2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Modifications Copyright (C) 2018 IBM.
8 * ================================================================================
9 * Licensed under the Apache License, Version 2.0 (the "License");
10 * you may not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
13 * http://www.apache.org/licenses/LICENSE-2.0
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS,
17 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 * ============LICENSE_END====================================================
23 package org.onap.aaf.auth.cm.ca;
25 import java.io.FileReader;
26 import java.io.IOException;
27 import java.net.Authenticator;
28 import java.net.MalformedURLException;
29 import java.net.PasswordAuthentication;
31 import java.security.cert.Certificate;
32 import java.security.cert.X509Certificate;
33 import java.util.ArrayList;
34 import java.util.List;
36 import java.util.concurrent.ConcurrentHashMap;
39 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
40 import org.jscep.client.Client;
41 import org.jscep.client.ClientException;
42 import org.jscep.client.EnrollmentResponse;
43 import org.jscep.client.verification.CertificateVerifier;
44 import org.onap.aaf.auth.cm.cert.BCFactory;
45 import org.onap.aaf.auth.cm.cert.CSRMeta;
46 import org.onap.aaf.cadi.Access;
47 import org.onap.aaf.cadi.LocatorException;
48 import org.onap.aaf.cadi.Access.Level;
49 import org.onap.aaf.cadi.Locator.Item;
50 import org.onap.aaf.cadi.configure.CertException;
51 import org.onap.aaf.cadi.locator.HotPeerLocator;
52 import org.onap.aaf.misc.env.Env;
53 import org.onap.aaf.misc.env.TimeTaken;
54 import org.onap.aaf.misc.env.Trans;
55 import org.onap.aaf.misc.env.util.Split;
57 public class JscepCA extends CA {
58 static final String CA_PREFIX = "http://";
59 static final String CA_POSTFIX="/certsrv/mscep_admin/mscep.dll";
61 private static final String MS_PROFILE="1";
62 private static final int MAX_RETRY=3;
63 public static final long INVALIDATE_TIME = 1000*60*10L; // 10 mins
66 private Map<String,X509ChainWithIssuer> mxcwiS;
67 private Map<Client,X509ChainWithIssuer> mxcwiC;
70 private JscepClientLocator clients;
72 public JscepCA(final Access access, final String name, final String env, String [][] params) throws IOException, CertException, LocatorException {
73 super(access, name, env);
74 mxcwiS = new ConcurrentHashMap<>();
75 mxcwiC = new ConcurrentHashMap<>();
77 if (params.length<2) {
78 throw new CertException("No Trust Chain parameters are included");
80 if (params[0].length<2) {
81 throw new CertException("User/Password required for JSCEP");
83 final String id = params[0][0];
84 final String pw = params[0][1];
86 // Set this for NTLM password Microsoft
87 Authenticator.setDefault(new Authenticator() {
88 public PasswordAuthentication getPasswordAuthentication () {
90 return new PasswordAuthentication (id,access.decrypt(pw,true).toCharArray());
91 } catch (IOException e) {
98 StringBuilder urlstr = new StringBuilder();
100 for (int i=1;i<params.length;++i) { // skip first section, which is user/pass
103 urlstr.append(','); // delimiter
105 urlstr.append(params[i][0]);
107 String dir = access.getProperty(CM_PUBLIC_DIR, "");
108 if (!"".equals(dir) && !dir.endsWith("/")) {
112 List<FileReader> frs = new ArrayList<>(params.length-1);
114 for (int j=1; j<params[i].length; ++j) { // first 3 taken up, see above
115 path = !params[i][j].contains("/")?dir+params[i][j]:params[i][j];
116 access.printf(Level.INIT, "Loading a TrustChain Member for %s from %s",name, path);
117 frs.add(new FileReader(path));
119 X509ChainWithIssuer xcwi = new X509ChainWithIssuer(frs);
120 addCaIssuerDN(xcwi.getIssuerDN());
121 mxcwiS.put(params[i][0],xcwi);
123 for (FileReader fr : frs) {
130 clients = new JscepClientLocator(access,urlstr.toString());
133 // package on purpose
136 public X509ChainWithIssuer sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException {
137 TimeTaken tt = trans.start("Generating CSR and Keys for New Certificate", Env.SUB);
138 PKCS10CertificationRequest csr;
140 csr = csrmeta.generateCSR(trans);
141 if (trans.info().isLoggable()) {
142 trans.info().log(BCFactory.toString(csr));
144 if (trans.info().isLoggable()) {
145 trans.info().log(csr);
151 tt = trans.start("Enroll CSR", Env.SUB);
152 Client client = null;
154 for (int i=0; i<MAX_RETRY;++i) {
156 item = clients.best();
157 client = clients.get(item);
159 EnrollmentResponse er = client.enrol(
160 csrmeta.initialConversationCert(trans),
161 csrmeta.keypair(trans).getPrivate(),
163 MS_PROFILE /* profile... MS can't deal with blanks*/);
166 if (er.isSuccess()) {
167 trans.checkpoint("Cert from " + clients.info(item));
168 X509Certificate x509 = null;
169 for ( Certificate cert : er.getCertStore().getCertificates(null)) {
171 x509 = (X509Certificate)cert;
175 X509ChainWithIssuer mxcwi = mxcwiC.get(client);
176 return new X509ChainWithIssuer(mxcwi,x509);
178 } else if (er.isPending()) {
179 trans.checkpoint("Polling, waiting on CA to complete");
181 } else if (er.isFailure()) {
182 throw new CertException(clients.info(item)+':'+er.getFailInfo().toString());
185 } catch (LocatorException e) {
186 trans.error().log(e);
188 } catch (ClientException e) {
189 trans.error().log(e,"SCEP Client Error, Temporarily Invalidating Client: " + clients.info(item));
191 clients.invalidate(client);
192 if (!clients.hasItems()) {
195 } catch (LocatorException e1) {
196 trans.error().log(e,clients.info(item));
197 i=MAX_RETRY; // can't go any further
199 } catch (Exception e) {
200 trans.error().log(e);
211 * Locator specifically for Jscep Clients.
213 * Class based client for access to common Map
215 private class JscepClientLocator extends HotPeerLocator<Client> {
217 protected JscepClientLocator(Access access, String urlstr)throws LocatorException {
218 super(access, urlstr, JscepCA.INVALIDATE_TIME,
219 access.getProperty("cadi_latitude","39.833333"), //Note: Defaulting to GEO center of US
220 access.getProperty("cadi_longitude","-98.583333")
225 protected Client _newClient(String urlinfo) throws LocatorException {
227 String[] info = Split.split('/', urlinfo);
228 Client c = new Client(new URL(JscepCA.CA_PREFIX + info[0] + JscepCA.CA_POSTFIX),
229 new CertificateVerifier() {
231 public boolean verify(X509Certificate cert) {
237 // Map URL to Client, because Client doesn't expose Connection
238 mxcwiC.put(c, mxcwiS.get(urlinfo));
240 } catch (MalformedURLException e) {
241 throw new LocatorException(e);
246 protected Client _invalidate(Client client) {
251 protected void _destroy(Client client) {
252 mxcwiC.remove(client);