Class CAHandler


  • public class CAHandler
    extends Object
    Class that holds functions for generating root and intermediate CAs
    • Method Detail

      • createSubCa

        public void createSubCa​(String subCaCertDN,
                                String rootCAAlias,
                                int validityPeriod)
        Creates a sub Certificate Authority for the MC PKI. The certificate and key pair are placed in the SubCaKeystore defined in PKIConfiguration, and the certificate is also added to the truststore defined there. The SubCaKeystore is created if it does not exist yet, but the truststore must already exist. It is also expected that a RootCaKeystore is defined in PKIConfiguration and exists, since the root key signs the new sub CA certificate.
        Parameters:
        subCaCertDN - The DN of the new sub CA certificate.
        rootCAAlias - The alias of the root CA
        validityPeriod - How many months the certificate should be valid
      • createSubCAPKCS11

        public void createSubCAPKCS11​(String subCaCertDN,
                                      String rootCAAlias,
                                      PKIConfiguration subCaConfiguration,
                                      int validityPeriod)
        Creates a sub Certificate Authority for the MC PKI using an HSM. The certificate and keypair are placed in the HSM using the given configuration. It is also expected that a RootCaKeystore is defined in PKIConfiguration and exists.
        Parameters:
        subCaCertDN - The DN of the new sub CA certificate.
        rootCAAlias - The alias of the root CA
        subCaConfiguration - Holds the configuration for the sub CA HSM. Must be a P11PKIConfiguration
        validityPeriod - How many months the certificate should be valid
      • initRootCA

        public void initRootCA​(String rootCertX500Name,
                               String crlUrl,
                               String rootCAAlias,
                               int validityPeriod)
        Generates a self-signed certificate and saves it in the root keystore and in the truststore. Should only be used to initialise the root CA. It is expected that the root keystore and truststore locations are defined in PKIConfiguration. If they already exist they will be overwritten, which destroys the existing root key; check for an existing root keystore before calling this method.
        Parameters:
        rootCertX500Name - The DN of the new root CA Certificate
        crlUrl - CRL endpoint
        rootCAAlias - The alias of the root CA
        validityPeriod - How many months the certificate should be valid
      • initRootCAPKCS11

        public void initRootCAPKCS11​(String rootCertX500Name,
                                     String crlUrl,
                                     String rootCAAlias,
                                     int validityPeriod)
        Generates a self-signed certificate and saves it together with the private key in an HSM using PKCS#11, and the certificate only in a truststore. If an entry already exists in the specified HSM slot it will be overwritten.
        Parameters:
        rootCertX500Name - The DN of the new root CA Certificate
        crlUrl - CRL endpoint
        rootCAAlias - The alias of the root CA
        validityPeriod - How many months the certificate should be valid
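
The order these methods expect, root first and then the sub CA signed by it, as an added example that is not part of the MCP PKI project's documentation or code. Because this page shows neither constructors nor configuration setters, it assumes that PKIConfiguration is built from the root alias and exposes setters for the keystore paths and passwords, that CAHandler is built from a CertificateBuilder wrapping a KeystoreHandler, and that the truststore stores the root certificate under rootCAAlias; the file names, password, DNs and CRL URL are hypothetical.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

import net.maritimeconnectivity.pki.CAHandler;
import net.maritimeconnectivity.pki.CertificateBuilder;
import net.maritimeconnectivity.pki.KeystoreHandler;
import net.maritimeconnectivity.pki.PKIConfiguration;

/**
 * Bootstraps a root CA and one sub CA with initRootCA and createSubCa, then checks
 * the root certificate that ended up in the truststore. Example code; not from the project.
 */
public class BootstrapMcpPki {

    public static void main(String[] args) throws Exception {
        Path rootKeystore = Paths.get("root-ca-keystore.jks");   // hypothetical paths
        Path subCaKeystore = Paths.get("sub-ca-keystore.jks");
        Path truststore = Paths.get("mcp-truststore.jks");
        char[] password = "changeit".toCharArray();                // example only; use a secrets store
        String rootAlias = "example-root";                         // hypothetical alias

        // initRootCA overwrites an existing root keystore and truststore, so refuse to run
        // a second time rather than silently destroy the current root key.
        if (Files.exists(rootKeystore)) {
            throw new IllegalStateException("refusing to overwrite existing root keystore " + rootKeystore);
        }

        // Assumed wiring (not shown on this page): the configuration carries keystore
        // locations and passwords; CAHandler is built from a CertificateBuilder.
        PKIConfiguration config = new PKIConfiguration(rootAlias);
        config.setRootCaKeystorePath(rootKeystore.toString());
        config.setRootCaKeystorePassword(new String(password));
        config.setRootCaKeyPassword(new String(password));
        config.setSubCaKeystorePath(subCaKeystore.toString());
        config.setSubCaKeystorePassword(new String(password));
        config.setSubCaKeyPassword(new String(password));
        config.setTruststorePath(truststore.toString());
        config.setTruststorePassword(new String(password));
        CAHandler caHandler = new CAHandler(new CertificateBuilder(new KeystoreHandler(config)), config);

        // Step 1: self-signed root valid 20 years. Creates the root keystore and the truststore.
        caHandler.initRootCA("C=DK,O=Example Org,CN=Example MCP Root CA",
                "https://pki.example.org/crl/root.crl", rootAlias, 20 * 12);

        // Step 2: intermediate signed by the root, valid 10 years. Needs the truststore from step 1.
        caHandler.createSubCa("C=DK,O=Example Org,CN=Example MCP Sub CA", rootAlias, 10 * 12);

        // Check: the truststore holds the root certificate (assumed under rootAlias), it is
        // self-signed, currently valid, and carries CA basic constraints.
        X509Certificate root = loadTrustedCert(truststore, password, rootAlias);
        root.verify(root.getPublicKey());                 // throws if not signed by its own key
        root.checkValidity();                             // throws if outside notBefore/notAfter
        if (root.getBasicConstraints() < 0) {
            throw new IllegalStateException("root certificate lacks CA basic constraints");
        }
        System.out.println("root CA ok: " + root.getSubjectX500Principal());
    }

    /** Loads one certificate from the truststore; the default KeyStore type reads JKS or PKCS#12 on JDK 9+. */
    static X509Certificate loadTrustedCert(Path truststore, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, password);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias " + alias + " in " + truststore);
        }
        return cert;
    }
}
```

The guard before initRootCA is the important part: the method overwrites the root keystore, so a second run without it would replace the key every issued certificate chains to. The PKCS#11 variants follow the same order; only the configuration object and the place the private key lives differ.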
      • loadRevocationFile

        public List<RevocationInfo> loadRevocationFile​(String revocationFile)
        Loads a CSV file with information about revoked certificates into a RevocationInfo list. The file must use a semicolon as the field separator, one entry per line, in the format:
        serial-number;revocation-reason;date
        For example (decimal serial number, reason as a lower-case word, date as yyyy-MM-dd):
        345678954765889809876543;cacompromise;2017-04-30
        Parameters:
        revocationFile - Path to the file that should be loaded.
        Returns:
        List of RevocationInfo entries, one per line of the file, for the certificates that have been or should be revoked.
      • generateRootCRL

        public void generateRootCRL​(String outputCaCrlPath,
                                    String revocationFile,
                                    String rootCAAlias)
        Generates a CRL for the root CA. It is expected that a RootCaKeystore is defined in PKIConfiguration and exists.
        Parameters:
        outputCaCrlPath - Output path where to place the CRL.
        revocationFile - Path to the CSV file which contains revocation info.
        rootCAAlias - The alias of the root CA.
      • generateRootCRLP11

        public void generateRootCRLP11​(String outputCaCrlPath,
                                       String revocationFile,
                                       String rootCAAlias)
        Generates a root CA CRL using a private key stored in an HSM.
        Parameters:
        outputCaCrlPath - Output path where to place the CRL.
        revocationFile - Path to the CSV file which contains revocation info.
        rootCAAlias - The alias of the root CA.
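
An added example, not the project's own code, that validates a revocation file against the format described for loadRevocationFile before handing it to generateRootCRL, and then checks the CRL that came out: signature by the root certificate, matching issuer, and every serial from the file present. It assumes a CAHandler already configured for the root keystore, that the truststore holds the root certificate under rootCAAlias, and that every revocation reason is spelled the way the page spells cacompromise (a CRLReason name, lower-cased, underscores dropped); the paths are hypothetical. The date check is strict, so a line such as the original page's 2017-04-31 is rejected instead of being rolled over to the next month.

```java
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CRLReason;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import net.maritimeconnectivity.pki.CAHandler;

/** Validates a revocation CSV, issues the root CRL with generateRootCRL and verifies the result. Example code. */
public class RootCrlWorkflow {

    /** Accepted reasons: CRLReason names lower-cased with underscores dropped, e.g. CA_COMPROMISE -> "cacompromise".
     *  Assumption: loadRevocationFile expects this spelling for every reason, not only the one the page shows. */
    static final Set<String> REASONS = new HashSet<>();
    static {
        for (CRLReason r : CRLReason.values()) {
            if (r != CRLReason.UNUSED) {                   // value 7 is reserved and must not be used
                REASONS.add(r.name().replace("_", "").toLowerCase(Locale.ROOT));
            }
        }
    }

    /** Checks each line of the semicolon-separated file (serial;reason;yyyy-MM-dd) and returns the serials,
     *  failing on the first bad line so a malformed row never reaches the CRL. */
    static List<BigInteger> validateRevocationFile(Path csv) throws IOException {
        List<BigInteger> serials = new ArrayList<>();
        List<String> lines = Files.readAllLines(csv, StandardCharsets.UTF_8);
        for (int i = 0; i < lines.size(); i++) {
            String line = lines.get(i).trim();
            if (line.isEmpty()) {
                continue;                                  // tolerate blank lines
            }
            String[] fields = line.split(";", -1);
            if (fields.length != 3) {
                throw new IllegalArgumentException("line " + (i + 1) + ": expected serial;reason;date");
            }
            BigInteger serial;
            try {
                serial = new BigInteger(fields[0].trim()); // decimal, as in the page's example
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("line " + (i + 1) + ": bad serial number", e);
            }
            if (serial.signum() <= 0) {
                throw new IllegalArgumentException("line " + (i + 1) + ": serial must be positive");
            }
            String reason = fields[1].trim().toLowerCase(Locale.ROOT);
            if (!REASONS.contains(reason)) {
                throw new IllegalArgumentException("line " + (i + 1) + ": unknown reason " + reason);
            }
            try {
                LocalDate.parse(fields[2].trim());          // strict ISO date: "2017-04-31" throws here
            } catch (DateTimeParseException e) {
                throw new IllegalArgumentException("line " + (i + 1) + ": bad date", e);
            }
            serials.add(serial);
        }
        return serials;
    }

    /** Issues the root CRL and proves it was signed by the root certificate in the truststore and lists every
     *  serial from the CSV. caHandler must already be configured for the root keystore (assumed). */
    static X509CRL issueAndCheckRootCrl(CAHandler caHandler, Path csv, Path crlOut, String rootAlias,
                                        Path truststore, char[] truststorePassword) throws Exception {
        List<BigInteger> expected = validateRevocationFile(csv);
        caHandler.generateRootCRL(crlOut.toString(), csv.toString(), rootAlias);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // reads JKS or PKCS#12 on JDK 9+
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, truststorePassword);
        }
        X509Certificate root = (X509Certificate) ks.getCertificate(rootAlias); // assumed stored under this alias
        if (root == null) {
            throw new IllegalStateException("no root certificate under alias " + rootAlias);
        }

        X509CRL crl;
        try (InputStream in = Files.newInputStream(crlOut)) {
            crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
        crl.verify(root.getPublicKey());                  // throws if the signature is not the root's
        if (!crl.getIssuerX500Principal().equals(root.getSubjectX500Principal())) {
            throw new IllegalStateException("CRL issuer does not match the root CA subject");
        }
        for (BigInteger serial : expected) {
            if (crl.getRevokedCertificate(serial) == null) {
                throw new IllegalStateException("serial " + serial + " missing from the CRL");
            }
        }
        return crl;
    }
}
```

The same checks apply to a CRL produced by generateRootCRLP11; only the signing key's location changes, and the verification still uses the root certificate from the truststore, never the HSM.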