List of usage examples for org.bouncycastle.asn1.x509 Extension authorityKeyIdentifier
ASN1ObjectIdentifier authorityKeyIdentifier
To view the source code for org.bouncycastle.asn1.x509 Extension authorityKeyIdentifier.
Click Source Link
From source file:com.spotify.sshtlsclient.X509CertificateFactory.java
License:Apache License
static Certificate get(final SshAgentContentSigner signer, final Identity identity, final String username) { final UUID uuid = new UUID(); final Calendar calendar = Calendar.getInstance(); final X500Name issuerDN = new X500Name("C=US,O=Spotify,CN=helios-client"); final X500Name subjectDN = new X500NameBuilder().addRDN(BCStyle.UID, username).build(); final SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo .getInstance(ASN1Sequence.getInstance(identity.getPublicKey().getEncoded())); calendar.add(Calendar.HOUR, -HOURS_BEFORE); final Date notBefore = calendar.getTime(); calendar.add(Calendar.HOUR, HOURS_BEFORE + HOURS_AFTER); final Date notAfter = calendar.getTime(); // Reuse the UUID time as a SN final BigInteger serialNumber = BigInteger.valueOf(uuid.getTime()).abs(); final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuerDN, serialNumber, notBefore, notAfter, subjectDN, subjectPublicKeyInfo); try {// www . j a va2s .co m final DigestCalculator digestCalculator = new BcDigestCalculatorProvider() .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); final X509ExtensionUtils utils = new X509ExtensionUtils(digestCalculator); builder.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(subjectPublicKeyInfo)); builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(subjectPublicKeyInfo)); builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); final X509CertificateHolder holder = builder.build(signer); return new Certificate(new org.bouncycastle.asn1.x509.Certificate[] { holder.toASN1Structure(), }); } catch (Exception e) { throw Throwables.propagate(e); } }
From source file:com.vmware.admiral.common.util.CertificateUtil.java
License:Open Source License
private static List<ExtensionHolder> getServerExtensions(X509Certificate issuerCertificate) throws CertificateEncodingException, NoSuchAlgorithmException, IOException { List<ExtensionHolder> extensions = new ArrayList<>(); // SSO forces us to allow data encipherment extensions.add(new ExtensionHolder(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment))); extensions.add(new ExtensionHolder(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth))); Extension authorityKeyExtension = new Extension(Extension.authorityKeyIdentifier, false, new DEROctetString(new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(issuerCertificate))); extensions.add(new ExtensionHolder(authorityKeyExtension.getExtnId(), authorityKeyExtension.isCritical(), authorityKeyExtension.getParsedValue())); return extensions; }
From source file:craterdog.security.RsaCertificateManager.java
License:Open Source License
@Override public X509Certificate createCertificateAuthority(PrivateKey privateKey, PublicKey publicKey, String subjectString, BigInteger serialNumber, long lifetime) { try {//www . ja v a2 s . c o m logger.entry(); logger.debug("Initializing the certificate generator..."); Date startDate = new Date(); Date expiryDate = new Date(startDate.getTime() + lifetime); X500Principal issuer = new X500Principal(subjectString); X500Principal subject = new X500Principal(subjectString); X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, serialNumber, startDate, expiryDate, subject, publicKey); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); builder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(publicKey)); builder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(0)); // adds CA:TRUE extension builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); ContentSigner signer = new JcaContentSignerBuilder(ASYMMETRIC_SIGNATURE_ALGORITHM) .setProvider(PROVIDER_NAME).build(privateKey); X509Certificate result = new JcaX509CertificateConverter().setProvider(PROVIDER_NAME) .getCertificate(builder.build(signer)); result.checkValidity(new Date()); result.verify(result.getPublicKey()); logger.exit(); return result; } catch (CertIOException | CertificateException | InvalidKeyException | OperatorCreationException | NoSuchProviderException | NoSuchAlgorithmException | SignatureException e) { RuntimeException exception = new RuntimeException( "An unexpected exception occurred while attempting to generate a new certificate authority.", e); throw logger.throwing(exception); } }
From source file:craterdog.security.RsaCertificateManager.java
License:Open Source License
