Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature/ae 2321 pades #640

Draft
wants to merge 19 commits into
base: main
Choose a base branch
from
Draft

Feature/ae 2321 pades #640

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
bb7ceb5
Test getting signature
solita-juhohaa Nov 7, 2024
6effb4b
Add bouncycastle dependency
solita-juhohaa Nov 7, 2024
2b326ae
Add easyrsa default files
solita-juhohaa Nov 13, 2024
aab242a
Add additional x509-types
solita-juhohaa Nov 13, 2024
dd95dd4
Add helper scripts
solita-juhohaa Nov 13, 2024
aa065f1
Make root and int ocsp URIs different
solita-juhohaa Nov 13, 2024
af0bcd5
Add targets to script
solita-juhohaa Nov 13, 2024
f0cac8c
Add functionality to install certs
solita-juhohaa Nov 13, 2024
b3226a0
Get ocsp uri from certificate
solita-juhohaa Nov 14, 2024
d647db8
Can make OCSP requests
solita-juhohaa Nov 15, 2024
762c78b
Commit easyrsa generated CAs
solita-juhohaa Nov 18, 2024
ea70499
Change OCSP responder ports
solita-juhohaa Nov 18, 2024
ba4187d
Add function to get last relevant signature
solita-juhohaa Nov 19, 2024
405c473
Add pdf signed with the same certs as in tests
solita-juhohaa Nov 19, 2024
e0def58
Can get signature from signed pdf
solita-juhohaa Nov 19, 2024
d774f70
Start implementing the example
solita-juhohaa Nov 20, 2024
bc76f3f
Fix local kms's private key to be the same as in the chain
solita-juhohaa Nov 21, 2024
61f8bb7
Get the certificates from a signed pdf
solita-juhohaa Nov 21, 2024
6562ec0
Almost works but certificate needs some extensions
solita-juhohaa Nov 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 26 additions & 26 deletions etp-core/docker/kms/seed.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,32 +6,32 @@ Keys:
KeyUsage: SIGN_VERIFY
PrivateKeyPem: |
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC4n0dWSfuw3Qap
RdszDBH4gXItD6zLl2kOGE2qicYcfCU3xCXOzH+nX4SEFAFYXQtWy/l+90/UJdkO
8ysk4lqiOTSFOkB1RJ3iyLA6ByOyCNMvA5NQrXr8GHB7hD9J7moCYo/uot9ZjElq
OwyPgbKlDOZPscu8AOgbry3p7WflVdujyMGZs0kNcoP5ayybCBwezq/ilDOyGkGE
xYam3kj9XekUmd9/M1RFqj6t4YG6dpOQ04v3VEWqo9Ofc0+wgbuFYG09+MISr4eo
2hcgjJ5GLaqXSIhxC8MW3W0W36GvEx7x79UOupYc2hVkPMdxhTgrlS1+GAxNujvX
vw+Cfy2bAgMBAAECggEAEsWDI9dm4289t6VWKcUO6LUErmc7GwI8mMXI08+pWIkY
4agsbe/mBNcV6rX8AweG2R7pMcskjz3/6WC5IMlxDLCDUg5/sky1PvNH08aZDweN
rWiQKHJTIGG9whlKtBItLivmVY2y5vB4IHh7iPXXe6epnS3HOMjg0LvJj9DnMO6S
0sXSiJQK+oZx5R0qO7khKve7yoMltitdZP9HuBShqnnbJqdABOBwVFETHj2/jJBi
gdlIdUBhAKBLYD0EwOvPSbyEpAhuXgpPGHZRihOQp6lG4GXpKyMFFyleSc0ExO9h
JXs3jgoOulyn+8lQwaM2Q6P9fun+fiqQOIjYWwHLrQKBgQD24VS4gD9K0PX7tpTl
