域名增加证书CN和SAN校验
@@ -1,17 +1,23 @@
|
||||
package com.nis.web.controller.configuration.proxy;
|
||||
|
||||
import java.io.BufferedReader;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStreamReader;
|
||||
import java.security.KeyStore;
|
||||
import java.security.Principal;
|
||||
import java.security.SecureRandom;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.text.SimpleDateFormat;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Date;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.UUID;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import javax.net.ssl.KeyManagerFactory;
|
||||
import javax.net.ssl.SSLContext;
|
||||
@@ -55,6 +61,8 @@ import com.nis.web.controller.BaseController;
|
||||
@Controller
|
||||
@RequestMapping("${adminPath}/proxy/intercept/strateagy")
|
||||
public class PxyObjKeyringController extends BaseController {
|
||||
public Map certInfoMap=new HashMap<>();
|
||||
SimpleDateFormat sdf=new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
|
||||
|
||||
@RequestMapping(value = {"/form"})
|
||||
@RequiresPermissions(value={"proxy:intercept:config"})
|
||||
@@ -110,32 +118,52 @@ public class PxyObjKeyringController extends BaseController {
|
||||
} catch (Exception e) {
|
||||
validFlag=false;
|
||||
logger.error("证书文件校验失败",e);
|
||||
addMessage(redirectAttributes,e.getMessage());
|
||||
addMessage(redirectAttributes,"error",e.getMessage());
|
||||
}
|
||||
|
||||
if(validFlag){
|
||||
validFlag=true;
|
||||
try{
|
||||
|
||||
try{
|
||||
if(validFlag){
|
||||
validFlag=true;
|
||||
if(publicKeyFileI != null) {
|
||||
// 获取公钥信息
|
||||
X509Certificate cert=FileUtils.getCertificateInfo(publicKeyFileI.getInputStream());
|
||||
String issuer=cert.getIssuerDN().getName();//颁发者
|
||||
Date notBefore=cert.getNotBefore();//起始时间
|
||||
Date notAfter=cert.getNotAfter();//结束时间
|
||||
String subject=cert.getSubjectDN().getName();//颁发给
|
||||
cfg.setIssuer(StringUtil.isEmpty(issuer)?"":issuer.trim());
|
||||
cfg.setSubject(StringUtil.isEmpty(subject)?"":subject.trim());
|
||||
cfg.setNotBeforeTime(notBefore);
|
||||
cfg.setNotAfterTime(notAfter);
|
||||
if(certInfoMap != null && certInfoMap.size() >0){
|
||||
|
||||
String issuer=certInfoMap.get("ca issuer").toString();//颁发者
|
||||
Date notBeforeTime=new Date(certInfoMap.get("ca notbefore").toString());//开始时间
|
||||
Date notAfterTime=new Date(certInfoMap.get("ca notafter").toString());//结束时间
|
||||
String subject=certInfoMap.get("ca subjectname").toString();//颁发给
|
||||
String notBeforeStr=sdf.format(notBeforeTime);
|
||||
String notAfterStr=sdf.format(notAfterTime);
|
||||
String cn="";//CN
|
||||
//CN精确信息获取
|
||||
if(!StringUtil.isEmpty(subject)){
|
||||
for (String cnStr : subject.split(",")) {
|
||||
cnStr=StringUtil.isEmpty(cnStr) ? "":cnStr.trim();
|
||||
if(cnStr.split("=").length > 1){
|
||||
cn=cnStr.split("=")[1];
|
||||
cn=StringUtil.isEmpty(cn) ? "":cn.trim();
|
||||
}
|
||||
}
|
||||
}
|
||||
String altName=certInfoMap.get("ca altname").toString();//SAN
|
||||
|
||||
cfg.setIssuer(issuer);
|
||||
cfg.setSubject(subject);
|
||||
cfg.setCn(cn);
|
||||
cfg.setAltName(altName);
|
||||
cfg.setNotBeforeTime(notBeforeStr);
|
||||
cfg.setNotAfterTime(notAfterStr);
|
||||
}else{
|
||||
logger.info("无证书信息");
|
||||
}
|
||||
}
|
||||
}catch (Exception e) {
|
||||
logger.error("证书信息获取失败",e);
|
||||
addMessage(redirectAttributes,e.getMessage());
|
||||
}
|
||||
}
|
||||
if(validFlag){
|
||||
try{
|
||||
}catch (Exception e) {
|
||||
logger.error("证书信息获取失败",e);
|
||||
addMessage(redirectAttributes,"error","save_failed");
|
||||
}
|
||||
try{
|
||||
if(validFlag){
|
||||
if(publicKeyFileI != null) {
|
||||
String filename = publicKeyFileI.getOriginalFilename();
|
||||
String prefix = FileUtils.getPrefix(filename, false);
|
||||
@@ -183,20 +211,29 @@ public class PxyObjKeyringController extends BaseController {
|
||||
}
|
||||
}
|
||||
pxyObjKeyringService.saveOrUpdate(cfg);
|
||||
}
|
||||
|
||||
addMessage(redirectAttributes,"save_success");
|
||||
}catch(Exception e){
|
||||
logger.error("证书上传失败",e);
|
||||
if(e instanceof MaatConvertException) {
|
||||
addMessage(redirectAttributes,e.getMessage());
|
||||
}else {
|
||||
addMessage(redirectAttributes,e.getMessage());
|
||||
}
|
||||
}
|
||||
}
|
||||
addMessage(redirectAttributes,"success","save_success");
|
||||
}catch(Exception e){
|
||||
logger.error("证书上传失败",e);
|
||||
if(e instanceof MaatConvertException) {
|
||||
addMessage(redirectAttributes,"error",e.getMessage());
|
||||
}else {
|
||||
addMessage(redirectAttributes,"error",e.getMessage());
|
||||
}
|
||||
}
|
||||
|
||||
return "redirect:" + adminPath +"/proxy/intercept/strateagy/list?functionId="+cfg.getFunctionId();
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @param file
|
||||
* @param validateType --incert证书校验 --inkey 私钥
|
||||
* @param certType 证书类型
|
||||
* @return
|
||||
* @throws Exception
|
||||
*/
|
||||
public boolean validCertFileContent(MultipartFile file,String validateType)throws Exception{
|
||||
String os = System.getProperty("os.name").toLowerCase();
|
||||
if(!os.contains("windows")){
|
||||
@@ -217,18 +254,29 @@ public class PxyObjKeyringController extends BaseController {
|
||||
+File.separator
|
||||
+Constants.CERT_VALIDATE_FILE).getPath();
|
||||
//x509脚本分配可执行权限
|
||||
Map<String, Object> resultMap1=avCfgService.execShell("","chmod","+x",x509Shell);
|
||||
logger.info("x509脚本分配可执行权限:"+"chmod"+" "+"x"+" "+x509Shell);
|
||||
Map<String, Object> resultMap1=this.execShell("","chmod","+x",x509Shell);
|
||||
logger.info("x509 chmod +x :"+resultMap1.get("out").toString());
|
||||
logger.info("x509脚本分配可执行权限:"+"chmod"+" "+"+x"+" "+x509Shell);
|
||||
//验证文件
|
||||
logger.info(x509Shell+" "+validateType+" "+filePath);
|
||||
Map<String, Object> resultMap=avCfgService.execShell(x509Shell,validateType,filePath);
|
||||
Map<String, Object> resultMap=this.execShell(x509Shell,validateType,filePath);
|
||||
|
||||
if(resultMap == null || StringUtil.isEmpty(resultMap.get("out"))){
|
||||
//临时文件删除
|
||||
logger.info("delete file"+filePath);
|
||||
FileUtils.deleteFile(filePath);
|
||||
return false;
|
||||
}else{
|
||||
/*logger.info("x509 Out Info:"+resultMap.get("out").toString());
|
||||
Pattern p = Pattern.compile("\\s*|\t|\r|\n");
|
||||
Matcher m = p.matcher(resultMap.get("out").toString());
|
||||
logger.info(m.replaceAll("test"));*/
|
||||
}
|
||||
if(resultMap != null
|
||||
&& !StringUtil.isEmpty(resultMap.get("out"))
|
||||
&& (!(resultMap.get("out").toString().indexOf(Constants.CERT_VALIDATE_SUCCESS_INFO) > -1))
|
||||
){
|
||||
|
||||
logger.error("x509 Out Info:"+resultMap.get("out").toString());
|
||||
|
||||
//临时文件删除
|
||||
logger.info("delete file"+filePath);
|
||||
FileUtils.deleteFile(filePath);
|
||||
@@ -344,4 +392,88 @@ public class PxyObjKeyringController extends BaseController {
|
||||
}
|
||||
//return "redirect:" + adminPath +"/ntc/iplist/list?functionId="+entity.getFunctionId();
|
||||
}
|
||||
|
||||
/**
|
||||
* 调用shell脚本 返回运行结果
|
||||
*
|
||||
* @param shellName
|
||||
* @param params
|
||||
* @return
|
||||
*/
|
||||
public Map<String, Object> execShell(String shellName,
|
||||
String... params) {
|
||||
Map<String, Object> result = new HashMap<String, Object>();
|
||||
StringBuilder sb = new StringBuilder();
|
||||
sb.append(shellName);
|
||||
for (String temp : params) {
|
||||
sb.append(" " + temp);
|
||||
}
|
||||
String os = System.getProperty("os.name").toLowerCase();
|
||||
String cmd1 = "";
|
||||
String cmd2 = "";
|
||||
if(os.contains("windows")){
|
||||
cmd1 = "cmd.exe";
|
||||
cmd2 = "/c";
|
||||
}else{
|
||||
cmd1 = "/bin/sh";
|
||||
cmd2 = "-c";
|
||||
}
|
||||
logger.info("调用脚本信息,cmd1:"+cmd1+",cmd2:"+cmd2);
|
||||
String cmdarray[] = new String[] {cmd1, cmd2 ,sb.toString() };
|
||||
BufferedReader br = null;
|
||||
BufferedReader bre = null;
|
||||
try {
|
||||
Process exec = Runtime.getRuntime().exec(cmdarray);
|
||||
exec.getInputStream();
|
||||
br = new BufferedReader(
|
||||
new InputStreamReader(exec.getInputStream()));
|
||||
bre = new BufferedReader(new InputStreamReader(
|
||||
exec.getErrorStream()));
|
||||
String s = null;
|
||||
StringBuilder out = new StringBuilder();
|
||||
String key="";
|
||||
String value="";
|
||||
if(sb.toString().indexOf("incert") > -1) certInfoMap=new HashMap<>();
|
||||
while ((s = br.readLine()) != null) {
|
||||
logger.info(s);
|
||||
//证书信息收集
|
||||
if(sb.toString().indexOf("incert") > -1){
|
||||
if(s.indexOf(":") > -1){
|
||||
key=s.substring(0, s.indexOf(":", 0));
|
||||
key=StringUtil.isEmpty(key) ?"": key.toLowerCase().trim();
|
||||
value=s.substring(s.indexOf(":", 0)+1, s.length());
|
||||
value=StringUtil.isEmpty(value) ?"": value.trim();
|
||||
certInfoMap.put(key, value);
|
||||
}
|
||||
}
|
||||
out.append(s);
|
||||
}
|
||||
result.put("out", out.toString());//输出参数
|
||||
out.setLength(0);//清空
|
||||
while ((s = bre.readLine()) != null) {
|
||||
out.append(s);
|
||||
}
|
||||
result.put("error", out.toString());//错误信息
|
||||
int waitFor = exec.waitFor();
|
||||
logger.info("调用脚本:"+sb.toString()+",执行返回状态值:"+waitFor);
|
||||
result.put("exitStatus", waitFor);//执行状态
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
logger.error("调用 " + shellName + " 脚本异常", e);
|
||||
} finally {
|
||||
if (br != null)
|
||||
try {
|
||||
br.close();
|
||||
} catch (IOException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
if (bre != null)
|
||||
try {
|
||||
bre.close();
|
||||
} catch (IOException e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
}
|
||||
return result;
|
||||
}
|
||||
}
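Review bot: In the last hunk, `execShell` concatenates `shellName` and every element of `params` into one string and runs it through `/bin/sh -c` (the `cmdarray` passed to `Runtime.getRuntime().exec`), so a shell metacharacter in any argument is interpreted by the shell instead of reaching the script; the callers in the `validCertFileContent` hunk pass `validateType` and `filePath`, and since the path looks to be derived from the upload (`getOriginalFilename()` earlier in the section), those should be treated as untrusted. Build an argv list and start it with `ProcessBuilder`, keeping `sb` only for the log lines, so each element reaches the child verbatim. The method also drains stdout to EOF before it reads stderr, so a script that writes enough to stderr fills the pipe and blocks before `waitFor()`; reading both streams concurrently or `redirectErrorStream(true)` (if the separate `error` key is not needed) avoids that. Separately, `certInfoMap` and `sdf` are instance fields on a singleton `@Controller`, so two concurrent uploads can interleave their entries in the map and share a `SimpleDateFormat` that is not thread-safe; returning the parsed map from `execShell` (or keeping it in a local) and using a `static final DateTimeFormatter` removes both hazards. The `e.printStackTrace()` calls in the catch and finally blocks duplicate the logger calls and can be dropped.
```java
// … unchanged: signature, result map, sb (now used only for logging), os / cmd1 / cmd2 detection …
List<String> argv = new ArrayList<>();
if (!StringUtil.isEmpty(shellName)) {
    argv.add(cmd1);
    if (os.contains("windows")) {
        argv.add(cmd2);            // cmd.exe needs /c; sh takes the script path as its own argument
    }
    argv.add(shellName);
}
for (String temp : params) {
    argv.add(temp);                // passed to the child as-is; no shell re-parses the joined string
}
Process exec = new ProcessBuilder(argv).start();
// … unchanged: stdout/stderr reading, certificate key/value collection, waitFor, result keys …
```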
|
||||
|
||||