progress on the certificate bootstrapping #2

Author: uzoltan

client-common/src/main/java/eu/arrowhead/client/common/ArrowheadClientMain.java

@@ -17,9 +17,7 @@
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
-import java.net.MalformedURLException;
 import java.net.URI;
-import java.net.URL;
 import java.security.KeyStore;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
@@ -50,7 +48,7 @@ public abstract class ArrowheadClientMain {
   protected String baseUri;
   protected String base64PublicKey;
   protected HttpServer server;
-  protected final TypeSafeProperties props = Utility.getProp();
+  protected TypeSafeProperties props = Utility.getProp();
 
   private boolean daemon;
   private ClientType clientType;
@@ -137,31 +135,27 @@ protected void startSecureServer(Set<Class<?>> classes, String[] packages) {
     config.registerClasses(classes);
     config.packages(packages);
 
-    String keystorePath = props.getProperty("keystore");
-    String keystorePass = props.getProperty("keystorepass");
-    String keyPass = props.getProperty("keypass");
-    String truststorePath = props.getProperty("truststore");
-    String truststorePass = props.getProperty("truststorepass");
-
     SSLContextConfigurator sslCon = new SSLContextConfigurator();
-    sslCon.setKeyStoreFile(keystorePath);
-    sslCon.setKeyStorePass(keystorePass);
-    sslCon.setKeyPass(keyPass);
-    sslCon.setTrustStoreFile(truststorePath);
-    sslCon.setTrustStorePass(truststorePass);
+    sslCon.setKeyStoreFile(props.getProperty("keystore"));
+    sslCon.setKeyStorePass(props.getProperty("keystorepass"));
+    sslCon.setKeyPass(props.getProperty("keypass"));
+    sslCon.setTrustStoreFile(props.getProperty("truststore"));
+    sslCon.setTrustStorePass(props.getProperty("truststorepass"));
     if (!sslCon.validateConfiguration(true)) {
       try {
-        sslCon = doCertificateBootstrapping();
-      } catch (ArrowheadException | MalformedURLException e) {
+        sslCon = CertificateBootstrapper.bootstrap(clientType);
+        props = Utility.getProp();
+      } catch (ArrowheadException e) {
         throw new AuthException(
-            "Provided SSL context is not valid, check the certificate or the config files! Certificate bootstrapping failed with: " + e.getMessage());
+            "Provided SSL context is not valid, check the certificate or the config files! Certificate bootstrapping failed with: " + e.getMessage(),
+            e);
       }
     }
 
     SSLContext sslContext = sslCon.createSSLContext();
     Utility.setSSLContext(sslContext);
 
-    KeyStore keyStore = SecurityUtils.loadKeyStore(keystorePath, keystorePass);
+    KeyStore keyStore = SecurityUtils.loadKeyStore(props.getProperty("keystore"), props.getProperty("keystorepass"));
     X509Certificate serverCert = SecurityUtils.getFirstCertFromKeyStore(keyStore);
     base64PublicKey = Base64.getEncoder().encodeToString(serverCert.getPublicKey().getEncoded());
     System.out.println("Server PublicKey Base64: " + base64PublicKey);
@@ -193,22 +187,4 @@ protected void shutdown() {
     System.out.println(clientType + " Server stopped");
     System.exit(0);
   }
-
-  protected SSLContextConfigurator doCertificateBootstrapping() throws MalformedURLException {
-    URL url = new URL(props.getProperty("cert_authority_url"));
-    if (!Utility.isHostAvailable(url.getHost(), url.getPort(), 3000)) {
-      throw new ArrowheadException("CA Core System is unavailable at " + props.getProperty("cert_authority_url"));
-    }
-
-    String cloudCN = CertificateBootstrapper.getCloudCommonNameFromCA();
-    String systemName = clientType.name().replaceAll("_", "").toLowerCase() + System.currentTimeMillis();
-    String keyStorePassword = props.getProperty("keystorepass") != null ? props.getProperty("keystorepass") : Utility.getRandomPassword();
-    String trustStorePassword = props.getProperty("truststorepass") != null ? props.getProperty("truststorepass") : Utility.getRandomPassword();
-
-    KeyStore[] keyStores = CertificateBootstrapper
-        .obtainSystemAndCloudKeyStore(systemName, cloudCN, keyStorePassword.toCharArray(), trustStorePassword.toCharArray());
-
-    //updating app.conf is missing in the end yet
-    return null;
-  }
 }

