/* | |
* Copyright 2012 gitblit.com. | |
* | |
* Licensed under the Apache License, Version 2.0 (the "License"); | |
* you may not use this file except in compliance with the License. | |
* You may obtain a copy of the License at | |
* | |
* http://www.apache.org/licenses/LICENSE-2.0 | |
* | |
* Unless required by applicable law or agreed to in writing, software | |
* distributed under the License is distributed on an "AS IS" BASIS, | |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
* See the License for the specific language governing permissions and | |
* limitations under the License. | |
*/ | |
package com.gitblit.utils; | |
import java.io.File; | |
import java.io.FileInputStream; | |
import java.io.FileOutputStream; | |
import java.io.FileWriter; | |
import java.io.IOException; | |
import java.io.InputStream; | |
import java.lang.reflect.Field; | |
import java.math.BigInteger; | |
import java.security.InvalidKeyException; | |
import java.security.KeyPair; | |
import java.security.KeyPairGenerator; | |
import java.security.KeyStore; | |
import java.security.NoSuchAlgorithmException; | |
import java.security.PrivateKey; | |
import java.security.SecureRandom; | |
import java.security.Security; | |
import java.security.SignatureException; | |
import java.security.cert.CertPathBuilder; | |
import java.security.cert.CertPathBuilderException; | |
import java.security.cert.CertStore; | |
import java.security.cert.Certificate; | |
import java.security.cert.CertificateEncodingException; | |
import java.security.cert.CertificateFactory; | |
import java.security.cert.CollectionCertStoreParameters; | |
import java.security.cert.PKIXBuilderParameters; | |
import java.security.cert.PKIXCertPathBuilderResult; | |
import java.security.cert.TrustAnchor; | |
import java.security.cert.X509CRL; | |
import java.security.cert.X509CertSelector; | |
import java.security.cert.X509Certificate; | |
import java.text.MessageFormat; | |
import java.text.SimpleDateFormat; | |
import java.util.ArrayList; | |
import java.util.Arrays; | |
import java.util.Calendar; | |
import java.util.Date; | |
import java.util.HashMap; | |
import java.util.HashSet; | |
import java.util.List; | |
import java.util.Map; | |
import java.util.Set; | |
import java.util.TimeZone; | |
import java.util.zip.ZipEntry; | |
import java.util.zip.ZipOutputStream; | |
import javax.crypto.Cipher; | |
import javax.naming.ldap.LdapName; | |
import org.bouncycastle.asn1.ASN1ObjectIdentifier; | |
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; | |
import org.bouncycastle.asn1.x500.X500Name; | |
import org.bouncycastle.asn1.x500.X500NameBuilder; | |
import org.bouncycastle.asn1.x500.style.BCStyle; | |
import org.bouncycastle.asn1.x509.BasicConstraints; | |
import org.bouncycastle.asn1.x509.GeneralName; | |
import org.bouncycastle.asn1.x509.GeneralNames; | |
import org.bouncycastle.asn1.x509.KeyUsage; | |
import org.bouncycastle.asn1.x509.X509Extension; | |
import org.bouncycastle.cert.X509CRLHolder; | |
import org.bouncycastle.cert.X509v2CRLBuilder; | |
import org.bouncycastle.cert.X509v3CertificateBuilder; | |
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; | |
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; | |
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; | |
import org.bouncycastle.jce.PrincipalUtil; | |
import org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier; | |
import org.bouncycastle.openssl.PEMEncryptor; | |
import org.bouncycastle.openssl.PEMWriter; | |
import org.bouncycastle.openssl.jcajce.JcaPEMWriter; | |
import org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder; | |
import org.bouncycastle.operator.ContentSigner; | |
import org.bouncycastle.operator.OperatorCreationException; | |
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; | |
import org.slf4j.Logger; | |
import org.slf4j.LoggerFactory; | |
import com.gitblit.Constants; | |
/** | |
* Utility class to generate X509 certificates, keystores, and truststores. | |
* | |
* @author James Moger | |
* | |
*/ | |
public class X509Utils { | |
public static final String SERVER_KEY_STORE = "serverKeyStore.jks"; | |
public static final String SERVER_TRUST_STORE = "serverTrustStore.jks"; | |
public static final String CERTS = "certs"; | |
public static final String CA_KEY_STORE = "certs/caKeyStore.p12"; | |
public static final String CA_REVOCATION_LIST = "certs/caRevocationList.crl"; | |
public static final String CA_CONFIG = "certs/authority.conf"; | |
public static final String CA_CN = "Gitblit Certificate Authority"; | |
public static final String CA_ALIAS = CA_CN; | |
private static final String BC = org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME; | |
private static final int KEY_LENGTH = 2048; | |
private static final String KEY_ALGORITHM = "RSA"; | |
private static final String SIGNING_ALGORITHM = "SHA512withRSA"; | |
public static final boolean unlimitedStrength; | |
private static final Logger logger = LoggerFactory.getLogger(X509Utils.class); | |
static { | |
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); | |
// check for JCE Unlimited Strength | |
int maxKeyLen = 0; | |
try { | |
