List of usage examples for org.bouncycastle.asn1.x509 Extension subjectAlternativeName
ASN1ObjectIdentifier subjectAlternativeName
To view the source code for org.bouncycastle.asn1.x509 Extension subjectAlternativeName.
Click Source Link
From source file:org.shredzone.acme4j.util.CertificateUtils.java
License:Apache License
/** * Creates a self-signed {@link X509Certificate} that can be used for * {@link org.shredzone.acme4j.challenge.TlsSni01Challenge}. The certificate is valid * for 7 days.//from w ww .j av a 2s . co m * * @param keypair * A domain {@link KeyPair} to be used for the challenge * @param subject * Subject to create a certificate for * @return Created certificate * @deprecated Will be removed when * {@link org.shredzone.acme4j.challenge.TlsSni01Challenge} is removed */ @Deprecated public static X509Certificate createTlsSniCertificate(KeyPair keypair, String subject) throws IOException { final long now = System.currentTimeMillis(); final long validSpanMs = 7 * 24 * 60 * 60 * 1000L; final String signatureAlg = "SHA256withRSA"; try { X500Name issuer = new X500Name("CN=acme.invalid"); BigInteger serial = BigInteger.valueOf(now); Date notBefore = new Date(now); Date notAfter = new Date(now + validSpanMs); JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuer, serial, notBefore, notAfter, issuer, keypair.getPublic()); GeneralName[] gns = new GeneralName[1]; gns[0] = new GeneralName(GeneralName.dNSName, subject); certBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(gns)); JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlg); byte[] cert = certBuilder.build(signerBuilder.build(keypair.getPrivate())).getEncoded(); CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); return (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(cert)); } catch (CertificateException | OperatorCreationException ex) { throw new IOException(ex); } }
From source file:org.shredzone.acme4j.util.CertificateUtils.java
License:Apache License
/** * Creates a self-signed {@link X509Certificate} that can be used for * {@link TlsSni02Challenge}. The certificate is valid for 7 days. * * @param keypair/* w ww .j a v a2 s .c o m*/ * A domain {@link KeyPair} to be used for the challenge * @param sanA * SAN-A to be used in the certificate * @param sanB * SAN-B to be used in the certificate * @return Created certificate */ public static X509Certificate createTlsSni02Certificate(KeyPair keypair, String sanA, String sanB) throws IOException { final long now = System.currentTimeMillis(); final long validSpanMs = 7 * 24 * 60 * 60 * 1000L; final String signatureAlg = "SHA256withRSA"; try { X500Name issuer = new X500Name("CN=acme.invalid"); BigInteger serial = BigInteger.valueOf(now); Date notBefore = new Date(now); Date notAfter = new Date(now + validSpanMs); JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuer, serial, notBefore, notAfter, issuer, keypair.getPublic()); GeneralName[] gns = new GeneralName[2]; gns[0] = new GeneralName(GeneralName.dNSName, sanA); gns[1] = new GeneralName(GeneralName.dNSName, sanB); certBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(gns)); JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlg); byte[] cert = certBuilder.build(signerBuilder.build(keypair.getPrivate())).getEncoded(); CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); return (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(cert)); } catch (CertificateException | OperatorCreationException ex) { throw new IOException(ex); } }
From source file:org.shredzone.acme4j.util.CSRBuilder.java
License:Apache License
/** * Signs the completed CSR./*from w ww . j a v a 2s. c om*/ * * @param keypair * {@link KeyPair} to sign the CSR with */ public void sign(KeyPair keypair) throws IOException { if (namelist.isEmpty()) { throw new IllegalStateException("No domain was set"); } if (keypair == null) { throw new IllegalArgumentException("keypair must not be null"); } try { GeneralName[] gns = new GeneralName[namelist.size()]; for (int ix = 0; ix < namelist.size(); ix++) { gns[ix] = new GeneralName(GeneralName.dNSName, namelist.get(ix)); } GeneralNames subjectAltName = new GeneralNames(gns); PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder( namebuilder.build(), keypair.getPublic()); ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator(); extensionsGenerator.addExtension(Extension.subjectAlternativeName, false, subjectAltName); p10Builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionsGenerator.generate()); PrivateKey pk = keypair.getPrivate(); JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder( pk instanceof ECKey ? EC_SIGNATURE_ALG : SIGNATURE_ALG); ContentSigner signer = csBuilder.build(pk); csr = p10Builder.build(signer); } catch (OperatorCreationException ex) { throw new IOException("Could not generate CSR", ex); } }
