Thursday, February 3, 2011

BouncyCastle Unleashed!

Bouncy Castle is a collection of cryptographic APIs for both Java and C#.

Installing the Java Cryptography Extension (JCE) Unlimited Strength Policy Files:

Download the archive jce_policy-6.zip from the Java SE Downloads page.
Copy the files local_policy.jar and US_export_policy.jar from the archive into the folder %JAVA_HOME%\jre\lib\security, overwriting the files already present in that directory.

Generating a KeyPair
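// Generate the CA's RSA key pair.
// 1024-bit RSA is no longer considered adequate for a CA signing key;
// 2048 bits is the usual minimum today, and the rest of this post
// (SHA-512 signatures) only makes sense with a key of that strength.
KeyPair caKeyPair = null;
try {
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    keyGen.initialize(2048); // was 1024 in the original
    caKeyPair = keyGen.generateKeyPair();
} catch (NoSuchAlgorithmException ex) {
    // Every JCA runtime ships RSA, so this only happens when the JRE is
    // broken. The original swallowed it silently, which left caKeyPair
    // null and made every later step fail with a confusing
    // NullPointerException far from the real cause.
    throw new IllegalStateException("RSA KeyPairGenerator is not available", ex);
}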



Self-Signed Certificates

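try
{
    // create the X.500 name used as both issuer and subject (self-signed).
    // The original string ended in "CN=RootCA;" — the stray ';' became part
    // of the common name.
    X509Name issuerName = new X509Name("C=IN,ST=AP,L=Hyderabad,E=rootca@mail.com,CN=RootCA");
    // init the generator (newer Bouncy Castle releases deprecate this class in
    // favour of JcaX509v3CertificateBuilder, but it is the API this post uses)
    X509V3CertificateGenerator v3CertGenerator = new X509V3CertificateGenerator();
    // set the parameters; issuer == subject because the CA signs itself
    v3CertGenerator.setIssuerDN(issuerName);
    v3CertGenerator.setSubjectDN(issuerName);
    v3CertGenerator.setNotBefore(now.getTime());
    v3CertGenerator.setNotAfter(yearAfter.getTime());
    v3CertGenerator.setPublicKey(caKeyPair.getPublic());
    // serial numbers must be unique per issuer. ONE is acceptable for the
    // single self-signed root, but every certificate this CA later issues
    // needs a distinct and unpredictable serial (RFC 5280 asks for at least
    // 64 bits of entropy) — do not copy BigInteger.ONE into the issuing code.
    v3CertGenerator.setSerialNumber(BigInteger.ONE);
    v3CertGenerator.setSignatureAlgorithm("SHA512withRSAEncryption");
    // basicConstraints cA=true is what makes this certificate usable as a CA
    // at all: RFC 5280 path validation rejects an issuer certificate that
    // lacks it, and the original never added it.
    v3CertGenerator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
    // add key usage extensions: the CA key only signs certificates and CRLs.
    // (The original also added a critical ExtendedKeyUsage of
    // anyExtendedKeyUsage; EKU is meant for end-entity certificates and adds
    // nothing on a CA certificate, so it is dropped.)
    v3CertGenerator.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
    // subjectKeyIdentifier lets CRLs and issued certificates (which carry an
    // AuthorityKeyIdentifier built from caCert) be matched back to this key
    v3CertGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(caKeyPair.getPublic()));
    // add the distribution point. The URI needs a scheme (the original had
    // none), and reasons/cRLIssuer are left null: the CRL published later
    // revokes for reasons other than keyCompromise, so restricting this DP to
    // keyCompromise would make that CRL unusable for it, and RFC 5280 4.2.1.13
    // requires cRLIssuer to be omitted when the CA issues its own CRLs.
    GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, "http://www.pathtocrl.com/crl.crl");
    DistributionPointName distributionPointname = new DistributionPointName(DistributionPointName.FULL_NAME, gn);
    DistributionPoint distributionPoint = new DistributionPoint(distributionPointname, null, null);
    // non-critical, as RFC 5280 recommends — marked critical (as in the
    // original) it forces every relying party that does not process CRL DPs
    // to reject the certificate outright
    v3CertGenerator.addExtension(X509Extensions.CRLDistributionPoints, false, new CRLDistPoint(new DistributionPoint[]{distributionPoint}));
    // generate the cert, signed with the CA's own private key
    X509Certificate caCert = v3CertGenerator.generate(caKeyPair.getPrivate()); // self signed
}
catch (CertificateEncodingException ex) {
    ex.printStackTrace();
} catch (IllegalStateException ex) {
    // thrown by generate() when a required field (issuer, subject, key, ...) was never set
    ex.printStackTrace();
} catch (NoSuchAlgorithmException ex) {
    ex.printStackTrace();
} catch (SignatureException ex) {
    ex.printStackTrace();
} catch (InvalidKeyException ex) {
    ex.printStackTrace();
}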

PKCS10 Certification Request
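//subjectName is the X509 Name of the requester; keyPair is the requester's key pair.
//The request is signed with the requester's private key as proof of possession.
//The original passed "" as the signature algorithm, which cannot produce a valid
//signature; name a real one (the same algorithm the CA snippets use).
PKCS10CertificationRequest pkcs10Req = new PKCS10CertificationRequest(
                "SHA512withRSAEncryption",
                subjectName,
                keyPair.getPublic(),
                null,  // no PKCS#9 attributes (e.g. requested extensions)
                keyPair.getPrivate());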

PKCS12 KeyStore
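try
{
    //init the KeyStore (PKCS#12 via the Bouncy Castle provider)
    KeyStore store = KeyStore.getInstance("PKCS12", "BC");
    store.load(null, null); // null stream: start from an empty store
    //add Certificates to the chain: chain[0] must be the end-entity
    //certificate, followed by its issuer(s)
    Certificate[] chain = new Certificate[2];
    chain[0] = userCertificate;
    chain[1] = caCert;
    //set the key entry
    store.setKeyEntry("My Key", userKeyPair.getPrivate(), password, chain);
    //the original never closed the stream: the handle leaked, and on an
    //exception mid-write a truncated id.p12 could be left on disk.
    //id.p12 contains the private key, so protect it with a strong password
    //and restrict its file permissions.
    FileOutputStream fOut = new FileOutputStream("id.p12");
    try {
        store.store(fOut, password);
    } finally {
        fOut.close();
    }
}
catch (IOException ex) {
    ex.printStackTrace();
} catch (NoSuchAlgorithmException ex) {
    ex.printStackTrace();
} catch (CertificateException ex) {
    ex.printStackTrace();
} catch (KeyStoreException ex) {
    ex.printStackTrace();
} catch (NoSuchProviderException ex) {
    // the "BC" provider was not registered with Security.addProvider(...)
    ex.printStackTrace();
}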

Publishing CRLs
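try
{
    X509V2CRLGenerator crlGen = new X509V2CRLGenerator();
    // the CRL issuer is the CA itself, i.e. caCert's *subject*. For a
    // self-signed root issuer and subject coincide, but subject is the
    // correct field once this code is reused for an intermediate CA.
    crlGen.setIssuerDN(caCert.getSubjectX500Principal());
    crlGen.setThisUpdate(now.getTime());
    // nextUpdate is how long relying parties may cache this CRL; with a full
    // year a new revocation can go unnoticed for that long, so publish far
    // more frequently in practice
    crlGen.setNextUpdate(yearAfter.getTime());
    crlGen.setSignatureAlgorithm("SHA512withRSAEncryption");
    // revoke the certificate with serial 10. The revocation date is the
    // moment it became invalid, which is now — the original used yearAfter,
    // a date in the future, so validators would treat the entry as not yet
    // effective.
    crlGen.addCRLEntry(BigInteger.TEN, now.getTime(), CRLReason.superseded);
    // CRLNumber must increase monotonically with every CRL issued; ONE is
    // only correct for the very first one
    crlGen.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(BigInteger.ONE));
    // identifies the CA key that signed this CRL
    crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
    crl = crlGen.generate(caKeyPair.getPrivate(), "BC");
}
catch (CRLException ex) {
    ex.printStackTrace();
} catch (IllegalStateException ex) {
    // thrown by generate() when a required field (issuer, thisUpdate, ...) was never set
    ex.printStackTrace();
} catch (NoSuchProviderException ex) {
    ex.printStackTrace();
} catch (NoSuchAlgorithmException ex) {
    ex.printStackTrace();
} catch (SignatureException ex) {
    ex.printStackTrace();
} catch (InvalidKeyException ex) {
    ex.printStackTrace();
}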
