List of usage examples for org.bouncycastle.asn1.x500 X500Name X500Name
public X500Name(String dirName)
From source file:org.xipki.pki.ca.server.impl.X509Ca.java
License:Open Source License
private static X500Name removeEmptyRdns(final X500Name name) { RDN[] rdns = name.getRDNs();/*from w ww.j a v a 2 s. co m*/ List<RDN> tmpRdns = new ArrayList<>(rdns.length); boolean changed = false; for (RDN rdn : rdns) { String textValue = X509Util.rdnValueToString(rdn.getFirst().getValue()); if (StringUtil.isBlank(textValue)) { changed = true; } else { tmpRdns.add(rdn); } } return changed ? new X500Name(tmpRdns.toArray(new RDN[0])) : name; }
From source file:org.xipki.pki.ca.server.impl.X509Ca.java
License:Open Source License
private static Object[] incSerialNumber(final IdentifiedX509Certprofile profile, final X500Name origName, final String latestSn) throws BadFormatException { RDN[] rdns = origName.getRDNs();//from w w w .j a va 2 s . co m int commonNameIndex = -1; int serialNumberIndex = -1; for (int i = 0; i < rdns.length; i++) { RDN rdn = rdns[i]; ASN1ObjectIdentifier type = rdn.getFirst().getType(); if (ObjectIdentifiers.DN_CN.equals(type)) { commonNameIndex = i; } else if (ObjectIdentifiers.DN_SERIALNUMBER.equals(type)) { serialNumberIndex = i; } } String newSerialNumber = profile.incSerialNumber(latestSn); RDN serialNumberRdn = new RDN(ObjectIdentifiers.DN_SERIALNUMBER, new DERPrintableString(newSerialNumber)); X500Name newName; if (serialNumberIndex != -1) { rdns[serialNumberIndex] = serialNumberRdn; newName = new X500Name(rdns); } else { List<RDN> newRdns = new ArrayList<>(rdns.length + 1); if (commonNameIndex == -1) { newRdns.add(serialNumberRdn); } for (int i = 0; i < rdns.length; i++) { newRdns.add(rdns[i]); if (i == commonNameIndex) { newRdns.add(serialNumberRdn); } } newName = new X500Name(newRdns.toArray(new RDN[0])); } return new Object[] { newName, newSerialNumber }; }
From source file:org.xipki.pki.ca.server.mgmt.shell.cert.ListCertCmd.java
License:Open Source License
/** * @return comma-separated serial numbers (in hex). *///from www . j ava2 s . c om @Override protected Object doExecute() throws Exception { Date validFrom = getDate(validFromS); Date validTo = getDate(validToS); X500Name subjectPattern = null; if (StringUtil.isNotBlank(subjectPatternS)) { subjectPattern = new X500Name(subjectPatternS); } CertListOrderBy orderBy = null; if (orderByS != null) { orderBy = CertListOrderBy.forValue(orderByS); if (orderBy == null) { throw new IllegalCmdParamException("invalid order '" + orderByS + "'"); } } List<CertListInfo> certInfos = caManager.listCertificates(caName, subjectPattern, validFrom, validTo, orderBy, num); final int n = certInfos.size(); if (n == 0) { println("found no certificate"); return null; } println(" | serial | notBefore | notAfter | subject"); println("-----+----------------------+----------------+----------------+-----------------"); for (int i = 0; i < n; i++) { CertListInfo info = certInfos.get(i); println(format(i + 1, info)); } return null; }
From source file:org.xipki.pki.scep.client.test.AbstractCaTest.java
License:Open Source License
