List of usage examples for org.bouncycastle.asn1.x509 Extension nameConstraints
ASN1ObjectIdentifier nameConstraints
To view the source code for org.bouncycastle.asn1.x509 Extension nameConstraints.
Click Source Link
From source file:com.bettertls.nameconstraints.KeyStoreGenerator.java
License:Apache License
public KeyStore build() throws Exception { KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA"); rsa.initialize(2048);/*from ww w . j ava2s . co m*/ KeyPair kp = rsa.generateKeyPair(); X509CertificateHolder caCertHolder; if (caKeyEntry != null) { caCertHolder = new X509CertificateHolder(caKeyEntry.getCertificate().getEncoded()); } else { caCertHolder = null; } Calendar cal = Calendar.getInstance(); cal.add(Calendar.MONTH, 12); if (caCertHolder != null && cal.getTime().after(caCertHolder.getNotAfter())) { cal.setTime(caCertHolder.getNotAfter()); } byte[] pk = kp.getPublic().getEncoded(); SubjectPublicKeyInfo bcPk = SubjectPublicKeyInfo.getInstance(pk); String subjectNameStr = "C=US, ST=California, L=Los Gatos, O=Netflix Inc, OU=Platform Security (" + System.nanoTime() + ")"; if (commonName != null) { subjectNameStr += ", CN=" + commonName; } X500Name subjectName = new X500Name(subjectNameStr); X509v3CertificateBuilder certGen = new X509v3CertificateBuilder( caCertHolder == null ? subjectName : caCertHolder.getSubject(), BigInteger.valueOf(System.nanoTime()), new Date(), cal.getTime(), subjectName, bcPk); certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa)); if (nameConstraints != null) { certGen.addExtension(Extension.nameConstraints, true, nameConstraints); } if (sans != null) { certGen.addExtension(Extension.subjectAlternativeName, false, sans); } X509CertificateHolder certHolder = certGen.build(new JcaContentSignerBuilder("SHA256withRSA") .build(caKeyEntry == null ? kp.getPrivate() : caKeyEntry.getPrivateKey())); java.security.cert.Certificate certificate; try (ByteArrayInputStream bais = new ByteArrayInputStream(certHolder.getEncoded())) { certificate = CertificateFactory.getInstance("X.509").generateCertificate(bais); } java.security.cert.Certificate[] certificateChain; if (caKeyEntry == null) { certificateChain = new java.security.cert.Certificate[] { certificate }; } else { certificateChain = new java.security.cert.Certificate[caKeyEntry.getCertificateChain().length + 1]; certificateChain[0] = certificate; System.arraycopy(caKeyEntry.getCertificateChain(), 0, certificateChain, 1, caKeyEntry.getCertificateChain().length); } KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); keyStore.load(null, null); keyStore.setKeyEntry(DEFAULT_ALIAS, kp.getPrivate(), KEYSTORE_PASSWORD.toCharArray(), certificateChain); return keyStore; }
From source file:org.cesecore.certificates.certificate.certextensions.standard.NameConstraint.java
License:Open Source License
@Override public void init(CertificateProfile certProf) { super.setOID(Extension.nameConstraints.getId()); super.setCriticalFlag(certProf.getNameConstraintsCritical()); }
From source file:org.cesecore.util.CertTools.java
License:Open Source License
