2 * Copyright 2016-2017, Nokia Corporation
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 package org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.util;
19 import org.apache.commons.codec.binary.Base64;
21 import java.io.ByteArrayInputStream;
22 import java.io.InputStream;
23 import java.security.KeyFactory;
24 import java.security.KeyStore;
25 import java.security.KeyStore.TrustedCertificateEntry;
26 import java.security.NoSuchAlgorithmException;
27 import java.security.PrivateKey;
28 import java.security.cert.Certificate;
29 import java.security.cert.CertificateFactory;
30 import java.security.spec.InvalidKeySpecException;
31 import java.security.spec.PKCS8EncodedKeySpec;
32 import java.util.Collection;
33 import java.util.HashSet;
34 import java.util.Optional;
37 import static java.util.Optional.empty;
38 import static java.util.Optional.of;
39 import static org.onap.vfc.nfvo.driver.vnfm.svnfm.nokia.util.CbamUtils.fatalFailure;
40 import static org.slf4j.LoggerFactory.getLogger;
43 * Create Truststore from the given certificates and keys
45 public final class StoreLoader {
47 public static final String PASS_ALIAS = "password";
48 private static final String RSA = "RSA";
49 private static final String X_509 = "X.509";
50 private static final String SUN = "SUN";
51 private static final String JKS = "JKS";
52 private static final String RSA_PRIVATE_KEY = "RSA PRIVATE KEY";
53 private static final String CERTIFICATE = "CERTIFICATE";
54 private static org.slf4j.Logger logger = getLogger(StoreLoader.class);
56 private StoreLoader() {
59 private static String getScope(String content, String scope) {
60 int rindex = content.indexOf(begin(scope));
61 int lindex = content.indexOf(end(scope));
62 if (rindex == -1 || lindex == -1) {
65 return content.substring(rindex, lindex) + end(scope);
69 * @param content the content of the PEM ( a PEM may contain multiple certificates)
70 * @return the collection of certificates in the PEM
72 public static Set<String> getCertifacates(String content) {
73 String lastCertificate = "";
74 Set<String> certificates = new HashSet<>();
76 lastCertificate = getScope(content, CERTIFICATE);
77 content = content.replace(lastCertificate, "");
78 if (!"".equals(lastCertificate)) {
79 certificates.add(lastCertificate);
81 } while (!"".equals(lastCertificate));
85 private static byte[] toDer(String pem, String scope) {
86 return Base64.decodeBase64(pem
87 .replace(begin(scope), "")
88 .replace(end(scope), "")
89 .replaceAll("\\s", ""));
92 private static String begin(String scope) {
93 return "-----BEGIN " + scope + "-----";
96 private static String end(String scope) {
97 return "-----END " + scope + "-----";
101 * Create new truststore from the given certificate
103 * @param pem the certificate which used to create the store
104 * @param storePassword the password to protect the store
105 * @param keyPassword the password to protect the key
106 * @return the created key store
108 public static KeyStore loadStore(String pem, String storePassword, String keyPassword) {
109 Optional<PrivateKey> privateKey = generatePrivateKey(pem);
110 Optional<Certificate[]> certs = createCertificates(pem);
112 KeyStore ks = KeyStore.getInstance(JKS, SUN);
113 ks.load(null, storePassword.toCharArray());
114 if (privateKey.isPresent()) {
115 ks.setKeyEntry(PASS_ALIAS, privateKey.get(), keyPassword.toCharArray(), certs.orElse(null));
116 } else if (certs.isPresent()) {
118 for (Certificate cert : certs.get()) {
119 TrustedCertificateEntry ts = new TrustedCertificateEntry(cert);
120 ks.setEntry(PASS_ALIAS + index, ts, null);
125 } catch (Exception e) {
126 throw new UserInvisibleError("Unable to create keystore", e);
130 private static Optional<Certificate[]> createCertificates(String pem) {
131 Set<Certificate> certificates = new HashSet<>();
133 for (String certificate : getCertifacates(pem)) {
134 CertificateFactory certFactory = CertificateFactory.getInstance(X_509);
136 InputStream is = new ByteArrayInputStream(toDer(certificate, CERTIFICATE));
137 Collection<? extends Certificate> c = certFactory.generateCertificates(is);
138 certificates.addAll(c);
140 } catch (Exception e) {
141 throw fatalFailure(logger, "Unable to load certificates", e);
144 if (!certificates.isEmpty()) {
145 return of(certificates.toArray(new Certificate[certificates.size()]));
151 private static Optional<PrivateKey> generatePrivateKey(String pem) {
153 String key = getScope(pem, RSA_PRIVATE_KEY);
154 if (!key.isEmpty()) {
155 KeyFactory keyFactory = KeyFactory.getInstance(RSA);
156 PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(toDer(key, RSA_PRIVATE_KEY));
157 return of(keyFactory.generatePrivate(keySpec));
160 } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
161 throw fatalFailure(logger, "Unable to load key", e);