I am trying to use Https over http, I generated the CA certificate with bouncy castle and generated from the .cer file the jks file, spring boot started successfully with the properties provided with an embedded tomcat.
The problem is that I'm getting always insecure ssl certificate from the browser (for example from chrome : This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.) while I add the trust store programatically with another config class.
Here is my code:
import org.apache.commons.codec.binary.Base64; import org.bouncycastle.asn1.DERSequence; import org.bouncycastle.asn1.cmp.CertRepMessage; import org.bouncycastle.asn1.cmp.PKIBody; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.GeneralName; import org.bouncycastle.cert.CertException; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.X509v3CertificateBuilder; import org.bouncycastle.cert.cmp.CMPException; import org.bouncycastle.cert.cmp.ProtectedPKIMessage; import org.bouncycastle.cert.cmp.ProtectedPKIMessageBuilder; import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.operator.ContentSigner; import org.bouncycastle.operator.ContentVerifierProvider; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import java.io.FileOutputStream; import java.io.IOException; import java.io.OutputStream; import java.math.BigInteger; import java.security.*; import java.security.cert.X509Certificate; import java.util.Date;
public class generateService {
private static final String BC = BouncyCastleProvider.PROVIDER_NAME;
private static X509CertificateHolder makeV3Certificate(KeyPair subKP, String _subDN, KeyPair issKP, String _issDN)
throws GeneralSecurityException, IOException, OperatorCreationException, CertException
{
PublicKey subPub = subKP.getPublic();
PrivateKey issPriv = issKP.getPrivate();
PublicKey issPub = issKP.getPublic();
X509v3CertificateBuilder v1CertGen = new JcaX509v3CertificateBuilder(
new X500Name(_issDN),
BigInteger.valueOf(System.currentTimeMillis()),
new Date(System.currentTimeMillis()),
new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 100)),
new X500Name(_subDN),
subPub);
ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA").setProvider(BC).build(issPriv);
X509CertificateHolder certHolder = v1CertGen.build(signer);
ContentVerifierProvider verifier = new JcaContentVerifierProviderBuilder().setProvider(BC).build(issPub);
return certHolder;
}
public X509Certificate test(KeyPair kp) throws OperatorCreationException, GeneralSecurityException, CertException, IOException, CMPException {
Provider bcProvider = new BouncyCastleProvider();
Security.addProvider(bcProvider);
X509CertificateHolder cert = makeV3Certificate(kp, "CN=CA", kp, "CN=CA");
GeneralName sender = new GeneralName(new X500Name("CN=CA"));
GeneralName recipient = new GeneralName(new X500Name("CN=CA"));
ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(BC).build(kp.getPrivate());
ProtectedPKIMessage message = new ProtectedPKIMessageBuilder(sender, recipient)
.setBody(new PKIBody(PKIBody.TYPE_INIT_REP, CertRepMessage.getInstance(new DERSequence(new DERSequence()))))
.addCMPCertificate(cert)
.build(signer);
X509Certificate jcaCert = new JcaX509CertificateConverter().setProvider(BC).getCertificate(message.getCertificates()[0]);
return jcaCert;
}
public void generateJKS() throws GeneralSecurityException, IOException, OperatorCreationException, CMPException, CertException {
Provider bcProvider = new BouncyCastleProvider();
Security.addProvider(bcProvider);
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024);
KeyPair keyPair = keyPairGenerator.generateKeyPair();
X509Certificate certificate = test(keyPair);
final FileOutputStream os = new FileOutputStream("E:\\cert4.cer");
os.write("-----BEGIN CERTIFICATE-----\n".getBytes("US-ASCII"));
os.write(Base64.encodeBase64(certificate.getEncoded(), true));
os.write("-----END CERTIFICATE-----\n".getBytes("US-ASCII"));
os.close();
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(null,null);
X509Certificate[] certChain = new X509Certificate[1];
certChain[0] = certificate;
