6b498988628d5b125063a232f857074e7a910738
[gigi.git] / util-testing / org / cacert / gigi / util / SimpleSigner.java
1 package org.cacert.gigi.util;
2
3 import java.io.File;
4 import java.io.FileInputStream;
5 import java.io.FileNotFoundException;
6 import java.io.FileOutputStream;
7 import java.io.IOException;
8 import java.io.InputStream;
9 import java.io.InputStreamReader;
10 import java.io.PrintWriter;
11 import java.io.Reader;
12 import java.math.BigInteger;
13 import java.nio.file.Paths;
14 import java.security.GeneralSecurityException;
15 import java.security.KeyFactory;
16 import java.security.NoSuchAlgorithmException;
17 import java.security.PrivateKey;
18 import java.security.PublicKey;
19 import java.security.Signature;
20 import java.security.cert.CertificateFactory;
21 import java.security.cert.X509Certificate;
22 import java.security.spec.InvalidKeySpecException;
23 import java.security.spec.PKCS8EncodedKeySpec;
24 import java.sql.SQLException;
25 import java.sql.Timestamp;
26 import java.text.ParseException;
27 import java.text.SimpleDateFormat;
28 import java.util.Base64;
29 import java.util.Calendar;
30 import java.util.Date;
31 import java.util.HashMap;
32 import java.util.LinkedList;
33 import java.util.List;
34 import java.util.Map;
35 import java.util.Map.Entry;
36 import java.util.Properties;
37 import java.util.TimeZone;
38
39 import javax.security.auth.x500.X500Principal;
40
41 import org.cacert.gigi.crypto.SPKAC;
42 import org.cacert.gigi.database.DatabaseConnection;
43 import org.cacert.gigi.database.DatabaseConnection.Link;
44 import org.cacert.gigi.database.GigiPreparedStatement;
45 import org.cacert.gigi.database.GigiResultSet;
46 import org.cacert.gigi.dbObjects.Certificate.CSRType;
47 import org.cacert.gigi.dbObjects.Certificate.SANType;
48 import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
49 import org.cacert.gigi.dbObjects.CertificateProfile;
50 import org.cacert.gigi.dbObjects.Digest;
51 import org.cacert.gigi.output.DateSelector;
52
53 import sun.security.pkcs10.PKCS10;
54 import sun.security.util.DerOutputStream;
55 import sun.security.util.DerValue;
56 import sun.security.util.ObjectIdentifier;
57 import sun.security.x509.AVA;
58 import sun.security.x509.AlgorithmId;
59 import sun.security.x509.GeneralNameInterface;
60 import sun.security.x509.RDN;
61 import sun.security.x509.X500Name;
62
63 public class SimpleSigner {
64
65     private static GigiPreparedStatement warnMail;
66
67     private static GigiPreparedStatement updateMail;
68
69     private static GigiPreparedStatement readyCerts;
70
71     private static GigiPreparedStatement getSANSs;
72
73     private static GigiPreparedStatement revoke;
74
75     private static GigiPreparedStatement revokeCompleted;
76
77     private static GigiPreparedStatement finishJob;
78
79     private static GigiPreparedStatement locateCA;
80
81     private static volatile boolean running = true;
82
83     private static Thread runner;
84
85     private static SimpleDateFormat sdf = new SimpleDateFormat("yyMMddHHmmss'Z'");
86
87     static {
88         TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
89         sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
90     }
91
92     public static void main(String[] args) throws IOException, SQLException, InterruptedException {
93         Properties p = new Properties();
94         try (Reader reader = new InputStreamReader(new FileInputStream("config/gigi.properties"), "UTF-8")) {
95             p.load(reader);
96         }
97         DatabaseConnection.init(p);
98
99         runSigner();
100     }
101
102     public static void stopSigner() throws InterruptedException {
103         Thread capturedRunner;
104         synchronized (SimpleSigner.class) {
105             if (runner == null) {
106                 throw new IllegalStateException("already stopped");
107             }
108             capturedRunner = runner;
109             running = false;
110             SimpleSigner.class.notifyAll();
111         }
112         capturedRunner.join();
113     }
114
115     public synchronized static void runSigner() throws SQLException, IOException, InterruptedException {
116         if (runner != null) {
117             throw new IllegalStateException("already running");
118         }
119         running = true;
120
121         runner = new Thread() {
122
123             @Override
124             public void run() {
