preparations for server mode

.gitignore

@@ -24,4 +24,5 @@ hs_err_pid*
 replay_pid*
 /.idea
 
-*.iml
+*.iml
+/jzlint-server/target/

jzlint-ca/src/main/java/de/mtg/jzlint/ca/CreateCertificate008.java

@@ -1,11 +1,33 @@
 package de.mtg.jzlint.ca;
 
+import java.io.IOException;
+import java.math.BigInteger;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Security;
+import java.security.cert.X509Certificate;
+import java.security.spec.AlgorithmParameterSpec;
+import java.time.ZoneId;
+import java.time.ZonedDateTime;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.List;
+import java.util.Random;
+
 import org.bouncycastle.asn1.ASN1Encoding;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
-import org.bouncycastle.asn1.DERPrintableString;
-import org.bouncycastle.asn1.DERSet;
 import org.bouncycastle.asn1.x500.X500Name;
-import org.bouncycastle.asn1.x509.*;
+import org.bouncycastle.asn1.x509.AccessDescription;
+import org.bouncycastle.asn1.x509.AuthorityInformationAccess;
+import org.bouncycastle.asn1.x509.CertificatePolicies;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.PolicyInformation;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.X509v3CertificateBuilder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
@@ -14,17 +36,6 @@
 import org.bouncycastle.operator.ContentSigner;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 
-import java.io.IOException;
-import java.math.BigInteger;
-import java.nio.file.Files;
-import java.nio.file.Paths;
-import java.security.*;
-import java.security.cert.X509Certificate;
-import java.security.spec.AlgorithmParameterSpec;
-import java.time.ZoneId;
-import java.time.ZonedDateTime;
-import java.util.*;
-
 
 /**
  * Certificates for lint: e_aia_ca_issuers_must_have_http_only

jzlint-server/pom.xml

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>de.mtg</groupId>
+    <artifactId>jzlint-server</artifactId>
+    <version>1.0.1</version>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>3.3.4</version>
+        <relativePath/>
+    </parent>
+
+    <dependencies>
+
+        <dependency>
+            <groupId>de.mtg</groupId>
+            <artifactId>jzlint</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk18on</artifactId>
+            <version>1.78.1</version>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+    </dependencies>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>

jzlint-server/src/main/java/de/mtg/jzlint/server/CliUtils.java

@@ -0,0 +1,88 @@
+package de.mtg.jzlint.server;
+
+import java.security.cert.X509CRL;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import de.mtg.jzlint.Source;
+
+public class CliUtils {
+
+    public static final String CHECK_APPLIES = "checkApplies";
+    public static final String EXECUTE = "execute";
+
+    private CliUtils() {
+        // empty
+    }
+
+    public static boolean isCertificateIssuerLint(Class<?> lintClass) {
+        try {
+            lintClass.getMethod(CHECK_APPLIES, X509Certificate.class, X509Certificate.class);
+            return true;
+        } catch (NoSuchMethodException e) {
+            return false;
+        }
+    }
+
+    public static boolean isCRLIssuerLint(Class<?> lintClass) {
+        try {
+            lintClass.getMethod(CHECK_APPLIES, X509CRL.class, X509Certificate.class);
+            return true;
+        } catch (NoSuchMethodException e) {
+            return false;
+        }
+    }
+
+    public static boolean isOCSPResponseIssuerLint(Class<?> lintClass) {
+        try {
+            lintClass.getMethod(CHECK_APPLIES, byte[].class, X509Certificate.class);
+            return true;
+        } catch (NoSuchMethodException e) {
+            return false;
+        }
+    }
+
+    public static boolean isCertificateLint(Class<?> lintClass) {
+        try {
+            lintClass.getMethod(CHECK_APPLIES, X509Certificate.class);
+            return true;
+        } catch (NoSuchMethodException e) {
+            return false;
+        }
+    }
+
+    public static boolean isCRLLint(Class<?> lintClass) {
+        try {
+            lintClass.getMethod(CHECK_APPLIES, X509CRL.class);
+            return true;
+        } catch (NoSuchMethodException e) {
+            return false;
+        }
+    }
+
+    public static boolean isOCSPResponseLint(Class<?> lintClass) {
+        try {
+            lintClass.getMethod(CHECK_APPLIES, byte[].class);
+            return true;
+        } catch (NoSuchMethodException e) {
+            return false;
+        }
+    }
+
+    public static boolean includeLint(Source lintSource, List<String> includeSources, List<String> excludeSources) {
+
+        boolean includeIsEmpty = includeSources == null || includeSources.isEmpty();
+        boolean excludeIsEmpty = excludeSources == null || excludeSources.isEmpty();
+
+        if (!includeIsEmpty) {
+            return includeSources.contains(lintSource.getSourceName());
+        }
+
+        if (!excludeIsEmpty) {
+            return !excludeSources.contains(lintSource.getSourceName());
+        }
+
+        return true;
+    }
+
+}

