Package fi.protonode.certy
Class Credential
java.lang.Object
fi.protonode.certy.Credential
Credential is a builder class for generating certificates and PKI hierarchies programmatically.
It is intended for use in unit tests to create test certificates on demand, so that they do not need to be committed to a git repository as test data.
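Added example (not code from the certy project): a three-level test PKI built with the builder methods documented on this page and checked with the JDK's PKIX validator, including a negative case where a look-alike root with the same subject but a different key must be rejected. The subject names and the class name CertyChainExample are constructed; the example assumes that the getters generate certificates on first use, that subject takes a String and ca accepts a boolean literal, and that getCertificates() returns the leaf certificate first.

```java
import fi.protonode.certy.Credential;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class CertyChainExample {
    // True if the leaf's chain validates to the given root with the JDK PKIX validator.
    static boolean chainsTo(Credential leaf, Credential root) throws Exception {
        // Certificate plus its chain (if any); the trust anchor itself must not be in the path.
        List<Certificate> path = new ArrayList<>(Arrays.asList(leaf.getCertificates()));
        path.remove(root.getCertificate());
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(root.getX509Certificate(), null)));
        params.setRevocationEnabled(false); // the constructed test PKI publishes no CRL or OCSP
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return true;
        } catch (CertPathValidatorException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // All names below are constructed sample values.
        Credential root = new Credential().subject("CN=test-root");
        Credential sub = new Credential().subject("CN=test-sub").issuer(root).ca(true);
        Credential server = new Credential().subject("CN=server").issuer(sub)
                .subjectAltNames(Arrays.asList("DNS:www.example.com", "IP:1.2.3.4"));
        // Same subject name as the trusted root but a freshly generated key.
        Credential rogueRoot = new Credential().subject("CN=test-root");
        Credential rogue = new Credential().subject("CN=server").issuer(rogueRoot)
                .subjectAltName("DNS:www.example.com");

        System.out.println("server chains to root: " + chainsTo(server, root));
        System.out.println("rogue chains to root:  " + chainsTo(rogue, root));
        System.out.println(server.getCertificatesAsPem()); // bundle for the server under test
    }
}
```

A client test that trusts only root should accept server and reject rogue, since trust follows the signing key and not the subject name.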
-
Nested Class Summary
Modifier and Type - Description
static enum - Extended key usage values for extKeyUsages.
static enum - Key type values for keyType.
static enum - Key usage values for keyUsages.
-
Field Summary
Modifier and Type - Field
protected Certificate certificate
protected Credential issuer
protected KeyPair keyPair
protected BigInteger serial
protected org.bouncycastle.asn1.x500.X500Name subject
-
Constructor Summary
-
Method Summary
Method - Description
ca - Defines basic constraints CA attribute.
crlDistributionPointUri - Defines URI for CRL distribution point extension.
protected void ensureGenerated
expires - Defines notAfter by duration from current time.
extKeyUsages - Defines an optional list of x509 extended key usages.
generate() - (Re)generate certificate and private key with currently set values.
getCertificate - Returns certificate.
getCertificateAsPem() - Returns PEM block containing X509 certificate.
getCertificates - Returns certificate and its chain (if any).
getCertificatesAsPem() - Returns PEM bundle containing X509 certificate and its chain (if any).
getPrivateKey - Returns private key.
getPrivateKeyAsPem() - Returns PEM block containing private key in PKCS8 format.
getX509Certificate - Returns certificate.
issuer(Credential val) - Defines the issuer Certificate.
keySize(int val) - Defines the key length in bits.
keyType - Defines the certificate key algorithm.
keyUsages(List<Credential.KeyUsage> val) - Defines a sequence of values for x509 key usage extension.
notAfter - Defines certificate not to be valid after given time.
notBefore - Defines certificate not to be valid before given time.
serial(BigInteger val) - Defines serial number.
protected static String signatureAlgorithm
subject - Defines the distinguished name for the certificate (mandatory).
subjectAltName(String val) - Defines an optional value for x509 Subject Alternative Name extension.
subjectAltNames(List<String> val) - Defines an optional list of values for x509 Subject Alternative Name extension.
writeCertificateAsPem(Path out) - Writes X509 certificate to a file as PEM block.
writeCertificatesAsPem(Path out) - Writes PEM bundle containing X509 certificate and its chain (if any).
writePrivateKeyAsPem(Path out) - Writes private key in PKCS8 format to a file as PEM block.
-
Field Details
-
subject
protected org.bouncycastle.asn1.x500.X500Name subject
-
issuer
-
serial
-
keyPair
-
certificate
-
-
Constructor Details
-
Credential
public Credential()
Creates new credential builder.
-
-
Method Details
-
subject
Defines the distinguished name for the certificate (mandatory). Example: "CN=Joe".
- Parameters:
val - Subject name.
- Returns:
- The Credential itself.
-
subjectAltNames
Defines an optional list of values for x509 Subject Alternative Name extension. Examples: "DNS:www.example.com", "IP:1.2.3.4", "URI:https://www.example.com".
- Parameters:
val - List of subject alternative names.
- Returns:
- The Credential itself.
-
subjectAltName
Defines an optional value for x509 Subject Alternative Name extension. Examples: "DNS:www.example.com", "IP:1.2.3.4", "URI:https://www.example.com".
- Parameters:
val - Subject alternative name.
- Returns:
- The Credential itself.
-
keyType
Defines the certificate key algorithm. Defaults to KeyType.EC if not set.
- Parameters:
val - Key type.
- Returns:
- The Credential itself.
-
keySize
Defines the key length in bits. Default value is 256 (EC) or 2048 (RSA) if keySize is not set. Examples: For keyType EC: 256, 384, 521. For keyType RSA: 1024, 2048, 4096.
- Parameters:
val - Key size.
- Returns:
- The Credential itself.
-
expires
Defines notAfter by duration from current time. notAfter takes precedence over expires. The default value is 1 year if expires is not set.
- Parameters:
val - Time until expiration.
- Returns:
- The Credential itself.
-
notBefore
Defines certificate not to be valid before given time. The default value is current time if notBefore is not set.
- Parameters:
val - Time when certificate becomes valid.
- Returns:
- The Credential itself.
-
notAfter
Defines certificate not to be valid after given time. Default value is current time + expires if notAfter is not set.
- Parameters:
val - Time when certificate expires.
- Returns:
- The Credential itself.
-
keyUsages
Defines a sequence of values for x509 key usage extension. Following defaults are used if keyUsages is not set: CertSign and CRLSign are set for CA certificates. KeyEncipherment and DigitalSignature are set for end-entity certificates with RSA key. KeyEncipherment, DigitalSignature and KeyAgreement are set for end-entity certificates with EC key.
- Parameters:
val - List of key usages.
- Returns:
- The Credential itself.
-
extKeyUsages
Defines an optional list of x509 extended key usages.
- Parameters:
val - List of extended key usages.
- Returns:
- The Credential itself.
-
issuer
Defines the issuer Certificate. Self-signed certificate is generated if issuer is not defined.
- Parameters:
val - Instance of Credential that will be used to sign this certificate.
- Returns:
- The Credential itself.
-
ca
Defines basic constraints CA attribute. Self-signed certificates are automatically set CA:true, others default to CA:false.
- Parameters:
val - Value for CA attribute of basic constraints.
- Returns:
- The Credential itself.
-
serial
Defines serial number. Default value is current time in milliseconds.
- Parameters:
val - Value for serial number.
- Returns:
- The Credential itself.
-
crlDistributionPointUri
Defines URI for CRL distribution point extension.
- Parameters:
val - URI for CRL distribution point.
- Returns:
- The Credential itself.
-
generate
(Re)generate certificate and private key with currently set values.
- Returns:
- The Credential itself.
- Throws:
CertificateException
NoSuchAlgorithmException
-
getCertificateAsPem
public String getCertificateAsPem() throws CertificateException, NoSuchAlgorithmException, IOException
Returns PEM block containing X509 certificate. To get PEM bundle including certificate chain see getCertificatesAsPem().
- Returns:
- String containing the certificate as PEM.
- Throws:
CertificateException
NoSuchAlgorithmException
IOException
-
getCertificatesAsPem
public String getCertificatesAsPem() throws CertificateException, NoSuchAlgorithmException, IOException
Returns PEM bundle containing X509 certificate and its chain (if any).
- Returns:
- String containing PEM bundle.
- Throws:
CertificateException
NoSuchAlgorithmException
IOException
-
getPrivateKeyAsPem
public String getPrivateKeyAsPem() throws IOException, CertificateException, NoSuchAlgorithmException
Returns PEM block containing private key in PKCS8 format.
- Returns:
- String containing the private key.
- Throws:
IOException
CertificateException
NoSuchAlgorithmException
-
writeCertificateAsPem
public Credential writeCertificateAsPem(Path out) throws IOException, CertificateException, NoSuchAlgorithmException
Writes X509 certificate to a file as PEM block. To write PEM bundle including certificate chain see writeCertificatesAsPem(java.nio.file.Path).
- Parameters:
out - Path to write the PEM file to.
- Returns:
- The Credential itself.
- Throws:
IOException
CertificateException
NoSuchAlgorithmException
-
writeCertificatesAsPem
public Credential writeCertificatesAsPem(Path out) throws IOException, CertificateException, NoSuchAlgorithmException
Writes PEM bundle containing X509 certificate and its chain (if any).
- Parameters:
out - Path to write the PEM file to.
- Returns:
- The Credential itself.
- Throws:
IOException
CertificateException
NoSuchAlgorithmException
-
writePrivateKeyAsPem
public Credential writePrivateKeyAsPem(Path out) throws IOException, CertificateException, NoSuchAlgorithmException
Writes private key in PKCS8 format to a file as PEM block.
- Parameters:
out - Path to write the PEM file to.
- Returns:
- The Credential itself.
- Throws:
IOException
CertificateException
NoSuchAlgorithmException
-
getCertificate
Returns certificate. To get certificate including certificate chain see getCertificates().
- Returns:
- Certificate.
- Throws:
CertificateException
NoSuchAlgorithmException
-
getCertificates
Returns certificate and its chain (if any).
- Returns:
- Array of certificates.
- Throws:
CertificateException
NoSuchAlgorithmException
-
getX509Certificate
Returns certificate.
- Returns:
- Certificate as X509Certificate.
- Throws:
CertificateException
NoSuchAlgorithmException
-
getPrivateKey
Returns private key.
- Returns:
- Private key.
- Throws:
CertificateException
NoSuchAlgorithmException
-
ensureGenerated
-
signatureAlgorithm
-