List of usage examples for org.bouncycastle.asn1.x500 X500Name X500Name
public X500Name(String dirName)
From source file:fathom.x509.X509Utils.java
License:Apache License
/** * Creates a new client certificate PKCS#12 and PEM store. Any existing * stores are destroyed./*from w ww.jav a 2 s . c o m*/ * * @param clientMetadata a container for dynamic parameters needed for generation * @param caPrivateKey * @param caCert * @param targetFolder * @return */ public static X509Certificate newClientCertificate(X509Metadata clientMetadata, PrivateKey caPrivateKey, X509Certificate caCert, File targetFolder) { try { KeyPair pair = newKeyPair(); X500Name userDN = buildDistinguishedName(clientMetadata); X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName()); // create a new certificate signed by the Fathom CA certificate X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerDN, BigInteger.valueOf(System.currentTimeMillis()), clientMetadata.notBefore, clientMetadata.notAfter, userDN, pair.getPublic()); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature)); if (!Strings.isNullOrEmpty(clientMetadata.emailAddress)) { GeneralNames subjectAltName = new GeneralNames( new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress)); certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); } ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC) .build(caPrivateKey); X509Certificate userCert = new JcaX509CertificateConverter().setProvider(BC) .getCertificate(certBuilder.build(signer)); PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) pair.getPrivate(); bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, extUtils.createSubjectKeyIdentifier(pair.getPublic())); // confirm the validity of the user certificate userCert.checkValidity(); userCert.verify(caCert.getPublicKey()); userCert.getIssuerDN().equals(caCert.getSubjectDN()); // verify user certificate chain verifyChain(userCert, caCert); targetFolder.mkdirs(); // save certificate, stamped with unique name String date = new SimpleDateFormat("yyyyMMdd").format(new Date()); String id = date; File certFile = new File(targetFolder, id + ".cer"); int count = 0; while (certFile.exists()) { id = date + "_" + Character.toString((char) (0x61 + count)); certFile = new File(targetFolder, id + ".cer"); count++; } // save user private key, user certificate and CA certificate to a PKCS#12 store File p12File = new File(targetFolder, clientMetadata.commonName + ".p12"); if (p12File.exists()) { p12File.delete(); } KeyStore userStore = openKeyStore(p12File, clientMetadata.password); userStore.setKeyEntry( MessageFormat.format("Fathom ({0}) {1} {2}", clientMetadata.serverHostname, clientMetadata.userDisplayname, id), pair.getPrivate(), null, new Certificate[] { userCert }); userStore.setCertificateEntry( MessageFormat.format("Fathom ({0}) Certificate Authority", clientMetadata.serverHostname), caCert); saveKeyStore(p12File, userStore, clientMetadata.password); // save user private key, user certificate, and CA certificate to a PEM store File pemFile = new File(targetFolder, clientMetadata.commonName + ".pem"); if (pemFile.exists()) { pemFile.delete(); } PEMWriter pemWriter = new PEMWriter(new FileWriter(pemFile)); pemWriter.writeObject(pair.getPrivate(), "DES-EDE3-CBC", clientMetadata.password.toCharArray(), new SecureRandom()); pemWriter.writeObject(userCert); pemWriter.writeObject(caCert); pemWriter.flush(); pemWriter.close(); // save certificate after successfully creating the key stores saveCertificate(userCert, certFile); // update serial number in metadata object clientMetadata.serialNumber = userCert.getSerialNumber().toString(); return userCert; } catch (Throwable t) { throw new RuntimeException("Failed to generate client certificate!", t); } }
From source file:fi.aalto.cs.drumbeat.CACertificateCreator.java
License:Open Source License
public X509Certificate createCACert(PublicKey publicKey, PrivateKey privateKey) { X509Certificate ca_cert = null; try {/*from ww w . java2 s . c o m*/ X500Name issuerName = new X500Name("CN=" + data_store.getCa_certificate().getCommon_name() + ", O=" + data_store.getCa_certificate().getOrganization() + ", L=" + data_store.getCa_certificate().getCity() + ", ST=" + data_store.getCa_certificate().getCountry().getCountry_Name() + ", C=" + data_store.getCa_certificate().getCountry().getCountry_Code()); X500Name subjectName = issuerName; BigInteger serial = BigInteger.valueOf(new Random().nextInt()); X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuerName, serial, CertificateCommons.NOT_BEFORE, CertificateCommons.NOT_AFTER, subjectName, publicKey); builder.