Example 31 with KeyStore
use of java.security.KeyStore in project camel by apache.
the class XmlSignatureTest method loadKeystore.
public static KeyStore loadKeystore() throws Exception {
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
InputStream in = XmlSignatureTest.class.getResourceAsStream("/bob.keystore");
keystore.load(in, "letmein".toCharArray());
return keystore;
}
Also used :
InputStream(java.io.InputStream)
KeyStore(java.security.KeyStore)
Example 32 with KeyStore
use of java.security.KeyStore in project cassandra by apache.
the class SSLFactory method createSSLContext.
@SuppressWarnings("resource")
public static SSLContext createSSLContext(EncryptionOptions options, boolean buildTruststore) throws IOException {
FileInputStream tsf = null;
FileInputStream ksf = null;
SSLContext ctx;
try {
ctx = SSLContext.getInstance(options.protocol);
TrustManager[] trustManagers = null;
if (buildTruststore) {
tsf = new FileInputStream(options.truststore);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(options.algorithm);
KeyStore ts = KeyStore.getInstance(options.store_type);
ts.load(tsf, options.truststore_password.toCharArray());
tmf.init(ts);
trustManagers = tmf.getTrustManagers();
}
ksf = new FileInputStream(options.keystore);
KeyManagerFactory kmf = KeyManagerFactory.getInstance(options.algorithm);
KeyStore ks = KeyStore.getInstance(options.store_type);
ks.load(ksf, options.keystore_password.toCharArray());
if (!checkedExpiry) {
for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
String alias = aliases.nextElement();
if (ks.getCertificate(alias).getType().equals("X.509")) {
Date expires = ((X509Certificate) ks.getCertificate(alias)).getNotAfter();
if (expires.before(new Date()))
logger.warn("Certificate for {} expired on {}", alias, expires);
}
}
checkedExpiry = true;
}
kmf.init(ks, options.keystore_password.toCharArray());
ctx.init(kmf.getKeyManagers(), trustManagers, null);
} catch (Exception e) {
throw new IOException("Error creating the initializing the SSL Context", e);
} finally {
FileUtils.closeQuietly(tsf);
FileUtils.closeQuietly(ksf);
}
return ctx;
}
Also used :
SSLContext(javax.net.ssl.SSLContext)
IOException(java.io.IOException)
KeyStore(java.security.KeyStore)
FileInputStream(java.io.FileInputStream)
Date(java.util.Date)
X509Certificate(java.security.cert.X509Certificate)
IOException(java.io.IOException)
TrustManager(javax.net.ssl.TrustManager)
KeyManagerFactory(javax.net.ssl.KeyManagerFactory)
TrustManagerFactory(javax.net.ssl.TrustManagerFactory)
Example 33 with KeyStore
use of java.security.KeyStore in project gitblit by gitblit.
the class X509Utils method newCertificateRevocationList.
/**
* Creates a new certificate revocation list (CRL). This function will
* destroy any existing CRL file.
*
* @param caRevocationList
* @param storeFile
* @param keystorePassword
* @return
*/
public static void newCertificateRevocationList(File caRevocationList, File caKeystoreFile, String caKeystorePassword) {
try {
// read the Gitblit CA key and certificate
KeyStore store = openKeyStore(caKeystoreFile, caKeystorePassword);
PrivateKey caPrivateKey = (PrivateKey) store.getKey(CA_ALIAS, caKeystorePassword.toCharArray());
X509Certificate caCert = (X509Certificate) store.getCertificate(CA_ALIAS);
X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName());
X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuerDN, new Date());
// build and sign CRL with CA private key
ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey);
X509CRLHolder crl = crlBuilder.build(signer);
File tmpFile = new File(caRevocationList.getParentFile(), Long.toHexString(System.currentTimeMillis()) + ".tmp");
FileOutputStream fos = null;
try {
fos = new FileOutputStream(tmpFile);
fos.write(crl.getEncoded());
fos.flush();
fos.close();
if (caRevocationList.exists()) {
caRevocationList.delete();
}
tmpFile.renameTo(caRevocationList);
} finally {
if (fos != null) {
fos.close();
}
if (tmpFile.exists()) {
tmpFile.delete();
}
}
} catch (Exception e) {
throw new RuntimeException("Failed to create new certificate revocation list " + caRevocationList, e);
}
}
Also used :
PrivateKey(java.security.PrivateKey)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
X500Name(org.bouncycastle.asn1.x500.X500Name)
KeyStore(java.security.KeyStore)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
SignatureException(java.security.SignatureException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
InvalidKeyException(java.security.InvalidKeyException)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
CertPathBuilderException(java.security.cert.CertPathBuilderException)
IOException(java.io.IOException)
FileOutputStream(java.io.FileOutputStream)
X509CRLHolder(org.bouncycastle.cert.X509CRLHolder)
X509v2CRLBuilder(org.bouncycastle.cert.X509v2CRLBuilder)
File(java.io.File)
Example 34 with KeyStore
use of java.security.KeyStore in project gitblit by gitblit.
the class X509Utils method newClientCertificate.
/**
* Creates a new client certificate PKCS#12 and PEM store. Any existing
* stores are destroyed.
*
* @param clientMetadata a container for dynamic parameters needed for generation
* @param caKeystoreFile
* @param caKeystorePassword
* @param targetFolder
* @return
*/
public static X509Certificate newClientCertificate(X509Metadata clientMetadata, PrivateKey caPrivateKey, X509Certificate caCert, File targetFolder) {
try {
KeyPair pair = newKeyPair();
X500Name userDN = buildDistinguishedName(clientMetadata);
X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName());
// create a new certificate signed by the Gitblit CA certificate
X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerDN, BigInteger.valueOf(System.currentTimeMillis()), clientMetadata.notBefore, clientMetadata.notAfter, userDN, pair.getPublic());
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic()));
certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false));
certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));
certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature));
if (!StringUtils.isEmpty(clientMetadata.emailAddress)) {
GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress));
certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName);
}
ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey);
X509Certificate userCert = new JcaX509CertificateConverter().setProvider(BC).getCertificate(certBuilder.build(signer));
PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) pair.getPrivate();
bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, extUtils.createSubjectKeyIdentifier(pair.getPublic()));
// confirm the validity of the user certificate
userCert.checkValidity();
userCert.verify(caCert.getPublicKey());
userCert.getIssuerDN().equals(caCert.getSubjectDN());
// verify user certificate chain
verifyChain(userCert, caCert);
targetFolder.mkdirs();
// save certificate, stamped with unique name
String date = new SimpleDateFormat("yyyyMMdd").format(new Date());
String id = date;
File certFile = new File(targetFolder, id + ".cer");
int count = 0;
while (certFile.exists()) {
id = date + "_" + Character.toString((char) (0x61 + count));
certFile = new File(targetFolder, id + ".cer");
count++;
}
// save user private key, user certificate and CA certificate to a PKCS#12 store
File p12File = new File(targetFolder, clientMetadata.commonName + ".p12");
if (p12File.exists()) {
p12File.delete();
}
KeyStore userStore = openKeyStore(p12File, clientMetadata.password);
userStore.setKeyEntry(MessageFormat.format("Gitblit ({0}) {1} {2}", clientMetadata.serverHostname, clientMetadata.userDisplayname, id), pair.getPrivate(), null, new Certificate[] { userCert });
userStore.setCertificateEntry(MessageFormat.format("Gitblit ({0}) Certificate Authority", clientMetadata.serverHostname), caCert);
saveKeyStore(p12File, userStore, clientMetadata.password);
// save user private key, user certificate, and CA certificate to a PEM store
File pemFile = new File(targetFolder, clientMetadata.commonName + ".pem");
if (pemFile.exists()) {
pemFile.delete();
}
JcePEMEncryptorBuilder builder = new JcePEMEncryptorBuilder("DES-EDE3-CBC");
builder.setSecureRandom(new SecureRandom());
PEMEncryptor pemEncryptor = builder.build(clientMetadata.password.toCharArray());
JcaPEMWriter pemWriter = new JcaPEMWriter(new FileWriter(pemFile));
pemWriter.writeObject(pair.getPrivate(), pemEncryptor);
pemWriter.writeObject(userCert);
pemWriter.writeObject(caCert);
pemWriter.flush();
pemWriter.close();
// save certificate after successfully creating the key stores
saveCertificate(userCert, certFile);
// update serial number in metadata object
clientMetadata.serialNumber = userCert.getSerialNumber().toString();
return userCert;
} catch (Throwable t) {
throw new RuntimeException("Failed to generate client certificate!", t);
}
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
FileWriter(java.io.FileWriter)
KeyUsage(org.bouncycastle.asn1.x509.KeyUsage)
X500Name(org.bouncycastle.asn1.x500.X500Name)
PKCS12BagAttributeCarrier(org.bouncycastle.jce.interfaces.PKCS12BagAttributeCarrier)
PEMEncryptor(org.bouncycastle.openssl.PEMEncryptor)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
JcePEMEncryptorBuilder(org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder)
KeyPair(java.security.KeyPair)
ContentSigner(org.bouncycastle.operator.ContentSigner)
SecureRandom(java.security.SecureRandom)
KeyStore(java.security.KeyStore)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
JcaPEMWriter(org.bouncycastle.openssl.jcajce.JcaPEMWriter)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
SimpleDateFormat(java.text.SimpleDateFormat)
File(java.io.File)
Example 35 with KeyStore
use of java.security.KeyStore in project gitblit by gitblit.
the class X509Utils method newSSLCertificate.
/**
* Creates a new SSL certificate signed by the CA private key and stored in
* keyStore.
*
* @param sslMetadata
* @param caPrivateKey
* @param caCert
* @param targetStoreFile
* @param x509log
*/
public static X509Certificate newSSLCertificate(X509Metadata sslMetadata, PrivateKey caPrivateKey, X509Certificate caCert, File targetStoreFile, X509Log x509log) {
try {
KeyPair pair = newKeyPair();
X500Name webDN = buildDistinguishedName(sslMetadata);
X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName());
X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerDN, BigInteger.valueOf(System.currentTimeMillis()), sslMetadata.notBefore, sslMetadata.notAfter, webDN, pair.getPublic());
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic()));
certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false));
certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));
// support alternateSubjectNames for SSL certificates
List<GeneralName> altNames = new ArrayList<GeneralName>();
if (HttpUtils.isIpAddress(sslMetadata.commonName)) {
altNames.add(new GeneralName(GeneralName.iPAddress, sslMetadata.commonName));
}
if (altNames.size() > 0) {
GeneralNames subjectAltName = new GeneralNames(altNames.toArray(new GeneralName[altNames.size()]));
certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName);
}
ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey);
X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC).getCertificate(certBuilder.build(caSigner));
cert.checkValidity(new Date());
cert.verify(caCert.getPublicKey());
// Save to keystore
KeyStore serverStore = openKeyStore(targetStoreFile, sslMetadata.password);
serverStore.setKeyEntry(sslMetadata.commonName, pair.getPrivate(), sslMetadata.password.toCharArray(), new Certificate[] { cert, caCert });
saveKeyStore(targetStoreFile, serverStore, sslMetadata.password);
x509log.log(MessageFormat.format("New SSL certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getSubjectDN().getName()));
// update serial number in metadata object
sslMetadata.serialNumber = cert.getSerialNumber().toString();
return cert;
} catch (Throwable t) {
throw new RuntimeException("Failed to generate SSL certificate!", t);
}
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
KeyPair(java.security.KeyPair)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ArrayList(java.util.ArrayList)
ContentSigner(org.bouncycastle.operator.ContentSigner)
X500Name(org.bouncycastle.asn1.x500.X500Name)
KeyStore(java.security.KeyStore)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
Aggregations
KeyStore (java.security.KeyStore)899
IOException (java.io.IOException)226
X509Certificate (java.security.cert.X509Certificate)216
FileInputStream (java.io.FileInputStream)186
InputStream (java.io.InputStream)177
KeyStoreException (java.security.KeyStoreException)174
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)165
TrustManagerFactory (javax.net.ssl.TrustManagerFactory)146
Certificate (java.security.cert.Certificate)144
KeyManagerFactory (javax.net.ssl.KeyManagerFactory)136
SSLContext (javax.net.ssl.SSLContext)130
CertificateException (java.security.cert.CertificateException)115
PrivateKey (java.security.PrivateKey)104
File (java.io.File)95
CertificateFactory (java.security.cert.CertificateFactory)80
ByteArrayInputStream (java.io.ByteArrayInputStream)78
UnrecoverableKeyException (java.security.UnrecoverableKeyException)64
Key (java.security.Key)63
TrustManager (javax.net.ssl.TrustManager)60
Test (org.junit.Test)54
