2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.cadi.configure;
25 import java.security.KeyStore;
26 import java.security.PrivateKey;
27 import java.security.cert.Certificate;
28 import java.security.cert.X509Certificate;
29 import java.util.ArrayList;
30 import java.util.Collection;
31 import java.util.HashSet;
32 import java.util.List;
35 import org.onap.aaf.cadi.CadiException;
36 import org.onap.aaf.cadi.Symm;
37 import org.onap.aaf.cadi.config.Config;
38 import org.onap.aaf.cadi.util.Chmod;
39 import org.onap.aaf.misc.env.Trans;
41 import certman.v1_0.Artifacts.Artifact;
42 import certman.v1_0.CertInfo;
44 public class PlaceArtifactInKeystore extends ArtifactDir {
47 public PlaceArtifactInKeystore(String kst) {
52 public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
53 final String ext = (kst==Agent.PKCS12?"p12":kst);
54 File fks = new File(dir,arti.getNs()+'.'+ext);
56 KeyStore jks = KeyStore.getInstance(kst);
58 File backup = File.createTempFile(fks.getName()+'.', ".backup",dir);
62 // Get the Cert(s)... Might include Trust store
63 Collection<? extends Certificate> certColl = Factory.toX509Certificate(certInfo.getCerts());
64 // find where the trusts end in 1.0 API
67 List<X509Certificate> chainList = new ArrayList<>();
68 Set<X509Certificate> caSet = new HashSet<>();
69 X509Certificate curr = null;
70 for (Certificate c : certColl) {
71 x509 = (X509Certificate)c;
72 // Is a Root (self-signed, anyway)
73 if (x509.getSubjectDN().equals(x509.getIssuerDN())) {
76 // Expect Certs in Trust Chain Order.
81 // Only Add Cert next on the list
82 if(curr.getIssuerDN().equals(x509.getSubjectDN())) {
91 // Add CADI Keyfile Entry to Properties
92 File keyfile = new File(arti.getDir()+'/'+arti.getNs() + ".keyfile");
93 PropHolder props = PropHolder.get(arti, "cred.props");
94 props.add(Config.CADI_KEYFILE,keyfile.getAbsolutePath());
96 // Set Keystore Password
97 props.add(Config.CADI_KEYSTORE,fks.getAbsolutePath());
98 String keystorePass = Symm.randomGen(Agent.PASS_SIZE);
99 String encP = props.addEnc(Config.CADI_KEYSTORE_PASSWORD,keystorePass);
100 // Since there are now more than one Keystore type, the keystore password property might
101 // be overwritten, making the store useless without key. So we write it specifically
103 props.add(Config.CADI_KEYSTORE_PASSWORD+'_'+ext,encP);
104 char[] keystorePassArray = keystorePass.toCharArray();
105 jks.load(null,keystorePassArray); // load in
107 // Add Private Key/Cert Entry for App
108 // Note: Java SSL security classes, while having a separate key from keystore,
109 // is documented to not actually work.
110 // java.security.UnrecoverableKeyException: Cannot recover key
111 // You can create a custom Key Manager to make it work, but Practicality
112 // dictates that you live with the default, meaning, they are the same
113 String keyPass = keystorePass; //Symm.randomGen(CmAgent.PASS_SIZE);
114 PrivateKey pk = Factory.toPrivateKey(trans, certInfo.getPrivatekey());
115 props.addEnc(Config.CADI_KEY_PASSWORD, keyPass);
116 props.add(Config.CADI_ALIAS, arti.getMechid());
117 // Set<Attribute> attribs = new HashSet<>();
118 // if (kst.equals("pkcs12")) {
120 // attribs.add(new PKCS12Attribute("1.2.840.113549.1.9.20", arti.getNs()));
123 KeyStore.ProtectionParameter protParam =
124 new KeyStore.PasswordProtection(keyPass.toCharArray());
126 Certificate[] trustChain = new Certificate[chainList.size()];
127 chainList.toArray(trustChain);
128 KeyStore.PrivateKeyEntry pkEntry =
129 new KeyStore.PrivateKeyEntry(pk, trustChain);
130 jks.setEntry(arti.getMechid(),
134 write(fks,Chmod.to644,jks,keystorePassArray);
136 // Change out to TrustStore
137 // NOTE: PKCS12 does NOT support Trusted Entries. Put in JKS Always
138 fks = new File(dir,arti.getNs()+".trust.jks");
140 File backup = File.createTempFile(fks.getName()+'.', ".backup",dir);
141 fks.renameTo(backup);
144 jks = KeyStore.getInstance(Agent.JKS);
146 // Set Truststore Password
147 props.add(Config.CADI_TRUSTSTORE,fks.getAbsolutePath());
148 String trustStorePass = Symm.randomGen(Agent.PASS_SIZE);
149 props.addEnc(Config.CADI_TRUSTSTORE_PASSWORD,trustStorePass);
150 char[] truststorePassArray = trustStorePass.toCharArray();
151 jks.load(null,truststorePassArray); // load in
153 // Add Trusted Certificates, but PKCS12 doesn't support
154 Certificate[] trustCAs = new Certificate[caSet.size()];
155 caSet.toArray(trustCAs);
156 for (int i=0; i<trustCAs.length;++i) {
157 jks.setCertificateEntry("ca_" + arti.getCa() + '_' + i, trustCAs[i]);
160 write(fks,Chmod.to644,jks,truststorePassArray);
162 } catch (Exception e) {
163 throw new CadiException(e);