/* * The contents of this file are subject to the terms of the Common Development and * Distribution License (the License). You may not use this file except in compliance with the * License. * * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the * specific language governing permission and limitations under the License. * * When distributing Covered Software, include this CDDL Header Notice in each file and include * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL * Header, with the fields enclosed by brackets [] replaced by your own identifying * information: "Portions Copyright [year] [name of copyright owner]". * * Copyright 2009-2010 Sun Microsystems, Inc. * Portions Copyright 2013-2016 ForgeRock AS. * Portions Copyright 2025 Wren Security. * Portions Copyright 2025 3A Systems LLC. */ package org.opends.server.util; import java.io.FileInputStream; import java.io.FileOutputStream; import java.io.InputStream; import java.math.BigInteger; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.PrivateKey; import java.security.SecureRandom; import java.security.Security; import java.security.cert.Certificate; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.time.Instant; import java.time.temporal.ChronoUnit; import java.util.Date; import com.forgerock.opendj.util.FipsStaticUtils; import com.forgerock.opendj.util.StaticUtils; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider; import org.bouncycastle.operator.ContentSigner; import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; import org.bouncycastle.util.BigIntegers; import org.forgerock.i18n.LocalizableMessage; import org.forgerock.util.Reject; import static org.opends.messages.UtilityMessages.ERR_CERTMGR_ADD_CERT; import static org.opends.messages.UtilityMessages.ERR_CERTMGR_ALIAS_ALREADY_EXISTS; import static org.opends.messages.UtilityMessages.ERR_CERTMGR_ALIAS_INVALID; import static org.opends.messages.UtilityMessages.ERR_CERTMGR_CERT_REPLIES_INVALID; import static org.opends.messages.UtilityMessages.ERR_CERTMGR_DELETE_ALIAS; import static org.opends.messages.UtilityMessages.ERR_CERTMGR_GEN_SELF_SIGNED_CERT; import static org.opends.messages.UtilityMessages.ERR_CERTMGR_KEYSTORE_NONEXISTANT; import static org.opends.messages.UtilityMessages.ERR_CERTMGR_TRUSTED_CERT; /** * Provides a wrapper class that collects all of the JVM vendor and JDK version * specific code in a single place. */ public final class Platform { private static final PlatformIMPL IMPL; /** The minimum java supported version. */ public static final String JAVA_MINIMUM_VERSION_NUMBER = "11"; static { IMPL = new DefaultPlatformIMPL(); } /** Key size, key algorithm and signature algorithms used. */ public static enum KeyType { /** RSA key algorithm with 2048 bits size and SHA256withRSA signing algorithm. */ RSA("RSA", 2048, "SHA256withRSA"), /** Elliptic Curve key algorithm with 256 bits size and SHA256withECDSA signing algorithm. */ EC("EC", 256, "SHA256withECDSA"); /** Default key type used when none can be determined. */ public final static KeyType DEFAULT = RSA; final String keyAlgorithm; final int keySize; final String signatureAlgorithm; private KeyType(String keyAlgorithm, int keySize, String signatureAlgorithm) { this.keySize = keySize; this.keyAlgorithm = keyAlgorithm; this.signatureAlgorithm = signatureAlgorithm; } /** * Get a KeyType based on the alias name. * * @param alias * certificate alias * @return KeyTpe deduced from the alias. */ public static KeyType getTypeOrDefault(String alias) { try { return KeyType.valueOf(alias.substring(alias.lastIndexOf('-') + 1).toUpperCase()); } catch (Exception e) { return KeyType.DEFAULT; } } } /** * Platform base class. Performs all of the certificate management functions. */ private static abstract class PlatformIMPL { protected PlatformIMPL() { } private final void deleteAlias(KeyStore ks, String ksPath, String alias, char[] pwd) throws KeyStoreException { try { if (ks == null) { LocalizableMessage msg = ERR_CERTMGR_KEYSTORE_NONEXISTANT.get(); throw new KeyStoreException(msg.toString()); } ks.deleteEntry(alias); try (final