List of usage examples for org.bouncycastle.asn1.x500 X500Name X500Name
public X500Name(String dirName)
From source file:keywhiz.auth.ldap.LdapAuthenticator.java
License:Apache License
private Set<String> rolesFromDN(String userDN) throws LDAPException, GeneralSecurityException { SearchRequest searchRequest = new SearchRequest(config.getRoleBaseDN(), SearchScope.SUB, Filter.createEqualityFilter("uniqueMember", userDN)); Set<String> roles = Sets.newLinkedHashSet(); LDAPConnection connection = connectionFactory.getLDAPConnection(); try {// ww w .jav a2 s . c o m SearchResult sr = connection.search(searchRequest); for (SearchResultEntry sre : sr.getSearchEntries()) { X500Name x500Name = new X500Name(sre.getDN()); RDN[] rdns = x500Name.getRDNs(BCStyle.CN); if (rdns.length == 0) { logger.error("Could not create X500 Name for role:" + sre.getDN()); } else { String commonName = IETFUtils.valueToString(rdns[0].getFirst().getValue()); roles.add(commonName); } } } finally { connection.close(); } return roles; }
From source file:keywhiz.service.providers.ClientAuthFactory.java
License:Apache License
static Optional<String> getClientName(ContainerRequest request) { Principal principal = request.getSecurityContext().getUserPrincipal(); if (principal == null) { return Optional.empty(); }/*www . j a v a 2s. co m*/ X500Name name = new X500Name(principal.getName()); RDN[] rdns = name.getRDNs(BCStyle.CN); if (rdns.length == 0) { logger.warn("Certificate does not contain CN=xxx,...: {}", principal.getName()); return Optional.empty(); } return Optional.of(IETFUtils.valueToString(rdns[0].getFirst().getValue())); }
From source file:net.etfbl.cryptodigitalcertificate.tool.CryptoDCTool.java
private X509v3CertificateBuilder setupCertificateData(X509Certificate cacert, PKCS10CertificationRequest request) throws CertIOException { X500Name issuer = new X500Name(cacert.getSubjectX500Principal().getName()); BigInteger serial = new BigInteger(32, new SecureRandom()); Date from = new Date(); Date to = new Date(System.currentTimeMillis() + (DEFAULT_NUMBER_OF_DAYS * 86400000L)); X509v3CertificateBuilder certgen = new X509v3CertificateBuilder(issuer, serial, from, to, request.getSubject(), request.getSubjectPublicKeyInfo()); ///*from w ww . j a v a2s. c o m*/ // Setup the certificate extensions // // Basic Constraints certgen.addExtension(Extension.basicConstraints, false, new BasicConstraints(false)); // Authority Key Identifier SubjectPublicKeyInfo caSubjectPublicKeyInfo = SubjectPublicKeyInfo .getInstance(cacert.getPublicKey().getEncoded()); // Key Usage certgen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.nonRepudiation | KeyUsage.keyEncipherment)); return certgen; }
From source file:net.jmhertlein.mcanalytics.api.auth.SSLUtil.java
License:Open Source License
/** * Given a certificate signing request, produce a signed certificate. * * @param caKey/*from www . j a v a 2 s .co m*/ * @param caCert * @param r * @param makeAuthority * @return */ public static X509Certificate fulfillCertRequest(PrivateKey caKey, X509Certificate caCert, PKCS10CertificationRequest r, boolean makeAuthority) { X509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(new X500Name(caCert.getSubjectDN().getName()), // the order of O,OU,CN returned is very important BigInteger.probablePrime(128, new SecureRandom()), Date.from(Instant.now().minusSeconds(1)), Date.from(LocalDateTime.now().plusYears(3).toInstant(ZoneOffset.UTC)), r.getSubject(), getPublicKeyFromInfo(r.getSubjectPublicKeyInfo())); try { b.addExtension(Extension.basicConstraints, true, new BasicConstraints(makeAuthority)); } catch (CertIOException ex) { Logger.getLogger(SSLUtil.class.getName()).log(Level.SEVERE, null, ex); } try { ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider("BC").build(caKey); X509CertificateHolder build = b.build(signer); return new JcaX509CertificateConverter().setProvider("BC").getCertificate(build); } catch (OperatorCreationException | CertificateException ex) { Logger.getLogger(SSLUtil.class.getName()).log(Level.SEVERE, null, ex); return null; } }
From source file:net.maritimecloud.identityregistry.keycloak.spi.authenticators.certificate.utils.CertificateUtil.java
License:Apache License
