cybervillains.ca
Class CertificateCreator

java.lang.Object
  extended by cybervillains.ca.CertificateCreator

public class CertificateCreator
extends Object

Methods for creating certificates.

Copyright (c) 2007, Information Security Partners, LLC. All rights reserved. In a special exception, Selenium/OpenQA is allowed to use this code under the Apache License 2.0.

Author:
Brad Hill

Field Summary
static String KEYGEN_ALGO
          The default key generation algorithm for this package is RSA.
static String OID_AUTHORITY_INFO_ACCESS
          X.509 OID for Authority Information Access - Omitted when duplicating a cert by default.
static String OID_AUTHORITY_KEY_IDENTIFIER
          X.509 OID for Subject Authority Key Identifier - Replaced when duplicating a cert.
static String OID_CRL_DISTRIBUTION_POINT
          X.509 OID for Certificate Revocation List Distribution Point - Omitted when duplicating a cert by default.
static String OID_ID_AD_CAISSUERS
          X.509 OID for Additional CA Issuers for AIA - Omitted when duplicating a cert by default.
static String OID_ISSUER_ALTERNATIVE_NAME
          X.509 OID for Issuer Alternative Name - Omitted when duplicating a cert by default.
static String OID_ISSUER_ALTERNATIVE_NAME_2
          X.509 OID for Issuer Alternative Name 2 - Omitted when duplicating a cert by default.
static String OID_SUBJECT_KEY_IDENTIFIER
          X.509 OID for Subject Key Identifier Extension - Replaced when duplicating a cert.
static String SIGN_ALGO
          The default sign algorithm for this package is SHA1 with RSA.
 
Constructor Summary
CertificateCreator()
           
 
Method Summary
static X509Certificate createTypicalMasterCert(KeyPair keyPair)
          Creates a typical Certification Authority (CA) certificate.
static X509Certificate generateStdSSLServerCertificate(PublicKey newPubKey, X509Certificate caCert, PrivateKey caPrivateKey, String subject, String certificateRevocationListPath)
          Utility method for generating a "standard" server certificate.
static X509Certificate mitmDuplicateCertificate(X509Certificate originalCert, PublicKey newPubKey, X509Certificate caCert, PrivateKey caPrivateKey)
          Convenience method for the most common case of certificate duplication.
static X509Certificate mitmDuplicateCertificate(X509Certificate originalCert, PublicKey newPubKey, X509Certificate caCert, PrivateKey caPrivateKey, Set<String> extensionOidsNotToCopy, Map<String,org.bouncycastle.asn1.DEREncodable> criticalCustomExtensions, Map<String,org.bouncycastle.asn1.DEREncodable> noncriticalCustomExtensions)
          This method creates an X509v3 certificate based on an an existing certificate.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

KEYGEN_ALGO

public static final String KEYGEN_ALGO
The default key generation algorithm for this package is RSA.

See Also:
Constant Field Values

SIGN_ALGO

public static final String SIGN_ALGO
The default sign algorithm for this package is SHA1 with RSA.

See Also:
Constant Field Values

OID_SUBJECT_KEY_IDENTIFIER

public static final String OID_SUBJECT_KEY_IDENTIFIER
X.509 OID for Subject Key Identifier Extension - Replaced when duplicating a cert.

See Also:
Constant Field Values

OID_AUTHORITY_KEY_IDENTIFIER

public static final String OID_AUTHORITY_KEY_IDENTIFIER
X.509 OID for Subject Authority Key Identifier - Replaced when duplicating a cert.

See Also:
Constant Field Values

OID_ISSUER_ALTERNATIVE_NAME

public static final String OID_ISSUER_ALTERNATIVE_NAME
X.509 OID for Issuer Alternative Name - Omitted when duplicating a cert by default.

See Also:
Constant Field Values

OID_ISSUER_ALTERNATIVE_NAME_2

public static final String OID_ISSUER_ALTERNATIVE_NAME_2
X.509 OID for Issuer Alternative Name 2 - Omitted when duplicating a cert by default.

See Also:
Constant Field Values

OID_CRL_DISTRIBUTION_POINT

public static final String OID_CRL_DISTRIBUTION_POINT
X.509 OID for Certificate Revocation List Distribution Point - Omitted when duplicating a cert by default.

See Also:
Constant Field Values

OID_AUTHORITY_INFO_ACCESS

public static final String OID_AUTHORITY_INFO_ACCESS
X.509 OID for Authority Information Access - Omitted when duplicating a cert by default.

See Also:
Constant Field Values

OID_ID_AD_CAISSUERS

public static final String OID_ID_AD_CAISSUERS
X.509 OID for Additional CA Issuers for AIA - Omitted when duplicating a cert by default.

