users@jax-rpc.java.net

Re: Generating keystores and truststores for jwsdp-1.5 based on

From: V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Tue, 12 Apr 2005 12:28:22 +0530

Hi,

  
jagan wrote:

> Hello V B Kumar Jayanti,
>
> Thank you very much for your information. When I try to load
> private key I am getting exception while generating the instance of
> the private key in the method "generatePrivate". I used openssl to
> create private and public keys as well as CA.

the code i had sent requires all the certs and keys to be in DER format.
U can use openssl x509 command to convert PEM files generated by openssl
into DER format. Similarly the openssl rsa command can be used to
convert private keys from PEM to DER format.

Please let me know if you need any additional help. U will first need to
generate a CA. There is a CA.sh utility that comes with openssl that is
more user friendly and simpler to use than openssl directly.

>
> I run the following commands for generating keys and CA.
>
> openssl genrsa -des3 -out
> /home/jagan/jwsdp-1.5/xws-security/etc/client.key
> openssl req -new -key
> /home/jagan/jwsdp-1.5/xws-security/etc/client.key -out
>
> /home/jagan/jwsdp-1.5/xws-security/etc/client.csr
> openssl ca -in /home/jagan/jwsdp-1.5/xws-security/etc/client.csr -out
> /home/jagan/jwsdp-1.5/xws-security/etc/client.crt -notext -passin
> pass:capass
> ======================================================
> I added the following function in addition to your code you sent in
> previous mail,
>
> public static void main(String[] args){
> try{
> X509Certificate cert =
> readX509Cert("/home/jagan/jwsdp-1.5/xws-security/etc/client.crt");
> System.out.println("The certificate has been loaded");
> PrivateKey key =
> readPrivateKey("/home/jagan/jwsdp-1.5/xws-security/etc/client.key");
> System.out.println("The key has been loaded");
> generateAndSaveKeyStore(cert, key, "changeit",
> "xws-security-client","changeit","/home/jagan/jwsdp-1.5/xws-security/etc/client-keystore");
> }
> catch(Exception e){System.out.println("The exception raised");}
>
> System.out.println("I am jagan ");
> }
> ======================================================
> I am getting the following exception .............
>
> [jagan_at_dione CA]$ java SecuritySample
> The certificate has been loaded
> The exception raised
> I am jagan
> [jagan_at_dione CA]$
> ----------------------------------------------------------
> The configuration of the openssl is also enclosed to this mail.
>
> Could you mind to help me please?
>
> with regards,
>
> Jagan Kommineni
>
> V B Kumar Jayanti wrote:
>
>> Alessio Cervellin wrote:
>>
>>>>==========================
>>>>Date: Tue, 05 Apr 2005 09:21:58 +1000
>>>>From: jagan <Jagan.Kommineni_at_infotech.monash.edu.au>
>>>>[CUT]
>>>>application. When I try to generate keystore and truststore using
>>>>keytool and openssl based on
>>>>"http://www.devx.com/Java/Article/10185/1954?pf=true", I am facing
>>>>problems. As these stores are based on version 1 of x.509. I
>>>>suspect
>>>>XWS-Security requires V3 certificates.
>>>>
>>>>
>>>
>>>Yes, AFAIK XWS requires V3 certificates (though I heard there has been some discussion in the past months within the OASIS working group about adding the support for x509v1)
>>>
>>>
>>>
>>>>I will be grateful if any body could give me some details for
>>>>establishing new certificates based on v3 .
>>>>
>>>>
>>>
>>>If you are facing problems with keytool/openssl, the fastest way to get your target coulb be to use a frontend like "Keystore Explorer" (you can get a free trial somewhere on internet), then you can use its GUI to do the following steps:
>>>1- create a new jks keystore
>>>2- generate a new key pair
>>>3- create a CSR bound to the previous key
>>>4- send the CSR to some CA (e.g. you can do it for free from the Verisign site)
>>>5- import the CA certificate (e.g. for Verisign you can download it from their site) in your trustore
>>>6- import the certificate that will be sent back to you from the CA you sent the CSR to in your keystore
>>>
>>>
>> You can use the following peice of code to import certificates into
>> keystores (JKS).
>>
>>> import java.io.*;
>>>
>>> import java.security.*;
>>> import java.security.cert.*;
>>> import java.security.spec.*;
>>>
>>> public class SecuritySample {
>>>
>>> public static X509Certificate readX509Cert(String fileLocation)
>>> throws Exception {
>>> FileInputStream fis = new FileInputStream(fileLocation);
>>> BufferedInputStream bis = new BufferedInputStream(fis);
