List of usage examples for org.bouncycastle.cert X509CertificateHolder getSerialNumber
public BigInteger getSerialNumber()
From source file:AAModulePackage.ACHelper.java
/** * Checks to see if the X.509 ID Certificate "Owns" the AC. * @param ac - X.509 Attribute Certificate * @param associatedCert - "Owner's" ID Certificate. * @return - True if the ID Cert "owns" the AC, False otherwise. *///from www. ja v a 2s . c o m public static boolean checkAssociatedCertificate(X509AttributeCertificateHolder ac, X509CertificateHolder associatedCert) { BigInteger acSerial = ac.getHolder().getSerialNumber(); if (acSerial.equals(associatedCert.getSerialNumber())) { return true; } return false; }
From source file:edu.nps.moves.mmowgli.CACManager.java
License:Open Source License
private static void parseCert(String cert, CACData data) { cert = cert.replace(' ', '\r'); cert = cert.replace("BEGIN\rCERTIFICATE", "BEGIN CERTIFICATE"); cert = cert.replace("END\rCERTIFICATE", "END CERTIFICATE"); PEMParser pr = new PEMParser(new StringReader(cert)); try {/* w w w . jav a 2s . c o m*/ Object o = pr.readObject(); pr.close(); if (o instanceof X509CertificateHolder) { X509CertificateHolder x509 = (X509CertificateHolder) o; X500Name x500name = x509.getSubject(); RDN cnRdns[] = x500name.getRDNs(BCStyle.CN); String cn = IETFUtils.valueToString(cnRdns[0].getFirst().getValue()); parseCN(cn, data); GeneralNames gns = GeneralNames.fromExtensions(x509.getExtensions(), Extension.subjectAlternativeName); if (gns != null) { GeneralName[] subjectAltNames = gns.getNames(); for (GeneralName gn : subjectAltNames) { if (gn.getTagNo() == GeneralName.rfc822Name) { // check for email String s = DERIA5String.getInstance(gn.getName()).getString(); if (s.contains("@")) { data.userEmail = s; break; } } } } // Create the unique card identifier (issuer+serial) which when hashed goes into the database for quick login String uniqueCertId = x509.getIssuer().toString() + " " + x509.getSerialNumber().toString(); MessageDigest md = MessageDigest.getInstance("SHA-256"); md.update(uniqueCertId.getBytes("UTF-8")); // or UTF-16 byte[] digest = md.digest(); data.cacId = Hex.encodeHexString(digest); /* Alternatively, this will do a salted hash, but the output is not the same for the same input; better security * but the login performance would be bad since the user list has to be polled instead of indexed try { data.cacId = PasswordHash.createHash(uniqueCertId); } catch(Exception ex) { MSysOut.println(MmowgliConstants.SYSTEM_LOGS,"Program error, could not create CAC hash; auto-login disabled"); data.cacId = null; } System.out.println("data cacId: "+data.cacId); */ } } catch (IOException | NoSuchAlgorithmException ex) { MSysOut.println(MmowgliConstants.SYSTEM_LOGS, ex.getClass().getSimpleName() + ": Program error, could not parse CAC"); data.cacId = null; data.isCACPresent = false; } // Some informational stuff /* this gives same info as the x509 methods below RDN rdns[] = x500name.getRDNs(); for(RDN rdn : rdns) { AttributeTypeAndValue[] tandV = rdn.getTypesAndValues(); for(AttributeTypeAndValue tv : tandV) { System.out.println(tv.getType()); System.out.println(IETFUtils.valueToString(tv.getType())); System.out.println(tv.getValue()); System.out.println(IETFUtils.valueToString(tv.getValue())); } } */ /* System.out.println("X509 version: "+x509.getVersionNumber()); System.out.println("X509 Serial num: "+x509.getSerialNumber()); System.out.println("X509 Sig algo: "+x509.getSignatureAlgorithm().getAlgorithm().toASN1Primitive()); System.out.println("X509 Issuer: "+x509.getIssuer()); System.out.println("X509 Not before: "+x509.getNotBefore()); System.out.println("X509 Not after: "+x509.getNotAfter()); System.out.println("X509 Subject: "+x509.getSubject()); System.out.println("X509 Subject Public Key Info: "+x509.getSubjectPublicKeyInfo().getAlgorithm().getAlgorithm()); */ /* System.out.println("CriticalExtensionOIDs: "); Set<?