List of usage examples for org.bouncycastle.asn1.x500 X500Name X500Name
public X500Name(String dirName)
From source file:org.apache.nifi.registry.security.util.CertificateUtils.java
License:Apache License
/** * Generates a self-signed {@link X509Certificate} suitable for use as a Certificate Authority. * * @param keyPair the {@link KeyPair} to generate the {@link X509Certificate} for * @param dn the distinguished name to user for the {@link X509Certificate} * @param signingAlgorithm the signing algorithm to use for the {@link X509Certificate} * @param certificateDurationDays the duration in days for which the {@link X509Certificate} should be valid * @return a self-signed {@link X509Certificate} suitable for use as a Certificate Authority * @throws CertificateException if there is an generating the new certificate *///from w w w. ja v a2 s .c o m public static X509Certificate generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays) throws CertificateException { try { ContentSigner sigGen = new JcaContentSignerBuilder(signingAlgorithm) .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(keyPair.getPrivate()); SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()); Date startDate = new Date(); Date endDate = new Date(startDate.getTime() + TimeUnit.DAYS.toMillis(certificateDurationDays)); X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(reverseX500Name(new X500Name(dn)), getUniqueSerialNumber(), startDate, endDate, reverseX500Name(new X500Name(dn)), subPubKeyInfo); // Set certificate extensions // (1) digitalSignature extension certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement | KeyUsage.nonRepudiation | KeyUsage.cRLSign | KeyUsage.keyCertSign)); certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true)); certBuilder.addExtension(Extension.subjectKeyIdentifier, false, new JcaX509ExtensionUtils().createSubjectKeyIdentifier(keyPair.getPublic())); certBuilder.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic())); // (2) extendedKeyUsage extension certBuilder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage( new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth })); // Sign the certificate X509CertificateHolder certificateHolder = certBuilder.build(sigGen); return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME) .getCertificate(certificateHolder); } catch (CertIOException | NoSuchAlgorithmException | OperatorCreationException e) { throw new CertificateException(e); } }
From source file:org.apache.nifi.registry.security.util.CertificateUtils.java
License:Apache License
/** * Generates an issued {@link X509Certificate} from the given issuer certificate and {@link KeyPair} * * @param dn the distinguished name to use * @param publicKey the public key to issue the certificate to * @param extensions extensions extracted from the CSR * @param issuer the issuer's certificate * @param issuerKeyPair the issuer's keypair * @param signingAlgorithm the signing algorithm to use * @param days the number of days it should be valid for * @return an issued {@link X509Certificate} from the given issuer certificate and {@link KeyPair} * @throws CertificateException if there is an error issuing the certificate *//*w w w . j a v a 2 s . c om*/ public static X509Certificate generateIssuedCertificate(String dn, PublicKey publicKey, Extensions extensions, X509Certificate issuer, KeyPair issuerKeyPair, String signingAlgorithm, int days) throws CertificateException { try { ContentSigner sigGen = new JcaContentSignerBuilder(signingAlgorithm) .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(issuerKeyPair.getPrivate()); SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()); Date startDate = new Date(); Date endDate = new Date(startDate.getTime() + TimeUnit.DAYS.toMillis(days)); X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder( reverseX500Name(new X500Name(issuer.getSubjectX500Principal().getName())), getUniqueSerialNumber(), startDate, endDate, reverseX500Name(new X500Name(dn)), subPubKeyInfo); certBuilder.addExtension(Extension.subjectKeyIdentifier, false, new JcaX509ExtensionUtils().createSubjectKeyIdentifier(publicKey)); certBuilder.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(issuerKeyPair.getPublic())); // Set certificate extensions // (1) digitalSignature extension certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement | KeyUsage.nonRepudiation)); certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false)); // (2) extendedKeyUsage extension certBuilder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage( new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth })); // (3) subjectAlternativeName if (extensions != null && extensions.getExtension(Extension.subjectAlternativeName) != null) { certBuilder.addExtension(Extension.subjectAlternativeName, false, extensions.getExtensionParsedValue(Extension.subjectAlternativeName)); } X509CertificateHolder certificateHolder = certBuilder.build(sigGen); return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME) .getCertificate(certificateHolder); } catch (CertIOException | NoSuchAlgorithmException | OperatorCreationException e) { throw new CertificateException(e); } }