@Override public X509Certificate createCertificate(PrivateKey caPrivateKey, X509Certificate caCertificate, PublicKey publicKey, String subjectString, BigInteger serialNumber, long lifetime) { try {//from ww w. j a va 2 s.co m logger.entry(); logger.debug("Initializing the certificate generator..."); Date startDate = new Date(); Date expiryDate = new Date(startDate.getTime() + lifetime); X509Certificate issuer = caCertificate; X500Principal subject = new X500Principal(subjectString); X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, serialNumber, startDate, expiryDate, subject, publicKey); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); builder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCertificate)); builder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); ContentSigner signer = new JcaContentSignerBuilder(ASYMMETRIC_SIGNATURE_ALGORITHM) .setProvider(PROVIDER_NAME).build(caPrivateKey); X509Certificate result = new JcaX509CertificateConverter().setProvider(PROVIDER_NAME) .getCertificate(builder.build(signer)); result.checkValidity(new Date()); result.verify(caCertificate.getPublicKey()); logger.exit(); return result; } catch (CertIOException | OperatorCreationException | CertificateException | NoSuchAlgorithmException | InvalidKeyException | NoSuchProviderException | SignatureException e) { RuntimeException exception = new RuntimeException( "An unexpected exception occurred while attempting to generate a new certificate.", e); throw logger.throwing(exception); } }
From source file:de.carne.certmgr.store.provider.bouncycastle.BouncyCastleStoreProvider.java
License:Open Source License
@Override public X509CRL generateAndSignCRL(X509CRL currentCRL, X509CRLParams crlParams, Map<BigInteger, RevokeReason> revokeSerials, KeyPair issuerKey, X509Certificate issuerCRT) throws IOException, GeneralSecurityException { Date lastUpdate = Date .from(crlParams.getLastUpdate().atStartOfDay().atZone(ZoneId.systemDefault()).toInstant()); JcaX509v2CRLBuilder crlBuilder = new JcaX509v2CRLBuilder(issuerCRT.getSubjectX500Principal(), lastUpdate); LocalDate nextUpdateParam = crlParams.getNextUpdate(); if (nextUpdateParam != null) { crlBuilder.setNextUpdate(/* w w w . j a va 2 s. co m*/ Date.from(nextUpdateParam.atStartOfDay().atZone(ZoneId.systemDefault()).toInstant())); } CRLNumber crlNumber; if (currentCRL != null) { X509CRLHolder crlHolder = new X509CRLHolder(currentCRL.getEncoded()); ASN1Integer currentSerial = (ASN1Integer) crlHolder.getExtension(Extension.cRLNumber).getParsedValue(); crlNumber = new CRLNumber(currentSerial.getValue().add(BigInteger.ONE)); } else { crlNumber = new CRLNumber(BigInteger.ONE); } for (Map.Entry<BigInteger, RevokeReason> revokeListEntry : revokeSerials.entrySet()) { crlBuilder.addCRLEntry(revokeListEntry.getKey(), lastUpdate, revokeListEntry.getValue().value()); } JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils(); crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(issuerCRT.getPublicKey())); crlBuilder.addExtension(Extension.cRLNumber, false, crlNumber); ContentSigner crlSigner; try { crlSigner = new JcaContentSignerBuilder(crlParams.getSigAlg()).build(issuerKey.getPrivate()); } catch (OperatorCreationException e) { throw new StoreProviderException(e.getMessage(), e); } return new JcaX509CRLConverter().getCRL(crlBuilder.build(crlSigner)); }
From source file:de.carne.certmgr.store.provider.bouncycastle.BouncyCastleStoreProvider.java
License:Open Source License
private void addKeyIdentifierExtensions(X509v3CertificateBuilder crtBuilder, PublicKey publicKey, PublicKey issuerPublicKey) throws IOException, GeneralSecurityException { JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils(); crtBuilder.addExtension(Extension.subjectKeyIdentifier, false, extensionUtils.createSubjectKeyIdentifier(publicKey)); if (!publicKey.equals(issuerPublicKey)) { crtBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(issuerPublicKey)); }/*from w w w .j a va 2s. com*/ }
From source file:de.petendi.commons.crypto.connector.BCConnector.java
License:Apache License
@Override public X509Certificate createCertificate(String dn, String issuer, String crlUri, PublicKey publicKey, PrivateKey privateKey) throws CryptoException { Calendar date = Calendar.getInstance(); // Serial Number BigInteger serialNumber = BigInteger.valueOf(date.getTimeInMillis()); // Subject and Issuer DN X500Name subjectDN = new X500Name(dn); X500Name issuerDN = new X500Name(issuer); // Validity/*from w ww .ja v a 2 s . co m*/ Date notBefore = date.getTime(); date.add(Calendar.YEAR, 20); Date notAfter = date.getTime(); // SubjectPublicKeyInfo SubjectPublicKeyInfo subjPubKeyInfo = new SubjectPublicKeyInfo( ASN1Sequence.getInstance(publicKey.getEncoded())); X509v3CertificateBuilder certGen = new X509v3CertificateBuilder(issuerDN, serialNumber, notBefore, notAfter, subjectDN, subjPubKeyInfo); DigestCalculator digCalc = null; try { digCalc = new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); X509ExtensionUtils x509ExtensionUtils = new X509ExtensionUtils(digCalc); // Subject Key Identifier certGen.addExtension(Extension.subjectKeyIdentifier, false, x509ExtensionUtils.createSubjectKeyIdentifier(subjPubKeyInfo)); // Authority Key Identifier certGen.addExtension(Extension.authorityKeyIdentifier, false, x509ExtensionUtils.createAuthorityKeyIdentifier(subjPubKeyInfo)); // Key