Package fi.protonode.certy

Class Credential

java.lang.Object

fi.protonode.certy.Credential

public class Credential
extends Object

Credential is a builder class for generating certificates and PKI hierarchies programmatically. It is intended to be used in unit tests to create test certificates on-demand, to make it unnecessary to commit them into git repo as test data.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static enum	Credential.ExtKeyUsage	Extended key usage values for extKeyUsages.
static enum	Credential.KeyType	Key type values for keyType.
static enum	Credential.KeyUsage	Key usage values for keyUsages.

Field Summary

Fields

Modifier and Type	Field	Description
protected Certificate	certificate
protected Credential	issuer
protected KeyPair	keyPair
protected BigInteger	serial
protected org.bouncycastle.asn1.x500.X500Name	subject

Constructor Summary

Constructors

Constructor	Description
Credential()	Creates new credential builder.

Method Summary

Modifier and Type	Method	Description
Credential	ca(Boolean val)	Defines basic constraints CA attribute.
Credential	crlDistributionPointUri(String val)	Defines URI for CRL distribution point extension.
protected void	ensureGenerated()
Credential	expires(Duration val)	Defines notAfter by duration from current time.
Credential	extKeyUsages(List<Credential.ExtKeyUsage> val)	Defines an optional list of x509 extended key usages.
Credential	generate()	(Re)generate certificate and private key with currently set values.
Certificate	getCertificate()	Returns certificate.
String	getCertificateAsPem()	Returns PEM block containing X509 certificate.
Certificate[]	getCertificates()	Returns certificate and its chain (if any).
String	getCertificatesAsPem()	Returns PEM bundle containing X509 certificate and its chain (if any).
PrivateKey	getPrivateKey()	Returns private key.
String	getPrivateKeyAsPem()	Returns PEM block containing private key in PKCS8 format.
X509Certificate	getX509Certificate()	Returns certificate.
Credential	issuer(Credential val)	Defines the issuer Certificate.
Credential	keySize(int val)	Defines the key length in bits.
Credential	keyType(Credential.KeyType val)	Defines the certificate key algorithm.
Credential	keyUsages(List<Credential.KeyUsage> val)	Defines a sequence of values for x509 key usage extension.
Credential	notAfter(Date val)	Defines certificate not to be valid after given time.
Credential	notBefore(Date val)	Defines certificate not to be valid before given time.
Credential	serial(BigInteger val)	Defines serial number.
protected static String	signatureAlgorithm(PublicKey pub)
Credential	subject(String val)	Defines the distinguished name for the certificate (mandatory).
Credential	subjectAltName(String val)	Defines an optional value for x509 Subject Alternative Name extension.
Credential	subjectAltNames(List<String> val)	Defines an optional list of values for x509 Subject Alternative Name extension.
Credential	writeCertificateAsPem(Path out)	Writes X509 certificate to a file as PEM block.
Credential	writeCertificatesAsPem(Path out)	Writes PEM bundle containing X509 certificate and its chain (if any).
Credential	writePrivateKeyAsPem(Path out)	Writes private key in PKCS8 format to a file as PEM block.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

subject

protected org.bouncycastle.asn1.x500.X500Name subject

issuer

protected Credential issuer

serial

protected BigInteger serial

keyPair

protected KeyPair keyPair

certificate

protected Certificate certificate

Constructor Details

Credential

public Credential()

Creates new credential builder.

Method Details

subject

public Credential subject(String val)

Defines the distinguished name for the certificate (mandatory).

Example: "CN=Joe".

Parameters:

val - Subject name.

Returns:

The Credential itself.

subjectAltNames

public Credential subjectAltNames(List<String> val)

Defines an optional list of values for x509 Subject Alternative Name extension.

Examples: "DNS:www.example.com", "IP:1.2.3.4", "URI:https://www.example.com".

Parameters:

val - List of subject alternative names.

Returns:

The Credential itself.

subjectAltName

public Credential subjectAltName(String val)

Defines an optional value for x509 Subject Alternative Name extension.

Examples: "DNS:www.example.com", "IP:1.2.3.4", "URI:https://www.example.com".

Parameters:

val - Subject alternative name.

Returns:

The Credential itself.

keyType

public Credential keyType(Credential.KeyType val)

Defines the certificate key algorithm. Defaults to KeyType.EC if not set.

Parameters:

val - Key type.

Returns:

The Credential itself.

keySize

public Credential keySize(int val)

Defines the key length in bits. Default value is 256 (EC) or 2048 (RSA) if keySize is not set.

Examples: For keyType EC: 256, 384, 521. For keyType RSA: 1024, 2048, 4096.

Parameters:

val - Key size.

Returns:

The Credential itself.

expires

public Credential expires(Duration val)

Defines notAfter by duration from current time. notAfter takes precedence over expires. The default value is 1 year if expires is not set.

Parameters:

val - Time until expiration.

Returns:

The Credential itself.

notBefore

public Credential notBefore(Date val)

Defines certificate not to be valid before given time. The default value is current time if notBefore is not set.

Parameters:

val - Time when certificate becomes valid.

Returns:

The Credential itself.

notAfter

public Credential notAfter(Date val)

Defines certificate not to be valid after given time. Default value is current time + expires if notAfter is not set.

