List of usage examples for org.bouncycastle.asn1.x509 X509Extensions X509Extensions
public X509Extensions(Vector objectIDs, Vector values)
From source file:io.aos.crypto.spl07.OCSPResponderExample.java
License:Apache License
public static OCSPResp generateOCSPResponse(OCSPReq request, PrivateKey responderKey, PublicKey pubKey, CertificateID revokedID) throws NoSuchProviderException, OCSPException { BasicOCSPRespGenerator basicRespGen = new BasicOCSPRespGenerator(pubKey); X509Extensions reqExtensions = request.getRequestExtensions(); if (reqExtensions != null) { X509Extension ext = reqExtensions.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); if (ext != null) { Vector oids = new Vector(); Vector values = new Vector(); oids.add(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); values.add(ext);//from w w w . ja v a 2s. com basicRespGen.setResponseExtensions(new X509Extensions(oids, values)); } } Req[] requests = request.getRequestList(); for (int i = 0; i != requests.length; i++) { CertificateID certID = requests[i].getCertID(); // this would normally be a lot more general! if (certID.equals(revokedID)) { basicRespGen.addResponse(certID, new RevokedStatus(new Date(), CRLReason.privilegeWithdrawn)); } else { basicRespGen.addResponse(certID, CertificateStatus.GOOD); } } BasicOCSPResp basicResp = basicRespGen.generate("SHA256WithRSA", responderKey, null, new Date(), "BC"); OCSPRespGenerator respGen = new OCSPRespGenerator(); return respGen.generate(OCSPRespGenerator.SUCCESSFUL, basicResp); }
From source file:net.sf.dsig.verify.OCSPHelper.java
License:Apache License
/** * Check with OCSP protocol whether a certificate is valid * //from ww w . jav a 2 s .co m * @param certificate an {@link X509Certificate} object * @return true if the certificate is valid; false otherwise * @throws NetworkAccessException when any network access issues occur * @throws VerificationException when an OCSP related error occurs */ public boolean isValid(X509Certificate certificate) throws NetworkAccessException, VerificationException { PostMethod post = null; try { CertificateID cid = new CertificateID(CertificateID.HASH_SHA1, caCertificate, certificate.getSerialNumber()); OCSPReqGenerator gen = new OCSPReqGenerator(); gen.addRequest(cid); // Nonce BigInteger nonce = BigInteger.valueOf(System.currentTimeMillis()); Vector oids = new Vector(); Vector values = new Vector(); oids.add(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); values.add(new X509Extension(false, new DEROctetString(nonce.toByteArray()))); values.add(new X509Extension(false, new DEROctetString(new BigInteger("041063FAB2B54CF1ED014F9DF7C70AACE575", 16).toByteArray()))); gen.setRequestExtensions(new X509Extensions(oids, values)); // Requestor name - not really required, but added for completeness // gen.setRequestorName( // new GeneralName( // new X509Name( // certificate.getSubjectX500Principal().getName()))); logger.debug("Generating OCSP request" + "; serialNumber=" + certificate.getSerialNumber().toString(16) + ", nonce=" + nonce.toString(16) + ", caCertificate.subjectName=" + caCertificate.getSubjectX500Principal().getName()); // TODO Need to call the generate(...) method, that signs the // request. Which means, need to have a keypair for that, too OCSPReq req = gen.generate(); // First try finding the OCSP access location in the X.509 certificate String uriAsString = getOCSPAccessLocationUri(certificate); // If not found, try falling back to the default if (uriAsString == null) { uriAsString = defaultOcspAccessLocation; } // If still null, bail out if (uriAsString == null) { throw new ConfigurationException( "OCSP AccessLocation not found on certificate, and no default set"); } HostConfiguration config = getHostConfiguration(); post = new