aboutsummaryrefslogtreecommitdiffstats
path: root/certService/src/main
diff options
context:
space:
mode:
Diffstat (limited to 'certService/src/main')
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/CertServiceApplication.java2
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java13
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/api/ReadinessController.java4
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/api/ReloadConfigController.java4
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/api/advice/CertificationExceptionAdvice.java4
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/api/advice/ReloadConfigExceptionAdvice.java2
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/api/configuration/OpenApiConfig.java2
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/CertificationData.java3
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java28
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/Pkcs10CertificationRequestFactory.java (renamed from certService/src/main/java/org/onap/aaf/certservice/certification/PKCS10CertificationRequestFactory.java)6
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java24
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CsrMetaBuilder.java (renamed from certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilder.java)28
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RsaContentSignerBuilder.java (renamed from certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RSAContentSignerBuilder.java)3
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java7
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpServersConfigLoader.java2
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/Authentication.java14
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java2
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/Cmpv2Server.java23
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/Cmpv2Url.java (renamed from certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/Cmpv2URL.java)8
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/Cmpv2UrlValidator.java (renamed from certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/Cmpv2URLValidator.java)28
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/PortNumberViolation.java2
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/RequestTypeViolation.java4
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/UrlServerViolation.java (renamed from certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/URLServerViolation.java)2
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/exception/CsrDecryptionException.java1
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/exception/DecryptionException.java3
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/certification/exception/KeyDecryptionException.java1
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/api/CmpClient.java99
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/exceptions/CmpClientException.java36
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/exceptions/PkiErrorException.java32
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CsrMeta.java (renamed from certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java)14
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/Factory.java18
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/Rdn.java (renamed from certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java)35
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java360
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageBuilder.java54
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java330
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpResponseHelper.java574
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpResponseValidationHelper.java335
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpUtil.java186
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/Cmpv2HttpClient.java81
-rw-r--r--certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CreateCertRequest.java169
40 files changed, 1301 insertions, 1242 deletions
diff --git a/certService/src/main/java/org/onap/aaf/certservice/CertServiceApplication.java b/certService/src/main/java/org/onap/aaf/certservice/CertServiceApplication.java
index 087cf259..11478965 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/CertServiceApplication.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/CertServiceApplication.java
@@ -25,7 +25,7 @@ import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.PropertySource;
@SpringBootApplication
-@PropertySource(value={"classpath:application.properties"})
+@PropertySource(value = {"classpath:application.properties"})
public class CertServiceApplication {
// We are excluding this line in Sonar due to fact that
diff --git a/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java b/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java
index fe941f58..74f64061 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java
@@ -60,9 +60,8 @@ public class CertificationController {
/**
* Request for signing certificate by given CA.
*
- *
- * @param caName the name of Certification Authority that will sign root certificate
- * @param encodedCsr Certificate Sign Request encoded in Base64 form
+ * @param caName the name of Certification Authority that will sign root certificate
+ * @param encodedCsr Certificate Sign Request encoded in Base64 form
* @param encodedPrivateKey Private key for CSR, needed for PoP, encoded in Base64 form
* @return JSON containing trusted certificates and certificate chain
*/
@@ -79,13 +78,13 @@ public class CertificationController {
@Operation(
summary = "sign certificate",
description = "Web endpoint for requesting certificate signing. Used by system components to gain certificate signed by CA.",
- tags = { "CertificationService" })
+ tags = {"CertificationService"})
public ResponseEntity<CertificationModel> signCertificate(
- @Parameter(description="Name of certification authority that will sign CSR.")
+ @Parameter(description = "Name of certification authority that will sign CSR.")
@PathVariable String caName,
- @Parameter(description="Certificate signing request in form of PEM object encoded in Base64 (with header and footer).")
+ @Parameter(description = "Certificate signing request in form of PEM object encoded in Base64 (with header and footer).")
@RequestHeader("CSR") String encodedCsr,
- @Parameter(description="Private key in form of PEM object encoded in Base64 (with header and footer).")
+ @Parameter(description = "Private key in form of PEM object encoded in Base64 (with header and footer).")
@RequestHeader("PK") String encodedPrivateKey
) throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException {
caName = caName.replaceAll("[\n|\r|\t]", "_");
diff --git a/certService/src/main/java/org/onap/aaf/certservice/api/ReadinessController.java b/certService/src/main/java/org/onap/aaf/certservice/api/ReadinessController.java
index 288957ca..f900edf9 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/api/ReadinessController.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/api/ReadinessController.java
@@ -33,7 +33,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@Tag(name = "CertificationService")
-public class ReadinessController {
+public final class ReadinessController {
private final CmpServersConfig cmpServersConfig;
@@ -50,7 +50,7 @@ public class ReadinessController {
@Operation(
summary = "check is container is ready",
description = "Web endpoint for checking if service is ready to be used.",
- tags = { "CertificationService" })
+ tags = {"CertificationService"})
public ResponseEntity<String> checkReady() {
if (cmpServersConfig.isReady()) {
return new ResponseEntity<>(HttpStatus.OK);
diff --git a/certService/src/main/java/org/onap/aaf/certservice/api/ReloadConfigController.java b/certService/src/main/java/org/onap/aaf/certservice/api/ReloadConfigController.java
index c52cf4f2..e812ce0d 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/api/ReloadConfigController.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/api/ReloadConfigController.java
@@ -37,7 +37,7 @@ import org.springframework.web.bind.annotation.RestController;
@RestController
@Tag(name = "CertificationService")
-public class ReloadConfigController {
+public final class ReloadConfigController {
private final CmpServersConfig cmpServersConfig;
@@ -55,7 +55,7 @@ public class ReloadConfigController {
@Operation(
summary = "reload service configuration from file",
description = "Web endpoint for performing configuration reload. Used to reload configuration file from file.",
- tags = { "CertificationService" })
+ tags = {"CertificationService"})
public ResponseEntity<String> reloadConfiguration() throws CmpServersConfigLoadingException {
cmpServersConfig.reloadConfiguration();
return new ResponseEntity<>(HttpStatus.OK);
diff --git a/certService/src/main/java/org/onap/aaf/certservice/api/advice/CertificationExceptionAdvice.java b/certService/src/main/java/org/onap/aaf/certservice/api/advice/CertificationExceptionAdvice.java
index f75e93c9..a40fea8f 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/api/advice/CertificationExceptionAdvice.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/api/advice/CertificationExceptionAdvice.java
@@ -35,7 +35,7 @@ import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
@RestControllerAdvice(assignableTypes = CertificationController.class)
-public class CertificationExceptionAdvice {
+public final class CertificationExceptionAdvice {
private static final Logger LOGGER = LoggerFactory.getLogger(CertificationExceptionAdvice.class);
@@ -92,7 +92,7 @@ public class CertificationExceptionAdvice {
private ResponseEntity<ErrorResponseModel> getErrorResponseEntity(String errorMessage, HttpStatus status) {
ErrorResponseModel errorResponse = new ErrorResponseModel(errorMessage);
return new ResponseEntity<>(
- errorResponse,
+ errorResponse,
status
);
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/api/advice/ReloadConfigExceptionAdvice.java b/certService/src/main/java/org/onap/aaf/certservice/api/advice/ReloadConfigExceptionAdvice.java
index bf83ece2..4a4073ff 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/api/advice/ReloadConfigExceptionAdvice.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/api/advice/ReloadConfigExceptionAdvice.java
@@ -30,7 +30,7 @@ import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
@RestControllerAdvice(assignableTypes = ReloadConfigController.class)
-public class ReloadConfigExceptionAdvice {
+public final class ReloadConfigExceptionAdvice {
private static final Logger LOGGER = LoggerFactory.getLogger(ReloadConfigExceptionAdvice.class);
diff --git a/certService/src/main/java/org/onap/aaf/certservice/api/configuration/OpenApiConfig.java b/certService/src/main/java/org/onap/aaf/certservice/api/configuration/OpenApiConfig.java
index 18327048..503b2818 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/api/configuration/OpenApiConfig.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/api/configuration/OpenApiConfig.java
@@ -30,7 +30,7 @@ import org.springframework.context.annotation.Configuration;
public class OpenApiConfig {
@Bean
- public OpenAPI customOpenAPI() {
+ public OpenAPI customOpenApi() {
return new OpenAPI()
.components(new Components())
.info(
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationData.java b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationData.java
index a347762e..bce72977 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationData.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationData.java
@@ -23,7 +23,8 @@ package org.onap.aaf.certservice.certification;
final class CertificationData {
- private CertificationData() {}
+ private CertificationData() {
+ }
private static final String BEGIN_CERTIFICATE = "-----BEGIN CERTIFICATE-----\n";
private static final String END_CERTIFICATE = "-----END CERTIFICATE-----";
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java b/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java
index 501ed6d0..b4f94b93 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java
@@ -40,8 +40,8 @@ public class CsrModelFactory {
private final PemObjectFactory pemObjectFactory
= new PemObjectFactory();
- private final PKCS10CertificationRequestFactory certificationRequestFactory
- = new PKCS10CertificationRequestFactory();
+ private final Pkcs10CertificationRequestFactory certificationRequestFactory
+ = new Pkcs10CertificationRequestFactory();
public CsrModel createCsrModel(StringBase64 csr, StringBase64 privateKey)
@@ -57,15 +57,15 @@ public class CsrModelFactory {
return privateKey.asString()
.flatMap(pemObjectFactory::createPemObject)
.orElseThrow(
- () -> new KeyDecryptionException("Incorrect Key, decryption failed")
- );
+ () -> new KeyDecryptionException("Incorrect Key, decryption failed")
+ );
}
private PKCS10CertificationRequest decodeCsr(StringBase64 csr)
throws CsrDecryptionException {
return csr.asString()
.flatMap(pemObjectFactory::createPemObject)
- .flatMap(certificationRequestFactory::createKCS10CertificationRequest)
+ .flatMap(certificationRequestFactory::createPkcs10CertificationRequest)
.orElseThrow(
() -> new CsrDecryptionException("Incorrect CSR, decryption failed")
);
@@ -84,20 +84,28 @@ public class CsrModelFactory {
try {
String decodedString = new String(decoder.decode(value));
return Optional.of(decodedString);
- } catch(RuntimeException e) {
+ } catch (RuntimeException e) {
LOGGER.error("Exception occurred during decoding:", e);
return Optional.empty();
}
}
@Override
- public boolean equals(Object o) {
- if (this == o) return true;
- if (o == null || getClass() != o.getClass()) return false;
- StringBase64 that = (StringBase64) o;
+ public boolean equals(Object otherObject) {
+ if (this == otherObject) {
+ return true;
+ }
+ if (otherObject == null || getClass() != otherObject.getClass()) {
+ return false;
+ }
+ StringBase64 that = (StringBase64) otherObject;
return Objects.equals(value, that.value);
}
+ @Override
+ public int hashCode() {
+ return value.hashCode();
+ }
}
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/PKCS10CertificationRequestFactory.java b/certService/src/main/java/org/onap/aaf/certservice/certification/Pkcs10CertificationRequestFactory.java
index b255b7c2..1b00a815 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/PKCS10CertificationRequestFactory.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/Pkcs10CertificationRequestFactory.java
@@ -29,11 +29,11 @@ import org.slf4j.LoggerFactory;
import java.io.IOException;
import java.util.Optional;
-public class PKCS10CertificationRequestFactory {
+public class Pkcs10CertificationRequestFactory {
- private static final Logger LOGGER = LoggerFactory.getLogger(PKCS10CertificationRequestFactory.class);
+ private static final Logger LOGGER = LoggerFactory.getLogger(Pkcs10CertificationRequestFactory.class);
- public Optional<PKCS10CertificationRequest> createKCS10CertificationRequest(PemObject pemObject) {
+ public Optional<PKCS10CertificationRequest> createPkcs10CertificationRequest(PemObject pemObject) {
try {
LOGGER.debug("Creating certification request from pem object");
return Optional.of(new PKCS10CertificationRequest(pemObject.getContent()));
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java
index be39f1f3..c9e61b02 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java
@@ -54,15 +54,15 @@ public class Cmpv2ClientAdapter {
private static final Logger LOGGER = LoggerFactory.getLogger(Cmpv2ClientAdapter.class);
private final CmpClient cmpClient;
- private final CSRMetaBuilder csrMetaBuilder;
- private final RSAContentSignerBuilder rsaContentSignerBuilder;
+ private final CsrMetaBuilder csrMetaBuilder;
+ private final RsaContentSignerBuilder rsaContentSignerBuilder;
private final X509CertificateBuilder x509CertificateBuilder;
private final CertificateFactoryProvider certificateFactoryProvider;
@Autowired
- public Cmpv2ClientAdapter(CmpClient cmpClient, CSRMetaBuilder csrMetaBuilder,
- RSAContentSignerBuilder rsaContentSignerBuilder, X509CertificateBuilder x509CertificateBuilder,
- CertificateFactoryProvider certificateFactoryProvider) {
+ public Cmpv2ClientAdapter(CmpClient cmpClient, CsrMetaBuilder csrMetaBuilder,
+ RsaContentSignerBuilder rsaContentSignerBuilder, X509CertificateBuilder x509CertificateBuilder,
+ CertificateFactoryProvider certificateFactoryProvider) {
this.cmpClient = cmpClient;
this.csrMetaBuilder = csrMetaBuilder;
this.rsaContentSignerBuilder = rsaContentSignerBuilder;
@@ -83,12 +83,12 @@ public class Cmpv2ClientAdapter {
throws CmpClientException, Cmpv2ClientAdapterException {
List<List<X509Certificate>> certificates = cmpClient.createCertificate(server.getCaName(),
server.getCaMode().getProfile(), csrMetaBuilder.build(csrModel, server),
- convertCSRToX509Certificate(csrModel.getCsr(), csrModel.getPrivateKey()));
- return new CertificationModel(convertFromX509CertificateListToPEMList(certificates.get(0)),
- convertFromX509CertificateListToPEMList(certificates.get(1)));
+ convertCsrToX509Certificate(csrModel.getCsr(), csrModel.getPrivateKey()));
+ return new CertificationModel(convertFromX509CertificateListToPemList(certificates.get(0)),
+ convertFromX509CertificateListToPemList(certificates.get(1)));
}
- private String convertFromX509CertificateToPEM(X509Certificate certificate) {
+ private String convertFromX509CertificateToPem(X509Certificate certificate) {
StringWriter sw = new StringWriter();
try (PemWriter pw = new PemWriter(sw)) {
PemObjectGenerator gen = new JcaMiscPEMGenerator(certificate);
@@ -99,7 +99,7 @@ public class Cmpv2ClientAdapter {
return sw.toString();
}
- private X509Certificate convertCSRToX509Certificate(PKCS10CertificationRequest csr, PrivateKey privateKey)
+ private X509Certificate convertCsrToX509Certificate(PKCS10CertificationRequest csr, PrivateKey privateKey)
throws Cmpv2ClientAdapterException {
try {
X509v3CertificateBuilder certificateGenerator = x509CertificateBuilder.build(csr);
@@ -112,8 +112,8 @@ public class Cmpv2ClientAdapter {
}
}
- private List<String> convertFromX509CertificateListToPEMList(List<X509Certificate> certificates) {
- return certificates.stream().map(this::convertFromX509CertificateToPEM).filter(cert -> !cert.isEmpty())
+ private List<String> convertFromX509CertificateListToPemList(List<X509Certificate> certificates) {
+ return certificates.stream().map(this::convertFromX509CertificateToPem).filter(cert -> !cert.isEmpty())
.collect(Collectors.toList());
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilder.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CsrMetaBuilder.java
index 1959d638..cf35efa1 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilder.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CsrMetaBuilder.java
@@ -31,16 +31,16 @@ import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.cert.CertException;
import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server;
import org.onap.aaf.certservice.certification.model.CsrModel;
-import org.onap.aaf.certservice.cmpv2client.external.CSRMeta;
-import org.onap.aaf.certservice.cmpv2client.external.RDN;
+import org.onap.aaf.certservice.cmpv2client.external.CsrMeta;
+import org.onap.aaf.certservice.cmpv2client.external.Rdn;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;
@Component
-class CSRMetaBuilder {
+class CsrMetaBuilder {
- private static final Logger LOGGER = LoggerFactory.getLogger(CSRMetaBuilder.class);
+ private static final Logger LOGGER = LoggerFactory.getLogger(CsrMetaBuilder.class);
/**
* Creates CSRMeta from CsrModel and Cmpv2Server
@@ -49,8 +49,8 @@ class CSRMetaBuilder {
* @param server Cmp Server configuration from cmpServers.json
* @return AAF native model for CSR metadata
*/
- CSRMeta build(CsrModel csrModel, Cmpv2Server server) {
- CSRMeta csrMeta = createCsrMeta(csrModel);
+ CsrMeta build(CsrModel csrModel, Cmpv2Server server) {
+ CsrMeta csrMeta = createCsrMeta(csrModel);
addSans(csrModel, csrMeta);
csrMeta.setKeyPair(new KeyPair(csrModel.getPublicKey(), csrModel.getPrivateKey()));
csrMeta.setPassword(server.getAuthentication().getIak());
@@ -61,30 +61,30 @@ class CSRMetaBuilder {
return csrMeta;
}
- private CSRMeta createCsrMeta(CsrModel csrModel) {
- return new CSRMeta((Arrays.stream(csrModel.getSubjectData().getRDNs()).map(this::convertFromBcRDN)
+ private CsrMeta createCsrMeta(CsrModel csrModel) {
+ return new CsrMeta((Arrays.stream(csrModel.getSubjectData().getRDNs()).map(this::convertFromBcRdn)
.filter(Optional::isPresent).map(Optional::get).collect(Collectors.toList())));
}
- private void addSans(CsrModel csrModel, CSRMeta csrMeta) {
+ private void addSans(CsrModel csrModel, CsrMeta csrMeta) {
csrModel.getSans().forEach(csrMeta::addSan);
}
- private Optional<RDN> convertFromBcRDN(org.bouncycastle.asn1.x500.RDN rdn) {
- RDN result = null;
+ private Optional<Rdn> convertFromBcRdn(org.bouncycastle.asn1.x500.RDN rdn) {
+ Rdn result = null;
try {
- result = convertRDN(rdn);
+ result = convertRdn(rdn);
} catch (CertException e) {
LOGGER.error("Exception occurred during convert of RDN", e);
}
return Optional.ofNullable(result);
}
- private RDN convertRDN(org.bouncycastle.asn1.x500.RDN rdn) throws CertException {
+ private Rdn convertRdn(org.bouncycastle.asn1.x500.RDN rdn) throws CertException {
AttributeTypeAndValue rdnData = rdn.getFirst();
String tag = BCStyle.INSTANCE.oidToDisplayName(rdnData.getType());
String value = IETFUtils.valueToString(rdnData.getValue());
- return new RDN(tag, value);
+ return new Rdn(tag, value);
}
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RSAContentSignerBuilder.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RsaContentSignerBuilder.java
index 266c22e2..bda89235 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RSAContentSignerBuilder.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RsaContentSignerBuilder.java
@@ -17,6 +17,7 @@
* limitations under the License.
