List of usage examples for org.bouncycastle.operator.jcajce JcaContentSignerBuilder JcaContentSignerBuilder
public JcaContentSignerBuilder(String signatureAlgorithm)
From source file:com.yahoo.athenz.auth.util.Crypto.java
License:Apache License
public static X509Certificate generateX509Certificate(PKCS10CertificationRequest certReq, PrivateKey caPrivateKey, X500Name issuer, int validityTimeout, boolean basicConstraints) { // set validity for the given number of minutes from now Date notBefore = new Date(); Calendar cal = Calendar.getInstance(); cal.setTime(notBefore);//ww w .j av a2 s. c o m cal.add(Calendar.MINUTE, validityTimeout); Date notAfter = cal.getTime(); // Generate self-signed certificate X509Certificate cert = null; try { JcaPKCS10CertificationRequest jcaPKCS10CertificationRequest = new JcaPKCS10CertificationRequest( certReq); PublicKey publicKey = jcaPKCS10CertificationRequest.getPublicKey(); X509v3CertificateBuilder caBuilder = new JcaX509v3CertificateBuilder(issuer, BigInteger.valueOf(System.currentTimeMillis()), notBefore, notAfter, certReq.getSubject(), publicKey) .addExtension(Extension.basicConstraints, false, new BasicConstraints(basicConstraints)) .addExtension(Extension.keyUsage, true, new X509KeyUsage(X509KeyUsage.digitalSignature | X509KeyUsage.keyEncipherment)) .addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth })); // see if we have the dns/rfc822/ip address extensions specified in the csr ArrayList<GeneralName> altNames = new ArrayList<>(); Attribute[] certAttributes = jcaPKCS10CertificationRequest .getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest); if (certAttributes != null && certAttributes.length > 0) { for (Attribute attribute : certAttributes) { Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0)); GeneralNames gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName); if (gns == null) { continue; } GeneralName[] names = gns.getNames(); for (int i = 0; i < names.length; i++) { switch (names[i].getTagNo()) { case GeneralName.dNSName: case GeneralName.iPAddress: case GeneralName.rfc822Name: altNames.add(names[i]); break; } } } if (!altNames.isEmpty()) { caBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(altNames.toArray(new GeneralName[altNames.size()]))); } } String signatureAlgorithm = getSignatureAlgorithm(caPrivateKey.getAlgorithm(), SHA256); ContentSigner caSigner = new JcaContentSignerBuilder(signatureAlgorithm).setProvider(BC_PROVIDER) .build(caPrivateKey); JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BC_PROVIDER); cert = converter.getCertificate(caBuilder.build(caSigner)); } catch (CertificateException ex) { LOG.error("generateX509Certificate: Caught CertificateException when generating certificate: " + ex.getMessage()); throw new CryptoException(ex); } catch (OperatorCreationException ex) { LOG.error( "generateX509Certificate: Caught OperatorCreationException when creating JcaContentSignerBuilder: " + ex.getMessage()); throw new CryptoException(ex); } catch (InvalidKeyException ex) { LOG.error("generateX509Certificate: Caught InvalidKeySpecException, invalid key spec is being used: " + ex.getMessage()); throw new CryptoException(ex); } catch (NoSuchAlgorithmException ex) { LOG.error( "generateX509Certificate: Caught NoSuchAlgorithmException, check to make sure the algorithm is supported by the provider: " + ex.getMessage()); throw new CryptoException(ex); } catch (Exception ex) { LOG.error("generateX509Certificate: unable to generate X509 Certificate: " + ex.getMessage()); throw new CryptoException("Unable to generate X509 Certificate"); } return cert; }
From source file:com.zotoh.crypto.Crypto.java
License:Open Source License