125                 try (Link l = DatabaseConnection.newLink(false)) {
126                     readyCerts = new GigiPreparedStatement("SELECT certs.id AS id, certs.csr_name, jobs.id AS jobid, csr_type, md, `executeFrom`, `executeTo`, profile FROM jobs " + //
127                             "INNER JOIN certs ON certs.id=jobs.`targetId` " + //
128                             "INNER JOIN profiles ON profiles.id=certs.profile " + //
129                             "WHERE jobs.state='open' "//
130                             + "AND task='sign'");
131
132                     getSANSs = new GigiPreparedStatement("SELECT contents, type FROM `subjectAlternativeNames` " + //
133                             "WHERE `certId`=?");
134
135                     updateMail = new GigiPreparedStatement("UPDATE certs SET crt_name=?," + " created=NOW(), serial=?, caid=? WHERE id=?");
136                     warnMail = new GigiPreparedStatement("UPDATE jobs SET warning=warning+1, state=IF(warning<3, 'open','error') WHERE id=?");
137
138                     revoke = new GigiPreparedStatement("SELECT certs.id, certs.csr_name,jobs.id FROM jobs INNER JOIN certs ON jobs.`targetId`=certs.id" + " WHERE jobs.state='open' AND task='revoke'");
139                     revokeCompleted = new GigiPreparedStatement("UPDATE certs SET revoked=NOW() WHERE id=?");
140
141                     finishJob = new GigiPreparedStatement("UPDATE jobs SET state='done' WHERE id=?");
142
143                     locateCA = new GigiPreparedStatement("SELECT id FROM cacerts WHERE keyname=?");
144
145                     work();
146                 } catch (InterruptedException e) {
147                     throw new Error(e);
148                 }
149             }
150
151         };
152         runner.start();
153     }
154
155     public static void ping() {
156         synchronized (SimpleSigner.class) {
157             SimpleSigner.class.notifyAll();
158             try {
159                 SimpleSigner.class.wait(2000);
160             } catch (InterruptedException e) {
161                 e.printStackTrace();
162             }
163         }
164     }
165
166     private synchronized static void work() {
167         try {
168             gencrl();
169         } catch (IOException e2) {
170             e2.printStackTrace();
171         } catch (InterruptedException e2) {
172             e2.printStackTrace();
173         }
174
175         while (running) {
176             try {
177                 signCertificates();
178                 revokeCertificates();
179
180                 SimpleSigner.class.notifyAll();
181                 SimpleSigner.class.wait(5000);
182             } catch (IOException e) {
183                 e.printStackTrace();
184             } catch (SQLException e) {
185                 e.printStackTrace();
186             } catch (InterruptedException e1) {
187             }
188         }
189         runner = null;
190     }
191
192     private static void revokeCertificates() throws SQLException, IOException, InterruptedException {
193         GigiResultSet rs = revoke.executeQuery();
194         boolean worked = false;
195         while (rs.next()) {
196             int id = rs.getInt(1);
197             worked = true;
198             System.out.println("Revoke faked: " + id);
199             revokeCompleted.setInt(1, id);
200             revokeCompleted.execute();
201             finishJob.setInt(1, rs.getInt(3));
202             finishJob.execute();
203         }
204         if (worked) {
205             gencrl();
206         }
207     }
208
209     private static void gencrl() throws IOException, InterruptedException {
210         if (true) {
211             return;
212         }
213         String[] call = new String[] {
214                 "openssl",
215                 "ca",//
216                 "-cert",
217                 "../unassured.crt",//
218                 "-keyfile",
219                 "../unassured.key",//
220                 "-gencrl",//
221                 "-crlhours",//
222                 "12",//
223                 "-out",
224                 "../unassured.crl",//
225                 "-config",
226                 "../selfsign.config"
227
228         };
229         Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));
230         if (p1.waitFor() != 0) {
231             System.out.println("Error while generating crl.");
232         }
233     }
234
