1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * Copyright © 2017 Amdocs
\r
7 * * ===========================================================================
\r
8 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
9 * * you may not use this file except in compliance with the License.
\r
10 * * You may obtain a copy of the License at
\r
12 * * http://www.apache.org/licenses/LICENSE-2.0
\r
14 * * Unless required by applicable law or agreed to in writing, software
\r
15 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
16 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
17 * * See the License for the specific language governing permissions and
\r
18 * * limitations under the License.
\r
19 * * ============LICENSE_END====================================================
\r
21 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
23 ******************************************************************************/
\r
24 package com.att.cadi.cm;
\r
26 import java.io.File;
\r
27 import java.security.KeyStore;
\r
28 import java.security.PrivateKey;
\r
29 import java.security.cert.Certificate;
\r
30 import java.security.cert.X509Certificate;
\r
31 import java.util.Collection;
\r
33 import com.att.cadi.CadiException;
\r
34 import com.att.cadi.Symm;
\r
35 import com.att.cadi.config.Config;
\r
36 import com.att.cadi.util.Chmod;
\r
37 import com.att.inno.env.Trans;
\r
39 import certman.v1_0.Artifacts.Artifact;
\r
40 import certman.v1_0.CertInfo;
\r
42 public class PlaceArtifactInKeystore extends ArtifactDir {
\r
44 //TODO get ROOT DNs or Trusted DNs from Certificate Manager.
\r
45 // private static String[] rootDNs = new String[]{
\r
46 // "CN=ATT CADI Root CA - Test, O=ATT, OU=CSO, C=US", // Lab. delete eventually
\r
47 // "CN=ATT AAF CADI TEST CA, OU=CSO, O=ATT, C=US",
\r
48 // "CN=ATT AAF CADI CA, OU=CSO, O=ATT, C=US"
\r
51 public PlaceArtifactInKeystore(String kst) {
\r
56 public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
\r
57 File fks = new File(dir,arti.getAppName()+'.'+kst);
\r
59 KeyStore jks = KeyStore.getInstance(kst);
\r
64 // Get the Cert(s)... Might include Trust store
\r
65 Collection<? extends Certificate> certColl = Factory.toX509Certificate(certInfo.getCerts());
\r
66 X509Certificate[] certs = new X509Certificate[certColl.size()];
\r
67 certColl.toArray(certs);
\r
70 // Add CADI Keyfile Entry to Properties
\r
71 addProperty(Config.CADI_KEYFILE,arti.getDir()+'/'+arti.getAppName() + ".keyfile");
\r
72 // Set Keystore Password
\r
73 addProperty(Config.CADI_KEYSTORE,fks.getAbsolutePath());
\r
74 String keystorePass = Symm.randomGen(CmAgent.PASS_SIZE);
\r
75 addEncProperty(Config.CADI_KEYSTORE_PASSWORD,keystorePass);
\r
76 char[] keystorePassArray = keystorePass.toCharArray();
\r
77 jks.load(null,keystorePassArray); // load in
\r
79 // Add Private Key/Cert Entry for App
\r
80 // Note: Java SSL security classes, while having a separate key from keystore,
\r
81 // is documented to not actually work.
\r
82 // java.security.UnrecoverableKeyException: Cannot recover key
\r
83 // You can create a custom Key Manager to make it work, but Practicality
\r
84 // dictates that you live with the default, meaning, they are the same
\r
85 String keyPass = keystorePass; //Symm.randomGen(CmAgent.PASS_SIZE);
\r
86 PrivateKey pk = Factory.toPrivateKey(trans, certInfo.getPrivatekey());
\r
87 addEncProperty(Config.CADI_KEY_PASSWORD, keyPass);
\r
88 addProperty(Config.CADI_ALIAS, arti.getMechid());
\r
89 // Set<Attribute> attribs = new HashSet<Attribute>();
\r
90 // if(kst.equals("pkcs12")) {
\r
92 // attribs.add(new PKCS12Attribute("1.2.840.113549.1.9.20", arti.getAppName()));
\r
95 KeyStore.ProtectionParameter protParam =
\r
96 new KeyStore.PasswordProtection(keyPass.toCharArray());
\r
98 KeyStore.PrivateKeyEntry pkEntry =
\r
99 new KeyStore.PrivateKeyEntry(pk, new Certificate[] {certs[0]});
\r
100 jks.setEntry(arti.getMechid(),
\r
101 pkEntry, protParam);
\r
104 write(fks,Chmod.to400,jks,keystorePassArray);
\r
106 // Change out to TrustStore
\r
107 fks = new File(dir,arti.getAppName()+".trust."+kst);
\r
108 jks = KeyStore.getInstance(kst);
\r
110 // Set Truststore Password
\r
111 addProperty(Config.CADI_TRUSTSTORE,fks.getAbsolutePath());
\r
112 String trustStorePass = Symm.randomGen(CmAgent.PASS_SIZE);
\r
113 addEncProperty(Config.CADI_TRUSTSTORE_PASSWORD,trustStorePass);
\r
114 char[] truststorePassArray = trustStorePass.toCharArray();
\r
115 jks.load(null,truststorePassArray); // load in
\r
117 // Add Trusted Certificates
\r
118 for(int i=1; i<certs.length;++i) {
\r
119 jks.setCertificateEntry("cadi_root_" + arti.getCa() + '_' + i, certs[i]);
\r
122 write(fks,Chmod.to644,jks,truststorePassArray);
\r
124 } catch (Exception e) {
\r
125 throw new CadiException(e);
\r