From d43531d4072653b86cc86459816e54806ad589c2 Mon Sep 17 00:00:00 2001 From: Bartosz Gardziejewski Date: Thu, 27 Feb 2020 10:26:32 +0100 Subject: Create adapter for Cmpv2Client connected-with: https://gerrit.onap.org/r/c/aaf/certservice/+/102401 Issue-ID: AAF-997 Signed-off-by: Bartosz Gardziejewski Signed-off-by: Tomasz Golabek Change-Id: Ieb85cd9c93f7a5470fca37a9de4bead3c543199a --- .../certservice/api/CertificationController.java | 18 ++-- .../CertificationExceptionController.java | 40 ++++++- .../certification/CertificationModelFactory.java | 40 ++++--- .../certification/CertificationProvider.java | 47 ++++++++ .../certservice/certification/CsrModelFactory.java | 10 ++ .../certification/adapter/CSRMetaBuilder.java | 87 +++++++++++++++ .../adapter/CertificateFactoryProvider.java | 42 ++++++++ .../certification/adapter/Cmpv2ClientAdapter.java | 120 +++++++++++++++++++++ .../adapter/RSAContentSignerBuilder.java | 45 ++++++++ .../adapter/X509CertificateBuilder.java | 56 ++++++++++ .../configuration/CmpClientConfig.java | 49 +++++++++ .../configuration/Cmpv2ServerProvider.java | 11 +- .../certification/configuration/model/CaMode.java | 12 ++- .../exception/Cmpv2ClientAdapterException.java | 28 +++++ .../certservice/certification/model/CsrModel.java | 44 ++++---- .../certservice/cmpv2client/external/CSRMeta.java | 8 ++ .../aaf/certservice/cmpv2client/external/RDN.java | 1 + .../main/resources/scripts/ejbca-configuration.sh | 2 + 18 files changed, 602 insertions(+), 58 deletions(-) create mode 100644 certService/src/main/java/org/onap/aaf/certservice/certification/CertificationProvider.java create mode 100644 certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilder.java create mode 100644 certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CertificateFactoryProvider.java create mode 100644 certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java create mode 100644 certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RSAContentSignerBuilder.java create mode 100644 certService/src/main/java/org/onap/aaf/certservice/certification/adapter/X509CertificateBuilder.java create mode 100644 certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java create mode 100644 certService/src/main/java/org/onap/aaf/certservice/certification/exception/Cmpv2ClientAdapterException.java (limited to 'certService/src/main') diff --git a/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java b/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java index e663909c..abb6811b 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java +++ b/certService/src/main/java/org/onap/aaf/certservice/api/CertificationController.java @@ -24,9 +24,13 @@ import com.google.gson.Gson; import org.onap.aaf.certservice.certification.CertificationModelFactory; import org.onap.aaf.certservice.certification.CsrModelFactory; import org.onap.aaf.certservice.certification.CsrModelFactory.StringBase64; +import org.onap.aaf.certservice.certification.configuration.Cmpv2ServerProvider; +import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; import org.onap.aaf.certservice.certification.exception.DecryptionException; import org.onap.aaf.certservice.certification.model.CertificationModel; import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -43,12 +47,10 @@ public class CertificationController { private static final Logger LOGGER = LoggerFactory.getLogger(CertificationController.class); - private final CsrModelFactory csrModelFactory; private final CertificationModelFactory certificationModelFactory; @Autowired - CertificationController(CsrModelFactory csrModelFactory, CertificationModelFactory certificationModelFactory) { - this.csrModelFactory = csrModelFactory; + CertificationController(CertificationModelFactory certificationModelFactory) { this.certificationModelFactory = certificationModelFactory; } @@ -66,17 +68,11 @@ public class CertificationController { @PathVariable String caName, @RequestHeader("CSR") String encodedCsr, @RequestHeader("PK") String encodedPrivateKey - ) throws DecryptionException { - + ) throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException { caName = caName.replaceAll("[\n|\r|\t]", "_"); LOGGER.info("Received certificate signing request for CA named: {}", caName); - CsrModel csrModel = csrModelFactory.createCsrModel( - new StringBase64(encodedCsr), - new StringBase64(encodedPrivateKey) - ); - LOGGER.debug("Received CSR meta data: \n{}", csrModel); CertificationModel certificationModel = certificationModelFactory - .createCertificationModel(csrModel, caName); + .createCertificationModel(encodedCsr, encodedPrivateKey, caName); return