* ============LICENSE_END=========================================================
*/
+
package org.onap.aaf.certservice.certification.adapter;
import java.io.IOException;
@@ -31,7 +32,7 @@ import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.springframework.stereotype.Component;
@Component
-public class RSAContentSignerBuilder {
+public class RsaContentSignerBuilder {
ContentSigner build(PKCS10CertificationRequest csr, PrivateKey privateKey)
throws IOException, OperatorCreationException {
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java
index 21b873e6..329098ac 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java
@@ -17,6 +17,7 @@
* limitations under the License.
* ============LICENSE_END=========================================================
*/
+
package org.onap.aaf.certservice.certification.configuration;
import org.apache.http.impl.client.CloseableHttpClient;
@@ -31,18 +32,18 @@ import org.springframework.web.context.annotation.RequestScope;
public class CmpClientConfig {
@Bean
- CmpClient cmpClient(CloseableHttpClient closeableHttpClient){
+ CmpClient cmpClient(CloseableHttpClient closeableHttpClient) {
return new CmpClientImpl(closeableHttpClient);
}
@Bean
@RequestScope
- CloseableHttpClient closeableHttpClient(HttpClientBuilder httpClientBuilder){
+ CloseableHttpClient closeableHttpClient(HttpClientBuilder httpClientBuilder) {
return httpClientBuilder.build();
}
@Bean
- HttpClientBuilder httpClientBuilder(){
+ HttpClientBuilder httpClientBuilder() {
return HttpClientBuilder.create();
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpServersConfigLoader.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpServersConfigLoader.java
index 1072d630..696ae564 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpServersConfigLoader.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpServersConfigLoader.java
@@ -40,7 +40,7 @@ class CmpServersConfigLoader {
private final Cmpv2ServerConfigurationValidator validator;
@Autowired
- public CmpServersConfigLoader(Cmpv2ServerConfigurationValidator validator) {
+ CmpServersConfigLoader(Cmpv2ServerConfigurationValidator validator) {
this.validator = validator;
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/Authentication.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/Authentication.java
index 3785cf8e..e4c15518 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/Authentication.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/Authentication.java
@@ -25,11 +25,13 @@ import org.hibernate.validator.constraints.Length;
public class Authentication {
+ private static final int MAX_IAK_RV_LENGTH = 256;
+
@NotNull
- @Length(min = 1, max = 256)
+ @Length(min = 1, max = MAX_IAK_RV_LENGTH)
private String iak;
@NotNull
- @Length(min = 1, max = 256)
+ @Length(min = 1, max = MAX_IAK_RV_LENGTH)
private String rv;
public String getIak() {
@@ -50,9 +52,9 @@ public class Authentication {
@Override
public String toString() {
- return "Authentication{" +
- " iak=*****" +
- ", rv=*****" +
- '}';
+ return "Authentication{"
+ + " iak=*****"
+ + ", rv=*****"
+ + '}';
}
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java
index 2186b6ff..374feb3b 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java
@@ -29,7 +29,7 @@ public enum CaMode {
this.profile = profile;
}
- public String getProfile(){
+ public String getProfile() {
return profile;
}
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/Cmpv2Server.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/Cmpv2Server.java
index 20b83b82..51d91966 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/Cmpv2Server.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/Cmpv2Server.java
@@ -22,23 +22,26 @@ package org.onap.aaf.certservice.certification.configuration.model;
import javax.validation.Valid;
import javax.validation.constraints.NotNull;
+
import org.bouncycastle.asn1.x500.X500Name;
import org.hibernate.validator.constraints.Length;
-import org.onap.aaf.certservice.certification.configuration.validation.constraints.Cmpv2URL;
+import org.onap.aaf.certservice.certification.configuration.validation.constraints.Cmpv2Url;
public class Cmpv2Server {
+ private static final int MAX_CA_NAME_LENGTH = 128;
+
@NotNull
@Valid
private Authentication authentication;
@NotNull
private CaMode caMode;
@NotNull
- @Length(min = 1, max = 128)
+ @Length(min = 1, max = MAX_CA_NAME_LENGTH)
private String caName;
@NotNull
private X500Name issuerDN;
- @Cmpv2URL
+ @Cmpv2Url
private String url;
public Authentication getAuthentication() {
@@ -83,13 +86,13 @@ public class Cmpv2Server {
@Override
public String toString() {
- return "Cmpv2Server{" +
- "authentication=" + authentication +
- ", caMode=" + caMode +
- ", caName='" + caName + '\'' +
- ", issuerDN='" + issuerDN + '\'' +
- ", url='" + url + '\'' +
- '}';
+ return "Cmpv2Server{"
+ + "authentication=" + authentication
+ + ", caMode=" + caMode
+ + ", caName='" + caName + '\''
+ + ", issuerDN='" + issuerDN + '\''
+ + ", url='" + url + '\''
+ + '}';
}
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/Cmpv2URL.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/Cmpv2Url.java
index 7c942548..a5450a25 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/Cmpv2URL.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/Cmpv2Url.java
@@ -29,11 +29,13 @@ import static java.lang.annotation.ElementType.ANNOTATION_TYPE;
import static java.lang.annotation.ElementType.FIELD;
import static java.lang.annotation.RetentionPolicy.RUNTIME;
-@Target( { FIELD, ANNOTATION_TYPE })
+@Target({FIELD, ANNOTATION_TYPE})
@Retention(RUNTIME)
-@Constraint(validatedBy = Cmpv2URLValidator.class)
-public @interface Cmpv2URL {
+@Constraint(validatedBy = Cmpv2UrlValidator.class)
+public @interface Cmpv2Url {
String message() default "Server URL is invalid.";
+
Class<?>[] groups() default {};
+
Class<? extends Payload>[] payload() default {};
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/Cmpv2URLValidator.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/Cmpv2UrlValidator.java
index b3224c45..7ce3bb6c 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/Cmpv2URLValidator.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/Cmpv2UrlValidator.java
@@ -23,7 +23,7 @@ package org.onap.aaf.certservice.certification.configuration.validation.constrai
import org.onap.aaf.certservice.certification.configuration.validation.constraints.violations.PortNumberViolation;
import org.onap.aaf.certservice.certification.configuration.validation.constraints.violations.RequestTypeViolation;
-import org.onap.aaf.certservice.certification.configuration.validation.constraints.violations.URLServerViolation;
+import org.onap.aaf.certservice.certification.configuration.validation.constraints.violations.UrlServerViolation;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
@@ -31,25 +31,25 @@ import java.util.Arrays;
import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;
-class Cmpv2URLValidator implements ConstraintValidator<Cmpv2URL, String> {
+class Cmpv2UrlValidator implements ConstraintValidator<Cmpv2Url, String> {
- private final List<URLServerViolation> violations;
+ private final List<UrlServerViolation> violations;
- public Cmpv2URLValidator() {
+ Cmpv2UrlValidator() {
this.violations = Arrays.asList(
new PortNumberViolation(),
new RequestTypeViolation()
);
}
- @Override
- public boolean isValid(String url, ConstraintValidatorContext context) {
- AtomicBoolean isValid = new AtomicBoolean(true);
- violations.forEach(violation -> {
- if (!violation.validate(url)) {
- isValid.set(false);
- }
- });
- return isValid.get();
- }
+ @Override
+ public boolean isValid(String url, ConstraintValidatorContext context) {
+ AtomicBoolean isValid = new AtomicBoolean(true);
+ violations.forEach(violation -> {
+ if (!violation.validate(url)) {
+ isValid.set(false);
+ }
+ });
+ return isValid.get();
+ }
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/PortNumberViolation.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/PortNumberViolation.java
index acde0417..96f30149 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/PortNumberViolation.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/PortNumberViolation.java
@@ -23,7 +23,7 @@ package org.onap.aaf.certservice.certification.configuration.validation.constrai
import java.net.MalformedURLException;
import java.net.URL;
-public class PortNumberViolation implements URLServerViolation {
+public class PortNumberViolation implements UrlServerViolation {
private static final int MIN_PORT = 1;
private static final int MAX_PORT = 65535;
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/RequestTypeViolation.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/RequestTypeViolation.java
index 7fbbdf34..67a5c3c4 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/RequestTypeViolation.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/RequestTypeViolation.java
@@ -27,9 +27,9 @@ import java.util.Collections;
import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;
-public class RequestTypeViolation implements URLServerViolation {
+public class RequestTypeViolation implements UrlServerViolation {
- private final static List<String> VALID_REQUESTS = Collections.singletonList("http");
+ private static final List<String> VALID_REQUESTS = Collections.singletonList("http");
@Override
public boolean validate(String serverUrl) {
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/URLServerViolation.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/UrlServerViolation.java
index e5a110d2..5452beb4 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/URLServerViolation.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/validation/constraints/violations/UrlServerViolation.java
@@ -20,6 +20,6 @@
package org.onap.aaf.certservice.certification.configuration.validation.constraints.violations;
-public interface URLServerViolation {
+public interface UrlServerViolation {
boolean validate(String url);
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/exception/CsrDecryptionException.java b/certService/src/main/java/org/onap/aaf/certservice/certification/exception/CsrDecryptionException.java
index 0bb46258..ed434e07 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/exception/CsrDecryptionException.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/exception/CsrDecryptionException.java
@@ -24,6 +24,7 @@ public class CsrDecryptionException extends DecryptionException {
public CsrDecryptionException(String message, Throwable cause) {
super(message, cause);
}
+
public CsrDecryptionException(String message) {
super(message);
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/exception/DecryptionException.java b/certService/src/main/java/org/onap/aaf/certservice/certification/exception/DecryptionException.java
index ee0fb202..6d8f7073 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/exception/DecryptionException.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/exception/DecryptionException.java
@@ -21,10 +21,13 @@
package org.onap.aaf.certservice.certification.exception;
public class DecryptionException extends Exception {
+
public DecryptionException(String message, Throwable cause) {
super(message, cause);
}
+
public DecryptionException(String message) {
super(message);
}
+
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/exception/KeyDecryptionException.java b/certService/src/main/java/org/onap/aaf/certservice/certification/exception/KeyDecryptionException.java
index 7970c393..d4814d6a 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/certification/exception/KeyDecryptionException.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/certification/exception/KeyDecryptionException.java
@@ -24,6 +24,7 @@ public class KeyDecryptionException extends DecryptionException {
public KeyDecryptionException(String message, Throwable cause) {
super(message, cause);
}
+
public KeyDecryptionException(String message) {
super(message);
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/api/CmpClient.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/api/CmpClient.java
index 150f15d5..8f9d20bd 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/api/CmpClient.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/api/CmpClient.java
@@ -23,8 +23,9 @@ package org.onap.aaf.certservice.cmpv2client.api;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
+
import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
-import org.onap.aaf.certservice.cmpv2client.external.CSRMeta;
+import org.onap.aaf.certservice.cmpv2client.external.CsrMeta;
/**
* This class represent CmpV2Client Interface for obtaining X.509 Digital Certificates in a Public
@@ -33,53 +34,53 @@ import org.onap.aaf.certservice.cmpv2client.external.CSRMeta;
*/
public interface CmpClient {
- /**
- * Requests for a External Root CA Certificate to be created for the passed public keyPair wrapped
- * in a CSRMeta with common details, accepts self-signed certificate. Basic Authentication using
- * IAK/RV, Verification of the signature (proof-of-possession) on the request is performed and an
- * Exception thrown if verification fails or issue encountered in fetching certificate from CA.
- *
- * @param caName Information about the External Root Certificate Authority (CA) performing the
- * event CA Name. Could be {@code null}.
- * @param profile Profile on CA server Client/RA Mode configuration on Server. Could be {@code
- * null}.
- * @param csrMeta Certificate Signing Request Meta Data. Must not be {@code null}.
- * @param csr Certificate Signing Request {.cer} file. Must not be {@code null}.
- * @param notBefore An optional validity to set in the created certificate, Certificate not valid
- * before this date.
- * @param notAfter An optional validity to set in the created certificate, Certificate not valid
- * after this date.
- * @return {@link X509Certificate} The newly created Certificate.
- * @throws CmpClientException if client error occurs.
- */
- List<List<X509Certificate>> createCertificate(
- String caName,
- String profile,
- CSRMeta csrMeta,
- X509Certificate csr,
- Date notBefore,
- Date notAfter)
- throws CmpClientException;
+ /**
+ * Requests for a External Root CA Certificate to be created for the passed public keyPair wrapped
+ * in a CSRMeta with common details, accepts self-signed certificate. Basic Authentication using
+ * IAK/RV, Verification of the signature (proof-of-possession) on the request is performed and an
+ * Exception thrown if verification fails or issue encountered in fetching certificate from CA.
+ *
+ * @param caName Information about the External Root Certificate Authority (CA) performing the
+ * event CA Name. Could be {@code null}.
+ * @param profile Profile on CA server Client/RA Mode configuration on Server. Could be {@code
+ * null}.
+ * @param csrMeta Certificate Signing Request Meta Data. Must not be {@code null}.
+ * @param csr Certificate Signing Request {.cer} file. Must not be {@code null}.
+ * @param notBefore An optional validity to set in the created certificate, Certificate not valid
+ * before this date.
+ * @param notAfter An optional validity to set in the created certificate, Certificate not valid
+ * after this date.
+ * @return {@link X509Certificate} The newly created Certificate.
+ * @throws CmpClientException if client error occurs.
+ */
+ List<List<X509Certificate>> createCertificate(
+ String caName,
+ String profile,
+ CsrMeta csrMeta,
+ X509Certificate csr,
+ Date notBefore,
+ Date notAfter)
+ throws CmpClientException;
- /**
- * Requests for a External Root CA Certificate to be created for the passed public keyPair wrapped
- * in a CSRMeta with common details, accepts self-signed certificate. Basic Authentication using
- * IAK/RV, Verification of the signature (proof-of-possession) on the request is performed and an
- * Exception thrown if verification fails or issue encountered in fetching certificate from CA.
- *
- * @param caName Information about the External Root Certificate Authority (CA) performing the
- * event CA Name. Could be {@code null}.
- * @param profile Profile on CA server Client/RA Mode configuration on Server. Could be {@code
- * null}.
- * @param csrMeta Certificate Signing Request Meta Data. Must not be {@code null}.
- * @param csr Certificate Signing Request {.cer} file. Must not be {@code null}.
- * @return {@link X509Certificate} The newly created Certificate.
- * @throws CmpClientException if client error occurs.
- */
- List<List<X509Certificate>> createCertificate(
- String caName,
- String profile,
- CSRMeta csrMeta,
- X509Certificate csr)
- throws CmpClientException;
+ /**
+ * Requests for a External Root CA Certificate to be created for the passed public keyPair wrapped
+ * in a CSRMeta with common details, accepts self-signed certificate. Basic Authentication using
+ * IAK/RV, Verification of the signature (proof-of-possession) on the request is performed and an
+ * Exception thrown if verification fails or issue encountered in fetching certificate from CA.
+ *
+ * @param caName Information about the External Root Certificate Authority (CA) performing the
+ * event CA Name. Could be {@code null}.
+ * @param profile Profile on CA server Client/RA Mode configuration on Server. Could be {@code
+ * null}.
+ * @param csrMeta Certificate Signing Request Meta Data. Must not be {@code null}.
+ * @param csr Certificate Signing Request {.cer} file. Must not be {@code null}.
+ * @return {@link X509Certificate} The newly created Certificate.
+ * @throws CmpClientException if client error occurs.
+ */
+ List<List<X509Certificate>> createCertificate(
+ String caName,
+ String profile,
+ CsrMeta csrMeta,
+ X509Certificate csr)
+ throws CmpClientException;
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/exceptions/CmpClientException.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/exceptions/CmpClientException.java
index 06bdfd80..2a04306a 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/exceptions/CmpClientException.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/exceptions/CmpClientException.java
@@ -20,23 +20,31 @@
package org.onap.aaf.certservice.cmpv2client.exceptions;
-/** The CmpClientException wraps all exceptions occur internally to Cmpv2Client Api code. */
+/**
+ * The CmpClientException wraps all exceptions occur internally to Cmpv2Client Api code.
