001// Copyright (C) 2002 IAIK 002// https://sic.tech/ 003// 004// Copyright (C) 2003 - 2025 Stiftung Secure Information and 005// Communication Technologies SIC 006// https://sic.tech/ 007// 008// All rights reserved. 009// 010// This source is provided for inspection purposes and recompilation only, 011// unless specified differently in a contract with IAIK. This source has to 012// be kept in strict confidence and must not be disclosed to any third party 013// under any circumstances. Redistribution in source and binary forms, with 014// or without modification, are <not> permitted in any case! 015// 016// THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 017// ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 018// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 019// ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 020// FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 021// DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 022// OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 023// HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 024// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 025// OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 026// SUCH DAMAGE. 027// 028// $Header: /IAIK-CMS/current/src/demo/keystore/SetupCMSKeyStore.java 42 12.02.25 17:58 Dbratko $ 029// $Revision: 42 $ 030// 031 032package demo.keystore; 033 034import iaik.asn1.CodingException; 035import iaik.asn1.ObjectID; 036import iaik.asn1.structures.AlgorithmID; 037import iaik.asn1.structures.GeneralName; 038import iaik.asn1.structures.GeneralNames; 039import iaik.asn1.structures.Name; 040import iaik.asn1.structures.PolicyInformation; 041import iaik.asn1.structures.PolicyQualifierInfo; 042import iaik.cms.SecurityProvider; 043import iaik.cms.Utils; 044import iaik.pkcs.pkcs1.MGF1ParameterSpec; 045import iaik.pkcs.pkcs1.MaskGenerationAlgorithm; 046import iaik.pkcs.pkcs1.RSAPssParameterSpec; 047import iaik.security.rsa.RSAPssKeyPairGenerator; 048import iaik.x509.SimpleChainVerifier; 049import iaik.x509.X509Certificate; 050import iaik.x509.X509ExtensionException; 051import iaik.x509.extensions.AuthorityKeyIdentifier; 052import iaik.x509.extensions.BasicConstraints; 053import iaik.x509.extensions.CertificatePolicies; 054import iaik.x509.extensions.ExtendedKeyUsage; 055import iaik.x509.extensions.KeyUsage; 056import iaik.x509.extensions.SubjectAltName; 057import iaik.x509.extensions.SubjectKeyIdentifier; 058 059import java.io.BufferedReader; 060import java.io.File; 061import java.io.FileInputStream; 062import java.io.FileOutputStream; 063import java.io.IOException; 064import java.io.InputStreamReader; 065import java.math.BigInteger; 066import java.security.InvalidAlgorithmParameterException; 067import java.security.InvalidKeyException; 068import java.security.KeyPair; 069import java.security.KeyPairGenerator; 070import java.security.KeyStore; 071import java.security.KeyStoreException; 072import java.security.MessageDigest; 073import java.security.NoSuchAlgorithmException; 074import java.security.NoSuchProviderException; 075import java.security.PrivateKey; 076import java.security.PublicKey; 077import java.security.cert.CertificateException; 078import java.util.Calendar; 079import java.util.GregorianCalendar; 080import java.util.Random; 081 082import demo.DemoUtil; 083 084 085/** 086 * Creates a default KeyStore in the current working directory. 087 * These keys are used by many demos included in IAIK-JCE. 088 * The aliases and the password for accessing the keys and 089 * certificates can be found in {@link demo.keystore.CMSKeyStoreConstants CMSKeyStoreConstants}. 090 * 091 * @see CMSKeyStoreConstants 092 */ 093public class SetupCMSKeyStore implements CMSKeyStoreConstants { 094 095 // the keylength of the CA certificate shall be 1024 096 private final static int CA_KEYLENGTH = 2048; 097 098 // the key store to create 099 KeyStore key_store; 100 // the file where the key store shall be saved 101 String keystore_file; 102 // takes the existing keys from the KeyStore and only creates new certificates 103 boolean create_only_certificates = true; 104 105 // the private keys 106 107 // CA keys 108 KeyPair ca_dsa = null; 109 KeyPair ca_rsa = null; 110 KeyPair ca_rsa_pss = null; 111 112 // RSA for signing 113 KeyPair rsa2048_sign_1 = null; 114 KeyPair rsa2048_sign_2 = null; 115 KeyPair rsa2048_sign_3 = null; 116 // RSA for encrypting 117 KeyPair rsa2048_crypt_1 = null; 118 KeyPair rsa2048_crypt_2 = null; 119 KeyPair rsa2048_crypt_3 = null; 120 // RSA-PSS for signing 121 KeyPair rsapss2048_sha1_sign = null; 122 KeyPair rsapss2048_sha256_sign = null; 123 KeyPair rsapss2048_sha384_sign = null; 124 KeyPair rsapss2048_sha512_sign = null; 125 126 // DSA signing 127 KeyPair dsa1024 = null; 128 // DSA with SHA224 129 KeyPair dsa2048 = null; 130 // DSA with SHA256 131 KeyPair dsa3072 = null; 132 133 // DH key exchange 134 KeyPair esdh2048_1 = null; 135 KeyPair esdh2048_2 = null; 136 KeyPair ssdh2048_1 = null; 137 KeyPair ssdh2048_2 = null; 138 139 // TSP Server 140 KeyPair tsp_server = null; 141 142 // create RSA keys and certificates 143 boolean create_rsa; 144 // create RSA-PSS key and certificates 145 boolean create_rsa_pss; 146 // create DSA keys and certificates 147 boolean create_dsa; 148 // create DSA SHA-2 keys and certificates 149 boolean create_dsa_sha2; 150 // create ESDH keys and certificates 151 boolean create_esdh; 152 // create SSDH keys and certificates 153 boolean create_ssdh; 154 // create TSP server key and certificate 155 boolean create_tspserver; 156 157 /** 158 * The KeyStore file name. 159 */ 160 String ks_filename = KS_FILENAME; 161 162 163 /** 164 * Default Constructor. 