class BCCertFactory extends SSLCertFactory

Before starting to generate certificates, a root CA needs to be generated by calling generateRootCA(java.lang.String, int, java.lang.String, java.util.Map<java.lang.String, java.lang.String>, java.security.KeyStore, java.security.KeyStore). This will be saved and will be used for signing all the issued certificates, using this BCCertFactory instance.
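The root-CA-then-leaf flow described above, followed by an independent chain check with plain java.security, as an added usage example that is not part of the project's own documentation. It assumes BCCertFactory and SSLCertGenException are on the classpath, that the fieldMap keys are the attribute identifiers OU, O, L, ST and C, and that the password returned by generateRootCA/generateCertificate is the key-entry password saveKeyEntry stored the private key under.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;

public class BCCertFactoryExample {
    public static void main(String[] args) throws Exception {
        // Constructed subject attributes. The key names (OU, O, L, ST, C) are an
        // assumption: the docs only name the attribute types that are mandatory.
        Map<String, String> fields = new HashMap<>();
        fields.put("OU", "Security Engineering");
        fields.put("O", "Example Corp");
        fields.put("L", "Springfield");
        fields.put("ST", "Some State");
        fields.put("C", "US");

        BCCertFactory factory = new BCCertFactory();
        // null, null: MIN_RSA_KEY_STRENGTH bits and exponent 65537, the documented defaults.
        factory.init(null, null);
        // Empty in-memory stores; a deployment would load and persist these itself.
        KeyStore certStore = KeyStore.getInstance("PKCS12");
        certStore.load(null, null);
        KeyStore certKeyStore = KeyStore.getInstance("PKCS12");
        certKeyStore.load(null, null);

        // Step 1: the root CA must exist before generateCertificate() may be called.
        String rootKeyPassword = factory.generateRootCA(
                "root-ca", 10, "Example Root CA", fields, certStore, certKeyStore);
        // Step 2: issue a leaf certificate; it is signed with rootCAPrivateKey.
        String leafKeyPassword = factory.generateCertificate(
                "server", 1, "server.example.test", fields, certStore, certKeyStore);

        // Independent check using only java.security: the leaf signature must verify
        // under the root public key, and the root must carry the CA basic constraint.
        X509Certificate root = (X509Certificate) certStore.getCertificate("root-ca");
        X509Certificate leaf = (X509Certificate) certStore.getCertificate("server");
        leaf.verify(root.getPublicKey());   // throws SignatureException on mismatch
        leaf.checkValidity();               // throws if outside notBefore/notAfter
        if (root.getBasicConstraints() < 0) {
            throw new IllegalStateException("root certificate is not marked as a CA");
        }
        // Assumption: the returned password is the key-entry password saveKeyEntry() used.
        PrivateKey leafKey = (PrivateKey) certKeyStore.getKey("server", leafKeyPassword.toCharArray());
        PrivateKey rootKey = (PrivateKey) certKeyStore.getKey("root-ca", rootKeyPassword.toCharArray());
        if (leafKey == null || rootKey == null) {
            throw new IllegalStateException("private key not readable with the returned password");
        }
    }
}
```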
Field Summary

Modifier and Type | Field | Description
---|---|---
private org.bouncycastle.cert.X509ExtensionUtils | extUtils | Helper to generate X509 extensions.
private org.bouncycastle.cert.X509CertificateHolder | rootCAHolder | The Bouncy Castle-style root CA certificate.
private org.bouncycastle.crypto.params.AsymmetricKeyParameter | rootCAPrivateKey | The private key for the root CA certificate, used to sign all issued certificates.
private java.security.cert.X509Certificate | rootCAX509Cert | The X509-encoded root CA certificate.
private java.security.SecureRandom | srnd | Secure random to generate the keys.
Fields inherited from class SSLCertFactory: exponent, keyStrength, MIN_RSA_KEY_STRENGTH
Constructor Summary

Constructor | Description
---|---
BCCertFactory() | Create a new Bouncy Castle-style SSL certificate factory.
Method Summary

Modifier and Type | Method | Description
---|---|---
private org.bouncycastle.asn1.x500.X500Name | buildSubject(java.util.Map<java.lang.String,java.lang.String> fieldMap, java.lang.String commonName) | Using the passed field map and the Common Name, build the X500-style distinguished name.
static byte[] | cipherBytes(boolean encrypt, byte[] bytes, java.lang.String password) | Encrypt or decrypt the given byte array, using AES and the provided password.
private java.security.cert.X509Certificate | convertCertificate(org.bouncycastle.cert.X509CertificateHolder cert) | Generate an X509-style certificate from the Bouncy Castle-style X509-holder instance.
java.security.PrivateKey | decryptPrivateKey(byte[] encrypted, java.lang.String password) | Decrypt a private key which was previously AES encrypted with the given password.
byte[] | encryptPrivateKey(java.security.Key key, java.lang.String password) | Encrypt the given key using AES and the provided password.
private org.bouncycastle.cert.X509CertificateHolder | generateCertificate(int validity, org.bouncycastle.asn1.x500.X500Name subject, org.bouncycastle.crypto.AsymmetricCipherKeyPair subjectKeyPair, org.bouncycastle.cert.X509CertificateHolder issuer, org.bouncycastle.crypto.params.AsymmetricKeyParameter issuerPrivateKey, boolean certificateAuthority, org.bouncycastle.asn1.x509.KeyPurposeId[] usages) | Generate a certificate and sign it with the private key for the specified issuer.
java.lang.String | generateCertificate(java.lang.String alias, int validity, java.lang.String commonName, java.util.Map<java.lang.String,java.lang.String> fieldMap, java.security.KeyStore certStore, java.security.KeyStore certKeyStore) | Generate a certificate and sign it with the already generated root CA.
private org.bouncycastle.crypto.AsymmetricCipherKeyPair | generateKeyPair() | Generate an asymmetric key pair using the RSA algorithm.
java.lang.String | generateRootCA(java.lang.String alias, int validity, java.lang.String commonName, java.util.Map<java.lang.String,java.lang.String> fieldMap, java.security.KeyStore certStore, java.security.KeyStore certKeyStore) | Generate a self-signed root CA certificate, which will be used to sign all the issued certificates.
java.lang.String | generateSelfSignedCertificate(java.lang.String alias, boolean certificateAuthority, int validity, java.lang.String commonName, java.util.Map<java.lang.String,java.lang.String> fieldMap, java.security.KeyStore certStore, java.security.KeyStore certKeyStore) | Generate a self-signed certificate.
java.util.Map<java.lang.String,java.lang.String> | getMandatorySubjectFields() | Get the map with the mandatory subject attributes.
void | init(java.lang.Integer keyStrength, java.math.BigInteger exponent) | Initialize this SSL certificate factory.
private void | saveKeyEntry(java.security.KeyStore store, org.bouncycastle.crypto.AsymmetricCipherKeyPair keyPair, java.lang.String alias, char[] keyentryPassword, java.security.cert.Certificate[] chain) | Encrypt and save the private key in the specified store.
void | setRootCA(java.security.cert.X509Certificate cert, java.security.PrivateKey pk) | Set the details for the root CA certificate.
Field Detail

private final java.security.SecureRandom srnd
private final org.bouncycastle.cert.X509ExtensionUtils extUtils
private org.bouncycastle.cert.X509CertificateHolder rootCAHolder
private org.bouncycastle.crypto.params.AsymmetricKeyParameter rootCAPrivateKey
private java.security.cert.X509Certificate rootCAX509Cert

Constructor Detail

public BCCertFactory() throws SSLCertGenException
Throws:
- SSLCertGenException - If the factory could not be initialized.

Method Detail

public static byte[] cipherBytes(boolean encrypt, byte[] bytes, java.lang.String password) throws SSLCertGenException
Parameters:
- encrypt - Flag indicating if we need to encrypt or decrypt.
- bytes - The bytes to be processed.
- password - The encrypt/decrypt password.
Throws:
- SSLCertGenException - If there were problems during processing.

public void init(java.lang.Integer keyStrength, java.math.BigInteger exponent) throws SSLCertGenException
The existing root CA will be removed.
Overrides: init in class SSLCertFactory
Parameters:
- keyStrength - The private key size: SSLCertFactory.MIN_RSA_KEY_STRENGTH bits or better. If null, defaults to SSLCertFactory.MIN_RSA_KEY_STRENGTH.
- exponent - The public key exponent. If null, defaults to 65537. WARNING: a wrong value may result in vulnerable SSL private keys and also 3rd party software might not accept them. Use with care.
Throws:
- SSLCertGenException - If the factory could not be instantiated.

public java.security.PrivateKey decryptPrivateKey(byte[] encrypted, java.lang.String password) throws SSLCertGenException
Overrides: decryptPrivateKey in class SSLCertFactory
Parameters:
- encrypted - The bytes representing the encrypted private key.
- password - The encryption password.
Returns: The private key.
Throws:
- SSLCertGenException - If the private key could not be decrypted.

public byte[] encryptPrivateKey(java.security.Key key, java.lang.String password) throws SSLCertGenException
Overrides: encryptPrivateKey in class SSLCertFactory
Parameters:
- key - The key to be encrypted.
- password - The encryption password.
Throws:
- SSLCertGenException - If the key could not be encrypted.

public java.lang.String generateCertificate(java.lang.String alias, int validity, java.lang.String commonName, java.util.Map<java.lang.String,java.lang.String> fieldMap, java.security.KeyStore certStore, java.security.KeyStore certKeyStore) throws SSLCertGenException
The encrypted private key will be saved in the specified certKeyStore; the encrypt password will be returned by this API. The public certificate will be saved in the specified certStore and will be signed using the rootCAPrivateKey.
Overrides: generateCertificate in class SSLCertFactory
Parameters:
- alias - The certificate alias, used to store the private key and certificate.
- validity - The certificate validity, in years.
- commonName - The certificate's common name (CN).
- fieldMap - A map with additional subject attributes.
- certStore - The store where to save the certificate.
- certKeyStore - The store where to save the private key.
Throws:
- SSLCertGenException - If the root CA is not yet generated or the certificate could not be generated.

public java.lang.String generateRootCA(java.lang.String alias, int validity, java.lang.String commonName, java.util.Map<java.lang.String,java.lang.String> fieldMap, java.security.KeyStore certStore, java.security.KeyStore certKeyStore) throws SSLCertGenException
The encrypted private key will be saved in the specified certKeyStore; the encrypt password will be returned by this API. The public root CA certificate will be saved in the specified certStore.
Overrides: generateRootCA in class SSLCertFactory
Parameters:
- alias - The certificate alias, used to store the private key and certificate.
- validity - The certificate validity, in years.
- commonName - The certificate's common name (CN).
- fieldMap - A map with additional subject attributes.
- certStore - The store where to save the certificate.
- certKeyStore - The store where to save the private key.
Throws:
- SSLCertGenException - If the root CA is not yet generated or the certificate could not be generated.

public void setRootCA(java.security.cert.X509Certificate cert, java.security.PrivateKey pk) throws SSLCertGenException
Overrides: setRootCA in class SSLCertFactory
Parameters:
- cert - The certificate.
- pk - The private key.
Throws:
- SSLCertGenException

public java.lang.String generateSelfSignedCertificate(java.lang.String alias, boolean certificateAuthority, int validity, java.lang.String commonName, java.util.Map<java.lang.String,java.lang.String> fieldMap, java.security.KeyStore certStore, java.security.KeyStore certKeyStore) throws SSLCertGenException
The encrypted private key will be saved in the specified certKeyStore; the encrypt password will be returned by this API. The public certificate will be saved in the specified certStore.
Overrides: generateSelfSignedCertificate in class SSLCertFactory
Parameters:
- alias - The certificate alias, used to store the private key and certificate.
- certificateAuthority - Flag indicating if the generated self-signed certificate will be used as the root CA.
- validity - The certificate validity, in years.
- commonName - The certificate's common name (CN).
- fieldMap - A map with additional subject attributes.
- certStore - The store where to save the certificate.
- certKeyStore - The store where to save the private key.
Throws:
- SSLCertGenException - If the root CA is not yet generated or the certificate could not be generated.

public java.util.Map<java.lang.String,java.lang.String> getMandatorySubjectFields()
This includes the "Organization Unit (OU)", "Organization (O)", "Locality (city, etc) (L)", "State or Province Name (ST)" and "Country Code (C)" fields.
Overrides: getMandatorySubjectFields in class SSLCertFactory

private org.bouncycastle.cert.X509CertificateHolder generateCertificate(int validity, org.bouncycastle.asn1.x500.X500Name subject, org.bouncycastle.crypto.AsymmetricCipherKeyPair subjectKeyPair, org.bouncycastle.cert.X509CertificateHolder issuer, org.bouncycastle.crypto.params.AsymmetricKeyParameter issuerPrivateKey, boolean certificateAuthority, org.bouncycastle.asn1.x509.KeyPurposeId[] usages) throws SSLCertGenException
Parameters:
- validity - The certificate validity, in years.
- subject - X500-style subject name.
- subjectKeyPair - The subject's asymmetric private-public key pair.
- issuer - The issuer's Bouncy Castle-style certificate. If null, it will be self-signed.
- issuerPrivateKey - The issuer's private key, to sign the new certificate.
- certificateAuthority - Flag indicating if this certificate should be marked as a CA.
- usages - Extended usages for this certificate.
Throws:
- SSLCertGenException - In case of problems during the certificate generation.

private org.bouncycastle.crypto.AsymmetricCipherKeyPair generateKeyPair()

private void saveKeyEntry(java.security.KeyStore store, org.bouncycastle.crypto.AsymmetricCipherKeyPair keyPair, java.lang.String alias, char[] keyentryPassword, java.security.cert.Certificate[] chain) throws SSLCertGenException
Parameters:
- store - The key store where to save the private key.
- keyPair - The asymmetric key pair, from which the private key will be extracted.
- alias - The alias used to save the private key in the store.
- keyentryPassword - The password to encrypt the private key.
- chain - The certificate chain.
Throws:
- SSLCertGenException

private org.bouncycastle.asn1.x500.X500Name buildSubject(java.util.Map<java.lang.String,java.lang.String> fieldMap, java.lang.String commonName)
Parameters:
- fieldMap - A map with the subject fields.
- commonName - The common name.

private java.security.cert.X509Certificate convertCertificate(org.bouncycastle.cert.X509CertificateHolder cert) throws SSLCertGenException
Parameters:
- cert - The Bouncy Castle-style certificate.
Throws:
- SSLCertGenException - If the certificate could not be converted.