new ResponseEntity<>(new Gson().toJson(certificationModel), HttpStatus.OK); } diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationExceptionController.java b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationExceptionController.java index 130a5167..d649f147 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationExceptionController.java +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationExceptionController.java @@ -21,10 +21,12 @@ package org.onap.aaf.certservice.certification; import com.google.gson.Gson; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException; import org.onap.aaf.certservice.certification.exception.CsrDecryptionException; import org.onap.aaf.certservice.certification.exception.ErrorResponseModel; import org.onap.aaf.certservice.certification.exception.KeyDecryptionException; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.http.HttpStatus; @@ -40,19 +42,51 @@ public class CertificationExceptionController { @ExceptionHandler(value = CsrDecryptionException.class) public ResponseEntity handle(CsrDecryptionException exception) { LOGGER.error("Exception occurred during decoding certificate sign request:", exception); - return getErrorResponseEntity("Wrong certificate signing request (CSR) format", HttpStatus.BAD_REQUEST); + return getErrorResponseEntity( + "Wrong certificate signing request (CSR) format", + HttpStatus.BAD_REQUEST + ); } @ExceptionHandler(value = KeyDecryptionException.class) public ResponseEntity handle(KeyDecryptionException exception) { LOGGER.error("Exception occurred during decoding key:", exception); - return getErrorResponseEntity("Wrong key (PK) format", HttpStatus.BAD_REQUEST); + return getErrorResponseEntity( + "Wrong key (PK) format", + HttpStatus.BAD_REQUEST + ); } @ExceptionHandler(value = Cmpv2ServerNotFoundException.class) public ResponseEntity handle(Cmpv2ServerNotFoundException exception) { LOGGER.error("Exception occurred selecting CMPv2 server:", exception); - return getErrorResponseEntity("Certification authority not found for given CAName", HttpStatus.NOT_FOUND); + return getErrorResponseEntity( + "Certification authority not found for given CAName", + HttpStatus.NOT_FOUND + ); + } + + @ExceptionHandler(value = CmpClientException.class) + public ResponseEntity handle(CmpClientException exception) { + LOGGER.error("Exception occurred calling cmp client:", exception); + return getErrorResponseEntity( + "Exception occurred during call to cmp client", + HttpStatus.INTERNAL_SERVER_ERROR + ); + } + + @ExceptionHandler(value = RuntimeException.class) + public ResponseEntity handle(RuntimeException exception) throws CmpClientException { + throw new CmpClientException("Runtime exception occurred calling cmp client business logic", exception); + } + + @ExceptionHandler(value = Cmpv2ClientAdapterException.class) + public ResponseEntity handle(Cmpv2ClientAdapterException exception) { + LOGGER.error("Exception occurred parsing cmp client response:", exception); + return getErrorResponseEntity( + "Exception occurred parsing cmp client response", + HttpStatus.INTERNAL_SERVER_ERROR + ); } private ResponseEntity getErrorResponseEntity(String errorMessage, HttpStatus status) { diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationModelFactory.java b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationModelFactory.java index 69b83465..1d586c17 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationModelFactory.java +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationModelFactory.java @@ -22,9 +22,12 @@ package org.onap.aaf.certservice.certification; import org.onap.aaf.certservice.certification.configuration.Cmpv2ServerProvider; import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException; +import org.onap.aaf.certservice.certification.exception.DecryptionException; import org.onap.aaf.certservice.certification.model.CertificationModel; import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -42,28 +45,35 @@ public class CertificationModelFactory { private static final Logger LOGGER = LoggerFactory.getLogger(CertificationModelFactory.class); + private final CsrModelFactory csrModelFactory; private final Cmpv2ServerProvider cmpv2ServerProvider; + private final CertificationProvider certificationProvider; @Autowired - CertificationModelFactory(Cmpv2ServerProvider cmpv2ServerProvider) { + CertificationModelFactory( + CsrModelFactory csrModelFactory, + Cmpv2ServerProvider cmpv2ServerProvider, + CertificationProvider certificationProvider + ) { this.cmpv2ServerProvider = cmpv2ServerProvider; + this.csrModelFactory = csrModelFactory; + this.certificationProvider = certificationProvider; } - public CertificationModel createCertificationModel(CsrModel csr, String caName) { - LOGGER.info("Generating certification model for CA named: {}, and certificate signing request:\n{}", - caName, csr); - - return cmpv2ServerProvider - .getCmpv2Server(caName) - .map(this::generateCertificationModel) - .orElseThrow(() -> new Cmpv2ServerNotFoundException("No server found for given CA name")); - } + public CertificationModel createCertificationModel(String encodedCsr, String encodedPrivateKey, String caName) + throws DecryptionException, CmpClientException, Cmpv2ClientAdapterException { + CsrModel csrModel = csrModelFactory.createCsrModel( + new CsrModelFactory.StringBase64(encodedCsr), + new CsrModelFactory.StringBase64(encodedPrivateKey) + ); + LOGGER.debug("Received CSR meta data: \n{}", csrModel); - private CertificationModel generateCertificationModel(Cmpv2Server cmpv2Server) { + Cmpv2Server cmpv2Server = cmpv2ServerProvider.getCmpv2Server(caName); LOGGER.debug("Found server for given CA name: \n{}", cmpv2Server); - return new CertificationModel( - Arrays.asList(ENTITY_CERT, INTERMEDIATE_CERT), - Arrays.asList(CA_CERT, EXTRA_CA_CERT) - ); + + LOGGER.info("Sending sign request for certification model for CA named: {}, and certificate signing request:\n{}", + caName, csrModel); + return certificationProvider.signCsr(csrModel, cmpv2Server); } + } diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationProvider.java b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationProvider.java new file mode 100644 index 00000000..fa2d88ab --- /dev/null +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/CertificationProvider.java @@ -0,0 +1,47 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.certification; + +import org.onap.aaf.certservice.certification.adapter.Cmpv2ClientAdapter; +import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; +import org.onap.aaf.certservice.certification.model.CertificationModel; +import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +@Service +public class CertificationProvider { + + private final Cmpv2ClientAdapter cmpv2ClientAdapter; + + @Autowired + public CertificationProvider(Cmpv2ClientAdapter cmpv2ClientAdapter) { + this.cmpv2ClientAdapter = cmpv2ClientAdapter; + } + + CertificationModel signCsr(CsrModel csrModel, Cmpv2Server server) + throws CmpClientException, Cmpv2ClientAdapterException { + return cmpv2ClientAdapter.callCmpClient(csrModel, server); + } + +} diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java b/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java index 6f356c1a..9ce65e6a 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/CsrModelFactory.java @@ -21,6 +21,7 @@ package org.onap.aaf.certservice.certification; import java.util.Base64; +import java.util.Objects; import java.util.Optional; import org.bouncycastle.pkcs.PKCS10CertificationRequest; @@ -89,6 +90,15 @@ public class CsrModelFactory { return Optional.empty(); } } + + @Override + public boolean equals(Object o) { + if (this == o) return true; + if (o == null || getClass() != o.getClass()) return false; + StringBase64 that = (StringBase64) o; + return Objects.equals(value, that.value); + } + } } diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilder.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilder.java new file mode 100644 index 00000000..184d724a --- /dev/null +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CSRMetaBuilder.java @@ -0,0 +1,87 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.certification.adapter; + +import java.security.KeyPair; +import java.util.Arrays; +import java.util.Objects; +import java.util.Optional; +import java.util.stream.Collectors; +import org.bouncycastle.asn1.x500.style.BCStyle; +import org.bouncycastle.asn1.x500.style.IETFUtils; +import org.bouncycastle.cert.CertException; +import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.external.CSRMeta; +import org.onap.aaf.certservice.cmpv2client.external.RDN; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.stereotype.Component; + +@Component +class CSRMetaBuilder { + + private static final Logger LOGGER = LoggerFactory.getLogger(CSRMetaBuilder.class); + + /** + * Creates CSRMeta from CsrModel and Cmpv2Server + * + * @param csrModel Certificate Signing Request from Service external API + * @param server Cmp Server configuration from cmpServers.json + * @return AAF native model for CSR metadata + */ + CSRMeta build(CsrModel csrModel, Cmpv2Server server) { + CSRMeta csrMeta = createCsrMeta(csrModel); + addSans(csrModel, csrMeta); + csrMeta.keyPair(new KeyPair(csrModel.getPublicKey(), csrModel.getPrivateKey())); + csrMeta.password(server.getAuthentication().getIak()); + csrMeta.setIssuerName(server.getIssuerDN()); + csrMeta.caUrl(server.getUrl()); + csrMeta.setName(csrModel.getSubjectData()); + csrMeta.senderKid(server.getAuthentication().getRv()); + return csrMeta; + } + + private CSRMeta createCsrMeta(CsrModel csrModel) { + return new CSRMeta((Arrays.stream(csrModel.getSubjectData().getRDNs()).map(this::convertFromBcRDN) + .filter(Optional::isPresent).map(Optional::get).collect(Collectors.toList()))); + } + + private void addSans(CsrModel csrModel, CSRMeta csrMeta) { + csrModel.getSans().forEach(csrMeta::san); + } + + private String convertRDNToString(org.bouncycastle.asn1.x500.RDN rdn) { + return BCStyle.INSTANCE.oidToDisplayName(rdn.getFirst().getType()) + "=" + IETFUtils.valueToString( + rdn.getFirst().getValue()); + } + + private Optional convertFromBcRDN(org.bouncycastle.asn1.x500.RDN rdn) { + RDN result = null; + try { + result = new RDN(convertRDNToString(rdn)); + } catch (CertException e) { + LOGGER.error("Exception occurred during convert of RDN", e); + } + return Optional.ofNullable(result); + } + +} diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CertificateFactoryProvider.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CertificateFactoryProvider.java new file mode 100644 index 00000000..79f59363 --- /dev/null +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/CertificateFactoryProvider.java @@ -0,0 +1,42 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.certification.adapter; + +import java.io.InputStream; +import java.security.NoSuchProviderException; +import java.security.Security; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.springframework.stereotype.Component; + +@Component +public class CertificateFactoryProvider { + + static { + Security.addProvider(new BouncyCastleProvider()); + } + + X509Certificate generateCertificate(InputStream inStream) throws CertificateException, NoSuchProviderException { + return (X509Certificate) CertificateFactory.getInstance("X.509", "BC").generateCertificate(inStream); + } +} diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java new file mode 100644 index 00000000..be39f1f3 --- /dev/null +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/Cmpv2ClientAdapter.java @@ -0,0 +1,120 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.certification.adapter; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.StringWriter; +import java.security.NoSuchProviderException; +import java.security.PrivateKey; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.List; +import java.util.stream.Collectors; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cert.X509v3CertificateBuilder; +import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.bouncycastle.util.io.pem.PemObjectGenerator; +import org.bouncycastle.util.io.pem.PemWriter; +import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.exception.Cmpv2ClientAdapterException; +import org.onap.aaf.certservice.certification.model.CertificationModel; +import org.onap.aaf.certservice.certification.model.CsrModel; +import org.onap.aaf.certservice.cmpv2client.api.CmpClient; +import org.onap.aaf.certservice.cmpv2client.exceptions.CmpClientException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +@Component +public class Cmpv2ClientAdapter { + + private static final Logger LOGGER = LoggerFactory.getLogger(Cmpv2ClientAdapter.class); + + private final CmpClient cmpClient; + private final CSRMetaBuilder csrMetaBuilder; + private final RSAContentSignerBuilder rsaContentSignerBuilder; + private final X509CertificateBuilder x509CertificateBuilder; + private final CertificateFactoryProvider certificateFactoryProvider; + + @Autowired + public Cmpv2ClientAdapter(CmpClient cmpClient, CSRMetaBuilder csrMetaBuilder, + RSAContentSignerBuilder rsaContentSignerBuilder, X509CertificateBuilder x509CertificateBuilder, + CertificateFactoryProvider certificateFactoryProvider) { + this.cmpClient = cmpClient; + this.csrMetaBuilder = csrMetaBuilder; + this.rsaContentSignerBuilder = rsaContentSignerBuilder; + this.x509CertificateBuilder = x509CertificateBuilder; + this.certificateFactoryProvider = certificateFactoryProvider; + } + + /** + * Uses CmpClient to call to Cmp Server and gather certificates data + * + * @param csrModel Certificate Signing Request from Service external API + * @param server Cmp Server configuration from cmpServers.json + * @return container for returned certificates + * @throws