165 */ 166 public SetupCMSKeyStore() { 167 this(KS_FILENAME); 168 } 169 170 /** 171 * Creates a SetupCMSKeyStore for the given keystore filename. 172 * 173 * @param ksFileName the KeyStore filename 174 */ 175 public SetupCMSKeyStore(String ksFileName) { 176 ks_filename = ksFileName; 177 create_rsa = true; 178 create_rsa_pss = true; 179 create_dsa = true; 180 create_dsa_sha2 = ((create_dsa) && (Utils.getIaikProviderVersion() >= 3.18)); 181 create_esdh = create_ssdh = Utils.isClassAvailable("iaik.security.dh.ESDHPublicKey"); 182 create_tspserver = true; 183 184 } 185 186 /** 187 * Generate a KeyPair using the specified algorithm with the given size. 188 * 189 * @param algorithm the algorithm to use 190 * @param bits the length of the key (modulus) in bits 191 * @return the KeyPair 192 */ 193 private static KeyPair generateKeyPair(String algorithm, int bits) 194 throws NoSuchAlgorithmException { 195 196 KeyPairGenerator generator = null; 197 try { 198 generator = KeyPairGenerator.getInstance(algorithm, "IAIK"); 199 } catch (NoSuchProviderException ex) { 200 throw new NoSuchAlgorithmException("Provider IAIK not found!"); 201 } 202 generator.initialize(bits); 203 KeyPair kp = generator.generateKeyPair(); 204 return kp; 205 } 206 207 /** 208 * Generates a RSASSA-PSS KeyPair. 209 * 210 * @param int keyLength the key length 211 * @param hashAlgID the hash algorithm id (for the RSA-PSS params) 212 * @param saltLength the salt length to be used 213 * 214 * @return the key pair 215 */ 216 private static KeyPair generateRSAPssKeyPair(int keyLength, 217 AlgorithmID hashAlgID, int saltLength) throws NoSuchAlgorithmException { 218 KeyPair kp = null; 219 220 221 KeyPairGenerator keyGen = null; 222 try { 223 keyGen = KeyPairGenerator.getInstance("RSASSA-PSS", "IAIK"); 224 } catch (NoSuchProviderException e) { 225 throw new NoSuchAlgorithmException(e.toString()); 226 } 227 228 // initialization with parameters for demonstration purposes (cast required) 229 RSAPssKeyPairGenerator rsaPsskeyGen = (RSAPssKeyPairGenerator) keyGen; 230 231 RSAPssParameterSpec pssParamSpec = null; 232 if (hashAlgID != null) { 233 // create PSS parameters for specifying hash, mgf algorithms and salt length: 234 // hash and mgf algorithm ids 235 AlgorithmID hashID = (AlgorithmID) hashAlgID.clone(); 236 AlgorithmID mgfID = (AlgorithmID) AlgorithmID.mgf1.clone(); 237 mgfID.setParameter(hashID.toASN1Object()); 238 // hash and mgf engines 239 MessageDigest hashEngine = hashID.getMessageDigestInstance(); 240 MaskGenerationAlgorithm mgfEngine = mgfID.getMaskGenerationAlgorithmInstance(); 241 MGF1ParameterSpec mgf1ParamSpec = new MGF1ParameterSpec(hashID); 242 mgf1ParamSpec.setHashEngine(hashEngine); 243 try { 244 mgfEngine.setParameters(mgf1ParamSpec); 245 } catch (InvalidAlgorithmParameterException e) { 246 throw new NoSuchAlgorithmException(e.toString()); 247 } 248 // create the RSAPssParameterSpec 249 pssParamSpec = new RSAPssParameterSpec(hashID, mgfID, 250 saltLength); 251 // set engines 252 pssParamSpec.setHashEngine(hashEngine); 253 pssParamSpec.setMGFEngine(mgfEngine); 254 } 255 // initialize key pair generator 256 if (pssParamSpec != null) { 257 rsaPsskeyGen.initialize(keyLength, pssParamSpec); 258 } else { 259 rsaPsskeyGen.initialize(keyLength); 260 } 261 kp = rsaPsskeyGen.generateKeyPair(); 262 263 return kp; 264 } 265 266 /** 267 * Creates a certificate from the given values. 268 * 269 * @param subject the subject of the certificate 270 * @param publicKey the public key to include 271 * @param issuer the issuer of the certificate 272 * @param privateKey the private key for signing the certificate 273 * @param algorithm the signature algorithm to use 274 * @param keyID the key id for the AuthotityKeyIdentifier extension 275 * @param forSigning if the certificate to be created shall be used for signing or encryption 276 * @param tspServer whether to create a TSP server certificate 277 * 278 * @return the certificate just created 279 */ 280 private static X509Certificate createCertificate(Name subject, PublicKey publicKey, 281 Name issuer, PrivateKey privateKey, AlgorithmID algorithm, byte[] keyID, 282 boolean forSigning, boolean tspServer) { 283 284 // create a new certificate 285 X509Certificate cert = new X509Certificate(); 286 287 try { 288 // set the values 289 cert.setSerialNumber(new BigInteger(20, new Random())); 290 cert.setSubjectDN(subject); 291 