morihofi / acmeserver
Java-based ACME server for SSL/TLS certificate management with ACME V2 protocol support (RFC 8555)

License: MIT License

Topics: acme, certificate, certificate-authority, java, rfc8555, security

acmeserver's Introduction

Hey there 👋

Hey there! 👋 I'm morihofi, an 18-year-old developer with a passion for coding and creating amazing things. Here are a few facts about me:

  • 🌍 I'm based in Germany
  • 😄 My pronouns are he/him
  • 👨🏻‍💻 I primarily work with Java, PHP, C#, Visual Basic (6 and .NET), and JavaScript
  • ⚡ Fun fact: I've been programming for about 8 years. See my projects (beginning in 2017)
  • 🎮 Besides programming, I'm an avid gamer
  • 🎬 I also have a keen interest in video editing and cutting. It's a creative outlet for me, and I enjoy creating visually appealing content
  • 🏳️‍🌈 I'm proud to be a member of the LGBTQ+ community
  • 🐾 Additionally, I'm a furry (you may have noticed)

acmeserver's People

Contributors

morihofi, snyk-bot


acmeserver's Issues

Refactor: Refactoring Log4j Logging Statements

Currently, string concatenation is in use for logging, like log.info("E-Mail validation successful for email \"" + email + "\"");. A better way to do this is log.info("E-Mail validation successful for email {}", email);. This is an issue across the codebase, and SpotBugs also doesn't like it.

Nonces are not struck off the list, generated nonces are not checked against

Looks like a random nonce can be sent in a request, since the server only inserts a nonce into the db when the nonce was used.

References:

public static String createNonce() {
    try {
        SecureRandom prng = SecureRandom.getInstance("SHA1PRNG");
        String randomNum = String.valueOf(prng.nextInt());
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        byte[] result = sha.digest(randomNum.getBytes(StandardCharsets.UTF_8));
        return Hashing.hexEncode(result);
    } catch (Exception e) {
        throw new IllegalArgumentException("Unable to create nonce", e);
    }
}

public static boolean isNonceUsed(String nonce) {
    if (Main.debug) {
        // Nonce protection is disabled when DEBUG environment variable is set to TRUE
        return false;
    }
    try (Session session = Objects.requireNonNull(HibernateUtil.getSessionFactory()).openSession()) {
        org.hibernate.Transaction transaction = session.beginTransaction();
        // Check if the nonce exists in the database
        String hql = "SELECT 1 FROM HttpNonces hn WHERE hn.nonce = :nonce";
        Query query = session.createQuery(hql, HttpNonces.class);
        query.setParameter("nonce", nonce);
        List<HttpNonces> results = TypeSafetyHelper.safeCastToClassOfType(query.getResultList(), HttpNonces.class);
        boolean nonceExists = !results.isEmpty();
        if (!nonceExists) {
            // If the nonce does not exist, add it to the database
            HttpNonces newNonce = new HttpNonces(nonce, LocalDateTime.now());
            session.persist(newNonce);
        }
        transaction.commit();
        // Return true if nonce exists, false if it was added
        return nonceExists;
    } catch (Exception e) {
        LOG.error("Error checking or adding nonce", e);
        return false;
    }
}

The precise method used to generate and track nonces is up to the
server. For example, the server could generate a random 128-bit
value for each response, keep a list of issued nonces, and strike
nonces from this list as they are used.
-- RFC 8555 6.5. Replay Protection

Package nonce implements a service for generating and redeeming nonces.
To generate a nonce, it encrypts a monotonically increasing counter (latest)
using an authenticated cipher. To redeem a nonce, it checks that the nonce
decrypts to a valid integer between the earliest and latest counter values,
and that it's not on the cross-off list. To avoid a constantly growing cross-off
list, the nonce service periodically retires the oldest counter values by
finding the lowest counter value in the cross-off list, deleting it, and setting
"earliest" to its value. To make this efficient, the cross-off list is represented
two ways: Once as a map, for quick lookup of a given value, and once as a heap,
to quickly find the lowest value.
The MaxUsed value determines how long a generated nonce can be used before it
is forgotten. To calculate that period, divide the MaxUsed value by average
redemption rate (valid POSTs per second).
-- letsencrypt/boulder nonce/nonce.go
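The fix the issue and the RFC 8555 quote point at is an issue-then-strike-off store: a nonce is only redeemable if the server itself handed it out, and it is removed the moment it is used. The class below is an added illustration of that pattern, not code from acmeserver; the class name, the in-memory map and the five-minute expiry are assumptions, and a real deployment would back this with the database table the issue mentions.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical issue-then-strike-off nonce store following RFC 8555 section 6.5. */
public final class IssuedNonceStore {
    private final SecureRandom rng = new SecureRandom();
    // nonce -> time it was issued; only nonces present here can be redeemed
    private final Map<String, Instant> issued = new ConcurrentHashMap<>();
    private final Duration maxAge;

    public IssuedNonceStore(Duration maxAge) { this.maxAge = maxAge; }

    /** Generate a fresh random 128-bit nonce, record it as issued, and return it base64url-encoded. */
    public String issue() {
        byte[] raw = new byte[16];
        rng.nextBytes(raw);
        String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        issued.put(nonce, Instant.now());
        return nonce;
    }

    /** Accept a nonce only if this server issued it, it is still fresh, and it has not been used yet. */
    public boolean redeem(String nonce) {
        if (nonce == null) return false;
        // remove() is atomic, so two concurrent requests replaying the same nonce cannot both succeed
        Instant issuedAt = issued.remove(nonce);
        return issuedAt != null && issuedAt.plus(maxAge).isAfter(Instant.now());
    }

    /** Drop issued-but-never-used nonces older than maxAge so the list cannot grow without bound. */
    public int expire() {
        Instant cutoff = Instant.now().minus(maxAge);
        int before = issued.size();
        issued.entrySet().removeIf(e -> e.getValue().isBefore(cutoff));
        return before - issued.size();
    }

    public static void main(String[] args) {
        IssuedNonceStore store = new IssuedNonceStore(Duration.ofMinutes(5));
        String n = store.issue();
        System.out.println("first use accepted: " + store.redeem(n));
        System.out.println("replay accepted:    " + store.redeem(n));
        // a value the server never issued (constructed here) must be rejected, unlike in the code above
        System.out.println("unissued accepted:  " + store.redeem("AAAAAAAAAAAAAAAAAAAAAA"));
    }
}
```

A rejected nonce should produce the badNonce error with a fresh Replay-Nonce header, as the RFC describes, so a legitimate client can retry.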

Allow easy import of CA certificates on first run

Currently, the process for importing CA (Certificate Authority) certificates into the system during the initial setup is manual and can be cumbersome for users who are not familiar with the necessary steps. This can pose a significant barrier to entry, especially in environments where custom or self-signed CA certificates are prevalent. To enhance user experience and streamline the initial setup process, I propose the implementation of a feature that simplifies the import of CA certificates on the first run of the application.
