Class X509TestHelpers

java.lang.Object
org.apache.hadoop.hbase.io.crypto.tls.X509TestHelpers

@Private final class X509TestHelpers extends Object
This class contains helper methods for creating X509 certificates and key pairs, and for serializing them to JKS, PEM or other keystore type files.

This file has been copied from the Apache ZooKeeper project.

  • Method Details

    • newSelfSignedCACert

      public static X509Certificate newSelfSignedCACert(org.bouncycastle.asn1.x500.X500Name subject, KeyPair keyPair) throws IOException, org.bouncycastle.operator.OperatorCreationException, GeneralSecurityException
      Uses the private key of the given key pair to create a self-signed CA certificate with the public half of the key pair and the given subject and expiration. The issuer of the new cert will be equal to the subject. Returns the new certificate. The returned certificate should be used as the trust store. The private key of the input key pair should be used to sign certificates that are used by test peers to establish TLS connections to each other.
      Parameters:
      subject - the subject of the new certificate being created.
      keyPair - the key pair to use. The public key will be embedded in the new certificate, and the private key will be used to self-sign the certificate.
      Returns:
      a new self-signed CA certificate.
      Throws:
      IOException
      org.bouncycastle.operator.OperatorCreationException
      GeneralSecurityException
    • newCert

      public static X509Certificate newCert(X509Certificate caCert, KeyPair caKeyPair, org.bouncycastle.asn1.x500.X500Name certSubject, PublicKey certPublicKey) throws IOException, org.bouncycastle.operator.OperatorCreationException, GeneralSecurityException
      Using the private key of the given CA key pair and the Subject of the given CA cert as the Issuer, issues a new cert with the given subject and public key. The returned certificate, combined with the private key corresponding to certPublicKey, should be used as the key store.
      Parameters:
      caCert - the certificate of the CA that's doing the signing.
      caKeyPair - the key pair of the CA. The private key will be used to sign. The public key must match the public key in the caCert.
      certSubject - the subject field of the new cert being issued.
      certPublicKey - the public key of the new cert being issued.
      Returns:
      a new certificate signed by the CA's private key.
      Throws:
      IOException
      org.bouncycastle.operator.OperatorCreationException
      GeneralSecurityException
    • newCert

      public static X509Certificate newCert(X509Certificate caCert, KeyPair caKeyPair, org.bouncycastle.asn1.x500.X500Name certSubject, PublicKey certPublicKey, org.bouncycastle.asn1.x509.GeneralNames subjectAltNames) throws IOException, org.bouncycastle.operator.OperatorCreationException, GeneralSecurityException
      Using the private key of the given CA key pair and the Subject of the given CA cert as the Issuer, issues a new cert with the given subject and public key. The returned certificate, combined with the private key corresponding to certPublicKey, should be used as the key store.
      Parameters:
      caCert - the certificate of the CA that's doing the signing.
      caKeyPair - the key pair of the CA. The private key will be used to sign. The public key must match the public key in the caCert.
      certSubject - the subject field of the new cert being issued.
      certPublicKey - the public key of the new cert being issued.
      subjectAltNames - the subject alternative names to use, or null if none.
      Returns:
      a new certificate signed by the CA's private key.
      Throws:
      IOException
      org.bouncycastle.operator.OperatorCreationException
      GeneralSecurityException
    • getLocalhostSubjectAltNames

      private static org.bouncycastle.asn1.x509.GeneralNames getLocalhostSubjectAltNames() throws UnknownHostException
      Returns subject alternative names for "localhost".
      Returns:
      the subject alternative names for "localhost".
      Throws:
      UnknownHostException
    • initCertBuilder

      private static org.bouncycastle.cert.X509v3CertificateBuilder initCertBuilder(org.bouncycastle.asn1.x500.X500Name issuer, LocalDate notBefore, LocalDate notAfter, org.bouncycastle.asn1.x500.X500Name subject, PublicKey subjectPublicKey)
      Helper method for newSelfSignedCACert() and newCert(). Initializes an X509v3CertificateBuilder with the logic that is common to both methods.
      Parameters:
      issuer - Issuer field of the new cert.
      notBefore - date before which the new cert is not valid.
      notAfter - date after which the new cert is not valid.
      subject - Subject field of the new cert.
      subjectPublicKey - public key to store in the new cert.
      Returns:
      an X509v3CertificateBuilder that can be further customized to finish creating the new cert.
    • buildAndSignCertificate

      private static X509Certificate buildAndSignCertificate(PrivateKey privateKey, org.bouncycastle.cert.X509v3CertificateBuilder builder) throws IOException, org.bouncycastle.operator.OperatorCreationException, CertificateException
      Signs the certificate being built by the given builder using the given private key and returns the certificate.
      Parameters:
      privateKey - the private key to sign the certificate with.
      builder - the cert builder that contains the certificate data.
      Returns:
      the signed certificate.
      Throws:
      IOException
      org.bouncycastle.operator.OperatorCreationException
      CertificateException
    • generateKeyPair

      Generates a new asymmetric key pair of the given type.
      Parameters:
      keyType - the type of key pair to generate.
      Returns:
      the new key pair.
      Throws:
      GeneralSecurityException - if the Java crypto providers are misconfigured.
    • generateRSAKeyPair

      Generates an RSA key pair with a 2048-bit private key and F4 (65537) as the public exponent.
      Returns:
      the key pair.
      Throws:
      GeneralSecurityException
    • generateECKeyPair

      Generates an elliptic curve key pair using the "secp256r1" aka "prime256v1" aka "NIST P-256" curve.
      Returns:
      the key pair.
      Throws:
      GeneralSecurityException
    • pemEncodeCertAndPrivateKey

      public static String pemEncodeCertAndPrivateKey(X509Certificate cert, PrivateKey privateKey, char[] keyPassword) throws IOException, org.bouncycastle.operator.OperatorCreationException
      PEM-encodes the given X509 certificate and private key (compatible with OpenSSL), optionally protecting the private key with a password. Concatenates them both and returns the result as a single string. This creates the PEM encoding of a key store.
      Parameters:
      cert - the X509 certificate to PEM-encode.
      privateKey - the private key to PEM-encode.
      keyPassword - an optional key password. If empty or null, the private key will not be encrypted.
      Returns:
      a String containing the PEM encodings of the certificate and private key.
      Throws:
      IOException - if converting the certificate or private key to PEM format fails.
      org.bouncycastle.operator.OperatorCreationException - if constructing the encryptor from the given password fails.
    • pemEncodePrivateKey

      public static String pemEncodePrivateKey(PrivateKey key, char[] password) throws IOException, org.bouncycastle.operator.OperatorCreationException
      PEM-encodes the given private key (compatible with OpenSSL), optionally protecting it with a password, and returns the result as a String.
      Parameters:
      key - the private key.
      password - an optional key password. If empty or null, the private key will not be encrypted.
      Returns:
      a String containing the PEM encoding of the private key.
      Throws:
      IOException - if converting the key to PEM format fails.
      org.bouncycastle.operator.OperatorCreationException - if constructing the encryptor from the given password fails.
    • pemEncodeX509Certificate

      PEM-encodes the given X509 certificate (compatible with OpenSSL) and returns the result as a String.
      Parameters:
      cert - the certificate.
      Returns:
      a String containing the PEM encoding of the certificate.
      Throws:
      IOException - if converting the certificate to PEM format fails.
    • certToJavaTrustStoreBytes

      public static byte[] certToJavaTrustStoreBytes(X509Certificate cert, char[] keyPassword) throws IOException, GeneralSecurityException
      Encodes the given X509Certificate as a JKS TrustStore, optionally protecting the cert with a password (though it's unclear why one would do this since certificates only contain public information and do not need to be kept secret). Returns the byte array encoding of the trust store, which may be written to a file and loaded to instantiate the trust store at a later point or in another process.
      Parameters:
      cert - the certificate to serialize.
      keyPassword - an optional password to encrypt the trust store. If empty or null, the cert will not be encrypted.
      Returns:
      the serialized bytes of the JKS trust store.
      Throws:
      IOException
      GeneralSecurityException
    • certToPKCS12TrustStoreBytes

      public static byte[] certToPKCS12TrustStoreBytes(X509Certificate cert, char[] keyPassword) throws IOException, GeneralSecurityException
      Encodes the given X509Certificate as a PKCS12 TrustStore, optionally protecting the cert with a password (though it's unclear why one would do this since certificates only contain public information and do not need to be kept secret). Returns the byte array encoding of the trust store, which may be written to a file and loaded to instantiate the trust store at a later point or in another process.
      Parameters:
      cert - the certificate to serialize.
      keyPassword - an optional password to encrypt the trust store. If empty or null, the cert will not be encrypted.
      Returns:
      the serialized bytes of the PKCS12 trust store.
      Throws:
      IOException
      GeneralSecurityException
    • certToBCFKSTrustStoreBytes

      public static byte[] certToBCFKSTrustStoreBytes(X509Certificate cert, char[] keyPassword) throws IOException, GeneralSecurityException
      Encodes the given X509Certificate as a BCFKS TrustStore, optionally protecting the cert with a password (though it's unclear why one would do this since certificates only contain public information and do not need to be kept secret). Returns the byte array encoding of the trust store, which may be written to a file and loaded to instantiate the trust store at a later point or in another process.
      Parameters:
      cert - the certificate to serialize.
      keyPassword - an optional password to encrypt the trust store. If empty or null, the cert will not be encrypted.
      Returns:
      the serialized bytes of the BCFKS trust store.
      Throws:
      IOException
      GeneralSecurityException
    • certToTrustStoreBytes

      private static byte[] certToTrustStoreBytes(X509Certificate cert, char[] keyPassword, KeyStore trustStore) throws IOException, GeneralSecurityException
      Throws:
      IOException
      GeneralSecurityException
    • certAndPrivateKeyToJavaKeyStoreBytes

      public static byte[] certAndPrivateKeyToJavaKeyStoreBytes(X509Certificate cert, PrivateKey privateKey, char[] keyPassword) throws IOException, GeneralSecurityException
      Encodes the given X509Certificate and private key as a JKS KeyStore, optionally protecting the private key (and possibly the cert?) with a password. Returns the byte array encoding of the key store, which may be written to a file and loaded to instantiate the key store at a later point or in another process.
      Parameters:
      cert - the X509 certificate to serialize.
      privateKey - the private key to serialize.
      keyPassword - an optional key password. If empty or null, the private key will not be encrypted.
      Returns:
      the serialized bytes of the JKS key store.
      Throws:
      IOException
      GeneralSecurityException
    • certAndPrivateKeyToPKCS12Bytes

      public static byte[] certAndPrivateKeyToPKCS12Bytes(X509Certificate cert, PrivateKey privateKey, char[] keyPassword) throws IOException, GeneralSecurityException
      Encodes the given X509Certificate and private key as a PKCS12 KeyStore, optionally protecting the private key (and possibly the cert?) with a password. Returns the byte array encoding of the key store, which may be written to a file and loaded to instantiate the key store at a later point or in another process.
      Parameters:
      cert - the X509 certificate to serialize.
      privateKey - the private key to serialize.
      keyPassword - an optional key password. If empty or null, the private key will not be encrypted.
      Returns:
      the serialized bytes of the PKCS12 key store.
      Throws:
      IOException
      GeneralSecurityException
    • certAndPrivateKeyToBCFKSBytes

      public static byte[] certAndPrivateKeyToBCFKSBytes(X509Certificate cert, PrivateKey privateKey, char[] keyPassword) throws IOException, GeneralSecurityException
      Encodes the given X509Certificate and private key as a BCFKS KeyStore, optionally protecting the private key (and possibly the cert?) with a password. Returns the byte array encoding of the key store, which may be written to a file and loaded to instantiate the key store at a later point or in another process.
      Parameters:
      cert - the X509 certificate to serialize.
      privateKey - the private key to serialize.
      keyPassword - an optional key password. If empty or null, the private key will not be encrypted.
      Returns:
      the serialized bytes of the BCFKS key store.
      Throws:
      IOException
      GeneralSecurityException
    • certAndPrivateKeyToBytes

      private static byte[] certAndPrivateKeyToBytes(X509Certificate cert, PrivateKey privateKey, char[] keyPassword, KeyStore keyStore) throws IOException, GeneralSecurityException
      Throws:
      IOException
      GeneralSecurityException
    • toX509Cert

      public static X509Certificate toX509Cert(org.bouncycastle.cert.X509CertificateHolder certHolder) throws CertificateException
      Convenience method to convert a Bouncy Castle X509CertificateHolder to a Java X509Certificate.
      Parameters:
      certHolder - a Bouncy Castle X509CertificateHolder.
      Returns:
      a Java X509Certificate.
      Throws:
      CertificateException - if the conversion fails.
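The methods above are the steps of one procedure: generate a CA key pair, self-sign a CA certificate, issue a leaf certificate for a test peer (with "localhost" subject alternative names), then serialize the leaf plus its private key as the key store and the CA certificate alone as the trust store. The following walk-through is an added example, not code from HBase or ZooKeeper; X509TestHelpers itself is package-private, so this example re-creates the same flow with the Bouncy Castle builder and JDK KeyStore APIs that the helpers wrap. It assumes bcprov and bcpkix on the classpath; the class and method names (TestPkiWalkthrough, builder, issue, validate), the one-year validity window, the random 64-bit serial and the password are all constructed for the example. It ends with the check a peer actually performs at TLS handshake time: PKIX validation of the leaf against the serialized trust store.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;          // explicit: disambiguates from java.security.Certificate
import java.security.spec.RSAKeyGenParameterSpec;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Collections;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;   // explicit: disambiguates from java.security.cert.Extension
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Hypothetical walk-through of the CA -> leaf cert -> key store / trust store flow (example code). */
public final class TestPkiWalkthrough {

  // Same parameters the page gives for generateRSAKeyPair(): 2048-bit key, public exponent F4.
  static KeyPair rsaKeyPair() throws Exception {
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    kpg.initialize(new RSAKeyGenParameterSpec(2048, RSAKeyGenParameterSpec.F4));
    return kpg.generateKeyPair();
  }

  // Builder set-up shared by the CA and leaf paths: issuer, serial, validity, subject, public key.
  static X509v3CertificateBuilder builder(X500Name issuer, X500Name subject, PublicKey pub) {
    Instant now = Instant.now();                                   // constructed validity window
    Date notBefore = Date.from(now.minus(1, ChronoUnit.DAYS));
    Date notAfter = Date.from(now.plus(365, ChronoUnit.DAYS));
    BigInteger serial = new BigInteger(64, new SecureRandom());    // random serial, never reused
    return new JcaX509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, pub);
  }

  // Sign whatever the builder holds with the given private key and convert to a JDK certificate.
  static X509Certificate sign(PrivateKey key, X509v3CertificateBuilder b) throws Exception {
    ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(key);
    return new JcaX509CertificateConverter().getCertificate(b.build(signer));
  }

  // Self-signed CA: issuer == subject, cA=true so peers will accept it as a signer of leaf certs.
  static X509Certificate selfSignedCa(X500Name subject, KeyPair kp) throws Exception {
    X509v3CertificateBuilder b = builder(subject, subject, kp.getPublic());
    b.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
    return sign(kp.getPrivate(), b);
  }

  // Leaf cert: issuer copied from the CA cert's subject, cA=false, optional subject alt names.
  static X509Certificate issue(X509Certificate ca, KeyPair caKp, X500Name subject,
      PublicKey pub, GeneralNames sans) throws Exception {
    X500Name issuer = new JcaX509CertificateHolder(ca).getSubject();
    X509v3CertificateBuilder b = builder(issuer, subject, pub);
    b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
    if (sans != null) {
      b.addExtension(Extension.subjectAlternativeName, false, sans);
    }
    return sign(caKp.getPrivate(), b);
  }

  // Key store: the leaf certificate plus its private key, the key encrypted under the password.
  static byte[] keyStoreBytes(X509Certificate cert, PrivateKey key, char[] pw) throws Exception {
    KeyStore ks = KeyStore.getInstance("PKCS12");
    ks.load(null, null);
    ks.setKeyEntry("key", key, pw, new Certificate[] { cert });
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    ks.store(out, pw);
    return out.toByteArray();
  }

  // Trust store: only the CA certificate. The CA private key never goes into a store peers read.
  static byte[] trustStoreBytes(X509Certificate ca, char[] pw) throws Exception {
    KeyStore ts = KeyStore.getInstance("PKCS12");
    ts.load(null, null);
    ts.setCertificateEntry("ca", ca);
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    ts.store(out, pw);
    return out.toByteArray();
  }

  // The check a peer performs: does the leaf chain to an anchor in the serialized trust store?
  static void validate(X509Certificate leaf, byte[] trustStore, char[] pw) throws Exception {
    KeyStore ts = KeyStore.getInstance("PKCS12");
    ts.load(new ByteArrayInputStream(trustStore), pw);
    PKIXParameters params = new PKIXParameters(ts);
    params.setRevocationEnabled(false);           // the test CA publishes no CRL or OCSP responder
    CertPath path = CertificateFactory.getInstance("X.509")
        .generateCertPath(Collections.singletonList(leaf));
    CertPathValidator.getInstance("PKIX").validate(path, params);   // throws CertPathValidatorException on failure
  }

  public static void main(String[] args) throws Exception {
    char[] pw = "test-password".toCharArray();   // constructed; PKCS12 key entries need a non-null password
    KeyPair caKp = rsaKeyPair();
    X509Certificate ca = selfSignedCa(new X500Name("CN=Test CA"), caKp);
    KeyPair leafKp = rsaKeyPair();
    GeneralNames sans = new GeneralNames(new GeneralName[] {       // what getLocalhostSubjectAltNames() describes
        new GeneralName(GeneralName.dNSName, "localhost"),
        new GeneralName(GeneralName.iPAddress, "127.0.0.1") });
    X509Certificate leaf = issue(ca, caKp, new X500Name("CN=localhost"), leafKp.getPublic(), sans);
    byte[] keyStore = keyStoreBytes(leaf, leafKp.getPrivate(), pw);
    byte[] trustStore = trustStoreBytes(ca, pw);
    validate(leaf, trustStore, pw);
    System.out.println("CA pathLen=" + ca.getBasicConstraints() + ", leaf SANs=" + leaf.getSubjectAlternativeNames()
        + ", keyStore=" + keyStore.length + " bytes, trustStore=" + trustStore.length + " bytes");
  }
}
```

Two design points worth noting against the page's own API. First, the trust store holds only the CA certificate, exactly as the newSelfSignedCACert() description says, and a leaf certificate signed by any other key fails the validate() step; that is the whole point of separating the key store from the trust store. Second, the page's question mark over password-protecting a trust store applies here too: the password on trustStoreBytes() protects integrity (the PKCS12 MAC), not confidentiality, since the CA certificate is public.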