+ */
public class CmpClientException extends Exception {
- private static final long serialVersionUID = 1L;
+ private static final long serialVersionUID = 1L;
- /** Creates a new instance with detail message. */
- public CmpClientException(String message) {
- super(message);
- }
+ /**
+ * Creates a new instance with detail message.
+ */
+ public CmpClientException(String message) {
+ super(message);
+ }
- /** Creates a new instance with detail Throwable cause. */
- public CmpClientException(Throwable cause) {
- super(cause);
- }
+ /**
+ * Creates a new instance with detail Throwable cause.
+ */
+ public CmpClientException(Throwable cause) {
+ super(cause);
+ }
- /** Creates a new instance with detail message and Throwable cause. */
- public CmpClientException(String message, Throwable cause) {
- super(message, cause);
- }
+ /**
+ * Creates a new instance with detail message and Throwable cause.
+ */
+ public CmpClientException(String message, Throwable cause) {
+ super(message, cause);
+ }
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/exceptions/PkiErrorException.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/exceptions/PkiErrorException.java
index 9e6b9286..62411fbd 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/exceptions/PkiErrorException.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/exceptions/PkiErrorException.java
@@ -22,20 +22,26 @@ package org.onap.aaf.certservice.cmpv2client.exceptions;
public class PkiErrorException extends Exception {
- private static final long serialVersionUID = 1L;
+ private static final long serialVersionUID = 1L;
- /** Creates a new instance with detail message. */
- public PkiErrorException(String message) {
- super(message);
- }
+ /**
+ * Creates a new instance with detail message.
+ */
+ public PkiErrorException(String message) {
+ super(message);
+ }
- /** Creates a new instance with detail Throwable cause. */
- public PkiErrorException(Throwable cause) {
- super(cause);
- }
+ /**
+ * Creates a new instance with detail Throwable cause.
+ */
+ public PkiErrorException(Throwable cause) {
+ super(cause);
+ }
- /** Creates a new instance with detail message and Throwable cause. */
- public PkiErrorException(String message, Throwable cause) {
- super(message, cause);
- }
+ /**
+ * Creates a new instance with detail message and Throwable cause.
+ */
+ public PkiErrorException(String message, Throwable cause) {
+ super(message, cause);
+ }
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CsrMeta.java
index 470a070f..4c4e784c 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CsrMeta.java
@@ -20,17 +20,19 @@
* ============LICENSE_END====================================================
*
*/
+
package org.onap.aaf.certservice.cmpv2client.external;
import java.security.KeyPair;
import java.util.ArrayList;
import java.util.List;
+
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.Certificate;
-public class CSRMeta {
+public class CsrMeta {
private String cn;
private String mechID;
@@ -41,7 +43,7 @@ public class CSRMeta {
private String issuerEmail;
private String password;
private String caUrl;
- private List<RDN> rdns;
+ private List<Rdn> rdns;
private ArrayList<String> sanList = new ArrayList<>();
private KeyPair keyPair;
private X500Name name;
@@ -49,7 +51,7 @@ public class CSRMeta {
private Certificate certificate;
private String senderKid;
- public CSRMeta(List<RDN> rdns) {
+ public CsrMeta(List<Rdn> rdns) {
this.rdns = rdns;
}
@@ -65,7 +67,7 @@ public class CSRMeta {
nameBuilder.addRDN(BCStyle.OU, mechID + ':' + environment);
}
}
- for (RDN rdn : rdns) {
+ for (Rdn rdn : rdns) {
nameBuilder.addRDN(rdn.getAoi(), rdn.getValue());
}
name = nameBuilder.build();
@@ -85,8 +87,8 @@ public class CSRMeta {
return issuerName;
}
- public void addSan(String v) {
- sanList.add(v);
+ public void addSan(String san) {
+ sanList.add(san);
}
public List<String> getSans() {
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/Factory.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/Factory.java
index e570f9ab..9e95ab2f 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/Factory.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/Factory.java
@@ -20,6 +20,7 @@
* ============LICENSE_END====================================================
*
*/
+
package org.onap.aaf.certservice.cmpv2client.external;
import org.slf4j.Logger;
@@ -30,30 +31,31 @@ import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
-public class Factory {
+public final class Factory {
private static final Logger LOGGER = LoggerFactory.getLogger(Factory.class);
- private static final KeyPairGenerator keygen;
- private static final SecureRandom random;
+ private static final KeyPairGenerator KEY_PAIR_GENERATOR;
+ private static final SecureRandom SECURE_RANDOM;
private static final String KEY_ALGORITHM = "RSA";
private static final int KEY_LENGTH = 2048;
static {
- random = new SecureRandom();
+ SECURE_RANDOM = new SecureRandom();
KeyPairGenerator tempKeygen;
try {
tempKeygen = KeyPairGenerator.getInstance(KEY_ALGORITHM);
- tempKeygen.initialize(KEY_LENGTH, random);
+ tempKeygen.initialize(KEY_LENGTH, SECURE_RANDOM);
} catch (NoSuchAlgorithmException e) {
tempKeygen = null;
LOGGER.error("Given KEY_ALGORITHM is invalid.", e);
}
- keygen = tempKeygen;
+ KEY_PAIR_GENERATOR = tempKeygen;
}
- private Factory() { }
+ private Factory() {
+ }
public static KeyPair generateKeyPair() {
- return keygen.generateKeyPair();
+ return KEY_PAIR_GENERATOR.generateKeyPair();
}
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/Rdn.java
index 229fd76b..25017b8a 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/Rdn.java
@@ -20,6 +20,7 @@
* ============LICENSE_END====================================================
*
*/
+
package org.onap.aaf.certservice.cmpv2client.external;
import java.util.ArrayList;
@@ -31,7 +32,7 @@ import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.cert.CertException;
-public class RDN {
+public class Rdn {
private String tag;
private String value;
@@ -41,18 +42,14 @@ public class RDN {
return value;
}
- public ASN1ObjectIdentifier getAoi() {
- return aoi;
- }
-
- public RDN(final String tag, final String value) throws CertException {
+ public Rdn(final String tag, final String value) throws CertException {
this.tag = tag;
this.value = value;
this.aoi = getAoi(tag);
}
- public RDN(final String tagValue) throws CertException {
- List<String> tv = parseRDN("=", tagValue);
+ public Rdn(final String tagValue) throws CertException {
+ List<String> tv = parseRdn("=", tagValue);
this.tag = tv.get(0);
this.value = tv.get(1);
this.aoi = getAoi(this.tag);
@@ -65,7 +62,7 @@ public class RDN {
* @param value Value to be splitted
* @return List of splitted and trimmed strings
*/
- public static List<String> parseRDN(String splitBy, String value) {
+ static List<String> parseRdn(String splitBy, String value) {
String[] splitted = value.split(splitBy);
return Arrays.stream(splitted)
.map(String::trim)
@@ -80,24 +77,24 @@ public class RDN {
* @throws CertException
*/
- public static List<RDN> parse(final char delim, final String dnString) throws CertException {
- List<RDN> lrnd = new ArrayList<>();
+ public static List<Rdn> parse(final char delim, final String dnString) throws CertException {
+ List<Rdn> lrnd = new ArrayList<>();
StringBuilder sb = new StringBuilder();
boolean inQuotes = false;
for (int i = 0; i < dnString.length(); ++i) {
- char c = dnString.charAt(i);
+ char currentCharacter = dnString.charAt(i);
if (inQuotes) {
- if ('"' == c) {
+ if ('"' == currentCharacter) {
inQuotes = false;
} else {
sb.append(dnString.charAt(i));
}
} else {
- if ('"' == c) {
+ if ('"' == currentCharacter) {
inQuotes = true;
- } else if (delim == c) {
+ } else if (delim == currentCharacter) {
if (sb.length() > 0) {
- lrnd.add(new RDN(sb.toString()));
+ lrnd.add(new Rdn(sb.toString()));
sb.setLength(0);
}
} else {
@@ -106,7 +103,7 @@ public class RDN {
}
}
if (sb.indexOf("=") > 0) {
- lrnd.add(new RDN(sb.toString()));
+ lrnd.add(new Rdn(sb.toString()));
}
return lrnd;
}
@@ -116,6 +113,10 @@ public class RDN {
return tag + '=' + value;
}
+ ASN1ObjectIdentifier getAoi() {
+ return aoi;
+ }
+
ASN1ObjectIdentifier getAoi(String tag) throws CertException {
switch (tag.toLowerCase()) {
case "cn":
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java
index e77e8b0f..39a0877c 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java
@@ -21,6 +21,7 @@
package org.onap.aaf.certservice.cmpv2client.impl;
import java.security.PublicKey;
+
import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseHelper.checkIfCmpResponseContainsError;
import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseHelper.getCertfromByteArray;
import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore;
@@ -37,6 +38,7 @@ import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
+
import org.apache.http.impl.client.CloseableHttpClient;
import org.bouncycastle.asn1.cmp.CMPCertificate;
import org.bouncycastle.asn1.cmp.CertRepMessage;
@@ -47,7 +49,7 @@ import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
import org.onap.aaf.certservice.cmpv2client.api.CmpClient;
-import org.onap.aaf.certservice.cmpv2client.external.CSRMeta;
+import org.onap.aaf.certservice.cmpv2client.external.CsrMeta;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -57,190 +59,190 @@ import org.slf4j.LoggerFactory;
*/
public class CmpClientImpl implements CmpClient {
- private static final Logger LOG = LoggerFactory.getLogger(CmpClientImpl.class);
- private final CloseableHttpClient httpClient;
-
- private static final String DEFAULT_PROFILE = "RA";
- private static final String DEFAULT_CA_NAME = "Certification Authority";
-
- public CmpClientImpl(CloseableHttpClient httpClient) {
- this.httpClient = httpClient;
- }
-
- @Override
- public List<List<X509Certificate>> createCertificate(
- String caName,
- String profile,
- CSRMeta csrMeta,
- X509Certificate cert,
- Date notBefore,
- Date notAfter)
- throws CmpClientException {
- // Validate inputs for Certificate Request
- validate(csrMeta, cert, caName, profile, httpClient, notBefore, notAfter);
-
- final CreateCertRequest certRequest =
- CmpMessageBuilder.of(CreateCertRequest::new)
- .with(CreateCertRequest::setIssuerDn, csrMeta.getIssuerX500Name())
- .with(CreateCertRequest::setSubjectDn, csrMeta.getX500Name())
- .with(CreateCertRequest::setSansList, csrMeta.getSans())
- .with(CreateCertRequest::setSubjectKeyPair, csrMeta.getKeyPair())
- .with(CreateCertRequest::setNotBefore, notBefore)
- .with(CreateCertRequest::setNotAfter, notAfter)
- .with(CreateCertRequest::setInitAuthPassword, csrMeta.getPassword())
- .with(CreateCertRequest::setSenderKid, csrMeta.getSenderKid())
- .build();
-
- final PKIMessage pkiMessage = certRequest.generateCertReq();
- Cmpv2HttpClient cmpv2HttpClient = new Cmpv2HttpClient(httpClient);
- return retrieveCertificates(caName, csrMeta, pkiMessage, cmpv2HttpClient);
- }
-
- @Override
- public List<List<X509Certificate>> createCertificate(
- String caName, String profile, CSRMeta csrMeta, X509Certificate csr)
- throws CmpClientException {
- return createCertificate(caName, profile, csrMeta, csr, null, null);
- }
-
- private void checkCmpResponse(
- final PKIMessage respPkiMessage, final PublicKey publicKey, final String initAuthPassword)
- throws CmpClientException {
- final PKIHeader header = respPkiMessage.getHeader();
- final AlgorithmIdentifier protectionAlgo = header.getProtectionAlg();
- verifySignatureWithPublicKey(respPkiMessage, publicKey);
- verifyProtectionWithProtectionAlgo(respPkiMessage, initAuthPassword, header, protectionAlgo);
- }
-
- private void verifySignatureWithPublicKey(PKIMessage respPkiMessage, PublicKey publicKey)
- throws CmpClientException {
- if (Objects.nonNull(publicKey)) {
- LOG.debug("Verifying signature of the response.");
- verifySignature(respPkiMessage, publicKey);
- } else {
- LOG.error("Public Key is not available, therefore cannot verify signature");
- throw new CmpClientException(
- "Public Key is not available, therefore cannot verify signature");
+ private static final Logger LOG = LoggerFactory.getLogger(CmpClientImpl.class);
+ private final CloseableHttpClient httpClient;
+
+ private static final String DEFAULT_PROFILE = "RA";
+ private static final String DEFAULT_CA_NAME = "Certification Authority";
+
+ public CmpClientImpl(CloseableHttpClient httpClient) {
+ this.httpClient = httpClient;
}
- }
-
- private void verifyProtectionWithProtectionAlgo(
- PKIMessage respPkiMessage,
- String initAuthPassword,
- PKIHeader header,
- AlgorithmIdentifier protectionAlgo)
- throws CmpClientException {
- if (Objects.nonNull(protectionAlgo)) {
- LOG.debug("Verifying PasswordBased Protection of the Response.");
- verifyPasswordBasedProtection(respPkiMessage, initAuthPassword, protectionAlgo);
- checkImplicitConfirm(header);
- } else {
- LOG.error(
- "Protection Algorithm is not available when expecting PBE protected response containing protection algorithm");
- throw new CmpClientException(
- "Protection Algorithm is not available when expecting PBE protected response containing protection algorithm");
+
+ @Override
+ public List<List<X509Certificate>> createCertificate(
+ String caName,
+ String profile,
+ CsrMeta csrMeta,
+ X509Certificate cert,
+ Date notBefore,
+ Date notAfter)
+ throws CmpClientException {
+ // Validate inputs for Certificate Request
+ validate(csrMeta, cert, caName, profile, httpClient, notBefore, notAfter);
+
+ final CreateCertRequest certRequest =
+ CmpMessageBuilder.of(CreateCertRequest::new)
+ .with(CreateCertRequest::setIssuerDn, csrMeta.getIssuerX500Name())
+ .with(CreateCertRequest::setSubjectDn, csrMeta.getX500Name())
+ .with(CreateCertRequest::setSansList, csrMeta.getSans())
+ .with(CreateCertRequest::setSubjectKeyPair, csrMeta.getKeyPair())
+ .with(CreateCertRequest::setNotBefore, notBefore)
+ .with(CreateCertRequest::setNotAfter, notAfter)
+ .with(CreateCertRequest::setInitAuthPassword, csrMeta.getPassword())
+ .with(CreateCertRequest::setSenderKid, csrMeta.getSenderKid())
+ .build();
+
+ final PKIMessage pkiMessage = certRequest.generateCertReq();
+ Cmpv2HttpClient cmpv2HttpClient = new Cmpv2HttpClient(httpClient);
+ return retrieveCertificates(caName, csrMeta, pkiMessage, cmpv2HttpClient);
}
- }
-
- private List<List<X509Certificate>> checkCmpCertRepMessage(final PKIMessage respPkiMessage)
- throws CmpClientException {
- final PKIBody pkiBody = respPkiMessage.getBody();
- if (Objects.nonNull(pkiBody) && pkiBody.getContent() instanceof CertRepMessage) {
- final CertRepMessage certRepMessage = (CertRepMessage) pkiBody.getContent();
- if (Objects.nonNull(certRepMessage)) {
- final CertResponse certResponse =
- getCertificateResponseContainingNewCertificate(certRepMessage);
- try {
- return verifyReturnCertChainAndTrustStore(respPkiMessage, certRepMessage, certResponse);
- } catch (IOException | CertificateParsingException ex) {
- CmpClientException cmpClientException =
- new CmpClientException(
- "Exception occurred while retrieving Certificates from response", ex);
- LOG.error("Exception occurred while retrieving Certificates from response", ex);
- throw cmpClientException;
+
+ @Override
+ public List<List<X509Certificate>> createCertificate(
+ String caName, String profile, CsrMeta csrMeta, X509Certificate csr)
+ throws CmpClientException {
+ return createCertificate(caName, profile, csrMeta, csr, null, null);
+ }
+
+ private void checkCmpResponse(
+ final PKIMessage respPkiMessage, final PublicKey publicKey, final String initAuthPassword)
+ throws CmpClientException {
+ final PKIHeader header = respPkiMessage.getHeader();
+ final AlgorithmIdentifier protectionAlgo = header.getProtectionAlg();
+ verifySignatureWithPublicKey(respPkiMessage, publicKey);
+ verifyProtectionWithProtectionAlgo(respPkiMessage, initAuthPassword, header, protectionAlgo);
+ }
+
+ private void verifySignatureWithPublicKey(PKIMessage respPkiMessage, PublicKey publicKey)
+ throws CmpClientException {
+ if (Objects.nonNull(publicKey)) {
+ LOG.debug("Verifying signature of the response.");
+ verifySignature(respPkiMessage, publicKey);
+ } else {
+ LOG.error("Public Key is not available, therefore cannot verify signature");
+ throw new CmpClientException(
+ "Public Key is not available, therefore cannot verify signature");
+ }
+ }
+
+ private void verifyProtectionWithProtectionAlgo(
+ PKIMessage respPkiMessage,
+ String initAuthPassword,
+ PKIHeader header,
+ AlgorithmIdentifier protectionAlgo)
+ throws CmpClientException {
+ if (Objects.nonNull(protectionAlgo)) {
+ LOG.debug("Verifying PasswordBased Protection of the Response.");
+ verifyPasswordBasedProtection(respPkiMessage, initAuthPassword, protectionAlgo);
+ checkImplicitConfirm(header);
+ } else {
+ LOG.error(
+ "Protection Algorithm is not available when expecting PBE protected response containing protection algorithm");
+ throw new CmpClientException(
+ "Protection Algorithm is not available when expecting PBE protected response containing protection algorithm");
+ }
+ }
+
+ private List<List<X509Certificate>> checkCmpCertRepMessage(final PKIMessage respPkiMessage)
+ throws CmpClientException {
+ final PKIBody pkiBody = respPkiMessage.getBody();
+ if (Objects.nonNull(pkiBody) && pkiBody.getContent() instanceof CertRepMessage) {
+ final CertRepMessage certRepMessage = (CertRepMessage) pkiBody.getContent();
+ if (Objects.nonNull(certRepMessage)) {
+ final CertResponse certResponse =
+ getCertificateResponseContainingNewCertificate(certRepMessage);
+ try {
+ return verifyReturnCertChainAndTrustStore(respPkiMessage, certRepMessage, certResponse);
+ } catch (IOException | CertificateParsingException ex) {
+ CmpClientException cmpClientException =
+ new CmpClientException(
+ "Exception occurred while retrieving Certificates from response", ex);
+ LOG.error("Exception occurred while retrieving Certificates from response", ex);
+ throw cmpClientException;
+ }
+ } else {
+ return new ArrayList<>(Collections.emptyList());
+ }
}
- } else {
return new ArrayList<>(Collections.emptyList());
- }
}
- return new ArrayList<>(Collections.emptyList());
- }
-
- private List<List<X509Certificate>> verifyReturnCertChainAndTrustStore(
- PKIMessage respPkiMessage, CertRepMessage certRepMessage, CertResponse certResponse)
- throws CertificateParsingException, CmpClientException, IOException {
- LOG.info("Verifying certificates returned as part of CertResponse.");
- final CMPCertificate cmpCertificate =
- certResponse.getCertifiedKeyPair().getCertOrEncCert().getCertificate();
- final Optional<X509Certificate> leafCertificate =
- getCertfromByteArray(cmpCertificate.getEncoded(), X509Certificate.class);
- if (leafCertificate.isPresent()) {
- return verifyAndReturnCertChainAndTrustSTore(
- respPkiMessage, certRepMessage, leafCertificate.get());
+
+ private List<List<X509Certificate>> verifyReturnCertChainAndTrustStore(
+ PKIMessage respPkiMessage, CertRepMessage certRepMessage, CertResponse certResponse)
+ throws CertificateParsingException, CmpClientException, IOException {
+ LOG.info("Verifying certificates returned as part of CertResponse.");
+ final CMPCertificate cmpCertificate =
+ certResponse.getCertifiedKeyPair().getCertOrEncCert().getCertificate();
+ final Optional<X509Certificate> leafCertificate =
+ getCertfromByteArray(cmpCertificate.getEncoded(), X509Certificate.class);
+ if (leafCertificate.isPresent()) {
+ return verifyAndReturnCertChainAndTrustSTore(
+ respPkiMessage, certRepMessage, leafCertificate.get());
+ }
+ return Collections.emptyList();
}
- return Collections.emptyList();
- }
-
- private CertResponse getCertificateResponseContainingNewCertificate(
- CertRepMessage certRepMessage) {
- return certRepMessage.getResponse()[0];
- }
-
- /**
- * Validate inputs for Certificate Creation.