/** * Checks that the given SubjectDN / SAN satisfies the Name Constraints of the given issuer (if there are any). * This method checks the Name Constraints in the given issuer only. A complete implementation of * name constraints should check the whole certificate chain. * //from w w w. ja v a 2 s . c o m * @param issuer Issuing CA. * @param subjectDNName Subject DN to check. Optional. * @param subjectAltName Subject Alternative Name to check. Optional. * @throws CertificateExtensionException */ public static void checkNameConstraints(X509Certificate issuer, X500Name subjectDNName, GeneralNames subjectAltName) throws IllegalNameException { final byte[] ncbytes = issuer.getExtensionValue(Extension.nameConstraints.getId()); final ASN1OctetString ncstr = (ncbytes != null ? DEROctetString.getInstance(ncbytes) : null); final ASN1Sequence ncseq = (ncbytes != null ? DERSequence.getInstance(ncstr.getOctets()) : null); final NameConstraints nc = (ncseq != null ? NameConstraints.getInstance(ncseq) : null); if (nc != null) { if (subjectDNName != null) { // Skip check for root CAs final X500Name issuerDNName = X500Name.getInstance(issuer.getSubjectX500Principal().getEncoded()); if (issuerDNName.equals(subjectDNName)) { return; } } final PKIXNameConstraintValidator validator = new PKIXNameConstraintValidator(); GeneralSubtree[] permitted = nc.getPermittedSubtrees(); GeneralSubtree[] excluded = nc.getExcludedSubtrees(); if (permitted != null) { validator.intersectPermittedSubtree(permitted); } if (excluded != null) { for (GeneralSubtree subtree : excluded) { validator.addExcludedSubtree(subtree); } } if (subjectDNName != null) { GeneralName dngn = new GeneralName(subjectDNName); try { validator.checkPermitted(dngn); validator.checkExcluded(dngn); } catch (PKIXNameConstraintValidatorException e) { final String dnStr = subjectDNName.toString(); final boolean isLdapOrder = dnHasMultipleComponents(dnStr) && !isDNReversed(dnStr); if (isLdapOrder) { final String msg = intres.getLocalizedMessage("nameconstraints.x500dnorderrequired"); throw new IllegalNameException(msg); } else { final String msg = intres.getLocalizedMessage("nameconstraints.forbiddensubjectdn", subjectDNName); throw new IllegalNameException(msg, e); } } } if (subjectAltName != null) { for (GeneralName sangn : subjectAltName.getNames()) { try { validator.checkPermitted(sangn); validator.checkExcluded(sangn); } catch (PKIXNameConstraintValidatorException e) { final String msg = intres.getLocalizedMessage("nameconstraints.forbiddensubjectaltname", sangn); throw new IllegalNameException(msg, e); } } } } }
From source file:org.cesecore.util.CertToolsTest.java
License:Open Source License
/** * Tests the following methods:// www .j a v a2 s. c om * <ul> * <li>{@link CertTools.checkNameConstraints}</li> * <li>{@link NameConstraint.parseNameConstraintsList}</li> * <li>{@link NameConstraint.toGeneralSubtrees}</li> * </ul> */ @Test public void testNameConstraints() throws Exception { final String permitted = "C=SE,CN=example.com\n" + "example.com\n" + "@mail.example\n" + "user@host.com\n" + "10.0.0.0/8\n" + " C=SE, CN=spacing \n"; final String excluded = "forbidden.example.com\n" + "postmaster@mail.example\n" + "10.1.0.0/16\n" + "::/0"; // IPv6 final List<Extension> extensions = new ArrayList<Extension>(); GeneralSubtree[] permittedSubtrees = NameConstraint .toGeneralSubtrees(NameConstraint.parseNameConstraintsList(permitted)); GeneralSubtree[] excludedSubtrees = NameConstraint .toGeneralSubtrees(NameConstraint.parseNameConstraintsList(excluded)); byte[] extdata = new NameConstraints(permittedSubtrees, excludedSubtrees).toASN1Primitive().getEncoded(); extensions.add(new Extension(Extension.nameConstraints, false, extdata)); final KeyPair testkeys = KeyTools.genKeys("512", AlgorithmConstants.KEYALGORITHM_RSA); X509Certificate cacert = CertTools.genSelfCertForPurpose("C=SE,CN=Test Name Constraints CA", 365, null, testkeys.getPrivate(), testkeys.getPublic(), AlgorithmConstants.SIGALG_SHA1_WITH_RSA, true, X509KeyUsage.keyCertSign + X509KeyUsage.cRLSign, null, null, "BC", true, extensions); // Allowed