From c060284812fbbc18fcf22eb628c47c251505fe50 Mon Sep 17 00:00:00 2001
From: Instrumental <jonathan.gathman@att.com>
Date: Mon, 2 Jul 2018 09:40:49 -0500
Subject: Update CM to us Local Intermediate Certs

Issue-ID: AAF-384
Change-Id: Iefd36c5b9ab8011ac696cb85e74c54edb63cb40a
Signed-off-by: Instrumental <jonathan.gathman@att.com>
---
 .../src/main/java/org/onap/aaf/auth/cm/ca/CA.java  | 31 +++++++++++---
 .../main/java/org/onap/aaf/auth/cm/ca/JscepCA.java |  2 +-
 .../main/java/org/onap/aaf/auth/cm/ca/LocalCA.java | 50 ++++++++++++++--------
 .../onap/aaf/auth/cm/ca/X509ChainWithIssuer.java   | 24 ++++++-----
 .../java/org/onap/aaf/auth/cm/ca/X509andChain.java | 13 +++---
 .../java/org/onap/aaf/auth/cm/cert/BCFactory.java  |  4 +-
 .../java/org/onap/aaf/auth/cm/cert/CSRMeta.java    |  4 +-
 .../main/java/org/onap/aaf/auth/cm/cert/RDN.java   |  2 +-
 .../java/org/onap/aaf/auth/cm/data/CertReq.java    |  2 +-
 .../java/org/onap/aaf/auth/cm/data/CertResp.java   | 13 +++---
 .../org/onap/aaf/auth/cm/facade/FacadeImpl.java    |  4 +-
 .../org/onap/aaf/auth/cm/mapper/Mapper1_0.java     | 14 ++++--
 .../org/onap/aaf/auth/cm/mapper/Mapper2_0.java     |  7 ++-
 .../org/onap/aaf/auth/cm/service/CMService.java    |  6 +--
 .../java/org/onap/aaf/auth/cm/ca/JU_AppCA.java     |  3 +-
 .../org/onap/aaf/auth/cm/cert/JU_BCFactory.java    |  2 +-
 .../org/onap/aaf/auth/cm/test/CertmanTest.java     |  2 +-
 17 files changed, 113 insertions(+), 70 deletions(-)

(limited to 'auth/auth-certman')

diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
index ea726480..ac3e1a54 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java
@@ -36,7 +36,8 @@ import org.onap.aaf.auth.cm.cert.CSRMeta;
 import org.onap.aaf.auth.cm.cert.RDN;
 import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.config.Config;
+import org.onap.aaf.cadi.configure.CertException;
 import org.onap.aaf.misc.env.Trans;
 import org.onap.aaf.misc.env.util.Split;
 
@@ -57,9 +58,9 @@ public abstract class CA {
 	private final String env;
 	private MessageDigest messageDigest;
 	private final String permType;
-	private Set<String> caIssuerDNs;
 	private final ArrayList<String> idDomains;
 	private String[] trustedCAs;
+	private String[] caIssuerDNs;
 	private List<RDN> rdns; 
 
 
@@ -71,7 +72,7 @@ public abstract class CA {
 		if(permType==null) {
 			throw new CertException(CM_CA_PREFIX + name + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
 		}
-		caIssuerDNs = new HashSet<>();
+		caIssuerDNs = Split.splitTrim(':', access.getProperty(Config.CADI_X509_ISSUERS, null));
 		
 		String tag = CA.CM_CA_PREFIX+caName+CA.CM_CA_BASE_SUBJECT;
 		
