X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-certman%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fcm%2Fca%2FJscepCA.java;h=e7b4ef4fe8c74c44289f82503a786f88e117fde9;hb=43ee275875f09ec439a2d0aa182c79773c63f018;hp=000b6dd5c4fcde2cf282302173c1bfa4ad85dd35;hpb=4b5a7d721d994a49057e9bfb403c7bff1b376660;p=aaf%2Fauthz.git
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
index 000b6dd5..e7b4ef4f 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/JscepCA.java
@@ -4,12 +4,14 @@
 * ===========================================================================
 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 * ===========================================================================
+ * Modifications Copyright (C) 2018 IBM.
+ * ================================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
- *
+ *
 * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -26,28 +28,23 @@ import java.net.Authenticator; import java.net.MalformedURLException; import java.net.PasswordAuthentication; import java.net.URL; -import java.security.cert.CertStoreException; import java.security.cert.Certificate; -import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.List; import java.util.Map; import java.util.concurrent.ConcurrentHashMap; -import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.pkcs.PKCS10CertificationRequest; import org.jscep.client.Client; import org.jscep.client.ClientException; import org.jscep.client.EnrollmentResponse; -import org.jscep.client.verification.CertificateVerifier; -import org.jscep.transaction.TransactionException; import org.onap.aaf.auth.cm.cert.BCFactory; import org.onap.aaf.auth.cm.cert.CSRMeta; import org.onap.aaf.cadi.Access; -import org.onap.aaf.cadi.LocatorException; import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.Locator.Item; +import org.onap.aaf.cadi.LocatorException; import org.onap.aaf.cadi.configure.CertException; import org.onap.aaf.cadi.locator.HotPeerLocator; import org.onap.aaf.misc.env.Env; 
@@ -74,19 +71,20 @@ public class JscepCA extends CA { super(access, name, env); mxcwiS = new ConcurrentHashMap<>(); mxcwiC = new ConcurrentHashMap<>(); - - if(params.length<2) { + + if (params.length<2) { throw new CertException("No Trust Chain parameters are included"); - } - if(params[0].length<2) { + } + if (params[0].length<2) { throw new CertException("User/Password required for JSCEP"); } final String id = params[0][0]; - final String pw = params[0][1]; - + final String pw = params[0][1]; + // Set this for NTLM password Microsoft Authenticator.setDefault(new Authenticator() { - public PasswordAuthentication getPasswordAuthentication () { + @Override + public PasswordAuthentication getPasswordAuthentication () { try { return new PasswordAuthentication (id,access.decrypt(pw,true).toCharArray()); } catch (IOException e) { @@ -95,24 +93,24 @@ public class JscepCA extends CA { return null; } }); - + StringBuilder urlstr = new StringBuilder(); - for(int i=1;i1) { + for (int i=1;i1) { urlstr.append(','); // delimiter } urlstr.append(params[i][0]); - + String dir = access.getProperty(CM_PUBLIC_DIR, ""); - if(!"".equals(dir) && !dir.endsWith("/")) { + if (!"".equals(dir) && !dir.endsWith("/")) { dir = dir + '/'; } String path; List frs = new ArrayList<>(params.length-1); try { - for(int j=1; j { @@ -226,14 +224,8 @@ public class JscepCA extends CA { protected Client _newClient(String urlinfo) throws LocatorException { try { String[] info = Split.split('/', urlinfo); - Client c = new Client(new URL(JscepCA.CA_PREFIX + info[0] + JscepCA.CA_POSTFIX), - new CertificateVerifier() { - @Override - public boolean verify(X509Certificate cert) { - //TODO checkIssuer - return true; - } - } + Client c = new Client(new URL(JscepCA.CA_PREFIX + info[0] + JscepCA.CA_POSTFIX), + cert -> true ); // Map URL to Client, because Client doesn't expose Connection mxcwiC.put(c, mxcwiS.get(urlinfo)); 
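Review bot: The `Authenticator` installed in the constructor returns the decrypted JSCEP password to whatever endpoint issues an authentication challenge, because `getPasswordAuthentication()` never checks who is asking. `Authenticator.setDefault` is JVM-wide, so this applies to every URL connection in the process, not only the SCEP client, and the hunk only adds `@Override` to it. A guard at the top of the method would limit the exposure, for example `if (!caHosts.contains(getRequestingHost())) return null;`, where `caHosts` is a placeholder for the hosts taken from the configured CA URLs. The catch block and the rest of the constructor continue outside this hunk.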
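Review bot: The verifier passed to `new Client(...)` in `_newClient` is now `cert -> true`, so the client trusts any certificate the SCEP endpoint returns as the CA certificate. The removed `//TODO checkIssuer` comment was the only record that this check is still missing. Enrollment requests are then addressed to whoever answered, which matters most if `CA_PREFIX` is not an authenticated transport (its value is not visible here). The lambda should compare against a pinned CA certificate or the trust chain the constructor already requires, for example `cert -> trustedCaCerts.contains(cert)`, where `trustedCaCerts` is a placeholder for a set loaded from that chain. At minimum keep a marker such as `// TODO checkIssuer: verifier currently accepts every certificate`. The `try` body of `_newClient` continues outside this hunk.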
@@ -252,7 +244,7 @@ public class JscepCA extends CA {
 protected void _destroy(Client client) {
 mxcwiC.remove(client);
 }
-
-
+
+
 }
 }