From: Felix Dörre Date: Sat, 23 Aug 2014 13:09:23 +0000 (+0200) Subject: Merge branch 'issuePeriod' X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=d895448cb685adc4c2bfac8d92759252d2ce8c36;hp=-c Merge branch 'issuePeriod' Conflicts: src/org/cacert/gigi/pages/account/CertificateIssueForm.java util/org/cacert/gigi/util/SimpleSigner.java --- d895448cb685adc4c2bfac8d92759252d2ce8c36 diff --combined doc/tableStructure.sql index bab06582,3fe84bb0..b2972841 --- a/doc/tableStructure.sql +++ b/doc/tableStructure.sql @@@ -144,7 -144,7 +144,7 @@@ CREATE TABLE `clientcerts` DROP TABLE IF EXISTS `profiles`; CREATE TABLE `profiles` ( `id` int(3) NOT NULL AUTO_INCREMENT, - `keyname` varchar(10) NOT NULL, + `keyname` varchar(60) NOT NULL, `keyUsage` varchar(100) NOT NULL, `extendedKeyUsage` varchar(100) NOT NULL, `rootcert` int(2) NOT NULL DEFAULT '1', @@@ -152,17 -152,10 +152,17 @@@ PRIMARY KEY (`id`), UNIQUE (`keyname`) ) ENGINE=InnoDB AUTO_INCREMENT=0 DEFAULT CHARSET=latin1; -INSERT INTO `profiles` SET keyname='client', name='ssl-client', keyUsage='digitalSignature, keyEncipherment, keyAgreement', extendedKeyUsage='clientAuth'; -INSERT INTO `profiles` SET keyname='server', name='ssl-server', keyUsage='digitalSignature, keyEncipherment, keyAgreement', extendedKeyUsage='serverAuth'; -INSERT INTO `profiles` SET keyname='mail', name='mail', keyUsage='digitalSignature, keyEncipherment, keyAgreement', extendedKeyUsage='emailProtection'; +INSERT INTO `profiles` SET rootcert=0, keyname='client', name='ssl-client (unassured)', keyUsage='digitalSignature, keyEncipherment, keyAgreement', extendedKeyUsage='clientAuth'; +INSERT INTO `profiles` SET rootcert=0, keyname='mail', name='mail (unassured)', keyUsage='digitalSignature, keyEncipherment, keyAgreement', extendedKeyUsage='emailProtection'; +INSERT INTO `profiles` SET rootcert=0, keyname='client-mail', name='ssl-client + mail (unassured)', keyUsage='digitalSignature, keyEncipherment, keyAgreement', 
extendedKeyUsage='clientAuth, emailProtection'; +INSERT INTO `profiles` SET rootcert=0, keyname='server', name='ssl-server (unassured)', keyUsage='digitalSignature, keyEncipherment, keyAgreement', extendedKeyUsage='serverAuth'; +INSERT INTO `profiles` SET rootcert=1, keyname='client-a', name='ssl-client (assured)', keyUsage='digitalSignature, keyEncipherment, keyAgreement', extendedKeyUsage='clientAuth'; +INSERT INTO `profiles` SET rootcert=1, keyname='mail-a', name='mail (assured)', keyUsage='digitalSignature, keyEncipherment, keyAgreement', extendedKeyUsage='emailProtection'; +INSERT INTO `profiles` SET rootcert=1, keyname='client-mail-a', name='ssl-client + mail(assured)', keyUsage='digitalSignature, keyEncipherment, keyAgreement', extendedKeyUsage='clientAuth, emailProtection'; +INSERT INTO `profiles` SET rootcert=1, keyname='server-a', name='ssl-server (assured)', keyUsage='digitalSignature, keyEncipherment, keyAgreement', extendedKeyUsage='serverAuth'; + +-- 0=unassured, 1=assured, 2=codesign, 3=orga, 4=orga-sign DROP TABLE IF EXISTS `subjectAlternativeNames`; CREATE TABLE `subjectAlternativeNames` ( `certId` int(11) NOT NULL, @@@ -180,6 -173,8 +180,8 @@@ CREATE TABLE `jobs` `task` enum('sign','revoke') NOT NULL, `state` enum('open', 'done', 'error') NOT NULL DEFAULT 'open', `warning` int(2) NOT NULL DEFAULT '0', + `executeFrom` DATE, + `executeTo` VARCHAR(11), PRIMARY KEY (`id`), KEY `state` (`state`) ) ENGINE=InnoDB AUTO_INCREMENT=0 DEFAULT CHARSET=latin1; diff --combined src/org/cacert/gigi/Launcher.java index 94d7d655,10488f05..25bc3ce6 --- a/src/org/cacert/gigi/Launcher.java +++ b/src/org/cacert/gigi/Launcher.java @@@ -10,6 -10,7 +10,7 @@@ import java.security.UnrecoverableKeyEx import java.security.cert.Certificate; import java.util.List; import java.util.Properties; + import java.util.TimeZone; import javax.net.ssl.ExtendedSSLSession; import javax.net.ssl.SNIHostName; @@@ -46,6 -47,7 +47,7 @@@ import org.eclipse.jetty.util.ssl.SslCo public class 
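Review bot: The trailing comment `-- 0=unassured, 1=assured, 2=codesign, 3=orga, 4=orga-sign` documents five `rootcert` values, but the signer merged in the same commit (SimpleSigner.signCertificates, further down this page) maps only 0 and 1 and falls back to the `unassured` CA for every other value, so a profile row created with rootcert 2–4 would be silently signed by the unassured key. Until the signer handles those values, I would say so at the column definition instead of after the INSERTs: `-- rootcert: 0=unassured, 1=assured; 2=codesign, 3=orga, 4=orga-sign are reserved (SimpleSigner currently signs anything else with the unassured CA)`. Also `name='ssl-client + mail(assured)'` lacks the space before the parenthesis that the other seven rows have.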
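Review bot: `executeTo VARCHAR(11)` carries two different encodings — a relative period such as `6m`/`2y` or an absolute date string — and nothing at the schema level says which, while `executeFrom DATE` is nullable and the signer substitutes the signing time for NULL. A comment on the two columns would spare the next reader a trip through SimpleSigner: `executeFrom DATE, -- notBefore (UTC); NULL = sign time` and `executeTo VARCHAR(11), -- '<n>m' or '<n>y' relative to executeFrom, else an absolute date as formatted by CertificateValiditySelector`. Since only `Job.sign` fills these and revoke jobs leave them NULL, that is worth stating as well.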
Launcher { public static void main(String[] args) throws Exception { + TimeZone.setDefault(TimeZone.getTimeZone("UTC")); GigiConfig conf = GigiConfig.parse(System.in); ServerConstants.init(conf.getMainProps()); initEmails(conf); @@@ -62,7 -64,6 +64,7 @@@ ServerConnector connector = new ServerConnector(s, createConnectionFactory(conf), new HttpConnectionFactory(https_config)); connector.setHost(conf.getMainProps().getProperty("host")); connector.setPort(Integer.parseInt(conf.getMainProps().getProperty("port"))); + connector.setAcceptQueueSize(100); s.setConnectors(new Connector[] { connector }); diff --combined src/org/cacert/gigi/pages/account/CertificateIssueForm.java index 0ec43af5,086d51a3..ff659225 --- a/src/org/cacert/gigi/pages/account/CertificateIssueForm.java +++ b/src/org/cacert/gigi/pages/account/CertificateIssueForm.java @@@ -27,6 -27,7 +27,7 @@@ import org.cacert.gigi.GigiApiException import org.cacert.gigi.User; import org.cacert.gigi.crypto.SPKAC; import org.cacert.gigi.localisation.Language; + import org.cacert.gigi.output.CertificateValiditySelector; import org.cacert.gigi.output.Form; import org.cacert.gigi.output.template.HashAlgorithms; import org.cacert.gigi.output.template.IterableDataset; @@@ -94,23 -95,25 +95,25 @@@ public class CertificateIssueForm exten 1, 3, 6, 1, 5, 5, 7, 3, 9 }); - User u; + private User u; private CSRType csrType; - String csr; + private String csr; - String spkacChallenge; + private String spkacChallenge; public String CN = DEFAULT_CN; - Set SANs = new LinkedHashSet<>(); + private Set SANs = new LinkedHashSet<>(); - Digest selectedDigest = Digest.getDefault(); + private Digest selectedDigest = Digest.getDefault(); + CertificateValiditySelector issueDate = new CertificateValiditySelector(); + - boolean login; + private boolean login; - CertificateProfile profile = CertificateProfile.getById(1); + private CertificateProfile profile = CertificateProfile.getById(1); public CertificateIssueForm(HttpServletRequest hsr) { 
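Review bot: `TimeZone.setDefault(TimeZone.getTimeZone("UTC"))` pins the webapp's default zone but not the signer's: SimpleSigner has its own `main` in this merge and only sets the zone on its `SimpleDateFormat`, while `ps.setDate(3, start)` in Job.sign and `rs.getDate("executeFrom")` in the signer go through `java.sql.Date`, whose JDBC conversion uses the JVM default zone. If the two processes run with different defaults, the notBefore written by the web side can come back shifted by a day in the signer. I would add the same call to SimpleSigner.main (or run both with `-Duser.timezone=UTC`) and record the assumption here: `// all date <-> DB conversions assume UTC; SimpleSigner must run with the same default zone`.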
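Review bot: `connector.setAcceptQueueSize(100)` hard-codes a tuning value between two lines that read `host` and `port` from the main properties, so it would be consistent to make it configurable by the same mechanism and keep 100 as the default: `connector.setAcceptQueueSize(Integer.parseInt(conf.getMainProps().getProperty("acceptQueueSize", "100")));`. A one-line comment on why 100 was chosen (Jetty otherwise appears to leave the backlog to the OS default) would help whoever tunes this later.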
super(hsr); @@@ -118,7 -121,7 +121,7 @@@ spkacChallenge = RandomToken.generateToken(16); } - Certificate result; + private Certificate result; public Certificate getResult() { return result; @@@ -230,6 -233,7 +233,7 @@@ } else { login = "1".equals(req.getParameter("login")); + issueDate.update(req); CN = req.getParameter("CN"); String hashAlg = req.getParameter("hash_alg"); if (hashAlg != null) { @@@ -296,7 -300,7 +300,7 @@@ result = new Certificate(LoginPage.getUser(req).getId(), subject.toString(), selectedDigest.toString(), // this.csr, this.csrType, profile, SANs.toArray(new SubjectAlternateName[SANs.size()])); - result.issue().waitFor(60000); + result.issue(issueDate.getFrom(), issueDate.getTo()).waitFor(60000); return true; } } catch (IOException e) { @@@ -407,6 -411,7 +411,7 @@@ } vars2.put("CN", CN); + vars2.put("validity", issueDate); vars2.put("emails", content.toString()); vars2.put("hashs", new HashAlgorithms(selectedDigest)); vars2.put("profiles", new IterableDataset() { diff --combined src/org/cacert/gigi/util/Job.java index 9ec46129,959c14f5..6e502afd --- a/src/org/cacert/gigi/util/Job.java +++ b/src/org/cacert/gigi/util/Job.java @@@ -1,15 -1,18 +1,18 @@@ package org.cacert.gigi.util; + import java.sql.Date; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import org.cacert.gigi.Certificate; + import org.cacert.gigi.GigiApiException; import org.cacert.gigi.database.DatabaseConnection; + import org.cacert.gigi.output.CertificateValiditySelector; public class Job { - int id; + private int id; private Job(int id) { this.id = id; @@@ -29,10 -32,22 +32,22 @@@ } } - public static Job submit(Certificate targetId, JobType type) throws SQLException { + public static Job sign(Certificate targetId, Date start, String period) throws SQLException, GigiApiException { + CertificateValiditySelector.checkValidityLength(period); + PreparedStatement ps = DatabaseConnection.getInstance().prepare("INSERT INTO `jobs` SET 
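Review bot: `CertificateValiditySelector issueDate = new CertificateValiditySelector();` is the one field in this hunk left package-private while every sibling (`u`, `csr`, `spkacChallenge`, `SANs`, `selectedDigest`, `login`, `profile`) was narrowed to `private` in the same change. It is assigned once here and only mutated through `issueDate.update(req)`, so `private final CertificateValiditySelector issueDate = new CertificateValiditySelector();` keeps the form's request state encapsulated like the others. The class body continues outside the hunk; `CN` stays public as before and is not part of this remark.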
targetId=?, task=?, executeFrom=?, executeTo=?"); + ps.setInt(1, targetId.getId()); + ps.setString(2, JobType.SIGN.getName()); + ps.setDate(3, start); + ps.setString(4, period); + ps.execute(); + return new Job(DatabaseConnection.lastInsertId(ps)); + } + + public static Job revoke(Certificate targetId) throws SQLException { + PreparedStatement ps = DatabaseConnection.getInstance().prepare("INSERT INTO `jobs` SET targetId=?, task=?"); ps.setInt(1, targetId.getId()); - ps.setString(2, type.getName()); + ps.setString(2, JobType.REVOKE.getName()); ps.execute(); return new Job(DatabaseConnection.lastInsertId(ps)); } diff --combined util/org/cacert/gigi/util/SimpleSigner.java index 481729ab,2f0f6f6b..fe08aef9 --- a/util/org/cacert/gigi/util/SimpleSigner.java +++ b/util/org/cacert/gigi/util/SimpleSigner.java @@@ -12,14 -12,19 +12,19 @@@ import java.math.BigInteger import java.security.GeneralSecurityException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; + import java.util.Date; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; - import java.util.Arrays; + import java.text.ParseException; + import java.text.SimpleDateFormat; + import java.util.Calendar; import java.util.Properties; + import java.util.TimeZone; import org.cacert.gigi.Certificate.CSRType; import org.cacert.gigi.database.DatabaseConnection; + import org.cacert.gigi.output.CertificateValiditySelector; public class SimpleSigner { @@@ -41,6 -46,11 +46,12 @@@ private static Thread runner; + private static SimpleDateFormat sdf = new SimpleDateFormat("YYMMddHHmmss'Z'"); ++ + static { + sdf.setTimeZone(TimeZone.getTimeZone("UTC")); + } + public static void main(String[] args) throws IOException, SQLException, InterruptedException { Properties p = new Properties(); p.load(new FileReader("config/gigi.properties")); @@@ -64,7 -74,7 +75,7 @@@ throw new IllegalStateException("already running"); } running = true; - readyCerts = 
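Review bot: `sign` validates `period` through `checkValidityLength` but writes `start` to `executeFrom` unchecked, and the caller in CertificateIssueForm takes it straight from the request (`issueDate.update(req)` followed by `result.issue(issueDate.getFrom(), issueDate.getTo())`), so unless CertificateValiditySelector already rejects past dates — not visible here — a user can request an arbitrarily back-dated notBefore, which the signer then honours via `-startdate`. I would reject it next to the existing check, e.g. `if (start != null && start.getTime() < System.currentTimeMillis() - ALLOWED_BACKDATE_MS) { /* throw GigiApiException */ }` with the tolerance as a named constant, so both halves of the validity are validated in one place. A javadoc line on `sign` stating that `start == null` means "sign time" (the signer substitutes `System.currentTimeMillis()`) would also help, and `targetId` is a `Certificate`, not an id, so `target` would be the clearer parameter name.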
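Review bot: The pattern `"YYMMddHHmmss'Z'"` uses `YY`, which in SimpleDateFormat is the ISO week-based year rather than the calendar year; for dates in the last days of December or the first days of January it yields the neighbouring year, so a certificate signed around New Year gets a `-startdate`/`-enddate` off by a whole year. It should be `new SimpleDateFormat("yyMMddHHmmss'Z'")` (newer openssl releases also accept the four-digit `yyyyMMddHHmmss'Z'`, which removes the two-digit-year ambiguity). Since this is a shared static SimpleDateFormat, which is not thread-safe, a comment that it is only used from the single signer thread — or a small synchronized formatting helper — would make that assumption explicit.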
DatabaseConnection.getInstance().prepare("SELECT certs.id AS id, certs.csr_name, certs.subject, jobs.id AS jobid, csr_type, md, keyUsage, extendedKeyUsage, rootcert FROM jobs " + // - readyCerts = DatabaseConnection.getInstance().prepare("SELECT certs.id AS id, certs.csr_name, certs.subject, jobs.id AS jobid, csr_type, md, keyUsage, extendedKeyUsage, executeFrom, executeTo FROM jobs " + // ++ readyCerts = DatabaseConnection.getInstance().prepare("SELECT certs.id AS id, certs.csr_name, certs.subject, jobs.id AS jobid, csr_type, md, keyUsage, extendedKeyUsage, executeFrom, executeTo, rootcert FROM jobs " + // "INNER JOIN certs ON certs.id=jobs.targetId " + // "INNER JOIN profiles ON profiles.id=certs.profile " + // "WHERE jobs.state='open' "// @@@ -174,110 -184,138 +185,146 @@@ private static int counter = 0; - private static void signCertificates() throws SQLException, IOException, InterruptedException { + private static void signCertificates() throws SQLException { ResultSet rs = readyCerts.executeQuery(); while (rs.next()) { String csrname = rs.getString("csr_name"); - System.out.println("sign: " + csrname); int id = rs.getInt("id"); - String csrType = rs.getString("csr_type"); - CSRType ct = CSRType.valueOf(csrType); - File crt = KeyStorage.locateCrt(id); - - String keyUsage = rs.getString("keyUsage"); - String ekeyUsage = rs.getString("extendedKeyUsage"); - getSANSs.setInt(1, id); - ResultSet san = getSANSs.executeQuery(); - - File f = new File("keys", "SANFile" + System.currentTimeMillis() + (counter++) + ".cfg"); - PrintWriter cfg = new PrintWriter(f); - boolean first = true; - while (san.next()) { - if ( !first) { - cfg.print(", "); + System.out.println("sign: " + csrname); + try { + String csrType = rs.getString("csr_type"); + CSRType ct = CSRType.valueOf(csrType); + File crt = KeyStorage.locateCrt(id); + + String keyUsage = rs.getString("keyUsage"); + String ekeyUsage = rs.getString("extendedKeyUsage"); + java.sql.Date from = rs.getDate("executeFrom"); + 
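Review bot: The rewritten `readyCerts` query now selects `executeFrom`/`executeTo` for every job with `state='open'`, and the visible WHERE clause does not filter on `task`; `Job.revoke` inserts rows with both columns NULL, and the consumer in `signCertificates` calls `length.endsWith("m")` on `executeTo` without a null check, which would throw a NullPointerException that none of its catch clauses handle and so end the signer loop. If the clause continues with a task filter beyond this hunk the point is moot; otherwise append `"AND jobs.task='sign' "` here and have the consumer treat a NULL `executeTo` as an error job instead of letting it escape. The `rootcert` column is re-added at the end of the select list, which is harmless because the consumer reads columns by name.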
String length = rs.getString("executeTo"); + Date fromDate; + Date toDate; + if (from == null) { + fromDate = new Date(System.currentTimeMillis()); } else { - cfg.print("subjectAltName="); + fromDate = new Date(from.getTime()); + } + if (length.endsWith("m") || length.endsWith("y")) { + String num = length.substring(0, length.length() - 1); + int inter = Integer.parseInt(num); + Calendar c = Calendar.getInstance(); + c.setTimeZone(TimeZone.getTimeZone("UTC")); + c.setTime(fromDate); + if (length.endsWith("m")) { + c.add(Calendar.MONTH, inter); + } else { + c.add(Calendar.YEAR, inter); + } + toDate = c.getTime(); + } else { + toDate = CertificateValiditySelector.getDateFormat().parse(length); + } + System.out.println(from); + System.out.println(sdf.format(fromDate)); + + getSANSs.setInt(1, id); + ResultSet san = getSANSs.executeQuery(); + + File f = new File("keys", "SANFile" + System.currentTimeMillis() + (counter++) + ".cfg"); + PrintWriter cfg = new PrintWriter(f); + boolean first = true; + while (san.next()) { + if ( !first) { + cfg.print(", "); + } else { + cfg.print("subjectAltName="); + } + first = false; + cfg.print(san.getString("type")); + cfg.print(":"); + cfg.print(san.getString("contents")); + } + cfg.println(); + cfg.println("keyUsage=" + keyUsage); + cfg.println("extendedKeyUsage=" + ekeyUsage); + cfg.close(); + ++ int rootcert = rs.getInt("rootcert"); ++ String ca = "unassured"; ++ if (rootcert == 0) { ++ ca = "unassured"; ++ } else if (rootcert == 1) { ++ ca = "assured"; + } - first = false; - cfg.print(san.getString("type")); - cfg.print(":"); - cfg.print(san.getString("contents")); - } - cfg.println(); - cfg.println("keyUsage=" + keyUsage); - cfg.println("extendedKeyUsage=" + ekeyUsage); - cfg.close(); - int rootcert = rs.getInt("rootcert"); - String ca = "unassured"; - if (rootcert == 0) { - ca = "unassured"; - } else if (rootcert == 1) { - ca = "assured"; - } - - String[] call = new String[] { - "openssl", "ca",// - "-in", - "../../" + 
csrname,// - "-cert", - "../" + ca + ".crt",// - "-keyfile", - "../" + ca + ".key",// - "-out", - "../../" + crt.getPath(),// - "-utf8", - "-days", - "356",// - "-batch",// - "-md", - rs.getString("md"),// - "-extfile", - "../" + f.getName(),// - - "-subj", - rs.getString("subject"),// - "-config", - "../selfsign.config"// - - }; - if (ct == CSRType.SPKAC) { - call[2] = "-spkac"; - } - Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca")); + - int waitFor = p1.waitFor(); - f.delete(); - if (waitFor == 0) { - try (InputStream is = new FileInputStream(crt)) { - CertificateFactory cf = CertificateFactory.getInstance("X.509"); - X509Certificate crtp = (X509Certificate) cf.generateCertificate(is); - BigInteger serial = crtp.getSerialNumber(); - updateMail.setString(1, crt.getPath()); - updateMail.setString(2, serial.toString(16)); - updateMail.setInt(3, id); - updateMail.execute(); - - finishJob.setInt(1, rs.getInt("jobid")); - finishJob.execute(); - System.out.println("signed: " + id); - continue; - } catch (GeneralSecurityException e) { - e.printStackTrace(); + String[] call = new String[] { + "openssl", "ca",// + "-in", + "../../" + csrname,// + "-cert", - "../unassured.crt",// ++ "../" + ca + ".crt",// + "-keyfile", - "../unassured.key",// ++ "../" + ca + ".key",// + "-out", + "../../" + crt.getPath(),// + "-utf8", + "-startdate", + sdf.format(fromDate),// + "-enddate", + sdf.format(toDate),// + "-batch",// + "-md", + rs.getString("md"),// + "-extfile", + "../" + f.getName(),// + + "-subj", + rs.getString("subject"),// + "-config", + "../selfsign.config"// + + }; + if (ct == CSRType.SPKAC) { + call[2] = "-spkac"; } - System.out.println("ERROR Afterwards: " + id); - warnMail.setInt(1, rs.getInt("jobid")); - warnMail.execute(); - } else { - BufferedReader br = new BufferedReader(new InputStreamReader(p1.getErrorStream())); - String s; - while ((s = br.readLine()) != null) { - System.out.println(s); + Process p1 = 
Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca")); + + int waitFor = p1.waitFor(); + f.delete(); + if (waitFor == 0) { + try (InputStream is = new FileInputStream(crt)) { + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + X509Certificate crtp = (X509Certificate) cf.generateCertificate(is); + BigInteger serial = crtp.getSerialNumber(); + updateMail.setString(1, crt.getPath()); + updateMail.setString(2, serial.toString(16)); + updateMail.setInt(3, id); + updateMail.execute(); + + finishJob.setInt(1, rs.getInt("jobid")); + finishJob.execute(); + System.out.println("signed: " + id); + continue; + } + } else { + BufferedReader br = new BufferedReader(new InputStreamReader(p1.getErrorStream())); + String s; + while ((s = br.readLine()) != null) { + System.out.println(s); + } } - System.out.println(Arrays.toString(call)); - System.out.println("ERROR: " + id); - warnMail.setInt(1, rs.getInt("jobid")); - warnMail.execute(); + } catch (GeneralSecurityException e) { + e.printStackTrace(); + } catch (IOException e) { + e.printStackTrace(); + } catch (SQLException e) { + e.printStackTrace(); + } catch (ParseException e) { + e.printStackTrace(); + } catch (InterruptedException e1) { + e1.printStackTrace(); } + System.out.println("Error with: " + id); + warnMail.setInt(1, rs.getInt("jobid")); + warnMail.execute(); } rs.close();