diff options
| author |   Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> | 2021-07-13 15:41:57 +0200 |
|---|---|---|
| committer | Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> | 2021-07-13 14:08:38 +0000 |
| commit | dd84c4aad3b0ebb9af61e1c45c95a033121c5153 (patch) | |
| tree | 3bb62b0687f9c8aad22f82f8d41bd57f6c3cad6a | |
| parent | 78b60d22b8779d1fbf3e27287b9774862f71404b (diff) | |
[OOM-CERT-SERVICE] Refactor CertService API code
- move conversion StringBase64 to PrivateKey to separate class
- move protection algorithm classes to separate package
- adjust modifiers and test to above changes
Issue-ID: OOM-2753
Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
Change-Id: Ifafa38162acfcd59d5177dbc478a6209e97a18e3
18 files changed, 277 insertions, 176 deletions
diff --git a/certService/src/main/java/org/onap/oom/certservice/certification/CertificationProvider.java b/certService/src/main/java/org/onap/oom/certservice/certification/CertificationProvider.java index 94e778e3..f7fe2c64 100644 --- a/certService/src/main/java/org/onap/oom/certservice/certification/CertificationProvider.java +++ b/certService/src/main/java/org/onap/oom/certservice/certification/CertificationProvider.java @@ -70,7 +70,7 @@ public class CertificationProvider { return getCertificationResponseModel(certificates); } - private static List<String> convertFromX509CertificateListToPemList(List<X509Certificate> certificates) { + private List<String> convertFromX509CertificateListToPemList(List<X509Certificate> certificates) { return certificates.stream().map(CertificationProvider::convertFromX509CertificateToPem).filter(cert -> !cert.isEmpty()) .collect(Collectors.toList()); } diff --git a/certService/src/main/java/org/onap/oom/certservice/certification/conversion/CsrModelFactory.java b/certService/src/main/java/org/onap/oom/certservice/certification/conversion/CsrModelFactory.java index e4ee4c10..6f80f793 100644 --- a/certService/src/main/java/org/onap/oom/certservice/certification/conversion/CsrModelFactory.java +++ b/certService/src/main/java/org/onap/oom/certservice/certification/conversion/CsrModelFactory.java @@ -21,13 +21,13 @@ package org.onap.oom.certservice.certification.conversion; import org.bouncycastle.pkcs.PKCS10CertificationRequest; -import org.bouncycastle.util.io.pem.PemObject; import org.onap.oom.certservice.certification.exception.CsrDecryptionException; import org.onap.oom.certservice.certification.exception.DecryptionException; -import org.onap.oom.certservice.certification.exception.KeyDecryptionException; import org.onap.oom.certservice.certification.model.CsrModel; import org.springframework.stereotype.Service; +import java.security.PrivateKey; + @Service public class CsrModelFactory { @@ -36,23 +36,14 @@ public class CsrModelFactory { = new PemObjectFactory(); private final Pkcs10CertificationRequestFactory certificationRequestFactory = new Pkcs10CertificationRequestFactory(); - + private final StringBase64ToPrivateKeyConverter stringBase64ToPrivateKeyConverter + = new StringBase64ToPrivateKeyConverter(); public CsrModel createCsrModel(StringBase64 csr, StringBase64 privateKey) throws DecryptionException { PKCS10CertificationRequest decodedCsr = decodeCsr(csr); - PemObject decodedPrivateKey = decodePrivateKey(privateKey); - return new CsrModel.CsrModelBuilder(decodedCsr, decodedPrivateKey).build(); - } - - private PemObject decodePrivateKey(StringBase64 privateKey) - throws KeyDecryptionException { - - return privateKey.asString() - .flatMap(pemObjectFactory::createPemObject) - .orElseThrow( - () -> new KeyDecryptionException("Incorrect Key, decryption failed") - ); + PrivateKey javaPrivateKey = stringBase64ToPrivateKeyConverter.convert(privateKey); + return new CsrModel.CsrModelBuilder(decodedCsr, javaPrivateKey).build(); } private PKCS10CertificationRequest decodeCsr(StringBase64 csr) diff --git a/certService/src/main/java/org/onap/oom/certservice/certification/conversion/OldCertificateModelFactory.java b/certService/src/main/java/org/onap/oom/certservice/certification/conversion/OldCertificateModelFactory.java index f5c199f6..fba5259c 100644 --- a/certService/src/main/java/org/onap/oom/certservice/certification/conversion/OldCertificateModelFactory.java +++ b/certService/src/main/java/org/onap/oom/certservice/certification/conversion/OldCertificateModelFactory.java @@ -20,19 +20,10 @@ package org.onap.oom.certservice.certification.conversion; -import java.security.KeyFactory; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.cert.CertificateEncodingException; -import java.security.cert.CertificateParsingException; -import java.security.cert.X509Certificate; -import java.security.spec.InvalidKeySpecException; -import java.security.spec.PKCS8EncodedKeySpec; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.Certificate; import