List of usage examples for org.bouncycastle.asn1.x509 SubjectKeyIdentifier getKeyIdentifier
public byte[] getKeyIdentifier()
From source file:be.fedict.eid.applet.service.signer.time.TSPTimeStampService.java
License:Open Source License
private byte[] getSubjectKeyId(X509Certificate cert) throws IOException { byte[] extvalue = cert.getExtensionValue(X509Extensions.SubjectKeyIdentifier.getId()); if (extvalue == null) { return null; }//w ww. ja v a 2s . c o m ASN1OctetString str = ASN1OctetString .getInstance(new ASN1InputStream(new ByteArrayInputStream(extvalue)).readObject()); SubjectKeyIdentifier keyId = SubjectKeyIdentifier .getInstance(new ASN1InputStream(new ByteArrayInputStream(str.getOctets())).readObject()); return keyId.getKeyIdentifier(); }
From source file:be.fedict.eid.tsl.Tsl2PdfExporter.java
License:Open Source License
private byte[] getSKId(final X509Certificate cert) throws IOException { final byte[] extValue = cert.getExtensionValue(X509Extensions.SubjectKeyIdentifier.getId()); if (extValue != null) { final ASN1OctetString str = ASN1OctetString .getInstance(new ASN1InputStream(new ByteArrayInputStream(extValue)).readObject()); final SubjectKeyIdentifier keyId = SubjectKeyIdentifier .getInstance(new ASN1InputStream(new ByteArrayInputStream(str.getOctets())).readObject()); return keyId.getKeyIdentifier(); } else {//w w w . j a v a 2 s . co m return null; } }
From source file:be.fedict.trust.linker.PublicKeyTrustLinker.java
License:Open Source License
@Override public TrustLinkerResult hasTrustLink(X509Certificate childCertificate, X509Certificate certificate, Date validationDate, RevocationData revocationData, AlgorithmPolicy algorithmPolicy) throws TrustLinkerResultException, Exception { if (false == childCertificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal())) { LOG.debug("child certificate issuer not the same as the issuer certificate subject"); LOG.debug("child certificate: " + childCertificate.getSubjectX500Principal()); LOG.debug("certificate: " + certificate.getSubjectX500Principal()); LOG.debug("child certificate issuer: " + childCertificate.getIssuerX500Principal()); throw new TrustLinkerResultException(TrustLinkerResultReason.NO_TRUST, "child certificate issuer not the same as the issuer certificate subject"); }/*from w w w. jav a 2 s .com*/ try { childCertificate.verify(certificate.getPublicKey()); } catch (Exception e) { LOG.debug("verification error: " + e.getMessage(), e); throw new TrustLinkerResultException(TrustLinkerResultReason.INVALID_SIGNATURE, "verification error: " + e.getMessage()); } algorithmPolicy.checkSignatureAlgorithm(childCertificate.getSigAlgOID(), validationDate); if (true == childCertificate.getNotAfter().after(certificate.getNotAfter())) { LOG.warn("child certificate validity end is after certificate validity end"); LOG.warn("child certificate validity end: " + childCertificate.getNotAfter()); LOG.warn("certificate validity end: " + certificate.getNotAfter()); } if (true == childCertificate.getNotBefore().before(certificate.getNotBefore())) { LOG.warn("child certificate validity begin before certificate validity begin"); LOG.warn("child certificate validity begin: " + childCertificate.getNotBefore()); LOG.warn("certificate validity begin: " + certificate.getNotBefore()); } if (true == validationDate.before(childCertificate.getNotBefore())) { LOG.debug("certificate is not yet valid"); throw new TrustLinkerResultException(TrustLinkerResultReason.INVALID_VALIDITY_INTERVAL, "certificate is not yet valid"); } if (true == validationDate.after(childCertificate.getNotAfter())) { LOG.debug("certificate already expired"); throw new TrustLinkerResultException(TrustLinkerResultReason.INVALID_VALIDITY_INTERVAL, "certificate already expired"); } if (-1 == certificate.getBasicConstraints()) { LOG.debug("certificate not a CA: " + certificate.getSubjectX500Principal()); /* * http://www.valicert.com/ Root CA has no CA flag set. Actually * this is in violation with 4.2.1.10 Basic Constraints of RFC2459. */ try { certificate.verify(certificate.getPublicKey()); LOG.warn("allowing self-signed Root CA without CA flag set"); } catch (Exception e) { throw new TrustLinkerResultException(TrustLinkerResultReason.NO_TRUST, "certificate not a CA"); } } if (0 == certificate.getBasicConstraints() && -1 != childCertificate.getBasicConstraints()) { LOG.debug("child should not be a CA"); throw new TrustLinkerResultException(TrustLinkerResultReason.NO_TRUST, "child should not be a CA"); } /* * SKID/AKID sanity check */ boolean isCa = isCa(certificate); boolean isChildCa = isCa(childCertificate); byte[] subjectKeyIdentifierData = certificate.getExtensionValue(Extension.subjectKeyIdentifier.getId()); byte[] authorityKeyIdentifierData = childCertificate .getExtensionValue(Extension.authorityKeyIdentifier.getId()); if (isCa && null == subjectKeyIdentifierData) { LOG.debug("certificate is CA and MUST contain a Subject Key Identifier"); throw new TrustLinkerResultException(TrustLinkerResultReason.NO_TRUST, "certificate is CA and MUST contain a Subject Key Identifier"); } if (isChildCa && null == authorityKeyIdentifierData && null != subjectKeyIdentifierData) { LOG.error("child certificate is CA and MUST contain an Authority Key Identifier"); // return new TrustLinkerResult(false, // TrustLinkerResultReason.INVALID_TRUST, // "child certificate is CA and MUST contain an Authority Key Identifier"); } if (null != subjectKeyIdentifierData && null != authorityKeyIdentifierData) { AuthorityKeyIdentifier authorityKeyIdentifier = AuthorityKeyIdentifier .getInstance(JcaX509ExtensionUtils.parseExtensionValue(authorityKeyIdentifierData)); SubjectKeyIdentifier subjectKeyIdentifier = SubjectKeyIdentifier .getInstance(JcaX509ExtensionUtils.parseExtensionValue(subjectKeyIdentifierData)); if (!Arrays.equals(authorityKeyIdentifier.getKeyIdentifier(), subjectKeyIdentifier.getKeyIdentifier())) { LOG.debug( "certificate's subject key identifier does not match child certificate's authority key identifier"); throw new TrustLinkerResultException(TrustLinkerResultReason.NO_TRUST, "certificate's subject key identifier does not match child certificate's authority key identifier"); } } /* * We don't check pathLenConstraint since this one is only there to * protect the PKI business. */ /* * Keep in mind that this trust linker can never return TRUSTED. */ return TrustLinkerResult.UNDECIDED; }
From source file:com.spotify.helios.client.tls.X509CertificateFactory.java
License:Apache License
private CertificateAndPrivateKey generate(final AgentProxy agentProxy, final Identity identity, final String username) { final UUID uuid = new UUID(); final Calendar calendar = Calendar.getInstance(); final X500Name issuerDN = new X500Name("C=US,O=Spotify,CN=helios-client"); final X500Name subjectDN = new X500NameBuilder().addRDN(BCStyle.UID, username).build(); calendar.add(Calendar.MILLISECOND, -validBeforeMilliseconds); final Date notBefore = calendar.getTime(); calendar.add(Calendar.MILLISECOND, validBeforeMilliseconds + validAfterMilliseconds); final Date notAfter = calendar.getTime(); // Reuse the UUID time as a SN final BigInteger serialNumber = BigInteger.valueOf(uuid.getTime()).abs(); try {/*from ww w . ja va2 s . co m*/ final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC"); keyPairGenerator.initialize(KEY_SIZE, new SecureRandom()); final KeyPair keyPair = keyPairGenerator.generateKeyPair(); final SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo .getInstance(ASN1Sequence.getInstance(keyPair.getPublic().getEncoded())); final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuerDN, serialNumber, notBefore, notAfter, subjectDN, subjectPublicKeyInfo); final DigestCalculator digestCalculator = new BcDigestCalculatorProvider() .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); final X509ExtensionUtils utils = new X509ExtensionUtils(digestCalculator); final SubjectKeyIdentifier keyId = utils.createSubjectKeyIdentifier(subjectPublicKeyInfo); final String keyIdHex = KEY_ID_ENCODING.encode(keyId.getKeyIdentifier()); log.info("generating an X509 certificate for {} with key ID={} and identity={}", username, keyIdHex, identity.getComment()); builder.addExtension(Extension.subjectKeyIdentifier, false, keyId); builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(subjectPublicKeyInfo)); builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); final X509CertificateHolder holder = builder.build(new SshAgentContentSigner(agentProxy, identity)); final X509Certificate certificate = CERTIFICATE_CONVERTER.getCertificate(holder); log.debug("generated certificate:\n{}", asPEMString(certificate)); return new CertificateAndPrivateKey(certificate, keyPair.getPrivate()); } catch (Exception e) { throw Throwables.propagate(e); } }
From source file:com.spotify.sshagenttls.X509CertKeyCreator.java
License:Apache License
@Override public CertKey createCertKey(final String username, final X500Principal x500Principal) { final Calendar calendar = Calendar.getInstance(); final BigInteger serialNumber = BigInteger.valueOf(calendar.getTimeInMillis()).abs(); final X500Name issuerDn = new X500Name(x500Principal.getName(X500Principal.RFC1779)); final X500Name subjectDn = new X500NameBuilder().addRDN(BCStyle.UID, username).build(); calendar.add(Calendar.MILLISECOND, -validBeforeMillis); final Date notBefore = calendar.getTime(); calendar.add(Calendar.MILLISECOND, validBeforeMillis + validAfterMillis); final Date notAfter = calendar.getTime(); try {//from w w w . j a va 2 s .c om final KeyPair keyPair = generateRandomKeyPair(); final SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo .getInstance(ASN1Sequence.getInstance(keyPair.getPublic().getEncoded())); final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuerDn, serialNumber, notBefore, notAfter, subjectDn, subjectPublicKeyInfo); final DigestCalculator digestCalculator = new BcDigestCalculatorProvider() .get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1)); final X509ExtensionUtils utils = new X509ExtensionUtils(digestCalculator); final SubjectKeyIdentifier keyId = utils.createSubjectKeyIdentifier(subjectPublicKeyInfo); final String keyIdHex = KEY_ID_ENCODING.encode(keyId.getKeyIdentifier()); LOG.info("generating an X.509 certificate for {} with key ID={}", username, keyIdHex); builder.addExtension(Extension.subjectKeyIdentifier, false, keyId); builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(subjectPublicKeyInfo)); builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); final X509CertificateHolder holder = builder.build(contentSigner); final X509Certificate cert = CERT_CONVERTER.getCertificate(holder); LOG.debug("generated certificate:\n{}", Utils.asPemString(cert)); return CertKey.create(cert, keyPair.getPrivate()); } catch (Exception e) { throw new RuntimeException(e); } }
From source file:eu.europa.esig.dss.DSSASN1Utils.java
License:Open Source License
/** * This method returns SKI bytes from certificate. * * @param certificateToken//from ww w . j a v a 2 s. c o m * {@code CertificateToken} * @return ski bytes from the given certificate * @throws DSSException */ public static byte[] getSki(final CertificateToken certificateToken) throws DSSException { try { byte[] sKI = certificateToken.getCertificate() .getExtensionValue(Extension.subjectKeyIdentifier.getId()); ASN1Primitive extension = X509ExtensionUtil.fromExtensionValue(sKI); SubjectKeyIdentifier skiBC = SubjectKeyIdentifier.getInstance(extension); return skiBC.getKeyIdentifier(); } catch (Exception e) { throw new DSSException(e); } }
From source file:mitm.common.security.certificate.X509CertificateInspectorTest.java
License:Open Source License
@Test public void testCalculateSubjectKeyIdentifier() throws Exception { File file = new File("test/resources/testdata/certificates/subjectkeyident.cer"); X509Certificate certificate = TestUtils.loadCertificate(file); X509CertificateInspector inspector = new X509CertificateInspector(certificate); assertEquals("256E864B45E603AF649B577F5CDD63B0850A513E", inspector.getSubjectKeyIdentifierHex()); SubjectKeyIdentifier subjectKeyIdentifier = inspector.calculateSubjectKeyIdentifier(); String skiHex = HexUtils.hexEncode(subjectKeyIdentifier.getKeyIdentifier()); assertEquals("256E864B45E603AF649B577F5CDD63B0850A513E", skiHex); file = new File("test/resources/testdata/certificates/AC_MINEFI_DPMA.cer"); certificate = TestUtils.loadCertificate(file); inspector = new X509CertificateInspector(certificate); subjectKeyIdentifier = inspector.calculateSubjectKeyIdentifier(); skiHex = HexUtils.hexEncode(subjectKeyIdentifier.getKeyIdentifier()); assertEquals(skiHex, inspector.getSubjectKeyIdentifierHex()); }
From source file:net.sf.keystore_explorer.crypto.x509.X509Ext.java
License:Open Source License
private String getSubjectKeyIndentifierStringValue(byte[] value) throws IOException { // @formatter:off /*/*w ww .j av a2s . co m*/ * SubjectKeyIdentifier ::= KeyIdentifier * * KeyIdentifier ::= OCTET STRING */ // @formatter:on StringBuilder sb = new StringBuilder(); SubjectKeyIdentifier subjectKeyIdentifier = SubjectKeyIdentifier.getInstance(value); // Get key identifier from octet string byte[] keyIdentifierBytes = subjectKeyIdentifier.getKeyIdentifier(); sb.append(MessageFormat.format(res.getString("SubjectKeyIdentifier"), HexUtil.getHexString(keyIdentifierBytes))); sb.append(NEWLINE); return sb.toString(); }
From source file:net.sf.keystore_explorer.gui.dialogs.extensions.DSubjectKeyIdentifier.java
License:Open Source License
private void prepopulateWithValue(byte[] value) throws IOException { SubjectKeyIdentifier subjectKeyIdentifier = SubjectKeyIdentifier.getInstance(value); jkiKeyIdentifier.setKeyIdentifier(subjectKeyIdentifier.getKeyIdentifier()); }
From source file:net.sf.portecle.crypto.X509Ext.java
License:Open Source License
/** * Get Subject Key Identifier (2.5.29.14) extension value as a string. * // www . j a v a 2s .c o m * <pre> * SubjectKeyIdentifier ::= KeyIdentifier * KeyIdentifier ::= OCTET STRING * </pre> * * @param bValue The octet string value * @return Extension value as a string * @throws IOException If an I/O problem occurs */ private String getSubjectKeyIdentifierStringValue(byte[] bValue) throws IOException { SubjectKeyIdentifier ski = SubjectKeyIdentifier.getInstance(bValue); byte[] bKeyIdent = ski.getKeyIdentifier(); // Output as a hex string return convertToHexString(bKeyIdent); }