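/**
 * Public constructor.
 *
 * @param hashAlg the hash algorithm used to calculate the signer id (the
 *     base-64 encoding of the hash of the PkiPath-encoding of the cert chain).
 * @param certs the cert chain used by this signer. The signer's cert is first
 *     and the CA's cert is last. Must contain at least one cert.
 * @param domain the domain that the certificates are issued to. This should
 *     match the CN in the target certificate; this constructor does not check
 *     that, callers of {@link #getDomain()} are responsible for it.
 * @throws SignatureException if the certs couldn't be parsed into a cert
 *     chain, or if the hash couldn't be calculated.
 * @throws IllegalArgumentException if {@code certs} is empty.
 */
public SignerInfo(HashAlgorithm hashAlg, List<X509Certificate> certs, String domain)
    throws SignatureException {
  // An empty chain has no signer certificate, so there is nothing to identify.
  // (The original message was missing a space: "onecert".)
  Preconditions.checkArgument(!certs.isEmpty(), "need at least one cert in the chain");
  try {
    this.protobuf = ProtocolSignerInfo.newBuilder()
        .setHashAlgorithm(hashAlg)
        .setDomain(domain)
        .addAllCertificate(getCertificatesAsListOfByteArrays(certs))
        .build();
  } catch (CertificateEncodingException e) {
    // getEncoded() failed on one of the certs; surface it as the single checked
    // exception type callers of this class already handle.
    throw new SignatureException("couldn't parse certificates", e);
  }
  this.certChain = ImmutableList.copyOf(certs);
  this.signerId = calculateSignerId(this.certChain);
}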
@Override
public void onSuccess(ProtocolSignerInfo signerInfo) {
  // Only the domain is logged; the certificate bytes are not echoed into the log.
  final String domain = signerInfo.getDomain();
  LOG.info("Signer info prefetch success for " + domain);
  countDown.run();
}
};
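/**
 * Looks up the signer info stored under {@code signerId}.
 *
 * @param signerId the id the record is keyed by (see getDBObjectForSignerId).
 * @return the parsed signer info, or {@code null} when there is no record or
 *     the stored record could not be parsed (the failure is logged).
 */
@Override
public SignerInfo getSignerInfo(byte[] signerId) {
  DBObject query = getDBObjectForSignerId(signerId);
  DBCollection signerInfoCollection = getSignerInfoCollection();
  DBObject signerInfoDBObject = signerInfoCollection.findOne(query);
  // Sub-class contract specifies return null when not found.
  if (signerInfoDBObject == null) {
    return null;
  }
  byte[] protobuff = (byte[]) signerInfoDBObject.get("protoBuff");
  if (protobuff == null) {
    // The record exists but carries no payload; report it and treat it as not
    // found instead of handing null to the protobuf parser.
    LOG.log(Level.SEVERE, "Signer info record in MongoDB has no protoBuff field");
    return null;
  }
  try {
    return new SignerInfo(ProtocolSignerInfo.parseFrom(protobuff));
  } catch (InvalidProtocolBufferException e) {
    // Log the payload size rather than the array itself: concatenating a byte[]
    // only prints its identity hash, which is useless for diagnosis.
    LOG.log(Level.SEVERE, "Couldn't parse the protobuff stored in MongoDB ("
        + protobuff.length + " bytes)", e);
  } catch (SignatureException e) {
    LOG.log(Level.SEVERE, "Couldn't parse the certificate chain or domain properly", e);
  }
  // A stored record that fails to parse is reported as not found; callers
  // cannot distinguish this from a genuinely missing entry.
  return null;
}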
/**
 * Returns the signer info for {@code signerId}, consulting the in-memory store
 * first and falling back to the on-disk file.
 *
 * @param signerId id of the signer to look up.
 * @return the signer info, or {@code null} when neither store knows the id.
 * @throws SignatureException if the file exists but cannot be read or parsed.
 */
@Override
public SignerInfo getSignerInfo(byte[] signerId) throws SignatureException {
  synchronized (certPathStore) {
    SignerInfo cached = certPathStore.getSignerInfo(signerId);
    // NOTE(review): signerIdToFileName is assumed to map the id to a path inside
    // the store directory without using the raw bytes — confirm in that helper.
    File signerFile = new File(signerIdToFileName(signerId));
    if (cached != null) {
      return cached;
    }
    if (!signerFile.exists()) {
      return null;
    }
    FileInputStream in = null;
    try {
      in = new FileInputStream(signerFile);
      ProtocolSignerInfo stored = ProtocolSignerInfo.newBuilder().mergeFrom(in).build();
      return new SignerInfo(stored);
    } catch (SignatureException | IOException e) {
      throw new SignatureException(
          "Failed to parse signer info from file: " + signerFile.getAbsolutePath(), e);
    } finally {
      // Close failures are logged by the helper rather than masking the real error.
      FileUtils.closeAndIgnoreException(in, signerFile, LOG);
    }
  }
}
/**
 * Persists {@code protoSignerInfo} to its file and then to the in-memory store.
 *
 * @param protoSignerInfo the signer info to store; the file is named after the
 *     signer id derived from its certificate chain.
 * @throws SignatureException if the chain cannot be parsed or the file cannot
 *     be written.
 */
@Override
public void putSignerInfo(ProtocolSignerInfo protoSignerInfo) throws SignatureException {
  synchronized (certPathStore) {
    // Parsing the chain (and deriving the id the file is named after) happens
    // before anything is written, so malformed input never reaches disk.
    SignerInfo signerInfo = new SignerInfo(protoSignerInfo);
    File signerFile = new File(signerIdToFileName(signerInfo.getSignerId()));
    byte[] encoded = protoSignerInfo.toByteArray();
    FileOutputStream out = null;
    try {
      // NOTE(review): written in place; a crash mid-write leaves a truncated
      // file that getSignerInfo will then fail to parse.
      out = new FileOutputStream(signerFile);
      out.write(encoded);
      out.flush();
      // Only record in the in-memory store once the file write has succeeded.
      certPathStore.putSignerInfo(protoSignerInfo);
    } catch (IOException e) {
      throw new SignatureException(
          "Failed to write signer info to file: " + signerFile.getAbsolutePath(), e);
    } finally {
      FileUtils.closeAndIgnoreException(out, signerFile, LOG);
    }
  }
}
}
/**
 * Handles an incoming signer info post by handing it to the certificate manager.
 *
 * @param destinationDomain the domain the post was addressed to (unused here).
 * @param signerInfo the signer info offered by the remote peer.
 * @param listener receives success, or a bad-request failure when storing fails.
 */
@Override
public void postSignerInfo(String destinationDomain, ProtocolSignerInfo signerInfo,
    PostSignerInfoResponseListener listener) {
  try {
    certificateManager.storeSignerInfo(signerInfo);
  } catch (SignatureException e) {
    // Only the claimed domain goes back to the remote peer; the exception
    // detail stays in the local log.
    final String claimedDomain = signerInfo.getDomain();
    final String error = "verification failure from domain " + claimedDomain;
    LOG.warning("incoming postSignerInfo: " + error, e);
    listener.onFailure(FederationErrors.badRequest(error));
    return;
  }
  listener.onSuccess();
}
/**
 * Returns the domain this signer claims to belong to.
 *
 * <p>The value is taken from the protobuf as-is; nothing here checks it against
 * the certificate chain. Clients of this interface must verify that the domain
 * matches the principal the target certificate was issued to.
 */
public String getDomain() {
  final String claimedDomain = protobuf.getDomain();
  return claimedDomain;
}
/**
 * Returns the hash algorithm that was used to calculate the signer id from the
 * certificate chain, as recorded in the protobuf.
 */
public HashAlgorithm getHashAlgorithm() {
  final HashAlgorithm algorithm = protobuf.getHashAlgorithm();
  return algorithm;
}
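/**
 * Public constructor from a protobuf.
 *
 * <p>Only parses the certificates and derives the signer id; nothing in this
 * constructor validates the chain against a trust anchor or checks that the
 * domain matches the target certificate.
 *
 * @param protobuf the serialized signer info (hash algorithm, domain and
 *     certificate chain, signer's cert first).
 * @throws SignatureException if the chain is empty, if the certificates
 *     couldn't be parsed, or if the signer id couldn't be calculated.
 */
public SignerInfo(ProtocolSignerInfo protobuf) throws SignatureException {
  // The list-based constructor rejects an empty chain; enforce the same
  // invariant here. Raised as SignatureException so existing callers, which
  // already handle that type, do not see a new unchecked failure.
  if (protobuf.getCertificateCount() == 0) {
    throw new SignatureException("need at least one cert in the chain");
  }
  this.protobuf = protobuf;
  this.certChain = getCertificatesFromListOfByteArrays(protobuf.getCertificateList());
  this.signerId = calculateSignerId(this.certChain);
}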
/**
 * Stores {@code protocolSignerInfo} in MongoDB keyed by its signer id.
 *
 * @param protocolSignerInfo the signer info to store.
 * @throws SignatureException if the certificate chain cannot be parsed.
 */
@Override
public void putSignerInfo(ProtocolSignerInfo protocolSignerInfo) throws SignatureException {
  // The key is derived from the certificate chain itself, never taken from the caller.
  byte[] signerId = new SignerInfo(protocolSignerInfo).getSignerId();
  // Whole-document save with _id set gives an implicit upsert; rebuilding the
  // object is cheap, so no update modifier is needed.
  DBObject record = getDBObjectForSignerId(signerId);
  record.put("protoBuff", protocolSignerInfo.toByteArray());
  getSignerInfoCollection().save(record);
}
/** Builds a two-cert chain from a protobuf and checks the derived signer id. */
public void testGetSignerId_fromProtobuf() throws Exception {
  ByteString serverCert =
      ByteString.copyFrom(CertConstantUtil.SERVER_PUB_CERT.getEncoded());
  ByteString intermediateCert =
      ByteString.copyFrom(CertConstantUtil.INTERMEDIATE_PUB_CERT.getEncoded());
  ProtocolSignerInfo.Builder builder = ProtocolSignerInfo.newBuilder();
  builder.setHashAlgorithm(HashAlgorithm.SHA256);
  builder.addCertificate(serverCert);
  builder.addCertificate(intermediateCert);
  builder.setDomain(DOMAIN);
  signerInfo = new SignerInfo(builder.build());
  // Expected: base-64 of the SHA-256 hash over the PkiPath encoding of the chain.
  String expectedSignerId = "zBYbw+lLkXGao+LfNWbv/faS+yAlsAmUfCNqXBxeFtI=";
  assertEquals(expectedSignerId, base64(signerInfo.getSignerId()));
}
/** Builds a two-cert chain from a protobuf and checks the derived signer id. */
public void testGetSignerId_fromProtobuf() throws Exception {
  ByteString serverCert =
      ByteString.copyFrom(CertConstantUtil.SERVER_PUB_CERT.getEncoded());
  ByteString intermediateCert =
      ByteString.copyFrom(CertConstantUtil.INTERMEDIATE_PUB_CERT.getEncoded());
  ProtocolSignerInfo.Builder builder = ProtocolSignerInfo.newBuilder();
  builder.setHashAlgorithm(HashAlgorithm.SHA256);
  builder.addCertificate(serverCert);
  builder.addCertificate(intermediateCert);
  builder.setDomain(DOMAIN);
  signerInfo = new SignerInfo(builder.build());
  // Expected: base-64 of the SHA-256 hash over the PkiPath encoding of the chain.
  String expectedSignerId = "zBYbw+lLkXGao+LfNWbv/faS+yAlsAmUfCNqXBxeFtI=";
  assertEquals(expectedSignerId, base64(signerInfo.getSignerId()));
}