auth/auth-certman/src/main/java/org/onap/aaf/auth/cm/ca/CA.java

   1 /**
   2  * ============LICENSE_START====================================================
   3  * org.onap.aaf
   4  * ===========================================================================
   5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
   6  * ===========================================================================
   7  * Licensed under the Apache License, Version 2.0 (the "License");
   8  * you may not use this file except in compliance with the License.
   9  * You may obtain a copy of the License at
  10  *
  11  *      http://www.apache.org/licenses/LICENSE-2.0
  12  *
  13  * Unless required by applicable law or agreed to in writing, software
  14  * distributed under the License is distributed on an "AS IS" BASIS,
  15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16  * See the License for the specific language governing permissions and
  17  * limitations under the License.
  18  * ============LICENSE_END====================================================
  19  *
  20  */
  21 package org.onap.aaf.auth.cm.ca;
  22
  23 import java.io.File;
  24 import java.io.FileInputStream;
  25 import java.io.IOException;
  26 import java.security.MessageDigest;
  27 import java.security.Principal;
  28 import java.util.ArrayList;
  29 import java.util.Collections;
  30 import java.util.HashSet;
  31 import java.util.List;
  32 import java.util.Set;
  33
  34 import org.bouncycastle.asn1.x500.style.BCStyle;
  35 import org.onap.aaf.auth.cm.cert.CSRMeta;
  36 import org.onap.aaf.auth.cm.cert.RDN;
  37 import org.onap.aaf.cadi.Access;
  38 import org.onap.aaf.cadi.Access.Level;
  39 import org.onap.aaf.cadi.cm.CertException;
  40 import org.onap.aaf.misc.env.Trans;
  41 import org.onap.aaf.misc.env.util.Split;
  42
  43 public abstract class CA {
  44         private static final String MUST_EXIST_TO_CREATE_CSRS_FOR = " must exist to create CSRs for ";
  45         //TODO figuring out what is an Issuing CA is a matter of convention.  Consider SubClassing for Open Source
  46         public static final String ISSUING_CA = "Issuing CA";
  47         public static final String CM_CA_PREFIX = "cm_ca.";
  48         public static final String CM_CA_BASE_SUBJECT = ".baseSubject";
  49         protected static final String CM_PUBLIC_DIR = "cm_public_dir";
  50         private static final String CM_TRUST_CAS = "cm_trust_cas";
  51         protected static final String CM_BACKUP_CAS = "cm_backup_cas";
  52
  53         public static final Set<String> EMPTY = Collections.unmodifiableSet(new HashSet<String>());
  54
  55
  56         private final String name;
  57         private final String env;
  58         private MessageDigest messageDigest;
  59         private final String permType;
  60         private Set<String> caIssuerDNs;
  61         private final ArrayList<String> idDomains;
  62         private String[] trustedCAs;
  63         private List<RDN> rdns;
  64
  65
  66         protected CA(Access access, String caName, String env) throws IOException, CertException {
  67                 trustedCAs = new String[4]; // starting array
  68                 this.name = caName;
  69                 this.env = env;
  70                 permType = access.getProperty(CM_CA_PREFIX + name + ".perm_type",null);
  71                 if(permType==null) {
  72                         throw new CertException(CM_CA_PREFIX + name + ".perm_type" + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
  73                 }
  74                 caIssuerDNs = new HashSet<>();
  75
  76                 String tag = CA.CM_CA_PREFIX+caName+CA.CM_CA_BASE_SUBJECT;
  77
  78                 String fields = access.getProperty(tag, null);
  79                 if(fields==null) {
  80                         throw new CertException(tag + MUST_EXIST_TO_CREATE_CSRS_FOR + caName);
  81                 }
  82                 access.log(Level.INFO, tag, "=",fields);
  83                 rdns = RDN.parse('/',fields);
  84                 for(RDN rdn : rdns) {
  85                         if(rdn.aoi==BCStyle.EmailAddress) { // Cert Specs say Emails belong in Subject
  86                                 throw new CertException("email address is not allowed in " + CM_CA_BASE_SUBJECT);
  87                         }
  88                 }
  89
  90                 idDomains = new ArrayList<>();
  91                 StringBuilder sb = null;
  92                 for(String s : Split.splitTrim(',', access.getProperty(CA.CM_CA_PREFIX+caName+".idDomains", ""))) {
  93                         if(s.length()>0) {
  94                                 if(sb==null) {
  95                                         sb = new StringBuilder();
  96                                 } else {
  97                                         sb.append(", ");
  98                                 }
  99                                 idDomains.add(s);
 100                                 sb.append(s);
 101                         }
 102                 }
 103                 if(sb!=null) {
