refactored certificate service

4.x.x
hasuniea 9 years ago
parent efd029083b
commit e1a24abfa3

@ -26,7 +26,8 @@ import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.pkcs.Attribute; import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*; import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.cert.CertIOException; import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder; import org.bouncycastle.cert.X509v3CertificateBuilder;
@ -44,14 +45,7 @@ import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest; import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest; import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.util.Store; import org.bouncycastle.util.Store;
import org.jscep.message.CertRep; import org.jscep.message.*;
import org.jscep.message.MessageDecodingException;
import org.jscep.message.MessageEncodingException;
import org.jscep.message.PkcsPkiEnvelopeDecoder;
import org.jscep.message.PkcsPkiEnvelopeEncoder;
import org.jscep.message.PkiMessage;
import org.jscep.message.PkiMessageDecoder;
import org.jscep.message.PkiMessageEncoder;
import org.jscep.transaction.FailInfo; import org.jscep.transaction.FailInfo;
import org.jscep.transaction.Nonce; import org.jscep.transaction.Nonce;
import org.jscep.transaction.TransactionId; import org.jscep.transaction.TransactionId;
@ -63,33 +57,10 @@ import org.wso2.carbon.certificate.mgt.core.util.ConfigurationUtil;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
import javax.xml.bind.DatatypeConverter; import javax.xml.bind.DatatypeConverter;
import java.io.ByteArrayInputStream; import java.io.*;
import java.io.DataInputStream; import java.security.*;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException; import java.security.cert.*;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException; import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList; import java.util.ArrayList;
@ -613,83 +584,24 @@ public class CertificateGenerator {
return null; return null;
} }
public X509Certificate getSignedCertificateFromCSR(String binarySecurityToken, public X509Certificate getSignedCertificateFromCSR(String binarySecurityToken)
X509Certificate caCert, List certPropertyList)
throws KeystoreException { throws KeystoreException {
byte[] byteArrayBst = DatatypeConverter.parseBase64Binary(binarySecurityToken); byte[] byteArrayBst = DatatypeConverter.parseBase64Binary(binarySecurityToken);
PKCS10CertificationRequest certificationRequest = null; PKCS10CertificationRequest certificationRequest;
KeyStoreReader keyStoreReader = new KeyStoreReader(); KeyStoreReader keyStoreReader = new KeyStoreReader();
PrivateKey privateKeyCA = keyStoreReader.getCAPrivateKey(); PrivateKey privateKeyCA = keyStoreReader.getCAPrivateKey();
X509Certificate certCA = (X509Certificate) keyStoreReader.getCACertificate();
try { try {
certificationRequest = new PKCS10CertificationRequest(byteArrayBst); certificationRequest = new PKCS10CertificationRequest(byteArrayBst);
} catch (IOException e) { } catch (IOException e) {
String msg = "CSR cannot be recovered."; String msg = "CSR cannot be recovered.";
log.error(msg, e); log.error(msg, e);
throw new KeystoreException(msg, e);
} }
JcaPKCS10CertificationRequest csr = new JcaPKCS10CertificationRequest(certificationRequest); JcaPKCS10CertificationRequest csr = new JcaPKCS10CertificationRequest(certificationRequest);
X509Certificate signedCertificate = signCSR(csr, privateKeyCA, caCert, certPropertyList); X509Certificate signedCertificate = generateCertificateFromCSR(privateKeyCA, certificationRequest,
saveCertInKeyStore(signedCertificate); certCA.getIssuerX500Principal().getName());
return signedCertificate;
}
private static X509Certificate signCSR(JcaPKCS10CertificationRequest jcaRequest,
PrivateKey privateKey, X509Certificate caCert,
List certParameterList) throws KeystoreException {
String commonName =
(String) certParameterList.get(PropertyIndex.COMMON_NAME_INDEX.getValue());
int notBeforeDays =
(Integer) certParameterList.get(PropertyIndex.NOT_BEFORE_DAYS_INDEX.getValue());
int notAfterDays =
(Integer) certParameterList.get(PropertyIndex.NOT_AFTER_DAYS_INDEX.getValue());
X509v3CertificateBuilder certificateBuilder;
X509Certificate signedCertificate;
try {
ContentSigner signer;
BigInteger serialNumber = BigInteger.valueOf(new SecureRandom().
nextInt(Integer.MAX_VALUE));
Date notBeforeDate = new Date(System.currentTimeMillis() -
(ConfigurationUtil.MILLI_SECONDS * notBeforeDays));
Date notAfterDate = new Date(System.currentTimeMillis() +
(ConfigurationUtil.MILLI_SECONDS * notAfterDays));
certificateBuilder =
new JcaX509v3CertificateBuilder(caCert, serialNumber, notBeforeDate, notAfterDate,
new X500Principal(commonName),
jcaRequest.getPublicKey());
//Adding extensions to the signed certificate.
certificateBuilder.addExtension(Extension.keyUsage, true,
new KeyUsage(KeyUsage.digitalSignature));
certificateBuilder.addExtension(Extension.extendedKeyUsage, false,
new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
certificateBuilder.addExtension(Extension.basicConstraints, true,
new BasicConstraints(false));
signer = new JcaContentSignerBuilder(ConfigurationUtil.SIGNATURE_ALGORITHM).
setProvider(ConfigurationUtil.PROVIDER).build(privateKey);
signedCertificate = new JcaX509CertificateConverter().setProvider(
ConfigurationUtil.PROVIDER).getCertificate(
certificateBuilder.build(signer));
} catch (InvalidKeyException e) {
String errorMsg = "CSR's public key is invalid";
throw new KeystoreException(errorMsg, e);
} catch (NoSuchAlgorithmException e) {
String errorMsg = "Certificate cannot be generated";
throw new KeystoreException(errorMsg, e);
} catch (CertIOException e) {
String errorMsg = "Cannot add extension(s) to signed certificate";
throw new KeystoreException(errorMsg, e);
} catch (OperatorCreationException e) {
String errorMsg = "Content signer cannot be created";
throw new KeystoreException(errorMsg, e);
} catch (CertificateException e) {
String errorMsg = "Signed certificate cannot be generated";
throw new KeystoreException(errorMsg, e);
}
return signedCertificate; return signedCertificate;
} }
} }
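Review bot: On the new side of the last hunk, the issuer name handed to generateCertificateFromCSR comes from `certCA.getIssuerX500Principal()`, which is the name of whoever signed the CA certificate rather than the CA's own name; the two coincide only for a self-signed CA, and with an intermediate CA every issued certificate would carry the wrong issuer DN and fail chain building against certCA. The CA's subject is the correct issuer: `certCA.getSubjectX500Principal().getName()`. The removed path also called `saveCertInKeyStore(signedCertificate)` and added the keyUsage, extendedKeyUsage and basicConstraints extensions in signCSR; neither is visible on the new side, so unless generateCertificateFromCSR (defined outside this hunk) does both, the issued certificate is no longer persisted and no longer carries those constraints, which is worth confirming before merge. The wildcard imports introduced in the third hunk (`java.io.*`, `java.security.*`, `java.security.cert.*`) also leave `import java.security.cert.Certificate` redundant and hide which types the class actually depends on.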

@ -54,6 +54,5 @@ public interface CertificateManagementService {
String extractChallengeToken(X509Certificate certificate); String extractChallengeToken(X509Certificate certificate);
X509Certificate getSignedCertificateFromCSR(String binarySecurityToken, X509Certificate caCert, X509Certificate getSignedCertificateFromCSR(String binarySecurityToken) throws KeystoreException;
List certParameterList) throws KeystoreException;
} }
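Review bot: The new one-argument getSignedCertificateFromCSR declaration carries no Javadoc, and because the CA certificate and validity parameters are no longer supplied by the caller, nothing at the interface says where they now come from or what the token must contain. A short comment such as `/** Signs the PKCS#10 request carried in the Base64-encoded binary security token with the server's CA key and returns the issued certificate. @throws KeystoreException if the CSR cannot be parsed or signed */` would make the contract visible to implementors and callers.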

@ -101,9 +101,9 @@ public class CertificateManagementServiceImpl implements CertificateManagementSe
return certificateGenerator.extractChallengeToken(certificate); return certificateGenerator.extractChallengeToken(certificate);
} }
public X509Certificate getSignedCertificateFromCSR(String binarySecurityToken, @Override
X509Certificate caCert, List certParameterList) public X509Certificate getSignedCertificateFromCSR(String binarySecurityToken) throws KeystoreException {
throws KeystoreException { return certificateGenerator.getSignedCertificateFromCSR(binarySecurityToken);
return certificateGenerator.getSignedCertificateFromCSR(binarySecurityToken, caCert, certParameterList);
} }
} }

@ -1427,7 +1427,7 @@
<properties> <properties>
<testng.version>6.1.1</testng.version> <testng.version>6.1.1</testng.version>
<carbon.kernel.version>4.4.1</carbon.kernel.version> <carbon.kernel.version>4.4.2</carbon.kernel.version>
<carbon.p2.plugin.version>1.5.4</carbon.p2.plugin.version> <carbon.p2.plugin.version>1.5.4</carbon.p2.plugin.version>
<maven-buildnumber-plugin.version>1.3</maven-buildnumber-plugin.version> <maven-buildnumber-plugin.version>1.3</maven-buildnumber-plugin.version>
