This provides some simple certificate management functionality. * Specifically, it allows you to create self-signed X.509 certificates * as well as PKCS 10 based certificate signing requests. * *
Keys for some public key signature algorithms have algorithm * parameters, such as DSS/DSA. Some sites' Certificate Authorities * adopt fixed algorithm parameters, which speeds up some operations * including key generation and signing. At this time, this interface * does not provide a way to provide such algorithm parameters, e.g. * by providing the CA certificate which includes those parameters. * *
Also, note that at this time only signature-capable keys may be * acquired through this interface. Diffie-Hellman keys, used for secure * key exchange, may be supported later. * * @author David Brownell * @author Hemma Prafullchandra * @see PKCS10 * @see X509CertImpl */ public final class CertAndKeyGen { /** * Creates a CertAndKeyGen object for a particular key type * and signature algorithm. * * @param keyType type of key, e.g. "RSA", "DSA" * @param sigAlg name of the signature algorithm, e.g. "MD5WithRSA", * "MD2WithRSA", "SHAwithDSA". * @exception NoSuchAlgorithmException on unrecognized algorithms. */ public CertAndKeyGen (String keyType, String sigAlg) throws NoSuchAlgorithmException { keyGen = KeyPairGenerator.getInstance(keyType); this.sigAlg = sigAlg; } /** * Creates a CertAndKeyGen object for a particular key type, * signature algorithm, and provider. * * @param keyType type of key, e.g. "RSA", "DSA" * @param sigAlg name of the signature algorithm, e.g. "MD5WithRSA", * "MD2WithRSA", "SHAwithDSA". * @param providerName name of the provider * @exception NoSuchAlgorithmException on unrecognized algorithms. * @exception NoSuchProviderException on unrecognized providers. */ public CertAndKeyGen (String keyType, String sigAlg, String providerName) throws NoSuchAlgorithmException, NoSuchProviderException { if (providerName == null) { keyGen = KeyPairGenerator.getInstance(keyType); } else { try { keyGen = KeyPairGenerator.getInstance(keyType, providerName); } catch (Exception e) { // try first available provider instead keyGen = KeyPairGenerator.getInstance(keyType); } } this.sigAlg = sigAlg; } /** * Sets the source of random numbers used when generating keys. * If you do not provide one, a system default facility is used. * You may wish to provide your own source of random numbers * to get a reproducible sequence of keys and signatures, or * because you may be able to take advantage of strong sources * of randomness/entropy in your environment. */ public void setRandom (SecureRandom generator) { prng = generator; } // want "public void generate (X509Certificate)" ... inherit DSA/D-H param /** * Generates a random public/private key pair, with a given key * size. Different algorithms provide different degrees of security * for the same key size, because of the "work factor" involved in * brute force attacks. As computers become faster, it becomes * easier to perform such attacks. Small keys are to be avoided. * *
Note that not all values of "keyBits" are valid for all
* algorithms, and not all public key algorithms are currently
* supported for use in X.509 certificates. If the algorithm
* you specified does not produce X.509 compatible keys, an
* invalid key exception is thrown.
*
* @param keyBits the number of bits in the keys.
* @exception InvalidKeyException if the environment does not
* provide X.509 public keys for this signature algorithm.
*/
public void generate (int keyBits)
throws InvalidKeyException
{
KeyPair pair;
try {
if (prng == null) {
prng = new SecureRandom();
}
keyGen.initialize(keyBits, prng);
pair = keyGen.generateKeyPair();
} catch (Exception e) {
throw new IllegalArgumentException(e.getMessage());
}
publicKey = pair.getPublic();
privateKey = pair.getPrivate();
// publicKey's format must be X.509 otherwise
// the whole CertGen part of this class is broken.
if (!"X.509".equalsIgnoreCase(publicKey.getFormat())) {
throw new IllegalArgumentException("publicKey's is not X.509, but "
+ publicKey.getFormat());
}
}
/**
* Returns the public key of the generated key pair if it is of type
* X509Key, or null if the public key is of a different type.
*
* XXX Note: This behaviour is needed for backwards compatibility.
* What this method really should return is the public key of the
* generated key pair, regardless of whether or not it is an instance of
* X509Key. Accordingly, the return type of this method
* should be PublicKey.
*/
public X509Key getPublicKey()
{
if (!(publicKey instanceof X509Key)) {
return null;
}
return (X509Key)publicKey;
}
/**
* Always returns the public key of the generated key pair. Used
* by KeyTool only.
