sun.security.x509.CertificateX509Key Java Examples

private X509Certificate generateCertificate(final KeyPair pair, final String alias) throws GeneralSecurityException, IOException {
    final X509CertInfo info = new X509CertInfo();
    final X500Name name = new X500Name("dc=" + alias);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(new BigInteger(256, RND)));
    info.set(X509CertInfo.SUBJECT, name);
    info.set(X509CertInfo.ISSUER, name);
    info.set(X509CertInfo.VALIDITY,
            new CertificateValidity(Date.from(Instant.now().minus(1, ChronoUnit.DAYS)),
                    Date.from(Instant.now().plus(730, ChronoUnit.DAYS))));
    info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
    info.set(X509CertInfo.ALGORITHM_ID,
            new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.sha256WithRSAEncryption_oid)));

    final X509CertImpl cert = new X509CertImpl(info);
    cert.sign(pair.getPrivate(), AlgorithmId.sha256WithRSAEncryption_oid.toString());

    return cert;
}
 

private String createEphemeralCert(Duration shiftIntoPast)
    throws GeneralSecurityException, ExecutionException, IOException {
  Duration validFor = Duration.ofHours(1);
  ZonedDateTime notBefore = ZonedDateTime.now().minus(shiftIntoPast);
  ZonedDateTime notAfter = notBefore.plus(validFor);

  CertificateValidity interval =
      new CertificateValidity(Date.from(notBefore.toInstant()), Date.from(notAfter.toInstant()));

  X509CertInfo info = new X509CertInfo();
  info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
  info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(1));
  info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(AlgorithmId.get("SHA1withRSA")));
  info.set(X509CertInfo.SUBJECT, new X500Name("C = US, O = Google\\, Inc, CN=temporary-subject"));
  info.set(X509CertInfo.KEY, new CertificateX509Key(Futures.getDone(clientKeyPair).getPublic()));
  info.set(X509CertInfo.VALIDITY, interval);
  info.set(
      X509CertInfo.ISSUER,
      new X500Name("C = US, O = Google\\, Inc, CN=Google Cloud SQL Signing CA foo:baz"));

  KeyFactory keyFactory = KeyFactory.getInstance("RSA");
  PKCS8EncodedKeySpec keySpec =
      new PKCS8EncodedKeySpec(decodeBase64StripWhitespace(TestKeys.SIGNING_CA_PRIVATE_KEY));
  PrivateKey signingKey = keyFactory.generatePrivate(keySpec);

  X509CertImpl cert = new X509CertImpl(info);
  cert.sign(signingKey, "SHA1withRSA");

  StringBuilder sb = new StringBuilder();
  sb.append("-----BEGIN CERTIFICATE-----\n");
  sb.append(Base64.getEncoder().encodeToString(cert.getEncoded()).replaceAll("(.{64})", "$1\n"));
  sb.append("\n");
  sb.append("-----END CERTIFICATE-----\n");

  return sb.toString();
}
 

protected static X509CertInfo createCertificateInfo(final String subjectDn, final String altNameIp,
		final String altNameHost, final PublicKey subjectPublicKey, final long validForDays, final boolean makeCa,
		final String issuerDn) {

	try {

		// Look up algorithm based on CA private key
		final AlgorithmId algorithmId = AlgorithmId.get(CERTIFICATE_SIGNING_ALGORITHM);

		// Define validity period
		final Date notBefore = new Date(new Date().getTime() - 300); // 5 minutes prior to avoid clock skew issues
		final Date notAfter = new Date(notBefore.getTime() + (validForDays * 24 * 3600 * 1000));
		final CertificateValidity validity = new CertificateValidity(notBefore, notAfter);

		// Random serial number
		final BigInteger serialNumber = RandomNumberGenerator.generateRandomInteger(128);

		// Define information within certificate
		final X509CertInfo certificateInfo = new X509CertInfo();
		certificateInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
		certificateInfo.set(X509CertInfo.VALIDITY, validity);
		certificateInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serialNumber));
		certificateInfo.set(X509CertInfo.SUBJECT, new X500Name(subjectDn));
		certificateInfo.set(X509CertInfo.ISSUER, new X500Name(issuerDn));
		certificateInfo.set(X509CertInfo.KEY, new CertificateX509Key(subjectPublicKey));
		certificateInfo.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algorithmId));

		// Process extensions
		final CertificateExtensions extensions = new CertificateExtensions();

		// Make the issued certificate a sub-CA of this one (or self-signed)
		final BasicConstraintsExtension bce = new BasicConstraintsExtension(makeCa, 0);
		extensions.set(BasicConstraintsExtension.NAME,
				new BasicConstraintsExtension(true, bce.getExtensionValue()));

		// Add a subject alternative name (if not null)
		if (altNameIp != null) {
			final GeneralNames generalNames = new GeneralNames();
			generalNames.add(new GeneralName(new IPAddressName(altNameIp)));
			generalNames.add(new GeneralName(new DNSName(altNameHost)));
			final SubjectAlternativeNameExtension san = new SubjectAlternativeNameExtension(false, generalNames);
			extensions.set(SubjectAlternativeNameExtension.NAME, san);
		}

		certificateInfo.set(X509CertInfo.EXTENSIONS, extensions);

		return certificateInfo;

