List of usage examples for java.security.cert X509Certificate verify
public abstract void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException;
From source file:org.apache.nifi.toolkit.tls.service.client.TlsCertificateSigningRequestPerformer.java
/** * Submits a CSR to the Certificate authority, checks the resulting hmac, and returns the chain if everything succeeds * * @param keyPair the keypair to generate the csr for * @throws IOException if there is a problem during the process * @return the resulting certificate chain *//*from ww w .ja v a 2 s. co m*/ public X509Certificate[] perform(KeyPair keyPair) throws IOException { try { List<X509Certificate> certificates = new ArrayList<>(); HttpClientBuilder httpClientBuilder = httpClientBuilderSupplier.get(); SSLContextBuilder sslContextBuilder = SSLContextBuilder.create(); sslContextBuilder.useProtocol("TLSv1.2"); // We will be validating that we are talking to the correct host once we get the response's hmac of the token and public key of the ca sslContextBuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy()); httpClientBuilder.setSSLSocketFactory(new TlsCertificateAuthorityClientSocketFactory( sslContextBuilder.build(), caHostname, certificates)); String jsonResponseString; int responseCode; try (CloseableHttpClient client = httpClientBuilder.build()) { JcaPKCS10CertificationRequest request = TlsHelper.generateCertificationRequest(dn, domainAlternativeNames, keyPair, signingAlgorithm); TlsCertificateAuthorityRequest tlsCertificateAuthorityRequest = new TlsCertificateAuthorityRequest( TlsHelper.calculateHMac(token, request.getPublicKey()), TlsHelper.pemEncodeJcaObject(request)); HttpPost httpPost = new HttpPost(); httpPost.setEntity( new ByteArrayEntity(objectMapper.writeValueAsBytes(tlsCertificateAuthorityRequest))); if (logger.isInfoEnabled()) { logger.info("Requesting certificate with dn " + dn + " from " + caHostname + ":" + port); } try (CloseableHttpResponse response = client.execute(new HttpHost(caHostname, port, "https"), httpPost)) { jsonResponseString = IOUtils.toString( new BoundedInputStream(response.getEntity().getContent(), 1024 * 1024), StandardCharsets.UTF_8); responseCode = response.getStatusLine().getStatusCode(); } } if (responseCode != Response.SC_OK) { throw new IOException( RECEIVED_RESPONSE_CODE + responseCode + " with payload " + jsonResponseString); } if (certificates.size() != 1) { throw new IOException(EXPECTED_ONE_CERTIFICATE); } TlsCertificateAuthorityResponse tlsCertificateAuthorityResponse = objectMapper .readValue(jsonResponseString, TlsCertificateAuthorityResponse.class); if (!tlsCertificateAuthorityResponse.hasHmac()) { throw new IOException(EXPECTED_RESPONSE_TO_CONTAIN_HMAC); } X509Certificate caCertificate = certificates.get(0); byte[] expectedHmac = TlsHelper.calculateHMac(token, caCertificate.getPublicKey()); if (!MessageDigest.isEqual(expectedHmac, tlsCertificateAuthorityResponse.getHmac())) { throw new IOException(UNEXPECTED_HMAC_RECEIVED_POSSIBLE_MAN_IN_THE_MIDDLE); } if (!tlsCertificateAuthorityResponse.hasCertificate()) { throw new IOException(EXPECTED_RESPONSE_TO_CONTAIN_CERTIFICATE); } X509Certificate x509Certificate = TlsHelper .parseCertificate(new StringReader(tlsCertificateAuthorityResponse.getPemEncodedCertificate())); x509Certificate.verify(caCertificate.getPublicKey()); if (logger.isInfoEnabled()) { logger.info("Got certificate with dn " + x509Certificate.getSubjectX500Principal()); } return new X509Certificate[] { x509Certificate, caCertificate }; } catch (IOException e) { throw e; } catch (Exception e) { throw new IOException(e); } }
From source file:com.thoughtworks.go.security.X509CertificateGenerator.java
private X509Certificate createIntermediateCertificate(PrivateKey caPrivKey, X509Certificate caCert, Date startDate, KeyPair keyPair) throws Exception { X500Name issuerDn = JcaX500NameUtil.getSubject(caCert); X500NameBuilder subjectBuilder = new X500NameBuilder(BCStyle.INSTANCE); subjectBuilder.addRDN(BCStyle.OU, INTERMEDIATE_CERT_OU); subjectBuilder.addRDN(BCStyle.EmailAddress, CERT_EMAIL); X500Name subjectDn = subjectBuilder.build(); X509CertificateGenerator.V3X509CertificateGenerator v3CertGen = new V3X509CertificateGenerator(startDate, issuerDn, subjectDn, keyPair.getPublic(), serialNumber()); // extensions v3CertGen.addSubjectKeyIdExtension(keyPair.getPublic()); v3CertGen.addAuthorityKeyIdExtension(caCert); v3CertGen.addBasicConstraintsExtension(); X509Certificate cert = v3CertGen.generate(caPrivKey); Date now = new Date(); cert.checkValidity(now);/*w ww . j ava2 s . c om*/ cert.verify(caCert.getPublicKey()); PKCS12BagAttributeSetter.usingBagAttributeCarrier(cert).setFriendlyName(INTERMEDIATE_CERT_OU); PKCS12BagAttributeSetter.usingBagAttributeCarrier(keyPair.getPrivate()).setFriendlyName(FRIENDLY_NAME) .setLocalKeyId(keyPair.getPublic()); return cert; }
