aboutsummaryrefslogtreecommitdiffstats
path: root/certService/src
diff options
context:
space:
mode:
Diffstat (limited to 'certService/src')
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java1
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java4
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java78
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java13
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java17
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java100
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java76
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java63
-rw-r--r--certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtectionTest.java154
-rw-r--r--certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PkiTestUtils.java101
-rw-r--r--certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtectionTest.java94
11 files changed, 611 insertions, 90 deletions
diff --git a/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java b/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java
index 2573c978..03d1a9d2 100644
--- a/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java
+++ b/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java
@@ -154,6 +154,7 @@ public class CsrModel {
throw new KeyDecryptionException("Converting Private Key failed", e.getCause());
}
}
+
private PublicKey convertingPemPublicKeyToJavaSecurityPublicKey(PemObject publicKey)
throws KeyDecryptionException {
try {
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java
index 38e7e3f8..68b78f23 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java
@@ -83,6 +83,8 @@ public class CmpClientImpl implements CmpClient {
validate(csrModel, server, httpClient, notBefore, notAfter);
KeyPair keyPair = new KeyPair(csrModel.getPublicKey(), csrModel.getPrivateKey());
+ final String iak = server.getAuthentication().getIak();
+ final PkiMessageProtection pkiMessageProtection = new PasswordBasedProtection(iak);
final CreateCertRequest certRequest =
CmpMessageBuilder.of(CreateCertRequest::new)
.with(CreateCertRequest::setIssuerDn, server.getIssuerDN())
@@ -91,8 +93,8 @@ public class CmpClientImpl implements CmpClient {
.with(CreateCertRequest::setSubjectKeyPair, keyPair)
.with(CreateCertRequest::setNotBefore, notBefore)
.with(CreateCertRequest::setNotAfter, notAfter)
- .with(CreateCertRequest::setInitAuthPassword, server.getAuthentication().getIak())
.with(CreateCertRequest::setSenderKid, server.getAuthentication().getRv())
+ .with(CreateCertRequest::setProtection, pkiMessageProtection)
.build();
final PKIMessage pkiMessage = certRequest.generateCertReq();
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
index 0255b82e..c4be54ce 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
@@ -1,6 +1,7 @@
/*-
* ============LICENSE_START=======================================================
* Copyright (C) 2020 Nordix Foundation.
+ * Copyright (C) 2021 Nokia.
* ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -20,34 +21,22 @@
package org.onap.oom.certservice.cmpv2client.impl;
-import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generateProtectedBytes;
-
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
-import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Date;
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.asn1.ASN1EncodableVector;
-import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERBitString;
-import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DEROutputStream;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERTaggedObject;
-import org.bouncycastle.asn1.cmp.PBMParameter;
-import org.bouncycastle.asn1.cmp.PKIBody;
-import org.bouncycastle.asn1.cmp.PKIHeader;
-import org.bouncycastle.asn1.cmp.PKIMessage;
import org.bouncycastle.asn1.crmf.CertRequest;
import org.bouncycastle.asn1.crmf.OptionalValidity;
import org.bouncycastle.asn1.crmf.POPOSigningKey;
@@ -71,12 +60,6 @@ import org.slf4j.LoggerFactory;
public final class CmpMessageHelper {
private static final Logger LOG = LoggerFactory.getLogger(CmpMessageHelper.class);
- private static final AlgorithmIdentifier OWF_ALGORITHM =
- new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
- private static final AlgorithmIdentifier MAC_ALGORITHM =
- new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2"));
- private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC =
- new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
private static final boolean CRITICAL_FALSE = false;
private CmpMessageHelper() {
@@ -172,65 +155,6 @@ public final class CmpMessageHelper {
return proofOfPossession;
}
- /**
- * Generic code to create Algorithm Identifier for protection of PKIMessage.
- *
- * @return Algorithm Identifier
- */
- public static AlgorithmIdentifier protectionAlgoIdentifier(int iterations, byte[] salt) {
- ASN1Integer iteration = new ASN1Integer(iterations);
- DEROctetString derSalt = new DEROctetString(salt);
-
- PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM);
- return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp);
- }
-
- /**
- * Adds protection to the PKIMessage via a specified protection algorithm.