@Test public void test() throws Exception { CaIdentifier caId = new CaIdentifier("http://localhost:8080/scep/pkiclient.exe", null); CaCertValidator caCertValidator = new PreprovisionedCaCertValidator( X509Util.toX509Cert(scepServer.getCaCert())); ScepClient client = new ScepClient(caId, caCertValidator); client.setUseInsecureAlgorithms(useInsecureAlgorithms()); client.refresh();/* w w w . ja v a 2 s . c om*/ CaCaps expCaCaps = getExpectedCaCaps(); // CACaps CaCaps caCaps = client.getCaCaps(); Assert.assertEquals("CACaps", expCaCaps, caCaps); // CA certificate Certificate expCaCert = scepServer.getCaCert(); X509Certificate caCert = client.getAuthorityCertStore().getCaCert(); if (!equals(expCaCert, caCert)) { Assert.fail("Configured and received CA certificate not the same"); } boolean withRa = isWithRa(); // RA if (withRa) { Certificate expRaCert = scepServer.getRaCert(); X509Certificate raSigCert = client.getAuthorityCertStore().getSignatureCert(); X509Certificate raEncCert = client.getAuthorityCertStore().getEncryptionCert(); Assert.assertEquals("RA certificate", raSigCert, raEncCert); if (!equals(expRaCert, raSigCert)) { Assert.fail("Configured and received RA certificate not the same"); } } // getNextCA if (isWithNextCa()) { AuthorityCertStore nextCa = client.scepNextCaCert(); Certificate expNextCaCert = scepServer.getNextCaCert(); X509Certificate nextCaCert = nextCa.getCaCert(); if (!equals(expNextCaCert, nextCaCert)) { Assert.fail("Configured and received next CA certificate not the same"); } if (withRa) { Certificate expNextRaCert = scepServer.getNextRaCert(); X509Certificate nextRaSigCert = nextCa.getSignatureCert(); X509Certificate nextRaEncCert = nextCa.getEncryptionCert(); Assert.assertEquals("Next RA certificate", nextRaSigCert, nextRaEncCert); if (!equals(expNextRaCert, nextRaSigCert)) { Assert.fail("Configured and received next RA certificate not the same"); } } } // enrol CertificationRequest csr; X509Certificate selfSignedCert; X509Certificate enroledCert; X500Name issuerName = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()); PrivateKey privKey; { KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA"); kpGen.initialize(2048); KeyPair keypair = kpGen.generateKeyPair(); privKey = keypair.getPrivate(); SubjectPublicKeyInfo subjectPublicKeyInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic()); X500Name subject = new X500Name("CN=EE1, OU=emulator, O=xipki.org, C=DE"); // first try without secret PKCS10CertificationRequest p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, null, null); csr = p10Req.toASN1Structure(); selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey); EnrolmentResponse enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert); PkiStatus status = enrolResp.getPkcsRep().getPkiStatus(); Assert.assertEquals("PkiStatus without secret", PkiStatus.FAILURE, status); // first try invalid secret p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, "invalid-" + secret, null); csr = p10Req.toASN1Structure(); selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey); enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert); status = enrolResp.getPkcsRep().getPkiStatus(); Assert.assertEquals("PkiStatus with invalid secret", PkiStatus.FAILURE, status); p10Req = ScepUtil.generateRequest(privKey, subjectPublicKeyInfo, subject, secret, null); csr = p10Req.toASN1Structure(); selfSignedCert = ScepUtil.generateSelfsignedCert(p10Req.toASN1Structure(), privKey); enrolResp = client.scepPkcsReq(p10Req.toASN1Structure(), privKey, selfSignedCert); List<X509Certificate> certs = enrolResp.getCertificates(); Assert.assertTrue("number of received certificates", certs.size() > 0); X509Certificate cert = certs.get(0); Assert.assertNotNull("enroled certificate", cert); enroledCert = cert; } // certPoll EnrolmentResponse enrolResp = client.scepCertPoll(privKey, selfSignedCert, csr, issuerName); List<X509Certificate> certs = enrolResp.getCertificates(); Assert.assertTrue("number of received certificates", certs.size() > 0); X509Certificate cert = certs.get(0); Assert.assertNotNull("enrolled certificate", cert); // getCert certs = client.scepGetCert(privKey, selfSignedCert, issuerName, enroledCert.getSerialNumber()); Assert.assertTrue("number of received certificates", certs.size() > 0); cert = certs.get(0); Assert.assertNotNull("received certificate", cert); // getCRL X509CRL crl = client.scepGetCrl(privKey, enroledCert, issuerName, enroledCert.getSerialNumber()); Assert.assertNotNull("received CRL", crl); // getNextCA AuthorityCertStore nextCa = client.scepNextCaCert(); Assert.assertNotNull("nextCa", nextCa); }
From source file:org.xipki.pki.scep.serveremulator.ScepServer.java
License:Open Source License
public ScepServlet getServlet() throws Exception { if (servlet != null) { return servlet; }/*from w w w . jav a 2s.c om*/ KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA"); X500Name rcaSubject; kpGen.initialize(2048); KeyPair keypair = kpGen.generateKeyPair(); // CHECKSTYLE:SKIP PrivateKey rcaKey = keypair.getPrivate(); rcaSubject = new X500Name("CN=RCA1, OU=emulator, O=xipki.org, C=DE"); kpGen.initialize(2048); keypair = kpGen.generateKeyPair(); SubjectPublicKeyInfo pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic()); X500Name subject = new X500Name("CN=CA1, OU=emulator, O=xipki.org, C=DE"); this.caCert = issueSubCaCert(rcaKey, rcaSubject, pkInfo, subject, BigInteger.valueOf(2), new Date(System.currentTimeMillis() - 10 * CaEmulator.MIN_IN_MS)); CaEmulator ca = new CaEmulator(keypair.getPrivate(), this.caCert, generateCrl); RaEmulator ra = null; if (withRa) { kpGen.initialize(2048); keypair = kpGen.generateKeyPair(); pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic()); subject = new X500Name("CN=RA1, OU=emulator, O=xipki.org, C=DE"); this.raCert = ca.generateCert(pkInfo, subject); ra = new RaEmulator(keypair.getPrivate(), this.raCert); } NextCaAndRa nextCaAndRa = null; if (withNextCa) { kpGen.initialize(2048); keypair = kpGen.generateKeyPair(); pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic()); subject = new X500Name("CN=CA2, OU=emulator, O=xipki.org, C=DE"); Date startTime = new Date(System.currentTimeMillis() + 365 * CaEmulator.DAY_IN_MS); this.nextCaCert = issueSubCaCert(rcaKey, rcaSubject, pkInfo, subject, BigInteger.valueOf(2), startTime); CaEmulator tmpCa = new CaEmulator(keypair.getPrivate(), this.nextCaCert, generateCrl); if (withRa) { kpGen.initialize(2048); keypair = kpGen.generateKeyPair(); pkInfo = ScepUtil.createSubjectPublicKeyInfo(keypair.getPublic()); subject = new X500Name("CN=RA2, OU=emulator, O=xipki.org, C=DE"); Date raStartTime = new Date(startTime.getTime() + 10 * CaEmulator.DAY_IN_MS); this.nextRaCert = tmpCa.generateCert(pkInfo, subject, raStartTime); } // end if(withRA) nextCaAndRa = new NextCaAndRa(this.nextCaCert, this.nextRaCert); } // end if(withNextCA) ScepResponder scepResponder = new ScepResponder(caCaps, ca, ra, nextCaAndRa, control); if (maxSigningTimeBiasInMs != null) { scepResponder.setMaxSigningTimeBias(maxSigningTimeBiasInMs); } this.servlet = new ScepServlet(scepResponder); this.servlet.setAuditService(new Slf4jAuditServiceImpl()); return this.servlet; }
From source file:org.xipki.security.HttpsHostnameVerifier.java
License:Open Source License
