[OOM-CERT-SERVICE] Implement signature PKIMessage protection

- Add signature protection
- Refactor password-based protection code
- Add JUnit tests

Issue-ID: OOM-2753
Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
Change-Id: I398568a35e52a816c32646c8915db5c287ede401

8 files changed, 262 insertions, 90 deletions

diff --git a/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java b/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java
index 2573c978..03d1a9d2 100644
--- a/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java
+++ b/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java
@@ -154,6 +154,7 @@ public class CsrModel {
                 throw new KeyDecryptionException("Converting Private Key failed", e.getCause());
             }
         }
+
         private PublicKey convertingPemPublicKeyToJavaSecurityPublicKey(PemObject publicKey)
             throws KeyDecryptionException {
             try {
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java
index 38e7e3f8..68b78f23 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java
@@ -83,6 +83,8 @@ public class CmpClientImpl implements CmpClient {
         validate(csrModel, server, httpClient, notBefore, notAfter);
         KeyPair keyPair = new KeyPair(csrModel.getPublicKey(), csrModel.getPrivateKey());
 
+        final String iak = server.getAuthentication().getIak();
+        final PkiMessageProtection pkiMessageProtection = new PasswordBasedProtection(iak);
         final CreateCertRequest certRequest =
                 CmpMessageBuilder.of(CreateCertRequest::new)
                         .with(CreateCertRequest::setIssuerDn, server.getIssuerDN())
@@ -91,8 +93,8 @@ public class CmpClientImpl implements CmpClient {
                         .with(CreateCertRequest::setSubjectKeyPair, keyPair)
                         .with(CreateCertRequest::setNotBefore, notBefore)
                         .with(CreateCertRequest::setNotAfter, notAfter)
-                        .with(CreateCertRequest::setInitAuthPassword, server.getAuthentication().getIak())
                         .with(CreateCertRequest::setSenderKid, server.getAuthentication().getRv())
+                        .with(CreateCertRequest::setProtection, pkiMessageProtection)
                         .build();
 
         final PKIMessage pkiMessage = certRequest.generateCertReq();
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
index 0255b82e..c4be54ce 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
@@ -1,6 +1,7 @@
 /*-
  * ============LICENSE_START=======================================================
  *  Copyright (C) 2020 Nordix Foundation.
+ *  Copyright (C) 2021 Nokia.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,34 +21,22 @@
 
 package org.onap.oom.certservice.cmpv2client.impl;
 
-import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generateProtectedBytes;
-
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.security.InvalidKeyException;
 import java.security.KeyPair;
-import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.Signature;
 import java.security.SignatureException;
 import java.util.Date;
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
 
 import org.bouncycastle.asn1.ASN1EncodableVector;
-import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.DERBitString;
-import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.DEROutputStream;
 import org.bouncycastle.asn1.DERSequence;
 import org.bouncycastle.asn1.DERTaggedObject;
-import org.bouncycastle.asn1.cmp.PBMParameter;
-import org.bouncycastle.asn1.cmp.PKIBody;
-import org.bouncycastle.asn1.cmp.PKIHeader;
-import org.bouncycastle.asn1.cmp.PKIMessage;
 import org.bouncycastle.asn1.crmf.CertRequest;
 import org.bouncycastle.asn1.crmf.OptionalValidity;
 import org.bouncycastle.asn1.crmf.POPOSigningKey;
@@ -71,12 +60,6 @@ import org.slf4j.LoggerFactory;
 public final class CmpMessageHelper {
 
     private static final Logger LOG = LoggerFactory.getLogger(CmpMessageHelper.class);
-    private static final AlgorithmIdentifier OWF_ALGORITHM =
-            new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
-    private static final AlgorithmIdentifier MAC_ALGORITHM =
-            new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2"));
-    private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC =
-            new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
     private static final boolean CRITICAL_FALSE = false;
 
     private CmpMessageHelper() {
@@ -172,65 +155,6 @@ public final class CmpMessageHelper {
         return proofOfPossession;
     }
 
