X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=cadi%2Faaf%2Fsrc%2Fmain%2Fjava%2Forg%2Fonap%2Faaf%2Fcadi%2Fconfigure%2FPlaceArtifactInKeystore.java;h=67b3df099c6ba3d18608bc2d0a04d3bee9c415ab;hb=355b886d817295d2bca5af28f01576bf4a3ded18;hp=c54139194240b9fbc96e02ec8ff454a11b425f09;hpb=87da9feacd0abb0d60b98cc00c4755121fc73bbb;p=aaf%2Fauthz.git
diff --git a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java
index c5413919..67b3df09 100644
--- a/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java
+++ b/cadi/aaf/src/main/java/org/onap/aaf/cadi/configure/PlaceArtifactInKeystore.java
@@ -42,109 +42,126 @@ import certman.v1_0.Artifacts.Artifact;
 import certman.v1_0.CertInfo;
 public class PlaceArtifactInKeystore extends ArtifactDir {
- private String kst;
+ private String kst;
- public PlaceArtifactInKeystore(String kst) {
- this.kst = kst;
- }
+ public PlaceArtifactInKeystore(String kst) {
+ this.kst = kst;
+ }
- @Override
- public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
- File fks = new File(dir,arti.getNs()+'.'+(kst==Agent.PKCS12?"p12":kst));
- try {
- KeyStore jks = KeyStore.getInstance(kst);
- if(fks.exists()) {
- File backup = File.createTempFile(fks.getName()+'.', ".backup",dir);
- fks.renameTo(backup);
- }
+ @Override
+ public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
+ final String ext = (kst==Agent.PKCS12?"p12":kst);
+ File fks = new File(dir,arti.getNs()+'.'+ext);
+ try {
+ KeyStore jks = KeyStore.getInstance(kst);
+ if (fks.exists()) {
+ File backup = File.createTempFile(fks.getName()+'.', ".backup",dir);
+ fks.renameTo(backup);
+ }
- // Get the Cert(s)... Might include Trust store
- Collection certColl = Factory.toX509Certificate(certInfo.getCerts());
- // find where the trusts end in 1.0 API
-
- X509Certificate x509;
- List chainList = new ArrayList<>();
- Set caSet = new HashSet<>();
- for(Certificate c : certColl) {
- x509 = (X509Certificate)c;
- // Is a Root (self-signed, anyway)
- if(x509.getSubjectDN().equals(x509.getIssuerDN())) {
- caSet.add(x509);
- } else {
- chainList.add(x509);
- }
- }
-// chainList.addAll(caSet);
- //Collections.reverse(chainList);
+ // Get the Cert(s)... Might include Trust store
+ Collection certColl = Factory.toX509Certificate(certInfo.getCerts());
+ // find where the trusts end in 1.0 API
+
+ X509Certificate x509;
+ List chainList = new ArrayList<>();
+ Set caSet = new HashSet<>();
+ X509Certificate curr = null;
+ for (Certificate c : certColl) {
+ x509 = (X509Certificate)c;
+ // Is a Root (self-signed, anyway)
+ if (x509.getSubjectDN().equals(x509.getIssuerDN())) {
+ caSet.add(x509);
+ } else {
+ // Expect Certs in Trust Chain Order.
+ if(curr==null) {
+ chainList.add(x509);
+ curr=x509;
+ } else {
+ // Only Add Cert next on the list
+ if(curr.getIssuerDN().equals(x509.getSubjectDN())) {
+ chainList.add(x509);
+ curr=x509;
+ }
+ }
+ }
+ }
- // Properties, etc
- // Add CADI Keyfile Entry to Properties
- addProperty(Config.CADI_KEYFILE,arti.getDir()+'/'+arti.getNs() + ".keyfile");
- // Set Keystore Password
- addProperty(Config.CADI_KEYSTORE,fks.getAbsolutePath());
- String keystorePass = Symm.randomGen(Agent.PASS_SIZE);
- addEncProperty(Config.CADI_KEYSTORE_PASSWORD,keystorePass);
- char[] keystorePassArray = keystorePass.toCharArray();
- jks.load(null,keystorePassArray); // load in
-
- // Add Private Key/Cert Entry for App
- // Note: Java SSL security classes, while having a separate key from keystore,
- // is documented to not actually work.
