List of usage examples for org.bouncycastle.asn1.x509 Extension authorityKeyIdentifier
ASN1ObjectIdentifier authorityKeyIdentifier
To view the source code for org.bouncycastle.asn1.x509 Extension authorityKeyIdentifier.
Click Source Link
From source file:org.kse.gui.KeyStoreTableModel.java
License:Open Source License
private String getCertificateAKI(String alias, KeyStore keyStore) throws CryptoException, KeyStoreException { X509Certificate x509Cert = getCertificate(alias, keyStore); try {/*from w ww. j a v a 2s . c o m*/ byte[] akiValue = x509Cert.getExtensionValue(Extension.authorityKeyIdentifier.getId()); byte[] octets = DEROctetString.getInstance(akiValue).getOctets(); byte[] akiBytes = AuthorityKeyIdentifier.getInstance(octets).getKeyIdentifier(); return HexUtil.getHexString(akiBytes); } catch (Exception e) { return "-"; } }
From source file:org.opcfoundation.ua.transport.security.BcCertificateProvider.java
License:Open Source License
/** * Generates a new certificate using the Bouncy Castle implementation. * <p>//from www . ja va 2 s . co m * The method is used from * {@link CertificateUtils#createApplicationInstanceCertificate(String, String, String, int, String...)} * and * {@link CertificateUtils#renewApplicationInstanceCertificate(String, String, String, int, org.opcfoundation.ua.transport.security.KeyPair, String...)} * * @param domainName * the X500 domain name for the certificate * @param publicKey * the public key of the cert * @param privateKey * the private key of the cert * @param issuerKeys * the certificate and private key of the issuer * @param from * validity start time * @param to * validity end time * @param serialNumber * a unique serial number for the certificate * @param applicationUri * the OPC UA ApplicationUri of the application - added to * SubjectAlternativeName * @param hostNames * the additional host names to add to SubjectAlternativeName * @return the generated certificate * @throws GeneralSecurityException * if the generation fails * @throws IOException * if the generation fails due to an IO exception */ @Override public X509Certificate generateCertificate(String domainName, PublicKey publicKey, PrivateKey privateKey, KeyPair issuerKeys, Date from, Date to, BigInteger serial, String applicationUri, String... hostNames) throws IOException, GeneralSecurityException { JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); X509v3CertificateBuilder certBldr; AuthorityKeyIdentifier authorityKeyIdentifier; PrivateKey signerKey; if (issuerKeys == null) { X500Name dn = new X500Name(domainName); certBldr = new JcaX509v3CertificateBuilder(dn, serial, from, to, dn, publicKey); authorityKeyIdentifier = extUtils.createAuthorityKeyIdentifier(publicKey); signerKey = privateKey; } else { X509Certificate caCert = issuerKeys.getCertificate().getCertificate(); certBldr = new JcaX509v3CertificateBuilder(caCert, serial, from, to, new X500Principal(domainName), publicKey); authorityKeyIdentifier = extUtils.createAuthorityKeyIdentifier(caCert); signerKey = issuerKeys.getPrivateKey().getPrivateKey(); } certBldr.addExtension(Extension.authorityKeyIdentifier, false, authorityKeyIdentifier) .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey)) .addExtension(Extension.basicConstraints, false, new BasicConstraints(false)).addExtension( Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation | KeyUsage.dataEncipherment | KeyUsage.keyCertSign)); // BC 1.49: certBldr.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage( new KeyPurposeId[] { KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth })); // create the extension value // URI Name List<GeneralName> names = new ArrayList<GeneralName>(); names.add(new GeneralName(GeneralName.uniformResourceIdentifier, applicationUri)); // Add DNS name from ApplicationUri boolean hasDNSName = false; String uriHostName = null; try { String[] appUriParts = applicationUri.split("[:/]"); if (appUriParts.length > 1) { uriHostName = appUriParts[1]; if (!uriHostName.toLowerCase().equals("localhost")) { GeneralName dnsName = new GeneralName(GeneralName.dNSName, uriHostName); names.add(dnsName); hasDNSName = true; } } } catch (Exception e) { logger.warn("Cannot initialize DNS Name to Certificate from ApplicationUri {}", applicationUri); } // Add other DNS Names List<GeneralName> ipAddressNames = new ArrayList<GeneralName>(); if (hostNames != null) for (String hostName : hostNames) { boolean isIpAddress = hostName.matches("^[0-9.]