From source file:org.shredzone.acme4j.util.CSRBuilderTest.java
License:Apache License
/** * Checks if the CSR contains the right parameters. * <p>//from ww w . ja va2 s.co m * This is not supposed to be a Bouncy Castle test. If the * {@link PKCS10CertificationRequest} contains the right parameters, we assume that * Bouncy Castle encodes it properly. */ @SuppressWarnings("unchecked") private void csrTest(PKCS10CertificationRequest csr) { X500Name name = csr.getSubject(); assertThat(name.getRDNs(BCStyle.CN), arrayContaining(new RDNMatcher("abc.de"))); assertThat(name.getRDNs(BCStyle.C), arrayContaining(new RDNMatcher("XX"))); assertThat(name.getRDNs(BCStyle.L), arrayContaining(new RDNMatcher("Testville"))); assertThat(name.getRDNs(BCStyle.O), arrayContaining(new RDNMatcher("Testing Co"))); assertThat(name.getRDNs(BCStyle.OU), arrayContaining(new RDNMatcher("Testunit"))); assertThat(name.getRDNs(BCStyle.ST), arrayContaining(new RDNMatcher("ABC"))); Attribute[] attr = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest); assertThat(attr.length, is(1)); ASN1Encodable[] extensions = attr[0].getAttrValues().toArray(); assertThat(extensions.length, is(1)); GeneralNames names = GeneralNames.fromExtensions((Extensions) extensions[0], Extension.subjectAlternativeName); assertThat(names.getNames(), arrayContaining(new GeneralNameMatcher("abc.de"), new GeneralNameMatcher("fg.hi"), new GeneralNameMatcher("jklm.no"), new GeneralNameMatcher("pqr.st"), new GeneralNameMatcher("uv.wx"), new GeneralNameMatcher("y.z"))); }
From source file:org.usrz.libs.crypto.cert.X509CertificateBuilder.java
License:Apache License
/** * Build the final {@link X509Certificate} instance. *//*from www . ja v a 2 s . c o m*/ public X509Certificate build() { if (subject == null) throw new IllegalStateException("Subject not specified"); if (issuer == null) throw new IllegalStateException("Issuer not specified"); if (serial == null) throw new IllegalStateException("Serial not specified"); if (!notAfter.after(notBefore)) throw new IllegalStateException("Date \"not-after\" before or equal to \"not-before\""); if (issuerPrivateKey == null) throw new IllegalStateException("Issuer private key not specified"); if (subjectPublicKey == null) throw new IllegalStateException("Sobject public key not specified"); /* Standard subject public key and X500 names */ final SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo .getInstance(subjectPublicKey.getEncoded()); final X500Name subjectName = X500Name.getInstance(subject.getEncoded()); final X500Name issuerName = X500Name.getInstance(issuer.getEncoded()); /* Derive the issuer public key from the private one if needed/possible */ if ((issuerPublicKey == null) && (issuerPrivateKey instanceof RSAPrivateCrtKey)) try { final RSAPrivateCrtKey key = (RSAPrivateCrtKey) issuerPrivateKey; final RSAPublicKeySpec spec = new RSAPublicKeySpec(key.getModulus(), key.getPublicExponent()); issuerPublicKey = KeyFactory.getInstance("RSA").generatePublic(spec); } catch (InvalidKeySpecException | NoSuchAlgorithmException exception) { Logger.getLogger(this.getClass().getName()).log(Level.FINE, "Unable to generate public key from private", exception); } final X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(issuerName, serial, notBefore, notAfter, subjectName, subjectPublicKeyInfo); try { final JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils(); /* Are we a certificate authority? */ certificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(Mode.AUTHORITY.equals(mode))); /* Add our subject key identifier */ certificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(subjectPublicKeyInfo)); /* Do we have Standard key usages? */ if (!standardKeyUsage.isEmpty()) certificateBuilder.addExtension(Extension.keyUsage, false, new