List of usage examples for org.bouncycastle.operator.jcajce JcaContentSignerBuilder JcaContentSignerBuilder
public JcaContentSignerBuilder(String signatureAlgorithm)
From source file:org.apache.nifi.web.security.x509.ocsp.OcspCertificateValidatorTest.java
License:Apache License
/** * Generates a certificate with a specific public key signed by the issuer key. * * @param dn the subject DN//ww w . java 2s . c o m * @param publicKey the subject public key * @param issuerDn the issuer DN * @param issuerKey the issuer private key * @return the certificate * @throws IOException if an exception occurs * @throws NoSuchAlgorithmException if an exception occurs * @throws CertificateException if an exception occurs * @throws NoSuchProviderException if an exception occurs * @throws SignatureException if an exception occurs * @throws InvalidKeyException if an exception occurs * @throws OperatorCreationException if an exception occurs */ private static X509Certificate generateIssuedCertificate(String dn, PublicKey publicKey, String issuerDn, PrivateKey issuerKey) throws IOException, NoSuchAlgorithmException, CertificateException, NoSuchProviderException, SignatureException, InvalidKeyException, OperatorCreationException { ContentSigner sigGen = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER) .build(issuerKey); SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()); Date startDate = new Date(YESTERDAY); Date endDate = new Date(ONE_YEAR_FROM_NOW); X509v3CertificateBuilder v3CertGen = new X509v3CertificateBuilder(new X500Name(issuerDn), BigInteger.valueOf(System.currentTimeMillis()), startDate, endDate, new X500Name(dn), subPubKeyInfo); X509CertificateHolder certificateHolder = v3CertGen.build(sigGen); return new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(certificateHolder); }
From source file:org.apache.openejb.client.HttpsConnectionTest.java
License:Apache License
private File createKeyStore() throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {// w ww . j a v a2s .com dropKeyStore(); File keyStore = new File(STORE_PATH); keyStore.getParentFile().mkdirs(); try (final FileOutputStream fos = new FileOutputStream(keyStore)) { final KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance("RSA"); keyGenerator.initialize(1024); final KeyPair pair = keyGenerator.generateKeyPair(); final boolean addBc = Security.getProvider("BC") == null; if (addBc) { Security.addProvider(new BouncyCastleProvider()); } try { final X509v1CertificateBuilder x509v1CertificateBuilder = new JcaX509v1CertificateBuilder( new X500Name("cn=" + SERVER), BigInteger.valueOf(1), new Date(System.currentTimeMillis() - TimeUnit.DAYS.toMillis(1)), new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(1)), new X500Name("cn=" + SERVER), pair.getPublic()); final X509CertificateHolder certHldr = x509v1CertificateBuilder.build( new JcaContentSignerBuilder("SHA1WithRSA").setProvider("BC").build(pair.getPrivate())); final X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC") .getCertificate(certHldr); final KeyStore ks = KeyStore.getInstance("JKS"); ks.load(null, STORE_PWD.toCharArray()); ks.setKeyEntry(SERVER, pair.getPrivate(), STORE_PWD.toCharArray(), new Certificate[] { cert }); ks.store(fos, STORE_PWD.toCharArray()); } finally { if (addBc) { Security.removeProvider("BC"); } } } catch (final Exception e) { Assert.fail(e.getMessage()); } return keyStore; }
From source file:org.apache.poi.poifs.crypt.PkiTestUtils.java
License:Apache License
