feat: Add basic support for running OpenSSL CLI #4
4 changed files with 98 additions and 66 deletions
|
|
@ -20,6 +20,7 @@ public class CertificateRequest {
|
|||
@Builder.Default
|
||||
private int requestedValidityDays = 365;
|
||||
private CertificateSubject subject;
|
||||
private CertificateRequestExtension extension;
|
||||
|
||||
public enum RequestType {
|
||||
ROOT_AUTHORITY,
|
||||
|
|
@ -32,5 +33,10 @@ public class CertificateRequest {
|
|||
this.subject = builder.build();
|
||||
return this;
|
||||
}
|
||||
|
||||
public CertificateRequestBuilder extension(CertificateRequestExtension.CertificateRequestExtensionBuilder builder) {
|
||||
this.extension = builder.build();
|
||||
return this;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,20 @@
|
|||
package de.mlessmann.certassist.openssl;
|
||||
|
||||
import lombok.Builder;
|
||||
import lombok.Getter;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
@Getter
|
||||
@Builder
|
||||
public class CertificateRequestExtension {
|
||||
|
||||
private List<String> alternativeNames;
|
||||
|
||||
public static class CertificateRequestExtensionBuilder {
|
||||
public CertificateRequestExtensionBuilder alternativeNames(String... altNames) {
|
||||
this.alternativeNames = List.of(altNames);
|
||||
return this;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -13,8 +13,12 @@ import org.zeroturnaround.exec.StartedProcess;
|
|||
import org.zeroturnaround.exec.stream.slf4j.Slf4jStream;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.nio.file.Files;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.StandardOpenOption;
|
||||
import java.util.List;
|
||||
import java.util.Optional;
|
||||
import java.util.concurrent.ExecutionException;
|
||||
|
||||
import static org.slf4j.LoggerFactory.getLogger;
|
||||
|
|
@ -24,6 +28,15 @@ public class OpenSSLCertificateCreator {
|
|||
|
||||
public static final String OPENSSL_CERT_SUBJECT_TEMPLATE = "/C=ISO-COUNTRY/ST=STATE/L=LOCALITY/O=ORGANIZATION/CN=COMMON-NAME";
|
||||
private static final Logger LOGGER = getLogger(OpenSSLCertificateCreator.class);
|
||||
private static final String CSR_EXT_TEMPLATE = """
|
||||
authorityKeyIdentifier=keyid,issuer
|
||||
basicConstraints=CA:FALSE
|
||||
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
|
||||
subjectAltName = @alt_names
|
||||
|
||||
[alt_names]
|
||||
""";
|
||||
|
||||
private final ExecutableResolver executableResolver;
|
||||
|
||||
@Autowired
|
||||
|
|
@ -32,26 +45,14 @@ public class OpenSSLCertificateCreator {
|
|||
}
|
||||
|
||||
private static String buildSubjectArg(CertificateRequest request) {
|
||||
String certSubject = OPENSSL_CERT_SUBJECT_TEMPLATE.replace("ISO-COUNTRY", request.getSubject()
|
||||
.getCountry())
|
||||
.replace("STATE", request.getSubject()
|
||||
.getState())
|
||||
.replace("LOCALITY", request.getSubject()
|
||||
.getLocality())
|
||||
.replace("ORGANIZATION", request.getSubject()
|
||||
.getOrganization())
|
||||
.replace("COMMON-NAME", request.getCommonName());
|
||||
String certSubject = OPENSSL_CERT_SUBJECT_TEMPLATE.replace("ISO-COUNTRY", request.getSubject().getCountry()).replace("STATE", request.getSubject().getState()).replace("LOCALITY", request.getSubject().getLocality()).replace("ORGANIZATION", request.getSubject().getOrganization()).replace("COMMON-NAME", request.getCommonName());
|
||||
|
||||
if (StringUtils.isNotBlank(request.getSubject()
|
||||
.getOrganizationalUnit())) {
|
||||
certSubject += "/OU=" + request.getSubject()
|
||||
.getOrganizationalUnit();
|
||||
if (StringUtils.isNotBlank(request.getSubject().getOrganizationalUnit())) {
|
||||
certSubject += "/OU=" + request.getSubject().getOrganizationalUnit();
|
||||
}
|
||||
|
||||
if (StringUtils.isNotBlank(request.getSubject()
|
||||
.getEmailAddress())) {
|
||||
certSubject += "/emailAddress=" + request.getSubject()
|
||||
.getEmailAddress();
|
||||
if (StringUtils.isNotBlank(request.getSubject().getEmailAddress())) {
|
||||
certSubject += "/emailAddress=" + request.getSubject().getEmailAddress();
|
||||
}
|
||||
return certSubject;
|
||||
}
|
||||
|
|