maxKeyLen = Cipher.getMaxAllowedKeyLength("AES"); | |
} catch (NoSuchAlgorithmException e) { | |
} | |
unlimitedStrength = maxKeyLen > 128; | |
if (unlimitedStrength) { | |
logger.info("Using JCE Unlimited Strength Jurisdiction Policy files"); | |
} else { | |
logger.info("Using JCE Standard Encryption Policy files, encryption key lengths will be limited"); | |
} | |
} | |
public static enum RevocationReason { | |
// https://en.wikipedia.org/wiki/Revocation_list | |
unspecified, keyCompromise, caCompromise, affiliationChanged, superseded, | |
cessationOfOperation, certificateHold, unused, removeFromCRL, privilegeWithdrawn, | |
ACompromise; | |
public static RevocationReason [] reasons = { | |
unspecified, keyCompromise, caCompromise, | |
affiliationChanged, superseded, cessationOfOperation, | |
privilegeWithdrawn }; | |
@Override | |
public String toString() { | |
return name() + " (" + ordinal() + ")"; | |
} | |
} | |
public interface X509Log { | |
void log(String message); | |
} | |
public static class X509Metadata { | |
// map for distinguished name OIDs | |
public final Map<String, String> oids; | |
// CN in distingiushed name | |
public final String commonName; | |
// password for store | |
public final String password; | |
// password hint for README in bundle | |
public String passwordHint; | |
// E or EMAILADDRESS in distinguished name | |
public String emailAddress; | |
// start date of generated certificate | |
public Date notBefore; | |
// expiraiton date of generated certificate | |
public Date notAfter; | |
// hostname of server for which certificate is generated | |
public String serverHostname; | |
// displayname of user for README in bundle | |
public String userDisplayname; | |
// serialnumber of generated or read certificate | |
public String serialNumber; | |
public X509Metadata(String cn, String pwd) { | |
if (StringUtils.isEmpty(cn)) { | |
throw new RuntimeException("Common name required!"); | |
} | |
if (StringUtils.isEmpty(pwd)) { | |
throw new RuntimeException("Password required!"); | |
} | |
commonName = cn; | |
password = pwd; | |
Calendar c = Calendar.getInstance(TimeZone.getDefault()); | |
c.set(Calendar.SECOND, 0); | |
c.set(Calendar.MILLISECOND, 0); | |
notBefore = c.getTime(); | |
c.add(Calendar.YEAR, 1); | |
c.add(Calendar.DATE, 1); | |
notAfter = c.getTime(); | |
oids = new HashMap<String, String>(); | |
} | |
public X509Metadata clone(String commonName, String password) { | |
X509Metadata clone = new X509Metadata(commonName, password); | |
clone.emailAddress = emailAddress; | |
clone.notBefore = notBefore; | |
clone.notAfter = notAfter; | |
clone.oids.putAll(oids); | |
clone.passwordHint = passwordHint; | |
clone.serverHostname = serverHostname; | |
clone.userDisplayname = userDisplayname; | |
return clone; | |
} | |
public String getOID(String oid, String defaultValue) { | |
if (oids.containsKey(oid)) { | |
return oids.get(oid); | |
} | |
return defaultValue; | |
} | |
public void setOID(String oid, String value) { | |
if (StringUtils.isEmpty(value)) { | |
oids.remove(oid); | |
} else { | |
oids.put(oid, value); | |
} | |
} | |
} | |
/** | |
* Prepare all the certificates and stores necessary for a Gitblit GO server. | |
* | |
* @param metadata | |
* @param folder | |
* @param x509log | |
*/ | |
public static void prepareX509Infrastructure(X509Metadata metadata, File folder, X509Log x509log) { | |
// make the specified folder, if necessary | |
folder.mkdirs(); | |
// Gitblit CA certificate | |
File caKeyStore = new File(folder, CA_KEY_STORE); | |
if (!caKeyStore.exists()) { | |
logger.info(MessageFormat.format("Generating {0} ({1})", CA_CN, caKeyStore.getAbsolutePath())); | |
X509Certificate caCert = newCertificateAuthority(metadata, caKeyStore, x509log); | |
saveCertificate(caCert, new File(caKeyStore.getParentFile(), "ca.cer")); | |
} | |
// Gitblit CRL | |
File caRevocationList = new File(folder, CA_REVOCATION_LIST); | |
if (!caRevocationList.exists()) { | |
logger.info(MessageFormat.format("Generating {0} CRL ({1})", CA_CN, caRevocationList.getAbsolutePath())); | |
newCertificateRevocationList(caRevocationList, caKeyStore, metadata.password); | |
x509log.log("new certificate revocation list created"); | |
} | |
// rename the old keystore to the new name | |
File oldKeyStore = new File(folder, "keystore"); | |
if (oldKeyStore.exists()) { | |
oldKeyStore.renameTo(new File(folder, SERVER_KEY_STORE)); | |
logger.info(MessageFormat.format("Renaming {0} to {1}", oldKeyStore.getName(), SERVER_KEY_STORE)); | |
} | |
// create web SSL certificate signed by CA | |
File serverKeyStore = new File(folder, SERVER_KEY_STORE); | |
if (!serverKeyStore.exists()) { | |
logger.info(MessageFormat.format("Generating SSL certificate for {0} signed by {1} ({2})", metadata.commonName, CA_CN, serverKeyStore.getAbsolutePath())); | |
PrivateKey caPrivateKey = getPrivateKey(CA_ALIAS, caKeyStore, metadata.password); | |
X509Certificate caCert = getCertificate(CA_ALIAS, caKeyStore, metadata.password); | |
newSSLCertificate(metadata, caPrivateKey, caCert, serverKeyStore, x509log); | |
} | |
// server certificate trust store holds trusted public certificates | |
