CODEWITHSUNDEEP
javabouncycastlejce
nablex
nablex

Reputation: 4757

Bouncy castle 1.47 and standard JCE

I am trying to create some helper methods to create (and sign) CSR, self signed certificates etc... I already had some methods implemented with now-deprecated functionality. In the interest of keeping up with the latest, I have upgraded bouncycastle to 1.47 which seems to be largely different and I was wondering two things:

1) I can't seem to track down a concise list of examples. Due to the added verbosity of the code now necessary to accomplish similar things as before, this would be very welcome.

2) It seems unreasonably hard to work with bouncycastle while mixing in classic JCE stuff, at least much more so then before. Is there a reason for this?

As an example of the latter, take the generation of a csr, it used to be as simple as doing this:

org.bouncycastle.jce.PKCS10CertificationRequest request = new org.bouncycastle.jce.PKCS10CertificationRequest(type.toString(), subject, pair.getPublic(), null, pair.getPrivate());

Where subject is a "javax.security.auth.x500.X500Principal", the private & public key stem from a general "java.security.KeyPair" etc.

Now I have something like:

public byte[] generatePKCS10(KeyPair pair, SignatureType type, X500Principal subject) throws IOException {
    PKCS10CertificationRequestBuilder builder = new PKCS10CertificationRequestBuilder(
        new X500Name(subject.getName()),
        SubjectPublicKeyInfo.getInstance(pair.getPublic())
    );
    AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(type.toString());
    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
    AsymmetricKeyParameter keyParam = PrivateKeyFactory.createKey(pair.getPrivate().getEncoded());
    try {
        ContentSigner signer = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(keyParam);
        PKCS10CertificationRequest csr = builder.build(signer);
        ContentVerifierProvider verifier = new JcaContentVerifierProviderBuilder().setProvider(new BouncyCastleProvider()).build(pair.getPublic());
        csr.isSignatureValid(verifier);
        return csr.getEncoded();
    }
    catch (OperatorCreationException e) {
        throw new IOException(e);
    }
    catch (PKCSException e) {
        throw new IOException(e);
    }
}

Is there a whole host of easy conversion utilities or overloaded methods or JCE-specific implementations that I'm missing? It does not help that a lot of google-searches highlight old (read: deprecated) ways of doing things.

Upvotes: 1

Views: 2573

Answers (1)

nablex
nablex

Reputation: 4757

I stumbled upon a JCE-compliant solution shortly after posting this. It seems quite a few of their classes have a JCA-specific extension which handles all the necessary conversion. For example "X509v1CertificateBuilder" can be instantiated as "new JcaX509v1CertificateBuilder()" which takes JCE parameters instead of bouncycastle-specific ones.

For the example above:

PKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(
    subject,
    pair.getPublic()
);

I hope this pattern holds...

Upvotes: 1

Related Questions