SDK: Add ca extension when issue CA certificates (#2277)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
@@ -23,6 +23,10 @@ import java.util.Objects;
|
|||||||
import javax.security.auth.x500.X500Principal;
|
import javax.security.auth.x500.X500Principal;
|
||||||
|
|
||||||
import lombok.Data;
|
import lombok.Data;
|
||||||
|
import org.bouncycastle.asn1.x509.BasicConstraints;
|
||||||
|
import org.bouncycastle.asn1.x509.Extension;
|
||||||
|
import org.bouncycastle.asn1.x509.X509Extension;
|
||||||
|
import org.bouncycastle.cert.CertIOException;
|
||||||
import org.bouncycastle.cert.X509v3CertificateBuilder;
|
import org.bouncycastle.cert.X509v3CertificateBuilder;
|
||||||
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
|
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
|
||||||
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
|
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
|
||||||
@@ -70,24 +74,14 @@ public class CA {
|
|||||||
return issue(subject, null, null);
|
return issue(subject, null, null);
|
||||||
}
|
}
|
||||||
|
|
||||||
// generate key and issue a certificate
|
// generate key and issue a CA certificate
|
||||||
|
public CA issueCA(final String subject, final Date notBefore, final Date notAfter) throws CertificateException {
|
||||||
|
return new CA(issue(subject, notBefore, notAfter, true));
|
||||||
|
}
|
||||||
|
|
||||||
|
// generate key and issue an end certificate
|
||||||
public Certificate issue(final String subject, final Date notBefore, final Date notAfter) throws CertificateException {
|
public Certificate issue(final String subject, final Date notBefore, final Date notAfter) throws CertificateException {
|
||||||
Objects.requireNonNull(subject);
|
return issue(subject, notBefore, notAfter, false);
|
||||||
try {
|
|
||||||
final KeyPair keyPair = genKey();
|
|
||||||
final X509Certificate[] certificateChain = certificate.getCertificateChain();
|
|
||||||
final ContentSigner signer = new JcaContentSignerBuilder(SHA_256_WITH_RSA_ENCRYPTION).build(certificate.getKeyPair().getPrivate());
|
|
||||||
final X509v3CertificateBuilder caCertBuilder = new JcaX509v3CertificateBuilder(
|
|
||||||
certificateChain[0].getSubjectX500Principal(),
|
|
||||||
BigInteger.valueOf(nextSerial++), notBefore(notBefore), notAfter(notAfter), new X500Principal(subject),
|
|
||||||
keyPair.getPublic());
|
|
||||||
final X509Certificate[] subjectCertificateChain = new X509Certificate[certificateChain.length + 1];
|
|
||||||
certificateChain[0] = new JcaX509CertificateConverter().getCertificate(caCertBuilder.build(signer));
|
|
||||||
System.arraycopy(certificateChain, 0, subjectCertificateChain, 1, certificateChain.length);
|
|
||||||
return new Certificate(keyPair, subjectCertificateChain);
|
|
||||||
} catch (final NoSuchAlgorithmException | OperatorCreationException e) {
|
|
||||||
throw new CertificateException(e);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public String getFingerprint() {
|
public String getFingerprint() {
|
||||||
@@ -99,6 +93,28 @@ public class CA {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private Certificate issue(final String subject, final Date notBefore, final Date notAfter, final boolean ca) throws CertificateException {
|
||||||
|
Objects.requireNonNull(subject);
|
||||||
|
try {
|
||||||
|
final KeyPair keyPair = genKey();
|
||||||
|
final X509Certificate[] certificateChain = certificate.getCertificateChain();
|
||||||
|
final ContentSigner signer = new JcaContentSignerBuilder(SHA_256_WITH_RSA_ENCRYPTION).build(certificate.getKeyPair().getPrivate());
|
||||||
|
final X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
|
||||||
|
certificateChain[0].getSubjectX500Principal(),
|
||||||
|
BigInteger.valueOf(nextSerial++), notBefore(notBefore), notAfter(notAfter), new X500Principal(subject),
|
||||||
|
keyPair.getPublic());
|
||||||
|
if (ca) {
|
||||||
|
certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));
|
||||||
|
}
|
||||||
|
final X509Certificate[] subjectCertificateChain = new X509Certificate[certificateChain.length + 1];
|
||||||
|
subjectCertificateChain[0] = new JcaX509CertificateConverter().getCertificate(certBuilder.build(signer));
|
||||||
|
System.arraycopy(certificateChain, 0, subjectCertificateChain, 1, certificateChain.length);
|
||||||
|
return new Certificate(keyPair, subjectCertificateChain);
|
||||||
|
} catch (final NoSuchAlgorithmException | OperatorCreationException | CertIOException e) {
|
||||||
|
throw new CertificateException(e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
private static String toHex(final byte[] bytes) {
|
private static String toHex(final byte[] bytes) {
|
||||||
final StringBuilder sb = new StringBuilder();
|
final StringBuilder sb = new StringBuilder();
|
||||||
for (final byte b : bytes) {
|
for (final byte b : bytes) {
|
||||||
@@ -115,8 +131,9 @@ public class CA {
|
|||||||
final ContentSigner selfSigner = new JcaContentSignerBuilder(SHA_256_WITH_RSA_ENCRYPTION).build(keyPair.getPrivate());
|
final ContentSigner selfSigner = new JcaContentSignerBuilder(SHA_256_WITH_RSA_ENCRYPTION).build(keyPair.getPrivate());
|
||||||
final X509v3CertificateBuilder caCertBuilder = new JcaX509v3CertificateBuilder(
|
final X509v3CertificateBuilder caCertBuilder = new JcaX509v3CertificateBuilder(
|
||||||
caPrincipal, BigInteger.valueOf(0L), notBefore(notBefore), notAfter(notAfter), caPrincipal, keyPair.getPublic());
|
caPrincipal, BigInteger.valueOf(0L), notBefore(notBefore), notAfter(notAfter), caPrincipal, keyPair.getPublic());
|
||||||
|
caCertBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));
|
||||||
return new Certificate(keyPair, new X509Certificate[] { new JcaX509CertificateConverter().getCertificate(caCertBuilder.build(selfSigner)) });
|
return new Certificate(keyPair, new X509Certificate[] { new JcaX509CertificateConverter().getCertificate(caCertBuilder.build(selfSigner)) });
|
||||||
} catch (final NoSuchAlgorithmException | OperatorCreationException e) {
|
} catch (final NoSuchAlgorithmException | OperatorCreationException | CertIOException e) {
|
||||||
throw new CertificateException(e);
|
throw new CertificateException(e);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
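Review bot: The basicConstraints extension added in the private `issue` method, `certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));`, and the matching call on `caCertBuilder` for the self-signed root in the following hunk are both marked non-critical, whereas RFC 5280 §4.2.1.9 requires a conforming CA to mark basicConstraints critical in CA certificates; the second argument should be `true` in both places. The issued CA certificate also carries no keyUsage extension, so nothing in the certificate states that the key is meant for signing certificates; adding `certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));` inside the `if (ca)` block (and the same on `caCertBuilder` for the root, with an import of `org.bouncycastle.asn1.x509.KeyUsage`) would make the intended role explicit to validators. Certificates issued with `ca == false` get no basicConstraints at all, which RFC 5280 permits for end-entity certificates but is worth stating in the `// generate key and issue an end certificate` comment. The `X509Extension` import added in the first hunk appears unused in the visible code, since only `Extension` is referenced, though it may be used elsewhere in the file.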
@@ -62,7 +62,7 @@ public class AuthenticationSetupHelper {
|
|||||||
CA ddiCA = tenant.getDdiCA();
|
CA ddiCA = tenant.getDdiCA();
|
||||||
if (ddiCA == null) {
|
if (ddiCA == null) {
|
||||||
final CA ddiRootCA = new CA();
|
final CA ddiRootCA = new CA();
|
||||||
ddiCA = new CA(ddiRootCA.issue(CA.DEFAULT_INTERMEDIATE_CA_DN, null, null));
|
ddiCA = ddiRootCA.issueCA(CA.DEFAULT_INTERMEDIATE_CA_DN, null, null);
|
||||||
tenant.setDdiCA(ddiCA);
|
tenant.setDdiCA(ddiCA);
|
||||||
}
|
}
|
||||||
if (!Boolean.TRUE.equals(Objects.requireNonNull(mgmtTenantManagementRestApi
|
if (!Boolean.TRUE.equals(Objects.requireNonNull(mgmtTenantManagementRestApi
|
||||||
@@ -104,18 +104,16 @@ public class AuthenticationSetupHelper {
|
|||||||
.getBody()).getValue()))) {
|
.getBody()).getValue()))) {
|
||||||
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_ENABLED, true));
|
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_ENABLED, true));
|
||||||
}
|
}
|
||||||
if (!gatewayToken.equals(
|
if (!gatewayToken.equals(Objects.requireNonNull(mgmtTenantManagementRestApi
|
||||||
Objects.requireNonNull(mgmtTenantManagementRestApi
|
.getTenantConfigurationValue(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY)
|
||||||
.getTenantConfigurationValue(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY)
|
.getBody()).getValue())) {
|
||||||
.getBody()).getValue())) {
|
|
||||||
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, gatewayToken));
|
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, gatewayToken));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// if gateway token is configured then the gateway auth is enabled key is set
|
// if gateway token is configured then the gateway auth is enabled, so all devices use gateway token authentication.
|
||||||
// so all devices use gateway token authentication
|
// otherwise, target token authentication is enabled - then all devices shall be registered and the target token shall be set to the one from
|
||||||
// otherwise target token authentication is enabled. Then all devices shall be registered
|
// the DDI controller instance
|
||||||
// and the target token shall be set to the one from the DDI controller instance
|
|
||||||
public void setupTargetAuthentication() {
|
public void setupTargetAuthentication() {
|
||||||
final String gatewayToken = tenant.getGatewayToken();
|
final String gatewayToken = tenant.getGatewayToken();
|
||||||
if (ObjectUtils.isEmpty(gatewayToken)) {
|
if (ObjectUtils.isEmpty(gatewayToken)) {
|
||||||
|
|||||||
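Review bot: The rewrapped condition `if (!gatewayToken.equals(Objects.requireNonNull(mgmtTenantManagementRestApi ... .getBody()).getValue()))` places the null-checked lookup inside the `equals` argument across three lines, and the same lookup shape already appears in the preceding condition for the enabled flag. Pulling the lookup into a local first, e.g. `final Object configuredToken = Objects.requireNonNull(mgmtTenantManagementRestApi.getTenantConfigurationValue(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY).getBody()).getValue();` followed by `if (!gatewayToken.equals(configuredToken)) {`, reads more directly, and a small private helper taking the configuration key would remove the duplication between the two conditions. The method enclosing this hunk begins before it. The rewritten comment above `setupTargetAuthentication` is now one very long line; breaking it before "otherwise" would keep the same wording within the usual column limit.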