1 package org.cacert.gigi.util;
4 import java.io.FileInputStream;
5 import java.io.FileNotFoundException;
6 import java.io.FileOutputStream;
7 import java.io.IOException;
8 import java.io.InputStream;
9 import java.io.InputStreamReader;
10 import java.io.PrintWriter;
11 import java.io.Reader;
12 import java.math.BigInteger;
13 import java.nio.file.Paths;
14 import java.security.GeneralSecurityException;
15 import java.security.KeyFactory;
16 import java.security.NoSuchAlgorithmException;
17 import java.security.PrivateKey;
18 import java.security.PublicKey;
19 import java.security.Signature;
20 import java.security.cert.CertificateFactory;
21 import java.security.cert.X509Certificate;
22 import java.security.spec.InvalidKeySpecException;
23 import java.security.spec.PKCS8EncodedKeySpec;
24 import java.sql.SQLException;
25 import java.sql.Timestamp;
26 import java.text.ParseException;
27 import java.text.SimpleDateFormat;
28 import java.util.Base64;
29 import java.util.Calendar;
30 import java.util.Date;
31 import java.util.HashMap;
32 import java.util.LinkedList;
33 import java.util.List;
35 import java.util.Map.Entry;
36 import java.util.Properties;
37 import java.util.TimeZone;
39 import javax.security.auth.x500.X500Principal;
41 import org.cacert.gigi.crypto.SPKAC;
42 import org.cacert.gigi.database.DatabaseConnection;
43 import org.cacert.gigi.database.DatabaseConnection.Link;
44 import org.cacert.gigi.database.GigiPreparedStatement;
45 import org.cacert.gigi.database.GigiResultSet;
46 import org.cacert.gigi.dbObjects.Certificate.CSRType;
47 import org.cacert.gigi.dbObjects.Certificate.SANType;
48 import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
49 import org.cacert.gigi.dbObjects.CertificateProfile;
50 import org.cacert.gigi.dbObjects.Digest;
51 import org.cacert.gigi.output.DateSelector;
53 import sun.security.pkcs10.PKCS10;
54 import sun.security.util.DerOutputStream;
55 import sun.security.util.DerValue;
56 import sun.security.util.ObjectIdentifier;
57 import sun.security.x509.AVA;
58 import sun.security.x509.AlgorithmId;
59 import sun.security.x509.GeneralNameInterface;
60 import sun.security.x509.RDN;
61 import sun.security.x509.X500Name;
63 public class SimpleSigner {
65 private static GigiPreparedStatement warnMail;
67 private static GigiPreparedStatement updateMail;
69 private static GigiPreparedStatement readyCerts;
71 private static GigiPreparedStatement getSANSs;
73 private static GigiPreparedStatement revoke;
75 private static GigiPreparedStatement revokeCompleted;
77 private static GigiPreparedStatement finishJob;
79 private static GigiPreparedStatement locateCA;
81 private static volatile boolean running = true;
83 private static Thread runner;
85 private static SimpleDateFormat sdf = new SimpleDateFormat("yyMMddHHmmss'Z'");
88 TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
89 sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
92 public static void main(String[] args) throws IOException, SQLException, InterruptedException {
93 Properties p = new Properties();
94 try (Reader reader = new InputStreamReader(new FileInputStream("config/gigi.properties"), "UTF-8")) {
97 DatabaseConnection.init(p);
102 public static void stopSigner() throws InterruptedException {
103 Thread capturedRunner;
104 synchronized (SimpleSigner.class) {
105 if (runner == null) {
106 throw new IllegalStateException("already stopped");
108 capturedRunner = runner;
110 SimpleSigner.class.notifyAll();
112 capturedRunner.join();
115 public synchronized static void runSigner() throws SQLException, IOException, InterruptedException {
116 if (runner != null) {
117 throw new IllegalStateException("already running");
121 runner = new Thread() {
125 try (Link l = DatabaseConnection.newLink(false)) {
