List of usage examples for org.bouncycastle.asn1.x509 GeneralName GeneralName
public GeneralName(X500Name dirName)
From source file:eu.europa.ec.markt.dss.DSSUtils.java
License:Open Source License
/** * @param certificate//from w w w. j ava 2 s. co m * @return */ public static IssuerSerial getIssuerSerial(final X509Certificate certificate) { final X500Name issuerX500Name = DSSUtils.getX509CertificateHolder(certificate).getIssuer(); final GeneralName generalName = new GeneralName(issuerX500Name); final GeneralNames generalNames = new GeneralNames(generalName); final BigInteger serialNumber = certificate.getSerialNumber(); final IssuerSerial issuerSerial = new IssuerSerial(generalNames, serialNumber); return issuerSerial; }
From source file:eu.europa.ec.markt.dss.validation102853.ocsp.SKOnlineOCSPSource.java
License:GNU General Public License
private byte[] buildOCSPRequest(final X509Certificate signCert, final X509Certificate issuerCert, Extension nonceExtension) throws DSSException { try {/*w w w. ja v a2 s. co m*/ final CertificateID certId = DSSRevocationUtils.getOCSPCertificateID(signCert, issuerCert); final OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder(); ocspReqBuilder.addRequest(certId); ocspReqBuilder.setRequestExtensions(new Extensions(nonceExtension)); if (configuration.hasToBeOCSPRequestSigned()) { JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA1withRSA"); if (!configuration.isOCSPSigningConfigurationAvailable()) { throw new ConfigurationException( "Configuration needed for OCSP request signing is not complete."); } SignatureToken ocspSigner = new PKCS12SignatureToken( configuration.getOCSPAccessCertificateFileName(), configuration.getOCSPAccessCertificatePassword()); ContentSigner contentSigner = signerBuilder.build(ocspSigner.getPrivateKey()); X509Certificate ocspSignerCert = ocspSigner.getCertificate(); X509CertificateHolder[] chain = { new X509CertificateHolder(ocspSignerCert.getEncoded()) }; GeneralName generalName = new GeneralName( new JcaX509CertificateHolder(ocspSignerCert).getSubject()); ocspReqBuilder.setRequestorName(generalName); return ocspReqBuilder.build(contentSigner, chain).getEncoded(); } return ocspReqBuilder.build().getEncoded(); } catch (Exception e) { throw new DSSException(e); } }
From source file:eu.europa.esig.dss.DSSASN1Utils.java
License:Open Source License
/** * This method returns a new IssuerSerial based on the certificate token * * @param certToken/*from w ww .j ava 2s . c om*/ * the certificate token * @return a IssuerSerial */ public static IssuerSerial getIssuerSerial(final CertificateToken certToken) { final X500Name issuerX500Name = getX509CertificateHolder(certToken).getIssuer(); final GeneralName generalName = new GeneralName(issuerX500Name); final GeneralNames generalNames = new GeneralNames(generalName); final BigInteger serialNumber = certToken.getCertificate().getSerialNumber(); final IssuerSerial issuerSerial = new IssuerSerial(generalNames, serialNumber); return issuerSerial; }
From source file:eu.optimis.ics.BrokerVPNCredentials.CACredentials.java
License:Open Source License
public X509CertificateHolder genCACertificate(KeyPair CAKP) throws CertIOException, NoSuchAlgorithmException { BigInteger serial = BigInteger.valueOf(42); Date notBefore = new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30); Date notAfter = new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365)); SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(CAKP.getPublic().getEncoded()); // Same issuer and subject for the self-signed CA certificate X500Name issuer = new X500Name( "C=UK, ST=Suffolk, L=Ipswich, O=BT, OU=R&T, CN=CloudShadow, Name=Ali, emailAddress=ali.sajjad@bt.com"); X500Name subject = new X500Name( "C=UK, ST=Suffolk, L=Ipswich, O=BT, OU=R&T, CN=CloudShadow, Name=Ali, emailAddress=ali.sajjad@bt.com"); X509v3CertificateBuilder v3CertBuilder = new X509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, publicKeyInfo);// www . ja va2s. c o m GeneralNames gNames = new GeneralNames(new GeneralName(issuer)); v3CertBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, new JcaX509ExtensionUtils().createSubjectKeyIdentifier(publicKeyInfo)); v3CertBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifier(publicKeyInfo, gNames, serial)); v3CertBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(true)); ContentSigner sigGen = null; try { sigGen = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(CAKP.getPrivate()); } catch (OperatorCreationException e) { e.printStackTrace(); } return v3CertBuilder.build(sigGen); }
From source file:eu.optimis.ics.Credentials.CACredentials.java
License:Open Source License
