The question is how to generate certificate chains programmatically in Java. In other words, I would like to perform in java the operations detailed here: http://fusesource.com/docs/broker/5.3/security/i382664.html
Besically, I can create the RSA keys for a new client:
private KeyPair genRSAKeyPair(){
// Get RSA key factory:
KeyPairGenerator kpg = null;
try {
kpg = KeyPairGenerator.getInstance("RSA");
} catch (NoSuchAlgorithmException e) {
log.error(e.getMessage());
e.printStackTrace();
return null;
}
// Generate RSA public/private key pair:
kpg.initialize(RSA_KEY_LEN);
KeyPair kp = kpg.genKeyPair();
return kp;
}
and I generate the corresponding certificate:
private X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
throws GeneralSecurityException, IOException {
PrivateKey privkey = pair.getPrivate();
X509CertInfo info = new X509CertInfo();
Date from = new Date();
Date to = new Date(from.getTime() + days * 86400000l);
CertificateValidity interval = new CertificateValidity(from, to);
BigInteger sn = new BigInteger(64, new SecureRandom());
X500Name owner = new X500Name(dn);
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
// Sign the cert to identify the algorithm that's used.
X509CertImpl cert = new X509CertImpl(info);
cert.sign(privkey, algorithm);
// Update the algorith, and resign.
algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG);
info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
cert = new X509CertImpl(info);
cert.sign(privkey, algorithm);
return cert;
}
Then I generate the cert signing request and I save it to csrFile file:
public static void writeCertReq(File csrFile, String alias, String keyPass, KeyStore ks)
throws KeyStoreException,
NoSuchAlgorithmException,
InvalidKeyException,
IOException,
CertificateException,
SignatureException,
UnrecoverableKeyException {
Object objs[] = getPrivateKey(ks, alias, keyPass.toCharArray());
PrivateKey privKey = (PrivateKey) objs[0];
PKCS10 request = null;
Certificate cert = ks.getCertificate(alias);
request = new PKCS10(cert.getPublicKey());
String sigAlgName = "MD5WithRSA";
Signature signature = Signature.getInstance(sigAlgName);
signature.initSign(privKey);
X500Name subject = new X500Name(((X509Certificate) cert).getSubjectDN().toString());
X500Signer signer = new X500Signer(signature, subject);
request.encodeAndSign(signer);
request.print(System.out);
FileOutputStream fos = new FileOutputStream(csrFile);
PrintStream ps = new PrintStream(fos);
request.print(ps);
fos.close();
}
where
private static Object[] getPrivateKey(KeyStore ks, String alias, char keyPass[])
throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException {
key = null;
key = ks.getKey(alias, keyPass);
return (new Object[]{ (PrivateKey) key, keyPass });
}
Now I should sign the CSR with the CA private key, but I cannot see how to achive that in java. I have "my own" CA private key in my jks.
Besides, once I manage to sign the CSR I should chain the CA cert with the signed CSR: how that can be done in java?
I would prefer not to use bc or other external libs, just "sun.security" classes.
Thank you.
I believe the code example in the post http://www.pixelstech.net/article/1406726666-Generate-certificate-in-Java----2 will show you how to generate certificate chain with pure Java. It doesn't require you to use Bouncy Castle.
Sorry, but despite your desires, and besides writing all of your crypto code and including it with your project (not recommended), I'd recommend using Bouncy Castle here.
Specifically, please refer to https://stackoverflow.com/a/7366757/751158 - which includes code for exactly what you're looking to do.
I see you've already gone over to the BouncyCastle side of the house but just in case anyone else was wondering; you can add the cert chain to the entry when putting the key into the KeyStore. For example
// build your certs
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load([keystore stream], password.toCharArray());// or null, null if it's a brand new store
X509Certificate[] chain = new X509Certificate[2];
chain[0] = _clientCert;
chain[1] = _caCert;
keyStore.setKeyEntry("Alias", _clientCertKey, password.toCharArray(), chain);
keyStore.store([output stream], password.toCharArray());
// do other stuff
Related
I'm trying to store a private key in the android keystore but i keep getting an error, what am i doing wrong here ? I'm self signing the certificate because i need one to store the key but i don't need it.
