List of usage examples for the org.bouncycastle.asn1.x509.Extension constructor Extension(ASN1ObjectIdentifier, boolean, ASN1OctetString)
public Extension(ASN1ObjectIdentifier extnId, boolean critical, ASN1OctetString value)
From source file:prototype.AlwaysValidOcspSource.java
License:GNU General Public License
/**
 * Builds an OCSP request for the certificate identified by {@code issuerCert} and
 * {@code serialNumber}, carrying one critical nonce extension.
 *
 * <p>NOTE(review): the nonce is {@code ocspDate.getTime()} as a big-endian integer, so it is
 * predictable and at most 8 bytes long; it gives no replay protection against a party that can
 * guess the timestamp. Fine for a prototype/test OCSP source, not for a production client.
 *
 * @param issuerCert   certificate of the CA that issued the certificate being checked
 * @param serialNumber serial number of the certificate being checked
 * @return the built OCSP request
 * @throws DSSException if the issuer certificate cannot be encoded or the request cannot be built
 */
public OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) throws DSSException {
    try {
        // Nonce extension, marked critical (timestamp-derived, see the note above).
        final byte[] nonceBytes = BigInteger.valueOf(ocspDate.getTime()).toByteArray();
        final Extension nonceExt = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true,
                new DEROctetString(nonceBytes));

        // CertificateID for the target certificate, using the helper's digest calculator
        // (SHA-1, going by the helper name).
        final X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerCert.getEncoded());
        final CertificateID certId = new CertificateID(DSSUtils.getSHA1DigestCalculator(), issuerHolder,
                serialNumber);

        final OCSPReqBuilder builder = new OCSPReqBuilder();
        builder.addRequest(certId);
        builder.setRequestExtensions(new Extensions(new Extension[] { nonceExt }));
        return builder.build();
    } catch (OCSPException e) {
        throw new DSSException(e);
    } catch (IOException e) {
        throw new DSSException(e);
    } catch (CertificateEncodingException e) {
        throw new DSSException(e);
    }
}
From source file:se.tillvaxtverket.tsltrust.webservice.daemon.ca.CertificationAuthority.java
License:Open Source License
/**
 * Issues a cross certificate ("XCert") for {@code orgCert} under this CA.
 *
 * <p>Extensions are copied from the original certificate except those listed in the
 * {@code switch} below (basicConstraints, authorityInfoAccess, policyConstraints,
 * policyMappings, qCStatements and the German signature-law OID are dropped; AKI and CDP are
 * dropped because {@code createCertificate} adds its own). A certificatePolicies extension is
 * replaced by AnyPolicy, and AnyPolicy is added when the original had none. The serial number
 * is read from, and afterwards advanced in, the CA parameter store; the certificate and a log
 * record are persisted through {@code CaSQLiteUtil}.
 *
 * @param orgCert the certificate to be cross-certified
 * @return the issued certificate, or {@code null} when the serial-number parameter is missing
 *         (also {@code null} when {@code createCertificate} fails, see the note near the call)
 * @throws IOException if an extension value cannot be DER-encoded
 */
public AaaCertificate issueXCert(AaaCertificate orgCert) throws IOException {
    DbCAParam cp = CaSQLiteUtil.getParameter(caDir, CERT_SERIAL_KEY);
    if (cp == null) {
        return null;
    }
    nextSerial = cp.getIntValue();
    BigInteger certSerial = BigInteger.valueOf(nextSerial);
    List<Extension> extList = new ArrayList<>();
    Iterator<ExtensionInfo> e = orgCert.getExtensionInfoList().iterator();
    // Get extensions from orgCert
    boolean policy = false;
    // NOTE(review): iterator() of a standard collection never returns null, so this condition is
    // always true and the else-branch (adding basicConstraints) is unreachable. If the intent was
    // "orgCert has no extensions", the check belongs on the list being empty — confirm with the author.
    if (e != null) {
        while (e.hasNext()) {
            ExtensionInfo ext = e.next();
            // Replace policy with AnyPolicy
            // NOTE(review): this mutates the ExtensionInfo object that belongs to orgCert itself.
            if (ext.getExtensionType().equals(SupportedExtension.certificatePolicies)) {
                CertificatePolicies cpe = getAnyCertificatePolicies();
                ext.setExtDataASN1(cpe.toASN1Primitive());
                ext.setExtData(cpe.getEncoded());
                policy = true;
            }
            // Extensions that are not copied into the cross certificate.
            // NOTE(review): basicConstraints is dropped here and, because the else-branch above is
            // unreachable, never re-added in this method; createCertificate only adds AKI and CDP, so
            // unless the request model adds one the issued certificate carries no basicConstraints.
            switch (ext.getExtensionType()) {
            case cRLDistributionPoints:
            case basicConstraints:
            case authorityInfoAccess:
            case authorityKeyIdentifier:
            case policyConstraints:
            case policyMappings:
            case qCStatements:
                break;
            default:
                if (ext.getOid().getId().equalsIgnoreCase("1.3.6.1.4.1.8301.3.5")) {
                    // German signature law validation rules
                    break;
                }
                extList.add(new Extension(ext.getOid(), ext.isCritical(), ext.getExtData()));
            }
        }
    } else {
        extList.add(
                new Extension(Extension.basicConstraints, false, new BasicConstraints(true).getEncoded("DER")));
        policy = false;
    }
    // If no policy in orgCert then add AnyPolicy to list
    if (!policy) {
        CertificatePolicies cpe = getAnyCertificatePolicies();
        extList.add(new Extension(Extension.certificatePolicies, false, cpe.getEncoded("DER")));
    }
    // NOTE(review): createCertificate returns null on failure (it catches Exception and logs); that
    // null is still handed to addCertificate and the serial is still advanced below — confirm the
    // store tolerates it or bail out here.
    AaaCertificate xCert = createCertificate(orgCert, certSerial, caRoot, CertFactory.SHA256WITHRSA,
            extList);
    CaSQLiteUtil.addCertificate(xCert, caDir);
    // update log
    DbCALog caLog = new DbCALog();
    caLog.setLogCode(ISSUE_EVENT);
    caLog.setEventString("Certificate issued");
    caLog.setLogParameter(nextSerial);
    caLog.setLogTime(System.currentTimeMillis());
    CaSQLiteUtil.addCertLog(caLog, caDir);
    // Store next serial number
    cp.setIntValue(nextSerial + 1);
    CaSQLiteUtil.storeParameter(cp, caDir);
    return xCert;
}
From source file:se.tillvaxtverket.tsltrust.webservice.daemon.ca.CertificationAuthority.java
License:Open Source License
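/**
 * Creates a certificate for the subject and public key of {@code orgCert}, signed with this
 * CA's root key, with the given serial number and extensions.
 *
 * <p>The validity starts at {@code orgCert}'s notBefore and ends at the earlier of
 * {@code orgCert}'s and {@code issuerCert}'s notAfter. An authorityKeyIdentifier (from
 * {@code issuerCert}) and a cRLDistributionPoints extension (pointing at {@code crlDpUrl}) are
 * appended to a copy of {@code extensions}; the caller's list is left untouched.
 *
 * @param orgCert    certificate supplying subject name, public key and notBefore/notAfter
 * @param certSerial serial number of the new certificate
 * @param issuerCert issuer certificate (supplies issuer name, AKI and the notAfter cap)
 * @param algorithm  signature algorithm name understood by {@link JcaContentSignerBuilder}
 * @param extensions extensions to include in addition to AKI and CDP
 * @return the new certificate, or {@code null} if creation failed (the failure is logged)
 */
public AaaCertificate createCertificate(AaaCertificate orgCert, BigInteger certSerial, AaaCertificate issuerCert,
        String algorithm, List<Extension> extensions) {
    try {
        CertRequestModel reqModel = new CertRequestModel();
        reqModel.setIssuerDN(issuerCert.getSubject());
        reqModel.setPublicKey(orgCert.getCert().getPublicKey());
        reqModel.setSerialNumber(certSerial);
        reqModel.setSubjectDN(orgCert.getSubject());
        // NOTE(review): notBefore is taken from orgCert and not clamped to issuerCert's notBefore,
        // so the new certificate may predate its issuer; only notAfter is capped below.
        reqModel.setNotBefore(orgCert.getNotBefore());
        // notAfter = min(orgCert.notAfter, issuerCert.notAfter)
        if (issuerCert.getNotAfter().after(orgCert.getNotAfter())) {
            reqModel.setNotAfter(orgCert.getNotAfter());
        } else {
            reqModel.setNotAfter(issuerCert.getNotAfter());
        }
        // Work on a copy so the caller's list is not modified as a side effect.
        List<Extension> allExtensions = new ArrayList<>(extensions);
        // Add AKI derived from the issuer certificate
        X509ExtensionUtils extUtil = CertUtils.getX509ExtensionUtils();
        AuthorityKeyIdentifier aki = extUtil.createAuthorityKeyIdentifier(issuerCert);
        allExtensions.add(new Extension(Extension.authorityKeyIdentifier, false, aki.getEncoded("DER")));
        // CRL distribution point: a single URI, no reason flags, no cRLIssuer
        DistributionPoint dp = new DistributionPoint(
                new DistributionPointName(
                        new GeneralNames(new GeneralName(GeneralName.uniformResourceIdentifier, crlDpUrl))),
                null, null);
        CRLDistPoint cdp = new CRLDistPoint(new DistributionPoint[] { dp });
        allExtensions.add(new Extension(Extension.cRLDistributionPoints, false, cdp.getEncoded("DER")));
        reqModel.setExtensionList(allExtensions);
        // Sign with the CA root private key held in the key store.
        reqModel.setSigner(
                new JcaContentSignerBuilder(algorithm).build((PrivateKey) key_store.getKey(ROOT, KS_PASSWORD)));
        return new AaaCertificate(reqModel);
    } catch (Exception ex) {
        // Log the throwable itself: getMessage() may be null and the stack trace is needed to diagnose.
        LOG.log(java.util.logging.Level.WARNING, "Error creating the certificate", ex);
        return null;
    }
}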
From source file:se.tillvaxtverket.tsltrust.webservice.daemon.ca.CertificationAuthority.java
License:Open Source License
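/**
 * Issues a new CRL listing every certificate currently flagged as revoked in the CA database.
 *
 * <p>The CRL carries an authorityKeyIdentifier, an incrementing cRLNumber (persisted under
 * {@code CRL_SERIAL_KEY} in the CA parameter store) and a critical issuingDistributionPoint
 * for {@code crlDpUrl}. Each entry uses the revocation date stored in the database and the
 * reason {@code privilegeWithdrawn}. The CRL is written to {@code crlFile}, copied to
 * {@code exportCrlFile} and kept in {@code latestCrl}.
 *
 * @return the new CRL, or {@code null} if the CRL serial parameter is missing or CRL generation
 *         failed (the failure is logged)
 */
public X509CRLHolder revokeCertificates() {
    long currentTime = System.currentTimeMillis();
    long nextUpdateTime = currentTime + crlValPeriod;
    List<DbCert> certList = CaSQLiteUtil.getCertificates(caDir, true);
    DbCAParam cp = CaSQLiteUtil.getParameter(caDir, CRL_SERIAL_KEY);
    if (cp == null) {
        return null;
    }
    long nextCrlSerial = cp.getIntValue();
    try {
        AaaCRL crl = new AaaCRL(new Date(currentTime), new Date(nextUpdateTime), caRoot,
                (PrivateKey) key_store.getKey(ROOT, KS_PASSWORD), CertFactory.SHA256WITHRSA, crlFile);
        List<Extension> extList = new ArrayList<>();
        // Add AKI derived from the CA root certificate
        X509ExtensionUtils extu = CertUtils.getX509ExtensionUtils();
        AuthorityKeyIdentifier aki = extu.createAuthorityKeyIdentifier(caRoot);
        extList.add(new Extension(Extension.authorityKeyIdentifier, false, aki.getEncoded("DER")));
        // cRLNumber: taken from the persisted CRL serial, which is advanced below
        CRLNumber crlNumber = new CRLNumber(BigInteger.valueOf(nextCrlSerial));
        extList.add(new Extension(Extension.cRLNumber, false, crlNumber.getEncoded("DER")));
        // issuingDistributionPoint, critical as RFC 5280 section 5.2.5 requires
        GeneralNames distributionPointName = new GeneralNames(
                new GeneralName(GeneralName.uniformResourceIdentifier, crlDpUrl));
        DistributionPointName dpn = new DistributionPointName(distributionPointName);
        IssuingDistributionPoint idp = new IssuingDistributionPoint(dpn, false, false);
        extList.add(new Extension(Extension.issuingDistributionPoint, true, idp.getEncoded("DER")));
        // One entry per revoked certificate. Every entry gets the same reason code
        // (privilegeWithdrawn) — presumably DbCert records no reason; confirm.
        List<CRLEntryData> crlEdList = new ArrayList<>();
        for (DbCert dbCert : certList) {
            BigInteger serialNumber = dbCert.getCertificate().getSerialNumber();
            crlEdList.add(new CRLEntryData(serialNumber, new Date(dbCert.getRevDate()),
                    CRLReason.privilegeWithdrawn));
        }
        crl.updateCrl(new Date(currentTime), new Date(nextUpdateTime), crlEdList, extList);
        logRevocation(certList);
        latestCrl = crl.getCrl();
        // Advance the CRL serial only after the CRL has actually been produced.
        cp.setIntValue(nextCrlSerial + 1);
        CaSQLiteUtil.storeParameter(cp, caDir);
        // Store CRL
        FileOps.saveByteFile(FileOps.readBinaryFile(crlFile), exportCrlFile);
        return latestCrl;
    } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CRLException
            | CertificateException | OperatorCreationException ex) {
        // Log the throwable itself: getMessage() may be null and the stack trace is needed to diagnose.
        LOG.log(java.util.logging.Level.WARNING, "Error generating the CRL", ex);
        return null;
    }
}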
From source file:se.tillvaxtverket.tsltrust.webservice.daemon.ca.RootCAFactory.java
License:Open Source License
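/**
 * Generates the root CA key pair and self-signed root certificate and installs them in the key
 * store under the {@code ROOT} alias.
 *
 * <p>The subject (and issuer) name is built from the configured country, organization and
 * organizational unit plus a common name derived from {@code conf.getCaCommonName()}: if that
 * template contains {@code ####}, the CA name replaces it; otherwise the CA name is prefixed to
 * it. Extensions: basicConstraints (cA=true), keyUsage (keyCertSign, cRLSign, digitalSignature),
 * certificatePolicies (AnyPolicy) and a subjectInfoAccess caRepository pointing at
 * {@code caRepSia}. Failures are logged and otherwise swallowed.
 *
 * <p>NOTE(review): basicConstraints and keyUsage are both added non-critical. RFC 5280
 * section 4.2.1.9 requires basicConstraints to be critical in CA certificates and section
 * 4.2.1.3 says keyUsage SHOULD be critical. Left unchanged here so the issued profile does not
 * change silently; worth fixing deliberately.
 */
private static void generateRootCertificate() {
    try {
        // Generate root key
        System.out.println("Generating Root RSA key...");
        ca_rsa = generateKeyPair("RSA", CA_KEYLENGTH);
        // Subject name (== issuer name, self-signed)
        Map<SubjectDnType, String> subjNameMap = new HashMap<>();
        subjNameMap.put(SubjectDnType.country, conf.getCaCountry());
        subjNameMap.put(SubjectDnType.orgnaizationName, conf.getCaOrganizationName());
        subjNameMap.put(SubjectDnType.orgnaizationalUnitName, conf.getCaOrgUnitName());
        subjNameMap.put(SubjectDnType.cn, buildRootCommonName(conf.getCaCommonName(), caName));
        X500Name subjectAndIssuer = CertReqUtils.getDn(subjNameMap);
        List<Extension> extList = new ArrayList<>();
        extList.add(new Extension(Extension.basicConstraints, false,
                new BasicConstraints(true).getEncoded("DER")));
        extList.add(new Extension(Extension.keyUsage, false,
                new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign | KeyUsage.digitalSignature)
                        .getEncoded("DER")));
        extList.add(new Extension(Extension.certificatePolicies, false,
                getAnyCertificatePolicies().getEncoded("DER")));
        GeneralName generalName = new GeneralName(GeneralName.uniformResourceIdentifier, caRepSia);
        SubjectInformationAccess sia = new SubjectInformationAccess(SubjectInformationAccess.caRepository,
                generalName);
        extList.add(new Extension(Extension.subjectInfoAccess, false, sia.getEncoded("DER")));
        // create self signed CA cert
        AaaCertificate caRoot = createRootCertificate(subjectAndIssuer, ca_rsa.getPublic(), ca_rsa.getPrivate(),
                CertFactory.SHA256WITHRSA, extList);
        // set the CA cert as trusted root
        X509Certificate[] chain = new X509Certificate[] { caRoot.getCert() };
        addToKeyStore(ca_rsa, chain, ROOT);
    } catch (Exception ex) {
        // Log the throwable itself: getMessage() may be null and the stack trace is needed to diagnose.
        LOG.log(java.util.logging.Level.WARNING, "Error generating the root certificate", ex);
    }
}

/** Placeholder in the configured common-name template that is replaced by the CA name. */
private static final String CA_NAME_PLACEHOLDER = "####";

/**
 * Resolves the root common name from the configured template.
 *
 * @param template the configured common name, possibly containing {@value #CA_NAME_PLACEHOLDER}
 * @param name     the CA name to insert
 * @return the template with the first placeholder replaced by {@code name}, or
 *         {@code name + " " + template} when the template has no placeholder
 */
private static String buildRootCommonName(String template, String name) {
    int idx = template.indexOf(CA_NAME_PLACEHOLDER);
    if (idx > -1) {
        return template.substring(0, idx) + name + template.substring(idx + CA_NAME_PLACEHOLDER.length());
    }
    return name + " " + template;
}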
From source file:se.tillvaxtverket.tsltrust.webservice.daemon.ca.RootCAFactory.java
License:Open Source License
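/** Years the root certificate's notBefore is backdated, so EE certificates fall inside its validity. */
private static final int ROOT_NOT_BEFORE_OFFSET_YEARS = -2;

/** Years from now until the root certificate's notAfter. */
private static final int ROOT_NOT_AFTER_OFFSET_YEARS = 5;

/**
 * Builds a self-signed root certificate.
 *
 * <p>Subject and issuer are both {@code subjectIssuer}, the serial number is 1, and the validity
 * runs from {@value #ROOT_NOT_BEFORE_OFFSET_YEARS} years relative to now until
 * {@value #ROOT_NOT_AFTER_OFFSET_YEARS} years from now. A subjectKeyIdentifier derived from
 * {@code publicKey} is appended to a copy of {@code extensions}; the caller's list is left
 * untouched.
 *
 * @param subjectIssuer subject and issuer name of the root
 * @param publicKey     root public key
 * @param privateKey    root private key used to sign the certificate
 * @param algorithm     signature algorithm name understood by {@link JcaContentSignerBuilder}
 * @param extensions    extensions to include in addition to subjectKeyIdentifier
 * @return the self-signed root certificate
 * @throws OperatorCreationException if the content signer cannot be created
 * @throws IOException if an extension cannot be DER-encoded
 * @throws CertificateException if the certificate cannot be built
 */
private static AaaCertificate createRootCertificate(X500Name subjectIssuer, PublicKey publicKey, PrivateKey privateKey,
        String algorithm, List<Extension> extensions)
        throws OperatorCreationException, IOException, CertificateException {
    CertRequestModel reqMod = new CertRequestModel();
    reqMod.setSubjectDN(subjectIssuer);
    reqMod.setIssuerDN(subjectIssuer);
    reqMod.setSerialNumber(BigInteger.ONE);
    reqMod.setPublicKey(publicKey);
    // Add Signer
    ContentSigner rootSigner = new JcaContentSignerBuilder(algorithm).build(privateKey);
    reqMod.setSigner(rootSigner);
    // ensure that EE certs are in the validity period of CA certs
    GregorianCalendar notBefore = new GregorianCalendar();
    GregorianCalendar notAfter = new GregorianCalendar();
    notBefore.add(Calendar.YEAR, ROOT_NOT_BEFORE_OFFSET_YEARS);
    notAfter.add(Calendar.YEAR, ROOT_NOT_AFTER_OFFSET_YEARS);
    reqMod.setNotBefore(notBefore.getTime());
    reqMod.setNotAfter(notAfter.getTime());
    // Work on a copy so the caller's list is not modified as a side effect.
    List<Extension> allExtensions = new ArrayList<>(extensions);
    X509ExtensionUtils extUtil = CertUtils.getX509ExtensionUtils();
    SubjectKeyIdentifier ski = extUtil.createSubjectKeyIdentifier(CertUtils.getPublicKeyInfo(publicKey));
    allExtensions.add(new Extension(Extension.subjectKeyIdentifier, false, ski.getEncoded("DER")));
    reqMod.setExtensionList(allExtensions);
    return new AaaCertificate(reqMod);
}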