keyStore.setKeyEntry("myaliaskey", (Key)keyPair.getPrivate(), "secret".toCharArray(), certChain);
OutputStream outputStream = new FileOutputStream("E:\\keystoreRSA4.jks");
keyStore.store(outputStream, "secret".toCharArray());
outputStream.flush();
outputStream.close();
}
public static void main(String[] args) throws Exception {
new generateService().generateJKS();
} }
Application.properties:
server.port = 8443 server.http.port = 8080 server.ssl.key-store = E:\\keystoreRSA4.jks server.ssl.key-password = secret server.ssl.keyAlias = myaliaskey
/***************************************************************************/
import org.springframework.context.annotation.Configuration;
import javax.annotation.PostConstruct;
#Configuration public class SSLConfig {
#PostConstruct
private void configureSSL() {
System.setProperty("https.protocols", "TLSv1.2");
System.setProperty("javax.net.ssl.trustStore", "E:\\keystoreRSA4.jks");
System.setProperty("javax.net.ssl.keyStore", "E:\\keystoreRSA4.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "secret");
} }
import org.apache.catalina.Context; import org.apache.catalina.connector.Connector; import org.apache.tomcat.util.descriptor.web.SecurityCollection; import org.apache.tomcat.util.descriptor.web.SecurityConstraint; import org.springframework.beans.factory.annotation.Value; import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory; import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration;
#Configuration public class TomcatConfig {
#Value("${server.http.port}")
private int httpPort;
#Value("${server.port}")
private int httpsPort;
#Bean
public EmbeddedServletContainerFactory servletContainer() {
TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory() {
#Override
protected void postProcessContext(Context context) {
SecurityConstraint securityConstraint = new SecurityConstraint();
securityConstraint.setUserConstraint("CONFIDENTIAL");
SecurityCollection collection = new SecurityCollection();
collection.addPattern("/*");
securityConstraint.addCollection(collection);
context.addConstraint(securityConstraint);
}
};
tomcat.addAdditionalTomcatConnectors(initiateHttpConnector());
return tomcat;
}
public Connector initiateHttpConnector() {
Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
connector.setScheme("https");
connector.setPort(httpPort);
connector.setSecure(true);
connector.setRedirectPort(httpsPort);
return connector;
} }
Any help will be appreciated and thank you in advance.
how i can figure it to let the browser accept it as trust certificate?
Fortunately, you can't. There's a discussion about the topic in this question:
If we simply said "HTTPS is now possible with self-signed certificates", your browser could not distinguish whether a site you are trying to visit has a self-signed cert because it is supposed to, or because you are being attacked. Thus, it would decrease security.
You have to add an exception to your browser to accept your certificate. Normally during development. For production use, you have to buy a certificate from a trusted vendor like Verisign.
To add an exception to your browser, please see this other question.
Cheers!
Related
I am trying to implement a HTTPS (SSL) server in Java, and I'd like to leverage com.sun.net.httpserver.HttpsServer.
I have been able to cobble together some code from different places that kind of works, but I want to be able to specify which protocols, e.g., SSLv3, TLSv!, etc. that my HTTPS server is willing able to support, but I have not been able to figure out how to do that.
I'm posting the code I have so far, and was wondering if anyone could tell me how I can add the ability to specify the protocols?
import java.io.FileInputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import com.sun.net.httpserver.HttpsServer;
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsParameters;
public class Test {
static private String PROGVERSION = "V1.00";
static private String keystoreFile = "";
static private int listenPort = 0;
public static void main(String[] args) throws Exception {