- *
- * @param csrMeta CSRMeta Object containing variables for creating a Certificate Request.
- * @param cert Certificate object needed to validate response from CA server.
- * @param incomingCaName Date specifying certificate is not valid before this date.
- * @param incomingProfile Date specifying certificate is not valid after this date.
- * @throws IllegalArgumentException if Before Date is set after the After Date.
- */
- private void validate(
- final CSRMeta csrMeta,
- final X509Certificate cert,
- final String incomingCaName,
- final String incomingProfile,
- final CloseableHttpClient httpClient,
- final Date notBefore,
- final Date notAfter) {
-
- String caName;
- String caProfile;
- caName = CmpUtil.isNullOrEmpty(incomingCaName) ? incomingCaName : DEFAULT_CA_NAME;
- caProfile = CmpUtil.isNullOrEmpty(incomingProfile) ? incomingProfile : DEFAULT_PROFILE;
- LOG.info(
- "Validate before creating Certificate Request for CA :{} in Mode {} ", caName, caProfile);
-
- CmpUtil.notNull(csrMeta, "CSRMeta Instance");
- CmpUtil.notNull(csrMeta.getX500Name(), "Subject DN");
- CmpUtil.notNull(csrMeta.getIssuerX500Name(), "Issuer DN");
- CmpUtil.notNull(csrMeta.getPassword(), "IAK/RV Password");
- CmpUtil.notNull(cert, "Certificate Signing Request (CSR)");
- CmpUtil.notNull(csrMeta.getCaUrl(), "External CA URL");
- CmpUtil.notNull(csrMeta.getKeyPairOrGenerateIfNull(), "Subject KeyPair");
- CmpUtil.notNull(httpClient, "Closeable Http Client");
-
- if (notBefore != null && notAfter != null && notBefore.compareTo(notAfter) > 0) {
- throw new IllegalArgumentException("Before Date is set after the After Date");
+
+ private CertResponse getCertificateResponseContainingNewCertificate(
+ CertRepMessage certRepMessage) {
+ return certRepMessage.getResponse()[0];
}
- }
-
- private List<List<X509Certificate>> retrieveCertificates(
- String caName, CSRMeta csrMeta, PKIMessage pkiMessage, Cmpv2HttpClient cmpv2HttpClient)
- throws CmpClientException {
- final byte[] respBytes = cmpv2HttpClient.postRequest(pkiMessage, csrMeta.getCaUrl(), caName);
- try {
- final PKIMessage respPkiMessage = PKIMessage.getInstance(respBytes);
- LOG.info("Received response from Server");
- checkIfCmpResponseContainsError(respPkiMessage);
- checkCmpResponse(respPkiMessage, csrMeta.getKeyPairOrGenerateIfNull().getPublic(), csrMeta.getPassword());
- return checkCmpCertRepMessage(respPkiMessage);
- } catch (IllegalArgumentException iae) {
- CmpClientException cmpClientException =
- new CmpClientException(
- "Error encountered while processing response from CA server ", iae);
- LOG.error("Error encountered while processing response from CA server ", iae);
- throw cmpClientException;
+
+ /**
+ * Validate inputs for Certificate Creation.
+ *
+ * @param csrMeta CSRMeta Object containing variables for creating a Certificate Request.
+ * @param cert Certificate object needed to validate response from CA server.
+ * @param incomingCaName Date specifying certificate is not valid before this date.
+ * @param incomingProfile Date specifying certificate is not valid after this date.
+ * @throws IllegalArgumentException if Before Date is set after the After Date.
+ */
+ private void validate(
+ final CsrMeta csrMeta,
+ final X509Certificate cert,
+ final String incomingCaName,
+ final String incomingProfile,
+ final CloseableHttpClient httpClient,
+ final Date notBefore,
+ final Date notAfter) {
+
+ String caName;
+ String caProfile;
+ caName = CmpUtil.isNullOrEmpty(incomingCaName) ? incomingCaName : DEFAULT_CA_NAME;
+ caProfile = CmpUtil.isNullOrEmpty(incomingProfile) ? incomingProfile : DEFAULT_PROFILE;
+ LOG.info(
+ "Validate before creating Certificate Request for CA :{} in Mode {} ", caName, caProfile);
+
+ CmpUtil.notNull(csrMeta, "CSRMeta Instance");
+ CmpUtil.notNull(csrMeta.getX500Name(), "Subject DN");
+ CmpUtil.notNull(csrMeta.getIssuerX500Name(), "Issuer DN");
+ CmpUtil.notNull(csrMeta.getPassword(), "IAK/RV Password");
+ CmpUtil.notNull(cert, "Certificate Signing Request (CSR)");
+ CmpUtil.notNull(csrMeta.getCaUrl(), "External CA URL");
+ CmpUtil.notNull(csrMeta.getKeyPairOrGenerateIfNull(), "Subject KeyPair");
+ CmpUtil.notNull(httpClient, "Closeable Http Client");
+
+ if (notBefore != null && notAfter != null && notBefore.compareTo(notAfter) > 0) {
+ throw new IllegalArgumentException("Before Date is set after the After Date");
+ }
+ }
+
+ private List<List<X509Certificate>> retrieveCertificates(
+ String caName, CsrMeta csrMeta, PKIMessage pkiMessage, Cmpv2HttpClient cmpv2HttpClient)
+ throws CmpClientException {
+ final byte[] respBytes = cmpv2HttpClient.postRequest(pkiMessage, csrMeta.getCaUrl(), caName);
+ try {
+ final PKIMessage respPkiMessage = PKIMessage.getInstance(respBytes);
+ LOG.info("Received response from Server");
+ checkIfCmpResponseContainsError(respPkiMessage);
+ checkCmpResponse(respPkiMessage, csrMeta.getKeyPairOrGenerateIfNull().getPublic(), csrMeta.getPassword());
+ return checkCmpCertRepMessage(respPkiMessage);
+ } catch (IllegalArgumentException iae) {
+ CmpClientException cmpClientException =
+ new CmpClientException(
+ "Error encountered while processing response from CA server ", iae);
+ LOG.error("Error encountered while processing response from CA server ", iae);
+ throw cmpClientException;
+ }
}
- }
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageBuilder.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageBuilder.java
index 2ab9b2cf..1f370f93 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageBuilder.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageBuilder.java
@@ -26,30 +26,32 @@ import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Supplier;
-/** Generic Builder Class for creating CMP Message. */
-public class CmpMessageBuilder<T> {
-
- private final Supplier<T> instantiator;
- private final List<Consumer<T>> instanceModifiers = new ArrayList<>();
-
- public CmpMessageBuilder(Supplier<T> instantiator) {
- this.instantiator = instantiator;
- }
-
- public static <T> CmpMessageBuilder<T> of(Supplier<T> instantiator) {
- return new CmpMessageBuilder<>(instantiator);
- }
-
- public <U> CmpMessageBuilder<T> with(BiConsumer<T, U> consumer, U value) {
- Consumer<T> c = instance -> consumer.accept(instance, value);
- instanceModifiers.add(c);
- return this;
- }
-
- public T build() {
- T value = instantiator.get();
- instanceModifiers.forEach(modifier -> modifier.accept(value));
- instanceModifiers.clear();
- return value;
- }
+/**
+ * Generic Builder Class for creating CMP Message.
+ */
+public final class CmpMessageBuilder<T> {
+
+ private final Supplier<T> instantiator;
+ private final List<Consumer<T>> instanceModifiers = new ArrayList<>();
+
+ public CmpMessageBuilder(Supplier<T> instantiator) {
+ this.instantiator = instantiator;
+ }
+
+ public static <T> CmpMessageBuilder<T> of(Supplier<T> instantiator) {
+ return new CmpMessageBuilder<>(instantiator);
+ }
+
+ public <U> CmpMessageBuilder<T> with(BiConsumer<T, U> consumer, U value) {
+ Consumer<T> valueConsumer = instance -> consumer.accept(instance, value);
+ instanceModifiers.add(valueConsumer);
+ return this;
+ }
+
+ public T build() {
+ T value = instantiator.get();
+ instanceModifiers.forEach(modifier -> modifier.accept(value));
+ instanceModifiers.clear();
+ return value;
+ }
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java
index 48b2336f..6fcc5f14 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java
@@ -37,6 +37,7 @@ import java.util.List;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
+
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
@@ -69,176 +70,177 @@ import org.slf4j.LoggerFactory;
public final class CmpMessageHelper {
- private static final Logger LOG = LoggerFactory.getLogger(CmpMessageHelper.class);
- private static final AlgorithmIdentifier OWF_ALGORITHM =
- new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
- private static final AlgorithmIdentifier MAC_ALGORITHM =
- new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.2.9"));
- private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC =
- new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
-
- private CmpMessageHelper() {}
-
- /**
- * Creates an Optional Validity, which is used to specify how long the returned cert should be
- * valid for.
- *
- * @param notBefore Date specifying certificate is not valid before this date.
- * @param notAfter Date specifying certificate is not valid after this date.
- * @return {@link OptionalValidity} that can be set for certificate on external CA.
- */
- public static OptionalValidity generateOptionalValidity(
- final Date notBefore, final Date notAfter) {
- LOG.info("Generating Optional Validity from Date objects");
- ASN1EncodableVector optionalValidityV = new ASN1EncodableVector();
- if (notBefore != null) {
- Time nb = new Time(notBefore);
- optionalValidityV.add(new DERTaggedObject(true, 0, nb));
+ private static final Logger LOG = LoggerFactory.getLogger(CmpMessageHelper.class);
+ private static final AlgorithmIdentifier OWF_ALGORITHM =
+ new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
+ private static final AlgorithmIdentifier MAC_ALGORITHM =
+ new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.2.9"));
+ private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC =
+ new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
+
+ private CmpMessageHelper() {
}
- if (notAfter != null) {
- Time na = new Time(notAfter);
- optionalValidityV.add(new DERTaggedObject(true, 1, na));
+
+ /**
+ * Creates an Optional Validity, which is used to specify how long the returned cert should be
+ * valid for.
+ *
+ * @param notBefore Date specifying certificate is not valid before this date.
+ * @param notAfter Date specifying certificate is not valid after this date.
+ * @return {@link OptionalValidity} that can be set for certificate on external CA.
+ */
+ public static OptionalValidity generateOptionalValidity(
+ final Date notBefore, final Date notAfter) {
+ LOG.info("Generating Optional Validity from Date objects");
+ ASN1EncodableVector optionalValidityV = new ASN1EncodableVector();
+ if (notBefore != null) {
+ Time nb = new Time(notBefore);
+ optionalValidityV.add(new DERTaggedObject(true, 0, nb));
+ }
+ if (notAfter != null) {
+ Time na = new Time(notAfter);
+ optionalValidityV.add(new DERTaggedObject(true, 1, na));
+ }
+ return OptionalValidity.getInstance(new DERSequence(optionalValidityV));
}
- return OptionalValidity.getInstance(new DERSequence(optionalValidityV));
- }
-
- /**
- * Create Extensions from Subject Alternative Names.
- *
- * @return {@link Extensions}.
- */
- public static Extensions generateExtension(final List<String> sansList)
- throws CmpClientException {
- LOG.info("Generating Extensions from Subject Alternative Names");
- final ExtensionsGenerator extGenerator = new ExtensionsGenerator();
- final GeneralName[] sansGeneralNames = getGeneralNames(sansList);
- // KeyUsage
- try {
- final KeyUsage keyUsage =
- new KeyUsage(
- KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation);
- extGenerator.addExtension(Extension.keyUsage, false, new DERBitString(keyUsage));
- extGenerator.addExtension(
- Extension.subjectAlternativeName, false, new GeneralNames(sansGeneralNames));
- } catch (IOException ioe) {
- CmpClientException cmpClientException =
- new CmpClientException(
- "Exception occurred while creating extensions for PKIMessage", ioe);
- LOG.error("Exception occurred while creating extensions for PKIMessage");
- throw cmpClientException;
+
+ /**
+ * Create Extensions from Subject Alternative Names.
+ *
+ * @return {@link Extensions}.
+ */
+ public static Extensions generateExtension(final List<String> sansList)
+ throws CmpClientException {
+ LOG.info("Generating Extensions from Subject Alternative Names");
+ final ExtensionsGenerator extGenerator = new ExtensionsGenerator();
+ final GeneralName[] sansGeneralNames = getGeneralNames(sansList);
+ // KeyUsage
+ try {
+ final KeyUsage keyUsage =
+ new KeyUsage(
+ KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation);
+ extGenerator.addExtension(Extension.keyUsage, false, new DERBitString(keyUsage));
+ extGenerator.addExtension(
+ Extension.subjectAlternativeName, false, new GeneralNames(sansGeneralNames));
+ } catch (IOException ioe) {
+ CmpClientException cmpClientException =
+ new CmpClientException(
+ "Exception occurred while creating extensions for PKIMessage", ioe);
+ LOG.error("Exception occurred while creating extensions for PKIMessage");
+ throw cmpClientException;
+ }
+ return extGenerator.generate();
}
- return extGenerator.generate();
- }
- public static GeneralName[] getGeneralNames(List<String> sansList) {
- final List<GeneralName> nameList = new ArrayList<>();
- for (String san : sansList) {
- nameList.add(new GeneralName(GeneralName.dNSName, san));
+ public static GeneralName[] getGeneralNames(List<String> sansList) {
+ final List<GeneralName> nameList = new ArrayList<>();
+ for (String san : sansList) {
+ nameList.add(new GeneralName(GeneralName.dNSName, san));
+ }
+ final GeneralName[] sansGeneralNames = new GeneralName[nameList.size()];
+ nameList.toArray(sansGeneralNames);
+ return sansGeneralNames;
}
- final GeneralName[] sansGeneralNames = new GeneralName[nameList.size()];
- nameList.toArray(sansGeneralNames);
- return sansGeneralNames;
- }
-
- /**
- * Method generates Proof-of-Possession (POP) of Private Key. To allow a CA/RA to properly
- * validity binding between an End Entity and a Key Pair, the PKI Operations specified here make
- * it possible for an End Entity to prove that it has possession of the Private Key corresponding
- * to the Public Key for which a Certificate is requested.
- *
- * @param certRequest Certificate request that requires proof of possession
- * @param keypair keypair associated with the subject sending the certificate request
- * @return {@link ProofOfPossession}.
- * @throws CmpClientException A general-purpose Cmp client exception.
