HDDS-778. Add an interface for CA and Clients for Certificate operations

Contributed by Anu Engineer.
2018-11-08 09:54:27 -08:00 · 2018-11-08 09:54:27 -08:00 · 6ad794b1b6
parent 53120e2e6c
commit 6ad794b1b6
4 changed files with 302 additions and 0 deletions
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java
@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.hadoop.hdds.security.x509.certificate.authority;
+
+import org.apache.hadoop.hdds.security.x509.certificates.CertificateSignRequest;
+import org.apache.hadoop.hdds.security.x509.exceptions.SCMSecurityException;
+import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.bouncycastle.cert.X509CertificateHolder;
+
+import java.security.cert.X509Certificate;
+import java.util.concurrent.Future;
+
+/**
+ * Interface for Certificate Authority. This can be extended to talk to external
+ * CAs later or HSMs later.
+ */
+public interface CertificateServer {
+  /**
+   * Initialize the Certificate Authority.
+   *
+   * @param securityConfig - Security Configuration.
+   * @param type - The Type of CertificateServer we are creating, we make this
+   * explicit so that when we read code it is visible to the users.
+   * @throws SCMSecurityException - Throws if the init fails.
+   */
+  void init(SecurityConfig securityConfig, CAType type)
+      throws SCMSecurityException;
+
+  /**
+   * Returns the CA Certificate for this CA.
+   *
+   * @return X509CertificateHolder - Certificate for this CA.
+   * @throws SCMSecurityException -- usually thrown if this CA is not
+   *                              initialized.
+   */
+  X509CertificateHolder getCACertificate()
+      throws SCMSecurityException;
+
+  /**
+   * Request a Certificate based on Certificate Signing Request.
+   *
+   * @param csr - Certificate Signing Request.
+   * @return A future that will have this certificate when this request is
+   * approved.
+   * @throws SCMSecurityException - on Error.
+   */
+  Future<X509CertificateHolder> requestCertificate(CertificateSignRequest csr,
+      CertificateApprover approver) throws SCMSecurityException;
+
+  /**
+   * Revokes a Certificate issued by this CertificateServer.
+   *
+   * @param certificate - Certificate to revoke
+   * @param approver - Approval process to follow.
+   * @return Future that tells us what happened.
+   * @throws SCMSecurityException - on Error.
+   */
+  Future<Boolean> revokeCertificate(X509Certificate certificate,
+      CertificateApprover approver) throws SCMSecurityException;
+
+  /**
+   * TODO : CRL, OCSP etc. Later. This is the start of a CertificateServer
+   * framework.
+   */
+
+  /**
+   * Approval Types for a certificate request.
+   */
+  enum CertificateApprover {
+    KERBEROS_TRUSTED, /* The Request came from a DN using Kerberos Identity*/
+    MANUAL, /* Wait for a Human being to approve this certificate */
+    TESTING_AUTOMATIC /* For testing purpose, Automatic Approval. */
+  }
+
+  /**
+   * Make it explicit what type of CertificateServer we are creating here.
+   */
+  enum CAType {
+    SELF_SIGNED_CA,
+    INTERMEDIARY_CA
+  }
+}
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/package-info.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/package-info.java
@ -0,0 +1,22 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+/**
+ * Classes related to Certificate Life Cycle or Certificate Authority Server.
+ */
+package org.apache.hadoop.hdds.security.x509.certificate.authority;
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
@ -0,0 +1,159 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.hadoop.hdds.security.x509.certificate.client;
+
+import org.apache.hadoop.hdds.security.x509.certificates.CertificateSignRequest;
+import org.apache.hadoop.hdds.security.x509.exceptions.CertificateException;
+
+import java.io.InputStream;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.cert.CertStore;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+/**
+ * Certificate client provides and interface to certificate operations that
+ * needs to be performed by all clients in the Ozone eco-system.
+ */
+public interface CertificateClient {
+
+  /**
+   * Returns the private key of the specified component if it exists on the
+   * local system.
+   *
+   * @param component - String name like DN, OM, SCM etc.
+   * @return private key or Null if there is no data.
+   */
+  PrivateKey getPrivateKey(String component);
+
+  /**
+   * Returns the public key of the specified component if it exists on the local
+   * system.
+   *
+   * @param component - String name like DN, OM, SCM etc.
+   * @return public key or Null if there is no data.
+   */
+  PublicKey getPublicKey(String component);
+
+  /**
+   * Returns the certificate  of the specified component if it exists on the
+   * local system.
+   *
+   * @param component - String name like DN, OM, SCM etc.
+   * @return certificate or Null if there is no data.
+   */
+  X509Certificate getCertificate(String component);
+
+  /**
+   * Verifies if this certificate is part of a trusted chain.
+   *
+   * @return true if it trusted, false otherwise.
+   */
+  boolean verifyCertificate(X509Certificate certificate);
+
+  /**
+   * Creates digital signature over the data stream using the components private
+   * key.
+   *
+   * @param stream - Data stream to sign.
+   * @return byte array - containing the signature.
+   */
+  byte[] signDataStream(InputStream stream, String component)
+      throws CertificateException;
+
+  /**
+   * Verifies a digital Signature, given the signature and the certificate of
+   * the signer.
+   * @param stream - Data Stream.
+   * @param signature - Byte Array containing the signature.
+   * @param cert - Certificate of the Signer.
+   * @return true if verified, false if not.
+   */
+  boolean verifySignature(InputStream stream, byte[] signature,
+      X509Certificate cert);
+
+  /**
+   * Returns a CSR builder that can be used to creates a Certificate sigining
+   * request.
+   *
+   * @return CertificateSignRequest.Builder
+   */
+  CertificateSignRequest.Builder getCSRBuilder();
+
+  /**
+   * Get the certificate of well-known entity from SCM.
+   *
+   * @param query - String Query, please see the implementation for the
+   * discussion on the query formats.
+   * @return X509Certificate or null if not found.
+   */
+  X509Certificate queryCertificate(String query);
+
+  /**
+   * Stores the private key of a specified component.
+   *
+   * @param key - private key
+   * @param component - name of the component.
+   * @throws CertificateException
+   */
+  void storePrivateKey(PrivateKey key, String component)
+      throws CertificateException;
+
+  /**
+   * Stores the public key of a specified component.
+   *
+   * @param key - public key
+   * @throws CertificateException
+   */
+  void storePublicKey(PublicKey key, String component)
+      throws CertificateException;
+
+  /**
+   * Stores the Certificate of a specific component.
+   *
+   * @param certificate - X509 Certificate
+   * @param component - Name of the component.
+   * @throws CertificateException
+   */
+  void storeCertificate(X509Certificate certificate, String component)
+      throws CertificateException;
+
+  /**
+   * Stores the trusted chain of certificates for a specific component.
+   *
+   * @param certStore - Cert Store.
+   * @param component - Trust Chain.
+   * @throws CertificateException
+   */
+  void storeTrustChain(CertStore certStore,
+      String component) throws CertificateException;
+
+  /**
+   * Stores the trusted chain of certificates for a specific component.
+   *
+   * @param certificates - List of Certificates.
+   * @param component - String component.
+   * @throws CertificateException
+   */
+  void storeTrustChain(List<X509Certificate> certificates,
+      String component) throws CertificateException;
+
+}
--- a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/package-info.java
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/package-info.java
@ -0,0 +1,22 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+/**
+ * Classes related to creating and using certificates.
+ */
+package org.apache.hadoop.hdds.security.x509.certificate.client;