diff --git a/src/main/java/de/mlessmann/certassist/models/Certificate.java b/src/main/java/de/mlessmann/certassist/models/Certificate.java
index 6150139..fdf3d16 100644
--- a/src/main/java/de/mlessmann/certassist/models/Certificate.java
+++ b/src/main/java/de/mlessmann/certassist/models/Certificate.java
@@ -3,13 +3,12 @@ package de.mlessmann.certassist.models;
import jakarta.persistence.*;
import jakarta.validation.constraints.Min;
import jakarta.validation.constraints.NotNull;
-import lombok.*;
-import org.hibernate.proxy.HibernateProxy;
-
import java.time.OffsetDateTime;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
+import lombok.*;
+import org.hibernate.proxy.HibernateProxy;
@Entity
@Table(uniqueConstraints = { @UniqueConstraint(columnNames = { "fingerprint" }) })
@@ -30,7 +29,14 @@ public class Certificate {
private String trustingAuthority;
- @Min(1)
+ /**
+ *
+ * - -1 = no requested key length is known (might happen with imported certificates)
+ * - 0 = no key is available for this certificate (might happen with trusted third party certificates)
+ * - > 1 = The key length in bits used for the private key of this certificate
+ *
+ */
+ @Min(-1)
private int requestedKeyLength;
private OffsetDateTime notBefore;
@@ -69,8 +75,12 @@ public class Certificate {
public final boolean equals(Object o) {
if (this == o) return true;
if (o == null) return false;
- Class oEffectiveClass = o instanceof HibernateProxy ? ((HibernateProxy) o).getHibernateLazyInitializer().getPersistentClass() : o.getClass();
- Class thisEffectiveClass = this instanceof HibernateProxy ? ((HibernateProxy) this).getHibernateLazyInitializer().getPersistentClass() : this.getClass();
+ Class oEffectiveClass = o instanceof HibernateProxy
+ ? ((HibernateProxy) o).getHibernateLazyInitializer().getPersistentClass()
+ : o.getClass();
+ Class thisEffectiveClass = this instanceof HibernateProxy
+ ? ((HibernateProxy) this).getHibernateLazyInitializer().getPersistentClass()
+ : this.getClass();
if (thisEffectiveClass != oEffectiveClass) return false;
Certificate that = (Certificate) o;
return getId() != null && Objects.equals(getId(), that.getId());
@@ -78,6 +88,8 @@ public class Certificate {
@Override
public final int hashCode() {
- return this instanceof HibernateProxy ? ((HibernateProxy) this).getHibernateLazyInitializer().getPersistentClass().hashCode() : getClass().hashCode();
+ return this instanceof HibernateProxy
+ ? ((HibernateProxy) this).getHibernateLazyInitializer().getPersistentClass().hashCode()
+ : getClass().hashCode();
}
}
diff --git a/src/main/java/de/mlessmann/certassist/openssl/OpenSSLService.java b/src/main/java/de/mlessmann/certassist/openssl/OpenSSLService.java
index 9355796..85ae4b1 100644
--- a/src/main/java/de/mlessmann/certassist/openssl/OpenSSLService.java
+++ b/src/main/java/de/mlessmann/certassist/openssl/OpenSSLService.java
@@ -23,11 +23,9 @@ import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.security.cert.X509Certificate;
import java.time.OffsetDateTime;
-import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeFormatterBuilder;
import java.time.temporal.ChronoField;
-import java.time.temporal.IsoFields;
import java.util.*;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeoutException;
@@ -72,20 +70,20 @@ public class OpenSSLService {
"^(?[0-9a-zA-Z]+) (?i)Fingerprint(?-i)=(?[a-z:A-Z0-9]+)"
);
private final DateTimeFormatter OSSL_DATE_TIME = new DateTimeFormatterBuilder()
- .parseCaseInsensitive()
- .appendValue(ChronoField.YEAR, 4)
- .appendLiteral('-')
- .appendValue(ChronoField.MONTH_OF_YEAR, 2)
- .appendLiteral('-')
- .appendValue(ChronoField.DAY_OF_MONTH, 2)