protected X509CertificateHolder genCACertificate(KeyPair CAKP) { BigInteger serial = BigInteger.valueOf(new SecureRandom().nextLong()).abs(); Date notBefore = new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30); Date notAfter = new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365)); SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(CAKP.getPublic().getEncoded()); // Same issuer and subject for the self-signed CA certificate X500Name issuer = new X500Name( "C=UK, ST=Suffolk, L=Ipswich, O=BT, OU=R&T, CN=CloudShadow, Name=Ali, emailAddress=ali.sajjad@bt.com"); X500Name subject = new X500Name( "C=UK, ST=Suffolk, L=Ipswich, O=BT, OU=R&T, CN=CloudShadow, Name=Ali, emailAddress=ali.sajjad@bt.com"); X509v3CertificateBuilder v3CertBuilder = new X509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, publicKeyInfo);/*from w w w.j a v a2s . com*/ GeneralNames gNames = new GeneralNames(new GeneralName(issuer)); v3CertBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifier(publicKeyInfo)); v3CertBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifier(publicKeyInfo, gNames, serial)); v3CertBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(true)); ContentSigner sigGen = null; try { sigGen = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(CAKP.getPrivate()); } catch (OperatorCreationException e) { e.printStackTrace(); } return v3CertBuilder.build(sigGen); }
From source file:it.trento.comune.j4sign.cms.ExternalSignatureSignerInfoGenerator.java
License:Open Source License
/** * Builds the SignerCertificateV2 attribute according to RFC2634(Enhanced * Security Services (ESS)) + RFC5035(ESS Update: AddingCertID Algorithm * Agility).<br>/*from www . ja v a2 s. c om*/ * This signed attribute is mandatory for CAdES-BES (ETSI TS 101 733) * compliancy. * * @param sigProvider * the provider to use for digest calculation. * @return the SignerCertificateV2 attribute calculated from to the current * certificate and digest algorithm. * @throws NoSuchAlgorithmException * @throws NoSuchProviderException * @throws CertificateEncodingException * @throws IOException */ private Attribute buildSigningCertificateV2Attribute(String sigProvider) throws NoSuchAlgorithmException, NoSuchProviderException, CertificateEncodingException, IOException { X509Certificate cert = this.getCertificate(); MessageDigest dig = MessageDigest.getInstance(this.getDigestAlgOID(), sigProvider); byte[] certHash = dig.digest(cert.getEncoded()); // ricavo issuerandserialnumber (ID) del certificato // byte[] encodedCert = this.cert.getEncoded(); // ASN1InputStream ais = new ASN1InputStream(encodedCert); // DERObject derObj = ais.readObject(); // ASN1Sequence asn1Seq = (ASN1Sequence) derObj; // ais.close(); // X509CertificateStructure x509CStructure = new // X509CertificateStructure( // asn1Seq); // X509Name x509Name = x509CStructure.getIssuer(); // DERInteger serialNum = x509CStructure.getSerialNumber(); // GeneralName generalName = new GeneralName(x509Name); // GeneralNames generalNames = new GeneralNames(generalName); // ROB: more directly JcaX509CertificateHolder holder = new JcaX509CertificateHolder(cert); X500Name x500name = holder.getIssuer(); GeneralName generalName = new GeneralName(x500name); GeneralNames generalNames = new GeneralNames(generalName); DERInteger serialNum = new DERInteger(holder.getSerialNumber()); IssuerSerial issuerserial = new IssuerSerial(generalNames, serialNum); // --- ESSCertIDv2 essCert = new ESSCertIDv2(new AlgorithmIdentifier(getDigestAlgOID()), certHash, issuerserial); // ESSCertIDv2 essCert = new ESSCertIDv2(new AlgorithmIdentifier( // getDigestAlgOID()), certHash); SigningCertificateV2 scv2 = new SigningCertificateV2(new ESSCertIDv2[] { essCert }); return new Attribute(PKCSObjectIdentifiers.id_aa_signingCertificateV2, new DERSet(scv2)); }
From source file:mitm.common.security.certificate.impl.StandardX509CertificateBuilder.java
License:Open Source License
protected AuthorityKeyIdentifier getAuthorityKeyIdentifier(X509Certificate issuerCertificate) throws CertificateParsingException, IOException { X509CertificateInspector inspector = new X509CertificateInspector(issuerCertificate); /*/*from w w w . ja va 2s.c o m*/ * We must add the issuer of the issuer certificate! not the subject of the issuer certificate * The subject / serial number is already contained in the certificate to be issued. The * issuer of the issuer is added to identify multiple paths if an intermediate can be signed * by multiple ca's */ GeneralNames names = new GeneralNames(new GeneralName(inspector.getIssuerX500Name())); AuthorityKeyIdentifier authorityKeyIdentifier; byte[] subjectKeyIdentifier = inspector.getSubjectKeyIdentifier(); if (subjectKeyIdentifier != null) { authorityKeyIdentifier = new AuthorityKeyIdentifier(subjectKeyIdentifier, names, issuerCertificate.getSerialNumber()); } else { authorityKeyIdentifier = new AuthorityKeyIdentifier(names, issuerCertificate.getSerialNumber()); } return authorityKeyIdentifier; }
From source file:org.cesecore.util.CertTools.java
License:Open Source License