KeyUsage(StandardKeyUsage.combine(standardKeyUsage))); /* Do we have extended key usages? */ if (!extendedKeyUsage.isEmpty()) certificateBuilder.addExtension(Extension.extendedKeyUsage, false, ExtendedKeyUsage.combine(extendedKeyUsage)); /* Add our authority key identifer */ if (issuerPublicKey != null) { final SubjectPublicKeyInfo authorityPublicKeyInfo = SubjectPublicKeyInfo .getInstance(issuerPublicKey.getEncoded()); certificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(authorityPublicKeyInfo)); } /* Add our alternative names */ if (!alternativeNames.isEmpty()) { final GeneralName[] names = alternativeNames.toArray(new GeneralName[alternativeNames.size()]); certificateBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(names)); } /* Add CRL distribution points */ if (!crlDistributionPoints.isEmpty()) { final DistributionPoint[] distributionPoints = new DistributionPoint[crlDistributionPoints.size()]; int position = 0; for (GeneralName generalName : crlDistributionPoints) { final DistributionPointName distributionPointName = new DistributionPointName( new GeneralNames(generalName)); distributionPoints[position++] = new DistributionPoint(distributionPointName, null, null); } final CRLDistPoint crlDistributionPoint = new CRLDistPoint(distributionPoints); certificateBuilder.addExtension(Extension.cRLDistributionPoints, false, crlDistributionPoint); } } catch (CertIOException | NoSuchAlgorithmException exception) { throw new IllegalStateException("Exception adding extensions", exception); } try { final CertificateFactory factory = CertificateFactory.getInstance("X.509"); final String signatureAlgorithm = CryptoUtils.getSignatureAlgorithm(issuerPrivateKey, hash); final ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(issuerPrivateKey); final X509CertificateHolder certificateHolder = certificateBuilder.build(signer); return (X509Certificate) factory .generateCertificate(new ByteArrayInputStream(certificateHolder.getEncoded())); } catch (OperatorCreationException exception) { throw new IllegalStateException("Unable to create certificate signature", exception); } catch (IOException exception) { throw new IllegalStateException("Unable to generate certificate data", exception); } catch (CertificateException exception) { throw new IllegalStateException("Unable to generate certificate", exception); } }
From source file:org.xipki.ca.certprofile.internal.ProfileConfCreatorDemo.java
License:Open Source License
private static X509ProfileType Certprofile_SubCA_Complex() throws Exception { X509ProfileType profile = getBaseProfile("Certprofile SubCA with most extensions", true, "8y", false, new String[] { "SHA256", "SHA1" }); // Subject//from w w w . java 2 s. co m Subject subject = profile.getSubject(); subject.setIncSerialNumber(false); List<RdnType> rdnControls = subject.getRdn(); rdnControls.add(createRDN(ObjectIdentifiers.DN_C, 1, 1, new String[] { "DE|FR" }, null, null)); rdnControls.add(createRDN(ObjectIdentifiers.DN_O, 1, 1)); rdnControls.add(createRDN(ObjectIdentifiers.DN_OU, 0, 1)); rdnControls.add(createRDN(ObjectIdentifiers.DN_SN, 0, 1, new String[] { REGEX_SN }, null, null)); rdnControls.add(createRDN(ObjectIdentifiers.DN_CN, 1, 1, null, "PREFIX ", " SUFFIX")); // Extensions ExtensionsType extensions = profile.getExtensions(); List<ExtensionType> list = extensions.getExtension(); list.add(createExtension(Extension.subjectKeyIdentifier, true, false, null)); list.add(createExtension(Extension.cRLDistributionPoints, false, false, null)); list.add(createExtension(Extension.freshestCRL, false, false, null)); // Extensions - basicConstraints ExtensionValueType extensionValue = createBasicConstraints(1); list.add(createExtension(Extension.basicConstraints, true, true, extensionValue)); // Extensions - AuthorityInfoAccess extensionValue = createAuthorityInfoAccess(); list.add(createExtension(Extension.authorityInfoAccess, true, false, extensionValue)); // Extensions - AuthorityKeyIdentifier extensionValue = createAuthorityKeyIdentifier(false); list.add(createExtension(Extension.authorityKeyIdentifier, true, false, extensionValue)); // Extensions - keyUsage extensionValue = createKeyUsages(new KeyUsageEnum[] { KeyUsageEnum.KEY_CERT_SIGN }, new KeyUsageEnum[] { KeyUsageEnum.C_RL_SIGN }); list.add(createExtension(Extension.keyUsage, true, true, extensionValue)); // Certificate