- *
- * @param password password used to authenticate PkiMessage with external CA
- * @param pkiHeader Header of PKIMessage containing generic details for any PKIMessage
- * @param pkiBody Body of PKIMessage containing specific details for certificate request
- * @return Protected Pki Message
- * @throws CmpClientException Wraps several exceptions into one general-purpose exception.
- */
- public static PKIMessage protectPkiMessage(
- PKIHeader pkiHeader, PKIBody pkiBody, String password, int iterations, byte[] salt)
- throws CmpClientException {
-
- byte[] raSecret = password.getBytes();
- byte[] basekey = new byte[raSecret.length + salt.length];
- System.arraycopy(raSecret, 0, basekey, 0, raSecret.length);
- System.arraycopy(salt, 0, basekey, raSecret.length, salt.length);
- byte[] out;
- try {
- MessageDigest dig =
- MessageDigest.getInstance(
- OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
- for (int i = 0; i < iterations; i++) {
- basekey = dig.digest(basekey);
- dig.reset();
- }
- byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody);
- Mac mac =
- Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
- SecretKey key = new SecretKeySpec(basekey, MAC_ALGORITHM.getAlgorithm().getId());
- mac.init(key);
- mac.reset();
- mac.update(protectedBytes, 0, protectedBytes.length);
- out = mac.doFinal();
- } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeyException ex) {
- CmpClientException cmpClientException =
- new CmpClientException(
- "Exception occurred while generating proof of possession for PKIMessage", ex);
- LOG.error("Exception occured while generating the proof of possession for PKIMessage");
- throw cmpClientException;
- }
- DERBitString bs = new DERBitString(out);
-
- return new PKIMessage(pkiHeader, pkiBody, bs);
- }
-
private static KeyUsage getKeyUsage() {
return new KeyUsage(
KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation);
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
index 281f6f5e..8912e88c 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
@@ -1,6 +1,7 @@
/*-
* ============LICENSE_START=======================================================
* Copyright (C) 2020 Nordix Foundation.
+ * Copyright (C) 2021 Nokia.
* ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -29,6 +30,7 @@ import java.util.Objects;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
+import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DEROutputStream;
import org.bouncycastle.asn1.DERSequence;
@@ -127,12 +129,13 @@ public final class CmpUtil {
}
/**
- * Generates a PKIHeader Builder object.
+ * Generates a PKIHeader object.
*
* @param subjectDn distinguished name of Subject
* @param issuerDn distinguished name of external CA
* @param protectionAlg protection Algorithm used to protect PKIMessage
- * @return PKIHeaderBuilder
+ * @param senderKid sender identifier for receiver used for verification
+ * @return PKIHeader
*/
static PKIHeader generatePkiHeader(
X500Name subjectDn, X500Name issuerDn, AlgorithmIdentifier protectionAlg, String senderKid) {
@@ -146,8 +149,12 @@ public final class CmpUtil {
pkiHeaderBuilder.setTransactionID(new DEROctetString(createRandomBytes()));
pkiHeaderBuilder.setProtectionAlg(protectionAlg);
pkiHeaderBuilder.setGeneralInfo(new InfoTypeAndValue(CMPObjectIdentifiers.it_implicitConfirm));
- pkiHeaderBuilder.setSenderKID(new DEROctetString(senderKid.getBytes()));
+ pkiHeaderBuilder.setSenderKID(mapToAsn1OctetString(senderKid));
return pkiHeaderBuilder.build();
}
+
+ private static ASN1OctetString mapToAsn1OctetString(String string) {
+ return string != null ? new DEROctetString(string.getBytes()) : null;
+ }
}
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
index d277a204..0ed493b7 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
@@ -1,6 +1,7 @@
/*-
* ============LICENSE_START=======================================================
* Copyright (C) 2020 Nordix Foundation.
+ * Copyright (C) 2021 Nokia.
* ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -20,7 +21,6 @@
package org.onap.oom.certservice.cmpv2client.impl;
-import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomBytes;
import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomInt;
import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generatePkiHeader;
@@ -28,6 +28,7 @@ import java.security.KeyPair;
import java.util.Date;
import org.bouncycastle.asn1.ASN1Integer;
+import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.cmp.PKIBody;
import org.bouncycastle.asn1.cmp.PKIHeader;
import org.bouncycastle.asn1.cmp.PKIMessage;
@@ -49,17 +50,15 @@ import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException;
*/
class CreateCertRequest {
+ private PkiMessageProtection pkiMessageProtection;
private X500Name issuerDn;
private X500Name subjectDn;
private GeneralName[] sansArray;
private KeyPair subjectKeyPair;
private Date notBefore;
private Date notAfter;
- private String initAuthPassword;
private String senderKid;
- private static final int ITERATIONS = createRandomInt(1000);
- private static final byte[] SALT = createRandomBytes();
private final int certReqId = createRandomInt(Integer.MAX_VALUE);
private final AlgorithmIdentifier signingAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder()
.find("SHA256withRSA");
@@ -88,8 +87,8 @@ class CreateCertRequest {
this.notAfter = notAfter;
}
- public void setInitAuthPassword(String initAuthPassword) {
- this.initAuthPassword = initAuthPassword;
+ public void setProtection(PkiMessageProtection pkiMessageProtection) {
+ this.pkiMessageProtection = pkiMessageProtection;
}
public void setSenderKid(String senderKid) {
@@ -126,11 +125,11 @@ class CreateCertRequest {
generatePkiHeader(
subjectDn,
issuerDn,
- CmpMessageHelper.protectionAlgoIdentifier(ITERATIONS, SALT),
+ pkiMessageProtection.getAlgorithmIdentifier(),
senderKid);
final PKIBody pkiBody = new PKIBody(PKIBody.TYPE_INIT_REQ, certReqMessages);
- return CmpMessageHelper.protectPkiMessage(
- pkiHeader, pkiBody, initAuthPassword, ITERATIONS, SALT);
+ final DERBitString messageProtection = this.pkiMessageProtection.generatePkiMessageProtection(pkiHeader, pkiBody);
+ return new PKIMessage(pkiHeader, pkiBody, messageProtection);
}
}
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java
new file mode 100644
index 00000000..621415c0
--- /dev/null
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java
@@ -0,0 +1,100 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl;
+
+import org.bouncycastle.asn1.ASN1Integer;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.cmp.PBMParameter;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+
+import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomBytes;
+import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomInt;
+
+/**
+ * Implementation of password-based PKIMessage protection
+ */
+public class PasswordBasedProtection extends PkiMessageProtection {
+
+ private static final int ITERATIONS = createRandomInt(1000);
+ private static final byte[] SALT = createRandomBytes();
+ private static final AlgorithmIdentifier OWF_ALGORITHM =
+ new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
+ private static final AlgorithmIdentifier MAC_ALGORITHM =
+ new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2"));
+ private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC =
+ new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
+
+ private final String initAuthPassword;
+
+ PasswordBasedProtection(String initAuthPassword) {
+ this.initAuthPassword = initAuthPassword;
+ }
+
+ @Override
+ AlgorithmIdentifier getAlgorithmIdentifier() {
+ ASN1Integer iteration = new ASN1Integer(ITERATIONS);
+ DEROctetString derSalt = new DEROctetString(SALT);
+
+ PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM);
+ return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp);
+ }
+
+ @Override
+ byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException {
+ byte[] baseKey = generateBaseKey();
+ return generateMacBytes(baseKey, protectedBytes);
+ }
+
+ private byte[] generateBaseKey() throws NoSuchAlgorithmException, NoSuchProviderException {
+ byte[] raSecret = initAuthPassword.getBytes();
+ byte[] baseKey = new byte[raSecret.length + SALT.length];
+ System.arraycopy(raSecret, 0, baseKey, 0, raSecret.length);
+ System.arraycopy(SALT, 0, baseKey, raSecret.length, SALT.length);
+ MessageDigest dig =
+ MessageDigest.getInstance(
+ OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
+ for (int i = 0; i < ITERATIONS; i++) {
+ baseKey = dig.digest(baseKey);
+ dig.reset();
+ }
+ return baseKey;
+ }
+
+ private byte[] generateMacBytes(byte[] baseKey, byte[] protectedBytes) throws GeneralSecurityException {
+ Mac mac = Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
+ SecretKey key = new SecretKeySpec(baseKey, MAC_ALGORITHM.getAlgorithm().getId());
+ mac.init(key);
+ mac.reset();
+ mac.update(protectedBytes, 0, protectedBytes.length);
+ return mac.doFinal();
+ }
+
+}
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java
new file mode 100644
index 00000000..d32ed588
--- /dev/null
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java
@@ -0,0 +1,76 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl;
+
+import org.bouncycastle.asn1.DERBitString;
+import org.bouncycastle.asn1.cmp.PKIBody;
+import org.bouncycastle.asn1.cmp.PKIHeader;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.security.GeneralSecurityException;
+
+import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generateProtectedBytes;
+
+/**
+ * Representation of PKIMessage protection. Complies with RFC4210 (Certificate Management Protocol
+ * (CMP)) and RFC4211 (Certificate Request Message Format (CRMF)) standards.
