List of usage examples for org.bouncycastle.operator.jcajce JcaContentSignerBuilder JcaContentSignerBuilder
public JcaContentSignerBuilder(String signatureAlgorithm)
From source file:fi.aalto.cs.drumbeat.CertificateCommons.java
License:Open Source License
public static X509Certificate signCertificate(X509v3CertificateBuilder certificateBuilder, PrivateKey signedWithPrivateKey) throws OperatorCreationException, CertificateException { ContentSigner signer = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER_NAME) .build(signedWithPrivateKey); return new JcaX509CertificateConverter().setProvider(PROVIDER_NAME) .getCertificate(certificateBuilder.build(signer)); }
From source file:fixture.pdfboxeg.CreateSignatureBase.java
License:Apache License
/** * SignatureInterface implementation./*from www . jav a2 s.c om*/ * * This method will be called from inside of the pdfbox and create the PKCS #7 signature. * The given InputStream contains the bytes that are given by the byte range. * * This method is for internal use only. * * Use your favorite cryptographic library to implement PKCS #7 signature creation. * * @throws IOException */ @Override public byte[] sign(InputStream content) throws IOException { //TODO this method should be private try { List<Certificate> certList = new ArrayList<>(); certList.add(certificate); Store certs = new JcaCertStore(certList); CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); org.bouncycastle.asn1.x509.Certificate cert = org.bouncycastle.asn1.x509.Certificate .getInstance(ASN1Primitive.fromByteArray(certificate.getEncoded())); ContentSigner sha1Signer = new JcaContentSignerBuilder("SHA256WithRSA").build(privateKey); gen.addSignerInfoGenerator( new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build()) .build(sha1Signer, new X509CertificateHolder(cert))); gen.addCertificates(certs); CMSProcessableInputStream msg = new CMSProcessableInputStream(content); CMSSignedData signedData = gen.generate(msg, false); if (tsaClient != null) { signedData = signTimeStamps(signedData); } return signedData.getEncoded(); } catch (GeneralSecurityException | CMSException | TSPException | OperatorCreationException e) { throw new IOException(e); } }
From source file:fr.insalyon.creatis.vip.core.server.business.proxy.ProxyClient.java
License:Open Source License
/** * Retrieves credentials from the MyProxy server. *//*w w w.java2 s .c om*/ private void getCredentials() throws Exception { KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance("RSA"); keyPair = keyGenerator.generateKeyPair(); X500Principal subject = new X500Principal("CN=irrelevant"); ContentSigner signGen = new JcaContentSignerBuilder("SHA1withRSA").build(keyPair.getPrivate()); PKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic()); PKCS10CertificationRequest cert = builder.build(signGen); socketOut.write(cert.getEncoded()); socketOut.write(0x00); socketOut.flush(); int numCertificates = this.socketIn.read(); if (numCertificates == -1) { throw new Exception("connection aborted"); } else if (numCertificates == 0 || numCertificates < 0) { throw new Exception("bad number of certificates sent by server: " + numCertificates); } CertificateFactory certFactory = CertificateFactory.getInstance("X.509"); certificateChain = certFactory.generateCertificates(this.socketIn); }
From source file:id.govca.detachedsignature.CMSController.java
/** * Method to digitally sign a binary content in PKCS7 format. * Return the CMSSignedData object of a binary content * * @param content the binary content to be signed * @param pkcc the PrivateKey_CertChain object * @return/*from w w w. ja v a2s. c o m*/ */ public CMSSignedData CMSGenerator(byte[] content, PrivateKey_CertChain pkcc) { Security.addProvider(new BouncyCastleProvider()); try { //Sign Signature signature = Signature.getInstance("SHA256WithRSA", "BC"); signature.initSign(pkcc.getPriv_key()); signature.update(content); byte[] signed = signature.sign(); System.out.format("%-32s%s\n", "Signature of digest of content", Hex.toHexString(signed)); //Digest of Signature MessageDigest digest = MessageDigest.getInstance("SHA-256"); byte[] hash = digest.digest(signed); System.out.format("%-32s%s\n", "Digest of Signature", Hex.toHexString(hash)); //Build CMS X509Certificate cert = pkcc.getSingle_cert(); List certList = new ArrayList(); CMSTypedData msg = new CMSProcessableByteArray(signed); System.out.format("%-32s%s\n", "Length of Certificate Chain", pkcc.getChain().length); certList.addAll(Arrays.asList(pkcc.getChain())); Store certs = new JcaCertStore(certList); CMSSignedDataGenerator gen = new CMSSignedDataGenerator(); ContentSigner sha1Signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC") .build(pkcc.getPriv_key()); gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder( new JcaDigestCalculatorProviderBuilder().setProvider("BC").build()).build(sha1Signer, cert)); gen.addCertificates(certs); CMSSignedData sigData = gen.generate(msg, true); return sigData; } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeyException | SignatureException | CertificateEncodingException | OperatorCreationException | CMSException ex) { Logger.getLogger(CMSController.class.getName()).log(Level.SEVERE, null, ex); } return null; }
