Example usage for org.bouncycastle.cert.bc BcX509ExtensionUtils createSubjectKeyIdentifier

List of usage examples for org.bouncycastle.cert.bc BcX509ExtensionUtils createSubjectKeyIdentifier

  1. HOME
  2. Java
  3. org.bouncycastle
  4. org.bouncycastle.cert.bc.*
  5. BcX509ExtensionUtils
  6. createSubjectKeyIdentifier

Introduction

In this page you can find the example usage for org.bouncycastle.cert.bc BcX509ExtensionUtils createSubjectKeyIdentifier.

Prototype

public SubjectKeyIdentifier createSubjectKeyIdentifier(AsymmetricKeyParameter publicKey) throws IOException

Source Link

Document

Return a RFC 3280 type 1 key identifier.

Usage

From source file:eu.betaas.taas.securitymanager.common.certificate.utils.PKCS12Utils.java

License:Apache License

/**
 * A method to create PKCS12 file that stores the certificates.
 * @param pfxOut: the output of pkcs12 file (in OutputStream) 
 * @param key: private key that is associated with the credential
 * @param chain: chain of certificates (within the credential)
 * @param keyPasswd: key password/*www.ja  v a  2  s . c  om*/
 * @throws Exception
 */
public static void createPKCS12FileBc(OutputStream pfxOut, AsymmetricKeyParameter key,
        X509CertificateHolder[] chain, char[] keyPasswd) throws Exception {

    OutputEncryptor encOut = new BcPKCS12PBEOutputEncryptorBuilder(
            PKCSObjectIdentifiers.pbeWithSHAAnd3_KeyTripleDES_CBC, new CBCBlockCipher(new DESedeEngine()))
                    .build(keyPasswd);

    PKCS12SafeBagBuilder taCertBagBuilder = null;
    PKCS12SafeBagBuilder caCertBagBuilder = null;
    PKCS12SafeBagBuilder eeCertBagBuilder = null;
    SubjectKeyIdentifier pubKeyId = null;

    // identify the type of certificate from the given certificate chain
    for (int i = 0; i < chain.length; i++) {
        Extensions exs = chain[i].getExtensions();
        if (exs != null) {
            KeyUsage ku = KeyUsage.fromExtensions(exs);
            if (ku.toString().equals("KeyUsage: 0x" + Integer.toHexString(128 | 32))) {
                // end entity certificate
                eeCertBagBuilder = new PKCS12SafeBagBuilder(chain[i]);
                BcX509ExtensionUtils extUtils = new BcX509ExtensionUtils();
                eeCertBagBuilder.addBagAttribute(PKCS12SafeBag.friendlyNameAttribute,
                        new DERBMPString("Eric's Key"));
                pubKeyId = extUtils.createSubjectKeyIdentifier(chain[i].getSubjectPublicKeyInfo());
                eeCertBagBuilder.addBagAttribute(PKCS12SafeBag.localKeyIdAttribute, pubKeyId);
            } else if (ku.toString().equals("KeyUsage: 0x" + Integer.toHexString(128 | 4 | 2))) {
                // intermediate certificate
                caCertBagBuilder = new PKCS12SafeBagBuilder(chain[i]);
                caCertBagBuilder.addBagAttribute(PKCS12SafeBag.friendlyNameAttribute,
                        new DERBMPString("BETaaS Intermediate Certificate"));
            }
        } else {
            // root certificate
            taCertBagBuilder = new PKCS12SafeBagBuilder(chain[i]);
            taCertBagBuilder.addBagAttribute(PKCS12SafeBag.friendlyNameAttribute,
                    new DERBMPString("BETaaS Primary Certificate"));
        }
    }

    //    PKCS12SafeBagBuilder taCertBagBuilder = new PKCS12SafeBagBuilder(chain[2]);

    //    PKCS12SafeBagBuilder caCertBagBuilder = new PKCS12SafeBagBuilder(chain[1]);

    //    PKCS12SafeBagBuilder eeCertBagBuilder = new PKCS12SafeBagBuilder(chain[0]);

    // the ECPrivateKey, consists of the key itself and the ECParams
    BigInteger dPriv = ((ECPrivateKeyParameters) key).getD();
    X9ECParameters ecParams = new X9ECParameters(((ECKeyParameters) key).getParameters().getCurve(),
            ((ECKeyParameters) key).getParameters().getG(), ((ECKeyParameters) key).getParameters().getN(),
            ((ECKeyParameters) key).getParameters().getH(), ((ECKeyParameters) key).getParameters().getSeed());
    ECPrivateKey privParams = new ECPrivateKey(dPriv, ecParams);

    // include the ecParams
    AlgorithmIdentifier sigAlg = new AlgorithmIdentifier(X9ObjectIdentifiers.id_ecPublicKey, ecParams);

    //    PrivateKeyInfo keyInfo = PrivateKeyInfoFactory.createPrivateKeyInfo(key);

    PKCS12SafeBagBuilder keyBagBuilder = new PKCS12SafeBagBuilder(new PrivateKeyInfo(sigAlg, privParams),
            encOut);

    keyBagBuilder.addBagAttribute(PKCS12SafeBag.friendlyNameAttribute, new DERBMPString("Eric's Key"));
    if (pubKeyId != null)
        keyBagBuilder.addBagAttribute(PKCS12SafeBag.localKeyIdAttribute, pubKeyId);