Policies extensionValue = createCertificatePolicies(new ASN1ObjectIdentifier("1.2.3.4.5"), new ASN1ObjectIdentifier("2.4.3.2.1")); list.add(createExtension(Extension.certificatePolicies, true, false, extensionValue)); // Policy Mappings PolicyMappings policyMappings = new PolicyMappings(); policyMappings.getMapping().add(createPolicyIdMapping(new ASN1ObjectIdentifier("1.1.1.1.1"), new ASN1ObjectIdentifier("2.1.1.1.1"))); policyMappings.getMapping().add(createPolicyIdMapping(new ASN1ObjectIdentifier("1.1.1.1.2"), new ASN1ObjectIdentifier("2.1.1.1.2"))); extensionValue = createExtensionValueType(policyMappings); list.add(createExtension(Extension.policyMappings, true, true, extensionValue)); // Policy Constraints PolicyConstraints policyConstraints = createPolicyConstraints(2, 2); extensionValue = createExtensionValueType(policyConstraints); list.add(createExtension(Extension.policyConstraints, true, true, extensionValue)); // Name Constrains NameConstraints nameConstraints = createNameConstraints(); extensionValue = createExtensionValueType(nameConstraints); list.add(createExtension(Extension.nameConstraints, true, true, extensionValue)); // Inhibit anyPolicy InhibitAnyPolicy inhibitAnyPolicy = createInhibitAnyPolicy(1); extensionValue = createExtensionValueType(inhibitAnyPolicy); list.add(createExtension(Extension.inhibitAnyPolicy, true, true, extensionValue)); // SubjectAltName SubjectAltName subjectAltNameMode = new SubjectAltName(); OtherName otherName = new OtherName(); otherName.getType().add(createOidType(ObjectIdentifiers.DN_O)); subjectAltNameMode.setOtherName(otherName); subjectAltNameMode.setRfc822Name(""); subjectAltNameMode.setDNSName(""); subjectAltNameMode.setDirectoryName(""); subjectAltNameMode.setEdiPartyName(""); subjectAltNameMode.setUniformResourceIdentifier(""); subjectAltNameMode.setIPAddress(""); subjectAltNameMode.setRegisteredID(""); extensionValue = createExtensionValueType(subjectAltNameMode); list.add(createExtension(Extension.subjectAlternativeName, true, false, extensionValue)); // SubjectInfoAccess SubjectInfoAccess subjectInfoAccessMode = new SubjectInfoAccess(); SubjectInfoAccess.Access access = new SubjectInfoAccess.Access(); access.setAccessMethod(createOidType(ObjectIdentifiers.id_ad_caRepository)); GeneralNameType accessLocation = new GeneralNameType(); access.setAccessLocation(accessLocation); accessLocation.setDirectoryName(""); accessLocation.setUniformResourceIdentifier(""); subjectInfoAccessMode.getAccess().add(access); extensionValue = createExtensionValueType(subjectInfoAccessMode); list.add(createExtension(Extension.subjectInfoAccess, true, false, extensionValue)); // Custom Extension ASN1ObjectIdentifier customExtensionOid = new ASN1ObjectIdentifier("1.2.3.4"); extensionValue = createConstantExtValue(DERNull.INSTANCE.getEncoded()); list.add(createExtension(customExtensionOid, true, false, extensionValue, "custom extension 1")); return profile; }
From source file:org.xipki.ca.certprofile.internal.ProfileConfCreatorDemo.java
License:Open Source License
private static X509ProfileType Certprofile_gSMC_K() throws Exception { X509ProfileType profile = getBaseProfile("Certprofile gSMC_K", false, "5y", false, new String[] { "SHA256" }); profile.setDuplicateSubject(true);/* w ww. j a va 2s. com*/ // SpecialBehavior profile.setSpecialBehavior(SpecialX509CertprofileBehavior.gematik_gSMC_K.name()); // Maximal liftime Parameters profileParams = new Parameters(); profile.setParameters(profileParams); NameValueType nv = new NameValueType(); nv.setName(SpecialX509CertprofileBehavior.PARAMETER_MAXLIFTIME); nv.setValue(Integer.toString(20 * 365)); profileParams.getParameter().add(nv); // Subject Subject subject = profile.getSubject(); subject.setIncSerialNumber(false); List<RdnType> rdnControls = subject.getRdn(); rdnControls.add(createRDN(ObjectIdentifiers.DN_C, 1, 1, new String[] { "DE" }, null, null)); rdnControls.add(createRDN(ObjectIdentifiers.DN_O, 1, 1)); rdnControls.add(createRDN(ObjectIdentifiers.DN_OU, 0, 1)); rdnControls.add(createRDN(ObjectIdentifiers.DN_ST, 0, 1)); rdnControls.add(createRDN(ObjectIdentifiers.DN_L, 0, 1)); rdnControls.add(createRDN(ObjectIdentifiers.DN_POSTAL_CODE, 0, 1)); rdnControls.add(createRDN(ObjectIdentifiers.DN_STREET, 0, 1)); // regex: ICCSN-yyyyMMdd String regex = "80276[\\d]{15,15}-20\\d\\d(0[1-9]|1[012])(0[1-9]|[12][0-9]|3[01])"; rdnControls.add(createRDN(ObjectIdentifiers.DN_CN, 1, 1, new String[] { regex }, null, null)); // Extensions ExtensionsType extensions = profile.getExtensions(); List<ExtensionType> list = extensions.getExtension(); list.add(createExtension(Extension.subjectKeyIdentifier, true, false, null)); list.add(createExtension(Extension.cRLDistributionPoints, false, false, null)); // Extensions - basicConstraints ExtensionValueType extensionValue = null; list.add(createExtension(Extension.basicConstraints, true, true, extensionValue)); // Extensions - AuthorityInfoAccess extensionValue = createAuthorityInfoAccess(); list.add(createExtension(Extension.authorityInfoAccess, true, false, extensionValue)); // Extensions - AuthorityKeyIdentifier extensionValue = createAuthorityKeyIdentifier(true); list.add(createExtension(Extension.authorityKeyIdentifier, true, false, extensionValue)); // Extensions - keyUsage extensionValue = createKeyUsages( new KeyUsageEnum[] { KeyUsageEnum.DIGITAL_SIGNATURE, KeyUsageEnum.KEY_ENCIPHERMENT }, null); list.add(createExtension(Extension.keyUsage, true, true, extensionValue)); // Extensions - extenedKeyUsage extensionValue = createExtendedKeyUsage(new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_serverAuth }, new ASN1ObjectIdentifier[] { ObjectIdentifiers.id_kp_clientAuth }); list.add(createExtension(Extension.extendedKeyUsage, true, false, extensionValue)); // Extensions - Policy CertificatePolicies policies = new CertificatePolicies(); ASN1ObjectIdentifier[] policyIds = new ASN1ObjectIdentifier[] { id_gematik.branch("79"), id_gematik.branch("163") }; for (ASN1ObjectIdentifier id : policyIds) { CertificatePolicyInformationType policyInfo = new CertificatePolicyInformationType(); policies.getCertificatePolicyInformation().add(policyInfo); policyInfo.setPolicyIdentifier(createOidType(id)); } extensionValue = createExtensionValueType(policies); list.add(createExtension(Extension.certificatePolicies, true, false, extensionValue)); // Extension - Adminssion Admission admission = new Admission(); admission.getProfessionOid().add(createOidType(id_gematik.branch("103"))); admission.getProfessionItem().add("Anwendungskonnektor"); extensionValue = createExtensionValueType(admission); list.add(createExtension(ObjectIdentifiers.id_extension_admission, true, false, extensionValue)); // SubjectAltNames extensionValue = null; list.add(createExtension(Extension.subjectAlternativeName, false, false, extensionValue)); return profile; }
From source file:org.xipki.ca.certprofile.XmlX509Certprofile.java
License:Open Source License
private void doInitialize(final String data) throws CertprofileException { byte[] bytes; try {/* w w w .jav a2 s . co m*/ bytes = data.getBytes("UTF-8"); } catch (UnsupportedEncodingException e) { bytes = data.getBytes(); } X509ProfileType conf = XmlX509CertprofileUtil.parse(new ByteArrayInputStream(bytes)); if (conf.getVersion() != null) { int intVersion = conf.getVersion().intValue(); this.version = X509CertVersion.getInstance(intVersion); if (this.version == null) { throw new CertprofileException("invalid version " + intVersion); } } else { this.version = X509CertVersion.V3; } if (conf.getSignatureAlgorithms() != null) { List<String> algoNames = conf.getSignatureAlgorithms().getAlgorithm(); this.signatureAlgorithms = new ArrayList<>(algoNames.size()); for (String algoName : algoNames) { try { this.signatureAlgorithms.add(AlgorithmUtil.canonicalizeSignatureAlgo(algoName)); } catch (NoSuchAlgorithmException e) { throw new CertprofileException(e.getMessage(), e); } } } this.raOnly = conf.isRaOnly(); this.qaOnly = conf.isQaOnly(); this.validity = CertValidity.getInstance(conf.getValidity()); this.ca = conf.isCa(); this.notBeforeMidnight = "midnight".equalsIgnoreCase(conf.getNotBeforeTime()); String specialBehavior = conf.getSpecialBehavior(); if (specialBehavior != null) { this.specialBehavior = SpecialX509CertprofileBehavior.getInstance(specialBehavior); } if (conf.isDuplicateKey() != null) { duplicateKeyPermitted = conf.isDuplicateKey().booleanValue(); } if (conf.isDuplicateSubject() != null) { duplicateSubjectPermitted = conf.isDuplicateSubject().booleanValue(); } if (conf.isSerialNumberInReq() != null) { serialNumberInReqPermitted = conf.isSerialNumberInReq().booleanValue(); } // KeyAlgorithms KeyAlgorithms keyAlgos = conf.getKeyAlgorithms(); if (keyAlgos != null) { this.keyAlgorithms = XmlX509CertprofileUtil.buildKeyAlgorithms(keyAlgos); } // parameters Parameters confParams = conf.getParameters(); if (confParams == null) { parameters = null; } else { Map<String, String> tMap = new HashMap<>(); for (NameValueType nv : confParams.getParameter()) { tMap.put(nv.getName(), nv.getValue()); } parameters = Collections.unmodifiableMap(tMap); } // Subject Subject subject = conf.getSubject(); if (subject != null) { this.backwardsSubject = subject.isDnBackwards(); this.incSerialNoIfSubjectExists = subject.isIncSerialNumber(); this.subjectDNControls = new HashSet<RDNControl>(); this.subjectDNOptions = new HashMap<>(); for (RdnType t : subject.getRdn()) { DirectoryStringType directoryStringEnum = XmlX509CertprofileUtil .convertDirectoryStringType(t.getDirectoryStringType()); ASN1ObjectIdentifier type = new ASN1ObjectIdentifier(t.getType().getValue()); RDNControl occ = new RDNControl(type, t.getMinOccurs(), t.getMaxOccurs(), directoryStringEnum); this.subjectDNControls.add(occ); List<Pattern> patterns = null; if (CollectionUtil.isNotEmpty(t.getRegex())) { patterns = new LinkedList<>(); for (String regex : t.getRegex()) { Pattern pattern = Pattern.compile(regex); patterns.add(pattern); } } SubjectDNOption option = new SubjectDNOption(t.getPrefix(), t.getSuffix(), patterns, t.getMinLen(), t.getMaxLen()); this.subjectDNOptions.put(type, option); } } // Extensions ExtensionsType extensionsType = conf.getExtensions(); // Extension controls this.extensionControls = XmlX509CertprofileUtil.buildExtensionControls(extensionsType); // BasicConstrains ASN1ObjectIdentifier type = Extension.basicConstraints; if (extensionControls.containsKey(type)) { BasicConstraints extConf = (BasicConstraints) getExtensionValue(type, extensionsType, BasicConstraints.class); if (extConf != null) { this.pathLen = extConf.getPathLen(); } } // AuthorityInfoAccess type = Extension.authorityInfoAccess; if (extensionControls.containsKey(type)) { AuthorityInfoAccess extConf = (AuthorityInfoAccess) getExtensionValue(type, extensionsType, AuthorityInfoAccess.class); if (extConf != null) { Boolean b = extConf.isIncludeCaIssuers(); boolean includesCaIssuers = b == null ? true : b.booleanValue(); b = extConf.isIncludeOcsp(); boolean includesOcsp = b == null ? true : b.booleanValue(); this.aIAControl = new AuthorityInfoAccessControl(includesCaIssuers, includesOcsp); } } // Extension KeyUsage type = Extension.keyUsage; if (extensionControls.containsKey(type)) { KeyUsage extConf = (KeyUsage) getExtensionValue(type, extensionsType, KeyUsage.class); if (extConf != null) { this.keyusages = XmlX509CertprofileUtil.buildKeyUsageOptions(extConf); } } // ExtendedKeyUsage type = Extension.extendedKeyUsage; if (extensionControls.containsKey(type)) { ExtendedKeyUsage extConf = (ExtendedKeyUsage) getExtensionValue(type, extensionsType, ExtendedKeyUsage.class); if (extConf != null) { this.extendedKeyusages = XmlX509CertprofileUtil.buildExtKeyUsageOptions(extConf); } } // AuthorityKeyIdentifier type = Extension.authorityKeyIdentifier; if (extensionControls.containsKey(type)) { AuthorityKeyIdentifier extConf = (AuthorityKeyIdentifier) getExtensionValue(type, extensionsType, AuthorityKeyIdentifier.class); if (extConf != null) { this.includeIssuerAndSerialInAKI = extConf.isIncludeIssuerAndSerial(); } } // Certificate Policies type = Extension.certificatePolicies; if (extensionControls.containsKey(type)) { CertificatePolicies extConf = (CertificatePolicies) getExtensionValue(type, extensionsType, CertificatePolicies.class); if (extConf != null) { List<CertificatePolicyInformation> policyInfos = XmlX509CertprofileUtil .buildCertificatePolicies(extConf); org.bouncycastle.asn1.x509.CertificatePolicies value = X509CertUtil .createCertificatePolicies(policyInfos); this.certificatePolicies = new ExtensionValue(extensionControls.get(type).isCritical(), value); } } // Policy Mappings type = Extension.policyMappings; if (extensionControls.containsKey(type)) { PolicyMappings extConf = (PolicyMappings) getExtensionValue(type, extensionsType, PolicyMappings.class); if (extConf != null) { org.bouncycastle.asn1.x509.PolicyMappings value = XmlX509CertprofileUtil .buildPolicyMappings(extConf); this.policyMappings = new ExtensionValue(extensionControls.get(type).isCritical(), value); } } // Name Constrains type = Extension.nameConstraints; if (extensionControls.containsKey(type)) { NameConstraints extConf = (NameConstraints) getExtensionValue(type, extensionsType, NameConstraints.class); if (extConf != null) { org.bouncycastle.asn1.x509.NameConstraints value = XmlX509CertprofileUtil .buildNameConstrains(extConf); this.nameConstraints = new ExtensionValue(extensionControls.get(type).isCritical(), value); } } // Policy Constraints type = Extension.policyConstraints; if (extensionControls.containsKey(type)) { PolicyConstraints extConf = (PolicyConstraints) getExtensionValue(type, extensionsType, PolicyConstraints.class); if (extConf != null) { ASN1Sequence value = XmlX509CertprofileUtil.buildPolicyConstrains(extConf); this.policyConstraints = new ExtensionValue(extensionControls.get(type).isCritical(), value); } } // Inhibit anyPolicy type = Extension.inhibitAnyPolicy; if (extensionControls.containsKey(type)) { InhibitAnyPolicy extConf = (InhibitAnyPolicy) getExtensionValue(type, extensionsType, InhibitAnyPolicy.class); if (extConf != null) { int skipCerts = extConf.getSkipCerts(); if (skipCerts < 0) { throw new CertprofileException( "negative inhibitAnyPolicy.skipCerts is not allowed: " + skipCerts); } ASN1Integer value = new ASN1Integer(BigInteger.valueOf(skipCerts)); this.inhibitAnyPolicy = new ExtensionValue(extensionControls.get(type).isCritical(), value); } } // admission type = ObjectIdentifiers.id_extension_admission; if (extensionControls.containsKey(type)) { Admission extConf = (Admission) getExtensionValue(type, extensionsType, Admission.class); if (extConf != null) { List<ASN1ObjectIdentifier> professionOIDs; List<String> professionItems; List<String> items = type == null ? null : extConf.getProfessionItem(); professionItems = CollectionUtil.unmodifiableList(items, true, true); List<OidWithDescType> oidWithDescs = (type == null) ? null : extConf.getProfessionOid(); professionOIDs = XmlX509CertprofileUtil.toOIDList(oidWithDescs); this.admission = createAdmission(extensionControls.get(type).isCritical(), professionOIDs, professionItems, extConf.getRegistrationNumber(), extConf.getAddProfessionInfo()); } } // SubjectAltNameMode type = Extension.subjectAlternativeName; if (extensionControls.containsKey(type)) { SubjectAltName extConf = (SubjectAltName) getExtensionValue(type, extensionsType, SubjectAltName.class); if (extConf != null) { this.allowedSubjectAltNameModes = XmlX509CertprofileUtil.buildGeneralNameMode(extConf); } } // SubjectInfoAccess type = Extension.subjectInfoAccess; if (extensionControls.containsKey(type)) { SubjectInfoAccess extConf = (SubjectInfoAccess) getExtensionValue(type, extensionsType, SubjectInfoAccess.class); if (extConf != null) { List<Access> list = extConf.getAccess(); this.allowedSubjectInfoAccessModes = new HashMap<>(); for (Access entry : list) { this.allowedSubjectInfoAccessModes.put( new ASN1ObjectIdentifier(entry.getAccessMethod().getValue()), XmlX509CertprofileUtil.buildGeneralNameMode(entry.getAccessLocation())); } } } // constant extensions this.constantExtensions = XmlX509CertprofileUtil.buildConstantExtesions(extensionsType); }
From source file:org.xipki.ca.certprofile.XmlX509Certprofile.java
License:Open Source License
@Override public SubjectInfo getSubject(final X500Name requestedSubject) throws CertprofileException, BadCertTemplateException { verifySubjectDNOccurence(requestedSubject); checkSubjectContent(requestedSubject); RDN[] requstedRDNs = requestedSubject.getRDNs(); Set<RDNControl> occurences = getSubjectDNControls(); List<RDN> rdns = new LinkedList<>(); List<ASN1ObjectIdentifier> types = backwardsSubject() ? ObjectIdentifiers.getBackwardDNs() : ObjectIdentifiers.getForwardDNs(); for (ASN1ObjectIdentifier type : types) { if (Extension.subjectAlternativeName.equals(type) || Extension.subjectInfoAccess.equals(type)) { continue; }/* ww w .j a va 2s . c o m*/ RDNControl control = null; if (occurences != null) { control = getRDNControl(occurences, type); if (control == null || control.getMaxOccurs() < 1) { continue; } } RDN[] thisRDNs = getRDNs(requstedRDNs, type); int n = thisRDNs == null ? 0 : thisRDNs.length; if (n == 0) { continue; } if (n == 1) { String value = X509Util.rdnValueToString(thisRDNs[0].getFirst().getValue()); rdns.add(createSubjectRDN(value, type, control, 0)); } else { String[] values = new String[n]; for (int i = 0; i < n; i++) { values[i] = X509Util.rdnValueToString(thisRDNs[i].getFirst().getValue()); } values = sortRDNs(type, values); int i = 0; for (String value : values) { rdns.add(createSubjectRDN(value, type, control, i++)); } } } X500Name grantedSubject = new X500Name(rdns.toArray(new RDN[0])); return new SubjectInfo(grantedSubject, null); }
