Friday, June 30, 2017

Java and SSL: Creating a Certificate Signing Request from Java

This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

Creating a CSR from Java:

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Signature;
import sun.security.pkcs10.PKCS10;   // sun.security.pkcs.PKCS10 on JDK 7
import sun.security.x509.X500Name;

public PKCS10 createCsr(String distinguishedName) throws GeneralSecurityException, IOException {
    X500Name x500Name = new X500Name(distinguishedName);

    // SHA-1 as in the original post; prefer "SHA256WithRSA", since public CAs no longer accept SHA-1 signatures.
    String signatureAlgorithmName = "SHA1WithRSA";
    Signature signature = Signature.getInstance(signatureAlgorithmName);
    signature.initSign(getPrivateKey());   // getPrivateKey()/getPublicKey() return the pair generated earlier in the series

    PKCS10 pkcs10 = new PKCS10(getPublicKey());
    pkcs10.encodeAndSign(x500Name, signature);

    return pkcs10;
}

This was relatively easy to find out how to do.  The one snag I hit was around the "encodeAndSign" method, which at first I thought needed an instance of X500Signer.  It seems that support was dropped for X500Signer as of JDK 1.7.  It turned out that X500Signer is not needed, and that it just needs an instance of X500Name.
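The snippet above ends at the PKCS10 object. The following added example (mine, not the post's code) carries the request through the rest of its life: it signs with SHA-256, renders the request in the PEM form a CA expects, parses the DER bytes back with the PKCS10(byte[]) constructor, which checks the request's self-signature, and shows that a single flipped byte makes that check fail. The class name CsrRoundTrip and the subject DN are constructed for the example. It uses the same JDK 8 internal packages as the post (sun.security.pkcs10 and sun.security.x509), so on JDK 9 and later it needs --add-exports java.base/sun.security.pkcs10=ALL-UNNAMED --add-exports java.base/sun.security.x509=ALL-UNNAMED at compile and run time.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.SignatureException;

import sun.security.pkcs10.PKCS10;   // JDK 8+; sun.security.pkcs.PKCS10 on JDK 7
import sun.security.x509.X500Name;

public class CsrRoundTrip {

    // Build and self-sign a PKCS#10 request for the given subject with the given key pair.
    public static PKCS10 createCsr(String distinguishedName, KeyPair keyPair)
            throws GeneralSecurityException, IOException {
        X500Name subject = new X500Name(distinguishedName);
        // SHA-256 rather than the SHA-1 used in the post: CAs no longer accept SHA-1 signatures.
        Signature signature = Signature.getInstance("SHA256withRSA");
        signature.initSign(keyPair.getPrivate());
        PKCS10 csr = new PKCS10(keyPair.getPublic());
        csr.encodeAndSign(subject, signature);
        return csr;
    }

    // Render the request as PEM (-----BEGIN NEW CERTIFICATE REQUEST-----), the form a CA is sent.
    public static String toPem(PKCS10 csr) throws IOException, SignatureException {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (PrintStream out = new PrintStream(buffer, true, "US-ASCII")) {
            csr.print(out);
        }
        return buffer.toString("US-ASCII");
    }

    // What the receiving side does: parse the DER bytes. The PKCS10(byte[]) constructor
    // verifies the embedded signature against the embedded public key and throws
    // SignatureException when they do not match.
    public static PKCS10 parseAndVerify(byte[] der) throws IOException, GeneralSecurityException {
        return new PKCS10(der);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair keyPair = generator.generateKeyPair();

        // Constructed subject name for the example.
        PKCS10 csr = createCsr("CN=example.test, OU=Development, O=Example, C=US", keyPair);
        System.out.println(toPem(csr));

        PKCS10 parsed = parseAndVerify(csr.getEncoded());
        System.out.println("Subject: " + parsed.getSubjectName());
        System.out.println("Signature check passed; public key matches: "
                + parsed.getSubjectPublicKeyInfo().equals(keyPair.getPublic()));

        // Flip one bit of the signature: the self-signature no longer verifies.
        byte[] tampered = csr.getEncoded().clone();
        tampered[tampered.length - 1] ^= 0x01;
        try {
            parseAndVerify(tampered);
            System.out.println("unexpected: tampered CSR accepted");
        } catch (SignatureException e) {
            System.out.println("Tampered CSR rejected: " + e.getMessage());
        }
    }
}
```

The self-signature on a CSR only proves that whoever sent it holds the private key for the enclosed public key; it says nothing about whether they are entitled to the subject name, which is the CA's job to check before signing.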

Wednesday, June 28, 2017

Java and SSL: Creating a Certificate Signing Request with Keytool

Creating a Certificate Signing Request with Keytool

keytool -certreq -keystore temp -storepass whatever -file temp.csr
Tuesday, June 27, 2017

Java and SSL: How to Create a Certificate in Java

How to Create a Certificate in Java

  • A brief digression: what is a certificate?
  • How to create a certificate signing request
  • How to sign a CSR
  • How to import the certificate to a keystore
As the bullet points indicate, there are 3 steps to creating a certificate: creating the certificate signing request (CSR), signing the CSR, and importing the resulting certificate to the keystore.

A certificate is merely a public key that has been "signed" by another party.  The signature takes the form of a one-way hash of the public key to be signed, encrypted with the private key of the signer. The public key is signed so that anyone who trusts the signer can be sure the public key is genuine.

Others can verify the certificate by computing the hash of the public key, and decrypting the value from the certificate with the signer's public key.  If the computed hash matches the decrypted value, then the certificate is considered good.

For this scheme to work, the public key of the signer must be widely available, and the hashing and signature algorithms that were used must be identifiable from the certificate itself, which is why file formats are so important with SSL.

Java and SSL: How to Generate a Key Pair Using Java

How to Generate a Key Pair Using Java

import java.security.*;

public KeyPair createKeyPair() throws GeneralSecurityException {
    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
    // Set the modulus size explicitly; the default depends on the JDK version (1024 bits on JDK 7).
    keyPairGenerator.initialize(2048);
    return keyPairGenerator.genKeyPair();
}

After generating a certificate, generating a key pair was almost anticlimactic.

Sunday, June 25, 2017

Java and SSL: How to Generate a Key Pair with Keytool
How to Generate a Key Pair with Keytool

keytool -genkeypair -keystore keystore -storepass whatever -alias private \
    -keyalg rsa

What is your first and last name?
[Unknown]:  development.sun.com
What is the name of your organizational unit?
[Unknown]:  Development
What is the name of your organization?
[Unknown]:  Sun
What is the name of your City or Locality?
[Unknown]:  Monrovia
What is the name of your State or Province?
[Unknown]:  California
What is the two-letter country code for this unit?
[Unknown]:  US
Is <CN=development.sun.com, OU=Development, O=Sun, L=Monrovia, ST=California, C=US> correct?
[no]:  yes

Enter key password for <private>
(RETURN if same as keystore password):

This was taken from:

https://docs.oracle.com/cd/E19509-01/820-3503/ggezy/index.html

With a few alterations.

Java and SSL: How to Generate a Key Pair

How to Generate a Key Pair
  • Using keytool
  • Programmatically

Saturday, June 24, 2017

Java and SSL: How to Create a Self-signed Certificate Programmatically

How to Create a Self-signed Certificate Programmatically
import java.io.IOException;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import sun.security.x509.*;

public X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
         throws GeneralSecurityException, IOException {
    PrivateKey privkey = pair.getPrivate();
    X509CertInfo info = new X509CertInfo();
    Date from = new Date();
    Date to = new Date(from.getTime() + days * 86400000L);
    CertificateValidity interval = new CertificateValidity(from, to);
    BigInteger sn = new BigInteger(64, new SecureRandom());
    X500Name owner = new X500Name(dn);

    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
    info.set(X509CertInfo.SUBJECT, owner);   // an X500Name directly; wrapping it fails with "Subject class type invalid"
    info.set(X509CertInfo.ISSUER, owner);    // self-signed: issuer and subject are the same name
    info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    // Placeholder only: this MD5 identifier is overwritten below with the algorithm actually used to sign.
    AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));

    // Sign once so that X509CertImpl records the real signature algorithm.
    X509CertImpl cert = new X509CertImpl(info);
    cert.sign(privkey, algorithm);

    // Copy that algorithm into the certificate info and sign again, so the inner
    // (TBSCertificate) and outer algorithm identifiers agree.
    algo = (AlgorithmId) cert.get(X509CertImpl.SIG_ALG);
    info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, algo);
    cert = new X509CertImpl(info);
    cert.sign(privkey, algorithm);
    return cert;
}

This was ridiculously difficult to figure out.  I kept getting an exception like this:

java.security.cert.CertificateException: Subject class type invalid.

But the problem was that the original code was using X509CertInfo.set instead of using an instance of X500Name.
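The "How to Create a Certificate in Java" post lists three steps (create the CSR, sign it, import the result into a keystore) but only the self-signed case above shows any signing code. The added example below (mine, not the post's) is the programmatic counterpart of the whole keytool flow: it issues a self-signed CA certificate with the same X509CertInfo technique, has the CA sign a PKCS#10 request, verifies the resulting certificate with the CA's public key (the hash-and-compare check the post describes), shows that verification with the wrong key fails, and finally stores the key and chain in a PKCS12 keystore. Setting the signature algorithm in the info before signing avoids the sign-twice dance above. The class name MiniCa, the two distinguished names, the alias "private" and the password are constructed for the example. It targets the JDK 8 internal API used throughout the series (sun.security.x509, sun.security.pkcs10), so it needs --add-exports for both packages on JDK 9 and later, and recent JDKs that reworked X509CertInfo may not compile it.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import sun.security.pkcs10.PKCS10;   // sun.security.pkcs.PKCS10 on JDK 7
import sun.security.x509.*;

public class MiniCa {

    // Build a v3 certificate binding `subject` to `subjectKey`, signed with `issuerKey` on behalf of `issuer`.
    // Same X509CertInfo approach as the post, with the signature algorithm fixed up front so one sign() suffices.
    public static X509Certificate issue(X500Name subject, PublicKey subjectKey,
                                        X500Name issuer, PrivateKey issuerKey, int days)
            throws GeneralSecurityException, IOException {
        Date from = new Date();
        Date to = new Date(from.getTime() + days * 86400000L);
        X509CertInfo info = new X509CertInfo();
        info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
        info.set(X509CertInfo.SERIAL_NUMBER,
                 new CertificateSerialNumber(new BigInteger(64, new SecureRandom())));
        info.set(X509CertInfo.SUBJECT, subject);   // X500Name directly, as the post found (JDK 8)
        info.set(X509CertInfo.ISSUER, issuer);
        info.set(X509CertInfo.VALIDITY, new CertificateValidity(from, to));
        info.set(X509CertInfo.KEY, new CertificateX509Key(subjectKey));
        info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(AlgorithmId.get("SHA256withRSA")));
        X509CertImpl cert = new X509CertImpl(info);
        cert.sign(issuerKey, "SHA256withRSA");   // inner and outer algorithm identifiers now agree
        return cert;
    }

    // The CA side of "sign the CSR": the PKCS10(byte[]) constructor checks the request's
    // self-signature, then the requested name and key are bound to a certificate signed by the CA.
    public static X509Certificate signCsr(byte[] csrDer, X500Name caName, PrivateKey caKey, int days)
            throws GeneralSecurityException, IOException {
        PKCS10 request = new PKCS10(csrDer);
        return issue(request.getSubjectName(), request.getSubjectPublicKeyInfo(), caName, caKey, days);
    }

    // "Import the certificate to a keystore": the private key is stored together with its chain.
    public static KeyStore importToKeyStore(String alias, PrivateKey key, char[] password,
                                            X509Certificate... chain) throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance("PKCS12");
        store.load(null, null);   // start with an empty keystore
        store.setKeyEntry(alias, key, password, chain);
        return store;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair caPair = gen.generateKeyPair();
        KeyPair serverPair = gen.generateKeyPair();

        // 1. Self-signed CA certificate: issuer equals subject, signed with its own key (constructed names).
        X500Name caName = new X500Name("CN=Example Test CA, O=Example, C=US");
        X509Certificate caCert = issue(caName, caPair.getPublic(), caName, caPair.getPrivate(), 3650);

        // 2. The server creates a CSR, exactly as in the CSR post.
        X500Name serverName = new X500Name("CN=server.example.test, O=Example, C=US");
        Signature csrSig = Signature.getInstance("SHA256withRSA");
        csrSig.initSign(serverPair.getPrivate());
        PKCS10 csr = new PKCS10(serverPair.getPublic());
        csr.encodeAndSign(serverName, csrSig);

        // 3. The CA signs the CSR.
        X509Certificate serverCert = signCsr(csr.getEncoded(), caName, caPair.getPrivate(), 365);

        // 4. Anyone holding the CA public key can check the signature: verify() hashes the
        //    TBSCertificate bytes and compares them with the decrypted signature value.
        serverCert.verify(caPair.getPublic());   // throws on mismatch
        try {
            serverCert.verify(serverPair.getPublic());
            System.out.println("unexpected: verified with the wrong key");
        } catch (SignatureException e) {
            System.out.println("Verification with the wrong key fails as expected: " + e.getMessage());
        }

        // 5. Import key and chain into a keystore (the equivalent of keytool -importcert on the reply).
        KeyStore store = importToKeyStore("private", serverPair.getPrivate(),
                                          "whatever".toCharArray(), serverCert, caCert);
        System.out.println("Issuer:  " + serverCert.getIssuerX500Principal());
        System.out.println("Subject: " + serverCert.getSubjectX500Principal());
        System.out.println("Chain length in keystore: " + store.getCertificateChain("private").length);
    }
}
```

Note that issue() adds no extensions, so the CA certificate carries no BasicConstraints marking it as a CA; a TLS client building a path with a real trust manager would reject such an issuer, which is why a production CA certificate needs that extension even though the raw signature check above succeeds.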