/** * From the given PKCS12 file, generate a corresponding PKCS7 file. * /*from ww w .j a v a 2s. com*/ * @param p12File * @param password * @param fileOut * @throws KeyStoreException * @throws NoSuchAlgorithmException * @throws UnrecoverableEntryException * @throws CertificateException * @throws IOException * @throws InvalidAlgorithmParameterException * @throws CertStoreException * @throws GeneralSecurityException */ public void exportPKCS7(File p12File, String password, File fileOut) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableEntryException, CertificateException, IOException, InvalidAlgorithmParameterException, CertStoreException, GeneralSecurityException { tstObjArg("pkcs7 output file", fileOut); tstObjArg("pkcs12 file", p12File); tstObjArg("password", password); KeyStore.PrivateKeyEntry key = loadPKCS12Key(p12File, password); Certificate[] cc = key.getCertificateChain(); List<Certificate> cl = CoreUte.asList(true, cc); DigestCalculatorProvider cp; try { cp = new JcaDigestCalculatorProviderBuilder().setProvider(getProvider()).build(); } catch (OperatorCreationException e) { throw new GeneralSecurityException(e); } JcaSignerInfoGeneratorBuilder bdr = new JcaSignerInfoGeneratorBuilder(cp); // "SHA1withRSA" ContentSigner cs; try { cs = new JcaContentSignerBuilder(CMSSignedDataGenerator.DIGEST_SHA512).setProvider(getProvider()) .build(key.getPrivateKey()); } catch (OperatorCreationException e) { throw new GeneralSecurityException(e); } CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); try { gen.addSignerInfoGenerator(bdr.build(cs, (X509Certificate) cc[0])); gen.addCertificates(new JcaCertStore(cl)); byte[] bits = gen.generate(CMSSignedDataGenerator.DATA, new CMSProcessableByteArray("Hello".getBytes()), false, getProvider(), false).getEncoded(); writeFile(fileOut, bits); } catch (OperatorCreationException e) { throw new GeneralSecurityException(e); } catch (CMSException e) { throw new GeneralSecurityException(e); } }
From source file:com.zotoh.crypto.Crypto.java
License:Open Source License
private Tuple createSSV1Cert(Provider pv, KeyPair keyPair, Date start, Date end, String dnStr, int keyLength, String algo) throws InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, CertificateException, NoSuchProviderException, GeneralSecurityException { // generate self-signed cert X500Principal dnName = new X500Principal(dnStr); PrivateKey prv = keyPair.getPrivate(); PublicKey pub = keyPair.getPublic(); X509Certificate cert;/*from ww w.j av a 2 s. c om*/ // self signed-> issuer is self JcaX509v1CertificateBuilder bdr = new JcaX509v1CertificateBuilder(dnName, getNextSerialNumber(), start, end, dnName, pub); ContentSigner cs; try { cs = new JcaContentSignerBuilder(algo).setProvider(pv).build(prv); } catch (OperatorCreationException e) { throw new GeneralSecurityException(e); } cert = new JcaX509CertificateConverter().setProvider(pv).getCertificate(bdr.build(cs)); cert.checkValidity(new Date()); cert.verify(pub); return new Tuple(cert, prv); }
From source file:com.zotoh.crypto.Crypto.java
License:Open Source License
private Tuple createSSV3Cert(Provider pv, KeyPair keyPair, Date start, Date end, String dnStr, Certificate issuer, PrivateKey issuerKey, int keyLength, String algo) throws InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, CertificateException, NoSuchProviderException, GeneralSecurityException { X500Principal subject = new X500Principal(dnStr); PrivateKey prv = keyPair.getPrivate(); PublicKey pub = keyPair.getPublic(); X509Certificate cert, top = (X509Certificate) issuer; JcaX509v3CertificateBuilder bdr = new JcaX509v3CertificateBuilder(top, getNextSerialNumber(), start, end, subject, pub);// w ww . j a va 2 s . c o m ContentSigner cs; try { cs = new JcaContentSignerBuilder(algo).setProvider(pv).build(issuerKey); } catch (OperatorCreationException e) { throw new GeneralSecurityException(e); } bdr.addExtension(X509Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(top)); bdr.addExtension(X509Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(pub)); cert = new JcaX509CertificateConverter().setProvider(pv).getCertificate(bdr.build(cs)); cert.checkValidity(new Date()); cert.verify(top.getPublicKey()); return new Tuple(cert, prv); }
From source file:com.zotoh.crypto.CryptoUte.java
License:Open Source License
