List of usage examples for org.bouncycastle.cert.jcajce JcaX509v3CertificateBuilder copyAndAddExtension
public JcaX509v3CertificateBuilder copyAndAddExtension(ASN1ObjectIdentifier oid, boolean critical, X509Certificate certificate) throws CertificateEncodingException
From source file:esteidhacker.FakeEstEIDCA.java
License:Open Source License
/**
 * Produces a self-signed root certificate that mirrors the bundled genuine root
 * certificate field for field (issuer, serial, validity window, subject, every
 * extension) while carrying {@code kp}'s public key and being signed by
 * {@code kp}'s private key.
 *
 * @param kp key pair supplying the certified public key and the signing key
 * @return the self-signed clone, materialised through the BouncyCastle provider
 * @throws IOException if the template certificate cannot be read
 * @throws OperatorCreationException if the content signer cannot be created
 * @throws CertificateException if the holder cannot be converted to an X509Certificate
 */
private X509Certificate makeRootCert(KeyPair kp) throws InvalidKeyException, IllegalStateException, NoSuchProviderException, SignatureException, IOException, NoSuchAlgorithmException, ParseException, OperatorCreationException, CertificateException {
    // The genuine root certificate acts as the template for every field below
    X509CertificateHolder template = getRealCert("/resources/sk-root.pem");

    // TODO/FIXME: GeneralizedTime instead of UTCTime for root
    JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            template.getIssuer(),
            template.getSerialNumber(),
            template.getNotBefore(),
            template.getNotAfter(),
            template.getSubject(),
            kp.getPublic());

    // Every extension is carried over with its original value and criticality.
    // NOTE(review): a key-identifier extension present in the template would therefore
    // still describe the template's key rather than kp — a mismatch a validator can spot.
    @SuppressWarnings("unchecked")
    List<ASN1ObjectIdentifier> extensionOids = template.getExtensionOIDs();
    for (ASN1ObjectIdentifier extensionOid : extensionOids) {
        Extension extension = template.getExtension(extensionOid);
        builder.copyAndAddExtension(extension.getExtnId(), extension.isCritical(), template);
    }

    // SHA1withRSA is a deprecated signature algorithm; current validators reject SHA-1 signatures
    ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA")
            .setProvider(BouncyCastleProvider.PROVIDER_NAME)
            .build(kp.getPrivate());
    X509CertificateHolder signedHolder = builder.build(signer);

    JcaX509CertificateConverter converter = new JcaX509CertificateConverter()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME);
    return converter.getCertificate(signedHolder);
}
From source file:esteidhacker.FakeEstEIDCA.java
License:Open Source License
/**
 * Produces an intermediate (ESTEID) certificate cloned from the bundled genuine
 * intermediate certificate: issuer, serial, validity window, subject and all
 * extensions are copied, the public key is {@code esteid}'s, and the signature is
 * made with {@code root}'s private key.
 *
 * @param esteid key pair whose public key is certified
 * @param root   key pair whose private key signs the certificate
 * @return the cloned intermediate certificate, materialised through the BouncyCastle provider
 * @throws IOException if the template certificate cannot be read
 * @throws OperatorCreationException if the content signer cannot be created
 * @throws CertificateException if the holder cannot be converted to an X509Certificate
 */
private X509Certificate makeEsteidCert(KeyPair esteid, KeyPair root) throws InvalidKeyException, IllegalStateException, NoSuchProviderException, SignatureException, IOException, NoSuchAlgorithmException, ParseException, OperatorCreationException, CertificateException {
    // The genuine intermediate certificate is the template for all fields
    X509CertificateHolder template = getRealCert("/resources/sk-esteid.pem");

    JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            template.getIssuer(),
            template.getSerialNumber(),
            template.getNotBefore(),
            template.getNotAfter(),
            template.getSubject(),
            esteid.getPublic());

    // Extensions are copied unchanged, criticality included
    @SuppressWarnings("unchecked")
    List<ASN1ObjectIdentifier> extensionOids = template.getExtensionOIDs();
    for (ASN1ObjectIdentifier extensionOid : extensionOids) {
        Extension extension = template.getExtension(extensionOid);
        builder.copyAndAddExtension(extension.getExtnId(), extension.isCritical(), template);
    }

    // SHA1withRSA is a deprecated signature algorithm; current validators reject SHA-1 signatures
    ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA")
            .setProvider(BouncyCastleProvider.PROVIDER_NAME)
            .build(root.getPrivate());
    X509CertificateHolder signedHolder = builder.build(signer);

    JcaX509CertificateConverter converter = new JcaX509CertificateConverter()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME);
    return converter.getCertificate(signedHolder);
}
From source file:esteidhacker.FakeEstEIDCA.java
License:Open Source License
/**
 * Re-issues {@code cert} with {@code pubkey} as the certified key: issuer, serial
 * number, validity window, subject and every extension are taken from {@code cert},
 * and the result is signed with the instance's {@code esteidKey}.
 *
 * @param pubkey RSA public key to place in the cloned certificate
 * @param cert   certificate whose fields and extensions are copied
 * @return the re-signed clone, materialised through the BouncyCastle provider
 * @throws OperatorCreationException if the content signer cannot be created
 * @throws CertificateException if encoding or conversion fails
 * @throws IOException if the encoded certificate cannot be parsed
 */
public X509Certificate cloneUserCertificate(RSAPublicKey pubkey, X509Certificate cert) throws OperatorCreationException, CertificateException, IOException {
    // Parse the DER form so the BouncyCastle extension API can be used on it
    X509CertificateHolder source = new X509CertificateHolder(cert.getEncoded());