@@ -112,7 +113,12 @@ public abstract class CA {
 				String trustCas = access.getProperty(CM_TRUST_CAS,null);
 				if(trustCas!=null) {
 					for(String fname : Split.splitTrim(',', trustCas)) {
-						File crt = new File(data,fname);
+						File crt;
+						if(fname.contains("/")) {
+							crt = new File(fname);
+						} else {
+							crt = new File(data,fname);
+						}
 						if(crt.exists()) {
 							access.printf(Level.INIT, "Loading CA Cert from %s", crt.getAbsolutePath());
 							bytes = new byte[(int)crt.length()];
@@ -139,7 +145,19 @@ public abstract class CA {
 	}
 
 	protected void addCaIssuerDN(String issuerDN) {
-		caIssuerDNs.add(issuerDN);
+		boolean changed = true;
+		for(String id : caIssuerDNs) {
+			if(id.equals(issuerDN)) {
+				changed = false;
+				break;
+			}
+		}
+		if(changed) {
+			String[] newsa = new String[caIssuerDNs.length+1];
+			newsa[0]=issuerDN;
+			System.arraycopy(caIssuerDNs, 0, newsa, 1, caIssuerDNs.length);
+			caIssuerDNs = newsa;
+		}
 	}
 	
 	protected synchronized void addTrustedCA(final String crtString) {
@@ -161,7 +179,7 @@ public abstract class CA {
 		trustedCAs = temp;
 	}
 	
-	public Set<String> getCaIssuerDNs() {
+	public String[] getCaIssuerDNs() {
 		return caIssuerDNs;
 	}
 	
@@ -211,4 +229,5 @@ public abstract class CA {
 	public CSRMeta newCSRMeta() {
 		return new CSRMeta(rdns);
 	}
+
 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
index ee73dbdc..3f398381 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
@@ -48,7 +48,7 @@ import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.LocatorException;
 import org.onap.aaf.cadi.Access.Level;
 import org.onap.aaf.cadi.Locator.Item;
-import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.configure.CertException;
 import org.onap.aaf.cadi.locator.HotPeerLocator;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
index e2287c3b..af2d2f6b 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
@@ -39,6 +39,7 @@ import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.security.interfaces.RSAPublicKey;
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.Date;
 import java.util.GregorianCalendar;
 import java.util.List;
@@ -64,28 +65,33 @@ import org.onap.aaf.auth.cm.cert.RDN;
 import org.onap.aaf.auth.env.NullTrans;
 import org.onap.aaf.cadi.Access;
 import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
 import org.onap.aaf.misc.env.Trans;
 
 public class LocalCA extends CA {
 
+	private final static BigInteger ONE = new BigInteger("1");
 	// Extensions
 	private static final KeyPurposeId[] ASN_WebUsage = new KeyPurposeId[] {
 				KeyPurposeId.id_kp_serverAuth, // WebServer
-				KeyPurposeId.id_kp_clientAuth};// WebClient
-				
+				KeyPurposeId.id_kp_clientAuth // WebClient
+				};
+	
 	private final PrivateKey caKey;
 	private final X500Name issuer;
 	private final SecureRandom random = new SecureRandom();
-	private byte[] serialish;
+	private BigInteger serial;
 	private final X509ChainWithIssuer x509cwi; // "Cert" is CACert
-
+	
+	
 	public LocalCA(Access access, final String name, final String env, final String[][] params) throws IOException, CertException {
 		super(access, name, env);
-		serialish = new byte[24];
+	
+		serial = new BigInteger(64,random);
+
 		if(params.length<1 || params[0].length<2) {
 			throw new IOException("LocalCA expects cm_ca.<ca name>=org.onap.aaf.auth.cm.ca.LocalCA,<full path to key file>[;<Full Path to Trust Chain, ending with actual CA>]+");
 		}
@@ -180,7 +186,9 @@ public class LocalCA extends CA {
 		}
 		
 		X500NameBuilder xnb = new X500NameBuilder();
-		for(RDN rnd : RDN.parse(',', x509cwi.getIssuerDN())) {
+		List<RDN> rp = RDN.parse(',', x509cwi.getIssuerDN());
+		Collections.reverse(rp);
+		for(RDN rnd : rp) {
 			xnb.addRDN(rnd.aoi,rnd.value);
 		}
 		issuer = xnb.build();
@@ -201,9 +209,10 @@ public class LocalCA extends CA {
 		TimeTaken tt = trans.start("Create/Sign Cert",Env.SUB);
 		try {
 			BigInteger bi;
-			synchronized(serialish) {
-				random.nextBytes(serialish);
-				bi = new BigInteger(serialish);
+			
+			synchronized(ONE) {
+				bi = serial;
+				serial = serial.add(ONE);
 			}
 				
