List of usage examples for org.bouncycastle.asn1.x500 X500Name X500Name
public X500Name(String dirName)
From source file:org.demoiselle.signer.policy.impl.cades.pkcs7.attribute.impl.RevocationRefs.java
License:Open Source License
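/**
 * Builds the {@code CrlValidatedID} (CAdES complete-revocation-references)
 * for one CRL: a SHA-256 hash over the full DER-encoded CRL, plus a
 * {@code CrlIdentifier} carrying the issuer name, the thisUpdate time and,
 * when the CRL has a cRLNumber extension, the CRL number.
 *
 * @param crl the CRL that was used during validation
 * @return the {@code CrlValidatedID} describing {@code crl}
 * @throws NoSuchAlgorithmException if the SHA-256 digest is unavailable
 * @throws CRLException if {@code crl} cannot be DER-encoded
 */
private CrlValidatedID makeCrlValidatedID(X509CRL crl) throws NoSuchAlgorithmException, CRLException {
    // id-ce-cRLNumber (RFC 5280, 5.2.3)
    final String crlNumberOid = "2.5.29.20";

    byte[] encodedCrl = crl.getEncoded();
    Digest digest = DigestFactory.getInstance().factoryDefault();
    digest.setAlgorithm(DigestAlgorithmEnum.SHA_256);
    // The AlgorithmIdentifier must describe the digest actually computed above.
    OtherHashAlgAndValue hashAlgAndValue = new OtherHashAlgAndValue(
            new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256),
            new DEROctetString(digest.digest(encodedCrl)));
    OtherHash hash = new OtherHash(hashAlgAndValue);

    // Take the issuer from the CRL's own DER instead of re-parsing the
    // RFC 2253 string: a string round-trip can change attribute encodings
    // or RDN order, and a verifier may compare the name byte-for-byte.
    X500Name issuer = X500Name.getInstance(crl.getIssuerX500Principal().getEncoded());
    DERUTCTime issuedTime = new DERUTCTime(crl.getThisUpdate());

    CrlIdentifier crlId;
    byte[] crlNumberExt = crl.getExtensionValue(crlNumberOid);
    if (crlNumberExt != null) {
        // X509CRL.getExtensionValue() returns the DER-encoded OCTET STRING that
        // wraps the extension content, not the content itself. Unwrap it before
        // decoding the INTEGER: feeding those bytes straight to
        // new ASN1Integer(byte[]) produced a bogus CRL number.
        // (getInstance is the static inherited from ASN1OctetString.)
        byte[] inner = DEROctetString.getInstance(crlNumberExt).getOctets();
        BigInteger crlNumber = ASN1Integer.getInstance(inner).getPositiveValue();
        crlId = new CrlIdentifier(issuer, issuedTime, crlNumber);
    } else {
        crlId = new CrlIdentifier(issuer, issuedTime);
    }
    return new CrlValidatedID(hash, crlId);
}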
From source file:org.demoiselle.signer.policy.impl.cades.pkcs7.attribute.impl.SigningCertificate.java
License:Open Source License
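/**
 * Builds the CAdES {@code SigningCertificate} attribute (RFC 2634, 5.4): a
 * SHA-1 {@code ESSCertID} of the signer certificate together with the
 * certificate's issuer name and serial number.
 *
 * The V1 attribute is bound to SHA-1 by its specification; new signatures
 * should use {@code SigningCertificateV2} instead.
 *
 * @return the attribute wrapping a single {@code ESSCertID}
 * @throws SignerException if the signer certificate cannot be DER-encoded
 */
@Override
public Attribute getValue() {
    try {
        X509Certificate signerCert = (X509Certificate) certificates[0];

        Digest digest = DigestFactory.getInstance().factoryDefault();
        digest.setAlgorithm(DigestAlgorithmEnum.SHA_1);
        byte[] certHash = digest.digest(signerCert.getEncoded());

        // IssuerSerial must name the certificate's *issuer*, not the
        // certificate's own subject (which the previous code used); a verifier
        // matches it against the signer certificate's issuer and serial.
        // The DER from the certificate is used so the name matches byte-for-byte
        // instead of round-tripping through an RFC 2253 string.
        X500Name issuerName = X500Name.getInstance(signerCert.getIssuerX500Principal().getEncoded());
        GeneralNames issuer = new GeneralNames(new GeneralName(issuerName));
        ASN1Integer serial = new ASN1Integer(signerCert.getSerialNumber());
        IssuerSerial issuerSerial = new IssuerSerial(issuer, serial);

        ESSCertID essCertId = new ESSCertID(certHash, issuerSerial);
        // SigningCertificate ::= SEQUENCE { certs SEQUENCE OF ESSCertID,
        //                                   policies SEQUENCE OF PolicyInformation OPTIONAL }
        // The optional 'policies' field is omitted: a SEQUENCE containing a NULL
        // is not a valid PolicyInformation and breaks strict decoders.
        return new Attribute(new ASN1ObjectIdentifier(identifier),
                new DERSet(new DERSequence(new ASN1Encodable[] { new DERSequence(essCertId) })));
    } catch (CertificateEncodingException ex) {
        throw new SignerException(ex.getMessage());
    }
}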
From source file:org.demoiselle.signer.policy.impl.cades.pkcs7.attribute.impl.SigningCertificateV2.java
License:Open Source License
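/**
 * Builds the CAdES {@code SigningCertificateV2} attribute (RFC 5035): a
 * SHA-256 {@code ESSCertIDv2} of the signer certificate together with the
 * certificate's issuer name and serial number.
 *
 * @return the attribute wrapping a single {@code ESSCertIDv2}
 * @throws SignerException if the signer certificate cannot be DER-encoded
 */
@Override
public Attribute getValue() throws SignerException {
    try {
        X509Certificate signerCert = (X509Certificate) certificates[0];

        Digest digest = DigestFactory.getInstance().factoryDefault();
        digest.setAlgorithm(DigestAlgorithmEnum.SHA_256);
        byte[] certHash = digest.digest(signerCert.getEncoded());

        // The issuer name is read from the signer certificate itself rather than
        // from certificates[1]: it is authoritative by definition, does not rely
        // on the chain being ordered, and avoids an ArrayIndexOutOfBoundsException
        // when only the leaf certificate is supplied. Using the DER bytes keeps
        // the encoding identical to the certificate's.
        X500Name issuerName = X500Name.getInstance(signerCert.getIssuerX500Principal().getEncoded());
        GeneralNames issuer = new GeneralNames(new GeneralName(issuerName));
        ASN1Integer serialNumber = new ASN1Integer(signerCert.getSerialNumber());
        IssuerSerial issuerSerial = new IssuerSerial(issuer, serialNumber);

        // The hash algorithm identifier must agree with the digest computed above.
        AlgorithmIdentifier hashAlgId = new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256);
        ESSCertIDv2 essCertIdV2 = new ESSCertIDv2(hashAlgId, certHash, issuerSerial);

        // SigningCertificateV2 ::= SEQUENCE { certs SEQUENCE OF ESSCertIDv2,
        //                                     policies SEQUENCE OF PolicyInformation OPTIONAL }
        return new Attribute(new ASN1ObjectIdentifier(identifier),
                new DERSet(new DERSequence(new ASN1Encodable[] { new DERSequence(essCertIdV2) })));
    } catch (CertificateEncodingException ex) {
        throw new SignerException(ex.getMessage());
    }
}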
From source file:org.digidoc4j.impl.bdoc.BDocSignature.java
License:GNU General Public License
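/**
 * Returns the certificate of the OCSP responder for this signature, looked up
 * by the responder's common name among the certificate tokens of the
 * container's certificate pool (TSL); {@code null} when the signature carries
 * no OCSP response at all.
 *
 * NOTE(review): matching on CN alone is weak: any pool certificate with the
 * same CN is accepted. Where the API allows it, the responder should be
 * matched on the OCSP response's ResponderID (name or key hash) instead.
 *
 * @return the responder certificate, or {@code null} if there is no OCSP response
 * @throws CertificateNotFoundException if no pool certificate has the responder's CN
 */
@Override
public X509Cert getOCSPCertificate() {
    logger.debug("");
    if (origin.getOCSPSource().getContainedOCSPResponses().size() == 0) {
        return null;
    }
    String ocspCN = getOCSPCommonName();
    for (CertificateToken token : origin.getCertPool().getCertificateTokens()) {
        String candidateCN = getCN(new X500Name(token.getSubjectX500Principal().getName()));
        // Null-safe: a pool certificate for which getCN() yields null must not
        // abort the lookup with a NullPointerException.
        if (candidateCN != null && candidateCN.equals(ocspCN)) {
            return new X509Cert(token.getCertificate());
        }
    }
    CertificateNotFoundException exception = new CertificateNotFoundException(
            "Certificate for " + ocspCN + " not found in TSL");
    logger.error(exception.getMessage());
    throw exception;
}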
From source file:org.digidoc4j.impl.bdoc.xades.TimemarkSignature.java
License:GNU General Public License
/**
 * Finds, among the certificates carried by the underlying DSS signature, the
 * one whose subject common name equals the OCSP responder's common name.
 *
 * NOTE(review): a CN-only match accepts any certificate with that CN; matching
 * on the response's ResponderID would be stricter, if the API exposes it.
 *
 * @return the responder certificate
 * @throws CertificateNotFoundException if no certificate matches the responder CN
 */
private X509Cert findOcspCertificate() {
    final String responderCn = getOCSPCommonName();
    for (CertificateToken token : getDssSignature().getCertificates()) {
        X500Name subject = new X500Name(token.getSubjectX500Principal().getName());
        // StringUtils.equals is null-safe on both sides.
        if (StringUtils.equals(getCN(subject), responderCn)) {
            return new X509Cert(token.getCertificate());
        }
    }
    final String message = "OCSP certificate for " + responderCn + " was not found in TSL";
    logger.error(message);
    throw new CertificateNotFoundException(message);
}
From source file:org.eclipse.milo.opcua.stack.core.util.CertificateUtil.java
License:Open Source License
/**
 * Convenience overload of {@code generateCsr} that accepts the subject as an
 * RFC 4519 style string (e.g. {@code CN=foo,O=bar}), parses it into an
 * {@link X500Name} and delegates to the {@link X500Name}-taking variant.
 *
 * @param keyPair the {@link KeyPair} containing Public and Private keys.
 * @param subjectName the subject name, in RFC 4519 style. (CN=foo,O=bar)
 * @param sanUri the URI to request in the SAN.
 * @param sanDnsNames the DNS names to request in the SAN.
 * @param sanIpAddresses the IP addresses to request in the SAN.
 * @param signatureAlgorithm the signature algorithm used to sign the request.
 * @return a {@link PKCS10CertificationRequest}.
 * @throws Exception if parsing the subject or creating the signing request fails.
 */
public static PKCS10CertificationRequest generateCsr(KeyPair keyPair, String subjectName, String sanUri,
        List<String> sanDnsNames, List<String> sanIpAddresses, String signatureAlgorithm) throws Exception {
    return generateCsr(keyPair,
            new X500Name(IETFUtils.rDNsFromString(subjectName, RFC4519Style.INSTANCE)),
            sanUri, sanDnsNames, sanIpAddresses, signatureAlgorithm);
}
From source file:org.eclipse.milo.opcua.stack.core.util.CertificateValidationUtilTest.java
License:Open Source License
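/**
 * Test helper: builds and signs (SHA256withRSA, BC provider) a CRL issued by
 * {@code ca} that lists each of the {@code revoked} certificates with reason
 * privilegeWithdrawn and a revocation date of "now".
 *
 * @param ca the CA certificate whose subject becomes the CRL issuer
 * @param caPrivateKey the CA key that signs the CRL
 * @param revoked certificates to list as revoked; may be empty
 * @return the signed CRL converted to a JCA {@link X509CRL}
 * @throws Exception on any signing or conversion failure
 */
private X509CRL generateCrl(X509Certificate ca, PrivateKey caPrivateKey, X509Certificate... revoked)
        throws Exception {
    // Use the CA's subject DER as the CRL issuer so it matches the certificate
    // byte-for-byte; building it from getSubjectDN().getName() re-parses a
    // string and may re-encode or reorder RDNs, which can make a validator
    // reject the CRL as issued by a different name.
    X500Name issuer = X500Name.getInstance(ca.getSubjectX500Principal().getEncoded());
    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
    Date revocationDate = new Date();
    for (X509Certificate certificate : revoked) {
        builder.addCRLEntry(certificate.getSerialNumber(), revocationDate, CRLReason.privilegeWithdrawn);
    }
    JcaContentSignerBuilder contentSignerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption");
    contentSignerBuilder.setProvider("BC");
    X509CRLHolder crlHolder = builder.build(contentSignerBuilder.build(caPrivateKey));
    JcaX509CRLConverter converter = new JcaX509CRLConverter();
    converter.setProvider("BC");
    return converter.getCRL(crlHolder);
}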
From source file:org.ejbca.core.ejb.ca.sign.SignSessionWithRsaTest.java
License:Open Source License
/**
 * Verifies that the certificate profile's signature-algorithm setting takes
 * precedence over the CA default: a first issuance with the default profile
 * (signature algorithm "inherit from CA") is expected to come back signed
 * with SHA1withRSA, and after the profile is switched to SHA256withRSA a
 * second issuance of the very same PKCS#10 is expected to be SHA256withRSA.
 *
 * Integration test against the EJBCA session beans; the profiles it creates
 * are removed again in the finally block.
 */
@Test
public void testProfileSignatureAlgorithm() throws Exception {
    // Certificate profile: the fixed end-user profile, created fresh under a
    // test-specific name.
    final String testName = "TESTSIGALG";
    certificateProfileSession.removeCertificateProfile(internalAdmin, testName);
    final CertificateProfile certprof = new CertificateProfile(
            CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER);
    // Default profile uses "inherit from CA"
    certificateProfileSession.addCertificateProfile(internalAdmin, testName, certprof);
    int cprofile = certificateProfileSession.getCertificateProfileId(testName);
    // End entity profile: C and CN only, any CA, the certificate profile above.
    endEntityProfileSession.removeEndEntityProfile(internalAdmin, testName);
    EndEntityProfile profile = new EndEntityProfile();
    profile.addField(DnComponents.COUNTRY);
    profile.addField(DnComponents.COMMONNAME);
    profile.setValue(EndEntityProfile.AVAILCAS, 0, Integer.toString(SecConst.ALLCAS));
    profile.setValue(EndEntityProfile.AVAILCERTPROFILES, 0, Integer.toString(cprofile));
    endEntityProfileSession.addEndEntityProfile(internalAdmin, testName, profile);
    try {
        int eeprofile = endEntityProfileSession.getEndEntityProfileId(testName);
        int rsacaid = caSession.getCAInfo(internalAdmin, getTestCAName()).getCAId();
        EndEntityInformation user = new EndEntityInformation(RSA_USERNAME, "C=SE,CN=testsigalg", rsacaid, null,
                "foo@anatom.nu", new EndEntityType(EndEntityTypes.ENDUSER), eeprofile, cprofile,
                SecConst.TOKEN_SOFT_PEM, 0, null);
        user.setPassword("foo123"); // test-only enrollment password
        user.setStatus(EndEntityConstants.STATUS_NEW);
        // Change a user that we know...
        endEntityManagementSession.changeUser(internalAdmin, user, false);
        // Create the PKCS#10 request, self-signed with SHA256WithRSA by the
        // requester key. The request's signature algorithm is independent of the
        // algorithm the CA uses on the issued certificate, which is what the two
        // assertions below exercise.
        PKCS10CertificationRequest req = CertTools.genPKCS10CertificationRequest("SHA256WithRSA",
                new X500Name("C=SE,CN=testsigalg"), rsakeys.getPublic(), null, rsakeys.getPrivate(), null);
        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
        DEROutputStream dOut = new DEROutputStream(bOut);
        dOut.writeObject(req.toASN1Structure());
        dOut.close();
        byte[] p10bytes = bOut.toByteArray();
        PKCS10RequestMessage p10 = new PKCS10RequestMessage(p10bytes);
        p10.setUsername(RSA_USERNAME);
        p10.setPassword("foo123");
        // First issuance: the profile inherits from the CA, and the test CA is
        // expected to sign with SHA1withRSA here. (Legacy: SHA-1 signatures are
        // not acceptable for a production CA; the assertion only pins the test
        // CA's default.)
        ResponseMessage resp = signSession.createCertificate(internalAdmin, p10, X509ResponseMessage.class, null);
        X509Certificate cert = (X509Certificate) CertTools.getCertfromByteArray(resp.getResponseMessage());
        assertNotNull("Failed to create certificate", cert);
        assertEquals("CN=testsigalg,C=SE", cert.getSubjectDN().getName());
        assertEquals(AlgorithmConstants.SIGALG_SHA1_WITH_RSA, AlgorithmTools.getSignatureAlgorithm(cert));
        // Second issuance: override the signature algorithm in the profile.
        CertificateProfile prof = certificateProfileSession.getCertificateProfile(cprofile);
        prof.setSignatureAlgorithm(AlgorithmConstants.SIGALG_SHA256_WITH_RSA);
        certificateProfileSession.changeCertificateProfile(internalAdmin, testName, prof);
        // changeUser is called again with the user object still at STATUS_NEW,
        // presumably so that the same request may be issued a second time.
        endEntityManagementSession.changeUser(internalAdmin, user, false);
        resp = signSession.createCertificate(internalAdmin, p10, X509ResponseMessage.class, null);
        cert = (X509Certificate) CertTools.getCertfromByteArray(resp.getResponseMessage());
        assertNotNull("Failed to create certificate", cert);
        assertEquals("CN=testsigalg,C=SE", cert.getSubjectDN().getName());
        assertEquals(AlgorithmConstants.SIGALG_SHA256_WITH_RSA, AlgorithmTools.getSignatureAlgorithm(cert));
    } finally {
        endEntityProfileSession.removeEndEntityProfile(internalAdmin, testName);
        certificateProfileSession.removeCertificateProfile(internalAdmin, testName);
    }
}
From source file:org.ejbca.core.ejb.ca.sign.SignSessionWithRsaTest.java
License:Open Source License
/**
 * Verifies that extensions carried in the PKCS#10 extensionRequest attribute
 * are ignored unless the certificate profile allows extension override: the
 * first issuance yields a certificate with no subjectAltName, and after
 * {@code setAllowExtensionOverride(true)} the same request yields a
 * certificate carrying all 21 requester-supplied dNSName entries.
 *
 * Integration test against the EJBCA session beans; the profiles it creates
 * are removed again in the finally block.
 */
@Test
public void testExtensionOverride() throws Exception {
    // 21 dNSName entries in the altName string form CertTools understands.
    final String altnames = "dNSName=foo1.bar.com,dNSName=foo2.bar.com,dNSName=foo3.bar.com,dNSName=foo4.bar.com,dNSName=foo5.bar.com,dNSName=foo6.bar.com,dNSName=foo7.bar.com,"
            + "dNSName=foo8.bar.com,dNSName=foo9.bar.com,dNSName=foo10.bar.com,dNSName=foo11.bar.com,dNSName=foo12.bar.com,dNSName=foo13.bar.com,dNSName=foo14.bar.com,"
            + "dNSName=foo15.bar.com,dNSName=foo16.bar.com,dNSName=foo17.bar.com,dNSName=foo18.bar.com,dNSName=foo19.bar.com,dNSName=foo20.bar.com,dNSName=foo21.bar.com";
    // Certificate profile: the fixed end-user profile, created fresh under a
    // test-specific name.
    final String profileName = "TESTEXTENSIONOVERRIDE";
    certificateProfileSession.removeCertificateProfile(internalAdmin, profileName);
    final CertificateProfile certprof = new CertificateProfile(
            CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER);
    // Default profile does not allow Extension override
    certprof.setValidity(298);
    certificateProfileSession.addCertificateProfile(internalAdmin, profileName, certprof);
    int cprofile = certificateProfileSession.getCertificateProfileId(profileName);
    // End entity profile: C and CN only, any CA, the certificate profile above.
    endEntityProfileSession.removeEndEntityProfile(internalAdmin, profileName);
    EndEntityProfile profile = new EndEntityProfile();
    profile.addField(DnComponents.COUNTRY);
    profile.addField(DnComponents.COMMONNAME);
    profile.setValue(EndEntityProfile.AVAILCAS, 0, Integer.toString(SecConst.ALLCAS));
    profile.setValue(EndEntityProfile.AVAILCERTPROFILES, 0, Integer.toString(cprofile));
    endEntityProfileSession.addEndEntityProfile(internalAdmin, profileName, profile);
    try {
        int eeprofile = endEntityProfileSession.getEndEntityProfileId(profileName);
        int rsacaid = caSession.getCAInfo(internalAdmin, getTestCAName()).getCAId();
        EndEntityInformation user = new EndEntityInformation(RSA_USERNAME, "C=SE,CN=extoverride", rsacaid, null,
                "foo@anatom.nu", new EndEntityType(EndEntityTypes.ENDUSER), eeprofile, cprofile,
                SecConst.TOKEN_SOFT_PEM, 0, null);
        user.setPassword("foo123"); // test-only enrollment password
        user.setStatus(EndEntityConstants.STATUS_NEW);
        // Change a user that we know...
        endEntityManagementSession.changeUser(internalAdmin, user, false);
        // Build the PKCS#10 with a pkcs-9-at-extensionRequest attribute holding a
        // (non-critical) subjectAltName extension with all the DNS names above.
        ASN1EncodableVector extensionattr = new ASN1EncodableVector();
        extensionattr.add(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
        GeneralNames san = CertTools.getGeneralNamesFromAltName(altnames);
        ExtensionsGenerator extgen = new ExtensionsGenerator();
        extgen.addExtension(Extension.subjectAlternativeName, false, san);
        Extensions exts = extgen.generate();
        extensionattr.add(new DERSet(exts));
        // Complete the Attribute section of the request, the set (Attributes)
        // contains one sequence (Attribute)
        ASN1EncodableVector v = new ASN1EncodableVector();
        v.add(new DERSequence(extensionattr));
        DERSet attributes = new DERSet(v);
        // Create PKCS#10 certificate request
        PKCS10CertificationRequest req = CertTools.genPKCS10CertificationRequest("SHA256WithRSA",
                new X500Name("C=SE,CN=extoverride"), rsakeys.getPublic(), attributes, rsakeys.getPrivate(), null);
        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
        DEROutputStream dOut = new DEROutputStream(bOut);
        dOut.writeObject(req.toASN1Structure());
        dOut.close();
        byte[] p10bytes = bOut.toByteArray();
        PKCS10RequestMessage p10 = new PKCS10RequestMessage(p10bytes);
        p10.setUsername(RSA_USERNAME);
        p10.setPassword("foo123");
        // Sanity check: the request parser does see the extensionRequest.
        Extensions p10exts = p10.getRequestExtensions();
        assertNotNull(p10exts);
        // First issuance: override not allowed, so the requested SAN must be
        // dropped and the certificate carries no subjectAltName at all.
        ResponseMessage resp = signSession.createCertificate(internalAdmin, p10, X509ResponseMessage.class, null);
        X509Certificate cert = (X509Certificate) CertTools.getCertfromByteArray(resp.getResponseMessage());
        assertNotNull("Failed to create certificate", cert);
        assertEquals("CN=extoverride,C=SE", cert.getSubjectDN().getName());
        // check altNames, should be none
        Collection<List<?>> c = cert.getSubjectAlternativeNames();
        assertNull(c);
        // Now allow extension override in the certificate profile. Security note:
        // from here on the requester controls the SAN contents of the issued
        // certificate, so a profile with this flag must only serve enrollment
        // flows whose requests are vetted.
        CertificateProfile prof = certificateProfileSession.getCertificateProfile(cprofile);
        prof.setAllowExtensionOverride(true);
        certificateProfileSession.changeCertificateProfile(internalAdmin, profileName, prof);
        // changeUser is called again with the user object still at STATUS_NEW,
        // presumably so that the same request may be issued a second time.
        endEntityManagementSession.changeUser(internalAdmin, user, false);
        resp = signSession.createCertificate(internalAdmin, p10, X509ResponseMessage.class, null);
        cert = (X509Certificate) CertTools.getCertfromByteArray(resp.getResponseMessage());
        assertNotNull("Failed to create certificate", cert);
        assertEquals("CN=extoverride,C=SE", cert.getSubjectDN().getName());
        // check altNames: all 21 requested dNSName entries must now be present
        c = cert.getSubjectAlternativeNames();
        assertNotNull(c);
        assertEquals(21, c.size());
        String retAltNames = CertTools.getSubjectAlternativeName(cert);
        List<String> originalNames = Arrays.asList(altnames.split(","));
        List<String> returnNames = Arrays.asList(retAltNames.split(", "));
        // containsAll alone would also accept a subset; the size check above
        // narrows it down.
        assertTrue(originalNames.containsAll(returnNames));
    } finally {
        certificateProfileSession.removeCertificateProfile(internalAdmin, profileName);
        endEntityProfileSession.removeEndEntityProfile(internalAdmin, profileName);
    }
}
From source file:org.ejbca.core.ejb.ca.sign.SignSessionWithRsaTest.java
License:Open Source License
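/**
 * Verifies that the subject DN of the PKCS#10 request is ignored unless the
 * certificate profile allows DN override: the first issuance carries the
 * registered end-entity DN ({@code CN=dnoverride,C=SE}), and after
 * {@code setAllowDNOverride(true)} the same request yields a certificate
 * whose subject is exactly the requester-supplied
 * {@code CN=foo,C=SE,Name=AnaTom,O=My org}.
 *
 * Integration test against the EJBCA session beans. Unlike the sibling tests
 * the original finally block only deleted the end entity; it now also removes
 * the profiles it created.
 */
@Test
public void testDNOverride() throws Exception {
    final String profileName = "TESTDNOVERRIDE";
    // Certificate profile: the fixed end-user profile, created fresh under a
    // test-specific name.
    certificateProfileSession.removeCertificateProfile(internalAdmin, profileName);
    final CertificateProfile certprof = new CertificateProfile(
            CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER);
    // Default profile does not allow DN override
    certprof.setValidity(298);
    certificateProfileSession.addCertificateProfile(internalAdmin, profileName, certprof);
    int cprofile = certificateProfileSession.getCertificateProfileId(profileName);
    // End entity profile: C and CN only, any CA, the certificate profile above.
    endEntityProfileSession.removeEndEntityProfile(internalAdmin, profileName);
    EndEntityProfile profile = new EndEntityProfile();
    profile.addField(DnComponents.COUNTRY);
    profile.addField(DnComponents.COMMONNAME);
    profile.setValue(EndEntityProfile.AVAILCAS, 0, Integer.toString(SecConst.ALLCAS));
    profile.setValue(EndEntityProfile.AVAILCERTPROFILES, 0, Integer.toString(cprofile));
    endEntityProfileSession.addEndEntityProfile(internalAdmin, profileName, profile);
    int eeprofile = endEntityProfileSession.getEndEntityProfileId(profileName);
    int rsacaid = caSession.getCAInfo(internalAdmin, getTestCAName()).getCAId();
    final String dnOverrideEndEntityName = "DnOverride";
    createEndEntity(dnOverrideEndEntityName, eeprofile, cprofile, rsacaid);
    try {
        EndEntityInformation user = new EndEntityInformation(dnOverrideEndEntityName, "C=SE,CN=dnoverride",
                rsacaid, null, "foo@anatom.nu", new EndEntityType(EndEntityTypes.ENDUSER), eeprofile, cprofile,
                SecConst.TOKEN_SOFT_PEM, 0, null);
        user.setPassword("foo123"); // test-only enrollment password
        user.setStatus(EndEntityConstants.STATUS_NEW);
        // Change a user that we know...
        endEntityManagementSession.changeUser(internalAdmin, user, false);
        // Create a P10 whose subject differs from the registered DN and uses an
        // unusual RDN order, with an empty attribute set.
        PKCS10CertificationRequest req = CertTools.genPKCS10CertificationRequest("SHA256WithRSA",
                new X500Name("CN=foo,C=SE,NAME=AnaTom,O=My org"), rsakeys.getPublic(), new DERSet(),
                rsakeys.getPrivate(), null);
        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
        DEROutputStream dOut = new DEROutputStream(bOut);
        dOut.writeObject(req.toASN1Structure());
        dOut.close();
        // Round-trip the DER and confirm the request signature verifies with
        // the requester's public key before handing it to the CA.
        PKCS10CertificationRequest req2 = new PKCS10CertificationRequest(bOut.toByteArray());
        ContentVerifierProvider verifier = CertTools.genContentVerifierProvider(rsakeys.getPublic());
        boolean verify = req2.isSignatureValid(verifier);
        log.debug("Verify returned " + verify);
        assertTrue(verify);
        log.debug("CertificationRequest generated successfully.");
        byte[] bcp10 = bOut.toByteArray();
        PKCS10RequestMessage p10 = new PKCS10RequestMessage(bcp10);
        p10.setUsername(dnOverrideEndEntityName);
        p10.setPassword("foo123");
        // First issuance: DN override not allowed, so the certificate gets the
        // registered end-entity DN, not the one in the request.
        ResponseMessage resp = signSession.createCertificate(internalAdmin, p10, X509ResponseMessage.class, null);
        X509Certificate cert = (X509Certificate) CertTools.getCertfromByteArray(resp.getResponseMessage());
        assertNotNull("Failed to create certificate", cert);
        assertEquals("CN=dnoverride,C=SE", cert.getSubjectDN().getName());
        // Now allow DN override in the certificate profile. Security note: from
        // here on the requester chooses the subject of the issued certificate, so
        // a profile with this flag must only serve enrollment flows whose requests
        // are vetted.
        CertificateProfile prof = certificateProfileSession.getCertificateProfile(cprofile);
        prof.setAllowDNOverride(true);
        certificateProfileSession.changeCertificateProfile(internalAdmin, profileName, prof);
        // changeUser is called again with the user object still at STATUS_NEW,
        // presumably so that the same request may be issued a second time.
        endEntityManagementSession.changeUser(internalAdmin, user, false);
        resp = signSession.createCertificate(internalAdmin, p10, X509ResponseMessage.class, null);
        cert = (X509Certificate) CertTools.getCertfromByteArray(resp.getResponseMessage());
        assertNotNull("Failed to create certificate", cert);
        // Second issuance: the subject is taken verbatim from the request, in
        // the request's RDN order.
        assertEquals("CN=foo,C=SE,Name=AnaTom,O=My org", cert.getSubjectDN().getName());
    } finally {
        endEntityManagementSession.deleteUser(internalAdmin, dnOverrideEndEntityName);
        // Also drop the profiles created above, as the sibling tests do, so a
        // failed run does not leave TESTDNOVERRIDE behind.
        endEntityProfileSession.removeEndEntityProfile(internalAdmin, profileName);
        certificateProfileSession.removeCertificateProfile(internalAdmin, profileName);
    }
}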