summaryrefslogtreecommitdiffstats
path: root/auth
diff options
context:
space:
mode:
Diffstat (limited to 'auth')
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java22
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java34
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java8
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java34
-rw-r--r--auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java62
5 files changed, 76 insertions, 84 deletions
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
index c90dcccf..ea726480 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
@@ -53,7 +53,8 @@ public abstract class CA {
public static final Set<String> EMPTY = Collections.unmodifiableSet(new HashSet<String>());
- private final String name,env;
+ private final String name;
+ private final String env;
private MessageDigest messageDigest;
private final String permType;
private Set<String> caIssuerDNs;
@@ -70,7 +71,7 @@ public abstract class CA {
if(permType==null) {
throw new CertException(CM_CA_PREFIX + name + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
}
- caIssuerDNs = new HashSet<String>();
+ caIssuerDNs = new HashSet<>();
String tag = CA.CM_CA_PREFIX+caName+CA.CM_CA_BASE_SUBJECT;
@@ -79,13 +80,14 @@ public abstract class CA {
throw new CertException(tag + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
}
access.log(Level.INFO, tag, "=",fields);
- for(RDN rdn : rdns = RDN.parse('/',fields)) {
+ rdns = RDN.parse('/',fields);
+ for(RDN rdn : rdns) {
if(rdn.aoi==BCStyle.EmailAddress) { // Cert Specs say Emails belong in Subject
throw new CertException("email address is not allowed in " + CM_CA_BASE_SUBJECT);
}
}
- idDomains = new ArrayList<String>();
+ idDomains = new ArrayList<>();
StringBuilder sb = null;
for(String s : Split.splitTrim(',', access.getProperty(CA.CM_CA_PREFIX+caName+".idDomains", ""))) {
if(s.length()>0) {
@@ -102,14 +104,14 @@ public abstract class CA {
access.printf(Level.INIT, "CA '%s' supports Personal Certificates for %s", caName, sb);
}
- String data_dir = access.getProperty(CM_PUBLIC_DIR,null);
- if(data_dir!=null) {
- File data = new File(data_dir);
+ String dataDir = access.getProperty(CM_PUBLIC_DIR,null);
+ if(dataDir!=null) {
+ File data = new File(dataDir);
byte[] bytes;
if(data.exists()) {
- String trust_cas = access.getProperty(CM_TRUST_CAS,null);
- if(trust_cas!=null) {
- for(String fname : Split.splitTrim(',', trust_cas)) {
+ String trustCas = access.getProperty(CM_TRUST_CAS,null);
+ if(trustCas!=null) {
+ for(String fname : Split.splitTrim(',', trustCas)) {
File crt = new File(data,fname);
if(crt.exists()) {
access.printf(Level.INIT, "Loading CA Cert from %s", crt.getAbsolutePath());
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
index 0d494acd..ee73dbdc 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
@@ -59,21 +59,21 @@ public class JscepCA extends CA {
static final String CA_PREFIX = "http://";
static final String CA_POSTFIX="/certsrv/mscep_admin/mscep.dll";
- private final static String MS_PROFILE="1";
- private final static int MAX_RETRY=3;
+ private static final String MS_PROFILE="1";
+ private static final int MAX_RETRY=3;
public static final long INVALIDATE_TIME = 1000*60*10L; // 10 mins
// package on purpose
- private Map<String,X509ChainWithIssuer> mxcwi_s;
- private Map<Client,X509ChainWithIssuer> mxcwi_c;
+ private Map<String,X509ChainWithIssuer> mxcwiS;
+ private Map<Client,X509ChainWithIssuer> mxcwiC;
private JscepClientLocator clients;
public JscepCA(final Access access, final String name, final String env, String [][] params) throws IOException, CertException, LocatorException {
super(access, name, env);
- mxcwi_s = new ConcurrentHashMap<String,X509ChainWithIssuer>();
- mxcwi_c = new ConcurrentHashMap<Client,X509ChainWithIssuer>();
+ mxcwiS = new ConcurrentHashMap<>();
+ mxcwiC = new ConcurrentHashMap<>();
if(params.length<2) {
throw new CertException("No Trust Chain parameters are included");
@@ -110,7 +110,7 @@ public class JscepCA extends CA {
dir = dir + '/';
}
String path;
- List<FileReader> frs = new ArrayList<FileReader>(params.length-1);
+ List<FileReader> frs = new ArrayList<>(params.length-1);
