List of usage examples for org.bouncycastle.asn1.pkcs Attribute getInstance
public static Attribute getInstance(Object o)
From source file:eu.europa.esig.dss.pades.InfiniteLoopDSS621Test.java
License:Open Source License
/** * These signatures are invalid because of non ordered signed attributes *///from w w w. jav a 2 s. c o m @Test public void manualTest() throws Exception { File pdfFile = new File(FILE_PATH); FileInputStream fis = new FileInputStream(pdfFile); byte[] pdfBytes = IOUtils.toByteArray(fis); PDDocument document = PDDocument.load(pdfFile); List<PDSignature> signatures = document.getSignatureDictionaries(); assertEquals(6, signatures.size()); int idx = 0; for (PDSignature pdSignature : signatures) { byte[] contents = pdSignature.getContents(pdfBytes); byte[] signedContent = pdSignature.getSignedContent(pdfBytes); logger.info("Byte range : " + Arrays.toString(pdSignature.getByteRange())); IOUtils.write(contents, new FileOutputStream("target/sig" + (idx++) + ".p7s")); ASN1InputStream asn1sInput = new ASN1InputStream(contents); ASN1Sequence asn1Seq = (ASN1Sequence) asn1sInput.readObject(); logger.info("SEQ : " + asn1Seq.toString()); ASN1ObjectIdentifier oid = ASN1ObjectIdentifier.getInstance(asn1Seq.getObjectAt(0)); assertEquals(PKCSObjectIdentifiers.signedData, oid); SignedData signedData = SignedData .getInstance(DERTaggedObject.getInstance(asn1Seq.getObjectAt(1)).getObject()); ASN1Set digestAlgorithmSet = signedData.getDigestAlgorithms(); ASN1ObjectIdentifier oidDigestAlgo = ASN1ObjectIdentifier .getInstance(ASN1Sequence.getInstance(digestAlgorithmSet.getObjectAt(0)).getObjectAt(0)); DigestAlgorithm digestAlgorithm = DigestAlgorithm.forOID(oidDigestAlgo.getId()); logger.info("DIGEST ALGO : " + digestAlgorithm); ContentInfo encapContentInfo = signedData.getEncapContentInfo(); ASN1ObjectIdentifier contentTypeOID = encapContentInfo.getContentType(); logger.info("ENCAPSULATED CONTENT INFO TYPE : " + contentTypeOID); if (!PKCSObjectIdentifiers.id_ct_TSTInfo.equals(contentTypeOID)) { // If not timestamp assertEquals(PKCSObjectIdentifiers.data, contentTypeOID); ASN1Encodable content = encapContentInfo.getContent(); logger.info("ENCAPSULATED CONTENT INFO CONTENT : " + content); assertNull(content); List<X509Certificate> certificates = extractCertificates(signedData); ASN1Set signerInfosAsn1 = signedData.getSignerInfos(); logger.info("SIGNER INFO ASN1 : " + signerInfosAsn1.toString()); SignerInfo signedInfo = SignerInfo .getInstance(ASN1Sequence.getInstance(signerInfosAsn1.getObjectAt(0))); ASN1Set authenticatedAttributeSet = signedInfo.getAuthenticatedAttributes(); logger.info("AUTHENTICATED ATTR : " + authenticatedAttributeSet); Attribute attributeDigest = null; for (int i = 0; i < authenticatedAttributeSet.size(); i++) { Attribute attribute = Attribute.getInstance(authenticatedAttributeSet.getObjectAt(i)); if (PKCSObjectIdentifiers.pkcs_9_at_messageDigest.equals(attribute.getAttrType())) { attributeDigest = attribute; break; } } assertNotNull(attributeDigest); ASN1OctetString asn1ObjString = ASN1OctetString .getInstance(attributeDigest.getAttrValues().getObjectAt(0)); String embeddedDigest = Base64.encodeBase64String(asn1ObjString.getOctets()); logger.info("MESSAGE DIGEST : " + embeddedDigest); byte[] digestSignedContent = DSSUtils.digest(digestAlgorithm, signedContent); String computedDigestSignedContentEncodeBase64 = Base64.encodeBase64String(digestSignedContent); logger.info("COMPUTED DIGEST SIGNED CONTENT BASE64 : " + computedDigestSignedContentEncodeBase64); assertEquals(embeddedDigest, computedDigestSignedContentEncodeBase64); SignerIdentifier sid = signedInfo.getSID(); logger.info("SIGNER IDENTIFIER : " + sid.getId()); IssuerAndSerialNumber issuerAndSerialNumber = IssuerAndSerialNumber .getInstance(signedInfo.getSID()); ASN1Integer signerSerialNumber = issuerAndSerialNumber.getSerialNumber(); logger.info("ISSUER AND SN : " + issuerAndSerialNumber.getName() + " " + signerSerialNumber); BigInteger serial = issuerAndSerialNumber.getSerialNumber().getValue(); X509Certificate signerCertificate = null; for (X509Certificate x509Certificate : certificates) { if (serial.equals(x509Certificate.getSerialNumber())) { signerCertificate = x509Certificate; } } assertNotNull(signerCertificate); String algorithm = signerCertificate.getPublicKey().getAlgorithm(); EncryptionAlgorithm encryptionAlgorithm = EncryptionAlgorithm.forName(algorithm); ASN1OctetString encryptedInfoOctedString = signedInfo.getEncryptedDigest(); String signatureValue = Hex.toHexString(encryptedInfoOctedString.getOctets()); logger.info("SIGNATURE VALUE : " + signatureValue); Cipher cipher = Cipher.getInstance(encryptionAlgorithm.getName()); cipher.init(Cipher.DECRYPT_MODE, signerCertificate); byte[] decrypted = cipher.doFinal(encryptedInfoOctedString.getOctets()); ASN1InputStream inputDecrypted = new ASN1InputStream(decrypted); ASN1Sequence seqDecrypt = (ASN1Sequence) inputDecrypted.readObject(); logger.info("DECRYPTED : " + seqDecrypt); DigestInfo digestInfo = new DigestInfo(seqDecrypt); assertEquals(oidDigestAlgo, digestInfo.getAlgorithmId().getAlgorithm()); String decryptedDigestEncodeBase64 = Base64.encodeBase64String(digestInfo.getDigest()); logger.info("DECRYPTED BASE64 : " + decryptedDigestEncodeBase64); byte[] encoded = authenticatedAttributeSet.getEncoded(); byte[] digest = DSSUtils.digest(digestAlgorithm, encoded); String computedDigestFromSignatureEncodeBase64 = Base64.encodeBase64String(digest); logger.info("COMPUTED DIGEST FROM SIGNATURE BASE64 : " + computedDigestFromSignatureEncodeBase64); assertEquals(decryptedDigestEncodeBase64, computedDigestFromSignatureEncodeBase64); IOUtils.closeQuietly(inputDecrypted); } IOUtils.closeQuietly(asn1sInput); } IOUtils.closeQuietly(fis); document.close(); }
From source file:io.aos.crypto.spl06.PKCS10CertCreateExample.java
License:Apache License
public static X509Certificate[] buildChain() throws Exception { // create the certification request KeyPair pair = Utils.generateRSAKeyPair(); PKCS10CertificationRequest request = PKCS10ExtensionExample.generateRequest(pair); // create a root certificate KeyPair rootPair = Utils.generateRSAKeyPair(); X509Certificate rootCert = X509V1CreateExample.generateV1Certificate(rootPair); // validate the certification request if (!request.verify("BC")) { System.out.println("request failed to verify!"); System.exit(1);/*from w w w .j av a 2 s.c o m*/ } // create the certificate using the information in the request X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(rootCert.getSubjectX500Principal()); certGen.setNotBefore(new Date(System.currentTimeMillis())); certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); certGen.setSubjectDN(request.getCertificationRequestInfo().getSubject()); certGen.setPublicKey(request.getPublicKey("BC")); certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(rootCert)); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(request.getPublicKey("BC"))); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); // extract the extension request attribute ASN1Set attributes = request.getCertificationRequestInfo().getAttributes(); for (int i = 0; i != attributes.size(); i++) { Attribute attr = Attribute.getInstance(attributes.getObjectAt(i)); // process extension request if (attr.