public boolean createSelfSignedKeystore(
String cn,
String keystoreFile,
String keystorePassword,
String privateKeyPassword,
String privateKeyAlias) {
KeyStore ks = null;
try {
ks = KeyStore.getInstance("JKS");
ks.load(null, null);
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
keyGen.initialize(1024, new SecureRandom());
KeyPair keypair = keyGen.generateKeyPair();
PrivateKey privkey = keypair.getPrivate();
PublicKey pubkey = keypair.getPublic();
Hashtable<DERObjectIdentifier, String> attrs = new Hashtable<DERObjectIdentifier, String>();
Vector<DERObjectIdentifier> ordering = new Vector<DERObjectIdentifier>();
ordering.add(X509Name.CN);
attrs.put(X509Name.CN, cn);
X509Name issuerDN = new X509Name(ordering, attrs);
X509Name subjectDN = new X509Name(ordering, attrs);
Date validFrom = new Date();
validFrom.setTime(validFrom.getTime() - (10 * 60 * 1000));
Date validTo = new Date();
validTo.setTime(validTo.getTime() + (20 * (24 * 60 * 60 * 1000)));
X509V3CertificateGenerator x509 = new X509V3CertificateGenerator();
x509.setSignatureAlgorithm("SHA1withDSA");
x509.setIssuerDN(issuerDN);
x509.setSubjectDN(subjectDN);
x509.setPublicKey(pubkey);
x509.setNotBefore(validFrom);
x509.setNotAfter(validTo);
x509.setSerialNumber(new BigInteger(128, new Random()));
X509Certificate[] cert = new X509Certificate[1];
cert[0] = x509.generate(privkey, "BC");
java.security.cert.Certificate[] chain = new java.security.cert.Certificate[1];
chain[0] = cert[0];
ks.setKeyEntry(privateKeyAlias, privkey, privateKeyPassword.toCharArray(), cert);
ks.setKeyEntry(privateKeyAlias, privkey, privateKeyPassword.toCharArray(), chain);
ks.store(new FileOutputStream(keystoreFile), keystorePassword.toCharArray());
String IDP_RFC_CERT = "WEB-INF/guanxi_idp/keystore/guanxi_idp_cert.txt";
PEMWriter pemWriter = new PEMWriter(new FileWriter(servletContext.getRealPath(IDP_RFC_CERT)));
pemWriter.writeObject(cert[0]);
pemWriter.close();
return true;
} catch (Exception se) {
return false;
}
}
private void addCertToKeystore(X509Certificate _cert, Key _privateKey, String alias)
throws KeyStoreException {
X509Certificate[] chain = new X509Certificate[2];
chain[0] = _cert;
chain[1] = rootCA;
keystore.setKeyEntry(alias, _privateKey, KEYSTORE_PASSWORD.toCharArray(), chain);
}
/**
* We need a root CA as a file to add to the browser under which all certificates will be trusted.
*
* @throws Exception
*/
private void createRootCA() throws Exception {
KeyPair _keyPair = newKeyPair();
rootCA = buildRootCert(Configuration.getRootCaName(), _keyPair);
writePEMObject(rootCAPath, rootCA);
writePEMObject(Configuration.getRootKeyPath(), _keyPair.getPrivate());
keystore.setKeyEntry(
Configuration.getRootCaName(),
_keyPair.getPrivate(),
KEYSTORE_PASSWORD.toCharArray(),
new X509Certificate[] {rootCA});
}
/**
* Read certificate and adds it to the keystore.
*
* @throws IOException
* @throws CertificateException
* @throws KeyStoreException
*/
private void readRootCA() throws IOException, CertificateException, KeyStoreException {
Key _privateKey = readPrivateKey(Configuration.getRootKeyPath());
X509CertificateHolder holder =
(X509CertificateHolder) readWithPemParser(Configuration.getRootCaPath());
rootCA =
new JcaX509CertificateConverter()
.setProvider(BouncyCastleProvider.PROVIDER_NAME)
.getCertificate(holder);
keystore.setKeyEntry(
Configuration.getRootCaName(),
_privateKey,
KEYSTORE_PASSWORD.toCharArray(),
new X509Certificate[] {rootCA});
}
/**
* Create KeyStore and add a self-signed X.509 Certificate
*
* @param dname the X.509 Distinguished Name, eg "CN=www.google.co.uk, O=\"Google Inc\",
* L=\"Mountain View\", S=California, C=US"
* @param keyAlgorithmName the key algorithm, eg "RSA"
*/
private static KeyStore generateCertificate(
String alias,
char[] keyStorePassword,
KeyAlgorithmName keyAlgorithmName,
String dname,
String... sanDomains)
throws GeneralSecurityException, IOException {
CertAndKeyGen certAndKeyGen =
new CertAndKeyGen(
keyAlgorithmName.name(), keyAlgorithmName.signatureAlgorithmName, "SunCertificates");
certAndKeyGen.generate(keyAlgorithmName.keySize);
PrivateKey privateKey = certAndKeyGen.getPrivateKey();
X509CertInfo info = new X509CertInfo();
Date from = new Date();
Date to = new Date(from.getTime() + TimeUnit.DAYS.toMillis(360));
CertificateValidity interval = new CertificateValidity(from, to);
BigInteger sn = new BigInteger(64, new SecureRandom());
X500Name owner = new X500Name(dname);
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
info.set(X509CertInfo.KEY, new CertificateX509Key(certAndKeyGen.getPublicKey()));
info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
info.set(
X509CertInfo.ALGORITHM_ID,
new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid)));
// add subject alternative names
GeneralNames generalNames = new GeneralNames();
for (String sanDomain : sanDomains) {
generalNames.add(new GeneralName(new DNSName(sanDomain)));
}
if (generalNames.size() > 0) {
CertificateExtensions certificateExtensions =
(CertificateExtensions) info.get(X509CertInfo.EXTENSIONS);
if (certificateExtensions == null) certificateExtensions = new CertificateExtensions();
certificateExtensions.set(
SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(generalNames));
info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
}
// Sign the certificate to identify the algorithm that's used.
X509CertImpl x509Certificate = new X509CertImpl(info);
x509Certificate.sign(privateKey, keyAlgorithmName.signatureAlgorithmName);
// update the algorithm, and resign.
info.set(
CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM,
x509Certificate.get(X509CertImpl.SIG_ALG));
x509Certificate = new X509CertImpl(info);
x509Certificate.sign(privateKey, keyAlgorithmName.signatureAlgorithmName);
// add to new key store
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null, keyStorePassword);
keyStore.setKeyEntry(
alias, privateKey, keyStorePassword, new X509Certificate[] {x509Certificate});
return keyStore;
}
