diff options
author | baniewsk <pawel.baniewski@nokia.com> | 2020-07-29 16:01:27 +0200 |
---|---|---|
committer | Pawel <pawel.kasperkiewicz@nokia.com> | 2020-08-05 14:18:54 +0200 |
commit | b8c4e6867d6b26652f4382e93665c220769cdc9f (patch) | |
tree | bb60a44b012731e3ee6fdffe2466f5ed7d6b5c7b /certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java | |
parent | fc31c9e47b3e08f8914dcd1f0c5b6d18aa625567 (diff) |
Removing AAF references from Cert-Service in OOM repo.
Certificates regenerated
External files (from legacy AAF) removed
Still left:
* Sonar link,
* Link to documentation,
* Names of K8s resources in RTD documentation,
* Link to CSITs
Issue-ID: OOM-2526
Signed-off-by: Pawel Baniewski <pawel.baniewski@nokia.com>
Change-Id: I675f7485160b9b8e46e9ea573550e62ed28ca607
Diffstat (limited to 'certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java')
-rw-r--r-- | certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java | 242 |
1 files changed, 0 insertions, 242 deletions
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java deleted file mode 100644 index 87991132..00000000 --- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java +++ /dev/null @@ -1,242 +0,0 @@ -/*- - * ============LICENSE_START======================================================= - * Copyright (C) 2020 Nordix Foundation. - * ================================================================================ - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * SPDX-License-Identifier: Apache-2.0 - * ============LICENSE_END========================================================= - */ - -package org.onap.aaf.certservice.cmpv2client.impl; - -import java.security.KeyPair; -import java.security.PublicKey; - -import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseHelper.checkIfCmpResponseContainsError; -import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseHelper.getCertFromByteArray; -import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore; -import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseValidationHelper.checkImplicitConfirm; -import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseValidationHelper.verifyPasswordBasedProtection; -import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseValidationHelper.verifySignature; - -import java.io.IOException; -import java.security.cert.CertificateParsingException; -import java.security.cert.X509Certificate; -import java.util.Collections; -import java.util.Date; -import java.util.Objects; -import java.util.Optional; - -import org.apache.http.impl.client.CloseableHttpClient; -import org.bouncycastle.asn1.cmp.CMPCertificate; -import org.bouncycastle.asn1.cmp.CertRepMessage; -import org.bouncycastle.asn1.cmp.CertResponse; -import org.bouncycastle.asn1.cmp.PKIBody; -import org.bouncycastle.asn1.cmp.PKIHeader; -import org.bouncycastle.asn1.cmp.PKIMessage; -import org.bouncycastle.asn1.x509.AlgorithmIdentifier; -import org.onap.aaf.certservice.certification.configuration.model.CaMode; -import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; -import org.onap.aaf.certservice.certification.model.CsrModel; -import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; -import org.onap.aaf.certservice.cmpv2client.api.CmpClient; -import org.onap.aaf.certservice.cmpv2client.model.Cmpv2CertificationModel; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -/** - * Implementation of the CmpClient Interface conforming to RFC4210 (Certificate Management Protocol - * (CMP)) and RFC4211 (Certificate Request Message Format (CRMF)) standards. - */ -public class CmpClientImpl implements CmpClient { - - private static final Logger LOG = LoggerFactory.getLogger(CmpClientImpl.class); - private final CloseableHttpClient httpClient; - - private static final String DEFAULT_CA_NAME = "Certification Authority"; - private static final String DEFAULT_PROFILE = CaMode.RA.getProfile(); - - public CmpClientImpl(CloseableHttpClient httpClient) { - this.httpClient = httpClient; - } - - @Override - public Cmpv2CertificationModel createCertificate( - CsrModel csrModel, - Cmpv2Server server, - Date notBefore, - Date notAfter) - throws CmpClientException { - - validate(csrModel, server, httpClient, notBefore, notAfter); - KeyPair keyPair = new KeyPair(csrModel.getPublicKey(), csrModel.getPrivateKey()); - - final CreateCertRequest certRequest = - CmpMessageBuilder.of(CreateCertRequest::new) - .with(CreateCertRequest::setIssuerDn, server.getIssuerDN()) - .with(CreateCertRequest::setSubjectDn, csrModel.getSubjectData()) - .with(CreateCertRequest::setSansList, csrModel.getSans()) - .with(CreateCertRequest::setSubjectKeyPair, keyPair) - .with(CreateCertRequest::setNotBefore, notBefore) - .with(CreateCertRequest::setNotAfter, notAfter) - .with(CreateCertRequest::setInitAuthPassword, server.getAuthentication().getIak()) - .with(CreateCertRequest::setSenderKid, server.getAuthentication().getRv()) - .build(); - - final PKIMessage pkiMessage = certRequest.generateCertReq(); - Cmpv2HttpClient cmpv2HttpClient = new Cmpv2HttpClient(httpClient); - return retrieveCertificates(csrModel, server, pkiMessage, cmpv2HttpClient); - } - - @Override - public Cmpv2CertificationModel createCertificate(CsrModel csrModel, Cmpv2Server server) - throws CmpClientException { - return createCertificate(csrModel, server, null, null); - } - - private void checkCmpResponse( - final PKIMessage respPkiMessage, final PublicKey publicKey, final String initAuthPassword) - throws CmpClientException { - final PKIHeader header = respPkiMessage.getHeader(); - final AlgorithmIdentifier protectionAlgo = header.getProtectionAlg(); - verifySignatureWithPublicKey(respPkiMessage, publicKey); - verifyProtectionWithProtectionAlgo(respPkiMessage, initAuthPassword, header, protectionAlgo); - } - - private void verifySignatureWithPublicKey(PKIMessage respPkiMessage, PublicKey publicKey) - throws CmpClientException { - if (Objects.nonNull(publicKey)) { - LOG.debug("Verifying signature of the response."); - verifySignature(respPkiMessage, publicKey); - } else { - LOG.error("Public Key is not available, therefore cannot verify signature"); - throw new CmpClientException( - "Public Key is not available, therefore cannot verify signature"); - } - } - - private void verifyProtectionWithProtectionAlgo( - PKIMessage respPkiMessage, - String initAuthPassword, - PKIHeader header, - AlgorithmIdentifier protectionAlgo) - throws CmpClientException { - if (Objects.nonNull(protectionAlgo)) { - LOG.debug("Verifying PasswordBased Protection of the Response."); - verifyPasswordBasedProtection(respPkiMessage, initAuthPassword, protectionAlgo); - checkImplicitConfirm(header); - } else { - LOG.error( - "Protection Algorithm is not available when expecting PBE protected response containing protection algorithm"); - throw new CmpClientException( - "Protection Algorithm is not available when expecting PBE protected response containing protection algorithm"); - } - } - - private Cmpv2CertificationModel checkCmpCertRepMessage(final PKIMessage respPkiMessage) - throws CmpClientException { - final PKIBody pkiBody = respPkiMessage.getBody(); - if (Objects.nonNull(pkiBody) && pkiBody.getContent() instanceof CertRepMessage) { - final CertRepMessage certRepMessage = (CertRepMessage) pkiBody.getContent(); - if (Objects.nonNull(certRepMessage)) { - final CertResponse certResponse = - getCertificateResponseContainingNewCertificate(certRepMessage); - try { - return verifyReturnCertChainAndTrustStore(respPkiMessage, certRepMessage, certResponse); - } catch (IOException | CertificateParsingException ex) { - CmpClientException cmpClientException = - new CmpClientException( - "Exception occurred while retrieving Certificates from response", ex); - LOG.error("Exception occurred while retrieving Certificates from response", ex); - throw cmpClientException; - } - } else { - return new Cmpv2CertificationModel(Collections.emptyList(), Collections.emptyList()); - } - } - return new Cmpv2CertificationModel(Collections.emptyList(), Collections.emptyList()); - } - - private Cmpv2CertificationModel verifyReturnCertChainAndTrustStore( - PKIMessage respPkiMessage, CertRepMessage certRepMessage, CertResponse certResponse) - throws CertificateParsingException, CmpClientException, IOException { - LOG.info("Verifying certificates returned as part of CertResponse."); - final CMPCertificate cmpCertificate = - certResponse.getCertifiedKeyPair().getCertOrEncCert().getCertificate(); - final Optional<X509Certificate> leafCertificate = - getCertFromByteArray(cmpCertificate.getEncoded(), X509Certificate.class); - if (leafCertificate.isPresent()) { - return verifyAndReturnCertChainAndTrustSTore( - respPkiMessage, certRepMessage, leafCertificate.get()); - } - return new Cmpv2CertificationModel(Collections.emptyList(), Collections.emptyList()); - } - - private CertResponse getCertificateResponseContainingNewCertificate( - CertRepMessage certRepMessage) { - return certRepMessage.getResponse()[0]; - } - - /** - * Validate inputs for Certificate Creation. - * - * @param csrModel Certificate Signing Request model. Must not be {@code null}. - * @param server CMPv2 Server. Must not be {@code null}. - * @throws IllegalArgumentException if Before Date is set after the After Date. - */ - private static void validate( - final CsrModel csrModel, - final Cmpv2Server server, - final CloseableHttpClient httpClient, - final Date notBefore, - final Date notAfter) { - - String caName = CmpUtil.isNullOrEmpty(server.getCaName()) ? server.getCaName() : DEFAULT_CA_NAME; - String profile = server.getCaMode() != null ? server.getCaMode().getProfile() : DEFAULT_PROFILE; - LOG.info( - "Validate before creating Certificate Request for CA :{} in Mode {} ", caName, profile); - - CmpUtil.notNull(csrModel, "CsrModel Instance"); - CmpUtil.notNull(csrModel.getSubjectData(), "Subject DN"); - CmpUtil.notNull(csrModel.getPrivateKey(), "Subject private key"); - CmpUtil.notNull(csrModel.getPublicKey(), "Subject public key"); - CmpUtil.notNull(server.getIssuerDN(), "Issuer DN"); - CmpUtil.notNull(server.getUrl(), "External CA URL"); - CmpUtil.notNull(server.getAuthentication().getIak(), "IAK/RV Password"); - CmpUtil.notNull(httpClient, "Closeable Http Client"); - - if (notBefore != null && notAfter != null && notBefore.compareTo(notAfter) > 0) { - throw new IllegalArgumentException("Before Date is set after the After Date"); - } - } - - private Cmpv2CertificationModel retrieveCertificates( - CsrModel csrModel, Cmpv2Server server, PKIMessage pkiMessage, Cmpv2HttpClient cmpv2HttpClient) - throws CmpClientException { - final byte[] respBytes = cmpv2HttpClient.postRequest(pkiMessage, server.getUrl(), server.getCaName()); - try { - final PKIMessage respPkiMessage = PKIMessage.getInstance(respBytes); - LOG.info("Received response from Server"); - checkIfCmpResponseContainsError(respPkiMessage); - checkCmpResponse(respPkiMessage, csrModel.getPublicKey(), server.getAuthentication().getIak()); - return checkCmpCertRepMessage(respPkiMessage); - } catch (IllegalArgumentException iae) { - CmpClientException cmpClientException = - new CmpClientException( - "Error encountered while processing response from CA server ", iae); - LOG.error("Error encountered while processing response from CA server ", iae); - throw cmpClientException; - } - } -} |