List of usage examples for org.bouncycastle.asn1.x509 Extension subjectKeyIdentifier
ASN1ObjectIdentifier subjectKeyIdentifier
To view the source code for org.bouncycastle.asn1.x509 Extension subjectKeyIdentifier.
Click Source Link
From source file:com.aqnote.shared.encrypt.cert.gen.BCCertGenerator.java
License:Open Source License
private static void addSubjectKID(X509v3CertificateBuilder certBuilder, PublicKey pubKey) throws Exception { JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pubKey)); }
From source file:com.enioka.jqm.pki.CertificateRequest.java
License:Open Source License
private void generateX509() throws Exception { SecureRandom random = new SecureRandom(); X500Name dnName = new X500Name(Subject); Calendar endValidity = Calendar.getInstance(); endValidity.add(Calendar.YEAR, validityYear); SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()); X509v3CertificateBuilder gen = new X509v3CertificateBuilder( authorityCertificate == null ? dnName : authorityCertificate.getSubject(), BigIntegers.createRandomInRange(BigInteger.ZERO, BigInteger.valueOf(Long.MAX_VALUE), random), new Date(), endValidity.getTime(), dnName, publicKeyInfo); // Public key ID DigestCalculator digCalc = new BcDigestCalculatorProvider() .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); X509ExtensionUtils x509ExtensionUtils = new X509ExtensionUtils(digCalc); gen.addExtension(Extension.subjectKeyIdentifier, false, x509ExtensionUtils.createSubjectKeyIdentifier(publicKeyInfo)); // EKU//from w ww .j av a 2 s .c o m gen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(EKU)); // Basic constraints (is CA?) if (authorityCertificate == null) { gen.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)); } // Key usage gen.addExtension(Extension.keyUsage, true, new KeyUsage(keyUsage)); // Subject Alt names ? // Authority if (authorityCertificate != null) { gen.addExtension(Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifier(authorityCertificate.getSubjectPublicKeyInfo())); } // Signer ContentSigner signer = new JcaContentSignerBuilder("SHA512WithRSAEncryption") .setProvider(Constants.JCA_PROVIDER).build(authorityKey == null ? privateKey : authorityKey); // Go holder = gen.build(signer); }
From source file:com.linkedin.mitm.services.CACertificateService.java
License:Open Source License
protected void buildExtensions(X509v3CertificateBuilder x509v3CertificateBuilder, PublicKey publicKey) throws IOException { x509v3CertificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(publicKey)); // The Key Usage, Extended Key Usage, and Basic Constraints extensions act together to define the purposes for // which the certificate is intended to be used x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, BASIC_CONSTRAINTS); x509v3CertificateBuilder.addExtension(Extension.keyUsage, false, KEY_USAGE); x509v3CertificateBuilder.addExtension(Extension.extendedKeyUsage, false, EXTERNAL_KEY_USAGE); }
From source file:com.linkedin.mitm.services.IdentityCertificateService.java
License:Open Source License
@Override protected void buildExtensions(X509v3CertificateBuilder x509v3CertificateBuilder, PublicKey publicKey) throws IOException { x509v3CertificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(publicKey)); x509v3CertificateBuilder.addExtension(Extension.basicConstraints, false, BASIC_CONSTRAINTS); }
From source file:com.redhat.akashche.keystoregen.KeystoreGenerator.java
License:Apache License
private Certificate createIntermediateCert(KeystoreConfig.Entry en, Keys keys, X509Certificate caCert) throws Exception { String label = en.getLabel() + "_INTERMEDIATE"; X500NameBuilder subject = new X500NameBuilder(); subject.addRDN(BCStyle.C, en.getX500_C()); subject.addRDN(BCStyle.O, en.getX500_O()); subject.addRDN(BCStyle.OU, en.getX500_OU()); subject.addRDN(BCStyle.CN, label);// w ww . ja v a2 s.c o m X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(caCert, BigInteger.valueOf(2), en.getValidFrom(), en.getValidTo(), subject.build(), keys.intPublic); JcaX509ExtensionUtils eu = new JcaX509ExtensionUtils(); builder.addExtension(Extension.subjectKeyIdentifier, false, eu.createSubjectKeyIdentifier(keys.intPublic)); builder.addExtension(Extension.authorityKeyIdentifier, false, eu.createAuthorityKeyIdentifier(caCert)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(0)); X509CertificateHolder holder = builder .build(new JcaContentSignerBuilder(en.getAlgorithm()).setProvider(BCPROV).build(keys.caPrivate)); X509Certificate cert = new JcaX509CertificateConverter().setProvider(BCPROV).getCertificate(holder); cert.checkValidity(new Date()); cert.verify(caCert.getPublicKey()); PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert; bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(label)); return cert; }
