Refactoring validator creation.

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 * Changing namespace.
 * Introducing modules peppol-security and peppol-common.
+* Renaming SecurityException to PeppolSecurityException.
 
 ## 0.9.2
 

peppol-lookup/src/main/java/no/difi/vefa/peppol/lookup/LookupClient.java

@@ -1,9 +1,8 @@
 package no.difi.vefa.peppol.lookup;
 
 import no.difi.vefa.peppol.common.api.EndpointNotFoundException;
-import no.difi.vefa.peppol.common.api.PeppolException;
 import no.difi.vefa.peppol.security.api.CertificateValidator;
-import no.difi.vefa.peppol.security.api.SecurityException;
+import no.difi.vefa.peppol.security.api.PeppolSecurityException;
 import no.difi.vefa.peppol.common.model.*;
 import no.difi.vefa.peppol.lookup.api.*;
 import org.slf4j.Logger;
@@ -43,7 +42,7 @@ public List<DocumentIdentifier> getDocumentIdentifiers(ParticipantIdentifier par
         return metadataReader.parseDocumentIdentifiers(metadataFetcher.fetch(provider));
     }
 
-    public ServiceMetadata getServiceMetadata(ParticipantIdentifier participantIdentifier, DocumentIdentifier documentIdentifier) throws LookupException, SecurityException {
+    public ServiceMetadata getServiceMetadata(ParticipantIdentifier participantIdentifier, DocumentIdentifier documentIdentifier) throws LookupException, PeppolSecurityException {
         URI location = metadataLocator.lookup(participantIdentifier);
         URI provider = metadataProvider.resolveServiceMetadata(location, participantIdentifier, documentIdentifier);
 
@@ -57,8 +56,7 @@ public ServiceMetadata getServiceMetadata(ParticipantIdentifier participantIdent
         return serviceMetadata;
     }
 
-    public Endpoint getEndpoint(ParticipantIdentifier participantIdentifier, DocumentIdentifier documentIdentifier, ProcessIdentifier processIdentifier, TransportProfile... transportProfiles) throws LookupException, SecurityException, EndpointNotFoundException {
-        ServiceMetadata serviceMetadata = getServiceMetadata(participantIdentifier, documentIdentifier);
+    public Endpoint getEndpoint(ServiceMetadata serviceMetadata, ProcessIdentifier processIdentifier, TransportProfile... transportProfiles) throws PeppolSecurityException, EndpointNotFoundException {
         Endpoint endpoint = serviceMetadata.getEndpoint(processIdentifier, transportProfiles);
 
         if (endpointCertificateValidator != null)
@@ -67,13 +65,8 @@ public Endpoint getEndpoint(ParticipantIdentifier participantIdentifier, Documen
         return endpoint;
     }
 
-    public Endpoint getEndpoint(ServiceMetadata serviceMetadata, ProcessIdentifier processIdentifier, TransportProfile... transportProfiles) throws SecurityException, EndpointNotFoundException {
-        Endpoint endpoint = serviceMetadata.getEndpoint(processIdentifier, transportProfiles);
-
-        if (endpointCertificateValidator != null)
-            endpointCertificateValidator.validate(endpoint.getCertificate());
-
-        return endpoint;
+    public Endpoint getEndpoint(ParticipantIdentifier participantIdentifier, DocumentIdentifier documentIdentifier, ProcessIdentifier processIdentifier, TransportProfile... transportProfiles) throws LookupException, PeppolSecurityException, EndpointNotFoundException {
+        ServiceMetadata serviceMetadata = getServiceMetadata(participantIdentifier, documentIdentifier);
+        return getEndpoint(serviceMetadata, processIdentifier, transportProfiles);
     }
-
 }

peppol-lookup/src/main/java/no/difi/vefa/peppol/lookup/LookupClientBuilder.java

@@ -1,6 +1,5 @@
 package no.difi.vefa.peppol.lookup;
 