126 readyCerts = new GigiPreparedStatement("SELECT certs.id AS id, certs.csr_name, jobs.id AS jobid, csr_type, md, `executeFrom`, `executeTo`, profile FROM jobs " + //
127 "INNER JOIN certs ON certs.id=jobs.`targetId` " + //
128 "INNER JOIN profiles ON profiles.id=certs.profile " + //
129 "WHERE jobs.state='open' "//
130 + "AND task='sign'");
132 getSANSs = new GigiPreparedStatement("SELECT contents, type FROM `subjectAlternativeNames` " + //
135 updateMail = new GigiPreparedStatement("UPDATE certs SET crt_name=?," + " created=NOW(), serial=?, caid=? WHERE id=?");
136 warnMail = new GigiPreparedStatement("UPDATE jobs SET warning=warning+1, state=IF(warning<3, 'open','error') WHERE id=?");
138 revoke = new GigiPreparedStatement("SELECT certs.id, certs.csr_name,jobs.id FROM jobs INNER JOIN certs ON jobs.`targetId`=certs.id" + " WHERE jobs.state='open' AND task='revoke'");
139 revokeCompleted = new GigiPreparedStatement("UPDATE certs SET revoked=NOW() WHERE id=?");
141 finishJob = new GigiPreparedStatement("UPDATE jobs SET state='done' WHERE id=?");
143 locateCA = new GigiPreparedStatement("SELECT id FROM cacerts WHERE keyname=?");
146 } catch (InterruptedException e) {
155 public static void ping() {
156 synchronized (SimpleSigner.class) {
157 SimpleSigner.class.notifyAll();
159 SimpleSigner.class.wait(2000);
160 } catch (InterruptedException e) {
166 private synchronized static void work() {
169 } catch (IOException e2) {
170 e2.printStackTrace();
171 } catch (InterruptedException e2) {
172 e2.printStackTrace();
178 revokeCertificates();
180 SimpleSigner.class.notifyAll();
181 SimpleSigner.class.wait(5000);
182 } catch (IOException e) {
184 } catch (SQLException e) {
186 } catch (InterruptedException e1) {
192 private static void revokeCertificates() throws SQLException, IOException, InterruptedException {
193 GigiResultSet rs = revoke.executeQuery();
194 boolean worked = false;
196 int id = rs.getInt(1);
198 System.out.println("Revoke faked: " + id);
199 revokeCompleted.setInt(1, id);
200 revokeCompleted.execute();
201 finishJob.setInt(1, rs.getInt(3));
209 private static void gencrl() throws IOException, InterruptedException {
213 String[] call = new String[] {
217 "../unassured.crt",//
219 "../unassured.key",//
224 "../unassured.crl",//
229 Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));
230 if (p1.waitFor() != 0) {
231 System.out.println("Error while generating crl.");
235 private static int counter = 0;
237 private static void signCertificates() throws SQLException {
238 GigiResultSet rs = readyCerts.executeQuery();
240 Calendar c = Calendar.getInstance();
241 c.setTimeZone(TimeZone.getTimeZone("UTC"));
243 String csrname = rs.getString("csr_name");
244 int id = rs.getInt("id");
245 System.out.println("sign: " + csrname);
247 String csrType = rs.getString("csr_type");
248 CSRType ct = CSRType.valueOf(csrType);
249 File crt = KeyStorage.locateCrt(id);
251 Timestamp from = rs.getTimestamp("executeFrom");
252 String length = rs.getString("executeTo");
256 fromDate = new Date(System.currentTimeMillis());
258 fromDate = new Date(from.getTime());
260 if (length.endsWith("m") || length.endsWith("y")) {
261 String num = length.substring(0, length.length() - 1);
262 int inter = Integer.parseInt(num);
264 if (length.endsWith("m")) {
265 c.add(Calendar.MONTH, inter);
267 c.add(Calendar.YEAR, inter);
269 toDate = c.getTime();
271 toDate = DateSelector.getDateFormat().parse(length);
274 getSANSs.setInt(1, id);
275 GigiResultSet san = getSANSs.executeQuery();
277 LinkedList<SubjectAlternateName> altnames = new LinkedList<>();
279 altnames.add(new SubjectAlternateName(SANType.valueOf(san.getString("type").toUpperCase()), san.getString("contents")));
281 // TODO look them up!
