From 07d8e61298f4eed2c0e0a75bea38aefbcf7ad7a8 Mon Sep 17 00:00:00 2001
From: Mikhail Puzanov
Date: Wed, 29 Nov 2023 17:49:43 +0100
Subject: [PATCH] Make ValidityPeriods return validity periods instead of object builders

---
 src/main/java/net/ripe/rpki/ta/TA.java | 41 ++++++++-------
 .../ripe/rpki/ta/util/ValidityPeriods.java | 52 ++++++++-----------
 2 files changed, 46 insertions(+), 47 deletions(-)

diff --git a/src/main/java/net/ripe/rpki/ta/TA.java b/src/main/java/net/ripe/rpki/ta/TA.java
index 29da79c..fb9e49e 100644
--- a/src/main/java/net/ripe/rpki/ta/TA.java
+++ b/src/main/java/net/ripe/rpki/ta/TA.java
@@ -9,6 +9,7 @@
 import net.ripe.ipresource.IpResourceSet;
 import net.ripe.ipresource.IpResourceType;
 import net.ripe.rpki.commons.crypto.CertificateRepositoryObject;
+import net.ripe.rpki.commons.crypto.ValidityPeriod;
 import net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms;
 import net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder;
 import net.ripe.rpki.commons.crypto.crl.X509Crl;
@@ -60,6 +61,8 @@ public class TA {
     @Getter
     private TAState state;
+    private final ValidityPeriods validityPeriods;
+
     public static TA initialise(Config config) throws GeneralSecurityException, IOException {
         final KeyPairFactory keyPairFactory = new KeyPairFactory(config.getKeystoreProvider());
         final KeyPair rootKeyPair = keyPairFactory.withProvider(config.getKeypairGeneratorProvider()).generate();
@@ -75,6 +78,7 @@ public static TA load(Config config) throws IOException {
     private TA(TAState state) {
         this.state = state;
+        this.validityPeriods = new ValidityPeriods(state.getConfig());
     }
     private static TAState createTaState(Config config, KeyPair keyPair) throws GeneralSecurityException, IOException {
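Review bot: `validityPeriods` is computed once in the constructor from `state.getConfig()`, while `state` itself is declared without `final` (`@Getter private TAState state;` in the hunk at line 60); if `state` is ever replaced with one carrying a different Config, the periods silently keep using the original one. If the field is never reassigned, `private final TAState state;` would document that invariant; otherwise the periods should be derived from the current state at each call rather than cached. A field comment such as `// Bound to the Config of the state passed at construction; keep in sync if state is replaced.` would make the coupling visible either way. `TA.initialise` and `createTaState` start in these hunks but continue past them.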
@@ -152,7 +156,7 @@ private static X509ResourceCertificate issueRootCertificate(
         final BigInteger serial,
         final String signatureProvider
     ) {
-        final X509ResourceCertificateBuilder taBuilder = ValidityPeriods.taCertificateBuilder();
+        final X509ResourceCertificateBuilder taBuilder = new X509ResourceCertificateBuilder();
         taBuilder.withCa(true);
         taBuilder.withKeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign);
@@ -160,6 +164,7 @@ private static X509ResourceCertificate issueRootCertificate(
         taBuilder.withSubjectDN(trustAnchorName);
         taBuilder.withSerial(serial);
         taBuilder.withResources(ALL_RESOURCES_SET);
+        taBuilder.withValidityPeriod(ValidityPeriods.taCertificate());
         taBuilder.withPublicKey(rootKeyPair.getPublic());
         taBuilder.withSigningKeyPair(rootKeyPair);
         taBuilder.withSignatureProvider(signatureProvider);
@@ -173,7 +178,7 @@ private X509ResourceCertificate reIssueRootCertificate(final KeyPair rootKeyPair
         final X509CertificateInformationAccessDescriptor[] extraSiaDescriptors,
         final X509ResourceCertificate currentTaCertificate,
         final BigInteger serial) {
-        final X509ResourceCertificateBuilder taCertificateBuilder = ValidityPeriods.taCertificateBuilder();
+        final X509ResourceCertificateBuilder taCertificateBuilder = new X509ResourceCertificateBuilder();
         taCertificateBuilder.withCa(true);
         taCertificateBuilder.withKeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign);
@@ -181,6 +186,7 @@ private X509ResourceCertificate reIssueRootCertificate(final KeyPair rootKeyPair
         taCertificateBuilder.withSubjectDN(state.getConfig().getTrustAnchorName());
         taCertificateBuilder.withSerial(serial);
         taCertificateBuilder.withResources(ALL_RESOURCES_SET);
+        taCertificateBuilder.withValidityPeriod(ValidityPeriods.taCertificate());
         taCertificateBuilder.withPublicKey(rootKeyPair.getPublic());
         taCertificateBuilder.withSigningKeyPair(rootKeyPair);
         taCertificateBuilder.withSignatureProvider(getSignatureProvider());
@@ -443,10 +449,13 @@ private Map updateObjectsToBePublished(final S
     private X509Crl createNewCrl(final SignCtx signCtx) {
         final X500Principal issuer = signCtx.taCertificate.getSubject();
-        final X509CrlBuilder builder = ValidityPeriods.crlBuilder(state.getConfig())
+        final ValidityPeriod validityPeriod = validityPeriods.crl();
+        final X509CrlBuilder builder = new X509CrlBuilder()
             .withAuthorityKeyIdentifier(signCtx.keyPair.getPublic())
             .withNumber(nextCrlNumber(signCtx.taState))
             .withIssuerDN(issuer)
+            .withThisUpdateTime(validityPeriod.getNotValidBefore())
+            .withNextUpdateTime(validityPeriod.getNotValidAfter())
             .withSignatureProvider(getSignatureProvider());
         fillRevokedObjects(builder, signCtx.taState.getSignedProductionCertificates());
         fillRevokedObjects(builder, signCtx.taState.getPreviousTaCertificates());
@@ -496,7 +505,7 @@ private X509ResourceCertificate signAllResourcesCertificate(final ResourceCertif
             )
         };
-        final X509ResourceCertificateBuilder builder = ValidityPeriods.allResourcesCertificateBuilder();
+        final X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
         builder.withCa(true);
         builder.withIssuerDN(issuer);
         builder.withSubjectDN(request.getSubjectDN());
@@ -507,6 +516,7 @@ private X509ResourceCertificate signAllResourcesCertificate(final ResourceCertif
         builder.withAuthorityKeyIdentifier(true);
         builder.withCrlDistributionPoints(TaNames.crlPublicationUri(taProductsPublicationUri, issuer));
         builder.withResources(ALL_RESOURCES_SET);
+        builder.withValidityPeriod(validityPeriods.allResourcesCertificate());
         builder.withSubjectInformationAccess(request.getSubjectInformationAccess());
         builder.withSignatureProvider(getSignatureProvider());
         builder.withAuthorityInformationAccess(taAIA);
@@ -516,7 +526,7 @@ private X509ResourceCertificate signAllResourcesCertificate(final ResourceCertif
     private X509ResourceCertificate createEeCertificateForManifest(KeyPair eeKeyPair, final SignCtx signCtx) {
         X500Principal eeSubject = new X500Principal("CN=" + KeyPairUtil.getAsciiHexEncodedPublicKeyHash(eeKeyPair.getPublic()));
-        RpkiSignedObjectEeCertificateBuilder builder = ValidityPeriods.eeCertBuilder(state.getConfig());
+        RpkiSignedObjectEeCertificateBuilder builder = new RpkiSignedObjectEeCertificateBuilder();
         final X500Principal caName = signCtx.taCertificate.getSubject();
         final URI taCertificatePublicationUri = signCtx.taState.getConfig().getTaCertificatePublicationUri();
@@ -525,6 +535,7 @@ private X509ResourceCertificate createEeCertificateForManifest(KeyPair eeKeyPair
         builder.withSerial(nextIssuedCertSerial(signCtx.taState));
         builder.withPublicKey(eeKeyPair.getPublic());
         builder.withSigningKeyPair(signCtx.keyPair);
+        builder.withValidityPeriod(validityPeriods.eeCert());
         builder.withParentResourceCertificatePublicationUri(TaNames.certificatePublicationUri(taCertificatePublicationUri, caName));
         builder.withCrlUri(TaNames.crlPublicationUri(signCtx.taState.getConfig().getTaProductsPublicationUri(), caName));
         builder.withCorrespondingCmsPublicationPoint(TaNames.manifestPublicationUri(signCtx.taState.getConfig().getTaProductsPublicationUri(), caName));
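Review bot: `validityPeriods.eeCert()` here and `validityPeriods.manifest()` in `createBasicManifestBuilder` are two independent calls that each read `ValidityPeriods.now()` through `cmsValidityPeriod()`, so the manifest EE certificate's validity and the manifest's thisUpdate/nextUpdate coincide only as long as `now()` returns the same stored `globalNow` between the two calls. The manifest profile (RFC 9286) expects those two intervals to line up, and a relying party that checks it would reject a manifest where they drift. Computing a single `ValidityPeriod` in the caller that builds both objects and handing it to each builder would make that coupling explicit instead of a property of the clock helper; the caller is not in the hunk, so this may already be arranged there. The remainder of `createEeCertificateForManifest` lies outside the hunk.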
@@ -534,10 +545,13 @@ private X509ResourceCertificate createEeCertificateForManifest(KeyPair eeKeyPair
     }
     private ManifestCmsBuilder createBasicManifestBuilder(X509ResourceCertificate eeCertificate, final SignCtx signCtx) {
-        return ValidityPeriods.manifestBuilder(state.getConfig()).
-            withCertificate(eeCertificate).
-            withManifestNumber(nextManifestNumber(signCtx.taState)).
-            withSignatureProvider(getSignatureProvider());
+        ValidityPeriod validityPeriod = validityPeriods.manifest();
+        return new ManifestCmsBuilder().
+            withCertificate(eeCertificate)
+            .withNextUpdateTime(validityPeriod.getNotValidBefore())
+            .withThisUpdateTime(validityPeriod.getNotValidAfter())
+            .withManifestNumber(nextManifestNumber(signCtx.taState))
+            .withSignatureProvider(getSignatureProvider());
     }
     private BigInteger nextCrlNumber(final TAState taState) {
@@ -579,15 +593,6 @@ private void revokeAllIssuedResourceCertificates(final TAState taState) {
         taState.getSignedProductionCertificates().forEach(SignedResourceCertificate::revoke);
     }
-    private DateTime calculateNextUpdateTime(final DateTime now) {
-        final DateTime minimum = now.plus(state.getConfig().getMinimumValidityPeriod());
-        DateTime result = now;
-        while (result.isBefore(minimum)) {
-            result = result.plus(state.getConfig().getUpdatePeriod());
-        }
-        return result;
-    }
-
     private String getSignatureProvider() {
         return state.getConfig().getSignatureProvider();
     }
diff --git a/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java b/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java
index 215625e..b1d8011 100644
--- a/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java
+++ b/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java
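Review bot: The manifest window is wired up backwards in `createBasicManifestBuilder`: `.withNextUpdateTime(validityPeriod.getNotValidBefore())` followed by `.withThisUpdateTime(validityPeriod.getNotValidAfter())` gives nextUpdate the start of the period and thisUpdate its end, so every manifest this trust anchor signs would carry a thisUpdate later than its nextUpdate and relying parties would treat it as invalid or stale. The `ValidityPeriods.manifestBuilder` removed by this commit had them the right way round, as does `createNewCrl` in the same commit; the fix is `.withThisUpdateTime(validityPeriod.getNotValidBefore())` then `.withNextUpdateTime(validityPeriod.getNotValidAfter())`. A unit test asserting that a built manifest's thisUpdate precedes its nextUpdate would have caught this. The `new ManifestCmsBuilder().` line with a trailing dot also mixes styles with the leading-dot continuations beneath it; `new ManifestCmsBuilder()` with `.withCertificate(eeCertificate)` on the next line keeps the chain uniform.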
@@ -1,10 +1,6 @@
 package net.ripe.rpki.ta.util;
 import net.ripe.rpki.commons.crypto.ValidityPeriod;
-import net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder;
-import net.ripe.rpki.commons.crypto.crl.X509CrlBuilder;
-import net.ripe.rpki.commons.crypto.x509cert.RpkiSignedObjectEeCertificateBuilder;
-import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder;
 import net.ripe.rpki.ta.config.Config;
 import org.joda.time.DateTime;
 import org.joda.time.DateTimeZone;
@@ -24,40 +20,38 @@ public static synchronized DateTime now() {
         return globalNow;
     }
-    public static ManifestCmsBuilder manifestBuilder(Config config) {
-        final ManifestCmsBuilder builder = new ManifestCmsBuilder();
-        final DateTime thisUpdateTime = ValidityPeriods.now();
-        final DateTime nextUpdateTime = calculateNextUpdateTime(config, thisUpdateTime);
-        return builder
-            .withNextUpdateTime(nextUpdateTime)
-            .withThisUpdateTime(thisUpdateTime);
-    }
+    private final Config config;
-    public static RpkiSignedObjectEeCertificateBuilder eeCertBuilder(Config config) {
-        final RpkiSignedObjectEeCertificateBuilder builder = new RpkiSignedObjectEeCertificateBuilder();
-        final DateTime thisUpdateTime = ValidityPeriods.now();
-        final DateTime nextUpdateTime = calculateNextUpdateTime(config, thisUpdateTime);
-        builder.withValidityPeriod(new ValidityPeriod(thisUpdateTime, nextUpdateTime));
-        return builder;
+    public ValidityPeriods(Config config) {
+        this.config = config;
     }
-    public static X509ResourceCertificateBuilder allResourcesCertificateBuilder() {
-        final X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
+    public ValidityPeriod allResourcesCertificate() {
         final DateTime notValidBefore = ValidityPeriods.now();
-        return builder.withValidityPeriod(new ValidityPeriod(notValidBefore, calculateTaCertValidityNotAfter(notValidBefore)));
+        return new ValidityPeriod(notValidBefore, calculateTaCertValidityNotAfter(notValidBefore));
     }
-    public static X509ResourceCertificateBuilder taCertificateBuilder() {
-        final X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder();
+    public static ValidityPeriod taCertificate() {
         final DateTime notValidBefore = ValidityPeriods.now();
-        return builder.withValidityPeriod(new ValidityPeriod(notValidBefore, notValidBefore.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS)));
+        return new ValidityPeriod(notValidBefore, notValidBefore.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS));
+    }
+
+    public ValidityPeriod crl() {
+        return cmsValidityPeriod();
+    }
+
+    public ValidityPeriod manifest() {
+        return cmsValidityPeriod();
+    }
+
+    public ValidityPeriod eeCert() {
+        return cmsValidityPeriod();
     }
-    public static X509CrlBuilder crlBuilder(Config config) {
+    private ValidityPeriod cmsValidityPeriod() {
         final DateTime thisUpdateTime = ValidityPeriods.now();
-        return new X509CrlBuilder()
-            .withThisUpdateTime(thisUpdateTime)
-            .withNextUpdateTime(calculateNextUpdateTime(config, thisUpdateTime));
+        final DateTime nextUpdateTime = calculateNextUpdateTime(thisUpdateTime);
+        return new ValidityPeriod(thisUpdateTime, nextUpdateTime);
     }
     /**
@@ -67,7 +61,7 @@ private static DateTime calculateTaCertValidityNotAfter(final DateTime dateTime)
         return new DateTime(dateTime.getYear() + 1, 1, 1, 0, 0, 0, 0, DateTimeZone.UTC).plusMonths(6);
     }
-    private static DateTime calculateNextUpdateTime(Config config, final DateTime now) {
+    private DateTime calculateNextUpdateTime(final DateTime now) {
         final DateTime minimum = now.plus(config.getMinimumValidityPeriod());
         DateTime result = now;
         while (result.isBefore(minimum)) {
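Review bot: `allResourcesCertificate()` is an instance method but, like the static `taCertificate()`, reads only `ValidityPeriods.now()` and the static `calculateTaCertValidityNotAfter`, never `config`; TA.java consequently calls `ValidityPeriods.taCertificate()` and `validityPeriods.allResourcesCertificate()` side by side, and making both static (or both instance) would remove that asymmetry. The new public methods `crl()`, `manifest()` and `eeCert()` carry no Javadoc; a comment on `cmsValidityPeriod()` such as `/** Window from now() to the first update-period step at or after now() + minimum validity period; each call reads now() afresh. */` would tell a reader what the three share (the step loop's body is outside this hunk, so that wording is taken from the copy removed from TA.java and should be checked against it). The constructor stores `config` unchecked, so a null only surfaces later inside `calculateNextUpdateTime`; `this.config = Objects.requireNonNull(config, "config");` with `java.util.Objects` imported fails at construction instead. `calculateNextUpdateTime` continues past the end of the hunk.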