- */
- public static ProofOfPossession generateProofOfPossession(
- final CertRequest certRequest, final KeyPair keypair) throws CmpClientException {
- ProofOfPossession proofOfPossession;
- try (final ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream()) {
- final DEROutputStream derOutputStream = new DEROutputStream(byteArrayOutputStream);
- derOutputStream.writeObject(certRequest);
-
- byte[] popoProtectionBytes = byteArrayOutputStream.toByteArray();
- final String sigalg = PKCSObjectIdentifiers.sha256WithRSAEncryption.getId();
- final Signature signature = Signature.getInstance(sigalg, BouncyCastleProvider.PROVIDER_NAME);
- signature.initSign(keypair.getPrivate());
- signature.update(popoProtectionBytes);
- DERBitString bs = new DERBitString(signature.sign());
-
- proofOfPossession =
- new ProofOfPossession(
- new POPOSigningKey(
- null, new AlgorithmIdentifier(new ASN1ObjectIdentifier(sigalg)), bs));
- } catch (IOException
- | NoSuchProviderException
- | NoSuchAlgorithmException
- | InvalidKeyException
- | SignatureException ex) {
- CmpClientException cmpClientException =
- new CmpClientException(
- "Exception occurred while creating proof of possession for PKIMessage", ex);
- LOG.error("Exception occurred while creating proof of possession for PKIMessage");
- throw cmpClientException;
+
+ /**
+ * Method generates Proof-of-Possession (POP) of Private Key. To allow a CA/RA to properly
+ * validity binding between an End Entity and a Key Pair, the PKI Operations specified here make
+ * it possible for an End Entity to prove that it has possession of the Private Key corresponding
+ * to the Public Key for which a Certificate is requested.
+ *
+ * @param certRequest Certificate request that requires proof of possession
+ * @param keypair keypair associated with the subject sending the certificate request
+ * @return {@link ProofOfPossession}.
+ * @throws CmpClientException A general-purpose Cmp client exception.
+ */
+ public static ProofOfPossession generateProofOfPossession(
+ final CertRequest certRequest, final KeyPair keypair) throws CmpClientException {
+ ProofOfPossession proofOfPossession;
+ try (ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream()) {
+ final DEROutputStream derOutputStream = new DEROutputStream(byteArrayOutputStream);
+ derOutputStream.writeObject(certRequest);
+
+ byte[] popoProtectionBytes = byteArrayOutputStream.toByteArray();
+ final String sigalg = PKCSObjectIdentifiers.sha256WithRSAEncryption.getId();
+ final Signature signature = Signature.getInstance(sigalg, BouncyCastleProvider.PROVIDER_NAME);
+ signature.initSign(keypair.getPrivate());
+ signature.update(popoProtectionBytes);
+ DERBitString bs = new DERBitString(signature.sign());
+
+ proofOfPossession =
+ new ProofOfPossession(
+ new POPOSigningKey(
+ null, new AlgorithmIdentifier(new ASN1ObjectIdentifier(sigalg)), bs));
+ } catch (IOException
+ | NoSuchProviderException
+ | NoSuchAlgorithmException
+ | InvalidKeyException
+ | SignatureException ex) {
+ CmpClientException cmpClientException =
+ new CmpClientException(
+ "Exception occurred while creating proof of possession for PKIMessage", ex);
+ LOG.error("Exception occurred while creating proof of possession for PKIMessage");
+ throw cmpClientException;
+ }
+ return proofOfPossession;
}
- return proofOfPossession;
- }
-
- /**
- * Generic code to create Algorithm Identifier for protection of PKIMessage.
- *
- * @return Algorithm Identifier
- */
- public static AlgorithmIdentifier protectionAlgoIdentifier(int iterations, byte[] salt) {
- ASN1Integer iteration = new ASN1Integer(iterations);
- DEROctetString derSalt = new DEROctetString(salt);
-
- PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM);
- return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp);
- }
-
- /**
- * Adds protection to the PKIMessage via a specified protection algorithm.
- *
- * @param password password used to authenticate PkiMessage with external CA
- * @param pkiHeader Header of PKIMessage containing generic details for any PKIMessage
- * @param pkiBody Body of PKIMessage containing specific details for certificate request
- * @return Protected Pki Message
- * @throws CmpClientException Wraps several exceptions into one general-purpose exception.
- */
- public static PKIMessage protectPkiMessage(
- PKIHeader pkiHeader, PKIBody pkiBody, String password, int iterations, byte[] salt)
- throws CmpClientException {
-
- byte[] raSecret = password.getBytes();
- byte[] basekey = new byte[raSecret.length + salt.length];
- System.arraycopy(raSecret, 0, basekey, 0, raSecret.length);
- System.arraycopy(salt, 0, basekey, raSecret.length, salt.length);
- byte[] out;
- try {
- MessageDigest dig =
- MessageDigest.getInstance(
- OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
- for (int i = 0; i < iterations; i++) {
- basekey = dig.digest(basekey);
- dig.reset();
- }
- byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody);
- Mac mac =
- Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
- SecretKey key = new SecretKeySpec(basekey, MAC_ALGORITHM.getAlgorithm().getId());
- mac.init(key);
- mac.reset();
- mac.update(protectedBytes, 0, protectedBytes.length);
- out = mac.doFinal();
- } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeyException ex) {
- CmpClientException cmpClientException =
- new CmpClientException(
- "Exception occurred while generating proof of possession for PKIMessage", ex);
- LOG.error("Exception occured while generating the proof of possession for PKIMessage");
- throw cmpClientException;
+
+ /**
+ * Generic code to create Algorithm Identifier for protection of PKIMessage.
+ *
+ * @return Algorithm Identifier
+ */
+ public static AlgorithmIdentifier protectionAlgoIdentifier(int iterations, byte[] salt) {
+ ASN1Integer iteration = new ASN1Integer(iterations);
+ DEROctetString derSalt = new DEROctetString(salt);
+
+ PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM);
+ return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp);
}
- DERBitString bs = new DERBitString(out);
- return new PKIMessage(pkiHeader, pkiBody, bs);
- }
+ /**
+ * Adds protection to the PKIMessage via a specified protection algorithm.
+ *
+ * @param password password used to authenticate PkiMessage with external CA
+ * @param pkiHeader Header of PKIMessage containing generic details for any PKIMessage
+ * @param pkiBody Body of PKIMessage containing specific details for certificate request
+ * @return Protected Pki Message
+ * @throws CmpClientException Wraps several exceptions into one general-purpose exception.
+ */
+ public static PKIMessage protectPkiMessage(
+ PKIHeader pkiHeader, PKIBody pkiBody, String password, int iterations, byte[] salt)
+ throws CmpClientException {
+
+ byte[] raSecret = password.getBytes();
+ byte[] basekey = new byte[raSecret.length + salt.length];
+ System.arraycopy(raSecret, 0, basekey, 0, raSecret.length);
+ System.arraycopy(salt, 0, basekey, raSecret.length, salt.length);
+ byte[] out;
+ try {
+ MessageDigest dig =
+ MessageDigest.getInstance(
+ OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
+ for (int i = 0; i < iterations; i++) {
+ basekey = dig.digest(basekey);
+ dig.reset();
+ }
+ byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody);
+ Mac mac =
+ Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
+ SecretKey key = new SecretKeySpec(basekey, MAC_ALGORITHM.getAlgorithm().getId());
+ mac.init(key);
+ mac.reset();
+ mac.update(protectedBytes, 0, protectedBytes.length);
+ out = mac.doFinal();
+ } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeyException ex) {
+ CmpClientException cmpClientException =
+ new CmpClientException(
+ "Exception occurred while generating proof of possession for PKIMessage", ex);
+ LOG.error("Exception occured while generating the proof of possession for PKIMessage");
+ throw cmpClientException;
+ }
+ DERBitString bs = new DERBitString(out);
+
+ return new PKIMessage(pkiHeader, pkiBody, bs);
+ }
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpResponseHelper.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpResponseHelper.java
index 60d91c5f..b2a7b29e 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpResponseHelper.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpResponseHelper.java
@@ -43,6 +43,7 @@ import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
+
import org.bouncycastle.asn1.cmp.CMPCertificate;
import org.bouncycastle.asn1.cmp.CertRepMessage;
import org.bouncycastle.asn1.cmp.ErrorMsgContent;
@@ -54,318 +55,319 @@ import org.onap.aaf.certservice.cmpv2client.exceptions.PkiErrorException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-public class CmpResponseHelper {
-
- private static final Logger LOG = LoggerFactory.getLogger(CmpResponseHelper.class);
+public final class CmpResponseHelper {
- private CmpResponseHelper() {}
+ private static final Logger LOG = LoggerFactory.getLogger(CmpResponseHelper.class);
- public static void checkIfCmpResponseContainsError(PKIMessage respPkiMessage)
- throws CmpClientException {
- if (respPkiMessage.getBody().getType() == PKIBody.TYPE_ERROR) {
- final ErrorMsgContent errorMsgContent =
- (ErrorMsgContent) respPkiMessage.getBody().getContent();
- PkiErrorException pkiErrorException =
- new PkiErrorException(
- errorMsgContent.getPKIStatusInfo().getStatusString().getStringAt(0).getString());
- CmpClientException cmpClientException =
- new CmpClientException("Error in the PkiMessage response", pkiErrorException);
- LOG.error("Error in the PkiMessage response: {} ", pkiErrorException.getMessage());
- throw cmpClientException;
+ private CmpResponseHelper() {
}
- }
-
- /**
- * @param cert byte array that contains certificate
- * @param returnType the type of Certificate to be returned, for example X509Certificate.class.
- * Certificate.class can be used if certificate type is unknown.
- * @throws CertificateParsingException if the byte array does not contain a proper certificate.
- */
- public static <T extends Certificate> Optional<X509Certificate> getCertfromByteArray(
- byte[] cert, Class<T> returnType) throws CertificateParsingException, CmpClientException {
- LOG.debug("Retrieving certificate of type {} from byte array.", returnType);
- return getCertfromByteArray(cert, BouncyCastleProvider.PROVIDER_NAME, returnType);
- }
- /**
- * @param cert byte array that contains certificate
- * @param provider provider used to generate certificate from bytes
- * @param returnType the type of Certificate to be returned, for example X509Certificate.class.
- * Certificate.class can be used if certificate type is unknown.
- * @throws CertificateParsingException if the byte array does not contain a proper certificate.
- */
- public static <T extends Certificate> Optional<X509Certificate> getCertfromByteArray(
- byte[] cert, String provider, Class<T> returnType)
- throws CertificateParsingException, CmpClientException {
- String prov = provider;
- if (provider == null) {
- prov = BouncyCastleProvider.PROVIDER_NAME;
+ public static void checkIfCmpResponseContainsError(PKIMessage respPkiMessage)
+ throws CmpClientException {
+ if (respPkiMessage.getBody().getType() == PKIBody.TYPE_ERROR) {
+ final ErrorMsgContent errorMsgContent =
+ (ErrorMsgContent) respPkiMessage.getBody().getContent();
+ PkiErrorException pkiErrorException =
+ new PkiErrorException(
+ errorMsgContent.getPKIStatusInfo().getStatusString().getStringAt(0).getString());
+ CmpClientException cmpClientException =
+ new CmpClientException("Error in the PkiMessage response", pkiErrorException);
+ LOG.error("Error in the PkiMessage response: {} ", pkiErrorException.getMessage());
+ throw cmpClientException;
+ }
}
- if (returnType.equals(X509Certificate.class)) {
- return parseX509Certificate(prov, cert);
+ /**
+ * @param cert byte array that contains certificate
+ * @param returnType the type of Certificate to be returned, for example X509Certificate.class.
+ * Certificate.class can be used if certificate type is unknown.
+ * @throws CertificateParsingException if the byte array does not contain a proper certificate.
+ */
+ public static <T extends Certificate> Optional<X509Certificate> getCertfromByteArray(
+ byte[] cert, Class<T> returnType) throws CertificateParsingException, CmpClientException {
+ LOG.debug("Retrieving certificate of type {} from byte array.", returnType);
+ return getCertfromByteArray(cert, BouncyCastleProvider.PROVIDER_NAME, returnType);
}
- return Optional.empty();
- }
- /**
- * Check the certificate with CA certificate.
- *
- * @param caCertChain Collection of X509Certificates. May not be null, an empty list or a
- * Collection with null entries.
- * @throws CmpClientException if verification failed
- */
- public static void verify(List<X509Certificate> caCertChain) throws CmpClientException {
- int iterator = 1;
- while (iterator < caCertChain.size()) {
- verify(caCertChain.get(iterator - 1), caCertChain.get(iterator), null);
- iterator += 1;
+ /**
+ * @param cert byte array that contains certificate
+ * @param provider provider used to generate certificate from bytes
+ * @param returnType the type of Certificate to be returned, for example X509Certificate.class.
+ * Certificate.class can be used if certificate type is unknown.
+ * @throws CertificateParsingException if the byte array does not contain a proper certificate.
+ */
+ public static <T extends Certificate> Optional<X509Certificate> getCertfromByteArray(
+ byte[] cert, String provider, Class<T> returnType)
+ throws CertificateParsingException, CmpClientException {
+ String prov = provider;
+ if (provider == null) {
+ prov = BouncyCastleProvider.PROVIDER_NAME;
+ }
+
+ if (returnType.equals(X509Certificate.class)) {
+ return parseX509Certificate(prov, cert);
+ }
+ return Optional.empty();
}
- }
- /**
- * Check the certificate with CA certificate.
- *
- * @param certificate X.509 certificate to verify. May not be null.
- * @param caCertChain Collection of X509Certificates. May not be null, an empty list or a
- * Collection with null entries.
- * @param date Date to verify at, or null to use current time.
- * @param pkixCertPathCheckers optional PKIXCertPathChecker implementations to use during cert
- * path validation
- * @throws CmpClientException if certificate could not be validated
- */
- public static void verify(
- X509Certificate certificate,
- X509Certificate caCertChain,
- Date date,
- PKIXCertPathChecker... pkixCertPathCheckers)
- throws CmpClientException {
- try {
- verifyCertificates(certificate, caCertChain, date, pkixCertPathCheckers);
- } catch (CertPathValidatorException cpve) {
- CmpClientException cmpClientException =
- new CmpClientException(
- "Invalid certificate or certificate not issued by specified CA: ", cpve);
- LOG.error("Invalid certificate or certificate not issued by specified CA: ", cpve);
- throw cmpClientException;
- } catch (CertificateException ce) {
- CmpClientException cmpClientException =
- new CmpClientException("Something was wrong with the supplied certificate", ce);
- LOG.error("Something was wrong with the supplied certificate", ce);
- throw cmpClientException;
- } catch (NoSuchProviderException nspe) {
- CmpClientException cmpClientException =
- new CmpClientException("BouncyCastle provider not found.", nspe);
- LOG.error("BouncyCastle provider not found.", nspe);
- throw cmpClientException;
- } catch (NoSuchAlgorithmException nsae) {
- CmpClientException cmpClientException =
- new CmpClientException("Algorithm PKIX was not found.", nsae);
- LOG.error("Algorithm PKIX was not found.", nsae);
- throw cmpClientException;
- } catch (InvalidAlgorithmParameterException iape) {
- CmpClientException cmpClientException =
- new CmpClientException(
- "Either ca certificate chain was empty,"
- + " or the certificate was on an inappropriate type for a PKIX path checker.",
- iape);
- LOG.error(
- "Either ca certificate chain was empty, "
- + "or the certificate was on an inappropriate type for a PKIX path checker.",
- iape);
- throw cmpClientException;
+ /**
+ * Check the certificate with CA certificate.
+ *
+ * @param caCertChain Collection of X509Certificates. May not be null, an empty list or a
+ * Collection with null entries.
+ * @throws CmpClientException if verification failed
+ */
+ public static void verify(List<X509Certificate> caCertChain) throws CmpClientException {
+ int iterator = 1;
+ while (iterator < caCertChain.size()) {
+ verify(caCertChain.get(iterator - 1), caCertChain.get(iterator), null);
+ iterator += 1;
+ }
}
- }
- public static void verifyCertificates(
- X509Certificate certificate,
- X509Certificate caCertChain,
- Date date,
- PKIXCertPathChecker[] pkixCertPathCheckers)
- throws CertificateException, NoSuchProviderException, InvalidAlgorithmParameterException,
- NoSuchAlgorithmException, CertPathValidatorException {
- LOG.debug(
- "Verifying certificate {} as part of cert chain with certificate {}",
- certificate.getSubjectDN().getName(),
- caCertChain.getSubjectDN().getName());
- CertPath cp = getCertPath(certificate);
- PKIXParameters params = getPkixParameters(caCertChain, date, pkixCertPathCheckers);
- CertPathValidator cpv =
- CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
- PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
- if (LOG.isDebugEnabled()) {
- LOG.debug("Certificate verify result:{} ", result);
+ /**
+ * Check the certificate with CA certificate.
+ *
+ * @param certificate X.509 certificate to verify. May not be null.
+ * @param caCertChain Collection of X509Certificates. May not be null, an empty list or a
+ * Collection with null entries.
+ * @param date Date to verify at, or null to use current time.
