List of usage examples for org.bouncycastle.asn1.misc NetscapeCertType sslServer
int sslServer
To view the source code for org.bouncycastle.asn1.misc NetscapeCertType sslServer.
Click Source Link
From source file:net.sf.keystore_explorer.crypto.x509.X509Ext.java
License:Open Source License
private String getNetscapeCertificateTypeStringValue(byte[] value) throws IOException { // @formatter:off /*// www. j av a 2s. c o m * NetscapeCertType ::= BIT STRING { sslClient (0), sslServer (1), smime * (2), objectSigning (3), reserved (4), sslCA (5), smimeCA (6), * objectSigningCA (7) } */ // @formatter:on StringBuilder sb = new StringBuilder(); @SuppressWarnings("resource") // we have a ByteArrayInputStream here which does not need to be closed DERBitString netscapeCertType = DERBitString.getInstance(new ASN1InputStream(value).readObject()); int netscapeCertTypes = netscapeCertType.intValue(); if (isCertType(netscapeCertTypes, NetscapeCertType.sslClient)) { sb.append(res.getString("SslClientNetscapeCertificateType")); sb.append(NEWLINE); } if (isCertType(netscapeCertTypes, NetscapeCertType.sslServer)) { sb.append(res.getString("SslServerNetscapeCertificateType")); sb.append(NEWLINE); } if (isCertType(netscapeCertTypes, NetscapeCertType.smime)) { sb.append(res.getString("SmimeNetscapeCertificateType")); sb.append(NEWLINE); } if (isCertType(netscapeCertTypes, NetscapeCertType.objectSigning)) { sb.append(res.getString("ObjectSigningNetscapeCertificateType")); sb.append(NEWLINE); } if (isCertType(netscapeCertTypes, NetscapeCertType.reserved)) { sb.append(res.getString("ReservedNetscapeCertificateType")); sb.append(NEWLINE); } if (isCertType(netscapeCertTypes, NetscapeCertType.sslCA)) { sb.append(res.getString("SslCaNetscapeCertificateType")); sb.append(NEWLINE); } if (isCertType(netscapeCertTypes, NetscapeCertType.smimeCA)) { sb.append(res.getString("SmimeCaNetscapeCertificateType")); sb.append(NEWLINE); } if (isCertType(netscapeCertTypes, NetscapeCertType.objectSigningCA)) { sb.append(res.getString("ObjectSigningCaNetscapeCertificateType")); sb.append(NEWLINE); } return sb.toString(); }
From source file:net.sf.keystore_explorer.gui.dialogs.extensions.DNetscapeCertificateType.java
License:Open Source License
private void prepopulateWithValue(byte[] value) throws IOException { @SuppressWarnings("resource") // we have a ByteArrayInputStream here which does not need to be closed DERBitString netscapeCertType = DERBitString.getInstance(new ASN1InputStream(value).readObject()); int netscapeCertTypes = netscapeCertType.intValue(); jcbSslClient.setSelected(isCertType(netscapeCertTypes, NetscapeCertType.sslClient)); jcbSslServer.setSelected(isCertType(netscapeCertTypes, NetscapeCertType.sslServer)); jcbSmime.setSelected(isCertType(netscapeCertTypes, NetscapeCertType.smime)); jcbObjectSigning.setSelected(isCertType(netscapeCertTypes, NetscapeCertType.objectSigning)); jcbReserved.setSelected(isCertType(netscapeCertTypes, NetscapeCertType.reserved)); jcbSslCa.setSelected(isCertType(netscapeCertTypes, NetscapeCertType.sslCA)); jcbSmimeCa.setSelected(isCertType(netscapeCertTypes, NetscapeCertType.smimeCA)); jcbObjectSigningCa.setSelected(isCertType(netscapeCertTypes, NetscapeCertType.objectSigningCA)); }
From source file:net.sf.keystore_explorer.gui.dialogs.extensions.DNetscapeCertificateType.java
License:Open Source License