+$"); if (!hostName.equals(uriHostName) && !hostName.toLowerCase().equals("localhost")) { GeneralName dnsName = new GeneralName( hostName.matches("^[0-9.]+$") ? GeneralName.iPAddress : GeneralName.dNSName, hostName); if (isIpAddress) ipAddressNames.add(dnsName); else { names.add(dnsName); hasDNSName = true; } } } // Add IP Addresses, if no host names are defined if (!hasDNSName) for (GeneralName n : ipAddressNames) names.add(n); final GeneralNames subjectAltNames = new GeneralNames(names.toArray(new GeneralName[0])); certBldr.addExtension(Extension.subjectAlternativeName, false, subjectAltNames); // ***** generate certificate ***********/ try { ContentSigner signer = new JcaContentSignerBuilder(CertificateUtils.getCertificateSignatureAlgorithm()) .setProvider("BC").build(signerKey); return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certBldr.build(signer)); } catch (OperatorCreationException e) { throw new GeneralSecurityException(e); } }
From source file:org.opcfoundation.ua.transport.security.BcCertificateProvider.java
License:Open Source License
/** * Build a X509 V3 certificate to use as an issuer (CA) certificate. The * certificate does not define OPC UA specific fields, so it cannot be used * for an application instance certificate. * /* www .j a v a 2 s. c o m*/ * @param publicKey * the public key to use for the certificate * @param privateKey * the private key corresponding to the publicKey * @param issuerKeys * the certificate and private key of the certificate issuer: if * null a self-signed certificate is created. * @param commonName * the CommonName to use for the subject of the certificate. * @param serialNr * @param startDate * @param expiryDate * @throws OperatorCreationException */ @Override public X509Certificate generateIssuerCert(PublicKey publicKey, PrivateKey privateKey, KeyPair issuerKeys, String commonName, BigInteger serialNr, Date startDate, Date expiryDate) throws GeneralSecurityException, IOException { JcaX509v3CertificateBuilder certBldr; JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); AuthorityKeyIdentifier authorityKeyIdentifier; if (issuerKeys == null) { X500Name dn = new X500Name(commonName); certBldr = new JcaX509v3CertificateBuilder(dn, serialNr, startDate, expiryDate, dn, publicKey); authorityKeyIdentifier = extUtils.createAuthorityKeyIdentifier(publicKey); } else { X509Certificate caCert = issuerKeys.getCertificate().getCertificate(); certBldr = new JcaX509v3CertificateBuilder(caCert, serialNr, startDate, expiryDate, new X500Principal(commonName), publicKey); authorityKeyIdentifier = extUtils.createAuthorityKeyIdentifier(caCert); } certBldr.addExtension(Extension.authorityKeyIdentifier, false, authorityKeyIdentifier) .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey)) .addExtension(Extension.basicConstraints, true, new BasicConstraints(0)) .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); ContentSigner signer; try { signer = new JcaContentSignerBuilder(CertificateUtils.getCertificateSignatureAlgorithm()) .setProvider("BC").build(privateKey); } catch (OperatorCreationException e) { throw new GeneralSecurityException("Failed to sign the certificate", e); } return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certBldr.build(signer)); }
From source file:org.opcfoundation.ua.utils.BouncyCastleUtils.java
License:Open Source License