-import no.difi.vefa.peppol.security.api.CertificateValidator;
 import no.difi.vefa.peppol.lookup.api.MetadataFetcher;
 import no.difi.vefa.peppol.lookup.api.MetadataLocator;
 import no.difi.vefa.peppol.lookup.api.MetadataProvider;
@@ -9,8 +8,8 @@
 import no.difi.vefa.peppol.lookup.locator.BusdoxLocator;
 import no.difi.vefa.peppol.lookup.provider.DefaultProvider;
 import no.difi.vefa.peppol.lookup.reader.MultiReader;
-import no.difi.vefa.peppol.security.context.PeppolProduction;
-import no.difi.vefa.peppol.security.context.PeppolTest;
+import no.difi.vefa.peppol.security.api.CertificateValidator;
+import no.difi.vefa.peppol.security.context.PeppolContext;
 import no.difi.vefa.peppol.security.util.DifiCertificateValidator;
 
 public class LookupClientBuilder {
@@ -20,17 +19,19 @@ public static LookupClientBuilder newInstance() {
     }
 
     public static LookupClientBuilder forProduction() {
+        PeppolContext peppolContext = new PeppolContext("production");
         return newInstance()
                 .locator(new BusdoxLocator(BusdoxLocator.OPENPEPPOL_PRODUCTION))
-                .endpointCertificateValidator(new DifiCertificateValidator(PeppolProduction.apValidator()))
-                .providerCertificateValidator(new DifiCertificateValidator(PeppolProduction.smpValidator()));
+                .endpointCertificateValidator(new DifiCertificateValidator(peppolContext.apValidator()))
+                .providerCertificateValidator(new DifiCertificateValidator(peppolContext.smpValidator()));
     }
 
     public static LookupClientBuilder forTest() {
+        PeppolContext peppolContext = new PeppolContext("test");
         return newInstance()
                 .locator(new BusdoxLocator(BusdoxLocator.OPENPEPPOL_TEST))
-                .endpointCertificateValidator(new DifiCertificateValidator(PeppolTest.apValidator()))
-                .providerCertificateValidator(new DifiCertificateValidator(PeppolTest.smpValidator()));
+                .endpointCertificateValidator(new DifiCertificateValidator(peppolContext.apValidator()))
+                .providerCertificateValidator(new DifiCertificateValidator(peppolContext.smpValidator()));
     }
 
     LookupClientBuilder() {

peppol-lookup/src/main/java/no/difi/vefa/peppol/lookup/api/MetadataReader.java

@@ -2,13 +2,14 @@
 
 import no.difi.vefa.peppol.common.model.DocumentIdentifier;
 import no.difi.vefa.peppol.common.model.ServiceMetadata;
+import no.difi.vefa.peppol.security.api.PeppolSecurityException;
 
 import java.util.List;
 
 public interface MetadataReader {
 
     List<DocumentIdentifier> parseDocumentIdentifiers(FetcherResponse fetcherResponse) throws LookupException;
 
-    ServiceMetadata parseServiceMetadata(FetcherResponse fetcherResponse) throws LookupException, no.difi.vefa.peppol.security.api.SecurityException;
+    ServiceMetadata parseServiceMetadata(FetcherResponse fetcherResponse) throws LookupException, PeppolSecurityException;
 
 }

peppol-lookup/src/main/java/no/difi/vefa/peppol/lookup/reader/BdxrReader.java

@@ -3,7 +3,7 @@
 import no.difi.vefa.peppol.lookup.api.FetcherResponse;
 import no.difi.vefa.peppol.lookup.api.LookupException;
 import no.difi.vefa.peppol.lookup.api.MetadataReader;
-import no.difi.vefa.peppol.security.api.SecurityException;
+import no.difi.vefa.peppol.security.api.PeppolSecurityException;
 import no.difi.vefa.peppol.common.model.*;
 import no.difi.vefa.peppol.security.xmldsig.XmldsigVerifier;
 import no.difi.vefa.peppol.common.util.DomUtils;
@@ -57,7 +57,7 @@ public List<DocumentIdentifier> parseDocumentIdentifiers(FetcherResponse fetcher
     }
 
