List of usage examples for org.bouncycastle.asn1.x509 Extension basicConstraints
ASN1ObjectIdentifier basicConstraints
From source file:se.tillvaxtverket.tsltrust.webservice.daemon.ca.CertificationAuthority.java
License:Open Source License
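/**
 * Issues a cross certificate for {@code orgCert} under this CA's root key.
 *
 * <p>Extensions of the original certificate are copied into the new one, except that
 * cRLDistributionPoints, basicConstraints, authorityInfoAccess, authorityKeyIdentifier,
 * policyConstraints, policyMappings, qCStatements and the German signature-law OID
 * 1.3.6.1.4.1.8301.3.5 are dropped, and certificatePolicies is replaced by anyPolicy
 * (from {@link #getAnyCertificatePolicies()}). If the original has no certificatePolicies
 * extension, a non-critical anyPolicy extension is appended. If the original carries no
 * extension list at all, a CA=true basicConstraints is added instead.
 *
 * <p>Side effects: the issued certificate and an ISSUE_EVENT log entry are written to the
 * CA database and the persisted serial counter is advanced. The anyPolicy replacement is
 * written back into the {@code ExtensionInfo} object belonging to {@code orgCert}, so the
 * caller's view of the original certificate's policies is altered too.
 *
 * <p>Fix relative to the earlier version: the "no extensions" branch was unreachable
 * because {@code List.iterator()} never returns {@code null}; the list itself is now
 * null-checked before an iterator is taken, which also removes a latent NPE.
 *
 * @param orgCert certificate being cross-certified
 * @return the issued cross certificate, or {@code null} if the serial counter parameter is
 *         missing from the CA database
 * @throws IOException if an extension value cannot be DER-encoded
 */
public AaaCertificate issueXCert(AaaCertificate orgCert) throws IOException {
    DbCAParam cp = CaSQLiteUtil.getParameter(caDir, CERT_SERIAL_KEY);
    if (cp == null) {
        return null;
    }
    // NOTE(review): read-increment-store of the serial counter is not guarded here; two
    // concurrent calls could issue the same serial. Confirm callers serialize issuance.
    nextSerial = cp.getIntValue();
    BigInteger certSerial = BigInteger.valueOf(nextSerial);

    List<Extension> extList = new ArrayList<>();
    List<ExtensionInfo> orgExtensions = orgCert.getExtensionInfoList();
    boolean policy = false;

    if (orgExtensions != null) {
        Iterator<ExtensionInfo> e = orgExtensions.iterator();
        while (e.hasNext()) {
            ExtensionInfo ext = e.next();
            // Replace whatever policy OIDs the original asserted with anyPolicy.
            // This mutates the original certificate's ExtensionInfo in place.
            if (ext.getExtensionType().equals(SupportedExtension.certificatePolicies)) {
                CertificatePolicies cpe = getAnyCertificatePolicies();
                ext.setExtDataASN1(cpe.toASN1Primitive());
                ext.setExtData(cpe.getEncoded());
                policy = true;
            }
            switch (ext.getExtensionType()) {
                case cRLDistributionPoints:
                case basicConstraints:
                case authorityInfoAccess:
                case authorityKeyIdentifier:
                case policyConstraints:
                case policyMappings:
                case qCStatements:
                    // Issuer-specific extensions are not carried over to the cross cert.
                    // NOTE(review): basicConstraints is dropped here; unless
                    // createCertificate() adds one, the cross certificate carries no
                    // basicConstraints even when the original is a CA. Confirm.
                    break;
                default:
                    if (ext.getOid().getId().equalsIgnoreCase("1.3.6.1.4.1.8301.3.5")) {
                        // German signature law validation rules
                        break;
                    }
                    extList.add(new Extension(ext.getOid(), ext.isCritical(), ext.getExtData()));
            }
        }
    } else {
        // Original carries no extension list: mark the cross cert as a CA.
        extList.add(new Extension(Extension.basicConstraints, false,
                new BasicConstraints(true).getEncoded("DER")));
    }

    // If the original asserted no policy at all, assert anyPolicy explicitly.
    if (!policy) {
        CertificatePolicies cpe = getAnyCertificatePolicies();
        extList.add(new Extension(Extension.certificatePolicies, false, cpe.getEncoded("DER")));
    }

    AaaCertificate xCert = createCertificate(orgCert, certSerial, caRoot,
            CertFactory.SHA256WITHRSA, extList);
    CaSQLiteUtil.addCertificate(xCert, caDir);

    // Audit log entry for the issuance.
    DbCALog caLog = new DbCALog();
    caLog.setLogCode(ISSUE_EVENT);
    caLog.setEventString("Certificate issued");
    caLog.setLogParameter(nextSerial);
    caLog.setLogTime(System.currentTimeMillis());
    CaSQLiteUtil.addCertLog(caLog, caDir);

    // Persist the next serial number.
    cp.setIntValue(nextSerial + 1);
    CaSQLiteUtil.storeParameter(cp, caDir);
    return xCert;
}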
From source file:se.tillvaxtverket.tsltrust.webservice.daemon.ca.RootCAFactory.java
License:Open Source License
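/**
 * Generates the self-signed root CA: a fresh RSA key pair of {@code CA_KEYLENGTH} bits and a
 * root certificate whose subject/issuer DN is built from the configured country,
 * organization and organizational unit, plus a common name derived from the configured
 * CN template ({@code ####} in the template is replaced by {@code caName}; without a
 * placeholder the CN becomes {@code caName + " " + template}).
 *
 * <p>Extensions: basicConstraints CA=true, keyUsage keyCertSign|cRLSign|digitalSignature,
 * certificatePolicies anyPolicy, and a subjectInfoAccess caRepository URI pointing at
 * {@code caRepSia}. The key and single-element chain are stored in the key store under
 * the {@code ROOT} alias.
 *
 * <p>Fix relative to the earlier version: basicConstraints and keyUsage are now marked
 * critical. RFC 5280 requires basicConstraints to be critical in CA certificates and
 * recommends the same for keyUsage; strict validators reject or ignore non-critical ones.
 *
 * <p>Any failure is logged at warning level and otherwise swallowed; callers cannot
 * distinguish a successful run from a failed one by the return value. The log line now
 * includes the exception type so a null message does not produce an empty entry.
 */
private static void generateRootCertificate() {
    try {
        System.out.println("Generating Root RSA key...");
        ca_rsa = generateKeyPair("RSA", CA_KEYLENGTH);

        // Subject DN (identical to issuer DN for a self-signed root).
        Map<SubjectDnType, String> subjNameMap = new HashMap<>();
        subjNameMap.put(SubjectDnType.country, conf.getCaCountry());
        subjNameMap.put(SubjectDnType.orgnaizationName, conf.getCaOrganizationName());
        subjNameMap.put(SubjectDnType.orgnaizationalUnitName, conf.getCaOrgUnitName());

        // Common name: substitute caName for the "####" placeholder if present.
        String modelName = conf.getCaCommonName();
        int idx = modelName.indexOf("####");
        String cName;
        if (idx > -1) {
            cName = modelName.substring(0, idx) + caName + modelName.substring(idx + 4);
        } else {
            cName = caName + " " + modelName;
        }
        subjNameMap.put(SubjectDnType.cn, cName);
        X500Name subjectAndIssuer = CertReqUtils.getDn(subjNameMap);

        List<Extension> extList = new ArrayList<>();
        // Critical: RFC 5280 section 4.2.1.9 (CA certificates).
        extList.add(new Extension(Extension.basicConstraints, true,
                new BasicConstraints(true).getEncoded("DER")));
        // Critical: RFC 5280 section 4.2.1.3 recommends it; restricts the key to
        // certificate/CRL signing (digitalSignature retained from the prior behaviour).
        extList.add(new Extension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign | KeyUsage.digitalSignature)
                        .getEncoded("DER")));
        extList.add(new Extension(Extension.certificatePolicies, false,
                getAnyCertificatePolicies().getEncoded("DER")));
        GeneralName generalName = new GeneralName(GeneralName.uniformResourceIdentifier, caRepSia);
        SubjectInformationAccess sia =
                new SubjectInformationAccess(SubjectInformationAccess.caRepository, generalName);
        extList.add(new Extension(Extension.subjectInfoAccess, false, sia.getEncoded("DER")));

        // Create the self-signed CA certificate and register it as the trusted root.
        AaaCertificate caRoot = createRootCertificate(subjectAndIssuer, ca_rsa.getPublic(),
                ca_rsa.getPrivate(), CertFactory.SHA256WITHRSA, extList);
        X509Certificate[] chain = new X509Certificate[] { caRoot.getCert() };
        addToKeyStore(ca_rsa, chain, ROOT);
    } catch (Exception ex) {
        // Best-effort: keep the original swallow semantics, but do not lose the exception
        // type when getMessage() is null.
        LOG.warning("Root certificate generation failed: " + ex);
    }
}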
From source file:uk.ac.cam.gpe21.droidssl.mitm.crypto.cert.CertificateGenerator.java
License:Apache License
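/**
 * Generates a leaf (end-entity) server certificate signed by {@code ca} for the given
 * common name and DNS subject alternative names.
 *
 * <p>Certificate shape: subject is {@code CN=cn} only; each entry of {@code sans} becomes a
 * dNSName SAN (the extension is omitted when there are none); basicConstraints is critical
 * with CA=false; subjectKeyIdentifier/authorityKeyIdentifier are derived from the shared
 * {@code keyPair} public key and the CA public key; keyUsage is critical with
 * digitalSignature|keyEncipherment|keyAgreement; extendedKeyUsage is serverAuth. Validity
 * runs from one hour before now to 24 hours after now (UTC). Every generated certificate
 * is bound to the same {@code keyPair} field.
 *
 * <p>Fixes relative to the earlier version: the serial number is now 64 bits from
 * {@code SecureRandom} (+1, so it is always positive) instead of the current time in
 * milliseconds, which could repeat within a millisecond and is predictable; the signature
 * algorithm is SHA256withRSA instead of SHA1withRSA, which current TLS clients reject;
 * a {@code null} {@code sans} array is treated as empty rather than throwing.
 *
 * @param cn   common name for the subject DN
 * @param sans DNS names for the subjectAltName extension; may be empty or {@code null}
 * @return the signed certificate
 * @throws CertificateGenerationException if encoding or signing fails
 */
public X509CertificateHolder generate(String cn, String[] sans) {
    try {
        /* basic certificate structure */
        // Unique, unpredictable serial per issuance (RFC 5280 requires positive and unique).
        serial = new BigInteger(64, new java.security.SecureRandom()).add(BigInteger.ONE);
        Calendar notBefore = new GregorianCalendar(UTC);
        notBefore.add(Calendar.HOUR, -1); // tolerate client clock skew
        Calendar notAfter = new GregorianCalendar(UTC);
        notAfter.add(Calendar.HOUR, 24);
        X500Name subject = new X500NameBuilder().addRDN(BCStyle.CN, cn).build();
        BcX509ExtensionUtils utils = new BcX509ExtensionUtils();
        X509v3CertificateBuilder builder = new BcX509v3CertificateBuilder(ca.getCertificate(),
                serial, notBefore.getTime(), notAfter.getTime(), subject, keyPair.getPublic());

        /* subjectAlternativeName extension */
        if (sans != null && sans.length > 0) {
            GeneralName[] names = new GeneralName[sans.length];
            for (int i = 0; i < names.length; i++) {
                names[i] = new GeneralName(GeneralName.dNSName, sans[i]);
            }
            builder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(names));
        }

        /* basicConstraints extension: end-entity, must not be used to issue further certs */
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));

        /* subjectKeyIdentifier / authorityKeyIdentifier extensions */
        builder.addExtension(Extension.subjectKeyIdentifier, false,
                utils.createSubjectKeyIdentifier(keyPair.getPublic()));
        builder.addExtension(Extension.authorityKeyIdentifier, false,
                utils.createAuthorityKeyIdentifier(ca.getPublicKey()));

        /* keyUsage extension */
        int usage = KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.keyAgreement;
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(usage));

        /* extendedKeyUsage extension */
        KeyPurposeId[] usages = { KeyPurposeId.id_kp_serverAuth };
        builder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(usages));

        /* create the signer: SHA-256, since SHA-1 signatures are rejected by modern clients */
        AlgorithmIdentifier signatureAlgorithm =
                new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
        AlgorithmIdentifier digestAlgorithm =
                new DefaultDigestAlgorithmIdentifierFinder().find(signatureAlgorithm);
        ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm)
                .build(ca.getPrivateKey());

        /* build and sign the certificate */
        return builder.build(signer);
    } catch (IOException | OperatorCreationException ex) {
        throw new CertificateGenerationException(ex);
    }
}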