static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn, Date notBefore, Date notAfter, X509Certificate issuerCertificate, PrivateKey issuerPrivateKey, boolean caFlag, int pathLength, String crlUri, String ocspUri, KeyUsage keyUsage) throws IOException, OperatorCreationException, CertificateException { String signatureAlgorithm = "SHA1withRSA"; X500Name issuerName;// ww w . ja v a 2 s. c o m if (issuerCertificate != null) { issuerName = new X509CertificateHolder(issuerCertificate.getEncoded()).getIssuer(); } else { issuerName = new X500Name(subjectDn); } RSAPublicKey rsaPubKey = (RSAPublicKey) subjectPublicKey; RSAKeyParameters rsaSpec = new RSAKeyParameters(false, rsaPubKey.getModulus(), rsaPubKey.getPublicExponent()); SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(rsaSpec); DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build() .get(CertificateID.HASH_SHA1); X509v3CertificateBuilder certificateGenerator = new X509v3CertificateBuilder(issuerName, new BigInteger(128, new SecureRandom()), notBefore, notAfter, new X500Name(subjectDn), subjectPublicKeyInfo); X509ExtensionUtils exUtils = new X509ExtensionUtils(digestCalc); SubjectKeyIdentifier subKeyId = exUtils.createSubjectKeyIdentifier(subjectPublicKeyInfo); AuthorityKeyIdentifier autKeyId = (issuerCertificate != null) ? exUtils.createAuthorityKeyIdentifier(new X509CertificateHolder(issuerCertificate.getEncoded())) : exUtils.createAuthorityKeyIdentifier(subjectPublicKeyInfo); certificateGenerator.addExtension(Extension.subjectKeyIdentifier, false, subKeyId); certificateGenerator.addExtension(Extension.authorityKeyIdentifier, false, autKeyId); if (caFlag) { BasicConstraints bc; if (-1 == pathLength) { bc = new BasicConstraints(true); } else { bc = new BasicConstraints(pathLength); } certificateGenerator.addExtension(Extension.basicConstraints, false, bc); } if (null != crlUri) { int uri = GeneralName.uniformResourceIdentifier; DERIA5String crlUriDer = new DERIA5String(crlUri); GeneralName gn = new GeneralName(uri, crlUriDer); DERSequence gnDer = new DERSequence(gn); GeneralNames gns = GeneralNames.getInstance(gnDer); DistributionPointName dpn = new DistributionPointName(0, gns); DistributionPoint distp = new DistributionPoint(dpn, null, null); DERSequence distpDer = new DERSequence(distp); certificateGenerator.addExtension(Extension.cRLDistributionPoints, false, distpDer); } if (null != ocspUri) { int uri = GeneralName.uniformResourceIdentifier; GeneralName ocspName = new GeneralName(uri, ocspUri); AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess( X509ObjectIdentifiers.ocspAccessMethod, ocspName); certificateGenerator.addExtension(Extension.authorityInfoAccess, false, authorityInformationAccess); } if (null != keyUsage) { certificateGenerator.addExtension(Extension.keyUsage, true, keyUsage); } JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm); signerBuilder.setProvider("BC"); X509CertificateHolder certHolder = certificateGenerator.build(signerBuilder.build(issuerPrivateKey)); /* * Next certificate factory trick is needed to make sure that the * certificate delivered to the caller is provided by the default * security provider instead of BouncyCastle. If we don't do this trick * we might run into trouble when trying to use the CertPath validator. */ // CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); // certificate = (X509Certificate) certificateFactory // .generateCertificate(new ByteArrayInputStream(certificate // .getEncoded())); return new JcaX509CertificateConverter().getCertificate(certHolder); }
From source file:org.apache.poi.poifs.crypt.PkiTestUtils.java
License:Apache License
public static X509CRL generateCrl(X509Certificate issuer, PrivateKey issuerPrivateKey) throws CertificateEncodingException, IOException, CRLException, OperatorCreationException { X509CertificateHolder holder = new X509CertificateHolder(issuer.getEncoded()); X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(holder.getIssuer(), new Date()); crlBuilder.setNextUpdate(new Date(new Date().getTime() + 100000)); JcaContentSignerBuilder contentBuilder = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC"); CRLNumber crlNumber = new CRLNumber(new BigInteger("1234")); crlBuilder.addExtension(Extension.cRLNumber, false, crlNumber); X509CRLHolder x509Crl = crlBuilder.build(contentBuilder.build(issuerPrivateKey)); return new JcaX509CRLConverter().setProvider("BC").getCRL(x509Crl); }
From source file:org.apache.poi.poifs.crypt.PkiTestUtils.java
License:Apache License
