List of usage examples for org.bouncycastle.cert.jcajce JcaX500NameUtil getIssuer
public static X500Name getIssuer(X509Certificate certificate)
From source file:net.solarnetwork.pki.bc.BCCertificateService.java
License:Open Source License
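/**
 * Signs a PEM-encoded PKCS#10 certificate request with {@code privateKey} and
 * returns the resulting end-entity certificate.
 *
 * <p>The request may be supplied with or without PEM armour; a bare body is
 * wrapped in {@code -----BEGIN/END CERTIFICATE REQUEST-----} lines before
 * parsing. The issued certificate carries the CA's own name (the subject of
 * {@code caCert}) as issuer, the subject and public key taken from the request,
 * a non-CA {@code BasicConstraints} extension and subject/authority key
 * identifiers. Validity starts now and lasts {@code certificateExpireDays}
 * days; the serial number is the next value of {@code counter}.
 *
 * <p>NOTE(review): the request's own signature is not verified here, so
 * possession of the private key matching the requested public key is not
 * checked before issuance — confirm a caller does this, or add a
 * {@code PKCS10CertificationRequest#isSignatureValid} check.
 * NOTE(review): serials drawn from an in-process counter are sequential and,
 * unless the counter is persisted, may repeat across restarts — verify this
 * against the intended serial-number policy.
 *
 * @param csrPEM     the certificate request, PEM-armoured or bare Base64
 * @param caCert     the issuing CA certificate; its subject becomes the issuer
 * @param privateKey the CA private key used to sign the certificate
 * @return the signed certificate
 * @throws CertificateException if the request is missing or cannot be parsed,
 *         the signer or extensions cannot be built, or conversion of the
 *         certificate holder fails
 */
@Override
public X509Certificate signCertificate(String csrPEM, X509Certificate caCert, PrivateKey privateKey)
        throws CertificateException {
    if (csrPEM == null) {
        throw new CertificateException("No CSR provided");
    }
    if (!csrPEM.matches("(?is)^\\s*-----BEGIN.*")) {
        // guard: accept a bare Base64 body by adding the PEM armour ourselves
        csrPEM = "-----BEGIN CERTIFICATE REQUEST-----\n" + csrPEM
                + "\n-----END CERTIFICATE REQUEST-----\n";
    }
    PemReader reader = null;
    try {
        reader = new PemReader(new StringReader(csrPEM));
        PemObject pemObj = reader.readPemObject();
        if (pemObj == null) {
            // no PEM block found in the input; without this check the next line would NPE
            throw new CertificateException("No PEM object found in CSR");
        }
        log.debug("Parsed PEM type {}", pemObj.getType());
        PKCS10CertificationRequest csr = new PKCS10CertificationRequest(pemObj.getContent());

        Date now = new Date();
        Date expire = new Date(now.getTime() + (1000L * 60L * 60L * 24L * certificateExpireDays));
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
                // issuer must be the CA's own (subject) name, not the name of whoever issued the CA
                // certificate; the two only coincide for a self-signed CA
                JcaX500NameUtil.getSubject(caCert),
                BigInteger.valueOf(counter.incrementAndGet()),
                now, expire, csr.getSubject(), csr.getSubjectPublicKeyInfo());

        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm);
        ContentSigner signer;
        DefaultDigestAlgorithmIdentifierFinder digestAlgFinder = new DefaultDigestAlgorithmIdentifierFinder();
        try {
            DigestCalculatorProvider digestCalcProvider = new JcaDigestCalculatorProviderBuilder()
                    .setProvider(new BouncyCastleProvider()).build();
            JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(
                    digestCalcProvider.get(digestAlgFinder.find("SHA-256")));
            // end-entity certificate: explicitly mark it as not a CA
            builder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false));
            builder.addExtension(X509Extension.subjectKeyIdentifier, false,
                    extUtils.createSubjectKeyIdentifier(csr.getSubjectPublicKeyInfo()));
            builder.addExtension(X509Extension.authorityKeyIdentifier, false,
                    extUtils.createAuthorityKeyIdentifier(caCert));
            signer = signerBuilder.build(privateKey);
        } catch (OperatorException e) {
            log.error("Error signing CSR {}", csr.getSubject(), e);
            // keep the cause so callers and logs retain the original stack
            throw new CertificateException("Error signing CSR " + csr.getSubject() + ": " + e.getMessage(), e);
        } catch (CertificateEncodingException e) {
            log.error("Error signing CSR {}", csr.getSubject(), e);
            throw new CertificateException("Error signing CSR " + csr.getSubject() + ": " + e.getMessage(), e);
        }

        X509CertificateHolder holder = builder.build(signer);
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
        try {
            return converter.getCertificate(holder);
        } catch (java.security.cert.CertificateException e) {
            throw new CertificateException("Error creating certificate", e);
        }
    } catch (IOException e) {
        throw new CertificateException("Error signing CSR", e);
    } finally {
        if (reader != null) {
            try {
                reader.close();
            } catch (IOException e2) {
                // best effort: a close failure must not mask the result or the real error
                log.warn("IOException closing PemReader", e2);
            }
        }
    }
}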
From source file:org.cryptable.pki.communication.PKICMPMessagesTest.java
License:Open Source License
/**
 * Builds a CMP revocation response with status {@code granted} for the PKI's
 * revoked certificate (identified by issuer name and serial number), attaches
 * the PKI's current CRL and wraps the body into a protected PKI message.
 *
 * @param senderNonce   nonce to echo back to the sender
 * @param transactionId CMP transaction identifier for the exchange
 * @return the encoded protected PKI message, as produced by
 *         {@code createProtectedPKIMessage}
 * @throws CRLException, CMPException, CertificateEncodingException,
 *         OperatorCreationException, PKICMPMessageException, IOException
 *         as propagated from the BC builders and the message helper
 */
private byte[] createRevocationRespons1(byte[] senderNonce, byte[] transactionId)
        throws CRLException, CMPException, CertificateEncodingException, OperatorCreationException,
        PKICMPMessageException, IOException {
    // the revoked certificate is referenced by (issuer, serial), the CertId form
    CertId revokedId = new CertId(
            new GeneralName(JcaX500NameUtil.getIssuer(pki.getRevokedCert())),
            pki.getRevokedCert().getSerialNumber());

    RevRepContentBuilder responseBuilder = new RevRepContentBuilder();
    responseBuilder.add(new PKIStatusInfo(PKIStatus.granted), revokedId);
    responseBuilder.addCrl(new JcaX509CRLHolder(pki.getX509CRL()).toASN1Structure());

    PKIBody body = new PKIBody(PKIBody.TYPE_REVOCATION_REP, responseBuilder.build());
    return createProtectedPKIMessage(senderNonce, transactionId, body);
}
From source file:org.cryptable.pki.util.GeneratePKI.java
License:Open Source License
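/**
 * Generates a certificate for {@code distinguishedNmae} / {@code pubKey},
 * signed with {@code privKey} on behalf of {@code caCert} (our CA's
 * intermediate certificate). Validity runs from 30 days before now until
 * 30 days after now.
 *
 * <p>The issuer name is the CA certificate's <em>subject</em>, i.e. the CA's
 * own name. Taking the CA certificate's issuer instead would, for an
 * intermediate CA, name the intermediate's parent and the issued certificate
 * would no longer name-chain to {@code caCert}.
 *
 * @param distinguishedNmae subject DN of the new certificate, as a string
 * @param pubKey            public key to certify
 * @param privKey           signing key; presumably the key of {@code caCert} —
 *                          not checked here
 * @param caCert            CA certificate whose subject becomes the issuer
 * @param serNum            serial number to assign
 * @return the signed certificate, converted with the BC provider
 * @throws OperatorCreationException if the content signer cannot be built
 * @throws CertificateException      if the certificate holder cannot be converted
 */
private static Certificate createCert(String distinguishedNmae, PublicKey pubKey, PrivateKey privKey,
        X509Certificate caCert, BigInteger serNum) throws OperatorCreationException, CertificateException {
    final long dayMillis = 1000L * 60 * 60 * 24;
    // single timestamp so notBefore/notAfter are computed from the same instant
    final long now = System.currentTimeMillis();

    // Signer of the certificate
    ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(BC)
            .build(privKey);

    // Builder of the certificate
    X509v3CertificateBuilder v3CertBuilder = new JcaX509v3CertificateBuilder(
            JcaX500NameUtil.getSubject(caCert),    // issuer: the signing CA's own name
            serNum,
            new Date(now - 30 * dayMillis),        // not before
            new Date(now + 30 * dayMillis),        // not after
            new X500Name(distinguishedNmae),       // subject
            pubKey);
    return new JcaX509CertificateConverter().setProvider(BC).getCertificate(v3CertBuilder.build(sigGen));
}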
From source file:org.cryptable.pki.util.GeneratePKI.java
License:Open Source License
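/**
 * Generates an already expired certificate for {@code distinguishedNmae} /
 * {@code pubKey}, signed with {@code privKey} on behalf of {@code caCert}
 * (our CA's intermediate certificate). Validity runs from 30 days before
 * now until 1 day before now.
 *
 * <p>The issuer name is the CA certificate's <em>subject</em>, i.e. the CA's
 * own name. Taking the CA certificate's issuer instead would, for an
 * intermediate CA, name the intermediate's parent and the issued certificate
 * would no longer name-chain to {@code caCert}.
 *
 * @param distinguishedNmae subject DN of the new certificate, as a string
 * @param pubKey            public key to certify
 * @param privKey           signing key; presumably the key of {@code caCert} —
 *                          not checked here
 * @param caCert            CA certificate whose subject becomes the issuer
 * @param serNum            serial number to assign
 * @return the signed (expired) certificate, converted with the BC provider
 * @throws OperatorCreationException if the content signer cannot be built
 * @throws CertificateException      if the certificate holder cannot be converted
 */
private static Certificate createExpiredCert(String distinguishedNmae, PublicKey pubKey, PrivateKey privKey,
        X509Certificate caCert, BigInteger serNum) throws OperatorCreationException, CertificateException {
    final long dayMillis = 1000L * 60 * 60 * 24;
    // single timestamp so notBefore/notAfter are computed from the same instant
    final long now = System.currentTimeMillis();

    // Signer of the certificate
    ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(BC)
            .build(privKey);

    // Builder of the certificate
    X509v3CertificateBuilder v3CertBuilder = new JcaX509v3CertificateBuilder(
            JcaX500NameUtil.getSubject(caCert),    // issuer: the signing CA's own name
            serNum,
            new Date(now - 30 * dayMillis),        // not before
            new Date(now - dayMillis),             // not after: yesterday, so it is expired
            new X500Name(distinguishedNmae),       // subject
            pubKey);
    return new JcaX509CertificateConverter().setProvider(BC).getCertificate(v3CertBuilder.build(sigGen));
}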
From source file:org.cryptable.pki.util.GeneratePKI.java
License:Open Source License
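/**
 * Generates a not-yet-valid certificate for {@code distinguishedNmae} /
 * {@code pubKey}, signed with {@code privKey} on behalf of {@code caCert}
 * (our CA's intermediate certificate). Validity runs from 1 day after now
 * until 30 days after now.
 *
 * <p>The issuer name is the CA certificate's <em>subject</em>, i.e. the CA's
 * own name. Taking the CA certificate's issuer instead would, for an
 * intermediate CA, name the intermediate's parent and the issued certificate
 * would no longer name-chain to {@code caCert}.
 *
 * @param distinguishedNmae subject DN of the new certificate, as a string
 * @param pubKey            public key to certify
 * @param privKey           signing key; presumably the key of {@code caCert} —
 *                          not checked here
 * @param caCert            CA certificate whose subject becomes the issuer
 * @param serNum            serial number to assign
 * @return the signed (not yet valid) certificate, converted with the BC provider
 * @throws OperatorCreationException if the content signer cannot be built
 * @throws CertificateException      if the certificate holder cannot be converted
 */
private static Certificate createNotYetValidCert(String distinguishedNmae, PublicKey pubKey, PrivateKey privKey,
        X509Certificate caCert, BigInteger serNum) throws OperatorCreationException, CertificateException {
    final long dayMillis = 1000L * 60 * 60 * 24;
    // single timestamp so notBefore/notAfter are computed from the same instant
    final long now = System.currentTimeMillis();

    // Signer of the certificate
    ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(BC)
            .build(privKey);

    // Builder of the certificate
    X509v3CertificateBuilder v3CertBuilder = new JcaX509v3CertificateBuilder(
            JcaX500NameUtil.getSubject(caCert),    // issuer: the signing CA's own name
            serNum,
            new Date(now + dayMillis),             // not before: tomorrow, so it is not yet valid
            new Date(now + 30 * dayMillis),        // not after
            new X500Name(distinguishedNmae),       // subject
            pubKey);
    return new JcaX509CertificateConverter().setProvider(BC).getCertificate(v3CertBuilder.build(sigGen));
}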
From source file:org.signserver.module.mrtdsodsigner.jmrtd.SODFile.java
License:Open Source License
/**
 * Assembles a CMS {@code SignerInfo} for the document signer certificate.
 *
 * <p>The signer is identified by the issuer name and serial number of
 * {@code docSigningCertificate}. Algorithm identifiers are resolved from the
 * given mnemonics via {@code lookupOIDByMnemonic}; the signature algorithm
 * carries {@code digestEncryptionAlgorithmParams} only when they are non-null.
 * Authenticated attributes come from {@code createAuthenticatedAttributes};
 * unauthenticated attributes are left absent ({@code null}).
 *
 * @param digestAlgorithm                 mnemonic of the content digest algorithm
 * @param digestEncryptionAlgorithm       mnemonic of the signature algorithm
 * @param digestEncryptionAlgorithmParams optional signature algorithm parameters, may be null
 * @param content                         data the authenticated attributes are derived from
 * @param encryptedDigest                 the signature value over the authenticated attributes
 * @param docSigningCertificate           certificate identifying the signer
 * @return the populated SignerInfo
 * @throws NoSuchAlgorithmException     presumably from the mnemonic lookup — see lookupOIDByMnemonic
 * @throws CertificateEncodingException declared for the certificate access; not
 *                                      obviously raised by the calls visible here
 */
private static SignerInfo createSignerInfo(String digestAlgorithm, String digestEncryptionAlgorithm,
        ASN1Encodable digestEncryptionAlgorithmParams, byte[] content, byte[] encryptedDigest,
        X509Certificate docSigningCertificate) throws NoSuchAlgorithmException, CertificateEncodingException {
    /* SignerIdentifier in its issuerAndSerialNumber form: issuer name (CN, O, OU, C) plus serial. */
    IssuerAndSerialNumber issuerAndSerial = new IssuerAndSerialNumber(
            JcaX500NameUtil.getIssuer(docSigningCertificate), docSigningCertificate.getSerialNumber());
    SignerIdentifier signerId = new SignerIdentifier(issuerAndSerial);

    AlgorithmIdentifier digestAlgId = new AlgorithmIdentifier(lookupOIDByMnemonic(digestAlgorithm));
    // parameters are attached only when supplied; otherwise the bare OID form is used
    final AlgorithmIdentifier signatureAlgId = digestEncryptionAlgorithmParams == null
            ? new AlgorithmIdentifier(lookupOIDByMnemonic(digestEncryptionAlgorithm))
            : new AlgorithmIdentifier(lookupOIDByMnemonic(digestEncryptionAlgorithm),
                    digestEncryptionAlgorithmParams);

    ASN1Set signedAttrs = createAuthenticatedAttributes(digestAlgorithm, content); // includes the content hash
    ASN1OctetString signatureValue = new DEROctetString(encryptedDigest);            // the signature itself
    ASN1Set unsignedAttrs = null; // none; whether an empty set would be preferable was left open

    return new SignerInfo(signerId, digestAlgId, signedAttrs, signatureAlgId, signatureValue, unsignedAttrs);
}
From source file:org.signserver.module.mrtdsodsigner.MRTDSODSigner.java
License:Open Source License
/**
 * Finds, in {@code chain}, the first X.509 certificate whose subject name equals
 * the issuer name of {@code sodCert}. Entries that are not X.509 certificates
 * are skipped.
 *
 * <p>NOTE(review): a subject/issuer name match does not by itself prove that the
 * returned certificate signed {@code sodCert} (name collisions, CA key rollover
 * with the same name); a caller that relies on this for a trust decision should
 * still verify the signature or validate the full path.
 *
 * @param chain   candidate certificates, possibly of mixed types
 * @param sodCert the certificate whose issuer is being looked up
 * @return the matching certificate, or {@code null} if none is found
 */
private X509Certificate findIssuerCert(Collection<Certificate> chain, X509Certificate sodCert) {
    final X500Name wanted = JcaX500NameUtil.getIssuer(sodCert);
    if (log.isDebugEnabled()) {
        log.debug("Looking for " + wanted);
    }
    for (Certificate candidate : chain) {
        if (!(candidate instanceof X509Certificate)) {
            continue;
        }
        final X509Certificate x509 = (X509Certificate) candidate;
        final X500Name subject = JcaX500NameUtil.getSubject(x509);
        if (wanted.equals(subject)) {
            if (log.isDebugEnabled()) {
                log.debug("Found issuer");
            }
            return x509;
        }
        if (log.isDebugEnabled()) {
            log.debug(wanted + "!=" + subject);
        }
    }
    return null;
}
From source file:org.signserver.module.mrtdsodsigner.MRTDSODSignerUnitTest.java
License:Open Source License
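/**
 * Tests that the order of the issuer DN in the SignerInfo is the same as in
 * the certificate. Tests with a certificate in "LDAP DN order"
 * (the default in EJBCA).
 *
 * <p>The string forms, the {@code X500Principal} objects and the DER
 * encodings of the SOD issuer and of the certificate issuer are all asserted
 * equal; the DER comparison compares issuer against issuer.
 *
 * @throws Exception in case of error.
 */
public void test07DNOrder() throws Exception {
    // DG1, DG2 and default values
    Map<Integer, byte[]> dataGroups1 = new LinkedHashMap<Integer, byte[]>();
    dataGroups1.put(1, digestHelper("Dummy Value 1".getBytes(), "SHA1"));
    dataGroups1.put(2, digestHelper("Dummy Value 2".getBytes(), "SHA1"));
    SODFile sod = signHelper(WORKER11, 12, dataGroups1, false, "SHA1", "SHA1withRSAandMGF1");

    // The real asn.1 order in the cert is CN=DemoCSCA1, C=SE
    assertEquals("C=SE,CN=DemoCSCA1", sod.getIssuerX500Principal().getName());
    assertEquals("C=SE,CN=DemoCSCA1",
            sod.getDocSigningCertificate().getIssuerX500Principal().getName());
    assertEquals("CN=DemoCSCA1,C=SE",
            JcaX500NameUtil.getIssuer(sod.getDocSigningCertificate()).toString());

    // Make sure it matches in all ways
    assertEquals("DN should match", sod.getIssuerX500Principal().getName(),
            sod.getDocSigningCertificate().getIssuerX500Principal().getName());
    assertEquals("DN should match", sod.getIssuerX500Principal(),
            sod.getDocSigningCertificate().getIssuerX500Principal());
    // The DER encoding should be the same: previously the Arrays.equals result was
    // discarded (no assertion) and the issuer was compared with the whole certificate
    assertTrue("DER encoding should match", Arrays.equals(
            sod.getIssuerX500Principal().getEncoded(),
            sod.getDocSigningCertificate().getIssuerX500Principal().getEncoded()));
}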
From source file:org.signserver.module.mrtdsodsigner.MRTDSODSignerUnitTest.java
License:Open Source License
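/**
 * Tests that the order of the issuer DN in the SignerInfo is the same as in
 * the certificate. Tests with a certificate not in "LDAP DN order".
 *
 * <p>The string forms, the {@code X500Principal} objects and the DER
 * encodings of the SOD issuer and of the certificate issuer are all asserted
 * equal; the DER comparison compares issuer against issuer.
 *
 * @throws Exception in case of error.
 */
public void test07DNOrderReversed() throws Exception {
    // DG1, DG2 and default values
    Map<Integer, byte[]> dataGroups1 = new LinkedHashMap<Integer, byte[]>();
    dataGroups1.put(1, digestHelper("Dummy Value 1".getBytes(), "SHA1"));
    dataGroups1.put(2, digestHelper("Dummy Value 2".getBytes(), "SHA1"));
    SODFile sod = signHelper(WORKER16, 12, dataGroups1, false, "SHA1", "SHA1withRSAandMGF1");

    // The real asn.1 order in the cert is C=SE,O=Reversed Org,CN=ReversedCA2
    assertEquals("CN=ReversedCA2,O=Reversed Org,C=SE", sod.getIssuerX500Principal().getName());
    assertEquals("CN=ReversedCA2,O=Reversed Org,C=SE",
            sod.getDocSigningCertificate().getIssuerX500Principal().getName());
    assertEquals("C=SE,O=Reversed Org,CN=ReversedCA2",
            JcaX500NameUtil.getIssuer(sod.getDocSigningCertificate()).toString());

    // Make sure it matches in all ways
    assertEquals("DN should match", sod.getIssuerX500Principal().getName(),
            sod.getDocSigningCertificate().getIssuerX500Principal().getName());
    assertEquals("DN should match", sod.getIssuerX500Principal(),
            sod.getDocSigningCertificate().getIssuerX500Principal());
    // The DER encoding should be the same: previously the Arrays.equals result was
    // discarded (no assertion) and the issuer was compared with the whole certificate
    assertTrue("DER encoding should match", Arrays.equals(
            sod.getIssuerX500Principal().getEncoded(),
            sod.getDocSigningCertificate().getIssuerX500Principal().getEncoded()));
}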