org.opcfoundation.ua.utils
Class CertificateUtils

java.lang.Object
  extended by org.opcfoundation.ua.utils.CertificateUtils

public class CertificateUtils
extends Object

A utility class for generating self-signed and issuer-signed X.509 certificates for UA clients and servers, and for loading, storing and inspecting them.


Constructor Summary
CertificateUtils()
           
 
Method Summary
static KeyPair createApplicationInstanceCertificate(String commonName, String organisation, String applicationUri, int validityTime, KeyPair issuerKeys, String... hostNames)
          Create a new application instance certificate and private key, signed by issuerKeys, or self-signed if issuerKeys is null.
static KeyPair createApplicationInstanceCertificate(String commonName, String organisation, String applicationUri, int validityTime, String... hostNames)
          Create a new self-signed application instance certificate and private key.
static KeyPair createHttpsCertificate(String hostName, String applicationUri, int days, KeyPair issuerCert)
          Create a new certificate that can be used with the HTTPS protocol.
static KeyPair createIssuerCertificate(String commonName, int days, KeyPair issuerCert)
          Create a new issuer certificate that can be used to issue certificates built with createApplicationInstanceCertificate(String, String, String, int, String...)
static byte[] createThumbprint(byte[] data)
          Create the SHA-1 thumbprint of a DER-encoded certificate.
static X509Certificate decodeX509Certificate(byte[] encodedCertificate)
          Decode X509 Certificate
static String getApplicationUriOfCertificate(Cert certificate)
          Return the ApplicationUri stored in the certificate's SubjectAlternativeName extension.
static String getApplicationUriOfCertificate(X509Certificate certificate)
          Return the ApplicationUri stored in the certificate's SubjectAlternativeName extension.
static CertificateProvider getCertificateProvider()
          Getter for the field certificateProvider.
static String getCertificateSignatureAlgorithm()
          Getter for the field certificateSignatureAlgorithm.
static int getKeySize()
          Getter for the field keySize.
protected static Collection<List<?>> getSubjectAlternativeNames(X509Certificate cert)
          Return the SubjectAlternativeName entries of the certificate.
static RSAPrivateKey loadFromKeyStore(URL keystoreUrl, String password)
          Load private key from a key store
static KeyPair loadKeyPairFromProtectedStore(String storeLocation, String alias, String storePW, String privatePW)
          Load a KeyPair from a Java Key Store.
static X509Certificate readX509Certificate(File file)
          Load X.509 Certificate from a file
static X509Certificate readX509Certificate(URL url)
          Load X.509 Certificate from a URL
static KeyPair renewApplicationInstanceCertificate(String commonName, String organisation, String applicationUri, int validityTime, KeyPair oldKeys, KeyPair issuerKeys, String... hostNames)
          Renew a certificate KeyPair using the old keys.
static KeyPair renewApplicationInstanceCertificate(String commonName, String organisation, String applicationUri, int validityTime, KeyPair oldKeys, String... hostNames)
          Renew a certificate KeyPair.
static boolean saveKeyPairToProtectedStore(KeyPair keyPairToSave, String storeLocation, String alias, String storePW, String privatePW)
          Save the KeyPair to a Java Key Store.
static void saveToProtectedStore(PrivateKey privateKey, Certificate certificate, File storeLocation, String alias, String privateKeyPassword, String keyStorePassword, String keyStoreType)
          Save the private key to a jks or pfx (PKCS12)-keystore.
static void setCertificateProvider(CertificateProvider certificateProvider)
          Define the preferred CertificateProvider.
static void setCertificateSignatureAlgorithm(String certificateSignatureAlgorithm)
          Define the algorithm to use for certificate signatures.
static void setKeySize(int keySize)
          Define the key size for the certificates.
static SignatureData sign(PrivateKey signerKey, SecurityAlgorithm algorithm, byte[] dataToSign)
          Deprecated. Use CryptoUtil.signAsymm(PrivateKey, SecurityAlgorithm, byte[]) instead.
static KeyPair toKeyPair(X509Certificate cert, PrivateKey privateKey)
          Combine an X.509 certificate and its private key into a KeyPair.
static boolean verify(X509Certificate certificate, SecurityAlgorithm algorithm, byte[] data, byte[] signature)
          Deprecated. Use CryptoUtil.verifyAsymm(X509Certificate, SecurityAlgorithm, byte[], byte[]) instead.
static void writeToPem(X509Certificate key, File file)
          Write an X.509 certificate to a file in PEM format.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

CertificateUtils

public CertificateUtils()
Method Detail

sign

public static SignatureData sign(PrivateKey signerKey,
                                 SecurityAlgorithm algorithm,
                                 byte[] dataToSign)
                          throws NoSuchAlgorithmException,
                                 SignatureException,
                                 InvalidKeyException
Deprecated. Use CryptoUtil.signAsymm(PrivateKey, SecurityAlgorithm, byte[]) instead.

Sign data with the given private key and asymmetric signature algorithm.

Parameters:
signerKey - a PrivateKey object.
algorithm - asymmetric signer algorithm, See SecurityAlgorithm
dataToSign - an array of byte.
Returns:
signature data
Throws:
NoSuchAlgorithmException - if any.
SignatureException - if any.
InvalidKeyException - if any.

verify

public static boolean verify(X509Certificate certificate,
                             SecurityAlgorithm algorithm,
                             byte[] data,
                             byte[] signature)
                      throws SignatureException,
                             InvalidKeyException,
                             NoSuchAlgorithmException
Deprecated. Use CryptoUtil.verifyAsymm(X509Certificate, SecurityAlgorithm, byte[], byte[]) instead.

Verify a signature.

Parameters:
certificate - a X509Certificate object.
algorithm - asymmetric signer algorithm, See SecurityAlgorithm
data - an array of byte.
signature - an array of byte.
Returns:
true if verified
Throws:
SignatureException - if any.
InvalidKeyException - if any.
NoSuchAlgorithmException - if any.

readX509Certificate

public static X509Certificate readX509Certificate(URL url)
                                           throws IOException,
                                                  CertificateException
Load X.509 Certificate from a URL

Parameters:
url - a URL object.
Returns:
Certificate
Throws:
IOException - if any.
CertificateException - if the data is not a valid X.509 certificate

readX509Certificate

public static X509Certificate readX509Certificate(File file)
                                           throws IOException,
                                                  CertificateException
Load X.509 Certificate from a file

Parameters:
file - a File object.
Returns:
Certificate
Throws:
IOException - if any.
CertificateException - if the data is not a valid X.509 certificate

createThumbprint

public static byte[] createThumbprint(byte[] data)
Create the SHA-1 thumbprint of a certificate. OPC UA identifies certificates in trust lists and in the secure channel handshake by the SHA-1 digest of their DER encoding, so pass the DER-encoded certificate (X509Certificate.getEncoded()) as data. The thumbprint is an identifier for lookup, not a collision-resistant binding: trust decisions must be made on the full certificate.

Parameters:
data - the DER-encoded certificate
Returns:
the 20-byte SHA-1 digest of data

decodeX509Certificate

public static X509Certificate decodeX509Certificate(byte[] encodedCertificate)
                                             throws CertificateException
Decode X509 Certificate

Parameters:
encodedCertificate - an array of byte.
Returns:
X509 certificate
Throws:
CertificateException - if any.

loadFromKeyStore

public static RSAPrivateKey loadFromKeyStore(URL keystoreUrl,
                                             String password)
                                      throws IOException,
                                             NoSuchAlgorithmException,
                                             CertificateException,
                                             KeyStoreException,
                                             UnrecoverableKeyException
Load private key from a key store

Parameters:
keystoreUrl - url to key store
password - password to key store
Returns:
private key
Throws:
IOException - if any.
CertificateException - if any.
NoSuchAlgorithmException - if any.
KeyStoreException - if any.
UnrecoverableKeyException - if any.

saveKeyPairToProtectedStore

public static boolean saveKeyPairToProtectedStore(KeyPair keyPairToSave,
                                                  String storeLocation,
                                                  String alias,
                                                  String storePW,
                                                  String privatePW)
                                           throws KeyStoreException,
                                                  IOException,
                                                  NoSuchAlgorithmException,
                                                  CertificateException
Save the KeyPair (certificate and private key) to a Java Key Store (JKS).

Parameters:
keyPairToSave - the certificate and private key to store
storeLocation - path of the key store file
alias - alias under which the key entry is stored
storePW - password protecting the key store
privatePW - password protecting the private key entry
Returns:
a boolean.
Throws:
KeyStoreException - if any.
IOException - if any.
NoSuchAlgorithmException - if any.
CertificateException - if any.

loadKeyPairFromProtectedStore

public static KeyPair loadKeyPairFromProtectedStore(String storeLocation,
                                                    String alias,
                                                    String storePW,
                                                    String privatePW)
                                             throws KeyStoreException,
                                                    IOException,
                                                    NoSuchAlgorithmException,
                                                    CertificateException,
                                                    UnrecoverableKeyException
Load a KeyPair (certificate and private key) from a Java Key Store (JKS).

Parameters:
storeLocation - path of the key store file
alias - alias under which the key entry is stored
storePW - password protecting the key store
privatePW - password protecting the private key entry
Returns:
the certificate and private key stored under alias
Throws:
KeyStoreException - if any.
IOException - if any.
NoSuchAlgorithmException - if any.
CertificateException - if any.
UnrecoverableKeyException - if any.

renewApplicationInstanceCertificate

public static KeyPair renewApplicationInstanceCertificate(String commonName,
                                                          String organisation,
                                                          String applicationUri,
                                                          int validityTime,
                                                          KeyPair oldKeys,
                                                          KeyPair issuerKeys,
                                                          String... hostNames)
                                                   throws IOException,
                                                          IllegalStateException,
                                                          GeneralSecurityException
Renew an application instance certificate using the old keys: a new certificate is created for the key pair of oldKeys and signed with issuerKeys.

Parameters:
commonName - Common Name (CN) for the generated certificate
organisation - Organisation (O) for the generated certificate
applicationUri - ApplicationUri of the application, stored as the URI entry of the SubjectAlternativeName extension. Must not be null
validityTime - the time that the certificate is valid (in days)
oldKeys - the old certificate and private key; the renewed certificate is created for the same key pair
issuerKeys - the optional issuer certificate and private key to use for signing the certificate. If null, the certificate is self-signed
hostNames - alternate host names or IP addresses to add to SubjectAlternativeNames
Returns:
a KeyPair object.
Throws:
IOException - if any.
IllegalStateException - if any.
GeneralSecurityException - if any.

renewApplicationInstanceCertificate

public static KeyPair renewApplicationInstanceCertificate(String commonName,
                                                          String organisation,
                                                          String applicationUri,
                                                          int validityTime,
                                                          KeyPair oldKeys,
                                                          String... hostNames)
                                                   throws IOException,
                                                          IllegalStateException,
                                                          GeneralSecurityException
Renew an application instance certificate using the old keys. The new certificate is self-signed with the key pair of oldKeys.

Parameters:
commonName - Common Name (CN) for the generated certificate
organisation - Organisation (O) for the generated certificate
applicationUri - ApplicationUri of the application, stored as the URI entry of the SubjectAlternativeName extension. Must not be null
validityTime - the time that the certificate is valid (in days)
oldKeys - the old certificate and private key; the renewed certificate is created for the same key pair
hostNames - alternate host names or IP addresses to add to SubjectAlternativeNames
Returns:
a KeyPair object.
Throws:
IOException - if any.
IllegalStateException - if any.
GeneralSecurityException - if any.

setCertificateSignatureAlgorithm

public static void setCertificateSignatureAlgorithm(String certificateSignatureAlgorithm)
Define the algorithm to use for certificate signatures.

The OPC UA specification requires at least "SHA1WithRSA" for application instance certificates used with the security policies Basic128Rsa15 and Basic256, and "SHA256WithRSA" for Basic256Sha256. Basic128Rsa15 and Basic256 are deprecated in OPC UA 1.04 and later, and a certificate signed with SHA-1 is not valid for Basic256Sha256, so new certificates should keep the default.

Default: "SHA256WithRSA"

Parameters:
certificateSignatureAlgorithm - the certificateSignatureAlgorithm to set

getKeySize

public static int getKeySize()

Getter for the field keySize.

Returns:
the key size for new certificates

setKeySize

public static void setKeySize(int keySize)
Define the key size for the certificates. Default: 2048

Parameters:
keySize - RSA key size in bits for new certificates. Typical values are 1024, 2048, 3072 and 4096. Basic256Sha256 requires 2048 bits or more; 1024-bit keys are only permitted by the deprecated Basic128Rsa15 and Basic256 policies and should not be used for new certificates
Throws:
IllegalArgumentException - if the value is not accepted

getCertificateProvider

public static CertificateProvider getCertificateProvider()

Getter for the field certificateProvider.

Returns:
a CertificateProvider object.

setCertificateProvider

public static void setCertificateProvider(CertificateProvider certificateProvider)
Define the preferred CertificateProvider. Usually this is determined automatically, but you may define the provider that you wish to use yourself.

Parameters:
certificateProvider - the certificateProvider to set

createApplicationInstanceCertificate

public static KeyPair createApplicationInstanceCertificate(String commonName,
                                                           String organisation,
                                                           String applicationUri,
                                                           int validityTime,
                                                           String... hostNames)
                                                    throws IOException,
                                                           GeneralSecurityException

Create a new self-signed application instance certificate and private key for a UA client or server.

Parameters:
commonName - Common Name (CN) for the generated certificate
organisation - Organisation (O) for the generated certificate
applicationUri - ApplicationUri of the application, stored as the URI entry of the SubjectAlternativeName extension. Must not be null; peers compare it with the ApplicationUri in the ApplicationDescription
validityTime - the time that the certificate is valid (in days)
hostNames - alternate host names or IP addresses to add to SubjectAlternativeNames; include every name or address under which the application's endpoints are reached
Returns:
a KeyPair object.
Throws:
IOException - if any.
GeneralSecurityException - if any.

createApplicationInstanceCertificate

public static KeyPair createApplicationInstanceCertificate(String commonName,
                                                           String organisation,
                                                           String applicationUri,
                                                           int validityTime,
                                                           KeyPair issuerKeys,
                                                           String... hostNames)
                                                    throws IOException,
                                                           GeneralSecurityException

Create a new application instance certificate and private key for a UA client or server, signed by the given issuer or self-signed.

Parameters:
commonName - Common Name (CN) for the generated certificate
organisation - Organisation (O) for the generated certificate
applicationUri - ApplicationUri of the application, stored as the URI entry of the SubjectAlternativeName extension. Must not be null; peers compare it with the ApplicationUri in the ApplicationDescription
validityTime - the time that the certificate is valid (in days)
issuerKeys - the optional issuer certificate and private key to use for signing the certificate. If null, a self-signed certificate is generated
hostNames - alternate host names or IP addresses to add to SubjectAlternativeNames; include every name or address under which the application's endpoints are reached
Returns:
a KeyPair object.
Throws:
IOException - if any.
GeneralSecurityException - if any.

toKeyPair

public static KeyPair toKeyPair(X509Certificate cert,
                                PrivateKey privateKey)
                         throws CertificateEncodingException

Combine an X.509 certificate and its private key into an org.opcfoundation.ua.transport.security.KeyPair, for example after loading both from files or a key store.

Parameters:
cert - the certificate
privateKey - the private key belonging to cert
Returns:
a KeyPair object.
Throws:
CertificateEncodingException - if any.

createIssuerCertificate

public static KeyPair createIssuerCertificate(String commonName,
                                              int days,
                                              KeyPair issuerCert)
                                       throws GeneralSecurityException,
                                              IOException
Create a new issuer certificate that can be used to issue certificates built with createApplicationInstanceCertificate(String, String, String, int, String...) or createHttpsCertificate(String, String, int, org.opcfoundation.ua.transport.security.KeyPair)

Parameters:
commonName - The common name to use for the Subject of the certificate (the name will be prepended with "CN=" if it does not start with it already)
days - the time that the certificate is valid (in days)
issuerCert - The certificate and private key of the issuer that should sign the certificate. If null, a self-signed certificate is created
Returns:
the new certificate and private key
Throws:
GeneralSecurityException - if any.
IOException - if any.

createHttpsCertificate

public static KeyPair createHttpsCertificate(String hostName,
                                             String applicationUri,
                                             int days,
                                             KeyPair issuerCert)
                                      throws IOException,
                                             GeneralSecurityException
Create a new certificate that can be used with the HTTPS protocol. The certificate should be issued by a CA certificate, especially for server applications, to ensure interoperability with other client applications.

Parameters:
hostName - host name of the computer on which the application is running: used to initialize the Subject field of the certificate. Client applications may validate this field of the server certificate, so it should match the host name used in the ApplicationUri of the application
applicationUri - The ApplicationUri corresponding to the respective field of the ApplicationDescription of the application for which the certificate is created
days - the time that the certificate is valid (in days)
issuerCert - The certificate and private key of the issuer that should sign the certificate. If null, a self-signed certificate is created
Returns:
the new certificate and private key
Throws:
IOException - if any.
GeneralSecurityException - if any.

writeToPem

public static void writeToPem(X509Certificate key,
                              File file)
                       throws IOException

Write an X.509 certificate to a file in PEM format, for example to distribute an issuer certificate to the trust lists of peer applications. Only the certificate is written, never the private key.

Parameters:
key - the certificate to write
file - the file to write the PEM-encoded certificate to
Throws:
IOException - if any.

saveToProtectedStore

public static void saveToProtectedStore(PrivateKey privateKey,
                                        Certificate certificate,
                                        File storeLocation,
                                        String alias,
                                        String privateKeyPassword,
                                        String keyStorePassword,
                                        String keyStoreType)
                                 throws IOException,
                                        KeyStoreException,
                                        NoSuchProviderException,
                                        NoSuchAlgorithmException,
                                        CertificateException
Save the private key and its certificate to a JKS or PKCS12 (pfx) key store.

Parameters:
privateKey - the private key to store
certificate - the certificate belonging to the private key
storeLocation - file in which the key store is saved
alias - alias under which the key entry is stored
privateKeyPassword - password protecting the private key; cannot be null for keyStoreType "JKS"
keyStorePassword - password protecting the key store
keyStoreType - type of the key store; "JKS" and "PKCS12" are supported
Throws:
IOException - if storeLocation is not available
NoSuchProviderException - The required security Provider not found
KeyStoreException - keystore failed
CertificateException - certificate problem
NoSuchAlgorithmException - cryptographic algorithm not found
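The generation settings (setKeySize, setCertificateSignatureAlgorithm), the create*, renew* and store methods above are normally used together. The following is an added example of that whole flow, written for this page rather than taken from the OPC UA Java stack: it configures 2048-bit keys and SHA256WithRSA, creates a private issuer, issues an application instance certificate signed by it, verifies the chain and the ApplicationUri binding, stores and reloads the key pair, exports the issuer certificate as PEM and finally renews the certificate keeping the old keys. The common names, ApplicationUri, host names, file names and passwords are placeholders. Assumed, because they are not documented on this page: KeyPair.getCertificate() returns a Cert whose getCertificate() is the java.security X509Certificate, and KeyPair.getPrivateKey().getPrivateKey() is the java PrivateKey.

```java
import java.io.File;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import org.opcfoundation.ua.transport.security.KeyPair;
import org.opcfoundation.ua.utils.CertificateUtils;

/** Issue, persist, reload and renew an application instance certificate with CertificateUtils. */
public class IssueAndStoreExample {

    public static void main(String[] args) throws Exception {
        // Generation settings are static and apply to every create*/renew* call in this JVM,
        // so set them once, before the first certificate is generated.
        CertificateUtils.setKeySize(2048);
        CertificateUtils.setCertificateSignatureAlgorithm("SHA256WithRSA");

        // A private issuer (CA); issuerCert == null makes it self-signed. Keep its private key
        // away from the servers it signs for; only its certificate goes into peers' trust lists.
        KeyPair issuer = CertificateUtils.createIssuerCertificate("ExampleIssuerCA", 3650, null);

        // Placeholder ApplicationUri: it must equal the ApplicationUri the server advertises in
        // its ApplicationDescription, because peers compare the two.
        String applicationUri = "urn:opcua-host.example.com:ExampleCompany:ExampleServer";
        String[] hostNames = { "opcua-host.example.com", "192.0.2.10" };
        KeyPair app = CertificateUtils.createApplicationInstanceCertificate(
                "ExampleServer", "ExampleCompany", applicationUri, 365, issuer, hostNames);

        // Assumed accessor chain (not documented on this page): KeyPair -> Cert -> X509Certificate.
        X509Certificate appCert = app.getCertificate().getCertificate();
        X509Certificate caCert = issuer.getCertificate().getCertificate();

        // Checks before anything is written to disk: chain, validity window, URI binding.
        appCert.verify(caCert.getPublicKey());   // throws if not signed by our issuer
        appCert.checkValidity();                   // throws if outside notBefore..notAfter
        String embeddedUri = CertificateUtils.getApplicationUriOfCertificate(appCert);
        if (!applicationUri.equals(embeddedUri)) {
            throw new IllegalStateException("ApplicationUri not in SubjectAlternativeName: " + embeddedUri);
        }

        // Persist to a JKS store and read it back. Passwords are placeholders; in production
        // they come from a secret store, never from source code or the command line.
        String jksPath = "example-server.jks";
        CertificateUtils.saveKeyPairToProtectedStore(app, jksPath, "server", "store-password", "key-password");
        KeyPair reloaded = CertificateUtils.loadKeyPairFromProtectedStore(
                jksPath, "server", "store-password", "key-password");
        if (!Arrays.equals(appCert.getEncoded(), reloaded.getCertificate().getCertificate().getEncoded())) {
            throw new IllegalStateException("certificate changed in key store round trip");
        }

        // The same key and certificate as a PKCS12 file, for tools that do not read JKS.
        // Assumed accessor: PrivKey.getPrivateKey() returns the java PrivateKey.
        CertificateUtils.saveToProtectedStore(app.getPrivateKey().getPrivateKey(), appCert,
                new File("example-server.pfx"), "server", "key-password", "store-password", "PKCS12");

        // Export the issuer certificate (no private key) for distribution to peers' trust lists.
        CertificateUtils.writeToPem(caCert, new File("example-issuer-ca.pem"));

        // Renewal keeps the existing key pair (oldKeys) and only issues a fresh certificate.
        // Do this only if the private key is known not to be compromised; otherwise create
        // a new certificate with new keys and remove the old one from peers' trust lists.
        KeyPair renewed = CertificateUtils.renewApplicationInstanceCertificate(
                "ExampleServer", "ExampleCompany", applicationUri, 365, app, issuer, hostNames);
        X509Certificate renewedCert = renewed.getCertificate().getCertificate();
        if (!appCert.getPublicKey().equals(renewedCert.getPublicKey())) {
            throw new IllegalStateException("renewal was expected to keep the public key");
        }
        renewedCert.verify(caCert.getPublicKey());
        System.out.println("issued, stored, reloaded and renewed " + renewedCert.getSubjectX500Principal());
    }
}
```

The checks between generation and storage are deliberate: a certificate whose SubjectAlternativeName URI does not match the advertised ApplicationUri will be rejected by peers, and that is cheaper to catch here than in a failed OpenSecureChannel at deployment time. The JKS round trip uses the saveKeyPairToProtectedStore/loadKeyPairFromProtectedStore pair, which this page documents as a matched pair; the PKCS12 file is written with saveToProtectedStore only.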

getCertificateSignatureAlgorithm

public static String getCertificateSignatureAlgorithm()

Getter for the field certificateSignatureAlgorithm.

Returns:
a String object.

getSubjectAlternativeNames

protected static Collection<List<?>> getSubjectAlternativeNames(X509Certificate cert)
                                                         throws CertificateParsingException

Return the SubjectAlternativeName entries of the certificate, in the form returned by X509Certificate.getSubjectAlternativeNames(): each entry is a List whose first element is the GeneralName type (an Integer) and whose second element is the name value. The ApplicationUri is the uniformResourceIdentifier entry; host names and IP addresses are dNSName and iPAddress entries.

Parameters:
cert - the certificate to read
Returns:
the SubjectAlternativeName entries of cert
Throws:
CertificateParsingException - if any.

getApplicationUriOfCertificate

public static String getApplicationUriOfCertificate(X509Certificate certificate)
                                             throws CertificateParsingException

Return the ApplicationUri of the certificate, i.e. the uniformResourceIdentifier entry of its SubjectAlternativeName extension. Peers compare this value with the ApplicationUri in the ApplicationDescription of the application presenting the certificate; a mismatch is a reason to reject the certificate.

Parameters:
certificate - the certificate to read
Returns:
the ApplicationUri found in the certificate
Throws:
CertificateParsingException - if any.

getApplicationUriOfCertificate

public static String getApplicationUriOfCertificate(Cert certificate)
                                             throws CertificateParsingException

Return the ApplicationUri of the certificate, i.e. the uniformResourceIdentifier entry of its SubjectAlternativeName extension. Peers compare this value with the ApplicationUri in the ApplicationDescription of the application presenting the certificate; a mismatch is a reason to reject the certificate.

Parameters:
certificate - the certificate to read
Returns:
the ApplicationUri found in the certificate
Throws:
CertificateParsingException - if any.
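On the receiving side, decodeX509Certificate, createThumbprint and getApplicationUriOfCertificate are the pieces used to inspect a peer's certificate before the trust-list decision. The following is an added example, not code from the OPC UA Java stack, of the checks an application should run on the DER bytes a peer presents: validity window, ApplicationUri against the advertised ApplicationDescription, endpoint host against the dNSName/iPAddress entries, RSA key length and signature algorithm against the requirements quoted above for setKeySize and setCertificateSignatureAlgorithm. It passes or fails independently of the trust list, which must still be consulted. The sample certificate is constructed inside the example with createApplicationInstanceCertificate; its names and URI are placeholders, and the KeyPair-to-X509Certificate accessor chain is assumed as it is not documented on this page. The protected getSubjectAlternativeNames cannot be called from outside the class, so the JDK method of the same name is used.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.opcfoundation.ua.transport.security.KeyPair;
import org.opcfoundation.ua.utils.CertificateUtils;

/** Checks a server runs on a client's certificate (or a client on a server's) before the trust-list lookup. */
public class PeerCertificateChecks {

    // GeneralName tags in the first element of each X509Certificate.getSubjectAlternativeNames() entry.
    static final int DNS_NAME = 2, URI_NAME = 6, IP_ADDRESS = 7;

    /** Returns the reasons to reject the certificate; an empty list means every check passed. */
    public static List<String> check(byte[] derCert, String expectedApplicationUri, String expectedHost)
            throws CertificateException {
        List<String> problems = new ArrayList<>();
        X509Certificate cert = CertificateUtils.decodeX509Certificate(derCert);

        // Validity window.
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            problems.add("validity: " + e.getMessage());
        }

        // ApplicationUri binding: the URI entry in the SAN must equal the URI the peer advertised
        // in its ApplicationDescription (BadCertificateUriInvalid in OPC UA terms otherwise).
        String uri = CertificateUtils.getApplicationUriOfCertificate(cert);
        if (uri == null || !uri.equals(expectedApplicationUri)) {
            problems.add("applicationUri mismatch: certificate has " + uri + ", expected " + expectedApplicationUri);
        }

        // Host binding: the endpoint host must appear as a dNSName or iPAddress SAN entry.
        boolean hostFound = false;
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> entry : sans) {
                int tag = (Integer) entry.get(0);
                if ((tag == DNS_NAME || tag == IP_ADDRESS)
                        && expectedHost.equalsIgnoreCase(String.valueOf(entry.get(1)))) {
                    hostFound = true;
                }
            }
        }
        if (!hostFound) {
            problems.add("host " + expectedHost + " not in SubjectAlternativeName");
        }

        // Key strength and signature algorithm for Basic256Sha256.
        if (cert.getPublicKey() instanceof RSAPublicKey) {
            int bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            if (bits < 2048) {
                problems.add("RSA key too short for Basic256Sha256: " + bits + " bits");
            }
        }
        if (cert.getSigAlgName().toUpperCase().startsWith("SHA1")) {
            problems.add("SHA-1 certificate signature: " + cert.getSigAlgName());
        }
        return problems;
    }

    /** Hex form of the SHA-1 thumbprint, the identifier used to look the certificate up in a trust list. */
    public static String thumbprintHex(byte[] derCert) {
        StringBuilder sb = new StringBuilder();
        for (byte b : CertificateUtils.createThumbprint(derCert)) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a self-signed certificate generated here stands in for the bytes
        // received from a peer. Names and URI are placeholders.
        String uri = "urn:client.example.com:ExampleCompany:ExampleClient";
        KeyPair peer = CertificateUtils.createApplicationInstanceCertificate(
                "ExampleClient", "ExampleCompany", uri, 365, "client.example.com");
        byte[] der = peer.getCertificate().getCertificate().getEncoded(); // assumed accessor chain

        System.out.println("thumbprint " + thumbprintHex(der));
        System.out.println("matching peer:   " + check(der, uri, "client.example.com"));
        System.out.println("URI/host forged: " + check(der, "urn:other:App", "evil.example.com"));
    }
}
```

The second call in main shows why the URI check matters: a certificate that is perfectly well-formed and even trusted can still belong to a different application than the one claiming it, and only the comparison against the advertised ApplicationUri and endpoint host catches that. The thumbprint is printed for correlation with trust-list entries and logs; it is not used as evidence in any of the checks.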


Copyright © 2018. All rights reserved.