From source file:com.thoughtworks.go.security.X509CertificateGenerator.java
private X509Certificate createAgentCertificate(PublicKey publicKey, PrivateKey intermediatePrivateKey, PublicKey intermediatePublicKey, String hostname, Date startDate) throws Exception { X500NameBuilder issuerBuilder = new X500NameBuilder(BCStyle.INSTANCE); issuerBuilder.addRDN(BCStyle.OU, INTERMEDIATE_CERT_OU); issuerBuilder.addRDN(BCStyle.EmailAddress, CERT_EMAIL); X500Name issuerDn = issuerBuilder.build(); X500NameBuilder subjectBuilder = new X500NameBuilder(BCStyle.INSTANCE); subjectBuilder.addRDN(BCStyle.OU, AGENT_CERT_OU); subjectBuilder.addRDN(BCStyle.CN, hostname); subjectBuilder.addRDN(BCStyle.EmailAddress, CERT_EMAIL); X500Name subjectDn = subjectBuilder.build(); X509CertificateGenerator.V3X509CertificateGenerator v3CertGen = new V3X509CertificateGenerator(startDate, issuerDn, subjectDn, publicKey, BigInteger.valueOf(3)); // add the extensions v3CertGen.addSubjectKeyIdExtension(publicKey); v3CertGen.addAuthorityKeyIdExtension(intermediatePublicKey); X509Certificate cert = v3CertGen.generate(intermediatePrivateKey); Date now = new Date(); cert.checkValidity(now);/* www.j a v a 2s . c o m*/ cert.verify(intermediatePublicKey); PKCS12BagAttributeSetter.usingBagAttributeCarrier(cert).setFriendlyName("cruise-agent") .setLocalKeyId(publicKey); return cert; }
From source file:com.aqnote.shared.encrypt.cert.gen.BCCertGenerator.java
public X509Certificate createClass3RootCert(KeyPair keyPair, PrivateKey ppk, X509Certificate caCert) throws Exception { X500Name idn = CertificateUtil.getSubject(caCert); BigInteger sno = BigInteger.valueOf(5); Date nb = new Date(System.currentTimeMillis() - HALF_DAY); Date na = new Date(nb.getTime() + TWENTY_YEAR); X500Name sdn = X500NameUtil.createClass3RootPrincipal(); PublicKey pubKey = keyPair.getPublic(); X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(idn, sno, nb, na, sdn, pubKey); addSubjectKID(certBuilder, pubKey);/*from w w w. j av a 2 s . c o m*/ addAuthorityKID(certBuilder, caCert.getPublicKey()); certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(Boolean.TRUE)); X509Certificate certificate = signCert(certBuilder, ppk); certificate.checkValidity(new Date()); certificate.verify(caCert.getPublicKey()); setPKCS9Info(certificate); return certificate; }
From source file:com.aqnote.shared.encrypt.cert.gen.BCCertGenerator.java
public X509Certificate createClass1CaCert(KeyPair keyPair, PrivateKey ppk, X509Certificate caCert) throws Exception { X500Name idn = CertificateUtil.getSubject(caCert); BigInteger sno = BigInteger.valueOf(3); Date nb = new Date(System.currentTimeMillis() - HALF_DAY); Date na = new Date(nb.getTime() + TWENTY_YEAR); X500Name sdn = X500NameUtil.createClass1RootPrincipal(); PublicKey pubKey = keyPair.getPublic(); X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(idn, sno, nb, na, sdn, pubKey); addSubjectKID(certBuilder, pubKey);//from w w w . j av a2 s.c o m addAuthorityKID(certBuilder, caCert.getPublicKey()); certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(3)); certBuilder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(BASE_EKU)); X509Certificate certificate = signCert(certBuilder, ppk); certificate.checkValidity(new Date()); certificate.verify(caCert.getPublicKey()); setPKCS9Info(certificate); return certificate; }
From source file:com.aqnote.shared.cryptology.cert.gen.CertGenerator.java
private X509Certificate createRootCaCert(X500Name idn, KeyPair keyPair) throws Exception { PublicKey pubKey = keyPair.getPublic(); PrivateKey privKey = keyPair.getPrivate(); BigInteger sno = BigInteger.valueOf(1); Date nb = new Date(System.currentTimeMillis() - ONE_DAY); Date na = new Date(nb.getTime() + TWENTY_YEAR); X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(idn, sno, nb, na, idn, pubKey); addSubjectKID(certBuilder, pubKey);/* w ww. j ava 2 s . c o m*/ addAuthorityKID(certBuilder, pubKey); addCRLDistributionPoints(certBuilder); addAuthorityInfoAccess(certBuilder); certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(Boolean.TRUE)); X509Certificate certificate = signCert(certBuilder, privKey); certificate.checkValidity(new Date()); certificate.verify(pubKey); setPKCS9Info(certificate); return certificate; }
