From 4a3dd4e2da2cd120e65a6705f03fc3a3c9537d3b Mon Sep 17 00:00:00 2001 From: Piotr Marcinkiewicz Date: Wed, 23 Jun 2021 16:40:34 +0200 Subject: [PATCH] [OOM-CERT-SERVICE] Implement signature PKIMessage protection - Add signature protection - Refactor password-based protection code - Add JUnit tests Issue-ID: OOM-2753 Signed-off-by: Piotr Marcinkiewicz Change-Id: I398568a35e52a816c32646c8915db5c287ede401 --- .../certservice/certification/model/CsrModel.java | 1 + .../cmpv2client/impl/CmpClientImpl.java | 4 +- .../cmpv2client/impl/CmpMessageHelper.java | 78 +---------- .../oom/certservice/cmpv2client/impl/CmpUtil.java | 13 +- .../cmpv2client/impl/CreateCertRequest.java | 17 ++- .../cmpv2client/impl/PasswordBasedProtection.java | 100 +++++++++++++ .../cmpv2client/impl/PkiMessageProtection.java | 76 ++++++++++ .../cmpv2client/impl/SignatureProtection.java | 63 +++++++++ .../impl/PasswordBasedProtectionTest.java | 154 +++++++++++++++++++++ .../certservice/cmpv2client/impl/PkiTestUtils.java | 101 ++++++++++++++ .../cmpv2client/impl/SignatureProtectionTest.java | 94 +++++++++++++ 11 files changed, 611 insertions(+), 90 deletions(-) create mode 100644 certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java create mode 100644 certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java create mode 100644 certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java create mode 100644 certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtectionTest.java create mode 100644 certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PkiTestUtils.java create mode 100644 certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtectionTest.java diff --git a/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java b/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java index 2573c978..03d1a9d2 100644 --- a/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java +++ b/certService/src/main/java/org/onap/oom/certservice/certification/model/CsrModel.java @@ -154,6 +154,7 @@ public class CsrModel { throw new KeyDecryptionException("Converting Private Key failed", e.getCause()); } } + private PublicKey convertingPemPublicKeyToJavaSecurityPublicKey(PemObject publicKey) throws KeyDecryptionException { try { diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java index 38e7e3f8..68b78f23 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpClientImpl.java @@ -83,6 +83,8 @@ public class CmpClientImpl implements CmpClient { validate(csrModel, server, httpClient, notBefore, notAfter); KeyPair keyPair = new KeyPair(csrModel.getPublicKey(), csrModel.getPrivateKey()); + final String iak = server.getAuthentication().getIak(); + final PkiMessageProtection pkiMessageProtection = new PasswordBasedProtection(iak); final CreateCertRequest certRequest = CmpMessageBuilder.of(CreateCertRequest::new) .with(CreateCertRequest::setIssuerDn, server.getIssuerDN()) @@ -91,8 +93,8 @@ public class CmpClientImpl implements CmpClient { .with(CreateCertRequest::setSubjectKeyPair, keyPair) .with(CreateCertRequest::setNotBefore, notBefore) .with(CreateCertRequest::setNotAfter, notAfter) - .with(CreateCertRequest::setInitAuthPassword, server.getAuthentication().getIak()) .with(CreateCertRequest::setSenderKid, server.getAuthentication().getRv()) + .with(CreateCertRequest::setProtection, pkiMessageProtection) .build(); final PKIMessage pkiMessage = certRequest.generateCertReq(); diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java index 0255b82e..c4be54ce 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java @@ -1,6 +1,7 @@ /*- * ============LICENSE_START======================================================= * Copyright (C) 2020 Nordix Foundation. + * Copyright (C) 2021 Nokia. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,34 +21,22 @@ package org.onap.oom.certservice.cmpv2client.impl; -import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generateProtectedBytes; - import java.io.ByteArrayOutputStream; import java.io.IOException; import java.security.InvalidKeyException; import java.security.KeyPair; -import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.Signature; import java.security.SignatureException; import java.util.Date; -import javax.crypto.Mac; -import javax.crypto.SecretKey; -import javax.crypto.spec.SecretKeySpec; import org.bouncycastle.asn1.ASN1EncodableVector; -import org.bouncycastle.asn1.ASN1Integer; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.asn1.DERBitString; -import org.bouncycastle.asn1.DEROctetString; import org.bouncycastle.asn1.DEROutputStream; import org.bouncycastle.asn1.DERSequence; import org.bouncycastle.asn1.DERTaggedObject; -import org.bouncycastle.asn1.cmp.PBMParameter; -import org.bouncycastle.asn1.cmp.PKIBody; -import org.bouncycastle.asn1.cmp.PKIHeader; -import org.bouncycastle.asn1.cmp.PKIMessage; import org.bouncycastle.asn1.crmf.CertRequest; import org.bouncycastle.asn1.crmf.OptionalValidity; import org.bouncycastle.asn1.crmf.POPOSigningKey; @@ -71,12 +60,6 @@ import org.slf4j.LoggerFactory; public final class CmpMessageHelper { private static final Logger LOG = LoggerFactory.getLogger(CmpMessageHelper.class); - private static final AlgorithmIdentifier OWF_ALGORITHM = - new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26")); - private static final AlgorithmIdentifier MAC_ALGORITHM = - new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2")); - private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC = - new ASN1ObjectIdentifier("1.2.840.113533.7.66.13"); private static final boolean CRITICAL_FALSE = false; private CmpMessageHelper() { @@ -172,65 +155,6 @@ public final class CmpMessageHelper { return proofOfPossession; } - /** - * Generic code to create Algorithm Identifier for protection of PKIMessage. - * - * @return Algorithm Identifier - */ - public static AlgorithmIdentifier protectionAlgoIdentifier(int iterations, byte[] salt) { - ASN1Integer iteration = new ASN1Integer(iterations); - DEROctetString derSalt = new DEROctetString(salt); - - PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM); - return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp); - } - - /** - * Adds protection to the PKIMessage via a specified protection algorithm. - * - * @param password password used to authenticate PkiMessage with external CA - * @param pkiHeader Header of PKIMessage containing generic details for any PKIMessage - * @param pkiBody Body of PKIMessage containing specific details for certificate request - * @return Protected Pki Message - * @throws CmpClientException Wraps several exceptions into one general-purpose exception. - */ - public static PKIMessage protectPkiMessage( - PKIHeader pkiHeader, PKIBody pkiBody, String password, int iterations, byte[] salt) - throws CmpClientException { - - byte[] raSecret = password.getBytes(); - byte[] basekey = new byte[raSecret.length + salt.length]; - System.arraycopy(raSecret, 0, basekey, 0, raSecret.length); - System.arraycopy(salt, 0, basekey, raSecret.length, salt.length); - byte[] out; - try { - MessageDigest dig = - MessageDigest.getInstance( - OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME); - for (int i = 0; i < iterations; i++) { - basekey = dig.digest(basekey); - dig.reset(); - } - byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody); - Mac mac = - Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME); - SecretKey key = new SecretKeySpec(basekey, MAC_ALGORITHM.getAlgorithm().getId()); - mac.init(key); - mac.reset(); - mac.update(protectedBytes, 0, protectedBytes.length); - out = mac.doFinal(); - } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeyException ex) { - CmpClientException cmpClientException = - new CmpClientException( - "Exception occurred while generating proof of possession for PKIMessage", ex); - LOG.error("Exception occured while generating the proof of possession for PKIMessage"); - throw cmpClientException; - } - DERBitString bs = new DERBitString(out); - - return new PKIMessage(pkiHeader, pkiBody, bs); - } - private static KeyUsage getKeyUsage() { return new KeyUsage( KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation); diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java index 281f6f5e..8912e88c 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java @@ -1,6 +1,7 @@ /*- * ============LICENSE_START======================================================= * Copyright (C) 2020 Nordix Foundation. + * Copyright (C) 2021 Nokia. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -29,6 +30,7 @@ import java.util.Objects; import org.bouncycastle.asn1.ASN1Encodable; import org.bouncycastle.asn1.ASN1EncodableVector; import org.bouncycastle.asn1.ASN1GeneralizedTime; +import org.bouncycastle.asn1.ASN1OctetString; import org.bouncycastle.asn1.DEROctetString; import org.bouncycastle.asn1.DEROutputStream; import org.bouncycastle.asn1.DERSequence; @@ -127,12 +129,13 @@ public final class CmpUtil { } /** - * Generates a PKIHeader Builder object. + * Generates a PKIHeader object. * * @param subjectDn distinguished name of Subject * @param issuerDn distinguished name of external CA * @param protectionAlg protection Algorithm used to protect PKIMessage - * @return PKIHeaderBuilder + * @param senderKid sender identifier for receiver used for verification + * @return PKIHeader */ static PKIHeader generatePkiHeader( X500Name subjectDn, X500Name issuerDn, AlgorithmIdentifier protectionAlg, String senderKid) { @@ -146,8 +149,12 @@ public final class CmpUtil { pkiHeaderBuilder.setTransactionID(new DEROctetString(createRandomBytes())); pkiHeaderBuilder.setProtectionAlg(protectionAlg); pkiHeaderBuilder.setGeneralInfo(new InfoTypeAndValue(CMPObjectIdentifiers.it_implicitConfirm)); - pkiHeaderBuilder.setSenderKID(new DEROctetString(senderKid.getBytes())); + pkiHeaderBuilder.setSenderKID(mapToAsn1OctetString(senderKid)); return pkiHeaderBuilder.build(); } + + private static ASN1OctetString mapToAsn1OctetString(String string) { + return string != null ? new DEROctetString(string.getBytes()) : null; + } } diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java index d277a204..0ed493b7 100644 --- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CreateCertRequest.java @@ -1,6 +1,7 @@ /*- * ============LICENSE_START======================================================= * Copyright (C) 2020 Nordix Foundation. + * Copyright (C) 2021 Nokia. * ================================================================================ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -20,7 +21,6 @@ package org.onap.oom.certservice.cmpv2client.impl; -import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomBytes; import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomInt; import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generatePkiHeader; @@ -28,6 +28,7 @@ import java.security.KeyPair; import java.util.Date; import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.DERBitString; import org.bouncycastle.asn1.cmp.PKIBody; import org.bouncycastle.asn1.cmp.PKIHeader; import org.bouncycastle.asn1.cmp.PKIMessage; @@ -49,17 +50,15 @@ import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException; */ class CreateCertRequest { + private PkiMessageProtection pkiMessageProtection; private X500Name issuerDn; private X500Name subjectDn; private GeneralName[] sansArray; private KeyPair subjectKeyPair; private Date notBefore; private Date notAfter; - private String initAuthPassword; private String senderKid; - private static final int ITERATIONS = createRandomInt(1000); - private static final byte[] SALT = createRandomBytes(); private final int certReqId = createRandomInt(Integer.MAX_VALUE); private final AlgorithmIdentifier signingAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder() .find("SHA256withRSA"); @@ -88,8 +87,8 @@ class CreateCertRequest { this.notAfter = notAfter; } - public void setInitAuthPassword(String initAuthPassword) { - this.initAuthPassword = initAuthPassword; + public void setProtection(PkiMessageProtection pkiMessageProtection) { + this.pkiMessageProtection = pkiMessageProtection; } public void setSenderKid(String senderKid) { @@ -126,11 +125,11 @@ class CreateCertRequest { generatePkiHeader( subjectDn, issuerDn, - CmpMessageHelper.protectionAlgoIdentifier(ITERATIONS, SALT), + pkiMessageProtection.getAlgorithmIdentifier(), senderKid); final PKIBody pkiBody = new PKIBody(PKIBody.TYPE_INIT_REQ, certReqMessages); - return CmpMessageHelper.protectPkiMessage( - pkiHeader, pkiBody, initAuthPassword, ITERATIONS, SALT); + final DERBitString messageProtection = this.pkiMessageProtection.generatePkiMessageProtection(pkiHeader, pkiBody); + return new PKIMessage(pkiHeader, pkiBody, messageProtection); } } diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java new file mode 100644 index 00000000..621415c0 --- /dev/null +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtection.java @@ -0,0 +1,100 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nokia. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.oom.certservice.cmpv2client.impl; + +import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.cmp.PBMParameter; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.jce.provider.BouncyCastleProvider; + +import javax.crypto.Mac; +import javax.crypto.SecretKey; +import javax.crypto.spec.SecretKeySpec; +import java.security.GeneralSecurityException; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; + +import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomBytes; +import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.createRandomInt; + +/** + * Implementation of password-based PKIMessage protection + */ +public class PasswordBasedProtection extends PkiMessageProtection { + + private static final int ITERATIONS = createRandomInt(1000); + private static final byte[] SALT = createRandomBytes(); + private static final AlgorithmIdentifier OWF_ALGORITHM = + new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26")); + private static final AlgorithmIdentifier MAC_ALGORITHM = + new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2")); + private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC = + new ASN1ObjectIdentifier("1.2.840.113533.7.66.13"); + + private final String initAuthPassword; + + PasswordBasedProtection(String initAuthPassword) { + this.initAuthPassword = initAuthPassword; + } + + @Override + AlgorithmIdentifier getAlgorithmIdentifier() { + ASN1Integer iteration = new ASN1Integer(ITERATIONS); + DEROctetString derSalt = new DEROctetString(SALT); + + PBMParameter pp = new PBMParameter(derSalt, OWF_ALGORITHM, iteration, MAC_ALGORITHM); + return new AlgorithmIdentifier(PASSWORD_BASED_MAC, pp); + } + + @Override + byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException { + byte[] baseKey = generateBaseKey(); + return generateMacBytes(baseKey, protectedBytes); + } + + private byte[] generateBaseKey() throws NoSuchAlgorithmException, NoSuchProviderException { + byte[] raSecret = initAuthPassword.getBytes(); + byte[] baseKey = new byte[raSecret.length + SALT.length]; + System.arraycopy(raSecret, 0, baseKey, 0, raSecret.length); + System.arraycopy(SALT, 0, baseKey, raSecret.length, SALT.length); + MessageDigest dig = + MessageDigest.getInstance( + OWF_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME); + for (int i = 0; i < ITERATIONS; i++) { + baseKey = dig.digest(baseKey); + dig.reset(); + } + return baseKey; + } + + private byte[] generateMacBytes(byte[] baseKey, byte[] protectedBytes) throws GeneralSecurityException { + Mac mac = Mac.getInstance(MAC_ALGORITHM.getAlgorithm().getId(), BouncyCastleProvider.PROVIDER_NAME); + SecretKey key = new SecretKeySpec(baseKey, MAC_ALGORITHM.getAlgorithm().getId()); + mac.init(key); + mac.reset(); + mac.update(protectedBytes, 0, protectedBytes.length); + return mac.doFinal(); + } + +} diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java new file mode 100644 index 00000000..d32ed588 --- /dev/null +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/PkiMessageProtection.java @@ -0,0 +1,76 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nokia. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.oom.certservice.cmpv2client.impl; + +import org.bouncycastle.asn1.DERBitString; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.bouncycastle.asn1.cmp.PKIHeader; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.security.GeneralSecurityException; + +import static org.onap.oom.certservice.cmpv2client.impl.CmpUtil.generateProtectedBytes; + +/** + * Representation of PKIMessage protection. Complies with RFC4210 (Certificate Management Protocol + * (CMP)) and RFC4211 (Certificate Request Message Format (CRMF)) standards. + */ +public abstract class PkiMessageProtection { + + private static final Logger LOG = LoggerFactory.getLogger(PkiMessageProtection.class); + + /** + * Takes PKIHeader and PKIBody as parameters and generates protection bytes. + * + * @return bytes representing protection wrapped into DERBitString object. + */ + DERBitString generatePkiMessageProtection(PKIHeader pkiHeader, PKIBody pkiBody) throws CmpClientException { + try { + byte[] protectedBytes = generateProtectedBytes(pkiHeader, pkiBody); + byte[] protectionBytes = generateProtectionBytes(protectedBytes); + return new DERBitString(protectionBytes); + } catch (GeneralSecurityException ex) { + CmpClientException cmpClientException = + new CmpClientException( + "Exception occurred while generating protection for PKIMessage", ex); + LOG.error("Exception occurred while generating the protection for PKIMessage"); + throw cmpClientException; + } + } + + /** + * Takes encoded bytes of PKIMessage (PKIHeader and PKIBody) and generates protection bytes. + * + * @return bytes representing protection. + */ + abstract byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException; + + /** + * Returns Algorithm Identifier for protection of PKIMessage. + * + * @return Algorithm Identifier. + */ + abstract AlgorithmIdentifier getAlgorithmIdentifier(); + +} diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java new file mode 100644 index 00000000..ad778430 --- /dev/null +++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtection.java @@ -0,0 +1,63 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nokia. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.oom.certservice.cmpv2client.impl; + + +import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; + +import java.security.GeneralSecurityException; +import java.security.PrivateKey; +import java.security.Signature; + +/** + * Implementation of signature PKIMessage protection + */ +public class SignatureProtection extends PkiMessageProtection { + + private static final AlgorithmIdentifier SHA256_RSA_ALGORITHM = new DefaultSignatureAlgorithmIdentifierFinder() + .find("SHA256withRSA"); + + private final PrivateKey oldPrivateKey; + + SignatureProtection(PrivateKey privateKey) { + this.oldPrivateKey = privateKey; + } + + @Override + AlgorithmIdentifier getAlgorithmIdentifier() { + return SHA256_RSA_ALGORITHM; + } + + @Override + byte[] generateProtectionBytes(byte[] protectedBytes) throws GeneralSecurityException { + Signature signature = + Signature.getInstance( + PKCSObjectIdentifiers.sha256WithRSAEncryption.getId(), + BouncyCastleProvider.PROVIDER_NAME); + signature.initSign(oldPrivateKey); + signature.update(protectedBytes, 0, protectedBytes.length); + return signature.sign(); + } + +} diff --git a/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtectionTest.java b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtectionTest.java new file mode 100644 index 00000000..b280a2e6 --- /dev/null +++ b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PasswordBasedProtectionTest.java @@ -0,0 +1,154 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nokia. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.oom.certservice.cmpv2client.impl; + +import org.bouncycastle.asn1.ASN1ObjectIdentifier; +import org.bouncycastle.asn1.DERBitString; +import org.bouncycastle.asn1.DEROctetString; +import org.bouncycastle.asn1.cmp.PBMParameter; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.bouncycastle.asn1.cmp.PKIHeader; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cert.cmp.CMPException; +import org.bouncycastle.cert.cmp.ProtectedPKIMessage; +import org.bouncycastle.cert.crmf.PKMACBuilder; +import org.bouncycastle.cert.crmf.jcajce.JcePKMACValuesCalculator; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.ValueSource; +import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException; + +import java.security.Security; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getProtectedPkiMessage; +import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getTestPkiHeader; + +class PasswordBasedProtectionTest { + + private static final ASN1ObjectIdentifier PASSWORD_BASED_MAC = new ASN1ObjectIdentifier("1.2.840.113533.7.66.13"); + private static final AlgorithmIdentifier SHA_1_ALGORITHM = new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.14.3.2.26")); + private static final AlgorithmIdentifier H_MAC_SHA_1_ALGORITHM = new AlgorithmIdentifier(new ASN1ObjectIdentifier("1.3.6.1.5.5.8.1.2")); + private static final int MIN_ITERATION_COUNT = 1000; + private static final int MAX_ITERATION_COUNT = 2000; + private static final int SALT_LENGTH = 16; + + @BeforeAll + static void setUp() { + Security.addProvider(new BouncyCastleProvider()); + } + + @AfterAll + static void clean() { + Security.removeProvider("BC"); + } + + @Test + void shouldReturnPasswordBasedMacAlgorithmWhenGetAlgorithmMethodCalled() { + //Given + PasswordBasedProtection protection = new PasswordBasedProtection(null); + //When + AlgorithmIdentifier algorithmIdentifier = protection.getAlgorithmIdentifier(); + //Then + assertEquals(PASSWORD_BASED_MAC, algorithmIdentifier.getAlgorithm()); + } + + @Test + void shouldSetPasswordBasedParametersWhenGetAlgorithmMethodCalled() { + //Given + PasswordBasedProtection protection = new PasswordBasedProtection(null); + //When + AlgorithmIdentifier algorithmIdentifier = protection.getAlgorithmIdentifier(); + //Then + assertTrue(algorithmIdentifier.getParameters() instanceof PBMParameter); + } + + @Test + void shouldSetSha1ForOwfWhenGetAlgorithmMethodCalled() { + //Given + PasswordBasedProtection protection = new PasswordBasedProtection(null); + //When + AlgorithmIdentifier algorithmIdentifier = protection.getAlgorithmIdentifier(); + //Then + PBMParameter pbmParameters = (PBMParameter) algorithmIdentifier.getParameters(); + assertEquals(SHA_1_ALGORITHM, pbmParameters.getOwf()); + } + + @Test + void shouldSetHMacSha1ForMacWhenGetAlgorithmMethodCalled() { + //Given + PasswordBasedProtection protection = new PasswordBasedProtection(null); + //When + AlgorithmIdentifier algorithmIdentifier = protection.getAlgorithmIdentifier(); + //Then + PBMParameter pbmParameters = (PBMParameter) algorithmIdentifier.getParameters(); + assertEquals(H_MAC_SHA_1_ALGORITHM, pbmParameters.getMac()); + } + + @Test + void shouldSetSaltWhenGetAlgorithmMethodCalled() { + //Given + PasswordBasedProtection protection = new PasswordBasedProtection(null); + //When + AlgorithmIdentifier algorithmIdentifier = protection.getAlgorithmIdentifier(); + //Then + PBMParameter pbmParameters = (PBMParameter) algorithmIdentifier.getParameters(); + assertTrue(pbmParameters.getSalt() instanceof DEROctetString); + DEROctetString salt = (DEROctetString) pbmParameters.getSalt(); + assertEquals(SALT_LENGTH, salt.getOctets().length); + } + + @Test + void shouldSetIterationCountWhenGetAlgorithmMethodCalled() { + //Given + PasswordBasedProtection protection = new PasswordBasedProtection(null); + //When + AlgorithmIdentifier algorithmIdentifier = protection.getAlgorithmIdentifier(); + //Then + PBMParameter pbmParameters = (PBMParameter) algorithmIdentifier.getParameters(); + assertNotNull(pbmParameters.getIterationCount()); + long iterationCount = pbmParameters.getIterationCount().getValue().longValue(); + assertTrue(MIN_ITERATION_COUNT <= iterationCount && iterationCount < MAX_ITERATION_COUNT, + "Iteration count not in range"); + } + + @ParameterizedTest + @ValueSource(strings = {"test", "123"}) + void shouldReturnProtectionByPasswordWhenGenerateProtectionMethodCalled(String initAuthPassword) + throws CmpClientException, CMPException { + //Given + PasswordBasedProtection protection = new PasswordBasedProtection(initAuthPassword); + PKIHeader pkiHeader = getTestPkiHeader(protection.getAlgorithmIdentifier()); + PKIBody pkiBody = PkiTestUtils.getTestPkiBody(SHA_1_ALGORITHM); + //When + DERBitString messageProtection = protection.generatePkiMessageProtection(pkiHeader, pkiBody); + //Then + ProtectedPKIMessage protectedPkiMessage = getProtectedPkiMessage(pkiHeader, pkiBody, messageProtection); + PKMACBuilder pkMacBuilder = new PKMACBuilder(new JcePKMACValuesCalculator()); + assertTrue(protectedPkiMessage.verify(pkMacBuilder, initAuthPassword.toCharArray())); + } + +} diff --git a/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PkiTestUtils.java b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PkiTestUtils.java new file mode 100644 index 00000000..7f7df455 --- /dev/null +++ b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/PkiTestUtils.java @@ -0,0 +1,101 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nokia. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.oom.certservice.cmpv2client.impl; + +import org.bouncycastle.asn1.DERBitString; +import org.bouncycastle.asn1.DERGeneralizedTime; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.bouncycastle.asn1.cmp.PKIHeader; +import org.bouncycastle.asn1.cmp.PKIHeaderBuilder; +import org.bouncycastle.asn1.cmp.PKIMessage; +import org.bouncycastle.asn1.crmf.CertReqMessages; +import org.bouncycastle.asn1.crmf.CertReqMsg; +import org.bouncycastle.asn1.crmf.CertRequest; +import org.bouncycastle.asn1.crmf.CertTemplateBuilder; +import org.bouncycastle.asn1.x500.X500Name; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.asn1.x509.GeneralName; +import org.bouncycastle.cert.cmp.GeneralPKIMessage; +import org.bouncycastle.cert.cmp.ProtectedPKIMessage; +import org.bouncycastle.operator.ContentVerifierProvider; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder; + +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.util.Date; + +final class PkiTestUtils { + + private static final String CN_TEST_SUBJECT = "CN=test1Subject"; + private static final String CN_TEST_ISSUER = "CN=test2Issuer"; + private static final int TEST_CERT_REQUEST_ID = 1432; + private static final int PVNO = 0; + private static final String BC_PROVIDER = "BC"; + private static final String RSA = "RSA"; + + private PkiTestUtils() { + } + + static PKIBody getTestPkiBody(AlgorithmIdentifier signingAlgorithm) { + CertTemplateBuilder certTemplateBuilder = + new CertTemplateBuilder() + .setIssuer(new X500Name(CN_TEST_ISSUER)) + .setSubject(new X500Name(CN_TEST_SUBJECT)) + .setSigningAlg(signingAlgorithm); + + CertRequest certRequest = new CertRequest(TEST_CERT_REQUEST_ID, certTemplateBuilder.build(), null); + CertReqMsg certReqMsg = new CertReqMsg(certRequest, null, null); + + CertReqMessages certReqMessages = new CertReqMessages(certReqMsg); + return new PKIBody(0, certReqMessages); + } + + static PKIHeader getTestPkiHeader(AlgorithmIdentifier protectionAlgorithm) { + PKIHeaderBuilder pkiHeader = new PKIHeaderBuilder( + PVNO, + new GeneralName(new X500Name(CN_TEST_SUBJECT)), + new GeneralName(new X500Name(CN_TEST_ISSUER))); + pkiHeader.setProtectionAlg(protectionAlgorithm); + pkiHeader.setMessageTime(new DERGeneralizedTime(new Date())); + return pkiHeader.build(); + } + + static ProtectedPKIMessage getProtectedPkiMessage(PKIHeader pkiHeader, PKIBody pkiBody, DERBitString messageProtection) { + PKIMessage pkiMessage = new