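/**
 * Command-line entry point: generates a throw-away RSA key pair, prints an RS256-signed JWT
 * carrying the iss/sub/aud claims given on the command line with a 12-hour expiry, then prints
 * a self-signed X.509 v3 certificate (PEM) for the same key pair and the same validity window.
 *
 * <p>Usage: {@code JwtGenerator <issuer> <subject> <audience>}. Exits with status 1 when the
 * argument count is wrong.
 *
 * @param args issuer, subject and audience, in that order (matching the claim mapping below)
 * @throws Exception on any key-generation, signing or encoding failure
 */
public static void main(String[] args) throws Exception {
  if (args.length != 3) {
    // The usage text follows the claim mapping below: args[0] -> iss, args[1] -> sub, args[2] -> aud.
    System.out.println("Usage: JwtGenerator <issuer> <subject> <audience>");
    System.exit(1);
  }

  // 2048-bit RSA: 512-bit keys are trivially factorable and sit below the JDK's default
  // certificate-path key-size floor, so anything signed with one would be rejected downstream.
  KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
  keyGen.initialize(2048);
  KeyPair keyPair = keyGen.genKeyPair();
  PublicKey publicKey = keyPair.getPublic();

  // JWT expiry and certificate notAfter share one instant: 12 hours from now, in milliseconds.
  long validTime = System.currentTimeMillis() + 12L * 60 * 60 * 1000;

  String jwt =
      new JwtBuilderFactory()
          .jws(new SigningManager().newRsaSigningHandler(keyPair.getPrivate()))
          .headers()
          .alg(JwsAlgorithm.RS256)
          .done()
          .claims(
              new JwtClaimsSet(
                  json(object(
                          field("iss", args[0]),
                          field("sub", args[1]),
                          field("aud", args[2]),
                          // "exp" is a NumericDate in seconds since the epoch, hence the /1000.
                          field("exp", validTime / 1000)))
                      .asMap()))
          .build();
  System.out.println("JWT: " + jwt);

  // Self-signed certificate over the same public key; subject and issuer are identical.
  X509CertInfo info = new X509CertInfo();
  CertificateValidity interval = new CertificateValidity(new Date(), new Date(validTime));
  // 64 random bits from SecureRandom so the serial is unpredictable and non-negative.
  BigInteger sn = new BigInteger(64, new SecureRandom());
  X500Name owner = new X500Name("CN=ForgeRock,L=Bristol,C=GB");
  info.set(X509CertInfo.VALIDITY, interval);
  info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
  info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
  info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
  info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
  info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
  // The algorithm id written here must agree with the algorithm passed to sign() below,
  // because no resign step corrects it afterwards.
  AlgorithmId algo = new AlgorithmId(AlgorithmId.sha256WithRSAEncryption_oid);
  info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));

  X509CertImpl cert = new X509CertImpl(info);
  cert.sign(keyPair.getPrivate(), "SHA256withRSA");

  // PEM body: standard Base64 wrapped at 64 columns with LF line ends. Replaces
  // sun.misc.BASE64Encoder, which no longer exists in JDK 9+.
  String pemBody =
      java.util.Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(cert.getEncoded());
  System.out.println("Certificate:");
  System.out.println(X509Factory.BEGIN_CERT);
  System.out.println(pemBody);
  System.out.println(X509Factory.END_CERT);
}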
/**
 * Builds an X.509 v3 certificate for {@code kp}, issued by {@code "CN=root" + issuerDirString}
 * and signed with {@code signerPrivateKey} using {@code signingAlgorithm}.
 *
 * <p>With a {@code null} hostname the subject equals the issuer (a self-signed root); otherwise
 * the subject is {@code "CN=" + hostname + issuerDirString}. Validity runs 365 days from now and
 * the serial is 64 random bits. The certificate is signed twice: the first pass only reveals the
 * AlgorithmId the provider actually uses, which is copied into the certificate info before the
 * final signature is produced, replacing the placeholder set initially.
 *
 * <p>{@code isCertAuthority} and {@code signerPublicKey} are accepted but not read by this body:
 * no BasicConstraints or AuthorityKeyIdentifier extension is written.
 *
 * @param hostname DNS name for the subject CN, or {@code null} for a self-signed root
 * @param kp key pair whose public key is placed in the certificate
 * @param isCertAuthority not used by this implementation
 * @param signerPublicKey not used by this implementation
 * @param signerPrivateKey key that signs the certificate
 * @return the signed certificate
 * @throws IOException if the certificate info cannot be encoded
 * @throws CertificateException if the certificate cannot be built or signed
 * @throws NoSuchProviderException if the signature provider is unavailable
 * @throws NoSuchAlgorithmException if {@code signingAlgorithm} is unknown
 * @throws InvalidKeyException if {@code signerPrivateKey} does not fit the algorithm
 * @throws SignatureException if signing fails
 */
private static X509Certificate generateCert(
    String hostname,
    KeyPair kp,
    boolean isCertAuthority,
    PublicKey signerPublicKey,
    PrivateKey signerPrivateKey)
    throws IOException, CertificateException, NoSuchProviderException, NoSuchAlgorithmException,
        InvalidKeyException, SignatureException {
  X500Name issuerName = new X500Name("CN=root" + issuerDirString);
  X500Name subjectName =
      hostname == null ? issuerName : new X500Name("CN=" + hostname + issuerDirString);

  X509CertInfo certInfo = new X509CertInfo();
  Date notBefore = new Date();
  Date notAfter = new Date(notBefore.getTime() + 365 * 86400000L);
  BigInteger serial = new BigInteger(64, new SecureRandom());

  certInfo.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
  certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serial));
  certInfo.set(X509CertInfo.SUBJECT, new CertificateSubjectName(subjectName));
  certInfo.set(X509CertInfo.ISSUER, new CertificateIssuerName(issuerName));
  certInfo.set(X509CertInfo.KEY, new CertificateX509Key(kp.getPublic()));
  certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
  // Placeholder algorithm id only; it is overwritten below with the id the signing
  // provider reports, so the final certificate does not advertise MD5.
  certInfo.set(
      X509CertInfo.ALGORITHM_ID,
      new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid)));

  // First signature: its only purpose is to learn the provider's real AlgorithmId.
  X509CertImpl draft = new X509CertImpl(certInfo);
  draft.sign(signerPrivateKey, signingAlgorithm);
  AlgorithmId actualAlgorithm = (AlgorithmId) draft.get(X509CertImpl.SIG_ALG);
  certInfo.set(
      CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, actualAlgorithm);

  // Second signature over the corrected info is the one that is returned.
  X509CertImpl signed = new X509CertImpl(certInfo);
  signed.sign(signerPrivateKey, signingAlgorithm);
  return signed;
}
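/**
 * Creates an in-memory {@link KeyStore} holding a freshly generated key pair and a self-signed
 * X.509 v3 certificate for it.
 *
 * <p>The certificate is valid for 360 days from now, carries a 64-bit random serial and, when
 * {@code sanDomains} is non-empty, a SubjectAlternativeName extension with one DNS name per
 * entry. Subject and issuer are both {@code dname}. The certificate is signed twice: the first
 * pass only serves to discover the AlgorithmId the signature provider actually uses, which is
 * then written into the certificate info before the final signature is produced.
 *
 * @param alias key-store alias under which the private key and certificate are stored
 * @param keyStorePassword password used to initialise the key store and protect the key entry
 * @param keyAlgorithmName the key algorithm, eg "RSA"
 * @param dname the X.509 Distinguished Name, eg "CN=www.google.co.uk, O=\"Google Inc\",
 *     L=\"Mountain View\", S=California, C=US"
 * @param sanDomains DNS names to add as subject alternative names; may be empty or {@code null}
 * @return a loaded key store of the default type containing the single key entry
 * @throws GeneralSecurityException if key generation, signing or key-store setup fails
 * @throws IOException if the certificate info or key store cannot be built
 */
private static KeyStore generateCertificate(
    String alias,
    char[] keyStorePassword,
    KeyAlgorithmName keyAlgorithmName,
    String dname,
    String... sanDomains)
    throws GeneralSecurityException, IOException {
  CertAndKeyGen certAndKeyGen =
      new CertAndKeyGen(
          keyAlgorithmName.name(), keyAlgorithmName.signatureAlgorithmName, "SunCertificates");
  certAndKeyGen.generate(keyAlgorithmName.keySize);
  PrivateKey privateKey = certAndKeyGen.getPrivateKey();

  X509CertInfo info = new X509CertInfo();
  Date from = new Date();
  Date to = new Date(from.getTime() + TimeUnit.DAYS.toMillis(360));
  CertificateValidity interval = new CertificateValidity(from, to);
  // 64 random bits from SecureRandom: unpredictable, non-negative serial.
  BigInteger sn = new BigInteger(64, new SecureRandom());
  X500Name owner = new X500Name(dname);
  info.set(X509CertInfo.VALIDITY, interval);
  info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
  info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
  info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
  info.set(X509CertInfo.KEY, new CertificateX509Key(certAndKeyGen.getPublicKey()));
  info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
  // Placeholder only: the real algorithm id is copied in from the first signature below.
  // SHA-256 rather than MD5 so the certificate never advertises MD5 should the resign step
  // ever be dropped.
  info.set(
      X509CertInfo.ALGORITHM_ID,
      new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.sha256WithRSAEncryption_oid)));

  // Subject alternative names. A null varargs array (explicit (String[]) null) is treated as empty.
  String[] names = sanDomains == null ? new String[0] : sanDomains;
  GeneralNames generalNames = new GeneralNames();
  for (String sanDomain : names) {
    generalNames.add(new GeneralName(new DNSName(sanDomain)));
  }
  if (generalNames.size() > 0) {
    CertificateExtensions certificateExtensions =
        (CertificateExtensions) info.get(X509CertInfo.EXTENSIONS);
    if (certificateExtensions == null) {
      certificateExtensions = new CertificateExtensions();
    }
    certificateExtensions.set(
        SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(generalNames));
    info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
  }

  // First signature: only used to learn which AlgorithmId the provider really applies.
  X509CertImpl x509Certificate = new X509CertImpl(info);
  x509Certificate.sign(privateKey, keyAlgorithmName.signatureAlgorithmName);
  info.set(
      CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM,
      x509Certificate.get(X509CertImpl.SIG_ALG));
  // Final signature over the corrected info.
  x509Certificate = new X509CertImpl(info);
  x509Certificate.sign(privateKey, keyAlgorithmName.signatureAlgorithmName);

  // Fresh key store of the default type; load(null, ...) initialises it empty.
  KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
  keyStore.load(null, keyStorePassword);
  keyStore.setKeyEntry(
      alias, privateKey, keyStorePassword, new X509Certificate[] {x509Certificate});
  return keyStore;
}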