Do not depend on lighty-aaa module

The point of this rework is to not rely on other
lighty modules to run gnmi. Let's rather use
what is available from opendaylight instead.

Author: Tobianas

lighty-modules/lighty-gnmi/lighty-gnmi-sb/pom.xml

@@ -78,11 +78,6 @@
             <artifactId>jsonassert</artifactId>
             <scope>test</scope>
         </dependency>
-        <dependency>
-            <groupId>io.lighty.modules</groupId>
-            <artifactId>lighty-aaa-encryption-service</artifactId>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-subclass</artifactId>
@@ -103,10 +98,6 @@
             <artifactId>aaa-encrypt-service-impl</artifactId>
             <scope>test</scope>
         </dependency>
-      <dependency>
-        <groupId>io.lighty.modules</groupId>
-        <artifactId>lighty-aaa</artifactId>
-      </dependency>
     </dependencies>
 
 </project>

lighty-modules/lighty-gnmi/lighty-gnmi-sb/src/main/java/io/lighty/gnmi/southbound/device/session/security/KeystoreGnmiSecurityProvider.java

@@ -8,20 +8,28 @@
 
 package io.lighty.gnmi.southbound.device.session.security;
 
-import io.lighty.aaa.util.AAAConfigUtils;
 import io.lighty.gnmi.southbound.schema.certstore.service.CertificationStorageService;
 import io.lighty.gnmi.southbound.timeout.TimeoutUtils;
 import io.lighty.modules.gnmi.connector.configuration.SecurityFactory;
 import io.lighty.modules.gnmi.connector.security.Security;
 import java.io.IOException;
+import java.io.Reader;
 import java.io.StringReader;
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
+import java.security.Provider;
 import java.security.cert.CertificateException;
 import java.util.Optional;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMDecryptorProvider;
+import org.bouncycastle.openssl.PEMEncryptedKeyPair;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
 import org.opendaylight.yang.gen.v1.urn.lighty.gnmi.certificate.storage.rev210504.Keystore;
 import org.opendaylight.yang.gen.v1.urn.lighty.gnmi.topology.rev210316.GnmiNode;
 import org.opendaylight.yang.gen.v1.urn.lighty.gnmi.topology.rev210316.security.SecurityChoice;
@@ -100,7 +108,7 @@ private Security createSecurityFromKeystore(final KeyPair keyPair, final Keystor
 
     private KeyPair getKeyPair(final String clientKey, final String passphrase) throws SessionSecurityException {
         try {
-            return AAAConfigUtils.decodePrivateKey(
+            return decodePrivateKey(
                     new StringReader(this.certService
                             .decrypt(clientKey)
                             .replace("\\\\n", "\n")),
@@ -112,4 +120,24 @@ private KeyPair getKeyPair(final String clientKey, final String passphrase) thro
             throw new RuntimeException(e);
         }
     }
+
+    public static KeyPair decodePrivateKey(final Reader reader, final String passphrase) throws IOException {
+        try (PEMParser keyReader = new PEMParser(reader)) {
+            final Provider bcprov;
+            final var prov = java.security.Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
+            bcprov = prov != null ? prov : new BouncyCastleProvider();
+            JcaPEMKeyConverter converter = new JcaPEMKeyConverter();
+            PEMDecryptorProvider decryptionProv = new JcePEMDecryptorProviderBuilder().setProvider(bcprov)
+                .build(passphrase.toCharArray());
+
+            Object privateKey = keyReader.readObject();
+            KeyPair keyPair;
+            if (privateKey instanceof PEMEncryptedKeyPair pemPrivateKey) {
+                keyPair = converter.getKeyPair(pemPrivateKey.decryptKeyPair(decryptionProv));
+            } else {
+                keyPair = converter.getKeyPair((PEMKeyPair) privateKey);
+            }
+            return keyPair;
+        }
+    }
 }

lighty-modules/lighty-gnmi/lighty-gnmi-sb/src/test/java/io/lighty/gnmi/southbound/device/KeystoreGnmiSecurityTest.java

