Merge "Fix sonar issues in Mapper1_0"
[aaf/authz.git] / auth / auth-certman / src / main / java / org / onap / aaf / auth / cm / ca / CA.java
1 /**
2  * ============LICENSE_START====================================================
3  * org.onap.aaf
4  * ===========================================================================
5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6  * ===========================================================================
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  * 
11  *      http://www.apache.org/licenses/LICENSE-2.0
12  * 
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  * ============LICENSE_END====================================================
19  *
20  */
21 package org.onap.aaf.auth.cm.ca;
22
23 import java.io.File;
24 import java.io.FileInputStream;
25 import java.io.IOException;
26 import java.security.MessageDigest;
27 import java.security.Principal;
28 import java.util.ArrayList;
29 import java.util.Collections;
30 import java.util.HashSet;
31 import java.util.List;
32 import java.util.Set;
33
34 import org.bouncycastle.asn1.x500.style.BCStyle;
35 import org.onap.aaf.auth.cm.cert.CSRMeta;
36 import org.onap.aaf.auth.cm.cert.RDN;
37 import org.onap.aaf.cadi.Access;
38 import org.onap.aaf.cadi.Access.Level;
39 import org.onap.aaf.cadi.cm.CertException;
40 import org.onap.aaf.misc.env.Trans;
41 import org.onap.aaf.misc.env.util.Split;
42
43 public abstract class CA {
44         private static final String MUST_EXIST_TO_CREATE_CSRS_FOR = " must exist to create CSRs for ";
45         //TODO figuring out what is an Issuing CA is a matter of convention.  Consider SubClassing for Open Source
46         public static final String ISSUING_CA = "Issuing CA";
47         public static final String CM_CA_PREFIX = "cm_ca.";
48         public static final String CM_CA_BASE_SUBJECT = ".baseSubject";
49         protected static final String CM_PUBLIC_DIR = "cm_public_dir";
50         private static final String CM_TRUST_CAS = "cm_trust_cas";
51         protected static final String CM_BACKUP_CAS = "cm_backup_cas";
52
53         public static final Set<String> EMPTY = Collections.unmodifiableSet(new HashSet<String>());
54
55         
56         private final String name;
57         private final String env;
58         private MessageDigest messageDigest;
59         private final String permType;
60         private Set<String> caIssuerDNs;
61         private final ArrayList<String> idDomains;
62         private String[] trustedCAs;
63         private List<RDN> rdns; 
64
65
66         protected CA(Access access, String caName, String env) throws IOException, CertException {
67                 trustedCAs = new String[4]; // starting array
68                 this.name = caName;
69                 this.env = env;
70                 permType = access.getProperty(CM_CA_PREFIX + name + ".perm_type",null);
71                 if(permType==null) {
72                         throw new CertException(CM_CA_PREFIX + name + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
73                 }
74                 caIssuerDNs = new HashSet<>();
75                 
76                 String tag = CA.CM_CA_PREFIX+caName+CA.CM_CA_BASE_SUBJECT;
77                 
78                 String fields = access.getProperty(tag, null);
79                 if(fields==null) {
80                         throw new CertException(tag + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
81                 }
82                 access.log(Level.INFO, tag, "=",fields);
83                 rdns = RDN.parse('/',fields);
84                 for(RDN rdn : rdns) {
85                         if(rdn.aoi==BCStyle.EmailAddress) { // Cert Specs say Emails belong in Subject
86                                 throw new CertException("email address is not allowed in " + CM_CA_BASE_SUBJECT);
87                         }
88                 }
89                 
90                 idDomains = new ArrayList<>();
91                 StringBuilder sb = null;
92                 for(String s : Split.splitTrim(',', access.getProperty(CA.CM_CA_PREFIX+caName+".idDomains", ""))) {
93                         if(s.length()>0) {
94                                 if(sb==null) {
95                                         sb = new StringBuilder();
96                                 } else {
97                                         sb.append(", ");
98                                 }
99                                 idDomains.add(s);
100                                 sb.append(s);
101                         }
102                 }
103                 if(sb!=null) {
104                         access.printf(Level.INIT, "CA '%s' supports Personal Certificates for %s", caName, sb);
105                 }
106                 
107                 String dataDir = access.getProperty(CM_PUBLIC_DIR,null);
108                 if(dataDir!=null) {
109                         File data = new File(dataDir);
110                         byte[] bytes;
111                         if(data.exists()) {
112                                 String trustCas = access.getProperty(CM_TRUST_CAS,null);
113                                 if(trustCas!=null) {
114                                         for(String fname : Split.splitTrim(',', trustCas)) {
115                                                 File crt = new File(data,fname);
116                                                 if(crt.exists()) {
117                                                         access.printf(Level.INIT, "Loading CA Cert from %s", crt.getAbsolutePath());
118                                                         bytes = new byte[(int)crt.length()];
119                                                         FileInputStream fis = new FileInputStream(crt);
120                                                         try {
121                                                                 int read = fis.read(bytes);
122                                                                 if(read>0) {    
123                                                                         addTrustedCA(new String(bytes));
124                                                                 }
125                                                         } finally {
126                                                                 fis.close();
127                                                         }
128                                                 } else {
129                                                         access.printf(Level.INIT, "FAILED to Load CA Cert from %s", crt.getAbsolutePath());
130                                                 }
131                                         }
132                                 } else {
133                                         access.printf(Level.INIT, "Cannot load external TRUST CAs: No property %s",CM_TRUST_CAS);
134                                 }
135                         } else {
136                                 access.printf(Level.INIT, "Cannot load external TRUST CAs: %s doesn't exist, or is not accessible",data.getAbsolutePath());
137                         }
138                 }
139         }
140
141         protected void addCaIssuerDN(String issuerDN) {
142                 caIssuerDNs.add(issuerDN);
143         }
144         
145         protected synchronized void addTrustedCA(final String crtString) {
146                 String crt;
147                 if(crtString.endsWith("\n")) {
148                         crt = crtString;
149                 } else {
150                         crt = crtString + '\n';
151                 }
152                 for(int i=0;i<trustedCAs.length;++i) {
153                         if(trustedCAs[i]==null) {
154                                 trustedCAs[i]=crt;
155                                 return;
156                         }
157                 }
158                 String[] temp = new String[trustedCAs.length+5];
159                 System.arraycopy(trustedCAs,0,temp, 0, trustedCAs.length);
160                 temp[trustedCAs.length]=crt;
161                 trustedCAs = temp;
162         }
163         
164         public Set<String> getCaIssuerDNs() {
165                 return caIssuerDNs;
166         }
167         
168         public String[] getTrustedCAs() {
169                 return trustedCAs;
170         }
171         
172         public String getEnv() {
173                 return env;
174         }
175
176         protected void setMessageDigest(MessageDigest md) {
177                 messageDigest = md;
178         }
179
180         /*
181          * End Required Constructor calls
182          */
183
184         public String getName() {
185                 return name;
186         }
187         
188         
189         public String getPermType() {
190                 return permType;
191         }
192         
193         public abstract X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException;
194
195         /* (non-Javadoc)
196          * @see org.onap.aaf.auth.cm.ca.CA#inPersonalDomains(java.security.Principal)
197          */
198         public boolean inPersonalDomains(Principal p) {
199                 int at = p.getName().indexOf('@');
200                 if(at>=0) {
201                         return idDomains.contains(p.getName().substring(at+1));
202                 } else {
203                         return false;
204                 }
205         }
206
207         public MessageDigest messageDigest() {
208                 return messageDigest;
209         }
210
211         public CSRMeta newCSRMeta() {
212                 return new CSRMeta(rdns);
213         }
214 }