This is an automated email from the ASF dual-hosted git repository. struberg pushed a commit to branch fb_jakarta in repository https://gitbox.apache.org/repos/asf/openwebbeans-meecrowave.git
commit 58ac9ffaba6b62488e83da0fb08a69164a88357d
Author: Mark Struberg <strub...@apache.org>
AuthorDate: Tue Jun 11 16:24:47 2024 +0200
MEECROWAVE-338 move from sun.security to bouncy castle
---
.../org/apache/meecrowave/oauth2/Keystores.java | 109 +++++++-------------
1 file changed, 33 insertions(+), 76 deletions(-)
diff --git a/meecrowave-oauth2-minimal/src/test/java/org/apache/meecrowave/oauth2/Keystores.java b/meecrowave-oauth2-minimal/src/test/java/org/apache/meecrowave/oauth2/Keystores.java
index 38a88f5..a1c7d75 100644
--- a/meecrowave-oauth2-minimal/src/test/java/org/apache/meecrowave/oauth2/Keystores.java
+++ b/meecrowave-oauth2-minimal/src/test/java/org/apache/meecrowave/oauth2/Keystores.java
@@ -23,11 +23,15 @@ import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
 import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import java.io.FileOutputStream;
+import java.io.OutputStream;
 import java.math.BigInteger;
 import java.security.*;
 import java.io.File;
+import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.time.Instant;
 import java.util.Date;
@@ -38,97 +42,50 @@ public final class Keystores {
 }
 public static PublicKey create(final File keystore) throws Exception {
+ Security.setProperty("crypto.policy", "unlimited");
+
 final KeyStore ks = KeyStore.getInstance("JKS");
 ks.load(null, "password".toCharArray());
- KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
- keyGen.initialize(2048);
- KeyPair keyPair = keyGen.generateKeyPair();
- final PrivateKey rootPrivateKey = keyPair.getPrivate();
-
- X500Name issuerName = new X500Name("OU=apache,CN=mwtest");
-
- JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
- issuerName,
- BigInteger.valueOf(System.currentTimeMillis()),
- Date.from(Instant.now()), Date.from(Instant.now().plusMillis(1096 * 24 * 60 * 60)),
- issuerName, keyPair.getPublic());
- ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA").build(rootPrivateKey);
- X509CertificateHolder certHolder = builder.build(signer);
- X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(certHolder);
-
- return keyPair.getPublic();
-
- //X TODO
- /*X TODO fixme
- CryptoUtils.installBouncyCastleProvider();
-
-
- final CertAndKeyGen keyGen = new CertAndKeyGen("RSA", "SHA256WithRSA", null);
- keyGen.generate(2048);
- final PrivateKey rootPrivateKey = keyGen.getPrivateKey();
-
- X509Certificate rootCertificate = keyGen.getSelfCertificate(new X500Name("cn=root"), (long) 365 * 24 * 60 * 60);
-
- final CertAndKeyGen keyGen1 = new CertAndKeyGen("RSA", "SHA256WithRSA", null);
- keyGen1.generate(2048);
- final PrivateKey middlePrivateKey = keyGen1.getPrivateKey();
-
- X509Certificate middleCertificate = keyGen1.getSelfCertificate(new X500Name("CN=MIDDLE"), (long) 365 * 24 * 60 * 60);
+ KeyPair rootKeyPair = generateKeyPair();
+ X500Name rootIssuerName = new X500Name("OU=apache,CN=root");
+ X509Certificate rootCertificate = getCertificate(rootKeyPair, rootIssuerName, rootKeyPair.getPrivate());
- //Generate leaf certificate
- final CertAndKeyGen keyGen2 = new CertAndKeyGen("RSA", "SHA256WithRSA", null);
- keyGen2.generate(2048);
- final PrivateKey topPrivateKey = keyGen2.getPrivateKey();
+ KeyPair middleKeyPair = generateKeyPair();
+ X500Name middleIssuerName = new X500Name("OU=apache,CN=middle");
+ X509Certificate middleCertificate = getCertificate(middleKeyPair, middleIssuerName, rootKeyPair.getPrivate());
+ KeyPair topKeyPair = generateKeyPair();
+ X500Name topIssuerName = new X500Name("OU=apache,CN=top");
+ X509Certificate topCertificate = getCertificate(topKeyPair, topIssuerName, middleKeyPair.getPrivate());
- X509Certificate topCertificate = keyGen2.getSelfCertificate(new X500Name("cn=root"), (long) 365 * 24 * 60 * 60);
-
- rootCertificate = createSignedCertificate(rootCertificate, rootCertificate, rootPrivateKey);
- middleCertificate = createSignedCertificate(middleCertificate, rootCertificate, rootPrivateKey);
- topCertificate = createSignedCertificate(topCertificate, middleCertificate, middlePrivateKey);
 final X509Certificate[] chain = new X509Certificate[]{topCertificate, middleCertificate, rootCertificate};
-
- ks.setKeyEntry("alice", topPrivateKey, "pwd".toCharArray(), chain);
-
-
+ ks.setKeyEntry("alice", topKeyPair.getPrivate(), "pwd".toCharArray(), chain);
 keystore.getParentFile().mkdirs();
 try (final OutputStream os = new FileOutputStream(keystore)) {
 ks.store(os, "password".toCharArray());
 }
- return keyGen2.getPublicKey();
-*/
+ return topKeyPair.getPublic();
 }
- private static X509Certificate createSignedCertificate(final X509Certificate cetrificate, final X509Certificate issuerCertificate,
- final PrivateKey issuerPrivateKey) {
- return null;
-/*X TODO fixme
- try {
- Principal issuer = issuerCertificate.getSubjectDN();
- String issuerSigAlg = issuerCertificate.getSigAlgName();
-
- byte[] inCertBytes = cetrificate.getTBSCertificate();
- X509CertInfo info = new X509CertInfo(inCertBytes);
- info.set(X509CertInfo.ISSUER, (X500Name) issuer);
-
- //No need to add the BasicContraint for leaf cert
- if (!cetrificate.getSubjectDN().getName().equals("CN=TOP")) {
- CertificateExtensions exts = new CertificateExtensions();
- BasicConstraintsExtension bce = new BasicConstraintsExtension(true, -1);
- exts.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(false, bce.getExtensionValue()));
- info.set(X509CertInfo.EXTENSIONS, exts);
- }
-
- final X509CertImpl outCert = new X509CertImpl(info);
- outCert.sign(issuerPrivateKey, issuerSigAlg);
+ private static KeyPair generateKeyPair() throws NoSuchAlgorithmException {
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+ keyGen.initialize(2048);
+ return keyGen.generateKeyPair();
+ }
- return outCert;
- } catch (final Exception ex) {
- throw new IllegalStateException(ex);
- }
-*/
+ private static X509Certificate getCertificate(KeyPair certKeyPair, X500Name issuerName, PrivateKey signerKey)
+ throws OperatorCreationException, CertificateException {
+ JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
+ issuerName,
+ BigInteger.valueOf(System.currentTimeMillis()),
+ Date.from(Instant.now()), Date.from(Instant.now().plusMillis(1096 * 24 * 60 * 60)),
+ issuerName, certKeyPair.getPublic());
+ ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA").build(signerKey);
+ X509CertificateHolder certHolder = builder.build(signer);
+ return new JcaX509CertificateConverter().getCertificate(certHolder);
 }
+
 }
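Review bot: getCertificate hands `issuerName` to JcaX509v3CertificateBuilder as both the issuer (first argument) and the subject (fifth argument), so the middle certificate names "OU=apache,CN=middle" as its issuer while being signed with the root key, and top/middle likewise; path validation of the chain stored under "alice" will fail on that issuer/subject mismatch, so the helper needs separate subject and issuer parameters, with create passing the signer's name as issuer. The same helper carries two older problems into the new code: `plusMillis(1096 * 24 * 60 * 60)` gives a validity of roughly 26 hours rather than 1096 days (the operand is a count of seconds), and `BigInteger.valueOf(System.currentTimeMillis())` can give the root and middle certificates, both issued by the root, the same serial when they are built within one millisecond. The reworked helper is below; the three call sites in create become `getCertificate(rootKeyPair, rootIssuerName, rootIssuerName, rootKeyPair.getPrivate())`, `getCertificate(middleKeyPair, middleIssuerName, rootIssuerName, rootKeyPair.getPrivate())` and `getCertificate(topKeyPair, topIssuerName, middleIssuerName, middleKeyPair.getPrivate())`. Neither root nor middle carries a BasicConstraints extension marking it as a CA, which the removed sun.security code did set for non-leaf certificates, so a strict validator may still reject the chain once the names line up. The `Security.setProperty("crypto.policy", "unlimited")` added at the top of create is a process-wide setting that, as far as I can tell, is only consulted when the JCE framework initialises, so from inside a test method it is likely a no-op and is better supplied as a JVM option or dropped.
```java
    private static X509Certificate getCertificate(KeyPair certKeyPair, X500Name subjectName, X500Name issuerName,
                                                  PrivateKey signerKey)
            throws OperatorCreationException, CertificateException {
        Instant notBefore = Instant.now();
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                issuerName,
                new BigInteger(64, new SecureRandom()), // unique per issuer, unlike wall-clock millis
                Date.from(notBefore), Date.from(notBefore.plusSeconds(1096L * 24 * 60 * 60)),
                subjectName, certKeyPair.getPublic());
        // … unchanged: ContentSigner, builder.build(signer), JcaX509CertificateConverter …
```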