* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
import org.onap.aaf.misc.env.Trans;
public class LocalCA extends CA {
-
private final static BigInteger ONE = new BigInteger("1");
// Extensions
private static final KeyPurposeId[] ASN_WebUsage = new KeyPurposeId[] {
KeyPurposeId.id_kp_serverAuth, // WebServer
KeyPurposeId.id_kp_clientAuth // WebClient
};
-
+
private final PrivateKey caKey;
private final X500Name issuer;
- private final SecureRandom random = new SecureRandom();
private BigInteger serial;
private final X509ChainWithIssuer x509cwi; // "Cert" is CACert
-
-
+
+
public LocalCA(Access access, final String name, final String env, final String[][] params) throws IOException, CertException {
super(access, name, env);
-
- serial = new BigInteger(64,random);
+
+ serial = new BigInteger(64,new SecureRandom());
if (params.length<1 || params[0].length<2) {
throw new IOException("LocalCA expects cm_ca.<ca name>=org.onap.aaf.auth.cm.ca.LocalCA,<full path to key file>[;<Full Path to Trust Chain, ending with actual CA>]+");
}
-
+
// Read in the Private Key
String configured;
File f = new File(params[0][0]);
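Review bot: With the `random` field dropped on L25 and the `SecureRandom` inlined on L37, the only entropy in a serial number is the 64-bit starting value; every certificate after the first is a predictable increment under the `synchronized(ONE)` block further down, so anyone holding one issued cert can guess neighbouring serials and the issuance volume. Keeping the field, `private final SecureRandom random = new SecureRandom();`, and drawing a fresh `new BigInteger(64, random)` per certificate in `sign` gives each serial its own entropy (still far below RFC 5280's 20-octet ceiling); the increment would then be unnecessary. The constructor continues outside this hunk.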
} else {
throw new CertException("Unknown Keystore type from filename " + fileName);
}
-
+
KeyStore.ProtectionParameter keyPass;
try {
String pass = access.decrypt(params[0][2]/*encrypted passcode*/, true);
- if (pass==null) {
+ if (pass==null || pass.isEmpty()) {
throw new CertException("Passcode for " + fileName + " cannot be decrypted.");
}
char[] ksPass = pass.toCharArray();
keyStore.load(fis,ksPass);
} finally {
- if (fis != null)
+ if (fis != null) {
fis.close();
+ }
}
Entry entry;
if (fileName.endsWith(".pkcs11")) {
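Review bot: The decrypted keystore passcode on L53 lives in a `String`, and the `char[]` copy made on L58 is never cleared, so the secret stays in the heap until garbage collection. `keyStore.load` only needs the array, so declaring it before the `try` and zeroing it in the `finally` block, `char[] ksPass = null;` / `if (ksPass != null) { java.util.Arrays.fill(ksPass, '\0'); }`, narrows the window; `pass` itself cannot be zeroed as a `String`. The `fis` opened before this hunk would also be simpler as a try-with-resources, which removes the manual null check added on L62. The constructor and its `try` begin before this hunk.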
}
PrivateKeyEntry privateKeyEntry = (PrivateKeyEntry)entry;
caKey = privateKeyEntry.getPrivateKey();
-
+
x509cwi = new X509ChainWithIssuer(privateKeyEntry.getCertificateChain());
configured = "keystore \"" + fileName + "\", alias " + params[0][1];
} catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | UnrecoverableEntryException e) {
} else {
throw new CertException("Private Key, " + f.getPath() + ", does not exist");
}
-
+
X500NameBuilder xnb = new X500NameBuilder();
List<RDN> rp = RDN.parse(',', x509cwi.getIssuerDN());
Collections.reverse(rp);
public X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException {
GregorianCalendar gc = new GregorianCalendar();
Date start = gc.getTime();
- gc.add(GregorianCalendar.MONTH, 6);
+ gc.add(GregorianCalendar.MONTH, 12);
Date end = gc.getTime();
X509Certificate x509;
TimeTaken tt = trans.start("Create/Sign Cert",Env.SUB);
try {
BigInteger bi;
-
+
synchronized(ONE) {
bi = serial;
serial = serial.add(ONE);
}
-
+
RSAPublicKey rpk = (RSAPublicKey)csrmeta.keypair(trans).getPublic();
X509v3CertificateBuilder xcb = new X509v3CertificateBuilder(
issuer,
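Review bot: The validity period doubled on L88 is a bare magic number in the middle of `sign`; a named constant makes the policy auditable and the next change a one-liner, `private static final int VALIDITY_MONTHS = 12;` with `gc.add(GregorianCalendar.MONTH, VALIDITY_MONTHS);`. `Date`/`GregorianCalendar` stay because the BouncyCastle builder takes `Date`, so that is not a concern here. The `sign` method continues outside this hunk.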
// new SubjectPublicKeyInfo(ASN1Sequence.getInstance(caCert.getPublicKey().getEncoded()))
);
List<GeneralName> lsan = new ArrayList<>();
+ // Email
+ lsan.add(new GeneralName(GeneralName.rfc822Name,csrmeta.email()));
for (String s : csrmeta.sans()) {
- lsan.add(new GeneralName(GeneralName.dNSName,s));
+ if(IPV4_PATTERN.matcher(s).matches() || IPV6_PATTERN.matcher(s).matches()) {
+ lsan.add(new GeneralName(GeneralName.iPAddress,s));
+ } else {
+ lsan.add(new GeneralName(GeneralName.dNSName,s));
+ }
}
GeneralName[] sans = new GeneralName[lsan.size()];
lsan.toArray(sans);
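Review bot: `csrmeta.email()` on L109 is handed to `GeneralName` unconditionally; for a CSR without an email that is a null `String`, and as far as I can tell BouncyCastle's `GeneralName(int, String)` then fails with a `NullPointerException` rather than the `CertException` callers expect. Guard it: `String email = csrmeta.email();` / `if (email != null && !email.isEmpty()) {` / `lsan.add(new GeneralName(GeneralName.rfc822Name, email));`. `IPV4_PATTERN` and `IPV6_PATTERN` on L112 are not declared anywhere in this diff, presumably inherited from `CA`; whatever the IPv6 pattern admits must also be parseable by BouncyCastle's `iPAddress` handling, which does not accept zone suffixes like `%eth0`, so that is worth a test. The `dNSName` branch still takes the CSR's SAN strings as given with no authorisation check on the requested names, which this commit does not change. `sign` begins and ends outside this hunk.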
))
.addExtension(Extension.keyUsage,
true, new KeyUsage(KeyUsage.digitalSignature
- | KeyUsage.keyEncipherment
+ | KeyUsage.keyEncipherment
| KeyUsage.nonRepudiation))
.addExtension(Extension.extendedKeyUsage,
true, new ExtendedKeyUsage(ASN_WebUsage))
false, new GeneralNames(sans))
// .addExtension(MiscObjectIdentifiers.netscape, true, new NetscapeCertType(
// NetscapeCertType.sslClient|NetscapeCertType.sslClient))
- ;
-
+ ;
+
x509 = new JcaX509CertificateConverter().getCertificate(
xcb.build(BCFactory.contentSigner(caKey)));
} catch (GeneralSecurityException|OperatorCreationException e) {
} finally {
tt.done();
}
-
+
return new X509andChain(x509,x509cwi.trustChain);
}