1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
/*******************************************************************************
* ============LICENSE_START====================================================
* * org.onap.aaf
* * ===========================================================================
* * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
* * ===========================================================================
* * Licensed under the Apache License, Version 2.0 (the "License");
* * you may not use this file except in compliance with the License.
* * You may obtain a copy of the License at
* *
* * http://www.apache.org/licenses/LICENSE-2.0
* *
* * Unless required by applicable law or agreed to in writing, software
* * distributed under the License is distributed on an "AS IS" BASIS,
* * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* * See the License for the specific language governing permissions and
* * limitations under the License.
* * ============LICENSE_END====================================================
* *
* * ECOMP is a trademark and service mark of AT&T Intellectual Property.
* *
******************************************************************************/
package com.att.cadi.cm;
import java.io.File;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import com.att.cadi.CadiException;
import com.att.cadi.Symm;
import com.att.cadi.config.Config;
import com.att.cadi.util.Chmod;
import com.att.inno.env.Trans;
import certman.v1_0.Artifacts.Artifact;
import certman.v1_0.CertInfo;
public class PlaceArtifactInKeystore extends ArtifactDir {
private String kst;
//TODO get ROOT DNs or Trusted DNs from Certificate Manager.
// private static String[] rootDNs = new String[]{
// "CN=ATT CADI Root CA - Test, O=ATT, OU=CSO, C=US", // Lab. delete eventually
// "CN=ATT AAF CADI TEST CA, OU=CSO, O=ATT, C=US",
// "CN=ATT AAF CADI CA, OU=CSO, O=ATT, C=US"
// };
public PlaceArtifactInKeystore(String kst) {
this.kst = kst;
}
@Override
public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
File fks = new File(dir,arti.getAppName()+'.'+kst);
try {
KeyStore jks = KeyStore.getInstance(kst);
if(fks.exists()) {
fks.delete();
}
// Get the Cert(s)... Might include Trust store
Collection<? extends Certificate> certColl = Factory.toX509Certificate(certInfo.getCerts());
X509Certificate[] certs = new X509Certificate[certColl.size()];
certColl.toArray(certs);
// Add CADI Keyfile Entry to Properties
addProperty(Config.CADI_KEYFILE,arti.getDir()+'/'+arti.getAppName() + ".keyfile");
// Set Keystore Password
addProperty(Config.CADI_KEYSTORE,fks.getAbsolutePath());
String keystorePass = Symm.randomGen(CmAgent.PASS_SIZE);
addEncProperty(Config.CADI_KEYSTORE_PASSWORD,keystorePass);
char[] keystorePassArray = keystorePass.toCharArray();
jks.load(null,keystorePassArray); // load in
// Add Private Key/Cert Entry for App
// Note: Java SSL security classes, while having a separate key from keystore,
// is documented to not actually work.
// java.security.UnrecoverableKeyException: Cannot recover key
// You can create a custom Key Manager to make it work, but Practicality
// dictates that you live with the default, meaning, they are the same
String keyPass = keystorePass; //Symm.randomGen(CmAgent.PASS_SIZE);
PrivateKey pk = Factory.toPrivateKey(trans, certInfo.getPrivatekey());
addEncProperty(Config.CADI_KEY_PASSWORD, keyPass);
addProperty(Config.CADI_ALIAS, arti.getMechid());
// Set<Attribute> attribs = new HashSet<Attribute>();
// if(kst.equals("pkcs12")) {
// // Friendly Name
// attribs.add(new PKCS12Attribute("1.2.840.113549.1.9.20", arti.getAppName()));
// }
//
KeyStore.ProtectionParameter protParam =
new KeyStore.PasswordProtection(keyPass.toCharArray());
KeyStore.PrivateKeyEntry pkEntry =
new KeyStore.PrivateKeyEntry(pk, new Certificate[] {certs[0]});
jks.setEntry(arti.getMechid(),
pkEntry, protParam);
// Write out
write(fks,Chmod.to400,jks,keystorePassArray);
// Change out to TrustStore
fks = new File(dir,arti.getAppName()+".trust."+kst);
jks = KeyStore.getInstance(kst);
// Set Truststore Password
addProperty(Config.CADI_TRUSTSTORE,fks.getAbsolutePath());
String trustStorePass = Symm.randomGen(CmAgent.PASS_SIZE);
addEncProperty(Config.CADI_TRUSTSTORE_PASSWORD,trustStorePass);
char[] truststorePassArray = trustStorePass.toCharArray();
jks.load(null,truststorePassArray); // load in
// Add Trusted Certificates
for(int i=1; i<certs.length;++i) {
jks.setCertificateEntry("cadi_root_" + arti.getCa() + '_' + i, certs[i]);
}
// Write out
write(fks,Chmod.to644,jks,truststorePassArray);
} catch (Exception e) {
throw new CadiException(e);
}
return false;
}
}
|