Example usage for org.bouncycastle.asn1.x509 X509Extensions NameConstraints

List of usage examples for org.bouncycastle.asn1.x509 X509Extensions NameConstraints

Introduction

On this page you can find example usage for org.bouncycastle.asn1.x509 X509Extensions NameConstraints.

Prototype

ASN1ObjectIdentifier NameConstraints

To view the source code for org.bouncycastle.asn1.x509 X509Extensions NameConstraints.


Document

Name Constraints

Usage

From source file:com.integralblue.httpresponsecache.compat.java.security.TestKeyStore.java

License:Apache License

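/**
 * Builds an X.509 v3 test certificate with Bouncy Castle's {@code X509V3CertificateGenerator}.
 *
 * <p>The certificate is valid from one day before until one day after the moment of creation and
 * always carries serial number 1; both are only acceptable because these certificates are
 * throwaway test material.
 *
 * @param publicKey                the key to certify
 * @param privateKey               the signing key; its algorithm selects the signature algorithm
 * @param subject                  subject distinguished name
 * @param issuer                   issuer distinguished name
 * @param keyUsage                 KeyUsage bit mask; {@code 0} omits the extension
 * @param ca                       whether to add a critical {@code BasicConstraints cA=true}
 * @param subjectAltNames          names for the SubjectAlternativeName extension; an empty list omits it
 * @param permittedNameConstraints permitted subtrees for the NameConstraints extension
 * @param excludedNameConstraints  excluded subtrees for the NameConstraints extension; the extension is
 *                                 omitted when both vectors are empty
 * @return the generated certificate (an RI implementation when running on the RI)
 * @throws IllegalArgumentException if the private key algorithm is not RSA, DSA, EC or EC_RSA
 * @throws Exception                on any Bouncy Castle or JCA failure
 */
private static X509Certificate createCertificate(PublicKey publicKey, PrivateKey privateKey,
        X500Principal subject, X500Principal issuer, int keyUsage, boolean ca,
        List<GeneralName> subjectAltNames, Vector<GeneralSubtree> permittedNameConstraints,
        Vector<GeneralSubtree> excludedNameConstraints) throws Exception {
    // Note that there is no way to programmatically make a
    // Certificate using java.* or javax.* APIs. The
    // CertificateFactory interface assumes you want to read
    // in a stream of bytes, typically the X.509 factory would
    // allow ASN.1 DER encoded bytes and optionally some PEM
    // formats. Here we use Bouncy Castle's
    // X509V3CertificateGenerator and related classes.

    long millisPerDay = 24 * 60 * 60 * 1000;
    long now = System.currentTimeMillis();
    Date start = new Date(now - millisPerDay);
    Date end = new Date(now + millisPerDay);
    BigInteger serial = BigInteger.valueOf(1);

    // NOTE(review): SHA-1 signature algorithms are kept because the RI conversion below depends on
    // the exact algorithm strings; they are acceptable only for throwaway test certificates, never
    // for anything a real peer will validate.
    String keyAlgorithm = privateKey.getAlgorithm();
    String signatureAlgorithm;
    if (keyAlgorithm.equals("RSA")) {
        signatureAlgorithm = "sha1WithRSA";
    } else if (keyAlgorithm.equals("DSA")) {
        signatureAlgorithm = "sha1WithDSA";
    } else if (keyAlgorithm.equals("EC")) {
        signatureAlgorithm = "sha1WithECDSA";
    } else if (keyAlgorithm.equals("EC_RSA")) {
        signatureAlgorithm = "sha1WithRSA";
    } else {
        throw new IllegalArgumentException("Unknown key algorithm " + keyAlgorithm);
    }

    X509V3CertificateGenerator x509cg = new X509V3CertificateGenerator();
    x509cg.setSubjectDN(subject);
    x509cg.setIssuerDN(issuer);
    x509cg.setNotBefore(start);
    x509cg.setNotAfter(end);
    x509cg.setPublicKey(publicKey);
    x509cg.setSignatureAlgorithm(signatureAlgorithm);
    x509cg.setSerialNumber(serial);
    if (keyUsage != 0) {
        x509cg.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(keyUsage));
    }
    if (ca) {
        x509cg.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
    }
    // An extension OID may appear at most once in a certificate (RFC 5280 4.2), so every
    // subject alternative name goes into a single GeneralNames value. Adding the extension once
    // per name either overwrites the earlier names or is rejected by the extension generator,
    // depending on the Bouncy Castle version.
    if (!subjectAltNames.isEmpty()) {
        GeneralName[] names = subjectAltNames.toArray(new GeneralName[subjectAltNames.size()]);
        x509cg.addExtension(X509Extensions.SubjectAlternativeName, false,
                new GeneralNames(names).getEncoded());
    }
    // NameConstraints must be critical (RFC 5280 4.2.1.10).
    if (!permittedNameConstraints.isEmpty() || !excludedNameConstraints.isEmpty()) {
        x509cg.addExtension(X509Extensions.NameConstraints, true,
                new NameConstraints(permittedNameConstraints, excludedNameConstraints));
    }

    if (privateKey instanceof ECPrivateKey) {
        /*
         * bouncycastle needs its own ECPrivateKey implementation
         */
        KeyFactory kf = KeyFactory.getInstance(keyAlgorithm, "BC");
        PKCS8EncodedKeySpec ks = new PKCS8EncodedKeySpec(privateKey.getEncoded());
        privateKey = kf.generatePrivate(ks);
    }
    X509Certificate x509c = x509cg.generateX509Certificate(privateKey);
    if (StandardNames.IS_RI) {
        /*
         * The RI can't handle the BC EC signature algorithm
         * string of "ECDSA", since it expects "...WITHEC...",
         * so convert from BC to RI X509Certificate
         * implementation via bytes.
         */
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        ByteArrayInputStream bais = new ByteArrayInputStream(x509c.getEncoded());
        Certificate c = cf.generateCertificate(bais);
        x509c = (X509Certificate) c;
    }
    return x509c;
}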

From source file:com.otterca.common.crypto.X509CertificateBuilderImpl.java

License:Apache License

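/**
 * Set Name Constraints (RFC3280 4.2.1.11).
 *
 * <p>The extension is added only when at least one permitted or excluded subtree has been
 * configured. Every configured {@code GeneralSubtree} is converted to its Bouncy Castle
 * counterpart as a directoryName, carrying over its minimum and maximum.
 *
 * <p>The extension is marked critical: RFC 3280 4.2.1.11 requires conforming CAs to do so,
 * and a validator that ignores a non-critical NameConstraints extension would accept
 * certificates the constrained CA was never allowed to issue.
 */
protected void setNameConstraints() {
    // FIXME: add constraints inherited from parent?
    if (permittedNames.isEmpty() && excludedNames.isEmpty()) {
        return;
    }

    Vector<org.bouncycastle.asn1.x509.GeneralSubtree> permitted = new Vector<org.bouncycastle.asn1.x509.GeneralSubtree>();
    for (GeneralSubtree subtree : permittedNames) {
        permitted.add(toBcGeneralSubtree(subtree));
    }

    Vector<org.bouncycastle.asn1.x509.GeneralSubtree> excluded = new Vector<org.bouncycastle.asn1.x509.GeneralSubtree>();
    for (GeneralSubtree subtree : excludedNames) {
        excluded.add(toBcGeneralSubtree(subtree));
    }

    generator.addExtension(X509Extensions.NameConstraints, true, new NameConstraints(permitted, excluded));
}

/**
 * Converts one configured subtree into the Bouncy Castle ASN.1 representation.
 *
 * @param subtree configured subtree whose name is interpreted as a directoryName
 * @return the equivalent Bouncy Castle subtree with the same minimum and maximum
 */
private static org.bouncycastle.asn1.x509.GeneralSubtree toBcGeneralSubtree(GeneralSubtree subtree) {
    GeneralName name = new GeneralName(new X500Name(subtree.getName().getName()));
    return new org.bouncycastle.asn1.x509.GeneralSubtree(name, subtree.getMin(), subtree.getMax());
}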

From source file:gov.nih.nci.cacis.nav.ValidateSignedMail.java

License:BSD License

/**
 * Wraps a certificate as a trust anchor, carrying over its NameConstraints extension if present.
 *
 * @param cert the trusted certificate; may be {@code null}
 * @return a trust anchor whose name constraints are the DER encoding of the certificate's
 *         NameConstraints extension (or {@code null} when the certificate has none), or
 *         {@code null} when {@code cert} is {@code null}
 * @throws IOException if the extension value cannot be decoded
 */
private static TrustAnchor getTrustAnchor(X509Certificate cert) throws IOException {
    if (cert == null) {
        return null;
    }
    final byte[] encodedConstraints = cert.getExtensionValue(X509Extensions.NameConstraints.getId());
    if (encodedConstraints == null) {
        return new TrustAnchor(cert, null);
    }
    // Unwrap the extnValue OCTET STRING before re-encoding the inner NameConstraints for the anchor.
    final ASN1Encodable constraints = X509ExtensionUtil.fromExtensionValue(encodedConstraints);
    return new TrustAnchor(cert, constraints.getDEREncoded());
}

From source file:org.mailster.core.crypto.CertificateUtilities.java

License:Open Source License

/**
 * Loads a certificate from a file and wraps it as a trust anchor.
 *
 * <p>If the certificate carries a NameConstraints extension, its DER encoding becomes the
 * anchor's name constraints; otherwise the anchor has none.
 *
 * @param trustCertFileName path of the certificate file handed to {@code loadCertificate}
 * @return the trust anchor, or {@code null} when no certificate could be loaded
 * @throws Exception if the certificate cannot be loaded or its extension cannot be decoded
 */
protected static TrustAnchor loadTrustAnchor(String trustCertFileName) throws Exception {
    X509Certificate trusted = CertificateUtilities.loadCertificate(trustCertFileName);
    if (trusted == null) {
        return null;
    }

    byte[] encodedConstraints = trusted.getExtensionValue(X509Extensions.NameConstraints.getId());
    if (encodedConstraints == null) {
        return new TrustAnchor(trusted, null);
    }

    // Unwrap the extnValue OCTET STRING before re-encoding the inner NameConstraints for the anchor.
    ASN1Encodable constraints = X509ExtensionUtil.fromExtensionValue(encodedConstraints);
    return new TrustAnchor(trusted, constraints.getDEREncoded());
}

From source file:org.qipki.crypto.x509.X509ExtensionsReaderImpl.java

License:Open Source License

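/**
 * Reads the NameConstraints extension of a certificate.
 *
 * @param cert certificate to inspect
 * @return the decoded extension, or {@code null} when the certificate carries none
 * @throws CryptoFailure if the extension value is present but cannot be decoded
 */
@Override
public NameConstraints getNameConstraints(X509Certificate cert) {
    try {
        byte[] value = cert.getExtensionValue(X509Extensions.NameConstraints.getId());
        if (value == null) {
            return null;
        }
        // X509Certificate.getExtensionValue() returns the DER encoding of the extnValue
        // OCTET STRING, not the NameConstraints SEQUENCE itself. The outer octet string has
        // to be unwrapped first; decoding the raw bytes straight to a SEQUENCE fails with a
        // ClassCastException on every certificate that has the extension.
        org.bouncycastle.asn1.ASN1OctetString wrapper =
                (org.bouncycastle.asn1.ASN1OctetString) ASN1Object.fromByteArray(value);
        return new NameConstraints((ASN1Sequence) ASN1Object.fromByteArray(wrapper.getOctets()));
    } catch (IOException ex) {
        throw new CryptoFailure("Unable to extract NameConstraints from X509Certificate extensions", ex);
    } catch (ClassCastException ex) {
        // Malformed or unexpected encoding: report it the same way as an undecodable value.
        throw new CryptoFailure("Unable to extract NameConstraints from X509Certificate extensions", ex);
    }
}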