/** * Build a X509 V3 certificate to use as an issuer (CA) certificate. The * certificate does not define OPC UA specific fields, so it cannot be used * for an application instance certificate. * /*from w w w.j a v a 2 s . c om*/ * @param publicKey * the public key to use for the certificate * @param privateKey * the private key corresponding to the publicKey * @param issuerKeys * the certificate and private key of the certificate issuer: if * null a self-signed certificate is created. * @param commonName * the CommonName to use for the subject of the certificate. * @param serialNr * @param startDate * @param expiryDate * @throws OperatorCreationException */ public static X509Certificate generateIssuerCert(PublicKey publicKey, PrivateKey privateKey, KeyPair issuerKeys, String commonName, BigInteger serialNr, Date startDate, Date expiryDate) throws GeneralSecurityException, IOException { JcaX509v3CertificateBuilder certBldr; JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); AuthorityKeyIdentifier authorityKeyIdentifier; if (issuerKeys == null) { X500Name dn = new X500Name(commonName); certBldr = new JcaX509v3CertificateBuilder(dn, serialNr, startDate, expiryDate, dn, publicKey); authorityKeyIdentifier = extUtils.createAuthorityKeyIdentifier(publicKey); } else { X509Certificate caCert = issuerKeys.getCertificate().getCertificate(); certBldr = new JcaX509v3CertificateBuilder(caCert, serialNr, startDate, expiryDate, new X500Principal(commonName), publicKey); authorityKeyIdentifier = extUtils.createAuthorityKeyIdentifier(caCert); } certBldr.addExtension(Extension.authorityKeyIdentifier, false, authorityKeyIdentifier) .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey)) .addExtension(Extension.basicConstraints, true, new BasicConstraints(0)) .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); ContentSigner signer; try { signer = new JcaContentSignerBuilder(CertificateUtils.getCertificateSignatureAlgorithm()) .setProvider("BC").build(privateKey); } catch (OperatorCreationException e) { throw new GeneralSecurityException("Failed to sign the certificate", e); } return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certBldr.build(signer)); }
From source file:org.opcfoundation.ua.utils.BouncyCastleUtils.java
License:Open Source License
/** * Generates a new certificate using the Bouncy Castle implementation. * <p>// w w w . j a v a 2s. c o m * The method is used from * {@link CertificateUtils#createApplicationInstanceCertificate(String, String, String, int, String...)} * and * {@link CertificateUtils#renewApplicationInstanceCertificate(String, String, String, int, org.opcfoundation.ua.transport.security.KeyPair, String...)} * * @param domainName * the X500 domain name for the certificate * @param publicKey * the public key of the cert * @param privateKey * the private key of the cert * @param issuerKeys * the certificate and private key of the issuer * @param from * validity start time * @param to * validity end time * @param serialNumber * a unique serial number for the certificate * @param applicationUri * the OPC UA ApplicationUri of the application - added to * SubjectAlternativeName * @param hostNames * the additional host names to ass to SubjectAlternativeName * @return the generated certificate * @throws GeneralSecurityException * if the generation fails * @throws IOException * if the generation fails due to an IO exception */ public static X509Certificate generateCertificate(String domainName, PublicKey publicKey, PrivateKey privateKey, KeyPair issuerKeys, Date from, Date to, BigInteger serial, String applicationUri, String... hostNames) throws IOException, GeneralSecurityException { JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); X509v3CertificateBuilder certBldr; AuthorityKeyIdentifier authorityKeyIdentifier; PrivateKey signerKey; if (issuerKeys == null) { X500Name dn = new X500Name(domainName); certBldr = new JcaX509v3CertificateBuilder(dn, serial, from, to, dn, publicKey); authorityKeyIdentifier = extUtils.createAuthorityKeyIdentifier(publicKey); signerKey = privateKey; } else { X509Certificate caCert = issuerKeys.getCertificate().getCertificate(); certBldr = new JcaX509v3CertificateBuilder(caCert, serial, from, to, new X500Principal(domainName), publicKey); authorityKeyIdentifier = extUtils.createAuthorityKeyIdentifier(caCert); signerKey = issuerKeys.getPrivateKey().getPrivateKey(); } certBldr.addExtension(Extension.authorityKeyIdentifier, false, authorityKeyIdentifier) .