diff options
Diffstat (limited to 'pki/base/util/src/netscape/security/x509/CertAndKeyGen.java')
| -rw-r--r-- | pki/base/util/src/netscape/security/x509/CertAndKeyGen.java | 283 |
1 files changed, 127 insertions, 156 deletions
diff --git a/pki/base/util/src/netscape/security/x509/CertAndKeyGen.java b/pki/base/util/src/netscape/security/x509/CertAndKeyGen.java index 644bfe7e5..f13a4852e 100644 --- a/pki/base/util/src/netscape/security/x509/CertAndKeyGen.java +++ b/pki/base/util/src/netscape/security/x509/CertAndKeyGen.java @@ -35,26 +35,21 @@ import java.util.Date; import netscape.security.pkcs.PKCS10; - /** - * Generate a pair of keys, and provide access to them. This class is + * Generate a pair of keys, and provide access to them. This class is * provided primarily for ease of use. - * - * <P>This provides some simple certificate management functionality. - * Specifically, it allows you to create self-signed X.509 certificates - * as well as PKCS 10 based certificate signing requests. - * - * <P>Keys for some public key signature algorithms have algorithm - * parameters, such as DSS/DSA. Some sites' Certificate Authorities - * adopt fixed algorithm parameters, which speeds up some operations - * including key generation and signing. <em>At this time, this interface + * + * <P> + * This provides some simple certificate management functionality. Specifically, it allows you to create self-signed X.509 certificates as well as PKCS 10 based certificate signing requests. + * + * <P> + * Keys for some public key signature algorithms have algorithm parameters, such as DSS/DSA. Some sites' Certificate Authorities adopt fixed algorithm parameters, which speeds up some operations including key generation and signing. <em>At this time, this interface * does not provide a way to provide such algorithm parameters, e.g. * by providing the CA certificate which includes those parameters.</em> - * - * <P>Also, note that at this time only signature-capable keys may be - * acquired through this interface. Diffie-Hellman keys, used for secure - * key exchange, may be supported later. - * + * + * <P> + * Also, note that at this time only signature-capable keys may be acquired through this interface. Diffie-Hellman keys, used for secure key exchange, may be supported later. + * * @author David Brownell * @author Hemma Prafullchandra * @version 1.44 @@ -65,17 +60,16 @@ public final class CertAndKeyGen { /** * Creates a CertAndKeyGen object for a particular key type * and signature algorithm. - * + * * @param keyType type of key, e.g. "RSA", "DSA" * @param sigAlg name of the signature algorithm, e.g. "MD5WithRSA", - * "MD2WithRSA", "SHAwithDSA". + * "MD2WithRSA", "SHAwithDSA". * @exception NoSuchAlgorithmException on unrecognized algorithms. */ - public CertAndKeyGen (String keyType, String sigAlg) - throws NoSuchAlgorithmException - { - keyGen = KeyPairGenerator.getInstance(keyType); - this.sigAlg = sigAlg; + public CertAndKeyGen(String keyType, String sigAlg) + throws NoSuchAlgorithmException { + keyGen = KeyPairGenerator.getInstance(keyType); + this.sigAlg = sigAlg; } /** @@ -85,125 +79,108 @@ public final class CertAndKeyGen { * to get a reproducible sequence of keys and signatures, or * because you may be able to take advantage of strong sources * of randomness/entropy in your environment. - * + * * @deprecated All random numbers come from PKCS #11 now. */ - public void setRandom (SecureRandom generator) - { + public void setRandom(SecureRandom generator) { } // want "public void generate (X509Certificate)" ... inherit DSA/D-H param /** * Generates a random public/private key pair, with a given key - * size. Different algorithms provide different degrees of security + * size. Different algorithms provide different degrees of security * for the same key size, because of the "work factor" involved in - * brute force attacks. As computers become faster, it becomes - * easier to perform such attacks. Small keys are to be avoided. - * - * <P>Note that not all values of "keyBits" are valid for all - * algorithms, and not all public key algorithms are currently - * supported for use in X.509 certificates. If the algorithm - * you specified does not produce X.509 compatible keys, an - * invalid key exception is thrown. - * + * brute force attacks. As computers become faster, it becomes + * easier to perform such attacks. Small keys are to be avoided. + * + * <P> + * Note that not all values of "keyBits" are valid for all algorithms, and not all public key algorithms are currently supported for use in X.509 certificates. If the algorithm you specified does not produce X.509 compatible keys, an invalid key exception is thrown. + * * @param keyBits the number of bits in the keys. * @exception InvalidKeyException if the environment does not - * provide