subjectData, javaPrivateKey, javaPublicKey, sans);
}
return csr.getSubject();
}
- private List<String> getSansData() {
+ private GeneralName[] getSansData() {
if (!isAttrsEmpty() && !isAttrsValuesEmpty()) {
Extensions extensions = Extensions.getInstance(csr.getAttributes()[0].getAttrValues().getObjectAt(0));
- GeneralName[] arrayOfAlternativeNames =
- GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName).getNames();
- return Arrays.stream(arrayOfAlternativeNames).map(GeneralName::getName).map(Objects::toString)
- .collect(Collectors.toList());
+ return GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName).getNames();
}
- return Collections.emptyList();
+ return new GeneralName[0];
}
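Review bot: `GeneralNames.fromExtensions(...)` at L83 returns null when the requested extensions contain no subjectAltName, so a CSR that asks only for, say, keyUsage makes `.getNames()` throw a NullPointerException instead of yielding the empty array the `else` path promises; the old code had the same gap, but this rewrite is the place to close it: `GeneralNames names = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);` followed by `return names == null ? new GeneralName[0] : names.getNames();`. The CSR is client-supplied input, and L78 also assumes the first attribute is the PKCS#9 extensionRequest without checking its OID — `csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)` would select it explicitly (one more import) — so an unrelated first attribute would likely surface from `Extensions.getInstance` as an unhandled `IllegalArgumentException` rather than a `CsrDecryptionException`. `isAttrsEmpty()` and `isAttrsValuesEmpty()` are outside the hunk, so I cannot tell whether they already guard against this.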
private boolean isAttrsValuesEmpty() {
}
private PrivateKey convertingPemPrivateKeyToJavaSecurityPrivateKey(PemObject privateKey)
- throws KeyDecryptionException {
+ throws KeyDecryptionException {
try {
KeyFactory factory = KeyFactory.getInstance("RSA");
PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKey.getContent());
throw new KeyDecryptionException("Converting Private Key failed", e.getCause());
}
}
-
private PublicKey convertingPemPublicKeyToJavaSecurityPublicKey(PemObject publicKey)
- throws KeyDecryptionException {
+ throws KeyDecryptionException {
try {
KeyFactory factory = KeyFactory.getInstance("RSA");
X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKey.getContent());
throw new KeyDecryptionException("Converting Public Key from CSR failed", e.getCause());
}
}
- }
+ }
}
CmpMessageBuilder.of(CreateCertRequest::new)
.with(CreateCertRequest::setIssuerDn, server.getIssuerDN())
.with(CreateCertRequest::setSubjectDn, csrModel.getSubjectData())
- .with(CreateCertRequest::setSansList, csrModel.getSans())
+ .with(CreateCertRequest::setSansArray, csrModel.getSans())
.with(CreateCertRequest::setSubjectKeyPair, keyPair)
.with(CreateCertRequest::setNotBefore, notBefore)
.with(CreateCertRequest::setNotAfter, notAfter)
import java.security.NoSuchProviderException;
import java.security.Signature;
import java.security.SignatureException;
-import java.util.ArrayList;
import java.util.Date;
-import java.util.List;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
*
* @return {@link Extensions}.
*/
- public static Extensions generateExtension(final List<String> sansList)
+ public static Extensions generateExtension(final GeneralName[] sansArray)
throws CmpClientException {
LOG.info("Generating Extensions from Subject Alternative Names");
final ExtensionsGenerator extGenerator = new ExtensionsGenerator();
- final GeneralName[] sansGeneralNames = getGeneralNames(sansList);
// KeyUsage
try {
final KeyUsage keyUsage =
KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation);
extGenerator.addExtension(Extension.keyUsage, false, new DERBitString(keyUsage));
extGenerator.addExtension(
- Extension.subjectAlternativeName, false, new GeneralNames(sansGeneralNames));
+ Extension.subjectAlternativeName, false, new GeneralNames(sansArray));
} catch (IOException ioe) {
CmpClientException cmpClientException =
new CmpClientException(
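Review bot: With the `getGeneralNames` helper gone, the `GeneralName[]` parsed from the client's CSR is written into the CertTemplate at L145 unchanged, so the API no longer constrains which SAN name forms reach the CA — `otherName`, `directoryName`, `registeredID` or `x400Address` entries in a CSR would now be requested as-is, where every entry was previously forced to `dNSName`. Unless the CA profile is known to reject them, the request side should allow-list the forms this service is meant to issue (dNSName, rfc822Name, iPAddress, uniformResourceIdentifier — exactly what the new test CSR exercises) and fail the request otherwise. RFC 5280 §4.2.1.6 also requires a present subjectAltName to contain at least one entry, and an empty `sansArray` still produces an empty SEQUENCE here (the list-based code did the same), so the extension should be skipped when the array is empty. If the method's Javadoc above L129 still carries `@param sansList`, it should be renamed to `sansArray`; the `CmpClientException` constructor arguments are cut off at L148, so adapt the throw below to the signature actually used.
```java
    final ExtensionsGenerator extGenerator = new ExtensionsGenerator();
    for (GeneralName san : sansArray) {
      if (!isSupportedSanType(san)) {
        throw new CmpClientException("Unsupported subjectAltName type in CSR, tag " + san.getTagNo());
      }
    }
    // … unchanged: KeyUsage extension …
      if (sansArray.length > 0) {
        extGenerator.addExtension(
            Extension.subjectAlternativeName, false, new GeneralNames(sansArray));
      }
    // … unchanged: IOException handling and extGenerator.generate() …

  // Name forms this service is willing to request from the CA; everything else is rejected up front.
  private static boolean isSupportedSanType(GeneralName san) {
    switch (san.getTagNo()) {
      case GeneralName.dNSName:
      case GeneralName.rfc822Name:
      case GeneralName.iPAddress:
      case GeneralName.uniformResourceIdentifier:
        return true;
      default:
        return false;
    }
  }
```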
return extGenerator.generate();
}
- public static GeneralName[] getGeneralNames(List<String> sansList) {
- final List<GeneralName> nameList = new ArrayList<>();
- for (String san : sansList) {
- nameList.add(new GeneralName(GeneralName.dNSName, san));
- }
- final GeneralName[] sansGeneralNames = new GeneralName[nameList.size()];
- nameList.toArray(sansGeneralNames);
- return sansGeneralNames;
- }
-
/**
* Method generates Proof-of-Possession (POP) of Private Key. To allow a CA/RA to properly
* validity binding between an End Entity and a Key Pair, the PKI Operations specified here make
import java.security.KeyPair;
import java.util.Date;
-import java.util.List;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIHeader;
import org.bouncycastle.asn1.crmf.CertTemplateBuilder;
import org.bouncycastle.asn1.crmf.ProofOfPossession;
import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException;
private X500Name issuerDn;
private X500Name subjectDn;
- private List<String> sansList;
+ private GeneralName[] sansArray;
private KeyPair subjectKeyPair;
private Date notBefore;
private Date notAfter;
this.subjectDn = subjectDn;
}
- public void setSansList(List<String> sansList) {
- this.sansList = sansList;
+ public void setSansArray(GeneralName[] sansArray) {
+ this.sansArray = sansArray;
}
public void setSubjectKeyPair(KeyPair subjectKeyPair) {
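Review bot: `setSansArray` at L186-L187 keeps the caller's array by reference, and the only caller in this change (`.with(CreateCertRequest::setSansArray, csrModel.getSans())`) hands over CsrModel's internal array, so the request and the model now share one mutable array. A defensive copy keeps the request self-contained and spares `generateExtension` a null check: `this.sansArray = sansArray == null ? new GeneralName[0] : sansArray.clone();`. Renaming the public setter from `setSansList` breaks any external caller of the old name; if this class is consumed outside the module, keeping a deprecated `setSansList(List<String>)` overload for one release would be kinder.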
new CertTemplateBuilder()
.setIssuer(issuerDn)
.setSubject(subjectDn)
- .setExtensions(CmpMessageHelper.generateExtension(sansList))
+ .setExtensions(CmpMessageHelper.generateExtension(sansArray))
.setValidity(CmpMessageHelper.generateOptionalValidity(notBefore, notAfter))
.setPublicKey(
SubjectPublicKeyInfo.getInstance(subjectKeyPair.getPublic().getEncoded()));
// when
CsrModel decryptedCsr = csrModelFactory
- .createCsrModel(new StringBase64(encoderCsr), new StringBase64(encoderPK));
+ .createCsrModel(new StringBase64(encoderCsr), new StringBase64(encoderPK));
- // then
- assertTrue(
- decryptedCsr.toString()
- .contains(
- "C=US,ST=California,L=San-Francisco,O=Linux-Foundation,"
- + "OU=ONAP,CN=onap.org,E=tester@onap.org")
- &&
- decryptedCsr.toString()
- .contains("SANs: [gerrit.onap.org, test.onap.org, onap.com]")
- );
+ assertTrue(decryptedCsr.toString()
+ .contains(TestData.EXPECTED_CERT_SUBJECT));
+ assertTrue(decryptedCsr.toString()
+ .contains(TestData.EXPECTED_CERT_SANS));
}
@Test
// when
Exception exception = assertThrows(
- CsrDecryptionException.class, () -> csrModelFactory
- .createCsrModel(new StringBase64(wrongCsr), new StringBase64(encoderPK))
+ CsrDecryptionException.class, () -> csrModelFactory
+ .createCsrModel(new StringBase64(wrongCsr), new StringBase64(encoderPK))
);
String expectedMessage = "Incorrect CSR, decryption failed";
// when
Exception exception = assertThrows(
- KeyDecryptionException.class, () -> csrModelFactory
- .createCsrModel(new StringBase64(wrongCsr), new StringBase64(encoderPK))
+ KeyDecryptionException.class, () -> csrModelFactory
+ .createCsrModel(new StringBase64(wrongCsr), new StringBase64(encoderPK))
);
String expectedMessage = "Incorrect Key, decryption failed";
// when
Exception exception = assertThrows(
- CsrDecryptionException.class, () -> csrModelFactory
- .createCsrModel(new StringBase64(wrongCsr), new StringBase64(encoderPK))
+ CsrDecryptionException.class, () -> csrModelFactory
+ .createCsrModel(new StringBase64(wrongCsr), new StringBase64(encoderPK))
);
String expectedMessage = "Incorrect CSR, decryption failed";
// when
Exception exception = assertThrows(
- KeyDecryptionException.class, () -> csrModelFactory
- .createCsrModel(new StringBase64(wrongCsr), new StringBase64(encoderPK))
+ KeyDecryptionException.class, () -> csrModelFactory
+ .createCsrModel(new StringBase64(wrongCsr), new StringBase64(encoderPK))
);
String expectedMessage = "Incorrect Key, decryption failed";
private TestData() {
}
- public static final String TEST_CSR = ""
- + "-----BEGIN CERTIFICATE REQUEST-----\n"
- + "MIIDIzCCAgsCAQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh\n"
- + "MRYwFAYDVQQHDA1TYW4tRnJhbmNpc2NvMRkwFwYDVQQKDBBMaW51eC1Gb3VuZGF0\n"
- + "aW9uMQ0wCwYDVQQLDARPTkFQMREwDwYDVQQDDAhvbmFwLm9yZzEeMBwGCSqGSIb3\n"
- + "DQEJARYPdGVzdGVyQG9uYXAub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
- + "CgKCAQEA13K1LrQ1L6eL7B8K4kucNct0sSjZe7Ww91V40s6mjcWajeFJk+pObZKz\n"
- + "BfnImkVJwxdNMDD6tX16wykbGfQPyh4BBiAjLVk9XSeoPHFRBQ4LKTuyPtXhEXyr\n"
- + "qwatYXGWZE554qq64pbReddOUJHgMc38SrOk/eMAKxB0uRrXpA0mPH7zwIZ4X8g2\n"
- + "PoxJKI1BSYc8kOvvujsGSMw3e5nS8A+doFUwVi3jJMnaVCoZrvJbtREfXHZqBLQ5\n"
- + "XQ8mNpIFfmGYF/tvW/O6LBdlZkuAQ9i4FBgf5+HdIVZOXrn09ksIZxW6vxIvAVi0\n"
- + "5AOSgXictyphcNP2i/erBeCQCVB7MwIDAQABoEYwRAYJKoZIhvcNAQkOMTcwNTAz\n"
- + "BgNVHREELDAqgg9nZXJyaXQub25hcC5vcmeCDXRlc3Qub25hcC5vcmeCCG9uYXAu\n"
- + "Y29tMA0GCSqGSIb3DQEBCwUAA4IBAQBXH2nRwodQRJTuyrLe/VSg3PUdcPyAx2Ew\n"
- + "63tWiGO+qWo8rK2a9Rr/t/zkQe2lx6NHqcMc2Rt6NeKGbrAvHGxTiYM35gktBdxG\n"
- + "UaQS1ymrBWHAwbC+kv78r+5lCfafNm/EVdhUZbEw+crsw2wx4iKEW0byS4Ln0o5g\n"
- + "aXVUW3i4G5FaYiYBUIDsujDdnH1IoxunEA6pDzDv1h6R9/TYu6Se8HToREIjOPBZ\n"
- + "pDI5lDRu0YmI8r+TmAU3tTT1sY2WVxYDnhJut9ofegfMPQV4FIohxtPcCfoLSWti\n"
- + "ml6jbcFqDvlzq3B3CXH9HU3jdJt33iSjCQGsSqy6bmCOdMS6XTPU\n"
- + "-----END CERTIFICATE REQUEST-----\n";
+ public static final String LOCALHOST_IP_IN_HEX = "#7f000001"; //127.0.0.1
+
+ public static final String EXPECTED_CERT_SUBJECT = "C=US,ST=California,L=San-Francisco,O=Linux-Foundation,OU=ONAP,CN=onap.org";
+ public static final String EXPECTED_CERT_SANS =
+ "SANs: [localhost, onap.org, test.onap.org, onap@onap.org, " + LOCALHOST_IP_IN_HEX + ", onap://cluster.local/]";
+
+
+ public static final String TEST_CSR = "-----BEGIN CERTIFICATE REQUEST-----\n"
+ + "MIIDNTCCAh0CAQAwdzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx\n"
+ + "FjAUBgNVBAcTDVNhbi1GcmFuY2lzY28xGTAXBgNVBAoTEExpbnV4LUZvdW5kYXRp\n"
+ + "b24xDTALBgNVBAsTBE9OQVAxETAPBgNVBAMTCG9uYXAub3JnMIIBIjANBgkqhkiG\n"
+ + "9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxRYVFOosyABMq+yANz9phmYyfmHbw9F9r3Ca\n"
+ + "v1oZ2xw1LbF2HGBq8F45nXfMjX2H+Lxk8m/XmIDb+9lzINU6J6xmDrKZiiif5ORa\n"
+ + "oRENfQZNWkAWPguWyKGtHk6ueeSjS8D0SWwloc1g0hB3GREffocuJ24K+t2nXglf\n"
+ + "7XVgmHxjiE8k+pD3SUo5rA7Fx1TmLguEA8aCRGaYg/aofCNe9hDm34iqUzm5tPPQ\n"
+ + "OgR3Lpqx2JW0iJYbQXmX3cG/RE0qFl+rgrNhCd8ptX7IUiWtQmttssR3bE8JVgaf\n"
+ + "x9EU9GZ5dZXifSFJzs42UY7X6DPiQDFerfWRNc3dRTYBlkbTiwIDAQABoHkwdwYJ\n"
+ + "KoZIhvcNAQkOMWowaDBZBgNVHREEUjBQgglsb2NhbGhvc3SCCG9uYXAub3Jngg10\n"
+ + "ZXN0Lm9uYXAub3JngQ1vbmFwQG9uYXAub3JnhwR/AAABhhVvbmFwOi8vY2x1c3Rl\n"
+ + "ci5sb2NhbC8wCwYDVR0PBAQDAgWgMA0GCSqGSIb3DQEBCwUAA4IBAQAk9lRwbWyL\n"
+ + "VRWSM5cBiRK2nCKhfur20khHFQgYcPAD8BRXEk5/F0KBSBMNGMrBgOYqq3IYsoMc\n"
+ + "mvs9KKVqIV3+lBej2QTF3cxdHYPTrCvvkoheMYt5qqjkrQRbiydzj7/wvflmBXs1\n"
+ + "7TViU+TqoJ8q5DWTEvv0X5t/WF6sSIxFHHKD7otDXPW5CAeqXO5A99bTrSiXmVAH\n"
+ + "72/n/JFHueURv+NbpHyBNXweezNnB5BDrrqduabkhn31ThA0wzePDNR02aXwxxHn\n"
+ + "77sSa3iuAN3IaVWYfxCOX4fEw8F+wMAAMTiWItM8Lc9DT5rsYeRHAZmOMVEnowc2\n"
+ + "3eKLFeWDIi2Z\n"
+ + "-----END CERTIFICATE REQUEST-----\n";
public static final String TEST_WRONG_CSR = ""
- + "-----BEGIN CERTIFICATE REQUEST-----\n"
- + "MIIDIzCCAgsCAQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh\n"
- + "MRYwFAYDVQQHDA1TYW4tRnJhbmNpc2NvMRkwFwYDVQQKDBBMaW51eC1Gb3VuZGF0\n"
- + "aW9uMQ0wCwYDVQQLDARPTkFQMREwDwYDVQQDDAhvbmFwLm9yZzEeMBwGCSqGSIb3\n"
- + "-----END CERTIFICATE REQUEST-----\n";
+ + "-----BEGIN CERTIFICATE REQUEST-----\n"
+ + "MIIDIzCCAgsCAQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh\n"
+ + "MRYwFAYDVQQHDA1TYW4tRnJhbmNpc2NvMRkwFwYDVQQKDBBMaW51eC1Gb3VuZGF0\n"
+ + "aW9uMQ0wCwYDVQQLDARPTkFQMREwDwYDVQQDDAhvbmFwLm9yZzEeMBwGCSqGSIb3\n"
+ + "-----END CERTIFICATE REQUEST-----\n";
public static final String TEST_PK = "-----BEGIN PRIVATE KEY-----\n"
- + "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDXcrUutDUvp4vs\n"
- + "HwriS5w1y3SxKNl7tbD3VXjSzqaNxZqN4UmT6k5tkrMF+ciaRUnDF00wMPq1fXrD\n"
- + "KRsZ9A/KHgEGICMtWT1dJ6g8cVEFDgspO7I+1eERfKurBq1hcZZkTnniqrriltF5\n"
- + "105QkeAxzfxKs6T94wArEHS5GtekDSY8fvPAhnhfyDY+jEkojUFJhzyQ6++6OwZI\n"
- + "zDd7mdLwD52gVTBWLeMkydpUKhmu8lu1ER9cdmoEtDldDyY2kgV+YZgX+29b87os\n"
- + "F2VmS4BD2LgUGB/n4d0hVk5eufT2SwhnFbq/Ei8BWLTkA5KBeJy3KmFw0/aL96sF\n"
- + "4JAJUHszAgMBAAECggEAJ1StdsU3IGf5xzUzi3Q6JCfsOZs3eLoGgGB+Gh3XkfIM\n"
- + "8PG7uOEBSEeLnv+me2NCv/a1BKMsYY1yp8YNSIOhjkhD75ZWVaUA6syejcox/DZA\n"
- + "G1rmg0oQOF0GCcbCSBOwXMdmwNZiH5Ng0llX1qWKxAzSjeCVsjOKiFIMvO4Fh9D4\n"
- + "9Io6/dRRNCxB6MEs1GT5IDfCV2PGDIalJ3znFqDnfdu9RDEDfNVHSUr6Jdu3Hrf5\n"
- + "3qCcSEkMGuXYLotCNtTP1x0H0wW5gVpcbQEb29qdmHL1qkp3UiA3afsHnO/3k0gv\n"
- + "gV5FxaldugyZAjqUGERdKaY6BMDJkDuu0qD0tPQK4QKBgQDuP5X5BcQ4iHNej+il\n"
- + "xxT8QaEcZj0YEzcXzfm3ztZP7g+Jc1MbQXh6BuHLkXG5LeCwdnmk+LUD0MLoUSm3\n"
- + "N2ZdtVuOHX7VEBrhrTwK/kMDpC7ganQzfvgOr9WQGmgGMRiUYAyK1J/x78yX967Z\n"
- + "IAzdVZ/JSDdsyA983JckLL7CPQKBgQDngDkEJKYGfDt2mfItD8c8nhczGbDdoyYh\n"
- + "s93ppTtgzFoNgFL4y/DOvisWMGgoeeYXSgH5uoPv6yY7IIkQzYySY6qQ3gmk1/X+\n"
- + "bO+IsKVtlHBzqqojFteg3MfVojisMoAx6y5aBw1BXE2nAU8yWBTtuk+3KgGn9Oxk\n"
- + "+Z4rdP06LwKBgA4b09zIW6NhaTubWBKhJHv/wvO0lj+bu7J8LyKUbBqVpXPlUXGW\n"
- + "wfSv/aUZetuVfO3WRkPfupB8R16Ml+TSsgwwljhnRMCHUKA2qwyXnA5WJbSCeVkn\n"
- + "Vrc/8Gy1M53SQHtg6L079DDWm44QS9ltzXU6Adlgnm+htVEWmxi4UZ+dAoGAfr6z\n"
- + "+LG7+GcCA2AruEIgOe7wErkpHV+am+8nOymMxeV8FFJCmxbFQ9vYKTDdhfOfZvbM\n"
- + "+BYG8E8VQmAAyyNOqENK+j+mlgrrEp4/0t2r5L/VhW5V8hoqelcGTc+gKZ8IkswJ\n"
- + "N58Owc8wcJQF8TFKXBGaXVTxTSyKVIpZ778AeV8CgYAAvuicDkdwWv5EhDFf3aTI\n"
- + "wfRFYflA6oiygnI63HzVyY4a+SyZs+nQpB5HBDo+Lyz8RaVRC5E7jQ8kiXJpxAu7\n"
- + "1wnspz+pa3q61yR32N+zGuub71FXdLWSOlys6rzJqvqYihKxY22C2TyDyBCR2tMj\n"
- + "mdnshXNAJfKkfghkJhFHrg==\n"
- + "-----END PRIVATE KEY-----";
+ + "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDFFhUU6izIAEyr\n"
+ + "7IA3P2mGZjJ+YdvD0X2vcJq/WhnbHDUtsXYcYGrwXjmdd8yNfYf4vGTyb9eYgNv7\n"
+ + "2XMg1TonrGYOspmKKJ/k5FqhEQ19Bk1aQBY+C5bIoa0eTq555KNLwPRJbCWhzWDS\n"
+ + "EHcZER9+hy4nbgr63adeCV/tdWCYfGOITyT6kPdJSjmsDsXHVOYuC4QDxoJEZpiD\n"
+ + "9qh8I172EObfiKpTObm089A6BHcumrHYlbSIlhtBeZfdwb9ETSoWX6uCs2EJ3ym1\n"
+ + "fshSJa1Ca22yxHdsTwlWBp/H0RT0Znl1leJ9IUnOzjZRjtfoM+JAMV6t9ZE1zd1F\n"
+ + "NgGWRtOLAgMBAAECggEABG7Etp21uCHZl5xQHe39L5qo1BLbYIIbs5Byyo76OeVe\n"
+ + "hNKS93xrq1BTN2l0XlJOdpe2JYXCcZmkWPvBDSH+ltnXycjWjzbusbU5HJpHlWJI\n"
+ + "5xi951NXZtfMDvxyDCfKTG/gjq4yAnueC9t28kdiT/Q2Y4ikEpRdqU3IrIyRSZyo\n"
+ + "duBWfr3ADU5xxnWcTt61vpAQsYh4XiwosyBhXTwsMnWgRkOr6e4Vu2J+wL6vUid7\n"
+ + "7VOr8PtOu73CjYA7zIy0XSOrRq5Q3H7eGgyln0AQtaO0qO2COJHa6cv3yIgesSUL\n"
+ + "8ltiWAGiZZ6qZ72B3tDnKmoEkuvE1/KpeitewGcKkQKBgQDxqHR9IJBOBRjjmyKi\n"
+ + "ra54mJjKwHQ5dxJQpVFLEIRL2H3ujjRNH3ggLAOiH02TqZGS3fnTsTsApnkpy5J/\n"
+ + "qtysjV0SFxP0gprQQ1wM64NWTaeDAt9lXII918YrALAAR86ikrTxOyoS1kqOSEmX\n"
+ + "QZu3VrgkAvs+V5ckvEXjZWxO1wKBgQDQyHErT7aJeUBukj6skahnzhmVNTmjsn3P\n"
+ + "zyy/cOmBz8wn7JsxgTdpWETpHOVsO0G5wg9Ts7V3Krh6AmrEf/6/NlWLdygDfIvM\n"
+ + "9Jxc8D2dLEUUm18jw15tEsQtItj3Rt0e5GJiQO1rNBMb+2Q8FDlX1tu0xgMMZ4En\n"
+ + "izjnAEKObQKBgHnWZrTXgCn14/CNPM8sJfTjatV+Zpq6b999GhlwgGMFCakGxVPE\n"
+ + "8/m0dzh7887pBV440EZs6sSPKjNqUbhQWuYcd7oxLHxwhMFP1M8mxpbym+wvvJYM\n"
+ + "KBYp/d2cgSADFClfMh8Vp0bMB9bol0HNcEblT/3ICwgJfUimK85USmENAoGBAMnl\n"
+ + "O0LF19/C6CLEu2THihGvxR97k9yPy4f8cOpD9xq35lWpQT4zFXGCkUjXz6fE+b73\n"
+ + "QTkQ7GdrYW9jDPouSBuCIGE4ffI5KzusQ9S/4OUvnTHbObpsv9A8OIbpTuR4m3W3\n"
+ + "JsiavrxPZDdH99r9N6KQvG9omCQTp1qlEAaaQsJVAoGBAO4ccgmzbku62OKLIAqy\n"
+ + "JN4Z8i9PaCEPgqfs0THMIKuj1l8FO723zTZMwsBWgZ4Gd32EbYW9tbwvLblGdd6H\n"
+ + "xAXLfLjRWefKm6i2iIdkeNMJmTTCYjHFyoTe84Miq9d3cEnW7s055Pm1uxRPXYk+\n"
+ + "GFRpHltg2qX2u6M8ryskAMah\n"
+ + "-----END PRIVATE KEY-----\n";
public static final String TEST_PEM = ""
- + "-----BEGIN CERTIFICATE REQUEST-----\n"
- + "MIIDIzCCAgsCAQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh\n"
- + "-----END CERTIFICATE REQUEST-----\n";
+ + "-----BEGIN CERTIFICATE REQUEST-----\n"
+ + "MIIDIzCCAgsCAQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh\n"
+ + "-----END CERTIFICATE REQUEST-----\n";
public static final String TEST_WRONG_PEM = ""
- + "-----BEGIN WRONG REQUEST-----"
- + "MIIDIzCCAgsCAQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh"
- + "-----END WRONG REQUEST-----";
+ + "-----BEGIN WRONG REQUEST-----"
+ + "MIIDIzCCAgsCAQAwgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh"
+ + "-----END WRONG REQUEST-----";
}
package org.onap.oom.certservice.certification.model;
+import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.io.pem.PemObject;
import org.junit.jupiter.api.Test;
import org.onap.oom.certservice.certification.Pkcs10CertificationRequestFactory;
import org.onap.oom.certservice.certification.PemObjectFactory;
+import org.onap.oom.certservice.certification.TestData;
import org.onap.oom.certservice.certification.exception.CsrDecryptionException;
import org.onap.oom.certservice.certification.exception.DecryptionException;
import org.onap.oom.certservice.certification.exception.KeyDecryptionException;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;
+import static org.onap.oom.certservice.certification.TestData.LOCALHOST_IP_IN_HEX;
import static org.onap.oom.certservice.certification.TestData.TEST_CSR;
import static org.onap.oom.certservice.certification.TestData.TEST_PEM;
import static org.onap.oom.certservice.certification.TestData.TEST_PK;
class CsrModelTest {
private final Pkcs10CertificationRequestFactory certificationRequestFactory
- = new Pkcs10CertificationRequestFactory();
+ = new Pkcs10CertificationRequestFactory();
private final PemObjectFactory pemObjectFactory
- = new PemObjectFactory();
+ = new PemObjectFactory();
@Test
void shouldByConstructedAndReturnProperFields() throws DecryptionException, IOException {
// When
CsrModel csrModel = generateTestCsrModel(testCsr);
-
+ List<String> sansList = Arrays.stream(csrModel.getSans())
+ .map(generalName -> generalName.getName().toString())
+ .collect(Collectors.toList());
// Then
assertThat(csrModel.getCsr())
- .isEqualTo(testCsr);
+ .isEqualTo(testCsr);
assertThat(csrModel.getPrivateKey().getEncoded())
- .contains(testPrivateKey.getContent());
+ .contains(testPrivateKey.getContent());
assertThat(csrModel.getPublicKey().getEncoded())
- .contains(testPublicKey.getContent());
- assertThat(csrModel.getSans())
- .contains(
- "gerrit.onap.org", "test.onap.org", "onap.com");
+ .contains(testPublicKey.getContent());
+ assertThat(sansList)
+ .contains("localhost", "onap.org", "test.onap.org", "onap@onap.org", LOCALHOST_IP_IN_HEX,
+ "onap://cluster.local/");
+
assertThat(csrModel.getSubjectData().toString())
- .contains(
- "C=US,ST=California,L=San-Francisco,O=Linux-Foundation,OU=ONAP,CN=onap.org,E=tester@onap.org");
+ .contains(TestData.EXPECTED_CERT_SUBJECT);
}
@Test
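Review bot: The assertion at L429-L431 only compares each SAN's string form, so it would still pass if `127.0.0.1` had been parsed as a `dNSName` whose text happens to be `#7f000001`, or if an extra unexpected SAN were present (`contains` allows extras); the typed `GeneralName[]` is the whole point of this refactor, so the test should pin the tags too. After the existing assertion add `assertThat(csrModel.getSans()).extracting(GeneralName::getTagNo).containsExactly(GeneralName.dNSName, GeneralName.dNSName, GeneralName.dNSName, GeneralName.rfc822Name, GeneralName.iPAddress, GeneralName.uniformResourceIdentifier);` and use `containsExactly` in place of `contains` on `sansList`. That needs `org.bouncycastle.asn1.x509.GeneralName` imported in the test, which the visible import block at L381-L400 does not have.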
PKCS10CertificationRequest testCsr = mock(PKCS10CertificationRequest.class);
SubjectPublicKeyInfo wrongKryInfo = mock(SubjectPublicKeyInfo.class);
when(testCsr.getSubjectPublicKeyInfo())
- .thenReturn(wrongKryInfo);
+ .thenReturn(wrongKryInfo);
when(wrongKryInfo.getEncoded())
- .thenThrow(new IOException());
+ .thenThrow(new IOException());
// When
Exception exception = assertThrows(
- CsrDecryptionException.class,
- () -> new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build()
+ CsrDecryptionException.class,
+ () -> new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build()
);
String expectedMessage = "Reading Public Key from CSR failed";
PKCS10CertificationRequest testCsr = mock(PKCS10CertificationRequest.class);
SubjectPublicKeyInfo wrongKryInfo = mock(SubjectPublicKeyInfo.class);
when(testCsr.getSubjectPublicKeyInfo())
- .thenReturn(wrongKryInfo);
+ .thenReturn(wrongKryInfo);
when(wrongKryInfo.getEncoded())
- .thenThrow(new IOException());
+ .thenThrow(new IOException());
// When
Exception exception = assertThrows(
- KeyDecryptionException.class,
- () -> new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build()
+ KeyDecryptionException.class,
+ () -> new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build()
);
String expectedMessage = "Converting Private Key failed";
PKCS10CertificationRequest testCsr = mock(PKCS10CertificationRequest.class);
SubjectPublicKeyInfo wrongKryInfo = mock(SubjectPublicKeyInfo.class);
when(testCsr.getSubjectPublicKeyInfo())
- .thenReturn(wrongKryInfo);
+ .thenReturn(wrongKryInfo);
when(wrongKryInfo.getEncoded())
- .thenReturn(testPublicKey.getContent());
+ .thenReturn(testPublicKey.getContent());
// When
Exception exception = assertThrows(
- KeyDecryptionException.class,
- () -> new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build()
+ KeyDecryptionException.class,
+ () -> new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build()
);
String expectedMessage = "Converting Public Key from CSR failed";
private PemObject getPemPrivateKey() throws KeyDecryptionException {
PemObjectFactory pemObjectFactory = new PemObjectFactory();
return pemObjectFactory.createPemObject(TEST_PK).orElseThrow(
- () -> new KeyDecryptionException("Private key decoding fail")
+ () -> new KeyDecryptionException("Private key decoding fail")
);
}
private PemObject getPemWrongKey() throws KeyDecryptionException {
PemObjectFactory pemObjectFactory = new PemObjectFactory();
return pemObjectFactory.createPemObject(TEST_PEM).orElseThrow(
- () -> new KeyDecryptionException("Private key decoding fail")
+ () -> new KeyDecryptionException("Private key decoding fail")
);
}
private CsrModel generateTestCsrModel(PKCS10CertificationRequest testCsr) throws DecryptionException {
PemObject testPrivateKey = pemObjectFactory.createPemObject(TEST_PK).orElseThrow(
- () -> new DecryptionException("Incorrect Private Key, decryption failed")
+ () -> new DecryptionException("Incorrect Private Key, decryption failed")
);
return new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build();
}
private PKCS10CertificationRequest generateTestCertificationRequest() throws DecryptionException {
return pemObjectFactory.createPemObject(TEST_CSR)
- .flatMap(
- certificationRequestFactory::createPkcs10CertificationRequest
- ).orElseThrow(
- () -> new DecryptionException("Incorrect CSR, decryption failed")
- );
+ .flatMap(
+ certificationRequestFactory::createPkcs10CertificationRequest
+ ).orElseThrow(
+ () -> new DecryptionException("Incorrect CSR, decryption failed")
+ );
}
}
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
}
private void setCsrModelAndServerValues(String iak, String rv, String externalCaUrl, Date notBefore, Date notAfter) {
- csrModel = new CsrModel(null, dn, keyPair.getPrivate(), keyPair.getPublic(), Collections.emptyList());
+ csrModel = new CsrModel(null, dn, keyPair.getPrivate(), keyPair.getPublic(), new GeneralName[0]);
Authentication authentication = new Authentication();
authentication.setIak(iak);
major=2
-minor=2
+minor=3
patch=0
base_version=${major}.${minor}.${patch}
release_version=${base_version}
<parent>
<artifactId>oom-certservice</artifactId>
<groupId>org.onap.oom.platform.cert-service</groupId>
- <version>2.2.0-SNAPSHOT</version>
+ <version>2.3.0-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<artifactId>oom-certservice-client</artifactId>
- <version>2.2.0-SNAPSHOT</version>
+ <version>2.3.0-SNAPSHOT</version>
<name>oom-certservice-client</name>
<description>OOM Certification Service Api Client</description>
<packaging>jar</packaging>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
+ <dependency>
+ <groupId>commons-validator</groupId>
+ <artifactId>commons-validator</artifactId>
+ </dependency>
<dependency>
<groupId>org.assertj</groupId>
<artifactId>assertj-core</artifactId>
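Review bot: The new `commons-validator` dependency at L557-L560 carries no `<version>`, so it is resolved from the parent's dependencyManagement, which is outside this diff — please confirm the managed version is pinned and current. To my knowledge commons-validator pulls in commons-beanutils, commons-digester, commons-collections and commons-logging transitively, and releases before 1.7 bind to commons-beanutils versions affected by CVE-2019-10086 (fixed in beanutils 1.9.4), so either manage validator at 1.7 or later or pin beanutils explicitly. It is also worth asking whether the client needs the whole library for SAN validation — `java.net.InetAddress`/`java.net.IDN` plus a hostname pattern cover most of it without a new transitive tree — but that depends on how `SanMapper` uses it, which this diff does not show.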
package org.onap.oom.certservice.client;
+import static org.onap.oom.certservice.client.api.ExitStatus.SUCCESS;
+import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.KEY_SIZE;
+import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.RSA_ENCRYPTION_ALGORITHM;
+
+import java.security.KeyPair;
+import javax.net.ssl.SSLContext;
+import org.onap.oom.certservice.client.api.ExitStatus;
import org.onap.oom.certservice.client.api.ExitableException;
import org.onap.oom.certservice.client.certification.ArtifactsCreatorProvider;
import org.onap.oom.certservice.client.certification.CsrFactory;
import org.onap.oom.certservice.client.configuration.EnvsForTls;
import org.onap.oom.certservice.client.configuration.factory.ClientConfigurationFactory;
import org.onap.oom.certservice.client.configuration.factory.CsrConfigurationFactory;
+import org.onap.oom.certservice.client.configuration.factory.SanMapper;
import org.onap.oom.certservice.client.configuration.factory.SslContextFactory;
import org.onap.oom.certservice.client.configuration.model.ClientConfiguration;
import org.onap.oom.certservice.client.configuration.model.CsrConfiguration;
+import org.onap.oom.certservice.client.configuration.validation.client.OutputTypeValidator;
+import org.onap.oom.certservice.client.configuration.validation.csr.CommonNameValidator;
import org.onap.oom.certservice.client.httpclient.CloseableHttpsClientProvider;
import org.onap.oom.certservice.client.httpclient.HttpClient;
import org.onap.oom.certservice.client.httpclient.model.CertServiceResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.net.ssl.SSLContext;
-import java.security.KeyPair;
-
-import static org.onap.oom.certservice.client.api.ExitStatus.SUCCESS;
-import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.KEY_SIZE;
-import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.RSA_ENCRYPTION_ALGORITHM;
-
public class CertServiceClient {
private static final Logger LOGGER = LoggerFactory.getLogger(CertServiceClient.class);
PrivateKeyToPemEncoder pkEncoder = new PrivateKeyToPemEncoder();
Base64Encoder base64Encoder = new Base64Encoder();
try {
- ClientConfiguration clientConfiguration = new ClientConfigurationFactory(new EnvsForClient()).create();
- CsrConfiguration csrConfiguration = new CsrConfigurationFactory(new EnvsForCsr()).create();
+ ClientConfiguration clientConfiguration = new ClientConfigurationFactory(new EnvsForClient(),
+ new OutputTypeValidator()).create();
+ CsrConfiguration csrConfiguration = new CsrConfigurationFactory(new EnvsForCsr(), new CommonNameValidator(),
+ new SanMapper()).create();
KeyPair keyPair = keyPairFactory.create();
CsrFactory csrFactory = new CsrFactory(csrConfiguration);
SSLContext sslContext = new SslContextFactory(new EnvsForTls()).create();
CloseableHttpsClientProvider provider = new CloseableHttpsClientProvider(
- sslContext, clientConfiguration.getRequestTimeout());
+ sslContext, clientConfiguration.getRequestTimeoutInMs());
HttpClient httpClient = new HttpClient(provider, clientConfiguration.getUrlToCertService());
CertServiceResponse certServiceData =
- httpClient.retrieveCertServiceData(
- clientConfiguration.getCaName(),
- base64Encoder.encode(csrFactory.createCsrInPem(keyPair)),
- base64Encoder.encode(pkEncoder.encodePrivateKeyToPem(keyPair.getPrivate())));
+ httpClient.retrieveCertServiceData(
+ clientConfiguration.getCaName(),
+ base64Encoder.encode(csrFactory.createCsrInPem(keyPair)),
+ base64Encoder.encode(pkEncoder.encodePrivateKeyToPem(keyPair.getPrivate())));
ArtifactsCreatorProvider
- .get(clientConfiguration.getOutputType(),
- clientConfiguration.getCertsOutputPath())
- .create(certServiceData.getCertificateChain(),
- certServiceData.getTrustedCertificates(),
- keyPair.getPrivate());
+ .get(clientConfiguration.getOutputType(),
+ clientConfiguration.getCertsOutputPath())
+ .create(certServiceData.getCertificateChain(),
+ certServiceData.getTrustedCertificates(),
+ keyPair.getPrivate());
} catch (ExitableException e) {
LOGGER.error("Cert Service Client fails in execution: ", e);
appExitHandler.exit(e.applicationExitStatus());
+ } catch (Exception e) {
+ LOGGER.error("Application failed (unexpected error): ", e);
+ appExitHandler.exit(ExitStatus.UNEXPECTED_EXCEPTION);
}
appExitHandler.exit(SUCCESS);
}
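Review bot: Both catch blocks call `appExitHandler.exit(...)` and then fall through to `appExitHandler.exit(SUCCESS)` at L641, which is only correct if `exit` never returns (i.e. it calls `System.exit`); the `AppExitHandler` type that decides this is outside the diff, and with a non-terminating handler (a test double, an in-process runner) a failed run would be reported as a success. A `return;` after each error exit, or moving `appExitHandler.exit(SUCCESS)` to the end of the `try` block, removes that dependency. The new `catch (Exception e)` at L637-L639 is the right backstop now that `ExitableException` is unchecked, and its ordering after the specific catch is correct; it does not cover `Error` subclasses such as `NoClassDefFoundError`, which is acceptable as long as the JVM's own non-zero exit suffices there. The enclosing method's signature starts outside the hunk.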
PEM_CONVERSION_EXCEPTION(7, "Fail in PEM conversion"),
PK_TO_PEM_ENCODING_EXCEPTION(8, "Fail in Private Key to PEM Encoding"),
TLS_CONFIGURATION_EXCEPTION(9, "Invalid TLS configuration"),
- FILE_CREATION_EXCEPTION(10, "File could not be created");
+ FILE_CREATION_EXCEPTION(10, "File could not be created"),
+ UNEXPECTED_EXCEPTION(99, "Application exited abnormally");
private final int value;
private final String message;
package org.onap.oom.certservice.client.api;
-public abstract class ExitableException extends Exception {
+public abstract class ExitableException extends RuntimeException {
public ExitableException(Throwable cause) {
super(cause);
}
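Review bot: Turning `ExitableException` into a `RuntimeException` at L653 removes the compile-time guarantee that every path between a throw site and `CertServiceClient` handles or declares it, so the exit-code contract now rests solely on the catch order at the entry point; that is a defensible design choice but it deserves a class-level Javadoc stating it, e.g. `/** Unchecked base for failures that map to a process exit code via {@link #applicationExitStatus()}. Deliberately unchecked so it can propagate through lambdas and factories; CertServiceClient must catch it before its generic Exception handler. */`. The cause-only constructor at L654 keeps the stack trace intact, and any subclass constructor that takes a message should likewise pass the cause through so the entry-point log stays useful; the rest of the class is outside the hunk.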
package org.onap.oom.certservice.client.certification;
+import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.COMMON_NAME;
+import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.COUNTRY;
+import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.LOCATION;
+import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.ORGANIZATION;
+import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.ORGANIZATION_UNIT;
+import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.SIGN_ALGORITHM;
+import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.STATE;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.security.KeyPair;
+import java.util.List;
+import java.util.Optional;
+import java.util.stream.Collectors;
+import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.onap.oom.certservice.client.certification.exception.CsrGenerationException;
import org.onap.oom.certservice.client.configuration.model.CsrConfiguration;
+import org.onap.oom.certservice.client.configuration.model.San;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import javax.security.auth.x500.X500Principal;
-import java.io.IOException;
-import java.io.StringWriter;
-import java.security.KeyPair;
-import java.util.Optional;
-
-import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.COMMON_NAME;
-import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.COUNTRY;
-import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.LOCATION;
-import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.ORGANIZATION;
-import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.ORGANIZATION_UNIT;
-import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.SIGN_ALGORITHM;
-import static org.onap.oom.certservice.client.certification.EncryptionAlgorithmConstants.STATE;
-
public class CsrFactory {
private static final Logger LOGGER = LoggerFactory.getLogger(CsrFactory.class);
- private static final String SANS_DELIMITER = ":";
private final CsrConfiguration configuration;
private StringBuilder getMandatoryParameters() {
return new StringBuilder(String.format("%s=%s, %s=%s, %s=%s, %s=%s",
- COMMON_NAME, configuration.getCommonName(),
- COUNTRY, configuration.getCountry(),
- STATE, configuration.getState(),
- ORGANIZATION, configuration.getOrganization()));
+ COMMON_NAME, configuration.getCommonName(),
+ COUNTRY, configuration.getCountry(),
+ STATE, configuration.getState(),
+ ORGANIZATION, configuration.getOrganization()));
}
private String getOptionalParameters() {
StringBuilder optionalParameters = new StringBuilder();
Optional.ofNullable(configuration.getOrganizationUnit())
- .filter(CsrFactory::isParameterPresent)
- .map(unit -> optionalParameters.append(String.format(", %s=%s", ORGANIZATION_UNIT, unit)));
+ .filter(CsrFactory::isParameterPresent)
+ .map(unit -> optionalParameters.append(String.format(", %s=%s", ORGANIZATION_UNIT, unit)));
Optional.ofNullable(configuration.getLocation())
- .filter(CsrFactory::isParameterPresent)
- .map(location -> optionalParameters.append(String.format(", %s=%s", LOCATION, location)));
+ .filter(CsrFactory::isParameterPresent)
+ .map(location -> optionalParameters.append(String.format(", %s=%s", LOCATION, location)));
return optionalParameters.toString();
}
- private PKCS10CertificationRequest createPkcs10Csr(X500Principal subject, KeyPair keyPair) throws CsrGenerationException {
- JcaPKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic());
+ private PKCS10CertificationRequest createPkcs10Csr(X500Principal subject, KeyPair keyPair)
+ throws CsrGenerationException {
+ JcaPKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(subject,
+ keyPair.getPublic());
- if (isParameterPresent(configuration.getSans())) {
+ if (!configuration.getSans().isEmpty()) {
builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, generateSansExtension());
}
}
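Review bot: `configuration.getSans().isEmpty()` on the new `if` line dereferences a list that may be null: CsrConfigurationFactory only calls `setSans` inside the Optional chain for the SANs env, and the `sans` field of CsrConfiguration is declared without an initializer in this diff, so a client started without SANs would hit a NullPointerException here unless the field is initialized somewhere outside the diff. The replaced `isParameterPresent` check presumably tolerated null. Either guard locally, `List<San> sans = configuration.getSans(); if (sans != null && !sans.isEmpty()) {`, or, preferably, declare the field as `private List<San> sans = List.of();` in CsrConfiguration so that `getSans()` never returns null. The remainder of createPkcs10Csr lies outside the hunk.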
private GeneralNames createGeneralNames() {
- String[] sansTable = this.configuration.getSans().split(SANS_DELIMITER);
- int length = sansTable.length;
- GeneralName[] generalNames = new GeneralName[length];
- for (int i = 0; i < length; i++) {
- generalNames[i] = new GeneralName(GeneralName.dNSName, sansTable[i]);
- }
+ List<San> sans = this.configuration.getSans();
+ GeneralName[] generalNames = sans.stream()
+ .map(san -> new GeneralName(san.getType(), san.getValue()))
+ .collect(Collectors.toList())
+ .toArray(GeneralName[]::new);
return new GeneralNames(generalNames);
}
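Review bot: The stream in createGeneralNames collects into a List only to copy it into an array; `Stream.toArray` does this in one step and drops the intermediate list (and the `Collectors` import, if nothing else in the file uses it). Suggested: `GeneralName[] generalNames = sans.stream().map(san -> new GeneralName(san.getType(), san.getValue())).toArray(GeneralName[]::new);`.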
+++ /dev/null
-/*
- * ============LICENSE_START=======================================================
- * oom-certservice-client
- * ================================================================================
- * Copyright (C) 2020 Nokia. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-
-package org.onap.oom.certservice.client.configuration.factory;
-
-
-import org.onap.oom.certservice.client.certification.ArtifactsCreatorProvider;
-import org.onap.oom.certservice.client.configuration.exception.ClientConfigurationException;
-import org.onap.oom.certservice.client.configuration.exception.CsrConfigurationException;
-import org.onap.oom.certservice.client.configuration.model.ConfigurationModel;
-
-import java.util.Arrays;
-import java.util.Locale;
-import java.util.regex.Pattern;
-
-public abstract class AbstractConfigurationFactory<T extends ConfigurationModel> {
-
- abstract T create() throws ClientConfigurationException, CsrConfigurationException;
-
- public boolean isPathValid(String path) {
- return path.matches("^/|(/[a-zA-Z0-9_-]+)+/?$");
- }
-
- public boolean isAlphaNumeric(String caName) {
- return caName.matches("^[a-zA-Z0-9]*$");
- }
-
- public boolean isCommonNameValid(String commonName) {
- return !isSpecialCharsPresent(commonName)
- && !isHttpProtocolsPresent(commonName)
- && !isIpAddressPresent(commonName)
- && !isPortNumberPresent(commonName);
- }
-
- public boolean isSpecialCharsPresent(String stringToCheck) {
- return Pattern.compile("[~#@*$+%!()?/{}<>\\|_^]").matcher(stringToCheck).find();
- }
-
- public boolean isCountryValid(String country) {
- return Arrays.asList(Locale.getISOCountries()).contains(country);
- }
-
- public boolean isOutputTypeValid(String outputType) {
- return Arrays.stream(ArtifactsCreatorProvider.values())
- .map(ArtifactsCreatorProvider::toString)
- .anyMatch(name -> name.equals(outputType));
- }
-
- private boolean isPortNumberPresent(String stringToCheck) {
- return Pattern.compile(":[0-9]{1,5}").matcher(stringToCheck).find();
- }
-
- private boolean isIpAddressPresent(String stringToCheck) {
- return Pattern.compile("[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}").matcher(stringToCheck).find();
- }
-
- private boolean isHttpProtocolsPresent(String stringToCheck) {
- return Pattern.compile("[h][t][t][p][:][/][/]|[h][t][t][p][s][:][/][/]").matcher(stringToCheck).find();
- }
-}
package org.onap.oom.certservice.client.configuration.factory;
+import java.util.Optional;
import org.onap.oom.certservice.client.configuration.ClientConfigurationEnvs;
import org.onap.oom.certservice.client.configuration.EnvsForClient;
import org.onap.oom.certservice.client.configuration.exception.ClientConfigurationException;
import org.onap.oom.certservice.client.configuration.model.ClientConfiguration;
+import org.onap.oom.certservice.client.configuration.validation.client.ClientEnvsValueValidators;
+import org.onap.oom.certservice.client.configuration.validation.client.OutputTypeValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import java.util.Optional;
-
-public class ClientConfigurationFactory extends AbstractConfigurationFactory<ClientConfiguration> {
+public class ClientConfigurationFactory implements ConfigurationFactory<ClientConfiguration> {
private static final Logger LOGGER = LoggerFactory.getLogger(ClientConfigurationFactory.class);
private final EnvsForClient envsForClient;
+ private final OutputTypeValidator outputTypeValidator;
- public ClientConfigurationFactory(EnvsForClient envsForClient) {
+
+ public ClientConfigurationFactory(EnvsForClient envsForClient, OutputTypeValidator outputTypeValidator) {
this.envsForClient = envsForClient;
+ this.outputTypeValidator = outputTypeValidator;
}
@Override
ClientConfiguration configuration = new ClientConfiguration();
-
envsForClient.getUrlToCertService()
- .map(configuration::setUrlToCertService);
+ .map(configuration::setUrlToCertService);
envsForClient.getRequestTimeOut()
- .map(timeout -> configuration.setRequestTimeout(Integer.valueOf(timeout)));
+ .map(timeout -> configuration.setRequestTimeoutInMs(Integer.valueOf(timeout)));
envsForClient.getOutputPath()
- .filter(this::isPathValid)
- .map(configuration::setCertsOutputPath)
- .orElseThrow(() -> new ClientConfigurationException(ClientConfigurationEnvs.OUTPUT_PATH + " is invalid."));
+ .filter(ClientEnvsValueValidators::isPathValid)
+ .map(configuration::setCertsOutputPath)
+ .orElseThrow(() -> new ClientConfigurationException(ClientConfigurationEnvs.OUTPUT_PATH + " is invalid."));
envsForClient.getCaName()
- .filter(this::isAlphaNumeric)
- .map(configuration::setCaName)
- .orElseThrow(() -> new ClientConfigurationException(ClientConfigurationEnvs.CA_NAME + " is invalid."));
+ .filter(ClientEnvsValueValidators::isAlphaNumeric)
+ .map(configuration::setCaName)
+ .orElseThrow(() -> new ClientConfigurationException(ClientConfigurationEnvs.CA_NAME + " is invalid."));
Optional<String> outputType = envsForClient.getOutputType();
if (outputType.isPresent()) {
- outputType.filter(this::isOutputTypeValid)
- .map(configuration::setOutputType)
- .orElseThrow(() -> new ClientConfigurationException(ClientConfigurationEnvs.OUTPUT_TYPE + " is invalid."));
+ outputType.filter(outputTypeValidator)
+ .map(configuration::setOutputType)
+ .orElseThrow(
+ () -> new ClientConfigurationException(ClientConfigurationEnvs.OUTPUT_TYPE + " is invalid."));
}
LOGGER.info("Successful validation of Client configuration. Configuration data: {}", configuration.toString());
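Review bot: The renamed `setRequestTimeoutInMs` line still calls `Integer.valueOf(timeout)` with no validation, so a non-numeric REQUEST_TIMEOUT value escapes as a NumberFormatException; with ExitableException now unchecked and the new catch-all in the entry point, that is reported as UNEXPECTED_EXCEPTION instead of a ClientConfigurationException naming the variable, unlike every other field handled in create(). Parsing inside a small helper that converts the failure keeps the error reporting consistent; if ClientConfigurationException has a cause-taking constructor, pass the NumberFormatException through. Zero or negative values are also accepted as-is, which may or may not be intended. create() ends outside the hunk.
```java
        envsForClient.getRequestTimeOut()
                .map(timeout -> configuration.setRequestTimeoutInMs(parseTimeoutInMs(timeout)));
        // … unchanged: remaining setters, logging and return …

    private static Integer parseTimeoutInMs(String timeout) {
        try {
            return Integer.valueOf(timeout);
        } catch (NumberFormatException e) {
            throw new ClientConfigurationException(ClientConfigurationEnvs.REQUEST_TIMEOUT + " is invalid.");
        }
    }
```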
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.client.configuration.factory;
+
+
+import org.onap.oom.certservice.client.configuration.exception.ClientConfigurationException;
+import org.onap.oom.certservice.client.configuration.exception.CsrConfigurationException;
+import org.onap.oom.certservice.client.configuration.model.ConfigurationModel;
+
+interface ConfigurationFactory<T extends ConfigurationModel> {
+
+ T create() throws ClientConfigurationException, CsrConfigurationException;
+
+}
package org.onap.oom.certservice.client.configuration.factory;
+import static org.onap.oom.certservice.client.configuration.validation.csr.CsrEnvsValueValidators.isSpecialCharPresent;
+
+import java.util.Arrays;
+import java.util.stream.Collectors;
import org.onap.oom.certservice.client.configuration.CsrConfigurationEnvs;
import org.onap.oom.certservice.client.configuration.EnvsForCsr;
import org.onap.oom.certservice.client.configuration.exception.CsrConfigurationException;
import org.onap.oom.certservice.client.configuration.model.CsrConfiguration;
+import org.onap.oom.certservice.client.configuration.validation.csr.CommonNameValidator;
+import org.onap.oom.certservice.client.configuration.validation.csr.CsrEnvsValueValidators;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-public class CsrConfigurationFactory extends AbstractConfigurationFactory<CsrConfiguration> {
+public class CsrConfigurationFactory implements ConfigurationFactory<CsrConfiguration> {
private static final Logger LOGGER = LoggerFactory.getLogger(CsrConfigurationFactory.class);
+ private static final String SANS_DELIMITER = ",";
+
private final EnvsForCsr envsForCsr;
+ private final CommonNameValidator commonNameValidator;
+ private final SanMapper sanMapper;
- public CsrConfigurationFactory(EnvsForCsr envsForCsr) {
+ public CsrConfigurationFactory(EnvsForCsr envsForCsr, CommonNameValidator commonNameValidator,
+ SanMapper sanMapper) {
this.envsForCsr = envsForCsr;
+ this.commonNameValidator = commonNameValidator;
+ this.sanMapper = sanMapper;
}
@Override
CsrConfiguration configuration = new CsrConfiguration();
envsForCsr.getCommonName()
- .filter(this::isCommonNameValid)
- .map(configuration::setCommonName)
- .orElseThrow(() -> new CsrConfigurationException(CsrConfigurationEnvs.COMMON_NAME + " is invalid."));
+ .filter(commonNameValidator)
+ .map(configuration::setCommonName)
+ .orElseThrow(() -> new CsrConfigurationException(CsrConfigurationEnvs.COMMON_NAME + " is invalid."));
envsForCsr.getOrganization()
- .filter(org -> !isSpecialCharsPresent(org))
- .map(configuration::setOrganization)
- .orElseThrow(() -> new CsrConfigurationException(CsrConfigurationEnvs.ORGANIZATION + " is invalid."));
+ .filter(org -> !isSpecialCharPresent(org))
+ .map(configuration::setOrganization)
+ .orElseThrow(() -> new CsrConfigurationException(CsrConfigurationEnvs.ORGANIZATION + " is invalid."));
envsForCsr.getState()
- .map(configuration::setState)
- .orElseThrow(() -> new CsrConfigurationException(CsrConfigurationEnvs.STATE + " is invalid."));
+ .map(configuration::setState)
+ .orElseThrow(() -> new CsrConfigurationException(CsrConfigurationEnvs.STATE + " is invalid."));
envsForCsr.getCountry()
- .filter(this::isCountryValid)
- .map(configuration::setCountry)
- .orElseThrow(() -> new CsrConfigurationException(CsrConfigurationEnvs.COUNTRY + " is invalid."));
+ .filter(CsrEnvsValueValidators::isCountryValid)
+ .map(configuration::setCountry)
+ .orElseThrow(() -> new CsrConfigurationException(CsrConfigurationEnvs.COUNTRY + " is invalid."));
envsForCsr.getOrganizationUnit()
- .map(configuration::setOrganizationUnit);
+ .map(configuration::setOrganizationUnit);
envsForCsr.getLocation()
- .map(configuration::setLocation);
+ .map(configuration::setLocation);
envsForCsr.getSubjectAlternativesName()
- .map(configuration::setSubjectAlternativeNames);
+ .map(sans -> Arrays.asList(sans.split(SANS_DELIMITER)))
+ .map(list -> list.stream().map(sanMapper).collect(Collectors.toList()))
+ .map(configuration::setSans);
LOGGER.info("Successful validation of CSR configuration. Configuration data: {}", configuration.toString());
return configuration;
}
+
}
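Review bot: The new SAN parsing at the `sans.split(SANS_DELIMITER)` line hands each raw piece straight to SanMapper, so surrounding whitespace (a value written as `a.example, b.example`, constructed here) makes the second entry fail domain validation, and a value still written in the previous `:`-separated form, such as the fixture the old CsrFactoryTest used, is not split at all: it appears to satisfy UriValidator's path-rootless alternative and would be silently emitted as a single uniformResourceIdentifier SAN rather than rejected. Trimming is a one-line change: `.map(sans -> Arrays.stream(sans.split(SANS_DELIMITER)).map(String::trim).map(sanMapper).collect(Collectors.toList()))`. The delimiter change from `:` to `,` also deserves a line in the env documentation, which I cannot see in this diff.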
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.client.configuration.factory;
+
+import static org.onap.oom.certservice.client.configuration.validation.csr.CsrEnvsValueValidators.isDomainNameValid;
+import static org.onap.oom.certservice.client.configuration.validation.csr.CsrEnvsValueValidators.isEmailAddressValid;
+import static org.onap.oom.certservice.client.configuration.validation.csr.CsrEnvsValueValidators.isIpAddressValid;
+import static org.onap.oom.certservice.client.configuration.validation.csr.CsrEnvsValueValidators.isUriValid;
+
+import java.util.function.Function;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.onap.oom.certservice.client.configuration.exception.CsrConfigurationException;
+import org.onap.oom.certservice.client.configuration.model.San;
+
+public class SanMapper implements Function<String, San> {
+
+ public San apply(String san) {
+ if (isEmailAddressValid(san)) {
+ return new San(san, GeneralName.rfc822Name);
+ } else if (isIpAddressValid(san)) {
+ return new San(san, GeneralName.iPAddress);
+ } else if (isDomainNameValid(san)) {
+ return new San(san, GeneralName.dNSName);
+ } else if (isUriValid(san)) {
+ return new San(san, GeneralName.uniformResourceIdentifier);
+ } else {
+ throw new CsrConfigurationException("SAN :" + san + " does not match any requirements");
+ }
+ }
+}
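Review bot: `apply` in SanMapper overrides `Function.apply` without `@Override`, and the same holds for `test` in OutputTypeValidator and CommonNameValidator and for `toString`/`equals`/`hashCode` in San; the annotation costs nothing and catches signature drift. The classification order is also load-bearing but undocumented: `isUriValid` accepts any `scheme:`-prefixed string, so it must stay last, and any value with a colon that is not an email, IP or domain becomes a URI SAN. A comment above the first `if` would capture that: `// Order matters: the first validator that accepts the value decides the GeneralName tag; isUriValid is last because it accepts any "scheme:"-prefixed string.`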
private static final String DEFAULT_OUTPUT_TYPE = "P12";
private String urlToCertService;
- private Integer requestTimeout;
+ private Integer requestTimeoutInMs;
private String certsOutputPath;
private String caName;
private String outputType;
public ClientConfiguration() {
urlToCertService = DEFAULT_REQUEST_URL;
- requestTimeout = DEFAULT_TIMEOUT_MS;
+ requestTimeoutInMs = DEFAULT_TIMEOUT_MS;
outputType = DEFAULT_OUTPUT_TYPE;
}
return this;
}
- public Integer getRequestTimeout() {
- return requestTimeout;
+ public Integer getRequestTimeoutInMs() {
+ return requestTimeoutInMs;
}
- public ClientConfiguration setRequestTimeout(Integer requestTimeout) {
- this.requestTimeout = requestTimeout;
+ public ClientConfiguration setRequestTimeoutInMs(Integer requestTimeoutInMs) {
+ this.requestTimeoutInMs = requestTimeoutInMs;
return this;
}
public String toString() {
return String.format("%s: %s, %s: %s, %s: %s, %s: %s, %s: %s",
ClientConfigurationEnvs.REQUEST_URL, urlToCertService,
- ClientConfigurationEnvs.REQUEST_TIMEOUT, requestTimeout,
+ ClientConfigurationEnvs.REQUEST_TIMEOUT, requestTimeoutInMs,
ClientConfigurationEnvs.OUTPUT_PATH, certsOutputPath,
ClientConfigurationEnvs.CA_NAME, caName,
ClientConfigurationEnvs.OUTPUT_TYPE, outputType);
package org.onap.oom.certservice.client.configuration.model;
+import java.util.List;
import org.onap.oom.certservice.client.configuration.CsrConfigurationEnvs;
public class CsrConfiguration implements ConfigurationModel {
private String country;
private String organizationUnit;
private String location;
- private String sans;
+ private List<San> sans;
public String getCommonName() {
return this;
}
- public String getSans() {
+ public List<San> getSans() {
return sans;
}
- public CsrConfiguration setSubjectAlternativeNames(String subjectAlternativeNames) {
- this.sans = subjectAlternativeNames;
+ public CsrConfiguration setSans(List<San> subjectAlternativeNames) {
+ this.sans = List.copyOf(subjectAlternativeNames);
return this;
}
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.client.configuration.model;
+
+import java.util.Objects;
+
+public final class San {
+
+ private final String value;
+ private final int type;
+
+ public San(String value, int type) {
+ this.value = value;
+ this.type = type;
+ }
+
+ public String getValue() {
+ return value;
+ }
+
+ public int getType() {
+ return type;
+ }
+
+ public String toString() {
+ return "{SAN value: " + value + ", type: " + getReadableType(type) + '}';
+ }
+
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o == null || getClass() != o.getClass()) {
+ return false;
+ }
+ San san1 = (San) o;
+ return type == san1.type &&
+ Objects.equals(value, san1.value);
+ }
+
+ public int hashCode() {
+ return Objects.hash(value, type);
+ }
+
+ private String getReadableType(int type) {
+ String readableType = "undefined";
+ switch (type) {
+ case 1: readableType = "rfc822Name"; break;
+ case 2: readableType = "dNSName"; break;
+ case 6: readableType = "uniformResourceIdentifier"; break;
+ case 7: readableType = "iPAddress"; break;
+ }
+ return readableType;
+ }
+}
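Review bot: `getReadableType` switches on bare tag numbers 1, 2, 6 and 7 although San is always constructed with `GeneralName.rfc822Name` and friends in SanMapper; using the named constants (compile-time `int` constants in BouncyCastle's GeneralName, so legal case labels) removes the chance of the two places drifting apart, at the cost of one import of `org.bouncycastle.asn1.x509.GeneralName` in this model class. `value` is also stored without a null check, which `equals` tolerates but `toString` and the GeneralName construction in CsrFactory likely do not; `Objects.requireNonNull(value, "value")` in the constructor would fail early, and Objects is already imported.
```java
    private String getReadableType(int type) {
        String readableType = "undefined";
        switch (type) {
            case GeneralName.rfc822Name: readableType = "rfc822Name"; break;
            case GeneralName.dNSName: readableType = "dNSName"; break;
            case GeneralName.uniformResourceIdentifier: readableType = "uniformResourceIdentifier"; break;
            case GeneralName.iPAddress: readableType = "iPAddress"; break;
        }
        return readableType;
    }
```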
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.oom.certservice.client.configuration.validation.client;
+
+public final class ClientEnvsValueValidators {
+ private static final String ALPHA_NUMERIC_REGEX = "^[a-zA-Z0-9]*$";
+ private static final String VALID_PATH_REGEX = "^/|(/[a-zA-Z0-9_-]+)+/?$";
+
+ public static boolean isAlphaNumeric(String caName) {
+ return caName.matches(ALPHA_NUMERIC_REGEX);
+ }
+
+ public static boolean isPathValid(String path) {
+ return path.matches(VALID_PATH_REGEX);
+ }
+}
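Review bot: ClientEnvsValueValidators is a `final` class with only static members but, unlike CsrEnvsValueValidators in the same change, has no private constructor, so it can still be instantiated; add `private ClientEnvsValueValidators() { }` after the constants. `String.matches` also recompiles the regex on every call; holding `Pattern.compile(...)` in the constants and using `.matcher(path).matches()` is the usual form, though at config-load frequency this is a style point rather than a cost.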
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.client.configuration.validation.client;
+
+import java.util.Arrays;
+import java.util.function.Predicate;
+import org.onap.oom.certservice.client.certification.ArtifactsCreatorProvider;
+
+public class OutputTypeValidator implements Predicate<String> {
+
+ public boolean test(String outputType) {
+ return Arrays.stream(ArtifactsCreatorProvider.values())
+ .map(ArtifactsCreatorProvider::toString)
+ .anyMatch(name -> name.equals(outputType));
+ }
+
+}
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.client.configuration.validation.csr;
+
+import static org.onap.oom.certservice.client.configuration.validation.csr.CsrEnvsValueValidators.isSpecialCharPresent;
+
+import java.util.function.Predicate;
+import java.util.regex.Pattern;
+
+public final class CommonNameValidator implements Predicate<String> {
+
+ private static final String PORT_POSTFIX_REGEX = ":[0-9]{1,5}";
+ private static final String IPV4_ADDRESS_REGEX = "[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}";
+ private static final String HTTP_HTTPS_SCHEME_REGEX = "[h][t][t][p][:][/][/]|[h][t][t][p][s][:][/][/]";
+
+ public boolean test(String commonName) {
+ return !isSpecialCharPresent(commonName)
+ && !isHttpProtocolsPresent(commonName)
+ && !isIpAddressPresent(commonName)
+ && !isPortNumberPresent(commonName);
+ }
+
+ private boolean isPortNumberPresent(String stringToCheck) {
+ return Pattern.compile(PORT_POSTFIX_REGEX).matcher(stringToCheck).find();
+ }
+
+ private boolean isIpAddressPresent(String stringToCheck) {
+ return Pattern.compile(IPV4_ADDRESS_REGEX).matcher(stringToCheck).find();
+ }
+
+ private boolean isHttpProtocolsPresent(String stringToCheck) {
+ return Pattern.compile(HTTP_HTTPS_SCHEME_REGEX).matcher(stringToCheck).find();
+ }
+
+}
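Review bot: All three helpers in CommonNameValidator call `Pattern.compile` on every invocation, and `isSpecialCharPresent` in CsrEnvsValueValidators does the same; compiling once into `static final Pattern` fields is the idiomatic form. The single-character classes in `HTTP_HTTPS_SCHEME_REGEX` are equivalent to the plainer `https?://`, which is easier to audit. Both points are carried over from the deleted AbstractConfigurationFactory, so they are pre-existing, but this move is the natural place to fix them.
```java
    private static final Pattern PORT_POSTFIX = Pattern.compile(":[0-9]{1,5}");
    private static final Pattern IPV4_ADDRESS = Pattern.compile("[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}");
    private static final Pattern HTTP_HTTPS_SCHEME = Pattern.compile("https?://");

    // … unchanged: test(...) …

    private boolean isPortNumberPresent(String stringToCheck) {
        return PORT_POSTFIX.matcher(stringToCheck).find();
    }

    private boolean isIpAddressPresent(String stringToCheck) {
        return IPV4_ADDRESS.matcher(stringToCheck).find();
    }

    private boolean isHttpProtocolsPresent(String stringToCheck) {
        return HTTP_HTTPS_SCHEME.matcher(stringToCheck).find();
    }
```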
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.client.configuration.validation.csr;
+
+import java.util.Arrays;
+import java.util.Locale;
+import java.util.regex.Pattern;
+import org.apache.commons.validator.routines.DomainValidator;
+import org.apache.commons.validator.routines.EmailValidator;
+import org.apache.commons.validator.routines.InetAddressValidator;
+
+public final class CsrEnvsValueValidators {
+
+ private static final boolean ALLOW_LOCAL_DOMAINS = true;
+
+ private static final String SPECIAL_CHAR_PRESENCE_REGEX = "[~#@*$+%!()?/{}<>\\|_^]";
+
+ private CsrEnvsValueValidators() {
+ }
+
+ public static boolean isCountryValid(String country) {
+ return Arrays.asList(Locale.getISOCountries()).contains(country);
+ }
+
+ public static boolean isEmailAddressValid(String address) {
+ return EmailValidator.getInstance().isValid(address);
+ }
+
+ public static boolean isIpAddressValid(String address) {
+ return InetAddressValidator.getInstance().isValid(address);
+ }
+
+ public static boolean isDomainNameValid(String domain) {
+ return DomainValidator.getInstance(ALLOW_LOCAL_DOMAINS).isValid(domain);
+ }
+
+ public static boolean isUriValid(String uri) {
+ return UriValidator.isValid(uri);
+ }
+
+ public static boolean isSpecialCharPresent(String stringToCheck) {
+ return Pattern.compile(SPECIAL_CHAR_PRESENCE_REGEX).matcher(stringToCheck).find();
+ }
+}
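Review bot: `isCountryValid` rebuilds a list from `Locale.getISOCountries()` on every call and scans it linearly; `private static final Set<String> ISO_COUNTRIES = Set.of(Locale.getISOCountries());` with `return ISO_COUNTRIES.contains(country);` is simpler and an O(1) lookup (country arrives through `Optional.filter` in CsrConfigurationFactory, so it is never null and the null-hostile `Set.of` is safe). It also makes visible that the check is for ISO 3166 alpha-2 codes, which the method name alone does not say. The commons-validator imports are new to this module as far as this diff shows; I cannot see the corresponding pom change here.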
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.oom.certservice.client.configuration.validation.csr;
+
+/**
+ * Compliant with the RFC3986
+ */
+final class UriValidator {
+
+ private static final String SCHEME = "([A-Za-z][A-Za-z0-9+\\-.]*):";
+
+ private static final String OR = "|";
+
+ private static final String AUTHORITY_WITH_PATH = "?:(//)(?:((?:[A-Za-z0-9\\-._~!$&'()*+,;=:]|%[0-9A-Fa-f]{2})*)"
+ + "@)?((?:\\[(?:(?:(?:(?:[0-9A-Fa-f]{1,4}:){6}|::(?:[0-9A-Fa-f]{1,4}:){5}|(?:[0-9A-Fa-f]{1,4})?::"
+ + "(?:[0-9A-Fa-f]{1,4}:){4}|(?:(?:[0-9A-Fa-f]{1,4}:){0,1}[0-9A-Fa-f]{1,4})?::(?:[0-9A-Fa-f]{1,4}:){3}|(?:"
+ + "(?:[0-9A-Fa-f]{1,4}:){0,2}[0-9A-Fa-f]{1,4})?::(?:[0-9A-Fa-f]{1,4}:){2}|(?:(?:[0-9A-Fa-f]{1,4}:){0,"
+ + "3}[0-9A-Fa-f]{1,4})?::[0-9A-Fa-f]{1,4}:|(?:(?:[0-9A-Fa-f]{1,4}:){0,4}[0-9A-Fa-f]{1,4})?::)"
+ + "(?:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}"
+ + "(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(?:(?:[0-9A-Fa-f]{1,4}:){0,5}[0-9A-Fa-f]{1,4})?::[0-9A-Fa-f]{1,"
+ + "4}|(?:(?:[0-9A-Fa-f]{1,4}:){0,6}[0-9A-Fa-f]{1,4})?::)|[Vv][0-9A-Fa-f]+\\.[A-Za-z0-9\\-._~!$&'()*+,;=:]+)"
+ + "\\]|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|"
+ + "(?:[A-Za-z0-9\\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})*))(?::([0-9]*))?((?:/(?:[A-Za-z0-9\\-._~!$&'()*+,;"
+ + "=:@]|%[0-9A-Fa-f]{2})*)*)";
+
+ private static final String PATH_BEGIN_WITH_SLASH = "/((?:(?:[A-Za-z0-9\\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})+(?:/"
+ + "(?:[A-Za-z0-9\\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})*)*)?)";
+
+ private static final String PATH_WITHOUT_SLASH = "((?:[A-Za-z0-9\\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})+(?:/"
+ + "(?:[A-Za-z0-9\\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})*)*)";
+
+ private static final String QUERY = "(?:\\?((?:[A-Za-z0-9\\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*))?";
+
+ private static final String FRAGMENT = "(?:\\#((?:[A-Za-z0-9\\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*))?";
+
+ /**
+ * URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
+ * <p>
+ * hier-part = "//" authority path-abempty / path-absolute / path-rootless / path-empty
+ */
+ private static final String RFC3986_URI_MATCH_PATTERN =
+ SCHEME + "(" + AUTHORITY_WITH_PATH + OR + PATH_BEGIN_WITH_SLASH + OR + PATH_WITHOUT_SLASH + OR + "" + ")"
+ + QUERY + FRAGMENT;
+
+ private UriValidator() {
+ }
+
+ static boolean isValid(String uri) {
+ return uri.matches(RFC3986_URI_MATCH_PATTERN);
+ }
+}
+
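Review bot: `isValid` goes through `String.matches`, which recompiles this very large pattern on every call; hold it once as `private static final Pattern RFC3986_URI = Pattern.compile(SCHEME + "(" + AUTHORITY_WITH_PATH + OR + PATH_BEGIN_WITH_SLASH + OR + PATH_WITHOUT_SLASH + OR + ")" + QUERY + FRAGMENT);` and return `RFC3986_URI.matcher(uri).matches()`. The empty alternative written as `OR + "" + ")"` is the RFC's path-empty case, which means a bare `scheme:` passes; a comment such as `// empty alternative: RFC 3986 path-empty, so "scheme:" alone is a valid URI` would stop a reader from "fixing" it. Since SanMapper tries this validator last, its permissiveness decides what ends up as a URI SAN in the CSR, so that behaviour is worth stating in the class Javadoc as well.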
package org.onap.oom.certservice.client.certification;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.security.KeyPair;
+import java.util.List;
+import org.bouncycastle.asn1.x509.GeneralName;
import org.junit.jupiter.api.Test;
import org.onap.oom.certservice.client.certification.exception.CsrGenerationException;
import org.onap.oom.certservice.client.certification.exception.KeyPairGenerationException;
import org.onap.oom.certservice.client.configuration.model.CsrConfiguration;
-
-import java.security.KeyPair;
-
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.when;
+import org.onap.oom.certservice.client.configuration.model.San;
class CsrFactoryTest {
CsrConfiguration config = mock(CsrConfiguration.class);
-
@Test
- void createEncodedCsr_shouldSucceedWhenAllFieldsAreSetCorrectly() throws KeyPairGenerationException, CsrGenerationException {
+ void createEncodedCsr_shouldSucceedWhenAllFieldsAreSetCorrectly()
+ throws KeyPairGenerationException, CsrGenerationException {
KeyPair keyPair =
- new KeyPairFactory(EncryptionAlgorithmConstants.RSA_ENCRYPTION_ALGORITHM, EncryptionAlgorithmConstants.KEY_SIZE).create();
+ new KeyPairFactory(EncryptionAlgorithmConstants.RSA_ENCRYPTION_ALGORITHM,
+ EncryptionAlgorithmConstants.KEY_SIZE).create();
+ San san1 = new San("onapexample.com", GeneralName.dNSName);
+ San san2 = new San("onapexample.com.pl", GeneralName.dNSName);
when(config.getCommonName()).thenReturn("onap.org");
- when(config.getSans()).thenReturn("onapexample.com:onapexample.com.pl:onapexample.pl");
+ when(config.getSans()).thenReturn(List.of(san1, san2));
when(config.getCountry()).thenReturn("US");
when(config.getLocation()).thenReturn("San-Francisco");
when(config.getOrganization()).thenReturn("Linux-Foundation");
+++ /dev/null
-/*
- * ============LICENSE_START=======================================================
- * oom-certservice-client
- * ================================================================================
- * Copyright (C) 2020 Nokia. All rights reserved.
- * ================================================================================
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * ============LICENSE_END=========================================================
- */
-
-package org.onap.oom.certservice.client.configuration.factory;
-
-import org.junit.jupiter.params.ParameterizedTest;
-import org.junit.jupiter.params.provider.ValueSource;
-import org.mockito.Mockito;
-
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.Mockito.mock;
-
-class AbstractConfigurationFactoryTest {
-
- private final AbstractConfigurationFactory cut = mock(AbstractConfigurationFactory.class, Mockito.CALLS_REAL_METHODS);
-
- @ParameterizedTest
- @ValueSource(strings = {"/var/log", "/", "/var/log/", "/second_var", "/second-var"})
- void shouldAcceptValidPath(String path) {
- assertThat(cut.isPathValid(path)).isTrue();
- }
-
- @ParameterizedTest
- @ValueSource(strings = {"/var/log?", "", "var_", "var", "//", "/var//log"})
- void shouldRejectInvalidPath(String path) {
- assertThat(cut.isPathValid(path)).isFalse();
- }
-
- @ParameterizedTest
- @ValueSource(strings = {"PL", "DE", "PN", "US", "IO", "CA", "KH", "CO", "DK", "EC", "CZ", "CN", "BR", "BD", "BE"})
- void shouldAcceptValidCountryCode(String countryCode) {
- assertThat(cut.isCountryValid(countryCode)).isTrue();
- }
-
- @ParameterizedTest
- @ValueSource(strings = {"", "QQ", "AFG", "D", "&*", "!", "ONAP", "p", "pl", "us", "afg"})
- void shouldRejectInvalidCountryCode(String countryCode) {
- assertThat(cut.isCountryValid(countryCode)).isFalse();
- }
-
- @ParameterizedTest
- @ValueSource(strings = {"caname", "caname1", "123caName", "ca1name"})
- void shouldAcceptValidAlphanumeric(String caName) {
- assertThat(cut.isAlphaNumeric(caName)).isTrue();
- }
-
- @ParameterizedTest
- @ValueSource(strings = {"44caname$", "#caname1", "1c_aname", "ca1-name"})
- void shouldRejectInvalidAlphanumeric(String caName) {
- assertThat(cut.isAlphaNumeric(caName)).isFalse();
- }
-
- @ParameterizedTest
- @ValueSource(strings = {"example.com", "www.example.com"})
- void shouldAcceptValidCommonName(String commonName) {
- assertThat(cut.isCommonNameValid(commonName)).isTrue();
- }
-
- @ParameterizedTest
- @ValueSource(strings = {"https://example.com", "http://example.com", "example.com:8080", "0.0.0.0", "@#$%.com"})
- void shouldRejectInvalidCommonName(String commonName) {
- assertThat(cut.isCommonNameValid(commonName)).isFalse();
- }
-
- @ParameterizedTest
- @ValueSource(strings = {"JKS", "P12", "PEM"})
- void shouldAcceptValidOutputType(String outputType) {
- assertThat(cut.isOutputTypeValid(outputType)).isTrue();
- }
-
- @ParameterizedTest
- @ValueSource(strings = {"jks", "p12", "pem", "", "pass", "!@$#pp"})
- void shouldRejectInvalidOutputType(String outputType) {
- assertThat(cut.isOutputTypeValid(outputType)).isFalse();
- }
-}
import org.onap.oom.certservice.client.configuration.model.ClientConfiguration;
import java.util.Optional;
+import org.onap.oom.certservice.client.configuration.validation.client.OutputTypeValidator;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
private static final String OUTPUT_TYPE_DEFAULT = "P12";
private EnvsForClient envsForClient = mock(EnvsForClient.class);
+ private OutputTypeValidator outputTypeValidator = new OutputTypeValidator();
@Test
when(envsForClient.getOutputType()).thenReturn(Optional.of(OUTPUT_TYPE_VALID));
// when
- ClientConfiguration configuration = new ClientConfigurationFactory(envsForClient).create();
+ ClientConfiguration configuration = new ClientConfigurationFactory(envsForClient, outputTypeValidator).create();
System.out.println(configuration.toString());
// then
assertThat(configuration.getCaName()).isEqualTo(CA_NAME_VALID);
- assertThat(configuration.getRequestTimeout()).isEqualTo(Integer.valueOf(TIME_OUT_VALID));
+ assertThat(configuration.getRequestTimeoutInMs()).isEqualTo(Integer.valueOf(TIME_OUT_VALID));
assertThat(configuration.getCertsOutputPath()).isEqualTo(OUTPUT_PATH_VALID);
assertThat(configuration.getUrlToCertService()).isEqualTo(URL_TO_CERT_SERVICE_VALID);
assertThat(configuration.getOutputType()).isEqualTo(OUTPUT_TYPE_VALID);
when(envsForClient.getOutputPath()).thenReturn(Optional.of(OUTPUT_PATH_VALID));
// when
- ClientConfiguration configuration = new ClientConfigurationFactory(envsForClient).create();
+ ClientConfiguration configuration = new ClientConfigurationFactory(envsForClient, outputTypeValidator).create();
// then
assertThat(configuration.getCaName()).isEqualTo(CA_NAME_VALID);
- assertThat(configuration.getRequestTimeout()).isEqualTo(Integer.valueOf(TIME_OUT_VALID));
+ assertThat(configuration.getRequestTimeoutInMs()).isEqualTo(Integer.valueOf(TIME_OUT_VALID));
assertThat(configuration.getCertsOutputPath()).isEqualTo(OUTPUT_PATH_VALID);
assertThat(configuration.getUrlToCertService()).isEqualTo(URL_TO_CERT_SERVICE_DEFAULT);
assertThat(configuration.getOutputType()).isEqualTo(OUTPUT_TYPE_DEFAULT);
when(envsForClient.getOutputPath()).thenReturn(Optional.of(OUTPUT_PATH_VALID));
// when
- ClientConfigurationFactory configurationFactory = new ClientConfigurationFactory(envsForClient);
+ ClientConfigurationFactory configurationFactory = new ClientConfigurationFactory(envsForClient,
+ outputTypeValidator);
// then
assertThatExceptionOfType(ClientConfigurationException.class)
when(envsForClient.getUrlToCertService()).thenReturn(Optional.of(URL_TO_CERT_SERVICE_VALID));
// when
- ClientConfigurationFactory configurationFactory = new ClientConfigurationFactory(envsForClient);
+ ClientConfigurationFactory configurationFactory = new ClientConfigurationFactory(envsForClient,
+ outputTypeValidator);
// when/then
assertThatExceptionOfType(ClientConfigurationException.class)
when(envsForClient.getUrlToCertService()).thenReturn(Optional.of(URL_TO_CERT_SERVICE_VALID));
// when
- ClientConfigurationFactory configurationFactory = new ClientConfigurationFactory(envsForClient);
+ ClientConfigurationFactory configurationFactory = new ClientConfigurationFactory(envsForClient,
+ outputTypeValidator);
//then
assertThatExceptionOfType(ClientConfigurationException.class)
when(envsForClient.getOutputType()).thenReturn(Optional.of(OUTPUT_TYPE_INVALID));
// when
- ClientConfigurationFactory configurationFactory = new ClientConfigurationFactory(envsForClient);
+ ClientConfigurationFactory configurationFactory = new ClientConfigurationFactory(envsForClient,
+ outputTypeValidator);
//then
assertThatExceptionOfType(ClientConfigurationException.class)
package org.onap.oom.certservice.client.configuration.factory;
+import java.util.List;
import org.assertj.core.api.Condition;
+import org.bouncycastle.asn1.x509.GeneralName;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.onap.oom.certservice.client.configuration.CsrConfigurationEnvs;
import org.onap.oom.certservice.client.configuration.model.CsrConfiguration;
import java.util.Optional;
+import org.onap.oom.certservice.client.configuration.model.San;
+import org.onap.oom.certservice.client.configuration.validation.csr.CommonNameValidator;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
public class CsrConfigurationFactoryTest {
private static final String COMMON_NAME_VALID = "onap.org";
- private static final String SANS_VALID = "test-name";
+ private static final String RAW_SAN1 = "ves-collector";
+ private static final String RAW_SAN2 = "ves";
+ private static final String RAW_SANS_VALID = String.format("%s,%s", RAW_SAN1, RAW_SAN2);
private static final String COUNTRY_VALID = "US";
private static final String LOCATION_VALID = "San-Francisco";
private static final String ORGANIZATION_VALID = "Linux-Foundation";
private static final String COMMON_NAME_INVALID = "onap.org*&";
private static final String COUNTRY_INVALID = "PLA";
private static final String ORGANIZATION_INVALID = "Linux?Foundation";
+ private static final String INVALID_SANS = "192.168.1.";
private EnvsForCsr envsForCsr = mock(EnvsForCsr.class);
+ private CommonNameValidator commonNameValidator = new CommonNameValidator();
+ private SanMapper sanMapper = new SanMapper();
private CsrConfigurationFactory testedFactory;
private Condition<CsrConfigurationException> expectedExitCodeCondition = new Condition<>("Correct exit code") {
@Override
@BeforeEach
void setUp() {
- testedFactory = new CsrConfigurationFactory(envsForCsr);
+ testedFactory = new CsrConfigurationFactory(envsForCsr, commonNameValidator, sanMapper);
}
@Test
void shouldReturnCorrectConfiguration_WhenAllVariablesAreSetAndValid() throws CsrConfigurationException {
// given
mockEnvsWithAllValidParameters();
+ San san1 = new San(RAW_SAN1, GeneralName.dNSName);
+ San san2 = new San(RAW_SAN2, GeneralName.dNSName);
+ List<San> sans = List.of(san1, san2);
// when
CsrConfiguration configuration = testedFactory.create();
// then
assertThat(configuration.getCommonName()).isEqualTo(COMMON_NAME_VALID);
- assertThat(configuration.getSans()).isEqualTo(SANS_VALID);
+ assertThat(configuration.getSans()).isEqualTo(sans);
assertThat(configuration.getCountry()).isEqualTo(COUNTRY_VALID);
assertThat(configuration.getLocation()).isEqualTo(LOCATION_VALID);
assertThat(configuration.getOrganization()).isEqualTo(ORGANIZATION_VALID);
.has(expectedExitCodeCondition);
}
+ @Test
+ void shouldThrowCsrConfigurationExceptionWhenSansInvalid() {
+ // given
+ mockEnvsWithInvalidSans();
+ // when/then
+ assertThatExceptionOfType(CsrConfigurationException.class)
+ .isThrownBy(testedFactory::create)
+ .withMessageContaining("SAN :" + INVALID_SANS + " does not match any requirements")
+ .has(expectedExitCodeCondition);
+ }
+
private void mockEnvsWithAllValidParameters() {
mockEnvsWithValidRequiredParameters();
mockEnvsWithValidOptionalParameters();
private void mockEnvsWithValidOptionalParameters() {
when(envsForCsr.getOrganizationUnit()).thenReturn(Optional.of(ORGANIZATION_UNIT_VALID));
when(envsForCsr.getLocation()).thenReturn(Optional.of(LOCATION_VALID));
- when(envsForCsr.getSubjectAlternativesName()).thenReturn(Optional.of(SANS_VALID));
+ when(envsForCsr.getSubjectAlternativesName()).thenReturn(Optional.of(RAW_SANS_VALID));
}
private void mockEnvsWithValidRequiredParameters() {
mockEnvsWithAllValidParameters();
when(envsForCsr.getState()).thenReturn(Optional.empty());
}
+
+ private void mockEnvsWithInvalidSans() {
+ mockEnvsWithAllValidParameters();
+ when(envsForCsr.getSubjectAlternativesName()).thenReturn(Optional.of(INVALID_SANS));
+ }
}
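Review bot: The invalid-SAN case pins only a malformed IPv4 literal, while the raw value is a comma-delimited list (`RAW_SANS_VALID` at the top of the file), so how the factory treats a stray delimiter or whitespace — `"ves, ves-collector"`, `"ves,"`, `",ves"` — is not covered. SanMapperTest shows that `""` and `" "` are rejected by the mapper, so if the split does not trim or drop empty elements those inputs surface as a rejection of an empty SAN with a confusing message; add one of them either to the valid set (if trimmed) or as a second invalid case so the behaviour is pinned. The expected-message assertion also hard-codes `"SAN :"` with the odd spacing from the mapper; keeping that string in one shared constant would stop the two tests from drifting.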
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.client.configuration.factory;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+
+import java.util.function.Function;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+import org.onap.oom.certservice.client.configuration.exception.CsrConfigurationException;
+import org.onap.oom.certservice.client.configuration.model.San;
+
+class SanMapperTest {
+
+ private Function<String, San> sanMapper = new SanMapper();
+
+ @ParameterizedTest
+ @ValueSource(strings = {"192.178.2.3", "10.183.34.201", "ff:ff:ff:ff:ff:ff:ff:ff", "ff:ff::"})
+ void shouldCorrectlyMapIpAddress(String san) {
+ // when
+ San result = sanMapper.apply(san);
+ // then
+ assertThat(result.getValue()).isEqualTo(san);
+ assertThat(result.getType()).isEqualTo(GeneralName.iPAddress);
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"foo@bar.com", "sample@example.com", "onap@domain.pl", "alex.supertramp@onap.com",
+ "al.super^tramp@onap.org"})
+ void shouldCorrectlyMapEmailAddress(String san) {
+ // when
+ San result = sanMapper.apply(san);
+ // then
+ assertThat(result.getValue()).isEqualTo(san);
+ assertThat(result.getType()).isEqualTo(GeneralName.rfc822Name);
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"sample.com", "Sample.com", "onap.org", "SRI-NIC.ARPA", "ves-collector", "sample"})
+ void shouldCorrectlyMapDomain(String san) {
+ // when
+ San result = sanMapper.apply(san);
+ // then
+ assertThat(result.getValue()).isEqualTo(san);
+ assertThat(result.getType()).isEqualTo(GeneralName.dNSName);
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {" ", "", "192.168.0.", "10.183.34.201:8080", "incoreectdomaim@onap.ux", "<sample@example.com>",
+ "onap@domain"})
+ void shouldThrowExceptionOnIncorrectString(String san) {
+ // when, then
+ assertThatExceptionOfType(CsrConfigurationException.class)
+ .isThrownBy(() -> sanMapper.apply(san))
+ .withMessage("SAN :" + san + " does not match any requirements");
+ }
+}
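Review bot: There is no case for a URI SAN in either direction, although the same commit adds `isUriValid` to CsrEnvsValueValidators and the k8s provider now forwards `uris`; if SanMapper is meant to produce `GeneralName.uniformResourceIdentifier`, add a positive case such as `"http://sample.com/path"`, and if it is not, add that value to `shouldThrowExceptionOnIncorrectString` so the rejection is deliberate rather than accidental. The negative set is also missing a wildcard name (`"*.onap.org"`): whether the domain branch lets a wildcard into the CSR is a policy decision the CA relies on, and the test should pin it. Since SanMapper presumably tries the IP, e-mail and domain checks in a fixed order, one ambiguous-looking input like `"1.2.3.4.com"` would document which branch wins.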
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.client.configuration.validation.client;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.onap.oom.certservice.client.configuration.validation.client.ClientEnvsValueValidators.isAlphaNumeric;
+import static org.onap.oom.certservice.client.configuration.validation.client.ClientEnvsValueValidators.isPathValid;
+
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+
+class ClientEnvsValueValidatorsTest {
+ @ParameterizedTest
+ @ValueSource(strings = {"caname", "caname1", "123caName", "ca1name"})
+ void shouldAcceptValidAlphanumeric(String caName) {
+ assertThat(isAlphaNumeric(caName)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"44caname$", "#caname1", "1c_aname", "ca1-name"})
+ void shouldRejectInvalidAlphanumeric(String caName) {
+ assertThat(isAlphaNumeric(caName)).isFalse();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"/var/log", "/", "/var/log/", "/second_var", "/second-var"})
+ void shouldAcceptValidPath(String path) {
+ assertThat(isPathValid(path)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"/var/log?", "", "var_", "var", "//", "/var//log"})
+ void shouldRejectInvalidPath(String path) {
+ assertThat(isPathValid(path)).isFalse();
+ }
+
+}
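Review bot: The rejection set for `isPathValid` does not include dot segments — `"/var/../etc"`, `"/var/./log"`, `"/."` — so whether the output path (where the client writes the key store) can point outside its intended directory is left unpinned. The accepted cases contain no `.` at all, so I cannot tell from the test whether the regex permits it; add the traversal forms to whichever list matches the intended policy, ideally the rejected one. A trailing-space variant (`"/var/log "`) would also be cheap to add.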
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.client.configuration.validation.client;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+
+class OutputTypeValidatorTest {
+
+ OutputTypeValidator cut = new OutputTypeValidator();
+
+ @ParameterizedTest
+ @ValueSource(strings = {"JKS", "P12", "PEM"})
+ void shouldAcceptValidOutputType(String outputType) {
+ assertThat(cut.test(outputType)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"jks", "p12", "pem", "", "pass", "!@$#pp"})
+ void shouldRejectInvalidOutputType(String outputType) {
+ assertThat(cut.test(outputType)).isFalse();
+ }
+
+}
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.client.configuration.validation.csr;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+
+class CommonNameValidatorTest {
+
+ CommonNameValidator cut = new CommonNameValidator();
+
+ @ParameterizedTest
+ @ValueSource(strings = {"example.com", "www.example.com"})
+ void shouldAcceptValidCommonName(String commonName) {
+ assertThat(cut.test(commonName)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"https://example.com", "http://example.com", "example.com:8080", "0.0.0.0", "@#$%.com"})
+ void shouldRejectInvalidCommonName(String commonName) {
+ assertThat(cut.test(commonName)).isFalse();
+ }
+
+}
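Review bot: The common-name cases do not pin wildcard or empty input: `"*.example.com"` and `""` are the two values most likely to reach a CA by mistake, and neither list says what `CommonNameValidator.test` returns for them. Add both to the rejected set if the client is not meant to request wildcard certificates (CsrConfigurationFactoryTest uses `COMMON_NAME_INVALID = "onap.org*&"`, which rejects `*` only together with `&`, so it does not settle the question). A bare hostname such as `"ves-collector"` is accepted as a dNSName SAN by CsrEnvsValueValidators, so this test should also state whether the same single-label value is valid as CN.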
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.client.configuration.validation.csr;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.onap.oom.certservice.client.configuration.validation.client.ClientEnvsValueValidators.isPathValid;
+import static org.onap.oom.certservice.client.configuration.validation.csr.CsrEnvsValueValidators.isCountryValid;
+import static org.onap.oom.certservice.client.configuration.validation.csr.CsrEnvsValueValidators.isDomainNameValid;
+import static org.onap.oom.certservice.client.configuration.validation.csr.CsrEnvsValueValidators.isEmailAddressValid;
+import static org.onap.oom.certservice.client.configuration.validation.csr.CsrEnvsValueValidators.isIpAddressValid;
+import static org.onap.oom.certservice.client.configuration.validation.csr.CsrEnvsValueValidators.isSpecialCharPresent;
+import static org.onap.oom.certservice.client.configuration.validation.csr.CsrEnvsValueValidators.isUriValid;
+
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+
+class CsrEnvsValueValidatorsTest {
+
+ @ParameterizedTest
+ @ValueSource(strings = {"/var/log", "/", "/var/log/", "/second_var", "/second-var"})
+ void shouldAcceptValidPath(String path) {
+ assertThat(isPathValid(path)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"/var/log?", "", "var_", "var", "//", "/var//log"})
+ void shouldRejectInvalidPath(String path) {
+ assertThat(isPathValid(path)).isFalse();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"PL", "DE", "PN", "US", "IO", "CA", "KH", "CO", "DK", "EC", "CZ", "CN", "BR", "BD", "BE"})
+ void shouldAcceptValidCountryCode(String countryCode) {
+ assertThat(isCountryValid(countryCode)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"", "QQ", "AFG", "D", "&*", "!", "ONAP", "p", "pl", "us", "afg"})
+ void shouldRejectInvalidCountryCode(String countryCode) {
+ assertThat(isCountryValid(countryCode)).isFalse();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"sample@example.com", "onap@domain.pl", "alex.supertramp@onap.com",
+ "al.super^tramp@onap.org"})
+ void shouldAcceptValidEmailAddr(String emailAddr) {
+ assertThat(isEmailAddressValid(emailAddr)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"<sample@example.com>", "onap@domain", "(mailto)user@onap.com", "mailto:axe@axe.de",
+ "incoreectdomaim@onap.ux"})
+ void shouldRejectInvalidEmailAddr(String address) {
+ assertThat(isEmailAddressValid(address)).isFalse();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"192.168.0.1", "10.183.34.201", "ff:ff:ff:ff::", "ff:ff:ff:ff:ff:ff:ff:ff"})
+ void shouldAcceptValidIpAddress(String address) {
+ assertThat(isIpAddressValid(address)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"192.168.0.", "ff:ff:ee:a1:", "fg:ff:ff:ff::", "http://10.183.34.201",
+ "10.183.34.201:8080"})
+ void shouldRejectInvalidIpAddress(String address) {
+ assertThat(isIpAddressValid(address)).isFalse();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"sample.com", "Sample.com", "onap.org", "SRI-NIC.ARPA", "ves-collector", "sample"})
+ void shouldAcceptValidDomainName(String domain) {
+ assertThat(isDomainNameValid(domain)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {" ", "", "sample@onap.org", "192.168.0.1", "http://sample.com"})
+ void shouldRejectInvalidDomainNames(String domain) {
+ assertThat(isDomainNameValid(domain)).isFalse();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"http://sample.com/path", "ftp://sample.com/path/file.txt", "https://ves.pl"})
+ void shouldBeTrueForValidUris(String text) {
+ assertThat(isUriValid(text)).isTrue();
+ }
+ @ParameterizedTest
+ @ValueSource(strings = {"3http://sample.com", "192.168.0.1", "www.example.com"})
+ void shouldBeFalseForInvalidUris(String text) {
+ assertThat(isUriValid(text)).isFalse();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"/text~", "/text#", "/text@", "/text*","/text$", "/text+", "/text%", "/text!", "/text(",
+ "/text)", "/text?", "/text|", "/text_", "/text^"})
+ void shouldBeTrueForStringsWithSpecialChars(String text) {
+ assertThat(isSpecialCharPresent(text)).isTrue();
+ }
+ @ParameterizedTest
+ @ValueSource(strings = {"text", ""})
+ void shouldBeFalseForStringsWithoutSpecialChars(String text) {
+ assertThat(isSpecialCharPresent(text)).isFalse();
+ }
+}
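Review bot: `shouldAcceptValidPath`/`shouldRejectInvalidPath` here are a verbatim copy of the pair in ClientEnvsValueValidatorsTest and exercise `ClientEnvsValueValidators.isPathValid` (static import from the `validation.client` package), not anything in `CsrEnvsValueValidators`; drop the two methods and the cross-package import from this class so each validator is tested in one place. Separately, the IP cases never include `"0.0.0.0"`, `"255.255.255.255"` or a leading-zero form like `"01.2.3.4"`, which is where hand-written IPv4 regexes most often diverge from `InetAddress` parsing; one row each would be worth adding. Minor: the blank line is missing before the `@ParameterizedTest` of `shouldBeFalseForInvalidUris` and `shouldBeFalseForStringsWithoutSpecialChars`.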
--- /dev/null
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-client
+ * ================================================================================
+ * Copyright (C) 2020 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.client.configuration.validation.csr;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.onap.oom.certservice.client.configuration.validation.csr.UriValidator.isValid;
+
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+
+class UriValidatorTest {
+
+ /**
+ * scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
+ */
+
+ @ParameterizedTest
+ @ValueSource(strings = {"http:/", "http:", "http://", "h4ttp://"})
+ void shouldTrueForValidScheme(String uri) {
+ assertThat(isValid(uri)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"example.com", "www.example.com", "0.0.0.0", "[2001:0db8:85a3:0000:0000:8a2e:0370:7334]"})
+ void shouldFalseForUriWithoutScheme(String uri) {
+ assertThat(isValid(uri)).isFalse();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"*http://", "_http://", "?http://", "4http://"})
+ void shouldFalseForUriWithInvalidScheme(String uri) {
+ assertThat(isValid(uri)).isFalse();
+ }
+
+ /**
+ * authority = [ userinfo "@" ] host [ ":" port ]
+ * <p>
+ * userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
+ * <p>
+ * host = IP-literal / IPv4address / reg-name
+ */
+
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "http://user:password@example.com",
+ "http://user@example.com",
+ "http://user:password:test@example.com",
+ "http://user-info:password@example.com"})
+ void shouldTrueForValidUserInAuthority(String uri) {
+ assertThat(isValid(uri)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "http://user:password",
+ "http://user:password:test:"})
+ void shouldFalseForMissingHostInAuthority(String uri) {
+ assertThat(isValid(uri)).isFalse();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]/test",
+ "https://[2001:db8:85a3:8d3:1319:8a2e:370:7348]/",
+ "http://8.8.8.8/",
+ "http://8.8.8.8/test"})
+ void shouldTrueForUriContainsIP(String uri) {
+ assertThat(isValid(uri)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:443/test",
+ "https://[2001:db8:85a3:8d3:1319:8a2e:370:7348]:443/",
+ "http://8.8.8.8:8080/test",
+ "https://8.8.8.8:443/"})
+ void shouldTrueForUriContainsIPAndPort(String uri) {
+ assertThat(isValid(uri)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "http:/path.to.file",
+ "http:/file",
+ "http:/ptah/to/file"})
+ void shouldTrueForMissingAuthority(String uri) {
+ assertThat(isValid(uri)).isTrue();
+ }
+
+ /**
+ * PATH QUERY FRAGMENT
+ */
+
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "http://example.com/path/to/file",
+ "http://example.com/path",
+ "http://example.com/",})
+ void shouldTrueForPathWithAuthority(String uri) {
+ assertThat(isValid(uri)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "http:/path/to/file",
+ "http:/path",
+ "http:/",})
+ void shouldTrueForPathWithoutAuthority(String uri) {
+ assertThat(isValid(uri)).isTrue();
+ }
+
+
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "http://example.com/test.txt?test=test1&test2=test3#onap",
+ "http://example.com?",
+ "http://example.com?test=tes1&#",
+ "http://example.com#onap"})
+ void shouldTrueForUriWithQueryAndFragmentInPath(String uri) {
+ assertThat(isValid(uri)).isTrue();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "http://example.com/test.txt?#onap#?",
+ "http://example.com?##",
+ "http://www.example.com/file%GF.html"})
+ void shouldFalseForUriWithWrongQueryOrWrongFragmentInPath(String uri) {
+ assertThat(isValid(uri)).isFalse();
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {
+ "ftp://ftp.is.co.za/rfc/rfc1808.txt",
+ "http://www.ietf.org/rfc/rfc2396.txt",
+ "ldap://[2001:db8::7]/c=GB?objectClass?one",
+ "mailto:John.Doe@example.com",
+ "news:comp.infosystems.www.servers.unix",
+ "tel:+1-816-555-1212",
+ "telnet://192.0.2.16:80/",
+ "urn:oasis:names:specification:docbook:dtd:xml:4.1.2"})
+ void shouldTrueForRFC3986Examples(String uri) {
+ assertThat(isValid(uri)).isTrue();
+ }
+
+}
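Review bot: `shouldTrueForValidUserInAuthority` pins that `http://user:password@example.com` is accepted, which means a SAN URI carrying credentials would be embedded, unredacted, in a publicly presented certificate; RFC 3986 §3.2.1 deprecates the `user:password` form of userinfo for exactly this reason. Since this validator gates what the client sends to the CA, consider either rejecting a userinfo that contains `:` (moving that row to the rejected group) or keeping the grammar permissive here and having the SAN mapper refuse it with a clear message — either way the test should state the intent rather than quietly bless it. The accepted `"http:"` / `"http:/"` rows are grammatically valid per RFC 3986 but useless as a SAN; a short comment on that test saying it checks scheme syntax only would stop a later reader from treating them as endorsed SAN values.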
major=2
-minor=2
+minor=3
patch=0
base_version=${major}.${minor}.${patch}
release_version=${base_version}
- streetAddresses
- postalCodes
- isCa
- - ipAddresses
- - uris
- - emails
- duration
- usages
- California
organizationalUnits:
- ONAP
- # DNS SAN
+ # SANs
dnsNames:
- localhost
- certissuer.onap.org
+ ipAddresses:
+ - "127.0.0.1"
+ uris:
+ - onap://cluster.local/
+ emailAddresses:
+ - onap@onap.org
# The reference to the CMPv2 issuer
issuerRef:
group: certmanager.onap.org
postalCodes: #***NOT SUPPORTED BY CERT SERVICE API***
- 12-345
serialNumber: "12345" #***NOT SUPPORTED BY CERT SERVICE API***
- # DNS SAN
+ # SANs
dnsNames:
- localhost
- certissuer.onap.org
- ipAddresses: #***NOT SUPPORTED BY CERT SERVICE API***
+ ipAddresses:
- "127.0.0.1"
- uris: #***NOT SUPPORTED BY CERT SERVICE API***
+ uris:
- onap://cluster.local/
- emailAddresses: #***NOT SUPPORTED BY CERT SERVICE API***
+ emailAddresses:
- onap@onap.org
duration: 24h #***OVERRIDDEN BY CMPV2 SERVER***
renewBefore: 8h
<parent>
<artifactId>oom-certservice</artifactId>
<groupId>org.onap.oom.platform.cert-service</groupId>
- <version>2.2.0-SNAPSHOT</version>
+ <version>2.3.0-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<properties>
<version.mvn-clean-plugin>3.1.0</version.mvn-clean-plugin>
<version.mvn-golang-wrapper-plugin>2.3.5</version.mvn-golang-wrapper-plugin>
+ <sonar.go.coverage.reportPaths>bin/coverage.out</sonar.go.coverage.reportPaths>
+ <sonar.exclusions>**/*_test.go, **/testdata/*</sonar.exclusions>
+ <sonar-go-plugin.version>1.1.1.2000</sonar-go-plugin.version>
</properties>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.sonarsource.go</groupId>
+ <artifactId>sonar-go-plugin</artifactId>
+ <version>${sonar-go-plugin.version}</version>
+ </dependency>
+ </dependencies>
+
<build>
<!--Changing standard Maven project source structure to make it Go compatible-->
<sourceDirectory>${basedir}</sourceDirectory>
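Review bot: `sonar-go-plugin` is declared under `<dependencies>` with the default compile scope, so it becomes part of this module's dependency tree (and of anything that builds an SBOM or license report from it) even though the Go sources cannot consume a Java artifact; as far as I can see it is needed only by the Sonar scan. If the Maven-based Sonar run really needs it on the classpath, attach it to the sonar plugin configuration or put it behind a profile used only by the analysis job rather than in the module's compile dependencies. The explicit version pin is good; keep it pinned wherever the declaration moves.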
<version>${version.mvn-golang-wrapper-plugin}</version>
<extensions>true</extensions>
<executions>
+ <execution>
+ <id>coverage</id>
+ <goals>
+ <goal>test</goal>
+ </goals>
+ <configuration>
+ <testFlags>
+ <flag>-coverprofile=bin/coverage.out</flag>
+ </testFlags>
+ </configuration>
+ </execution>
<execution>
<id>install</id>
<goals>
logSupportedMultiValueProperty(log, csr.Subject.Province, "state")
logSupportedMultiValueProperty(log, csr.Subject.Locality, "location")
logSupportedMultiValueProperty(log, csr.DNSNames, "dns names")
+ logSupportedMultiValueProperty(log, csr.EmailAddresses, "email addresses")
+ logSupportedMultiValueProperty(log, mapIpAddressesToText(csr.IPAddresses), "ipAddresses")
+ logSupportedMultiValueProperty(log, mapUrisToText(csr.URIs), "uris")
}
func logSupportedMultiValueProperty(log leveledlogger.Logger, values []string, propertyName string) {
}
func logPropertiesNotSupportedByCertService(log leveledlogger.Logger, request *cmapi.CertificateRequest, csr *x509.CertificateRequest) {
-
- //IP addresses in SANs
- if len(csr.IPAddresses) > 0 {
- log.Warning(getNotSupportedMessage("ipAddresses", extractIPAddresses(csr.IPAddresses)))
- }
- //URIs in SANs
- if len(csr.URIs) > 0 {
- log.Warning(getNotSupportedMessage("uris", extractURIs(csr.URIs)))
- }
-
- //Email addresses in SANs
- if len(csr.EmailAddresses) > 0 {
- log.Warning(getNotSupportedMessage("emailAddresses", extractStringArray(csr.EmailAddresses)))
- }
-
if request.Spec.IsCA == true {
log.Warning(getNotSupportedMessage("isCA", strconv.FormatBool(request.Spec.IsCA)))
}
return values
}
-func extractURIs(URIs []*url.URL) string {
- values := ""
- for _, uri := range URIs {
- values = values + uri.String() + ", "
+func mapUrisToText(uris []*url.URL) []string {
+ urisAsText := make([]string, len(uris))
+ for i, ipAddress := range uris {
+ urisAsText[i] = ipAddress.String()
}
- return values
+ return urisAsText
}
-func extractIPAddresses(addresses []net.IP) string {
- values := ""
- for _, ipAddress := range addresses {
- values = values + ipAddress.String() + ", "
+func mapIpAddressesToText(addresses []net.IP) []string {
+ ipsAsText := make([]string, len(addresses))
+ for i, ipAddress := range addresses {
+ ipsAsText[i] = ipAddress.String()
}
- return values
+ return ipsAsText
}
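Review bot: In mapUrisToText the loop variable is named `ipAddress` although it ranges over `uris`, which reads as a copy-paste from mapIpAddressesToText and misleads anyone skimming the function; rename it: `for i, uri := range uris {` followed by `urisAsText[i] = uri.String()`. Separately, `mapIpAddressesToText` does not follow Go's initialism convention that golint/staticcheck flag, whereas the field it receives is `csr.IPAddresses`; `mapIPAddressesToText` would match. Both helpers return an empty (non-nil) slice for empty input, which is what the callers in logSupportedMultiValueProperty appear to expect.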
func getSupportedMessage(property string, value string) string {
var unsupportedProperties = []string{
"* property 'duration'",
"* property 'usages'",
- "- property 'ipAddresses'",
"- property 'isCA'",
"- property 'subject.streetAddress'",
"- property 'subject.postalCodes'",
"+ property 'country'",
"+ property 'state'",
"+ property 'location'",
- "+ property 'dns names'"}
+ "+ property 'dns names'",
+ "+ property 'ipAddresses'",
+ "+ property 'uris'",
+ "+ property 'email addresses'",
+ }
const RESULT_LOG = "testdata/test_result.log"
package logger
const csrWithoutSkippedProperties = (`-----BEGIN CERTIFICATE REQUEST-----
-MIIDETCCAfkCAQAwgYIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
+MIIDPTCCAiUCAQAwgYIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1TYW4tRnJhbmNpc2NvMRkwFwYDVQQKExBMaW51eC1Gb3VuZGF0
aW9uMQ0wCwYDVQQLEwRPTkFQMRwwGgYDVQQDExNjZXJ0aXNzdWVyLm9uYXAub3Jn
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxhQiSgyYGpEfX/HuCFwT
-GHkLe1CheKz2CQzSP9an5BSdET1OgABmuJjtnXZzKpPAZCGJX2QTyDE9zvdTN0Ci
-/8WRL/m2tWUPbt8qRVW36PSKazpB+ELZjQi3rmYtmWUlRuJNfLcksK59pcD5W46t
-d9eettkex0FAcxpQE/ukhpW9r6QrmlQAQHuF1rBw6uJMGzFSPWh9XFLFbxZJyJCu
-AIycvT95bgtot3EMPwGkxAYzxtAu6D5/n65nIZ0f9BuuNFtmnoHmn/9fPUnZHA0h
-qP9kXAAU10S3gig+Na6DeZFBE1y9jCt4vmSq2ssBO24kOAHrg5GrqEsnfoSnu8Nb
-sQIDAQABoEkwRwYJKoZIhvcNAQkOMTowODApBgNVHREEIjAggglsb2NhbGhvc3SC
-E2NlcnRpc3N1ZXIub25hcC5vcmcwCwYDVR0PBAQDAgWgMA0GCSqGSIb3DQEBCwUA
-A4IBAQAWkOeJHnmtlSvlb7HbBeSGY4E9M338sKtwV4ZSvH+n5rgwamkvjhUwhycs
-UR0XgeAyD86kK6kkvVewdIanHYp1k7CuDZkU6piy8t4RhosyqUWQNWtemGYdNZCL
-cgZ1Jbj4NdIZo2EKBIEbTrm9VFt1zidYRFNGNJp8RQQds6r4qATq1NKr6ptrLuIc
-dzfOm1ZPtSn8u4H4+z1re6q18JeM0VPXBiXBtEXwQRXIEnsjCzYxdjy+QwbEmlpB
-o2hMIamWNIbskYnNkaky8eQzjJ8uIesESeanWJlrMUbzicOwQeYMPmj+Mkn1nqlK
-YFwml5XnVXXpGLHGWCswpN3CDyXi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-----END CERTIFICATE REQUEST-----`)
const csrWithSkippedProperties = (`-----BEGIN CERTIFICATE REQUEST-----
-MIIDgjCCAmoCAQAwgaQxCzAJBgNVBAYTAlBMMRMwEQYDVQQIEwpEb2xueVNsYXNr
-MRAwDgYDVQQHEwdXcm9jbGF3MREwDwYDVQQJEwhMb3RuaWN6YTEPMA0GA1UEERMG
-MTItMzQ1MQ0wCwYDVQQKEwRPTkFQMQ0wCwYDVQQLEwRvbmFwMRwwGgYDVQQDExNj
-ZXJ0aXNzdWVyLm9uYXAub3JnMQ4wDAYDVQQFEwUxMjM0NTCCASIwDQYJKoZIhvcN
-AQEBBQADggEPADCCAQoCggEBAPdrWRYpdGY6A9YEQ8mnQdOW7wzdaNHJ83ZrMPZd
-V7jBOMvQbTw6Oe/Q4vD+Dla7FmGqlAajNIgKRiUUQLKVmASELhCYhtW7Mn91qe6l
-xuyPyOEi9o8mArJosFAfPPF0nm9FQPi2qHgyi6C52QR7cKsgNPflpKVsEx9Y+Zns
-YBqkaX16BukvcHUANgsvZ3rLUVeiOsCi2ysVcsm+4XMvF6ejoqKJ9k7Ti0VrQtqh
-e1nKlaa4uP3dreeUXBMLfKUS7QrNavpiX6wVaohVp6p/AYQ2HZurMv86Q2E5D5SC
-ReEpVuWx+r4MI8dAHbYe09ntkRGIe8mVyxHHEWLNfZiwKGsCAwEAAaCBlzCBlAYJ
-KoZIhvcNAQkOMYGGMIGDMFUGA1UdEQROMEyCCWxvY2FsaG9zdIITY2VydGlzc3Vl
-ci5vbmFwLm9yZ4ENb25hcEBvbmFwLm9yZ4cEfwAAAYYVb25hcDovL2NsdXN0ZXIu
-bG9jYWwvMAsGA1UdDwQEAwICBDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
-AwIwDQYJKoZIhvcNAQELBQADggEBAHDMw3+fVOrbVnMI2g/IP40vt1eenkoriTHX
-dnjRRFio75nCNRJdLOJ9FU3wIgdDZwGaiXdn5NDQxCe0BWcbElDJSYR/xOi7V0AM
-2L3CrRAOhr2MjwX7CaOuYWcVtrbtIMf26NLKRXYPlGgc6YeofalDnezMJ/IuRQhj
-bcm17a8owa5dH9u/rmTmlrIT7PV4JHkZIogctIcSqod6xdr1mbi8G9DMFAqV+o7W
-9kV7XDKhTqYoBIsXwfehNMu3lo72VuklIyVNiEVz4mVzpeZy2DgjRjCLt106yDHZ
-f3nco6O4y2EyexBVKq6QRFfZDUab6YcoEVvPAio01RmFrHgnxHs=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-----END CERTIFICATE REQUEST-----`)
if err != nil {
return nil, nil, err
}
- log.Debug("Filtered out CSR PEM: ", "bytes", csrBytes)
+ log.Debug("Filtered out CSR PEM: ", "bytes", filteredCsrBytes)
response, err := ca.certServiceClient.GetCertificates(filteredCsrBytes, privateKeyBytes)
if err != nil {
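Review bot: The debug line now logs `filteredCsrBytes` as a raw `[]byte` under the key `"bytes"`; depending on how leveledlogger renders values, a byte slice may come out as base64 or an integer array rather than the PEM text the message promises, so `log.Debug("Filtered out CSR PEM: ", "pem", string(filteredCsrBytes))` would be unambiguous. A CSR carries only public data, so logging it at debug is acceptable; the `privateKeyBytes` passed on the next line must never receive the same treatment. The enclosing function starts and ends outside the hunk.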
filteredCsr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
Subject: filteredSubject,
DNSNames: csr.DNSNames,
+ IPAddresses: csr.IPAddresses,
+ URIs: csr.URIs,
+ EmailAddresses: csr.EmailAddresses,
}, key)
if err != nil {
return nil, err
filteredCsr := parseCsrBytes(filteredCsrBytes)
assert.Equal(t, originalCsr.DNSNames, filteredCsr.DNSNames)
+ assert.Equal(t, originalCsr.URIs, filteredCsr.URIs)
+ assert.Equal(t, originalCsr.EmailAddresses, filteredCsr.EmailAddresses)
+ assert.Equal(t, originalCsr.IPAddresses, filteredCsr.IPAddresses)
assert.Equal(t, originalCsr.PublicKey, filteredCsr.PublicKey)
assert.Equal(t, originalCsr.PublicKeyAlgorithm, filteredCsr.PublicKeyAlgorithm)
assert.Equal(t, originalCsr.SignatureAlgorithm, filteredCsr.SignatureAlgorithm)
func assertFilteredFieldsEmpty(t *testing.T, csrBytes []byte) {
csr := parseCsrBytes(csrBytes)
- assert.Nil(t, csr.URIs)
- assert.Nil(t, csr.EmailAddresses)
- assert.Nil(t, csr.IPAddresses)
assert.Nil(t, csr.Subject.PostalCode)
assert.Equal(t, "", csr.Subject.SerialNumber)
assert.Nil(t, csr.Subject.StreetAddress)
<parent>
<artifactId>oom-certservice</artifactId>
<groupId>org.onap.oom.platform.cert-service</groupId>
- <version>2.2.0-SNAPSHOT</version>
+ <version>2.3.0-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<artifactId>oom-certservice-post-processor</artifactId>
- <version>2.2.0-SNAPSHOT</version>
+ <version>2.3.0-SNAPSHOT</version>
<name>oom-certservice-post-processor</name>
<description>An application which conducts certificate post-processing like: merging truststores, copying keystores.</description>
<packaging>jar</packaging>
LOCATION=San-Francisco
STATE=California
COUNTRY=US
-SANS=example.org
+SANS=example.org,test.onap.org,onap@onap.org,127.0.0.1,onap://cluster.local/
#Tls config envs
KEYSTORE_PATH=/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks
KEYSTORE_PASSWORD=secret
<int>1</int>
</void>
<void method="add">
- <int>0</int>
+ <int>3</int>
</void>
<void method="add">
<int>3</int>
</void>
<void method="add">
- <int>0</int>
+ <int>3</int>
</void>
<void method="add">
<int>0</int>
</void>
<void method="add">
- <int>0</int>
+ <int>3</int>
</void>
<void method="add">
<int>0</int>
<void method="add">
<int>1802</int>
</void>
+ <void method="add">
+ <int>1700</int>
+ </void>
+ <void method="add">
+ <int>1701</int>
+ </void>
+ <void method="add">
+ <int>1702</int>
+ </void>
+ <void method="add">
+ <int>1900</int>
+ </void>
+ <void method="add">
+ <int>1901</int>
+ </void>
+ <void method="add">
+ <int>1902</int>
+ </void>
+ <void method="add">
+ <int>2100</int>
+ </void>
+ <void method="add">
+ <int>2101</int>
+ </void>
+ <void method="add">
+ <int>2102</int>
+ </void>
</object>
</void>
<void method="put">
</void>
<void method="put">
<int>37</int>
- <string>-1501801709</string>
+ <string>-29939301</string>
</void>
<void method="put">
<int>20037</int>
<int>30218</int>
<boolean>true</boolean>
</void>
+ <void method="put">
+ <int>17</int>
+ <string></string>
+ </void>
+ <void method="put">
+ <int>20017</int>
+ <boolean>false</boolean>
+ </void>
+ <void method="put">
+ <int>10017</int>
+ <boolean>false</boolean>
+ </void>
+ <void method="put">
+ <int>30017</int>
+ <boolean>true</boolean>
+ </void>
+ <void method="put">
+ <int>117</int>
+ <string></string>
+ </void>
+ <void method="put">
+ <int>20117</int>
+ <boolean>false</boolean>
+ </void>
+ <void method="put">
+ <int>10117</int>
+ <boolean>false</boolean>
+ </void>
+ <void method="put">
+ <int>30117</int>
+ <boolean>true</boolean>
+ </void>
+ <void method="put">
+ <int>217</int>
+ <string></string>
+ </void>
+ <void method="put">
+ <int>20217</int>
+ <boolean>false</boolean>
+ </void>
+ <void method="put">
+ <int>10217</int>
+ <boolean>false</boolean>
+ </void>
+ <void method="put">
+ <int>30217</int>
+ <boolean>true</boolean>
+ </void>
+ <void method="put">
+ <int>19</int>
+ <string></string>
+ </void>
+ <void method="put">
+ <int>20019</int>
+ <boolean>false</boolean>
+ </void>
+ <void method="put">
+ <int>10019</int>
+ <boolean>true</boolean>
+ </void>
+ <void method="put">
+ <int>30019</int>
+ <boolean>true</boolean>
+ </void>
+ <void method="put">
+ <int>119</int>
+ <string></string>
+ </void>
+ <void method="put">
+ <int>20119</int>
+ <boolean>false</boolean>
+ </void>
+ <void method="put">
+ <int>10119</int>
+ <boolean>true</boolean>
+ </void>
+ <void method="put">
+ <int>30119</int>
+ <boolean>true</boolean>
+ </void>
+ <void method="put">
+ <int>219</int>
+ <string></string>
+ </void>
+ <void method="put">
+ <int>20219</int>
+ <boolean>false</boolean>
+ </void>
+ <void method="put">
+ <int>10219</int>
+ <boolean>true</boolean>
+ </void>
+ <void method="put">
+ <int>30219</int>
+ <boolean>true</boolean>
+ </void>
+ <void method="put">
+ <int>21</int>
+ <string></string>
+ </void>
+ <void method="put">
+ <int>20021</int>
+ <boolean>false</boolean>
+ </void>
+ <void method="put">
+ <int>10021</int>
+ <boolean>true</boolean>
+ </void>
+ <void method="put">
+ <int>30021</int>
+ <boolean>true</boolean>
+ </void>
+ <void method="put">
+ <int>121</int>
+ <string></string>
+ </void>
+ <void method="put">
+ <int>20121</int>
+ <boolean>false</boolean>
+ </void>
+ <void method="put">
+ <int>10121</int>
+ <boolean>true</boolean>
+ </void>
+ <void method="put">
+ <int>30121</int>
+ <boolean>true</boolean>
+ </void>
+ <void method="put">
+ <int>221</int>
+ <string></string>
+ </void>
+ <void method="put">
+ <int>20221</int>
+ <boolean>false</boolean>
+ </void>
+ <void method="put">
+ <int>10221</int>
+ <boolean>true</boolean>
+ </void>
+ <void method="put">
+ <int>30221</int>
+ <boolean>true</boolean>
+ </void>
</object>
</java>
sections/logging.rst
sections/installation.rst
sections/configuration.rst
+ sections/change-log.rst
sections/release-notes.rst
sections/troubleshooting.rst
--- /dev/null
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright 2020 NOKIA
+
+
+Change Log
+==============
+
+
+Version: 2.1.0
+--------------
+
+:Release Date:
+
+**New Features**
+
+* Added module **oom-certservice-post-processor** with following functionality:
+
+ * appending CMPv2 certificates to CertMan truststore
+ * replacing CertMan keystore with CMPv2 keystore
+
+**Bug Fixes**
+
+ N/A
+
+**Known Issues**
+
+ N/A
+
+**Security Notes**
+
+ N/A
+
+*Fixed Security Issues*
+
+ N/A
+
+*Known Security Issues*
+
+ N/A
+
+*Known Vulnerabilities in Used Modules*
+
+ N/A
+
+**Upgrade Notes**
+
+**Deprecation Notes**
+
+**Other**
+
+==============
+
+Version: 2.0.0
+--------------
+
+:Release Date:
+
+**New Features**
+
+ - The same functionality as in aaf-certservice 1.2.0
+
+**Bug Fixes**
+
+ N/A
+
+**Known Issues**
+
+ N/A
+
+**Security Notes**
+
+ N/A
+
+*Fixed Security Issues*
+
+ N/A
+
+*Known Security Issues*
+
+ N/A
+
+*Known Vulnerabilities in Used Modules*
+
+ N/A
+
+**Upgrade Notes**
+
+**Deprecation Notes**
+
+**Other**
+
+===========
+
+Version: 1.2.0
+--------------
+
+:Release Date:
+
+**New Features**
+
+ - Client creates subdirectories in given OUTPUT_PATH and place certificate into it.
+
+**Bug Fixes**
+
+ N/A
+
+**Known Issues**
+
+ N/A
+
+**Security Notes**
+
+ N/A
+
+*Fixed Security Issues*
+
+ N/A
+
+*Known Security Issues*
+
+ N/A
+
+*Known Vulnerabilities in Used Modules*
+
+ N/A
+
+**Upgrade Notes**
+
+**Deprecation Notes**
+
+**Other**
+
+===========
+
+Version: 1.1.0
+--------------
+
+:Release Date: 2020-06-29
+
+**New Features**
+
+ - Added property to CertService Client to allow selection of output certificates type (One of: PEM, JKS, P12).
+
+**Bug Fixes**
+
+ - Resolved issue where created PKCS12 certificates had jks extension.
+
+**Known Issues**
+
+ N/A
+
+**Security Notes**
+
+ N/A
+
+*Fixed Security Issues*
+
+ N/A
+
+*Known Security Issues*
+
+ N/A
+
+*Known Vulnerabilities in Used Modules*
+
+ N/A
+
+**Upgrade Notes**
+
+**Deprecation Notes**
+
+**Other**
+
+===========
+
+Version: 1.0.1
+--------------
+
+:Release Date: 2020-05-22
+
+**New Features**
+
+The Frankfurt Release is the first release of the Certification Service.
+
+
+**Bug Fixes**
+
+ - `AAF-1132 <https://jira.onap.org/browse/AAF-1132>`_ - CertService Client returns exit status 5 when TLS configuration fails
+
+**Known Issues**
+
+ - PKCS12 certificates have jks extension
+
+**Security Notes**
+
+ N/A
+
+*Fixed Security Issues*
+
+ N/A
+
+*Known Security Issues*
+
+ N/A
+
+*Known Vulnerabilities in Used Modules*
+
+ N/A
+
+**Upgrade Notes**
+
+**Deprecation Notes**
+
+**Other**
+
+===========
+
+Version: 1.0.0
+--------------
+
+:Release Date: 2020-04-16
+
+**New Features**
+
+The Frankfurt Release is the first release of the Certification Service.
+
+**Bug Fixes**
+
+ - No new fixes were implemented for this release
+
+**Known Issues**
+
+ - `AAF-1132 <https://jira.onap.org/browse/AAF-1132>`_ - CertService Client returns exit status 5 when TLS configuration fails
+
+ - PKCS12 certificates have jks extension
+
+**Security Notes**
+
+ N/A
+
+*Fixed Security Issues*
+
+ N/A
+
+*Known Security Issues*
+
+ N/A
+
+*Known Vulnerabilities in Used Modules*
+
+ N/A
+
+**Upgrade Notes**
+
+**Deprecation Notes**
+
+**Other**
+
+===========
+
+End of Change Log
+-------+------------------------------------------------+
| 10 | File could not be created |
+-------+------------------------------------------------+
+| 99 | Application exited abnormally |
++-------+------------------------------------------------+
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. Copyright 2020 NOKIA
+.. _release_notes:
+***************************************
+OOM Certification Service Release Notes
+***************************************
-Release Notes
+Abstract
+========
-==============
+This document provides the release notes for the Guilin release.
-Version: 2.2.0
---------------
-
-:Release Date:
-
-**New Features**
-
-* Added module **oom-certservice-k8s-external-provider** with following functionality:
-
- An external provider is a part of PKI infrastructure. It consumes CertificateRequest CRD from Cert-Manager and calls CertService API to enroll certificate from CMPv2 server.
-
- More information can be found on dedicated `wiki page <https://wiki.onap.org/display/DW/CertService+and+K8s+Cert-Manager+integration>`_
-
-**Bug Fixes**
-
- N/A
-
-**Known Issues**
-
- N/A
-
-**Security Notes**
-
- N/A
-
-*Fixed Security Issues*
-
- N/A
-
-*Known Security Issues*
-
- N/A
-
-*Known Vulnerabilities in Used Modules*
-
- N/A
-
-**Upgrade Notes**
-
-**Deprecation Notes**
-
-**Other**
-
-==============
-
-Version: 2.1.0
---------------
-
-:Release Date:
-
-**New Features**
-
-* Added module **oom-certservice-post-processor** with following functionality:
-
- * appending CMPv2 certificates to CertMan truststore
- * replacing CertMan keystore with CMPv2 keystore
-
-**Bug Fixes**
-
- N/A
-
-**Known Issues**
-
- N/A
-
-**Security Notes**
-
- N/A
-
-*Fixed Security Issues*
-
- N/A
-
-*Known Security Issues*
-
- N/A
-
-*Known Vulnerabilities in Used Modules*
-
- N/A
-
-**Upgrade Notes**
-
-**Deprecation Notes**
-
-**Other**
-
-==============
-
-Version: 2.0.0
---------------
-
-:Release Date:
-
-**New Features**
-
- - The same functionality as in aaf-certservice 1.2.0
-
-**Bug Fixes**
-
- N/A
-
-**Known Issues**
-
- N/A
-
-**Security Notes**
-
- N/A
+Summary
+=======
-*Fixed Security Issues*
+Certification Service provides certificates signed by external CMPv2 server - such certificates are further called operators certificates. Operators certificates are meant to secure external ONAP traffic - traffic between network functions (xNFs) and ONAP.
- N/A
+This project was moved from Application Authorization Framework (AAF), to check previous release notes see, `AAF CertService release notes <https://docs.onap.org/projects/onap-aaf-certservice/en/frankfurt/sections/release-notes.html>`_ .
-*Known Security Issues*
- N/A
+Release Data
+============
-*Known Vulnerabilities in Used Modules*
++--------------------------------------+--------------------------------------------------------------------------------+
+| **Project** | OOM |
+| | |
++--------------------------------------+--------------------------------------------------------------------------------+
+| **Docker images** | * onap/org.onap.oom.platform.cert-service.oom-certservice-api:2.1.0 |
+| | * onap/org.onap.oom.platform.cert-service.oom-certservice-client:2.1.0 |
+| | * onap/org.onap.oom.platform.cert-service.oom-certservice-post-processor:2.1.0|
+| | |
++--------------------------------------+--------------------------------------------------------------------------------+
+| **Release designation** | Guilin |
+| | |
++--------------------------------------+--------------------------------------------------------------------------------+
- N/A
-**Upgrade Notes**
+New features
+------------
-**Deprecation Notes**
+- `AAF-1152 <https://jira.onap.org/browse/AAF-1152>`_ Added to CertService's client parameter which controls output type of certificates (JKS, PKCS12, PEM)
-**Other**
+- `DCAEGEN2-2252 <https://jira.onap.org/browse/DCAEGEN2-2252>`_ Added new not existing subfolders creation in output path (CMPv2 Integration).
-===========
+- `DCAEGEN2-2253 <https://jira.onap.org/browse/DCAEGEN2-2253>`_ Implemented CertServicePostprocessor, allows merging truststores and moving keystore files.
-Version: 1.2.0
---------------
-
-:Release Date:
-
-**New Features**
-
- - Client creates subdirectories in given OUTPUT_PATH and place certificate into it.
+- `OOM-2526 <https://jira.onap.org/browse/OOM-2526>`_ Moved project from AAF to OOM platform.
-**Bug Fixes**
+**Bug fixes**
- N/A
+- `OOM-2524 <https://jira.onap.org/browse/OOM-2524>`_ Fixed project makefile.
**Known Issues**
- N/A
-
-**Security Notes**
-
- N/A
-
-*Fixed Security Issues*
-
- N/A
-
-*Known Security Issues*
-
- N/A
-
-*Known Vulnerabilities in Used Modules*
-
- N/A
-
-**Upgrade Notes**
-
-**Deprecation Notes**
-
-**Other**
-
-===========
-
-Version: 1.1.0
---------------
-
-:Release Date: 2020-06-29
-
-**New Features**
-
- - Added property to CertService Client to allow selection of output certificates type (One of: PEM, JKS, P12).
-
-**Bug Fixes**
-
- - Resolved issue where created PKCS12 certificates had jks extension.
-
-**Known Issues**
-
- N/A
-
-**Security Notes**
-
- N/A
-
-*Fixed Security Issues*
+None
- N/A
+Deliverables
+------------
-*Known Security Issues*
+Software Deliverables
+~~~~~~~~~~~~~~~~~~~~~
+Docker images mentioned in Release Date section.
- N/A
+Documentation Deliverables
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+Documentation moved from AAF - `OOM Certification Service <https://docs.onap.org/projects/onap-oom-platform-cert-service/en/latest/index.html#master-index>`_ .
-*Known Vulnerabilities in Used Modules*
+Known Limitations, Issues and Workarounds
+=========================================
- N/A
+System Limitations
+------------------
-**Upgrade Notes**
+Any known system limitations.
-**Deprecation Notes**
-**Other**
+Known Vulnerabilities
+---------------------
-===========
+Any known vulnerabilities.
-Version: 1.0.1
---------------
-
-:Release Date: 2020-05-22
-
-**New Features**
-
-The Frankfurt Release is the first release of the Certification Service.
-
-
-**Bug Fixes**
-
- - `AAF-1132 <https://jira.onap.org/browse/AAF-1132>`_ - CertService Client returns exit status 5 when TLS configuration fails
-
-**Known Issues**
-
- - PKCS12 certificates have jks extension
-
-**Security Notes**
-
- N/A
-
-*Fixed Security Issues*
-
- N/A
-
-*Known Security Issues*
- N/A
+Workarounds
+-----------
-*Known Vulnerabilities in Used Modules*
+Any known workarounds.
- N/A
-**Upgrade Notes**
-
-**Deprecation Notes**
-
-**Other**
-
-===========
-
-Version: 1.0.0
+Security Notes
--------------
-:Release Date: 2020-04-16
-
-**New Features**
-
-The Frankfurt Release is the first release of the Certification Service.
-
-**Bug Fixes**
-
- - No new fixes were implemented for this release
-
-**Known Issues**
-
- - `AAF-1132 <https://jira.onap.org/browse/AAF-1132>`_ - CertService Client returns exit status 5 when TLS configuration fails
-
- - PKCS12 certificates have jks extension
-
-**Security Notes**
-
- N/A
+**Fixed Security Issues**
-*Fixed Security Issues*
+None
- N/A
+**Known Security Issues**
-*Known Security Issues*
+None
- N/A
-*Known Vulnerabilities in Used Modules*
+Test Results
+============
+Not applicable
- N/A
-**Upgrade Notes**
+References
+==========
-**Deprecation Notes**
+For more information on the ONAP Guilin release, please see:
-**Other**
+#. `ONAP Home Page`_
+#. `ONAP Documentation`_
+#. `ONAP Release Downloads`_
+#. `ONAP Wiki Page`_
-===========
-End of Release Notes
+.. _`ONAP Home Page`: https://www.onap.org
+.. _`ONAP Wiki Page`: https://wiki.onap.org
+.. _`ONAP Documentation`: https://docs.onap.org
+.. _`ONAP Release Downloads`: https://git.onap.org
- LOCATION *(optional)* - Location for which certificate from CMPv2 server should be issued
- STATE *(required)* - State for which certificate from CMPv2 server should be issued
- COUNTRY *(required)* - Country for which certificate from CMPv2 server should be issued
- - SANS *(optional)(SANS's should be separated by a colon e.g. test.onap.org:onap.com)* - Subject Alternative Names (SANs) for which certificate from CMPv2 server should be issued.
+ - SANS *(optional)(SANS's should be separated by a comma e.g. test.onap.org,onap.com)* - Subject Alternative Names (SANs) for which certificate from CMPv2 server should be issued. All SANs types are supported (DNS names, IPs, URIs, emails).
3. Parameters to establish secure communication to CertService:
LOCATION=San-Francisco
STATE=California
COUNTRY=US
- SANS=test.onap.org:onap.com
+ SANS=test.onap.org,onap.com,onap@onap.org,127.0.0.1,onap://cluster.local/
#TLS config envs
KEYSTORE_PATH=/etc/onap/oom/certservice/certs/certServiceClient-keystore.jks
.. code-block:: bash
- INFO 1 [ main] o.o.a.c.c.c.f.ClientConfigurationFactory : Successful validation of Client configuration. Configuration data: REQUEST_URL: https://oom-cert-service:8443/v1/certificate/, REQUEST_TIMEOUT: 10000, OUTPUT_PATH: /var/certs, CA_NAME: RA, OUTPUT_TYPE: P12
- INFO 1 [ main] o.o.a.c.c.c.f.CsrConfigurationFactory : Successful validation of CSR configuration. Configuration data: COMMON_NAME: onap.org, COUNTRY: US, STATE: California, ORGANIZATION: Linux-Foundation, ORGANIZATION_UNIT: ONAP, LOCATION: San-Francisco, SANS: test.onap.org:onap.org
- INFO 1 [ main] o.o.a.c.c.c.KeyPairFactory : KeyPair generation started with algorithm: RSA and key size: 2048
- INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Creation of CSR has been started with following parameters: COMMON_NAME: onap.org, COUNTRY: US, STATE: California, ORGANIZATION: Linux-Foundation, ORGANIZATION_UNIT: ONAP, LOCATION: San-Francisco, SANS: test.onap.org:onap.org
- INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Creation of CSR has been completed successfully
- INFO 1 [ main] o.o.a.c.c.c.CsrFactory : Conversion of CSR to PEM has been started
- INFO 1 [ main] o.o.a.c.c.c.PrivateKeyToPemEncoder : Attempt to encode private key to PEM
- INFO 1 [ main] o.o.a.c.c.h.HttpClient : Attempt to send request to API, on url: https://oom-cert-service:8443/v1/certificate/RA
- INFO 1 [ main] o.o.a.c.c.h.HttpClient : Received response from API
- DEBUG 1 [ main] o.o.a.c.c.c.c.ConvertedArtifactsCreator : Attempt to create keystore files and saving data. File names: keystore.p12, keystore.pass
- INFO 1 [ main] o.o.a.c.c.c.c.PemConverter : Conversion of PEM certificates to PKCS12 keystore
- DEBUG 1 [ main] o.o.a.c.c.c.w.CertFileWriter : Attempt to save file keystore.p12 in path /var/certs
- DEBUG 1 [ main] o.o.a.c.c.c.w.CertFileWriter : Attempt to save file keystore.pass in path /var/certs
- DEBUG 1 [ main] o.o.a.c.c.c.c.ConvertedArtifactsCreator : Attempt to create truststore files and saving data. File names: truststore.p12, truststore.pass
- INFO 1 [ main] o.o.a.c.c.c.c.PemConverter : Conversion of PEM certificates to PKCS12 truststore
- DEBUG 1 [ main] o.o.a.c.c.c.w.CertFileWriter : Attempt to save file truststore.p12 in path /var/certs
- DEBUG 1 [ main] o.o.a.c.c.c.w.CertFileWriter : Attempt to save file truststore.pass in path /var/certs
- INFO 1 [ main] o.o.a.c.c.AppExitHandler : Application exits with following exit code: 0 and message: Success
+ INFO 1 [ main] o.o.o.c.c.c.f.ClientConfigurationFactory : Successful validation of Client configuration. Configuration data: REQUEST_URL: https://oom-cert-service:8443/v1/certificate/, REQUEST_TIMEOUT: 10000, OUTPUT_PATH: /var/certs, CA_NAME: RA, OUTPUT_TYPE: P12
+ INFO 1 [ main] o.o.o.c.c.c.f.CsrConfigurationFactory : Successful validation of CSR configuration. Configuration data: COMMON_NAME: onap.org, COUNTRY: US, STATE: California, ORGANIZATION: Linux-Foundation, ORGANIZATION_UNIT: ONAP, LOCATION: San-Francisco, SANS: [{SAN value: example.org, type: dNSName}, {SAN value: test.onap.org, type: dNSName}, {SAN value: onap@onap.org, type: rfc822Name}, {SAN value: 127.0.0.1, type: iPAddress}, {SAN value: onap://cluster.local/, type: uniformResourceIdentifier}]
+ INFO 1 [ main] o.o.o.c.c.c.KeyPairFactory : KeyPair generation started with algorithm: RSA and key size: 2048
+ INFO 1 [ main] o.o.o.c.c.c.CsrFactory : Creation of CSR has been started with following parameters: COMMON_NAME: onap.org, COUNTRY: US, STATE: California, ORGANIZATION: Linux-Foundation, ORGANIZATION_UNIT: ONAP, LOCATION: San-Francisco, SANS: [{SAN value: example.org, type: dNSName}, {SAN value: test.onap.org, type: dNSName}, {SAN value: onap@onap.org, type: rfc822Name}, {SAN value: 127.0.0.1, type: iPAddress}, {SAN value: onap://cluster.local/, type: uniformResourceIdentifier}]
+ INFO 1 [ main] o.o.o.c.c.c.CsrFactory : Creation of CSR has been completed successfully
+ INFO 1 [ main] o.o.o.c.c.c.CsrFactory : Conversion of CSR to PEM has been started
+ INFO 1 [ main] o.o.o.c.c.c.PrivateKeyToPemEncoder : Attempt to encode private key to PEM
+ INFO 1 [ main] o.o.o.c.c.h.HttpClient : Attempt to send request to API, on url: https://oom-cert-service:8443/v1/certificate/RA
+ INFO 1 [ main] o.o.o.c.c.h.HttpClient : Received response from API
+ DEBUG 1 [ main] o.o.o.c.c.c.c.ConvertedArtifactsCreator : Attempt to create keystore files and saving data. File names: keystore.p12, keystore.pass
+ INFO 1 [ main] o.o.o.c.c.c.c.PemConverter : Conversion of PEM certificates to PKCS12 keystore
+ DEBUG 1 [ main] o.o.o.c.c.c.w.CertFileWriter : Attempt to save file keystore.p12 in path /var/certs
+ DEBUG 1 [ main] o.o.o.c.c.c.w.CertFileWriter : Attempt to save file keystore.pass in path /var/certs
+ DEBUG 1 [ main] o.o.o.c.c.c.c.ConvertedArtifactsCreator : Attempt to create truststore files and saving data. File names: truststore.p12, truststore.pass
+ INFO 1 [ main] o.o.o.c.c.c.c.PemConverter : Conversion of PEM certificates to PKCS12 truststore
+ DEBUG 1 [ main] o.o.o.c.c.c.w.CertFileWriter : Attempt to save file truststore.p12 in path /var/certs
+ DEBUG 1 [ main] o.o.o.c.c.c.w.CertFileWriter : Attempt to save file truststore.pass in path /var/certs
+ INFO 1 [ main] o.o.o.c.c.AppExitHandler : Application exits with following exit code: 0 and message: Success
- name: COUNTRY
value: US
- name: SANS
- value: test.onap.org:onap.com
+ value: test.onap.org,onap.com,onap@onap.org,127.0.0.1,onap://cluster.local/
- name: KEYSTORE_PATH
value: /etc/onap/oom/certservice/certs/certServiceClient-keystore.jks
- name: KEYSTORE_PASSWORD
</parent>
<groupId>org.onap.oom.platform.cert-service</groupId>
<artifactId>oom-certservice</artifactId>
- <version>2.2.0-SNAPSHOT</version>
+ <version>2.3.0-SNAPSHOT</version>
<name>oom-certservice</name>
<description>OOM Certification Service</description>
<packaging>pom</packaging>
<gson.version>2.8.6</gson.version>
<httpcomponents.version>4.5.6</httpcomponents.version>
<commons-lang3.version>3.9</commons-lang3.version>
+ <commons-validator.version>1.7</commons-validator.version>
<commons-io.version>2.6</commons-io.version>
<junit.version>5.5.2</junit.version>
<mockito-junit-jupiter.version>2.17.0</mockito-junit-jupiter.version>
<artifactId>commons-io</artifactId>
<version>${commons-io.version}</version>
</dependency>
+ <dependency>
+ <groupId>commons-validator</groupId>
+ <artifactId>commons-validator</artifactId>
+ <version>${commons-validator.version}</version>
+ </dependency>
<dependency>
<!-- Import dependency management from Spring Boot -->
<groupId>org.springframework.boot</groupId>
--- /dev/null
+distribution_type: 'container'
+container_release_tag: '2.2.0'
+container_pull_registry: nexus3.onap.org:10003
+container_push_registry: nexus3.onap.org:10002
+project: 'oom-platform-cert-service'
+log_dir: 'oom-platform-cert-service-maven-docker-stage-master/118'
+ref: c3c260ac52d12a8a2bcec9c3e2451c48d388ecec
+containers:
+ - name: 'org.onap.oom.platform.cert-service.oom-certservice-api'
+ version: '2.2.0-20201112T134226Z'
+ - name: 'org.onap.oom.platform.cert-service.oom-certservice-client'
+ version: '2.2.0-20201112T134226Z'
+ - name: 'org.onap.oom.platform.cert-service.oom-certservice-post-processor'
+ version: '2.2.0-20201112T134226Z'
+ - name: 'org.onap.oom.platform.cert-service.oom-certservice-k8s-external-provider'
+ version: '2.2.0-20201112T134226Z'
major=2
-minor=2
+minor=3
patch=0
base_version=${major}.${minor}.${patch}
release_version=${base_version}