+0Srwerrybmfn/K5VLLCq+HVv/bmcLnOiFiuUng0itU4kmlWNoYIQi+F3ppmqx1L
ty+5pO2ncf+U7+WdZ+AmbHWAb7uF4NOj0u/4JEv0qRaFU7f6Rm4bnSFnN/JXC/B0
z07yVf7d+mRtDZfdJQeypT4d9wKBgQC/cTFs/Z27e2FL+wfv9PEkQKf1Q1PbMKy+
q4/irpP2VobuVfKYsOpQoef4wn0lvfZW8xS9Xz8h/m4eqCMwQNVe2N5AnjH7RSWn
Ea/P6uPRvdxeUG0IsMXI54ZK6nq8HvTyk/FATRjCieCuNiIA4aRJhzRDEhR/TLHi
t/oeYfbUfQKBgFV1frw3OLGPT/cIJtbNeeHyyH1CYQ0OcxkQZqjYkt5JCxCN6OPD
ct81EQMvI8vncqszSIZHUugGPHBZv1RcXxrmKpYR8iT+Pf+U25SxaqNBCiq3vssw
03yUI+7XMUKJzl/GTYslg1CVnz/elCf7MxrUBduVN3pAgFc+4EFIzg3VAoGBAJZf
vSkVVY5sbZKXDjcHuVp2hvd5+SZU53ulmxG9e2+lq7sOO86AOK05X9LgQhkhS5wk
uAfABwEWrzzZaTp/0pn70ygCmtP6DodatzSkFmsrrStQFTUcVV9nrO6vm9SkpFbe
qkONy4MTdi6hSrhShQ9UalK8oukTPy8MwCSZYp6pAoGBAMGC5wc48lJ+/cleDGFS
o52gzthL3VjOyJy+MhBHGnrlXI5D7JzXrmqE3QT5c9PlY6nHwKoLBYACA3iAG/Uq
XZwezEMslKalTS8RGjar3Clg/pZf/yQhLCXGhPf0HNZXmdmAPM1CV+U9i+TFUqkQ
pKm6V9LU/aRLwawffJ3KGUCj
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCQwViOXlKh2vqj
GMvbuOgDsFK3nqTs9glb2UhCGPua+KKjfJh0MXtQc9f6bhIn+S+WEelGGFUQdDbH
N8gsur0CKNFe7K13w+5MolebWvwuOW/rw9neIFJiEr6kC/O4E+724eXuKycWYS2V
ylIb8wUGWuefqwJ/dv58Xb/oX5yRY+vsM9OrPVFD0eNXQ8GdJ/1TaMpzBrtDhs4P
AGO8qCmpc3kq8XqsyKj1Cvxpo3K/gNF3yPYwyjtK5QUTDkvUoL2dOderjnmc7xlW
+T/WrhHk0Qmr4D9BVltccXWF4Ut4IMWR7Bi8ysliRY70bVihFpR9zxU/CJOs5Xm1
GlrHx4uXAgMBAAECggEANjFkbXxrlDPupJPackqh9guTlDHdDee4rj3E+xXuUGDo
RquVSd7ii0arY5LE0llMkvLmsfrXEd9oSKIeG3zX2RCd/ds+wDlGpEMc6EkiY03W
lF4Q2UOhhBz/aVweJNq1mpEM62MVcZ/1GICTx+nuBiiPUawMtdq/QKE6gQ0WiSle
2PT3rCIqxN9kwg9ndVhIrg4ZWbdPQD9rTWEKdRg85r1xDmIC9jWXTe2797XEu7t7
fBp0BzC5mRHxFKuRX01Q+JyUMuEfTOG7urcN00x7jT6krPS9Ln1PHVHfy9NJ86WR
qTjcc8JjaMTExsF02TMTI+yNI+BklxAjV+YYxzTasQKBgQDDR+E3wudps0vweOYA
aMn+H2/lwthITs5/xpeTaNndhzOYs9zUXZmnMhToRboXzJbgYe1Eivm1p1X4E2ON
Kpi1RqGaQ5PnsbSmzPc9j60+sO4h6nLUAuyQiFAB/UaXglOPAp72vcBksXeIKRem
Ubk5bRgiAeFEXIoqga2tWGadcQKBgQC9w7GrqrcAybmlqesyKLBsk+CcB1rMa6Sw
imZnv1Mi2jnpKIysBlbNLg8oVJPsZEUwVaVvvaCPTYP6l5pyV4NiUL746zJnqWPq
Z2FPtWU99vyxg5zm6KRMkS/n/TOqa0gNj+VTEhba1OTG8FSu8DFo8+j0Kbxc84+N
fZrMa6RVhwKBgCdFwWlxbRC42kDWT4sth9HviJVwhgaksqrHyZv/rjD7C8leAr9C
w6/4RnQf8bjvkDg3+XubZ3S83nExlQfC1Us/lShtBsXF20rgVaivyGufMYTonYc9
v02h3FVKFnRJ5XwRTt7YcmTNu/hKK1NrhBCkfAH61s7kvXSm98Kw0JJBAoGAB6Wo
NkPF5ik66vsi+D19hpKa/Y6qUQyRcW/SWqHyJrhmlwfES3Zh7xjJEZX+9ArCYwVA
inU40C2OgP21AqCWMdMRLxTDTjwcQ6jw2fZ0Yv/eBQVJwGBlppQ/OvkQKPDz0WAY
HLXg5+amZYHv17DkPNd/br9z0Mcb5NbH8y7vS2cCgYEAhbyGBoWK9jnVj3hlwckz
19ZZ83E6KHmbaO8htEMYHdr5NgQfd2rpLzSZzOr0XWP2f5xJtHCgKgy8yWwo524g
Tlpg4xrOl9fCJ4amQxiZTpz6ITGgsqh738iQnDaSnzzm/P2oWHOspU3XA1qAZGay
eA0QjI/F24X5yskP8ddlYbk=
-----END PRIVATE KEY-----

