author | Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> | 2020-12-17 16:03:07 +0100 |
committer | Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> | 2021-01-04 10:44:06 +0000 |
commit | 7d9906432263c37bbea44d74d15e9eaea19e310d (patch) | |
tree | 18616f924ab32ea2350ce18e8a37ec87a516f5d6 | |
parent | 4f922581cabd32996b880b0f5ff9a5ae7cbc2c57 (diff) |
[OOM-CERT-SERVICE] Align implementation with RFC42102.1.1
- change MAC algorithm
- limit iterations to random value from 1000-2000 range
- correct caName validation to allow URL safe characters
Issue-ID: OOM-2656
(cherry picked from commit ee8b5cb717a4b7e37ef84e3e585be832d7d1794b)
Change-Id: I031382d208caa5eb659bb51f9d165344ca2e83b9
Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
12 files changed, 33 insertions, 25 deletions
diff --git a/certService/pom.xml b/certService/pom.xml
index f1f27988..9cff262b 100644
--- a/certService/pom.xml
+++ b/certService/pom.xml
@@ -18,10 +18,10 @@
 <parent>
 <groupId>org.onap.oom.platform.cert-service</groupId>
 <artifactId>oom-certservice</artifactId>
- <version>2.1.0-SNAPSHOT</version>
+ <version>2.1.1-SNAPSHOT</version>
 </parent>
 <artifactId>oom-certservice-api</artifactId>
- <version>2.1.0-SNAPSHOT</version>
+ <version>2.1.1-SNAPSHOT</version>
 <name>oom-certservice-api</name>
 <description>OOM Certification Service Api</description>
 <packaging>jar</packaging>
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
index 844f85be..89dd7453 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
@@ -74,7 +74,7 @@ public final class CmpMessageHelper {
 private static final AlgorithmIdentifier OWF_ALGORITHM =
 new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
 private static final AlgorithmIdentifier MAC_ALGORITHM =
- new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.2.9"));
+ new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2"));
 private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC =
 new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
index a0ba13d6..29ebac0f 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
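Review bot: The new MAC_ALGORITHM value 1.3.6.1.5.5.8.1.2 (HMAC-SHA1) is introduced next to the SHA-1 OWF_ALGORITHM with no comment, and a later maintainer will read that pair as a weakness to "fix" back to the previous 1.2.840.113549.2.9 (hmacWithSHA256). The SHA-1 OWF plus HMAC-SHA1 pair is the one listed for PasswordBasedMac in RFC 4210, and HMAC does not depend on SHA-1 collision resistance, so the choice is defensible but must be stated in the code; I'd add above MAC_ALGORITHM: `// HMAC-SHA1, the MAC listed for PasswordBasedMac in RFC 4210; keep in step with OWF_ALGORITHM and with what the CA accepts` and a matching line above OWF_ALGORITHM. CAs that were interoperating on the hmacWithSHA256 identifier will now see a different protectionAlg, which is worth a sentence in the release notes. The enclosing class continues outside the hunk.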
@@ -28,6 +28,7 @@ import java.security.KeyPair;
 import java.util.Date;
 import java.util.List;
+import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.cmp.PKIBody;
 import org.bouncycastle.asn1.cmp.PKIHeader;
 import org.bouncycastle.asn1.cmp.PKIMessage;
@@ -37,7 +38,9 @@ import org.bouncycastle.asn1.crmf.CertRequest;
 import org.bouncycastle.asn1.crmf.CertTemplateBuilder;
 import org.bouncycastle.asn1.crmf.ProofOfPossession;
 import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
 import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException;
 /**
@@ -55,9 +58,11 @@ class CreateCertRequest {
 private String initAuthPassword;
 private String senderKid;
- private static final int ITERATIONS = createRandomInt(5000);
+ private static final int ITERATIONS = createRandomInt(1000);
 private static final byte[] SALT = createRandomBytes();
 private final int certReqId = createRandomInt(Integer.MAX_VALUE);
+ private final AlgorithmIdentifier signingAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder()
+ .find("SHA256withRSA");
 public void setIssuerDn(X500Name issuerDn) {
 this.issuerDn = issuerDn;
@@ -104,6 +109,9 @@ class CreateCertRequest {
 .setSubject(subjectDn)
 .setExtensions(CmpMessageHelper.generateExtension(sansList))
 .setValidity(CmpMessageHelper.generateOptionalValidity(notBefore, notAfter))
+ .setVersion(2)
+ .setSerialNumber(new ASN1Integer(0L))
+ .setSigningAlg(signingAlgorithm)
 .setPublicKey(
 SubjectPublicKeyInfo.getInstance(subjectKeyPair.getPublic().getEncoded()));
diff --git a/certService/version.properties b/certService/version.properties
index 00ef5645..3c5fba7f 100644
--- a/certService/version.properties
+++ b/certService/version.properties
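Review bot: `private static final int ITERATIONS = createRandomInt(1000);` reads as a count drawn from [0, 1000), which does not match the 1000–2000 range stated in the commit message; whether createRandomInt adds a floor is not visible from this hunk, and a count near 0 would make the PasswordBasedMac iteration count pointless. I'd make the range explicit at the use site rather than inside the helper: `private static final int MIN_ITERATIONS = 1000;` and `private static final int ITERATIONS = MIN_ITERATIONS + createRandomInt(1000); // RFC 4210 PBM iteration count, 1000-1999` (drop the offset if createRandomInt already applies it). Separately, ITERATIONS and SALT are static finals, so every request the process ever protects shares one salt and one count, which defeats the salt's purpose of making each protected message distinct; instance fields, like certReqId already is, would give each request a fresh pair. createRandomInt and createRandomBytes are defined outside the hunk.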
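Review bot: `.setSerialNumber(new ASN1Integer(0L))` and the fixed `SHA256withRSA` signingAlg in the CertTemplate need a comment saying why they are sent, because neither is a value the CA can use as-is: 0 is not a valid serial number in an issued certificate, and RFC 4211 (Section 5, if I recall the text correctly) says serialNumber and signingAlg are assigned by the CA and are normally omitted by the requester. If a particular CA profile requires these fields, state it: `// version=2, signingAlg and a placeholder serial are sent because the target CA profile rejects templates without them; the CA assigns the real values`. The hard-coded SHA256withRSA also silently assumes an RSA-signing CA, while the subject key algorithm comes from `subjectKeyPair` and is not visible here; if the CA signs with ECDSA the request asks for an algorithm it cannot honour, so either derive the identifier from configuration or document the assumption next to the field. The enclosing method continues outside the hunk.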
@@ -1,6 +1,6 @@
-major=1
-minor=2
-patch=0
+major=2
+minor=1
+patch=1
 base_version=${major}.${minor}.${patch}
 release_version=${base_version}
 snapshot_version=${base_version}-SNAPSHOT
diff --git a/certServiceClient/pom.xml b/certServiceClient/pom.xml
index 50dd2b55..4c2bae90 100644
--- a/certServiceClient/pom.xml
+++ b/certServiceClient/pom.xml
@@ -18,12 +18,12 @@
 <parent>
 <artifactId>oom-certservice</artifactId>
 <groupId>org.onap.oom.platform.cert-service</groupId>
- <version>2.1.0-SNAPSHOT</version>
+ <version>2.1.1-SNAPSHOT</version>
 </parent>
 <modelVersion>4.0.0</modelVersion>
 <artifactId>oom-certservice-client</artifactId>
- <version>2.1.0-SNAPSHOT</version>
+ <version>2.1.1-SNAPSHOT</version>
 <name>oom-certservice-client</name>
 <description>OOM Certification Service Api Client</description>
 <packaging>jar</packaging>
diff --git a/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/factory/AbstractConfigurationFactory.java b/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/factory/AbstractConfigurationFactory.java
index 293ac2d1..b28a6921 100644
--- a/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/factory/AbstractConfigurationFactory.java
+++ b/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/factory/AbstractConfigurationFactory.java
@@ -38,8 +38,8 @@ public abstract class AbstractConfigurationFactory<T extends ConfigurationModel>
 return path.matches("^/|(/[a-zA-Z0-9_-]+)+/?$");
 }
- public boolean isAlphaNumeric(String caName) {
- return caName.matches("^[a-zA-Z0-9]*$");
+ public boolean isCaNameValid(String caName) {
+ return caName.matches("^[a-zA-Z0-9_.~-]{1,128}$");
 }
 public boolean isCommonNameValid(String commonName) {
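Review bot: The new pattern `^[a-zA-Z0-9_.~-]{1,128}$` in isCaNameValid accepts `.` and `..` as a complete CA name, and the rejection cases added to AbstractConfigurationFactoryTest in this commit do not cover them; the consumer of caName is not visible here, but if it is ever placed into the request URL path a value of `..` changes which path the client calls. A cheap guard is to reject names made only of dots, e.g. `return caName.matches("^[a-zA-Z0-9_.~-]{1,128}$") && !caName.chars().allMatch(c -> c == '.');`, and to add `"."` and `".."` to the rejecting @ValueSource in the test. A short Javadoc on the method stating the intended character set (the RFC 3986 unreserved set, by the look of it) and the 128-character cap would also make the next change to this regex less guesswork.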
diff --git a/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/factory/ClientConfigurationFactory.java b/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/factory/ClientConfigurationFactory.java
index 17cb2cc4..c9889419 100644
--- a/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/factory/ClientConfigurationFactory.java
+++ b/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/factory/ClientConfigurationFactory.java
@@ -56,7 +56,7 @@ public class ClientConfigurationFactory extends AbstractConfigurationFactory<Cli
 .orElseThrow(() -> new ClientConfigurationException(ClientConfigurationEnvs.OUTPUT_PATH + " is invalid."));
 envsForClient.getCaName()
- .filter(this::isAlphaNumeric)
+ .filter(this::isCaNameValid)
 .map(configuration::setCaName)
 .orElseThrow(() -> new ClientConfigurationException(ClientConfigurationEnvs.CA_NAME + " is invalid."));
diff --git a/certServiceClient/src/test/java/org/onap/oom/certservice/client/configuration/factory/AbstractConfigurationFactoryTest.java b/certServiceClient/src/test/java/org/onap/oom/certservice/client/configuration/factory/AbstractConfigurationFactoryTest.java
index e55e55b6..efa3baf6 100644
--- a/certServiceClient/src/test/java/org/onap/oom/certservice/client/configuration/factory/AbstractConfigurationFactoryTest.java
+++ b/certServiceClient/src/test/java/org/onap/oom/certservice/client/configuration/factory/AbstractConfigurationFactoryTest.java
@@ -56,15 +56,15 @@ class AbstractConfigurationFactoryTest {
 }
 @ParameterizedTest
- @ValueSource(strings = {"caname", "caname1", "123caName", "ca1name"})
- void shouldAcceptValidAlphanumeric(String caName) {
- assertThat(cut.isAlphaNumeric(caName)).isTrue();
+ @ValueSource(strings = {"caname", "caname1", "123caName", "ca1name", "ca_name", "ca-name", "ca.na~me"})
+ void shouldAcceptValidCaName(String caName) {
+ assertThat(cut.isCaNameValid(caName)).isTrue();
 }
 @ParameterizedTest
- @ValueSource(strings = {"44caname$", "#caname1", "1c_aname", "ca1-name"})
- void shouldRejectInvalidAlphanumeric(String caName) {
- assertThat(cut.isAlphaNumeric(caName)).isFalse();
+ @ValueSource(strings = {"44caname$", "#caname1", "1c[aname]", "ca1/name", "", " "})
+ void shouldRejectInvalidCaName(String caName) {
+ assertThat(cut.isCaNameValid(caName)).isFalse();
 }
 @ParameterizedTest
diff --git a/certServiceClient/version.properties b/certServiceClient/version.properties
index 00ef5645..3c5fba7f 100644
--- a/certServiceClient/version.properties
+++ b/certServiceClient/version.properties
@@ -1,6 +1,6 @@
-major=1
-minor=2
-patch=0
+major=2
+minor=1
+patch=1
 base_version=${major}.${minor}.${patch}
 release_version=${base_version}
 snapshot_version=${base_version}-SNAPSHOT
diff --git a/certServicePostProcessor/pom.xml b/certServicePostProcessor/pom.xml
index 947d0666..484531e9 100644
--- a/certServicePostProcessor/pom.xml
+++ b/certServicePostProcessor/pom.xml
@@ -5,12 +5,12 @@
 <parent>
 <artifactId>oom-certservice</artifactId>
 <groupId>org.onap.oom.platform.cert-service</groupId>
- <version>2.1.0-SNAPSHOT</version>
+ <version>2.1.1-SNAPSHOT</version>
 </parent>
 <modelVersion>4.0.0</modelVersion>
 <artifactId>oom-certservice-post-processor</artifactId>
- <version>2.1.0-SNAPSHOT</version>
+ <version>2.1.1-SNAPSHOT</version>
 <name>oom-certservice-post-processor</name>
 <description>An application which conducts certificate post-processing like: merging truststores, copying keystores.</description>
 <packaging>jar</packaging>
@@ -23,7 +23,7 @@
 </parent>
 <groupId>org.onap.oom.platform.cert-service</groupId>
 <artifactId>oom-certservice</artifactId>
- <version>2.1.0-SNAPSHOT</version>
+ <version>2.1.1-SNAPSHOT</version>
 <name>oom-certservice</name>
 <description>OOM Certification Service</description>
 <packaging>pom</packaging>
diff --git a/version.properties b/version.properties
index 7a7808c0..3c5fba7f 100644
--- a/version.properties
+++ b/version.properties
@@ -1,6 +1,6 @@
 major=2
 minor=1
-patch=0
+patch=1
 base_version=${major}.${minor}.${patch}
 release_version=${base_version}
 snapshot_version=${base_version}-SNAPSHOT |