diff --git a/src/main/java/de/mlessmann/certassist/openssl/OpenSSLCertificateCreator.java b/src/main/java/de/mlessmann/certassist/openssl/OpenSSLCertificateCreator.java
index 74af6ab..ea02474 100644
--- a/src/main/java/de/mlessmann/certassist/openssl/OpenSSLCertificateCreator.java
+++ b/src/main/java/de/mlessmann/certassist/openssl/OpenSSLCertificateCreator.java
@@ -33,6 +33,7 @@ import org.springframework.lang.NonNull;
 import org.springframework.stereotype.Service;
 import org.springframework.util.CollectionUtils;
 import org.zeroturnaround.exec.ProcessExecutor;
+import org.zeroturnaround.exec.ProcessResult;
 import org.zeroturnaround.exec.StartedProcess;
 import org.zeroturnaround.exec.stream.slf4j.Slf4jStream;
@@ -123,13 +124,13 @@ public class OpenSSLCertificateCreator {
         }
         try (var certAuthority = certificateProvider.requestCertificateUsage(request.getTrustingAuthority())) {
-            Path unsignedCert = createSigningRequest(request, keyFile, tmpDir.resolve("child.csr"), keyPassphrase);
+            Path signingRequest = createSigningRequest(request, keyFile, tmpDir.resolve("child.csr"), keyPassphrase);
             Path signedCert = signCertificate(
                 request,
                 certAuthority.certificatePath(),
                 certAuthority.certificateKeyPath(),
-                unsignedCert,
-                keyPassphrase
+                passwordProvider.getPasswordFor(certAuthority.fingerprint()),
+                signingRequest
             );
             String fingerprint = getCertificateFingerprint(signedCert);
             passwordProvider.setPasswordFor(fingerprint, keyPassphrase);
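Review bot: The CA passphrase is now fetched inline with `passwordProvider.getPasswordFor(certAuthority.fingerprint())` and handed straight to signCertificate, so a missing entry for that fingerprint is only discovered later — as a rejected environment value or a non-zero OpenSSL exit in the x509 hunk — with no indication which CA was involved. Bind it to a local and fail early with context: `String caKeyPassphrase = Objects.requireNonNull(passwordProvider.getPasswordFor(certAuthority.fingerprint()), "no passphrase stored for CA " + certAuthority.fingerprint());` (java.util.Objects; if getPasswordFor already throws for unknown fingerprints, a comment saying so at the call site is enough). Two passphrases are in play in this block — `keyPassphrase` for the newly created key and the looked-up one for the CA key — and a one-line comment above the signCertificate call distinguishing them would help readers. The enclosing method starts before this hunk.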
@@ -356,11 +357,11 @@ public class OpenSSLCertificateCreator {
         CertificateRequest request,
         Path caCert,
         Path caKey,
-        Path csrFile,
-        String certPassword
+        String caKeyPassphrase,
+        Path csrFile
     ) throws CommandLineOperationException, InterruptedException {
         Path outFile = csrFile.resolveSibling(csrFile.getFileName().toString().replace(".csr", ".crt"));
-        log.atDebug().log("Writing new signed certificate file {}", outFile);
+        log.debug("Writing new signed certificate file {}", outFile);
         Path extFile = csrFile.resolveSibling(csrFile.getFileName().toString().replace(".csr", ".ext"));
         try {
@@ -395,7 +396,8 @@ public class OpenSSLCertificateCreator {
         StartedProcess certGenProc = null;
         try {
-            certGenProc = new ProcessExecutor()
+            certGenProc =
+                new ProcessExecutor()
                 .command(
                     resolveOpenSSL(),
                     "x509",
@@ -409,15 +411,23 @@ public class OpenSSLCertificateCreator {
                     "-CAkey",
                     caKey.toString(),
                     "-CAcreateserial",
+                    "-passin",
+                    OSSL_ARG_KEY_PW,
                     "-out",
                     outFile.toString(),
                     "-extfile",
                     extFile.toString()
                 )
+                .environment(OSSL_ENV_KEY_PW, caKeyPassphrase)
                 .redirectOutput(Slf4jStream.of(openSSLLogger).asDebug())
                 .redirectError(Slf4jStream.of(openSSLLogger).asError())
                 .start();
-            certGenProc.getFuture().get(30, TimeUnit.SECONDS);
+            ProcessResult result = certGenProc.getFuture().get(30, TimeUnit.SECONDS);
+            // Check exit code
+            if (result.getExitValue() != 0) {
+                throw new CommandLineOperationException("Failed to sign certificate. Exit code: " + result.getExitValue());
+            }
+
         } catch (IOException | TimeoutException e) {
             throw new CommandLineOperationException("Failure running OpenSSL x509 command.", e);
         } catch (ExecutionException e) {
diff --git a/src/main/java/de/mlessmann/certassist/openssl/OpenSSLCertificateResult.java b/src/main/java/de/mlessmann/certassist/openssl/OpenSSLCertificateResult.java
index 036b9b7..17d1721 100644
--- a/src/main/java/de/mlessmann/certassist/openssl/OpenSSLCertificateResult.java
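Review bot: The reordered parameters `String caKeyPassphrase, Path csrFile` carry no documentation of what the passphrase unlocks or how it reaches OpenSSL, and the method's Javadoc (its opening line is above this hunk) should gain `@param caKeyPassphrase passphrase of {@code caKey}; handed to OpenSSL through the environment, never on the command line` together with `@throws CommandLineOperationException if OpenSSL cannot be started or exits non-zero`, matching the new check in the x509 hunk below. Swapping the two parameter types rather than only renaming them is a good choice here: any caller still passing the CSR path and passphrase in the old order fails to compile instead of silently sending the wrong value. The signature line and the method name sit outside this hunk.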
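Review bot: The new exit-code branch reimplements what zt-exec already offers — configuring `.exitValueNormal()` on the ProcessExecutor makes a non-zero exit surface as an exception from `getFuture().get(...)` (presumably wrapped in the ExecutionException already caught below; worth confirming against the library version in use), so the manual `if (result.getExitValue() != 0)` and the `// Check exit code` what-comment could go. If the manual check stays, replace the comment with the reason it exists: `// openssl x509 exits non-zero on a wrong CA passphrase or a bad CSR; the future still completes normally, so the status must be checked here`. Passing the passphrase via `.environment(OSSL_ENV_KEY_PW, caKeyPassphrase)` with `-passin` is the right approach, since command-line arguments are visible to other local users in process listings while the environment is not — presumably `OSSL_ARG_KEY_PW` is the matching `env:` selector, which a short comment on the constant should state. Two smaller points: the blank `+` line before `} catch` is a stray, and the `CommandLineOperationException` thrown inside the try will be re-wrapped by `catch (IOException | TimeoutException e)` if that exception type extends IOException, which is not visible here. signCertificate's catch chain continues past the end of the hunk.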
+++ b/src/main/java/de/mlessmann/certassist/openssl/OpenSSLCertificateResult.java
@@ -45,7 +45,6 @@ public class OpenSSLCertificateResult implements CertificateUsage {
     }
     private void cleanupDir(boolean retryOnExit) {
-        try {
             log.info("Cleaning up temporary output directory {}", tmpDir);
             Files.walkFileTree(tmpDir, Set.of(), Integer.MAX_VALUE, new DeleteRecursiveFileVisitor());