List of usage examples for org.bouncycastle.operator.jcajce JcaContentSignerBuilder JcaContentSignerBuilder
public JcaContentSignerBuilder(String signatureAlgorithm)
From source file:org.cryptable.pki.util.GeneratePKI.java
License:Open Source License
/** * we generate an revoked certificate signed by our CA's intermediate certficate * @throws OperatorCreationException//from www .j a v a 2s . c o m * @throws CertificateException */ private static X509CRL createCRL(PrivateKey privKey, X509Certificate caCert, BigInteger serNum) throws OperatorCreationException, CRLException { // Signer of the certificate ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(BC) .build(privKey); // Builder of the certificate X509v2CRLBuilder jcaX509v2CRLBuilder = new JcaX509v2CRLBuilder(caCert.getSubjectX500Principal(), new Date(System.currentTimeMillis() - (1000L * 60 * 60))).addCRLEntry(serNum, new Date(System.currentTimeMillis() - (1000L * 60 * 60)), ReasonFlags.keyCompromise); return new JcaX509CRLConverter().setProvider("BC").getCRL(jcaX509v2CRLBuilder.build(sigGen)); }
From source file:org.cryptoworkshop.ximix.node.crypto.key.BLSKeyManager.java
License:Apache License
private X509CertificateHolder createCertificate(String keyID, int sequenceNo, PrivateKey privKey) throws GeneralSecurityException, OperatorCreationException, IOException { String name = "C=AU, O=Ximix Network Node, OU=" + nodeContext.getName(); ///* w ww.ja va 2 s.co m*/ // create the certificate - version 3 // X509v3CertificateBuilder v3CertBuilder = new X509v3CertificateBuilder(new X500Name(name), BigInteger.valueOf(1), new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30), new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365)), new X500Name(name), this.fetchPublicKey(keyID)); // we use keyUsage extension to distinguish between signing and encryption keys if (signingKeys.contains(keyID)) { v3CertBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature)); } else { v3CertBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.dataEncipherment)); } v3CertBuilder.addExtension(XimixObjectIdentifiers.ximixShareIdExtension, true, new ASN1Integer(sequenceNo)); return v3CertBuilder.build(new JcaContentSignerBuilder("SHA256withECDSA").setProvider("BC").build(privKey)); }
From source file:org.digidoc4j.impl.bdoc.ocsp.SKOnlineOCSPSource.java
License:GNU General Public License
private byte[] buildOCSPRequest(final CertificateToken signCert, final CertificateToken issuerCert, Extension nonceExtension) throws DSSException { try {/*from ww w . jav a 2 s .co m*/ logger.debug("Building OCSP request"); final CertificateID certId = DSSRevocationUtils.getOCSPCertificateID(signCert, issuerCert); final OCSPReqBuilder ocspReqBuilder = new OCSPReqBuilder(); ocspReqBuilder.addRequest(certId); ocspReqBuilder.setRequestExtensions(new Extensions(nonceExtension)); if (configuration.hasToBeOCSPRequestSigned()) { logger.info("Using signed OCSP request"); JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA1withRSA"); if (!configuration.isOCSPSigningConfigurationAvailable()) { throw new ConfigurationException( "Configuration needed for OCSP request signing is not complete."); } DSSPrivateKeyEntry keyEntry = getOCSPAccessCertificatePrivateKey(); PrivateKey privateKey = ((KSPrivateKeyEntry) keyEntry).getPrivateKey(); X509Certificate ocspSignerCert = keyEntry.getCertificate().getCertificate(); ContentSigner contentSigner = signerBuilder.build(privateKey); X509CertificateHolder[] chain = { new X509CertificateHolder(ocspSignerCert.getEncoded()) }; GeneralName generalName = new GeneralName( new JcaX509CertificateHolder(ocspSignerCert).getSubject()); ocspReqBuilder.setRequestorName(generalName); return ocspReqBuilder.build(contentSigner, chain).getEncoded(); } return ocspReqBuilder.build().getEncoded(); } catch (Exception e) { throw new DSSException(e); } }
From source file:org.dihedron.crypto.operations.sign.pkcs7.PKCS7Signer.java
License:Open Source License
/** * Constructor./*from w ww .ja v a2 s .co m*/ * * @param alias * the alias of the certificate to be used for signing. * @param keyring * the key ring containing the private key used for signing. * @param provider * the security provider backing up the key ring functionalities. * @param algorithm * the digest and encryption algorithm combination used to create the * signature. * @throws CryptoException * if any among alias, key ring and provider is null. * @throws KeyStoreException * @throws CertificateEncodingException * @throws CertificateNotYetValidException * @throws CertificateExpiredException */ public PKCS7Signer(String alias, KeyRing keyring, Provider provider, SignatureAlgorithm algorithm) throws CryptoException, KeyStoreException, CertificateEncodingException, CertificateNotYetValidException, CertificateExpiredException { super(alias, keyring, provider); logger.debug("creating PKCS#7 signer with '{}' signature algorithm", algorithm); try { logger.info("signing with alias '{}'", alias); // retrieve key and certificate Key key = keyring.getPrivateKey(alias); X509Certificate x509certificate = (X509Certificate) keyring.getCertificate(alias); // this may throw a CertificateExpiredException or CertificateNotYetValidException x509certificate.checkValidity(); logger.info("certificate is valid at current date"); // TODO: check CRL logger.info("certificate is active at current date (CRL check successful)"); // prepare the certificates store List<Certificate> certificates = new ArrayList<>(); certificates.add(x509certificate); Store store = new JcaCertStore(certificates); logger.info("certificate store is ready"); ContentSigner signer = new JcaContentSignerBuilder(algorithm.toBouncyCastleCode()) .setProvider((provider instanceof AutoCloseableProvider) ? ((AutoCloseableProvider) provider).getWrappedProvider() : provider) .build((PrivateKey) key); DigestCalculatorProvider digest = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build(); SignerInfoGenerator signerinfo = new SignerInfoGeneratorBuilder(digest).setDirectSignature(false) // include signed attributes; if true it signs data only .setSignedAttributeGenerator( new PKCS7AttributeTableGenerator(algorithm.getDigestAlgorithm(), x509certificate)) // this generates the attributes that will be signed along with the data .build(signer, new JcaX509CertificateHolder(x509certificate)); // and then we build the generator logger.info("signer info generator is ready"); generator = new CMSSignedDataStreamGenerator(); generator.addSignerInfoGenerator(signerinfo); generator.addCertificates(store); //generator.addCRLs(crlStore); logger.debug("signed data stream generator for PKCS#7 is ready"); } catch (OperatorCreationException e) { logger.error("error creating operator", e); throw new CryptoException("error creating signing operator (BouncyCastle)", e); } catch (CertificateEncodingException e) { logger.error("invalid certificate encoding", e); throw e; } catch (CertificateExpiredException e) { logger.error("expired certificate", e); throw e; } catch (CertificateNotYetValidException e) { logger.error("certificate is not yet valid (may still need to be activated?)", e); throw e; } catch (CMSException e) { logger.error("error adding certificates to signature generator", e); throw new CryptoException("CMS error", e); } }
From source file:org.dihedron.crypto.operations.sign.pkcs7.PKCS7SigningStream.java
License:Open Source License
/** * Constructor./*from w ww.j a va 2 s. com*/ * * @param output * the output stream to which data will be eventually written. * @param configurator * the output signing stream configurator. * @throws CryptoException * if any of the input parameters is null. * @throws CertificateNotYetValidException * @throws CertificateExpiredException * @throws GeneralSecurityException */ public PKCS7SigningStream(OutputStream output, SigningStreamConfigurator configurator) throws CryptoException, CertificateExpiredException, CertificateNotYetValidException, CertificateEncodingException, GeneralSecurityException { super(output, configurator); logger.info( "creating PKCS#7 signing filter output stream with '{}' signature algorithm, using certificate alias '{}'", configurator.getAlgorithm(), configurator.getAlias()); try { logger.info("signing with alias '{}'", configurator.getAlias()); // retrieve key, certificate and provider (for simplicity) Key key = configurator.getPrivateKey(); X509Certificate x509certificate = configurator.getCertificate(); Provider provider = configurator.getProvider(); SignatureAlgorithm algorithm = configurator.getAlgorithm(); // prepare the certificates store List<Certificate> certificates = new ArrayList<>(); certificates.add(x509certificate); Store store = new JcaCertStore(certificates); logger.info("certificate store is ready"); ContentSigner signer = new JcaContentSignerBuilder(algorithm.toBouncyCastleCode()) .setProvider((provider instanceof AutoCloseableProvider) ? ((AutoCloseableProvider) provider).getWrappedProvider() : provider) .build((PrivateKey) key); DigestCalculatorProvider digest = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build(); SignerInfoGenerator signerinfo = new SignerInfoGeneratorBuilder(digest).setDirectSignature(false) // include signed attributes; if true it signs data only .setSignedAttributeGenerator( new PKCS7AttributeTableGenerator(algorithm.getDigestAlgorithm(), x509certificate)) // this generates the attributes that will be signed along with the data .build(signer, new JcaX509CertificateHolder(x509certificate)); // and then we build the generator logger.info("signer info generator is ready"); generator = new