+ */
+public abstract class PkiMessageProtection {
+
+ private static final Logger LOG = LoggerFactory.getLogger(PkiMessageProtection.class);
+
+ /**
+ * Takes PKIHeader and PKIBody as parameters and generates protection bytes.
+ *
+ * @return bytes representing protection wrapped into DERBitString object.
+ */
+ DERBitString generatePkiMessageProtection(PKIHeader pkiHeader, PKIBody pkiBody) throws CmpClientException {
+ try {
+ byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody);
+ byte[] protectionBytes = generateProtectionBytes(protectedBytes);
+ return new DERBitString(protectionBytes);
+ } catch (GeneralSecurityException ex) {
+ CmpClientException cmpClientException =
+ new CmpClientException(
+ "Exception occurred while generating protection for PKIMessage", ex);
+ LOG.error("Exception occurred while generating the protection for PKIMessage");
+ throw cmpClientException;
+ }
+ }
+
+ /**
+ * Takes encoded bytes of PKIMessage (PKIHeader and PKIBody) and generates protection bytes.
+ *
+ * @return bytes representing protection.
+ */
+ abstract byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException;
+
+ /**
+ * Returns Algorithm Identifier for protection of PKIMessage.
+ *
+ * @return Algorithm Identifier.
+ */
+ abstract AlgorithmIdentifier getAlgorithmIdentifier();
+
+}
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java
new file mode 100644
index 00000000..ad778430
--- /dev/null
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java
@@ -0,0 +1,63 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl;
+
+
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
+
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.Signature;
+
+/**
+ * Implementation of signature PKIMessage protection
+ */
+public class SignatureProtection extends PkiMessageProtection {
+
+ private static final AlgorithmIdentifier SHA256_RSA_ALGORITHM = new DefaultSignatureAlgorithmIdentifierFinder()
+ .find("SHA256withRSA");
+
+ private final PrivateKey oldPrivateKey;
+
+ SignatureProtection(PrivateKey privateKey) {
+ this.oldPrivateKey = privateKey;
+ }
+
+ @Override
+ AlgorithmIdentifier getAlgorithmIdentifier() {
+ return SHA256_RSA_ALGORITHM;
+ }
+
+ @Override
+ byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException {
+ Signature signature =
+ Signature.getInstance(
+ PKCSObjectIdentifiers.sha256WithRSAEncryption.getId(),
+ BouncyCastleProvider.PROVIDER_NAME);
+ signature.initSign(oldPrivateKey);
+ signature.update(protectedBytes, 0, protectedBytes.length);
+ return signature.sign();
+ }
+
+}
diff --git a/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtectionTest.java b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtectionTest.java
new file mode 100644
index 00000000..b280a2e6
--- /dev/null
+++ b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtectionTest.java
@@ -0,0 +1,154 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl;
+
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.DERBitString;
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.cmp.PBMParameter;
+import org.bouncycastle.asn1.cmp.PKIBody;
+import org.bouncycastle.asn1.cmp.PKIHeader;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.cert.cmp.CMPException;
+import org.bouncycastle.cert.cmp.ProtectedPKIMessage;
+import org.bouncycastle.cert.crmf.PKMACBuilder;
+import org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException;
+
+import java.security.Security;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getProtectedPkiMessage;
