Compare commits
3 commits
2a02e26b01
...
a9d8782a27
| Author | SHA1 | Date | |
|---|---|---|---|
a9d8782a27
|
|||
|
f8e9158a76
|
|||
|
4b863fec42
|
6 changed files with 109 additions and 89 deletions
|
|
@ -3,13 +3,12 @@ package de.mlessmann.certassist.models;
|
|||
import jakarta.persistence.*;
|
||||
import jakarta.validation.constraints.Min;
|
||||
import jakarta.validation.constraints.NotNull;
|
||||
import lombok.*;
|
||||
import org.hibernate.proxy.HibernateProxy;
|
||||
|
||||
import java.time.OffsetDateTime;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Objects;
|
||||
import lombok.*;
|
||||
import org.hibernate.proxy.HibernateProxy;
|
||||
|
||||
@Entity
|
||||
@Table(uniqueConstraints = { @UniqueConstraint(columnNames = { "fingerprint" }) })
|
||||
|
|
@ -30,7 +29,14 @@ public class Certificate {
|
|||
|
||||
private String trustingAuthority;
|
||||
|
||||
@Min(1)
|
||||
/**
|
||||
* <ul>
|
||||
* <li>-1 = no requested key length is known (might happen with imported certificates)</li>
|
||||
* <li>0 = no key is available for this certificate (might happen with trusted third party certificates)</li>
|
||||
* <li>> 1 = The key length in bits used for the private key of this certificate</li>
|
||||
* </ul>
|
||||
*/
|
||||
@Min(-1)
|
||||
private int requestedKeyLength;
|
||||
|
||||
private OffsetDateTime notBefore;
|
||||
|
|
@ -69,8 +75,12 @@ public class Certificate {
|
|||
public final boolean equals(Object o) {
|
||||
if (this == o) return true;
|
||||
if (o == null) return false;
|
||||
Class<?> oEffectiveClass = o instanceof HibernateProxy ? ((HibernateProxy) o).getHibernateLazyInitializer().getPersistentClass() : o.getClass();
|
||||
Class<?> thisEffectiveClass = this instanceof HibernateProxy ? ((HibernateProxy) this).getHibernateLazyInitializer().getPersistentClass() : this.getClass();
|
||||
Class<?> oEffectiveClass = o instanceof HibernateProxy
|
||||
? ((HibernateProxy) o).getHibernateLazyInitializer().getPersistentClass()
|
||||
: o.getClass();
|
||||
Class<?> thisEffectiveClass = this instanceof HibernateProxy
|
||||
? ((HibernateProxy) this).getHibernateLazyInitializer().getPersistentClass()
|
||||
: this.getClass();
|
||||
if (thisEffectiveClass != oEffectiveClass) return false;
|
||||
Certificate that = (Certificate) o;
|
||||
return getId() != null && Objects.equals(getId(), that.getId());
|
||||
|
|
@ -78,6 +88,8 @@ public class Certificate {
|
|||
|
||||
@Override
|
||||
public final int hashCode() {
|
||||
return this instanceof HibernateProxy ? ((HibernateProxy) this).getHibernateLazyInitializer().getPersistentClass().hashCode() : getClass().hashCode();
|
||||
return this instanceof HibernateProxy
|
||||
? ((HibernateProxy) this).getHibernateLazyInitializer().getPersistentClass().hashCode()
|
||||
: getClass().hashCode();
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -23,11 +23,9 @@ import java.nio.file.Path;
|
|||
import java.nio.file.StandardOpenOption;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.time.OffsetDateTime;
|
||||
import java.time.ZonedDateTime;
|
||||
import java.time.format.DateTimeFormatter;
|
||||
import java.time.format.DateTimeFormatterBuilder;
|
||||
import java.time.temporal.ChronoField;
|
||||
import java.time.temporal.IsoFields;
|
||||
import java.util.*;
|
||||
import java.util.concurrent.ExecutionException;
|
||||
import java.util.concurrent.TimeoutException;
|
||||
|
|
@ -72,20 +70,20 @@ public class OpenSSLService {
|
|||
"^(?<algo>[0-9a-zA-Z]+) (?i)Fingerprint(?-i)=(?<finger>[a-z:A-Z0-9]+)"
|
||||
);
|
||||
private final DateTimeFormatter OSSL_DATE_TIME = new DateTimeFormatterBuilder()
|
||||
.parseCaseInsensitive()
|
||||
.appendValue(ChronoField.YEAR, 4)
|
||||
.appendLiteral('-')
|
||||
.appendValue(ChronoField.MONTH_OF_YEAR, 2)
|
||||
.appendLiteral('-')
|
