List of usage examples for org.bouncycastle.asn1.x509 GeneralName GeneralName
public GeneralName(int tag, String name)
From source file:org.ccnx.ccn.impl.security.crypto.util.AuthorityKeyIdentifier.java
License:Open Source License
public void setIssuerName(URI uri) { GeneralName name = new GeneralName(GeneralName.uniformResourceIdentifier, uri.toString()); this._issuerName = new GeneralNames(name); // clone? }
From source file:org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.java
License:Open Source License
/** * Both adds the server authentication OID to the EKU * extension, and adds the DNS name to the subject alt name * extension (not marked critical). (Combines addServerAuthenticationEKU and * addDNSNameSubjectAltName).// w ww .j a va2s. co m * @param serverDNSName the DNS name of the server. */ public void setServerAuthenticationUsage(String serverDNSName) { GeneralName name = new GeneralName(GeneralName.dNSName, serverDNSName); _subjectAltNames.add(name); _ekus.add(id_kp_serverAuth); }
From source file:org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.java
License:Open Source License
/** * Both adds the secure email OID to the EKU * extension, and adds the email address to the subject alt name * extension (not marked critical). (Combines addSecureEmailEKU and addEmailSubjectAltName). * @param subjectEmailAddress the email address of the subject. *//*from ww w . j av a2s .c o m*/ public void setSecureEmailUsage(String subjectEmailAddress) { GeneralName name = new GeneralName(GeneralName.rfc822Name, subjectEmailAddress); _subjectAltNames.add(name); _ekus.add(id_kp_emailProtection); }
From source file:org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.java
License:Open Source License
/** * Adds ip address to subjectAltName and IPSec usage to EKU * @param ipAddress string form of the IP address. Assumed to be in either * IPv4 form, "n.n.n.n", with 0<=n<256, orIPv6 form, * "n.n.n.n.n.n.n.n", where the n's are the HEXADECIMAL form of the * 16-bit address components.//from w w w. j ava 2s .c o m **/ public void setIPSecUsage(String ipAddress) { GeneralName name = new GeneralName(GeneralName.iPAddress, ipAddress); _subjectAltNames.add(name); _ekus.add(id_kp_ipsec); }
From source file:org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.java
License:Open Source License
public void addSubjectAltName(URI subjectURI) { GeneralName name = new GeneralName(GeneralName.uniformResourceIdentifier, subjectURI.toString()); _subjectAltNames.add(name); }
From source file:org.cesecore.certificates.ca.X509CA.java
License:Open Source License
/** * Generate a CRL or a deltaCRL/*from w ww.j a v a 2 s . com*/ * * @param certs * list of revoked certificates * @param crlnumber * CRLNumber for this CRL * @param isDeltaCRL * true if we should generate a DeltaCRL * @param basecrlnumber * caseCRLNumber for a delta CRL, use 0 for full CRLs * @param certProfile * certificate profile for CRL Distribution point in the CRL, or null * @return CRL * @throws CryptoTokenOfflineException * @throws IllegalCryptoTokenException * @throws IOException * @throws SignatureException * @throws NoSuchProviderException * @throws InvalidKeyException * @throws CRLException * @throws NoSuchAlgorithmException */ private X509CRLHolder generateCRL(CryptoToken cryptoToken, Collection<RevokedCertInfo> certs, long crlPeriod, int crlnumber, boolean isDeltaCRL, int basecrlnumber) throws CryptoTokenOfflineException, IllegalCryptoTokenException, IOException, SignatureException, NoSuchProviderException, InvalidKeyException, CRLException, NoSuchAlgorithmException { final String sigAlg = getCAInfo().getCAToken().getSignatureAlgorithm(); if (log.isDebugEnabled()) { log.debug("generateCRL(" + certs.size() + ", " + crlPeriod + ", " + crlnumber + ", " + isDeltaCRL + ", " + basecrlnumber); } // Make DNs final X509Certificate cacert = (X509Certificate) getCACertificate(); final X500Name issuer; if (cacert == null) { // This is an initial root CA, since no CA-certificate exists // (I don't think we can ever get here!!!) final X500NameStyle nameStyle; if (getUsePrintableStringSubjectDN()) { nameStyle = PrintableStringNameStyle.INSTANCE; } else { nameStyle = CeSecoreNameStyle.INSTANCE; } issuer = CertTools.stringToBcX500Name(getSubjectDN(), nameStyle, getUseLdapDNOrder()); } else { issuer = X500Name.getInstance(cacert.getSubjectX500Principal().getEncoded()); } final