gfwleak/k18-ntcs-web-ntc
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

域名增加证书CN和SAN校验

Browse Source
This commit is contained in:
duandongmei
2018-11-06 11:31:28 +08:00
parent 21fbccfa88
commit c10161f88e
1 changed files with 168 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

204
src/main/java/com/nis/web/controller/configuration/proxy/PxyObjKeyringController.java
View File

@@ -1,17 +1,23 @@
package com.nis.web.controller.configuration.proxy; package com.nis.web.controller.configuration.proxy;
import java.io.BufferedReader;
import java.io.File; import java.io.File;
import java.io.FileInputStream; import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.Principal; import java.security.Principal;
import java.security.SecureRandom; import java.security.SecureRandom;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Date; import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.UUID; import java.util.UUID;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
@@ -55,6 +61,8 @@ import com.nis.web.controller.BaseController;
@Controller @Controller
@RequestMapping("${adminPath}/proxy/intercept/strateagy") @RequestMapping("${adminPath}/proxy/intercept/strateagy")
public class PxyObjKeyringController extends BaseController { public class PxyObjKeyringController extends BaseController {
public Map certInfoMap=new HashMap<>();
SimpleDateFormat sdf=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
@RequestMapping(value = {"/form"}) @RequestMapping(value = {"/form"})
@RequiresPermissions(value={"proxy:intercept:config"}) @RequiresPermissions(value={"proxy:intercept:config"})
@@ -110,32 +118,52 @@ public class PxyObjKeyringController extends BaseController {
} catch (Exception e) { } catch (Exception e) {
validFlag=false; validFlag=false;
logger.error("证书文件校验失败",e); logger.error("证书文件校验失败",e);
addMessage(redirectAttributes,e.getMessage()); addMessage(redirectAttributes,"error",e.getMessage());
} }
if(validFlag){ try{
validFlag=true; if(validFlag){
try{ validFlag=true;
if(publicKeyFileI != null) { if(publicKeyFileI != null) {
// 获取公钥信息 // 获取公钥信息
X509Certificate cert=FileUtils.getCertificateInfo(publicKeyFileI.getInputStream()); if(certInfoMap != null && certInfoMap.size() >0){
String issuer=cert.getIssuerDN().getName();//颁发者
Date notBefore=cert.getNotBefore();//起始时间 String issuer=certInfoMap.get("ca issuer").toString();//颁发者
Date notAfter=cert.getNotAfter();//结束时间 Date notBeforeTime=new Date(certInfoMap.get("ca notbefore").toString());//开始时间
String subject=cert.getSubjectDN().getName();//颁发给 Date notAfterTime=new Date(certInfoMap.get("ca notafter").toString());//结束时间
cfg.setIssuer(StringUtil.isEmpty(issuer)?"":issuer.trim()); String subject=certInfoMap.get("ca subjectname").toString();//颁发给
cfg.setSubject(StringUtil.isEmpty(subject)?"":subject.trim()); String notBeforeStr=sdf.format(notBeforeTime);
cfg.setNotBeforeTime(notBefore); String notAfterStr=sdf.format(notAfterTime);
cfg.setNotAfterTime(notAfter); String cn="";//CN
//CN精确信息获取
if(!StringUtil.isEmpty(subject)){
for (String cnStr : subject.split(",")) {
cnStr=StringUtil.isEmpty(cnStr) ? "":cnStr.trim();
if(cnStr.split("=").length > 1){
cn=cnStr.split("=")[1];
cn=StringUtil.isEmpty(cn) ? "":cn.trim();
}
}
}
String altName=certInfoMap.get("ca altname").toString();//SAN
cfg.setIssuer(issuer);
cfg.setSubject(subject);
cfg.setCn(cn);
cfg.setAltName(altName);
cfg.setNotBeforeTime(notBeforeStr);
cfg.setNotAfterTime(notAfterStr);
}else{
logger.info("无证书信息");
}
} }
}catch (Exception e) {
logger.error("证书信息获取失败",e);
addMessage(redirectAttributes,e.getMessage());
} }
} }catch (Exception e) {
if(validFlag){ logger.error("证书信息获取失败",e);
try{ addMessage(redirectAttributes,"error","save_failed");
}
try{
if(validFlag){
if(publicKeyFileI != null) { if(publicKeyFileI != null) {
String filename = publicKeyFileI.getOriginalFilename(); String filename = publicKeyFileI.getOriginalFilename();
String prefix = FileUtils.getPrefix(filename, false); String prefix = FileUtils.getPrefix(filename, false);
@@ -183,20 +211,29 @@ public class PxyObjKeyringController extends BaseController {
} }
} }
pxyObjKeyringService.saveOrUpdate(cfg); pxyObjKeyringService.saveOrUpdate(cfg);
}
addMessage(redirectAttributes,"save_success");
}catch(Exception e){ addMessage(redirectAttributes,"success","save_success");
logger.error("证书上传失败",e); }catch(Exception e){
if(e instanceof MaatConvertException) { logger.error("证书上传失败",e);
addMessage(redirectAttributes,e.getMessage()); if(e instanceof MaatConvertException) {
}else { addMessage(redirectAttributes,"error",e.getMessage());
addMessage(redirectAttributes,e.getMessage()); }else {
} addMessage(redirectAttributes,"error",e.getMessage());
} }
} }