@@ -20,7 +20,6 @@
 import com.google.common.util.concurrent.ListenableFuture;
 import io.grpc.ConnectivityState;
 import io.grpc.ManagedChannel;
-import io.lighty.aaa.encrypt.service.impl.AAAEncryptionServiceImpl;
 import io.lighty.gnmi.southbound.device.connection.DeviceConnection;
 import io.lighty.gnmi.southbound.device.connection.DeviceConnectionInitializer;
 import io.lighty.gnmi.southbound.device.session.security.KeystoreGnmiSecurityProvider;
@@ -36,22 +35,12 @@
 import java.nio.charset.Charset;
 import java.nio.file.Files;
 import java.nio.file.Paths;
-import java.security.InvalidAlgorithmParameterException;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.KeySpec;
-import java.util.Base64;
 import java.util.Optional;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.TimeUnit;
-import javax.crypto.NoSuchPaddingException;
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.GCMParameterSpec;
-import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.SecretKeySpec;
+import javax.crypto.BadPaddingException;
+import javax.crypto.IllegalBlockSizeException;
 import javax.xml.bind.DatatypeConverter;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.Assertions;
@@ -60,13 +49,15 @@
 import org.mockito.ArgumentCaptor;
 import org.mockito.MockitoAnnotations;
 import org.mockito.Spy;
+import org.opendaylight.aaa.encrypt.impl.AAAEncryptionServiceImpl;
 import org.opendaylight.mdsal.binding.api.ReadTransaction;
 import org.opendaylight.mdsal.binding.api.WriteTransaction;
 import org.opendaylight.mdsal.binding.dom.adapter.BindingDOMDataBrokerAdapter;
 import org.opendaylight.mdsal.common.api.CommitInfo;
 import org.opendaylight.mdsal.common.api.LogicalDatastoreType;
 import org.opendaylight.yang.gen.v1.config.aaa.authn.encrypt.service.config.rev240202.AaaEncryptServiceConfig;
 import org.opendaylight.yang.gen.v1.config.aaa.authn.encrypt.service.config.rev240202.AaaEncryptServiceConfigBuilder;
+import org.opendaylight.yang.gen.v1.config.aaa.authn.encrypt.service.config.rev240202.EncryptServiceConfig;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Host;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.IpAddress;
 import org.opendaylight.yang.gen.v1.urn.ietf.params.xml.ns.yang.ietf.inet.types.rev130715.Ipv4Address;
@@ -413,7 +404,7 @@ private static InstanceIdentifier<Keystore> getKeystore2Identifier() {
                 .build();
     }
 
-    private static Keystore getKeystore1WithPassResponse() {
+    private static Keystore getKeystore1WithPassResponse() throws IllegalBlockSizeException, BadPaddingException {
         return new KeystoreBuilder()
                 .setCaCertificate(getResource(CA_CRT))
                 .setClientCert(getResource(CLIENT_ENCRYPTED_CRT))
@@ -426,7 +417,7 @@ private static Keystore getKeystore1WithPassResponse() {
                 .build();
     }
 
-    private static Keystore getKeystore2Response() {
+    private static Keystore getKeystore2Response() throws IllegalBlockSizeException, BadPaddingException {
         return new KeystoreBuilder().setCaCertificate(getResource(CA_CRT)).setClientCert(getResource(CLIENT_CRT))
                 .setClientKey(DatatypeConverter.printBase64Binary(
                         (AAA_ENCRYPTION_SERVICE.encrypt((getResource(CLIENT_KEY).getBytes())))))
@@ -447,26 +438,25 @@ private static String getResource(String path) {
     }
 
     private static AAAEncryptionServiceImpl createEncryptionServiceWithErrorHandling() {
-        try {
-            return createEncryptionService();
-        } catch (NoSuchPaddingException | NoSuchAlgorithmException | InvalidKeySpecException
-                | InvalidAlgorithmParameterException | InvalidKeyException e) {
-            throw new RuntimeException("Failed to create encryption service", e);
-        }
+        return createEncryptionService();
     }
 