subject DNs final X500Name validDN = new X500Name("C=SE,CN=example.com"); // re-used below CertTools.checkNameConstraints(cacert, validDN, null); CertTools.checkNameConstraints(cacert, new X500Name("C=SE,CN=spacing"), null); // Allowed subject alternative names CertTools.checkNameConstraints(cacert, validDN, new GeneralNames(new GeneralName(GeneralName.dNSName, "example.com"))); CertTools.checkNameConstraints(cacert, validDN, new GeneralNames(new GeneralName(GeneralName.dNSName, "x.sub.example.com"))); CertTools.checkNameConstraints(cacert, validDN, new GeneralNames(new GeneralName(GeneralName.rfc822Name, "someuser@mail.example"))); CertTools.checkNameConstraints(cacert, validDN, new GeneralNames(new GeneralName(GeneralName.rfc822Name, "user@host.com"))); CertTools.checkNameConstraints(cacert, validDN, new GeneralNames(new GeneralName(GeneralName.iPAddress, new DEROctetString(InetAddress.getByName("10.0.0.1").getAddress())))); CertTools.checkNameConstraints(cacert, validDN, new GeneralNames(new GeneralName(GeneralName.iPAddress, new DEROctetString(InetAddress.getByName("10.255.255.255").getAddress())))); // Disallowed subject DN checkNCException(cacert, new X500Name("C=DK,CN=example.com"), null, "Disallowed DN (wrong field value) was accepted"); checkNCException(cacert, new X500Name("C=SE,O=Company,CN=example.com"), null, "Disallowed DN (extra field) was accepted"); // Disallowed SAN // The commented out lines are allowed by BouncyCastle but disallowed by the RFC checkNCException(cacert, validDN, new GeneralName(GeneralName.dNSName, "bad.com"), "Disallowed SAN (wrong DNS name) was accepted"); checkNCException(cacert, validDN, new GeneralName(GeneralName.dNSName, "forbidden.example.com"), "Disallowed SAN (excluded DNS subdomain) was accepted"); checkNCException(cacert, validDN, new GeneralName(GeneralName.rfc822Name, "wronguser@host.com"), "Disallowed SAN (wrong e-mail) was accepted"); checkNCException(cacert, validDN, new GeneralName(GeneralName.iPAddress, new DEROctetString(InetAddress.getByName("10.1.0.1").getAddress())), "Disallowed SAN (excluded IPv4 address) was accepted"); checkNCException(cacert, validDN, new GeneralName(GeneralName.iPAddress, new DEROctetString(InetAddress.getByName("192.0.2.1").getAddress())), "Disallowed SAN (wrong IPv4 address) was accepted"); checkNCException(cacert, validDN, new GeneralName(GeneralName.iPAddress, new DEROctetString(InetAddress.getByName("2001:DB8::").getAddress())), "Disallowed SAN (IPv6 address) was accepted"); }
From source file:org.conscrypt.java.security.TestKeyStore.java
License:Apache License
private static X509Certificate createCertificate(PublicKey publicKey, PrivateKey privateKey, X500Principal subject, X500Principal issuer, int keyUsage, boolean ca, List<KeyPurposeId> extendedKeyUsages, List<Boolean> criticalExtendedKeyUsages, List<GeneralName> subjectAltNames, List<GeneralSubtree> permittedNameConstraints, List<GeneralSubtree> excludedNameConstraints, BigInteger serialNumber) throws Exception { // Note that there is no way to programmatically make a // Certificate using java.* or javax.