System.out.println("JavaHttpsServer " + PROGVERSION);
keystoreFile = args[0];
listenPort = Integer.parseInt(args[1]);
System.out.println("keystoreFile=[" + keystoreFile + "]");
System.out.println("listenPort=[" + listenPort + "]");
SSLContext ssl = SSLContext.getInstance("SSLv3");
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
//Load the JKS file (located, in this case, at D:\keystore.jks, with password 'test'
//store.load(new FileInputStream("C:\\Users\\Eclipse-workspaces\\Test\\keystore.jks"), "changeit".toCharArray());
store.load(new FileInputStream(keystoreFile), "changeit".toCharArray());
//init the key store, along with the password 'changeit'
kmf.init(store, "changeit".toCharArray());
KeyManager[] keyManagers = new KeyManager[1];
keyManagers = kmf.getKeyManagers();
// Init the trust manager factory
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
// It will reference the same key store as the key managers
tmf.init(store);
TrustManager[] trustManagers = tmf.getTrustManagers();
ssl.init(keyManagers, trustManagers, new SecureRandom());
// Init a configuration with our SSL context
HttpsConfigurator configurator = new HttpsConfigurator(ssl);
//configurator.configure(hparams);
// Create a new HTTPS Server instance, listening on port 8000
HttpsServer server = HttpsServer.create(new InetSocketAddress(listenPort), 0);
server.setHttpsConfigurator(configurator);
server.createContext("/test", new MyHandler());
server.setExecutor(null); // creates a default executor
server.start();
}
static class MyHandler implements HttpHandler {
#Override
public void handle(HttpExchange t) throws IOException {
String x = t.getRemoteAddress().getHostString();
System.out.println("In handle: Request from (getHostString) = [" + x + "]");
x = t.getRequestURI().toASCIIString();
System.out.println("In handle: getRequestURI = [" + x + "]");
if (x.equalsIgnoreCase("/test?stop")) {
System.out.println("In handle: Received request to exit, so will exit now...");
System.exit(0);
}
System.out.println("In handle: About to send response...");
String response = "This is the response";
t.sendResponseHeaders(200, response.length());
OutputStream os = t.getResponseBody();
os.write(response.getBytes());
System.out.println("In handle: Finished sending response...");
os.close();
}
}
}
I am not sure if I understand the question correctly, because your code already shows, how to set the protocol. You provide the protocol in the getInstance() method of SSLContext. In your example you initialize SSLContext with SSLv3. You can use one of the strings described here: https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
To verify, which protocol your server uses, you can use the "s_client" command of OpenSSL: openssl s_client -connect localhost:8443
I am using this java program to validate a digital signature using public key (cer file). I am using opensaml 2.6.3 jars
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.validation.Schema;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.X509EncodedKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.xml.SAMLSchemaBuilder;
import org.opensaml.saml2.core.NewEncryptedID;
import org.opensaml.saml2.core.Response;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.Unmarshaller;
import org.opensaml.xml.io.UnmarshallerFactory;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.validation.ValidationException;
public class FinalTester
{
public static void main(String[] args)
{
try
{
//initialize the opensaml library
DefaultBootstrap.bootstrap();
Schema schema = SAMLSchemaBuilder.getSAML11Schema();
//get parser pool manager
BasicParserPool parserPoolManager = new BasicParserPool();
parserPoolManager.setNamespaceAware(true);
parserPoolManager.setIgnoreElementContentWhitespace(true);
parserPoolManager.setSchema(schema);
////get KeyFactory object that creates key objects, specifying RSA
KeyFactory keyFactory = KeyFactory.getInstance("RSA");
String state=