PostMethod(uriAsString); post.setRequestHeader("Content-Type", "application/ocsp-request"); post.setRequestHeader("Accept", "application/ocsp-response"); post.setRequestEntity(new ByteArrayRequestEntity(req.getEncoded())); getHttpClient().executeMethod(config, post); logger.debug("HTTP POST executed" + "; authorityInfoAccessUri=" + uriAsString + ", statusLine=" + post.getStatusLine()); if (post.getStatusCode() != HttpStatus.SC_OK) { throw new NetworkAccessException("HTTP GET failed; statusLine=" + post.getStatusLine()); } byte[] responseBodyBytes = post.getResponseBody(); OCSPResp ocspRes = new OCSPResp(responseBodyBytes); if (ocspRes.getStatus() != OCSPResponseStatus.SUCCESSFUL) { // One possible exception is the use of a wrong CA certificate throw new ConfigurationException("OCSP request failed; possibly wrong issuer/user certificate" + "; status=" + ocspRes.getStatus()); } BasicOCSPResp res = (BasicOCSPResp) ocspRes.getResponseObject(); SingleResp[] responses = res.getResponses(); SingleResp response = responses[0]; CertificateStatus status = (CertificateStatus) response.getCertStatus(); // Normal OCSP protocol allows a null status return status == null || status == CertificateStatus.GOOD; } catch (IOException e) { throw new NetworkAccessException("I/O error occured", e); } catch (OCSPException e) { throw new VerificationException("Error while following OCSP protocol", e); } finally { if (post != null) { post.releaseConnection(); } } }
From source file:org.apache.synapse.transport.certificatevalidation.ocsp.OCSPVerifier.java
License:Apache License
/** * This method generates an OCSP Request to be sent to an OCSP endpoint. * * @param issuerCert is the Certificate of the Issuer of the peer certificate we are interested in. * @param serialNumber of the peer certificate. * @return generated OCSP request.//from w w w . ja va 2s . c o m * @throws CertificateVerificationException * */ private OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) throws CertificateVerificationException { //TODO: Have to check if this is OK with synapse implementation. //Add provider BC Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); try { // CertID structure is used to uniquely identify certificates that are the subject of // an OCSP request or response and has an ASN.1 definition. CertID structure is defined in RFC 2560 CertificateID id = new CertificateID(CertificateID.HASH_SHA1, issuerCert, serialNumber); // basic request generation with nonce OCSPReqGenerator generator = new OCSPReqGenerator(); generator.addRequest(id); // create details for nonce extension. The nonce extension is used to bind // a request to a response to prevent replay attacks. As the name implies, // the nonce value is something that the client should only use once within a reasonably small period. BigInteger nonce = BigInteger.valueOf(System.currentTimeMillis()); Vector<ASN1ObjectIdentifier> objectIdentifiers = new Vector<ASN1ObjectIdentifier>(); Vector<X509Extension> values = new Vector<X509Extension>(); //to create the request Extension objectIdentifiers.add(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); values.add(new X509Extension(false, new DEROctetString(nonce.toByteArray()))); generator.setRequestExtensions(new X509Extensions(objectIdentifiers, values)); return generator.generate(); } catch (OCSPException e) { throw new CertificateVerificationException("Cannot generate OSCP Request with the given certificate", e); } }
From source file:org.apache.synapse.transport.certificatevalidation.OCSPVerifierTest.java
License:Apache License
