diff options
author | Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com> | 2021-01-26 10:45:10 +0100 |
---|---|---|
committer | Joanna Jeremicz <joanna.jeremicz@nokia.com> | 2021-01-27 10:00:16 +0100 |
commit | b4030c1d7ebd848f28fb5000ac1d8f7e4fbfca85 (patch) | |
tree | c9e29afab63029c1dce1a6772dfd270ff3237642 /certService/src | |
parent | 26ef1a575d819de4e1dae9f9044b1ab715f41b13 (diff) |
[OOM-CERT-SERVICE] Fix KeyUsage extention sent to CMPv2 server2.3.3
- fix setting key usage to digitalSignature & keyEncipherment & nonRepudiation
- set extended key usage to clientAuth & serverAuth
Issue-ID: OOM-2658
Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
Change-Id: I5c00f622c3d117a63e4f48a3d2a90fd48cce3d0e
Diffstat (limited to 'certService/src')
2 files changed, 87 insertions, 6 deletions
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java index 2a77873e..1e64a2e0 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java @@ -25,6 +25,7 @@ import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generateProtecte import java.io.ByteArrayOutputStream; import java.io.IOException; import java.security.InvalidKeyException; +import java.security.Key; import java.security.KeyPair; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -54,11 +55,13 @@ import org.bouncycastle.asn1.crmf.POPOSigningKey; import org.bouncycastle.asn1.crmf.ProofOfPossession; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.ExtendedKeyUsage; import org.bouncycastle.asn1.x509.Extension; import org.bouncycastle.asn1.x509.Extensions; import org.bouncycastle.asn1.x509.ExtensionsGenerator; import org.bouncycastle.asn1.x509.GeneralName; import org.bouncycastle.asn1.x509.GeneralNames; +import org.bouncycastle.asn1.x509.KeyPurposeId; import org.bouncycastle.asn1.x509.KeyUsage; import org.bouncycastle.asn1.x509.Time; import org.bouncycastle.jce.provider.BouncyCastleProvider; @@ -75,6 +78,7 @@ public final class CmpMessageHelper { new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2")); private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC = new ASN1ObjectIdentifier("1.2.840.113533.7.66.13"); + private static final boolean CRITICAL_FALSE = false; private CmpMessageHelper() { } @@ -111,14 +115,11 @@ public final class CmpMessageHelper { throws CmpClientException { LOG.info("Generating Extensions from Subject Alternative Names"); final ExtensionsGenerator extGenerator = new ExtensionsGenerator(); - // KeyUsage try { - final KeyUsage keyUsage = - new KeyUsage( - KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation); - extGenerator.addExtension(Extension.keyUsage, false, new DERBitString(keyUsage)); + extGenerator.addExtension(Extension.keyUsage, CRITICAL_FALSE, getKeyUsage()); + extGenerator.addExtension(Extension.extendedKeyUsage, CRITICAL_FALSE, getExtendedKeyUsage()); extGenerator.addExtension( - Extension.subjectAlternativeName, false, new GeneralNames(sansArray)); + Extension.subjectAlternativeName, CRITICAL_FALSE, new GeneralNames(sansArray)); } catch (IOException ioe) { CmpClientException cmpClientException = new CmpClientException( @@ -230,4 +231,14 @@ public final class CmpMessageHelper { return new PKIMessage(pkiHeader, pkiBody, bs); } + + private static KeyUsage getKeyUsage() { + return new KeyUsage( + KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation); + } + + private static ExtendedKeyUsage getExtendedKeyUsage() { + return new ExtendedKeyUsage( + new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth}); + } } diff --git a/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelperTest.java b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelperTest.java new file mode 100644 index 00000000..0aae26a4 --- /dev/null +++ b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelperTest.java @@ -0,0 +1,70 @@ +/* + * ============LICENSE_START======================================================= + * oom-certservice-api + * ================================================================================ + * Copyright (C) 2021 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.oom.certservice.cmpv2client.impl; + +import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertEquals; + +import org.bouncycastle.asn1.x509.ExtendedKeyUsage; +import org.bouncycastle.asn1.x509.Extension; +import org.bouncycastle.asn1.x509.Extensions; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.asn1.x509.GeneralNames; +import org.bouncycastle.asn1.x509.KeyPurposeId; +import org.bouncycastle.asn1.x509.KeyUsage; +import org.junit.jupiter.api.Test; +import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException; + +public class CmpMessageHelperTest { + + private final KeyUsage expectedKeyUsage = new KeyUsage( + KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation); + private final ExtendedKeyUsage expectedExtendedKeyUsage = new ExtendedKeyUsage( + new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth}); + + @Test + void shouldSetSansInExtensions() throws CmpClientException { + //when + Extensions extensions = CmpMessageHelper.generateExtension(getTestSans()); + //then + GeneralName[] sans = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName).getNames(); + assertArrayEquals(sans, getTestSans()); + } + + @Test + void shouldSetKeyUsagesInExtensions() throws CmpClientException { + //when + Extensions extensions = CmpMessageHelper.generateExtension(getTestSans()); + //then + KeyUsage actualKeyUsage = KeyUsage.fromExtensions(extensions); + ExtendedKeyUsage actualExtendedKeyUsage = ExtendedKeyUsage.fromExtensions(extensions); + assertEquals(this.expectedKeyUsage, actualKeyUsage); + assertEquals(this.expectedExtendedKeyUsage, actualExtendedKeyUsage); + } + + private GeneralName[] getTestSans() { + return new GeneralName[]{ + new GeneralName(GeneralName.dNSName, "tetHostName"), + new GeneralName(GeneralName.iPAddress, "1.2.3.4") + }; + } + +} |