"PHNhbWxwOlJlc3BvbnNlIHhtbG5zOmFzcnQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElzc3VlSW5zdGFudD0iMjAxNC0xMC0xN1QxODo1MTowOC4yMjE5NTk1WiIgRGVzdGluYXRpb249Imh0dHBzOi8vcWEubGV4aXNuZXhpcy5jb20vc2FtbF9zaWduaW4iIENvbnNlbnQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjb25zZW50OnVuc3BlY2lmaWVkIiBJRD0iY2VvZGtoaW1rZW9iaWdqb2ZqZ2hmY2djZGVubW5rbXBjbW1kZnBrZyIgVmVyc2lvbj0iMi4wIiB4bWxuczpzYW1scD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIj4NCgk8YXNydDpJc3N1ZXI+RGVsb2l0dGU8L2FzcnQ6SXNzdWVyPg0KCTxTaWduYXR1cmUgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPg0KCQk8U2lnbmVkSW5mbz4NCgkJCTxDYW5vbmljYWxpemF0aW9uTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIiAvPg0KCQkJPFNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIgLz4NCgkJCTxSZWZlcmVuY2UgVVJJPSIjY2VvZGtoaW1rZW9iaWdqb2ZqZ2hmY2djZGVubW5rbXBjbW1kZnBrZyI+DQoJCQkJPFRyYW5zZm9ybXM+DQoJCQkJCTxUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIgLz4NCgkJCQkJPFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgLz4NCgkJCQk8L1RyYW5zZm9ybXM+DQoJCQkJPERpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIiAvPg0KCQkJCTxEaWdlc3RWYWx1ZT5Xc0w2QU9nbEVmWVdneE9CNmJ6YXpWN2dnZkU9PC9EaWdlc3RWYWx1ZT4NCgkJCTwvUmVmZXJlbmNlPg0KCQk8L1NpZ25lZEluZm8+DQoJCTxTaWduYXR1cmVWYWx1ZT5FZXZ2MXQ5amZ3YmZNc0h2aXRuWXFXSldBS0RkWk9zRmNLK25xei8yd1A1TjlhNGdnNTZ5YzZBMjJISnh2aUQrRjEweVhCMjVkdG5xN1Rac1BlYUNMTlpVRWRzWjJSblNpTFZjTGRVeHg2SGs1STdFcDlibTBIRG5TYVpPV0Z4N2NBTnQ2WWJzNDZLKzJ1T3JwOVdRbDVoTkFOYmo3UWNaYWdZZnZtNmQ1MVR3ZFBwZ0NxQXNWc3BkeW4zRFlaUVpKL2ZQZDZCRGNuSWN5eU1qVkU4b3lra1dCL1VRN0h3aDd6NWFwYyt4cTU0S1FOM1NWUWlLVjM2TFJXdG5SVVp3Z3hEbUEyRERTYVlRQWpGM2VMZGpBeXhsOGxMTXdTajlNVHZMdTJmSHlDMGM2ZXBudHYzSnFVZmtYNktTRHg2Vm9hdjQxaGxzaEhwMW9wNUxqZ2JMMVE9PTwvU2lnbmF0dXJlVmFsdWU+DQoJPC9TaWduYXR1cmU+DQoJPHNhbWxwOlN0YXR1cz4NCgkJPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIgLz4NCgk8L3NhbWxwOlN0YXR1cz4NCgk8YXNydDpBc3NlcnRpb24gSXNzdWVJbnN0YW50PSIyMDE0LTEwLTE3VDE4OjUxOjA4LjIyMTk1OTVaIiBJRD0iZ2tma2Rub2psZ2FrbXBwcGlkaWVoYWVobWJobGVrZGNiZGhmZ2FoaCIgVmVyc2lvbj0iMi4wIj4NCgkJPGFzcnQ6SXNzdWVyPkRlbG9pdHRlPC9hc3J0Oklzc3Vlcj4NCgkJPGFzcnQ6U3ViamVjdD4NCgkJCTxhc3J0Ok5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsQWRkcmVzcyI+YmhnYW5kaGlAdHN0LmRlbG9pdHRlLmNvbTwvYXNydDpOYW1lSUQ+DQoJCQk8YXNydDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+DQoJCQkJPGFzcnQ6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDE0LTEwLTE3VDE4OjU2OjA4LjIyMTk1OTVaIiBSZWNpcGllbnQ9Imh0dHBzOi8vcWEubGV4aXNuZXhpcy5jb20vc2FtbF9zaWduaW4iIC8+DQoJCQk8L2FzcnQ6U3ViamVjdENvbmZpcm1hdGlvbj4NCgkJPC9hc3J0OlN1YmplY3Q+DQoJCTxhc3J0OkNvbmRpdGlvbnMgTm90T25PckFmdGVyPSIyMDE0LTEwLTE3VDE4OjU2OjA4LjIyMTk1OTVaIiBOb3RCZWZvcmU9IjIwMTQtMTAtMTdUMTg6NDY6MDguMjIxOTU5NVoiPg0KCQkJPGFzcnQ6QXVkaWVuY2VSZXN0cmljdGlvbj4NCgkJCQk8YXNydDpBdWRpZW5jZT5odHRwczovL3FhLmxleGlzbmV4aXMuY29tL3NhbWxfc2lnbmluPC9hc3J0OkF1ZGllbmNlPg0KCQkJPC9hc3J0OkF1ZGllbmNlUmVzdHJpY3Rpb24+DQoJCTwvYXNydDpDb25kaXRpb25zPg0KCQk8YXNydDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+DQoJCQk8YXNydDpBdHRyaWJ1dGUgTmFtZT0iRmlyc3QgTmFtZSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+DQoJCQkJPGFzcnQ6QXR0cmlidXRlVmFsdWUgeG1sbnM6cTE9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiBkNXAxOnR5cGU9InExOnN0cmluZyIgeG1sbnM6ZDVwMT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiPkJyZW50PC9hc3J0OkF0dHJpYnV0ZVZhbHVlPg0KCQkJPC9hc3J0OkF0dHJpYnV0ZT4NCgkJCTxhc3J0OkF0dHJpYnV0ZSBOYW1lPSJMYXN0IE5hbWUiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPg0KCQkJCTxhc3J0OkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnEyPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgZDVwMTp0eXBlPSJxMjpzdHJpbmciIHhtbG5zOmQ1cDE9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj5SdWJpbzwvYXNydDpBdHRyaWJ1dGVWYWx1ZT4NCgkJCTwvYXNydDpBdHRyaWJ1dGU+DQoJCQk8YXNydDpBdHRyaWJ1dGUgTmFtZT0iRW1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPg0KCQkJCTxhc3J0OkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnEzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgZDVwMTp0eXBlPSJxMzpzdHJpbmciIHhtbG5zOmQ1cDE9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj5iaGdhbmRoaUB0c3QuZGVsb2l0dGUuY29tPC9hc3J0OkF0dHJpYnV0ZVZhbHVlPg0KCQkJPC9hc