From b4030c1d7ebd848f28fb5000ac1d8f7e4fbfca85 Mon Sep 17 00:00:00 2001
From: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
Date: Tue, 26 Jan 2021 10:45:10 +0100
Subject: [OOM-CERT-SERVICE] Fix KeyUsage extention sent to CMPv2 server

- fix setting key usage to digitalSignature & keyEncipherment & nonRepudiation
- set extended key usage to clientAuth & serverAuth

Issue-ID: OOM-2658
Signed-off-by: Piotr Marcinkiewicz <piotr.marcinkiewicz@nokia.com>
Change-Id: I5c00f622c3d117a63e4f48a3d2a90fd48cce3d0e
---
 .../cmpv2client/impl/CmpMessageHelper.java         | 23 +++++--
 .../cmpv2client/impl/CmpMessageHelperTest.java     | 70 ++++++++++++++++++++++
 2 files changed, 87 insertions(+), 6 deletions(-)
 create mode 100644 certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelperTest.java

diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
index 2a77873e..1e64a2e0 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
@@ -25,6 +25,7 @@ import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generateProtecte
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.security.InvalidKeyException;
+import java.security.Key;
 import java.security.KeyPair;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -54,11 +55,13 @@ import org.bouncycastle.asn1.crmf.POPOSigningKey;
 import org.bouncycastle.asn1.crmf.ProofOfPossession;
 import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
 import org.bouncycastle.asn1.x509.Extension;
 import org.bouncycastle.asn1.x509.Extensions;
 import org.bouncycastle.asn1.x509.ExtensionsGenerator;
 import org.bouncycastle.asn1.x509.GeneralName;
 import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.KeyPurposeId;
 import org.bouncycastle.asn1.x509.KeyUsage;
 import org.bouncycastle.asn1.x509.Time;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
@@ -75,6 +78,7 @@ public final class CmpMessageHelper {
             new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2"));
     private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC =
             new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
+    private static final boolean CRITICAL_FALSE = false;
 
     private CmpMessageHelper() {
     }
@@ -111,14 +115,11 @@ public final class CmpMessageHelper {
             throws CmpClientException {
         LOG.info("Generating Extensions from Subject Alternative Names");
         final ExtensionsGenerator extGenerator = new ExtensionsGenerator();
-        // KeyUsage
         try {
-            final KeyUsage keyUsage =
-                    new KeyUsage(
-                            KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation);
-            extGenerator.addExtension(Extension.keyUsage, false, new DERBitString(keyUsage));
+            extGenerator.addExtension(Extension.keyUsage, CRITICAL_FALSE, getKeyUsage());
+            extGenerator.addExtension(Extension.extendedKeyUsage, CRITICAL_FALSE, getExtendedKeyUsage());
             extGenerator.addExtension(
-                    Extension.subjectAlternativeName, false, new GeneralNames(sansArray));
+                    Extension.subjectAlternativeName, CRITICAL_FALSE, new GeneralNames(sansArray));
         } catch (IOException ioe) {
             CmpClientException cmpClientException =
                     new CmpClientException(
@@ -230,4 +231,14 @@ public final class CmpMessageHelper {
 
         return new PKIMessage(pkiHeader, pkiBody, bs);
     }
+
+    private static KeyUsage getKeyUsage() {
+        return new KeyUsage(
+            KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation);
+    }
+
+    private static ExtendedKeyUsage getExtendedKeyUsage() {
+        return new ExtendedKeyUsage(
+            new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth});
+    }
 }
diff --git a/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelperTest.java b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelperTest.java
new file mode 100644
index 00000000..0aae26a4
--- /dev/null
+++ b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelperTest.java
@@ -0,0 +1,70 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-api
+ * ================================================================================
+ * Copyright (C) 2021 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+package org.onap.oom.certservice.cmpv2client.impl;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+
+import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.Extensions;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.KeyPurposeId;
+import org.bouncycastle.asn1.x509.KeyUsage;
+import org.junit.jupiter.api.Test;
+import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException;
+
+public class CmpMessageHelperTest {
+
+    private final KeyUsage expectedKeyUsage = new KeyUsage(
+        KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation);
+    private final ExtendedKeyUsage expectedExtendedKeyUsage = new ExtendedKeyUsage(
+        new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth});
+
+    @Test
+    void shouldSetSansInExtensions() throws CmpClientException {
+        //when
+        Extensions extensions = CmpMessageHelper.generateExtension(getTestSans());
+        //then
+        GeneralName[] sans = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName).getNames();
+        assertArrayEquals(sans, getTestSans());
+    }
+
+    @Test
+    void shouldSetKeyUsagesInExtensions() throws CmpClientException {
+        //when
+        Extensions extensions = CmpMessageHelper.generateExtension(getTestSans());
+        //then
+        KeyUsage actualKeyUsage = KeyUsage.fromExtensions(extensions);
+        ExtendedKeyUsage actualExtendedKeyUsage = ExtendedKeyUsage.fromExtensions(extensions);
+        assertEquals(this.expectedKeyUsage, actualKeyUsage);
+        assertEquals(this.expectedExtendedKeyUsage, actualExtendedKeyUsage);
+    }
+
+    private GeneralName[] getTestSans() {
+        return new GeneralName[]{
+            new GeneralName(GeneralName.dNSName, "tetHostName"),
+            new GeneralName(GeneralName.iPAddress, "1.2.3.4")
+        };
+    }
+
+}
-- 
cgit 1.2.3-korg