> set = x509.getCriticalExtensionOIDs(); Iterator<?> itr = set.iterator(); while(itr.hasNext()) { ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)itr.next(); System.out.println(oid.toString()+" : "+x509.getExtension(oid).getParsedValue()); } System.out.println("NonCriticalExtensionOIDs: "); set = x509.getNonCriticalExtensionOIDs(); itr = set.iterator(); while(itr.hasNext()) { ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)itr.next(); System.out.println(oid.toString()+" : "+x509.getExtension(oid).getParsedValue()); } System.out.println("Other api: getExtensionOIDs"); List<?> lis = x509.getExtensionOIDs(); itr = lis.iterator(); while(itr.hasNext()) { ASN1ObjectIdentifier oid = (ASN1ObjectIdentifier)itr.next(); System.out.println(oid.toString()+" : "+x509.getExtension(oid).getParsedValue()); } System.out.println("From the extensions \"block\""); Extensions exts = x509.getExtensions(); ASN1ObjectIdentifier[] ids = exts.getExtensionOIDs(); for(ASN1ObjectIdentifier oid : ids) { org.bouncycastle.asn1.x509.Extension ext = exts.getExtension(oid); System.out.println(oid.toString()+": "+IETFUtils.valueToString(ext.getParsedValue())); } // */ }
From source file:esteidhacker.FakeEstEIDCA.java
License:Open Source License
private X509Certificate makeRootCert(KeyPair kp) throws InvalidKeyException, IllegalStateException, NoSuchProviderException, SignatureException, IOException, NoSuchAlgorithmException, ParseException, OperatorCreationException, CertificateException { // Load real root certificate X509CertificateHolder real = getRealCert("/resources/sk-root.pem"); // Use values from real certificate // TODO/FIXME: GeneralizedTime instead of UTCTime for root JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(real.getIssuer(), real.getSerialNumber(), real.getNotBefore(), real.getNotAfter(), real.getSubject(), kp.getPublic()); @SuppressWarnings("unchecked") List<ASN1ObjectIdentifier> list = real.getExtensionOIDs(); // Copy all extensions verbatim for (ASN1ObjectIdentifier extoid : list) { Extension ext = real.getExtension(extoid); builder.copyAndAddExtension(ext.getExtnId(), ext.isCritical(), real); }//from www. ja va 2 s . co m // Generate cert ContentSigner sigGen = new JcaContentSignerBuilder("SHA1withRSA") .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(kp.getPrivate()); X509CertificateHolder cert = builder.build(sigGen); return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME) .getCertificate(cert); }
From source file:esteidhacker.FakeEstEIDCA.java
License:Open Source License
private X509Certificate makeEsteidCert(KeyPair esteid, KeyPair root) throws InvalidKeyException, IllegalStateException, NoSuchProviderException, SignatureException, IOException, NoSuchAlgorithmException, ParseException, OperatorCreationException, CertificateException { // Load current root certificate X509CertificateHolder real = getRealCert("/resources/sk-esteid.pem"); JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(real.getIssuer(), real.getSerialNumber(), real.getNotBefore(), real.getNotAfter(), real.getSubject(), esteid.getPublic());/*from w ww . j av a 2 s . com*/ // Basic constraints @SuppressWarnings("unchecked") List<ASN1ObjectIdentifier> list = real.getExtensionOIDs(); // Copy all extensions for (ASN1ObjectIdentifier extoid : list) { Extension ext = real.getExtension(extoid); builder.copyAndAddExtension(ext.getExtnId(), ext.isCritical(), real); } // Generate cert ContentSigner sigGen = new JcaContentSignerBuilder("SHA1withRSA") .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(root.getPrivate()); X509CertificateHolder cert = builder.build(sigGen); return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME) .getCertificate(cert); }
From source file:esteidhacker.FakeEstEIDCA.java