-    /**
-     * Generic code to create Algorithm Identifier for protection of PKIMessage.
-     *
-     * @return Algorithm Identifier
-     */
-    public static AlgorithmIdentifier protectionAlgoIdentifier(int iterations, byte[] salt) {
-        ASN1Integer iteration = new ASN1Integer(iterations);
-        DEROctetString derSalt = new DEROctetString(salt);
-
-        PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM);
-        return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp);
-    }
-
-    /**
-     * Adds protection to the PKIMessage via a specified protection algorithm.
-     *
-     * @param password  password used to authenticate PkiMessage with external CA
-     * @param pkiHeader Header of PKIMessage containing generic details for any PKIMessage
-     * @param pkiBody   Body of PKIMessage containing specific details for certificate request
-     * @return Protected Pki Message
-     * @throws CmpClientException Wraps several exceptions into one general-purpose exception.
-     */
-    public static PKIMessage protectPkiMessage(
-            PKIHeader pkiHeader, PKIBody pkiBody, String password, int iterations, byte[] salt)
-            throws CmpClientException {
-
-        byte[] raSecret = password.getBytes();
-        byte[] basekey = new byte[raSecret.length + salt.length];
-        System.arraycopy(raSecret, 0, basekey, 0, raSecret.length);
-        System.arraycopy(salt, 0, basekey, raSecret.length, salt.length);
-        byte[] out;
-        try {
-            MessageDigest dig =
-                    MessageDigest.getInstance(
-                            OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
-            for (int i = 0; i < iterations; i++) {
-                basekey = dig.digest(basekey);
-                dig.reset();
-            }
-            byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody);
-            Mac mac =
-                    Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
-            SecretKey key = new SecretKeySpec(basekey, MAC_ALGORITHM.getAlgorithm().getId());
-            mac.init(key);
-            mac.reset();
-            mac.update(protectedBytes, 0, protectedBytes.length);
-            out = mac.doFinal();
-        } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeyException ex) {
-            CmpClientException cmpClientException =
-                    new CmpClientException(
-                            "Exception occurred while generating proof of possession for PKIMessage", ex);
-            LOG.error("Exception occured while generating the proof of possession for PKIMessage");
-            throw cmpClientException;
-        }
-        DERBitString bs = new DERBitString(out);
-
-        return new PKIMessage(pkiHeader, pkiBody, bs);
-    }
-
     private static KeyUsage getKeyUsage() {
         return new KeyUsage(
             KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation);
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
index 281f6f5e..8912e88c 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
@@ -1,6 +1,7 @@
 /*-
  * ============LICENSE_START=======================================================
  *  Copyright (C) 2020 Nordix Foundation.
+ *  Copyright (C) 2021 Nokia.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -29,6 +30,7 @@ import java.util.Objects;
 import org.bouncycastle.asn1.ASN1Encodable;
 import org.bouncycastle.asn1.ASN1EncodableVector;
 import org.bouncycastle.asn1.ASN1GeneralizedTime;
+import org.bouncycastle.asn1.ASN1OctetString;
 import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.DEROutputStream;
 import org.bouncycastle.asn1.DERSequence;
@@ -127,12 +129,13 @@ public final class CmpUtil {
     }
 
     /**
-     * Generates a PKIHeader Builder object.
+     * Generates a PKIHeader object.
      *
      * @param subjectDn     distinguished name of Subject
      * @param issuerDn      distinguished name of external CA
      * @param protectionAlg protection Algorithm used to protect PKIMessage
-     * @return PKIHeaderBuilder
+     * @param senderKid     sender identifier for receiver used for verification
+     * @return PKIHeader
      */
     static PKIHeader generatePkiHeader(
             X500Name subjectDn, X500Name issuerDn, AlgorithmIdentifier protectionAlg, String senderKid) {
@@ -146,8 +149,12 @@ public final class CmpUtil {
         pkiHeaderBuilder.setTransactionID(new DEROctetString(createRandomBytes()));
         pkiHeaderBuilder.setProtectionAlg(protectionAlg);
         pkiHeaderBuilder.setGeneralInfo(new InfoTypeAndValue(CMPObjectIdentifiers.it_implicitConfirm));
-        pkiHeaderBuilder.setSenderKID(new DEROctetString(senderKid.getBytes()));
+        pkiHeaderBuilder.setSenderKID(mapToAsn1OctetString(senderKid));
 
         return pkiHeaderBuilder.build();
     }
+
+    private static ASN1OctetString mapToAsn1OctetString(String string) {
+        return string != null ? new DEROctetString(string.getBytes()) : null;
+    }
 }
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
index d277a204..0ed493b7 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
@@ -1,6 +1,7 @@
 /*-
  * ============LICENSE_START=======================================================
  *  Copyright (C) 2020 Nordix Foundation.
+ *  Copyright (C) 2021 Nokia.
  * ================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,7 +21,6 @@
 
 package org.onap.oom.certservice.cmpv2client.impl;
 
