Merge "upd: Reduce Boilerplate in translated SprintfCommands"
[gigi.git] / util-testing / org / cacert / gigi / util / SimpleSigner.java
1 package org.cacert.gigi.util;
2
3 import java.io.File;
4 import java.io.FileInputStream;
5 import java.io.FileNotFoundException;
6 import java.io.FileOutputStream;
7 import java.io.IOException;
8 import java.io.InputStream;
9 import java.io.InputStreamReader;
10 import java.io.PrintWriter;
11 import java.io.Reader;
12 import java.math.BigInteger;
13 import java.nio.file.Paths;
14 import java.security.GeneralSecurityException;
15 import java.security.KeyFactory;
16 import java.security.NoSuchAlgorithmException;
17 import java.security.PrivateKey;
18 import java.security.PublicKey;
19 import java.security.Signature;
20 import java.security.cert.CertificateFactory;
21 import java.security.cert.X509Certificate;
22 import java.security.spec.InvalidKeySpecException;
23 import java.security.spec.PKCS8EncodedKeySpec;
24 import java.sql.SQLException;
25 import java.sql.Timestamp;
26 import java.text.ParseException;
27 import java.text.SimpleDateFormat;
28 import java.util.Base64;
29 import java.util.Calendar;
30 import java.util.Date;
31 import java.util.HashMap;
32 import java.util.LinkedList;
33 import java.util.List;
34 import java.util.Map;
35 import java.util.Map.Entry;
36 import java.util.Properties;
37 import java.util.TimeZone;
38
39 import javax.security.auth.x500.X500Principal;
40
41 import org.cacert.gigi.crypto.SPKAC;
42 import org.cacert.gigi.database.DatabaseConnection;
43 import org.cacert.gigi.database.GigiPreparedStatement;
44 import org.cacert.gigi.database.GigiResultSet;
45 import org.cacert.gigi.dbObjects.Certificate.CSRType;
46 import org.cacert.gigi.dbObjects.Certificate.SANType;
47 import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
48 import org.cacert.gigi.dbObjects.CertificateProfile;
49 import org.cacert.gigi.dbObjects.Digest;
50 import org.cacert.gigi.output.DateSelector;
51
52 import sun.security.pkcs10.PKCS10;
53 import sun.security.util.DerOutputStream;
54 import sun.security.util.DerValue;
55 import sun.security.util.ObjectIdentifier;
56 import sun.security.x509.AVA;
57 import sun.security.x509.AlgorithmId;
58 import sun.security.x509.GeneralNameInterface;
59 import sun.security.x509.RDN;
60 import sun.security.x509.X500Name;
61
62 public class SimpleSigner {
63
64     private static GigiPreparedStatement warnMail;
65
66     private static GigiPreparedStatement updateMail;
67
68     private static GigiPreparedStatement readyCerts;
69
70     private static GigiPreparedStatement getSANSs;
71
72     private static GigiPreparedStatement revoke;
73
74     private static GigiPreparedStatement revokeCompleted;
75
76     private static GigiPreparedStatement finishJob;
77
78     private static GigiPreparedStatement locateCA;
79
80     private static volatile boolean running = true;
81
82     private static Thread runner;
83
84     private static SimpleDateFormat sdf = new SimpleDateFormat("yyMMddHHmmss'Z'");
85
86     static {
87         TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
88         sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
89     }
90
91     public static void main(String[] args) throws IOException, SQLException, InterruptedException {
92         Properties p = new Properties();
93         try (Reader reader = new InputStreamReader(new FileInputStream("config/gigi.properties"), "UTF-8")) {
94             p.load(reader);
95         }
96         DatabaseConnection.init(p);
97
98         runSigner();
99     }
100
101     public static void stopSigner() throws InterruptedException {
102         Thread capturedRunner;
103         synchronized (SimpleSigner.class) {
104             if (runner == null) {
105                 throw new IllegalStateException("already stopped");
106             }
107             capturedRunner = runner;
108             running = false;
109             SimpleSigner.class.notifyAll();
110         }
111         capturedRunner.join();
112     }
113
114     public synchronized static void runSigner() throws SQLException, IOException, InterruptedException {
115         if (runner != null) {
116             throw new IllegalStateException("already running");
117         }
118         running = true;
119         readyCerts = new GigiPreparedStatement("SELECT certs.id AS id, certs.csr_name, jobs.id AS jobid, csr_type, md, `executeFrom`, `executeTo`, profile FROM jobs " + //
120                 "INNER JOIN certs ON certs.id=jobs.`targetId` " + //
121                 "INNER JOIN profiles ON profiles.id=certs.profile " + //
122                 "WHERE jobs.state='open' "//
123                 + "AND task='sign'");
124
125         getSANSs = new GigiPreparedStatement("SELECT contents, type FROM `subjectAlternativeNames` " + //
126                 "WHERE `certId`=?");
127
128         updateMail = new GigiPreparedStatement("UPDATE certs SET crt_name=?," + " created=NOW(), serial=?, caid=? WHERE id=?");
129         warnMail = new GigiPreparedStatement("UPDATE jobs SET warning=warning+1, state=IF(warning<3, 'open','error') WHERE id=?");
