List of usage examples for org.bouncycastle.asn1.x509 Extension subjectAlternativeName
ASN1ObjectIdentifier subjectAlternativeName
To view the source code for org.bouncycastle.asn1.x509 Extension subjectAlternativeName.
Click Source Link
From source file:com.yahoo.athenz.auth.util.Crypto.java
License:Apache License
public static List<String> extractX509CSRIPAddresses(PKCS10CertificationRequest certReq) { List<String> ipAddresses = new ArrayList<>(); Attribute[] attributes = certReq.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest); for (Attribute attribute : attributes) { for (ASN1Encodable value : attribute.getAttributeValues()) { Extensions extensions = Extensions.getInstance(value); GeneralNames gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName); for (GeneralName name : gns.getNames()) { if (name.getTagNo() == GeneralName.iPAddress) { try { InetAddress addr = InetAddress .getByAddress(((DEROctetString) name.getName()).getOctets()); ipAddresses.add(addr.getHostAddress()); } catch (UnknownHostException e) { }/*from w w w . j a v a2 s.c om*/ } } } } return ipAddresses; }
From source file:com.yahoo.athenz.auth.util.Crypto.java
License:Apache License
public static String generateX509CSR(PrivateKey privateKey, PublicKey publicKey, String x500Principal, GeneralName[] sanArray) throws OperatorCreationException, IOException { // Create Distinguished Name X500Principal subject = new X500Principal(x500Principal); // Create ContentSigner JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder(Crypto.RSA_SHA256); ContentSigner signer = csBuilder.build(privateKey); // Create the CSR PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(subject, publicKey); // Add SubjectAlternativeNames (SAN) if specified if (sanArray != null) { ExtensionsGenerator extGen = new ExtensionsGenerator(); GeneralNames subjectAltNames = new GeneralNames(sanArray); extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames); p10Builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate()); }/* ww w . j a v a 2 s . c om*/ PKCS10CertificationRequest csr = p10Builder.build(signer); // write to openssl PEM format PemObject pemObject = new PemObject("CERTIFICATE REQUEST", csr.getEncoded()); StringWriter strWriter; try (JcaPEMWriter pemWriter = new JcaPEMWriter(strWriter = new StringWriter())) { pemWriter.writeObject(pemObject); } return strWriter.toString(); }
From source file:com.yahoo.athenz.auth.util.Crypto.java
License:Apache License
public static X509Certificate generateX509Certificate(PKCS10CertificationRequest certReq, PrivateKey caPrivateKey, X500Name issuer, int validityTimeout, boolean basicConstraints) { // set validity for the given number of minutes from now Date notBefore = new Date(); Calendar cal = Calendar.getInstance(); cal.setTime(notBefore);//from w w w. j av a 2 s . c o m cal.add(Calendar.MINUTE, validityTimeout); Date notAfter = cal.getTime(); // Generate self-signed certificate X509Certificate cert = null; try { JcaPKCS10CertificationRequest jcaPKCS10CertificationRequest = new JcaPKCS10CertificationRequest( certReq); PublicKey publicKey = jcaPKCS10CertificationRequest.getPublicKey(); X509v3CertificateBuilder caBuilder = new JcaX509v3CertificateBuilder(issuer, BigInteger.valueOf(System.currentTimeMillis()), notBefore, notAfter, certReq.getSubject(), publicKey) .addExtension(Extension.basicConstraints, false, new BasicConstraints(basicConstraints)) .addExtension(Extension.keyUsage, true, new X509KeyUsage(X509KeyUsage.digitalSignature | X509KeyUsage.keyEncipherment)) .addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth })); // see if we have the dns/rfc822/ip address extensions specified in the csr ArrayList<GeneralName> altNames = new ArrayList<>(); Attribute[] certAttributes = jcaPKCS10CertificationRequest .getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest); if (certAttributes != null && certAttributes.length > 0) { for (Attribute attribute : certAttributes) { Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0)); GeneralNames gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName); if (gns == null) { continue; } GeneralName[] names = gns.getNames(); for (int i = 0; i < names.length; i++) { switch (names[i].getTagNo()) { case GeneralName.dNSName: case GeneralName.iPAddress: case GeneralName.rfc822Name: altNames.add(names[i]); break; } } } if (!altNames.isEmpty()) { caBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(altNames.toArray(new GeneralName[altNames.size()]))); } } String signatureAlgorithm = getSignatureAlgorithm(caPrivateKey.getAlgorithm(), SHA256); ContentSigner caSigner = new JcaContentSignerBuilder(signatureAlgorithm).setProvider(BC_PROVIDER) .build(caPrivateKey); JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BC_PROVIDER); cert = converter.getCertificate(caBuilder.build(caSigner)); } catch (CertificateException ex) { LOG.error("generateX509Certificate: Caught CertificateException when generating certificate: " + ex.getMessage()); throw new CryptoException(ex); } catch (OperatorCreationException ex) { LOG.error( "generateX509Certificate: Caught OperatorCreationException when creating JcaContentSignerBuilder: " + ex.getMessage()); throw new CryptoException(ex); } catch (InvalidKeyException ex) { LOG.error("generateX509Certificate: Caught InvalidKeySpecException, invalid key spec is being used: " + ex.getMessage()); throw new CryptoException(ex); } catch (NoSuchAlgorithmException ex) { LOG.error( "generateX509Certificate: Caught NoSuchAlgorithmException, check to make sure the algorithm is supported by the provider: " + ex.getMessage()); throw new CryptoException(ex); } catch (Exception ex) { LOG.error("generateX509Certificate: unable to generate X509 Certificate: " + ex.getMessage()); throw new CryptoException("Unable to generate X509 Certificate"); } return cert; }
From source file:edu.nps.moves.mmowgli.CACManager.java
License:Open Source License
private static void parseCert(String cert, CACData data) { cert = cert.replace(' ', '\r'); cert = cert.replace("BEGIN\rCERTIFICATE", "BEGIN CERTIFICATE"); cert = cert.replace("END\rCERTIFICATE", "END CERTIFICATE"); PEMParser pr = new PEMParser(new StringReader(cert)); try {/* w ww . ja va2s. c o m*/ Object o = pr.readObject(); pr.close(); if (o instanceof X509CertificateHolder) { X509CertificateHolder x509 = (X509CertificateHolder) o; X500Name x500name = x509.getSubject(); RDN cnRdns[] = x500name.getRDNs(BCStyle.CN); String cn = IETFUtils.valueToString(cnRdns[0].getFirst().getValue()); parseCN(cn, data); GeneralNames gns = GeneralNames.fromExtensions(x509.getExtensions(), Extension.subjectAlternativeName); if (gns != null) { GeneralName[] subjectAltNames = gns.getNames(); for (GeneralName gn : subjectAltNames) { if (gn.getTagNo() == GeneralName.rfc822Name) { // check for email String s = DERIA5String.getInstance(gn.getName()).getString(); if (s.contains("@")) { data.userEmail = s; break; } } } } // Create the unique card identifier (issuer+serial) which when hashed goes into the database for quick login String uniqueCertId = x509.getIssuer().toString() + " " + x509.getSerialNumber().toString(); MessageDigest md = MessageDigest.getInstance("SHA-256"); md.update(uniqueCertId.getBytes("UTF-8")); // or UTF-16 byte[] digest = md.digest(); data.cacId = Hex.encodeHexString(digest); /* Alternatively, this will do a salted hash, but the output is not the same for the same input; better security * but the login performance would be bad since the user list has to be polled instead of indexed try { data.cacId = PasswordHash.createHash(uniqueCertId); } catch(Exception ex) { MSysOut.println(MmowgliConstants.SYSTEM_LOGS,"Program error, could not create CAC hash; auto-login disabled"); data.cacId = null; } System.out.println("data cacId: "+data.cacId); */ } } catch (IOException | NoSuchAlgorithmException