1 package org
.argeo
.security
.crypto
;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.nio.file.AtomicMoveNotSupportedException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;

import javax.security.auth.x500.X500Principal;

import org.argeo.ArgeoException;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 * Utilities around private keys, certificates and PKCS#12 keystores, mostly wrapping BouncyCastle.
30 public class PkiUtils
{
31 private final static String SECURITY_PROVIDER
;
33 Security
.addProvider(new BouncyCastleProvider());
34 SECURITY_PROVIDER
= "BC";
37 public static X509Certificate
generateSelfSignedCertificate(
38 KeyStore keyStore
, X500Principal x500Principal
, char[] keyPassword
) {
40 KeyPairGenerator kpGen
= KeyPairGenerator
.getInstance("RSA",
42 kpGen
.initialize(1024, new SecureRandom());
43 KeyPair pair
= kpGen
.generateKeyPair();
44 Date notBefore
= new Date(System
.currentTimeMillis() - 10000);
45 Date notAfter
= new Date(
46 System
.currentTimeMillis() + 24L * 3600 * 1000);
47 BigInteger serial
= BigInteger
.valueOf(System
.currentTimeMillis());
48 X509v3CertificateBuilder certGen
= new JcaX509v3CertificateBuilder(
49 x500Principal
, serial
, notBefore
, notAfter
, x500Principal
,
51 ContentSigner sigGen
= new JcaContentSignerBuilder(
52 "SHA256WithRSAEncryption").setProvider(SECURITY_PROVIDER
)
53 .build(pair
.getPrivate());
54 X509Certificate cert
= new JcaX509CertificateConverter()
55 .setProvider(SECURITY_PROVIDER
).getCertificate(
56 certGen
.build(sigGen
));
57 cert
.checkValidity(new Date());
58 cert
.verify(cert
.getPublicKey());
60 keyStore
.setKeyEntry(x500Principal
.getName(), pair
.getPrivate(),
61 keyPassword
, new Certificate
[] { cert
});
63 } catch (Exception e
) {
64 throw new ArgeoException("Cannot generate self-signed certificate",
69 public static KeyStore
getKeyStore(File keyStoreFile
,
70 char[] keyStorePassword
) {
72 KeyStore store
= KeyStore
.getInstance("PKCS12", SECURITY_PROVIDER
);
73 if (keyStoreFile
.exists()) {
74 try (FileInputStream fis
= new FileInputStream(keyStoreFile
)) {
75 store
.load(fis
, keyStorePassword
);
81 } catch (Exception e
) {
82 throw new ArgeoException("Cannot load keystore " + keyStoreFile
, e
);
86 public static void saveKeyStore(File keyStoreFile
, char[] keyStorePassword
,
89 try (FileOutputStream fis
= new FileOutputStream(keyStoreFile
)) {
90 keyStore
.store(fis
, keyStorePassword
);
92 } catch (Exception e
) {
93 throw new ArgeoException("Cannot save keystore " + keyStoreFile
, e
);