/** * This makes the corresponding OCSP response to the OCSP request which is sent to the fake CA. If the request * has a certificateID which is marked as revoked by the CA, the OCSP response will say that the certificate * which is referred to by the request, is revoked. * * @param request the OCSP request which asks if the certificate is revoked. * @param caPrivateKey privateKey of the fake CA. * @param caPublicKey publicKey of the fake CA * @param revokedID the ID at fake CA which is checked against the certificateId in the request. * @return the created OCSP response by the fake CA. * @throws NoSuchProviderException/*from w w w.ja v a 2s . c o m*/ * @throws OCSPException */ private OCSPResp generateOCSPResponse(OCSPReq request, PrivateKey caPrivateKey, PublicKey caPublicKey, CertificateID revokedID) throws NoSuchProviderException, OCSPException { BasicOCSPRespGenerator basicOCSPRespGenerator = new BasicOCSPRespGenerator(caPublicKey); X509Extensions requestExtensions = request.getRequestExtensions(); if (requestExtensions != null) { X509Extension extension = requestExtensions.getExtension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); if (extension != null) { Vector<ASN1ObjectIdentifier> oids = new Vector<ASN1ObjectIdentifier>(); Vector<X509Extension> values = new Vector<X509Extension>(); oids.add(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); values.add(extension); basicOCSPRespGenerator.setResponseExtensions(new X509Extensions(oids, values)); } } Req[] requests = request.getRequestList(); for (Req req : requests) { CertificateID certID = req.getCertID(); if (certID.equals(revokedID)) { RevokedStatus revokedStatus = new RevokedStatus(new Date(), CRLReason.privilegeWithdrawn); Date nextUpdate = new Date(new Date().getTime() + TestConstants.NEXT_UPDATE_PERIOD); basicOCSPRespGenerator.addResponse(certID, revokedStatus, nextUpdate, null); } else { basicOCSPRespGenerator.addResponse(certID, CertificateStatus.GOOD); } } BasicOCSPResp basicResp = basicOCSPRespGenerator.generate("SHA256WithRSA", caPrivateKey, null, new Date(), "BC"); OCSPRespGenerator respGen = new OCSPRespGenerator(); return respGen.generate(OCSPRespGenerator.SUCCESSFUL, basicResp); }
From source file:org.apache.synapse.transport.utils.sslcert.ocsp.OCSPVerifier.java
License:Apache License
/** * This method generates an OCSP Request to be sent to an OCSP endpoint. * * @param issuerCert is the Certificate of the Issuer of the peer certificate we are interested in. * @param serialNumber of the peer certificate. * @return generated OCSP request./*from www . j a v a 2s . c o m*/ * @throws CertificateVerificationException */ private OCSPReq generateOCSPRequest(X509Certificate issuerCert, BigInteger serialNumber) throws CertificateVerificationException { //TODO: Have to check if this is OK with synapse implementation. //Add provider BC Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); try { // CertID structure is used to uniquely identify certificates that are the subject of // an OCSP request or response and has an ASN.1 definition. CertID structure is defined // in RFC 2560 CertificateID id = new CertificateID(CertificateID.HASH_SHA1, issuerCert, serialNumber); // basic request generation with nonce OCSPReqGenerator generator = new OCSPReqGenerator(); generator.addRequest(id); // create details for nonce extension. The nonce extension is used to bind // a request to a response to prevent replay attacks. As the name implies, // the nonce value is something that the client should only use once within a reasonably // small period. BigInteger nonce = BigInteger.valueOf(System.currentTimeMillis()); Vector<ASN1ObjectIdentifier> objectIdentifiers = new Vector<ASN1ObjectIdentifier>(); Vector<X509Extension> values = new Vector<X509Extension>(); //to create the request Extension objectIdentifiers.add(OCSPObjectIdentifiers.id_pkix_ocsp_nonce); values.add(new X509Extension(false, new DEROctetString(nonce.toByteArray()))); generator.setRequestExtensions(new X509Extensions(objectIdentifiers, values)); return generator.generate(); } catch (OCSPException e) { throw new CertificateVerificationException( "Cannot generate OCSP Request with the " + "given certificate", e); } }
