{"id":26641180,"url":"https://github.com/maritimeconnectivity/mcp-pki","last_synced_at":"2025-04-10T20:45:24.939Z","repository":{"id":43676236,"uuid":"86076874","full_name":"maritimeconnectivity/MCP-PKI","owner":"maritimeconnectivity","description":"PKI library of Maritime Connectivity Platform Identity Registry (MIR)","archived":false,"fork":false,"pushed_at":"2025-02-06T11:59:21.000Z","size":1075,"stargazers_count":2,"open_issues_count":0,"forks_count":3,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-24T18:19:58.457Z","etag":null,"topics":["java-library","maritime","maritime-connectivity-platform","mcp","pki"],"latest_commit_sha":null,"homepage":"http://maritimeconnectivity.net/#core_components","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/maritimeconnectivity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-03-24T14:29:36.000Z","updated_at":"2025-02-06T11:57:43.000Z","dependencies_parsed_at":"2024-08-29T09:41:12.874Z","dependency_job_id":"3dc41a38-055b-4e93-9bd9-c0efd7d3c9fa","html_url":"https://github.com/maritimeconnectivity/MCP-PKI","commit_stats":null,"previous_names":[],"tags_count":30,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maritimeconnectivity%2FMCP-PKI","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maritimeconnectivity%2FMCP-PKI/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maritimeconnectivity%2FMCP-PKI/releases","manifests_
url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/maritimeconnectivity%2FMCP-PKI/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/maritimeconnectivity","download_url":"https://codeload.github.com/maritimeconnectivity/MCP-PKI/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248294747,"owners_count":21079960,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["java-library","maritime","maritime-connectivity-platform","mcp","pki"],"created_at":"2025-03-24T18:20:09.525Z","updated_at":"2025-04-10T20:45:24.920Z","avatar_url":"https://github.com/maritimeconnectivity.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Java CI with Maven](https://github.com/maritimeconnectivity/MCP-PKI/actions/workflows/maven.yml/badge.svg)](https://github.com/maritimeconnectivity/MCP-PKI/actions/workflows/maven.yml)\n[![Maven Central](https://img.shields.io/maven-central/v/net.maritimeconnectivity.pki/mcp-pki?label=Maven%20Central)](https://search.maven.org/search?q=g:net.maritimeconnectivity.pki%20AND%20a:mcp-pki)\n[![javadoc](https://javadoc.io/badge2/net.maritimeconnectivity.pki/mcp-pki/javadoc.svg)](https://javadoc.io/doc/net.maritimeconnectivity.pki/mcp-pki)\n\n# Maritime Connectivity Platform (MCP) Public Key Infrastructure (PKI)\n\nThis is a library / cmdline tool used to manage and check certificates in the MCP Public Key Infrastructure (PKI).\n\nBuilding using maven should be as simple as running `mvn install` under the assumption you have Java 21 
installed already.\n\nMaritime Connectivity Platform was formerly known as the Maritime Cloud and therefore there might still be references to that in this project.  \n\nMCP-PKI implements the *certificate attributes* described in [the developer's page of identity registry](https://docs.maritimeconnectivity.net/en/latest/MIR.html#mcp-certificate) and used in [Maritime Identity Registry](https://github.com/MaritimeConnectivityPlatform/IdentityRegistry). \n\n## Using the lib\nThe primary function of this software is to make it easy/easier to use the MCP PKI for (Java) developers. \n\nJavadocs are available [here](https://javadoc.io/doc/net.maritimeconnectivity.pki/mcp-pki/latest/index.html).\n\nUse PKIConfiguration for setting up configuration about Keystore and/or Truststore, use KeystoreHandler to load them and then you most likely want to use CertificateHandler to, well, handle certificates...\n\nA short example of use can be seen below:\n```java\n    // Setup MCP PKI\n    PKIConfiguration pkiConf = new PKIConfiguration(\"urn:mrn:mcp:ca:idp1:maritimeconnectivity\");\n    pkiConf.setTruststorePath(\"/path/to/mcp-truststore.jks\");\n    pkiConf.setTruststorePassword(\"changeit\");\n    KeystoreHandler kh = new KeystoreHandler(pkiConf);\n    // Get the certificate that should be validated\n    X509Certificate cert = getUserCertificate();\n    // Validate certificate\n    CertificateHandler.verifyCertificateChain(cert, kh.getTrustStore());\n    // Extract Identity information from the certificate\n    PKIIdentity user = CertificateHandler.getIdentityFromCert(cert);\n```\nHere the parameter \"urn:mrn:mcp:ca:idp1:maritimeconnectivity\" states the *root-ca-alias* which will be defined differently for each identity provider.\n\n## Commandline interface\nThe secondary function of this software is to provide a (relatively) easy to use interface for the PKI manager. 
