X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=cadi%2Faaf%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fcadi%2Fconfigure%2FPlaceArtifactInKeystore.java;h=18d74fba6b6c740d2af86b0d39815660feb82a5b;hb=3d1706fcbe7f95830ff6fd23cf679ee55c6d0595;hp=cb282605ee70fd543871ede5fb47bd01a77cd369;hpb=6261a19e61138e861f5c7eaf37835205f19f1fe0;p=aaf%2Fauthz.git
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java
index cb282605..18d74fba 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java
@@ -28,7 +28,6 @@ import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -43,108 +42,126 @@ import certman.v1_0.Artifacts.Artifact;
 import certman.v1_0.CertInfo;
 public class PlaceArtifactInKeystore extends ArtifactDir {
- private String kst;
+ private String kst;
- public PlaceArtifactInKeystore(String kst) {
- this.kst = kst;
- }
+ public PlaceArtifactInKeystore(String kst) {
+ this.kst = kst;
+ }
- @Override
- public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
- File fks = new File(dir,arti.getNs()+'.'+kst);
- try {
- KeyStore jks = KeyStore.getInstance(kst);
- if(fks.exists()) {
- File backup = File.createTempFile(fks.getName()+'.', ".backup",dir);
- fks.renameTo(backup);
- }
+ @Override
+ public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
+ final String ext = (kst==Agent.PKCS12?"p12":kst);
+ File fks = new File(dir,arti.getNs()+'.'+ext);
+ try {
+ KeyStore jks = KeyStore.getInstance(kst);
+ if (fks.exists()) {
+ File backup = File.createTempFile(fks.getName()+'.', ".backup",dir);
+ fks.renameTo(backup);
+ }
- // Get the Cert(s)... Might include Trust store
- Collection certColl = Factory.toX509Certificate(certInfo.getCerts());
- // find where the trusts end in 1.0 API
-
- X509Certificate x509;
- List chainList = new ArrayList<>();
- Set caSet = new HashSet<>();
- for(Certificate c : certColl) {
- x509 = (X509Certificate)c;
- // Is a Root (self-signed, anyway)
- if(x509.getSubjectDN().equals(x509.getIssuerDN())) {
- caSet.add(x509);
- } else {
- chainList.add(x509);
- }
- }
-// chainList.addAll(caSet);
- //Collections.reverse(chainList);
+ // Get the Cert(s)... Might include Trust store
+ Collection certColl = Factory.toX509Certificate(certInfo.getCerts());
+ // find where the trusts end in 1.0 API
+
+ X509Certificate x509;
+ List chainList = new ArrayList<>();
+ Set caSet = new HashSet<>();
+ X509Certificate curr = null;
+ for (Certificate c : certColl) {
+ x509 = (X509Certificate)c;
+ // Is a Root (self-signed, anyway)
+ if (x509.getSubjectDN().equals(x509.getIssuerDN())) {
+ caSet.add(x509);
+ } else {
+ // Expect Certs in Trust Chain Order.
+ if(curr==null) {
+ chainList.add(x509);
+ curr=x509;
+ } else {
+ // Only Add Cert next on the list
+ if(curr.getIssuerDN().equals(x509.getSubjectDN())) {
+ chainList.add(x509);
+ curr=x509;
+ }
+ }
+ }
+ }
- // Properties, etc
- // Add CADI Keyfile Entry to Properties
- addProperty(Config.CADI_KEYFILE,arti.getDir()+'/'+arti.getNs() + ".keyfile");
- // Set Keystore Password
- addProperty(Config.CADI_KEYSTORE,fks.getAbsolutePath());
- String keystorePass = Symm.randomGen(Agent.PASS_SIZE);
- addEncProperty(Config.CADI_KEYSTORE_PASSWORD,keystorePass);
- char[] keystorePassArray = keystorePass.toCharArray();
- jks.load(null,keystorePassArray); // load in
-
- // Add Private Key/Cert Entry for App
- // Note: Java SSL security classes, while having a separate key from keystore,
- // is documented to not actually work.