client-common/src/main/java/eu/arrowhead/client/common/CertificateBootstrapper.java

@@ -2,63 +2,107 @@
 
 import eu.arrowhead.client.common.exception.ArrowheadException;
 import eu.arrowhead.client.common.exception.AuthException;
+import eu.arrowhead.client.common.misc.ClientType;
 import eu.arrowhead.client.common.misc.SecurityUtils;
+import eu.arrowhead.client.common.misc.TypeSafeProperties;
 import eu.arrowhead.client.common.model.CertificateSigningRequest;
 import eu.arrowhead.client.common.model.CertificateSigningResponse;
 import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.PublicKey;
-import java.security.Security;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.security.spec.InvalidKeySpecException;
 import java.util.Base64;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.ServiceConfigurationError;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.Response.Status;
 import org.bouncycastle.asn1.x500.X500Name;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import org.bouncycastle.pkcs.PKCS10CertificationRequest;
 import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
+import org.glassfish.grizzly.ssl.SSLContextConfigurator;
 
 public final class CertificateBootstrapper {
 
-  private static String CA_URL;
-
-  //Static initializer: get the Certificate Authority URL when the class first gets used
-  static {
-    Security.addProvider(new BouncyCastleProvider());
-    CA_URL = Utility.getProp().getProperty("cert_authority_url");
-    if (CA_URL == null) {
-      throw new ArrowheadException("cert_authority_url property is not provided in config file, but certificate bootstrapping is requested!",
-                                   Status.BAD_REQUEST.getStatusCode());
-    }
-  }
+  private static TypeSafeProperties props = Utility.getProp();
+  private static String CA_URL = props.getProperty("cert_authority_url");
 
   private CertificateBootstrapper() {
     throw new AssertionError("CertificateBootstrapper is a non-instantiable class");
   }
 