From source file:org.xipki.ca.client.shell.EnrollCertCommand.java
License:Open Source License
@Override protected Object _doExecute() throws Exception { EnrollCertRequestType request = new EnrollCertRequestType(EnrollCertRequestType.Type.CERT_REQ); CertTemplateBuilder certTemplateBuilder = new CertTemplateBuilder(); ConcurrentContentSigner signer = getSigner(hashAlgo, new SignatureAlgoControl(rsaMgf1, dsaPlain)); X509CertificateHolder ssCert = signer.getCertificateAsBCObject(); X500Name x500Subject = subject == null ? ssCert.getSubject() : new X500Name(subject); certTemplateBuilder.setSubject(x500Subject); certTemplateBuilder.setPublicKey(ssCert.getSubjectPublicKeyInfo()); if (needExtensionTypes == null) { needExtensionTypes = new LinkedList<>(); }/*from w w w .j av a2 s . c o m*/ // SubjectAltNames List<Extension> extensions = new LinkedList<>(); if (isNotEmpty(subjectAltNames)) { extensions.add(P10RequestGenerator.createExtensionSubjectAltName(subjectAltNames, false)); needExtensionTypes.add(Extension.subjectAlternativeName.getId()); } // SubjectInfoAccess if (isNotEmpty(subjectInfoAccesses)) { extensions.add(P10RequestGenerator.createExtensionSubjectInfoAccess(subjectInfoAccesses, false)); needExtensionTypes.add(Extension.subjectInfoAccess.getId()); } // Keyusage if (isNotEmpty(keyusages)) { Set<KeyUsage> usages = new HashSet<>(); for (String usage : keyusages) { usages.add(KeyUsage.getKeyUsage(usage)); } org.bouncycastle.asn1.x509.KeyUsage extValue = X509Util.createKeyUsage(usages); ASN1ObjectIdentifier extType = Extension.keyUsage; extensions.add(new Extension(extType, false, extValue.getEncoded())); needExtensionTypes.add(extType.getId()); } // ExtendedKeyusage if (isNotEmpty(extkeyusages)) { Set<ASN1ObjectIdentifier> oids = new HashSet<>(SecurityUtil.textToASN1ObjectIdentifers(extkeyusages)); ExtendedKeyUsage extValue = X509Util.createExtendedUsage(oids); ASN1ObjectIdentifier extType = Extension.extendedKeyUsage; extensions.add(new Extension(extType, false, extValue.getEncoded())); needExtensionTypes.add(extType.getId()); } if (isNotEmpty(needExtensionTypes) || isNotEmpty(wantExtensionTypes)) { ExtensionExistence ee = new ExtensionExistence( SecurityUtil.textToASN1ObjectIdentifers(needExtensionTypes), SecurityUtil.textToASN1ObjectIdentifers(wantExtensionTypes)); extensions.add(new Extension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions, false, ee.toASN1Primitive().getEncoded())); } if (isNotEmpty(extensions)) { Extensions asn1Extensions = new Extensions(extensions.toArray(new Extension[0])); certTemplateBuilder.setExtensions(asn1Extensions); } CertRequest certReq = new CertRequest(1, certTemplateBuilder.build(), null); ProofOfPossessionSigningKeyBuilder popoBuilder = new ProofOfPossessionSigningKeyBuilder(certReq); ContentSigner contentSigner = signer.borrowContentSigner(); POPOSigningKey popoSk; try { popoSk = popoBuilder.build(contentSigner); } finally { signer.returnContentSigner(contentSigner); } ProofOfPossession popo = new ProofOfPossession(popoSk); EnrollCertRequestEntryType reqEntry = new EnrollCertRequestEntryType("id-1", profile, certReq, popo); request.addRequestEntry(reqEntry); RequestResponseDebug debug = getRequestResponseDebug(); EnrollCertResult result; try { result = caClient.requestCerts(request, caName, user, debug); } finally { saveRequestResponse(debug); } X509Certificate cert = null; if (result != null) { String id = result.getAllIds().iterator().next(); CertOrError certOrError = result.getCertificateOrError(id); cert = (X509Certificate) certOrError.getCertificate(); } if (cert == null) { throw new CmdFailure("no certificate received from the server"); } File certFile = new File(outputFile); saveVerbose("saved certificate to file", certFile, cert.getEncoded()); return null; }