feat: Implement support for importing certificates
chore: Remove obsolete model wip: Create first working test case for cert import wip: Generate basic certRequest from given cert files wip: Start work on being able to import certificates chore: Update gitignore
This commit is contained in:
parent
b39242baba
commit
f2ed523285
15 changed files with 518 additions and 33 deletions
|
|
@ -8,7 +8,6 @@ import lombok.Data;
|
|||
public class CertificateRequest {
|
||||
|
||||
private RequestType type;
|
||||
private String commonName;
|
||||
private String trustingAuthority;
|
||||
|
||||
@Builder.Default
|
||||
|
|
@ -18,6 +17,7 @@ public class CertificateRequest {
|
|||
private int requestedValidityDays = 365;
|
||||
|
||||
private CertificateSubject subject;
|
||||
private CertificateSubject issuer;
|
||||
private CertificateRequestExtension extension;
|
||||
|
||||
public enum RequestType {
|
||||
|
|
@ -33,6 +33,11 @@ public class CertificateRequest {
|
|||
return this;
|
||||
}
|
||||
|
||||
public CertificateRequestBuilder issuer(CertificateSubject.CertificateSubjectBuilder builder) {
|
||||
this.issuer = builder.build();
|
||||
return this;
|
||||
}
|
||||
|
||||
public CertificateRequestBuilder extension(
|
||||
CertificateRequestExtension.CertificateRequestExtensionBuilder builder
|
||||
) {
|
||||
|
|
|
|||
|
|
@ -1,6 +1,9 @@
|
|||
package de.mlessmann.certassist.openssl;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.Objects;
|
||||
import java.util.stream.Stream;
|
||||
|
||||
import lombok.Builder;
|
||||
import lombok.Getter;
|
||||
|
||||
|
|
@ -13,7 +16,12 @@ public class CertificateRequestExtension {
|
|||
public static class CertificateRequestExtensionBuilder {
|
||||
|
||||
public CertificateRequestExtensionBuilder alternativeNames(String... altNames) {
|
||||
this.alternativeNames = List.of(altNames);
|
||||
Objects.requireNonNull(altNames, "Alternative names must not be null (but can be empty)");
|
||||
this.alternativeNames = Stream.of(altNames)
|
||||
.filter(Objects::nonNull)
|
||||
.map(String::trim)
|
||||
.map(name -> name.replaceAll("^DNS:", ""))
|
||||
.toList();
|
||||
return this;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,10 +7,13 @@ import lombok.Getter;
|
|||
@Builder
|
||||
public class CertificateSubject {
|
||||
|
||||
private String commonName;
|
||||
private String emailAddress;
|
||||
private String organization;
|
||||
private String organizationalUnit;
|
||||
private String country;
|
||||
private String state;
|
||||
private String locality;
|
||||
|
||||
public static class CertificateSubjectBuilder {}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ import de.mlessmann.certassist.ExecutableResolver;
|
|||
import de.mlessmann.certassist.except.CommandLineOperationException;
|
||||
import de.mlessmann.certassist.except.UnresolvableCLIDependency;
|
||||
import de.mlessmann.certassist.openssl.CertificateRequest.RequestType;
|
||||
import de.mlessmann.certassist.openssl.CertificateSubject.CertificateSubjectBuilder;
|
||||
import java.io.IOException;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.nio.file.Files;
|
||||
|
|
@ -59,7 +60,7 @@ public class OpenSSLCertificateCreator {
|
|||
.replace("STATE", request.getSubject().getState())
|
||||
.replace("LOCALITY", request.getSubject().getLocality())
|
||||
.replace("ORGANIZATION", request.getSubject().getOrganization())
|
||||
.replace("COMMON-NAME", request.getCommonName());
|
||||
.replace("COMMON-NAME", request.getSubject().getCommonName());
