Skip to content

Commit

Permalink
Import cmc project from ca-engine
Browse files Browse the repository at this point in the history
  • Loading branch information
Razumain committed Jan 27, 2022
1 parent aa5d76b commit 5ab74a0
Show file tree
Hide file tree
Showing 71 changed files with 7,632 additions and 1 deletion.
32 changes: 32 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
.DS_Store

*.class

# Mobile Tools for Java (J2ME)
.mtj.tmp/

# Package Files #
*.jar
*.war
*.ear

.metadata
.classpath
.project
.settings
.springBeans
target
Servers
logs
generated
MANIFEST.MF
test-output
.factorypath

# Intelij
*.iml
.idea
out

# virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
hs_err_pid*
177 changes: 176 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -1 +1,176 @@
# ca-cmc
# CMC API for Certification Authority integration
____

This is an implementation of a CMC API for the CA engine with a narrowed scope to provide the essential functions of the CA via an open restful API.

This CMC implementation supports two classes of requests:

- Requests from an authorized RA (issue, revoke and get certificate)
- Requests for additional administrative operations

The main difference between these classes of requests is that the request from an authorized RA relies purely on standard CMC request and response data defined in RFC 5272 while requests for additional administrative operations makes use of custom request and response data objects defined for this implementation profile.

## Response and request syntax
### Generic request and response syntax

This implementation of CMC is based on full PKI requests and full PKI responses only. All requests and responses have the form of CMS signatures carrying a CMC request or response data according to RFC 5272.

The PKIData structure of requests only contains a controlSequence for control attributes and optionally a reqSequence for any certificate requests.

The PKIResponse structure of responses only contains a controlSequence

the cmcSequence and the otherMsgSequence in both requests and responses are always empty.

The following control attributes are used in requests:

Control attribute | Usage | Presence
---|---|---
senderNonce | A unique byte array value | SHALL be present in all requests
regInfo | Carry implementation specific data for each request type | Conditional on request type
getCert | Used only in requests to get a specific certificate | SHALL be present in getCert requests and SHALL NOT be present in any other request
lraPOPWitness | Used with CRMF certificate requests | SHALL be present when CRMF certificate request format is used
revokeRequest | Used only in requests to revoke a certificate | SHALL be present in revoke requests and SHALL NOT be present in any other request


The following control attributes are used in responses:

Control attribute | Usage | Presence
---|---|---
recipientNonce | The nonce value of the corresponding request | SHALL be present in all responses
responseInfo | Carry implementation specific data for each request type | Conditional on request type
statusInfoV2 | Status information of the response | SHALL be present in all responses

All control attributes above are defined in RFC 5272.


### Requests from authorized RA

Standard requests from an authorized RA is limited to the following functions:

- Certificate requests
- Certificate revocation
- Obtaining a specific certificate from the CA database

The reason for this set of functions is that the scope of this implementation is limited to a specific use case where the RA acts as the exclusive entity that is authorized to request or revoke certificates on behalf of certificate subjects. The certificate subject has no direct contact with the CA in this scenario. As such we eliminate all need for a state machine and callback scenarios with multiple entities where for example one entity requests the certificate and another entity approves the certificate or similar. This reduces the protocol to a simple request/response protocol where the result is delivered directly as a response to any supported request.

#### Certificate requests

Certificate requests makes use of one of the following request formats:

- PKCS#10
- CRMF

The PKCS#10 format MAY be used when the private key of the certificate subject is available to sign the certificate request as part of a POP process (Proof Of Possession). This can be achieved in several ways, for example where the actual subject provides a signed PKCS#10 to the RA or where the RA generates the key on behalf of the subject and therefore has access to the key to sign the PKCS#10 request.

In all other cases where the RA can't provide a PKCS#10 request signed by the certificate subject's private key, the RA must assert to the certificate subjects POP of the private key by other means and assert this through the lraPOPWitness control attribute. In these cases, the PKCS#10 request format can't be used and therefore the Certificate Request Message Format (CRMF) must be used.

Responses to a successful certificate request is provided in a signed PKIResponse object. The certificate that was issued, if any, is provided among the CMS certificates as defined in RFC 5272.

