Please take a look at...
-------- Original Message --------
Subject: [PATCH] Handle null values correcly before invoking the
certificate generation
Date: Mon, 22 Aug 2011 16:30:57 -0400
From: Bryan Kearney <bkearney(a)redhat.com>
To: candlepin-patches(a)redhat.com
CC: Bryan Kearney <bkearney(a)redhat.com>
---
.../candlepin/pki/impl/BouncyCastlePKIUtility.java | 39 ++++++++-------
.../impl/DefaultEntitlementCertServiceAdapter.java | 50
+++++++++++---------
2 files changed, 49 insertions(+), 40 deletions(-)
diff --git
a/proxy/src/main/java/org/fedoraproject/candlepin/pki/impl/BouncyCastlePKIUtility.java
b/proxy/src/main/java/org/fedoraproject/candlepin/pki/impl/BouncyCastlePKIUtility.java
index d283872..44474bd 100644
---
a/proxy/src/main/java/org/fedoraproject/candlepin/pki/impl/BouncyCastlePKIUtility.java
+++
b/proxy/src/main/java/org/fedoraproject/candlepin/pki/impl/BouncyCastlePKIUtility.java
@@ -61,26 +61,26 @@ import com.google.inject.Inject;
* This class implements methods to create X509 Certificates, X509
CRLs, encode
* objects in PEM format (for saving to the db or sending to the
client), and
* decode raw ASN.1 DER values (as read from a Certificate/CRL).
- *
+ *
* All code that imports bouncycastle should live either in this module,
* or in {@link BouncyCastlePKIReader}
- *
+ *
* (March 24, 2011) Notes on implementing a PKIUtility with NSS/JSS:
- *
+ *
* JSS provides classes and functions to generate X509Certificates
(see CertificateInfo,
* for example).
- *
+ *
* PEM encoding requires us to determine the object type (which we
know), add the correct
* header and footer to the output, base64 encode the DER for the
object, and line wrap
* the base64 encoding.
- *
+ *
* decodeDERValue should be simple, as JSS provides code to parse
ASN.1, but I wasn't
* able to get it to work.
- *
+ *
* The big one is CRL generation. JSS has no code to generate CRLs in
any format. We'll
* have to use the raw ASN.1 libraries to build up our own properly
formatted CRL DER
- * representation, then PEM encode it.
- *
+ * representation, then PEM encode it.
+ *
* See also {@link BouncyCastlePKIReader} for more notes on using
NSS/JSS, and a note
* about not using bouncycastle as the JSSE provider.
*/
@@ -142,8 +142,11 @@ public class BouncyCastlePKIUtility extends
PKIUtility {
if (extensions != null) {
for (X509ExtensionWrapper wrapper : extensions) {
+ // Bounceycastle hates null values. So, set them to blank
+ // if they are null
+ String value = wrapper.getValue() == null ? "" :
wrapper.getValue();
certGen.addExtension(wrapper.getOid(),
wrapper.isCritical(),
- new DERUTF8String(wrapper.getValue()));
+ new DERUTF8String(value));
}
}
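Review bot: Substituting an empty string for a null extension value makes the certificate carry an empty `DERUTF8String` under that OID, which hides whatever produced the null instead of surfacing it; since `log` is available in this class (`log.warn` is used in `decodeDERValue`), a warning naming the OID would keep it observable, e.g. `if (wrapper.getValue() == null) { log.warn("Null value for extension " + wrapper.getOid() + "; encoding as empty string"); }` before the `String value = ...` line. Whether an empty value is acceptable to whoever reads these extensions, or the extension should be skipped instead, cannot be judged from the hunk. The added comment also misspells the library; `// BouncyCastle rejects null values, so substitute an empty string` reads better. The enclosing method starts outside the hunk.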
@@ -153,7 +156,7 @@ public class BouncyCastlePKIUtility extends PKIUtility {
@Override
public X509CRL createX509CRL(List<X509CRLEntryWrapper> entries,
BigInteger crlNumber) {
-
+
try {
X509Certificate caCert = reader.getCACert();
X509V2CRLGenerator generator = new X509V2CRLGenerator();
@@ -177,7 +180,7 @@ public class BouncyCastlePKIUtility extends PKIUtility {
throw new RuntimeException(e);
}
}
-
+
private byte[] getPemEncoded(Object obj) throws IOException {
ByteArrayOutputStream byteArrayOutputStream = new
ByteArrayOutputStream();
OutputStreamWriter oswriter = new
OutputStreamWriter(byteArrayOutputStream);
@@ -186,22 +189,22 @@ public class BouncyCastlePKIUtility extends
PKIUtility {
writer.close();
return byteArrayOutputStream.toByteArray();
}
-
+
@Override
public byte[] getPemEncoded(X509Certificate cert) throws IOException {
return getPemEncoded((Object) cert);
}
-
- @Override
+
+ @Override
public byte[] getPemEncoded(Key key) throws IOException {
return getPemEncoded((Object) key);
}
-
+
@Override
public byte[] getPemEncoded(X509CRL crl) throws IOException {
return getPemEncoded((Object) crl);
}
-
+
@Override
public String decodeDERValue(byte[] value) {
ASN1InputStream vis = null;
@@ -210,7 +213,7 @@ public class BouncyCastlePKIUtility extends PKIUtility {
vis = new ASN1InputStream(value);
decoded = new ASN1InputStream(
((DEROctetString) vis.readObject()).getOctets());
-
+
return decoded.readObject().toString();
}
catch (IOException e) {
@@ -225,7 +228,7 @@ public class BouncyCastlePKIUtility extends PKIUtility {
log.warn("failed to close ASN1 stream", e);
}
}
-
+
if (decoded != null) {
try {
decoded.close();
diff --git
a/proxy/src/main/java/org/fedoraproject/candlepin/service/impl/DefaultEntitlementCertServiceAdapter.java
b/proxy/src/main/java/org/fedoraproject/candlepin/service/impl/DefaultEntitlementCertServiceAdapter.java
index 2855a67..8d836d7 100644
---
a/proxy/src/main/java/org/fedoraproject/candlepin/service/impl/DefaultEntitlementCertServiceAdapter.java
+++
b/proxy/src/main/java/org/fedoraproject/candlepin/service/impl/DefaultEntitlementCertServiceAdapter.java
@@ -52,28 +52,28 @@ import com.google.inject.Inject;
/**
* DefaultEntitlementCertServiceAdapter
*/
-public class DefaultEntitlementCertServiceAdapter extends
+public class DefaultEntitlementCertServiceAdapter extends
BaseEntitlementCertServiceAdapter {
-
+
private PKIUtility pki;
private X509ExtensionUtil extensionUtil;
private KeyPairCurator keyPairCurator;
private CertificateSerialCurator serialCurator;
private ProductServiceAdapter productAdapter;
private EntitlementCurator entCurator;
-
- private static Logger log =
+
+ private static Logger log =
LoggerFactory.getLogger(DefaultEntitlementCertServiceAdapter.class);
-
+
@Inject
public DefaultEntitlementCertServiceAdapter(PKIUtility pki,
X509ExtensionUtil extensionUtil,
- EntitlementCertificateCurator entCertCurator,
+ EntitlementCertificateCurator entCertCurator,
KeyPairCurator keyPairCurator,
CertificateSerialCurator serialCurator,
ProductServiceAdapter productAdapter,
EntitlementCurator entCurator) {
-
+
this.pki = pki;
this.extensionUtil = extensionUtil;
this.entCertCurator = entCertCurator;
@@ -83,18 +83,18 @@ public class DefaultEntitlementCertServiceAdapter
extends
this.entCurator = entCurator;
}
-
+
// NOTE: we use entitlement here, but it version does not...
// NOTE: we can get consumer from entitlement.getConsumer()
@Override
- public EntitlementCertificate generateEntitlementCert(Entitlement
entitlement,
+ public EntitlementCertificate generateEntitlementCert(Entitlement
entitlement,
Subscription sub, Product product)
throws GeneralSecurityException, IOException {
-
+
log.debug("Generating entitlement cert for:");
log.debug(" consumer: {}", entitlement.getConsumer().getUuid());
log.debug(" product: {}" , product.getId());
- log.debug("entitlement's endDt == subs endDt? {} == {} ?",
+ log.debug("entitlement's endDt == subs endDt? {} == {} ?",
entitlement.getEndDate(), sub.getEndDate());
Preconditions
.checkArgument(
@@ -108,31 +108,31 @@ public class DefaultEntitlementCertServiceAdapter
extends
// We need the sequence generated id before we create the
EntitlementCertificate,
// otherwise we could have used cascading create
serialCurator.create(serial);
-
+
X509Certificate x509Cert = createX509Certificate(entitlement, sub,
product, BigInteger.valueOf(serial.getId()), keyPair);
-
+
EntitlementCertificate cert = new EntitlementCertificate();
cert.setSerial(serial);
cert.setKeyAsBytes(pki.getPemEncoded(keyPair.getPrivate()));
cert.setCertAsBytes(this.pki.getPemEncoded(x509Cert));
cert.setEntitlement(entitlement);
-
+
log.debug("Generated cert serial number: " + serial.getId());
log.debug("Key: " + cert.getKey());
log.debug("Cert: " + cert.getCert());
-
+
entitlement.getCertificates().add(cert);
entCertCurator.create(cert);
return cert;
}
-
+
@Override
public void revokeEntitlementCertificates(Entitlement e) {
for (EntitlementCertificate cert : e.getCertificates()) {
CertificateSerial serial = cert.getSerial();
serial.setRevoked(true);
-
+
this.serialCurator.merge(serial);
}
}
@@ -152,12 +152,12 @@ public class DefaultEntitlementCertServiceAdapter
extends
}
return providedProducts;
}
-
+
/**
* Scan the product content looking for any which modify some
other product. If found
* we must check that this consumer has another entitlement
granting them access
* to that modified product. If they do not, we should filter out
this content.
- *
+ *
* @param prod
* @param ent
* @return ProductContent to include in the certificate.
@@ -180,7 +180,7 @@ public class DefaultEntitlementCertServiceAdapter
extends
}
}
}
-
+
if (include) {
filtered.add(pc);
}
@@ -211,17 +211,23 @@ public class DefaultEntitlementCertServiceAdapter
extends
if (sub != null) {
extensions.addAll(extensionUtil.subscriptionExtensions(sub, ent));
}
-
+
extensions.addAll(extensionUtil.entitlementExtensions(ent));
extensions.addAll(extensionUtil.consumerExtensions(ent.getConsumer()));
+ if (log.isDebugEnabled()) {
+ for (X509ExtensionWrapper eWrapper : extensions) {
+ log.debug(String.format("Extension %s with value %s",
+ eWrapper.getOid(), eWrapper.getValue()));
+ }
+ }
X509Certificate x509Cert = this.pki.createX509Certificate(
createDN(ent), extensions, sub.getStartDate(),
ent.getEndDate(),
keyPair, serialNumber, null);
return x509Cert;
}
-
+
private String createDN(Entitlement ent) {
StringBuilder sb = new StringBuilder("CN=");
sb.append(ent.getId());
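Review bot: The new debug loop builds its message with `String.format` although this class otherwise uses SLF4J parameterized logging (`log.debug(" consumer: {}", ...)` in `generateEntitlementCert`); `log.debug("Extension {} with value {}", eWrapper.getOid(), eWrapper.getValue());` is the consistent form and makes the `isDebugEnabled()` guard unnecessary. The values come from `consumerExtensions`/`entitlementExtensions`, so it is worth confirming nothing in them is sensitive before they go to the log; the same question applies to the existing `log.debug("Key: " + cert.getKey())` in `generateEntitlementCert`, where `cert` was just populated from `pki.getPemEncoded(keyPair.getPrivate())`. Separately, `sub` is null-checked at the top of this hunk but `sub.getStartDate()` is dereferenced unconditionally a few lines later, so either the guard or the dereference looks inconsistent with the commit's aim of handling nulls; the enclosing method starts outside the hunk.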
--
1.7.4.4