Pkix.java

package org.haox.pki;

import org.apache.commons.ssl.PKCS8Key;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public class Pkix {

    public static List<Certificate> getCerts(String certFile) throws IOException, CertificateException {
        InputStream is = new FileInputStream(new File(certFile));
        return getCerts(is);
    }

    public static List<Certificate> getCerts(InputStream inputStream) throws IOException, CertificateException {
        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs =
                (Collection<? extends Certificate>) certFactory.generateCertificates(inputStream);

        return new ArrayList<Certificate>(certs);
    }

    public static PrivateKey getPrivateKey(String keyFile, String password) throws IOException, GeneralSecurityException {
        InputStream in = new FileInputStream("/path/to/pkcs8_private_key.der");
        return getPrivateKey(in, password);
    }

    public static PrivateKey getPrivateKey(InputStream inputStream, String password) throws GeneralSecurityException, IOException {
        if (password == null) password = "";
        // If the provided InputStream is encrypted, we need a password to decrypt
        // it. If the InputStream is not encrypted, then the password is ignored
        // (can be null).  The InputStream can be DER (raw ASN.1) or PEM (base64).
        PKCS8Key pkcs8 = new PKCS8Key(inputStream, password.toCharArray());

        // If an unencrypted PKCS8 key was provided, then this actually returns
        // exactly what was originally passed inputStream (with no changes).  If an OpenSSL
        // key was provided, it gets reformatted as PKCS #8 first, and so these
        // bytes will still be PKCS #8, not OpenSSL.
        byte[] decrypted = pkcs8.getDecryptedBytes();
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decrypted);

        // A Java PrivateKey object is born.
        PrivateKey pk = null;
        if (pkcs8.isDSA()) {
            pk = KeyFactory.getInstance("DSA").generatePrivate(spec);
        }
        else if (pkcs8.isRSA()) {
            pk = KeyFactory.getInstance("RSA").generatePrivate(spec);
        }

        // For lazier types:
        pk = pkcs8.getPrivateKey();

        return pk;
    }
}