/*
* Copyright 2017-2018 floragunn GmbH
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
package com.floragunn.searchguard.tools.tlstool.tasks;
import java.io.File;
import java.io.IOException;
import java.security.KeyPair;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import com.floragunn.searchguard.tools.tlstool.Config;
import com.floragunn.searchguard.tools.tlstool.Context;
import com.floragunn.searchguard.tools.tlstool.ToolException;
public class CreateClientCsr extends CreateClientCertificateBase {

    /** Key usage bits requested for a client certificate; flagged critical in the CSR. */
    private static final int CLIENT_KEY_USAGE =
            KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment;

    // Number of CSRs written by all instances so far. Plain static counter, not
    // synchronized — assumes tasks run one after another; confirm against the runner.
    private static int generatedCsrCount = 0;

    // Becomes true once any instance had to auto-generate a private key password.
    private static boolean passwordAutoGenerated = false;

    /**
     * Creates a task that emits a PKCS#10 request and an encrypted private key for one client.
     *
     * @param ctx          tool context supplying the target directory and signature defaults
     * @param clientConfig the client entry whose DN, key size and password settings are used
     */
    public CreateClientCsr(Context ctx, Config.Client clientConfig) {
        super(ctx, clientConfig);
    }

    /**
     * Generates a key pair, builds the CSR and queues the output files.
     *
     * <p>Outputs: {@code <client>.key} (the private key, handed to the base class together
     * with its password via addEncryptedOutputFile), {@code <client>.csr}, and — only when the
     * password was auto-generated — a block appended to {@code client-csr.readme}. That block
     * comes from createPasswordInfo and presumably contains the generated password in clear,
     * so the target directory should be handled as sensitive until the key is moved.
     *
     * <p>Nothing is written if checkFileOverwrite declines to replace existing files.
     *
     * @throws ToolException wrapping an I/O failure or a signer-construction failure
     */
    @Override
    public void run() throws ToolException {
        try {
            File keyFile = targetFile(getClientFileName(clientConfig) + ".key");
            File requestFile = targetFile(getClientFileName(clientConfig) + ".csr");
            File passwordReadme = targetFile("client-csr.readme");

            if (!checkFileOverwrite("csr", clientConfig.getDn(), keyFile, requestFile)) {
                return;
            }

            KeyPair keyPair = generateKeyPair(clientConfig.getKeysize());
            org.bouncycastle.pkcs.PKCS10CertificationRequest request = buildRequest(keyPair);

            String keyPassword = getPassword(clientConfig.getPkPassword());
            addEncryptedOutputFile(keyFile, keyPassword, keyPair.getPrivate());
            addOutputFile(requestFile, request);

            if (isPasswordAutoGenerationEnabled(clientConfig.getPkPassword())) {
                // Tell the operator where the generated password lives (see createPasswordInfo).
                appendOutputFile(passwordReadme, createPasswordInfo(keyFile, keyPassword));
                passwordAutoGenerated = true;
            }

            generatedCsrCount += 1;
        } catch (OperatorCreationException | IOException e) {
            throw new ToolException("Error while composing certificate", e);
        }
    }

    /**
     * Builds the PKCS#10 request for {@code keyPair}, signed with the client's own private key.
     *
     * <p>Key usage and extended key usage (clientAuth) travel as an extensionRequest attribute
     * and are marked critical; the issuing CA decides whether to honour them.
     *
     * @param keyPair the freshly generated client key pair
     * @return the signed certification request
     * @throws IOException               if the extension set cannot be encoded
     * @throws OperatorCreationException if no signer exists for the configured algorithm
     */
    private org.bouncycastle.pkcs.PKCS10CertificationRequest buildRequest(KeyPair keyPair)
            throws IOException, OperatorCreationException {
        PKCS10CertificationRequestBuilder requestBuilder = new JcaPKCS10CertificationRequestBuilder(
                createDn(clientConfig.getDn(), "client"), keyPair.getPublic());

        ExtensionsGenerator extensions = new ExtensionsGenerator();
        extensions.addExtension(Extension.keyUsage, true, new KeyUsage(CLIENT_KEY_USAGE));
        extensions.addExtension(Extension.extendedKeyUsage, true,
                new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
        requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest,
                extensions.generate());

        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(
                ctx.getConfig().getDefaults().getSignatureAlgorithm());
        ContentSigner contentSigner = signerBuilder.build(keyPair.getPrivate());
        return requestBuilder.build(contentSigner);
    }

    /** Resolves {@code name} inside the tool's target directory. */
    private File targetFile(String name) {
        return new File(ctx.getTargetDirectory(), name);
    }

    /**
     * Returns how many CSRs have been written by this task class so far.
     *
     * @return the CSR count accumulated across all instances
     */
    public static int getGeneratedCsrCount() {
        return generatedCsrCount;
    }

    /**
     * Reports whether any instance had to auto-generate a private key password.
     *
     * @return {@code true} once a generated password has been recorded in the readme
     */
    public static boolean isPasswordAutoGenerated() {
        return passwordAutoGenerated;
    }
}