check CRLs when verifying a cert; add action that generates a CSR

d-shapiro · d-shapiro · commit 6d077e655bd5 · 2018-07-31T12:41:56.000-07:00
diff --git a/dslink-v2/build.gradle b/dslink-v2/build.gradle
@@ -4,6 +4,8 @@ artifacts {
 }
 
 dependencies {
+	compile 'org.bouncycastle:bcprov-jdk15on:+'
+	compile 'org.bouncycastle:bcpkix-jdk15on:+'
     testImplementation 'junit:junit:[4.12,)'
 }
 
diff --git a/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/AnonymousTrustFactory.java b/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/AnonymousTrustFactory.java
@@ -1,6 +1,8 @@
 package com.acuity.iot.dsa.dslink.sys.cert;
 
 import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
 import java.security.Provider;
 import java.security.Security;
 import java.security.cert.CertificateException;
@@ -147,10 +149,15 @@ public void checkServerTrusted(X509Certificate[] chain, String authType)
         private void checkLocally(X509Certificate[] chain, String authType) throws CertificateException {
             Set<X509Certificate> chainAsSet = new HashSet<X509Certificate>();
             Collections.addAll(chainAsSet, chain);
+            X509Certificate anchorCert;
             try {
-                PKIXCertPathBuilderResult result = CertificateVerifier.verifyCertificate(chain[0], chainAsSet);
-                TrustAnchor anchor = result.getTrustAnchor();
-                X509Certificate anchorCert = anchor.getTrustedCert();
+                if (CertificateVerifier.isSelfSigned(chain[0])) {
+                    anchorCert = chain[0];
+                } else {
+                    PKIXCertPathBuilderResult result = CertificateVerifier.verifyCertificate(chain[0], chainAsSet);
+                    TrustAnchor anchor = result.getTrustAnchor();
+                    anchorCert = anchor.getTrustedCert();
+                }
                 
                 if (anchorCert == null) {
                     throw new CertificateException();
@@ -163,6 +170,10 @@ private void checkLocally(X509Certificate[] chain, String authType) throws Certi
                 
             } catch (CertificateVerificationException e1) {
                 throw new CertificateException();
+            } catch (NoSuchAlgorithmException e) {
+                throw new CertificateException();
+            } catch (NoSuchProviderException e) {
+                throw new CertificateException();
             }
         }
 