- .appendLiteral(' ')
- .appendValue(ChronoField.HOUR_OF_DAY, 2)
- .appendLiteral(':')
- .appendValue(ChronoField.MINUTE_OF_HOUR, 2)
- .appendLiteral(':')
- .appendValue(ChronoField.SECOND_OF_MINUTE, 2)
- .appendOffset("+HH:MM:ss","Z")
- .toFormatter();
+ .parseCaseInsensitive()
+ .appendValue(ChronoField.YEAR, 4)
+ .appendLiteral('-')
+ .appendValue(ChronoField.MONTH_OF_YEAR, 2)
+ .appendLiteral('-')
+ .appendValue(ChronoField.DAY_OF_MONTH, 2)
+ .appendLiteral(' ')
+ .appendValue(ChronoField.HOUR_OF_DAY, 2)
+ .appendLiteral(':')
+ .appendValue(ChronoField.MINUTE_OF_HOUR, 2)
+ .appendLiteral(':')
+ .appendValue(ChronoField.SECOND_OF_MINUTE, 2)
+ .appendOffset("+HH:MM:ss", "Z")
+ .toFormatter();
private static final String OSSL_ENV_KEY_PW = "KEY_PASS";
private static final String OSSL_ARG_KEY_PW = "env:" + OSSL_ENV_KEY_PW;
private final AtomicBoolean versionLogged = new AtomicBoolean(false);
@@ -764,7 +762,7 @@ public class OpenSSLService {
"sep_multiline",
"-nameopt",
"lname",
- "-modulus"
+ "-modulus"
)
);
command.addAll(Arrays.asList(additArgs));
diff --git a/src/main/java/de/mlessmann/certassist/openssl/X509CertificateInfo.java b/src/main/java/de/mlessmann/certassist/openssl/X509CertificateInfo.java
index 3f81078..d99d506 100644
--- a/src/main/java/de/mlessmann/certassist/openssl/X509CertificateInfo.java
+++ b/src/main/java/de/mlessmann/certassist/openssl/X509CertificateInfo.java
@@ -2,23 +2,21 @@ package de.mlessmann.certassist.openssl;
import de.mlessmann.certassist.models.CertificateInfoExtension;
import de.mlessmann.certassist.models.CertificateInfoSubject;
-import lombok.Builder;
-import org.springframework.lang.Nullable;
-
import java.time.OffsetDateTime;
-import java.time.ZonedDateTime;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
+import lombok.Builder;
+import org.springframework.lang.Nullable;
@Builder
public record X509CertificateInfo(
- CertificateInfoSubject subject,
- @Nullable CertificateInfoSubject issuer,
- String serial,
- OffsetDateTime notBefore,
- OffsetDateTime notAfter,
- List extensions
+ CertificateInfoSubject subject,
+ @Nullable CertificateInfoSubject issuer,
+ String serial,
+ OffsetDateTime notBefore,
+ OffsetDateTime notAfter,
+ List extensions
) {
public X509CertificateInfo {
Objects.requireNonNull(subject);
@@ -34,4 +32,8 @@ public record X509CertificateInfo(
}
return Collections.unmodifiableList(extensions);
}
+
+ public boolean hasExtensions() {
+ return extensions != null && !extensions.isEmpty();
+ }
}
diff --git a/src/main/java/de/mlessmann/certassist/service/CertificateCreationService.java b/src/main/java/de/mlessmann/certassist/service/CertificateCreationService.java
index 1383116..349558a 100644
--- a/src/main/java/de/mlessmann/certassist/service/CertificateCreationService.java
+++ b/src/main/java/de/mlessmann/certassist/service/CertificateCreationService.java
@@ -79,9 +79,17 @@ public class CertificateCreationService {
private Certificate createEntityFromInfo(X509CertificateInfo info) {
final Certificate certificate = new Certificate();
- certificate.setType(mapCertificateRequestType(info.issuer() != null ? CertificateInfo.RequestType.NORMAL_CERTIFICATE : CertificateInfo.RequestType.STANDALONE_CERTIFICATE));
+ certificate.setType(
+ mapCertificateRequestType(
+ info.issuer() != null
+ ? CertificateInfo.RequestType.NORMAL_CERTIFICATE
+ : CertificateInfo.RequestType.STANDALONE_CERTIFICATE
+ )
+ );
certificate.setSubjectCommonName(info.subject().getCommonName());
- certificate.setTrustingAuthority(info.issuer().getCommonName());
+ if (info.issuer() != null) {
+ certificate.setTrustingAuthority(info.issuer().getCommonName());
+ }
