X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fruntime%2FPkiUtils.java;h=f47e544218456968cfeb7982031c9649589a3849;hb=494e505f8d0e4972bdb61297595c5f09207fdfbb;hp=3acc95eedef8f632163dc97662cd4b2a4aa1d8b5;hpb=8302ed5e76967f1d618b59ebe4ae11223e5037c3;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/runtime/PkiUtils.java b/org.argeo.cms/src/org/argeo/cms/internal/runtime/PkiUtils.java
index 3acc95eed..f47e54421 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/runtime/PkiUtils.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/runtime/PkiUtils.java
@@ -22,6 +22,7 @@ import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Date;
+import java.util.Objects;
 
 import javax.security.auth.x500.X500Principal;
 
@@ -53,32 +54,34 @@ class PkiUtils {
 final static String PKCS12 = "PKCS12";
 final static String JKS = "JKS";
- static final String DEFAULT_KEYSTORE_PATH = KernelConstants.DIR_NODE + '/' + CmsConstants.NODE + ".p12";
+ static final String DEFAULT_KEYSTORE_PATH = KernelConstants.DIR_PRIVATE + '/' + CmsConstants.NODE + ".p12";
- static final String DEFAULT_TRUSTSTORE_PATH = KernelConstants.DIR_NODE + "/trusted.p12";
+ static final String DEFAULT_TRUSTSTORE_PATH = KernelConstants.DIR_PRIVATE + "/trusted.p12";
- static final String DEFAULT_PEM_KEY_PATH = KernelConstants.DIR_NODE + '/' + CmsConstants.NODE + ".key";
+ static final String DEFAULT_PEM_KEY_PATH = KernelConstants.DIR_PRIVATE + '/' + CmsConstants.NODE + ".key";
- static final String DEFAULT_PEM_CERT_PATH = KernelConstants.DIR_NODE + '/' + CmsConstants.NODE + ".crt";
+ static final String DEFAULT_PEM_CERT_PATH = KernelConstants.DIR_PRIVATE + '/' + CmsConstants.NODE + ".crt";
 static final String IPA_PEM_CA_CERT_PATH = "/etc/ipa/ca.crt";
 static final String DEFAULT_KEYSTORE_PASSWORD = "changeit";
- private final static String SECURITY_PROVIDER;
- private final static String BC_PROVIDER;
+ private final static String SUN_SECURITY_PROVIDER;
+ private final static String SUN_JSSE_SECURITY_PROVIDER;
+ private final static String BC_SECURITY_PROVIDER;
 static {
 Security.addProvider(new BouncyCastleProvider());
 // BouncyCastle does not store trusted certificates properly
 // TODO report it
- BC_PROVIDER = "BC";
- SECURITY_PROVIDER = "SUN";
+ BC_SECURITY_PROVIDER = "BC";
+ SUN_SECURITY_PROVIDER = "SUN";
+ SUN_JSSE_SECURITY_PROVIDER = "SunJSSE";
 }
 public static X509Certificate generateSelfSignedCertificate(KeyStore keyStore, X500Principal x500Principal, int keySize, char[] keyPassword) {
 try {
- KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", SECURITY_PROVIDER);
+ KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", BC_SECURITY_PROVIDER);
 kpGen.initialize(keySize, new SecureRandom());
 KeyPair pair = 
kpGen.generateKeyPair();
 Date notBefore = new Date(System.currentTimeMillis() - 10000);
@@ -86,9 +89,9 @@ class PkiUtils {
 BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
 X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(x500Principal, serial, notBefore, notAfter,
 x500Principal, pair.getPublic());
- ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(SECURITY_PROVIDER)
- .build(pair.getPrivate());
- X509Certificate cert = new JcaX509CertificateConverter().setProvider(SECURITY_PROVIDER)
+ ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
+ .setProvider(BC_SECURITY_PROVIDER).build(pair.getPrivate());
+ X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC_SECURITY_PROVIDER)
 .getCertificate(certGen.build(sigGen));
 cert.checkValidity(new Date());
 cert.verify(cert.getPublicKey());
@@ -102,7 +105,7 @@ class PkiUtils {
 public static KeyStore getKeyStore(Path keyStoreFile, char[] keyStorePassword, String keyStoreType) {
 try {
- KeyStore store = KeyStore.getInstance(keyStoreType, "SunJSSE");
+ KeyStore store = KeyStore.getInstance(keyStoreType, SUN_JSSE_SECURITY_PROVIDER);
 if (Files.exists(keyStoreFile)) {
 try (InputStream fis = Files.newInputStream(keyStoreFile)) {
 store.load(fis, keyStorePassword);
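Review bot: The three provider names added in the -53 hunk are plain string literals, yet they are declared without initializers and assigned inside the static block; `private static final String BC_SECURITY_PROVIDER = "BC";` (and likewise `"SUN"` and `"SunJSSE"`) declared inline would make them compile-time constants and leave the static block to the one statement that needs it, `Security.addProvider(new BouncyCastleProvider());`. While touching these declarations, the class mixes `final static` and `static final` on neighbouring fields; settling on `static final` would match the path constants in the same hunk. The comment "BouncyCastle does not store trusted certificates properly" now also explains why the keystore in getKeyStore comes from SunJSSE while key generation and signing come from BC, so it would serve readers better placed next to the PKCS12/JKS constants it actually concerns. generateSelfSignedCertificate continues past the end of this hunk.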
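Review bot: After the -86 hunk, `JcaX509CertificateConverter` is configured with `BC_SECURITY_PROVIDER` for the freshly signed certificate, while the -202 hunk in loadPemCertificate configures the same converter with `SUN_SECURITY_PROVIDER`, and nothing records why the same conversion is routed to two different providers. The earlier comment about BouncyCastle not storing trusted certificates properly concerns keystores, not certificate conversion, so it does not obviously justify the split. A one-line comment at each of the two sites stating the reason for that provider choice would stop the next maintainer from "harmonising" one of them and silently changing which implementation validates the certificate. generateSelfSignedCertificate starts before this hunk and continues after it.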
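Review bot: `KeyStore.getInstance(keyStoreType, SUN_JSSE_SECURITY_PROVIDER)` in the -102 hunk pins the provider for whatever `keyStoreType` the caller passes, yet the class also declares the `JKS` constant; as far as I know the JKS format is registered by the SUN provider and not by SunJSSE, so a JKS request would fail at this line with NoSuchAlgorithmException instead of falling back. If PKCS12 is the only type meant to go through here, say so with `// SunJSSE only registers PKCS12; a JKS store would need SUN_SECURITY_PROVIDER` above the call, or choose the provider from the type. The remainder of getKeyStore lies outside the hunk.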
@@ -162,17 +165,24 @@ class PkiUtils {
 // return bos.toByteArray();
 // }
- public static void loadPem(KeyStore keyStore, Reader key, char[] keyPassword, Reader cert) {
+ public static void loadPrivateCertificatePem(KeyStore keyStore, String alias, Reader key, char[] keyPassword,
+ Reader cert) {
+ Objects.requireNonNull(keyStore);
+ Objects.requireNonNull(key);
 try {
 X509Certificate certificate = loadPemCertificate(cert);
- if (key != null) {
- PrivateKey privateKey = loadPemPrivateKey(key, keyPassword);
- keyStore.setKeyEntry(certificate.getSubjectX500Principal().getName(), privateKey, keyPassword,
- new java.security.cert.Certificate[] { certificate });
- } else {
- TrustedCertificateEntry trustedCertificateEntry = new TrustedCertificateEntry(certificate);
- keyStore.setEntry(certificate.getSubjectX500Principal().getName(), trustedCertificateEntry, null);
- }
+ PrivateKey privateKey = loadPemPrivateKey(key, keyPassword);
+ keyStore.setKeyEntry(alias, privateKey, keyPassword, new java.security.cert.Certificate[] { certificate });
+ } catch (KeyStoreException e) {
+ throw new RuntimeException("Cannot store PEM certificate", e);
+ }
+ }
+
+ public static void loadTrustedCertificatePem(KeyStore keyStore,char[] keyStorePassword, Reader cert) {
+ try {
+ X509Certificate certificate = loadPemCertificate(cert);
+ TrustedCertificateEntry trustedCertificateEntry = new TrustedCertificateEntry(certificate);
+ keyStore.setEntry(certificate.getSubjectX500Principal().getName(), trustedCertificateEntry, null);
 } catch (KeyStoreException e) {
 throw new RuntimeException("Cannot store PEM certificate", e);
 }
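Review bot: The new `loadTrustedCertificatePem` takes a `keyStorePassword` parameter that its body never reads — the entry is still stored with `setEntry(..., null)` — so a caller will reasonably assume the password protects the trusted entry when it does nothing; either drop the parameter or document why it is accepted, and fix the missing space in `KeyStore keyStore,char[] keyStorePassword`. It also lacks the `Objects.requireNonNull(keyStore);` guard its sibling gained in the same hunk, so a null keystore surfaces as an NPE from inside `setEntry` rather than at the entry point. In `loadPrivateCertificatePem`, `alias` is a new caller-supplied value that is stored unchecked; `Objects.requireNonNull(alias, "alias");` next to the two existing guards would fail early with a clear message instead of from within `setKeyEntry`.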
@@ -180,7 +190,7 @@ class PkiUtils {
 public static PrivateKey loadPemPrivateKey(Reader reader, char[] keyPassword) {
 try (PEMParser pemParser = new PEMParser(reader)) {
- JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BC_PROVIDER);
+ JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BC_SECURITY_PROVIDER);
 Object object = pemParser.readObject();
 PrivateKeyInfo privateKeyInfo;
 if (object instanceof PKCS8EncryptedPrivateKeyInfo) {
@@ -202,7 +212,7 @@ class PkiUtils {
 public static X509Certificate loadPemCertificate(Reader reader) {
 try (PEMParser pemParser = new PEMParser(reader)) {
 X509CertificateHolder certHolder = (X509CertificateHolder) pemParser.readObject();
- X509Certificate cert = new JcaX509CertificateConverter().setProvider(SECURITY_PROVIDER)
+ X509Certificate cert = new JcaX509CertificateConverter().setProvider(SUN_SECURITY_PROVIDER)
 .getCertificate(certHolder);
 return cert;
 } catch (IOException | CertificateException e) {