List of usage examples for org.bouncycastle.asn1.x509 X509Extensions KeyUsage
ASN1ObjectIdentifier KeyUsage
To view the source code for org.bouncycastle.asn1.x509 X509Extensions KeyUsage.
Click Source Link
From source file:org.votingsystem.signature.util.CertUtils.java
License:Open Source License
/** * Generate V3 certificate for root CA Authority *///from w w w.j a va 2 s .c om public static X509Certificate generateV3RootCert(KeyPair pair, Date dateBegin, Date dateFinish, String strSubjectDN) throws Exception { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); log.info("strSubjectDN: " + strSubjectDN); X509Principal x509Principal = new X509Principal(strSubjectDN); certGen.setSerialNumber(KeyGeneratorVS.INSTANCE.getSerno()); certGen.setIssuerDN(x509Principal); certGen.setNotBefore(dateBegin); certGen.setNotAfter(dateFinish); log.info("dateBegin: " + dateBegin.toString() + " - dateFinish: " + dateFinish.toString()); certGen.setSubjectDN(x509Principal); certGen.setPublicKey(pair.getPublic()); certGen.setSignatureAlgorithm(ContextVS.CERT_GENERATION_SIG_ALGORITHM); //The following fragment shows how to create one which indicates that //the certificate containing it is a CA and that only one certificate can follow in the certificate path. certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true, 0)); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(pair.getPublic())); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign)); return certGen.generate(pair.getPrivate(), ContextVS.PROVIDER); }
From source file:org.votingsystem.signature.util.CertUtils.java
License:Open Source License
/** * Generate V3 certificate for TimeStamp signing *//*w w w . j a v a 2s .c o m*/ public static X509Certificate generateTimeStampingCert(PublicKey entityKey, PrivateKey caKey, X509Certificate caCert, long begin, long period, String endEntitySubjectDN) throws Exception { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(caCert)); certGen.setNotBefore(new Date(begin)); certGen.setNotAfter(new Date(begin + period)); certGen.setSubjectDN(new X500Principal(endEntitySubjectDN)); certGen.setPublicKey(entityKey); certGen.setSignatureAlgorithm(ContextVS.CERT_GENERATION_SIG_ALGORITHM); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert)); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(entityKey)); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(new DERSequence(KeyPurposeId.id_kp_timeStamping))); return certGen.generate(caKey, ContextVS.PROVIDER); }
From source file:org.votingsystem.signature.util.CertUtils.java
License:Open Source License
/** * Generate V3 Certificate from CSR/* w w w . ja v a2 s .c om*/ */ public static X509Certificate generateV3EndEntityCertFromCsr(PKCS10CertificationRequest csr, PrivateKey caKey, X509Certificate caCert, Date dateBegin, Date dateFinish, String strSubjectDN, DERTaggedObject... certExtensions) throws Exception { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); PublicKey requestPublicKey = csr.getPublicKey(); X509Principal x509Principal = new X509Principal(strSubjectDN); certGen.setSerialNumber(KeyGeneratorVS.INSTANCE.getSerno()); log.info("generateV3EndEntityCertFromCsr - SubjectX500Principal(): " + caCert.getSubjectX500Principal()); certGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(caCert)); certGen.setNotBefore(dateBegin); certGen.setNotAfter(dateFinish); certGen.setSubjectDN(x509Principal); certGen.setPublicKey(requestPublicKey); certGen.setSignatureAlgorithm(ContextVS.CERT_GENERATION_SIG_ALGORITHM); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert)); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(requestPublicKey)); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));//Certificado final certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); ASN1Set attributes = csr.getCertificationRequestInfo().getAttributes(); if (attributes != null) { for (int i = 0; i != attributes.size(); i++) { if (attributes.getObjectAt(i) instanceof DERTaggedObject) { DERTaggedObject taggedObject = (DERTaggedObject) attributes.getObjectAt(i); ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier( ContextVS.VOTING_SYSTEM_BASE_OID + taggedObject.getTagNo()); certGen.addExtension(oid, true, taggedObject); } else { Attribute attr = Attribute.getInstance(attributes.getObjectAt(i)); if (attr.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) { X509Extensions extensions = X509Extensions.getInstance(attr.getAttrValues().getObjectAt(0)); Enumeration e = extensions.oids(); while (e.hasMoreElements()) { DERObjectIdentifier oid = (DERObjectIdentifier) e.nextElement(); X509Extension ext = extensions.getExtension(oid); certGen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets()); } } } } } if (certExtensions != null) { for (DERTaggedObject taggedObject : certExtensions) { if (taggedObject != null) { ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier( ContextVS.VOTING_SYSTEM_BASE_OID + taggedObject.getTagNo()); certGen.addExtension(oid, true, taggedObject); } log.log(Level.FINE, "null taggedObject"); } } X509Certificate cert = certGen.generate(caKey, ContextVS.PROVIDER); cert.verify(caCert.getPublicKey()); return cert; }