* APIs. The // CertificateFactory interface assumes you want to read // in a stream of bytes, typically the X.509 factory would // allow ASN.1 DER encoded bytes and optionally some PEM // formats. Here we use Bouncy Castle's // X509V3CertificateGenerator and related classes. long millisPerDay = 24 * 60 * 60 * 1000; long now = System.currentTimeMillis(); Date start = new Date(now - millisPerDay); Date end = new Date(now + millisPerDay); String keyAlgorithm = privateKey.getAlgorithm(); String signatureAlgorithm;//from www . j a va2 s.c o m if (keyAlgorithm.equals("RSA")) { signatureAlgorithm = "sha256WithRSA"; } else if (keyAlgorithm.equals("DSA")) { signatureAlgorithm = "sha256WithDSA"; } else if (keyAlgorithm.equals("EC")) { signatureAlgorithm = "sha256WithECDSA"; } else if (keyAlgorithm.equals("EC_RSA")) { signatureAlgorithm = "sha256WithRSA"; } else { throw new IllegalArgumentException("Unknown key algorithm " + keyAlgorithm); } if (serialNumber == null) { byte[] serialBytes = new byte[16]; new SecureRandom().nextBytes(serialBytes); serialNumber = new BigInteger(1, serialBytes); } X509v3CertificateBuilder x509cg = new X509v3CertificateBuilder(X500Name.getInstance(issuer.getEncoded()), serialNumber, start, end, X500Name.getInstance(subject.getEncoded()), SubjectPublicKeyInfo.getInstance(publicKey.getEncoded())); if (keyUsage != 0) { x509cg.addExtension(Extension.keyUsage, true, new KeyUsage(keyUsage)); } if (ca) { x509cg.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)); } for (int i = 0; i < extendedKeyUsages.size(); i++) { KeyPurposeId keyPurposeId = extendedKeyUsages.get(i); boolean critical = criticalExtendedKeyUsages.get(i); x509cg.addExtension(Extension.extendedKeyUsage, critical, new ExtendedKeyUsage(keyPurposeId)); } if (!subjectAltNames.isEmpty()) { x509cg.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(subjectAltNames.toArray(new GeneralName[0])).getEncoded()); } if (!permittedNameConstraints.isEmpty() || !excludedNameConstraints.isEmpty()) { x509cg.addExtension(Extension.nameConstraints, true, new NameConstraints( permittedNameConstraints.toArray(new GeneralSubtree[permittedNameConstraints.size()]), excludedNameConstraints.toArray(new GeneralSubtree[excludedNameConstraints.size()]))); } X509CertificateHolder x509holder = x509cg .build(new JcaContentSignerBuilder(signatureAlgorithm).build(privateKey)); CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); X509Certificate x509c = (X509Certificate) certFactory .generateCertificate(new ByteArrayInputStream(x509holder.getEncoded())); if (StandardNames.IS_RI) { /* * The RI can't handle the BC EC signature algorithm * string of "ECDSA", since it expects "...WITHEC...", * so convert from BC to RI X509Certificate * implementation via bytes. */ CertificateFactory cf = CertificateFactory.getInstance("X.509"); ByteArrayInputStream bais = new ByteArrayInputStream(x509c.getEncoded()); Certificate c = cf.generateCertificate(bais); x509c = (X509Certificate) c; } return x509c; }
From source file:org.ejbca.ra.RaCertificateDetails.java
License:Open Source License
public void reInitialize(final CertificateDataWrapper cdw, final Map<Integer, String> cpIdToNameMap, final Map<Integer, String> eepIdToNameMap, final Map<String, String> caSubjectToNameMap) { this.cdw = cdw; final CertificateData certificateData = cdw.getCertificateData(); this.cpId = certificateData.getCertificateProfileId(); this.cpName = cpId == null ? null : cpIdToNameMap.get(cpId); this.eepId = certificateData.getEndEntityProfileIdOrZero(); this.eepName = eepIdToNameMap.get(Integer.valueOf(eepId)); this.issuerDn = certificateData.getIssuerDN(); this.caName = getCaNameFromIssuerDn(caSubjectToNameMap, issuerDn); this.status = certificateData.getStatus(); this.revocationReason = certificateData.getRevocationReason(); this.fingerprint = certificateData.getFingerprint(); this.serialnumberRaw = certificateData.getSerialNumber(); try {/*from w w w. ja v a2 s.com*/ this.serialnumber = new BigInteger(this.serialnumberRaw).toString(16); } catch (NumberFormatException e) { if (log.isDebugEnabled()) { log.debug("Failed to format serial number as hex. Probably a CVC certificate. Message: " + e.getMessage()); } } this.username = certificateData.getUsername() == null ? "" : certificateData.getUsername(); this.subjectDn = certificateData.getSubjectDN(); final Certificate certificate = cdw.getCertificate(); byte[] certificateEncoded = null; if (certificate != null) { try { certificateEncoded = certificate.getEncoded(); } catch (CertificateEncodingException e) { if (log.isDebugEnabled()) { log.debug("Failed to encode the certificate as a byte array: " + e.getMessage()); } } } if (certificate != null || certificateEncoded != null) { this.type = certificate.getType(); this.fingerprintSha256 = new String( Hex.encode(CertTools.generateSHA256Fingerprint(certificateEncoded))); final PublicKey publicKey = certificate.getPublicKey(); this.publicKeyAlgorithm = AlgorithmTools.getKeyAlgorithm(publicKey); this.publicKeySpecification = AlgorithmTools.getKeySpecification(publicKey); if (publicKey instanceof RSAPublicKey) { this.publicKeyParameter = ((RSAPublicKey) publicKey).getModulus().toString(16); } else if (certificate.getPublicKey() instanceof DSAPublicKey) { this.publicKeyParameter = ((DSAPublicKey) publicKey).getY().toString(16); } else if (certificate.getPublicKey() instanceof ECPublicKey) { this.publicKeyParameter = ((ECPublicKey) publicKey).getW().getAffineX().toString(16) + " " + ((ECPublicKey) publicKey).getW().getAffineY().toString(16); } this.created = ValidityDate.formatAsISO8601ServerTZ(CertTools.getNotBefore(certificate).getTime(), TimeZone.getDefault()); this.signatureAlgorithm = AlgorithmTools.getCertSignatureAlgorithmNameAsString(certificate); if (certificate instanceof X509Certificate) { final X509Certificate x509Certificate = (X509Certificate) certificate; this.typeVersion = Integer.toString(x509Certificate.getVersion()); this.subjectAn = CertTools.getSubjectAlternativeName(certificate); try { this.subjectDa = SubjectDirAttrExtension.getSubjectDirectoryAttributes(certificate); } catch (ParseException e) { if (log.isDebugEnabled()) { log.debug("Failed to parse Subject Directory Attributes extension: " + e.getMessage()); } } final int basicConstraints = x509Certificate.getBasicConstraints(); if (basicConstraints == Integer.MAX_VALUE) { this.basicConstraints = ""; } else if (basicConstraints == -1) { this.basicConstraints = callbacks.getRaLocaleBean() .getMessage("component_certdetails_info_basicconstraints_ee"); } else { this.basicConstraints = callbacks.getRaLocaleBean() .getMessage("component_certdetails_info_basicconstraints_ca", basicConstraints); } keyUsages.clear(); final boolean[] keyUsageArray = x509Certificate.getKeyUsage(); for (int i = 0; i < keyUsageArray.length; i++) { if (keyUsageArray[i]) { keyUsages.add(String.valueOf(i)); } } extendedKeyUsages.clear(); try { final List<String> extendedKeyUsages = x509Certificate.getExtendedKeyUsage(); if (extendedKeyUsages != null) { this.extendedKeyUsages.addAll(extendedKeyUsages); } } catch (CertificateParsingException e) { if (log.isDebugEnabled()) { log.debug("Failed to parse Extended Key Usage extension: " + e.getMessage()); } } this.hasNameConstraints = x509Certificate .getExtensionValue(Extension.nameConstraints.getId()) != null; final CertificateTransparency ct = CertificateTransparencyFactory.getInstance(); this.hasCertificateTransparencyScts = ct != null ? ct.hasSCTs(certificate) : false; this.hasQcStatements = QCStatementExtension.hasQcStatement(certificate); } else if (certificate instanceof CardVerifiableCertificate) { final