Example usage for org.bouncycastle.cert.jcajce JcaX509v3CertificateBuilder build

List of usage examples for org.bouncycastle.cert.jcajce JcaX509v3CertificateBuilder build

Introduction

On this page you can find example usages of org.bouncycastle.cert.jcajce JcaX509v3CertificateBuilder build.

Prototype

public X509CertificateHolder build(ContentSigner signer) 

Source Link

Document

Generate an X.509 certificate, based on the current issuer and subject using the passed in signer.

Usage

From source file:CAModulePackage.CertificateHelper.java

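/**
 * Generates a new X.509 identity certificate for a component of this system
 * (for example the CA's or the AA's own certificate).
 * <p>
 * Clients should not be issued certificates through this method: they should
 * generate their own key pair and send a Certificate Signing Request instead
 * (see {@code signCSR}), so their private key never leaves them.
 * <p>
 * The certificate is valid from one day before now until one year from now,
 * carries a 64-bit random serial number and is signed with SHA256withRSA via
 * the BC provider. No extensions are added, so the result carries neither
 * basicConstraints nor keyUsage; if it is meant to act as an issuer, the
 * caller has to add those before relying parties will accept it as a CA.
 *
 * @param subjectKey the soon-to-be-holder's public key
 * @param issuerKey the signing entity's private key (RSA)
 * @param issuer distinguished name of the signing entity, e.g. {@code "CN=CA"}
 * @param subject distinguished name of the holder
 * @return the newly built X.509 certificate
 * @throws OperatorCreationException if a content signer cannot be created for {@code issuerKey}
 */
public static X509CertificateHolder generateCertificate(PublicKey subjectKey, PrivateKey issuerKey,
        String issuer, String subject) throws OperatorCreationException {

    // The 'L' suffix matters: 365 * 24 * 60 * 60 * 1000 overflows int, so the
    // original "one year" validity silently became roughly 17 days.
    final long oneDayMs = 24L * 60 * 60 * 1000;
    long now = System.currentTimeMillis();
    // Back-date notBefore by a day so small clock skew between hosts does not
    // make a freshly issued certificate "not yet valid".
    Date startDate = new Date(now - oneDayMs);
    Date endDate = new Date(now + 365 * oneDayMs);

    // RFC 5280 requires serial numbers to be unique per issuer; a millisecond
    // timestamp collides when two certificates are built in the same instant
    // and is predictable. 64 bits from a CSPRNG is the usual minimum.
    BigInteger serial = new BigInteger(64, new java.security.SecureRandom());

    // The Jca builder accepts a java.security.PublicKey directly instead of a
    // SubjectPublicKeyInfo, which is why it is used over X509v3CertificateBuilder.
    JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(new X500Name(issuer), serial,
            startDate, endDate, new X500Name(subject), subjectKey);

    return builder
            .build(new JcaContentSignerBuilder("SHA256withRSAEncryption").setProvider("BC").build(issuerKey));
}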

From source file:CAModulePackage.CertificateHelper.java

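/**
 * Signs a Certificate Signing Request and returns the resulting X.509
 * certificate. This is the primary path for granting a user credentials on
 * this system: the user keeps the private key and we only ever see the CSR.
 * <p>
 * The subject name and the public key are taken from the CSR as-is. The
 * certificate is valid from one day before now until one year from now,
 * carries a 64-bit random serial number and is signed with SHA256withRSA via
 * the BC provider. No extensions are added.
 * <p>
 * NOTE(review): the CSR's own signature is not verified here (proof of
 * possession of the private key), and the requested subject is accepted
 * without any policy check; both should happen before this method is called.
 *
 * @param csr the Certificate Signing Request; its public key must be RSA
 * @param issuer distinguished name of the issuing entity, e.g. {@code "CN=CA"}
 * @param issuerPriv private key of the issuing entity
 * @return X.509 identity certificate authenticating the user to this system
 * @throws IllegalArgumentException if the CSR's public key cannot be decoded as an RSA key
 * @throws IllegalStateException if a content signer cannot be created for {@code issuerPriv}
 */
public static X509CertificateHolder signCSR(PKCS10CertificationRequest csr, String issuer,
        PrivateKey issuerPriv) {
    // The 'L' suffix matters: 365 * 24 * 60 * 60 * 1000 overflows int, so the
    // original "one year" validity silently became roughly 17 days.
    final long oneDayMs = 24L * 60 * 60 * 1000;
    long now = System.currentTimeMillis();
    Date startDate = new Date(now - oneDayMs);
    Date endDate = new Date(now + 365 * oneDayMs);

    // Decode the requested public key. Only RSA is supported, matching the
    // SHA256withRSA signature used below.
    PublicKey pub;
    try {
        pub = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(csr.getSubjectPublicKeyInfo().getEncoded()));
    } catch (InvalidKeySpecException | NoSuchAlgorithmException | IOException e) {
        // Previously the exception was printed and a null key handed to the builder.
        throw new IllegalArgumentException("CSR does not carry a decodable RSA public key", e);
    }

    // RFC 5280 requires serial numbers to be unique per issuer; a millisecond
    // timestamp collides for two CSRs signed in the same instant and is predictable.
    BigInteger serial = new BigInteger(64, new java.security.SecureRandom());

    JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(new X500Name(issuer), serial,
            startDate, endDate, csr.getSubject(), pub);

    try {
        return builder.build(
                new JcaContentSignerBuilder("SHA256withRSAEncryption").setProvider("BC").build(issuerPriv));
    } catch (OperatorCreationException e) {
        // Previously the exception was printed and null returned.
        throw new IllegalStateException("could not create a content signer for the issuer key", e);
    }
}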

From source file:com.aqnote.shared.cryptology.cert.CertificateChainDemo.java

License:Open Source License

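/**
 * Issues a certificate for {@code userDN}, signed by the CA stored under
 * {@code caName} in the JKS keystore at {@code keyStorePath}, writes its DER
 * encoding to {@code userCertPath} and adds it to the keystore under
 * {@code userAlias}.
 * <p>
 * A fresh 2048-bit RSA key pair is generated for the user; only its public
 * key ends up in the certificate. NOTE(review): the user's private key is not
 * persisted anywhere by this method, so the certificate cannot be used for
 * signing afterwards — confirm that is intended for this demo.
 *
 * @param userCertPath file the DER-encoded user certificate is written to
 * @return {@code true} if the certificate was issued and stored, {@code false} on any failure
 */
public boolean generateX509Certificate(String userCertPath) {
    try {
        KeyStore ks = KeyStore.getInstance("JKS");
        // try-with-resources: the original leaked the stream when load() threw.
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, keyStorePasswd.toCharArray());
        }

        // Private key material is deliberately not printed.
        PrivateKey caPrivateKey = (PrivateKey) ks.getKey(caName, caPasswd.toCharArray());

        // The issuer of the new certificate is the CA's *subject* name. The
        // original used getIssuerDN(), which only coincides for a self-signed root.
        X509Certificate caCert = (X509Certificate) ks.getCertificate(caName);
        System.out.println("\nCA DN:\n" + caCert.getSubjectX500Principal());

        // 1024-bit RSA is below today's accepted minimum; 2048 is the floor.
        KeyPair userKeyPair = RSAKeyPairGenDemo.getRSAKeyPair(2048);
        System.out.println("\nuser public key:\n" + userKeyPair.getPublic());

        // RFC 5280 requires serials unique per issuer; a constant serial of 1
        // collides as soon as a second certificate is issued by this CA.
        BigInteger serial = new BigInteger(64, new java.security.SecureRandom());
        long now = System.currentTimeMillis();
        // Passing the CA certificate lets the builder take the issuer name from it verbatim.
        JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(caCert, serial,
                new Date(now), new Date(now + (1000L * 60 * 60 * 24 * 365)), new X500Name(userDN),
                userKeyPair.getPublic());

        // Sign with the CA's key. The original signed with the user's own key
        // while naming the CA as issuer, producing a certificate no CA had issued.
        X509CertificateHolder certHolder = certBuilder.build(new JcaContentSignerBuilder(ALG_SIG_SHA256_RSA)
                .setProvider(JCE_PROVIDER).build(caPrivateKey));
        X509Certificate cert = new JcaX509CertificateConverter().setProvider(JCE_PROVIDER)
                .getCertificate(certHolder);

        cert.checkValidity(new Date());
        // Verify against the issuer's public key, which is what a relying party does.
        cert.verify(caCert.getPublicKey());

        ((PKCS12BagAttributeCarrier) cert).setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName,
                new DERBMPString("x509 cert"));

        try (FileOutputStream out = new FileOutputStream(userCertPath)) {
            out.write(cert.getEncoded());
        }

        // Add the user entry and write the keystore back. It must be stored with
        // the same password it is loaded with; the original stored it under
        // caPasswd, which breaks the next load unless both passwords are equal.
        ks.setCertificateEntry(userAlias, cert);
        try (FileOutputStream out = new FileOutputStream(keyStorePath)) {
            ks.store(out, keyStorePasswd.toCharArray());
        }
        return true;
    } catch (Exception e) {
        // The original returned true even after a failure.
        e.printStackTrace();
        return false;
    }
}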

From source file:com.github.spyhunter99.simplejks.CertGenBouncy.java

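/**
 * Builds a self-signed X.509 v3 certificate for {@code keyPair}.
 * <p>
 * Issuer and subject are both {@code subjectDN}; the certificate is valid for
 * 30 years from now, is marked as a CA via a critical basicConstraints
 * extension, and carries a hard-coded subjectAltName of {@code server} and
 * {@code server.mydomain.com}. NOTE(review): the SAN values are not derived
 * from {@code subjectDN}; TLS clients match the SAN rather than the CN, so
 * callers should be aware of that.
 *
 * @param keyPair RSA key pair; the public key goes into the certificate and the private key signs it
 * @param subjectDN distinguished name string, e.g. {@code "CN=server"}
 * @return the certificate, converted through the BouncyCastle provider
 * @throws OperatorCreationException if the content signer cannot be built
 * @throws CertificateException if the holder cannot be converted
 * @throws IOException if an extension cannot be encoded
 */
public static java.security.cert.Certificate selfSign(KeyPair keyPair, String subjectDN)
        throws OperatorCreationException, CertificateException, IOException {
    // Security.addProvider is a no-op (returns -1) when the provider is already installed.
    Provider bcProvider = new BouncyCastleProvider();
    Security.addProvider(bcProvider);

    long now = System.currentTimeMillis();
    Date startDate = new Date(now);

    Calendar calendar = Calendar.getInstance();
    calendar.setTime(startDate);
    calendar.add(Calendar.YEAR, 30); // 30 years validity (the original comment said "1 Yr", the code adds 30)
    Date endDate = calendar.getTime();

    X500Name dnName = new X500Name(subjectDN);
    // RFC 5280 requires serials unique per issuer; a timestamp collides for two
    // certificates built in the same millisecond and is predictable.
    BigInteger certSerialNumber = new BigInteger(64, new java.security.SecureRandom());

    String signatureAlgorithm = "SHA256WithRSA"; // must match the key type of keyPair

    ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate());

    JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(dnName, certSerialNumber,
            startDate, endDate, dnName, keyPair.getPublic());

    // Extensions --------------------------
    // 2.5.29.19 is id-ce-basicConstraints; cA=true, marked critical as is customary.
    BasicConstraints basicConstraints = new BasicConstraints(true);
    certBuilder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, basicConstraints);

    // subjectAltName, non-critical. Fixed values — see the class comment.
    ASN1Encodable[] subjectAlternativeNames = new ASN1Encodable[] {
            new GeneralName(GeneralName.dNSName, "server"),
            new GeneralName(GeneralName.dNSName, "server.mydomain.com") };
    DERSequence subjectAlternativeNamesExtension = new DERSequence(subjectAlternativeNames);
    certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAlternativeNamesExtension);
    // -------------------------------------

    return new JcaX509CertificateConverter().setProvider(bcProvider)
            .getCertificate(certBuilder.build(contentSigner));
}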

From source file:com.rcn.service.CertificateService.java

License:Open Source License

/**
 * Issues a certificate and returns it as PEM, optionally followed by the PEM
 * of a freshly generated private key.
 * <p>
 * Two modes: when {@code pkc10Request} is present the public key is taken
 * from that PKCS#10 request and no key PEM is appended; otherwise a new key
 * pair is generated and its private key PEM (encrypted with {@code password}
 * when non-empty) follows the certificate. When {@code caPem} is present the
 * certificate is issued by that CA and carries an authorityKeyIdentifier;
 * otherwise it is self-signed with the generated key.
 * <p>
 * NOTE(review): whether {@code fromPkcs10} verifies the request's signature
 * (proof of possession) is not visible here. The serial is drawn below
 * {@code 8180385048} (about 2^33), which is less than the 64 bits of CSPRNG
 * output expected for publicly trusted certificates.
 *
 * @param certName subject distinguished name
 * @param password pass phrase for the generated key PEM; empty means unencrypted
 * @param validDays validity period in days from now
 * @param caPem issuing CA key and certificate as PEM, or empty for self-signed
 * @param caPassword pass phrase protecting {@code caPem}
 * @param generateCaCert whether to add CA extensions instead of end-entity ones
 * @param pkc10Request PKCS#10 request to take the public key from, or empty
 * @return certificate PEM, followed by the key PEM when a key was generated
 * @throws SecurityException wrapping any failure, including a missing private key for self-signing
 */
public String generateCert(String certName, String password, int validDays, Optional<String> caPem,
        String caPassword, boolean generateCaCert, Optional<String> pkc10Request) {
    try {
        Optional<Tuple<KeyPair, X509Certificate>> issuerTuple = caPem.map(c -> fromPem(c, caPassword));
        Optional<KeyPair> issuerKeyPair = issuerTuple.map(t -> t.getX());

        // A key pair is generated only when no CSR supplies the public key.
        Optional<KeyPair> freshKeyPair = pkc10Request.isPresent() ? Optional.<KeyPair>empty()
                : Optional.ofNullable(generateKey());

        PublicKey publicKey = pkc10Request.map(this::fromPkcs10)
                .orElseGet(() -> freshKeyPair.get().getPublic());

        Date notBefore = new Date();
        Calendar expiry = Calendar.getInstance();
        expiry.add(Calendar.DATE, validDays);
        Date notAfter = new Date(expiry.getTimeInMillis());

        X500Principal subjectPrincipal = new X500Principal(certName);
        BigInteger serialNumber = rndBigInt(new BigInteger("8180385048")); // exclusive upper bound for the serial
        X500Principal issuerPrincipal = issuerTuple.map(t -> t.getY().getSubjectX500Principal())
                .orElseGet(() -> subjectPrincipal);

        JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerPrincipal,
                serialNumber, notBefore, notAfter, subjectPrincipal, publicKey);

        certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false,
                new SubjectKeyIdentifier(getSubjectPublicKeyInfo(publicKey)));

        issuerKeyPair.ifPresent(k -> certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false,
                new AuthorityKeyIdentifier(getSubjectPublicKeyInfo(k.getPublic()))));

        if (generateCaCert) {
            addCaExtension(certBuilder);
        } else {
            addRegularExtension(Optional.empty(), certBuilder);
        }

        // Self-signed certificates are signed with the freshly generated key.
        KeyPair signingKeyPair = issuerKeyPair.orElseGet(() -> freshKeyPair
                .orElseThrow(() -> new SecurityException("no private key for self-sign cert")));
        X509Certificate certificate = new JcaX509CertificateConverter()
                .setProvider(BouncyCastleProvider.PROVIDER_NAME)
                .getCertificate(certBuilder.build(new JcaContentSignerBuilder("SHA256WithRSAEncryption")
                        .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(signingKeyPair.getPrivate())));

        String certPem = toPem(certificate, Optional.empty());
        String keyPem = freshKeyPair
                .map(k -> toPem(k, password.isEmpty() ? Optional.<String>empty() : Optional.of(password)))
                .orElse("");

        return certPem + keyPem;
    } catch (Exception e) {
        throw new SecurityException(e);
    }
}

From source file:com.zotoh.crypto.Crypto.java

License:Open Source License

/**
 * Creates an X.509 v3 certificate for {@code keyPair}, issued by
 * {@code issuer} and signed with {@code issuerKey}.
 * <p>
 * Non-critical authorityKeyIdentifier (from the issuer certificate) and
 * subjectKeyIdentifier (from the new public key) extensions are added; no
 * basicConstraints or keyUsage are set here. Before returning, the result is
 * checked to be valid right now and its signature is verified against the
 * issuer's public key, so a signer/issuer mismatch fails here rather than at
 * a relying party.
 *
 * @param pv JCA provider used both for signing and for converting the holder
 * @param keyPair key pair of the new certificate's holder
 * @param start notBefore
 * @param end notAfter
 * @param dnStr subject distinguished name
 * @param issuer issuer certificate; must be an {@link X509Certificate}
 * @param issuerKey private key matching {@code issuer}
 * @param keyLength not used by this method
 * @param algo signature algorithm name, e.g. {@code "SHA256withRSA"}
 * @return a {@code Tuple} of the new certificate and the holder's private key
 * @throws GeneralSecurityException if the signer cannot be created (wrapping
 *         {@code OperatorCreationException}) or if the built certificate fails
 *         the validity or signature check
 */
private Tuple createSSV3Cert(Provider pv, KeyPair keyPair, Date start, Date end, String dnStr,
        Certificate issuer, PrivateKey issuerKey, int keyLength, String algo)
        throws InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException,
        CertificateException, NoSuchProviderException, GeneralSecurityException {

    X509Certificate issuerCert = (X509Certificate) issuer;
    PublicKey holderPub = keyPair.getPublic();
    X500Principal holderName = new X500Principal(dnStr);

    // Issuer name is taken from the issuer certificate by the builder; the
    // serial comes from the instance-level counter.
    JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuerCert, getNextSerialNumber(),
            start, end, holderName, holderPub);

    ContentSigner signer;
    try {
        signer = new JcaContentSignerBuilder(algo).setProvider(pv).build(issuerKey);
    } catch (OperatorCreationException e) {
        throw new GeneralSecurityException(e);
    }

    builder.addExtension(X509Extension.authorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(issuerCert));
    builder.addExtension(X509Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(holderPub));

    X509Certificate cert = new JcaX509CertificateConverter().setProvider(pv)
            .getCertificate(builder.build(signer));

    // Fail fast: the certificate must be usable now and really be signed by the issuer.
    cert.checkValidity(new Date());
    cert.verify(issuerCert.getPublicKey());

    return new Tuple(cert, keyPair.getPrivate());
}

From source file:ee.ria.xroad.common.util.FISubjectClientIdDecoderTest.java

License:Open Source License

/**
 * Builds a self-signed certificate for use in this test.
 * <p>
 * Issuer and subject are both {@code dn}, the serial number is 1, and
 * notBefore/notAfter are both "now" (two separate {@code new Date()} calls),
 * so the certificate is only meant to carry a subject name for the decoder
 * under test, not to pass validity checks.
 *
 * @param dn distinguished name used as both issuer and subject
 * @param pair key pair whose public key goes into the certificate and whose private key signs it
 * @return the converted certificate
 * @throws OperatorCreationException if the signer cannot be created
 * @throws CertificateException if the holder cannot be converted
 */
private X509Certificate generateSelfSignedCertificate(String dn, KeyPair pair)
        throws OperatorCreationException, CertificateException {
    ContentSigner contentSigner = new JcaContentSignerBuilder(CryptoUtils.SHA256WITHRSA_ID)
            .build(pair.getPrivate());
    X500Name subjectAndIssuer = new X500Name(dn);
    JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(subjectAndIssuer,
            BigInteger.ONE, new Date(), new Date(), subjectAndIssuer, pair.getPublic());
    return new JcaX509CertificateConverter().getCertificate(certBuilder.build(contentSigner));
}

From source file:ee.ria.xroad.signer.util.SignerUtil.java

License:Open Source License

/**
 * Creates a self-signed certificate for {@code commonName}. The certificate
 * is valid for 2 years: from one year ago until one year from now, so clock
 * skew cannot make it "not yet valid".
 * <p>
 * The serial number is always {@code 1}. That is acceptable for fixtures but
 * violates per-issuer serial uniqueness (RFC 5280) as soon as a second
 * certificate is created under the same name. {@code commonName} is spliced
 * into an RFC 2253 string, so a comma or other RDN separator inside it
 * changes the DN structure.
 *
 * @param commonName the common name attribute; the subject becomes {@code CN=<commonName>}
 * @param keyPair the key pair containing the public key
 * @param signer the signer of the certificate
 * @return the certificate
 * @throws Exception if an error occurs
 */
public static X509Certificate createCertificate(String commonName, KeyPair keyPair, ContentSigner signer)
        throws Exception {
    Calendar window = GregorianCalendar.getInstance();
    window.add(Calendar.YEAR, -1);
    Date notBefore = window.getTime();
    window.add(Calendar.YEAR, 2);
    Date notAfter = window.getTime();

    X500Name name = new X500Name("CN=" + commonName);
    X509CertificateHolder holder = new JcaX509v3CertificateBuilder(name, BigInteger.ONE, notBefore, notAfter,
            name, keyPair.getPublic()).build(signer);
    return new JcaX509CertificateConverter().getCertificate(holder);
}

From source file:esteidhacker.FakeEstEIDCA.java

License:Open Source License

/**
 * Builds a fake copy of the real root certificate: issuer, subject, serial
 * and validity are copied from {@code /resources/sk-root.pem} and every
 * extension is copied verbatim, but the public key is {@code kp}'s and the
 * certificate is self-signed with {@code kp}'s private key.
 * <p>
 * The signature algorithm is SHA1withRSA, presumably to mirror the real
 * certificate; modern validators reject SHA-1 signatures, so the result is
 * only usable where it is trusted explicitly.
 *
 * @param kp key pair whose public key goes into the fake root and whose private key signs it
 * @return the fake root certificate, converted through the BC provider
 * @throws IOException if the template certificate cannot be read
 * @throws OperatorCreationException if the signer cannot be created
 * @throws CertificateException if the holder cannot be converted
 */
private X509Certificate makeRootCert(KeyPair kp)
        throws InvalidKeyException, IllegalStateException, NoSuchProviderException, SignatureException,
        IOException, NoSuchAlgorithmException, ParseException, OperatorCreationException, CertificateException {

    X509CertificateHolder template = getRealCert("/resources/sk-root.pem");

    // TODO/FIXME: GeneralizedTime instead of UTCTime for root
    JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(template.getIssuer(),
            template.getSerialNumber(), template.getNotBefore(), template.getNotAfter(), template.getSubject(),
            kp.getPublic());

    // Every extension of the template is copied as-is, criticality included.
    @SuppressWarnings("unchecked")
    List<ASN1ObjectIdentifier> extensionOids = template.getExtensionOIDs();
    for (ASN1ObjectIdentifier oid : extensionOids) {
        Extension ext = template.getExtension(oid);
        builder.copyAndAddExtension(ext.getExtnId(), ext.isCritical(), template);
    }

    ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA")
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(kp.getPrivate());

    return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME)
            .getCertificate(builder.build(signer));
}

From source file:esteidhacker.FakeEstEIDCA.java

License:Open Source License

/**
 * Builds a fake copy of the real ESTEID intermediate certificate: issuer,
 * subject, serial and validity are copied from
 * {@code /resources/sk-esteid.pem} and every extension is copied verbatim,
 * but the public key is {@code esteid}'s and the certificate is signed with
 * the fake root's private key ({@code root}).
 * <p>
 * The signature algorithm is SHA1withRSA, presumably to mirror the real
 * certificate; modern validators reject SHA-1 signatures, so the result is
 * only usable where the fake root is trusted explicitly.
 *
 * @param esteid key pair whose public key goes into the fake intermediate
 * @param root key pair of the fake root; its private key signs the result
 * @return the fake intermediate certificate, converted through the BC provider
 * @throws IOException if the template certificate cannot be read
 * @throws OperatorCreationException if the signer cannot be created
 * @throws CertificateException if the holder cannot be converted
 */
private X509Certificate makeEsteidCert(KeyPair esteid, KeyPair root)
        throws InvalidKeyException, IllegalStateException, NoSuchProviderException, SignatureException,
        IOException, NoSuchAlgorithmException, ParseException, OperatorCreationException, CertificateException {

    X509CertificateHolder template = getRealCert("/resources/sk-esteid.pem");

    JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(template.getIssuer(),
            template.getSerialNumber(), template.getNotBefore(), template.getNotAfter(), template.getSubject(),
            esteid.getPublic());

    // Every extension of the template is copied as-is, criticality included.
    @SuppressWarnings("unchecked")
    List<ASN1ObjectIdentifier> extensionOids = template.getExtensionOIDs();
    for (ASN1ObjectIdentifier oid : extensionOids) {
        Extension ext = template.getExtension(oid);
        builder.copyAndAddExtension(ext.getExtnId(), ext.isCritical(), template);
    }

    ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA")
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(root.getPrivate());

    return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME)
            .getCertificate(builder.build(signer));
}