karasiq / cryptoutils   1.4.3

MIT License GitHub

Scala wrappers for JCA/BouncyCastle

Scala versions: 2.12 2.11

cryptoutils Build Status Maven Central

Scala wrappers for JCA/BouncyCastle classes

How to use

Add to build.sbt:

libraryDependencies ++= Seq(
  "org.bouncycastle" % "bcprov-jdk15on" % "1.58",
  "org.bouncycastle" % "bcpkix-jdk15on" % "1.58",
  "com.github.karasiq" %% "cryptoutils" % "1.4.3"
)

Managing key pairs and certificates

Generating X.509 certificate

val keyGenerator = CertificateGenerator()

// Self-signed CA certificate
val caSubject = X509Utils.subject("Example Root CA", "US", "California", "San Francisco", "Example", "Example Root CA", "[email protected]")
val ca: TLS.CertificateKey = keyGenerator.generate(caSubject, "RSA", 2048, extensions = CertExtension.certificationAuthorityExtensions()) 
println(s"Self-signed: ${ca.certificate.getSubject}")

// CA-signed certificate
val subject = X509Utils.subject("Example Subject", "US", "California", "San Francisco", "Example", "Example", "[email protected]")
val cert: TLS.CertificateKey = keyGenerator.generate(subject, "RSA", 2048, Some(ca), BigInt(1))
println(s"CA signed: ${cert.certificate.getSubject}")

X.509 certification request

val keyGenerator = CertificateGenerator()

val subject = X509Utils.subject("Example Subject", "US", "California", "San Francisco", "Example", "Example", "[email protected]")
val keyPair: java.security.KeyPair = ??? // Generate/load key pair

// Creating request
val request = keyGenerator.createRequest(keyPair, subject)

// Signing request
val ca: TLS.CertificateKey = ... // Certification authority certificate and private key
val cert: TLS.CertificateChain = keyGenerator.signRequest(request, ca) // Resulting certificate chain

Verifying X.509 certificate

val verifier = CertificateVerifier(CertificateStatusProvider.CRL, ca.certificate) // Or from java trust store: CertificateVerifier.fromTrustStore(TrustStore.fromFile("example-trust.jks"), CertificateStatusProvider.CRL)
if (verifier.isChainValid(cert.certificateChain)) {
  println(s"Verified: ${cert.getSubject}")
}

Using PEM files

val certificationAuthority = PEM.certificate.fromFile("ca.crt")
val myCertificate = PEM.certificate.fromFile("mycert.crt")
val keyPair = PEM.keyPair.fromFile("mykey.key")

val certKey = TLS.CertificateKey(new TLS.CertificateChain(Array(myCertificate, certificationAuthority)), keyPair)

Using Java Key Store

// Open key store
val keyStore = TLSKeyStore.open("example.jks", "123456")

// Reading key
val (key, chain) = (keyStore.getKey("example"), keyStore.getCertificateChain("example"))

// Reading key set
val keySet: TLS.KeySet = keyStore.getKeySet("example")

// Adding new key
val newKey: TLS.CertificateKey = ??? // Generate key and certificate (see above)
keyStore.putKey("example-new", newKey)

// Saving to file
keyStore.saveAs("example.jks")

Using TLS (transport layer security)

TLS client

val verifier: CertificateVerifier = ??? // Certificate verifier
val clientKeySet: TLS.KeySet = ??? // Client authorization
val address = new InetSocketAddress("example.com", 443) // Server address

// Opening connection:
val clientWrapper = new TLSClientWrapper(verifier, address, clientKeySet)
val socket = clientWrapper(SocketChannel.open(address))
// ... Do read/write, etc ...
socket.close()

TLS server

val verifier: CertificateVerifier = ... // Client certificate verifier
val serverKeySet: TLS.KeySet = keyStore.getKeySet("example-server") // Server certificate is required

// Accepting connection
val serverWrapper = new TLSServerWrapper(serverKeySet, clientAuth = true, verifier)
val serverSocket = ServerSocketChannel.open()
serverSocket.bind(new InetSocketAddress("0.0.0.0", 443))

val socket = serverWrapper(serverSocket.accept())
// ... Do read/write, etc ...
socket.close()