+ * @param pkixCertPathCheckers optional PKIXCertPathChecker implementations to use during cert
+ * path validation
+ * @throws CmpClientException if certificate could not be validated
+ */
+ public static void verify(
+ X509Certificate certificate,
+ X509Certificate caCertChain,
+ Date date,
+ PKIXCertPathChecker... pkixCertPathCheckers)
+ throws CmpClientException {
+ try {
+ verifyCertificates(certificate, caCertChain, date, pkixCertPathCheckers);
+ } catch (CertPathValidatorException cpve) {
+ CmpClientException cmpClientException =
+ new CmpClientException(
+ "Invalid certificate or certificate not issued by specified CA: ", cpve);
+ LOG.error("Invalid certificate or certificate not issued by specified CA: ", cpve);
+ throw cmpClientException;
+ } catch (CertificateException ce) {
+ CmpClientException cmpClientException =
+ new CmpClientException("Something was wrong with the supplied certificate", ce);
+ LOG.error("Something was wrong with the supplied certificate", ce);
+ throw cmpClientException;
+ } catch (NoSuchProviderException nspe) {
+ CmpClientException cmpClientException =
+ new CmpClientException("BouncyCastle provider not found.", nspe);
+ LOG.error("BouncyCastle provider not found.", nspe);
+ throw cmpClientException;
+ } catch (NoSuchAlgorithmException nsae) {
+ CmpClientException cmpClientException =
+ new CmpClientException("Algorithm PKIX was not found.", nsae);
+ LOG.error("Algorithm PKIX was not found.", nsae);
+ throw cmpClientException;
+ } catch (InvalidAlgorithmParameterException iape) {
+ CmpClientException cmpClientException =
+ new CmpClientException(
+ "Either ca certificate chain was empty,"
+ + " or the certificate was on an inappropriate type for a PKIX path checker.",
+ iape);
+ LOG.error(
+ "Either ca certificate chain was empty, "
+ + "or the certificate was on an inappropriate type for a PKIX path checker.",
+ iape);
+ throw cmpClientException;
+ }
}
- }
- public static PKIXParameters getPkixParameters(
- X509Certificate caCertChain, Date date, PKIXCertPathChecker[] pkixCertPathCheckers)
- throws InvalidAlgorithmParameterException {
- TrustAnchor anchor = new TrustAnchor(caCertChain, null);
- PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
- for (final PKIXCertPathChecker pkixCertPathChecker : pkixCertPathCheckers) {
- params.addCertPathChecker(pkixCertPathChecker);
+ public static void verifyCertificates(
+ X509Certificate certificate,
+ X509Certificate caCertChain,
+ Date date,
+ PKIXCertPathChecker[] pkixCertPathCheckers)
+ throws CertificateException, NoSuchProviderException, InvalidAlgorithmParameterException,
+ NoSuchAlgorithmException, CertPathValidatorException {
+ LOG.debug(
+ "Verifying certificate {} as part of cert chain with certificate {}",
+ certificate.getSubjectDN().getName(),
+ caCertChain.getSubjectDN().getName());
+ CertPath cp = getCertPath(certificate);
+ PKIXParameters params = getPkixParameters(caCertChain, date, pkixCertPathCheckers);
+ CertPathValidator cpv =
+ CertPathValidator.getInstance("PKIX", BouncyCastleProvider.PROVIDER_NAME);
+ PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult) cpv.validate(cp, params);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("Certificate verify result:{} ", result);
+ }
}
- params.setRevocationEnabled(false);
- params.setDate(date);
- return params;
- }
- public static CertPath getCertPath(X509Certificate certificate)
- throws CertificateException, NoSuchProviderException {
- ArrayList<X509Certificate> certlist = new ArrayList<>();
- certlist.add(certificate);
- return CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME)
- .generateCertPath(certlist);
- }
+ public static PKIXParameters getPkixParameters(
+ X509Certificate caCertChain, Date date, PKIXCertPathChecker[] pkixCertPathCheckers)
+ throws InvalidAlgorithmParameterException {
+ TrustAnchor anchor = new TrustAnchor(caCertChain, null);
+ PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
+ for (final PKIXCertPathChecker pkixCertPathChecker : pkixCertPathCheckers) {
+ params.addCertPathChecker(pkixCertPathChecker);
+ }
+ params.setRevocationEnabled(false);
+ params.setDate(date);
+ return params;
+ }
- /**
- * Parse a X509Certificate from an array of bytes
- *
- * @param provider a provider name
- * @param cert a byte array containing an encoded certificate
- * @return a decoded X509Certificate
- * @throws CertificateParsingException if the byte array wasn't valid, or contained a certificate
- * other than an X509 Certificate.
- */
- public static Optional<X509Certificate> parseX509Certificate(String provider, byte[] cert)
- throws CertificateParsingException, CmpClientException {
- LOG.debug("Parsing X509Certificate from bytes with provider {}", provider);
- final CertificateFactory cf = getCertificateFactory(provider);
- X509Certificate result;
- try {
- result =
- (X509Certificate)
- Objects.requireNonNull(cf).generateCertificate(new ByteArrayInputStream(cert));
- } catch (CertificateException ce) {
- throw new CertificateParsingException("Could not parse byte array as X509Certificate ", ce);
+ public static CertPath getCertPath(X509Certificate certificate)
+ throws CertificateException, NoSuchProviderException {
+ ArrayList<X509Certificate> certlist = new ArrayList<>();
+ certlist.add(certificate);
+ return CertificateFactory.getInstance("X.509", BouncyCastleProvider.PROVIDER_NAME)
+ .generateCertPath(certlist);
}
- if (result != null) {
- return Optional.of(result);
- } else {
- throw new CertificateParsingException("Could not parse byte array as X509Certificate.");
+
+ /**
+ * Parse a X509Certificate from an array of bytes
+ *
+ * @param provider a provider name
+ * @param cert a byte array containing an encoded certificate
+ * @return a decoded X509Certificate
+ * @throws CertificateParsingException if the byte array wasn't valid, or contained a certificate
+ * other than an X509 Certificate.
+ */
+ public static Optional<X509Certificate> parseX509Certificate(String provider, byte[] cert)
+ throws CertificateParsingException, CmpClientException {
+ LOG.debug("Parsing X509Certificate from bytes with provider {}", provider);
+ final CertificateFactory cf = getCertificateFactory(provider);
+ X509Certificate result;
+ try {
+ result =
+ (X509Certificate)
+ Objects.requireNonNull(cf).generateCertificate(new ByteArrayInputStream(cert));
+ } catch (CertificateException ce) {
+ throw new CertificateParsingException("Could not parse byte array as X509Certificate ", ce);
+ }
+ if (result != null) {
+ return Optional.of(result);
+ } else {
+ throw new CertificateParsingException("Could not parse byte array as X509Certificate.");
+ }
}
- }
- /**
- * Returns a CertificateFactory that can be used to create certificates from byte arrays and such.
- *
- * @param provider Security provider that should be used to create certificates, default BC is
- * null is passed.
- * @return CertificateFactory for creating certificate
- */
- public static CertificateFactory getCertificateFactory(final String provider)
- throws CmpClientException {
- LOG.debug("Creating certificate Factory to generate certificate using provider {}", provider);
- final String prov;
- prov = Objects.requireNonNullElse(provider, BouncyCastleProvider.PROVIDER_NAME);
- try {
- return CertificateFactory.getInstance("X.509", prov);
- } catch (NoSuchProviderException nspe) {
- CmpClientException cmpClientException = new CmpClientException("NoSuchProvider: ", nspe);
- LOG.error("NoSuchProvider: ", nspe);
- throw cmpClientException;
- } catch (CertificateException ce) {
- CmpClientException cmpClientException = new CmpClientException("CertificateException: ", ce);
- LOG.error("CertificateException: ", ce);
- throw cmpClientException;
+ /**
+ * Returns a CertificateFactory that can be used to create certificates from byte arrays and such.
+ *
+ * @param provider Security provider that should be used to create certificates, default BC is
+ * null is passed.
+ * @return CertificateFactory for creating certificate
+ */
+ public static CertificateFactory getCertificateFactory(final String provider)
+ throws CmpClientException {
+ LOG.debug("Creating certificate Factory to generate certificate using provider {}", provider);
+ final String prov;
+ prov = Objects.requireNonNullElse(provider, BouncyCastleProvider.PROVIDER_NAME);
+ try {
+ return CertificateFactory.getInstance("X.509", prov);
+ } catch (NoSuchProviderException nspe) {
+ CmpClientException cmpClientException = new CmpClientException("NoSuchProvider: ", nspe);
+ LOG.error("NoSuchProvider: ", nspe);
+ throw cmpClientException;
+ } catch (CertificateException ce) {
+ CmpClientException cmpClientException = new CmpClientException("CertificateException: ", ce);
+ LOG.error("CertificateException: ", ce);
+ throw cmpClientException;
+ }
}
- }
- /**
- * puts together certChain and Trust store and verifies the certChain
- *
- * @param respPkiMessage PKIMessage that may contain extra certs used for certchain
- * @param certRepMessage CertRepMessage that should contain rootCA for certchain
- * @param leafCertificate certificate returned from our original Cert Request
- * @return list of two lists, CertChain and TrustStore
- * @throws CertificateParsingException thrown if error occurs while parsing certificate
- * @throws IOException thrown if IOException occurs while parsing certificate
- * @throws CmpClientException thrown if error occurs during the verification of the certChain
- */
- public static List<List<X509Certificate>> verifyAndReturnCertChainAndTrustSTore(
- PKIMessage respPkiMessage, CertRepMessage certRepMessage, X509Certificate leafCertificate)
- throws CertificateParsingException, IOException, CmpClientException {
- List<X509Certificate> certChain =
- addExtraCertsToChain(respPkiMessage, certRepMessage, leafCertificate);
- List<String> certNames = getNamesOfCerts(certChain);
- LOG.debug("Verifying the following certificates in the cert chain: {}", certNames);
- verify(certChain);
- ArrayList<X509Certificate> trustStore = new ArrayList<>();
- final int rootCaIndex = certChain.size() - 1;
- trustStore.add(certChain.get(rootCaIndex));
- certChain.remove(rootCaIndex);
- List<List<X509Certificate>> listOfArray = new ArrayList<>();
- listOfArray.add(certChain);
- listOfArray.add(trustStore);
- return listOfArray;
- }
+ /**
+ * puts together certChain and Trust store and verifies the certChain
+ *
+ * @param respPkiMessage PKIMessage that may contain extra certs used for certchain
+ * @param certRepMessage CertRepMessage that should contain rootCA for certchain
+ * @param leafCertificate certificate returned from our original Cert Request
+ * @return list of two lists, CertChain and TrustStore
+ * @throws CertificateParsingException thrown if error occurs while parsing certificate
+ * @throws IOException thrown if IOException occurs while parsing certificate
+ * @throws CmpClientException thrown if error occurs during the verification of the certChain
+ */
+ public static List<List<X509Certificate>> verifyAndReturnCertChainAndTrustSTore(
+ PKIMessage respPkiMessage, CertRepMessage certRepMessage, X509Certificate leafCertificate)
+ throws CertificateParsingException, IOException, CmpClientException {
+ List<X509Certificate> certChain =
+ addExtraCertsToChain(respPkiMessage, certRepMessage, leafCertificate);
+ List<String> certNames = getNamesOfCerts(certChain);
+ LOG.debug("Verifying the following certificates in the cert chain: {}", certNames);
+ verify(certChain);
+ ArrayList<X509Certificate> trustStore = new ArrayList<>();
+ final int rootCaIndex = certChain.size() - 1;
+ trustStore.add(certChain.get(rootCaIndex));
+ certChain.remove(rootCaIndex);
+ List<List<X509Certificate>> listOfArray = new ArrayList<>();
+ listOfArray.add(certChain);
+ listOfArray.add(trustStore);
+ return listOfArray;
+ }
- public static List<String> getNamesOfCerts(List<X509Certificate> certChain) {
- List<String> certNames = new ArrayList<>();
- certChain.forEach(cert -> certNames.add(cert.getSubjectDN().getName()));
- return certNames;
- }
+ public static List<String> getNamesOfCerts(List<X509Certificate> certChain) {
+ List<String> certNames = new ArrayList<>();
+ certChain.forEach(cert -> certNames.add(cert.getSubjectDN().getName()));
+ return certNames;
+ }
- /**
- * checks whether PKIMessage contains extracerts to create certchain, if not creates from caPubs
- *
- * @param respPkiMessage PKIMessage that may contain extra certs used for certchain
- * @param certRepMessage CertRepMessage that should contain rootCA for certchain
- * @param leafCert certificate at top of certChain.
- * @throws CertificateParsingException thrown if error occurs while parsing certificate
- * @throws IOException thrown if IOException occurs while parsing certificate
- * @throws CmpClientException thrown if there are errors creating CertificateFactory
- */
- public static List<X509Certificate> addExtraCertsToChain(
- PKIMessage respPkiMessage, CertRepMessage certRepMessage, X509Certificate leafCert)
- throws CertificateParsingException, IOException, CmpClientException {
- List<X509Certificate> certChain = new ArrayList<>();
- certChain.add(leafCert);
- if (respPkiMessage.getExtraCerts() != null) {
- final CMPCertificate[] extraCerts = respPkiMessage.getExtraCerts();
- for (CMPCertificate cmpCert : extraCerts) {
- Optional<X509Certificate> cert =
- getCertfromByteArray(cmpCert.getEncoded(), X509Certificate.class);
- certChain =
- ifCertPresent(
- certChain,
- cert,
- "Adding certificate from extra certs {} to cert chain",
- "Couldn't add certificate from extra certs, certificate wasn't an X509Certificate");
- return certChain;
- }
- } else {
- final CMPCertificate respCmpCaCert = getRootCa(certRepMessage);
- Optional<X509Certificate> cert =
- getCertfromByteArray(respCmpCaCert.getEncoded(), X509Certificate.class);
- certChain =
- ifCertPresent(
- certChain,
- cert,
- "Adding certificate from CaPubs {} to TrustStore",
- "Couldn't add certificate from CaPubs, certificate wasn't an X509Certificate");
- return certChain;
+ /**
+ * checks whether PKIMessage contains extracerts to create certchain, if not creates from caPubs
+ *
+ * @param respPkiMessage PKIMessage that may contain extra certs used for certchain
+ * @param certRepMessage CertRepMessage that should contain rootCA for certchain
+ * @param leafCert certificate at top of certChain.
+ * @throws CertificateParsingException thrown if error occurs while parsing certificate
+ * @throws IOException thrown if IOException occurs while parsing certificate
+ * @throws CmpClientException thrown if there are errors creating CertificateFactory
+ */
+ public static List<X509Certificate> addExtraCertsToChain(
+ PKIMessage respPkiMessage, CertRepMessage certRepMessage, X509Certificate leafCert)
+ throws CertificateParsingException, IOException, CmpClientException {
+ List<X509Certificate> certChain = new ArrayList<>();
+ certChain.add(leafCert);
+ if (respPkiMessage.getExtraCerts() != null) {
+ final CMPCertificate[] extraCerts = respPkiMessage.getExtraCerts();
+ for (CMPCertificate cmpCert : extraCerts) {
+ Optional<X509Certificate> cert =
+ getCertfromByteArray(cmpCert.getEncoded(), X509Certificate.class);
+ certChain =
+ ifCertPresent(
+ certChain,
+ cert,
+ "Adding certificate from extra certs {} to cert chain",
+ "Couldn't add certificate from extra certs, certificate wasn't an X509Certificate");
+ return certChain;
+ }
+ } else {
+ final CMPCertificate respCmpCaCert = getRootCa(certRepMessage);
+ Optional<X509Certificate> cert =
+ getCertfromByteArray(respCmpCaCert.getEncoded(), X509Certificate.class);
+ certChain =
+ ifCertPresent(
+ certChain,
+ cert,
+ "Adding certificate from CaPubs {} to TrustStore",
+ "Couldn't add certificate from CaPubs, certificate wasn't an X509Certificate");
+ return certChain;
+ }
+ return Collections.emptyList();
}
- return Collections.emptyList();
- }
- public static List<X509Certificate> ifCertPresent(
- List<X509Certificate> certChain,
- Optional<X509Certificate> cert,
- String certPresentString,
- String certUnavailableString) {
- if (cert.isPresent()) {
- LOG.debug(certPresentString, cert.get().getSubjectDN().getName());
- certChain.add(cert.get());
- return certChain;
- } else {
- LOG.debug(certUnavailableString);
- return certChain;
+ public static List<X509Certificate> ifCertPresent(
+ List<X509Certificate> certChain,
+ Optional<X509Certificate> cert,
+ String certPresentString,
+ String certUnavailableString) {
+ if (cert.isPresent()) {
+ LOG.debug(certPresentString, cert.get().getSubjectDN().getName());
+ certChain.add(cert.get());
+ return certChain;
+ } else {
+ LOG.debug(certUnavailableString);
+ return certChain;
+ }
}
- }
- private static CMPCertificate getRootCa(CertRepMessage certRepMessage) {
- return certRepMessage.getCaPubs()[0];
- }
+ private static CMPCertificate getRootCa(CertRepMessage certRepMessage) {
+ return certRepMessage.getCaPubs()[0];
+ }
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpResponseValidationHelper.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpResponseValidationHelper.java
index 8191c69d..4b9f2cd1 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpResponseValidationHelper.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpResponseValidationHelper.java
@@ -34,6 +34,7 @@ import java.util.Objects;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
+
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
@@ -55,184 +56,186 @@ import org.slf4j.LoggerFactory;
public final class CmpResponseValidationHelper {
- private static final Logger LOG = LoggerFactory.getLogger(CmpResponseValidationHelper.class);
+ private static final Logger LOG = LoggerFactory.getLogger(CmpResponseValidationHelper.class);
+
+ private CmpResponseValidationHelper() {
+ }
- private CmpResponseValidationHelper() {}
+ /**
+ * Create a base key to use for verifying the PasswordBasedMac on a PKIMessage
+ *
+ * @param pbmParamSeq parameters recieved in PKIMessage used with password
+ * @param initAuthPassword password used to decrypt the basekey
+ * @return bytes representing the basekey
+ * @throws CmpClientException thrown if algorithem exceptions occur for the message digest
+ */
+ public static byte[] getBaseKeyFromPbmParameters(
+ PBMParameter pbmParamSeq, String initAuthPassword) throws CmpClientException {
+ final int iterationCount = pbmParamSeq.getIterationCount().getPositiveValue().intValue();
+ LOG.info("Iteration count is: {}", iterationCount);
+ final AlgorithmIdentifier owfAlg = pbmParamSeq.getOwf();
+ LOG.info("One Way Function type is: {}", owfAlg.getAlgorithm().getId());
+ final byte[] salt = pbmParamSeq.getSalt().getOctets();
+ final byte[] raSecret = initAuthPassword != null ? initAuthPassword.getBytes() : new byte[0];
+ byte[] basekey = new byte[raSecret.length + salt.length];
+ System.arraycopy(raSecret, 0, basekey, 0, raSecret.length);
+ System.arraycopy(salt, 0, basekey, raSecret.length, salt.length);
+ try {
+ final MessageDigest messageDigest =
+ MessageDigest.getInstance(
+ owfAlg.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
+ for (int i = 0; i < iterationCount; i++) {
+ basekey = messageDigest.digest(basekey);
+ messageDigest.reset();
+ }
+ } catch (NoSuchAlgorithmException | NoSuchProviderException ex) {
+ LOG.error("ProtectionBytes don't match passwordBasedProtection, authentication failed");
+ throw new CmpClientException(
+ "ProtectionBytes don't match passwordBasedProtection, authentication failed", ex);
+ }
+ return basekey;
+ }
- /**
- * Create a base key to use for verifying the PasswordBasedMac on a PKIMessage
- *
- * @param pbmParamSeq parameters recieved in PKIMessage used with password
- * @param initAuthPassword password used to decrypt the basekey
- * @return bytes representing the basekey
- * @throws CmpClientException thrown if algorithem exceptions occur for the message digest
- */
- public static byte[] getBaseKeyFromPbmParameters(
- PBMParameter pbmParamSeq, String initAuthPassword) throws CmpClientException {
- final int iterationCount = pbmParamSeq.getIterationCount().getPositiveValue().intValue();
- LOG.info("Iteration count is: {}", iterationCount);
- final AlgorithmIdentifier owfAlg = pbmParamSeq.getOwf();
- LOG.info("One Way Function type is: {}", owfAlg.getAlgorithm().getId());
- final byte[] salt = pbmParamSeq.getSalt().getOctets();
- final byte[] raSecret = initAuthPassword != null ? initAuthPassword.getBytes() : new byte[0];
- byte[] basekey = new byte[raSecret.length + salt.length];
- System.arraycopy(raSecret, 0, basekey, 0, raSecret.length);
- System.arraycopy(salt, 0, basekey, raSecret.length, salt.length);
- try {
- final MessageDigest messageDigest =
- MessageDigest.getInstance(
- owfAlg.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
- for (int i = 0; i < iterationCount; i++) {
- basekey = messageDigest.digest(basekey);
- messageDigest.reset();
- }
- } catch (NoSuchAlgorithmException | NoSuchProviderException ex) {
- LOG.error("ProtectionBytes don't match passwordBasedProtection, authentication failed");
- throw new CmpClientException(
- "ProtectionBytes don't match passwordBasedProtection, authentication failed", ex);
+ /**
+ * Verifies the signature of the response message using our public key
+ *
+ * @param respPkiMessage PKIMessage we wish to verify signature for
+ * @param pk public key used to verify signature.