FileOutputStream fs = new FileOutputStream(ksPath)) { ks.store(fs, pwd); } } catch (Exception e) { throw new KeyStoreException(ERR_CERTMGR_DELETE_ALIAS.get(alias, e.getMessage()).toString(), e); } } private final void addCertificate(KeyStore ks, String ksType, String ksPath, String alias, char[] pwd, String certPath) throws KeyStoreException { try { CertificateFactory cf = CertificateFactory.getInstance("X509"); if (ks == null) { ks = KeyStore.getInstance(ksType); ks.load(null, pwd); } // Do not support certificate replies. if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) { LocalizableMessage msg = ERR_CERTMGR_CERT_REPLIES_INVALID.get(alias); throw new KeyStoreException(msg.toString()); } else if (!ks.containsAlias(alias) || ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) { try (InputStream inStream = new FileInputStream(certPath)) { trustedCert(alias, cf, ks, inStream); } } else { LocalizableMessage msg = ERR_CERTMGR_ALIAS_INVALID.get(alias); throw new KeyStoreException(msg.toString()); } try (FileOutputStream fileOutStream = new FileOutputStream(ksPath)) { ks.store(fileOutStream, pwd); } } catch (Exception e) { throw new KeyStoreException(ERR_CERTMGR_ADD_CERT.get(alias, e.getMessage()).toString(), e); } } private static final KeyStore generateSelfSignedCertificate(KeyStore ks, String ksType, String ksPath, KeyType keyType, String alias, char[] pwd, String dn, int validity) throws KeyStoreException { boolean isFips = StaticUtils.isFips(); try { if(!isFips) { FipsStaticUtils.registerBcProvider(true); } if (ks == null) { ks = KeyStore.getInstance(ksType); ks.load(null, pwd); } else if (ks.containsAlias(alias)) { LocalizableMessage msg = ERR_CERTMGR_ALIAS_ALREADY_EXISTS.get(alias); throw new KeyStoreException(msg.toString()); } KeyPair keyPair = newKeyPair(keyType); PrivateKey privateKey = keyPair.getPrivate(); X500Name subject = new X500Name(dn); Certificate[] certificateChain = new Certificate[] { generateSelfCertificate(keyPair, keyType, subject, validity) }; ks.setKeyEntry(alias, privateKey, pwd, certificateChain); try (FileOutputStream fileOutStream = new FileOutputStream(ksPath)) { ks.store(fileOutStream, pwd); } return ks; } catch (Exception e) { throw new KeyStoreException(ERR_CERTMGR_GEN_SELF_SIGNED_CERT.get(alias, e.getMessage()).toString(), e); } finally { if(!isFips) { Security.removeProvider(BouncyCastleFipsProvider.PROVIDER_NAME); } } } private static KeyPair newKeyPair(KeyType keyType) throws Exception { KeyPairGenerator generator = KeyPairGenerator.getInstance(keyType.keyAlgorithm, BouncyCastleFipsProvider.PROVIDER_NAME); generator.initialize(keyType.keySize); return generator.generateKeyPair(); } private static Certificate generateSelfCertificate(KeyPair keyPair, KeyType keyType, X500Name subject, int days) throws Exception { BigInteger serial = BigIntegers.createRandomBigInteger(64, new SecureRandom()); Instant now = Instant.now(); Date notBeforeDate = Date.from(now); Date notAfterDate = Date.from(now.plus(days, ChronoUnit.DAYS)); JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder( subject, serial, notBeforeDate, notAfterDate, subject, keyPair.getPublic() ); ContentSigner signer = new JcaContentSignerBuilder(keyType.signatureAlgorithm) .setProvider(BouncyCastleFipsProvider.PROVIDER_NAME) .build(keyPair.getPrivate()); X509CertificateHolder holder = builder.build(signer); JcaX509CertificateConverter converter = new JcaX509CertificateConverter() .setProvider(BouncyCastleFipsProvider.PROVIDER_NAME); return converter.getCertificate(holder); } /** * Generate a x509 certificate from the input stream. Verification is done * only if it is self-signed. */ private void trustedCert(String alias, CertificateFactory cf, KeyStore ks, InputStream in) throws KeyStoreException { try { if (ks.containsAlias(alias)) { LocalizableMessage msg = ERR_CERTMGR_ALIAS_ALREADY_EXISTS.get(alias); throw new KeyStoreException(msg.toString()); } X509Certificate cert = (X509Certificate) cf.generateCertificate(in); if (isSelfSigned(cert)) { cert.verify(cert.getPublicKey()); } ks.setCertificateEntry(alias, cert); } catch (Exception e) { throw new KeyStoreException(ERR_CERTMGR_TRUSTED_CERT.get(alias, e.getMessage()).toString(), e); } } /** * Check that the issuer and subject DNs match. */ private boolean isSelfSigned(X509Certificate cert) { return cert.getSubjectDN().equals(cert.getIssuerDN()); } } /** Prevent instantiation. */ private Platform() { } /** * Add the certificate in the specified path to the provided keystore; * creating the keystore with the provided type and path if it doesn't exist. * * @param ks * The keystore to add the certificate to, may be null if it doesn't * exist. * @param ksType * The type to use if the keystore is created. * @param ksPath * The path to the keystore if it is created. * @param alias * The alias to store the certificate under. * @param pwd * The password to use in saving the certificate. * @param certPath * The path to the file containing the certificate. * @throws KeyStoreException * If an error occurred adding the certificate to the keystore. */ public static void addCertificate(KeyStore ks, String ksType, String ksPath, String alias, char[] pwd, String certPath) throws KeyStoreException { IMPL.addCertificate(ks, ksType, ksPath, alias, pwd, certPath); } /** * Delete the specified alias from the provided keystore. * * @param ks * The keystore to delete the alias from. * @param ksPath * The path to the keystore. * @param alias * The alias to use in the request generation. * @param pwd * The keystore password to use. * @throws KeyStoreException * If an error occurred deleting the alias. */ public static void deleteAlias(KeyStore ks, String ksPath, String alias, char[] pwd) throws KeyStoreException { IMPL.deleteAlias(ks, ksPath, alias, pwd); } /** * Generate a self-signed certificate using the specified alias, dn string and * validity period. If the keystore does not exist, it will be created using * the specified keystore type and path. * * @param ks * The keystore to save the certificate in. May be null if it does * not exist. * @param keyType * The keystore type to use if the keystore is created. * @param ksPath * The path to the keystore if the keystore is created. * @param ksType * Specify the key size, key algorithm and signature algorithms used. * @param alias * The alias to store the certificate under. * @param pwd * The password to us in saving the certificate. * @param dn * The dn string used as the certificate subject. * @param validity * The validity of the certificate in days. * @throws KeyStoreException * If the self-signed certificate cannot be generated. */ public static void generateSelfSignedCertificate(KeyStore ks, String ksType, String ksPath, KeyType keyType, String alias, char[] pwd, String dn, int validity) throws KeyStoreException { PlatformIMPL.generateSelfSignedCertificate(ks, ksType, ksPath, keyType, alias, pwd, dn, validity); } /** * Default platform class. */ private static class DefaultPlatformIMPL extends PlatformIMPL { } /** * Test if a platform java vendor property starts with the specified vendor * string. * * @param vendor * The vendor to check for. * @return {@code true} if the java vendor starts with the specified vendor * string. */ public static boolean isVendor(String vendor) { String javaVendor = System.getProperty("java.vendor"); return javaVendor.startsWith(vendor); } /** * Computes the number of replay/worker/cleaner threads based on the number of cpus in the system. * Allows for a multiplier to be specified and a minimum value to be returned if not enough processors * are present in the system. * * @param minimumValue at least this value should be returned. * @param cpuMultiplier the scaling multiplier of the number of threads to return * @return the number of threads based on the number of cpus in the system. * @throws IllegalArgumentException if {@code cpuMultiplier} is a non positive number */ public static int computeNumberOfThreads(int minimumValue, float cpuMultiplier) { Reject.ifTrue(cpuMultiplier < 0, "Multiplier must be a positive number"); return Math.max(minimumValue, (int)(Runtime.getRuntime().availableProcessors() * cpuMultiplier)); } }