1 /*******************************************************************************
\r
2 * ============LICENSE_START====================================================
\r
4 * * ===========================================================================
\r
5 * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.
\r
6 * * Copyright © 2017 Amdocs
\r
7 * * ===========================================================================
\r
8 * * Licensed under the Apache License, Version 2.0 (the "License");
\r
9 * * you may not use this file except in compliance with the License.
\r
10 * * You may obtain a copy of the License at
\r
12 * * http://www.apache.org/licenses/LICENSE-2.0
\r
14 * * Unless required by applicable law or agreed to in writing, software
\r
15 * * distributed under the License is distributed on an "AS IS" BASIS,
\r
16 * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
\r
17 * * See the License for the specific language governing permissions and
\r
18 * * limitations under the License.
\r
19 * * ============LICENSE_END====================================================
\r
21 * * ECOMP is a trademark and service mark of AT&T Intellectual Property.
\r
23 ******************************************************************************/
\r
24 package com.att.authz.cm.ca;
\r
26 import java.io.File;
\r
27 import java.io.IOException;
\r
28 import java.math.BigInteger;
\r
29 import java.security.GeneralSecurityException;
\r
30 import java.security.KeyFactory;
\r
31 import java.security.cert.Certificate;
\r
32 import java.security.cert.CertificateException;
\r
33 import java.security.cert.X509Certificate;
\r
34 import java.security.interfaces.RSAPrivateKey;
\r
35 import java.security.spec.PKCS8EncodedKeySpec;
\r
36 import java.util.ArrayList;
\r
37 import java.util.Collection;
\r
38 import java.util.Date;
\r
39 import java.util.GregorianCalendar;
\r
40 import java.util.List;
\r
41 import java.security.SecureRandom;
\r
43 import org.bouncycastle.asn1.ASN1Sequence;
\r
44 import org.bouncycastle.asn1.x500.X500Name;
\r
45 import org.bouncycastle.asn1.x500.X500NameBuilder;
\r
46 import org.bouncycastle.asn1.x500.style.BCStyle;
\r
47 import org.bouncycastle.asn1.x509.BasicConstraints;
\r
48 import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
\r
49 import org.bouncycastle.asn1.x509.Extension;
\r
50 import org.bouncycastle.asn1.x509.GeneralName;
\r
51 import org.bouncycastle.asn1.x509.GeneralNames;
\r
52 import org.bouncycastle.asn1.x509.KeyPurposeId;
\r
53 import org.bouncycastle.asn1.x509.KeyUsage;
\r
54 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
\r
55 import org.bouncycastle.cert.X509v3CertificateBuilder;
\r
56 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
\r
57 import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
\r
58 import org.bouncycastle.operator.OperatorCreationException;
\r
60 import com.att.authz.cm.cert.BCFactory;
\r
61 import com.att.authz.cm.cert.CSRMeta;
\r
62 import com.att.authz.cm.cert.StandardFields;
\r
63 import com.att.authz.common.Define;
\r
64 import com.att.cadi.cm.CertException;
\r
65 import com.att.cadi.cm.Factory;
\r
66 import com.att.inno.env.Env;
\r
67 import com.att.inno.env.TimeTaken;
\r
68 import com.att.inno.env.Trans;
\r
70 public class DevlCA extends CA {
\r
73 private static final KeyPurposeId[] ASN_WebUsage = new KeyPurposeId[] {
\r
74 KeyPurposeId.id_kp_serverAuth, // WebServer
\r
75 KeyPurposeId.id_kp_clientAuth};// WebClient
\r
77 private X509Certificate caCert;
\r
78 private final RSAPrivateKey caKey;
\r
79 private final X500Name issuer;
\r
80 private final SecureRandom random = new SecureRandom();
\r
81 private byte[] serialish = new byte[24];
\r
83 public DevlCA(Trans trans, String name, String dirString) throws IOException, CertException {
\r
84 super(name, new StandardFields() {
\r
86 public void set(CSRMeta csr) {
\r
88 csr.o("ATT Services, Inc.");
\r
93 }, Define.ROOT_NS+".ca" // Permission Type for validation
\r
95 File dir = new File(dirString);
\r
97 throw new CertException(dirString + " does not exist");
\r
100 File ca = new File(dir,"ca.crt");
\r
102 byte[] bytes = Factory.decode(ca);
\r
103 Collection<? extends Certificate> certs;
\r
105 certs = Factory.toX509Certificate(bytes);
\r
106 } catch (CertificateException e) {
\r
107 throw new CertException(e);
\r
109 List<String> lTrust = new ArrayList<String>();
\r
111 for(Certificate c : certs) {
\r
113 caCert = (X509Certificate)c;
\r
115 lTrust.add(Factory.toString(trans,c));
\r
121 this.setTrustChain(new String[]{Factory.toString(trans,caCert)});
\r
124 * Private key needs to be converted to "DER" format, with no password.