jzlint-server/src/main/java/de/mtg/jzlint/server/JZLintServer.java

@@ -0,0 +1,17 @@
+package de.mtg.jzlint.server;
+
+import java.security.Security;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class JZLintServer {
+
+    public static void main(String[] args) {
+        Security.addProvider(new BouncyCastleProvider());
+        SpringApplication.run(JZLintServer.class, args);
+    }
+
+}

jzlint-server/src/main/java/de/mtg/jzlint/server/LintController.java

@@ -0,0 +1,78 @@
+package de.mtg.jzlint.server;
+
+import java.nio.charset.StandardCharsets;
+import java.security.cert.X509Certificate;
+import java.util.concurrent.ForkJoinPool;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.context.request.async.DeferredResult;
+
+import de.mtg.jzlint.LintJSONResults;
+import de.mtg.jzlint.utils.ParsedDomainNameUtils;
+
+@RestController
+public class LintController {
+
+    @Value("${request.timeout:15000}")
+    private long requestTimeout;
+
+    @PostMapping(value = "/certificate/lint", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
+    public DeferredResult<ResponseEntity<?>> lintCertificate(@RequestBody TBLCertificate tblCertificate) {
+        DeferredResult<ResponseEntity<?>> response = new DeferredResult<>(requestTimeout, new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR));
+
+        ForkJoinPool.commonPool().submit(() -> {
+            try {
+                byte[] rawPKIObject = tblCertificate.getCertificate().getBytes(StandardCharsets.US_ASCII);
+                LintJSONResults lint = ServerUtils.lint(rawPKIObject, null, tblCertificate.getIncludeNames(), tblCertificate.getIncludeSources(), tblCertificate.getExcludeNames(), tblCertificate.getExcludeSources());
+                X509Certificate certificate = ServerUtils.getCertificate(rawPKIObject);
+                ParsedDomainNameUtils.cleanCacheEntry(certificate);
+                response.setResult(new ResponseEntity<>(ServerUtils.convertResultToResponse(lint), HttpStatus.OK));
+            } catch (Exception ex) {
+                response.setResult(new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR));
+            }
+        });
+
+        return response;
+    }
+
+    @PostMapping("/crl/lint")
+    DeferredResult<ResponseEntity<?>> lintCRL(@RequestBody TBLCRL tblCrl) {
+        DeferredResult<ResponseEntity<?>> response = new DeferredResult<>(requestTimeout, new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR));
+
+        ForkJoinPool.commonPool().submit(() -> {
+            try {
+                byte[] rawPKIObject = tblCrl.getCrl().getBytes(StandardCharsets.US_ASCII);
+                LintJSONResults lint = ServerUtils.lint(rawPKIObject, null, tblCrl.getIncludeNames(), tblCrl.getIncludeSources(), tblCrl.getExcludeNames(), tblCrl.getExcludeSources());
+                response.setResult(new ResponseEntity<>(ServerUtils.convertResultToResponse(lint), HttpStatus.OK));
+            } catch (Exception ex) {
+                response.setResult(new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR));
+            }
+        });
+
+        return response;
+    }
+
+    @PostMapping("/ocspresponse/lint")
+    DeferredResult<ResponseEntity<?>> lintOCSP(@RequestBody TBLOCPResponse tblocpResponse) {
+        DeferredResult<ResponseEntity<?>> response = new DeferredResult<>(requestTimeout, new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR));
+
+        ForkJoinPool.commonPool().submit(() -> {
+            try {
+                byte[] rawPKIObject = tblocpResponse.getOcspResponse().getBytes(StandardCharsets.US_ASCII);
+                LintJSONResults lint = ServerUtils.lint(rawPKIObject, null, tblocpResponse.getIncludeNames(), tblocpResponse.getIncludeSources(), tblocpResponse.getExcludeNames(), tblocpResponse.getExcludeSources());
+                response.setResult(new ResponseEntity<>(ServerUtils.convertResultToResponse(lint), HttpStatus.OK));
+            } catch (Exception ex) {
+                response.setResult(new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR));
+            }
+        });
+
+        return response;
+    }
+
+}

jzlint-server/src/main/java/de/mtg/jzlint/server/LintResponse.java

@@ -0,0 +1,34 @@
+package de.mtg.jzlint.server;
+
+import java.util.List;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+
+@JsonInclude(JsonInclude.Include.NON_NULL)
+public class LintResponse {
+
+    private List<String> warnings;
+
+    private List<String> errors;
+
+    public LintResponse() {
+        // empty
+    }
+
+    public List<String> getWarnings() {
+        return warnings;
+    }
+
+    public void setWarnings(List<String> warnings) {
+        this.warnings = warnings;
+    }
+
+    public List<String> getErrors() {
+        return errors;
+    }
+
+    public void setErrors(List<String> errors) {
+        this.errors = errors;
+    }
+
+}