List of usage examples for org.bouncycastle.asn1.x509 GeneralName GeneralName
public GeneralName(int tag, String name)
From source file:net.link.util.common.KeyUtils.java
License:Open Source License
public static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn, PrivateKey issuerPrivateKey, @Nullable X509Certificate issuerCert, DateTime notBefore, DateTime notAfter, String inSignatureAlgorithm, boolean caCert, boolean timeStampingPurpose, @Nullable URI ocspUri) {//w ww. ja v a2 s .c om try { String signatureAlgorithm = inSignatureAlgorithm; if (null == signatureAlgorithm) signatureAlgorithm = String.format("SHA1With%s", issuerPrivateKey.getAlgorithm()); X509Principal issuerDN; if (null != issuerCert) issuerDN = new X509Principal(issuerCert.getSubjectX500Principal().toString()); else issuerDN = new X509Principal(subjectDn); // new bc 2.0 API X509Principal subject = new X509Principal(subjectDn); SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded()); BigInteger serialNumber = new BigInteger(SERIALNUMBER_NUM_BITS, new SecureRandom()); X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder( X500Name.getInstance(issuerDN.toASN1Primitive()), serialNumber, notBefore.toDate(), notAfter.toDate(), X500Name.getInstance(subject.toASN1Primitive()), publicKeyInfo); // prepare signer ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(issuerPrivateKey); certificateBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, createSubjectKeyId(subjectPublicKey)); PublicKey issuerPublicKey; if (null != issuerCert) issuerPublicKey = issuerCert.getPublicKey(); else issuerPublicKey = subjectPublicKey; certificateBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, createAuthorityKeyId(issuerPublicKey)); certificateBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(caCert)); if (timeStampingPurpose) certificateBuilder.addExtension(X509Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping)); if (null != ocspUri) { GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, ocspUri.toString()); AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess( X509ObjectIdentifiers.ocspAccessMethod, ocspName); certificateBuilder.addExtension(X509Extension.authorityInfoAccess, false, authorityInformationAccess); } // build return new JcaX509CertificateConverter().setProvider("BC") .getCertificate(certificateBuilder.build(signer)); } catch (CertificateException e) { throw new InternalInconsistencyException("X.509 is not supported.", e); } catch (OperatorCreationException e) { throw new InternalInconsistencyException(e); } catch (CertIOException e) { throw new InternalInconsistencyException(e); } }
From source file:net.link.util.test.pkix.PkiTestUtils.java
License:Open Source License
public static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn, PrivateKey issuerPrivateKey, @Nullable X509Certificate issuerCert, DateTime notBefore, DateTime notAfter, @Nullable String signatureAlgorithm, boolean includeAuthorityKeyIdentifier, boolean caCert, boolean timeStampingPurpose, @Nullable URI ocspUri) throws IOException, CertificateException, OperatorCreationException { String finalSignatureAlgorithm = signatureAlgorithm; if (null == signatureAlgorithm) finalSignatureAlgorithm = "SHA512WithRSAEncryption"; X509Principal issuerDN;// w ww .ja v a 2 s. c om if (null != issuerCert) issuerDN = new X509Principal(issuerCert.getSubjectX500Principal().toString()); else issuerDN = new X509Principal(subjectDn); // new bc 2.0 API X509Principal subject = new X509Principal(subjectDn); SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded()); BigInteger serialNumber = new BigInteger(SERIALNUMBER_NUM_BITS, new SecureRandom()); X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder( X500Name.getInstance(issuerDN.toASN1Primitive()), serialNumber, notBefore.toDate(), notAfter.toDate(), X500Name.getInstance(subject.toASN1Primitive()), publicKeyInfo); // prepare signer ContentSigner signer = new JcaContentSignerBuilder(finalSignatureAlgorithm).build(issuerPrivateKey); // add extensions certificateBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, createSubjectKeyId(subjectPublicKey)); PublicKey issuerPublicKey; if (null != issuerCert) issuerPublicKey = issuerCert.getPublicKey(); else issuerPublicKey = subjectPublicKey; if (includeAuthorityKeyIdentifier) certificateBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, createAuthorityKeyId(issuerPublicKey)); certificateBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(caCert)); if (timeStampingPurpose) certificateBuilder.addExtension(X509Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping)); if (null != ocspUri) { GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(ocspUri.toString())); AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess( X509ObjectIdentifiers.ocspAccessMethod, ocspName); certificateBuilder.addExtension(X509Extension.authorityInfoAccess, false, authorityInformationAccess); } // build return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateBuilder.build(signer)); }
From source file:net.maritimecloud.identityregistry.utils.CertificateUtil.java
License:Apache License
/** * Builds and signs a certificate. The certificate will be build on the given subject-public-key and signed with * the given issuer-private-key. The issuer and subject will be identified in the strings provided. * * @return A signed X509Certificate//from ww w.jav a 2 s .co m * @throws Exception */ public X509Certificate buildAndSignCert(BigInteger serialNumber, PrivateKey signerPrivateKey, PublicKey signerPublicKey, PublicKey subjectPublicKey, X500Name issuer, X500Name subject, Map<String, String> customAttrs, String type) throws Exception { // Dates are converted to GMT/UTC inside the cert builder Calendar cal = Calendar.getInstance(); Date now = cal.getTime(); Date expire = new GregorianCalendar(CERT_EXPIRE_YEAR, 0, 1).getTime(); X509v3CertificateBuilder certV3Bldr = new JcaX509v3CertificateBuilder(issuer, serialNumber, now, // Valid from now... expire, // until CERT_EXPIRE_YEAR subject, subjectPublicKey); JcaX509ExtensionUtils extensionUtil = new JcaX509ExtensionUtils(); // Create certificate extensions if ("ROOTCA".equals(type)) { certV3Bldr = certV3Bldr.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)) .addExtension(Extension.keyUsage, true, new X509KeyUsage(X509KeyUsage.digitalSignature | X509KeyUsage.nonRepudiation | X509KeyUsage.keyEncipherment | X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign)); } else if ("INTERMEDIATE".equals(type)) { certV3Bldr = certV3Bldr.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)) .addExtension(Extension.keyUsage, true, new X509KeyUsage(X509KeyUsage.digitalSignature | X509KeyUsage.nonRepudiation | X509KeyUsage.keyEncipherment | X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign)); } else { // Subject Alternative Name GeneralName[] genNames = null; if (customAttrs != null && !customAttrs.isEmpty()) { genNames = new GeneralName[customAttrs.size()]; Iterator<Map.Entry<String, String>> it = customAttrs.entrySet().iterator(); int idx = 0; while (it.hasNext()) { Map.Entry<String, String> pair = it.next(); //genNames[idx] = new GeneralName(GeneralName.otherName, new DERUTF8String(pair.getKey() + ";" + pair.getValue())); DERSequence othernameSequence = new DERSequence( new ASN1Encodable[] { new ASN1ObjectIdentifier(pair.getKey()), new DERTaggedObject(true, 0, new DERUTF8String(pair.getValue())) }); genNames[idx] = new GeneralName(GeneralName.otherName, othernameSequence); idx++; } } if (genNames != null) { certV3Bldr = certV3Bldr.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(genNames)); } } // Basic extension setup certV3Bldr = certV3Bldr .addExtension(Extension.authorityKeyIdentifier, false, extensionUtil.createAuthorityKeyIdentifier(signerPublicKey)) .addExtension(Extension.subjectKeyIdentifier, false, extensionUtil.createSubjectKeyIdentifier(subjectPublicKey)); // CRL Distribution Points DistributionPointName distPointOne = new DistributionPointName( new GeneralNames(new GeneralName(GeneralName.uniformResourceIdentifier, CRL_URL))); DistributionPoint[] distPoints = new DistributionPoint[1]; distPoints[0] = new DistributionPoint(distPointOne, null, null); certV3Bldr.addExtension(Extension.cRLDistributionPoints, false, new CRLDistPoint(distPoints)); // OCSP endpoint GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, OCSP_URL); AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess( X509ObjectIdentifiers.ocspAccessMethod, ocspName); certV3Bldr.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess); // Create the key signer JcaContentSignerBuilder builder = new JcaContentSignerBuilder(SIGNER_ALGORITHM); builder.setProvider(BC_PROVIDER_NAME); ContentSigner signer = builder.build(signerPrivateKey); return new JcaX509CertificateConverter().setProvider(BC_PROVIDER_NAME) .getCertificate(certV3Bldr.build(signer)); }