235     private static void signCertificates() throws SQLException {
236         GigiResultSet rs = readyCerts.executeQuery();
237
238         Calendar c = Calendar.getInstance();
239         c.setTimeZone(TimeZone.getTimeZone("UTC"));
240         while (rs.next()) {
241             String csrname = rs.getString("csr_name");
242             int id = rs.getInt("id");
243             System.out.println("sign: " + csrname);
244             try {
245                 String csrType = rs.getString("csr_type");
246                 CSRType ct = CSRType.valueOf(csrType);
247                 File crt = KeyStorage.locateCrt(id);
248
249                 Timestamp from = rs.getTimestamp("executeFrom");
250                 String length = rs.getString("executeTo");
251                 Date fromDate;
252                 Date toDate;
253                 if (from == null) {
254                     fromDate = new Date(System.currentTimeMillis());
255                 } else {
256                     fromDate = new Date(from.getTime());
257                 }
258                 if (length.endsWith("m") || length.endsWith("y")) {
259                     String num = length.substring(0, length.length() - 1);
260                     int inter = Integer.parseInt(num);
261                     c.setTime(fromDate);
262                     if (length.endsWith("m")) {
263                         c.add(Calendar.MONTH, inter);
264                     } else {
265                         c.add(Calendar.YEAR, inter);
266                     }
267                     toDate = c.getTime();
268                 } else {
269                     toDate = DateSelector.getDateFormat().parse(length);
270                 }
271
272                 getSANSs.setInt(1, id);
273                 GigiResultSet san = getSANSs.executeQuery();
274
275                 LinkedList<SubjectAlternateName> altnames = new LinkedList<>();
276                 while (san.next()) {
277                     altnames.add(new SubjectAlternateName(SANType.valueOf(san.getString("type").toUpperCase()), san.getString("contents")));
278                 }
279                 // TODO look them up!
280                 // cfg.println("keyUsage=critical," +
281                 // "digitalSignature, keyEncipherment, keyAgreement");
282                 // cfg.println("extendedKeyUsage=critical," + "clientAuth");
283                 // cfg.close();
284
285                 int profile = rs.getInt("profile");
286                 CertificateProfile cp = CertificateProfile.getById(profile);
287                 String s = cp.getId() + "";
288                 while (s.length() < 4) {
289                     s = "0" + s;
290                 }
291                 s += "-" + cp.getKeyName() + ".cfg";
292                 Properties caP = new Properties();
293                 try (FileInputStream inStream = new FileInputStream("signer/profiles/" + s)) {
294                     caP.load(inStream);
295                 }
296
297                 HashMap<String, String> subj = new HashMap<>();
298                 try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT name, value FROM `certAvas` WHERE `certId`=?")) {
299                     ps.setInt(1, rs.getInt("id"));
300                     GigiResultSet rs2 = ps.executeQuery();
301                     while (rs2.next()) {
302                         String name = rs2.getString("name");
303                         if (name.equals("EMAIL")) {
304                             name = "emailAddress";
305                         }
306                         subj.put(name, rs2.getString("value"));
307                     }
308                 }
309                 if (subj.size() == 0) {
310                     subj.put("CN", "<empty>");
311                     System.out.println("WARNING: DN was empty");
312                 }
313                 System.out.println(subj);
314
315                 PublicKey pk;
316                 byte[] data = IOUtils.readURL(new FileInputStream(csrname));
317                 if (ct == CSRType.SPKAC) {
318                     String dt = new String(data, "UTF-8");
319                     if (dt.startsWith("SPKAC=")) {
320                         dt = dt.substring(6);
321                         data = dt.getBytes("UTF-8");
322                         System.out.println(dt);
323                     }
324                     SPKAC sp = new SPKAC(Base64.getDecoder().decode(data));
325                     pk = sp.getPubkey();
