How to generate CSR (certificate signing request) in PKCS#10 format

Hi,

First, I am a novice in security issues.

Problem:

I know how to generate CSR using PKCS#10 format with keytool. However I need to implement this functionality in my application. Unfortunately I can't find any docs describing this issue.

Does anybody know about some API where I just pass data and it will generate the CSR for me?

Many Thanks,

Miso

By mvpa at 2007-10-3 11:28:38
# 1

Hi again,

After long research I am finally able to generate PKCS#10 cert. request files:

    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.PrivateKey;
    import java.security.PublicKey;
    import java.security.SecureRandom;
    import java.security.Signature;

    // internal JDK classes, not public API; this shape matches JDK 5/6
    import sun.security.pkcs.PKCS10;
    import sun.security.x509.X500Name;
    import sun.security.x509.X500Signer;

    public static void generatePKCS10() throws Exception {
        // generate PKCS10 certificate request
        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");

        // MD5withRSA and 1024-bit RSA are what the post used; both are considered
        // weak today (SHA256withRSA with 2048 bits or more is the usual choice now)
        String sigAlg = "MD5WithRSA";

        // generate key pair - use java.security.SecureRandom for entropy
        keyGen.initialize(1024, new SecureRandom());
        KeyPair keypair = keyGen.generateKeyPair();
        PublicKey publicKey = keypair.getPublic();
        PrivateKey privateKey = keypair.getPrivate();

        // the request carries the public key; the private key only signs it
        PKCS10 pkcs10 = new PKCS10(publicKey);
        Signature signature = Signature.getInstance(sigAlg);
        signature.initSign(privateKey);

        // subject: common name, orgUnit, org, locality, state, country
        X500Name x500Name = new X500Name(
                "CName",        // CN
                "OUnit",        // OU
                "Organization", // O
                "Bratislava",   // L
                "Slovakia",     // S
                "SK");          // C

        // DER-encode the CertificationRequestInfo and sign it with the subject's key
        pkcs10.encodeAndSign(new X500Signer(signature, x500Name));

        // PKCS10 request generated - print it PEM-style to stdout
        pkcs10.print(System.out);
    }

Problem 1:

However, this generates only a request with X500 subject's name ("CN, OU, O, ..."). But I also want to specify other things like "Key Usage" (example: "Digital Signature, Key Encipherment, etc.") or "Generic IA5 String" (example: "Only for test purposes."). How to do that?

Problem 2:

I'm also having trouble finding javadoc for the "sun.security" package. As you can see, I'm using the "sun.security.pkcs.PKCS10" class for generating the CSR in PKCS10 format, but can't find any javadoc for it.

Many thanks,

Miso

mvpa at 2007-7-15 13:54:55
# 2

http://archives.java.sun.com/cgi-bin/wa?A2=ind9705&L=java-security&P=5208 -> Here it is written that, quote: "sun.security.pkcs.PKCS10 is not publicly supported and you'll need to get a source license to the JDK in order to get documentation to that particular class.".

Question 1:

OK, but what other class should I use instead?

By the way, Cert. Signing Requests generated by sun.security.pkcs.PKCS10 seem to be OK. I've sent a PKCS#10 request to one "test CA" and it was successful - CA issued me a certificate.

Question 2:

Why is sun.security.pkcs.PKCS10 class not publicly supported?

mvpa at 2007-7-15 13:54:55
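As an added example (not code from this thread or from Sun), the same request built on Bouncy Castle's public PKIX API instead of sun.security.pkcs.PKCS10, which is one answer to Question 1 above and to Problem 1 in #1. It assumes bcprov and bcpkix are on the classpath; the subject values, the host name cname.example and the IA5 text are placeholders. Requested extensions such as Key Usage go into a pkcs-9 extensionRequest attribute (the standard place CAs look for them), and a free-form IA5String can be carried in the pkcs-9 unstructuredName attribute. The example also verifies the self-signature and reads the requested Key Usage back out, which is the check a CA does before honouring the request.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;

import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemWriter;

public final class CsrWithExtensions {

    // Builds a PKCS#10 request carrying a Key Usage extension request and an IA5String attribute.
    // Subject values and the DNS name are placeholders (assumption, not from the thread).
    public static PKCS10CertificationRequest buildCsr(KeyPair keyPair)
            throws IOException, OperatorCreationException {
        X500Name subject = new X500NameBuilder(BCStyle.INSTANCE)
                .addRDN(BCStyle.C, "SK")
                .addRDN(BCStyle.ST, "Slovakia")
                .addRDN(BCStyle.L, "Bratislava")
                .addRDN(BCStyle.O, "Organization")
                .addRDN(BCStyle.OU, "OUnit")
                .addRDN(BCStyle.CN, "CName")
                .build();

        // Extensions the requester would like in the issued certificate.
        ExtensionsGenerator extGen = new ExtensionsGenerator();
        extGen.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        extGen.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.dNSName, "cname.example")));

        JcaPKCS10CertificationRequestBuilder builder =
                new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic());
        // pkcs-9 extensionRequest is where CAs expect requested extensions.
        builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
        // pkcs-9 unstructuredName accepts an IA5String, so free text can travel here.
        builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_unstructuredName,
                new DERIA5String("Only for test purposes."));

        // SHA256withRSA rather than MD5withRSA: MD5 signatures are rejected by current CAs.
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate());
        return builder.build(signer);
    }

    // The request is self-signed with the key it carries; a CA checks this proof of possession.
    public static boolean signatureValid(PKCS10CertificationRequest csr) throws Exception {
        PublicKey pub = new JcaPKCS10CertificationRequest(csr).getPublicKey();
        return csr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(pub));
    }

    // Reads the requested Key Usage back out of the extensionRequest attribute (null if absent).
    public static KeyUsage requestedKeyUsage(PKCS10CertificationRequest csr) {
        Attribute[] attrs = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
        if (attrs.length == 0) {
            return null;
        }
        Extensions exts = Extensions.getInstance(attrs[0].getAttrValues().getObjectAt(0));
        return KeyUsage.fromExtensions(exts);
    }

    // PEM form ("-----BEGIN CERTIFICATE REQUEST-----") is what most CA front ends accept.
    public static String toPem(PKCS10CertificationRequest csr) throws IOException {
        StringWriter sw = new StringWriter();
        try (PemWriter pw = new PemWriter(sw)) {
            pw.writeObject(new PemObject("CERTIFICATE REQUEST", csr.getEncoded()));
        }
        return sw.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048, new SecureRandom());
        KeyPair kp = kpg.generateKeyPair();

        PKCS10CertificationRequest csr = buildCsr(kp);
        System.out.print(toPem(csr));
        System.out.println("signature valid: " + signatureValid(csr));
        KeyUsage ku = requestedKeyUsage(csr);
        System.out.println("requests digitalSignature+keyEncipherment: "
                + (ku != null && ku.hasUsages(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)));
    }
}
```

Two caveats a practitioner should keep in mind: the extensionRequest attribute is only a request, so the CA may drop or rewrite any of it (check the issued certificate, not the CSR, for the final Key Usage), and the private key never leaves the generating process; only the signed request is sent to the CA.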
# 3
I need to generate a CSR using PKCS#10 format. Please help with instructions on how to do this using keytool for WebSphere server.

Thanks,

Hung Nguyen
hung.t.nguyen@boeing.com
HungNguyena at 2007-7-15 13:54:55
# 4

> Problem 2:
> I'm also having trouble finding javadoc for
> the "sun.security" package. As you can see, I'm
> using the "sun.security.pkcs.PKCS10" class for
> generating the CSR in PKCS10 format, but can't find any
> javadoc for it.

Any packages that start with sun are internal Sun packages. They contain classes that are not part of the public API. Two things to be aware of if you use them are that Sun will not guarantee they won't change in future versions of Java, and that other JVMs (Blackdown, IBM, etc.) may not contain the implementation.

I really wonder why some of this stuff isn't public, like the Base64 encoder/decoder as it would be very useful.

Dave

dstutza at 2007-7-15 13:54:55
# 5

Never use sun.security classes directly, they may be changed at any time.

A safer way (not safe by Sun's standards) is to call a keytool function directly through "sun.security.tools.KeyTool.main(...)". Although this one is also a sun.security class, at least the keytool command line options are defined in the javadoc, and Sun needs to keep compatibility with the old keytool.

wangwja at 2007-7-15 13:54:55