wolfSSL
diff --git a/‎java/wolfssl-openjdk-fips-root/test-images/netty-tests/CertGen.java‎
Lines changed: 332 additions & 0 deletions b/‎java/wolfssl-openjdk-fips-root/test-images/netty-tests/CertGen.java‎
Lines changed: 332 additions & 0 deletions
@@ -0,0 +1,332 @@
+/*
+ * CertGen.java - Certificate generation utility using BouncyCastle
+ *
+ * Replaces all openssl calls in apply_netty_fips_fixes.sh.
+ * Compiled and run in the Docker builder stage using BouncyCastle jars
+ * from Netty's Maven dependencies.
+ *
+ * Commands:
+ *   pkcs8 <inFile> <outFile>
+ *       Convert PKCS#1 (RSA PRIVATE KEY) PEM to PKCS#8 (PRIVATE KEY) PEM
+ *
+ *   genca <certOut> <keyOut> <subject>
+ *       Generate a self-signed CA certificate with RSA 2048-bit key
+ *
+ *   signcert <caCert> <caKey> <certOut> <keyOut> <cn> <san1> [san2...]
+ *       Generate RSA 2048-bit key, create cert signed by CA with SAN extensions
+ *       Key output is PKCS#8 PEM format
+ *
+ *   encrypt <inFile> <outFile> <password>
+ *       Convert unencrypted PEM key to PBES2/PBKDF2-SHA256/AES-256-CBC encrypted PKCS#8
+ */
+
+import org.bouncycastle.asn1.DERNull;
+import org.bouncycastle.asn1.nist.NISTObjectIdentifiers;
+import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.BasicConstraints;
+import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.KeyPurposeId;
+import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMKeyPair;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfoBuilder;
+import org.bouncycastle.pkcs.jcajce.JcePKCSPBEOutputEncryptorBuilder;
+
+import java.io.FileReader;
+import java.io.FileWriter;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.List;
+
+public class CertGen {
+
+    static {
+        Security.addProvider(new BouncyCastleProvider());
+    }
+
+    public static void main(String[] args) throws Exception {
+        if (args.length < 1) {
+            System.err.println("Usage: CertGen <command> [args...]");
+            System.err.println("Commands: pkcs8, genca, signcert, encrypt");
+            System.exit(1);
+        }
+
+        String command = args[0];
+        switch (command) {
+            case "pkcs8":
+                if (args.length != 3) {
+                    System.err.println("Usage: CertGen pkcs8 <inFile> <outFile>");
+                    System.exit(1);
+                }
+                convertToPkcs8(args[1], args[2]);
+                break;
+
+            case "genca":
+                if (args.length != 4) {
+                    System.err.println("Usage: CertGen genca <certOut> <keyOut> <subject>");
+                    System.exit(1);
+                }
+                generateCA(args[1], args[2], args[3]);
+                break;
+
+            case "signcert":
+                if (args.length < 7) {
+                    System.err.println("Usage: CertGen signcert <caCert> <caKey> <certOut> <keyOut> <cn> <san1> [san2...]");
+                    System.exit(1);
+                }
+                String[] sans = new String[args.length - 6];
+                System.arraycopy(args, 6, sans, 0, sans.length);
+                signCert(args[1], args[2], args[3], args[4], args[5], sans);
+                break;
+
+            case "encrypt":
+                if (args.length != 4) {
+                    System.err.println("Usage: CertGen encrypt <inFile> <outFile> <password>");
+                    System.exit(1);
+                }
+                encryptKey(args[1], args[2], args[3]);
+                break;
+
+            default:
+                System.err.println("Unknown command: " + command);
+                System.exit(1);
+        }
+    }
+
+    /**
+     * Convert PKCS#1 PEM key to PKCS#8 PEM key (unencrypted).
+     */
+    private static void convertToPkcs8(String inFile, String outFile) throws Exception {
+        PrivateKey key = readPrivateKey(inFile);
+        // key.getEncoded() returns PKCS#8 encoded form
+        writePem(outFile, key);
+    }
+
+    /**
+     * Generate a self-signed CA certificate with RSA 2048 key.
+     * Key output is PKCS#8 PEM format.
