Generating X509 Certificate using Bouncy Castle Java

Solution 1:

Creation of KeyPairGenerator:

private KeyPairGenerator createKeyPairGenerator(String algorithmIdentifier,
        int bitCount) throws NoSuchProviderException,
        NoSuchAlgorithmException {
    KeyPairGenerator kpg = KeyPairGenerator.getInstance(
            algorithmIdentifier, BouncyCastleProvider.PROVIDER_NAME);
    kpg.initialize(bitCount);
    return kpg;
}

Creation of keyPair:

private KeyPair createKeyPair(String encryptionType, int byteCount)
    throws NoSuchProviderException, NoSuchAlgorithmException
{
    KeyPairGenerator keyPairGenerator = createKeyPairGenerator(encryptionType, byteCount);
    KeyPair keyPair = keyPairGenerator.genKeyPair();
    return keyPair;
}

KeyPair keyPair = createKeyPair("RSA", 4096);

Converting things to PEM (can be written to file):

  private String convertCertificateToPEM(X509Certificate signedCertificate) throws IOException {
    StringWriter signedCertificatePEMDataStringWriter = new StringWriter();
    JcaPEMWriter pemWriter = new JcaPEMWriter(signedCertificatePEMDataStringWriter);
    pemWriter.writeObject(signedCertificate);
    pemWriter.close();
    return signedCertificatePEMDataStringWriter.toString();
  }

Creation of X509Certificate:

X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
    serverCertificate, new BigInteger("1"),
    new Date(System.currentTimeMillis()),
    new Date(System.currentTimeMillis() + 30L * 365L * 24L * 60L * 60L * 1000L),
    jcaPKCS10CertificationRequest.getSubject(),
    jcaPKCS10CertificationRequest.getPublicKey()
/*).addExtension(
    new ASN1ObjectIdentifier("2.5.29.35"),
    false,
    new AuthorityKeyIdentifier(keyPair.getPublic().getEncoded())*/
).addExtension(
        new ASN1ObjectIdentifier("2.5.29.19"),
        false,
        new BasicConstraints(false) // true if it is allowed to sign other certs
).addExtension(
        new ASN1ObjectIdentifier("2.5.29.15"),
        true,
        new X509KeyUsage(
            X509KeyUsage.digitalSignature |
                X509KeyUsage.nonRepudiation   |
                X509KeyUsage.keyEncipherment  |
                X509KeyUsage.dataEncipherment));

Signing:

    ContentSigner sigGen = new JcaContentSignerBuilder("SHA256withRSA").build(signingKeyPair.getPrivate());


    X509CertificateHolder x509CertificateHolder = certificateBuilder.build(sigGen);
    org.spongycastle.asn1.x509.Certificate eeX509CertificateStructure =
      x509CertificateHolder.toASN1Structure();
    return eeX509CertificateStructure;
  }

  private X509Certificate readCertificateFromASN1Certificate(
    org.spongycastle.asn1.x509.Certificate eeX509CertificateStructure,
    CertificateFactory certificateFactory)
    throws IOException, CertificateException { //
    // Read Certificate
    InputStream is1 = new ByteArrayInputStream(eeX509CertificateStructure.getEncoded());
    X509Certificate signedCertificate =
      (X509Certificate) certificateFactory.generateCertificate(is1);
    return signedCertificate;
  }

CertificateFactory:

    certificateFactory = CertificateFactory.getInstance("X.509",
        BouncyCastleProvider.PROVIDER_NAME);

Solution 2:

The X509v3CertificateBuilder seems like the class to use. There are some examples of using the new API on the bouncycastle wiki.