From source file:infn.eToken.TokenUtils.java
License:Apache License
private static KeyPair_Cert createProxyCertificate(int keybit, Boolean rfc, int lifetime, String CN_label, X509Certificate tokenCert, java.security.PrivateKey tokenKey) { KeyPair_Cert result = null;//from w w w. j a va 2 s .c o m Provider bc = null; try { Date lastDate = new Date(); String proxyDN = ""; String issuerDN = ""; // Generate the new KeyPair bc = new org.bouncycastle.jce.provider.BouncyCastleProvider(); Security.insertProviderAt(bc, 1); java.security.KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", bc); SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG"); kpGen.initialize(keybit, secureRandom); java.security.KeyPair pair = kpGen.generateKeyPair(); // Initialize the SerialNumber of the certificate. Random rand = new Random(); //BigInteger serialNum = new BigInteger(20, rand); // Express the validity in milliseconds long validity = lifetime * 60 * 60 * 1000; if (rfc) { // RFC-3280-compliant OID log.debug("[1] Creating RFC-3280-complaint proxy with [ " + keybit + " ] keybit"); issuerDN = tokenCert.getSubjectX500Principal().getName(); log.debug("issuerDN = " + issuerDN); // Create the distinguished name (DN) of the proxy certificate. // This DN is the issuer's DN with an extra "CN=" part, which // value is a random integer. // In the RFC2253 the "CN=" part comes at the beginning. String delegDN = String.valueOf(Math.abs(rand.nextInt())); if (!CN_label.isEmpty() && (!CN_label.equals("eToken:Empty"))) { //RFC 3820 compliant impersonation proxy! log.debug("Adding additional CN label to generate Per-User Sub-Proxy"); proxyDN = "CN=" + CN_label + "," + issuerDN; //proxyDN = "CN=" + delegDN + "," + "CN=" + CN_label + "," + issuerDN; } else proxyDN = "CN=" + delegDN + "," + issuerDN; log.debug("Creating a RFC3280-compliant OID self-signed certificate for: "); log.debug(proxyDN); } else { // Proxy draft (pre-RFC) compliant impersonation proxy // Create the distinguished name (DN) of the proxy certificate. // This DN is the issuer's DN with an extra "CN=proxy" part. // In the pre-RFC the "C/N=proxy" part comes at the beginning. issuerDN = tokenCert.getSubjectX500Principal().getName(); log.debug("issuerDN = " + issuerDN); //Proxy draft (pre-RFC) compliant impersonation proxy proxyDN = "CN=proxy" + "," + issuerDN; log.debug("[1] Creating a fully legacy Globus proxy with [ " + keybit + " ] keybit"); log.debug("DN =" + proxyDN); // Set the subject distinguished name. // The subject describes the entity associated with the public key. //certGen.setSubjectDN(new X500Principal(proxyDN)); log.debug("SubjectDN = " + new X500Principal(proxyDN).getName()); } // Generate self-signed certificate //X500Principal principal = new X500Principal(issuerDN); // Generate self-signed certificate X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(tokenCert.getSubjectX500Principal(), //principal, tokenCert.getSerialNumber(), new Date(lastDate.getTime()), new Date(lastDate.getTime() + validity), new X500Principal(proxyDN), pair.getPublic()); // Add KeyUsage extension(s) to the plain proxy log.debug(""); log.debug("[2] Adding 'KeyUsage extension(s)' to the plain proxy... "); certGen.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment)); if (rfc) { ProxyPolicy policy = new ProxyPolicy(ProxyPolicy.INHERITALL_POLICY_OID); String oid = ProxyCertInfoExtension.RFC_EXTENSION_OID; ProxyCertInfoExtension extValue = new ProxyCertInfoExtension(Integer.MAX_VALUE, policy); log.debug("[2'] Adding 'X509v3 extension(s)' to the RFC proxy... "); certGen.addExtension(new ASN1ObjectIdentifier(oid), true, extValue); } else { /*certGen.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.cRLSign)); Vector eku = new Vector(5, 1); eku.add(KeyPurposeId.id_kp_serverAuth); eku.add(KeyPurposeId.id_kp_clientAuth); eku.add(KeyPurposeId.anyExtendedKeyUsage); certGen.addExtension(X509Extension.extendedKeyUsage, true, new ExtendedKeyUsage(eku));*/ } // -------------------------------------------------------- // Generate the Proxy Certificate // -------------------------------------------------------- try { ContentSigner sigGen = new JcaContentSignerBuilder(tokenCert.getSigAlgName()) //new JcaContentSignerBuilder("sha1WithRSAEncryption") //.setProvider(bc) .build(tokenKey); X509CertificateHolder certHolder = certGen.build(sigGen); log.debug("[3] Generate the plain proxy ... "); X509Certificate cert = new JcaX509CertificateConverter().setProvider(bc).getCertificate(certHolder); cert.checkValidity(new Date()); result = new KeyPair_Cert(pair.getPublic(), pair.getPrivate(), cert); } catch (Exception e) { log.error(e.getMessage()); } } catch (Exception e) { log.error(e.getMessage()); } finally { Security.removeProvider(bc.getName()); } return result; }
