From a1ea4473296be0f02671ad8152d72327fc53a520 Mon Sep 17 00:00:00 2001
From: Tomasz Wrobel
Date: Tue, 29 Jun 2021 11:51:51 +0200
Subject: [OOM-CERT-SERVICE] Add handling cmp response when PBM value is missing.
Issue-ID: OOM-2753
Signed-off-by: Tomasz Wrobel
Change-Id: I38de28c994b5c83f936b3b5ea47d024a96f4733e
---
 .../cmpv2client/impl/CmpClientImpl.java | 37 ++++++++++++----------
 1 file changed, 20 insertions(+), 17 deletions(-)
(limited to 'certService/src/main/java')
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java
index a673869d..7f17260c 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java
@@ -39,6 +39,7 @@ import java.util.Date;
 import java.util.Objects;
 import java.util.Optional;
 import org.apache.http.impl.client.CloseableHttpClient;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.cmp.CMPCertificate;
 import org.bouncycastle.asn1.cmp.CertRepMessage;
 import org.bouncycastle.asn1.cmp.CertResponse;
@@ -67,6 +68,7 @@ public class CmpClientImpl implements CmpClient {
 
     private static final String DEFAULT_CA_NAME = "Certification Authority";
     private static final String DEFAULT_PROFILE = CaMode.RA.getProfile();
+    private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC = new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
 
     public CmpClientImpl(CloseableHttpClient httpClient) {
         this.httpClient = httpClient;
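Review bot: PASSWORD_BASED_MAC in the second hunk re-types the OID 1.2.840.113533.7.66.13 as a string literal although BouncyCastle already exposes exactly this identifier as `CMPObjectIdentifiers.passwordBasedMac` in org.bouncycastle.asn1.cmp; reusing the library constant removes the chance of a mistyped digit in an algorithm check and makes the field self-documenting. Suggested line: `private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC = CMPObjectIdentifiers.passwordBasedMac;`. The ASN1ObjectIdentifier import added in the first hunk is still needed for the field type, and an import of CMPObjectIdentifiers would be added next to the other org.bouncycastle.asn1.cmp imports.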
@@ -112,7 +114,18 @@ public class CmpClientImpl implements CmpClient {
         final PKIHeader header = respPkiMessage.getHeader();
         final AlgorithmIdentifier protectionAlgo = header.getProtectionAlg();
         verifySignatureWithPublicKey(respPkiMessage, publicKey);
-        verifyProtectionWithProtectionAlgo(respPkiMessage, initAuthPassword, header, protectionAlgo);
+        if (isPasswordBasedMacAlgorithm(protectionAlgo)) {
+            LOG.info("CMP response is protected by Password Base Mac Algorithm. Attempt to verify protection");
+            verifyPasswordBasedMacProtection(respPkiMessage, initAuthPassword, header, protectionAlgo);
+        }
+    }
+
+    private boolean isPasswordBasedMacAlgorithm(AlgorithmIdentifier protectionAlgo) throws CmpClientException {
+        if (Objects.isNull(protectionAlgo)) {
+            LOG.error("CMP response does not contain Protection Algorithm field");
+            throw new CmpClientException("CMP response does not contain Protection Algorithm field");
+        }
+        return PASSWORD_BASED_MAC.equals(protectionAlgo.getAlgorithm());
     }
 
     private void verifySignatureWithPublicKey(PKIMessage respPkiMessage, PublicKey publicKey)
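Review bot: When protectionAlgo is present but is not the password-based MAC, the new `if` at the verification call site silently skips both the MAC verification and checkImplicitConfirm(header), which the removed verifyProtectionWithProtectionAlgo performed for every non-null algorithm; the same coupling of the implicit-confirm check to the PBM path appears in verifyPasswordBasedMacProtection in the next hunk. Whether a response with an unrecognised protection algorithm is still acceptable then rests entirely on verifySignatureWithPublicKey, whose body lies outside this hunk, so the non-PBM path should at least be explicit and record which algorithm was seen rather than fall through: `} else { LOG.warn("CMP response protection algorithm {} is not password-based MAC; skipping MAC verification", protectionAlgo.getAlgorithm()); }`. The commit message only describes the missing-PBM case, so the changed handling of signature-protected responses deserves a sentence there or a comment on the branch. The info message on the second added line also garbles the algorithm name; `Password-Based MAC` reads correctly. The signature of the enclosing verification method is outside the hunk.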
@@ -127,22 +140,12 @@ public class CmpClientImpl implements CmpClient {
         }
     }
 
-    private void verifyProtectionWithProtectionAlgo(
-            PKIMessage respPkiMessage,
-            String initAuthPassword,
-            PKIHeader header,
-            AlgorithmIdentifier protectionAlgo)
-            throws CmpClientException {
-        if (Objects.nonNull(protectionAlgo)) {
-            LOG.debug("Verifying PasswordBased Protection of the Response.");
-            verifyPasswordBasedProtection(respPkiMessage, initAuthPassword, protectionAlgo);
-            checkImplicitConfirm(header);
-        } else {
-            LOG.error(
-                    "Protection Algorithm is not available when expecting PBE protected response containing protection algorithm");
-            throw new CmpClientException(
-                    "Protection Algorithm is not available when expecting PBE protected response containing protection algorithm");
-        }
+    private void verifyPasswordBasedMacProtection(PKIMessage respPkiMessage, String initAuthPassword,
+                                                  PKIHeader header, AlgorithmIdentifier protectionAlgo)
+            throws CmpClientException {
+        LOG.debug("Verifying PasswordBased Protection of the Response.");
+        verifyPasswordBasedProtection(respPkiMessage, initAuthPassword, protectionAlgo);
+        checkImplicitConfirm(header);
     }
 
     private Cmpv2CertificationModel checkCmpCertRepMessage(final PKIMessage respPkiMessage)
--
cgit 1.2.3-korg
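Review bot: verifyPasswordBasedMacProtection carries no Javadoc, and because it bundles two distinct checks — the MAC verification and the implicitConfirm header check — a reader of this hunk cannot tell that checkImplicitConfirm now runs only for PBM-protected responses. A short Javadoc on the new method would make the precondition explicit: `/** Verifies the password-based MAC protection of {@code respPkiMessage} using {@code initAuthPassword}, then checks the implicitConfirm header. Callers must already have established that the protection algorithm is PBM. @throws CmpClientException propagated from either check */`. The null-algorithm error that this hunk removes now lives in isPasswordBasedMacAlgorithm in the previous hunk, which the comment could reference so the two halves of the old method are easy to find.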