130
131         revoke = new GigiPreparedStatement("SELECT certs.id, certs.csr_name,jobs.id FROM jobs INNER JOIN certs ON jobs.`targetId`=certs.id" + " WHERE jobs.state='open' AND task='revoke'");
132         revokeCompleted = new GigiPreparedStatement("UPDATE certs SET revoked=NOW() WHERE id=?");
133
134         finishJob = new GigiPreparedStatement("UPDATE jobs SET state='done' WHERE id=?");
135
136         locateCA = new GigiPreparedStatement("SELECT id FROM cacerts WHERE keyname=?");
137
138         runner = new Thread() {
139
140             @Override
141             public void run() {
142                 work();
143             }
144
145         };
146         runner.start();
147     }
148
149     private synchronized static void work() {
150         try {
151             gencrl();
152         } catch (IOException e2) {
153             e2.printStackTrace();
154         } catch (InterruptedException e2) {
155             e2.printStackTrace();
156         }
157
158         while (running) {
159             try {
160                 signCertificates();
161                 revokeCertificates();
162
163                 SimpleSigner.class.wait(5000);
164             } catch (IOException e) {
165                 e.printStackTrace();
166             } catch (SQLException e) {
167                 e.printStackTrace();
168             } catch (InterruptedException e1) {
169             }
170         }
171         runner = null;
172     }
173
174     private static void revokeCertificates() throws SQLException, IOException, InterruptedException {
175         GigiResultSet rs = revoke.executeQuery();
176         boolean worked = false;
177         while (rs.next()) {
178             int id = rs.getInt(1);
179             worked = true;
180             System.out.println("Revoke faked: " + id);
181             revokeCompleted.setInt(1, id);
182             revokeCompleted.execute();
183             finishJob.setInt(1, rs.getInt(3));
184             finishJob.execute();
185         }
186         if (worked) {
187             gencrl();
188         }
189     }
190
191     private static void gencrl() throws IOException, InterruptedException {
192         if (true) {
193             return;
194         }
195         String[] call = new String[] {
196                 "openssl", "ca",//
197                 "-cert",
198                 "../unassured.crt",//
199                 "-keyfile",
200                 "../unassured.key",//
201                 "-gencrl",//
202                 "-crlhours",//
203                 "12",//
204                 "-out",
205                 "../unassured.crl",//
206                 "-config",
207                 "../selfsign.config"
208
209         };
210         Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));
211         if (p1.waitFor() != 0) {
212             System.out.println("Error while generating crl.");
213         }
214     }
215
216     private static int counter = 0;
217
218     private static void signCertificates() throws SQLException {
219         GigiResultSet rs = readyCerts.executeQuery();
220
221         Calendar c = Calendar.getInstance();
222         c.setTimeZone(TimeZone.getTimeZone("UTC"));
223         while (rs.next()) {
224             String csrname = rs.getString("csr_name");
225             int id = rs.getInt("id");
226             System.out.println("sign: " + csrname);
227             try {
228                 String csrType = rs.getString("csr_type");
229                 CSRType ct = CSRType.valueOf(csrType);
230                 File crt = KeyStorage.locateCrt(id);
231
232                 Timestamp from = rs.getTimestamp("executeFrom");
233                 String length = rs.getString("executeTo");
234                 Date fromDate;
235                 Date toDate;
236                 if (from == null) {
237                     fromDate = new Date(System.currentTimeMillis());
238                 } else {
239                     fromDate = new Date(from.getTime());
240                 }
241                 if (length.endsWith("m") || length.endsWith("y")) {
242                     String num = length.substring(0, length.length() - 1);
243                     int inter = Integer.parseInt(num);
244                     c.setTime(fromDate);
245                     if (length.endsWith("m")) {
246                         c.add(Calendar.MONTH, inter);
247                     } else {
248                         c.add(Calendar.YEAR, inter);
249                     }
250                     toDate = c.getTime();
251                 } else {
252                     toDate = DateSelector.getDateFormat().parse(length);
253                 }
254
255                 getSANSs.setInt(1, id);
256                 GigiResultSet san = getSANSs.executeQuery();
257
258                 LinkedList<SubjectAlternateName> altnames = new LinkedList<>();
259                 while (san.next()) {
260                     altnames.add(new SubjectAlternateName(SANType.valueOf(san.getString("type").toUpperCase()), san.getString("contents")));
261                 }
262                 // TODO look them up!
