• Home
• org.graylog2
• graylog2-server
• 5.2.11
• source code
• CertutilCsrSign.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.graylog.security.certutil.CertutilCsrSign Maven / Gradle / Ivy

/*
 * Copyright (C) 2020 Graylog, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the Server Side Public License, version 1,
 * as published by MongoDB, Inc.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * Server Side Public License for more details.
 *
 * You should have received a copy of the Server Side Public License
 * along with this program. If not, see
 * .
 */
package org.graylog.security.certutil;

import com.github.rvesse.airline.annotations.Command;
import com.github.rvesse.airline.annotations.Option;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.graylog.security.certutil.console.CommandLineConsole;
import org.graylog.security.certutil.console.SystemConsole;
import org.graylog.security.certutil.csr.CsrSigner;
import org.graylog.security.certutil.csr.storage.CsrFileStorage;
import org.graylog.security.certutil.csr.storage.CsrStorage;
import org.graylog2.bootstrap.CliCommand;

import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import static org.graylog.security.certutil.CertConstants.CA_KEY_ALIAS;
import static org.graylog.security.certutil.CertConstants.PKCS12;


@Command(name = "csrsign", description = "Signs a CSR using the given CA", groupNames = {"certutil"})
public class CertutilCsrSign implements CliCommand {
    @Option(name = "--ca", description = "Filename for the CA keystore")
    protected String caKeystoreFilename = "datanode-ca.p12";

    @Option(name = "--csrFile", description = "The CSR to sign")
    protected String csrFilename = "csr.csr";

    @Option(name = "--certFile", description = "Filename for the signed certificate")
    protected String certFilename = "datanode-cert.p12";

    private final CommandLineConsole console;

    private final CsrStorage csrStorage;

    public static final CommandLineConsole.Prompt PROMPT_ENTER_CA_PASSWORD = CommandLineConsole.prompt("Enter CA password: ");
    public static final CommandLineConsole.Prompt PROMPT_ENTER_CERTIFICATE_VALIDITY_IN_DAYS = CommandLineConsole.prompt("Enter certificate validity in days: ");

    public CertutilCsrSign() {
        this.console = new SystemConsole();
        this.csrStorage = new CsrFileStorage(csrFilename);
    }

    public CertutilCsrSign(String caKeystoreFilename, String csrFilename, String certFilename, CommandLineConsole console) {
        this.caKeystoreFilename = caKeystoreFilename;
        this.certFilename = certFilename;
        this.csrStorage = new CsrFileStorage(csrFilename);
        this.console = console;
    }

    @Override
    public void run() {
        console.printLine("This tool will generate a data-node certificate for HTTP communication (REST API)");

        // we'll use our own generated CA
            console.printLine("Generating a HTTP certificate signed by the datanode CA");

            final Path caKeystorePath = Path.of(caKeystoreFilename);
            console.printLine("Using certificate authority " + caKeystorePath.toAbsolutePath());

            try {
                char[] password = console.readPassword(PROMPT_ENTER_CA_PASSWORD);
                KeyStore caKeystore = KeyStore.getInstance(PKCS12);
                caKeystore.load(new FileInputStream(caKeystoreFilename), password);

                final PrivateKey caPrivateKey = (PrivateKey) caKeystore.getKey(CA_KEY_ALIAS, password);
                final X509Certificate caCertificate = (X509Certificate) caKeystore.getCertificate(CA_KEY_ALIAS);
                final var csr = csrStorage.readCsr();
                final int validityDays = console.readInt(PROMPT_ENTER_CERTIFICATE_VALIDITY_IN_DAYS);

                final var cert = new CsrSigner().sign(caPrivateKey, caCertificate, csr, validityDays);

                final Path certPath = Path.of(certFilename);
                writePem(certPath, cert);

                console.printLine("Certificate written to file " + certPath.toAbsolutePath());

                // TODO: provide good user-friendly error message for each exception type!
            } catch (KeyStoreException | IOException | CertificateException | NoSuchAlgorithmException |
                     UnrecoverableKeyException e) {
                throw new RuntimeException(e);
            } catch (Exception e) {
                throw new RuntimeException(e);
            }

    }

    private static void writePem(Path path, Object object) throws IOException {
        FileWriter writer = new FileWriter(path.toFile(), StandardCharsets.UTF_8);
        JcaPEMWriter pemWriter = new JcaPEMWriter(writer);
        pemWriter.writeObject(object);
        pemWriter.flush();
        pemWriter.close();
    }
}