Example usage for org.bouncycastle.openssl.jcajce JcaPEMWriter writeObject

List of usage examples for org.bouncycastle.openssl.jcajce JcaPEMWriter writeObject

  1. HOME
  2. Java
  3. org.bouncycastle
  4. org.bouncycastle.openssl.jcajce.*
  5. JcaPEMWriter
  6. writeObject

Introduction

In this page you can find the example usage for org.bouncycastle.openssl.jcajce JcaPEMWriter writeObject.

Prototype

public void writeObject(Object obj, PEMEncryptor encryptor) throws IOException

Source Link

Usage

From source file:com.gitblit.utils.X509Utils.java

License:Apache License

/**
 * Creates a new client certificate PKCS#12 and PEM store.  Any existing
 * stores are destroyed.//w w w.jav  a2s .  c om
 *
 * @param clientMetadata a container for dynamic parameters needed for generation
 * @param caKeystoreFile
 * @param caKeystorePassword
 * @param targetFolder
 * @return
 */
public static X509Certificate newClientCertificate(X509Metadata clientMetadata, PrivateKey caPrivateKey,
        X509Certificate caCert, File targetFolder) {
    try {
        KeyPair pair = newKeyPair();

        X500Name userDN = buildDistinguishedName(clientMetadata);
        X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName());

        // create a new certificate signed by the Gitblit CA certificate
        X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerDN,
                BigInteger.valueOf(System.currentTimeMillis()), clientMetadata.notBefore,
                clientMetadata.notAfter, userDN, pair.getPublic());

        JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
        certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false,
                extUtils.createSubjectKeyIdentifier(pair.getPublic()));
        certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false));
        certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false,
                extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));
        certBuilder.addExtension(X509Extension.keyUsage, true,
                new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature));
        if (!StringUtils.isEmpty(clientMetadata.emailAddress)) {
            GeneralNames subjectAltName = new GeneralNames(
                    new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress));
            certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName);
        }

        ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC)
                .build(caPrivateKey);

        X509Certificate userCert = new JcaX509CertificateConverter().setProvider(BC)
                .getCertificate(certBuilder.build(signer));
        PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) pair.getPrivate();
        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
                extUtils.createSubjectKeyIdentifier(pair.getPublic()));

        // confirm the validity of the user certificate
        userCert.checkValidity();
        userCert.verify(caCert.getPublicKey());
        userCert.getIssuerDN().equals(caCert.getSubjectDN());

        // verify user certificate chain
        verifyChain(userCert, caCert);

        targetFolder.mkdirs();

        // save certificate, stamped with unique name
        String date = new SimpleDateFormat("yyyyMMdd").format(new Date());
        String id = date;
        File certFile = new File(targetFolder, id + ".cer");
        int count = 0;
        while (certFile.exists()) {
            id = date + "_" + Character.toString((char) (0x61 + count));
            certFile = new File(targetFolder, id + ".cer");
            count++;
        }

        // save user private key, user certificate and CA certificate to a PKCS#12 store
        File p12File = new File(targetFolder, clientMetadata.commonName + ".p12");
        if (p12File.exists()) {
            p12File.delete();
        }
        KeyStore userStore = openKeyStore(p12File, clientMetadata.password);
        userStore.setKeyEntry(
                MessageFormat.format("Gitblit ({0}) {1} {2}", clientMetadata.serverHostname,
                        clientMetadata.userDisplayname, id),
                pair.getPrivate(), null, new Certificate[] { userCert });
        userStore.setCertificateEntry(
                MessageFormat.format("Gitblit ({0}) Certificate Authority", clientMetadata.serverHostname),
                caCert);
        saveKeyStore(p12File, userStore, clientMetadata.password);

        // save user private key, user certificate, and CA certificate to a PEM store
        File pemFile = new File(targetFolder, clientMetadata.commonName + ".pem");
        if (pemFile.exists()) {
            pemFile.delete();
        }
        JcePEMEncryptorBuilder builder = new JcePEMEncryptorBuilder("DES-EDE3-CBC");
        builder.setSecureRandom(new SecureRandom());
        PEMEncryptor pemEncryptor = builder.build(clientMetadata.password.toCharArray());
        JcaPEMWriter pemWriter = new JcaPEMWriter(new FileWriter(pemFile));
        pemWriter.writeObject(pair.getPrivate(), pemEncryptor);
        pemWriter.writeObject(userCert);
        pemWriter.writeObject(caCert);
        pemWriter.flush();
        pemWriter.close();

        // save certificate after successfully creating the key stores
        saveCertificate(userCert, certFile);

        // update serial number in metadata object
        clientMetadata.serialNumber = userCert.getSerialNumber().toString();

        return userCert;
    } catch (Throwable t) {
        throw new RuntimeException("Failed to generate client certificate!", t);
    }
}