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(publicKey)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)); KeyUsage usage = new KeyUsage(KeyUsage.keyCertSign | KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.cRLSign); builder.addExtension(Extension.keyUsage, false, usage); ASN1EncodableVector purposes = new ASN1EncodableVector(); purposes.add(KeyPurposeId.id_kp_serverAuth); purposes.add(KeyPurposeId.id_kp_clientAuth); purposes.add(KeyPurposeId.anyExtendedKeyUsage); builder.addExtension(Extension.extendedKeyUsage, false, new DERSequence(purposes)); ca_cert = signCertificate(builder, privateKey); ca_cert.checkValidity(new Date()); ca_cert.verify(publicKey); } catch (Exception e) { e.printStackTrace(); } return ca_cert; }
From source file:fi.aalto.cs.drumbeat.ClientCertificateCreator.java
License:Open Source License
public X509Certificate createClientCert(PublicKey publicKey, X509Certificate certificateAuthorityCert, PrivateKey certificateAuthorityPrivateKey, PublicKey certificateAuthorityPublicKey) throws Exception { X500Name issuer = new X509CertificateHolder(certificateAuthorityCert.getEncoded()).getSubject(); X500Name subject = new X500Name("CN=" + data_store.getClient_certificate().getCommon_name() + ", O=" + data_store.getClient_certificate().getOrganization() + ", L=" + data_store.getClient_certificate().getCity() + ", ST=" + data_store.getClient_certificate().getCountry().getCountry_Name() + ", C=" + data_store.getClient_certificate().getCountry().getCountry_Code()); BigInteger serial = BigInteger.valueOf(new Random().nextInt()); X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, serial, CertificateCommons.NOT_BEFORE, CertificateCommons.NOT_AFTER, subject, publicKey); addURI(data_store.getCLIENT_SUBJECT_ALT_NAME_URI()); fillInto(builder);//from w ww .jav a 2s. c om builder.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(publicKey)); builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false)); X509Certificate cert = signCertificate(builder, certificateAuthorityPrivateKey); cert.checkValidity(new Date()); cert.verify(certificateAuthorityPublicKey); return cert; }
From source file:gui.ExtensionsPopup.java
private void addIssuerAltNameButtonActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_addIssuerAltNameButtonActionPerformed String extension = issuerAltNameTextField.getText(); issuerAltNameTextField.setText(""); if (!extension.isEmpty()) { String extName = (String) issuerAltNameComboBox.getSelectedItem(); try {/*from www.jav a 2 s . c o m*/ switch (extName) { case "Other Name": generalNamesBuilder.addName(new GeneralName(GeneralName.otherName, extension)); break; case "RFC822 Name": generalNamesBuilder.addName(new GeneralName(GeneralName.rfc822Name, extension)); break; case "DNS Name": generalNamesBuilder.addName(new GeneralName(GeneralName.dNSName, extension)); break; case "x400 Address": generalNamesBuilder.addName(new GeneralName(GeneralName.x400Address, extension)); break; case "Directory Name": generalNamesBuilder .addName(new GeneralName(GeneralName.directoryName, new X500Name(extension))); break; case "EDI Party Name": generalNamesBuilder.addName(new GeneralName(GeneralName.ediPartyName, extension)); break; case "URI": generalNamesBuilder.addName(new GeneralName(GeneralName.uniformResourceIdentifier, extension)); break; case "IP Address": generalNamesBuilder.addName(new GeneralName(GeneralName.iPAddress, extension)); break; case "Registered ID": generalNamesBuilder.addName(new GeneralName(GeneralName.registeredID, extension)); break; } } catch (Exception e) { JOptionPane.showMessageDialog(this, Errors.EXTENSION_INVALID_FORMAT, "Error", JOptionPane.ERROR_MESSAGE); return; } issuerAltNameTextArea.append(extName + ": " + extension + "\n"); } }
From source file:io.airlift.security.csr.TestCertificationRequest.java
License:Apache License