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey)) .addExtension(Extension.basicConstraints, false, new BasicConstraints(false)).addExtension( Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.nonRepudiation | KeyUsage.dataEncipherment | KeyUsage.keyCertSign)); certBldr.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage( new KeyPurposeId[] { KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth })); // Vector<KeyPurposeId> extendedKeyUsages = new Vector<KeyPurposeId>(); // extendedKeyUsages.add(KeyPurposeId.id_kp_serverAuth); // extendedKeyUsages.add(KeyPurposeId.id_kp_clientAuth); // certBldr.addExtension(Extension.extendedKeyUsage, false, // new ExtendedKeyUsage(extendedKeyUsages)); // BC 1.49: // certBldr.addExtension(X509Extension.extendedKeyUsage, false, // new ExtendedKeyUsage(new KeyPurposeId[] { // KeyPurposeId.id_kp_serverAuth, // KeyPurposeId.id_kp_clientAuth })); // create the extension value // URI Name List<GeneralName> names = new ArrayList<GeneralName>(); names.add(new GeneralName(GeneralName.uniformResourceIdentifier, applicationUri)); // Add DNS name from ApplicationUri boolean hasDNSName = false; String uriHostName = null; try { String[] appUriParts = applicationUri.split("[:/]"); if (appUriParts.length > 1) { uriHostName = appUriParts[1]; if (!uriHostName.toLowerCase().equals("localhost")) { GeneralName dnsName = new GeneralName(GeneralName.dNSName, uriHostName); names.add(dnsName); hasDNSName = true; } } } catch (Exception e) { logger.warn("Cannot initialize DNS Name to Certificate from ApplicationUri {}", applicationUri); } // Add other DNS Names List<GeneralName> ipAddressNames = new ArrayList<GeneralName>(); if (hostNames != null) for (String hostName : hostNames) { boolean isIpAddress = hostName.matches("^[0-9.]+$"); if (!hostName.equals(uriHostName) && !hostName.toLowerCase().equals("localhost")) { GeneralName dnsName = new GeneralName( hostName.matches("^[0-9.]+$") ? GeneralName.iPAddress : GeneralName.dNSName, hostName); if (isIpAddress) ipAddressNames.add(dnsName); else { names.add(dnsName); hasDNSName = true; } } } // Add IP Addresses, if no host names are defined if (!hasDNSName) for (GeneralName n : ipAddressNames) names.add(n); final GeneralNames subjectAltNames = new GeneralNames(names.toArray(new GeneralName[0])); certBldr.addExtension(Extension.subjectAlternativeName, false, subjectAltNames); //***** generate certificate ***********/ try { ContentSigner signer = new JcaContentSignerBuilder(CertificateUtils.getCertificateSignatureAlgorithm()) .setProvider("BC").build(signerKey); return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certBldr.build(signer)); } catch (OperatorCreationException e) { throw new GeneralSecurityException(e); } }
From source file:org.openfact.common.util.CertificateUtils.java
License:Apache License
/** * Generates version 3 {@link X509Certificate}. * * @param keyPair the key pair/*from w ww.j a va2 s.co m*/ * @param caPrivateKey the CA private key * @param caCert the CA certificate * @param subject the subject name * * @return the x509 certificate * * @throws Exception the exception */ public static X509Certificate generateV3Certificate(KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert, String subject) throws Exception { try { X500Name subjectDN = new X500Name("CN=" + subject); // Serial Number SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); BigInteger serialNumber = BigInteger.valueOf(Math.abs(random.nextInt())); // Validity Date notBefore = new Date(System.currentTimeMillis()); Date notAfter = new Date(System.currentTimeMillis() + (((1000L * 60 * 60 * 24 * 30)) * 12) * 3); // SubjectPublicKeyInfo SubjectPublicKeyInfo subjPubKeyInfo = new SubjectPublicKeyInfo( ASN1Sequence.getInstance(keyPair.getPublic().getEncoded())); X509v3CertificateBuilder certGen = new X509v3CertificateBuilder( new X500Name(caCert.getSubjectDN().getName()), serialNumber, notBefore, notAfter, subjectDN, subjPubKeyInfo); DigestCalculator digCalc = new BcDigestCalculatorProvider() .