cert.setPublicKey(publicKey); 292 cert.setIssuerDN(issuer); 293 294 GregorianCalendar date = new GregorianCalendar(); 295 // not before now 296 cert.setValidNotBefore(date.getTime()); 297 298 if (issuer.equals(subject)) { 299 // CA certificate 300 date.add(Calendar.YEAR, 10); 301 BasicConstraints basicConstraints = new BasicConstraints(true); 302 cert.addExtension(basicConstraints); 303 KeyUsage keyUsage = new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign); 304 cert.addExtension(keyUsage); 305 } else { 306 date.add(Calendar.YEAR, 9); 307 KeyUsage keyUsage = null; 308 if (forSigning) { 309 keyUsage = new KeyUsage(KeyUsage.digitalSignature | 310 KeyUsage.nonRepudiation); 311 if (tspServer) { 312 // certificate for time stamp server 313 ExtendedKeyUsage extKeyUsage = new ExtendedKeyUsage(ExtendedKeyUsage.timeStamping); 314 extKeyUsage.setCritical(true); 315 cert.addExtension(extKeyUsage); 316 } 317 } else { 318 if (publicKey.getAlgorithm().toUpperCase().endsWith("DH")) { 319 keyUsage = new KeyUsage(KeyUsage.keyAgreement) ; 320 } else { 321 keyUsage = new KeyUsage(KeyUsage.keyEncipherment | 322 KeyUsage.dataEncipherment); 323 } 324 } 325 cert.addExtension(keyUsage); 326 AuthorityKeyIdentifier authID = new AuthorityKeyIdentifier(); 327 authID.setKeyIdentifier(keyID); 328 cert.addExtension(authID); 329 GeneralNames generalNames = new GeneralNames(); 330 generalNames.addName(new GeneralName(GeneralName.rfc822Name, "smimetest@iaik.tugraz.at")); 331 SubjectAltName subjectAltName = new SubjectAltName(generalNames); 332 cert.addExtension(subjectAltName); 333 } 334 String explicitText = "This certificate may be used for testing purposes only"; 335 PolicyQualifierInfo policyQualifier = new PolicyQualifierInfo(null, null, explicitText); 336 PolicyInformation[] policyInformations = 337 { new PolicyInformation(new ObjectID("1.3.6.1.4.1.2706.2.2.4.1.1.1.1"), 338 new PolicyQualifierInfo[] { policyQualifier }) }; 339 CertificatePolicies certPolicies = new CertificatePolicies(policyInformations); 340 341 SubjectKeyIdentifier subjectKeyID = new SubjectKeyIdentifier(cert.getPublicKey()); 342 cert.addExtension(subjectKeyID); 343 344 cert.addExtension(certPolicies); 345 cert.setValidNotAfter(date.getTime()); 346 // and sign the certificate 347 cert.sign(algorithm ,privateKey); 348 } catch (CertificateException ex) { 349 throw new RuntimeException("Error creating the certificate: "+ex.getMessage()); 350 } catch (InvalidKeyException ex) { 351 throw new RuntimeException("Error creating the certificate: "+ex.getMessage()); 352 } catch (NoSuchAlgorithmException ex) { 353 throw new RuntimeException("Error creating the certificate: "+ex.getMessage()); 354 } catch (X509ExtensionException ex) { 355 throw new RuntimeException("Error adding extension: "+ex.getMessage()); 356 } catch (CodingException ex) { 357 throw new RuntimeException("Error adding SubjectKeyIdentifier extension: "+ex.getMessage()); 358 } 359 return cert; 360 } 361 362 /** 363 * Load or create a KeyStore and initialize it. 364 */ 365 private void initializeKeyStore() { 366 367 BufferedReader reader = null; 368 if (!DemoUtil.CREATE_DEMO_KEYSTORE_AUTOMATICAllY) { 369 reader = new BufferedReader(new InputStreamReader(System.in)); 370 } 371 String line; 372 373 try { 374 // default directory is the current user dir 375 String keystore_dir = System.getProperty("user.dir"); 376 File ks = new File(keystore_dir, ks_filename); 377 378 // KeyStore does already exist 379 if (ks.exists()) { 380 keystore_file = ks.getAbsolutePath(); 381 if (create_only_certificates) { 382 System.out.println("Create only new certificates from already existing keys!"); 383 } 384 else { 385 System.out.println("Existing KeyStore will be deleted!"); 386 } 387 System.out.println("KeyStore: "+keystore_file); 388 } 389 else { 390 // there is no KeyStore -> create also new keys 391 create_only_certificates = false; 392 393 if (!DemoUtil.CREATE_DEMO_KEYSTORE_AUTOMATICAllY) { 394 while (true) { 395 System.out.print("Create new KeyStore in directory: "+keystore_dir+" [y]"); 396 line = readLine(reader); 397 if (line.length() == 0 || line.equals("y")) { 398 ks = new File(keystore_dir, ks_filename); 399 keystore_file = ks.getAbsolutePath(); 400 System.out.println("KeyStore will be saved to: "+keystore_file); 401 break; 402 } 403 System.out.print("Enter directory: "); 404 keystore_dir = reader.readLine(); 405 } 406 } else { 407 System.out.print("Create new KeyStore in directory: "+keystore_dir+" ..."); 408 ks = new File(keystore_dir, ks_filename); 409 keystore_file = ks.getAbsolutePath(); 410 System.out.println("KeyStore will be saved to: "+keystore_file); 411 } 412 } 413 414 // get a new KeyStore object 415 key_store = SecurityProvider.getSecurityProvider().getKeyStore("IAIKKeyStore"); 416 417 if (create_only_certificates) { 418 // take private keys from existing KeyStore 419 FileInputStream fis = null; 420 try { 421 fis = new FileInputStream(ks); 422 key_store.load(fis, KS_PASSWORD); 423 } finally { 424 if (fis != null) { 425 try { 426 fis.close(); 427 } catch (IOException