diff options
Diffstat (limited to 'certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java')
-rw-r--r-- | certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java | 330 |
1 files changed, 166 insertions, 164 deletions
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java index 48b2336f..6fcc5f14 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java +++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java @@ -37,6 +37,7 @@ import java.util.List; import javax.crypto.Mac; import javax.crypto.SecretKey; import javax.crypto.spec.SecretKeySpec; + import org.bouncycastle.asn1.ASN1EncodableVector; import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.ASN1ObjectIdentifier; @@ -69,176 +70,177 @@ import org.slf4j.LoggerFactory; public final class CmpMessageHelper { - private static final Logger LOG = LoggerFactory.getLogger(CmpMessageHelper.class); - private static final AlgorithmIdentifier OWF_ALGORITHM = - new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26")); - private static final AlgorithmIdentifier MAC_ALGORITHM = - new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.2.9")); - private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC = - new ASN1ObjectIdentifier("1.2.840.113533.7.66.13"); - - private CmpMessageHelper() {} - - /** - * Creates an Optional Validity, which is used to specify how long the returned cert should be - * valid for. - * - * @param notBefore Date specifying certificate is not valid before this date. - * @param notAfter Date specifying certificate is not valid after this date. - * @return {@link OptionalValidity} that can be set for certificate on external CA. - */ - public static OptionalValidity generateOptionalValidity( - final Date notBefore, final Date notAfter) { - LOG.info("Generating Optional Validity from Date objects"); - ASN1EncodableVector optionalValidityV = new ASN1EncodableVector(); - if (notBefore != null) { - Time nb = new Time(notBefore); - optionalValidityV.add(new DERTaggedObject(true, 0, nb)); + private static final Logger LOG = LoggerFactory.getLogger(CmpMessageHelper.class); + private static final AlgorithmIdentifier OWF_ALGORITHM = + new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26")); + private static final AlgorithmIdentifier MAC_ALGORITHM = + new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.2.9")); + private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC = + new ASN1ObjectIdentifier("1.2.840.113533.7.66.13"); + + private CmpMessageHelper() { } - if (notAfter != null) { - Time na = new Time(notAfter); - optionalValidityV.add(new DERTaggedObject(true, 1, na)); + + /** + * Creates an Optional Validity, which is used to specify how long the returned cert should be + * valid for. + * + * @param notBefore Date specifying certificate is not valid before this date. + * @param notAfter Date specifying certificate is not valid after this date. + * @return {@link OptionalValidity} that can be set for certificate on external CA. + */ + public static OptionalValidity generateOptionalValidity( + final Date notBefore, final Date notAfter) { + LOG.info("Generating Optional Validity from Date objects"); + ASN1EncodableVector optionalValidityV = new ASN1EncodableVector(); + if (notBefore != null) { + Time nb = new Time(notBefore); + optionalValidityV.add(new DERTaggedObject(true, 0, nb)); + } + if (notAfter != null) { + Time na = new Time(notAfter); + optionalValidityV.add(new DERTaggedObject(true, 1, na)); + } + return OptionalValidity.getInstance(new DERSequence(optionalValidityV)); } - return OptionalValidity.getInstance(new DERSequence(optionalValidityV)); - } - - /** - * Create Extensions from Subject Alternative Names. - * - * @return {@link Extensions}. - */ - public static Extensions generateExtension(final List<String> sansList) - throws CmpClientException { - LOG.info("Generating Extensions from Subject Alternative Names"); - final ExtensionsGenerator extGenerator = new ExtensionsGenerator(); - final GeneralName[] sansGeneralNames = getGeneralNames(sansList); - // KeyUsage - try { - final KeyUsage keyUsage = - new KeyUsage( - KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation); - extGenerator.addExtension(Extension.keyUsage, false, new DERBitString(keyUsage)); - extGenerator.addExtension( - Extension.subjectAlternativeName, false, new GeneralNames(sansGeneralNames)); - } catch (IOException ioe) { - CmpClientException cmpClientException = - new CmpClientException( - "Exception occurred while creating extensions for PKIMessage", ioe); - LOG.error("Exception occurred while creating extensions for PKIMessage"); - throw cmpClientException; + + /** + * Create Extensions from Subject Alternative Names. + * + * @return {@link Extensions}. + */ + public static Extensions generateExtension(final List<String> sansList) + throws CmpClientException { + LOG.info("Generating Extensions from Subject Alternative Names"); + final ExtensionsGenerator extGenerator = new ExtensionsGenerator(); + final GeneralName[] sansGeneralNames = getGeneralNames(sansList); + // KeyUsage + try { + final KeyUsage keyUsage = + new KeyUsage( + KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation); + extGenerator.addExtension(Extension.keyUsage, false, new DERBitString(keyUsage)); + extGenerator.addExtension( + Extension.subjectAlternativeName, false, new GeneralNames(sansGeneralNames)); + } catch (IOException ioe) { + CmpClientException cmpClientException = + new CmpClientException( + "Exception occurred while creating extensions for PKIMessage", ioe); + LOG.error("Exception occurred while creating extensions for PKIMessage"); + throw cmpClientException; + } + return extGenerator.generate(); } - return extGenerator.generate(); - } - public static GeneralName[] getGeneralNames(List<String> sansList) { - final List<GeneralName> nameList = new ArrayList<>(); - for (String san : sansList) { - nameList.add(new GeneralName(GeneralName.dNSName, san)); + public static GeneralName[] getGeneralNames(List<String> sansList) { + final List<GeneralName> nameList = new ArrayList<>(); + for (String san : sansList) { + nameList.add(new GeneralName(GeneralName.dNSName, san)); + } + final GeneralName[] sansGeneralNames = new GeneralName[nameList.size()]; + nameList.toArray(sansGeneralNames); + return sansGeneralNames; } - final GeneralName[] sansGeneralNames = new GeneralName[nameList.size()]; - nameList.toArray(sansGeneralNames); - return sansGeneralNames; - } - - /** - * Method generates Proof-of-Possession (POP) of Private Key. To allow a CA/RA to properly - * validity binding between an End Entity and a Key Pair, the PKI Operations specified here make - * it possible for an End Entity to prove that it has possession of the Private Key corresponding - * to the Public Key for which a Certificate is requested. - * - * @param certRequest Certificate request that requires proof of possession - * @param keypair keypair associated with the subject sending the certificate request - * @return {@link ProofOfPossession}. - * @throws CmpClientException A general-purpose Cmp client exception. - */ - public static ProofOfPossession generateProofOfPossession( - final CertRequest certRequest, final KeyPair keypair) throws CmpClientException { - ProofOfPossession proofOfPossession; - try (final ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream()) { - final DEROutputStream derOutputStream = new DEROutputStream(byteArrayOutputStream); - derOutputStream.writeObject(certRequest); - - byte[] popoProtectionBytes = byteArrayOutputStream.toByteArray(); - final String sigalg = PKCSObjectIdentifiers.sha256WithRSAEncryption.getId(); - final Signature signature = Signature.getInstance(sigalg, BouncyCastleProvider.PROVIDER_NAME); - signature.initSign(keypair.getPrivate()); - signature.update(popoProtectionBytes); - DERBitString bs = new DERBitString(signature.sign()); - - proofOfPossession = - new ProofOfPossession( - new POPOSigningKey( - null, new AlgorithmIdentifier(new ASN1ObjectIdentifier(sigalg)), bs)); - } catch (IOException - | NoSuchProviderException - | NoSuchAlgorithmException - | InvalidKeyException - | SignatureException ex) { - CmpClientException cmpClientException = - new CmpClientException( - "Exception occurred while creating proof of possession for PKIMessage", ex); - LOG.error("Exception occurred while creating proof of possession for PKIMessage"); - throw cmpClientException; + + /** + * Method generates Proof-of-Possession (POP) of Private Key. To allow a CA/RA to properly + * validity binding between an End Entity and a Key Pair, the PKI Operations specified here make + * it possible for an End Entity to prove that it has possession of the Private Key corresponding + * to the Public Key for which a Certificate is requested. + * + * @param certRequest Certificate request that requires proof of possession + * @param keypair keypair associated with the subject sending the certificate request + * @return {@link ProofOfPossession}. + * @throws CmpClientException A general-purpose Cmp client exception. + */ + public static ProofOfPossession generateProofOfPossession( + final CertRequest certRequest, final KeyPair keypair) throws CmpClientException { + ProofOfPossession proofOfPossession; + try (ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream()) { + final DEROutputStream derOutputStream = new DEROutputStream(byteArrayOutputStream); + derOutputStream.writeObject(certRequest); + + byte[] popoProtectionBytes = byteArrayOutputStream.toByteArray(); + final String sigalg = PKCSObjectIdentifiers.sha256WithRSAEncryption.getId(); + final Signature signature = Signature.getInstance(sigalg, BouncyCastleProvider.PROVIDER_NAME); + signature.initSign(keypair.getPrivate()); + signature.update(popoProtectionBytes); + DERBitString bs = new DERBitString(signature.sign()); + + proofOfPossession = + new ProofOfPossession( + new POPOSigningKey( + null, new AlgorithmIdentifier(new ASN1ObjectIdentifier(sigalg)), bs)); + } catch (IOException + | NoSuchProviderException + | NoSuchAlgorithmException + | InvalidKeyException + | SignatureException ex) { + CmpClientException cmpClientException = + new CmpClientException( + "Exception occurred while creating proof of possession for PKIMessage", ex); + LOG.error("Exception occurred while creating proof of possession for PKIMessage"); + throw cmpClientException; + } + return proofOfPossession; } - return proofOfPossession; - } - - /** - * Generic code to create Algorithm Identifier for protection of PKIMessage. - * - * @return Algorithm Identifier - */ - public static AlgorithmIdentifier protectionAlgoIdentifier(int iterations, byte[] salt) { - ASN1Integer iteration = new ASN1Integer(iterations); - DEROctetString derSalt = new DEROctetString(salt); - - PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM); - return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp); - } - - /** - * Adds protection to the PKIMessage via a specified protection algorithm. - * - * @param password password used to authenticate PkiMessage with external CA - * @param pkiHeader Header of PKIMessage containing generic details for any PKIMessage - * @param pkiBody Body of PKIMessage containing specific details for certificate request - * @return Protected Pki Message - * @throws CmpClientException Wraps several exceptions into one general-purpose exception. - */ - public static PKIMessage protectPkiMessage( - PKIHeader pkiHeader, PKIBody pkiBody, String password, int iterations, byte[] salt) - throws CmpClientException { - - byte[] raSecret = password.getBytes(); - byte[] basekey = new byte[raSecret.length + salt.length]; - System.arraycopy(raSecret, 0, basekey, 0, raSecret.length); - System.arraycopy(salt, 0, basekey, raSecret.length, salt.length); - byte[] out; - try { - MessageDigest dig = - MessageDigest.getInstance( - OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME); - for (int i = 0; i < iterations; i++) { - basekey = dig.digest(basekey); - dig.reset(); - } - byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody); - Mac mac = - Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME); - SecretKey key = new SecretKeySpec(basekey, MAC_ALGORITHM.getAlgorithm().getId()); - mac.init(key); - mac.reset(); - mac.update(protectedBytes, 0, protectedBytes.length); - out = mac.doFinal(); - } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeyException ex) { - CmpClientException cmpClientException = - new CmpClientException( - "Exception occurred while generating proof of possession for PKIMessage", ex); - LOG.error("Exception occured while generating the proof of possession for PKIMessage"); - throw cmpClientException; + + /** + * Generic code to create Algorithm Identifier for protection of PKIMessage. + * + * @return Algorithm Identifier + */ + public static AlgorithmIdentifier protectionAlgoIdentifier(int iterations, byte[] salt) { + ASN1Integer iteration = new ASN1Integer(iterations); + DEROctetString derSalt = new DEROctetString(salt); + + PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM); + return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp); } - DERBitString bs = new DERBitString(out); - return new PKIMessage(pkiHeader, pkiBody, bs); - } + /** + * Adds protection to the PKIMessage via a specified protection algorithm. + * + * @param password password used to authenticate PkiMessage with external CA + * @param pkiHeader Header of PKIMessage containing generic details for any PKIMessage + * @param pkiBody Body of PKIMessage containing specific details for certificate request + * @return Protected Pki Message + * @throws CmpClientException Wraps several exceptions into one general-purpose exception. + */ + public static PKIMessage protectPkiMessage( + PKIHeader pkiHeader, PKIBody pkiBody, String password, int iterations, byte[] salt) + throws CmpClientException { + + byte[] raSecret = password.getBytes(); + byte[] basekey = new byte[raSecret.length + salt.length]; + System.arraycopy(raSecret, 0, basekey, 0, raSecret.length); + System.arraycopy(salt, 0, basekey, raSecret.length, salt.length); + byte[] out; + try { + MessageDigest dig = + MessageDigest.getInstance( + OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME); + for (int i = 0; i < iterations; i++) { + basekey = dig.digest(basekey); + dig.reset(); + } + byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody); + Mac mac = + Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME); + SecretKey key = new SecretKeySpec(basekey, MAC_ALGORITHM.getAlgorithm().getId()); + mac.init(key); + mac.reset(); + mac.update(protectedBytes, 0, protectedBytes.length); + out = mac.doFinal(); + } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeyException ex) { + CmpClientException cmpClientException = + new CmpClientException( + "Exception occurred while generating proof of possession for PKIMessage", ex); + LOG.error("Exception occured while generating the proof of possession for PKIMessage"); + throw cmpClientException; + } + DERBitString bs = new DERBitString(out); + + return new PKIMessage(pkiHeader, pkiBody, bs); + } } |