Automatically generate a self-signed certificate with BouncyCastle.

James Moger

2011-05-05 5b60db394cbbbb031b615ff3278ec43cbe3fe88c

Automatically generate a self-signed certificate with BouncyCastle.

 .classpath

@@ -69,5 +69,10 @@
            <attribute name="javadoc_location" value="jar:platform:/resource/gitblit/ext/bcprov-jdk16-1.46-javadoc.jar!/"/>

        </attributes>

    </classpathentry>

    <classpathentry kind="lib" path="ext/bcmail-jdk16-1.46.jar" sourcepath="ext/bcmail-jdk16-1.46-sources.jar">

        <attributes>

            <attribute name="javadoc_location" value="jar:platform:/resource/gitblit/ext/bcmail-jdk16-1.46-javadoc.jar!/"/>

        </attributes>

    </classpathentry>

    <classpathentry kind="output" path="bin"/>

</classpath>


 src/com/gitblit/Build.java

@@ -43,6 +43,7 @@
        downloadFromApache(MavenObject.WICKET_GOOGLE_CHARTS, BuildType.RUNTIME);

        downloadFromApache(MavenObject.MARKDOWNPAPERS, BuildType.RUNTIME);

        downloadFromApache(MavenObject.BOUNCYCASTLE, BuildType.RUNTIME);

        downloadFromApache(MavenObject.BOUNCYCASTLE_MAIL, BuildType.RUNTIME);



        downloadFromEclipse(MavenObject.JGIT, BuildType.RUNTIME);

        downloadFromEclipse(MavenObject.JGIT_HTTP, BuildType.RUNTIME);

@@ -62,6 +63,7 @@
        downloadFromApache(MavenObject.WICKET_GOOGLE_CHARTS, BuildType.COMPILETIME);

        downloadFromApache(MavenObject.MARKDOWNPAPERS, BuildType.COMPILETIME);

        downloadFromApache(MavenObject.BOUNCYCASTLE, BuildType.COMPILETIME);

        downloadFromApache(MavenObject.BOUNCYCASTLE_MAIL, BuildType.COMPILETIME);

        

        downloadFromEclipse(MavenObject.JGIT, BuildType.COMPILETIME);

        downloadFromEclipse(MavenObject.JGIT_HTTP, BuildType.COMPILETIME);

@@ -289,6 +291,8 @@
        public static final MavenObject MARKDOWNPAPERS = new MavenObject("MarkdownPapers", "org/tautua/markdownpapers", "markdownpapers-core", "1.0.0", 87000, 58000, 278000, "feda63bd149f3315da210e397d45d02277038ad5", "a9a6c4d163af81e265a15138fcaeafa9829c6054", "f932656266a7f9593488d3f89e815d0af44d0853");

        

        public static final MavenObject BOUNCYCASTLE = new MavenObject("BouncyCastle", "org/bouncycastle", "bcprov-jdk16", "1.46", 1900000, 1400000, 4670000, "ce091790943599535cbb4de8ede84535b0c1260c", "d2b70567594225923450d7e3f80cd022c852725e", "873a6fe765f33fc27df498a5d1f5bf077e503b2f");

		
        public static final MavenObject BOUNCYCASTLE_MAIL = new MavenObject("BouncyCastle Mail", "org/bouncycastle", "bcmail-jdk16", "1.46", 502000, 420000, 482000, "08a9233bfd6ad38ea32df5e6ff91035b650584b9", "3ebd62bc56854767512dc5deec0a17795f2e671d", "3b7c5f3938f202311bdca0bf7ed46bc0118af081");



        public static final MavenObject JGIT = new MavenObject("JGit", "org/eclipse/jgit", "org.eclipse.jgit", "0.12.1", 1318000, 1354000, 2993000, "fd77699699b9651d2fc31c7ed63af98b14fc1975", "c8b3d84922c7802cfe6a661e13a002641a78583d", "5609aa3ce3ac3d52030befd27ddd2941f6c07570");




 src/com/gitblit/GitBlitServer.java

@@ -2,23 +2,40 @@


import java.io.BufferedReader;

import java.io.File;

import java.io.FileInputStream;

import java.io.FileOutputStream;

import java.io.IOException;

import java.io.InputStreamReader;

import java.io.OutputStream;

import java.math.BigInteger;

import java.net.InetAddress;

import java.net.ServerSocket;

import java.net.Socket;

import java.net.URL;

import java.net.UnknownHostException;

import java.security.KeyPair;

import java.security.KeyPairGenerator;

import java.security.KeyStore;

import java.security.ProtectionDomain;

import java.security.SecureRandom;

import java.security.Security;

import java.security.cert.X509Certificate;

import java.text.MessageFormat;

import java.util.ArrayList;

import java.util.Date;

import java.util.List;



import org.apache.log4j.ConsoleAppender;

import org.apache.log4j.PatternLayout;

import org.apache.wicket.protocol.http.ContextParamWebApplicationFactory;

import org.apache.wicket.protocol.http.WicketFilter;

import org.bouncycastle.asn1.x500.X500NameBuilder;

import org.bouncycastle.asn1.x500.style.BCStyle;

import org.bouncycastle.cert.X509v3CertificateBuilder;

import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;

import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;

import org.bouncycastle.operator.ContentSigner;

import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

import org.eclipse.jetty.http.security.Constraint;

import org.eclipse.jetty.security.ConstraintMapping;

import org.eclipse.jetty.security.ConstraintSecurityHandler;