326                 } else {
327                     PKCS10 p10 = new PKCS10(PEM.decode("(NEW )?CERTIFICATE REQUEST", new String(data, "UTF-8")));
328                     pk = p10.getSubjectPublicKeyInfo();
329                 }
330                 String ca = caP.getProperty("ca") + "_2015_1";
331                 File parent = new File("signer/ca");
332                 File[] caFiles = parent.listFiles();
333                 if (null == caFiles) {
334                     caFiles = new File[0];
335                 }
336                 for (File f : caFiles) {
337                     if (f.getName().startsWith(caP.getProperty("ca"))) {
338                         ca = f.getName();
339                         break;
340                     }
341                 }
342                 File caKey = new File(parent, ca + "/ca.key");
343                 PrivateKey i = loadOpensslKey(caKey);
344
345                 X509Certificate root = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new FileInputStream("signer/ca/" + ca + "/ca.crt"));
346                 byte[] cert = generateCert(pk, i, subj, root.getSubjectX500Principal(), altnames, fromDate, toDate, Digest.valueOf(rs.getString("md").toUpperCase()), caP.getProperty("eku"));
347                 PrintWriter out = new PrintWriter(crt);
348                 out.println("-----BEGIN CERTIFICATE-----");
349                 out.println(Base64.getMimeEncoder().encodeToString(cert));
350                 out.println("-----END CERTIFICATE-----");
351                 out.close();
352
353                 try (InputStream is = new FileInputStream(crt)) {
354                     locateCA.setString(1, ca);
355                     GigiResultSet caRs = locateCA.executeQuery();
356                     if ( !caRs.next()) {
357                         throw new Error("ca " + ca + " was not found");
358                     }
359
360                     CertificateFactory cf = CertificateFactory.getInstance("X.509");
361                     X509Certificate crtp = (X509Certificate) cf.generateCertificate(is);
362                     BigInteger serial = crtp.getSerialNumber();
363                     updateMail.setString(1, crt.getPath());
364                     updateMail.setString(2, serial.toString(16));
365                     updateMail.setInt(3, caRs.getInt("id"));
366                     updateMail.setInt(4, id);
367                     updateMail.execute();
368
369                     finishJob.setInt(1, rs.getInt("jobid"));
370                     finishJob.execute();
371                     System.out.println("signed: " + id);
372                     continue;
373                 }
374
375             } catch (GeneralSecurityException e) {
376                 e.printStackTrace();
377             } catch (IOException e) {
378                 e.printStackTrace();
379             } catch (ParseException e) {
380                 e.printStackTrace();
381             }
382             System.out.println("Error with: " + id);
383             warnMail.setInt(1, rs.getInt("jobid"));
384             warnMail.execute();
385
386         }
387         rs.close();
388     }
389
390     private static PrivateKey loadOpensslKey(File f) throws FileNotFoundException, IOException, InvalidKeySpecException, NoSuchAlgorithmException {
391         byte[] p8b = PEM.decode("RSA PRIVATE KEY", new String(IOUtils.readURL(new FileInputStream(f))));
392         DerOutputStream dos = new DerOutputStream();
393         dos.putInteger(0);
394         new AlgorithmId(new ObjectIdentifier(new int[] {
395                 1, 2, 840, 113549, 1, 1, 1
396         })).encode(dos);
397         dos.putOctetString(p8b);
398         byte[] ctx = dos.toByteArray();
399         dos.reset();
400         dos.write(DerValue.tag_Sequence, ctx);
401         PKCS8EncodedKeySpec p8 = new PKCS8EncodedKeySpec(dos.toByteArray());
402         PrivateKey i = KeyFactory.getInstance("RSA").generatePrivate(p8);
403         return i;
404     }
405
406     public static synchronized byte[] generateCert(PublicKey pk, PrivateKey prk, Map<String, String> subj, X500Principal issuer, List<SubjectAlternateName> altnames, Date fromDate, Date toDate, Digest digest, String eku) throws IOException, GeneralSecurityException {
407         File f = Paths.get("signer", "serial").toFile();
408         if ( !f.exists()) {
409             try (FileOutputStream fos = new FileOutputStream(f)) {
