List of usage examples for org.bouncycastle.asn1.x500 X500Name X500Name
public X500Name(String dirName)
From source file:org.jcryptool.visual.jctca.listeners.UserShowCertsListener.java
License:Open Source License
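/**
 * Shows the details of the certificate selected in the list.
 *
 * <p>The selected index is mapped to its {@link KeyStoreAlias} through the
 * list's per-index data, the certificate is loaded from the
 * {@link KeyStoreManager}, and the subject and issuer labels are filled from
 * the RDNs of the certificate's X.500 names. The revoke button is enabled or
 * disabled according to {@link Util#isCertificateRevoked}.
 *
 * <p>If the certificate cannot be loaded the error is logged and the labels
 * are left unchanged; an attribute that is absent from a name is shown with
 * the "not part of cert" text instead of failing.
 *
 * @param e the selection event whose source is the certificate list
 */
@Override
public void widgetSelected(SelectionEvent e) {
    List lst = (List) e.getSource();
    int selected = lst.getSelectionIndex();
    KeyStoreAlias ksAlias = (KeyStoreAlias) lst.getData(Integer.toString(selected));

    // Load the certificate behind the alias. On failure there is nothing to
    // display, so return instead of dereferencing a null certificate.
    X509Certificate pubKey = null;
    try {
        pubKey = (X509Certificate) KeyStoreManager.getInstance().getCertificate(ksAlias);
    } catch (UnrecoverableEntryException e1) {
        LogUtil.logError(e1);
    } catch (NoSuchAlgorithmException e1) {
        LogUtil.logError(e1);
    }
    if (pubKey == null) {
        return;
    }

    // Subject: parse the RFC 2253 form of the DN. getName() is the documented,
    // stable representation; X500Principal.toString() is not guaranteed to be parseable.
    X500Name subject = new X500Name(pubKey.getSubjectX500Principal().getName());
    lbl_value_common.setText(firstValueOrDefault(subject.getRDNs(BCStyle.CN)));
    // O and OU are not part of the subject of these certificates.
    lbl_value_org.setText(Messages.UserShowCertsListener_not_part_of_cert);
    lbl_value_orgUnit.setText(Messages.UserShowCertsListener_not_part_of_cert);
    lbl_value_city.setText(firstValueOrDefault(subject.getRDNs(BCStyle.L)));
    lbl_value_country.setText(firstValueOrDefault(subject.getRDNs(BCStyle.C)));
    lbl_value_mail.setText(firstValueOrDefault(subject.getRDNs(BCStyle.E)));

    // Issuer: getIssuerX500Principal() replaces the deprecated getIssuerDN().
    X500Name issuer = new X500Name(pubKey.getIssuerX500Principal().getName());
    lbl_value_common_by.setText(firstValueOrDefault(issuer.getRDNs(BCStyle.CN)));
    lbl_value_org_by.setText(firstValueOrDefault(issuer.getRDNs(BCStyle.O)));
    lbl_value_orgUnit_by.setText(firstValueOrDefault(issuer.getRDNs(BCStyle.OU)));

    lbl_value_issued_on.setText(pubKey.getNotBefore().toString());
    lbl_value_expired_on.setText(pubKey.getNotAfter().toString());

    btn_revoke.setData("selected", ksAlias); //$NON-NLS-1$
    if (Util.isCertificateRevoked(pubKey.getSerialNumber())) {
        btn_revoke.setEnabled(false);
        btn_revoke.setText(Messages.UserShowCertsListener_btn_revoke_cert_was_revoked);
    } else {
        btn_revoke.setEnabled(true);
        btn_revoke.setText(Messages.UserShowCertsListener_btn_revoke_cert);
    }
    lbl_value_common.getParent().layout();
}

/**
 * Returns the string value of the first attribute of the first RDN in
 * {@code rdns}, or the "not part of cert" text when the array is empty.
 * Indexing {@code rdns[0]} directly would throw for a name that lacks the attribute.
 *
 * @param rdns result of {@link X500Name#getRDNs} for one attribute type
 * @return the attribute value, or the placeholder text if absent
 */
private static String firstValueOrDefault(RDN[] rdns) {
    if (rdns == null || rdns.length == 0 || rdns[0].getFirst() == null) {
        return Messages.UserShowCertsListener_not_part_of_cert;
    }
    return rdns[0].getFirst().getValue().toString();
}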
From source file:org.jcryptool.visual.jctca.Util.java
License:Open Source License
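/**
 * Tells whether the certificate stored under {@code ksAlias} names the JCT-CA
 * visual as its issuer, i.e. the issuer DN carries an OU of {@code "JCT-CA Visual"}.
 *
 * <p>This is a name-based check only: it does not verify the certificate's
 * signature against the CA key, so it identifies who the certificate claims
 * as issuer but does not prove that the CA actually signed it.
 *
 * @param ksAlias alias of the certificate entry in the key store
 * @return {@code true} if the issuer OU equals {@code "JCT-CA Visual"};
 *         {@code false} otherwise, including when the certificate cannot be
 *         loaded or the issuer has no OU attribute
 */
public static boolean isSignedByJCTCA(KeyStoreAlias ksAlias) {
    KeyStoreManager ksm = KeyStoreManager.getInstance();
    X509Certificate pubKey = null;
    try {
        pubKey = (X509Certificate) ksm.getCertificate(ksAlias);
    } catch (UnrecoverableEntryException e) {
        LogUtil.logError(e);
    } catch (NoSuchAlgorithmException e) {
        LogUtil.logError(e);
    }
    // A certificate that could not be loaded cannot be attributed to the CA.
    if (pubKey == null) {
        return false;
    }

    // Parse the issuer DN in its RFC 2253 form (getIssuerDN() is deprecated and
    // its toString() output is not guaranteed to be parseable).
    X500Name issuer = new X500Name(pubKey.getIssuerX500Principal().getName());
    RDN[] orgUnits = issuer.getRDNs(BCStyle.OU);
    // An issuer without an OU is not the JCT-CA; indexing [0] blindly would throw.
    if (orgUnits.length == 0 || orgUnits[0].getFirst() == null) {
        return false;
    }
    return "JCT-CA Visual".equals(orgUnits[0].getFirst().getValue().toString()); //$NON-NLS-1$
}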
From source file:org.jmrtd.lds.SignedDataUtil.java
License:Open Source License
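/**
 * Builds a CMS {@code SignerInfo} for a signature made with the document
 * signer certificate.
 *
 * <p>The signer is identified by the issuer name and serial number of
 * {@code docSigningCertificate}. The signed (authenticated) attributes are
 * produced by {@link #createAuthenticatedAttributes}; {@code encryptedDigest}
 * is used verbatim as the signature value and no unsigned attributes are set.
 *
 * @param digestAlgorithm mnemonic of the digest algorithm, resolved to an OID
 *        through {@code lookupOIDByMnemonic}
 * @param digestEncryptionAlgorithm mnemonic of the signature algorithm,
 *        resolved the same way
 * @param contentTypeOID OID of the signed content type
 * @param contentInfo the signed content
 * @param encryptedDigest the signature bytes
 * @param docSigningCertificate the document signer certificate
 * @return the populated {@code SignerInfo}
 * @throws NoSuchAlgorithmException declared by this method; presumably raised
 *         when a mnemonic cannot be resolved
 */
public static SignerInfo createSignerInfo(String digestAlgorithm, String digestEncryptionAlgorithm,
        String contentTypeOID, ContentInfo contentInfo, byte[] encryptedDigest,
        X509Certificate docSigningCertificate) throws NoSuchAlgorithmException {
    // SignerIdentifier = issuer name + serial number of the signer certificate.
    // The issuer name is re-parsed from its RFC 2253 string; if a verifier compares
    // the encoded name byte-for-byte with the certificate's issuer field, building it
    // with X500Name.getInstance(docSigningCertificate.getIssuerX500Principal().getEncoded())
    // would preserve the original encoding. (The parameter is already an
    // X509Certificate, so the earlier casts were redundant.)
    X500Principal docSignerPrincipal = docSigningCertificate.getIssuerX500Principal();
    X500Name docSignerName = new X500Name(docSignerPrincipal.getName(X500Principal.RFC2253));
    BigInteger serial = docSigningCertificate.getSerialNumber();
    SignerIdentifier sid = new SignerIdentifier(new IssuerAndSerialNumber(docSignerName, serial));

    AlgorithmIdentifier digestAlgorithmObject = new AlgorithmIdentifier(
            new ASN1ObjectIdentifier(SignedDataUtil.lookupOIDByMnemonic(digestAlgorithm)));
    AlgorithmIdentifier digestEncryptionAlgorithmObject = new AlgorithmIdentifier(
            new ASN1ObjectIdentifier(SignedDataUtil.lookupOIDByMnemonic(digestEncryptionAlgorithm)));

    // Signed attributes (content type, message digest, ...) that the signature covers.
    ASN1Set authenticatedAttributes = createAuthenticatedAttributes(digestAlgorithm, contentTypeOID,
            contentInfo);
    // The signature value itself.
    ASN1OctetString encryptedDigestObject = new DEROctetString(encryptedDigest);
    // unsignedAttrs is OPTIONAL in CMS (RFC 5652, section 5.3); null omits it.
    ASN1Set unAuthenticatedAttributes = null;

    return new SignerInfo(sid, digestAlgorithmObject, authenticatedAttributes,
            digestEncryptionAlgorithmObject, encryptedDigestObject, unAuthenticatedAttributes);
}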
From source file:org.keycloak.common.util.CertificateUtils.java
License:Apache License
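/**
 * Generates a version 3 {@link java.security.cert.X509Certificate} for
 * {@code subject}, issued and signed by the given CA.
 *
 * <p>The certificate carries SubjectKeyIdentifier and AuthorityKeyIdentifier
 * extensions, a key usage of digitalSignature/keyCertSign/cRLSign, an extended
 * key usage of emailProtection and serverAuth, and a critical BasicConstraints
 * with pathLen 0 (it is a CA certificate that may not issue further CAs).
 * Validity starts now and lasts 36 periods of 30 days (about three years).
 *
 * @param keyPair the key pair
 * @param caPrivateKey the CA private key
 * @param caCert the CA certificate
 * @param subject the subject name
 *
 * @return the x509 certificate
 *
 * @throws Exception the exception
 */
public static X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey,
        X509Certificate caCert, String subject) throws Exception {
    try {
        X500Name subjectDN = new X500Name("CN=" + subject);

        // Serial Number: RFC 5280 requires a positive integer. Math.abs(random.nextInt())
        // yields a negative serial for Integer.MIN_VALUE and only 31 bits of entropy;
        // draw 64 random bits instead (RFC 5280 allows up to 20 octets) and reject the
        // one value that is not positive. The platform default SecureRandom is used
        // rather than a hard-coded "SHA1PRNG".
        SecureRandom random = new SecureRandom();
        BigInteger serialNumber;
        do {
            serialNumber = new BigInteger(64, random);
        } while (serialNumber.signum() == 0);

        // Validity: one clock read so notBefore and notAfter agree exactly.
        long now = System.currentTimeMillis();
        Date notBefore = new Date(now);
        Date notAfter = new Date(now + (1000L * 60 * 60 * 24 * 30) * 12 * 3);

        // SubjectPublicKeyInfo
        SubjectPublicKeyInfo subjPubKeyInfo = new SubjectPublicKeyInfo(
                ASN1Sequence.getInstance(keyPair.getPublic().getEncoded()));

        // Issuer: take the CA's subject from its DER encoding instead of re-parsing the
        // deprecated getSubjectDN().getName() string, so the issuer field matches the CA
        // certificate's subject byte-for-byte when a verifier builds the chain.
        X500Name issuerDN = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
        X509v3CertificateBuilder certGen = new X509v3CertificateBuilder(issuerDN, serialNumber,
                notBefore, notAfter, subjectDN, subjPubKeyInfo);

        // SHA-1 here only derives key identifiers (RFC 5280, 4.2.1.2 method 1); it is
        // not used for the signature.
        DigestCalculator digCalc = new BcDigestCalculatorProvider()
                .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
        X509ExtensionUtils x509ExtensionUtils = new X509ExtensionUtils(digCalc);

        // Subject Key Identifier: derived from the subject's own key.
        certGen.addExtension(Extension.subjectKeyIdentifier, false,
                x509ExtensionUtils.createSubjectKeyIdentifier(subjPubKeyInfo));

        // Authority Key Identifier: must identify the CA's key, not the subject's,
        // otherwise it never matches the CA certificate's SubjectKeyIdentifier and
        // chain building by key identifier fails.
        SubjectPublicKeyInfo caPubKeyInfo = SubjectPublicKeyInfo.getInstance(caCert.getPublicKey().getEncoded());
        certGen.addExtension(Extension.authorityKeyIdentifier, false,
                x509ExtensionUtils.createAuthorityKeyIdentifier(caPubKeyInfo));

        // Key Usage
        certGen.addExtension(Extension.keyUsage, false,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));

        // Extended Key Usage
        KeyPurposeId[] EKU = new KeyPurposeId[2];
        EKU[0] = KeyPurposeId.id_kp_emailProtection;
        EKU[1] = KeyPurposeId.id_kp_serverAuth;
        certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(EKU));

        // Basic Constraints: CA with path length 0.
        certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));

        // Content Signer: SHA-256 instead of SHA-1; SHA-1 signatures are rejected by
        // current verifiers and no longer considered collision resistant.
        ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider("BC")
                .build(caPrivateKey);

        // Certificate
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certGen.build(sigGen));
    } catch (Exception e) {
        throw new RuntimeException("Error creating X509v3Certificate.", e);
    }
}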
From source file:org.keycloak.common.util.CertificateUtils.java
License:Apache License
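/**
 * Generates a version 1 self-signed {@link X509Certificate} for {@code subject}:
 * issuer and subject are both {@code CN=subject} and the certificate is signed
 * with the private half of {@code caKeyPair}.
 *
 * <p>Validity starts 100 seconds in the past (presumably to tolerate clock skew
 * between issuer and verifier) and ends ten years from now. Being version 1,
 * the certificate carries no extensions, so nothing marks it as a CA; verifiers
 * that require BasicConstraints on CA certificates will not accept it as an issuer.
 *
 * @param caKeyPair key pair whose public key is certified and whose private key signs
 * @param subject common name placed in the subject and issuer DN
 * @param serialNumber serial number for the certificate (RFC 5280 requires a positive value)
 * @return the self-signed certificate
 * @throws RuntimeException wrapping any failure during generation
 */
public static X509Certificate generateV1SelfSignedCertificate(KeyPair caKeyPair, String subject,
        BigInteger serialNumber) {
    try {
        X500Name subjectDN = new X500Name("CN=" + subject);

        // Validity window: 100 s of backdating, ten years ahead.
        Date validityStartDate = new Date(System.currentTimeMillis() - 100000);
        Calendar calendar = Calendar.getInstance();
        calendar.add(Calendar.YEAR, 10);
        // Calendar.getTime() already returns a fresh Date; no need to copy it again.
        Date validityEndDate = calendar.getTime();

        SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo
                .getInstance(caKeyPair.getPublic().getEncoded());

        // Self-signed: the same name is used as issuer and subject.
        X509v1CertificateBuilder builder = new X509v1CertificateBuilder(subjectDN, serialNumber,
                validityStartDate, validityEndDate, subjectDN, subPubKeyInfo);
        X509CertificateHolder holder = builder.build(createSigner(caKeyPair.getPrivate()));
        return new JcaX509CertificateConverter().getCertificate(holder);
    } catch (Exception e) {
        throw new RuntimeException("Error creating X509v1Certificate.", e);
    }
}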
From source file:org.keycloak.common.util.OCSPUtils.java
License:Apache License
/**
 * Verifies a basic OCSP response against the CA that issued the certificate in question.
 *
 * <p>Steps, in order:
 * <ol>
 * <li>Collect candidate signer certificates: those embedded in the response, the
 *     issuer certificate and, if supplied, the responder certificate.</li>
 * <li>Pick the candidate matching the response's ResponderID, either by name or by
 *     key hash (SubjectKeyIdentifier extension first, then a key identifier computed
 *     from the public key).</li>
 * <li>If the signer is neither the issuer nor the supplied responder certificate,
 *     require that it was issued by the issuer, carries id-kp-OCSPSigning when it
 *     has an extended key usage, is valid at {@code date}, and verifies under the
 *     issuer's public key.</li>
 * <li>Verify the response signature, compare the nonce with {@code requestNonce}
 *     when both are present, and require every SingleResp to be fresh within
 *     {@code TIME_SKEW} of {@code date}.</li>
 * </ol>
 *
 * @param basicOcspResponse the response to verify
 * @param issuerCertificate certificate of the CA that issued the certificate being checked
 * @param responderCertificate explicitly trusted responder certificate, or {@code null}
 * @param requestNonce nonce sent in the request, or {@code null} to skip the nonce check
 * @param date validation time; {@code null} means the current time
 * @throws CertPathValidatorException if no acceptable signer is found, the signature
 *         does not verify, the nonces differ, or a SingleResp is stale
 * @throws CertificateNotYetValidException if a delegated responder certificate is not yet valid
 * @throws CertificateExpiredException if a delegated responder certificate has expired
 * @throws NoSuchAlgorithmException from {@code JcaX509ExtensionUtils}; possibly also from
 *         {@code verifySignature} (not visible here)
 * @throws NoSuchProviderException declared for the provider lookups; presumably from
 *         {@code verifySignature}
 */
private static void verifyResponse(BasicOCSPResp basicOcspResponse, X509Certificate issuerCertificate,
        X509Certificate responderCertificate, byte[] requestNonce, Date date)
        throws NoSuchProviderException, NoSuchAlgorithmException, CertificateNotYetValidException,
        CertificateExpiredException, CertPathValidatorException {
    // Candidate signers: certificates carried in the response plus the ones we trust.
    List<X509CertificateHolder> certs = new ArrayList<>(Arrays.asList(basicOcspResponse.getCerts()));
    X509Certificate signingCert = null;
    try {
        certs.add(new JcaX509CertificateHolder(issuerCertificate));
        if (responderCertificate != null) {
            certs.add(new JcaX509CertificateHolder(responderCertificate));
        }
    } catch (CertificateEncodingException e) {
        // NOTE(review): only printed; the affected certificate is silently left out
        // of the candidate list, which can later surface as "Unable to verify".
        e.printStackTrace();
    }
    if (certs.size() > 0) {
        // ResponderID is a CHOICE of byName / byKey; one of the two is null.
        X500Name responderName = basicOcspResponse.getResponderId().toASN1Primitive().getName();
        byte[] responderKey = basicOcspResponse.getResponderId().toASN1Primitive().getKeyHash();
        if (responderName != null) {
            logger.log(Level.INFO, "Responder Name: {0}", responderName.toString());
            // byName: the first candidate whose subject equals the responder name wins.
            for (X509CertificateHolder certHolder : certs) {
                try {
                    X509Certificate tempCert = new JcaX509CertificateConverter().setProvider("BC")
                            .getCertificate(certHolder);
                    X500Name respName = new X500Name(tempCert.getSubjectX500Principal().getName());
                    if (responderName.equals(respName)) {
                        signingCert = tempCert;
                        logger.log(Level.INFO,
                                "Found a certificate whose principal \"{0}\" matches the responder name \"{1}\"",
                                new Object[] { tempCert.getSubjectDN().getName(), responderName.toString() });
                        break;
                    }
                } catch (CertificateException e) {
                    // Only the message is logged; the stack trace is dropped.
                    logger.log(Level.FINE, e.getMessage());
                }
            }
        } else if (responderKey != null) {
            SubjectKeyIdentifier responderSubjectKey = new SubjectKeyIdentifier(responderKey);
            logger.log(Level.INFO, "Responder Key: {0}", Arrays.toString(responderKey));
            // byKey: match the SubjectKeyIdentifier extension if present, otherwise a
            // key identifier computed from the candidate's public key.
            for (X509CertificateHolder certHolder : certs) {
                try {
                    X509Certificate tempCert = new JcaX509CertificateConverter().setProvider("BC")
                            .getCertificate(certHolder);
                    SubjectKeyIdentifier subjectKeyIdentifier = null;
                    if (certHolder.getExtensions() != null) {
                        subjectKeyIdentifier = SubjectKeyIdentifier.fromExtensions(certHolder.getExtensions());
                    }
                    if (subjectKeyIdentifier != null) {
                        logger.log(Level.INFO, "Certificate: {0}\nSubject Key Id: {1}", new Object[] {
                                tempCert.getSubjectDN().getName(),
                                Arrays.toString(subjectKeyIdentifier.getKeyIdentifier()) });
                    }
                    if (subjectKeyIdentifier != null && responderSubjectKey.equals(subjectKeyIdentifier)) {
                        signingCert = tempCert;
                        logger.log(Level.INFO,
                                "Found a signer certificate \"{0}\" with the subject key extension value matching the responder key",
                                signingCert.getSubjectDN().getName());
                        break;
                    }
                    // Fallback: derive the identifier from the key itself (covers certificates
                    // without a SubjectKeyIdentifier extension).
                    subjectKeyIdentifier = new JcaX509ExtensionUtils()
                            .createSubjectKeyIdentifier(tempCert.getPublicKey());
                    if (responderSubjectKey.equals(subjectKeyIdentifier)) {
                        signingCert = tempCert;
                        logger.log(Level.INFO,
                                "Found a certificate \"{0}\" with the subject key matching the OCSP responder key",
                                signingCert.getSubjectDN().getName());
                        break;
                    }
                } catch (CertificateException e) {
                    // Only the message is logged; the stack trace is dropped.
                    logger.log(Level.FINE, e.getMessage());
                }
            }
        }
    }
    if (signingCert != null) {
        if (signingCert.equals(issuerCertificate)) {
            // The issuing CA itself signed the response: trusted as given.
            logger.log(Level.INFO, "OCSP response is signed by the target''s Issuing CA");
        } else if (responderCertificate != null && signingCert.equals(responderCertificate)) {
            // https://www.ietf.org/rfc/rfc2560.txt
            // 2.6 OCSP Signature Authority Delegation
            // - The responder certificate is issued to the responder by CA
            // The caller supplied this certificate explicitly, so no further checks are made.
            logger.log(Level.INFO, "OCSP response is signed by an authorized responder certificate");
        } else {
            // 4.2.2.2 Authorized Responders
            // 3. Includes a value of id-ad-ocspSigning in an ExtendedKeyUsage
            // extension and is issued by the CA that issued the certificate in
            // question."
            // Delegated responder: it must be issued by the same CA ...
            if (!signingCert.getIssuerX500Principal().equals(issuerCertificate.getSubjectX500Principal())) {
                logger.log(Level.INFO, "Signer certificate''s Issuer: {0}\nIssuer certificate''s Subject: {1}",
                        new Object[] { signingCert.getIssuerX500Principal().getName(),
                                issuerCertificate.getSubjectX500Principal().getName() });
                throw new CertPathValidatorException(
                        "Responder\'s certificate is not authorized to sign OCSP responses");
            }
            // ... and carry id-kp-OCSPSigning. NOTE(review): a certificate with no EKU
            // extension at all (purposes == null) passes this check, and a parsing
            // failure is only logged; RFC 6960 4.2.2.2 requires the EKU to be present.
            try {
                List<String> purposes = signingCert.getExtendedKeyUsage();
                if (purposes != null && !purposes.contains(KeyPurposeId.id_kp_OCSPSigning.getId())) {
                    logger.log(Level.INFO, "OCSPSigning extended usage is not set");
                    throw new CertPathValidatorException(
                            "Responder\'s certificate not valid for signing OCSP responses");
                }
            } catch (CertificateParsingException e) {
                logger.log(Level.FINE, "Failed to get certificate''s extended key usage extension\n{0}",
                        e.getMessage());
            }
            // Validity of the responder certificate at the validation time (now if date is null).
            if (date == null) {
                signingCert.checkValidity();
            } else {
                signingCert.checkValidity(date);
            }
            try {
                Extension noOCSPCheck = new JcaX509CertificateHolder(signingCert)
                        .getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck);
                // TODO If the extension is present, the OCSP client can trust the
                // responder's certificate for the lifetime of the certificate.
                // The extension is currently only logged; the responder certificate's own
                // revocation status is not checked either way.
                logger.log(Level.INFO, "OCSP no-check extension is {0} present", noOCSPCheck == null ? "not" : "");
            } catch (CertificateEncodingException e) {
                logger.log(Level.FINE, "Certificate encoding exception: {0}", e.getMessage());
            }
            // The delegated responder certificate must verify under the issuer's key;
            // otherwise it is discarded and the response is rejected below.
            try {
                signingCert.verify(issuerCertificate.getPublicKey());
                logger.log(Level.INFO, "OCSP response is signed by an Authorized Responder");
            } catch (GeneralSecurityException ex) {
                signingCert = null;
            }
        }
    }
    if (signingCert == null) {
        throw new CertPathValidatorException("Unable to verify OCSP Response\'s signature");
    } else {
        if (!verifySignature(basicOcspResponse, signingCert)) {
            throw new CertPathValidatorException("Error verifying OCSP Response\'s signature");
        } else {
            // Nonce check. NOTE(review): it only runs when both nonces are present, so a
            // response that omits the nonce is accepted and replay protection then rests on
            // the freshness window below. The raw extnValue octets are compared; this
            // assumes the request encoded its nonce the same way — confirm against the
            // request builder.
            Extension responseNonce = basicOcspResponse.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce);
            if (responseNonce != null && requestNonce != null
                    && !Arrays.equals(requestNonce, responseNonce.getExtnValue().getOctets())) {
                throw new CertPathValidatorException("Nonces do not match.");
            } else {
                // See Sun's OCSP implementation.
                // https://www.ietf.org/rfc/rfc2560.txt, if nextUpdate is not set,
                // the responder is indicating that newer update is avilable all the time
                // Freshness: every SingleResp must satisfy thisUpdate <= now + TIME_SKEW and
                // (nextUpdate, or thisUpdate when absent) >= now - TIME_SKEW. The loop keeps
                // going while responses are fresh; it returns when all have been checked and
                // falls through to the exception at the first stale one.
                long current = date == null ? System.currentTimeMillis() : date.getTime();
                Date stop = new Date(current + (long) TIME_SKEW);
                Date start = new Date(current - (long) TIME_SKEW);
                Iterator<SingleResp> iter = Arrays.asList(basicOcspResponse.getResponses()).iterator();
                SingleResp singleRes = null;
                do {
                    if (!iter.hasNext()) {
                        return;
                    }
                    singleRes = iter.next();
                } while (!stop.before(singleRes.getThisUpdate()) && !start.after(
                        singleRes.getNextUpdate() != null ? singleRes.getNextUpdate() : singleRes.getThisUpdate()));
                throw new CertPathValidatorException(
                        "Response is unreliable: its validity interval is out-of-date");
            }
        }
    }
}
From source file:org.kse.gui.crypto.DDistinguishedNameChooser.java
License:Open Source License
/**
 * Stand-alone demo entry point: installs the system look and feel and opens a
 * {@code DDistinguishedNameChooser} pre-filled with a sample DN. Closing or
 * deactivating the dialog terminates the JVM.
 *
 * @param args ignored
 * @throws Exception if the look and feel cannot be installed
 */
public static void main(String[] args) throws Exception {
    UIManager.setLookAndFeel(UIManager.getSystemLookAndFeelClassName());

    // The dialog is created and shown on the event dispatch thread.
    Runnable showDialog = new Runnable() {
        @Override
        public void run() {
            try {
                javax.swing.JFrame parent = new javax.swing.JFrame();
                X500Name sampleDn = new X500Name(
                        "CN=test, OU=Development, OU=Software, O=ACME Ltd., C=UK, E=test@example.com");
                DDistinguishedNameChooser dialog = new DDistinguishedNameChooser(parent, "DN Chooser",
                        sampleDn, true);
                dialog.addWindowListener(new java.awt.event.WindowAdapter() {
                    @Override
                    public void windowClosing(java.awt.event.WindowEvent e) {
                        System.exit(0);
                    }

                    @Override
                    public void windowDeactivated(java.awt.event.WindowEvent e) {
                        System.exit(0);
                    }
                });
                dialog.setVisible(true);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    };
    EventQueue.invokeLater(showDialog);
}
From source file:org.kse.gui.dialogs.DViewPem.java
License:Open Source License
/**
 * Stand-alone demo entry point: registers the Bouncy Castle provider, installs
 * the system look and feel, generates a throw-away RSA key pair and a
 * self-signed PKCS#10 request for {@code cn=test}, and shows it in a
 * {@code DViewPem} dialog. Closing the dialog terminates the JVM.
 *
 * @param args ignored
 * @throws Exception if the look and feel cannot be installed
 */
public static void main(String[] args) throws Exception {
    Security.addProvider(new BouncyCastleProvider());
    UIManager.setLookAndFeel(UIManager.getSystemLookAndFeelClassName());

    // Key generation and dialog creation both run on the event dispatch thread.
    Runnable showDialog = new Runnable() {
        @Override
        public void run() {
            try {
                KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "BC");
                KeyPair keyPair = generator.genKeyPair();

                X500Name requestSubject = new X500Name("cn=test");
                JcaPKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(
                        requestSubject, keyPair.getPublic());
                JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256withRSA")
                        .setProvider("BC");
                PKCS10CertificationRequest csr = csrBuilder.build(signerBuilder.build(keyPair.getPrivate()));

                DViewPem dialog = new DViewPem(new javax.swing.JFrame(), "Title", csr);
                dialog.addWindowListener(new java.awt.event.WindowAdapter() {
                    @Override
                    public void windowClosing(java.awt.event.WindowEvent e) {
                        System.exit(0);
                    }
                });
                dialog.setVisible(true);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    };
    java.awt.EventQueue.invokeLater(showDialog);
}
From source file:org.kse.gui.dnchooser.DistinguishedNameChooser.java
License:Open Source License
/**
 * Builds the distinguished name from the RDN list panel, leaving out empty RDNs.
 *
 * <p>The RDNs are reversed before the name is assembled (presumably the panel
 * lists them in the opposite order from the one {@link X500Name} expects).
 *
 * @return the {@code X500Name} composed of the panel's non-empty RDNs
 */
public X500Name getDN() {
    List<RDN> reversedRdns = listPanel.getRdns(true);
    Collections.reverse(reversedRdns);
    RDN[] rdnArray = reversedRdns.toArray(new RDN[reversedRdns.size()]);
    return new X500Name(rdnArray);
}
From source file:org.kse.gui.dnchooser.DistinguishedNameChooser.java
License:Open Source License
/**
 * Builds the distinguished name from the RDN list panel, including RDNs that
 * are still empty.
 *
 * <p>The RDNs are reversed before the name is assembled (presumably the panel
 * lists them in the opposite order from the one {@link X500Name} expects).
 *
 * @return the {@code X500Name} composed of all of the panel's RDNs
 */
public X500Name getDNWithEmptyRdns() {
    List<RDN> reversedRdns = listPanel.getRdns(false);
    Collections.reverse(reversedRdns);
    RDN[] rdnArray = reversedRdns.toArray(new RDN[reversedRdns.size()]);
    return new X500Name(rdnArray);
}