From 2a29339f0a02b0eac839f1a55ec6f9e2c34fbd46 Mon Sep 17 00:00:00 2001
From: tkellner
Date: Fri, 20 Dec 2013 17:28:32 +0000
Subject: Generate new CA Certificate when expired/not readable

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@1270 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 .../java/at/gv/egiz/bku/webstart/Configurator.java | 32 +++++++++++++++++++
 .../java/at/gv/egiz/bku/webstart/Container.java    | 36 +++++++++++++---------
 2 files changed, 53 insertions(+), 15 deletions(-)

diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java
index 551cf0af..db34198d 100644
--- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java
+++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java
@@ -43,6 +43,9 @@ import java.net.URI;
 import java.net.URL;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
 import java.util.Enumeration;
 import java.util.Iterator;
 import java.util.UUID;
@@ -134,6 +137,11 @@ public class Configurator {
         zipOS.close();
         updateConfig(configDir);
       }
+      if (caCertificateUpdateRequired()) {
+        log.info("Creating new CA certificate");
+        createKeyStore(configDir);
+        certRenewed = true;
+      }
     }
   } else {
     initConfig(configDir);
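Review bot: `caCertificateUpdateRequired()` is called without the `configDir` that `createKeyStore(configDir)` receives on the next line, while the helper (hunk @@ -345 of this file) rebuilds the directory itself from `user.home` and `CONFIG_DIR`. If those two paths can ever differ, the validity check inspects one keystore and the regeneration writes another; passing the directory through, `if (caCertificateUpdateRequired(configDir)) {` with a matching `File` parameter on the helper, keeps the check and the rewrite on the same files. The enclosing method starts and ends outside this hunk, so I cannot see whether `configDir` is always the `user.home`-derived path here.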
@@ -345,6 +353,30 @@ public class Configurator {
     return true;
   }
 
+  private static boolean caCertificateUpdateRequired() {
+    String configDir = System.getProperty("user.home") + '/' + CONFIG_DIR;
+    File keystoreFile = new File(configDir, KEYSTORE_FILE);
+    File passwdFile = new File(configDir, PASSWD_FILE);
+    String passwd;
+    try {
+      passwd = Container.readPassword(passwdFile);
+    } catch (IOException e) {
+      log.error("Error reading password file", e);
+      return true;
+    }
+    X509Certificate cert = (X509Certificate) Container.getCACertificate(keystoreFile, passwd.toCharArray());
+    try {
+      cert.checkValidity();
+    } catch (CertificateExpiredException e) {
+      log.warn("CA Certificate expired");
+      return true;
+    } catch (CertificateNotYetValidException e) {
+      log.error("CA Certificate not yet valid");
+      return true;
+    }
+    return false;
+  }
+
   protected static void backup(File dir, URI relativeTo, ZipOutputStream zip, boolean doDelete) throws IOException {
     if (dir.isDirectory()) {
       File[] subDirs = dir.listFiles();
diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
index ad589a59..3769629e 100644
--- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
+++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
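Review bot: `cert.checkValidity()` dereferences a value that `Container.getCACertificate` returns as `null` on every load failure (see its `catch (Exception ex)` in the Container.java hunk), so the "not readable" case named in the commit subject ends in a NullPointerException instead of triggering regeneration. Add a guard before the validity check: `if (cert == null) { log.warn("CA certificate not readable, regenerating"); return true; }`. The `(X509Certificate)` cast would likewise throw if the stored chain is not X.509, which a `cert instanceof X509Certificate` check could fold into the same branch, although the keystore content is not visible here. Note also that `checkValidity()` only reports a certificate that has already expired, so the first TLS connection after expiry still sees a stale CA until this code runs; a renewal window before `getNotAfter()` would avoid that gap.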
@@ -290,20 +290,26 @@ public class Container {
     server.join();
   }
 
-  private void loadCACertificate(File keystoreFile, char[] passwd) {
-    try {
-      if (log.isTraceEnabled()) {
-        log.trace("local ca certificate from " + keystoreFile);
-      }
-      BufferedInputStream bis = new BufferedInputStream(new FileInputStream(keystoreFile));
-      KeyStore sslKeyStore = KeyStore.getInstance("JKS");
-      sslKeyStore.load(bis, passwd);
-      Certificate[] sslChain = sslKeyStore.getCertificateChain(TLSServerCA.MOCCA_TLS_SERVER_ALIAS);
-      caCertificate = sslChain[sslChain.length - 1];
-      bis.close();
-    } catch (Exception ex) {
-      log.error("Failed to load local ca certificate", ex);
-      log.warn("automated web certificate installation will not be available");
-    }
+  private void loadCACertificate(File keystoreFile, char[] passwd) {
+    caCertificate = getCACertificate(keystoreFile, passwd);
+    if (caCertificate == null)
+      log.warn("automated web certificate installation will not be available");
+  }
+
+  protected static Certificate getCACertificate(File keystoreFile, char[] passwd) {
+    try {
+      if (log.isTraceEnabled()) {
+        log.trace("local ca certificate from " + keystoreFile);
+      }
+      BufferedInputStream bis = new BufferedInputStream(new FileInputStream(keystoreFile));
+      KeyStore sslKeyStore = KeyStore.getInstance("JKS");
+      sslKeyStore.load(bis, passwd);
+      Certificate[] sslChain = sslKeyStore.getCertificateChain(TLSServerCA.MOCCA_TLS_SERVER_ALIAS);
+      bis.close();
+      return sslChain[sslChain.length - 1];
+    } catch (Exception ex) {
+      log.error("Failed to load local ca certificate", ex);
+      return null;
+    }
   }
 }
-- 
cgit v1.2.3
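Review bot: In the extracted `getCACertificate`, `bis.close()` is only reached on the success path; when `load` fails (wrong password, corrupt file) or `getCertificateChain` returns `null` for the alias, the exception jumps to the catch block and the `FileInputStream` leaks, which the old code did as well but is worth fixing now that the method is also called from Configurator for a check that may run on every start. A missing alias surfaces as a NullPointerException on `sslChain[sslChain.length - 1]` and is logged as a generic load failure, so an explicit empty-chain check gives a clearer message. The unbraced `if` in `loadCACertificate` is also the kind of one-liner the project's other `if` blocks brace.
```java
protected static Certificate getCACertificate(File keystoreFile, char[] passwd) {
  try {
    // … unchanged: trace logging …
    BufferedInputStream bis = new BufferedInputStream(new FileInputStream(keystoreFile));
    try {
      KeyStore sslKeyStore = KeyStore.getInstance("JKS");
      sslKeyStore.load(bis, passwd);
      Certificate[] sslChain = sslKeyStore.getCertificateChain(TLSServerCA.MOCCA_TLS_SERVER_ALIAS);
      if (sslChain == null || sslChain.length == 0) {
        log.error("No certificate chain for alias " + TLSServerCA.MOCCA_TLS_SERVER_ALIAS);
        return null;
      }
      return sslChain[sslChain.length - 1];
    } finally {
      bis.close();
    }
  } catch (Exception ex) {
    // … unchanged: error logging, return null …
  }
}
```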