List of usage examples for org.bouncycastle.asn1.x500 X500Name X500Name
public X500Name(String dirName)
From source file:org.picketlink.pki.internal.DefaultCertificateAuthority.java
License:Open Source License
/**
 * Issues the partition's own CA certificate and an initial (empty) CRL, unless the
 * partition already owns a certificate.
 * <p>
 * The key pair is taken from the key authority, or generated when none exists. A
 * {@code CertificateCreateEvent} is raised first so that listeners may supply the
 * certificate; if none does, a V1 certificate is generated locally. Both the
 * certificate and the CRL are stored through the partition's identity manager.
 *
 * @param partition        the partition becoming a CA
 * @param partitionManager used to look up keys and to create the identity manager
 * @param config           CA configuration; supplies the base DN
 * @param eventBridge      used to raise the creation event
 * @throws RuntimeException wrapping any failure during key, certificate or CRL setup
 */
static void issueSelf(Partition partition, PartitionManager partitionManager,
        CertificateAuthorityConfig config, EventBridge eventBridge) {
    if (hasCertificate(partition, partitionManager)) {
        return;
    }
    try {
        KeyPair caKeys = DefaultKeyAuthority.getKeyPair(partition, partitionManager);
        if (caKeys == null) {
            caKeys = generateKeyPair(partition, partitionManager, eventBridge, config);
        }

        // NOTE(review): the partition name is spliced into the DN string unescaped; a name
        // containing ',' '=' or '+' would alter the RDN structure. An X500NameBuilder would
        // be the safer way to compose this name.
        X500Name caSubject = new X500Name("CN=" + partition.getName() + "," + config.getBaseDN());

        // Give listeners the chance to provide the certificate; fall back to a local V1 cert.
        CertificateCreateEvent createEvent = new CertificateCreateEvent(partition);
        eventBridge.raiseEvent(createEvent);
        X509Certificate caCertificate = createEvent.getX509Certificate();
        if (caCertificate == null) {
            caCertificate = generateV1Certificate(caSubject, caKeys, config);
        }

        CertificateType storedCertificate = new CertificateType(partition, caCertificate, config);
        IdentityManager identityManager = partitionManager.createIdentityManager(partition);
        identityManager.add(storedCertificate);

        // The CA starts with a freshly built revocation list signed by its own key.
        X509CRLHolder crlHolder = createRevocationList(caKeys, caCertificate, config);
        CertificateRevocationListType storedCrl =
                new CertificateRevocationListType(partition, encodeBytes(crlHolder.getEncoded()));
        identityManager.add(storedCrl);
    } catch (Exception e) {
        throw new RuntimeException("Could not initialize partition as CA.", e);
    }
}
From source file:org.picketlink.pki.internal.DefaultCertificateRequest.java
License:Open Source License
/**
 * Builds a PKCS#10 certificate signing request for {@code user}, signed with the user's
 * own private key obtained from the CA's key authority.
 * <p>
 * The encoded CSR is kept in {@code this.message}; the user is recorded in {@code this.user}.
 *
 * @param user                 the user the request is for; its login name becomes the CN
 * @param certificateAuthority supplies the key authority and the configuration (base DN,
 *                             signer settings)
 * @throws RuntimeException wrapping any failure while building or encoding the request
 */
public DefaultCertificateRequest(User user, CertificateAuthority certificateAuthority) {
    try {
        KeyPair subjectKeys = certificateAuthority.getKeyAuthority().getKeyPair(user);
        SubjectPublicKeyInfo subjectKeyInfo =
                SubjectPublicKeyInfo.getInstance(subjectKeys.getPublic().getEncoded());
        ContentSigner requestSigner =
                X509Util.createSigner(subjectKeys.getPrivate(), certificateAuthority.getConfiguration());

        // NOTE(review): the login name is spliced into the DN string unescaped; a login name
        // containing ',' '=' or '+' would alter the RDN structure. An X500NameBuilder would be
        // the safer way to compose this name.
        X500Name subject = new X500Name(
                "CN=" + user.getLoginName() + "," + certificateAuthority.getConfiguration().getBaseDN());

        PKCS10CertificationRequest csr =
                new PKCS10CertificationRequestBuilder(subject, subjectKeyInfo).build(requestSigner);
        this.message = csr.getEncoded();
    } catch (Exception e) {
        throw new RuntimeException("Could not create CSR", e);
    }
    this.user = user;
}
From source file:org.picketlink.pki.internal.util.X509Util.java
License:Open Source License
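/**
 * Generate version 3 {@link java.security.cert.X509Certificate} for {@code subjectDN},
 * issued under {@code rootCertificate} and signed with {@code issuerKeyPair}.
 * <p>
 * The certificate carries Subject Key Identifier, Authority Key Identifier, Key Usage
 * (digitalSignature, keyCertSign, cRLSign), Extended Key Usage (emailProtection,
 * serverAuth) and a critical Basic Constraints of {@code cA=true, pathLen=0}. It is
 * valid from now for 3 x 12 x 30 days.
 *
 * @param rootCertificate   the root certificate; its subject becomes this certificate's
 *                          issuer and its public key is referenced by the AKI extension
 * @param issuerKeyPair     the issuer key pair; the private key signs the certificate
 * @param subjectDN         the subject dn
 * @param subjectKeyPair    the subject key pair; the public key is embedded
 * @param certificateConfig the certificate config (not consulted by this method)
 *
 * @return the x509 certificate
 * @throws RuntimeException wrapping any failure while building or converting the certificate
 */
public static X509Certificate generateV3Certificate(X509Certificate rootCertificate, KeyPair issuerKeyPair,
        X500Name subjectDN, KeyPair subjectKeyPair, CertificateAuthorityConfig certificateConfig) {
    try {
        // Serial Number: RFC 5280 requires a positive integer of at most 20 octets.
        // Math.abs(nextInt()) could produce 0 or a negative value (Math.abs(Integer.MIN_VALUE))
        // and gave only 31 bits of entropy; 64 random bits + 1 is always positive and non-zero.
        SecureRandom random = new SecureRandom();
        BigInteger serialNumber = new BigInteger(64, random).add(BigInteger.ONE);

        // Validity: 3 x 12 "months" of 30 days each, measured from a single timestamp.
        long nowMs = System.currentTimeMillis();
        long validityMs = 1000L * 60 * 60 * 24 * 30 * 12 * 3;
        Date notBefore = new Date(nowMs);
        Date notAfter = new Date(nowMs + validityMs);

        SubjectPublicKeyInfo subjectKeyInfo =
                SubjectPublicKeyInfo.getInstance(subjectKeyPair.getPublic().getEncoded());
        SubjectPublicKeyInfo issuerKeyInfo =
                SubjectPublicKeyInfo.getInstance(rootCertificate.getPublicKey().getEncoded());

        // Issuer name is taken from the root's DER encoding rather than re-parsed from its
        // string form, so it matches the root's subject byte-for-byte (chain building
        // compares encoded names, and a string round-trip can change attribute encodings).
        X500Name issuerDN = X500Name.getInstance(rootCertificate.getSubjectX500Principal().getEncoded());

        X509v3CertificateBuilder certGen = new X509v3CertificateBuilder(
                issuerDN, serialNumber, notBefore, notAfter, subjectDN, subjectKeyInfo);

        // SHA-1 here only derives key identifiers (RFC 5280 s4.2.1.2 method 1); it is not a signature.
        DigestCalculator digCalc = new BcDigestCalculatorProvider()
                .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
        X509ExtensionUtils extUtils = new X509ExtensionUtils(digCalc);

        // Subject Key Identifier
        certGen.addExtension(Extension.subjectKeyIdentifier, false,
                extUtils.createSubjectKeyIdentifier(subjectKeyInfo));
        // Authority Key Identifier: identifies the ISSUER's key. The previous code derived it
        // from the subject key, so the AKI never matched the root certificate's SKI.
        certGen.addExtension(Extension.authorityKeyIdentifier, false,
                extUtils.createAuthorityKeyIdentifier(issuerKeyInfo));
        // Key Usage
        certGen.addExtension(Extension.keyUsage, false,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
        // Extended Key Usage
        KeyPurposeId[] eku = {KeyPurposeId.id_kp_emailProtection, KeyPurposeId.id_kp_serverAuth};
        certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(eku));
        // Basic Constraints: a CA that may only issue end-entity certificates (pathLen 0)
        certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));

        // Content Signer: SHA-256 replaces the deprecated SHA-1 signature algorithm.
        ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
                .setProvider("BC")
                .build(issuerKeyPair.getPrivate());

        // Certificate
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certGen.build(sigGen));
    } catch (Exception e) {
        throw new RuntimeException("Error creating X509v3Certificate.", e);
    }
}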
From source file:org.shredzone.acme4j.util.CertificateUtils.java
License:Apache License
/**
 * Creates a self-signed {@link X509Certificate} that can be used for
 * {@link org.shredzone.acme4j.challenge.TlsSni01Challenge}. The certificate is valid
 * for 7 days.
 * <p>
 * Issuer and subject are both the fixed name {@code CN=acme.invalid}; the challenge
 * host name is carried in a single dNSName Subject Alternative Name.
 *
 * @param keypair
 *            A domain {@link KeyPair} to be used for the challenge
 * @param subject
 *            Subject to create a certificate for
 * @return Created certificate
 * @throws IOException
 *            if the certificate cannot be signed or re-parsed
 * @deprecated Will be removed when
 *             {@link org.shredzone.acme4j.challenge.TlsSni01Challenge} is removed
 */
@Deprecated
public static X509Certificate createTlsSniCertificate(KeyPair keypair, String subject) throws IOException {
    final long issuedAt = System.currentTimeMillis();
    final long sevenDaysMs = 7L * 24 * 60 * 60 * 1000;
    final String signatureAlg = "SHA256withRSA";
    try {
        // Self-signed: the same name is used as issuer and subject
        X500Name selfName = new X500Name("CN=acme.invalid");
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                selfName,
                BigInteger.valueOf(issuedAt),
                new Date(issuedAt),
                new Date(issuedAt + sevenDaysMs),
                selfName,
                keypair.getPublic());
        GeneralNames san = new GeneralNames(new GeneralName(GeneralName.dNSName, subject));
        builder.addExtension(Extension.subjectAlternativeName, false, san);

        byte[] der = builder
                .build(new JcaContentSignerBuilder(signatureAlg).build(keypair.getPrivate()))
                .getEncoded();
        // Round-trip through the JCA factory to hand back a plain X509Certificate
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
    } catch (CertificateException | OperatorCreationException ex) {
        throw new IOException(ex);
    }
}
From source file:org.shredzone.acme4j.util.CertificateUtils.java
License:Apache License
/**
 * Creates a self-signed {@link X509Certificate} that can be used for
 * {@link TlsSni02Challenge}. The certificate is valid for 7 days.
 * <p>
 * Issuer and subject are both the fixed name {@code CN=acme.invalid}; the two
 * challenge names are carried as dNSName entries of the Subject Alternative Name.
 *
 * @param keypair
 *            A domain {@link KeyPair} to be used for the challenge
 * @param sanA
 *            SAN-A to be used in the certificate
 * @param sanB
 *            SAN-B to be used in the certificate
 * @return Created certificate
 * @throws IOException
 *            if the certificate cannot be signed or re-parsed
 */
public static X509Certificate createTlsSni02Certificate(KeyPair keypair, String sanA, String sanB)
        throws IOException {
    final long issuedAt = System.currentTimeMillis();
    final long sevenDaysMs = 7L * 24 * 60 * 60 * 1000;
    final String signatureAlg = "SHA256withRSA";
    try {
        // Self-signed: the same name is used as issuer and subject
        X500Name selfName = new X500Name("CN=acme.invalid");
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                selfName,
                BigInteger.valueOf(issuedAt),
                new Date(issuedAt),
                new Date(issuedAt + sevenDaysMs),
                selfName,
                keypair.getPublic());
        GeneralNames san = new GeneralNames(new GeneralName[] {
                new GeneralName(GeneralName.dNSName, sanA),
                new GeneralName(GeneralName.dNSName, sanB)});
        builder.addExtension(Extension.subjectAlternativeName, false, san);

        byte[] der = builder
                .build(new JcaContentSignerBuilder(signatureAlg).build(keypair.getPrivate()))
                .getEncoded();
        // Round-trip through the JCA factory to hand back a plain X509Certificate
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
    } catch (CertificateException | OperatorCreationException ex) {
        throw new IOException(ex);
    }
}
From source file:org.signserver.module.pdfsigner.PDFSignerUnitTest.java
License:Open Source License
/**
 * Builds a small test CRL: one entry revoking serial 1 with reason privilegeWithdrawn,
 * plus a private extension {@code 1.2.3.4} carrying {@code data} as a bit string.
 *
 * @param caCrlPrivKey key used to sign the CRL (SHA1withRSA)
 * @param data         payload stored in the custom extension
 * @return the signed CRL converted to a JCA {@link X509CRL}
 * @throws Exception on any signing or conversion failure
 */
private X509CRL createCRL(PrivateKey caCrlPrivKey, byte[] data) throws Exception {
    final X500Name crlIssuer = new X500Name("CN=CRL Issuer");
    final X509v2CRLBuilder builder = new X509v2CRLBuilder(crlIssuer, new Date());

    // A single revoked serial plus a custom extension wrapping the test payload
    builder.addCRLEntry(BigInteger.ONE, new Date(), CRLReason.privilegeWithdrawn);
    builder.addExtension(new ASN1ObjectIdentifier("1.2.3.4"), false, new DERBitString(data));

    final X509CRLHolder signedCrl =
            builder.build(new JcaContentSignerBuilder("SHA1withRSA").build(caCrlPrivKey));
    return new JcaX509CRLConverter().getCRL(signedCrl);
}
From source file:org.signserver.module.tsa.TimeStampSigner.java
License:Open Source License
/**
 * Builds the {@link TimeStampTokenGenerator} used to answer {@code timeStampRequest}.
 * <p>
 * The TSA policy is the one requested, falling back to {@code defaultTSAPolicyOID}, and is
 * recorded in {@code logMap}. The signer info is built from the crypto token's private key
 * and signing certificate (SHA-1 digest calculator, {@code signatureAlgorithm}, optional
 * signingTime attribute). Accuracy, ordering and TSA name are applied from worker
 * configuration, and the signing chain is attached.
 *
 * @param crypto           crypto instance providing provider, private key and certificates
 * @param timeStampRequest the incoming request (used for its requested policy)
 * @param logMap           receives the effective policy id under LOG_TSA_POLICYID
 * @return a fully configured generator
 * @throws CryptoTokenOfflineException if the signer has no certificate
 * @throws IllegalRequestException     for argument, TSP, encoding or I/O failures (logged
 *                                     first; only the message is propagated)
 */
private TimeStampTokenGenerator getTimeStampTokenGenerator(final ICryptoInstance crypto,
        final TimeStampRequest timeStampRequest, final LogMap logMap)
        throws IllegalRequestException, CryptoTokenOfflineException, InvalidAlgorithmParameterException,
        NoSuchAlgorithmException, NoSuchProviderException, CertStoreException, OperatorCreationException,
        SignServerException {
    final TimeStampTokenGenerator generator;
    try {
        // Requested policy wins; otherwise use the worker default
        ASN1ObjectIdentifier policyOid = timeStampRequest.getReqPolicy();
        if (policyOid == null) {
            policyOid = defaultTSAPolicyOID;
        }
        logMap.put(ITimeStampLogger.LOG_TSA_POLICYID, policyOid.getId());

        final X509Certificate signingCert = (X509Certificate) getSigningCertificate(crypto);
        if (signingCert == null) {
            throw new CryptoTokenOfflineException("No certificate for this signer");
        }

        final DigestCalculatorProvider digestProvider = new BcDigestCalculatorProvider();
        final DigestCalculator certDigest = digestProvider.get(new AlgorithmIdentifier(TSPAlgorithms.SHA1));
        final ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm)
                .setProvider(crypto.getProvider())
                .build(crypto.getPrivateKey());

        final JcaSignerInfoGeneratorBuilder infoBuilder = new JcaSignerInfoGeneratorBuilder(digestProvider);
        // set signed attribute table generator based on property
        infoBuilder.setSignedAttributeGenerator(
                new OptionalSigningTimeSignedAttributeTableGenerator(includeSigningTimeAttribute));
        final X509CertificateHolder certHolder = new X509CertificateHolder(signingCert.getEncoded());
        final SignerInfoGenerator signerInfo = infoBuilder.build(contentSigner, certHolder);

        generator = new TimeStampTokenGenerator(certDigest, signerInfo, policyOid);

        // Accuracy is optional at each granularity; parse failures surface as IllegalArgumentException
        final String accuracyMicros = config.getProperties().getProperty(ACCURACYMICROS);
        if (accuracyMicros != null) {
            generator.setAccuracyMicros(Integer.parseInt(accuracyMicros));
        }
        final String accuracyMillis = config.getProperties().getProperty(ACCURACYMILLIS);
        if (accuracyMillis != null) {
            generator.setAccuracyMillis(Integer.parseInt(accuracyMillis));
        }
        final String accuracySeconds = config.getProperties().getProperty(ACCURACYSECONDS);
        if (accuracySeconds != null) {
            generator.setAccuracySeconds(Integer.parseInt(accuracySeconds));
        }

        generator.setOrdering(ordering);
        generator.setIncludeOrdering(includeOrdering);

        // TSA name: explicit property first, else the signing certificate's subject if enabled
        if (tsaName != null) {
            generator.setTSA(new GeneralName(new X500Name(tsaName)));
        } else if (tsaNameFromCert) {
            generator.setTSA(new GeneralName(new JcaX509CertificateHolder(signingCert).getSubject()));
        }

        generator.addCertificates(getCertStoreWithChain(signingCert, getSigningCertificateChain(crypto)));
    } catch (IllegalArgumentException e) {
        LOG.error("IllegalArgumentException: ", e);
        throw new IllegalRequestException(e.getMessage());
    } catch (TSPException e) {
        LOG.error("TSPException: ", e);
        throw new IllegalRequestException(e.getMessage());
    } catch (CertificateEncodingException e) {
        LOG.error("CertificateEncodingException: ", e);
        throw new IllegalRequestException(e.getMessage());
    } catch (IOException e) {
        LOG.error("IOException: ", e);
        throw new IllegalRequestException(e.getMessage());
    }
    return generator;
}
From source file:org.signserver.module.tsa.TimeStampSignerTest.java
License:Open Source License
/**
 * Test setting the TSA worker property.
 * <p>
 * With {@code TSA=CN=test} configured, the issued token's TSA field must equal that
 * name. The property is removed again afterwards so later tests see the default.
 *
 * @throws Exception
 */
@Test
public void test32ExplicitTSAName() throws Exception {
    final String explicitTsa = "CN=test";
    workerSession.setWorkerProperty(WORKER1, TimeStampSigner.TSA, explicitTsa);
    workerSession.reloadConfiguration(WORKER1);

    final TimeStampResponse response = assertSuccessfulTimestamp(WORKER1, true);
    final GeneralName actualTsa = response.getTimeStampToken().getTimeStampInfo().getTsa();
    assertEquals("TSA included", new GeneralName(new X500Name(explicitTsa)), actualTsa);

    // restore
    workerSession.removeWorkerProperty(WORKER1, TimeStampSigner.TSA);
    workerSession.reloadConfiguration(WORKER1);
}
From source file:org.signserver.module.tsa.TimeStampSignerTest.java
License:Open Source License
/**
 * Test using the TSA_FROM_CERT property to set the TSA name from
 * the signing cert.
 * <p>
 * Checks the TSA field against the expected literal subject and, independently, against
 * the DER encoding of the worker's actual signer certificate subject. The property is
 * removed again afterwards.
 *
 * @throws Exception
 */
@Test
public void test34TSANameFromCert() throws Exception {
    workerSession.setWorkerProperty(WORKER1, TimeStampSigner.TSA_FROM_CERT, "true");
    workerSession.reloadConfiguration(WORKER1);

    final TimeStampResponse response = assertSuccessfulTimestamp(WORKER1, true);
    final GeneralName actualTsa = response.getTimeStampToken().getTimeStampInfo().getTsa();

    final X500Name expectedSubject = new X500Name("CN=TS Signer 1,OU=Testing,O=SignServer,C=SE");
    assertEquals("TSA included", new GeneralName(expectedSubject), actualTsa);

    // Cross-check against the real signer certificate, comparing encodings rather than objects
    final X509Certificate signerCert = (X509Certificate) workerSession.getSignerCertificate(WORKER1);
    final GeneralName certSubject = new GeneralName(new JcaX509CertificateHolder(signerCert).getSubject());
    assertTrue("TSA name content equals cert",
            Arrays.equals(certSubject.getEncoded(), actualTsa.getEncoded()));

    // restore
    workerSession.removeWorkerProperty(WORKER1, TimeStampSigner.TSA_FROM_CERT);
    workerSession.reloadConfiguration(WORKER1);
}
From source file:org.signserver.server.cryptotokens.CryptoTokenBase.java
License:Open Source License
/**
 * Generates a PKCS#10 certificate request for the token's signing key (or next key).
 * <p>
 * Only {@code PKCS10CertReqInfo} is supported; any other {@code info} yields {@code null}.
 * The subject DN is normalised via {@code CertTools.stringToBCDNString}, and EC keys may be
 * re-encoded with explicit curve parameters. Failures while building the request are
 * logged and result in {@code null} rather than an exception.
 *
 * @param info                  request details (subject DN, signature algorithm)
 * @param explicitEccParameters re-encode EC public keys with explicit parameters
 * @param defaultKey            {@code true} to use PURPOSE_SIGN, else PURPOSE_NEXTKEY
 * @return the Base64-encoded request, or {@code null} if unsupported or on error
 * @throws CryptoTokenOfflineException if the token's keys cannot be accessed
 */
@Override
public ICertReqData genCertificateRequest(ISignerCertReqInfo info, final boolean explicitEccParameters,
        final boolean defaultKey) throws CryptoTokenOfflineException {
    if (!(info instanceof PKCS10CertReqInfo)) {
        return null;
    }
    final PKCS10CertReqInfo reqInfo = (PKCS10CertReqInfo) info;
    final int purpose = defaultKey ? PURPOSE_SIGN : PURPOSE_NEXTKEY;
    if (log.isDebugEnabled()) {
        log.debug("Purpose: " + purpose);
        log.debug("signatureAlgorithm: " + reqInfo.getSignatureAlgorithm());
        log.debug("subjectDN: " + reqInfo.getSubjectDN());
        log.debug("explicitEccParameters: " + explicitEccParameters);
    }

    Base64SignerCertReqData result = null;
    try {
        PublicKey publicKey = getPublicKey(purpose);
        // Handle ECDSA key with explicit parameters
        if (explicitEccParameters && publicKey.getAlgorithm().contains("EC")) {
            publicKey = ECKeyUtil.publicToExplicitParameters(publicKey, "BC");
        }

        // Generate request
        final X500Name subject = new X500Name(CertTools.stringToBCDNString(reqInfo.getSubjectDN()));
        final JcaPKCS10CertificationRequestBuilder builder =
                new JcaPKCS10CertificationRequestBuilder(subject, publicKey);
        final ContentSigner contentSigner = new JcaContentSignerBuilder(reqInfo.getSignatureAlgorithm())
                .setProvider(getProvider(ICryptoToken.PROVIDERUSAGE_SIGN))
                .build(getPrivateKey(purpose));
        final PKCS10CertificationRequest pkcs10 = builder.build(contentSigner);
        result = new Base64SignerCertReqData(Base64.encode(pkcs10.getEncoded()));
    } catch (IOException e) {
        log.error("Certificate request error: " + e.getMessage(), e);
    } catch (OperatorCreationException e) {
        log.error("Certificate request error: signer could not be initialized", e);
    } catch (NoSuchAlgorithmException e) {
        log.error("Certificate request error: " + e.getMessage(), e);
    } catch (NoSuchProviderException e) {
        log.error("Certificate request error: " + e.getMessage(), e);
    }
    return result;
}