    PKCS12PfxPduBuilder builder = new PKCS12PfxPduBuilder();

    builder.addData(keyBagBuilder.build());

    // no need to insert SHA1Digest() because it is the default Digest algorithm
    // check each of the certbagbuilder
    if (caCertBagBuilder != null && taCertBagBuilder != null && eeCertBagBuilder != null) {
        // include all types of certificate in the file --> root own's credential
        builder.addEncryptedData(
                new BcPKCS12PBEOutputEncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd128BitRC2_CBC,
                        new CBCBlockCipher(new RC2Engine())).build(keyPasswd),
                new PKCS12SafeBag[] { eeCertBagBuilder.build(), caCertBagBuilder.build(),
                        taCertBagBuilder.build() });
    } else if (caCertBagBuilder != null && taCertBagBuilder != null && eeCertBagBuilder == null) {
        // only root and intermediate --> signer credential
        builder.addEncryptedData(
                new BcPKCS12PBEOutputEncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd128BitRC2_CBC,
                        new CBCBlockCipher(new RC2Engine())).build(keyPasswd),
                new PKCS12SafeBag[] { caCertBagBuilder.build(), taCertBagBuilder.build() });
    } else if (caCertBagBuilder == null && taCertBagBuilder == null) {
        // only end entity --> e.g. application, user, etc
        builder.addEncryptedData(
                new BcPKCS12PBEOutputEncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd128BitRC2_CBC,
                        new CBCBlockCipher(new RC2Engine())).build(keyPasswd),
                new PKCS12SafeBag[] { eeCertBagBuilder.build() });
    } else if (caCertBagBuilder != null && taCertBagBuilder == null && eeCertBagBuilder != null) {
        // only intermediate and end entity --> common GW certificate
        builder.addEncryptedData(
                new BcPKCS12PBEOutputEncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd128BitRC2_CBC,
                        new CBCBlockCipher(new RC2Engine())).build(keyPasswd),
                new PKCS12SafeBag[] { eeCertBagBuilder.build(), caCertBagBuilder.build() });
    }

    //    PKCS12PfxPdu pfx = builder.build(new BcPKCS12MacCalculatorBuilder(
    //          new SHA256Digest(), 
    //          new AlgorithmIdentifier(NISTObjectIdentifiers.id_sha256)), keyPasswd);
    PKCS12PfxPdu pfx = builder.build(new BcPKCS12MacCalculatorBuilder(), keyPasswd);
    // make sure we don't include indefinite length encoding
    pfxOut.write(pfx.getEncoded(ASN1Encoding.DL));

    pfxOut.close();
}

From source file:uk.ac.cam.gpe21.droidssl.mitm.crypto.cert.CertificateGenerator.java

License:Apache License

public X509CertificateHolder generate(String cn, String[] sans) {
    try {//from w w w .  j  a va 2s .c  o m
        /* basic certificate structure */
        //serial = serial.add(BigInteger.ONE);
        // TODO: temporary workaround as reusing serial numbers makes Firefox complain
        serial = new BigInteger(Long.toString(System.currentTimeMillis()));

        Calendar notBefore = new GregorianCalendar(UTC);
        notBefore.add(Calendar.HOUR, -1);

        Calendar notAfter = new GregorianCalendar(UTC);
        notAfter.add(Calendar.HOUR, 24);

        X500Name subject = new X500NameBuilder().addRDN(BCStyle.CN, cn).build();

        BcX509ExtensionUtils utils = new BcX509ExtensionUtils();
        X509v3CertificateBuilder builder = new BcX509v3CertificateBuilder(ca.getCertificate(), serial,
                notBefore.getTime(), notAfter.getTime(), subject, keyPair.getPublic());

        /* subjectAlernativeName extension */
        if (sans.length > 0) {
            GeneralName[] names = new GeneralName[sans.length];
            for (int i = 0; i < names.length; i++) {
                names[i] = new GeneralName(GeneralName.dNSName, sans[i]);
            }
            builder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(names));
        }

        /* basicConstraints extension */
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));

        /* subjectKeyIdentifier extension */
        builder.addExtension(Extension.subjectKeyIdentifier, false,
                utils.createSubjectKeyIdentifier(keyPair.getPublic()));

        /* authorityKeyIdentifier extension */
        builder.addExtension(Extension.authorityKeyIdentifier, false,
                utils.createAuthorityKeyIdentifier(ca.getPublicKey()));

        /* keyUsage extension */
        int usage = KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.keyAgreement;
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(usage));

        /* extendedKeyUsage extension */
        KeyPurposeId[] usages = { KeyPurposeId.id_kp_serverAuth };
        builder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(usages));

        /* create the signer */
        AlgorithmIdentifier signatureAlgorithm = new DefaultSignatureAlgorithmIdentifierFinder()
                .find("SHA1withRSA");
        AlgorithmIdentifier digestAlgorithm = new DefaultDigestAlgorithmIdentifierFinder()
                .find(signatureAlgorithm);
        ContentSigner signer = new BcRSAContentSignerBuilder(signatureAlgorithm, digestAlgorithm)
                .build(ca.getPrivateKey());

        /* build and sign the certificate */
        return builder.build(signer);
    } catch (IOException | OperatorCreationException ex) {
        throw new CertificateGenerationException(ex);
    }
}