1 files changed, 62 insertions, 6 deletions

diff --git a/src/com/gitblit/utils/X509Utils.java b/src/com/gitblit/utils/X509Utils.java
index 24afb8d9..cfad9ec0 100644
--- a/src/com/gitblit/utils/X509Utils.java
+++ b/src/com/gitblit/utils/X509Utils.java
@@ -111,6 +111,12 @@ public class X509Utils {
 

 	private static final String BC = org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME;

 	

+	private static final int KEY_LENGTH = 2048;

+	

+	private static final String KEY_ALGORITHM = "RSA";

+	

+	private static final String SIGNING_ALGORITHM = "SHA512withRSA";

+	

 	public static final boolean unlimitedStrength;

 	

 	private static final Logger logger = LoggerFactory.getLogger(X509Utils.class);

@@ -183,6 +189,9 @@ public class X509Utils {
 		// displayname of user for README in bundle

 		public String userDisplayname;

 

+		// serialnumber of generated or read certificate

+		public String serialNumber;

+

 		public X509Metadata(String cn, String pwd) {

 			if (StringUtils.isEmpty(cn)) {

 				throw new RuntimeException("Common name required!");

@@ -472,8 +481,8 @@ public class X509Utils {
 	 * @throws Exception

 	 */

 	private static KeyPair newKeyPair() throws Exception {

-		KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", BC);

-		kpGen.initialize(2048, new SecureRandom());

+		KeyPairGenerator kpGen = KeyPairGenerator.getInstance(KEY_ALGORITHM, BC);

+		kpGen.initialize(KEY_LENGTH, new SecureRandom());

 		return kpGen.generateKeyPair();

 	}

 	

@@ -547,7 +556,7 @@ public class X509Utils {
 			certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false));

 			certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));

 

-			ContentSigner caSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption")

+			ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM)

 					.setProvider(BC).build(caPrivateKey);

 			X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC)

 					.getCertificate(certBuilder.build(caSigner));

@@ -562,6 +571,10 @@ public class X509Utils {
 			saveKeyStore(targetStoreFile, serverStore, sslMetadata.password);

 			

 	        x509log.log(MessageFormat.format("New SSL certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getSubjectDN().getName()));

+	        

+	        // update serial number in metadata object

+	        sslMetadata.serialNumber = cert.getSerialNumber().toString();

+

 			return cert;

 		} catch (Throwable t) {

 			throw new RuntimeException("Failed to generate SSL certificate!", t);

@@ -582,7 +595,7 @@ public class X509Utils {
 		try {

 			KeyPair caPair = newKeyPair();

 			

-			ContentSigner caSigner = new JcaContentSignerBuilder("SHA1WithRSA").setProvider(BC).build(caPair.getPrivate());

+			ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPair.getPrivate());

 			

 			// clone metadata

 			X509Metadata caMetadata = metadata.clone(CA_CN, metadata.password);

@@ -623,6 +636,9 @@ public class X509Utils {
 			

 			x509log.log(MessageFormat.format("New CA certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getIssuerDN().getName()));

 

+	        // update serial number in metadata object

+	        caMetadata.serialNumber = cert.getSerialNumber().toString();

+

 			return cert;

 		} catch (Throwable t) {

 			throw new RuntimeException("Failed to generate Gitblit CA certificate!", t);

@@ -649,7 +665,7 @@ public class X509Utils {
 			X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerDN, new Date());

 			

 			// build and sign CRL with CA private key

-			ContentSigner signer = new JcaContentSignerBuilder("SHA1WithRSA").setProvider(BC).build(caPrivateKey);

+			ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey);

 			X509CRLHolder crl = crlBuilder.build(signer);

 

 			File tmpFile = new File(caRevocationList.getParentFile(), Long.toHexString(System.currentTimeMillis()) + ".tmp");

@@ -743,6 +759,17 @@ public class X509Utils {
 	        		zos.write(FileUtils.readContent(pemFile));

 	        		zos.closeEntry();

 	        	}

+	        	

+	        	// include user's public certificate

+	        	zos.putNextEntry(new ZipEntry(clientMetadata.commonName + ".cer"));

+        		zos.write(cert.getEncoded());

+        		zos.closeEntry();

+        		

+	        	// include CA public certificate

+	        	zos.putNextEntry(new ZipEntry("ca.cer"));

+        		zos.write(caCert.getEncoded());

+        		zos.closeEntry();

+        		

 	        	if (readme != null) {

 	        		zos.putNextEntry(new ZipEntry("README.TXT"));

 	        		zos.write(readme.getBytes("UTF-8"));

@@ -799,7 +826,7 @@ public class X509Utils {
 				certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName);

 			}

 

-			ContentSigner signer = new JcaContentSignerBuilder("SHA1WithRSA").setProvider(BC).build(caPrivateKey);

+			ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey);

 

 			X509Certificate userCert = new JcaX509CertificateConverter().setProvider(BC).getCertificate(certBuilder.build(signer));

 			PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier)pair.getPrivate();

@@ -852,6 +879,9 @@ public class X509Utils {
 	        // save certificate after successfully creating the key stores

 	        saveCertificate(userCert, certFile);

 	        

+	        // update serial number in metadata object

+	        clientMetadata.serialNumber = userCert.getSerialNumber().toString();

+	        

 	        return userCert;

 		} catch (Throwable t) {

 			throw new RuntimeException("Failed to generate client certificate!", t);

@@ -1065,4 +1095,30 @@ public class X509Utils {
 		}

 		return false;

 	}

+	

+	public static X509Metadata getMetadata(X509Certificate cert) {

+		// manually split DN into OID components

+		// this is instead of parsing with LdapName which:

+		// (1) I don't trust the order of values

+		// (2) it filters out values like EMAILADDRESS

+		String dn = cert.getSubjectDN().getName();

+		Map<String, String> oids = new HashMap<String, String>();

+		for (String kvp : dn.split(",")) {

+			String [] val = kvp.trim().split("=");

+			String oid = val[0].toUpperCase().trim();

+			String data = val[1].trim();

+			oids.put(oid, data);

+		}

+		

+		X509Metadata metadata = new X509Metadata(oids.get("CN"), "whocares");

+		metadata.oids.putAll(oids);

+		metadata.serialNumber = cert.getSerialNumber().toString();

+		metadata.notAfter = cert.getNotAfter();

+		metadata.notBefore = cert.getNotBefore();

+		metadata.emailAddress = metadata.getOID("E", null);

+		if (metadata.emailAddress == null) {

+			metadata.emailAddress = metadata.getOID("EMAILADDRESS", null);

+		}

+		return metadata;

+	}

 }