||||
.appendValue(ChronoField.DAY_OF_MONTH, 2)
|
||||
.appendLiteral(' ')
|
||||
.appendValue(ChronoField.HOUR_OF_DAY, 2)
|
||||
.appendLiteral(':')
|
||||
.appendValue(ChronoField.MINUTE_OF_HOUR, 2)
|
||||
.appendLiteral(':')
|
||||
.appendValue(ChronoField.SECOND_OF_MINUTE, 2)
|
||||
.appendOffset("+HH:MM:ss","Z")
|
||||
.toFormatter();
|
||||
.parseCaseInsensitive()
|
||||
.appendValue(ChronoField.YEAR, 4)
|
||||
.appendLiteral('-')
|
||||
.appendValue(ChronoField.MONTH_OF_YEAR, 2)
|
||||
.appendLiteral('-')
|
||||
.appendValue(ChronoField.DAY_OF_MONTH, 2)
|
||||
.appendLiteral(' ')
|
||||
.appendValue(ChronoField.HOUR_OF_DAY, 2)
|
||||
.appendLiteral(':')
|
||||
.appendValue(ChronoField.MINUTE_OF_HOUR, 2)
|
||||
.appendLiteral(':')
|
||||
.appendValue(ChronoField.SECOND_OF_MINUTE, 2)
|
||||
.appendOffset("+HH:MM:ss", "Z")
|
||||
.toFormatter();
|
||||
private static final String OSSL_ENV_KEY_PW = "KEY_PASS";
|
||||
private static final String OSSL_ARG_KEY_PW = "env:" + OSSL_ENV_KEY_PW;
|
||||
private final AtomicBoolean versionLogged = new AtomicBoolean(false);
|
||||
|
|
@ -764,7 +762,7 @@ public class OpenSSLService {
|
|||
"sep_multiline",
|
||||
"-nameopt",
|
||||
"lname",
|
||||
"-modulus"
|
||||
"-modulus"
|
||||
)
|
||||
);
|
||||
command.addAll(Arrays.asList(additArgs));
|
||||
|
|
|
|||
|
|
@ -2,23 +2,21 @@ package de.mlessmann.certassist.openssl;
|
|||
|
||||
import de.mlessmann.certassist.models.CertificateInfoExtension;
|
||||
import de.mlessmann.certassist.models.CertificateInfoSubject;
|
||||
import lombok.Builder;
|
||||
import org.springframework.lang.Nullable;
|
||||
|
||||
import java.time.OffsetDateTime;
|
||||
import java.time.ZonedDateTime;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Objects;
|
||||
import lombok.Builder;
|
||||
import org.springframework.lang.Nullable;
|
||||
|
||||
@Builder
|
||||
public record X509CertificateInfo(
|
||||
CertificateInfoSubject subject,
|
||||
@Nullable CertificateInfoSubject issuer,
|
||||
String serial,
|
||||
OffsetDateTime notBefore,
|
||||
OffsetDateTime notAfter,
|
||||
List<CertificateInfoExtension> extensions
|
||||
CertificateInfoSubject subject,
|
||||
@Nullable CertificateInfoSubject issuer,
|
||||
String serial,
|
||||
OffsetDateTime notBefore,
|
||||
OffsetDateTime notAfter,
|
||||
List<CertificateInfoExtension> extensions
|
||||
) {
|
||||
public X509CertificateInfo {
|
||||
Objects.requireNonNull(subject);
|
||||
|
|
@ -34,4 +32,8 @@ public record X509CertificateInfo(
|
|||
}
|
||||
return Collections.unmodifiableList(extensions);
|
||||
}
|
||||
|
||||
public boolean hasExtensions() {
|
||||
return extensions != null && !extensions.isEmpty();
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -79,9 +79,17 @@ public class CertificateCreationService {
|
|||
|
||||
private Certificate createEntityFromInfo(X509CertificateInfo info) {
|
||||
final Certificate certificate = new Certificate();
|
||||
certificate.setType(mapCertificateRequestType(info.issuer() != null ? CertificateInfo.RequestType.NORMAL_CERTIFICATE : CertificateInfo.RequestType.STANDALONE_CERTIFICATE));
|
||||
certificate.setType(
|
||||
mapCertificateRequestType(
|
||||
info.issuer() != null
|
||||
? CertificateInfo.RequestType.NORMAL_CERTIFICATE
|
||||
: CertificateInfo.RequestType.STANDALONE_CERTIFICATE
|
||||
)
|
||||
);
|
||||
certificate.setSubjectCommonName(info.subject().getCommonName());
|
||||
certificate.setTrustingAuthority(info.issuer().getCommonName());
|
||||
if (info.issuer() != null) {
|
||||
certificate.setTrustingAuthority(info.issuer().getCommonName());
|
||||
}
|
||||
certificate.setRequestedKeyLength(-1);
|
||||
certificate.setNotBefore(info.notBefore());
|
||||
certificate.setNotAfter(info.notAfter());
|
||||
|
|
@ -94,12 +102,14 @@ public class CertificateCreationService {