#### Revocation requests

Revocation requests make use of the revokeRequest control attribute, specifying the issuer name, certificate serial number of the certificate to revoke, reason code and revocation date.

Successful revocation status is delivered in the response using the statusInfoV2 control attribute.

#### Get cert requests

The GetCert request makes use of the getCert control attribute to specify the issuer and the certificate serial number of the certificate to return. Returned certificate is included in the response exactly in the same way as when certificates are issued. i.e., in the set of certificates in the CMS SingedData structure.

### Request for administrative operations

All requests for administrative operations make use of the regInfo control attribute to hold custom request data and uses the responseInfo control attribute to return data in responses related to these custom requests.

The following administrative operations are currently supported:

- Get information about the target CA
- List all certificate serial numbers
- Get Certificates from the CA repository

All admin service requests provide request data as a JSON string. This JSON string is a JSON serialization of the class se.swedenconnect.ca.cmc.model.admin.AdminCMCData

AdminCMCData holds two data parameters:

```
/** Type of admin request */
private AdminRequestType adminRequestType;
/** Admin request/response data */
private String data;
```

The data string holds another JSON string that contains the JSON serialization of the data object associated with the specified AdminRequestType declaration.

The following table illustrate what data objects that are passed as request and response database

AdminRequestType | Request data | Response data
---|---|---
caInfo | absent | se.swedenconnect.ca.cmc.model.admin.response.CAInformation
listCerts | se.swedenconnect.ca.cmc.model.admin.request.ListCerts | List<se.swedenconnect.ca.cmc.model.admin.response.CertificateData>
allCertSerials | absent | List<String> (Serialnumbers as hex strings)


## CMC API

This CMC API integration library provides java classes that can be used by both the client and the CA to implement this API.

### CA integration

A API for the CA is implemented using the interface class se.swedenconnect.ca.cmc.api.CMCCaApi

This interface is implemented by the AbstractCMCCaApi and by the AbstractAdminCMCCaApi classes where AbstractCMCCaApi holds basic functions that should be valid for any implementation and where AbstractCMCCaApi adds a typical implementation of all custom admin functions. Finally there is a complete default implementation. The class DefaultCMCCaApi. The complete implementation must also provide functions for generating the final certificate content of any issued certificates.

The CMCCaApi has one function:
> CMCResponse processRequest (CMCRequest cmcRequest)
This function takes a CMCRequest as input and feeds that into the CA service and then returns the result of that operation in the form of a CMCResponse.


The DefaultCMCCaApi can be instantiated as follows:

```
CAService ca = getCAService(); //provide an implementation of the CA service interface
ContentSigner contentSigner = getContentSigner(); // Provide a CMS Content signer
List<X509Certificate> cmsSignerCerts = getResponseSignerCerts(); // Provide the CMS signer certificates
X509Certificate trustedClientCert = getTrustedClientCert(); // Provide a trusted client CMS signer certificate
CMCResponseFactory cmcResponseFactory = new CMCResponseFactory(cmsSignerCerts, contentSigner);
CMCRequestParser cmcRequestParser = new CMCRequestParser(new DefaultCMCValidator(trustedClientCert),
new DefaultCMCReplayChecker());
CMCCaApi cmcCaApi = new DefaultCMCCaApi(ca, cmcRequestParser, cmcResponseFactory);
```

All requests to the CA is then handled by processing incoming CMC requests and returning the resulting CMC response by executing the function as follows:

CMCResponse response = cmcCaApi.processRequest(cmcRequest)

### Client integration

The client which may be an RA or a CA admin service, implements functioins to generate CMC Requests and to parse the CMCResponses returned from the CA.

CMCReqeusts are created by an object of the se.swedenconnect.ca.cmc.api.CMCReqeustFactory class which may be instantiated as a Bean in a Spring application.

CMCResponses are parsed by an object of the se.swedenconnect.ca.cmc.api.CMCResponseParser class, which also can be instantiated as a Bean.

