Fluent builder API for JCA/JSSE classes

Will Sargent will.sargent at gmail.com
Tue Oct 16 16:17:40 UTC 2018


Hi Bernd,

I'm not sure what you mean about exporting the package.  I only have it
working on JDK 1.8 right now, and I'm not sure about configuring it for
multiple JDK versions.

All of the code in X509CertificateCreator depends heavily on the x509
implementation
<https://github.com/tersesystems/securitybuilder/blob/master/src/main/java/com/tersesystems/securitybuilder/X509CertificateCreator.java#L20>:

import sun.security.x509.AlgorithmId;
import sun.security.x509.BasicConstraintsExtension;
import sun.security.x509.CertificateAlgorithmId;
import sun.security.x509.CertificateExtensions;
import sun.security.x509.CertificateSerialNumber;
import sun.security.x509.CertificateValidity;
import sun.security.x509.CertificateVersion;
import sun.security.x509.CertificateX509Key;
import sun.security.x509.KeyUsageExtension;
import sun.security.x509.X500Name;
import sun.security.x509.X509CertImpl;
import sun.security.x509.X509CertInfo;

But I don't see a way to get around that, and this package seems to be
required by OpenJDK.

Other than that, the only requirement on a "sun" package is a call out to
JCAUtil:
https://github.com/tersesystems/securitybuilder/blob/master/src/main/java/com/tersesystems/securitybuilder/EntropySource.java#L4

which can be easily removed.



On Mon, Oct 15, 2018 at 1:27 PM Bernd Eckenfels <ecki at zusammenkunft.net>
wrote:

> That's very cool!
>
> Maybe this is the right thread to discuss the future of the
> sun.security.x509 package.
>
> Currently your implementation will only work if that package is exported.
> The depth of implementation of those classes, however, would be a nice
> addition to an (optional?) API.
>
> Regards
>
> Bernd
>
> --
> http://bernd.eckenfels.net
>
> From: Will Sargent <will.sargent at gmail.com>
> Sent: Monday, 15 October 2018 22:13
> To: security-dev at openjdk.java.net
> Subject: Fluent builder API for JCA/JSSE classes
>
> Hi all,
>
> I've released a library that adds a fluent builder API for JCA
> factory and generator classes. The primary use of this package is to set up
> test X.509 certificates, private keys and trust stores, but it's also
> helpful for picking out good defaults and working on a higher level than
> the raw JCA classes themselves.  It's available at
> https://github.com/tersesystems/securitybuilder
>
> Example below of building up an SSLContext from scratch:
>
> import static java.util.Collections.singletonList;
> import static org.assertj.core.api.Assertions.assertThat;
> import static org.assertj.core.api.Assertions.fail;
>
> // Assumed: the builders, creators and their stage interfaces
> // (FinalStage, IssuerStage, ...) all live in this package.
> import com.tersesystems.securitybuilder.*;
> import java.security.PublicKey;
> import java.security.cert.CertPathValidatorException;
> import java.security.cert.PKIXCertPathValidatorResult;
> import java.security.cert.TrustAnchor;
> import java.security.cert.X509Certificate;
> import java.security.interfaces.RSAPrivateKey;
> import java.time.Duration;
> import javax.net.ssl.SSLContext;
> import org.junit.Test; // JUnit 4; use org.junit.jupiter.api.Test on JUnit 5
>
> public class X509CertificateCreatorTest {
>
>   @Test
>   public void testFunctionalStyle() throws Exception {
>     // One 2048-bit RSA key pair per tier: root CA, intermediate CA, end entity.
>     FinalStage<RSAKeyPair> keyPairCreator = KeyPairCreator.creator().withRSA().withKeySize(2048);
>     RSAKeyPair rootKeyPair = keyPairCreator.create();
>     RSAKeyPair intermediateKeyPair = keyPairCreator.create();
>     RSAKeyPair eePair = keyPairCreator.create();
>
>     // Every certificate in the chain is signed with SHA256withRSA and valid for a year.
>     IssuerStage<RSAPrivateKey> creator =
>         X509CertificateCreator.creator().withSHA256withRSA().withDuration(Duration.ofDays(365));
>
>     // Self-signed root, which signs an intermediate CA (path length 0),
>     // which in turn signs the end-entity certificate.
>     String issuer = "CN=letsencrypt.derp,O=Root CA";
>     X509Certificate[] chain =
>         creator
>             .withRootCA(issuer, rootKeyPair, 2)
>             .chain(
>                 rootKeyPair.getPrivate(),
>                 rootCreator ->
>                     rootCreator
>                         .withPublicKey(intermediateKeyPair.getPublic())
>                         .withSubject("OU=intermediate CA")
>                         .withCertificateAuthorityExtensions(0)
>                         .chain(
>                             intermediateKeyPair.getPrivate(),
>                             intCreator ->
>                                 intCreator
>                                     .withPublicKey(eePair.getPublic())
>                                     .withSubject("CN=tersesystems.com")
>                                     .withEndEntityExtensions()
>                                     .chain()))
>             .create();
>
>     // The chain is leaf-first: chain[0] is the end entity, chain[2] the root.
>     // The server side gets the end-entity key plus the full chain; the trust
>     // store holds only the root.
>     PrivateKeyStore privateKeyStore =
>         PrivateKeyStore.create("tersesystems.com", eePair.getPrivate(), chain);
>     TrustStore trustStore = TrustStore.create(singletonList(chain[2]), cert -> "letsencrypt.derp");
>
>     // PKIX path validation from the root anchor down to the end entity;
>     // the result's public key must be the end entity's.
>     try {
>       final PKIXCertPathValidatorResult result = CertificateChainValidator.validator()
>           .withAnchor(new TrustAnchor(issuer, rootKeyPair.getPublic(), null))
>           .withCertificates(chain)
>           .validate();
>       final PublicKey subjectPublicKey = result.getPublicKey();
>       assertThat(subjectPublicKey).isEqualTo(eePair.getPublic());
>     } catch (final CertPathValidatorException cpve) {
>       fail("Cannot test exception", cpve);
>     }
>
>     // Wire the key store and trust store into a TLS SSLContext.
>     SSLContext sslContext =
>         SSLContextBuilder.builder()
>             .withTLS()
>             .withKeyManager(
>                 KeyManagerBuilder.builder()
>                     .withSunX509()
>                     .withPrivateKeyStore(privateKeyStore)
>                     .build())
>             .withTrustManager(
>                 TrustManagerBuilder.builder()
>                     .withDefaultAlgorithm()
>                     .withTrustStore(trustStore)
>                     .build())
>             .build();
>     assertThat(sslContext).isNotNull();
>   }
> }
>
> Thanks,
> Will.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20181016/1a5ee582/attachment.htm>
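Bernd's point that the builder only works when sun.security.x509 is exported is the one caveat a user of this library needs to check before adopting it on anything newer than JDK 8. The class below is an added example, not code from the securitybuilder project or from this thread: it reports at runtime whether the package that X509CertificateCreator imports is exported to application code, and then attempts the same kind of access the library makes. It assumes Java 9 or later (it uses java.lang.Module, which JDK 8 lacks) and that sun.security.x509.X509CertInfo has a public no-argument constructor, as it does in OpenJDK.

```java
// Added example, not part of the securitybuilder project.
// Probes whether application code can use sun.security.x509 on this JVM.
// Requires Java 9+ for java.lang.Module; on JDK 8 there is no module system
// and the package is simply reachable from the boot class path.
import java.lang.reflect.Constructor;

public final class SunX509AccessCheck {

    /** One of the internal classes that X509CertificateCreator imports. */
    static final String PROBE_CLASS = "sun.security.x509.X509CertInfo";

    /**
     * True when java.base exports sun.security.x509 to this class's module
     * (the unnamed module for a class-path application), i.e. when the
     * builder library can be used without extra JVM flags.
     */
    public static boolean isSunX509Exported() {
        try {
            Class<?> probe = Class.forName(PROBE_CLASS);
            Module javaBase = probe.getModule();
            Module caller = SunX509AccessCheck.class.getModule();
            return javaBase.isExported(probe.getPackageName(), caller);
        } catch (ClassNotFoundException e) {
            // Not an OpenJDK-derived runtime; the library cannot work here at all.
            return false;
        }
    }

    /**
     * Goes one step further and instantiates the class reflectively, the way
     * the builder's direct import would at link time, so that the failure
     * mode (IllegalAccessException under strong encapsulation) is visible.
     */
    public static String tryInstantiate() {
        try {
            Class<?> probe = Class.forName(PROBE_CLASS);
            Constructor<?> ctor = probe.getConstructor(); // public X509CertInfo()
            Object info = ctor.newInstance();
            return "ok: " + info.getClass().getName();
        } catch (IllegalAccessException e) {
            return "inaccessible: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) {
        boolean exported = isSunX509Exported();
        System.out.println("sun.security.x509 exported to application code: " + exported);
        System.out.println(tryInstantiate());
        if (!exported) {
            System.out.println("Run javac and java with: "
                + "--add-exports java.base/sun.security.x509=ALL-UNNAMED");
        }
    }
}
```

On JDK 9 and later, sun.security.x509 is a non-exported package of java.base, so code that imports it directly, as X509CertificateCreator does, needs `--add-exports java.base/sun.security.x509=ALL-UNNAMED` both when it is compiled with javac and when it is run. The reflective probe above succeeds (with an illegal-access warning) on JDK 9 to 15, where the old packages are still opened by default, and throws IllegalAccessException from JDK 16 on, where strong encapsulation is the default; the flag is the fix in both cases, and it is a decision to pin the library to JDK internals rather than to a public API.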

