diff options
Diffstat (limited to 'src/com/gitblit/utils/X509Utils.java')
| -rw-r--r-- | src/com/gitblit/utils/X509Utils.java | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/src/com/gitblit/utils/X509Utils.java b/src/com/gitblit/utils/X509Utils.java index e6ffec1a..e27d7bc8 100644 --- a/src/com/gitblit/utils/X509Utils.java +++ b/src/com/gitblit/utils/X509Utils.java @@ -232,6 +232,13 @@ public class X509Utils { saveCertificate(caCert, new File(caKeyStore.getParentFile(), "ca.cer"));
}
+ // Gitblit CRL
+ File caRevocationList = new File(folder, CA_REVOCATION_LIST);
+ if (!caRevocationList.exists()) {
+ logger.info(MessageFormat.format("Generating {0} CRL ({1})", CA_CN, caRevocationList.getAbsolutePath()));
+ newCertificateRevocationList(caRevocationList, caKeyStore, metadata.password);
+ }
+
// rename the old keystore to the new name
File oldKeyStore = new File(folder, "keystore");
if (oldKeyStore.exists()) {
@@ -602,6 +609,55 @@ public class X509Utils { }
/**
+ * Creates a new certificate revocation list (CRL). This function will
+ * destroy any existing CRL file.
+ *
+ * @param caRevocationList
+ * @param storeFile
+ * @param keystorePassword
+ * @return
+ */
+ public static void newCertificateRevocationList(File caRevocationList, File caKeystoreFile, String caKeystorePassword) {
+ try {
+ // read the Gitblit CA key and certificate
+ KeyStore store = openKeyStore(caKeystoreFile, caKeystorePassword);
+ PrivateKey caPrivateKey = (PrivateKey) store.getKey(CA_FN, caKeystorePassword.toCharArray());
+ X509Certificate caCert = (X509Certificate) store.getCertificate(CA_FN);
+
+ X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName());
+ X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerDN, new Date());
+
+ // build and sign CRL with CA private key
+ ContentSigner signer = new JcaContentSignerBuilder("SHA1WithRSA").setProvider(BC).build(caPrivateKey);
+ X509CRLHolder crl = crlBuilder.build(signer);
+
+ File tmpFile = new File(caRevocationList.getParentFile(), Long.toHexString(System.currentTimeMillis()) + ".tmp");
+ FileOutputStream fos = null;
+ try {
+ fos = new FileOutputStream(tmpFile);
+ fos.write(crl.getEncoded());
+ fos.flush();
+ fos.close();
+ if (caRevocationList.exists()) {
+ caRevocationList.delete();
+ }
+ tmpFile.renameTo(caRevocationList);
+
+ log(caRevocationList.getParentFile(), "new certificate revocation list created");
+ } finally {
+ if (fos != null) {
+ fos.close();
+ }
+ if (tmpFile.exists()) {
+ tmpFile.delete();
+ }
+ }
+ } catch (Exception e) {
+ throw new RuntimeException("Failed to create new certificate revocation list " + caRevocationList, e);
+ }
+ }
+
+ /**
* Imports a certificate into the trust store.
*
* @param alias
|