2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
21 package org.onap.aaf.auth.cm.ca;
23 import java.io.FileReader;
24 import java.io.IOException;
25 import java.net.Authenticator;
26 import java.net.MalformedURLException;
27 import java.net.PasswordAuthentication;
29 import java.security.cert.CertStoreException;
30 import java.security.cert.Certificate;
31 import java.security.cert.CertificateException;
32 import java.security.cert.X509Certificate;
33 import java.util.ArrayList;
34 import java.util.List;
36 import java.util.concurrent.ConcurrentHashMap;
38 import org.bouncycastle.operator.OperatorCreationException;
39 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
40 import org.jscep.client.Client;
41 import org.jscep.client.ClientException;
42 import org.jscep.client.EnrollmentResponse;
43 import org.jscep.client.verification.CertificateVerifier;
44 import org.jscep.transaction.TransactionException;
45 import org.onap.aaf.auth.cm.cert.BCFactory;
46 import org.onap.aaf.auth.cm.cert.CSRMeta;
47 import org.onap.aaf.cadi.Access;
48 import org.onap.aaf.cadi.LocatorException;
49 import org.onap.aaf.cadi.Access.Level;
50 import org.onap.aaf.cadi.Locator.Item;
51 import org.onap.aaf.cadi.cm.CertException;
52 import org.onap.aaf.cadi.locator.HotPeerLocator;
53 import org.onap.aaf.misc.env.Env;
54 import org.onap.aaf.misc.env.TimeTaken;
55 import org.onap.aaf.misc.env.Trans;
56 import org.onap.aaf.misc.env.util.Split;
58 public class JscepCA extends CA {
59 static final String CA_PREFIX = "http://";
60 static final String CA_POSTFIX="/certsrv/mscep_admin/mscep.dll";
62 private final static String MS_PROFILE="1";
63 private final static int MAX_RETRY=3;
64 public static final long INVALIDATE_TIME = 1000*60*10; // 10 mins
67 private Map<String,X509ChainWithIssuer> mxcwi_s;
68 private Map<Client,X509ChainWithIssuer> mxcwi_c;
71 private JscepClientLocator clients;
73 public JscepCA(final Access access, final String name, final String env, String [][] params) throws IOException, CertException, LocatorException {
74 super(access, name, env);
75 mxcwi_s = new ConcurrentHashMap<String,X509ChainWithIssuer>();
76 mxcwi_c = new ConcurrentHashMap<Client,X509ChainWithIssuer>();
79 throw new CertException("No Trust Chain parameters are included");
81 if(params[0].length<2) {
82 throw new CertException("User/Password required for JSCEP");
84 final String id = params[0][0];
85 final String pw = params[0][1];
87 // Set this for NTLM password Microsoft
88 Authenticator.setDefault(new Authenticator() {
89 public PasswordAuthentication getPasswordAuthentication () {
91 return new PasswordAuthentication (id,access.decrypt(pw,true).toCharArray());
92 } catch (IOException e) {
99 StringBuilder urlstr = new StringBuilder();
101 for(int i=1;i<params.length;++i) { // skip first section, which is user/pass
104 urlstr.append(','); // delimiter
106 urlstr.append(params[i][0]);
108 String dir = access.getProperty(CM_PUBLIC_DIR, "");
109 if(!"".equals(dir) && !dir.endsWith("/")) {
113 List<FileReader> frs = new ArrayList<FileReader>(params.length-1);
115 for(int j=1; j<params[i].length; ++j) { // first 3 taken up, see above
116 path = !params[i][j].contains("/")?dir+params[i][j]:params[i][j];
117 access.printf(Level.INIT, "Loading a TrustChain Member for %s from %s",name, path);
118 frs.add(new FileReader(path));
120 X509ChainWithIssuer xcwi = new X509ChainWithIssuer(frs);
121 addCaIssuerDN(xcwi.getIssuerDN());
122 mxcwi_s.put(params[i][0],xcwi);
124 for(FileReader fr : frs) {
131 clients = new JscepClientLocator(access,urlstr.toString());
134 // package on purpose
137 public X509ChainWithIssuer sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException {
138 TimeTaken tt = trans.start("Generating CSR and Keys for New Certificate", Env.SUB);
139 PKCS10CertificationRequest csr;
141 csr = csrmeta.generateCSR(trans);
142 if(trans.info().isLoggable()) {
143 trans.info().log(BCFactory.toString(csr));
145 if(trans.info().isLoggable()) {
146 trans.info().log(csr);
152 tt = trans.start("Enroll CSR", Env.SUB);
153 Client client = null;
155 for(int i=0; i<MAX_RETRY;++i) {
157 item = clients.best();
158 client = clients.get(item);
160 EnrollmentResponse er = client.enrol(
161 csrmeta.initialConversationCert(trans),
162 csrmeta.keypair(trans).getPrivate(),
164 MS_PROFILE /* profile... MS can't deal with blanks*/);
168 trans.checkpoint("Cert from " + clients.info(item));
169 X509Certificate x509 = null;
170 for( Certificate cert : er.getCertStore().getCertificates(null)) {
172 x509 = (X509Certificate)cert;
176 X509ChainWithIssuer mxcwi = mxcwi_c.get(client);
177 return new X509ChainWithIssuer(mxcwi,x509);
179 } else if (er.isPending()) {
180 trans.checkpoint("Polling, waiting on CA to complete");
182 } else if (er.isFailure()) {
183 // switch(er.getFailInfo()) {
184 // case badMessageCheck:
185 // throw new ClientException("Received BadMessageCheck from Jscep");
192 throw new CertException(clients.info(item)+':'+er.getFailInfo().toString());
196 } catch(LocatorException e) {
197 trans.error().log(e);
199 } catch (ClientException e) {
200 trans.error().log(e,"SCEP Client Error, Temporarily Invalidating Client: " + clients.info(item));
202 clients.invalidate(client);
203 if(!clients.hasItems()) {
206 } catch (LocatorException e1) {
207 trans.error().log(e,clients.info(item));
208 i=MAX_RETRY; // can't go any further
210 } catch (InterruptedException|TransactionException|CertificateException|OperatorCreationException | CertStoreException e) {
211 trans.error().log(e);
222 * Locator specifically for Jscep Clients.
224 * Class based client for access to common Map
226 private class JscepClientLocator extends HotPeerLocator<Client> {
228 protected JscepClientLocator(Access access, String urlstr)throws LocatorException {
229 super(access, urlstr, JscepCA.INVALIDATE_TIME,
230 access.getProperty("cadi_latitude","39.833333"), //Note: Defaulting to GEO center of US
231 access.getProperty("cadi_longitude","-98.583333")
236 protected Client _newClient(String urlinfo) throws LocatorException {
238 String[] info = Split.split('/', urlinfo);
239 Client c = new Client(new URL(JscepCA.CA_PREFIX + info[0] + JscepCA.CA_POSTFIX),
240 new CertificateVerifier() {
242 public boolean verify(X509Certificate cert) {
248 // Map URL to Client, because Client doesn't expose Connection
249 mxcwi_c.put(c,mxcwi_s.get(urlinfo));
251 } catch (MalformedURLException e) {
252 throw new LocatorException(e);
257 protected Client _invalidate(Client client) {
262 protected void _destroy(Client client) {
263 mxcwi_c.remove(client);
Code Review / aaf / authz.git / blob