aboutsummaryrefslogtreecommitdiffstats
path: root/certService/src/main
diff options
context:
space:
mode:
Diffstat (limited to 'certService/src/main')
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java1
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java4
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java78
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java13
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java17
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java100
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java76
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java63
8 files changed, 262 insertions, 90 deletions
diff --git a/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java b/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java
index 2573c978..03d1a9d2 100644
--- a/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java
+++ b/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java
@@ -154,6 +154,7 @@ public class CsrModel {
throw new KeyDecryptionException("Converting Private Key failed", e.getCause());
}
}
+
private PublicKey convertingPemPublicKeyToJavaSecurityPublicKey(PemObject publicKey)
throws KeyDecryptionException {
try {
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java
index 38e7e3f8..68b78f23 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java
@@ -83,6 +83,8 @@ public class CmpClientImpl implements CmpClient {
validate(csrModel, server, httpClient, notBefore, notAfter);
KeyPair keyPair = new KeyPair(csrModel.getPublicKey(), csrModel.getPrivateKey());
+ final String iak = server.getAuthentication().getIak();
+ final PkiMessageProtection pkiMessageProtection = new PasswordBasedProtection(iak);
final CreateCertRequest certRequest =
CmpMessageBuilder.of(CreateCertRequest::new)
.with(CreateCertRequest::setIssuerDn, server.getIssuerDN())
@@ -91,8 +93,8 @@ public class CmpClientImpl implements CmpClient {
.with(CreateCertRequest::setSubjectKeyPair, keyPair)
.with(CreateCertRequest::setNotBefore, notBefore)
.with(CreateCertRequest::setNotAfter, notAfter)
- .with(CreateCertRequest::setInitAuthPassword, server.getAuthentication().getIak())
.with(CreateCertRequest::setSenderKid, server.getAuthentication().getRv())
+ .with(CreateCertRequest::setProtection, pkiMessageProtection)
.build();
final PKIMessage pkiMessage = certRequest.generateCertReq();
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
index 0255b82e..c4be54ce 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
@@ -1,6 +1,7 @@
/*-
* ============LICENSE_START=======================================================
* Copyright (C) 2020 Nordix Foundation.
+ * Copyright (C) 2021 Nokia.
* ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -20,34 +21,22 @@
package org.onap.oom.certservice.cmpv2client.impl;
-import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generateProtectedBytes;
-
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
-import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Date;
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.asn1.ASN1EncodableVector;
-import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERBitString;
-import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DEROutputStream;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERTaggedObject;
-import org.bouncycastle.asn1.cmp.PBMParameter;
-import org.bouncycastle.asn1.cmp.PKIBody;
-import org.bouncycastle.asn1.cmp.PKIHeader;
-import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.crmf.CertRequest;
import org.bouncycastle.asn1.crmf.OptionalValidity;
import org.bouncycastle.asn1.crmf.POPOSigningKey;
@@ -71,12 +60,6 @@ import org.slf4j.LoggerFactory;
public final class CmpMessageHelper {
private static final Logger LOG = LoggerFactory.getLogger(CmpMessageHelper.class);
- private static final AlgorithmIdentifier OWF_ALGORITHM =
- new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
- private static final AlgorithmIdentifier MAC_ALGORITHM =
- new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2"));
- private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC =
- new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
private static final boolean CRITICAL_FALSE = false;
private CmpMessageHelper() {
@@ -172,65 +155,6 @@ public final class CmpMessageHelper {
return proofOfPossession;
}
- /**
- * Generic code to create Algorithm Identifier for protection of PKIMessage.
- *
- * @return Algorithm Identifier
- */
- public static AlgorithmIdentifier protectionAlgoIdentifier(int iterations, byte[] salt) {
- ASN1Integer iteration = new ASN1Integer(iterations);
- DEROctetString derSalt = new DEROctetString(salt);
-
- PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM);
- return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp);
- }
-
- /**
- * Adds protection to the PKIMessage via a specified protection algorithm.