public Map<String, String> getUserFromCert(X509Certificate userCertificate) { Map<String, String> user = new HashMap<>(); String certDN = userCertificate.getSubjectDN().getName(); X500Name x500name = new X500Name(certDN); logger.warn("Parsed certificate, DN: " + certDN); String fullname = getElement(x500name, BCStyle.CN); user.put("fullname", fullname); String combinedOrg = getElement(x500name, BCStyle.O); user.put("email", getElement(x500name, BCStyle.EmailAddress)); // Extract first and last name from full name String lastName = ""; String firstName = ""; if (fullname.split("\\w+").length > 1) { lastName = fullname.substring(fullname.lastIndexOf(" ") + 1); firstName = fullname.substring(0, fullname.lastIndexOf(' ')); } else {/*from w w w . j a v a2 s . c o m*/ firstName = fullname; } user.put("lastName", lastName); user.put("firstName", firstName); String[] orgNames = combinedOrg.split(";"); String orgShortName = orgNames[0].toLowerCase(); user.put("orgShortName", orgShortName); user.put("orgFullName", orgNames[1]); // prefix orgUserName with org shortname if not already done String orgUserName = getElement(x500name, BCStyle.UID).toLowerCase(); if (!orgUserName.startsWith(orgShortName + ".")) { orgUserName = orgShortName.toLowerCase() + "." + orgUserName; } user.put("orgUserName", orgUserName); user.put("type", getElement(x500name, BCStyle.OU)); // Extract info from Subject Alternative Name extension Collection<List<?>> san = null; try { san = userCertificate.getSubjectAlternativeNames(); } catch (CertificateParsingException e) { logger.warn("could not extract info from Subject Alternative Names - will be ignored."); } // Check that the certificate includes the SubjectAltName extension if (san != null) { // Use the type OtherName to search for the certified server name for (List item : san) { Integer type = (Integer) item.get(0); if (type == 0) { // Type OtherName found so return the associated value ASN1InputStream decoder = null; String oid = ""; String value = ""; try { // Value is encoded using ASN.1 so decode it to get it out again decoder = new ASN1InputStream((byte[]) item.toArray()[1]); DLSequence seq = (DLSequence) decoder.readObject(); ASN1ObjectIdentifier asnOID = (ASN1ObjectIdentifier) seq.getObjectAt(0); ASN1Encodable encoded = seq.getObjectAt(1); encoded = ((DERTaggedObject) encoded).getObject(); encoded = ((DERTaggedObject) encoded).getObject(); oid = asnOID.getId(); value = ((DERUTF8String) encoded).getString(); } catch (UnsupportedEncodingException e) { logger.error("Error decoding subjectAltName" + e.getLocalizedMessage(), e); continue; } catch (Exception e) { logger.error("Error decoding subjectAltName" + e.getLocalizedMessage(), e); continue; } finally { if (decoder != null) { try { decoder.close(); } catch (IOException e) { } } } logger.debug("oid: " + oid + ", value: " + value); switch (oid) { case MC_OID_FLAGSTATE: case MC_OID_CALLSIGN: case MC_OID_IMO_NUMBER: case MC_OID_MMSI_NUMBER: case MC_OID_AIS_SHIPTYPE: case MC_OID_PORT_OF_REGISTER: logger.debug("Ship specific OIDs are ignored"); break; case MC_OID_MRN: // We only support 1 mrn user.put("mrn", value); break; case MC_OID_PERMISSIONS: user.put("permissions", value); break; default: logger.error("Unknown OID!"); break; } } else { // Other types are not supported so ignore them logger.warn("SubjectAltName of invalid type found: " + type); } } } return user; }
From source file:net.maritimecloud.identityregistry.security.x509.X509UserDetailsService.java
License:Apache License
@Override public UserDetails loadUserByUsername(String certDN) throws UsernameNotFoundException { logger.debug("certDN: " + certDN); SimpleGrantedAuthority role = new SimpleGrantedAuthority("ROLE_USER"); Collection<GrantedAuthority> roles = new ArrayList<>(); roles.add(role);/*from www . jav a 2 s.c om*/ X500Name x500name = new X500Name(certDN); //User user = new User(getElement(x500name, BCStyle.CN), "", true /*enabled*/, true /* not-expired */, true /* cred-not-expired*/, true /* not-locked*/, roles); //InetOrgPerson person = new InetOrgPerson(); InetOrgPerson.Essence essence = new InetOrgPerson.Essence(); String name = CertificateHandler.getElement(x500name, BCStyle.CN); essence.setUsername(name); essence.setUid(name); essence.setDn(certDN); essence.setCn(new String[] { name }); essence.setSn(name); essence.setO(CertificateHandler.getElement(x500name, BCStyle.O)); essence.setOu(CertificateHandler.getElement(x500name, BCStyle.OU)); essence.setAuthorities(roles); essence.setDescription(certDN); logger.debug("Parsed certificate, name: " + name); return essence.createUserDetails(); }
