Make ValidityPeriods return validity periods instead of object builders
lolepezy committed Nov 29, 2023
1 parent 6dd1282 commit 07d8e61
Showing 2 changed files with 46 additions and 47 deletions.
41 changes: 23 additions & 18 deletions src/main/java/net/ripe/rpki/ta/TA.java
Expand Up @@ -9,6 +9,7 @@
import net.ripe.ipresource.IpResourceSet;
import net.ripe.ipresource.IpResourceType;
import net.ripe.rpki.commons.crypto.CertificateRepositoryObject;
import net.ripe.rpki.commons.crypto.ValidityPeriod;
import net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms;
import net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder;
import net.ripe.rpki.commons.crypto.crl.X509Crl;
Expand Down Expand Up @@ -60,6 +61,8 @@ public class TA {
@Getter
private TAState state;

private final ValidityPeriods validityPeriods;

public static TA initialise(Config config) throws GeneralSecurityException, IOException {
final KeyPairFactory keyPairFactory = new KeyPairFactory(config.getKeystoreProvider());
final KeyPair rootKeyPair = keyPairFactory.withProvider(config.getKeypairGeneratorProvider()).generate();
Expand All @@ -75,6 +78,7 @@ public static TA load(Config config) throws IOException {

private TA(TAState state) {
this.state = state;
this.validityPeriods = new ValidityPeriods(state.getConfig());
}

private static TAState createTaState(Config config, KeyPair keyPair) throws GeneralSecurityException, IOException {
Expand Down Expand Up @@ -152,14 +156,15 @@ private static X509ResourceCertificate issueRootCertificate(
final BigInteger serial,
final String signatureProvider
) {
final X509ResourceCertificateBuilder taBuilder = ValidityPeriods.taCertificateBuilder();
final X509ResourceCertificateBuilder taBuilder = new X509ResourceCertificateBuilder();

taBuilder.withCa(true);
taBuilder.withKeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign);
taBuilder.withIssuerDN(trustAnchorName);
taBuilder.withSubjectDN(trustAnchorName);
taBuilder.withSerial(serial);
taBuilder.withResources(ALL_RESOURCES_SET);
taBuilder.withValidityPeriod(ValidityPeriods.taCertificate());
taBuilder.withPublicKey(rootKeyPair.getPublic());
taBuilder.withSigningKeyPair(rootKeyPair);
taBuilder.withSignatureProvider(signatureProvider);
Expand All @@ -173,14 +178,15 @@ private X509ResourceCertificate reIssueRootCertificate(final KeyPair rootKeyPair
final X509CertificateInformationAccessDescriptor[] extraSiaDescriptors,
final X509ResourceCertificate currentTaCertificate,
final BigInteger serial) {
final X509ResourceCertificateBuilder taCertificateBuilder = ValidityPeriods.taCertificateBuilder();
final X509ResourceCertificateBuilder taCertificateBuilder = new X509ResourceCertificateBuilder();

taCertificateBuilder.withCa(true);
taCertificateBuilder.withKeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign);
taCertificateBuilder.withIssuerDN(state.getConfig().getTrustAnchorName());
taCertificateBuilder.withSubjectDN(state.getConfig().getTrustAnchorName());
taCertificateBuilder.withSerial(serial);
taCertificateBuilder.withResources(ALL_RESOURCES_SET);
taCertificateBuilder.withValidityPeriod(ValidityPeriods.taCertificate());
taCertificateBuilder.withPublicKey(rootKeyPair.getPublic());
taCertificateBuilder.withSigningKeyPair(rootKeyPair);
taCertificateBuilder.withSignatureProvider(getSignatureProvider());
Expand Down Expand Up @@ -443,10 +449,13 @@ private Map<URI, CertificateRepositoryObject> updateObjectsToBePublished(final S

private X509Crl createNewCrl(final SignCtx signCtx) {
final X500Principal issuer = signCtx.taCertificate.getSubject();
final X509CrlBuilder builder = ValidityPeriods.crlBuilder(state.getConfig())
final ValidityPeriod validityPeriod = validityPeriods.crl();
final X509CrlBuilder builder = new X509CrlBuilder()
.withAuthorityKeyIdentifier(signCtx.keyPair.getPublic())
.withNumber(nextCrlNumber(signCtx.taState))
.withIssuerDN(issuer)
.withThisUpdateTime(validityPeriod.getNotValidBefore())
.withNextUpdateTime(validityPeriod.getNotValidAfter())
.withSignatureProvider(getSignatureProvider());
fillRevokedObjects(builder, signCtx.taState.getSignedProductionCertificates());
fillRevokedObjects(builder, signCtx.taState.getPreviousTaCertificates());
Expand Down Expand Up @@ -496,7 +505,7 @@ private X509ResourceCertificate signAllResourcesCertificate(final ResourceCertif
)
};

final X509ResourceCertificateBuilder builder = ValidityPeriods.allResourcesCertificateBuilder();
final X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
builder.withCa(true);
builder.withIssuerDN(issuer);
builder.withSubjectDN(request.getSubjectDN());
Expand All @@ -507,6 +516,7 @@ private X509ResourceCertificate signAllResourcesCertificate(final ResourceCertif
builder.withAuthorityKeyIdentifier(true);
builder.withCrlDistributionPoints(TaNames.crlPublicationUri(taProductsPublicationUri, issuer));
builder.withResources(ALL_RESOURCES_SET);
builder.withValidityPeriod(validityPeriods.allResourcesCertificate());
builder.withSubjectInformationAccess(request.getSubjectInformationAccess());
builder.withSignatureProvider(getSignatureProvider());
builder.withAuthorityInformationAccess(taAIA);
Expand All @@ -516,7 +526,7 @@ private X509ResourceCertificate signAllResourcesCertificate(final ResourceCertif
private X509ResourceCertificate createEeCertificateForManifest(KeyPair eeKeyPair, final SignCtx signCtx) {
X500Principal eeSubject = new X500Principal("CN=" + KeyPairUtil.getAsciiHexEncodedPublicKeyHash(eeKeyPair.getPublic()));

RpkiSignedObjectEeCertificateBuilder builder = ValidityPeriods.eeCertBuilder(state.getConfig());
RpkiSignedObjectEeCertificateBuilder builder = new RpkiSignedObjectEeCertificateBuilder();

final X500Principal caName = signCtx.taCertificate.getSubject();
final URI taCertificatePublicationUri = signCtx.taState.getConfig().getTaCertificatePublicationUri();
Expand All @@ -525,6 +535,7 @@ private X509ResourceCertificate createEeCertificateForManifest(KeyPair eeKeyPair
builder.withSerial(nextIssuedCertSerial(signCtx.taState));
builder.withPublicKey(eeKeyPair.getPublic());
builder.withSigningKeyPair(signCtx.keyPair);
builder.withValidityPeriod(validityPeriods.eeCert());
builder.withParentResourceCertificatePublicationUri(TaNames.certificatePublicationUri(taCertificatePublicationUri, caName));
builder.withCrlUri(TaNames.crlPublicationUri(signCtx.taState.getConfig().getTaProductsPublicationUri(), caName));
builder.withCorrespondingCmsPublicationPoint(TaNames.manifestPublicationUri(signCtx.taState.getConfig().getTaProductsPublicationUri(), caName));
Expand All @@ -534,10 +545,13 @@ private X509ResourceCertificate createEeCertificateForManifest(KeyPair eeKeyPair
}

private ManifestCmsBuilder createBasicManifestBuilder(X509ResourceCertificate eeCertificate, final SignCtx signCtx) {
return ValidityPeriods.manifestBuilder(state.getConfig()).
withCertificate(eeCertificate).
withManifestNumber(nextManifestNumber(signCtx.taState)).
withSignatureProvider(getSignatureProvider());
ValidityPeriod validityPeriod = validityPeriods.manifest();
return new ManifestCmsBuilder().
withCertificate(eeCertificate)
.withNextUpdateTime(validityPeriod.getNotValidBefore())
.withThisUpdateTime(validityPeriod.getNotValidAfter())
.withManifestNumber(nextManifestNumber(signCtx.taState))
.withSignatureProvider(getSignatureProvider());
}

private BigInteger nextCrlNumber(final TAState taState) {
Expand Down Expand Up @@ -579,15 +593,6 @@ private void revokeAllIssuedResourceCertificates(final TAState taState) {
taState.getSignedProductionCertificates().forEach(SignedResourceCertificate::revoke);
}

private DateTime calculateNextUpdateTime(final DateTime now) {
final DateTime minimum = now.plus(state.getConfig().getMinimumValidityPeriod());
DateTime result = now;
while (result.isBefore(minimum)) {
result = result.plus(state.getConfig().getUpdatePeriod());
}
return result;
}

private String getSignatureProvider() {
return state.getConfig().getSignatureProvider();
}
Expand Down
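Review bot: In createBasicManifestBuilder the two timestamps are crossed: `.withNextUpdateTime(validityPeriod.getNotValidBefore())` followed by `.withThisUpdateTime(validityPeriod.getNotValidAfter())` puts the start of the period into nextUpdate and its end into thisUpdate, the opposite of what createNewCrl does a few hunks earlier with `.withThisUpdateTime(validityPeriod.getNotValidBefore())` / `.withNextUpdateTime(validityPeriod.getNotValidAfter())` and of what the removed manifestBuilder helper produced. Every manifest signed through this path would then carry a thisUpdate that lies in the future and a nextUpdate that is already past, which relying parties would presumably reject or treat as stale from the moment it is published. Swapping the two getters restores the intended mapping: `.withThisUpdateTime(validityPeriod.getNotValidBefore())` and `.withNextUpdateTime(validityPeriod.getNotValidAfter())`. The trailing dot in `return new ManifestCmsBuilder().` followed by leading dots on the next lines also mixes two chaining styles and is worth normalising while the lines are touched. A test asserting that the built manifest's thisUpdate precedes its nextUpdate would have caught the inversion.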
52 changes: 23 additions & 29 deletions src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java
@@ -1,10 +1,6 @@
package net.ripe.rpki.ta.util;

import net.ripe.rpki.commons.crypto.ValidityPeriod;
import net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder;
import net.ripe.rpki.commons.crypto.crl.X509CrlBuilder;
import net.ripe.rpki.commons.crypto.x509cert.RpkiSignedObjectEeCertificateBuilder;
import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder;
import net.ripe.rpki.ta.config.Config;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
Expand All @@ -24,40 +20,38 @@ public static synchronized DateTime now() {
return globalNow;
}

public static ManifestCmsBuilder manifestBuilder(Config config) {
final ManifestCmsBuilder builder = new ManifestCmsBuilder();
final DateTime thisUpdateTime = ValidityPeriods.now();
final DateTime nextUpdateTime = calculateNextUpdateTime(config, thisUpdateTime);
return builder
.withNextUpdateTime(nextUpdateTime)
.withThisUpdateTime(thisUpdateTime);
}
private final Config config;

public static RpkiSignedObjectEeCertificateBuilder eeCertBuilder(Config config) {
final RpkiSignedObjectEeCertificateBuilder builder = new RpkiSignedObjectEeCertificateBuilder();
final DateTime thisUpdateTime = ValidityPeriods.now();
final DateTime nextUpdateTime = calculateNextUpdateTime(config, thisUpdateTime);
builder.withValidityPeriod(new ValidityPeriod(thisUpdateTime, nextUpdateTime));
return builder;
public ValidityPeriods(Config config) {
this.config = config;
}

public static X509ResourceCertificateBuilder allResourcesCertificateBuilder() {
final X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
public ValidityPeriod allResourcesCertificate() {
final DateTime notValidBefore = ValidityPeriods.now();
return builder.withValidityPeriod(new ValidityPeriod(notValidBefore, calculateTaCertValidityNotAfter(notValidBefore)));
return new ValidityPeriod(notValidBefore, calculateTaCertValidityNotAfter(notValidBefore));
}

public static X509ResourceCertificateBuilder taCertificateBuilder() {
final X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
public static ValidityPeriod taCertificate() {
final DateTime notValidBefore = ValidityPeriods.now();
return builder.withValidityPeriod(new ValidityPeriod(notValidBefore, notValidBefore.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS)));
return new ValidityPeriod(notValidBefore, notValidBefore.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS));
}

public ValidityPeriod crl() {
return cmsValidityPeriod();
}

public ValidityPeriod manifest() {
return cmsValidityPeriod();
}

public ValidityPeriod eeCert() {
return cmsValidityPeriod();
}

public static X509CrlBuilder crlBuilder(Config config) {
private ValidityPeriod cmsValidityPeriod() {
final DateTime thisUpdateTime = ValidityPeriods.now();
return new X509CrlBuilder()
.withThisUpdateTime(thisUpdateTime)
.withNextUpdateTime(calculateNextUpdateTime(config, thisUpdateTime));
final DateTime nextUpdateTime = calculateNextUpdateTime(thisUpdateTime);
return new ValidityPeriod(thisUpdateTime, nextUpdateTime);
}

/**
Expand All @@ -67,7 +61,7 @@ private static DateTime calculateTaCertValidityNotAfter(final DateTime dateTime)
return new DateTime(dateTime.getYear() + 1, 1, 1, 0, 0, 0, 0, DateTimeZone.UTC).plusMonths(6);
}

private static DateTime calculateNextUpdateTime(Config config, final DateTime now) {
private DateTime calculateNextUpdateTime(final DateTime now) {
final DateTime minimum = now.plus(config.getMinimumValidityPeriod());
DateTime result = now;
while (result.isBefore(minimum)) {
Expand Down
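Review bot: The new public accessors crl(), manifest() and eeCert() carry no Javadoc, and because the period they return is consumed as thisUpdate/nextUpdate by the CRL and manifest builders in TA.java, the mapping should be stated where callers look, e.g. on cmsValidityPeriod(): `/** Shared period for CRL, manifest and EE certificate: notValidBefore is the issuance (thisUpdate) instant, notValidAfter the nextUpdate instant computed from the configured minimum validity period and update period. */`, plus a one-line summary on each of the three public methods. taCertificate() is the only period that stays static while its sibling allResourcesCertificate() became an instance method, although neither reads config; keeping them alike would stop callers from mixing `ValidityPeriods.taCertificate()` with `validityPeriods.allResourcesCertificate()`. calculateNextUpdateTime, whose body continues below the hunk, still advances result by config.getUpdatePeriod() until it reaches the minimum, so a zero or negative update period would presumably never terminate; a positivity check on both periods in the new constructor would fail fast on misconfiguration instead.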
