1 package org.cacert.gigi.util;
3 import java.io.ByteArrayInputStream;
5 import java.io.FileInputStream;
6 import java.io.FileNotFoundException;
7 import java.io.FileOutputStream;
8 import java.io.IOException;
9 import java.io.InputStream;
10 import java.io.InputStreamReader;
11 import java.io.PrintWriter;
12 import java.io.Reader;
13 import java.math.BigInteger;
14 import java.nio.file.Paths;
15 import java.security.GeneralSecurityException;
16 import java.security.KeyFactory;
17 import java.security.KeyPair;
18 import java.security.KeyPairGenerator;
19 import java.security.NoSuchAlgorithmException;
20 import java.security.PrivateKey;
21 import java.security.PublicKey;
22 import java.security.Signature;
23 import java.security.cert.CertificateFactory;
24 import java.security.cert.X509Certificate;
25 import java.security.spec.InvalidKeySpecException;
26 import java.security.spec.PKCS8EncodedKeySpec;
27 import java.sql.SQLException;
28 import java.sql.Timestamp;
29 import java.text.ParseException;
30 import java.text.SimpleDateFormat;
31 import java.util.Arrays;
32 import java.util.Base64;
33 import java.util.Calendar;
34 import java.util.Date;
35 import java.util.HashMap;
36 import java.util.LinkedList;
37 import java.util.List;
39 import java.util.Map.Entry;
40 import java.util.Properties;
41 import java.util.TimeZone;
43 import javax.security.auth.x500.X500Principal;
45 import org.cacert.gigi.crypto.SPKAC;
46 import org.cacert.gigi.database.DatabaseConnection;
47 import org.cacert.gigi.database.GigiPreparedStatement;
48 import org.cacert.gigi.database.GigiResultSet;
49 import org.cacert.gigi.dbObjects.Certificate;
50 import org.cacert.gigi.dbObjects.Certificate.CSRType;
51 import org.cacert.gigi.dbObjects.Certificate.SANType;
52 import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
53 import org.cacert.gigi.dbObjects.CertificateProfile;
54 import org.cacert.gigi.dbObjects.Digest;
55 import org.cacert.gigi.output.DateSelector;
56 import org.cacert.gigi.testUtils.IOUtils;
58 import sun.security.pkcs10.PKCS10;
59 import sun.security.util.DerOutputStream;
60 import sun.security.util.DerValue;
61 import sun.security.util.ObjectIdentifier;
62 import sun.security.x509.AVA;
63 import sun.security.x509.AlgorithmId;
64 import sun.security.x509.GeneralNameInterface;
65 import sun.security.x509.RDN;
66 import sun.security.x509.X500Name;
68 public class SimpleSigner {
70 private static GigiPreparedStatement warnMail;
72 private static GigiPreparedStatement updateMail;
74 private static GigiPreparedStatement readyCerts;
76 private static GigiPreparedStatement getSANSs;
78 private static GigiPreparedStatement revoke;
80 private static GigiPreparedStatement revokeCompleted;
82 private static GigiPreparedStatement finishJob;
84 private static volatile boolean running = true;
86 private static Thread runner;
88 private static SimpleDateFormat sdf = new SimpleDateFormat("yyMMddHHmmss'Z'");
91 TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
92 sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
95 public static void main(String[] args) throws IOException, SQLException, InterruptedException {
98 KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
100 KeyPair kp = kpg.generateKeyPair();
101 X500Principal xp = new X500Principal(genX500Name(Certificate.buildDN("CN", "uiae")).getEncoded());
102 byte[] i = generateCert(kp.getPublic(), kp.getPrivate(), Certificate.buildDN("CN", "uiae"), xp, Arrays.<SubjectAlternateName>asList(), new Date(), new Date(System.currentTimeMillis() + 1000 * 60 * 60), Digest.SHA512, "clientAuth");
103 System.out.println(Base64.getMimeEncoder().encodeToString(i));
104 } catch (GeneralSecurityException e) {
109 Properties p = new Properties();
110 try (Reader reader = new InputStreamReader(new FileInputStream("config/gigi.properties"), "UTF-8")) {
113 DatabaseConnection.init(p);
118 public static void stopSigner() throws InterruptedException {
119 Thread capturedRunner;
120 synchronized (SimpleSigner.class) {
121 if (runner == null) {
122 throw new IllegalStateException("already stopped");
124 capturedRunner = runner;
