X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=auth%2Fauth-certman%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fauth%2Fcm%2Fca%2FLocalCA.java;h=f7de90ea06bb2f1e464140bab113f577c92c61b5;hb=be1edcb6830745015f5de72e820f40f36dd571ad;hp=b7d78f05ee1721946ce2e99f38a8da890061c626;hpb=4b5a7d721d994a49057e9bfb403c7bff1b376660;p=aaf%2Fauthz.git
diff --git a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
index b7d78f05..f7de90ea 100644
--- a/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
+++ b/auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/LocalCA.java
@@ -7,9 +7,9 @@
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
- *
+ *
 * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -72,86 +72,84 @@ import org.onap.aaf.misc.env.TimeTaken; import org.onap.aaf.misc.env.Trans; public class LocalCA extends CA { - private final static BigInteger ONE = new BigInteger("1"); // Extensions private static final KeyPurposeId[] ASN_WebUsage = new KeyPurposeId[] { KeyPurposeId.id_kp_serverAuth, // WebServer KeyPurposeId.id_kp_clientAuth // WebClient }; - + private final PrivateKey caKey; private final X500Name issuer; - private final SecureRandom random = new SecureRandom(); private BigInteger serial; private final X509ChainWithIssuer x509cwi; // "Cert" is CACert - - + + public LocalCA(Access access, final String name, final String env, final String[][] params) throws IOException, CertException { super(access, name, env); - - serial = new BigInteger(64,random); - if(params.length<1 || params[0].length<2) { + serial = new BigInteger(64,new SecureRandom()); + + if (params.length<1 || params[0].length<2) { throw new IOException("LocalCA expects cm_ca.=org.onap.aaf.auth.cm.ca.LocalCA,[;]+"); } - + // Read in the Private Key String configured; File f = new File(params[0][0]); - if(f.exists() && f.isFile()) { + if (f.exists() && f.isFile()) { String fileName = f.getName(); - if(fileName.endsWith(".key")) { + if (fileName.endsWith(".key")) { caKey = Factory.toPrivateKey(NullTrans.singleton(),f); List frs = new ArrayList<>(params.length-1); try { String dir = access.getProperty(CM_PUBLIC_DIR, ""); - if(!"".equals(dir) && !dir.endsWith("/")) { + if (!"".equals(dir) && !dir.endsWith("/")) { dir = dir + '/'; } String path; - for(int i=1; i; enc:>"); } try { Provider p; KeyStore keyStore; FileInputStream fis = null; - if(fileName.endsWith(".pkcs11")) { + if (fileName.endsWith(".pkcs11")) { String ksType="PKCS11"; p = Factory.getSecurityProvider(ksType,params); keyStore = KeyStore.getInstance(ksType,p); - } else if(fileName.endsWith(".jks")) { + } else if (fileName.endsWith(".jks")) { keyStore = KeyStore.getInstance("JKS"); fis = new FileInputStream(f); - } else 
if(fileName.endsWith(".p12") || fileName.endsWith(".pkcs12")) {
+ } else if (fileName.endsWith(".p12") || fileName.endsWith(".pkcs12")) {
 keyStore = KeyStore.getInstance("PKCS12");
 fis = new FileInputStream(f);
 } else {
 throw new CertException("Unknown Keystore type from filename " + fileName);
 }
-
+
 KeyStore.ProtectionParameter keyPass;
 try {
 String pass = access.decrypt(params[0][2]/*encrypted passcode*/, true);
- if(pass==null) {
+ if (pass==null || pass.isEmpty()) {
 throw new CertException("Passcode for " + fileName + " cannot be decrypted.");
 }
 char[] ksPass = pass.toCharArray();
@@ -160,21 +158,22 @@ public class LocalCA extends CA {
 keyStore.load(fis,ksPass);
 } finally {
- if (fis != null)
+ if (fis != null) {
 fis.close();
+ }
 }
 Entry entry;
- if(fileName.endsWith(".pkcs11")) {
+ if (fileName.endsWith(".pkcs11")) {
 entry = keyStore.getEntry(params[0][1]/*alias*/, null);
 } else {
 entry = keyStore.getEntry(params[0][1]/*alias*/, keyPass);
 }
- if(entry==null) {
+ if (entry==null) {
 throw new CertException("There is no Keystore entry with name '" + params[0][1] +'\'');
 }
 PrivateKeyEntry privateKeyEntry = (PrivateKeyEntry)entry;
 caKey = privateKeyEntry.getPrivateKey();
-
+
 x509cwi = new X509ChainWithIssuer(privateKeyEntry.getCertificateChain());
 configured = "keystore \"" + fileName + "\", alias " + params[0][1];
 } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | UnrecoverableEntryException e) {
@@ -184,11 +183,11 @@ public class LocalCA extends CA {
 } else {
 throw new CertException("Private Key, " + f.getPath() + ", does not exist");
 }
-
+
 X500NameBuilder xnb = new X500NameBuilder();
 List rp = RDN.parse(',', x509cwi.getIssuerDN());
 Collections.reverse(rp);
- for(RDN rnd : rp) {
+ for (RDN rnd : rp) {
 xnb.addRDN(rnd.aoi,rnd.value);
 }
 issuer = xnb.build();
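Review bot: `char[] ksPass = pass.toCharArray();` at the end of this hunk copies the decrypted keystore passcode into an array that nothing in the commit ever clears; once `keyStore.load(fis,ksPass)` and the `getEntry` call in the following hunk have returned it could be wiped with `Arrays.fill(ksPass, '\0');`, and `keyPass` destroyed if it wraps the same array (its construction is not visible in the diff). The `String pass` itself cannot be wiped, so this only shortens how long the secret stays reachable in the heap, but it costs nothing. The new `pass.isEmpty()` branch reuses the message `cannot be decrypted`; `"Passcode for " + fileName + " cannot be decrypted or is empty."` would name both cases. The constructor started in this hunk continues past it, and the `ONE` constant removed at the top is still used by `sign` later in the diff, so it presumably now lives in `CA` — worth confirming.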
@@ -203,18 +202,18 @@ public class LocalCA extends CA { public X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException { GregorianCalendar gc = new GregorianCalendar(); Date start = gc.getTime(); - gc.add(GregorianCalendar.MONTH, 6); + gc.add(GregorianCalendar.MONTH, 12); Date end = gc.getTime(); X509Certificate x509; TimeTaken tt = trans.start("Create/Sign Cert",Env.SUB); try { BigInteger bi; - + synchronized(ONE) { bi = serial; serial = serial.add(ONE); } - + RSAPublicKey rpk = (RSAPublicKey)csrmeta.keypair(trans).getPublic(); X509v3CertificateBuilder xcb = new X509v3CertificateBuilder( issuer, @@ -226,8 +225,14 @@ public class LocalCA extends CA { // new SubjectPublicKeyInfo(ASN1Sequence.getInstance(caCert.getPublicKey().getEncoded())) ); List lsan = new ArrayList<>(); - for(String s : csrmeta.sans()) { - lsan.add(new GeneralName(GeneralName.dNSName,s)); + // Email + lsan.add(new GeneralName(GeneralName.rfc822Name,csrmeta.email())); + for (String s : csrmeta.sans()) { + if(IPV4_PATTERN.matcher(s).matches() || IPV6_PATTERN.matcher(s).matches()) { + lsan.add(new GeneralName(GeneralName.iPAddress,s)); + } else { + lsan.add(new GeneralName(GeneralName.dNSName,s)); + } } GeneralName[] sans = new GeneralName[lsan.size()]; lsan.toArray(sans); @@ -238,7 +243,7 @@ public class LocalCA extends CA { )) .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature - | KeyUsage.keyEncipherment + | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation)) .addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(ASN_WebUsage)) @@ -250,8 +255,8 @@ public class LocalCA extends CA { false, new GeneralNames(sans)) // .addExtension(MiscObjectIdentifiers.netscape, true, new NetscapeCertType( // NetscapeCertType.sslClient|NetscapeCertType.sslClient)) - ; - + ; + x509 = new JcaX509CertificateConverter().getCertificate( xcb.build(BCFactory.contentSigner(caKey))); } catch (GeneralSecurityException|OperatorCreationException e) { 
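Review bot: The validity period is a hard-coded `gc.add(GregorianCalendar.MONTH, 12)`, now twice the previous value, and nothing in the hunk makes it configurable or explains the choice; a named constant such as `private static final int VALIDITY_MONTHS = 12; // lifetime of issued certs` (or a CA property, if the base class exposes one) would make the change reviewable. `Date start = gc.getTime()` also takes notBefore as the current instant with no allowance for clock skew on the relying side; the longer lifetime does not change that, but a comment such as `// notBefore is "now": no backdating for clock skew` would record it. `sign` begins in this hunk and ends outside it.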
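Review bot: The new `lsan.add(new GeneralName(GeneralName.rfc822Name,csrmeta.email()))` adds the email SAN unconditionally; if `csrmeta.email()` can return null or an empty string, the BouncyCastle constructor will, as far as I recall, reject it (its IA5String wrapper does not accept null), so a guard such as `String email = csrmeta.email(); if (email != null && !email.isEmpty()) { lsan.add(new GeneralName(GeneralName.rfc822Name, email)); }` would be safer. `IPV4_PATTERN` and `IPV6_PATTERN` are not defined in any hunk of this file and are presumably inherited from `CA`. The new `if(IPV4_PATTERN.matcher(s).matches() ...` keeps the no-space `if(` style that the rest of this commit replaces with `if (`. The enclosing `sign` method starts in the previous hunk and ends after this one.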
@@ -259,7 +264,7 @@ public class LocalCA extends CA {
 } finally {
 tt.done();
 }
-
+
 return new X509andChain(x509,x509cwi.trustChain);
 }