From source file:org.apache.nifi.toolkit.tls.service.server.TlsCertificateAuthorityServiceHandlerTest.java
License:Apache License
@Test public void testSuccess() throws IOException, ServletException, GeneralSecurityException, CRMFException { tlsCertificateAuthorityRequest = new TlsCertificateAuthorityRequest(testHmac, testPemEncodedCsr); tlsCertificateAuthorityServiceHandler.handle(null, baseRequest, httpServletRequest, httpServletResponse); assertEquals(Response.SC_OK, statusCode); assertArrayEquals(testCaHmac, getResponse().getHmac()); X509Certificate certificate = TlsHelper .parseCertificate(new StringReader(getResponse().getPemEncodedCertificate())); assertEquals(certificateKeyPair.getPublic(), certificate.getPublicKey()); assertEquals(new X500Name(requestedDn), new X500Name(certificate.getSubjectDN().toString())); certificate.verify(caCert.getPublicKey()); }
From source file:org.apache.nifi.toolkit.tls.util.TlsHelper.java
License:Apache License
public static JcaPKCS10CertificationRequest generateCertificationRequest(String requestedDn, String domainAlternativeNames, KeyPair keyPair, String signingAlgorithm) throws OperatorCreationException { JcaPKCS10CertificationRequestBuilder jcaPKCS10CertificationRequestBuilder = new JcaPKCS10CertificationRequestBuilder( new X500Name(requestedDn), keyPair.getPublic()); // add Subject Alternative Name(s) try {/* ww w . j av a 2 s . c om*/ jcaPKCS10CertificationRequestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, createDomainAlternativeNamesExtensions(domainAlternativeNames, requestedDn)); } catch (IOException e) { throw new OperatorCreationException( "Error while adding " + domainAlternativeNames + " as Subject Alternative Name.", e); } JcaContentSignerBuilder jcaContentSignerBuilder = new JcaContentSignerBuilder(signingAlgorithm); return new JcaPKCS10CertificationRequest( jcaPKCS10CertificationRequestBuilder.build(jcaContentSignerBuilder.build(keyPair.getPrivate()))); }
From source file:org.apache.nifi.toolkit.tls.util.TlsHelper.java
License:Apache License
public static Extensions createDomainAlternativeNamesExtensions(String domainAlternativeNames, String requestedDn) throws IOException { List<GeneralName> namesList = new ArrayList<>(); try {// w ww . j a va 2s .c o m final String cn = IETFUtils .valueToString(new X500Name(requestedDn).getRDNs(BCStyle.CN)[0].getFirst().getValue()); namesList.add(new GeneralName(GeneralName.dNSName, cn)); } catch (Exception e) { throw new IOException("Failed to extract CN from request DN: " + requestedDn, e); } if (StringUtils.isNotBlank(domainAlternativeNames)) { for (String alternativeName : domainAlternativeNames.split(",")) { namesList.add(new GeneralName(GeneralName.dNSName, alternativeName)); } } GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new GeneralName[] {})); ExtensionsGenerator extGen = new ExtensionsGenerator(); extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames); return extGen.generate(); }
From source file:org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidatorTest.java
License:Apache License
/** * Generates a signed certificate with a specific keypair. * * @param dn the DN/*from www . j a v a 2 s . co m*/ * @param keyPair the public key will be included in the certificate and the the private key is used to sign the certificate * @return the certificate * @throws IOException if an exception occurs * @throws NoSuchAlgorithmException if an exception occurs * @throws CertificateException if an exception occurs * @throws NoSuchProviderException if an exception occurs * @throws SignatureException if an exception occurs * @throws InvalidKeyException if an exception occurs * @throws OperatorCreationException if an exception occurs */ private static X509Certificate generateCertificate(String dn, KeyPair keyPair) throws IOException, NoSuchAlgorithmException, CertificateException, NoSuchProviderException, SignatureException, InvalidKeyException, OperatorCreationException { PrivateKey privateKey = keyPair.getPrivate(); ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER) .build(privateKey); SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()); Date startDate = new Date(YESTERDAY); Date endDate = new Date(ONE_YEAR_FROM_NOW); X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(new X500Name(dn), BigInteger.valueOf(System.currentTimeMillis()), startDate, endDate, new X500Name(dn), subPubKeyInfo); // Set certificate extensions // (1) digitalSignature extension certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement)); // (2) extendedKeyUsage extension Vector<KeyPurposeId> ekUsages = new Vector<>(); ekUsages.add(KeyPurposeId.id_kp_clientAuth); ekUsages.add(KeyPurposeId.id_kp_serverAuth); certBuilder.addExtension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(ekUsages)); // Sign the certificate X509CertificateHolder certificateHolder = certBuilder.build(sigGen); return new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(certificateHolder); }