ex) { MSysOut.println(MmowgliConstants.SYSTEM_LOGS, ex.getClass().getSimpleName() + ": Program error, could not parse CAC"); data.cacId = null; data.isCACPresent = false; } // Some informational stuff /* this gives same info as the x509 methods below RDN rdns[] = x500name.getRDNs(); for(RDN rdn : rdns) { AttributeTypeAndValue[] tandV = rdn.getTypesAndValues(); for(AttributeTypeAndValue tv : tandV) { System.out.println(tv.getType()); System.out.println(IETFUtils.valueToString(tv.getType())); System.out.println(tv.getValue()); System.out.println(IETFUtils.valueToString(tv.getValue())); } } */ /* System.out.println("X509 version: "+x509.getVersionNumber()); System.out.println("X509 Serial num: "+x509.getSerialNumber()); System.out.println("X509 Sig algo: "+x509.getSignatureAlgorithm().getAlgorithm().toASN1Primitive()); System.out.println("X509 Issuer: "+x509.getIssuer()); System.out.println("X509 Not before: "+x509.getNotBefore()); System.out.println("X509 Not after: "+x509.getNotAfter()); System.out.println("X509 Subject: "+x509.getSubject()); System.out.println("X509 Subject Public Key Info: "+x509.getSubjectPublicKeyInfo().getAlgorithm().getAlgorithm()); */ /* System.out.println("CriticalExtensionOIDs: "); Set<?> set = x509.getCriticalExtensionOIDs(); Iterator<?> itr = set.iterator(); while(itr.hasNext()) { ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)itr.next(); System.out.println(oid.toString()+" : "+x509.getExtension(oid).getParsedValue()); } System.out.println("NonCriticalExtensionOIDs: "); set = x509.getNonCriticalExtensionOIDs(); itr = set.iterator(); while(itr.hasNext()) { ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)itr.next(); System.out.println(oid.toString()+" : "+x509.getExtension(oid).getParsedValue()); } System.out.println("Other api: getExtensionOIDs"); List<?> lis = x509.getExtensionOIDs(); itr = lis.iterator(); while(itr.hasNext()) { ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)itr.next(); System.out.println(oid.toString()+" : "+x509.getExtension(oid).getParsedValue()); } System.out.println("From the extensions \"block\""); Extensions exts = x509.getExtensions(); ASN1ObjectIdentifier[] ids = exts.getExtensionOIDs(); for(ASN1ObjectIdentifier oid : ids) { org.bouncycastle.asn1.x509.Extension ext = exts.getExtension(oid); System.out.println(oid.toString()+": "+IETFUtils.valueToString(ext.getParsedValue())); } // */ }
From source file:esteidhacker.FakeEstEIDCA.java
License:Open Source License
public X509Certificate generateUserCertificate(RSAPublicKey pubkey, boolean signature, String firstname, String lastname, String idcode, String email) throws InvalidKeyException, ParseException, IOException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateException, OperatorCreationException { Date startDate = new SimpleDateFormat("yyyy-MM-dd", Locale.ENGLISH).parse("2015-01-01"); Date endDate = new SimpleDateFormat("yyyy-MM-dd", Locale.ENGLISH).parse("2015-12-31"); String template = "C=EE,O=ESTEID,OU=%s,CN=%s\\,%s\\,%s,SURNAME=%s,GIVENNAME=%s,SERIALNUMBER=%s"; // Normalize. lastname = lastname.toUpperCase();// w ww . j av a 2 s.c o m firstname = firstname.toUpperCase(); idcode = idcode.toUpperCase(); email = email.toLowerCase(); String subject = String.format(template, (signature ? "digital signature" : "authentication"), lastname, firstname, idcode, lastname, firstname, idcode); byte[] serialBytes = new byte[16]; SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG"); rnd.nextBytes(serialBytes); serialBytes[0] &= 0x7F; // Can't be negative BigInteger serial = new BigInteger(serialBytes); X509CertificateHolder real; if (signature) { real = getRealCert("/resources/sk-sign.pem"); } else { real = getRealCert("/resources/sk-auth.pem"); } serial = real.getSerialNumber(); System.out.println("Generating from subject: " + real.getSubject()); System.out.println("Generating subject: " + new