 104                         access.printf(Level.INIT, "CA '%s' supports Personal Certificates for %s", caName, sb);
 105                 }
 106
 107                 String dataDir = access.getProperty(CM_PUBLIC_DIR,null);
 108                 if(dataDir!=null) {
 109                         File data = new File(dataDir);
 110                         byte[] bytes;
 111                         if(data.exists()) {
 112                                 String trustCas = access.getProperty(CM_TRUST_CAS,null);
 113                                 if(trustCas!=null) {
 114                                         for(String fname : Split.splitTrim(',', trustCas)) {
 115                                                 File crt = new File(data,fname);
 116                                                 if(crt.exists()) {
 117                                                         access.printf(Level.INIT, "Loading CA Cert from %s", crt.getAbsolutePath());
 118                                                         bytes = new byte[(int)crt.length()];
 119                                                         FileInputStream fis = new FileInputStream(crt);
 120                                                         try {
 121                                                                 int read = fis.read(bytes);
 122                                                                 if(read>0) {
 123                                                                         addTrustedCA(new String(bytes));
 124                                                                 }
 125                                                         } finally {
 126                                                                 fis.close();
 127                                                         }
 128                                                 } else {
 129                                                         access.printf(Level.INIT, "FAILED to Load CA Cert from %s", crt.getAbsolutePath());
 130                                                 }
 131                                         }
 132                                 } else {
 133                                         access.printf(Level.INIT, "Cannot load external TRUST CAs: No property %s",CM_TRUST_CAS);
 134                                 }
 135                         } else {
 136                                 access.printf(Level.INIT, "Cannot load external TRUST CAs: %s doesn't exist, or is not accessible",data.getAbsolutePath());
 137                         }
 138                 }
 139         }
 140
 141         protected void addCaIssuerDN(String issuerDN) {
 142                 caIssuerDNs.add(issuerDN);
 143         }
 144
 145         protected synchronized void addTrustedCA(final String crtString) {
 146                 String crt;
 147                 if(crtString.endsWith("\n")) {
 148                         crt = crtString;
 149                 } else {
 150                         crt = crtString + '\n';
 151                 }
 152                 for(int i=0;i<trustedCAs.length;++i) {
 153                         if(trustedCAs[i]==null) {
 154                                 trustedCAs[i]=crt;
 155                                 return;
 156                         }
 157                 }
 158                 String[] temp = new String[trustedCAs.length+5];
 159                 System.arraycopy(trustedCAs,0,temp, 0, trustedCAs.length);
 160                 temp[trustedCAs.length]=crt;
 161                 trustedCAs = temp;
 162         }
 163
 164         public Set<String> getCaIssuerDNs() {
 165                 return caIssuerDNs;
 166         }
 167
 168         public String[] getTrustedCAs() {
 169                 return trustedCAs;
 170         }
 171
 172         public String getEnv() {
 173                 return env;
 174         }
 175
 176         protected void setMessageDigest(MessageDigest md) {
 177                 messageDigest = md;
 178         }
 179
 180         /*
 181          * End Required Constructor calls
 182          */
 183
 184         public String getName() {
 185                 return name;
 186         }
 187
 188
 189         public String getPermType() {
 190                 return permType;
 191         }
 192
 193         public abstract X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException;
 194
 195         /* (non-Javadoc)
 196          * @see org.onap.aaf.auth.cm.ca.CA#inPersonalDomains(java.security.Principal)
 197          */
 198         public boolean inPersonalDomains(Principal p) {
 199                 int at = p.getName().indexOf('@');
 200                 if(at>=0) {
 201                         return idDomains.contains(p.getName().substring(at+1));
 202                 } else {
 203                         return false;
 204                 }
 205         }
 206
 207         public MessageDigest messageDigest() {
 208                 return messageDigest;
 209         }
 210
 211         public CSRMeta newCSRMeta() {
 212                 return new CSRMeta(rdns);
 213         }
 214 }