License:Open Source License
public X509Certificate generateUserCertificate(RSAPublicKey pubkey, boolean signature, String firstname, String lastname, String idcode, String email) throws InvalidKeyException, ParseException, IOException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, CertificateException, OperatorCreationException { Date startDate = new SimpleDateFormat("yyyy-MM-dd", Locale.ENGLISH).parse("2015-01-01"); Date endDate = new SimpleDateFormat("yyyy-MM-dd", Locale.ENGLISH).parse("2015-12-31"); String template = "C=EE,O=ESTEID,OU=%s,CN=%s\\,%s\\,%s,SURNAME=%s,GIVENNAME=%s,SERIALNUMBER=%s"; // Normalize. lastname = lastname.toUpperCase();//ww w. j av a2 s.c om firstname = firstname.toUpperCase(); idcode = idcode.toUpperCase(); email = email.toLowerCase(); String subject = String.format(template, (signature ? "digital signature" : "authentication"), lastname, firstname, idcode, lastname, firstname, idcode); byte[] serialBytes = new byte[16]; SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG"); rnd.nextBytes(serialBytes); serialBytes[0] &= 0x7F; // Can't be negative BigInteger serial = new BigInteger(serialBytes); X509CertificateHolder real; if (signature) { real = getRealCert("/resources/sk-sign.pem"); } else { real = getRealCert("/resources/sk-auth.pem"); } serial = real.getSerialNumber(); System.out.println("Generating from subject: " + real.getSubject()); System.out.println("Generating subject: " + new X500Name(subject).toString()); JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(real.getIssuer(), serial, startDate, endDate, new X500Name(subject), pubkey); @SuppressWarnings("unchecked") List<ASN1ObjectIdentifier> list = real.getExtensionOIDs(); // Copy all extensions, except altName for (ASN1ObjectIdentifier extoid : list) { Extension ext = real.getExtension(extoid); if (ext.getExtnId().equals(Extension.subjectAlternativeName)) { // altName must be changed builder.addExtension(ext.getExtnId(), ext.isCritical(), new GeneralNames(new GeneralName(GeneralName.rfc822Name, email))); } else { builder.copyAndAddExtension(ext.getExtnId(), ext.isCritical(), real); } } // Generate cert ContentSigner sigGen = new JcaContentSignerBuilder("SHA1withRSA") .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(esteidKey); X509CertificateHolder cert = builder.build(sigGen); return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME) .getCertificate(cert); }
From source file:org.apache.jmeter.assertions.SMIMEAssertion.java
License:Apache License
private static AssertionResult verifySignature(SMIMEAssertionTestElement testElement, SMIMESignedParser s, String name) throws CMSException { AssertionResult res = new AssertionResult(name); try {/*w w w. j av a2 s .c o m*/ Store certs = s.getCertificates(); SignerInformationStore signers = s.getSignerInfos(); Iterator<?> signerIt = signers.getSigners().iterator(); if (signerIt.hasNext()) { SignerInformation signer = (SignerInformation) signerIt.next(); Iterator<?> certIt = certs.getMatches(signer.getSID()).iterator(); if (certIt.hasNext()) { // the signer certificate X509CertificateHolder cert = (X509CertificateHolder) certIt.next(); if (testElement.isVerifySignature()) { SignerInformationVerifier verifier = null; try { verifier = new JcaSimpleSignerInfoVerifierBuilder().setProvider("BC").build(cert); } catch (OperatorCreationException e) { log.error("Can't create a provider", e); } if (verifier == null || !signer.verify(verifier)) { res.setFailure(true); res.setFailureMessage("Signature is invalid"); } } if (testElement.isSignerCheckConstraints()) { StringBuilder failureMessage = new StringBuilder(); String serial = testElement.getSignerSerial(); if (!JOrphanUtils.isBlank(serial)) { BigInteger serialNbr = readSerialNumber(serial); if (!serialNbr.equals(cert.getSerialNumber())) { res.setFailure(true); failureMessage.append("Serial