public class X509Utilities
| Modifier and Type | Class and Description |
|---|---|
| static class | X509Utilities.CACertAndKey: Helper data class to pass around public certificate and KeyPair entities when using CA certs. |
| Modifier and Type | Field and Description |
|---|---|
| static X509Utilities | INSTANCE |
| Modifier and Type | Method and Description |
|---|---|
| void | addOrReplaceCertificate(java.security.KeyStore $receiver, java.lang.String alias, java.security.cert.Certificate cert): Helper extension method to add or overwrite any public certificate data in the store. |
| void | addOrReplaceKey(java.security.KeyStore $receiver, java.lang.String alias, java.security.Key key, char[] password, java.security.cert.Certificate[] chain): Helper extension method to add or overwrite any key data in the store. |
| java.security.KeyStore | createCAKeyStoreAndTrustStore(java.nio.file.Path keyStoreFilePath, java.lang.String storePassword, java.lang.String keyPassword, java.nio.file.Path trustStoreFilePath, java.lang.String trustStorePassword): All in one wrapper to manufacture a root CA cert and an intermediate CA cert. Normally this would be run once and then the outputs would be re-used repeatedly to manufacture the server certs. |
| org.bouncycastle.pkcs.PKCS10CertificationRequest | createCertificateSigningRequest(java.lang.String myLegalName, java.lang.String nearestCity, java.lang.String email, java.security.KeyPair keyPair): Create a certificate signing request using the provided information. |
| X509Utilities.CACertAndKey | createIntermediateCert(java.lang.String domain, X509Utilities.CACertAndKey certificateAuthority): Create a de novo root intermediate X509 v3 CA cert and KeyPair. |
| java.security.KeyStore | createKeystoreForSSL(java.nio.file.Path keyStoreFilePath, java.lang.String storePassword, java.lang.String keyPassword, java.security.KeyStore caKeyStore, java.lang.String caKeyPassword, java.lang.String commonName): An all in one wrapper to manufacture a server certificate and keys, all stored in a KeyStore suitable for running TLS on the local machine. |
| X509Utilities.CACertAndKey | createSelfSignedCACert(java.lang.String myLegalName): Create a de novo root self-signed X509 v3 CA cert and KeyPair. |
| java.security.cert.X509Certificate | createServerCert(org.bouncycastle.asn1.x500.X500Name subject, java.security.PublicKey publicKey, X509Utilities.CACertAndKey certificateAuthority, java.util.List<java.lang.String> subjectAlternativeNameDomains, java.util.List<java.lang.String> subjectAlternativeNameIps): Create an X509v3 certificate suitable for use in TLS roles. |
| java.security.KeyPair | generateECDSAKeyPairForSSL(): Generate a standard curve ECDSA KeyPair suitable for TLS, although the rest of Corda uses newer curves. |
| java.lang.String | getCORDA_CLIENT_CA() |
| java.lang.String | getCORDA_CLIENT_CA_PRIVATE_KEY() |
| java.lang.String | getCORDA_INTERMEDIATE_CA() |
| java.lang.String | getCORDA_INTERMEDIATE_CA_PRIVATE_KEY() |
| java.lang.String | getCORDA_ROOT_CA() |
| java.lang.String | getCORDA_ROOT_CA_PRIVATE_KEY() |
| org.bouncycastle.asn1.x500.X500Name | getDevX509Name(java.lang.String commonName): Return a bogus X509 name for dev purposes. Use getX509Name for something more real. |
| java.lang.String | getECDSA_CURVE() |
| java.lang.String | getKEYSTORE_TYPE() |
| java.lang.String | getKEY_GENERATION_ALGORITHM() |
| java.lang.String | getSIGNATURE_ALGORITHM() |
| org.bouncycastle.asn1.x500.X500Name | getX509Name(java.lang.String myLegalName, java.lang.String nearestCity, java.lang.String email) |
| X509Utilities.CACertAndKey | loadCertificateAndKey(java.security.KeyStore keyStore, java.lang.String keyPassword, java.lang.String alias): Helper method to load a Certificate and KeyPair from their KeyStore. The access details should match those of the createCAKeyStoreAndTrustStore call used to manufacture the keys. |
| java.security.cert.X509Certificate | loadCertificateFromKeyStore(java.nio.file.Path keyStoreFilePath, java.lang.String storePassword, java.lang.String alias): Extract a public X509 certificate from a KeyStore file, assuming the storage alias is known. |
| java.security.cert.X509Certificate | loadCertificateFromPEMFile(java.nio.file.Path filename): Helper method to load back a .pem/.cer format file copy of a certificate. |
| java.security.KeyPair | loadKeyPairFromKeyStore(java.nio.file.Path keyStoreFilePath, java.lang.String storePassword, java.lang.String keyPassword, java.lang.String alias): Extract public and private keys from a KeyStore file, assuming the storage alias is known. |
| java.security.KeyStore | loadKeyStore(java.nio.file.Path keyStoreFilePath, java.lang.String storePassword): Helper method to open an existing keystore for modification/read. |
| java.security.KeyStore | loadKeyStore(java.io.InputStream input, java.lang.String storePassword): Helper method to open an existing keystore for modification/read. |
| java.security.KeyPair | loadOrCreateKeyPairFromKeyStore(java.nio.file.Path keyStoreFilePath, java.lang.String storePassword, java.lang.String keyPassword, java.lang.String alias, kotlin.jvm.functions.Function0<net.corda.core.crypto.X509Utilities.CACertAndKey> keyGenerator): Extract public and private keys from a KeyStore file, assuming the storage alias is known, or create a new pair of keys using the provided function if the keys do not exist. |
| java.security.KeyStore | loadOrCreateKeyStore(java.nio.file.Path keyStoreFilePath, java.lang.String storePassword): Helper method to either open an existing keystore for modification, or create a new blank keystore. |
| void | saveCertificateAsPEMFile(java.security.cert.X509Certificate x509Certificate, java.nio.file.Path filename): Helper method to store a .pem/.cer format file copy of a certificate if required for import into a PC/Mac, or for inspection. |
| void | saveKeyStore(java.security.KeyStore keyStore, java.nio.file.Path keyStoreFilePath, java.lang.String storePassword): Helper method to save a KeyStore to storage. |
public static X509Utilities INSTANCE

public java.lang.String getSIGNATURE_ALGORITHM()

public java.lang.String getKEY_GENERATION_ALGORITHM()

public java.lang.String getECDSA_CURVE()

public java.lang.String getKEYSTORE_TYPE()

public java.lang.String getCORDA_ROOT_CA_PRIVATE_KEY()

public java.lang.String getCORDA_ROOT_CA()

public java.lang.String getCORDA_INTERMEDIATE_CA_PRIVATE_KEY()

public java.lang.String getCORDA_INTERMEDIATE_CA()

public java.lang.String getCORDA_CLIENT_CA_PRIVATE_KEY()

public java.lang.String getCORDA_CLIENT_CA()

public org.bouncycastle.asn1.x500.X500Name getDevX509Name(java.lang.String commonName)
Return a bogus X509 name for dev purposes. Use getX509Name for something more real.

public org.bouncycastle.asn1.x500.X500Name getX509Name(java.lang.String myLegalName, java.lang.String nearestCity, java.lang.String email)

public java.security.KeyStore loadOrCreateKeyStore(java.nio.file.Path keyStoreFilePath, java.lang.String storePassword)
Helper method to either open an existing keystore for modification, or create a new blank keystore.
keyStoreFilePath - location of KeyStore file
storePassword - password to open the store. This does not have to be the same password as any keys stored, but for SSL purposes this is recommended.

public java.security.KeyStore loadKeyStore(java.nio.file.Path keyStoreFilePath, java.lang.String storePassword)
Helper method to open an existing keystore for modification/read.
keyStoreFilePath - location of KeyStore file, which must exist or this will throw FileNotFoundException
storePassword - password to open the store. This does not have to be the same password as any keys stored, but for SSL purposes this is recommended.

public java.security.KeyStore loadKeyStore(java.io.InputStream input, java.lang.String storePassword)
Helper method to open an existing keystore for modification/read.
input - stream containing a KeyStore, e.g. loaded from a resource file
storePassword - password to open the store. This does not have to be the same password as any keys stored, but for SSL purposes this is recommended.

public void saveKeyStore(java.security.KeyStore keyStore, java.nio.file.Path keyStoreFilePath, java.lang.String storePassword)
Helper method to save a KeyStore to storage.
keyStore - the KeyStore to persist
keyStoreFilePath - the file location to save to
storePassword - password to access the store in future. This does not have to be the same password as any keys stored, but for SSL purposes this is recommended.

public void addOrReplaceKey(java.security.KeyStore $receiver, java.lang.String alias, java.security.Key key, char[] password, java.security.cert.Certificate[] chain)
Helper extension method to add or overwrite any key data in the store.
alias - name to record the private key and certificate chain under
key - cryptographic key to store
password - password for unlocking the key entry in the future. This does not have to be the same password as any keys stored, but for SSL purposes this is recommended.
chain - the sequence of certificates starting with the public key certificate for this key and extending to the root CA cert

public void addOrReplaceCertificate(java.security.KeyStore $receiver, java.lang.String alias, java.security.cert.Certificate cert)
Helper extension method to add or overwrite any public certificate data in the store.
alias - name to record the public certificate under
cert - certificate to store

public java.security.KeyPair generateECDSAKeyPairForSSL()
Generate a standard curve ECDSA KeyPair suitable for TLS, although the rest of Corda uses newer curves.

public org.bouncycastle.pkcs.PKCS10CertificationRequest createCertificateSigningRequest(java.lang.String myLegalName, java.lang.String nearestCity, java.lang.String email, java.security.KeyPair keyPair)
Create a certificate signing request using the provided information.
myLegalName - The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC.
nearestCity - The city where your organization is located.
email - An email address used to contact your organization.
keyPair - Standard curve ECDSA KeyPair generated for TLS.

public X509Utilities.CACertAndKey createSelfSignedCACert(java.lang.String myLegalName)
Create a de novo root self-signed X509 v3 CA cert and KeyPair.

public X509Utilities.CACertAndKey createIntermediateCert(java.lang.String domain, X509Utilities.CACertAndKey certificateAuthority)
Create a de novo root intermediate X509 v3 CA cert and KeyPair.
domain - The Common Name (CN) field of the cert Subject will be populated with the domain string
certificateAuthority - The public certificate and KeyPair of the root CA certificate above this, used to sign it

public java.security.cert.X509Certificate createServerCert(org.bouncycastle.asn1.x500.X500Name subject, java.security.PublicKey publicKey, X509Utilities.CACertAndKey certificateAuthority, java.util.List<java.lang.String> subjectAlternativeNameDomains, java.util.List<java.lang.String> subjectAlternativeNameIps)
Create an X509v3 certificate suitable for use in TLS roles.
subject - The contents to put in the subject field of the certificate
publicKey - The PublicKey to be wrapped in the certificate
certificateAuthority - The public certificate and KeyPair of the parent CA that will sign this certificate
subjectAlternativeNameDomains - A set of alternate DNS names to be supported by the certificate during validation of the TLS handshake
subjectAlternativeNameIps - A set of alternate IP addresses to be supported by the certificate during validation of the TLS handshake

public void saveCertificateAsPEMFile(java.security.cert.X509Certificate x509Certificate, java.nio.file.Path filename)
Helper method to store a .pem/.cer format file copy of a certificate if required for import into a PC/Mac, or for inspection.
x509Certificate - certificate to save
filename - Target filename

public java.security.cert.X509Certificate loadCertificateFromPEMFile(java.nio.file.Path filename)
Helper method to load back a .pem/.cer format file copy of a certificate.
filename - Source filename

public java.security.KeyPair loadKeyPairFromKeyStore(java.nio.file.Path keyStoreFilePath, java.lang.String storePassword, java.lang.String keyPassword, java.lang.String alias)
Extract public and private keys from a KeyStore file, assuming the storage alias is known.
keyStoreFilePath - Path to load KeyStore from
storePassword - Password to unlock the KeyStore
keyPassword - Password to unlock the private key entries
alias - The name to look up the Key and Certificate chain from

public java.security.KeyPair loadOrCreateKeyPairFromKeyStore(java.nio.file.Path keyStoreFilePath, java.lang.String storePassword, java.lang.String keyPassword, java.lang.String alias, kotlin.jvm.functions.Function0<net.corda.core.crypto.X509Utilities.CACertAndKey> keyGenerator)
Extract public and private keys from a KeyStore file, assuming the storage alias is known, or create a new pair of keys using the provided function if the keys do not exist.
keyStoreFilePath - Path to load KeyStore from
storePassword - Password to unlock the KeyStore
keyPassword - Password to unlock the private key entries
alias - The name to look up the Key and Certificate chain from
keyGenerator - Function for generating new keys

public java.security.cert.X509Certificate loadCertificateFromKeyStore(java.nio.file.Path keyStoreFilePath, java.lang.String storePassword, java.lang.String alias)
Extract a public X509 certificate from a KeyStore file, assuming the storage alias is known.
keyStoreFilePath - Path to load KeyStore from
storePassword - Password to unlock the KeyStore
alias - The name to look up the Key and Certificate chain from

public java.security.KeyStore createCAKeyStoreAndTrustStore(java.nio.file.Path keyStoreFilePath, java.lang.String storePassword, java.lang.String keyPassword, java.nio.file.Path trustStoreFilePath, java.lang.String trustStorePassword)
All in one wrapper to manufacture a root CA cert and an intermediate CA cert. Normally this would be run once and then the outputs would be re-used repeatedly to manufacture the server certs.
keyStoreFilePath - The output KeyStore path to publish the private keys of the CA root and intermediate certs into.
storePassword - The storage password to protect access to the generated KeyStore and public certificates
keyPassword - The password that protects the CA private keys. Unlike the SSL libraries, which tend to assume the key password is the same as the keystore password, these CA private keys should be protected more effectively with a distinct password.
trustStoreFilePath - The output KeyStore to place the Root CA public certificate in, which can be used as an SSL truststore
trustStorePassword - The password to protect the truststore

public X509Utilities.CACertAndKey loadCertificateAndKey(java.security.KeyStore keyStore, java.lang.String keyPassword, java.lang.String alias)
Helper method to load a Certificate and KeyPair from their KeyStore. The access details should match those of the createCAKeyStoreAndTrustStore call used to manufacture the keys.
keyStore - Source KeyStore to look in for the data
keyPassword - The password for the PrivateKey (not the store access password)
alias - The name to search for the data. Typically, if generated with the methods here, this will be one of CERT_PRIVATE_KEY_ALIAS, ROOT_CA_CERT_PRIVATE_KEY_ALIAS, INTERMEDIATE_CA_PRIVATE_KEY_ALIAS defined above

public java.security.KeyStore createKeystoreForSSL(java.nio.file.Path keyStoreFilePath, java.lang.String storePassword, java.lang.String keyPassword, java.security.KeyStore caKeyStore, java.lang.String caKeyPassword, java.lang.String commonName)
An all in one wrapper to manufacture a server certificate and keys, all stored in a KeyStore suitable for running TLS on the local machine.
keyStoreFilePath - KeyStore path to save output to
storePassword - access password for KeyStore
keyPassword - PrivateKey access password for the generated keys. It is recommended that this is the same as the storePassword as most TLS libraries assume they are the same.
caKeyStore - KeyStore containing CA keys generated by createCAKeyStoreAndTrustStore
caKeyPassword - password to unlock private keys in the CA KeyStore
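The following is an added example, not code from the Corda project or this reference page, showing the two-step flow described under createCAKeyStoreAndTrustStore and createKeystoreForSSL: the CA stores are built once with a CA key password distinct from the store password, a server keystore is then issued from them with store and key password kept equal, and finally the standard JDK PKIX validator checks that the chain addOrReplaceKey stored (leaf, intermediate, root) validates against the trust store alone. File paths, passwords and the host name are constructed for the example; it assumes the class is on the classpath as net.corda.core.crypto.X509Utilities, the package named in the loadOrCreateKeyPairFromKeyStore signature above.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import net.corda.core.crypto.X509Utilities;

public class ProvisionTlsKeystore {
    public static void main(String[] args) throws Exception {
        X509Utilities x509 = X509Utilities.INSTANCE;
        // Constructed paths and passwords for this example only.
        Path caStorePath = Paths.get("ca-keystore.jks");
        Path trustStorePath = Paths.get("truststore.jks");
        Path sslStorePath = Paths.get("sslkeystore.jks");
        String caStorePw = "ca-store-secret", caKeyPw = "ca-key-secret", trustPw = "trust-secret";
        String sslPw = "ssl-secret"; // store and key password kept equal, as TLS libraries expect

        // Step 1 (run once): root + intermediate CA private keys go to caStorePath under caKeyPw;
        // only the root CA public certificate goes to trustStorePath.
        KeyStore caStore = x509.createCAKeyStoreAndTrustStore(caStorePath, caStorePw, caKeyPw, trustStorePath, trustPw);
        // Step 2 (per server): leaf cert signed by the intermediate, stored together with its chain.
        KeyStore sslStore = x509.createKeystoreForSSL(sslStorePath, sslPw, sslPw, caStore, caKeyPw, "node.example.com");
        // Step 3: the trust store alone must be enough to validate what step 2 produced.
        KeyStore trustStore = x509.loadKeyStore(trustStorePath, trustPw);
        for (String alias : Collections.list(sslStore.aliases())) {
            if (!sslStore.isKeyEntry(alias)) continue;
            Certificate[] chain = sslStore.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            validateChain(chain, trustStore);
            System.out.println(alias + ": " + chain.length + " certs, leaf " + leaf.getSubjectX500Principal() + " validates");
        }
    }

    // PKIX validation of a stored chain against the trusted certificate entries of a trust store.
    static void validateChain(Certificate[] chain, KeyStore trustStore) throws Exception {
        List<Certificate> path = new ArrayList<>(Arrays.asList(chain));
        // addOrReplaceKey stores the chain up to and including the root; the validator takes the
        // trust anchor from PKIXParameters instead, so a self-signed tail is dropped from the path.
        X509Certificate last = (X509Certificate) path.get(path.size() - 1);
        if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore); // trusted cert entries become anchors
        params.setRevocationEnabled(false); // the dev CA publishes no CRL or OCSP responder
        CertPathValidator.getInstance("PKIX").validate(certPath, params); // throws on any failure
    }
}
```

A chain that validates here only proves the keystore was issued by this CA; the leaf's SAN entries still have to match the host name a TLS client connects to, which createKeystoreForSSL derives from the local machine.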