public static OCSPResp createOcspResp(X509Certificate certificate, boolean revoked, X509Certificate issuerCertificate, X509Certificate ocspResponderCertificate, PrivateKey ocspResponderPrivateKey, String signatureAlgorithm, long nonceTimeinMillis) throws Exception { DigestCalculator digestCalc = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build() .get(CertificateID.HASH_SHA1); X509CertificateHolder issuerHolder = new X509CertificateHolder(issuerCertificate.getEncoded()); CertificateID certId = new CertificateID(digestCalc, issuerHolder, certificate.getSerialNumber()); // request/*from w ww. ja va 2 s .co m*/ //create a nonce to avoid replay attack BigInteger nonce = BigInteger.valueOf(nonceTimeinMillis); DEROctetString nonceDer = new DEROctetString(nonce.toByteArray()); Extension ext = new Extension(OCSPObjectIdentifiers.id_pkix_ocsp_nonce, true, nonceDer); Extensions exts = new Extensions(ext); OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder(); ocspReqBuilder.addRequest(certId); ocspReqBuilder.setRequestExtensions(exts); OCSPReq ocspReq = ocspReqBuilder.build(); SubjectPublicKeyInfo keyInfo = new SubjectPublicKeyInfo(CertificateID.HASH_SHA1, ocspResponderCertificate.getPublicKey().getEncoded()); BasicOCSPRespBuilder basicOCSPRespBuilder = new BasicOCSPRespBuilder(keyInfo, digestCalc); basicOCSPRespBuilder.setResponseExtensions(exts); // request processing Req[] requestList = ocspReq.getRequestList(); for (Req ocspRequest : requestList) { CertificateID certificateID = ocspRequest.getCertID(); CertificateStatus certificateStatus = CertificateStatus.GOOD; if (revoked) { certificateStatus = new RevokedStatus(new Date(), CRLReason.privilegeWithdrawn); } basicOCSPRespBuilder.addResponse(certificateID, certificateStatus); } // basic response generation X509CertificateHolder[] chain = null; if (!ocspResponderCertificate.equals(issuerCertificate)) { // TODO: HorribleProxy can't convert array input params yet chain = new X509CertificateHolder[] { new X509CertificateHolder(ocspResponderCertificate.getEncoded()), issuerHolder }; } ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC") .build(ocspResponderPrivateKey); BasicOCSPResp basicOCSPResp = basicOCSPRespBuilder.build(contentSigner, chain, new Date(nonceTimeinMillis)); OCSPRespBuilder ocspRespBuilder = new OCSPRespBuilder(); OCSPResp ocspResp = ocspRespBuilder.build(OCSPRespBuilder.SUCCESSFUL, basicOCSPResp); return ocspResp; }
From source file:org.apache.ranger.authorization.kafka.authorizer.KafkaRangerAuthorizerTest.java
License:Apache License
private static String createAndStoreKey(String subjectName, String issuerName, BigInteger serial, String keystorePassword, String keystoreAlias, String keyPassword, KeyStore trustStore) throws Exception { // Create KeyPair KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); keyPairGenerator.initialize(2048, new SecureRandom()); KeyPair keyPair = keyPairGenerator.generateKeyPair(); Date currentDate = new Date(); Date expiryDate = new Date(currentDate.getTime() + 365L * 24L * 60L * 60L * 1000L); // Create X509Certificate X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder( new X500Name(RFC4519Style.INSTANCE, issuerName), serial, currentDate, expiryDate, new X500Name(RFC4519Style.INSTANCE, subjectName), SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded())); ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption") .build(keyPair.getPrivate()); X509Certificate certificate = new JcaX509CertificateConverter() .getCertificate(certBuilder.build(contentSigner)); // Store Private Key + Certificate in Keystore KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); keystore.load(null, keystorePassword.toCharArray()); keystore.setKeyEntry(keystoreAlias, keyPair.getPrivate(), keyPassword.toCharArray(), new Certificate[] { certificate }); File keystoreFile = File.createTempFile("kafkakeystore", ".jks"); keystore.store(new FileOutputStream(keystoreFile), keystorePassword.toCharArray()); // Now store the Certificate in the truststore trustStore.setCertificateEntry(keystoreAlias, certificate); return keystoreFile.getPath(); }