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); X509ExtensionUtils x509ExtensionUtils = new X509ExtensionUtils(digCalc); // Subject Key Identifier certGen.addExtension(Extension.subjectKeyIdentifier, false, x509ExtensionUtils.createSubjectKeyIdentifier(subjPubKeyInfo)); // Authority Key Identifier certGen.addExtension(Extension.authorityKeyIdentifier, false, x509ExtensionUtils.createAuthorityKeyIdentifier(subjPubKeyInfo)); // Key Usage certGen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); // Extended Key Usage KeyPurposeId[] EKU = new KeyPurposeId[2]; EKU[0] = KeyPurposeId.id_kp_emailProtection; EKU[1] = KeyPurposeId.id_kp_serverAuth; certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(EKU)); // Basic Constraints certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0)); // Content Signer ContentSigner sigGen = new JcaContentSignerBuilder("SHA1WithRSAEncryption").setProvider("BC") .build(caPrivateKey); // Certificate return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certGen.build(sigGen)); } catch (Exception e) { throw new RuntimeException("Error creating X509v3Certificate.", e); } }
From source file:org.picketlink.pki.internal.util.X509Util.java
License:Open Source License
/** * Generate version 3 {@link java.security.cert.X509Certificate}. * * @param rootCertificate the root certificate * @param issuerKeyPair the issuer key pair * @param subjectDN the subject dn/*from www.j a va 2s . c o m*/ * @param subjectKeyPair the subject key pair * @param certificateConfig the certificate config * * @return the x509 certificate */ public static X509Certificate generateV3Certificate(X509Certificate rootCertificate, KeyPair issuerKeyPair, X500Name subjectDN, KeyPair subjectKeyPair, CertificateAuthorityConfig certificateConfig) { try { // Serial Number SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); BigInteger serialNumber = BigInteger.valueOf(Math.abs(random.nextInt())); // Validity Date notBefore = new Date(System.currentTimeMillis()); Date notAfter = new Date(System.currentTimeMillis() + (((1000L * 60 * 60 * 24 * 30)) * 12) * 3); // SubjectPublicKeyInfo SubjectPublicKeyInfo subjPubKeyInfo = new SubjectPublicKeyInfo( ASN1Sequence.getInstance(subjectKeyPair.getPublic().getEncoded())); X509v3CertificateBuilder certGen = new X509v3CertificateBuilder( new X500Name(rootCertificate.getSubjectDN().getName()), serialNumber, notBefore, notAfter, subjectDN, subjPubKeyInfo); DigestCalculator digCalc = new BcDigestCalculatorProvider() .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); X509ExtensionUtils x509ExtensionUtils = new X509ExtensionUtils(digCalc); // Subject Key Identifier certGen.addExtension(Extension.subjectKeyIdentifier, false, x509ExtensionUtils.createSubjectKeyIdentifier(subjPubKeyInfo)); // Authority Key Identifier certGen.addExtension(Extension.authorityKeyIdentifier, false, x509ExtensionUtils.createAuthorityKeyIdentifier(subjPubKeyInfo)); // Key Usage certGen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); // Extended Key Usage KeyPurposeId[] EKU = new KeyPurposeId[2]; EKU[0] = KeyPurposeId.id_kp_emailProtection; EKU[1] = KeyPurposeId.id_kp_serverAuth; certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(EKU)); // Basic Constraints certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0)); // Certificate Policies /* PolicyInformation[] certPolicies = new PolicyInformation[2]; certPolicies[0] = new PolicyInformation(new ASN1ObjectIdentifier("2.16.840.1.101.2.1.11.5")); certPolicies[1] = new PolicyInformation(new ASN1ObjectIdentifier("2.16.840.1.101.2.1.11.18")); certGen.addExtension(Extension.certificatePolicies, false, new CertificatePolicies(certPolicies)); // Authority Information Access AccessDescription caIssuers = new AccessDescription(AccessDescription.id_ad_caIssuers, new GeneralName( GeneralName.uniformResourceIdentifier, new DERIA5String("http://www.somewebsite.com/ca.cer"))); AccessDescription ocsp = new AccessDescription(AccessDescription.id_ad_ocsp, new GeneralName( GeneralName.uniformResourceIdentifier, new