// --- BEGIN COPYRIGHT BLOCK --- // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation; version 2 of the License. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // (C) 2007 Red Hat, Inc. // All rights reserved. // --- END COPYRIGHT BLOCK --- package netscape.security.x509; import java.io.IOException; import java.security.InvalidKeyException; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.NoSuchAlgorithmException; import java.security.NoSuchProviderException; import java.security.PrivateKey; import java.security.PublicKey; import java.security.SecureRandom; import java.security.Signature; import java.security.SignatureException; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.Date; import netscape.security.pkcs.PKCS10; /** * Generate a pair of keys, and provide access to them. This class is * provided primarily for ease of use. * *
* This provides some simple certificate management functionality. Specifically, it allows you to create self-signed * X.509 certificates as well as PKCS 10 based certificate signing requests. * *
* Keys for some public key signature algorithms have algorithm parameters, such as DSS/DSA. Some sites' Certificate * Authorities adopt fixed algorithm parameters, which speeds up some operations including key generation and signing. * At this time, this interface * does not provide a way to provide such algorithm parameters, e.g. * by providing the CA certificate which includes those parameters. * *
* Also, note that at this time only signature-capable keys may be acquired through this interface. Diffie-Hellman keys, * used for secure key exchange, may be supported later. * * @author David Brownell * @author Hemma Prafullchandra * @version 1.44 * @see PKCS10 * @see X509CertImpl */ public final class CertAndKeyGen { /** * Creates a CertAndKeyGen object for a particular key type * and signature algorithm. * * @param keyType type of key, e.g. "RSA", "DSA" * @param sigAlg name of the signature algorithm, e.g. "MD5WithRSA", * "MD2WithRSA", "SHAwithDSA". * @exception NoSuchAlgorithmException on unrecognized algorithms. */ public CertAndKeyGen(String keyType, String sigAlg) throws NoSuchAlgorithmException { keyGen = KeyPairGenerator.getInstance(keyType); this.sigAlg = sigAlg; } /** * Sets the source of random numbers used when generating keys. * If you do not provide one, a system default facility is used. * You may wish to provide your own source of random numbers * to get a reproducible sequence of keys and signatures, or * because you may be able to take advantage of strong sources * of randomness/entropy in your environment. * * @deprecated All random numbers come from PKCS #11 now. */ public void setRandom(SecureRandom generator) { } // want "public void generate (X509Certificate)" ... inherit DSA/D-H param /** * Generates a random public/private key pair, with a given key * size. Different algorithms provide different degrees of security * for the same key size, because of the "work factor" involved in * brute force attacks. As computers become faster, it becomes * easier to perform such attacks. Small keys are to be avoided. * *
* Note that not all values of "keyBits" are valid for all algorithms, and not all public key algorithms are * currently supported for use in X.509 certificates. If the algorithm you specified does not produce X.509 * compatible keys, an invalid key exception is thrown. * * @param keyBits the number of bits in the keys. * @exception InvalidKeyException if the environment does not * provide X.509 public keys for this signature algorithm. */ public void generate(int keyBits) throws InvalidKeyException { KeyPair pair; try { keyGen.initialize(keyBits); pair = keyGen.generateKeyPair(); } catch (Exception e) { throw new IllegalArgumentException(e.getMessage()); } PublicKey publicKey = pair.getPublic(); if (publicKey instanceof X509Key) { this.publicKey = (X509Key) publicKey; } else { throw new InvalidKeyException("public key " + publicKey + " not an X509Key."); } privateKey = pair.getPrivate(); } /** * Returns the public key of the generated key pair. */ public X509Key getPublicKey() { return publicKey; } /** * Returns the private key of the generated key pair. * *
* Be extremely careful when handling private keys. * When private keys are not kept secret, they lose their ability * to securely authenticate specific entities ... that is a huge * security risk! */ public PrivateKey getPrivateKey() { return privateKey; } /** * Returns a self-signed X.509v1 certificate for the public key. * The certificate is immediately valid. * *