-import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomBytes;
 import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomInt;
 import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generatePkiHeader;
 
@@ -28,6 +28,7 @@ import java.security.KeyPair;
 import java.util.Date;
 
 import org.bouncycastle.asn1.ASN1Integer;
+import org.bouncycastle.asn1.DERBitString;
 import org.bouncycastle.asn1.cmp.PKIBody;
 import org.bouncycastle.asn1.cmp.PKIHeader;
 import org.bouncycastle.asn1.cmp.PKIMessage;
@@ -49,17 +50,15 @@ import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException;
  */
 class CreateCertRequest {
 
+    private PkiMessageProtection pkiMessageProtection;
     private X500Name issuerDn;
     private X500Name subjectDn;
     private GeneralName[] sansArray;
     private KeyPair subjectKeyPair;
     private Date notBefore;
     private Date notAfter;
-    private String initAuthPassword;
     private String senderKid;
 
-    private static final int ITERATIONS = createRandomInt(1000);
-    private static final byte[] SALT = createRandomBytes();
     private final int certReqId = createRandomInt(Integer.MAX_VALUE);
     private final AlgorithmIdentifier signingAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder()
             .find("SHA256withRSA");
@@ -88,8 +87,8 @@ class CreateCertRequest {
         this.notAfter = notAfter;
     }
 
-    public void setInitAuthPassword(String initAuthPassword) {
-        this.initAuthPassword = initAuthPassword;
+    public void setProtection(PkiMessageProtection pkiMessageProtection) {
+        this.pkiMessageProtection = pkiMessageProtection;
     }
 
     public void setSenderKid(String senderKid) {
@@ -126,11 +125,11 @@ class CreateCertRequest {
                 generatePkiHeader(
                         subjectDn,
                         issuerDn,
-                        CmpMessageHelper.protectionAlgoIdentifier(ITERATIONS, SALT),
+                        pkiMessageProtection.getAlgorithmIdentifier(),
                         senderKid);
         final PKIBody pkiBody = new PKIBody(PKIBody.TYPE_INIT_REQ, certReqMessages);
 