	} catch (GeneralSecurityException | IOException e) {
		throw new RuntimeException(e);
	}
}
 

public static X509CertInfo createCertificateInfo(final String subjectDn, final String altNameIp,
		final String altNameHost, final PublicKey subjectPublicKey, final long validForDays, final boolean makeCa,
		final String issuerDn, final String certificateSigningAlgorithm) {

	try {

		// Look up algorithm based on CA private key
		final AlgorithmId algorithmId = AlgorithmId.get(certificateSigningAlgorithm);

		// Define validity period
		final Date notBefore = new Date(new Date().getTime() - 300); // 5 minutes prior to avoid clock skew issues
		final Date notAfter = new Date(notBefore.getTime() + (validForDays * 24 * 3600 * 1000));
		final CertificateValidity validity = new CertificateValidity(notBefore, notAfter);

		// Random serial number
		final BigInteger serialNumber = RandomNumberGenerator.generateRandomInteger(128);

		// Define information within certificate
		final X509CertInfo certificateInfo = new X509CertInfo();
		certificateInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
		certificateInfo.set(X509CertInfo.VALIDITY, validity);
		certificateInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serialNumber));
		certificateInfo.set(X509CertInfo.SUBJECT, new X500Name(subjectDn));
		certificateInfo.set(X509CertInfo.ISSUER, new X500Name(issuerDn));
		certificateInfo.set(X509CertInfo.KEY, new CertificateX509Key(subjectPublicKey));
		certificateInfo.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algorithmId));

		// Process extensions
		final CertificateExtensions extensions = new CertificateExtensions();

		// Make the issued certificate a sub-CA of this one (or self-signed)
		final BasicConstraintsExtension bce = new BasicConstraintsExtension(makeCa, 0);
		extensions.set(BasicConstraintsExtension.NAME,
				new BasicConstraintsExtension(true, bce.getExtensionValue()));

		// Add a subject alternative name (if not null)
		if (altNameIp != null) {
			final GeneralNames generalNames = new GeneralNames();
			generalNames.add(new GeneralName(new IPAddressName(altNameIp)));
			generalNames.add(new GeneralName(new DNSName(altNameHost)));
			final SubjectAlternativeNameExtension san = new SubjectAlternativeNameExtension(false, generalNames);
			extensions.set(SubjectAlternativeNameExtension.NAME, san);
		}

		certificateInfo.set(X509CertInfo.EXTENSIONS, extensions);

		return certificateInfo;

	} catch (GeneralSecurityException | IOException e) {
		throw new RuntimeException(e);
	}
}
 

private X509Certificate generateSelfSignedCertificate(KeyPair keyPair) throws CertificateException, IOException, NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    X509CertInfo certInfo = new X509CertInfo();
    // Serial number and version
    certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(new BigInteger(64, new SecureRandom())));
    certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));

    // Subject & Issuer
    X500Name owner = new X500Name(DN_NAME);
    certInfo.set(X509CertInfo.SUBJECT, owner);
    certInfo.set(X509CertInfo.ISSUER, owner);

    // Key and algorithm
    certInfo.set(X509CertInfo.KEY, new CertificateX509Key(keyPair.getPublic()));
    AlgorithmId algorithm = new AlgorithmId(AlgorithmId.sha1WithRSAEncryption_oid);
    certInfo.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algorithm));

    // Validity
    Date validFrom = new Date();
    Date validTo = new Date(validFrom.getTime() + 50L * 365L * 24L * 60L * 60L * 1000L); //50 years
    CertificateValidity validity = new CertificateValidity(validFrom, validTo);
    certInfo.set(X509CertInfo.VALIDITY, validity);
    
    GeneralNameInterface dnsName = new DNSName("baeldung.com");
    DerOutputStream dnsNameOutputStream = new DerOutputStream();
    dnsName.encode(dnsNameOutputStream);
    
    GeneralNameInterface ipAddress = new IPAddressName("127.0.0.1");
    DerOutputStream ipAddressOutputStream = new DerOutputStream();
    ipAddress.encode(ipAddressOutputStream);
    
    GeneralNames generalNames = new GeneralNames();
    generalNames.add(new GeneralName(dnsName));
    generalNames.add(new GeneralName(ipAddress));
    
    CertificateExtensions ext = new CertificateExtensions();
    ext.set(SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(generalNames));

    certInfo.set(X509CertInfo.EXTENSIONS, ext);        

    // Create certificate and sign it
    X509CertImpl cert = new X509CertImpl(certInfo);
    cert.sign(keyPair.getPrivate(), SHA1WITHRSA);

    // Since the SHA1withRSA provider may have a different algorithm ID to what we think it should be,
    // we need to reset the algorithm ID, and resign the certificate
    AlgorithmId actualAlgorithm = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG);
    certInfo.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, actualAlgorithm);
    X509CertImpl newCert = new X509CertImpl(certInfo);
    newCert.sign(keyPair.getPrivate(), SHA1WITHRSA);

    return newCert;
}