org.bouncycastle.asn1.x509.GeneralName; import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder; -import org.bouncycastle.util.io.pem.PemObject; import org.onap.oom.certservice.certification.X509CertificateParser; import org.onap.oom.certservice.certification.exception.CertificateDecryptionException; import org.onap.oom.certservice.certification.exception.KeyDecryptionException; @@ -41,13 +32,19 @@ import org.onap.oom.certservice.certification.model.OldCertificateModel; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; +import java.security.PrivateKey; +import java.security.cert.CertificateEncodingException; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; + @Service public class OldCertificateModelFactory { private static final String BEGIN_CERTIFICATE = "-----BEGIN CERTIFICATE-----\n"; private static final String END_CERTIFICATE = "-----END CERTIFICATE-----\n"; - private static final PemObjectFactory PEM_OBJECT_FACTORY = new PemObjectFactory(); + private final StringBase64ToPrivateKeyConverter stringBase64ToPrivateKeyConverter + = new StringBase64ToPrivateKeyConverter(); private final PemStringToCertificateConverter pemStringToCertificateConverter; private final X509CertificateParser x509CertificateParser; @@ -68,14 +65,13 @@ public class OldCertificateModelFactory { final X500Name subjectData = x509CertificateParser.getSubject(x509Certificate); final GeneralName[] sans = x509CertificateParser.getSans(x509Certificate); final Certificate certificate = new JcaX509CertificateHolder(x509Certificate).toASN1Structure(); - final PrivateKey oldPrivateKey = getOldPrivateKeyObject(encodedOldPrivateKey); + final PrivateKey oldPrivateKey = stringBase64ToPrivateKeyConverter.convert(new StringBase64(encodedOldPrivateKey)); return new OldCertificateModel(certificate, subjectData, sans, oldPrivateKey); } catch (StringToCertificateConversionException e) { throw new CertificateDecryptionException("Cannot convert certificate", e); - } catch (CertificateParsingException e) { throw new CertificateDecryptionException("Cannot read Subject Alternative Names from certificate"); - } catch (NoSuchAlgorithmException | KeyDecryptionException | CertificateEncodingException | InvalidKeySpecException e) { + } catch (KeyDecryptionException | CertificateEncodingException e) { throw new CertificateDecryptionException("Cannot convert certificate or key", e); } } @@ -91,17 +87,4 @@ public class OldCertificateModelFactory { return !(certificateChain.contains(BEGIN_CERTIFICATE) && certificateChain.contains(END_CERTIFICATE)); } - private PrivateKey getOldPrivateKeyObject(String encodedOldPrivateKey) - throws KeyDecryptionException, InvalidKeySpecException, NoSuchAlgorithmException { - - StringBase64 stringBase64 = new StringBase64(encodedOldPrivateKey); - PemObject pemObject = stringBase64.asString() - .flatMap(PEM_OBJECT_FACTORY::createPemObject) - .orElseThrow( - () -> new KeyDecryptionException("Incorrect Key, decryption failed") - ); - PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(pemObject.getContent()); - KeyFactory keyFactory = KeyFactory.getInstance("RSA"); - return keyFactory.generatePrivate(keySpec); - } } diff --git a/certService/src/main/java/org/onap/oom/certservice/certification/conversion/StringBase64ToPrivateKeyConverter.java b/certService/src/main/java/org/onap/oom/certservice/certification/conversion/StringBase64ToPrivateKeyConverter.java new file mode 100644 index 00000000..1ea752b1 --- /dev/null +++ b/certService/src/main/java/org/onap/oom/certservice/certification/conversion/StringBase64ToPrivateKeyConverter.java @@ -0,0 +1,55 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nokia. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.oom.certservice.certification.conversion; + +import org.bouncycastle.util.io.pem.PemObject; +import org.onap.oom.certservice.certification.exception.KeyDecryptionException; + +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.PKCS8EncodedKeySpec; + +public class StringBase64ToPrivateKeyConverter { + + private final PemObjectFactory pemObjectFactory = new PemObjectFactory(); + + public PrivateKey convert(StringBase64 privateKey) throws KeyDecryptionException { + PemObject decodedPrivateKey = createDecodedPrivateKey(privateKey); + try { + KeyFactory factory = KeyFactory.getInstance("RSA"); + PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(decodedPrivateKey.getContent()); + return factory.generatePrivate(keySpec); + } catch (NoSuchAlgorithmException | InvalidKeySpecException e) { + throw new KeyDecryptionException("Converting Private Key failed", e.getCause()); + } + } + + private PemObject createDecodedPrivateKey(StringBase64 privateKey) throws KeyDecryptionException { + return privateKey.asString() + .flatMap(pemObjectFactory::createPemObject) + .orElseThrow( + () -> new KeyDecryptionException("Incorrect Key, decryption failed") + ); + } + +} diff --git