number ").append(serialNbr) .append(" does not match serial from signer certificate: ") .append(cert.getSerialNumber()).append("\n"); } } String email = testElement.getSignerEmail(); if (!JOrphanUtils.isBlank(email)) { List<String> emailFromCert = getEmailFromCert(cert); if (!emailFromCert.contains(email)) { res.setFailure(true); failureMessage.append("Email address \"").append(email) .append("\" not present in signer certificate\n"); } } String subject = testElement.getSignerDn(); if (subject.length() > 0) { final X500Name certPrincipal = cert.getSubject(); log.debug("DN from cert: " + certPrincipal.toString()); X500Name principal = new X500Name(subject); log.debug("DN from assertion: " + principal.toString()); if (!principal.equals(certPrincipal)) { res.setFailure(true); failureMessage.append("Distinguished name of signer certificate does not match \"") .append(subject).append("\"\n"); } } String issuer = testElement.getIssuerDn(); if (issuer.length() > 0) { final X500Name issuerX500Name = cert.getIssuer(); log.debug("IssuerDN from cert: " + issuerX500Name.toString()); X500Name principal = new X500Name(issuer); log.debug("IssuerDN from assertion: " + principal); if (!principal.equals(issuerX500Name)) { res.setFailure(true); failureMessage .append("Issuer distinguished name of signer certificate does not match \"") .append(subject).append("\"\n"); } } if (failureMessage.length() > 0) { res.setFailureMessage(failureMessage.toString()); } } if (testElement.isSignerCheckByFile()) { CertificateFactory cf = CertificateFactory.getInstance("X.509"); X509CertificateHolder certFromFile; InputStream inStream = null; try { inStream = new BufferedInputStream( new FileInputStream(testElement.getSignerCertFile())); certFromFile = new JcaX509CertificateHolder( (X509Certificate) cf.generateCertificate(inStream)); } finally { IOUtils.closeQuietly(inStream); } if (!certFromFile.equals(cert)) { res.setFailure(true); res.setFailureMessage("Signer certificate does not match certificate " + testElement.getSignerCertFile()); } } } else { res.setFailure(true); res.setFailureMessage("No signer certificate found in signature"); } } // TODO support multiple signers if (signerIt.hasNext()) { log.warn("SMIME message contains multiple signers! Checking multiple signers is not supported."); } } catch (GeneralSecurityException e) { log.error(e.getMessage(), e); res.setError(true); res.setFailureMessage(e.getMessage()); } catch (FileNotFoundException e) { res.setFailure(true); res.setFailureMessage("certificate file not found: " + e.getMessage()); } return res; }
From source file:org.apache.poi.poifs.crypt.dsig.services.TSPTimeStampService.java
License:Apache License
@SuppressWarnings("unchecked") public byte[] timeStamp(byte[] data, RevocationData revocationData) throws Exception { // digest the message MessageDigest messageDigest = CryptoFunctions.getMessageDigest(signatureConfig.getTspDigestAlgo()); byte[] digest = messageDigest.digest(data); // generate the TSP request BigInteger nonce = new BigInteger(128, new SecureRandom()); TimeStampRequestGenerator requestGenerator = new TimeStampRequestGenerator(); requestGenerator.setCertReq(true);//from ww w .j a v a2 s .c o m String requestPolicy = signatureConfig.getTspRequestPolicy(); if (requestPolicy != null) { requestGenerator.setReqPolicy(new ASN1ObjectIdentifier(requestPolicy)); } ASN1ObjectIdentifier digestAlgoOid = mapDigestAlgoToOID(signatureConfig.getTspDigestAlgo()); TimeStampRequest request = requestGenerator.generate(digestAlgoOid, digest, nonce); byte[] encodedRequest = request.getEncoded(); // create the HTTP POST request Proxy proxy = Proxy.NO_PROXY; if (signatureConfig.getProxyUrl() != null) { URL proxyUrl = new URL(signatureConfig.getProxyUrl()); String host = proxyUrl.getHost(); int port = proxyUrl.getPort(); proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(host, (port == -1 ? 