- // java.security.UnrecoverableKeyException: Cannot recover key
- // You can create a custom Key Manager to make it work, but Practicality
- // dictates that you live with the default, meaning, they are the same
- String keyPass = keystorePass; //Symm.randomGen(CmAgent.PASS_SIZE);
- PrivateKey pk = Factory.toPrivateKey(trans, certInfo.getPrivatekey());
- addEncProperty(Config.CADI_KEY_PASSWORD, keyPass);
- addProperty(Config.CADI_ALIAS, arti.getMechid());
-// Set attribs = new HashSet<>();
-// if(kst.equals("pkcs12")) {
-// // Friendly Name
-// attribs.add(new PKCS12Attribute("1.2.840.113549.1.9.20", arti.getNs()));
-// }
-//
- KeyStore.ProtectionParameter protParam =
- new KeyStore.PasswordProtection(keyPass.toCharArray());
-
- Certificate[] trustChain = new Certificate[chainList.size()];
- chainList.toArray(trustChain);
- KeyStore.PrivateKeyEntry pkEntry =
- new KeyStore.PrivateKeyEntry(pk, trustChain);
- jks.setEntry(arti.getMechid(),
- pkEntry, protParam);
+ // Properties, etc
+ // Add CADI Keyfile Entry to Properties
+ File keyfile = new File(arti.getDir()+'/'+arti.getNs() + ".keyfile");
+ PropHolder props = PropHolder.get(arti, "cred.props");
+ props.add(Config.CADI_KEYFILE,keyfile.getAbsolutePath());
- // Write out
- write(fks,Chmod.to400,jks,keystorePassArray);
-
- // Change out to TrustStore
- fks = new File(dir,arti.getNs()+".trust."+kst);
- if(fks.exists()) {
- File backup = File.createTempFile(fks.getName()+'.', ".backup",dir);
- fks.renameTo(backup);
- }
+ // Set Keystore Password
+ props.add(Config.CADI_KEYSTORE,fks.getAbsolutePath());
+ String keystorePass = Symm.randomGen(Agent.PASS_SIZE);
+ String encP = props.addEnc(Config.CADI_KEYSTORE_PASSWORD,keystorePass);
+ // Since there are now more than one Keystore type, the keystore password property might
+ // be overwritten, making the store useless without key. So we write it specifically
+ // as well.
+ props.add(Config.CADI_KEYSTORE_PASSWORD+'_'+ext,encP);
+ char[] keystorePassArray = keystorePass.toCharArray();
+ jks.load(null,keystorePassArray); // load in
+
+ // Add Private Key/Cert Entry for App
+ // Note: Java SSL security classes, while having a separate key from keystore,
+ // is documented to not actually work.
+ // java.security.UnrecoverableKeyException: Cannot recover key
+ // You can create a custom Key Manager to make it work, but Practicality
+ // dictates that you live with the default, meaning, they are the same
+ String keyPass = keystorePass; //Symm.randomGen(CmAgent.PASS_SIZE);
+ PrivateKey pk = Factory.toPrivateKey(trans, certInfo.getPrivatekey());
+ props.addEnc(Config.CADI_KEY_PASSWORD, keyPass);
+ props.add(Config.CADI_ALIAS, arti.getMechid());
+// Set attribs = new HashSet<>();
+// if (kst.equals("pkcs12")) {
+// // Friendly Name
+// attribs.add(new PKCS12Attribute("1.2.840.113549.1.9.20", arti.getNs()));
+// }
+//
+ KeyStore.ProtectionParameter protParam =
+ new KeyStore.PasswordProtection(keyPass.toCharArray());
+
+ Certificate[] trustChain = new Certificate[chainList.size()];
+ chainList.toArray(trustChain);
+ KeyStore.PrivateKeyEntry pkEntry =
+ new KeyStore.PrivateKeyEntry(pk, trustChain);
+ jks.setEntry(arti.getMechid(),
+ pkEntry, protParam);
- jks = KeyStore.getInstance(kst);
-
- // Set Truststore Password
- addProperty(Config.CADI_TRUSTSTORE,fks.getAbsolutePath());
- String trustStorePass = Symm.randomGen(Agent.PASS_SIZE);
- addEncProperty(Config.CADI_TRUSTSTORE_PASSWORD,trustStorePass);
- char[] truststorePassArray = trustStorePass.toCharArray();
- jks.load(null,truststorePassArray); // load in
-
- // Add Trusted Certificates, but PKCS12 doesn't support
- Certificate[] trustCAs = new Certificate[caSet.size()];
- caSet.toArray(trustCAs);
- for(int i=0; i