+  public static SSLContextConfigurator bootstrap(ClientType clientType) {
+    //Check if the CA is available at the provided URL (with socket opening)
+    URL url;
+    try {
+      url = new URL(CA_URL);
+    } catch (MalformedURLException e) {
+      throw new ArrowheadException(
+          "cert_authority_url property is not (properly) provided in config file, but certificate bootstrapping is requested!",
+          Status.BAD_REQUEST.getStatusCode(), e);
+    }
+    if (!Utility.isHostAvailable(url.getHost(), url.getPort(), 3000)) {
+      throw new ArrowheadException("CA Core System is unavailable at " + props.getProperty("cert_authority_url"));
+    }
+
+    //Prepare the data needed to generate the certificate(s)
+    String cloudCN = CertificateBootstrapper.getCloudCommonNameFromCA();
+    String systemName = clientType.name().replaceAll("_", "").toLowerCase() + System.currentTimeMillis();
+    String keyStorePassword = !Utility.isBlank(props.getProperty("keystorepass")) ? props.getProperty("keystorepass") : Utility.getRandomPassword();
+    String trustStorePassword =
+        !Utility.isBlank(props.getProperty("truststorepass")) ? props.getProperty("truststorepass") : Utility.getRandomPassword();
+
+    //Obtain the keystore and truststore
+    KeyStore[] keyStores = CertificateBootstrapper
+        .obtainSystemAndCloudKeyStore(systemName, cloudCN, keyStorePassword.toCharArray(), trustStorePassword.toCharArray());
+
+    //Save the keystores to file
+    String certPathPrefix = "config" + File.separator + "certificates";
+    CertificateBootstrapper.saveKeyStoreToFile(keyStores[0], keyStorePassword.toCharArray(), systemName + ".p12", certPathPrefix);
+    CertificateBootstrapper.saveKeyStoreToFile(keyStores[1], trustStorePassword.toCharArray(), "truststore.p12", certPathPrefix);
+
+    //Update app.conf with the new values
+    Map<String, String> secureParameters = new HashMap<>();
+    secureParameters.put("keystore", certPathPrefix + File.separator + systemName + ".p12");
+    secureParameters.put("keystorepass", keyStorePassword);
+    secureParameters.put("keypass", keyStorePassword);
+    secureParameters.put("truststore", certPathPrefix + File.separator + "truststore.p12");
+    secureParameters.put("truststorepass", trustStorePassword);
+    CertificateBootstrapper.updateConfigurationFiles("config" + File.separator + "app.conf", secureParameters);
+
+    //Return a new, valid SSLContextConfigurator
+    SSLContextConfigurator sslCon = new SSLContextConfigurator();
+    sslCon.setKeyStoreFile(certPathPrefix + File.separator + systemName + ".p12");
+    sslCon.setKeyStorePass(keyStorePassword);
+    sslCon.setKeyPass(keyStorePassword);
+    sslCon.setTrustStoreFile(certPathPrefix + File.separator + "truststore.p12");
+    sslCon.setTrustStorePass(trustStorePassword);
+    return sslCon;
+  }
+
   /*
     Gets the Cloud Common Name from the Certificate Authority Core System, proper URL is read from the config file
    */
-  public static String getCloudCommonNameFromCA() {
+  private static String getCloudCommonNameFromCA() {
     Response caResponse = Utility.sendRequest(CA_URL, "GET", null);
     return caResponse.readEntity(String.class);
   }
@@ -74,7 +118,7 @@ public static String getCloudCommonNameFromCA() {
    *
    * @see <a href="https://tools.ietf.org/html/rfc5280.html#section-7.1">X.509 certificate specification: distinguished names</a>
    */
-  public static KeyStore obtainSystemKeyStore(String commonName, char[] keyStorePassword) {
+  private static KeyStore obtainSystemKeyStore(String commonName, char[] keyStorePassword) {
     CertificateSigningResponse signingResponse = getSignedCertFromCA(commonName);
 
     //Get the reconstructed certs from the CA response
@@ -110,7 +154,7 @@ public static KeyStore obtainSystemKeyStore(String commonName, char[] keyStorePa
    *
    * @see <a href="https://tools.ietf.org/html/rfc5280.html#section-7.1">X.509 certificate specification: distinguished names</a>
    */
-  public static KeyStore[] obtainSystemAndCloudKeyStore(String systemName, String cloudCN, char[] systemKsPassword, char[] cloudKsPassword) {
+  private static KeyStore[] obtainSystemAndCloudKeyStore(String systemName, String cloudCN, char[] systemKsPassword, char[] cloudKsPassword) {
     String commonName = systemName + "." + cloudCN;
     CertificateSigningResponse signingResponse = getSignedCertFromCA(commonName);
 
