* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
import org.onap.aaf.misc.env.Trans;
public class LocalCA extends CA {
-
private final static BigInteger ONE = new BigInteger("1");
// Extensions
private static final KeyPurposeId[] ASN_WebUsage = new KeyPurposeId[] {
KeyPurposeId.id_kp_serverAuth, // WebServer
KeyPurposeId.id_kp_clientAuth // WebClient
};
-
+
private final PrivateKey caKey;
private final X500Name issuer;
- private final SecureRandom random = new SecureRandom();
private BigInteger serial;
private final X509ChainWithIssuer x509cwi; // "Cert" is CACert
-
-
+
+
public LocalCA(Access access, final String name, final String env, final String[][] params) throws IOException, CertException {
super(access, name, env);
-
- serial = new BigInteger(64,random);
- if(params.length<1 || params[0].length<2) {
+ serial = new BigInteger(64,new SecureRandom());
+
+ if (params.length<1 || params[0].length<2) {
throw new IOException("LocalCA expects cm_ca.<ca name>=org.onap.aaf.auth.cm.ca.LocalCA,<full path to key file>[;<Full Path to Trust Chain, ending with actual CA>]+");
}
-
+
// Read in the Private Key
String configured;
File f = new File(params[0][0]);
- if(f.exists() && f.isFile()) {
+ if (f.exists() && f.isFile()) {
String fileName = f.getName();
- if(fileName.endsWith(".key")) {
+ if (fileName.endsWith(".key")) {
caKey = Factory.toPrivateKey(NullTrans.singleton(),f);
List<FileReader> frs = new ArrayList<>(params.length-1);
try {
String dir = access.getProperty(CM_PUBLIC_DIR, "");
- if(!"".equals(dir) && !dir.endsWith("/")) {
+ if (!"".equals(dir) && !dir.endsWith("/")) {
dir = dir + '/';
}
String path;
- for(int i=1; i<params[0].length; ++i) { // first param is Private Key, remainder are TrustChain
+ for
(int i=1; i<params[0].length; ++i) { // first param is Private Key, remainder are TrustChain
path = !params[0][i].contains("/")?dir+params[0][i]:params[0][i];
access.printf(Level.INIT, "Loading a TrustChain Member for %s from %s\n",name, path);
frs.add(new FileReader(path));
}
x509cwi = new X509ChainWithIssuer(frs);
} finally {
- for(FileReader fr : frs) {
- if(fr!=null) {
+ for (FileReader fr : frs) {
+ if (fr!=null) {
fr.close();
}
}
}
configured = "Configured with " + fileName;
} else {
- if(params.length<1 || params[0].length<3) {
+ if (params.length<1 || params[0].length<3) {
throw new CertException("LocalCA parameters must be <keystore [.p12|.pkcs12|.jks|.pkcs11(sun only)]; <alias>; enc:<encrypted Keystore Password>>");
}
try {
Provider p;
KeyStore keyStore;
FileInputStream fis = null;
- if(fileName.endsWith(".pkcs11")) {
+ if (fileName.endsWith(".pkcs11")) {
String ksType="PKCS11";
p = Factory.getSecurityProvider(ksType,params);
keyStore = KeyStore.getInstance(ksType,p);
- } else if(fileName.endsWith(".jks")) {
+ } else if (fileName.endsWith(".jks")) {
keyStore = KeyStore.getInstance("JKS");
fis = new FileInputStream(f);
- } else if(fileName.endsWith(".p12") || fileName.endsWith(".pkcs12")) {
+ } else if (fileName.endsWith(".p12") || fileName.endsWith(".pkcs12")) {
keyStore = KeyStore.getInstance("PKCS12");
fis = new FileInputStream(f);
} else {
throw new CertException("Unknown Keystore type from filename " + fileName);
}
-
+
KeyStore.ProtectionParameter keyPass;
try {