- // java.security.UnrecoverableKeyException: Cannot recover key
- // You can create a custom Key Manager to make it work, but Practicality
- // dictates that you live with the default, meaning, they are the same
- String keyPass = keystorePass; //Symm.randomGen(CmAgent.PASS_SIZE);
- PrivateKey pk = Factory.toPrivateKey(trans, certInfo.getPrivatekey());
- addEncProperty(Config.CADI_KEY_PASSWORD, keyPass);
- addProperty(Config.CADI_ALIAS, arti.getMechid());
-// Set attribs = new HashSet<>();
-// if(kst.equals("pkcs12")) {
-// // Friendly Name
-// attribs.add(new PKCS12Attribute("1.2.840.113549.1.9.20", arti.getNs()));
-// }
-//
- KeyStore.ProtectionParameter protParam =
- new KeyStore.PasswordProtection(keyPass.toCharArray());
-
- Certificate[] trustChain = new Certificate[chainList.size()];
- chainList.toArray(trustChain);
- KeyStore.PrivateKeyEntry pkEntry =
- new KeyStore.PrivateKeyEntry(pk, trustChain);
- jks.setEntry(arti.getMechid(),
- pkEntry, protParam);
+ // Properties, etc
+ // Add CADI Keyfile Entry to Properties
+ File keyfile = new File(arti.getDir()+'/'+arti.getNs() + ".keyfile");
+ PropHolder props = PropHolder.get(arti, "cred.props");
+ props.add(Config.CADI_KEYFILE,keyfile.getAbsolutePath());
- // Write out
- write(fks,Chmod.to400,jks,keystorePassArray);
-
- // Change out to TrustStore
- // NOTE: PKCS12 does NOT support Trusted Entries. Put in JKS Always
- fks = new File(dir,arti.getNs()+".trust.jks");
- if(fks.exists()) {
- File backup = File.createTempFile(fks.getName()+'.', ".backup",dir);
- fks.renameTo(backup);
- }
+ // Set Keystore Password
+ props.add(Config.CADI_KEYSTORE,fks.getAbsolutePath());
+ String keystorePass = Symm.randomGen(Agent.PASS_SIZE);
+ String encP = props.addEnc(Config.CADI_KEYSTORE_PASSWORD,keystorePass);
+ // Since there are now more than one Keystore type, the keystore password property might
+ // be overwritten, making the store useless without key. So we write it specifically
+ // as well.
+ props.add(Config.CADI_KEYSTORE_PASSWORD+'_'+ext,encP);
+ char[] keystorePassArray = keystorePass.toCharArray();
+ jks.load(null,keystorePassArray); // load in
+
+ // Add Private Key/Cert Entry for App
+ // Note: Java SSL security classes, while having a separate key from keystore,
+ // is documented to not actually work.
+ // java.security.UnrecoverableKeyException: Cannot recover key
+ // You can create a custom Key Manager to make it work, but Practicality
+ // dictates that you live with the default, meaning, they are the same
+ String keyPass = keystorePass; //Symm.randomGen(CmAgent.PASS_SIZE);
+ PrivateKey pk = Factory.toPrivateKey(trans, certInfo.getPrivatekey());
+ props.addEnc(Config.CADI_KEY_PASSWORD, keyPass);
+ props.add(Config.CADI_ALIAS, arti.getMechid());
+// Set attribs = new HashSet<>();
+// if (kst.equals("pkcs12")) {
+// // Friendly Name
+// attribs.add(new PKCS12Attribute("1.2.840.113549.1.9.20", arti.getNs()));
+// }
+//
+ KeyStore.ProtectionParameter protParam =
+ new KeyStore.PasswordProtection(keyPass.toCharArray());
+
+ Certificate[] trustChain = new Certificate[chainList.size()];
+ chainList.toArray(trustChain);
+ KeyStore.PrivateKeyEntry pkEntry =
+ new KeyStore.PrivateKeyEntry(pk, trustChain);
+ jks.setEntry(arti.getMechid(),
+ pkEntry, protParam);
- jks = KeyStore.getInstance(Agent.JKS);
-
- // Set Truststore Password
- addProperty(Config.CADI_TRUSTSTORE,fks.getAbsolutePath());
- String trustStorePass = Symm.randomGen(Agent.PASS_SIZE);
- addEncProperty(Config.CADI_TRUSTSTORE_PASSWORD,trustStorePass);
- char[] truststorePassArray = trustStorePass.toCharArray();
- jks.load(null,truststorePassArray); // load in
-
- // Add Trusted Certificates, but PKCS12 doesn't support
- Certificate[] trustCAs = new Certificate[caSet.size()];
- caSet.toArray(trustCAs);
- for(int i=0; i