diff --git a/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/CRLVerifier.java b/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/CRLVerifier.java
@@ -0,0 +1,189 @@
+package com.acuity.iot.dsa.dslink.sys.cert;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.security.cert.CRLException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Hashtable;
+import java.util.List;
+ 
+import javax.naming.Context;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+ 
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.DERIA5String;
+import org.bouncycastle.asn1.DEROctetString;
+import org.bouncycastle.asn1.x509.CRLDistPoint;
+import org.bouncycastle.asn1.x509.DistributionPoint;
+import org.bouncycastle.asn1.x509.DistributionPointName;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.X509Extensions;
+ 
+/**
+ * Class that verifies CRLs for given X509 certificate. Extracts the CRL
+ * distribution points from the certificate (if available) and checks the
+ * certificate revocation status against the CRLs coming from the
+ * distribution points. Supports HTTP, HTTPS, FTP and LDAP based URLs.
+ * 
+ * @author Svetlin Nakov
+ */
+public class CRLVerifier {
+ 
+    /**
+     * Extracts the CRL distribution points from the certificate (if available)
+     * and checks the certificate revocation status against the CRLs coming from
+     * the distribution points. Supports HTTP, HTTPS, FTP and LDAP based URLs.
+     * 
+     * @param cert the certificate to be checked for revocation
+     * @throws CertificateVerificationException if the certificate is revoked
+     */
+    public static void verifyCertificateCRLs(X509Certificate cert)
+            throws CertificateVerificationException {
+        try {
+            List<String> crlDistPoints = getCrlDistributionPoints(cert);
+            for (String crlDP : crlDistPoints) {
+                X509CRL crl = downloadCRL(crlDP);
+                if (crl.isRevoked(cert)) {
+                    throw new CertificateVerificationException(
+                            "The certificate is revoked by CRL: " + crlDP);
+                }
+            }
+        } catch (Exception ex) {
+            if (ex instanceof CertificateVerificationException) {
+                throw (CertificateVerificationException) ex;
+            } else {
+                throw new CertificateVerificationException(
+                        "Can not verify CRL for certificate: " + 
+                        cert.getSubjectX500Principal());
+            }
+        }
+    }
+ 
+    /**
+     * Downloads CRL from given URL. Supports http, https, ftp and ldap based URLs.
+     */
+    private static X509CRL downloadCRL(String crlURL) throws IOException,
+            CertificateException, CRLException,
+            CertificateVerificationException, NamingException {
+        if (crlURL.startsWith("http://") || crlURL.startsWith("https://")
+                || crlURL.startsWith("ftp://")) {
+            X509CRL crl = downloadCRLFromWeb(crlURL);
+            return crl;
+        } else if (crlURL.startsWith("ldap://")) {
+            X509CRL crl = downloadCRLFromLDAP(crlURL);
+            return crl;
+        } else {
+            throw new CertificateVerificationException(
+                    "Can not download CRL from certificate " +
+                    "distribution point: " + crlURL);
+        }
+    }
+ 
+    /**
+     * Downloads a CRL from given LDAP url, e.g.
+     * ldap://ldap.infonotary.com/dc=identity-ca,dc=infonotary,dc=com
+     */
+    private static X509CRL downloadCRLFromLDAP(String ldapURL) 
+            throws CertificateException, NamingException, CRLException, 
+            CertificateVerificationException {
+        Hashtable<String , String> env = new Hashtable<String , String>();
+        env.put(Context.INITIAL_CONTEXT_FACTORY, 
+                "com.sun.jndi.ldap.LdapCtxFactory");
+        env.put(Context.PROVIDER_URL, ldapURL);
+ 
+        DirContext ctx = new InitialDirContext(env);
+        Attributes avals = ctx.getAttributes("");
+        Attribute aval = avals.get("certificateRevocationList;binary");
+        byte[] val = (byte[])aval.get();
+        if ((val == null) || (val.length == 0)) {
+            throw new CertificateVerificationException(
+                    "Can not download CRL from: " + ldapURL);
+        } else {
+            InputStream inStream = new ByteArrayInputStream(val);
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            X509CRL crl = (X509CRL)cf.generateCRL(inStream);
+            return crl;
+        }
+    }
+     
+    /**
+     * Downloads a CRL from given HTTP/HTTPS/FTP URL, e.g.
+     * http://crl.infonotary.com/crl/identity-ca.crl
+     */
+    private static X509CRL downloadCRLFromWeb(String crlURL)
+            throws MalformedURLException, IOException, CertificateException,
+            CRLException {
+        URL url = new URL(crlURL);
+        InputStream crlStream = url.openStream();
+        try {
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            X509CRL crl = (X509CRL) cf.generateCRL(crlStream);
+            return crl;
+        } finally {
+            crlStream.close();
+        }
+    }
+ 
+    /**
+     * Extracts all CRL distribution point URLs from the "CRL Distribution Point"
+     * extension in a X.509 certificate. If CRL distribution point extension is
+     * unavailable, returns an empty list. 
+     */
+    public static List<String> getCrlDistributionPoints(
+            X509Certificate cert) throws CertificateParsingException, IOException {
+        byte[] crldpExt = cert.getExtensionValue(
+                X509Extensions.CRLDistributionPoints.getId());
+        if (crldpExt == null) {
+            List<String> emptyList = new ArrayList<String>();
+            return emptyList;
+        }
+        ASN1InputStream oAsnInStream = new ASN1InputStream(
+                new ByteArrayInputStream(crldpExt));
+        ASN1Primitive derObjCrlDP = oAsnInStream.readObject();
+        DEROctetString dosCrlDP = (DEROctetString) derObjCrlDP;
+        byte[] crldpExtOctets = dosCrlDP.getOctets();
+        ASN1InputStream oAsnInStream2 = new ASN1InputStream(
+                new ByteArrayInputStream(crldpExtOctets));
+        ASN1Primitive derObj2 = oAsnInStream2.readObject();
+        CRLDistPoint distPoint = CRLDistPoint.getInstance(derObj2);
+        
+        oAsnInStream.close();
+        oAsnInStream2.close();
+        
+        List<String> crlUrls = new ArrayList<String>();
+        for (DistributionPoint dp : distPoint.getDistributionPoints()) {
+            DistributionPointName dpn = dp.getDistributionPoint();
+            // Look for URIs in fullName
+            if (dpn != null) {
+                if (dpn.getType() == DistributionPointName.FULL_NAME) {
+                    GeneralName[] genNames = GeneralNames.getInstance(
+                        dpn.getName()).getNames();
+                    // Look for an URI
+                    for (int j = 0; j < genNames.length; j++) {
+                        if (genNames[j].getTagNo() == GeneralName.uniformResourceIdentifier) {
+                            String url = DERIA5String.getInstance(
+                                genNames[j].getName()).getString();
+                            crlUrls.add(url);
+                        }
+                    }
+                }
+            }
+        }
+        return crlUrls;
+    }
+ 
+}
diff --git a/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/CertificateVerifier.java b/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/CertificateVerifier.java
@@ -77,7 +77,7 @@ public static PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert,
              
             // Check whether the certificate is revoked by the CRL
             // given in its CRL distribution point extension
-//            CRLVerifier.verifyCertificateCRLs(cert); //TODO
+            CRLVerifier.verifyCertificateCRLs(cert);
      