/** * @param key//from ww w . j a v a 2 s. com * @param certs * @param algo * @param data * @return * @throws NoSuchAlgorithmException * @throws InvalidAlgorithmParameterException * @throws CertStoreException * @throws IOException * @throws CertificateEncodingException * @throws GeneralSecurityException */ public static byte[] pkcsDigSig(PrivateKey key, Certificate[] certs, SigningAlgo algo, StreamData data) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, CertStoreException, IOException, CertificateEncodingException, GeneralSecurityException { tstObjArg("input-content", data); tstObjArg("private-key", key); CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); Provider prov = Crypto.getInstance().getProvider(); List<Certificate> lst = asList(true, certs); CMSTypedData cms; X509Certificate cert = (X509Certificate) lst.get(0); try { ContentSigner cs = new JcaContentSignerBuilder(algo.toString()).setProvider(prov).build(key); JcaSignerInfoGeneratorBuilder bdr = new JcaSignerInfoGeneratorBuilder( new JcaDigestCalculatorProviderBuilder().setProvider(prov).build()); bdr.setDirectSignature(true); gen.addSignerInfoGenerator(bdr.build(cs, cert)); gen.addCertificates(new JcaCertStore(lst)); if (data.isDiskFile()) { cms = new CMSProcessableFile(data.getFileRef()); } else { cms = new CMSProcessableByteArray(data.getBytes()); } return gen.generate(cms, false).getEncoded(); } catch (OperatorCreationException e) { throw new GeneralSecurityException(e); } catch (CMSException e) { throw new GeneralSecurityException(e); } }
From source file:com.zotoh.crypto.CryptoUte.java
License:Open Source License
private static SMIMESignedGenerator makeSignerGentor(PrivateKey key, Certificate[] certs, SigningAlgo algo) throws CertStoreException, NoSuchAlgorithmException, InvalidAlgorithmParameterException, GeneralSecurityException, CertificateEncodingException { SMIMESignedGenerator gen = new SMIMESignedGenerator("base64"); List<Certificate> lst = asList(true, certs); ASN1EncodableVector signedAttrs = new ASN1EncodableVector(); SMIMECapabilityVector caps = new SMIMECapabilityVector(); caps.addCapability(SMIMECapability.dES_EDE3_CBC); caps.addCapability(SMIMECapability.rC2_CBC, 128); caps.addCapability(SMIMECapability.dES_CBC); signedAttrs.add(new SMIMECapabilitiesAttribute(caps)); X509Certificate x0 = (X509Certificate) certs[0]; X509Certificate issuer = x0;//from w ww .ja va2 s. c o m X500Principal issuerDN; if (certs.length > 1) { issuer = (X509Certificate) certs[1]; } issuerDN = issuer.getSubjectX500Principal(); x0 = (X509Certificate) certs[0]; // // add an encryption key preference for encrypted responses - // normally this would be different from the signing certificate... // IssuerAndSerialNumber issAndSer = new IssuerAndSerialNumber(X500Name.getInstance(issuerDN.getEncoded()), x0.getSerialNumber()); Provider prov = Crypto.getInstance().getProvider(); signedAttrs.add(new SMIMEEncryptionKeyPreferenceAttribute(issAndSer)); try { JcaSignerInfoGeneratorBuilder bdr = new JcaSignerInfoGeneratorBuilder( new JcaDigestCalculatorProviderBuilder().setProvider(prov).build()); bdr.setDirectSignature(true); ContentSigner cs = new JcaContentSignerBuilder(algo.toString()).setProvider(prov).build(key); bdr.setSignedAttributeGenerator( new DefaultSignedAttributeTableGenerator(new AttributeTable(signedAttrs))); gen.addSignerInfoGenerator(bdr.build(cs, x0)); gen.addCertificates(new JcaCertStore(lst)); return gen; } catch (OperatorCreationException e) { throw new GeneralSecurityException(e); } }
From source file:Controllers.OCSPController.java
License:Apache License
/** * Method to do OCSP response to client. * * @param requestBytes//from w w w . ja va2 s . com * @param mode * * @return * * @throws NotImplementedException */ private byte[] processOcspRequest(byte[] requestBytes, OCSP_PROCESS_MODE mode) throws NotImplementedException { try { // get request info OCSPReq ocspRequest = new OCSPReq(requestBytes); X509CertificateHolder[] requestCerts = ocspRequest.getCerts(); Req[] requestList = ocspRequest.getRequestList(); // setup response BasicOCSPRespBuilder responseBuilder = new BasicOCSPRespBuilder( new RespID(x509CertificateHolder.getSubject())); LOG.info("OCSP request version: " + ocspRequest.getVersionNumber() + ", Requester name: " + ocspRequest.getRequestorName() + ", is signed: " + ocspRequest.isSigned() + ", has extensions: " + ocspRequest.hasExtensions() + ", number of additional certificates: " + requestCerts.length + ", number of certificate ids to verify: " + requestList.length); int ocspResult = OCSPRespBuilder.SUCCESSFUL; switch (mode) { case AUTO: LOG.error("Auto OCSP server is not implemented in this version."); throw new NotImplementedException(); case GOOD: LOG.warn("Mocked mode, server will always return Good ocsp response"); for (Req req : requestList) { CertificateID certId = req.getCertID(); String serialNumber = "0x" + certId.getSerialNumber().toString(16); LOG.debug(String.format("Processing request for cert serial number:[%s]", serialNumber)); CertificateStatus certificateStatus = CertificateStatus.GOOD; Calendar thisUpdate = new GregorianCalendar(); Date now = thisUpdate.getTime(); thisUpdate.add(Calendar.DAY_OF_MONTH, 7); Date nexUpdate = thisUpdate.getTime(); responseBuilder.addResponse(certId, certificateStatus, now, nexUpdate, null); } break; case REVOKED: LOG.warn("Mocked mode, server will always return REVOKED ocsp response"); for (Req req : requestList) { CertificateID certId = req.getCertID(); String serialNumber = "0x" + certId.getSerialNumber().toString(16); LOG.debug(String.format("Processing request for cert serial number:[%s]", serialNumber)); Calendar cal = new GregorianCalendar(); cal.add(Calendar.DAY_OF_MONTH, -7);//Set revoked 7 days ago. CertificateStatus certificateStatus = new RevokedStatus(cal.getTime(), 16); Calendar thisUpdate = new GregorianCalendar(); Date now = thisUpdate.getTime(); thisUpdate.add(Calendar.DAY_OF_MONTH, 7); Date nexUpdate = thisUpdate.getTime(); responseBuilder.addResponse(certId, certificateStatus, now, nexUpdate, null); } break; case UNKNOWN: LOG.warn("Mocked mode, server will always return Known ocsp response"); for (Req req : requestList) { CertificateID certId = req.getCertID(); String serialNumber = "0x" + certId.getSerialNumber().toString(16); LOG.debug(String.format("Processing request for cert serial number:[%s]", serialNumber)); CertificateStatus certificateStatus = new UnknownStatus(); Calendar thisUpdate = new GregorianCalendar(); Date now = thisUpdate.getTime(); thisUpdate.add(Calendar.DAY_OF_MONTH, 7); Date nexUpdate = thisUpdate.getTime(); responseBuilder.addResponse(certId, certificateStatus, now, nexUpdate, null); } break; } // process nonce Extension extNonce = ocspRequest.getExtension(new ASN1ObjectIdentifier("1.3.6.1.5.5.7.48.1.2")); if (extNonce != null) { LOG.debug("Nonce is present in the request"); responseBuilder.setResponseExtensions(new Extensions(extNonce)); } else { LOG.info("Nonce is not present in the request"); if (bRequireNonce) { LOG.info("Nonce is required, fail the request"); ocspResult = OCSPRespBuilder.UNAUTHORIZED; } } X509CertificateHolder[] chain = { x509CertificateHolder }; ContentSigner signer = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(privateKey); BasicOCSPResp ocspResponse = responseBuilder.build(signer, chain, Calendar.getInstance().getTime()); OCSPRespBuilder ocspResponseBuilder = new OCSPRespBuilder(); byte[] encoded = ocspResponseBuilder.build(ocspResult, ocspResponse).getEncoded(); LOG.info("Sending OCSP response to client, size: " + encoded.length); return encoded; } catch (Exception e) { LOG.error("Exception during processing OCSP request: " + e.getMessage()); e.printStackTrace(); } return null; }
From source file:craterdog.security.RsaCertificateManager.java
License:Open Source License
@Override public X509Certificate createCertificateAuthority(PrivateKey privateKey, PublicKey publicKey, String subjectString, BigInteger serialNumber, long lifetime) { try {/*ww w.j a v a 2s .c o m*/ logger.entry(); logger.debug("Initializing the certificate generator..."); Date startDate = new Date(); Date expiryDate = new Date(startDate.getTime() + lifetime); X500Principal issuer = new X500Principal(subjectString); X500Principal subject = new X500Principal(subjectString); X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, serialNumber, startDate, expiryDate, subject, publicKey); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); builder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(publicKey)); builder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(0)); // adds