ex) { 428 // ignore 429 } 430 } 431 } 432 } 433 else { 434 // create a new KeyStore 435 key_store.load(null, null); 436 } 437 438 } catch (Exception ex) { 439 System.out.println("Error creating new IAIK KeyStore!"); 440 throw new RuntimeException("Error creating new KeyStore: "+ex.getMessage()); 441 } 442 } 443 444 /** 445 * Save the KeyStore to disk. 446 */ 447 private void saveKeyStore() { 448 FileOutputStream os = null; 449 try { 450 // write the KeyStore to disk 451 os = new FileOutputStream(keystore_file); 452 key_store.store(os, KS_PASSWORD); 453 454 } catch (Exception ex) { 455 System.out.println("Error saving KeyStore!"); 456 ex.printStackTrace(); 457 } finally { 458 if (os != null) { 459 try { 460 os.close(); 461 } catch (IOException ex) { 462 // ignore 463 } 464 } 465 } 466 } 467 468 /** 469 * Adds the private key and the certificate chain to the key store. 470 * 471 * @param keyPair the key pair with the private key to be added 472 * @param chain the certificate chain to be added 473 * @param alias the alias for the keystore entry 474 * 475 * @throws KeyStoreException if an error occurs when trying to add the key 476 */ 477 public void addToKeyStore(KeyPair keyPair, X509Certificate[] chain, String alias) throws KeyStoreException { 478 key_store.setKeyEntry(alias, keyPair.getPrivate(), KS_PASSWORD, chain); 479 } 480 481 /** 482 * Returns a KeyPair form the KeyStore. 483 * 484 * @return the KeyPair of the given type 485 * 486 * @throws Exception if some error occurs 487 */ 488 private KeyPair getKeyPair(String type) throws Exception { 489 KeyPair kp = null; 490 PrivateKey privKey = (PrivateKey)key_store.getKey(type, KS_PASSWORD); 491 if (privKey != null) { 492 PublicKey pubKey = key_store.getCertificateChain(type)[0].getPublicKey(); 493 kp = new KeyPair(pubKey, privKey); 494 } 495 return kp; 496 } 497 498 /** 499 * Get all private keys from the KeyStore. 500 */ 501 private void getPrivateKeys() { 502 // RSA 503 try { 504 ca_rsa = getKeyPair(CA_RSA); 505 // for signing 506 rsa2048_sign_1 = getKeyPair(RSA_2048_SIGN_1); 507 rsa2048_sign_2 = getKeyPair(RSA_2048_SIGN_2); 508 rsa2048_sign_3 = getKeyPair(RSA_2048_SIGN_3); 509 // for encrypting 510 rsa2048_crypt_1 = getKeyPair(RSA_2048_CRYPT_1); 511 rsa2048_crypt_2 = getKeyPair(RSA_2048_CRYPT_2); 512 rsa2048_crypt_3 = getKeyPair(RSA_2048_CRYPT_3); 513 } catch (Exception ex) { 514 System.out.println("Unable to get RSA keys from KeyStore: " + ex.toString()); 515 create_rsa = false; 516 } 517 // DSA 518 try { 519 ca_dsa = getKeyPair(CA_DSA); 520 dsa1024 = getKeyPair(DSA_1024); 521 } catch (Exception ex) { 522 System.out.println("Unable to get DSA keys from KeyStore: " + ex.toString()); 523 create_dsa = false; 524 } 525 // DSA with SHA-2 526 try { 527 dsa2048 = getKeyPair(DSA_2048); 528 dsa3072 = getKeyPair(DSA_3072); 529 } catch (Exception ex) { 530 System.out.println("Unable to get DSA SHA-2 keys from KeyStore: " + ex.toString()); 531 create_dsa_sha2 = false; 532 } 533 // ESDH 534 try { 535 esdh2048_1 = getKeyPair(ESDH_2048_1); 536 esdh2048_2 = getKeyPair(ESDH_2048_2); 537 } catch (Exception ex) { 538 System.out.println("Unable to get ESDH keys from KeyStore: " + ex.toString()); 539 create_esdh = false; 540 } 541 // SSDH 542 try { 543 ssdh2048_1 = getKeyPair(SSDH_2048_1); 544 ssdh2048_2 = getKeyPair(SSDH_2048_2); 545 } catch (Exception ex) { 546 System.out.println("Unable to get SSDH keys from KeyStore: " + ex.toString()); 547 create_ssdh = false; 548 } 549 // TSP server 550 try { 551 tsp_server = getKeyPair(TSP_SERVER); 552 } catch (Exception ex) { 553 System.out.println("Unable to get TSP server key from KeyStore: " + ex.toString()); 554 create_tspserver = false; 555 } 556 557 // RSA-PSS 558 try { 559 ca_rsa_pss = getKeyPair(CA_RSAPSS); 560 // for signing 561 rsapss2048_sha1_sign = getKeyPair(RSAPSS_2048_SHA1_SIGN); 562 rsapss2048_sha256_sign = getKeyPair(RSAPSS_2048_SHA256_SIGN); 563 rsapss2048_sha384_sign = getKeyPair(RSAPSS_2048_SHA384_SIGN); 564 rsapss2048_sha512_sign = getKeyPair(RSAPSS_2048_SHA512_SIGN); 565 } catch (Exception ex) { 566 System.out.println("Unable to get RSA-PSS keys from KeyStore: " + ex.toString()); 567 create_rsa_pss = false; 568 } 569 570 } 571 572 /** 573 * Generates new prviate keys. 574 */ 575 private void generatePrivateKeys() { 576 try { 577 // first create the KeyPairs 578 if (create_rsa) { 579 try { 580 System.out.println("generate RSA KeyPair for CA certificate ["+CA_KEYLENGTH+" bits]..."); 581 ca_rsa = generateKeyPair("RSA", CA_KEYLENGTH); 582 System.out.println("Generate RSA signing keys..."); 583 System.out.println("generate RSA KeyPair for a test certificate [2048 bits]..."); 584 rsa2048_sign_1 = generateKeyPair("RSA", 2048); 585 System.out.println("generate second RSA KeyPair for a test certificate [2048 bits]..."); 586 rsa2048_sign_2 = generateKeyPair("RSA", 2048); 587 System.out.println("generate third RSA KeyPair for a test certificate [2048 bits]..."); 588 rsa2048_sign_3 = generateKeyPair("RSA", 2048); 589 System.out.println("Generate RSA encryption keys..."); 590 System.out.println("generate RSA KeyPair for a test certificate [2048 bits]..."); 591 rsa2048_crypt_1 = generateKeyPair("RSA", 2048); 592 System.out.println("generate second RSA KeyPair for a test certificate [2048 bits]..."); 593 rsa2048_crypt_2 = generateKeyPair("RSA", 2048); 594 System.out.println("generate third RSA KeyPair for a test certificate [2048 bits]..."); 595 rsa2048_crypt_3 = generateKeyPair("RSA", 2048); 596 597 } catch (NoSuchAlgorithmException ex) { 598 create_rsa = false; 599 System.out.println("No implementation for RSA! RSA certificates are not created!