From 2a29339f0a02b0eac839f1a55ec6f9e2c34fbd46 Mon Sep 17 00:00:00 2001
From: tkellner <tkellner@8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4>
Date: Fri, 20 Dec 2013 17:28:32 +0000
Subject: Generate new CA Certificate when expired/not readable

git-svn-id: https://joinup.ec.europa.eu/svn/mocca/trunk@1270 8a26b1a7-26f0-462f-b9ef-d0e30c41f5a4
---
 .../java/at/gv/egiz/bku/webstart/Configurator.java | 32 +++++++++++++++++++
 .../java/at/gv/egiz/bku/webstart/Container.java    | 36 +++++++++++++---------
 2 files changed, 53 insertions(+), 15 deletions(-)

(limited to 'BKUWebStart')

diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java
index 551cf0af..db34198d 100644
--- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java
+++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Configurator.java
@@ -43,6 +43,9 @@ import java.net.URI;
 import java.net.URL;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.X509Certificate;
 import java.util.Enumeration;
 import java.util.Iterator;
 import java.util.UUID;
@@ -134,6 +137,11 @@ public class Configurator {
           zipOS.close();
           updateConfig(configDir);
         }
+        if (caCertificateUpdateRequired()) {
+          log.info("Creating new CA certificate");
+          createKeyStore(configDir);
+          certRenewed = true;
+        }
       }
     } else {
       initConfig(configDir);
@@ -345,6 +353,30 @@ public class Configurator {
     return true;
   }
 
+  private static boolean caCertificateUpdateRequired() {
+    String configDir = System.getProperty("user.home") + '/' + CONFIG_DIR;
+    File keystoreFile = new File(configDir, KEYSTORE_FILE);
+    File passwdFile = new File(configDir, PASSWD_FILE);
+    String passwd;
+    try {
+      passwd = Container.readPassword(passwdFile);
+    } catch (IOException e) {
+      log.error("Error reading password file", e);
+      return true;
+    }
+    X509Certificate cert = (X509Certificate) Container.getCACertificate(keystoreFile, passwd.toCharArray());
+    try {
+      cert.checkValidity();
+    } catch (CertificateExpiredException e) {
+      log.warn("CA Certificate expired");
+      return true;
+    } catch (CertificateNotYetValidException e) {
+      log.error("CA Certificate not yet valid");
+      return true;
+    }
+    return false;
+  }
+
   protected static void backup(File dir, URI relativeTo, ZipOutputStream zip, boolean doDelete) throws IOException {
     if (dir.isDirectory()) {
       File[] subDirs = dir.listFiles();
diff --git a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
index ad589a59..3769629e 100644
--- a/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
+++ b/BKUWebStart/src/main/java/at/gv/egiz/bku/webstart/Container.java
@@ -290,20 +290,26 @@ public class Container {
     server.join();
   }
 
-  private void loadCACertificate(File keystoreFile, char[] passwd) {
-    try {
-      if (log.isTraceEnabled()) {
-        log.trace("local ca certificate from " + keystoreFile);
-      }
-      BufferedInputStream bis = new BufferedInputStream(new FileInputStream(keystoreFile));
-      KeyStore sslKeyStore = KeyStore.getInstance("JKS");
-      sslKeyStore.load(bis, passwd);
-      Certificate[] sslChain = sslKeyStore.getCertificateChain(TLSServerCA.MOCCA_TLS_SERVER_ALIAS);
-      caCertificate = sslChain[sslChain.length - 1];
-      bis.close();
-    } catch (Exception ex) {
-      log.error("Failed to load local ca certificate", ex);
-      log.warn("automated web certificate installation will not be available");
-    }
+  private void loadCACertificate(File keystoreFile, char[] passwd) {
+    caCertificate = getCACertificate(keystoreFile, passwd);
+    if (caCertificate == null)
+      log.warn("automated web certificate installation will not be available");
+  }
+
+  protected static Certificate getCACertificate(File keystoreFile, char[] passwd) {
+    try {
+      if (log.isTraceEnabled()) {
+        log.trace("local ca certificate from " + keystoreFile);
+      }
+      BufferedInputStream bis = new BufferedInputStream(new FileInputStream(keystoreFile));
+      KeyStore sslKeyStore = KeyStore.getInstance("JKS");
+      sslKeyStore.load(bis, passwd);
+      Certificate[] sslChain = sslKeyStore.getCertificateChain(TLSServerCA.MOCCA_TLS_SERVER_ALIAS);
+      bis.close();
+      return sslChain[sslChain.length - 1];
+    } catch (Exception ex) {
+      log.error("Failed to load local ca certificate", ex);
+      return null;
+    }
   }
 }
-- 
cgit v1.2.3