Interface KeyAndCertificateFactory

All Known Implementing Classes:
BCKeyAndCertificateFactory

public interface KeyAndCertificateFactory
Author:
jamesdbloom
  • Field Details

    • DEFAULT_KEY_GENERATION_AND_SIGNING_ALGORITHM

      static final AsymmetricKeyPairAlgorithm DEFAULT_KEY_GENERATION_AND_SIGNING_ALGORITHM
      default key pair generation and signing algorithm
    • CERTIFICATE_VALIDITY_YEARS

      static final long CERTIFICATE_VALIDITY_YEARS
      Number of years the generated CA and leaf certificates remain valid. The generated CA is the trust anchor users pin into their trust stores, so it needs to outlive a typical test/CI lifetime rather than expiring after a single year and silently breaking pinned-CA deployments. Ten years is long enough to avoid surprise expiry while staying well below the X.509 ceiling that older clients (e.g. Apple iOS 8, issue #6) reject.
    • ROOT_COMMON_NAME

      static final String ROOT_COMMON_NAME
      CN for CA distinguishing name
    • CERTIFICATE_DOMAIN

      static final String CERTIFICATE_DOMAIN
      default CN for leaf distinguishing name
    • ORGANISATION

      static final String ORGANISATION
      O for distinguishing name
    • LOCALITY

      static final String LOCALITY
      L for distinguishing name
    • STATE

      static final String STATE
      ST for distinguishing name
    • COUNTRY

      static final String COUNTRY
      C for distinguishing name
    • PROXY_SETUP_CA_CERTIFICATE_FILE_NAME

      static final String PROXY_SETUP_CA_CERTIFICATE_FILE_NAME
      Stable filename, under directoryToSaveDynamicSSLCertificate, that the active Certificate Authority X.509 certificate (public certificate only — never the private key) is written to so it can be pinned into client trust stores when MockServer is used as a TLS-intercepting proxy.
  • Method Details

    • notBefore

      static Date notBefore()
      The not-before validity bound for a freshly issued certificate: the current time minus 5 days, a margin that keeps the certificate accepted even if the system clock is stepped backwards by time synchronization shortly after issuance.

      Computed per issuance (rather than once at class load) so that certificates generated on the fly — e.g. leaf certificates minted long after the JVM started — are anchored to issuance time rather than to JVM start time.

    • notAfter

      static Date notAfter()
      The not-after validity bound for a freshly issued certificate, CERTIFICATE_VALIDITY_YEARS years in the future from issuance time.

      The maximum possible value in the X.509 specification is 9999-12-31 23:59:59 (new Date(253402300799000L)), but Apple iOS 8 fails with a certificate expiration date greater than Mon, 24 Jan 6084 02:07:59 GMT (issue #6).

      Computed per issuance (rather than once at class load) so that on-the-fly generated certificates are anchored to issuance time rather than to JVM start time.

    • buildAndSaveCertificateAuthorityPrivateKeyAndX509Certificate

      void buildAndSaveCertificateAuthorityPrivateKeyAndX509Certificate()
    • buildAndSavePrivateKeyAndX509Certificate

      void buildAndSavePrivateKeyAndX509Certificate()
    • certificateNotYetCreated

      boolean certificateNotYetCreated()
    • privateKey

      PrivateKey privateKey()
    • x509Certificate

      X509Certificate x509Certificate()
    • certificateAuthorityX509Certificate

      X509Certificate certificateAuthorityX509Certificate()
    • certificateChain

      List<X509Certificate> certificateChain()
    • writeCertificateAuthorityToDisk

      default String writeCertificateAuthorityToDisk()
      Materialise the active Certificate Authority X.509 certificate (the baked-in public CA, a custom supplied CA, or the dynamically generated CA, whichever is in effect) to <directoryToSaveDynamicSSLCertificate>/"mockserver-ca.pem". Only the public certificate is written, never the private key.

      This default implementation is self-contained (no BouncyCastle dependency): it PEM-encodes the DER bytes of certificateAuthorityX509Certificate() and writes them atomically, using the directory from the global ConfigurationProperties.directoryToSaveDynamicSSLCertificate(). Implementations that hold their own Configuration (e.g. the BouncyCastle factory) override this to honour their instance-scoped directory.

      Returns:
      the absolute path of the written CA certificate PEM file
    • writeCertificateAuthorityPem

      static String writeCertificateAuthorityPem(X509Certificate caCertificate, String directory)
      PEM-encode the public certificate (never a private key) and write it atomically to <directory>/"mockserver-ca.pem": the bytes go to a sibling temp file that is then moved into place (ATOMIC_MOVE where the filesystem supports it), so a concurrent reader never observes a truncated or empty file.
      Parameters:
      caCertificate - the public CA certificate to write
      directory - the directory to write the "mockserver-ca.pem" file into
      Returns:
      the absolute path of the written CA certificate PEM file
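As an added example (not MockServer's own code), the client-side counterpart of writeCertificateAuthorityToDisk(): load the "mockserver-ca.pem" file, run the checks a practitioner wants before trusting it (CA flag, self-signature for a root, the validity window, and the Apple iOS 8 notAfter bound quoted in the notAfter() note), and pin it as the only trust anchor of an SSLContext. The class name PinMockServerCa and its method names are assumptions; the path of the PEM file is supplied by the caller.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.time.*;
import java.util.Date;
import javax.net.ssl.*;

public class PinMockServerCa {

    // Apple iOS 8 rejects certificates expiring after this instant (issue #6, see notAfter() above).
    static final long IOS8_MAX_NOT_AFTER_MILLIS =
            ZonedDateTime.of(6084, 1, 24, 2, 7, 59, 0, ZoneOffset.UTC).toInstant().toEpochMilli();

    /** Parse the PEM written by writeCertificateAuthorityToDisk(); it holds the public certificate only. */
    static X509Certificate loadCaCertificate(Path pemFile) throws Exception {
        try (InputStream in = Files.newInputStream(pemFile)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Checks worth running before pinning: CA flag, self-signature (for a root), validity window. */
    static void checkCaCertificate(X509Certificate ca) throws Exception {
        if (ca.getBasicConstraints() < 0) {
            throw new CertificateException("not a CA certificate: basicConstraints cA is false");
        }
        if (ca.getSubjectX500Principal().equals(ca.getIssuerX500Principal())) {
            ca.verify(ca.getPublicKey());      // a root CA must carry a valid self-signature
        }
        ca.checkValidity(new Date());          // now must lie within [notBefore(), notAfter()]
        if (ca.getNotAfter().getTime() > IOS8_MAX_NOT_AFTER_MILLIS) {
            throw new CertificateException("notAfter is later than Apple iOS 8 accepts (issue #6)");
        }
    }

    /** Build an SSLContext whose only trust anchor is the MockServer CA, i.e. a pinned trust store. */
    static SSLContext pinnedSslContext(X509Certificate ca) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                      // empty in-memory trust store
        trustStore.setCertificateEntry("mockserver-ca", ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }
}
```

Usage: call loadCaCertificate(Paths.get(directory, "mockserver-ca.pem")), pass the result through checkCaCertificate, then hand pinnedSslContext(ca) to your HTTPS client so only certificates issued by that CA are accepted.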