\n"); 600 } 601 } 602 603 if (create_rsa_pss) { 604 try { 605 System.out.println("generate RSA-PSS KeyPair for CA certificate 2048 bits]..."); 606 ca_rsa_pss = generateRSAPssKeyPair(2048, AlgorithmID.sha256, 32); 607 System.out.println("Generate RSA-PSS signing keys..."); 608 System.out.println("generate RSA-PSS KeyPair for a test certificate [2048 bits, SHA-1]..."); 609 rsapss2048_sha1_sign = generateRSAPssKeyPair(2048, AlgorithmID.sha1, 32); 610 System.out.println("generate RSA-PSS KeyPair for a test certificate [2048 bits, SHA-256]..."); 611 rsapss2048_sha256_sign = generateRSAPssKeyPair(2048, AlgorithmID.sha256, 32); 612 System.out.println("generate RSA-PSS KeyPair for a test certificate [2048 bits, SHA-384]..."); 613 rsapss2048_sha384_sign = generateRSAPssKeyPair(2048, AlgorithmID.sha384, 48); 614 System.out.println("generate RSA-PSS KeyPair for a test certificate [2048 bits, SHA-512]..."); 615 rsapss2048_sha512_sign = generateRSAPssKeyPair(2048, AlgorithmID.sha512, 64); 616 617 } catch (NoSuchAlgorithmException ex) { 618 create_rsa_pss = false; 619 System.out.println("No implementation for RSA! RSA certificates are not created!\n"); 620 } 621 } 622 623 if (create_dsa) { 624 try { 625 System.out.println("generate DSA KeyPair for CA certificate [3072 bits]..."); 626 ca_dsa = generateKeyPair("SHA256withDSA", 3072); 627 System.out.println("generate DSA KeyPair for a test certificate [1024 bits]..."); 628 dsa1024 = generateKeyPair("DSA", 1024); 629 } catch (NoSuchAlgorithmException ex) { 630 create_dsa = false; 631 System.out.println("No implementation for DSA! DSA certificates are not created!\n"); 632 } 633 } 634 635 if (create_dsa_sha2) { 636 try { 637 System.out.println("generate DSA SHA-224 KeyPair for a test certificate [2048 bits]..."); 638 dsa2048 = generateKeyPair("SHA224withDSA", 2048); 639 System.out.println("generate DSA SHA-256 KeyPair for a test certificate [3072 bits]..."); 640 dsa3072 = generateKeyPair("SHA256withDSA", 3072); 641 } catch (NoSuchAlgorithmException ex) { 642 create_dsa = false; 643 System.out.println("No implementation for SHA2-DSA! SHA2-DSA certificates are not created!\n"); 644 } 645 } 646 647 if (create_esdh) { 648 try { 649 System.out.println("generate ESDH KeyPair for a test certificate [2048 bits]..."); 650 esdh2048_1 = generateKeyPair("ESDH", 2048); 651 System.out.println("generate second ESDH KeyPair for a test certificate [2048 bits]..."); 652 esdh2048_2 = generateKeyPair("ESDH", 2048); 653 } catch (NoSuchAlgorithmException ex) { 654 create_esdh = false; 655 System.out.println("No implementation for ESDH! ESDH certificates are not created!\n"); 656 } 657 } 658 659 if (create_ssdh) { 660 try { 661 System.out.println("generate SSDH KeyPair for a test certificate [2048 bits]..."); 662 // key alg id the same as ESDH 663 ssdh2048_1 = generateKeyPair("ESDH", 2048); 664 System.out.println("generate second SSDH KeyPair for a test certificate [2048 bits]..."); 665 ssdh2048_2 = generateKeyPair("ESDH", 2048); 666 } catch (NoSuchAlgorithmException ex) { 667 create_ssdh = false; 668 System.out.println("No implementation for SSDH! SSDH certificates are not created!\n"); 669 } 670 } 671 672 if (create_tspserver) { 673 try { 674 System.out.println("generate RSA KeyPair for a tsp server test certificate [2048 bits]..."); 675 tsp_server = generateKeyPair("RSA", 2048); 676 } catch (NoSuchAlgorithmException ex) { 677 create_tspserver = false; 678 System.out.println("No implementation for RSA! TSP server certificate not created!\n"); 679 } 680 } 681 682 683 } catch (Exception ex) { 684 System.out.println("Exception: "+ex); 685 } 686 } 687 688 /** 689 * Generates the certificates. 690 */ 691 public void generateCertificates() { 692 693 try { 694 695 // Now create the certificates 696 Name issuer = new Name(); 697 issuer.addRDN(ObjectID.country, "AT"); 698 issuer.addRDN(ObjectID.organization ,"IAIK"); 699 issuer.addRDN(ObjectID.organizationalUnit ,"JavaSecurity"); 700 701 Name subject = new Name(); 702 subject.addRDN(ObjectID.country, "AT"); 703 subject.addRDN(ObjectID.organization ,"IAIK"); 704 subject.addRDN(ObjectID.organizationalUnit ,"JavaSecurity"); 705 706 AlgorithmID rsaPssSigningAlg = DemoUtil.createPssAlgorithmID(AlgorithmID.sha256, AlgorithmID.mgf1, 32); 707 708 // 709 // create self signed CA certs 710 // 711 X509Certificate caRSA = null; 712 X509Certificate caRSAPSS = null; 713 X509Certificate caDSA = null; 714 X509Certificate[] chain = new X509Certificate[1]; 715 // for verifying the created certificates 716 SimpleChainVerifier verifier = new SimpleChainVerifier(); 717 718 if (create_rsa) { 719 issuer.addRDN(ObjectID.commonName ,"IAIK RSA Test CA"); 720 System.out.println("create self signed RSA CA certificate..."); 721 caRSA = createCertificate(issuer, 722 ca_rsa.getPublic(), 723 issuer, 724 ca_rsa.getPrivate(), 725 (AlgorithmID)AlgorithmID.sha256WithRSAEncryption.clone(), 726 null, 727 true, 728 false); 729 // verify the self signed certificate 730 caRSA.verify(); 731 // set the CA cert as trusted root 732 verifier.addTrustedCertificate(caRSA); 733 chain[0] = caRSA; 734 addToKeyStore(ca_rsa, chain, CA_RSA); 735 issuer.removeRDN(ObjectID.commonName); 736 } 737 738 if (create_rsa_pss) { 739 issuer.addRDN(ObjectID.commonName ,"IAIK RSA-PSS Test CA"); 740 System.out.println("create self signed RSA-PSS CA certificate..."); 741 caRSAPSS = createCertificate(issuer, 742 ca_rsa_pss.getPublic(), 743 issuer, 744 ca_rsa_pss.getPrivate(), 745 (AlgorithmID)rsaPssSigningAlg.clone(), 746 null, 747 true, 748 false); 749 // verify the self signed certificate 750 caRSAPSS.verify(); 751 // set the CA cert as trusted root 752 verifier.addTrustedCertificate(caRSAPSS); 753 chain[0] = caRSAPSS; 754 addToKeyStore(ca_rsa_pss, chain, CA_RSAPSS); 755 issuer.removeRDN(ObjectID.commonName); 756 } 757 758 if (create_dsa) { 759 issuer.addRDN(ObjectID.commonName ,"IAIK DSA Test CA"); 760 System.out.println("create self signed DSA CA certificate..."); 761 caDSA = createCertificate(issuer, 762 ca_dsa.getPublic(), 763 issuer, 764 ca_dsa.getPrivate(), 765 (AlgorithmID)AlgorithmID.dsaWithSHA256.clone(), 766 null, 767 true, 768 false); 769 // verify the self signed certificate 770 caDSA.verify(); 771 // set the CA cert as trusted root 772 verifier.addTrustedCertificate(caDSA); 773 chain[0] = caDSA; 774 addToKeyStore(ca_dsa, chain, CA_DSA); 775 issuer.removeRDN(ObjectID.commonName); 776 } 777 778 // 779 // create certificates 780 // 781 chain = new X509Certificate[2]; 782 783 // create a RSA certificate 784 if (create_rsa) { 785 issuer.addRDN(ObjectID.commonName ,"IAIK RSA Test CA"); 786 SubjectKeyIdentifier subjectKeyID = (SubjectKeyIdentifier)caRSA.getExtension(SubjectKeyIdentifier.oid); 787 subject.removeRDN(ObjectID.commonName); 788 789 // 2048 790 subject.addRDN(ObjectID.commonName ,"RSA 2048 bit Demo Signing Certificate 1"); 791 System.out.println("create 2048 bit RSA demo certificate..."); 792 chain[0] = createCertificate(subject, 793 rsa2048_sign_1.getPublic(), 794 issuer, 795 ca_rsa.getPrivate(), 796 (AlgorithmID)AlgorithmID.sha256WithRSAEncryption.clone(), 797 subjectKeyID.get(), 798 true, 799 false); 800 chain[1] = caRSA; 801 verifier.verifyChain(chain); 802 803 addToKeyStore(rsa2048_sign_1, chain, RSA_2048_SIGN_1); 804 subject.removeRDN(ObjectID.commonName); 805 806 subject.addRDN(ObjectID.commonName ,"RSA 2048 bit Demo Signing Certificate 2"); 807 System.out.println("create second 2048 bit RSA demo certificate..."); 808 chain[0] = createCertificate(subject, 809 rsa2048_sign_2.getPublic(), 810 issuer, 811 ca_rsa.getPrivate(), 812 (AlgorithmID)AlgorithmID.sha256WithRSAEncryption.clone(), 813 subjectKeyID.get(), 814 true, 815 false); 816 chain[1] = caRSA; 817 verifier.verifyChain(chain); 818 819 addToKeyStore(rsa2048_sign_2, chain, RSA_2048_SIGN_2); 820 subject.removeRDN(ObjectID.commonName); 821 822 subject.addRDN(ObjectID.commonName ,"RSA 2048 bit Demo Signing Certificate 3"); 823 System.out.println("create third 2048 bit RSA demo certificate..."); 824 chain[0] = createCertificate(subject, 825 rsa2048_sign_3.getPublic(), 826 issuer, 827 ca_rsa.getPrivate(), 828 (AlgorithmID)AlgorithmID.sha256WithRSAEncryption.clone(), 829 subjectKeyID.get(), 830 true, 831 false); 832 chain[1] = caRSA; 833 verifier.verifyChain(chain); 834 835 addToKeyStore(rsa2048_sign_3, chain, RSA_2048_SIGN_3); 836 subject.removeRDN(ObjectID.commonName); 837 838 // for encrypting 839 System.out.println("Create RSA demo certificates to be used for encryption..."); 840 841 // 2048 842 843 subject.addRDN(ObjectID.commonName ,"RSA 2048 bit Demo Encryption Certificate 1"); 844 System.out.println("create 2048 bit RSA demo encryption certificate..."); 845 chain[0] = createCertificate(subject, 846 rsa2048_crypt_1.getPublic(), 847 issuer, 848 ca_rsa.getPrivate(), 849 (AlgorithmID)AlgorithmID.sha256WithRSAEncryption.clone(), 850 subjectKeyID.get(), 851 false, 852 false); 853 chain[1] = caRSA; 854 verifier.verifyChain(chain); 855 addToKeyStore(rsa2048_crypt_1, chain, RSA_2048_CRYPT_1); 856 subject.removeRDN(ObjectID.commonName); 857 858 subject.addRDN(ObjectID.commonName ,"RSA 2048 bit Demo Encryption Certificate 2"); 859 System.out.println("create second 2048 bit RSA demo encryption certificate..."); 860 chain[0] = createCertificate(subject, 861 rsa2048_crypt_2.getPublic(), 862 issuer, 863 ca_rsa.getPrivate(), 864 (AlgorithmID)AlgorithmID.sha256WithRSAEncryption.clone(), 865 subjectKeyID.get(), 866 false, 867 false); 868 chain[1] = caRSA; 869 verifier.verifyChain(chain); 870 