From source file:org.apache.ranger.authorization.kafka.authorizer.KafkaTestUtils.java
License:Apache License
public static String createAndStoreKey(String subjectName, String issuerName, BigInteger serial, String keystorePassword, String keystoreAlias, String keyPassword, KeyStore trustStore) throws Exception { // Create KeyPair KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); keyPairGenerator.initialize(2048, new SecureRandom()); KeyPair keyPair = keyPairGenerator.generateKeyPair(); Date currentDate = new Date(); Date expiryDate = new Date(currentDate.getTime() + 365L * 24L * 60L * 60L * 1000L); // Create X509Certificate X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder( new X500Name(RFC4519Style.INSTANCE, issuerName), serial, currentDate, expiryDate, new X500Name(RFC4519Style.INSTANCE, subjectName), SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded())); ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption") .build(keyPair.getPrivate()); X509Certificate certificate = new JcaX509CertificateConverter() .getCertificate(certBuilder.build(contentSigner)); // Store Private Key + Certificate in Keystore KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); keystore.load(null, keystorePassword.toCharArray()); keystore.setKeyEntry(keystoreAlias, keyPair.getPrivate(), keyPassword.toCharArray(), new Certificate[] { certificate }); File keystoreFile = File.createTempFile("kafkakeystore", ".jks"); try (OutputStream output = new FileOutputStream(keystoreFile)) { keystore.store(output, keystorePassword.toCharArray()); }//w w w . ja v a 2s . com // Now store the Certificate in the truststore trustStore.setCertificateEntry(keystoreAlias, certificate); return keystoreFile.getPath(); }
From source file:org.apache.syncope.fit.core.SAML2ITCase.java
License:Apache License
private static void createKeystores() throws Exception { // Create KeyPair KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); keyPairGenerator.initialize(1024, new SecureRandom()); KeyPair keyPair = keyPairGenerator.generateKeyPair(); Date currentDate = new Date(); Date expiryDate = new Date(currentDate.getTime() + 365L * 24L * 60L * 60L * 1000L); // Create X509Certificate String issuerName = "CN=Issuer"; String subjectName = "CN=Subject"; BigInteger serial = new BigInteger("123456"); X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder( new X500Name(RFC4519Style.INSTANCE, issuerName), serial, currentDate, expiryDate, new X500Name(RFC4519Style.INSTANCE, subjectName), SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded())); ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption") .build(keyPair.getPrivate()); X509Certificate certificate = new JcaX509CertificateConverter() .getCertificate(certBuilder.build(contentSigner)); // Store Private Key + Certificate in Keystore KeyStore keystore = KeyStore.getInstance("JKS"); keystore.load(null, "security".toCharArray()); keystore.setKeyEntry("subject", keyPair.getPrivate(), "security".toCharArray(), new Certificate[] { certificate }); File keystoreFile = File.createTempFile("samlkeystore", ".jks"); try (OutputStream output = Files.newOutputStream(keystoreFile.toPath())) { keystore.store(output, "security".toCharArray()); }// ww w .j a v a 2 s . c om keystorePath = keystoreFile.toPath(); // Now store the Certificate in the truststore KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); trustStore.load(null, "security".toCharArray()); trustStore.setCertificateEntry("subject", certificate); File truststoreFile = File.createTempFile("samltruststore", ".jks"); try (OutputStream output = Files.newOutputStream(truststoreFile.toPath())) { trustStore.store(output, "security".toCharArray()); } truststorePath = truststoreFile.toPath(); }
From source file:org.apache.tomee.embedded.SslTomEETest.java
License:Apache License
