Merge "[OOM-CERT-SERVICE] Add handling cmp response when PBM value is missing."
authorBogumil Zebek <bogumil.zebek@nokia.com>
Thu, 1 Jul 2021 09:32:09 +0000 (09:32 +0000)
committerGerrit Code Review <gerrit@onap.org>
Thu, 1 Jul 2021 09:32:09 +0000 (09:32 +0000)
certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java

@@@ -39,6 -39,7 +39,7 @@@ import java.util.Date
  import java.util.Objects;
  import java.util.Optional;
  import org.apache.http.impl.client.CloseableHttpClient;
+ import org.bouncycastle.asn1.ASN1ObjectIdentifier;
  import org.bouncycastle.asn1.cmp.CMPCertificate;
  import org.bouncycastle.asn1.cmp.CertRepMessage;
  import org.bouncycastle.asn1.cmp.CertResponse;
@@@ -67,6 -68,7 +68,7 @@@ public class CmpClientImpl implements C
  
      private static final String DEFAULT_CA_NAME = "Certification Authority";
      private static final String DEFAULT_PROFILE = CaMode.RA.getProfile();
+     private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC = new ASN1ObjectIdentifier("1.2.840.113533.7.66.13");
  
      public CmpClientImpl(CloseableHttpClient httpClient) {
          this.httpClient = httpClient;
@@@ -83,8 -85,6 +85,8 @@@
          validate(csrModel, server, httpClient, notBefore, notAfter);
          KeyPair keyPair = new KeyPair(csrModel.getPublicKey(), csrModel.getPrivateKey());
  
 +        final String iak = server.getAuthentication().getIak();
 +        final PkiMessageProtection pkiMessageProtection = new PasswordBasedProtection(iak);
          final CreateCertRequest certRequest =
                  CmpMessageBuilder.of(CreateCertRequest::new)
                          .with(CreateCertRequest::setIssuerDn, server.getIssuerDN())
@@@ -93,8 -93,8 +95,8 @@@
                          .with(CreateCertRequest::setSubjectKeyPair, keyPair)
                          .with(CreateCertRequest::setNotBefore, notBefore)
                          .with(CreateCertRequest::setNotAfter, notAfter)
 -                        .with(CreateCertRequest::setInitAuthPassword, server.getAuthentication().getIak())
                          .with(CreateCertRequest::setSenderKid, server.getAuthentication().getRv())
 +                        .with(CreateCertRequest::setProtection, pkiMessageProtection)
                          .build();
  
          final PKIMessage pkiMessage = certRequest.generateCertReq();
          final PKIHeader header = respPkiMessage.getHeader();
          final AlgorithmIdentifier protectionAlgo = header.getProtectionAlg();
          verifySignatureWithPublicKey(respPkiMessage, publicKey);
-         verifyProtectionWithProtectionAlgo(respPkiMessage, initAuthPassword, header, protectionAlgo);
+         if (isPasswordBasedMacAlgorithm(protectionAlgo)) {
+             LOG.info("CMP response is protected by Password Base Mac Algorithm. Attempt to verify protection");
+             verifyPasswordBasedMacProtection(respPkiMessage, initAuthPassword, header, protectionAlgo);
+         }
+     }
+     private boolean isPasswordBasedMacAlgorithm(AlgorithmIdentifier protectionAlgo) throws CmpClientException {
+         if (Objects.isNull(protectionAlgo)) {
+             LOG.error("CMP response does not contain Protection Algorithm field");
+             throw new CmpClientException("CMP response does not contain Protection Algorithm field");
+         }
+         return PASSWORD_BASED_MAC.equals(protectionAlgo.getAlgorithm());
      }
  
      private void verifySignatureWithPublicKey(PKIMessage respPkiMessage, PublicKey publicKey)
          }
      }
  
-     private void verifyProtectionWithProtectionAlgo(
-             PKIMessage respPkiMessage,
-             String initAuthPassword,
-             PKIHeader header,
-             AlgorithmIdentifier protectionAlgo)
-             throws CmpClientException {
-         if (Objects.nonNull(protectionAlgo)) {
-             LOG.debug("Verifying PasswordBased Protection of the Response.");
-             verifyPasswordBasedProtection(respPkiMessage, initAuthPassword, protectionAlgo);
-             checkImplicitConfirm(header);
-         } else {
-             LOG.error(
-                     "Protection Algorithm is not available when expecting PBE protected response containing protection algorithm");
-             throw new CmpClientException(
-                     "Protection Algorithm is not available when expecting PBE protected response containing protection algorithm");
-         }
+     private void verifyPasswordBasedMacProtection(PKIMessage respPkiMessage, String initAuthPassword,
+         PKIHeader header, AlgorithmIdentifier protectionAlgo)
+         throws CmpClientException {
+         LOG.debug("Verifying PasswordBased Protection of the Response.");
+         verifyPasswordBasedProtection(respPkiMessage, initAuthPassword, protectionAlgo);
+         checkImplicitConfirm(header);
      }
  
      private Cmpv2CertificationModel checkCmpCertRepMessage(final PKIMessage respPkiMessage)
      }
  
      private void logServerResponse(CertResponse certResponse) {
 -        LOG.info("Response status code: {}", certResponse.getStatus().getStatus().toString());
 +        if (LOG.isInfoEnabled()) {
 +            LOG.info("Response status code: {}", certResponse.getStatus().getStatus());
 +        }
          if (certResponse.getStatus().getStatusString() != null) {
              String serverMessage = certResponse.getStatus().getStatusString().getStringAt(0).getString();
              LOG.warn("Response status text: {}", serverMessage);
          }
 -        if (certResponse.getStatus().getFailInfo() != null) {
 -            LOG.warn("Response fail info:   {}", certResponse.getStatus().getFailInfo().toString());
 +        if (LOG.isWarnEnabled() && certResponse.getStatus().getFailInfo() != null) {
 +            LOG.warn("Response fail info:   {}", certResponse.getStatus().getFailInfo());
          }
      }
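Review bot: The new `if (isPasswordBasedMacAlgorithm(protectionAlgo))` block leaves a response whose protection algorithm is present but not PBM with no MAC verification and without `checkImplicitConfirm(header)`, whereas the removed verifyProtectionWithProtectionAlgo ran both for every response; whether `verifySignatureWithPublicKey` on the preceding line is enough for that case cannot be judged here, since its body and the start of the enclosing method lie outside the hunk. Make the non-PBM path explicit instead of silent, e.g. `} else { LOG.warn("CMP response protection algorithm {} is not PBM; relying on signature verification only", protectionAlgo.getAlgorithm()); checkImplicitConfirm(header); }`, or throw a CmpClientException for any algorithm other than the ones the client actually verifies. Minor: the log text `Password Base Mac Algorithm` should read `Password Based MAC algorithm`, and the closing brace of that method is immediately followed by isPasswordBasedMacAlgorithm with no blank line between the two methods.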