How to use it is described below.\n\nIf you have built using Maven you should now have a `mcp-pki-cli-1.2.0-SNAPSHOT.jar` and a `mcp-pki-cli-1.2.0-SNAPSHOT-jar-with-dependencies.jar` (or similar) in the `target` folders. It is the latter we will be using since it can easily be run from the commandline.\n\n### Initializing the PKI\nTo use the PKI we must first initialize it, which means creating a root Certificate Authority (CA). This can be done with this command:\n```sh\njava -jar mcp-pki-cli-1.2.0-SNAPSHOT-jar-with-dependencies.jar \\\n    --init \\\n    --truststore-path mcp-truststore.jks \\\n    --truststore-password changeit \\\n    --root-keystore-path root-ca-keystore.jks \\\n    --root-keystore-password changeit \\\n    --root-key-password changeit \\\n    --root-ca-alias \"urn:mrn:mcp:ca:idp1:maritimeconnectivity\" \\\n    --x500-name \"C=DK, ST=Denmark, L=Copenhagen, O=MCP Test, OU=MCP Test, CN=MCP Test Root Certificate, E=info@maritimeconnectivity.net\" \\\n    --crl-endpoint \"http://localhost/x509/api/certificates/crl/urn:mrn:mcp:ca:idp1:maritimeconnectivity\" \\\n    --validity-period 120\n```\nNote that the truststore and root-keystore will be overwritten! Also note that crl-endpoint should end with `urn:mrn:mcp:ca:idp1:maritimeconnectivity` which is the value of *root-ca-alias*. The unit of the *validity period* field is months. The root CA in this example will be valid for 10 years from the issue date.\n\nChange the passwords as you see fit.\n\n### Create root Certificate Revocation List\nWe must also create a root Certificate Revocation List to be able to tell if any sub CA has been revoked. 
This can be done with this command: \n```sh\njava -jar mcp-pki-cli-1.2.0-SNAPSHOT-jar-with-dependencies.jar \\\n    --generate-root-crl \\\n    --root-keystore-path root-ca-keystore.jks \\\n    --root-keystore-password changeit \\\n    --root-key-password changeit \\\n    --revoked-subca-file revoked-subca.csv \\\n    --root-ca-alias \"urn:mrn:mcp:ca:idp1:maritimeconnectivity\" \\\n    --root-crl-path root-ca.crl\n```\nThe revoked-subca-file CSV file must either be empty or have a format like this:\n```csv\n345678954765889809876543;cacompromise;2017-04-31\n```\nThat is `\u003cserial-number\u003e;\u003crevocation-reason\u003e;\u003crevocation-date\u003e`\n\nThe revocation reason can be one of the following: unspecified, keycompromise, cacompromise, affiliationchanged, superseded, cessationofoperation, certificatehold, removefromcrl, privilegewithdrawn or aacompromise.\n\nThe revocation date must be of the format: YYYY-MM-DD.\n\nRemember to keep the list of revoked sub ca. Each time a new sub CA is revoked you must add it to the CSV file and generate a new CRL. 
Note that a CRL is valid for exactly one year.\n\n### Create sub CA\nCreate a sub CA like this:\n```sh\njava -jar mcp-pki-cli-1.2.0-SNAPSHOT-jar-with-dependencies.jar \\\n    --create-subca \\\n    --root-keystore-path root-ca-keystore.jks \\\n    --root-keystore-password changeit \\\n    --root-key-password changeit \\\n    --truststore-path mcp-truststore.jks \\\n    --truststore-password changeit \\\n    --subca-keystore subca-keystore.jks \\\n    --subca-keystore-password changeit \\\n    --subca-key-password changeit \\\n    --root-ca-alias \"urn:mrn:mcp:ca:idp1:maritimeconnectivity\" \\\n    --x500-name \"UID=urn:mrn:mcp:ca:idp1:mcp-idreg, C=DK, ST=Denmark, L=Copenhagen, O=MCP Test, OU=MCP Test, CN=MCP Test Identity Registry, E=info@maritimeconnectivity.net\" \\\n    --crl-endpoint \"http://localhost/x509/api/certificates/crl/urn:mrn:mcp:ca:idp1:mcp-idreg\" \\\n    --validity-period 60\n```\n\nThe UID will be used as alias when stored in the truststore and subca-keystore. The root-keystore and truststore are expected to exist, while the subca-keystore will be created if it does not exist.\n\n### Checking client certificate\nYou can check the attributes of an MCP client certificate like this:\n```sh\njava -jar mcp-pki-cli-1.2.0-SNAPSHOT-jar-with-dependencies.jar --print-certificate \u003ccertificate-name\u003e.pem\n```\n\nAlternatively, the [Identity Extractor Service](https://github.com/maritimeconnectivity/IdentityExtractorService), an implementation of a web service visualizing the MCP certificate, is available.\n\n## License\nThis software is distributed under the Apache License, Version 2.0.\n\nThis project includes code from the Apache Xcf project (Apache License, Version 2.0), and the [POReID project](https://github.com/poreid/poreid) (MIT License). \n\n\n## Building\nBuilding the project requires that JDK (\u003e=21) and Maven (\u003e=v3.6.3) are installed on the system. 
The project can then be built like this:\n```sh\nmvn clean install\n```\n\nSign (requires a gpg key):\n```sh\nmvn -Dskip.signing=false install\n```\n\nDeploy (requires a gpg key registered at sonatype):\n```sh\nmvn -Dskip.signing=false clean deploy -Psonatype\n```\n\nBuild the javadocs used for the documentation available at https://maritimeconnectivity.github.io/MCP-PKI/\n```sh\n./javadocs.sh docs\n```\n\nBuild the javadocs used for the documentation available at https://maritimeconnectivity.github.io/MCP-PKI/ and push to github:\n```sh\n./javadocs.sh site\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmaritimeconnectivity%2Fmcp-pki","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmaritimeconnectivity%2Fmcp-pki","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmaritimeconnectivity%2Fmcp-pki/lists"}