/** * Verify that the host name is an acceptable match with * the server's authentication scheme./*from w w w.j av a 2s . co m*/ * * @param hostname the host name * @param session SSLSession used on the connection to host * @return true if the host name is acceptable */ @Override public boolean verify(final String hostname, final SSLSession session) { if (trustAll) { return true; } LOG.info("hostname: {}", hostname); String commonName = null; try { Principal peerPrincipal = session.getPeerPrincipal(); if (peerPrincipal == null) { return false; } commonName = X509Util.getCommonName(new X500Name(peerPrincipal.getName())); LOG.info("commonName: {}", commonName); } catch (Exception e) { LOG.error("Error: {}", e.getMessage()); return false; } Set<String> hostnames = hostnameMap.get(commonName); return hostnames == null ? false : hostnames.contains(hostname); }
From source file:org.xipki.security.P10RequestGenerator.java
License:Open Source License
public PKCS10CertificationRequest generateRequest(final SecurityFactory securityFactory, final String signerType, final String signerConf, final SubjectPublicKeyInfo subjectPublicKeyInfo, final String subject, final List<Extension> extensions) throws PasswordResolverException, SignerException { X500Name subjectDN = new X500Name(subject); return generateRequest(securityFactory, signerType, signerConf, subjectPublicKeyInfo, subjectDN, extensions);//from w w w . j a v a 2s .c om }
From source file:org.xipki.security.P10RequestGenerator.java
License:Open Source License
/** * * @param taggedValue [tag]value, and the value for tags otherName and ediPartyName is type=value. * @param modes//from ww w . java2 s . co m * @return * @throws BadInputException */ public static GeneralName createGeneralName(final String taggedValue) throws BadInputException { int tag = -1; String value = null; if (taggedValue.charAt(0) == '[') { int idx = taggedValue.indexOf(']', 1); if (idx > 1 && idx < taggedValue.length() - 1) { String tagS = taggedValue.substring(1, idx); try { tag = Integer.parseInt(tagS); value = taggedValue.substring(idx + 1); } catch (NumberFormatException e) { } } } if (tag == -1) { throw new BadInputException("invalid taggedValue " + taggedValue); } switch (tag) { case GeneralName.otherName: { int idxSep = value.indexOf("="); if (idxSep == -1 || idxSep == 0 || idxSep == value.length() - 1) { throw new BadInputException("invalid otherName " + value); } String otherTypeOid = value.substring(0, idxSep); ASN1ObjectIdentifier type = new ASN1ObjectIdentifier(otherTypeOid); String otherValue = value.substring(idxSep + 1); ASN1EncodableVector vector = new ASN1EncodableVector(); vector.add(type); vector.add(new DERTaggedObject(true, 0, new DERUTF8String(otherValue))); DERSequence seq = new DERSequence(vector); return new GeneralName(GeneralName.otherName, seq); } case GeneralName.rfc822Name: return new GeneralName(tag, value); case GeneralName.dNSName: return new GeneralName(tag, value); case GeneralName.directoryName: { X500Name x500Name = X509Util.reverse(new X500Name(value)); return new GeneralName(GeneralName.directoryName, x500Name); } case GeneralName.ediPartyName: { int idxSep = value.indexOf("="); if (idxSep == -1 || idxSep == value.length() - 1) { throw new BadInputException("invalid ediPartyName " + value); } String nameAssigner = idxSep == 0 ? null : value.substring(0, idxSep); String partyName = value.substring(idxSep + 1); ASN1EncodableVector vector = new ASN1EncodableVector(); if (nameAssigner != null) { vector.add(new