strimzi · ppatierno · Jul 2, 2018 · Jun 7, 2018 · Jun 8, 2018 · Jun 11, 2018
diff --git a/.checkstyle/checkstyle.xml b/.checkstyle/checkstyle.xml
@@ -92,7 +92,7 @@
         </module>
         <module name="ClassDataAbstractionCoupling">
             <!-- default is 7 -->
-            <property name="max" value="20"/>
+            <property name="max" value="21"/>
         </module>
         <module name="BooleanExpressionComplexity">
             <!-- default is 3 -->
@@ -101,7 +101,7 @@
 
         <module name="ClassFanOutComplexity">
             <!-- default is 20 -->
-            <property name="max" value="45"/>
+            <property name="max" value="49"/>
         </module>
         <module name="CyclomaticComplexity">
             <!-- default is 10-->
@@ -113,7 +113,7 @@
         </module>
         <module name="NPathComplexity">
             <!-- default is 200 -->
-            <property name="max" value="500"/>
+            <property name="max" value="900"/>
         </module>
 
         <module name="IllegalToken">

diff --git a/.findbugs/findbugs-exclude.xml b/.findbugs/findbugs-exclude.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+  <Match>
+    <Bug pattern="EI_EXPOSE_REP,EI_EXPOSE_REP2"/>
+    <Package name="io.strimzi.certs"/>
+  </Match>
+</FindBugsFilter>
diff --git a/certificate-manager/pom.xml b/certificate-manager/pom.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>strimzi</artifactId>
+    <groupId>io.strimzi</groupId>
+    <version>0.5.0-SNAPSHOT</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>certificate-manager</artifactId>
+  <dependencies>
+    <dependency>
+      <groupId>io.fabric8</groupId>
+      <artifactId>kubernetes-model</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-slf4j-impl</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+    </dependency>
+  </dependencies>
+
+</project>
diff --git a/certificate-manager/src/main/java/io/strimzi/certs/CertAndKey.java b/certificate-manager/src/main/java/io/strimzi/certs/CertAndKey.java
@@ -0,0 +1,24 @@
+/*
+ * Copyright 2017-2018, Strimzi authors.
+ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html).
+ */
+package io.strimzi.certs;
+
+public class CertAndKey {
+
+    private final byte[] key;
+    private final byte[] cert;
+
+    public CertAndKey(byte[] key, byte[] cert) {
+        this.key = key;
+        this.cert = cert;
+    }
+
+    public byte[] key() {
+        return key;
+    }
+
+    public byte[] cert() {
+        return cert;
+    }
+}
diff --git a/certificate-manager/src/main/java/io/strimzi/certs/CertManager.java b/certificate-manager/src/main/java/io/strimzi/certs/CertManager.java
@@ -0,0 +1,65 @@
+/*
+ * Copyright 2017-2018, Strimzi authors.
+ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html).
+ */
+package io.strimzi.certs;
+
+import java.io.File;
+import java.io.IOException;
+
+public interface CertManager {
+
+    /**
+     * Generate a self-signed certificate
+     *
+     * @param keyFile path to the file which will contain the private key
+     * @param certFile path to the file which will contain the self signed certificate
+     * @param sbj subject information
+     * @param days certificate duration
+     * @throws IOException
+     */
+    void generateSelfSignedCert(File keyFile, File certFile, Subject sbj, int days) throws IOException;
+
+    /**
+     * Generate a self-signed certificate
+     *
+     * @param keyFile path to the file which will contain the private key
+     * @param certFile path to the file which will contain the self signed certificate
+     * @param days certificate duration
+     * @throws IOException
+     */
+    void generateSelfSignedCert(File keyFile, File certFile, int days) throws IOException;
+
+    /**
+     * Generate a certificate sign request
+     *
+     * @param keyFile path to the file which will contain the private key
+     * @param csrFile path to the file which will contain the certificate sign request
+     * @param sbj subject information
+     */
+    void generateCsr(File keyFile, File csrFile, Subject sbj) throws IOException;
+
+    /**
+     * Generate a certificate signed by a Certificate Authority
+     *
+     * @param csrFile path to the file containing the certificate sign request
+     * @param caKey path to the file containing the CA private key
+     * @param caCert path to the file containing the CA certificate
+     * @param crtFile path to the file which will contain the signed certificate
+     * @param days certificate duration
+     * @throws IOException
+     */
+    void generateCert(File csrFile, File caKey, File caCert, File crtFile, int days) throws IOException;
+
+    /**
+     * Generate a certificate signed by a Certificate Authority
+     *
+     * @param csrFile path to the file containing the certificate sign request
+     * @param caKey CA private key bytes
+     * @param caCert CA certificate bytes
+     * @param crtFile path to the file which will contain the signed certificate
+     * @param days certificate duration
+     * @throws IOException
+     */
+    void generateCert(File csrFile, byte[] caKey, byte[] caCert, File crtFile, int days) throws IOException;
+}
diff --git a/certificate-manager/src/main/java/io/strimzi/certs/OpenSslCertManager.java b/certificate-manager/src/main/java/io/strimzi/certs/OpenSslCertManager.java
@@ -0,0 +1,210 @@
+/*
+ * Copyright 2017-2018, Strimzi authors.
