Add certificates and private keys to an existing or new KeyStore in Java, or create a self-signed certificate and add it.
import org.apache.commons.io.IOUtils;
import sun.security.tools.keytool.CertAndKeyGen;
import sun.security.x509.X500Name;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Objects;
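/**
 * Creates a new {@link KeyStore} (or takes an existing one) and adds private keys and
 * certificates to it. A self-signed certificate plus its matching private key can also be
 * minted on the fly with {@link #createCertPrivateKey()}.
 *
 * <p>Expected input formats:
 * <ul>
 *   <li>certificates: Base64 of the DER (X.509) encoding, without PEM header/footer lines
 *       (a complete PEM block is accepted as well and used unchanged);</li>
 *   <li>private keys: Base64 of the <em>unencrypted</em> PKCS#8 DER encoding of an RSA key.</li>
 * </ul>
 *
 * <p>Security notes: key material is handed around as immutable {@link String}s, which
 * cannot be zeroed after use, so keep such values out of logs and out of long-lived objects.
 * The store type is the legacy {@code "JKS"} (kept so existing callers keep working);
 * {@code "PKCS12"} is the JDK default since Java 9 and protects private keys with stronger
 * encryption, so prefer it for new code.
 *
 * <p>{@link #createCertPrivateKey()} relies on the JDK-internal classes
 * {@code sun.security.tools.keytool.CertAndKeyGen} and {@code sun.security.x509.X500Name}.
 * With Maven on Java 8 add the plugin below so the compiler ignores the symbol file; on
 * Java 9+ the {@code java.base} module does not export these packages, so the corresponding
 * {@code --add-exports} flags are needed at compile and run time as well.
 *
 * <pre>
 * &lt;plugin&gt;
 *   &lt;groupId&gt;org.apache.maven.plugins&lt;/groupId&gt;
 *   &lt;artifactId&gt;maven-compiler-plugin&lt;/artifactId&gt;
 *   &lt;version&gt;3.5.1&lt;/version&gt;
 *   &lt;configuration&gt;
 *     &lt;fork&gt;true&lt;/fork&gt;
 *     &lt;compilerArgument&gt;-XDignore.symbol.file&lt;/compilerArgument&gt;
 *   &lt;/configuration&gt;
 * &lt;/plugin&gt;
 * </pre>
 *
 * <p>See {@link #main(String[])} for a usage example.
 */
public class KeyStoreService {

    /** Subject used by the no-argument {@link #createCertPrivateKey()}. */
    private static final String DEFAULT_SUBJECT_DN = "CN=AttributeMapper,O=SURFnet,L=Utrecht,C=NL";

    /** Validity used by the no-argument {@link #createCertPrivateKey()}: ten years, in seconds. */
    private static final long DEFAULT_VALID_SECS = 10L * 365 * 24 * 60 * 60;

    private static final String PEM_CERT_BEGIN = "-----BEGIN CERTIFICATE-----";
    private static final String PEM_CERT_END = "-----END CERTIFICATE-----";

    /**
     * Usage example: mints two self-signed certificates, stores the first one together with
     * its private key as a key entry and the second one as a trusted-certificate entry.
     *
     * @param args ignored
     * @throws Exception any failure of the underlying crypto or key-store operations
     */
    public static void main(String[] args) throws Exception {
        KeyStoreService service = new KeyStoreService();
        // Each call mints a fresh self-signed certificate and private key: [0] = cert, [1] = key.
        String[] keyPair = service.createCertPrivateKey();
        String[] trusted = service.createCertPrivateKey();
        KeyStore keyStore = service.createKeyStore("secret");
        service.addPrivateKey(keyStore, "alias", keyPair[1], keyPair[0], "secret");
        service.addCertificate(keyStore, "otherAlias", trusted[0]);
    }

    /**
     * Creates a new, empty {@code "JKS"} key store.
     *
     * <p>The pass phrase is forwarded to {@link KeyStore#load(java.io.InputStream, char[])}
     * with a {@code null} stream; the integrity check that the pass phrase protects only
     * applies when a store is read from or written to a stream, so it is effectively unused
     * for an empty in-memory store.
     *
     * @param pemPassPhrase pass phrase handed to {@code load}; must not be {@code null}
     * @return an initialised, empty key store
     * @throws IllegalStateException if the JDK cannot provide or initialise a JKS store
     */
    public KeyStore createKeyStore(String pemPassPhrase) {
        Objects.requireNonNull(pemPassPhrase, "pemPassPhrase");
        try {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            // A null stream initialises an empty store instead of reading an existing one.
            keyStore.load(null, pemPassPhrase.toCharArray());
            return keyStore;
        } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException e) {
            // None of these are recoverable for the caller; keep the cause attached.
            throw new IllegalStateException("Unable to create an empty JKS key store", e);
        }
    }

    /**
     * Adds a private key together with its certificate as a key entry.
     *
     * @param keyStore the store to add the entry to; must be initialised
     * @param alias entry alias; an existing entry with the same alias is replaced by the store
     * @param privateKey Base64 of the unencrypted PKCS#8 DER encoding of an RSA private key
     * @param certificate Base64 of the DER certificate, or a complete PEM block
     * @param password password protecting the key entry inside the store
     * @throws IOException declared for backward compatibility; no longer thrown by this method
     * @throws NoSuchAlgorithmException if no RSA {@link KeyFactory} is available
     * @throws InvalidKeySpecException if the key bytes are not a valid PKCS#8 RSA key
     * @throws KeyStoreException if the store is not initialised or rejects the entry
     * @throws CertificateException if the certificate cannot be parsed
     * @throws IllegalArgumentException if {@code privateKey} is not valid Base64
     */
    public void addPrivateKey(KeyStore keyStore, String alias, String privateKey, String certificate, String password)
            throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, KeyStoreException, CertificateException {
        Objects.requireNonNull(keyStore, "keyStore");
        Objects.requireNonNull(alias, "alias");
        Objects.requireNonNull(privateKey, "privateKey");
        Objects.requireNonNull(password, "password");
        java.security.cert.Certificate cert = parseCertificate(certificate);
        // Base64 is pure ASCII, so decoding the String directly avoids a platform-charset getBytes().
        byte[] pkcs8 = Base64.getDecoder().decode(privateKey);
        PrivateKey privKey = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
        keyStore.setKeyEntry(alias, privKey, password.toCharArray(), new java.security.cert.Certificate[] {cert});
    }

    /**
     * Adds a certificate as a trusted-certificate entry.
     *
     * @param keyStore the store to add the entry to; must be initialised
     * @param alias entry alias
     * @param certificate Base64 of the DER certificate, or a complete PEM block
     * @throws CertificateException if the certificate cannot be parsed
     * @throws KeyStoreException if the store is not initialised or rejects the entry
     */
    public void addCertificate(KeyStore keyStore, String alias, String certificate) throws CertificateException, KeyStoreException {
        Objects.requireNonNull(keyStore, "keyStore");
        Objects.requireNonNull(alias, "alias");
        keyStore.setCertificateEntry(alias, parseCertificate(certificate));
    }

    /**
     * Parses a certificate given as bare Base64 DER or as a PEM block.
     *
     * @param certificate Base64 of the DER certificate, or a complete PEM block
     * @return the parsed X.509 certificate
     * @throws CertificateException if the input is not a parseable X.509 certificate
     */
    private java.security.cert.Certificate parseCertificate(String certificate) throws CertificateException {
        Objects.requireNonNull(certificate, "certificate");
        // PEM is ASCII by definition; an explicit charset keeps this independent of the platform default.
        byte[] pem = wrapCert(certificate).getBytes(StandardCharsets.US_ASCII);
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        return factory.generateCertificate(new ByteArrayInputStream(pem));
    }

    /**
     * Wraps bare Base64 in PEM header/footer lines. Input that already carries the header is
     * returned unchanged, so a full PEM block is not wrapped twice.
     */
    private String wrapCert(String certificate) {
        if (certificate.contains(PEM_CERT_BEGIN)) {
            return certificate;
        }
        return PEM_CERT_BEGIN + "\n" + certificate + "\n" + PEM_CERT_END;
    }

    /**
     * Mints a 2048-bit RSA key pair and a self-signed SHA256WithRSA certificate for the
     * default subject, valid for ten years.
     *
     * @return {@code [0]} = Base64 DER certificate, {@code [1]} = Base64 PKCS#8 private key
     * @throws NoSuchProviderException declared for backward compatibility
     * @throws NoSuchAlgorithmException if RSA or SHA256WithRSA is unavailable
     * @throws InvalidKeyException if the generated key is rejected when signing
     * @throws IOException if the subject name cannot be encoded
     * @throws CertificateException if the certificate cannot be built or encoded
     * @throws SignatureException if self-signing fails
     */
    public String[] createCertPrivateKey() throws NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException, IOException, CertificateException, SignatureException {
        return createCertPrivateKey(DEFAULT_SUBJECT_DN, DEFAULT_VALID_SECS);
    }

    /**
     * Mints a 2048-bit RSA key pair and a self-signed SHA256WithRSA certificate.
     *
     * <p>Uses the JDK-internal {@code CertAndKeyGen}; see the class documentation for the
     * compiler/runtime flags this needs.
     *
     * @param subjectDn X.500 distinguished name of the subject, e.g. {@code "CN=example"}
     * @param validSecs validity of the certificate in seconds, starting now; must be positive
     * @return {@code [0]} = Base64 DER certificate, {@code [1]} = Base64 PKCS#8 private key
     * @throws IllegalArgumentException if {@code validSecs} is not positive
     * @throws NoSuchProviderException declared for backward compatibility
     * @throws NoSuchAlgorithmException if RSA or SHA256WithRSA is unavailable
     * @throws InvalidKeyException if the generated key is rejected when signing
     * @throws IOException if {@code subjectDn} cannot be parsed into an X.500 name
     * @throws CertificateException if the certificate cannot be built or encoded
     * @throws SignatureException if self-signing fails
     */
    public String[] createCertPrivateKey(String subjectDn, long validSecs) throws NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException, IOException, CertificateException, SignatureException {
        Objects.requireNonNull(subjectDn, "subjectDn");
        if (validSecs <= 0) {
            throw new IllegalArgumentException("validSecs must be positive: " + validSecs);
        }
        CertAndKeyGen certGen = new CertAndKeyGen("RSA", "SHA256WithRSA", null);
        certGen.generate(2048);
        X509Certificate certificate = certGen.getSelfCertificate(new X500Name(subjectDn), validSecs);
        String encodedCert = Base64.getEncoder().encodeToString(certificate.getEncoded());
        String encodedKey = Base64.getEncoder().encodeToString(certGen.getPrivateKey().getEncoded());
        return new String[] {encodedCert, encodedKey};
    }
}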