|
|||
certificate.setSubjectState(subjectInfo.getState());
|
||||
certificate.setSubjectLocality(subjectInfo.getLocality());
|
||||
|
||||
final CertificateInfoExtension extension = info.extensions().getFirst();
|
||||
if (extension != null) {
|
||||
final CertificateExtension certificateExtension = new CertificateExtension();
|
||||
certificateExtension.setIdentifier("alternativeNames");
|
||||
certificateExtension.setValue(String.join(",", extension.getAlternativeDnsNames()));
|
||||
certificate.setCertificateExtension(List.of(certificateExtension));
|
||||
if (info.hasExtensions()) {
|
||||
final CertificateInfoExtension extension = info.extensions().getFirst();
|
||||
if (extension != null) {
|
||||
final CertificateExtension certificateExtension = new CertificateExtension();
|
||||
certificateExtension.setIdentifier("alternativeNames");
|
||||
certificateExtension.setValue(String.join(",", extension.getAlternativeDnsNames()));
|
||||
certificate.setCertificateExtension(List.of(certificateExtension));
|
||||
}
|
||||
}
|
||||
return certificate;
|
||||
}
|
||||
|
|
@ -113,6 +123,7 @@ public class CertificateCreationService {
|
|||
try {
|
||||
String fingerprint = openSSLService.getCertificateFingerprint(certificate);
|
||||
Certificate entity = createEntityFromInfo(openSSLService.getCertificateInfo(certificate));
|
||||
entity.setRequestedKeyLength(-1);
|
||||
entity.setFingerprint(fingerprint);
|
||||
entity.setCert(Files.readAllBytes(certificate));
|
||||
if (keyFile != null) {
|
||||
|
|
|
|||
|
|
@ -1,5 +1,9 @@
|
|||
package de.mlessmann.certassist;
|
||||
|
||||
import static java.util.Objects.requireNonNull;
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.mockito.Mockito.*;
|
||||
|
||||
import de.mlessmann.certassist.models.CertificateInfo;
|
||||
import de.mlessmann.certassist.models.CertificateInfo.RequestType;
|
||||
import de.mlessmann.certassist.models.CertificateInfoExtension;
|
||||
|
|
@ -8,24 +12,19 @@ import de.mlessmann.certassist.openssl.CertificatePasswordProvider;
|
|||
import de.mlessmann.certassist.openssl.CertificateProvider;
|
||||
import de.mlessmann.certassist.openssl.OpenSSLService;
|
||||
import de.mlessmann.certassist.service.ExecutableResolver;
|
||||
import java.nio.file.Path;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.springframework.boot.test.context.SpringBootTest;
|
||||
import org.springframework.boot.test.mock.mockito.MockBean;
|
||||
|
||||
import java.nio.file.Path;
|
||||
|
||||
import static java.util.Objects.requireNonNull;
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.mockito.Mockito.*;
|
||||
|
||||
@SpringBootTest
|
||||
class TestOpenSSLService {
|
||||
|
||||
public static final String TEST_CERT_PASSPHRASE = "ABC-123";
|
||||
public static final Path TEST_CERT_PATH = Path.of("src/test/resources/openssl");
|
||||
public static final String TEST_CERT_FINGERPRINT =
|
||||
"SHA1;4E:D6:0A:47:F0:63:AD:96:26:83:16:28:32:F5:E8:36:5A:62:91:95";
|
||||
"SHA1;4E:D6:0A:47:F0:63:AD:96:26:83:16:28:32:F5:E8:36:5A:62:91:95";
|
||||
private static final String ERR_NOT_ENCRYPTED = "Private key not encrypted";
|
||||
private static final String ERR_VERIFY_FAILED = "Certificate verification failed";
|
||||
|
||||
|
|
@ -45,57 +44,55 @@ class TestOpenSSLService {
|
|||
var certificateCreator = new OpenSSLService(executableResolver, passwordProvider, certificateProvider);
|
||||
|
||||
CertificateInfo certRequest = CertificateInfo
|
||||
.builder()
|
||||
.type(RequestType.STANDALONE_CERTIFICATE)
|
||||
.subject(
|
||||
CertificateInfoSubject
|
||||
.builder()
|
||||
.commonName("test.home")
|
||||
.country("DE")
|
||||
.state("SH")
|
||||
.locality("HH")
|
||||
.organization("Crazy-Cats")
|
||||
)
|
||||
.extension(CertificateInfoExtension.builder().alternativeDnsNames("test2.home", "test3.home"))