+ * License: Apache License 2.0 (see the file LICENSE or http://apache.org/licenses/LICENSE-2.0.html).
+ */
+package io.strimzi.certs;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import java.io.BufferedWriter;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.OutputStreamWriter;
+import java.nio.charset.Charset;
+import java.nio.file.Files;
+import java.nio.file.StandardCopyOption;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+import static java.util.Arrays.asList;
+
+/**
+ * An OpenSSL based certificates manager
+ */
+public class OpenSslCertManager implements CertManager {
+
+    private static final Logger log = LogManager.getLogger(OpenSslCertManager.class);
+
+    @Override
+    public void generateSelfSignedCert(File keyFile, File certFile, int days) throws IOException {
+        generateSelfSignedCert(keyFile, certFile, null, days);
+    }
+
+    @Override
+    public void generateSelfSignedCert(File keyFile, File certFile, Subject sbj, int days) throws IOException {
+
+        List<String> cmd = new ArrayList<>(asList("openssl", "req", "-x509", "-new", "-days", String.valueOf(days), "-batch", "-nodes",
+                "-out", certFile.getAbsolutePath(), "-keyout", keyFile.getAbsolutePath()));
+
+        File sna = null;
+        File openSslConf = null;
+        if (sbj != null) {
+
+            if (sbj.subjectAltNames() != null && sbj.subjectAltNames().size() > 0) {
+
+                // subject alt names need to be in an openssl configuration file
+                InputStream is = getClass().getClassLoader().getResourceAsStream("openssl.conf");
+                openSslConf = File.createTempFile("openssl", "conf");
+                Files.copy(is, openSslConf.toPath(), StandardCopyOption.REPLACE_EXISTING);
+
+                sna = addSubjectAltNames(openSslConf, sbj);
+                cmd.addAll(asList("-config", sna.toPath().toString(), "-extensions", "v3_req"));
+            }
+
+            cmd.addAll(asList("-subj", sbj.toString()));
+        }
+
+        exec(cmd);
+
+        if (sna != null) {
+            if (!sna.delete()) {
+                log.warn("{} cannot be deleted", sna.getName());
+            }
+        }
+        if (openSslConf != null) {
+            if (!openSslConf.delete()) {
+                log.warn("{} cannot be deleted", openSslConf.getName());
+            }
+        }
+    }
+
+    /**
+     * Add subject alt names section to the provided openssl configuration file
+     *
+     * @param opensslConf openssl configuration file
+     * @param sbj subject information
+     * @return openssl configuration file with subject alt names added
+     * @throws IOException
+     */
+    private File addSubjectAltNames(File opensslConf, Subject sbj) throws IOException {
+
+        File sna = File.createTempFile("sna", "sna");
+        Files.copy(opensslConf.toPath(), sna.toPath(), StandardCopyOption.REPLACE_EXISTING);
+
+        BufferedWriter out = null;
+        try {
+            out = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(sna, true), "UTF8"));
+            boolean newline = false;
+            for (Map.Entry<String, String> entry : sbj.subjectAltNames().entrySet()) {
+                if (newline) {
+                    out.append("\n");
+                }
+                out.append(entry.getKey()).append(" = ").append(entry.getValue());
+                newline = true;
+            }
+        } finally {
+            if (out != null) {
+                out.close();
+            }
+        }
+
+        return sna;
+    }
+
+    @Override
+    public void generateCsr(File keyFile, File csrFile, Subject sbj) throws IOException {
