| author | tkellner <tkellner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2013-12-20 17:28:32 +0000 | 
|---|---|---|
| committer | tkellner <tkellner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4> | 2013-12-20 17:28:32 +0000 | 
| commit | 2a29339f0a02b0eac839f1a55ec6f9e2c34fbd46 (patch) | |
| tree | 410ecd185a9ea5a11718269b9ad06a910e8422ff /BKUWebStart/src | |
| parent | 14870b6b5cdb8e5b1a7197e51bb0cd1639c48b5a (diff) | |
Generate new CA Certificate when expired/not readable
git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@1270 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
Diffstat (limited to 'BKUWebStart/src')
| -rw-r--r-- | BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java | 32 | ||||
| -rw-r--r-- | BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java | 36 | 
2 files changed, 53 insertions, 15 deletions
| diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java
 index 551cf0af..db34198d 100644
 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java
 +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java
 @@ -43,6 +43,9 @@ import java.net.URI;
  import java.net.URL;
  import java.security.GeneralSecurityException;
  import java.security.KeyStore;
 +import java.security.cert.CertificateExpiredException;
 +import java.security.cert.CertificateNotYetValidException;
 +import java.security.cert.X509Certificate;
  import java.util.Enumeration;
  import java.util.Iterator;
  import java.util.UUID;
 @@ -134,6 +137,11 @@ public class Configurator {
            zipOS.close();
            updateConfig(configDir);
          }
 +        if (caCertificateUpdateRequired()) {
 +          log.info("Creating new CA certificate");
 +          createKeyStore(configDir);
 +          certRenewed = true;
 +        }
        }
      } else {
        initConfig(configDir);
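Review bot: The new `caCertificateUpdateRequired()` call takes no argument, while `createKeyStore(configDir)` two lines later works on the caller's `configDir`; per the later Configurator hunk, the check rebuilds its own path from `user.home` and `CONFIG_DIR`. Passing the directory through, `if (caCertificateUpdateRequired(configDir)) {`, would guarantee that the keystore being validated is the same one that gets regenerated. The enclosing method starts and ends outside the hunk.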
@@ -345,6 +353,30 @@ public class Configurator {
      return true;
    }
 +  private static boolean caCertificateUpdateRequired() {
 +    String configDir = System.getProperty("user.home") + '/' + CONFIG_DIR;
 +    File keystoreFile = new File(configDir, KEYSTORE_FILE);
 +    File passwdFile = new File(configDir, PASSWD_FILE);
 +    String passwd;
 +    try {
 +      passwd = Container.readPassword(passwdFile);
 +    } catch (IOException e) {
 +      log.error("Error reading password file", e);
 +      return true;
 +    }
 +    X509Certificate cert = (X509Certificate) Container.getCACertificate(keystoreFile, passwd.toCharArray());
 +    try {
 +      cert.checkValidity();
 +    } catch (CertificateExpiredException e) {
 +      log.warn("CA Certificate expired");
 +      return true;
 +    } catch (CertificateNotYetValidException e) {
 +      log.error("CA Certificate not yet valid");
 +      return true;
 +    }
 +    return false;
 +  }
 +
    protected static void backup(File dir, URI relativeTo, ZipOutputStream zip, boolean doDelete) throws IOException {
      if (dir.isDirectory()) {
        File[] subDirs = dir.listFiles();
 diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
 index ad589a59..3769629e 100644
 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
 +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
 @@ -290,20 +290,26 @@ public class Container {
      server.join();
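Review bot: `Container.getCACertificate(...)` returns `null` when the keystore cannot be loaded (see its `catch (Exception ex)` in Container.java), so `cert.checkValidity()` in `caCertificateUpdateRequired()` throws a NullPointerException in exactly the "not readable" case the commit title targets, instead of triggering regeneration. Add `if (cert == null) { log.warn("CA certificate not readable"); return true; }` before the second `try`. The unchecked `(X509Certificate)` cast would likewise throw a ClassCastException if the keystore ever held a non-X.509 entry; an `instanceof` check could be folded into the same guard. Separately, the password is held in an immutable `String` before `toCharArray()`, so it cannot be wiped after use; that appears to follow from the return type of `readPassword`, which is not visible here.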
    }
 -  private void loadCACertificate(File keystoreFile, char[] passwd) {
 -    try {
 -      if (log.isTraceEnabled()) {
 -        log.trace("local ca certificate from " + keystoreFile);
 -      }
 -      BufferedInputStream bis = new BufferedInputStream(new FileInputStream(keystoreFile));
 -      KeyStore sslKeyStore = KeyStore.getInstance("JKS");
 -      sslKeyStore.load(bis, passwd);
 -      Certificate[] sslChain = sslKeyStore.getCertificateChain(TLSServerCA.MOCCA_TLS_SERVER_ALIAS);
 -      caCertificate = sslChain[sslChain.length - 1];
 -      bis.close();
 -    } catch (Exception ex) {
 -      log.error("Failed to load local ca certificate", ex);
 -      log.warn("automated web certificate installation will not be available");
 -    }
 +  private void loadCACertificate(File keystoreFile, char[] passwd) {
 +    caCertificate = getCACertificate(keystoreFile, passwd);
 +    if (caCertificate == null)
 +      log.warn("automated web certificate installation will not be available");
 +  }
 +
 +  protected static Certificate getCACertificate(File keystoreFile, char[] passwd) {
 +    try {
 +      if (log.isTraceEnabled()) {
 +        log.trace("local ca certificate from " + keystoreFile);
 +      }
 +      BufferedInputStream bis = new BufferedInputStream(new FileInputStream(keystoreFile));
 +      KeyStore sslKeyStore = KeyStore.getInstance("JKS");
 +      sslKeyStore.load(bis, passwd);
 +      Certificate[] sslChain = sslKeyStore.getCertificateChain(TLSServerCA.MOCCA_TLS_SERVER_ALIAS);
 +      bis.close();
 +      return sslChain[sslChain.length - 1];
 +    } catch (Exception ex) {
 +      log.error("Failed to load local ca certificate", ex);
 +      return null;
 +    }
    }
  }
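Review bot: In `getCACertificate`, `bis.close()` runs only on the success path, so a failed `sslKeyStore.load(bis, passwd)` (wrong password, corrupt file) leaves the `FileInputStream` open; the refactor carries this over from the old `loadCACertificate`. It matters more now because Configurator calls this helper to detect an unreadable keystore and then regenerates it, and a still-open handle may interfere with rewriting the file on some platforms (not verifiable from this page). Closing the stream in `finally` fixes this. An explicit check for a `null` or empty chain from `getCertificateChain` would replace the NullPointerException currently swallowed by `catch (Exception ex)` with a clear log message. The sketch below assumes `IOException` is already imported in Container.java.

```java
  protected static Certificate getCACertificate(File keystoreFile, char[] passwd) {
    BufferedInputStream bis = null;
    try {
      // … unchanged: trace logging …
      bis = new BufferedInputStream(new FileInputStream(keystoreFile));
      // … unchanged: KeyStore.getInstance("JKS"), load, getCertificateChain …
      if (sslChain == null || sslChain.length == 0) {
        log.error("No certificate chain found for the TLS server alias in " + keystoreFile);
        return null;
      }
      return sslChain[sslChain.length - 1];
    } catch (Exception ex) {
      // … unchanged: error log, return null …
    } finally {
      if (bis != null) {
        try {
          bis.close();
        } catch (IOException ex) {
          log.debug("Failed to close keystore stream", ex);
        }
      }
    }
  }
```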
 | 
