Merge "Fix sonar issues in Mapper1_0"
[aaf/authz.git] / auth / auth-certman / src / main / java / org / onap / aaf / auth / cm / ca / JscepCA.java
1 /**
2  * ============LICENSE_START====================================================
3  * org.onap.aaf
4  * ===========================================================================
5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6  * ===========================================================================
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  * 
11  *      http://www.apache.org/licenses/LICENSE-2.0
12  * 
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  * ============LICENSE_END====================================================
19  *
20  */
21 package org.onap.aaf.auth.cm.ca;
22
23 import java.io.FileReader;
24 import java.io.IOException;
25 import java.net.Authenticator;
26 import java.net.MalformedURLException;
27 import java.net.PasswordAuthentication;
28 import java.net.URL;
29 import java.security.cert.CertStoreException;
30 import java.security.cert.Certificate;
31 import java.security.cert.CertificateException;
32 import java.security.cert.X509Certificate;
33 import java.util.ArrayList;
34 import java.util.List;
35 import java.util.Map;
36 import java.util.concurrent.ConcurrentHashMap;
37
38 import org.bouncycastle.operator.OperatorCreationException;
39 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
40 import org.jscep.client.Client;
41 import org.jscep.client.ClientException;
42 import org.jscep.client.EnrollmentResponse;
43 import org.jscep.client.verification.CertificateVerifier;
44 import org.jscep.transaction.TransactionException;
45 import org.onap.aaf.auth.cm.cert.BCFactory;
46 import org.onap.aaf.auth.cm.cert.CSRMeta;
47 import org.onap.aaf.cadi.Access;
48 import org.onap.aaf.cadi.LocatorException;
49 import org.onap.aaf.cadi.Access.Level;
50 import org.onap.aaf.cadi.Locator.Item;
51 import org.onap.aaf.cadi.cm.CertException;
52 import org.onap.aaf.cadi.locator.HotPeerLocator;
53 import org.onap.aaf.misc.env.Env;
54 import org.onap.aaf.misc.env.TimeTaken;
55 import org.onap.aaf.misc.env.Trans;
56 import org.onap.aaf.misc.env.util.Split;
57
58 public class JscepCA extends CA {
59         static final String CA_PREFIX = "http://";
60         static final String CA_POSTFIX="/certsrv/mscep_admin/mscep.dll";
61
62         private static final String MS_PROFILE="1";
63         private static final int MAX_RETRY=3;
64         public static final long INVALIDATE_TIME = 1000*60*10L; // 10 mins
65
66         // package on purpose
67         private Map<String,X509ChainWithIssuer> mxcwiS;
68         private Map<Client,X509ChainWithIssuer> mxcwiC;
69
70
71         private JscepClientLocator clients;
72
73         public JscepCA(final Access access, final String name, final String env, String [][] params) throws IOException, CertException, LocatorException {
74                 super(access, name, env);
75                 mxcwiS = new ConcurrentHashMap<>();
76                 mxcwiC = new ConcurrentHashMap<>();
77                 
78                 if(params.length<2) {
79                         throw new CertException("No Trust Chain parameters are included");
80                 } 
81                 if(params[0].length<2) {
82                         throw new CertException("User/Password required for JSCEP");
83                 }
84                 final String id = params[0][0];
85                 final String pw = params[0][1]; 
86                 
87                 // Set this for NTLM password Microsoft
88                 Authenticator.setDefault(new Authenticator() {
89                           public PasswordAuthentication getPasswordAuthentication () {
90                             try {
91                                                 return new PasswordAuthentication (id,access.decrypt(pw,true).toCharArray());
92                                         } catch (IOException e) {
93                                                 access.log(e);
94                                         }
95                                         return null;
96                       }
97                 });
98                 
99                 StringBuilder urlstr = new StringBuilder();
100
101                 for(int i=1;i<params.length;++i) { // skip first section, which is user/pass
102                         // Work 
103                         if(i>1) {
104                                 urlstr.append(','); // delimiter
105                         }
106                         urlstr.append(params[i][0]);
107                         
108                         String dir = access.getProperty(CM_PUBLIC_DIR, "");
109                         if(!"".equals(dir) && !dir.endsWith("/")) {
110                                 dir = dir + '/';
111                         }
112                         String path;
113                         List<FileReader> frs = new ArrayList<>(params.length-1);
114                         try {
115                                 for(int j=1; j<params[i].length; ++j) { // first 3 taken up, see above
116                                         path = !params[i][j].contains("/")?dir+params[i][j]:params[i][j];
117                                         access.printf(Level.INIT, "Loading a TrustChain Member for %s from %s",name, path);
118                                         frs.add(new FileReader(path));
119                                 }
120                                 X509ChainWithIssuer xcwi = new X509ChainWithIssuer(frs);
121                                 addCaIssuerDN(xcwi.getIssuerDN());
122                                 mxcwiS.put(params[i][0],xcwi);
123                         } finally {
124                                 for(FileReader fr : frs) {
125                                         if(fr!=null) {
126                                                 fr.close();
127                                         }
128                                 }
129                         }
130                 }               
131                 clients = new JscepClientLocator(access,urlstr.toString());
132         }
133
134         // package on purpose
135         
136         @Override
137         public X509ChainWithIssuer sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException {
138                 TimeTaken tt = trans.start("Generating CSR and Keys for New Certificate", Env.SUB);
139                 PKCS10CertificationRequest csr;
140                 try {
141                         csr = csrmeta.generateCSR(trans);