a/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java b/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java index 96755832..cd88ff11 100644 --- a/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java +++ b/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java @@ -20,16 +20,6 @@ package org.onap.oom.certservice.certification.model; -import java.io.IOException; -import java.security.KeyFactory; -import java.security.NoSuchAlgorithmException; -import java.security.PrivateKey; -import java.security.PublicKey; -import java.security.spec.InvalidKeySpecException; -import java.security.spec.PKCS8EncodedKeySpec; -import java.security.spec.X509EncodedKeySpec; -import java.util.Arrays; -import java.util.stream.Collectors; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.Extension; import org.bouncycastle.asn1.x509.Extensions; @@ -41,6 +31,16 @@ import org.onap.oom.certservice.certification.exception.CsrDecryptionException; import org.onap.oom.certservice.certification.exception.DecryptionException; import org.onap.oom.certservice.certification.exception.KeyDecryptionException; +import java.io.IOException; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.PublicKey; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.X509EncodedKeySpec; +import java.util.Arrays; +import java.util.stream.Collectors; + public class CsrModel { @@ -95,19 +95,18 @@ public class CsrModel { public static class CsrModelBuilder { private final PKCS10CertificationRequest csr; - private final PemObject privateKey; + private final PrivateKey privateKey; public CsrModel build() throws DecryptionException { X500Name subjectData = getSubjectData(); - PrivateKey javaPrivateKey = convertingPemPrivateKeyToJavaSecurityPrivateKey(getPrivateKey()); PublicKey javaPublicKey = convertingPemPublicKeyToJavaSecurityPublicKey(getPublicKey()); GeneralName[] sans = getSansData(); - return new CsrModel(csr, subjectData, javaPrivateKey, javaPublicKey, sans); + return new CsrModel(csr, subjectData, privateKey, javaPublicKey, sans); } - public CsrModelBuilder(PKCS10CertificationRequest csr, PemObject privateKey) { + public CsrModelBuilder(PKCS10CertificationRequest csr, PrivateKey privateKey) { this.csr = csr; this.privateKey = privateKey; } @@ -120,10 +119,6 @@ public class CsrModel { } } - private PemObject getPrivateKey() { - return privateKey; - } - private X500Name getSubjectData() { return csr.getSubject(); } @@ -144,17 +139,6 @@ public class CsrModel { return csr.getAttributes().length == 0; } - private PrivateKey convertingPemPrivateKeyToJavaSecurityPrivateKey(PemObject privateKey) - throws KeyDecryptionException { - try { - KeyFactory factory = KeyFactory.getInstance("RSA"); - PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKey.getContent()); - return factory.generatePrivate(keySpec); - } catch (NoSuchAlgorithmException | InvalidKeySpecException e) { - throw new KeyDecryptionException("Converting Private Key failed", e.getCause()); - } - } - private PublicKey convertingPemPublicKeyToJavaSecurityPublicKey(PemObject publicKey) throws KeyDecryptionException { try { diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java index bbca91b6..58291650 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java @@ -22,19 +22,6 @@ package org.onap.oom.certservice.cmpv2client.impl; -import static org.onap.oom.certservice.cmpv2client.impl.CmpResponseHelper.checkIfCmpResponseContainsError; -import static org.onap.oom.certservice.cmpv2client.impl.CmpResponseHelper.getCertFromByteArray; -import static org.onap.oom.certservice.cmpv2client.impl.CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore; - -import java.io.IOException; -import java.security.KeyPair; -import java.security.Security; -import java.security.cert.CertificateParsingException; -import java.security.cert.X509Certificate; -import java.util.Collections; -import java.util.Date; -import java.util.Objects; -import java.util.Optional; import org.apache.http.impl.client.CloseableHttpClient; import org.bouncycastle.asn1.cmp.CMPCertificate; import org.bouncycastle.asn1.cmp.CertRepMessage; @@ -48,11 +35,28 @@ import org.onap.oom.certservice.certification.model.CsrModel; import org.onap.oom.certservice.certification.model.OldCertificateModel; import org.onap.oom.certservice.cmpv2client.api.CmpClient; import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException; +import org.onap.oom.certservice.cmpv2client.impl.protections.PasswordBasedProtection; +import org.onap.oom.certservice.cmpv2client.impl.protections.PkiMessageProtection; +import org.onap.oom.certservice.cmpv2client.impl.protections.SignatureProtection; import org.onap.oom.certservice.cmpv2client.model.Cmpv2CertificationModel; import org.onap.oom.certservice.cmpv2client.validation.CmpCertificationValidator; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.io.IOException; +import java.security.KeyPair; +import