List of usage examples for org.bouncycastle.cert.jcajce JcaX509v3CertificateBuilder addExtension
public X509v3CertificateBuilder addExtension(ASN1ObjectIdentifier oid, boolean isCritical, ASN1Encodable value) throws CertIOException
From source file:co.runrightfast.core.security.cert.SelfSignedX509V3CertRequest.java
License:Apache License
public X509v3CertificateBuilder x509v3CertificateBuilder() { final JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder( x509V3CertRequest.getIssuerPrincipal(), x509V3CertRequest.getSerialNumber(), Date.from(x509V3CertRequest.getNotBefore()), Date.from(x509V3CertRequest.getNotAfter()), x509V3CertRequest.getSubjectPrincipal(), x509V3CertRequest.getSubjectPublicKey()); x509V3CertRequest.getExtensions().stream().forEach(ext -> { try {//from w w w . j ava 2 s.c o m builder.addExtension(ext.getOid(), ext.isCritical(), ext.getValue()); } catch (final CertIOException ex) { throw new ApplicationException(String.format("Failed to add extenstion: %s", ext), ex); } }); return builder; }
From source file:co.runrightfast.core.security.cert.X509V3CertRequest.java
License:Apache License
public X509v3CertificateBuilder x509v3CertificateBuilder() { final JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuerPrincipal, serialNumber, Date.from(notBefore), Date.from(notAfter), subjectPrincipal, subjectPublicKey); extensions.stream().forEach(ext -> { try {//from w ww. ja v a2 s . c om builder.addExtension(ext.getOid(), ext.isCritical(), ext.getValue()); } catch (final CertIOException ex) { throw new ApplicationException(String.format("Failed to add extenstion: %s", ext), ex); } }); return builder; }
From source file:com.github.spyhunter99.simplejks.CertGenBouncy.java
public static java.security.cert.Certificate selfSign(KeyPair keyPair, String subjectDN) throws OperatorCreationException, CertificateException, IOException { Provider bcProvider = new BouncyCastleProvider(); Security.addProvider(bcProvider); long now = System.currentTimeMillis(); Date startDate = new Date(now); X500Name dnName = new X500Name(subjectDN); BigInteger certSerialNumber = new BigInteger(Long.toString(now)); // <-- Using the current timestamp as the certificate serial number Calendar calendar = Calendar.getInstance(); calendar.setTime(startDate);/* w ww .jav a 2s. c om*/ calendar.add(Calendar.YEAR, 30); // <-- 1 Yr validity Date endDate = calendar.getTime(); String signatureAlgorithm = "SHA256WithRSA"; // <-- Use appropriate signature algorithm based on your keyPair algorithm. ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate()); JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(dnName, certSerialNumber, startDate, endDate, dnName, keyPair.getPublic()); // Extensions -------------------------- // Basic Constraints BasicConstraints basicConstraints = new BasicConstraints(true); // <-- true for CA, false for EndEntity certBuilder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, basicConstraints); // Basic Constraints is usually marked as critical. ASN1Encodable[] subjectAlternativeNames = new ASN1Encodable[] { new GeneralName(GeneralName.dNSName, "server"), new GeneralName(GeneralName.dNSName, "server.mydomain.com") }; DERSequence subjectAlternativeNamesExtension = new DERSequence(subjectAlternativeNames); certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAlternativeNamesExtension); // ------------------------------------- return new JcaX509CertificateConverter().setProvider(bcProvider) .getCertificate(certBuilder.build(contentSigner)); }
From source file:com.rcn.service.CertificateService.java
License:Open Source License
public String generateCert(String certName, String password, int validDays, Optional<String> caPem, String caPassword, boolean generateCaCert, Optional<String> pkc10Request) { try {// w ww . j ava2s . com Optional<Tuple<KeyPair, X509Certificate>> caTuple = caPem.map(c -> fromPem(c, caPassword)); Optional<KeyPair> ca = caTuple.map(a -> a.getX()); Optional<KeyPair> optKeyPair = Optional.ofNullable(pkc10Request.isPresent() ? null : generateKey()); PublicKey publicKey = pkc10Request.map(this::fromPkcs10).orElseGet(() -> optKeyPair.get().getPublic()); Date now = new Date(); Calendar tenYears = Calendar.getInstance(); tenYears.add(Calendar.DATE, validDays); X500Principal x500Principal = new X500Principal(certName); BigInteger serial = rndBigInt(new BigInteger("8180385048")); //max