diff --git a/packages/supervisor/src/api/pki.controller.ts b/packages/supervisor/src/api/pki.controller.ts
index 2734a32..e389722 100644
--- a/packages/supervisor/src/api/pki.controller.ts
+++ b/packages/supervisor/src/api/pki.controller.ts
@@ -66,6 +66,16 @@ export class PkiController {
         )
     }
 
+    @Get("/ca/pem")
+    @EncodeResponseWith(t.string)
+    async getCertificateAuthorityPem(): Promise {
+        const ca = await this.ca.get()
+        if (!ca) {
+            throw new NotFoundException(null, "CA certificate not found")
+        }
+        return ca.exportCertificateAsPem()
+    }
+
     @Delete("/ca/:serial")
     @EncodeResponseWith(t.undefined)
     revokeCertificateAuthority(@Param("serial") unknownSerial: unknown): Promise {
diff --git a/packages/supervisor/src/pki/pkijs/cryptoEngine.ts b/packages/supervisor/src/pki/pkijs/cryptoEngine.ts
index cbfd1e7..25bfc57 100644
--- a/packages/supervisor/src/pki/pkijs/cryptoEngine.ts
+++ b/packages/supervisor/src/pki/pkijs/cryptoEngine.ts
@@ -34,11 +34,6 @@ function encryptWithPbeSha1(
     return encrypted
 }
 
-function pkcs7Pad(message: Buffer, blockSize: number): Buffer {
-    const size = blockSize - (message.length % blockSize)
-    return Buffer.concat([message, Buffer.alloc(size, size)])
-}
-
 /**
  * A shim for pkijs.CryptoEngine that implements the legacy pbeWithSHA1And3-KeyTripleDES-CBC.
  */
@@ -77,7 +72,7 @@ export class CryptoEngineShim extends pkijs.CryptoEngine {
     private encryptEncryptedContentInfoWithPbe1(
         parameters: pkijs.CryptoEngineEncryptParams,
     ): pkijs.EncryptedContentInfo {
-        const contentToEncrypt = pkcs7Pad(Buffer.from(parameters.contentToEncrypt), 8)
+        const contentToEncrypt = Buffer.from(parameters.contentToEncrypt)
         const {
             contentEncryptionAlgorithm: { name: algorithm },
             contentType,
diff --git a/packages/supervisor/src/pki/pkijs/pkcs12.ts b/packages/supervisor/src/pki/pkijs/pkcs12.ts
index 99e6f98..d73840e 100644
--- a/packages/supervisor/src/pki/pkijs/pkcs12.ts
+++ b/packages/supervisor/src/pki/pkijs/pkcs12.ts
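Review bot: The new getCertificateAuthorityPem handler has no doc comment, and its declared return type shows here as `Promise {`, presumably `Promise<string>` lost in rendering; it is worth confirming the declaration matches `@EncodeResponseWith(t.string)`. A one-line TSDoc above `@Get("/ca/pem")` would state the contract for API consumers: `/** Returns the CA certificate as PEM (public certificate only, per exportCertificateAsPem); 404 when no CA has been created. */` — the "certificate only" part is inferred from the method name and should be checked against exportCertificateAsPem before committing to it.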
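Review bot: Dropping pkcs7Pad at the changed line in encryptEncryptedContentInfoWithPbe1 is only correct if the 3DES-CBC cipher inside encryptWithPbeSha1 (whose body begins above this hunk) applies PKCS#7 padding itself; presumably the earlier double padding is what produced PKCS#12 files Java's KeyStore would not load. Nothing at the call site records that dependency, so a comment would stop the padding from being re-added later: `// No manual padding: the cipher in encryptWithPbeSha1 pads to the 8-byte block itself; padding twice breaks Java/Android import.` The matching decrypt path for this PBE scheme should be checked for a hand-rolled unpad step, which would now strip genuine plaintext bytes.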
@@ -1,7 +1,12 @@
 import * as asn1js from "asn1js"
 import * as pkijs from "pkijs"
 
-import { OID_PKCS12_BagId_CertBag, OID_PKCS12_BagId_PKCS8ShroudedKeyBag, OID_PKCS9_LocalKeyId } from "../consts"
+import {
+    OID_PKCS12_BagId_CertBag,
+    OID_PKCS12_BagId_PKCS8ShroudedKeyBag,
+    OID_PKCS9_FriendlyName,
+    OID_PKCS9_LocalKeyId,
+} from "../consts"
 
 function getSafeContentEncryptionParams(algorithm: "DES-EDE3-CBC" | "RC2-40-CBC", password: ArrayBuffer) {
     const params = {
@@ -41,6 +46,10 @@ export async function exportAsPkcs12(
                 }),
             ],
         }),
+        new pkijs.Attribute({
+            type: OID_PKCS9_FriendlyName,
+            values: [new asn1js.BmpString({ value: "certificate" })],
+        }),
     ],
 })
 
@@ -54,6 +63,12 @@ export async function exportAsPkcs12(
                 bagValue: new pkijs.CertBag({
                     parsedValue: cert,
                 }),
+                bagAttributes: [
+                    new pkijs.Attribute({
+                        type: OID_PKCS9_FriendlyName,
+                        values: [new asn1js.BmpString({ value: "trust anchor" })],
+                    }),
+                ],
             }),
         ),
     ],
@@ -71,6 +86,10 @@ export async function exportAsPkcs12(
             bagId: OID_PKCS12_BagId_PKCS8ShroudedKeyBag,
             bagValue: pkcs8KeyBag,
             bagAttributes: [
+                new pkijs.Attribute({
+                    type: OID_PKCS9_FriendlyName,
+                    values: [new asn1js.BmpString({ value: "private key" })],
+                }),
                 new pkijs.Attribute({
                     type: OID_PKCS9_LocalKeyId,
                     values: [new asn1js.OctetString({ valueHex: certKeyId })],
diff --git a/packages/web/app/pki/actions.ts b/packages/web/app/pki/actions.ts
index 354d626..1e6ae7e 100644
--- a/packages/web/app/pki/actions.ts
+++ b/packages/web/app/pki/actions.ts
@@ -40,6 +40,10 @@ export async function deleteClientCertificate(serial: SerialNumberString): Promi
     await deleteEndpoint(`api/v1/pki/clients/${serial}`)
 }
 
+export async function exportCertificateAuthorityPem(): Promise {
+    return await getTypedEndpoint(t.string, `api/v1/pki/ca/pem`)
+}
+
 export async function exportClientCertificateP12(serial: SerialNumberString, password: string): Promise {
     return await postTypedEndpoint(
         t.string,
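Review bot: The friendlyName added to the CA CertBag in the @@ -54 hunk is the fixed literal `"trust anchor"`, and Java's PKCS12 KeyStore turns friendlyName into the (case-insensitive) entry alias, so if this bag is ever produced for more than one certificate only the last one survives loading; the same applies to `"certificate"` and `"private key"` in the other two hunks should several pairs be exported. As far as I recall, Java also only exposes a cert bag that has no matching localKeyId as a trusted-certificate entry when the bag carries Oracle's trustedKeyUsage attribute (OID 2.16.840.1.113894.746875.1.1); the compatibility tool added in this commit is the right place to confirm that a `trust anchor` alias actually appears after loading. The three literals are otherwise unexplained, so a short comment above the first attribute, `// friendlyName becomes the KeyStore alias when Java/Android imports the file`, would tell the next reader why they were added. exportAsPkcs12 starts before and ends after these hunks.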
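Review bot: The endpoint path in the new exportCertificateAuthorityPem is a template literal with no placeholders; a plain string, `return await getTypedEndpoint(t.string, "api/v1/pki/ca/pem")`, reads as intended and avoids the usual lint warning for needless template literals. The return type shows as `Promise {` here, presumably `Promise<string>` lost in rendering, which is worth a quick check against the t.string codec.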
diff --git a/packages/web/app/pki/exportDialog.tsx b/packages/web/app/pki/exportDialog.tsx
new file mode 100644
index 0000000..8b03e91
--- /dev/null
+++ b/packages/web/app/pki/exportDialog.tsx
@@ -0,0 +1,123 @@ +"use client" + +import { FileDownload } from "@mui/icons-material" +import { + Button, + CircularProgress, + Dialog, + DialogActions, + DialogContent, + DialogTitle, + Stack, + TextField, +} from "@mui/material" +import { SerialNumberString } from "@yonagi/common/types/pki/SerialNumberString" +import { FormEvent, useState } from "react" +import { useQuery } from "react-query" + +import { exportClientCertificateP12 } from "./actions" +import { base64ToBlob, downloadBlob } from "../../lib/client" +import { useNotifications } from "../../lib/notifications" + +export function ExportPkcs12Dialog({ + onClose, + open, + serialNumber, +}: { + onClose: () => void + open: boolean + serialNumber: SerialNumberString +}): JSX.Element { + const [password, setPassword] = useState("") + + const { isLoading, refetch } = useQuery({ + enabled: false, + queryFn: async () => { + const base64 = await exportClientCertificateP12(serialNumber, password) + const blob = base64ToBlob(base64, "application/x-pkcs12") + downloadBlob(blob, `${serialNumber}.p12`) + }, + onError: (error) => { + notifyError("Failed to export PKCS#12", String(error)) + }, + queryKey: ["pki", "download", serialNumber], + retry: false, + }) + + const handleSubmit = () => { + refetch() + .then(() => { + onClose() + }) + .catch((error) => { + notifyError("Failed to export as PKCS#12", String(error)) + }) + } + + const { notifyError } = useNotifications() + + return ( + ) => { + e.preventDefault() + handleSubmit() + }, + }} + > + Export PKCS#12 + + + { + setPassword(e.currentTarget.value) + }} + required + type="password" + value={password} + variant="filled" + /> + + + + + + + + ) +} + +export function useExportPkcs12Dialog({ serialNumber }: { serialNumber: SerialNumberString }) { + const [isOpen, setOpen] = useState(false) + const dialog = ExportPkcs12Dialog({ + onClose: () => { + setOpen(false) + }, + open: isOpen, + serialNumber, + }) + + return { + dialog, + open: () => { + setOpen(true) + }, + } 
+}
diff --git a/packages/web/app/pki/page.tsx b/packages/web/app/pki/page.tsx
index ee81683..091eae7 100644
--- a/packages/web/app/pki/page.tsx
+++ b/packages/web/app/pki/page.tsx
@@ -36,11 +36,13 @@ import { deleteCertificateAuthority, deleteClientCertificate, deleteServerCertificate, - exportClientCertificateP12, + exportCertificateAuthorityPem, getPkiSummary, } from "./actions" -import { useNonce, useQueryHelpers } from "../../lib/client" +import { useExportPkcs12Dialog } from "./exportDialog" +import { downloadBlob, useNonce, useQueryHelpers } from "../../lib/client" import { ValidatedForm, ValidatedTextField } from "../../lib/forms" +import { useNotifications } from "../../lib/notifications" const PKI_QUERY_KEY = ["pki", "summary"] @@ -89,13 +91,15 @@ function CertificateDetailCell({ children, label }: { children: React.ReactNode; } function CertificateDisplayAccordionDetails({ + canExportCaPem, + canExportP12, cert, delete: submitDelete, - downloadable, }: { + canExportCaPem?: boolean + canExportP12?: boolean cert: CertificateSummary delete: (serial: SerialNumberString) => Promise - downloadable?: boolean }) { const { invalidate } = useQueryHelpers(PKI_QUERY_KEY) const { isLoading: isDeleting, mutate: mutateDelete } = useMutation({
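Review bot: In handleSubmit, `refetch().then(() => { onClose() })` closes the dialog even when the export failed: react-query's refetch resolves with a result object rather than rejecting unless `throwOnError` is requested, so the `.catch` branch is effectively dead and the onError handler fires while the dialog still disappears. Closing only on success is a two-line change, `const result = await refetch()` followed by `if (!result.isError) onClose()` (with handleSubmit made async), which also lets the second, slightly different "Failed to export as PKCS#12" message go. Separately, `notifyError` is referenced inside the useQuery options several lines before `const { notifyError } = useNotifications()` is declared; it works because the callbacks run after render, but moving the useNotifications() call above useQuery makes that obvious. useExportPkcs12Dialog calls `ExportPkcs12Dialog(...)` as a plain function, which folds its useState/useQuery into the caller's hook order and is safe only while it is always called unconditionally; a comment stating that constraint at the call would prevent a future early return from breaking hooks.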
@@ -103,34 +107,26 @@ function CertificateDisplayAccordionDetails({ mutationKey: ["pki", "delete", cert.serialNumber], onSettled: invalidate, }) - const { - data, - error: exportError, - isLoading: isExporting, - refetch: download, - } = useQuery({ + const { notifyError } = useNotifications() + + const { isLoading: isExportingCaPem, refetch: refetchCaPem } = useQuery({ enabled: false, queryFn: async () => { - let blobUrl: string - if (!data) { - const base64 = await exportClientCertificateP12(cert.serialNumber, "neko") - const buffer = Buffer.from(base64, "base64") - const blob = new Blob([buffer], { type: "application/x-pkcs12" }) - blobUrl = URL.createObjectURL(blob) - } else { - blobUrl = data - } - - const a = document.createElement("a") - a.href = blobUrl - a.download = `${cert.serialNumber}.p12` - a.click() - - return blobUrl + const pem = await exportCertificateAuthorityPem() + const blob = new Blob([pem], { type: "application/x-pem-file" }) + downloadBlob(blob, `${cert.serialNumber}.crt`) + }, + onError: (error) => { + notifyError("Failed to download certificate", String(error)) }, queryKey: ["pki", "download", cert.serialNumber], retry: false, }) + + const { dialog: exportPkcs12Dialog, open: openExportPkcs12Dialog } = useExportPkcs12Dialog({ + serialNumber: cert.serialNumber, + }) + const [deletePopoverAnchor, setDeletePopoverAnchor] = useState(null) return ( @@ -165,19 +161,31 @@ function CertificateDisplayAccordionDetails({ > Delete - {downloadable && ( + {canExportCaPem && ( + )} + {canExportP12 && ( + )} @@ -210,6 +218,7 @@ function CertificateDisplayAccordionDetails({ Confirm Delete + {canExportP12 && exportPkcs12Dialog} ) } @@ -294,9 +303,10 @@ function CertificateAccordion( title: string } & ( | { + canExportCaPem?: boolean + canExportP12?: boolean cert?: CertificateSummary delete: (serial: SerialNumberString) => Promise - downloadable?: boolean } | { cert?: never 
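Review bot: In the @@ -103 hunk the CA-PEM query keeps `queryKey: ["pki", "download", cert.serialNumber]`, which is the same key the new useExportPkcs12Dialog registers for the same serial, so a certificate rendered with both canExportCaPem and canExportP12 would have two observers with different queryFns sharing one cache entry. Giving this one its own key, `queryKey: ["pki", "download", "ca-pem", cert.serialNumber]`, avoids that. The file is also named `${cert.serialNumber}.crt` while the bytes come from the fixed `/ca/pem` endpoint regardless of which row triggered it; that is presumably fine because only the CA accordion passes canExportCaPem, but a one-line comment at the downloadBlob call saying so would make the coupling explicit. CertificateDisplayAccordionDetails begins before this hunk.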
@@ -327,7 +337,8 @@ function CertificateAccordion( props.delete(serial)} - downloadable={props.downloadable} + canExportCaPem={props.canExportCaPem} + canExportP12={props.canExportP12} /> ) : props.create ? ( @@ -362,6 +373,7 @@ export default function PkiDashboardPage() { Infrastructure createCertificateAuthority(form).finally(increaseNonce)} defaultExpanded @@ -386,7 +398,7 @@ export default function PkiDashboardPage() { deleteClientCertificate(serial)} - downloadable + canExportP12 isLoading={!hasData} key={clientCert.serialNumber} title="Client"
diff --git a/packages/web/lib/client.ts b/packages/web/lib/client.ts
index 4a165c6..146225b 100644
--- a/packages/web/lib/client.ts
+++ b/packages/web/lib/client.ts
@@ -40,3 +40,24 @@ export function useQueryHelpers(queryKey: readonly unknown[]) {
         },
     }
 }
+
+export function base64ToBlob(base64: string, type: string) {
+    const byteCharacters = atob(base64)
+    const byteArray = new Uint8Array(byteCharacters.length)
+    for (let i = 0; i < byteCharacters.length; i++) {
+        byteArray[i] = byteCharacters.charCodeAt(i)
+    }
+    return new Blob([byteArray], { type })
+}
+
+export function downloadBlob(blob: Blob, filename: string) {
+    const url = URL.createObjectURL(blob)
+    try {
+        const a = document.createElement("a")
+        a.href = url
+        a.download = filename
+        a.click()
+    } finally {
+        URL.revokeObjectURL(url)
+    }
+}
diff --git a/tools/java-pkcs12-compatibility/.clang-format b/tools/java-pkcs12-compatibility/.clang-format
new file mode 100644
index 0000000..ed5e6cc
--- /dev/null
+++ b/tools/java-pkcs12-compatibility/.clang-format
@@ -0,0 +1,3 @@
+BasedOnStyle: LLVM
+IndentWidth: 4
+ColumnLimit: 120
diff --git a/tools/java-pkcs12-compatibility/README.md b/tools/java-pkcs12-compatibility/README.md
new file mode 100644
index 0000000..49bb79e
--- /dev/null
+++ b/tools/java-pkcs12-compatibility/README.md
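Review bot: downloadBlob revokes the object URL in `finally` in the same task as `a.click()`; the download is started asynchronously by the browser, and some browsers have reportedly dropped the download when the URL is revoked that early, so deferring the revocation, e.g. `setTimeout(() => URL.revokeObjectURL(url), 0)` after the click, is the safer shape, at which point the try/finally has nothing left to guard. Both new exports also lack return-type annotations and a doc line: `export function base64ToBlob(base64: string, type: string): Blob` with `/** Decodes a base64 string into a Blob of the given MIME type; atob throws on malformed input, so callers should surface that error. */`, and `export function downloadBlob(blob: Blob, filename: string): void`.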
@@ -0,0 +1,5 @@
+# Java/Android PKCS#12 Compatibility Test Tool
+
+Under the hood, Android uses Java's `KeyStore` API to handle PKCS#12 files.
+
+This tool loads PKCS#12 files with `KeyStore` to verify compatibility of Yonagi generated PKCS#12 files with Java/Android.
diff --git a/tools/java-pkcs12-compatibility/build.gradle b/tools/java-pkcs12-compatibility/build.gradle
new file mode 100644
index 0000000..ee457ab
--- /dev/null
+++ b/tools/java-pkcs12-compatibility/build.gradle
@@ -0,0 +1,21 @@
+plugins {
+    id 'java'
+}
+
+group 'maho.science.yonagi.android-pkcs12-compatibility-test'
+version '1.0-SNAPSHOT'
+
+repositories {
+    mavenCentral()
+}
+
+sourceSets {
+    main {
+        java {
+            srcDirs = ['src']
+        }
+    }
+}
+
+dependencies {
+}
diff --git a/tools/java-pkcs12-compatibility/gradle/wrapper/gradle-wrapper.jar b/tools/java-pkcs12-compatibility/gradle/wrapper/gradle-wrapper.jar
new file mode 100644
index 0000000..7f93135
Binary files /dev/null and b/tools/java-pkcs12-compatibility/gradle/wrapper/gradle-wrapper.jar differ
diff --git a/tools/java-pkcs12-compatibility/gradle/wrapper/gradle-wrapper.properties b/tools/java-pkcs12-compatibility/gradle/wrapper/gradle-wrapper.properties
new file mode 100644
index 0000000..3fa8f86
--- /dev/null
+++ b/tools/java-pkcs12-compatibility/gradle/wrapper/gradle-wrapper.properties
@@ -0,0 +1,7 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
+zipStoreBase=GRADLE_USER_HOME
+zipStorePath=wrapper/dists
diff --git a/tools/java-pkcs12-compatibility/gradlew b/tools/java-pkcs12-compatibility/gradlew
new file mode 100644
index 0000000..1aa94a4
--- /dev/null
+++ b/tools/java-pkcs12-compatibility/gradlew
@@ -0,0 +1,249 @@ +#!/bin/sh + +# +# Copyright © 2015-2021 the original authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +############################################################################## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. 
+# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. +# +############################################################################## + +# Attempt to set APP_HOME + +# Resolve links: $0 may be a link +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac +done + +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036) +APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit + +# Use the maximum available, or set MAX_FD != -1 to use that value. +MAX_FD=maximum + +warn () { + echo "$*" +} >&2 + +die () { + echo + echo "$*" + echo + exit 1 +} >&2 + +# OS specific support (must be 'true' or 'false'). +cygwin=false +msys=false +darwin=false +nonstop=false +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; +esac + +CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar + + +# Determine the Java command to use to start the JVM. 
+if [ -n "$JAVA_HOME" ] ; then + if [ -x "$JAVA_HOME/jre/sh/java" ] ; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD=$JAVA_HOME/jre/sh/java + else + JAVACMD=$JAVA_HOME/bin/java + fi + if [ ! -x "$JAVACMD" ] ; then + die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +else + JAVACMD=java + if ! command -v java >/dev/null 2>&1 + then + die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. + +Please set the JAVA_HOME variable in your environment to match the +location of your Java installation." + fi +fi + +# Increase the maximum file descriptors if we can. +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC2039,SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac +fi + +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
+ +# For Cygwin or MSYS, switch paths to Windows format before running java +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + + # Now convert the arguments - kludge to limit ourselves to /bin/sh + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) + fi + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. + shift # remove old arg + set -- "$@" "$arg" # push replacement arg + done +fi + + +# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' + +# Collect all arguments for the java command: +# * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments, +# and any embedded shellness will be escaped. +# * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be +# treated as '${Hostname}' itself on the command line. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. 
+# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. +# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# + +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' + +exec "$JAVACMD" "$@" diff --git a/tools/java-pkcs12-compatibility/gradlew.bat b/tools/java-pkcs12-compatibility/gradlew.bat new file mode 100644 index 0000000..6689b85 --- /dev/null +++ b/tools/java-pkcs12-compatibility/gradlew.bat 
@@ -0,0 +1,92 @@ +@rem +@rem Copyright 2015 the original author or authors. +@rem +@rem Licensed under the Apache License, Version 2.0 (the "License"); +@rem you may not use this file except in compliance with the License. +@rem You may obtain a copy of the License at +@rem +@rem https://www.apache.org/licenses/LICENSE-2.0 +@rem +@rem Unless required by applicable law or agreed to in writing, software +@rem distributed under the License is distributed on an "AS IS" BASIS, +@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +@rem See the License for the specific language governing permissions and +@rem limitations under the License. +@rem + +@if "%DEBUG%"=="" @echo off +@rem ########################################################################## +@rem +@rem Gradle startup script for Windows +@rem +@rem ########################################################################## + +@rem Set local scope for the variables with windows NT shell +if "%OS%"=="Windows_NT" setlocal + +set DIRNAME=%~dp0 +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused +set APP_BASE_NAME=%~n0 +set APP_HOME=%DIRNAME% + +@rem Resolve any "." and ".." in APP_HOME to make it shorter. +for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi + +@rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. +set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m" + +@rem Find java.exe +if defined JAVA_HOME goto findJavaFromJavaHome + +set JAVA_EXE=java.exe +%JAVA_EXE% -version >NUL 2>&1 +if %ERRORLEVEL% equ 0 goto execute + +echo. +echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:findJavaFromJavaHome +set JAVA_HOME=%JAVA_HOME:"=% +set JAVA_EXE=%JAVA_HOME%/bin/java.exe + +if exist "%JAVA_EXE%" goto execute + +echo. 
+echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% +echo. +echo Please set the JAVA_HOME variable in your environment to match the +echo location of your Java installation. + +goto fail + +:execute +@rem Setup the command line + +set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar + + +@rem Execute Gradle +"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %* + +:end +@rem End local scope for the variables with windows NT shell +if %ERRORLEVEL% equ 0 goto mainEnd + +:fail +rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of +rem the _cmd.exe /c_ return code! +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% + +:mainEnd +if "%OS%"=="Windows_NT" endlocal + +:omega diff --git a/tools/java-pkcs12-compatibility/src/Main.java b/tools/java-pkcs12-compatibility/src/Main.java new file mode 100644 index 0000000..b5291d2 --- /dev/null +++ b/tools/java-pkcs12-compatibility/src/Main.java 
@@ -0,0 +1,62 @@
+import java.awt.*;
+import java.security.KeyStore;
+import javax.swing.*;
+
+public class Main {
+    private static void remakeKeyStore(String filename, String outputFilename, String password) throws Exception {
+        var fis = new java.io.FileInputStream(filename);
+        var ksIn = KeyStore.getInstance("PKCS12");
+        ksIn.load(fis, password.toCharArray());
+        fis.close();
+
+        var ksOut = KeyStore.getInstance("PKCS12");
+        ksOut.load(null, password.toCharArray());
+
+        var entries = ksIn.aliases();
+        while (entries.hasMoreElements()) {
+            var alias = entries.nextElement();
+            var cert = ksIn.getCertificate(alias);
+            ksOut.setCertificateEntry(alias, cert);
+
+            var key = ksIn.getKey(alias, password.toCharArray());
+            ksOut.setKeyEntry(alias, key, password.toCharArray(), new java.security.cert.Certificate[] {cert});
+
+            var chain = ksIn.getCertificateChain(alias);
+            if (chain != null) {
+                ksOut.setKeyEntry(alias, key, password.toCharArray(), chain);
+            }
+        }
+
+        var fos = new java.io.FileOutputStream(outputFilename);
+        ksOut.store(fos, password.toCharArray());
+        fos.close();
+    }
+
+    public static void main(String[] args) throws Exception {
+        SwingUtilities.invokeLater(() -> {
+            // select file by dialog
+            var fd = new FileDialog(new Frame(), "Choose a file", FileDialog.LOAD);
+            fd.setFilenameFilter((dir, name) -> name.endsWith(".p12"));
+            fd.setVisible(true);
+            var filename = fd.getFiles()[0].getAbsolutePath();
+
+            // assert and create output filename ".out.p12"
+            if (!filename.endsWith(".p12")) {
+                JOptionPane.showMessageDialog(null, "File must be .p12");
+                return;
+            }
+            var outputFilename = filename.substring(0, filename.length() - 4) + ".out.p12";
+
+            // read password by dialog
+            var password = JOptionPane.showInputDialog("Enter password");
+
+            // remake keystore
+            try {
+                remakeKeyStore(filename, outputFilename, password);
+            } catch (Exception e) {
+                e.printStackTrace();
+                JOptionPane.showMessageDialog(null, e.getMessage());
+            }
+        });
+    }
+}
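Review bot: The alias loop in remakeKeyStore treats every alias as both a certificate entry and a key entry: for a trusted-certificate alias `ksIn.getKey` returns null and the following `ksOut.setKeyEntry(alias, null, …)` throws, so a PKCS#12 that carries the "trust anchor" bag this commit adds would make the tool report a failure that has nothing to do with compatibility, while for a key alias `setCertificateEntry` followed by two `setKeyEntry` calls on the same alias merely overwrites itself. Branching on `isKeyEntry`/`isCertificateEntry` copies each entry once and keeps the chain intact; the two streams should also be try-with-resources so an exception in load/store does not leak a handle. In main, `fd.getFiles()[0]` throws when the file dialog is cancelled and `password` is null when the input dialog is cancelled, so both deserve a null/empty check before remakeKeyStore is called.
```java
    private static void remakeKeyStore(String filename, String outputFilename, String password) throws Exception {
        var ksIn = KeyStore.getInstance("PKCS12");
        try (var fis = new java.io.FileInputStream(filename)) {
            ksIn.load(fis, password.toCharArray());
        }

        var ksOut = KeyStore.getInstance("PKCS12");
        ksOut.load(null, password.toCharArray());

        var entries = ksIn.aliases();
        while (entries.hasMoreElements()) {
            var alias = entries.nextElement();
            if (ksIn.isKeyEntry(alias)) {
                // key entry: copy the key together with the chain the input store associated with it
                var key = ksIn.getKey(alias, password.toCharArray());
                ksOut.setKeyEntry(alias, key, password.toCharArray(), ksIn.getCertificateChain(alias));
            } else if (ksIn.isCertificateEntry(alias)) {
                // trusted-certificate entry: there is no key to copy
                ksOut.setCertificateEntry(alias, ksIn.getCertificate(alias));
            }
        }

        try (var fos = new java.io.FileOutputStream(outputFilename)) {
            ksOut.store(fos, password.toCharArray());
        }
    }
    // … unchanged: main …
```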