The following illustrates typical instantiations of these classes:

```
ContentSigner contentSigner = getContentSigner(); // Provide a CMS Content signer for the client
List<X509Certificate> clientSignerCerts = getClientSignerCerts(); // Provide the CMS signer certificates
X509Certificate caSignerCert = getCaSignerCert(); // Provide the trusted CA signer certificate
PublicKey caPublicKey = getCAPublicKey(); // Provide the public key of the CA
CMCRequestFactory cmcRequestFactory = new CMCRequestFactory(clientSignerCerts, contentSigner);
CMCResponseParser cmcResponseParser = new CMCResponseParser(new DefaultCMCValidator(caSignerCert, caPublicKey);
```

A CMC request is then created by providing a CMCRequestModel as input to the cmcRequestFactory as follows:

> CMCRequest cmcRequest = cmcRequestFactory.getCMCRequest(requestModel);
Four different implementations of CMCRequestModel are provided:

- CMCCertificateRequestModel
- CMCRevokeRequestModel
- CMCGetCertRequestModel
- CMCAdminRequestModel
119 changes: 119 additions & 0 deletions pom.xml
Original file line number Diff line number Diff line change
@@ -0,0 +1,119 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
~ Copyright (c) 2021. Agency for Digital Government (DIGG)
~
~ Licensed under the Apache License, Version 2.0 (the "License");
~ you may not use this file except in compliance with the License.
~ You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing, software
~ distributed under the License is distributed on an "AS IS" BASIS,
~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
~ See the License for the specific language governing permissions and
~ limitations under the License.
-->

<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>

<groupId>se.swedenconnect.ca</groupId>
<artifactId>cmc</artifactId>
<version>1.0.3-SNAPSHOT</version>

<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>11</maven.compiler.target>
<ca.engine.version>1.0.4</ca.engine.version>
<slf4j.version>1.7.31</slf4j.version>
</properties>

<dependencies>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.16</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>se.swedenconnect.ca</groupId>
<artifactId>ca-engine</artifactId>
<version>${ca.engine.version}</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk15on</artifactId>
<version>1.67</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.12.4</version>
</dependency>
<!-- Scope TEST -->
<dependency>
<groupId>se.idsec.sigval.base</groupId>
<artifactId>cert-validation</artifactId>
<version>1.0.2</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-simple</artifactId>
<version>${slf4j.version}</version>
<scope>test</scope>
</dependency>
</dependencies>

<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>3.0.0-M5</version>
<configuration>
<parallel>methods</parallel>
<threadCount>10</threadCount>
</configuration>
</plugin>
<!-- run mvn jacoco:report -->
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>0.8.5</version>
<executions>
<execution>
<goals>
<goal>prepare-agent</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>3.2.0</version>
<configuration>
<doctitle>CA engine - ${project.version}</doctitle>
<windowtitle>CA engine - ${project.version}</windowtitle>
<source>8</source>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.8.1</version>
<configuration>
<source>10</source>
<target>10</target>
</configuration>
</plugin>
</plugins>
</build>


</project>
43 changes: 43 additions & 0 deletions src/main/java/se/swedenconnect/ca/cmc/api/CMCCaApi.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
/*
* Copyright (c) 2021. Agency for Digital Government (DIGG)
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package se.swedenconnect.ca.cmc.api;

import se.swedenconnect.ca.cmc.api.data.CMCRequest;
import se.swedenconnect.ca.cmc.api.data.CMCResponse;

import java.io.IOException;
import java.security.cert.CertificateException;

/**
* The main interface for the CMC API
*
* @author Martin Lindström (martin@idsec.se)
* @author Stefan Santesson (stefan@idsec.se)
*/
public interface CMCCaApi {

/**
* Process a CMC Request in the context of a CA service. This function shall never throw an exception caused by
* errors in the request. Any such error condition is captured in an error response with appropriate error code
* and a suitable error message.
*
* @param cmcRequestBytes the CMC request providing a request for service
* @return a CMC response providing the status and result data as a result of the service request
*/
CMCResponse processRequest (byte[] cmcRequestBytes);

}
Loading

0 comments on commit 5ab74a0

Please sign in to comment.