282 lines
11 KiB
Java
282 lines
11 KiB
Java
package de.mlessmann.certassist.openssl;
|
|
|
|
import de.mlessmann.certassist.ExecutableResolver;
|
|
import de.mlessmann.certassist.except.CommandLineOperationException;
|
|
import de.mlessmann.certassist.except.UnresolvableCLIDependency;
|
|
import de.mlessmann.certassist.openssl.CertificateRequest.RequestType;
|
|
import java.io.IOException;
|
|
import java.nio.charset.StandardCharsets;
|
|
import java.nio.file.Files;
|
|
import java.nio.file.Path;
|
|
import java.nio.file.StandardOpenOption;
|
|
import java.util.List;
|
|
import java.util.Optional;
|
|
import java.util.concurrent.ExecutionException;
|
|
import java.util.concurrent.atomic.AtomicInteger;
|
|
import java.util.stream.Collectors;
|
|
import lombok.RequiredArgsConstructor;
|
|
import lombok.extern.slf4j.Slf4j;
|
|
import org.apache.commons.lang3.StringUtils;
|
|
import org.springframework.lang.NonNull;
|
|
import org.springframework.stereotype.Service;
|
|
import org.zeroturnaround.exec.ProcessExecutor;
|
|
import org.zeroturnaround.exec.StartedProcess;
|
|
import org.zeroturnaround.exec.stream.slf4j.Slf4jStream;
|
|
|
|
@Service
|
|
@RequiredArgsConstructor
|
|
@Slf4j
|
|
public class OpenSSLCertificateCreator {
|
|
|
|
public static final String OPENSSL_CERT_SUBJECT_TEMPLATE =
|
|
"/C=ISO-COUNTRY/ST=STATE/L=LOCALITY/O=ORGANIZATION/CN=COMMON-NAME";
|
|
private static final String CSR_EXT_TEMPLATE =
|
|
"""
|
|
authorityKeyIdentifier=keyid,issuer
|
|
basicConstraints=CA:FALSE
|
|
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
|
|
subjectAltName = @alt_names
|
|
|
|
[alt_names]
|
|
""";
|
|
|
|
private final ExecutableResolver executableResolver;
|
|
|
|
private static String buildSubjectArg(CertificateRequest request) {
|
|
String certSubject = OPENSSL_CERT_SUBJECT_TEMPLATE
|
|
.replace("ISO-COUNTRY", request.getSubject().getCountry())
|
|
.replace("STATE", request.getSubject().getState())
|
|
.replace("LOCALITY", request.getSubject().getLocality())
|
|
.replace("ORGANIZATION", request.getSubject().getOrganization())
|
|
.replace("COMMON-NAME", request.getCommonName());
|
|
|
|
if (StringUtils.isNotBlank(request.getSubject().getOrganizationalUnit())) {
|
|
certSubject += "/OU=" + request.getSubject().getOrganizationalUnit();
|
|
}
|
|
|
|
if (StringUtils.isNotBlank(request.getSubject().getEmailAddress())) {
|
|
certSubject += "/emailAddress=" + request.getSubject().getEmailAddress();
|
|
}
|
|
return certSubject;
|
|
}
|
|
|
|
@NonNull
|
|
public OpenSSLCertificateResult createCertificate(CertificateRequest request)
|
|
throws CommandLineOperationException, InterruptedException {
|
|
Path tmpDir;
|
|
try {
|
|
tmpDir = Files.createTempDirectory("certassist");
|
|
} catch (IOException e) {
|
|
throw new CommandLineOperationException("Could not create temporary directory for certificate creation", e);
|
|
}
|
|
|
|
Path keyFile = createKeyfile(request, tmpDir.resolve("root.key"));
|
|
Path rootCert = createCertificate(request, keyFile, tmpDir.resolve("root.crt"));
|
|
if (
|
|
request.getType() == RequestType.ROOT_AUTHORITY || request.getType() == RequestType.STANDALONE_CERTIFICATE
|
|
) {
|
|
return new OpenSSLCertificateResult(tmpDir, rootCert, keyFile);
|
|
}
|
|
|
|
