summaryrefslogtreecommitdiffstats
path: root/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
diff options
context:
space:
mode:
Diffstat (limited to 'core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java')
-rw-r--r--core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java257
1 files changed, 0 insertions, 257 deletions
diff --git a/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java b/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
deleted file mode 100644
index 36217cc..0000000
--- a/core/src/main/java/org/onap/aaf/cadi/taf/cert/X509Taf.java
+++ /dev/null
@@ -1,257 +0,0 @@
-/*******************************************************************************
- * ============LICENSE_START====================================================
- * * org.onap.aaf
- * * ===========================================================================
- * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
- * * ===========================================================================
- * * Licensed under the Apache License, Version 2.0 (the "License");
- * * you may not use this file except in compliance with the License.
- * * You may obtain a copy of the License at
- * *
- * * http://www.apache.org/licenses/LICENSE-2.0
- * *
- * * Unless required by applicable law or agreed to in writing, software
- * * distributed under the License is distributed on an "AS IS" BASIS,
- * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * * See the License for the specific language governing permissions and
- * * limitations under the License.
- * * ============LICENSE_END====================================================
- * *
- * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
- * *
- ******************************************************************************/
-package org.onap.aaf.cadi.taf.cert;
-
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.security.GeneralSecurityException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.Principal;
-import java.security.Signature;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
-import java.security.cert.X509Certificate;
-import java.util.ArrayList;
-
-import javax.net.ssl.TrustManagerFactory;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.onap.aaf.cadi.Access;
-import org.onap.aaf.cadi.CachedPrincipal;
-import org.onap.aaf.cadi.CadiException;
-import org.onap.aaf.cadi.Lur;
-import org.onap.aaf.cadi.Symm;
-import org.onap.aaf.cadi.Access.Level;
-import org.onap.aaf.cadi.CachedPrincipal.Resp;
-import org.onap.aaf.cadi.Taf.LifeForm;
-import org.onap.aaf.cadi.config.Config;
-import org.onap.aaf.cadi.config.SecurityInfo;
-import org.onap.aaf.cadi.config.SecurityInfoC;
-import org.onap.aaf.cadi.lur.LocalPermission;
-import org.onap.aaf.cadi.principal.TGuardPrincipal;
-import org.onap.aaf.cadi.principal.X509Principal;
-import org.onap.aaf.cadi.taf.HttpTaf;
-import org.onap.aaf.cadi.taf.TafResp;
-import org.onap.aaf.cadi.taf.TafResp.RESP;
-import org.onap.aaf.cadi.util.Split;
-
-public class X509Taf implements HttpTaf {
-
- public static final CertificateFactory certFactory;
- public static final MessageDigest messageDigest;
- public static final TrustManagerFactory tmf;
- private Access access;
- private CertIdentity[] certIdents;
- private Lur lur;
- private ArrayList<String> cadiIssuers;
- private String env;
- private SecurityInfo si;
-
- static {
- try {
- certFactory = CertificateFactory.getInstance("X.509");
- messageDigest = MessageDigest.getInstance("SHA-256"); // use this to clone
- tmf = TrustManagerFactory.getInstance(SecurityInfoC.SslKeyManagerFactoryAlgorithm);
- } catch (Exception e) {
- throw new RuntimeException("X.509 and SHA-256 are required for X509Taf",e);
- }
- }
-
- public X509Taf(Access access, Lur lur, CertIdentity ... cis) throws CertificateException, NoSuchAlgorithmException, CadiException {
- this.access = access;
- env = access.getProperty(Config.AAF_ENV,null);
- if(env==null) {
- throw new CadiException("X509Taf requires Environment ("+Config.AAF_ENV+") to be set.");
- }
- this.lur = lur;
- this.cadiIssuers = new ArrayList<String>();
- for(String ci : access.getProperty(Config.CADI_X509_ISSUERS, "CN=ATT CADI Issuing CA 01, OU=CSO, O=ATT, C=US:CN=ATT CADI Issuing CA 02, OU=CSO, O=ATT, C=US").split(":")) {
- cadiIssuers.add(ci);
- }
- try {
- Class<?> dci = access.classLoader().loadClass("com.att.authz.cadi.DirectCertIdentity");
- CertIdentity temp[] = new CertIdentity[cis.length+1];
- System.arraycopy(cis, 0, temp, 1, cis.length);
- temp[0] = (CertIdentity) dci.newInstance();
- certIdents=temp;
- } catch (Exception e) {
- certIdents = cis;
- }
-
- try {
- si = new SecurityInfo(access);
- } catch (GeneralSecurityException | IOException e1) {
- throw new CadiException(e1);
- }
- }
-
- public static final X509Certificate getCert(byte[] certBytes) throws CertificateException {
- ByteArrayInputStream bais = new ByteArrayInputStream(certBytes);
- return (X509Certificate)certFactory.generateCertificate(bais);
- }
-
- public static final byte[] getFingerPrint(byte[] ba) {
- MessageDigest md;
- try {
- md = (MessageDigest)messageDigest.clone();
- } catch (CloneNotSupportedException e) {
- // should never get here
- return new byte[0];
- }
- md.update(ba);
- return md.digest();
- }
-
- public TafResp validate(LifeForm reading, HttpServletRequest req, HttpServletResponse resp) {
- // Check for Mutual SSL
- try {
- X509Certificate[] certarr = (X509Certificate[])req.getAttribute("javax.servlet.request.X509Certificate");
- if(certarr!=null && certarr.length>0) {
- si.checkClientTrusted(certarr);
- // Note: If the Issuer is not in the TrustStore, it's not added to the Cert list
- if(cadiIssuers.contains(certarr[0].getIssuerDN().toString())) {
- String x500 = certarr[0].getSubjectDN().getName();
- int ou=x500.indexOf("OU=");
- if(ou>0) {
- ou+=3;
- int comma = x500.indexOf(',',ou);
- if(comma>0) {
- String id= x500.substring(ou,comma);
- String idenv[] = id.split(":");
- if(idenv.length==1 || (idenv.length>1 && env.equals(idenv[1]))) {
- return new X509HttpTafResp(access,
- new X509Principal(idenv[0], certarr[0],null),
- id + " validated by CADI x509", RESP.IS_AUTHENTICATED);
- }
- }
- }
- }
- }
-
- byte[] array = null;
- byte[] certBytes = null;
- X509Certificate cert=null;
- String responseText=null;
- String authHeader = req.getHeader("Authorization");
-
- if(certarr!=null) { // If cert !=null, Cert is Tested by Mutual Protocol.