|
||||
|
||||
if (StringUtils.isNotBlank(request.getSubject().getOrganizationalUnit())) {
|
||||
certSubject += "/OU=" + request.getSubject().getOrganizationalUnit();
|
||||
|
|
@ -351,7 +352,7 @@ public class OpenSSLCertificateCreator {
|
|||
return outFile;
|
||||
}
|
||||
|
||||
private String getCertificateFingerprint(Path certificate)
|
||||
public String getCertificateFingerprint(Path certificate)
|
||||
throws CommandLineOperationException, InterruptedException {
|
||||
try {
|
||||
StartedProcess fingerprintProc = new ProcessExecutor()
|
||||
|
|
@ -361,6 +362,16 @@ public class OpenSSLCertificateCreator {
|
|||
.start();
|
||||
var fingerprintResult = fingerprintProc.getFuture().get();
|
||||
String output = fingerprintResult.getOutput().getUTF8();
|
||||
|
||||
if (fingerprintResult.getExitValue() != 0) {
|
||||
log.debug("Fingerprint command output:\n{}", output);
|
||||
throw new CommandLineOperationException(
|
||||
"Failed to get fingerprint of certificate. Exit code: %d".formatted(
|
||||
fingerprintResult.getExitValue()
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
Matcher matcher = FINGERPRINT_EXTRACTOR.matcher(output);
|
||||
if (!matcher.find()) {
|
||||
log.debug(output);
|
||||
|
|
@ -381,6 +392,49 @@ public class OpenSSLCertificateCreator {
|
|||
}
|
||||
}
|
||||
|
||||
public CertificateRequest getCertificateInfo(Path path) throws CommandLineOperationException, InterruptedException {
|
||||
try {
|
||||
StartedProcess infoProc = new ProcessExecutor()
|
||||
.command(
|
||||
resolveOpenSSL(),
|
||||
"x509",
|
||||
"-in",
|
||||
path.toString(),
|
||||
"-noout",
|
||||
"-dateopt",
|
||||
"iso_8601",
|
||||
"-fingerprint",
|
||||
"-subject",
|
||||
"-issuer",
|
||||
"-serial",
|
||||
"-dates",
|
||||
"-alias",
|
||||
"-email",
|
||||
"-purpose",
|
||||
"-ext",
|
||||
"subjectAltName",
|
||||
"-nameopt",
|
||||
"sep_multiline",
|
||||
"-nameopt",
|
||||
"lname"
|
||||
)
|
||||
.readOutput(true)
|
||||
.redirectError(Slf4jStream.ofCaller().asError())
|
||||
.start();
|
||||
var infoResult = infoProc.getFuture().get();
|
||||
String output = infoResult.getOutput().getUTF8();
|
||||
if (infoResult.getExitValue() != 0) {
|
||||
log.debug("Certificate info command output:\n{}", output);
|
||||
throw new CommandLineOperationException(
|
||||
"Failed to get info of path. Exit code: %d".formatted(infoResult.getExitValue())
|
||||
);
|
||||
}
|
||||
return getCertificateInfo(output.lines().toArray(String[]::new));
|
||||
} catch (IOException | ExecutionException e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
private String resolveOpenSSL() throws CommandLineOperationException {
|
||||
try {
|
||||
return executableResolver.getOpenSSLPath();
|
||||
|
|
@ -388,4 +442,59 @@ public class OpenSSLCertificateCreator {
|
|||
throw new CommandLineOperationException(e);
|
||||
}
|
||||
}
|
||||
|
||||
private CertificateRequest getCertificateInfo(String[] lines) {
|
||||
var builder = CertificateRequest.builder();
|
||||
boolean hasIssuer = false;
|
||||
|
||||
for (int i = 0; i < lines.length; i++) {
|
||||
String line = lines[i];
|
||||
if (line.startsWith("subject=")) {
|
||||
CertificateSubjectBuilder subjectBuilder = CertificateSubject.builder();
|
||||
|
||||
line = lines[++i];
|
||||
while (line.startsWith(" ")) {
|
||||
subjectBuilder = readSubjectInfo(line, subjectBuilder);
|
||||
line = lines[++i];
|
||||
}
|
||||
builder = builder.subject(subjectBuilder);
|
||||