@Test public void test() throws Exception { // test only with state because BC encodes every other value using UTF8String instead of PrintableString used by the JDK String name = "C=country"; KeyPairGenerator generator = KeyPairGenerator.getInstance("EC"); generator.initialize(new ECGenParameterSpec("secp256r1")); KeyPair keyPair = generator.generateKeyPair(); CertificationRequestInfo certificationRequestInfo = new CertificationRequestInfo(new X500Principal(name), keyPair.getPublic());//from w w w .j a v a2 s . c om SignatureAlgorithmIdentifier signatureAlgorithmIdentifier = findSignatureAlgorithmIdentifier( "SHA256withECDSA"); byte[] signature = certificationRequestInfo.sign(signatureAlgorithmIdentifier, keyPair.getPrivate()); CertificationRequest certificationRequest = new CertificationRequest(certificationRequestInfo, signatureAlgorithmIdentifier, signature); assertEquals(certificationRequest.getCertificationRequestInfo(), certificationRequestInfo); assertEquals(certificationRequest.getSignatureAlgorithmIdentifier(), signatureAlgorithmIdentifier); assertEquals(base16().encode(certificationRequest.getSignature()), base16().encode(signature)); assertEquals(certificationRequest, certificationRequest); assertEquals(certificationRequest.hashCode(), certificationRequest.hashCode()); PKCS10CertificationRequest expectedCertificationRequest = new PKCS10CertificationRequest( new org.bouncycastle.asn1.pkcs.CertificationRequest( new org.bouncycastle.asn1.pkcs.CertificationRequestInfo(new X500Name(name), SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()), new DERSet()), new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withECDSA"), new DERBitString(signature))); assertEquals(base16().encode(certificationRequest.getEncoded()), base16().encode(expectedCertificationRequest.getEncoded())); }
From source file:io.airlift.security.csr.TestCertificationRequestInfo.java
License:Apache License
@Test public void test() throws Exception { // test only with state because BC encodes every other value using UTF8String instead of PrintableString used by the JDK String name = "C=country"; KeyPairGenerator generator = KeyPairGenerator.getInstance("EC"); generator.initialize(new ECGenParameterSpec("secp256r1")); KeyPair keyPair = generator.generateKeyPair(); CertificationRequestInfo actualInfo = new CertificationRequestInfo(new X500Principal(name), keyPair.getPublic());// www . ja v a2 s . c om assertEquals(actualInfo.getPublicKey(), keyPair.getPublic()); assertEquals(actualInfo.getSubject().getName(), name); assertEquals(actualInfo, actualInfo); assertEquals(actualInfo.hashCode(), actualInfo.hashCode()); org.bouncycastle.asn1.pkcs.CertificationRequestInfo expectedInfo = new org.bouncycastle.asn1.pkcs.CertificationRequestInfo( new X500Name(name), SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()), new DERSet()); assertEquals(base16().encode(actualInfo.getEncoded()), base16().encode(expectedInfo.getEncoded("DER"))); SignatureAlgorithmIdentifier signatureAlgorithmIdentifier = findSignatureAlgorithmIdentifier( "SHA256withECDSA"); byte[] actualSignature = actualInfo.sign(signatureAlgorithmIdentifier, keyPair.getPrivate()); Signature signature = Signature.getInstance(signatureAlgorithmIdentifier.getName()); signature.initVerify(keyPair.getPublic()); signature.update(actualInfo.getEncoded()); assertTrue(signature.verify(actualSignature)); }
From source file:io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator.java
License:Apache License
static String[] generate(String fqdn, KeyPair keypair, SecureRandom random) throws Exception { PrivateKey key = keypair.getPrivate(); // Prepare the information required for generating an X.509 certificate. X500Name owner = new X500Name("CN=" + fqdn); X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(owner, new BigInteger(64, random), NOT_BEFORE, NOT_AFTER, owner, keypair.getPublic()); ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(key); X509CertificateHolder certHolder = builder.build(signer); X509Certificate cert = new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(certHolder); cert.verify(keypair.getPublic());// w w w . ja va 2 s . c om return newSelfSignedCertificate(fqdn, key, cert); }
From source file:io.vertx.config.vault.utils.Certificates.java
License:Apache License
/** * See http://www.programcreek.com/java-api-examples/index.php?api=org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder * * @param keyPair The RSA keypair with which to generate the certificate * @param issuer The issuer (and subject) to use for the certificate * @return An X509 certificate/*from w w w . j a v a 2s . co m*/ * @throws IOException * @throws OperatorCreationException * @throws CertificateException * @throws NoSuchProviderException * @throws NoSuchAlgorithmException * @throws InvalidKeyException * @throws SignatureException */ private static X509Certificate generateCert(final KeyPair keyPair, final String issuer) throws IOException, OperatorCreationException, CertificateException, NoSuchProviderException, NoSuchAlgorithmException, InvalidKeyException, SignatureException { final