X500Name(subject).toString()); JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(real.getIssuer(), serial, startDate, endDate, new X500Name(subject), pubkey); @SuppressWarnings("unchecked") List<ASN1ObjectIdentifier> list = real.getExtensionOIDs(); // Copy all extensions, except altName for (ASN1ObjectIdentifier extoid : list) { Extension ext = real.getExtension(extoid); if (ext.getExtnId().equals(Extension.subjectAlternativeName)) { // altName must be changed builder.addExtension(ext.getExtnId(), ext.isCritical(), new GeneralNames(new GeneralName(GeneralName.rfc822Name, email))); } else { builder.copyAndAddExtension(ext.getExtnId(), ext.isCritical(), real); } } // Generate cert ContentSigner sigGen = new JcaContentSignerBuilder("SHA1withRSA") .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(esteidKey); X509CertificateHolder cert = builder.build(sigGen); return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME) .getCertificate(cert); }
From source file:eu.betaas.taas.securitymanager.authentication.service.impl.GWEcmqvExtService.java
License:Apache License
public EcmqvMessage initEcmqv(byte[] ephPubX, byte[] ephPubY, byte[] certByte) { // decode the certificate X509CertificateHolder cert = null;/*from w w w.j a v a2 s . c o m*/ try { cert = new X509CertificateHolder(certByte); } catch (IOException e1) { log.error("Error in decoding the submitted certificate!!"); e1.printStackTrace(); } // validate the certificate boolean isCertValid = false; try { isCertValid = validateCert(cert); } catch (Exception e) { log.error("Error in verifying the submitted certificate: " + e.getMessage()); e.printStackTrace(); } if (!isCertValid) { log.error("The submitted certificate is not valid!!"); return null; } log.debug("Passed the certificate validation!!"); // decode the ephemeral public key try { ephPub = ECKeyPairGen.generateECPublicKey192(new BigInteger(ephPubX), new BigInteger(ephPubY)); } catch (Exception e) { log.error("Error in decoding the submitted ephemeral public key: " + e.getMessage()); e.printStackTrace(); } // perform embedded public key validation boolean pubValid = ECMQVUtils.validateEmbedPubKey(ephPub); if (!pubValid) { log.error("The submitted ephemeral public key is not valid!!"); return null; } log.debug("Passed the embedded ephemeral public key validation!!"); // generates its own ephemeral key pairs, we assume that in this stage the // ephemeral key pairs were not generated AsymmetricCipherKeyPair myEphKp = ECKeyPairGen.generateECKeyPair192(); myEphPub = (ECPublicKeyParameters) myEphKp.getPublic(); myEphPriv = (ECPrivateKeyParameters) myEphKp.getPrivate(); // computes the implicit signature --> the static private key was obtained // when we validate the certificate (upon loading the KeyStore) BigInteger implSig = ECMQVUtils.computeImplicitSig(myEphPub, myEphPriv, statPriv); // calculates the shared key K ECPoint K = null; try { K = ECMQVUtils.calculateSharedKey(ephPub, (ECPublicKeyParameters) PublicKeyFactory.createKey(cert.getSubjectPublicKeyInfo()), ephPub.getParameters().getH(), implSig); } catch (IOException e) { log.error("Error in calculating the shared key K: " + e.getMessage()); e.printStackTrace(); } // derive 2 symmetric keys from the shared key K byte[] Kx = K.normalize().getXCoord().toBigInteger().toByteArray(); int Lx = K.normalize().getXCoord().toBigInteger().bitLength(); double x = Math.log(Lx) / Math.log(2.0); double L = Math.pow(2, 1 + Math.ceil(x)); byte[] deriveK = ECMQVUtils.deriveKeyHKDF(Kx, (int) L / 8); // k1 and k2 split from newKey --> k1: to be MACed, k2: the session key k1 = new byte[deriveK.length / 2]; k2 = new byte[deriveK.length / 2]; int c = 0; for (byte b : deriveK) { if (c < deriveK.length / 2) { k1[c] = b; } else { k2[c - deriveK.length / 2] = b; } c++; } // retrieving my user friendly name from the SubjectAlternativeNames in my // certificate Extensions myExs = myCert.getExtensions(); if (myExs != null) { GeneralNames gns = GeneralNames.fromExtensions(myExs, Extension.subjectAlternativeName); for (int i = 0; i < gns.getNames().length; i++) { myUFN = gns.getNames()[i].getName().toString(); } } // retrieving other GW user friendly name from the SubjectAlternativeNames // in the submitted certificate Extensions oExs = cert.getExtensions(); if (oExs != null) { GeneralNames gns = GeneralNames.fromExtensions(oExs, Extension.subjectAlternativeName); for (int i = 0; i < gns.getNames().length; i++) { ufn = gns.getNames()[i].getName().toString(); } } // compute the MAC to be sent to the other gateway byte[] myMac = ECMQVUtils.computeMAC("2", myUFN, ufn, myEphPub.getQ().getEncoded(), ephPub.getQ().getEncoded(), k1); EcmqvMessage eMsg = new EcmqvMessage(); eMsg.setMyMac(myMac); try { eMsg.setMyCertificate(myCert.getEncoded()); } catch (IOException e) { log.error("Error in encoding the certificate: " + e.getMessage()); e.printStackTrace(); } eMsg.setEphemeralPublicX(myEphPub.getQ().normalize().getXCoord().toBigInteger().toByteArray()); eMsg.setEphemeralPublicY(myEphPub.getQ().normalize().getXCoord().toBigInteger().toByteArray()); return eMsg; }
From source file:eu.betaas.taas.securitymanager.authentication.service.impl.GWEcmqvIntService.java
License:Apache License
public byte[] responseEcmqv(EcmqvMessage eMsg) throws Exception { // decode the certificate X509CertificateHolder cert = new X509CertificateHolder(eMsg.getMyCertificate()); // decode the ECPublicKey ECPublicKeyParameters ephPub = ECKeyPairGen.generateECPublicKey192( new BigInteger(eMsg.getEphemeralPublicX()), new BigInteger(eMsg.getEphemeralPublicY())); // get the MAC 2 byte[] mac2 = eMsg.getMyMac(); // validate the certificate boolean isCertValid = false; isCertValid = validateCert(cert);//from w w w . ja v a 2 s . co m if (!isCertValid) { log.error("The submitted certificate is not valid!!"); return null; } log.debug("Passed the certificate validation!!"); // perform embedded public key validation boolean pubValid = ECMQVUtils.validateEmbedPubKey(ephPub); if (!pubValid) { log.error("The submitted ephemeral public key is not valid!!"); return null; } log.debug("Passed the embedded ephemeral public key validation!!"); // set the ephPub with this received ephPub this.ephPub = ephPub; // now, no need to generate my own ephemeral key here, because it is done // compute the implicit signature BigInteger implSig = ECMQVUtils.computeImplicitSig(myEphPub, myEphPriv, statPriv); // calculates the shared key K ECPublicKeyParameters statPub = (ECPublicKeyParameters) PublicKeyFactory .createKey(cert.getSubjectPublicKeyInfo()); org.bouncycastle.math.ec.ECPoint K = ECMQVUtils.calculateSharedKey(this.ephPub, statPub, this.ephPub.getParameters().getH(), implSig); // derive 2 symmetric keys from the shared key K byte[] Kx = K.normalize().getXCoord().toBigInteger().toByteArray(); int Lx = K.normalize().getXCoord().toBigInteger().bitLength(); double x = Math.log(Lx) / Math.log(2.0); double L = Math.pow(2, 1 + Math.ceil(x)); byte[] deriveK = ECMQVUtils.deriveKeyHKDF(Kx, (int) L / 8); // k1 and k2 split from newKey --> k1: to be MACed, k2: the session key k1 = new byte[deriveK.length / 2]; k2 = new byte[deriveK.length / 2]; int c = 0; for (byte b : deriveK) { if (c < deriveK.length / 2) { k1[c] = b; } else { k2[c - deriveK.length / 2] = b; } c++; } // retrieving my user friendly name from the SubjectAlternativeNames in my // certificate Extensions myExs = myCert.getExtensions(); if (myExs != null) { GeneralNames gns = GeneralNames.fromExtensions(myExs, Extension.subjectAlternativeName); for (int i = 0; i < gns.getNames().length; i++) { myUFN = gns.getNames()[i].getName().toString(); } } // retrieving other GW user friendly name from the SubjectAlternativeNames // in the submitted certificate Extensions oExs = cert.getExtensions(); if (oExs != null) { GeneralNames gns = GeneralNames.fromExtensions(oExs, Extension.subjectAlternativeName); for (int i = 0; i < gns.getNames().length; i++) { ufn = gns.getNames()[i].getName().toString(); } } // validate MAC 2, which is received from other GW boolean isMac2Valid = verifyMac2(mac2, ufn, myUFN, this.ephPub, myEphPub, k1); // compute the MAC to be sent to the other gateway if (!isMac2Valid) { log.error("Fails to verify the received MAC (2)!!"); return null; } log.debug("Successfully verifies the received MAC (2)!!"); byte[] mac3 = ECMQVUtils.computeMAC("3", myUFN, ufn, myEphPub.getQ().getEncoded(), ephPub.getQ().getEncoded(), k1); return mac3; }