From source file:com.redhat.akashche.keystoregen.KeystoreGenerator.java
License:Apache License
private Certificate createCert(KeystoreConfig.Entry en, Keys keys) throws Exception { X500NameBuilder issuer = new X500NameBuilder(); issuer.addRDN(BCStyle.C, en.getX500_C()); issuer.addRDN(BCStyle.O, en.getX500_O()); issuer.addRDN(BCStyle.OU, en.getX500_OU()); issuer.addRDN(BCStyle.CN, en.getLabel() + "_INTERMEDIATE"); String label = en.getLabel() + "_CERT"; X500NameBuilder subject = new X500NameBuilder(); subject.addRDN(BCStyle.C, en.getX500_C()); subject.addRDN(BCStyle.O, en.getX500_O()); subject.addRDN(BCStyle.OU, en.getX500_OU()); subject.addRDN(BCStyle.CN, label);//from w ww.j av a 2s. c om X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer.build(), BigInteger.valueOf(3), en.getValidFrom(), en.getValidTo(), subject.build(), keys.certPublic); JcaX509ExtensionUtils eu = new JcaX509ExtensionUtils(); builder.addExtension(Extension.subjectKeyIdentifier, false, eu.createSubjectKeyIdentifier(keys.certPublic)); builder.addExtension(Extension.authorityKeyIdentifier, false, eu.createAuthorityKeyIdentifier(keys.caPublic)); X509CertificateHolder holder = builder .build(new JcaContentSignerBuilder(en.getAlgorithm()).setProvider(BCPROV).build(keys.caPrivate)); X509Certificate cert = new JcaX509CertificateConverter().setProvider(BCPROV).getCertificate(holder); cert.checkValidity(new Date()); cert.verify(keys.caPublic); PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert; bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(label)); bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, eu.createSubjectKeyIdentifier(keys.certPublic)); return cert; }
From source file:com.spotify.helios.client.tls.X509CertificateFactory.java
License:Apache License
private CertificateAndPrivateKey generate(final AgentProxy agentProxy, final Identity identity, final String username) { final UUID uuid = new UUID(); final Calendar calendar = Calendar.getInstance(); final X500Name issuerDN = new X500Name("C=US,O=Spotify,CN=helios-client"); final X500Name subjectDN = new X500NameBuilder().addRDN(BCStyle.UID, username).build(); calendar.add(Calendar.MILLISECOND, -validBeforeMilliseconds); final Date notBefore = calendar.getTime(); calendar.add(Calendar.MILLISECOND, validBeforeMilliseconds + validAfterMilliseconds); final Date notAfter = calendar.getTime(); // Reuse the UUID time as a SN final BigInteger serialNumber = BigInteger.valueOf(uuid.getTime()).abs(); try {/*from w ww. j a v a2 s. c o m*/ final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC"); keyPairGenerator.initialize(KEY_SIZE, new SecureRandom()); final KeyPair keyPair = keyPairGenerator.generateKeyPair(); final SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo .getInstance(ASN1Sequence.getInstance(keyPair.getPublic().getEncoded())); final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuerDN, serialNumber, notBefore, notAfter, subjectDN, subjectPublicKeyInfo); final DigestCalculator digestCalculator = new BcDigestCalculatorProvider() .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); final X509ExtensionUtils utils = new X509ExtensionUtils(digestCalculator); final SubjectKeyIdentifier keyId = utils.createSubjectKeyIdentifier(subjectPublicKeyInfo); final String keyIdHex = KEY_ID_ENCODING.encode(keyId.getKeyIdentifier()); log.info("generating an X509 certificate for {} with key ID={} and identity={}", username, keyIdHex, identity.getComment()); builder.addExtension(Extension.subjectKeyIdentifier, false, keyId); builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(subjectPublicKeyInfo)); builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); final X509CertificateHolder holder = builder.build(new SshAgentContentSigner(agentProxy, identity)); final X509Certificate certificate = CERTIFICATE_CONVERTER.getCertificate(holder); log.debug("generated certificate:\n{}", asPEMString(certificate)); return new CertificateAndPrivateKey(certificate, keyPair.getPrivate()); } catch (Exception e) { throw Throwables.propagate(e); } }
From source file:com.spotify.sshagenttls.X509CertKeyCreator.java
License:Apache License