java.security.Security; +import java.security.cert.CertificateParsingException; +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.Date; +import java.util.Objects; +import java.util.Optional; + +import static org.onap.oom.certservice.cmpv2client.impl.CmpResponseHelper.checkIfCmpResponseContainsError; +import static org.onap.oom.certservice.cmpv2client.impl.CmpResponseHelper.getCertFromByteArray; +import static org.onap.oom.certservice.cmpv2client.impl.CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore; + /** * Implementation of the CmpClient Interface conforming to RFC4210 (Certificate Management Protocol * (CMP)) and RFC4211 (Certificate Request Message Format (CRMF)) standards. diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java index 8912e88c..a05a5b7a 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java @@ -21,12 +21,6 @@ package org.onap.oom.certservice.cmpv2client.impl; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.security.SecureRandom; -import java.util.Date; -import java.util.Objects; - import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1EncodableVector; import org.bouncycastle.asn1.ASN1GeneralizedTime; @@ -46,6 +40,12 @@ import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.security.SecureRandom; +import java.util.Date; +import java.util.Objects; + public final class CmpUtil { private static final Logger LOGGER = LoggerFactory.getLogger(CmpUtil.class); @@ -83,7 +83,7 @@ public final class CmpUtil { * * @return bytes containing a random number string representing a nonce */ - static byte[] createRandomBytes() { + public static byte[] createRandomBytes() { LOGGER.info("Generating random array of bytes"); byte[] randomBytes = new byte[RANDOM_BYTE_LENGTH]; SECURE_RANDOM.nextBytes(randomBytes); @@ -96,7 +96,7 @@ public final class CmpUtil { * * @return bytes containing a random number string representing a nonce */ - static int createRandomInt(int range) { + public static int createRandomInt(int range) { LOGGER.info("Generating random integer"); return SECURE_RANDOM.nextInt(range) + RANDOM_SEED; } @@ -108,7 +108,7 @@ public final class CmpUtil { * @param body Body of PKIMessage containing specific information for message * @return bytes representing the PKIHeader and PKIBody thats to be protected */ - static byte[] generateProtectedBytes(PKIHeader header, PKIBody body) throws CmpClientException { + public static byte[] generateProtectedBytes(PKIHeader header, PKIBody body) throws CmpClientException { LOGGER.info("Generating array of bytes representing PkiHeader and PkiBody"); byte[] res; ASN1EncodableVector vector = new ASN1EncodableVector(); diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java index c3283044..c7ed8b77 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java @@ -21,12 +21,6 @@ package org.onap.oom.certservice.cmpv2client.impl; -import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomInt; -import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generatePkiHeader; - -import java.security.KeyPair; -import java.util.Date; - import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.DERBitString; import org.bouncycastle.asn1.cmp.CMPCertificate; @@ -44,6 +38,13 @@ import org.bouncycastle.asn1.x509.GeneralName; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException; +import org.onap.oom.certservice.cmpv2client.impl.protections.PkiMessageProtection; + +import java.security.KeyPair; +import java.util.Date; + +import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomInt; +import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generatePkiHeader; /** * Implementation of the CmpClient Interface conforming to RFC4210 (Certificate Management Protocol diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PasswordBasedProtection.java index 621415c0..c9d79e2d 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PasswordBasedProtection.java @@ -18,7 +18,7 @@ * ============LICENSE_END========================================================= */ -package org.onap.oom.certservice.cmpv2client.impl; +package org.onap.oom.certservice.cmpv2client.impl.protections; import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.ASN1ObjectIdentifier; @@ -54,12 +54,12 @@ public class PasswordBasedProtection extends PkiMessageProtection { private final String initAuthPassword; - PasswordBasedProtection(String initAuthPassword) { + public PasswordBasedProtection(String initAuthPassword) { this.initAuthPassword = initAuthPassword; } @Override - AlgorithmIdentifier getAlgorithmIdentifier() { + public AlgorithmIdentifier getAlgorithmIdentifier() { ASN1Integer iteration = new ASN1Integer(ITERATIONS); DEROctetString derSalt = new DEROctetString(SALT); diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PkiMessageProtection.java index d32ed588..235d4bbf 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PkiMessageProtection.java @@ -18,7 +18,7 @@ * ============LICENSE_END========================================================= */ -package org.onap.oom.certservice.cmpv2client.impl; +package org.onap.oom.certservice.cmpv2client.impl.protections; import org.bouncycastle.asn1.DERBitString; import org.bouncycastle.asn1.cmp.PKIBody; @@ -45,7 +45,7 @@ public abstract class PkiMessageProtection { * * @return bytes representing protection wrapped into DERBitString object. */ - DERBitString generatePkiMessageProtection(PKIHeader pkiHeader, PKIBody pkiBody) throws CmpClientException { + public DERBitString generatePkiMessageProtection(PKIHeader pkiHeader, PKIBody pkiBody) throws CmpClientException { try { byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody); byte[] protectionBytes = generateProtectionBytes(protectedBytes); @@ -60,17 +60,17 @@ public abstract class PkiMessageProtection { } /** - * Takes encoded bytes of PKIMessage (PKIHeader and PKIBody) and generates protection bytes. + * Returns Algorithm Identifier for protection of PKIMessage. * - * @return bytes representing protection. + * @return Algorithm Identifier. */ - abstract byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException; + public abstract AlgorithmIdentifier getAlgorithmIdentifier(); /** - * Returns Algorithm Identifier for protection of PKIMessage. + * Takes encoded bytes of PKIMessage (PKIHeader and PKIBody) and generates protection bytes. * - * @return Algorithm Identifier. + * @return bytes representing protection. */ - abstract AlgorithmIdentifier getAlgorithmIdentifier(); + abstract byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException; } diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/SignatureProtection.java index ad778430..faf99c96 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/SignatureProtection.java @@ -18,7 +18,7 @@ * ============LICENSE_END========================================================= */ -package org.onap.oom.certservice.cmpv2client.impl; +package org.onap.oom.certservice.cmpv2client.impl.protections; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; @@ -40,12 +40,12 @@ public class SignatureProtection extends PkiMessageProtection { private final PrivateKey oldPrivateKey; - SignatureProtection(PrivateKey privateKey) { + public SignatureProtection(PrivateKey privateKey) { this.oldPrivateKey = privateKey; } @Override - AlgorithmIdentifier getAlgorithmIdentifier() { + public AlgorithmIdentifier getAlgorithmIdentifier() { return SHA256_RSA_ALGORITHM; } diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/validation/CmpCertificationValidator.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/validation/CmpCertificationValidator.java index 40a2a1d9..b9a04a47 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/validation/CmpCertificationValidator.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/validation/CmpCertificationValidator.java @@ -22,14 +22,7 @@ package org.onap.oom.certservice.cmpv2client.validation; -import static org.onap.oom.certservice.cmpv2client.impl.CmpResponseValidationHelper.checkImplicitConfirm; -import static org.onap.oom.certservice.cmpv2client.impl.CmpResponseValidationHelper.verifyPasswordBasedProtection; -import static org.onap.oom.certservice.cmpv2client.impl.CmpResponseValidationHelper.verifySignature; -import java.security.PublicKey; -import java.util.Date; -import java.util.Objects; -import java.util.Optional; import org.apache.http.impl.client.CloseableHttpClient; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.cmp.CertResponse; @@ -46,13 +39,22 @@ import org.onap.oom.certservice.cmpv2client.impl.PkiStatus; import org.slf4j.Logger; import org.slf4j.LoggerFactory; +import java.security.PublicKey; +import java.util.Date; +import java.util.Objects; +import java.util.Optional; + +import static org.onap.oom.certservice.cmpv2client.impl.CmpResponseValidationHelper.checkImplicitConfirm; +import static org.onap.oom.certservice.cmpv2client.impl.CmpResponseValidationHelper.verifyPasswordBasedProtection; +import static org.onap.oom.certservice.cmpv2client.impl.CmpResponseValidationHelper.verifySignature; + public class CmpCertificationValidator { private static final String DEFAULT_CA_NAME = "Certification Authority"; private static final String DEFAULT_PROFILE = CaMode.RA.getProfile(); private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC = new ASN1ObjectIdentifier("1.2.840.113533.7.66.13"); private static final Logger LOG = LoggerFactory.getLogger(CmpCertificationValidator.class); - public static void validate( + public void validate( final CsrModel csrModel, final Cmpv2Server server, final CloseableHttpClient httpClient, diff --git a/certService/src/test/java/org/onap/oom/certservice/certification/conversion/CsrModelFactoryTest.java b/certService/src/test/java/org/onap/oom/certservice/certification/conversion/CsrModelFactoryTest.java