diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java
new file mode 100644
index 0000000000..9332e5b1cf
--- /dev/null
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java
@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.hadoop.hdds.security.x509.certificate.authority;
+
+import org.apache.hadoop.hdds.security.x509.certificates.CertificateSignRequest;
+import org.apache.hadoop.hdds.security.x509.exceptions.SCMSecurityException;
+import org.apache.hadoop.hdds.security.x509.SecurityConfig;
+import org.bouncycastle.cert.X509CertificateHolder;
+
+import java.security.cert.X509Certificate;
+import java.util.concurrent.Future;
+
+/**
+ * Interface for Certificate Authority. This can be extended to talk to external
+ * CAs later or HSMs later.
+ */
+public interface CertificateServer {
+ /**
+ * Initialize the Certificate Authority.
+ *
+ * @param securityConfig - Security Configuration.
+ * @param type - The Type of CertificateServer we are creating, we make this
+ * explicit so that when we read code it is visible to the users.
+ * @throws SCMSecurityException - Throws if the init fails.
+ */
+ void init(SecurityConfig securityConfig, CAType type)
+ throws SCMSecurityException;
+
+ /**
+ * Returns the CA Certificate for this CA.
+ *
+ * @return X509CertificateHolder - Certificate for this CA.
+ * @throws SCMSecurityException -- usually thrown if this CA is not
+ * initialized.
+ */
+ X509CertificateHolder getCACertificate()
+ throws SCMSecurityException;
+
+ /**
+ * Request a Certificate based on Certificate Signing Request.
+ *
+ * @param csr - Certificate Signing Request.
+ * @return A future that will have this certificate when this request is
+ * approved.
+ * @throws SCMSecurityException - on Error.
+ */
+ Future requestCertificate(CertificateSignRequest csr,
+ CertificateApprover approver) throws SCMSecurityException;
+
+ /**
+ * Revokes a Certificate issued by this CertificateServer.
+ *
+ * @param certificate - Certificate to revoke
+ * @param approver - Approval process to follow.
+ * @return Future that tells us what happened.
+ * @throws SCMSecurityException - on Error.
+ */
+ Future revokeCertificate(X509Certificate certificate,
+ CertificateApprover approver) throws SCMSecurityException;
+
+ /**
+ * TODO : CRL, OCSP etc. Later. This is the start of a CertificateServer
+ * framework.
+ */
+
+ /**
+ * Approval Types for a certificate request.
+ */
+ enum CertificateApprover {
+ KERBEROS_TRUSTED, /* The Request came from a DN using Kerberos Identity*/
+ MANUAL, /* Wait for a Human being to approve this certificate */
+ TESTING_AUTOMATIC /* For testing purpose, Automatic Approval. */
+ }
+
+ /**
+ * Make it explicit what type of CertificateServer we are creating here.
+ */
+ enum CAType {
+ SELF_SIGNED_CA,
+ INTERMEDIARY_CA
+ }
+}
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/package-info.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/package-info.java
new file mode 100644
index 0000000000..af53904eeb
--- /dev/null
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/package-info.java
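Review bot: `requestCertificate` and `revokeCertificate` are declared with a raw `Future`, which forces every caller to cast the result and hides what the CA actually hands back; the Javadoc says the future carries "this certificate", so the declaration should be `Future<X509CertificateHolder> requestCertificate(CertificateSignRequest csr,` (matching what `getCACertificate` returns), and `revokeCertificate` should likewise state its result type, presumably `Future<Boolean>` or a small status type. The `requestCertificate` Javadoc is also missing `@param approver - Approval process to follow.`, which `revokeCertificate` does document. `TESTING_AUTOMATIC` is an approver that grants any request without a check, so its comment should carry the contract implementations are held to, e.g. `/* For testing purpose, Automatic Approval. Implementations must reject this approver outside test configuration. */` — no implementation is visible here, so that is a documentation request, not a defect I can point at. Finally, the `TODO : CRL, OCSP` block is written as a dangling Javadoc (`/** ... */`) that attaches to nothing; make it a plain `// TODO: CRL, OCSP etc.` comment so the doc tooling does not pick it up.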
@@ -0,0 +1,22 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+/**
+ * Classes related to Certificate Life Cycle or Certificate Authority Server.
+ */
+package org.apache.hadoop.hdds.security.x509.certificate.authority;
\ No newline at end of file
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
new file mode 100644
index 0000000000..1b6f576a27
--- /dev/null
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/CertificateClient.java
@@ -0,0 +1,159 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.hadoop.hdds.security.x509.certificate.client;
+
+import org.apache.hadoop.hdds.security.x509.certificates.CertificateSignRequest;
+import org.apache.hadoop.hdds.security.x509.exceptions.CertificateException;
+
+import java.io.InputStream;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.cert.CertStore;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+/**
+ * Certificate client provides and interface to certificate operations that
+ * needs to be performed by all clients in the Ozone eco-system.
+ */
+public interface CertificateClient {
+
+ /**
+ * Returns the private key of the specified component if it exists on the
+ * local system.
+ *
+ * @param component - String name like DN, OM, SCM etc.
+ * @return private key or Null if there is no data.
+ */
+ PrivateKey getPrivateKey(String component);
+
+ /**
+ * Returns the public key of the specified component if it exists on the local
+ * system.
+ *
+ * @param component - String name like DN, OM, SCM etc.
+ * @return public key or Null if there is no data.
+ */
+ PublicKey getPublicKey(String component);
+
+ /**
+ * Returns the certificate of the specified component if it exists on the
+ * local system.
+ *
+ * @param component - String name like DN, OM, SCM etc.
+ * @return certificate or Null if there is no data.
+ */
+ X509Certificate getCertificate(String component);
+
+ /**
+ * Verifies if this certificate is part of a trusted chain.
+ *
+ * @return true if it trusted, false otherwise.
+ */
+ boolean verifyCertificate(X509Certificate certificate);
+
+ /**
+ * Creates digital signature over the data stream using the components private
+ * key.
+ *
+ * @param stream - Data stream to sign.
+ * @return byte array - containing the signature.
+ */
+ byte[] signDataStream(InputStream stream, String component)
+ throws CertificateException;
+
+ /**
+ * Verifies a digital Signature, given the signature and the certificate of
+ * the signer.
+ * @param stream - Data Stream.
+ * @param signature - Byte Array containing the signature.
+ * @param cert - Certificate of the Signer.
+ * @return true if verified, false if not.
+ */
+ boolean verifySignature(InputStream stream, byte[] signature,
+ X509Certificate cert);
+
+ /**
+ * Returns a CSR builder that can be used to creates a Certificate sigining
+ * request.
+ *
+ * @return CertificateSignRequest.Builder
+ */
+ CertificateSignRequest.Builder getCSRBuilder();
+
+ /**
+ * Get the certificate of well-known entity from SCM.
+ *
+ * @param query - String Query, please see the implementation for the
+ * discussion on the query formats.
+ * @return X509Certificate or null if not found.
+ */
+ X509Certificate queryCertificate(String query);
+
+ /**
+ * Stores the private key of a specified component.
+ *
+ * @param key - private key
+ * @param component - name of the component.
+ * @throws CertificateException
+ */
+ void storePrivateKey(PrivateKey key, String component)
+ throws CertificateException;
+
+ /**
+ * Stores the public key of a specified component.
+ *
+ * @param key - public key
+ * @throws CertificateException
+ */
+ void storePublicKey(PublicKey key, String component)
+ throws CertificateException;
+
+ /**
+ * Stores the Certificate of a specific component.
+ *
+ * @param certificate - X509 Certificate
+ * @param component - Name of the component.
+ * @throws CertificateException
+ */
+ void storeCertificate(X509Certificate certificate, String component)
+ throws CertificateException;
+
+ /**
+ * Stores the trusted chain of certificates for a specific component.
+ *
+ * @param certStore - Cert Store.
+ * @param component - Trust Chain.
+ * @throws CertificateException
+ */
+ void storeTrustChain(CertStore certStore,
+ String component) throws CertificateException;
+
+ /**
+ * Stores the trusted chain of certificates for a specific component.
+ *
+ * @param certificates - List of Certificates.
+ * @param component - String component.
+ * @throws CertificateException
+ */
+ void storeTrustChain(List certificates,
+ String component) throws CertificateException;
+
+}
diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/package-info.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/package-info.java
new file mode 100644
index 0000000000..dea609bd24
--- /dev/null
+++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/client/package-info.java
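Review bot: The second `storeTrustChain` overload takes a raw `List`, so an implementation has no way to know it is being handed certificates and any caller can pass anything; declare it as `void storeTrustChain(List<X509Certificate> certificates,` — `X509Certificate` is already imported. The `verifySignature` contract does not say whether `cert` is validated against the stored trust chain before its key is used, and a signature checked against an unvalidated certificate establishes nothing about the signer; the Javadoc should state one way or the other, e.g. `@param cert - Certificate of the Signer; must already have passed verifyCertificate` if that is the intended split between the two methods (I cannot tell from the interface alone). Several Javadoc blocks are incomplete — `verifyCertificate` lacks `@param certificate`, `signDataStream` lacks `@param component` and `@throws CertificateException`, `storePublicKey` lacks `@param component` — and the class summary reads "provides and interface"; it should say "provides an interface".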
@@ -0,0 +1,22 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+/**
+ * Classes related to creating and using certificates.
+ */
+package org.apache.hadoop.hdds.security.x509.certificate.client;
\ No newline at end of file