} else if (line.startsWith("issuer=")) {
|
||||
hasIssuer = true;
|
||||
CertificateSubjectBuilder issuerBuilder = CertificateSubject.builder();
|
||||
|
||||
line = lines[++i];
|
||||
while (line.startsWith(" ")) {
|
||||
issuerBuilder = readSubjectInfo(line, issuerBuilder);
|
||||
line = lines[++i];
|
||||
}
|
||||
|
||||
builder = builder.issuer(issuerBuilder);
|
||||
} else if (line.startsWith("X509v3 Subject Alternative Name")) {
|
||||
String[] altNames = lines[++i].split(",");
|
||||
builder = builder.extension(CertificateRequestExtension.builder().alternativeNames(altNames));
|
||||
}
|
||||
}
|
||||
|
||||
builder = builder.type(hasIssuer ? RequestType.NORMAL_CERTIFICATE : RequestType.STANDALONE_CERTIFICATE);
|
||||
return builder.build();
|
||||
}
|
||||
|
||||
private CertificateSubjectBuilder readSubjectInfo(String line, CertificateSubjectBuilder builder) {
|
||||
String[] parts = line.split("=", 2);
|
||||
if (parts.length != 2) {
|
||||
return builder;
|
||||
}
|
||||
String key = parts[0];
|
||||
String value = parts[1];
|
||||
return switch (key.trim()) {
|
||||
case "countryName" -> builder.country(value);
|
||||
case "stateOrProvinceName" -> builder.state(value);
|
||||
case "localityName" -> builder.locality(value);
|
||||
case "organizationName" -> builder.organization(value);
|
||||
case "organizationalUnitName" -> builder.organizationalUnit(value);
|
||||
case "commonName" -> builder.commonName(value);
|
||||
case "emailAddress" -> builder.emailAddress(value);
|
||||
default -> throw new IllegalStateException("Unexpected subject key: %s in line: %s".formatted(key, line));
|
||||
};
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,8 +8,10 @@ import de.mlessmann.certassist.openssl.*;
|
|||
import de.mlessmann.certassist.repositories.CertificateRepository;
|
||||
import java.io.IOException;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.util.List;
|
||||
import lombok.RequiredArgsConstructor;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.springframework.stereotype.Service;
|
||||
|
||||
@Service
|
||||
|
|
@ -18,29 +20,10 @@ public class CertificateCreationService {
|
|||
|
||||
private final CertificateRepository certificateRepository;
|
||||
private final OpenSSLCertificateCreator openSSLCertificateCreator;
|
||||
private final PassphraseService passphraseService;
|
||||
|
||||
public Certificate createCertificate(final CertificateRequest certificateRequest) {
|
||||
final Certificate certificate = new Certificate();
|
||||
certificate.setType(mapCertificateRequestType(certificateRequest.getType()));
|
||||
certificate.setCommonName(certificateRequest.getCommonName());
|
||||
certificate.setTrustingAuthority(certificateRequest.getTrustingAuthority());
|
||||
certificate.setRequestedKeyLength(certificateRequest.getRequestedKeyLength());
|
||||
certificate.setRequestedValidityDays(certificateRequest.getRequestedValidityDays());
|
||||
final CertificateSubject certificateSubject = certificateRequest.getSubject();
|
||||
certificate.setSubjectEmailAddress(certificateSubject.getEmailAddress());
|
||||
certificate.setSubjectOrganization(certificateSubject.getOrganization());
|
||||
certificate.setSubjectOrganizationalUnit(certificateSubject.getOrganizationalUnit());
|
||||
certificate.setSubjectCountry(certificateSubject.getCountry());
|
||||
certificate.setSubjectState(certificateSubject.getState());
|
||||
certificate.setSubjectLocality(certificateSubject.getLocality());
|
||||
|
||||