- *
- * @param password password used to authenticate PkiMessage with external CA
- * @param pkiHeader Header of PKIMessage containing generic details for any PKIMessage
- * @param pkiBody Body of PKIMessage containing specific details for certificate request
- * @return Protected Pki Message
- * @throws CmpClientException Wraps several exceptions into one general-purpose exception.
- */
- public static PKIMessage protectPkiMessage(
- PKIHeader pkiHeader, PKIBody pkiBody, String password, int iterations, byte[] salt)
- throws CmpClientException {
-
- byte[] raSecret = password.getBytes();
- byte[] basekey = new byte[raSecret.length + salt.length];
- System.arraycopy(raSecret, 0, basekey, 0, raSecret.length);
- System.arraycopy(salt, 0, basekey, raSecret.length, salt.length);
- byte[] out;
- try {
- MessageDigest dig =
- MessageDigest.getInstance(
- OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
- for (int i = 0; i < iterations; i++) {
- basekey = dig.digest(basekey);
- dig.reset();
- }
- byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody);
- Mac mac =
- Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
- SecretKey key = new SecretKeySpec(basekey, MAC_ALGORITHM.getAlgorithm().getId());
- mac.init(key);
- mac.reset();
- mac.update(protectedBytes, 0, protectedBytes.length);
- out = mac.doFinal();
- } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeyException ex) {
- CmpClientException cmpClientException =
- new CmpClientException(
- "Exception occurred while generating proof of possession for PKIMessage", ex);
- LOG.error("Exception occured while generating the proof of possession for PKIMessage");
- throw cmpClientException;
- }
- DERBitString bs = new DERBitString(out);
-
- return new PKIMessage(pkiHeader, pkiBody, bs);
- }
-
private static KeyUsage getKeyUsage() {
return new KeyUsage(
KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation);
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
index 281f6f5e..8912e88c 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
@@ -1,6 +1,7 @@
/*-
* ============LICENSE_START=======================================================
* Copyright (C) 2020 Nordix Foundation.
+ * Copyright (C) 2021 Nokia.
* ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -29,6 +30,7 @@ import java.util.Objects;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
+import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DEROutputStream;
import org.bouncycastle.asn1.DERSequence;
@@ -127,12 +129,13 @@ public final class CmpUtil {
}
/**
- * Generates a PKIHeader Builder object.
+ * Generates a PKIHeader object.
*
* @param subjectDn distinguished name of Subject
* @param issuerDn distinguished name of external CA
* @param protectionAlg protection Algorithm used to protect PKIMessage
- * @return PKIHeaderBuilder
+ * @param senderKid sender identifier for receiver used for verification
+ * @return PKIHeader
*/
static PKIHeader generatePkiHeader(
X500Name subjectDn, X500Name issuerDn, AlgorithmIdentifier protectionAlg, String senderKid) {
@@ -146,8 +149,12 @@ public final class CmpUtil {
pkiHeaderBuilder.setTransactionID(new DEROctetString(createRandomBytes()));
pkiHeaderBuilder.setProtectionAlg(protectionAlg);
pkiHeaderBuilder.setGeneralInfo(new InfoTypeAndValue(CMPObjectIdentifiers.it_implicitConfirm));
- pkiHeaderBuilder.setSenderKID(new DEROctetString(senderKid.getBytes()));
+ pkiHeaderBuilder.setSenderKID(mapToAsn1OctetString(senderKid));
return pkiHeaderBuilder.build();
}
+
+ private static ASN1OctetString mapToAsn1OctetString(String string) {
+ return string != null ? new DEROctetString(string.getBytes()) : null;
+ }
}
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
index d277a204..0ed493b7 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
@@ -1,6 +1,7 @@
/*-
* ============LICENSE_START=======================================================
* Copyright (C) 2020 Nordix Foundation.
+ * Copyright (C) 2021 Nokia.
* ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -20,7 +21,6 @@
package org.onap.oom.certservice.cmpv2client.impl;
-import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomBytes;
import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomInt;
import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generatePkiHeader;
@@ -28,6 +28,7 @@ import java.security.KeyPair;
import java.util.Date;
import org.bouncycastle.asn1.ASN1Integer;
+import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIHeader;
import org.bouncycastle.asn1.cmp.PKIMessage;
@@ -49,17 +50,15 @@ import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException;
*/
class CreateCertRequest {
+ private PkiMessageProtection pkiMessageProtection;
private X500Name issuerDn;
private X500Name subjectDn;
private GeneralName[] sansArray;
private KeyPair subjectKeyPair;
private Date notBefore;
private Date notAfter;
- private String initAuthPassword;
private String senderKid;
- private static final int ITERATIONS = createRandomInt(1000);
- private static final byte[] SALT = createRandomBytes();
private final int certReqId = createRandomInt(Integer.MAX_VALUE);
private final AlgorithmIdentifier signingAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder()
.find("SHA256withRSA");
@@ -88,8 +87,8 @@ class CreateCertRequest {
this.notAfter = notAfter;
}
- public void setInitAuthPassword(String initAuthPassword) {
- this.initAuthPassword = initAuthPassword;
+ public void setProtection(PkiMessageProtection pkiMessageProtection) {
+ this.pkiMessageProtection = pkiMessageProtection;
}
public void setSenderKid(String senderKid) {
@@ -126,11 +125,11 @@ class CreateCertRequest {
generatePkiHeader(
subjectDn,
issuerDn,
- CmpMessageHelper.protectionAlgoIdentifier(ITERATIONS, SALT),
+ pkiMessageProtection.getAlgorithmIdentifier(),
senderKid);
final PKIBody pkiBody = new PKIBody(PKIBody.TYPE_INIT_REQ, certReqMessages);
- return CmpMessageHelper.protectPkiMessage(
- pkiHeader, pkiBody, initAuthPassword, ITERATIONS, SALT);
+ final DERBitString messageProtection = this.pkiMessageProtection.generatePkiMessageProtection(pkiHeader, pkiBody);
+ return new PKIMessage(pkiHeader, pkiBody, messageProtection);
}
}
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java
new file mode 100644
index 00000000..621415c0
--- /dev/null
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java
@@ -0,0 +1,100 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl;
+
+import org.bouncycastle.asn1.ASN1Integer;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.cmp.PBMParameter;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+
+import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomBytes;
+import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomInt;
+
+/**
+ * Implementation of password-based PKIMessage protection
+ */
+public class PasswordBasedProtection extends PkiMessageProtection {
+
+ private static final int ITERATIONS = createRandomInt(1000);
+ private static final byte[] SALT = createRandomBytes();
+ private static final AlgorithmIdentifier OWF_ALGORITHM =
+ new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
+ private static final AlgorithmIdentifier MAC_ALGORITHM =
+ new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2"));
+ private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC =
+ new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
+
+ private final String initAuthPassword;
+
+ PasswordBasedProtection(String initAuthPassword) {
+ this.initAuthPassword = initAuthPassword;
+ }
+
+ @Override
+ AlgorithmIdentifier getAlgorithmIdentifier() {
+ ASN1Integer iteration = new ASN1Integer(ITERATIONS);
+ DEROctetString derSalt = new DEROctetString(SALT);
+
+ PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM);
+ return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp);
+ }
+
+ @Override
+ byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException {
+ byte[] baseKey = generateBaseKey();
+ return generateMacBytes(baseKey, protectedBytes);
+ }
+
+ private byte[] generateBaseKey() throws NoSuchAlgorithmException, NoSuchProviderException {