@Override public CertKey createCertKey(final String username, final X500Principal x500Principal) { final Calendar calendar = Calendar.getInstance(); final BigInteger serialNumber = BigInteger.valueOf(calendar.getTimeInMillis()).abs(); final X500Name issuerDn = new X500Name(x500Principal.getName(X500Principal.RFC1779)); final X500Name subjectDn = new X500NameBuilder().addRDN(BCStyle.UID, username).build(); calendar.add(Calendar.MILLISECOND, -validBeforeMillis); final Date notBefore = calendar.getTime(); calendar.add(Calendar.MILLISECOND, validBeforeMillis + validAfterMillis); final Date notAfter = calendar.getTime(); try {/*from w w w .j a v a2 s .com*/ final KeyPair keyPair = generateRandomKeyPair(); final SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo .getInstance(ASN1Sequence.getInstance(keyPair.getPublic().getEncoded())); final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuerDn, serialNumber, notBefore, notAfter, subjectDn, subjectPublicKeyInfo); final DigestCalculator digestCalculator = new BcDigestCalculatorProvider() .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); final X509ExtensionUtils utils = new X509ExtensionUtils(digestCalculator); final SubjectKeyIdentifier keyId = utils.createSubjectKeyIdentifier(subjectPublicKeyInfo); final String keyIdHex = KEY_ID_ENCODING.encode(keyId.getKeyIdentifier()); LOG.info("generating an X.509 certificate for {} with key ID={}", username, keyIdHex); builder.addExtension(Extension.subjectKeyIdentifier, false, keyId); builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(subjectPublicKeyInfo)); builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); final X509CertificateHolder holder = builder.build(contentSigner); final X509Certificate cert = CERT_CONVERTER.getCertificate(holder); LOG.debug("generated certificate:\n{}", Utils.asPemString(cert)); return CertKey.create(cert, keyPair.getPrivate()); } catch (Exception e) { throw new RuntimeException(e); } }
From source file:com.spotify.sshtlsclient.X509CertificateFactory.java
License:Apache License
static Certificate get(final SshAgentContentSigner signer, final Identity identity, final String username) { final UUID uuid = new UUID(); final Calendar calendar = Calendar.getInstance(); final X500Name issuerDN = new X500Name("C=US,O=Spotify,CN=helios-client"); final X500Name subjectDN = new X500NameBuilder().addRDN(BCStyle.UID, username).build(); final SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo .getInstance(ASN1Sequence.getInstance(identity.getPublicKey().getEncoded())); calendar.add(Calendar.HOUR, -HOURS_BEFORE); final Date notBefore = calendar.getTime(); calendar.add(Calendar.HOUR, HOURS_BEFORE + HOURS_AFTER); final Date notAfter = calendar.getTime(); // Reuse the UUID time as a SN final BigInteger serialNumber = BigInteger.valueOf(uuid.getTime()).abs(); final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuerDN, serialNumber, notBefore, notAfter, subjectDN, subjectPublicKeyInfo); try {//from www . j ava2 s. co m final DigestCalculator digestCalculator = new BcDigestCalculatorProvider() .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); final X509ExtensionUtils utils = new X509ExtensionUtils(digestCalculator); builder.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(subjectPublicKeyInfo)); builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(subjectPublicKeyInfo)); builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); final X509CertificateHolder holder = builder.build(signer); return new Certificate(new org.bouncycastle.asn1.x509.Certificate[] { holder.toASN1Structure(), }); } catch (Exception e) { throw Throwables.propagate(e); } }
From source file:com.wandrell.util.ksgen.BouncyCastleKeyStoreFactory.java
License:Open Source License
/** * Returns a certificate builder./*from w ww . java 2 s.c o m*/ * * @param publicKey * public key for the certificate builder * @param issuer * issuer for the certificate builder * @return a certificate builder * @throws IOException * if any format error occurrs while creating the certificate */ private final X509v3CertificateBuilder getCertificateBuilder(final PublicKey publicKey, final String issuer) throws IOException { final X500Name issuerName; // Issuer name final X500Name subjectName; // Subject name final BigInteger serial; // Serial number final X509v3CertificateBuilder builder; // Certificate builder final Date start; // Certificate start date final Date end; // Certificate end date final KeyUsage usage; // Key usage final ASN1EncodableVector purposes; // Certificate purposes issuerName = new X500Name(issuer); subjectName = issuerName; serial = BigInteger.valueOf(getRandom().nextInt()); // Dates for the certificate start = getOneYearBackDate(); end = getOneHundredYearsFutureDate(); builder = new JcaX509v3CertificateBuilder(issuerName, serial, start, end, subjectName, publicKey); builder.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(publicKey)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)); usage = new KeyUsage(KeyUsage.keyCertSign | KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.cRLSign); builder.addExtension(Extension.keyUsage, false, usage); purposes = new ASN1EncodableVector(); purposes.add(KeyPurposeId.id_kp_serverAuth); purposes.add(KeyPurposeId.id_kp_clientAuth); purposes.add(KeyPurposeId.anyExtendedKeyUsage); builder.addExtension(Extension.extendedKeyUsage, false, new DERSequence(purposes)); return builder; }