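/**
 * Generates a fresh RSA key pair plus a self-signed X.509 v3 certificate for {@code dn}
 * and stores both in {@code ks} under a random hex alias with an empty password.
 *
 * @param ks     keystore that receives the new private-key entry
 * @param dn     X.509 distinguished name used as both subject and issuer
 * @param expire validity window in milliseconds, counted from the current time
 * @throws GeneralSecurityException if key generation, signing or the keystore write fails
 * @throws IOException if {@code dn} cannot be parsed or the certificate cannot be encoded
 */
private static void setKeyEntry(KeyStore ks, String dn, long expire)
    throws GeneralSecurityException, IOException {
  // 2048-bit RSA and SHA-256 are the current floor; 1024-bit keys and SHA-1
  // signatures are rejected or flagged by modern TLS stacks.
  final String sigAlg = "SHA256withRSA";
  KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
  kpg.initialize(2048);
  KeyPair keyPair = kpg.genKeyPair();

  long now = System.currentTimeMillis();
  X500Name name = new X500Name(dn);

  X509CertInfo info = new X509CertInfo();
  info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
  // RFC 5280 serials must be positive and unique per issuer; 128 random bits
  // satisfy both in practice and stay within the 20-octet limit.
  info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(new BigInteger(128, random)));
  info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(AlgorithmId.get(sigAlg)));
  // Self-signed: subject and issuer are the same name.
  info.set(X509CertInfo.SUBJECT, name);
  info.set(X509CertInfo.ISSUER, name);
  info.set(X509CertInfo.KEY, new CertificateX509Key(keyPair.getPublic()));
  info.set(X509CertInfo.VALIDITY, new CertificateValidity(new Date(now), new Date(now + expire)));

  X509CertImpl cert = new X509CertImpl(info);
  cert.sign(keyPair.getPrivate(), sigAlg);

  // Random alias so repeated calls on the same keystore do not overwrite each other.
  ks.setKeyEntry(Bytes.toHexLower(Bytes.random(16)), keyPair.getPrivate(), new char[0],
      new X509Certificate[] {cert});
}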
/**
 * Builds a PEM-encoded, one-hour client certificate for {@code clientKeyPair}, signed
 * with the test signing-CA key held in {@code TestKeys.SIGNING_CA_PRIVATE_KEY}.
 *
 * @param shiftIntoPast how far before "now" the validity window starts; a shift of more
 *        than one hour therefore produces an already-expired certificate
 * @return the certificate as a PEM block whose Base64 body is wrapped at 64 columns
 * @throws GeneralSecurityException if the signing key cannot be decoded or signing fails
 * @throws IOException if the certificate cannot be assembled or encoded
 */
private String createEphemeralCert(Duration shiftIntoPast)
    throws GeneralSecurityException, IOException {
  DateTime start = DateTime.now().minus(shiftIntoPast);
  DateTime end = start.plus(Duration.standardHours(1));

  X509CertInfo certInfo = new X509CertInfo();
  certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
  certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(1));
  certInfo.set(X509CertInfo.ALGORITHM_ID,
      new CertificateAlgorithmId(AlgorithmId.get("SHA1withRSA")));
  certInfo.set(X509CertInfo.SUBJECT,
      new X500Name("C = US, O = Google\\, Inc, CN=temporary-subject"));
  certInfo.set(X509CertInfo.KEY, new CertificateX509Key(clientKeyPair.getPublic()));
  certInfo.set(X509CertInfo.VALIDITY, new CertificateValidity(start.toDate(), end.toDate()));
  certInfo.set(X509CertInfo.ISSUER,
      new X500Name("C = US, O = Google\\, Inc, CN=Google Cloud SQL Signing CA foo:baz"));

  // The signing CA key is stored as Base64 PKCS#8.
  byte[] signingKeyDer = DatatypeConverter.parseBase64Binary(TestKeys.SIGNING_CA_PRIVATE_KEY);
  PrivateKey signingKey =
      KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(signingKeyDer));

  X509CertImpl signed = new X509CertImpl(certInfo);
  signed.sign(signingKey, "SHA1withRSA");

  // 64-column Base64 body, then one newline before the END marker.
  String body = DatatypeConverter.printBase64Binary(signed.getEncoded())
      .replaceAll("(.{64})", "$1\n");
  return "-----BEGIN CERTIFICATE-----\n" + body + "\n" + "-----END CERTIFICATE-----\n";
}
/**
 * Creates a self-signed X.509 v3 certificate.
 * Adapted from http://bfo.com/blog/2011/03/08/odds_and_ends_creating_a_new_x_509_certificate.html.
 *
 * @param dn        the X.509 distinguished name, e.g. "CN=Test, L=London, C=GB"; used as
 *                  both subject and issuer
 * @param pair      the key pair whose public key is certified and whose private key signs
 * @param days      how many days from now the certificate stays valid
 * @param algorithm the signing algorithm name, e.g. "SHA1withRSA"
 * @return the self-signed certificate
 * @throws IOException if {@code dn} cannot be parsed or the certificate cannot be encoded
 * @throws GeneralSecurityException if signing fails
 */
public static X509Certificate generateCertificate(String dn, KeyPair pair, int days,
    String algorithm) throws GeneralSecurityException, IOException {
  PrivateKey signingKey = pair.getPrivate();
  X500Name holder = new X500Name(dn);

  Date notBefore = new Date();
  Date notAfter = new Date(notBefore.getTime() + days * 86400000L);

  X509CertInfo tbs = new X509CertInfo();
  tbs.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
  tbs.set(X509CertInfo.SERIAL_NUMBER,
      new CertificateSerialNumber(new BigInteger(64, new SecureRandom())));
  tbs.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
  tbs.set(X509CertInfo.SUBJECT, new CertificateSubjectName(holder));
  tbs.set(X509CertInfo.ISSUER, new CertificateIssuerName(holder));
  tbs.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
  // Placeholder algorithm id; the real one is only known after a first signing pass.
  tbs.set(X509CertInfo.ALGORITHM_ID,
      new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid)));

  // First pass: sign so the implementation resolves the algorithm id for `algorithm`.
  X509CertImpl probe = new X509CertImpl(tbs);
  probe.sign(signingKey, algorithm);

  // Second pass: copy the resolved id into the to-be-signed section and sign for real.
  AlgorithmId resolved = (AlgorithmId) probe.get(X509CertImpl.SIG_ALG);
  tbs.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, resolved);
  X509CertImpl cert = new X509CertImpl(tbs);
  cert.sign(signingKey, algorithm);
  return cert;
}
/**
 * Issues an X.509 v3 certificate valid for one year, either a self-signed root
 * ({@code hostname == null}) or a certificate for {@code hostname} issued by that root.
 *
 * <p>Only {@code signerPrivateKey} and the class-level {@code issuerDirString} /
 * {@code signingAlgorithm} take part in the result: {@code isCertAuthority} and
 * {@code signerPublicKey} are accepted but not read, so no BasicConstraints or
 * key-identifier extension is written. {@code hostname} is interpolated into the
 * DN string without escaping.
 *
 * @param hostname         subject CN, or {@code null} to make subject equal to the issuer
 * @param kp               key pair whose public key is certified
 * @param isCertAuthority  unused by this implementation
 * @param signerPublicKey  unused by this implementation
 * @param signerPrivateKey key that signs the certificate
 * @return the signed certificate
 */
private static X509Certificate generateCert(
    String hostname, KeyPair kp, boolean isCertAuthority, PublicKey signerPublicKey,
    PrivateKey signerPrivateKey)
    throws IOException, CertificateException, NoSuchProviderException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
  X500Name issuer = new X500Name("CN=root" + issuerDirString);
  X500Name subject =
      hostname == null ? issuer : new X500Name("CN=" + hostname + issuerDirString);

  Date notBefore = new Date();
  Date notAfter = new Date(notBefore.getTime() + 365 * 86400000L);

  X509CertInfo tbs = new X509CertInfo();
  tbs.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
  tbs.set(X509CertInfo.SERIAL_NUMBER,
      new CertificateSerialNumber(new BigInteger(64, new SecureRandom())));
  tbs.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
  tbs.set(X509CertInfo.SUBJECT, new CertificateSubjectName(subject));
  tbs.set(X509CertInfo.ISSUER, new CertificateIssuerName(issuer));
  tbs.set(X509CertInfo.KEY, new CertificateX509Key(kp.getPublic()));
  // Placeholder algorithm id; the real one is only known after a first signing pass.
  tbs.set(X509CertInfo.ALGORITHM_ID,
      new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid)));

  // First pass resolves the algorithm id for signingAlgorithm ...
  X509CertImpl probe = new X509CertImpl(tbs);
  probe.sign(signerPrivateKey, signingAlgorithm);

  // ... which the second pass embeds in the to-be-signed section before signing for real.
  AlgorithmId resolved = (AlgorithmId) probe.get(X509CertImpl.SIG_ALG);
  tbs.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, resolved);
  X509CertImpl cert = new X509CertImpl(tbs);
  cert.sign(signerPrivateKey, signingAlgorithm);
  return cert;
}
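/**
 * Builds an {@link SSLContext} that presents a freshly generated self-signed certificate
 * for {@code dn}, or the default key managers when {@code dn} is {@code null}.
 *
 * @param dn     X.509 distinguished name used as subject and issuer; {@code null} selects
 *               {@code SSLManagers.DEFAULT_KEY_MANAGERS} and generates nothing
 * @param expire validity window in milliseconds, counted from the current time
 * @return an initialized TLS context backed by {@code SSLManagers.DEFAULT_TRUST_MANAGERS}
 * @throws IOException if {@code dn} cannot be parsed or the certificate cannot be encoded
 * @throws GeneralSecurityException on key-generation, signing, keystore or context errors
 */
private static SSLContext getSSLContext(String dn, long expire)
    throws IOException, GeneralSecurityException {
  KeyManager[] kms;
  if (dn == null) {
    kms = SSLManagers.DEFAULT_KEY_MANAGERS;
  } else {
    // load(null, null) initializes an empty in-memory keystore without reading a file.
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(null, null);

    // 2048-bit RSA and SHA-256 are the current floor; 1024-bit keys and SHA-1
    // signatures are rejected or flagged by modern TLS stacks.
    final String sigAlg = "SHA256withRSA";
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(2048);
    KeyPair keyPair = kpg.genKeyPair();

    long now = System.currentTimeMillis();
    X500Name name = new X500Name(dn);

    X509CertInfo info = new X509CertInfo();
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    // RFC 5280 serials must be positive and unique per issuer; a fixed value such as 0
    // is neither. 128 random bits satisfy both in practice and fit the 20-octet limit.
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
        new java.math.BigInteger(128, new java.security.SecureRandom())));
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(AlgorithmId.get(sigAlg)));
    // Self-signed: subject and issuer are the same name.
    info.set(X509CertInfo.SUBJECT, name);
    info.set(X509CertInfo.ISSUER, name);
    info.set(X509CertInfo.KEY, new CertificateX509Key(keyPair.getPublic()));
    info.set(X509CertInfo.VALIDITY,
        new CertificateValidity(new Date(now), new Date(now + expire)));

    X509CertImpl cert = new X509CertImpl(info);
    cert.sign(keyPair.getPrivate(), sigAlg);

    // The keystore never leaves this method, so an empty alias and password suffice.
    ks.setKeyEntry("", keyPair.getPrivate(), new char[0], new X509Certificate[] {cert});
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ks, new char[0]);
    kms = kmf.getKeyManagers();
  }

  SSLContext sslc = SSLContext.getInstance("TLS");
  // null SecureRandom lets the provider choose its default.
  sslc.init(kms, SSLManagers.DEFAULT_TRUST_MANAGERS, null);
  return sslc;
}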
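/**
 * Builds an {@link SSLContext} that presents a freshly generated self-signed certificate
 * for {@code dn}, or the default key managers when {@code dn} is {@code null}.
 *
 * @param dn     X.509 distinguished name used as subject and issuer; {@code null} selects
 *               {@code SSLManagers.DEFAULT_KEY_MANAGERS} and generates nothing
 * @param expire validity window in milliseconds, counted from the current time
 * @return an initialized TLS context backed by {@code SSLManagers.DEFAULT_TRUST_MANAGERS}
 * @throws IOException if {@code dn} cannot be parsed or the certificate cannot be encoded
 * @throws GeneralSecurityException on key-generation, signing, keystore or context errors
 */
static SSLContext get(String dn, long expire) throws IOException, GeneralSecurityException {
  KeyManager[] kms;
  if (dn == null) {
    kms = SSLManagers.DEFAULT_KEY_MANAGERS;
  } else {
    // load(null, null) initializes an empty in-memory keystore without reading a file.
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(null, null);

    // 2048-bit RSA and SHA-256 are the current floor; 1024-bit keys and SHA-1
    // signatures are rejected or flagged by modern TLS stacks.
    final String sigAlg = "SHA256withRSA";
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(2048);
    KeyPair keyPair = kpg.genKeyPair();

    long now = System.currentTimeMillis();
    X500Name name = new X500Name(dn);

    X509CertInfo info = new X509CertInfo();
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    // RFC 5280 serials must be positive and unique per issuer; 128 random bits
    // satisfy both in practice and stay within the 20-octet limit.
    info.set(X509CertInfo.SERIAL_NUMBER,
        new CertificateSerialNumber(new BigInteger(128, random)));
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(AlgorithmId.get(sigAlg)));
    // Self-signed: subject and issuer are the same name.
    info.set(X509CertInfo.SUBJECT, name);
    info.set(X509CertInfo.ISSUER, name);
    info.set(X509CertInfo.KEY, new CertificateX509Key(keyPair.getPublic()));
    info.set(X509CertInfo.VALIDITY,
        new CertificateValidity(new Date(now), new Date(now + expire)));

    X509CertImpl cert = new X509CertImpl(info);
    cert.sign(keyPair.getPrivate(), sigAlg);

    // The keystore never leaves this method, so an empty alias and password suffice.
    ks.setKeyEntry("", keyPair.getPrivate(), new char[0], new X509Certificate[] {cert});
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ks, new char[0]);
    kms = kmf.getKeyManagers();
  }

  SSLContext sslc = SSLContext.getInstance("TLS");
  // null SecureRandom lets the provider choose its default.
  sslc.init(kms, SSLManagers.DEFAULT_TRUST_MANAGERS, null);
  return sslc;
}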
/**
 * Creates a self-signed X.509 v3 certificate and wraps it in a {@code CX509Certificate}.
 *
 * @param aDn        the X.509 distinguished name, e.g. "CN=Test, L=London, C=GB"; used as
 *                   both subject and issuer
 * @param aKeyPair   the key pair whose public key is certified and whose private key signs
 * @param aNbDays    how many days from now the certificate stays valid
 * @param aAlgorithm the signing algorithm name, e.g. "SHA1withRSA"; {@code null} falls
 *                   back to the legacy default "SHA1withRSA"
 * @return the wrapped self-signed certificate
 * @throws IOException if {@code aDn} cannot be parsed or the certificate cannot be encoded
 * @throws CertificateException if the certificate cannot be built
 * @throws InvalidKeyException if the private key is unusable for signing
 * @throws NoSuchAlgorithmException if {@code aAlgorithm} is unknown
 * @throws NoSuchProviderException if no provider supplies the algorithm
 * @throws SignatureException if signing fails
 */
public static CX509Certificate generateCertificate(final String aDn, final KeyPair aKeyPair,
    final int aNbDays, String aAlgorithm)
    throws IOException, CertificateException, InvalidKeyException, NoSuchAlgorithmException,
        NoSuchProviderException, SignatureException {
  String sigAlg = aAlgorithm == null ? "SHA1withRSA" : aAlgorithm;
  PrivateKey signingKey = aKeyPair.getPrivate();
  X500Name holder = new X500Name(aDn);

  // Validity runs from now for aNbDays whole days.
  Date notBefore = new Date();
  Date notAfter = new Date(notBefore.getTime() + aNbDays * 86400000L);

  X509CertInfo tbs = new X509CertInfo();
  tbs.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
  tbs.set(X509CertInfo.SERIAL_NUMBER,
      new CertificateSerialNumber(new BigInteger(64, new SecureRandom())));
  tbs.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
  tbs.set(X509CertInfo.SUBJECT, holder);
  tbs.set(X509CertInfo.ISSUER, holder);
  tbs.set(X509CertInfo.KEY, new CertificateX509Key(aKeyPair.getPublic()));
  // Placeholder algorithm id; the real one is only known after a first signing pass.
  tbs.set(X509CertInfo.ALGORITHM_ID,
      new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid)));

  // First pass resolves the algorithm id for sigAlg ...
  X509CertImpl probe = new X509CertImpl(tbs);
  probe.sign(signingKey, sigAlg);

  // ... which the second pass embeds in the to-be-signed section before signing for real.
  AlgorithmId resolved = (AlgorithmId) probe.get(X509CertImpl.SIG_ALG);
  tbs.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, resolved);
  X509CertImpl cert = new X509CertImpl(tbs);
  cert.sign(signingKey, sigAlg);
  return new CX509Certificate(cert);
}