@InterfaceAudience.Private final class X509TestHelpers extends Object
Modifier and Type | Field and Description |
---|---|
private static String |
DEFAULT_ELLIPTIC_CURVE_NAME |
private static int |
DEFAULT_RSA_KEY_SIZE_BITS |
private static BigInteger |
DEFAULT_RSA_PUB_EXPONENT |
private static SecureRandom |
PRNG |
private static int |
SERIAL_NUMBER_MAX_BITS |
Modifier | Constructor and Description |
---|---|
private |
X509TestHelpers() |
Modifier and Type | Method and Description |
---|---|
private static X509Certificate |
buildAndSignCertificate(PrivateKey privateKey,
org.bouncycastle.cert.X509v3CertificateBuilder builder)
Signs the certificate being built by the given builder using the given private key and returns
the certificate.
|
static byte[] |
certAndPrivateKeyToBCFKSBytes(X509Certificate cert,
PrivateKey privateKey,
char[] keyPassword)
Encodes the given X509Certificate and private key as a BCFKS KeyStore, optionally protecting
the private key (and possibly the cert?) with a password.
|
private static byte[] |
certAndPrivateKeyToBytes(X509Certificate cert,
PrivateKey privateKey,
char[] keyPassword,
KeyStore keyStore) |
static byte[] |
certAndPrivateKeyToJavaKeyStoreBytes(X509Certificate cert,
PrivateKey privateKey,
char[] keyPassword)
Encodes the given X509Certificate and private key as a JKS KeyStore, optionally protecting the
private key (and possibly the cert?) with a password.
|
static byte[] |
certAndPrivateKeyToPKCS12Bytes(X509Certificate cert,
PrivateKey privateKey,
char[] keyPassword)
Encodes the given X509Certificate and private key as a PKCS12 KeyStore, optionally protecting
the private key (and possibly the cert?) with a password.
|
static byte[] |
certToBCFKSTrustStoreBytes(X509Certificate cert,
char[] keyPassword)
Encodes the given X509Certificate as a BCFKS TrustStore, optionally protecting the cert with a
password (though it's unclear why one would do this since certificates only contain public
information and do not need to be kept secret).
|
static byte[] |
certToJavaTrustStoreBytes(X509Certificate cert,
char[] keyPassword)
Encodes the given X509Certificate as a JKS TrustStore, optionally protecting the cert with a
password (though it's unclear why one would do this since certificates only contain public
information and do not need to be kept secret).
|
static byte[] |
certToPKCS12TrustStoreBytes(X509Certificate cert,
char[] keyPassword)
Encodes the given X509Certificate as a PKCS12 TrustStore, optionally protecting the cert with a
password (though it's unclear why one would do this since certificates only contain public
information and do not need to be kept secret).
|
private static byte[] |
certToTrustStoreBytes(X509Certificate cert,
char[] keyPassword,
KeyStore trustStore) |
static KeyPair |
generateECKeyPair()
Generates an elliptic curve key pair using the "secp256r1" aka "prime256v1" aka "NIST P-256"
curve.
|
static KeyPair |
generateKeyPair(X509KeyType keyType)
Generates a new asymmetric key pair of the given type.
|
static KeyPair |
generateRSAKeyPair()
Generates an RSA key pair with a 2048-bit private key and F4 (65537) as the public exponent.
|
private static org.bouncycastle.asn1.x509.GeneralNames |
getLocalhostSubjectAltNames()
Returns subject alternative names for "localhost".
|
private static org.bouncycastle.cert.X509v3CertificateBuilder |
initCertBuilder(org.bouncycastle.asn1.x500.X500Name issuer,
LocalDate notBefore,
LocalDate notAfter,
org.bouncycastle.asn1.x500.X500Name subject,
PublicKey subjectPublicKey)
Helper method for newSelfSignedCACert() and newCert().
|
static X509Certificate |
newCert(X509Certificate caCert,
KeyPair caKeyPair,
org.bouncycastle.asn1.x500.X500Name certSubject,
PublicKey certPublicKey)
Using the private key of the given CA key pair and the Subject of the given CA cert as the
Issuer, issues a new cert with the given subject and public key.
|
static X509Certificate |
newCert(X509Certificate caCert,
KeyPair caKeyPair,
org.bouncycastle.asn1.x500.X500Name certSubject,
PublicKey certPublicKey,
org.bouncycastle.asn1.x509.GeneralNames subjectAltNames)
Using the private key of the given CA key pair and the Subject of the given CA cert as the
Issuer, issues a new cert with the given subject and public key.