80 : port))); } HttpURLConnection huc = (HttpURLConnection) new URL(signatureConfig.getTspUrl()).openConnection(proxy); if (signatureConfig.getTspUser() != null) { String userPassword = signatureConfig.getTspUser() + ":" + signatureConfig.getTspPass(); String encoding = DatatypeConverter .printBase64Binary(userPassword.getBytes(Charset.forName("iso-8859-1"))); huc.setRequestProperty("Authorization", "Basic " + encoding); } huc.setRequestMethod("POST"); huc.setConnectTimeout(20000); huc.setReadTimeout(20000); huc.setDoOutput(true); // also sets method to POST. huc.setRequestProperty("User-Agent", signatureConfig.getUserAgent()); huc.setRequestProperty("Content-Type", signatureConfig.isTspOldProtocol() ? "application/timestamp-request" : "application/timestamp-query"); // "; charset=ISO-8859-1"); OutputStream hucOut = huc.getOutputStream(); hucOut.write(encodedRequest); // invoke TSP service huc.connect(); int statusCode = huc.getResponseCode(); if (statusCode != 200) { LOG.log(POILogger.ERROR, "Error contacting TSP server ", signatureConfig.getTspUrl()); throw new IOException("Error contacting TSP server " + signatureConfig.getTspUrl()); } // HTTP input validation String contentType = huc.getHeaderField("Content-Type"); if (null == contentType) { throw new RuntimeException("missing Content-Type header"); } ByteArrayOutputStream bos = new ByteArrayOutputStream(); IOUtils.copy(huc.getInputStream(), bos); LOG.log(POILogger.DEBUG, "response content: ", bos.toString()); if (!contentType.startsWith(signatureConfig.isTspOldProtocol() ? "application/timestamp-response" : "application/timestamp-reply")) { throw new RuntimeException("invalid Content-Type: " + contentType); } if (bos.size() == 0) { throw new RuntimeException("Content-Length is zero"); } // TSP response parsing and validation TimeStampResponse timeStampResponse = new TimeStampResponse(bos.toByteArray()); timeStampResponse.validate(request); if (0 != timeStampResponse.getStatus()) { LOG.log(POILogger.DEBUG, "status: " + timeStampResponse.getStatus()); LOG.log(POILogger.DEBUG, "status string: " + timeStampResponse.getStatusString()); PKIFailureInfo failInfo = timeStampResponse.getFailInfo(); if (null != failInfo) { LOG.log(POILogger.DEBUG, "fail info int value: " + failInfo.intValue()); if (/*PKIFailureInfo.unacceptedPolicy*/(1 << 8) == failInfo.intValue()) { LOG.log(POILogger.DEBUG, "unaccepted policy"); } } throw new RuntimeException("timestamp response status != 0: " + timeStampResponse.getStatus()); } TimeStampToken timeStampToken = timeStampResponse.getTimeStampToken(); SignerId signerId = timeStampToken.getSID(); BigInteger signerCertSerialNumber = signerId.getSerialNumber(); X500Name signerCertIssuer = signerId.getIssuer(); LOG.log(POILogger.DEBUG, "signer cert serial number: " + signerCertSerialNumber); LOG.log(POILogger.DEBUG, "signer cert issuer: " + signerCertIssuer); // TSP signer certificates retrieval Collection<X509CertificateHolder> certificates = timeStampToken.getCertificates().getMatches(null); X509CertificateHolder signerCert = null; Map<X500Name, X509CertificateHolder> certificateMap = new HashMap<X500Name, X509CertificateHolder>(); for (X509CertificateHolder certificate : certificates) { if (signerCertIssuer.equals(certificate.getIssuer()) && signerCertSerialNumber.equals(certificate.getSerialNumber())) { signerCert = certificate; } certificateMap.put(certificate.getSubject(), certificate); } // TSP signer cert path building if (signerCert == null) { throw new RuntimeException("TSP response token has no signer certificate"); } List<X509Certificate> tspCertificateChain = new ArrayList<X509Certificate>(); JcaX509CertificateConverter x509converter = new