@@ -139,7 +183,7 @@ Create the Cloud KeyStore (with a different KeyStore Entry type,
       KeyStore ks = KeyStore.getInstance("pkcs12");
       ks.load(null, cloudKsPassword);
       KeyStore.Entry certEntry = new KeyStore.TrustedCertificateEntry(cloudCert);
-      ks.setEntry(cloudCN, certEntry, new KeyStore.PasswordProtection(cloudKsPassword));
+      ks.setEntry(cloudCN, certEntry, null);
       keyStores[1] = ks;
     } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException e) {
       throw new ArrowheadException("System key store creation failed!", e);
@@ -157,11 +201,11 @@ Create the Cloud KeyStore (with a different KeyStore Entry type,
    * @param saveLocation optional relative or absolute path where the keystore should be saved (must point to directory). If not provided, the file
    *     will be placed into the working directory.
    */
-  public static void saveKeyStoreToFile(KeyStore keyStore, char[] keyStorePassword, String fileName, String saveLocation) {
+  private static void saveKeyStoreToFile(KeyStore keyStore, char[] keyStorePassword, String fileName, String saveLocation) {
     if (keyStore == null || fileName == null) {
       throw new NullPointerException("Saving the key store to file is not possible, key store or file name is null!");
     }
-    if (!fileName.endsWith(".p12") || !fileName.endsWith(".jks")) {
+    if (!(fileName.endsWith(".p12") || fileName.endsWith(".jks"))) {
       throw new ServiceConfigurationError("File name should end with its extension! (p12 or jks)");
     }
     if (saveLocation != null) {
@@ -179,7 +223,7 @@ public static void saveKeyStoreToFile(KeyStore keyStore, char[] keyStorePassword
   /*
      Updates the given properties file with the given key-value pairs.
    */
-  public static void updateConfigurationFiles(String configLocation, Map<String, String> configValues) {
+  private static void updateConfigurationFiles(String configLocation, Map<String, String> configValues) {
     try {
       FileInputStream in = new FileInputStream(configLocation);
       Properties props = new Properties();
@@ -195,12 +239,15 @@ public static void updateConfigurationFiles(String configLocation, Map<String, S
     } catch (IOException e) {
       throw new ArrowheadException("Cert bootstrapping: IOException during configuration file update", e);
     }
+    props = Utility.getProp();
+    CA_URL = props.getProperty("cert_authority_url");
   }
 
   /*
     Authorization Public Key is used by ArrowheadProviders to verify the signatures by the Authorization Core System in secure mode
    */
-  public static PublicKey getAuthorizationPublicKey() {
+  //TODO also save it to file and update props
+  private static PublicKey getAuthorizationPublicKey() {
     Response caResponse = Utility.sendRequest(CA_URL + "/auth", "GET", null);
     try {
       return SecurityUtils.getPublicKey(caResponse.readEntity(String.class));

client-common/src/main/java/eu/arrowhead/client/common/Utility.java

@@ -379,4 +379,8 @@ public static String getRandomPassword() {
     PasswordGenerator generator = new PasswordGenerator.Builder().useDigits(true).useLower(true).useUpper(true).usePunctuation(false).build();
     return generator.generate(12);
   }
+
+  public static boolean isBlank(final String str) {
+    return (str == null || "".equals(str.trim()));
+  }
 }

consumer/src/main/java/eu/arrowhead/client/consumer/ConsumerMain.java

@@ -9,6 +9,7 @@
 
 package eu.arrowhead.client.consumer;
 
+import eu.arrowhead.client.common.CertificateBootstrapper;
 import eu.arrowhead.client.common.Utility;
 import eu.arrowhead.client.common.exception.ArrowheadException;
 import eu.arrowhead.client.common.misc.ClientType;
@@ -27,15 +28,15 @@
 import javax.swing.JOptionPane;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;
-import org.glassfish.jersey.SslConfigurator;
+import org.glassfish.grizzly.ssl.SSLContextConfigurator;
 
 public class ConsumerMain {
 
   private static boolean isSecure;
   private static String orchestratorUrl;
-  private static final TypeSafeProperties props = Utility.getProp();
+  private static TypeSafeProperties props = Utility.getProp();
 
-  public static void main(String[] args) {
+  private ConsumerMain(String[] args) {
     //Prints the working directory for extra information. Working directory should always contain a config folder with the app.conf file!
     System.out.println("Working directory: " + System.getProperty("user.dir"));
 
@@ -63,8 +64,12 @@ public static void main(String[] args) {
     JOptionPane.showMessageDialog(null, label, "Provider Response", JOptionPane.INFORMATION_MESSAGE);
   }
 