From source file:io.kodokojo.commons.utils.ssl.SSLUtils.java
License:Open Source License
private static X509Certificate verifyCertificate(PrivateKey caPrivateKey, PublicKey caPublicKey, JcaX509v3CertificateBuilder certificateBuilder) throws OperatorCreationException, CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException { ContentSigner signer = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER_NAME) .build(caPrivateKey);/*from w w w . j a v a 2 s . c o m*/ X509Certificate cert = new JcaX509CertificateConverter().setProvider(PROVIDER_NAME) .getCertificate(certificateBuilder.build(signer)); cert.checkValidity(new Date()); cert.verify(caPublicKey); return cert; }
From source file:io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator.java
License:Apache License
static String[] generate(String fqdn, KeyPair keypair, SecureRandom random) throws Exception { PrivateKey key = keypair.getPrivate(); // Prepare the information required for generating an X.509 certificate. X500Name owner = new X500Name("CN=" + fqdn); X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(owner, new BigInteger(64, random), NOT_BEFORE, NOT_AFTER, owner, keypair.getPublic()); ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(key); X509CertificateHolder certHolder = builder.build(signer); X509Certificate cert = new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(certHolder); cert.verify(keypair.getPublic());// www . j a va2 s . c o m return newSelfSignedCertificate(fqdn, key, cert); }
From source file:io.spikex.core.Main.java
License:Apache License
private void createKeyStore(final YamlDocument conf) { YamlDocument confKeyStore = conf.getDocument(CONF_KEY_KEYSTORE); boolean generate = confKeyStore.getValue(CONF_KEY_GENERATE, DEF_GENERATE_KEYSTORE); if (generate) { Path keyStorePath = Paths .get(confKeyStore.getValue(CONF_KEY_PATH, m_confPath.resolve(DEF_KEYSTORE_PATH).toString())) .toAbsolutePath().normalize(); if (!Files.exists(keyStorePath)) { Provider bcProvider = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME); if (bcProvider == null) { Security.addProvider(new BouncyCastleProvider()); }/*from w ww. java2 s .c o m*/ String password = confKeyStore.getValue(CONF_KEY_PASSWORD, DEF_KEYSTORE_PASSWORD); String hostFqdn = confKeyStore.getValue(CONF_KEY_HOST_FQDN, HostOs.hostName()); List<String> subjAltNames = confKeyStore.getValue(CONF_KEY_SUBJECT_ALT_NAME, new ArrayList()); try (FileOutputStream out = new FileOutputStream(keyStorePath.toFile())) { m_logger.info("Generating keystore: {}", keyStorePath); KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", BouncyCastleProvider.PROVIDER_NAME); SecureRandom rnd = new SecureRandom(); generator.initialize(2048, rnd); KeyPair pair = generator.generateKeyPair(); // DN X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE); nameBuilder.addRDN(BCStyle.C, System.getProperty("user.country.format", "NU")); nameBuilder.addRDN(BCStyle.OU, "Self-signed test certificate"); nameBuilder.addRDN(BCStyle.OU, "For testing purposes only"); nameBuilder.addRDN(BCStyle.O, "Spike.x"); nameBuilder.addRDN(BCStyle.CN, hostFqdn); long oneDay = 24 * 60 * 60 * 1000; Date notBefore = new Date(System.currentTimeMillis() - oneDay); // Yesterday Date notAfter = new Date(System.currentTimeMillis() + (oneDay * 3 * 365)); // 3 years BigInteger serialNum = BigInteger.valueOf(rnd.nextLong()); X509v3CertificateBuilder x509v3Builder = new JcaX509v3CertificateBuilder(nameBuilder.build(), serialNum, notBefore, notAfter, nameBuilder.build(), pair.getPublic()); // // Extensions // x509v3Builder.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); x509v3Builder.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); x509v3Builder.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); GeneralName[] dnsNames = new GeneralName[subjAltNames.size()]; for (int i = 0; i < subjAltNames.size(); i++) { String name = subjAltNames.get(i); m_logger.info("Adding subject alt name: {}", name); dnsNames[i] = new GeneralName(GeneralName.dNSName, name); } x509v3Builder.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(dnsNames)); ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption") .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(pair.getPrivate()); X509Certificate cert = new JcaX509CertificateConverter() .setProvider(BouncyCastleProvider.PROVIDER_NAME) .getCertificate(x509v3Builder.build(signer)); // Validate cert.checkValidity(new Date()); cert.verify(cert.getPublicKey()); // Save in keystore KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(null); ks.setKeyEntry(hostFqdn, pair.getPrivate(), password.toCharArray(), new Certificate[] { cert }); m_logger.info("Created self-signed certificate: {}", hostFqdn); ks.store(out, password.toCharArray()); } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException | NoSuchProviderException | OperatorCreationException | InvalidKeyException | SignatureException e) { throw new RuntimeException("Failed to create keystore: " + keyStorePath, e); } } } }
From source file:it.zero11.acme.utils.X509Utils.java
License:Apache License
public static PKCS10CertificationRequest generateCSR(String[] commonNames, KeyPair pair) throws OperatorCreationException, IOException { X500NameBuilder namebuilder = new X500NameBuilder(X500Name.getDefaultStyle()); namebuilder.addRDN(BCStyle.CN, commonNames[0]); List<GeneralName> subjectAltNames = new ArrayList<>(commonNames.length); for (String cn : commonNames) subjectAltNames.add(new GeneralName(GeneralName.dNSName, cn)); GeneralNames subjectAltName = new GeneralNames(subjectAltNames.toArray(new GeneralName[0])); ExtensionsGenerator extGen = new ExtensionsGenerator(); extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltName.toASN1Primitive()); PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(namebuilder.build(), pair.getPublic());//from w ww .j a v a2 s . c om p10Builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate()); JcaContentSignerBuilder csBuilder = new JcaContentSignerBuilder("SHA256withRSA"); ContentSigner signer = csBuilder.build(pair.getPrivate()); PKCS10CertificationRequest request = p10Builder.build(signer); return request; }
From source file:KerberosAPI.Certificate.java
public static X509Certificate createSelfSignedCert(KeyPair kp) { Security.addProvider(new BouncyCastleProvider()); System.out.print("Cration d'un Certificat auto-sign : "); X509Certificate x509Cert = null; try {// w w w . j av a 2s.c o m String subject = "SC"; KeyPair keyPair = kp; String issuerName = "SC"; //Issuer le meme que le subject BigInteger serialNumber = BigInteger.ONE; Calendar cal = Calendar.getInstance(); Date notBefore = cal.getTime(); cal.add(Calendar.YEAR, 1); Date notAfter = cal.getTime(); JcaX509v3CertificateBuilder builder = null; X500Name subjectFormated = new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.CN, subject).build(); X500Name issuerFormated = new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.CN, issuerName).build(); builder = new JcaX509v3CertificateBuilder(issuerFormated, serialNumber, notBefore, notAfter, subjectFormated, keyPair.getPublic()); ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC") .build(keyPair.getPrivate());//our own key //------------------------- Extensions ------------------------ builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(1)); SubjectKeyIdentifier subjectKeyIdentifier = new JcaX509ExtensionUtils() .createSubjectKeyIdentifier(keyPair.getPublic()); builder.addExtension(Extension.subjectKeyIdentifier, false, subjectKeyIdentifier); KeyUsage keyUsage = new KeyUsage(KeyUsage.keyCertSign); builder.addExtension(Extension.keyUsage, true, keyUsage); ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(KeyPurposeId.anyExtendedKeyUsage); builder.addExtension(Extension.extendedKeyUsage, false, extendedKeyUsage); X509CertificateHolder holder = builder.build(contentSigner); //cration du certificat java.security.cert.Certificate certificate = java.security.cert.CertificateFactory.getInstance("X.509") .generateCertificate(new ByteArrayInputStream(holder.getEncoded())); //transformation au format X509 CertificateFactory cf = CertificateFactory.getInstance("X.509"); ByteArrayInputStream bais = new ByteArrayInputStream(certificate.getEncoded()); x509Cert = (X509Certificate) cf.generateCertificate(bais); if (x509Cert != null) { System.out.println("OK"); return x509Cert; } //return (X509Certificate) java.security.cert.CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(holder.getEncoded())); } catch (Exception e) { System.out.println("Echec de cration du certificat auto-sign : " + e); } return null; }