String subject = issuer; final X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(new X500Name(issuer), BigInteger.ONE, new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30), new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 30)), new X500Name(subject), SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded())); final GeneralNames subjectAltNames = new GeneralNames(new GeneralName(GeneralName.iPAddress, "127.0.0.1")); certificateBuilder.addExtension(org.bouncycastle.asn1.x509.Extension.subjectAlternativeName, false, subjectAltNames); final AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder() .find("SHA1WithRSAEncryption"); final AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); final BcContentSignerBuilder signerBuilder = new BcRSAContentSignerBuilder(sigAlgId, digAlgId); final AsymmetricKeyParameter keyp = PrivateKeyFactory.createKey(keyPair.getPrivate().getEncoded()); final ContentSigner signer = signerBuilder.build(keyp); final X509CertificateHolder x509CertificateHolder = certificateBuilder.build(signer); final X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(x509CertificateHolder); certificate.checkValidity(new Date()); certificate.verify(keyPair.getPublic()); return certificate; }
From source file:KerberosAPI.Certificate.java
public static X509Certificate createCertFromCSR(PKCS10CertificationRequest csr, KeyPair kp, X509Certificate xCert) {/*from ww w . j a va 2 s . co m*/ Security.addProvider(new BouncyCastleProvider()); //String subject = subj; //proprietaire de la cl signer KeyPair keyPair = kp; X509Certificate x509CertCSR = null; //System.out.print("Cration d'un Certificat partir d'une CSR : "); try { Security.addProvider(new BouncyCastleProvider()); BigInteger bigInt = new BigInteger(String.valueOf(System.currentTimeMillis())); Calendar cal = Calendar.getInstance(); Date notbefore = cal.getTime(); cal.add(Calendar.YEAR, 2); Date notafter = cal.getTime(); AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA1withRSA"); AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); AsymmetricKeyParameter parameterCa = PrivateKeyFactory.createKey(keyPair.getPrivate().getEncoded()); SubjectPublicKeyInfo keyInfo = csr.getSubjectPublicKeyInfo(); X509v3CertificateBuilder myCertificateGenerator = new X509v3CertificateBuilder( new X500Name(xCert.getSubjectDN().getName()), bigInt, notbefore, notafter, csr.getSubject(), keyInfo); ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(parameterCa); myCertificateGenerator.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); myCertificateGenerator.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(xCert)); SubjectKeyIdentifier subjectKeyIdentifier = new JcaX509ExtensionUtils() .createSubjectKeyIdentifier(keyInfo); myCertificateGenerator.addExtension(Extension.subjectKeyIdentifier, false, subjectKeyIdentifier); KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.digitalSignature); myCertificateGenerator.addExtension(Extension.keyUsage, true, keyUsage); X509CertificateHolder holder = myCertificateGenerator.build(sigGen); java.security.cert.Certificate certificate = java.security.cert.CertificateFactory.getInstance("X.509") .generateCertificate(new ByteArrayInputStream(holder.getEncoded())); CertificateFactory cf = CertificateFactory.getInstance("X.509"); ByteArrayInputStream bais = new ByteArrayInputStream(certificate.getEncoded()); x509CertCSR = (X509Certificate) cf.generateCertificate(bais); //cert = (X509Certificate) java.security.cert.CertificateFactory.getInstance("X.509", "BC").generateCertificate(new ByteArrayInputStream(holder.getEncoded())); if (x509CertCSR != null) { //System.out.println("OK"); return x509CertCSR; } } catch (Exception e) { System.err.println("Echec de cration de certificat pour le client avec ce csr: " + e); } return null; }
From source file:KerberosAPI.CSRManager.java
public static PKCS10CertificationRequest generateCSR(String name, KeyPair kp) { Security.addProvider(new BouncyCastleProvider()); PKCS10CertificationRequestBuilder csrBuilder = null; ContentSigner contentSign = null;//from w ww . ja v a 2 s . co m try { KeyPair keyPair = kp; X500Name subject = new X500Name("cn=" + name); SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()); csrBuilder = new PKCS10CertificationRequestBuilder(subject, keyInfo); contentSign = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(keyPair.getPrivate()); return csrBuilder.build(contentSign); } catch (Exception e) { System.out.println("Echec de gnration du CSR : " + e); } return null; }