[44/50] [abbrv] hadoop git commit: HDDS-778. Add an interface for CA and Clients for Certificate operations Contributed by Anu Engineer.
HDDS-778. Add an interface for CA and Clients for Certificate operations Contributed by Anu Engineer. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/b94abf72 Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/b94abf72 Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/b94abf72 Branch: refs/heads/HDDS-4 Commit: b94abf720b61aebadeec139adfa6ed9fd2a94100 Parents: 95e9f9a Author: Anu Engineer Authored: Thu Nov 8 09:54:27 2018 -0800 Committer: Xiaoyu Yao Committed: Tue Dec 4 08:03:16 2018 -0800 -- .../authority/CertificateServer.java| 99 .../certificate/authority/package-info.java | 22 +++ .../certificate/client/CertificateClient.java | 159 +++ .../x509/certificate/client/package-info.java | 22 +++ 4 files changed, 302 insertions(+) -- http://git-wip-us.apache.org/repos/asf/hadoop/blob/b94abf72/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java -- diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java new file mode 100644 index 000..9332e5b --- /dev/null +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java @@ -0,0 +1,99 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.apache.hadoop.hdds.security.x509.certificate.authority; + +import org.apache.hadoop.hdds.security.x509.certificates.CertificateSignRequest; +import org.apache.hadoop.hdds.security.x509.exceptions.SCMSecurityException; +import org.apache.hadoop.hdds.security.x509.SecurityConfig; +import org.bouncycastle.cert.X509CertificateHolder; + +import java.security.cert.X509Certificate; +import java.util.concurrent.Future; + +/** + * Interface for Certificate Authority. This can be extended to talk to external + * CAs later or HSMs later. + */ +public interface CertificateServer { + /** + * Initialize the Certificate Authority. + * + * @param securityConfig - Security Configuration. + * @param type - The Type of CertificateServer we are creating, we make this + * explicit so that when we read code it is visible to the users. + * @throws SCMSecurityException - Throws if the init fails. + */ + void init(SecurityConfig securityConfig, CAType type) + throws SCMSecurityException; + + /** + * Returns the CA Certificate for this CA. + * + * @return X509CertificateHolder - Certificate for this CA. + * @throws SCMSecurityException -- usually thrown if this CA is not + * initialized. + */ + X509CertificateHolder getCACertificate() + throws SCMSecurityException; + + /** + * Request a Certificate based on Certificate Signing Request. + * + * @param csr - Certificate Signing Request. + * @return A future that will have this certificate when this request is + * approved. + * @throws SCMSecurityException - on Error. + */ + Future requestCertificate(CertificateSignRequest csr, + CertificateApprover approver) throws SCMSecurityException; + + /** + * Revokes a Certificate issued by this CertificateServer. + * + * @param certificate - Certificate to revoke + * @param approver - Approval process to follow. + * @return Future that tells us what happened. + * @throws SCMSecurityException - on Error. + */ + Future revokeCertificate(X509Certificate certificate, + CertificateApprover approver) throws SCMSecurityException; + + /** + * TODO : CRL, OCSP etc. Later. This is the start of a CertificateServer + * framework. + */ + + /** + * Approval Types for a certificate request. + */ + enum CertificateApprover { +KERBEROS_TRUSTED, /* The Request came from a DN using Kerberos Identity*/ +MANUAL, /* Wait f
[44/50] [abbrv] hadoop git commit: HDDS-778. Add an interface for CA and Clients for Certificate operations Contributed by Anu Engineer.
HDDS-778. Add an interface for CA and Clients for Certificate operations Contributed by Anu Engineer. Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/4770e9de Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/4770e9de Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/4770e9de Branch: refs/heads/HDDS-4 Commit: 4770e9dea8199753962c6517bff96fd39fbfd826 Parents: 8bbc95e Author: Anu Engineer Authored: Thu Nov 8 09:54:27 2018 -0800 Committer: Xiaoyu Yao Committed: Thu Nov 29 11:57:47 2018 -0800 -- .../authority/CertificateServer.java| 99 .../certificate/authority/package-info.java | 22 +++ .../certificate/client/CertificateClient.java | 159 +++ .../x509/certificate/client/package-info.java | 22 +++ 4 files changed, 302 insertions(+) -- http://git-wip-us.apache.org/repos/asf/hadoop/blob/4770e9de/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java -- diff --git a/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java new file mode 100644 index 000..9332e5b --- /dev/null +++ b/hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java @@ -0,0 +1,99 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.apache.hadoop.hdds.security.x509.certificate.authority; + +import org.apache.hadoop.hdds.security.x509.certificates.CertificateSignRequest; +import org.apache.hadoop.hdds.security.x509.exceptions.SCMSecurityException; +import org.apache.hadoop.hdds.security.x509.SecurityConfig; +import org.bouncycastle.cert.X509CertificateHolder; + +import java.security.cert.X509Certificate; +import java.util.concurrent.Future; + +/** + * Interface for Certificate Authority. This can be extended to talk to external + * CAs later or HSMs later. + */ +public interface CertificateServer { + /** + * Initialize the Certificate Authority. + * + * @param securityConfig - Security Configuration. + * @param type - The Type of CertificateServer we are creating, we make this + * explicit so that when we read code it is visible to the users. + * @throws SCMSecurityException - Throws if the init fails. + */ + void init(SecurityConfig securityConfig, CAType type) + throws SCMSecurityException; + + /** + * Returns the CA Certificate for this CA. + * + * @return X509CertificateHolder - Certificate for this CA. + * @throws SCMSecurityException -- usually thrown if this CA is not + * initialized. + */ + X509CertificateHolder getCACertificate() + throws SCMSecurityException; + + /** + * Request a Certificate based on Certificate Signing Request. + * + * @param csr - Certificate Signing Request. + * @return A future that will have this certificate when this request is + * approved. + * @throws SCMSecurityException - on Error. + */ + Future requestCertificate(CertificateSignRequest csr, + CertificateApprover approver) throws SCMSecurityException; + + /** + * Revokes a Certificate issued by this CertificateServer. + * + * @param certificate - Certificate to revoke + * @param approver - Approval process to follow. + * @return Future that tells us what happened. + * @throws SCMSecurityException - on Error. + */ + Future revokeCertificate(X509Certificate certificate, + CertificateApprover approver) throws SCMSecurityException; + + /** + * TODO : CRL, OCSP etc. Later. This is the start of a CertificateServer + * framework. + */ + + /** + * Approval Types for a certificate request. + */ + enum CertificateApprover { +KERBEROS_TRUSTED, /* The Request came from a DN using Kerberos Identity*/ +MANUAL, /* Wait