3J0OkF0dHJpYnV0ZT4NCgkJCTxhc3J0OkF0dHJpYnV0ZSBOYW1lPSJQZXJzb25uZWxOdW1iZXIiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6YmFzaWMiPg0KCQkJCTxhc3J0OkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnE0PSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgZDVwMTp0eXBlPSJxNDpzdHJpbmciIHhtbG5zOmQ1cDE9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj4wMDMwNjg2NTwvYXNydDpBdHRyaWJ1dGVWYWx1ZT4NCgkJCTwvYXNydDpBdHRyaWJ1dGU+DQoJCQk8YXNydDpBdHRyaWJ1dGUgTmFtZT0iUGVyc29uSUQiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dW5zcGVjaWZpZWQiPg0KCQkJCTxhc3J0OkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnE1PSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgZDVwMTp0eXBlPSJxNTpzdHJpbmciIHhtbG5zOmQ1cDE9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj5QZXJzb25JRDwvYXNydDpBdHRyaWJ1dGVWYWx1ZT4NCgkJCTwvYXNydDpBdHRyaWJ1dGU+DQoJCQk8YXNydDpBdHRyaWJ1dGUgTmFtZT0iTG9jYXRpb24iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dW5zcGVjaWZpZWQiPg0KCQkJCTxhc3J0OkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnE2PSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgZDVwMTp0eXBlPSJxNjpzdHJpbmciIHhtbG5zOmQ1cDE9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIj4xNC8xNFMwNTNBPC9hc3J0OkF0dHJpYnV0ZVZhbHVlPg0KCQkJPC9hc3J0OkF0dHJpYnV0ZT4NCgkJPC9hc3J0OkF0dHJpYnV0ZVN0YXRlbWVudD4NCgkJPGFzcnQ6QXV0aG5TdGF0ZW1lbnQgU2Vzc2lvbkluZGV4PSJiZWNpcGxlbW5lbGRwa2JhaWhtaGhmZmVpcG5maGtwam1tYm1lYWhuIiBBdXRobkluc3RhbnQ9IjIwMTQtMTAtMTdUMTg6NTE6MDguMjIxOTU5NVoiPg0KCQkJPGFzcnQ6QXV0aG5Db250ZXh0Pg0KCQkJCTxhc3J0OkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOkludGVybmV0UHJvdG9jb2w8L2FzcnQ6QXV0aG5Db250ZXh0Q2xhc3NSZWY+DQoJCQk8L2FzcnQ6QXV0aG5Db250ZXh0Pg0KCQk8L2FzcnQ6QXV0aG5TdGF0ZW1lbnQ+DQoJPC9hc3J0OkFzc2VydGlvbj4NCjwvc2FtbHA6UmVzcG9uc2U+";
byte[] xmlString = Base64.decodeBase64(state);
String s = new String(xmlString);
Document document = parserPoolManager.parse(new ByteArrayInputStream(s.getBytes("UTF-8")));
Element metadataRoot = (Element) document.getDocumentElement();
QName qName= new QName(metadataRoot.getNamespaceURI(), metadataRoot.getLocalName(), metadataRoot.getPrefix());
// //get an unmarshaller
Unmarshaller unmarshaller = Configuration.getUnmarshallerFactory().getUnmarshaller(qName);
// //unmarshall using the document root element
Response response = (Response)unmarshaller.unmarshall(metadataRoot);
//get the signature to validate from the response object
Signature signature = response.getSignature();
/***************************************************************************************************/
//grab the certificate file
File certificateFile = new File("C:\\samlwork\\domain.com_B64.cer");
//get the certificate from the file
InputStream inputStream2 = new FileInputStream(certificateFile);
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
X509Certificate certificate = (X509Certificate)certificateFactory.generateCertificate(inputStream2);
inputStream2.close();
//pull out the public key part of the certificate into a KeySpec
X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(certificate.getPublicKey().getEncoded());
//generate public key to validate signatures
PublicKey publicKey = keyFactory.generatePublic(publicKeySpec);
//create credentials
BasicX509Credential publicCredential = new BasicX509Credential();
//add public key value
publicCredential.setPublicKey(publicKey);
//create SignatureValidator
SignatureValidator signatureValidator = new SignatureValidator(publicCredential);
//try to validate
try
{
signatureValidator.validate(signature);
}
catch (ValidationException ve)
{
System.out.println("Signature is NOT valid.");
System.out.println(ve.getMessage());
return;
}
//no validation exception was thrown
System.out.println("Signature is valid.");
}
catch (Exception ex)
{
ex.printStackTrace();
}
}
}
This code if i run this in eclipse it says that the signature is valid. But if I run in RAD8.2 it says signature is invalid. Please help me with this. I am using different workspaces in rad and eclipse
I successfully make X.509 certificate from certificate request.