-        return CmpMessageHelper.protectPkiMessage(
-                pkiHeader, pkiBody, initAuthPassword, ITERATIONS, SALT);
+        final DERBitString messageProtection = this.pkiMessageProtection.generatePkiMessageProtection(pkiHeader, pkiBody);
+        return new PKIMessage(pkiHeader, pkiBody, messageProtection);
     }
 }
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java
new file mode 100644
index 00000000..621415c0
--- /dev/null
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java
@@ -0,0 +1,100 @@
+/*-
+ * ============LICENSE_START=======================================================
+ *  Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl;
+
+import org.bouncycastle.asn1.ASN1Integer;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.cmp.PBMParameter;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+
+import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomBytes;
+import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomInt;
+
+/**
+ * Implementation of password-based PKIMessage protection
+ */
+public class PasswordBasedProtection extends PkiMessageProtection {
+
+    private static final int ITERATIONS = createRandomInt(1000);
+    private static final byte[] SALT = createRandomBytes();
+    private static final AlgorithmIdentifier OWF_ALGORITHM =
+            new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
+    private static final AlgorithmIdentifier MAC_ALGORITHM =
+            new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2"));
+    private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC =
+            new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
+
+    private final String initAuthPassword;
+
+    PasswordBasedProtection(String initAuthPassword) {
+        this.initAuthPassword = initAuthPassword;
+    }
+
+    @Override
+    AlgorithmIdentifier getAlgorithmIdentifier() {
+        ASN1Integer iteration = new ASN1Integer(ITERATIONS);
+        DEROctetString derSalt = new DEROctetString(SALT);
+
+        PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM);
+        return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp);
+    }
+
+    @Override
+    byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException {
+        byte[] baseKey = generateBaseKey();
+        return generateMacBytes(baseKey, protectedBytes);
+    }
+
+    private byte[] generateBaseKey() throws NoSuchAlgorithmException, NoSuchProviderException {
+        byte[] raSecret = initAuthPassword.getBytes();
+        byte[] baseKey = new byte[raSecret.length + SALT.length];
+        System.arraycopy(raSecret, 0, baseKey, 0, raSecret.length);
+        System.arraycopy(SALT, 0, baseKey, raSecret.length, SALT.length);
+        MessageDigest dig =
+                MessageDigest.getInstance(
+                        OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
+        for (int i = 0; i < ITERATIONS; i++) {
+            baseKey = dig.digest(baseKey);
+            dig.reset();
+        }
+        return baseKey;
+    }
+
+    private byte[] generateMacBytes(byte[] baseKey, byte[] protectedBytes) throws GeneralSecurityException {
+        Mac mac = Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
+        SecretKey key = new SecretKeySpec(baseKey, MAC_ALGORITHM.getAlgorithm().getId());
+        mac.init(key);
+        mac.reset();
+        mac.update(protectedBytes, 0, protectedBytes.length);
+        return mac.doFinal();
+    }
+
+}
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java
new file mode 100644
index 00000000..d32ed588
--- /dev/null
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java
@@ -0,0 +1,76 @@
+/*-
+ * ============LICENSE_START=======================================================
+ *  Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl;
+
+import org.bouncycastle.asn1.DERBitString;
+import org.bouncycastle.asn1.cmp.PKIBody;
+import org.bouncycastle.asn1.cmp.PKIHeader;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.security.GeneralSecurityException;
+
+import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generateProtectedBytes;
+
+/**
+ * Representation of PKIMessage protection. Complies with RFC4210 (Certificate Management Protocol
+ * (CMP)) and RFC4211 (Certificate Request Message Format (CRMF)) standards.
+ */
+public abstract class PkiMessageProtection {
+
+    private static final Logger LOG = LoggerFactory.getLogger(PkiMessageProtection.class);
+
+    /**
+     * Takes PKIHeader and PKIBody as parameters and generates protection bytes.
+     *
+     * @return bytes representing protection wrapped into DERBitString object.
+     */
+    DERBitString generatePkiMessageProtection(PKIHeader pkiHeader, PKIBody pkiBody) throws CmpClientException {
+        try {
+            byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody);
+            byte[] protectionBytes = generateProtectionBytes(protectedBytes);
+            return new DERBitString(protectionBytes);
+        } catch (GeneralSecurityException ex) {
+            CmpClientException cmpClientException =
+                    new CmpClientException(
+                            "Exception occurred while generating protection for PKIMessage", ex);
+            LOG.error("Exception occurred while generating the protection for PKIMessage");
+            throw cmpClientException;
+        }
+    }
+
+    /**
+     * Takes encoded bytes of PKIMessage (PKIHeader and PKIBody) and generates protection bytes.
+     *
+     * @return bytes representing protection.
+     */
+    abstract byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException;
+
+    /**
+     * Returns Algorithm Identifier for protection of PKIMessage.
+     *
+     * @return Algorithm Identifier.
+     */
+    abstract AlgorithmIdentifier getAlgorithmIdentifier();
+
+}
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java
new file mode 100644
index 00000000..ad778430
--- /dev/null
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java
@@ -0,0 +1,63 @@
+/*-
+ * ============LICENSE_START=======================================================
+ *  Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl;
+
+
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
+
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.Signature;
+
+/**
+ * Implementation of signature PKIMessage protection
+ */
+public class SignatureProtection extends PkiMessageProtection {
+
+    private static final AlgorithmIdentifier SHA256_RSA_ALGORITHM = new DefaultSignatureAlgorithmIdentifierFinder()
+            .find("SHA256withRSA");
+
+    private final PrivateKey oldPrivateKey;
+
+    SignatureProtection(PrivateKey privateKey) {
+        this.oldPrivateKey = privateKey;
+    }
+
+    @Override
+    AlgorithmIdentifier getAlgorithmIdentifier() {
+        return SHA256_RSA_ALGORITHM;
+    }
+
+    @Override
+    byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException {
+        Signature signature =
+                Signature.getInstance(
+                        PKCSObjectIdentifiers.sha256WithRSAEncryption.getId(),
+                        BouncyCastleProvider.PROVIDER_NAME);
+        signature.initSign(oldPrivateKey);
+        signature.update(protectedBytes, 0, protectedBytes.length);
+        return signature.sign();
+    }
+
+}