From source file:org.candlepin.util.X509CRLStreamWriter.java
License:Open Source License
/** * Create an entry to be added to the CRL. * * @param serial// www . j av a 2 s. c o m * @param date * @param reason */ @SuppressWarnings({ "unchecked", "rawtypes" }) public void add(BigInteger serial, Date date, int reason) { if (locked) { throw new IllegalStateException("Cannot add to a locked stream."); } ASN1EncodableVector v = new ASN1EncodableVector(); v.add(new DERInteger(serial)); v.add(new Time(date)); CRLReason crlReason = new CRLReason(reason); Vector extOids = new Vector(); Vector extValues = new Vector(); extOids.addElement(X509Extension.reasonCode); extValues.addElement(new X509Extension(false, new DEROctetString(crlReason.getDEREncoded()))); v.add(new X509Extensions(extOids, extValues)); newEntries.add(new DERSequence(v)); }
From source file:org.ejbca.core.ejb.ca.sign.SignSessionTest.java
License:Open Source License
public void test29TestExtensionOverride() throws Exception { final String altnames = "dNSName=foo1.bar.com,dNSName=foo2.bar.com,dNSName=foo3.bar.com,dNSName=foo4.bar.com,dNSName=foo5.bar.com,dNSName=foo6.bar.com,dNSName=foo7.bar.com,dNSName=foo8.bar.com,dNSName=foo9.bar.com,dNSName=foo10.bar.com,dNSName=foo11.bar.com,dNSName=foo12.bar.com,dNSName=foo13.bar.com,dNSName=foo14.bar.com,dNSName=foo15.bar.com,dNSName=foo16.bar.com,dNSName=foo17.bar.com,dNSName=foo18.bar.com,dNSName=foo19.bar.com,dNSName=foo20.bar.com,dNSName=foo21.bar.com"; // Create a good certificate profile (good enough), using QC statement certificateProfileSession.removeCertificateProfile(admin, "TESTEXTENSIONOVERRIDE"); EndUserCertificateProfile certprof = new EndUserCertificateProfile(); // Default profile does not allow Extension override certprof.setValidity(298);//from ww w. j av a2 s . co m certificateProfileSession.addCertificateProfile(admin, "TESTEXTENSIONOVERRIDE", certprof); int cprofile = certificateProfileSession.getCertificateProfileId(admin, "TESTEXTENSIONOVERRIDE"); // Create a good end entity profile (good enough), allowing multiple UPN // names endEntityProfileSession.removeEndEntityProfile(admin, "TESTEXTENSIONOVERRIDE"); EndEntityProfile profile = new EndEntityProfile(); profile.addField(DnComponents.COUNTRY); profile.addField(DnComponents.COMMONNAME); profile.setValue(EndEntityProfile.AVAILCAS, 0, Integer.toString(SecConst.ALLCAS)); profile.setValue(EndEntityProfile.AVAILCERTPROFILES, 0, Integer.toString(cprofile)); endEntityProfileSession.addEndEntityProfile(admin, "TESTEXTENSIONOVERRIDE", profile); int eeprofile = endEntityProfileSession.getEndEntityProfileId(admin, "TESTEXTENSIONOVERRIDE"); UserDataVO user = new UserDataVO("foo", "C=SE,CN=extoverride", rsacaid, null, "foo@anatom.nu", SecConst.USER_ENDUSER, eeprofile, cprofile, SecConst.TOKEN_SOFT_PEM, 0, null); user.setPassword("foo123"); user.setStatus(UserDataConstants.STATUS_NEW); // Change a user that we know... userAdminSession.changeUser(admin, user, false); // Create a P10 with extensions, in this case altNames with a lot of DNS // names ASN1EncodableVector extensionattr = new ASN1EncodableVector(); extensionattr.add(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest); // AltNames // String[] namearray = altnames.split(","); GeneralNames san = CertTools.getGeneralNamesFromAltName(altnames); ByteArrayOutputStream extOut = new ByteArrayOutputStream(); DEROutputStream derOut = new DEROutputStream(extOut); try { derOut.writeObject(san); } catch (IOException e) { throw new IllegalArgumentException("error encoding value: " + e); } // Extension request attribute is a set of X509Extensions // ASN1EncodableVector x509extensions = new ASN1EncodableVector(); // An X509Extensions is a sequence of Extension which is a sequence of // {oid, X509Extension} // ASN1EncodableVector extvalue = new