private void okPressed() { if (!jcbSslClient.isSelected() && !jcbSslServer.isSelected() && !jcbSmime.isSelected() && !jcbObjectSigning.isSelected() && !jcbReserved.isSelected() && !jcbSslCa.isSelected() && !jcbSmimeCa.isSelected() && !jcbObjectSigningCa.isSelected()) { JOptionPane.showMessageDialog(this, res.getString("DNetscapeCertificateType.ValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE); return;//from w w w. j a v a2s . c o m } int netscapeCertTypeIntValue = 0; netscapeCertTypeIntValue |= jcbSslClient.isSelected() ? NetscapeCertType.sslClient : 0; netscapeCertTypeIntValue |= jcbSslServer.isSelected() ? NetscapeCertType.sslServer : 0; netscapeCertTypeIntValue |= jcbSmime.isSelected() ? NetscapeCertType.smime : 0; netscapeCertTypeIntValue |= jcbObjectSigning.isSelected() ? NetscapeCertType.objectSigning : 0; netscapeCertTypeIntValue |= jcbReserved.isSelected() ? NetscapeCertType.reserved : 0; netscapeCertTypeIntValue |= jcbSslCa.isSelected() ? NetscapeCertType.sslCA : 0; netscapeCertTypeIntValue |= jcbSmimeCa.isSelected() ? NetscapeCertType.smimeCA : 0; netscapeCertTypeIntValue |= jcbObjectSigningCa.isSelected() ? NetscapeCertType.objectSigningCA : 0; NetscapeCertType netscapeCertType = new NetscapeCertType(netscapeCertTypeIntValue); try { value = netscapeCertType.getEncoded(ASN1Encoding.DER); } catch (IOException ex) { DError dError = new DError(this, ex); dError.setLocationRelativeTo(this); dError.setVisible(true); return; } closeDialog(); }
From source file:net.sf.taverna.t2.activities.wsdl.servicedescriptions.ConfirmTrustedCertificateDialog.java
License:Open Source License
/** * Gets the intended certificate uses, i.e. Netscape Certificate Type * extension (2.16.840.1.113730.1.1) value as a string * //from w w w . j av a 2 s .co m * @param value * Extension value as a DER-encoded OCTET string * @return Extension value as a string */ private String getIntendedUses(byte[] value) { // Netscape Certificate Types (2.16.840.1.113730.1.1) int[] INTENDED_USES = new int[] { NetscapeCertType.sslClient, NetscapeCertType.sslServer, NetscapeCertType.smime, NetscapeCertType.objectSigning, NetscapeCertType.reserved, NetscapeCertType.sslCA, NetscapeCertType.smimeCA, NetscapeCertType.objectSigningCA, }; // Netscape Certificate Type strings (2.16.840.1.113730.1.1) HashMap<String, String> INTENDED_USES_STRINGS = new HashMap<String, String>(); INTENDED_USES_STRINGS.put("128", "SSL Client"); INTENDED_USES_STRINGS.put("64", "SSL Server"); INTENDED_USES_STRINGS.put("32", "S/MIME"); INTENDED_USES_STRINGS.put("16", "Object Signing"); INTENDED_USES_STRINGS.put("8", "Reserved"); INTENDED_USES_STRINGS.put("4", "SSL CA"); INTENDED_USES_STRINGS.put("2", "S/MIME CA"); INTENDED_USES_STRINGS.put("1", "Object Signing CA"); // Get octet string from extension value ASN1OctetString fromByteArray = new DEROctetString(value); byte[] octets = fromByteArray.getOctets(); DERBitString fromByteArray2 = new DERBitString(octets); int val = new NetscapeCertType(fromByteArray2).intValue(); StringBuffer strBuff = new StringBuffer(); for (int i = 0, len = INTENDED_USES.length; i < len; i++) { int use = INTENDED_USES[i]; if ((val & use) == use) { strBuff.append(INTENDED_USES_STRINGS.get(String.valueOf(use)) + ", \n"); } } // remove the last ", \n" from the end of the buffer String str = strBuff.toString(); str = str.substring(0, str.length() - 3); return str; }
From source file:org.mailster.core.crypto.MailsterKeyStoreFactory.java
License:Open Source License