From source file:org.xwiki.crypto.x509.internal.X509Keymaker.java
License:Open Source License
/** * Create a new X509 client certificate. * * @param forCert the public key which will be embedded in the certificate, whoever has the matching private key * "owns" the certificate. * @param toSignWith the private key in this pair will be used to sign the certificate. * @param daysOfValidity number of days the cert should be valid for. * @param nonRepudiable this should only be true if the private key is not stored on the server. * @param webId the URI to put as the alternative name (for FOAFSSL webId compatibility) * @param userName a String representation of the name of the user getting the certificate. * @return a new X509 certificate./* w w w . ja va 2s . c om*/ * @throws GeneralSecurityException if something goes wrong. */ public synchronized X509Certificate makeClientCertificate(final PublicKey forCert, final KeyPair toSignWith, final int daysOfValidity, final boolean nonRepudiable, final String webId, final String userName) throws GeneralSecurityException { try { // the UID (same for issuer since this certificate confers no authority) final X509Name dName = new X509Name("UID=" + userName); this.prepareGenericCertificate(forCert, daysOfValidity, dName, dName); // Not a CA certGenerator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); // Client cert certGenerator.addExtension(MiscObjectIdentifiers.netscapeCertType, false, new NetscapeCertType(NetscapeCertType.sslClient | NetscapeCertType.smime)); // Key Usage extension. int keyUsage = KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement; if (nonRepudiable) { keyUsage |= KeyUsage.nonRepudiation; } certGenerator.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(keyUsage)); // Set the authority key identifier to be the CA key which we are using. certGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(toSignWith.getPublic())); // FOAFSSL compatibility. final GeneralNames subjectAltNames = new GeneralNames( new GeneralName(GeneralName.uniformResourceIdentifier, webId)); certGenerator.addExtension(X509Extensions.SubjectAlternativeName, true, subjectAltNames); return this.generate(toSignWith); } finally { // Clean up after ourselves so that it is more difficult to try to extract private keys from the heap. this.certGenerator.reset(); } }
From source file:org.xwiki.crypto.x509.internal.X509Keymaker.java
License:Open Source License
/** * Create a new self signed X509 certificate authority certificate. * * @param keyPair the public key will appear in the certificate and the private key will be used to sign it. * @param daysOfValidity number of days the cert should be valid for. * @param commonName what to put in the common name field, this field will identify this certificate authority * in the list on the user's browser. * @return a new X509 certificate authority. * @throws GeneralSecurityException if something goes wrong. *//*w w w . j a v a2 s . co m*/ public synchronized X509Certificate makeCertificateAuthority(final KeyPair keyPair, final int daysOfValidity, final String commonName) throws GeneralSecurityException { try { final X509Name name = new X509Name(new Vector<DERObjectIdentifier>() { { this.add(X509Name.O); this.add(X509Name.CN); } }, new Vector<String>() { { this.add(X509Keymaker.CA_ORGANIZATION_NAME); this.add(commonName); } }); this.prepareGenericCertificate(keyPair.getPublic(), daysOfValidity, name, name); // This authority can't sign other CA's. certGenerator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(0)); // Allow certificate signing only. certGenerator.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.keyCertSign)); // Adds the subject key identifier extension. Self singed so uses it's own key. certGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keyPair.getPublic())); return this.generate(keyPair); } finally { // Clean up after ourselves so that it is more difficult to try to extract private keys from the heap. this.certGenerator.reset(); } }
From source file:test.be.fedict.eid.applet.PkiTestUtils.java
License:Open Source License
static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn, DateTime notBefore, DateTime notAfter, X509Certificate issuerCertificate, PrivateKey issuerPrivateKey, boolean caFlag, int pathLength, String crlUri, String ocspUri, KeyUsage keyUsage) throws IOException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, CertificateException { String signatureAlgorithm = "SHA1withRSA"; X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); certificateGenerator.reset();//from ww w .j a va2 s . c o m certificateGenerator.setPublicKey(subjectPublicKey); certificateGenerator.setSignatureAlgorithm(signatureAlgorithm); certificateGenerator.setNotBefore(notBefore.toDate()); certificateGenerator.setNotAfter(notAfter.toDate()); X509Principal issuerDN; if (null != issuerCertificate) { issuerDN = new X509Principal(issuerCertificate.getSubjectX500Principal().toString()); } else { issuerDN = new X509Principal(subjectDn); } certificateGenerator.setIssuerDN(issuerDN); certificateGenerator.setSubjectDN(new X509Principal(subjectDn)); certificateGenerator.setSerialNumber(new BigInteger(128, new SecureRandom())); certificateGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(subjectPublicKey)); PublicKey issuerPublicKey; issuerPublicKey = subjectPublicKey; certificateGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, false, createAuthorityKeyId(issuerPublicKey)); if (caFlag) { if (-1 == pathLength) { certificateGenerator.