@@ -144,23 +161,28 @@
            Connector httpConnector = createConnector(params.useNIO, params.port);

            String bindInterface = fileSettings.getString(Keys.server.httpBindInterface, null);

            if (!StringUtils.isEmpty(bindInterface)) {

                logger.warn(MessageFormat.format("Binding port {0} to {1}", params.port, bindInterface));

                logger.warn(MessageFormat.format("Binding connector on port {0} to {1}", params.port, bindInterface));

                httpConnector.setHost(bindInterface);

            }

            connectors.add(httpConnector);

        }



        if (params.securePort > 0) {

            if (new File("keystore").exists()) {

                Connector secureConnector = createSSLConnector(params.useNIO, params.securePort, params.storePassword);

            File keystore = new File("keystore");

            if (!keystore.exists()) {

                logger.info("Generating self-signed ssl certificate");

                generateSelfSignedCertificate("localhost", keystore, params.storePassword);

            }

            if (keystore.exists()) {

                Connector secureConnector = createSSLConnector(keystore, params.storePassword, params.useNIO, params.securePort);

                String bindInterface = fileSettings.getString(Keys.server.httpsBindInterface, null);

                if (!StringUtils.isEmpty(bindInterface)) {

                    logger.warn(MessageFormat.format("Binding port {0} to {1}", params.port, bindInterface));

                    logger.warn(MessageFormat.format("Binding ssl connector on port {0} to {1}", params.securePort, bindInterface));

                    secureConnector.setHost(bindInterface);

                }

                connectors.add(secureConnector);

            } else {

                logger.warn("Failed to find Keystore?  Did you run \"makekeystore\"?");

                logger.warn("Failed to find or load Keystore?");

                logger.warn("SSL connector DISABLED.");

            }

        }

@@ -296,25 +318,68 @@
        return connector;

    }



    private static Connector createSSLConnector(boolean useNIO, int port, String password) {

    private static Connector createSSLConnector(File keystore, String password, boolean useNIO, int port) {

        SslConnector connector;

        if (useNIO) {

            logger.info("Setting up NIO SslSelectChannelConnector on port " + port);

            SslSelectChannelConnector ssl = new SslSelectChannelConnector();

            ssl.setSoLingerTime(-1);

            ssl.setThreadPool(new QueuedThreadPool(20));

            ssl.setThreadPool(new QueuedThreadPool(20));			
            connector = ssl;

        } else {

            logger.info("Setting up NIO SslSocketConnector on port " + port);

            SslSocketConnector ssl = new SslSocketConnector();

            connector = ssl;

        }

        connector.setKeystore("keystore");

        connector.setAllowRenegotiate(true);

        connector.setKeystore(keystore.getAbsolutePath());

        connector.setPassword(password);

        connector.setPort(port);

        connector.setMaxIdleTime(30000);

        return connector;

    }

	
    private static void generateSelfSignedCertificate(String hostname, File keystore, String keystorePassword) {

        try {

            Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());



            final String BC = org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME;

			
            KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", "BC");

            kpGen.initialize(1024, new SecureRandom());

            KeyPair pair = kpGen.generateKeyPair();



            // Generate self-signed certificate

            X500NameBuilder builder = new X500NameBuilder(BCStyle.INSTANCE);

            builder.addRDN(BCStyle.OU, Constants.NAME);

            builder.addRDN(BCStyle.O, Constants.NAME);

            builder.addRDN(BCStyle.CN, hostname);



            Date notBefore = new Date(System.currentTimeMillis() - 1*24*60*60*1000l);

            Date notAfter = new Date(System.currentTimeMillis() + 10*365*24*60*60*1000l);

            BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());



            X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(builder.build(), serial, notBefore, notAfter, builder.build(), pair.getPublic());

            ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(BC).build(pair.getPrivate());

            X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC).getCertificate(certGen.build(sigGen));

            cert.checkValidity(new Date());

            cert.verify(cert.getPublicKey());



            // Save to keystore			
            KeyStore store = KeyStore.getInstance("JKS");

            if (keystore.exists()) {

                FileInputStream fis = new FileInputStream(keystore);

                store.load(fis, keystorePassword.toCharArray());

            } else {

                store.load(null);

            }

            store.setKeyEntry(hostname, pair.getPrivate(), keystorePassword.toCharArray(), new java.security.cert.Certificate[] { cert });

            store.store(new FileOutputStream(keystore), keystorePassword.toCharArray());

        } catch (Throwable t) {

            t.printStackTrace();

            throw new RuntimeException("Failed to generate self-signed certificate!", t);

        }

    }



    /**

     * Recursively delete a folder and its contents.