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA");
keyPairGen.initialize(1280);
KeyPair pair = keyPairGen.generateKeyPair();
PrivateKey privKey = pair.getPrivate();
PublicKey publicKey = pair.getPublic();
Certificate certificate = selfSign(pair, "myCer");
KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
ks.load(null);
ks.setKeyEntry("MyPrivateKey", privKey, null, new Certificate[] { certificate });
Self signed certificate method :
public final static Certificate selfSign(KeyPair keyPair, String subjectDN) throws OperatorCreationException, CertificateException, IOException, CertIOException, CertificateException {
Provider bcProvider = new BouncyCastleProvider();
Security.addProvider(bcProvider);
long now = System.currentTimeMillis();
Date startDate = new Date(now);
X500Name dnName = new X500Name("CN=" + subjectDN);
BigInteger certSerialNumber = new BigInteger(Long.toString(now)); // <-- Using the current timestamp as the certificate serial number
Calendar calendar = Calendar.getInstance();
calendar.setTime(startDate);
calendar.add(Calendar.YEAR, 2); // <-- 1 Yr validity
Date endDate = calendar.getTime();
String signatureAlgorithm = "SHA256WithRSA"; // <-- Use appropriate signature algorithm based on your keyPair algorithm.
ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate());
JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(dnName, certSerialNumber, startDate, endDate, dnName, keyPair.getPublic());
// Extensions --------------------------
// Basic Constraints
BasicConstraints basicConstraints = new BasicConstraints(true); // <-- true for CA, false for EndEntity
certBuilder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, basicConstraints); // Basic Constraints is usually marked as critical.
// -------------------------------------
return new JcaX509CertificateConverter().setProvider(bcProvider).getCertificate(certBuilder.build(contentSigner));
}
I've been trying on this for a couple of days and I'm hopelessly stuck.
To fully understand how java key store works, i've been trying to create my own keystore, put some stuff inside it, then retrieve them from another program.
Here's my keystore generator :
{
//generate a X509 certificate
Security.addProvider(new BouncyCastleProvider());
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509", "BC");
X509Certificate certificate = (X509Certificate) certificateFactory.generateCertificate(new FileInputStream("certificate.cer"));
LOGGER.debug("BouncyCastle provider & X509 certificate added.");
//generate a private & a public key
KeyPair keyPair = generateRSAKeyPair();
RSAPrivateKey priv = (RSAPrivateKey) keyPair.getPrivate();
RSAPublicKey pub = (RSAPublicKey) keyPair.getPublic();
//generate a keystore
KeyStore ks = KeyStore.getInstance("PKCS12");
char[] keyStorePassword = "keystore_password".toCharArray();
ks.load(null, keyStorePassword);
try (FileOutputStream fos = new FileOutputStream("TestKeyStore.jks")) {
ks.store(fos, keyStorePassword);
}
ks.load(new FileInputStream("TestKeyStore.jks"), keyStorePassword);
//Symmetric key
SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey();
KeyStore.SecretKeyEntry secretKeyEntry = new KeyStore.SecretKeyEntry((secretKey));
KeyStore.ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(keyStorePassword);
ks.setEntry("symmetric_key", secretKeyEntry, protectionParameter);
//Asymmetric key
X509Certificate[] x509Certificates = new X509Certificate[1];
x509Certificates[0] = certificate;
ks.setKeyEntry("asymmetric key", priv, keyStorePassword, x509Certificates);
//certificate
ks.setCertificateEntry("test_certif", certificate);
Key key = ks.getKey("symmetric_key", keyStorePassword);
System.out.println("I have this symmetric key : " + key);
X509Certificate certificate1 = (X509Certificate) ks.getCertificate("test_certif");
System.out.println("I have this certificate : " + certificate1);
System.out.println(ks.aliases().nextElement());
LOGGER.debug("all went well");
}
As you probably noticed, it's not all polished: my goal for now is only to put some stuff inside the keystore. But the point here, from the last System.out.println(ks.aliases().nextElement());, is just to see there is indeed something inside the keystore. And this is working just fine, it gives back symmetric_key.
Now, from the same folder is another class that is supposed to read from that keystore.
Note: there is no issue regarding the file (I've tested by moving its localization) so it can't be that.
KeyStore ks = KeyStore.getInstance("PKCS12");
char[] keyStorePassword = "keystore_password".toCharArray();
ks.load(new FileInputStream("TestKeyStore.jks"), keyStorePassword);
System.out.println(ks.containsAlias("symmetric_key"));
This always gets me: false
If I try this: System.out.println(ks.aliases());, it's always null
If I try this:
if (!keystore.aliases().hasMoreElements()) {
System.out.println("nothing inside the keystore");
}
it gives me back nothing inside the keystore.
Even though it's not the case in the generator.