private void generateSSLServerCertificate(KeyStore store, X500PrivateCredential rootCredential) throws Exception { LOG.info("Generating SSL server certificate ..."); KeyPair pair = CertificateUtilities.generateRSAKeyPair(getCryptoStrength()); String DN = "CN=localhost, " + DN_ROOT; X509V3CertificateGenerator v3CertGen = CertificateUtilities.initCertificateGenerator(pair, rootCredential.getCertificate().getSubjectX500Principal().getName(), DN, false, CertificateUtilities.DEFAULT_VALIDITY_PERIOD); v3CertGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); v3CertGen.addExtension(MiscObjectIdentifiers.netscapeCertType, false, new NetscapeCertType(NetscapeCertType.sslServer | NetscapeCertType.sslClient)); // Firefox 2 disallows these extensions in an SSL server cert. IE7 doesn't care. // v3CertGen.addExtension(X509Extensions.KeyUsage, // true, new KeyUsage(KeyUsage.dataEncipherment | KeyUsage.keyAgreement | // KeyUsage.keyEncipherment)); Vector<KeyPurposeId> typicalSSLServerExtendedKeyUsages = new Vector<KeyPurposeId>(); typicalSSLServerExtendedKeyUsages.add(KeyPurposeId.id_kp_serverAuth); typicalSSLServerExtendedKeyUsages.add(KeyPurposeId.id_kp_clientAuth); v3CertGen.addExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(typicalSSLServerExtendedKeyUsages)); X509Certificate publicKeyCertificate = v3CertGen.generate(pair.getPrivate()); store.setKeyEntry(MAILSTER_SSL_ALIAS, pair.getPrivate(), KEYSTORE_PASSWORD, new Certificate[] { publicKeyCertificate, rootCredential.getCertificate() }); CertificateUtilities.exportCertificate(publicKeyCertificate, SSL_CERT_FULL_PATH, false); }
From source file:org.mailster.gui.dialogs.CertificateDialog.java
License:Open Source License
private void generateExtensionNode(TreeItem parent, X509Certificate cert, X509Extensions extensions, String oid) {// w w w .java 2 s. c om DERObjectIdentifier derOID = new DERObjectIdentifier(oid); X509Extension ext = extensions.getExtension(derOID); if (ext.getValue() == null) return; byte[] octs = ext.getValue().getOctets(); ASN1InputStream dIn = new ASN1InputStream(octs); StringBuilder buf = new StringBuilder(); try { if (ext.isCritical()) buf.append(Messages.getString("MailsterSWT.dialog.certificate.criticalExt")); //$NON-NLS-1$ else buf.append(Messages.getString("MailsterSWT.dialog.certificate.nonCriticalExt")); //$NON-NLS-1$ if (derOID.equals(X509Extensions.BasicConstraints)) { BasicConstraints bc = new BasicConstraints((ASN1Sequence) dIn.readObject()); if (bc.isCA()) buf.append(Messages.getString("MailsterSWT.dialog.certificate.BasicConstraints.isCA")); //$NON-NLS-1$ else buf.append(Messages.getString("MailsterSWT.dialog.certificate.BasicConstraints.notCA")); //$NON-NLS-1$ buf.append(Messages.getString("MailsterSWT.dialog.certificate.BasicConstraints.maxIntermediateCA")); //$NON-NLS-1$ if (bc.getPathLenConstraint() == null || bc.getPathLenConstraint().intValue() == Integer.MAX_VALUE) buf.append(Messages.getString("MailsterSWT.dialog.certificate.BasicConstraints.unlimited")); //$NON-NLS-1$ else buf.append(bc.getPathLenConstraint()).append('\n'); generateNode(parent, Messages.getString(oid), buf); } else if (derOID.equals(X509Extensions.KeyUsage)) { KeyUsage us = new KeyUsage((DERBitString) dIn.readObject()); if ((us.intValue() & KeyUsage.digitalSignature) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.digitalSignature")); //$NON-NLS-1$ if ((us.intValue() & KeyUsage.nonRepudiation) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.nonRepudiation")); //$NON-NLS-1$ if ((us.intValue() & KeyUsage.keyEncipherment) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.keyEncipherment")); //$NON-NLS-1$ if ((us.intValue() & KeyUsage.dataEncipherment) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.dataEncipherment")); //$NON-NLS-1$ if ((us.intValue() & KeyUsage.keyAgreement) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.keyAgreement")); //$NON-NLS-1$ if ((us.intValue() & KeyUsage.keyCertSign) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.keyCertSign")); //$NON-NLS-1$ if ((us.intValue() & KeyUsage.cRLSign) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.cRLSign")); //$NON-NLS-1$ if ((us.intValue() & KeyUsage.encipherOnly) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.encipherOnly")); //$NON-NLS-1$ if ((us.intValue() & KeyUsage.decipherOnly) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.KeyUsage.decipherOnly")); //$NON-NLS-1$ generateNode(parent, Messages.getString(oid), buf); } else if (derOID.equals(X509Extensions.SubjectKeyIdentifier)) { SubjectKeyIdentifier id = new SubjectKeyIdentifier((DEROctetString) dIn.readObject()); generateNode(parent, Messages.getString(oid), buf.toString() + CertificateUtilities.byteArrayToString(id.getKeyIdentifier())); } else if (derOID.equals(X509Extensions.AuthorityKeyIdentifier)) { AuthorityKeyIdentifier id = new AuthorityKeyIdentifier((ASN1Sequence) dIn.readObject()); generateNode(parent, Messages.getString(oid), buf.toString() + id.getAuthorityCertSerialNumber()); } else if (derOID.equals(MiscObjectIdentifiers.netscapeRevocationURL)) { buf.append(new NetscapeRevocationURL((DERIA5String) dIn.readObject())).append("\n"); generateNode(parent, Messages.getString(oid), buf.toString()); } else if (derOID.equals(MiscObjectIdentifiers.verisignCzagExtension)) { buf.append(new VerisignCzagExtension((DERIA5String) dIn.readObject())).append("\n"); generateNode(parent, Messages.getString(oid), buf.toString()); } else if (derOID.equals(X509Extensions.CRLNumber)) { buf.append((DERInteger) dIn.readObject()).append("\n"); generateNode(parent, Messages.getString(oid), buf.toString()); } else if (derOID.equals(X509Extensions.ReasonCode)) { ReasonFlags rf = new ReasonFlags((DERBitString) dIn.readObject()); if ((rf.intValue() & ReasonFlags.unused) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.unused")); //$NON-NLS-1$ if ((rf.intValue() & ReasonFlags.keyCompromise) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.keyCompromise")); //$NON-NLS-1$ if ((rf.intValue() & ReasonFlags.cACompromise) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.cACompromise")); //$NON-NLS-1$ if ((rf.intValue() & ReasonFlags.affiliationChanged) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.affiliationChanged")); //$NON-NLS-1$ if ((rf.intValue() & ReasonFlags.superseded) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.superseded")); //$NON-NLS-1$ if ((rf.intValue() & ReasonFlags.cessationOfOperation) > 0) buf.append( Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.cessationOfOperation")); //$NON-NLS-1$ if ((rf.intValue() & ReasonFlags.certificateHold) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.certificateHold")); //$NON-NLS-1$ if ((rf.intValue() & ReasonFlags.privilegeWithdrawn) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.privilegeWithdrawn")); //$NON-NLS-1$ if ((rf.intValue() & ReasonFlags.aACompromise) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.ReasonCode.aACompromise")); //$NON-NLS-1$ generateNode(parent, Messages.getString(oid), buf.toString()); } else if (derOID.equals(MiscObjectIdentifiers.netscapeCertType)) { NetscapeCertType type = new NetscapeCertType((DERBitString) dIn.readObject()); if ((type.intValue() & NetscapeCertType.sslClient) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.sslClient")); //$NON-NLS-1$ if ((type.intValue() & NetscapeCertType.sslServer) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.sslServer")); //$NON-NLS-1$ if ((type.intValue() & NetscapeCertType.smime) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.smime")); //$NON-NLS-1$ if ((type.intValue() & NetscapeCertType.objectSigning) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.objectSigning")); //$NON-NLS-1$ if ((type.intValue() & NetscapeCertType.reserved) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.reserved")); //$NON-NLS-1$ if ((type.intValue() & NetscapeCertType.sslCA) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.sslCA")); //$NON-NLS-1$ if ((type.intValue() & NetscapeCertType.smimeCA) > 0) buf.append(Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.smimeCA")); //$NON-NLS-1$ if ((type.intValue() & NetscapeCertType.objectSigningCA) > 0) buf.append( Messages.getString("MailsterSWT.dialog.certificate.NetscapeCertType.objectSigningCA")); //$NON-NLS-1$ generateNode(parent, Messages.getString(oid), buf.toString()); } else if (derOID.equals(X509Extensions.ExtendedKeyUsage)) { ExtendedKeyUsage eku = new ExtendedKeyUsage((ASN1Sequence) dIn.readObject()); if (eku.hasKeyPurposeId(KeyPurposeId.anyExtendedKeyUsage)) buf.append(Messages .getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.anyExtendedKeyUsage")); //$NON-NLS-1$ if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_clientAuth)) buf.append( Messages.getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_clientAuth")); //$NON-NLS-1$ if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_codeSigning)) buf.append(Messages .getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_codeSigning")); //$NON-NLS-1$ if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_emailProtection)) buf.append(Messages .getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_emailProtection")); //$NON-NLS-1$ if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_ipsecEndSystem)) buf.append(Messages .getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_ipsecEndSystem")); //$NON-NLS-1$ if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_ipsecTunnel)) buf.append(Messages .getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_ipsecTunnel")); //$NON-NLS-1$ if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_ipsecUser)) buf.append( Messages.getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_ipsecUser")); //$NON-NLS-1$ if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_OCSPSigning)) buf.append(Messages .getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_OCSPSigning")); //$NON-NLS-1$ if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_serverAuth)) buf.append( Messages.getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_serverAuth")); //$NON-NLS-1$ if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_smartcardlogon)) buf.append(Messages .getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_smartcardlogon")); //$NON-NLS-1$ if (eku.hasKeyPurposeId(KeyPurposeId.id_kp_timeStamping)) buf.append(Messages .getString("MailsterSWT.dialog.certificate.ExtendedKeyUsage.id_kp_timeStamping")); //$NON-NLS-1$ generateNode(parent, Messages.getString(oid), buf.toString()); } else generateNode(parent, MessageFormat.format(Messages.getString("MailsterSWT.dialog.certificate.objectIdentifier"), //$NON-NLS-1$ new Object[] { oid.replace('.', ' ') }), CertificateUtilities.byteArrayToString((cert.getExtensionValue(oid)))); } catch (Exception ex) { ex.printStackTrace(); } }
From source file:org.openmaji.implementation.security.utility.cert.CertUtil.java
License:Open Source License
/** * Creates a lower level certificate, adding authority key-id and subject * key-id extensions to the resulting certificate (version 3). * //from w w w .ja v a2 s. c om * @param pubKey * @param serialNumber * @param name * @param notBefore * @param notAfter * @param signatureAlgorithm * @param issuerPrivKey * @param issuerCert * @param friendlyName * @return X509Certificate * @throws Exception */ public static X509Certificate createCert(PublicKey pubKey, BigInteger serialNumber, String name, Date notBefore, Date notAfter, String signatureAlgorithm, PrivateKey issuerPrivKey, X509Certificate issuerCert, String friendlyName) throws Exception { byte[] nameBytes = new X500Principal(name).getEncoded(); // // create the certificate - version 3 // v3CertGen.reset(); v3CertGen.setSerialNumber(serialNumber); v3CertGen.setIssuerDN(new X509Principal(issuerCert.getSubjectX500Principal().getEncoded())); v3CertGen.setNotBefore(notBefore); v3CertGen.setNotAfter(notAfter); v3CertGen.setSubjectDN(new X509Principal(nameBytes)); v3CertGen.setPublicKey(pubKey); v3CertGen.setSignatureAlgorithm(signatureAlgorithm); // // add the extensions // v3CertGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(pubKey)); v3CertGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, createAuthorityKeyId(issuerCert.getPublicKey(), new X509Principal(issuerCert.getSubjectX500Principal().getEncoded()), serialNumber)); v3CertGen.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(false)); v3CertGen.addExtension(MiscObjectIdentifiers.netscapeCertType, false, new NetscapeCertType(NetscapeCertType.sslServer | NetscapeCertType.sslClient | NetscapeCertType.objectSigning | NetscapeCertType.smime)); X509Certificate cert = v3CertGen.generateX509Certificate(issuerPrivKey); if (friendlyName != null) { PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert; bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName)); bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, createSubjectKeyId(pubKey)); } return cert; }
From source file:org.owasp.webscarab.util.SunCertificateUtils.java
License:Open Source License
public static X509Certificate sign(X500Principal subject, PublicKey pubKey, X500Principal issuer, PublicKey caPubKey, PrivateKey caKey, Date begin, Date ends, BigInteger serialNo, X509Certificate baseCrt)//from w w w . j av a 2 s .c om throws GeneralSecurityException, CertIOException, OperatorCreationException, IOException { if (baseCrt != null) { subject = baseCrt.getSubjectX500Principal(); } JcaX509v3CertificateBuilder certificateBuilder; certificateBuilder = new JcaX509v3CertificateBuilder(issuer, serialNo, begin, ends, subject, pubKey); if (subject.equals(issuer)) { certificateBuilder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(5)); } else { JcaX509ExtensionUtils jxeu = new JcaX509ExtensionUtils(); if (baseCrt != null) { byte[] sans = baseCrt.getExtensionValue(X509Extension.subjectAlternativeName.getId()); if (sans != null) { certificateBuilder.copyAndAddExtension(X509Extension.subjectAlternativeName, true, baseCrt); } } SubjectKeyIdentifier subjectKeyIdentifier = jxeu.createSubjectKeyIdentifier(pubKey); certificateBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, subjectKeyIdentifier); AuthorityKeyIdentifier authorityKeyIdentifier = jxeu.createAuthorityKeyIdentifier(caPubKey); certificateBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, authorityKeyIdentifier); certificateBuilder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(false)); NetscapeCertType netscapeCertType = new NetscapeCertType( NetscapeCertType.sslClient | NetscapeCertType.sslServer); certificateBuilder.addExtension(MiscObjectIdentifiers.netscapeCertType, false, netscapeCertType); KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment); certificateBuilder.addExtension(X509Extension.keyUsage, true, keyUsage); ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage( new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth }); certificateBuilder.addExtension(X509Extension.extendedKeyUsage, false, extendedKeyUsage); } JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(SIGALG); X509CertificateHolder holder = certificateBuilder.build(signerBuilder.build(caKey)); /* * Next certificate factory trick is needed to make sure that the * certificate delivered to the caller is provided by the default * security provider instead of BouncyCastle. If we don't do this trick * we might run into trouble when trying to use the CertPath validator. */ CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); X509Certificate certificate; certificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(holder.getEncoded())); return certificate; }
