(openwebbeans-meecrowave) 02/02: MEECROWAVE-338 move from sun.security to bouncy castle

Tue, 11 Jun 2024 07:43:47 -0700 

This is an automated email from the ASF dual-hosted git repository.

struberg pushed a commit to branch fb_jakarta
in repository https://gitbox.apache.org/repos/asf/openwebbeans-meecrowave.git

commit 58ac9ffaba6b62488e83da0fb08a69164a88357d
Author: Mark Struberg <strub...@apache.org>
AuthorDate: Tue Jun 11 16:24:47 2024 +0200

    MEECROWAVE-338 move from sun.security to bouncy castle
---
 .../org/apache/meecrowave/oauth2/Keystores.java    | 109 +++++++--------------
 1 file changed, 33 insertions(+), 76 deletions(-)

diff --git 
a/meecrowave-oauth2-minimal/src/test/java/org/apache/meecrowave/oauth2/Keystores.java
 
b/meecrowave-oauth2-minimal/src/test/java/org/apache/meecrowave/oauth2/Keystores.java
index 38a88f5..a1c7d75 100644
--- 
a/meecrowave-oauth2-minimal/src/test/java/org/apache/meecrowave/oauth2/Keystores.java
+++ 
b/meecrowave-oauth2-minimal/src/test/java/org/apache/meecrowave/oauth2/Keystores.java
@@ -23,11 +23,15 @@ import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
 import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
 import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 
+import java.io.FileOutputStream;
+import java.io.OutputStream;
 import java.math.BigInteger;
 import java.security.*;
 import java.io.File;
+import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.time.Instant;
 import java.util.Date;
@@ -38,97 +42,50 @@ public final class Keystores {
     }
 
     public static PublicKey create(final File keystore) throws Exception {
+        Security.setProperty("crypto.policy", "unlimited");
+
         final KeyStore ks = KeyStore.getInstance("JKS");
         ks.load(null, "password".toCharArray());
 
-        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
-        keyGen.initialize(2048);
-        KeyPair keyPair = keyGen.generateKeyPair();
-        final PrivateKey rootPrivateKey = keyPair.getPrivate();
-
-        X500Name issuerName = new X500Name("OU=apache,CN=mwtest");
-
-        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
-                issuerName,
-                BigInteger.valueOf(System.currentTimeMillis()),
-                Date.from(Instant.now()), 
Date.from(Instant.now().plusMillis(1096 * 24 * 60 * 60)),
-                issuerName, keyPair.getPublic());
-        ContentSigner signer = new 
JcaContentSignerBuilder("SHA256WithRSA").build(rootPrivateKey);
-        X509CertificateHolder certHolder = builder.build(signer);
-        X509Certificate certificate = new 
JcaX509CertificateConverter().getCertificate(certHolder);
-
-        return keyPair.getPublic();
-
-        //X TODO
-        /*X TODO fixme
-        CryptoUtils.installBouncyCastleProvider();
-
-
-        final CertAndKeyGen keyGen = new CertAndKeyGen("RSA", "SHA256WithRSA", 
null);
-        keyGen.generate(2048);
-        final PrivateKey rootPrivateKey = keyGen.getPrivateKey();
-
-        X509Certificate rootCertificate = keyGen.getSelfCertificate(new 
X500Name("cn=root"), (long) 365 * 24 * 60 * 60);
-
-        final CertAndKeyGen keyGen1 = new CertAndKeyGen("RSA", 
"SHA256WithRSA", null);
-        keyGen1.generate(2048);
-        final PrivateKey middlePrivateKey = keyGen1.getPrivateKey();
-
-        X509Certificate middleCertificate = keyGen1.getSelfCertificate(new 
X500Name("CN=MIDDLE"), (long) 365 * 24 * 60 * 60);
+        KeyPair rootKeyPair = generateKeyPair();
+        X500Name rootIssuerName = new X500Name("OU=apache,CN=root");
+        X509Certificate rootCertificate = getCertificate(rootKeyPair, 
rootIssuerName, rootKeyPair.getPrivate());
 