value for SN X500Principal issuer = caTuple.map(a -> a.getY().getSubjectX500Principal()) .orElseGet(() -> x500Principal); JcaX509v3CertificateBuilder v3CertGen = new JcaX509v3CertificateBuilder(issuer, serial, now, new Date(tenYears.getTimeInMillis()), x500Principal, publicKey); v3CertGen.addExtension(X509Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifier(getSubjectPublicKeyInfo(publicKey))); ca.ifPresent(caKey -> v3CertGen.addExtension(X509Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifier(getSubjectPublicKeyInfo(caKey.getPublic())))); if (generateCaCert) { addCaExtension(v3CertGen); } else { addRegularExtension(Optional.empty(), v3CertGen); } KeyPair caKey = ca.orElseGet( () -> optKeyPair.orElseThrow(() -> new SecurityException("no private key for self-sign cert"))); X509Certificate certificate = new JcaX509CertificateConverter() .setProvider(BouncyCastleProvider.PROVIDER_NAME) .getCertificate(v3CertGen.build(new JcaContentSignerBuilder("SHA256WithRSAEncryption") .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(caKey.getPrivate()))); String certPem = toPem(certificate, Optional.empty()); String keyPem = optKeyPair .map(k -> toPem(k, Optional.ofNullable(password.length() > 0 ? password : null))).orElse(""); return String.format("%s%s", certPem, keyPem); } catch (Exception e) { throw new SecurityException(e); } }
From source file:com.rcn.service.CertificateService.java
License:Open Source License
private void addCaExtension(JcaX509v3CertificateBuilder v3CertGen) { v3CertGen.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(true)); v3CertGen.addExtension(X509Extension.keyUsage, false, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign)); ASN1EncodableVector intPolicies = new ASN1EncodableVector(); intPolicies.add(new PolicyInformation(new DERObjectIdentifier(ANY_POLICY))); v3CertGen.addExtension(X509Extension.certificatePolicies, false, new DERSequence(intPolicies)); }
From source file:com.rcn.service.CertificateService.java
License:Open Source License
private void addRegularExtension(Optional<GeneralNames> generalNames, JcaX509v3CertificateBuilder v3CertGen) { v3CertGen.addExtension(X509Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); Vector<KeyPurposeId> authTypes = new Vector<>(); authTypes.add(KeyPurposeId.id_kp_clientAuth); authTypes.add(KeyPurposeId.id_kp_serverAuth); v3CertGen.addExtension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(authTypes)); generalNames.ifPresent(n -> v3CertGen.addExtension(X509Extension.subjectAlternativeName, false, n)); }
From source file:com.zotoh.crypto.Crypto.java
License:Open Source License
private Tuple createSSV3Cert(Provider pv, KeyPair keyPair, Date start, Date end, String dnStr, Certificate issuer, PrivateKey issuerKey, int keyLength, String algo) throws InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, CertificateException, NoSuchProviderException, GeneralSecurityException { X500Principal subject = new X500Principal(dnStr); PrivateKey prv = keyPair.getPrivate(); PublicKey pub = keyPair.getPublic(); X509Certificate cert, top = (X509Certificate) issuer; JcaX509v3CertificateBuilder bdr = new JcaX509v3CertificateBuilder(top, getNextSerialNumber(), start, end, subject, pub);/*from ww w.ja v a2 s .c o m*/ ContentSigner cs; try { cs = new JcaContentSignerBuilder(algo).setProvider(pv).build(issuerKey); } catch (OperatorCreationException e) { throw new GeneralSecurityException(e); } bdr.addExtension(X509Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(top)); bdr.addExtension(X509Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(pub)); cert = new JcaX509CertificateConverter().setProvider(pv).getCertificate(bdr.build(cs)); cert.checkValidity(new Date()); cert.verify(top.getPublicKey()); return new Tuple(cert, prv); }
From source file:esteidhacker.FakeEstEIDCA.java
License:Open Source License