JcaX509CertificateConverter(); x509converter.setProvider("BC"); X509CertificateHolder certificate = signerCert; do { LOG.log(POILogger.DEBUG, "adding to certificate chain: " + certificate.getSubject()); tspCertificateChain.add(x509converter.getCertificate(certificate)); if (certificate.getSubject().equals(certificate.getIssuer())) { break; } certificate = certificateMap.get(certificate.getIssuer()); } while (null != certificate); // verify TSP signer signature X509CertificateHolder holder = new X509CertificateHolder(tspCertificateChain.get(0).getEncoded()); DefaultCMSSignatureAlgorithmNameGenerator nameGen = new DefaultCMSSignatureAlgorithmNameGenerator(); DefaultSignatureAlgorithmIdentifierFinder sigAlgoFinder = new DefaultSignatureAlgorithmIdentifierFinder(); DefaultDigestAlgorithmIdentifierFinder hashAlgoFinder = new DefaultDigestAlgorithmIdentifierFinder(); BcDigestCalculatorProvider calculator = new BcDigestCalculatorProvider(); BcRSASignerInfoVerifierBuilder verifierBuilder = new BcRSASignerInfoVerifierBuilder(nameGen, sigAlgoFinder, hashAlgoFinder, calculator); SignerInformationVerifier verifier = verifierBuilder.build(holder); timeStampToken.validate(verifier); // verify TSP signer certificate if (signatureConfig.getTspValidator() != null) { signatureConfig.getTspValidator().validate(tspCertificateChain, revocationData); } LOG.log(POILogger.DEBUG, "time-stamp token time: " + timeStampToken.getTimeStampInfo().getGenTime()); byte[] timestamp = timeStampToken.getEncoded(); return timestamp; }
From source file:org.codice.ddf.security.certificate.generator.CertificateSigningRequestTest.java
License:Open Source License
@Test public void testNewCertificateBuilderWithoutSan() throws Exception { final DateTime start = DateTime.now().minusDays(1); final DateTime end = start.plusYears(100); final KeyPair kp = makeKeyPair(); csr.setSerialNumber(1);/*from w w w .j a va 2s . com*/ csr.setNotBefore(start); csr.setNotAfter(end); csr.setCommonName("A"); csr.setSubjectKeyPair(kp); final X509Certificate issuerCert = mock(X509Certificate.class); doReturn(new X500Principal("CN=Duke, OU=JavaSoft, O=Sun Microsystems, C=US")).when(issuerCert) .getSubjectX500Principal(); final JcaX509v3CertificateBuilder builder = csr.newCertificateBuilder(issuerCert); final X509CertificateHolder holder = builder.build(new DemoCertificateAuthority().getContentSigner()); assertThat(holder.getSerialNumber(), equalTo(BigInteger.ONE)); assertThat(holder.getNotBefore(), equalTo(new Time(start.toDate()).getDate())); assertThat(holder.getNotAfter(), equalTo(new Time(end.toDate()).getDate())); assertThat(holder.getSubject().toString(), equalTo("cn=A")); assertThat("Unable to validate public key", holder.getSubjectPublicKeyInfo(), equalTo(SubjectPublicKeyInfo.getInstance(kp.getPublic().getEncoded()))); assertThat("There should be no subject alternative name extension", holder.getExtension(org.bouncycastle.asn1.x509.Extension.subjectAlternativeName), nullValue(org.bouncycastle.asn1.x509.Extension.class)); }
From source file:org.codice.ddf.security.certificate.generator.CertificateSigningRequestTest.java
License:Open Source License
@Test public void testNewCertificateBuilderWithSan() throws Exception { final DateTime start = DateTime.now().minusDays(1); final DateTime end = start.plusYears(100); final KeyPair kp = makeKeyPair(); csr.setSerialNumber(1);/* w ww.j ava2 s .c o m*/ csr.setNotBefore(start); csr.setNotAfter(end); csr.setCommonName("A"); csr.setSubjectKeyPair(kp); csr.addSubjectAlternativeNames("IP:1.2.3.4", "DNS:A"); final X509Certificate issuerCert = mock(X509Certificate.class); doReturn(new X500Principal("CN=Duke, OU=JavaSoft, O=Sun Microsystems, C=US")).when(issuerCert) .getSubjectX500Principal(); final JcaX509v3CertificateBuilder builder = csr.newCertificateBuilder(issuerCert); final X509CertificateHolder holder = builder.build(new