File serverTrustStore = new File(folder, X509Utils.SERVER_TRUST_STORE); | |
if (!serverTrustStore.exists()) { | |
logger.info(MessageFormat.format("Importing {0} into trust store ({1})", CA_ALIAS, serverTrustStore.getAbsolutePath())); | |
X509Certificate caCert = getCertificate(CA_ALIAS, caKeyStore, metadata.password); | |
addTrustedCertificate(CA_ALIAS, caCert, serverTrustStore, metadata.password); | |
} | |
} | |
/** | |
* Open a keystore. Store type is determined by file extension of name. If | |
* undetermined, JKS is assumed. The keystore does not need to exist. | |
* | |
* @param storeFile | |
* @param storePassword | |
* @return a KeyStore | |
*/ | |
public static KeyStore openKeyStore(File storeFile, String storePassword) { | |
String lc = storeFile.getName().toLowerCase(); | |
String type = "JKS"; | |
String provider = null; | |
if (lc.endsWith(".p12") || lc.endsWith(".pfx")) { | |
type = "PKCS12"; | |
provider = BC; | |
} | |
try { | |
KeyStore store; | |
if (provider == null) { | |
store = KeyStore.getInstance(type); | |
} else { | |
store = KeyStore.getInstance(type, provider); | |
} | |
if (storeFile.exists()) { | |
FileInputStream fis = null; | |
try { | |
fis = new FileInputStream(storeFile); | |
store.load(fis, storePassword.toCharArray()); | |
} finally { | |
if (fis != null) { | |
fis.close(); | |
} | |
} | |
} else { | |
store.load(null); | |
} | |
return store; | |
} catch (Exception e) { | |
throw new RuntimeException("Could not open keystore " + storeFile, e); | |
} | |
} | |
/** | |
* Saves the keystore to the specified file. | |
* | |
* @param targetStoreFile | |
* @param store | |
* @param password | |
*/ | |
public static void saveKeyStore(File targetStoreFile, KeyStore store, String password) { | |
File folder = targetStoreFile.getAbsoluteFile().getParentFile(); | |
if (!folder.exists()) { | |
folder.mkdirs(); | |
} | |
File tmpFile = new File(folder, Long.toHexString(System.currentTimeMillis()) + ".tmp"); | |
FileOutputStream fos = null; | |
try { | |
fos = new FileOutputStream(tmpFile); | |
store.store(fos, password.toCharArray()); | |
fos.flush(); | |
fos.close(); | |
if (targetStoreFile.exists()) { | |
targetStoreFile.delete(); | |
} | |
tmpFile.renameTo(targetStoreFile); | |
} catch (IOException e) { | |
String message = e.getMessage().toLowerCase(); | |
if (message.contains("illegal key size")) { | |
throw new RuntimeException("Illegal Key Size! You might consider installing the JCE Unlimited Strength Jurisdiction Policy files for your JVM."); | |
} else { | |
throw new RuntimeException("Could not save keystore " + targetStoreFile, e); | |
} | |
} catch (Exception e) { | |
throw new RuntimeException("Could not save keystore " + targetStoreFile, e); | |
} finally { | |
if (fos != null) { | |
try { | |
fos.close(); | |
} catch (IOException e) { | |
} | |
} | |
if (tmpFile.exists()) { | |
tmpFile.delete(); | |
} | |
} | |
} | |
/** | |
* Retrieves the X509 certificate with the specified alias from the certificate | |
* store. | |
* | |
* @param alias | |
* @param storeFile | |
* @param storePassword | |
* @return the certificate | |
*/ | |
public static X509Certificate getCertificate(String alias, File storeFile, String storePassword) { | |
try { | |
KeyStore store = openKeyStore(storeFile, storePassword); | |
X509Certificate caCert = (X509Certificate) store.getCertificate(alias); | |
return caCert; | |
} catch (Exception e) { | |
throw new RuntimeException(e); | |
} | |
} | |
/** | |
* Retrieves the private key for the specified alias from the certificate | |
* store. | |
* | |
* @param alias | |
* @param storeFile | |
* @param storePassword | |
* @return the private key | |
*/ | |
public static PrivateKey getPrivateKey(String alias, File storeFile, String storePassword) { | |
try { | |
KeyStore store = openKeyStore(storeFile, storePassword); | |
PrivateKey key = (PrivateKey) store.getKey(alias, storePassword.toCharArray()); | |
return key; | |
} catch (Exception e) { | |
throw new RuntimeException(e); | |
} | |
} | |
/** | |
* Saves the certificate to the file system. If the destination filename | |
* ends with the pem extension, the certificate is written in the PEM format, | |
* otherwise the certificate is written in the DER format. | |
* | |
* @param cert | |
* @param targetFile | |
*/ | |
public static void saveCertificate(X509Certificate cert, File targetFile) { | |
File folder = targetFile.getAbsoluteFile().getParentFile(); | |
if (!folder.exists()) { | |
folder.mkdirs(); | |
} | |
File tmpFile = new File(folder, Long.toHexString(System.currentTimeMillis()) + ".tmp"); | |
try { | |
boolean asPem = targetFile.getName().toLowerCase().endsWith(".pem"); | |
if (asPem) { | |
// PEM encoded X509 | |
PEMWriter pemWriter = null; | |
try { | |
pemWriter = new PEMWriter(new FileWriter(tmpFile)); | |
pemWriter.writeObject(cert); | |
pemWriter.flush(); | |
} finally { | |
if (pemWriter != null) { | |
pemWriter.close(); | |
} | |
} | |
} else { | |
// DER encoded X509 | |
FileOutputStream fos = null; | |
try { | |
fos = new FileOutputStream(tmpFile); | |
fos.write(cert.getEncoded()); | |
fos.flush(); | |
} finally { | |
if (fos != null) { | |