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true)); } else { certificateGenerator.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(pathLength)); } } if (null != crlUri) { GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(crlUri)); GeneralNames gns = new GeneralNames(new DERSequence(gn)); DistributionPointName dpn = new DistributionPointName(0, gns); DistributionPoint distp = new DistributionPoint(dpn, null, null); certificateGenerator.addExtension(X509Extensions.CRLDistributionPoints, false, new DERSequence(distp)); } if (null != ocspUri) { GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, ocspUri); AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess( X509ObjectIdentifiers.ocspAccessMethod, ocspName); certificateGenerator.addExtension(X509Extensions.AuthorityInfoAccess.getId(), false, authorityInformationAccess); } if (null != keyUsage) { certificateGenerator.addExtension(X509Extensions.KeyUsage, true, keyUsage); } X509Certificate certificate; certificate = certificateGenerator.generate(issuerPrivateKey); /* * Next certificate factory trick is needed to make sure that the * certificate delivered to the caller is provided by the default * security provider instead of BouncyCastle. If we don't do this trick * we might run into trouble when trying to use the CertPath validator. */ CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); certificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(certificate.getEncoded())); return certificate; }
From source file:test.integ.be.fedict.trust.util.TestUtils.java
License:Open Source License
public static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn, PrivateKey issuerPrivateKey, X509Certificate issuerCert, DateTime notBefore, DateTime notAfter, String signatureAlgorithm, boolean includeAuthorityKeyIdentifier, boolean caCert, boolean timeStampingPurpose, String ocspUri, String crlUri, KeyUsage keyUsage, BigInteger serialNumber) throws IOException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, CertificateException { String finalSignatureAlgorithm = signatureAlgorithm; if (null == signatureAlgorithm) { finalSignatureAlgorithm = "SHA512WithRSAEncryption"; }// ww w . j a va 2s . com X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); certificateGenerator.reset(); certificateGenerator.setPublicKey(subjectPublicKey); certificateGenerator.setSignatureAlgorithm(finalSignatureAlgorithm); certificateGenerator.setNotBefore(notBefore.toDate()); certificateGenerator.setNotAfter(notAfter.toDate()); X509Principal issuerDN; if (null != issuerCert) { issuerDN = new X509Principal(issuerCert.getSubjectX500Principal().getName()); } else { issuerDN = new X509Principal(subjectDn); } certificateGenerator.setIssuerDN(issuerDN); certificateGenerator.setSubjectDN(new X509Principal(subjectDn)); certificateGenerator.setSerialNumber(serialNumber); certificateGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(subjectPublicKey)); PublicKey issuerPublicKey; if (null != issuerCert) { issuerPublicKey = issuerCert.getPublicKey(); } else { issuerPublicKey = subjectPublicKey; } if (includeAuthorityKeyIdentifier) { certificateGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, false, createAuthorityKeyId(issuerPublicKey)); } certificateGenerator.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(caCert)); if (timeStampingPurpose) { certificateGenerator.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping)); } if (null != ocspUri) { GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, ocspUri); AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess( X509ObjectIdentifiers.ocspAccessMethod, ocspName); certificateGenerator.addExtension(X509Extensions.AuthorityInfoAccess.getId(), false, authorityInformationAccess); } if (null != crlUri) { GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(crlUri)); GeneralNames gns = new GeneralNames(gn); DistributionPointName dpn = new DistributionPointName(0, gns); DistributionPoint distp = new DistributionPoint(dpn, null, null); certificateGenerator.addExtension(X509Extensions.CRLDistributionPoints, false, new DERSequence(distp)); } if (null != keyUsage) { certificateGenerator.addExtension(X509Extensions.KeyUsage, true, keyUsage); } return certificateGenerator.generate(issuerPrivateKey); // /* // * Make sure the default certificate provider is active. // */ // CertificateFactory certificateFactory = CertificateFactory // .getInstance("X.509"); // certificate = (X509Certificate) certificateFactory // .generateCertificate(new ByteArrayInputStream(certificate // .getEncoded())); // // return certificate; }
From source file:test.unit.be.fedict.eid.dss.spi.utils.PkiTestUtils.java