410                 fos.write("1".getBytes("UTF-8"));
411             }
412         }
413         try (FileInputStream fr = new FileInputStream(f)) {
414             byte[] serial = IOUtils.readURL(fr);
415             BigInteger ser = new BigInteger(new String(serial).trim());
416             ser = ser.add(BigInteger.ONE);
417
418             PrintWriter pw = new PrintWriter(f);
419             pw.println(ser);
420             pw.close();
421             if (digest != Digest.SHA256 && digest != Digest.SHA512) {
422                 System.err.println("assuming sha256 either way ;-): " + digest);
423                 digest = Digest.SHA256;
424             }
425             ObjectIdentifier sha512withrsa = new ObjectIdentifier(new int[] {
426                     1, 2, 840, 113549, 1, 1, digest == Digest.SHA256 ? 11 : 13
427             });
428             AlgorithmId aid = new AlgorithmId(sha512withrsa);
429             Signature s = Signature.getInstance(digest == Digest.SHA256 ? "SHA256withRSA" : "SHA512withRSA");
430
431             DerOutputStream cert = new DerOutputStream();
432             DerOutputStream content = new DerOutputStream();
433             {
434                 DerOutputStream version = new DerOutputStream();
435                 version.putInteger(2); // v3
436                 content.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0), version);
437             }
438             content.putInteger(ser); // Serial
439             aid.encode(content);
440
441             {
442                 content.write(issuer.getEncoded());
443             }
444             {
445                 DerOutputStream notAround = new DerOutputStream();
446                 notAround.putUTCTime(fromDate);
447                 notAround.putUTCTime(toDate);
448                 content.write(DerValue.tag_Sequence, notAround);
449             }
450             {
451
452                 X500Name xn = genX500Name(subj);
453                 content.write(xn.getEncoded());
454             }
455             {
456                 content.write(pk.getEncoded());
457             }
458             {
459                 DerOutputStream extensions = new DerOutputStream();
460                 {
461                     addExtension(extensions, new ObjectIdentifier(new int[] {
462                             2, 5, 29, 17
463                     }), generateSAN(altnames));
464                     addExtension(extensions, new ObjectIdentifier(new int[] {
465                             2, 5, 29, 15
466                     }), generateKU());
467                     addExtension(extensions, new ObjectIdentifier(new int[] {
468                             2, 5, 29, 37
469                     }), generateEKU(eku));
470                 }
471                 DerOutputStream extensionsSeq = new DerOutputStream();
472                 extensionsSeq.write(DerValue.tag_Sequence, extensions);
473                 content.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 3), extensionsSeq);
474             }
475
476             DerOutputStream contentSeq = new DerOutputStream();
477
478             contentSeq.write(DerValue.tag_Sequence, content.toByteArray());
479
480             s.initSign(prk);
481             s.update(contentSeq.toByteArray());
482
483             aid.encode(contentSeq);
484             contentSeq.putBitString(s.sign());
485             cert.write(DerValue.tag_Sequence, contentSeq);
486
487             // X509Certificate c = (X509Certificate)
488             // CertificateFactory.getInstance("X509").generateCertificate(new
489             // ByteArrayInputStream(cert.toByteArray()));
490             // c.verify(pk); only for self-signeds
491
492             byte[] res = cert.toByteArray();
493             cert.close();
494             return res;
495         }
496
497     }
498
499     private static byte[] generateKU() throws IOException {
500         try (DerOutputStream dos = new DerOutputStream()) {
501             dos.putBitString(new byte[] {
502                     (byte) 0b10101000
503             });
504             return dos.toByteArray();
505         }
506     }
507
508     private static byte[] generateEKU(String eku) throws IOException {
509
510         try (DerOutputStream dos = new DerOutputStream()) {
511             for (String name : eku.split(",")) {
512                 ObjectIdentifier oid;
513                 switch (name) {
514                 case "serverAuth":