     @Override
-    public ServiceMetadata parseServiceMetadata(FetcherResponse fetcherResponse) throws LookupException, SecurityException{
+    public ServiceMetadata parseServiceMetadata(FetcherResponse fetcherResponse) throws LookupException, PeppolSecurityException {
         try {
             Document doc = DomUtils.parse(fetcherResponse.getInputStream());
 

peppol-lookup/src/main/java/no/difi/vefa/peppol/lookup/reader/BusdoxReader.java

@@ -3,7 +3,7 @@
 import no.difi.vefa.peppol.lookup.api.FetcherResponse;
 import no.difi.vefa.peppol.lookup.api.LookupException;
 import no.difi.vefa.peppol.lookup.api.MetadataReader;
-import no.difi.vefa.peppol.security.api.SecurityException;
+import no.difi.vefa.peppol.security.api.PeppolSecurityException;
 import no.difi.vefa.peppol.common.model.*;
 import no.difi.vefa.peppol.security.xmldsig.XmldsigVerifier;
 import no.difi.vefa.peppol.common.util.DomUtils;
@@ -57,7 +57,7 @@ public List<DocumentIdentifier> parseDocumentIdentifiers(FetcherResponse fetcher
     }
 
     @Override
-    public ServiceMetadata parseServiceMetadata(FetcherResponse fetcherResponse) throws LookupException, SecurityException {
+    public ServiceMetadata parseServiceMetadata(FetcherResponse fetcherResponse) throws LookupException, PeppolSecurityException {
         try {
             Document doc = DomUtils.parse(fetcherResponse.getInputStream());
 

peppol-lookup/src/main/java/no/difi/vefa/peppol/lookup/reader/MultiReader.java

@@ -6,7 +6,7 @@
 import no.difi.vefa.peppol.lookup.api.FetcherResponse;
 import no.difi.vefa.peppol.lookup.api.LookupException;
 import no.difi.vefa.peppol.lookup.api.MetadataReader;
-import no.difi.vefa.peppol.security.api.SecurityException;
+import no.difi.vefa.peppol.security.api.PeppolSecurityException;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -32,7 +32,7 @@ else if (BdxrReader.NAMESPACE.equalsIgnoreCase(fetcherResponse.getNamespace()))
     }
 
     @Override
-    public ServiceMetadata parseServiceMetadata(FetcherResponse fetcherResponse) throws LookupException, SecurityException {
+    public ServiceMetadata parseServiceMetadata(FetcherResponse fetcherResponse) throws LookupException, PeppolSecurityException {
         if (fetcherResponse.getNamespace() == null)
             fetcherResponse = detect(fetcherResponse);
 

peppol-security/src/main/java/no/difi/vefa/peppol/security/api/CertificateValidator.java

@@ -3,5 +3,5 @@
 import java.security.cert.X509Certificate;
 
 public interface CertificateValidator {
-    void validate(X509Certificate certificate) throws SecurityException;
+    void validate(X509Certificate certificate) throws PeppolSecurityException;
 }

peppol-security/src/main/java/no/difi/vefa/peppol/security/api/SecurityException.java → peppol-security/src/main/java/no/difi/vefa/peppol/security/api/PeppolSecurityException.java

@@ -2,15 +2,15 @@
 
 import no.difi.vefa.peppol.common.api.PeppolException;
 
-public class SecurityException extends PeppolException {
+public class PeppolSecurityException extends PeppolException {
 
     private static final long serialVersionUID = 6928682319726226728L;
 
-    public SecurityException(String message) {
+    public PeppolSecurityException(String message) {
         super(message);
     }
 