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) { X509Extensions extensions = X509Extensions.getInstance(attr.getAttrValues().getObjectAt(0)); Enumeration e = extensions.oids(); while (e.hasMoreElements()) { DERObjectIdentifier oid = (DERObjectIdentifier) e.nextElement(); X509Extension ext = extensions.getExtension(oid); certGen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets()); } } } X509Certificate issuedCert = certGen.generateX509Certificate(rootPair.getPrivate()); return new X509Certificate[] { issuedCert, rootCert }; }
From source file:org.jruby.ext.openssl.impl.SignerInfoWithPkey.java
License:LGPL
/** c: static get_attribute * *//*from www. j a v a 2 s . c o m*/ public static ASN1Encodable getAttribute(ASN1Set sk, int nid) { Attribute xa = null; ASN1ObjectIdentifier o = ASN1Registry.nid2obj(nid); if (null == o || null == sk) { return null; } for (Enumeration e = sk.getObjects(); e.hasMoreElements();) { Object val = e.nextElement(); if (val instanceof Attribute) { xa = (Attribute) val; } else { xa = Attribute.getInstance(val); } if (o.equals(xa.getAttrType())) { if (xa.getAttrValues().size() > 0) { return xa.getAttrValues().getObjectAt(0); } else { return null; } } } return null; }
From source file:org.jruby.ext.openssl.impl.SignerInfoWithPkey.java
License:LGPL
/** c: static add_attribute * *//*from ww w . j a v a2 s.co m*/ private ASN1Set addAttribute(ASN1Set base, int atrType, ASN1Encodable value) { ASN1EncodableVector vector = new ASN1EncodableVector(); if (base == null) { base = new DERSet(); } Attribute attr = null; for (Enumeration e = base.getObjects(); e.hasMoreElements();) { Object val = e.nextElement(); if (val instanceof Attribute) { attr = (Attribute) val; } else { attr = Attribute.getInstance(val); } if (ASN1Registry.obj2nid(attr.getAttrType()) != atrType) { vector.add(attr); } } ASN1ObjectIdentifier ident = ASN1Registry.nid2obj(atrType); attr = new org.bouncycastle.asn1.pkcs.Attribute(ident, new DERSet(value)); vector.add(attr); return new DERSet(vector); }
From source file:org.jruby.ext.openssl.X509Request.java
License:LGPL
private Attribute newAttributeImpl(final ThreadContext context, final X509Attribute attribute) { return Attribute.getInstance(attribute.toASN1(context)); }
From source file:org.nuxeo.ecm.platform.signature.core.pki.CertServiceImpl.java
License:Open Source License
protected X509Certificate createCertificateFromCSR(PKCS10CertificationRequest csr) throws CertException { X509Certificate cert;/*from w w w.java2 s. c o m*/ try { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(getRootCertificate().getIssuerX500Principal()); certGen.setSubjectDN(csr.getCertificationRequestInfo().getSubject()); certGen.setNotBefore(getCertStartDate()); certGen.setNotAfter(getCertEndDate()); certGen.setPublicKey(csr.getPublicKey("BC")); certGen.setSignatureAlgorithm(CERT_SIGNATURE_ALGORITHM); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(csr.getPublicKey("BC"))); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(getRootCertificate())); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature)); certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); ASN1Set attributes = csr.getCertificationRequestInfo().getAttributes(); for (int i = 0; i != attributes.size(); i++) { Attribute attr = Attribute.getInstance(attributes.getObjectAt(i)); if (attr.