263                 // cfg.println("keyUsage=critical," +
264                 // "digitalSignature, keyEncipherment, keyAgreement");
265                 // cfg.println("extendedKeyUsage=critical," + "clientAuth");
266                 // cfg.close();
267
268                 int profile = rs.getInt("profile");
269                 CertificateProfile cp = CertificateProfile.getById(profile);
270                 String s = cp.getId() + "";
271                 while (s.length() < 4) {
272                     s = "0" + s;
273                 }
274                 s += "-" + cp.getKeyName() + ".cfg";
275                 Properties caP = new Properties();
276                 try (FileInputStream inStream = new FileInputStream("signer/profiles/" + s)) {
277                     caP.load(inStream);
278                 }
279                 String ca = caP.getProperty("ca") + "_2015_1";
280
281                 HashMap<String, String> subj = new HashMap<>();
282                 try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT name, value FROM `certAvas` WHERE `certId`=?")) {
283                     ps.setInt(1, rs.getInt("id"));
284                     GigiResultSet rs2 = ps.executeQuery();
285                     while (rs2.next()) {
286                         String name = rs2.getString("name");
287                         if (name.equals("EMAIL")) {
288                             name = "emailAddress";
289                         }
290                         subj.put(name, rs2.getString("value"));
291                     }
292                 }
293                 if (subj.size() == 0) {
294                     subj.put("CN", "<empty>");
295                     System.out.println("WARNING: DN was empty");
296                 }
297                 System.out.println(subj);
298
299                 PublicKey pk;
300                 byte[] data = IOUtils.readURL(new FileInputStream(csrname));
301                 if (ct == CSRType.SPKAC) {
302                     String dt = new String(data, "UTF-8");
303                     if (dt.startsWith("SPKAC=")) {
304                         dt = dt.substring(6);
305                         data = dt.getBytes("UTF-8");
306                         System.out.println(dt);
307                     }
308                     SPKAC sp = new SPKAC(Base64.getDecoder().decode(data));
309                     pk = sp.getPubkey();
310                 } else {
311                     PKCS10 p10 = new PKCS10(PEM.decode("(NEW )?CERTIFICATE REQUEST", new String(data, "UTF-8")));
312                     pk = p10.getSubjectPublicKeyInfo();
313                 }
314                 PrivateKey i = loadOpensslKey(new File("signer/ca/" + ca + "/ca.key"));
315
316                 X509Certificate root = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new FileInputStream("signer/ca/" + ca + "/ca.crt"));
317                 byte[] cert = generateCert(pk, i, subj, root.getSubjectX500Principal(), altnames, fromDate, toDate, Digest.valueOf(rs.getString("md").toUpperCase()), caP.getProperty("eku"));
318                 PrintWriter out = new PrintWriter(crt);
319                 out.println("-----BEGIN CERTIFICATE-----");
320                 out.println(Base64.getMimeEncoder().encodeToString(cert));
321                 out.println("-----END CERTIFICATE-----");
322                 out.close();
323
324                 try (InputStream is = new FileInputStream(crt)) {
325                     locateCA.setString(1, ca);
326                     GigiResultSet caRs = locateCA.executeQuery();
327                     if ( !caRs.next()) {
328                         throw new Error("ca " + ca + " was not found");
329                     }
330
331                     CertificateFactory cf = CertificateFactory.getInstance("X.509");
332                     X509Certificate crtp = (X509Certificate) cf.generateCertificate(is);
333                     BigInteger serial = crtp.getSerialNumber();
334                     updateMail.setString(1, crt.getPath());
335                     updateMail.setString(2, serial.toString(16));
336                     updateMail.setInt(3, caRs.getInt("id"));
337                     updateMail.setInt(4, id);
338                     updateMail.execute();
339
340                     finishJob.setInt(1, rs.getInt("jobid"));
341                     finishJob.execute();
342                     System.out.println("signed: " + id);
343                     continue;
344                 }
345
346             } catch (GeneralSecurityException e) {
347                 e.printStackTrace();
348             } catch (IOException e) {
349                 e.printStackTrace();
350             } catch (ParseException e) {
351                 e.printStackTrace();
352             }
353             System.out.println("Error with: " + id);
354             warnMail.setInt(1, rs.getInt("jobid"));
355             warnMail.execute();
356
357         }
358         rs.close();
359     }
360
