Java tutorial
/* * JBoss, Home of Professional Open Source. * Copyright 2012, Red Hat, Inc., and individual contributors * as indicated by the @author tags. See the copyright.txt file in the * distribution for a full listing of individual contributors. * * This is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as * published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * This software is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this software; if not, write to the Free * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA * 02110-1301 USA, or see the FSF site: http://www.fsf.org. */ package org.jboss.capedwarf.appidentity; import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.math.BigInteger; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.SecureRandom; import java.security.Security; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.Date; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.asn1.x509.BasicConstraints; import org.bouncycastle.asn1.x509.Certificate; import org.bouncycastle.asn1.x509.ExtendedKeyUsage; import org.bouncycastle.asn1.x509.KeyPurposeId; import org.bouncycastle.asn1.x509.KeyUsage; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.asn1.x509.X509Extension; import org.bouncycastle.cert.CertIOException; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.X509v3CertificateBuilder; import org.bouncycastle.crypto.params.AsymmetricKeyParameter; import org.bouncycastle.crypto.util.PrivateKeyFactory; import org.bouncycastle.operator.ContentSigner; import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder; import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder; /** * Generates self-signed X509 certificates and private/public key pairs. * * @author <a href="mailto:marko.luksa@gmail.com">Marko Luksa</a> */ public class CertificateGenerator { private static CertificateGenerator instance = new CertificateGenerator(); private static final int KEY_SIZE = 1024; private CertificateGenerator() { Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); } public KeyPair generateKeyPair() { try { KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "BC"); generator.initialize(KEY_SIZE, new SecureRandom()); return generator.generateKeyPair(); } catch (NoSuchAlgorithmException e) { throw new RuntimeException("Cannot generate RSA key pair", e); } catch (NoSuchProviderException e) { throw new RuntimeException("Cannot generate RSA key pair", e); } } public X509Certificate generateCertificate(KeyPair pair, String dn) { try { X509v3CertificateBuilder builder = new X509v3CertificateBuilder(new X500Name("CN=" + dn), BigInteger.valueOf(new SecureRandom().nextLong()), new Date(System.currentTimeMillis() - 10000), new Date(System.currentTimeMillis() + 24L * 3600 * 1000), new X500Name("CN=" + dn), SubjectPublicKeyInfo.getInstance(pair.getPublic().getEncoded())); builder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(false)); builder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature)); builder.addExtension(X509Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth)); X509CertificateHolder holder = builder.build(createContentSigner(pair)); Certificate certificate = holder.toASN1Structure(); return convertToJavaCertificate(certificate); } catch (CertificateEncodingException e) { throw new RuntimeException("Cannot generate X509 certificate", e); } catch (OperatorCreationException e) { throw new RuntimeException("Cannot generate X509 certificate", e); } catch (CertIOException e) { throw new RuntimeException("Cannot generate X509 certificate", e); } catch (IOException e) { throw new RuntimeException("Cannot generate X509 certificate", e); } catch (CertificateException e) { throw new RuntimeException("Cannot generate X509 certificate", e); } } private X509Certificate convertToJavaCertificate(Certificate certificate) throws CertificateException, IOException { InputStream is = new ByteArrayInputStream(certificate.getEncoded()); try { return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is); } finally { is.close(); } } private ContentSigner createContentSigner(KeyPair pair) throws IOException, OperatorCreationException { AlgorithmIdentifier signatureAlgorithmId = new DefaultSignatureAlgorithmIdentifierFinder() .find("SHA256withRSA"); AlgorithmIdentifier digestAlgorithmId = new DefaultDigestAlgorithmIdentifierFinder() .find(signatureAlgorithmId); AsymmetricKeyParameter privateKey = PrivateKeyFactory.createKey(pair.getPrivate().getEncoded()); return new BcRSAContentSignerBuilder(signatureAlgorithmId, digestAlgorithmId).build(privateKey); } public static CertificateGenerator getInstance() { return instance; } }