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) { X509Extensions extensions = X509Extensions.getInstance(attr.getAttrValues().getObjectAt(0)); @SuppressWarnings("rawtypes") Enumeration e = extensions.oids(); while (e.hasMoreElements()) { DERObjectIdentifier oid = (DERObjectIdentifier) e.nextElement(); X509Extension ext = extensions.getExtension(oid); certGen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets()); } } } KeyPair rootKeyPair = getKeyPair(rootService.getRootKeyStore(), rootService.getRootKeyAlias(), rootService.getRootCertificateAlias(), rootService.getRootKeyPassword()); cert = certGen.generate(rootKeyPair.getPrivate(), "BC"); } catch (CertificateParsingException e) { throw new CertException(e); } catch (CertificateEncodingException e) { throw new CertException(e); } catch (InvalidKeyException e) { throw new CertException(e); } catch (IllegalStateException e) { throw new CertException(e); } catch (NoSuchProviderException e) { throw new CertException(e); } catch (NoSuchAlgorithmException e) { throw new CertException(e); } catch (java.security.SignatureException e) { throw new CertException(e); } LOG.debug("Certificate generated for subject: " + cert.getSubjectDN()); return cert; }
From source file:org.xipki.ca.qa.shell.CheckCertCommand.java
License:Open Source License
@Override protected Object _doExecute() throws Exception { Set<String> issuerNames = qaSystemManager.getIssuerNames(); if (isEmpty(issuerNames)) { throw new IllegalCmdParamException("no issuer is configured"); }//from w w w . jav a 2 s. co m if (issuerName == null) { if (issuerNames.size() != 1) { throw new IllegalCmdParamException("no issuer is specified"); } issuerName = issuerNames.iterator().next(); } if (issuerNames.contains(issuerName) == false) { throw new IllegalCmdParamException( "issuer " + issuerName + " is not within the configured issuers " + issuerNames); } X509IssuerInfo issuerInfo = qaSystemManager.getIssuer(issuerName); X509CertprofileQA qa = qaSystemManager.getCertprofile(profileName); if (qa == null) { throw new IllegalCmdParamException("found no certificate profile named '" + profileName + "'"); } CertificationRequest p10Req = CertificationRequest.getInstance(IoUtil.read(p10File)); Extensions extensions = null; ASN1Set attrs = p10Req.getCertificationRequestInfo().getAttributes(); for (int i = 0; i < attrs.size(); i++) { Attribute attr = Attribute.getInstance(attrs.getObjectAt(i)); if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) { extensions = Extensions.getInstance(attr.getAttributeValues()[0]); } } byte[] certBytes = IoUtil.read(certFile); ValidationResult result = qa.checkCert(certBytes, issuerInfo, p10Req.getCertificationRequestInfo().getSubject(), p10Req.getCertificationRequestInfo().getSubjectPublicKeyInfo(), extensions); StringBuilder sb = new StringBuilder(); sb.append("certificate is "); sb.append(result.isAllSuccessful() ? "valid" : "invalid"); if (verbose.booleanValue()) { for (ValidationIssue issue : result.getValidationIssues()) { sb.append("\n"); format(issue, " ", sb); } } out(sb.toString()); if (result.isAllSuccessful() == false) { throw new CmdFailure("certificate is invalid"); } return null; }
From source file:org.xipki.ca.server.impl.CAManagerImpl.java
License:Open Source License
@Override public X509Certificate generateCertificate(final String caName, final String profileName, final String user, final byte[] encodedPkcs10Request) throws CAMgmtException { ParamChecker.assertNotBlank("caName", caName); ParamChecker.assertNotBlank("profileName", profileName); ParamChecker.assertNotNull("encodedPkcs10Request", encodedPkcs10Request); X509CA ca = getX509CA(caName);/*ww w . j a v a 2 s. c o m*/ CertificationRequest p10cr; try { p10cr = CertificationRequest.getInstance(encodedPkcs10Request); } catch (Exception e) { throw new CAMgmtException("invalid PKCS#10 request. ERROR: " + e.getMessage()); } if (securityFactory.verifyPOPO(p10cr) == false) { throw new CAMgmtException("could not validate POP for the pkcs#10 requst"); } CertificationRequestInfo certTemp = p10cr.getCertificationRequestInfo(); Extensions extensions = null; ASN1Set attrs = certTemp.getAttributes(); for (int i = 0; i < attrs.size(); i++) { Attribute attr = Attribute.getInstance(attrs.getObjectAt(i)); if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) { extensions = Extensions.getInstance(attr.getAttributeValues()[0]); } } X500Name subject = certTemp.getSubject(); SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo(); X509CertificateInfo certInfo; try { certInfo = ca.generateCertificate(false, null, profileName, user, subject, publicKeyInfo, null, null, extensions); } catch (OperationException e) { throw new CAMgmtException(e.getMessage(), e); } return certInfo.getCert().getCert(); }
From source file:org.xipki.ca.server.impl.X509CACmpResponder.java
License:Open Source License
/** * handle the PKI body with the choice {@code p10cr}<br/> * Since it is not possible to add attribute to the PKCS#10 request, the certificate profile * must be specified in the attribute regInfo-utf8Pairs (1.3.6.1.5.5.7.5.2.1) within * PKIHeader.generalInfo/*ww w . jav a 2s .c o m*/ * */ private PKIBody processP10cr(final CmpRequestorInfo requestor, final String user, final ASN1OctetString tid, final PKIHeader reqHeader, final CertificationRequest p10cr, final long confirmWaitTime, final boolean sendCaCert, final AuditEvent auditEvent) throws InsuffientPermissionException { // verify the POP first CertResponse certResp; ASN1Integer certReqId = new ASN1Integer(-1); AuditChildEvent childAuditEvent = null; if (auditEvent != null) { childAuditEvent = new AuditChildEvent(); auditEvent.addChildAuditEvent(childAuditEvent); } if (securityFactory.verifyPOPO(p10cr) == false) { LOG.warn("could not validate POP for the pkcs#10 requst"); PKIStatusInfo status = generateCmpRejectionStatus(PKIFailureInfo.badPOP, null); certResp = new CertResponse(certReqId, status); if (childAuditEvent != null) { childAuditEvent.setStatus(AuditStatus.FAILED); childAuditEvent.addEventData(new AuditEventData("message", "invalid POP")); } } else { CertificationRequestInfo certTemp = p10cr.getCertificationRequestInfo(); Extensions extensions = null; ASN1Set attrs = certTemp.getAttributes(); for (int i = 0; i < attrs.size(); i++) { Attribute attr = Attribute.getInstance(attrs.getObjectAt(i)); if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) { extensions = Extensions.getInstance(attr.getAttributeValues()[0]); } } X500Name subject = certTemp.getSubject(); if (childAuditEvent != null) { childAuditEvent.addEventData(new AuditEventData("subject", X509Util.getRFC4519Name(subject))); } SubjectPublicKeyInfo publicKeyInfo = certTemp.getSubjectPublicKeyInfo(); try { CmpUtf8Pairs keyvalues = CmpUtil.extract(reqHeader.getGeneralInfo()); String certprofileName = keyvalues == null ? null : keyvalues.getValue(CmpUtf8Pairs.KEY_CERT_PROFILE); if (certprofileName == null) { throw new CMPException("no certificate profile is specified"); } if (childAuditEvent != null) { childAuditEvent.addEventData(new AuditEventData("certprofile", certprofileName)); } checkPermission(requestor, certprofileName); certResp = generateCertificate(requestor, user, tid, certReqId, subject, publicKeyInfo, null, extensions, certprofileName, false, confirmWaitTime, childAuditEvent); } catch (CMPException e) { certResp = new CertResponse(certReqId, generateCmpRejectionStatus(PKIFailureInfo.badCertTemplate, e.getMessage())); if (childAuditEvent != null) { childAuditEvent.setStatus(AuditStatus.FAILED); childAuditEvent.addEventData(new AuditEventData("message", "badCertTemplate")); } } // end try } CMPCertificate[] caPubs = sendCaCert ? new CMPCertificate[] { getCA().getCAInfo().getCertInCMPFormat() } : null; CertRepMessage repMessage = new CertRepMessage(caPubs, new CertResponse[] { certResp }); return new PKIBody(PKIBody.TYPE_CERT_REP, repMessage); }