CmpClientException Exceptions which comes from Cmp Client + * @throws Cmpv2ClientAdapterException Exceptions which comes from Adapter itself + */ + public CertificationModel callCmpClient(CsrModel csrModel, Cmpv2Server server) + throws CmpClientException, Cmpv2ClientAdapterException { + List> certificates = cmpClient.createCertificate(server.getCaName(), + server.getCaMode().getProfile(), csrMetaBuilder.build(csrModel, server), + convertCSRToX509Certificate(csrModel.getCsr(), csrModel.getPrivateKey())); + return new CertificationModel(convertFromX509CertificateListToPEMList(certificates.get(0)), + convertFromX509CertificateListToPEMList(certificates.get(1))); + } + + private String convertFromX509CertificateToPEM(X509Certificate certificate) { + StringWriter sw = new StringWriter(); + try (PemWriter pw = new PemWriter(sw)) { + PemObjectGenerator gen = new JcaMiscPEMGenerator(certificate); + pw.writeObject(gen); + } catch (IOException e) { + LOGGER.error("Exception occurred during convert of X509 certificate", e); + } + return sw.toString(); + } + + private X509Certificate convertCSRToX509Certificate(PKCS10CertificationRequest csr, PrivateKey privateKey) + throws Cmpv2ClientAdapterException { + try { + X509v3CertificateBuilder certificateGenerator = x509CertificateBuilder.build(csr); + ContentSigner signer = rsaContentSignerBuilder.build(csr, privateKey); + X509CertificateHolder holder = certificateGenerator.build(signer); + return certificateFactoryProvider + .generateCertificate(new ByteArrayInputStream(holder.toASN1Structure().getEncoded())); + } catch (IOException | CertificateException | OperatorCreationException | NoSuchProviderException e) { + throw new Cmpv2ClientAdapterException(e); + } + } + + private List convertFromX509CertificateListToPEMList(List certificates) { + return certificates.stream().map(this::convertFromX509CertificateToPEM).filter(cert -> !cert.isEmpty()) + .collect(Collectors.toList()); + } + +} diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RSAContentSignerBuilder.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RSAContentSignerBuilder.java new file mode 100644 index 00000000..266c22e2 --- /dev/null +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/RSAContentSignerBuilder.java @@ -0,0 +1,45 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aaf.certservice.certification.adapter; + +import java.io.IOException; +import java.security.PrivateKey; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.crypto.util.PrivateKeyFactory; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.springframework.stereotype.Component; + +@Component +public class RSAContentSignerBuilder { + + ContentSigner build(PKCS10CertificationRequest csr, PrivateKey privateKey) + throws IOException, OperatorCreationException { + AlgorithmIdentifier sigAlgId = csr.getSignatureAlgorithm(); + AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); + + return new BcRSAContentSignerBuilder(sigAlgId, digAlgId) + .build(PrivateKeyFactory.createKey(privateKey.getEncoded())); + } + +} diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/X509CertificateBuilder.java b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/X509CertificateBuilder.java new file mode 100644 index 00000000..f96cec8e --- /dev/null +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/adapter/X509CertificateBuilder.java @@ -0,0 +1,56 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.certification.adapter; + +import java.io.IOException; +import java.math.BigInteger; +import java.security.SecureRandom; +import java.time.LocalDateTime; +import java.time.ZoneOffset; +import java.util.Date; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; +import org.bouncycastle.cert.X509v3CertificateBuilder; +import org.bouncycastle.pkcs.PKCS10CertificationRequest; +import org.springframework.stereotype.Component; + +@Component +public class X509CertificateBuilder { + + private static final int SECURE_NEXT_BYTES = 16; + private static final int VALID_PERIOD_IN_DAYS = 365; + + X509v3CertificateBuilder build(PKCS10CertificationRequest csr) throws IOException { + return new X509v3CertificateBuilder(csr.getSubject(), createSerial(), + Date.from(LocalDateTime.now().toInstant(ZoneOffset.UTC)), + Date.from(LocalDateTime.now().plusDays(VALID_PERIOD_IN_DAYS).toInstant(ZoneOffset.UTC)), + new PKCS10CertificationRequest(csr.getEncoded()).getSubject(), + SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(csr.getSubjectPublicKeyInfo().getEncoded()))); + + } + + private BigInteger createSerial() { + byte[] serial = new byte[SECURE_NEXT_BYTES]; + new