+  public static void main(String[] args) {
+    new ConsumerMain(args);
+  }
+
   //Compiles the payload for the orchestration request
-  private static ServiceRequestForm compileSRF() {
+  private ServiceRequestForm compileSRF() {
     /*
       ArrowheadSystem: systemName, (address, port, authenticationInfo)
       Since this Consumer skeleton will not receive HTTP requests (does not provide any services on its own),
@@ -104,7 +109,7 @@ Since this Consumer skeleton will not receive HTTP requests (does not provide an
     return srf;
   }
 
-  private static double consumeService(String providerUrl) {
+  private double consumeService(String providerUrl) {
     /*
       Sending request to the provider, to the acquired URL. The method type and payload should be known beforehand.
       If needed, compile the request payload here, before sending the request.
@@ -141,19 +146,25 @@ private static double consumeService(String providerUrl) {
    */
 
   //DO NOT MODIFY - Gets the correct URL where the orchestration requests needs to be sent (from app.conf config file + command line argument)
-  private static void getOrchestratorUrl(String[] args) {
+  private void getOrchestratorUrl(String[] args) {
     String orchAddress = props.getProperty("orch_address", "0.0.0.0");
     int orchInsecurePort = props.getIntProperty("orch_insecure_port", 8440);
     int orchSecurePort = props.getIntProperty("orch_secure_port", 8441);
 
     for (String arg : args) {
       if (arg.equals("-tls")) {
         isSecure = true;
-        SslConfigurator sslConfig = SslConfigurator.newInstance().trustStoreFile(props.getProperty("truststore"))
-                                                   .trustStorePassword(props.getProperty("truststorepass"))
-                                                   .keyStoreFile(props.getProperty("keystore")).keyStorePassword(props.getProperty("keystorepass"))
-                                                   .keyPassword(props.getProperty("keypass"));
-        SSLContext sslContext = sslConfig.createSSLContext();
+        SSLContextConfigurator sslCon = new SSLContextConfigurator();
+        sslCon.setKeyStoreFile(props.getProperty("keystore"));
+        sslCon.setKeyStorePass(props.getProperty("keystorepass"));
+        sslCon.setKeyPass(props.getProperty("keypass"));
+        sslCon.setTrustStoreFile(props.getProperty("truststore"));
+        sslCon.setTrustStorePass(props.getProperty("truststorepass"));
+        if (!sslCon.validateConfiguration(true)) {
+          sslCon = CertificateBootstrapper.bootstrap(ClientType.CONSUMER);
+          props = Utility.getProp();
+        }
+        SSLContext sslContext = sslCon.createSSLContext();
         Utility.setSSLContext(sslContext);
         break;
       }
@@ -169,7 +180,7 @@ private static void getOrchestratorUrl(String[] args) {
 
   /* NO NEED TO MODIFY (for basic functionality)
      Sends the orchestration request to the Orchestrator, and compiles the URL for the first provider received from the OrchestrationResponse */
-  private static String sendOrchestrationRequest(ServiceRequestForm srf) {
+  private String sendOrchestrationRequest(ServiceRequestForm srf) {
     //Sending a POST request to the orchestrator (URL, method, payload)
     Response postResponse = Utility.sendRequest(orchestratorUrl, "POST", srf);
     //Parsing the orchestrator response

provider/src/main/java/eu/arrowhead/client/provider/FullProviderMain.java

@@ -112,6 +112,7 @@ protected void startSecureServer(Set<Class<?>> classes, String[] packages) {
     privateKey = SecurityUtils.getPrivateKey(keyStore, keystorePass);
 
     //Load the Authorization Core System public key
+    //TODO expect and extract a public key only from crt
     String authCertPath = props.getProperty("authorization_cert");
     KeyStore authKeyStore = SecurityUtils.createKeyStoreFromCert(authCertPath);
     X509Certificate authCert = SecurityUtils.getFirstCertFromKeyStore(authKeyStore);