/**
 * Creates a fresh, unconfigured {@link Builder}.
 *
 * @return a new Builder instance
 */
public static Builder builder() {
    Builder fresh = new Builder();
    return fresh;
}
/**
 * Creates a TrustSource with no trusted CAs at all. This is the starting point for assembling a custom trust
 * set via the add() overloads (PEM text, X509Certificates, another TrustSource). On its own it trusts nothing,
 * so a proxy configured with an unmodified empty TrustSource would presumably fail every upstream handshake
 * (NOTE(review): the verification path is not visible here — confirm).
 *
 * @return a TrustSource whose trusted CA set is empty
 */
public static TrustSource empty() {
    TrustSource noCAs = new TrustSource();
    return noCAs;
}
@Override public CertificateAndKey get() { return rootCertificateSource.load(); } });
/**
 * Creates a {@link Builder} pre-configured to use elliptic-curve keys for both the dynamically generated root CA
 * and the per-host server certificates. Every other builder setting is left at its default; callers can still
 * override the key generators afterwards.
 *
 * @return a Builder using {@link ECKeyGenerator} for root and server keys
 */
public static Builder builderWithECC() {
    Builder builder = new Builder();
    builder = builder.serverKeyGenerator(new ECKeyGenerator());
    // the root certificate is generated on demand with its own EC key pair
    RootCertificateGenerator ecRootSource = RootCertificateGenerator.builder()
            .keyGenerator(new ECKeyGenerator())
            .build();
    return builder.rootCertificateSource(ecRootSource);
}
/**
 * Builds the subject information for an impersonated server certificate. The first hostname becomes the CN and
 * every hostname (the first one included) is placed in the subject alternative name list; the SAN list is what
 * modern TLS clients match against, the CN is kept for legacy clients. The upstream server's original
 * certificate is accepted but not consulted: none of its fields are copied into the impersonated certificate.
 *
 * @param hostnames hostnames the certificate must be valid for; must contain at least one entry
 * @param originalCertificate the upstream server's certificate (not used by this implementation)
 * @return subject, organization, validity window and SAN information for the new certificate
 * @throws IllegalArgumentException if hostnames is null or empty
 */
@Override
public CertificateInfo generate(List<String> hostnames, X509Certificate originalCertificate) {
    if (hostnames == null || hostnames.isEmpty()) {
        throw new IllegalArgumentException("Cannot create X.509 certificate without server hostname");
    }
    // the CN is a single value, so only the first hostname can go there; the SAN extension carries all of them
    String cn = hostnames.get(0);
    CertificateInfo info = new CertificateInfo();
    return info.commonName(cn)
            .organization(DEFAULT_IMPERSONATED_CERT_ORG)
            .organizationalUnit(DEFAULT_IMPERSONATED_CERT_ORG_UNIT)
            .notBefore(getNotBefore())
            .notAfter(getNotAfter())
            .subjectAlternativeNames(hostnames);
}
X500NameBuilder x500NameBuilder = new X500NameBuilder(BCStyle.INSTANCE); if (certificateInfo.getCommonName() != null) { x500NameBuilder.addRDN(BCStyle.CN, certificateInfo.getCommonName()); if (certificateInfo.getOrganization() != null) { x500NameBuilder.addRDN(BCStyle.O, certificateInfo.getOrganization()); if (certificateInfo.getOrganizationalUnit() != null) { x500NameBuilder.addRDN(BCStyle.OU, certificateInfo.getOrganizationalUnit()); if (certificateInfo.getEmail() != null) { x500NameBuilder.addRDN(BCStyle.E, certificateInfo.getEmail()); if (certificateInfo.getLocality() != null) { x500NameBuilder.addRDN(BCStyle.L, certificateInfo.getLocality()); if (certificateInfo.getState() != null) { x500NameBuilder.addRDN(BCStyle.ST, certificateInfo.getState()); if (certificateInfo.getCountryCode() != null) { x500NameBuilder.addRDN(BCStyle.C, certificateInfo.getCountryCode());
/**
 * Packages a root certificate and its private key into a KeyStore of the requested type, delegating to
 * {@link KeyStoreUtil}. The private key is stored under privateKeyAlias and protected with password.
 *
 * @param keyStoreType KeyStore type name (e.g. "PKCS12", "JKS") passed through to KeyStoreUtil
 * @param rootCertificateAndKey the root certificate and matching private key to store
 * @param privateKeyAlias alias under which the private key entry is stored
 * @param password password protecting the private key entry
 * @return a KeyStore containing the root certificate and private key
 */
@Override
public KeyStore createRootCertificateKeyStore(String keyStoreType, CertificateAndKey rootCertificateAndKey, String privateKeyAlias, String password) {
    // the trailing null is KeyStoreUtil's last parameter; its meaning is not visible from this call site
    KeyStore rootKeyStore = KeyStoreUtil.createRootCertificateKeyStore(
            keyStoreType,
            rootCertificateAndKey.getCertificate(),
            privateKeyAlias,
            rootCertificateAndKey.getPrivateKey(),
            password,
            null);
    return rootKeyStore;
}
/**
 * Writes the generated private key to a file as PEM. When a password is supplied the key is encrypted with
 * {@link #DEFAULT_PEM_ENCRYPTION_ALGORITHM}; when it is null the key is written <b>in the clear</b>, which should
 * be avoided for anything other than throwaway test setups, because whoever can read the file can sign
 * certificates as this root CA.
 * NOTE(review): the permissions applied by {@link EncryptionUtil#writePemStringToFile} are not visible here — a
 * private-key file should be created owner-readable only; confirm in EncryptionUtil.
 *
 * @param file destination file for the PEM-encoded private key
 * @param passwordForPrivateKey password used to encrypt the key, or null to store it unencrypted
 */
public void savePrivateKeyAsPemFile(File file, String passwordForPrivateKey) {
    String pem = securityProviderTool.encodePrivateKeyAsPem(
            generatedCertificateAndKey.get().getPrivateKey(),
            passwordForPrivateKey,
            DEFAULT_PEM_ENCRYPTION_ALGORITHM);
    EncryptionUtil.writePemStringToFile(file, pem);
}
/**
 * Writes the generated root certificate (public part only, no key material) to the given file as PEM. This is
 * the file to distribute to clients that should trust the proxy's impersonated certificates.
 *
 * @param file destination file for the PEM-encoded certificate
 */
public void saveRootCertificateAsPemFile(File file) {
    String pem = securityProviderTool.encodeCertificateAsPem(
            generatedCertificateAndKey.get().getCertificate());
    EncryptionUtil.writePemStringToFile(file, pem);
}
/**
 * Switches upstream certificate verification off (true) or back on (false). With verification off the proxy will
 * accept any certificate from the upstream server, so <b>an attacker can MITM the proxy's upstream
 * connections</b>; use this for testing only. Passing true discards any TrustSource previously set via
 * {@link #trustSource(TrustSource)}. Passing false restores the default TrustSource only if none is currently
 * set, i.e. only if verification was previously disabled by this method; an explicitly configured TrustSource
 * is left untouched. To configure a specific set of trusted CAs, use {@link #trustSource(TrustSource)}.
 *
 * @param trustAllServers true to disable upstream verification, false to (re-)enable it
 * @return this Builder
 */
public Builder trustAllServers(boolean trustAllServers) {
    if (trustAllServers) {
        // within this builder a null trustSource is what "no verification" means
        this.trustSource = null;
        return this;
    }
    if (this.trustSource == null) {
        this.trustSource = TrustSource.defaultTrustSource();
    }
    return this;
}
/**
 * Creates a TrustSource backed by the CAs this JVM trusts by default (see {@link TrustUtil#getJavaTrustedCAs()}).
 * The resulting trust set therefore depends on the JVM's own trust store configuration.
 *
 * @return a TrustSource containing the JVM's default trusted CAs
 */
public static TrustSource javaTrustSource() {
    X509Certificate[] jvmCAs = TrustUtil.getJavaTrustedCAs();
    return new TrustSource(jvmCAs);
}
/**
 * Creates a TrustSource backed only by the library's builtin CA list (see {@link TrustUtil#getBuiltinTrustedCAs()}).
 * The JVM's own trust store is deliberately not included; combine with {@link #javaTrustSource()} via add() if
 * both sets are wanted.
 *
 * @return a TrustSource containing only the builtin trusted CAs
 */
public static TrustSource builtinTrustSource() {
    X509Certificate[] builtinCAs = TrustUtil.getBuiltinTrustedCAs();
    return new TrustSource(builtinCAs);
}
/**
 * Combines this TrustSource with another one. Neither instance is modified; the result is a new TrustSource
 * holding the union of both CA sets.
 *
 * @param trustSource TrustSource whose CAs are added to this one's
 * @return a new TrustSource containing the CAs of both
 * @throws IllegalArgumentException if trustSource is null
 */
public TrustSource add(TrustSource trustSource) {
    if (trustSource != null) {
        return add(trustSource.getTrustedCAs());
    }
    throw new IllegalArgumentException("TrustSource cannot be null");
}
}
/**
 * PEM-encodes the generated private key, encrypting it with the given password and
 * {@link #DEFAULT_PEM_ENCRYPTION_ALGORITHM}. The returned String is key material: do not log it and do not
 * keep it around longer than needed.
 *
 * @param privateKeyPassword password used to encrypt the private key
 * @return the encrypted, PEM-encoded private key
 */
public String encodePrivateKeyAsPem(String privateKeyPassword) {
    String encryptedPem = securityProviderTool.encodePrivateKeyAsPem(
            generatedCertificateAndKey.get().getPrivateKey(),
            privateKeyPassword,
            DEFAULT_PEM_ENCRYPTION_ALGORITHM);
    return encryptedPem;
}
/**
 * PEM-encodes the generated root certificate (public part only).
 *
 * @return the root certificate as a PEM-encoded String
 */
public String encodeRootCertificateAsPem() {
    String certPem = securityProviderTool.encodeCertificateAsPem(
            generatedCertificateAndKey.get().getCertificate());
    return certPem;
}
/**
 * Adds the CAs found in a PEM-encoded String to this TrustSource, returning a new instance. The String may hold
 * several certificates and any amount of non-PEM text (comments, headers) around them; only the blocks delimited
 * by BEGIN CERTIFICATE / END CERTIFICATE markers are parsed. Everything parsed is trusted as a CA, so the String
 * must come from a source the operator controls.
 *
 * @param trustedPemEncodedCAs PEM text containing the certificates to trust
 * @return a new TrustSource containing this instance's CAs plus those parsed from the String
 * @throws IllegalArgumentException if trustedPemEncodedCAs is null
 */
public TrustSource add(String trustedPemEncodedCAs) {
    if (trustedPemEncodedCAs == null) {
        throw new IllegalArgumentException("PEM-encoded trusted CA String cannot be null");
    }
    X509Certificate[] parsed = TrustUtil.readX509CertificatesFromPem(trustedPemEncodedCAs);
    // an empty parse result is handled by the varargs overload, which then returns this instance unchanged
    return add(parsed);
}
/**
 * Wraps the already-available root certificate and private key in a {@link CertificateAndKey}. Nothing is read
 * or generated here; each call returns a new wrapper around the same two fields.
 *
 * @return the root certificate paired with its private key
 */
@Override
public CertificateAndKey load() {
    CertificateAndKey pair = new CertificateAndKey(rootCertificate, privateKey);
    return pair;
}
}
/**
 * Creates a {@link RootCertificateGenerator} from the builder's current certificate info, message digest,
 * key generator and security provider tool.
 *
 * @return a new RootCertificateGenerator configured with this builder's settings
 */
public RootCertificateGenerator build() {
    RootCertificateGenerator generator = new RootCertificateGenerator(
            certificateInfo,
            messageDigest,
            keyGenerator,
            securityProviderTool);
    return generator;
}
}
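/**
 * Disables (true) or re-enables (false) upstream certificate verification. Disabling verification lets any
 * upstream certificate through and makes the proxy's upstream connections trivially MITM-able; it is meant for
 * testing only. Re-enabling restores the default TrustSource only if none is currently set, i.e. only if
 * verification had previously been switched off here; an explicitly configured TrustSource is kept.
 * The setting is fixed once the proxy is running: both directions are rejected after start, so the error
 * message says "change" rather than "disable" (the previous wording was wrong for the false case).
 *
 * @param trustAllServers true to skip upstream verification, false to verify against the configured TrustSource
 * @throws IllegalStateException if the proxy has already been started
 */
@Override
public void setTrustAllServers(boolean trustAllServers) {
    if (isStarted()) {
        throw new IllegalStateException("Cannot change upstream server verification after the proxy has been started");
    }
    if (trustAllServers) {
        // a null trustSource is what this class uses to mean "no verification"
        trustSource = null;
    } else if (trustSource == null) {
        trustSource = TrustSource.defaultTrustSource();
    }
}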
/**
 * Adds the given certificates to this TrustSource's CA set, returning a new instance; this instance is not
 * modified. With a null or empty argument this same instance is returned. Nothing here checks that the supplied
 * certificates are actually CA certificates (no basicConstraints or validity inspection is performed), so every
 * certificate passed in is trusted as a CA as-is.
 *
 * @param trustedCertificates certificates to trust as CAs
 * @return a new TrustSource with the combined CA set, or this instance if nothing was added
 */
public TrustSource add(X509Certificate... trustedCertificates) {
    boolean nothingToAdd = trustedCertificates == null || trustedCertificates.length == 0;
    if (nothingToAdd) {
        return this;
    }
    X509Certificate[] merged = ObjectArrays.concat(trustedCAs, trustedCertificates, X509Certificate.class);
    return new TrustSource(merged);
}