Java tutorial
/** * Licensed to the Apache Software Foundation (ASF) under one * or more contributor license agreements. See the NOTICE file * distributed with this work for additional information * regarding copyright ownership. The ASF licenses this file * to you under the Apache License, Version 2.0 (the * "License"); you may not use this file except in compliance * with the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.apache.hadoop.gateway.services.security.impl; import java.io.File; import java.io.FileOutputStream; import java.io.IOException; import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; import java.math.BigInteger; import java.security.GeneralSecurityException; import java.security.KeyPair; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.PrivateKey; import java.security.PublicKey; import java.security.SecureRandom; import java.security.cert.Certificate; import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.Date; import org.apache.hadoop.gateway.i18n.messages.MessagesFactory; import org.apache.commons.codec.binary.Base64; import org.apache.hadoop.gateway.i18n.GatewaySpiMessages; public class X509CertificateUtil { private static GatewaySpiMessages LOG = MessagesFactory.get(GatewaySpiMessages.class); /** * Create a self-signed X.509 Certificate * @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB" * @param pair the KeyPair * @param days how many days from now the Certificate is valid for * @param algorithm the signing algorithm, eg "SHA1withRSA" */ public static X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm) throws GeneralSecurityException, IOException { PrivateKey privkey = pair.getPrivate(); Object x509CertImplObject = null; try { Date from = new Date(); Date to = new Date(from.getTime() + days * 86400000l); Class<?> certInfoClass = Class.forName(getX509CertInfoModuleName()); Constructor<?> certInfoConstr = certInfoClass.getConstructor(); Object certInfoObject = certInfoConstr.newInstance(); // CertificateValidity interval = new CertificateValidity(from, to); Class<?> certValidityClass = Class.forName(getX509CertifValidityModuleName()); Constructor<?> certValidityConstr = certValidityClass .getConstructor(new Class[] { Date.class, Date.class }); Object certValidityObject = certValidityConstr.newInstance(from, to); BigInteger sn = new BigInteger(64, new SecureRandom()); // X500Name owner = new X500Name(dn); Class<?> x500NameClass = Class.forName(getX509X500NameModuleName()); Constructor<?> x500NameConstr = x500NameClass.getConstructor(new Class[] { String.class }); Object x500NameObject = x500NameConstr.newInstance(dn); Method methodSET = certInfoObject.getClass().getMethod("set", String.class, Object.class); // info.set(X509CertInfo.VALIDITY, interval); methodSET.invoke(certInfoObject, getSetField(certInfoObject, "VALIDITY"), certValidityObject); // info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn)); Class<?> certificateSerialNumberClass = Class.forName(getCertificateSerialNumberModuleName()); Constructor<?> certificateSerialNumberConstr = certificateSerialNumberClass .getConstructor(new Class[] { BigInteger.class }); Object certificateSerialNumberObject = certificateSerialNumberConstr.newInstance(sn); methodSET.invoke(certInfoObject, getSetField(certInfoObject, "SERIAL_NUMBER"), certificateSerialNumberObject); // info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner)); try { Class<?> certificateSubjectNameClass = Class.forName(getCertificateSubjectNameModuleName()); Constructor<?> certificateSubjectNameConstr = certificateSubjectNameClass .getConstructor(new Class[] { x500NameClass }); Object certificateSubjectNameObject = certificateSubjectNameConstr.newInstance(x500NameObject); methodSET.invoke(certInfoObject, getSetField(certInfoObject, "SUBJECT"), certificateSubjectNameObject); } catch (InvocationTargetException ite) { methodSET.invoke(certInfoObject, getSetField(certInfoObject, "SUBJECT"), x500NameObject); } // info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner)); try { Class<?> certificateIssuerNameClass = Class.forName(getCertificateIssuerNameModuleName()); Constructor<?> certificateIssuerNameConstr = certificateIssuerNameClass .getConstructor(new Class[] { x500NameClass }); Object certificateIssuerNameObject = certificateIssuerNameConstr.newInstance(x500NameObject); methodSET.invoke(certInfoObject, getSetField(certInfoObject, "ISSUER"), certificateIssuerNameObject); } catch (InvocationTargetException ite) { methodSET.invoke(certInfoObject, getSetField(certInfoObject, "ISSUER"), x500NameObject); } // info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic())); Class<?> certificateX509KeyClass = Class.forName(getCertificateX509KeyModuleName()); Constructor<?> certificateX509KeyConstr = certificateX509KeyClass .getConstructor(new Class[] { PublicKey.class }); Object certificateX509KeyObject = certificateX509KeyConstr.newInstance(pair.getPublic()); methodSET.invoke(certInfoObject, getSetField(certInfoObject, "KEY"), certificateX509KeyObject); // info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3)); Class<?> certificateVersionClass = Class.forName(getCertificateVersionModuleName()); Constructor<?> certificateVersionConstr = certificateVersionClass .getConstructor(new Class[] { int.class }); Constructor<?> certificateVersionConstr0 = certificateVersionClass.getConstructor(); Object certInfoObject0 = certificateVersionConstr0.newInstance(); Field v3IntField = certInfoObject0.getClass().getDeclaredField("V3"); v3IntField.setAccessible(true); int fValue = (int) v3IntField.getInt(certInfoObject0); Object certificateVersionObject = certificateVersionConstr.newInstance(fValue); methodSET.invoke(certInfoObject, getSetField(certInfoObject, "VERSION"), certificateVersionObject); // AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid); Class<?