From source file:net.maritimecloud.identityregistry.security.X509UserDetailsService.java
License:Apache License
@Override public UserDetails loadUserByUsername(String certDN) throws UsernameNotFoundException { SimpleGrantedAuthority role = new SimpleGrantedAuthority("ROLE_USER"); Collection<GrantedAuthority> roles = new ArrayList<GrantedAuthority>(); roles.add(role);//from w w w . jav a2s . com X500Name x500name = new X500Name(certDN); //User user = new User(getElement(x500name, BCStyle.CN), "", true /*enabled*/, true /* not-expired */, true /* cred-not-expired*/, true /* not-locked*/, roles); //InetOrgPerson person = new InetOrgPerson(); InetOrgPerson.Essence essence = new InetOrgPerson.Essence(); String name = getElement(x500name, BCStyle.CN); essence.setUsername(name); essence.setUid(name); essence.setDn(certDN); essence.setCn(new String[] { name }); essence.setSn(name); essence.setO(getElement(x500name, BCStyle.O)); essence.setOu(getElement(x500name, BCStyle.OU)); essence.setAuthorities(roles); essence.setDescription(certDN); return essence.createUserDetails(); }
From source file:net.maritimecloud.identityregistry.utils.CertificateUtil.java
License:Apache License
/** * Generates a self-signed certificate based on the keypair and saves it in the keystore. * Should only be used to init the CA./*from www . j a va2 s. com*/ */ public void initCA(String rootCertX500Name, String mcidregCertX500Name, String crlUrl, String ocspUrl, String outputCaCrlPath) { if (KEYSTORE_PASSWORD == null) { KEYSTORE_PASSWORD = "changeit"; } if (ROOT_KEYSTORE_PATH == null) { ROOT_KEYSTORE_PATH = "mc-root-keystore.jks"; } if (INTERMEDIATE_KEYSTORE_PATH == null) { INTERMEDIATE_KEYSTORE_PATH = "mc-it-keystore.jks"; } if (TRUSTSTORE_PASSWORD == null) { TRUSTSTORE_PASSWORD = "changeit"; } if (TRUSTSTORE_PATH == null) { TRUSTSTORE_PATH = "mc-truststore.jks"; } if (CRL_URL == null) { CRL_URL = crlUrl; } if (OCSP_URL == null) { OCSP_URL = ocspUrl; } KeyPair cakp = generateKeyPair(); KeyPair imkp = generateKeyPair(); KeyStore rootks = null; KeyStore itks; KeyStore ts; FileOutputStream rootfos = null; FileOutputStream itfos = null; FileOutputStream tsfos = null; try { rootks = KeyStore.getInstance(KEYSTORE_TYPE); // KeyStore.getDefaultType() rootks.load(null, KEYSTORE_PASSWORD.toCharArray()); itks = KeyStore.getInstance(KEYSTORE_TYPE); // KeyStore.getDefaultType() itks.load(null, KEYSTORE_PASSWORD.toCharArray()); // Store away the keystore. rootfos = new FileOutputStream(ROOT_KEYSTORE_PATH); itfos = new FileOutputStream(INTERMEDIATE_KEYSTORE_PATH); X509Certificate cacert; try { cacert = buildAndSignCert(generateSerialNumber(), cakp.getPrivate(), cakp.getPublic(), cakp.getPublic(), new X500Name(rootCertX500Name), new X500Name(rootCertX500Name), null, "ROOTCA"); } catch (Exception e) { throw new RuntimeException(e.getMessage(), e); } X509Certificate imcert; try { imcert = buildAndSignCert(generateSerialNumber(), cakp.getPrivate(), cakp.getPublic(), imkp.getPublic(), new X500Name(rootCertX500Name), new X500Name(mcidregCertX500Name), null, "INTERMEDIATE"); } catch (Exception e) { throw new RuntimeException(e.getMessage(), e); } Certificate[] certChain = new Certificate[1]; certChain[0] = cacert; rootks.setKeyEntry(ROOT_CERT_ALIAS, cakp.getPrivate(), KEYSTORE_PASSWORD.toCharArray(), certChain); rootks.store(rootfos, KEYSTORE_PASSWORD.toCharArray()); rootks = KeyStore.getInstance(KeyStore.getDefaultType()); rootks.load(null, KEYSTORE_PASSWORD.toCharArray()); certChain = new Certificate[2]; certChain[0] = imcert; certChain[1] = cacert; itks.setKeyEntry(INTERMEDIATE_CERT_ALIAS, imkp.getPrivate(), KEYSTORE_PASSWORD.toCharArray(), certChain); itks.store(itfos, KEYSTORE_PASSWORD.toCharArray()); // Store away the truststore. ts = KeyStore.getInstance(KeyStore.getDefaultType()); ts.load(null, TRUSTSTORE_PASSWORD.toCharArray()); tsfos = new FileOutputStream(TRUSTSTORE_PATH); ts.setCertificateEntry(ROOT_CERT_ALIAS, cacert); ts.setCertificateEntry(INTERMEDIATE_CERT_ALIAS, imcert); ts.store(tsfos, TRUSTSTORE_PASSWORD.toCharArray()); } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) { throw new RuntimeException(e.getMessage(), e); } finally { safeClose(rootfos); safeClose(itfos); safeClose(tsfos); KeyStore.ProtectionParameter protParam = new KeyStore.PasswordProtection( KEYSTORE_PASSWORD.toCharArray()); PrivateKeyEntry rootCertEntry; try { rootCertEntry = (PrivateKeyEntry) rootks.getEntry(ROOT_CERT_ALIAS, protParam); generateRootCACRL(rootCertX500Name, null, rootCertEntry, outputCaCrlPath); } catch (NoSuchAlgorithmException | UnrecoverableEntryException | KeyStoreException e) { // todo, I think is an irrecoverable state, but we should not throw exception from finally, perhaps this code should not be in a finally block log.error("unable to generate RootCACRL", e); } } }