+ * @throws CmpClientException
+ */
+ public static void verifySignature(PKIMessage respPkiMessage, PublicKey pk)
+ throws CmpClientException {
+ final byte[] protBytes = getProtectedBytes(respPkiMessage);
+ final DERBitString derBitString = respPkiMessage.getProtection();
+ try {
+ final Signature signature =
+ Signature.getInstance(
+ PKCSObjectIdentifiers.sha256WithRSAEncryption.getId(),
+ BouncyCastleProvider.PROVIDER_NAME);
+ signature.initVerify(pk);
+ signature.update(protBytes);
+ signature.verify(derBitString.getBytes());
+ } catch (NoSuchAlgorithmException
+ | NoSuchProviderException
+ | InvalidKeyException
+ | SignatureException e) {
+ CmpClientException clientException =
+ new CmpClientException("Signature Verification failed", e);
+ LOG.error("Signature Verification failed", e);
+ throw clientException;
+ }
}
- return basekey;
- }
- /**
- * Verifies the signature of the response message using our public key
- *
- * @param respPkiMessage PKIMessage we wish to verify signature for
- * @param pk public key used to verify signature.
- * @throws CmpClientException
- */
- public static void verifySignature(PKIMessage respPkiMessage, PublicKey pk)
- throws CmpClientException {
- final byte[] protBytes = getProtectedBytes(respPkiMessage);
- final DERBitString derBitString = respPkiMessage.getProtection();
- try {
- final Signature signature =
- Signature.getInstance(
- PKCSObjectIdentifiers.sha256WithRSAEncryption.getId(),
- BouncyCastleProvider.PROVIDER_NAME);
- signature.initVerify(pk);
- signature.update(protBytes);
- signature.verify(derBitString.getBytes());
- } catch (NoSuchAlgorithmException
- | NoSuchProviderException
- | InvalidKeyException
- | SignatureException e) {
- CmpClientException clientException =
- new CmpClientException("Signature Verification failed", e);
- LOG.error("Signature Verification failed", e);
- throw clientException;
+ /**
+ * Converts the header and the body of a PKIMessage to an ASN1Encodable and returns the as a byte
+ * array
+ *
+ * @param msg PKIMessage to get protected bytes from
+ * @return the PKIMessage's header and body in byte array
+ */
+ public static byte[] getProtectedBytes(PKIMessage msg) throws CmpClientException {
+ return getProtectedBytes(msg.getHeader(), msg.getBody());
}
- }
- /**
- * Converts the header and the body of a PKIMessage to an ASN1Encodable and returns the as a byte
- * array
- *
- * @param msg PKIMessage to get protected bytes from
- * @return the PKIMessage's header and body in byte array
- */
- public static byte[] getProtectedBytes(PKIMessage msg) throws CmpClientException {
- return getProtectedBytes(msg.getHeader(), msg.getBody());
- }
- /**
- * Converts the header and the body of a PKIMessage to an ASN1Encodable and returns the as a byte
- * array
- *
- * @param header PKIHeader to be converted
- * @param body PKIMessage to be converted
- * @return the PKIMessage's header and body in byte array
- */
- public static byte[] getProtectedBytes(PKIHeader header, PKIBody body) throws CmpClientException {
- byte[] res;
- ASN1EncodableVector v = new ASN1EncodableVector();
- v.add(header);
- v.add(body);
- ASN1Encodable protectedPart = new DERSequence(v);
- try {
- ByteArrayOutputStream bao = new ByteArrayOutputStream();
- DEROutputStream out = new DEROutputStream(bao);
- out.writeObject(protectedPart);
- res = bao.toByteArray();
- } catch (IOException ioe) {
- CmpClientException cmpClientException =
- new CmpClientException("Error occured while getting protected bytes", ioe);
- LOG.error("Error occured while getting protected bytes", ioe);
- throw cmpClientException;
+ /**
+ * Converts the header and the body of a PKIMessage to an ASN1Encodable and returns the as a byte
+ * array
+ *
+ * @param header PKIHeader to be converted
+ * @param body PKIMessage to be converted
+ * @return the PKIMessage's header and body in byte array
+ */
+ public static byte[] getProtectedBytes(PKIHeader header, PKIBody body) throws CmpClientException {
+ byte[] res;
+ ASN1EncodableVector encodableVector = new ASN1EncodableVector();
+ encodableVector.add(header);
+ encodableVector.add(body);
+ ASN1Encodable protectedPart = new DERSequence(encodableVector);
+ try {
+ ByteArrayOutputStream bao = new ByteArrayOutputStream();
+ DEROutputStream out = new DEROutputStream(bao);
+ out.writeObject(protectedPart);
+ res = bao.toByteArray();
+ } catch (IOException ioe) {
+ CmpClientException cmpClientException =
+ new CmpClientException("Error occured while getting protected bytes", ioe);
+ LOG.error("Error occured while getting protected bytes", ioe);
+ throw cmpClientException;
+ }
+ return res;
}
- return res;
- }
- /**
- * verify the password based protection within the response message
- *
- * @param respPkiMessage PKIMessage we want to verify password based protection for
- * @param initAuthPassword password used to decrypt protection
- * @param protectionAlgo protection algorithm we can use to decrypt protection
- * @throws CmpClientException
- */
- public static void verifyPasswordBasedProtection(
- PKIMessage respPkiMessage, String initAuthPassword, AlgorithmIdentifier protectionAlgo)
- throws CmpClientException {
- final byte[] protectedBytes = getProtectedBytes(respPkiMessage);
- final PBMParameter pbmParamSeq = PBMParameter.getInstance(protectionAlgo.getParameters());
- if (Objects.nonNull(pbmParamSeq)) {
- try {
- byte[] basekey = getBaseKeyFromPbmParameters(pbmParamSeq, initAuthPassword);
- final Mac mac = getMac(protectedBytes, pbmParamSeq, basekey);
- final byte[] outBytes = mac.doFinal();
- final byte[] protectionBytes = respPkiMessage.getProtection().getBytes();
- if (!Arrays.equals(outBytes, protectionBytes)) {
- LOG.error("protectionBytes don't match passwordBasedProtection, authentication failed");
- throw new CmpClientException(
- "protectionBytes don't match passwordBasedProtection, authentication failed");
+ /**
+ * verify the password based protection within the response message
+ *
+ * @param respPkiMessage PKIMessage we want to verify password based protection for
+ * @param initAuthPassword password used to decrypt protection
+ * @param protectionAlgo protection algorithm we can use to decrypt protection
+ * @throws CmpClientException
+ */
+ public static void verifyPasswordBasedProtection(
+ PKIMessage respPkiMessage, String initAuthPassword, AlgorithmIdentifier protectionAlgo)
+ throws CmpClientException {
+ final byte[] protectedBytes = getProtectedBytes(respPkiMessage);
+ final PBMParameter pbmParamSeq = PBMParameter.getInstance(protectionAlgo.getParameters());
+ if (Objects.nonNull(pbmParamSeq)) {
+ try {
+ byte[] basekey = getBaseKeyFromPbmParameters(pbmParamSeq, initAuthPassword);
+ final Mac mac = getMac(protectedBytes, pbmParamSeq, basekey);
+ final byte[] outBytes = mac.doFinal();
+ final byte[] protectionBytes = respPkiMessage.getProtection().getBytes();
+ if (!Arrays.equals(outBytes, protectionBytes)) {
+ LOG.error("protectionBytes don't match passwordBasedProtection, authentication failed");
+ throw new CmpClientException(
+ "protectionBytes don't match passwordBasedProtection, authentication failed");
+ }
+ } catch (NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException ex) {
+ CmpClientException cmpClientException =
+ new CmpClientException("Error while validating CMP response ", ex);
+ LOG.error("Error while validating CMP response ", ex);
+ throw cmpClientException;
+ }
}
- } catch (NoSuchProviderException | NoSuchAlgorithmException | InvalidKeyException ex) {
- CmpClientException cmpClientException =
- new CmpClientException("Error while validating CMP response ", ex);
- LOG.error("Error while validating CMP response ", ex);
- throw cmpClientException;
- }
}
- }
- public static void checkImplicitConfirm(PKIHeader header) {
- InfoTypeAndValue[] infos = header.getGeneralInfo();
- if (Objects.nonNull(infos)) {
- if (CMPObjectIdentifiers.it_implicitConfirm.equals(getImplicitConfirm(infos))) {
- LOG.info("Implicit Confirm on certificate from server.");
- } else {
- LOG.debug("No Implicit confirm in Response");
- }
- } else {
- LOG.debug("No general Info in header of response, cannot verify implicit confirm");
+ public static void checkImplicitConfirm(PKIHeader header) {
+ InfoTypeAndValue[] infos = header.getGeneralInfo();
+ if (Objects.nonNull(infos)) {
+ if (CMPObjectIdentifiers.it_implicitConfirm.equals(getImplicitConfirm(infos))) {
+ LOG.info("Implicit Confirm on certificate from server.");
+ } else {
+ LOG.debug("No Implicit confirm in Response");
+ }
+ } else {
+ LOG.debug("No general Info in header of response, cannot verify implicit confirm");
+ }
}
- }
- public static ASN1ObjectIdentifier getImplicitConfirm(InfoTypeAndValue[] info) {
- return info[0].getInfoType();
- }
+ public static ASN1ObjectIdentifier getImplicitConfirm(InfoTypeAndValue[] info) {
+ return info[0].getInfoType();
+ }
- /**
- * Get cryptographical Mac we can use to decrypt our PKIMessage
- *
- * @param protectedBytes Protected bytes representing the PKIMessage
- * @param pbmParamSeq Parameters used to decrypt PKIMessage, including mac algorithm used
- * @param basekey Key used alongside mac Oid to create secret key for decrypting PKIMessage
- * @return Mac that's ready to return decrypted bytes
- * @throws NoSuchAlgorithmException Possibly thrown trying to get mac instance
- * @throws NoSuchProviderException Possibly thrown trying to get mac instance
- * @throws InvalidKeyException Possibly thrown trying to initialize mac using secretkey
- */
- public static Mac getMac(byte[] protectedBytes, PBMParameter pbmParamSeq, byte[] basekey)
- throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException {
- final AlgorithmIdentifier macAlg = pbmParamSeq.getMac();
- LOG.info("Mac type is: {}", macAlg.getAlgorithm().getId());
- final String macOid = macAlg.getAlgorithm().getId();
- final Mac mac = Mac.getInstance(macOid, BouncyCastleProvider.PROVIDER_NAME);
- final SecretKey key = new SecretKeySpec(basekey, macOid);
- mac.init(key);
- mac.reset();
- mac.update(protectedBytes, 0, protectedBytes.length);
- return mac;
- }
+ /**
+ * Get cryptographical Mac we can use to decrypt our PKIMessage
+ *
+ * @param protectedBytes Protected bytes representing the PKIMessage
+ * @param pbmParamSeq Parameters used to decrypt PKIMessage, including mac algorithm used
+ * @param basekey Key used alongside mac Oid to create secret key for decrypting PKIMessage
+ * @return Mac that's ready to return decrypted bytes
+ * @throws NoSuchAlgorithmException Possibly thrown trying to get mac instance
+ * @throws NoSuchProviderException Possibly thrown trying to get mac instance
+ * @throws InvalidKeyException Possibly thrown trying to initialize mac using secretkey
+ */
+ public static Mac getMac(byte[] protectedBytes, PBMParameter pbmParamSeq, byte[] basekey)
+ throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException {
+ final AlgorithmIdentifier macAlg = pbmParamSeq.getMac();
+ LOG.info("Mac type is: {}", macAlg.getAlgorithm().getId());
+ final String macOid = macAlg.getAlgorithm().getId();
+ final Mac mac = Mac.getInstance(macOid, BouncyCastleProvider.PROVIDER_NAME);
+ final SecretKey key = new SecretKeySpec(basekey, macOid);
+ mac.init(key);
+ mac.reset();
+ mac.update(protectedBytes, 0, protectedBytes.length);
+ return mac;
+ }
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpUtil.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpUtil.java
index 1bda4ac1..ced0fed0 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpUtil.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpUtil.java
@@ -25,6 +25,7 @@ import java.io.IOException;
import java.security.SecureRandom;
import java.util.Date;
import java.util.Objects;
+
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
@@ -45,105 +46,108 @@ import org.slf4j.LoggerFactory;
public final class CmpUtil {
- private static final Logger LOGGER = LoggerFactory.getLogger(CmpUtil.class);
- private static final SecureRandom secureRandom = new SecureRandom();
+ private static final Logger LOGGER = LoggerFactory.getLogger(CmpUtil.class);
+ private static final SecureRandom SECURE_RANDOM = new SecureRandom();
+ public static final int RANDOM_BYTE_LENGTH = 16;
+ public static final int RANDOM_SEED = 1000;
- private CmpUtil() {}
+ private CmpUtil() {
+ }
- /**
- * Validates specified object reference is not null.
- *
- * @param argument T - the type of the reference.
- * @param message message - detail message to be used in the event that a NullPointerException is
- * thrown.
- * @return The Object if not null
- */
- public static <T> T notNull(T argument, String message) {
- return Objects.requireNonNull(argument, message + " must not be null");
- }
+ /**
+ * Validates specified object reference is not null.
+ *
+ * @param argument T - the type of the reference.
+ * @param message message - detail message to be used in the event that a NullPointerException is
+ * thrown.
+ * @return The Object if not null
+ */
+ public static <T> T notNull(T argument, String message) {
+ return Objects.requireNonNull(argument, message + " must not be null");
+ }
- /**
- * Validates String object reference is not null and not empty.
- *
- * @param stringArg String Object that need to be validated.
- * @return boolean
- */
- public static boolean isNullOrEmpty(String stringArg) {
- return (stringArg != null && !stringArg.trim().isEmpty());
- }
+ /**
+ * Validates String object reference is not null and not empty.
+ *
+ * @param stringArg String Object that need to be validated.
+ * @return boolean
+ */
+ public static boolean isNullOrEmpty(String stringArg) {
+ return (stringArg != null && !stringArg.trim().isEmpty());
+ }
- /**
- * Creates a random number than can be used for sendernonce, transactionId and salts.