+     */
+    private static void generateCA(String certOut, String keyOut, String subject) throws Exception {
+        KeyPair keyPair = generateRSAKeyPair();
+
+        X500Name issuer = new X500Name(subject);
+
+        Calendar cal = Calendar.getInstance();
+        Date notBefore = cal.getTime();
+        cal.add(Calendar.YEAR, 10);
+        Date notAfter = cal.getTime();
+
+        BigInteger serial = new BigInteger(128, new SecureRandom());
+
+        X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
+                issuer, serial, notBefore, notAfter, issuer, keyPair.getPublic());
+
+        // CA extensions
+        certBuilder.addExtension(Extension.basicConstraints, true,
+                new BasicConstraints(true));
+        certBuilder.addExtension(Extension.keyUsage, true,
+                new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
+
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA")
+                .setProvider("BC").build(keyPair.getPrivate());
+
+        X509CertificateHolder certHolder = certBuilder.build(signer);
+        X509Certificate cert = new JcaX509CertificateConverter()
+                .setProvider("BC").getCertificate(certHolder);
+
+        writePem(certOut, cert);
+        writePem(keyOut, keyPair.getPrivate());
+    }
+
+    /**
+     * Generate a certificate signed by a CA with SAN extensions.
+     * Key output is PKCS#8 PEM format.
+     */
+    private static void signCert(String caCertFile, String caKeyFile,
+                                  String certOut, String keyOut,
+                                  String cn, String[] sans) throws Exception {
+        // Load CA cert and key
+        X509Certificate caCert = readCertificate(caCertFile);
+        PrivateKey caKey = readPrivateKey(caKeyFile);
+
+        // Generate new key pair for the certificate
+        KeyPair keyPair = generateRSAKeyPair();
+
+        // Use DER encoding to preserve exact DN bytes (string round-trip
+        // mangles emailAddress OID, breaking wolfSSL issuer/subject matching)
+        X509CertificateHolder caCertHolder = new X509CertificateHolder(caCert.getEncoded());
+        X500Name issuer = caCertHolder.getSubject();
+        X500Name subject = new X500Name("CN=" + cn);
+
+        Calendar cal = Calendar.getInstance();
+        Date notBefore = cal.getTime();
+        cal.add(Calendar.YEAR, 10);
+        Date notAfter = cal.getTime();
+
+        BigInteger serial = new BigInteger(128, new SecureRandom());
+
+        X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
+                issuer, serial, notBefore, notAfter, subject, keyPair.getPublic());
+
+        // Not a CA
+        certBuilder.addExtension(Extension.basicConstraints, false,
+                new BasicConstraints(false));
+
+        // Key usage
+        certBuilder.addExtension(Extension.keyUsage, false,
+                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
+
+        // Extended key usage - server auth
+        certBuilder.addExtension(Extension.extendedKeyUsage, false,
+                new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
+
+        // Subject Alternative Names
+        List<GeneralName> sanList = new ArrayList<>();
+        for (String san : sans) {
+            if (san.matches("\\d+\\.\\d+\\.\\d+\\.\\d+")) {
+                // IP address
+                sanList.add(new GeneralName(GeneralName.iPAddress, san));
+            } else {
+                // DNS name
+                sanList.add(new GeneralName(GeneralName.dNSName, san));
+            }
+        }
+        if (!sanList.isEmpty()) {
+            certBuilder.addExtension(Extension.subjectAlternativeName, false,
+                    new GeneralNames(sanList.toArray(new GeneralName[0])));
+        }
+
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA")
+                .setProvider("BC").build(caKey);
+
+        X509CertificateHolder certHolder = certBuilder.build(signer);
+        X509Certificate cert = new JcaX509CertificateConverter()
+                .setProvider("BC").getCertificate(certHolder);
+
+        writePem(certOut, cert);
+        writePem(keyOut, keyPair.getPrivate());
+    }
+
+    /**
+     * Encrypt a PEM private key with PBES2/PBKDF2-HMAC-SHA256/AES-256-CBC.