    // Serial, validity and names are reproduced exactly; only the key changes
    JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            source.getIssuer(),
            cert.getSerialNumber(),
            cert.getNotBefore(),
            cert.getNotAfter(),
            source.getSubject(),
            pubkey);

    // Extensions are copied unchanged, criticality included
    @SuppressWarnings("unchecked")
    List<ASN1ObjectIdentifier> extensionOids = source.getExtensionOIDs();
    for (ASN1ObjectIdentifier extensionOid : extensionOids) {
        Extension extension = source.getExtension(extensionOid);
        builder.copyAndAddExtension(extension.getExtnId(), extension.isCritical(), source);
    }

    // SHA1withRSA is a deprecated signature algorithm; current validators reject SHA-1 signatures
    ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA")
            .setProvider(BouncyCastleProvider.PROVIDER_NAME)
            .build(esteidKey);
    X509CertificateHolder signedHolder = builder.build(signer);

    JcaX509CertificateConverter converter = new JcaX509CertificateConverter()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME);
    return converter.getCertificate(signedHolder);
}
From source file:esteidhacker.FakeEstEIDCA.java
License:Open Source License
/**
 * Builds a user certificate modelled on the bundled genuine signature or
 * authentication certificate. The subject DN is assembled from the supplied
 * person data, the subjectAltName is replaced with an rfc822Name holding
 * {@code email}, all other extensions are copied from the template, the
 * template's serial number is reused, validity is fixed to the year 2015, and
 * the certificate is signed with the instance's {@code esteidKey}.
 *
 * @param pubkey    RSA public key to certify
 * @param signature {@code true} for a "digital signature" certificate,
 *                  {@code false} for an "authentication" certificate
 * @param firstname given name (upper-cased into the DN)
 * @param lastname  surname (upper-cased into the DN)
 * @param idcode    personal identification code (upper-cased into the DN)
 * @param email     e-mail address placed in subjectAltName (lower-cased)
 * @return the signed certificate, materialised through the BouncyCastle provider
 * @throws ParseException if the fixed validity dates fail to parse
 * @throws IOException if the template certificate cannot be read
 * @throws OperatorCreationException if the content signer cannot be created
 * @throws CertificateException if the holder cannot be converted to an X509Certificate
 */
public X509Certificate generateUserCertificate(RSAPublicKey pubkey, boolean signature, String firstname, String lastname, String idcode, String email) throws InvalidKeyException, ParseException, IOException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateException, OperatorCreationException {
    // Fixed validity window
    SimpleDateFormat isoDay = new SimpleDateFormat("yyyy-MM-dd", Locale.ENGLISH);
    Date notBefore = isoDay.parse("2015-01-01");
    Date notAfter = isoDay.parse("2015-12-31");

    // Subject DN layout; the escaped commas keep the CN a single RDN value
    String template = "C=EE,O=ESTEID,OU=%s,CN=%s\\,%s\\,%s,SURNAME=%s,GIVENNAME=%s,SERIALNUMBER=%s";

    // Normalise casing before the values enter the DN
    lastname = lastname.toUpperCase();
    firstname = firstname.toUpperCase();
    idcode = idcode.toUpperCase();
    email = email.toLowerCase();

    String organisationalUnit = signature ? "digital signature" : "authentication";
    String subject = String.format(template, organisationalUnit, lastname, firstname, idcode,
            lastname, firstname, idcode);

    // A 128-bit random serial is drawn, with the sign bit cleared so BigInteger stays positive
    SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
    byte[] serialBytes = new byte[16];
    rnd.nextBytes(serialBytes);
    serialBytes[0] &= 0x7F; // Can't be negative
    BigInteger serial = new BigInteger(serialBytes);

    // Pick the matching genuine certificate as template
    String templatePath = signature ? "/resources/sk-sign.pem" : "/resources/sk-auth.pem";
    X509CertificateHolder real = getRealCert(templatePath);

    // The template's serial number overrides the random one drawn above, which is thus unused
    serial = real.getSerialNumber();

    X500Name subjectName = new X500Name(subject);
    System.out.println("Generating from subject: " + real.getSubject());
    System.out.println("Generating subject: " + subjectName.toString());

    JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            real.getIssuer(), serial, notBefore, notAfter, subjectName, pubkey);

    // Every extension is copied verbatim except subjectAltName, which carries the new e-mail
    @SuppressWarnings("unchecked")
    List<ASN1ObjectIdentifier> extensionOids = real.getExtensionOIDs();
    for (ASN1ObjectIdentifier extensionOid : extensionOids) {
        Extension extension = real.getExtension(extensionOid);
        boolean isAltName = extension.getExtnId().equals(Extension.subjectAlternativeName);
        if (!isAltName) {
            builder.copyAndAddExtension(extension.getExtnId(), extension.isCritical(), real);
            continue;
        }
        GeneralNames altNames = new GeneralNames(new GeneralName(GeneralName.rfc822Name, email));
        builder.addExtension(extension.getExtnId(), extension.isCritical(), altNames);
    }