String pass = access.decrypt(params[0][2]/*encrypted passcode*/, true);
- if(pass==null) {
+ if (pass==null || pass.isEmpty()) {
throw new CertException("Passcode for " + fileName + " cannot be decrypted.");
}
char[] ksPass = pass.toCharArray();
keyStore.load(fis,ksPass);
} finally {
- if (fis != null)
+ if (fis != null) {
fis.close();
+ }
}
Entry entry;
- if(fileName.endsWith(".pkcs11")) {
+ if (fileName.endsWith(".pkcs11")) {
entry = keyStore.getEntry(params[0][1]/*alias*/, null);
} else {
entry = keyStore.getEntry(params[0][1]/*alias*/, keyPass);
}
- if(entry==null) {
+ if (entry==null) {
throw new CertException("There is no Keystore entry with name '" + params[0][1] +'\'');
}
PrivateKeyEntry privateKeyEntry = (PrivateKeyEntry)entry;
caKey = privateKeyEntry.getPrivateKey();
-
+
x509cwi = new X509ChainWithIssuer(privateKeyEntry.getCertificateChain());
configured = "keystore \"" + fileName + "\", alias " + params[0][1];
} catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | UnrecoverableEntryException e) {
} else {
throw new CertException("Private Key, " + f.getPath() + ", does not exist");
}
-
+
X500NameBuilder xnb = new X500NameBuilder();
List<RDN> rp = RDN.parse(',', x509cwi.getIssuerDN());
Collections.reverse(rp);
- for(RDN rnd : rp) {
+ for (RDN rnd : rp) {
xnb.addRDN(rnd.aoi,rnd.value);
}
issuer = xnb.build();
public X509andChain sign(Trans trans, CSRMeta csrmeta) throws IOException, CertException {
GregorianCalendar gc = new GregorianCalendar();
Date start = gc.getTime();
- gc.add(GregorianCalendar.MONTH, 6);
+ gc.add(GregorianCalendar.MONTH, 12);
Date end = gc.getTime();
X509Certificate x509;
TimeTaken tt = trans.start("Create/Sign Cert",Env.SUB);
try {
BigInteger bi;
-
+
synchronized(ONE) {
bi = serial;
serial = serial.add(ONE);
}
-
+
RSAPublicKey rpk = (RSAPublicKey)csrmeta.keypair(trans).getPublic();
X509v3CertificateBuilder xcb = new X509v3CertificateBuilder(
issuer,
// new SubjectPublicKeyInfo(ASN1Sequence.getInstance(caCert.getPublicKey().getEncoded()))
);
List<GeneralName> lsan = new ArrayList<>();
- for(String s : csrmeta.sans()) {
- lsan.add(new GeneralName(GeneralName.dNSName,s));
+ // Email
+ lsan.add(new GeneralName(GeneralName.rfc822Name,csrmeta.email()));
+ for (String s : csrmeta.sans()) {
+ if(IPV4_PATTERN.matcher(s).matches() || IPV6_PATTERN.matcher(s).matches()) {
+ lsan.add(new GeneralName(GeneralName.iPAddress,s));
+ } else {
+ lsan.add(new GeneralName(GeneralName.dNSName,s));
+ }
}
GeneralName[] sans = new GeneralName[lsan.size()];
lsan.toArray(sans);
))
.addExtension(Extension.keyUsage,
true, new KeyUsage(KeyUsage.digitalSignature
- | KeyUsage.keyEncipherment
+ | KeyUsage.keyEncipherment
| KeyUsage.nonRepudiation))
.addExtension(Extension.extendedKeyUsage,
true, new ExtendedKeyUsage(ASN_WebUsage))
false, new GeneralNames(sans))
// .addExtension(MiscObjectIdentifiers.netscape, true, new NetscapeCertType(
// NetscapeCertType.sslClient|NetscapeCertType.sslClient))
- ;
-
+ ;
+
x509 = new JcaX509CertificateConverter().getCertificate(
xcb.build(BCFactory.contentSigner(caKey)));
} catch (GeneralSecurityException|OperatorCreationException e) {
} finally {
tt.done();
}
-
+
return new X509andChain(x509,x509cwi.trustChain);
}
Code Review / aaf / authz.git / blobdiff