public X509Certificate generateUserCertificate(RSAPublicKey pubkey, boolean signature, String firstname, String lastname, String idcode, String email) throws InvalidKeyException, ParseException, IOException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateException, OperatorCreationException { Date startDate = new SimpleDateFormat("yyyy-MM-dd", Locale.ENGLISH).parse("2015-01-01"); Date endDate = new SimpleDateFormat("yyyy-MM-dd", Locale.ENGLISH).parse("2015-12-31"); String template = "C=EE,O=ESTEID,OU=%s,CN=%s\\,%s\\,%s,SURNAME=%s,GIVENNAME=%s,SERIALNUMBER=%s"; // Normalize. lastname = lastname.toUpperCase();// w w w.j a v a 2 s .c o m firstname = firstname.toUpperCase(); idcode = idcode.toUpperCase(); email = email.toLowerCase(); String subject = String.format(template, (signature ? "digital signature" : "authentication"), lastname, firstname, idcode, lastname, firstname, idcode); byte[] serialBytes = new byte[16]; SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG"); rnd.nextBytes(serialBytes); serialBytes[0] &= 0x7F; // Can't be negative BigInteger serial = new BigInteger(serialBytes); X509CertificateHolder real; if (signature) { real = getRealCert("/resources/sk-sign.pem"); } else { real = getRealCert("/resources/sk-auth.pem"); } serial = real.getSerialNumber(); System.out.println("Generating from subject: " + real.getSubject()); System.out.println("Generating subject: " + new X500Name(subject).toString()); JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(real.getIssuer(), serial, startDate, endDate, new X500Name(subject), pubkey); @SuppressWarnings("unchecked") List<ASN1ObjectIdentifier> list = real.getExtensionOIDs(); // Copy all extensions, except altName for (ASN1ObjectIdentifier extoid : list) { Extension ext = real.getExtension(extoid); if (ext.getExtnId().equals(Extension.subjectAlternativeName)) { // altName must be changed builder.addExtension(ext.getExtnId(), ext.isCritical(), new GeneralNames(new GeneralName(GeneralName.rfc822Name, email))); } else { builder.copyAndAddExtension(ext.getExtnId(), ext.isCritical(), real); } } // Generate cert ContentSigner sigGen = new JcaContentSignerBuilder("SHA1withRSA") .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(esteidKey); X509CertificateHolder cert = builder.build(sigGen); return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME) .getCertificate(cert); }
From source file:io.kodokojo.commons.utils.ssl.SSLUtils.java
License:Open Source License
private static JcaX509v3CertificateBuilder addJcaX509Extension(String commonsName, RSAPublicKey publicKey, X509Certificate issuerCertificate, long duration, boolean isCaCertificate) throws NoSuchAlgorithmException, CertIOException { long end = System.currentTimeMillis() + duration; BigInteger serial = BigInteger.valueOf(new SecureRandom(publicKey.getEncoded()).nextLong()); JcaX509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder( new org.bouncycastle.asn1.x500.X500Name(issuerCertificate.getSubjectDN().getName()), serial, new Date(), new Date(end), new org.bouncycastle.asn1.x500.X500Name(COMMON_NAME_ENTRY + commonsName), publicKey);/* www .ja va 2s . c om*/ JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils(); certificateBuilder.addExtension(subjectKeyIdentifier, false, jcaX509ExtensionUtils.createSubjectKeyIdentifier(publicKey)); certificateBuilder.addExtension(basicConstraints, isCaCertificate, new BasicConstraints(isCaCertificate)); return certificateBuilder; }
From source file:io.kodokojo.commons.utils.ssl.SSLUtils.java
License:Open Source License
public static SSLKeyPair createSelfSignedSSLKeyPair(String commonsName, RSAPrivateKey caPrivateKey, RSAPublicKey caPublicKey) { try {//from w ww.j a va2 s.c om BigInteger serial = BigInteger.valueOf(new Random().nextInt()); long end = System.currentTimeMillis() + DEFAULT_CERTIFICATE_DURATION_VALIDITY; org.bouncycastle.asn1.x500.X500Name commonsX500Name = new org.bouncycastle.asn1.x500.X500Name( COMMON_NAME_ENTRY + commonsName); JcaX509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(commonsX500Name, serial, new Date(), new Date(end), commonsX500Name, caPublicKey); JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils(); certificateBuilder.addExtension(subjectKeyIdentifier, false, jcaX509ExtensionUtils.createSubjectKeyIdentifier(caPublicKey)); certificateBuilder.addExtension(basicConstraints, true, new BasicConstraints(true)); addASN1AndKeyUsageExtensions(certificateBuilder); X509Certificate cert = verifyCertificate(caPrivateKey, caPublicKey, certificateBuilder); return new SSLKeyPair(caPrivateKey, caPublicKey, new X509Certificate[] { cert }); } catch (NoSuchAlgorithmException | CertIOException | CertificateException | InvalidKeyException | OperatorCreationException | SignatureException | NoSuchProviderException e) { throw new RuntimeException("Unable to generate SSL certificate for " + commonsName, e); } }