Path childKey = createKeyfile(request, tmpDir.resolve("child.key"));
|
|
Path unsignedCert = createSigningRequest(request, childKey, tmpDir.resolve("child.csr"));
|
|
Path signedCert = signCertificate(request, rootCert, keyFile, unsignedCert);
|
|
return new OpenSSLCertificateResult(tmpDir, signedCert, childKey);
|
|
}
|
|
|
|
private Path createKeyfile(CertificateRequest request, Path outFile)
|
|
throws CommandLineOperationException, InterruptedException {
|
|
Path keyFile = outFile.toAbsolutePath();
|
|
log.atDebug().log("Writing new certificate key to {}", keyFile);
|
|
|
|
try {
|
|
StartedProcess keygenProc = new ProcessExecutor()
|
|
.command(
|
|
resolveOpenSSL(),
|
|
"genrsa",
|
|
"-out",
|
|
keyFile.toString(),
|
|
"-passout",
|
|
"env:KEY_PASS",
|
|
Integer.toString(request.getRequestedKeyLength())
|
|
)
|
|
.environment("KEY_PASS", request.getOid())
|
|
.redirectOutput(Slf4jStream.ofCaller().asDebug())
|
|
.redirectError(Slf4jStream.ofCaller().asError())
|
|
.start();
|
|
keygenProc.getFuture().get();
|
|
} catch (IOException e) {
|
|
throw new CommandLineOperationException("Failure running OpenSSL keygen command.", e);
|
|
} catch (ExecutionException e) {
|
|
throw new RuntimeException(e);
|
|
}
|
|
return keyFile;
|
|
}
|
|
|
|
private Path createCertificate(CertificateRequest request, Path keyFile, Path outFile)
|
|
throws CommandLineOperationException, InterruptedException {
|
|
log.atDebug().log("Writing new certificate file {}", outFile);
|
|
|
|
String certSubject = buildSubjectArg(request);
|
|
try {
|
|
StartedProcess certGenProc = new ProcessExecutor()
|
|
.command(
|
|
resolveOpenSSL(),
|
|
"req",
|
|
"-x509",
|
|
"-new",
|
|
"-passin",
|
|
"env:KEY_PASS",
|
|
"-key",
|
|
keyFile.toString(),
|
|
"-sha256",
|
|
"-days",
|
|
Integer.toString(request.getRequestedValidityDays()),
|
|
"-out",
|
|
outFile.toString(),
|
|
"-passout",
|
|
"env:KEY_PASS",
|
|
"-utf8",
|
|
"-subj",
|
|
certSubject
|
|
)
|
|
.environment("KEY_PASS", request.getOid())
|
|
.redirectOutput(Slf4jStream.ofCaller().asDebug())
|
|
.redirectError(Slf4jStream.ofCaller().asError())
|
|
.start();
|
|
certGenProc.getFuture().get();
|
|
} catch (IOException e) {
|
|
throw new CommandLineOperationException("Failure running OpenSSL req command.", e);
|
|
} catch (ExecutionException e) {
|
|
throw new RuntimeException(e);
|
|
}
|
|
return outFile;
|
|
}
|
|
|
|
private Path createSigningRequest(CertificateRequest request, Path keyFile, Path outFile)
|
|
throws CommandLineOperationException, InterruptedException {
|
|
log.atDebug().log("Writing new certificate signing request file {}", outFile);
|
|
|
|
String certSubject = buildSubjectArg(request);
|
|
try {
|
|
StartedProcess certGenProc = new ProcessExecutor()
|
|
.command(
|
|
resolveOpenSSL(),
|
|
"req",
|
|
"-new",
|
|
"-passin",
|
|
"env:KEY_PASS",
|
|
"-key",
|
|
keyFile.toString(),
|
|
"-sha256",
|
|
"-out",
|
|
outFile.toString(),
|
|
"-passout",
|
|
"env:KEY_PASS",
|
|
"-utf8",
|
|
"-subj",
|
|
certSubject
|
|
)
|
|
.environment("KEY_PASS", request.getOid())
|
|
.redirectOutput(Slf4jStream.ofCaller().asDebug())
|
|
.redirectError(Slf4jStream.ofCaller().asError())
|
|
.start();
|
|
certGenProc.getFuture().get();
|
|
} catch (IOException e) {
|
|