fos.close(); | |
} | |
} | |
} | |
// rename tmp file to target | |
if (targetFile.exists()) { | |
targetFile.delete(); | |
} | |
tmpFile.renameTo(targetFile); | |
} catch (Exception e) { | |
if (tmpFile.exists()) { | |
tmpFile.delete(); | |
} | |
throw new RuntimeException("Failed to save certificate " + cert.getSubjectX500Principal().getName(), e); | |
} | |
} | |
/** | |
* Generate a new keypair. | |
* | |
* @return a keypair | |
* @throws Exception | |
*/ | |
private static KeyPair newKeyPair() throws Exception { | |
KeyPairGenerator kpGen = KeyPairGenerator.getInstance(KEY_ALGORITHM, BC); | |
kpGen.initialize(KEY_LENGTH, new SecureRandom()); | |
return kpGen.generateKeyPair(); | |
} | |
/** | |
* Builds a distinguished name from the X509Metadata. | |
* | |
* @return a DN | |
*/ | |
private static X500Name buildDistinguishedName(X509Metadata metadata) { | |
X500NameBuilder dnBuilder = new X500NameBuilder(BCStyle.INSTANCE); | |
setOID(dnBuilder, metadata, "C", null); | |
setOID(dnBuilder, metadata, "ST", null); | |
setOID(dnBuilder, metadata, "L", null); | |
setOID(dnBuilder, metadata, "O", Constants.NAME); | |
setOID(dnBuilder, metadata, "OU", Constants.NAME); | |
setOID(dnBuilder, metadata, "E", metadata.emailAddress); | |
setOID(dnBuilder, metadata, "CN", metadata.commonName); | |
X500Name dn = dnBuilder.build(); | |
return dn; | |
} | |
private static void setOID(X500NameBuilder dnBuilder, X509Metadata metadata, | |
String oid, String defaultValue) { | |
String value = null; | |
if (metadata.oids != null && metadata.oids.containsKey(oid)) { | |
value = metadata.oids.get(oid); | |
} | |
if (StringUtils.isEmpty(value)) { | |
value = defaultValue; | |
} | |
if (!StringUtils.isEmpty(value)) { | |
try { | |
Field field = BCStyle.class.getField(oid); | |
ASN1ObjectIdentifier objectId = (ASN1ObjectIdentifier) field.get(null); | |
dnBuilder.addRDN(objectId, value); | |
} catch (Exception e) { | |
logger.error(MessageFormat.format("Failed to set OID \"{0}\"!", oid) ,e); | |
} | |
} | |
} | |
/** | |
* Creates a new SSL certificate signed by the CA private key and stored in | |
* keyStore. | |
* | |
* @param sslMetadata | |
* @param caPrivateKey | |
* @param caCert | |
* @param targetStoreFile | |
* @param x509log | |
*/ | |
public static X509Certificate newSSLCertificate(X509Metadata sslMetadata, PrivateKey caPrivateKey, X509Certificate caCert, File targetStoreFile, X509Log x509log) { | |
try { | |
KeyPair pair = newKeyPair(); | |
X500Name webDN = buildDistinguishedName(sslMetadata); | |
X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName()); | |
X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder( | |
issuerDN, | |
BigInteger.valueOf(System.currentTimeMillis()), | |
sslMetadata.notBefore, | |
sslMetadata.notAfter, | |
webDN, | |
pair.getPublic()); | |
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); | |
certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); | |
certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); | |
certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); | |
// support alternateSubjectNames for SSL certificates | |
List<GeneralName> altNames = new ArrayList<GeneralName>(); | |
if (HttpUtils.isIpAddress(sslMetadata.commonName)) { | |
altNames.add(new GeneralName(GeneralName.iPAddress, sslMetadata.commonName)); | |
} | |
if (altNames.size() > 0) { | |
GeneralNames subjectAltName = new GeneralNames(altNames.toArray(new GeneralName [altNames.size()])); | |
certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); | |
} | |
ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM) | |
.setProvider(BC).build(caPrivateKey); | |
X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC) | |
.getCertificate(certBuilder.build(caSigner)); | |
cert.checkValidity(new Date()); | |
cert.verify(caCert.getPublicKey()); | |
// Save to keystore | |
KeyStore serverStore = openKeyStore(targetStoreFile, sslMetadata.password); | |
serverStore.setKeyEntry(sslMetadata.commonName, pair.getPrivate(), sslMetadata.password.toCharArray(), | |
new Certificate[] { cert, caCert }); | |
saveKeyStore(targetStoreFile, serverStore, sslMetadata.password); | |
x509log.log(MessageFormat.format("New SSL certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getSubjectDN().getName())); | |
// update serial number in metadata object | |
sslMetadata.serialNumber = cert.getSerialNumber().toString(); | |
return cert; | |
} catch (Throwable t) { | |
throw new RuntimeException("Failed to generate SSL certificate!", t); | |
} | |
} | |
/** | |
* Creates a new certificate authority PKCS#12 store. This function will | |
* destroy any existing CA store. | |
* | |
* @param metadata | |
* @param storeFile | |
* @param keystorePassword | |
* @param x509log | |
* @return | |
*/ | |
public static X509Certificate newCertificateAuthority(X509Metadata metadata, File storeFile, X509Log x509log) { | |
try { | |
KeyPair caPair = newKeyPair(); | |
ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPair.getPrivate()); | |
// clone metadata | |
X509Metadata caMetadata = metadata.clone(CA_CN, metadata.password); | |
X500Name issuerDN = buildDistinguishedName(caMetadata); | |