SecureRandom().nextBytes(serial); + return new BigInteger(serial).abs(); + } + +} diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java new file mode 100644 index 00000000..21b873e6 --- /dev/null +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/CmpClientConfig.java @@ -0,0 +1,49 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ +package org.onap.aaf.certservice.certification.configuration; + +import org.apache.http.impl.client.CloseableHttpClient; +import org.apache.http.impl.client.HttpClientBuilder; +import org.onap.aaf.certservice.cmpv2client.api.CmpClient; +import org.onap.aaf.certservice.cmpv2client.impl.CmpClientImpl; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.web.context.annotation.RequestScope; + +@Configuration +public class CmpClientConfig { + + @Bean + CmpClient cmpClient(CloseableHttpClient closeableHttpClient){ + return new CmpClientImpl(closeableHttpClient); + } + + @Bean + @RequestScope + CloseableHttpClient closeableHttpClient(HttpClientBuilder httpClientBuilder){ + return httpClientBuilder.build(); + } + + @Bean + HttpClientBuilder httpClientBuilder(){ + return HttpClientBuilder.create(); + } + +} diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProvider.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProvider.java index 755bfeb0..190bb28a 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProvider.java +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/Cmpv2ServerProvider.java @@ -21,11 +21,10 @@ package org.onap.aaf.certservice.certification.configuration; import org.onap.aaf.certservice.certification.configuration.model.Cmpv2Server; +import org.onap.aaf.certservice.certification.exception.Cmpv2ServerNotFoundException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; -import java.util.Optional; - @Component public class Cmpv2ServerProvider { @@ -36,11 +35,9 @@ public class Cmpv2ServerProvider { this.cmpServersConfig = cmpServersConfig; } - public Optional getCmpv2Server(String caName) { - return cmpServersConfig.getCmpServers() - .stream() - .filter(server -> server.getCaName().equals(caName)) - .findFirst(); + public Cmpv2Server getCmpv2Server(String caName) { + return cmpServersConfig.getCmpServers().stream().filter(server -> server.getCaName().equals(caName)).findFirst() + .orElseThrow(() -> new Cmpv2ServerNotFoundException("No server found for given CA name")); } } diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java index f226bc58..2186b6ff 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/configuration/model/CaMode.java @@ -21,5 +21,15 @@ package org.onap.aaf.certservice.certification.configuration.model; public enum CaMode { - RA, CLIENT + RA("RA"), CLIENT("Client"); + + private String profile; + + CaMode(String profile) { + this.profile = profile; + } + + public String getProfile(){ + return profile; + } } diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/exception/Cmpv2ClientAdapterException.java b/certService/src/main/java/org/onap/aaf/certservice/certification/exception/Cmpv2ClientAdapterException.java new file mode 100644 index 00000000..1b26da7b --- /dev/null +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/exception/Cmpv2ClientAdapterException.java @@ -0,0 +1,28 @@ +/* + * ============LICENSE_START======================================================= + * Cert Service + * ================================================================================ + * Copyright (C) 2020 Nokia. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ + +package org.onap.aaf.certservice.certification.exception; + +public class Cmpv2ClientAdapterException extends Exception { + + public Cmpv2ClientAdapterException(Throwable cause) { + super(cause); + } +} diff --git a/certService/src/main/java/org/onap/aaf/certservice/certification/model/CsrModel.java b/certService/src/main/java/org/onap/aaf/certservice/certification/model/CsrModel.java index b59f4e3a..a29658f4 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/certification/model/CsrModel.java +++ b/certService/src/main/java/org/onap/aaf/certservice/certification/model/CsrModel.java @@ -29,6 +29,7 @@ import java.security.spec.InvalidKeySpecException; import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; import java.util.Arrays; +import java.util.Collections; import java.util.List; import java.util.Objects; import java.util.stream.Collectors; @@ -54,9 +55,8 @@ public class CsrModel { private final PublicKey publicKey; private final List sans; - CsrModel( - PKCS10CertificationRequest csr, X500Name subjectData, - PrivateKey privateKey, PublicKey publicKey, List sans) { + CsrModel(PKCS10CertificationRequest