List of usage examples for org.bouncycastle.asn1.x509 Extension authorityKeyIdentifier
ASN1ObjectIdentifier authorityKeyIdentifier
From source file:org.xwiki.crypto.pkix.internal.extension.DefaultX509ExtensionBuilder.java
License:Open Source License
/**
 * Adds an authorityKeyIdentifier extension derived from the given issuer public key.
 * <p>
 * The extension is added as non-critical, which is what RFC 5280 requires for
 * authorityKeyIdentifier. A {@code null} subject is treated as "nothing to add" and the
 * builder is returned unchanged.
 *
 * @param subject the public key of the issuing authority, or {@code null} for a no-op
 * @return this builder (or whatever {@code addExtension} returns), for chaining
 */
@Override
public X509ExtensionBuilder addAuthorityKeyIdentifier(PublicKeyParameters subject)
{
    X509ExtensionBuilder result = this;
    if (subject != null) {
        BcX509ExtensionUtils extensionUtils = new BcX509ExtensionUtils();
        result = addExtension(Extension.authorityKeyIdentifier, false,
            extensionUtils.createAuthorityKeyIdentifier(BcUtils.getSubjectPublicKeyInfo(subject)));
    }
    return result;
}
From source file:se.tillvaxtverket.tsltrust.webservice.daemon.ca.CertificationAuthority.java
License:Open Source License
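/**
 * Issues a new certificate for the subject and public key of {@code orgCert}, naming
 * {@code issuerCert} as issuer and signing with the CA root key from the key store.
 * <p>
 * The validity end is clamped so the new certificate never outlives the issuer. An
 * authorityKeyIdentifier (non-critical) and a cRLDistributionPoints extension pointing at
 * {@code crlDpUrl} are appended to a <em>copy</em> of {@code extensions}; the caller's list
 * is left untouched, so reusing one list across several calls no longer accumulates
 * duplicate AKI/CDP extensions.
 *
 * @param orgCert    certificate supplying the subject name, public key and notBefore
 * @param certSerial serial number for the new certificate
 * @param issuerCert certificate whose subject becomes the issuer name
 * @param algorithm  JCA signature algorithm name handed to {@code JcaContentSignerBuilder}
 * @param extensions extra extensions to include; may be {@code null} or empty
 * @return the new certificate, or {@code null} if creation failed (the failure is logged)
 */
public AaaCertificate createCertificate(AaaCertificate orgCert, BigInteger certSerial,
        AaaCertificate issuerCert, String algorithm, List<Extension> extensions) {
    try {
        CertRequestModel reqModel = new CertRequestModel();
        reqModel.setIssuerDN(issuerCert.getSubject());
        reqModel.setPublicKey(orgCert.getCert().getPublicKey());
        reqModel.setSerialNumber(certSerial);
        reqModel.setSubjectDN(orgCert.getSubject());
        reqModel.setNotBefore(orgCert.getNotBefore());
        // Use the earlier of the two expiry dates: a certificate must not outlive its issuer.
        if (issuerCert.getNotAfter().after(orgCert.getNotAfter())) {
            reqModel.setNotAfter(orgCert.getNotAfter());
        } else {
            reqModel.setNotAfter(issuerCert.getNotAfter());
        }

        // Work on a private copy so the caller's list is not mutated.
        List<Extension> certExtensions = extensions == null
                ? new ArrayList<>() : new ArrayList<>(extensions);

        // Authority Key Identifier, bound to the issuer certificate.
        X509ExtensionUtils extUtil = CertUtils.getX509ExtensionUtils();
        AuthorityKeyIdentifier aki = extUtil.createAuthorityKeyIdentifier(issuerCert);
        certExtensions.add(new Extension(Extension.authorityKeyIdentifier, false, aki.getEncoded("DER")));

        // CRL Distribution Point: a single full-name URI, no reasons, no separate CRL issuer.
        GeneralName dpUri = new GeneralName(GeneralName.uniformResourceIdentifier, crlDpUrl);
        DistributionPoint dp = new DistributionPoint(
                new DistributionPointName(new GeneralNames(dpUri)), null, null);
        CRLDistPoint cdp = new CRLDistPoint(new DistributionPoint[] { dp });
        certExtensions.add(new Extension(Extension.cRLDistributionPoints, false, cdp.getEncoded("DER")));

        reqModel.setExtensionList(certExtensions);
        PrivateKey signingKey = (PrivateKey) key_store.getKey(ROOT, KS_PASSWORD);
        reqModel.setSigner(new JcaContentSignerBuilder(algorithm).build(signingKey));
        return new AaaCertificate(reqModel);
    } catch (Exception ex) {
        // Best-effort contract kept: callers expect null on failure. Log the exception itself
        // rather than getMessage(), which is null for many JCA/BouncyCastle exceptions.
        LOG.warning("Error creating the certificate: " + ex);
        return null;
    }
}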
From source file:se.tillvaxtverket.tsltrust.webservice.daemon.ca.CertificationAuthority.java
License:Open Source License
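/**
 * Builds and signs a fresh CRL listing every certificate the CA database marks as revoked,
 * persists it to {@code crlFile} and {@code exportCrlFile}, caches it in {@code latestCrl}
 * and increments the stored CRL serial.
 * <p>
 * CRL extensions written: authorityKeyIdentifier (non-critical), cRLNumber (non-critical,
 * taken from the {@code CRL_SERIAL_KEY} parameter) and issuingDistributionPoint (critical,
 * full-name URI {@code crlDpUrl}). No per-entry reason is read from {@code DbCert}, so every
 * entry carries {@code CRLReason.privilegeWithdrawn}.
 *
 * @return the new CRL, or {@code null} if the CRL serial parameter is missing or CRL
 *         generation/storage failed (the failure is logged)
 */
public X509CRLHolder revokeCertificates() {
    long thisUpdate = System.currentTimeMillis();
    long nextUpdate = thisUpdate + crlValPeriod;
    List<DbCert> revoked = CaSQLiteUtil.getCertificates(caDir, true);
    DbCAParam crlSerialParam = CaSQLiteUtil.getParameter(caDir, CRL_SERIAL_KEY);
    if (crlSerialParam == null) {
        return null;
    }
    long crlSerial = crlSerialParam.getIntValue();
    try {
        PrivateKey caKey = (PrivateKey) key_store.getKey(ROOT, KS_PASSWORD);
        AaaCRL crl = new AaaCRL(new Date(thisUpdate), new Date(nextUpdate), caRoot, caKey,
                CertFactory.SHA256WITHRSA, crlFile);

        List<Extension> crlExtensions = new ArrayList<>();
        // Authority Key Identifier of the CA root.
        X509ExtensionUtils extUtils = CertUtils.getX509ExtensionUtils();
        AuthorityKeyIdentifier aki = extUtils.createAuthorityKeyIdentifier(caRoot);
        crlExtensions.add(new Extension(Extension.authorityKeyIdentifier, false, aki.getEncoded("DER")));
        // CRL number: the persisted counter, bumped only after a successful update below.
        CRLNumber crlNumber = new CRLNumber(BigInteger.valueOf(crlSerial));
        crlExtensions.add(new Extension(Extension.cRLNumber, false, crlNumber.getEncoded("DER")));
        // Issuing Distribution Point (critical): full CRL, not restricted to users or CAs.
        GeneralNames dpName = new GeneralNames(
                new GeneralName(GeneralName.uniformResourceIdentifier, crlDpUrl));
        IssuingDistributionPoint idp =
                new IssuingDistributionPoint(new DistributionPointName(dpName), false, false);
        crlExtensions.add(new Extension(Extension.issuingDistributionPoint, true, idp.getEncoded("DER")));

        List<CRLEntryData> entries = new ArrayList<>();
        for (DbCert dbCert : revoked) {
            BigInteger serialNumber = dbCert.getCertificate().getSerialNumber();
            entries.add(new CRLEntryData(serialNumber, new Date(dbCert.getRevDate()),
                    CRLReason.privilegeWithdrawn));
        }
        crl.updateCrl(new Date(thisUpdate), new Date(nextUpdate), entries, crlExtensions);
        logRevocation(revoked);

        latestCrl = crl.getCrl();
        // NOTE(review): if storing the parameter or exporting the file fails below, the
        // serial is not persisted and the next CRL reuses the same cRLNumber.
        crlSerialParam.setIntValue(crlSerial + 1);
        CaSQLiteUtil.storeParameter(crlSerialParam, caDir);
        FileOps.saveByteFile(FileOps.readBinaryFile(crlFile), exportCrlFile);
        return latestCrl;
    } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException
            | CRLException | CertificateException | OperatorCreationException ex) {
        // Log the exception itself: getMessage() is often null for JCA/BouncyCastle failures.
        LOG.warning("Error generating the CRL: " + ex);
        return null;
    }
}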
From source file:support.revocation.RevocationInfo.java
License:Apache License
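/**
 * Creates a new <code>RevocationInfo</code> instance based on the given certificate.
 * <p>
 * For an X.509 certificate the following extensions are read: Authority Information Access
 * (OCSP responder URLs into {@code ocsp}), CRL Distribution Points (CRL URLs into
 * {@code crl}), Authority Key Identifier ({@code authorityKeyIdentifier},
 * {@code authoritySerial}) and Subject Key Identifier ({@code subjectKeyIdentifier}).
 * Distribution points that name a separate CRL issuer or restrict reasons are skipped.
 * Certificates of any other type leave every field at its default. Parsing is best-effort:
 * the certificate is untrusted input, so a malformed extension is reported and the
 * remaining fields are left at their defaults rather than failing construction.
 *
 * @param certificate the certificate to inspect
 */
public RevocationInfo(Certificate certificate) {
    if (!(certificate instanceof X509Certificate)) {
        return;
    }
    X509Certificate x509cert = (X509Certificate) certificate;
    try {
        // Authority Information Access: collect every OCSP responder URL.
        AuthorityInformationAccess info = AuthorityInformationAccess
                .getInstance(certificateExtension(x509cert, Extension.authorityInfoAccess.getId()));
        if (info != null) {
            for (AccessDescription desc : info.getAccessDescriptions()) {
                // Constant on the left: a missing accessMethod must not throw.
                if (AccessDescription.id_ad_ocsp.equals(desc.getAccessMethod())) {
                    String url = urlFromGeneralName(desc.getAccessLocation());
                    if (url != null) {
                        ocsp.add(url);
                    }
                }
            }
        }
        ocsp = Collections.unmodifiableList(ocsp);

        // CRL Distribution Points: only full CRLs issued by the certificate issuer itself.
        CRLDistPoint points = CRLDistPoint
                .getInstance(certificateExtension(x509cert, Extension.cRLDistributionPoints.getId()));
        if (points != null) {
            for (DistributionPoint point : points.getDistributionPoints()) {
                // no support for CRLs issued from another CA
                if (point.getCRLIssuer() != null) {
                    continue;
                }
                // no support for partial CRLs
                if (point.getReasons() != null) {
                    continue;
                }
                // distributionPoint is OPTIONAL in RFC 5280; a malformed point may carry
                // neither it nor a cRLIssuer, and getDistributionPoint() then returns null.
                if (point.getDistributionPoint() == null) {
                    continue;
                }
                // Only fullName points are usable; nameRelativeToCRLIssuer is not a GeneralNames.
                ASN1Encodable names = point.getDistributionPoint().getName();
                if (names instanceof GeneralNames) {
                    for (GeneralName name : ((GeneralNames) names).getNames()) {
                        String url = urlFromGeneralName(name);
                        if (url != null) {
                            crl.add(url);
                        }
                    }
                }
            }
        }
        crl = Collections.unmodifiableList(crl);

        // Authority Key Identifier: key id bytes and, when present, the issuer cert serial.
        AuthorityKeyIdentifier authorityKeyId = AuthorityKeyIdentifier
                .getInstance(certificateExtension(x509cert, Extension.authorityKeyIdentifier.getId()));
        if (authorityKeyId != null) {
            byte[] keyIdentifier = authorityKeyId.getKeyIdentifier();
            if (keyIdentifier != null) {
                authorityKeyIdentifier = toUnmodifiableByteList(keyIdentifier);
            }
            BigInteger serial = authorityKeyId.getAuthorityCertSerialNumber();
            if (serial != null) {
                authoritySerial = serial.toString();
            }
        }

        // Subject Key Identifier.
        SubjectKeyIdentifier subjectKeyId = SubjectKeyIdentifier
                .getInstance(certificateExtension(x509cert, Extension.subjectKeyIdentifier.getId()));
        if (subjectKeyId != null) {
            byte[] keyIdentifier = subjectKeyId.getKeyIdentifier();
            if (keyIdentifier != null) {
                subjectKeyIdentifier = toUnmodifiableByteList(keyIdentifier);
            }
        }
    } catch (ClassCastException | IllegalArgumentException e) {
        // Best-effort parsing of untrusted input: report and keep whatever was collected so far.
        e.printStackTrace();
    }
}

/**
 * Boxes a raw key identifier into an unmodifiable list, preserving byte order.
 *
 * @param bytes the DER key identifier octets (non-null)
 * @return an unmodifiable {@code List<Byte>} with one element per input byte
 */
private static List<Byte> toUnmodifiableByteList(byte[] bytes) {
    List<Byte> boxed = new ArrayList<>(bytes.length);
    for (byte value : bytes) {
        boxed.add(value);
    }
    return Collections.unmodifiableList(boxed);
}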
From source file:uk.ac.cam.gpe21.droidssl.mitm.crypto.cert.CertificateGenerator.java
License:Apache License
/**
 * Generates a leaf certificate for {@code cn} (plus any DNS {@code sans}), valid from one
 * hour ago until 24 hours from now, issued and signed by the configured CA.
 * <p>
 * Extensions written: subjectAlternativeName (only when {@code sans} is non-empty),
 * basicConstraints CA=false (critical), subjectKeyIdentifier, authorityKeyIdentifier,
 * keyUsage digitalSignature|keyEncipherment|keyAgreement (critical) and extendedKeyUsage
 * serverAuth. The signature algorithm is fixed to SHA1withRSA.
 *
 * @param cn   subject common name
 * @param sans DNS names for the subjectAlternativeName extension (must be non-null)
 * @return the signed certificate
 * @throws CertificateGenerationException if encoding or signing fails
 */
public X509CertificateHolder generate(String cn, String[] sans) {
    try {
        // TODO: temporary workaround as reusing serial numbers makes Firefox complain;
        // the intended `serial = serial.add(BigInteger.ONE)` is replaced by a
        // timestamp-derived serial for now.
        serial = new BigInteger(Long.toString(System.currentTimeMillis()));

        Calendar notBefore = new GregorianCalendar(UTC);
        notBefore.add(Calendar.HOUR, -1);
        Calendar notAfter = new GregorianCalendar(UTC);
        notAfter.add(Calendar.HOUR, 24);

        X500Name subject = new X500NameBuilder().addRDN(BCStyle.CN, cn).build();
        X509v3CertificateBuilder builder = new BcX509v3CertificateBuilder(ca.getCertificate(),
                serial, notBefore.getTime(), notAfter.getTime(), subject, keyPair.getPublic());

        if (sans.length > 0) {
            builder.addExtension(Extension.subjectAlternativeName, false, dnsNames(sans));
        }
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));

        BcX509ExtensionUtils utils = new BcX509ExtensionUtils();
        builder.addExtension(Extension.subjectKeyIdentifier, false,
                utils.createSubjectKeyIdentifier(keyPair.getPublic()));
        builder.addExtension(Extension.authorityKeyIdentifier, false,
                utils.createAuthorityKeyIdentifier(ca.getPublicKey()));

        int usage = KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.keyAgreement;
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(usage));
        builder.addExtension(Extension.extendedKeyUsage, false,
                new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_serverAuth }));

        AlgorithmIdentifier sigAlg = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA1withRSA");
        AlgorithmIdentifier digAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg);
        ContentSigner signer = new BcRSAContentSignerBuilder(sigAlg, digAlg).build(ca.getPrivateKey());
        return builder.build(signer);
    } catch (IOException | OperatorCreationException ex) {
        throw new CertificateGenerationException(ex);
    }
}

/**
 * Wraps each host name as a dNSName GeneralName, in the given order.
 *
 * @param hosts DNS names (non-null, non-empty)
 * @return the GeneralNames sequence for a subjectAlternativeName extension
 */
private static GeneralNames dnsNames(String[] hosts) {
    GeneralName[] names = new GeneralName[hosts.length];
    for (int i = 0; i < hosts.length; i++) {
        names[i] = new GeneralName(GeneralName.dNSName, hosts[i]);
    }
    return new GeneralNames(names);
}