282 // cfg.println("keyUsage=critical," +
283 // "digitalSignature, keyEncipherment, keyAgreement");
284 // cfg.println("extendedKeyUsage=critical," + "clientAuth");
287 int profile = rs.getInt("profile");
288 CertificateProfile cp = CertificateProfile.getById(profile);
289 String s = cp.getId() + "";
290 while (s.length() < 4) {
293 s += "-" + cp.getKeyName() + ".cfg";
294 Properties caP = new Properties();
295 try (FileInputStream inStream = new FileInputStream("signer/profiles/" + s)) {
299 HashMap<String, String> subj = new HashMap<>();
300 try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT name, value FROM `certAvas` WHERE `certId`=?")) {
301 ps.setInt(1, rs.getInt("id"));
302 GigiResultSet rs2 = ps.executeQuery();
304 String name = rs2.getString("name");
305 if (name.equals("EMAIL")) {
306 name = "emailAddress";
308 subj.put(name, rs2.getString("value"));
311 if (subj.size() == 0) {
312 subj.put("CN", "<empty>");
313 System.out.println("WARNING: DN was empty");
315 System.out.println(subj);
318 byte[] data = IOUtils.readURL(new FileInputStream(csrname));
319 if (ct == CSRType.SPKAC) {
320 String dt = new String(data, "UTF-8");
321 if (dt.startsWith("SPKAC=")) {
322 dt = dt.substring(6);
323 data = dt.getBytes("UTF-8");
324 System.out.println(dt);
326 SPKAC sp = new SPKAC(Base64.getDecoder().decode(data));
329 PKCS10 p10 = new PKCS10(PEM.decode("(NEW )?CERTIFICATE REQUEST", new String(data, "UTF-8")));
330 pk = p10.getSubjectPublicKeyInfo();
332 String ca = caP.getProperty("ca") + "_2015_1";
333 File parent = new File("signer/ca");
334 for (File f : parent.listFiles()) {
335 if (f.getName().startsWith(caP.getProperty("ca"))) {
340 File caKey = new File(parent, ca + "/ca.key");
341 PrivateKey i = loadOpensslKey(caKey);
343 X509Certificate root = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new FileInputStream("signer/ca/" + ca + "/ca.crt"));
344 byte[] cert = generateCert(pk, i, subj, root.getSubjectX500Principal(), altnames, fromDate, toDate, Digest.valueOf(rs.getString("md").toUpperCase()), caP.getProperty("eku"));
345 PrintWriter out = new PrintWriter(crt);
346 out.println("-----BEGIN CERTIFICATE-----");
347 out.println(Base64.getMimeEncoder().encodeToString(cert));
348 out.println("-----END CERTIFICATE-----");
351 try (InputStream is = new FileInputStream(crt)) {
352 locateCA.setString(1, ca);
353 GigiResultSet caRs = locateCA.executeQuery();
355 throw new Error("ca " + ca + " was not found");
358 CertificateFactory cf = CertificateFactory.getInstance("X.509");
359 X509Certificate crtp = (X509Certificate) cf.generateCertificate(is);
360 BigInteger serial = crtp.getSerialNumber();
361 updateMail.setString(1, crt.getPath());
362 updateMail.setString(2, serial.toString(16));
363 updateMail.setInt(3, caRs.getInt("id"));
364 updateMail.setInt(4, id);
365 updateMail.execute();
367 finishJob.setInt(1, rs.getInt("jobid"));
369 System.out.println("signed: " + id);
373 } catch (GeneralSecurityException e) {
375 } catch (IOException e) {
377 } catch (ParseException e) {
380 System.out.println("Error with: " + id);
381 warnMail.setInt(1, rs.getInt("jobid"));
388 private static PrivateKey loadOpensslKey(File f) throws FileNotFoundException, IOException, InvalidKeySpecException, NoSuchAlgorithmException {
389 byte[] p8b = PEM.decode("RSA PRIVATE KEY", new String(IOUtils.readURL(new FileInputStream(f))));
390 DerOutputStream dos = new DerOutputStream();
392 new AlgorithmId(new ObjectIdentifier(new int[] {
393 1, 2, 840, 113549, 1, 1, 1
395 dos.putOctetString(p8b);
396 byte[] ctx = dos.toByteArray();
398 dos.write(DerValue.tag_Sequence, ctx);
399 PKCS8EncodedKeySpec p8 = new PKCS8EncodedKeySpec(dos.toByteArray());
400 PrivateKey i = KeyFactory.getInstance("RSA").generatePrivate(p8);
404 public static synchronized byte[] generateCert(PublicKey pk, PrivateKey prk, Map<String, String> subj, X500Principal issuer, List<SubjectAlternateName> altnames, Date fromDate, Date toDate, Digest digest, String eku) throws IOException, GeneralSecurityException {
405 File f = Paths.get("signer", "serial").toFile();
407 try (FileOutputStream fos = new FileOutputStream(f)) {
408 fos.write("1".getBytes("UTF-8"));
411 try (FileInputStream fr = new FileInputStream(f)) {
412 byte[] serial = IOUtils.readURL(fr);
413 BigInteger ser = new BigInteger(new String(serial).trim());
414 ser = ser.add(BigInteger.ONE);
416 PrintWriter pw = new PrintWriter(f);
419 if (digest != Digest.SHA256 && digest != Digest.SHA512) {
