List of usage examples for org.bouncycastle.asn1.x509 GeneralNamesBuilder addName
public GeneralNamesBuilder addName(GeneralName name)
From source file:org.apache.kerby.pkix.EndEntityGenerator.java
License:Apache License
/** * Generate certificate./*from www .ja v a 2 s . c om*/ * * @param issuerCert * @param issuerPrivateKey * @param publicKey * @param dn * @param validityDays * @param friendlyName * @return The certificate. * @throws InvalidKeyException * @throws SecurityException * @throws SignatureException * @throws NoSuchAlgorithmException * @throws DataLengthException * @throws CertificateException */ public static X509Certificate generate(X509Certificate issuerCert, PrivateKey issuerPrivateKey, PublicKey publicKey, String dn, int validityDays, String friendlyName) throws InvalidKeyException, SecurityException, SignatureException, NoSuchAlgorithmException, DataLengthException, CertificateException { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); // Set certificate attributes. certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(issuerCert)); certGen.setSubjectDN(new X509Principal(dn)); certGen.setNotBefore(new Date()); Calendar expiry = Calendar.getInstance(); expiry.add(Calendar.DAY_OF_YEAR, validityDays); certGen.setNotAfter(expiry.getTime()); certGen.setPublicKey(publicKey); certGen.setSignatureAlgorithm("SHA1WithRSAEncryption"); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded())))); // MAY set BasicConstraints=false or not at all. certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(issuerCert)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment)); ASN1EncodableVector keyPurposeVector = new ASN1EncodableVector(); keyPurposeVector.add(KeyPurposeId.id_kp_smartcardlogon); //keyPurposeVector.add( KeyPurposeId.id_kp_serverAuth ); DERSequence keyPurposeOids = new DERSequence(keyPurposeVector); // If critical, will throw unsupported EKU. certGen.addExtension(X509Extensions.ExtendedKeyUsage, false, keyPurposeOids); ASN1EncodableVector pkinitSanVector = new ASN1EncodableVector(); pkinitSanVector.add(ID_PKINIT_SAN); pkinitSanVector.add(new DERTaggedObject(0, new DERSequence())); DERSequence pkinitSan = new DERSequence(pkinitSanVector); String dnsName = "localhost"; GeneralName name1 = new GeneralName(GeneralName.otherName, pkinitSan); GeneralName name2 = new GeneralName(GeneralName.dNSName, dnsName); GeneralNamesBuilder genNamesBuilder = new GeneralNamesBuilder(); genNamesBuilder.addName(name1); genNamesBuilder.addName(name2); GeneralNames sanGeneralNames = genNamesBuilder.build(); certGen.addExtension(X509Extensions.SubjectAlternativeName, true, sanGeneralNames); /* * The KDC MAY require the presence of an Extended Key Usage (EKU) KeyPurposeId * [RFC3280] id-pkinit-KPClientAuth in the extensions field of the client's * X.509 certificate. */ /* * The digitalSignature key usage bit [RFC3280] MUST be asserted when the * intended purpose of the client's X.509 certificate is restricted with * the id-pkinit-KPClientAuth EKU. */ /* * KDCs implementing this requirement SHOULD also accept the EKU KeyPurposeId * id-ms-kp-sc-logon (1.3.6.1.4.1.311.20.2.2) as meeting the requirement, as * there are a large number of X.509 client certificates deployed for use * with PKINIT that have this EKU. */ // KDC /* * In addition, unless the client can otherwise verify that the public key * used to verify the KDC's signature is bound to the KDC of the target realm, * the KDC's X.509 certificate MUST contain a Subject Alternative Name extension * [RFC3280] carrying an AnotherName whose type-id is id-pkinit-san (as defined * in Section 3.2.2) and whose value is a KRB5PrincipalName that matches the * name of the TGS of the target realm (as defined in Section 7.3 of [RFC4120]). */ /* * Unless the client knows by some other means that the KDC certificate is * intended for a Kerberos KDC, the client MUST require that the KDC certificate * contains the EKU KeyPurposeId [RFC3280] id-pkinit-KPKdc. */ /* * The digitalSignature key usage bit [RFC3280] MUST be asserted when the * intended purpose of the KDC's X.509 certificate is restricted with the * id-pkinit-KPKdc EKU. */ /* * If the KDC certificate contains the Kerberos TGS name encoded as an id-pkinit-san * SAN, this certificate is certified by the issuing CA as a KDC certificate, * therefore the id-pkinit-KPKdc EKU is not required. */ /* * KDC certificates issued by Windows 2000 Enterprise CAs contain a dNSName * SAN with the DNS name of the host running the KDC, and the id-kp-serverAuth * EKU [RFC3280]. */ /* * KDC certificates issued by Windows 2003 Enterprise CAs contain a dNSName * SAN with the DNS name of the host running the KDC, the id-kp-serverAuth * EKU, and the id-ms-kp-sc-logon EKU. */ /* * RFC: KDC certificates with id-pkinit-san SAN as specified in this RFC. * * MS: dNSName SAN containing the domain name of the KDC * id-pkinit-KPKdc EKU * id-kp-serverAuth EKU. */ /* * Client certificates accepted by Windows 2000 and Windows 2003 Server KDCs * must contain an id-ms-san-sc-logon-upn (1.3.6.1.4.1.311.20.2.3) SAN and * the id-ms-kp-sc-logon EKU. The id-ms-san-sc-logon-upn SAN contains a * UTF8-encoded string whose value is that of the Directory Service attribute * UserPrincipalName of the client account object, and the purpose of including * the id-ms-san-sc-logon-upn SAN in the client certificate is to validate * the client mapping (in other words, the client's public key is bound to * the account that has this UserPrincipalName value). */ X509Certificate cert = certGen.generate(issuerPrivateKey); PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert; bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName)); bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, new SubjectKeyIdentifier(getDigest(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded())))); return cert; }
From source file:org.codice.ddf.security.certificate.generator.CertificateCommandTest.java
License:Open Source License
/** * Expected SAN general name is now a function of the CN, since a SAN representing the CN is now * required./*from www. ja v a 2 s .c o m*/ */ private static byte[] expectedSanGeneralName(String alias, boolean withAdditionalSans) { try { GeneralNamesBuilder builder = new GeneralNamesBuilder() .addName(new GeneralName(GeneralName.dNSName, alias)); if (withAdditionalSans) { builder.addName(new GeneralName(GeneralName.iPAddress, IP_FROM_SAN)) .addName(new GeneralName(GeneralName.dNSName, DNS_FROM_SAN)); } return builder.build().getEncoded(ASN1Encoding.DER); } catch (IOException e) { throw new IllegalStateException(e); } }
From source file:org.cryptacular.util.CertUtil.java
License:Open Source License
/** * Gets all subject alternative names of the given type(s) on the given cert. * * @param cert X.509 certificate to examine. * @param types One or more subject alternative name types to fetch. * * @return List of subject alternative names of the matching type(s) or null * if none found.//from www . j av a 2s .c o m */ public static GeneralNames subjectAltNames(final X509Certificate cert, final GeneralNameType... types) { final GeneralNamesBuilder builder = new GeneralNamesBuilder(); final GeneralNames altNames = subjectAltNames(cert); if (altNames != null) { for (GeneralName name : altNames.getNames()) { for (GeneralNameType type : types) { if (type.ordinal() == name.getTagNo()) { builder.addName(name); } } } } final GeneralNames names = builder.build(); if (names.getNames().length == 0) { return null; } return names; }
From source file:org.opensaml.xml.security.x509.tls.MockX509Certificate.java
License:Open Source License
/** * Constructor./*from w ww. ja v a2 s . com*/ * * @param subjectX500Principal */ public MockX509Certificate(X500Principal subject, Collection<List<?>> subjAlts) { super(); subjectX500Principal = subject; subjectAltNames = subjAlts; extensions = new HashMap<String, byte[]>(); // Add proper DER-encoded alt names extension based on subjAlts values, so works with code that extracts // subject alt names via extensions parsing. if (subjAlts != null && subjAlts.size() > 0) { GeneralNamesBuilder generalNamesBuilder = new GeneralNamesBuilder(); for (List<?> subjAlt : subjAlts) { Integer type = (Integer) subjAlt.get(0); String value = (String) subjAlt.get(1); GeneralName generalName = new GeneralName(type, value); generalNamesBuilder.addName(generalName); } GeneralNames generalNames = generalNamesBuilder.build(); try { Extension ext = new Extension(Extension.subjectAlternativeName, false, generalNames.getEncoded()); extensions.put(ext.getExtnId().getId(), ext.getExtnValue().getEncoded("DER")); } catch (IOException e) { throw new RuntimeException("Problem building subject alt names extension", e); } } }