+ byte[] raSecret = initAuthPassword.getBytes();
+ byte[] baseKey = new byte[raSecret.length + SALT.length];
+ System.arraycopy(raSecret, 0, baseKey, 0, raSecret.length);
+ System.arraycopy(SALT, 0, baseKey, raSecret.length, SALT.length);
+ MessageDigest dig =
+ MessageDigest.getInstance(
+ OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
+ for (int i = 0; i < ITERATIONS; i++) {
+ baseKey = dig.digest(baseKey);
+ dig.reset();
+ }
+ return baseKey;
+ }
+
+ private byte[] generateMacBytes(byte[] baseKey, byte[] protectedBytes) throws GeneralSecurityException {
+ Mac mac = Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
+ SecretKey key = new SecretKeySpec(baseKey, MAC_ALGORITHM.getAlgorithm().getId());
+ mac.init(key);
+ mac.reset();
+ mac.update(protectedBytes, 0, protectedBytes.length);
+ return mac.doFinal();
+ }
+
+}
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java
new file mode 100644
index 00000000..d32ed588
--- /dev/null
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java
@@ -0,0 +1,76 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl;
+
+import org.bouncycastle.asn1.DERBitString;
+import org.bouncycastle.asn1.cmp.PKIBody;
+import org.bouncycastle.asn1.cmp.PKIHeader;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.security.GeneralSecurityException;
+
+import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generateProtectedBytes;
+
+/**
+ * Representation of PKIMessage protection. Complies with RFC4210 (Certificate Management Protocol
+ * (CMP)) and RFC4211 (Certificate Request Message Format (CRMF)) standards.
+ */
+public abstract class PkiMessageProtection {
+
+ private static final Logger LOG = LoggerFactory.getLogger(PkiMessageProtection.class);
+
+ /**
+ * Takes PKIHeader and PKIBody as parameters and generates protection bytes.
+ *
+ * @return bytes representing protection wrapped into DERBitString object.
+ */
+ DERBitString generatePkiMessageProtection(PKIHeader pkiHeader, PKIBody pkiBody) throws CmpClientException {
+ try {
+ byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody);
+ byte[] protectionBytes = generateProtectionBytes(protectedBytes);
+ return new DERBitString(protectionBytes);
+ } catch (GeneralSecurityException ex) {
+ CmpClientException cmpClientException =
+ new CmpClientException(
+ "Exception occurred while generating protection for PKIMessage", ex);
+ LOG.error("Exception occurred while generating the protection for PKIMessage");
+ throw cmpClientException;
+ }
+ }
+
+ /**
+ * Takes encoded bytes of PKIMessage (PKIHeader and PKIBody) and generates protection bytes.
+ *
+ * @return bytes representing protection.
+ */
+ abstract byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException;
+
+ /**
+ * Returns Algorithm Identifier for protection of PKIMessage.
+ *
+ * @return Algorithm Identifier.
+ */
+ abstract AlgorithmIdentifier getAlgorithmIdentifier();
+
+}
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java
new file mode 100644
index 00000000..ad778430
--- /dev/null
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java
@@ -0,0 +1,63 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl;
+
+
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
+
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.Signature;
+
+/**
+ * Implementation of signature PKIMessage protection
+ */
+public class SignatureProtection extends PkiMessageProtection {
+
+ private static final AlgorithmIdentifier SHA256_RSA_ALGORITHM = new DefaultSignatureAlgorithmIdentifierFinder()
+ .find("SHA256withRSA");
+
+ private final PrivateKey oldPrivateKey;
+
+ SignatureProtection(PrivateKey privateKey) {
+ this.oldPrivateKey = privateKey;
+ }
+
+ @Override
+ AlgorithmIdentifier getAlgorithmIdentifier() {
+ return SHA256_RSA_ALGORITHM;
+ }
+
+ @Override
+ byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException {
+ Signature signature =
+ Signature.getInstance(
+ PKCSObjectIdentifiers.sha256WithRSAEncryption.getId(),
+ BouncyCastleProvider.PROVIDER_NAME);
+ signature.initSign(oldPrivateKey);
+ signature.update(protectedBytes, 0, protectedBytes.length);
+ return signature.sign();
+ }
+
+}