CMSSignedDataStreamGenerator(); generator.addSignerInfoGenerator(signerinfo); generator.addCertificates(store); //generator.addCRLs(crlStore); logger.debug("signed data stream generator for PKCS#7 is ready"); stream = generator.open(output, configurator.isEncapsulateData()); } catch (OperatorCreationException e) { logger.error("error creating operator", e); throw new CryptoException("error creating signing operator (BouncyCastle)", e); } catch (CertificateEncodingException e) { logger.error("invalid certificate encoding", e); throw e; } catch (CMSException e) { logger.error("error adding certificates to signature generator", e); throw new CryptoException("CMS error", e); } catch (IOException e) { logger.error("error establishing signature generator wrapper around output stream", e); throw new CryptoException("Error establishing signature generator wrapper around output stream", e); } }
From source file:org.eclipse.andmore.android.certmanager.packaging.sign.SignatureBlockFile.java
License:Apache License
/** * Writes this file to an output stream/*from w ww .jav a2s . c o m*/ * * @param outputStream * the output stream to write the file * @throws IOException * if an I/O error occurs during the signing process * @throws SignException * if a processing error occurs during the signing process * @throws KeyStoreManagerException * @throws KeyStoreException * @throws UnrecoverableKeyException * @throws NoSuchAlgorithmException * @throws InvalidKeyException * @throws CertificateEncodingException * @throws OperatorCreationException * @throws CMSException */ public void write(OutputStream outputStream) throws IOException, SignException, UnrecoverableKeyException, KeyStoreException, KeyStoreManagerException, NoSuchAlgorithmException, InvalidKeyException, CertificateEncodingException, OperatorCreationException, CMSException { // get certificate from entry X509Certificate[] certChain = { keystoreEntry.getX509Certificate() }; if (certChain.length > 0) { X509Certificate publicKey = certChain[0]; PrivateKey privateKey = keystoreEntry.getPrivateKey(keyEntryPassword); String blockalgorithm = getBlockAlgorithm(); if (!blockalgorithm.equalsIgnoreCase(ISignConstants.DSA) && !blockalgorithm.equalsIgnoreCase(ISignConstants.RSA)) { AndmoreLogger.error(SignatureBlockFile.class, "Signing block algorithm not supported. Key algorithm must be DSA or RSA"); throw new SignException("Signing block algorithm not supported"); } String signatureAlgorithm = ISignConstants.SHA1 + ISignConstants.ALGORITHM_CONNECTOR + blockalgorithm; Security.addProvider(new BouncyCastleProvider()); ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>(); certList.add(publicKey); JcaCertStore certs = new JcaCertStore(certList); ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(privateKey); CMSSignedDataGenerator generator = new CMSSignedDataGenerator(); generator.addSignerInfoGenerator( new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build()) .setDirectSignature(true).build(signer, publicKey)); generator.addCertificates(certs); ByteArrayOutputStream baos = new ByteArrayOutputStream(); signatureFile.write(baos); CMSTypedData cmsdata = new CMSProcessableByteArray(baos.toByteArray()); CMSSignedData signeddata = generator.generate(cmsdata, false); ASN1InputStream asn1 = new ASN1InputStream(signeddata.getEncoded()); DEROutputStream dos = new DEROutputStream(outputStream); dos.writeObject(asn1.readObject()); dos.flush(); dos.close(); asn1.close(); } AndmoreLogger.info(SignatureBlockFile.class, "Created signature block file"); }
From source file:org.eclipse.milo.opcua.stack.core.util.CertificateUtil.java
License:Open Source License
/** * Generate a {@link PKCS10CertificationRequest} for the provided {@code certificate} and {@code keyPair}. * * @param keyPair the {@link KeyPair} for {@code certificate}. * @param certificate the {@link X509Certificate} to request signing for. * @return a {@link PKCS10CertificationRequest}. * @throws Exception if creating the signing request fails for any reason. *//* w ww .j a v a 2 s . c o m*/ public static PKCS10CertificationRequest generateCsr(KeyPair keyPair, X509Certificate certificate) throws Exception { PKCS10CertificationRequestBuilder builder = new JcaPKCS10CertificationRequestBuilder( certificate.getSubjectX500Principal(), certificate.getPublicKey()); GeneralNames subjectAltNames = new GeneralNames( getSubjectAltNames(certificate).toArray(new GeneralName[0])); ExtensionsGenerator extGen = new ExtensionsGenerator(); extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames); builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate()); JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(certificate.getSigAlgName()); ContentSigner signer = signerBuilder.build(keyPair.getPrivate()); return builder.build(signer); }
From source file:org.eclipse.milo.opcua.stack.core.util.CertificateUtil.java