\r
125 * Use chmod 400 on key
\r
127 * openssl pkcs8 -topk8 -outform DER -nocrypt -in ca.key -out ca.der
\r
130 ca = new File(dir,"ca.der");
\r
132 byte[] bytes = Factory.binary(ca);
\r
134 // EncryptedPrivateKeyInfo ekey=new EncryptedPrivateKeyInfo(bytes);
\r
135 // Cipher cip=Cipher.getInstance(ekey.getAlgName());
\r
136 // PBEKeySpec pspec=new PBEKeySpec("password".toCharArray());
\r
137 // SecretKeyFactory skfac=SecretKeyFactory.getInstance(ekey.getAlgName());
\r
138 // Key pbeKey=skfac.generateSecret(pspec);
\r
139 // AlgorithmParameters algParams=ekey.getAlgParameters();
\r
140 // cip.init(Cipher.DECRYPT_MODE,pbeKey,algParams);
\r
142 KeyFactory keyFactory;
\r
144 keyFactory = KeyFactory.getInstance("RSA");
\r
145 PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(bytes);
\r
147 caKey = (RSAPrivateKey) keyFactory.generatePrivate(privSpec);
\r
148 } catch (GeneralSecurityException e) {
\r
149 throw new CertException(e);
\r
152 X500NameBuilder xnb = new X500NameBuilder();
\r
153 xnb.addRDN(BCStyle.C,"US");
\r
154 xnb.addRDN(BCStyle.ST,"Missouri");
\r
155 xnb.addRDN(BCStyle.L,"Arnold");
\r
156 xnb.addRDN(BCStyle.O,"ATT Services, Inc.");
\r
157 xnb.addRDN(BCStyle.OU,"AAF");
\r
158 xnb.addRDN(BCStyle.CN,"aaf.att.com");
\r
159 xnb.addRDN(BCStyle.EmailAddress,"DL-aaf-support@att.com");
\r
160 issuer = xnb.build();
\r
162 throw new CertException(ca.getPath() + " does not exist");
\r
167 * @see com.att.authz.cm.service.CA#sign(org.bouncycastle.pkcs.PKCS10CertificationRequest)
\r
170 public X509Certificate sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException {
\r
171 GregorianCalendar gc = new GregorianCalendar();
\r
172 Date start = gc.getTime();
\r
173 gc.add(GregorianCalendar.DAY_OF_MONTH, 1);
\r
174 Date end = gc.getTime();
\r
175 X509Certificate x509;
\r
176 TimeTaken tt = trans.start("Create/Sign Cert",Env.SUB);
\r
179 synchronized(serialish) {
\r
180 random.nextBytes(serialish);
\r
181 bi = new BigInteger(serialish);
\r
184 X509v3CertificateBuilder xcb = new X509v3CertificateBuilder(
\r
186 bi, // replace with Serialnumber scheme
\r
189 csrmeta.x500Name(),
\r
190 // SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(caCert.getPublicKey().getEn)
\r
191 new SubjectPublicKeyInfo(ASN1Sequence.getInstance(caCert.getPublicKey().getEncoded()))
\r
193 List<GeneralName> lsan = new ArrayList<GeneralName>();
\r
194 for(String s : csrmeta.sans()) {
\r
195 lsan.add(new GeneralName(GeneralName.dNSName,s));
\r
197 GeneralName[] sans = new GeneralName[lsan.size()];
\r
198 lsan.toArray(sans);
\r
200 JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
\r
201 xcb .addExtension(Extension.basicConstraints,
\r
202 false, new BasicConstraints(false))
\r
203 .addExtension(Extension.keyUsage,
\r
204 true, new KeyUsage(KeyUsage.digitalSignature
\r
205 | KeyUsage.keyEncipherment))
\r
206 .addExtension(Extension.extendedKeyUsage,
\r
207 true, new ExtendedKeyUsage(ASN_WebUsage))
\r
209 .addExtension(Extension.authorityKeyIdentifier,
\r
210 false, extUtils.createAuthorityKeyIdentifier(caCert))
\r
211 .addExtension(Extension.subjectKeyIdentifier,
\r
212 false, extUtils.createSubjectKeyIdentifier(caCert.getPublicKey()))
\r
213 .addExtension(Extension.subjectAlternativeName,
\r
214 false, new GeneralNames(sans))
\r
217 x509 = new JcaX509CertificateConverter().getCertificate(
\r
218 xcb.build(BCFactory.contentSigner(caKey)));
\r
219 } catch (GeneralSecurityException|OperatorCreationException e) {
\r
220 throw new CertException(e);
\r