authz-certman/src/main/java/com/att/authz/cm/ca/DevlCA.java

   1 /*******************************************************************************\r
   2  * ============LICENSE_START====================================================\r
   3  * * org.onap.aai\r
   4  * * ===========================================================================\r
   5  * * Copyright © 2017 AT&T Intellectual Property. All rights reserved.\r
   6  * * Copyright © 2017 Amdocs\r
   7  * * ===========================================================================\r
   8  * * Licensed under the Apache License, Version 2.0 (the "License");\r
   9  * * you may not use this file except in compliance with the License.\r
  10  * * You may obtain a copy of the License at\r
  11  * * \r
  12  *  *      http://www.apache.org/licenses/LICENSE-2.0\r
  13  * * \r
  14  *  * Unless required by applicable law or agreed to in writing, software\r
  15  * * distributed under the License is distributed on an "AS IS" BASIS,\r
  16  * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
  17  * * See the License for the specific language governing permissions and\r
  18  * * limitations under the License.\r
  19  * * ============LICENSE_END====================================================\r
  20  * *\r
  21  * * ECOMP is a trademark and service mark of AT&T Intellectual Property.\r
  22  * *\r
  23  ******************************************************************************/\r
  24 package com.att.authz.cm.ca;\r
  25 \r
  26 import java.io.File;\r
  27 import java.io.IOException;\r
  28 import java.math.BigInteger;\r
  29 import java.security.GeneralSecurityException;\r
  30 import java.security.KeyFactory;\r
  31 import java.security.cert.Certificate;\r
  32 import java.security.cert.CertificateException;\r
  33 import java.security.cert.X509Certificate;\r
  34 import java.security.interfaces.RSAPrivateKey;\r
  35 import java.security.spec.PKCS8EncodedKeySpec;\r
  36 import java.util.ArrayList;\r
  37 import java.util.Collection;\r
  38 import java.util.Date;\r
  39 import java.util.GregorianCalendar;\r
  40 import java.util.List;\r
  41 import java.security.SecureRandom;\r
  42 \r
  43 import org.bouncycastle.asn1.ASN1Sequence;\r
  44 import org.bouncycastle.asn1.x500.X500Name;\r
  45 import org.bouncycastle.asn1.x500.X500NameBuilder;\r
  46 import org.bouncycastle.asn1.x500.style.BCStyle;\r
  47 import org.bouncycastle.asn1.x509.BasicConstraints;\r
  48 import org.bouncycastle.asn1.x509.ExtendedKeyUsage;\r
  49 import org.bouncycastle.asn1.x509.Extension;\r
  50 import org.bouncycastle.asn1.x509.GeneralName;\r
  51 import org.bouncycastle.asn1.x509.GeneralNames;\r
  52 import org.bouncycastle.asn1.x509.KeyPurposeId;\r
  53 import org.bouncycastle.asn1.x509.KeyUsage;\r
  54 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;\r
  55 import org.bouncycastle.cert.X509v3CertificateBuilder;\r
  56 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;\r
  57 import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;\r
  58 import org.bouncycastle.operator.OperatorCreationException;\r
  59 \r
  60 import com.att.authz.cm.cert.BCFactory;\r
  61 import com.att.authz.cm.cert.CSRMeta;\r
  62 import com.att.authz.cm.cert.StandardFields;\r
  63 import com.att.authz.common.Define;\r
  64 import com.att.cadi.cm.CertException;\r
  65 import com.att.cadi.cm.Factory;\r
  66 import com.att.inno.env.Env;\r
  67 import com.att.inno.env.TimeTaken;\r
  68 import com.att.inno.env.Trans;\r
  69 \r
  70 public class DevlCA extends CA {\r
  71         \r
  72         // Extensions\r
  73         private static final KeyPurposeId[] ASN_WebUsage = new KeyPurposeId[] {\r
  74                                 KeyPurposeId.id_kp_serverAuth, // WebServer\r
  75                                 KeyPurposeId.id_kp_clientAuth};// WebClient\r
  76                                 \r
  77         private X509Certificate caCert;\r
  78         private final RSAPrivateKey caKey;\r
  79         private final X500Name issuer;\r
  80         private final SecureRandom random = new SecureRandom();\r
  81         private byte[] serialish = new byte[24];\r
  82 \r
  83         public DevlCA(Trans trans, String name, String dirString) throws IOException, CertException {\r
  84                 super(name, new StandardFields() {\r
  85                         @Override\r
