From source file:com.integralblue.httpresponsecache.compat.java.security.TestKeyStore.java
License:Apache License
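/**
 * Builds a self-contained X.509 v3 test certificate with Bouncy Castle and signs it with
 * {@code privateKey}.
 * <p>
 * Validity runs from one day before to one day after the current time; the serial number is
 * always 1. RFC 5280 requires serials to be unique per issuer, so certificates from this
 * method are only usable as test fixtures.
 *
 * @param publicKey                public key placed in the certificate
 * @param privateKey               signing key; its algorithm selects the signature algorithm
 * @param subject                  subject DN
 * @param issuer                   issuer DN
 * @param keyUsage                 KeyUsage bits; {@code 0} omits the extension
 * @param ca                       when {@code true}, a critical {@code BasicConstraints(cA=true)} is added
 * @param subjectAltNames          names for one SubjectAlternativeName extension; empty or {@code null} omits it
 * @param permittedNameConstraints permitted subtrees of the NameConstraints extension
 * @param excludedNameConstraints  excluded subtrees of the NameConstraints extension
 * @return the generated certificate (re-parsed through the platform CertificateFactory on the RI)
 * @throws IllegalArgumentException for a key algorithm other than RSA, DSA, EC or EC_RSA
 * @throws Exception                on any key, provider or encoding failure
 */
private static X509Certificate createCertificate(PublicKey publicKey, PrivateKey privateKey,
        X500Principal subject, X500Principal issuer, int keyUsage, boolean ca,
        List<GeneralName> subjectAltNames, Vector<GeneralSubtree> permittedNameConstraints,
        Vector<GeneralSubtree> excludedNameConstraints) throws Exception {
    // java.* / javax.* offer no API for building a certificate: CertificateFactory only parses
    // already-encoded (DER, optionally PEM) certificates. Bouncy Castle's
    // X509V3CertificateGenerator is used instead.
    long millisPerDay = 24L * 60 * 60 * 1000;
    long now = System.currentTimeMillis();
    // Yesterday .. tomorrow, so the certificate is "currently valid" on clocks that disagree
    // with this one by less than a day.
    Date start = new Date(now - millisPerDay);
    Date end = new Date(now + millisPerDay);
    BigInteger serial = BigInteger.valueOf(1);

    String keyAlgorithm = privateKey.getAlgorithm();
    String signatureAlgorithm = signatureAlgorithmFor(keyAlgorithm);

    X509V3CertificateGenerator x509cg = new X509V3CertificateGenerator();
    x509cg.setSubjectDN(subject);
    x509cg.setIssuerDN(issuer);
    x509cg.setNotBefore(start);
    x509cg.setNotAfter(end);
    x509cg.setPublicKey(publicKey);
    x509cg.setSignatureAlgorithm(signatureAlgorithm);
    x509cg.setSerialNumber(serial);

    if (keyUsage != 0) {
        x509cg.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(keyUsage));
    }
    if (ca) {
        x509cg.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
    }
    // An extension OID may occur only once per certificate (BC's generator rejects a second
    // addExtension for the same OID), so every name goes into a single GeneralNames SEQUENCE.
    if (subjectAltNames != null && !subjectAltNames.isEmpty()) {
        org.bouncycastle.asn1.ASN1EncodableVector names = new org.bouncycastle.asn1.ASN1EncodableVector();
        for (GeneralName subjectAltName : subjectAltNames) {
            names.add(subjectAltName);
        }
        GeneralNames altNames = GeneralNames.getInstance(new org.bouncycastle.asn1.DERSequence(names));
        x509cg.addExtension(X509Extensions.SubjectAlternativeName, false, altNames.getEncoded());
    }
    if (!permittedNameConstraints.isEmpty() || !excludedNameConstraints.isEmpty()) {
        // Critical, as RFC 5280 4.2.1.10 requires of conforming CAs.
        x509cg.addExtension(X509Extensions.NameConstraints, true,
                new NameConstraints(permittedNameConstraints, excludedNameConstraints));
    }

    if (privateKey instanceof ECPrivateKey) {
        // Bouncy Castle's generator needs its own ECPrivateKey implementation, so re-import
        // the key through the BC provider.
        KeyFactory kf = KeyFactory.getInstance(keyAlgorithm, "BC");
        PKCS8EncodedKeySpec ks = new PKCS8EncodedKeySpec(privateKey.getEncoded());
        privateKey = kf.generatePrivate(ks);
    }
    X509Certificate x509c = x509cg.generateX509Certificate(privateKey);

    if (StandardNames.IS_RI) {
        // The RI does not accept BC's EC signature algorithm string ("ECDSA" instead of
        // "...WITHEC..."), so convert to the RI's X509Certificate implementation by
        // re-parsing the DER bytes.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        ByteArrayInputStream bais = new ByteArrayInputStream(x509c.getEncoded());
        x509c = (X509Certificate) cf.generateCertificate(bais);
    }
    return x509c;
}

/**
 * Maps a JCA key algorithm name to the signature algorithm used to sign the certificate.
 * <p>
 * All variants use SHA-1, which is deprecated for signing. It is retained here only because
 * these certificates are test fixtures; production code should sign with SHA-256 or stronger.
 *
 * @param keyAlgorithm value of {@code PrivateKey.getAlgorithm()}
 * @return Bouncy Castle signature algorithm name
 * @throws IllegalArgumentException for an unsupported key algorithm
 */
private static String signatureAlgorithmFor(String keyAlgorithm) {
    if (keyAlgorithm.equals("RSA")) {
        return "sha1WithRSA";
    }
    if (keyAlgorithm.equals("DSA")) {
        return "sha1WithDSA";
    }
    if (keyAlgorithm.equals("EC")) {
        return "sha1WithECDSA";
    }
    if (keyAlgorithm.equals("EC_RSA")) {
        return "sha1WithRSA";
    }
    throw new IllegalArgumentException("Unknown key algorithm " + keyAlgorithm);
}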
From source file:com.otterca.common.crypto.X509CertificateBuilderImpl.java
License:Apache License
/** * Set Name Constraints (RFC3280 4.2.1.11) */// w ww.j a v a 2s .com protected void setNameConstraints() { // FIXME: add constraints inherited from parent? if (!permittedNames.isEmpty() || !excludedNames.isEmpty()) { // convert permitted names. Vector<org.bouncycastle.asn1.x509.GeneralSubtree> permitted = new Vector<org.bouncycastle.asn1.x509.GeneralSubtree>(); for (int i = 0; i < permittedNames.size(); i++) { GeneralSubtree g = permittedNames.get(i); GeneralName name = new GeneralName(new X500Name(g.getName().getName())); permitted.add(new org.bouncycastle.asn1.x509.GeneralSubtree(name, g.getMin(), g.getMax())); } // convert excluded names. Vector<org.bouncycastle.asn1.x509.GeneralSubtree> excluded = new Vector<org.bouncycastle.asn1.x509.GeneralSubtree>(); for (int i = 0; i < excludedNames.size(); i++) { GeneralSubtree g = excludedNames.get(i); GeneralName name = new GeneralName(new X500Name(g.getName().getName())); excluded.add(new org.bouncycastle.asn1.x509.GeneralSubtree(name, g.getMin(), g.getMax())); } generator.addExtension(X509Extensions.NameConstraints, false, new NameConstraints(permitted, excluded)); } }
From source file:gov.nih.nci.cacis.nav.ValidateSignedMail.java
License:BSD License
/**
 * Wraps {@code cert} as a {@link TrustAnchor}, attaching the certificate's own
 * NameConstraints extension (unwrapped from its OCTET STRING, DER encoded) when present.
 *
 * @param cert the anchor certificate, may be {@code null}
 * @return the trust anchor, or {@code null} when {@code cert} is {@code null}
 * @throws IOException if the NameConstraints extension value cannot be decoded
 */
private static TrustAnchor getTrustAnchor(X509Certificate cert) throws IOException {
    if (cert == null) {
        return null;
    }
    byte[] nameConstraints = null;
    final byte[] encoded = cert.getExtensionValue(X509Extensions.NameConstraints.getId());
    if (encoded != null) {
        // getExtensionValue() hands back the OCTET STRING wrapper; TrustAnchor wants the bare
        // DER NameConstraints, so unwrap before re-encoding.
        nameConstraints = X509ExtensionUtil.fromExtensionValue(encoded).getDEREncoded();
    }
    return new TrustAnchor(cert, nameConstraints);
}
From source file:org.mailster.core.crypto.CertificateUtilities.java
License:Open Source License
/**
 * Loads the certificate stored in {@code trustCertFileName} and wraps it as a
 * {@link TrustAnchor}, attaching the certificate's own NameConstraints extension (unwrapped
 * from its OCTET STRING, DER encoded) when it has one.
 *
 * @param trustCertFileName file the anchor certificate is loaded from
 * @return the trust anchor, or {@code null} when {@code loadCertificate} returns {@code null}
 * @throws Exception if the certificate cannot be loaded or the extension cannot be decoded
 */
protected static TrustAnchor loadTrustAnchor(String trustCertFileName) throws Exception {
    X509Certificate anchorCert = CertificateUtilities.loadCertificate(trustCertFileName);
    if (anchorCert == null) {
        return null;
    }
    byte[] constraints = null;
    byte[] extensionValue = anchorCert.getExtensionValue(X509Extensions.NameConstraints.getId());
    if (extensionValue != null) {
        // Strip the OCTET STRING wrapper returned by getExtensionValue(); TrustAnchor expects
        // the bare DER NameConstraints.
        constraints = X509ExtensionUtil.fromExtensionValue(extensionValue).getDEREncoded();
    }
    return new TrustAnchor(anchorCert, constraints);
}
From source file:org.qipki.crypto.x509.X509ExtensionsReaderImpl.java
License:Open Source License
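/**
 * Reads the NameConstraints extension of {@code cert}.
 *
 * @param cert certificate to inspect
 * @return the decoded extension, or {@code null} when the certificate carries none
 * @throws CryptoFailure if the extension is present but cannot be decoded
 */
@Override
public NameConstraints getNameConstraints(X509Certificate cert) {
    try {
        byte[] value = cert.getExtensionValue(X509Extensions.NameConstraints.getId());
        if (value == null) {
            return null;
        }
        // X509Certificate.getExtensionValue() returns the DER-encoded OCTET STRING that wraps
        // the extension. Parsing those bytes yields an octet string, not the NameConstraints
        // SEQUENCE, so unwrap the OCTET STRING content before parsing the sequence.
        byte[] inner = org.bouncycastle.asn1.ASN1OctetString
                .getInstance(ASN1Object.fromByteArray(value)).getOctets();
        return new NameConstraints(ASN1Sequence.getInstance(ASN1Object.fromByteArray(inner)));
    } catch (IOException ex) {
        throw new CryptoFailure("Unable to extract NameConstraints from X509Certificate extensions", ex);
    } catch (IllegalArgumentException ex) {
        // Thrown by the getInstance() calls when the encoded structure is not the expected type.
        throw new CryptoFailure("Unable to extract NameConstraints from X509Certificate extensions", ex);
    }
}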