
Example 1 with InternalCertificate

use of org.mozilla.jss.crypto.InternalCertificate in project jss by dogtagpki.

the class GenerateTestCert method doIt.

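/**
 * Based on the input parameters, generate a cert
 * pair: a CA certificate, plus a server and a client certificate that are
 * built with the CA key pair's private key, all imported through the
 * {@link CryptoManager} under the chosen nicknames.
 *
 * <p>Positional arguments ({@code args[i]} is consulted only when
 * {@code args.length > i}; at least three are required):
 * <ul>
 *   <li>{@code args[1]} – file the token password is read from</li>
 *   <li>{@code args[2]} – integer passed to {@code makeCert} as the CA
 *       cert's serial-number argument; the server and client certs get
 *       {@code +1} and {@code +2}</li>
 *   <li>{@code args[3]} – hostname handed to {@code makeCert} for the
 *       server cert (presumably its subject name); default
 *       {@code localhost}</li>
 *   <li>{@code args[4]} – signature algorithm passed to
 *       {@code setSigAlg}; default {@code SHA-256/RSA}</li>
 *   <li>{@code args[5]}, {@code args[6]}, {@code args[7]} – CA, server and
 *       client nicknames; defaults are the {@code *_NICKNAME} constants</li>
 * </ul>
 * {@code args[0]} is not read here.
 *
 * <p>This method never returns normally: it exits with status 1 when a
 * nickname is already taken, when any exception occurs, or when the
 * database does not hold exactly three more certificates afterwards, and
 * with status 0 on success. The imported server and client certificates
 * are stored in the {@code nssServerCert} and {@code nssClientCert}
 * fields of the enclosing class.
 *
 * @param args command-line arguments as described above
 * @throws Exception kept for source compatibility; every failure is
 *         caught inside and turned into {@code System.exit(1)}
 */
private void doIt(String[] args) throws Exception {
    String caCertNick = CACERT_NICKNAME;
    String serverCertNick = SERVERCERT_NICKNAME;
    String clientCertNick = CLIENTCERT_NICKNAME;
    if (args.length < 3) {
        // usage() presumably exits; if it returns, args[1]/args[2] below
        // throw inside the try and the process still exits with 1.
        usage();
    }
    try {
        CryptoManager cm = CryptoManager.getInstance();
        CryptoToken tok = cm.getInternalKeyStorageToken();
        // The token password is read from the file named by args[1].
        PasswordCallback cb = new FilePasswordCallback(args[1]);
        tok.login(cb);
        int serialNum = Integer.parseInt(args[2]);

        X509Certificate[] permCerts = cm.getPermCerts();
        int originalPermCerts = permCerts.length;
        System.out.println("Number of certificates stored in the " + " database: " + originalPermCerts);

        // Optional arguments. args[i] exists exactly when args.length > i;
        // the previous checks demanded one argument more than needed, so a
        // four-argument invocation silently ignored the hostname, and so on.
        String hostname = args.length > 3 ? args[3] : "localhost";
        String alg = args.length > 4 ? args[4] : "SHA-256/RSA";
        setSigAlg(alg);
        if (args.length > 5) {
            caCertNick = args[5];
        }
        if (args.length > 6) {
            serverCertNick = args[6];
        }
        if (args.length > 7) {
            clientCertNick = args[7];
        }

        // Refuse to overwrite: every nickname must be unused before we start.
        exitIfNicknamePresent(cm, caCertNick);
        exitIfNicknamePresent(cm, serverCertNick);
        exitIfNicknamePresent(cm, clientCertNick);

        // generate CA cert
        java.security.KeyPairGenerator kpg = java.security.KeyPairGenerator.getInstance(keyType, "Mozilla-JSS");
        kpg.initialize(keyLength);
        KeyPair caPair = kpg.genKeyPair();
        SEQUENCE extensions = new SEQUENCE();
        extensions.addElement(makeBasicConstraintsExtension());
        Certificate caCert = makeCert("CACert", "CACert", serialNum, caPair.getPrivate(), caPair.getPublic(), serialNum, extensions);
        X509Certificate nssCaCert = cm.importUserCACertPackage(ASN1Util.encode(caCert), caCertNick);
        // Mark the freshly imported CA as trusted for SSL server and client
        // certificate chains; without this the other two certs would not
        // validate against it.
        InternalCertificate intern = (InternalCertificate) nssCaCert;
        intern.setSSLTrust(PK11Cert.TRUSTED_CA | PK11Cert.TRUSTED_CLIENT_CA | PK11Cert.VALID_CA);

        // generate server cert (fresh key pair, signed with the CA key)
        kpg.initialize(keyLength);
        KeyPair serverPair = kpg.genKeyPair();
        Certificate serverCert = makeCert("CACert", hostname, serialNum + 1, caPair.getPrivate(), serverPair.getPublic(), serialNum, null);
        nssServerCert = cm.importCertPackage(ASN1Util.encode(serverCert), serverCertNick);

        // generate client auth cert (fresh key pair, signed with the CA key)
        kpg.initialize(keyLength);
        KeyPair clientPair = kpg.genKeyPair();
        Certificate clientCert = makeCert("CACert", "ClientCert", serialNum + 2, caPair.getPrivate(), clientPair.getPublic(), serialNum, null);
        nssClientCert = cm.importCertPackage(ASN1Util.encode(clientCert), clientCertNick);

        System.out.println("\nThis program created certificates with \n" + "following cert nicknames:" + "\n\t" + caCertNick + "\n\t" + serverCertNick + "\n\t" + clientCertNick);

        // Sanity check: exactly three certificates must have been added.
        permCerts = cm.getPermCerts();
        if ((originalPermCerts + 3) != permCerts.length) {
            System.out.println("Error there should be three more " + " certificates stored in the database");
            System.exit(1);
        } else {
            System.out.println("Number of certificates stored in the " + " database: " + permCerts.length);
        }

        /* ensure certificates exists */
        exitUnlessNicknamePresent(cm, caCertNick);
        exitUnlessNicknamePresent(cm, serverCertNick);
        exitUnlessNicknamePresent(cm, clientCertNick);
    } catch (Exception e) {
        e.printStackTrace();
        System.exit(1);
    }
    System.exit(0);
}

/**
 * Exits the process with status 1 if any certificate carrying {@code nick}
 * is already stored.
 *
 * @param cm the crypto manager to query
 * @param nick the nickname that must be free
 * @throws Exception whatever {@code findCertsByNickname} throws
 */
private static void exitIfNicknamePresent(CryptoManager cm, String nick) throws Exception {
    if (cm.findCertsByNickname(nick).length > 0) {
        System.out.println(nick + " already exists!");
        System.exit(1);
    }
}

/**
 * Exits the process with status 1 unless at least one certificate carrying
 * {@code nick} is stored.
 *
 * @param cm the crypto manager to query
 * @param nick the nickname that must now be present
 * @throws Exception whatever {@code findCertsByNickname} throws
 */
private static void exitUnlessNicknamePresent(CryptoManager cm, String nick) throws Exception {
    if (cm.findCertsByNickname(nick).length == 0) {
        System.out.println(nick + " should exist!");
        System.exit(1);
    }
}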

Example 2 with InternalCertificate

use of org.mozilla.jss.crypto.InternalCertificate in project jss by dogtagpki.

the class TestCertApprovalCallback method approve.

/**
 * Test-only approval callback: prints the peer certificate and every
 * validity problem NSS reported for it, then lets the handshake continue
 * no matter what was found.
 *
 * <p>If any reported problem is {@code UNTRUSTED_ISSUER}, the peer
 * certificate is imported into the permanent database under the nickname
 * {@code "testnick"} and given {@code TRUSTED_PEER | VALID_PEER} trust; an
 * import failure is only printed. Because the return value ignores the
 * reported problems, this callback performs no real validation and is
 * suitable for tests only.
 *
 * @param servercert the certificate presented by the peer
 * @param status the validity problems NSS found for that certificate
 * @return always {@code true}; returning {@code false} would abort the
 *         connection
 */
@Override
public boolean approve(org.mozilla.jss.crypto.X509Certificate servercert, SSLCertificateApprovalCallback.ValidityStatus status) {
    System.out.println("in TestCertApprovalCallback.approve()");
    /* dump out server cert details */
    System.out.println("Peer cert details: " + certDetails(servercert));

    /* iterate through all the problems */
    boolean untrustedIssuerSeen = false;
    Enumeration<ValidityItem> errors = status.getReasons();
    for (int n = 1; errors.hasMoreElements(); n++) {
        ValidityItem item = errors.nextElement();
        System.out.println("item " + n + " reason=" + item.getReason() + " depth=" + item.getDepth());
        org.mozilla.jss.crypto.X509Certificate cert = item.getCert();
        untrustedIssuerSeen |= item.getReason() == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER;
        System.out.println(" cert details: " + certDetails(cert));
    }

    if (untrustedIssuerSeen) {
        System.out.println("importing certificate.");
        try {
            InternalCertificate newcert = org.mozilla.jss.CryptoManager.getInstance().importCertToPerm(servercert, "testnick");
            newcert.setSSLTrust(PK11Cert.TRUSTED_PEER | PK11Cert.VALID_PEER);
        } catch (Exception e) {
            System.out.println("thrown exception: " + e);
        }
    }

    /* allow the connection to continue;
       returning false here would abort the connection */
    return true;
}

/**
 * Formats subject, issuer and serial of {@code cert} as the indented
 * multi-line suffix used by the diagnostic output above.
 *
 * @param cert the certificate to describe
 * @return the formatted lines, starting with a newline
 */
private static String certDetails(org.mozilla.jss.crypto.X509Certificate cert) {
    return "\n     subject: " + cert.getSubjectDN().toString()
            + "\n     issuer:  " + cert.getIssuerDN().toString()
            + "\n     serial:  " + cert.getSerialNumber().toString();
}

Example 3 with InternalCertificate

use of org.mozilla.jss.crypto.InternalCertificate in project jss by dogtagpki.

the class SSLClientAuth method generateCerts.

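/**
 * Generates the certificates the SSL client-auth test needs: a CA cert
 * (subject and issuer both {@code "CACert"}, carrying a basic-constraints
 * extension) that is imported as {@code "SSLCA-" + serialNum} and marked
 * trusted for server and client chains, plus a server cert for
 * {@code "localhost"} and a client cert for {@code "ClientCert"}, both
 * built with the CA key pair's private key and imported under the
 * {@code serverCertNick} / {@code clientCertNick} fields of the enclosing
 * class. The imported server and client certs are stored in the
 * {@code nssServerCert} and {@code nssClientCert} fields.
 *
 * <p>Any failure is fatal for the test: the stack trace is printed and
 * the process exits with status 1.
 *
 * @param cm the crypto manager used to import the certificates
 * @param serialNum serial-number argument for the CA cert; the server and
 *        client certs use {@code serialNum + 1} and {@code serialNum + 2}
 */
private void generateCerts(CryptoManager cm, int serialNum) {
    // RSA Key with default exponent
    int keyLength = 4096;
    try {
        java.security.KeyPairGenerator kpg = java.security.KeyPairGenerator.getInstance("RSA", "Mozilla-JSS");
        kpg.initialize(keyLength);
        KeyPair caPair = kpg.genKeyPair();

        // Generate CA cert
        SEQUENCE extensions = new SEQUENCE();
        extensions.addElement(makeBasicConstraintsExtension());
        Certificate caCert = makeCert("CACert", "CACert", serialNum, caPair.getPrivate(), caPair.getPublic(), serialNum, extensions);
        X509Certificate nssCaCert = cm.importUserCACertPackage(ASN1Util.encode(caCert), "SSLCA-" + serialNum);
        // Without this trust setting the server and client certs below
        // would not validate against the new CA.
        InternalCertificate intern = (InternalCertificate) nssCaCert;
        intern.setSSLTrust(PK11Cert.TRUSTED_CA | PK11Cert.TRUSTED_CLIENT_CA | PK11Cert.VALID_CA);

        // generate server cert
        kpg.initialize(keyLength);
        KeyPair serverPair = kpg.genKeyPair();
        Certificate serverCert = makeCert("CACert", "localhost", serialNum + 1, caPair.getPrivate(), serverPair.getPublic(), serialNum, null);
        nssServerCert = cm.importCertPackage(ASN1Util.encode(serverCert), serverCertNick);

        // generate client auth cert
        kpg.initialize(keyLength);
        KeyPair clientPair = kpg.genKeyPair();
        Certificate clientCert = makeCert("CACert", "ClientCert", serialNum + 2, caPair.getPrivate(), clientPair.getPublic(), serialNum, null);
        nssClientCert = cm.importCertPackage(ASN1Util.encode(clientCert), clientCertNick);
    } catch (Exception ex) {
        // One handler is enough: the seven specific catch clauses this
        // replaces (encoding, algorithm, provider, nickname/user-cert
        // conflict, token, item-not-found) all did exactly this and were
        // followed by the same catch-all.
        ex.printStackTrace();
        System.exit(1);
    }
}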

Example 4 with InternalCertificate

use of org.mozilla.jss.crypto.InternalCertificate in project jss by dogtagpki.

the class TestCertificateApprovalCallback method approve.

/**
 * Test-only approval callback: logs the peer certificate and every
 * validity problem NSS reported for it, then lets the handshake continue
 * regardless of what was found.
 *
 * <p>If any reported problem is {@code UNTRUSTED_ISSUER}, the peer
 * certificate is imported into the permanent database under the nickname
 * {@code "testnick"} and given {@code TRUSTED_PEER | VALID_PEER} trust; an
 * import failure is only printed. Since the return value ignores the
 * reported problems, this performs no real validation and must stay
 * confined to test code.
 *
 * @param servercert the certificate presented by the peer
 * @param status the validity problems NSS found for that certificate
 * @return always {@code true}
 */
@Override
public boolean approve(org.mozilla.jss.crypto.X509Certificate servercert, SSLCertificateApprovalCallback.ValidityStatus status) {
    logger.debug("in TestCertificateApprovalCallback.approve()");
    /* dump out server cert details */
    logCertDetails("Peer cert details:", servercert);

    /* iterate through all the problems */
    boolean untrustedIssuerSeen = false;
    Enumeration<ValidityItem> errors = status.getReasons();
    for (int n = 1; errors.hasMoreElements(); n++) {
        ValidityItem item = errors.nextElement();
        logger.debug("item " + n + " reason=" + item.getReason() + " depth=" + item.getDepth());
        org.mozilla.jss.crypto.X509Certificate cert = item.getCert();
        untrustedIssuerSeen |= item.getReason() == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER;
        logCertDetails(" cert details:", cert);
    }

    if (untrustedIssuerSeen) {
        logger.debug("importing certificate.");
        try {
            InternalCertificate newcert = org.mozilla.jss.CryptoManager.getInstance().importCertToPerm(servercert, "testnick");
            newcert.setSSLTrust(PK11Cert.TRUSTED_PEER | PK11Cert.VALID_PEER);
        } catch (Exception e) {
            System.out.println("thrown exception: " + e);
        }
    }

    /* don't do this in production code!                 */
    return true;
}

/**
 * Logs {@code heading} followed by the subject, issuer and serial of
 * {@code cert}, one debug line each.
 *
 * @param heading the line logged before the certificate fields
 * @param cert the certificate to describe
 */
private void logCertDetails(String heading, org.mozilla.jss.crypto.X509Certificate cert) {
    logger.debug(heading);
    logger.debug("     subject: " + cert.getSubjectDN());
    logger.debug("     issuer:  " + cert.getIssuerDN());
    logger.debug("     serial:  " + cert.getSerialNumber());
}
