Hi Bernd, I'm not sure what you mean about exporting the package. I only have it working on JDK 1.8 right now, and I'm not sure about configuring it for multiple JDK versions.
All of the code in X509CertificateCreator depends heavily
<https://github.com/tersesystems/securitybuilder/blob/master/src/main/java/com/tersesystems/securitybuilder/X509CertificateCreator.java#L20>
on the x509 implementation:

import sun.security.x509.AlgorithmId;
import sun.security.x509.BasicConstraintsExtension;
import sun.security.x509.CertificateAlgorithmId;
import sun.security.x509.CertificateExtensions;
import sun.security.x509.CertificateSerialNumber;
import sun.security.x509.CertificateValidity;
import sun.security.x509.CertificateVersion;
import sun.security.x509.CertificateX509Key;
import sun.security.x509.KeyUsageExtension;
import sun.security.x509.X500Name;
import sun.security.x509.X509CertImpl;
import sun.security.x509.X509CertInfo;

But I don't see a way to get around that, and this package seems to be required by OpenJDK. Other than that, the only requirement on a "sun" package is a call out to JCAUtil:
https://github.com/tersesystems/securitybuilder/blob/master/src/main/java/com/tersesystems/securitybuilder/EntropySource.java#L4
which can be easily removed.

On Mon, Oct 15, 2018 at 1:27 PM Bernd Eckenfels <e...@zusammenkunft.net> wrote:
> That's very cool!
>
> Maybe this is the right thread to discuss the future of the
> sun.security.x509 package.
>
> Currently your implementation will only work if that package is exported.
> The depth of implementation of those classes however would be a nice
> addition to an (optional?) API.
>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net
>
> *From: *Will Sargent <will.sarg...@gmail.com>
> *Sent: *Monday, 15 October 2018 22:13
> *To: *security-dev@openjdk.java.net
> *Subject: *Fluent builder API for JCA/JSSE classes
>
> Hi all,
>
> I've released a library that adds a fluent builder API library for JCA
> factory and generator classes. The primary use of this package is to set up
> test X.509 certificates, private keys and trust stores, but it's also
> helpful for picking out good defaults and working on a higher level than
> the raw JCA classes themselves. It's available at
> https://github.com/tersesystems/securitybuilder
>
> Example below of building up an SSLContext from scratch:
>
> public class X509CertificateCreatorTest {
>   @Test
>   public void testFunctionalStyle() throws Exception {
>     FinalStage<RSAKeyPair> keyPairCreator =
>         KeyPairCreator.creator().withRSA().withKeySize(2048);
>     RSAKeyPair rootKeyPair = keyPairCreator.create();
>     RSAKeyPair intermediateKeyPair = keyPairCreator.create();
>     RSAKeyPair eePair = keyPairCreator.create();
>
>     IssuerStage<RSAPrivateKey> creator =
>         X509CertificateCreator.creator().withSHA256withRSA().withDuration(Duration.ofDays(365));
>
>     String issuer = "CN=letsencrypt.derp,O=Root CA";
>     X509Certificate[] chain =
>         creator
>             .withRootCA(issuer, rootKeyPair, 2)
>             .chain(
>                 rootKeyPair.getPrivate(),
>                 rootCreator ->
>                     rootCreator
>                         .withPublicKey(intermediateKeyPair.getPublic())
>                         .withSubject("OU=intermediate CA")
>                         .withCertificateAuthorityExtensions(0)
>                         .chain(
>                             intermediateKeyPair.getPrivate(),
>                             intCreator ->
>                                 intCreator
>                                     .withPublicKey(eePair.getPublic())
>                                     .withSubject("CN=tersesystems.com")
>                                     .withEndEntityExtensions()
>                                     .chain()))
>             .create();
>
>     PrivateKeyStore privateKeyStore =
>         PrivateKeyStore.create("tersesystems.com", eePair.getPrivate(), chain);
>     TrustStore trustStore =
>         TrustStore.create(singletonList(chain[2]), cert -> "letsencrypt.derp");
>
>     try {
>       final PKIXCertPathValidatorResult result =
>           CertificateChainValidator.validator()
>               .withAnchor(new TrustAnchor(issuer, rootKeyPair.getPublic(), null))
>               .withCertificates(chain)
>               .validate();
>       final PublicKey subjectPublicKey = result.getPublicKey();
>       assertThat(subjectPublicKey).isEqualTo(eePair.getPublic());
>     } catch (final CertPathValidatorException cpve) {
>       fail("Cannot test exception", cpve);
>     }
>
>     SSLContext sslContext =
>         SSLContextBuilder.builder()
>             .withTLS()
>             .withKeyManager(
>                 KeyManagerBuilder.builder()
>                     .withSunX509()
>                     .withPrivateKeyStore(privateKeyStore)
>                     .build())
>             .withTrustManager(
>                 TrustManagerBuilder.builder()
>                     .withDefaultAlgorithm()
>                     .withTrustStore(trustStore)
>                     .build())
>             .build();
>     assertThat(sslContext).isNotNull();
>   }
> }
>
> Thanks,
> Will.
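Added example, not code from this thread or from the securitybuilder project: it issues a two-certificate test chain directly with the same sun.security.x509 classes that X509CertificateCreator imports, then validates the chain with the public java.security.cert.CertPathValidator API, including a negative check with a certificate signed by a key the root does not hold. The class and method names (InternalX509Example, issue, validate) are hypothetical, the distinguished names are constructed test data, and the code assumes the JDK 8 shape of the internal API (X509CertInfo.set with the string keys shown); later JDKs have changed that internal API.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.*;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.concurrent.TimeUnit;

import sun.security.x509.*;

// Hypothetical example class; it is not part of securitybuilder.
public class InternalX509Example {
    private static final String SIG_ALG = "SHA256withRSA";

    // Issues one X.509 v3 certificate through the JDK 8 sun.security.x509 classes.
    static X509Certificate issue(String subjectDn, PublicKey subjectKey,
                                 X500Name issuer, PrivateKey issuerKey,
                                 boolean isCa, long days) throws Exception {
        X509CertInfo info = new X509CertInfo();
        info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
        info.set(X509CertInfo.SERIAL_NUMBER,
                 new CertificateSerialNumber(new BigInteger(64, new SecureRandom())));
        info.set(X509CertInfo.ALGORITHM_ID,
                 new CertificateAlgorithmId(AlgorithmId.get(SIG_ALG)));
        info.set(X509CertInfo.SUBJECT, new X500Name(subjectDn));
        info.set(X509CertInfo.ISSUER, issuer);
        info.set(X509CertInfo.KEY, new CertificateX509Key(subjectKey));
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(days));
        info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));

        // Critical basicConstraints and keyUsage, so PKIX validation can tell
        // a CA certificate from an end-entity certificate.
        CertificateExtensions exts = new CertificateExtensions();
        exts.set(BasicConstraintsExtension.NAME,
                 new BasicConstraintsExtension(Boolean.TRUE, isCa, isCa ? 0 : -1));
        KeyUsageExtension keyUsage = new KeyUsageExtension();
        if (isCa) {
            keyUsage.set(KeyUsageExtension.KEY_CERTSIGN, Boolean.TRUE);
            keyUsage.set(KeyUsageExtension.CRL_SIGN, Boolean.TRUE);
        } else {
            keyUsage.set(KeyUsageExtension.DIGITAL_SIGNATURE, Boolean.TRUE);
            keyUsage.set(KeyUsageExtension.KEY_ENCIPHERMENT, Boolean.TRUE);
        }
        exts.set(KeyUsageExtension.NAME, keyUsage);
        info.set(X509CertInfo.EXTENSIONS, exts);

        X509CertImpl cert = new X509CertImpl(info);
        cert.sign(issuerKey, SIG_ALG);
        return cert;
    }

    // Validates a leaf-first chain against its last element using only the public
    // CertPathValidator API. The trust anchor itself is not part of the cert path.
    static PKIXCertPathValidatorResult validate(X509Certificate[] chain) throws Exception {
        X509Certificate root = chain[chain.length - 1];
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(
                Arrays.asList(chain).subList(0, chain.length - 1));
        PKIXParameters params =
                new PKIXParameters(Collections.singleton(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false); // test chain: no CRL or OCSP exists for it
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair rootKeys = gen.generateKeyPair();
        KeyPair leafKeys = gen.generateKeyPair();
        KeyPair rogueKeys = gen.generateKeyPair(); // never trusted by anyone

        String rootDn = "CN=Test Root CA,O=Example"; // constructed test data
        X500Name rootName = new X500Name(rootDn);
        X509Certificate root = issue(rootDn, rootKeys.getPublic(),
                                     rootName, rootKeys.getPrivate(), true, 3650);
        X509Certificate leaf = issue("CN=tersesystems.com", leafKeys.getPublic(),
                                     rootName, rootKeys.getPrivate(), false, 365);

        PKIXCertPathValidatorResult ok = validate(new X509Certificate[] {leaf, root});
        System.out.println("chain valid, leaf key matches: "
                + ok.getPublicKey().equals(leafKeys.getPublic()));

        // Negative check: correct issuer name, but signed with a key the root does not hold.
        X509Certificate forged = issue("CN=tersesystems.com", leafKeys.getPublic(),
                                       rootName, rogueKeys.getPrivate(), false, 365);
        try {
            validate(new X509Certificate[] {forged, root});
            System.out.println("BUG: forged chain accepted");
        } catch (CertPathValidatorException e) {
            System.out.println("forged chain rejected: " + e.getMessage());
        }
    }
}
```

On JDK 8 javac only warns that sun.security.x509 is internal proprietary API; on JDK 9 and later both javac and java need `--add-exports java.base/sun.security.x509=ALL-UNNAMED`, which is the export requirement Bernd raises above. Revocation checking is switched off only because the generated chain has no CRL or OCSP responder; leave it enabled when validating real chains.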