From 9b682503a32af10dd6335c897e73e0e63f688210 Mon Sep 17 00:00:00 2001
From: EmmettCox
Date: Thu, 27 Feb 2020 17:19:47 +0000
Subject: Authenticate response from CMP server
Issue-ID: AAF-1037
Signed-off-by: EmmettCox
Change-Id: I6f52627a169359067ddd928d1e895e8d6237c7b5
---
 .../cmpv2client/impl/CmpClientImpl.java | 60 +++++++++++++++++++---
 1 file changed, 54 insertions(+), 6 deletions(-)
(limited to 'certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java')
diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java
index 7dacfc80..29bd671d 100644
--- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpClientImpl.java
@@ -20,9 +20,13 @@ package org.onap.aaf.certservice.cmpv2client.impl;
+import java.security.PublicKey;
 import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseHelper.checkIfCmpResponseContainsError;
 import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseHelper.getCertfromByteArray;
 import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseHelper.verifyAndReturnCertChainAndTrustSTore;
+import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseValidationHelper.checkImplicitConfirm;
+import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseValidationHelper.verifyPasswordBasedProtection;
+import static org.onap.aaf.certservice.cmpv2client.impl.CmpResponseValidationHelper.verifySignature;
 import java.io.IOException;
 import java.security.cert.CertificateParsingException;
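Review bot: `import java.security.PublicKey;` is inserted above the static-import group, separated from the file's other `java.security` import (`import java.security.cert.CertificateParsingException;`) a few lines further down in the same hunk. Keep the `java.*` imports together and the static imports as their own group, e.g. move the new line to sit next to `import java.security.cert.CertificateParsingException;`.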
@@ -38,7 +42,9 @@ import org.bouncycastle.asn1.cmp.CMPCertificate;
 import org.bouncycastle.asn1.cmp.CertRepMessage;
 import org.bouncycastle.asn1.cmp.CertResponse;
 import org.bouncycastle.asn1.cmp.PKIBody;
+import org.bouncycastle.asn1.cmp.PKIHeader;
 import org.bouncycastle.asn1.cmp.PKIMessage;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
 import org.onap.aaf.certservice.cmpv2client.api.CmpClient;
 import org.onap.aaf.certservice.cmpv2client.external.CSRMeta;
@@ -51,7 +57,7 @@ import org.slf4j.LoggerFactory;
  */
 public class CmpClientImpl implements CmpClient {
-  private final Logger LOG = LoggerFactory.getLogger(CmpClientImpl.class);
+  private static final Logger LOG = LoggerFactory.getLogger(CmpClientImpl.class);
   private final CloseableHttpClient httpClient;
   private static final String DEFAULT_PROFILE = "RA";
@@ -82,6 +88,7 @@ public class CmpClientImpl implements CmpClient {
             .with(CreateCertRequest::setNotBefore, notBefore)
             .with(CreateCertRequest::setNotAfter, notAfter)
             .with(CreateCertRequest::setInitAuthPassword, csrMeta.password())
+            .with(CreateCertRequest::setSenderKid, csrMeta.senderKid())
             .build();
     final PKIMessage pkiMessage = certRequest.generateCertReq();
@@ -96,6 +103,45 @@ public class CmpClientImpl implements CmpClient {
     return createCertificate(caName, profile, csrMeta, csr, null, null);
   }
+  private void checkCmpResponse(
+      final PKIMessage respPkiMessage, final PublicKey publicKey, final String initAuthPassword)
+      throws CmpClientException {
+    final PKIHeader header = respPkiMessage.getHeader();
+    final AlgorithmIdentifier protectionAlgo = header.getProtectionAlg();
+    verifySignatureWithPublicKey(respPkiMessage, publicKey);
+    verifyProtectionWithProtectionAlgo(respPkiMessage, initAuthPassword, header, protectionAlgo);
+  }
+
+  private void verifySignatureWithPublicKey(PKIMessage respPkiMessage, PublicKey publicKey)
+      throws CmpClientException {
+    if (Objects.nonNull(publicKey)) {
+      LOG.debug("Verifying signature of the response.");
+      verifySignature(respPkiMessage, publicKey);
+    } else {
+      LOG.error("Public Key is not available, therefore cannot verify signature");
+      throw new CmpClientException(
+          "Public Key is not available, therefore cannot verify signature");
+    }
+  }
+
+  private void verifyProtectionWithProtectionAlgo(
+      PKIMessage respPkiMessage,
+      String initAuthPassword,
+      PKIHeader header,
+      AlgorithmIdentifier protectionAlgo)
+      throws CmpClientException {
+    if (Objects.nonNull(protectionAlgo)) {
+      LOG.debug("Verifying PasswordBased Protection of the Response.");
+      verifyPasswordBasedProtection(respPkiMessage, initAuthPassword, protectionAlgo);
+      checkImplicitConfirm(header);
+    } else {
+      LOG.error(
+          "Protection Algorithm is not available when expecting PBE protected response containing protection algorithm");
+      throw new CmpClientException(
+          "Protection Algorithm is not available when expecting PBE protected response containing protection algorithm");
+    }
+  }
+
   private List> checkCmpCertRepMessage(final PKIMessage respPkiMessage)
       throws CmpClientException {
     final PKIBody pkiBody = respPkiMessage.getBody();
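Review bot: `checkCmpResponse` runs both `verifySignatureWithPublicKey` and `verifyProtectionWithProtectionAlgo` on every response, but a PKIMessage carries a single protection value whose kind is selected by `header.getProtectionAlg()` — it is either a password-based MAC or a signature, never both — so one of the two checks is always applied to the wrong kind of protection, and `verifyProtectionWithProtectionAlgo` already rejects any response whose algorithm is not treated as PBE. The key used on the signature path is whatever the caller passes, which in this commit is the requester's own key pair; unless `verifySignature` (not in this diff) checks something other than the message protection, that key cannot authenticate anything the server signed and a CA/RA key or trust anchor would be needed instead — please confirm and document what it verifies. I would branch on the algorithm OID (BouncyCastle's `CMPObjectIdentifiers.passwordBasedMac`, which needs an import) instead of null-checking it, and move `checkImplicitConfirm(header)` out of the PBE branch so it runs for both protection types, as sketched below. With that shape `verifyProtectionWithProtectionAlgo` is no longer needed and can be dropped.
```java
  private void checkCmpResponse(
      final PKIMessage respPkiMessage, final PublicKey publicKey, final String initAuthPassword)
      throws CmpClientException {
    final PKIHeader header = respPkiMessage.getHeader();
    final AlgorithmIdentifier protectionAlgo = header.getProtectionAlg();
    if (Objects.isNull(protectionAlgo)) {
      LOG.error("Response has no protectionAlg; refusing unprotected CMP message");
      throw new CmpClientException("Response has no protectionAlg; refusing unprotected CMP message");
    }
    // A PKIMessage is MAC-protected or signature-protected, never both; protectionAlg says which.
    if (CMPObjectIdentifiers.passwordBasedMac.equals(protectionAlgo.getAlgorithm())) {
      LOG.debug("Verifying PasswordBased Protection of the Response.");
      verifyPasswordBasedProtection(respPkiMessage, initAuthPassword, protectionAlgo);
    } else {
      // publicKey must belong to the signing CA/RA, not to the requester, for this to authenticate anything.
      verifySignatureWithPublicKey(respPkiMessage, publicKey);
    }
    checkImplicitConfirm(header);
  }
  // … unchanged: verifySignatureWithPublicKey …
```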
@@ -128,10 +174,11 @@ public class CmpClientImpl implements CmpClient {
         certResponse.getCertifiedKeyPair().getCertOrEncCert().getCertificate();
     final Optional leafCertificate =
         getCertfromByteArray(cmpCertificate.getEncoded(), X509Certificate.class);
-    ArrayList certChain = new ArrayList<>();
-    ArrayList trustStore = new ArrayList<>();
-    return verifyAndReturnCertChainAndTrustSTore(
-        respPkiMessage, certRepMessage, leafCertificate.get(), certChain, trustStore);
+    if (leafCertificate.isPresent()) {
+      return verifyAndReturnCertChainAndTrustSTore(
+          respPkiMessage, certRepMessage, leafCertificate.get());
+    }
+    return Collections.emptyList();
   }
   private CertResponse getCertificateResponseContainingNewCertificate(
@@ -184,8 +231,9 @@ public class CmpClientImpl implements CmpClient {
     final byte[] respBytes = cmpv2HttpClient.postRequest(pkiMessage, csrMeta.caUrl(), caName);
     try {
       final PKIMessage respPkiMessage = PKIMessage.getInstance(respBytes);
-      LOG.info("Recieved response from Server");
+      LOG.info("Received response from Server");
       checkIfCmpResponseContainsError(respPkiMessage);
+      checkCmpResponse(respPkiMessage, csrMeta.keypair().getPublic(), csrMeta.password());
       return checkCmpCertRepMessage(respPkiMessage);
     } catch (IllegalArgumentException iae) {
       CmpClientException cmpClientException =
--
cgit 1.2.3-korg
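Review bot: Returning `Collections.emptyList()` when `leafCertificate` is empty turns a response whose certificate could not be decoded into a successful call with no chain, and the caller has no way to tell that apart from a verified result. The method already declares `throws CmpClientException`, so fail loudly instead, e.g. `final X509Certificate leaf = leafCertificate.orElseThrow(() -> new CmpClientException("Certificate in CMP response could not be decoded"));` and pass `leaf` to `verifyAndReturnCertChainAndTrustSTore`. The enclosing method starts before this hunk.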
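Review bot: `checkIfCmpResponseContainsError(respPkiMessage)` is still called before the new `checkCmpResponse(...)`, so the status/error content of a response is inspected and acted on before the message's protection has been verified, which lets anyone on the path inject a bogus error body; swap the two lines so `checkCmpResponse(respPkiMessage, csrMeta.keypair().getPublic(), csrMeta.password());` runs first (if the CA is expected to send unprotected error messages, handle that case explicitly rather than by parsing before authentication). Nothing here binds the response to the request either: `pkiMessage` is in scope, but its header's transactionID and senderNonce are never compared with the response header's transactionID and recipNonce, so a replayed or unrelated but validly protected response would be accepted — passing `pkiMessage.getHeader()` into `checkCmpResponse` would let it make that comparison. The public key handed over is the requester's own `csrMeta.keypair().getPublic()`; a signature made by the server cannot be checked with it, so confirm what the signature check is actually meant to verify and document it at the call site. The enclosing method starts before this hunk.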