addToKeyStore(rsa2048_crypt_2, chain, RSA_2048_CRYPT_2); 871 subject.removeRDN(ObjectID.commonName); 872 873 subject.addRDN(ObjectID.commonName ,"RSA 2048 bit Demo Encryption Certificate 3"); 874 System.out.println("create third 2048 bit RSA demo encryption certificate..."); 875 chain[0] = createCertificate(subject, 876 rsa2048_crypt_3.getPublic(), 877 issuer, 878 ca_rsa.getPrivate(), 879 (AlgorithmID)AlgorithmID.sha256WithRSAEncryption.clone(), 880 subjectKeyID.get(), 881 false, 882 false); 883 chain[1] = caRSA; 884 verifier.verifyChain(chain); 885 addToKeyStore(rsa2048_crypt_3, chain, RSA_2048_CRYPT_3); 886 subject.removeRDN(ObjectID.commonName); 887 issuer.removeRDN(ObjectID.commonName); 888 } 889 890 // create a RSA-PSS certificate 891 if (create_rsa_pss) { 892 issuer.addRDN(ObjectID.commonName ,"IAIK RSA-PSS Test CA"); 893 SubjectKeyIdentifier subjectKeyID = (SubjectKeyIdentifier)caRSAPSS.getExtension(SubjectKeyIdentifier.oid); 894 895 896 // 2048 897 898 // SHA-1 899 subject.addRDN(ObjectID.commonName ,"RSA-PSS 2048 bit SHA-1 Demo Signing Certificate"); 900 System.out.println("create 2048 bit RSA-PSS (SHA-1) demo certificate..."); 901 chain[0] = createCertificate(subject, 902 rsapss2048_sha1_sign.getPublic(), 903 issuer, 904 ca_rsa_pss.getPrivate(), 905 (AlgorithmID)rsaPssSigningAlg.clone(), 906 subjectKeyID.get(), 907 true, 908 false); 909 chain[1] = caRSAPSS; 910 verifier.verifyChain(chain); 911 912 addToKeyStore(rsapss2048_sha1_sign, chain, RSAPSS_2048_SHA1_SIGN); 913 subject.removeRDN(ObjectID.commonName); 914 915 // SHA-256 916 subject.addRDN(ObjectID.commonName ,"RSA-PSS 2048 bit SHA-256 Demo Signing Certificate"); 917 System.out.println("create 2048 bit RSA-PSS (SHA-256) demo certificate..."); 918 chain[0] = createCertificate(subject, 919 rsapss2048_sha256_sign.getPublic(), 920 issuer, 921 ca_rsa_pss.getPrivate(), 922 (AlgorithmID)rsaPssSigningAlg.clone(), 923 subjectKeyID.get(), 924 true, 925 false); 926 chain[1] = caRSAPSS; 927 verifier.verifyChain(chain); 928 929 addToKeyStore(rsapss2048_sha256_sign, chain, RSAPSS_2048_SHA256_SIGN); 930 subject.removeRDN(ObjectID.commonName); 931 932 // SHA-384 933 subject.addRDN(ObjectID.commonName ,"RSA-PSS 2048 bit SHA-384 Demo Signing Certificate"); 934 System.out.println("create 2048 bit RSA-PSS (SHA-384) demo certificate..."); 935 chain[0] = createCertificate(subject, 936 rsapss2048_sha384_sign.getPublic(), 937 issuer, 938 ca_rsa_pss.getPrivate(), 939 (AlgorithmID)rsaPssSigningAlg.clone(), 940 subjectKeyID.get(), 941 true, 942 false); 943 chain[1] = caRSAPSS; 944 verifier.verifyChain(chain); 945 946 addToKeyStore(rsapss2048_sha384_sign, chain, RSAPSS_2048_SHA384_SIGN); 947 subject.removeRDN(ObjectID.commonName); 948 949 // SHA-512 950 subject.addRDN(ObjectID.commonName ,"RSA-PSS 2048 bit SHA-512 Demo Signing Certificate"); 951 System.out.println("create 2048 bit RSA-PSS (SHA-512) demo certificate..."); 952 chain[0] = createCertificate(subject, 953 rsapss2048_sha512_sign.getPublic(), 954 issuer, 955 ca_rsa_pss.getPrivate(), 956 (AlgorithmID)rsaPssSigningAlg.clone(), 957 subjectKeyID.get(), 958 true, 959 false); 960 chain[1] = caRSAPSS; 961 verifier.verifyChain(chain); 962 963 addToKeyStore(rsapss2048_sha512_sign, chain, RSAPSS_2048_SHA512_SIGN); 964 subject.removeRDN(ObjectID.commonName); 965 966 967 } 968 969 // create a DSA test certificate 970 if (create_dsa) { 971 issuer.addRDN(ObjectID.commonName ,"IAIK DSA Test CA"); 972 SubjectKeyIdentifier subjectKeyID = (SubjectKeyIdentifier)caDSA.getExtension(SubjectKeyIdentifier.oid); 973 974 // 1024 975 subject.addRDN(ObjectID.commonName ,"DSA 1024 bit Demo Certificate"); 976 System.out.println("create 1024 bit DSA demo certificate..."); 977 chain[0] = createCertificate(subject, 978 dsa1024.getPublic(), 979 issuer, 980 ca_dsa.getPrivate(), 981 (AlgorithmID)AlgorithmID.dsaWithSHA256.clone(), 982 subjectKeyID.get(), 983 true, 984 false); 985 subject.removeRDN(ObjectID.commonName); 986 chain[1] = caDSA; 987 verifier.verifyChain(chain); 988 addToKeyStore(dsa1024, chain, DSA_1024); 989 issuer.removeRDN(ObjectID.commonName); 990 } 991 992 // create SHA-2 DSA test certificates 993 if (create_dsa_sha2) { 994 issuer.addRDN(ObjectID.commonName ,"IAIK DSA Test CA"); 995 // 2048 996 subject.addRDN(ObjectID.commonName ,"DSA SHA-224 2048 bit Test Certificate"); 997 System.out.println("create 2048 bit SHA224withDSA test certificate..."); 998 SubjectKeyIdentifier subjectKeyID = (SubjectKeyIdentifier)caDSA.getExtension(SubjectKeyIdentifier.oid); 999 chain[0] = createCertificate(subject, dsa2048.getPublic(), 1000 issuer, ca_dsa.getPrivate(), AlgorithmID.dsaWithSHA256, subjectKeyID.get(), true, false); 1001 subject.removeRDN(ObjectID.commonName); 1002 chain[1] = caDSA; 1003 verifier.verifyChain(chain); 1004 addToKeyStore(dsa2048, chain, DSA_2048); 1005 1006 // 3072 1007 subject.addRDN(ObjectID.commonName ,"DSA SHA-256 3072 bit Test Certificate"); 1008 System.out.println("create 3072 bit SHA256withDSA test certificate..."); 1009 chain[0] = createCertificate(subject, dsa3072.getPublic(), 1010 