final CertificateRequestExtension extension = certificateRequest.getExtension();
|
||||
if (extension != null) {
|
||||
final CertificateExtension certificateExtension = new CertificateExtension();
|
||||
certificateExtension.setIdentifier("alternativeNames");
|
||||
certificateExtension.setValue(String.join(",", extension.getAlternativeNames()));
|
||||
certificate.setCertificateExtension(List.of(certificateExtension));
|
||||
}
|
||||
final Certificate certificate = createEntityFromRequest(certificateRequest);
|
||||
|
||||
try (
|
||||
OpenSSLCertificateResult certificateCreatorResult = openSSLCertificateCreator.createCertificate(
|
||||
|
|
@ -60,6 +43,49 @@ public class CertificateCreationService {
|
|||
return certificate;
|
||||
}
|
||||
|
||||
private Certificate createEntityFromRequest(CertificateRequest certificateRequest) {
|
||||
final Certificate certificate = new Certificate();
|
||||
certificate.setType(mapCertificateRequestType(certificateRequest.getType()));
|
||||
certificate.setCommonName(certificateRequest.getSubject().getCommonName());
|
||||
certificate.setTrustingAuthority(certificateRequest.getTrustingAuthority());
|
||||
certificate.setRequestedKeyLength(certificateRequest.getRequestedKeyLength());
|
||||
certificate.setRequestedValidityDays(certificateRequest.getRequestedValidityDays());
|
||||
final CertificateSubject certificateSubject = certificateRequest.getSubject();
|
||||
certificate.setSubjectEmailAddress(certificateSubject.getEmailAddress());
|
||||
certificate.setSubjectOrganization(certificateSubject.getOrganization());
|
||||
certificate.setSubjectOrganizationalUnit(certificateSubject.getOrganizationalUnit());
|
||||
certificate.setSubjectCountry(certificateSubject.getCountry());
|
||||
certificate.setSubjectState(certificateSubject.getState());
|
||||
certificate.setSubjectLocality(certificateSubject.getLocality());
|
||||
|
||||
final CertificateRequestExtension extension = certificateRequest.getExtension();
|
||||
if (extension != null) {
|
||||
final CertificateExtension certificateExtension = new CertificateExtension();
|
||||
certificateExtension.setIdentifier("alternativeNames");
|
||||
certificateExtension.setValue(String.join(",", extension.getAlternativeNames()));
|
||||
certificate.setCertificateExtension(List.of(certificateExtension));
|
||||
}
|
||||
return certificate;
|
||||
}
|
||||
|
||||
public Certificate importCertificate(Path certificate, Path keyFile, String passphrase) {
|
||||
try {
|
||||
String fingerprint = openSSLCertificateCreator.getCertificateFingerprint(certificate);
|
||||
var generatedRequest = openSSLCertificateCreator.getCertificateInfo(certificate);
|
||||
Certificate entity = createEntityFromRequest(generatedRequest);
|
||||
entity.setCert(Files.readAllBytes(certificate));
|
||||
entity.setPrivateKey(Files.readAllBytes(keyFile));
|
||||
if (StringUtils.isNotBlank(passphrase)) {
|
||||
passphraseService.storePassphrase("cert:" + fingerprint, passphrase);
|
||||
}
|
||||
return certificateRepository.save(entity);
|
||||
} catch (CommandLineOperationException | IOException e) {
|
||||
throw new RuntimeException("Unable to import certificate", e);
|
||||
} catch (InterruptedException e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
}
|
||||
|
||||
private CertificateType mapCertificateRequestType(CertificateRequest.RequestType requestType) {
|
||||
return switch (requestType) {
|
||||
case ROOT_AUTHORITY -> CertificateType.ROOT_CA;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue