List of usage examples for org.bouncycastle.asn1.x509 GeneralName GeneralName
public GeneralName(int tag, String name)
From source file:com.bettertls.nameconstraints.CertificateGenerator.java
License:Apache License
private void generateCertificatesWithNames(KeyStore rootCa, String commonName, String dnsSan, String ipSan) throws Exception { GeneralNames sans = null;/*from ww w .j av a 2s.com*/ if (dnsSan != null || ipSan != null) { List<GeneralName> generalNames = new ArrayList<>(); if (dnsSan != null) { generalNames.add(new GeneralName(GeneralName.dNSName, dnsSan)); } if (ipSan != null) { generalNames.add(new GeneralName(GeneralName.iPAddress, ipSan)); } sans = new GeneralNames(generalNames.toArray(new GeneralName[generalNames.size()])); } for (String ncIpWhitelist : new String[] { null, ipSubtree, invalidIpSubtree }) { for (String ncDnsWhitelist : new String[] { null, hostSubtree, invalidHostSubtree }) { List<GeneralSubtree> permittedWhitelist = new ArrayList<>(); if (ncIpWhitelist != null) { permittedWhitelist .add(new GeneralSubtree(new GeneralName(GeneralName.iPAddress, ncIpWhitelist))); } if (ncDnsWhitelist != null) { permittedWhitelist .add(new GeneralSubtree(new GeneralName(GeneralName.dNSName, ncDnsWhitelist))); } for (String ncIpBlacklist : new String[] { null, ipSubtree, invalidIpSubtree }) { for (String ncDnsBlacklist : new String[] { null, hostSubtree, invalidHostSubtree }) { List<GeneralSubtree> permittedBlacklist = new ArrayList<>(); if (ncIpBlacklist != null) { permittedBlacklist .add(new GeneralSubtree(new GeneralName(GeneralName.iPAddress, ncIpBlacklist))); } if (ncDnsBlacklist != null) { permittedBlacklist .add(new GeneralSubtree(new GeneralName(GeneralName.dNSName, ncDnsBlacklist))); } NameConstraints nameConstraints = null; if (permittedWhitelist.size() != 0 || permittedBlacklist.size() != 0) { nameConstraints = new NameConstraints( permittedWhitelist.size() == 0 ? null : permittedWhitelist .toArray(new GeneralSubtree[permittedWhitelist.size()]), permittedBlacklist.size() == 0 ? null : permittedBlacklist .toArray(new GeneralSubtree[permittedBlacklist.size()])); } System.out.println("Generating certificate " + nextCertId + "..."); writeCertificateSet(makeTree(nextCertId, rootCa, nameConstraints, commonName, sans), outputDir, Integer.toString(nextCertId)); // Build a manifest JSON entry for the certificate JSONArray manifestSans = new JSONArray(); if (dnsSan != null) { manifestSans.put(dnsSan); } if (ipSan != null) { manifestSans.put(ipSan); } JSONObject manifestNcs = new JSONObject(); JSONArray manifestNcWhitelist = new JSONArray(); if (ncDnsWhitelist != null) { manifestNcWhitelist.put(ncDnsWhitelist); } if (ncIpWhitelist != null) { manifestNcWhitelist.put(ncIpWhitelist); } JSONArray manifestNcBlacklist = new JSONArray(); if (ncDnsBlacklist != null) { manifestNcBlacklist.put(ncDnsBlacklist); } if (ncIpBlacklist != null) { manifestNcBlacklist.put(ncIpBlacklist); } manifestNcs.put("whitelist", manifestNcWhitelist); manifestNcs.put("blacklist", manifestNcBlacklist); certManifest.put(new JSONObject().put("id", nextCertId).put("commonName", commonName) .put("sans", manifestSans).put("nameConstraints", manifestNcs)); nextCertId += 1; } } } } }
From source file:com.example.androidtest.SslUtil.java
License:Open Source License
/** * Generates a new, self-signed X509 V3 certificate for a KeyPair. * /*from w w w.j av a2 s . c om*/ * @param pair the {@link KeyPair} to be used * @param name X.500 distinguished name * @param notBefore not valid before this date * @param notAfter not valid after this date * @param serialNumber serial number * @return the new certificate * @throws GeneralSecurityException on error generating the certificate */ @SuppressWarnings("deprecation") public static X509Certificate generateX509V3Certificate(KeyPair pair, String name, Date notBefore, Date notAfter, BigInteger serialNumber) throws GeneralSecurityException { java.security.Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); X509Name dnName = new X509Name(name); certGen.setSerialNumber(serialNumber); certGen.setIssuerDN(dnName); certGen.setSubjectDN(dnName); // note: same as issuer certGen.setNotBefore(notBefore); certGen.setNotAfter(notAfter); certGen.setPublicKey(pair.getPublic()); certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); // For self-signed certificates, OpenSSL 0.9.6 has specific requirements // about certificate and extension content. Quoting the `man verify`: // // In OpenSSL 0.9.6 and later all certificates whose subject name matches // the issuer name of the current certificate are subject to further // tests. The relevant authority key identifier components of the current // certificate (if present) must match the subject key identifier (if // present) and issuer and serial number of the candidate issuer, in // addition the keyUsage extension of the candidate issuer (if present) // must permit certificate signing. // // In the code that follows, // - the KeyUsage extension permits cert signing (KeyUsage.keyCertSign); // - the Authority Key Identifier extension is added, matching the // subject key identifier, and using the issuer, and serial number. certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.keyCertSign)); certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); AuthorityKeyIdentifier authIdentifier = createAuthorityKeyIdentifier(pair.getPublic(), dnName, serialNumber); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, true, authIdentifier); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, true, new SubjectKeyIdentifierStructure(pair.getPublic())); certGen.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(new GeneralName(GeneralName.rfc822Name, "googletv@test.test"))); // This method is deprecated, but Android Eclair does not provide the // generate() methods. X509Certificate cert = certGen.generateX509Certificate(pair.getPrivate(), "BC"); return cert; }
From source file:com.foilen.smalltools.crypt.bouncycastle.cert.RSACertificate.java
License:Open Source License
/** * Sign the {@link #setKeysForSigning(AsymmetricKeys)} with itself and put it in certificateHolder. * * @param certificateDetails/*from ww w . ja va2s .c om*/ * some information to store in the certificate * @return this */ public RSACertificate selfSign(CertificateDetails certificateDetails) { AssertTools.assertNotNull(keysForSigning, "The keysForSigning is not set"); AssertTools.assertNull(certificateHolder, "The certificate already exists"); try { RSAKeyDetails keyDetails = rsaCrypt.retrieveKeyDetails(keysForSigning); PrivateKey privKey = keyDetails.getJcaPrivateKey(); PublicKey publicKey = keyDetails.getJcaPublicKey(); ContentSigner sigGen = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(privKey); SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()); Date startDate = certificateDetails.getStartDate(); Date endDate = certificateDetails.getEndDate(); BigInteger serial = certificateDetails.getSerial(); // Common Name X500Name issuer = new X500Name("CN=" + certificateDetails.getCommonName()); X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(issuer, serial, startDate, endDate, issuer, subPubKeyInfo); // Subject Alternative Names (DNS) if (!CollectionsTools.isNullOrEmpty(certificateDetails.getSanDns())) { GeneralName[] altNames = new GeneralName[certificateDetails.getSanDns().size()]; int i = 0; for (String sanDns : certificateDetails.getSanDns()) { altNames[i++] = new GeneralName(GeneralName.dNSName, sanDns); } GeneralNames subjectAltNames = new GeneralNames(altNames); certificateBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltNames); } certificateHolder = certificateBuilder.build(sigGen); return this; } catch (Exception e) { throw new SmallToolsException("Problem signing the key", e); } }
From source file:com.foilen.smalltools.crypt.bouncycastle.cert.RSACertificate.java
License:Open Source License
/** * Sign another public key./* ww w . j av a 2 s . co m*/ * * @param publicKeyToSign * the public key to sign * @param certificateDetails * some information to store in the certificate * @return the new certificate */ public RSACertificate signPublicKey(AsymmetricKeys publicKeyToSign, CertificateDetails certificateDetails) { try { PrivateKey privKey = rsaCrypt.retrieveKeyDetails(keysForSigning).getJcaPrivateKey(); PublicKey publicKey = rsaCrypt.retrieveKeyDetails(publicKeyToSign).getJcaPublicKey(); ContentSigner sigGen = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(privKey); SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()); Date startDate = certificateDetails.getStartDate(); Date endDate = certificateDetails.getEndDate(); BigInteger serial = certificateDetails.getSerial(); X500Name issuer = new X500Name("CN=" + getCommonName()); X500Name subject = new X500Name("CN=" + certificateDetails.getCommonName()); X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(issuer, serial, startDate, endDate, subject, subPubKeyInfo); // Subject Alternative Names (DNS) if (!CollectionsTools.isNullOrEmpty(certificateDetails.getSanDns())) { GeneralName[] altNames = new GeneralName[certificateDetails.getSanDns().size()]; int i = 0; for (String sanDns : certificateDetails.getSanDns()) { altNames[i++] = new GeneralName(GeneralName.dNSName, sanDns); } GeneralNames subjectAltNames = new GeneralNames(altNames); certificateBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltNames); } X509CertificateHolder newCert = certificateBuilder.build(sigGen); return new RSACertificate(newCert, publicKeyToSign); } catch (Exception e) { throw new SmallToolsException("Problem signing the key", e); } }
From source file:com.gitblit.utils.X509Utils.java
License:Apache License
/** * Creates a new SSL certificate signed by the CA private key and stored in * keyStore./*from w w w. j a v a2 s . c o m*/ * * @param sslMetadata * @param caPrivateKey * @param caCert * @param targetStoreFile * @param x509log */ public static X509Certificate newSSLCertificate(X509Metadata sslMetadata, PrivateKey caPrivateKey, X509Certificate caCert, File targetStoreFile, X509Log x509log) { try { KeyPair pair = newKeyPair(); X500Name webDN = buildDistinguishedName(sslMetadata); X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName()); X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerDN, BigInteger.valueOf(System.currentTimeMillis()), sslMetadata.notBefore, sslMetadata.notAfter, webDN, pair.getPublic()); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); // support alternateSubjectNames for SSL certificates List<GeneralName> altNames = new ArrayList<GeneralName>(); if (HttpUtils.isIpAddress(sslMetadata.commonName)) { altNames.add(new GeneralName(GeneralName.iPAddress, sslMetadata.commonName)); } if (altNames.size() > 0) { GeneralNames subjectAltName = new GeneralNames(altNames.toArray(new GeneralName[altNames.size()])); certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); } ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC) .build(caPrivateKey); X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC) .getCertificate(certBuilder.build(caSigner)); cert.checkValidity(new Date()); cert.verify(caCert.getPublicKey()); // Save to keystore KeyStore serverStore = openKeyStore(targetStoreFile, sslMetadata.password); serverStore.setKeyEntry(sslMetadata.commonName, pair.getPrivate(), sslMetadata.password.toCharArray(), new Certificate[] { cert, caCert }); saveKeyStore(targetStoreFile, serverStore, sslMetadata.password); x509log.log(MessageFormat.format("New SSL certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getSubjectDN().getName())); // update serial number in metadata object sslMetadata.serialNumber = cert.getSerialNumber().toString(); return cert; } catch (Throwable t) { throw new RuntimeException("Failed to generate SSL certificate!", t); } }
From source file:com.gitblit.utils.X509Utils.java
License:Apache License
/** * Creates a new client certificate PKCS#12 and PEM store. Any existing * stores are destroyed.//from w ww . j a v a2 s. co m * * @param clientMetadata a container for dynamic parameters needed for generation * @param caKeystoreFile * @param caKeystorePassword * @param targetFolder * @return */ public static X509Certificate newClientCertificate(X509Metadata clientMetadata, PrivateKey caPrivateKey, X509Certificate caCert, File targetFolder) { try { KeyPair pair = newKeyPair(); X500Name userDN = buildDistinguishedName(clientMetadata); X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName()); // create a new certificate signed by the Gitblit CA certificate X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerDN, BigInteger.valueOf(System.currentTimeMillis()), clientMetadata.notBefore, clientMetadata.notAfter, userDN, pair.getPublic()); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature)); if (!StringUtils.isEmpty(clientMetadata.emailAddress)) { GeneralNames subjectAltName = new GeneralNames( new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress)); certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); } ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC) .build(caPrivateKey); X509Certificate userCert = new JcaX509CertificateConverter().setProvider(BC) .getCertificate(certBuilder.build(signer)); PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) pair.getPrivate(); bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, extUtils.createSubjectKeyIdentifier(pair.getPublic())); // confirm the validity of the user certificate userCert.checkValidity(); userCert.verify(caCert.getPublicKey()); userCert.getIssuerDN().equals(caCert.getSubjectDN()); // verify user certificate chain verifyChain(userCert, caCert); targetFolder.mkdirs(); // save certificate, stamped with unique name String date = new SimpleDateFormat("yyyyMMdd").format(new Date()); String id = date; File certFile = new File(targetFolder, id + ".cer"); int count = 0; while (certFile.exists()) { id = date + "_" + Character.toString((char) (0x61 + count)); certFile = new File(targetFolder, id + ".cer"); count++; } // save user private key, user certificate and CA certificate to a PKCS#12 store File p12File = new File(targetFolder, clientMetadata.commonName + ".p12"); if (p12File.exists()) { p12File.delete(); } KeyStore userStore = openKeyStore(p12File, clientMetadata.password); userStore.setKeyEntry( MessageFormat.format("Gitblit ({0}) {1} {2}", clientMetadata.serverHostname, clientMetadata.userDisplayname, id), pair.getPrivate(), null, new