Parameters:

val - Time when certificate expires.

Returns:

The Credential itself.

keyUsages

public Credential keyUsages(List<Credential.KeyUsage> val)

Defines a sequence of values for x509 key usage extension.

Following defaults are used if keyUsages is not set:

CertSign and CRLSign are set for CA certificates. KeyEncipherment and DigitalSignature are set for end-entity certificates with RSA key. KeyEncipherment, DigitalSignature and KeyAgreement are set for end-entity certificates with EC key.

Parameters:

val - List of key usages.

Returns:

The Credential itself.

extKeyUsages

public Credential extKeyUsages(List<Credential.ExtKeyUsage> val)

Defines an optional list of x509 extended key usages.

Parameters:

val - List of extended key usages.

Returns:

The Credential itself.

issuer

public Credential issuer(Credential val)

Defines the issuer Certificate. Self-signed certificate is generated if issuer is not defined.

Parameters:

val - Instance of Credential that will be used to sign this certificate.

Returns:

The Credential itself.

ca

public Credential ca(Boolean val)

Defines basic constraints CA attribute. Self-signed certificates are automatically set CA:true, others default to CA:false.

Parameters:

val - Value for CA attribute of basic constraints.

Returns:

The Credential itself.

serial

public Credential serial(BigInteger val)

Defines serial number. Default value is current time in milliseconds.

Parameters:

val - Value for serial number.

Returns:

The Credential itself.

crlDistributionPointUri

public Credential crlDistributionPointUri(String val)

Defines URI for CRL distribution point extension.

Parameters:

val - URI for CRL distribution point.

Returns:

The Credential itself.

generate

public Credential generate()
                    throws CertificateException,
NoSuchAlgorithmException

(Re)generate certificate and private key with currently set values.

Returns:

The Credential itself.

Throws:

CertificateException

NoSuchAlgorithmException

getCertificateAsPem

public String getCertificateAsPem()
                           throws CertificateException,
NoSuchAlgorithmException,
IOException

Returns PEM block containing X509 certificate. To get PEM bundle including certificate chain see getCertificatesAsPem().

Returns:

String containing the certificate as PEM.

Throws:

CertificateException

NoSuchAlgorithmException

IOException

getCertificatesAsPem

public String getCertificatesAsPem()
                            throws CertificateException,
NoSuchAlgorithmException,
IOException

Returns PEM bundle containing X509 certificate and its chain (if any).

Returns:

String containing PEM bundle.

Throws:

CertificateException

NoSuchAlgorithmException

IOException

getPrivateKeyAsPem

public String getPrivateKeyAsPem()
                          throws IOException,
CertificateException,
NoSuchAlgorithmException

Returns PEM block containing private key in PKCS8 format.

Returns:

String containing the private key.

Throws:

IOException

CertificateException

NoSuchAlgorithmException

writeCertificateAsPem

public Credential writeCertificateAsPem(Path out)
                                 throws IOException,
CertificateException,
NoSuchAlgorithmException

Writes X509 certificate to a file as PEM block. To write PEM bundle including certificate chain see writeCertificatesAsPem(java.nio.file.Path).

Parameters:

out - Path to write the PEM file to.

Returns:

The Credential itself.

Throws:

IOException

CertificateException

NoSuchAlgorithmException

writeCertificatesAsPem

public Credential writeCertificatesAsPem(Path out)
                                  throws IOException,
CertificateException,
NoSuchAlgorithmException

Writes PEM bundle containing X509 certificate and its chain (if any).

Parameters:

out - Path to write the PEM file to.

Returns:

The Credential itself.

Throws:

IOException

CertificateException

NoSuchAlgorithmException

writePrivateKeyAsPem

public Credential writePrivateKeyAsPem(Path out)
                                throws IOException,
CertificateException,
NoSuchAlgorithmException

Writes private key in PKCS8 format to a file as PEM block.

Parameters:

out - Path to write the PEM file to.

Returns:

The Credential itself.

Throws:

IOException

CertificateException

NoSuchAlgorithmException

getCertificate

public Certificate getCertificate()
                           throws CertificateException,
NoSuchAlgorithmException

Returns certificate. To get certificate including certificate chain see getCertificates()

Returns:

Certificate.

Throws:

CertificateException

NoSuchAlgorithmException

getCertificates

public Certificate[] getCertificates()
                              throws CertificateException,
NoSuchAlgorithmException

Returns certificate and its chain (if any).

Returns:

Array of certificates.

Throws:

CertificateException

NoSuchAlgorithmException

getX509Certificate

public X509Certificate getX509Certificate()
                                   throws CertificateException,
NoSuchAlgorithmException

Returns certificate.

Returns:

Certificate as X509Certificate.

Throws:

CertificateException

NoSuchAlgorithmException

getPrivateKey

public PrivateKey getPrivateKey()
                         throws CertificateException,
NoSuchAlgorithmException

Returns private key.

Returns:

Private key.

Throws:

CertificateException

NoSuchAlgorithmException

ensureGenerated

protected void ensureGenerated()
                        throws CertificateException,
NoSuchAlgorithmException

Throws:

CertificateException

NoSuchAlgorithmException

signatureAlgorithm

protected static String signatureAlgorithm(PublicKey pub)