1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * Copyright © 2017 Amdocs
\r
7 * * ===========================================================================
\r
8 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
9 * * you may not use this file except in compliance with the License.
\r
10 * * You may obtain a copy of the License at
\r
12 * * http://www.apache.org/licenses/LICENSE-2.0
\r
14 * * Unless required by applicable law or agreed to in writing, software
\r
15 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
16 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
17 * * See the License for the specific language governing permissions and
\r
18 * * limitations under the License.
\r
19 * * ============LICENSE_END====================================================
\r
21 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
23 ******************************************************************************/
\r
24 package com.att.cadi.cm;
\r
26 import java.io.File;
\r
27 import java.security.KeyStore;
\r
28 import java.security.PrivateKey;
\r
29 import java.security.cert.Certificate;
\r
30 import java.security.cert.X509Certificate;
\r
31 import java.util.Collection;
\r
33 import com.att.cadi.CadiException;
\r
34 import com.att.cadi.Symm;
\r
35 import com.att.cadi.config.Config;
\r
36 import com.att.cadi.util.Chmod;
\r
37 import com.att.inno.env.Trans;
\r
39 import certman.v1_0.Artifacts.Artifact;
\r
40 import certman.v1_0.CertInfo;
\r
42 public class PlaceArtifactInKeystore extends ArtifactDir {
\r
44 //TODO get ROOT DNs or Trusted DNs from Certificate Manager.
\r
45 private static String[] rootDNs = new String[]{
\r
46 "CN=ATT CADI Root CA - Test, O=ATT, OU=CSO, C=US",
\r
47 "CN=ATT AAF CADI CA, OU=CSO, O=ATT, C=US"
\r
50 public PlaceArtifactInKeystore(String kst) {
\r
55 public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
\r
56 File fks = new File(dir,arti.getAppName()+'.'+kst);
\r
58 KeyStore jks = KeyStore.getInstance(kst);
\r
63 // Get the Cert(s)... Might include Trust store
\r
64 Collection<? extends Certificate> certColl = Factory.toX509Certificate(trans, certInfo.getCerts());
\r
65 Certificate[] certs = new Certificate[certColl.size()];
\r
66 certColl.toArray(certs);
\r
68 boolean first = true;
\r
69 StringBuilder issuers = new StringBuilder();
\r
70 for(Certificate c : certs) {
\r
71 if(c instanceof X509Certificate) {
\r
72 X509Certificate xc = (X509Certificate)c;
\r
73 String issuer = xc.getIssuerDN().toString();
\r
74 for(String root : rootDNs) {
\r
75 if(root.equals(issuer)) {
\r
79 issuers.append(":");
\r
81 if(xc.getSubjectDN().toString().contains("Issuing CA")) {
\r
82 issuers.append(xc.getSubjectDN());
\r
88 addProperty(Config.CADI_X509_ISSUERS,issuers.toString());
\r
90 // Add CADI Keyfile Entry to Properties
\r
91 addProperty(Config.CADI_KEYFILE,arti.getDir()+'/'+arti.getAppName() + ".keyfile");
\r
92 // Set Keystore Password
\r
93 addProperty(Config.CADI_KEYSTORE,fks.getCanonicalPath());
\r
94 String keystorePass = Symm.randomGen(CmAgent.PASS_SIZE);
\r
95 addEncProperty(Config.CADI_KEYSTORE_PASSWORD,keystorePass);
\r
96 char[] keystorePassArray = keystorePass.toCharArray();
\r
97 jks.load(null,keystorePassArray); // load in
\r
99 // Add Private Key/Cert Entry for App
\r
100 // Note: Java SSL security classes, while having a separate key from keystore,
\r
101 // is documented to not actually work.
\r
102 // java.security.UnrecoverableKeyException: Cannot recover key
\r
103 // You can create a custom Key Manager to make it work, but Practicality
\r
104 // dictates that you live with the default, meaning, they are the same
\r
105 String keyPass = keystorePass; //Symm.randomGen(CmAgent.PASS_SIZE);
\r
106 PrivateKey pk = Factory.toPrivateKey(trans, certInfo.getPrivatekey());
\r
107 addEncProperty(Config.CADI_KEY_PASSWORD, keyPass);
\r
108 addProperty(Config.CADI_ALIAS, arti.getMechid());
\r
109 // Set<Attribute> attribs = new HashSet<Attribute>();
\r
110 // if(kst.equals("pkcs12")) {
\r
111 // // Friendly Name
\r
112 // attribs.add(new PKCS12Attribute("1.2.840.113549.1.9.20", arti.getAppName()));
\r
115 KeyStore.ProtectionParameter protParam =
\r
116 new KeyStore.PasswordProtection(keyPass.toCharArray());
\r
118 KeyStore.PrivateKeyEntry pkEntry =
\r
119 new KeyStore.PrivateKeyEntry(pk, new Certificate[] {certs[0]});
\r
120 jks.setEntry(arti.getMechid(),
\r
121 pkEntry, protParam);
\r
124 write(fks,Chmod.to400,jks,keystorePassArray);
\r
126 // Change out to TrustStore
\r
127 fks = new File(dir,arti.getAppName()+".trust."+kst);
\r
128 jks = KeyStore.getInstance(kst);
\r
130 // Set Truststore Password
\r
131 addProperty(Config.CADI_TRUSTSTORE,fks.getCanonicalPath());
\r
132 String trustStorePass = Symm.randomGen(CmAgent.PASS_SIZE);
\r
133 addEncProperty(Config.CADI_TRUSTSTORE_PASSWORD,trustStorePass);
\r
134 char[] truststorePassArray = trustStorePass.toCharArray();
\r
135 jks.load(null,truststorePassArray); // load in
\r
137 // Add Trusted Certificates
\r
138 for(int i=1; i<certs.length;++i) {
\r
139 jks.setCertificateEntry("cadi_" + arti.getCa() + '_' + i, certs[i]);
\r
142 write(fks,Chmod.to400,jks,truststorePassArray);
\r
144 } catch (Exception e) {
\r
145 throw new CadiException(e);
\r