diff options
author | Pawel Baniewski <pawel.baniewski@nokia.com> | 2021-07-15 08:46:29 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2021-07-15 08:46:29 +0000 |
commit | f9f3ca33aaec818d658136d7f0e5acc6fd51aa0b (patch) | |
tree | f810bac85e8a1612b68e473e3ab82e6bebce833a /certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PasswordBasedProtection.java | |
parent | 6972c0fca528be15a3d9dbbb4106f20b07474bb7 (diff) | |
parent | dd84c4aad3b0ebb9af61e1c45c95a033121c5153 (diff) |
Merge "[OOM-CERT-SERVICE] Refactor CertService API code"
Diffstat (limited to 'certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PasswordBasedProtection.java')
-rw-r--r-- | certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PasswordBasedProtection.java | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PasswordBasedProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PasswordBasedProtection.java new file mode 100644 index 00000000..c9d79e2d --- /dev/null +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PasswordBasedProtection.java @@ -0,0 +1,100 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nokia. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.oom.certservice.cmpv2client.impl.protections; + +import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.cmp.PBMParameter; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.jce.provider.BouncyCastleProvider; + +import javax.crypto.Mac; +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import java.security.GeneralSecurityException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; + +import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomBytes; +import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomInt; + +/** + * Implementation of password-based PKIMessage protection + */ +public class PasswordBasedProtection extends PkiMessageProtection { + + private static final int ITERATIONS = createRandomInt(1000); + private static final byte[] SALT = createRandomBytes(); + private static final AlgorithmIdentifier OWF_ALGORITHM = + new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26")); + private static final AlgorithmIdentifier MAC_ALGORITHM = + new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2")); + private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC = + new ASN1ObjectIdentifier("1.2.840.113533.7.66.13"); + + private final String initAuthPassword; + + public PasswordBasedProtection(String initAuthPassword) { + this.initAuthPassword = initAuthPassword; + } + + @Override + public AlgorithmIdentifier getAlgorithmIdentifier() { + ASN1Integer iteration = new ASN1Integer(ITERATIONS); + DEROctetString derSalt = new DEROctetString(SALT); + + PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM); + return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp); + } + + @Override + byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException { + byte[] baseKey = generateBaseKey(); + return generateMacBytes(baseKey, protectedBytes); + } + + private byte[] generateBaseKey() throws NoSuchAlgorithmException, NoSuchProviderException { + byte[] raSecret = initAuthPassword.getBytes(); + byte[] baseKey = new byte[raSecret.length + SALT.length]; + System.arraycopy(raSecret, 0, baseKey, 0, raSecret.length); + System.arraycopy(SALT, 0, baseKey, raSecret.length, SALT.length); + MessageDigest dig = + MessageDigest.getInstance( + OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME); + for (int i = 0; i < ITERATIONS; i++) { + baseKey = dig.digest(baseKey); + dig.reset(); + } + return baseKey; + } + + private byte[] generateMacBytes(byte[] baseKey, byte[] protectedBytes) throws GeneralSecurityException { + Mac mac = Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME); + SecretKey key = new SecretKeySpec(baseKey, MAC_ALGORITHM.getAlgorithm().getId()); + mac.init(key); + mac.reset(); + mac.update(protectedBytes, 0, protectedBytes.length); + return mac.doFinal(); + } + +} |