ASN1EncodableVector(); Vector<DERObjectIdentifier> oidvec = new Vector<DERObjectIdentifier>(); oidvec.add(X509Extensions.SubjectAlternativeName); Vector<X509Extension> valuevec = new Vector<X509Extension>(); valuevec.add(new X509Extension(false, new DEROctetString(extOut.toByteArray()))); X509Extensions exts = new X509Extensions(oidvec, valuevec); extensionattr.add(new DERSet(exts)); // Complete the Attribute section of the request, the set (Attributes) // contains one sequence (Attribute) ASN1EncodableVector v = new ASN1EncodableVector(); v.add(new DERSequence(extensionattr)); DERSet attributes = new DERSet(v); // Create PKCS#10 certificate request PKCS10CertificationRequest req = new PKCS10CertificationRequest("SHA1WithRSA", new X509Name("C=SE,CN=extoverride"), rsakeys.getPublic(), attributes, rsakeys.getPrivate()); ByteArrayOutputStream bOut = new ByteArrayOutputStream(); DEROutputStream dOut = new DEROutputStream(bOut); dOut.writeObject(req); dOut.close(); byte[] p10bytes = bOut.toByteArray(); // FileOutputStream fos = new FileOutputStream("/tmp/foo.der"); // fos.write(p10bytes); // fos.close(); PKCS10RequestMessage p10 = new PKCS10RequestMessage(p10bytes); p10.setUsername("foo"); p10.setPassword("foo123"); // See if the request message works... X509Extensions p10exts = p10.getRequestExtensions(); assertNotNull(p10exts); IResponseMessage resp = signSession.createCertificate(admin, p10, org.ejbca.core.protocol.X509ResponseMessage.class, null); X509Certificate cert = (X509Certificate) CertTools.getCertfromByteArray(resp.getResponseMessage()); assertNotNull("Failed to create certificate", cert); assertEquals("CN=extoverride,C=SE", cert.getSubjectDN().getName()); // check altNames, should be none Collection c = cert.getSubjectAlternativeNames(); assertNull(c); // Change so that we allow override of validity time CertificateProfile prof = certificateProfileSession.getCertificateProfile(admin, cprofile); prof.setAllowExtensionOverride(true); certificateProfileSession.changeCertificateProfile(admin, "TESTEXTENSIONOVERRIDE", prof); userAdminSession.changeUser(admin, user, false); resp = signSession.createCertificate(admin, p10, org.ejbca.core.protocol.X509ResponseMessage.class, null); cert = (X509Certificate) CertTools.getCertfromByteArray(resp.getResponseMessage()); assertNotNull("Failed to create certificate", cert); assertEquals("CN=extoverride,C=SE", cert.getSubjectDN().getName()); // check altNames, should be one altName c = cert.getSubjectAlternativeNames(); assertNotNull(c); assertEquals(21, c.size()); String retAltNames = CertTools.getSubjectAlternativeName(cert); List<String> originalNames = Arrays.asList(altnames.split(",")); List<String> returnNames = Arrays.asList(retAltNames.split(", ")); assertTrue(originalNames.containsAll(returnNames)); }
From source file:org.ejbca.extra.ra.ScepRequestGenerator.java
License:Open Source License
/** Generates a SCEP CertReq. Keys must have been set in the generator for this to succeed * //w w w .j av a 2s . c o m */ public byte[] generateCertReq(String dn, String password, X509Certificate ca) throws NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, SignatureException, IOException, CMSException, InvalidAlgorithmParameterException, CertStoreException, CertificateEncodingException, IllegalStateException { this.cacert = ca; this.reqdn = dn; // Create challenge password attribute for PKCS10 // Attributes { ATTRIBUTE:IOSet } ::= SET OF Attribute{{ IOSet }} // // Attribute { ATTRIBUTE:IOSet } ::= SEQUENCE { // type ATTRIBUTE.&id({IOSet}), // values SET SIZE(1..MAX) OF ATTRIBUTE.