PKIMessage(pkiHeader, pkiBody, messageProtection); + GeneralPKIMessage generalPkiMessage = new GeneralPKIMessage(pkiMessage); + return new ProtectedPKIMessage(generalPkiMessage); + } + + static KeyPair getKeyPair() throws NoSuchAlgorithmException, NoSuchProviderException { + KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(RSA, BC_PROVIDER); + return keyPairGenerator.generateKeyPair(); + } + + static ContentVerifierProvider getContentVerifierProvider(PublicKey publicKey) throws OperatorCreationException { + return new JcaContentVerifierProviderBuilder() + .setProvider(BC_PROVIDER) + .build(publicKey); + } +} diff --git a/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtectionTest.java b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtectionTest.java new file mode 100644 index 00000000..ba382c42 --- /dev/null +++ b/certService/src/test/java/org/onap/oom/certservice/cmpv2client/impl/SignatureProtectionTest.java @@ -0,0 +1,94 @@ +/*- + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nokia. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.onap.oom.certservice.cmpv2client.impl; + +import org.bouncycastle.asn1.DERBitString; +import org.bouncycastle.asn1.cmp.PKIBody; +import org.bouncycastle.asn1.cmp.PKIHeader; +import org.bouncycastle.asn1.x509.AlgorithmIdentifier; +import org.bouncycastle.cert.cmp.CMPException; +import org.bouncycastle.cert.cmp.ProtectedPKIMessage; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.operator.ContentVerifierProvider; +import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; +import org.bouncycastle.operator.OperatorCreationException; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import org.onap.oom.certservice.cmpv2client.exceptions.CmpClientException; + +import java.security.GeneralSecurityException; +import java.security.KeyPair; +import java.security.Security; + +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotNull; +import static org.junit.jupiter.api.Assertions.assertTrue; +import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getProtectedPkiMessage; +import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getTestPkiBody; +import static org.onap.oom.certservice.cmpv2client.impl.PkiTestUtils.getTestPkiHeader; + +class SignatureProtectionTest { + + private static final String SHA256_RSA_OID = "1.2.840.113549.1.1.11"; + private static final AlgorithmIdentifier SHA256_RSA_ALGORITHM = new DefaultSignatureAlgorithmIdentifierFinder() + .find("SHA256withRSA"); + private static final String BC_PROVIDER = "BC"; + + @BeforeAll + static void setUp() { + Security.addProvider(new BouncyCastleProvider()); + } + + @AfterAll + static void clean() { + Security.removeProvider(BC_PROVIDER); + } + + @Test + void shouldReturnExpectedAlgorithmWhenGetAlgorithmMethodCalled() { + //Given + SignatureProtection signatureProtection = new SignatureProtection(null); + //When + AlgorithmIdentifier algorithmIdentifier = signatureProtection.getAlgorithmIdentifier(); + //Then + assertNotNull(algorithmIdentifier); + assertNotNull(algorithmIdentifier.getAlgorithm()); + assertEquals(SHA256_RSA_OID, algorithmIdentifier.getAlgorithm().toString()); + } + + @Test + void shouldReturnProtectionByPkWhenGenerateProtectionMethodCalled() + throws GeneralSecurityException, CmpClientException, OperatorCreationException, CMPException { + //Given + KeyPair keyPair = PkiTestUtils.getKeyPair(); + SignatureProtection signatureProtection = new SignatureProtection(keyPair.getPrivate()); + PKIHeader pkiHeader = getTestPkiHeader(SHA256_RSA_ALGORITHM); + PKIBody pkiBody = getTestPkiBody(SHA256_RSA_ALGORITHM); + //When + DERBitString protection = signatureProtection.generatePkiMessageProtection(pkiHeader, pkiBody); + //Then + ProtectedPKIMessage protectedPkiMessage = getProtectedPkiMessage(pkiHeader, pkiBody, protection); + ContentVerifierProvider verifierProvider = PkiTestUtils.getContentVerifierProvider(keyPair.getPublic()); + assertTrue(protectedPkiMessage.verify(verifierProvider)); + } + +} -- 2.16.6