diff --git a/ansible/roles/xroad-cs/tasks/ubuntu.yml b/ansible/roles/xroad-cs/tasks/ubuntu.yml index 8ffc2b56f2..1828c48a7e 100644 --- a/ansible/roles/xroad-cs/tasks/ubuntu.yml +++ b/ansible/roles/xroad-cs/tasks/ubuntu.yml @@ -6,13 +6,15 @@ vtype: "string" # parametrize if you add a different type of question to item list value: "{{ item.value }}" with_items: - - { question: "xroad-common/username", value: "{{ xroad_ui_user }}" } - - { question: "xroad-common/database-host", value: "{{ database_host }}" } - - { question: "xroad-common/admin-subject", value: "/CN={{ inventory_hostname }}" } - - { question: "xroad-common/admin-altsubject", value: "IP:{{ ansible_default_ipv4.address }},DNS:{{ inventory_hostname }}" } - - { question: "xroad-common/service-subject", value: "/CN={{ inventory_hostname }}" } - - { question: "xroad-common/service-altsubject", value: "IP:{{ ansible_default_ipv4.address }},DNS:{{ inventory_hostname }}" } - - { question: "xroad-common/skip-cs-db-migrations", value: "false" } + - { question: "xroad-common/username", value: "{{ xroad_ui_user }}" } + - { question: "xroad-common/database-host", value: "{{ database_host }}" } + - { question: "xroad-common/admin-subject", value: "/CN={{ inventory_hostname }}" } + - { question: "xroad-common/admin-altsubject", value: "IP:{{ ansible_default_ipv4.address }},DNS:{{ inventory_hostname }}" } + - { question: "xroad-common/service-subject", value: "/CN={{ inventory_hostname }}" } + - { question: "xroad-common/service-altsubject", value: "IP:{{ ansible_default_ipv4.address }},DNS:{{ inventory_hostname }}" } + - { question: "xroad-common/global-conf-subject", value: "/CN={{ inventory_hostname }}" } + - { question: "xroad-common/global-conf-altsubject", value: "IP:{{ ansible_default_ipv4.address }},DNS:{{ inventory_hostname }}" } + - { question: "xroad-common/skip-cs-db-migrations", value: "false" } tags: - install-xroad-cs-packages 
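Review bot: The new `xroad-common/global-conf-altsubject` answer seeds the SAN of the certificate presented on the https global-configuration endpoint from `ansible_default_ipv4.address`, i.e. the host's own interface address, so when the Central Server is reached through a NAT or public address (guide item 1.8) that externally used address is absent from the certificate. Unlike the admin UI and service certificates, this endpoint is consumed by remote Security Servers (connection table: 80, 443), so the inventory should be able to override it, e.g. `- { question: "xroad-common/global-conf-altsubject", value: "{{ xroad_global_conf_altsubject | default('IP:' ~ ansible_default_ipv4.address ~ ',DNS:' ~ inventory_hostname) }}" }` with `xroad_global_conf_altsubject` as a new optional role variable. The seven pre-existing items are removed and re-added with identical text, presumably an indentation change, which makes the two genuinely new lines harder to spot in review.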
diff --git a/doc/Manuals/ig-cs_x-road_6_central_server_installation_guide.md b/doc/Manuals/ig-cs_x-road_6_central_server_installation_guide.md index 7989ec2399..1d67f84207 100644 --- a/doc/Manuals/ig-cs_x-road_6_central_server_installation_guide.md +++ b/doc/Manuals/ig-cs_x-road_6_central_server_installation_guide.md @@ -1,6 +1,6 @@ # X-Road: Central Server Installation Guide -Version: 2.35 +Version: 2.36 Doc. ID: IG-CS --- @@ -52,7 +52,8 @@ Doc. ID: IG-CS | 23.05.2023 | 2.32 | Backup Encryption Configuration | Eneli Reimets | | 31.05.2023 | 2.33 | Add Central Server network diagram | Petteri Kivimäki | | 28.06.2023 | 2.34 | Update database properties to the new Spring datasource version | Raido Kaju | -| 13.09.2023 | 2.35 | Database integrity check errors before center upgrade | Eneli reimets | +| 13.09.2023 | 2.35 | Database integrity check errors before center upgrade | Eneli Reimets | +| 14.10.2023 | 2.36 | Add Global configuration distribution over https | Eneli Reimets | ## Table of Contents @@ -164,6 +165,7 @@ Caution: Data necessary for the functioning of the operating system is not inclu | 1.8 | | Central Server public IP address, NAT address | | 1.9 | | Information about the user interface TLS certificate | | 1.10 | | Information about the services TLS certificate | +| 1.11 | | Information about the global configuration TLS certificate | It is strongly recommended to protect the Central Server from unwanted access using a firewall (hardware or software based). The firewall can be applied to both incoming and outgoing connections depending on the security requirements of the environment where the Central Server is deployed. It is recommended to allow incoming traffic to specific ports only from explicitly defined sources using IP filtering. **Special attention should be paid with the firewall configuration since incorrect configuration may leave the Central Server vulnerable to exploits and attacks.** 
@@ -178,7 +180,7 @@ The table below lists the required connections between different components. Ple **Connection Type** | **Source** | **Target** | **Target Ports** | **Protocol** | **Note** | -----------|-----------------------------------|-------------------------------|------------|-----------|---------------------------------------------------------------------------------------------| Out | Monitoring Security Server | X-Road Member Security Server | 5500, 5577 | tcp | Operational and environmental monitoring data collection | -In | X-Road Member Security Server | Central Server | 80 | tcp | Global configuration distribution | +In | X-Road Member Security Server | Central Server | 80, 443 | tcp | Global configuration distribution | In | X-Road Member Security Server | Central Server | 4001 | tcp | Authentication certificate registration requests from X-Road Members' Security Servers | In | Management Security Server | Central Server | 4002 | tcp | Source in the internal network. Management service requests from Management Security Server | In | X-Road Member Security Server | Management Security Server | 5500, 5577 | tcp | Management service requests from X-Road Members' Security Servers | 
@@ -305,6 +307,11 @@ Upon the first installation of the Central Server software, the system asks for The certificate owner’s Distinguished Name must be entered in the format: `/CN=server.domain.tld` All IP addresses and domain names in use must be entered as alternative names in the format: `IP:1.2.3.4,IP:4.3.2.1,DNS:servername,DNS:servername2.domain.tld` +- Identification of the TLS certificate that is used for securing the HTTPS access point used for global configuration distribution (reference data: 1.7; 1.11). The name and IP addresses detected from the operating system are suggested as default values. + + The certificate owner’s Distinguished Name must be entered in the format: `/CN=server.domain.tld`. + All IP addresses and domain names in use must be entered as alternative names in the format: `IP:1.2.3.4,IP:4.3.2.1,DNS:servername,DNS:servername2.domain.tld` + ### 2.8 Installing the Support for Hardware Tokens To configure support for hardware security tokens (smartcard, USB token, Hardware Security Module), act as follows. diff --git a/doc/Manuals/img/ig-cs_network_diagram.drawio b/doc/Manuals/img/ig-cs_network_diagram.drawio index 6498bd6566..449458de3a 100644 --- a/doc/Manuals/img/ig-cs_network_diagram.drawio +++ b/doc/Manuals/img/ig-cs_network_diagram.drawio @@ -1,6 +1,6 @@ - + - + @@ -101,10 +101,10 @@ - + - + @@ -139,8 +139,8 @@ - - + + @@ -149,14 +149,13 @@ - - + - + @@ -164,14 +163,13 @@ - - + - + diff --git a/doc/Manuals/img/ig-cs_network_diagram.png b/doc/Manuals/img/ig-cs_network_diagram.png index 86abb4fbea..1a5ec41848 100644 Binary files a/doc/Manuals/img/ig-cs_network_diagram.png and b/doc/Manuals/img/ig-cs_network_diagram.png differ diff --git a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java index 336fcdd18f..13c4b77928 100644 
--- a/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java +++ b/src/addons/hwtoken/src/main/java/ee/ria/xroad/signer/tokenmanager/token/HardwareTokenWorker.java @@ -49,20 +49,9 @@ import iaik.pkcs.pkcs11.wrapper.PKCS11Constants; import iaik.pkcs.pkcs11.wrapper.PKCS11Exception; import lombok.extern.slf4j.Slf4j; -import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.bouncycastle.cert.X509CertificateHolder; -import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; -import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; -import org.bouncycastle.operator.ContentSigner; -import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; import javax.xml.bind.DatatypeConverter; -import java.io.ByteArrayOutputStream; -import java.io.OutputStream; -import java.security.PublicKey; -import java.security.cert.CertPath; -import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; @@ -74,10 +63,7 @@ import static ee.ria.xroad.common.ErrorCodes.X_KEY_NOT_FOUND; import static ee.ria.xroad.common.ErrorCodes.X_TOKEN_READONLY; import static ee.ria.xroad.common.ErrorCodes.X_UNSUPPORTED_SIGN_ALGORITHM; -import static ee.ria.xroad.common.ErrorCodes.translateException; -import static ee.ria.xroad.common.util.CryptoUtils.calculateDigest; import static ee.ria.xroad.common.util.CryptoUtils.encodeBase64; -import static ee.ria.xroad.common.util.CryptoUtils.getDigestAlgorithmId; import static ee.ria.xroad.common.util.CryptoUtils.readCertificate; import static ee.ria.xroad.signer.tokenmanager.TokenManager.addCert; import static ee.ria.xroad.signer.tokenmanager.TokenManager.addKey; 
@@ -435,27 +421,6 @@ protected byte[] sign(String keyId, String signatureAlgorithmId, byte[] data) th } } - protected byte[] signCertificate(String keyId, String signatureAlgorithmId, String subjectName, PublicKey publicKey) throws Exception { - log.trace("signCertificate({}, {}, {})", keyId, signatureAlgorithmId, subjectName); - - assertKeyAvailable(keyId); - KeyInfo keyInfo = getKeyInfo(keyId); - CertificateInfo certificateInfo = keyInfo.getCerts().get(0); - X509Certificate issuerX509Certificate = readCertificate(certificateInfo.getCertificateBytes()); - - ContentSigner contentSigner = new HardwareTokenContentSigner(keyId, signatureAlgorithmId); - - JcaX509v3CertificateBuilder certificateBuilder = getCertificateBuilder(subjectName, publicKey, - issuerX509Certificate); - X509CertificateHolder certHolder = certificateBuilder.build(contentSigner); - X509Certificate signedCert = new JcaX509CertificateConverter().getCertificate(certHolder); - - CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC"); - CertPath certPath = certificateFactory.generateCertPath(Arrays.asList(signedCert, issuerX509Certificate)); - return certPath.getEncoded("PEM"); - } - - // ------------------------------------------------------------------------ private void findKeysNotInConf() throws Exception { 
@@ -800,57 +765,4 @@ private static boolean hasCert(KeyInfo key, byte[] certBytes) { return false; } - - private class HardwareTokenContentSigner implements ContentSigner { - - private final ByteArrayOutputStream out; - private final String keyId; - private final String signatureAlgorithmId; - - HardwareTokenContentSigner(String keyId, String signatureAlgorithmId) { - this.keyId = keyId; - this.signatureAlgorithmId = signatureAlgorithmId; - out = new ByteArrayOutputStream(); - } - - @Override - public byte[] getSignature() { - try { - assertActiveSession(); - pinVerificationPerSigningLogin(); - byte[] dataToSign = out.toByteArray(); - RSAPrivateKey privateKey = getPrivateKey(keyId); - if (privateKey == null) { - throw CodedException.tr(X_KEY_NOT_FOUND, "key_not_found_on_token", "Key '%s' not found on token '%s'", - keyId, tokenId); - } - log.debug("Signing with key '{}' and signature algorithm '{}'", keyId, signatureAlgorithmId); - Mechanism signatureMechanism = signMechanisms.get(signatureAlgorithmId); - if (signatureMechanism == null) { - throw CodedException.tr(X_UNSUPPORTED_SIGN_ALGORITHM, "unsupported_sign_algorithm", - "Unsupported signature algorithm '%s'", signatureAlgorithmId); - } - activeSession.signInit(signatureMechanism, privateKey); - String digestAlgorithmId = getDigestAlgorithmId(signatureAlgorithmId); - byte[] digest = calculateDigest(digestAlgorithmId, dataToSign); - byte[] dataDigestToSign = SignerUtil.createDataToSign(digest, signatureAlgorithmId); - return activeSession.sign(dataDigestToSign); - } catch (Exception e) { - log.error(e.getMessage()); - throw translateException(e); - } finally { - pinVerificationPerSigningLogout(); - } - } - - @Override - public OutputStream getOutputStream() { - return out; - } - - @Override - public AlgorithmIdentifier getAlgorithmIdentifier() { - return new DefaultSignatureAlgorithmIdentifierFinder().find(signatureAlgorithmId); - } - } } 
diff --git a/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/facade/SignerProxyFacade.java b/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/facade/SignerProxyFacade.java index 11fe5707a3..0d3347a572 100644 --- a/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/facade/SignerProxyFacade.java +++ b/src/central-server/admin-service/core-api/src/main/java/org/niis/xroad/cs/admin/api/facade/SignerProxyFacade.java @@ -31,7 +31,6 @@ import ee.ria.xroad.signer.protocol.dto.KeyUsageInfo; import ee.ria.xroad.signer.protocol.dto.TokenInfo; -import java.security.PublicKey; import java.util.Date; import java.util.List; @@ -92,6 +91,4 @@ byte[] generateSelfSignedCert(String keyId, ClientId.Conf memberId, KeyUsageInfo */ byte[] sign(String keyId, String signatureAlgorithmId, byte[] digest) throws Exception; - byte[] signCertificate(String keyId, String signatureAlgorithmId, String subjectName, PublicKey publicKey) throws Exception; - } diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java index d12592ed3b..255a6b532b 100644 --- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java +++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeImpl.java @@ -44,7 +44,6 @@ import javax.annotation.PostConstruct; import javax.annotation.PreDestroy; -import java.security.PublicKey; import java.util.Date; import java.util.List; 
@@ -149,10 +148,4 @@ public String getSignMechanism(String keyId) throws Exception { public byte[] sign(String keyId, String signatureAlgorithmId, byte[] digest) throws Exception { return SignerProxy.sign(keyId, signatureAlgorithmId, digest); } - - @Override - public byte[] signCertificate(String keyId, String signatureAlgorithmId, String subjectName, PublicKey publicKey) throws Exception { - return SignerProxy.signCertificate(keyId, signatureAlgorithmId, subjectName, publicKey); - } - } diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java index a3648db052..5ada13bdfb 100644 --- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java +++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/facade/SignerProxyFacadeMockHttpImpl.java @@ -50,7 +50,6 @@ import org.springframework.stereotype.Component; import org.springframework.web.client.RestTemplate; -import java.security.PublicKey; import java.util.Date; import java.util.List; import java.util.Map; @@ -163,9 +162,4 @@ public byte[] sign(String keyId, String signatureAlgorithmId, byte[] digest) { throw new NotImplementedException("sign not implemented getSignMechanism."); } - @Override - public byte[] signCertificate(String keyId, String signatureAlgorithmId, String subjectName, PublicKey publicKey) { - throw new NotImplementedException("sign not implemented signCertificate."); - } - } diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationAnchorServiceImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationAnchorServiceImpl.java index 79745c41c9..f31cba4b9f 100644 
--- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationAnchorServiceImpl.java +++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationAnchorServiceImpl.java @@ -69,7 +69,6 @@ import java.util.Optional; import static org.niis.xroad.common.exception.util.CommonDeviationMessage.INTERNAL_ERROR; -import static org.niis.xroad.cs.admin.api.domain.ConfigurationSourceType.EXTERNAL; import static org.niis.xroad.cs.admin.api.domain.ConfigurationSourceType.INTERNAL; import static org.niis.xroad.cs.admin.api.exception.ErrorMessage.ERROR_RECREATING_ANCHOR; import static org.niis.xroad.cs.admin.api.exception.ErrorMessage.INSTANCE_IDENTIFIER_NOT_SET; @@ -189,9 +188,7 @@ private String buildAnchorXml(final ConfigurationSourceType configurationType, } private String buildGlobalDownloadUrl(final ConfigurationSourceType sourceType, final String haNodeName, final boolean isHttps) { - final var csAddress = sourceType.equals(EXTERNAL) && isHttps - ? systemParameterService.getCentralServerAddress(haNodeName) + ":4443" // make port into sys prop? - : systemParameterService.getCentralServerAddress(haNodeName); + final var csAddress = systemParameterService.getCentralServerAddress(haNodeName); final String sourceDirectory = sourceType.equals(INTERNAL) ? SystemProperties.getCenterInternalDirectory() : SystemProperties.getCenterExternalDirectory(); diff --git a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationServiceImpl.java b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationServiceImpl.java index 2076874076..03d00e1c41 100644 --- a/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationServiceImpl.java +++ b/src/central-server/admin-service/core/src/main/java/org/niis/xroad/cs/admin/core/service/ConfigurationServiceImpl.java 
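Review bot: The new `csAddress` line drops the explicit `:4443` (and the "make port into sys prop?" question with it) without leaving any trace of why the https download URL now relies on the implicit default port; the same silent change is made in ConfigurationServiceImpl.getGlobalDownloadUrl in the next hunk. A one-line comment on the new line would spare the next reader the archaeology, e.g. `// https distribution is served on the default TLS port, so no explicit port is appended (IG-CS connection table: 80, 443)`. After this change `sourceType` is only consulted for the directory and `isHttps` presumably only for the scheme further down; buildGlobalDownloadUrl continues outside the hunk.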
@@ -188,9 +188,7 @@ public File getConfigurationPartFile(String contentIdentifier, int version) { @Override public GlobalConfDownloadUrl getGlobalDownloadUrl(ConfigurationSourceType sourceType) { - final String csAddress = sourceType.equals(EXTERNAL) - ? systemParameterService.getCentralServerAddress() + ":4443" - : systemParameterService.getCentralServerAddress(); + final String csAddress = systemParameterService.getCentralServerAddress(); final String sourceDirectory = sourceType.equals(INTERNAL) ? SystemProperties.getCenterInternalDirectory() : SystemProperties.getCenterExternalDirectory(); diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationAnchorServiceImplTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationAnchorServiceImplTest.java index 8d44df3a82..d920835475 100644 --- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationAnchorServiceImplTest.java +++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationAnchorServiceImplTest.java @@ -324,7 +324,7 @@ void shouldSuccessfullyRecreateExternal() { XmlAssert.assertThat(xml).withNamespaceContext(namespace) .valueByXPath("//ns3:configurationAnchor/source[3]/downloadURL") - .isEqualTo("https://cs:4443/externalconf"); + .isEqualTo("https://cs/externalconf"); XmlAssert.assertThat(xml).withNamespaceContext(namespace) .valueByXPath("//ns3:configurationAnchor/source[3]/verificationCert[1]") .isEqualTo(Base64Utils.encodeToString(CERT1.getBytes(UTF_8))); 
@@ -334,7 +334,7 @@ void shouldSuccessfullyRecreateExternal() { XmlAssert.assertThat(xml).withNamespaceContext(namespace) .valueByXPath("//ns3:configurationAnchor/source[4]/downloadURL") - .isEqualTo("https://cs2:4443/externalconf"); + .isEqualTo("https://cs2/externalconf"); XmlAssert.assertThat(xml).withNamespaceContext(namespace) .valueByXPath("//ns3:configurationAnchor/source[4]/verificationCert[1]") .isEqualTo(Base64Utils.encodeToString(CERT3.getBytes(UTF_8))); diff --git a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationServiceImplTest.java b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationServiceImplTest.java index 3277072765..bf139672e1 100644 --- a/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationServiceImplTest.java +++ b/src/central-server/admin-service/core/src/test/java/org/niis/xroad/cs/admin/core/service/ConfigurationServiceImplTest.java @@ -226,7 +226,7 @@ void shouldGetExternalGlobalDownloadUrl() { final GlobalConfDownloadUrl result = configurationService.getGlobalDownloadUrl(EXTERNAL); - assertThat(result.getUrl()).isEqualTo("https://" + CENTRAL_SERVICE + ":4443/externalconf"); + assertThat(result.getUrl()).isEqualTo("https://" + CENTRAL_SERVICE + "/externalconf"); } } diff --git a/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/GlobalConfGenerationServiceImpl.java b/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/GlobalConfGenerationServiceImpl.java index 31f24165c0..d26d5cc43a 100644 --- a/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/GlobalConfGenerationServiceImpl.java 
+++ b/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/GlobalConfGenerationServiceImpl.java @@ -87,7 +87,6 @@ public class GlobalConfGenerationServiceImpl implements GlobalConfGenerationServ private final PrivateParametersGenerator privateParametersGenerator; private final SharedParametersGenerator sharedParametersGenerator; private final ApplicationEventPublisher eventPublisher; - private final GlobalConfTLSCertificateGenerator tlsCertificateGenerator; @SneakyThrows @Override @@ -125,8 +124,6 @@ public void generate() { log.debug("Global conf generated"); success = true; - - tlsCertificateGenerator.updateGlobalConfTLSCertificates(internalSigningKey, externalSigningKey); } finally { eventPublisher.publishEvent(success ? SUCCESS : FAILURE); } diff --git a/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/GlobalConfTLSCertificateGenerator.java b/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/GlobalConfTLSCertificateGenerator.java deleted file mode 100644 index c2b0d83660..0000000000 --- a/src/central-server/admin-service/globalconf-generator/src/main/java/org/niis/xroad/cs/admin/globalconf/generator/GlobalConfTLSCertificateGenerator.java +++ /dev/null 
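Review bot: Removing `tlsCertificateGenerator.updateGlobalConfTLSCertificates(internalSigningKey, externalSigningKey)` from generate() also removes the only place that re-signed `ssl/internal-conf.crt` and `ssl/external-conf.crt` whenever they no longer verified against the current configuration signing certificate (see the deleted GlobalConfTLSCertificateGenerator), and nothing in this commit takes over that rotation; the new debconf questions only cover first installation. If the https distribution certificate is now meant to be operator-managed, say so where the old call sat, e.g. `// The TLS certificate for https globalconf distribution is provisioned at install time and is no longer renewed here.`, and describe the renewal procedure alongside the guide's 2.36 entry. generate() begins outside the hunk.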
@@ -1,94 +0,0 @@ -/* - * The MIT License - * - * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. 
- */ -package org.niis.xroad.cs.admin.globalconf.generator; - -import ee.ria.xroad.common.SystemProperties; -import ee.ria.xroad.common.util.AtomicSave; -import ee.ria.xroad.common.util.CryptoUtils; - -import lombok.RequiredArgsConstructor; -import lombok.SneakyThrows; -import lombok.extern.slf4j.Slf4j; -import org.niis.xroad.cs.admin.api.domain.ConfigurationSigningKey; -import org.niis.xroad.cs.admin.api.facade.SignerProxyFacade; -import org.niis.xroad.cs.admin.api.service.SystemParameterService; -import org.springframework.stereotype.Component; - -import java.nio.file.Files; -import java.nio.file.Path; -import java.security.PublicKey; -import java.security.SignatureException; -import java.security.cert.X509Certificate; - -import static ee.ria.xroad.common.util.CryptoUtils.getSignatureAlgorithmId; -import static ee.ria.xroad.common.util.CryptoUtils.readCertificate; - -@Component -@RequiredArgsConstructor -@Slf4j -public class GlobalConfTLSCertificateGenerator { - - private final SignerProxyFacade signerProxyFacade; - private final SystemParameterService systemParameterService; - - @SneakyThrows - void updateGlobalConfTLSCertificates( - ConfigurationSigningKey internalSigningKey, - ConfigurationSigningKey externalSigningKey) { - Path internalConfTLSCertPath = Path.of(SystemProperties.getConfPath() + "ssl/internal-conf.crt"); - Path externalConfTLSCertPath = Path.of(SystemProperties.getConfPath() + "ssl/external-conf.crt"); - Path centralAdminServiceCertPath = Path.of(SystemProperties.getConfPath() + "ssl/center-admin-service.crt"); - X509Certificate certToSign = readCertificate(Files.readAllBytes(centralAdminServiceCertPath)); - PublicKey publicKeyToSign = certToSign.getPublicKey(); - updateGlobalConfTLSCertIfNeeded(internalSigningKey, internalConfTLSCertPath, publicKeyToSign); - updateGlobalConfTLSCertIfNeeded(externalSigningKey, externalConfTLSCertPath, publicKeyToSign); - } - - private void updateGlobalConfTLSCertIfNeeded(ConfigurationSigningKey signingKey, Path 
confTLSCertPath, - PublicKey publicKeyToSign) throws Exception { - X509Certificate confTLSCertificate = readCertificate(Files.readAllBytes(confTLSCertPath)); - X509Certificate signingCertificate = readCertificate(signingKey.getCert()); - try { - confTLSCertificate.verify(signingCertificate.getPublicKey(), "BC"); - } catch (SignatureException e) { - log.debug("Renewing TLS cert for {}, reason: {}", confTLSCertPath, e.getMessage()); - signAndSaveGlobalConfTLSCertificate(signingKey, confTLSCertPath.toString(), publicKeyToSign); - } - } - - private void signAndSaveGlobalConfTLSCertificate(ConfigurationSigningKey signingKey, String tlsCertPath, - PublicKey publicKeyToSign) throws Exception { - String signMechanismName = signerProxyFacade.getSignMechanism(signingKey.getKeyIdentifier()); - String signatureAlgorithmId = getSignatureAlgorithmId(systemParameterService.getConfSignDigestAlgoId(), - signMechanismName); - final byte[] signedCertificate = signerProxyFacade.signCertificate(signingKey.getKeyIdentifier(), signatureAlgorithmId, - "CN=" + systemParameterService.getCentralServerAddress(), publicKeyToSign); - AtomicSave.execute(tlsCertPath, "tmp_cert", - out -> CryptoUtils.writeCertificateChainPem(signedCertificate, out)); - - } -} diff --git a/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/GlobalConfTLSCertificateGeneratorTest.java b/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/GlobalConfTLSCertificateGeneratorTest.java deleted file mode 100644 index b0efc4648e..0000000000 --- a/src/central-server/admin-service/globalconf-generator/src/test/java/org/niis/xroad/cs/admin/globalconf/generator/GlobalConfTLSCertificateGeneratorTest.java +++ /dev/null @@ -1,154 +0,0 @@ -/* - * The MIT License - *

- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS) - * Copyright (c) 2018 Estonian Information System Authority (RIA), - * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK) - * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK) - *

- * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - *

- * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - *

- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package org.niis.xroad.cs.admin.globalconf.generator;
-
-import ee.ria.xroad.common.SystemProperties;
-import ee.ria.xroad.common.util.CryptoUtils;
-
-import lombok.SneakyThrows;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.extension.ExtendWith;
-import org.mockito.InjectMocks;
-import org.mockito.Mock;
-import org.mockito.junit.jupiter.MockitoExtension;
-import org.niis.xroad.cs.admin.api.domain.ConfigurationSigningKey;
-import org.niis.xroad.cs.admin.api.facade.SignerProxyFacade;
-import org.niis.xroad.cs.admin.api.service.SystemParameterService;
-
-import java.io.IOException;
-import java.nio.file.Files;
-import java.nio.file.Path;
-import java.nio.file.StandardCopyOption;
-import java.security.PublicKey;
-import java.security.cert.X509Certificate;
-
-import static ee.ria.xroad.common.util.CryptoUtils.readCertificate;
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.never;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
-
-@ExtendWith(MockitoExtension.class)
-public class GlobalConfTLSCertificateGeneratorTest {
-
- @Mock
- SignerProxyFacade signerProxyFacade;
- @Mock
- SystemParameterService systemParameterService;
- @InjectMocks
- GlobalConfTLSCertificateGenerator tlsCertificateGenerator;
-
- private static final String INTERNAL_KEY_ID = "INTERNAL-KEY-ID";
- private static final String EXTERNAL_KEY_ID = "EXTERNAL-KEY-ID";
- private static final String CENTRAL_SERVICE = "cs";
- private final Path internalConfCrtPath = Path.of(SystemProperties.getConfPath() + "ssl/internal-conf.crt");
- private final Path externalConfCrtPath = Path.of(SystemProperties.getConfPath() + "ssl/external-conf.crt");
- private final Path initialInternalConfCrtPath = Path.of(SystemProperties.getConfPath() + "initial-internal-conf.crt");
- private final Path initialExternalConfCrtPath = Path.of(SystemProperties.getConfPath() + "initial-external-conf.crt");
- private final Path signedInternalConfCrtPath = Path.of(SystemProperties.getConfPath() + "signed-internal-conf.crt");
- private final Path signedExternalConfCrtPath = Path.of(SystemProperties.getConfPath() + "signed-external-conf.crt");
- private final Path internalSigningCrtPath = Path.of(SystemProperties.getConfPath() + "internal-signing.crt");
- private final Path externalSigningCrtPath = Path.of(SystemProperties.getConfPath() + "external-signing.crt");
- private final Path centerAdminServiceCrtPath = Path.of(SystemProperties.getConfPath() + "ssl/center-admin-service.crt");
-
- @BeforeAll
- public static void setup() {
- System.setProperty(SystemProperties.CONF_PATH, "src/test/resources/");
- }
-
- @AfterEach
- public void after() throws Exception {
- Files.deleteIfExists(internalConfCrtPath);
- Files.deleteIfExists(externalConfCrtPath);
- }
-
- @SneakyThrows
- @Test
- void shouldUpdateGlobalConfTLSCertificates() {
- Files.copy(initialInternalConfCrtPath, internalConfCrtPath, StandardCopyOption.REPLACE_EXISTING);
- Files.copy(initialExternalConfCrtPath, externalConfCrtPath, StandardCopyOption.REPLACE_EXISTING);
- when(signerProxyFacade.getSignMechanism(INTERNAL_KEY_ID)).thenReturn(CryptoUtils.CKM_RSA_PKCS_NAME);
- when(signerProxyFacade.getSignMechanism(EXTERNAL_KEY_ID)).thenReturn(CryptoUtils.CKM_RSA_PKCS_NAME);
- X509Certificate signedInternalConfCert = getX509Certificate(signedInternalConfCrtPath);
- X509Certificate signedExternalConfCert = getX509Certificate(signedExternalConfCrtPath);
- X509Certificate certToSign = getX509Certificate(centerAdminServiceCrtPath);
- PublicKey publicKeyToSign = certToSign.getPublicKey();
- when(signerProxyFacade.signCertificate(INTERNAL_KEY_ID, CryptoUtils.SHA512WITHRSA_ID, "CN=" + CENTRAL_SERVICE, publicKeyToSign))
- .thenReturn(signedInternalConfCert.getEncoded(), signedExternalConfCert.getEncoded());
- when(signerProxyFacade.signCertificate(EXTERNAL_KEY_ID, CryptoUtils.SHA512WITHRSA_ID, "CN=" + CENTRAL_SERVICE, publicKeyToSign))
- .thenReturn(signedExternalConfCert.getEncoded());
- when(systemParameterService.getConfSignDigestAlgoId()).thenReturn(CryptoUtils.SHA512_ID);
- when(systemParameterService.getCentralServerAddress()).thenReturn(CENTRAL_SERVICE);
- ConfigurationSigningKey internalConfSigningKey =
- getConfigurationSigningKey(INTERNAL_KEY_ID, internalSigningCrtPath);
- ConfigurationSigningKey externalConfSigningKey =
- getConfigurationSigningKey(EXTERNAL_KEY_ID, externalSigningCrtPath);
-
- tlsCertificateGenerator.updateGlobalConfTLSCertificates(internalConfSigningKey, externalConfSigningKey);
-
- verify(signerProxyFacade)
- .signCertificate(INTERNAL_KEY_ID, CryptoUtils.SHA512WITHRSA_ID, "CN=" + CENTRAL_SERVICE, publicKeyToSign);
- verify(signerProxyFacade)
- .signCertificate(EXTERNAL_KEY_ID, CryptoUtils.SHA512WITHRSA_ID, "CN=" + CENTRAL_SERVICE, publicKeyToSign);
-
- X509Certificate internalConfCrt = getX509Certificate(internalConfCrtPath);
- assertThat(signedInternalConfCert.equals(internalConfCrt)).isTrue();
- X509Certificate externalConfCrt = getX509Certificate(externalConfCrtPath);
- assertThat(signedExternalConfCert.equals(externalConfCrt)).isTrue();
- }
-
- @SneakyThrows
- @Test
- void shouldNotUpdateGlobalConfTLSCertificates() {
- Files.copy(signedInternalConfCrtPath, internalConfCrtPath, StandardCopyOption.REPLACE_EXISTING);
- Files.copy(signedExternalConfCrtPath, externalConfCrtPath, StandardCopyOption.REPLACE_EXISTING);
- ConfigurationSigningKey internalConfSigningKey =
- getConfigurationSigningKey(INTERNAL_KEY_ID, internalSigningCrtPath);
- ConfigurationSigningKey externalConfSigningKey =
- getConfigurationSigningKey(EXTERNAL_KEY_ID, externalSigningCrtPath);
-
- tlsCertificateGenerator.updateGlobalConfTLSCertificates(internalConfSigningKey, externalConfSigningKey);
-
- verify(signerProxyFacade, never()).getSignMechanism(any());
- verify(signerProxyFacade, never()).signCertificate(any(), any(), any(), any());
- }
-
- private static X509Certificate getX509Certificate(Path certPath) throws IOException {
- return readCertificate(Files.readAllBytes(certPath));
- }
-
- private static ConfigurationSigningKey getConfigurationSigningKey(String keyId, Path signingKeyCert) throws IOException {
- ConfigurationSigningKey confSigningKey = new ConfigurationSigningKey();
- confSigningKey.setKeyIdentifier(keyId);
- confSigningKey.setCert(Files.readAllBytes(signingKeyCert));
- return confSigningKey;
- }
-
-}
diff --git a/src/central-server/admin-service/int-test/src/intTest/java/org/niis/xroad/cs/test/glue/ConfigurationInfoApiStepDefs.java b/src/central-server/admin-service/int-test/src/intTest/java/org/niis/xroad/cs/test/glue/ConfigurationInfoApiStepDefs.java
index ccc60d0fee..72d9d5e1ed 100644
--- a/src/central-server/admin-service/int-test/src/intTest/java/org/niis/xroad/cs/test/glue/ConfigurationInfoApiStepDefs.java
+++ b/src/central-server/admin-service/int-test/src/intTest/java/org/niis/xroad/cs/test/glue/ConfigurationInfoApiStepDefs.java
@@ -165,8 +165,7 @@ public void viewSourceDownloadUrl(String configurationType) {
 final ResponseEntity response = configurationSourcesApi
 .getDownloadUrl(ConfigurationTypeDto.fromValue(configurationType));
- String expectedPort = configurationType.equals("EXTERNAL") ? ":4443" : "";
- String expectedDownloadUrl = "https://cs" + expectedPort + "/" + configurationType.toLowerCase() + "conf";
+ String expectedDownloadUrl = "https://cs/" + configurationType.toLowerCase() + "conf";
 validate(response)
 .assertion(equalsStatusCodeAssertion(OK))
 .assertion(equalsAssertion(expectedDownloadUrl, "body.url", "Response contains global download url"))
diff --git a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/CryptoUtils.java b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/CryptoUtils.java
index 59f1b53dea..0d81ae193b 100644
--- a/src/common/common-util/src/main/java/ee/ria/xroad/common/util/CryptoUtils.java
+++ b/src/common/common-util/src/main/java/ee/ria/xroad/common/util/CryptoUtils.java
@@ -791,20 +791,4 @@ public static void writeCertificatePem(byte[] certBytes, OutputStream out)
 writer.writeObject(readCertificate(certBytes));
 }
 }
-
- /**
- * Writes the given certificate chain bytes into the provided output stream in PEM format.
- * @param certBytes bytes content of the certificate chain
- * @param out output stream for writing the PEM formatted certificate chain
- * @throws IOException if an I/O error occurred
- */
- public static void writeCertificateChainPem(byte[] certBytes, OutputStream out)
- throws IOException {
- try (JcaPEMWriter writer = new JcaPEMWriter(new OutputStreamWriter(out))) {
- Collection chain = readCertificates(certBytes);
- for (X509Certificate cert : chain) {
- writer.writeObject(cert);
- }
- }
- }
 }
diff --git a/src/packages/src/xroad/common/center/etc/sudoers.d/xroad-nginx-reload b/src/packages/src/xroad/common/center/etc/sudoers.d/xroad-nginx-reload
deleted file mode 100644
index 1ed63af858..0000000000
--- a/src/packages/src/xroad/common/center/etc/sudoers.d/xroad-nginx-reload
+++ /dev/null
@@ -1,2 +0,0 @@
-# For xroad cron job that reloads nginx so that new certificates would be loaded
-xroad ALL=(root) NOPASSWD: /usr/sbin/service nginx reload
diff --git a/src/packages/src/xroad/common/center/etc/xroad/nginx/xroad-public.conf b/src/packages/src/xroad/common/center/etc/xroad/nginx/xroad-public.conf
index 8d2d9aac24..4b19a9a840 100644
--- a/src/packages/src/xroad/common/center/etc/xroad/nginx/xroad-public.conf
+++ b/src/packages/src/xroad/common/center/etc/xroad/nginx/xroad-public.conf
@@ -20,22 +20,10 @@ server {
 server {
 listen 443 ssl;
 listen [::]:443 ssl;
- ssl_certificate /etc/xroad/ssl/internal-conf.crt;
- ssl_certificate_key /etc/xroad/ssl/center-admin-service.key;
+ ssl_certificate /etc/xroad/ssl/global-conf.crt;
+ ssl_certificate_key /etc/xroad/ssl/global-conf.key;
- location ~ ^/internalconf$ {
- try_files /V$version$uri =404;
- expires -1;
- }
-}
-
-server {
- listen 4443 ssl;
- listen [::]:4443 ssl;
- ssl_certificate /etc/xroad/ssl/external-conf.crt;
- ssl_certificate_key /etc/xroad/ssl/center-admin-service.key;
-
- location ~ ^/externalconf$ {
+ location ~ ^/(internal|external)conf$ {
 try_files /V$version$uri =404;
 expires -1;
 }
diff --git a/src/packages/src/xroad/common/center/usr/share/xroad/scripts/reload_nginx_if_global_conf_cert_changed.sh b/src/packages/src/xroad/common/center/usr/share/xroad/scripts/reload_nginx_if_global_conf_cert_changed.sh
deleted file mode 100755
index c18147a6b1..0000000000
--- a/src/packages/src/xroad/common/center/usr/share/xroad/scripts/reload_nginx_if_global_conf_cert_changed.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-
-if [[ -n $(find /etc/xroad/ssl -type f -regextype posix-extended -regex '.*(internal|external)-conf\.crt' -mmin -6) ]]
-then
- sudo service nginx reload
-fi
\ No newline at end of file
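Review bot: The merged `location ~ ^/(internal|external)conf$ {` gives the internal and external configuration sources identical exposure on the single 443 listener, whereas the removed second `server` block let the external source be isolated on port 4443; any deployment that restricted `internalconf` by port (firewall rules or NAT forwarding of 4443 only) silently loses that distinction with this change, and nothing in the hunk addresses it. If the separation is intended to go away, the operator-facing firewall guidance should state that both sources now share 443; if not, keep two `location` blocks so access control can differ between the two paths, e.g. `location ~ ^/internalconf$ { ... }` with its own `allow`/`deny` rules. Also worth confirming outside this hunk: the TLS protocol and cipher directives for this server block are not visible here, and nginx now reads `/etc/xroad/ssl/global-conf.key` directly, so the key file's ownership and mode set by the generating script must permit that without being world-readable.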
diff --git a/src/packages/src/xroad/ubuntu/generic/xroad-center.cron.d b/src/packages/src/xroad/ubuntu/generic/xroad-center.cron.d
index fd78eac639..8ae813ac49 100644
--- a/src/packages/src/xroad/ubuntu/generic/xroad-center.cron.d
+++ b/src/packages/src/xroad/ubuntu/generic/xroad-center.cron.d
@@ -3,6 +3,3 @@
 # backup retention policy, delete backups older that 30 days
 10 * * * * xroad find /var/lib/xroad/backup -type f -name "cs-automatic-backup*.gpg" -mtime 30 -delete
-
-# reload nginx, if configuration https certificates have changed
-*/5 * * * * xroad /usr/share/xroad/scripts/reload_nginx_if_global_conf_cert_changed.sh
diff --git a/src/packages/src/xroad/ubuntu/generic/xroad-center.postinst b/src/packages/src/xroad/ubuntu/generic/xroad-center.postinst
index 793386c460..fc0d451980 100644
--- a/src/packages/src/xroad/ubuntu/generic/xroad-center.postinst
+++ b/src/packages/src/xroad/ubuntu/generic/xroad-center.postinst
@@ -225,21 +225,6 @@ create_certificates() {
 fi
 done
-
- if [[ ! -r /etc/xroad/ssl/internal-conf.crt ]]; then
- log "Generating TLS certificate for internal configuration from center-admin-service.crt"
- cp /etc/xroad/ssl/center-admin-service.crt /etc/xroad/ssl/internal-conf.crt
- chmod -f 660 /etc/xroad/ssl/internal-conf.crt
- chown -f xroad:xroad /etc/xroad/ssl/internal-conf.crt
- fi
-
-
- if [[ ! -r /etc/xroad/ssl/external-conf.crt ]]; then
- log "Generating TLS certificate for external configuration from center-admin-service.crt"
- cp /etc/xroad/ssl/center-admin-service.crt /etc/xroad/ssl/external-conf.crt
- chmod -f 660 /etc/xroad/ssl/external-conf.crt
- chown -f xroad:xroad /etc/xroad/ssl/external-conf.crt
- fi
-
 while :; do
 if [[ ! -r /etc/xroad/ssl/internal.crt || ! -r /etc/xroad/ssl/internal.key || ! -r /etc/xroad/ssl/internal.p12 ]]; then
 log "Generating new internal.[crt|key|p12] files "
diff --git a/src/packages/src/xroad/ubuntu/generic/xroad-center.preinst b/src/packages/src/xroad/ubuntu/generic/xroad-center.preinst
index 0415c2f4c9..65e20d8f89 100644
--- a/src/packages/src/xroad/ubuntu/generic/xroad-center.preinst
+++ b/src/packages/src/xroad/ubuntu/generic/xroad-center.preinst
@@ -1,4 +1,7 @@
 #!/bin/bash
+
+. /usr/share/debconf/confmodule
+
 if [ "$1" = "upgrade" ]; then
 if dpkg --compare-versions "#LAST_SUPPORTED_VERSION#" gt "$2"; then
 echo "ERROR: Upgrade supported from #LAST_SUPPORTED_VERSION# or newer" >&2
@@ -59,6 +62,69 @@ order by id;" fi +function handle_error { + ERR=$( 64)); then + HOST="$(hostname -s)" + fi + + LIST= + for i in $(ip addr | grep 'scope global' | tr '/' ' ' | awk '{print $2}'); do LIST+="IP:$i,"; done + ALT="${LIST}DNS:$(hostname -f),DNS:$(hostname -s)" + + while :; do + if [[ ! -r /etc/xroad/ssl/global-conf.crt || ! -r /etc/xroad/ssl/global-conf.key || ! -r /etc/xroad/ssl/global-conf.p12 ]]; then + echo "Generating new global-conf.[crt|key|p12] files " + db_subst xroad-common/global-conf-subject HOST "$HOST" + db_subst xroad-common/global-conf-altsubject ALT "$ALT" + RET= + db_get xroad-common/global-conf-subject + if [ -z "$RET" ]; then + db_set xroad-common/global-conf-subject "/CN=$HOST" + fi + RET= + db_get xroad-common/global-conf-altsubject + if [ -z "$RET" ]; then + db_set xroad-common/global-conf-altsubject "$ALT" + fi + db_input critical xroad-common/global-conf-subject || true + db_input critical xroad-common/global-conf-altsubject || true + db_go + RET= + db_get xroad-common/global-conf-subject + subj="$RET" + RET= + db_get xroad-common/global-conf-altsubject + altn="$RET" + if [ -z "$subj" ]; then + subj="/CN=$HOST" + fi + if [ -z "$altn" ]; then + altn="$ALT" + fi + db_go + rm -f /etc/xroad/ssl/global-conf.crt /etc/xroad/ssl/global-conf.key /etc/xroad/ssl/global-conf.p12 + echo "generating new global configuration TLS key/self-certificate with $subj and $altn" + /usr/share/xroad/scripts/generate_certificate.sh -n global-conf -s "${subj}" -a "${altn}" -p 2>/tmp/cert.err || handle_error + else + break + fi + done +} + +create_global_configuration_certicate + +db_stop + # Free potentially occupied ports when upgrading from legacy installation if [[ "$1" = "upgrade" ]]; then invoke-rc.d --quiet xroad-jetty stop &>/dev/null || true diff --git a/src/packages/src/xroad/ubuntu/generic/xroad-center.templates b/src/packages/src/xroad/ubuntu/generic/xroad-center.templates index baf17cf532..fa7abdd5ff 100644 
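Review bot: `/usr/share/xroad/scripts/generate_certificate.sh ... 2>/tmp/cert.err || handle_error` in `create_global_configuration_certicate` redirects stderr of a root-run maintainer script to a fixed, predictable path in world-writable /tmp, and `handle_error` (whose first line is cut in this extract at `ERR=$(`) apparently reads it back; a `mktemp`-created file that is removed afterwards avoids both the well-known /tmp symlink hazard and picking up a stale file from an earlier run, e.g. `ERR_FILE="$(mktemp)"` before the loop and `2>"$ERR_FILE" || handle_error` at the call. The function name `create_global_configuration_certicate` is misspelled in both the definition and the call, and `db_go` is issued twice in the loop body — once before the `db_get` reads and again after the fallbacks with nothing new `db_input`-ed in between — so the second call looks redundant. The `HOST` fallback branch is also truncated in the extract (`64)); then`), so the length check it guards cannot be reviewed here; the `LIST` loop builds the SAN list from every `scope global` address on the host, which is fine for a default but worth stating in the template text so operators know to prune it.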
--- a/src/packages/src/xroad/ubuntu/generic/xroad-center.templates
+++ b/src/packages/src/xroad/ubuntu/generic/xroad-center.templates
@@ -45,6 +45,26 @@ Description: Insert TLS certificate subject name alternatives
 .
 Server reports following ip addresses and hostnames: ${ALT}
+Template: xroad-common/global-conf-subject
+Type: string
+Description: Insert TLS certificate subject name for Global configuration distribution over HTTPS [default=/CN=${HOST}]
+ This certificate will be used to secure download Global configuration over HTTPS.
+ .
+ Include most used hostname or IP address as common name (CN=..) value. General form is /C=EE/O=Company/OU=Org Unit/CN=server.name.tld
+ .
+ Server reports full hostname as: ${HOST}
+
+Template: xroad-common/global-conf-altsubject
+Type: string
+Description: Insert TLS certificate subject alternatives for Global configuration distribution over HTTPS [default=${ALT}]
+ This certificate will be used to secure download Global configuration over HTTPS.
+ .
+ Include all alternative names and IP addresses which will be used for secure download Global configuration over HTTPS
+ .
+ Format is IP:,DNS:,...
+ .
+ Server reports following ip addresses and hostnames: ${ALT}
+
 Template: xroad-common/cert-generation-error
 Type: error
 Description: Error during certificate generation, please fix issues
diff --git a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java
index 79cb587b45..6b4e6a4d46 100644
--- a/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java
+++ b/src/signer-protocol/src/intTest/java/ee/ria/xroad/signer/glue/SignerStepDefs.java
@@ -51,7 +51,6 @@ import io.cucumber.java.en.Then;
 import io.cucumber.java.en.When;
 import lombok.RequiredArgsConstructor;
-import org.bouncycastle.util.encoders.Base64;
 import org.junit.jupiter.api.Assertions;
 import java.io.BufferedReader;
@@ -59,9 +58,6 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.net.ServerSocket;
-import java.security.KeyFactory;
-import java.security.PublicKey;
-import java.security.spec.X509EncodedKeySpec;
 import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
@@ -327,18 +323,6 @@ public void certificateStatusCanBeChangedTo(String status) throws Exception {
 SignerProxy.setCertStatus(this.certInfo.getId(), status);
 }
-
- @And("certificate can be signed using key {string} from token {string}")
- public void certificateCanBeSignedUsingKeyFromToken(String keyName, String tokenId) throws Exception {
- final KeyInfo key = findKeyInToken(tokenId, keyName);
- byte[] keyBytes = Base64.decode(key.getPublicKey().getBytes());
- X509EncodedKeySpec x509publicKey = new X509EncodedKeySpec(keyBytes);
- KeyFactory kf = KeyFactory.getInstance("RSA");
- PublicKey publicKey = kf.generatePublic(x509publicKey);
-
- final byte[] bytes = SignerProxy.signCertificate(key.getId(), SHA256WITHRSA_ID, "CN=cs", publicKey);
- assertThat(bytes).isNotEmpty();
- }
-
 private static Config getConf() {
 return ConfigFactory.load().getConfig("signer-integration-test")
 .withFallback(ConfigFactory.load());
diff --git a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature b/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature
index fceccc4bc1..4a123c316b 100644
--- a/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature
+++ b/src/signer-protocol/src/intTest/resources/behavior/0500-signer.feature
@@ -47,32 +47,6 @@ Feature: 0500 - Signer
 Scenario: Sign
 Given digest can be signed using key "KeyX" from token "0"
- Scenario: Generate/Regenerate cert request
- When cert request is generated for token "0" key "Second key" for client "cs:test:member-2"
- And token and key can be retrieved by cert request
- Then cert request can be deleted
- When cert request is generated for token "0" key "Second key" for client "cs:test:member-2"
- And cert request is regenerated
-
- Scenario: Self signed certificate
- Given token "0" key "First key" has 0 certificates
- When self signed cert generated for token "0" key "First key", client "cs:test:member-1"
- Then token "0" key "First key" has 1 certificates
- And keyId can be retrieved by cert hash
- And token and keyId can be retrieved by cert hash
- And certificate can be signed using key "First key" from token "0"
-
- Scenario: Member info
- Then member "cs:test:member-1" has 1 certificate
-
- Scenario: Cert status
- Given self signed cert generated for token "0" key "KeyX", client "cs:test:member-2"
- And certificate info can be retrieved by cert hash
- Then certificate can be deactivated
- And certificate can be activated
- And certificate status can be changed to "deletion in progress"
- And certificate can be deleted
-
 Scenario: Miscellaneous checks
 * check token "0" key "First key" batch signing enabled
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java
index c99b3cc750..a0889d0b07 100644
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java
+++ b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/SignerProxy.java
@@ -77,15 +77,12 @@ import ee.ria.xroad.signer.protocol.message.SetOcspResponses;
 import ee.ria.xroad.signer.protocol.message.SetTokenFriendlyName;
 import ee.ria.xroad.signer.protocol.message.Sign;
-import ee.ria.xroad.signer.protocol.message.SignCertificate;
-import ee.ria.xroad.signer.protocol.message.SignCertificateResponse;
 import ee.ria.xroad.signer.protocol.message.SignResponse;
 import ee.ria.xroad.signer.protocol.message.UpdateSoftwareTokenPin;
 import lombok.Value;
 import lombok.extern.slf4j.Slf4j;
-import java.security.PublicKey;
 import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
@@ -552,13 +549,6 @@ public static boolean isHSMOperational() throws Exception {
 return ((GetHSMOperationalInfoResponse) execute(new GetHSMOperationalInfo())).isOperational();
 }
- public static byte[] signCertificate(String keyId, String signatureAlgorithmId, String subjectName, PublicKey publicKey)
- throws Exception {
- final SignCertificateResponse signCertificateResponse =
- execute(new SignCertificate(keyId, signatureAlgorithmId, subjectName, publicKey));
- return signCertificateResponse.getCertificateChain();
- }
-
 private static T execute(Object message) throws Exception {
 return SignerClient.execute(message);
 }
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificate.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificate.java
deleted file mode 100644
index d97e793a2e..0000000000
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificate.java
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * The MIT License
- *
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.message;
-
-import lombok.Value;
-
-import java.io.Serializable;
-import java.security.PublicKey;
-
-@Value
-public class SignCertificate implements Serializable {
-
- String keyId;
- String signatureAlgorithmId;
- String subjectName;
- PublicKey publicKey;
-}
diff --git a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificateResponse.java b/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificateResponse.java
deleted file mode 100644
index b24d0d7a31..0000000000
--- a/src/signer-protocol/src/main/java/ee/ria/xroad/signer/protocol/message/SignCertificateResponse.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * The MIT License
- *
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.message;
-
-import lombok.ToString;
-import lombok.Value;
-
-import java.io.Serializable;
-
-@Value
-@ToString(exclude = "certificateChain")
-public class SignCertificateResponse implements Serializable {
-
- byte[] certificateChain;
-}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java
index af508f7a51..1a6f5869d4 100644
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/GenerateSelfSignedCertRequestHandler.java
@@ -129,7 +129,7 @@ X509Certificate build(TokenAndKey tokenAndKey, GenerateSelfSignedCert message, P
 message.getNotBefore(), message.getNotAfter(), subject, publicKey);
 if (message.getKeyUsage() == KeyUsageInfo.SIGNING) {
- KeyUsage keyUsage = new KeyUsage(KeyUsage.nonRepudiation | KeyUsage.keyCertSign);
+ KeyUsage keyUsage = new KeyUsage(KeyUsage.nonRepudiation);
 builder.addExtension(X509Extension.keyUsage, true, keyUsage);
 builder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(true));
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java b/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java
deleted file mode 100644
index 9178950905..0000000000
--- a/src/signer/src/main/java/ee/ria/xroad/signer/protocol/handler/SignCertificateRequestHandler.java
+++ /dev/null
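Review bot: Dropping `KeyUsage.keyCertSign` leaves the unchanged context line `builder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(true));` asserting cA=true on a certificate whose key usage no longer permits verifying certificate signatures (RFC 5280 §4.2.1.3 forbids that use when keyUsage is present without keyCertSign), so the CA assertion has no remaining purpose and produces a profile that strict validators may reject or treat unexpectedly. Since this diff also removes the `SignCertificate` request path through which the signer issued subordinate certificates, `new BasicConstraints(false)` is the consistent choice here — unless existing global-configuration signature verification checks the cA bit, which should be confirmed before changing it. The `build` method continues outside the hunk. Note also that the `0500-signer.feature` hunk in this diff deletes the whole `Self signed certificate` and `Cert status` scenarios rather than only the `certificate can be signed using key` step, so the integration path exercising this `SIGNING` branch appears to lose its coverage; restoring those scenarios minus the removed step would keep the extension change under test.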
@@ -1,41 +0,0 @@
-/*
- * The MIT License
- *
- * Copyright (c) 2019- Nordic Institute for Interoperability Solutions (NIIS)
- * Copyright (c) 2018 Estonian Information System Authority (RIA),
- * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
- * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-package ee.ria.xroad.signer.protocol.handler;
-
-import ee.ria.xroad.signer.protocol.AbstractRequestHandler;
-import ee.ria.xroad.signer.protocol.message.SignCertificate;
-
-import static ee.ria.xroad.signer.tokenmanager.TokenManager.findTokenIdForKeyId;
-
-public class SignCertificateRequestHandler extends AbstractRequestHandler {
- @Override
- protected Object handle(SignCertificate message) throws Exception {
- tellToken(message, findTokenIdForKeyId(message.getKeyId()));
-
- return nothing();
- }
-}
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java
index 25013c260d..349a51be1e 100644
--- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/AbstractTokenWorker.java
@@ -32,8 +32,6 @@ import ee.ria.xroad.signer.protocol.message.DeleteCert;
 import ee.ria.xroad.signer.protocol.message.DeleteKey;
 import ee.ria.xroad.signer.protocol.message.GenerateKey;
-import ee.ria.xroad.signer.protocol.message.SignCertificate;
-import ee.ria.xroad.signer.protocol.message.SignCertificateResponse;
 import ee.ria.xroad.signer.tokenmanager.TokenManager;
 import ee.ria.xroad.signer.util.AbstractUpdateableActor;
 import ee.ria.xroad.signer.util.CalculateSignature;
@@ -42,16 +40,6 @@ import lombok.Value;
 import lombok.extern.slf4j.Slf4j;
-import org.bouncycastle.asn1.x500.X500Name;
-import org.bouncycastle.asn1.x509.BasicConstraints;
-import org.bouncycastle.asn1.x509.Extension;
-import org.bouncycastle.asn1.x509.KeyUsage;
-import org.bouncycastle.cert.CertIOException;
-import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
-
-import java.math.BigInteger;
-import java.security.PublicKey;
-import java.security.cert.X509Certificate;
 import static ee.ria.xroad.common.ErrorCodes.X_CANNOT_SIGN;
 import static ee.ria.xroad.common.ErrorCodes.X_FAILED_TO_GENERATE_R_KEY;
@@ -110,8 +98,6 @@ protected void onMessage(Object message) throws Exception {
 handleDeleteCert((DeleteCert) message);
 } else if (message instanceof CalculateSignature) {
 handleCalculateSignature((CalculateSignature) message);
- } else if (message instanceof SignCertificate) {
- handleSignCertificate((SignCertificate) message);
 } else {
 unhandled(message);
 }
@@ -203,17 +189,6 @@ private void handleCalculateSignature(CalculateSignature signRequest) {
 }
 }
- private void handleSignCertificate(SignCertificate message) {
- try {
- byte[] certificate = signCertificate(message.getKeyId(), message.getSignatureAlgorithmId(),
- message.getSubjectName(), message.getPublicKey());
- sendResponse(new SignCertificateResponse(certificate));
- } catch (Exception e) {
- log.error("Error while signing certificate with key '{}'", message.getKeyId(), e);
- throw translateError(customizeException(e)).withPrefix(X_CANNOT_SIGN);
- }
- }
-
 // ------------------------------------------------------------------------
 protected abstract void activateToken(ActivateToken message) throws Exception;
@@ -225,33 +200,12 @@ private void handleSignCertificate(SignCertificate message) {
 protected abstract byte[] sign(String keyId, String signatureAlgorithmId, byte[] data) throws Exception;
- protected abstract byte[] signCertificate(String keyId, String signatureAlgorithmId, String subjectName,
- PublicKey publicKey) throws Exception;
-
 protected void assertKeyAvailable(String keyId) {
 if (!isKeyAvailable(keyId)) {
 throw keyNotAvailable(keyId);
 }
 }
- protected static JcaX509v3CertificateBuilder getCertificateBuilder(String subjectName,
- PublicKey publicKey,
- X509Certificate issuerX509Certificate)
- throws CertIOException {
- JcaX509v3CertificateBuilder certificateBuilder =
- new JcaX509v3CertificateBuilder(
- new X500Name(issuerX509Certificate.getSubjectX500Principal().getName()),
- BigInteger.ONE,
- issuerX509Certificate.getNotBefore(),
- issuerX509Certificate.getNotAfter(),
- new X500Name(subjectName),
- publicKey
- );
- certificateBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
- certificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
- return certificateBuilder;
- }
-
 // ------------------------------------------------------------------------
 @Value
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java
index f053a813c2..61093a1177 100644
--- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/SoftwareTokenWorker.java
@@ -30,7 +30,6 @@ import ee.ria.xroad.common.util.CryptoUtils;
 import ee.ria.xroad.common.util.PasswordStore;
 import ee.ria.xroad.common.util.TokenPinPolicy;
-import ee.ria.xroad.signer.protocol.dto.CertificateInfo;
 import ee.ria.xroad.signer.protocol.dto.KeyInfo;
 import ee.ria.xroad.signer.protocol.dto.TokenInfo;
 import ee.ria.xroad.signer.protocol.dto.TokenStatusInfo;
@@ -43,11 +42,6 @@ import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.io.FileUtils;
-import org.bouncycastle.cert.X509CertificateHolder;
-import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
-import org.bouncycastle.operator.ContentSigner;
-import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import java.io.File;
 import java.io.FileNotFoundException;
@@ -61,12 +55,8 @@ import java.security.KeyPair;
 import java.security.KeyStore;
 import java.security.PrivateKey;
-import java.security.PublicKey;
 import java.security.Signature;
-import java.security.cert.CertPath;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
@@ -76,9 +66,7 @@ import static ee.ria.xroad.common.ErrorCodes.X_UNSUPPORTED_SIGN_ALGORITHM;
 import static ee.ria.xroad.common.util.CryptoUtils.encodeBase64;
 import static ee.ria.xroad.common.util.CryptoUtils.loadPkcs12KeyStore;
-import static ee.ria.xroad.common.util.CryptoUtils.readCertificate;
 import static ee.ria.xroad.signer.tokenmanager.TokenManager.addKey;
-import static ee.ria.xroad.signer.tokenmanager.TokenManager.getKeyInfo;
 import static ee.ria.xroad.signer.tokenmanager.TokenManager.isTokenActive;
 import static ee.ria.xroad.signer.tokenmanager.TokenManager.listKeys;
 import static ee.ria.xroad.signer.tokenmanager.TokenManager.setKeyAvailable;
@@ -247,27 +235,6 @@ private static void checkSignatureAlgorithm(String signatureAlgorithmId) throws
 }
 }
- protected byte[] signCertificate(String keyId, String signatureAlgorithmId, String subjectName, PublicKey publicKey) throws Exception {
- log.trace("signCertificate({}, {}, {})", keyId, signatureAlgorithmId, subjectName);
- checkSignatureAlgorithm(signatureAlgorithmId);
- assertTokenAvailable();
- assertKeyAvailable(keyId);
- KeyInfo keyInfo = getKeyInfo(keyId);
- CertificateInfo certificateInfo = keyInfo.getCerts().get(0);
- X509Certificate issuerX509Certificate = readCertificate(certificateInfo.getCertificateBytes());
- PrivateKey privateKey = getPrivateKey(keyId);
- JcaX509v3CertificateBuilder certificateBuilder = getCertificateBuilder(subjectName, publicKey,
- issuerX509Certificate);
-
- log.debug("Signing certificate with key '{}' and signature algorithm '{}'", keyId, signatureAlgorithmId);
- ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithmId).build(privateKey);
- X509CertificateHolder certHolder = certificateBuilder.build(signer);
- X509Certificate signedCert = new JcaX509CertificateConverter().getCertificate(certHolder);
- CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
- CertPath certPath = certificateFactory.generateCertPath(Arrays.asList(signedCert, issuerX509Certificate));
- return certPath.getEncoded("PEM");
- }
-
 // ------------------------------------------------------------------------
 private void updateStatus() {
diff --git a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenSigner.java b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenSigner.java
index dd68d0e743..489407b7f4 100644
--- a/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenSigner.java
+++ b/src/signer/src/main/java/ee/ria/xroad/signer/tokenmanager/token/TokenSigner.java
@@ -28,7 +28,6 @@
 import ee.ria.xroad.common.CodedException;
 import ee.ria.xroad.signer.protocol.ComponentNames;
 import ee.ria.xroad.signer.protocol.message.Sign;
-import ee.ria.xroad.signer.protocol.message.SignCertificate;
 import ee.ria.xroad.signer.protocol.message.SignResponse;
 import ee.ria.xroad.signer.util.CalculateSignature;
 import ee.ria.xroad.signer.util.CalculatedSignature;
@@ -58,8 +57,6 @@ public void onReceive(Object message) throws Exception {
 handleSignRequest((Sign) message);
 } else if (message instanceof CalculatedSignature) {
 handleCalculatedSignature((CalculatedSignature) message);
- } else if (message instanceof SignCertificate) {
- handleSignCertificate((SignCertificate) message);
 } else {
 unhandled(message);
 }
@@ -103,9 +100,4 @@ private void sendResponse(ActorRef client, Object message) {
 }
 }
 }
-
- private void handleSignCertificate(SignCertificate message) {
- tokenWorker.tell(message, getSelf());
- }
-
 }