Certificate[] { userCert }); userStore.setCertificateEntry( MessageFormat.format("Gitblit ({0}) Certificate Authority", clientMetadata.serverHostname), caCert); saveKeyStore(p12File, userStore, clientMetadata.password); // save user private key, user certificate, and CA certificate to a PEM store File pemFile = new File(targetFolder, clientMetadata.commonName + ".pem"); if (pemFile.exists()) { pemFile.delete(); } JcePEMEncryptorBuilder builder = new JcePEMEncryptorBuilder("DES-EDE3-CBC"); builder.setSecureRandom(new SecureRandom()); PEMEncryptor pemEncryptor = builder.build(clientMetadata.password.toCharArray()); JcaPEMWriter pemWriter = new JcaPEMWriter(new FileWriter(pemFile)); pemWriter.writeObject(pair.getPrivate(), pemEncryptor); pemWriter.writeObject(userCert); pemWriter.writeObject(caCert); pemWriter.flush(); pemWriter.close(); // save certificate after successfully creating the key stores saveCertificate(userCert, certFile); // update serial number in metadata object clientMetadata.serialNumber = userCert.getSerialNumber().toString(); return userCert; } catch (Throwable t) { throw new RuntimeException("Failed to generate client certificate!", t); } }
From source file:com.github.spyhunter99.simplejks.CertGenBouncy.java
public static java.security.cert.Certificate selfSign(KeyPair keyPair, String subjectDN) throws OperatorCreationException, CertificateException, IOException { Provider bcProvider = new BouncyCastleProvider(); Security.addProvider(bcProvider); long now = System.currentTimeMillis(); Date startDate = new Date(now); X500Name dnName = new X500Name(subjectDN); BigInteger certSerialNumber = new BigInteger(Long.toString(now)); // <-- Using the current timestamp as the certificate serial number Calendar calendar = Calendar.getInstance(); calendar.setTime(startDate);/* ww w. j av a2 s . c om*/ calendar.add(Calendar.YEAR, 30); // <-- 1 Yr validity Date endDate = calendar.getTime(); String signatureAlgorithm = "SHA256WithRSA"; // <-- Use appropriate signature algorithm based on your keyPair algorithm. ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate()); JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(dnName, certSerialNumber, startDate, endDate, dnName, keyPair.getPublic()); // Extensions -------------------------- // Basic Constraints BasicConstraints basicConstraints = new BasicConstraints(true); // <-- true for CA, false for EndEntity certBuilder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, basicConstraints); // Basic Constraints is usually marked as critical. ASN1Encodable[] subjectAlternativeNames = new ASN1Encodable[] { new GeneralName(GeneralName.dNSName, "server"), new GeneralName(GeneralName.dNSName, "server.mydomain.com") }; DERSequence subjectAlternativeNamesExtension = new DERSequence(subjectAlternativeNames); certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAlternativeNamesExtension); // ------------------------------------- return new JcaX509CertificateConverter().setProvider(bcProvider) .getCertificate(certBuilder.build(contentSigner)); }
From source file:com.intirix.cloudpasswordmanager.services.ssl.CertPinningServiceImplUnitSpec.java
License:Apache License
public static X509Certificate generateV3Certificate(KeyPair pair) throws InvalidKeyException, NoSuchProviderException, SignatureException { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(new X500Principal("CN=Test Certificate")); certGen.setNotBefore(new Date(System.currentTimeMillis() - 10000)); certGen.setNotAfter(new Date(System.currentTimeMillis() + 10000)); certGen.setSubjectDN(new X500Principal("CN=Test Certificate")); certGen.setPublicKey(pair.getPublic()); certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); certGen.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(new GeneralName(GeneralName.rfc822Name, "test@test.test"))); return certGen.generateX509Certificate(pair.getPrivate(), "BC"); }
From source file:com.otterca.common.crypto.X509CertificateBuilderImpl.java
License:Apache License
/** * @see com.otterca.repository.util.X509CertificateBuilder#setEmailAddresses(java.lang.String) *///from w w w.ja v a2 s .c o m @Override public X509CertificateBuilder setEmailAddresses(String... emailAddresses) { for (String address : emailAddresses) { subjectNames.add(new GeneralName(GeneralName.rfc822Name, address)); } return this; }
From source file:com.otterca.common.crypto.X509CertificateBuilderImpl.java
License:Apache License
/** * @see com.otterca.repository.util.X509CertificateBuilder#setDnsNames(java.lang * .String)// w w w. j a v a 2s .c o m */ @Override public X509CertificateBuilder setDnsNames(String... dnsNames) { for (String name : dnsNames) { subjectNames.add(new GeneralName(GeneralName.dNSName, name)); } return this; }