List of usage examples for org.bouncycastle.asn1.x509 Extension keyUsage
ASN1ObjectIdentifier keyUsage
To view the source code for org.bouncycastle.asn1.x509 Extension keyUsage.
Click Source Link
From source file:com.enioka.jqm.pki.CertificateRequest.java
License:Open Source License
private void generateX509() throws Exception { SecureRandom random = new SecureRandom(); X500Name dnName = new X500Name(Subject); Calendar endValidity = Calendar.getInstance(); endValidity.add(Calendar.YEAR, validityYear); SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()); X509v3CertificateBuilder gen = new X509v3CertificateBuilder( authorityCertificate == null ? dnName : authorityCertificate.getSubject(), BigIntegers.createRandomInRange(BigInteger.ZERO, BigInteger.valueOf(Long.MAX_VALUE), random), new Date(), endValidity.getTime(), dnName, publicKeyInfo); // Public key ID DigestCalculator digCalc = new BcDigestCalculatorProvider() .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); X509ExtensionUtils x509ExtensionUtils = new X509ExtensionUtils(digCalc); gen.addExtension(Extension.subjectKeyIdentifier, false, x509ExtensionUtils.createSubjectKeyIdentifier(publicKeyInfo)); // EKU//w w w. j a v a2 s .c om gen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(EKU)); // Basic constraints (is CA?) if (authorityCertificate == null) { gen.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)); } // Key usage gen.addExtension(Extension.keyUsage, true, new KeyUsage(keyUsage)); // Subject Alt names ? // Authority if (authorityCertificate != null) { gen.addExtension(Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifier(authorityCertificate.getSubjectPublicKeyInfo())); } // Signer ContentSigner signer = new JcaContentSignerBuilder("SHA512WithRSAEncryption") .setProvider(Constants.JCA_PROVIDER).build(authorityKey == null ? privateKey : authorityKey); // Go holder = gen.build(signer); }
From source file:com.linkedin.mitm.services.CACertificateService.java
License:Open Source License
protected void buildExtensions(X509v3CertificateBuilder x509v3CertificateBuilder, PublicKey publicKey) throws IOException { x509v3CertificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(publicKey)); // The Key Usage, Extended Key Usage, and Basic Constraints extensions act together to define the purposes for // which the certificate is intended to be used x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, BASIC_CONSTRAINTS); x509v3CertificateBuilder.addExtension(Extension.keyUsage, false, KEY_USAGE); x509v3CertificateBuilder.addExtension(Extension.extendedKeyUsage, false, EXTERNAL_KEY_USAGE); }
From source file:com.spotify.helios.client.tls.X509CertificateFactory.java
License:Apache License
private CertificateAndPrivateKey generate(final AgentProxy agentProxy, final Identity identity, final String username) { final UUID uuid = new UUID(); final Calendar calendar = Calendar.getInstance(); final X500Name issuerDN = new X500Name("C=US,O=Spotify,CN=helios-client"); final X500Name subjectDN = new X500NameBuilder().addRDN(BCStyle.UID, username).build(); calendar.add(Calendar.MILLISECOND, -validBeforeMilliseconds); final Date notBefore = calendar.getTime(); calendar.add(Calendar.MILLISECOND, validBeforeMilliseconds + validAfterMilliseconds); final Date notAfter = calendar.getTime(); // Reuse the UUID time as a SN final BigInteger serialNumber = BigInteger.valueOf(uuid.getTime()).abs(); try {//www . ja v a 2 s. com final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC"); keyPairGenerator.initialize(KEY_SIZE, new SecureRandom()); final KeyPair keyPair = keyPairGenerator.generateKeyPair(); final SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo .getInstance(ASN1Sequence.getInstance(keyPair.getPublic().getEncoded())); final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuerDN, serialNumber, notBefore, notAfter, subjectDN, subjectPublicKeyInfo); final DigestCalculator digestCalculator = new BcDigestCalculatorProvider() .