List of usage examples for org.bouncycastle.asn1.x500 X500Name X500Name
public X500Name(String dirName)
From source file:org.apache.airavata.gfac.impl.task.utils.bes.MyProxyLogon.java
License:Apache License
/**
 * Builds a PKCS#10 certification request for {@code dn}, signed with the private half of {@code kp}.
 *
 * @param dn subject distinguished name in string form, parsed by {@link X500Name#X500Name(String)}
 * @param kp RSA key pair; the public key is embedded in the request, the private key signs it
 * @return the signed certification request
 * @throws Exception if either key cannot be converted or the signer cannot be built
 */
private org.bouncycastle.pkcs.PKCS10CertificationRequest generateCertificationRequest(String dn, KeyPair kp)
        throws Exception {
    // Convert both JCA keys into lightweight BC parameters up front.
    AsymmetricKeyParameter publicParam = PublicKeyFactory.createKey(kp.getPublic().getEncoded());
    AsymmetricKeyParameter privateParam = PrivateKeyFactory.createKey(kp.getPrivate().getEncoded());

    SubjectPublicKeyInfo spki = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(publicParam);
    PKCS10CertificationRequestBuilder requestBuilder =
            new PKCS10CertificationRequestBuilder(new X500Name(dn), spki);

    // NOTE(review): the request is signed with sha1WithRSA. SHA-1 signatures are rejected by many
    // current CAs and verifiers — confirm the peer actually requires this before keeping it.
    AlgorithmIdentifier signatureAlg = new AlgorithmIdentifier(OIWObjectIdentifiers.sha1WithRSA);
    AlgorithmIdentifier digestAlg = AlgorithmIdentifier.getInstance(OIWObjectIdentifiers.idSHA1);
    ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlg, digestAlg).build(privateParam);
    return requestBuilder.build(signer);
}
From source file:org.apache.cloudstack.utils.security.CertUtils.java
License:Apache License
/**
 * Issues a version-1 X.509 certificate (no extensions) for {@code subject}, signed with the private
 * key of {@code keyPair} through the BC provider.
 *
 * <p>The validity window starts one day before now (UTC) and ends {@code validityYears} years later.
 * The serial number comes from {@code generateRandomBigInt()}.
 *
 * @param keyPair key pair whose public key is certified and whose private key signs the certificate
 * @param subject subject DN in string form
 * @param issuer issuer DN in string form
 * @param validityYears number of years the certificate stays valid
 * @param signatureAlgorithm JCA signature algorithm name handed to the BC provider
 * @return the certificate converted to a JCA {@link X509Certificate}
 */
public static X509Certificate generateV1Certificate(final KeyPair keyPair, final String subject,
        final String issuer, final int validityYears, final String signatureAlgorithm)
        throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException,
        SignatureException, InvalidKeyException, OperatorCreationException {
    final DateTime utcNow = DateTime.now(DateTimeZone.UTC);

    final ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm)
            .setProvider("BC")
            .build(keyPair.getPrivate());

    final X509v1CertificateBuilder v1Builder = new JcaX509v1CertificateBuilder(
            new X500Name(issuer),
            generateRandomBigInt(),
            utcNow.minusDays(1).toDate(),
            utcNow.plusYears(validityYears).toDate(),
            new X500Name(subject),
            keyPair.getPublic());

    final X509CertificateHolder holder = v1Builder.build(signer);
    return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
}
From source file:org.apache.cloudstack.utils.security.CertUtils.java
License:Apache License
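/**
 * Issues a version-3 X.509 certificate with the BC provider.
 *
 * <p>When {@code caCert} is {@code null} the result is a self-signed CA certificate for
 * {@code subject} (critical basicConstraints CA:true, critical keyUsage keyCertSign|cRLSign);
 * otherwise it is an end-entity certificate issued by {@code caCert} carrying an
 * authorityKeyIdentifier derived from it. In both cases a subjectKeyIdentifier is added and every
 * non-empty entry of {@code publicIPAddresses} and {@code dnsNames} becomes a
 * subjectAlternativeName. The built certificate is verified against the expected signing key
 * before it is returned, so a mismatched {@code caCert}/{@code caKeyPair} fails here rather than
 * at first use.
 *
 * @param caCert issuing CA certificate, or {@code null} to create a self-signed CA
 * @param caKeyPair key pair whose private key signs the certificate (its public key is what a
 *        self-signed result is verified against)
 * @param clientPublicKey public key to certify
 * @param subject subject DN in string form
 * @param signatureAlgorithm JCA signature algorithm name
 * @param validityDays days from now until {@code notAfter}
 * @param dnsNames DNS SAN entries; {@code null} list or blank entries are skipped
 * @param publicIPAddresses IP-address SAN entries; {@code null} list or blank entries are skipped
 * @return the issued certificate
 */
public static X509Certificate generateV3Certificate(final X509Certificate caCert, final KeyPair caKeyPair,
        final PublicKey clientPublicKey, final String subject, final String signatureAlgorithm,
        final int validityDays, final List<String> dnsNames, final List<String> publicIPAddresses)
        throws IOException, NoSuchAlgorithmException, CertificateException, NoSuchProviderException,
        InvalidKeyException, SignatureException, OperatorCreationException {
    final DateTime now = DateTime.now(DateTimeZone.UTC);
    final BigInteger serial = generateRandomBigInt();
    final JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();

    // notBefore is back-dated 12 hours — presumably to tolerate clock skew between hosts; confirm.
    final X509v3CertificateBuilder certBuilder;
    if (caCert == null) {
        // Generate CA certificate: issuer == subject, allowed to sign certificates and CRLs.
        certBuilder = new JcaX509v3CertificateBuilder(new X500Name(subject), serial,
                now.minusHours(12).toDate(), now.plusDays(validityDays).toDate(),
                new X500Name(subject), clientPublicKey);
        certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        certBuilder.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
    } else {
        // Generate client certificate chained to caCert; the AKI lets verifiers locate the CA key.
        // NOTE(review): this branch parses the subject with X500Principal while the CA branch uses
        // X500Name — the two may encode RDN order differently; confirm that is intended.
        certBuilder = new JcaX509v3CertificateBuilder(caCert, serial,
                now.minusHours(12).toDate(), now.plusDays(validityDays).toDate(),
                new X500Principal(subject), clientPublicKey);
        certBuilder.addExtension(Extension.authorityKeyIdentifier, false,
                extUtils.createAuthorityKeyIdentifier(caCert));
    }
    certBuilder.addExtension(Extension.subjectKeyIdentifier, false,
            extUtils.createSubjectKeyIdentifier(clientPublicKey));

    final List<ASN1Encodable> altNames = collectSubjectAlternativeNames(dnsNames, publicIPAddresses);
    if (!altNames.isEmpty()) {
        final GeneralNames subjectAltNames = GeneralNames.getInstance(
                new DERSequence(altNames.toArray(new ASN1Encodable[0])));
        certBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
    }

    final ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).setProvider("BC")
            .build(caKeyPair.getPrivate());
    final X509CertificateHolder certHolder = certBuilder.build(signer);
    final X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC")
            .getCertificate(certHolder);

    // Fail fast if the signature does not check out against the key it is supposed to be under.
    cert.verify(caCert != null ? caCert.getPublicKey() : caKeyPair.getPublic());
    return cert;
}

/**
 * Collects SAN entries in the order the original code used: every non-blank IP address first,
 * then every non-blank DNS name. Either list may be {@code null}.
 *
 * @param dnsNames DNS names, may be {@code null}
 * @param publicIPAddresses IP addresses, may be {@code null}
 * @return a mutable list of {@link GeneralName} values, empty when nothing qualifies
 */
private static List<ASN1Encodable> collectSubjectAlternativeNames(final List<String> dnsNames,
        final List<String> publicIPAddresses) {
    final List<ASN1Encodable> names = new ArrayList<ASN1Encodable>();
    if (publicIPAddresses != null) {
        for (final String publicIPAddress : publicIPAddresses) {
            if (!Strings.isNullOrEmpty(publicIPAddress)) {
                names.add(new GeneralName(GeneralName.iPAddress, publicIPAddress));
            }
        }
    }
    if (dnsNames != null) {
        for (final String dnsName : dnsNames) {
            if (!Strings.isNullOrEmpty(dnsName)) {
                names.add(new GeneralName(GeneralName.dNSName, dnsName));
            }
        }
    }
    return names;
}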
From source file:org.apache.felix.deploymentadmin.itest.util.CertificateUtil.java
License:Apache License
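/**
 * Creates a short-lived self-signed certificate for {@code commonName} (used as both issuer and
 * subject) over the public key of {@code keypair}.
 *
 * <p>The certificate is valid from one second ago until six seconds after that, carries a critical
 * basicConstraints extension with CA:false, and is signed with the algorithm {@code DPSigner}
 * derives from the public key.
 *
 * @param commonName distinguished name in string form, e.g. {@code "CN=test"}
 * @param keypair key pair to certify and to sign with
 * @return the self-signed certificate
 * @throws Exception if the public key cannot be decoded or the certificate cannot be built
 */
private static X509Certificate createSelfSignedCert(String commonName, KeyPair keypair) throws Exception {
    PublicKey publicKey = keypair.getPublic();
    String keyAlg = DPSigner.getSignatureAlgorithm(publicKey);
    X500Name issuer = new X500Name(commonName);
    // Serial numbers should not be predictable; java.util.Random is not a cryptographic generator,
    // so draw the serial from a CSPRNG even for a certificate that only lives a few seconds.
    BigInteger serial = BigInteger.probablePrime(16, new java.security.SecureRandom());
    Date notBefore = new Date(System.currentTimeMillis() - 1000);
    Date notAfter = new Date(notBefore.getTime() + 6000);

    // Re-parse the JCA encoding into BC's SubjectPublicKeyInfo structure.
    SubjectPublicKeyInfo pubKeyInfo;
    try (ASN1InputStream is = new ASN1InputStream(publicKey.getEncoded())) {
        pubKeyInfo = SubjectPublicKeyInfo.getInstance(is.readObject());
    }

    X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuer, serial, notBefore, notAfter,
            issuer, pubKeyInfo);
    // Critical CA:false, so this certificate cannot be used to issue further certificates.
    builder.addExtension(new Extension(Extension.basicConstraints, true,
            new DEROctetString(new BasicConstraints(false))));

    X509CertificateHolder certHolder = builder
            .build(new JcaContentSignerBuilder(keyAlg).build(keypair.getPrivate()));
    return new JcaX509CertificateConverter().getCertificate(certHolder);
}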
From source file:org.apache.hadoop.security.ssl.KeyStoreTestUtil.java
License:Apache License
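/**
 * Create a self-signed X.509 Certificate.
 *
 * <p>The same name is used as issuer and subject; validity runs from now for {@code days} days and
 * the serial is a 64-bit value drawn from {@link SecureRandom}.
 *
 * @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
 * @param pair the KeyPair
 * @param days how many days from now the Certificate is valid for
 * @param algorithm the signing algorithm, eg "SHA1withRSA"
 * @return the self-signed certificate
 * @throws InvalidKeyException if the BC signer or the certificate conversion fails; the original
 *         {@code OperatorCreationException}/{@code CertificateException} is kept as the cause
 */
@SuppressWarnings("deprecation")
public static X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
        throws CertificateEncodingException, InvalidKeyException, IllegalStateException,
        NoSuchProviderException, NoSuchAlgorithmException, SignatureException {
    Date from = new Date();
    // 86400000 ms per day; the long literal keeps the multiplication out of int range.
    Date to = new Date(from.getTime() + days * 86400000l);
    BigInteger sn = new BigInteger(64, new SecureRandom());
    X500Name x500Name = new X500Name(dn);
    try {
        ContentSigner sigGen = new JcaContentSignerBuilder(algorithm).setProvider("BC")
                .build(pair.getPrivate());
        X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(x500Name, sn, from, to,
                x500Name, pair.getPublic());
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certGen.build(sigGen));
    } catch (OperatorCreationException | CertificateException ex) {
        throw new InvalidKeyException(ex);
    }
}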
From source file:org.apache.hadoop.security.ssl.KeyStoreTestUtil.java
License:Apache License
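/**
 * Issues a certificate for {@code dn} over the public key of {@code pair}, signed by the CA given
 * as {@code caKey}/{@code caCert} and valid from now for {@code days} days.
 *
 * <p>The issuer name is taken from the CA certificate's DER-encoded subject rather than re-parsed
 * from {@code X500Principal.getName()}: the string round trip can reverse RDN order or change
 * string types, leaving an issuer field that no longer matches the CA subject and so breaks chain
 * building. An authorityKeyIdentifier (from the CA public key) and a subjectKeyIdentifier (from
 * {@code pair}) are added.
 *
 * @param dn subject DN in string form
 * @param pair key pair whose public key is certified
 * @param days validity in days from now
 * @param algorithm JCA signature algorithm name
 * @param caKey private key of the issuing CA
 * @param caCert certificate of the issuing CA
 * @return the issued certificate
 * @throws InvalidKeyException wrapping any BC operator, certificate or extension-encoding failure
 */
public static X509Certificate generateSignedCertificate(String dn, KeyPair pair, int days, String algorithm,
        PrivateKey caKey, X509Certificate caCert) throws CertificateParsingException,
        CertificateEncodingException, NoSuchAlgorithmException, SignatureException, InvalidKeyException,
        NoSuchProviderException {
    Date from = new Date();
    // 86400000 ms per day; the long literal keeps the multiplication out of int range.
    Date to = new Date(from.getTime() + days * 86400000l);
    BigInteger sn = new BigInteger(64, new SecureRandom());
    X500Name x500Name = new X500Name(dn);
    // Preserve the CA subject's exact encoding as this certificate's issuer.
    X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
    try {
        JcaX509ExtensionUtils extUtil = new JcaX509ExtensionUtils();
        ContentSigner sigGen = new JcaContentSignerBuilder(algorithm).setProvider("BC").build(caKey);
        X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(issuer, sn, from, to, x500Name,
                pair.getPublic())
                .addExtension(Extension.authorityKeyIdentifier, false,
                        extUtil.createAuthorityKeyIdentifier(caCert.getPublicKey()))
                .addExtension(Extension.subjectKeyIdentifier, false,
                        extUtil.createSubjectKeyIdentifier(pair.getPublic()));
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certGen.build(sigGen));
    } catch (OperatorCreationException | CertificateException | CertIOException ex) {
        throw new InvalidKeyException(ex);
    }
}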
From source file:org.apache.hadoop.security.ssl.KeyStoreTestUtil.java
License:Apache License
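/**
 * Builds and signs a CRL for the CA {@code caCert}/{@code caPrivateKey}.
 *
 * <p>{@code thisUpdate} is the start of today and {@code nextUpdate} the start of the day one week
 * later, both in the system default zone. Entries of {@code existingCRL}, when given, are carried
 * over and {@code serialNumberToRevoke}, when given, is added with reason
 * {@code privilegeWithdrawn}. The issuer is taken from the CA certificate's DER-encoded subject so
 * it matches the CA byte-for-byte; re-parsing {@code X500Principal.getName()} can reverse RDN
 * order and yield a CRL that verifiers do not associate with this CA.
 *
 * @param caCert CA certificate whose subject becomes the CRL issuer and whose key feeds the AKI
 * @param caPrivateKey key that signs the CRL
 * @param signAlgorith JCA signature algorithm name
 * @param existingCRL CRL whose entries are merged into the new one, or {@code null}
 * @param serialNumberToRevoke serial to add as revoked, or {@code null}
 * @return the signed CRL
 * @throws GeneralSecurityException wrapping extension-encoding or signer-creation failures
 */
public static X509CRL generateCRL(X509Certificate caCert, PrivateKey caPrivateKey, String signAlgorith,
        X509CRL existingCRL, BigInteger serialNumberToRevoke) throws GeneralSecurityException {
    LocalDate currentTime = LocalDate.now();
    Date nowDate = Date.from(currentTime.atStartOfDay(ZoneId.systemDefault()).toInstant());
    LocalDate nextUpdate = currentTime.plus(1, ChronoUnit.WEEKS);
    Date nextUpdateDate = Date.from(nextUpdate.atStartOfDay(ZoneId.systemDefault()).toInstant());

    // Preserve the CA subject's exact encoding as the CRL issuer.
    X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
    X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(issuer, nowDate);
    crlBuilder.setNextUpdate(nextUpdateDate);
    if (existingCRL != null) {
        crlBuilder.addCRL(new JcaX509CRLHolder(existingCRL));
    }
    if (serialNumberToRevoke != null) {
        crlBuilder.addCRLEntry(serialNumberToRevoke, nowDate, CRLReason.privilegeWithdrawn);
    }

    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
    try {
        crlBuilder.addExtension(Extension.authorityKeyIdentifier, false,
                extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));
        // NOTE(review): cRLNumber is always 1, even when extending existingCRL; RFC 5280 expects it to
        // increase with each new CRL — confirm whether any consumer relies on it.
        crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.ONE));
        X509CRLHolder crlHolder = crlBuilder
                .build(new JcaContentSignerBuilder(signAlgorith).setProvider("BC").build(caPrivateKey));
        return new JcaX509CRLConverter().setProvider("BC").getCRL(crlHolder);
    } catch (CertIOException | OperatorCreationException ex) {
        throw new GeneralSecurityException(ex);
    }
}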
From source file:org.apache.jmeter.assertions.SMIMEAssertion.java
License:Apache License
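/**
 * Verifies the S/MIME signature of {@code s} according to the checks enabled on
 * {@code testElement} and reports the outcome as an {@link AssertionResult}.
 *
 * <p>Only the first signer is examined (a warning is logged when there are more). Its certificate
 * is looked up in the message's certificate store; without one the assertion fails. Depending on
 * the test element's flags the signature is cryptographically verified, the signer certificate is
 * compared against the configured serial/e-mail/subject/issuer constraints, and/or compared
 * against the certificate loaded from the configured file. Later checks overwrite the failure
 * message of earlier ones.
 *
 * @param testElement configuration of which checks to run and their expected values
 * @param s parsed signed message
 * @param name name given to the assertion result
 * @return the assertion result; failure or error is set together with a descriptive message
 * @throws CMSException if the signature cannot be processed
 */
private static AssertionResult verifySignature(SMIMEAssertionTestElement testElement, SMIMESignedParser s,
        String name) throws CMSException {
    AssertionResult res = new AssertionResult(name);
    try {
        Store certs = s.getCertificates();
        SignerInformationStore signers = s.getSignerInfos();
        Iterator<?> signerIt = signers.getSigners().iterator();
        if (signerIt.hasNext()) {
            SignerInformation signer = (SignerInformation) signerIt.next();
            Iterator<?> certIt = certs.getMatches(signer.getSID()).iterator();
            if (certIt.hasNext()) {
                // the signer certificate
                X509CertificateHolder cert = (X509CertificateHolder) certIt.next();
                if (testElement.isVerifySignature()) {
                    checkSignatureValidity(signer, cert, res);
                }
                if (testElement.isSignerCheckConstraints()) {
                    checkSignerConstraints(testElement, cert, res);
                }
                if (testElement.isSignerCheckByFile()) {
                    checkSignerCertificateFile(testElement, cert, res);
                }
            } else {
                res.setFailure(true);
                res.setFailureMessage("No signer certificate found in signature");
            }
        }
        // TODO support multiple signers
        if (signerIt.hasNext()) {
            log.warn("SMIME message contains multiple signers! Checking multiple signers is not supported.");
        }
    } catch (GeneralSecurityException e) {
        log.error(e.getMessage(), e);
        res.setError(true);
        res.setFailureMessage(e.getMessage());
    } catch (FileNotFoundException e) {
        res.setFailure(true);
        res.setFailureMessage("certificate file not found: " + e.getMessage());
    }
    return res;
}

/**
 * Marks {@code res} as failed unless the signature of {@code signer} verifies under {@code cert}.
 * A failure to build the verifier is logged and counted as an invalid signature.
 *
 * @param signer signer information taken from the message
 * @param cert certificate matched to the signer
 * @param res result to update on failure
 * @throws CMSException if the signature cannot be processed
 */
private static void checkSignatureValidity(SignerInformation signer, X509CertificateHolder cert,
        AssertionResult res) throws CMSException {
    SignerInformationVerifier verifier = null;
    try {
        verifier = new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert);
    } catch (OperatorCreationException e) {
        log.error("Can't create a provider", e);
    }
    if (verifier == null || !signer.verify(verifier)) {
        res.setFailure(true);
        res.setFailureMessage("Signature is invalid");
    }
}

/**
 * Compares the signer certificate with the serial number, e-mail address, subject DN and issuer DN
 * configured on {@code testElement}. Each non-blank constraint that does not match appends a line
 * to the failure message and marks {@code res} as failed.
 *
 * @param testElement source of the expected values
 * @param cert signer certificate under test
 * @param res result to update on failure
 */
private static void checkSignerConstraints(SMIMEAssertionTestElement testElement, X509CertificateHolder cert,
        AssertionResult res) {
    StringBuilder failureMessage = new StringBuilder();

    String serial = testElement.getSignerSerial();
    if (!JOrphanUtils.isBlank(serial)) {
        BigInteger serialNbr = readSerialNumber(serial);
        if (!serialNbr.equals(cert.getSerialNumber())) {
            res.setFailure(true);
            failureMessage.append("Serial number ").append(serialNbr)
                    .append(" does not match serial from signer certificate: ")
                    .append(cert.getSerialNumber()).append("\n");
        }
    }

    String email = testElement.getSignerEmail();
    if (!JOrphanUtils.isBlank(email)) {
        List<String> emailFromCert = getEmailFromCert(cert);
        if (!emailFromCert.contains(email)) {
            res.setFailure(true);
            failureMessage.append("Email address \"").append(email)
                    .append("\" not present in signer certificate\n");
        }
    }

    String subject = testElement.getSignerDn();
    if (!subject.isEmpty()) {
        final X500Name certPrincipal = cert.getSubject();
        log.debug("DN from cert: " + certPrincipal.toString());
        X500Name principal = new X500Name(subject);
        log.debug("DN from assertion: " + principal.toString());
        if (!principal.equals(certPrincipal)) {
            res.setFailure(true);
            failureMessage.append("Distinguished name of signer certificate does not match \"")
                    .append(subject).append("\"\n");
        }
    }

    String issuer = testElement.getIssuerDn();
    if (!issuer.isEmpty()) {
        final X500Name issuerX500Name = cert.getIssuer();
        log.debug("IssuerDN from cert: " + issuerX500Name.toString());
        X500Name principal = new X500Name(issuer);
        log.debug("IssuerDN from assertion: " + principal);
        if (!principal.equals(issuerX500Name)) {
            res.setFailure(true);
            // Report the issuer DN that was expected (this used to echo the subject DN instead).
            failureMessage.append("Issuer distinguished name of signer certificate does not match \"")
                    .append(issuer).append("\"\n");
        }
    }

    if (failureMessage.length() > 0) {
        res.setFailureMessage(failureMessage.toString());
    }
}

/**
 * Loads the X.509 certificate from the file configured on {@code testElement} and marks
 * {@code res} as failed unless it equals the signer certificate.
 *
 * @param testElement source of the certificate file path
 * @param cert signer certificate under test
 * @param res result to update on failure
 * @throws CertificateException if the file does not contain a parsable X.509 certificate
 * @throws FileNotFoundException if the configured file cannot be opened
 */
private static void checkSignerCertificateFile(SMIMEAssertionTestElement testElement, X509CertificateHolder cert,
        AssertionResult res) throws CertificateException, FileNotFoundException {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    X509CertificateHolder certFromFile;
    InputStream inStream = null;
    try {
        inStream = new BufferedInputStream(new FileInputStream(testElement.getSignerCertFile()));
        certFromFile = new JcaX509CertificateHolder((X509Certificate) cf.generateCertificate(inStream));
    } finally {
        // A close failure on a read-only stream cannot change the outcome, so it is ignored.
        IOUtils.closeQuietly(inStream);
    }
    if (!certFromFile.equals(cert)) {
        res.setFailure(true);
        res.setFailureMessage("Signer certificate does not match certificate "
                + testElement.getSignerCertFile());
    }
}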
From source file:org.apache.nifi.registry.security.util.CertificateUtils.java
License:Apache License
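/**
 * Reorders DN to the order the elements appear in the RFC 2253 table
 *
 * https://www.ietf.org/rfc/rfc2253.txt
 *
 * String X.500 AttributeType
 * ------------------------------
 * CN commonName
 * L localityName
 * ST stateOrProvinceName
 * O organizationName
 * OU organizationalUnitName
 * C countryName
 * STREET streetAddress
 * DC domainComponent
 * UID userid
 *
 * <p>Ranks come from {@code dnOrderMap}. Attribute types absent from that map sort after all ranked
 * types and among themselves by their OID string, so the result is deterministic for any input.
 *
 * @param dn a possibly unordered DN
 * @return the ordered dn
 */
public static String reorderDn(String dn) {
    RDN[] rdNs = new X500Name(dn).getRDNs();
    Arrays.sort(rdNs, new Comparator<RDN>() {
        @Override
        public int compare(RDN o1, RDN o2) {
            // Multi-valued RDNs are ranked by their first attribute only.
            AttributeTypeAndValue o1First = o1.getFirst();
            AttributeTypeAndValue o2First = o2.getFirst();
            ASN1ObjectIdentifier o1Type = o1First.getType();
            ASN1ObjectIdentifier o2Type = o2First.getType();
            Integer o1Rank = dnOrderMap.get(o1Type);
            Integer o2Rank = dnOrderMap.get(o2Type);
            if (o1Rank == null) {
                if (o2Rank == null) {
                    // Neither type is ranked: fall back to the OID text so the order is stable.
                    int idComparison = o1Type.getId().compareTo(o2Type.getId());
                    if (idComparison != 0) {
                        return idComparison;
                    }
                    return String.valueOf(o1Type).compareTo(String.valueOf(o2Type));
                }
                return 1;
            } else if (o2Rank == null) {
                return -1;
            }
            // Integer.compare cannot overflow, unlike the subtraction idiom.
            return Integer.compare(o1Rank, o2Rank);
        }
    });
    return new X500Name(rdNs).toString();
}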
From source file:org.apache.nifi.registry.security.util.CertificateUtils.java
License:Apache License
/**
 * Returns a copy of {@code x500Name} with its RDNs in reverse order, so that the certificate ends up
 * encoded in the order the caller intended
 * [see http://stackoverflow.com/questions/7567837/attributes-reversed-in-certificate-subject-and-issuer/12645265]
 *
 * @param x500Name the X500Name created with the intended order
 * @return a new X500Name holding the same RDNs, last-to-first
 */
private static X500Name reverseX500Name(X500Name x500Name) {
    RDN[] forward = x500Name.getRDNs();
    RDN[] backward = new RDN[forward.length];
    for (int i = 0; i < forward.length; i++) {
        backward[forward.length - 1 - i] = forward[i];
    }
    return new X500Name(backward);
}