From source file:test.unit.org.owasp.webscarab.util.SunCertificateUtilsTest.java
License:Open Source License
@Test public void testSign() throws Exception { // setup/* w ww .java 2 s .c o m*/ KeyPair caKeyPair = generateKeyPair(); KeyPair entityKeyPair = generateKeyPair(); X500Principal subject = new X500Principal("CN=Test"); PublicKey pubKey = entityKeyPair.getPublic(); X500Principal issuer = new X500Principal("CN=CA"); PublicKey caPubKey = caKeyPair.getPublic(); PrivateKey caKey = caKeyPair.getPrivate(); Date begin = new Date(); Date ends = new Date(begin.getTime() + (long) 1000 * 60 * 60 * 24 * 30); BigInteger serialNo = BigInteger.valueOf(1234); JcaX509ExtensionUtils jxeu = new JcaX509ExtensionUtils(); // operate X509Certificate resultCert = SunCertificateUtils.sign(subject, pubKey, issuer, caPubKey, caKey, begin, ends, serialNo, null); // verify assertNotNull(resultCert); LOG.debug("result certificate: " + resultCert); resultCert.verify(caPubKey); assertEquals(subject, resultCert.getSubjectX500Principal()); assertEquals(issuer, resultCert.getIssuerX500Principal()); assertEquals(serialNo, resultCert.getSerialNumber()); assertEquals(pubKey, resultCert.getPublicKey()); LOG.debug("expected begin: " + begin.getTime()); LOG.debug("actual begin: " + resultCert.getNotBefore().getTime()); /* * BouncyCastle drops the milliseconds. */ assertTrue(Math.abs(begin.getTime() - resultCert.getNotBefore().getTime()) < 1000); assertTrue(Math.abs(ends.getTime() - resultCert.getNotAfter().getTime()) < 1000); byte[] subjectKeyIdentifierExtValue = resultCert .getExtensionValue(X509Extension.subjectKeyIdentifier.getId()); assertNotNull(subjectKeyIdentifierExtValue); ASN1Primitive subjectKeyIdentifier = JcaX509ExtensionUtils .parseExtensionValue(subjectKeyIdentifierExtValue); ASN1Primitive expSKI = jxeu.createSubjectKeyIdentifier(pubKey).toASN1Primitive(); assertArrayEquals(expSKI.getEncoded(), subjectKeyIdentifier.getEncoded()); byte[] authorityKeyIdentifierExtValue = resultCert .getExtensionValue(X509Extension.authorityKeyIdentifier.getId()); ASN1Primitive authorityKeyIdentifier = JcaX509ExtensionUtils .parseExtensionValue(authorityKeyIdentifierExtValue); ASN1Primitive expAKI = jxeu.createAuthorityKeyIdentifier(caPubKey).toASN1Primitive(); assertArrayEquals(expAKI.getEncoded(), authorityKeyIdentifier.getEncoded()); assertEquals(-1, resultCert.getBasicConstraints()); byte[] netscapeCertTypeExtValue = resultCert .getExtensionValue(MiscObjectIdentifiers.netscapeCertType.getId()); assertNotNull(netscapeCertTypeExtValue); DERBitString netscapeCertTypeExt = (DERBitString) X509ExtensionUtil .fromExtensionValue(netscapeCertTypeExtValue); NetscapeCertType netscapeCertType = new NetscapeCertType(netscapeCertTypeExt); assertEquals(NetscapeCertType.sslClient, netscapeCertType.intValue() & NetscapeCertType.sslClient); assertEquals(NetscapeCertType.sslServer, netscapeCertType.intValue() & NetscapeCertType.sslServer); assertTrue(resultCert.getKeyUsage()[0]); assertTrue(resultCert.getKeyUsage()[2]); byte[] extendedKeyUsageExtValue = resultCert.getExtensionValue(X509Extension.extendedKeyUsage.getId()); assertNotNull(extendedKeyUsageExtValue); ExtendedKeyUsage extendedKeyUsage = ExtendedKeyUsage .getInstance(X509ExtensionUtil.fromExtensionValue(extendedKeyUsageExtValue)); assertTrue(extendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_clientAuth)); assertTrue(extendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_serverAuth)); }