>>> CertificateFactory cf = CertificateFactory.getInstance("X.509");
>>> X509Certificate cert = null;
>>> while (bis.available() > 0) {
>>> cert = (X509Certificate) cf.generateCertificate(bis);
>>> }
>>> return cert;
>>> }
>>>
>>> /**
>>> * Private key should be in "DER" format.
>>> */
>>> public static PrivateKey readPrivateKey(String fileLocation)
>>> throws Exception {
>>>
>>> FileInputStream fis = new FileInputStream(fileLocation);
>>> byte input[] = new byte[fis.available()];
>>> fis.read(input, 0, input.length);
>>> PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(input);
>>> KeyFactory key_fac = KeyFactory.getInstance("RSA");
>>> return key_fac.generatePrivate(spec);
>>> }
>>>
>>> /**
>>> * Generate a keystore with a single cert-privKey pair.
>>> */
>>> public static void generateAndSaveKeyStore(
>>> X509Certificate cert,
>>> PrivateKey key,
>>> String keystorePassword,
>>> String alias,
>>> String keyPassword,
>>> String keystoreLocation)
>>> throws Exception {
>>>
>>> KeyStore ks = KeyStore.getInstance("JKS");
>>> ks.load(null, keystorePassword.toCharArray());
>>> X509Certificate[] chain = new X509Certificate[1];
>>> chain[0] = cert;
>>> ks.setKeyEntry(alias, key, keyPassword.toCharArray(), chain);
>>> ks.store(
>>> new FileOutputStream(keystoreLocation),
>>> keystorePassword.toCharArray());
>>> }
>>> }
>>>
>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: users-unsubscribe_at_jax-rpc.dev.java.net
>>>For additional commands, e-mail: users-help_at_jax-rpc.dev.java.net
>>>
>>>
>>>
>>
>------------------------------------------------------------------------
>
>#
># OpenSSL example configuration file.
># This is mostly being used for generation of certificate requests.
>#
>
># This definition stops the following lines choking if HOME isn't
># defined.
>HOME = .
>RANDFILE = $ENV::HOME/.rnd
>
># Extra OBJECT IDENTIFIER info:
>#oid_file = $ENV::HOME/.oid
>oid_section = new_oids
>
># To use this configuration file with the "-extfile" option of the
># "openssl x509" utility, name here the section containing the
># X.509v3 extensions to use:
># extensions =
># (Alternatively, use a configuration file that has only
># X.509v3 extensions in its main [= default] section.)
>
>[ new_oids ]
>
># We can add new OIDs in here for use by 'ca' and 'req'.
># Add a simple OID like this:
># testoid1=1.2.3.4
># Or use config file substitution like this:
># testoid2=${testoid1}.5.6
>
>####################################################################
>[ ca ]
>default_ca = CA_default # The default ca section
>
>####################################################################
>[ CA_default ]
>
>dir = ./demoCA # Where everything is kept
>certs = $dir/certs # Where the issued certs are kept
>crl_dir = $dir/crl # Where the issued crl are kept
>database = $dir/index.txt # database index file.
>new_certs_dir = $dir/newcerts # default place for new certs.
>
>certificate = $dir/cacert.pem # The CA certificate
>serial = $dir/serial # The current serial number
>crl = $dir/crl.pem # The current CRL
>private_key = $dir/private/cakey.pem# The private key
>RANDFILE = $dir/private/.rand # private random number file
>
>x509_extensions = usr_cert # The extentions to add to the cert
>
># Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
># so this is commented out by default to leave a V1 CRL.
># crl_extensions = crl_ext
>
>default_days = 365 # how long to certify for
>default_crl_days= 30 # how long before next CRL
>default_md = md5 # which md to use.
>preserve = no # keep passed DN ordering
>
># A few difference way of specifying how similar the request should look
># For type CA, the listed attributes must be the same, and the optional
># and supplied fields are just that :-)
>#policy = policy_match
>policy = policy_anything
># For the CA policy
>[ policy_match ]
>countryName = match
>stateOrProvinceName = match
>organizationName = match
>organizationalUnitName = optional
>commonName = supplied
>emailAddress = optional
>
># For the 'anything' policy
># At this point in time, you must list all acceptable 'object'
># types.
>[ policy_anything ]
>countryName = optional
>stateOrProvinceName = optional
>localityName = optional
>organizationName = optional
>organizationalUnitName = optional
>commonName = supplied
>emailAddress = optional
>
>####################################################################
>[ req ]
>default_bits = 1024
>default_keyfile = privkey.pem
>distinguished_name = req_distinguished_name
>attributes = req_attributes
>x509_extensions = v3_ca # The extentions to add to the self signed cert
>
># Passwords for private keys if not present they will be prompted for
># input_password = secret
># output_password = secret
>
># This sets a mask for permitted string types. There are several options.
># default: PrintableString, T61String, BMPString.
># pkix : PrintableString, BMPString.
># utf8only: only UTF8Strings.
># nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
># MASK:XXXX a literal mask value.
># WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
># so use this option with caution!
>string_mask = nombstr
>
># req_extensions = v3_req # The extensions to add to a certificate request
>
>[ req_distinguished_name ]
>countryName = Country Name (2 letter code)
>countryName_default = GB
>countryName_min = 2
>countryName_max = 2
>
>stateOrProvinceName = State or Province Name (full name)
>stateOrProvinceName_default = Berkshire
>
>localityName = Locality Name (eg, city)
>localityName_default = Newbury
>
>0.organizationName = Organization Name (eg, company)
>0.organizationName_default = My Company Ltd
>
># we can do this but it is not needed normally :-)
>#1.organizationName = Second Organization Name (eg, company)
>#1.organizationName_default = World Wide Web Pty Ltd
>
>organizationalUnitName = Organizational Unit Name (eg, section)
>#organizationalUnitName_default =
>
>commonName = Common Name (eg, your name or your server\'s hostname)
>commonName_max = 64
>
>emailAddress = Email Address
>emailAddress_max = 40
>
># SET-ex3 = SET extension number 3
>
>[ req_attributes ]
>challengePassword = A challenge password
>challengePassword_min = 4
>challengePassword_max = 20
>
>unstructuredName = An optional company name
>
>[ usr_cert ]
>
># These extensions are added when 'ca' signs a request.
>
># This goes against PKIX guidelines but some CAs do it and some software
># requires this to avoid interpreting an end user certificate as a CA.
>
>basicConstraints=CA:FALSE
>
># Here are some examples of the usage of nsCertType. If it is omitted
># the certificate can be used for anything *except* object signing.
>
># This is OK for an SSL server.
># nsCertType = server
>
># For an object signing certificate this would be used.
># nsCertType = objsign
>
># For normal client use this is typical
># nsCertType = client, email
>
># and for everything including object signing:
># nsCertType = client, email, objsign
>
># This is typical in keyUsage for a client certificate.
># keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>
># This will be displayed in Netscape's comment listbox.
>nsComment = "OpenSSL Generated Certificate"
>
># PKIX recommendations harmless if included in all certificates.
>subjectKeyIdentifier=hash
>authorityKeyIdentifier=keyid,issuer:always
>
># This stuff is for subjectAltName and issuerAltname.
># Import the email address.
># subjectAltName=email:copy
>
># Copy subject details
># issuerAltName=issuer:copy
>
>#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
>#nsBaseUrl
>#nsRevocationUrl
>#nsRenewalUrl
>#nsCaPolicyUrl
>#nsSslServerName
>
>[ v3_req ]
>
># Extensions to add to a certificate request
>
>basicConstraints = CA:FALSE
>keyUsage = nonRepudiation, digitalSignature, keyEncipherment
>
>[ v3_ca ]
>
>
># Extensions for a typical CA
>
>
># PKIX recommendation.
>
>subjectKeyIdentifier=hash
>
>authorityKeyIdentifier=keyid:always,issuer:always
>
># This is what PKIX recommends but some broken software chokes on critical
># extensions.
>#basicConstraints = critical,CA:true
># So we do this instead.
>basicConstraints = CA:true
>
># Key usage: this is typical for a CA certificate. However since it will
># prevent it being used as an test self-signed certificate it is best
># left out by default.
># keyUsage = cRLSign, keyCertSign
>
># Some might want this also
># nsCertType = sslCA, emailCA
>
># Include email address in subject alt name: another PKIX recommendation
># subjectAltName=email:copy
># Copy issuer details
># issuerAltName=issuer:copy
>
># DER hex encoding of an extension: beware experts only!
># obj=DER:02:03
># Where 'obj' is a standard or added object
># You can even override a supported extension:
># basicConstraints= critical, DER:30:03:01:01:FF
>
>[ crl_ext ]
>
># CRL extensions.
># Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
>
># issuerAltName=issuer:copy
>authorityKeyIdentifier=keyid:always,issuer:always
>
>[ engine ]
>default = openssl
># rsa = openssl
># dsa = openssl
># dh = openssl
># rand = openssl
># bn_mod_exp = openssl
># bn_mod_exp_crt = openssl
>
>