[OOM-CERT-SERVICE] Refactor CertService API code

- move conversion StringBase64 to PrivateKey to separate class
- move protection algorithm classes to separate package
- adjust modifiers and test to above changes

Issue-ID: OOM-2753
Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
Change-Id: Ifafa38162acfcd59d5177dbc478a6209e97a18e3

3 files changed, 239 insertions, 0 deletions

diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PasswordBasedProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PasswordBasedProtection.java
new file mode 100644
index 00000000..c9d79e2d
--- /dev/null
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PasswordBasedProtection.java
@@ -0,0 +1,100 @@
+/*-
+ * ============LICENSE_START=======================================================
+ *  Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl.protections;
+
+import org.bouncycastle.asn1.ASN1Integer;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.cmp.PBMParameter;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+
+import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomBytes;
+import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomInt;
+
+/**
+ * Implementation of password-based PKIMessage protection
+ */
+public class PasswordBasedProtection extends PkiMessageProtection {
+
+    private static final int ITERATIONS = createRandomInt(1000);
+    private static final byte[] SALT = createRandomBytes();
+    private static final AlgorithmIdentifier OWF_ALGORITHM =
+            new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
+    private static final AlgorithmIdentifier MAC_ALGORITHM =
+            new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2"));
+    private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC =
+            new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
+
+    private final String initAuthPassword;
+
+    public PasswordBasedProtection(String initAuthPassword) {
+        this.initAuthPassword = initAuthPassword;
+    }
+
+    @Override
+    public AlgorithmIdentifier getAlgorithmIdentifier() {
+        ASN1Integer iteration = new ASN1Integer(ITERATIONS);
+        DEROctetString derSalt = new DEROctetString(SALT);
+
+        PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM);
+        return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp);
+    }
+
+    @Override
+    byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException {
+        byte[] baseKey = generateBaseKey();
+        return generateMacBytes(baseKey, protectedBytes);
+    }
+
+    private byte[] generateBaseKey() throws NoSuchAlgorithmException, NoSuchProviderException {
+        byte[] raSecret = initAuthPassword.getBytes();
+        byte[] baseKey = new byte[raSecret.length + SALT.length];
+        System.arraycopy(raSecret, 0, baseKey, 0, raSecret.length);
+        System.arraycopy(SALT, 0, baseKey, raSecret.length, SALT.length);
+        MessageDigest dig =
+                MessageDigest.getInstance(
+                        OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
+        for (int i = 0; i < ITERATIONS; i++) {
+            baseKey = dig.digest(baseKey);
+            dig.reset();
+        }
+        return baseKey;
+    }
+
+    private byte[] generateMacBytes(byte[] baseKey, byte[] protectedBytes) throws GeneralSecurityException {
+        Mac mac = Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
+        SecretKey key = new SecretKeySpec(baseKey, MAC_ALGORITHM.getAlgorithm().getId());
+        mac.init(key);
+        mac.reset();
+        mac.update(protectedBytes, 0, protectedBytes.length);
+        return mac.doFinal();
+    }
+
+}
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PkiMessageProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PkiMessageProtection.java
new file mode 100644
index 00000000..235d4bbf
--- /dev/null
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/PkiMessageProtection.java
@@ -0,0 +1,76 @@
+/*-
+ * ============LICENSE_START=======================================================
+ *  Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl.protections;
+
+import org.bouncycastle.asn1.DERBitString;
+import org.bouncycastle.asn1.cmp.PKIBody;
+import org.bouncycastle.asn1.cmp.PKIHeader;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.security.GeneralSecurityException;
+
+import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generateProtectedBytes;
+
+/**
+ * Representation of PKIMessage protection. Complies with RFC4210 (Certificate Management Protocol
+ * (CMP)) and RFC4211 (Certificate Request Message Format (CRMF)) standards.
+ */
+public abstract class PkiMessageProtection {
+
+    private static final Logger LOG = LoggerFactory.getLogger(PkiMessageProtection.class);
+
+    /**
+     * Takes PKIHeader and PKIBody as parameters and generates protection bytes.
+     *
+     * @return bytes representing protection wrapped into DERBitString object.
+     */
+    public DERBitString generatePkiMessageProtection(PKIHeader pkiHeader, PKIBody pkiBody) throws CmpClientException {
+        try {
+            byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody);
+            byte[] protectionBytes = generateProtectionBytes(protectedBytes);
+            return new DERBitString(protectionBytes);
+        } catch (GeneralSecurityException ex) {
+            CmpClientException cmpClientException =
+                    new CmpClientException(
+                            "Exception occurred while generating protection for PKIMessage", ex);
+            LOG.error("Exception occurred while generating the protection for PKIMessage");
+            throw cmpClientException;
+        }
+    }
+
+    /**
+     * Returns Algorithm Identifier for protection of PKIMessage.
+     *
+     * @return Algorithm Identifier.
+     */
+    public abstract AlgorithmIdentifier getAlgorithmIdentifier();
+
+    /**
+     * Takes encoded bytes of PKIMessage (PKIHeader and PKIBody) and generates protection bytes.
+     *
+     * @return bytes representing protection.
+     */
+    abstract byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException;
+
+}
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/SignatureProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/SignatureProtection.java
new file mode 100644
index 00000000..faf99c96
--- /dev/null
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/protections/SignatureProtection.java
@@ -0,0 +1,63 @@
+/*-
+ * ============LICENSE_START=======================================================
+ *  Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl.protections;
+
+
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
+
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.Signature;
+
+/**
+ * Implementation of signature PKIMessage protection
+ */
+public class SignatureProtection extends PkiMessageProtection {
+
+    private static final AlgorithmIdentifier SHA256_RSA_ALGORITHM = new DefaultSignatureAlgorithmIdentifierFinder()
+            .find("SHA256withRSA");
+
+    private final PrivateKey oldPrivateKey;
+
+    public SignatureProtection(PrivateKey privateKey) {
+        this.oldPrivateKey = privateKey;
+    }
+
+    @Override
+    public AlgorithmIdentifier getAlgorithmIdentifier() {
+        return SHA256_RSA_ALGORITHM;
+    }
+
+    @Override
+    byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException {
+        Signature signature =
+                Signature.getInstance(
+                        PKCSObjectIdentifiers.sha256WithRSAEncryption.getId(),
+                        BouncyCastleProvider.PROVIDER_NAME);
+        signature.initSign(oldPrivateKey);
+        signature.update(protectedBytes, 0, protectedBytes.length);
+        return signature.sign();
+    }
+
+}