Aliases:
Expand Down
138 changes: 138 additions & 0 deletions etp-core/docker/ocsp-test-pki/create-root-pki-easyrsa.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,138 @@
#! /usr/bin/env nix-shell
#! nix-shell -I channel:nixos-24.05-small --pure -i bash -p openssl git

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

PKI_ROOT_DIR="${SCRIPT_DIR}/pki-root"
PKI_INT_DIR="${SCRIPT_DIR}/pki-int"

SOME_REQ_NAME="some_certificate"

OCSP_REQ_NAME="ocsp_responder"
OCSP_LOGS_DIR="${SCRIPT_DIR}/logs/"
OCSP_ROOT_LOG="${OCSP_LOGS_DIR}/ocsp-root.log"
OCSP_INT_LOG="${OCSP_LOGS_DIR}/ocsp-int.log"

clean() {
echo "Cleaning"
rm -r "${PKI_ROOT_DIR}"
rm -r "${PKI_INT_DIR}"
rm -r "${OCSP_LOGS_DIR}"
}

easyrsa_root() {
./easyrsa --pki-dir="${PKI_ROOT_DIR}" "$@"
}

easyrsa_int() {
./easyrsa --pki-dir="${PKI_INT_DIR}" "$@"
}

create_root_ca() {
easyrsa_root init-pki

cp -r "${SCRIPT_DIR}/x509-types" "${PKI_ROOT_DIR}/x509-types"

easyrsa_root build-ca nopass

echo "authorityInfoAccess = OCSP;URI:http://localhost:2060/" >> "${PKI_ROOT_DIR}"/x509-types/COMMON
}

create_int_ca() {
easyrsa_int init-pki

cp -r "${SCRIPT_DIR}/x509-types" "${PKI_INT_DIR}/x509-types"

easyrsa_int build-ca subca nopass

echo "authorityInfoAccess = OCSP;URI:http://localhost:2061/" >> "${PKI_INT_DIR}"/x509-types/COMMON
}

create_int_ca_cert() {
easyrsa_root import-req "${PKI_INT_DIR}/reqs/ca.req" "int_ca"
easyrsa_root sign-req ca "int_ca"
cp "${PKI_ROOT_DIR}/issued/int_ca.crt" "${PKI_INT_DIR}/ca.crt"
}

create_root_ocsp_cert() {
easyrsa_root gen-req "${OCSP_REQ_NAME}" nopass
easyrsa_root sign-req ocsp "${OCSP_REQ_NAME}"
}

create_int_ocsp_cert() {
easyrsa_int gen-req "${OCSP_REQ_NAME}" nopass
easyrsa_int sign-req ocsp "${OCSP_REQ_NAME}"
}