throw new CommandLineOperationException("Failure running OpenSSL req command.", e);
|
|
} catch (ExecutionException e) {
|
|
throw new RuntimeException(e);
|
|
}
|
|
return outFile;
|
|
}
|
|
|
|
public boolean verifyCertificate(Path certFile) throws CommandLineOperationException {
|
|
try {
|
|
StartedProcess verifyCommand = new ProcessExecutor()
|
|
.command(resolveOpenSSL(), "x509", "-in", certFile.toString(), "-text", "-noout")
|
|
.redirectOutput(Slf4jStream.ofCaller().asDebug())
|
|
.redirectError(Slf4jStream.ofCaller().asError())
|
|
.start();
|
|
var verifyResult = verifyCommand.getFuture().get();
|
|
return verifyResult.getExitValue() == 0;
|
|
} catch (IOException | InterruptedException | ExecutionException e) {
|
|
throw new RuntimeException(e);
|
|
}
|
|
}
|
|
|
|
private Path signCertificate(CertificateRequest request, Path caCert, Path caKey, Path csrFile)
|
|
throws CommandLineOperationException, InterruptedException {
|
|
Path outFile = csrFile.resolveSibling(csrFile.getFileName().toString().replace(".csr", ".crt"));
|
|
log.atDebug().log("Writing new signed certificate file {}", outFile);
|
|
Path extFile = csrFile.resolveSibling(csrFile.getFileName().toString().replace(".csr", ".ext"));
|
|
|
|
try {
|
|
String extContent = CSR_EXT_TEMPLATE;
|
|
List<String> altNames = Optional
|
|
.ofNullable(request.getExtension())
|
|
.map(CertificateRequestExtension::getAlternativeNames)
|
|
.orElse(List.of());
|
|
if (!altNames.isEmpty()) {
|
|
AtomicInteger counter = new AtomicInteger(1);
|
|
String altNamesContent = altNames
|
|
.stream()
|
|
.map(name -> "DNS.%d = %s".formatted(counter.getAndIncrement(), name))
|
|
.collect(Collectors.joining("\n"));
|
|
extContent = extContent.replaceAll("\\[alt_names]\n?", "[alt_names]\n" + altNamesContent);
|
|
} else {
|
|
extContent = extContent.replaceAll("\\s*subjectAltName\\s+=\\s+@alt_names\n?", "");
|
|
extContent = extContent.replaceAll("\\[alt_names]\n?", "");
|
|
}
|
|
|
|
log.debug("Writing extension file content: \n {}", extContent);
|
|
Files.writeString(
|
|
extFile,
|
|
extContent,
|
|
StandardCharsets.UTF_8,
|
|
StandardOpenOption.CREATE,
|
|
StandardOpenOption.TRUNCATE_EXISTING
|
|
);
|
|
} catch (IOException e) {
|
|
throw new RuntimeException(e);
|
|
}
|
|
|
|
try {
|
|
StartedProcess certGenProc = new ProcessExecutor()
|
|
.command(
|
|
resolveOpenSSL(),
|
|
"x509",
|
|
"-req",
|
|
"-days",
|
|
Integer.toString(request.getRequestedValidityDays()),
|
|
"-in",
|
|
csrFile.toString(),
|
|
"-CA",
|
|
caCert.toString(),
|
|
"-CAkey",
|
|
caKey.toString(),
|
|
"-CAcreateserial",
|
|
"-out",
|
|
outFile.toString(),
|
|
"-extfile",
|
|
extFile.toString()
|
|
)
|
|
.redirectOutput(Slf4jStream.ofCaller().asDebug())
|
|
.redirectError(Slf4jStream.ofCaller().asError())
|
|
.start();
|
|
certGenProc.getFuture().get();
|
|
} catch (IOException e) {
|
|
throw new CommandLineOperationException("Failure running OpenSSL x509 command.", e);
|
|
} catch (ExecutionException e) {
|
|
throw new RuntimeException(e);
|
|
}
|
|
return outFile;
|
|
}
|
|
|
|
private String resolveOpenSSL() throws CommandLineOperationException {
|
|
try {
|
|
return executableResolver.getOpenSSLPath();
|
|
} catch (UnresolvableCLIDependency e) {
|
|
throw new CommandLineOperationException(e);
|
|
}
|
|
}
|
|
}
|