+     */
+    private static void encryptKey(String inFile, String outFile, String password) throws Exception {
+        PrivateKey key = readPrivateKey(inFile);
+
+        // Build PKCS#8 encrypted private key using PBES2 with PBKDF2-HMAC-SHA256 and AES-256-CBC
+        PrivateKeyInfo pkInfo = PrivateKeyInfo.getInstance(key.getEncoded());
+        PKCS8EncryptedPrivateKeyInfoBuilder encBuilder =
+                new PKCS8EncryptedPrivateKeyInfoBuilder(pkInfo);
+
+        // Use PBES2 with PBKDF2-HMAC-SHA256 and AES-256-CBC
+        JcePKCSPBEOutputEncryptorBuilder encryptorBuilder =
+                new JcePKCSPBEOutputEncryptorBuilder(
+                        NISTObjectIdentifiers.id_aes256_CBC);
+        encryptorBuilder.setProvider("BC");
+        encryptorBuilder.setIterationCount(2048);
+        // Set PRF to HMAC-SHA256 (default is HMAC-SHA1)
+        encryptorBuilder.setPRF(
+                new AlgorithmIdentifier(PKCSObjectIdentifiers.id_hmacWithSHA256, DERNull.INSTANCE));
+
+        org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo encryptedInfo =
+                encBuilder.build(encryptorBuilder.build(password.toCharArray()));
+
+        // Write as PEM
+        try (JcaPEMWriter writer = new JcaPEMWriter(new FileWriter(outFile))) {
+            writer.writeObject(encryptedInfo);
+        }
+    }
+
+    // --- Helper methods ---
+
+    private static KeyPair generateRSAKeyPair() throws Exception {
+        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
+        kpg.initialize(2048, new SecureRandom());
+        return kpg.generateKeyPair();
+    }
+
+    /**
+     * Read a private key from PEM file (handles both PKCS#1 and PKCS#8 format).
+     */
+    private static PrivateKey readPrivateKey(String file) throws Exception {
+        try (FileReader reader = new FileReader(file);
+             PEMParser parser = new PEMParser(reader)) {
+
+            Object obj = parser.readObject();
+            JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
+
+            if (obj instanceof PEMKeyPair) {
+                // PKCS#1: -----BEGIN RSA PRIVATE KEY-----
+                return converter.getPrivateKey(((PEMKeyPair) obj).getPrivateKeyInfo());
+            } else if (obj instanceof PrivateKeyInfo) {
+                // PKCS#8: -----BEGIN PRIVATE KEY-----
+                return converter.getPrivateKey((PrivateKeyInfo) obj);
+            } else {
+                throw new IllegalArgumentException(
+                        "Unknown key format in " + file + ": " +
+                                (obj != null ? obj.getClass().getName() : "null"));
+            }
+        }
+    }
+
+    /**
+     * Read an X.509 certificate from PEM file.
+     */
+    private static X509Certificate readCertificate(String file) throws Exception {
+        try (FileReader reader = new FileReader(file);
+             PEMParser parser = new PEMParser(reader)) {
+
+            Object obj = parser.readObject();
+            if (obj instanceof X509CertificateHolder) {
+                return new JcaX509CertificateConverter()
+                        .setProvider("BC").getCertificate((X509CertificateHolder) obj);
+            } else {
+                throw new IllegalArgumentException(
+                        "Not a certificate in " + file + ": " +
+                                (obj != null ? obj.getClass().getName() : "null"));
+            }
+        }
+    }
+
+    /**
+     * Write an object as PEM to file.
+     * Private keys are written in PKCS#8 format (BEGIN PRIVATE KEY).
+     */
+    private static void writePem(String file, Object obj) throws IOException {
+        try (JcaPEMWriter writer = new JcaPEMWriter(new FileWriter(file))) {
+            if (obj instanceof PrivateKey) {
+                // Write as PKCS#8 (BEGIN PRIVATE KEY) not PKCS#1 (BEGIN RSA PRIVATE KEY)
+                PrivateKey pk = (PrivateKey) obj;
+                org.bouncycastle.openssl.PKCS8Generator gen =
+                    new org.bouncycastle.openssl.jcajce.JcaPKCS8Generator(pk, null);
+                writer.writeObject(gen);
+            } else {
+                writer.writeObject(obj);
+            }
+        }
+    }
+}