Interface KeyAndCertificateFactory
- All Known Implementing Classes: BCKeyAndCertificateFactory
- Author: jamesdbloom
Field Summary
- static final String CERTIFICATE_DOMAIN: default CN for leaf distinguishing name
- static final long CERTIFICATE_VALIDITY_YEARS: number of years the generated CA and leaf certificates remain valid
- static final String COUNTRY: C for distinguishing name
- static final AsymmetricKeyPairAlgorithm DEFAULT_KEY_GENERATION_AND_SIGNING_ALGORITHM: default key pair generation and signing algorithm
- static final String LOCALITY: L for distinguishing name
- static final String ORGANISATION: O for distinguishing name
- static final String PROXY_SETUP_CA_CERTIFICATE_FILE_NAME: stable filename, under directoryToSaveDynamicSSLCertificate, that the active Certificate Authority X.509 certificate (public certificate only, never the private key) is written to so it can be pinned into client trust stores when MockServer is used as a TLS-intercepting proxy
- static final String ROOT_COMMON_NAME: CN for CA distinguishing name
- static final String STATE: ST for distinguishing name
Method Summary
- void buildAndSaveCertificateAuthorityPrivateKeyAndX509Certificate()
- void buildAndSavePrivateKeyAndX509Certificate()
- X509Certificate certificateAuthorityX509Certificate()
- List<X509Certificate> certificateChain()
- boolean certificateNotYetCreated()
- static Date notAfter(): the not-after validity bound for a freshly issued certificate, CERTIFICATE_VALIDITY_YEARS years in the future from issuance time
- static Date notBefore(): the not-before validity bound for a freshly issued certificate: the current time minus 5 days, in case the software clock goes back due to time synchronization
- PrivateKey privateKey()
- static String writeCertificateAuthorityPem(X509Certificate caCertificate, String directory): PEM-encode the public certificate (never a private key) and write it atomically to <directory>/"mockserver-ca.pem"; the content is written to a sibling temp file and then moved into place (ATOMIC_MOVE where supported) so a concurrent reader never observes a truncated or empty file
- default String writeCertificateAuthorityToDisk(): materialise the active Certificate Authority X.509 certificate (the baked-in public CA, a custom supplied CA, or the dynamically generated CA, whichever is in effect) to <directoryToSaveDynamicSSLCertificate>/"mockserver-ca.pem"
- X509Certificate x509Certificate()
Field Details

DEFAULT_KEY_GENERATION_AND_SIGNING_ALGORITHM
static final AsymmetricKeyPairAlgorithm DEFAULT_KEY_GENERATION_AND_SIGNING_ALGORITHM
default key pair generation and signing algorithm
CERTIFICATE_VALIDITY_YEARS
static final long CERTIFICATE_VALIDITY_YEARS
Number of years the generated CA and leaf certificates remain valid. The generated CA is the trust anchor users pin into their trust stores, so it needs to outlive a typical test/CI lifetime rather than expiring after a single year and silently breaking pinned-CA deployments. Ten years is long enough to avoid surprise expiry while staying well below both the X.509 ceiling and the lower not-after bound that older clients (e.g. Apple iOS 8, issue #6) enforce. A pinned CA of this lifetime lets whoever holds its private key impersonate any TLS origin to the pinning client, which is why only the public certificate is ever written out (see PROXY_SETUP_CA_CERTIFICATE_FILE_NAME).
ROOT_COMMON_NAME
static final String ROOT_COMMON_NAME
CN for CA distinguishing name

CERTIFICATE_DOMAIN
static final String CERTIFICATE_DOMAIN
default CN for leaf distinguishing name

ORGANISATION
static final String ORGANISATION
O for distinguishing name

LOCALITY
static final String LOCALITY
L for distinguishing name

STATE
static final String STATE
ST for distinguishing name

COUNTRY
static final String COUNTRY
C for distinguishing name

PROXY_SETUP_CA_CERTIFICATE_FILE_NAME
static final String PROXY_SETUP_CA_CERTIFICATE_FILE_NAME
Stable filename, under directoryToSaveDynamicSSLCertificate, that the active Certificate Authority X.509 certificate (public certificate only, never the private key) is written to so it can be pinned into client trust stores when MockServer is used as a TLS-intercepting proxy. The value is "mockserver-ca.pem" (see writeCertificateAuthorityPem).
Method Details

notBefore
static Date notBefore()
The not-before validity bound for a freshly issued certificate: the current time minus 5 days, in case the software clock goes back due to time synchronization. Computed per issuance (rather than once at class load) so that certificates generated on the fly, e.g. leaf certificates minted long after the JVM started, are anchored to issuance time rather than to JVM start time.
notAfter
static Date notAfter()
The not-after validity bound for a freshly issued certificate, CERTIFICATE_VALIDITY_YEARS years in the future from issuance time. The maximum possible value in the X.509 specification is 9999-12-31 23:59:59 (new Date(253402300799000L)), but Apple iOS 8 fails with a certificate expiration date greater than Mon, 24 Jan 6084 02:07:59 GMT (issue #6).
Computed per issuance (rather than once at class load) so that on-the-fly generated certificates are anchored to issuance time rather than to JVM start time.
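The two bounds above as an added example (illustrative code, not MockServer's source): the window is computed per call from an explicit issuance instant, the ten-year length and five-day skew allowance come from the field docs, and the iOS 8 ceiling quoted above is enforced before a date is handed back. The class name, the Instant-taking overloads and withinWindow are this example's own.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.Date;

// Illustrative validity-window helpers; names and structure are this example's, not MockServer's.
public final class ValidityWindow {
    // CERTIFICATE_VALIDITY_YEARS is documented as ten years.
    static final long CERTIFICATE_VALIDITY_YEARS = 10;
    // notBefore is backdated by five days to tolerate a clock stepped backwards by time sync.
    static final Duration CLOCK_SKEW_ALLOWANCE = Duration.ofDays(5);
    // Apple iOS 8 rejected a notAfter later than Mon, 24 Jan 6084 02:07:59 GMT (issue #6); this
    // lies below the X.509 ceiling of 9999-12-31T23:59:59Z, so checking it covers both limits.
    static final Instant IOS8_CEILING =
        ZonedDateTime.of(6084, 1, 24, 2, 7, 59, 0, ZoneOffset.UTC).toInstant();

    private ValidityWindow() {}

    // Evaluated on every call, never cached, so a leaf minted hours after JVM start is
    // anchored to its own issuance time.
    public static Date notBefore() { return notBefore(Instant.now()); }
    public static Date notAfter()  { return notAfter(Instant.now()); }

    static Date notBefore(Instant issuedAt) {
        return Date.from(issuedAt.minus(CLOCK_SKEW_ALLOWANCE));
    }

    static Date notAfter(Instant issuedAt) {
        // Calendar arithmetic (plusYears) rather than 365 * 10 days, so leap years do not drift the bound.
        Instant end = issuedAt.atZone(ZoneOffset.UTC).plusYears(CERTIFICATE_VALIDITY_YEARS).toInstant();
        if (end.isAfter(IOS8_CEILING)) {
            throw new IllegalStateException("notAfter " + end + " exceeds the iOS 8 ceiling " + IOS8_CEILING);
        }
        return Date.from(end);
    }

    // Would a certificate issued at issuedAt be inside its validity window at checkTime?
    static boolean withinWindow(Instant issuedAt, Instant checkTime) {
        Instant start = notBefore(issuedAt).toInstant();
        Instant end = notAfter(issuedAt).toInstant();
        return !checkTime.isBefore(start) && !checkTime.isAfter(end);
    }

    public static void main(String[] args) {
        Instant issued = Instant.parse("2024-03-01T12:00:00Z"); // constructed issuance instant
        System.out.println("notBefore: " + notBefore(issued).toInstant());
        System.out.println("notAfter:  " + notAfter(issued).toInstant());
        // A clock stepped back three days is still inside the five-day allowance; six days is not.
        System.out.println("skew 3d inside window: " + withinWindow(issued, issued.minus(Duration.ofDays(3))));
        System.out.println("skew 6d inside window: " + withinWindow(issued, issued.minus(Duration.ofDays(6))));
        // An issuance instant so late that the ten-year bound would breach the iOS 8 ceiling is refused.
        try {
            notAfter(IOS8_CEILING);
        } catch (IllegalStateException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The overloads that take an Instant exist so the window can be exercised deterministically; the no-argument forms are the ones an issuer would call, and they deliberately read the clock on each invocation rather than storing a Date in a static field.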
buildAndSaveCertificateAuthorityPrivateKeyAndX509Certificate
void buildAndSaveCertificateAuthorityPrivateKeyAndX509Certificate()

buildAndSavePrivateKeyAndX509Certificate
void buildAndSavePrivateKeyAndX509Certificate()

certificateNotYetCreated
boolean certificateNotYetCreated()

privateKey
PrivateKey privateKey()

x509Certificate
X509Certificate x509Certificate()

certificateAuthorityX509Certificate
X509Certificate certificateAuthorityX509Certificate()

certificateChain
List<X509Certificate> certificateChain()
writeCertificateAuthorityToDisk
default String writeCertificateAuthorityToDisk()
Materialise the active Certificate Authority X.509 certificate (the baked-in public CA, a custom supplied CA, or the dynamically generated CA, whichever is in effect) to <directoryToSaveDynamicSSLCertificate>/"mockserver-ca.pem". Only the public certificate is written, never the private key. This default implementation is self-contained (no BouncyCastle dependency): it PEM-encodes the DER bytes of certificateAuthorityX509Certificate() and writes them atomically, using the directory from the global ConfigurationProperties.directoryToSaveDynamicSSLCertificate(). Implementations that hold their own Configuration (e.g. the BouncyCastle factory) override this to honour their instance-scoped directory.
- Returns: the absolute path of the written CA certificate PEM file
writeCertificateAuthorityPem
static String writeCertificateAuthorityPem(X509Certificate caCertificate, String directory)
PEM-encode the public certificate (never a private key) and write it atomically to <directory>/"mockserver-ca.pem": the content is written to a sibling temp file in the same directory (a rename is only atomic within one file system) and then moved into place (ATOMIC_MOVE where the file system supports it) so a concurrent reader never observes a truncated or empty file.
- Parameters:
  - caCertificate: the public CA certificate to write
  - directory: the directory to write the "mockserver-ca.pem" file into
- Returns: the absolute path of the written CA certificate PEM file
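An added illustration of the write-then-move strategy described above, together with the consumer side that the stable filename exists for (example code, not MockServer's implementation): the PEM is re-read into an in-memory KeyStore and a TrustManagerFactory so a client can pin the proxy CA as its only trust anchor. Class and helper names are this example's; it takes a java.nio.file.Path rather than the String directory of the interface method, and, since plain JDK cannot mint a certificate, main uses a root from the JDK's default trust store as a stand-in for the MockServer CA.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.AtomicMoveNotSupportedException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Illustrative writer and pinning loader; names are this example's, not MockServer's.
public final class CaPemFile {
    static final String PROXY_SETUP_CA_CERTIFICATE_FILE_NAME = "mockserver-ca.pem";

    private CaPemFile() {}

    // RFC 7468 layout: base64 of the DER encoding in 64-character lines between CERTIFICATE markers.
    // Only an X509Certificate is accepted, so key material cannot reach this path by mistake.
    static String toPem(X509Certificate certificate) throws GeneralSecurityException {
        String body = Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(certificate.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n";
    }

    // Write to a temp file in the same directory (a rename is only atomic within one file system),
    // then move it over the target: a reader sees the old file or the new one, never a partial one.
    public static Path writeCertificateAuthorityPem(X509Certificate caCertificate, Path directory)
            throws IOException, GeneralSecurityException {
        Files.createDirectories(directory);
        Path target = directory.resolve(PROXY_SETUP_CA_CERTIFICATE_FILE_NAME);
        Path temp = Files.createTempFile(directory, PROXY_SETUP_CA_CERTIFICATE_FILE_NAME, ".tmp");
        try {
            Files.write(temp, toPem(caCertificate).getBytes(StandardCharsets.US_ASCII));
            try {
                // With ATOMIC_MOVE every other option is ignored; an existing target is replaced atomically
                // on platforms that support it.
                Files.move(temp, target, StandardCopyOption.ATOMIC_MOVE);
            } catch (AtomicMoveNotSupportedException e) {
                // Fallback for file systems without atomic rename: still a single move, but a concurrent
                // reader could briefly find the target missing.
                Files.move(temp, target, StandardCopyOption.REPLACE_EXISTING);
            }
        } finally {
            Files.deleteIfExists(temp); // only still present if the move failed
        }
        return target.toAbsolutePath();
    }

    // Client side: refuse a file carrying key material, require exactly one certificate, and build a
    // TrustManagerFactory whose only anchor is that CA.
    public static TrustManagerFactory pinnedTrustManagers(Path pemFile) throws IOException, GeneralSecurityException {
        String text = new String(Files.readAllBytes(pemFile), StandardCharsets.US_ASCII);
        if (text.contains("PRIVATE KEY")) {
            throw new GeneralSecurityException(pemFile + " contains key material; refusing to load it as a trust anchor");
        }
        Collection<? extends Certificate> parsed;
        try (InputStream in = Files.newInputStream(pemFile)) {
            parsed = CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
        if (parsed.size() != 1) {
            throw new GeneralSecurityException("expected exactly one CA certificate, found " + parsed.size());
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty in-memory store, nothing inherited from cacerts
        trustStore.setCertificateEntry("mockserver-ca", parsed.iterator().next());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf;
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for the MockServer CA: any root from the JDK's default trust store.
        TrustManagerFactory defaults = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        defaults.init((KeyStore) null);
        X509Certificate sample = ((X509TrustManager) defaults.getTrustManagers()[0]).getAcceptedIssuers()[0];

        Path dir = Files.createTempDirectory("mockserver-ca-example");
        Path written = writeCertificateAuthorityPem(sample, dir);
        System.out.println("wrote " + written);

        TrustManagerFactory pinned = pinnedTrustManagers(written);
        X509Certificate[] anchors = ((X509TrustManager) pinned.getTrustManagers()[0]).getAcceptedIssuers();
        System.out.println("pinned exactly one anchor matching the written CA: "
            + (anchors.length == 1 && anchors[0].equals(sample)));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, pinned.getTrustManagers(), null); // sockets built from ctx trust only the proxy CA
    }
}
```

The loader builds its KeyStore from scratch instead of adding the CA to the JVM's cacerts, so a client configured from it trusts the intercepting proxy and nothing else; that is the pinning the PROXY_SETUP_CA_CERTIFICATE_FILE_NAME docs describe, and it is what keeps a test client from silently falling back to public roots when the proxy CA is missing.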