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); final X509ExtensionUtils utils = new X509ExtensionUtils(digestCalculator); final SubjectKeyIdentifier keyId = utils.createSubjectKeyIdentifier(subjectPublicKeyInfo); final String keyIdHex = KEY_ID_ENCODING.encode(keyId.getKeyIdentifier()); log.info("generating an X509 certificate for {} with key ID={} and identity={}", username, keyIdHex, identity.getComment()); builder.addExtension(Extension.subjectKeyIdentifier, false, keyId); builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(subjectPublicKeyInfo)); builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); final X509CertificateHolder holder = builder.build(new SshAgentContentSigner(agentProxy, identity)); final X509Certificate certificate = CERTIFICATE_CONVERTER.getCertificate(holder); log.debug("generated certificate:\n{}", asPEMString(certificate)); return new CertificateAndPrivateKey(certificate, keyPair.getPrivate()); } catch (Exception e) { throw Throwables.propagate(e); } }
From source file:com.spotify.sshagenttls.X509CertKeyCreator.java
License:Apache License
@Override public CertKey createCertKey(final String username, final X500Principal x500Principal) { final Calendar calendar = Calendar.getInstance(); final BigInteger serialNumber = BigInteger.valueOf(calendar.getTimeInMillis()).abs(); final X500Name issuerDn = new X500Name(x500Principal.getName(X500Principal.RFC1779)); final X500Name subjectDn = new X500NameBuilder().addRDN(BCStyle.UID, username).build(); calendar.add(Calendar.MILLISECOND, -validBeforeMillis); final Date notBefore = calendar.getTime(); calendar.add(Calendar.MILLISECOND, validBeforeMillis + validAfterMillis); final Date notAfter = calendar.getTime(); try {/*from w w w.j av a2 s .c o m*/ final KeyPair keyPair = generateRandomKeyPair(); final SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo .getInstance(ASN1Sequence.getInstance(keyPair.getPublic().getEncoded())); final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuerDn, serialNumber, notBefore, notAfter, subjectDn, subjectPublicKeyInfo); final DigestCalculator digestCalculator = new BcDigestCalculatorProvider() .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); final X509ExtensionUtils utils = new X509ExtensionUtils(digestCalculator); final SubjectKeyIdentifier keyId = utils.createSubjectKeyIdentifier(subjectPublicKeyInfo); final String keyIdHex = KEY_ID_ENCODING.encode(keyId.getKeyIdentifier()); LOG.info("generating an X.509 certificate for {} with key ID={}", username, keyIdHex); builder.addExtension(Extension.subjectKeyIdentifier, false, keyId); builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(subjectPublicKeyInfo)); builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); final X509CertificateHolder holder = builder.build(contentSigner); final X509Certificate cert = CERT_CONVERTER.getCertificate(holder); LOG.debug("generated certificate:\n{}", Utils.asPemString(cert)); return CertKey.create(cert, keyPair.getPrivate()); } catch (Exception e) { throw new RuntimeException(e); } }
From source file:com.spotify.sshtlsclient.X509CertificateFactory.java
License:Apache License
static Certificate get(final SshAgentContentSigner signer, final Identity identity, final String username) { final UUID uuid = new UUID(); final Calendar calendar = Calendar.getInstance(); final X500Name issuerDN = new X500Name("C=US,O=Spotify,CN=helios-client"); final X500Name subjectDN = new X500NameBuilder().addRDN(BCStyle.UID, username).build(); final SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo .getInstance(ASN1Sequence.getInstance(identity.getPublicKey().getEncoded())); calendar.add(Calendar.HOUR, -HOURS_BEFORE); final Date notBefore = calendar.getTime(); calendar.add(Calendar.HOUR, HOURS_BEFORE + HOURS_AFTER); final Date notAfter = calendar.getTime(); // Reuse the UUID time as a SN final BigInteger serialNumber = BigInteger.valueOf(uuid.getTime()).abs(); final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuerDN, serialNumber, notBefore, notAfter, subjectDN, subjectPublicKeyInfo); try {/*from w ww .jav a2 s .c om*/ final DigestCalculator digestCalculator = new BcDigestCalculatorProvider() .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); final X509ExtensionUtils utils = new X509ExtensionUtils(digestCalculator); builder.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(subjectPublicKeyInfo)); builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(subjectPublicKeyInfo)); builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); final X509CertificateHolder holder = builder.build(signer); return new Certificate(new org.bouncycastle.asn1.x509.Certificate[] { holder.toASN1Structure(), }); } catch (Exception e) { throw Throwables.propagate(e); } }