361     private static PrivateKey loadOpensslKey(File f) throws FileNotFoundException, IOException, InvalidKeySpecException, NoSuchAlgorithmException {
362         byte[] p8b = PEM.decode("RSA PRIVATE KEY", new String(IOUtils.readURL(new FileInputStream(f))));
363         DerOutputStream dos = new DerOutputStream();
364         dos.putInteger(0);
365         new AlgorithmId(new ObjectIdentifier(new int[] {
366                 1, 2, 840, 113549, 1, 1, 1
367         })).encode(dos);
368         dos.putOctetString(p8b);
369         byte[] ctx = dos.toByteArray();
370         dos.reset();
371         dos.write(DerValue.tag_Sequence, ctx);
372         PKCS8EncodedKeySpec p8 = new PKCS8EncodedKeySpec(dos.toByteArray());
373         PrivateKey i = KeyFactory.getInstance("RSA").generatePrivate(p8);
374         return i;
375     }
376
377     public static synchronized byte[] generateCert(PublicKey pk, PrivateKey prk, Map<String, String> subj, X500Principal issuer, List<SubjectAlternateName> altnames, Date fromDate, Date toDate, Digest digest, String eku) throws IOException, GeneralSecurityException {
378         File f = Paths.get("signer", "serial").toFile();
379         if ( !f.exists()) {
380             try (FileOutputStream fos = new FileOutputStream(f)) {
381                 fos.write("1".getBytes("UTF-8"));
382             }
383         }
384         try (FileInputStream fr = new FileInputStream(f)) {
385             byte[] serial = IOUtils.readURL(fr);
386             BigInteger ser = new BigInteger(new String(serial).trim());
387             ser = ser.add(BigInteger.ONE);
388
389             PrintWriter pw = new PrintWriter(f);
390             pw.println(ser);
391             pw.close();
392             if (digest != Digest.SHA256 && digest != Digest.SHA512) {
393                 System.err.println("assuming sha256 either way ;-): " + digest);
394                 digest = Digest.SHA256;
395             }
396             ObjectIdentifier sha512withrsa = new ObjectIdentifier(new int[] {
397                     1, 2, 840, 113549, 1, 1, digest == Digest.SHA256 ? 11 : 13
398             });
399             AlgorithmId aid = new AlgorithmId(sha512withrsa);
400             Signature s = Signature.getInstance(digest == Digest.SHA256 ? "SHA256withRSA" : "SHA512withRSA");
401
402             DerOutputStream cert = new DerOutputStream();
403             DerOutputStream content = new DerOutputStream();
404             {
405                 DerOutputStream version = new DerOutputStream();
406                 version.putInteger(2); // v3
407                 content.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0), version);
408             }
409             content.putInteger(ser); // Serial
410             aid.encode(content);
411
412             {
413                 content.write(issuer.getEncoded());
414             }
415             {
416                 DerOutputStream notAround = new DerOutputStream();
417                 notAround.putUTCTime(fromDate);
418                 notAround.putUTCTime(toDate);
419                 content.write(DerValue.tag_Sequence, notAround);
420             }
421             {
422
423                 X500Name xn = genX500Name(subj);
424                 content.write(xn.getEncoded());
425             }
426             {
427                 content.write(pk.getEncoded());
428             }
429             {
430                 DerOutputStream extensions = new DerOutputStream();
431                 {
432                     addExtension(extensions, new ObjectIdentifier(new int[] {
433                             2, 5, 29, 17
434                     }), generateSAN(altnames));
435                     addExtension(extensions, new ObjectIdentifier(new int[] {
436                             2, 5, 29, 15
437                     }), generateKU());
438                     addExtension(extensions, new ObjectIdentifier(new int[] {
439                             2, 5, 29, 37
440                     }), generateEKU(eku));
441                 }
442                 DerOutputStream extensionsSeq = new DerOutputStream();
443                 extensionsSeq.write(DerValue.tag_Sequence, extensions);
444                 content.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 3), extensionsSeq);
445             }
446
447             DerOutputStream contentSeq = new DerOutputStream();
448
449             contentSeq.write(DerValue.tag_Sequence, content.toByteArray());
450
451             s.initSign(prk);
452             s.update(contentSeq.toByteArray());
453
454             aid.encode(contentSeq);
455             contentSeq.putBitString(s.sign());
456             cert.write(DerValue.tag_Sequence, contentSeq);
457
458             // X509Certificate c = (X509Certificate)
459             // CertificateFactory.getInstance("X509").generateCertificate(new
460             // ByteArrayInputStream(cert.toByteArray()));
461             // c.verify(pk); only for self-signeds
462
463             byte[] res = cert.toByteArray();