Date thisUpdate = new Date(); final Date nextUpdate = new Date(); nextUpdate.setTime(nextUpdate.getTime() + crlPeriod); final X509v2CRLBuilder crlgen = new X509v2CRLBuilder(issuer, thisUpdate); crlgen.setNextUpdate(nextUpdate); if (certs != null) { if (log.isDebugEnabled()) { log.debug("Adding " + certs.size() + " revoked certificates to CRL. Free memory=" + Runtime.getRuntime().freeMemory()); } final Iterator<RevokedCertInfo> it = certs.iterator(); while (it.hasNext()) { final RevokedCertInfo certinfo = (RevokedCertInfo) it.next(); crlgen.addCRLEntry(certinfo.getUserCertificate(), certinfo.getRevocationDate(), certinfo.getReason()); } if (log.isDebugEnabled()) { log.debug("Finished adding " + certs.size() + " revoked certificates to CRL. Free memory=" + Runtime.getRuntime().freeMemory()); } } // Authority key identifier if (getUseAuthorityKeyIdentifier() == true) { byte[] caSkid = (cacert != null ? CertTools.getSubjectKeyId(cacert) : null); if (caSkid != null) { // Use subject key id from CA certificate AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(caSkid); crlgen.addExtension(Extension.authorityKeyIdentifier, getAuthorityKeyIdentifierCritical(), aki); } else { // Generate from SHA1 of public key ASN1InputStream asn1InputStream = new ASN1InputStream(new ByteArrayInputStream(cryptoToken .getPublicKey(getCAToken().getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CRLSIGN)) .getEncoded())); try { SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo( (ASN1Sequence) asn1InputStream.readObject()); AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(apki); crlgen.addExtension(Extension.authorityKeyIdentifier, getAuthorityKeyIdentifierCritical(), aki); } finally { asn1InputStream.close(); } } } // Authority Information Access final ASN1EncodableVector accessList = new ASN1EncodableVector(); if (getAuthorityInformationAccess() != null) { for (String url : getAuthorityInformationAccess()) { if (StringUtils.isNotEmpty(url)) { GeneralName accessLocation = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(url)); accessList.add(new AccessDescription(AccessDescription.id_ad_caIssuers, accessLocation)); } } } if (accessList.size() > 0) { AuthorityInformationAccess authorityInformationAccess = AuthorityInformationAccess .getInstance(new DERSequence(accessList)); // "This CRL extension MUST NOT be marked critical." according to rfc4325 crlgen.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess); } // CRLNumber extension if (getUseCRLNumber() == true) { CRLNumber crlnum = new CRLNumber(BigInteger.valueOf(crlnumber)); crlgen.addExtension(Extension.cRLNumber, this.getCRLNumberCritical(), crlnum); } if (isDeltaCRL) { // DeltaCRLIndicator extension CRLNumber basecrlnum = new CRLNumber(BigInteger.valueOf(basecrlnumber)); crlgen.addExtension(Extension.deltaCRLIndicator, true, basecrlnum); } // CRL Distribution point URI and Freshest CRL DP if (getUseCrlDistributionPointOnCrl()) { String crldistpoint = getDefaultCRLDistPoint(); List<DistributionPoint> distpoints = generateDistributionPoints(crldistpoint); if (distpoints.size() > 0) { IssuingDistributionPoint idp = new IssuingDistributionPoint( distpoints.get(0).getDistributionPoint(), false, false, null, false, false); // According to the RFC, IDP must be a critical extension. // Nonetheless, at the moment, Mozilla is not able to correctly // handle the IDP extension and discards the CRL if it is critical. crlgen.addExtension(Extension.issuingDistributionPoint, getCrlDistributionPointOnCrlCritical(), idp); } if (!isDeltaCRL) { String crlFreshestDP = getCADefinedFreshestCRL(); List<DistributionPoint> freshestDistPoints = generateDistributionPoints(crlFreshestDP); if (freshestDistPoints.size() > 0) { CRLDistPoint ext = new CRLDistPoint((DistributionPoint[]) freshestDistPoints .toArray(new DistributionPoint[freshestDistPoints.size()])); // According to the RFC, the Freshest CRL extension on a // CRL must not be marked as critical. Therefore it is // hardcoded as not critical and is independent of // getCrlDistributionPointOnCrlCritical(). crlgen.addExtension(Extension.freshestCRL, false, ext); } } } final X509CRLHolder crl; if (log.isDebugEnabled()) { log.debug("Signing CRL. Free memory=" + Runtime.getRuntime().freeMemory()); } final String alias = getCAToken().getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CRLSIGN); try { final ContentSigner signer = new BufferingContentSigner(new JcaContentSignerBuilder(sigAlg) .setProvider(cryptoToken.getSignProviderName()).build(cryptoToken.getPrivateKey(alias)), 20480); crl = crlgen.build(signer); } catch (OperatorCreationException e) { // Very fatal error throw new RuntimeException("Can not create Jca content signer: ", e); } if (log.isDebugEnabled()) { log.debug("Finished signing CRL. Free memory=" + Runtime.getRuntime().freeMemory()); } // Verify using the CA certificate before returning // If we can not verify the issued CRL using the CA certificate we don't want to issue this CRL // because something is wrong... final PublicKey verifyKey; if (cacert != null) { verifyKey = cacert.getPublicKey(); if (log.isTraceEnabled()) { log.trace("Got the verify key from the CA certificate."); } } else { verifyKey = cryptoToken.getPublicKey(alias); if (log.isTraceEnabled()) { log.trace("Got the verify key from the CA token."); } } try { final ContentVerifierProvider verifier = new JcaContentVerifierProviderBuilder().build(verifyKey); if (!crl.isSignatureValid(verifier)) { throw new SignatureException("Error verifying CRL to be returned."); } } catch (OperatorCreationException e) { // Very fatal error throw new RuntimeException("Can not create Jca content signer: ", e); } catch (CertException e) { throw new SignatureException(e.getMessage(), e); } if (log.isDebugEnabled()) { log.debug("Returning CRL. Free memory=" + Runtime.getRuntime().freeMemory()); } return crl; }
From source file:org.cesecore.certificates.ca.X509CA.java
License:Open Source License
/** * Generate a list of Distribution points. * /*from w ww . j a v a 2s .com*/ * @param distPoints * distribution points as String in semi column (';') separated format. * @return list of distribution points. */ private List<DistributionPoint> generateDistributionPoints(String distPoints) { if (distPoints == null) { distPoints = ""; } // Multiple CDPs are separated with the ';' sign Iterator<String> it = StringTools.splitURIs(distPoints).iterator(); ArrayList<DistributionPoint> result = new ArrayList<DistributionPoint>(); while (it.hasNext()) { String uri = (String) it.next(); GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(uri)); if (log.isDebugEnabled()) { log.debug("Added CRL distpoint: " + uri); } ASN1EncodableVector vec = new ASN1EncodableVector(); vec.add(gn); GeneralNames gns = GeneralNames.getInstance(new DERSequence(vec)); DistributionPointName dpn = new DistributionPointName(0, gns); result.add(new DistributionPoint(dpn, null, null)); } return result; }
From source file:org.cesecore.certificates.certificate.certextensions.standard.AuthorityInformationAccess.java
License:Open Source License
@Override public ASN1Encodable getValue(final EndEntityInformation subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey, CertificateValidity val) throws CertificateExtensionException { final ASN1EncodableVector accessList = new ASN1EncodableVector(); GeneralName accessLocation;/*ww w. j ava 2 s. c o m*/ String url; // caIssuers final List<String> caIssuers = certProfile.getCaIssuers(); if (caIssuers != null) { for (final Iterator<String> it = caIssuers.iterator(); it.hasNext();) { url = it.next(); if (StringUtils.isNotEmpty(url)) { accessLocation = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(url)); accessList.add(new AccessDescription(AccessDescription.id_ad_caIssuers, accessLocation)); } } } // ocsp url final X509CA x509ca = (X509CA) ca; url = certProfile.getOCSPServiceLocatorURI(); if (certProfile.getUseDefaultOCSPServiceLocator()) { url = x509ca.getDefaultOCSPServiceLocator(); } if (StringUtils.isNotEmpty(url)) { accessLocation = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(url)); accessList.add(new AccessDescription(AccessDescription.id_ad_ocsp, accessLocation)); } org.bouncycastle.asn1.x509.AuthorityInformationAccess ret = null; if (accessList.size() > 0) { ret = org.bouncycastle.asn1.x509.AuthorityInformationAccess.getInstance(new DERSequence(accessList)); } if (ret == null) { log.error("AuthorityInformationAccess is used, but nor caIssuers not Ocsp url are defined!"); } return ret; }
From source file:org.cesecore.certificates.certificate.certextensions.standard.CrlDistributionPoints.java
License:Open Source License