However, I need to insert CERT Path informatin in the X.509 certificate.
I know that I have to use CertPathBuilder method but I don't know how to use it.
could you give me an code example that suitable for the following code?
import java.io.FileInputStream;
import java.io.FileWriter;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.openssl.PEMReader;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
import chapter6.X509V1CreateExample;
//example of a basic CA
public class PKCS10CertCreateExample
{
public static X509Certificate[] buildChain() throws Exception
{
PEMReader pRd = new PEMReader(
new InputStreamReader(
new FileInputStream("pkcs10.req")));
PKCS10CertificationRequest request = (PKCS10CertificationRequest)pRd.readObject();
//create a root certificate
KeyPair rootPair=chapter6.Utils.generateRSAKeyPair();
X509Certificate rootCert = X509V1CreateExample.generateV1Certificate(rootPair);
//validate the certification request
if(!request.verify("BC"))
{
System.out.println("request failed to verify!");
System.exit(1);
}
//create the certificate using the information in the request
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
certGen.setIssuerDN(rootCert.getSubjectX500Principal());
certGen.setNotBefore(new Date(System.currentTimeMillis()));
certGen.setNotAfter(new Date(System.currentTimeMillis()+50000));
certGen.setSubjectDN(request.getCertificationRequestInfo().getSubject());
certGen.setPublicKey(request.getPublicKey("BC"));
certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(rootCert));
certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(request.getPublicKey("BC")));
certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
//certGen.addExtension(X509Extensions.KeyUsage, true, new BasicConstraints(false));
certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
//extract the extension request attribute
ASN1Set attributes = request.getCertificationRequestInfo().getAttributes();
for(int i=0;i!=attributes.size();i++)
{
Attribute attr = Attribute.getInstance(attributes.getObjectAt(i));
//process extension request
if(attr.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest))
{
X509Extensions extensions = X509Extensions.getInstance(attr.getAttrValues().getObjectAt(0));
Enumeration<?> e = extensions.oids();
while(e.hasMoreElements())
{
DERObjectIdentifier oid = (DERObjectIdentifier)e.nextElement();
X509Extension ext = extensions.getExtension(oid);
certGen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets());
}
}
}
X509Certificate issuedCert = certGen.generateX509Certificate(rootPair.getPrivate());
return new X509Certificate[]{issuedCert, rootCert};
}
public static void pemEncodeToFile(String filename, Object obj, char[] password) throws Exception{
PEMWriter pw = new PEMWriter(new FileWriter(filename));
if (password != null && password.length > 0) {
pw.writeObject(obj, "DESEDE", password, new SecureRandom());
} else {
pw.writeObject(obj);
}
pw.flush();
pw.close();
}
public static void main(String[] args) throws Exception
{
X509Certificate[] chain = buildChain();
PEMWriter pemWrt = new PEMWriter(new OutputStreamWriter(System.out));
pemWrt.writeObject(chain[0]);
pemEncodeToFile("pkcs10.pem", chain[0], null);
pemWrt.close();
}
}
The below code may help you
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
X509CertSelector certSelector = new X509CertSelector();
certSelector.setCertificate((X509Certificate) myKeyStore.getCertificate("mykey"));
PKIXBuilderParameters cpp = new PKIXBuilderParameters(trustAnchors, certSelector);
cpp.addCertStore(cs);
cpp.setRevocationEnabled(true);
cpp.setMaxPathLength(6);
cpp.setDate(new Date());
CertPathBuilderResult a = cpb.build(cpp);
CertPath certPath = a.getCertPath();
CSR reply is normally signed by intermediate CA, hence the cert chain is incomplete missing root CA. Suppose you have all the root CA certs in the collection trustCerts, and the cert array certChain from CSR reply.
To build complete cert chain, firstly, add all the root CA certs to trustAnchors.