@Test public void test() throws Exception { final File keystore = new File("target/keystore"); { // generate keystore/trustore if (keystore.exists()) { Files.delete(keystore); }// ww w. j a v a2 s .c om keystore.getParentFile().mkdirs(); try (final FileOutputStream fos = new FileOutputStream(keystore)) { final KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance("RSA"); keyGenerator.initialize(1024); final KeyPair pair = keyGenerator.generateKeyPair(); final boolean addBc = Security.getProvider("BC") == null; if (addBc) { Security.addProvider(new BouncyCastleProvider()); } try { final X509v1CertificateBuilder x509v1CertificateBuilder = new JcaX509v1CertificateBuilder( new X500Name("cn=serveralias"), BigInteger.valueOf(1), new Date(System.currentTimeMillis() - TimeUnit.DAYS.toMillis(1)), new Date(System.currentTimeMillis() + TimeUnit.DAYS.toMillis(1)), new X500Name("cn=serveralias"), pair.getPublic()); final X509CertificateHolder certHldr = x509v1CertificateBuilder.build( new JcaContentSignerBuilder("SHA1WithRSA").setProvider("BC").build(pair.getPrivate())); final X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC") .getCertificate(certHldr); final KeyStore ks = KeyStore.getInstance("JKS"); ks.load(null, "changeit".toCharArray()); ks.setKeyEntry("serveralias", pair.getPrivate(), "changeit".toCharArray(), new Certificate[] { cert }); ks.store(fos, "changeit".toCharArray()); } finally { if (addBc) { Security.removeProvider("BC"); } } } catch (final Exception e) { Assert.fail(e.getMessage()); } } final Configuration configuration = new Configuration(); configuration.setSsl(true); configuration.setKeystoreFile(keystore.getAbsolutePath()); configuration.setKeystorePass("changeit"); configuration.setKeyAlias("serveralias"); final Container container = new Container(); container.setup(configuration); container.start(); Connector[] connectors = container.getTomcat().getService().findConnectors(); for (Connector conn : connectors) { if (conn.getPort() == 8443) { Object propertyObject = conn.getProperty("keystoreFile"); assertNotNull(propertyObject); assertEquals(keystore.getAbsolutePath(), propertyObject.toString()); } } try { assertEquals(8443, ManagementFactory.getPlatformMBeanServer() .getAttribute(new ObjectName("Tomcat:type=ProtocolHandler,port=8443"), "port")); } finally { container.stop(); } // ensure it is not always started configuration.setSsl(false); container.setup(configuration); container.start(); try { assertFalse(ManagementFactory.getPlatformMBeanServer() .isRegistered(new ObjectName("Tomcat:type=ProtocolHandler,port=8443"))); } finally { container.close(); } }
From source file:org.apache.zookeeper.common.ZKTrustManagerTest.java
License:Apache License
private X509Certificate[] createSelfSignedCertifcateChain(String ipAddress, String hostname) throws Exception { X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE); nameBuilder.addRDN(BCStyle.CN, "NOT_LOCALHOST"); Date notBefore = new Date(); Calendar cal = Calendar.getInstance(); cal.setTime(notBefore);// w w w.j a va2 s. c o m cal.add(Calendar.YEAR, 1); Date notAfter = cal.getTime(); BigInteger serialNumber = new BigInteger(128, new Random()); X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(nameBuilder.build(), serialNumber, notBefore, notAfter, nameBuilder.build(), keyPair.getPublic()) .addExtension(Extension.basicConstraints, true, new BasicConstraints(0)) .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); List<GeneralName> generalNames = new ArrayList<>(); if (ipAddress != null) { generalNames.add(new GeneralName(GeneralName.iPAddress, ipAddress)); } if (hostname != null) { generalNames.add(new GeneralName(GeneralName.dNSName, hostname)); } if (!generalNames.isEmpty()) { certificateBuilder.addExtension(Extension.subjectAlternativeName, true, new GeneralNames(generalNames.toArray(new GeneralName[] {}))); } ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption") .build(keyPair.getPrivate()); return new X509Certificate[] { new JcaX509CertificateConverter().getCertificate(certificateBuilder.build(contentSigner)) }; }