@Override public ASN1Encodable getValue(final EndEntityInformation subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey, CertificateValidity val) throws CertificateExtensionException { String crldistpoint = certProfile.getCRLDistributionPointURI(); String crlissuer = certProfile.getCRLIssuer(); final X509CA x509ca = (X509CA) ca; if (certProfile.getUseDefaultCRLDistributionPoint()) { crldistpoint = x509ca.getDefaultCRLDistPoint(); crlissuer = x509ca.getDefaultCRLIssuer(); }//from w w w.ja va2 s . c o m // Multiple CDPs are separated with the ';' sign final ArrayList<DistributionPointName> dpns = new ArrayList<DistributionPointName>(); if (StringUtils.isNotEmpty(crldistpoint)) { final Iterator<String> it = StringTools.splitURIs(crldistpoint).iterator(); while (it.hasNext()) { // 6 is URI final String uri = (String) it.next(); final GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(uri)); if (log.isDebugEnabled()) { log.debug("Added CRL distpoint: " + uri); } final ASN1EncodableVector vec = new ASN1EncodableVector(); vec.add(gn); final GeneralNames gns = GeneralNames.getInstance(new DERSequence(vec)); final DistributionPointName dpn = new DistributionPointName(0, gns); dpns.add(dpn); } } // CRL issuer works much like Dist point URI. If separated by ; it is put in the same global distPoint as the URI, // if there is more of one of them, the one with more is put in an own global distPoint. final ArrayList<GeneralNames> issuers = new ArrayList<GeneralNames>(); if (StringUtils.isNotEmpty(crlissuer)) { final StringTokenizer tokenizer = new StringTokenizer(crlissuer, ";", false); while (tokenizer.hasMoreTokens()) { final String issuer = tokenizer.nextToken(); final GeneralName gn = new GeneralName(new X500Name(issuer)); if (log.isDebugEnabled()) { log.debug("Added CRL issuer: " + issuer); } final ASN1EncodableVector vec = new ASN1EncodableVector(); vec.add(gn); final GeneralNames gns = GeneralNames.getInstance(new DERSequence(vec)); issuers.add(gns); } } final ArrayList<DistributionPoint> distpoints = new ArrayList<DistributionPoint>(); if ((!issuers.isEmpty()) || (!dpns.isEmpty())) { int i = dpns.size(); if (issuers.size() > i) { i = issuers.size(); } for (int j = 0; j < i; j++) { DistributionPointName dpn = null; GeneralNames issuer = null; if (dpns.size() > j) { dpn = (DistributionPointName) dpns.get(j); } if (issuers.size() > j) { issuer = (GeneralNames) issuers.get(j); } if ((dpn != null) || (issuer != null)) { distpoints.add(new DistributionPoint(dpn, null, issuer)); } } } CRLDistPoint ret = null; if (!distpoints.isEmpty()) { ret = new CRLDistPoint( (DistributionPoint[]) distpoints.toArray(new DistributionPoint[distpoints.size()])); } if (ret == null) { log.error("DrlDistributionPoints missconfigured, no distribution points available."); } return ret; }
From source file:org.cesecore.certificates.certificate.certextensions.standard.FreshestCrl.java
License:Open Source License
@Override public ASN1Encodable getValue(final EndEntityInformation subject, final CA ca, final CertificateProfile certProfile, final PublicKey userPublicKey, final PublicKey caPublicKey, CertificateValidity val) throws CertificateExtensionException { String freshestcrldistpoint = certProfile.getFreshestCRLURI(); final X509CA x509ca = (X509CA) ca; if (certProfile.getUseCADefinedFreshestCRL()) { freshestcrldistpoint = x509ca.getCADefinedFreshestCRL(); }//from w w w . java 2 s. c om // Multiple FCDPs are separated with the ';' sign CRLDistPoint ret = null; if (freshestcrldistpoint != null) { final StringTokenizer tokenizer = new StringTokenizer(freshestcrldistpoint, ";", false); final ArrayList<DistributionPoint> distpoints = new ArrayList<DistributionPoint>(); while (tokenizer.hasMoreTokens()) { final String uri = tokenizer.nextToken(); final GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(uri)); if (log.isDebugEnabled()) { log.debug("Added freshest CRL distpoint: " + uri); } final ASN1EncodableVector vec = new ASN1EncodableVector(); vec.add(gn); final GeneralNames gns = GeneralNames.getInstance(new DERSequence(vec)); final DistributionPointName dpn = new DistributionPointName(0, gns); distpoints.add(new DistributionPoint(dpn, null, null)); } if (!distpoints.isEmpty()) { ret = new CRLDistPoint( (DistributionPoint[]) distpoints.toArray(new DistributionPoint[distpoints.size()])); } } if (ret == null) { log.error("UseFreshestCRL is true, but no URI string defined!"); } return ret; }