Usage certGen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.dataEncipherment)); if (crlUri != null) { // CRL Distribution Points DistributionPointName distPointOne = new DistributionPointName( new GeneralNames(new GeneralName(GeneralName.uniformResourceIdentifier, crlUri))); DistributionPoint[] distPoints = new DistributionPoint[1]; distPoints[0] = new DistributionPoint(distPointOne, null, null); certGen.addExtension(Extension.cRLDistributionPoints, false, new CRLDistPoint(distPoints)); } // Content Signer ContentSigner sigGen = new JcaContentSignerBuilder(getSignAlgorithm()).setProvider(getProviderName()) .build(privateKey); // Certificate return new JcaX509CertificateConverter().setProvider(getProviderName()) .getCertificate(certGen.build(sigGen)); } catch (Exception e) { throw new CryptoException(e); } }
From source file:eu.betaas.taas.securitymanager.common.certificate.utils.GWCertificateUtilsBc.java
License:Apache License
/** * /* ww w. j av a 2 s . c o m*/ * @param intKey * @param caKey * @param caCert * @return * @throws Exception */ public static X509CertificateHolder buildIntermediateCert(X500Name subject, AsymmetricKeyParameter intKey, AsymmetricKeyParameter caKey, X509CertificateHolder caCert) throws Exception { SubjectPublicKeyInfo intKeyInfo = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(intKey); if (subject == null) subject = new X500Name("CN = BETaaS Instance CA Certificate"); X509v3CertificateBuilder certBldr = new X509v3CertificateBuilder(caCert.getSubject(), BigInteger.valueOf(1), new Date(System.currentTimeMillis()), new Date(System.currentTimeMillis() + VALIDITY_PERIOD), subject, intKeyInfo); X509ExtensionUtils extUtils = new X509ExtensionUtils(new SHA1DigestCalculator()); certBldr.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert)) .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(intKeyInfo)) .addExtension(Extension.basicConstraints, true, new BasicConstraints(0)) .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); AlgorithmIdentifier sigAlg = algFinder.find(ALG_NAME); AlgorithmIdentifier digAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg); ContentSigner signer = new BcECDSAContentSignerBuilder(sigAlg, digAlg).build(caKey); return certBldr.build(signer); }
From source file:eu.betaas.taas.securitymanager.common.certificate.utils.GWCertificateUtilsBc.java
License:Apache License
/** * /*from w w w. ja v a2s. c om*/ * @param entityKey - public key of the requesting GW * @param caKey * @param caCert * @return * @throws Exception */ public static X509CertificateHolder buildEndEntityCert(X500Name subject, AsymmetricKeyParameter entityKey, AsymmetricKeyParameter caKey, X509CertificateHolder caCert, String ufn) throws Exception { SubjectPublicKeyInfo entityKeyInfo = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(entityKey); if (subject == null) subject = new X500Name("CN = BETaaS Gateway Certificate"); X509v3CertificateBuilder certBldr = new X509v3CertificateBuilder(caCert.getSubject(), BigInteger.valueOf(1), new Date(System.currentTimeMillis()), new Date(System.currentTimeMillis() + VALIDITY_PERIOD), subject, entityKeyInfo); X509ExtensionUtils extUtils = new X509ExtensionUtils(new SHA1DigestCalculator()); certBldr.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert)) .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(entityKeyInfo)) .addExtension(Extension.basicConstraints, true, new BasicConstraints(false)) .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)) .addExtension(Extension.subjectAlternativeName, false, new GeneralNames(new GeneralName(GeneralName.rfc822Name, ufn))); AlgorithmIdentifier sigAlg = algFinder.find(ALG_NAME); AlgorithmIdentifier digAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg); ContentSigner signer = new BcECDSAContentSignerBuilder(sigAlg, digAlg).build(caKey); return certBldr.build(signer); }
From source file:eu.europa.esig.dss.test.gen.CRLGenerator.java
License:Open Source License
public X509CRL generateCRL(X509Certificate certToRevoke, MockPrivateKeyEntry issuerEntry, Date dateOfRevoke, int reason) throws Exception { Date now = new Date(); X500Name x500nameIssuer = new JcaX509CertificateHolder(issuerEntry.getCertificate().getCertificate()) .getSubject();/* w ww. j a v a 2 s . com*/ X509v2CRLBuilder crlGen = new X509v2CRLBuilder(x500nameIssuer, now); crlGen.setNextUpdate(new Date(now.getTime() + (60 * 60 * 1000))); crlGen.addCRLEntry(certToRevoke.getSerialNumber(), dateOfRevoke, reason); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); crlGen.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(issuerEntry.getCertificate().getPublicKey())); X509CRLHolder crlHolder = crlGen .build(new JcaContentSignerBuilder(issuerEntry.getCertificate().getCertificate().getSigAlgName()) .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(issuerEntry.getPrivateKey())); JcaX509CRLConverter converter = new JcaX509CRLConverter(); return converter.getCRL(crlHolder); }