420 System.err.println("assuming sha256 either way ;-): " + digest);
421 digest = Digest.SHA256;
423 ObjectIdentifier sha512withrsa = new ObjectIdentifier(new int[] {
424 1, 2, 840, 113549, 1, 1, digest == Digest.SHA256 ? 11 : 13
426 AlgorithmId aid = new AlgorithmId(sha512withrsa);
427 Signature s = Signature.getInstance(digest == Digest.SHA256 ? "SHA256withRSA" : "SHA512withRSA");
429 DerOutputStream cert = new DerOutputStream();
430 DerOutputStream content = new DerOutputStream();
432 DerOutputStream version = new DerOutputStream();
433 version.putInteger(2); // v3
434 content.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0), version);
436 content.putInteger(ser); // Serial
440 content.write(issuer.getEncoded());
443 DerOutputStream notAround = new DerOutputStream();
444 notAround.putUTCTime(fromDate);
445 notAround.putUTCTime(toDate);
446 content.write(DerValue.tag_Sequence, notAround);
450 X500Name xn = genX500Name(subj);
451 content.write(xn.getEncoded());
454 content.write(pk.getEncoded());
457 DerOutputStream extensions = new DerOutputStream();
459 addExtension(extensions, new ObjectIdentifier(new int[] {
461 }), generateSAN(altnames));
462 addExtension(extensions, new ObjectIdentifier(new int[] {
465 addExtension(extensions, new ObjectIdentifier(new int[] {
467 }), generateEKU(eku));
469 DerOutputStream extensionsSeq = new DerOutputStream();
470 extensionsSeq.write(DerValue.tag_Sequence, extensions);
471 content.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 3), extensionsSeq);
474 DerOutputStream contentSeq = new DerOutputStream();
476 contentSeq.write(DerValue.tag_Sequence, content.toByteArray());
479 s.update(contentSeq.toByteArray());
481 aid.encode(contentSeq);
482 contentSeq.putBitString(s.sign());
483 cert.write(DerValue.tag_Sequence, contentSeq);
485 // X509Certificate c = (X509Certificate)
486 // CertificateFactory.getInstance("X509").generateCertificate(new
487 // ByteArrayInputStream(cert.toByteArray()));
488 // c.verify(pk); only for self-signeds
490 byte[] res = cert.toByteArray();
497 private static byte[] generateKU() throws IOException {
498 try (DerOutputStream dos = new DerOutputStream()) {
499 dos.putBitString(new byte[] {
502 return dos.toByteArray();
506 private static byte[] generateEKU(String eku) throws IOException {
508 DerOutputStream dos = new DerOutputStream();
509 for (String name : eku.split(",")) {
510 ObjectIdentifier oid;
513 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.1");
516 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.2");
519 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.3");
521 case "emailProtection":
522 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.4");
525 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.9");
529 throw new Error(name);
533 byte[] data = dos.toByteArray();
535 dos.write(DerValue.tag_Sequence, data);
536 return dos.toByteArray();
539 public static X500Name genX500Name(Map<String, String> subj) throws IOException {
540 LinkedList<RDN> rdns = new LinkedList<>();
541 for (Entry<String, String> i : subj.entrySet()) {
545 return new X500Name(rdns.toArray(new RDN[rdns.size()]));
548 private static RDN genRDN(Entry<String, String> i) throws IOException {
549 DerOutputStream dos = new DerOutputStream();
550 dos.putUTF8String(i.getValue());
552 String key = i.getKey();
562 1, 2, 840, 113549, 1, 9, 1
592 throw new Error("unknown RDN-type: " + key);
594 RDN rdn = new RDN(new AVA(new ObjectIdentifier(oid), new DerValue(dos.toByteArray())));
599 private static void addExtension(DerOutputStream extensions, ObjectIdentifier oid, byte[] extContent) throws IOException {
600 DerOutputStream SANs = new DerOutputStream();
602 SANs.putOctetString(extContent);
604 extensions.write(DerValue.tag_Sequence, SANs);
607 private static byte[] generateSAN(List<SubjectAlternateName> altnames) throws IOException {
608 DerOutputStream SANContent = new DerOutputStream();
609 for (SubjectAlternateName san : altnames) {
611 if (san.getType() == SANType.DNS) {
612 type = (byte) GeneralNameInterface.NAME_DNS;
613 } else if (san.getType() == SANType.EMAIL) {
614 type = (byte) GeneralNameInterface.NAME_RFC822;
617 throw new Error("" + san.getType());
619 SANContent.write(DerValue.createTag(DerValue.TAG_CONTEXT, false, type), san.getName().getBytes("UTF-8"));
621 DerOutputStream SANSeqContent = new DerOutputStream();
622 SANSeqContent.write(DerValue.tag_Sequence, SANContent);
623 byte[] byteArray = SANSeqContent.toByteArray();
625 SANSeqContent.close();