@ -65,30 +66,22 @@ public class OpenSSLCertificateCreator {
|
|||
throw new CommandLineOperationException("Could not create temporary directory for certificate creation", e);
|
||||
}
|
||||
|
||||
createKeyfile(request, tmpDir);
|
||||
createCertificate(request, tmpDir);
|
||||
Path keyFile = createKeyfile(request, tmpDir.resolve("root.key"));
|
||||
Path rootCert = createCertificate(request, keyFile, tmpDir.resolve("root.crt"));
|
||||
|
||||
Path childKey = createKeyfile(request, tmpDir.resolve("child.key"));
|
||||
Path unsignedCert = createCertificate(request, childKey, tmpDir.resolve("child.csr"));
|
||||
Path signedCert = signCertificate(request, rootCert, keyFile, unsignedCert);
|
||||
return new OpenSSLCertificateResult(tmpDir);
|
||||
}
|
||||
|
||||
private Path createKeyfile(CertificateRequest request, Path tmpDir) throws CommandLineOperationException, InterruptedException {
|
||||
Path keyFile = tmpDir.resolve("root.key")
|
||||
.toAbsolutePath();
|
||||
LOGGER.atDebug()
|
||||
.log("Writing new certificate key to {}", keyFile);
|
||||
private Path createKeyfile(CertificateRequest request, Path outFile) throws CommandLineOperationException, InterruptedException {
|
||||
Path keyFile = outFile.toAbsolutePath();
|
||||
LOGGER.atDebug().log("Writing new certificate key to {}", keyFile);
|
||||
|
||||
try {
|
||||
StartedProcess keygenProc = new ProcessExecutor().command(resolveOpenSSL(), "genrsa", "-out",
|
||||
keyFile.toString(),
|
||||
"-passout", "env:KEY_PASS",
|
||||
Integer.toString(request.getRequestedKeyLength()))
|
||||
.environment("KEY_PASS", request.getOid())
|
||||
.redirectOutput(Slf4jStream.ofCaller()
|
||||
.asDebug())
|
||||
.redirectError(Slf4jStream.ofCaller()
|
||||
.asError())
|
||||
.start();
|
||||
keygenProc.getFuture()
|
||||
.get();
|
||||
StartedProcess keygenProc = new ProcessExecutor().command(resolveOpenSSL(), "genrsa", "-out", keyFile.toString(), "-passout", "env:KEY_PASS", Integer.toString(request.getRequestedKeyLength())).environment("KEY_PASS", request.getOid()).redirectOutput(Slf4jStream.ofCaller().asDebug()).redirectError(Slf4jStream.ofCaller().asError()).start();
|
||||
keygenProc.getFuture().get();
|
||||
} catch (IOException e) {
|
||||
throw new CommandLineOperationException("Failure running OpenSSL keygen command.", e);
|
||||
} catch (ExecutionException e) {
|
||||
|
|
@ -97,38 +90,54 @@ public class OpenSSLCertificateCreator {
|
|||
return keyFile;
|
||||
}
|
||||
|
||||
private Path createCertificate(CertificateRequest request, Path tmpDir) throws CommandLineOperationException, InterruptedException {
|
||||
Path keyFile = tmpDir.resolve("root.key")
|
||||
.toAbsolutePath();
|
||||
Path certFile = tmpDir.resolve("root.crt")
|
||||
.toAbsolutePath();
|
||||
LOGGER.atDebug()
|
||||
.log("Writing new certificate file {}", certFile);
|
||||
private Path createCertificate(CertificateRequest request, Path keyFile, Path outFile) throws CommandLineOperationException, InterruptedException {
|
||||
LOGGER.atDebug().log("Writing new certificate file {}", outFile);
|
||||
|
||||
String certSubject = buildSubjectArg(request);
|
||||
try {
|
||||
StartedProcess keygenProc = new ProcessExecutor().command(resolveOpenSSL(), "req", "-new", "-nodes",
|
||||
"-key", keyFile.toString(), "-sha256", "-days",
|
||||
Integer.toString(
|
||||
request.getRequestedValidityDays()),
|
||||
"-out",
|
||||
certFile.toString(),
|
||||
"-passout", "env:KEY_PASS", "-utf8", "-subj",
|
||||
certSubject)
|
||||
.environment("KEY_PASS", request.getOid())
|
||||
.redirectOutput(Slf4jStream.ofCaller()
|
||||
.asDebug())
|
||||
.redirectError(Slf4jStream.ofCaller()
|
||||
.asError())
|
||||
.start();
|
||||
keygenProc.getFuture()
|
||||
.get();
|
||||
StartedProcess certGenProc = new ProcessExecutor().command(resolveOpenSSL(), "req", "-new", "-passin", "env:KEY_PASS", "-key", keyFile.toString(), "-sha256", "-days", Integer.toString(request.getRequestedValidityDays()), "-out", outFile.toString(), "-passout", "env:KEY_PASS", "-utf8", "-subj", certSubject).environment("KEY_PASS", request.getOid()).redirectOutput(Slf4jStream.ofCaller().asDebug()).redirectError(Slf4jStream.ofCaller().asError()).start();