// Generate self-signed certificate | |
X509v3CertificateBuilder caBuilder = new JcaX509v3CertificateBuilder( | |
issuerDN, | |
BigInteger.valueOf(System.currentTimeMillis()), | |
caMetadata.notBefore, | |
caMetadata.notAfter, | |
issuerDN, | |
caPair.getPublic()); | |
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); | |
caBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caPair.getPublic())); | |
caBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caPair.getPublic())); | |
caBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(true)); | |
caBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); | |
JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BC); | |
X509Certificate cert = converter.getCertificate(caBuilder.build(caSigner)); | |
// confirm the validity of the CA certificate | |
cert.checkValidity(new Date()); | |
cert.verify(cert.getPublicKey()); | |
// Delete existing keystore | |
if (storeFile.exists()) { | |
storeFile.delete(); | |
} | |
// Save private key and certificate to new keystore | |
KeyStore store = openKeyStore(storeFile, caMetadata.password); | |
store.setKeyEntry(CA_ALIAS, caPair.getPrivate(), caMetadata.password.toCharArray(), | |
new Certificate[] { cert }); | |
saveKeyStore(storeFile, store, caMetadata.password); | |
x509log.log(MessageFormat.format("New CA certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getIssuerDN().getName())); | |
// update serial number in metadata object | |
caMetadata.serialNumber = cert.getSerialNumber().toString(); | |
return cert; | |
} catch (Throwable t) { | |
throw new RuntimeException("Failed to generate Gitblit CA certificate!", t); | |
} | |
} | |
/** | |
* Creates a new certificate revocation list (CRL). This function will | |
* destroy any existing CRL file. | |
* | |
* @param caRevocationList | |
* @param storeFile | |
* @param keystorePassword | |
* @return | |
*/ | |
public static void newCertificateRevocationList(File caRevocationList, File caKeystoreFile, String caKeystorePassword) { | |
try { | |
// read the Gitblit CA key and certificate | |
KeyStore store = openKeyStore(caKeystoreFile, caKeystorePassword); | |
PrivateKey caPrivateKey = (PrivateKey) store.getKey(CA_ALIAS, caKeystorePassword.toCharArray()); | |
X509Certificate caCert = (X509Certificate) store.getCertificate(CA_ALIAS); | |
X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName()); | |
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerDN, new Date()); | |
// build and sign CRL with CA private key | |
ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey); | |
X509CRLHolder crl = crlBuilder.build(signer); | |
File tmpFile = new File(caRevocationList.getParentFile(), Long.toHexString(System.currentTimeMillis()) + ".tmp"); | |
FileOutputStream fos = null; | |
try { | |
fos = new FileOutputStream(tmpFile); | |
fos.write(crl.getEncoded()); | |
fos.flush(); | |
fos.close(); | |
if (caRevocationList.exists()) { | |
caRevocationList.delete(); | |
} | |
tmpFile.renameTo(caRevocationList); | |
} finally { | |
if (fos != null) { | |
fos.close(); | |
} | |
if (tmpFile.exists()) { | |
tmpFile.delete(); | |
} | |
} | |
} catch (Exception e) { | |
throw new RuntimeException("Failed to create new certificate revocation list " + caRevocationList, e); | |
} | |
} | |
/** | |
* Imports a certificate into the trust store. | |
* | |
* @param alias | |
* @param cert | |
* @param storeFile | |
* @param storePassword | |
*/ | |
public static void addTrustedCertificate(String alias, X509Certificate cert, File storeFile, String storePassword) { | |
try { | |
KeyStore store = openKeyStore(storeFile, storePassword); | |
store.setCertificateEntry(alias, cert); | |
saveKeyStore(storeFile, store, storePassword); | |
} catch (Exception e) { | |
throw new RuntimeException("Failed to import certificate into trust store " + storeFile, e); | |
} | |
} | |
/** | |
* Creates a new client certificate PKCS#12 and PEM store. Any existing | |
* stores are destroyed. After generation, the certificates are bundled | |
* into a zip file with a personalized README file. | |
* | |
* The zip file reference is returned. | |
* | |
* @param clientMetadata a container for dynamic parameters needed for generation | |
* @param caKeystoreFile | |
* @param caKeystorePassword | |
* @param x509log | |
* @return a zip file containing the P12, PEM, and personalized README | |
*/ | |
public static File newClientBundle(X509Metadata clientMetadata, File caKeystoreFile, | |
String caKeystorePassword, X509Log x509log) { | |
return newClientBundle(null,clientMetadata,caKeystoreFile,caKeystorePassword,x509log); | |
} | |
/** | |
* Creates a new client certificate PKCS#12 and PEM store. Any existing | |
* stores are destroyed. After generation, the certificates are bundled | |
* into a zip file with a personalized README file. | |
* | |
* The zip file reference is returned. | |
* | |
* @param user | |
* @param clientMetadata a container for dynamic parameters needed for generation | |
* @param caKeystoreFile | |
* @param caKeystorePassword | |
* @param x509log | |
* @return a zip file containing the P12, PEM, and personalized README | |
*/ | |