DERIA5String("http://ocsp.somewebsite.com"))); ASN1EncodableVector aia_ASN = new ASN1EncodableVector(); aia_ASN.add(caIssuers); aia_ASN.add(ocsp); certGen.addExtension(Extension.authorityInfoAccess, false, new DERSequence(aia_ASN)); // CRL Distribution Points DistributionPointName distPointOne = new DistributionPointName(new GeneralNames(new GeneralName( GeneralName.uniformResourceIdentifier, "http://crl.somewebsite.com/master.crl"))); DistributionPointName distPointTwo = new DistributionPointName( new GeneralNames( new GeneralName(GeneralName.uniformResourceIdentifier, "ldap://crl.somewebsite.com/cn%3dSecureCA%2cou%3dPKI%2co%3dCyberdyne%2cc%3dUS?certificaterevocationlist;binary"))); DistributionPoint[] distPoints = new DistributionPoint[2]; distPoints[0] = new DistributionPoint(distPointOne, null, null); distPoints[1] = new DistributionPoint(distPointTwo, null, null); certGen.addExtension(Extension.cRLDistributionPoints, false, new CRLDistPoint(distPoints));*/ // Content Signer ContentSigner sigGen = new JcaContentSignerBuilder("SHA1WithRSAEncryption").setProvider("BC") .build(issuerKeyPair.getPrivate()); // Certificate return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certGen.build(sigGen)); } catch (Exception e) { throw new RuntimeException("Error creating X509v3Certificate.", e); } }
From source file:org.tdmx.client.crypto.certificate.CredentialUtils.java
License:Open Source License
/** * Create the credentials of a ZoneAdministrator. * //from ww w . j av a 2 s . c om * The ZoneAdministrator credentials are long validity. * * @param req * @return * @throws CryptoCertificateException */ public static PKIXCredential createZoneAdministratorCredential(ZoneAdministrationCredentialSpecifier req) throws CryptoCertificateException { KeyPair kp = null; try { kp = req.getKeyAlgorithm().generateNewKeyPair(); } catch (CryptoException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_KEYPAIR_GENERATION, e); } PublicKey publicKey = kp.getPublic(); PrivateKey privateKey = kp.getPrivate(); X500NameBuilder subjectBuilder = new X500NameBuilder(); if (StringUtils.hasText(req.getCountry())) { subjectBuilder.addRDN(BCStyle.C, req.getCountry()); } if (StringUtils.hasText(req.getLocation())) { subjectBuilder.addRDN(BCStyle.L, req.getLocation()); } if (StringUtils.hasText(req.getOrg())) { subjectBuilder.addRDN(BCStyle.O, req.getOrg()); } if (StringUtils.hasText(req.getOrgUnit())) { if (TDMX_DOMAIN_CA_OU.equals(req.getOrgUnit())) { throw new CryptoCertificateException(CertificateResultCode.ERROR_INVALID_OU); } subjectBuilder.addRDN(BCStyle.OU, req.getOrgUnit()); } if (StringUtils.hasText(req.getEmailAddress())) { subjectBuilder.addRDN(BCStyle.E, req.getEmailAddress()); } if (StringUtils.hasText(req.getTelephoneNumber())) { subjectBuilder.addRDN(BCStyle.TELEPHONE_NUMBER, req.getTelephoneNumber()); } if (StringUtils.hasText(req.getCn())) { subjectBuilder.addRDN(BCStyle.CN, req.getCn()); } X500Name subject = subjectBuilder.build(); X500Name issuer = subject; JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuer, new BigInteger("1"), req.getNotBefore().getTime(), req.getNotAfter().getTime(), subject, publicKey); try { BasicConstraints cA = new BasicConstraints(1); certBuilder.addExtension(Extension.basicConstraints, true, cA); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(publicKey)); certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey)); KeyUsage ku = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign); certBuilder.addExtension(Extension.keyUsage, false, ku); // RFC5280 http://tools.ietf.org/html/rfc5280#section-4.2.1.10 // The CA has a CN which is not part of the name constraint - but we can constrain // any domain certificate issued to be limited to some OU under the O. X500NameBuilder subjectConstraintBuilder = new X500NameBuilder(); if (StringUtils.hasText(req.getCountry())) { subjectConstraintBuilder.addRDN(BCStyle.C, req.getCountry()); } if (StringUtils.hasText(req.getLocation())) { subjectConstraintBuilder.addRDN(BCStyle.L, req.getLocation()); } if (StringUtils.hasText(req.getOrg())) { subjectConstraintBuilder.addRDN(BCStyle.O, req.getOrg()); } if (StringUtils.hasText(req.getOrgUnit())) { subjectConstraintBuilder.addRDN(BCStyle.OU, req.getOrgUnit()); } subjectConstraintBuilder.addRDN(BCStyle.OU, TDMX_DOMAIN_CA_OU); X500Name nameConstraint = subjectConstraintBuilder.build(); GeneralName snc = new GeneralName(GeneralName.directoryName, nameConstraint); GeneralSubtree snSubtree = new GeneralSubtree(snc, new BigInteger("0"), null); NameConstraints nc = new NameConstraints(new GeneralSubtree[] { snSubtree }, null); certBuilder.addExtension(Extension.nameConstraints, true, nc); certBuilder.addExtension(TdmxZoneInfo.tdmxZoneInfo, false, req.getZoneInfo()); ContentSigner signer = SignatureAlgorithm.getContentSigner(privateKey, req.getSignatureAlgorithm()); byte[] certBytes = certBuilder.build(signer).getEncoded(); PKIXCertificate c = CertificateIOUtils.decodeX509(certBytes); return new PKIXCredential(c, privateKey); } catch (CertIOException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } catch (NoSuchAlgorithmException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } catch (IOException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } }
From source file:org.tdmx.client.crypto.certificate.CredentialUtils.java
License:Open Source License
/** * Create the credentials of a DomainAdministrator. * //w w w. j a va2 s.c om * @param req * @return * @throws CryptoCertificateException */ public static PKIXCredential createDomainAdministratorCredential(DomainAdministrationCredentialSpecifier req) throws CryptoCertificateException { KeyPair kp = null; try { kp = req.getKeyAlgorithm().generateNewKeyPair(); } catch (CryptoException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_KEYPAIR_GENERATION, e); } PublicKey publicKey = kp.getPublic(); PrivateKey privateKey = kp.getPrivate(); PKIXCredential issuerCredential = req.getZoneAdministratorCredential(); PKIXCertificate issuerPublicCert = issuerCredential.getPublicCert(); PublicKey issuerPublicKey = issuerPublicCert.getCertificate().getPublicKey(); PrivateKey issuerPrivateKey = issuerCredential.getPrivateKey(); X500NameBuilder subjectBuilder = new X500NameBuilder(); if (StringUtils.hasText(issuerPublicCert.getCountry())) { subjectBuilder.addRDN(BCStyle.C, issuerPublicCert.getCountry()); } if (StringUtils.hasText(issuerPublicCert.getLocation())) { subjectBuilder.addRDN(BCStyle.L, issuerPublicCert.getLocation()); } if (StringUtils.hasText(issuerPublicCert.getOrganization())) { subjectBuilder.addRDN(BCStyle.O, issuerPublicCert.getOrganization()); } if (StringUtils.hasText(issuerPublicCert.getOrgUnit())) { subjectBuilder.addRDN(BCStyle.OU, issuerPublicCert.getOrgUnit()); } subjectBuilder.addRDN(BCStyle.OU, TDMX_DOMAIN_CA_OU); subjectBuilder.addRDN(BCStyle.CN, req.getDomainName()); X500Name subject = subjectBuilder.build(); X500Name issuer = issuerPublicCert.getSubjectName(); JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuer, new BigInteger("1"), req.getNotBefore().getTime(), req.getNotAfter().getTime(), subject, publicKey); try { BasicConstraints cA = new BasicConstraints(0); certBuilder.addExtension(Extension.basicConstraints, true, cA); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(issuerPublicKey)); certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey)); KeyUsage ku = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign); certBuilder.addExtension(Extension.keyUsage, false, ku); // RFC5280 http://tools.ietf.org/html/rfc5280#section-4.2.1.10 // The CA has a CN which is not part of the name constraint - but we can constrain // any domain certificate issued to be limited to some OU under the O. X500NameBuilder subjectConstraintBuilder = new X500NameBuilder(); if (StringUtils.hasText(issuerPublicCert.getCountry())) { subjectConstraintBuilder.addRDN(BCStyle.C, issuerPublicCert.getCountry()); } if (StringUtils.hasText(issuerPublicCert.getLocation())) { subjectConstraintBuilder.addRDN(BCStyle.L, issuerPublicCert.getLocation()); } if (StringUtils.hasText(issuerPublicCert.getOrganization())) { subjectConstraintBuilder.addRDN(BCStyle.O, issuerPublicCert.getOrganization()); } if (StringUtils.hasText(issuerPublicCert.getOrgUnit())) { subjectConstraintBuilder.addRDN(BCStyle.OU, issuerPublicCert.getOrgUnit()); } subjectConstraintBuilder.addRDN(BCStyle.OU, TDMX_DOMAIN_CA_OU); subjectConstraintBuilder.addRDN(BCStyle.OU, req.getDomainName()); X500Name nameConstraint = subjectConstraintBuilder.build(); GeneralName snc = new GeneralName(GeneralName.directoryName, nameConstraint); GeneralSubtree snSubtree = new GeneralSubtree(snc, new BigInteger("0"), null); NameConstraints nc = new NameConstraints(new GeneralSubtree[] { snSubtree }, null); certBuilder.addExtension(Extension.nameConstraints, true, nc); certBuilder.addExtension(TdmxZoneInfo.tdmxZoneInfo, false, issuerPublicCert.getTdmxZoneInfo()); ContentSigner signer = SignatureAlgorithm.getContentSigner(issuerPrivateKey, req.getSignatureAlgorithm()); byte[] certBytes = certBuilder.build(signer).getEncoded(); PKIXCertificate c = CertificateIOUtils.decodeX509(certBytes); return new PKIXCredential(c, issuerCredential.getCertificateChain(), privateKey); } catch (CertIOException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } catch (NoSuchAlgorithmException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } catch (IOException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } }
From source file:org.tdmx.client.crypto.certificate.CredentialUtils.java
License:Open Source License
public static PKIXCredential createUserCredential(UserCredentialSpecifier req) throws CryptoCertificateException { KeyPair kp = null;//from w w w. ja va2 s . co m try { kp = req.getKeyAlgorithm().generateNewKeyPair(); } catch (CryptoException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_KEYPAIR_GENERATION, e); } PublicKey publicKey = kp.getPublic(); PrivateKey privateKey = kp.getPrivate(); PKIXCredential issuerCredential = req.getDomainAdministratorCredential(); PKIXCertificate issuerPublicCert = issuerCredential.getPublicCert(); PublicKey issuerPublicKey = issuerPublicCert.getCertificate().getPublicKey(); PrivateKey issuerPrivateKey = issuerCredential.getPrivateKey(); X500NameBuilder subjectBuilder = new X500NameBuilder(); if (StringUtils.hasText(issuerPublicCert.getCountry())) { subjectBuilder.addRDN(BCStyle.C, issuerPublicCert.getCountry()); } if (StringUtils.hasText(issuerPublicCert.getLocation())) { subjectBuilder.addRDN(BCStyle.L, issuerPublicCert.getLocation()); } if (StringUtils.hasText(issuerPublicCert.getOrganization())) { subjectBuilder.addRDN(BCStyle.O, issuerPublicCert.getOrganization()); } if (StringUtils.hasText(issuerPublicCert.getOrgUnit())) { subjectBuilder.addRDN(BCStyle.OU, issuerPublicCert.getOrgUnit()); } subjectBuilder.addRDN(BCStyle.OU, TDMX_DOMAIN_CA_OU); subjectBuilder.addRDN(BCStyle.OU, issuerPublicCert.getCommonName()); subjectBuilder.addRDN(BCStyle.CN, req.getName()); X500Name subject = subjectBuilder.build(); X500Name issuer = issuerPublicCert.getSubjectName(); JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuer, new BigInteger("1"), req.getNotBefore().getTime(), req.getNotAfter().getTime(), subject, publicKey); try { JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(issuerPublicKey)); certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey)); KeyUsage ku = new KeyUsage( KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment); certBuilder.addExtension(Extension.keyUsage, false, ku); certBuilder.addExtension(TdmxZoneInfo.tdmxZoneInfo, false, issuerPublicCert.getTdmxZoneInfo()); ContentSigner signer = SignatureAlgorithm.getContentSigner(issuerPrivateKey, req.getSignatureAlgorithm()); byte[] certBytes = certBuilder.build(signer).getEncoded(); PKIXCertificate c = CertificateIOUtils.decodeX509(certBytes); return new PKIXCredential(c, issuerCredential.getCertificateChain(), privateKey); } catch (CertIOException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } catch (NoSuchAlgorithmException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } catch (IOException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } }