From 61366ba8efcc0cf3d36438e9ee26228e7bc66174 Mon Sep 17 00:00:00 2001 From: clemenso Date: Fri, 12 Jun 2009 12:42:05 +0000 Subject: BKU Web Start git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@361 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../java/at/gv/egiz/bku/webstart/TLSServerCA.java | 138 +++++++++++++++++++++ 1 file changed, 138 insertions(+) create mode 100644 BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java (limited to 'BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java') diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java new file mode 100644 index 00000000..97ca716b --- /dev/null +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java @@ -0,0 +1,138 @@ +package at.gv.egiz.bku.webstart; + +import iaik.asn1.CodingException; +import iaik.asn1.ObjectID; +import iaik.asn1.structures.AlgorithmID; +import iaik.asn1.structures.GeneralName; +import iaik.asn1.structures.GeneralNames; +import iaik.asn1.structures.Name; +import iaik.x509.X509Certificate; +import iaik.x509.extensions.AuthorityKeyIdentifier; +import iaik.x509.extensions.BasicConstraints; +import iaik.x509.extensions.ExtendedKeyUsage; +import iaik.x509.extensions.KeyUsage; + +import iaik.x509.extensions.SubjectAltName; +import iaik.x509.extensions.SubjectKeyIdentifier; +import java.io.IOException; +import java.math.BigInteger; +import java.net.InetAddress; +import java.net.UnknownHostException; +import java.security.GeneralSecurityException; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.NoSuchAlgorithmException; +import java.util.Calendar; +import java.util.GregorianCalendar; +import java.util.Random; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +public class TLSServerCA { + public static final int CA_VALIDITY_Y = 3; + public static final int SERVER_VALIDITY_Y = 3; + private final static Log log = LogFactory.getLog(TLSServerCA.class); + + private KeyPair caKeyPair; + private X509Certificate caCert; + + private KeyPair serverKeyPair; + private X509Certificate serverCert; + + private KeyPair generateKeyPair() throws NoSuchAlgorithmException { + KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA"); + gen.initialize(2048); + return gen.generateKeyPair(); + } + + private void generateCACert() throws GeneralSecurityException, CodingException { + log.debug("generating MOCCA CA certificate"); + Name subject = new Name(); + subject.addRDN(ObjectID.country, "AT"); + subject.addRDN(ObjectID.organization, "MOCCA"); + subject.addRDN(ObjectID.organizationalUnit, "MOCCA TLS Server CA"); + + caKeyPair = generateKeyPair(); + caCert = new X509Certificate(); + caCert.setSerialNumber(new BigInteger(20, new Random())); + caCert.setSubjectDN(subject); + caCert.setPublicKey(caKeyPair.getPublic()); + caCert.setIssuerDN(subject); + + caCert.addExtension(new SubjectKeyIdentifier(caKeyPair.getPublic())); + + caCert.addExtension(new BasicConstraints(true)); + caCert.addExtension(new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign + | KeyUsage.digitalSignature)); + + GregorianCalendar date = new GregorianCalendar(); + date.add(Calendar.HOUR_OF_DAY, -1); + caCert.setValidNotBefore(date.getTime()); + date.add(Calendar.YEAR, CA_VALIDITY_Y); + caCert.setValidNotAfter(date.getTime()); + caCert.sign(AlgorithmID.sha1WithRSAEncryption, caKeyPair.getPrivate()); + + log.debug("successfully generated MOCCA TLS Server CA certificate " + caCert.getSubjectDN()); + } + + private void generateServerCert() throws GeneralSecurityException, CodingException { + log.debug("generating MOCCA server certificate"); + Name subject = new Name(); + subject.addRDN(ObjectID.country, "AT"); + subject.addRDN(ObjectID.organization, "MOCCA"); + subject.addRDN(ObjectID.organizationalUnit, "MOCCA TLS Server"); + subject.addRDN(ObjectID.commonName, "localhost"); + subject.addRDN(ObjectID.commonName, "127.0.0.1"); + + serverKeyPair = generateKeyPair(); + serverCert = new X509Certificate(); + serverCert.setSerialNumber(new BigInteger(20, new Random())); + serverCert.setSubjectDN(subject); + serverCert.setPublicKey(serverKeyPair.getPublic()); + serverCert.setIssuerDN(caCert.getSubjectDN()); + + serverCert.addExtension(new SubjectKeyIdentifier(serverKeyPair.getPublic())); + byte[] aki = new SubjectKeyIdentifier(caCert.getPublicKey()).get(); + serverCert.addExtension(new AuthorityKeyIdentifier(aki)); + + serverCert.addExtension(new ExtendedKeyUsage(ExtendedKeyUsage.serverAuth)); + + GeneralNames altNames = new GeneralNames(); + altNames.addName(new GeneralName(GeneralName.dNSName, "localhost")); + altNames.addName(new GeneralName(GeneralName.dNSName, "127.0.0.1")); + altNames.addName(new GeneralName(GeneralName.iPAddress, "127.0.0.1")); + serverCert.addExtension(new SubjectAltName(altNames)); + + serverCert.addExtension(new BasicConstraints(false)); + serverCert.addExtension(new KeyUsage(KeyUsage.keyEncipherment + | KeyUsage.digitalSignature)); + + GregorianCalendar date = new GregorianCalendar(); + date.add(Calendar.HOUR_OF_DAY, -1); + serverCert.setValidNotBefore(date.getTime()); + date.add(Calendar.YEAR,SERVER_VALIDITY_Y); + date.add(Calendar.HOUR_OF_DAY, -1); + serverCert.setValidNotAfter(date.getTime()); + serverCert.sign(AlgorithmID.sha1WithRSAEncryption, caKeyPair.getPrivate()); + + log.debug("successfully generated MOCCA TLS Server certificate " + serverCert.getSubjectDN()); + caKeyPair = null; + } + + public KeyStore generateKeyStore(char[] password) throws GeneralSecurityException, IOException, CodingException { +// try { + generateCACert(); + generateServerCert(); + KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(null, null); + ks.setKeyEntry("server", serverKeyPair.getPrivate(), password, new X509Certificate[]{serverCert, caCert}); + return ks; +// } catch (Exception e) { +// log.error("Cannot generate certificate", e); +// } +// return null; + } + +} -- cgit v1.2.3 From 145003155c05e915b900989a27cef1271398164b Mon Sep 17 00:00:00 2001 From: clemenso Date: Wed, 26 Aug 2009 17:31:32 +0000 Subject: MOCCA TLS Server CA cert installation servlet removed help.jsp (and jsp dependencies in jetty) moved html pages to src/main/webapp (encoding problem?) switch to BASIC download protocol in BKUWebStart (no jnlpDownloadServlet required, see template.xml) git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@474 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java') diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java index 97ca716b..fd94958e 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java @@ -32,6 +32,7 @@ import org.apache.commons.logging.LogFactory; public class TLSServerCA { public static final int CA_VALIDITY_Y = 3; + public static final String MOCCA_TLS_SERVER_ALIAS = "server"; public static final int SERVER_VALIDITY_Y = 3; private final static Log log = LogFactory.getLog(TLSServerCA.class); @@ -127,7 +128,7 @@ public class TLSServerCA { generateServerCert(); KeyStore ks = KeyStore.getInstance("JKS"); ks.load(null, null); - ks.setKeyEntry("server", serverKeyPair.getPrivate(), password, new X509Certificate[]{serverCert, caCert}); + ks.setKeyEntry(MOCCA_TLS_SERVER_ALIAS, serverKeyPair.getPrivate(), password, new X509Certificate[]{serverCert, caCert}); return ks; // } catch (Exception e) { // log.error("Cannot generate certificate", e); -- cgit v1.2.3 From dd04951a76fc6406755a94ecf547c0797f062fa2 Mon Sep 17 00:00:00 2001 From: clemenso Date: Fri, 28 Aug 2009 17:53:01 +0000 Subject: replace installCertificate servlet with der encoded crt file in webapp/ moved local-webstart profile to BKUWebStart (jnlp-inline goal) help note for internet explorer on visat/7 git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@482 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java') diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java index fd94958e..08a06570 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java @@ -64,9 +64,13 @@ public class TLSServerCA { caCert.addExtension(new SubjectKeyIdentifier(caKeyPair.getPublic())); - caCert.addExtension(new BasicConstraints(true)); - caCert.addExtension(new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign - | KeyUsage.digitalSignature)); + BasicConstraints bc = new BasicConstraints(true); + bc.setCritical(true); + caCert.addExtension(bc); + KeyUsage ku = new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign + | KeyUsage.digitalSignature); + ku.setCritical(true); + caCert.addExtension(ku); GregorianCalendar date = new GregorianCalendar(); date.add(Calendar.HOUR_OF_DAY, -1); -- cgit v1.2.3 From bd070e82c276afb8c1c3a9ddc3b5712783760881 Mon Sep 17 00:00:00 2001 From: mcentner Date: Tue, 29 Sep 2009 17:36:06 +0000 Subject: Logging issues fixed: - Added possibility to configure logging of BKUWebstart. Logging is now configured from log4j configuration deployed with BKUWebstart in a first step. In a second step the webstart launcher looks for a log4j configuration file in the user's mooca configuration directory and updates the log4j configuration. - Logging of IAIK PKI properly initialized. IAIK PKI does not mess with the log4j configuration any longer. - Changed log4j accordingly (an appender is now needed as IAIK PKI does not reconfigure log4j any longer). Added css-stylesheet to ErrorResponses issued by the BKU to improve the presentation to the user. Changed dependencies of BKUWebStart (see Issue#469 https://egovlabs.gv.at/tracker/index.php?func=detail&aid=469&group_id=13&atid=134). DataURLConnection now uses the request encoding of SL < 1.2. application/x-www-form-urlencoded is now used as default encoding method. multipart/form-data is used only if transfer parameters are present in the request that require a Content-Type parameter. This can only be set with multipart/form-data. This is not in conformance with SL 1.2, however it should improve compatibility with applications. Therefore, removed the ability to configure the DataURLConnection implementation class. DataURLConnection now uses a streaming implementation for encoding of application/x-www-form-urlencoded requests. XWWWFormUrlImputDecoder now uses a streaming implementation for decoding of application/x-www-form-urlencoded requests. Fixed Bug in SLResultPart that caused a binary response to be provided as parameter "XMLResponse" in a multipart/form-data encoded request to DataURL. SLCommandFactory now supports unmarshalling of SL < 1.2 requests in order issue meaningful error messages. Therefore, the marshaling context for response marshaling had to be separated from the marshaling context for requests in order to avoid the marshaling of SL < 1.2 namespace prefixes in SL 1.2 responses. Target attribute in QualifiedProperties is now marshaled. (see Issue#470 https://egovlabs.gv.at/tracker/index.php?func=detail&aid=470&group_id=13&atid=134) Reporting of XML validation errors improved. git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@510 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4 --- .../src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java') diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java index 08a06570..745042f8 100644 --- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java +++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/TLSServerCA.java @@ -16,8 +16,6 @@ import iaik.x509.extensions.SubjectAltName; import iaik.x509.extensions.SubjectKeyIdentifier; import java.io.IOException; import java.math.BigInteger; -import java.net.InetAddress; -import java.net.UnknownHostException; import java.security.GeneralSecurityException; import java.security.KeyPair; import java.security.KeyPairGenerator; @@ -27,14 +25,15 @@ import java.util.Calendar; import java.util.GregorianCalendar; import java.util.Random; -import org.apache.commons.logging.Log; -import org.apache.commons.logging.LogFactory; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + public class TLSServerCA { public static final int CA_VALIDITY_Y = 3; public static final String MOCCA_TLS_SERVER_ALIAS = "server"; public static final int SERVER_VALIDITY_Y = 3; - private final static Log log = LogFactory.getLog(TLSServerCA.class); + private final static Logger log = LoggerFactory.getLogger(TLSServerCA.class); private KeyPair caKeyPair; private X509Certificate caCert; -- cgit v1.2.3