Set<TrustAnchor> trustAnchors = new HashSet<>();
trustAnchors.addAll(trustCerts.stream.map(cert -> new TrustAnchors(cert, null)).toList());
Then configure CertSelector with the targeting end certificate.
X509CertSelector selector = new X509CertSelector();
selector.setCertificate(certChain[0]);
Create build parameters. Disable revocation check if not using it.
PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustAnchors, selector);
parameters.setRevocationEnabled(false);
Add intermediate CA certs into build parameters. Since certChain contains both intermediate CA and end certificate, just add it to parameter.
CertStore intermediate = CertStore.getInstance("Collection", new CollectionCertStoreParameters(Arrays.asList(certChain)));
parameters.addCertStore(intermediate);
Instantiate builder instance and build path
CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
PKIXCertPathBuilderResult cpbResult = (PKIXCertPathBuilderResult) cpb.build(parameters);
CertPath cp = cpbResult.getCertPath();
List<X509Certificate> completeCertChain = (List<X509Certificate>) cp.getCertificates();
I would like to create x.509 certificate,
so I copy the following codes from Wrox, Beggining Cryptography with Java, chapter 6.
import java.io.OutputStreamWriter;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import org.bouncycastle.asn1.ASN1Set;
import org.bouncycastle.asn1.DERObjectIdentifier;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.asn1.x509.X509Extension;
import org.bouncycastle.asn1.x509.X509Extensions;
import org.bouncycastle.jce.PKCS10CertificationRequest;
import org.bouncycastle.openssl.PEMWriter;
import org.bouncycastle.x509.X509V3CertificateGenerator;
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure;
import org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure;
import chapter6.PKCS10ExtensionExample;
import chapter6.X509V1CreateExample;
//example of a basic CA
public class PKCS10CertCreateExample
{
public static X509Certificate[] buildChain() throws Exception
{
//create the certification request
KeyPair pair = chapter7.Utils.generateRSAKeyPair();
PKCS10CertificationRequest request = PKCS10ExtensionExample.generateRequest(pair);
//create a root certificate
KeyPair rootPair=chapter7.Utils.generateRSAKeyPair();
X509Certificate rootCert = X509V1CreateExample.generateV1Certificate(rootPair);
//validate the certification request
if(!request.verify("BC"))
{
System.out.println("request failed to verify!");
System.exit(1);
}
//create the certificate using the information in the request
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
certGen.setIssuerDN(rootCert.getSubjectX500Principal());
certGen.setNotBefore(new Date(System.currentTimeMillis()));
certGen.setNotAfter(new Date(System.currentTimeMillis()+50000));
certGen.setSubjectDN(request.getCertificationRequestInfo().getSubject());
certGen.setPublicKey(request.getPublicKey("BC"));
certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(rootCert));
certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(request.getPublicKey("BC")));
certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
certGen.addExtension(X509Extensions.KeyUsage, true, new BasicConstraints(false));
certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
//extract the extension request attribute
ASN1Set attributes = request.getCertificationRequestInfo().getAttributes();
for(int i=0;i!=attributes.size();i++)
{
Attribute attr = Attribute.getInstance(attributes.getObjectAt(i));
//process extension request
if(attr.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest))
{
X509Extensions extensions = X509Extensions.getInstance(attr.getAttrValues().getObjectAt(0));
Enumeration<?> e = extensions.oids();
while(e.hasMoreElements())
{
DERObjectIdentifier oid = (DERObjectIdentifier)e.nextElement();
X509Extension ext = extensions.getExtension(oid);
certGen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets());
}
}
}
X509Certificate issuedCert = certGen.generateX509Certificate(rootPair.getPrivate());
return new X509Certificate[]{issuedCert, rootCert};
}
public static void main(String[] args) throws Exception
{
X509Certificate[] chain = buildChain();
PEMWriter pemWrt = new PEMWriter(new OutputStreamWriter(System.out));
pemWrt.writeObject(chain[0]);
pemWrt.writeObject(chain[1]);
pemWrt.close();
}
}
However, the codes shows errors as follows
Exception in thread "main" java.lang.IllegalArgumentException: extension 2.5.29.15 already added
at org.bouncycastle.asn1.x509.X509ExtensionsGenerator.addExtension(Unknown Source)
at org.bouncycastle.asn1.x509.X509ExtensionsGenerator.addExtension(Unknown Source)
at org.bouncycastle.x509.X509V3CertificateGenerator.addExtension(Unknown Source)
at PKCS10CertCreateExample.buildChain(PKCS10CertCreateExample.java:68)
at PKCS10CertCreateExample.main(PKCS10CertCreateExample.java:100)
please, help me..