-    private static AAAEncryptionServiceImpl createEncryptionService() throws NoSuchPaddingException,
-            NoSuchAlgorithmException, InvalidKeySpecException, InvalidAlgorithmParameterException, InvalidKeyException {
-        final AaaEncryptServiceConfig encrySrvConfig = getDefaultAaaEncryptServiceConfig();
-        final byte[] encryptionKeySalt = Base64.getDecoder().decode(encrySrvConfig.getEncryptSalt());
-        final SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(encrySrvConfig.getEncryptMethod());
-        final KeySpec keySpec = new PBEKeySpec(encrySrvConfig.getEncryptKey().toCharArray(), encryptionKeySalt,
-                encrySrvConfig.getEncryptIterationCount(), encrySrvConfig.getEncryptKeyLength());
-        final SecretKey key = new SecretKeySpec(keyFactory.generateSecret(keySpec).getEncoded(),
-                encrySrvConfig.getEncryptType());
-        final GCMParameterSpec ivParameterSpec = new GCMParameterSpec(encrySrvConfig.getAuthTagLength(),
-                encryptionKeySalt);
-        return new AAAEncryptionServiceImpl(ivParameterSpec, encrySrvConfig.getCipherTransforms(), key);
+    private static AAAEncryptionServiceImpl createEncryptionService() {
+        // Build configuration from your test constants
+        AaaEncryptServiceConfig config = new AaaEncryptServiceConfigBuilder()
+            .setEncryptKey("V1S1ED4OMeEh")
+            .setPasswordLength(12)
+            .setEncryptSalt("TdtWeHbch/7xP52/rp3Usw==")
+            .setEncryptMethod("PBKDF2WithHmacSHA1")
+            .setEncryptType("AES")
+            .setEncryptIterationCount(32768)
+            .setEncryptKeyLength(128)
+            .setAuthTagLength(128)
+            .setCipherTransforms("AES/GCM/NoPadding")
+            .build();
+
+        // The ODL impl expects EncryptServiceConfig, so cast is fine
+        return new AAAEncryptionServiceImpl((EncryptServiceConfig) config);
     }
 
     private static AaaEncryptServiceConfig getDefaultAaaEncryptServiceConfig() {

lighty-modules/lighty-gnmi/lighty-gnmi-sb/src/test/java/io/lighty/gnmi/southbound/lightymodule/GnmiSouthBoundModuleTest.java

@@ -9,29 +9,21 @@
 
 import static org.mockito.Mockito.when;
 
-import io.lighty.aaa.encrypt.service.impl.AAAEncryptionServiceImpl;
 import io.lighty.core.controller.api.LightyController;
 import io.lighty.core.controller.impl.LightyControllerBuilder;
 import io.lighty.core.controller.impl.util.ControllerConfigUtils;
 import io.lighty.gnmi.southbound.lightymodule.config.GnmiConfiguration;
 import io.lighty.gnmi.southbound.lightymodule.util.GnmiConfigUtils;
-import java.security.NoSuchAlgorithmException;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.KeySpec;
-import java.util.Base64;
 import java.util.List;
-import java.util.concurrent.Executors;
 import java.util.concurrent.TimeUnit;
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.GCMParameterSpec;
-import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.SecretKeySpec;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
+import org.opendaylight.aaa.encrypt.impl.AAAEncryptionServiceImpl;
 import org.opendaylight.yang.gen.v1.config.aaa.authn.encrypt.service.config.rev240202.AaaEncryptServiceConfig;
 import org.opendaylight.yang.gen.v1.config.aaa.authn.encrypt.service.config.rev240202.AaaEncryptServiceConfigBuilder;
+import org.opendaylight.yang.gen.v1.config.aaa.authn.encrypt.service.config.rev240202.EncryptServiceConfig;
+
 
 public class GnmiSouthBoundModuleTest {
 
@@ -72,27 +64,24 @@ public void gnmiModuleStartFailedTest() throws Exception {
         Assertions.assertTrue(services.shutdown(MODULE_TIMEOUT, MODULE_TIME_UNIT));
     }
 