-        //Generate leaf certificate
-        final CertAndKeyGen keyGen2 = new CertAndKeyGen("RSA", 
"SHA256WithRSA", null);
-        keyGen2.generate(2048);
-        final PrivateKey topPrivateKey = keyGen2.getPrivateKey();
+        KeyPair middleKeyPair = generateKeyPair();
+        X500Name middleIssuerName = new X500Name("OU=apache,CN=middle");
+        X509Certificate middleCertificate = getCertificate(middleKeyPair, 
middleIssuerName, rootKeyPair.getPrivate());
 
+        KeyPair topKeyPair = generateKeyPair();
+        X500Name topIssuerName = new X500Name("OU=apache,CN=top");
+        X509Certificate topCertificate = getCertificate(topKeyPair, 
topIssuerName, middleKeyPair.getPrivate());
 
-        X509Certificate topCertificate = keyGen2.getSelfCertificate(new 
X500Name("cn=root"), (long) 365 * 24 * 60 * 60);
-
-        rootCertificate = createSignedCertificate(rootCertificate, 
rootCertificate, rootPrivateKey);
-        middleCertificate = createSignedCertificate(middleCertificate, 
rootCertificate, rootPrivateKey);
-        topCertificate = createSignedCertificate(topCertificate, 
middleCertificate, middlePrivateKey);
 
         final X509Certificate[] chain = new X509Certificate[]{topCertificate, 
middleCertificate, rootCertificate};
-
-        ks.setKeyEntry("alice", topPrivateKey, "pwd".toCharArray(), chain);
-
-
+        ks.setKeyEntry("alice", topKeyPair.getPrivate(), "pwd".toCharArray(), 
chain);
         keystore.getParentFile().mkdirs();
         try (final OutputStream os = new FileOutputStream(keystore)) {
             ks.store(os, "password".toCharArray());
         }
 
-        return keyGen2.getPublicKey();
-*/
+        return topKeyPair.getPublic();
     }
 
-    private static X509Certificate createSignedCertificate(final 
X509Certificate cetrificate, final X509Certificate issuerCertificate,
-                                                           final PrivateKey 
issuerPrivateKey) {
-        return null;
-/*X TODO fixme
-        try {
-            Principal issuer = issuerCertificate.getSubjectDN();
-            String issuerSigAlg = issuerCertificate.getSigAlgName();
-
-            byte[] inCertBytes = cetrificate.getTBSCertificate();
-            X509CertInfo info = new X509CertInfo(inCertBytes);
-            info.set(X509CertInfo.ISSUER, (X500Name) issuer);
-
-            //No need to add the BasicContraint for leaf cert
-            if (!cetrificate.getSubjectDN().getName().equals("CN=TOP")) {
-                CertificateExtensions exts = new CertificateExtensions();
-                BasicConstraintsExtension bce = new 
BasicConstraintsExtension(true, -1);
-                exts.set(BasicConstraintsExtension.NAME, new 
BasicConstraintsExtension(false, bce.getExtensionValue()));
-                info.set(X509CertInfo.EXTENSIONS, exts);
-            }
-
-            final X509CertImpl outCert = new X509CertImpl(info);
-            outCert.sign(issuerPrivateKey, issuerSigAlg);
+    private static KeyPair generateKeyPair() throws NoSuchAlgorithmException {
+        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+        keyGen.initialize(2048);
+        return keyGen.generateKeyPair();
+    }
 
-            return outCert;
-        } catch (final Exception ex) {
-            throw new IllegalStateException(ex);
-        }
-*/
+    private static X509Certificate getCertificate(KeyPair certKeyPair, 
X500Name issuerName, PrivateKey signerKey)
+            throws OperatorCreationException, CertificateException {
+        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
+                issuerName,
+                BigInteger.valueOf(System.currentTimeMillis()),
+                Date.from(Instant.now()), 
Date.from(Instant.now().plusMillis(1096 * 24 * 60 * 60)),
+                issuerName, certKeyPair.getPublic());
+        ContentSigner signer = new 
JcaContentSignerBuilder("SHA256WithRSA").build(signerKey);
+        X509CertificateHolder certHolder = builder.build(signer);
+        return new JcaX509CertificateConverter().getCertificate(certHolder);
     }
+
 }

Reply via email to