From source file:net.maritimecloud.pki.CertificateBuilder.java
License:Apache License
/** * Builds and signs a certificate. The certificate will be build on the given subject-public-key and signed with * the given issuer-private-key. The issuer and subject will be identified in the strings provided. * * @param serialNumber The serialnumber of the new certificate. * @param signerPrivateKey Private key for signing the certificate * @param signerPublicKey Public key of the signing certificate * @param subjectPublicKey Public key for the new certificate * @param issuer DN of the signing certificate * @param subject DN of the new certificate * @param customAttrs The custom MC attributes to include in the certificate * @param type Type of certificate, can be "ROOT", "INTERMEDIATE" or "ENTITY". * @param ocspUrl OCSP endpoint//from w ww . j a v a2s.c o m * @param crlUrl CRL endpoint - can be null * @return A signed X509Certificate * @throws Exception Throws exception on certificate generation errors. */ public X509Certificate buildAndSignCert(BigInteger serialNumber, PrivateKey signerPrivateKey, PublicKey signerPublicKey, PublicKey subjectPublicKey, X500Name issuer, X500Name subject, Map<String, String> customAttrs, String type, String ocspUrl, String crlUrl) throws Exception { // Dates are converted to GMT/UTC inside the cert builder Calendar cal = Calendar.getInstance(); Date now = cal.getTime(); Date expire = new GregorianCalendar(CERT_EXPIRE_YEAR, 0, 1).getTime(); X509v3CertificateBuilder certV3Bldr = new JcaX509v3CertificateBuilder(issuer, serialNumber, now, // Valid from now... expire, // until CERT_EXPIRE_YEAR subject, subjectPublicKey); JcaX509ExtensionUtils extensionUtil = new JcaX509ExtensionUtils(); // Create certificate extensions if ("ROOTCA".equals(type)) { certV3Bldr = certV3Bldr.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)) .addExtension(Extension.keyUsage, true, new X509KeyUsage(X509KeyUsage.digitalSignature | X509KeyUsage.nonRepudiation | X509KeyUsage.keyEncipherment | X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign)); } else if ("INTERMEDIATE".equals(type)) { certV3Bldr = certV3Bldr.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)) .addExtension(Extension.keyUsage, true, new X509KeyUsage(X509KeyUsage.digitalSignature | X509KeyUsage.nonRepudiation | X509KeyUsage.keyEncipherment | X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign)); } else { // Subject Alternative Name GeneralName[] genNames = null; if (customAttrs != null && !customAttrs.isEmpty()) { genNames = new GeneralName[customAttrs.size()]; Iterator<Map.Entry<String, String>> it = customAttrs.entrySet().iterator(); int idx = 0; while (it.hasNext()) { Map.Entry<String, String> pair = it.next(); if (PKIConstants.X509_SAN_DNSNAME.equals(pair.getKey())) { genNames[idx] = new GeneralName(GeneralName.dNSName, pair.getValue()); } else { //genNames[idx] = new GeneralName(GeneralName.otherName, new DERUTF8String(pair.getKey() + ";" + pair.getValue())); DERSequence othernameSequence = new DERSequence( new ASN1Encodable[] { new ASN1ObjectIdentifier(pair.getKey()), new DERTaggedObject(true, 0, new DERUTF8String(pair.getValue())) }); genNames[idx] = new GeneralName(GeneralName.otherName, othernameSequence); } idx++; } } if (genNames != null) { certV3Bldr = certV3Bldr.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(genNames)); } } // Basic extension setup certV3Bldr = certV3Bldr .addExtension(Extension.authorityKeyIdentifier, false, extensionUtil.createAuthorityKeyIdentifier(signerPublicKey)) .addExtension(Extension.subjectKeyIdentifier, false, extensionUtil.createSubjectKeyIdentifier(subjectPublicKey)); // CRL Distribution Points DistributionPointName distPointOne = new DistributionPointName( new GeneralNames(new GeneralName(GeneralName.uniformResourceIdentifier, crlUrl))); DistributionPoint[] distPoints = new DistributionPoint[1]; distPoints[0] = new DistributionPoint(distPointOne, null, null); certV3Bldr.addExtension(Extension.cRLDistributionPoints, false, new CRLDistPoint(distPoints)); // OCSP endpoint - is not available for the CAs if (ocspUrl != null) { GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, ocspUrl); AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess( X509ObjectIdentifiers.ocspAccessMethod, ocspName); certV3Bldr.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess); } // Create the key signer JcaContentSignerBuilder builder = new JcaContentSignerBuilder(SIGNER_ALGORITHM); builder.setProvider(BC_PROVIDER_NAME); ContentSigner signer = builder.build(signerPrivateKey); return new JcaX509CertificateConverter().setProvider(BC_PROVIDER_NAME) .getCertificate(certV3Bldr.build(signer)); }
From source file:net.ripe.rpki.commons.crypto.x509cert.X509CertificateBuilderHelper.java
License:BSD License
/** * Generate a single distribution point where the names contains each URI. *///from ww w . j a v a 2 s. c o m private CRLDistPoint convertToCrlDistributionPoint(URI[] uris) { GeneralName[] seq = new GeneralName[uris.length]; for (int i = 0; i < uris.length; ++i) { seq[i] = new GeneralName(GeneralName.uniformResourceIdentifier, uris[i].toString()); } GeneralNames names = new GeneralNames(seq); DistributionPointName distributionPoint = new DistributionPointName(names); DistributionPoint[] dps = { new DistributionPoint(distributionPoint, null, null) }; return new CRLDistPoint(dps); }
From source file:net.ripe.rpki.commons.crypto.x509cert.X509CertificateInformationAccessDescriptor.java
License:BSD License
private AccessDescription toAccessDescription() { return new AccessDescription(getMethod(), new GeneralName(GeneralName.uniformResourceIdentifier, location.toString())); }
From source file:net.sf.keystore_explorer.gui.crypto.generalname.DGeneralNameChooser.java
License:Open Source License
private void okPressed() { try {//w w w . j av a 2s. co m GeneralName newGeneralName = null; if (jrbDirectoryName.isSelected()) { X500Name directoryName = jdnDirectoryName.getDistinguishedName(); if (directoryName == null) { JOptionPane.showMessageDialog(this, res.getString("DGeneralNameChooser.DirectoryNameValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE); return; } newGeneralName = new GeneralName(GeneralName.directoryName, directoryName); } else if (jrbDnsName.isSelected()) { String dnsName = jtfDnsName.getText().trim(); if (dnsName.length() == 0) { JOptionPane.showMessageDialog(this, res.getString("DGeneralNameChooser.DnsNameValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE); return; } newGeneralName = new GeneralName(GeneralName.dNSName, new DERIA5String(dnsName)); } else if (jrbIpAddress.isSelected()) { String ipAddress = jtfIpAddress.getText().trim(); if (ipAddress.length() == 0) { JOptionPane.showMessageDialog(this, res.getString("DGeneralNameChooser.IpAddressValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE); return; } if (!IPAddress.isValid(ipAddress)) { JOptionPane.showMessageDialog(this, res.getString("DGeneralNameChooser.NotAValidIP.message"), getTitle(), JOptionPane.WARNING_MESSAGE); return; } newGeneralName = new GeneralName(GeneralName.iPAddress, ipAddress); } else if (jrbRegisteredId.isSelected()) { ASN1ObjectIdentifier registeredId = joiRegisteredId.getObjectId(); if (registeredId == null) { JOptionPane.showMessageDialog(this, res.getString("DGeneralNameChooser.RegisteredIdValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE); return; } newGeneralName = new GeneralName(GeneralName.registeredID, registeredId); } else if (jrbRfc822Name.isSelected()) { String rfc822Name = jtfRfc822Name.getText().trim(); if (rfc822Name.length() == 0) { JOptionPane.showMessageDialog(this, res.getString("DGeneralNameChooser.Rfc822NameValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE); return; } newGeneralName = new GeneralName(GeneralName.rfc822Name, new DERIA5String(rfc822Name)); } else if (jrbUniformResourceIdentifier.isSelected()) { String uniformResourceIdentifier = jtfUniformResourceIdentifier.getText().trim(); if (uniformResourceIdentifier.length() == 0) { JOptionPane.showMessageDialog(this, res.getString("DGeneralNameChooser.UniformResourceIdentifierValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE); return; } newGeneralName = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(uniformResourceIdentifier)); } else