create_leaf_cert() {
easyrsa_int gen-req "${SOME_REQ_NAME}" nopass
easyrsa_int sign-req dsign "${SOME_REQ_NAME}"
}

start_root_ocsp_responder() {
openssl ocsp \
-index "${PKI_ROOT_DIR}/index.txt" \
-port 2060 \
-rsigner "${PKI_ROOT_DIR}/issued/${OCSP_REQ_NAME}.crt" \
-rkey "${PKI_ROOT_DIR}/private/${OCSP_REQ_NAME}.key" \
-CA "${PKI_ROOT_DIR}/ca.crt" \
-text \
-out "${OCSP_ROOT_LOG}"
}

start_int_ocsp_responder() {
openssl ocsp \
-index "${PKI_INT_DIR}/index.txt" \
-port 2061 \
-rsigner "${PKI_INT_DIR}/issued/${OCSP_REQ_NAME}.crt" \
-rkey "${PKI_INT_DIR}/private/${OCSP_REQ_NAME}.key" \
-CA "${PKI_INT_DIR}/ca.crt" \
-text \
-out "${OCSP_INT_LOG}"
}

get_cert_pem() {
sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$1"
}

PROJECT_ROOT=$(git rev-parse --show-toplevel)
CERTS_DIR="${PROJECT_ROOT}/etp-core/etp-backend/src/test/resources/system-signature"
ROOT_CERT_FILE=${CERTS_DIR}/local-signing-root.pem.crt
INT_CERT_FILE=${CERTS_DIR}/local-signing-int.pem.crt
LEAF_CERT_FILE=${CERTS_DIR}/local-signing-leaf.pem.crt

install_certs_to_dev() {
get_cert_pem "${PKI_ROOT_DIR}/ca.crt" > "${ROOT_CERT_FILE}"
get_cert_pem "${PKI_INT_DIR}/ca.crt" > "${INT_CERT_FILE}"
get_cert_pem "${PKI_INT_DIR}/issued/${SOME_REQ_NAME}.crt" > "${LEAF_CERT_FILE}"
echo "hmm"
}

case "$1" in
clean)
clean
;;
start_root_ocsp)
mkdir -p "${OCSP_LOGS_DIR}"
start_root_ocsp_responder
;;
start_int_ocsp)
mkdir -p "${OCSP_LOGS_DIR}"
start_int_ocsp_responder
;;
install_certs)
install_certs_to_dev
;;
build)
create_root_ca
create_int_ca
create_int_ca_cert
create_root_ocsp_cert
create_int_ocsp_cert
create_leaf_cert
;;
*)
echo "See the script for targets."
exit 1
;;
esac
1 change: 1 addition & 0 deletions etp-core/docker/ocsp-test-pki/easyrsa
View file
Open in desktop
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tämä on vain linkki easyrsa:aan

Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
../../../../easy-rsa/easyrsa3/easyrsa
88 changes: 88 additions & 0 deletions etp-core/docker/ocsp-test-pki/logs/ocsp-int.log
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: D400C058FC5CF4203C162D8714B1F9B7C6015085
Issuer Key Hash: 349950A5B055D478A28DD8B99D71B82708DC389D
Serial Number: 2A9CA93992A09BDC571978753A01868B
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: CN = ocsp_responder
Produced At: Nov 20 12:06:30 2024 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: D400C058FC5CF4203C162D8714B1F9B7C6015085
Issuer Key Hash: 349950A5B055D478A28DD8B99D71B82708DC389D
Serial Number: 2A9CA93992A09BDC571978753A01868B
Cert Status: good
This Update: Nov 20 12:06:30 2024 GMT

