Update Certificate for all FQDNs

[aaf/authz.git] / auth / auth-certman / src / main / java / org / onap / aaf / auth / cm / cert / BCFactory.java

/**
 * ============LICENSE_START====================================================
 * org.onap.aaf
 * ===========================================================================
 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
 * ===========================================================================
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *      http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * ============LICENSE_END====================================================
 *
 */
package org.onap.aaf.auth.cm.cert;

import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SignatureException;
import java.util.List;

import org.bouncycastle.asn1.ASN1Object;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.onap.aaf.auth.cm.ca.CA;
import org.onap.aaf.auth.cm.validation.CertmanValidator;
import org.onap.aaf.cadi.Symm;
import org.onap.aaf.cadi.cm.CertException;
import org.onap.aaf.cadi.cm.Factory;
import org.onap.aaf.misc.env.Env;
import org.onap.aaf.misc.env.TimeTaken;
import org.onap.aaf.misc.env.Trans;


/**
 * Additional Factory mechanisms for CSRs, and BouncyCastle.  The main Factory
 * utilizes only Java abstractions, and is useful in Client code.
 * 
 * @author JonathanGathman
 *
 */
public class BCFactory extends Factory {
        private static final JcaContentSignerBuilder jcsb;


        static {
                // Bouncy
                jcsb = new JcaContentSignerBuilder(Factory.SIG_ALGO);
        }
        
        public static ContentSigner contentSigner(PrivateKey pk) throws OperatorCreationException {
                return jcsb.build(pk);
        }
        
        public static String toString(PKCS10CertificationRequest csr) throws IOException, CertException {
                if(csr==null) {
                        throw new CertException("x509 Certificate Request not built");
                }
                return textBuilder("CERTIFICATE REQUEST",csr.getEncoded());
        }

        public static PKCS10CertificationRequest toCSR(Trans trans, File file) throws IOException {
                TimeTaken tt = trans.start("Reconstitute CSR", Env.SUB);
                try {
                        FileReader fr = new FileReader(file);
                        return new PKCS10CertificationRequest(decode(strip(fr)));
                } finally {
                        tt.done();
                }
        }

        public static byte[] sign(Trans trans, ASN1Object toSign, PrivateKey pk) throws IOException, InvalidKeyException, SignatureException, NoSuchAlgorithmException {
                TimeTaken tt = trans.start("Encode Security Object", Env.SUB);
                try {
                        return sign(trans,toSign.getEncoded(),pk);
                } finally {
                        tt.done();
                }
        }
        
        public static CSRMeta createCSRMeta(CA ca, String mechid, String sponsorEmail, List<String> fqdns) throws CertException {
                CSRMeta csr = ca.newCSRMeta();
                boolean first = true;
                // Set CN (and SAN)
                for(String fqdn : fqdns) {
                        if(first) {
                                first = false;
                                csr.cn(fqdn);
                        }
                        csr.san(fqdn); // duplicate CN in SAN, per RFC 5280 section 4.2.1.6 
                }
                
                csr.challenge(new String(Symm.randomGen(24)));
                csr.mechID(mechid);
                csr.email(sponsorEmail);
                String errs;
                if((errs=validateApp(csr))!=null) {
                        throw new CertException(errs);
                }
                return csr;
        }
        
        private static String validateApp(CSRMeta csr) {
                CertmanValidator v = new CertmanValidator();
                if(v.nullOrBlank("cn", csr.cn())
                        .nullOrBlank("mechID", csr.mechID())
                        .nullOrBlank("email", csr.email())
                        .err()) {
                        return v.errs();
                } else {
                        return null;
                }
        }

        public static CSRMeta createPersonalCSRMeta(CA ca, String personal, String email) throws CertException {
                CSRMeta csr = ca.newCSRMeta();
                csr.cn(personal);
                csr.challenge(new String(Symm.randomGen(24)));
                csr.email(email);
                String errs;
                if((errs=validatePersonal(csr))!=null) {
                        throw new CertException(errs);
                }
                return csr;
        }

        private static String validatePersonal(CSRMeta csr) {
                CertmanValidator v = new CertmanValidator();
                if(v.nullOrBlank("cn", csr.cn())
                        .nullOrBlank("email", csr.email())
                        .err()) {
                        return v.errs();
                } else {
                        return null;
                }
        }
        

}