+import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getTestPkiHeader;
+
+class PasswordBasedProtectionTest {
+
+ private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC = new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
+ private static final AlgorithmIdentifier SHA_1_ALGORITHM = new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
+ private static final AlgorithmIdentifier H_MAC_SHA_1_ALGORITHM = new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2"));
+ private static final int MIN_ITERATION_COUNT = 1000;
+ private static final int MAX_ITERATION_COUNT = 2000;
+ private static final int SALT_LENGTH = 16;
+
+ @BeforeAll
+ static void setUp() {
+ Security.addProvider(new BouncyCastleProvider());
+ }
+
+ @AfterAll
+ static void clean() {
+ Security.removeProvider("BC");
+ }
+
+ @Test
+ void shouldReturnPasswordBasedMacAlgorithmWhenGetAlgorithmMethodCalled() {
+ //Given
+ PasswordBasedProtection protection = new PasswordBasedProtection(null);
+ //When
+ AlgorithmIdentifier algorithmIdentifier = protection.getAlgorithmIdentifier();
+ //Then
+ assertEquals(PASSWORD_BASED_MAC, algorithmIdentifier.getAlgorithm());
+ }
+
+ @Test
+ void shouldSetPasswordBasedParametersWhenGetAlgorithmMethodCalled() {
+ //Given
+ PasswordBasedProtection protection = new PasswordBasedProtection(null);
+ //When
+ AlgorithmIdentifier algorithmIdentifier = protection.getAlgorithmIdentifier();
+ //Then
+ assertTrue(algorithmIdentifier.getParameters() instanceof PBMParameter);
+ }
+
+ @Test
+ void shouldSetSha1ForOwfWhenGetAlgorithmMethodCalled() {
+ //Given
+ PasswordBasedProtection protection = new PasswordBasedProtection(null);
+ //When
+ AlgorithmIdentifier algorithmIdentifier = protection.getAlgorithmIdentifier();
+ //Then
+ PBMParameter pbmParameters = (PBMParameter) algorithmIdentifier.getParameters();
+ assertEquals(SHA_1_ALGORITHM, pbmParameters.getOwf());
+ }
+
+ @Test
+ void shouldSetHMacSha1ForMacWhenGetAlgorithmMethodCalled() {
+ //Given
+ PasswordBasedProtection protection = new PasswordBasedProtection(null);
+ //When
+ AlgorithmIdentifier algorithmIdentifier = protection.getAlgorithmIdentifier();
+ //Then
+ PBMParameter pbmParameters = (PBMParameter) algorithmIdentifier.getParameters();
+ assertEquals(H_MAC_SHA_1_ALGORITHM, pbmParameters.getMac());
+ }
+
+ @Test
+ void shouldSetSaltWhenGetAlgorithmMethodCalled() {
+ //Given
+ PasswordBasedProtection protection = new PasswordBasedProtection(null);
+ //When
+ AlgorithmIdentifier algorithmIdentifier = protection.getAlgorithmIdentifier();
+ //Then
+ PBMParameter pbmParameters = (PBMParameter) algorithmIdentifier.getParameters();
+ assertTrue(pbmParameters.getSalt() instanceof DEROctetString);
+ DEROctetString salt = (DEROctetString) pbmParameters.getSalt();
+ assertEquals(SALT_LENGTH, salt.getOctets().length);
+ }
+
+ @Test
+ void shouldSetIterationCountWhenGetAlgorithmMethodCalled() {
+ //Given
+ PasswordBasedProtection protection = new PasswordBasedProtection(null);
+ //When
+ AlgorithmIdentifier algorithmIdentifier = protection.getAlgorithmIdentifier();
+ //Then
+ PBMParameter pbmParameters = (PBMParameter) algorithmIdentifier.getParameters();
+ assertNotNull(pbmParameters.getIterationCount());
+ long iterationCount = pbmParameters.getIterationCount().getValue().longValue();
+ assertTrue(MIN_ITERATION_COUNT <= iterationCount && iterationCount < MAX_ITERATION_COUNT,
+ "Iteration count not in range");
+ }
+
+ @ParameterizedTest
+ @ValueSource(strings = {"test", "123"})