certificate.setRequestedKeyLength(-1);
certificate.setNotBefore(info.notBefore());
certificate.setNotAfter(info.notAfter());
@@ -94,12 +102,14 @@ public class CertificateCreationService {
certificate.setSubjectState(subjectInfo.getState());
certificate.setSubjectLocality(subjectInfo.getLocality());
- final CertificateInfoExtension extension = info.extensions().getFirst();
- if (extension != null) {
- final CertificateExtension certificateExtension = new CertificateExtension();
- certificateExtension.setIdentifier("alternativeNames");
- certificateExtension.setValue(String.join(",", extension.getAlternativeDnsNames()));
- certificate.setCertificateExtension(List.of(certificateExtension));
+ if (info.hasExtensions()) {
+ final CertificateInfoExtension extension = info.extensions().getFirst();
+ if (extension != null) {
+ final CertificateExtension certificateExtension = new CertificateExtension();
+ certificateExtension.setIdentifier("alternativeNames");
+ certificateExtension.setValue(String.join(",", extension.getAlternativeDnsNames()));
+ certificate.setCertificateExtension(List.of(certificateExtension));
+ }
}
return certificate;
}
@@ -113,6 +123,7 @@ public class CertificateCreationService {
try {
String fingerprint = openSSLService.getCertificateFingerprint(certificate);
Certificate entity = createEntityFromInfo(openSSLService.getCertificateInfo(certificate));
+ entity.setRequestedKeyLength(-1);
entity.setFingerprint(fingerprint);
entity.setCert(Files.readAllBytes(certificate));
if (keyFile != null) {
diff --git a/src/test/java/de/mlessmann/certassist/TestOpenSSLService.java b/src/test/java/de/mlessmann/certassist/TestOpenSSLService.java
index c25780f..cc6c4ea 100644
--- a/src/test/java/de/mlessmann/certassist/TestOpenSSLService.java
+++ b/src/test/java/de/mlessmann/certassist/TestOpenSSLService.java
@@ -1,5 +1,9 @@
package de.mlessmann.certassist;
+import static java.util.Objects.requireNonNull;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.*;
+
import de.mlessmann.certassist.models.CertificateInfo;
import de.mlessmann.certassist.models.CertificateInfo.RequestType;
import de.mlessmann.certassist.models.CertificateInfoExtension;
@@ -8,24 +12,19 @@ import de.mlessmann.certassist.openssl.CertificatePasswordProvider;
import de.mlessmann.certassist.openssl.CertificateProvider;
import de.mlessmann.certassist.openssl.OpenSSLService;
import de.mlessmann.certassist.service.ExecutableResolver;
+import java.nio.file.Path;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.boot.test.mock.mockito.MockBean;
-import java.nio.file.Path;
-
-import static java.util.Objects.requireNonNull;
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.mockito.Mockito.*;
-
@SpringBootTest
class TestOpenSSLService {
public static final String TEST_CERT_PASSPHRASE = "ABC-123";
public static final Path TEST_CERT_PATH = Path.of("src/test/resources/openssl");
public static final String TEST_CERT_FINGERPRINT =
- "SHA1;4E:D6:0A:47:F0:63:AD:96:26:83:16:28:32:F5:E8:36:5A:62:91:95";
+ "SHA1;4E:D6:0A:47:F0:63:AD:96:26:83:16:28:32:F5:E8:36:5A:62:91:95";
private static final String ERR_NOT_ENCRYPTED = "Private key not encrypted";
private static final String ERR_VERIFY_FAILED = "Certificate verification failed";
@@ -45,57 +44,55 @@ class TestOpenSSLService {
var certificateCreator = new OpenSSLService(executableResolver, passwordProvider, certificateProvider);
CertificateInfo certRequest = CertificateInfo
- .builder()
- .type(RequestType.STANDALONE_CERTIFICATE)
- .subject(
- CertificateInfoSubject
- .builder()
- .commonName("test.home")
- .country("DE")
- .state("SH")
- .locality("HH")
- .organization("Crazy-Cats")
- )
