X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-certman%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fcm%2Fca%2FCA.java;h=275ad549b2ee09778f30aab032e8020d037f9320;hb=be1edcb6830745015f5de72e820f40f36dd571ad;hp=521c501649a463d1cbfb841b1d08b2cc14ceff0a;hpb=71037c39a37d3549dcfe31926832a657744fbe05;p=aaf%2Fauthz.git diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java index 521c5016..275ad549 100644 --- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java +++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -30,180 +30,224 @@ import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Set; +import java.util.regex.Pattern; import org.bouncycastle.asn1.x500.style.BCStyle; import org.onap.aaf.auth.cm.cert.CSRMeta; import org.onap.aaf.auth.cm.cert.RDN; import org.onap.aaf.cadi.Access; import org.onap.aaf.cadi.Access.Level; -import org.onap.aaf.cadi.cm.CertException; +import org.onap.aaf.cadi.config.Config; +import org.onap.aaf.cadi.configure.CertException; import org.onap.aaf.misc.env.Trans; import org.onap.aaf.misc.env.util.Split; public abstract class CA { - private static final String MUST_EXIST_TO_CREATE_CSRS_FOR = " must exist to create CSRs for "; - //TODO figuring out what is an Issuing CA is a matter of convention. Consider SubClassing for Open Source - public static final String ISSUING_CA = "Issuing CA"; - public static final String CM_CA_PREFIX = "cm_ca."; - public static final String CM_CA_BASE_SUBJECT = ".baseSubject"; - protected static final String CM_PUBLIC_DIR = "cm_public_dir"; - private static final String CM_TRUST_CAS = "cm_trust_cas"; - protected static final String CM_BACKUP_CAS = "cm_backup_cas"; - - public static final Set EMPTY = Collections.unmodifiableSet(new HashSet()); - - - private final String name,env; - private MessageDigest messageDigest; - private final String permType; - private Set caIssuerDNs; - private final ArrayList idDomains; - private String[] trustedCAs; - private List rdns; - - - protected CA(Access access, String caName, String env) throws IOException, CertException { - trustedCAs = new String[4]; // starting array - this.name = caName; - this.env = env; - permType = access.getProperty(CM_CA_PREFIX + name + ".perm_type",null); - if(permType==null) { - throw new CertException(CM_CA_PREFIX + name + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName); - } - caIssuerDNs = new HashSet(); - - String tag = CA.CM_CA_PREFIX+caName+CA.CM_CA_BASE_SUBJECT; - - String fields = access.getProperty(tag, null); - if(fields==null) { - throw new CertException(tag + MUST_EXIST_TO_CREATE_CSRS_FOR + caName); - } - for(RDN rdn : rdns = RDN.parse('/',fields)) { - if(rdn.aoi==BCStyle.EmailAddress) { // Cert Specs say Emails belong in Subject - throw new CertException("email address is not allowed in " + CM_CA_BASE_SUBJECT); - } - } - - idDomains = new ArrayList(); - StringBuilder sb = null; - for(String s : Split.splitTrim(',', access.getProperty(CA.CM_CA_PREFIX+caName+".idDomains", ""))) { - if(s.length()>0) { - if(sb==null) { - sb = new StringBuilder(); - } else { - sb.append(", "); - } - idDomains.add(s); - sb.append(s); - } - } - if(sb!=null) { - access.printf(Level.INIT, "CA '%s' supports Personal Certificates for %s", caName, sb); - } - - String data_dir = access.getProperty(CM_PUBLIC_DIR,null); - if(data_dir!=null) { - File data = new File(data_dir); - byte[] bytes; - if(data.exists()) { - String trust_cas = access.getProperty(CM_TRUST_CAS,null); - if(trust_cas!=null) { - for(String fname : Split.splitTrim(',', trust_cas)) { - File crt = new File(data,fname); - if(crt.exists()) { - access.printf(Level.INIT, "Loading CA Cert from %s", crt.getAbsolutePath()); - bytes = new byte[(int)crt.length()]; - FileInputStream fis = new FileInputStream(crt); - try { - fis.read(bytes); - addTrustedCA(new String(bytes)); - } finally { - fis.close(); - } - } else { - access.printf(Level.INIT, "FAILED to Load CA Cert from %s", crt.getAbsolutePath()); - } - } - } else { - access.printf(Level.INIT, "Cannot load external TRUST CAs: No property %s",CM_TRUST_CAS); - } - } else { - access.printf(Level.INIT, "Cannot load external TRUST CAs: %s doesn't exist, or is not accessible",data.getAbsolutePath()); - } - } - } - - protected void addCaIssuerDN(String issuerDN) { - caIssuerDNs.add(issuerDN); - } - - protected synchronized void addTrustedCA(final String crtString) { - String crt; - if(crtString.endsWith("\n")) { - crt = crtString; - } else { - crt = crtString + '\n'; - } - for(int i=0;i getCaIssuerDNs() { - return caIssuerDNs; - } - - public String[] getTrustedCAs() { - return trustedCAs; - } - - public String getEnv() { - return env; - } - - protected void setMessageDigest(MessageDigest md) { - messageDigest = md; - } - - /* - * End Required Constructor calls - */ - - public String getName() { - return name; - } - - - public String getPermType() { - return permType; - } - - public abstract X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException; - - /* (non-Javadoc) - * @see org.onap.aaf.auth.cm.ca.CA#inPersonalDomains(java.security.Principal) - */ - public boolean inPersonalDomains(Principal p) { - int at = p.getName().indexOf('@'); - if(at>=0) { - return idDomains.contains(p.getName().substring(at+1)); - } else { - return false; - } - } - - public MessageDigest messageDigest() { - return messageDigest; - } - - public CSRMeta newCSRMeta() { - return new CSRMeta(rdns); - } + public static final Pattern IPV4_PATTERN = Pattern.compile("\\A(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}\\z"); + public static final Pattern IPV6_PATTERN = Pattern.compile("\\A(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\\z"); + + + private static final String MUST_EXIST_TO_CREATE_CSRS_FOR = " must exist to create CSRs for "; + //TODO figuring out what is an Issuing CA is a matter of convention. Consider SubClassing for Open Source + public static final String ISSUING_CA = "Issuing CA"; + public static final String CM_CA_PREFIX = "cm_ca."; + public static final String CM_CA_BASE_SUBJECT = ".baseSubject"; + public static final String CM_CA_ENV_TAG = ".env_tag"; + protected static final String CM_PUBLIC_DIR = "cm_public_dir"; + private static final String CM_TRUST_CAS = "cm_trust_cas"; + protected static final String CM_BACKUP_CAS = "cm_backup_cas"; + + public static final Set EMPTY = Collections.unmodifiableSet(new HashSet<>()); + + + private final String name; + private final String env; + private MessageDigest messageDigest; + private final String permNS; + private final String permType; + private final ArrayList idDomains; + private String[] trustedCAs; + private String[] caIssuerDNs; + private List rdns; + private final boolean env_tag; + + + protected CA(Access access, String caName, String env) throws IOException, CertException { + trustedCAs = new String[4]; // starting array + this.name = caName; + this.env = env; + this.env_tag = env==null || env.isEmpty()?false: + Boolean.parseBoolean(access.getProperty(CM_CA_ENV_TAG, Boolean.FALSE.toString())); + permNS=null; + String prefix = CM_CA_PREFIX + name; + permType = access.getProperty(prefix + ".perm_type",null); + if (permType==null) { + throw new CertException(prefix + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName); + } + caIssuerDNs = Split.splitTrim(':', access.getProperty(Config.CADI_X509_ISSUERS, null)); + + String tag = CA.CM_CA_PREFIX+caName+CA.CM_CA_BASE_SUBJECT; + + String fields = access.getProperty(tag, null); + if (fields==null) { + throw new CertException(tag + MUST_EXIST_TO_CREATE_CSRS_FOR + caName); + } + access.log(Level.INFO, tag, "=",fields); + rdns = RDN.parse('/',fields); + for (RDN rdn : rdns) { + if (rdn.aoi==BCStyle.EmailAddress) { // Cert Specs say Emails belong in Subject + throw new CertException("email address is not allowed in " + CM_CA_BASE_SUBJECT); + } + } + + idDomains = new ArrayList<>(); + StringBuilder sb = null; + for (String s : Split.splitTrim(',', access.getProperty(CA.CM_CA_PREFIX+caName+".idDomains", ""))) { + if (s.length()>0) { + if (sb==null) { + sb = new StringBuilder(); + } else { + sb.append(", "); + } + idDomains.add(s); + sb.append(s); + } + } + if (sb!=null) { + access.printf(Level.INIT, "CA '%s' supports Personal Certificates for %s", caName, sb); + } + + String dataDir = access.getProperty(CM_PUBLIC_DIR,null); + if (dataDir!=null) { + File data = new File(dataDir); + byte[] bytes; + if (data.exists()) { + String trustCas = access.getProperty(CM_TRUST_CAS,null); + if (trustCas!=null) { + for (String fname : Split.splitTrim(',', trustCas)) { + File crt; + if (fname.contains("/")) { + crt = new File(fname); + } else { + crt = new File(data,fname); + } + if (crt.exists()) { + access.printf(Level.INIT, "Loading CA Cert from %s", crt.getAbsolutePath()); + bytes = new byte[(int)crt.length()]; + FileInputStream fis = new FileInputStream(crt); + try { + int read = fis.read(bytes); + if (read>0) { + addTrustedCA(new String(bytes)); + } + } finally { + fis.close(); + } + } else { + access.printf(Level.INIT, "FAILED to Load CA Cert from %s", crt.getAbsolutePath()); + } + } + } else { + access.printf(Level.INIT, "Cannot load external TRUST CAs: No property %s",CM_TRUST_CAS); + } + } else { + access.printf(Level.INIT, "Cannot load external TRUST CAs: %s doesn't exist, or is not accessible",data.getAbsolutePath()); + } + } + } + + protected void addCaIssuerDN(String issuerDN) { + boolean changed = true; + for (String id : caIssuerDNs) { + if (id.equals(issuerDN)) { + changed = false; + break; + } + } + if (changed) { + String[] newsa = new String[caIssuerDNs.length+1]; + newsa[0]=issuerDN; + System.arraycopy(caIssuerDNs, 0, newsa, 1, caIssuerDNs.length); + caIssuerDNs = newsa; + } + } + + protected synchronized void addTrustedCA(final String crtString) { + String crt; + if (crtString.endsWith("\n")) { + crt = crtString; + } else { + crt = crtString + '\n'; + } + for (int i=0;i=0) { + return idDomains.contains(p.getName().substring(at+1)); + } else { + return false; + } + } + + public MessageDigest messageDigest() { + return messageDigest; + } + + public CSRMeta newCSRMeta() { + return new CSRMeta(rdns); + } + }