try {
for(int j=1; j<params[i].length; ++j) { // first 3 taken up, see above
path = !params[i][j].contains("/")?dir+params[i][j]:params[i][j];
@@ -119,7 +119,7 @@ public class JscepCA extends CA {
}
X509ChainWithIssuer xcwi = new X509ChainWithIssuer(frs);
addCaIssuerDN(xcwi.getIssuerDN());
- mxcwi_s.put(params[i][0],xcwi);
+ mxcwiS.put(params[i][0],xcwi);
} finally {
for(FileReader fr : frs) {
if(fr!=null) {
@@ -173,26 +173,16 @@ public class JscepCA extends CA {
break;
}
}
- X509ChainWithIssuer mxcwi = mxcwi_c.get(client);
+ X509ChainWithIssuer mxcwi = mxcwiC.get(client);
return new X509ChainWithIssuer(mxcwi,x509);
-// break;
+
} else if (er.isPending()) {
trans.checkpoint("Polling, waiting on CA to complete");
Thread.sleep(3000);
} else if (er.isFailure()) {
-// switch(er.getFailInfo()) {
-// case badMessageCheck:
-// throw new ClientException("Received BadMessageCheck from Jscep");
-// case badAlg:
-// case badCertId:
-// case badRequest:
-// case badTime:
-// default:
-// }
throw new CertException(clients.info(item)+':'+er.getFailInfo().toString());
}
}
- //i=MAX_RETRY;
} catch(LocatorException e) {
trans.error().log(e);
i=MAX_RETRY;
@@ -246,7 +236,7 @@ public class JscepCA extends CA {
}
);
// Map URL to Client, because Client doesn't expose Connection
- mxcwi_c.put(c,mxcwi_s.get(urlinfo));
+ mxcwiC.put(c, mxcwiS.get(urlinfo));
return c;
} catch (MalformedURLException e) {
throw new LocatorException(e);
@@ -260,7 +250,7 @@ public class JscepCA extends CA {
@Override
protected void _destroy(Client client) {
- mxcwi_c.remove(client);
+ mxcwiC.remove(client);
}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
index cd8886da..e2287c3b 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
@@ -97,7 +97,7 @@ public class LocalCA extends CA {
String fileName = f.getName();
if(fileName.endsWith(".key")) {
caKey = Factory.toPrivateKey(NullTrans.singleton(),f);
- List<FileReader> frs = new ArrayList<FileReader>(params.length-1);
+ List<FileReader> frs = new ArrayList<>(params.length-1);
try {
String dir = access.getProperty(CM_PUBLIC_DIR, "");
if(!"".equals(dir) && !dir.endsWith("/")) {
@@ -128,8 +128,8 @@ public class LocalCA extends CA {
KeyStore keyStore;
FileInputStream fis = null;
if(fileName.endsWith(".pkcs11")) {
- String ksType;
- p = Factory.getSecurityProvider(ksType="PKCS11",params);
+ String ksType="PKCS11";
+ p = Factory.getSecurityProvider(ksType,params);
keyStore = KeyStore.getInstance(ksType,p);
} else if(fileName.endsWith(".jks")) {
keyStore = KeyStore.getInstance("JKS");
@@ -216,7 +216,7 @@ public class LocalCA extends CA {
SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(new RSAKeyParameters(false,rpk.getModulus(),rpk.getPublicExponent()))
// new SubjectPublicKeyInfo(ASN1Sequence.getInstance(caCert.getPublicKey().getEncoded()))
);
- List<GeneralName> lsan = new ArrayList<GeneralName>();
+ List<GeneralName> lsan = new ArrayList<>();
for(String s : csrmeta.sans()) {
lsan.add(new GeneralName(GeneralName.dNSName,s));
}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java
index 6f3062bb..6ba5a37f 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java
@@ -45,24 +45,26 @@ public class X509ChainWithIssuer extends X509andChain {
Collection<? extends Certificate> certs;
X509Certificate x509;
for(Reader rdr : rdrs) {
- if(rdr!=null) { // cover for badly formed array
- byte[] bytes = Factory.decode(rdr);
- try {
- certs = Factory.toX509Certificate(bytes);
- } catch (CertificateException e) {
- throw new CertException(e);
+ if(rdr==null) { // cover for badly formed array
+ continue;
+ }
+ byte[] bytes = Factory.decode(rdr);
+ try {
+ certs = Factory.toX509Certificate(bytes);
+ } catch (CertificateException e) {
+ throw new CertException(e);
+ }
+ for(Certificate c : certs) {
+ x509=(X509Certificate)c;
+ Principal subject = x509.getSubjectDN();
+ if(subject==null) {
+ continue;
}
- for(Certificate c : certs) {
- x509=(X509Certificate)c;
- Principal subject = x509.getSubjectDN();
- if(subject!=null) {
- if(cert==null) { // first in Trust Chain
- issuerDN= subject.toString();
- }
- addTrustChainEntry(x509);
- cert=x509; // adding each time makes sure last one is signer.
