public class SSLCertGenUtil
extends java.lang.Object
The private keys will be saved under the "/security/certificates/private-keys/" node.
The company information (used to build the certificate's subject) will be saved under the "/security/certificates/company/" node. If the node does not already exist, it will ask the user for the information.
Modifier and Type | Class | Description
---|---|---
static class | SSLCertGenUtil.BigIntegerOptionHandler | Implements a BigInteger option handler that parses a BigInteger from a decimal string.
(package private) static class | SSLCertGenUtil.BooleanOption | The enumeration type for boolean options.
static class | SSLCertGenUtil.EnumMapper<E extends java.lang.Enum<E>> | Maps string key and value pairs into pairs whose keys are given by the provided enumeration type.
(package private) static class | SSLCertGenUtil.ExternalCertificates | Defines the option names used to load external CA certificates.
(package private) static class | SSLCertGenUtil.InputParameters | SSLCertGenUtil input parameters.
static class | SSLCertGenUtil.LoadCertificatesMapper | Maps string key and value pairs into pairs with ExternalCertificates keys when these parameters are parsed.
static class | SSLCertGenUtil.RequestInfoMapper | Maps string key and value pairs into pairs with RequestInfo keys when request info parameters are parsed.
Modifier and Type | Field | Description
---|---|---
private java.security.KeyStore | accCertStore | Store where the certificates associated with non-server accounts are added.
private java.security.KeyStore | accKeyStore | Store where the private keys for the certificates associated with non-server accounts are added.
private java.util.Set<java.lang.String> | aliases | All the aliases collected from the defined accounts.
private static java.lang.String | CERT_VALIDITY_YEARS_NODE | Constant identifying the name of the company node containing the certificate validity.
private BootstrapConfig | cfg | Configuration used to initialize the directory.
private java.util.Map<java.lang.String,java.lang.String> | company | Map of the company attributes.
private int | currentInputIdx | Current index in inputs, if set.
private java.util.Map<java.lang.String,java.lang.String> | directoryPasswords | The passwords used to encrypt the directory private keys.
private DirectoryService | ds | Instance used to access the directory.
private boolean | externalRootCA | Flag indicating whether an externally generated root CA is used.
private SSLCertFactory | factory | Factory used to generate the SSL certificates.
private SSLCertGenUtil.InputParameters | inputParameters | Input parameters.
private java.lang.String[] | inputs | Array from which the input is read.
private java.util.Map<java.lang.String,java.lang.String> | keyEntryPasswords | The random passwords used to encrypt the private keys in their KeyStore, per alias.
private java.lang.String | masterPassword | The master password used to encrypt all private keys in the directory.
private java.io.BufferedReader | reader | Reads data from standard input.
private boolean | reusePasswords | Flag indicating whether passwords are reused from the directory.
private boolean | reuseRootCA | Flag indicating whether the existing root CA is reused.
private static java.lang.String | ROOT_CA_NODE | Constant identifying the CAs node in the directory.
private static java.lang.String | ROOT_CA_PRIVATE_KEYS_STORE | The default root CA private keys JKS store.
private static java.lang.String | ROOT_CERT_COMMON_NAME | Constant identifying the common name node in the directory.
private static java.lang.String | ROOT_CERTIFICATES_NODE | Constant identifying the security/certificates node in the directory.
private static java.lang.String | ROOT_COMPANY_NODE | Constant identifying the company information node in the directory.
private static java.lang.String | ROOT_PEER_NODE | Constant identifying the peer certificates node in the directory.
private static java.lang.String | ROOT_PRIVATE_KEYS_NODE | Constant identifying the private keys container node in the directory.
private static java.lang.String | ROOT_PROCESSES_NODE | Constant identifying the process accounts node in the directory.
private static java.lang.String | ROOT_USERS_NODE | Constant identifying the user accounts node in the directory.
private java.lang.String | rootCAAlias | Alias for the root CA.
private java.lang.String | rootCAPassword | Password for the root CA (if reused).
private static java.lang.Integer | RSA_KEY_LENGTH_DEFAULT_VALUE | The default value for the RSA key length.
private static java.lang.String | RSA_PRIVATE_KEY_STRENGTH | Constant identifying the name of the company node containing the RSA private key strength.
private static java.lang.String | RSA_PUBLIC_EXPONENT | Constant identifying the name of the company node containing the RSA public exponent.
private static java.math.BigInteger | RSA_PUBLIC_EXPONENT_DEFAULT_VALUE | The default value for the RSA public exponent.
private static java.lang.String | SERVER_CERTS_STORE | The default server certificates JKS store.
private java.util.Set<java.lang.String> | serverAliases | All the aliases associated with server processes.
private java.lang.String | serverId | P2J server identifier.
private java.security.KeyStore | trustCertStore | Store where the trusted certificates (servers and CAs) are added.
private java.security.KeyStore | trustKeyStore | Store where the private keys for the trusted certificates are added.
private int | validity | The certificate validity, in years.
private java.lang.String | webAlias | Current web alias.
private WebCertificates | webCerts | Manages web certificates in the directory.
private java.lang.String | webPrivateKeyPassword | Web private key password in the directory.
private static java.lang.String[] | YES_NO | Valid entries for yes/no options.
Constructor | Description
---|---
SSLCertGenUtil(BootstrapConfig config) | Create a new utility.
Modifier and Type | Method | Description
---|---|---
(package private) static java.lang.String | createAES256BitKey() | Create a random 256-bit password to be used as an AES encryption key.
private java.lang.String | createAES256BitKey(java.lang.String alias) | Create a random 256-bit password to be used as an AES encryption key for the given alias, or return the reused one.
(package private) static java.security.KeyStore | createEmptyStore() | Create an empty store, to hold either private keys or certificates.
void | generate() | Main method to (re)generate the root CA, peer certificates and private keys.
private void | generateCertificate(java.lang.String alias) | Generate peer certificates for the given alias.
private void | generateCertificates() | Generate peer certificates for all aliases.
private void | generateRootCA() | Generate the root CA if there is no CA certificate in the directory or the reuse root CA option is not set; otherwise read the existing root CA from the directory.
private SSLCertFactory.CertificateSuite | getCertificateSuite(java.lang.String serverAlias) | Gets the certificate suite for the given server alias from the directory.
private java.security.cert.Certificate[] | getFullChain(java.security.cert.Certificate leaf) | Returns the full chain for the given generated certificate signed by the root CA certificate.
static void | main(java.lang.String[] args) | Command line driver.
private void | readAccounts(java.lang.String rootNode) | Read all the accounts which have an alias specified.
private void | readCompanyConfiguration() | Read the existing company configuration from the directory or, if missing, read it from standard input.
private java.lang.String | readLine(java.lang.String txt) | Read a line of text using the created reader.
private java.lang.String | readOption(java.lang.String msg, java.lang.String[] valid) | Ask the user to enter one of the specified valid options, using the given message.
private java.lang.String | readPassword(java.lang.String alias) | Get the reused password or generate a new one, for the given alias.
private void | saveCertificate(java.lang.String alias, java.security.KeyStore certStore, java.lang.String parentNode) | Save the certificate for the specified alias in the directory, under the specified parent node.
private void | saveCertificatePair(java.lang.String alias) | Save the certificate and the private key for the given alias in the directory.
private void | saveCertificatePairInExternalStore(java.lang.String alias) | Save the certificate and private key under the given alias in a generated external key store whose file name follows the template "%s-private-key.store".
private void | saveCertificates() | Save all the peer certificates and their private keys in the directory.
private void | savePrivateKey(java.lang.String alias, java.security.KeyStore privateKeyStore) | Save the private key for the specified alias in the directory.
private void | savePrivateKeys(boolean server) | Save the private keys in external key store(s).
private void | saveRootCA() | Save the root CA certificate and its private key in the directory.
private void | saveRootCAPrivateKey() | Save the root CA private key in an external key store.
private void | saveServerCertificates() | Save the server certificates in an external store.
private void | saveToWebStore(SSLCertFactory.CertificateSuite suite, java.lang.String alias) | Adds the target certificate suite to a new key store and saves it to the file named by the template [alias]-web-key.store.
private void | updateWebCertificates(java.lang.String serverId) | Updates the web certificates and saves them into the external key store.
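The generate() sequence listed above (generateRootCA, generateCertificate, getFullChain, createEmptyStore, createAES256BitKey and saveCertificatePairInExternalStore) condensed into one self-contained program. This is an added illustration, not the project's SSLCertGenUtil or SSLCertFactory source. It assumes BouncyCastle's bcpkix on the classpath for the X.509 signing (the page does not say what SSLCertFactory uses), a 2048-bit RSA key with public exponent 65537 (the page names RSA_KEY_LENGTH_DEFAULT_VALUE and RSA_PUBLIC_EXPONENT_DEFAULT_VALUE but does not give their values), PKCS12 rather than the page's JKS stores, and a constructed subject DN and alias.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.RSAKeyGenParameterSpec;
import java.util.Base64;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Added illustration of the generate() flow; not the project's SSLCertGenUtil code. */
public class CertGenExample
{
   // Assumed defaults: the page names the constants but does not state their values.
   private static final int RSA_KEY_LENGTH = 2048;
   private static final BigInteger RSA_PUBLIC_EXPONENT = RSAKeyGenParameterSpec.F4; // 65537
   private static final String ROOT_CA_DN = "CN=Example Root CA,O=Example";     // constructed subject
   private static final SecureRandom RNG = new SecureRandom();

   /** Random 256-bit password (what createAES256BitKey yields), base64 so it stores as a string. */
   static String createAES256BitKey()
   {
      byte[] key = new byte[32];
      RNG.nextBytes(key);
      return Base64.getEncoder().encodeToString(key);
   }

   /** Empty store for keys or certificates (PKCS12 assumed; the page's stores are JKS). */
   static KeyStore createEmptyStore() throws Exception
   {
      KeyStore ks = KeyStore.getInstance("PKCS12");
      ks.load(null, null);
      return ks;
   }

   static KeyPair generateRsaKeyPair() throws Exception
   {
      KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
      kpg.initialize(new RSAKeyGenParameterSpec(RSA_KEY_LENGTH, RSA_PUBLIC_EXPONENT), RNG);
      return kpg.generateKeyPair();
   }

   /** Sign an X.509 v3 certificate issued by the root CA; a null issuerKey means self-signed (the root itself). */
   static X509Certificate sign(String subjectDn, KeyPair subject, PrivateKey issuerKey, int validityYears, boolean isCa) throws Exception
   {
      Date notBefore = new Date();
      Date notAfter = new Date(notBefore.getTime() + 365L * validityYears * 24 * 60 * 60 * 1000);
      BigInteger serial = new BigInteger(63, RNG).add(BigInteger.ONE); // positive and unpredictable
      JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(new X500Name(ROOT_CA_DN), serial,
         notBefore, notAfter, new X500Name(subjectDn), subject.getPublic());
      // Critical CA flag and key usage: a leaf must never be usable as an issuer
      b.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
      b.addExtension(Extension.keyUsage, true, new KeyUsage(isCa
         ? KeyUsage.keyCertSign | KeyUsage.cRLSign
         : KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
      ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
         .build(issuerKey == null ? subject.getPrivate() : issuerKey);
      return new JcaX509CertificateConverter().getCertificate(b.build(signer));
   }

   public static void main(String[] args) throws Exception
   {
      KeyPair caKeys = generateRsaKeyPair();
      X509Certificate rootCa = sign(ROOT_CA_DN, caKeys, null, 10, true);   // 10 years, as the company node would say
      String alias = "server1";                                            // constructed alias
      KeyPair peerKeys = generateRsaKeyPair();
      X509Certificate leaf = sign("CN=" + alias + ",O=Example", peerKeys, caKeys.getPrivate(), 10, false);
      // One random password per alias (keyEntryPasswords); the utility also records it in the directory
      char[] keyPassword = createAES256BitKey().toCharArray();
      KeyStore privateKeys = createEmptyStore();
      // Leaf first, then the root CA: the shape getFullChain returns
      privateKeys.setKeyEntry(alias, peerKeys.getPrivate(), keyPassword, new Certificate[] { leaf, rootCa });
      String fileName = String.format("%s-private-key.store", alias);
      try (FileOutputStream out = new FileOutputStream(fileName)) { privateKeys.store(out, keyPassword); }
      // Check: reload the file and verify the stored chain against the root CA
      KeyStore reloaded = KeyStore.getInstance("PKCS12");
      try (FileInputStream in = new FileInputStream(fileName)) { reloaded.load(in, keyPassword); }
      Certificate[] chain = reloaded.getCertificateChain(alias);
      X509Certificate storedLeaf = (X509Certificate) chain[0];
      storedLeaf.checkValidity();
      storedLeaf.verify(rootCa.getPublicKey()); // SignatureException if not issued by this CA
      rootCa.verify(rootCa.getPublicKey());     // self-signed root
      System.out.println("wrote " + fileName + ", chain length " + chain.length);
   }
}
```

Compile and run with the bcprov and bcpkix jars on the classpath. The reload-and-verify step at the end is the check worth keeping in any real tooling: a store whose chain does not verify against the root CA is useless to peers that trust only that CA, and the failure is cheaper to catch here than at the first TLS handshake. Two caveats follow from the page itself: the per-alias password is also written to the directory (see savePrivateKey), so the private keys are only as well protected as the directory and its master password; and JKS, which the page's SERVER_CERTS_STORE and ROOT_CA_PRIVATE_KEYS_STORE use, is a legacy format, PKCS12 having been the JDK's default key store type since Java 9.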
private static final java.lang.String ROOT_CA_NODE
private static final java.lang.String ROOT_PEER_NODE
private static final java.lang.String ROOT_CERTIFICATES_NODE
private static final java.lang.String ROOT_PROCESSES_NODE
private static final java.lang.String ROOT_USERS_NODE
private static final java.lang.String ROOT_COMPANY_NODE
private static final java.lang.String ROOT_CERT_COMMON_NAME
private static final java.lang.String ROOT_PRIVATE_KEYS_NODE
private static final java.lang.String CERT_VALIDITY_YEARS_NODE
private static final java.lang.String RSA_PRIVATE_KEY_STRENGTH
private static final java.lang.String RSA_PUBLIC_EXPONENT
private static final java.lang.Integer RSA_KEY_LENGTH_DEFAULT_VALUE
private static final java.math.BigInteger RSA_PUBLIC_EXPONENT_DEFAULT_VALUE
private static final java.lang.String SERVER_CERTS_STORE
private static final java.lang.String ROOT_CA_PRIVATE_KEYS_STORE
private static final java.lang.String[] YES_NO
private final java.io.BufferedReader reader
private final BootstrapConfig cfg
private final java.util.Map<java.lang.String,java.lang.String> company
private final java.util.Set<java.lang.String> aliases
private final java.util.Set<java.lang.String> serverAliases
private final SSLCertFactory factory
private final java.security.KeyStore trustCertStore
private final java.security.KeyStore trustKeyStore
private final java.security.KeyStore accCertStore
private final java.security.KeyStore accKeyStore
private final java.util.Map<java.lang.String,java.lang.String> keyEntryPasswords
The random passwords used to encrypt the private keys in their KeyStore, per alias.
private int validity
private java.lang.String rootCAAlias
private java.lang.String rootCAPassword
private DirectoryService ds
private java.lang.String masterPassword
private boolean reusePasswords
private boolean reuseRootCA
private boolean externalRootCA
private java.util.Map<java.lang.String,java.lang.String> directoryPasswords
private java.lang.String[] inputs
private int currentInputIdx
Current index in inputs, if set.
private java.lang.String webAlias
private java.lang.String webPrivateKeyPassword
private WebCertificates webCerts
private java.lang.String serverId
private SSLCertGenUtil.InputParameters inputParameters
public SSLCertGenUtil(BootstrapConfig config) throws SSLCertGenException
Parameters:
config - Configuration for accessing the directory.
Throws:
SSLCertGenException - If the utility could not be instantiated.

public void generate() throws ConfigurationException, java.io.IOException, SSLCertGenException
Throws:
ConfigurationException - In case the directory service could not be initialized.
java.io.IOException - If standard input can not be accessed.
SSLCertGenException - In case of problems during the generation of the root CA or peer certificates.

private void saveToWebStore(SSLCertFactory.CertificateSuite suite, java.lang.String alias) throws SSLCertGenException
Parameters:
suite - The certificate suite.
alias - The web certificate alias.
Throws:
SSLCertGenException - If the target certificate suite could not be saved.

private void updateWebCertificates(java.lang.String serverId) throws SSLCertGenException
Parameters:
serverId - The server identifier.
Throws:
SSLCertGenException - If the update fails.

private SSLCertFactory.CertificateSuite getCertificateSuite(java.lang.String serverAlias) throws SSLCertGenException
Parameters:
serverAlias - The given server alias.
Throws:
SSLCertGenException - If the certificate suite for the provided alias can't be obtained.

private java.security.cert.Certificate[] getFullChain(java.security.cert.Certificate leaf)
Parameters:
leaf - The given generated certificate.

private void saveCertificatePairInExternalStore(java.lang.String alias) throws SSLCertGenException
Parameters:
alias - The certificate alias.
Throws:
SSLCertGenException - If the certificates weren't saved in the external file because of an underlying exception thrown by the I/O API or the cryptography API.

private void saveRootCAPrivateKey() throws java.io.IOException, SSLCertGenException
Throws:
java.io.IOException - If standard input can not be accessed.
SSLCertGenException - In case of problems during key store access.

private void saveServerCertificates() throws java.io.IOException, SSLCertGenException
Throws:
java.io.IOException - If standard input can not be accessed.
SSLCertGenException - In case of problems during key store access.

private java.lang.String readPassword(java.lang.String alias)
Parameters:
alias - The certificate alias.

private void savePrivateKeys(boolean server) throws java.io.IOException, SSLCertGenException
Parameters:
server - true to save the server private keys; false to save the account private keys.
Throws:
java.io.IOException - If standard input can not be accessed.
SSLCertGenException - In case of problems during key store access.

private void saveRootCA() throws SSLCertGenException
Throws:
SSLCertGenException - If the data could not be saved.

private void saveCertificates() throws SSLCertGenException
Throws:
SSLCertGenException - If the data could not be saved.

private void saveCertificatePair(java.lang.String alias) throws SSLCertGenException
Parameters:
alias - The given alias.
Throws:
SSLCertGenException - If the data could not be saved.

private void saveCertificate(java.lang.String alias, java.security.KeyStore certStore, java.lang.String parentNode) throws SSLCertGenException
Parameters:
alias - The alias.
certStore - The store from which to retrieve the certificate.
parentNode - The parent node under which to save the certificate.
Throws:
SSLCertGenException - If the data could not be saved.

private void savePrivateKey(java.lang.String alias, java.security.KeyStore privateKeyStore) throws SSLCertGenException
The private key is encrypted using a random password, which is also saved in the directory.
Parameters:
alias - The alias.
privateKeyStore - The store from which to read the private key.
Throws:
SSLCertGenException - If the private key could not be saved.

private void generateCertificates() throws SSLCertGenException
Generate peer certificates for all aliases.
Throws:
SSLCertGenException - If the SSL certificates could not be generated.

private void generateCertificate(java.lang.String alias) throws SSLCertGenException
Parameters:
alias - The given alias.
Throws:
SSLCertGenException - If the SSL certificates could not be generated.

private void generateRootCA() throws SSLCertGenException, java.io.IOException
Throws:
SSLCertGenException - If the root CA could not be generated.
java.io.IOException - If the alias for the root CA could not be read from standard input.

private void readAccounts(java.lang.String rootNode)
Parameters:
rootNode - The node from which to read the accounts.

private void readCompanyConfiguration() throws java.io.IOException, SSLCertGenException
Throws:
java.io.IOException - In case of problems during reading.
SSLCertGenException - If the SSLCertFactory factory could not be initialized.

private java.lang.String readLine(java.lang.String txt) throws java.io.IOException
Read a line of text using the created reader.
Parameters:
txt - Description to be written to standard output.
Throws:
java.io.IOException - If data could not be read.

private java.lang.String readOption(java.lang.String msg, java.lang.String[] valid) throws java.io.IOException
Parameters:
msg - The message shown to the user.
valid - An array of valid options.
Throws:
java.io.IOException

static java.security.KeyStore createEmptyStore() throws SSLCertGenException
Returns:
The empty KeyStore instance.
Throws:
SSLCertGenException - If the store could not be generated.

static java.lang.String createAES256BitKey()

private java.lang.String createAES256BitKey(java.lang.String alias)
If reusePasswords is on, and there is a password in the directory, that will be returned.
Parameters:
alias - The alias to check.

public static void main(java.lang.String[] args) throws ConfigurationException, java.io.IOException, SSLCertGenException
Parameters:
args - Application command line parameters. The file name is the only one expected.
Throws:
ConfigurationException - In case the directory service could not be initialized.
java.io.IOException - If standard input can not be accessed.
SSLCertGenException - In case of problems during the generation of the root CA or peer certificates.