|
||||
certGenProc.getFuture().get();
|
||||
} catch (IOException e) {
|
||||
throw new CommandLineOperationException("Failure running OpenSSL req command.", e);
|
||||
} catch (ExecutionException e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
return certFile;
|
||||
return outFile;
|
||||
}
|
||||
|
||||
private Path signCertificate(CertificateRequest request, Path caCert, Path caKey, Path csrFile) throws CommandLineOperationException, InterruptedException {
|
||||
Path outFile = csrFile.resolveSibling(csrFile.getFileName().toString().replace(".csr", ".crt"));
|
||||
LOGGER.atDebug().log("Writing new signed certificate file {}", outFile);
|
||||
Path extFile = csrFile.resolveSibling(csrFile.getFileName().toString().replace(".csr", ".ext"));
|
||||
|
||||
try {
|
||||
String extContent = CSR_EXT_TEMPLATE;
|
||||
List<String> altNames = Optional.ofNullable(request.getExtension())
|
||||
.map(CertificateRequestExtension::getAlternativeNames)
|
||||
.orElse(List.of());
|
||||
if (!altNames.isEmpty()) {
|
||||
String altNamesContent = String.join("\n", altNames);
|
||||
extContent = extContent.replaceAll("\\[alt_names]\n?, ", "[alt_names]\n" + altNamesContent);
|
||||
} else {
|
||||
extContent = extContent.replaceAll("\\s*subjectAltName\\s+=\\s+@alt_names\n?", "");
|
||||
extContent = extContent.replaceAll("\\[alt_names]\n?, ", "");
|
||||
}
|
||||
|
||||
LOGGER.debug("Writing extension file content: \n {}", extContent);
|
||||
Files.writeString(extFile, extContent, StandardCharsets.UTF_8, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING);
|
||||
} catch (IOException e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
|
||||
try {
|
||||
StartedProcess certGenProc = new ProcessExecutor().command(resolveOpenSSL(), "x509", "-req", "-days", Integer.toString(request.getRequestedValidityDays()), "-in", csrFile.toString(), "-CA", caCert.toString(), "-CAkey", caKey.toString(), "-CAcreateserial", "-out", outFile.toString(), "-extfile", extFile.toString()).redirectOutput(Slf4jStream.ofCaller().asDebug()).redirectError(Slf4jStream.ofCaller().asError()).start();
|
||||
certGenProc.getFuture().get();
|
||||
} catch (IOException e) {
|
||||
throw new CommandLineOperationException("Failure running OpenSSL x509 command.", e);
|
||||
} catch (ExecutionException e) {
|
||||
throw new RuntimeException(e);
|
||||
}
|
||||
return outFile;
|
||||
}
|
||||
|
||||
private String resolveOpenSSL() throws CommandLineOperationException {
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@ package de.mlessmann.certassist;
|
|||
|
||||
import de.mlessmann.certassist.openssl.CertificateRequest;
|
||||
import de.mlessmann.certassist.openssl.CertificateRequest.RequestType;
|
||||
import de.mlessmann.certassist.openssl.CertificateRequestExtension;
|
||||
import de.mlessmann.certassist.openssl.CertificateSubject;
|
||||
import de.mlessmann.certassist.openssl.OpenSSLCertificateCreator;
|
||||
import org.junit.jupiter.api.BeforeEach;
|
||||
|
|
@ -19,15 +20,11 @@ public class TestOpenSSLCertificateCreator {
|
|||
|
||||
@Test
|
||||
void testCertificateCreation() throws Exception {
|
||||
CertificateRequest certRequest = CertificateRequest.builder()
|
||||
.commonName("test.home")
|
||||
.type(RequestType.STANDALONE_CERTIFICATE)
|
||||
.subject(CertificateSubject.builder().country("DE").state("SH")
|
||||
.locality("").organization("Crazy-Cats"))
|
||||
.build();
|
||||
CertificateRequest certRequest = CertificateRequest.builder().commonName("test.home").type(RequestType.STANDALONE_CERTIFICATE).subject(CertificateSubject.builder().country("DE").state("SH").locality("HH").organization("Crazy-Cats")).extension(CertificateRequestExtension.builder().alternativeNames("test2.home", "test3.home")).build();
|
||||
|
||||
try (var cert = openSSLCertificateCreator.createCertificate(certRequest)) {
|
||||
System.out.println("Certificate created: " + cert);
|
||||
}
|
||||
throw new RuntimeException("Test not implemented");
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue