2 * ============LICENSE_START====================================================
4 * ===========================================================================
5 * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6 * ===========================================================================
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
11 * http://www.apache.org/licenses/LICENSE-2.0
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 * ============LICENSE_END====================================================
22 package org.onap.aaf.cadi.cm;
25 import java.security.KeyStore;
26 import java.security.PrivateKey;
27 import java.security.cert.Certificate;
28 import java.security.cert.X509Certificate;
29 import java.util.ArrayList;
30 import java.util.Collection;
31 import java.util.List;
33 import org.onap.aaf.cadi.CadiException;
34 import org.onap.aaf.cadi.Symm;
35 import org.onap.aaf.cadi.config.Config;
36 import org.onap.aaf.cadi.util.Chmod;
37 import org.onap.aaf.misc.env.Trans;
39 import certman.v1_0.Artifacts.Artifact;
40 import certman.v1_0.CertInfo;
42 public class PlaceArtifactInKeystore extends ArtifactDir {
44 // TODO: obtain the root DNs or trusted DNs from the Certificate Manager.
45 // private static String[] rootDNs = new String[]{
46 // "CN=ATT CADI Root CA - Test, O=ATT, OU=CSO, C=US", // Lab. delete eventually
47 // "CN=ATT AAF CADI TEST CA, OU=CSO, O=ATT, C=US",
48 // "CN=ATT AAF CADI CA, OU=CSO, O=ATT, C=US"
51 public PlaceArtifactInKeystore(String kst) {
56 public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
57 File fks = new File(dir,arti.getNs()+'.'+kst);
59 KeyStore jks = KeyStore.getInstance(kst);
64 // Get the Cert(s)... Might include Trust store
65 Collection<? extends Certificate> certColl = Factory.toX509Certificate(certInfo.getCerts());
66 // find where the trusts end in 1.0 API
69 List<X509Certificate> certList = new ArrayList<X509Certificate>();
70 Certificate[] trustChain = null;
71 Certificate[] trustCAs;
72 for(Certificate c : certColl) {
73 x509 = (X509Certificate)c;
74 if(trustChain==null && x509.getSubjectDN().equals(x509.getIssuerDN())) {
75 trustChain = new Certificate[certList.size()];
76 certList.toArray(trustChain);
77 certList.clear(); // reuse
82 // remainder should be Trust CAs
83 trustCAs = new Certificate[certList.size()];
84 certList.toArray(trustCAs);
87 // Add CADI Keyfile Entry to Properties
88 addProperty(Config.CADI_KEYFILE,arti.getDir()+'/'+arti.getNs() + ".keyfile");
89 // Set Keystore Password
90 addProperty(Config.CADI_KEYSTORE,fks.getAbsolutePath());
91 String keystorePass = Symm.randomGen(CmAgent.PASS_SIZE);
92 addEncProperty(Config.CADI_KEYSTORE_PASSWORD,keystorePass);
93 char[] keystorePassArray = keystorePass.toCharArray();
94 jks.load(null,keystorePassArray); // load in
96 // Add Private Key/Cert Entry for App
97 // Note: although the Java SSL security classes allow a key password separate from the
98 // keystore password, that configuration is documented not to work in practice
99 // (java.security.UnrecoverableKeyException: Cannot recover key).
100 // A custom Key Manager could make it work, but practicality dictates living with
101 // the default, meaning the key password and the keystore password are the same.
102 String keyPass = keystorePass; //Symm.randomGen(CmAgent.PASS_SIZE);
103 PrivateKey pk = Factory.toPrivateKey(trans, certInfo.getPrivatekey());
104 addEncProperty(Config.CADI_KEY_PASSWORD, keyPass);
105 addProperty(Config.CADI_ALIAS, arti.getMechid());
106 // Set<Attribute> attribs = new HashSet<Attribute>();
107 // if(kst.equals("pkcs12")) {
109 // attribs.add(new PKCS12Attribute("1.2.840.113549.1.9.20", arti.getNs()));
112 KeyStore.ProtectionParameter protParam =
113 new KeyStore.PasswordProtection(keyPass.toCharArray());
115 KeyStore.PrivateKeyEntry pkEntry =
116 new KeyStore.PrivateKeyEntry(pk, trustChain);
117 jks.setEntry(arti.getMechid(),
121 write(fks,Chmod.to400,jks,keystorePassArray);
123 // Change out to TrustStore
124 fks = new File(dir,arti.getNs()+".trust."+kst);
125 jks = KeyStore.getInstance(kst);
127 // Set Truststore Password
128 addProperty(Config.CADI_TRUSTSTORE,fks.getAbsolutePath());
129 String trustStorePass = Symm.randomGen(CmAgent.PASS_SIZE);
130 addEncProperty(Config.CADI_TRUSTSTORE_PASSWORD,trustStorePass);
131 char[] truststorePassArray = trustStorePass.toCharArray();
132 jks.load(null,truststorePassArray); // load in
134 // Add Trusted Certificates
135 for(int i=0; i<trustCAs.length;++i) {
136 jks.setCertificateEntry("ca_" + arti.getCa() + '_' + i, trustCAs[i]);
139 write(fks,Chmod.to644,jks,truststorePassArray);
141 } catch (Exception e) {
142 throw new CadiException(e);