csr, X500Name subjectData, PrivateKey privateKey, PublicKey publicKey, + List sans) { this.csr = csr; this.subjectData = subjectData; this.privateKey = privateKey; @@ -86,8 +86,7 @@ public class CsrModel { @Override public String toString() { - return "Subject: { " + subjectData - + " ,SANs: " + sans + " }"; + return "Subject: { " + subjectData + " ,SANs: " + sans + " }"; } public static class CsrModelBuilder { @@ -95,9 +94,7 @@ public class CsrModel { private final PKCS10CertificationRequest csr; private final PemObject privateKey; - public CsrModel build() - throws DecryptionException - { + public CsrModel build() throws DecryptionException { X500Name subjectData = getSubjectData(); PrivateKey javaPrivateKey = convertingPemPrivateKeyToJavaSecurityPrivateKey(getPrivateKey()); @@ -129,20 +126,26 @@ public class CsrModel { } private List getSansData() { - Extensions extensions = - Extensions.getInstance(csr.getAttributes()[0].getAttrValues().getObjectAt(0)); - GeneralName[] arrayOfAlternativeNames = - GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName).getNames(); - - return Arrays.stream(arrayOfAlternativeNames) - .map(GeneralName::getName) - .map(Objects::toString) - .collect(Collectors.toList()); + if (!isAttrsEmpty() && !isAttrsValuesEmpty()) { + Extensions extensions = Extensions.getInstance(csr.getAttributes()[0].getAttrValues().getObjectAt(0)); + GeneralName[] arrayOfAlternativeNames = + GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName).getNames(); + return Arrays.stream(arrayOfAlternativeNames).map(GeneralName::getName).map(Objects::toString) + .collect(Collectors.toList()); + } + return Collections.emptyList(); + } + + private boolean isAttrsValuesEmpty() { + return csr.getAttributes()[0].getAttrValues().size() == 0; + } + + private boolean isAttrsEmpty() { + return csr.getAttributes().length == 0; } private PrivateKey convertingPemPrivateKeyToJavaSecurityPrivateKey(PemObject privateKey) - throws KeyDecryptionException - { + throws KeyDecryptionException { try { KeyFactory factory = KeyFactory.getInstance("RSA"); PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKey.getContent()); @@ -153,8 +156,7 @@ public class CsrModel { } private PublicKey convertingPemPublicKeyToJavaSecurityPublicKey(PemObject publicKey) - throws KeyDecryptionException - { + throws KeyDecryptionException { try { KeyFactory factory = KeyFactory.getInstance("RSA"); X509EncodedKeySpec keySpec = new X509EncodedKeySpec(publicKey.getContent()); diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java index e9f7a483..de11b5bb 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java +++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/CSRMeta.java @@ -207,4 +207,12 @@ public class CSRMeta { public void issuerEmail(String issuerEmail) { this.issuerEmail = issuerEmail; } + + public void setIssuerName(X500Name issuerName) { + this.issuerName = issuerName; + } + + public void setName(X500Name name) { + this.name = name; + } } diff --git a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java index 512a76e1..69445b2e 100644 --- a/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java +++ b/certService/src/main/java/org/onap/aaf/certservice/cmpv2client/external/RDN.java @@ -75,6 +75,7 @@ public class RDN { break; // surname case "email": case "EMAIL": + case "E": case "emailaddress": case "EMAILADDRESS": aoi = BCStyle.EmailAddress; diff --git a/certService/src/main/resources/scripts/ejbca-configuration.sh b/certService/src/main/resources/scripts/ejbca-configuration.sh index cdff77de..705f40ca 100755 --- a/certService/src/main/resources/scripts/ejbca-configuration.sh +++ b/certService/src/main/resources/scripts/ejbca-configuration.sh @@ -8,9 +8,11 @@ configureEjbca() { ejbca.sh config cmp addalias --alias cmpRA ejbca.sh config cmp updatealias --alias cmpRA --key operationmode --value ra ejbca.sh ca editca --caname ManagementCA --field cmpRaAuthSecret --value mypassword + ejbca.sh config cmp updatealias --alias cmpRA --key responseprotection --value pbe ejbca.sh config cmp dumpalias --alias cmpRA ejbca.sh config cmp addalias --alias cmp ejbca.sh config cmp updatealias --alias cmp --key allowautomatickeyupdate --value true + ejbca.sh config cmp updatealias --alias cmp --key responseprotection --value pbe ejbca.sh ra addendentity --username Node123 --dn "CN=Node123" --caname ManagementCA --password mypassword --type 1 --token USERGENERATED ejbca.sh ra setclearpwd --username Node123 --password mypassword ejbca.sh config cmp updatealias --alias cmp --key extractusernamecomponent --value CN -- cgit 1.2.3-korg