public static File newClientBundle(com.gitblit.models.UserModel user,X509Metadata clientMetadata, File caKeystoreFile, | |
String caKeystorePassword, X509Log x509log) { | |
try { | |
// read the Gitblit CA key and certificate | |
KeyStore store = openKeyStore(caKeystoreFile, caKeystorePassword); | |
PrivateKey caPrivateKey = (PrivateKey) store.getKey(CA_ALIAS, caKeystorePassword.toCharArray()); | |
X509Certificate caCert = (X509Certificate) store.getCertificate(CA_ALIAS); | |
// generate the P12 and PEM files | |
File targetFolder = new File(caKeystoreFile.getParentFile(), clientMetadata.commonName); | |
X509Certificate cert = newClientCertificate(clientMetadata, caPrivateKey, caCert, targetFolder); | |
x509log.log(MessageFormat.format("New client certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getSubjectDN().getName())); | |
// process template message | |
String readme = null; | |
String sInstructionsFileName = "instructions.tmpl"; | |
if( user == null ) | |
readme = processTemplate(new File(caKeystoreFile.getParentFile(),sInstructionsFileName), clientMetadata); | |
else{ | |
File fileInstructionsTmp = null; | |
if( (fileInstructionsTmp = new File(caKeystoreFile.getParentFile(),sInstructionsFileName+"_"+user.getPreferences().getLocale())).exists() ) | |
readme = processTemplate(fileInstructionsTmp,clientMetadata); | |
else | |
readme = processTemplate(new File(caKeystoreFile.getParentFile(),sInstructionsFileName),clientMetadata); | |
} | |
// Create a zip bundle with the p12, pem, and a personalized readme | |
File zipFile = new File(targetFolder, clientMetadata.commonName + ".zip"); | |
if (zipFile.exists()) { | |
zipFile.delete(); | |
} | |
ZipOutputStream zos = null; | |
try { | |
zos = new ZipOutputStream(new FileOutputStream(zipFile)); | |
File p12File = new File(targetFolder, clientMetadata.commonName + ".p12"); | |
if (p12File.exists()) { | |
zos.putNextEntry(new ZipEntry(p12File.getName())); | |
zos.write(FileUtils.readContent(p12File)); | |
zos.closeEntry(); | |
} | |
File pemFile = new File(targetFolder, clientMetadata.commonName + ".pem"); | |
if (pemFile.exists()) { | |
zos.putNextEntry(new ZipEntry(pemFile.getName())); | |
zos.write(FileUtils.readContent(pemFile)); | |
zos.closeEntry(); | |
} | |
// include user's public certificate | |
zos.putNextEntry(new ZipEntry(clientMetadata.commonName + ".cer")); | |
zos.write(cert.getEncoded()); | |
zos.closeEntry(); | |
// include CA public certificate | |
zos.putNextEntry(new ZipEntry("ca.cer")); | |
zos.write(caCert.getEncoded()); | |
zos.closeEntry(); | |
if (readme != null) { | |
zos.putNextEntry(new ZipEntry("README.TXT")); | |
zos.write(readme.getBytes("UTF-8")); | |
zos.closeEntry(); | |
} | |
zos.flush(); | |
} finally { | |
if (zos != null) { | |
zos.close(); | |
} | |
} | |
return zipFile; | |
} catch (Throwable t) { | |
throw new RuntimeException("Failed to generate client bundle!", t); | |
} | |
} | |
/** | |
* Creates a new client certificate PKCS#12 and PEM store. Any existing | |
* stores are destroyed. | |
* | |
* @param clientMetadata a container for dynamic parameters needed for generation | |
* @param caKeystoreFile | |
* @param caKeystorePassword | |
* @param targetFolder | |
* @return | |
*/ | |
public static X509Certificate newClientCertificate(X509Metadata clientMetadata, | |
PrivateKey caPrivateKey, X509Certificate caCert, File targetFolder) { | |
try { | |
KeyPair pair = newKeyPair(); | |
X500Name userDN = buildDistinguishedName(clientMetadata); | |
X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName()); | |
// create a new certificate signed by the Gitblit CA certificate | |
X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder( | |
issuerDN, | |
BigInteger.valueOf(System.currentTimeMillis()), | |
clientMetadata.notBefore, | |
clientMetadata.notAfter, | |
userDN, | |
pair.getPublic()); | |
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); | |
certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); | |
certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); | |
certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); | |
certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature)); | |
if (!StringUtils.isEmpty(clientMetadata.emailAddress)) { | |
GeneralNames subjectAltName = new GeneralNames( | |
new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress)); | |
certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); | |
} | |
ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey); | |
X509Certificate userCert = new JcaX509CertificateConverter().setProvider(BC).getCertificate(certBuilder.build(signer)); | |
PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier)pair.getPrivate(); | |
bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, | |
extUtils.createSubjectKeyIdentifier(pair.getPublic())); | |
// confirm the validity of the user certificate | |
userCert.checkValidity(); | |
userCert.verify(caCert.getPublicKey()); | |
userCert.getIssuerDN().equals(caCert.getSubjectDN()); | |
// verify user certificate chain | |
verifyChain(userCert, caCert); | |
targetFolder.mkdirs(); | |
// save certificate, stamped with unique name | |
