From cf754a84ed0407f6096148330c1c18eec7abcadc Mon Sep 17 00:00:00 2001 From: Mikhail Puzanov Date: Thu, 16 Nov 2023 17:06:14 +0100 Subject: [PATCH 1/9] Uae globalNow() instead of calling DataTime.now() in multiple places. --- src/main/java/net/ripe/rpki/ta/TA.java | 30 ++++++++++++++++++-------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/src/main/java/net/ripe/rpki/ta/TA.java b/src/main/java/net/ripe/rpki/ta/TA.java index bf7a803..736f2e1 100644 --- a/src/main/java/net/ripe/rpki/ta/TA.java +++ b/src/main/java/net/ripe/rpki/ta/TA.java @@ -82,7 +82,9 @@ private static TAState createTaState(Config config, KeyPair keyPair) throws Gene final TAStateBuilder taStateBuilder = new TAStateBuilder(config); final X509CertificateInformationAccessDescriptor[] descriptors = generateSiaDescriptors(config); final KeyStore keyStore = KeyStore.of(config); - final byte[] encoded = keyStore.encode(keyPair, issueRootCertificate(config.getTrustAnchorName(), keyPair, descriptors, BigInteger.ONE, config.getSignatureProvider())); + final X509ResourceCertificate rootCert = issueRootCertificate(config.getTrustAnchorName(), + keyPair, descriptors, BigInteger.ONE, config.getSignatureProvider()); + final byte[] encoded = keyStore.encode(keyPair, rootCert); return createTaState(taStateBuilder, encoded, keyStore, BigInteger.ONE); } @@ -164,7 +166,7 @@ private static X509ResourceCertificate issueRootCertificate( taBuilder.withSignatureProvider(signatureProvider); taBuilder.withAuthorityKeyIdentifier(false); - final DateTime now = DateTime.now(DateTimeZone.UTC); + final DateTime now = SignCtx.globalNow(); taBuilder.withValidityPeriod(new ValidityPeriod(now, now.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS))); taBuilder.withSubjectInformationAccess(descriptors); 
@@ -189,7 +191,7 @@ private X509ResourceCertificate reIssueRootCertificate(final KeyPair rootKeyPair taCertificateBuilder.withSignatureProvider(getSignatureProvider()); taCertificateBuilder.withAuthorityKeyIdentifier(false); - final DateTime now = DateTime.now(DateTimeZone.UTC); + final DateTime now = SignCtx.globalNow(); taCertificateBuilder.withValidityPeriod(new ValidityPeriod(now, now.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS))); taCertificateBuilder.withSubjectInformationAccess(merge(currentTaCertificate.getSubjectInformationAccess(), extraSiaDescriptors)); @@ -286,8 +288,7 @@ private Pair processRequest(final TrustAnchorReque final Pair decoded = keyStore.decode(state.getEncoded()); TAState newTAState = copyTAState(state); - SignCtx signCtx = new SignCtx(request, newTAState, DateTime.now(DateTimeZone.UTC), - decoded.getRight(), decoded.getLeft()); + SignCtx signCtx = new SignCtx(request, newTAState, decoded.getRight(), decoded.getLeft()); // First process revocation requests, before processing the "revoke all issued resource certificates" command // line option. Otherwise error responses are generated due to requesting a revocation for an already revoked @@ -328,7 +329,7 @@ private Pair processRequest(final TrustAnchorReque TAStateBuilder taStateBuilder = new TAStateBuilder(newTAState); taStateBuilder.withCrl(newTAState.getCrl()); newTAState = createTaState(taStateBuilder, keyStore.encode(keyPair, newTACertificate), keyStore, nextSerial); - signCtx = new SignCtx(request, newTAState, DateTime.now(DateTimeZone.UTC), newTACertificate, keyPair); + signCtx = new SignCtx(request, newTAState, newTACertificate, keyPair); } // Process sign requests _after_ revoking all issued certificates (command line option), to avoid immediately 
@@ -453,7 +454,7 @@ private X509Crl createNewCrl(final SignCtx signCtx) { return createNewCrl(signCtx.keyPair, signCtx.taState, signCtx.taCertificate.getSubject(), signCtx.now); } - private X509Crl createNewCrl(final KeyPair keyPair, final TAState taState, final X500Principal issuer, final DateTime now) { + private X509Crl createNewCrl(final KeyPair keyPair, final TAState taState, final X500Principal issuer, final DateTime now) { final X509CrlBuilder builder = new X509CrlBuilder() .withAuthorityKeyIdentifier(keyPair.getPublic()) .withNumber(nextCrlNumber(taState)) @@ -629,13 +630,24 @@ private static class SignCtx { final X509ResourceCertificate taCertificate; final KeyPair keyPair; - private SignCtx(TrustAnchorRequest request, TAState taState, DateTime now, X509ResourceCertificate taCertificate, KeyPair keyPair) { + private SignCtx(TrustAnchorRequest request, TAState taState, X509ResourceCertificate taCertificate, KeyPair keyPair) { this.request = request; this.taState = taState; - this.now = now; + this.now = SignCtx.globalNow(); this.taCertificate = taCertificate; this.keyPair = keyPair; } + + static DateTime globalNow; + + // Since this program runs within a script, we can safely assume that all + // calls to "now" can be replaced with a value calculated only once. + static synchronized DateTime globalNow() { + if (globalNow == null) { + globalNow = DateTime.now(DateTimeZone.UTC); + } + return globalNow; + } } } From 1024a31b6187618870b12890a3abd5ebaf33d996 Mon Sep 17 00:00:00 2001 From: Mikhail Puzanov Date: Thu, 16 Nov 2023 17:08:49 +0100 Subject: [PATCH 2/9] Use SignCtx.globalNow() everywhere --- src/main/java/net/ripe/rpki/ta/TA.java | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/src/main/java/net/ripe/rpki/ta/TA.java b/src/main/java/net/ripe/rpki/ta/TA.java index 736f2e1..d9676a4 100644 --- a/src/main/java/net/ripe/rpki/ta/TA.java +++ b/src/main/java/net/ripe/rpki/ta/TA.java 
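Review bot: `static DateTime globalNow;` in the new SignCtx code is package-private and non-final, so any class in the package can reassign the shared signing timestamp after some objects have already been stamped with it; unless a test deliberately sets it, declare it `private static DateTime globalNow;`. The instance field `now` is now always filled from `SignCtx.globalNow()` in the constructor, so it duplicates the static accessor and gives a second place the signing time could drift from if a per-request time is ever reintroduced. The comment on `globalNow()` should also say what the single value buys, e.g. `// One timestamp per run so the TA certificate, CRL and manifest validity windows line up exactly.`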
@@ -451,7 +451,7 @@ private Map updateObjectsToBePublished(final S } private X509Crl createNewCrl(final SignCtx signCtx) { - return createNewCrl(signCtx.keyPair, signCtx.taState, signCtx.taCertificate.getSubject(), signCtx.now); + return createNewCrl(signCtx.keyPair, signCtx.taState, signCtx.taCertificate.getSubject(), SignCtx.globalNow()); } private X509Crl createNewCrl(final KeyPair keyPair, final TAState taState, final X500Principal issuer, final DateTime now) { @@ -477,7 +477,7 @@ private void fillRevokedObjects(X509CrlBuilder builder, List Date: Thu, 16 Nov 2023 17:10:44 +0100 Subject: [PATCH 3/9] Adjust readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 224bdd0..141f222 100644 --- a/README.md +++ b/README.md @@ -16,6 +16,7 @@ Changelog --------- ### main: + * Use the same timestamp for signing all the objects (TA certificate, MFT, CRL) * Publish docker image to GHCR insetead of dockerhub * Updated github actions * Add feature to revoke objects that TA0 knows off, but are not requested From 4f73bd32cd18a21a78e62d9e1f8201f06efabbc9 Mon Sep 17 00:00:00 2001 From: Mikhail Puzanov Date: Mon, 20 Nov 2023 15:23:22 +0100 Subject: [PATCH 4/9] Introduce separate Timing class, more explicit naming --- src/main/java/net/ripe/rpki/ta/TA.java | 67 +++++++++---------- .../legacy/SignedObjectTracker.java | 33 ++------- .../java/net/ripe/rpki/ta/util/Timing.java | 18 +++++ 3 files changed, 56 insertions(+), 62 deletions(-) create mode 100644 src/main/java/net/ripe/rpki/ta/util/Timing.java diff --git a/src/main/java/net/ripe/rpki/ta/TA.java b/src/main/java/net/ripe/rpki/ta/TA.java index d9676a4..75e2005 100644 --- a/src/main/java/net/ripe/rpki/ta/TA.java +++ b/src/main/java/net/ripe/rpki/ta/TA.java 
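Review bot: `createNewCrl(signCtx)` now passes `SignCtx.globalNow()` while the constructor of SignCtx still stores the same value in `signCtx.now`, so the field goes unread here and the code shows two apparently different sources for the CRL's thisUpdate time. Either keep passing `signCtx.now`, or drop the `now` field from SignCtx so the signing time has exactly one origin. The overload on the following line keeps an explicit `final DateTime now` parameter, which reads as if callers may supply an arbitrary instant; a comment such as `// now is always the run-wide signing timestamp from SignCtx.globalNow()` would make the contract explicit.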
@@ -34,6 +34,7 @@ import net.ripe.rpki.ta.serializers.legacy.SignedObjectTracker; import net.ripe.rpki.ta.serializers.legacy.SignedResourceCertificate; import net.ripe.rpki.ta.util.PublishedObjectsUtil; +import net.ripe.rpki.ta.util.Timing; import org.apache.commons.lang3.tuple.Pair; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.x509.KeyUsage; @@ -166,9 +167,8 @@ private static X509ResourceCertificate issueRootCertificate( taBuilder.withSignatureProvider(signatureProvider); taBuilder.withAuthorityKeyIdentifier(false); - final DateTime now = SignCtx.globalNow(); - taBuilder.withValidityPeriod(new ValidityPeriod(now, now.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS))); - + final DateTime notValidBefore = Timing.now(); + taBuilder.withValidityPeriod(new ValidityPeriod(notValidBefore, notValidBefore.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS))); taBuilder.withSubjectInformationAccess(descriptors); return taBuilder.build(); @@ -191,8 +191,8 @@ private X509ResourceCertificate reIssueRootCertificate(final KeyPair rootKeyPair taCertificateBuilder.withSignatureProvider(getSignatureProvider()); taCertificateBuilder.withAuthorityKeyIdentifier(false); - final DateTime now = SignCtx.globalNow(); - taCertificateBuilder.withValidityPeriod(new ValidityPeriod(now, now.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS))); + final DateTime notValidBefore = Timing.now(); + taCertificateBuilder.withValidityPeriod(new ValidityPeriod(notValidBefore, notValidBefore.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS))); taCertificateBuilder.withSubjectInformationAccess(merge(currentTaCertificate.getSubjectInformationAccess(), extraSiaDescriptors)); 
@@ -451,21 +451,19 @@ private Map updateObjectsToBePublished(final S } private X509Crl createNewCrl(final SignCtx signCtx) { - return createNewCrl(signCtx.keyPair, signCtx.taState, signCtx.taCertificate.getSubject(), SignCtx.globalNow()); - } - - private X509Crl createNewCrl(final KeyPair keyPair, final TAState taState, final X500Principal issuer, final DateTime now) { + final X500Principal issuer = signCtx.taCertificate.getSubject(); + final DateTime thisUpdateTime = Timing.now(); final X509CrlBuilder builder = new X509CrlBuilder() - .withAuthorityKeyIdentifier(keyPair.getPublic()) - .withNumber(nextCrlNumber(taState)) + .withAuthorityKeyIdentifier(signCtx.keyPair.getPublic()) + .withNumber(nextCrlNumber(signCtx.taState)) .withIssuerDN(issuer) - .withThisUpdateTime(now) - .withNextUpdateTime(calculateNextUpdateTime(now)) + .withThisUpdateTime(thisUpdateTime) + .withNextUpdateTime(calculateNextUpdateTime(thisUpdateTime)) .withSignatureProvider(getSignatureProvider()); - fillRevokedObjects(builder, taState.getSignedProductionCertificates()); - fillRevokedObjects(builder, taState.getPreviousTaCertificates()); - fillRevokedObjects(builder, taState.getSignedManifests()); - return builder.build(keyPair.getPrivate()); + fillRevokedObjects(builder, signCtx.taState.getSignedProductionCertificates()); + fillRevokedObjects(builder, signCtx.taState.getPreviousTaCertificates()); + fillRevokedObjects(builder, signCtx.taState.getSignedManifests()); + return builder.build(signCtx.keyPair.getPrivate()); } private void fillRevokedObjects(X509CrlBuilder builder, List revokedObjects) { 
@@ -477,15 +475,16 @@ private void fillRevokedObjects(X509CrlBuilder builder, List Date: Tue, 28 Nov 2023 16:59:58 +0100 Subject: [PATCH 5/9] Move all validity period-related code to one class --- src/main/java/net/ripe/rpki/ta/TA.java | 53 +++---------- .../legacy/SignedObjectTracker.java | 6 +- .../java/net/ripe/rpki/ta/util/Timing.java | 18 ----- .../ripe/rpki/ta/util/ValidityPeriods.java | 74 +++++++++++++++++++ 4 files changed, 88 insertions(+), 63 deletions(-) delete mode 100644 src/main/java/net/ripe/rpki/ta/util/Timing.java create mode 100644 src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java diff --git a/src/main/java/net/ripe/rpki/ta/TA.java b/src/main/java/net/ripe/rpki/ta/TA.java index 75e2005..f5bc54c 100644 --- a/src/main/java/net/ripe/rpki/ta/TA.java +++ b/src/main/java/net/ripe/rpki/ta/TA.java @@ -9,7 +9,6 @@ import net.ripe.ipresource.IpResourceSet; import net.ripe.ipresource.IpResourceType; import net.ripe.rpki.commons.crypto.CertificateRepositoryObject; -import net.ripe.rpki.commons.crypto.ValidityPeriod; import net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms; import net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder; import net.ripe.rpki.commons.crypto.crl.X509Crl; @@ -34,7 +33,7 @@ import net.ripe.rpki.ta.serializers.legacy.SignedObjectTracker; import net.ripe.rpki.ta.serializers.legacy.SignedResourceCertificate; import net.ripe.rpki.ta.util.PublishedObjectsUtil; -import net.ripe.rpki.ta.util.Timing; +import net.ripe.rpki.ta.util.ValidityPeriods; import org.apache.commons.lang3.tuple.Pair; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.x509.KeyUsage; @@ -55,7 +54,6 @@ @Slf4j(topic = "TA") public class TA { - private static final int TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS = 100; public static final IpResourceSet ALL_RESOURCES_SET = IpResourceSet.parse("AS0-AS4294967295, 0/0, 0::/0"); 
@@ -154,7 +152,7 @@ private static X509ResourceCertificate issueRootCertificate( final BigInteger serial, final String signatureProvider ) { - final X509ResourceCertificateBuilder taBuilder = new X509ResourceCertificateBuilder(); + final X509ResourceCertificateBuilder taBuilder = ValidityPeriods.taCertificateBuilder(); taBuilder.withCa(true); taBuilder.withKeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign); @@ -166,9 +164,6 @@ private static X509ResourceCertificate issueRootCertificate( taBuilder.withSigningKeyPair(rootKeyPair); taBuilder.withSignatureProvider(signatureProvider); taBuilder.withAuthorityKeyIdentifier(false); - - final DateTime notValidBefore = Timing.now(); - taBuilder.withValidityPeriod(new ValidityPeriod(notValidBefore, notValidBefore.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS))); taBuilder.withSubjectInformationAccess(descriptors); return taBuilder.build(); @@ -178,7 +173,7 @@ private X509ResourceCertificate reIssueRootCertificate(final KeyPair rootKeyPair final X509CertificateInformationAccessDescriptor[] extraSiaDescriptors, final X509ResourceCertificate currentTaCertificate, final BigInteger serial) { - final X509ResourceCertificateBuilder taCertificateBuilder = new X509ResourceCertificateBuilder(); + final X509ResourceCertificateBuilder taCertificateBuilder = ValidityPeriods.taCertificateBuilder(); taCertificateBuilder.withCa(true); taCertificateBuilder.withKeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign); 
@@ -190,10 +185,6 @@ private X509ResourceCertificate reIssueRootCertificate(final KeyPair rootKeyPair taCertificateBuilder.withSigningKeyPair(rootKeyPair); taCertificateBuilder.withSignatureProvider(getSignatureProvider()); taCertificateBuilder.withAuthorityKeyIdentifier(false); - - final DateTime notValidBefore = Timing.now(); - taCertificateBuilder.withValidityPeriod(new ValidityPeriod(notValidBefore, notValidBefore.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS))); - taCertificateBuilder.withSubjectInformationAccess(merge(currentTaCertificate.getSubjectInformationAccess(), extraSiaDescriptors)); return taCertificateBuilder.build(); @@ -452,7 +443,7 @@ private Map updateObjectsToBePublished(final S private X509Crl createNewCrl(final SignCtx signCtx) { final X500Principal issuer = signCtx.taCertificate.getSubject(); - final DateTime thisUpdateTime = Timing.now(); + final DateTime thisUpdateTime = ValidityPeriods.now(); final X509CrlBuilder builder = new X509CrlBuilder() .withAuthorityKeyIdentifier(signCtx.keyPair.getPublic()) .withNumber(nextCrlNumber(signCtx.taState)) @@ -475,16 +466,13 @@ private void fillRevokedObjects(X509CrlBuilder builder, List Date: Tue, 28 Nov 2023 17:12:41 +0100 Subject: [PATCH 6/9] Refactor CRL validity period --- src/main/java/net/ripe/rpki/ta/TA.java | 5 +---- .../java/net/ripe/rpki/ta/util/ValidityPeriods.java | 10 +++++++--- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/src/main/java/net/ripe/rpki/ta/TA.java b/src/main/java/net/ripe/rpki/ta/TA.java index f5bc54c..29da79c 100644 --- a/src/main/java/net/ripe/rpki/ta/TA.java +++ b/src/main/java/net/ripe/rpki/ta/TA.java 
@@ -443,13 +443,10 @@ private Map updateObjectsToBePublished(final S private X509Crl createNewCrl(final SignCtx signCtx) { final X500Principal issuer = signCtx.taCertificate.getSubject(); - final DateTime thisUpdateTime = ValidityPeriods.now(); - final X509CrlBuilder builder = new X509CrlBuilder() + final X509CrlBuilder builder = ValidityPeriods.crlBuilder(state.getConfig()) .withAuthorityKeyIdentifier(signCtx.keyPair.getPublic()) .withNumber(nextCrlNumber(signCtx.taState)) .withIssuerDN(issuer) - .withThisUpdateTime(thisUpdateTime) - .withNextUpdateTime(calculateNextUpdateTime(thisUpdateTime)) .withSignatureProvider(getSignatureProvider()); fillRevokedObjects(builder, signCtx.taState.getSignedProductionCertificates()); fillRevokedObjects(builder, signCtx.taState.getPreviousTaCertificates()); diff --git a/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java b/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java index 059d7ba..97be859 100644 --- a/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java +++ b/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java @@ -2,6 +2,7 @@ import net.ripe.rpki.commons.crypto.ValidityPeriod; import net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder; +import net.ripe.rpki.commons.crypto.crl.X509CrlBuilder; import net.ripe.rpki.commons.crypto.x509cert.RpkiSignedObjectEeCertificateBuilder; import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder; import net.ripe.rpki.ta.config.Config; @@ -40,8 +41,6 @@ public static RpkiSignedObjectEeCertificateBuilder eeCertBuilder(Config config) return builder; } - // - public static X509ResourceCertificateBuilder allResourcesCertificateBuilder() { final X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder(); final DateTime notValidBefore = ValidityPeriods.now(); 
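Review bot: `ValidityPeriods.crlBuilder(state.getConfig())` takes the config from the TA's `state` field while every other input to `createNewCrl` comes from `signCtx.taState`; presumably the two configs are identical because newTAState is copied from state, but mixing them hides the method's dependence on instance state and will diverge silently if the copied state ever carries a different config. Suggest `final X509CrlBuilder builder = ValidityPeriods.crlBuilder(signCtx.taState.getConfig())`. Since thisUpdate/nextUpdate are no longer visible at the call site, a one-line comment such as `// thisUpdate and nextUpdate are set by crlBuilder from the run-wide signing timestamp` would keep the CRL validity window discoverable here.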
@@ -54,7 +53,6 @@ public static X509ResourceCertificateBuilder taCertificateBuilder() { return builder.withValidityPeriod(new ValidityPeriod(notValidBefore, notValidBefore.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS))); } - /** * Set end of validity period to 1st of July next year. */ @@ -71,4 +69,10 @@ private static DateTime calculateNextUpdateTime(Config config, final DateTime no return result; } + public static X509CrlBuilder crlBuilder(Config config) { + final DateTime thisUpdateTime = ValidityPeriods.now(); + return new X509CrlBuilder() + .withThisUpdateTime(thisUpdateTime) + .withNextUpdateTime(calculateNextUpdateTime(config, thisUpdateTime)); + } } From 6dd12825c0126d1f04d93deeb83e36044dfc94d2 Mon Sep 17 00:00:00 2001 From: Mikhail Puzanov Date: Tue, 28 Nov 2023 17:13:34 +0100 Subject: [PATCH 7/9] Formatting --- .../net/ripe/rpki/ta/util/ValidityPeriods.java | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java b/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java index 97be859..215625e 100644 --- a/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java +++ b/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java @@ -53,6 +53,13 @@ public static X509ResourceCertificateBuilder taCertificateBuilder() { return builder.withValidityPeriod(new ValidityPeriod(notValidBefore, notValidBefore.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS))); } + public static X509CrlBuilder crlBuilder(Config config) { + final DateTime thisUpdateTime = ValidityPeriods.now(); + return new X509CrlBuilder() + .withThisUpdateTime(thisUpdateTime) + .withNextUpdateTime(calculateNextUpdateTime(config, thisUpdateTime)); + } + /** * Set end of validity period to 1st of July next year. */ 
@@ -68,11 +75,4 @@ private static DateTime calculateNextUpdateTime(Config config, final DateTime no } return result; } - - public static X509CrlBuilder crlBuilder(Config config) { - final DateTime thisUpdateTime = ValidityPeriods.now(); - return new X509CrlBuilder() - .withThisUpdateTime(thisUpdateTime) - .withNextUpdateTime(calculateNextUpdateTime(config, thisUpdateTime)); - } } From 07d8e61298f4eed2c0e0a75bea38aefbcf7ad7a8 Mon Sep 17 00:00:00 2001 From: Mikhail Puzanov Date: Wed, 29 Nov 2023 17:49:43 +0100 Subject: [PATCH 8/9] Make ValidityPeriods return validity periods instead of object builders --- src/main/java/net/ripe/rpki/ta/TA.java | 41 ++++++++------- .../ripe/rpki/ta/util/ValidityPeriods.java | 52 ++++++++----------- 2 files changed, 46 insertions(+), 47 deletions(-) diff --git a/src/main/java/net/ripe/rpki/ta/TA.java b/src/main/java/net/ripe/rpki/ta/TA.java index 29da79c..fb9e49e 100644 --- a/src/main/java/net/ripe/rpki/ta/TA.java +++ b/src/main/java/net/ripe/rpki/ta/TA.java @@ -9,6 +9,7 @@ import net.ripe.ipresource.IpResourceSet; import net.ripe.ipresource.IpResourceType; import net.ripe.rpki.commons.crypto.CertificateRepositoryObject; +import net.ripe.rpki.commons.crypto.ValidityPeriod; import net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms; import net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder; import net.ripe.rpki.commons.crypto.crl.X509Crl; @@ -60,6 +61,8 @@ public class TA { @Getter private TAState state; + private final ValidityPeriods validityPeriods; + public static TA initialise(Config config) throws GeneralSecurityException, IOException { final KeyPairFactory keyPairFactory = new KeyPairFactory(config.getKeystoreProvider()); final KeyPair rootKeyPair = keyPairFactory.withProvider(config.getKeypairGeneratorProvider()).generate(); 
@@ -75,6 +78,7 @@ public static TA load(Config config) throws IOException { private TA(TAState state) { this.state = state; + this.validityPeriods = new ValidityPeriods(state.getConfig()); } private static TAState createTaState(Config config, KeyPair keyPair) throws GeneralSecurityException, IOException { @@ -152,7 +156,7 @@ private static X509ResourceCertificate issueRootCertificate( final BigInteger serial, final String signatureProvider ) { - final X509ResourceCertificateBuilder taBuilder = ValidityPeriods.taCertificateBuilder(); + final X509ResourceCertificateBuilder taBuilder = new X509ResourceCertificateBuilder(); taBuilder.withCa(true); taBuilder.withKeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign); @@ -160,6 +164,7 @@ private static X509ResourceCertificate issueRootCertificate( taBuilder.withSubjectDN(trustAnchorName); taBuilder.withSerial(serial); taBuilder.withResources(ALL_RESOURCES_SET); + taBuilder.withValidityPeriod(ValidityPeriods.taCertificate()); taBuilder.withPublicKey(rootKeyPair.getPublic()); taBuilder.withSigningKeyPair(rootKeyPair); taBuilder.withSignatureProvider(signatureProvider); @@ -173,7 +178,7 @@ private X509ResourceCertificate reIssueRootCertificate(final KeyPair rootKeyPair final X509CertificateInformationAccessDescriptor[] extraSiaDescriptors, final X509ResourceCertificate currentTaCertificate, final BigInteger serial) { - final X509ResourceCertificateBuilder taCertificateBuilder = ValidityPeriods.taCertificateBuilder(); + final X509ResourceCertificateBuilder taCertificateBuilder = new X509ResourceCertificateBuilder(); taCertificateBuilder.withCa(true); taCertificateBuilder.withKeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign); 
@@ -181,6 +186,7 @@ private X509ResourceCertificate reIssueRootCertificate(final KeyPair rootKeyPair taCertificateBuilder.withSubjectDN(state.getConfig().getTrustAnchorName()); taCertificateBuilder.withSerial(serial); taCertificateBuilder.withResources(ALL_RESOURCES_SET); + taCertificateBuilder.withValidityPeriod(ValidityPeriods.taCertificate()); taCertificateBuilder.withPublicKey(rootKeyPair.getPublic()); taCertificateBuilder.withSigningKeyPair(rootKeyPair); taCertificateBuilder.withSignatureProvider(getSignatureProvider()); @@ -443,10 +449,13 @@ private Map updateObjectsToBePublished(final S private X509Crl createNewCrl(final SignCtx signCtx) { final X500Principal issuer = signCtx.taCertificate.getSubject(); - final X509CrlBuilder builder = ValidityPeriods.crlBuilder(state.getConfig()) + final ValidityPeriod validityPeriod = validityPeriods.crl(); + final X509CrlBuilder builder = new X509CrlBuilder() .withAuthorityKeyIdentifier(signCtx.keyPair.getPublic()) .withNumber(nextCrlNumber(signCtx.taState)) .withIssuerDN(issuer) + .withThisUpdateTime(validityPeriod.getNotValidBefore()) + .withNextUpdateTime(validityPeriod.getNotValidAfter()) .withSignatureProvider(getSignatureProvider()); fillRevokedObjects(builder, signCtx.taState.getSignedProductionCertificates()); fillRevokedObjects(builder, signCtx.taState.getPreviousTaCertificates()); @@ -496,7 +505,7 @@ private X509ResourceCertificate signAllResourcesCertificate(final ResourceCertif ) }; - final X509ResourceCertificateBuilder builder = ValidityPeriods.allResourcesCertificateBuilder(); + final X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder(); builder.withCa(true); builder.withIssuerDN(issuer); builder.withSubjectDN(request.getSubjectDN()); 
@@ -507,6 +516,7 @@ private X509ResourceCertificate signAllResourcesCertificate(final ResourceCertif builder.withAuthorityKeyIdentifier(true); builder.withCrlDistributionPoints(TaNames.crlPublicationUri(taProductsPublicationUri, issuer)); builder.withResources(ALL_RESOURCES_SET); + builder.withValidityPeriod(validityPeriods.allResourcesCertificate()); builder.withSubjectInformationAccess(request.getSubjectInformationAccess()); builder.withSignatureProvider(getSignatureProvider()); builder.withAuthorityInformationAccess(taAIA); @@ -516,7 +526,7 @@ private X509ResourceCertificate signAllResourcesCertificate(final ResourceCertif private X509ResourceCertificate createEeCertificateForManifest(KeyPair eeKeyPair, final SignCtx signCtx) { X500Principal eeSubject = new X500Principal("CN=" + KeyPairUtil.getAsciiHexEncodedPublicKeyHash(eeKeyPair.getPublic())); - RpkiSignedObjectEeCertificateBuilder builder = ValidityPeriods.eeCertBuilder(state.getConfig()); + RpkiSignedObjectEeCertificateBuilder builder = new RpkiSignedObjectEeCertificateBuilder(); final X500Principal caName = signCtx.taCertificate.getSubject(); final URI taCertificatePublicationUri = signCtx.taState.getConfig().getTaCertificatePublicationUri(); @@ -525,6 +535,7 @@ private X509ResourceCertificate createEeCertificateForManifest(KeyPair eeKeyPair builder.withSerial(nextIssuedCertSerial(signCtx.taState)); builder.withPublicKey(eeKeyPair.getPublic()); builder.withSigningKeyPair(signCtx.keyPair); + builder.withValidityPeriod(validityPeriods.eeCert()); builder.withParentResourceCertificatePublicationUri(TaNames.certificatePublicationUri(taCertificatePublicationUri, caName)); builder.withCrlUri(TaNames.crlPublicationUri(signCtx.taState.getConfig().getTaProductsPublicationUri(), caName)); builder.withCorrespondingCmsPublicationPoint(TaNames.manifestPublicationUri(signCtx.taState.getConfig().getTaProductsPublicationUri(), caName)); 
@@ -534,10 +545,13 @@ private X509ResourceCertificate createEeCertificateForManifest(KeyPair eeKeyPair } private ManifestCmsBuilder createBasicManifestBuilder(X509ResourceCertificate eeCertificate, final SignCtx signCtx) { - return ValidityPeriods.manifestBuilder(state.getConfig()). - withCertificate(eeCertificate). - withManifestNumber(nextManifestNumber(signCtx.taState)). - withSignatureProvider(getSignatureProvider()); + ValidityPeriod validityPeriod = validityPeriods.manifest(); + return new ManifestCmsBuilder(). + withCertificate(eeCertificate) + .withNextUpdateTime(validityPeriod.getNotValidBefore()) + .withThisUpdateTime(validityPeriod.getNotValidAfter()) + .withManifestNumber(nextManifestNumber(signCtx.taState)) + .withSignatureProvider(getSignatureProvider()); } private BigInteger nextCrlNumber(final TAState taState) { @@ -579,15 +593,6 @@ private void revokeAllIssuedResourceCertificates(final TAState taState) { taState.getSignedProductionCertificates().forEach(SignedResourceCertificate::revoke); } - private DateTime calculateNextUpdateTime(final DateTime now) { - final DateTime minimum = now.plus(state.getConfig().getMinimumValidityPeriod()); - DateTime result = now; - while (result.isBefore(minimum)) { - result = result.plus(state.getConfig().getUpdatePeriod()); - } - return result; - } - private String getSignatureProvider() { return state.getConfig().getSignatureProvider(); } diff --git a/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java b/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java index 215625e..b1d8011 100644 --- a/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java +++ b/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java 
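Review bot: In `createBasicManifestBuilder` the two update times are crossed: `.withNextUpdateTime(validityPeriod.getNotValidBefore())` sets nextUpdate to the start of the period and `.withThisUpdateTime(validityPeriod.getNotValidAfter())` sets thisUpdate to its end, the opposite of what `createNewCrl` does in the hunk a few lines above. A manifest signed this way carries a nextUpdate that is already in the past when it is published and a thisUpdate in the future, so a relying party would treat it as stale or invalid and with it the whole publication point. It should read `.withThisUpdateTime(validityPeriod.getNotValidBefore())` followed by `.withNextUpdateTime(validityPeriod.getNotValidAfter())`. The chain also mixes `new ManifestCmsBuilder().` with leading-dot continuation lines; use leading dots throughout.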
@@ -1,10 +1,6 @@ package net.ripe.rpki.ta.util; import net.ripe.rpki.commons.crypto.ValidityPeriod; -import net.ripe.rpki.commons.crypto.cms.manifest.ManifestCmsBuilder; -import net.ripe.rpki.commons.crypto.crl.X509CrlBuilder; -import net.ripe.rpki.commons.crypto.x509cert.RpkiSignedObjectEeCertificateBuilder; -import net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificateBuilder; import net.ripe.rpki.ta.config.Config; import org.joda.time.DateTime; import org.joda.time.DateTimeZone; 
@@ -24,40 +20,38 @@ public static synchronized DateTime now() { return globalNow; } - public static ManifestCmsBuilder manifestBuilder(Config config) { - final ManifestCmsBuilder builder = new ManifestCmsBuilder(); - final DateTime thisUpdateTime = ValidityPeriods.now(); - final DateTime nextUpdateTime = calculateNextUpdateTime(config, thisUpdateTime); - return builder - .withNextUpdateTime(nextUpdateTime) - .withThisUpdateTime(thisUpdateTime); - } + private final Config config; - public static RpkiSignedObjectEeCertificateBuilder eeCertBuilder(Config config) { - final RpkiSignedObjectEeCertificateBuilder builder = new RpkiSignedObjectEeCertificateBuilder(); - final DateTime thisUpdateTime = ValidityPeriods.now(); - final DateTime nextUpdateTime = calculateNextUpdateTime(config, thisUpdateTime); - builder.withValidityPeriod(new ValidityPeriod(thisUpdateTime, nextUpdateTime)); - return builder; + public ValidityPeriods(Config config) { + this.config = config; } - public static X509ResourceCertificateBuilder allResourcesCertificateBuilder() { - final X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder(); + public ValidityPeriod allResourcesCertificate() { final DateTime notValidBefore = ValidityPeriods.now(); - return builder.withValidityPeriod(new ValidityPeriod(notValidBefore, calculateTaCertValidityNotAfter(notValidBefore))); + return new ValidityPeriod(notValidBefore, calculateTaCertValidityNotAfter(notValidBefore)); } - public static X509ResourceCertificateBuilder taCertificateBuilder() { - final X509ResourceCertificateBuilder builder = new X509ResourceCertificateBuilder(); + public static ValidityPeriod taCertificate() { final DateTime notValidBefore = ValidityPeriods.now(); - return builder.withValidityPeriod(new ValidityPeriod(notValidBefore, notValidBefore.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS))); + return new ValidityPeriod(notValidBefore, notValidBefore.plusYears(TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS)); + } + + public 
ValidityPeriod crl() { + return cmsValidityPeriod(); + } + + public ValidityPeriod manifest() { + return cmsValidityPeriod(); + } + + public ValidityPeriod eeCert() { + return cmsValidityPeriod(); } - public static X509CrlBuilder crlBuilder(Config config) { + private ValidityPeriod cmsValidityPeriod() { final DateTime thisUpdateTime = ValidityPeriods.now(); - return new X509CrlBuilder() - .withThisUpdateTime(thisUpdateTime) - .withNextUpdateTime(calculateNextUpdateTime(config, thisUpdateTime)); + final DateTime nextUpdateTime = calculateNextUpdateTime(thisUpdateTime); + return new ValidityPeriod(thisUpdateTime, nextUpdateTime); } /** @@ -67,7 +61,7 @@ private static DateTime calculateTaCertValidityNotAfter(final DateTime dateTime) return new DateTime(dateTime.getYear() + 1, 1, 1, 0, 0, 0, 0, DateTimeZone.UTC).plusMonths(6); } - private static DateTime calculateNextUpdateTime(Config config, final DateTime now) { + private DateTime calculateNextUpdateTime(final DateTime now) { final DateTime minimum = now.plus(config.getMinimumValidityPeriod()); DateTime result = now; while (result.isBefore(minimum)) { From 61eb2b3666344dac4247eed0c9405ef1c34b72ed Mon Sep 17 00:00:00 2001 From: Mikhail Puzanov Date: Thu, 30 Nov 2023 09:53:18 +0100 Subject: [PATCH 9/9] Simplify singleton implementation --- src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java b/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java index b1d8011..fafddee 100644 --- a/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java +++ b/src/main/java/net/ripe/rpki/ta/util/ValidityPeriods.java 
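Review bot: `calculateNextUpdateTime` advances `result` by `config.getUpdatePeriod()` until it passes `minimum`, so a zero or negative update period from the configuration makes the loop never terminate; the method body continues past the hunk, and the type of `getUpdatePeriod()` is not visible here, but a guard at its top that rejects a non-positive period with an `IllegalArgumentException` would turn a misconfiguration into an error instead of a hang. The new API also mixes static and instance methods: `now()` and `taCertificate()` are static, while `allResourcesCertificate()` is an instance method although it only calls the static `calculateTaCertValidityNotAfter`; pick one shape, or at least comment why `taCertificate()` must stay static (its caller `issueRootCertificate` in TA is static). The public methods have no Javadoc; each should state that its period starts at the run-wide `ValidityPeriods.now()` and how its end is derived, e.g. `/** CRL validity: thisUpdate = shared signing timestamp, nextUpdate = first update-period boundary at least minimumValidityPeriod later. */`.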
@@ -9,14 +9,11 @@ public class ValidityPeriods { private static final int TA_CERTIFICATE_VALIDITY_TIME_IN_YEARS = 100; - static DateTime globalNow; - // Since this program runs within a script, we can safely assume that all // calls to "now" can be replaced with a value calculated only once. - public static synchronized DateTime now() { - if (globalNow == null) { - globalNow = DateTime.now(DateTimeZone.UTC); - } + private static final DateTime globalNow = DateTime.now(DateTimeZone.UTC); + + public static DateTime now() { return globalNow; }
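Review bot: `private static final DateTime globalNow = DateTime.now(DateTimeZone.UTC)` moves the capture from the first `now()` call to class initialization, which is triggered by the first touch of any `ValidityPeriods` static member — presumably `new ValidityPeriods(config)` in the TA constructor, i.e. before any signing begins. For a short-lived run the difference is negligible, but a test can no longer substitute a controlled instant as it could with the former package-private lazily-set field; if any test relied on that, this is where it breaks. The comment above the field still describes the old lazy scheme and should state the new semantics, e.g. `// Captured once when the class is loaded; every object signed in this run shares this instant.`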