1 package org
.argeo
.security
.crypto
;
4 import java
.io
.FileInputStream
;
5 import java
.io
.FileOutputStream
;
6 import java
.math
.BigInteger
;
7 import java
.security
.KeyPair
;
8 import java
.security
.KeyPairGenerator
;
9 import java
.security
.KeyStore
;
10 import java
.security
.SecureRandom
;
11 import java
.security
.cert
.Certificate
;
12 import java
.security
.cert
.X509Certificate
;
13 import java
.util
.Date
;
15 import javax
.security
.auth
.x500
.X500Principal
;
17 import org
.argeo
.ArgeoException
;
18 import org
.bouncycastle
.cert
.X509v3CertificateBuilder
;
19 import org
.bouncycastle
.cert
.jcajce
.JcaX509CertificateConverter
;
20 import org
.bouncycastle
.cert
.jcajce
.JcaX509v3CertificateBuilder
;
21 import org
.bouncycastle
.operator
.ContentSigner
;
22 import org
.bouncycastle
.operator
.jcajce
.JcaContentSignerBuilder
;
25 * Utilities around private keys and certificates, mostly wrapping BouncyCastle
28 public class PkiUtils
{
/**
 * Name of the JCA/JCE provider used for key generation, signing and the
 * PKCS#12 key store ("BC" = BouncyCastle).
 * <p>
 * NOTE(review): the provider is not registered here (the
 * {@code Security.addProvider(new BouncyCastleProvider())} call is commented
 * out), so it must be registered by the runtime or a caller — confirm.
 */
private static final String SECURITY_PROVIDER = "BC";
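/** Default RSA modulus size in bits. 1024-bit RSA is below current minimums. */
private static final int DEFAULT_RSA_KEY_SIZE = 2048;

/**
 * Generates a 2048-bit RSA key pair and a self-signed X.509 certificate for
 * it, then stores the private key and certificate in {@code keyStore} under
 * the principal's name.
 * <p>
 * Equivalent to
 * {@link #generateSelfSignedCertificate(KeyStore, X500Principal, char[], int)}
 * with {@code keySize = 2048}.
 *
 * @param keyStore      key store receiving the private key entry; must already
 *                      be loaded
 * @param x500Principal used as issuer, as subject and as the key store alias
 * @param keyPassword   password protecting the private key entry
 * @return the generated, self-verified certificate
 * @throws ArgeoException if key generation, certificate building,
 *                        verification or storage fails
 */
public static X509Certificate generateSelfSignedCertificate(KeyStore keyStore,
		X500Principal x500Principal, char[] keyPassword) {
	return generateSelfSignedCertificate(keyStore, x500Principal, keyPassword,
			DEFAULT_RSA_KEY_SIZE);
}

/**
 * Generates an RSA key pair of the given size and a self-signed X.509
 * certificate for it (SHA-256 with RSA, valid for 24 hours), then stores the
 * private key and certificate in {@code keyStore} under the principal's name.
 *
 * @param keyStore      key store receiving the private key entry; must already
 *                      be loaded
 * @param x500Principal used as issuer, as subject and as the key store alias
 * @param keyPassword   password protecting the private key entry
 * @param keySize       RSA modulus size in bits, at least 2048
 * @return the generated, self-verified certificate
 * @throws IllegalArgumentException if {@code keySize} is below 2048 bits
 * @throws ArgeoException           if key generation, certificate building,
 *                                  verification or storage fails
 */
public static X509Certificate generateSelfSignedCertificate(KeyStore keyStore,
		X500Principal x500Principal, char[] keyPassword, int keySize) {
	// refuse weak keys up front rather than wrapping the error below
	if (keySize < DEFAULT_RSA_KEY_SIZE) {
		throw new IllegalArgumentException("RSA key size must be at least "
				+ DEFAULT_RSA_KEY_SIZE + " bits, got " + keySize);
	}
	try {
		KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA",
				SECURITY_PROVIDER);
		kpGen.initialize(keySize, new SecureRandom());
		KeyPair pair = kpGen.generateKeyPair();

		// back-dated by 10 s so the certificate is already valid on peers
		// with slight clock skew; lifetime is deliberately short (24 h)
		Date notBefore = new Date(System.currentTimeMillis() - 10000);
		Date notAfter = new Date(System.currentTimeMillis() + 24L * 3600 * 1000);
		// millisecond timestamp as serial number: adequate for a single
		// self-signed certificate, but two certificates issued in the same
		// millisecond for the same issuer would share a serial
		BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());

		// issuer == subject: self-signed
		X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(
				x500Principal, serial, notBefore, notAfter, x500Principal,
				pair.getPublic());
		ContentSigner sigGen = new JcaContentSignerBuilder(
				"SHA256WithRSAEncryption").setProvider(SECURITY_PROVIDER)
				.build(pair.getPrivate());
		X509Certificate cert = new JcaX509CertificateConverter()
				.setProvider(SECURITY_PROVIDER)
				.getCertificate(certGen.build(sigGen));

		// sanity checks before anything is persisted: currently valid and
		// the signature verifies against the certificate's own public key
		cert.checkValidity(new Date());
		cert.verify(cert.getPublicKey());

		keyStore.setKeyEntry(x500Principal.getName(), pair.getPrivate(),
				keyPassword, new Certificate[] { cert });
		return cert;
	} catch (Exception e) {
		throw new ArgeoException("Cannot generate self-signed certificate", e);
	}
}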
/**
 * Opens the PKCS#12 key store stored in {@code keyStoreFile}, or returns an
 * empty, initialised key store when that file does not exist yet.
 *
 * @param keyStoreFile     location of the PKCS#12 file
 * @param keyStorePassword password used to verify the store's integrity and
 *                         decrypt its entries
 * @return a loaded key store from the configured security provider
 * @throws ArgeoException if the store cannot be instantiated or read
 */
public static KeyStore getKeyStore(File keyStoreFile, char[] keyStorePassword) {
	try {
		KeyStore store = KeyStore.getInstance("PKCS12", SECURITY_PROVIDER);
		if (!keyStoreFile.exists()) {
			// NOTE(review): the original else-branch is not visible in this
			// extraction; loading from a null stream is the standard way to
			// initialise an empty store — confirm against the full source.
			store.load(null, keyStorePassword);
			return store;
		}
		try (FileInputStream in = new FileInputStream(keyStoreFile)) {
			store.load(in, keyStorePassword);
		}
		return store;
	} catch (Exception e) {
		throw new ArgeoException("Cannot load keystore " + keyStoreFile, e);
	}
}
84 public static void saveKeyStore(File keyStoreFile
, char[] keyStorePassword
,
87 try (FileOutputStream fis
= new FileOutputStream(keyStoreFile
)) {
88 keyStore
.store(fis
, keyStorePassword
);
90 } catch (Exception e
) {
91 throw new ArgeoException("Cannot save keystore " + keyStoreFile
, e
);