From source file:com.vmware.admiral.common.util.CertificateUtil.java
License:Open Source License
private static List<ExtensionHolder> getClientExtensions() { List<ExtensionHolder> extensions = new ArrayList<>(); extensions.add(new ExtensionHolder(Extension.basicConstraints, true, new BasicConstraints(false))); extensions.add(new ExtensionHolder(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature))); extensions.add(new ExtensionHolder(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth))); return extensions; }
From source file:com.vmware.admiral.common.util.CertificateUtil.java
License:Open Source License
private static List<ExtensionHolder> getServerExtensions(X509Certificate issuerCertificate) throws CertificateEncodingException, NoSuchAlgorithmException, IOException { List<ExtensionHolder> extensions = new ArrayList<>(); // SSO forces us to allow data encipherment extensions.add(new ExtensionHolder(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment))); extensions.add(new ExtensionHolder(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth))); Extension authorityKeyExtension = new Extension(Extension.authorityKeyIdentifier, false, new DEROctetString(new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(issuerCertificate))); extensions.add(new ExtensionHolder(authorityKeyExtension.getExtnId(), authorityKeyExtension.isCritical(), authorityKeyExtension.getParsedValue())); return extensions; }
From source file:com.vvote.thirdparty.ximix.util.BLSKeyStore.java
License:Apache License
private X509CertificateHolder createCertificate(String keyID, int sequenceNo, PrivateKey privKey) throws GeneralSecurityException, OperatorCreationException, IOException { String name = "C=AU, O=Ximix Network Node, OU=" + "Util"; ///*from ww w . ja v a2s . com*/ // create the certificate - version 3 // X509v3CertificateBuilder v3CertBuilder = new X509v3CertificateBuilder(new X500Name(name), BigInteger.valueOf(1), new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30), new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365)), new X500Name(name), this.fetchPublicKey(keyID)); // we use keyUsage extension to distinguish between signing and encryption keys if (signingKeys.contains(keyID)) { v3CertBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature)); } else { v3CertBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.dataEncipherment)); } v3CertBuilder.addExtension(XimixObjectIdentifiers.ximixShareIdExtension, true, new ASN1Integer(sequenceNo)); return v3CertBuilder.build(new JcaContentSignerBuilder("SHA1withECDSA").setProvider("BC").build(privKey)); }
From source file:com.wandrell.util.ksgen.BouncyCastleKeyStoreFactory.java
License:Open Source License
/** * Returns a certificate builder./*from w ww . ja va2 s . c o m*/ * * @param publicKey * public key for the certificate builder * @param issuer * issuer for the certificate builder * @return a certificate builder * @throws IOException * if any format error occurrs while creating the certificate */ private final X509v3CertificateBuilder getCertificateBuilder(final PublicKey publicKey, final String issuer) throws IOException { final X500Name issuerName; // Issuer name final X500Name subjectName; // Subject name final BigInteger serial; // Serial number final X509v3CertificateBuilder builder; // Certificate builder final Date start; // Certificate start date final Date end; // Certificate end date final KeyUsage usage; // Key usage final ASN1EncodableVector purposes; // Certificate purposes issuerName = new X500Name(issuer); subjectName = issuerName; serial = BigInteger.valueOf(getRandom().nextInt()); // Dates for the certificate start = getOneYearBackDate(); end = getOneHundredYearsFutureDate(); builder = new JcaX509v3CertificateBuilder(issuerName, serial, start, end, subjectName, publicKey); builder.