From 153a7ac15d804178e7c52f69117e1a9478862df1 Mon Sep 17 00:00:00 2001
From: EmmettCox <emmett.cox@est.tech>
Date: Mon, 17 Feb 2020 13:54:05 +0000
Subject: Refactoring of Cmpv2Client code for sending CertRequest

Issue-ID: AAF-1036
Signed-off-by: EmmettCox <emmett.cox@est.tech>
Change-Id: Ic0d95b35abb3ca2406b77bbe6e0cd51da0968684
---
 .../cmpv2client/impl/CmpMessageHelper.java         | 241 +++++++++++++++++++++
 1 file changed, 241 insertions(+)
 create mode 100644 certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java

(limited to 'certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java')

diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java
new file mode 100644
index 00000000..8c470c7f
--- /dev/null
+++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/impl/CmpMessageHelper.java
@@ -0,0 +1,241 @@
+/*
+ * Copyright (C) 2020 Ericsson Software Technology AB. All rights reserved.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License
+ */
+
+package org.onap.aaf.certservice.cmpv2client.impl;
+
+import static org.onap.aaf.certservice.cmpv2client.impl.CmpUtil.generateProtectedBytes;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+import java.util.Optional;
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import org.bouncycastle.asn1.ASN1EncodableVector;
+import org.bouncycastle.asn1.ASN1Integer;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.DERBitString;
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.DEROutputStream;
+import org.bouncycastle.asn1.DERSequence;
+import org.bouncycastle.asn1.DERTaggedObject;
+import org.bouncycastle.asn1.cmp.PBMParameter;
+import org.bouncycastle.asn1.cmp.PKIBody;
+import org.bouncycastle.asn1.cmp.PKIHeader;
+import org.bouncycastle.asn1.cmp.PKIMessage;
+import org.bouncycastle.asn1.crmf.CertRequest;
+import org.bouncycastle.asn1.crmf.OptionalValidity;
+import org.bouncycastle.asn1.crmf.POPOSigningKey;
+import org.bouncycastle.asn1.crmf.ProofOfPossession;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.Extensions;
+import org.bouncycastle.asn1.x509.ExtensionsGenerator;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.asn1.x509.Time;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public final class CmpMessageHelper {
+
+  private static final Logger LOG = LoggerFactory.getLogger(CmpMessageHelper.class);
+  private static final AlgorithmIdentifier OWF_ALGORITHM =
+      new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26"));
+  private static final AlgorithmIdentifier MAC_ALGORITHM =
+      new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.2.840.113549.2.9"));
+  private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC =
+      new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
+
+  private CmpMessageHelper() {}
+
+  /**
+   * Creates an Optional Validity, which is used to specify how long the returned cert should be
+   * valid for.
+   *
+   * @param notBefore Date specifying certificate is not valid before this date.
+   * @param notAfter Date specifying certificate is not valid after this date.
+   * @return {@link OptionalValidity} that can be set for certificate on external CA.
+   */
+  public static OptionalValidity generateOptionalValidity(
+      final Date notBefore, final Date notAfter) {
+    LOG.info("Generating Optional Validity from Date objects");
+    ASN1EncodableVector optionalValidityV = new ASN1EncodableVector();
+    if (notBefore != null) {
+      Time nb = new Time(notBefore);
+      optionalValidityV.add(new DERTaggedObject(true, 0, nb));
+    }
+    if (notAfter != null) {
+      Time na = new Time(notAfter);
+      optionalValidityV.add(new DERTaggedObject(true, 1, na));
+    }
+    return OptionalValidity.getInstance(new DERSequence(optionalValidityV));
+  }
+
+  /**
+   * Create Extensions from Subject Alternative Names.
+   *
+   * @return {@link Extensions}.
+   */
+  public static Extensions generateExtension(final List<String> sansList)
+      throws CmpClientException {
+    LOG.info("Generating Extensions from Subject Alternative Names");
+    final ExtensionsGenerator extGenerator = new ExtensionsGenerator();
+    final GeneralName[] sansGeneralNames = getGeneralNames(sansList);
+    // KeyUsage
+    try {
+      final KeyUsage keyUsage =
+          new KeyUsage(
+              KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation);
+      extGenerator.addExtension(Extension.keyUsage, false, new DERBitString(keyUsage));
+      extGenerator.addExtension(
+          Extension.subjectAlternativeName, false, new GeneralNames(sansGeneralNames));
+    } catch (IOException ioe) {
+      CmpClientException cmpClientException =
+          new CmpClientException(
+              "Exception occurred while creating proof of possession for PKIMessage", ioe);
+      LOG.error("Exception occurred while creating proof of possession for PKIMessage");
+      throw cmpClientException;
+    }
+    return extGenerator.generate();
+  }
+
+  public static GeneralName[] getGeneralNames(List<String> sansList) {