515                     oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.1");
516                     break;
517                 case "clientAuth":
518                     oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.2");
519                     break;
520                 case "codeSigning":
521                     oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.3");
522                     break;
523                 case "emailProtection":
524                     oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.4");
525                     break;
526                 case "OCSPSigning":
527                     oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.9");
528                     break;
529
530                 default:
531                     throw new Error(name);
532                 }
533                 dos.putOID(oid);
534             }
535             byte[] data = dos.toByteArray();
536             dos.reset();
537             dos.write(DerValue.tag_Sequence, data);
538             return dos.toByteArray();
539         }
540     }
541
542     public static X500Name genX500Name(Map<String, String> subj) throws IOException {
543         LinkedList<RDN> rdns = new LinkedList<>();
544         for (Entry<String, String> i : subj.entrySet()) {
545             RDN rdn = genRDN(i);
546             rdns.add(rdn);
547         }
548         return new X500Name(rdns.toArray(new RDN[rdns.size()]));
549     }
550
551     private static RDN genRDN(Entry<String, String> i) throws IOException {
552         DerOutputStream dos = new DerOutputStream();
553         dos.putUTF8String(i.getValue());
554         int[] oid;
555         String key = i.getKey();
556         switch (key) {
557         case "CN":
558             oid = new int[] {
559                     2, 5, 4, 3
560             };
561             break;
562         case "EMAIL":
563         case "emailAddress":
564             oid = new int[] {
565                     1, 2, 840, 113549, 1, 9, 1
566             };
567             break;
568         case "O":
569             oid = new int[] {
570                     2, 5, 4, 10
571             };
572             break;
573         case "OU":
574             oid = new int[] {
575                     2, 5, 4, 11
576             };
577             break;
578         case "ST":
579             oid = new int[] {
580                     2, 5, 4, 8
581             };
582             break;
583         case "L":
584             oid = new int[] {
585                     2, 5, 4, 7
586             };
587             break;
588         case "C":
589             oid = new int[] {
590                     2, 5, 4, 6
591             };
592             break;
593         default:
594             dos.close();
595             throw new Error("unknown RDN-type: " + key);
596         }
597         RDN rdn = new RDN(new AVA(new ObjectIdentifier(oid), new DerValue(dos.toByteArray())));
598         dos.close();
599         return rdn;
600     }
601
602     private static void addExtension(DerOutputStream extensions, ObjectIdentifier oid, byte[] extContent) throws IOException {
603         DerOutputStream SANs = new DerOutputStream();
604         SANs.putOID(oid);
605         SANs.putOctetString(extContent);
606
607         extensions.write(DerValue.tag_Sequence, SANs);
608     }
609
610     private static byte[] generateSAN(List<SubjectAlternateName> altnames) throws IOException {
611         DerOutputStream SANContent = new DerOutputStream();
612         for (SubjectAlternateName san : altnames) {
613             byte type = 0;
614             if (san.getType() == SANType.DNS) {
615                 type = (byte) GeneralNameInterface.NAME_DNS;
616             } else if (san.getType() == SANType.EMAIL) {
617                 type = (byte) GeneralNameInterface.NAME_RFC822;
618             } else {
619                 SANContent.close();
620                 throw new Error("" + san.getType());
621             }
622             SANContent.write(DerValue.createTag(DerValue.TAG_CONTEXT, false, type), san.getName().getBytes("UTF-8"));
623         }
624         DerOutputStream SANSeqContent = new DerOutputStream();
625         SANSeqContent.write(DerValue.tag_Sequence, SANContent);
626         byte[] byteArray = SANSeqContent.toByteArray();
627         SANContent.close();
628         SANSeqContent.close();
629         return byteArray;
630     }
631 }