*
* The publicKey is not necessarily to be an instance of
* X509Key in some JCA/JCE providers, for example SunPKCS11.
*/
public PublicKey getPublicKeyAnyway() {
return publicKey;
}
/**
* Returns the private key of the generated key pair.
*
*
Be extremely careful when handling private keys. * When private keys are not kept secret, they lose their ability * to securely authenticate specific entities ... that is a huge * security risk! */ public PrivateKey getPrivateKey () { return privateKey; } /** * Returns a self-signed X.509v3 certificate for the public key. * The certificate is immediately valid. No extensions. * *
Such certificates normally are used to identify a "Certificate
* Authority" (CA). Accordingly, they will not always be accepted by
* other parties. However, such certificates are also useful when
* you are bootstrapping your security infrastructure, or deploying
* system prototypes.
*
* @param myname X.500 name of the subject (who is also the issuer)
* @param firstDate the issue time of the certificate
* @param validity how long the certificate should be valid, in seconds
* @exception CertificateException on certificate handling errors.
* @exception InvalidKeyException on key handling errors.
* @exception SignatureException on signature handling errors.
* @exception NoSuchAlgorithmException on unrecognized algorithms.
* @exception NoSuchProviderException on unrecognized providers.
*/
public X509Certificate getSelfCertificate (
X500Name myname, Date firstDate, long validity)
throws CertificateException, InvalidKeyException, SignatureException,
NoSuchAlgorithmException, NoSuchProviderException
{
return getSelfCertificate(myname, firstDate, validity, null);
}
// Like above, plus a CertificateExtensions argument, which can be null.
public X509Certificate getSelfCertificate (X500Name myname, Date firstDate,
long validity, CertificateExtensions ext)
throws CertificateException, InvalidKeyException, SignatureException,
NoSuchAlgorithmException, NoSuchProviderException
{
X509CertImpl cert;
Date lastDate;
try {
lastDate = new Date ();
lastDate.setTime (firstDate.getTime () + validity * 1000);
CertificateValidity interval =
new CertificateValidity(firstDate,lastDate);
X509CertInfo info = new X509CertInfo();
// Add all mandatory attributes
info.set(X509CertInfo.VERSION,
new CertificateVersion(CertificateVersion.V3));
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
new java.util.Random().nextInt() & 0x7fffffff));
AlgorithmId algID = AlgorithmId.getAlgorithmId(sigAlg);
info.set(X509CertInfo.ALGORITHM_ID,
new CertificateAlgorithmId(algID));
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(myname));
info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.ISSUER, new CertificateIssuerName(myname));
if (ext != null) info.set(X509CertInfo.EXTENSIONS, ext);
cert = new X509CertImpl(info);
cert.sign(privateKey, this.sigAlg);
return (X509Certificate)cert;
} catch (IOException e) {
throw new CertificateEncodingException("getSelfCert: " +
e.getMessage());
}
}
// Keep the old method
public X509Certificate getSelfCertificate (X500Name myname, long validity)
throws CertificateException, InvalidKeyException, SignatureException,
NoSuchAlgorithmException, NoSuchProviderException
{
return getSelfCertificate(myname, new Date(), validity);
}
/**
* Returns a PKCS #10 certificate request. The caller uses either
* PKCS10.print or PKCS10.toByteArray
* operations on the result, to get the request in an appropriate
* transmission format.
*
*
PKCS #10 certificate requests are sent, along with some proof * of identity, to Certificate Authorities (CAs) which then issue * X.509 public key certificates. * * @param myname X.500 name of the subject * @exception InvalidKeyException on key handling errors. * @exception SignatureException on signature handling errors. */ public PKCS10 getCertRequest (X500Name myname) throws InvalidKeyException, SignatureException { PKCS10 req = new PKCS10 (publicKey); try { Signature signature = Signature.getInstance(sigAlg); signature.initSign (privateKey); req.encodeAndSign(myname, signature); } catch (CertificateException e) { throw new SignatureException (sigAlg + " CertificateException"); } catch (IOException e) { throw new SignatureException (sigAlg + " IOException"); } catch (NoSuchAlgorithmException e) { // "can't happen" throw new SignatureException (sigAlg + " unavailable?"); } return req; } private SecureRandom prng; private String sigAlg; private KeyPairGenerator keyGen; private PublicKey publicKey; private PrivateKey privateKey; }