feat: certs are generate from java (#11)

Author: csviri

pom.xml

@@ -27,6 +27,7 @@
         <commons-compress.version>1.22</commons-compress.version>
         <google.cloud.libraries.version>26.9.0</google.cloud.libraries.version>
         <commons-io.version>2.11.0</commons-io.version>
+        <bouncycastle.version>1.72</bouncycastle.version>
     </properties>
 
     <dependencyManagement>
@@ -102,10 +103,13 @@
             <version>${assertj.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcpkix-jdk18on</artifactId>
+            <version>${bouncycastle.version}</version>
+        </dependency>
     </dependencies>
-
-
-
+    
     <build>
         <plugins>
             <plugin>

src/main/java/com/csviri/jenvtest/APIServer.java

@@ -35,6 +35,7 @@ public APIServer(APIServerConfig config) {
     public void start() {
         log.debug("Stating API Server. Using jenvtest dir: {}", config.getJenvtestDirectory());
         binaryManager.initAndDownloadIfRequired();
+        certManager.createCertificatesIfNeeded();
         prepareLogDirectory();
         etcdProcessManager.cleanEtcdData();
         etcdProcessManager.startEtcd();

src/main/java/com/csviri/jenvtest/APIServerProcessManager.java

@@ -26,7 +26,6 @@ public APIServerProcessManager(CertManager certManager, BinaryManager binaryMana
 
 
     public void startApiServer() {
-        certManager.ensureAPIServerCertificates();
         var apiServerBinary = binaryManager.binaries().getApiServer();
         try {
             if (!apiServerBinary.exists()) {

src/main/java/com/csviri/jenvtest/CertManager.java

@@ -1,12 +1,32 @@
 package com.csviri.jenvtest;
 
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.File;
+import java.io.FileWriter;
 import java.io.IOException;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Date;
 
-// todo impl in java
 public class CertManager {
 
     private static final Logger log = LoggerFactory.getLogger(CertManager.class);
@@ -23,7 +43,7 @@ public CertManager(String jenvtestDir) {
         this.jenvtestDir = jenvtestDir;
     }
 
-    public void ensureAPIServerCertificates() {
+    public void createCertificatesIfNeeded() {
         try {
             generateAPIServerCertificates();
             generateUserCertificates();
@@ -40,13 +60,16 @@ private void generateAPIServerCertificates() throws IOException, InterruptedExce
             return;
         }
         log.debug("Generating API Server certificates");
-        Process process = new ProcessBuilder("openssl", "req", "-nodes", "-x509", "-sha256", "-newkey", "rsa:4096", "-keyout", key.getPath(), "-out",
-                cert.getPath(),
-                "-days", "356", "-subj", "/CN=example.org",
-                "-addext", "subjectAltName = IP:127.0.0.1,DNS:kubernetes," +
-                "DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster,DNS:kubernetes.default.svc.cluster.local")
-                .start();
-        process.waitFor();
+        generateKeyAndCertificate("CN=example.org", new File(jenvtestDir, API_SERVER_KEY_NAME),
+                new File(jenvtestDir, API_SERVER_CERT_NAME),
+                new GeneralName(GeneralName.iPAddress, "127.0.0.1"),
+                dns("kubernetes"), dns("kubernetes.default"),
+                dns("kubernetes.default.svc"), dns("kubernetes.default.svc.cluster"),
+                dns("kubernetes.default.svc.cluster.local"));
+    }
+
+    private GeneralName dns(String dns) {
+        return new GeneralName(GeneralName.dNSName, dns);
     }
 
     private void generateUserCertificates() throws IOException, InterruptedException {
@@ -56,11 +79,46 @@ private void generateUserCertificates() throws IOException, InterruptedException
             return;
         }
         log.debug("Generating Client certificates");
-        var process = new ProcessBuilder("openssl", "req", "-nodes", "-x509", "-sha256", "-newkey",
-                "rsa:4096", "-keyout", key.getPath(), "-out", cert.getPath(), "-days", "356", "-subj",
-                "/O=system:masters/CN=jenvtest")
-                .start();
-        process.waitFor();
+        generateKeyAndCertificate("O=system:masters,CN=jenvtest", new File(jenvtestDir, CLIENT_KEY_NAME),
+                new File(jenvtestDir, CLIENT_CERT_NAME));
+    }
+
+
+    private static void generateKeyAndCertificate(String dirName, File keyFile, File certFile, GeneralName... generalNames) {
+        try {
+            KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+
+            KeyPair certKeyPair = keyGen.generateKeyPair();
+            X500Name name = new X500Name(dirName);
+            // If you issue more than just test certificates, you might want a decent serial number schema ^.^
+            BigInteger serialNumber = BigInteger.valueOf(System.currentTimeMillis());
+            Instant validFrom = Instant.now();
+            Instant validUntil = validFrom.plus(365, ChronoUnit.DAYS);
+
+            JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
+                    name,
+                    serialNumber,
+                    Date.from(validFrom), Date.from(validUntil),
+                    name, certKeyPair.getPublic());
+
+            if (generalNames.length > 0) {
+                builder.addExtension(Extension.subjectAlternativeName, false,
+                        new GeneralNames(generalNames));
+            }
+
+            // Finally, sign the certificate:
+            ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA").build(certKeyPair.getPrivate());
+            X509CertificateHolder certHolder = builder.build(signer);
+            X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certHolder);
+
+            try (FileWriter certWriter = new FileWriter(certFile); JcaPEMWriter certPemWriter = new JcaPEMWriter(certWriter);
+                 FileWriter keyWriter = new FileWriter(keyFile); JcaPEMWriter keyPemWriter = new JcaPEMWriter(keyWriter)) {
+                certPemWriter.writeObject(cert);
+                keyPemWriter.writeObject(certKeyPair.getPrivate());
+            }
+        } catch (NoSuchAlgorithmException | CertificateException | IOException | OperatorCreationException e) {
+            throw new JenvtestException(e);
+        }
     }
 
     public String getClientCertPath() {