 			RSAPublicKey rpk = (RSAPublicKey)csrmeta.keypair(trans).getPublic();
@@ -225,20 +234,23 @@ public class LocalCA extends CA {
 
 		    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
 		    	xcb.addExtension(Extension.basicConstraints,
-                    	false, new BasicConstraints(false))
+                    	false, new BasicConstraints(false
+                    			))
 		            .addExtension(Extension.keyUsage,
 		                true, new KeyUsage(KeyUsage.digitalSignature
-		                                 | KeyUsage.keyEncipherment))
+		                                 | KeyUsage.keyEncipherment 
+		                                 | KeyUsage.nonRepudiation))
 		            .addExtension(Extension.extendedKeyUsage,
 		                          true, new ExtendedKeyUsage(ASN_WebUsage))
-
                     .addExtension(Extension.authorityKeyIdentifier,
-		                          false, extUtils.createAuthorityKeyIdentifier(x509cwi.cert))
-		            .addExtension(Extension.subjectKeyIdentifier,
-		                          false, extUtils.createSubjectKeyIdentifier(x509cwi.cert.getPublicKey()))
+	                          false, extUtils.createAuthorityKeyIdentifier(x509cwi.cert))
+                    .addExtension(Extension.subjectKeyIdentifier,
+	                          false, extUtils.createSubjectKeyIdentifier(rpk))
 		            .addExtension(Extension.subjectAlternativeName,
 		            		false, new GeneralNames(sans))
-		                                           ;
+//		            .addExtension(MiscObjectIdentifiers.netscape, true, new NetscapeCertType(
+//		            		NetscapeCertType.sslClient|NetscapeCertType.sslClient))
+		            ;		            
 	
 			x509 = new JcaX509CertificateConverter().getCertificate(
 					xcb.build(BCFactory.contentSigner(caKey)));
@@ -248,7 +260,7 @@ public class LocalCA extends CA {
 			tt.done();
 		}
 		
-		return new X509ChainWithIssuer(x509cwi,x509);
+		return new X509andChain(x509,x509cwi.trustChain);
 	}
 
 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java
index 6ba5a37f..e31b9988 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509ChainWithIssuer.java
@@ -29,13 +29,14 @@ import java.security.cert.X509Certificate;
 import java.util.Collection;
 import java.util.List;
 
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
 
 public class X509ChainWithIssuer extends X509andChain {
 	private String issuerDN;
+	public X509Certificate caX509;
 
-	public X509ChainWithIssuer(X509ChainWithIssuer orig, X509Certificate x509) {
+	public X509ChainWithIssuer(X509ChainWithIssuer orig, X509Certificate x509) throws IOException, CertException {
 		super(x509,orig.trustChain);
 		issuerDN=orig.issuerDN;		
 	}
@@ -48,7 +49,8 @@ public class X509ChainWithIssuer extends X509andChain {
 			if(rdr==null) { // cover for badly formed array
 				continue;
 			}
-			byte[] bytes = Factory.decode(rdr);
+			
+			byte[] bytes = Factory.decode(rdr,null);
 			try {
 				certs = Factory.toX509Certificate(bytes);
 			} catch (CertificateException e) {
@@ -62,24 +64,24 @@ public class X509ChainWithIssuer extends X509andChain {
 				}
 				if(cert==null) { // first in Trust Chain
 					issuerDN = subject.toString();
+					cert=x509; // adding each time makes sure last one is signer.
 				}
 				addTrustChainEntry(x509);
-				cert=x509; // adding each time makes sure last one is signer.
 			}
 		}
 	}
 	