String date = new SimpleDateFormat("yyyyMMdd").format(new Date()); | |
String id = date; | |
File certFile = new File(targetFolder, id + ".cer"); | |
int count = 0; | |
while (certFile.exists()) { | |
id = date + "_" + Character.toString((char) (0x61 + count)); | |
certFile = new File(targetFolder, id + ".cer"); | |
count++; | |
} | |
// save user private key, user certificate and CA certificate to a PKCS#12 store | |
File p12File = new File(targetFolder, clientMetadata.commonName + ".p12"); | |
if (p12File.exists()) { | |
p12File.delete(); | |
} | |
KeyStore userStore = openKeyStore(p12File, clientMetadata.password); | |
userStore.setKeyEntry(MessageFormat.format("Gitblit ({0}) {1} {2}", clientMetadata.serverHostname, clientMetadata.userDisplayname, id), pair.getPrivate(), null, new Certificate [] { userCert }); | |
userStore.setCertificateEntry(MessageFormat.format("Gitblit ({0}) Certificate Authority", clientMetadata.serverHostname), caCert); | |
saveKeyStore(p12File, userStore, clientMetadata.password); | |
// save user private key, user certificate, and CA certificate to a PEM store | |
File pemFile = new File(targetFolder, clientMetadata.commonName + ".pem"); | |
if (pemFile.exists()) { | |
pemFile.delete(); | |
} | |
JcePEMEncryptorBuilder builder = new JcePEMEncryptorBuilder("DES-EDE3-CBC"); | |
builder.setSecureRandom(new SecureRandom()); | |
PEMEncryptor pemEncryptor = builder.build(clientMetadata.password.toCharArray()); | |
JcaPEMWriter pemWriter = new JcaPEMWriter(new FileWriter(pemFile)); | |
pemWriter.writeObject(pair.getPrivate(), pemEncryptor); | |
pemWriter.writeObject(userCert); | |
pemWriter.writeObject(caCert); | |
pemWriter.flush(); | |
pemWriter.close(); | |
// save certificate after successfully creating the key stores | |
saveCertificate(userCert, certFile); | |
// update serial number in metadata object | |
clientMetadata.serialNumber = userCert.getSerialNumber().toString(); | |
return userCert; | |
} catch (Throwable t) { | |
throw new RuntimeException("Failed to generate client certificate!", t); | |
} | |
} | |
/** | |
* Verifies a certificate's chain to ensure that it will function properly. | |
* | |
* @param testCert | |
* @param additionalCerts | |
* @return | |
*/ | |
public static PKIXCertPathBuilderResult verifyChain(X509Certificate testCert, X509Certificate... additionalCerts) { | |
try { | |
// Check for self-signed certificate | |
if (isSelfSigned(testCert)) { | |
throw new RuntimeException("The certificate is self-signed. Nothing to verify."); | |
} | |
// Prepare a set of all certificates | |
// chain builder must have all certs, including cert to validate | |
// http://stackoverflow.com/a/10788392 | |
Set<X509Certificate> certs = new HashSet<X509Certificate>(); | |
certs.add(testCert); | |
certs.addAll(Arrays.asList(additionalCerts)); | |
// Attempt to build the certification chain and verify it | |
// Create the selector that specifies the starting certificate | |
X509CertSelector selector = new X509CertSelector(); | |
selector.setCertificate(testCert); | |
// Create the trust anchors (set of root CA certificates) | |
Set<TrustAnchor> trustAnchors = new HashSet<TrustAnchor>(); | |
for (X509Certificate cert : additionalCerts) { | |
if (isSelfSigned(cert)) { | |
trustAnchors.add(new TrustAnchor(cert, null)); | |
} | |
} | |
// Configure the PKIX certificate builder | |
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustAnchors, selector); | |
pkixParams.setRevocationEnabled(false); | |
pkixParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certs), BC)); | |
// Build and verify the certification chain | |
CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", BC); | |
PKIXCertPathBuilderResult verifiedCertChain = (PKIXCertPathBuilderResult) builder.build(pkixParams); | |
// The chain is built and verified | |
return verifiedCertChain; | |
} catch (CertPathBuilderException e) { | |
throw new RuntimeException("Error building certification path: " + testCert.getSubjectX500Principal(), e); | |
} catch (Exception e) { | |
throw new RuntimeException("Error verifying the certificate: " + testCert.getSubjectX500Principal(), e); | |
} | |
} | |
/** | |
* Checks whether given X.509 certificate is self-signed. | |
* | |
* @param cert | |
* @return true if the certificate is self-signed | |
*/ | |
public static boolean isSelfSigned(X509Certificate cert) { | |
try { | |
cert.verify(cert.getPublicKey()); | |
return true; | |
} catch (SignatureException e) { | |
return false; | |
} catch (InvalidKeyException e) { | |
return false; | |
} catch (Exception e) { | |
throw new RuntimeException(e); | |
} | |
} | |
public static String processTemplate(File template, X509Metadata metadata) { | |
String content = null; | |
if (template.exists()) { | |
String message = FileUtils.readContent(template, "\n"); | |
if (!StringUtils.isEmpty(message)) { | |
content = message; | |
if (!StringUtils.isEmpty(metadata.serverHostname)) { | |
content = content.replace("$serverHostname", metadata.serverHostname); | |
} | |
if (!StringUtils.isEmpty(metadata.commonName)) { | |
content = content.replace("$username", metadata.commonName); | |
} | |
if (!StringUtils.isEmpty(metadata.userDisplayname)) { | |
content = content.replace("$userDisplayname", metadata.userDisplayname); | |
} | |
if (!StringUtils.isEmpty(metadata.passwordHint)) { | |
content = content.replace("$storePasswordHint", metadata.passwordHint); | |
} | |
} | |
} | |
return content; | |
} | |
/** | |
* Revoke a certificate. | |
* | |
* @param cert | |
* @param reason | |
* @param caRevocationList | |
* @param caKeystoreFile | |
* @param caKeystorePassword | |
* @param x509log | |
* @return true if the certificate has been revoked | |
*/ | |
public static boolean revoke(X509Certificate cert, RevocationReason reason, | |
File caRevocationList, File caKeystoreFile, String caKeystorePassword, | |
X509Log x509log) { | |
try { | |
// read the Gitblit CA key and certificate | |
KeyStore store = openKeyStore(caKeystoreFile, caKeystorePassword); | |
PrivateKey caPrivateKey = (PrivateKey) store.getKey(CA_ALIAS, caKeystorePassword.toCharArray()); | |
return revoke(cert, reason, caRevocationList, caPrivateKey, x509log); | |
} catch (Exception e) { | |
logger.error(MessageFormat.format("Failed to revoke certificate {0,number,0} [{1}] in {2}", | |
cert.getSerialNumber(), cert.getSubjectDN().getName(), caRevocationList)); | |
} | |
return false; | |
} | |
/** | |
* Revoke a certificate. | |
* | |
* @param cert | |
* @param reason | |
* @param caRevocationList | |
* @param caPrivateKey | |
* @param x509log | |
* @return true if the certificate has been revoked | |
*/ | |
public static boolean revoke(X509Certificate cert, RevocationReason reason, | |
File caRevocationList, PrivateKey caPrivateKey, X509Log x509log) { | |
try { | |
X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(cert).getName()); | |
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerDN, new Date()); | |
if (caRevocationList.exists()) { | |
byte [] data = FileUtils.readContent(caRevocationList); | |
X509CRLHolder crl = new X509CRLHolder(data); | |
crlBuilder.addCRL(crl); | |
} | |
crlBuilder.addCRLEntry(cert.getSerialNumber(), new Date(), reason.ordinal()); | |
// build and sign CRL with CA private key | |
ContentSigner signer = new JcaContentSignerBuilder("SHA1WithRSA").setProvider(BC).build(caPrivateKey); | |
X509CRLHolder crl = crlBuilder.build(signer); | |
File tmpFile = new File(caRevocationList.getParentFile(), Long.toHexString(System.currentTimeMillis()) + ".tmp"); | |
FileOutputStream fos = null; | |
try { | |
fos = new FileOutputStream(tmpFile); | |
fos.write(crl.getEncoded()); | |
fos.flush(); | |
fos.close(); | |
if (caRevocationList.exists()) { | |
caRevocationList.delete(); | |
} | |
tmpFile.renameTo(caRevocationList); | |
} finally { | |
if (fos != null) { | |
fos.close(); | |
} | |
if (tmpFile.exists()) { | |
tmpFile.delete(); | |
} | |
} | |
x509log.log(MessageFormat.format("Revoked certificate {0,number,0} reason: {1} [{2}]", | |
cert.getSerialNumber(), reason.toString(), cert.getSubjectDN().getName())); | |
return true; | |
} catch (IOException | OperatorCreationException | CertificateEncodingException e) { | |
logger.error(MessageFormat.format("Failed to revoke certificate {0,number,0} [{1}] in {2}", | |
cert.getSerialNumber(), cert.getSubjectDN().getName(), caRevocationList)); | |
} | |
return false; | |
} | |
/** | |
* Returns true if the certificate has been revoked. | |
* | |
* @param cert | |
* @param caRevocationList | |
* @return true if the certificate is revoked | |
*/ | |
public static boolean isRevoked(X509Certificate cert, File caRevocationList) { | |
if (!caRevocationList.exists()) { | |
return false; | |
} | |
InputStream inStream = null; | |
try { | |
inStream = new FileInputStream(caRevocationList); | |
CertificateFactory cf = CertificateFactory.getInstance("X.509"); | |
X509CRL crl = (X509CRL)cf.generateCRL(inStream); | |
return crl.isRevoked(cert); | |
} catch (Exception e) { | |
logger.error(MessageFormat.format("Failed to check revocation status for certificate {0,number,0} [{1}] in {2}", | |
cert.getSerialNumber(), cert.getSubjectDN().getName(), caRevocationList)); | |
} finally { | |
if (inStream != null) { | |
try { | |
inStream.close(); | |
} catch (Exception e) { | |
} | |
} | |
} | |
return false; | |
} | |
public static X509Metadata getMetadata(X509Certificate cert) { | |
Map<String, String> oids = new HashMap<String, String>(); | |
try { | |
String dn = cert.getSubjectDN().getName(); | |
LdapName ldapName = new LdapName(dn); | |
for (int i = 0; i < ldapName.size(); i++) { | |
String [] val = ldapName.get(i).trim().split("=", 2); | |
String oid = val[0].toUpperCase().trim(); | |
String data = val[1].trim(); | |
oids.put(oid, data); | |
} | |
} catch (Exception e) { | |
throw new RuntimeException(e); | |
} | |
X509Metadata metadata = new X509Metadata(oids.get("CN"), "whocares"); | |
metadata.oids.putAll(oids); | |
metadata.serialNumber = cert.getSerialNumber().toString(); | |
metadata.notAfter = cert.getNotAfter(); | |
metadata.notBefore = cert.getNotBefore(); | |
metadata.emailAddress = metadata.getOID("E", null); | |
if (metadata.emailAddress == null) { | |
metadata.emailAddress = metadata.getOID("EMAILADDRESS", null); | |
} | |
return metadata; | |
} | |
} |