CardVerifiableCertificate cardVerifiableCertificate = (CardVerifiableCertificate) certificate; this.typeVersion = String.valueOf(CVCertificateBody.CVC_VERSION); // Role and access rights try { final AuthorizationField authorizationField = cardVerifiableCertificate.getCVCertificate() .getCertificateBody().getAuthorizationTemplate().getAuthorizationField(); if (authorizationField != null) { this.cvcAuthorizationRole = String.valueOf(authorizationField.getAuthRole()); this.cvcAuthorizationAccessRights = String.valueOf(authorizationField.getAccessRights()); } } catch (NoSuchFieldException e) { if (log.isDebugEnabled()) { log.debug("Failed to parse CVC AuthorizationTemplate's AuthorizationField: " + e.getMessage()); } } } } this.expireDate = certificateData.getExpireDate(); this.expires = ValidityDate.formatAsISO8601ServerTZ(expireDate, TimeZone.getDefault()); if (status == CertificateConstants.CERT_ARCHIVED || status == CertificateConstants.CERT_REVOKED) { this.updated = ValidityDate.formatAsISO8601ServerTZ(certificateData.getRevocationDate(), TimeZone.getDefault()); this.revocationDate = ValidityDate.formatAsISO8601ServerTZ(certificateData.getRevocationDate(), TimeZone.getDefault()); } else { this.updated = ValidityDate.formatAsISO8601ServerTZ(certificateData.getUpdateTime(), TimeZone.getDefault()); } final String subjectKeyIdB64 = certificateData.getSubjectKeyId(); if (subjectKeyIdB64 != null) { this.subjectKeyId = new String(Hex.encode(Base64.decode(subjectKeyIdB64.getBytes()))); } styleRowCallCounter = 0; // Reset }
From source file:org.ejbca.ui.web.CertificateView.java
License:Open Source License
public boolean hasNameConstraints() { if (certificate instanceof X509Certificate) { X509Certificate x509cert = (X509Certificate) certificate; byte[] ext = x509cert.getExtensionValue(Extension.nameConstraints.getId()); return ext != null; }/* w w w . j a va2s . co m*/ return false; }
From source file:org.tdmx.client.crypto.certificate.CredentialUtils.java
License:Open Source License
/** * Create the credentials of a ZoneAdministrator. * /*from w w w . j a v a 2 s. c o m*/ * The ZoneAdministrator credentials are long validity. * * @param req * @return * @throws CryptoCertificateException */ public static PKIXCredential createZoneAdministratorCredential(ZoneAdministrationCredentialSpecifier req) throws CryptoCertificateException { KeyPair kp = null; try { kp = req.getKeyAlgorithm().generateNewKeyPair(); } catch (CryptoException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_KEYPAIR_GENERATION, e); } PublicKey publicKey = kp.getPublic(); PrivateKey privateKey = kp.getPrivate(); X500NameBuilder subjectBuilder = new X500NameBuilder(); if (StringUtils.hasText(req.getCountry())) { subjectBuilder.addRDN(BCStyle.C, req.getCountry()); } if (StringUtils.hasText(req.getLocation())) { subjectBuilder.addRDN(BCStyle.L, req.getLocation()); } if (StringUtils.hasText(req.getOrg())) { subjectBuilder.addRDN(BCStyle.O, req.getOrg()); } if (StringUtils.hasText(req.getOrgUnit())) { if (TDMX_DOMAIN_CA_OU.equals(req.getOrgUnit())) { throw new CryptoCertificateException(CertificateResultCode.ERROR_INVALID_OU); } subjectBuilder.addRDN(BCStyle.OU, req.getOrgUnit()); } if (StringUtils.hasText(req.getEmailAddress())) { subjectBuilder.addRDN(BCStyle.E, req.getEmailAddress()); } if (StringUtils.hasText(req.getTelephoneNumber())) { subjectBuilder.addRDN(BCStyle.TELEPHONE_NUMBER, req.getTelephoneNumber()); } if (StringUtils.hasText(req.getCn())) { subjectBuilder.addRDN(BCStyle.CN, req.getCn()); } X500Name subject = subjectBuilder.build(); X500Name issuer = subject; JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuer, new BigInteger("1"), req.getNotBefore().getTime(), req.getNotAfter().getTime(), subject, publicKey); try { BasicConstraints cA = new BasicConstraints(1); certBuilder.addExtension(Extension.basicConstraints, true, cA); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(publicKey)); certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey)); KeyUsage ku = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign); certBuilder.addExtension(Extension.keyUsage, false, ku); // RFC5280 http://tools.ietf.org/html/rfc5280#section-4.2.1.10 // The CA has a CN which is not part of the name constraint - but we can constrain // any domain certificate issued to be limited to some OU under the O. X500NameBuilder subjectConstraintBuilder = new X500NameBuilder(); if (StringUtils.hasText(req.getCountry())) { subjectConstraintBuilder.addRDN(BCStyle.C, req.getCountry()); } if (StringUtils.hasText(req.getLocation())) { subjectConstraintBuilder.addRDN(BCStyle.L, req.getLocation()); } if (StringUtils.hasText(req.getOrg())) { subjectConstraintBuilder.addRDN(BCStyle.O, req.getOrg()); } if (StringUtils.hasText(req.getOrgUnit())) { subjectConstraintBuilder.addRDN(BCStyle.OU, req.getOrgUnit()); } subjectConstraintBuilder.addRDN(BCStyle.OU, TDMX_DOMAIN_CA_OU); X500Name nameConstraint = subjectConstraintBuilder.build(); GeneralName snc = new GeneralName(GeneralName.directoryName, nameConstraint); GeneralSubtree snSubtree = new GeneralSubtree(snc, new BigInteger("0"), null); NameConstraints nc = new NameConstraints(new GeneralSubtree[] { snSubtree }, null); certBuilder.addExtension(Extension.nameConstraints, true, nc); certBuilder.addExtension(TdmxZoneInfo.tdmxZoneInfo, false, req.getZoneInfo()); ContentSigner signer = SignatureAlgorithm.getContentSigner(privateKey, req.getSignatureAlgorithm()); byte[] certBytes = certBuilder.build(signer).getEncoded(); PKIXCertificate c = CertificateIOUtils.decodeX509(certBytes); return new PKIXCredential(c, privateKey); } catch (CertIOException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } catch (NoSuchAlgorithmException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } catch (IOException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } }
From source file:org.tdmx.client.crypto.certificate.CredentialUtils.java
License:Open Source License
/** * Create the credentials of a DomainAdministrator. * /*from ww w . j a va2 s . c om*/ * @param req * @return * @throws CryptoCertificateException */ public static PKIXCredential createDomainAdministratorCredential(DomainAdministrationCredentialSpecifier req) throws CryptoCertificateException { KeyPair kp = null; try { kp = req.getKeyAlgorithm().generateNewKeyPair(); } catch (CryptoException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_KEYPAIR_GENERATION, e); } PublicKey publicKey = kp.getPublic(); PrivateKey privateKey = kp.getPrivate(); PKIXCredential issuerCredential = req.getZoneAdministratorCredential(); PKIXCertificate issuerPublicCert = issuerCredential.getPublicCert(); PublicKey issuerPublicKey = issuerPublicCert.getCertificate().getPublicKey(); PrivateKey issuerPrivateKey = issuerCredential.getPrivateKey(); X500NameBuilder subjectBuilder = new X500NameBuilder(); if (StringUtils.hasText(issuerPublicCert.getCountry())) { subjectBuilder.addRDN(BCStyle.C, issuerPublicCert.getCountry()); } if (StringUtils.hasText(issuerPublicCert.getLocation())) { subjectBuilder.addRDN(BCStyle.L, issuerPublicCert.getLocation()); } if (StringUtils.hasText(issuerPublicCert.getOrganization())) { subjectBuilder.addRDN(BCStyle.O, issuerPublicCert.getOrganization()); } if (StringUtils.hasText(issuerPublicCert.getOrgUnit())) { subjectBuilder.addRDN(BCStyle.OU, issuerPublicCert.getOrgUnit()); } subjectBuilder.addRDN(BCStyle.OU, TDMX_DOMAIN_CA_OU); subjectBuilder.addRDN(BCStyle.CN, req.getDomainName()); X500Name subject = subjectBuilder.build(); X500Name issuer = issuerPublicCert.getSubjectName(); JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuer, new BigInteger("1"), req.getNotBefore().getTime(), req.getNotAfter().getTime(), subject, publicKey); try { BasicConstraints cA = new BasicConstraints(0); certBuilder.addExtension(Extension.basicConstraints, true, cA); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(issuerPublicKey)); certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey)); KeyUsage ku = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign); certBuilder.addExtension(Extension.keyUsage, false, ku); // RFC5280 http://tools.ietf.org/html/rfc5280#section-4.2.1.10 // The CA has a CN which is not part of the name constraint - but we can constrain // any domain certificate issued to be limited to some OU under the O. X500NameBuilder subjectConstraintBuilder = new X500NameBuilder(); if (StringUtils.hasText(issuerPublicCert.getCountry())) { subjectConstraintBuilder.addRDN(BCStyle.C, issuerPublicCert.getCountry()); } if (StringUtils.hasText(issuerPublicCert.getLocation())) { subjectConstraintBuilder.addRDN(BCStyle.L, issuerPublicCert.getLocation()); } if (StringUtils.hasText(issuerPublicCert.getOrganization())) { subjectConstraintBuilder.addRDN(BCStyle.O, issuerPublicCert.getOrganization()); } if (StringUtils.hasText(issuerPublicCert.getOrgUnit())) { subjectConstraintBuilder.addRDN(BCStyle.OU, issuerPublicCert.getOrgUnit()); } subjectConstraintBuilder.addRDN(BCStyle.OU, TDMX_DOMAIN_CA_OU); subjectConstraintBuilder.addRDN(BCStyle.OU, req.getDomainName()); X500Name nameConstraint = subjectConstraintBuilder.build(); GeneralName snc = new GeneralName(GeneralName.directoryName, nameConstraint); GeneralSubtree snSubtree = new GeneralSubtree(snc, new BigInteger("0"), null); NameConstraints nc = new NameConstraints(new GeneralSubtree[] { snSubtree }, null); certBuilder.addExtension(Extension.nameConstraints, true, nc); certBuilder.addExtension(TdmxZoneInfo.tdmxZoneInfo, false, issuerPublicCert.getTdmxZoneInfo()); ContentSigner signer = SignatureAlgorithm.getContentSigner(issuerPrivateKey, req.getSignatureAlgorithm()); byte[] certBytes = certBuilder.build(signer).getEncoded(); PKIXCertificate c = CertificateIOUtils.decodeX509(certBytes); return new PKIXCredential(c, issuerCredential.getCertificateChain(), privateKey); } catch (CertIOException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } catch (NoSuchAlgorithmException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } catch (IOException e) { throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e); } }
From source file:org.tdmx.client.crypto.certificate.PKIXCertificate.java
License:Open Source License
private X500Name getSubjectNameConstraint() { Extension e = holder.getExtension(Extension.nameConstraints); if (e != null && e.isCritical()) { NameConstraints nc = NameConstraints.getInstance(e.getParsedValue()); GeneralSubtree[] permitted = nc.getPermittedSubtrees(); if (permitted != null && permitted.length > 0) { GeneralName base = permitted[0].getBase(); if (base != null) { if (GeneralName.directoryName == base.getTagNo()) { X500Name baseName = X500Name.getInstance(base.getName()); return baseName; }//from w w w . ja va2 s. c o m } } } return null; }