X.509 public keys for this signature algorithm. + * provide X.509 public keys for this signature algorithm. */ - public void generate (int keyBits) - throws InvalidKeyException - { - KeyPair pair; + public void generate(int keyBits) + throws InvalidKeyException { + KeyPair pair; - try { - keyGen.initialize (keyBits); - pair = keyGen.generateKeyPair (); + try { + keyGen.initialize(keyBits); + pair = keyGen.generateKeyPair(); - } catch (Exception e) { - throw new IllegalArgumentException (e.getMessage ()); - } - - PublicKey publicKey = pair.getPublic(); + } catch (Exception e) { + throw new IllegalArgumentException(e.getMessage()); + } - if (publicKey instanceof X509Key) { - this.publicKey = (X509Key) publicKey; - - } else { - throw new InvalidKeyException ("public key " + publicKey + - " not an X509Key."); - } - privateKey = pair.getPrivate (); - } + PublicKey publicKey = pair.getPublic(); + + if (publicKey instanceof X509Key) { + this.publicKey = (X509Key) publicKey; + } else { + throw new InvalidKeyException("public key " + publicKey + + " not an X509Key."); + } + privateKey = pair.getPrivate(); + } /** * Returns the public key of the generated key pair. */ - public X509Key getPublicKey () - { - return publicKey; + public X509Key getPublicKey() { + return publicKey; } - /** * Returns the private key of the generated key pair. - * - * <P><STRONG><em>Be extremely careful when handling private keys. + * + * <P> + * <STRONG><em>Be extremely careful when handling private keys. * When private keys are not kept secret, they lose their ability * to securely authenticate specific entities ... that is a huge * security risk!</em></STRONG> */ - public PrivateKey getPrivateKey () - { - return privateKey; + public PrivateKey getPrivateKey() { + return privateKey; } - /** * Returns a self-signed X.509v1 certificate for the public key. * The certificate is immediately valid. - * - * <P>Such certificates normally are used to identify a "Certificate - * Authority" (CA). Accordingly, they will not always be accepted by - * other parties. However, such certificates are also useful when - * you are bootstrapping your security infrastructure, or deploying - * system prototypes. - * + * + * <P> + * Such certificates normally are used to identify a "Certificate Authority" (CA). Accordingly, they will not always be accepted by other parties. However, such certificates are also useful when you are bootstrapping your security infrastructure, or deploying system prototypes. + * * @deprecated Use the new <a href = - * "#getSelfCertificate(netscape.security.x509.X500Name, long)"> - * + * "#getSelfCertificate(netscape.security.x509.X500Name, long)"> + * * @param myname X.500 name of the subject (who is also the issuer) * @param validity how long the certificate should be valid, in seconds - */ - public X509Cert getSelfCert (X500Name myname, long validity) - throws InvalidKeyException, SignatureException, NoSuchAlgorithmException - { - X509Certificate cert; - - try { - cert = getSelfCertificate(myname, validity); - return new X509Cert(cert.getEncoded()); - } catch (CertificateException e) { - throw new SignatureException(e.getMessage()); - } catch (NoSuchProviderException e) { - throw new NoSuchAlgorithmException(e.getMessage()); - } catch (IOException e) { - throw new SignatureException(e.getMessage()); - } + */ + public X509Cert getSelfCert(X500Name myname, long validity) + throws InvalidKeyException, SignatureException, NoSuchAlgorithmException { + X509Certificate cert; + + try { + cert = getSelfCertificate(myname, validity); + return new X509Cert(cert.getEncoded()); + } catch (CertificateException e) { + throw new SignatureException(e.getMessage()); + } catch (NoSuchProviderException e) { + throw new NoSuchAlgorithmException(e.getMessage()); + } catch (IOException e) { + throw new SignatureException(e.getMessage()); + } } - /** * Returns a self-signed X.509v3 certificate for the public key. * The certificate is immediately valid. No extensions. - * - * <P>Such certificates normally are used to identify a "Certificate - * Authority" (CA). Accordingly, they will not always be accepted by - * other parties. However, such certificates are also useful when - * you are bootstrapping your security infrastructure, or deploying - * system prototypes. - * + * + * <P> + * Such certificates normally are used to identify a "Certificate Authority" (CA). Accordingly, they will not always be accepted by other parties. However, such certificates are also useful when you are bootstrapping your security infrastructure, or deploying system prototypes. + * * @param myname X.500 name of the subject (who is also the issuer) * @param validity how long the certificate should be valid, in seconds * @exception CertificateException on certificate handling errors. @@ -212,30 +189,29 @@ public final class CertAndKeyGen { * @exception NoSuchAlgorithmException on unrecognized algorithms. * @exception NoSuchProviderException on unrecognized providers. */ - public X509Certificate getSelfCertificate (X500Name myname, long validity) - throws CertificateException, InvalidKeyException, SignatureException, - NoSuchAlgorithmException, NoSuchProviderException - { - X500Signer issuer; - X509CertImpl cert; - Date firstDate, lastDate; - - try { - issuer = getSigner (myname); + public X509Certificate getSelfCertificate(X500Name myname, long validity) + throws CertificateException, InvalidKeyException, SignatureException, + NoSuchAlgorithmException, NoSuchProviderException { + X500Signer issuer; + X509CertImpl cert; + Date firstDate, lastDate; - firstDate = new Date (); - lastDate = new Date (); - lastDate.setTime (lastDate.getTime () + validity * 1000); + try { + issuer = getSigner(myname); + + firstDate = new Date(); + lastDate = new Date(); + lastDate.setTime(lastDate.getTime() + validity * 1000); CertificateValidity interval = - new CertificateValidity(firstDate,lastDate); - + new CertificateValidity(firstDate, lastDate); + X509CertInfo info = new X509CertInfo(); // Add all mandatory attributes info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V1)); info.set(X509CertInfo.SERIAL_NUMBER, - new CertificateSerialNumber((int)(firstDate.getTime()/1000))); + new CertificateSerialNumber((int) (firstDate.getTime() / 1000))); AlgorithmId algID = issuer.getAlgorithmId(); info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algID)); @@ -245,63 +221,58 @@ public final class CertAndKeyGen { info.set(X509CertInfo.ISSUER, new CertificateIssuerName(issuer.getSigner())); - cert = new X509CertImpl(info); - cert.sign(privateKey, algID.getName()); + cert = new X509CertImpl(info); + cert.sign(privateKey, algID.getName()); - return (X509Certificate)cert; + return (X509Certificate) cert; - } catch (IOException e) { - throw new CertificateEncodingException("getSelfCert: " + + } catch (IOException e) { + throw new CertificateEncodingException("getSelfCert: " + e.getMessage()); - } + } } /** - * Returns a PKCS #10 certificate request. The caller uses either - * <code>PKCS10.print</code> or <code>PKCS10.toByteArray</code> - * operations on the result, to get the request in an appropriate + * Returns a PKCS #10 certificate request. The caller uses either <code>PKCS10.print</code> or <code>PKCS10.toByteArray</code> operations on the result, to get the request in an appropriate * transmission format. - * - * <P>PKCS #10 certificate requests are sent, along with some proof - * of identity, to Certificate Authorities (CAs) which then issue - * X.509 public key certificates. - * + * + * <P> + * PKCS #10 certificate requests are sent, along with some proof of identity, to Certificate Authorities (CAs) which then issue X.509 public key certificates. + * * @param myname X.500 name of the subject * @exception InvalidKeyException on key handling errors. * @exception SignatureException on signature handling errors. */ - public PKCS10 getCertRequest (X500Name myname) - throws InvalidKeyException, SignatureException - { - PKCS10 req = new PKCS10 (publicKey); + public PKCS10 getCertRequest(X500Name myname) + throws InvalidKeyException, SignatureException { + PKCS10 req = new PKCS10(publicKey); - try { - req.encodeAndSign (getSigner (myname)); + try { + req.encodeAndSign(getSigner(myname)); - } catch (CertificateException e) { - throw new SignatureException (sigAlg + " CertificateException"); + } catch (CertificateException e) { + throw new SignatureException(sigAlg + " CertificateException"); - } catch (IOException e) { - throw new SignatureException (sigAlg + " IOException"); + } catch (IOException e) { + throw new SignatureException(sigAlg + " IOException"); - } catch (NoSuchAlgorithmException e) { - // "can't happen" - throw new SignatureException (sigAlg + " unavailable?"); - } - return req; + } catch (NoSuchAlgorithmException e) { + // "can't happen" + throw new SignatureException(sigAlg + " unavailable?"); + } + return req; } - private X500Signer getSigner (X500Name me) - throws InvalidKeyException, NoSuchAlgorithmException - { - Signature signature = Signature.getInstance(sigAlg); + private X500Signer getSigner(X500Name me) + throws InvalidKeyException, NoSuchAlgorithmException { + Signature signature = Signature.getInstance(sigAlg); - signature.initSign (privateKey); - return new X500Signer (signature, me); + signature.initSign(privateKey); + return new X500Signer(signature, me); } - private String sigAlg; - private KeyPairGenerator keyGen; - private X509Key publicKey; - private PrivateKey privateKey; + private String sigAlg; + private KeyPairGenerator keyGen; + private X509Key publicKey; + private PrivateKey privateKey; } |