 	public X509ChainWithIssuer(Certificate[] certs) throws IOException, CertException {
 		X509Certificate x509;
-		for(Certificate c : certs) {
-			x509=(X509Certificate)c;
+		for(int i=certs.length-1; i>=0; --i) {
+			x509=(X509Certificate)certs[i];
 			Principal subject = x509.getSubjectDN();
 			if(subject!=null) {
-				if(cert==null) { // first in Trust Chain
-					issuerDN= subject.toString();
-				}
 				addTrustChainEntry(x509);
-				cert=x509; // adding each time makes sure last one is signer.
+				if(i==0) { // last one is signer
+					cert=x509; 
+					issuerDN= subject.toString(); 
+				}
 			}
 		}
 	}
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java
index 46a6393a..5141cc62 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/X509andChain.java
@@ -25,8 +25,8 @@ import java.security.cert.X509Certificate;
 import java.util.List;
 
 import org.onap.aaf.auth.env.NullTrans;
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
 
 
 /**
@@ -45,14 +45,14 @@ public class X509andChain {
 		trustChain = null;
 	}
 	
-	public X509andChain(X509Certificate cert, String[] trustChain) {
+	public X509andChain(X509Certificate cert, String[] tc) throws IOException, CertException {
 		this.cert = cert;
-		this.trustChain = trustChain;
+		trustChain=tc;
 	}
 
-	public X509andChain(X509Certificate cert, List<String> chain) {
+	public X509andChain(X509Certificate cert, List<String> chain) throws IOException, CertException {
 		this.cert = cert;
-		trustChain = new String[chain.size()];
+		trustChain = new String[chain.size()+1];
 		chain.toArray(trustChain);
 	}
 	
@@ -67,6 +67,7 @@ public class X509andChain {
 			trustChain=temp;
 		}
 	}
+	
 
 	public X509Certificate getX509() {
 		return cert;
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java
index 7f4590f3..70ddd438 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/BCFactory.java
@@ -37,8 +37,8 @@ import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 import org.onap.aaf.auth.cm.ca.CA;
 import org.onap.aaf.auth.cm.validation.CertmanValidator;
 import org.onap.aaf.cadi.Symm;
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.misc.env.Env;
 import org.onap.aaf.misc.env.TimeTaken;
 import org.onap.aaf.misc.env.Trans;
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
index 2b763f7f..7d417d5f 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/CSRMeta.java
@@ -49,8 +49,8 @@ import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
 import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.misc.env.Trans;
 
 public class CSRMeta {
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/RDN.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/RDN.java
index 5b55f1ca..564a4b5d 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/RDN.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/cert/RDN.java
@@ -25,7 +25,7 @@ import java.util.List;
 
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.x500.style.BCStyle;
-import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.configure.CertException;
 import org.onap.aaf.cadi.util.Split;
 
 public class RDN {
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertReq.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertReq.java
index aa0b9c26..d960945c 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertReq.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertReq.java
@@ -28,7 +28,7 @@ import javax.xml.datatype.XMLGregorianCalendar;
 import org.onap.aaf.auth.cm.ca.CA;
 import org.onap.aaf.auth.cm.cert.BCFactory;
 import org.onap.aaf.auth.cm.cert.CSRMeta;
-import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.configure.CertException;
 
 public class CertReq {
 	// These cannot be null
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertResp.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertResp.java
index 595025e7..970bfb85 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertResp.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/data/CertResp.java
@@ -25,12 +25,11 @@ import java.io.IOException;
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.cert.X509Certificate;
-import java.util.Set;
 
 import org.onap.aaf.auth.cm.ca.CA;
 import org.onap.aaf.auth.cm.cert.CSRMeta;
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.misc.env.Trans;
 
 public class CertResp {
@@ -40,17 +39,15 @@ public class CertResp {
 	
 	private String privateKey, certString;
 	private String[] trustChain;
-	private String[] trustCAs;
 	private String[] notes;
 	
