[AAF-21] Initial code import
1 /*******************************************************************************\r
2  * ============LICENSE_START====================================================\r
3  * * org.onap.aai\r
4  * * ===========================================================================\r
5  * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
6  * * Copyright © 2017 Amdocs\r
7  * * ===========================================================================\r
8  * * Licensed under the Apache License, Version 2.0 (the "License");\r
9  * * you may not use this file except in compliance with the License.\r
10  * * You may obtain a copy of the License at\r
11  * * \r
12  *  *      http://www.apache.org/licenses/LICENSE-2.0\r
13  * * \r
14  *  * Unless required by applicable law or agreed to in writing, software\r
15  * * distributed under the License is distributed on an "AS IS" BASIS,\r
16  * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
17  * * See the License for the specific language governing permissions and\r
18  * * limitations under the License.\r
19  * * ============LICENSE_END====================================================\r
20  * *\r
21  * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
22  * *\r
23  ******************************************************************************/\r
24 package com.att.cadi.cm;\r
25 \r
import java.io.File;
import java.io.IOException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;

import com.att.cadi.CadiException;
import com.att.cadi.Symm;
import com.att.cadi.config.Config;
import com.att.cadi.util.Chmod;
import com.att.inno.env.Trans;

import certman.v1_0.Artifacts.Artifact;
import certman.v1_0.CertInfo;
41 \r
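/**
 * Places a Certificate Manager artifact on disk as two KeyStore files: one holding the
 * application private key plus its own certificate, and a separate trust store holding the
 * remaining certificates of the returned chain. Both files are written with {@code Chmod.to400}
 * and their randomly generated passwords are recorded (encrypted) as CADI properties.
 */
public class PlaceArtifactInKeystore extends ArtifactDir {
	// KeyStore type name passed to KeyStore.getInstance(); also used as the file suffix.
	private final String kst;
	//TODO get ROOT DNs or Trusted DNs from Certificate Manager.
	// Issuer DNs, in the legacy getIssuerDN().toString() format, whose issued
	// "Issuing CA" subjects are published as CADI_X509_ISSUERS.
	private static final String[] rootDNs = new String[]{
			"CN=ATT CADI Root CA - Test, O=ATT, OU=CSO, C=US",
			"CN=ATT AAF CADI CA, OU=CSO, O=ATT, C=US"
	};

	/**
	 * @param kst KeyStore type (handed to {@link KeyStore#getInstance(String)} and used as file suffix)
	 */
	public PlaceArtifactInKeystore(String kst) {
		this.kst = kst;
	}

	/**
	 * Writes {@code <appName>.<kst>} (private key + leaf certificate) and
	 * {@code <appName>.trust.<kst>} (remaining chain certificates) into {@code dir}, and records
	 * the keystore/truststore paths, alias, keyfile path, issuer list and encrypted passwords as
	 * properties.
	 *
	 * @param trans    transaction context passed through to {@code Factory}
	 * @param certInfo certificates and private key returned by the Certificate Manager
	 * @param arti     artifact describing app name, mechid, CA and target directory
	 * @return {@code false} in all cases; how the caller interprets this is defined in {@code ArtifactDir}
	 * @throws CadiException wrapping any failure (I/O, KeyStore, or an empty certificate list)
	 */
	@Override
	public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
		File fks = new File(dir, arti.getAppName() + '.' + kst);
		try {
			KeyStore jks = KeyStore.getInstance(kst);
			deleteExisting(fks);

			// Get the Cert(s)... Might include Trust store
			Collection<? extends Certificate> certColl = Factory.toX509Certificate(trans, certInfo.getCerts());
			Certificate[] certs = certColl.toArray(new Certificate[0]);
			if (certs.length == 0) {
				// certs[0] is used as the application certificate below; fail with a clear
				// message instead of an ArrayIndexOutOfBoundsException (wrapped by the catch below).
				throw new IllegalStateException("No certificates returned for " + arti.getAppName());
			}
			addProperty(Config.CADI_X509_ISSUERS, collectIssuers(certs));

			// Add CADI Keyfile Entry to Properties
			addProperty(Config.CADI_KEYFILE, arti.getDir() + '/' + arti.getAppName() + ".keyfile");
			// Set Keystore Password
			addProperty(Config.CADI_KEYSTORE, fks.getCanonicalPath());
			String keystorePass = Symm.randomGen(CmAgent.PASS_SIZE);
			addEncProperty(Config.CADI_KEYSTORE_PASSWORD, keystorePass);
			char[] keystorePassArray = keystorePass.toCharArray();
			jks.load(null, keystorePassArray); // initialise an empty store

			// Add Private Key/Cert Entry for App
			// Note: Java SSL security classes, while having a separate key password from the
			// keystore password, are documented to not actually work with differing values
			// (java.security.UnrecoverableKeyException: Cannot recover key). A custom
			// KeyManager could make it work, but practicality dictates living with the
			// default, meaning the two passwords are the same.
			String keyPass = keystorePass;
			PrivateKey pk = Factory.toPrivateKey(trans, certInfo.getPrivatekey());
			addEncProperty(Config.CADI_KEY_PASSWORD, keyPass);
			addProperty(Config.CADI_ALIAS, arti.getMechid());

			KeyStore.ProtectionParameter protParam =
					new KeyStore.PasswordProtection(keyPass.toCharArray());
			// Only the leaf certificate goes into the key entry; the rest of the chain is
			// placed in the trust store below.
			KeyStore.PrivateKeyEntry pkEntry =
					new KeyStore.PrivateKeyEntry(pk, new Certificate[] {certs[0]});
			jks.setEntry(arti.getMechid(), pkEntry, protParam);

			// Write out
			write(fks, Chmod.to400, jks, keystorePassArray);

			// Change out to TrustStore
			File fts = new File(dir, arti.getAppName() + ".trust." + kst);
			// write() applies Chmod.to400, so a trust store left by a previous run is likely
			// not writable in place; remove it first, exactly as done for the keystore above.
			deleteExisting(fts);
			KeyStore trust = KeyStore.getInstance(kst);

			// Set Truststore Password
			addProperty(Config.CADI_TRUSTSTORE, fts.getCanonicalPath());
			String trustStorePass = Symm.randomGen(CmAgent.PASS_SIZE);
			addEncProperty(Config.CADI_TRUSTSTORE_PASSWORD, trustStorePass);
			char[] truststorePassArray = trustStorePass.toCharArray();
			trust.load(null, truststorePassArray); // initialise an empty store

			// Add Trusted Certificates (everything after the leaf)
			for (int i = 1; i < certs.length; ++i) {
				trust.setCertificateEntry("cadi_" + arti.getCa() + '_' + i, certs[i]);
			}
			// Write out
			write(fts, Chmod.to400, trust, truststorePassArray);

		} catch (Exception e) {
			throw new CadiException(e);
		}
		return false;
	}

	/**
	 * Removes a file left over from a previous placement so the fresh store can be written.
	 *
	 * @throws IOException if the file exists but cannot be deleted (a silent failure here would
	 *                     surface later as an obscure write error)
	 */
	private static void deleteExisting(File f) throws IOException {
		if (f.exists() && !f.delete()) {
			throw new IOException("Unable to remove existing file " + f.getAbsolutePath());
		}
	}

	/**
	 * Builds the colon-separated CADI_X509_ISSUERS value: the subject DN of every X.509
	 * certificate in {@code certs} that is issued by one of {@link #rootDNs} and whose subject
	 * contains "Issuing CA". Separators are emitted only between appended entries, so the
	 * result never has a leading, trailing or doubled ':'.
	 */
	private static String collectIssuers(Certificate[] certs) {
		StringBuilder issuers = new StringBuilder();
		for (Certificate c : certs) {
			if (!(c instanceof X509Certificate)) {
				continue;
			}
			X509Certificate xc = (X509Certificate) c;
			// rootDNs are written in the format produced by getIssuerDN().toString();
			// switching to getIssuerX500Principal() would change the string form and break the match.
			String issuer = xc.getIssuerDN().toString();
			String subject = xc.getSubjectDN().toString();
			for (String root : rootDNs) {
				if (root.equals(issuer) && subject.contains("Issuing CA")) {
					if (issuers.length() > 0) {
						issuers.append(':');
					}
					issuers.append(subject);
				}
			}
		}
		return issuers.toString();
	}

}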