|
||||
.build();
|
||||
.builder()
|
||||
.type(RequestType.STANDALONE_CERTIFICATE)
|
||||
.subject(
|
||||
CertificateInfoSubject
|
||||
.builder()
|
||||
.commonName("test.home")
|
||||
.country("DE")
|
||||
.state("SH")
|
||||
.locality("HH")
|
||||
.organization("Crazy-Cats")
|
||||
)
|
||||
.extension(CertificateInfoExtension.builder().alternativeDnsNames("test2.home", "test3.home"))
|
||||
.build();
|
||||
|
||||
try (var cert = certificateCreator.createCertificate(certRequest)) {
|
||||
assertThat(certificateCreator.verifyCertificate(cert.certificatePath(), cert.certificatePath()))
|
||||
.withFailMessage(ERR_VERIFY_FAILED)
|
||||
.isTrue();
|
||||
.withFailMessage(ERR_VERIFY_FAILED)
|
||||
.isTrue();
|
||||
assertThat(certificateCreator.isKeyEncrypted(requireNonNull(cert.certificateKeyPath())))
|
||||
.withFailMessage(ERR_NOT_ENCRYPTED)
|
||||
.isTrue();
|
||||
.withFailMessage(ERR_NOT_ENCRYPTED)
|
||||
.isTrue();
|
||||
|
||||
CertificateInfo childRequest = CertificateInfo
|
||||
.builder()
|
||||
.type(RequestType.NORMAL_CERTIFICATE)
|
||||
.trustingAuthority(cert.fingerprint())
|
||||
.subject(
|
||||
CertificateInfoSubject
|
||||
.builder()
|
||||
.commonName("test.local")
|
||||
.country("DE")
|
||||
.state("SH")
|
||||
.locality("HH")
|
||||
.organization("Crazy-Cats")
|
||||
)
|
||||
.extension(CertificateInfoExtension.builder().alternativeDnsNames("test2.local", "test3.local"))
|
||||
.build();
|
||||
.builder()
|
||||
.type(RequestType.NORMAL_CERTIFICATE)
|
||||
.trustingAuthority(cert.fingerprint())
|
||||
.subject(
|
||||
CertificateInfoSubject
|
||||
.builder()
|
||||
.commonName("test.local")
|
||||
.country("DE")
|
||||
.state("SH")
|
||||
.locality("HH")
|
||||
.organization("Crazy-Cats")
|
||||
)
|
||||
.extension(CertificateInfoExtension.builder().alternativeDnsNames("test2.local", "test3.local"))
|
||||
.build();
|
||||
|
||||
var spiedCert = spy(cert);
|
||||
doNothing().when(spiedCert).close();
|
||||
when(certificateProvider.requestCertificateUsage(cert.fingerprint())).thenReturn(spiedCert);
|
||||
try (var childCert = certificateCreator.createCertificate(childRequest)) {
|
||||
Path fullchain = childCert.fullchainPath();
|
||||
assertThat(
|
||||
certificateCreator.verifyCertificate(requireNonNull(fullchain), cert.certificatePath())
|
||||
)
|
||||
.withFailMessage(ERR_VERIFY_FAILED)
|
||||
.isTrue();
|
||||
assertThat(certificateCreator.verifyCertificate(requireNonNull(fullchain), cert.certificatePath()))
|
||||
.withFailMessage(ERR_VERIFY_FAILED)
|
||||
.isTrue();
|
||||
assertThat(certificateCreator.isKeyEncrypted(requireNonNull(childCert.certificateKeyPath())))
|
||||
.withFailMessage(ERR_NOT_ENCRYPTED)
|
||||
.isTrue();
|
||||
.withFailMessage(ERR_NOT_ENCRYPTED)
|
||||
.isTrue();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -124,6 +121,7 @@ class TestOpenSSLService {
|
|||
assertThat(request.subject().getState()).isEqualTo("SH");
|
||||
assertThat(request.subject().getLocality()).isEqualTo("HH");
|
||||
assertThat(request.subject().getOrganization()).isEqualTo("Crazy-Cats");
|
||||
assertThat(request.extensions().getFirst().getAlternativeDnsNames()).containsExactly("test2.local", "test3.local");
|
||||
assertThat(request.extensions().getFirst().getAlternativeDnsNames())
|
||||
.containsExactly("test2.local", "test3.local");
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,7 +6,6 @@ import de.mlessmann.certassist.models.Certificate;
|
|||
import de.mlessmann.certassist.models.CertificateExtension;
|
||||
import de.mlessmann.certassist.models.CertificateType;
|
||||
import jakarta.transaction.Transactional;
|
||||
|
||||
import java.time.OffsetDateTime;
|
||||
import java.util.List;
|
||||
import java.util.stream.StreamSupport;
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue