use of org.mozilla.jss.crypto.InternalCertificate in project jss by dogtagpki.
the class GenerateTestCert method doIt.
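/**
 * Builds a three-certificate test hierarchy (CA, server, client) from the
 * command-line arguments and imports all three into the NSS database.
 *
 * Argument layout by index (fewer than three arguments prints usage):
 * <ul>
 *   <li>0 - not read by this method</li>
 *   <li>1 - passed to {@code FilePasswordCallback}, i.e. the token password
 *           source (apparently a file on disk)</li>
 *   <li>2 - serial number of the CA cert; server and client use +1 and +2</li>
 *   <li>3 - hostname placed in the server cert subject (default "localhost")</li>
 *   <li>4 - signature algorithm handed to setSigAlg (default "SHA-256/RSA")</li>
 *   <li>5 - CA cert nickname</li>
 *   <li>6 - server cert nickname</li>
 *   <li>7 - client cert nickname</li>
 * </ul>
 * Each optional argument is used as soon as its index exists; the earlier
 * revision required one argument more than the index it read, so e.g. a
 * hostname given as the fourth argument was silently ignored.
 *
 * Security notes:
 * <ul>
 *   <li>The generated CA is given TRUSTED_CA | TRUSTED_CLIENT_CA | VALID_CA
 *       trust in the database, so anything it signs becomes trusted for that
 *       NSS DB. Run this only against a throw-away test database.</li>
 *   <li>The server cert is built from a bare hostname; makeCert is not
 *       visible here, so whether a subjectAltName is emitted has to be
 *       confirmed there (hostname verification in modern TLS stacks relies
 *       on the SAN, not the CN).</li>
 *   <li>Nickname collisions are treated as fatal rather than overwritten.</li>
 * </ul>
 *
 * This method never returns normally: it calls {@code System.exit(0)} on
 * success and {@code System.exit(1)} on any failure.
 *
 * @param args command-line arguments as described above
 * @throws Exception declared for compatibility; every failure is caught
 *         and converted into an exit status of 1
 */
private void doIt(String[] args) throws Exception {
    String caCertNick = CACERT_NICKNAME;
    String serverCertNick = SERVERCERT_NICKNAME;
    String clientCertNick = CLIENTCERT_NICKNAME;

    if (args.length < 3) {
        usage();
    }

    try {
        CryptoManager cm = CryptoManager.getInstance();
        CryptoToken tok = cm.getInternalKeyStorageToken();
        // The token password comes from the callback, not from argv itself,
        // so it does not show up in the process listing.
        PasswordCallback cb = new FilePasswordCallback(args[1]);
        tok.login(cb);

        int serialNum = Integer.parseInt(args[2]);

        X509Certificate[] permCerts = cm.getPermCerts();
        int originalPermCerts = permCerts.length;
        System.out.println("Number of certificates stored in the " + " database: " + originalPermCerts);

        // Optional arguments: each one is read when its index is present.
        String hostname = "localhost";
        if (args.length > 3) {
            hostname = args[3];
        }
        String alg = "SHA-256/RSA";
        if (args.length > 4) {
            alg = args[4];
        }
        setSigAlg(alg);
        if (args.length > 5) {
            caCertNick = args[5];
        }
        if (args.length > 6) {
            serverCertNick = args[6];
        }
        if (args.length > 7) {
            clientCertNick = args[7];
        }

        // Refuse to proceed if any target nickname is already taken: a
        // duplicate nickname would make the trust-flag assignment below and
        // the final existence checks ambiguous.
        exitIfNicknamePresent(cm, caCertNick);
        exitIfNicknamePresent(cm, serverCertNick);
        exitIfNicknamePresent(cm, clientCertNick);

        // --- CA certificate (self-signed, with basicConstraints) ---
        java.security.KeyPairGenerator kpg = java.security.KeyPairGenerator.getInstance(keyType, "Mozilla-JSS");
        kpg.initialize(keyLength);
        KeyPair caPair = kpg.genKeyPair();
        SEQUENCE extensions = new SEQUENCE();
        extensions.addElement(makeBasicConstraintsExtension());
        Certificate caCert = makeCert("CACert", "CACert", serialNum, caPair.getPrivate(), caPair.getPublic(), serialNum, extensions);
        X509Certificate nssCaCert = cm.importUserCACertPackage(ASN1Util.encode(caCert), caCertNick);
        // Mark the new CA as trusted for server and client auth in this DB.
        // This is what makes the two leaf certs below validate.
        InternalCertificate intern = (InternalCertificate) nssCaCert;
        intern.setSSLTrust(PK11Cert.TRUSTED_CA | PK11Cert.TRUSTED_CLIENT_CA | PK11Cert.VALID_CA);

        // --- server certificate, signed by the CA key, subject = hostname ---
        kpg.initialize(keyLength);
        KeyPair serverPair = kpg.genKeyPair();
        Certificate serverCert = makeCert("CACert", hostname, serialNum + 1, caPair.getPrivate(), serverPair.getPublic(), serialNum, null);
        nssServerCert = cm.importCertPackage(ASN1Util.encode(serverCert), serverCertNick);

        // --- client-auth certificate, signed by the CA key ---
        kpg.initialize(keyLength);
        KeyPair clientPair = kpg.genKeyPair();
        Certificate clientCert = makeCert("CACert", "ClientCert", serialNum + 2, caPair.getPrivate(), clientPair.getPublic(), serialNum, null);
        nssClientCert = cm.importCertPackage(ASN1Util.encode(clientCert), clientCertNick);

        System.out.println("\nThis program created certificates with \n" + "following cert nicknames:" + "\n\t" + caCertNick + "\n\t" + serverCertNick + "\n\t" + clientCertNick);

        // Sanity check: exactly three permanent certs were added.
        permCerts = cm.getPermCerts();
        if ((originalPermCerts + 3) != permCerts.length) {
            System.out.println("Error there should be three more " + " certificates stored in the database");
            System.exit(1);
        } else {
            System.out.println("Number of certificates stored in the " + " database: " + permCerts.length);
        }

        // Sanity check: each nickname now resolves to at least one cert.
        exitIfNicknameMissing(cm, caCertNick);
        exitIfNicknameMissing(cm, serverCertNick);
        exitIfNicknameMissing(cm, clientCertNick);
    } catch (Exception e) {
        e.printStackTrace();
        System.exit(1);
    }
    System.exit(0);
}

/**
 * Prints "&lt;nick&gt; already exists!" and exits with status 1 when the
 * database already holds a certificate under {@code nick}.
 */
private static void exitIfNicknamePresent(CryptoManager cm, String nick) throws Exception {
    if (cm.findCertsByNickname(nick).length > 0) {
        System.out.println(nick + " already exists!");
        System.exit(1);
    }
}

/**
 * Prints "&lt;nick&gt; should exist!" and exits with status 1 when the
 * database holds no certificate under {@code nick}.
 */
private static void exitIfNicknameMissing(CryptoManager cm, String nick) throws Exception {
    if (cm.findCertsByNickname(nick).length == 0) {
        System.out.println(nick + " should exist!");
        System.exit(1);
    }
}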
use of org.mozilla.jss.crypto.InternalCertificate in project jss by dogtagpki.
the class TestCertApprovalCallback method approve.
/**
 * Test-only certificate approval callback.
 *
 * Prints the peer certificate and every validity problem NSS reported, and
 * then accepts the connection unconditionally. If any reported problem is
 * UNTRUSTED_ISSUER, the peer certificate is additionally imported into the
 * permanent database under the fixed nickname "testnick" and marked
 * TRUSTED_PEER | VALID_PEER, so later connections to the same peer validate
 * without going through this callback's reasons list.
 *
 * Security caveat: this is a blind trust-on-first-use. The import happens
 * regardless of any other problem (expired cert, hostname mismatch, ...)
 * that was reported alongside the untrusted issuer, and the return value is
 * always {@code true}. Use only in tests against throw-away databases; a
 * production callback must return {@code false} for anything it has not
 * positively verified. Failures of the import (e.g. a second import under
 * the same fixed nickname, should the DB reject it) are printed and ignored.
 *
 * @param servercert the peer's end-entity certificate
 * @param status     the validity problems NSS found, possibly none
 * @return always {@code true}; returning {@code false} would abort the handshake
 */
@Override
public boolean approve(org.mozilla.jss.crypto.X509Certificate servercert, SSLCertificateApprovalCallback.ValidityStatus status) {
    System.out.println("in TestCertApprovalCallback.approve()");

    /* dump out server cert details */
    System.out.println("Peer cert details: " + describeCert(servercert));

    /* walk every reported problem; remember whether the issuer was untrusted */
    boolean untrustedIssuerSeen = false;
    Enumeration<ValidityItem> reasons = status.getReasons();
    for (int idx = 1; reasons.hasMoreElements(); idx++) {
        SSLCertificateApprovalCallback.ValidityItem problem = reasons.nextElement();
        System.out.println("item " + idx + " reason=" + problem.getReason() + " depth=" + problem.getDepth());
        org.mozilla.jss.crypto.X509Certificate offending = problem.getCert();
        if (problem.getReason() == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
            untrustedIssuerSeen = true;
        }
        System.out.println(" cert details: " + describeCert(offending));
    }

    /* pin the peer cert permanently when the only thing NSS disliked was the issuer */
    if (untrustedIssuerSeen) {
        System.out.println("importing certificate.");
        try {
            InternalCertificate pinned = org.mozilla.jss.CryptoManager.getInstance().importCertToPerm(servercert, "testnick");
            pinned.setSSLTrust(PK11Cert.TRUSTED_PEER | PK11Cert.VALID_PEER);
        } catch (Exception e) {
            System.out.println("thrown exception: " + e);
        }
    }

    /* allow the connection to continue.
       returning false here would abort the connection */
    return true;
}

/** Formats subject, issuer and serial of {@code cert} on three indented lines. */
private static String describeCert(org.mozilla.jss.crypto.X509Certificate cert) {
    return "\n subject: " + cert.getSubjectDN().toString()
            + "\n issuer: " + cert.getIssuerDN().toString()
            + "\n serial: " + cert.getSerialNumber().toString();
}
use of org.mozilla.jss.crypto.InternalCertificate in project jss by dogtagpki.
the class SSLClientAuth method generateCerts.
/**
 * Creates a self-signed test CA plus one server and one client certificate
 * signed by it, and imports all three into the NSS database held by
 * {@code cm}.
 *
 * The CA is imported under the nickname "SSLCA-" + serialNum and given
 * TRUSTED_CA | TRUSTED_CLIENT_CA | VALID_CA trust, which is what lets the
 * two leaf certificates validate for server and client auth. The server
 * cert's subject is "localhost"; the client cert's is "ClientCert". The
 * imported leaf certs are stored in the {@code nssServerCert} and
 * {@code nssClientCert} fields under {@code serverCertNick} and
 * {@code clientCertNick}.
 *
 * Security caveat: installing a CA with full trust flags affects every
 * validation done against this database, so only use it with a test DB.
 * Whether the server cert carries a subjectAltName depends on makeCert,
 * which is not shown here.
 *
 * Every failure is fatal: the exception is printed and the process exits
 * with status 1. The original listed several JSS exception types ahead of
 * the catch-all; since each handler did exactly the same thing, a single
 * handler is equivalent.
 *
 * @param cm        the crypto manager whose database receives the certs
 * @param serialNum serial of the CA cert; server and client use +1 and +2
 */
private void generateCerts(CryptoManager cm, int serialNum) {
    // RSA Key with default exponent
    final int rsaBits = 4096;
    try {
        java.security.KeyPairGenerator generator = java.security.KeyPairGenerator.getInstance("RSA", "Mozilla-JSS");

        // Generate CA cert: self-signed, with a basicConstraints extension.
        generator.initialize(rsaBits);
        KeyPair caKeys = generator.genKeyPair();
        SEQUENCE caExtensions = new SEQUENCE();
        caExtensions.addElement(makeBasicConstraintsExtension());
        Certificate caCert = makeCert("CACert", "CACert", serialNum, caKeys.getPrivate(), caKeys.getPublic(), serialNum, caExtensions);
        X509Certificate importedCa = cm.importUserCACertPackage(ASN1Util.encode(caCert), "SSLCA-" + serialNum);
        // Trust the new CA for both server and client certificates.
        ((InternalCertificate) importedCa).setSSLTrust(PK11Cert.TRUSTED_CA | PK11Cert.TRUSTED_CLIENT_CA | PK11Cert.VALID_CA);

        // Server cert, signed with the CA private key.
        generator.initialize(rsaBits);
        KeyPair serverKeys = generator.genKeyPair();
        Certificate serverCert = makeCert("CACert", "localhost", serialNum + 1, caKeys.getPrivate(), serverKeys.getPublic(), serialNum, null);
        nssServerCert = cm.importCertPackage(ASN1Util.encode(serverCert), serverCertNick);

        // Client-auth cert, signed with the CA private key.
        generator.initialize(rsaBits);
        KeyPair clientKeys = generator.genKeyPair();
        Certificate clientCert = makeCert("CACert", "ClientCert", serialNum + 2, caKeys.getPrivate(), clientKeys.getPublic(), serialNum, null);
        nssClientCert = cm.importCertPackage(ASN1Util.encode(clientCert), clientCertNick);
    } catch (Exception ex) {
        // Any failure (encoding, provider, nickname/user-cert conflict,
        // token errors, ...) is fatal for the test run.
        ex.printStackTrace();
        System.exit(1);
    }
}
use of org.mozilla.jss.crypto.InternalCertificate in project jss by dogtagpki.
the class TestCertificateApprovalCallback method approve.
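/**
 * Test-only certificate approval callback.
 *
 * Logs the peer certificate and every validity problem NSS reported, then
 * accepts the connection unconditionally. If any reported problem is
 * UNTRUSTED_ISSUER, the peer certificate is additionally imported into the
 * permanent database under the fixed nickname "testnick" and marked
 * TRUSTED_PEER | VALID_PEER, so later connections to that peer validate
 * without reaching this callback's reasons list.
 *
 * Security caveat: this is a blind trust-on-first-use. The import happens
 * regardless of any other problem (expired cert, hostname mismatch, ...)
 * reported alongside the untrusted issuer, and the return value is always
 * {@code true}. Use only in tests against a throw-away database; a
 * production callback must return {@code false} for anything it has not
 * positively verified.
 *
 * Import failures are logged with their stack trace through the class
 * logger (previously they were printed to stdout without a trace and were
 * easy to miss) and otherwise ignored, so a failed pin never breaks the
 * connection under test.
 *
 * @param servercert the peer's end-entity certificate
 * @param status     the validity problems NSS found, possibly none
 * @return always {@code true}; returning {@code false} would abort the handshake
 */
@Override
public boolean approve(org.mozilla.jss.crypto.X509Certificate servercert, SSLCertificateApprovalCallback.ValidityStatus status) {
    SSLCertificateApprovalCallback.ValidityItem item;
    logger.debug("in TestCertificateApprovalCallback.approve()");

    /* dump out server cert details */
    logger.debug("Peer cert details:");
    logger.debug(" subject: " + servercert.getSubjectDN());
    logger.debug(" issuer: " + servercert.getIssuerDN());
    logger.debug(" serial: " + servercert.getSerialNumber());

    /* iterate through all the problems; remember whether the issuer was untrusted */
    boolean trust_the_server_cert = false;
    Enumeration<ValidityItem> errors = status.getReasons();
    int i = 0;
    while (errors.hasMoreElements()) {
        i++;
        item = errors.nextElement();
        logger.debug("item " + i + " reason=" + item.getReason() + " depth=" + item.getDepth());
        org.mozilla.jss.crypto.X509Certificate cert = item.getCert();
        if (item.getReason() == SSLCertificateApprovalCallback.ValidityStatus.UNTRUSTED_ISSUER) {
            trust_the_server_cert = true;
        }
        logger.debug(" cert details:");
        logger.debug(" subject: " + cert.getSubjectDN());
        logger.debug(" issuer: " + cert.getIssuerDN());
        logger.debug(" serial: " + cert.getSerialNumber());
    }

    /* pin the peer cert permanently so the next handshake trusts it */
    if (trust_the_server_cert) {
        logger.debug("importing certificate.");
        try {
            InternalCertificate newcert = org.mozilla.jss.CryptoManager.getInstance().importCertToPerm(servercert, "testnick");
            newcert.setSSLTrust(PK11Cert.TRUSTED_PEER | PK11Cert.VALID_PEER);
        } catch (Exception e) {
            // Keep the cause and its stack trace; a silent pin failure would
            // otherwise surface only as a later, unrelated validation error.
            logger.warn("failed to import peer certificate as \"testnick\"", e);
        }
    }

    /* don't do this in production code! */
    return true;
}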