+
+        List<String> cmd = new ArrayList<>(asList("openssl", "req", "-new", "-batch", "-nodes",
+                "-keyout", keyFile.getAbsolutePath(), "-out", csrFile.getAbsolutePath()));
+
+        File sna = null;
+        File openSslConf = null;
+        if (sbj != null) {
+
+            if (sbj.subjectAltNames() != null && sbj.subjectAltNames().size() > 0) {
+
+                // subject alt names need to be in an openssl configuration file
+                InputStream is = getClass().getClassLoader().getResourceAsStream("openssl.conf");
+                openSslConf = File.createTempFile("openssl", "conf");
+                Files.copy(is, openSslConf.toPath(), StandardCopyOption.REPLACE_EXISTING);
+
+                sna = addSubjectAltNames(openSslConf, sbj);
+                cmd.addAll(asList("-config", sna.toPath().toString(), "-extensions", "v3_req"));
+            }
+
+            cmd.addAll(asList("-subj", sbj.toString()));
+        }
+
+        exec(cmd);
+
+        if (sna != null) {
+            if (!sna.delete()) {
+                log.warn("{} cannot be deleted", sna.getName());
+            }
+        }
+        if (openSslConf != null) {
+            if (!openSslConf.delete()) {
+                log.warn("{} cannot be deleted", openSslConf.getName());
+            }
+        }
+    }
+
+    @Override
+    public void generateCert(File csrFile, File caKey, File caCert, File crtFile, int days) throws IOException {
+        exec("openssl", "x509", "-req", "-days", String.valueOf(days), "-in", csrFile.getAbsolutePath(),
+                "-CA", caCert.getAbsolutePath(), "-CAkey", caKey.getAbsolutePath(), "-CAcreateserial",
+                "-out", crtFile.getAbsolutePath());
+    }
+
+    @Override
+    public void generateCert(File csrFile, byte[] caKey, byte[] caCert, File crtFile, int days) throws IOException {
+
+        File caKeyFile = File.createTempFile("tls", "ca");
+        Files.write(caKeyFile.toPath(), caKey);
+
+        File caCertFile = File.createTempFile("tls", "ca");
+        Files.write(caCertFile.toPath(), caCert);
+
+        generateCert(csrFile, caKeyFile, caCertFile, crtFile, days);
+
+        if (!caKeyFile.delete()) {
+            log.warn("{} cannot be deleted", caKeyFile.getName());
+        }
+        if (!caCertFile.delete()) {
+            log.warn("{} cannot be deleted", caCertFile.getName());
+        }
+    }
+
+    private void exec(String... cmd) throws IOException {
+        exec(asList(cmd));
+    }
+
+    private void exec(List<String> cmd) throws IOException {
+        File out = null;
+
+        try {
+
+            out = File.createTempFile("openssl", Integer.toString(cmd.hashCode()));
+
+            ProcessBuilder processBuilder = new ProcessBuilder(cmd)
+                    .redirectOutput(out)
+                    .redirectErrorStream(true);
+            log.info("Running command {}", processBuilder.command());
+
+            Process proc = processBuilder.start();
+
+            OutputStream outputStream = proc.getOutputStream();
+            // close subprocess' stdin
+            outputStream.close();
+
+            int result = proc.waitFor();
+            String stdout = new String(Files.readAllBytes(out.toPath()), Charset.defaultCharset());
+
+            log.debug(stdout);
+            log.info("result {}", result);
+
+        } catch (InterruptedException ignored) {
+        } finally {
+            if (out != null) {
+                if (!out.delete()) {
+                    log.warn("{} cannot be deleted", out.getName());
+                }
+            }
+        }
+    }
+}