- *
- * @return bytes containing a random number string representing a nonce
- */
- static byte[] createRandomBytes() {
- LOGGER.info("Generating random array of bytes");
- byte[] randomBytes = new byte[16];
- secureRandom.nextBytes(randomBytes);
- return randomBytes;
- }
+ /**
+ * Creates a random number than can be used for sendernonce, transactionId and salts.
+ *
+ * @return bytes containing a random number string representing a nonce
+ */
+ static byte[] createRandomBytes() {
+ LOGGER.info("Generating random array of bytes");
+ byte[] randomBytes = new byte[RANDOM_BYTE_LENGTH];
+ SECURE_RANDOM.nextBytes(randomBytes);
+ return randomBytes;
+ }
- /**
- * Creates a random integer than can be used to represent a transactionId or determine the number
- * iterations in a protection algorithm.
- *
- * @return bytes containing a random number string representing a nonce
- */
- static int createRandomInt(int range) {
- LOGGER.info("Generating random integer");
- return secureRandom.nextInt(range) + 1000;
- }
+ /**
+ * Creates a random integer than can be used to represent a transactionId or determine the number
+ * iterations in a protection algorithm.
+ *
+ * @return bytes containing a random number string representing a nonce
+ */
+ static int createRandomInt(int range) {
+ LOGGER.info("Generating random integer");
+ return SECURE_RANDOM.nextInt(range) + RANDOM_SEED;
+ }
- /**
- * Generates protected bytes of a combined PKIHeader and PKIBody.
- *
- * @param header Header of PKIMessage containing common parameters
- * @param body Body of PKIMessage containing specific information for message
- * @return bytes representing the PKIHeader and PKIBody thats to be protected
- */
- static byte[] generateProtectedBytes(PKIHeader header, PKIBody body) throws CmpClientException {
- LOGGER.info("Generating array of bytes representing PkiHeader and PkiBody");
- byte[] res;
- ASN1EncodableVector vector = new ASN1EncodableVector();
- vector.add(header);
- vector.add(body);
- ASN1Encodable protectedPart = new DERSequence(vector);
- try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
- DEROutputStream out = new DEROutputStream(baos);
- out.writeObject(protectedPart);
- res = baos.toByteArray();
- } catch (IOException ioe) {
- CmpClientException cmpClientException =
- new CmpClientException("IOException occurred while creating protectedBytes", ioe);
- LOGGER.error("IOException occurred while creating protectedBytes");
- throw cmpClientException;
+ /**
+ * Generates protected bytes of a combined PKIHeader and PKIBody.
+ *
+ * @param header Header of PKIMessage containing common parameters
+ * @param body Body of PKIMessage containing specific information for message
+ * @return bytes representing the PKIHeader and PKIBody thats to be protected
+ */
+ static byte[] generateProtectedBytes(PKIHeader header, PKIBody body) throws CmpClientException {
+ LOGGER.info("Generating array of bytes representing PkiHeader and PkiBody");
+ byte[] res;
+ ASN1EncodableVector vector = new ASN1EncodableVector();
+ vector.add(header);
+ vector.add(body);
+ ASN1Encodable protectedPart = new DERSequence(vector);
+ try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
+ DEROutputStream out = new DEROutputStream(baos);
+ out.writeObject(protectedPart);
+ res = baos.toByteArray();
+ } catch (IOException ioe) {
+ CmpClientException cmpClientException =
+ new CmpClientException("IOException occurred while creating protectedBytes", ioe);
+ LOGGER.error("IOException occurred while creating protectedBytes");
+ throw cmpClientException;
+ }
+ return res;
}
- return res;
- }
- /**
- * Generates a PKIHeader Builder object.
- *
- * @param subjectDn distinguished name of Subject
- * @param issuerDn distinguished name of external CA
- * @param protectionAlg protection Algorithm used to protect PKIMessage
- * @return PKIHeaderBuilder
- */
- static PKIHeader generatePkiHeader(
- X500Name subjectDn, X500Name issuerDn, AlgorithmIdentifier protectionAlg, String senderKid) {
- LOGGER.info("Generating a Pki Header Builder");
- PKIHeaderBuilder pkiHeaderBuilder =
- new PKIHeaderBuilder(
- PKIHeader.CMP_2000, new GeneralName(subjectDn), new GeneralName(issuerDn));
+ /**
+ * Generates a PKIHeader Builder object.
+ *
+ * @param subjectDn distinguished name of Subject
+ * @param issuerDn distinguished name of external CA
+ * @param protectionAlg protection Algorithm used to protect PKIMessage
+ * @return PKIHeaderBuilder
+ */
+ static PKIHeader generatePkiHeader(
+ X500Name subjectDn, X500Name issuerDn, AlgorithmIdentifier protectionAlg, String senderKid) {
+ LOGGER.info("Generating a Pki Header Builder");
+ PKIHeaderBuilder pkiHeaderBuilder =
+ new PKIHeaderBuilder(
+ PKIHeader.CMP_2000, new GeneralName(subjectDn), new GeneralName(issuerDn));
- pkiHeaderBuilder.setMessageTime(new ASN1GeneralizedTime(new Date()));
- pkiHeaderBuilder.setSenderNonce(new DEROctetString(createRandomBytes()));
- pkiHeaderBuilder.setTransactionID(new DEROctetString(createRandomBytes()));
- pkiHeaderBuilder.setProtectionAlg(protectionAlg);
- pkiHeaderBuilder.setGeneralInfo(new InfoTypeAndValue(CMPObjectIdentifiers.it_implicitConfirm));
- pkiHeaderBuilder.setSenderKID(new DEROctetString(senderKid.getBytes()));
+ pkiHeaderBuilder.setMessageTime(new ASN1GeneralizedTime(new Date()));
+ pkiHeaderBuilder.setSenderNonce(new DEROctetString(createRandomBytes()));
+ pkiHeaderBuilder.setTransactionID(new DEROctetString(createRandomBytes()));
+ pkiHeaderBuilder.setProtectionAlg(protectionAlg);
+ pkiHeaderBuilder.setGeneralInfo(new InfoTypeAndValue(CMPObjectIdentifiers.it_implicitConfirm));
+ pkiHeaderBuilder.setSenderKID(new DEROctetString(senderKid.getBytes()));
- return pkiHeaderBuilder.build();
- }
+ return pkiHeaderBuilder.build();
+ }
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/Cmpv2HttpClient.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/Cmpv2HttpClient.java
index 682e410d..68c743d2 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/Cmpv2HttpClient.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/Cmpv2HttpClient.java
@@ -22,6 +22,7 @@ package org.onap.aaf.certservice.cmpv2client.impl;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
+
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ByteArrayEntity;
@@ -33,50 +34,50 @@ import org.slf4j.LoggerFactory;
class Cmpv2HttpClient {
- private static final Logger LOG = LoggerFactory.getLogger(Cmpv2HttpClient.class);
+ private static final Logger LOG = LoggerFactory.getLogger(Cmpv2HttpClient.class);
- private static final String CONTENT_TYPE = "Content-type";
- private static final String CMP_REQUEST_MIMETYPE = "application/pkixcmp";
- private final CloseableHttpClient httpClient;
+ private static final String CONTENT_TYPE = "Content-type";
+ private static final String CMP_REQUEST_MIMETYPE = "application/pkixcmp";
+ private final CloseableHttpClient httpClient;
- /**
- * constructor for Cmpv2HttpClient
- *
- * @param httpClient CloseableHttpClient used for sending/recieve request.
- */
- public Cmpv2HttpClient(CloseableHttpClient httpClient) {
- this.httpClient = httpClient;
- }
+ /**
+ * constructor for Cmpv2HttpClient
+ *
+ * @param httpClient CloseableHttpClient used for sending/recieve request.
+ */
+ Cmpv2HttpClient(CloseableHttpClient httpClient) {
+ this.httpClient = httpClient;
+ }
- /**
- * Send Post Request to Server
- *
- * @param pkiMessage PKIMessage to send to server
- * @param urlString url for the server we're sending request
- * @param caName name of CA server
- * @return PKIMessage received from CMPServer
- * @throws CmpClientException thrown if problems with connecting or parsing response to server
- */
- public byte[] postRequest(
- final PKIMessage pkiMessage, final String urlString, final String caName)
- throws CmpClientException {
- try (final ByteArrayOutputStream byteArrOutputStream = new ByteArrayOutputStream()) {
- final HttpPost postRequest = new HttpPost(urlString);
- final byte[] requestBytes = pkiMessage.getEncoded();
+ /**
+ * Send Post Request to Server
+ *
+ * @param pkiMessage PKIMessage to send to server
+ * @param urlString url for the server we're sending request
+ * @param caName name of CA server
+ * @return PKIMessage received from CMPServer
+ * @throws CmpClientException thrown if problems with connecting or parsing response to server
+ */
+ public byte[] postRequest(
+ final PKIMessage pkiMessage, final String urlString, final String caName)
+ throws CmpClientException {
+ try (ByteArrayOutputStream byteArrOutputStream = new ByteArrayOutputStream()) {
+ final HttpPost postRequest = new HttpPost(urlString);
+ final byte[] requestBytes = pkiMessage.getEncoded();
- postRequest.setEntity(new ByteArrayEntity(requestBytes));
- postRequest.setHeader(CONTENT_TYPE, CMP_REQUEST_MIMETYPE);
+ postRequest.setEntity(new ByteArrayEntity(requestBytes));
+ postRequest.setHeader(CONTENT_TYPE, CMP_REQUEST_MIMETYPE);
- try (CloseableHttpResponse response = httpClient.execute(postRequest)) {
- response.getEntity().writeTo(byteArrOutputStream);
- }
- return byteArrOutputStream.toByteArray();
- } catch (IOException ioe) {
- CmpClientException cmpClientException =
- new CmpClientException(
- String.format("IOException error while trying to connect CA %s", caName), ioe);
- LOG.error("IOException error {}, while trying to connect CA {}", ioe.getMessage(), caName);
- throw cmpClientException;
+ try (CloseableHttpResponse response = httpClient.execute(postRequest)) {
+ response.getEntity().writeTo(byteArrOutputStream);
+ }
+ return byteArrOutputStream.toByteArray();
+ } catch (IOException ioe) {
+ CmpClientException cmpClientException =
+ new CmpClientException(
+ String.format("IOException error while trying to connect CA %s", caName), ioe);
+ LOG.error("IOException error {}, while trying to connect CA {}", ioe.getMessage(), caName);
+ throw cmpClientException;
+ }
}
- }
}
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CreateCertRequest.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CreateCertRequest.java
index b185c92a..687c47d1 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CreateCertRequest.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CreateCertRequest.java
@@ -27,6 +27,7 @@ import static org.onap.aaf.certservice.cmpv2client.impl.CmpUtil.generatePkiHeade
import java.security.KeyPair;
import java.util.Date;
import java.util.List;
+
import org.bouncycastle.asn1.DERUTF8String;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIHeader;
@@ -48,88 +49,88 @@ import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
*/
class CreateCertRequest {
- private X500Name issuerDn;
- private X500Name subjectDn;
- private List<String> sansList;
- private KeyPair subjectKeyPair;
- private Date notBefore;
- private Date notAfter;
- private String initAuthPassword;
- private String senderKid;
-
- private static final int ITERATIONS = createRandomInt(5000);
- private static final byte[] SALT = createRandomBytes();
- private final int certReqId = createRandomInt(Integer.MAX_VALUE);
-
- public void setIssuerDn(X500Name issuerDn) {
- this.issuerDn = issuerDn;
- }
-
- public void setSubjectDn(X500Name subjectDn) {
- this.subjectDn = subjectDn;
- }
-
- public void setSansList(List<String> sansList) {
- this.sansList = sansList;
- }
-
- public void setSubjectKeyPair(KeyPair subjectKeyPair) {
- this.subjectKeyPair = subjectKeyPair;
- }
-
- public void setNotBefore(Date notBefore) {
- this.notBefore = notBefore;
- }
-
- public void setNotAfter(Date notAfter) {
- this.notAfter = notAfter;
- }
-
- public void setInitAuthPassword(String initAuthPassword) {
- this.initAuthPassword = initAuthPassword;
- }
-
- public void setSenderKid(String senderKid) {
- this.senderKid = senderKid;
- }
-
- /**
- * Method to create {@link PKIMessage} from {@link CertRequest},{@link ProofOfPossession}, {@link
- * CertReqMsg}, {@link CertReqMessages}, {@link PKIHeader} and {@link PKIBody}.
- *
- * @return {@link PKIMessage}
- */
- public PKIMessage generateCertReq() throws CmpClientException {
- final CertTemplateBuilder certTemplateBuilder =
- new CertTemplateBuilder()
- .setIssuer(issuerDn)
- .setSubject(subjectDn)
- .setExtensions(CmpMessageHelper.generateExtension(sansList))
- .setValidity(CmpMessageHelper.generateOptionalValidity(notBefore, notAfter))
- .setPublicKey(
- SubjectPublicKeyInfo.getInstance(subjectKeyPair.getPublic().getEncoded()));
-
- final CertRequest certRequest = new CertRequest(certReqId, certTemplateBuilder.build(), null);
- final ProofOfPossession proofOfPossession =
- CmpMessageHelper.generateProofOfPossession(certRequest, subjectKeyPair);
-
- final AttributeTypeAndValue[] attrTypeVal = {
- new AttributeTypeAndValue(
- CRMFObjectIdentifiers.id_regCtrl_regToken, new DERUTF8String(initAuthPassword))
- };
-
- final CertReqMsg certReqMsg = new CertReqMsg(certRequest, proofOfPossession, attrTypeVal);
- final CertReqMessages certReqMessages = new CertReqMessages(certReqMsg);
-
- final PKIHeader pkiHeader =
- generatePkiHeader(
- subjectDn,
- issuerDn,
- CmpMessageHelper.protectionAlgoIdentifier(ITERATIONS, SALT),
- senderKid);
- final PKIBody pkiBody = new PKIBody(PKIBody.TYPE_INIT_REQ, certReqMessages);
-
- return CmpMessageHelper.protectPkiMessage(
- pkiHeader, pkiBody, initAuthPassword, ITERATIONS, SALT);
- }
+ private X500Name issuerDn;
+ private X500Name subjectDn;
+ private List<String> sansList;
+ private KeyPair subjectKeyPair;
+ private Date notBefore;
+ private Date notAfter;
+ private String initAuthPassword;
+ private String senderKid;
+
+ private static final int ITERATIONS = createRandomInt(5000);
+ private static final byte[] SALT = createRandomBytes();
+ private final int certReqId = createRandomInt(Integer.MAX_VALUE);
+
+ public void setIssuerDn(X500Name issuerDn) {
+ this.issuerDn = issuerDn;
+ }
+
+ public void setSubjectDn(X500Name subjectDn) {
+ this.subjectDn = subjectDn;
+ }
+
+ public void setSansList(List<String> sansList) {
+ this.sansList = sansList;
+ }
+
+ public void setSubjectKeyPair(KeyPair subjectKeyPair) {
+ this.subjectKeyPair = subjectKeyPair;
+ }
+
+ public void setNotBefore(Date notBefore) {
+ this.notBefore = notBefore;
+ }
+
+ public void setNotAfter(Date notAfter) {
+ this.notAfter = notAfter;
+ }
+
+ public void setInitAuthPassword(String initAuthPassword) {
+ this.initAuthPassword = initAuthPassword;
+ }
+
+ public void setSenderKid(String senderKid) {
+ this.senderKid = senderKid;
+ }
+
+ /**
+ * Method to create {@link PKIMessage} from {@link CertRequest},{@link ProofOfPossession}, {@link
+ * CertReqMsg}, {@link CertReqMessages}, {@link PKIHeader} and {@link PKIBody}.
+ *
+ * @return {@link PKIMessage}
+ */
+ public PKIMessage generateCertReq() throws CmpClientException {
+ final CertTemplateBuilder certTemplateBuilder =
+ new CertTemplateBuilder()
+ .setIssuer(issuerDn)
+ .setSubject(subjectDn)
+ .setExtensions(CmpMessageHelper.generateExtension(sansList))
+ .setValidity(CmpMessageHelper.generateOptionalValidity(notBefore, notAfter))
+ .setPublicKey(
+ SubjectPublicKeyInfo.getInstance(subjectKeyPair.getPublic().getEncoded()));
+
+ final CertRequest certRequest = new CertRequest(certReqId, certTemplateBuilder.build(), null);
+ final ProofOfPossession proofOfPossession =
+ CmpMessageHelper.generateProofOfPossession(certRequest, subjectKeyPair);
+
+ final AttributeTypeAndValue[] attrTypeVal = {
+ new AttributeTypeAndValue(
+ CRMFObjectIdentifiers.id_regCtrl_regToken, new DERUTF8String(initAuthPassword))
+ };
+
+ final CertReqMsg certReqMsg = new CertReqMsg(certRequest, proofOfPossession, attrTypeVal);
+ final CertReqMessages certReqMessages = new CertReqMessages(certReqMsg);
+
+ final PKIHeader pkiHeader =
+ generatePkiHeader(
+ subjectDn,
+ issuerDn,
+ CmpMessageHelper.protectionAlgoIdentifier(ITERATIONS, SALT),
+ senderKid);
+ final PKIBody pkiBody = new PKIBody(PKIBody.TYPE_INIT_REQ, certReqMessages);
+
+ return CmpMessageHelper.protectPkiMessage(
+ pkiHeader, pkiBody, initAuthPassword, ITERATIONS, SALT);
+ }
}