Package fi.protonode.certy
Class Credential
java.lang.Object
fi.protonode.certy.Credential
Credential is a builder class for generating certificates and PKI hierarchies programmatically.
It is intended for unit tests that create test certificates on demand, so that no certificates or private keys need to be committed to the git repository as test data. Every setter returns the Credential itself, so calls chain; the key pair and certificate are produced by generate(), and the getters and write methods declare the same CertificateException and NoSuchAlgorithmException because they generate the credential on first use through the protected ensureGenerated() hook if generate() has not been called yet.
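A minimal fixture, written here as an added example rather than code from the certy project, that builds a CA and a server certificate in memory and then checks with plain JDK APIs the properties a TLS test depends on: the leaf is signed by the CA, its issuer DN matches the CA subject, and the SAN the client will verify is present. It relies on the getters generating the credential on first use (the protected ensureGenerated() listed above); the hostname app.example.test is made up.

```java
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

import fi.protonode.certy.Credential;

// Added example (not from the certy project): CA + server certificate built in memory.
public class QuickStartExample {

    public static void main(String[] args) throws Exception {
        // Self-signed credential: no issuer, so certy marks it CA:true with keyCertSign/cRLSign.
        Credential ca = new Credential().subject("CN=test-ca");

        // End-entity certificate signed by the CA, carrying the SAN a TLS client matches on.
        Credential server = new Credential()
                .subject("CN=server")
                .issuer(ca)
                .subjectAltName("DNS:app.example.test");   // assumed test hostname

        X509Certificate caCert = ca.getX509Certificate();
        X509Certificate serverCert = server.getX509Certificate();

        // Throws SignatureException if the CA key did not produce this signature.
        serverCert.verify(caCert.getPublicKey());

        // Issuer DN of the leaf must equal the subject DN of the CA.
        if (!serverCert.getIssuerX500Principal().equals(caCert.getSubjectX500Principal())) {
            throw new AssertionError("unexpected issuer: " + serverCert.getIssuerX500Principal());
        }

        // SAN entries come back as [type, value] pairs; type 2 is dNSName (RFC 5280 GeneralName).
        Collection<List<?>> sans = serverCert.getSubjectAlternativeNames();
        boolean hasDns = sans != null && sans.stream()
                .anyMatch(e -> Integer.valueOf(2).equals(e.get(0)) && "app.example.test".equals(e.get(1)));
        if (!hasDns) {
            throw new AssertionError("SAN dNSName app.example.test missing: " + sans);
        }

        // The leaf's chain starts with the leaf itself and then contains its issuer(s).
        X509Certificate[] chain = server.getX509Certificates();
        if (chain.length < 2 || !chain[0].equals(serverCert)) {
            throw new AssertionError("unexpected chain layout, length " + chain.length);
        }
        System.out.println("OK: " + serverCert.getSubjectX500Principal() + ", chain length " + chain.length);
    }
}
```

Keeping the objects in memory (no PEM files, no git fixtures) is the whole point of the library; the same Credential instances can be handed to a KeyStore for an SSLContext in the test.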
Nested Class Summary
static enum - Extended key usage values for extKeyUsages.
static enum Credential.KeyType - Key type values for keyType.
static enum Credential.KeyUsage - Key usage values for keyUsages.

Field Summary
protected Certificate certificate
protected Credential issuer
protected KeyPair keyPair
protected BigInteger serial
protected org.bouncycastle.asn1.x500.X500Name subject

Constructor Summary
Credential() - Creates new credential builder.

Method Summary
ca - Defines basic constraints CA attribute.
crlDistributionPointUri - Defines URI for CRL distribution point extension.
protected void ensureGenerated
expires - Defines notAfter by duration from current time.
extKeyUsages - Defines an optional list of x509 extended key usages.
generate() - (Re)generate certificate and private key with currently set values.
getCertificate - Returns certificate.
getCertificateAsPem - Returns PEM block containing X509 certificate.
getCertificates - Returns certificate and its chain (if any).
getCertificatesAsPem - Returns PEM bundle containing X509 certificate and its chain (if any).
getPrivateKey - Returns private key.
getPrivateKeyAsPem - Returns PEM block containing private key in PKCS8 format.
getX509Certificate - Returns certificate.
getX509Certificates - Returns certificate and its chain (if any).
issuer(Credential val) - Defines the issuer Certificate.
keySize(int val) - Defines the key length in bits.
keyType - Defines the certificate key algorithm.
keyUsages(List<Credential.KeyUsage> val) - Defines a sequence of values for x509 key usage extension.
notAfter - Defines certificate not to be valid after given time.
notBefore - Defines certificate not to be valid before given time.
serial(BigInteger val) - Defines serial number.
protected static String signatureAlgorithm
subject - Defines the distinguished name for the certificate (mandatory).
subjectAltName(String val) - Defines an optional value for x509 Subject Alternative Name extension.
subjectAltNames(List<String> val) - Defines an optional list of values for x509 Subject Alternative Name extension.
writeCertificateAsPem - Writes X509 certificate to a file as PEM block.
writeCertificatesAsPem - Writes PEM bundle containing X509 certificate and its chain (if any).
writePrivateKeyAsPem(Path out) - Writes private key in PKCS8 format to a file as PEM block.
Field Details
protected org.bouncycastle.asn1.x500.X500Name subject
protected Credential issuer
protected BigInteger serial
protected KeyPair keyPair
protected Certificate certificate

Constructor Details
public Credential()
Creates new credential builder.
Method Details

subject
Defines the distinguished name for the certificate (mandatory). Example: "CN=Joe".
Parameters: val - Subject name.
Returns: The Credential itself.

subjectAltNames
Defines an optional list of values for the x509 Subject Alternative Name extension. Each value is prefixed with its type. Examples: "DNS:www.example.com", "IP:1.2.3.4", "URI:https://www.example.com". Modern TLS clients match the host name against the SAN extension, not against the CN of the subject, so any certificate whose host name a test client verifies needs a DNS or IP entry here.
Parameters: val - List of subject alternative names.
Returns: The Credential itself.

subjectAltName
Defines a single optional value for the x509 Subject Alternative Name extension, in the same "TYPE:value" form as subjectAltNames. Examples: "DNS:www.example.com", "IP:1.2.3.4", "URI:https://www.example.com".
Parameters: val - Subject alternative name.
Returns: The Credential itself.
keyType
Defines the certificate key algorithm. Defaults to KeyType.EC if not set.
Parameters: val - Key type.
Returns: The Credential itself.

keySize
Defines the key length in bits. Default value is 256 (EC) or 2048 (RSA) if keySize is not set. Examples: for keyType EC: 256, 384, 521 (the P-256, P-384 and P-521 curves); for keyType RSA: 1024, 2048, 4096; for keyType ED25519: 255. 1024-bit RSA is well below current minimums and is only useful when a test deliberately exercises weak-key handling.
Parameters: val - Key size.
Returns: The Credential itself.
expires
Defines notAfter as a duration from the current time. notAfter takes precedence over expires. The default value is 1 year if expires is not set.
Parameters: val - Time until expiration.
Returns: The Credential itself.

notBefore
Defines the time before which the certificate is not valid. The default value is the current time if notBefore is not set. Setting it in the future produces a not-yet-valid fixture.
Parameters: val - Time when certificate becomes valid.
Returns: The Credential itself.

notAfter
Defines the time after which the certificate is not valid. Default value is current time + expires if notAfter is not set. Setting it in the past produces an already-expired fixture without having to wait or manipulate the clock.
Parameters: val - Time when certificate expires.
Returns: The Credential itself.
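The three validity settings above are what a test of certificate-expiry handling needs. The following is an added example, not code from the certy project, that builds an expired, a not-yet-valid and a short-lived certificate and confirms with X509Certificate.checkValidity() how the JDK treats each. It assumes notBefore and notAfter take java.util.Date and expires takes java.time.Duration, which this page does not state, and that the getters generate the certificate on first use.

```java
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;

import fi.protonode.certy.Credential;

// Added example (not from the certy project): validity-period fixtures.
// Assumed parameter types: notBefore/notAfter(java.util.Date), expires(java.time.Duration).
public class ValidityExample {

    // Expired yesterday: notAfter in the past. notAfter overrides expires(), so neither
    // the one-year default nor anything passed to expires() applies here.
    static X509Certificate expiredCert() throws Exception {
        Instant now = Instant.now();
        return new Credential()
                .subject("CN=expired")
                .notBefore(Date.from(now.minus(Duration.ofDays(30))))
                .notAfter(Date.from(now.minus(Duration.ofDays(1))))
                .getX509Certificate();
    }

    // Not yet valid: notBefore in the future, notAfter derived from expires() (now + 2 days).
    static X509Certificate futureCert() throws Exception {
        Instant now = Instant.now();
        return new Credential()
                .subject("CN=future")
                .notBefore(Date.from(now.plus(Duration.ofDays(1))))
                .expires(Duration.ofDays(2))
                .getX509Certificate();
    }

    // Currently valid but short-lived: only expires() set, notBefore defaults to now.
    static X509Certificate shortLivedCert() throws Exception {
        return new Credential()
                .subject("CN=short")
                .expires(Duration.ofMinutes(5))
                .getX509Certificate();
    }

    public static void main(String[] args) throws Exception {
        try {
            expiredCert().checkValidity();
            throw new AssertionError("expired certificate was accepted");
        } catch (CertificateExpiredException expected) {
            System.out.println("expired: rejected as expected");
        }

        try {
            futureCert().checkValidity();
            throw new AssertionError("not-yet-valid certificate was accepted");
        } catch (CertificateNotYetValidException expected) {
            System.out.println("future: rejected as expected");
        }

        X509Certificate ok = shortLivedCert();
        ok.checkValidity();   // must not throw
        // X.509 times have one-second granularity, so allow a small tolerance on the lifetime.
        long lifetimeMillis = ok.getNotAfter().getTime() - ok.getNotBefore().getTime();
        if (Math.abs(lifetimeMillis - Duration.ofMinutes(5).toMillis()) > 2000) {
            throw new AssertionError("unexpected lifetime: " + lifetimeMillis + " ms");
        }
        System.out.println("short-lived: valid for " + lifetimeMillis / 1000 + " s");
    }
}
```

checkValidity() only looks at the two dates; whether an expired certificate is actually refused by the code under test (a TLS stack, a JWT verifier, a custom TrustManager) is what the fixture lets you assert.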
keyUsages
Defines a sequence of values for the x509 key usage extension. The following defaults are used if keyUsages is not set: CertSign and CRLSign for CA certificates; KeyEncipherment and DigitalSignature for end-entity certificates with an RSA key; KeyEncipherment, DigitalSignature and KeyAgreement for end-entity certificates with an EC key. Setting the list explicitly replaces these defaults entirely, so a CA given a custom list must include CertSign itself.
Parameters: val - List of key usages.
Returns: The Credential itself.

extKeyUsages
Defines an optional list of x509 extended key usages.
Parameters: val - List of extended key usages.
Returns: The Credential itself.
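The interaction of keyType, keySize, keyUsages and extKeyUsages is easiest to see by reading the generated extensions back. Below is an added example, not the certy project's code, that creates an RSA-4096 server certificate with explicit usages and an EC client certificate with the defaults, then checks the KeyUsage bit array and EKU OID list the JDK exposes. The enum constant names KeyType.RSA, KeyUsage.DIGITAL_SIGNATURE, KeyUsage.KEY_ENCIPHERMENT and ExtKeyUsage.SERVER_AUTH, and the nested enum name Credential.ExtKeyUsage, are assumptions; this page only names the enum values CertSign, CRLSign, KeyEncipherment, DigitalSignature and KeyAgreement in prose.

```java
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.List;

import fi.protonode.certy.Credential;
import fi.protonode.certy.Credential.ExtKeyUsage;   // assumed nested enum name
import fi.protonode.certy.Credential.KeyType;
import fi.protonode.certy.Credential.KeyUsage;

// Added example (not from the certy project). Enum constant names below are assumed.
public class KeyAndUsageExample {

    // RFC 5280 KeyUsage bit positions as returned by X509Certificate.getKeyUsage().
    static final int DIGITAL_SIGNATURE = 0, KEY_ENCIPHERMENT = 2, KEY_AGREEMENT = 4,
                     KEY_CERT_SIGN = 5, CRL_SIGN = 6;
    static final String OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1";
    static final String OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2";

    static void require(boolean cond, String msg) {
        if (!cond) throw new AssertionError(msg);
    }

    public static void main(String[] args) throws Exception {
        Credential ca = new Credential().subject("CN=ca");

        // RSA-4096 server certificate: signature + key transport, restricted to TLS server auth.
        X509Certificate rsaServer = new Credential()
                .subject("CN=rsa-server")
                .issuer(ca)
                .keyType(KeyType.RSA)
                .keySize(4096)
                .keyUsages(List.of(KeyUsage.DIGITAL_SIGNATURE, KeyUsage.KEY_ENCIPHERMENT))
                .extKeyUsages(List.of(ExtKeyUsage.SERVER_AUTH))
                .getX509Certificate();

        require(rsaServer.getPublicKey() instanceof RSAPublicKey, "expected RSA key");
        require(((RSAPublicKey) rsaServer.getPublicKey()).getModulus().bitLength() == 4096,
                "expected 4096-bit modulus");
        boolean[] ku = rsaServer.getKeyUsage();
        require(ku != null && ku[DIGITAL_SIGNATURE] && ku[KEY_ENCIPHERMENT] && !ku[KEY_CERT_SIGN],
                "unexpected key usage " + Arrays.toString(ku));
        List<String> eku = rsaServer.getExtendedKeyUsage();
        require(eku != null && eku.contains(OID_SERVER_AUTH) && !eku.contains(OID_CLIENT_AUTH),
                "unexpected extended key usage " + eku);

        // Defaults: EC P-256 key and the EC end-entity usages certy documents.
        X509Certificate ecClient = new Credential().subject("CN=ec-client").issuer(ca).getX509Certificate();
        require("EC".equals(ecClient.getPublicKey().getAlgorithm()), "expected EC key");
        boolean[] ecKu = ecClient.getKeyUsage();
        require(ecKu != null && ecKu[DIGITAL_SIGNATURE] && ecKu[KEY_ENCIPHERMENT] && ecKu[KEY_AGREEMENT],
                "unexpected EC default usage " + Arrays.toString(ecKu));

        // CA defaults: keyCertSign + cRLSign.
        boolean[] caKu = ca.getX509Certificate().getKeyUsage();
        require(caKu != null && caKu[KEY_CERT_SIGN] && caKu[CRL_SIGN], "CA key usage missing");
        System.out.println("all key usage checks passed");
    }
}
```

Reading the bits back through getKeyUsage() and getExtendedKeyUsage() is the same check a strict TLS stack performs, so a test that expects a handshake to fail on a client certificate with only serverAuth can be built the same way.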
issuer
Defines the issuer Credential. The certificate is signed with the issuer's private key, and the issuer's certificate becomes part of the chain returned by getCertificates(). A self-signed certificate is generated if issuer is not defined.
Parameters: val - Instance of Credential that will be used to sign this certificate.
Returns: The Credential itself.

ca
Defines the basic constraints CA attribute. Self-signed certificates are automatically set CA:true; others default to CA:false. An intermediate CA issued by another Credential is therefore not a CA unless ca(true) is set explicitly, and a path validator will reject a chain that passes through an issuer without CA:true.
Parameters: val - Value for CA attribute of basic constraints.
Returns: The Credential itself.
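The issuer and ca settings above are what a multi-level hierarchy is built from. The following added example, not code from the certy project, creates root, intermediate and leaf credentials, validates the chain with the JDK's PKIX CertPathValidator, and then shows the failure mode the ca documentation warns about: a chain through an issuer that was left at CA:false is rejected. It assumes certy signs with whichever issuer it is given without checking the issuer's CA flag, and that getX509Certificates() returns the leaf first followed by its issuer.

```java
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Set;

import fi.protonode.certy.Credential;

// Added example (not from the certy project): root -> intermediate -> leaf hierarchy
// validated with PKIX, plus the rejection of a path through a non-CA issuer.
public class HierarchyExample {

    // Validate [leaf, intermediate...] against the root as trust anchor. Revocation
    // checking is disabled because no CRL or OCSP responder exists in a unit test.
    static void validate(X509Certificate root, X509Certificate... leafToIntermediate) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(leafToIntermediate));
        PKIXParameters params = new PKIXParameters(Set.of(new TrustAnchor(root, null)));
        params.setRevocationEnabled(false);
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    public static void main(String[] args) throws Exception {
        Credential root = new Credential().subject("CN=root");             // self-signed: CA:true
        Credential intermediate = new Credential().subject("CN=intermediate")
                .issuer(root)
                .ca(true);                                                 // not implied by issuer()
        Credential leaf = new Credential().subject("CN=leaf")
                .issuer(intermediate)
                .subjectAltName("DNS:leaf.example.test");                  // assumed test hostname

        X509Certificate[] chain = leaf.getX509Certificates();
        if (chain.length < 2
                || !chain[1].getSubjectX500Principal().equals(intermediate.getX509Certificate().getSubjectX500Principal())) {
            throw new AssertionError("expected leaf followed by intermediate, got " + chain.length + " certs");
        }

        // Positive case: leaf + intermediate chain up to the root anchor.
        validate(root.getX509Certificate(), chain[0], chain[1]);
        System.out.println("chain validated: " + chain[0].getSubjectX500Principal());

        // Negative case: the issuer was never marked ca(true). certy still signs with it
        // (useful when testing a validator), but PKIX refuses the path.
        Credential notCa = new Credential().subject("CN=not-a-ca").issuer(root);   // CA:false by default
        Credential badLeaf = new Credential().subject("CN=bad-leaf").issuer(notCa);
        try {
            validate(root.getX509Certificate(), badLeaf.getX509Certificate(), notCa.getX509Certificate());
            throw new AssertionError("path through a non-CA certificate was accepted");
        } catch (CertPathValidatorException expected) {
            System.out.println("rejected as expected: " + expected.getMessage());
        }
    }
}
```

The non-CA issuer also lacks keyCertSign (certy's end-entity default), so PKIX has two independent reasons to reject it; either one is enough, which is why forgetting ca(true) on an intermediate shows up as a confusing failure in the code under test rather than at generation time.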
serial
Defines the serial number. Default value is the current time in milliseconds. Two certificates generated within the same millisecond therefore get the same serial, which violates the uniqueness-per-issuer rule of RFC 5280 and confuses validators and caches that key on (issuer, serial); set distinct serials explicitly when a test depends on them.
Parameters: val - Value for serial number.
Returns: The Credential itself.

crlDistributionPointUri
Defines the URI for the CRL distribution point extension.
Parameters: val - URI for CRL distribution point.
Returns: The Credential itself.

generate
(Re)generate the certificate and private key with the currently set values. Calling it on an already generated credential produces a fresh key pair and certificate; certificates already generated for credentials that use this one as their issuer keep their existing signature and must be regenerated as well.
Returns: The Credential itself.
Throws: CertificateException, NoSuchAlgorithmException
getCertificateAsPem
public String getCertificateAsPem() throws CertificateException, NoSuchAlgorithmException, IOException
Returns a PEM block containing the X509 certificate. To get a PEM bundle including the certificate chain see getCertificatesAsPem().
Returns: String containing the certificate as PEM.
Throws: CertificateException, NoSuchAlgorithmException, IOException

getCertificatesAsPem
public String getCertificatesAsPem() throws CertificateException, NoSuchAlgorithmException, IOException
Returns a PEM bundle containing the X509 certificate and its chain (if any).
Returns: String containing PEM bundle.
Throws: CertificateException, NoSuchAlgorithmException, IOException

getPrivateKeyAsPem
public String getPrivateKeyAsPem() throws IOException, CertificateException, NoSuchAlgorithmException
Returns a PEM block containing the private key in PKCS8 format.
Returns: String containing the private key.
Throws: IOException, CertificateException, NoSuchAlgorithmException

writeCertificateAsPem
public Credential writeCertificateAsPem(Path out) throws IOException, CertificateException, NoSuchAlgorithmException
Writes the X509 certificate to a file as a PEM block. To write a PEM bundle including the certificate chain see writeCertificatesAsPem(java.nio.file.Path).
Parameters: out - Path to write the PEM file to.
Returns: The Credential itself.
Throws: IOException, CertificateException, NoSuchAlgorithmException

writeCertificatesAsPem
public Credential writeCertificatesAsPem(Path out) throws IOException, CertificateException, NoSuchAlgorithmException
Writes a PEM bundle containing the X509 certificate and its chain (if any).
Parameters: out - Path to write the PEM file to.
Returns: The Credential itself.
Throws: IOException, CertificateException, NoSuchAlgorithmException

writePrivateKeyAsPem
public Credential writePrivateKeyAsPem(Path out) throws IOException, CertificateException, NoSuchAlgorithmException
Writes the private key in PKCS8 format to a file as a PEM block. The key is written unencrypted, so write it to a temporary directory that the test removes rather than anywhere under version control.
Parameters: out - Path to write the PEM file to.
Returns: The Credential itself.
Throws: IOException, CertificateException, NoSuchAlgorithmException
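The PEM writers above produce the files a server or client under test usually loads from disk. The following added example, not the certy project's own code, writes a certificate bundle, a PKCS8 key and a CA certificate into a temporary directory, reads them back with nothing but the JDK (CertificateFactory for the bundle, PKCS8EncodedKeySpec for the key), and proves the reloaded key belongs to the reloaded certificate by signing and verifying a constructed challenge. It assumes the bundle lists the leaf first, that the key file uses the standard "BEGIN PRIVATE KEY" PKCS8 header, and the default EC key type.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.List;
import java.util.stream.Collectors;

import fi.protonode.certy.Credential;

// Added example (not from the certy project): PEM files written by certy, reloaded with the JDK.
public class PemRoundTripExample {

    // Parse an unencrypted PKCS#8 PEM block ("BEGIN PRIVATE KEY") for the given key algorithm.
    static PrivateKey readPkcs8Pem(Path file, String algorithm) throws Exception {
        String pem = Files.readString(file);
        String base64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                           .replace("-----END PRIVATE KEY-----", "")
                           .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // CertificateFactory accepts a PEM bundle and returns one certificate per block, in file order.
    static List<X509Certificate> readPemBundle(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return cf.generateCertificates(new ByteArrayInputStream(Files.readAllBytes(file)))
                 .stream().map(c -> (X509Certificate) c).collect(Collectors.toList());
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("certy-example");   // never under version control
        Credential ca = new Credential().subject("CN=ca");
        Credential server = new Credential().subject("CN=server").issuer(ca)
                .subjectAltName("DNS:app.example.test");          // assumed test hostname

        server.writeCertificatesAsPem(dir.resolve("server.pem"));   // leaf + issuer chain
        server.writePrivateKeyAsPem(dir.resolve("server-key.pem")); // unencrypted PKCS#8
        ca.writeCertificateAsPem(dir.resolve("ca.pem"));            // single block: the trust anchor

        List<X509Certificate> bundle = readPemBundle(dir.resolve("server.pem"));
        X509Certificate leaf = bundle.get(0);
        X509Certificate caCert = readPemBundle(dir.resolve("ca.pem")).get(0);
        if (bundle.size() < 2 || !bundle.get(1).equals(caCert)) {
            throw new AssertionError("bundle does not carry the CA certificate after the leaf");
        }

        // Default key type is EC, so the key factory and signature algorithm are the EC ones.
        PrivateKey key = readPkcs8Pem(dir.resolve("server-key.pem"), leaf.getPublicKey().getAlgorithm());
        byte[] challenge = "constructed challenge bytes".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(key);
        signer.update(challenge);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withECDSA");
        verifier.initVerify(leaf.getPublicKey());
        verifier.update(challenge);
        if (!verifier.verify(sig)) throw new AssertionError("private key does not match certificate");

        leaf.verify(caCert.getPublicKey());   // the leaf in the bundle is signed by the CA in ca.pem
        System.out.println("PEM round trip OK in " + dir);
    }
}
```

The sign-then-verify step is the check worth keeping in a test: a mismatched key and certificate pair is exactly the misconfiguration that surfaces later as an opaque TLS handshake failure.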
getCertificate
Returns the certificate. To get the certificate including its chain see getCertificates().
Returns: Certificate.
Throws: CertificateException, NoSuchAlgorithmException

getCertificates
Returns the certificate and its chain (if any).
Returns: Array of certificates.
Throws: CertificateException, NoSuchAlgorithmException

getX509Certificate
Returns the certificate.
Returns: Certificate as X509Certificate.
Throws: CertificateException, NoSuchAlgorithmException

getX509Certificates
public X509Certificate[] getX509Certificates() throws CertificateException, NoSuchAlgorithmException
Returns the certificate and its chain (if any).
Returns: Array of certificates as X509Certificate.
Throws: CertificateException, NoSuchAlgorithmException

getPrivateKey
Returns the private key.
Returns: Private key.
Throws: CertificateException, NoSuchAlgorithmException

ensureGenerated
protected void ensureGenerated

signatureAlgorithm
protected static String signatureAlgorithm