Any clue?
Thank you
The problem is that you are setting the entries after writing the keystore.
If you move:
try (FileOutputStream fos = new FileOutputStream("TestKeyStore.jks")) {
ks.store(fos, keyStorePassword);
}
Till after this line:
ks.setCertificateEntry("test_certif", certificate);
Everything should work fine.
Bellow you have an working example with some code removed for clarity:
public static void main(String[] args) throws Exception{
final KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(2048);
final KeyPair keyPair = keyGen.genKeyPair();
RSAPrivateKey priv = (RSAPrivateKey) keyPair.getPrivate();
//generate a keystore
KeyStore ks = KeyStore.getInstance("PKCS12");
char[] keyStorePassword = PASSWORD;
ks.load(null, keyStorePassword);
X509Certificate[] chain = {generateCertificate("cn=Unknown", keyPair, 365, "SHA256withRSA")};
// saving one keypair in keystore object
ks.setKeyEntry("asymmetric key", keyPair.getPrivate(), keyStorePassword, chain);
//Symmetric key
SecretKey secretKey = KeyGenerator.getInstance("AES").generateKey();
KeyStore.SecretKeyEntry secretKeyEntry = new KeyStore.SecretKeyEntry((secretKey));
KeyStore.ProtectionParameter protectionParameter = new KeyStore.PasswordProtection(keyStorePassword);
// saving symmetric key in keystore object
ks.setEntry("symmetric_key", secretKeyEntry, protectionParameter);
// Saving our keystore object into the filesystem
try (FileOutputStream fos = new FileOutputStream("TestKeyStore.p12")) {
ks.store(fos, keyStorePassword);
}
// The rest of the code
}
The reason why it works in the method that saves the keystore is because the changed keystore is still in memory, but not on the filesystem. Also, since you are creating a PKCS12 keystore, I would avoid the .jks extension and go for something like .pkcs12.
I am trying to read secret key (passphrase) from JCEKS keystore using Java code , code is working for JKS keystore but not for JCEKS keystore. i am using ibm_sdk71 as runtime (due to project requirements).
public static String getPasswordFromKeystore(String entry, String keystoreLocation, String keyStorePassword,String keyPP1) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, InvalidKeySpecException, java.security.UnrecoverableEntryException{
char[] password = "new".toCharArray() ;
FileInputStream fIn = new FileInputStream(keystoreLocation);
KeyStore.PasswordProtection keyStorePP = new KeyStore.PasswordProtection(keyStorePassword.toCharArray());
KeyStore.PasswordProtection keyPP = new KeyStore.PasswordProtection(keyPP1.toCharArray());
KeyStore ks= KeyStore.getInstance("JCEKS");
ks.load(fIn, keyStorePassword.toCharArray());
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBE");
KeyStore.SecretKeyEntry ske;
ske = (KeyStore.SecretKeyEntry)ks.getEntry(entry, keyPP);
PBEKeySpec keySpec;
keySpec = (PBEKeySpec)factory.getKeySpec(ske.getSecretKey(),PBEKeySpec.class);
password = keySpec.getPassword();
return new String(password);
}
Appreciate any guidance.
Regards
I have a Root CA certificate that has to sign a certificate that I am creating.
public static X509Certificate generateCertificate(final PublicKey publicKey,
final PrivateKey privateKey,
final String signingAlgorithm, GeneralNames names)
throws IOException, CertificateException, OperatorCreationException, NoSuchAlgorithmException
{
final X500NameBuilder subject = new X500NameBuilder(RFC4519Style.INSTANCE);
subject.addRDN(BCStyle.C, COUNTRY_NAME);
subject.addRDN(BCStyle.ST, STATE_NAME);
subject.addRDN(BCStyle.L, LOCALITY_NAME);
subject.addRDN(BCStyle.O, ORGANIZATION_NAME);
subject.addRDN(BCStyle.OU, ORGANIZATION_UNIT_NAME);
subject.addRDN(BCStyle.E, EMAIL_ADDRESS);
final X500NameBuilder issuer = new X500NameBuilder(RFC4519Style.INSTANCE);
issuer.addRDN(BCStyle.C, COUNTRY_NAME);
issuer.addRDN(BCStyle.ST, STATE_NAME);
issuer.addRDN(BCStyle.L, LOCALITY_NAME);
issuer.addRDN(BCStyle.O, ORGANIZATION_NAME);
issuer.addRDN(BCStyle.OU, ISSUER);
final BigInteger sn = new BigInteger(SERIAL_NUMBER_LENGTH, new SecureRandom());
final Date validFrom = Calendar.getInstance().getTime();
final Calendar c = Calendar.getInstance();
c.add(Calendar.YEAR, YEARS_VALID);
final Date validUntil = c.getTime();
File file = new File("PATH TO ROOT CA");
CertificateFactory fact = CertificateFactory.getInstance("X.509");
FileInputStream in = new FileInputStream(file);
X509Certificate cer = (X509Certificate) fact.generateCertificate(in);
final JcaContentSignerBuilder builder = new JcaContentSignerBuilder(signingAlgorithm);
ContentSigner signer = builder.build(privateKey);
final X509v3CertificateBuilder certBuilder=new JcaX509v3CertificateBuilder(cer, sn, validFrom, validUntil, subject.build(), publicKey);
BasicConstraints constr = new BasicConstraints(false);
KeyUsage usage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment);
certBuilder.addExtension(Extension.keyUsage, false, usage);
certBuilder.addExtension(Extension.subjectAlternativeName, false, names);
certBuilder.addExtension(Extension.basicConstraints, false, constr);
// certBuilder.addExtension(Extension.authorityKeyIdentifier, false,utiles.createAuthorityKeyIdentifier(cer));
certBuilder.addExtension(Extension.subjectKeyIdentifier, false,
new SubjectKeyIdentifier(publicKey.getEncoded()));
final byte[] certBytes = certBuilder.build(signer).getEncoded();
final CertificateFactory certificateFactory = CertificateFactory.getInstance(CERTIFICATE_TYPE);
return (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(certBytes));
}
I have tried a number of things but I can't find exactly a solution. Also I don't understand what i have to set on Subject Key Identifier extension.
It seems you're not getting the X.509 certificate generation process right:
You generate a Certificate Signing Request (CSR), which is basically your certificate's structure, not yet signed by a CA;
A Certificate Authority (in this case, your root CA) signs this CSR.
Have a look at Sign CSR using Bouncy Castle, which is probably what you're looking for.
I have generated an RSA x509 certificate using bouncy castle in java. The code is below:
public static X509Certificate generateCert()
{
try
{
Security.addProvider(new BouncyCastleProvider());
// generate a key pair
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
KeyPair keyPair = keyPairGenerator.generateKeyPair();
// build a certificate generator
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
X500Principal dnName = new X500Principal("cn=example");
// add some options
certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
certGen.setSubjectDN(new X509Name("dc=name"));
certGen.setIssuerDN(dnName); // use the same
// yesterday
certGen.setNotBefore(new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000));
// in 2 years
certGen.setNotAfter(new Date(System.currentTimeMillis() + 2 * 365 * 24 * 60 * 60 * 1000));
certGen.setPublicKey(keyPair.getPublic());
certGen.setSignatureAlgorithm("SHA256withRSA");
certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping));
mCurrentRSAKeyPair = keyPair;
// finally, sign the certificate with the private key of the same KeyPair
X509Certificate cert = certGen.generate(keyPair.getPrivate(), "BC");
return cert;
}
catch (Exception e)
{
e.printStackTrace();
return null;
}
}
I want to be able to cast the X509Cerificate returned into a java.security.cert Certificate[] however it says they are incompatible. I need to use this certificate array for an android keystore:
public RSA(char[] password) throws Exception
{
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null);
Enumeration<String> aliases = ks.aliases();
if(!aliases.hasMoreElements())
{
//mCurrentCertificate is the X509Certificate
mCurrentCertificate = generateCert();
//Store the new keypair
FileInputStream fs = null;
ks.load(fs, password);
KeyStore.ProtectionParameter protParam =
new KeyStore.PasswordProtection(password);
Object cert = mCurrentCertificate.getEncoded();
java.security.cert.Certificate[] myCert = (java.security.cert.Certificate[]) cert; //CAST HERE
KeyStore.PrivateKeyEntry pkEntry =
new KeyStore.PrivateKeyEntry(mCurrentRSAKeyPair.getPrivate(),
myCert);
ks.setEntry("UserKey", pkEntry, protParam);
}
}
myCert is an array of certificates, and cert is an array of bytes (as returned by getEncoded()).
You should put your mCurrentCertificate variable inside an array:
java.security.cert.Certificate[] myCert = new java.security.cert.Certificate[] { (java.security.cert.Certificate) mCurrentCertificate};
// not sure if needs to cast mCurrentCertificate