From fd94a0f31c85d941330b43dcb2baa8ad4aa39270 Mon Sep 17 00:00:00 2001 From: Tomasz Wrobel Date: Wed, 18 Nov 2020 07:55:55 +0100 Subject: [OOM CERT-SERVICE-API] Add support for URI, IP, E-mail in SANs Issue-ID: OOM-2632 Change-Id: I903c31ebe05521e281753cb847001ba99275f758 Signed-off-by: Tomasz Wrobel --- .../certservice/certification/model/CsrModel.java | 39 +++++++++++----------- .../cmpv2client/impl/CmpClientImpl.java | 2 +- .../cmpv2client/impl/CmpMessageHelper.java | 17 ++-------- .../cmpv2client/impl/CreateCertRequest.java | 10 +++--- 4 files changed, 27 insertions(+), 41 deletions(-) (limited to 'certService/src/main/java/org') diff --git a/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java b/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java index 7cba1949..2573c978 100644 --- a/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java +++ b/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java @@ -29,11 +29,8 @@ import java.security.spec.InvalidKeySpecException; import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; import java.util.Arrays; -import java.util.Collections; -import java.util.List; -import java.util.Objects; -import java.util.stream.Collectors; +import java.util.stream.Collectors; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.Extension; import org.bouncycastle.asn1.x509.Extensions; @@ -53,10 +50,10 @@ public class CsrModel { private final X500Name subjectData; private final PrivateKey privateKey; private final PublicKey publicKey; - private final List sans; + private final GeneralName[] sans; public CsrModel(PKCS10CertificationRequest csr, X500Name subjectData, PrivateKey privateKey, PublicKey publicKey, - List sans) { + GeneralName[] sans) { this.csr = csr; this.subjectData = subjectData; this.privateKey = privateKey; 
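Review bot: The constructor in the second hunk keeps the caller's `GeneralName[]` by reference inside a class whose other fields are final and effectively immutable, so whoever still holds that array can change the SANs after the CsrModel exists; the same aliasing applies to `getSans()` in the next hunk, which hands the internal array out, and to `CreateCertRequest.setSansArray`. Because this array ends up in the certificate template sent to the CA, a defensive copy is cheap: `this.sans = sans.clone();` in the constructor and `return sans.clone();` in the getter. A null check belongs there too, since `toString()` streams the array — note that this hunk removes `import java.util.Objects`, so `Objects.requireNonNull(sans, "sans")` would need the import back. The constructor body continues past the end of the hunk.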
@@ -80,18 +77,24 @@ public class CsrModel { return publicKey; } - public List getSans() { + public GeneralName[] getSans() { return sans; } @Override public String toString() { - return "Subject: { " + subjectData + " ,SANs: " + sans + " }"; + return "CSR: { Subject: { " + subjectData + " }, SANs: [" + getSansInReadableFormat() + "] }"; } - public static class CsrModelBuilder { + private String getSansInReadableFormat() { + return Arrays.stream(this.sans) + .map(generalName -> generalName.getName().toString()) + .collect(Collectors.joining(", ")); + } + public static class CsrModelBuilder { private final PKCS10CertificationRequest csr; + private final PemObject privateKey; public CsrModel build() throws DecryptionException { @@ -99,7 +102,7 @@ public class CsrModel { X500Name subjectData = getSubjectData(); PrivateKey javaPrivateKey = convertingPemPrivateKeyToJavaSecurityPrivateKey(getPrivateKey()); PublicKey javaPublicKey = convertingPemPublicKeyToJavaSecurityPublicKey(getPublicKey()); - List sans = getSansData(); + GeneralName[] sans = getSansData(); return new CsrModel(csr, subjectData, javaPrivateKey, javaPublicKey, sans); } @@ -125,15 +128,12 @@ public class CsrModel { return csr.getSubject(); } - private List getSansData() { + private GeneralName[] getSansData() { if (!isAttrsEmpty() && !isAttrsValuesEmpty()) { Extensions extensions = Extensions.getInstance(csr.getAttributes()[0].getAttrValues().getObjectAt(0)); - GeneralName[] arrayOfAlternativeNames = - GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName).getNames(); - return Arrays.stream(arrayOfAlternativeNames).map(GeneralName::getName).map(Objects::toString) - .collect(Collectors.toList()); + return GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName).getNames(); } - return Collections.emptyList(); + return new GeneralName[0]; } private boolean isAttrsValuesEmpty() { 
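Review bot: `getSansInReadableFormat()` renders every entry via `generalName.getName().toString()`, and for the iPAddress type this commit introduces the name is an octet string, which as far as I recall BouncyCastle prints as `#`-prefixed hex rather than a dotted address, so the log output the new `toString()` builds will be unreadable for IP SANs. A tag-aware conversion (switching on `generalName.getTagNo()` and decoding the octets for `GeneralName.iPAddress`) would keep DNS, e-mail and URI values as they are while printing IPs in their usual form. A one-line Javadoc on the helper, `/** Joins the SAN entries into a human-readable list for logging and error messages. */`, would also make its purpose clear. The CsrModelBuilder that starts at the end of this hunk continues outside it.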
@@ -145,7 +145,7 @@ public class CsrModel { } private PrivateKey convertingPemPrivateKeyToJavaSecurityPrivateKey(PemObject privateKey) - throws KeyDecryptionException { + throws KeyDecryptionException { try { KeyFactory factory = KeyFactory.getInstance("RSA"); PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKey.getContent()); @@ -154,9 +154,8 @@ public class CsrModel { throw new KeyDecryptionException("Converting Private Key failed", e.getCause()); } } - private PublicKey convertingPemPublicKeyToJavaSecurityPublicKey(PemObject publicKey) - throws KeyDecryptionException { + throws KeyDecryptionException { try { KeyFactory factory = KeyFactory.getInstance("RSA"); X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKey.getContent()); @@ -165,6 +164,6 @@ public class CsrModel { throw new KeyDecryptionException("Converting Public Key from CSR failed", e.getCause()); } } - } + } } diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java index f5eddb58..6ff274c5 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java @@ -86,7 +86,7 @@ public class CmpClientImpl implements CmpClient { CmpMessageBuilder.of(CreateCertRequest::new) .with(CreateCertRequest::setIssuerDn, server.getIssuerDN()) .with(CreateCertRequest::setSubjectDn, csrModel.getSubjectData()) - .with(CreateCertRequest::setSansList, csrModel.getSans()) + .with(CreateCertRequest::setSansArray, csrModel.getSans()) .with(CreateCertRequest::setSubjectKeyPair, keyPair) .with(CreateCertRequest::setNotBefore, notBefore) .with(CreateCertRequest::setNotAfter, notAfter) 
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java index 844f85be..5c61aa9f 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java @@ -31,9 +31,7 @@ import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.Signature; import java.security.SignatureException; -import java.util.ArrayList; import java.util.Date; -import java.util.List; import javax.crypto.Mac; import javax.crypto.SecretKey; import javax.crypto.spec.SecretKeySpec; @@ -109,11 +107,10 @@ public final class CmpMessageHelper { * * @return {@link Extensions}. */ - public static Extensions generateExtension(final List sansList) + public static Extensions generateExtension(final GeneralName[] sansArray) throws CmpClientException { LOG.info("Generating Extensions from Subject Alternative Names"); final ExtensionsGenerator extGenerator = new ExtensionsGenerator(); - final GeneralName[] sansGeneralNames = getGeneralNames(sansList); // KeyUsage try { final KeyUsage keyUsage = @@ -121,7 +118,7 @@ public final class CmpMessageHelper { KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation); extGenerator.addExtension(Extension.keyUsage, false, new DERBitString(keyUsage)); extGenerator.addExtension( - Extension.subjectAlternativeName, false, new GeneralNames(sansGeneralNames)); + Extension.subjectAlternativeName, false, new GeneralNames(sansArray)); } catch (IOException ioe) { CmpClientException cmpClientException = new CmpClientException( 
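Review bot: `generateExtension` adds a subjectAlternativeName extension for whatever `sansArray` holds, including an empty array, and `CsrModel.getSansData()` now returns `new GeneralName[0]` when the CSR carries no SANs; RFC 5280 requires a present SAN extension to contain at least one entry, so such a template may be rejected by the CA. Guarding the call in the second hunk, `if (sansArray.length > 0) { extGenerator.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(sansArray)); }`, avoids emitting the empty extension, and since `new GeneralNames(null)` would also fail, rejecting a null `sansArray` with a clear message at the top of the method is worth adding. The parameter was renamed from `sansList` to `sansArray` but the Javadoc above the signature is only partly inside the hunk; if it still carries an `@param sansList` tag it should become `@param sansArray the subject alternative names to place in the extension; must not be null`. The method body continues past the hunk.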
@@ -132,16 +129,6 @@ public final class CmpMessageHelper { return extGenerator.generate(); } - public static GeneralName[] getGeneralNames(List sansList) { - final List nameList = new ArrayList<>(); - for (String san : sansList) { - nameList.add(new GeneralName(GeneralName.dNSName, san)); - } - final GeneralName[] sansGeneralNames = new GeneralName[nameList.size()]; - nameList.toArray(sansGeneralNames); - return sansGeneralNames; - } - /** * Method generates Proof-of-Possession (POP) of Private Key. To allow a CA/RA to properly * validity binding between an End Entity and a Key Pair, the PKI Operations specified here make diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java index a0ba13d6..8d82b85b 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java @@ -26,7 +26,6 @@ import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generatePkiHeade import java.security.KeyPair; import java.util.Date; -import java.util.List; import org.bouncycastle.asn1.cmp.PKIBody; import org.bouncycastle.asn1.cmp.PKIHeader; @@ -37,6 +36,7 @@ import org.bouncycastle.asn1.crmf.CertRequest; import org.bouncycastle.asn1.crmf.CertTemplateBuilder; import org.bouncycastle.asn1.crmf.ProofOfPossession; import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x509.GeneralName; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException; @@ -48,7 +48,7 @@ class CreateCertRequest { private X500Name issuerDn; private X500Name subjectDn; - private List sansList; + private GeneralName[] sansArray; private KeyPair subjectKeyPair; private Date notBefore; private Date notAfter; 
@@ -67,8 +67,8 @@ class CreateCertRequest { this.subjectDn = subjectDn; } - public void setSansList(List sansList) { - this.sansList = sansList; + public void setSansArray(GeneralName[] sansArray) { + this.sansArray = sansArray; } public void setSubjectKeyPair(KeyPair subjectKeyPair) { @@ -102,7 +102,7 @@ class CreateCertRequest { new CertTemplateBuilder() .setIssuer(issuerDn) .setSubject(subjectDn) - .setExtensions(CmpMessageHelper.generateExtension(sansList)) + .setExtensions(CmpMessageHelper.generateExtension(sansArray)) .setValidity(CmpMessageHelper.generateOptionalValidity(notBefore, notAfter)) .setPublicKey( SubjectPublicKeyInfo.getInstance(subjectKeyPair.getPublic().getEncoded())); -- cgit 1.2.3-korg
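Review bot: `setSansArray` accepts null and the field has no default, so a request assembled without the setter reaches `CmpMessageHelper.generateExtension(sansArray)` in the second hunk with null and fails inside BouncyCastle rather than at the point of misuse. Failing early in the setter, `this.sansArray = Objects.requireNonNull(sansArray, "sansArray");`, gives a clear message (java.util.Objects would need importing, as the hunk above removes `java.util.List` but adds no replacement). The CertTemplateBuilder chain in the second hunk starts and ends outside it.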