- .extension(CertificateInfoExtension.builder().alternativeDnsNames("test2.home", "test3.home"))
- .build();
+ .builder()
+ .type(RequestType.STANDALONE_CERTIFICATE)
+ .subject(
+ CertificateInfoSubject
+ .builder()
+ .commonName("test.home")
+ .country("DE")
+ .state("SH")
+ .locality("HH")
+ .organization("Crazy-Cats")
+ )
+ .extension(CertificateInfoExtension.builder().alternativeDnsNames("test2.home", "test3.home"))
+ .build();
try (var cert = certificateCreator.createCertificate(certRequest)) {
assertThat(certificateCreator.verifyCertificate(cert.certificatePath(), cert.certificatePath()))
- .withFailMessage(ERR_VERIFY_FAILED)
- .isTrue();
+ .withFailMessage(ERR_VERIFY_FAILED)
+ .isTrue();
assertThat(certificateCreator.isKeyEncrypted(requireNonNull(cert.certificateKeyPath())))
- .withFailMessage(ERR_NOT_ENCRYPTED)
- .isTrue();
+ .withFailMessage(ERR_NOT_ENCRYPTED)
+ .isTrue();
CertificateInfo childRequest = CertificateInfo
- .builder()
- .type(RequestType.NORMAL_CERTIFICATE)
- .trustingAuthority(cert.fingerprint())
- .subject(
- CertificateInfoSubject
- .builder()
- .commonName("test.local")
- .country("DE")
- .state("SH")
- .locality("HH")
- .organization("Crazy-Cats")
- )
- .extension(CertificateInfoExtension.builder().alternativeDnsNames("test2.local", "test3.local"))
- .build();
+ .builder()
+ .type(RequestType.NORMAL_CERTIFICATE)
+ .trustingAuthority(cert.fingerprint())
+ .subject(
+ CertificateInfoSubject
+ .builder()
+ .commonName("test.local")
+ .country("DE")
+ .state("SH")
+ .locality("HH")
+ .organization("Crazy-Cats")
+ )
+ .extension(CertificateInfoExtension.builder().alternativeDnsNames("test2.local", "test3.local"))
+ .build();
var spiedCert = spy(cert);
doNothing().when(spiedCert).close();
when(certificateProvider.requestCertificateUsage(cert.fingerprint())).thenReturn(spiedCert);
try (var childCert = certificateCreator.createCertificate(childRequest)) {
Path fullchain = childCert.fullchainPath();
- assertThat(
- certificateCreator.verifyCertificate(requireNonNull(fullchain), cert.certificatePath())
- )
- .withFailMessage(ERR_VERIFY_FAILED)
- .isTrue();
+ assertThat(certificateCreator.verifyCertificate(requireNonNull(fullchain), cert.certificatePath()))
+ .withFailMessage(ERR_VERIFY_FAILED)
+ .isTrue();
assertThat(certificateCreator.isKeyEncrypted(requireNonNull(childCert.certificateKeyPath())))
- .withFailMessage(ERR_NOT_ENCRYPTED)
- .isTrue();
+ .withFailMessage(ERR_NOT_ENCRYPTED)
+ .isTrue();
}
}
}
@@ -124,6 +121,7 @@ class TestOpenSSLService {
assertThat(request.subject().getState()).isEqualTo("SH");
assertThat(request.subject().getLocality()).isEqualTo("HH");
assertThat(request.subject().getOrganization()).isEqualTo("Crazy-Cats");
- assertThat(request.extensions().getFirst().getAlternativeDnsNames()).containsExactly("test2.local", "test3.local");
+ assertThat(request.extensions().getFirst().getAlternativeDnsNames())
+ .containsExactly("test2.local", "test3.local");
}
}
diff --git a/src/test/java/de/mlessmann/certassist/repositories/CertificateRepositoryTest.java b/src/test/java/de/mlessmann/certassist/repositories/CertificateRepositoryTest.java
index e142fa4..1b53594 100644
--- a/src/test/java/de/mlessmann/certassist/repositories/CertificateRepositoryTest.java
+++ b/src/test/java/de/mlessmann/certassist/repositories/CertificateRepositoryTest.java
@@ -6,7 +6,6 @@ import de.mlessmann.certassist.models.Certificate;
import de.mlessmann.certassist.models.CertificateExtension;
import de.mlessmann.certassist.models.CertificateType;
import jakarta.transaction.Transactional;
-
import java.time.OffsetDateTime;
import java.util.List;
import java.util.stream.StreamSupport;