126 SimpleSigner.class.notifyAll();
128 capturedRunner.join();
131 public synchronized static void runSigner() throws SQLException, IOException, InterruptedException {
132 if (runner != null) {
133 throw new IllegalStateException("already running");
136 readyCerts = DatabaseConnection.getInstance().prepare("SELECT certs.id AS id, certs.csr_name, jobs.id AS jobid, csr_type, md, executeFrom, executeTo, profile FROM jobs " + //
137 "INNER JOIN certs ON certs.id=jobs.targetId " + //
138 "INNER JOIN profiles ON profiles.id=certs.profile " + //
139 "WHERE jobs.state='open' "//
140 + "AND task='sign'");
142 getSANSs = DatabaseConnection.getInstance().prepare("SELECT contents, type FROM subjectAlternativeNames " + //
145 updateMail = DatabaseConnection.getInstance().prepare("UPDATE certs SET crt_name=?," + " created=NOW(), serial=?, caid=1 WHERE id=?");
146 warnMail = DatabaseConnection.getInstance().prepare("UPDATE jobs SET warning=warning+1, state=IF(warning<3, 'open','error') WHERE id=?");
148 revoke = DatabaseConnection.getInstance().prepare("SELECT certs.id, certs.csr_name,jobs.id FROM jobs INNER JOIN certs ON jobs.targetId=certs.id" + " WHERE jobs.state='open' AND task='revoke'");
149 revokeCompleted = DatabaseConnection.getInstance().prepare("UPDATE certs SET revoked=NOW() WHERE id=?");
151 finishJob = DatabaseConnection.getInstance().prepare("UPDATE jobs SET state='done' WHERE id=?");
153 runner = new Thread() {
164 private synchronized static void work() {
167 } catch (IOException e2) {
168 e2.printStackTrace();
169 } catch (InterruptedException e2) {
170 e2.printStackTrace();
176 revokeCertificates();
178 SimpleSigner.class.wait(5000);
179 } catch (IOException e) {
181 } catch (SQLException e) {
183 } catch (InterruptedException e1) {
189 private static void revokeCertificates() throws SQLException, IOException, InterruptedException {
190 GigiResultSet rs = revoke.executeQuery();
191 boolean worked = false;
193 int id = rs.getInt(1);
194 File crt = KeyStorage.locateCrt(id);
195 String[] call = new String[] {
198 "../unassured.crt",//
200 "../unassured.key",//
202 "../../" + crt.getPath(),//
208 Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));
209 System.out.println("revoking: " + crt.getPath());
210 if (p1.waitFor() == 0) {
212 revokeCompleted.setInt(1, id);
213 revokeCompleted.execute();
214 finishJob.setInt(1, rs.getInt(3));
217 System.out.println("Failed");
225 private static void gencrl() throws IOException, InterruptedException {
226 String[] call = new String[] {
229 "../unassured.crt",//
231 "../unassured.key",//
236 "../unassured.crl",//
241 Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));
242 if (p1.waitFor() != 0) {
243 System.out.println("Error while generating crl.");
247 private static int counter = 0;
249 private static void signCertificates() throws SQLException {
250 GigiResultSet rs = readyCerts.executeQuery();
252 Calendar c = Calendar.getInstance();
253 c.setTimeZone(TimeZone.getTimeZone("UTC"));
255 String csrname = rs.getString("csr_name");
256 int id = rs.getInt("id");
257 System.out.println("sign: " + csrname);
259 String csrType = rs.getString("csr_type");
260 CSRType ct = CSRType.valueOf(csrType);
261 File crt = KeyStorage.locateCrt(id);
263 Timestamp from = rs.getTimestamp("executeFrom");
264 String length = rs.getString("executeTo");
268 fromDate = new Date(System.currentTimeMillis());
270 fromDate = new Date(from.getTime());
272 if (length.endsWith("m") || length.endsWith("y")) {
273 String num = length.substring(0, length.length() - 1);
274 int inter = Integer.parseInt(num);
276 if (length.endsWith("m")) {
277 c.add(Calendar.MONTH, inter);
279 c.add(Calendar.YEAR, inter);
281 toDate = c.getTime();
283 toDate = DateSelector.getDateFormat().parse(length);
286 getSANSs.setInt(1, id);
287 GigiResultSet san = getSANSs.executeQuery();
289 boolean first = true;
290 LinkedList<SubjectAlternateName> altnames = new LinkedList<>();
293 altnames.add(new SubjectAlternateName(SANType.valueOf(san.getString("type").toUpperCase()), san.getString("contents")));
295 // TODO look them up!
