I thought I would clean up my little tool, and share it with the world.
It requires the GlassFish webservices-osgi.jar, which is located in the glassfish-3.1.2/glassfish/modules/ directory, along with Apache commons-cli-1.2 and commons-io-2.1.
The application takes a couple of command-line arguments to work. It prints its usage, and the project properties also show all of the arguments in action. You will need to set those up to match your environment in the IDE. Here is an example.
java -jar certificate-manager.jar -f /Applications/NetBeans/jboss-5.0.1.GA/server/default/conf/server.keystore -i "CN=John Yeary, OU=Development, O=Blue Lotus Software, L=Greenville, ST=South Carolina, C=US" -s 4f2ac2cf -p changeit -e
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
The project was developed with NetBeans and GlassFish 3.1.2.
The NetBeans project files can be downloaded here: certificate-manager.zip
TrustedCertificatePEMExportUtility.java
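package com.bluelotussoftware.security;

import com.sun.xml.wss.util.XWSSUtil;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import org.apache.commons.cli.*;
import org.apache.commons.io.IOUtils;
import sun.misc.BASE64Encoder;
import sun.security.provider.X509Factory;

/**
 * <p> This utility class is for exporting Trusted Certificates from the trusted
 * certificate store. This is usually a file called <strong>cacerts.keystore</strong>, or
 * <strong>cacerts.jks</strong>.</p> <p> <strong>Note:</strong> The default implementation of the
 * Java keytool will not export trusted certificates.</p>
 *
 * <p> <strong>Note:</strong> {@code sun.misc.BASE64Encoder} and
 * {@code sun.security.provider.X509Factory} are JDK-internal classes, not part of the supported
 * Java SE API, so this class only builds on JDKs that still expose them.</p>
 *
 * @author John Yeary
 * @version 1.0
 */
public class TrustedCertificatePEMExportUtility extends XWSSUtil {

    /**
     * Main application entry point. Loads the keystore named by {@code -f}, looks up the
     * certificate identified by issuer name ({@code -i}) and hexadecimal serial number
     * ({@code -s}), prints it in PEM form, optionally writes it to {@code x509.pem}
     * ({@code -e}), and finally prints the private key when one is returned for that
     * certificate.
     *
     * @param args command line arguments to be processed.
     * @throws KeyStoreException if an exception occurs while processing trusted
     * key store.
     * @throws IOException if an IO exception occurs during reading keystore, or
     * writing certificate.
     * @throws NoSuchAlgorithmException while trying to load the keystore.
     * @throws CertificateException if there is an exception while handling
     * certificate.
     * @throws ParseException if the command line arguments could not be parsed.
     */
    public static void main(String[] args) throws ParseException, KeyStoreException, IOException,
            NoSuchAlgorithmException, CertificateException {
        BASE64Encoder encoder = new BASE64Encoder();

        Options options = new Options();
        options.addOption("f", true, "Trusted Keystore File Name");
        options.addOption("i", true, "Certificate Issuer Name");
        options.addOption("s", true, "Certificate Serial Number");
        options.addOption("p", true, "Keystore Password");
        options.addOption("c", false, "Output Certificate Information");
        options.addOption("e", false, "Export X509 PEM certificate");
        options.addOption("h", "help", false, "Help");

        CommandLineParser parser = new PosixParser();
        CommandLine cmd = parser.parse(options, args);

        if (cmd.hasOption('h')) {
            HelpFormatter formatter = new HelpFormatter();
            formatter.printHelp(
                    "com.bluelotussoftware.security.TrustedCertificatePEMExportUtility",
                    options, true);
            System.exit(0);
        }

        if (!cmd.hasOption('f')) {
            System.out.println("The trusted keystore must be provided. -h or --help for usage");
            System.exit(-1);
        }

        // Without these two values the lookup below cannot succeed; fail with a usage
        // message instead of a NullPointerException/NumberFormatException stack trace.
        if (!cmd.hasOption('i') || !cmd.hasOption('s')) {
            System.out.println("The certificate issuer name (-i) and serial number (-s) "
                    + "must be provided. -h or --help for usage");
            System.exit(-1);
        }

        File trustedKeystoreFile = new File(cmd.getOptionValue('f'));
        String issuerName = cmd.getOptionValue('i');

        // Parse the hexadecimal serial number directly as a BigInteger. Going through
        // Integer.parseInt rejects any serial above 0x7fffffff, and real certificate
        // serial numbers are frequently far longer than 32 bits.
        String serialHex = cmd.getOptionValue('s');
        BigInteger serialNumber;
        try {
            serialNumber = new BigInteger(serialHex, 16);
        } catch (NumberFormatException e) {
            System.out.println("The serial number must be a hexadecimal value: " + serialHex);
            System.exit(-1);
            return;
        }

        // A password given with -p is visible in the process list and in shell history.
        // When -p is omitted and a console is attached, prompt for it without echo instead.
        char[] keystorePassword = null;
        if (cmd.hasOption('p')) {
            keystorePassword = cmd.getOptionValue('p').toCharArray();
        } else if (System.console() != null) {
            keystorePassword = System.console().readPassword("Keystore password: ");
        }
        if (keystorePassword == null) {
            System.out.println("The keystore password must be provided. -h or --help for usage");
            System.exit(-1);
        }

        KeyStore trustedKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream keystoreStream = new FileInputStream(trustedKeystoreFile);
        try {
            trustedKeyStore.load(keystoreStream, keystorePassword);
        } finally {
            // KeyStore.load does not close the stream it is given.
            IOUtils.closeQuietly(keystoreStream);
        }

        X509Certificate x509 =
                getCertificateFromTrustStore(issuerName, serialNumber, trustedKeyStore);
        // NOTE(review): the inherited lookup is not shown here; guard against a null result
        // so a non-matching issuer/serial yields a message rather than a NullPointerException.
        if (x509 == null) {
            System.out.println("No certificate found for the given issuer name and serial number.");
            System.exit(-1);
        }

        // Print out certificate information to verify certificate output prior to creating PEM
        if (cmd.hasOption("c")) {
            System.out.println(
                    "\nX509 Certificate Information. Please verify before using PEM Output!\n");
            System.out.println(x509);
            System.out.println("");
        }

        // Output PEM format
        StringBuilder sb = new StringBuilder();
        sb.append(X509Factory.BEGIN_CERT).append("\n");
        sb.append(encoder.encode(x509.getEncoded()));
        sb.append("\n").append(X509Factory.END_CERT).append("\n");
        String pem = sb.toString();
        System.out.println(pem);

        if (cmd.hasOption('e')) {
            // -e is declared without an argument, so this always resolves to the default name.
            String fileName = cmd.getOptionValue("e", "x509.pem");
            FileOutputStream pemStream = new FileOutputStream(fileName);
            try {
                // PEM is pure ASCII; name the charset rather than relying on the platform default.
                IOUtils.write(pem, pemStream, "US-ASCII");
            } finally {
                pemStream.close();
            }
            System.out.println("Certificate Exported to " + fileName);
        }

        // SECURITY: if a private key is returned for this certificate it is written to
        // standard output unencrypted. Do not redirect this tool's output into shared logs
        // or files readable by other users.
        try {
            // new String(char[]) yields the password text; calling toString() on the array
            // would pass the array's identity string instead of the password.
            PrivateKey privateKey =
                    getPrivateKey(x509, trustedKeyStore, new String(keystorePassword));
            if (privateKey != null) {
                System.out.println("-----BEGIN PRIVATE KEY-----");
                encoder.encodeBuffer(privateKey.getEncoded(), System.out);
                System.out.println("-----END PRIVATE KEY-----");
            }
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
    }
}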