DERTaggedObject(false, 0, new DirectoryString(nameAssigner))); } vector.add(new DERTaggedObject(false, 1, new DirectoryString(partyName))); ASN1Sequence seq = new DERSequence(vector); return new GeneralName(GeneralName.ediPartyName, seq); } case GeneralName.uniformResourceIdentifier: return new GeneralName(tag, value); case GeneralName.iPAddress: return new GeneralName(tag, value); case GeneralName.registeredID: return new GeneralName(tag, value); default: throw new RuntimeException("unsupported tag " + tag); } // end switch(tag) }
From source file:org.xipki.security.p11.iaik.IaikP11Slot.java
License:Open Source License
private X509CertificateHolder generateCertificate(final Session session, final byte[] id, final String label, final String subject, final AlgorithmIdentifier signatureAlgId, final PrivateKeyAndPKInfo privateKeyAndPkInfo, Integer keyUsage, List<ASN1ObjectIdentifier> extendedKeyUsage) throws Exception { BigInteger serialNumber = BigInteger.ONE; Date startDate = new Date(); Date endDate = new Date(startDate.getTime() + 20 * YEAR); X500Name x500Name_subject = new X500Name(subject); x500Name_subject = X509Util.sortX509Name(x500Name_subject); V3TBSCertificateGenerator tbsGen = new V3TBSCertificateGenerator(); tbsGen.setSerialNumber(new ASN1Integer(serialNumber)); tbsGen.setSignature(signatureAlgId); tbsGen.setIssuer(x500Name_subject); tbsGen.setStartDate(new Time(startDate)); tbsGen.setEndDate(new Time(endDate)); tbsGen.setSubject(x500Name_subject); tbsGen.setSubjectPublicKeyInfo(privateKeyAndPkInfo.getPublicKeyInfo()); List<Extension> extensions = new ArrayList<>(2); if (keyUsage == null) { keyUsage = KeyUsage.keyCertSign | KeyUsage.cRLSign | KeyUsage.digitalSignature | KeyUsage.keyEncipherment; }/*from w w w .jav a2 s .com*/ extensions.add(new Extension(Extension.keyUsage, true, new DEROctetString(new KeyUsage(keyUsage)))); if (CollectionUtil.isNotEmpty(extendedKeyUsage)) { KeyPurposeId[] kps = new KeyPurposeId[extendedKeyUsage.size()]; int i = 0; for (ASN1ObjectIdentifier oid : extendedKeyUsage) { kps[i++] = KeyPurposeId.getInstance(oid); } extensions.add(new Extension(Extension.extendedKeyUsage, false, new DEROctetString(new ExtendedKeyUsage(kps)))); } Extensions paramX509Extensions = new Extensions(extensions.toArray(new Extension[0])); tbsGen.setExtensions(paramX509Extensions); TBSCertificate tbsCertificate = tbsGen.generateTBSCertificate(); byte[] encodedTbsCertificate = tbsCertificate.getEncoded(); byte[] signature = null; Digest digest = null; Mechanism sigMechanism = null; ASN1ObjectIdentifier sigAlgID = signatureAlgId.getAlgorithm(); if (sigAlgID.equals(PKCSObjectIdentifiers.sha256WithRSAEncryption)) { sigMechanism = Mechanism.get(PKCS11Constants.CKM_SHA256_RSA_PKCS); session.signInit(sigMechanism, privateKeyAndPkInfo.getPrivateKey()); signature = session.sign(encodedTbsCertificate); } else if (sigAlgID.equals(NISTObjectIdentifiers.dsa_with_sha256)) { digest = new SHA256Digest(); byte[] digestValue = new byte[digest.getDigestSize()]; digest.update(encodedTbsCertificate, 0, encodedTbsCertificate.length); digest.doFinal(digestValue, 0); session.signInit(Mechanism.get(PKCS11Constants.CKM_DSA), privateKeyAndPkInfo.getPrivateKey()); byte[] rawSignature = session.sign(digestValue); signature = convertToX962Signature(rawSignature); } else { if (sigAlgID.equals(X9ObjectIdentifiers.ecdsa_with_SHA1)) { digest = new SHA1Digest(); } else if (sigAlgID.equals(X9ObjectIdentifiers.ecdsa_with_SHA256)) { digest = new SHA256Digest(); } else if (sigAlgID.equals(X9ObjectIdentifiers.ecdsa_with_SHA384)) { digest = new SHA384Digest(); } else if (sigAlgID.equals(X9ObjectIdentifiers.ecdsa_with_SHA512)) { digest = new SHA512Digest(); } else { System.err.println("unknown algorithm ID: " + sigAlgID.getId()); return null; } byte[] digestValue = new byte[digest.getDigestSize()]; digest.update(encodedTbsCertificate, 0, encodedTbsCertificate.length); digest.doFinal(digestValue, 0); session.signInit(Mechanism.get(PKCS11Constants.CKM_ECDSA), privateKeyAndPkInfo.getPrivateKey()); byte[] rawSignature = session.sign(digestValue); signature = convertToX962Signature(rawSignature); } // build DER certificate ASN1EncodableVector v = new ASN1EncodableVector(); v.add(tbsCertificate); v.add(signatureAlgId); v.add(new DERBitString(signature)); DERSequence cert = new DERSequence(v); // build and store PKCS#11 certificate object X509PublicKeyCertificate certTemp = new X509PublicKeyCertificate(); certTemp.getToken().setBooleanValue(true); certTemp.getId().setByteArrayValue(id); certTemp.getLabel().setCharArrayValue(label.toCharArray()); certTemp.getSubject().setByteArrayValue(x500Name_subject.getEncoded()); certTemp.getIssuer().setByteArrayValue(x500Name_subject.getEncoded()); certTemp.getSerialNumber().setByteArrayValue(serialNumber.toByteArray()); certTemp.getValue().setByteArrayValue(cert.getEncoded()); session.createObject(certTemp); return new X509CertificateHolder(Certificate.getInstance(cert)); }
From source file:org.xipki.security.P12KeypairGenerator.java
License:Open Source License
public P12KeypairGenerationResult generateIdentity() throws Exception { KeyPairWithSubjectPublicKeyInfo kp = genKeypair(); Date now = new Date(); Date notBefore = new Date(now.getTime() - 10 * MIN); // 10 minutes past Date notAfter = new Date(notBefore.getTime() + validity * DAY); X500Name subjectDN = new X500Name(subject); subjectDN = X509Util.sortX509Name(subjectDN); SubjectPublicKeyInfo subjectPublicKeyInfo = kp.getSubjectPublicKeyInfo(); ContentSigner contentSigner = getContentSigner(kp.getKeypair().getPrivate()); // Generate keystore X509v3CertificateBuilder certGenerator = new X509v3CertificateBuilder(subjectDN, BigInteger.valueOf(serialNumber), notBefore, notAfter, subjectDN, subjectPublicKeyInfo); X509KeyUsage ku;// w ww . ja v a 2s .c o m if (keyUsage == null) { ku = new X509KeyUsage(X509KeyUsage.nonRepudiation | X509KeyUsage.digitalSignature | X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign); } else { ku = new X509KeyUsage(keyUsage); } certGenerator.addExtension(Extension.keyUsage, true, ku); if (CollectionUtil.isNotEmpty(extendedKeyUsage)) { KeyPurposeId[] kps = new KeyPurposeId[extendedKeyUsage.size()]; int i = 0; for (ASN1ObjectIdentifier oid : extendedKeyUsage) { kps[i++] = KeyPurposeId.getInstance(oid); } certGenerator.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(kps)); } KeyAndCertPair identity = new KeyAndCertPair(certGenerator.build(contentSigner), kp.getKeypair().getPrivate()); KeyStore ks = KeyStore.getInstance("PKCS12", "BC"); ks.load(null, password); ks.setKeyEntry("main", identity.getKey(), password, new Certificate[] { identity.getJceCert() }); ByteArrayOutputStream ksStream = new ByteArrayOutputStream(); try { ks.store(ksStream, password); } finally { ksStream.flush(); } P12KeypairGenerationResult result = new P12KeypairGenerationResult(ksStream.toByteArray(), identity.getCert()); result.setKeystoreObject(ks); return result; }