package club.wpia.gigi.util;
+import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import javax.security.auth.x500.X500Principal;
+import club.wpia.gigi.GigiApiException;
import club.wpia.gigi.crypto.SPKAC;
import club.wpia.gigi.database.DatabaseConnection;
+import club.wpia.gigi.database.DatabaseConnection.Link;
import club.wpia.gigi.database.GigiPreparedStatement;
import club.wpia.gigi.database.GigiResultSet;
-import club.wpia.gigi.database.DatabaseConnection.Link;
-import club.wpia.gigi.dbObjects.CertificateProfile;
-import club.wpia.gigi.dbObjects.Digest;
+import club.wpia.gigi.dbObjects.Certificate;
+import club.wpia.gigi.dbObjects.Certificate.AttachmentType;
import club.wpia.gigi.dbObjects.Certificate.CSRType;
import club.wpia.gigi.dbObjects.Certificate.SANType;
import club.wpia.gigi.dbObjects.Certificate.SubjectAlternateName;
+import club.wpia.gigi.dbObjects.CertificateProfile;
+import club.wpia.gigi.dbObjects.Digest;
import club.wpia.gigi.output.DateSelector;
-import club.wpia.gigi.util.KeyStorage;
-import club.wpia.gigi.util.PEM;
+import club.wpia.gigi.util.ServerConstants.Host;
import sun.security.pkcs10.PKCS10;
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;
try (Reader reader = new InputStreamReader(new FileInputStream("config/gigi.properties"), "UTF-8")) {
p.load(reader);
}
+ ServerConstants.init(p);
DatabaseConnection.init(p);
runSigner();
@Override
public void run() {
try (Link l = DatabaseConnection.newLink(false)) {
- readyCerts = new GigiPreparedStatement("SELECT certs.id AS id, certs.csr_name, jobs.id AS jobid, csr_type, md, `executeFrom`, `executeTo`, profile FROM jobs " + //
+ readyCerts = new GigiPreparedStatement("SELECT certs.id AS id, jobs.id AS jobid, csr_type, md, `executeFrom`, `executeTo`, profile FROM jobs " + //
"INNER JOIN certs ON certs.id=jobs.`targetId` " + //
"INNER JOIN profiles ON profiles.id=certs.profile " + //
"WHERE jobs.state='open' " + //
getSANSs = new GigiPreparedStatement("SELECT contents, type FROM `subjectAlternativeNames` " + //
"WHERE `certId`=?");
- updateMail = new GigiPreparedStatement("UPDATE certs SET crt_name=?," + " created=NOW(), serial=?, caid=?, expire=? WHERE id=?");
- warnMail = new GigiPreparedStatement("UPDATE jobs SET warning=warning+1, state=CASE WHEN warning<3 THEN 'open'::`jobState` ELSE 'error'::`jobState` END WHERE id=?");
+ updateMail = new GigiPreparedStatement("UPDATE certs SET created=NOW(), serial=?, caid=?, expire=? WHERE id=?");
+ warnMail = new GigiPreparedStatement("UPDATE jobs SET attempt=attempt+1, state=CASE WHEN attempt<3 THEN 'open'::`jobState` ELSE 'error'::`jobState` END WHERE id=?");
- revoke = new GigiPreparedStatement("SELECT certs.id, certs.csr_name,jobs.id FROM jobs INNER JOIN certs ON jobs.`targetId`=certs.id" + " WHERE jobs.state='open' AND task='revoke'");
- revokeCompleted = new GigiPreparedStatement("UPDATE certs SET revoked=NOW() WHERE id=?");
+ revoke = new GigiPreparedStatement("SELECT certs.id, jobs.id FROM jobs INNER JOIN certs ON jobs.`targetId`=certs.id" + " WHERE jobs.state='open' AND task='revoke'");
+ revokeCompleted = new GigiPreparedStatement("UPDATE `certs` SET revoked=NOW() WHERE id=?");
finishJob = new GigiPreparedStatement("UPDATE jobs SET state='done' WHERE id=?");
worked = true;
System.out.println("Revoke faked: " + id);
revokeCompleted.setInt(1, id);
- revokeCompleted.execute();
- finishJob.setInt(1, rs.getInt(3));
- finishJob.execute();
+ revokeCompleted.executeUpdate();
+ finishJob.setInt(1, rs.getInt(2));
+ finishJob.executeUpdate();
}
if (worked) {
gencrl();
Calendar c = Calendar.getInstance();
c.setTimeZone(TimeZone.getTimeZone("UTC"));
while (rs.next()) {
- String csrname = rs.getString("csr_name");
int id = rs.getInt("id");
- System.out.println("sign: " + csrname);
+ System.out.println("sign: " + id);
try {
+ Certificate crt = Certificate.getById(id);
String csrType = rs.getString("csr_type");
CSRType ct = CSRType.valueOf(csrType);
- File crt = KeyStorage.locateCrt(id);
Timestamp from = rs.getTimestamp("executeFrom");
String length = rs.getString("executeTo");
System.out.println(subj);
PublicKey pk;
- byte[] data = IOUtils.readURL(new FileInputStream(csrname));
+ byte[] data = crt.getAttachment(AttachmentType.CSR).getBytes("UTF-8");
if (ct == CSRType.SPKAC) {
String dt = new String(data, "UTF-8");
if (dt.startsWith("SPKAC=")) {
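Review bot: The new line `byte[] data = crt.getAttachment(AttachmentType.CSR).getBytes("UTF-8");` dereferences the attachment without checking it; if getAttachment returns null for a certificate that has no stored CSR (the page does not show its contract, so this needs confirming), the NullPointerException is not covered by the visible catch clauses for ParseException and GigiApiException and would presumably escape the while loop entirely, so the job is never routed to the warnMail/attempt path and the signer run stops. Read it into a local first, `String csr = crt.getAttachment(AttachmentType.CSR);`, and on null print the id and fall through to the same "Error with:" path the other failures use instead of letting the exception propagate. The previous KeyStorage/FileInputStream version failed with a caught FileNotFoundException for the missing-file case, so this is a behaviour regression of the migration rather than a pre-existing gap. The enclosing run() method and the catch block that terminates this try start and end outside this hunk.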
X509Certificate root = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new FileInputStream("signer/ca/" + ca + "/ca.crt"));
byte[] cert = generateCert(pk, i, subj, root.getSubjectX500Principal(), altnames, fromDate, toDate, Digest.valueOf(rs.getString("md").toUpperCase()), caP.getProperty("eku"));
- PrintWriter out = new PrintWriter(crt);
- out.println("-----BEGIN CERTIFICATE-----");
- out.println(Base64.getMimeEncoder().encodeToString(cert));
- out.println("-----END CERTIFICATE-----");
- out.close();
+ StringBuilder b = new StringBuilder();
+ b.append("-----BEGIN CERTIFICATE-----\r\n");
+ b.append(Base64.getMimeEncoder().encodeToString(cert));
+ b.append("-----END CERTIFICATE-----\r\n");
+ crt.addAttachment(AttachmentType.CRT, b.toString());
- try (InputStream is = new FileInputStream(crt)) {
+ try (InputStream is = new ByteArrayInputStream(cert)) {
locateCA.setString(1, ca);
GigiResultSet caRs = locateCA.executeQuery();
if ( !caRs.next()) {
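Review bot: The PEM assembled at the StringBuilder lines is malformed: `Base64.getMimeEncoder()` separates 76-character lines with CRLF but adds no separator after the last line, so the stored CRT attachment reads `...==-----END CERTIFICATE-----` with the END marker glued to the base64 body, which PEM parsers reject. The removed PrintWriter code emitted each piece with println, which is why this did not show before. Change the middle append to `b.append(Base64.getMimeEncoder().encodeToString(cert)).append("\r\n");`. The defect is not caught locally because the CertificateFactory below parses the DER bytes via ByteArrayInputStream rather than the attachment, so it presumably only surfaces when the attachment is later served to a client.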
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate crtp = (X509Certificate) cf.generateCertificate(is);
BigInteger serial = crtp.getSerialNumber();
- updateMail.setString(1, crt.getPath());
- updateMail.setString(2, serial.toString(16));
- updateMail.setInt(3, caRs.getInt("id"));
- updateMail.setTimestamp(4, new Timestamp(toDate.getTime()));
- updateMail.setInt(5, id);
- updateMail.execute();
+ updateMail.setString(1, serial.toString(16));
+ updateMail.setInt(2, caRs.getInt("id"));
+ updateMail.setTimestamp(3, new Timestamp(toDate.getTime()));
+ updateMail.setInt(4, id);
+ updateMail.executeUpdate();
finishJob.setInt(1, rs.getInt("jobid"));
- finishJob.execute();
+ finishJob.executeUpdate();
System.out.println("signed: " + id);
continue;
}
e.printStackTrace();
} catch (ParseException e) {
e.printStackTrace();
+ } catch (GigiApiException e) {
+ e.printStackTrace();
}
System.out.println("Error with: " + id);
warnMail.setInt(1, rs.getInt("jobid"));
- warnMail.execute();
+ warnMail.executeUpdate();
}
rs.close();
PrintWriter pw = new PrintWriter(f);
pw.println(ser);
pw.close();
- if (digest != Digest.SHA256 && digest != Digest.SHA512) {
+ if (digest != Digest.SHA256 && digest != Digest.SHA384 && digest != Digest.SHA512) {
System.err.println("assuming sha256 either way ;-): " + digest);
digest = Digest.SHA256;
}
ObjectIdentifier sha512withrsa = new ObjectIdentifier(new int[] {
- 1, 2, 840, 113549, 1, 1, digest == Digest.SHA256 ? 11 : 13
+ 1, 2, 840, 113549, 1, 1, digest == Digest.SHA256 ? 11 : (digest == Digest.SHA384 ? 12 : 13)
});
AlgorithmId aid = new AlgorithmId(sha512withrsa);
- Signature s = Signature.getInstance(digest == Digest.SHA256 ? "SHA256withRSA" : "SHA512withRSA");
+ Signature s = Signature.getInstance(digest == Digest.SHA256 ? "SHA256withRSA" : (digest == Digest.SHA384 ? "SHA384withRSA" : "SHA512withRSA"));
DerOutputStream cert = new DerOutputStream();
DerOutputStream content = new DerOutputStream();
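Review bot: The SHA-384 addition had to be threaded through three places by hand — the guard at the Digest check, the nested ternary selecting the PKCS#1 OID arc, and the nested ternary selecting the JCA algorithm name — and nothing ties the arc and the name together, so a future digest can be added to one and not the other without any compile-time complaint. A single switch over Digest that yields both values makes the mapping one-place and also lets the existing "assuming sha256" fallback become the default branch. The variable named `sha512withrsa` now holds whichever of the three OIDs was selected, so a neutral name such as `sigAlgOid` would stop misleading the reader. generateCert starts and ends outside this hunk.
```java
// … unchanged: digest fallback to SHA256 with stderr notice …
// Last arc of the PKCS#1 sha*WithRSAEncryption OID and the matching JCA name, chosen together.
int oidArc;
String jcaName;
switch (digest) {
    case SHA384:
        oidArc = 12;
        jcaName = "SHA384withRSA";
        break;
    case SHA512:
        oidArc = 13;
        jcaName = "SHA512withRSA";
        break;
    default:
        oidArc = 11;
        jcaName = "SHA256withRSA";
        break;
}
ObjectIdentifier sigAlgOid = new ObjectIdentifier(new int[] {
    1, 2, 840, 113549, 1, 1, oidArc
});
AlgorithmId aid = new AlgorithmId(sigAlgOid);
Signature s = Signature.getInstance(jcaName);
```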
addExtension(extensions, new ObjectIdentifier(new int[] {
2, 5, 29, 37
}), generateEKU(eku));
+ addExtension(extensions, new ObjectIdentifier(new int[] {
+ 1, 3, 6, 1, 5, 5, 7, 1, 1
+ }), generateAIA());
}
DerOutputStream extensionsSeq = new DerOutputStream();
extensionsSeq.write(DerValue.tag_Sequence, extensions);
}
+ private static byte[] generateAIA() throws IOException {
+ try (DerOutputStream dos = new DerOutputStream()) {
+ try (DerOutputStream seq = new DerOutputStream()) {
+ seq.putOID(new ObjectIdentifier(new int[] {
+ 1, 3, 6, 1, 5, 5, 7, 48, 2
+ }));
+ seq.write((byte) 0x86, ("http://" + ServerConstants.getHostName(Host.OCSP_RESPONDER)).getBytes("UTF-8"));
+ dos.write(DerValue.tag_Sequence, seq);
+ }
+ byte[] data = dos.toByteArray();
+ dos.reset();
+ dos.write(DerValue.tag_Sequence, data);
+ return dos.toByteArray();
+ }
+ }
+
private static byte[] generateKU() throws IOException {
try (DerOutputStream dos = new DerOutputStream()) {
dos.putBitString(new byte[] {
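Review bot: The accessMethod OID that generateAIA writes, `1, 3, 6, 1, 5, 5, 7, 48, 2`, is id-ad-caIssuers, yet the accessLocation is built from `Host.OCSP_RESPONDER`; if this entry is meant to advertise the OCSP responder, the arc must be `1, 3, 6, 1, 5, 5, 7, 48, 1` (id-ad-ocsp), otherwise relying parties never discover the responder and may instead try to fetch issuer certificates from that URL. If the OCSP host really does serve the CA certificate chain, a comment on the OID saying so is needed because the Host constant name suggests the opposite, and the certificate would then still lack an OCSP entry. The tag `(byte) 0x86` is [6] uniformResourceIdentifier, an IA5String, so the value must be ASCII; `getBytes("UTF-8")` would silently produce an invalid encoding for a non-ASCII hostname, and a comment recording that the configured hostname is assumed ASCII (or an explicit `StandardCharsets.US_ASCII`) would make that visible. A one-line Javadoc such as `/** Builds the AuthorityInfoAccess extension value: one AccessDescription pointing at the configured responder host. */` would also help, since the method is new and undocumented.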