package de.mlessmann.certassist.openssl; import de.mlessmann.certassist.ExecutableResolver; import de.mlessmann.certassist.except.CommandLineOperationException; import de.mlessmann.certassist.except.UnresolvableCLIDependency; import java.io.IOException; import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.StandardOpenOption; import java.util.List; import java.util.Optional; import java.util.concurrent.ExecutionException; import java.util.concurrent.atomic.AtomicInteger; import java.util.stream.Collectors; import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; import org.apache.commons.lang3.StringUtils; import org.springframework.lang.NonNull; import org.springframework.stereotype.Service; import org.zeroturnaround.exec.ProcessExecutor; import org.zeroturnaround.exec.StartedProcess; import org.zeroturnaround.exec.stream.slf4j.Slf4jStream; @Service @RequiredArgsConstructor @Slf4j public class OpenSSLCertificateCreator { public static final String OPENSSL_CERT_SUBJECT_TEMPLATE = "/C=ISO-COUNTRY/ST=STATE/L=LOCALITY/O=ORGANIZATION/CN=COMMON-NAME"; private static final String CSR_EXT_TEMPLATE = """ authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] """; private final ExecutableResolver executableResolver; private static String buildSubjectArg(CertificateRequest request) { String certSubject = OPENSSL_CERT_SUBJECT_TEMPLATE .replace("ISO-COUNTRY", request.getSubject().getCountry()) .replace("STATE", request.getSubject().getState()) .replace("LOCALITY", request.getSubject().getLocality()) .replace("ORGANIZATION", request.getSubject().getOrganization()) .replace("COMMON-NAME", request.getCommonName()); if (StringUtils.isNotBlank(request.getSubject().getOrganizationalUnit())) { certSubject += "/OU=" + request.getSubject().getOrganizationalUnit(); } if (StringUtils.isNotBlank(request.getSubject().getEmailAddress())) { certSubject += "/emailAddress=" + request.getSubject().getEmailAddress(); } return certSubject; } @NonNull public OpenSSLCertificateResult createCertificate(CertificateRequest request) throws CommandLineOperationException, InterruptedException { Path tmpDir; try { tmpDir = Files.createTempDirectory("certassist"); } catch (IOException e) { throw new CommandLineOperationException("Could not create temporary directory for certificate creation", e); } Path keyFile = createKeyfile(request, tmpDir.resolve("root.key")); Path rootCert = createCertificate(request, keyFile, tmpDir.resolve("root.crt")); Path childKey = createKeyfile(request, tmpDir.resolve("child.key")); Path unsignedCert = createSigningRequest(request, childKey, tmpDir.resolve("child.csr")); Path signedCert = signCertificate(request, rootCert, keyFile, unsignedCert); return new OpenSSLCertificateResult(tmpDir, signedCert, childKey); } private Path createKeyfile(CertificateRequest request, Path outFile) throws CommandLineOperationException, InterruptedException { Path keyFile = outFile.toAbsolutePath(); log.atDebug().log("Writing new certificate key to {}", keyFile); try { StartedProcess keygenProc = new ProcessExecutor() .command( resolveOpenSSL(), "genrsa", "-out", keyFile.toString(), "-passout", "env:KEY_PASS", Integer.toString(request.getRequestedKeyLength()) ) .environment("KEY_PASS", request.getOid()) .redirectOutput(Slf4jStream.ofCaller().asDebug()) .redirectError(Slf4jStream.ofCaller().asError()) .start(); keygenProc.getFuture().get(); } catch (IOException e) { throw new CommandLineOperationException("Failure running OpenSSL keygen command.", e); } catch (ExecutionException e) { throw new RuntimeException(e); } return keyFile; } private Path createCertificate(CertificateRequest request, Path keyFile, Path outFile) throws CommandLineOperationException, InterruptedException { log.atDebug().log("Writing new certificate file {}", outFile); String certSubject = buildSubjectArg(request); try { StartedProcess certGenProc = new ProcessExecutor() .command( resolveOpenSSL(), "req", "-x509", "-new", "-passin", "env:KEY_PASS", "-key", keyFile.toString(), "-sha256", "-days", Integer.toString(request.getRequestedValidityDays()), "-out", outFile.toString(), "-passout", "env:KEY_PASS", "-utf8", "-subj", certSubject ) .environment("KEY_PASS", request.getOid()) .redirectOutput(Slf4jStream.ofCaller().asDebug()) .redirectError(Slf4jStream.ofCaller().asError()) .start(); certGenProc.getFuture().get(); } catch (IOException e) { throw new CommandLineOperationException("Failure running OpenSSL req command.", e); } catch (ExecutionException e) { throw new RuntimeException(e); } return outFile; } private Path createSigningRequest(CertificateRequest request, Path keyFile, Path outFile) throws CommandLineOperationException, InterruptedException { log.atDebug().log("Writing new certificate signing request file {}", outFile); String certSubject = buildSubjectArg(request); try { StartedProcess certGenProc = new ProcessExecutor() .command( resolveOpenSSL(), "req", "-new", "-passin", "env:KEY_PASS", "-key", keyFile.toString(), "-sha256", "-out", outFile.toString(), "-passout", "env:KEY_PASS", "-utf8", "-subj", certSubject ) .environment("KEY_PASS", request.getOid()) .redirectOutput(Slf4jStream.ofCaller().asDebug()) .redirectError(Slf4jStream.ofCaller().asError()) .start(); certGenProc.getFuture().get(); } catch (IOException e) { throw new CommandLineOperationException("Failure running OpenSSL req command.", e); } catch (ExecutionException e) { throw new RuntimeException(e); } return outFile; } public boolean verifyCertificate(Path certFile) throws CommandLineOperationException { try { StartedProcess verifyCommand = new ProcessExecutor() .command(resolveOpenSSL(), "x509", "-in", certFile.toString(), "-text", "-noout") .redirectOutput(Slf4jStream.ofCaller().asDebug()) .redirectError(Slf4jStream.ofCaller().asError()) .start(); var verifyResult = verifyCommand.getFuture().get(); return verifyResult.getExitValue() == 0; } catch (IOException | InterruptedException | ExecutionException e) { throw new RuntimeException(e); } } private Path signCertificate(CertificateRequest request, Path caCert, Path caKey, Path csrFile) throws CommandLineOperationException, InterruptedException { Path outFile = csrFile.resolveSibling(csrFile.getFileName().toString().replace(".csr", ".crt")); log.atDebug().log("Writing new signed certificate file {}", outFile); Path extFile = csrFile.resolveSibling(csrFile.getFileName().toString().replace(".csr", ".ext")); try { String extContent = CSR_EXT_TEMPLATE; List altNames = Optional .ofNullable(request.getExtension()) .map(CertificateRequestExtension::getAlternativeNames) .orElse(List.of()); if (!altNames.isEmpty()) { AtomicInteger counter = new AtomicInteger(1); String altNamesContent = altNames .stream() .map(name -> "DNS.%d = %s".formatted(counter.getAndIncrement(), name)) .collect(Collectors.joining("\n")); extContent = extContent.replaceAll("\\[alt_names]\n?", "[alt_names]\n" + altNamesContent); } else { extContent = extContent.replaceAll("\\s*subjectAltName\\s+=\\s+@alt_names\n?", ""); extContent = extContent.replaceAll("\\[alt_names]\n?", ""); } log.debug("Writing extension file content: \n {}", extContent); Files.writeString( extFile, extContent, StandardCharsets.UTF_8, StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING ); } catch (IOException e) { throw new RuntimeException(e); } try { StartedProcess certGenProc = new ProcessExecutor() .command( resolveOpenSSL(), "x509", "-req", "-days", Integer.toString(request.getRequestedValidityDays()), "-in", csrFile.toString(), "-CA", caCert.toString(), "-CAkey", caKey.toString(), "-CAcreateserial", "-out", outFile.toString(), "-extfile", extFile.toString() ) .redirectOutput(Slf4jStream.ofCaller().asDebug()) .redirectError(Slf4jStream.ofCaller().asError()) .start(); certGenProc.getFuture().get(); } catch (IOException e) { throw new CommandLineOperationException("Failure running OpenSSL x509 command.", e); } catch (ExecutionException e) { throw new RuntimeException(e); } return outFile; } private String resolveOpenSSL() throws CommandLineOperationException { try { return executableResolver.getOpenSSLPath(); } catch (UnresolvableCLIDependency e) { throw new CommandLineOperationException(e); } } }