return "redirect:" + adminPath +"/proxy/intercept/strateagy/list?functionId="+cfg.getFunctionId(); return "redirect:" + adminPath +"/proxy/intercept/strateagy/list?functionId="+cfg.getFunctionId();
} }
/**
*
* @param file
* @param validateType --incert证书校验 --inkey 私钥
* @param certType 证书类型
* @return
* @throws Exception
*/
public boolean validCertFileContent(MultipartFile file,String validateType)throws Exception{ public boolean validCertFileContent(MultipartFile file,String validateType)throws Exception{
String os = System.getProperty("os.name").toLowerCase(); String os = System.getProperty("os.name").toLowerCase();
if(!os.contains("windows")){ if(!os.contains("windows")){
@@ -217,18 +254,29 @@ public class PxyObjKeyringController extends BaseController {
+File.separator +File.separator
+Constants.CERT_VALIDATE_FILE).getPath(); +Constants.CERT_VALIDATE_FILE).getPath();
//x509脚本分配可执行权限 //x509脚本分配可执行权限
Map<String, Object> resultMap1=avCfgService.execShell("","chmod","+x",x509Shell); Map<String, Object> resultMap1=this.execShell("","chmod","+x",x509Shell);
logger.info("x509脚本分配可执行权限:"+"chmod"+" "+"x"+" "+x509Shell); logger.info("x509 chmod +x :"+resultMap1.get("out").toString());
logger.info("x509脚本分配可执行权限:"+"chmod"+" "+"+x"+" "+x509Shell);
//验证文件 //验证文件
logger.info(x509Shell+" "+validateType+" "+filePath); logger.info(x509Shell+" "+validateType+" "+filePath);
Map<String, Object> resultMap=avCfgService.execShell(x509Shell,validateType,filePath); Map<String, Object> resultMap=this.execShell(x509Shell,validateType,filePath);
if(resultMap == null || StringUtil.isEmpty(resultMap.get("out"))){
//临时文件删除
logger.info("delete file"+filePath);
FileUtils.deleteFile(filePath);
return false;
}else{
/*logger.info("x509 Out Info:"+resultMap.get("out").toString());
Pattern p = Pattern.compile("\\s*|\t|\r|\n");
Matcher m = p.matcher(resultMap.get("out").toString());
logger.info(m.replaceAll("test"));*/
}
if(resultMap != null if(resultMap != null
&& !StringUtil.isEmpty(resultMap.get("out")) && !StringUtil.isEmpty(resultMap.get("out"))
&& (!(resultMap.get("out").toString().indexOf(Constants.CERT_VALIDATE_SUCCESS_INFO) > -1)) && (!(resultMap.get("out").toString().indexOf(Constants.CERT_VALIDATE_SUCCESS_INFO) > -1))
){ ){
logger.error("x509 Out Info:"+resultMap.get("out").toString()); logger.error("x509 Out Info:"+resultMap.get("out").toString());
//临时文件删除 //临时文件删除
logger.info("delete file"+filePath); logger.info("delete file"+filePath);
FileUtils.deleteFile(filePath); FileUtils.deleteFile(filePath);
@@ -344,4 +392,88 @@ public class PxyObjKeyringController extends BaseController {
} }
//return "redirect:" + adminPath +"/ntc/iplist/list?functionId="+entity.getFunctionId(); //return "redirect:" + adminPath +"/ntc/iplist/list?functionId="+entity.getFunctionId();
} }
/**
* 调用shell脚本 返回运行结果
*
* @param shellName
* @param params
* @return
*/
public Map<String, Object> execShell(String shellName,
String... params) {
Map<String, Object> result = new HashMap<String, Object>();
StringBuilder sb = new StringBuilder();
sb.append(shellName);
for (String temp : params) {
sb.append(" " + temp);
}
String os = System.getProperty("os.name").toLowerCase();
String cmd1 = "";
String cmd2 = "";
if(os.contains("windows")){
cmd1 = "cmd.exe";
cmd2 = "/c";
}else{
cmd1 = "/bin/sh";
cmd2 = "-c";
}
logger.info("调用脚本信息,cmd1:"+cmd1+",cmd2:"+cmd2);
String cmdarray[] = new String[] {cmd1, cmd2 ,sb.toString() };
BufferedReader br = null;
BufferedReader bre = null;
try {
Process exec = Runtime.getRuntime().exec(cmdarray);
exec.getInputStream();
br = new BufferedReader(
new InputStreamReader(exec.getInputStream()));
bre = new BufferedReader(new InputStreamReader(
exec.getErrorStream()));
String s = null;
StringBuilder out = new StringBuilder();
String key="";
String value="";
if(sb.toString().indexOf("incert") > -1) certInfoMap=new HashMap<>();
while ((s = br.readLine()) != null) {
logger.info(s);
//证书信息收集
if(sb.toString().indexOf("incert") > -1){
if(s.indexOf(":") > -1){
key=s.substring(0, s.indexOf(":", 0));
key=StringUtil.isEmpty(key) ?"": key.toLowerCase().trim();
value=s.substring(s.indexOf(":", 0)+1, s.length());
value=StringUtil.isEmpty(value) ?"": value.trim();
certInfoMap.put(key, value);
}
}
out.append(s);
}
result.put("out", out.toString());//输出参数
out.setLength(0);//清空
while ((s = bre.readLine()) != null) {
out.append(s);
}
result.put("error", out.toString());//错误信息
int waitFor = exec.waitFor();
logger.info("调用脚本:"+sb.toString()+",执行返回状态值:"+waitFor);
result.put("exitStatus", waitFor);//执行状态
} catch (Exception e) {
e.printStackTrace();
logger.error("调用 " + shellName + " 脚本异常", e);
} finally {
if (br != null)
try {
br.close();
} catch (IOException e) {
e.printStackTrace();
}
if (bre != null)
try {
bre.close();
} catch (IOException e) {
e.printStackTrace();
}
}
return result;
}
} }