    // SHA1withRSA is a deprecated signature algorithm; current validators reject SHA-1 signatures
    ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA")
            .setProvider(BouncyCastleProvider.PROVIDER_NAME)
            .build(esteidKey);
    X509CertificateHolder signedHolder = builder.build(signer);

    JcaX509CertificateConverter converter = new JcaX509CertificateConverter()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME);
    return converter.getCertificate(signedHolder);
}
From source file:org.owasp.webscarab.util.SunCertificateUtils.java
License:Open Source License
/**
 * Issues an X.509 certificate for {@code pubKey} signed by {@code caKey}.
 * <p>
 * When {@code subject} equals {@code issuer} the certificate is a CA certificate
 * with only a basicConstraints extension (pathLen 5). Otherwise it is an end-entity
 * certificate with SKI/AKI, basicConstraints(false), Netscape cert type,
 * keyUsage and extendedKeyUsage for client and server authentication. If
 * {@code baseCrt} is given, its subject replaces {@code subject} and its
 * subjectAltName (when present) is copied across.
 * <p>
 * The result is re-parsed through the default X.509 CertificateFactory so the
 * returned object belongs to the default provider rather than BouncyCastle.
 *
 * @param subject  requested subject; ignored when {@code baseCrt} is non-null
 * @param pubKey   public key to certify
 * @param issuer   issuer name
 * @param caPubKey issuer public key, used to derive the authorityKeyIdentifier
 * @param caKey    issuer private key that signs the certificate
 * @param begin    notBefore
 * @param ends     notAfter
 * @param serialNo serial number
 * @param baseCrt  optional certificate whose subject and subjectAltName are reused
 * @return the signed certificate from the default security provider
 * @throws GeneralSecurityException on certificate-factory or key errors
 * @throws CertIOException if an extension cannot be encoded
 * @throws OperatorCreationException if the content signer cannot be created
 * @throws IOException if the built certificate cannot be encoded
 */
public static X509Certificate sign(X500Principal subject, PublicKey pubKey, X500Principal issuer, PublicKey caPubKey, PrivateKey caKey, Date begin, Date ends, BigInteger serialNo, X509Certificate baseCrt) throws GeneralSecurityException, CertIOException, OperatorCreationException, IOException {
    // A base certificate dictates the subject name
    X500Principal effectiveSubject = baseCrt == null ? subject : baseCrt.getSubjectX500Principal();
    subject = effectiveSubject;

    JcaX509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
            issuer, serialNo, begin, ends, effectiveSubject, pubKey);

    boolean selfSigned = effectiveSubject.equals(issuer);
    if (selfSigned) {
        // CA certificate: basicConstraints only, with a path length limit of 5
        certificateBuilder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(5));
    } else {
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();

        // Reuse the base certificate's subjectAltName when it has one.
        // NOTE(review): it is always re-added as critical, whatever the base certificate's flag was.
        if (baseCrt != null) {
            byte[] altNameValue = baseCrt.getExtensionValue(X509Extension.subjectAlternativeName.getId());
            if (altNameValue != null) {
                certificateBuilder.copyAndAddExtension(X509Extension.subjectAlternativeName, true, baseCrt);
            }
        }

        // Key identifiers derived from the actual keys, so chain building can link the two
        SubjectKeyIdentifier subjectKeyId = extensionUtils.createSubjectKeyIdentifier(pubKey);
        certificateBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, subjectKeyId);
        AuthorityKeyIdentifier authorityKeyId = extensionUtils.createAuthorityKeyIdentifier(caPubKey);
        certificateBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, authorityKeyId);

        // End-entity: not a CA
        certificateBuilder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(false));

        // Usage restrictions: TLS client and server
        NetscapeCertType netscapeType = new NetscapeCertType(
                NetscapeCertType.sslClient | NetscapeCertType.sslServer);
        certificateBuilder.addExtension(MiscObjectIdentifiers.netscapeCertType, false, netscapeType);

        KeyUsage usage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment);
        certificateBuilder.addExtension(X509Extension.keyUsage, true, usage);

        KeyPurposeId[] purposes = { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth };
        certificateBuilder.addExtension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(purposes));
    }

    // SIGALG is the class-level signature algorithm name
    ContentSigner signer = new JcaContentSignerBuilder(SIGALG).build(caKey);
    X509CertificateHolder holder = certificateBuilder.build(signer);

    /*
     * Re-parse through the default provider's CertificateFactory: a certificate
     * object backed by BouncyCastle can cause trouble with the CertPath validator,
     * so the caller receives one produced by the default security provider.
     */
    CertificateFactory factory = CertificateFactory.getInstance("X.509");
    ByteArrayInputStream encoded = new ByteArrayInputStream(holder.getEncoded());
    return (X509Certificate) factory.generateCertificate(encoded);
}