> algorithmIdClass = Class.forName(getAlgorithmIdModuleName()); Field md5WithRSAField = algorithmIdClass.getDeclaredField("md5WithRSAEncryption_oid"); md5WithRSAField.setAccessible(true); Class<?> objectIdentifierClass = Class.forName(getObjectIdentifierModuleName()); Object md5WithRSAValue = md5WithRSAField.get(algorithmIdClass); Constructor<?> algorithmIdConstr = algorithmIdClass .getConstructor(new Class[] { objectIdentifierClass }); Object algorithmIdObject = algorithmIdConstr.newInstance(md5WithRSAValue); // info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo)); Class<?> certificateAlgorithmIdClass = Class.forName(getCertificateAlgorithmIdModuleName()); Constructor<?> certificateAlgorithmIdConstr = certificateAlgorithmIdClass .getConstructor(new Class[] { algorithmIdClass }); Object certificateAlgorithmIdObject = certificateAlgorithmIdConstr.newInstance(algorithmIdObject); methodSET.invoke(certInfoObject, getSetField(certInfoObject, "ALGORITHM_ID"), certificateAlgorithmIdObject); // Sign the cert to identify the algorithm that's used. // X509CertImpl cert = new X509CertImpl(info); Class<?> x509CertImplClass = Class.forName(getX509CertImplModuleName()); Constructor<?> x509CertImplConstr = x509CertImplClass.getConstructor(new Class[] { certInfoClass }); x509CertImplObject = x509CertImplConstr.newInstance(certInfoObject); // cert.sign(privkey, algorithm); Method methoSIGN = x509CertImplObject.getClass().getMethod("sign", PrivateKey.class, String.class); methoSIGN.invoke(x509CertImplObject, privkey, algorithm); // Update the algorith, and resign. // algo = (AlgorithmId)cert.get(X509CertImpl.SIG_ALG); Method methoGET = x509CertImplObject.getClass().getMethod("get", String.class); String sig_alg = getSetField(x509CertImplObject, "SIG_ALG"); String certAlgoIdNameValue = getSetField(certificateAlgorithmIdObject, "NAME"); String certAlgoIdAlgoValue = getSetField(certificateAlgorithmIdObject, "ALGORITHM"); // info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo); methodSET.invoke(certInfoObject, certAlgoIdNameValue + "." + certAlgoIdAlgoValue, methoGET.invoke(x509CertImplObject, sig_alg)); // cert = new X509CertImpl(info); x509CertImplObject = x509CertImplConstr.newInstance(certInfoObject); // cert.sign(privkey, algorithm); methoSIGN.invoke(x509CertImplObject, privkey, algorithm); } catch (Exception e) { LOG.failedToGenerateCertificate(e); } return (X509Certificate) x509CertImplObject; } private static String getX509CertInfoModuleName() { return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.x509.X509CertInfo" : "sun.security.x509.X509CertInfo"; } private static String getX509CertifValidityModuleName() { return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.x509.CertificateValidity" : "sun.security.x509.CertificateValidity"; } private static String getX509X500NameModuleName() { return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.x509.X500Name" : "sun.security.x509.X500Name"; } private static String getCertificateSerialNumberModuleName() { return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.x509.CertificateSerialNumber" : "sun.security.x509.CertificateSerialNumber"; } private static String getCertificateSubjectNameModuleName() { return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.x509.CertificateSubjectName" : "sun.security.x509.CertificateSubjectName"; } private static String getCertificateIssuerNameModuleName() { return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.x509.CertificateIssuerName" : "sun.security.x509.CertificateIssuerName"; } private static String getCertificateX509KeyModuleName() { return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.x509.CertificateX509Key" : "sun.security.x509.CertificateX509Key"; } private static String getCertificateVersionModuleName() { return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.x509.CertificateVersion" : "sun.security.x509.CertificateVersion"; } private static String getAlgorithmIdModuleName() { return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.x509.AlgorithmId" : "sun.security.x509.AlgorithmId"; } private static String getObjectIdentifierModuleName() { return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.util.ObjectIdentifier" : "sun.security.util.ObjectIdentifier"; } private static String getCertificateAlgorithmIdModuleName() { return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.x509.CertificateAlgorithmId" : "sun.security.x509.CertificateAlgorithmId"; } private static String getX509CertImplModuleName() { return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.x509.X509CertImpl" : "sun.security.x509.X509CertImpl"; } private static String getSetField(Object obj, String setString) throws Exception { Field privateStringField = obj.getClass().getDeclaredField(setString); privateStringField.setAccessible(true); String fieldValue = (String) privateStringField.get(obj); return fieldValue; } public static void writeCertificateToFile(Certificate cert, final File file) throws CertificateEncodingException, IOException { byte[] bytes = cert.getEncoded(); Base64 encoder = new Base64(76, "\n".getBytes("ASCII")); try (final FileOutputStream out = new FileOutputStream(file)) { out.write("-----BEGIN CERTIFICATE-----\n".getBytes("ASCII")); out.write(encoder.encodeToString(bytes).getBytes("ASCII")); out.write("-----END CERTIFICATE-----\n".getBytes("ASCII")); } } public static void writeCertificateToJKS(Certificate cert, final File file) throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException { KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); char[] password = "changeit".toCharArray(); ks.load(null, password); ks.setCertificateEntry("gateway-identity", cert); FileOutputStream fos = new FileOutputStream(file); /* Coverity Scan CID 1361992 */ try { ks.store(fos, password); } finally { fos.close(); } } }