From source file:eu.betaas.taas.securitymanager.common.certificate.utils.GWCertificateUtilsBc.java
License:Apache License
/** * //from w w w . j av a2 s . c o m * @param entityKey - public key of the requesting GW * @param caKey * @param caCert * @return * @throws Exception */ public static X509CertificateHolder buildEndEntityCert(X500Name subject, AsymmetricKeyParameter entityKey, AsymmetricKeyParameter caKey, X509CertificateHolder caCert, String ufn) throws Exception { SubjectPublicKeyInfo entityKeyInfo = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(entityKey); if (subject == null) subject = new X500Name("CN = BETaaS Gateway Certificate"); X509v3CertificateBuilder certBldr = new X509v3CertificateBuilder(caCert.getSubject(), BigInteger.valueOf(1), new Date(System.currentTimeMillis()), new Date(System.currentTimeMillis() + VALIDITY_PERIOD), subject, entityKeyInfo); X509ExtensionUtils extUtils = new X509ExtensionUtils(new SHA1DigestCalculator()); certBldr.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert)) .addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(entityKeyInfo)) .addExtension(Extension.basicConstraints, true, new BasicConstraints(false)) .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)) .addExtension(Extension.subjectAlternativeName, false, new GeneralNames(new GeneralName(GeneralName.rfc822Name, ufn))); AlgorithmIdentifier sigAlg = algFinder.find(ALG_NAME); AlgorithmIdentifier digAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg); ContentSigner signer = new BcECDSAContentSignerBuilder(sigAlg, digAlg).build(caKey); return certBldr.build(signer); }
From source file:eu.betaas.taas.securitymanager.common.certificate.utils.GWCertificateUtilsBc.java
License:Apache License
/** * A method to build PKCS10 Certification request (BC style) * @param subject: the subject info/data in X500Name format * @param kp: the subject's key pair// w ww .j av a 2 s. c o m * @param subjectAltName: subject's UFN * @return * @throws Exception */ public static PKCS10CertificationRequest buildCertificateRequest(X500Name subject, AsymmetricCipherKeyPair kp, String subjectAltName) throws Exception { String sigName = "SHA1withECDSA"; SignatureAlgorithmIdentifierFinder algFinder = new DefaultSignatureAlgorithmIdentifierFinder(); PKCS10CertificationRequestBuilder requestBuilder = new BcPKCS10CertificationRequestBuilder(subject, kp.getPublic()); ExtensionsGenerator extGen = new ExtensionsGenerator(); extGen.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(new GeneralName(GeneralName.rfc822Name, subjectAltName + "@betaas.eu"))); requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate()); AlgorithmIdentifier sigAlg = algFinder.find(sigName); AlgorithmIdentifier digAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg); ContentSigner signer = new BcECDSAContentSignerBuilder(sigAlg, digAlg).build(kp.getPrivate()); PKCS10CertificationRequest req1 = requestBuilder.build(signer); return req1; }
From source file:fi.aalto.cs.drumbeat.ClientCertificateCreator.java
License:Open Source License
public void fillInto(X509v3CertificateBuilder certGen) throws CertIOException { if (!sans.isEmpty()) { ASN1Encodable[] encodables = sans.toArray(new ASN1Encodable[sans.size()]); certGen.addExtension(Extension.subjectAlternativeName, false, new DERSequence(encodables)); }//from ww w . j a va 2s . c om }