if (jrbPrincipalName.isSelected()) { String upnString = jtfPrincipalName.getText().trim(); if (upnString.length() == 0) { JOptionPane.showMessageDialog(this, res.getString("DGeneralNameChooser.PrincipalNameValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE); return; } ASN1EncodableVector asn1Vector = new ASN1EncodableVector(); asn1Vector.add(new ASN1ObjectIdentifier(GeneralNameUtil.UPN_OID)); asn1Vector.add(new DERTaggedObject(true, 0, new DERUTF8String(upnString))); newGeneralName = new GeneralName(GeneralName.otherName, new DERSequence(asn1Vector)); } generalName = newGeneralName; } catch (Exception ex) { DError dError = new DError(this, ex); dError.setLocationRelativeTo(this); dError.setVisible(true); return; } closeDialog(); }
From source file:net.sf.keystore_explorer.gui.dialogs.extensions.DAuthorityKeyIdentifier.java
License:Open Source License
@SuppressWarnings("unchecked") private void prepopulateWithAuthorityCertDetails(X500Name authorityCertName, BigInteger authorityCertSerialNumber) { if (authorityCertName != null) { try {/*w w w . j a v a2 s . c o m*/ GeneralName generalName = new GeneralName(GeneralName.directoryName, authorityCertName); GeneralNames generalNames = new GeneralNames(generalName); jgnAuthorityCertIssuer.setGeneralNames(generalNames); } catch (Exception ex) { DError dError = new DError(this, ex); dError.setLocationRelativeTo(this); dError.setVisible(true); return; } } if (authorityCertSerialNumber != null) { jtfAuthorityCertSerialNumber.setText("" + authorityCertSerialNumber.toString()); jtfAuthorityCertSerialNumber.setCaretPosition(0); } }
From source file:net.solarnetwork.node.setup.test.PKITestUtils.java
License:Open Source License
public static X509Certificate generateNewCACert(PublicKey publicKey, String subject, X509Certificate issuer, PrivateKey issuerKey, String caDN) throws Exception { final X500Name issuerDn = (issuer == null ? new X500Name(subject) : JcaX500NameUtil.getSubject(issuer)); final X500Name subjectDn = new X500Name(subject); final BigInteger serial = getNextSerialNumber(); final Date notBefore = new Date(); final Date notAfter = new Date(System.currentTimeMillis() + 1000L * 60L * 60L); JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuerDn, serial, notBefore, notAfter, subjectDn, publicKey);//from w w w.j a va 2s .c om // add "CA" extension BasicConstraints basicConstraints; if (issuer == null) { basicConstraints = new BasicConstraints(true); } else { int issuerPathLength = issuer.getBasicConstraints(); basicConstraints = new BasicConstraints(issuerPathLength - 1); } builder.addExtension(X509Extension.basicConstraints, true, basicConstraints); // add subjectKeyIdentifier JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils(); SubjectKeyIdentifier ski = utils.createSubjectKeyIdentifier(publicKey); builder.addExtension(X509Extension.subjectKeyIdentifier, false, ski); // add authorityKeyIdentifier GeneralNames issuerName = new GeneralNames(new GeneralName(GeneralName.directoryName, caDN)); AuthorityKeyIdentifier aki = utils.createAuthorityKeyIdentifier(publicKey); aki = new AuthorityKeyIdentifier(aki.getKeyIdentifier(), issuerName, serial); builder.addExtension(X509Extension.authorityKeyIdentifier, false, aki); // add keyUsage X509KeyUsage keyUsage = new X509KeyUsage(X509KeyUsage.cRLSign | X509KeyUsage.digitalSignature | X509KeyUsage.keyCertSign | X509KeyUsage.nonRepudiation); builder.addExtension(X509Extension.keyUsage, true, keyUsage); JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSA"); ContentSigner signer = signerBuilder.build(issuerKey); X509CertificateHolder holder = builder.build(signer); JcaX509CertificateConverter converter = new JcaX509CertificateConverter(); return converter.getCertificate(holder); }
From source file:nl.uva.vlet.grid.voms.VOMSAttributeCertificate.java
License:Apache License
public void setHolder(String holderDN, int holderSerialNumber) throws Exception { try {//w w w.ja v a 2 s. com DERSequence holder_name_sequence = DNtoDERSequence(holderDN); IssuerSerial baseCertificateID = new IssuerSerial( new GeneralNames(new GeneralName(4, holder_name_sequence)), new DERInteger(holderSerialNumber)); this.holder = new Holder(baseCertificateID); } catch (Exception e) { throw e; } }