|
static X509Certificate |
newSelfSignedCACert(org.bouncycastle.asn1.x500.X500Name subject,
KeyPair keyPair)
Uses the private key of the given key pair to create a self-signed CA certificate with the
public half of the key pair and the given subject and expiration.
|
static String |
pemEncodeCertAndPrivateKey(X509Certificate cert,
PrivateKey privateKey,
char[] keyPassword)
PEM-encodes the given X509 certificate and private key (compatible with OpenSSL), optionally
protecting the private key with a password.
|
static String |
pemEncodePrivateKey(PrivateKey key,
char[] password)
PEM-encodes the given private key (compatible with OpenSSL), optionally protecting it with a
password, and returns the result as a String.
|
static String |
pemEncodeX509Certificate(X509Certificate cert)
PEM-encodes the given X509 certificate (compatible with OpenSSL) and returns the result as a
String.
|
static X509Certificate |
toX509Cert(org.bouncycastle.cert.X509CertificateHolder certHolder)
Convenience method to convert a bouncycastle X509CertificateHolder to a java X509Certificate.
|
private static final SecureRandom PRNG
private static final int DEFAULT_RSA_KEY_SIZE_BITS
private static final BigInteger DEFAULT_RSA_PUB_EXPONENT
private static final String DEFAULT_ELLIPTIC_CURVE_NAME
private static final int SERIAL_NUMBER_MAX_BITS
private X509TestHelpers()
public static X509Certificate newSelfSignedCACert(org.bouncycastle.asn1.x500.X500Name subject, KeyPair keyPair) throws IOException, org.bouncycastle.operator.OperatorCreationException, GeneralSecurityException
subject
- the subject of the new certificate being created.
keyPair
- the key pair to use. The public key will be embedded in the new certificate, and
the private key will be used to self-sign the certificate.
IOException
org.bouncycastle.operator.OperatorCreationException
GeneralSecurityException
public static X509Certificate newCert(X509Certificate caCert, KeyPair caKeyPair, org.bouncycastle.asn1.x500.X500Name certSubject, PublicKey certPublicKey) throws IOException, org.bouncycastle.operator.OperatorCreationException, GeneralSecurityException
certPublicKey, should be used as the key store.
caCert
- the certificate of the CA that's doing the signing.
caKeyPair
- the key pair of the CA. The private key will be used to sign. The public
key must match the public key in the caCert.
certSubject
- the subject field of the new cert being issued.
certPublicKey
- the public key of the new cert being issued.
IOException
org.bouncycastle.operator.OperatorCreationException
GeneralSecurityException
public static X509Certificate newCert(X509Certificate caCert, KeyPair caKeyPair, org.bouncycastle.asn1.x500.X500Name certSubject, PublicKey certPublicKey, org.bouncycastle.asn1.x509.GeneralNames subjectAltNames) throws IOException, org.bouncycastle.operator.OperatorCreationException, GeneralSecurityException
certPublicKey, should be used as the key store.
caCert
- the certificate of the CA that's doing the signing.
caKeyPair
- the key pair of the CA. The private key will be used to sign. The public
key must match the public key in the caCert.
certSubject
- the subject field of the new cert being issued.
certPublicKey
- the public key of the new cert being issued.
subjectAltNames
- the subject alternative names to use, or null if none.
IOException
org.bouncycastle.operator.OperatorCreationException
GeneralSecurityException
private static org.bouncycastle.asn1.x509.GeneralNames getLocalhostSubjectAltNames() throws UnknownHostException
UnknownHostException
private static org.bouncycastle.cert.X509v3CertificateBuilder initCertBuilder(org.bouncycastle.asn1.x500.X500Name issuer, LocalDate notBefore, LocalDate notAfter, org.bouncycastle.asn1.x500.X500Name subject, PublicKey subjectPublicKey)
issuer
- Issuer field of the new cert.
notBefore
- date before which the new cert is not valid.
notAfter
- date after which the new cert is not valid.
subject
- Subject field of the new cert.
subjectPublicKey
- public key to store in the new cert.
private static X509Certificate buildAndSignCertificate(PrivateKey privateKey, org.bouncycastle.cert.X509v3CertificateBuilder builder) throws IOException, org.bouncycastle.operator.OperatorCreationException, CertificateException
privateKey
- the private key to sign the certificate with.
builder
- the cert builder that contains the certificate data.