License:Open Source License
/** * Generate a {@link PKCS10CertificationRequest}. * * @param keyPair the {@link KeyPair} containing Public and Private keys. * @param subject the subject name {@link X500Name}. * @param sanUri the URI to request in the SAN. * @param sanDnsNames the DNS names to request in the SAN. * @param sanIpAddresses the IP addresses to request in the SAN. * @param signatureAlgorithm the signature algorithm to use when generating the signature to validate the * certificate. * @return a {@link PKCS10CertificationRequest}. * @throws Exception if creating the signing request fails for any reason. *//*w ww . j av a2s. c o m*/ public static PKCS10CertificationRequest generateCsr(KeyPair keyPair, X500Name subject, String sanUri, List<String> sanDnsNames, List<String> sanIpAddresses, String signatureAlgorithm) throws Exception { PKCS10CertificationRequestBuilder builder = new PKCS10CertificationRequestBuilder(subject, SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded())); List<GeneralName> generalNames = new ArrayList<>(); generalNames.add(new GeneralName(SUBJECT_ALT_NAME_URI, sanUri)); sanDnsNames.stream().map(n -> new GeneralName(SUBJECT_ALT_NAME_DNS_NAME, n)).forEach(generalNames::add); sanIpAddresses.stream().map(n -> new GeneralName(SUBJECT_ALT_NAME_IP_ADDRESS, n)) .forEach(generalNames::add); ExtensionsGenerator extGen = new ExtensionsGenerator(); extGen.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(generalNames.toArray(new GeneralName[0]))); builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate()); JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm); ContentSigner signer = signerBuilder.build(keyPair.getPrivate()); return builder.build(signer); }
From source file:org.eclipse.milo.opcua.stack.core.util.CertificateValidationUtilTest.java
License:Open Source License
private X509CRL generateCrl(X509Certificate ca, PrivateKey caPrivateKey, X509Certificate... revoked) throws Exception { X509v2CRLBuilder builder = new X509v2CRLBuilder(new X500Name(ca.getSubjectDN().getName()), new Date()); for (X509Certificate certificate : revoked) { builder.addCRLEntry(certificate.getSerialNumber(), new Date(), CRLReason.privilegeWithdrawn); }/* w w w . j a v a 2 s . co m*/ JcaContentSignerBuilder contentSignerBuilder = new JcaContentSignerBuilder("SHA256WithRSAEncryption"); contentSignerBuilder.setProvider("BC"); X509CRLHolder crlHolder = builder.build(contentSignerBuilder.build(caPrivateKey)); JcaX509CRLConverter converter = new JcaX509CRLConverter(); converter.setProvider("BC"); return converter.getCRL(crlHolder); }
From source file:org.eclipse.milo.opcua.stack.core.util.SelfSignedCertificateGenerator.java
License:Open Source License
public X509Certificate generateSelfSigned(KeyPair keyPair, Date notBefore, Date notAfter, @Nullable String commonName, @Nullable String organization, @Nullable String organizationalUnit, @Nullable String localityName, @Nullable String stateName, @Nullable String countryCode, @Nullable String applicationUri, List<String> dnsNames, List<String> ipAddresses, String signatureAlgorithm) throws Exception { X500NameBuilder nameBuilder = new X500NameBuilder(); if (commonName != null) { nameBuilder.addRDN(BCStyle.CN, commonName); }//from w ww .jav a 2 s.c om if (organization != null) { nameBuilder.addRDN(BCStyle.O, organization); } if (organizationalUnit != null) { nameBuilder.addRDN(BCStyle.OU, organizationalUnit); } if (localityName != null) { nameBuilder.addRDN(BCStyle.L, localityName); } if (stateName != null) { nameBuilder.addRDN(BCStyle.ST, stateName); } if (countryCode != null) { nameBuilder.addRDN(BCStyle.C, countryCode); } X500Name name = nameBuilder.build(); // Using the current timestamp as the certificate serial number BigInteger certSerialNumber = new BigInteger(Long.toString(System.currentTimeMillis())); SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo .getInstance(keyPair.getPublic().getEncoded()); X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(name, certSerialNumber, notBefore, notAfter, name, subjectPublicKeyInfo); BasicConstraints basicConstraints = new BasicConstraints(true); // Authority Key Identifier addAuthorityKeyIdentifier(certificateBuilder, keyPair); // Basic Constraints addBasicConstraints(certificateBuilder, basicConstraints); // Key Usage addKeyUsage(certificateBuilder); // Extended Key Usage addExtendedKeyUsage(certificateBuilder); // Subject Alternative Name addSubjectAlternativeNames(certificateBuilder, keyPair, applicationUri, dnsNames, ipAddresses); ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm) .setProvider(new BouncyCastleProvider()).build(keyPair.getPrivate()); X509CertificateHolder certificateHolder = certificateBuilder.build(contentSigner); return new JcaX509CertificateConverter().getCertificate(certificateHolder); }