1 /**
2  * ============LICENSE_START====================================================
3  * org.onap.aaf
4  * ===========================================================================
5  * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
6  * ===========================================================================
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  * 
11  *      http://www.apache.org/licenses/LICENSE-2.0
12  * 
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  * ============LICENSE_END====================================================
19  *
20  */
21
22 package org.onap.aaf.cadi.cm;
23
24 import java.io.File;
25 import java.security.KeyStore;
26 import java.security.PrivateKey;
27 import java.security.cert.Certificate;
28 import java.security.cert.X509Certificate;
29 import java.util.ArrayList;
30 import java.util.Collection;
31 import java.util.List;
32
33 import org.onap.aaf.cadi.CadiException;
34 import org.onap.aaf.cadi.Symm;
35 import org.onap.aaf.cadi.config.Config;
36 import org.onap.aaf.cadi.util.Chmod;
37 import org.onap.aaf.misc.env.Trans;
38
39 import certman.v1_0.Artifacts.Artifact;
40 import certman.v1_0.CertInfo;
41
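public class PlaceArtifactInKeystore extends ArtifactDir {
	/** KeyStore type passed to KeyStore.getInstance (e.g. "jks" or "pkcs12"); also used as the file suffix. */
	private String kst;
	//TODO get ROOT DNs or Trusted DNs from Certificate Manager.

	public PlaceArtifactInKeystore(String kst) {
		this.kst = kst;
	}

	/**
	 * Writes the issued private key plus its certificate chain into a KeyStore file
	 * ("ns.kst", mode 400) and the remaining CA certificates into a separate trust store
	 * ("ns.trust.kst", mode 644), recording file locations, alias and (encrypted)
	 * passwords as CADI properties via the ArtifactDir addProperty/addEncProperty hooks.
	 *
	 * The certificate list from the 1.0 API is expected leaf-first: everything before the
	 * first self-signed certificate is the application's chain, that certificate and
	 * everything after it are trust anchors. Input is parsed and validated before any
	 * existing keystore file is removed, so a bad response cannot leave the application
	 * without its previous keystore.
	 *
	 * @param trans   transaction/logging context handed to the key parser
	 * @param certInfo Certificate Manager response carrying the certs and private key
	 * @param arti     artifact description (namespace, mechid, CA name, target dir)
	 * @return always false (unchanged from the original; presumably interpreted by
	 *         ArtifactDir.place() - confirm against the base class before relying on it)
	 * @throws CadiException when the response holds no end-entity chain ahead of a
	 *         self-signed root, when an existing keystore cannot be replaced, or
	 *         (wrapping the cause) on any KeyStore, parsing or I/O failure
	 */
	@Override
	public boolean _place(Trans trans, CertInfo certInfo, Artifact arti) throws CadiException {
		File fks = new File(dir, arti.getNs() + '.' + kst);
		try {
			// Get the Cert(s)... Might include Trust store
			Collection<? extends Certificate> certColl = Factory.toX509Certificate(certInfo.getCerts());

			// Split into app chain (before the first self-signed cert) and trust CAs (the rest).
			List<X509Certificate> certList = new ArrayList<X509Certificate>();
			Certificate[] trustChain = null;
			for (Certificate c : certColl) {
				X509Certificate x509 = (X509Certificate) c;
				if (trustChain == null && isSelfSigned(x509)) {
					trustChain = certList.toArray(new Certificate[certList.size()]);
					certList.clear(); // reuse for the CA list
				}
				certList.add(x509);
			}
			// remainder should be Trust CAs
			Certificate[] trustCAs = certList.toArray(new Certificate[certList.size()]);

			// Without a chain the PrivateKeyEntry constructor below would only throw a bare
			// NullPointerException / IllegalArgumentException; fail with an actionable message.
			if (trustChain == null || trustChain.length == 0) {
				throw new CadiException("Certificate list for " + arti.getMechid()
					+ " has no end-entity chain ahead of a self-signed root; cannot build keystore "
					+ fks.getAbsolutePath());
			}

			PrivateKey pk = Factory.toPrivateKey(trans, certInfo.getPrivatekey());

			// Properties, etc
			// Add CADI Keyfile Entry to Properties
			addProperty(Config.CADI_KEYFILE, arti.getDir() + '/' + arti.getNs() + ".keyfile");
			// Set Keystore Password. Strength depends on Symm.randomGen being backed by a
			// cryptographic RNG - presumably it is; confirm in Symm. The password unavoidably
			// lives on as an immutable String here because addEncProperty takes a String.
			addProperty(Config.CADI_KEYSTORE, fks.getAbsolutePath());
			String keystorePass = Symm.randomGen(CmAgent.PASS_SIZE);
			addEncProperty(Config.CADI_KEYSTORE_PASSWORD, keystorePass);
			char[] keystorePassArray = keystorePass.toCharArray();

			KeyStore jks = KeyStore.getInstance(kst);
			jks.load(null, keystorePassArray); // create empty in-memory store

			// Add Private Key/Cert Entry for App
			// Note: Java SSL security classes, while having a separate key from keystore,
			// is documented to not actually work.
			// java.security.UnrecoverableKeyException: Cannot recover key
			// You can create a custom Key Manager to make it work, but Practicality
			// dictates that you live with the default, meaning, they are the same
			String keyPass = keystorePass;
			addEncProperty(Config.CADI_KEY_PASSWORD, keyPass);
			addProperty(Config.CADI_ALIAS, arti.getMechid());
			// NOTE: a PKCS#12 friendlyName attribute (OID 1.2.840.113549.1.9.20) was once
			// considered for the entry but is not set.
			KeyStore.ProtectionParameter protParam =
					new KeyStore.PasswordProtection(keyPass.toCharArray());
			// The chain stored with the key deliberately stops short of the self-signed
			// root; the root goes into the trust store below.
			KeyStore.PrivateKeyEntry pkEntry = new KeyStore.PrivateKeyEntry(pk, trustChain);
			jks.setEntry(arti.getMechid(), pkEntry, protParam);

			// The previous keystore is mode 400, so it must be removed before it can be
			// rewritten; do this only now that the new contents are fully built.
			if (fks.exists() && !fks.delete()) {
				throw new CadiException("Cannot remove existing keystore " + fks.getAbsolutePath());
			}
			// Write out (private key material: owner read-only)
			write(fks, Chmod.to400, jks, keystorePassArray);

			// Change out to TrustStore
			fks = new File(dir, arti.getNs() + ".trust." + kst);
			jks = KeyStore.getInstance(kst);

			// Set Truststore Password
			addProperty(Config.CADI_TRUSTSTORE, fks.getAbsolutePath());
			String trustStorePass = Symm.randomGen(CmAgent.PASS_SIZE);
			addEncProperty(Config.CADI_TRUSTSTORE_PASSWORD, trustStorePass);
			char[] truststorePassArray = trustStorePass.toCharArray();
			jks.load(null, truststorePassArray); // create empty in-memory store

			// Add Trusted Certificates
			for (int i = 0; i < trustCAs.length; ++i) {
				jks.setCertificateEntry("ca_" + arti.getCa() + '_' + i, trustCAs[i]);
			}
			// Write out (public CA certs only, so world-readable is acceptable)
			write(fks, Chmod.to644, jks, truststorePassArray);

		} catch (CadiException e) {
			throw e; // already actionable; do not double-wrap
		} catch (Exception e) {
			throw new CadiException(e);
		}
		return false;
	}

	/**
	 * True when the certificate's issuer name equals its subject name, i.e. it presents
	 * itself as a root / self-signed CA. This is a name comparison only: the
	 * self-signature is not verified here.
	 */
	private static boolean isSelfSigned(X509Certificate x509) {
		// X500Principal equality compares canonical DN forms; the denigrated
		// getSubjectDN()/getIssuerDN() Principals were implementation-specific.
		return x509.getSubjectX500Principal().equals(x509.getIssuerX500Principal());
	}

}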