+ void shouldReturnProtectionByPasswordWhenGenerateProtectionMethodCalled(String initAuthPassword)
+ throws CmpClientException, CMPException {
+ //Given
+ PasswordBasedProtection protection = new PasswordBasedProtection(initAuthPassword);
+ PKIHeader pkiHeader = getTestPkiHeader(protection.getAlgorithmIdentifier());
+ PKIBody pkiBody = PkiTestUtils.getTestPkiBody(SHA_1_ALGORITHM);
+ //When
+ DERBitString messageProtection = protection.generatePkiMessageProtection(pkiHeader, pkiBody);
+ //Then
+ ProtectedPKIMessage protectedPkiMessage = getProtectedPkiMessage(pkiHeader, pkiBody, messageProtection);
+ PKMACBuilder pkMacBuilder = new PKMACBuilder(new JcePKMACValuesCalculator());
+ assertTrue(protectedPkiMessage.verify(pkMacBuilder, initAuthPassword.toCharArray()));
+ }
+
+}
diff --git a/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PkiTestUtils.java b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PkiTestUtils.java
new file mode 100644
index 00000000..7f7df455
--- /dev/null
+++ b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PkiTestUtils.java
@@ -0,0 +1,101 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl;
+
+import org.bouncycastle.asn1.DERBitString;
+import org.bouncycastle.asn1.DERGeneralizedTime;
+import org.bouncycastle.asn1.cmp.PKIBody;
+import org.bouncycastle.asn1.cmp.PKIHeader;
+import org.bouncycastle.asn1.cmp.PKIHeaderBuilder;
+import org.bouncycastle.asn1.cmp.PKIMessage;
+import org.bouncycastle.asn1.crmf.CertReqMessages;
+import org.bouncycastle.asn1.crmf.CertReqMsg;
+import org.bouncycastle.asn1.crmf.CertRequest;
+import org.bouncycastle.asn1.crmf.CertTemplateBuilder;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.cert.cmp.GeneralPKIMessage;
+import org.bouncycastle.cert.cmp.ProtectedPKIMessage;
+import org.bouncycastle.operator.ContentVerifierProvider;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
+
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.util.Date;
+
+final class PkiTestUtils {
+
+ private static final String CN_TEST_SUBJECT = "CN=test1Subject";
+ private static final String CN_TEST_ISSUER = "CN=test2Issuer";
+ private static final int TEST_CERT_REQUEST_ID = 1432;
+ private static final int PVNO = 0;
+ private static final String BC_PROVIDER = "BC";
+ private static final String RSA = "RSA";
+
+ private PkiTestUtils() {
+ }
+
+ static PKIBody getTestPkiBody(AlgorithmIdentifier signingAlgorithm) {
+ CertTemplateBuilder certTemplateBuilder =
+ new CertTemplateBuilder()
+ .setIssuer(new X500Name(CN_TEST_ISSUER))
+ .setSubject(new X500Name(CN_TEST_SUBJECT))
+ .setSigningAlg(signingAlgorithm);
+
+ CertRequest certRequest = new CertRequest(TEST_CERT_REQUEST_ID, certTemplateBuilder.build(), null);
+ CertReqMsg certReqMsg = new CertReqMsg(certRequest, null, null);
+
+ CertReqMessages certReqMessages = new CertReqMessages(certReqMsg);
+ return new PKIBody(0, certReqMessages);
+ }
+
+ static PKIHeader getTestPkiHeader(AlgorithmIdentifier protectionAlgorithm) {
+ PKIHeaderBuilder pkiHeader = new PKIHeaderBuilder(
+ PVNO,
+ new GeneralName(new X500Name(CN_TEST_SUBJECT)),
+ new GeneralName(new X500Name(CN_TEST_ISSUER)));
+ pkiHeader.setProtectionAlg(protectionAlgorithm);
+ pkiHeader.setMessageTime(new DERGeneralizedTime(new Date()));
+ return pkiHeader.build();
+ }
+
+ static ProtectedPKIMessage getProtectedPkiMessage(PKIHeader pkiHeader, PKIBody pkiBody, DERBitString messageProtection) {
+ PKIMessage pkiMessage = new PKIMessage(pkiHeader, pkiBody, messageProtection);