142                         if(trans.info().isLoggable()) {
143                                 trans.info().log(BCFactory.toString(csr));
144                         } 
145                         if(trans.info().isLoggable()) {
146                                 trans.info().log(csr);
147                         }
148                 } finally {
149                         tt.done();
150                 }
151                 
152                 tt = trans.start("Enroll CSR", Env.SUB);
153                 Client client = null;
154                 Item item = null;
155                 for(int i=0; i<MAX_RETRY;++i) {
156                         try {
157                                 item = clients.best();
158                                 client = clients.get(item);
159                                 
160                                 EnrollmentResponse er = client.enrol(
161                                                 csrmeta.initialConversationCert(trans),
162                                                 csrmeta.keypair(trans).getPrivate(),
163                                                 csr,
164                                                 MS_PROFILE /* profile... MS can't deal with blanks*/);
165                                 
166                                 while(true) {
167                                         if(er.isSuccess()) {
168                                                 trans.checkpoint("Cert from " + clients.info(item));
169                                                 X509Certificate x509 = null;
170                                                 for( Certificate cert : er.getCertStore().getCertificates(null)) {
171                                                         if(x509==null) {
172                                                                 x509 = (X509Certificate)cert;
173                                                                 break;
174                                                         }
175                                                 }
176                                                 X509ChainWithIssuer mxcwi = mxcwiC.get(client);
177                                                 return new X509ChainWithIssuer(mxcwi,x509);
178
179                                         } else if (er.isPending()) {
180                                                 trans.checkpoint("Polling, waiting on CA to complete");
181                                                 Thread.sleep(3000);
182                                         } else if (er.isFailure()) {
183                                                 throw new CertException(clients.info(item)+':'+er.getFailInfo().toString());
184                                         }
185                                 }
186                         } catch(LocatorException e) {
187                                 trans.error().log(e);
188                                 i=MAX_RETRY;
189                         } catch (ClientException e) {
190                                 trans.error().log(e,"SCEP Client Error, Temporarily Invalidating Client: " + clients.info(item));
191                                 try  { 
192                                         clients.invalidate(client);
193                                         if(!clients.hasItems()) {
194                                                 clients.refresh();
195                                         }
196                                 } catch (LocatorException e1) {
197                                         trans.error().log(e,clients.info(item));
198                                         i=MAX_RETRY;  // can't go any further
199                                 }
200                         } catch (InterruptedException|TransactionException|CertificateException|OperatorCreationException | CertStoreException e) {
201                                 trans.error().log(e);
202                                 i=MAX_RETRY;
203                         } finally {
204                                 tt.done();
205                         }
206                 }
207                 
208                 return null;
209         }
210         
211         /**
212          * Locator specifically for Jscep Clients.
213          * 
214          * Class based client for access to common Map
215          */
216         private class JscepClientLocator extends HotPeerLocator<Client> {
217
218                 protected JscepClientLocator(Access access, String urlstr)throws LocatorException {
219                         super(access, urlstr, JscepCA.INVALIDATE_TIME,
220                                 access.getProperty("cadi_latitude","39.833333"), //Note: Defaulting to GEO center of US
221                                 access.getProperty("cadi_longitude","-98.583333")
222                                 );
223                 }
224
225                 @Override
226                 protected Client _newClient(String urlinfo) throws LocatorException {
227                         try {
228                                 String[] info = Split.split('/', urlinfo);
229                                 Client c = new Client(new URL(JscepCA.CA_PREFIX + info[0] + JscepCA.CA_POSTFIX), 
230                                                 new CertificateVerifier() {
231                                                 @Override
232                                                 public boolean verify(X509Certificate cert) {
233                                                         //TODO checkIssuer
234                                                         return true;
235                                                 }
236                                         }
237                                 );
238                                 // Map URL to Client, because Client doesn't expose Connection
239                                 mxcwiC.put(c, mxcwiS.get(urlinfo));
240                                 return c;
241                         } catch (MalformedURLException e) {
242                                 throw new LocatorException(e);
243                         }
244                 }
245
246                 @Override
247                 protected Client _invalidate(Client client) {
248                         return null;
249                 }
250
251                 @Override
252                 protected void _destroy(Client client) {
253                         mxcwiC.remove(client);
254                 }
255                 
256                 
257         }
258 }