See Also:
Constant Field Values
Constructor Detail

CertificateCreator

public CertificateCreator()
Method Detail

generateStdSSLServerCertificate

public static X509Certificate generateStdSSLServerCertificate(PublicKey newPubKey,
                                                              X509Certificate caCert,
                                                              PrivateKey caPrivateKey,
                                                              String subject,
                                                              String certificateRevocationListPath)
                                                       throws CertificateParsingException,
                                                              SignatureException,
                                                              InvalidKeyException,
                                                              CertificateExpiredException,
                                                              CertificateNotYetValidException,
                                                              CertificateException,
                                                              NoSuchAlgorithmException,
                                                              NoSuchProviderException
Utility method for generating a "standard" server certificate, one that most browsers recognize as valid for SSL/TLS. These certificates are generated de novo, not from a template, so they will not retain the structure of the original certificate and may not be suitable for applications that require Extended Validation/High Assurance SSL or other distinct extensions or Extended Key Usage (EKU) values.

Parameters:
newPubKey -
caCert -
caPrivateKey -
hostname -
Returns:
Throws:
CertificateParsingException
SignatureException
InvalidKeyException
CertificateExpiredException
CertificateNotYetValidException
CertificateException
NoSuchAlgorithmException
NoSuchProviderException

mitmDuplicateCertificate

public static X509Certificate mitmDuplicateCertificate(X509Certificate originalCert,
                                                       PublicKey newPubKey,
                                                       X509Certificate caCert,
                                                       PrivateKey caPrivateKey,
                                                       Set<String> extensionOidsNotToCopy,
                                                       Map<String,org.bouncycastle.asn1.DEREncodable> criticalCustomExtensions,
                                                       Map<String,org.bouncycastle.asn1.DEREncodable> noncriticalCustomExtensions)
                                                throws CertificateParsingException,
                                                       SignatureException,
                                                       InvalidKeyException,
                                                       CertificateException,
                                                       NoSuchAlgorithmException,
                                                       NoSuchProviderException
This method creates an X509v3 certificate based on an existing certificate. It attempts to create as faithful a copy of the existing certificate as possible by duplicating all certificate extensions. If you are testing an application that makes use of additional certificate extensions (e.g. logotype, S/MIME capabilities), this method will preserve those fields.

You may optionally include a set of OIDs not to copy from the original certificate. The most common reason to do this would be to remove fields that would cause inconsistency, such as Authority Info Access or Issuer Alternative Name, where these are not defined for the MITM authority certificate. OIDs 2.5.29.14 (Subject Key Identifier) and 2.5.29.35 (Authority Key Identifier) are never copied, but generated directly based on the input keys and certificates.

You may also optionally include maps of custom extensions, which will be added to the MITM certificate or will replace extensions with the same OID from the original certificate.

FUTURE WORK: JDK 1.5 is very strict in parsing extensions. In particular, known extensions that include URIs must parse to valid URIs (including URL-encoding all non-valid URI characters), or the extension will be rejected and not available to copy to the MITM certificate. These will need to be extracted directly as ASN.1 fields and re-inserted (hopefully BouncyCastle will handle them).

Parameters:
originalCert - The original certificate to duplicate.
newPubKey - The new public key for the MITM certificate.
caCert - The certificate of the signing authority for the MITM certificate.
caPrivateKey - The private key of the signing authority.
extensionOidsNotToCopy - An optional list of certificate extension OIDs not to copy to the MITM certificate.
criticalCustomExtensions - An optional map of critical extension OIDs to add/replace on the MITM certificate.
noncriticalCustomExtensions - An optional map of non-critical extension OIDs to add/replace on the MITM certificate.
Returns:
The new MITM certificate.
Throws:
CertificateParsingException
SignatureException
InvalidKeyException
CertificateExpiredException
CertificateNotYetValidException
CertificateException
NoSuchAlgorithmException
NoSuchProviderException

mitmDuplicateCertificate

public static X509Certificate mitmDuplicateCertificate(X509Certificate originalCert,
                                                       PublicKey newPubKey,
                                                       X509Certificate caCert,
                                                       PrivateKey caPrivateKey)
                                                throws CertificateParsingException,
                                                       SignatureException,
                                                       InvalidKeyException,
                                                       CertificateExpiredException,
                                                       CertificateNotYetValidException,
                                                       CertificateException,
                                                       NoSuchAlgorithmException,
                                                       NoSuchProviderException
Convenience method for the most common case of certificate duplication. This method will not add any custom extensions and won't copy the extensions 2.5.29.8 : Issuer Alternative Name, 2.5.29.18 : Issuer Alternative Name 2, 2.5.29.31 : CRL Distribution Point or 1.3.6.1.5.5.7.1.1 : Authority Info Access, if they are present.

Parameters:
originalCert -
newPubKey -
caCert -
caPrivateKey -
Returns:
Throws:
CertificateParsingException
SignatureException
InvalidKeyException
CertificateExpiredException
CertificateNotYetValidException
CertificateException
NoSuchAlgorithmException
NoSuchProviderException

createTypicalMasterCert

public static X509Certificate createTypicalMasterCert(KeyPair keyPair)
                                               throws SignatureException,
                                                      InvalidKeyException,
                                                      SecurityException,
                                                      CertificateException,
                                                      NoSuchAlgorithmException,
                                                      NoSuchProviderException
Creates a typical Certification Authority (CA) certificate.

Parameters:
keyPair -
Throws:
SecurityException
InvalidKeyException
NoSuchProviderException
NoSuchAlgorithmException
CertificateException
SignatureException


Copyright © 2011. All Rights Reserved.