HDDS-11895. Separate Root and Sub CA server implementation

hadoop-hdds/common/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/utils/CertificateSignRequest.java

@@ -172,8 +172,7 @@ public String toEncodedFormat() throws IOException {
     return str.toString();
   }
 
-  //TODO: this should be private once the server side of removing PKCS10CertReq class is done.
-  public PKCS10CertificationRequest generateCSR() throws IOException {
+  private PKCS10CertificationRequest generateCSR() throws IOException {
     X500Name dnName = getDistinguishedName(subject, scmID, clusterID);
     PKCS10CertificationRequestBuilder p10Builder =
         new JcaPKCS10CertificationRequestBuilder(dnName, keyPair.getPublic());

hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateApprover.java

@@ -20,7 +20,6 @@
 package org.apache.hadoop.hdds.security.x509.certificate.authority;
 
 import org.apache.hadoop.hdds.security.SecurityConfig;
-import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 
 import java.io.IOException;
 import java.security.PrivateKey;
@@ -39,7 +38,7 @@ public interface CertificateApprover {
    * @param csr - Certificate Signing Request.
    * @return - Future that will contain Void if the certificate is considered valid otherwise an exception.
    */
-  CompletableFuture<Void> inspectCSR(PKCS10CertificationRequest csr);
+  CompletableFuture<Void> inspectCSR(String csr);
 
   /**
    * Sign function signs a Certificate.
@@ -63,7 +62,7 @@ X509Certificate sign(
       X509Certificate caCertificate,
       Date validFrom,
       Date validTill,
-      PKCS10CertificationRequest certificationRequest,
+      String certificationRequest,
       String scmId,
       String clusterId,
       String certSerialId)

hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/CertificateServer.java

@@ -23,7 +23,6 @@
 import org.apache.hadoop.hdds.scm.metadata.SCMMetadataStore;
 import org.apache.hadoop.hdds.security.SecurityConfig;
 import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
-import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 
 import java.io.IOException;
 import java.security.cert.CertPath;
@@ -41,11 +40,9 @@ public interface CertificateServer {
    * Initialize the Certificate Authority.
    *
    * @param securityConfig - Security Configuration.
-   * @param type - The Type of CertificateServer we are creating, we make this
-   * explicit so that when we read code it is visible to the users.
    * @throws SCMSecurityException - Throws if the init fails.
    */
-  void init(SecurityConfig securityConfig, CAType type)
+  void init(SecurityConfig securityConfig)
       throws IOException;
 
   /**
@@ -95,7 +92,7 @@ X509Certificate getCertificate(String certSerialId)
    * @throws SCMSecurityException - on Error.
    */
   Future<CertPath> requestCertificate(
-      PKCS10CertificationRequest csr,
+      String csr,
       CertificateApprover.ApprovalType type, NodeType role,
       String certSerialId) throws SCMSecurityException;
 

hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/security/x509/certificate/authority/DefaultApprover.java

@@ -23,6 +23,7 @@
 import org.apache.hadoop.hdds.security.SecurityConfig;
 import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
 import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.PKIProfile;
+import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
 import org.bouncycastle.asn1.ASN1Encodable;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.pkcs.Attribute;
@@ -93,18 +94,18 @@ public DefaultApprover(PKIProfile pkiProfile, SecurityConfig config) {
   /**
    * Sign function signs a Certificate.
    *
-   * @param config - Security Config.
-   * @param caPrivate - CAs private Key.
+   * @param config        - Security Config.
+   * @param caPrivate     - CAs private Key.
    * @param caCertificate - CA Certificate.
-   * @param validFrom - Begin Da te
-   * @param validTill - End Date
-   * @param certificationRequest - Certification Request.
-   * @param scmId - SCM id.
-   * @param clusterId - Cluster id.
-   * @param certSerialId - the new certificate id.
+   * @param validFrom     - Begin Da te
+   * @param validTill     - End Date
+   * @param encodedCSR    - Certification Request in encoded format.
+   * @param scmId         - SCM id.
+   * @param clusterId     - Cluster id.
+   * @param certSerialId  - the new certificate id.
    * @return Signed Certificate.
-   * @throws IOException - On Error
-   * @throws CertificateException - on Error.
+   * @throws IOException               - On Error
+   * @throws OperatorCreationException - on Error.
    */
   @SuppressWarnings("ParameterNumber")
   @Override
@@ -114,7 +115,7 @@ public X509Certificate sign(
       X509Certificate caCertificate,
       Date validFrom,
       Date validTill,
-      PKCS10CertificationRequest certificationRequest,
+      String encodedCSR,
       String scmId,
       String clusterId,
       String certSerialId) throws IOException, CertificateException {
@@ -127,6 +128,7 @@ public X509Certificate sign(
 
     AsymmetricKeyParameter asymmetricKP = PrivateKeyFactory.createKey(caPrivate
         .getEncoded());
+    PKCS10CertificationRequest certificationRequest = CertificateSignRequest.getCertificationRequest(encodedCSR);
     SubjectPublicKeyInfo keyInfo =
         certificationRequest.getSubjectPublicKeyInfo();
 
@@ -287,8 +289,7 @@ boolean verfiyExtensions(PKCS10CertificationRequest request) {
    * @throws OperatorCreationException - On Error.
    * @throws PKCSException             - on Error.
    */
-  @VisibleForTesting
-  boolean verifyPkcs10Request(PKCS10CertificationRequest pkcs10Request)
+  private boolean verifyPkcs10Request(PKCS10CertificationRequest pkcs10Request)
       throws OperatorCreationException, PKCSException {
     ContentVerifierProvider verifierProvider = new
         JcaContentVerifierProviderBuilder()
@@ -302,7 +303,7 @@ boolean verifyPkcs10Request(PKCS10CertificationRequest pkcs10Request)
    * {@inheritDoc}
    */
   @Override
-  public CompletableFuture<Void> inspectCSR(PKCS10CertificationRequest csr) {
+  public CompletableFuture<Void> inspectCSR(String encodedCSR) {
     /**
      * The base approver executes the following algorithm to verify that a
      * CSR meets the PKI Profile criteria.
@@ -333,6 +334,7 @@ public CompletableFuture<Void> inspectCSR(PKCS10CertificationRequest csr) {
 
       // Step 1: Let us verify that Certificate is indeed signed by someone
       // who has access to the private key.
+      PKCS10CertificationRequest csr = CertificateSignRequest.getCertificationRequest(encodedCSR);
       if (!verifyPkcs10Request(csr)) {
         LOG.error("Failed to verify the signature in CSR.");
         response.completeExceptionally(new SCMSecurityException("Failed to " +
@@ -356,7 +358,7 @@ public CompletableFuture<Void> inspectCSR(PKCS10CertificationRequest csr) {
             "verify extensions."));
       }
 
-    } catch (OperatorCreationException | PKCSException e) {
+    } catch (OperatorCreationException | PKCSException | IOException e) {
       LOG.error("Approval Failure.", e);
       response.completeExceptionally(new SCMSecurityException(e));
     }