/** * Checks that the given SubjectDN / SAN satisfies the Name Constraints of the given issuer (if there are any). * This method checks the Name Constraints in the given issuer only. A complete implementation of * name constraints should check the whole certificate chain. * //from w ww . j a v a 2 s. c o m * @param issuer Issuing CA. * @param subjectDNName Subject DN to check. Optional. * @param subjectAltName Subject Alternative Name to check. Optional. * @throws CertificateExtensionException */ public static void checkNameConstraints(X509Certificate issuer, X500Name subjectDNName, GeneralNames subjectAltName) throws IllegalNameException { final byte[] ncbytes = issuer.getExtensionValue(Extension.nameConstraints.getId()); final ASN1OctetString ncstr = (ncbytes != null ? DEROctetString.getInstance(ncbytes) : null); final ASN1Sequence ncseq = (ncbytes != null ? DERSequence.getInstance(ncstr.getOctets()) : null); final NameConstraints nc = (ncseq != null ? NameConstraints.getInstance(ncseq) : null); if (nc != null) { if (subjectDNName != null) { // Skip check for root CAs final X500Name issuerDNName = X500Name.getInstance(issuer.getSubjectX500Principal().getEncoded()); if (issuerDNName.equals(subjectDNName)) { return; } } final PKIXNameConstraintValidator validator = new PKIXNameConstraintValidator(); GeneralSubtree[] permitted = nc.getPermittedSubtrees(); GeneralSubtree[] excluded = nc.getExcludedSubtrees(); if (permitted != null) { validator.intersectPermittedSubtree(permitted); } if (excluded != null) { for (GeneralSubtree subtree : excluded) { validator.addExcludedSubtree(subtree); } } if (subjectDNName != null) { GeneralName dngn = new GeneralName(subjectDNName); try { validator.checkPermitted(dngn); validator.checkExcluded(dngn); } catch (PKIXNameConstraintValidatorException e) { final String dnStr = subjectDNName.toString(); final boolean isLdapOrder = dnHasMultipleComponents(dnStr) && !isDNReversed(dnStr); if (isLdapOrder) { final String msg = intres.getLocalizedMessage("nameconstraints.x500dnorderrequired"); throw new IllegalNameException(msg); } else { final String msg = intres.getLocalizedMessage("nameconstraints.forbiddensubjectdn", subjectDNName); throw new IllegalNameException(msg, e); } } } if (subjectAltName != null) { for (GeneralName sangn : subjectAltName.getNames()) { try { validator.checkPermitted(sangn); validator.checkExcluded(sangn); } catch (PKIXNameConstraintValidatorException e) { final String msg = intres.getLocalizedMessage("nameconstraints.forbiddensubjectaltname", sangn); throw new IllegalNameException(msg, e); } } } } }
From source file:org.cryptable.pki.communication.PKICMPMessages.java
License:Open Source License
private byte[] createProtectedPKIMessage(PKIBody pkiBody) throws CMPException, OperatorCreationException, IOException, CertificateEncodingException, PKICMPMessageException { senderNonce = new byte[64]; pkiKeyStore.getSecureRandom().nextBytes(senderNonce); if (transactionId == null) { transactionId = new byte[64]; pkiKeyStore.getSecureRandom().nextBytes(transactionId); }/* w ww . j av a 2 s . co m*/ ContentSigner signer = new JcaContentSignerBuilder("SHA1WithRSAEncryption") .setProvider(pkiKeyStore.getProvider()).build(pkiKeyStore.getSenderPrivateKey()); ProtectedPKIMessage message = new ProtectedPKIMessageBuilder( new GeneralName(JcaX500NameUtil.getSubject(pkiKeyStore.getSenderCertificate())), new GeneralName(JcaX500NameUtil.getSubject(pkiKeyStore.getRecipientCertificate()))) .setMessageTime(new Date()).setSenderNonce(senderNonce).setTransactionID(transactionId) .addCMPCertificate( new X509CertificateHolder(pkiKeyStore.getSenderCertificate().getEncoded())) .setBody(pkiBody).build(signer); return message.toASN1Structure().getEncoded(); }
From source file:org.cryptable.pki.communication.PKICMPMessagesTest.java
License:Open Source License
private byte[] createProtectedPKIMessage(byte[] senderNonce, byte[] transactionId, PKIBody pkiBody) throws CMPException, OperatorCreationException, IOException, CertificateEncodingException, PKICMPMessageException {// www . j a v a2 s . c o m byte[] recipientNonce = new byte[64]; pkiKeyStoreCA.getSecureRandom().nextBytes(recipientNonce); ContentSigner signer = new JcaContentSignerBuilder("SHA1WithRSAEncryption") .setProvider(pkiKeyStoreCA.getProvider()).build(pkiKeyStoreCA.getSenderPrivateKey()); ProtectedPKIMessage message = new ProtectedPKIMessageBuilder( new GeneralName(JcaX500NameUtil.getSubject(pkiKeyStoreCA.getSenderCertificate())), new GeneralName(JcaX500NameUtil.getSubject(pkiKeyStoreCA.getRecipientCertificate()))) .setMessageTime(new Date()).setSenderNonce(recipientNonce).setRecipNonce(senderNonce) .setTransactionID(transactionId) .addCMPCertificate( new X509CertificateHolder(pkiKeyStoreCA.getSenderCertificate().getEncoded())) .setBody(pkiBody).build(signer); return message.toASN1Structure().getEncoded(); }