X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=org.argeo.cms%2Fsrc%2Forg%2Fargeo%2Fcms%2Finternal%2Fruntime%2FPkiUtils.java;h=f47e544218456968cfeb7982031c9649589a3849;hb=76a8481ee26616efa0fa59838a93bcad937b2692;hp=a90d598912ceacfaa93eb49862c7a92d962960b1;hpb=dca2b13e0e3ca3e7a9469e089b980c48c880ad1a;p=lgpl%2Fargeo-commons.git
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/runtime/PkiUtils.java b/org.argeo.cms/src/org/argeo/cms/internal/runtime/PkiUtils.java
index a90d59891..f47e54421 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/runtime/PkiUtils.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/runtime/PkiUtils.java
@@ -12,6 +12,7 @@ import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.KeyStore;
+import java.security.KeyStore.TrustedCertificateEntry;
 import java.security.KeyStoreException;
 import java.security.PrivateKey;
 import java.security.SecureRandom;
@@ -21,6 +22,7 @@ import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Date;
+import java.util.Objects;
 import javax.security.auth.x500.X500Principal;
@@ -49,23 +51,37 @@ class PkiUtils {
 	private final static CmsLog log = CmsLog.getLog(PkiUtils.class);
-	public final static String PKCS12 = "PKCS12";
-	public static final String DEFAULT_KEYSTORE_PATH = KernelConstants.DIR_NODE + '/' + CmsConstants.NODE + ".p12";
+	final static String PKCS12 = "PKCS12";
+	final static String JKS = "JKS";
-	public static final String DEFAULT_PEM_KEY_PATH = KernelConstants.DIR_NODE + '/' + CmsConstants.NODE + ".key";
+	static final String DEFAULT_KEYSTORE_PATH = KernelConstants.DIR_PRIVATE + '/' + CmsConstants.NODE + ".p12";
-	public static final String DEFAULT_PEM_CERT_PATH = KernelConstants.DIR_NODE + '/' + CmsConstants.NODE + ".crt";
+	static final String DEFAULT_TRUSTSTORE_PATH = KernelConstants.DIR_PRIVATE + "/trusted.p12";
-	private final static String SECURITY_PROVIDER;
+	static final String DEFAULT_PEM_KEY_PATH = KernelConstants.DIR_PRIVATE + '/' + CmsConstants.NODE + ".key";
+
+	static final String DEFAULT_PEM_CERT_PATH = KernelConstants.DIR_PRIVATE + '/' + CmsConstants.NODE + ".crt";
+
+	static final String IPA_PEM_CA_CERT_PATH = "/etc/ipa/ca.crt";
+
+	static final String DEFAULT_KEYSTORE_PASSWORD = "changeit";
+
+	private final static String SUN_SECURITY_PROVIDER;
+	private final static String SUN_JSSE_SECURITY_PROVIDER;
+	private final static String BC_SECURITY_PROVIDER;
 	static {
 		Security.addProvider(new BouncyCastleProvider());
-		SECURITY_PROVIDER = "BC";
+		// BouncyCastle does not store trusted certificates properly
+		// TODO report it
+		BC_SECURITY_PROVIDER = "BC";
+		SUN_SECURITY_PROVIDER = "SUN";
+		SUN_JSSE_SECURITY_PROVIDER = "SunJSSE";
 	}
 	public static X509Certificate generateSelfSignedCertificate(KeyStore keyStore, X500Principal x500Principal, int keySize, char[] keyPassword) {
 		try {
-			KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", SECURITY_PROVIDER);
+			KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", BC_SECURITY_PROVIDER);
 			kpGen.initialize(keySize, new SecureRandom());
 			KeyPair pair = kpGen.generateKeyPair();
 			Date notBefore = new Date(System.currentTimeMillis() - 10000);
@@ -73,9 +89,9 @@ class PkiUtils {
 			BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
 			X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(x500Principal, serial, notBefore, notAfter, x500Principal, pair.getPublic());
-			ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(SECURITY_PROVIDER)
-					.build(pair.getPrivate());
-			X509Certificate cert = new JcaX509CertificateConverter().setProvider(SECURITY_PROVIDER)
+			ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
+					.setProvider(BC_SECURITY_PROVIDER).build(pair.getPrivate());
+			X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC_SECURITY_PROVIDER)
 					.getCertificate(certGen.build(sigGen));
 			cert.checkValidity(new Date());
 			cert.verify(cert.getPublicKey());
@@ -89,7 +105,7 @@ class PkiUtils {
 	public static KeyStore getKeyStore(Path keyStoreFile, char[] keyStorePassword, String keyStoreType) {
 		try {
-			KeyStore store = KeyStore.getInstance(keyStoreType, SECURITY_PROVIDER);
+			KeyStore store = KeyStore.getInstance(keyStoreType, SUN_JSSE_SECURITY_PROVIDER);
 			if (Files.exists(keyStoreFile)) {
 				try (InputStream fis = Files.newInputStream(keyStoreFile)) {
 					store.load(fis, keyStorePassword);
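Review bot: `DEFAULT_KEYSTORE_PASSWORD = "changeit"` puts a well-known default password next to the paths of the node keystore and truststore under `DIR_PRIVATE`; whether it is used as a fallback when no password is configured is decided outside this hunk, but a constant with that name invites exactly that, so it should carry a comment marking it as a placeholder, e.g. `// Conventional JDK truststore password; placeholder only, never a substitute for a configured password on a keystore holding the node's private key`, and callers that do fall back to it for the private keystore should log a warning. The new comment `// BouncyCastle does not store trusted certificates properly` / `// TODO report it` should say what actually fails (which keystore type and which call), otherwise the three-way split into `BC_SECURITY_PROVIDER`, `SUN_SECURITY_PROVIDER` and `SUN_JSSE_SECURITY_PROVIDER` cannot be safely undone later and the TODO is not actionable. The body of generateSelfSignedCertificate continues outside the hunk.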
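Review bot: `KeyStore.getInstance(keyStoreType, SUN_JSSE_SECURITY_PROVIDER)` hard-wires the SunJSSE provider for every keystore type, while the same commit adds `JKS = "JKS"` as a type constant; as far as I recall the JKS format is registered by the SUN provider and not by SunJSSE, so `getKeyStore(path, password, JKS)` would fail at provider lookup instead of opening the file. Either let the JDK pick the provider for the requested type, `KeyStore store = KeyStore.getInstance(keyStoreType);`, or choose the provider per type (SunJSSE for PKCS12, SUN for JKS) and document which types the method supports. The rest of getKeyStore, including where the thrown exception is handled, is outside the hunk.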
@@ -149,12 +165,24 @@ class PkiUtils {
 //		return bos.toByteArray();
 //	}
-	public static void loadPem(KeyStore keyStore, Reader key, char[] keyPassword, Reader cert) {
-		PrivateKey privateKey = loadPemPrivateKey(key, keyPassword);
-		X509Certificate certificate = loadPemCertificate(cert);
+	public static void loadPrivateCertificatePem(KeyStore keyStore, String alias, Reader key, char[] keyPassword,
+			Reader cert) {
+		Objects.requireNonNull(keyStore);
+		Objects.requireNonNull(key);
+		try {
+			X509Certificate certificate = loadPemCertificate(cert);
+			PrivateKey privateKey = loadPemPrivateKey(key, keyPassword);
+			keyStore.setKeyEntry(alias, privateKey, keyPassword, new java.security.cert.Certificate[] { certificate });
+		} catch (KeyStoreException e) {
+			throw new RuntimeException("Cannot store PEM certificate", e);
+		}
+	}
+
+	public static void loadTrustedCertificatePem(KeyStore keyStore,char[] keyStorePassword, Reader cert) {
 		try {
-			keyStore.setKeyEntry(certificate.getSubjectX500Principal().getName(), privateKey, keyPassword,
-					new java.security.cert.Certificate[] { certificate });
+			X509Certificate certificate = loadPemCertificate(cert);
+			TrustedCertificateEntry trustedCertificateEntry = new TrustedCertificateEntry(certificate);
+			keyStore.setEntry(certificate.getSubjectX500Principal().getName(), trustedCertificateEntry, null);
 		} catch (KeyStoreException e) {
 			throw new RuntimeException("Cannot store PEM certificate", e);
 		}
@@ -162,7 +190,7 @@ class PkiUtils {
 	public static PrivateKey loadPemPrivateKey(Reader reader, char[] keyPassword) {
 		try (PEMParser pemParser = new PEMParser(reader)) {
-			JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
+			JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BC_SECURITY_PROVIDER);
 			Object object = pemParser.readObject();
 			PrivateKeyInfo privateKeyInfo;
 			if (object instanceof PKCS8EncryptedPrivateKeyInfo) {
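Review bot: `loadTrustedCertificatePem(KeyStore keyStore,char[] keyStorePassword, Reader cert)` declares `keyStorePassword` but never reads it (the entry is stored with a `null` protection parameter, which is what a trusted certificate entry requires), and unlike its sibling `loadPrivateCertificatePem` it does no null checks; either drop the parameter or document why it is accepted, add `Objects.requireNonNull(keyStore); Objects.requireNonNull(cert);` at the top, and fix the missing space after the first comma. The trusted entry is keyed by `certificate.getSubjectX500Principal().getName()`, so loading a second certificate with the same subject — a CA and its successor during a rollover, for instance — silently replaces the first; a `keyStore.containsAlias(...)` check or at least a warning log would make that visible. `loadPrivateCertificatePem` stores the pair without checking that the private key matches the certificate's public key, and its Javadoc should state that `keyPassword` doubles as the entry's protection password in `setKeyEntry`; both new public methods currently have no Javadoc at all. The closing brace of loadTrustedCertificatePem lies outside the hunk.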
@@ -184,7 +212,7 @@ class PkiUtils {
 	public static X509Certificate loadPemCertificate(Reader reader) {
 		try (PEMParser pemParser = new PEMParser(reader)) {
 			X509CertificateHolder certHolder = (X509CertificateHolder) pemParser.readObject();
-			X509Certificate cert = new JcaX509CertificateConverter().setProvider(SECURITY_PROVIDER)
+			X509Certificate cert = new JcaX509CertificateConverter().setProvider(SUN_SECURITY_PROVIDER)
 					.getCertificate(certHolder);
 			return cert;
 		} catch (IOException | CertificateException e) {