From source file:com.aqnote.shared.encrypt.cert.gen.BCCertGenerator.java
public X509Certificate createRootCaCert(final KeyPair keyPair) throws Exception { PublicKey pubKey = keyPair.getPublic(); PrivateKey privKey = keyPair.getPrivate(); X500Name idn = X500NameUtil.createRootPrincipal(); BigInteger sno = BigInteger.valueOf(1); Date nb = new Date(System.currentTimeMillis() - ONE_DAY); Date na = new Date(nb.getTime() + TWENTY_YEAR); X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(idn, sno, nb, na, idn, pubKey); addSubjectKID(certBuilder, pubKey);//from www .j av a2 s.co m addAuthorityKID(certBuilder, pubKey); addCRLDistributionPoints(certBuilder); addAuthorityInfoAccess(certBuilder); certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(Boolean.TRUE)); X509Certificate certificate = signCert(certBuilder, privKey); certificate.checkValidity(new Date()); certificate.verify(pubKey); setPKCS9Info(certificate); return certificate; }
From source file:com.aqnote.shared.encrypt.cert.gen.BCCertGenerator.java
public X509Certificate createClass1EndCert(X500Name sdn, PublicKey pubKey, KeyPair pKeyPair) throws Exception { PublicKey pPubKey = pKeyPair.getPublic(); PrivateKey pPrivKey = pKeyPair.getPrivate(); X500Name issuer = X500NameUtil.createClass1RootPrincipal(); BigInteger sno = BigInteger.valueOf(System.currentTimeMillis()); Date nb = new Date(System.currentTimeMillis() - HALF_DAY); Date na = new Date(nb.getTime() + FIVE_YEAR); X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuer, sno, nb, na, sdn, pubKey); addSubjectKID(certBuilder, pubKey);//from ww w.jav a 2 s .c o m addAuthorityKID(certBuilder, pPubKey); certBuilder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(BASE_EKU)); certBuilder.addExtension(Extension.keyUsage, false, new KeyUsage(END_KEY_USAGE)); X509Certificate certificate = signCert(certBuilder, pPrivKey); certificate.checkValidity(new Date()); certificate.verify(pPubKey); setPKCS9Info(certificate); return certificate; }
From source file:com.aqnote.shared.cryptology.cert.gen.CertGenerator.java
private X509Certificate createEndCert(X500Name subject, PublicKey pubKey, KeyPair pKeyPair, X500Name issuer) throws Exception { PublicKey pPubKey = pKeyPair.getPublic(); PrivateKey pPrivKey = pKeyPair.getPrivate(); BigInteger sno = BigInteger.valueOf(System.currentTimeMillis()); Date nb = new Date(System.currentTimeMillis() - HALF_DAY); Date na = new Date(nb.getTime() + FIVE_YEAR); X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuer, sno, nb, na, subject, pubKey);/*from w w w . jav a 2 s . c o m*/ addSubjectKID(certBuilder, pubKey); addAuthorityKID(certBuilder, pPubKey); certBuilder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(BASE_EKU)); certBuilder.addExtension(Extension.keyUsage, false, new KeyUsage(END_KEY_USAGE)); X509Certificate certificate = signCert(certBuilder, pPrivKey); certificate.checkValidity(new Date()); certificate.verify(pPubKey); setPKCS9Info(certificate); return certificate; }
From source file:com.aqnote.shared.cryptology.cert.gen.CertGenerator.java
public X509Certificate createClass3EndCert(long sno, X500Name sdn, Map<String, String> exts, PublicKey pubKey, KeyPair pKeyPair) throws Exception { PublicKey pPubKey = pKeyPair.getPublic(); PrivateKey pPrivKey = pKeyPair.getPrivate(); X500Name idn = X500NameUtil.createClass3CaPrincipal(); BigInteger _sno = BigInteger.valueOf(sno <= 0 ? System.currentTimeMillis() : sno); Date nb = new Date(System.currentTimeMillis() - HALF_DAY); Date na = new Date(nb.getTime() + FIVE_YEAR); X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(idn, _sno, nb, na, sdn, pubKey); addSubjectKID(certBuilder, pubKey);// w ww . j av a 2 s . co m addAuthorityKID(certBuilder, pPubKey); certBuilder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(MOST_EKU)); certBuilder.addExtension(Extension.keyUsage, false, new KeyUsage(END_KEY_USAGE)); if (exts != null) { Set<String> key = exts.keySet(); for (Iterator<String> it = key.iterator(); it.hasNext();) { String oid = it.next(); String value = exts.get(oid); if (!StringUtils.isBlank(value)) { certBuilder.addExtension(new ASN1ObjectIdentifier(oid), false, new DEROctetString(value.getBytes())); } } } X509Certificate certificate = signCert(certBuilder, pPrivKey); certificate.checkValidity(new Date()); certificate.verify(pPubKey); setPKCS9Info(certificate); return certificate; }