+ GeneralPKIMessage generalPkiMessage = new GeneralPKIMessage(pkiMessage);
+ return new ProtectedPKIMessage(generalPkiMessage);
+ }
+
+ static KeyPair getKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException {
+ KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA, BC_PROVIDER);
+ return keyPairGenerator.generateKeyPair();
+ }
+
+ static ContentVerifierProvider getContentVerifierProvider(PublicKey publicKey) throws OperatorCreationException {
+ return new JcaContentVerifierProviderBuilder()
+ .setProvider(BC_PROVIDER)
+ .build(publicKey);
+ }
+}
diff --git a/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtectionTest.java b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtectionTest.java
new file mode 100644
index 00000000..ba382c42
--- /dev/null
+++ b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtectionTest.java
@@ -0,0 +1,94 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nokia.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl;
+
+import org.bouncycastle.asn1.DERBitString;
+import org.bouncycastle.asn1.cmp.PKIBody;
+import org.bouncycastle.asn1.cmp.PKIHeader;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.cert.cmp.CMPException;
+import org.bouncycastle.cert.cmp.ProtectedPKIMessage;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.ContentVerifierProvider;
+import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.junit.jupiter.api.AfterAll;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException;
+
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.Security;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getProtectedPkiMessage;
+import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getTestPkiBody;
+import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getTestPkiHeader;
+
+class SignatureProtectionTest {
+
+ private static final String SHA256_RSA_OID = "1.2.840.113549.1.1.11";
+ private static final AlgorithmIdentifier SHA256_RSA_ALGORITHM = new DefaultSignatureAlgorithmIdentifierFinder()
+ .find("SHA256withRSA");
+ private static final String BC_PROVIDER = "BC";
+
+ @BeforeAll
+ static void setUp() {
+ Security.addProvider(new BouncyCastleProvider());
+ }
+
+ @AfterAll
+ static void clean() {
+ Security.removeProvider(BC_PROVIDER);
+ }
+
+ @Test
+ void shouldReturnExpectedAlgorithmWhenGetAlgorithmMethodCalled() {
+ //Given
+ SignatureProtection signatureProtection = new SignatureProtection(null);
+ //When
+ AlgorithmIdentifier algorithmIdentifier = signatureProtection.getAlgorithmIdentifier();
+ //Then
+ assertNotNull(algorithmIdentifier);
+ assertNotNull(algorithmIdentifier.getAlgorithm());
+ assertEquals(SHA256_RSA_OID, algorithmIdentifier.getAlgorithm().toString());
+ }
+
+ @Test
+ void shouldReturnProtectionByPkWhenGenerateProtectionMethodCalled()
+ throws GeneralSecurityException, CmpClientException, OperatorCreationException, CMPException {
+ //Given
+ KeyPair keyPair = PkiTestUtils.getKeyPair();
+ SignatureProtection signatureProtection = new SignatureProtection(keyPair.getPrivate());
+ PKIHeader pkiHeader = getTestPkiHeader(SHA256_RSA_ALGORITHM);
+ PKIBody pkiBody = getTestPkiBody(SHA256_RSA_ALGORITHM);
+ //When
+ DERBitString protection = signatureProtection.generatePkiMessageProtection(pkiHeader, pkiBody);
+ //Then
+ ProtectedPKIMessage protectedPkiMessage = getProtectedPkiMessage(pkiHeader, pkiBody, protection);
+ ContentVerifierProvider verifierProvider = PkiTestUtils.getContentVerifierProvider(keyPair.getPublic());
+ assertTrue(protectedPkiMessage.verify(verifierProvider));
+ }
+
+}