&Type({IOSet}{\@type}) // } ASN1EncodableVector challpwdattr = new ASN1EncodableVector(); // Challenge password attribute challpwdattr.add(PKCSObjectIdentifiers.pkcs_9_at_challengePassword); ASN1EncodableVector pwdvalues = new ASN1EncodableVector(); pwdvalues.add(new DERUTF8String(password)); challpwdattr.add(new DERSet(pwdvalues)); // Requested extensions attribute ASN1EncodableVector extensionattr = new ASN1EncodableVector(); extensionattr.add(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest); // AltNames GeneralNames san = CertTools.getGeneralNamesFromAltName("dNSName=foo.bar.com,iPAddress=10.0.0.1"); ByteArrayOutputStream bOut = new ByteArrayOutputStream(); DEROutputStream dOut = new DEROutputStream(bOut); try { dOut.writeObject(san); } catch (IOException e) { throw new IllegalArgumentException("error encoding value: " + e); } Vector oidvec = new Vector(); oidvec.add(X509Extensions.SubjectAlternativeName); Vector valuevec = new Vector(); valuevec.add(new X509Extension(false, new DEROctetString(bOut.toByteArray()))); X509Extensions exts = new X509Extensions(oidvec, valuevec); extensionattr.add(new DERSet(exts)); // Complete the Attribute section of the request, the set (Attributes) contains two sequences (Attribute) ASN1EncodableVector v = new ASN1EncodableVector(); v.add(new DERSequence(challpwdattr)); v.add(new DERSequence(extensionattr)); DERSet attributes = new DERSet(v); // Create PKCS#10 certificate request p10request = new PKCS10CertificationRequest("SHA1WithRSA", CertTools.stringToBcX509Name(reqdn), keys.getPublic(), attributes, keys.getPrivate()); // Create self signed cert, validity 1 day cert = CertTools.genSelfCert(reqdn, 24 * 60 * 60 * 1000, null, keys.getPrivate(), keys.getPublic(), AlgorithmConstants.SIGALG_SHA1_WITH_RSA, false); // wrap message in pkcs#7 byte[] msg = wrap(p10request.getEncoded(), "19"); return msg; }
From source file:org.nuxeo.ecm.platform.signature.core.pki.CertServiceImpl.java
License:Open Source License
protected CertificationRequest generateCSR(KeyPair keyPair, UserInfo userInfo) throws CertException { CertificationRequest csr;/* w ww. ja va 2 s . c o m*/ GeneralNames subjectAltName = new GeneralNames( new GeneralName(GeneralName.rfc822Name, userInfo.getUserFields().get(CNField.Email))); Vector<DERObjectIdentifier> objectIdentifiers = new Vector<DERObjectIdentifier>(); Vector<X509Extension> extensionValues = new Vector<X509Extension>(); objectIdentifiers.add(X509Extensions.SubjectAlternativeName); extensionValues.add(new X509Extension(false, new DEROctetString(subjectAltName))); X509Extensions extensions = new X509Extensions(objectIdentifiers, extensionValues); Attribute attribute = new Attribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, new DERSet(extensions)); try { csr = new PKCS10CertificationRequest(CERT_SIGNATURE_ALGORITHM, userInfo.getX500Principal(), keyPair.getPublic(), new DERSet(attribute), keyPair.getPrivate()); } catch (InvalidKeyException e) { throw new CertException(e); } catch (NoSuchAlgorithmException e) { throw new CertException(e); } catch (NoSuchProviderException e) { throw new CertException(e); } catch (java.security.SignatureException e) { throw new CertException(e); } catch (Exception e) { throw new CertException(e); } return csr; }
From source file:org.openconcerto.modules.finance.payment.ebics.crypto.X509CertificateGenerator.java
License:Open Source License
/** * This method implements the public one, but offers an additional parameter which is only used * when creating a new CA, namely the export alias to use. * // www.java 2 s .c o m * @param commonName @see #createCertificate(String, int, String, String) * @param validityDays @see #createCertificate(String, int, String, String) * @param exportFile @see #createCertificate(String, int, String, String) * @param exportPassword @see #createCertificate(String, int, String, String) * @param exportAlias If this additional parameter is null, a default value will be used as the * "friendly name" in the PKCS12 file. * @return @see #createCertificate(String, int, String, String) * * @see #X509CertificateGenerator(boolean) */ protected boolean createCertificate(String commonName, int validityDays, String exportFile, String exportPassword, String exportAlias) throws IOException, InvalidKeyException, SecurityException, SignatureException, NoSuchAlgorithmException, DataLengthException, CryptoException, KeyStoreException, CertificateException, InvalidKeySpecException { if (commonName == null || exportFile == null || exportPassword == null || validityDays < 1) { throw new IllegalArgumentException("Can not work with null parameter"); } System.out.println("Generating certificate for distinguished common subject name '" + commonName + "', valid for " + validityDays + " days"); SecureRandom sr = new SecureRandom(); // the JCE representation PublicKey pubKey; PrivateKey privKey; // the BCAPI representation RSAPrivateCrtKeyParameters privateKey = null; System.out.println("Creating RSA keypair"); // generate the keypair for the new certificate RSAKeyPairGenerator gen = new RSAKeyPairGenerator(); // TODO: what are these values?? gen.init(new RSAKeyGenerationParameters(BigInteger.valueOf(0x10001), sr, 1024, 80)); AsymmetricCipherKeyPair keypair = gen.generateKeyPair(); System.out .println("Generated keypair, extracting components and creating public structure for certificate"); RSAKeyParameters publicKey = (RSAKeyParameters) keypair.getPublic(); privateKey = (RSAPrivateCrtKeyParameters) keypair.getPrivate(); // used to get proper encoding for the certificate RSAPublicKeyStructure pkStruct = new RSAPublicKeyStructure(publicKey.getModulus(), publicKey.getExponent()); System.out.println("New public key is '" + new String(Hex.encode(pkStruct.getEncoded())) + ", exponent=" + publicKey.getExponent() + ", modulus=" + publicKey.getModulus()); // TODO: these two lines should go away // JCE format needed for the certificate - because getEncoded() is necessary... pubKey = KeyFactory.getInstance("RSA") .generatePublic(new RSAPublicKeySpec(publicKey.getModulus(), publicKey.getExponent())); // and this one for the KeyStore privKey = KeyFactory.getInstance("RSA") .generatePrivate(new RSAPrivateCrtKeySpec(publicKey.getModulus(), publicKey.getExponent(), privateKey.getExponent(), privateKey.getP(), privateKey.getQ(), privateKey.getDP(), privateKey.getDQ(), privateKey.getQInv())); Calendar expiry = Calendar.getInstance(); expiry.add(Calendar.DAY_OF_YEAR, validityDays); X500Name x509Name = new X500Name("CN=" + commonName); V3TBSCertificateGenerator certGen = new V3TBSCertificateGenerator(); certGen.setSerialNumber(new DERInteger(BigInteger.valueOf(System.currentTimeMillis()))); if (caCert != null) { // Attention: this is a catch! Just using // "new X509Name(caCert.getSubjectDN().getName())" will not work! // I don't know why, because the issuerDN strings look similar with both versions. certGen.setIssuer(PrincipalUtil.getSubjectX509Principal(caCert)); } else { // aha, no CA set, which means that we should create a self-signed certificate (called // from createCA) certGen.setIssuer(x509Name); } certGen.setSubject(x509Name); // TODO GM: DERObjectIdentifier sigOID = PKCSObjectIdentifiers.sha1WithRSAEncryption;// DERObjectIdentifier. // X509Util.getAlgorithmOID(CertificateSignatureAlgorithm); AlgorithmIdentifier sigAlgId = new AlgorithmIdentifier(sigOID, new DERNull()); certGen.setSignature(sigAlgId); // certGen.setSubjectPublicKeyInfo(new SubjectPublicKeyInfo(sigAlgId, // pkStruct.toASN1Object())); // TODO: why does the coding above not work? - make me work without PublicKey class certGen.setSubjectPublicKeyInfo(new SubjectPublicKeyInfo( (ASN1Sequence) new ASN1InputStream(new ByteArrayInputStream(pubKey.getEncoded())).readObject())); certGen.setStartDate(new Time(new Date(System.currentTimeMillis()))); certGen.setEndDate(new Time(expiry.getTime())); // These X509v3 extensions are not strictly necessary, but be nice and