-	public CertResp(Trans trans, CA ca, X509Certificate x509, CSRMeta csrMeta, String[] trustChain, String[] trustCAs, String[] notes) throws IOException, GeneralSecurityException, CertException {
+	public CertResp(Trans trans, CA ca, X509Certificate x509, CSRMeta csrMeta, String[] trustChain, String[] notes) throws IOException, GeneralSecurityException, CertException {
 		keyPair = csrMeta.keypair(trans);
 		privateKey = Factory.toString(trans, keyPair.getPrivate());
 		certString = Factory.toString(trans,x509);
 		challenge=csrMeta.challenge();
 		this.ca = ca;
 		this.trustChain = trustChain;
-		this.trustCAs = trustCAs;
 		this.notes = notes;
 	}
 
@@ -76,7 +73,7 @@ public class CertResp {
 		return notes;
 	}
 	
-	public Set<String> caIssuerDNs() {
+	public String[] caIssuerDNs() {
 		return ca.getCaIssuerDNs();
 	}
 	
@@ -89,6 +86,6 @@ public class CertResp {
 	}
 	
 	public String[] trustCAs() {
-		return trustCAs;
+		return ca.getTrustedCAs();
 	}
 }
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeImpl.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeImpl.java
index 0598ee60..51a905a4 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeImpl.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/facade/FacadeImpl.java
@@ -58,8 +58,8 @@ import org.onap.aaf.auth.env.AuthzEnv;
 import org.onap.aaf.auth.env.AuthzTrans;
 import org.onap.aaf.auth.layer.Result;
 import org.onap.aaf.cadi.aaf.AAFPermission;
-import org.onap.aaf.cadi.cm.CertException;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.CertException;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.Data;
 import org.onap.aaf.misc.env.Env;
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
index 16517c95..c06734f4 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper1_0.java
@@ -31,8 +31,8 @@ import org.onap.aaf.auth.cm.data.CertReq;
 import org.onap.aaf.auth.cm.data.CertResp;
 import org.onap.aaf.auth.cm.validation.CertmanValidator;
 import org.onap.aaf.auth.dao.cass.ArtiDAO;
-import org.onap.aaf.auth.dao.cass.CertDAO;
 import org.onap.aaf.auth.dao.cass.ArtiDAO.Data;
+import org.onap.aaf.auth.dao.cass.CertDAO;
 import org.onap.aaf.auth.env.AuthzTrans;
 import org.onap.aaf.auth.layer.Result;
 import org.onap.aaf.cadi.util.FQI;
@@ -108,7 +108,9 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
 		if((value=cin.challenge())!=null) {
 			cout.setChallenge(value);
 		}
+		// In Version 1, Cert is always first
 		cout.getCerts().add(cin.asCertString());
+		// Follow with Trust Chain
 		if(cin.trustChain()!=null) {
 			for(String c : cin.trustChain()) {
 				if(c!=null) {
@@ -116,12 +118,15 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
 				}
 			}
 		}
+
 		// Adding all the Certs in one response is a mistake.  Makes it very hard for Agent to setup
 		// Certs in keystore versus Truststore.  Separate in Version 2_0
 		if(cin.trustCAs()!=null) {
 			for(String c : cin.trustCAs()) {
 				if(c!=null) {
-					cout.getCerts().add(c);
+					if(!cout.getCerts().contains(c)) {
+						cout.getCerts().add(c);
+					}
 				}
 			}
 		}
@@ -138,7 +143,10 @@ public class Mapper1_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
 			}
 			cout.setNotes(sb.toString());
 		}
-		cout.getCaIssuerDNs().addAll(cin.caIssuerDNs());
+		List<String> caIssuerDNs = cout.getCaIssuerDNs();
+		for(String s : cin.caIssuerDNs()) {
+			caIssuerDNs.add(s);
+		}
 		cout.setEnv(cin.env());
 		return Result.ok(cout);
 