From source file:net.maritimecloud.identityregistry.utils.CertificateUtil.java
License:Apache License
/** * Generates a signed certificate for an entity. * /*from w ww .j a v a2 s . com*/ * @param country The country of org/entity * @param orgName The name of the organization the entity belongs to * @param type The type of the entity * @param callName The name of the entity * @param email The email of the entity * @param publickey The public key of the entity * @return Returns a signed X509Certificate */ public X509Certificate generateCertForEntity(BigInteger serialNumber, String country, String orgName, String type, String callName, String email, String uid, PublicKey publickey, Map<String, String> customAttr) { PrivateKeyEntry signingCertEntry = getSigningCertEntry(); java.security.cert.Certificate signingCert = signingCertEntry.getCertificate(); X509Certificate signingX509Cert = (X509Certificate) signingCert; // Try to find the correct country code, else we just use the country name as code String orgCountryCode = country; String[] locales = Locale.getISOCountries(); for (String countryCode : locales) { Locale loc = new Locale("", countryCode); if (loc.getDisplayCountry(Locale.ENGLISH).equals(orgCountryCode)) { orgCountryCode = loc.getCountry(); break; } } String orgSubjectDn = "C=" + orgCountryCode + ", " + "O=" + orgName + ", " + "OU=" + type + ", " + "CN=" + callName + ", " + "UID=" + uid; if (email != null && !email.isEmpty()) { orgSubjectDn += ", " + "E=" + email; } X509Certificate orgCert = null; try { orgCert = buildAndSignCert(serialNumber, signingCertEntry.getPrivateKey(), signingX509Cert.getPublicKey(), publickey, new JcaX509CertificateHolder(signingX509Cert).getSubject(), new X500Name(orgSubjectDn), customAttr, "ENTITY"); } catch (Exception e) { // TODO Auto-generated catch block e.printStackTrace(); } return orgCert; }
From source file:net.maritimecloud.identityregistry.utils.CertificateUtil.java
License:Apache License
/** * Creates a Certificate Revocation List (CRL) for the certificate serialnumbers given. * //from w w w. j ava2s . c o m * @param revokedCerts List of the serialnumbers that should be revoked. * @return a X509 certificate */ public X509CRL generateCRL(List<net.maritimecloud.identityregistry.model.database.Certificate> revokedCerts) { Date now = new Date(); Calendar cal = Calendar.getInstance(); cal.setTime(now); cal.add(Calendar.DATE, 7); X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(new X500Name(MCIDREG_CERT_X500_NAME), now); crlBuilder.setNextUpdate(new Date(now.getTime() + 24 * 60 * 60 * 1000 * 7)); // The next CRL is next week (dummy value) for (net.maritimecloud.identityregistry.model.database.Certificate cert : revokedCerts) { String certReason = cert.getRevokeReason().toLowerCase(); int reason = getCRLReasonFromString(certReason); crlBuilder.addCRLEntry(cert.getSerialNumber(), cert.getRevokedAt(), reason); } //crlBuilder.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert)); //crlBuilder.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(BigInteger.valueOf(1))); PrivateKeyEntry keyEntry = getSigningCertEntry(); JcaContentSignerBuilder signBuilder = new JcaContentSignerBuilder(SIGNER_ALGORITHM); signBuilder.setProvider(BC_PROVIDER_NAME); ContentSigner signer; try { signer = signBuilder.build(keyEntry.getPrivateKey()); } catch (OperatorCreationException e1) { // TODO Auto-generated catch block e1.printStackTrace(); return null; } X509CRLHolder cRLHolder = crlBuilder.build(signer); JcaX509CRLConverter converter = new JcaX509CRLConverter(); converter.setProvider(BC_PROVIDER_NAME); X509CRL crl = null; try { crl = converter.getCRL(cRLHolder); } catch (CRLException e) { // TODO Auto-generated catch block e.printStackTrace(); } return crl; }