  86                         public void set(CSRMeta csr) {\r
  87                                 // Standard Fields\r
  88                                 csr.o("ATT Services, Inc.");\r
  89                                 csr.l("St Louis");\r
  90                                 csr.st("Missouri");\r
  91                                 csr.c("US");\r
  92                         }\r
  93                 }, Define.ROOT_NS+".ca" // Permission Type for validation\r
  94                 );\r
  95                 File dir = new File(dirString);\r
  96                 if(!dir.exists()) {\r
  97                         throw new CertException(dirString + " does not exist");\r
  98                 }\r
  99                 \r
 100                 File ca = new File(dir,"ca.crt");\r
 101                 if(ca.exists()) {\r
 102                         byte[] bytes = Factory.decode(ca);\r
 103                         Collection<? extends Certificate> certs;\r
 104                         try {\r
 105                                 certs = Factory.toX509Certificate(bytes);\r
 106                         } catch (CertificateException e) {\r
 107                                 throw new CertException(e);\r
 108                         }\r
 109                         List<String> lTrust = new ArrayList<String>();\r
 110                         caCert=null;\r
 111                         for(Certificate c : certs) {\r
 112                                 if(caCert==null) {\r
 113                                         caCert = (X509Certificate)c;\r
 114                                 } else {\r
 115                                         lTrust.add(Factory.toString(trans,c));\r
 116                                 }\r
 117                                 break;\r
 118                         }\r
 119                 }\r
 120                 \r
 121                 this.setTrustChain(new String[]{Factory.toString(trans,caCert)});\r
 122                                 \r
 123                         /*\r
 124                          * Private key needs to be converted to "DER" format, with no password.  \r
 125                          *      Use chmod 400 on key\r
 126                          * \r
 127                          *  openssl pkcs8 -topk8 -outform DER -nocrypt -in ca.key -out ca.der\r
 128                          *\r
 129                          */\r
 130                         ca = new File(dir,"ca.der");\r
 131                         if(ca.exists()) {\r
 132                                 byte[] bytes = Factory.binary(ca);\r
 133                                 \r
 134 //                                      EncryptedPrivateKeyInfo ekey=new EncryptedPrivateKeyInfo(bytes);\r
 135 //                                  Cipher cip=Cipher.getInstance(ekey.getAlgName());\r
 136 //                                  PBEKeySpec pspec=new PBEKeySpec("password".toCharArray());\r
 137 //                                  SecretKeyFactory skfac=SecretKeyFactory.getInstance(ekey.getAlgName());\r
 138 //                                  Key pbeKey=skfac.generateSecret(pspec);\r
 139 //                                  AlgorithmParameters algParams=ekey.getAlgParameters();\r
 140 //                                  cip.init(Cipher.DECRYPT_MODE,pbeKey,algParams);\r
 141                                         \r
 142                                 KeyFactory keyFactory;\r
 143                                 try {\r
 144                                         keyFactory = KeyFactory.getInstance("RSA");\r
 145                                         PKCS8EncodedKeySpec privSpec = new PKCS8EncodedKeySpec(bytes);\r
 146                                                 \r
 147                             caKey = (RSAPrivateKey) keyFactory.generatePrivate(privSpec);\r
 148                                 } catch (GeneralSecurityException e) {\r
 149                                         throw new CertException(e);\r
 150                                 }\r
 151                                 \r
 152                                 X500NameBuilder xnb = new X500NameBuilder();\r
 153                                 xnb.addRDN(BCStyle.C,"US");\r
 154                                 xnb.addRDN(BCStyle.ST,"Missouri");\r
 155                                 xnb.addRDN(BCStyle.L,"Arnold");\r
 156                                 xnb.addRDN(BCStyle.O,"ATT Services, Inc.");\r