provide them... Hashtable extensions = new Hashtable(); Vector extOrdering = new Vector(); addExtensionHelper(X509Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(pubKey), extOrdering, extensions); if (caCert != null) { // again: only if we have set CA addExtensionHelper(X509Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert), extOrdering, extensions); } else { // but if we create a new self-signed cert, set its capability to be a CA // this is a critical extension (true)! addExtensionHelper(X509Extension.basicConstraints, true, new BasicConstraints(0), extOrdering, extensions); } certGen.setExtensions(new X509Extensions(extOrdering, extensions)); System.out.println("Certificate structure generated, creating SHA1 digest"); // attention: hard coded to be SHA1+RSA! SHA1Digest digester = new SHA1Digest(); AsymmetricBlockCipher rsa = new PKCS1Encoding(new RSAEngine()); TBSCertificateStructure tbsCert = certGen.generateTBSCertificate(); ByteArrayOutputStream bOut = new ByteArrayOutputStream(); DEROutputStream dOut = new DEROutputStream(bOut); dOut.writeObject(tbsCert); // and now sign byte[] signature; byte[] certBlock = bOut.toByteArray(); // first create digest System.out.println("Block to sign is '" + new String(Hex.encode(certBlock)) + "'"); digester.update(certBlock, 0, certBlock.length); byte[] hash = new byte[digester.getDigestSize()]; digester.doFinal(hash, 0); // and sign that if (caCert != null) { rsa.init(true, caPrivateKey); } else { // no CA - self sign System.out.println("No CA has been set, creating self-signed certificate as a new CA"); rsa.init(true, privateKey); } DigestInfo dInfo = new DigestInfo(new AlgorithmIdentifier(X509ObjectIdentifiers.id_SHA1, null), hash); byte[] digest = dInfo.getEncoded(ASN1Encodable.DER); signature = rsa.processBlock(digest, 0, digest.length); System.out.println("SHA1/RSA signature of digest is '" + new String(Hex.encode(signature)) + "'"); // and finally construct the certificate structure ASN1EncodableVector v = new ASN1EncodableVector(); v.add(tbsCert); v.add(sigAlgId); v.add(new DERBitString(signature)); X509CertificateObject clientCert = new X509CertificateObject( new X509CertificateStructure(new DERSequence(v))); System.out.println("Verifying certificate for correct signature with CA public key"); /* * if (caCert != null) { clientCert.verify(caCert.getPublicKey()); } else { * clientCert.verify(pubKey); } */ // and export as PKCS12 formatted file along with the private key and the CA certificate System.out.println("Exporting certificate in PKCS12 format"); PKCS12BagAttributeCarrier bagCert = clientCert; // if exportAlias is set, use that, otherwise a default name bagCert.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(exportAlias == null ? CertificateExportFriendlyName : exportAlias)); bagCert.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, new SubjectKeyIdentifierStructure(pubKey)); // this does not work as in the example /* * PKCS12BagAttributeCarrier bagKey = (PKCS12BagAttributeCarrier)privKey; * bagKey.setBagAttribute( PKCSObjectIdentifiers.pkcs_9_at_localKeyId, new * SubjectKeyIdentifierStructure(tmpKey)); */ JDKPKCS12KeyStore store; store = new JDKPKCS12KeyStore.BCPKCS12KeyStore(); store.engineLoad(null, null); FileOutputStream fOut = new FileOutputStream(exportFile); X509Certificate[] chain; if (caCert != null) { chain = new X509Certificate[2]; // first the client, then the CA certificate - this is the expected order for a // certificate chain chain[0] = clientCert; chain[1] = caCert; } else { // for a self-signed certificate, there is no chain... chain = new X509Certificate[1]; chain[0] = clientCert; } store.engineSetKeyEntry(exportAlias == null ? KeyExportFriendlyName : exportAlias, privKey, exportPassword.toCharArray(), chain); store.engineStore(fOut, exportPassword.toCharArray()); return true; }