SaveSSLCertificates.java

/*
 * Copyright (C) 2011-2012 Intel Corporation
 * All rights reserved.
 */
package com.intel.mtwilson.crypto;

import com.intel.dcsg.cpg.crypto.HmacCredential;
import com.intel.dcsg.cpg.tls.policy.TlsUtil;
import com.intel.mtwilson.KeystoreUtil;
import com.intel.mtwilson.ApiClient;
import com.intel.mtwilson.api.*;
import com.intel.mtwilson.datatypes.OsData;
import java.io.*;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.*;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Properties;
import org.apache.commons.codec.binary.Hex;
import org.junit.Test;

/**
 *
 * @author jbuhacoff
 */
public class SaveSSLCertificates {

    @Test
    public void testSaveSSLCerts() throws IOException, NoSuchAlgorithmException, KeyManagementException, CertificateEncodingException {
        X509Certificate[] certs = TlsUtil.getServerCertificates(new URL("https://10.1.71.81:8181/AttestationService"));
        for(X509Certificate cert : certs) {
            System.out.println(String.format("Subject: %s", cert.getSubjectX500Principal().getName()));
            System.out.println(String.format("Issuer: %s", cert.getIssuerX500Principal().getName()));
            System.out.println(String.format("Not Before: %s", cert.getNotBefore().toString()));
            System.out.println(String.format("Not After: %s", cert.getNotAfter().toString()));
            byte[] certBytes = cert.getEncoded();
            MessageDigest hashMd5 = MessageDigest.getInstance("MD5");
            byte[] digestMd5 = hashMd5.digest(certBytes);
            System.out.println(String.format("MD5: %s", new String(Hex.encodeHex(digestMd5))));
            MessageDigest hashSha1 = MessageDigest.getInstance("SHA-1");
            byte[] digestSha1 = hashSha1.digest(certBytes);
            System.out.println(String.format("SHA-1: %s", new String(Hex.encodeHex(digestSha1))));
            MessageDigest hashSha256 = MessageDigest.getInstance("SHA-256");
            byte[] digestSha256 = hashSha256.digest(certBytes);
            System.out.println(String.format("SHA-256: %s", new String(Hex.encodeHex(digestSha256))));
        }
    }
    
    public static void main(String[] args) throws MalformedURLException, NoSuchAlgorithmException, KeyManagementException, UnsupportedEncodingException, IOException, ApiException, SignatureException, KeyStoreException, CertificateException, ClientException {
        URL url = new URL("https://10.1.71.81:8181");
        try {
            // test API client against a server and require valid certs
            Properties p = new Properties();
            p.setProperty("mtwilson.api.ssl.requireTrustedCertificate", "true");
            p.setProperty("mtwilson.api.ssl.verifyHostname", "false");
            ApiClient c = new ApiClient(url, new HmacCredential("cloudportal@intel","nU8jTeJaFJZ7TJdMb4g4wAOljEHqwyFoRGvrsPjxrST8icOU"), p);
            List<OsData> list = c.listAllOS();
            System.out.println(String.format("Got list size %i", list.size()));            
        }
        catch(javax.net.ssl.SSLPeerUnverifiedException e) {
            System.out.println(String.format("SSL certificate for server %s is not trusted", url.toExternalForm()));
            System.out.println("Add certificate to trust store and try again? (Y/N) ");
            BufferedReader in = new BufferedReader(new InputStreamReader(System.in));
            String saveCertAndTryAgain = in.readLine().trim();
            if( saveCertAndTryAgain.toUpperCase().startsWith("Y") ) {
                // download server SSL certificates
                X509Certificate[] serverCertificates = TlsUtil.getServerCertificates(url);
                // create a new temporary trust store and add those certificates
                KeyStore keystore = KeyStore.getInstance("JKS");
                keystore.load(null, null);
                String aliasBasename = "tmp";
                int certificateNumber = 0;
                for(X509Certificate cert : serverCertificates) {
                    certificateNumber++;
                    String alias = String.format("%s%i", aliasBasename, certificateNumber);
                    keystore.setCertificateEntry(alias, cert);
                }
                File tmp = File.createTempFile("keystore", ".jks"); // IOException.  // creates a temporary file
                KeystoreUtil.save(keystore, "changeit", tmp);
                System.out.println("Keystore is in "+tmp.getAbsolutePath());
                // try the call again
                Properties p = new Properties();
                p.setProperty("mtwilson.api.ssl.requireTrustedCertificate", "true");
                p.setProperty("mtwilson.api.ssl.verifyHostname", "false");
                p.setProperty("mtwilson.api.truststore", tmp.getAbsolutePath()); 
                ApiClient c = new ApiClient(url, new HmacCredential("cloudportal@intel","nU8jTeJaFJZ7TJdMb4g4wAOljEHqwyFoRGvrsPjxrST8icOU"), p);
                List<OsData> list = c.listAllOS();
                System.out.println(String.format("Got list size %i", list.size()));            
                
            }
        }
        /*
         * 
mtwilson.api.clientId=
mtwilson.api.secretKey=
         * 
        System.out.println("URL: "+baseurl.toExternalForm());
        System.out.print("Root password: ");
         * 
         */
    }
    
}