+    final List<GeneralName> nameList = new ArrayList<>();
+    for (String san : sansList) {
+      nameList.add(new GeneralName(GeneralName.dNSName, san));
+    }
+    final GeneralName[] sansGeneralNames = new GeneralName[nameList.size()];
+    nameList.toArray(sansGeneralNames);
+    return sansGeneralNames;
+  }
+
+  /**
+   * Method generates Proof-of-Possession (POP) of Private Key. To allow a CA/RA to properly
+   * validity binding between an End Entity and a Key Pair, the PKI Operations specified here make
+   * it possible for an End Entity to prove that it has possession of the Private Key corresponding
+   * to the Public Key for which a Certificate is requested.
+   *
+   * @param certRequest Certificate request that requires proof of possession
+   * @param keypair keypair associated with the subject sending the certificate request
+   * @return {@link ProofOfPossession}.
+   * @throws CmpClientException A general-purpose Cmp client exception.
+   */
+  public static ProofOfPossession generateProofOfPossession(
+      final CertRequest certRequest, final KeyPair keypair) throws CmpClientException {
+    ProofOfPossession proofOfPossession;
+    try (final ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream()) {
+      final DEROutputStream derOutputStream = new DEROutputStream(byteArrayOutputStream);
+      derOutputStream.writeObject(certRequest);
+
+      byte[] popoProtectionBytes = byteArrayOutputStream.toByteArray();
+      final String sigalg = PKCSObjectIdentifiers.sha256WithRSAEncryption.getId();
+      final Signature signature = Signature.getInstance(sigalg, BouncyCastleProvider.PROVIDER_NAME);
+      signature.initSign(keypair.getPrivate());
+      signature.update(popoProtectionBytes);
+      DERBitString bs = new DERBitString(signature.sign());
+
+      proofOfPossession =
+          new ProofOfPossession(
+              new POPOSigningKey(
+                  null, new AlgorithmIdentifier(new ASN1ObjectIdentifier(sigalg)), bs));
+    } catch (IOException
+        | NoSuchProviderException
+        | NoSuchAlgorithmException
+        | InvalidKeyException
+        | SignatureException ex) {
+      CmpClientException cmpClientException =
+          new CmpClientException(
+              "Exception occurred while creating proof " + "of possession for PKIMessage", ex);
+      LOG.error("Exception occurred while creating proof of possession for PKIMessage");
+      throw cmpClientException;
+    }
+    return proofOfPossession;
+  }
+
+  /**
+   * Generic code to create Algorithm Identifier for protection of PKIMessage.
+   *
+   * @return Algorithm Identifier
+   */
+  public static AlgorithmIdentifier protectionAlgoIdentifier(int iterations, byte[] salt) {
+    ASN1Integer iteration = new ASN1Integer(iterations);
+    DEROctetString derSalt = new DEROctetString(salt);
+
+    PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM);
+    return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp);
+  }
+
+  /**
+   * Adds protection to the PKIMessage via a specified protection algorithm.
+   *
+   * @param password password used to authenticate PkiMessage with external CA
+   * @param pkiHeader Header of PKIMessage containing generic details for any PKIMessage
+   * @param pkiBody Body of PKIMessage containing specific details for certificate request
+   * @return Protected Pki Message
+   * @throws CmpClientException Wraps several exceptions into one general-purpose exception.
+   */
+  public static PKIMessage protectPkiMessage(
+      PKIHeader pkiHeader, PKIBody pkiBody, String password, int iterations, byte[] salt)
+      throws CmpClientException {
+
+    byte[] raSecret = password.getBytes();
+    byte[] basekey = new byte[raSecret.length + salt.length];
+    System.arraycopy(raSecret, 0, basekey, 0, raSecret.length);
+    System.arraycopy(salt, 0, basekey, raSecret.length, salt.length);
+    byte[] out;
+    try {
+      MessageDigest dig =
+          MessageDigest.getInstance(
+              OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
+      for (int i = 0; i < iterations; i++) {
+        basekey = dig.digest(basekey);
+        dig.reset();
+      }
+      byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody);
+      Mac mac =
+          Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME);
+      SecretKey key = new SecretKeySpec(basekey, MAC_ALGORITHM.getAlgorithm().getId());
+      mac.init(key);
+      mac.reset();
+      mac.update(protectedBytes, 0, protectedBytes.length);
+      out = mac.doFinal();
+    } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeyException ex) {
+      CmpClientException cmpClientException =
+          new CmpClientException(
+              "Exception occurred while generating " + "proof of possession for PKIMessage", ex);
+      LOG.error("Exception occured while generating the proof of possession for PKIMessage");
+      throw cmpClientException;
+    }
+    DERBitString bs = new DERBitString(out);
+
+    return new PKIMessage(pkiHeader, pkiBody, bs);
+  }
+}
-- 
cgit 1.2.3-korg