diff --git a/changelog.txt b/changelog.txt index 4c1db89783d3c38fb0a233aaaffdf640ae3f36f3..1984155e5af590c1ac970be8970ac7489ce7016b 100644 --- a/changelog.txt +++ b/changelog.txt @@ -2,8 +2,8 @@ eDelivery SMP 5.0 - added new properties: smp.truststore.type: Truststore type as JKS/PKCS12 smp.keystore.type: Keystore type as JKS/PKCS12 - document.restriction.allowed.certificate.types: allowed certificate JCE key algorithms to be used in service metadata as example RSA|EC|Ed25519|Ed448; - + document.restriction.allowed.certificate.types: Allowed key algorithms for certificates to be used in service metadata.Empty value means no restrictions, for other values see the java KeyFactory Algorithms for example: RSA|EC|Ed25519|Ed448; + smp.certificate.validation.allowed.certificate.type: Allowed user certificate JCE types. Empty value means no restrictions, for other values see the java KeyFactory Algorithms for examples: RSA|EC|Ed25519|Ed448; eDelivery SMP 4.2 - added new properties: diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/ui/enums/SMPPropertyEnum.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/ui/enums/SMPPropertyEnum.java index 9f6a4d514c990c997a7d2e0247f3000daa987d6d..d2070c6575fe4c06ba0a4167401f8dd1219aea36 100644 --- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/ui/enums/SMPPropertyEnum.java +++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/ui/enums/SMPPropertyEnum.java 
@@ -100,6 +100,9 @@ public enum SMPPropertyEnum { OPTIONAL, NOT_ENCRYPTED, NO_RESTART_NEEDED, LIST_STRING), CERTIFICATE_SUBJECT_REGULAR_EXPRESSION("smp.certificate.validation.subjectRegex", ".*", "Regular expression to validate subject of the certificate", OPTIONAL, NOT_ENCRYPTED, NO_RESTART_NEEDED, REGEXP), + CERTIFICATE_ALLOWED_KEY_TYPES("smp.certificate.validation.allowed.certificate.types", + "", "Allowed user certificate types. Empty value means no restrictions, for other values see the java KeyFactory Algorithms for examples: RSA|EC|Ed25519|Ed448", + OPTIONAL, NOT_ENCRYPTED, NO_RESTART_NEEDED, LIST_STRING), SMP_PROPERTY_REFRESH_CRON("smp.property.refresh.cronJobExpression", "0 48 */1 * * *", "Property refresh cron expression (def 12 minutes to each hour). Property change is refreshed at restart!", OPTIONAL, NOT_ENCRYPTED, NO_RESTART_NEEDED, CRON_EXPRESSION), @@ -169,7 +172,7 @@ public enum SMPPropertyEnum { OPTIONAL, NOT_ENCRYPTED, NO_RESTART_NEEDED, LIST_STRING ), - EXTERNAL_TLS_AUTHENTICATION_CLIENT_CERT_HEADER_ENABLED("smp.automation.authentication.external.tls.clientCert.enabled", "false", + EXTERNAL_TLS_AUTHENTICATION_CLIENT_CERT_HEADER_ENABLED(".external.tls.clientCert.enabled", "false", "Authentication with external module as: reverse proxy. Authenticated data are send send to application using 'Client-Cert' HTTP header. Do not enable this feature " + "without properly configured reverse-proxy!", OPTIONAL, NOT_ENCRYPTED, NO_RESTART_NEEDED, BOOLEAN), 
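Review bot: The key of the new `CERTIFICATE_ALLOWED_KEY_TYPES` entry, `smp.certificate.validation.allowed.certificate.types` (plural), does not match the key this commit documents in changelog.txt, `smp.certificate.validation.allowed.certificate.type` (singular). An operator who copies the key from the changelog would set a property the enum never reads, and key-type validation would silently stay disabled with no error. Align the changelog line with the enum key before release.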
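Review bot: The key of `EXTERNAL_TLS_AUTHENTICATION_CLIENT_CERT_HEADER_ENABLED` is changed from `smp.automation.authentication.external.tls.clientCert.enabled` to `.external.tls.clientCert.enabled`, which reads as an accidental partial edit rather than a rename: the deprecated `CLIENT_CERT_HEADER_ENABLED_DEPRECATED` entry in the next hunk still tells operators the replacement is the full `smp.automation.authentication.external.tls.clientCert.enabled`, and nothing else in the diff refers to the truncated key. With the truncated key an existing deployment that enabled Client-Cert header authentication behind its reverse proxy would stop reading its own setting and fall back to the default `"false"`, and a value written under the documented key would be ignored. Restore the original key unless the rename is deliberate, in which case the deprecated entry's description and the changelog need the new key as well.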
@@ -357,7 +360,7 @@ public enum SMPPropertyEnum { CLIENT_CERT_HEADER_ENABLED_DEPRECATED("authentication.blueCoat.enabled", "false", "Property was replaced by property: smp.automation.authentication.external.tls.clientCert.enabled", OPTIONAL, NOT_ENCRYPTED, NO_RESTART_NEEDED, BOOLEAN), - DOCUMENT_RESTRICTION_CERT_TYPES("document.restriction.allowed.certificate.types", "", "Allowed certificate types registered when composing service metadata. Empty value means no restrictions, for other values see the java KeyFactory Algorithms as examples: as example RSA|EC|Ed25519|Ed448", + DOCUMENT_RESTRICTION_CERT_TYPES("document.restriction.allowed.certificate.types", "", "Allowed certificate types registered when composing service metadata. Empty value means no restrictions, for other values see the java KeyFactory Algorithms for examples: RSA|EC|Ed25519|Ed448", OPTIONAL, NOT_ENCRYPTED, NO_RESTART_NEEDED, LIST_STRING), ; diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ConfigurationService.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ConfigurationService.java index e03c6118efd4b33991ffa7874cc4eada32db1a1f..1a6dad50b2d331e6341ec364d4e5975854b2e526 100644 --- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ConfigurationService.java +++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ConfigurationService.java @@ -226,7 +226,11 @@ public class ConfigurationService { } public List<String> getAllowedCertificatePolicies() { - return configurationDAO.getCachedPropertyValue(CERTIFICATE_ALLOWED_CERTIFICATEPOLICY_OIDS); + return configurationDAO.getCachedPropertyValue(CERTIFICATE_ALLOWED_CERTIFICATEPOLICY_OIDS); + } + + public List<String> getAllowedCertificateKeyTypes() { + return configurationDAO.getCachedPropertyValue(CERTIFICATE_ALLOWED_KEY_TYPES); } public String getSMLIntegrationServerCertSubjectRegExpPattern() { 
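Review bot: `getAllowedCertificateKeyTypes()` has no Javadoc although its value drives a security check (`UITruststoreService.validateAllowedCertificateKeyTypes` in this commit compares it against `PublicKey.getAlgorithm()`), and the sibling `getAllowedCertificatePolicies()` above it is undocumented too. Add `/** Returns the configured allowed certificate key algorithm names (property smp.certificate.validation.allowed.certificate.types); a null or empty list means no restriction is applied. */`. Whether `getCachedPropertyValue` yields null or an empty list for an unset LIST_STRING property is not visible here; the caller treats both alike, so the Javadoc should state that both can occur.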
@@ -336,6 +340,7 @@ public class ConfigurationService { public String getCasURLTokenValidation() { return configurationDAO.getCachedPropertyValue(SSO_CAS_TOKEN_VALIDATION_URL_PATH); } + public URL getCasUserDataURL() { URL casUrl = getCasURL(); if (casUrl == null) { @@ -359,7 +364,7 @@ public class ConfigurationService { public Map<String, String> getCasTokenValidationParams() { - return configurationDAO.getCachedPropertyValue(SSO_CAS_TOKEN_VALIDATION_PARAMS); + return configurationDAO.getCachedPropertyValue(SSO_CAS_TOKEN_VALIDATION_PARAMS); } public List<String> getCasURLTokenValidationGroups() { @@ -555,6 +560,7 @@ public class ConfigurationService { /** * Property is set in "file property configuration and can not be changed via database! + * * @return true if smp server is started in development mode */ public boolean isSMPStartupInDevMode() { diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreService.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreService.java index f074781cebab3b6c9f583a06f3547d3d1d027885..53f20f7f87694359160174bd986759f04c57f9fa 100644 --- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreService.java +++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreService.java 
@@ -262,6 +262,28 @@ public class UITruststoreService { certificateValidator.validateCertificate(x509Certificate); } + /** + * Method validates if certificate public key algorithm is allowed. If the allowedCertificateKeyType list is null or empty, then + * then all certificate types are allowed. + * + * @param x509Certificate certificate to validate + * @throws CertificateException + */ + public void validateAllowedCertificateKeyTypes(X509Certificate x509Certificate) throws CertificateException { + List<String> allowedCertificateKeyTypes = configurationService.getAllowedCertificateKeyTypes(); + if (allowedCertificateKeyTypes == null + || allowedCertificateKeyTypes.isEmpty()) { + LOG.debug("No certificate key types configured. Skip certificate key validation."); + return; + } + PublicKey certKey = x509Certificate.getPublicKey(); + if (!StringUtils.equalsAnyIgnoreCase(certKey.getAlgorithm(), allowedCertificateKeyTypes.toArray(new String[]{}))) { + throw new CertificateException("Certificate does not have allowed key algorithm type! Key type [" + + certKey.getAlgorithm() + "] Allowed values [" + + allowedCertificateKeyTypes + "]!"); + } + } + public void checkFullCertificateValidity(X509Certificate cert) throws CertificateException { // test if certificate is valid cert.checkValidity(); @@ -276,6 +298,8 @@ public class UITruststoreService { throw new CertificateNotTrustedException("Certificate is not trusted!"); } + // validate if certificate key type is valid + validateAllowedCertificateKeyTypes(cert); if (trustStore != null) { validateCertificateWithTruststore(cert); 
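Review bot: The Javadoc of `validateAllowedCertificateKeyTypes` leaves `@throws CertificateException` without a description, repeats "then then", and does not say what is compared. The check matches only the algorithm name from `PublicKey.getAlgorithm()` case-insensitively, so it cannot constrain key size or curve (a 1024-bit key passes as `RSA`), and that name depends on the provider that produced the key object: the JDK's own EdDSA keys report `EdDSA` while BouncyCastle's report `Ed25519`/`Ed448`, so the `Ed25519|Ed448` examples in the property description may never match in a plain-JDK setup — worth verifying with the provider actually used here, which this hunk does not show. Suggest `@throws CertificateException if the certificate's public key algorithm name is not in the configured allowed list` plus one sentence stating that only the JCE algorithm name is compared, never key length, and that EdDSA keys may report `EdDSA` depending on the provider.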
@@ -378,7 +402,7 @@ public class UITruststoreService { } try (InputStream truststoreInputStream = new FileInputStream(truststoreFile)) { - String type = StringUtils.defaultIfEmpty(configurationService.getTruststoreType(),"JKS"); + String type = StringUtils.defaultIfEmpty(configurationService.getTruststoreType(), "JKS"); LOG.info("Load truststore [{}] with type [{}].", truststoreFile, type); KeyStore loadedTrustStore = KeyStore.getInstance(type); loadedTrustStore.load(truststoreInputStream, token.toCharArray()); diff --git a/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreServiceIntegrationTest.java b/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreServiceIntegrationTest.java index 652e735f1144f5085fd2e26bef362ef412877468..e3ebcda827d35bea5b763fd4bafc888f3856bd1d 100644 --- a/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreServiceIntegrationTest.java +++ b/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/services/ui/UITruststoreServiceIntegrationTest.java @@ -13,9 +13,7 @@ import org.apache.commons.io.IOUtils; import org.hamcrest.CoreMatchers; import org.hamcrest.MatcherAssert; import org.junit.Before; -import org.junit.Rule; import org.junit.Test; -import org.junit.rules.ExpectedException; import org.junit.runner.RunWith; import org.mockito.ArgumentMatchers; import org.mockito.Mockito; @@ -30,11 +28,11 @@ import java.math.BigInteger; import java.nio.file.Path; import java.nio.file.Paths; import java.security.cert.*; +import java.time.OffsetDateTime; import java.util.*; import static org.junit.Assert.*; - @RunWith(SpringJUnit4ClassRunner.class) public class UITruststoreServiceIntegrationTest extends AbstractServiceIntegrationTest { 
@@ -54,9 +52,6 @@ public class UITruststoreServiceIntegrationTest extends AbstractServiceIntegrati Path resourceDirectory = Paths.get("src", "test", "resources", "truststore"); Path targetDirectory = Paths.get("target", "truststore"); - @Rule - public ExpectedException expectedEx = ExpectedException.none(); - @Autowired protected UITruststoreService testInstance; 
@@ -261,34 +256,33 @@ public class UITruststoreServiceIntegrationTest extends AbstractServiceIntegrati public void testCheckFullCertificateValidityNotYetValid() throws Exception { // given String certSubject = "CN=SMP Test,OU=eDelivery,O=DIGITAL,C=BE"; - Calendar from = Calendar.getInstance(); - Calendar to = Calendar.getInstance(); - to.add(Calendar.DAY_OF_YEAR, 2); - from.add(Calendar.DAY_OF_YEAR, 1); - X509Certificate certificate = X509CertificateTestUtils.createX509CertificateForTest( - "10af", certSubject, certSubject, from.getTime(), to.getTime(), Collections.emptyList()); - - //then - expectedEx.expect(CertificateNotYetValidException.class); + X509Certificate certificate = X509CertificateTestUtils.createX509CertificateForTest("10af", certSubject, certSubject, + OffsetDateTime.now().plusDays(1), + OffsetDateTime.now().plusDays(1), + Collections.emptyList()); // when - testInstance.checkFullCertificateValidity(certificate); + CertificateNotYetValidException result = assertThrows(CertificateNotYetValidException.class, () -> + testInstance.checkFullCertificateValidity(certificate)); + //then + MatcherAssert.assertThat(result.getMessage(), CoreMatchers.containsString("certificate not valid till")); } @Test public void testCheckFullCertificateValidityExpired() throws Exception { // given String certSubject = "CN=SMP Test,OU=eDelivery,O=DIGITAL,C=BE"; - Calendar from = Calendar.getInstance(); - Calendar to = Calendar.getInstance(); - to.add(Calendar.DAY_OF_YEAR, -1); - from.add(Calendar.DAY_OF_YEAR, -2); + X509Certificate certificate = X509CertificateTestUtils.createX509CertificateForTest( - "10af", certSubject, certSubject, from.getTime(), to.getTime(), Collections.emptyList()); + "10af", certSubject, certSubject, + OffsetDateTime.now().minusDays(2), + OffsetDateTime.now().minusDays(1), + Collections.emptyList()); - //then - expectedEx.expect(CertificateExpiredException.class); // when - testInstance.checkFullCertificateValidity(certificate); + 
CertificateExpiredException result = assertThrows(CertificateExpiredException.class, () -> + testInstance.checkFullCertificateValidity(certificate)); + //then + MatcherAssert.assertThat(result.getMessage(), CoreMatchers.containsString("certificate expired")); } @Test @@ -306,11 +300,16 @@ public class UITruststoreServiceIntegrationTest extends AbstractServiceIntegrati to.add(Calendar.DAY_OF_YEAR, 1); from.add(Calendar.DAY_OF_YEAR, -2); X509Certificate certificate = X509CertificateTestUtils.createX509CertificateForTest( - revokedSerialFromList, S_SUBJECT_PEPPOL_NOT_TRUSTED, S_SUBJECT_PEPPOL_NOT_TRUSTED, from.getTime(), to.getTime(), Collections.singletonList(crlUrl)); - //then - expectedEx.expect(CertificateNotTrustedException.class); + revokedSerialFromList, S_SUBJECT_PEPPOL_NOT_TRUSTED, S_SUBJECT_PEPPOL_NOT_TRUSTED, + OffsetDateTime.now().minusDays(2), + OffsetDateTime.now().plusYears(1), + Collections.singletonList(crlUrl)); + // when - testInstance.checkFullCertificateValidity(certificate); + CertificateNotTrustedException result = assertThrows(CertificateNotTrustedException.class, () -> + testInstance.checkFullCertificateValidity(certificate)); + //then + MatcherAssert.assertThat(result.getMessage(), CoreMatchers.containsString("Certificate is not trusted!")); } 
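Review bot: In `testCheckFullCertificateValidityNotYetValid` the certificate is now created with both `startDate` and `expiryDate` equal to `OffsetDateTime.now().plusDays(1)`, so its validity window is only the microseconds between the two `now()` calls, whereas the removed code used +1/+2 days. The expected `CertificateNotYetValidException` still fires because `notBefore` is in the future, but the fixture no longer resembles a real certificate; change the second argument to `OffsetDateTime.now().plusDays(2)`. The expired-certificate test below correctly uses the -2/-1 pair.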
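Review bot: The `Calendar from`/`to` locals in this test are now dead: the context lines `to.add(Calendar.DAY_OF_YEAR, 1); from.add(Calendar.DAY_OF_YEAR, -2);` survive, but the certificate is built from `OffsetDateTime.now()` directly. Remove the four `Calendar` lines as the other tests in this commit do; the `Calendar.getInstance()` lines sit just above the hunk, and the enclosing test method starts outside it.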
@@ -325,20 +324,40 @@ public class UITruststoreServiceIntegrationTest extends AbstractServiceIntegrati Mockito.doReturn(crl).when(crlVerifierService).downloadCRL(ArgumentMatchers.eq(crlUrl), ArgumentMatchers.anyBoolean()); String certSubject = "CN=SMP Test,OU=eDelivery,O=DIGITAL,C=BE"; - Calendar from = Calendar.getInstance(); - Calendar to = Calendar.getInstance(); - to.add(Calendar.DAY_OF_YEAR, 1); - from.add(Calendar.DAY_OF_YEAR, -2); X509Certificate certificate = X509CertificateTestUtils.createX509CertificateForTest( - revokedSerialFromList, certSubject, certSubject, from.getTime(), to.getTime(), Collections.singletonList(crlUrl)); + revokedSerialFromList, certSubject, certSubject, + OffsetDateTime.now().minusDays(2), + OffsetDateTime.now().plusYears(1), + Collections.singletonList(crlUrl)); // add as trusted certificate testInstance.addCertificate(UUID.randomUUID().toString(), certificate); + // when + CertificateRevokedException result = assertThrows(CertificateRevokedException.class, () -> + testInstance.checkFullCertificateValidity(certificate)); + //then + MatcherAssert.assertThat(result.getMessage(), CoreMatchers.containsString("Certificate has been revoked")); + } + + @Test + public void testCheckFullCertificateValidityInvalidKey() throws Exception { + // given + String certSubject = "CN=SMP Test,OU=eDelivery,O=DIGITAL,C=BE"; + X509Certificate certificate = X509CertificateTestUtils.createX509CertificateForTest( + null, certSubject, certSubject, + OffsetDateTime.now().minusDays(2), + OffsetDateTime.now().plusYears(1), + Collections.emptyList() + ); + Mockito.doReturn(Arrays.asList("InvalidKeyTest")).when(configurationService).getAllowedCertificateKeyTypes(); + // add as trusted certificate + testInstance.addCertificate(UUID.randomUUID().toString(), certificate); + + CertificateException result = assertThrows(CertificateException.class, () -> + testInstance.checkFullCertificateValidity(certificate)); //then - 
expectedEx.expect(CertificateRevokedException.class); - // when - testInstance.checkFullCertificateValidity(certificate); + MatcherAssert.assertThat(result.getMessage(), CoreMatchers.containsString("Certificate does not have allowed key algorithm type!")); } @Test @@ -352,12 +371,11 @@ public class UITruststoreServiceIntegrationTest extends AbstractServiceIntegrati Mockito.doThrow(new SMPRuntimeException(ErrorCode.CERTIFICATE_ERROR, "Error occurred while downloading CRL:" + crlUrl, "")).when(crlVerifierService).downloadURL(crlUrl); String certSubject = "CN=SMP Test,OU=eDelivery,O=DIGITAL,C=BE"; - Calendar from = Calendar.getInstance(); - Calendar to = Calendar.getInstance(); - to.add(Calendar.DAY_OF_YEAR, 1); - from.add(Calendar.DAY_OF_YEAR, -2); X509Certificate certificate = X509CertificateTestUtils.createX509CertificateForTest( - revokedSerialFromList, certSubject, certSubject, from.getTime(), to.getTime(), Collections.singletonList(crlUrl)); + revokedSerialFromList, certSubject, certSubject, + OffsetDateTime.now().minusDays(2), + OffsetDateTime.now().plusYears(1), + Collections.singletonList(crlUrl)); // add as trusted certificate testInstance.addCertificate(UUID.randomUUID().toString(), certificate); 
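Review bot: `testCheckFullCertificateValidityInvalidKey` covers only the rejecting path; nothing checks that a certificate whose algorithm is in the configured list still passes `checkFullCertificateValidity`, that the match is case-insensitive, or that an empty list means "no restriction", so an inverted condition in `validateAllowedCertificateKeyTypes` would go unnoticed. Add a positive case mirroring this one with `Mockito.doReturn(Collections.singletonList("rsa")).when(configurationService).getAllowedCertificateKeyTypes();` and no exception expected, and prefer `Collections.singletonList` over `Arrays.asList` for the single-element stub here. Whether the `configurationService` stub is reset between tests is not visible in this hunk; if the mock is shared across the class, the `InvalidKeyTest` stub could leak into later tests.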
@@ -371,19 +389,13 @@ public class UITruststoreServiceIntegrationTest extends AbstractServiceIntegrati public void testCheckFullCertificateValidityOK() throws Exception { // given String crlUrl = "https://localhost/crl"; - String serialNotInList = "20011FF"; CertificateFactory cf = CertificateFactory.getInstance("X.509"); X509CRL crl = (X509CRL) cf.generateCRL(getClass().getResourceAsStream("/certificates/smp-crl-test.crl")); Mockito.doReturn(crl).when(crlVerifierService).downloadCRL(crlUrl, true); String certSubject = "CN=SMP Test,OU=eDelivery,O=DIGITAL,C=BE"; - Calendar from = Calendar.getInstance(); - Calendar to = Calendar.getInstance(); - to.add(Calendar.DAY_OF_YEAR, 1); - from.add(Calendar.DAY_OF_YEAR, -2); - X509Certificate certificate = X509CertificateTestUtils.createX509CertificateForTest( - serialNotInList, certSubject, certSubject, from.getTime(), to.getTime(), Collections.singletonList(crlUrl)); + X509Certificate certificate = X509CertificateTestUtils.createX509CertificateForTest(certSubject); // add as trusted certificate testInstance.addCertificate(UUID.randomUUID().toString(), certificate); diff --git a/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/testutil/TestDBUtils.java b/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/testutil/TestDBUtils.java index a10bc9d5895cd2a28b7a8ab3a1319c457145e179..afb35fca9b2bed1bbf48e1da93e1470e4e256f79 100644 --- a/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/testutil/TestDBUtils.java +++ b/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/testutil/TestDBUtils.java @@ -1,6 +1,5 @@ package eu.europa.ec.edelivery.smp.testutil; -import com.sun.org.apache.bcel.internal.generic.ARETURN; import eu.europa.ec.edelivery.smp.data.model.*; import eu.europa.ec.edelivery.smp.data.ui.enums.AlertLevelEnum; import eu.europa.ec.edelivery.smp.data.ui.enums.AlertStatusEnum; 
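Review bot: `testCheckFullCertificateValidityOK` no longer exercises the CRL path: the certificate now comes from the one-argument `createX509CertificateForTest(certSubject)`, which per `X509CertificateTestUtils` in this commit carries no CRL distribution points and a fixed serial, so the `downloadCRL(crlUrl, true)` stub and `crlUrl` local kept as context are dead and the "non-revoked serial with a reachable CRL passes" case is untested. Keep the explicit serial and distribution list: `X509Certificate certificate = X509CertificateTestUtils.createX509CertificateForTest(serialNotInList, certSubject, certSubject, OffsetDateTime.now().minusDays(2), OffsetDateTime.now().plusYears(1), Collections.singletonList(crlUrl));` with the removed `serialNotInList = "20011FF"` restored. The enclosing method continues past the hunk.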
@@ -26,7 +25,7 @@ public class TestDBUtils { } public static DBAlert createDBAlert(String username) { - return createDBAlert(username, "mail-subject", "mail.to@test.eu",AlertLevelEnum.MEDIUM, AlertTypeEnum.CREDENTIAL_IMMINENT_EXPIRATION); + return createDBAlert(username, "mail-subject", "mail.to@test.eu", AlertLevelEnum.MEDIUM, AlertTypeEnum.CREDENTIAL_IMMINENT_EXPIRATION); } public static DBAlert createDBAlert(String username, String mailSubject, diff --git a/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/testutil/X509CertificateTestUtils.java b/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/testutil/X509CertificateTestUtils.java index f02a0a01ab44bb3bf332bc77491fb983c53923a1..3a0a21a385939ad92080517fe47329ad3e60c188 100644 --- a/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/testutil/X509CertificateTestUtils.java +++ b/smp-server-library/src/test/java/eu/europa/ec/edelivery/smp/testutil/X509CertificateTestUtils.java 
@@ -1,95 +1,47 @@ package eu.europa.ec.edelivery.smp.testutil; +import eu.europa.ec.edelivery.security.utils.CertificateKeyType; import eu.europa.ec.edelivery.security.utils.X509CertificateUtils; -import org.bouncycastle.asn1.x500.X500Name; -import org.bouncycastle.asn1.x509.*; -import org.bouncycastle.cert.X509v3CertificateBuilder; -import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; -import org.bouncycastle.operator.ContentSigner; -import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.asn1.x509.KeyUsage; -import java.io.FileInputStream; import java.math.BigInteger; import java.security.KeyPair; -import java.security.KeyPairGenerator; -import java.security.KeyStore; -import java.security.PrivateKey; import java.security.cert.X509Certificate; import java.time.OffsetDateTime; -import java.util.*; -import java.util.stream.Collectors; +import java.util.Collections; +import java.util.List; public class X509CertificateTestUtils { - public static X509Certificate createX509CertificateForTest( String subject) throws Exception { - Calendar from = Calendar.getInstance(); - Calendar to = Calendar.getInstance(); - to.add(Calendar.DAY_OF_YEAR, 1); - from.add(Calendar.DAY_OF_YEAR, -1); - return createX509CertificateForTest("1234321", subject, subject, from.getTime(), to.getTime(), Collections.emptyList()); + public static X509Certificate createX509CertificateForTest(String subject) throws Exception { + return createX509CertificateForTest(null, subject, subject, + OffsetDateTime.now().minusDays(1), + OffsetDateTime.now().plusYears(1), Collections.emptyList()); } - public static X509Certificate createX509CertificateForTest(String serialNumber, String issuer, String subject, Date startDate, Date expiryDate, List<String> distributionList) throws Exception { + public static X509Certificate createX509CertificateForTest(String serialNumber, + String issuer, String subject, + OffsetDateTime startDate, OffsetDateTime expiryDate, + 
List<String> distributionList) throws Exception { - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(1024); - KeyPair key = keyGen.generateKeyPair(); - X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(new X500Name(issuer), new BigInteger(serialNumber, 16), startDate, expiryDate, new X500Name(subject), SubjectPublicKeyInfo.getInstance(key.getPublic().getEncoded())); - if (!distributionList.isEmpty()) { - - List<DistributionPoint> distributionPoints = distributionList.stream().map(url -> { - DistributionPointName distPointOne = new DistributionPointName(new GeneralNames( - new GeneralName(GeneralName.uniformResourceIdentifier, url))); - - return new DistributionPoint(distPointOne, null, null); - }).collect(Collectors.toList()); - - certBuilder.addExtension(Extension.cRLDistributionPoints, false, new CRLDistPoint(distributionPoints.toArray(new DistributionPoint[]{}))); - } - - ContentSigner sigGen = new JcaContentSignerBuilder("SHA1WithRSAEncryption").setProvider("BC").build(key.getPrivate()); - return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certBuilder.build(sigGen)); - } - - public static X509Certificate[] createCertificateChain(String[] subjects, Date startDate, Date expiryDate) throws Exception { - - String issuer = null; - PrivateKey issuerKey = null; - long iSerial = 10000; - X509Certificate[] certs = new X509Certificate[subjects.length]; - - int index = subjects.length; - for (String sbj: subjects){ - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(1024); - KeyPair key = keyGen.generateKeyPair(); - - X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(new X500Name(issuer ==null? 
sbj:issuer), - BigInteger.valueOf(iSerial++), startDate, expiryDate, new X500Name(sbj), - SubjectPublicKeyInfo.getInstance(key.getPublic().getEncoded())); - - ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WITHRSA") - .setProvider("BC").build(issuerKey ==null?key.getPrivate():issuerKey); - - certs[--index] = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certBuilder.build(sigGen)); - issuer= sbj; - issuerKey = key.getPrivate(); - - } - return certs; + KeyPair key = X509CertificateUtils.generateKeyPair(CertificateKeyType.RSA_2048); + return X509CertificateUtils.generateCertificate( + serialNumber == null ? BigInteger.TEN : new BigInteger(serialNumber, 16), key.getPublic(), subject, startDate, expiryDate, issuer, + key.getPrivate(), false, -1, null, + distributionList, Collections.emptyList(), Collections.emptyList()); } + public static X509Certificate createX509CertificateForTest(String subject, BigInteger serial, List<String> listOfPolicyOIDs) throws Exception { - public static X509Certificate createX509CertificateForTest( String subject, BigInteger serial, List<String> listOfPolicyOIDs) throws Exception { - KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); - keyGen.initialize(2048); - KeyPair key = keyGen.generateKeyPair(); + KeyPair key = X509CertificateUtils.generateKeyPair(CertificateKeyType.RSA_2048); KeyUsage usage = new KeyUsage(244); - X509Certificate cert = X509CertificateUtils.createCertificate(serial, + X509Certificate cert = X509CertificateUtils.generateCertificate(serial, key.getPublic(), subject, OffsetDateTime.now().minusDays(1L), - OffsetDateTime.now().plusYears(5L), (String)null, - key.getPrivate(), false, -1, usage, "SHA256withRSA",listOfPolicyOIDs); + OffsetDateTime.now().plusYears(5L), (String) null, + key.getPrivate(), false, -1, usage, + Collections.emptyList(), Collections.emptyList(), + listOfPolicyOIDs); return cert; } 
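Review bot: The six-argument `createX509CertificateForTest` now accepts a null `serialNumber` and silently substitutes `BigInteger.TEN`, while still parsing non-null values as hex via `new BigInteger(serialNumber, 16)`, but neither overload documents this. Every certificate built through the one-argument overload therefore shares serial 10, which matters for tests that check revocation by serial against a CRL; add `@param serialNumber certificate serial as a hexadecimal string; null selects the fixed default serial 10` on the six-argument method and state on the one-argument overload that it yields a certificate with no CRL distribution points. Removing the public `createCertificateChain` utility is an API change for the test module; any test outside this diff that still calls it will fail to compile.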
diff --git a/smp-webapp/src/main/smp-setup/database-scripts/mysql5innodb.ddl b/smp-webapp/src/main/smp-setup/database-scripts/mysql5innodb.ddl index 4ef6624f6504c2e945a9a964e26e8b350717398a..c486d9b35b617885d38f8e04d235da948a247a99 100644 --- a/smp-webapp/src/main/smp-setup/database-scripts/mysql5innodb.ddl +++ b/smp-webapp/src/main/smp-setup/database-scripts/mysql5innodb.ddl @@ -122,7 +122,7 @@ SML_BLUE_COAT_AUTH bit not null comment 'Flag for SML authentication type - use ClientCert header or HTTPS ClientCertificate (key)', SML_CLIENT_CERT_HEADER varchar(4000) CHARACTER SET utf8 COLLATE utf8_bin comment 'Client-Cert header used behind RP - ClientCertHeader for SML integration', SML_CLIENT_KEY_ALIAS varchar(256) CHARACTER SET utf8 COLLATE utf8_bin comment 'Client key alias used for SML integration', - SML_PARTC_IDENT_REGEXP varchar(4000) CHARACTER SET utf8 COLLATE utf8_bin comment 'Reqular expresion for participant ids', + SML_PARTC_IDENT_REGEXP varchar(4000) CHARACTER SET utf8 COLLATE utf8_bin comment 'Regular expresion for participant ids', SML_REGISTERED bit not null comment 'Flag for: Is domain registered in SML', SML_SMP_ID varchar(256) CHARACTER SET utf8 COLLATE utf8_bin comment 'SMP ID used for SML integration', SML_SUBDOMAIN varchar(256) CHARACTER SET utf8 COLLATE utf8_bin comment 'SML subdomain', diff --git a/smp-webapp/src/main/smp-setup/database-scripts/oracle10g.ddl b/smp-webapp/src/main/smp-setup/database-scripts/oracle10g.ddl index c87600879d218d6f87009ef2c55203d047e55e27..55ff05abe62c6e1412cc5efef0010f4f3dfb9320 100644 --- a/smp-webapp/src/main/smp-setup/database-scripts/oracle10g.ddl +++ b/smp-webapp/src/main/smp-setup/database-scripts/oracle10g.ddl 
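Review bot: The corrected column comment still misspells "expression": the new line reads `'Regular expresion for participant ids'`, and the same spelling remains in the oracle10g.ddl hunk that follows. Fix both to `'Regular expression for participant ids'` while these lines are being touched.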
@@ -213,7 +213,7 @@ create sequence SMP_USER_SEQ start with 1 increment by 1; 'Client key alias used for SML integration'; comment on column SMP_DOMAIN.SML_PARTC_IDENT_REGEXP is - 'Reqular expresion for participant ids'; + 'Regular expresion for participant ids'; comment on column SMP_DOMAIN.SML_REGISTERED is 'Flag for: Is domain registered in SML';