Googling extension 2.5.29.15 will tell you that refers to KeyUsage
Googling the source code for X509V3CertificateGenerator shows that addExtension() calls X509ExtensionsGenerator.addExtension() which throws an exception if the extension provided has already been added.
The source code you provide above does just that, and the exception is thrown:
certGen.addExtension(X509Extensions.KeyUsage, true, new BasicConstraints(false));
certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
This is a bug in the code. You need to remove one of them. I would guess the first.
I want to sign a text file (may be a .exe file or something else in the future)
using PKCS#7 and verify the signature using Java.
What do I need to know?
Where will I find an API (.jar and documentation)?
What are the steps I need to follow in order to sign data and verify the data?
Please provide me code snippet if possible.
I reckon you need the following 2 Bouncy Castle jars to generate the PKCS7 digital signature:
bcprov-jdk15on-147.jar (for JDK 1.5 - JDK 1.7)
bcmail-jdk15on-147.jar (for JDK 1.5 - JDK 1.7)
You can download the Bouncy Castle jars from here.
You need to setup your keystore with the public & private key pair.
You need only the private key to generate the digital signature & the public key to verify it.
Here's how you'd pkcs7 sign content (Exception handling omitted for brevity) :
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import org.bouncycastle.cert.jcajce.JcaCertStore;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.CMSSignedDataGenerator;
import org.bouncycastle.cms.CMSTypedData;
import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
import org.bouncycastle.util.Store;
import org.bouncycastle.util.encoders.Base64;
public final class PKCS7Signer {
private static final String PATH_TO_KEYSTORE = "/path/to/keyStore";
private static final String KEY_ALIAS_IN_KEYSTORE = "My_Private_Key";
private static final String KEYSTORE_PASSWORD = "MyPassword";
private static final String SIGNATUREALGO = "SHA1withRSA";
public PKCS7Signer() {
}
KeyStore loadKeyStore() throws Exception {
KeyStore keystore = KeyStore.getInstance("JKS");
InputStream is = new FileInputStream(PATH_TO_KEYSTORE);
keystore.load(is, KEYSTORE_PASSWORD.toCharArray());
return keystore;
}
CMSSignedDataGenerator setUpProvider(final KeyStore keystore) throws Exception {
Security.addProvider(new BouncyCastleProvider());
Certificate[] certchain = (Certificate[]) keystore.getCertificateChain(KEY_ALIAS_IN_KEYSTORE);
final List<Certificate> certlist = new ArrayList<Certificate>();
for (int i = 0, length = certchain == null ? 0 : certchain.length; i < length; i++) {
certlist.add(certchain[i]);
}
Store certstore = new JcaCertStore(certlist);
Certificate cert = keystore.getCertificate(KEY_ALIAS_IN_KEYSTORE);
ContentSigner signer = new JcaContentSignerBuilder(SIGNATUREALGO).setProvider("BC").
build((PrivateKey) (keystore.getKey(KEY_ALIAS_IN_KEYSTORE, KEYSTORE_PASSWORD.toCharArray())));
CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
generator.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().setProvider("BC").
build()).build(signer, (X509Certificate) cert));
generator.addCertificates(certstore);
return generator;
}
byte[] signPkcs7(final byte[] content, final CMSSignedDataGenerator generator) throws Exception {
CMSTypedData cmsdata = new CMSProcessableByteArray(content);
CMSSignedData signeddata = generator.generate(cmsdata, true);
return signeddata.getEncoded();
}
public static void main(String[] args) throws Exception {
PKCS7Signer signer = new PKCS7Signer();
KeyStore keyStore = signer.loadKeyStore();
CMSSignedDataGenerator signatureGenerator = signer.setUpProvider(keyStore);
String content = "some bytes to be signed";
byte[] signedBytes = signer.signPkcs7(content.getBytes("UTF-8"), signatureGenerator);
System.out.println("Signed Encoded Bytes: " + new String(Base64.encode(signedBytes)));
}
}
PKCS#7 is known as CMS now (Cryptographic Message Syntax), and you will need the Bouncy Castle PKIX libraries to create one. It has ample documentation and a well established mailing list.
I won't supply code snippet, it is against house rules. Try yourself first.