- }
+ if(cert==null) { // first in Trust Chain
+ issuerDN = subject.toString();
}
+ addTrustChainEntry(x509);
+ cert=x509; // adding each time makes sure last one is signer.
}
}
}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
index 2541bea0..2b763f7f 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
@@ -60,17 +60,16 @@ public class CSRMeta {
private String email;
private String challenge;
private List<RDN> rdns;
-
- public CSRMeta(List<RDN> rdns) {
- this.rdns = rdns;
- }
-
- private ArrayList<String> sanList = new ArrayList<String>();
+ private ArrayList<String> sanList = new ArrayList<>();
private KeyPair keyPair;
private X500Name name = null;
private SecureRandom random = new SecureRandom();
- public X500Name x500Name() throws IOException {
+ public CSRMeta(List<RDN> rdns) {
+ this.rdns = rdns;
+ }
+
+ public X500Name x500Name() {
if(name==null) {
X500NameBuilder xnb = new X500NameBuilder();
xnb.addRDN(BCStyle.CN,cn);
@@ -99,7 +98,7 @@ public class CSRMeta {
}
int plus = email==null?0:1;
- if(sanList.size()>0) {
+ if(!sanList.isEmpty()) {
GeneralName[] gna = new GeneralName[sanList.size()+plus];
int i=-1;
for(String s : sanList) {
@@ -114,10 +113,7 @@ public class CSRMeta {
})
);
}
-
- if(email!=null) {
-
- }
+
try {
return builder.build(BCFactory.contentSigner(keypair(trans).getPrivate()));
} catch (OperatorCreationException e) {
@@ -129,27 +125,29 @@ public class CSRMeta {
public static void dump(PKCS10CertificationRequest csr) {
Attribute[] certAttributes = csr.getAttributes();
for (Attribute attribute : certAttributes) {
- if (attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
- Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
- GeneralNames gns = GeneralNames.fromExtensions(extensions,Extension.subjectAlternativeName);
- GeneralName[] names = gns.getNames();
- for(int k=0; k < names.length; k++) {
- String title = "";
- if(names[k].getTagNo() == GeneralName.dNSName) {
- title = "dNSName";
- } else if(names[k].getTagNo() == GeneralName.iPAddress) {
- title = "iPAddress";
- // Deprecated, but I don't see anything better to use.
- names[k].toASN1Object();
- } else if(names[k].getTagNo() == GeneralName.otherName) {
- title = "otherName";
- } else if(names[k].getTagNo() == GeneralName.rfc822Name) {
- title = "email";
- }
+ if (!attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
+ continue;
+ }
+
+ Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
+ GeneralNames gns = GeneralNames.fromExtensions(extensions,Extension.subjectAlternativeName);
+ GeneralName[] names = gns.getNames();
+ for(int k=0; k < names.length; k++) {
+ String title = "";
+ if(names[k].getTagNo() == GeneralName.dNSName) {
+ title = "dNSName";
+ } else if(names[k].getTagNo() == GeneralName.iPAddress) {
+ title = "iPAddress";
+ // Deprecated, but I don't see anything better to use.
+ names[k].toASN1Object();
+ } else if(names[k].getTagNo() == GeneralName.otherName) {
+ title = "otherName";
+ } else if(names[k].getTagNo() == GeneralName.rfc822Name) {
+ title = "email";
+ }
- System.out.println(title + ": "+ names[k].getName());
- }
- }
+ System.out.println(title + ": "+ names[k].getName());
+ }
}
}