CA:TRUE extension builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); ContentSigner signer = new JcaContentSignerBuilder(ASYMMETRIC_SIGNATURE_ALGORITHM) .setProvider(PROVIDER_NAME).build(privateKey); X509Certificate result = new JcaX509CertificateConverter().setProvider(PROVIDER_NAME) .getCertificate(builder.build(signer)); result.checkValidity(new Date()); result.verify(result.getPublicKey()); logger.exit(); return result; } catch (CertIOException | CertificateException | InvalidKeyException | OperatorCreationException | NoSuchProviderException | NoSuchAlgorithmException | SignatureException e) { RuntimeException exception = new RuntimeException( "An unexpected exception occurred while attempting to generate a new certificate authority.", e); throw logger.throwing(exception); } }
From source file:craterdog.security.RsaCertificateManager.java
License:Open Source License
/** * This method creates a new certificate signing request (CSR) using the specified key pair * and subject string. This is a convenience method that really should be part of the * <code>CertificateManagement</code> interface except that it depends on a Bouncy Castle * class in the signature. The java security framework does not have a similar class so it * has been left out of the interface.//from w w w . j a v a2 s .c om * * @param privateKey The private key to be used to sign the request. * @param publicKey The corresponding public key that is to be wrapped in the new certificate. * @param subjectString The subject string to be included in the generated certificate. * * @return The newly created CSR. */ public PKCS10CertificationRequest createSigningRequest(PrivateKey privateKey, PublicKey publicKey, String subjectString) { try { logger.entry(); logger.debug("Creating the CSR..."); X500Principal subject = new X500Principal(subjectString); ContentSigner signer = new JcaContentSignerBuilder(ASYMMETRIC_SIGNATURE_ALGORITHM).build(privateKey); PKCS10CertificationRequest result = new JcaPKCS10CertificationRequestBuilder(subject, publicKey) .setLeaveOffEmptyAttributes(true).build(signer); logger.exit(); return result; } catch (OperatorCreationException e) { RuntimeException exception = new RuntimeException( "An unexpected exception occurred while attempting to generate a new certificate signing request.", e); throw logger.throwing(exception); } }
From source file:craterdog.security.RsaCertificateManager.java
License:Open Source License
@Override public X509Certificate createCertificate(PrivateKey caPrivateKey, X509Certificate caCertificate, PublicKey publicKey, String subjectString, BigInteger serialNumber, long lifetime) { try {//from ww w .ja va2s . co m logger.entry(); logger.debug("Initializing the certificate generator..."); Date startDate = new Date(); Date expiryDate = new Date(startDate.getTime() + lifetime); X509Certificate issuer = caCertificate; X500Principal subject = new X500Principal(subjectString); X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, serialNumber, startDate, expiryDate, subject, publicKey); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); builder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCertificate)); builder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey)); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); ContentSigner signer = new JcaContentSignerBuilder(ASYMMETRIC_SIGNATURE_ALGORITHM) .setProvider(PROVIDER_NAME).build(caPrivateKey); X509Certificate result = new JcaX509CertificateConverter().setProvider(PROVIDER_NAME) .getCertificate(builder.build(signer)); result.checkValidity(new Date()); result.verify(caCertificate.getPublicKey()); logger.exit(); return result; } catch (CertIOException | OperatorCreationException | CertificateException | NoSuchAlgorithmException | InvalidKeyException | NoSuchProviderException | SignatureException e) { RuntimeException exception = new RuntimeException( "An unexpected exception occurred while attempting to generate a new certificate.", e); throw logger.throwing(exception); } }