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(publicKey)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)); usage = new KeyUsage(KeyUsage.keyCertSign | KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.cRLSign); builder.addExtension(Extension.keyUsage, false, usage); purposes = new ASN1EncodableVector(); purposes.add(KeyPurposeId.id_kp_serverAuth); purposes.add(KeyPurposeId.id_kp_clientAuth); purposes.add(KeyPurposeId.anyExtendedKeyUsage); builder.addExtension(Extension.extendedKeyUsage, false, new DERSequence(purposes)); return builder; }
From source file:com.yahoo.athenz.auth.util.Crypto.java
License:Apache License
public static X509Certificate generateX509Certificate(PKCS10CertificationRequest certReq, PrivateKey caPrivateKey, X500Name issuer, int validityTimeout, boolean basicConstraints) { // set validity for the given number of minutes from now Date notBefore = new Date(); Calendar cal = Calendar.getInstance(); cal.setTime(notBefore);/*from w w w. ja va 2 s . c o m*/ cal.add(Calendar.MINUTE, validityTimeout); Date notAfter = cal.getTime(); // Generate self-signed certificate X509Certificate cert = null; try { JcaPKCS10CertificationRequest jcaPKCS10CertificationRequest = new JcaPKCS10CertificationRequest( certReq); PublicKey publicKey = jcaPKCS10CertificationRequest.getPublicKey(); X509v3CertificateBuilder caBuilder = new JcaX509v3CertificateBuilder(issuer, BigInteger.valueOf(System.currentTimeMillis()), notBefore, notAfter, certReq.getSubject(), publicKey) .addExtension(Extension.basicConstraints, false, new BasicConstraints(basicConstraints)) .addExtension(Extension.keyUsage, true, new X509KeyUsage(X509KeyUsage.digitalSignature | X509KeyUsage.keyEncipherment)) .addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth })); // see if we have the dns/rfc822/ip address extensions specified in the csr ArrayList<GeneralName> altNames = new ArrayList<>(); Attribute[] certAttributes = jcaPKCS10CertificationRequest .getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest); if (certAttributes != null && certAttributes.length > 0) { for (Attribute attribute : certAttributes) { Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0)); GeneralNames gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName); if (gns == null) { continue; } GeneralName[] names = gns.getNames(); for (int i = 0; i < names.length; i++) { switch (names[i].getTagNo()) { case GeneralName.dNSName: case GeneralName.iPAddress: case GeneralName.rfc822Name: altNames.add(names[i]); break; } } } if (!altNames.isEmpty()) { caBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(altNames.toArray(new GeneralName[altNames.size()]))); } } String signatureAlgorithm = getSignatureAlgorithm(caPrivateKey.getAlgorithm(), SHA256); ContentSigner caSigner = new JcaContentSignerBuilder(signatureAlgorithm).setProvider(BC_PROVIDER) .build(caPrivateKey); JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BC_PROVIDER); cert = converter.getCertificate(caBuilder.build(caSigner)); } catch (CertificateException ex) { LOG.error("generateX509Certificate: Caught CertificateException when generating certificate: " + ex.getMessage()); throw new CryptoException(ex); } catch (OperatorCreationException ex) { LOG.error( "generateX509Certificate: Caught OperatorCreationException when creating JcaContentSignerBuilder: " + ex.getMessage()); throw new CryptoException(ex); } catch (InvalidKeyException ex) { LOG.error("generateX509Certificate: Caught InvalidKeySpecException, invalid key spec is being used: " + ex.getMessage()); throw new CryptoException(ex); } catch (NoSuchAlgorithmException ex) { LOG.error( "generateX509Certificate: Caught NoSuchAlgorithmException, check to make sure the algorithm is supported by the provider: " + ex.getMessage()); throw new CryptoException(ex); } catch (Exception ex) { LOG.error("generateX509Certificate: unable to generate X509 Certificate: " + ex.getMessage()); throw new CryptoException("Unable to generate X509 Certificate"); } return cert; }