296 // cfg.println("keyUsage=critical," +
297 // "digitalSignature, keyEncipherment, keyAgreement");
298 // cfg.println("extendedKeyUsage=critical," + "clientAuth");
301 int profile = rs.getInt("profile");
302 CertificateProfile cp = CertificateProfile.getById(profile);
303 String s = cp.getId() + "";
304 while (s.length() < 4) {
307 s += "-" + cp.getKeyName() + ".cfg";
308 Properties caP = new Properties();
309 caP.load(new FileInputStream("signer/profiles/" + s));
310 String ca = caP.getProperty("ca") + "_2015_1";
312 HashMap<String, String> subj = new HashMap<>();
313 GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT name, value FROM certAvas WHERE certId=?");
314 ps.setInt(1, rs.getInt("id"));
315 GigiResultSet rs2 = ps.executeQuery();
317 String name = rs2.getString("name");
318 if (name.equals("EMAIL")) {
319 name = "emailAddress";
321 subj.put(name, rs2.getString("value"));
323 if (subj.size() == 0) {
324 subj.put("CN", "<empty>");
325 System.out.println("WARNING: DN was empty");
327 System.out.println(subj);
330 byte[] data = IOUtils.readURL(new FileInputStream(csrname));
331 if (ct == CSRType.SPKAC) {
332 SPKAC sp = new SPKAC(data);
335 PKCS10 p10 = new PKCS10(PEM.decode("(NEW )?CERTIFICATE REQUEST", new String(data)));
336 pk = p10.getSubjectPublicKeyInfo();
338 PrivateKey i = loadOpensslKey(new File("signer/ca/" + ca + "/ca.key"));
341 X509Certificate root = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new FileInputStream("signer/ca/" + ca + "/ca.crt"));
342 byte[] cert = generateCert(pk, i, subj, root.getSubjectX500Principal(), altnames, fromDate, toDate, Digest.valueOf(rs.getString("md").toUpperCase()), caP.getProperty("eku"));
343 PrintWriter out = new PrintWriter(crt);
344 out.println("-----BEGIN CERTIFICATE-----");
345 out.println(Base64.getMimeEncoder().encodeToString(cert));
346 out.println("-----END CERTIFICATE-----");
350 * call = new String[] { "openssl", "ca",// "-in", "../../"
351 * + csrname,// "-cert", "../" + ca + ".crt",// "-keyfile",
352 * "../" + ca + ".key",// "-out", "../../" +
353 * crt.getPath(),// "-utf8", "-startdate",
354 * sdf.format(fromDate),// "-enddate", sdf.format(toDate),//
355 * "-batch",// "-md", rs.getString("md"),// "-extfile",
356 * "../" + f.getName(),// "-subj",
357 * Certificate.stringifyDN(subj),// "-config",
358 * "../selfsign.config"// };
362 try (InputStream is = new FileInputStream(crt)) {
363 CertificateFactory cf = CertificateFactory.getInstance("X.509");
364 X509Certificate crtp = (X509Certificate) cf.generateCertificate(is);
365 BigInteger serial = crtp.getSerialNumber();
366 updateMail.setString(1, crt.getPath());
367 updateMail.setString(2, serial.toString(16));
368 updateMail.setInt(3, id);
369 updateMail.execute();
371 finishJob.setInt(1, rs.getInt("jobid"));
373 System.out.println("signed: " + id);
377 } catch (GeneralSecurityException e) {
379 } catch (IOException e) {
381 } catch (ParseException e) {
384 System.out.println("Error with: " + id);
385 warnMail.setInt(1, rs.getInt("jobid"));
392 private static PrivateKey loadOpensslKey(File f) throws FileNotFoundException, IOException, InvalidKeySpecException, NoSuchAlgorithmException {
393 byte[] p8b = PEM.decode("RSA PRIVATE KEY", new String(IOUtils.readURL(new FileInputStream(f))));
394 DerOutputStream dos = new DerOutputStream();
396 new AlgorithmId(new ObjectIdentifier(new int[] {
397 1, 2, 840, 113549, 1, 1, 1
399 dos.putOctetString(p8b);
400 byte[] ctx = dos.toByteArray();
402 dos.write(DerValue.tag_Sequence, ctx);
403 PKCS8EncodedKeySpec p8 = new PKCS8EncodedKeySpec(dos.toByteArray());
404 PrivateKey i = KeyFactory.getInstance("RSA").generatePrivate(p8);
408 private static synchronized byte[] generateCert(PublicKey pk, PrivateKey prk, Map<String, String> subj, X500Principal issuer, List<SubjectAlternateName> altnames, Date fromDate, Date toDate, Digest digest, String eku) throws IOException, GeneralSecurityException {
409 File f = Paths.get("signer", "serial").toFile();
411 FileOutputStream fos = new FileOutputStream(f);
412 fos.write("1".getBytes());
415 try (FileInputStream fr = new FileInputStream(f)) {
416 byte[] serial = IOUtils.readURL(fr);
417 BigInteger ser = new BigInteger(new String(serial).trim());
418 ser = ser.add(BigInteger.ONE);
420 PrintWriter pw = new PrintWriter(f);
423 if (digest != Digest.SHA256 && digest != Digest.SHA512) {
424 System.err.println("assuming sha256 either way ;-): " + digest);
425 digest = Digest.SHA256;
427 ObjectIdentifier sha512withrsa = new ObjectIdentifier(new int[] {
428 1, 2, 840, 113549, 1, 1, digest == Digest.SHA256 ? 11 : 13
430 AlgorithmId aid = new AlgorithmId(sha512withrsa);
431 Signature s = Signature.getInstance(digest == Digest.SHA256 ? "SHA256withRSA" : "SHA512withRSA");
433 DerOutputStream cert = new DerOutputStream();
434 DerOutputStream content = new DerOutputStream();
436 DerOutputStream version = new DerOutputStream();
437 version.putInteger(2); // v3
438 content.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0), version);
440 content.putInteger(ser); // Serial
444 content.write(issuer.getEncoded());
447 DerOutputStream notAround = new DerOutputStream();
448 notAround.putUTCTime(fromDate);
449 notAround.putUTCTime(toDate);
450 content.write(DerValue.tag_Sequence, notAround);
454 X500Name xn = genX500Name(subj);
455 content.write(xn.getEncoded());
458 content.write(pk.getEncoded());
461 DerOutputStream extensions = new DerOutputStream();
463 addExtension(extensions, new ObjectIdentifier(new int[] {
465 }), generateSAN(altnames));
466 addExtension(extensions, new ObjectIdentifier(new int[] {
469 addExtension(extensions, new ObjectIdentifier(new int[] {
471 }), generateEKU(eku));
473 DerOutputStream extensionsSeq = new DerOutputStream();
474 extensionsSeq.write(DerValue.tag_Sequence, extensions);
475 content.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 3), extensionsSeq);
478 DerOutputStream contentSeq = new DerOutputStream();
480 contentSeq.write(DerValue.tag_Sequence, content.toByteArray());
483 s.update(contentSeq.toByteArray());
485 aid.encode(contentSeq);
486 contentSeq.putBitString(s.sign());
487 cert.write(DerValue.tag_Sequence, contentSeq);
489 X509Certificate c = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new ByteArrayInputStream(cert.toByteArray()));
490 // c.verify(pk); only for self-signeds
492 return cert.toByteArray();
497 private static byte[] generateKU() throws IOException {
498 DerOutputStream dos = new DerOutputStream();
499 dos.putBitString(new byte[] {
502 return dos.toByteArray();
505 private static byte[] generateEKU(String eku) throws IOException {
507 DerOutputStream dos = new DerOutputStream();
508 for (String name : eku.split(",")) {
509 ObjectIdentifier oid;
512 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.1");
515 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.2");
518 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.3");
520 case "emailProtection":
521 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.4");
525 throw new Error(name);
529 byte[] data = dos.toByteArray();
531 dos.write(DerValue.tag_Sequence, data);
532 return dos.toByteArray();
535 private static X500Name genX500Name(Map<String, String> subj) throws IOException {
536 LinkedList<RDN> rdns = new LinkedList<>();
537 for (Entry<String, String> i : subj.entrySet()) {
541 return new X500Name(rdns.toArray(new RDN[rdns.size()]));
544 private static RDN genRDN(Entry<String, String> i) throws IOException {
545 DerOutputStream dos = new DerOutputStream();
546 dos.putUTF8String(i.getValue());
548 String key = i.getKey();
558 1, 2, 840, 113549, 1, 9, 1
572 throw new Error("unknown RDN-type: " + key);
574 RDN rdn = new RDN(new AVA(new ObjectIdentifier(oid), new DerValue(dos.toByteArray())));
578 private static void addExtension(DerOutputStream extensions, ObjectIdentifier oid, byte[] extContent) throws IOException {
579 DerOutputStream SANs = new DerOutputStream();
581 SANs.putOctetString(extContent);
583 extensions.write(DerValue.tag_Sequence, SANs);
586 private static byte[] generateSAN(List<SubjectAlternateName> altnames) throws IOException {
587 DerOutputStream SANContent = new DerOutputStream();
588 for (SubjectAlternateName san : altnames) {
590 if (san.getType() == SANType.DNS) {
591 type = (byte) GeneralNameInterface.NAME_DNS;
592 } else if (san.getType() == SANType.EMAIL) {
593 type = (byte) GeneralNameInterface.NAME_RFC822;
595 throw new Error("" + san.getType());
597 SANContent.write(DerValue.createTag(DerValue.TAG_CONTEXT, false, type), san.getName().getBytes());
599 DerOutputStream SANSeqContent = new DerOutputStream();
600 SANSeqContent.write(DerValue.tag_Sequence, SANContent);
601 byte[] byteArray = SANSeqContent.toByteArray();