From ee8b5cb717a4b7e37ef84e3e585be832d7d1794b Mon Sep 17 00:00:00 2001 From: Piotr Marcinkiewicz Date: Thu, 17 Dec 2020 16:03:07 +0100 Subject: [OOM-CERT-SERVICE] Align implementation with RFC4210 - change MAC algorithm - limit iterations to random value from 1000-2000 range - correct caName validation to allow URL safe characters Issue-ID: OOM-2656 Signed-off-by: Piotr Marcinkiewicz Change-Id: I2c320607e7a02996cd249f45ac224e3f3a8aa3c9 --- certService/pom.xml | 4 ++-- .../oom/certservice/cmpv2client/impl/CmpMessageHelper.java | 2 +- .../certservice/cmpv2client/impl/CreateCertRequest.java | 10 +++++++++- certService/version.properties | 2 +- certServiceClient/pom.xml | 4 ++-- .../configuration/factory/ClientConfigurationFactory.java | 2 +- .../validation/client/ClientEnvsValueValidators.java | 6 +++--- .../validation/client/ClientEnvsValueValidatorsTest.java | 14 +++++++------- certServiceClient/version.properties | 2 +- certServiceK8sExternalProvider/pom.xml | 2 +- certServicePostProcessor/pom.xml | 4 ++-- pom.xml | 2 +- version.properties | 2 +- 13 files changed, 32 insertions(+), 24 deletions(-) diff --git a/certService/pom.xml b/certService/pom.xml index e6a8672e..fa5ca41f 100644 --- a/certService/pom.xml +++ b/certService/pom.xml @@ -18,10 +18,10 @@ org.onap.oom.platform.cert-service oom-certservice - 2.3.1-SNAPSHOT + 2.3.2-SNAPSHOT oom-certservice-api - 2.3.1-SNAPSHOT + 2.3.2-SNAPSHOT oom-certservice-api OOM Certification Service Api jar diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java index 5c61aa9f..2a77873e 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java 
@@ -72,7 +72,7 @@ public final class CmpMessageHelper {
 private static final AlgorithmIdentifier OWF_ALGORITHM =
 new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
 private static final AlgorithmIdentifier MAC_ALGORITHM =
- new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.2.9"));
+ new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2"));
 private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC =
 new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
index 8d82b85b..d277a204 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java
@@ -27,6 +27,7 @@ import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generatePkiHeade
 import java.security.KeyPair;
 import java.util.Date;
+import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.cmp.PKIBody;
 import org.bouncycastle.asn1.cmp.PKIHeader;
 import org.bouncycastle.asn1.cmp.PKIMessage;
@@ -36,8 +37,10 @@ import org.bouncycastle.asn1.crmf.CertRequest;
 import org.bouncycastle.asn1.crmf.CertTemplateBuilder;
 import org.bouncycastle.asn1.crmf.ProofOfPossession;
 import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
 import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException;
 /**
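Review bot: The new `MAC_ALGORITHM` OID `1.3.6.1.5.5.8.1.2` is HMAC-SHA1, replacing HMAC-SHA256 (`1.2.840.113549.2.9`), and nothing in the code records that this is deliberate — paired with the SHA-1 `OWF_ALGORITHM` two lines above it is the PasswordBasedMac algorithm combination RFC 4210 Appendix D.2 names for interoperability, but a reader who sees only the bare OID will take it for an unexplained downgrade. Annotate both constants, e.g. `// id-sha1: OWF for PasswordBasedMac (RFC 4210 App. D.2)` on `OWF_ALGORITHM` and `// hmac-sha1: MAC for PasswordBasedMac as profiled in RFC 4210 App. D.2 (was HMAC-SHA256)` on `MAC_ALGORITHM`. HMAC-SHA1 is still considered sound as a MAC, so the strength of this protection rests on the shared secret and the iteration count rather than on the hash choice.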
@@ -55,9 +58,11 @@ class CreateCertRequest { private String initAuthPassword; private String senderKid; - private static final int ITERATIONS = createRandomInt(5000); + private static final int ITERATIONS = createRandomInt(1000); private static final byte[] SALT = createRandomBytes(); private final int certReqId = createRandomInt(Integer.MAX_VALUE); + private final AlgorithmIdentifier signingAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder() + .find("SHA256withRSA"); public void setIssuerDn(X500Name issuerDn) { this.issuerDn = issuerDn; @@ -104,6 +109,9 @@ class CreateCertRequest { .setSubject(subjectDn) .setExtensions(CmpMessageHelper.generateExtension(sansArray)) .setValidity(CmpMessageHelper.generateOptionalValidity(notBefore, notAfter)) + .setVersion(2) + .setSerialNumber(new ASN1Integer(0L)) + .setSigningAlg(signingAlgorithm) .setPublicKey( SubjectPublicKeyInfo.getInstance(subjectKeyPair.getPublic().getEncoded())); diff --git a/certService/version.properties b/certService/version.properties index f1c5779d..29a89d0c 100644 --- a/certService/version.properties +++ b/certService/version.properties @@ -1,6 +1,6 @@ major=2 minor=3 -patch=1 +patch=2 base_version=${major}.${minor}.${patch} release_version=${base_version} snapshot_version=${base_version}-SNAPSHOT diff --git a/certServiceClient/pom.xml b/certServiceClient/pom.xml index b1b2af92..799d9aac 100644 --- a/certServiceClient/pom.xml +++ b/certServiceClient/pom.xml @@ -18,12 +18,12 @@ oom-certservice org.onap.oom.platform.cert-service - 2.3.1-SNAPSHOT + 2.3.2-SNAPSHOT 4.0.0 oom-certservice-client - 2.3.1-SNAPSHOT + 2.3.2-SNAPSHOT oom-certservice-client OOM Certification Service Api Client jar diff --git a/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/factory/ClientConfigurationFactory.java b/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/factory/ClientConfigurationFactory.java index f1541b04..2bd57f77 100644 
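Review bot: The new `ITERATIONS` value does not obviously deliver the 1000–2000 range the commit message promises: the line only lowers the bound passed to `createRandomInt` from 5000 to 1000, and if that helper (defined in CmpUtil, outside this diff) follows the `Random.nextInt(bound)` convention the result is 0–999, where 0 is not a usable PasswordBasedMac iterationCount and anything under 100 violates RFC 4211 §4.4 (minimum 100, with 1000 recommended). If so the line should read `private static final int ITERATIONS = 1000 + createRandomInt(1000);`, and either way the intent deserves a comment such as `// RFC 4211 §4.4: iterationCount >= 100, 1000+ recommended; randomised once per JVM into [1000, 2000)`. Also visible in the context lines, `ITERATIONS` and `SALT` are `static final`, so every request sent from one JVM reuses the same PBM parameters; a per-request salt would remove that reuse at no cost. The class continues outside the hunk.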
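Review bot: The `.setSerialNumber(new ASN1Integer(0L))` and `.setSigningAlg(signingAlgorithm)` calls added to the CertTemplateBuilder chain go against RFC 4211 §5, which says serialNumber and signingAlg MUST be omitted from a request template because the CA assigns them (and that version SHOULD be omitted), so a commit aimed at RFC alignment should state why they are sent — presumably the target CA rejects templates without them. Record that at the call site, e.g. `// Interop: the CA expects version/serialNumber/signingAlg in the template although RFC 4211 §5 says the last two MUST be omitted (CA-assigned)`. Separately, `signingAlgorithm` is fixed to `SHA256withRSA` while `subjectKeyPair` is a generic `KeyPair`; if callers can supply non-RSA keys the template will advertise an algorithm the key cannot satisfy, so derive it from `subjectKeyPair.getPublic().getAlgorithm()` or document the RSA-only assumption next to the field. The enclosing method starts before the hunk.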
--- a/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/factory/ClientConfigurationFactory.java
+++ b/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/factory/ClientConfigurationFactory.java
@@ -59,7 +59,7 @@ public class ClientConfigurationFactory implements ConfigurationFactory
 new ClientConfigurationException(ClientConfigurationEnvs.OUTPUT_PATH + " is invalid."));
 envsForClient.getCaName()
- .filter(ClientEnvsValueValidators::isAlphaNumeric)
+ .filter(ClientEnvsValueValidators::isCaNameValid)
 .map(configuration::setCaName)
 .orElseThrow(() -> new ClientConfigurationException(ClientConfigurationEnvs.CA_NAME + " is invalid."));
diff --git a/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/validation/client/ClientEnvsValueValidators.java b/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/validation/client/ClientEnvsValueValidators.java
index 503b7e46..86d1e0f0 100644
--- a/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/validation/client/ClientEnvsValueValidators.java
+++ b/certServiceClient/src/main/java/org/onap/oom/certservice/client/configuration/validation/client/ClientEnvsValueValidators.java
@@ -20,11 +20,11 @@ package org.onap.oom.certservice.client.configuration.validation.client;
 public final class ClientEnvsValueValidators {
- private static final String ALPHA_NUMERIC_REGEX = "^[a-zA-Z0-9]*$";
+ private static final String CA_NAME_REGEX = "^[a-zA-Z0-9_.~-]{1,128}$";
 private static final String VALID_PATH_REGEX = "^/|(/[a-zA-Z0-9_-]+)+/?$";
- public static boolean isAlphaNumeric(String caName) {
- return caName.matches(ALPHA_NUMERIC_REGEX);
+ public static boolean isCaNameValid(String caName) {
+ return caName.matches(CA_NAME_REGEX);
 }
 public static boolean isPathValid(String path) {
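Review bot: `CA_NAME_REGEX` now accepts `.` and `~`, so `isCaNameValid` passes `"."`, `".."` and `"..."`; if the CA name is later placed into a request path (not visible here) dot-only segments can alter the resolved URL. Reject them explicitly, e.g. `return caName.matches(CA_NAME_REGEX) && !caName.chars().allMatch(ch -> ch == '.');`, and document the contract on the constant: `// RFC 3986 unreserved characters only (ALPHA / DIGIT / "-" / "." / "_" / "~"), 1-128 chars`. Style: `String.matches` recompiles the regex on every call; `private static final Pattern CA_NAME_PATTERN = Pattern.compile(CA_NAME_REGEX)` (with `java.util.regex.Pattern` imported) and `CA_NAME_PATTERN.matcher(caName).matches()` is the usual form, and the same applies to the untouched `VALID_PATH_REGEX`. The class continues outside the hunk.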
diff --git a/certServiceClient/src/test/java/org/onap/oom/certservice/client/configuration/validation/client/ClientEnvsValueValidatorsTest.java b/certServiceClient/src/test/java/org/onap/oom/certservice/client/configuration/validation/client/ClientEnvsValueValidatorsTest.java
index 9ed46c1a..d219873f 100644
--- a/certServiceClient/src/test/java/org/onap/oom/certservice/client/configuration/validation/client/ClientEnvsValueValidatorsTest.java
+++ b/certServiceClient/src/test/java/org/onap/oom/certservice/client/configuration/validation/client/ClientEnvsValueValidatorsTest.java
@@ -21,7 +21,7 @@ package org.onap.oom.certservice.client.configuration.validation.client;
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.onap.oom.certservice.client.configuration.validation.client.ClientEnvsValueValidators.isAlphaNumeric;
+import static org.onap.oom.certservice.client.configuration.validation.client.ClientEnvsValueValidators.isCaNameValid;
 import static org.onap.oom.certservice.client.configuration.validation.client.ClientEnvsValueValidators.isPathValid;
 import org.junit.jupiter.params.ParameterizedTest;
@@ -29,15 +29,15 @@ import org.junit.jupiter.params.provider.ValueSource; class ClientEnvsValueValidatorsTest { @ParameterizedTest - @ValueSource(strings = {"caname", "caname1", "123caName", "ca1name"}) - void shouldAcceptValidAlphanumeric(String caName) { - assertThat(isAlphaNumeric(caName)).isTrue(); + @ValueSource(strings = {"caname", "caname1", "123caName", "ca1name", "ca_name", "ca-name", "ca.na~me"}) + void shouldAcceptValidCaName(String caName) { + assertThat(isCaNameValid(caName)).isTrue(); } @ParameterizedTest - @ValueSource(strings = {"44caname$", "#caname1", "1c_aname", "ca1-name"}) - void shouldRejectInvalidAlphanumeric(String caName) { - assertThat(isAlphaNumeric(caName)).isFalse(); + @ValueSource(strings = {"44caname$", "#caname1", "1c[aname]", "ca1/name", "", " "}) + void shouldRejectInvalidCaName(String caName) { + assertThat(isCaNameValid(caName)).isFalse(); } @ParameterizedTest diff --git a/certServiceClient/version.properties b/certServiceClient/version.properties index f1c5779d..29a89d0c 100644 --- a/certServiceClient/version.properties +++ b/certServiceClient/version.properties @@ -1,6 +1,6 @@ major=2 minor=3 -patch=1 +patch=2 base_version=${major}.${minor}.${patch} release_version=${base_version} snapshot_version=${base_version}-SNAPSHOT diff --git a/certServiceK8sExternalProvider/pom.xml b/certServiceK8sExternalProvider/pom.xml index fe1d657f..c6454f65 100644 --- a/certServiceK8sExternalProvider/pom.xml +++ b/certServiceK8sExternalProvider/pom.xml @@ -5,7 +5,7 @@ oom-certservice org.onap.oom.platform.cert-service - 2.3.1-SNAPSHOT + 2.3.2-SNAPSHOT 4.0.0 diff --git a/certServicePostProcessor/pom.xml b/certServicePostProcessor/pom.xml index 66444649..346c6adf 100644 --- a/certServicePostProcessor/pom.xml +++ b/certServicePostProcessor/pom.xml 
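Review bot: The rewritten `@ValueSource` lists exercise the newly allowed characters but neither boundary the regex introduces: no case pins that a 128-character name passes and a 129-character one fails, and dot-only names such as `"."` and `".."` appear in neither the accept nor the reject list, so the intended treatment of those inputs is undocumented. Add a length test, e.g. `assertThat(isCaNameValid("a".repeat(128))).isTrue();` and `assertThat(isCaNameValid("a".repeat(129))).isFalse();` (`String.repeat` needs Java 11; use a `StringBuilder` loop if the module targets 8), and place `".."` deliberately in one of the two lists. The class continues outside the hunk.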
@@ -5,12 +5,12 @@ oom-certservice org.onap.oom.platform.cert-service - 2.3.1-SNAPSHOT + 2.3.2-SNAPSHOT 4.0.0 oom-certservice-post-processor - 2.3.1-SNAPSHOT + 2.3.2-SNAPSHOT oom-certservice-post-processor An application which conducts certificate post-processing like: merging truststores, copying keystores. jar diff --git a/pom.xml b/pom.xml index 7dee166c..85b278f9 100644 --- a/pom.xml +++ b/pom.xml @@ -23,7 +23,7 @@ org.onap.oom.platform.cert-service oom-certservice - 2.3.1-SNAPSHOT + 2.3.2-SNAPSHOT oom-certservice OOM Certification Service pom diff --git a/version.properties b/version.properties index f1c5779d..29a89d0c 100644 --- a/version.properties +++ b/version.properties @@ -1,6 +1,6 @@ major=2 minor=3 -patch=1 +patch=2 base_version=${major}.${minor}.${patch} release_version=${base_version} snapshot_version=${base_version}-SNAPSHOT -- cgit 1.2.3-korg