index 26624867..54508e4b 100644 --- a/certService/src/test/java/org/onap/oom/certservice/certification/conversion/CsrModelFactoryTest.java +++ b/certService/src/test/java/org/onap/oom/certservice/certification/conversion/CsrModelFactoryTest.java @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * Cert Service * ================================================================================ - * Copyright (C) 2020 Nokia. All rights reserved. + * Copyright (C) 2020-2021 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,13 +20,6 @@ package org.onap.oom.certservice.certification.conversion; -import static org.junit.jupiter.api.Assertions.assertThrows; -import static org.junit.jupiter.api.Assertions.assertTrue; -import static org.onap.oom.certservice.certification.TestData.TEST_CSR; -import static org.onap.oom.certservice.certification.TestData.TEST_PK; -import static org.onap.oom.certservice.certification.TestData.TEST_WRONG_CSR; -import static org.onap.oom.certservice.certification.TestData.TEST_WRONG_PEM; - import org.bouncycastle.util.encoders.Base64; import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; @@ -36,6 +29,13 @@ import org.onap.oom.certservice.certification.exception.DecryptionException; import org.onap.oom.certservice.certification.exception.KeyDecryptionException; import org.onap.oom.certservice.certification.model.CsrModel; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.onap.oom.certservice.certification.TestData.TEST_CSR; +import static org.onap.oom.certservice.certification.TestData.TEST_PK; +import static org.onap.oom.certservice.certification.TestData.TEST_WRONG_CSR; +import static org.onap.oom.certservice.certification.TestData.TEST_WRONG_PEM; + class CsrModelFactoryTest { @@ -58,7 +58,6 @@ class CsrModelFactoryTest { assertTrue(decryptedCsr.toString() .contains(TestData.EXPECTED_CERT_SUBJECT)); - System.out.println(decryptedCsr.toString()); assertTrue(decryptedCsr.toString() .contains(TestData.EXPECTED_CERT_SANS)); } diff --git a/certService/src/test/java/org/onap/oom/certservice/certification/conversion/StringBase64ToPrivateKeyConverterTest.java b/certService/src/test/java/org/onap/oom/certservice/certification/conversion/StringBase64ToPrivateKeyConverterTest.java new file mode 100644 index 00000000..7a722b2c --- /dev/null +++ b/certService/src/test/java/org/onap/oom/certservice/certification/conversion/StringBase64ToPrivateKeyConverterTest.java @@ -0,0 +1,89 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nokia. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.oom.certservice.certification.conversion; + +import org.bouncycastle.util.encoders.Base64; +import org.junit.jupiter.api.Test; +import org.onap.oom.certservice.certification.exception.KeyDecryptionException; + +import java.security.PrivateKey; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertThrows; +import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.onap.oom.certservice.certification.TestData.TEST_PEM; +import static org.onap.oom.certservice.certification.TestData.TEST_PK; + +class StringBase64ToPrivateKeyConverterTest { + + private static final String RSA = "RSA"; + public static final String PKCS_8 = "PKCS#8"; + + @Test + void shouldUseProperAlgorithmWhenConverting() throws KeyDecryptionException { + // Given + StringBase64ToPrivateKeyConverter stringBase64ToPrivateKeyConverter = new StringBase64ToPrivateKeyConverter(); + String encodedPK = new String(Base64.encode(TEST_PK.getBytes())); + // When + PrivateKey privateKey = stringBase64ToPrivateKeyConverter.convert(new StringBase64(encodedPK)); + // Then + assertEquals(RSA, privateKey.getAlgorithm()); + } + + @Test + void shouldUsePkcs8FormatWhenConverting() throws KeyDecryptionException { + // Given + StringBase64ToPrivateKeyConverter stringBase64ToPrivateKeyConverter = new StringBase64ToPrivateKeyConverter(); + String encodedPK = new String(Base64.encode(TEST_PK.getBytes())); + // When + PrivateKey privateKey = stringBase64ToPrivateKeyConverter.convert(new StringBase64(encodedPK)); + // Then + assertEquals(PKCS_8, privateKey.getFormat()); + } + + @Test + void shouldCorrectlyConvertWhenPrivateKeyPemIsProper() throws KeyDecryptionException { + // Given + StringBase64ToPrivateKeyConverter stringBase64ToPrivateKeyConverter = new StringBase64ToPrivateKeyConverter(); + String encodedPK = new String(Base64.encode(TEST_PK.getBytes())); + // When + PrivateKey privateKey = stringBase64ToPrivateKeyConverter.convert(new StringBase64(encodedPK)); + // Then + assertNotNull(privateKey.getEncoded()); + } + + @Test + void shouldThrowExceptionWhenPrivateKeyPemIsNotProperPrivateKey() { + // Given + StringBase64ToPrivateKeyConverter stringBase64ToPrivateKeyConverter = new StringBase64ToPrivateKeyConverter(); + StringBase64 privateKey = new StringBase64(TEST_PEM); + // When + Exception exception = assertThrows( + KeyDecryptionException.class, () -> stringBase64ToPrivateKeyConverter.convert(privateKey)); + + String expectedMessage = "Incorrect Key, decryption failed"; + String actualMessage = exception.getMessage(); + // Then + assertTrue(actualMessage.contains(expectedMessage)); + } + +} diff --git a/certService/src/test/java/org/onap/oom/certservice/certification/model/CsrModelTest.java b/certService/src/test/java/org/onap/oom/certservice/certification/model/CsrModelTest.java index 72837e56..c3bd4d78 100644 --- a/certService/src/test/java/org/onap/oom/certservice/certification/model/CsrModelTest.java +++ b/certService/src/test/java/org/onap/oom/certservice/certification/model/CsrModelTest.java @@ -2,7 +2,7 @@ * ============LICENSE_START======================================================= * PROJECT * ================================================================================ - * Copyright (C) 2020 Nokia. All rights reserved. + * Copyright (C) 2020-2021 Nokia. All rights reserved. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,21 +20,26 @@ package org.onap.oom.certservice.certification.model; -import java.util.Arrays; -import java.util.List; -import java.util.stream.Collectors; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.pkcs.PKCS10CertificationRequest; import org.bouncycastle.util.io.pem.PemObject; import org.junit.jupiter.api.Test; -import org.onap.oom.certservice.certification.conversion.Pkcs10CertificationRequestFactory; -import org.onap.oom.certservice.certification.conversion.PemObjectFactory; import org.onap.oom.certservice.certification.TestData; +import org.onap.oom.certservice.certification.conversion.PemObjectFactory; +import org.onap.oom.certservice.certification.conversion.Pkcs10CertificationRequestFactory; import org.onap.oom.certservice.certification.exception.CsrDecryptionException; import org.onap.oom.certservice.certification.exception.DecryptionException; import org.onap.oom.certservice.certification.exception.KeyDecryptionException; import java.io.IOException; +import java.security.KeyFactory; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.spec.InvalidKeySpecException; +import java.security.spec.PKCS8EncodedKeySpec; +import java.util.Arrays; +import java.util.List; +import java.util.stream.Collectors; import static org.assertj.core.api.Assertions.assertThat; import static org.junit.jupiter.api.Assertions.assertThrows; @@ -57,7 +62,7 @@ class CsrModelTest { @Test void shouldByConstructedAndReturnProperFields() throws DecryptionException, IOException { // Given - PemObject testPrivateKey = getPemPrivateKey(); + PrivateKey testPrivateKey = getPemPrivateKey(); PemObject testPublicKey = generateTestPublicKey(); PKCS10CertificationRequest testCsr = generateTestCertificationRequest(); @@ -70,7 +75,7 @@ class CsrModelTest { assertThat(csrModel.getCsr()) .isEqualTo(testCsr); assertThat(csrModel.getPrivateKey().getEncoded()) - .contains(testPrivateKey.getContent()); + .isEqualTo(testPrivateKey.getEncoded()); assertThat(csrModel.getPublicKey().getEncoded()) .contains(testPublicKey.getContent()); assertThat(sansList) @@ -84,7 +89,7 @@ class CsrModelTest { @Test void shouldThrowExceptionWhenPublicKeyIsNotCorrect() throws DecryptionException, IOException { // Given - PemObject testPrivateKey = getPemPrivateKey(); + PrivateKey testPrivateKey = getPemPrivateKey(); PKCS10CertificationRequest testCsr = mock(PKCS10CertificationRequest.class); SubjectPublicKeyInfo wrongKryInfo = mock(SubjectPublicKeyInfo.class); when(testCsr.getSubjectPublicKeyInfo()) @@ -106,33 +111,9 @@ class CsrModelTest { } @Test - void shouldThrowExceptionWhenPrivateKeyPemIsNotProperPrivateKey() throws KeyDecryptionException, IOException { - // Given - PemObject testPrivateKey = getPemWrongKey(); - PKCS10CertificationRequest testCsr = mock(PKCS10CertificationRequest.class); - SubjectPublicKeyInfo wrongKryInfo = mock(SubjectPublicKeyInfo.class); - when(testCsr.getSubjectPublicKeyInfo()) - .thenReturn(wrongKryInfo); - when(wrongKryInfo.getEncoded()) - .thenThrow(new IOException()); - - // When - Exception exception = assertThrows( - KeyDecryptionException.class, - () -> new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build() - ); - - String expectedMessage = "Converting Private Key failed"; - String actualMessage = exception.getMessage(); - - // Then - assertTrue(actualMessage.contains(expectedMessage)); - } - - @Test void shouldThrowExceptionWhenPublicKeyPemIsNotProperPublicKey() throws KeyDecryptionException, IOException { // Given - PemObject testPrivateKey = getPemPrivateKey(); + PrivateKey testPrivateKey = getPemPrivateKey(); PemObject testPublicKey = getPemWrongKey(); PKCS10CertificationRequest testCsr = mock(PKCS10CertificationRequest.class); SubjectPublicKeyInfo wrongKryInfo = mock(SubjectPublicKeyInfo.class); @@ -154,11 +135,12 @@ class CsrModelTest { assertTrue(actualMessage.contains(expectedMessage)); } - private PemObject getPemPrivateKey() throws KeyDecryptionException { + private PrivateKey getPemPrivateKey() throws KeyDecryptionException { PemObjectFactory pemObjectFactory = new PemObjectFactory(); - return pemObjectFactory.createPemObject(TEST_PK).orElseThrow( - () -> new KeyDecryptionException("Private key decoding fail") + PemObject pemObject = pemObjectFactory.createPemObject(TEST_PK).orElseThrow( + () -> new KeyDecryptionException("Private key decoding fail") ); + return convertToPrivateKey(pemObject); } private PemObject getPemWrongKey() throws KeyDecryptionException { @@ -172,7 +154,7 @@ class CsrModelTest { PemObject testPrivateKey = pemObjectFactory.createPemObject(TEST_PK).orElseThrow( () -> new DecryptionException("Incorrect Private Key, decryption failed") ); - return new CsrModel.CsrModelBuilder(testCsr, testPrivateKey).build(); + return new CsrModel.CsrModelBuilder(testCsr, convertToPrivateKey(testPrivateKey)).build(); } private PemObject generateTestPublicKey() throws DecryptionException, IOException { @@ -189,4 +171,15 @@ class CsrModelTest { ); } + private PrivateKey convertToPrivateKey(PemObject privateKey) + throws KeyDecryptionException { + try { + KeyFactory factory = KeyFactory.getInstance("RSA"); + PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKey.getContent()); + return factory.generatePrivate(keySpec); + } catch (NoSuchAlgorithmException | InvalidKeySpecException e) { + throw new KeyDecryptionException("Converting Private Key failed", e.getCause()); + } + } + } diff --git a/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtectionTest.java b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/protections/PasswordBasedProtectionTest.java index b280a2e6..c249fab7 100644 --- a/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtectionTest.java +++ b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/protections/PasswordBasedProtectionTest.java @@ -18,7 +18,7 @@ * ============LICENSE_END========================================================= */ -package org.onap.oom.certservice.cmpv2client.impl; +package org.onap.oom.certservice.cmpv2client.impl.protections; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.DERBitString; @@ -44,8 +44,8 @@ import java.security.Security; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertTrue; -import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getProtectedPkiMessage; -import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getTestPkiHeader; +import static org.onap.oom.certservice.cmpv2client.impl.protections.PkiTestUtils.getProtectedPkiMessage; +import static org.onap.oom.certservice.cmpv2client.impl.protections.PkiTestUtils.getTestPkiHeader; class PasswordBasedProtectionTest { diff --git a/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PkiTestUtils.java b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/protections/PkiTestUtils.java index 7f7df455..74af51c1 100644 --- a/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PkiTestUtils.java +++ b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/protections/PkiTestUtils.java @@ -18,7 +18,7 @@ * ============LICENSE_END========================================================= */ -package org.onap.oom.certservice.cmpv2client.impl; +package org.onap.oom.certservice.cmpv2client.impl.protections; import org.bouncycastle.asn1.DERBitString; import org.bouncycastle.asn1.DERGeneralizedTime; diff --git a/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtectionTest.java b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/protections/SignatureProtectionTest.java index ba382c42..a97a3c6e 100644 --- a/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtectionTest.java +++ b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/protections/SignatureProtectionTest.java @@ -18,7 +18,7 @@ * ============LICENSE_END========================================================= */ -package org.onap.oom.certservice.cmpv2client.impl; +package org.onap.oom.certservice.cmpv2client.impl.protections; import org.bouncycastle.asn1.DERBitString; import org.bouncycastle.asn1.cmp.PKIBody; @@ -42,9 +42,9 @@ import java.security.Security; import static org.junit.jupiter.api.Assertions.assertEquals; import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertTrue; -import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getProtectedPkiMessage; -import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getTestPkiBody; -import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getTestPkiHeader; +import static org.onap.oom.certservice.cmpv2client.impl.protections.PkiTestUtils.getProtectedPkiMessage; +import static org.onap.oom.certservice.cmpv2client.impl.protections.PkiTestUtils.getTestPkiBody; +import static org.onap.oom.certservice.cmpv2client.impl.protections.PkiTestUtils.getTestPkiHeader; class SignatureProtectionTest { |