X-Git-Url: http://git.argeo.org/?a=blobdiff_plain;f=org.argeo.security.core%2Fsrc%2Forg%2Fargeo%2Fsecurity%2Fcrypto%2FPkiUtils.java;fp=org.argeo.security.core%2Fsrc%2Forg%2Fargeo%2Fsecurity%2Fcrypto%2FPkiUtils.java;h=ed6640f36993ef06ddff5049d1c886ba782906d7;hb=50911fdcc6df5cd35e71a0a4ecddf03f98f742a2;hp=0000000000000000000000000000000000000000;hpb=c8b79d2eccc1a44f363e0d0d61bc6fdc0e8f4bd6;p=lgpl%2Fargeo-commons.git diff --git a/org.argeo.security.core/src/org/argeo/security/crypto/PkiUtils.java b/org.argeo.security.core/src/org/argeo/security/crypto/PkiUtils.java new file mode 100644 index 000000000..ed6640f36 --- /dev/null +++ b/org.argeo.security.core/src/org/argeo/security/crypto/PkiUtils.java @@ -0,0 +1,97 @@ +package org.argeo.security.crypto; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.SecureRandom; +import java.security.Security; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; +import java.util.Date; + +import javax.security.auth.x500.X500Principal; + +import org.argeo.ArgeoException; +import org.bouncycastle.cert.X509v3CertificateBuilder; +import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; +import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; + +/** + * Utilities around private keys and certificate, mostly wrapping BouncyCastle + * implementations. + */ +public class PkiUtils { + private final static String SECURITY_PROVIDER; + static { + Security.addProvider(new BouncyCastleProvider()); + SECURITY_PROVIDER = "BC"; + } + + public static X509Certificate generateSelfSignedCertificate( + KeyStore keyStore, X500Principal x500Principal, char[] keyPassword) { + try { + KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", + SECURITY_PROVIDER); + kpGen.initialize(1024, new SecureRandom()); + KeyPair pair = kpGen.generateKeyPair(); + Date notBefore = new Date(System.currentTimeMillis() - 10000); + Date notAfter = new Date( + System.currentTimeMillis() + 24L * 3600 * 1000); + BigInteger serial = BigInteger.valueOf(System.currentTimeMillis()); + X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder( + x500Principal, serial, notBefore, notAfter, x500Principal, + pair.getPublic()); + ContentSigner sigGen = new JcaContentSignerBuilder( + "SHA256WithRSAEncryption").setProvider(SECURITY_PROVIDER) + .build(pair.getPrivate()); + X509Certificate cert = new JcaX509CertificateConverter() + .setProvider(SECURITY_PROVIDER).getCertificate( + certGen.build(sigGen)); + cert.checkValidity(new Date()); + cert.verify(cert.getPublicKey()); + + keyStore.setKeyEntry(x500Principal.getName(), pair.getPrivate(), + keyPassword, new Certificate[] { cert }); + return cert; + } catch (Exception e) { + throw new ArgeoException("Cannot generate self-signed certificate", + e); + } + } + + public static KeyStore getKeyStore(File keyStoreFile, + char[] keyStorePassword) { + try { + KeyStore store = KeyStore.getInstance("PKCS12", SECURITY_PROVIDER); + if (keyStoreFile.exists()) { + try (FileInputStream fis = new FileInputStream(keyStoreFile)) { + store.load(fis, keyStorePassword); + } + } else { + store.load(null); + } + return store; + } catch (Exception e) { + throw new ArgeoException("Cannot load keystore " + keyStoreFile, e); + } + } + + public static void saveKeyStore(File keyStoreFile, char[] keyStorePassword, + KeyStore keyStore) { + try { + try (FileOutputStream fis = new FileOutputStream(keyStoreFile)) { + keyStore.store(fis, keyStorePassword); + } + } catch (Exception e) { + throw new ArgeoException("Cannot save keystore " + keyStoreFile, e); + } + } + +}