-    private static AAAEncryptionServiceImpl createEncryptionService()
-            throws NoSuchAlgorithmException, InvalidKeySpecException {
-        final AaaEncryptServiceConfig encrySrvConfig = getDefaultAaaEncryptServiceConfig();
-        final byte[] encryptionKeySalt = Base64.getDecoder().decode(encrySrvConfig.getEncryptSalt());
-        final SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(encrySrvConfig.getEncryptMethod());
-        final KeySpec keySpec = new PBEKeySpec(encrySrvConfig.getEncryptKey().toCharArray(), encryptionKeySalt,
-                encrySrvConfig.getEncryptIterationCount(), encrySrvConfig.getEncryptKeyLength());
-        final SecretKey key
-                = new SecretKeySpec(keyFactory.generateSecret(keySpec).getEncoded(), encrySrvConfig.getEncryptType());
-        final GCMParameterSpec ivParameterSpec = new GCMParameterSpec(encrySrvConfig.getAuthTagLength(),
-                encryptionKeySalt);
-        return new AAAEncryptionServiceImpl(ivParameterSpec, encrySrvConfig.getCipherTransforms(), key);
-    }
+    /**
+     * Creates the official ODL AAAEncryptionServiceImpl with a test configuration.
+     */
+    private static AAAEncryptionServiceImpl createEncryptionService() {
+        final AaaEncryptServiceConfig config = new AaaEncryptServiceConfigBuilder()
+            .setEncryptKey("V1S1ED4OMeEh")
+            .setPasswordLength(12)
+            .setEncryptSalt("TdtWeHbch/7xP52/rp3Usw==")
+            .setEncryptMethod("PBKDF2WithHmacSHA1")
+            .setEncryptType("AES")
+            .setEncryptIterationCount(32768)
+            .setEncryptKeyLength(128)
+            .setAuthTagLength(128)
+            .setCipherTransforms("AES/GCM/NoPadding")
+            .build();
 
-    private static AaaEncryptServiceConfig getDefaultAaaEncryptServiceConfig() {
-        return new AaaEncryptServiceConfigBuilder().setEncryptKey("V1S1ED4OMeEh")
-                .setPasswordLength(12).setEncryptSalt("TdtWeHbch/7xP52/rp3Usw==")
-                .setEncryptMethod("PBKDF2WithHmacSHA1").setEncryptType("AES")
-                .setEncryptIterationCount(32768).setEncryptKeyLength(128)
-                .setAuthTagLength(128)
-                .setCipherTransforms("AES/GCM/NoPadding").build();
+        // This constructor internally handles key derivation, IV setup, etc.
+        return new AAAEncryptionServiceImpl((EncryptServiceConfig) config);
     }
 }
 

lighty-modules/lighty-gnmi/lighty-gnmi-test/src/test/java/io/lighty/modules/gnmi/test/utils/TestUtils.java

@@ -9,7 +9,7 @@
 package io.lighty.modules.gnmi.test.utils;
 
 import com.google.common.io.CharStreams;
-import io.lighty.aaa.util.AAAConfigUtils;
+import io.lighty.gnmi.southbound.device.session.security.KeystoreGnmiSecurityProvider;
 import io.lighty.gnmi.southbound.device.session.security.SessionSecurityException;
 import io.lighty.modules.gnmi.connector.configuration.SecurityFactory;
 import io.lighty.modules.gnmi.connector.gnmi.session.impl.GnmiSessionFactoryImpl;
@@ -51,7 +51,7 @@ public static SessionManager createSessionManagerWithCerts() throws IOException,
 
     private static KeyPair getKeyPair(final String clientKey) throws SessionSecurityException {
         try {
-            return AAAConfigUtils.decodePrivateKey(new StringReader(clientKey), PASSPHRASE);
+            return KeystoreGnmiSecurityProvider.decodePrivateKey(new StringReader(clientKey), PASSPHRASE);
         } catch (IOException e) {
             throw new SessionSecurityException("Error while creating KeyPair from private key and passphrase", e);
         }