Fluent builder API for JCA/JSSE classes
Bernd Eckenfels
ecki at zusammenkunft.net
Mon Oct 15 20:27:01 UTC 2018
Thats very cool!
Maybe this is the right thread to discuss the future of the sun.security.x509 package.
Currently your implementation will only work if that package is exported. The Depth of implementation of those classes however would be a nice Addition to an (optional?) API.
Gruss
Bernd
--
http://bernd.eckenfels.net
Von: Will Sargent
Gesendet: Montag, 15. Oktober 2018 22:13
An: security-dev at openjdk.java.net
Betreff: Fluent builder API for JCA/JSSE classes
Hi all,
I've released a library that adds a fluent builder API library for JCA factory and generator classes. The primary use of this package is to set up test X.509 certificates, private keys and trust stores, but it's also helpful for picking out good defaults and working on a higher level than the raw JCA classes themselves. It's available at https://github.com/tersesystems/securitybuilder
Example below of building up an SSLContext from scratch:
public class X509CertificateCreatorTest {
@Test
public void testFunctionalStyle() throws Exception {
FinalStage<RSAKeyPair> keyPairCreator = KeyPairCreator.creator().withRSA().withKeySize(2048);
RSAKeyPair rootKeyPair = keyPairCreator.create();
RSAKeyPair intermediateKeyPair = keyPairCreator.create();
RSAKeyPair eePair = keyPairCreator.create();
IssuerStage<RSAPrivateKey> creator =
X509CertificateCreator.creator().withSHA256withRSA().withDuration(Duration.ofDays(365));
String issuer = "CN=letsencrypt.derp,O=Root CA";
X509Certificate[] chain =
creator
.withRootCA(issuer, rootKeyPair, 2)
.chain(
rootKeyPair.getPrivate(),
rootCreator ->
rootCreator
.withPublicKey(intermediateKeyPair.getPublic())
.withSubject("OU=intermediate CA")
.withCertificateAuthorityExtensions(0)
.chain(
intermediateKeyPair.getPrivate(),
intCreator ->
intCreator
.withPublicKey(eePair.getPublic())
.withSubject("CN=tersesystems.com")
.withEndEntityExtensions()
.chain()))
.create();
PrivateKeyStore privateKeyStore =
PrivateKeyStore.create("tersesystems.com", eePair.getPrivate(), chain);
TrustStore trustStore = TrustStore.create(singletonList(chain[2]), cert -> "letsencrypt.derp");
try {
final PKIXCertPathValidatorResult result = CertificateChainValidator.validator()
.withAnchor(new TrustAnchor(issuer, rootKeyPair.getPublic(), null))
.withCertificates(chain)
.validate();
final PublicKey subjectPublicKey = result.getPublicKey();
assertThat(subjectPublicKey).isEqualTo(eePair.getPublic());
} catch (final CertPathValidatorException cpve) {
fail("Cannot test exception", cpve);
}
SSLContext sslContext =
SSLContextBuilder.builder()
.withTLS()
.withKeyManager(
KeyManagerBuilder.builder()
.withSunX509()
.withPrivateKeyStore(privateKeyStore)
.build())
.withTrustManager(
TrustManagerBuilder.builder()
.withDefaultAlgorithm()
.withTrustStore(trustStore)
.build())
.build();
assertThat(sslContext).isNotNull();
}
}
Thanks,
Will.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20181015/656c41e6/attachment.htm>
More information about the security-dev
mailing list