From source file:org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidatorTest.java
License:Apache License
/** * Generates a certificate with a specific public key signed by the issuer key. * * @param dn the subject DN/*from w w w . j a v a 2s. co m*/ * @param publicKey the subject public key * @param issuerDn the issuer DN * @param issuerKey the issuer private key * @return the certificate * @throws IOException if an exception occurs * @throws NoSuchAlgorithmException if an exception occurs * @throws CertificateException if an exception occurs * @throws NoSuchProviderException if an exception occurs * @throws SignatureException if an exception occurs * @throws InvalidKeyException if an exception occurs * @throws OperatorCreationException if an exception occurs */ private static X509Certificate generateIssuedCertificate(String dn, PublicKey publicKey, String issuerDn, PrivateKey issuerKey) throws IOException, NoSuchAlgorithmException, CertificateException, NoSuchProviderException, SignatureException, InvalidKeyException, OperatorCreationException { ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER) .build(issuerKey); SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()); Date startDate = new Date(YESTERDAY); Date endDate = new Date(ONE_YEAR_FROM_NOW); X509v3CertificateBuilder v3CertGen = new X509v3CertificateBuilder(new X500Name(issuerDn), BigInteger.valueOf(System.currentTimeMillis()), startDate, endDate, new X500Name(dn), subPubKeyInfo); X509CertificateHolder certificateHolder = v3CertGen.build(sigGen); return new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(certificateHolder); }
From source file:org.apache.openejb.client.HttpsConnectionTest.java
License:Apache License
private File createKeyStore() throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {/*w w w . j av a 2s.co m*/ dropKeyStore(); File keyStore = new File(STORE_PATH); keyStore.getParentFile().mkdirs(); try (final FileOutputStream fos = new FileOutputStream(keyStore)) { final KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance("RSA"); keyGenerator.initialize(1024); final KeyPair pair = keyGenerator.generateKeyPair(); final boolean addBc = Security.getProvider("BC") == null; if (addBc) { Security.addProvider(new BouncyCastleProvider()); } try { final X509v1CertificateBuilder x509v1CertificateBuilder = new JcaX509v1CertificateBuilder( new X500Name("cn=" + SERVER), BigInteger.valueOf(1), new Date(System.currentTimeMillis() - TimeUnit.DAYS.toMillis(1)), new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(1)), new X500Name("cn=" + SERVER), pair.getPublic()); final X509CertificateHolder certHldr = x509v1CertificateBuilder.build( new JcaContentSignerBuilder("SHA1WithRSA").setProvider("BC").build(pair.getPrivate())); final X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC") .getCertificate(certHldr); final KeyStore ks = KeyStore.getInstance("JKS"); ks.load(null, STORE_PWD.toCharArray()); ks.setKeyEntry(SERVER, pair.getPrivate(), STORE_PWD.toCharArray(), new Certificate[] { cert }); ks.store(fos, STORE_PWD.toCharArray()); } finally { if (addBc) { Security.removeProvider("BC"); } } } catch (final Exception e) { Assert.fail(e.getMessage()); } return keyStore; }
From source file:org.apache.poi.poifs.crypt.PkiTestUtils.java
License:Apache License
static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn, Date notBefore, Date notAfter, X509Certificate issuerCertificate, PrivateKey issuerPrivateKey, boolean caFlag, int pathLength, String crlUri, String ocspUri, KeyUsage keyUsage) throws IOException, OperatorCreationException, CertificateException { String signatureAlgorithm = "SHA1withRSA"; X500Name issuerName;//w w w . ja v a 2s . c o m if (issuerCertificate != null) { issuerName = new X509CertificateHolder(issuerCertificate.getEncoded()).getIssuer(); } else { issuerName = new X500Name(subjectDn); } RSAPublicKey rsaPubKey = (RSAPublicKey) subjectPublicKey; RSAKeyParameters rsaSpec = new RSAKeyParameters(false, rsaPubKey.getModulus(), rsaPubKey.getPublicExponent()); SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(rsaSpec); DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build() .get(CertificateID.HASH_SHA1); X509v3CertificateBuilder certificateGenerator = new X509v3CertificateBuilder(issuerName, new BigInteger(128, new SecureRandom()), notBefore, notAfter, new X500Name(subjectDn), subjectPublicKeyInfo); X509ExtensionUtils exUtils = new X509ExtensionUtils(digestCalc); SubjectKeyIdentifier subKeyId = exUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo); AuthorityKeyIdentifier autKeyId = (issuerCertificate != null) ? exUtils.createAuthorityKeyIdentifier(new X509CertificateHolder(issuerCertificate.getEncoded())) : exUtils.createAuthorityKeyIdentifier(subjectPublicKeyInfo); certificateGenerator.addExtension(Extension.subjectKeyIdentifier, false, subKeyId); certificateGenerator.addExtension(Extension.authorityKeyIdentifier, false, autKeyId); if (caFlag) { BasicConstraints bc; if (-1 == pathLength) { bc = new BasicConstraints(true); } else { bc = new BasicConstraints(pathLength); } certificateGenerator.addExtension(Extension.basicConstraints, false, bc); } if (null != crlUri) { int uri = GeneralName.uniformResourceIdentifier; DERIA5String crlUriDer = new DERIA5String(crlUri); GeneralName gn = new GeneralName(uri, crlUriDer); DERSequence gnDer = new DERSequence(gn); GeneralNames gns = GeneralNames.getInstance(gnDer); DistributionPointName dpn = new DistributionPointName(0, gns); DistributionPoint distp = new DistributionPoint(dpn, null, null); DERSequence distpDer = new DERSequence(distp); certificateGenerator.addExtension(Extension.cRLDistributionPoints, false, distpDer); } if (null != ocspUri) { int uri = GeneralName.uniformResourceIdentifier; GeneralName ocspName = new GeneralName(uri, ocspUri); AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess( X509ObjectIdentifiers.ocspAccessMethod, ocspName); certificateGenerator.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess); } if (null != keyUsage) { certificateGenerator.addExtension(Extension.keyUsage, true, keyUsage); } JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm); signerBuilder.setProvider("BC"); X509CertificateHolder certHolder = certificateGenerator.build(signerBuilder.build(issuerPrivateKey)); /* * Next certificate factory trick is needed to make sure that the * certificate delivered to the caller is provided by the default * security provider instead of BouncyCastle. If we don't do this trick * we might run into trouble when trying to use the CertPath validator. */ // CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); // certificate = (X509Certificate) certificateFactory // .generateCertificate(new ByteArrayInputStream(certificate // .getEncoded())); return new JcaX509CertificateConverter().getCertificate(certHolder); }
From source file:org.apache.tomee.embedded.SslTomEETest.java
License:Apache License
@Test public void test() throws Exception { final File keystore = new File("target/keystore"); { // generate keystore/trustore if (keystore.exists()) { Files.delete(keystore); }//from w w w . ja va 2 s . co m keystore.getParentFile().mkdirs(); try (final FileOutputStream fos = new FileOutputStream(keystore)) { final KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance("RSA"); keyGenerator.initialize(1024); final KeyPair pair = keyGenerator.generateKeyPair(); final boolean addBc = Security.getProvider("BC") == null; if (addBc) { Security.addProvider(new BouncyCastleProvider()); } try { final X509v1CertificateBuilder x509v1CertificateBuilder = new JcaX509v1CertificateBuilder( new X500Name("cn=serveralias"), BigInteger.valueOf(1), new Date(System.currentTimeMillis() - TimeUnit.DAYS.toMillis(1)), new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(1)), new X500Name("cn=serveralias"), pair.getPublic()); final X509CertificateHolder certHldr = x509v1CertificateBuilder.build( new JcaContentSignerBuilder("SHA1WithRSA").setProvider("BC").build(pair.getPrivate())); final X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC") .getCertificate(certHldr); final KeyStore ks = KeyStore.getInstance("JKS"); ks.load(null, "changeit".toCharArray()); ks.setKeyEntry("serveralias", pair.getPrivate(), "changeit".toCharArray(), new Certificate[] { cert }); ks.store(fos, "changeit".toCharArray()); } finally { if (addBc) { Security.removeProvider("BC"); } } } catch (final Exception e) { Assert.fail(e.getMessage()); } } final Configuration configuration = new Configuration(); configuration.setSsl(true); configuration.setKeystoreFile(keystore.getAbsolutePath()); configuration.setKeystorePass("changeit"); configuration.setKeyAlias("serveralias"); final Container container = new Container(); container.setup(configuration); container.start(); Connector[] connectors = container.getTomcat().getService().findConnectors(); for (Connector conn : connectors) { if (conn.getPort() == 8443) { Object propertyObject = conn.getProperty("keystoreFile"); assertNotNull(propertyObject); assertEquals(keystore.getAbsolutePath(), propertyObject.toString()); } } try { assertEquals(8443, ManagementFactory.getPlatformMBeanServer() .getAttribute(new ObjectName("Tomcat:type=ProtocolHandler,port=8443"), "port")); } finally { container.stop(); } // ensure it is not always started configuration.setSsl(false); container.setup(configuration); container.start(); try { assertFalse(ManagementFactory.getPlatformMBeanServer() .isRegistered(new ObjectName("Tomcat:type=ProtocolHandler,port=8443"))); } finally { container.close(); } }