List of usage examples for org.bouncycastle.asn1.x509 GeneralSubtree GeneralSubtree
public GeneralSubtree(GeneralName base, BigInteger minimum, BigInteger maximum)
From source file:eu.emi.security.authn.x509.helpers.proxy.ProxyAddressRestrictionData.java
License:Open Source License
/**
 * Registers an IP address range as a <em>permitted</em> subtree.
 *
 * @param address the range in CIDR notation as accepted by BouncyCastle's
 *        {@code GeneralName(GeneralName.iPAddress, String)} constructor, e.g.
 *        {@code 192.168.0.0/16} (equivalent to 192.168.0.0 with netmask
 *        255.255.0.0). A single host is written with a full-length prefix
 *        ({@code xxx.xxx.xxx.xxx/32}); IPv6 ranges are accepted as well.
 *        See <a href="http://www.ietf.org/rfc/rfc4632.txt">RFC 4632</a>.
 *        NOTE(review): NameConstraints require the address+mask encoding
 *        (8 octets IPv4 / 32 octets IPv6); always pass the prefix length,
 *        a bare address would be encoded without a mask - confirm callers.
 */
public void addPermittedIPAddressWithNetmask(String address) {
    GeneralName ipRange = new GeneralName(GeneralName.iPAddress, address);
    // minimum/maximum are left unset (null): RFC 5280 name constraints
    // expect minimum 0 (the default) and no maximum.
    GeneralSubtree permitted = new GeneralSubtree(ipRange, null, null);
    permittedGeneralSubtrees.add(permitted);
}
From source file:eu.emi.security.authn.x509.helpers.proxy.ProxyAddressRestrictionData.java
License:Open Source License
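/**
 * Registers an IP address range as an <em>excluded</em> subtree, i.e. a range
 * that certificates constrained by this structure must NOT name.
 *
 * (The previous Javadoc described the argument as being added to the
 * "allowed" space, which was a copy/paste error from the permitted variant.)
 *
 * @param address the range in CIDR notation as accepted by BouncyCastle's
 *        {@code GeneralName(GeneralName.iPAddress, String)} constructor, e.g.
 *        {@code 192.168.0.0/16} (equivalent to 192.168.0.0 with netmask
 *        255.255.0.0). A single host is written with a full-length prefix
 *        ({@code xxx.xxx.xxx.xxx/32}); IPv6 ranges are accepted as well.
 *        See <a href="http://www.ietf.org/rfc/rfc4632.txt">RFC 4632</a>.
 *        NOTE(review): NameConstraints require the address+mask encoding
 *        (8 octets IPv4 / 32 octets IPv6); always pass the prefix length.
 * @throws NullPointerException if {@code address} is {@code null}
 * @throws IllegalArgumentException if BouncyCastle cannot parse {@code address}
 */
public void addExcludedIPAddressWithNetmask(String address) {
    // Fail with a clear message here instead of an NPE from inside the
    // BouncyCastle address parser.
    java.util.Objects.requireNonNull(address, "address must not be null");
    GeneralName ipRange = new GeneralName(GeneralName.iPAddress, address);
    // minimum/maximum are left unset (null): RFC 5280 name constraints
    // expect minimum 0 (the default) and no maximum.
    excludedGeneralSubtrees.add(new GeneralSubtree(ipRange, null, null));
}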
From source file:net.sf.keystore_explorer.gui.crypto.generalsubtree.DGeneralSubtreeChooser.java
License:Open Source License
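/**
 * Validates the dialog fields and, if they are acceptable, stores the
 * resulting {@link GeneralSubtree} in {@code generalSubtree} and closes the
 * dialog. On any validation failure a warning is shown and the dialog stays
 * open.
 *
 * Rules enforced: a base name is required; a minimum is required and must
 * parse as a non-negative int; a maximum is optional but, if given, must
 * also parse as a non-negative int. (The former redundant
 * {@code if (minimumStr.length() > 0)} after the empty check is gone, and the
 * duplicated parse/validate/warn code is shared by both fields.)
 *
 * NOTE(review): RFC 5280 section 4.2.1.10 requires minimum to be 0 and
 * maximum to be absent in NameConstraints; this dialog accepts other values
 * (presumably so users can build non-conforming test data) - confirm that is
 * intended, since relying parties may reject such subtrees.
 */
private void okPressed() {
    GeneralName base = jgnBase.getGeneralName();
    if (base == null) {
        showWarning("DGeneralSubtreeChooser.BaseValueReq.message");
        return;
    }

    String minimumStr = jtfMinimum.getText().trim();
    if (minimumStr.isEmpty()) {
        showWarning("DGeneralSubtreeChooser.MinimumValueReq.message");
        return;
    }
    BigInteger asn1Minimum = parseNonNegative(minimumStr,
            "DGeneralSubtreeChooser.InvalidMinimumValue.message");
    if (asn1Minimum == null) {
        return; // warning already shown
    }

    // The maximum is optional: an empty field means "absent" (null in ASN.1).
    BigInteger asn1Maximum = null;
    String maximumStr = jtfMaximum.getText().trim();
    if (!maximumStr.isEmpty()) {
        asn1Maximum = parseNonNegative(maximumStr,
                "DGeneralSubtreeChooser.InvalidMaximumValue.message");
        if (asn1Maximum == null) {
            return; // warning already shown
        }
    }

    generalSubtree = new GeneralSubtree(base, asn1Minimum, asn1Maximum);
    closeDialog();
}

/**
 * Parses a non-negative int from user input.
 *
 * @param text the trimmed, non-empty field content
 * @param errorKey resource key of the warning shown on failure
 * @return the value as a {@link BigInteger}, or {@code null} (after showing
 *         the warning) if the text is not an int or is negative
 */
private BigInteger parseNonNegative(String text, String errorKey) {
    try {
        int value = Integer.parseInt(text);
        if (value >= 0) {
            return BigInteger.valueOf(value);
        }
    } catch (NumberFormatException ignored) {
        // fall through: an unparsable value gets the same warning as a negative one
    }
    showWarning(errorKey);
    return null;
}

/** Shows a modal warning with the localized message for {@code key}. */
private void showWarning(String key) {
    JOptionPane.showMessageDialog(this, res.getString(key), getTitle(), JOptionPane.WARNING_MESSAGE);
}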
From source file:org.glite.security.util.proxy.ProxyRestrictionData.java
License:Apache License
/**
 * Registers an IP address range as a <em>permitted</em> subtree.
 *
 * @param address the range in CIDR notation, e.g. {@code 192.168.0.0/16}
 *        (192.168.0.0 with netmask 255.255.0.0); a single host is written as
 *        {@code xxx.xxx.xxx.xxx/32}. See
 *        <a href="http://www.ietf.org/rfc/rfc4632.txt">RFC 4632</a>. The value
 *        is encoded in the NameConstraints form, i.e. a GeneralName of 8 octets
 *        for IPv4 and 32 octets for IPv6 (address followed by mask).
 *        NOTE(review): because of that encoding the prefix length is required;
 *        a bare address would not produce the address+mask form - confirm callers.
 */
public void addPermittedIPAddressWithNetmask(String address) {
    GeneralName ipRange = new GeneralName(GeneralName.iPAddress, address);
    // No minimum/maximum: RFC 5280 expects minimum 0 (default) and no maximum.
    GeneralSubtree permitted = new GeneralSubtree(ipRange, null, null);
    m_permittedGeneralSubtrees.add(permitted);
}
From source file:org.glite.security.util.proxy.ProxyRestrictionData.java
License:Apache License
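/**
 * Registers an IP address range as an <em>excluded</em> subtree, i.e. a range
 * that certificates constrained by this structure must NOT name.
 *
 * (The previous Javadoc described the argument as being added to the
 * "allowed" space, which was a copy/paste error from the permitted variant.)
 *
 * @param address the range in CIDR notation, e.g. {@code 192.168.0.0/16}
 *        (192.168.0.0 with netmask 255.255.0.0); a single host is written as
 *        {@code xxx.xxx.xxx.xxx/32}. See
 *        <a href="http://www.ietf.org/rfc/rfc4632.txt">RFC 4632</a>. The value
 *        is encoded in the NameConstraints form, i.e. a GeneralName of 8 octets
 *        for IPv4 and 32 octets for IPv6 (address followed by mask), so the
 *        prefix length is required.
 * @throws NullPointerException if {@code address} is {@code null}
 * @throws IllegalArgumentException if BouncyCastle cannot parse {@code address}
 */
public void addExcludedIPAddressWithNetmask(String address) {
    // Fail with a clear message here instead of an NPE from inside the
    // BouncyCastle address parser.
    java.util.Objects.requireNonNull(address, "address must not be null");
    GeneralName ipRange = new GeneralName(GeneralName.iPAddress, address);
    // No minimum/maximum: RFC 5280 expects minimum 0 (default) and no maximum.
    m_excludedGeneralSubtrees.add(new GeneralSubtree(ipRange, null, null));
}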
From source file:org.tdmx.client.crypto.certificate.CredentialUtils.java
License:Open Source License
/**
 * Create the credentials of a ZoneAdministrator.
 *
 * The ZoneAdministrator credentials are long validity. The result is a
 * self-signed CA certificate (issuer == subject) with pathLenConstraint 1,
 * keyUsage digitalSignature|keyCertSign and a critical NameConstraints
 * extension whose single permitted subtree is the subject's C/L/O/OU RDNs
 * followed by OU={@code TDMX_DOMAIN_CA_OU}.
 *
 * NOTE(review): the serial number is hard-coded to 1. Certificates issued by
 * this CA in createDomainAdministratorCredential also carry serial 1, so the
 * (issuer, serial) pair is not unique as RFC 5280 section 4.1.2.2 requires
 * and revocation by serial cannot tell them apart - confirm and switch to a
 * CSPRNG-generated serial.
 * NOTE(review): the permitted subtree is a directoryName only. Name
 * constraints apply per name form, so dNSName/rfc822Name/iPAddress/URI
 * subject alternative names in subordinate certificates remain
 * unconstrained - confirm this is acceptable for the trust model.
 * NOTE(review): keyUsage is added as non-critical; RFC 5280 says it SHOULD be
 * critical when present.
 *
 * @param req subject attributes, validity window, key algorithm, signature
 *        algorithm and zone info for the new root. An OU equal to
 *        {@code TDMX_DOMAIN_CA_OU} is rejected with ERROR_INVALID_OU, that OU
 *        being the one appended to issued domain certificates.
 * @return the new self-signed certificate together with its private key
 * @throws CryptoCertificateException ERROR_CA_KEYPAIR_GENERATION if key
 *         generation fails, ERROR_INVALID_OU for the reserved OU, or
 *         ERROR_CA_CERT_GENERATION for any failure while adding extensions,
 *         signing or encoding the certificate
 */
public static PKIXCredential createZoneAdministratorCredential(ZoneAdministrationCredentialSpecifier req) throws CryptoCertificateException {
    KeyPair kp = null;
    try {
        kp = req.getKeyAlgorithm().generateNewKeyPair();
    } catch (CryptoException e) {
        throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_KEYPAIR_GENERATION, e);
    }
    PublicKey publicKey = kp.getPublic();
    PrivateKey privateKey = kp.getPrivate();

    // Subject DN: only the attributes present in the request are added.
    X500NameBuilder subjectBuilder = new X500NameBuilder();
    if (StringUtils.hasText(req.getCountry())) {
        subjectBuilder.addRDN(BCStyle.C, req.getCountry());
    }
    if (StringUtils.hasText(req.getLocation())) {
        subjectBuilder.addRDN(BCStyle.L, req.getLocation());
    }
    if (StringUtils.hasText(req.getOrg())) {
        subjectBuilder.addRDN(BCStyle.O, req.getOrg());
    }
    if (StringUtils.hasText(req.getOrgUnit())) {
        // The domain-CA OU is appended to issued certificates below (and in
        // createDomainAdministratorCredential); a root claiming it is rejected.
        if (TDMX_DOMAIN_CA_OU.equals(req.getOrgUnit())) {
            throw new CryptoCertificateException(CertificateResultCode.ERROR_INVALID_OU);
        }
        subjectBuilder.addRDN(BCStyle.OU, req.getOrgUnit());
    }
    if (StringUtils.hasText(req.getEmailAddress())) {
        subjectBuilder.addRDN(BCStyle.E, req.getEmailAddress());
    }
    if (StringUtils.hasText(req.getTelephoneNumber())) {
        subjectBuilder.addRDN(BCStyle.TELEPHONE_NUMBER, req.getTelephoneNumber());
    }
    if (StringUtils.hasText(req.getCn())) {
        subjectBuilder.addRDN(BCStyle.CN, req.getCn());
    }
    X500Name subject = subjectBuilder.build();
    // Self-signed: the issuer is the subject itself.
    X500Name issuer = subject;

    // NOTE(review): fixed serial "1" - see the class comment about uniqueness.
    JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuer, new BigInteger("1"), req.getNotBefore().getTime(), req.getNotAfter().getTime(), subject, publicKey);
    try {
        // CA with pathLenConstraint 1: may issue one further level of CAs.
        BasicConstraints cA = new BasicConstraints(1);
        certBuilder.addExtension(Extension.basicConstraints, true, cA);
        JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
        // AKI and SKI are both derived from our own key (self-signed).
        certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(publicKey));
        certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey));
        KeyUsage ku = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign);
        certBuilder.addExtension(Extension.keyUsage, false, ku);

        // RFC5280 http://tools.ietf.org/html/rfc5280#section-4.2.1.10
        // The CA has a CN which is not part of the name constraint - but we can constrain
        // any domain certificate issued to be limited to some OU under the O.
        // The subtree repeats the subject's C/L/O/OU (without E, telephone, CN)
        // and appends the domain-CA OU.
        X500NameBuilder subjectConstraintBuilder = new X500NameBuilder();
        if (StringUtils.hasText(req.getCountry())) {
            subjectConstraintBuilder.addRDN(BCStyle.C, req.getCountry());
        }
        if (StringUtils.hasText(req.getLocation())) {
            subjectConstraintBuilder.addRDN(BCStyle.L, req.getLocation());
        }
        if (StringUtils.hasText(req.getOrg())) {
            subjectConstraintBuilder.addRDN(BCStyle.O, req.getOrg());
        }
        if (StringUtils.hasText(req.getOrgUnit())) {
            subjectConstraintBuilder.addRDN(BCStyle.OU, req.getOrgUnit());
        }
        subjectConstraintBuilder.addRDN(BCStyle.OU, TDMX_DOMAIN_CA_OU);
        X500Name nameConstraint = subjectConstraintBuilder.build();
        GeneralName snc = new GeneralName(GeneralName.directoryName, nameConstraint);
        // minimum 0 / no maximum, as RFC 5280 mandates for name constraints.
        GeneralSubtree snSubtree = new GeneralSubtree(snc, new BigInteger("0"), null);
        // Permitted subtree only; no excluded subtrees.
        NameConstraints nc = new NameConstraints(new GeneralSubtree[] { snSubtree }, null);
        certBuilder.addExtension(Extension.nameConstraints, true, nc);
        // Private TDMX extension carrying the zone information from the request.
        certBuilder.addExtension(TdmxZoneInfo.tdmxZoneInfo, false, req.getZoneInfo());

        ContentSigner signer = SignatureAlgorithm.getContentSigner(privateKey, req.getSignatureAlgorithm());
        byte[] certBytes = certBuilder.build(signer).getEncoded();
        // Round-trip through DER so the returned object is the project's own type.
        PKIXCertificate c = CertificateIOUtils.decodeX509(certBytes);
        return new PKIXCredential(c, privateKey);
    } catch (CertIOException e) {
        throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e);
    } catch (NoSuchAlgorithmException e) {
        // from new JcaX509ExtensionUtils()
        throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e);
    } catch (IOException e) {
        throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e);
    }
}
From source file:org.tdmx.client.crypto.certificate.CredentialUtils.java
License:Open Source License
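/**
 * Create the credentials of a DomainAdministrator.
 *
 * The certificate is issued (signed) by the ZoneAdministrator credential
 * carried in {@code req}. Its subject copies the issuer's C/L/O/OU RDNs and
 * appends OU={@code TDMX_DOMAIN_CA_OU} and CN=domainName, which keeps it
 * inside the issuer's permitted directoryName subtree. It is itself a CA
 * (pathLenConstraint 0) with keyUsage digitalSignature|keyCertSign and a
 * critical NameConstraints extension restricting further issuance to the
 * issuer's RDNs + OU={@code TDMX_DOMAIN_CA_OU} + OU=domainName.
 *
 * Fix: the serial number used to be the constant 1 for every certificate
 * issued by a given ZoneAdministrator (and for the ZoneAdministrator root
 * itself), violating the RFC 5280 section 4.1.2.2 requirement that serials
 * be unique per issuer and making revocation by (issuer, serial) ambiguous.
 * A 159-bit CSPRNG serial is now used.
 *
 * NOTE(review): the permitted subtree is a directoryName only, so other name
 * forms (dNSName, rfc822Name, iPAddress, URI) in end-entity SANs remain
 * unconstrained - confirm this matches the trust model.
 * NOTE(review): keyUsage is non-critical; RFC 5280 says it SHOULD be critical.
 * NOTE(review): {@code req.getDomainName()} is used unchecked as CN and OU;
 * a null/blank value is not rejected here - confirm the specifier validates it.
 *
 * @param req domain name, validity window, key and signature algorithm, and
 *        the issuing ZoneAdministrator credential (certificate + private key)
 * @return the new certificate, the issuer's chain, and the new private key
 * @throws CryptoCertificateException ERROR_CA_KEYPAIR_GENERATION if key
 *         generation fails, or ERROR_CA_CERT_GENERATION for any failure while
 *         adding extensions, signing or encoding the certificate
 */
public static PKIXCredential createDomainAdministratorCredential(DomainAdministrationCredentialSpecifier req) throws CryptoCertificateException {
    KeyPair kp = null;
    try {
        kp = req.getKeyAlgorithm().generateNewKeyPair();
    } catch (CryptoException e) {
        throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_KEYPAIR_GENERATION, e);
    }
    PublicKey publicKey = kp.getPublic();
    PrivateKey privateKey = kp.getPrivate();

    PKIXCredential issuerCredential = req.getZoneAdministratorCredential();
    PKIXCertificate issuerPublicCert = issuerCredential.getPublicCert();
    PublicKey issuerPublicKey = issuerPublicCert.getCertificate().getPublicKey();
    PrivateKey issuerPrivateKey = issuerCredential.getPrivateKey();

    // Subject DN: the issuer's C/L/O/OU, then the domain-CA OU and the domain as CN.
    X500NameBuilder subjectBuilder = new X500NameBuilder();
    if (StringUtils.hasText(issuerPublicCert.getCountry())) {
        subjectBuilder.addRDN(BCStyle.C, issuerPublicCert.getCountry());
    }
    if (StringUtils.hasText(issuerPublicCert.getLocation())) {
        subjectBuilder.addRDN(BCStyle.L, issuerPublicCert.getLocation());
    }
    if (StringUtils.hasText(issuerPublicCert.getOrganization())) {
        subjectBuilder.addRDN(BCStyle.O, issuerPublicCert.getOrganization());
    }
    if (StringUtils.hasText(issuerPublicCert.getOrgUnit())) {
        subjectBuilder.addRDN(BCStyle.OU, issuerPublicCert.getOrgUnit());
    }
    subjectBuilder.addRDN(BCStyle.OU, TDMX_DOMAIN_CA_OU);
    subjectBuilder.addRDN(BCStyle.CN, req.getDomainName());
    X500Name subject = subjectBuilder.build();
    X500Name issuer = issuerPublicCert.getSubjectName();

    // Unique, positive, <= 20-octet serial as RFC 5280 section 4.1.2.2 requires.
    BigInteger serial = newSerialNumber();
    JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuer, serial, req.getNotBefore().getTime(), req.getNotAfter().getTime(), subject, publicKey);
    try {
        // CA that may issue end-entity certificates only (pathLenConstraint 0).
        BasicConstraints cA = new BasicConstraints(0);
        certBuilder.addExtension(Extension.basicConstraints, true, cA);
        JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
        // AKI points at the issuer's key, SKI at our own.
        certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(issuerPublicKey));
        certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey));
        KeyUsage ku = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign);
        certBuilder.addExtension(Extension.keyUsage, false, ku);

        // RFC5280 http://tools.ietf.org/html/rfc5280#section-4.2.1.10
        // Constrain anything this CA issues to the issuer's RDNs plus the
        // domain-CA OU and an OU naming this domain.
        X500NameBuilder subjectConstraintBuilder = new X500NameBuilder();
        if (StringUtils.hasText(issuerPublicCert.getCountry())) {
            subjectConstraintBuilder.addRDN(BCStyle.C, issuerPublicCert.getCountry());
        }
        if (StringUtils.hasText(issuerPublicCert.getLocation())) {
            subjectConstraintBuilder.addRDN(BCStyle.L, issuerPublicCert.getLocation());
        }
        if (StringUtils.hasText(issuerPublicCert.getOrganization())) {
            subjectConstraintBuilder.addRDN(BCStyle.O, issuerPublicCert.getOrganization());
        }
        if (StringUtils.hasText(issuerPublicCert.getOrgUnit())) {
            subjectConstraintBuilder.addRDN(BCStyle.OU, issuerPublicCert.getOrgUnit());
        }
        subjectConstraintBuilder.addRDN(BCStyle.OU, TDMX_DOMAIN_CA_OU);
        subjectConstraintBuilder.addRDN(BCStyle.OU, req.getDomainName());
        X500Name nameConstraint = subjectConstraintBuilder.build();
        GeneralName snc = new GeneralName(GeneralName.directoryName, nameConstraint);
        // minimum 0 / no maximum, as RFC 5280 mandates for name constraints.
        GeneralSubtree snSubtree = new GeneralSubtree(snc, new BigInteger("0"), null);
        // Permitted subtree only; no excluded subtrees.
        NameConstraints nc = new NameConstraints(new GeneralSubtree[] { snSubtree }, null);
        certBuilder.addExtension(Extension.nameConstraints, true, nc);
        // Zone information is inherited from the issuing certificate.
        certBuilder.addExtension(TdmxZoneInfo.tdmxZoneInfo, false, issuerPublicCert.getTdmxZoneInfo());

        ContentSigner signer = SignatureAlgorithm.getContentSigner(issuerPrivateKey, req.getSignatureAlgorithm());
        byte[] certBytes = certBuilder.build(signer).getEncoded();
        // Round-trip through DER so the returned object is the project's own type.
        PKIXCertificate c = CertificateIOUtils.decodeX509(certBytes);
        return new PKIXCredential(c, issuerCredential.getCertificateChain(), privateKey);
    } catch (CertIOException e) {
        throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e);
    } catch (NoSuchAlgorithmException e) {
        // from new JcaX509ExtensionUtils()
        throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e);
    } catch (IOException e) {
        throw new CryptoCertificateException(CertificateResultCode.ERROR_CA_CERT_GENERATION, e);
    }
}

/**
 * Generates a certificate serial number from a CSPRNG.
 *
 * @return a strictly positive value of at most 159 bits, so its DER INTEGER
 *         encoding never exceeds the 20 octets allowed by RFC 5280
 */
private static BigInteger newSerialNumber() {
    // setBit(0) guarantees a non-zero (positive) value without adding a 160th bit.
    return new BigInteger(159, new java.security.SecureRandom()).setBit(0);
}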
From source file:org.xipki.ca.certprofile.XmlX509CertprofileUtil.java
License:Open Source License
/**
 * Converts a profile {@code GeneralSubtreeBaseType} into a BouncyCastle
 * {@link GeneralSubtree}.
 *
 * Exactly one of directoryName, dNSName, iPAddress, rfc822Name or URI is
 * expected to be set (checked in that order); the directory name is reversed
 * via {@code X509Util.reverse} before use. Minimum and maximum are passed
 * through when present and rejected when negative.
 *
 * NOTE(review): RFC 5280 section 4.2.1.10 requires minimum 0 and no maximum
 * in NameConstraints; this method accepts any non-negative values, so profile
 * authors can produce non-conforming subtrees. NOTE(review): an iPAddress
 * without a prefix length would be encoded without a mask, which is not the
 * NameConstraints form - confirm the profile schema enforces the prefix.
 *
 * @param type the profile element to convert
 * @return the corresponding subtree
 * @throws CertprofileException if minimum or maximum is negative
 * @throws RuntimeException if none of the supported base-name children is set
 */
private static GeneralSubtree buildGeneralSubtree(final GeneralSubtreeBaseType type) throws CertprofileException {
    final GeneralName base = toBaseName(type);
    final BigInteger minimum = toBound(type.getMinimum(), "minimum");
    final BigInteger maximum = toBound(type.getMaximum(), "maximum");
    return new GeneralSubtree(base, minimum, maximum);
}

/** Picks the first populated name child of {@code type} and wraps it as a GeneralName. */
private static GeneralName toBaseName(final GeneralSubtreeBaseType type) {
    if (type.getDirectoryName() != null) {
        return new GeneralName(X509Util.reverse(new X500Name(type.getDirectoryName())));
    }
    if (type.getDNSName() != null) {
        return new GeneralName(GeneralName.dNSName, type.getDNSName());
    }
    if (type.getIpAddress() != null) {
        return new GeneralName(GeneralName.iPAddress, type.getIpAddress());
    }
    if (type.getRfc822Name() != null) {
        return new GeneralName(GeneralName.rfc822Name, type.getRfc822Name());
    }
    if (type.getUri() != null) {
        return new GeneralName(GeneralName.uniformResourceIdentifier, type.getUri());
    }
    throw new RuntimeException("should not reach here, unknown child of GeneralSubtreeBaseType");
}

/**
 * Converts an optional bound to a BigInteger.
 *
 * @param value the profile value, may be null
 * @param label "minimum" or "maximum", used in the error message
 * @return null when {@code value} is null, else the value
 * @throws CertprofileException if {@code value} is negative
 */
private static BigInteger toBound(final Integer value, final String label) throws CertprofileException {
    if (value == null) {
        return null;
    }
    if (value < 0) {
        throw new CertprofileException("negative " + label + " is not allowed: " + value);
    }
    return BigInteger.valueOf(value.intValue());
}
From source file:org.xipki.pki.ca.certprofile.XmlX509CertprofileUtil.java
License:Open Source License
/**
 * Converts a profile {@code GeneralSubtreeBaseType} into a BouncyCastle
 * {@link GeneralSubtree}.
 *
 * The first populated child wins, in the order directoryName (reversed via
 * {@code X509Util.reverse}), dnsName, ipAddress, rfc822Name, uri. Minimum and
 * maximum are optional and must be non-negative when present.
 *
 * NOTE(review): RFC 5280 section 4.2.1.10 requires minimum 0 and no maximum
 * in NameConstraints; any non-negative values are accepted here, so profile
 * authors can produce non-conforming subtrees. NOTE(review): an ipAddress
 * without a prefix length would be encoded without a mask, which is not the
 * NameConstraints form - confirm the profile schema enforces the prefix.
 *
 * @param type the profile element to convert, must not be null
 * @return the corresponding subtree
 * @throws CertprofileException if minimum or maximum is negative
 * @throws RuntimeException if none of the supported base-name children is set
 */
private static GeneralSubtree buildGeneralSubtree(final GeneralSubtreeBaseType type) throws CertprofileException {
    ParamUtil.requireNonNull("type", type);

    final GeneralName base;
    if (type.getDirectoryName() != null) {
        base = new GeneralName(X509Util.reverse(new X500Name(type.getDirectoryName())));
    } else if (type.getDnsName() != null) {
        base = new GeneralName(GeneralName.dNSName, type.getDnsName());
    } else if (type.getIpAddress() != null) {
        base = new GeneralName(GeneralName.iPAddress, type.getIpAddress());
    } else if (type.getRfc822Name() != null) {
        base = new GeneralName(GeneralName.rfc822Name, type.getRfc822Name());
    } else if (type.getUri() != null) {
        base = new GeneralName(GeneralName.uniformResourceIdentifier, type.getUri());
    } else {
        throw new RuntimeException("should not reach here, unknown child of GeneralSubtreeBaseType");
    }

    final BigInteger minimum = nonNegativeBound(type.getMinimum(), "minimum");
    final BigInteger maximum = nonNegativeBound(type.getMaximum(), "maximum");
    return new GeneralSubtree(base, minimum, maximum);
}

/**
 * Maps an optional profile bound to a BigInteger, rejecting negative values.
 *
 * @param bound the profile value, may be null
 * @param label "minimum" or "maximum", used in the error message
 * @return null when {@code bound} is null, else its value
 * @throws CertprofileException if {@code bound} is negative
 */
private static BigInteger nonNegativeBound(final Integer bound, final String label) throws CertprofileException {
    if (bound == null) {
        return null;
    }
    final int v = bound.intValue();
    if (v < 0) {
        throw new CertprofileException("negative " + label + " is not allowed: " + bound);
    }
    return BigInteger.valueOf(v);
}