Signature Algorithm: sha256WithRSAEncryption
Signature Value:
c3:fa:ca:14:99:17:57:23:b8:43:93:42:78:67:7a:c0:81:ef:
d5:81:5a:06:72:84:3c:f4:15:a5:f8:7b:71:b7:bb:c8:b0:ab:
80:cb:86:d5:59:f1:c8:ff:77:38:40:e6:c6:cb:10:0c:30:37:
43:a9:e5:b8:1d:46:ca:0d:cc:44:cd:76:6c:7e:cc:15:38:06:
c8:2e:dc:2d:98:ed:41:f8:b4:b8:4d:c5:66:ff:47:d9:ab:e4:
60:34:56:9a:ca:6c:98:1f:23:b2:3a:7a:ee:cf:3d:13:0c:5f:
03:02:d7:f6:91:4b:96:eb:d7:a4:10:64:7e:3f:3e:e2:b0:32:
05:90:fd:ca:37:2f:ec:a8:e2:1f:fd:c2:1c:08:f0:b1:c3:8c:
ee:12:bc:58:39:59:96:b0:2b:de:16:c9:31:b0:9a:a9:53:36:
6a:a8:58:b3:24:45:00:3b:d6:9e:f9:af:a1:f8:8f:8d:98:2c:
f0:49:45:8e:ff:eb:0f:04:c4:47:54:83:c6:3e:80:e3:20:d8:
a5:c4:70:90:d1:ff:ef:35:f4:fb:a2:a9:76:13:80:3c:b1:70:
7e:a2:55:f0:9d:a2:7d:6a:95:55:4c:58:39:ba:20:34:86:e1:
b1:84:18:48:84:d3:44:65:8f:72:2c:f4:b5:22:c1:fc:21:94:
77:81:08:40
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
99:8d:f4:27:c5:c1:f4:f1:f8:2a:f8:de:40:19:aa:7a
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Easy-RSA Sub-CA
Validity
Not Before: Nov 13 18:10:05 2024 GMT
Not After : Feb 16 18:10:05 2027 GMT
Subject: CN=ocsp_responder
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ef:aa:5b:8b:ad:f6:bc:e2:67:1a:99:68:09:9e:
6c:9d:cb:e3:9d:df:e0:0d:26:a5:cc:11:9d:fd:ca:
b9:85:87:1c:bc:8f:4a:c1:6c:03:00:e5:8a:c2:1e:
f6:f1:db:d6:0d:4f:4a:0b:8f:01:19:5f:5c:1f:35:
9a:60:70:6b:e4:73:65:36:4e:9f:35:20:7c:9e:c7:
8b:d1:0e:cc:3b:1d:12:ac:20:37:85:73:b0:3c:79:
9d:1e:5b:ec:ee:2c:c5:9f:38:71:58:b1:08:75:f7:
40:2f:1a:9e:21:f0:79:df:97:69:6a:b9:ef:13:8c:
5b:14:a8:08:06:1f:48:8e:91:2f:c7:63:4f:f8:14:
30:ca:0a:ba:12:5e:6d:0b:fd:9f:47:c5:7d:19:a6:
16:40:c8:f0:18:e2:5a:34:4f:9f:c6:51:c7:05:66:
09:4d:de:e1:34:48:83:f3:66:62:57:9b:7e:fc:04:
03:c5:c1:00:54:72:06:a2:43:05:c8:e5:d1:22:d6:
7e:55:bb:5b:7b:66:b1:fd:60:c7:3b:03:53:27:b5:
b2:b4:5b:f2:0a:32:94:7c:36:77:e7:ca:39:4d:4b:
22:f4:0c:10:eb:88:7d:23:1b:28:1d:18:2b:b4:0f:
15:b2:69:b5:df:f8:e0:76:cc:61:f4:a8:d9:83:79:
0a:a1
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
OCSP - URI:http://localhost:2061/
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
OCSP Signing
X509v3 Subject Key Identifier:
87:D9:F3:BD:E0:1B:EE:0A:3C:E4:46:0D:F4:11:21:75:AC:B7:5E:EE
X509v3 Authority Key Identifier:
34:99:50:A5:B0:55:D4:78:A2:8D:D8:B9:9D:71:B8:27:08:DC:38:9D

5 changes: 5 additions & 0 deletions etp-core/docker/ocsp-test-pki/make_ocsp_req.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# OCSP Request
openssl ocsp -CAfile pki/ca.crt \
-issuer pki/ca.crt \
-cert pki/issued/some_certificate.crt \
-url http://localhost:2560 -resp_text
Loading
Loading