List of usage examples for org.bouncycastle.asn1.x509 GeneralName dNSName
int dNSName
From source file:org.apache.cloudstack.utils.security.CertUtilsTest.java
License:Apache License
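@Test
public void testGenerateCertificate() throws Exception {
    // 1024-bit RSA keeps the test fast; it is a test-only size, not one for issued certificates.
    final KeyPair clientKeyPair = CertUtils.generateRandomKeyPair(1024);
    final List<String> domainNames = Arrays.asList("domain1.com", "www.2.domain2.com", "3.domain3.com");
    final List<String> addressList = Arrays.asList("1.2.3.4", "192.168.1.1",
            "2a02:120b:2c16:f6d0:d9df:8ebc:e44a:f181");
    final X509Certificate clientCert = CertUtils.generateV3Certificate(caCertificate, caKeyPair,
            clientKeyPair.getPublic(), "CN=domain.example", "SHA256WithRSAEncryption", 10,
            domainNames, addressList);

    // The leaf must verify under the CA key and name the CA's *subject* as its issuer. The previous
    // comparison against the CA's own issuer only holds while the CA certificate is self-signed.
    clientCert.verify(caKeyPair.getPublic());
    Assert.assertEquals(caCertificate.getSubjectX500Principal(), clientCert.getIssuerX500Principal());
    Assert.assertEquals("SHA256WITHRSA", clientCert.getSigAlgName());
    Assert.assertArrayEquals(clientKeyPair.getPublic().getEncoded(), clientCert.getPublicKey().getEncoded());

    // Each SAN entry is a [tag, value] pair. Collect the values per tag so the assertion is "the
    // extension holds exactly the requested names", not merely "each entry is one of them".
    Assert.assertNotNull(clientCert.getSubjectAlternativeNames());
    final List<String> sanDnsNames = new java.util.ArrayList<>();
    final List<String> sanAddresses = new java.util.ArrayList<>();
    for (final List<?> altName : clientCert.getSubjectAlternativeNames()) {
        Assert.assertEquals(2, altName.size());
        final Object tag = altName.get(0);
        final Object value = altName.get(1);
        Assert.assertTrue("SAN tag should be an Integer", tag instanceof Integer);
        final int tagNo = (Integer) tag;
        if (tagNo == GeneralName.iPAddress) {
            sanAddresses.add((String) value);
        } else if (tagNo == GeneralName.dNSName) {
            sanDnsNames.add((String) value);
        } else {
            Assert.fail("Unexpected SAN tag " + tagNo + " with value " + value);
        }
    }
    Assert.assertEquals(domainNames.size(), sanDnsNames.size());
    Assert.assertTrue(sanDnsNames.containsAll(domainNames));
    Assert.assertEquals(addressList.size(), sanAddresses.size());
    Assert.assertTrue(sanAddresses.containsAll(addressList));
}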
From source file:org.apache.kerby.pkix.EndEntityGenerator.java
License:Apache License
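/**
 * Generates an end-entity (PKINIT client) certificate signed by the given issuer.
 *
 * <p>The certificate carries SubjectKeyIdentifier, a critical non-CA BasicConstraints,
 * AuthorityKeyIdentifier, a critical KeyUsage of digitalSignature | keyEncipherment | dataEncipherment,
 * a non-critical ExtendedKeyUsage of id-kp-smartcardlogon, and a critical SubjectAlternativeName
 * holding an id-pkinit-san otherName (with an empty KRB5PrincipalName sequence) plus the dNSName
 * {@code localhost}. The PKCS#12 friendlyName and localKeyId bag attributes are set on the returned
 * object so it can be stored directly in a PKCS#12 keystore.
 *
 * @param issuerCert       certificate of the issuing CA; its subject becomes this certificate's issuer
 * @param issuerPrivateKey private key matching {@code issuerCert}, used to sign
 * @param publicKey        public key to certify
 * @param dn               subject distinguished name of the new certificate
 * @param validityDays     validity period in days, starting now
 * @param friendlyName     PKCS#12 friendly name stored as a bag attribute
 * @return the signed certificate
 * @throws InvalidKeyException      if the issuer key cannot be used for signing
 * @throws SecurityException        if a security manager denies the operation
 * @throws SignatureException       if signing fails
 * @throws NoSuchAlgorithmException if the signature algorithm is unavailable
 * @throws DataLengthException      if a BouncyCastle encoding step rejects its input
 * @throws CertificateException     if the certificate cannot be generated or encoded
 */
public static X509Certificate generate(X509Certificate issuerCert, PrivateKey issuerPrivateKey, PublicKey publicKey,
        String dn, int validityDays, String friendlyName) throws InvalidKeyException, SecurityException,
        SignatureException, NoSuchAlgorithmException, DataLengthException, CertificateException {
    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();

    // Set certificate attributes.
    // Serial numbers must be unique per issuer (RFC 5280); the previous System.currentTimeMillis()
    // value repeated for certificates generated within the same millisecond and was predictable.
    certGen.setSerialNumber(newSerialNumber());
    certGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(issuerCert));
    certGen.setSubjectDN(new X509Principal(dn));
    certGen.setNotBefore(new Date());
    Calendar expiry = Calendar.getInstance();
    expiry.add(Calendar.DAY_OF_YEAR, validityDays);
    certGen.setNotAfter(expiry.getTime());
    certGen.setPublicKey(publicKey);
    // NOTE(review): SHA-1 signatures are deprecated; switch to SHA256WithRSAEncryption once every
    // PKINIT peer that consumes these certificates is confirmed to accept it.
    certGen.setSignatureAlgorithm("SHA1WithRSAEncryption");

    // The same key identifier serves both the SKI extension and the PKCS#12 localKeyId attribute.
    SubjectKeyIdentifier subjectKeyId = new SubjectKeyIdentifier(
            getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded())));
    certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, subjectKeyId);

    // MAY set BasicConstraints=false or not at all.
    certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
    certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(issuerCert));
    certGen.addExtension(X509Extensions.KeyUsage, true,
            new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment));

    ASN1EncodableVector keyPurposeVector = new ASN1EncodableVector();
    keyPurposeVector.add(KeyPurposeId.id_kp_smartcardlogon);
    //keyPurposeVector.add( KeyPurposeId.id_kp_serverAuth );
    DERSequence keyPurposeOids = new DERSequence(keyPurposeVector);
    // If critical, will throw unsupported EKU.
    certGen.addExtension(X509Extensions.ExtendedKeyUsage, false, keyPurposeOids);

    // id-pkinit-san otherName with an empty KRB5PrincipalName; the dNSName is fixed to "localhost"
    // (presumably a test/development setting — confirm before reusing this generator elsewhere).
    ASN1EncodableVector pkinitSanVector = new ASN1EncodableVector();
    pkinitSanVector.add(ID_PKINIT_SAN);
    pkinitSanVector.add(new DERTaggedObject(0, new DERSequence()));
    DERSequence pkinitSan = new DERSequence(pkinitSanVector);
    String dnsName = "localhost";
    GeneralName name1 = new GeneralName(GeneralName.otherName, pkinitSan);
    GeneralName name2 = new GeneralName(GeneralName.dNSName, dnsName);
    GeneralNamesBuilder genNamesBuilder = new GeneralNamesBuilder();
    genNamesBuilder.addName(name1);
    genNamesBuilder.addName(name2);
    GeneralNames sanGeneralNames = genNamesBuilder.build();
    certGen.addExtension(X509Extensions.SubjectAlternativeName, true, sanGeneralNames);

    /*
     * The KDC MAY require the presence of an Extended Key Usage (EKU) KeyPurposeId
     * [RFC3280] id-pkinit-KPClientAuth in the extensions field of the client's
     * X.509 certificate.
     */
    /*
     * The digitalSignature key usage bit [RFC3280] MUST be asserted when the
     * intended purpose of the client's X.509 certificate is restricted with
     * the id-pkinit-KPClientAuth EKU.
     */
    /*
     * KDCs implementing this requirement SHOULD also accept the EKU KeyPurposeId
     * id-ms-kp-sc-logon (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as
     * there are a large number of X.509 client certificates deployed for use
     * with PKINIT that have this EKU.
     */

    // KDC
    /*
     * In addition, unless the client can otherwise verify that the public key
     * used to verify the KDC's signature is bound to the KDC of the target realm,
     * the KDC's X.509 certificate MUST contain a Subject Alternative Name extension
     * [RFC3280] carrying an AnotherName whose type-id is id-pkinit-san (as defined
     * in Section 3.2.2) and whose value is a KRB5PrincipalName that matches the
     * name of the TGS of the target realm (as defined in Section 7.3 of [RFC4120]).
     */
    /*
     * Unless the client knows by some other means that the KDC certificate is
     * intended for a Kerberos KDC, the client MUST require that the KDC certificate
     * contains the EKU KeyPurposeId [RFC3280] id-pkinit-KPKdc.
     */
    /*
     * The digitalSignature key usage bit [RFC3280] MUST be asserted when the
     * intended purpose of the KDC's X.509 certificate is restricted with the
     * id-pkinit-KPKdc EKU.
     */
    /*
     * If the KDC certificate contains the Kerberos TGS name encoded as an id-pkinit-san
     * SAN, this certificate is certified by the issuing CA as a KDC certificate,
     * therefore the id-pkinit-KPKdc EKU is not required.
     */
    /*
     * KDC certificates issued by Windows 2000 Enterprise CAs contain a dNSName
     * SAN with the DNS name of the host running the KDC, and the id-kp-serverAuth
     * EKU [RFC3280].
     */
    /*
     * KDC certificates issued by Windows 2003 Enterprise CAs contain a dNSName
     * SAN with the DNS name of the host running the KDC, the id-kp-serverAuth
     * EKU, and the id-ms-kp-sc-logon EKU.
     */
    /*
     * RFC: KDC certificates with id-pkinit-san SAN as specified in this RFC.
     *
     * MS: dNSName SAN containing the domain name of the KDC
     *     id-pkinit-KPKdc EKU
     *     id-kp-serverAuth EKU.
     */
    /*
     * Client certificates accepted by Windows 2000 and Windows 2003 Server KDCs
     * must contain an id-ms-san-sc-logon-upn (1.3.6.1.4.1.311.20.2.3) SAN and
     * the id-ms-kp-sc-logon EKU. The id-ms-san-sc-logon-upn SAN contains a
     * UTF8-encoded string whose value is that of the Directory Service attribute
     * UserPrincipalName of the client account object, and the purpose of including
     * the id-ms-san-sc-logon-upn SAN in the client certificate is to validate
     * the client mapping (in other words, the client's public key is bound to
     * the account that has this UserPrincipalName value).
     */

    X509Certificate cert = certGen.generate(issuerPrivateKey);
    PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert;
    bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName));
    bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, subjectKeyId);
    return cert;
}

/**
 * Returns a fresh random serial number.
 *
 * <p>128 random bits with bit 127 forced on: the value is always positive and non-zero as RFC 5280
 * requires, and its DER encoding (17 octets including the sign byte) stays within the 20-octet limit.
 */
private static BigInteger newSerialNumber() {
    return new BigInteger(128, new java.security.SecureRandom()).setBit(127);
}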
From source file:org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneTest.java
License:Apache License
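@Test
public void testStaticHostnameNoSan() throws Exception {
    String hostname = "static.nifi.apache.org";
    runAndAssertExitCode(ExitCode.SUCCESS, "-o", tempDir.getAbsolutePath(), "-n", hostname);
    X509Certificate x509Certificate = checkLoadCertPrivateKey(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM);
    Certificate[] certificateChain = loadCertificateChain(hostname, x509Certificate);
    X509Certificate clientCert = (X509Certificate) certificateChain[0];

    // getSubjectAlternativeNames() returns null when the extension is absent; check it explicitly so
    // a missing SAN fails as an assertion instead of a NullPointerException on size().
    Collection<List<?>> clientSaNames = clientCert.getSubjectAlternativeNames();
    assertTrue("certificate has no SubjectAlternativeName extension", clientSaNames != null);
    // Must have one san that matches
    assertEquals(1, clientSaNames.size());
    List<?> firstSan = clientSaNames.iterator().next();
    assertEquals(GeneralName.dNSName, firstSan.get(0));
    assertEquals(hostname, firstSan.get(1));
}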
From source file:org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneTest.java
License:Apache License
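@Test
public void testStaticHostnameStaticSan() throws Exception {
    String hostname = "static.nifi.apache.org";
    String san = "alternative.nifi.apache.org";
    runAndAssertExitCode(ExitCode.SUCCESS, "-o", tempDir.getAbsolutePath(), "-n", hostname,
            "--subjectAlternativeName", san);
    X509Certificate x509Certificate = checkLoadCertPrivateKey(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM);
    Certificate[] certificateChain = loadCertificateChain(hostname, x509Certificate);
    X509Certificate clientCert = (X509Certificate) certificateChain[0];

    // getSubjectAlternativeNames() returns null when the extension is absent; check it explicitly so
    // a missing SAN fails as an assertion instead of a NullPointerException on size().
    Collection<List<?>> clientSaNames = clientCert.getSubjectAlternativeNames();
    assertTrue("certificate has no SubjectAlternativeName extension", clientSaNames != null);
    // Must have two sans, and one san that matches
    assertEquals(2, clientSaNames.size());
    // Index 1 is presumably the explicitly requested SAN, the CN-derived name coming first in the
    // extension — verify against TlsHelper if the ordering ever changes.
    List<?>[] sans = clientSaNames.toArray(new List<?>[0]);
    List<?> explicitSan = sans[1];
    assertEquals(GeneralName.dNSName, explicitSan.get(0));
    assertEquals(san, explicitSan.get(1));
}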
From source file:org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneTest.java
License:Apache License
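@Test
public void testDynamicHostnameStaticSan() throws Exception {
    String nodeNames = "node[1-2].nifi.apache.org";
    String san = "alternative.nifi.apache.org";
    runAndAssertExitCode(ExitCode.SUCCESS, "-o", tempDir.getAbsolutePath(), "-n", nodeNames,
            "--subjectAlternativeName", san);
    X509Certificate x509Certificate = checkLoadCertPrivateKey(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM);
    Stream<InstanceIdentifier> hostIds = InstanceIdentifier
            .createIdentifiers(Arrays.stream(new String[] { nodeNames }));
    for (InstanceIdentifier hostInstance : (Iterable<InstanceIdentifier>) hostIds::iterator) {
        String host = hostInstance.getHostname();
        Certificate[] certificateChain = loadCertificateChain(host, x509Certificate);
        X509Certificate clientCert = (X509Certificate) certificateChain[0];

        // getSubjectAlternativeNames() returns null when the extension is absent; check it explicitly
        // so a missing SAN fails as an assertion that names the host, not as a NullPointerException.
        Collection<List<?>> clientSaNames = clientCert.getSubjectAlternativeNames();
        assertTrue("certificate for " + host + " has no SubjectAlternativeName extension", clientSaNames != null);
        // Must have two sans, and one san that matches
        assertEquals(2, clientSaNames.size());
        // Index 1 is presumably the explicitly requested SAN, the CN-derived name coming first in the
        // extension — verify against TlsHelper if the ordering ever changes.
        List<?>[] sans = clientSaNames.toArray(new List<?>[0]);
        List<?> explicitSan = sans[1];
        assertEquals(GeneralName.dNSName, explicitSan.get(0));
        assertEquals(san, explicitSan.get(1));
    }
}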
From source file:org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneTest.java
License:Apache License
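@Test
public void testDynamicHostnameDynamicSansSameRange() throws Exception {
    String nodeNames = "node[1-2].nifi.apache.org";
    String saNames = "alternative[1-2].nifi.apache.org";
    runAndAssertExitCode(ExitCode.SUCCESS, "-o", tempDir.getAbsolutePath(), "-n", nodeNames,
            "--subjectAlternativeName", saNames);
    X509Certificate x509Certificate = checkLoadCertPrivateKey(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM);
    Stream<InstanceIdentifier> hostIds = InstanceIdentifier
            .createIdentifiers(Arrays.stream(new String[] { nodeNames }));
    Stream<InstanceIdentifier> sansIds = InstanceIdentifier
            .createIdentifiers(Arrays.stream(new String[] { saNames }));
    String[] nodeHosts = hostIds.map(InstanceIdentifier::getHostname).toArray(String[]::new);
    String[] sanHosts = sansIds.map(InstanceIdentifier::getHostname).toArray(String[]::new);
    // Hosts and SANs are expanded from equal-sized ranges and paired positionally.
    assertEquals(nodeHosts.length, sanHosts.length);
    for (int i = 0; i < nodeHosts.length; i++) {
        String host = nodeHosts[i];
        String san = sanHosts[i];
        Certificate[] certificateChain = loadCertificateChain(host, x509Certificate);
        X509Certificate clientCert = (X509Certificate) certificateChain[0];

        // getSubjectAlternativeNames() returns null when the extension is absent; check it explicitly
        // so a missing SAN fails as an assertion that names the host, not as a NullPointerException.
        Collection<List<?>> clientSaNames = clientCert.getSubjectAlternativeNames();
        assertTrue("certificate for " + host + " has no SubjectAlternativeName extension", clientSaNames != null);
        // Must have two sans, and both must match
        assertEquals(2, clientSaNames.size());
        // Convert once: index 0 is the CN-derived name, index 1 the explicit SAN (presumably the order
        // TlsHelper writes the extension in — verify there if this assertion becomes order-sensitive).
        List<?>[] sans = clientSaNames.toArray(new List<?>[0]);
        List<?> hostSan = sans[0];
        assertEquals(GeneralName.dNSName, hostSan.get(0));
        assertEquals(host, hostSan.get(1));
        List<?> altSan = sans[1];
        assertEquals(GeneralName.dNSName, altSan.get(0));
        assertEquals(san, altSan.get(1));
    }
}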
From source file:org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneTest.java
License:Apache License
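@Test
public void testDynamicHostnameDynamicSansSameRangeDiffValues() throws Exception {
    String nodeNames = "node[1-2].nifi.apache.org";
    String saNames = "alternative[3-4].nifi.apache.org";
    runAndAssertExitCode(ExitCode.SUCCESS, "-o", tempDir.getAbsolutePath(), "-n", nodeNames,
            "--subjectAlternativeName", saNames);
    X509Certificate x509Certificate = checkLoadCertPrivateKey(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM);
    Stream<InstanceIdentifier> hostIds = InstanceIdentifier
            .createIdentifiers(Arrays.stream(new String[] { nodeNames }));
    Stream<InstanceIdentifier> sansIds = InstanceIdentifier
            .createIdentifiers(Arrays.stream(new String[] { saNames }));
    String[] nodeHosts = hostIds.map(InstanceIdentifier::getHostname).toArray(String[]::new);
    String[] sanHosts = sansIds.map(InstanceIdentifier::getHostname).toArray(String[]::new);
    // The ranges differ in value ([1-2] vs [3-4]) but not in size; entries are paired positionally.
    assertEquals(nodeHosts.length, sanHosts.length);
    for (int i = 0; i < nodeHosts.length; i++) {
        String host = nodeHosts[i];
        String san = sanHosts[i];
        Certificate[] certificateChain = loadCertificateChain(host, x509Certificate);
        X509Certificate clientCert = (X509Certificate) certificateChain[0];

        // getSubjectAlternativeNames() returns null when the extension is absent; check it explicitly
        // so a missing SAN fails as an assertion that names the host, not as a NullPointerException.
        Collection<List<?>> clientSaNames = clientCert.getSubjectAlternativeNames();
        assertTrue("certificate for " + host + " has no SubjectAlternativeName extension", clientSaNames != null);
        // Must have two sans, and both must match
        assertEquals(2, clientSaNames.size());
        // Convert once: index 0 is the CN-derived name, index 1 the explicit SAN (presumably the order
        // TlsHelper writes the extension in — verify there if this assertion becomes order-sensitive).
        List<?>[] sans = clientSaNames.toArray(new List<?>[0]);
        List<?> hostSan = sans[0];
        assertEquals(GeneralName.dNSName, hostSan.get(0));
        assertEquals(host, hostSan.get(1));
        List<?> altSan = sans[1];
        assertEquals(GeneralName.dNSName, altSan.get(0));
        assertEquals(san, altSan.get(1));
    }
}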
From source file:org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneTest.java
License:Apache License
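@Test
public void testDynamicHostnameDynamicSansSameRangeReverseOrder() throws Exception {
    String nodeNames = "node[1-2].nifi.apache.org";
    String saNames = "alternative[2-1].nifi.apache.org";
    runAndAssertExitCode(ExitCode.SUCCESS, "-o", tempDir.getAbsolutePath(), "-n", nodeNames,
            "--subjectAlternativeName", saNames);
    X509Certificate x509Certificate = checkLoadCertPrivateKey(TlsConfig.DEFAULT_KEY_PAIR_ALGORITHM);
    Stream<InstanceIdentifier> hostIds = InstanceIdentifier
            .createIdentifiers(Arrays.stream(new String[] { nodeNames }));
    Stream<InstanceIdentifier> sansIds = InstanceIdentifier
            .createIdentifiers(Arrays.stream(new String[] { saNames }));
    String[] nodeHosts = hostIds.map(InstanceIdentifier::getHostname).toArray(String[]::new);
    String[] sanHosts = sansIds.map(InstanceIdentifier::getHostname).toArray(String[]::new);
    // Guard against a silently empty expansion: zero hosts would make the loop below vacuous.
    assertTrue(nodeHosts.length > 0);
    assertEquals(nodeHosts.length, sanHosts.length);
    for (int i = 0; i < nodeHosts.length; i++) {
        String host = nodeHosts[i];
        String san = sanHosts[i];
        Certificate[] certificateChain = loadCertificateChain(host, x509Certificate);
        X509Certificate clientCert = (X509Certificate) certificateChain[0];

        // getSubjectAlternativeNames() returns null when the extension is absent; check it explicitly
        // so a missing SAN fails as an assertion that names the host, not as a NullPointerException.
        Collection<List<?>> clientSaNames = clientCert.getSubjectAlternativeNames();
        assertTrue("certificate for " + host + " has no SubjectAlternativeName extension", clientSaNames != null);
        // Must have sans + cn
        assertEquals(2, clientSaNames.size());
        // Convert once: index 0 is the CN-derived name, index 1 the explicit SAN (presumably the order
        // TlsHelper writes the extension in — verify there if this assertion becomes order-sensitive).
        List<?>[] sans = clientSaNames.toArray(new List<?>[0]);
        List<?> hostSan = sans[0];
        assertEquals(GeneralName.dNSName, hostSan.get(0));
        assertEquals(host, hostSan.get(1));
        List<?> altSan = sans[1];
        assertEquals(GeneralName.dNSName, altSan.get(0));
        assertEquals(san, altSan.get(1));
    }
}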
From source file:org.apache.nifi.toolkit.tls.util.TlsHelper.java
License:Apache License
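/**
 * Builds the SubjectAlternativeName extension set for a certificate request.
 *
 * <p>The CN of {@code requestedDn} always becomes the first dNSName; each comma-separated entry of
 * {@code domainAlternativeNames} follows as a further dNSName. Entries are trimmed and blank entries
 * skipped, so {@code "a.example, b.example"} and {@code "a.example,,b.example"} both yield two extra
 * names (previously the first form produced a name with a leading space and the second an empty name,
 * both of which would never match a hostname). Values are emitted as given; no hostname validation
 * is performed here.
 *
 * @param domainAlternativeNames comma-separated DNS names; may be null or blank
 * @param requestedDn            subject DN whose CN is used as the primary name
 * @return an {@link Extensions} set holding one non-critical SAN extension
 * @throws IOException if the CN cannot be extracted from {@code requestedDn}, or the extension cannot be encoded
 */
public static Extensions createDomainAlternativeNamesExtensions(String domainAlternativeNames, String requestedDn)
        throws IOException {
    List<GeneralName> namesList = new ArrayList<>();
    try {
        // getRDNs(CN)[0] throws when the DN carries no CN; the broad catch turns that and any DN parse
        // failure into the IOException callers already handle.
        final String cn = IETFUtils
                .valueToString(new X500Name(requestedDn).getRDNs(BCStyle.CN)[0].getFirst().getValue());
        namesList.add(new GeneralName(GeneralName.dNSName, cn));
    } catch (Exception e) {
        throw new IOException("Failed to extract CN from request DN: " + requestedDn, e);
    }
    if (StringUtils.isNotBlank(domainAlternativeNames)) {
        for (String alternativeName : domainAlternativeNames.split(",")) {
            String trimmedName = alternativeName.trim();
            if (!trimmedName.isEmpty()) {
                namesList.add(new GeneralName(GeneralName.dNSName, trimmedName));
            }
        }
    }
    GeneralNames subjectAltNames = new GeneralNames(namesList.toArray(new GeneralName[0]));
    ExtensionsGenerator extGen = new ExtensionsGenerator();
    extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
    return extGen.generate();
}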
From source file:org.apache.nifi.toolkit.tls.util.TlsHelperTest.java
License:Apache License
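/**
 * Lists the SubjectAlternativeName entries carried in the CSR's extensionRequest attribute.
 *
 * <p>Each entry is rendered as {@code "<label>: <value>"} where the label is {@code DNS},
 * {@code IP Address} or {@code Other Name}, and empty for any other GeneralName tag. A CSR without
 * an extensionRequest attribute, or whose extensions hold no SAN, yields an empty list rather than
 * failing.
 *
 * @param csr the certification request to inspect
 * @return the rendered SAN entries in request order; never null
 */
private List<String> extractSanFromCsr(JcaPKCS10CertificationRequest csr) {
    List<String> sans = new ArrayList<>();
    for (Attribute attribute : csr.getAttributes()) {
        if (!attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
            continue;
        }
        Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
        GeneralNames gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);
        // fromExtensions returns null when the SAN extension is absent; previously this was an NPE
        // on getNames() instead of a clean "no SANs" result.
        if (gns == null) {
            continue;
        }
        for (GeneralName name : gns.getNames()) {
            logger.info("Type: " + name.getTagNo() + " | Name: " + name.getName());
            sans.add(sanLabel(name.getTagNo()) + ": " + name.getName());
        }
    }
    return sans;
}

/** Maps the GeneralName tags this test distinguishes to a label; every other tag maps to "". */
private static String sanLabel(int tagNo) {
    switch (tagNo) {
        case GeneralName.dNSName:
            return "DNS";
        case GeneralName.iPAddress:
            return "IP Address";
        case GeneralName.otherName:
            return "Other Name";
        default:
            return "";
    }
}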