             // The chain is built and verified. Return it as a result
             return verifiedCertChain;
diff --git a/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/SysCertManager.java b/dslink-v2/src/main/java/com/acuity/iot/dsa/dslink/sys/cert/SysCertManager.java
@@ -1,13 +1,41 @@
 package com.acuity.iot.dsa.dslink.sys.cert;
 
 import java.io.File;
+import java.io.IOException;
+import java.io.StringWriter;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
+import java.time.format.ResolverStyle;
+import java.util.Iterator;
+import javax.security.auth.x500.X500Principal;
+import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS10CertificationRequest;
+import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
+import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
 import org.iot.dsa.node.DSBool;
+import org.iot.dsa.node.DSIValue;
 import org.iot.dsa.node.DSInfo;
+import org.iot.dsa.node.DSMap;
 import org.iot.dsa.node.DSNode;
 import org.iot.dsa.node.DSString;
+import org.iot.dsa.node.DSValueType;
+import org.iot.dsa.node.action.ActionInvocation;
+import org.iot.dsa.node.action.ActionResult;
+import org.iot.dsa.node.action.ActionSpec;
+import org.iot.dsa.node.action.ActionSpec.ResultType;
+import org.iot.dsa.node.action.ActionValues;
+import org.iot.dsa.node.action.DSAbstractAction;
+import org.iot.dsa.node.action.DSAction;
+import org.iot.dsa.node.action.DSActionValues;
 import org.iot.dsa.security.DSPasswordAes128;
+import org.iot.dsa.util.DSException;
 
 /**
  * Certificate management for the whole process.  This is basically a stub for future
@@ -28,6 +56,7 @@ public class SysCertManager extends DSNode {
     private static final String CERTFILE_TYPE = "Cert_File_Type";
     private static final String LOCAL_TRUSTSTORE = "Local_Truststore";
     private static final String QUARANTINE = "Quarantine";
+    private static final String GENERATE_CSR = "Generate_Certificate_Signing_Request";
 
     // Fields
     // ------
@@ -37,6 +66,7 @@ public class SysCertManager extends DSNode {
     private DSInfo keystore = getInfo(CERTFILE);
     private DSInfo keystorePass = getInfo(CERTFILE_PASS);
     private DSInfo keystoreType = getInfo(CERTFILE_TYPE);
+    private DSInfo generateCSR = getInfo(GENERATE_CSR);
     private CertCollection localTruststore; 
     private CertCollection quarantine;
 
@@ -80,6 +110,24 @@ public void declareDefaults() {
         declareDefault(CERTFILE_PASS, DSPasswordAes128.valueOf("dsarocks"));
         declareDefault(LOCAL_TRUSTSTORE, new CertCollection());
         declareDefault(QUARANTINE, new CertCollection()).setTransient(true);
+        declareDefault(GENERATE_CSR, getGenerateCSRAction());
+    }
+    
+    private DSAbstractAction getGenerateCSRAction() {
+        DSAbstractAction act = new DSAbstractAction() {
+            
+            @Override
+            public void prepareParameter(DSInfo info, DSMap parameter) {
+            }
+            
+            @Override
+            public ActionResult invoke(DSInfo info, ActionInvocation invocation) {
+                return ((SysCertManager) info.getParent()).generateCSR(info);
+            }
+        };
+        act.setResultType(ResultType.VALUES);
+        act.addValueResult("CSR", DSValueType.STRING);
+        return act;
     }
 
     private String getCertFilePass() {
@@ -150,5 +198,44 @@ public void allow(DSInfo certInfo) {
         getLocalTruststore().addCertificate(name, certStr);
     }
     
+    private ActionResult generateCSR(DSInfo actionInfo) {
+        KeyPairGenerator keyGen;
+        try {
+            keyGen = KeyPairGenerator.getInstance("RSA");
+        } catch (NoSuchAlgorithmException e) {
+            DSException.throwRuntime(e);
+            return null;
+        }
+        keyGen.initialize(2048, new SecureRandom());
+        KeyPair pair = keyGen.generateKeyPair();
+        PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(
+            new X500Principal("CN=dslink-java-v2"), pair.getPublic());
+        JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256withRSA");
+        ContentSigner signer;
+        try {
+            signer = csBuilder.build(pair.getPrivate());
+        } catch (OperatorCreationException e) {
+            DSException.throwRuntime(e);
+            return null;
+        }
+        PKCS10CertificationRequest csr = p10Builder.build(signer);
+        StringWriter str = new StringWriter();
+        JcaPEMWriter pemWriter = new JcaPEMWriter(str);
+        try {
+            pemWriter.writeObject(csr);
+        } catch (IOException e) {
+            DSException.throwRuntime(e);
+            return null;
+        } finally {
+            try {
+                pemWriter.close();
+                str.close();
+            } catch (IOException e) {
+                DSException.throwRuntime(e);
+                return null;
+            }
+        }
+        return new DSActionValues(actionInfo.getAction()).addResult(DSString.valueOf(str));
+    }
 
 }

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,8 @@ artifacts {`
`4`	`4`	`}`
`5`	`5`
`6`	`6`	`dependencies {`
	`7`	`+ compile 'org.bouncycastle:bcprov-jdk15on:+'`
	`8`	`+ compile 'org.bouncycastle:bcpkix-jdk15on:+'`
`7`	`9`	`testImplementation 'junit:junit:[4.12,)'`
`8`	`10`	`}`
`9`	`11`