issuer, ca_dsa.getPrivate(), AlgorithmID.dsaWithSHA256, subjectKeyID.get(), true, false); 1011 subject.removeRDN(ObjectID.commonName); 1012 chain[1] = caDSA; 1013 verifier.verifyChain(chain); 1014 addToKeyStore(dsa3072, chain, DSA_3072); 1015 issuer.removeRDN(ObjectID.commonName); 1016 } 1017 1018 1019 // create a ESDH test certificate 1020 if (create_esdh) { 1021 issuer.addRDN(ObjectID.commonName ,"IAIK RSA Test CA"); 1022 SubjectKeyIdentifier subjectKeyID = (SubjectKeyIdentifier)caRSA.getExtension(SubjectKeyIdentifier.oid); 1023 1024 // 2048 1025 subject.addRDN(ObjectID.commonName ,"ESDH 2048 bit Demo Certificate 1"); 1026 System.out.println("create 2048 bit ESDH demo certificate..."); 1027 chain[0] = createCertificate(subject, 1028 esdh2048_1.getPublic(), 1029 issuer, 1030 ca_rsa.getPrivate(), 1031 (AlgorithmID)AlgorithmID.sha256WithRSAEncryption.clone(), 1032 subjectKeyID.get(), 1033 false, 1034 false); 1035 subject.removeRDN(ObjectID.commonName); 1036 chain[1] = caRSA; 1037 verifier.verifyChain(chain); 1038 addToKeyStore(esdh2048_1, chain, ESDH_2048_1); 1039 1040 subject.addRDN(ObjectID.commonName ,"ESDH 2048 bit Demo Certificate 2"); 1041 System.out.println("create second 2048 bit ESDH demo certificate..."); 1042 chain[0] = createCertificate(subject, 1043 esdh2048_2.getPublic(), 1044 issuer, 1045 ca_rsa.getPrivate(), 1046 (AlgorithmID)AlgorithmID.sha256WithRSAEncryption.clone(), 1047 subjectKeyID.get(), 1048 false, 1049 false); 1050 subject.removeRDN(ObjectID.commonName); 1051 chain[1] = caRSA; 1052 verifier.verifyChain(chain); 1053 addToKeyStore(esdh2048_2, chain, ESDH_2048_2); 1054 1055 issuer.removeRDN(ObjectID.commonName); 1056 } 1057 1058 // create a SSDH test certificate 1059 if (create_ssdh) { 1060 issuer.addRDN(ObjectID.commonName ,"IAIK RSA Test CA"); 1061 SubjectKeyIdentifier subjectKeyID = (SubjectKeyIdentifier)caRSA.getExtension(SubjectKeyIdentifier.oid); 1062 // 2048 1063 subject.addRDN(ObjectID.commonName ,"SSDH 2048 bit Demo Certificate 1"); 1064 System.out.println("create 2048 bit SSDH demo certificate..."); 1065 chain[0] = createCertificate(subject, 1066 ssdh2048_1.getPublic(), 1067 issuer, 1068 ca_rsa.getPrivate(), 1069 (AlgorithmID)AlgorithmID.sha256WithRSAEncryption.clone(), 1070 subjectKeyID.get(), 1071 false, 1072 false); 1073 subject.removeRDN(ObjectID.commonName); 1074 chain[1] = caRSA; 1075 verifier.verifyChain(chain); 1076 addToKeyStore(ssdh2048_1, chain, SSDH_2048_1); 1077 1078 subject.addRDN(ObjectID.commonName ,"SSDH 2048 bit Demo Certificate 2"); 1079 System.out.println("create second 2048 bit SSDH demo certificate..."); 1080 chain[0] = createCertificate(subject, 1081 ssdh2048_2.getPublic(), 1082 issuer, 1083 ca_rsa.getPrivate(), 1084 (AlgorithmID)AlgorithmID.sha256WithRSAEncryption.clone(), 1085 subjectKeyID.get(), 1086 false, 1087 false); 1088 subject.removeRDN(ObjectID.commonName); 1089 chain[1] = caRSA; 1090 verifier.verifyChain(chain); 1091 addToKeyStore(ssdh2048_2, chain, SSDH_2048_2); 1092 issuer.removeRDN(ObjectID.commonName); 1093 } 1094 1095 if (create_tspserver) { 1096 issuer.addRDN(ObjectID.commonName ,"IAIK RSA Test CA"); 1097 SubjectKeyIdentifier subjectKeyID = (SubjectKeyIdentifier)caRSA.getExtension(SubjectKeyIdentifier.oid); 1098 subject.addRDN(ObjectID.commonName ,"IAIK TSP Demo Server Certificate"); 1099 System.out.println("create 2048 bit RSA TSP demo server certificate..."); 1100 chain[0] = createCertificate(subject, 1101 tsp_server.getPublic(), 1102 issuer, 1103 ca_rsa.getPrivate(), 1104 (AlgorithmID)AlgorithmID.sha256WithRSAEncryption.clone(), 1105 subjectKeyID.get(), 1106 true, 1107 true); 1108 chain[1] = caRSA; 1109 verifier.verifyChain(chain); 1110 addToKeyStore(tsp_server, chain, TSP_SERVER); 1111 subject.removeRDN(ObjectID.commonName); 1112 1113 } 1114 1115 System.out.println("\nCertificates created!"); 1116 1117 } catch (Exception ex) { 1118 System.out.println("Exception: "+ex); 1119 } 1120 } 1121 1122 /** 1123 * Starts the keystore setup. 1124 */ 1125 public static void start() { 1126 SetupCMSKeyStore suks = new SetupCMSKeyStore(); 1127 suks.initializeKeyStore(); 1128 if (suks.create_only_certificates) { 1129 suks.getPrivateKeys(); 1130 } 1131 else { 1132 suks.generatePrivateKeys(); 1133 } 1134 suks.generateCertificates(); 1135 suks.saveKeyStore(); 1136 } 1137 1138 /** 1139 * Reads the next line from the given BufferedReader. 1140 * 1141 * @param reader the reader from which to read the line 1142 * 1143 * @return the line just read 1144 * 1145 * @throws IOException if an I/O error occurs 1146 */ 1147 private final static String readLine(BufferedReader reader) throws IOException { 1148 String line = reader.readLine(); 1149 if (line != null) { 1150 line = line.trim(); 1151 } else { 1152 line = ""; 1153 } 1154 return line; 1155 } 1156 1157 /** 1158 * Creates the test certificates. 1159 */ 1160 public static void main(String arg[]) throws IOException { 1161 1162 DemoUtil.initDemos(); 1163 start(); 1164// if (!DemoUtil.CREATE_DEMO_KEYSTORE_AUTOMATICAllY) { 1165// System.in.read(); 1166// } 1167 } 1168}