-    public SecurityException(String message, Throwable cause) {
+    public PeppolSecurityException(String message, Throwable cause) {
         super(message, cause);
     }
 }

peppol-security/src/main/java/no/difi/vefa/peppol/security/context/PeppolContext.java

@@ -0,0 +1,83 @@
+package no.difi.vefa.peppol.security.context;
+
+
+import no.difi.certvalidator.Validator;
+import no.difi.certvalidator.ValidatorBuilder;
+import no.difi.certvalidator.api.CertificateBucket;
+import no.difi.certvalidator.api.CertificateBucketException;
+import no.difi.certvalidator.api.CrlCache;
+import no.difi.certvalidator.rule.*;
+import no.difi.certvalidator.util.KeyStoreCertificateBucket;
+import no.difi.certvalidator.util.SimpleCrlCache;
+import no.difi.certvalidator.util.SimplePrincipalNameProvider;
+import sun.security.provider.certpath.OCSP;
+
+import java.io.InputStream;
+import java.util.HashMap;
+import java.util.Map;
+
+public class PeppolContext {
+
+    private static final Map<String, String> apCn = new HashMap<String, String>() {{
+        put("test", "PEPPOL ACCESS POINT TEST CA");
+        put("production", "PEPPOL ACCESS POINT CA");
+    }};
+    private static final Map<String, String> smpCn = new HashMap<String, String>() {{
+        put("test", "PEPPOL SERVICE METADATA PUBLISHER TEST CA");
+        put("production", "PEPPOL SERVICE METADATA PUBLISHER CA");
+    }};
+
+    private CrlCache crlCache = new SimpleCrlCache();
+    private KeyStoreCertificateBucket keyStore;
+    private CertificateBucket rootCertificates;
+    private CertificateBucket intermediateApCertificates;
+    private CertificateBucket intermediateSmpCertificates;
+
+    private String scope;
+
+    public PeppolContext(String scope) {
+        try {
+            this.scope = scope;
+            keyStore = new KeyStoreCertificateBucket(getKeyStoreInputStream(scope), "peppol");
+
+            rootCertificates = keyStore.toSimple("peppol-root", "difi-root");
+            intermediateApCertificates = keyStore.toSimple("peppol-ap", "difi-ap");
+            intermediateSmpCertificates = keyStore.toSimple("peppol-smp", "difi-smp");
+        } catch (CertificateBucketException e) {
+            throw new RuntimeException(e.getMessage(), e);
+        }
+    }
+
+    public static InputStream getKeyStoreInputStream(String scope) {
+        return PeppolContext.class.getResourceAsStream(String.format("/peppol-%s.jks", scope));
+    }
+
+    public KeyStoreCertificateBucket getKeyStoreBucket() {
+        return keyStore;
+    }
+
+    public Validator apValidator() {
+        return generateValidator(intermediateApCertificates, apCn);
+    }
+
+    public Validator smpValidator() {
+        return generateValidator(intermediateSmpCertificates, smpCn);
+    }
+
+    private Validator generateValidator(CertificateBucket intermediateCertificates, Map<String, String> cnMap) {
+        ValidatorBuilder validatorBuilder = ValidatorBuilder.newInstance();
+        validatorBuilder.addRule(new ExpirationRule());
+        validatorBuilder.addRule(SigningRule.PublicSignedOnly());
+
+        if (cnMap != null && cnMap.containsKey(scope))
+            validatorBuilder.addRule(new PrincipalNameRule("CN", new SimplePrincipalNameProvider(cnMap.get(scope)), PrincipalNameRule.Principal.ISSUER));
+
+        validatorBuilder.addRule(new ChainRule(rootCertificates, intermediateCertificates));
+        validatorBuilder.addRule(new CRLRule(crlCache));
+
+        if (!"test".endsWith(scope)) // TODO Remove when OCSP for test certificates respond correct.
+            validatorBuilder.addRule(new OCSPRule(intermediateCertificates));
+
+        return validatorBuilder.build();
+    }
+}