License:Open Source License
static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn, DateTime notBefore, DateTime notAfter, X509Certificate issuerCertificate, PrivateKey issuerPrivateKey, boolean caFlag, int pathLength, String crlUri, String ocspUri, KeyUsage keyUsage, boolean tsa) throws IOException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, CertificateException { String signatureAlgorithm = "SHA1withRSA"; X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); certificateGenerator.reset();/*from ww w.j a v a 2 s. co m*/ certificateGenerator.setPublicKey(subjectPublicKey); certificateGenerator.setSignatureAlgorithm(signatureAlgorithm); certificateGenerator.setNotBefore(notBefore.toDate()); certificateGenerator.setNotAfter(notAfter.toDate()); X509Principal issuerDN; if (null != issuerCertificate) { issuerDN = new X509Principal(issuerCertificate.getSubjectX500Principal().toString()); } else { issuerDN = new X509Principal(subjectDn); } certificateGenerator.setIssuerDN(issuerDN); certificateGenerator.setSubjectDN(new X509Principal(subjectDn)); certificateGenerator.setSerialNumber(new BigInteger(128, new SecureRandom())); certificateGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(subjectPublicKey)); PublicKey issuerPublicKey; issuerPublicKey = subjectPublicKey; certificateGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, false, createAuthorityKeyId(issuerPublicKey)); if (caFlag) { if (-1 == pathLength) { certificateGenerator.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true)); } else { certificateGenerator.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(pathLength)); } } if (null != crlUri) { GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(crlUri)); //GeneralNames gns = new GeneralNames(new DERSequence(gn)); //DistributionPointName dpn = new DistributionPointName(0, gns); DistributionPointName dpn = new DistributionPointName(0, gn); DistributionPoint distp = new DistributionPoint(dpn, null, null); certificateGenerator.addExtension(X509Extensions.CRLDistributionPoints, false, new DERSequence(distp)); } if (null != ocspUri) { GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, ocspUri); AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess( X509ObjectIdentifiers.ocspAccessMethod, ocspName); certificateGenerator.addExtension(X509Extensions.AuthorityInfoAccess.getId(), false, authorityInformationAccess); } if (null != keyUsage) { certificateGenerator.addExtension(X509Extensions.KeyUsage, true, keyUsage); } if (tsa) { certificateGenerator.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping)); } X509Certificate certificate; certificate = certificateGenerator.generate(issuerPrivateKey); /* * Next certificate factory trick is needed to make sure that the * certificate delivered to the caller is provided by the default * security provider instead of BouncyCastle. If we don't do this trick * we might run into trouble when trying to use the CertPath validator. */ CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); certificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(certificate.getEncoded())); return certificate; }
From source file:test.unit.be.fedict.eid.tsl.TrustTestUtils.java
License:Open Source License
public static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn, DateTime notBefore, DateTime notAfter, X509Certificate issuerCertificate, PrivateKey issuerPrivateKey, boolean caFlag, int pathLength, String crlUri, String ocspUri, KeyUsage keyUsage) throws IOException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, CertificateException { String signatureAlgorithm = "SHA1withRSA"; X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); certificateGenerator.reset();/*from w ww. j av a2s .c o m*/ certificateGenerator.setPublicKey(subjectPublicKey); certificateGenerator.setSignatureAlgorithm(signatureAlgorithm); certificateGenerator.setNotBefore(notBefore.toDate()); certificateGenerator.setNotAfter(notAfter.toDate()); X509Principal issuerDN; if (null != issuerCertificate) { issuerDN = new X509Principal(issuerCertificate.getSubjectX500Principal().toString()); } else { issuerDN = new X509Principal(subjectDn); } certificateGenerator.setIssuerDN(issuerDN); certificateGenerator.setSubjectDN(new X509Principal(subjectDn)); certificateGenerator.setSerialNumber(new BigInteger(128, new SecureRandom())); certificateGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(subjectPublicKey)); PublicKey issuerPublicKey; issuerPublicKey = subjectPublicKey; certificateGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, false, createAuthorityKeyId(issuerPublicKey)); if (caFlag) { if (-1 == pathLength) { certificateGenerator.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true)); } else { certificateGenerator.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(pathLength)); } } if (null != crlUri) { GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(crlUri)); GeneralNames gns = new GeneralNames(new DERSequence(gn)); DistributionPointName dpn = new DistributionPointName(0, gns); DistributionPoint distp = new DistributionPoint(dpn, null, null); certificateGenerator.addExtension(X509Extensions.CRLDistributionPoints, false, new DERSequence(distp)); } if (null != ocspUri) { GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, ocspUri); AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess( X509ObjectIdentifiers.ocspAccessMethod, ocspName); certificateGenerator.addExtension(X509Extensions.AuthorityInfoAccess.getId(), false, authorityInformationAccess); } if (null != keyUsage) { certificateGenerator.addExtension(X509Extensions.KeyUsage, true, keyUsage); } X509Certificate certificate; certificate = certificateGenerator.generate(issuerPrivateKey); /* * Next certificate factory trick is needed to make sure that the * certificate delivered to the caller is provided by the default * security provider instead of BouncyCastle. If we don't do this trick * we might run into trouble when trying to use the CertPath validator. */ CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); certificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(certificate.getEncoded())); return certificate; }
From source file:test.unit.be.fedict.trust.TrustTestUtils.java
License:Open Source License
@SuppressWarnings("deprecation") public static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn, DateTime notBefore, DateTime notAfter, X509Certificate issuerCertificate, PrivateKey issuerPrivateKey, boolean caFlag, int pathLength, String crlUri, String ocspUri, KeyUsage keyUsage, String signatureAlgorithm, boolean tsa, boolean includeSKID, boolean includeAKID, PublicKey akidPublicKey, String certificatePolicy, Boolean qcCompliance, boolean ocspResponder) throws IOException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, CertificateException { X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); certificateGenerator.reset();// w ww . jav a 2 s . c o m certificateGenerator.setPublicKey(subjectPublicKey); certificateGenerator.setSignatureAlgorithm(signatureAlgorithm); certificateGenerator.setNotBefore(notBefore.toDate()); certificateGenerator.setNotAfter(notAfter.toDate()); X509Principal issuerDN; if (null != issuerCertificate) { issuerDN = new X509Principal(issuerCertificate.getSubjectX500Principal().toString()); } else { issuerDN = new X509Principal(subjectDn); } certificateGenerator.setIssuerDN(issuerDN); certificateGenerator.setSubjectDN(new X509Principal(subjectDn)); certificateGenerator.setSerialNumber(new BigInteger(128, new SecureRandom())); if (includeSKID) { certificateGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(subjectPublicKey)); } if (includeAKID) { PublicKey issuerPublicKey; if (null != akidPublicKey) { issuerPublicKey = akidPublicKey; } else if (null != issuerCertificate) { issuerPublicKey = issuerCertificate.getPublicKey(); } else { issuerPublicKey = subjectPublicKey; } certificateGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, false, createAuthorityKeyId(issuerPublicKey)); } if (caFlag) { if (-1 == pathLength) { certificateGenerator.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true)); } else { certificateGenerator.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(pathLength)); } } if (null != crlUri) { GeneralName gn = new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String(crlUri)); GeneralNames gns = new GeneralNames(gn); DistributionPointName dpn = new DistributionPointName(0, gns); DistributionPoint distp = new DistributionPoint(dpn, null, null); certificateGenerator.addExtension(X509Extensions.CRLDistributionPoints, false, new DERSequence(distp)); } if (null != ocspUri) { GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, ocspUri); AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess( X509ObjectIdentifiers.ocspAccessMethod, ocspName); certificateGenerator.addExtension(X509Extensions.AuthorityInfoAccess.getId(), false, authorityInformationAccess); } if (null != keyUsage) { certificateGenerator.addExtension(X509Extensions.KeyUsage, true, keyUsage); } if (null != qcCompliance) { ASN1EncodableVector vec = new ASN1EncodableVector(); if (qcCompliance) { vec.add(new QCStatement(QCStatement.id_etsi_qcs_QcCompliance)); } else { vec.add(new QCStatement(QCStatement.id_etsi_qcs_RetentionPeriod)); } certificateGenerator.addExtension(X509Extensions.QCStatements, true, new DERSequence(vec)); } if (tsa) { certificateGenerator.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping)); } if (ocspResponder) { certificateGenerator.addExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck, false, new DERNull()); certificateGenerator.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_OCSPSigning)); } X509Certificate certificate; certificate = certificateGenerator.generate(issuerPrivateKey); /* * Next certificate factory trick is needed to make sure that the * certificate delivered to the caller is provided by the default * security provider instead of BouncyCastle. If we don't do this trick * we might run into trouble when trying to use the CertPath validator. */ CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); certificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(certificate.getEncoded())); return certificate; }