464             cert.close();
465             return res;
466         }
467
468     }
469
470     private static byte[] generateKU() throws IOException {
471         try (DerOutputStream dos = new DerOutputStream()) {
472             dos.putBitString(new byte[] {
473                 (byte) 0b10101000
474             });
475             return dos.toByteArray();
476         }
477     }
478
479     private static byte[] generateEKU(String eku) throws IOException {
480
481         DerOutputStream dos = new DerOutputStream();
482         for (String name : eku.split(",")) {
483             ObjectIdentifier oid;
484             switch (name) {
485             case "serverAuth":
486                 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.1");
487                 break;
488             case "clientAuth":
489                 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.2");
490                 break;
491             case "codeSigning":
492                 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.3");
493                 break;
494             case "emailProtection":
495                 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.4");
496                 break;
497             case "OCSPSigning":
498                 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.9");
499                 break;
500
501             default:
502                 throw new Error(name);
503             }
504             dos.putOID(oid);
505         }
506         byte[] data = dos.toByteArray();
507         dos.reset();
508         dos.write(DerValue.tag_Sequence, data);
509         return dos.toByteArray();
510     }
511
512     public static X500Name genX500Name(Map<String, String> subj) throws IOException {
513         LinkedList<RDN> rdns = new LinkedList<>();
514         for (Entry<String, String> i : subj.entrySet()) {
515             RDN rdn = genRDN(i);
516             rdns.add(rdn);
517         }
518         return new X500Name(rdns.toArray(new RDN[rdns.size()]));
519     }
520
521     private static RDN genRDN(Entry<String, String> i) throws IOException {
522         DerOutputStream dos = new DerOutputStream();
523         dos.putUTF8String(i.getValue());
524         int[] oid;
525         String key = i.getKey();
526         switch (key) {
527         case "CN":
528             oid = new int[] {
529                     2, 5, 4, 3
530             };
531             break;
532         case "EMAIL":
533         case "emailAddress":
534             oid = new int[] {
535                     1, 2, 840, 113549, 1, 9, 1
536             };
537             break;
538         case "O":
539             oid = new int[] {
540                     2, 5, 4, 10
541             };
542             break;
543         case "OU":
544             oid = new int[] {
545                     2, 5, 4, 11
546             };
547             break;
548         case "ST":
549             oid = new int[] {
550                     2, 5, 4, 8
551             };
552             break;
553         case "L":
554             oid = new int[] {
555                     2, 5, 4, 7
556             };
557             break;
558         case "C":
559             oid = new int[] {
560                     2, 5, 4, 6
561             };
562             break;
563         default:
564             dos.close();
565             throw new Error("unknown RDN-type: " + key);
566         }
567         RDN rdn = new RDN(new AVA(new ObjectIdentifier(oid), new DerValue(dos.toByteArray())));
568         dos.close();
569         return rdn;
570     }
571
572     private static void addExtension(DerOutputStream extensions, ObjectIdentifier oid, byte[] extContent) throws IOException {
573         DerOutputStream SANs = new DerOutputStream();
574         SANs.putOID(oid);
575         SANs.putOctetString(extContent);
576
577         extensions.write(DerValue.tag_Sequence, SANs);
578     }
579
580     private static byte[] generateSAN(List<SubjectAlternateName> altnames) throws IOException {
581         DerOutputStream SANContent = new DerOutputStream();
582         for (SubjectAlternateName san : altnames) {
583             byte type = 0;
584             if (san.getType() == SANType.DNS) {
585                 type = (byte) GeneralNameInterface.NAME_DNS;
586             } else if (san.getType() == SANType.EMAIL) {
587                 type = (byte) GeneralNameInterface.NAME_RFC822;
588             } else {
589                 SANContent.close();
590                 throw new Error("" + san.getType());
591             }
592             SANContent.write(DerValue.createTag(DerValue.TAG_CONTEXT, false, type), san.getName().getBytes("UTF-8"));
593         }
594         DerOutputStream SANSeqContent = new DerOutputStream();
595         SANSeqContent.write(DerValue.tag_Sequence, SANContent);
596         byte[] byteArray = SANSeqContent.toByteArray();
597         SANContent.close();
598         SANSeqContent.close();
599         return byteArray;
600     }
601 }