 157                                 xnb.addRDN(BCStyle.OU,"AAF");\r
 158                                 xnb.addRDN(BCStyle.CN,"aaf.att.com");\r
 159                                 xnb.addRDN(BCStyle.EmailAddress,"DL-aaf-support@att.com");\r
 160                                 issuer = xnb.build();\r
 161                 } else {\r
 162                         throw new CertException(ca.getPath() + " does not exist");\r
 163                 }\r
 164         }\r
 165 \r
 166         /* (non-Javadoc)\r
 167          * @see com.att.authz.cm.service.CA#sign(org.bouncycastle.pkcs.PKCS10CertificationRequest)\r
 168          */\r
 169         @Override\r
 170         public X509Certificate sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException {\r
 171                 GregorianCalendar gc = new GregorianCalendar();\r
 172                 Date start = gc.getTime();\r
 173                 gc.add(GregorianCalendar.DAY_OF_MONTH, 1);\r
 174                 Date end = gc.getTime();\r
 175                 X509Certificate x509;\r
 176                 TimeTaken tt = trans.start("Create/Sign Cert",Env.SUB);\r
 177                 try {\r
 178                         BigInteger bi;\r
 179                         synchronized(serialish) {\r
 180                                 random.nextBytes(serialish);\r
 181                                 bi = new BigInteger(serialish);\r
 182                         }\r
 183                                 \r
 184                         X509v3CertificateBuilder xcb = new X509v3CertificateBuilder(\r
 185                                         issuer,\r
 186                                         bi, // replace with Serialnumber scheme\r
 187                                         start,\r
 188                                         end,\r
 189                                         csrmeta.x500Name(),\r
 190 //                                      SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(caCert.getPublicKey().getEn)\r
 191                                         new SubjectPublicKeyInfo(ASN1Sequence.getInstance(caCert.getPublicKey().getEncoded()))\r
 192                                         );\r
 193                         List<GeneralName> lsan = new ArrayList<GeneralName>();\r
 194                         for(String s : csrmeta.sans()) {\r
 195                                 lsan.add(new GeneralName(GeneralName.dNSName,s));\r
 196                         }\r
 197                         GeneralName[] sans = new GeneralName[lsan.size()];\r
 198                         lsan.toArray(sans);\r
 199 \r
 200                     JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();\r
 201                     xcb         .addExtension(Extension.basicConstraints,\r
 202                         false, new BasicConstraints(false))\r
 203                             .addExtension(Extension.keyUsage,\r
 204                                 true, new KeyUsage(KeyUsage.digitalSignature\r
 205                                                  | KeyUsage.keyEncipherment))\r
 206                             .addExtension(Extension.extendedKeyUsage,\r
 207                                           true, new ExtendedKeyUsage(ASN_WebUsage))\r
 208 \r
 209                     .addExtension(Extension.authorityKeyIdentifier,\r
 210                                           false, extUtils.createAuthorityKeyIdentifier(caCert))\r
 211                             .addExtension(Extension.subjectKeyIdentifier,\r
 212                                           false, extUtils.createSubjectKeyIdentifier(caCert.getPublicKey()))\r
 213                             .addExtension(Extension.subjectAlternativeName,\r
 214                                         false, new GeneralNames(sans))\r
 215                                                            ;\r
 216         \r
 217                         x509 = new JcaX509CertificateConverter().getCertificate(\r
 218                                         xcb.build(BCFactory.contentSigner(caKey)));\r
 219                 } catch (GeneralSecurityException|OperatorCreationException e) {\r
 220                         throw new CertException(e);\r
 221                 } finally {\r
 222                         tt.done();\r
 223                 }\r
 224                 return x509;\r
 225         }\r
 226 \r
 227 }\r