DemoCertificateAuthority().getContentSigner()); assertThat(holder.getSerialNumber(), equalTo(BigInteger.ONE)); assertThat(holder.getNotBefore(), equalTo(new Time(start.toDate()).getDate())); assertThat(holder.getNotAfter(), equalTo(new Time(end.toDate()).getDate())); assertThat(holder.getSubject().toString(), equalTo("cn=A")); assertThat("Unable to validate public key", holder.getSubjectPublicKeyInfo(), equalTo(SubjectPublicKeyInfo.getInstance(kp.getPublic().getEncoded()))); final org.bouncycastle.asn1.x509.Extension csn = holder .getExtension(org.bouncycastle.asn1.x509.Extension.subjectAlternativeName); assertThat(csn.getParsedValue().toASN1Primitive().getEncoded(ASN1Encoding.DER), equalTo(new GeneralNamesBuilder().addName(new GeneralName(GeneralName.iPAddress, "1.2.3.4")) .addName(new GeneralName(GeneralName.dNSName, "A")).build().getEncoded(ASN1Encoding.DER))); }
From source file:org.cryptable.pki.communication.PKICMPMessages.java
License:Open Source License
/** * Update a certification request with local key generation * * @param certificate to be updated/*w ww . j a va2s . co m*/ * @return return the binary ASN.1 message for a certification request * @throws CertificateEncodingException * @throws CMSException * @throws CRMFException * @throws OperatorCreationException * @throws CMPException * @throws IOException */ public byte[] createKeyUpdateMessageWithLocalKey(X509Certificate certificate, KeyPair keyPair) throws CertificateEncodingException, CMSException, CRMFException, OperatorCreationException, CMPException, IOException, PKICMPMessageException, NoSuchFieldException, IllegalAccessException { JcaCertificateRequestMessageBuilder certReqBuild = new JcaCertificateRequestMessageBuilder(BigInteger.ZERO); X509CertificateHolder x509CertificateHolder = new JcaX509CertificateHolder(certificate); certReqBuild.setSubject(x509CertificateHolder.getSubject()); certReqBuild.setIssuer(x509CertificateHolder.getIssuer()); certReqBuild.setSerialNumber(x509CertificateHolder.getSerialNumber()); if (keyPair != null) { certReqBuild.setPublicKey(keyPair.getPublic()); if (keyPair.getPrivate() != null) { certReqBuild.addControl( new JcaPKIArchiveControlBuilder(keyPair.getPrivate(), x509CertificateHolder.getIssuer()) .addRecipientGenerator( new JceKeyTransRecipientInfoGenerator(pkiKeyStore.getRecipientCertificate()) .setProvider(pkiKeyStore.getProvider())) .build(new JceCMSContentEncryptorBuilder( new ASN1ObjectIdentifier(CMSEnvelopedDataGenerator.DES_EDE3_CBC)) .setProvider(pkiKeyStore.getProvider()).build())); } } else certReqBuild.setPublicKey(x509CertificateHolder.getSubjectPublicKeyInfo()); if (extensions != null) { for (Extension extension : extensions) certReqBuild.addExtension(extension.getExtnId(), extension.isCritical(), extension.getParsedValue()); } else { if (x509CertificateHolder.getExtensions() != null) { for (ASN1ObjectIdentifier oid : x509CertificateHolder.getExtensions().getExtensionOIDs()) { certReqBuild.addExtension(oid, x509CertificateHolder.getExtensions().getExtension(oid).isCritical(), x509CertificateHolder.getExtensions().getExtensionParsedValue(oid)); } } } OptionalValidity tempOptionalValidity; if (optionalValidity != null) { tempOptionalValidity = optionalValidity; } else { tempOptionalValidity = new OptionalValidity(new Time(x509CertificateHolder.getNotBefore()), new Time(x509CertificateHolder.getNotAfter())); } Field field = certReqBuild.getClass().getSuperclass().getDeclaredField("templateBuilder"); field.setAccessible(true); CertTemplateBuilder certTemplateBuilder = (CertTemplateBuilder) field.get(certReqBuild); certTemplateBuilder.setValidity(tempOptionalValidity); CertReqMessages certReqMsgs = new CertReqMessages(certReqBuild.build().toASN1Structure()); return createProtectedPKIMessage(new PKIBody(PKIBody.TYPE_KEY_UPDATE_REQ, certReqMsgs)); }