IOException
org.bouncycastle.operator.OperatorCreationException
CertificateException
public static KeyPair generateKeyPair(X509KeyType keyType) throws GeneralSecurityException
keyType
- the type of key pair to generate.
GeneralSecurityException
- if the Java crypto providers are misconfigured.
public static KeyPair generateRSAKeyPair() throws GeneralSecurityException
GeneralSecurityException
public static KeyPair generateECKeyPair() throws GeneralSecurityException
GeneralSecurityException
public static String pemEncodeCertAndPrivateKey(X509Certificate cert, PrivateKey privateKey, char[] keyPassword) throws IOException, org.bouncycastle.operator.OperatorCreationException
cert
- the X509 certificate to PEM-encode.
privateKey
- the private key to PEM-encode.
keyPassword
- an optional key password. If empty or null, the private key will not be
encrypted.
IOException
- if converting the certificate or private key to PEM format fails.
org.bouncycastle.operator.OperatorCreationException
- if constructing the encryptor from the given password fails.
public static String pemEncodePrivateKey(PrivateKey key, char[] password) throws IOException, org.bouncycastle.operator.OperatorCreationException
key
- the private key.
password
- an optional key password. If empty or null, the private key will not be
encrypted.
IOException
- if converting the key to PEM format fails.
org.bouncycastle.operator.OperatorCreationException
- if constructing the encryptor from the given password fails.
public static String pemEncodeX509Certificate(X509Certificate cert) throws IOException
cert
- the certificate.
IOException
- if converting the certificate to PEM format fails.
public static byte[] certToJavaTrustStoreBytes(X509Certificate cert, char[] keyPassword) throws IOException, GeneralSecurityException
cert
- the certificate to serialize.
keyPassword
- an optional password to encrypt the trust store. If empty or null, the cert
will not be encrypted.
IOException
GeneralSecurityException
public static byte[] certToPKCS12TrustStoreBytes(X509Certificate cert, char[] keyPassword) throws IOException, GeneralSecurityException
cert
- the certificate to serialize.
keyPassword
- an optional password to encrypt the trust store. If empty or null, the cert
will not be encrypted.
IOException
GeneralSecurityException
public static byte[] certToBCFKSTrustStoreBytes(X509Certificate cert, char[] keyPassword) throws IOException, GeneralSecurityException
cert
- the certificate to serialize.
keyPassword
- an optional password to encrypt the trust store. If empty or null, the cert
will not be encrypted.
IOException
GeneralSecurityException
private static byte[] certToTrustStoreBytes(X509Certificate cert, char[] keyPassword, KeyStore trustStore) throws IOException, GeneralSecurityException
IOException
GeneralSecurityException
public static byte[] certAndPrivateKeyToJavaKeyStoreBytes(X509Certificate cert, PrivateKey privateKey, char[] keyPassword) throws IOException, GeneralSecurityException
cert
- the X509 certificate to serialize.
privateKey
- the private key to serialize.
keyPassword
- an optional key password. If empty or null, the private key will not be
encrypted.
IOException
GeneralSecurityException
public static byte[] certAndPrivateKeyToPKCS12Bytes(X509Certificate cert, PrivateKey privateKey, char[] keyPassword) throws IOException, GeneralSecurityException
cert
- the X509 certificate to serialize.
privateKey
- the private key to serialize.
keyPassword
- an optional key password. If empty or null, the private key will not be
encrypted.
IOException
GeneralSecurityException
public static byte[] certAndPrivateKeyToBCFKSBytes(X509Certificate cert, PrivateKey privateKey, char[] keyPassword) throws IOException, GeneralSecurityException
cert
- the X509 certificate to serialize.
privateKey
- the private key to serialize.
keyPassword
- an optional key password. If empty or null, the private key will not be
encrypted.
IOException
GeneralSecurityException
private static byte[] certAndPrivateKeyToBytes(X509Certificate cert, PrivateKey privateKey, char[] keyPassword, KeyStore keyStore) throws IOException, GeneralSecurityException
IOException
GeneralSecurityException
public static X509Certificate toX509Cert(org.bouncycastle.cert.X509CertificateHolder certHolder) throws CertificateException
certHolder
- a bouncycastle X509CertificateHolder.
CertificateException
- if the conversion fails.
Copyright © 2007–2020 The Apache Software Foundation. All rights reserved.