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
index 13123bdf..76f7d9be 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/mapper/Mapper2_0.java
@@ -127,7 +127,12 @@ public class Mapper2_0 implements Mapper<BaseRequest,CertInfo,Artifacts,Error> {
 				}
 				cout.setNotes(sb.toString());
 			}
-			cout.getCaIssuerDNs().addAll(cin.caIssuerDNs());
+			
+			List<String> caIssuerDNs = cout.getCaIssuerDNs();
+			for(String s : cin.caIssuerDNs()) {
+				caIssuerDNs.add(s);
+			}
+
 			cout.setEnv(cin.env());
 			return Result.ok(cout);
 		} else {
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
index 4ef5472a..8d39f540 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/service/CMService.java
@@ -59,7 +59,7 @@ import org.onap.aaf.auth.org.Organization.Identity;
 import org.onap.aaf.auth.org.OrganizationException;
 import org.onap.aaf.cadi.Hash;
 import org.onap.aaf.cadi.aaf.AAFPermission;
-import org.onap.aaf.cadi.cm.Factory;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.cadi.util.FQI;
 import org.onap.aaf.misc.env.APIException;
 import org.onap.aaf.misc.env.util.Chrono;
@@ -317,7 +317,7 @@ public class CMService {
 				crdd.type = CredDAO.CERT_SHA256_RSA;
 				credDAO.create(trans, crdd);
 				
-				CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), ca.getTrustedCAs(), compileNotes(notes));
+				CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(),compileNotes(notes));
 				return Result.ok(cr);
 			} catch (Exception e) {
 				trans.error().log(e);
@@ -398,7 +398,7 @@ public class CMService {
 				cdd.x509=Factory.toString(trans, x509);
 				certDAO.create(trans, cdd);
 				
-				CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), ca.getTrustedCAs(), compileNotes(null));
+				CertResp cr = new CertResp(trans, ca, x509, csrMeta, x509ac.getTrustChain(), compileNotes(null));
 				return Result.ok(cr);
 			} catch (Exception e) {
 				trans.error().log(e);
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/ca/JU_AppCA.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/ca/JU_AppCA.java
index f6d5cab1..d81ea9bc 100644
--- a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/ca/JU_AppCA.java
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/ca/JU_AppCA.java
@@ -52,10 +52,9 @@ import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.Mockito;
 import org.mockito.runners.MockitoJUnitRunner;
-import org.onap.aaf.auth.cm.ca.CA;
 import org.onap.aaf.auth.cm.cert.CSRMeta;
 import org.onap.aaf.auth.dao.cached.CachedCertDAO;
-import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.configure.CertException;
 import org.onap.aaf.misc.env.Trans;
 
 //TODO: Gabe [JUnit] Import does not exist
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/cert/JU_BCFactory.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/cert/JU_BCFactory.java
index 856d09c2..337bc9ed 100644
--- a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/cert/JU_BCFactory.java
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/cert/JU_BCFactory.java
@@ -41,7 +41,7 @@ import org.junit.rules.ExpectedException;
 import org.junit.runner.RunWith;
 import org.mockito.Mockito;
 import org.mockito.runners.MockitoJUnitRunner;
-import org.onap.aaf.cadi.cm.CertException;
+import org.onap.aaf.cadi.configure.CertException;
 import org.onap.aaf.misc.env.TimeTaken;
 import org.onap.aaf.misc.env.Trans;
 
diff --git a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java
index 7d3f25ca..5ec96f25 100644
--- a/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java
+++ b/auth/auth-certman/src/test/java/org/onap/aaf/auth/cm/test/CertmanTest.java
@@ -41,8 +41,8 @@ import org.onap.aaf.cadi.Locator.Item;
 import org.onap.aaf.cadi.client.Future;
 import org.onap.aaf.cadi.client.Rcli;
 import org.onap.aaf.cadi.client.Retryable;
-import org.onap.aaf.cadi.cm.Factory;
 import org.onap.aaf.cadi.config.SecurityInfoC;
+import org.onap.aaf.cadi.configure.Factory;
 import org.onap.aaf.cadi.http.HBasicAuthSS;
 import org.onap.aaf.cadi.http.HMangr;
 import org.onap.aaf.cadi.locator.DNSLocator;
-- 
cgit 1.2.3-korg