From source file:org.xipki.ca.server.impl.X509SelfSignedCertBuilder.java
License:Open Source License
private static X509Certificate generateCertificate(final ConcurrentContentSigner signer, final IdentifiedX509Certprofile certprofile, final CertificationRequest p10Request, final long serialNumber, SubjectPublicKeyInfo publicKeyInfo, final List<String> cacertUris, final List<String> ocspUris, final List<String> crlUris, final List<String> deltaCrlUris) throws OperationException { try {/*from w ww . ja va 2 s . c o m*/ publicKeyInfo = X509Util.toRfc3279Style(publicKeyInfo); } catch (InvalidKeySpecException e) { LOG.warn("SecurityUtil.toRfc3279Style", e); throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, e.getMessage()); } try { certprofile.checkPublicKey(publicKeyInfo); } catch (BadCertTemplateException e) { LOG.warn("certprofile.checkPublicKey", e); throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, e.getMessage()); } X500Name requestedSubject = p10Request.getCertificationRequestInfo().getSubject(); SubjectInfo subjectInfo; // subject try { subjectInfo = certprofile.getSubject(requestedSubject); } catch (CertprofileException e) { throw new OperationException(ErrorCode.SYSTEM_FAILURE, "exception in cert profile " + certprofile.getName()); } catch (BadCertTemplateException e) { LOG.warn("certprofile.getSubject", e); throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, e.getMessage()); } Date notBefore = certprofile.getNotBefore(null); if (notBefore == null) { notBefore = new Date(); } CertValidity validity = certprofile.getValidity(); if (validity == null) { throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "no validity specified in the profile " + certprofile.getName()); } Date notAfter = validity.add(notBefore); X500Name grantedSubject = subjectInfo.getGrantedSubject(); BigInteger _serialNumber = BigInteger.valueOf(serialNumber); X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(grantedSubject, _serialNumber, notBefore, notAfter, grantedSubject, publicKeyInfo); PublicCAInfo publicCaInfo = new PublicCAInfo(grantedSubject, _serialNumber, null, null, cacertUris, ocspUris, crlUris, deltaCrlUris); Extensions extensions = null; ASN1Set attrs = p10Request.getCertificationRequestInfo().getAttributes(); for (int i = 0; i < attrs.size(); i++) { Attribute attr = Attribute.getInstance(attrs.getObjectAt(i)); if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) { extensions = Extensions.getInstance(attr.getAttributeValues()[0]); } } try { addExtensions(certBuilder, certprofile, requestedSubject, extensions, publicKeyInfo, publicCaInfo); ContentSigner contentSigner = signer.borrowContentSigner(); Certificate bcCert; try { bcCert = certBuilder.build(contentSigner).toASN1Structure(); } finally { signer.returnContentSigner(contentSigner); } byte[] encodedCert = bcCert.getEncoded(); CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(encodedCert)); } catch (BadCertTemplateException e) { throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, e.getMessage()); } catch (NoIdleSignerException | CertificateException | IOException | CertprofileException | NoSuchAlgorithmException | NoSuchProviderException e) { throw new OperationException(ErrorCode.SYSTEM_FAILURE, e.getClass().getName() + ": " + e.getMessage()); } }