- if(authHeader!=null) { // This is only intended to be a Secure Connection, not an Identity
- return new X509HttpTafResp(access, null, "Certificate verified, but another Identity is presented", RESP.TRY_ANOTHER_TAF);
- }
- cert = certarr[0];
- responseText = ", validated by Mutual SSL Protocol";
- } else { // If cert == null, Get Declared Cert (in header), but validate by having them sign something
- if(authHeader != null && authHeader.startsWith("x509 ")) {
- ByteArrayOutputStream baos = new ByteArrayOutputStream(authHeader.length());
- try {
- array = authHeader.getBytes();
- ByteArrayInputStream bais = new ByteArrayInputStream(array);
- Symm.base64noSplit.decode(bais, baos, 5);
- certBytes = baos.toByteArray();
- cert = getCert(certBytes);
-
- /**
- * Identity from CERT if well know CA and specific encoded information
- */
- // If found Identity doesn't work, try SignedStuff Protocol
-// cert.checkValidity();
-// cert.--- GET FINGERPRINT?
- String stuff = req.getHeader("Signature");
- if(stuff==null)
- return new X509HttpTafResp(access, null, "Header entry 'Signature' required to validate One way X509 Certificate", RESP.TRY_ANOTHER_TAF);
- String data = req.getHeader("Data");
-// if(data==null)
-// return new X509HttpTafResp(access, null, "No signed Data to validate with X509 Certificate", RESP.TRY_ANOTHER_TAF);
-
- // Note: Data Pos shows is "<signatureType> <data>"
-// int dataPos = (stuff.indexOf(' ')); // determine what is Algorithm
- // Get Signature
- bais = new ByteArrayInputStream(stuff.getBytes());
- baos = new ByteArrayOutputStream(stuff.length());
- Symm.base64noSplit.decode(bais, baos);
- array = baos.toByteArray();
-// Signature sig = Signature.getInstance(stuff.substring(0, dataPos)); // get Algorithm from first part of Signature
-
- Signature sig = Signature.getInstance(cert.getSigAlgName());
- sig.initVerify(cert.getPublicKey());
- sig.update(data.getBytes());
- if(!sig.verify(array)) {
- access.log(Level.ERROR, "Signature doesn't Match");
- return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
- }
- responseText = ", validated by Signed Data";
- } catch (Exception e) {
- access.log(e, "Exception while validating Cert");
- return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
- }
-
- } else {
- return new X509HttpTafResp(access, null, "No Certificate Info on Transaction", RESP.TRY_ANOTHER_TAF);
- }
- }
-
- // A cert has been found, match Identify
- Principal prin=null;
-
- for(int i=0;prin==null && i<certIdents.length;++i) {
- if((prin=certIdents[i].identity(req, cert, certBytes))!=null) {
- responseText = prin.getName() + " matches Certificate " + cert.getSubjectX500Principal().getName() + responseText;
-// xresp = new X509HttpTafResp(
-// access,
-// prin,
-// prin.getName() + " matches Certificate " + cert.getSubjectX500Principal().getName() + responseText,
-// RESP.IS_AUTHENTICATED);
-
- }
- }
-
- // if Principal is found, check for "AS_USER" and whether this entity is trusted to declare
- if(prin!=null) {
- String as_user=req.getHeader(Config.CADI_USER_CHAIN);
- if(as_user!=null) {
- if(as_user.startsWith("TGUARD ") && lur.fish(prin, new LocalPermission("com.att.aaf.trust|"+prin.getName()+"|tguard"))) {
- prin = new TGuardPrincipal(as_user.substring(7));
- responseText=prin.getName() + " set via trust of " + responseText;
- }
- }
- return new X509HttpTafResp(
- access,
- prin,
- responseText,
- RESP.IS_AUTHENTICATED);
- }
- } catch(Exception e) {
- return new X509HttpTafResp(access, null, e.getMessage(), RESP.TRY_ANOTHER_TAF);
- }
-
- return new X509HttpTafResp(access, null, "Certificate NOT verified", RESP.TRY_ANOTHER_TAF);
- }
-
- public Resp revalidate(CachedPrincipal prin) {
- return null;
- }
-
-}