List of usage examples for org.bouncycastle.operator.jcajce JcaContentSignerBuilder JcaContentSignerBuilder
public JcaContentSignerBuilder(String signatureAlgorithm)
From source file:org.teknux.jettybootstrap.keystore.JettyKeystore.java
License:Apache License
private static Certificate generateCertificate(KeyPair keyPair, String domainName, String signatureAlgorithm, String rdnOuValue, String rdnOValue, int dateNotBeforeNumberOfDays, int dateNotAfterNumberOfDays) throws JettyKeystoreException { X500NameBuilder issuerX500Namebuilder = new X500NameBuilder(BCStyle.INSTANCE); if (rdnOuValue != null) { issuerX500Namebuilder.addRDN(BCStyle.OU, rdnOuValue); }/*www . j a v a2 s .c o m*/ if (rdnOValue != null) { issuerX500Namebuilder.addRDN(BCStyle.O, rdnOValue); } X500Name issuer = issuerX500Namebuilder.addRDN(BCStyle.CN, domainName).build(); BigInteger serial = BigInteger.valueOf(Math.abs(new SecureRandom().nextInt())); Date dateNotBefore = new Date(System.currentTimeMillis() - (dateNotBeforeNumberOfDays * DAY_IN_MILLIS)); Date dateNotAfter = new Date(System.currentTimeMillis() + (dateNotAfterNumberOfDays * DAY_IN_MILLIS)); X500NameBuilder subjectX500Namebuilder = new X500NameBuilder(BCStyle.INSTANCE); if (rdnOuValue != null) { subjectX500Namebuilder.addRDN(BCStyle.OU, rdnOuValue); } if (rdnOValue != null) { subjectX500Namebuilder.addRDN(BCStyle.O, rdnOValue); } X500Name subject = subjectX500Namebuilder.addRDN(BCStyle.CN, domainName).build(); SubjectPublicKeyInfo publicKeyInfo = new SubjectPublicKeyInfo( ASN1Sequence.getInstance(keyPair.getPublic().getEncoded())); X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder(issuer, serial, dateNotBefore, dateNotAfter, subject, publicKeyInfo); Provider provider = new BouncyCastleProvider(); try { ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).setProvider(provider) .build(keyPair.getPrivate()); return new JcaX509CertificateConverter().setProvider(provider) .getCertificate(x509v3CertificateBuilder.build(signer)); } catch (OperatorCreationException | CertificateException e) { throw new JettyKeystoreException(JettyKeystoreException.ERROR_CREATE_CERTIFICATE, "Can not generate certificate", e); } }
From source file:org.texai.x509.X509Utils.java
License:Open Source License
/** Generates an intermediate CA certificate, that is to be used to sign end-use certificates. * * @param myPublicKey the public key for this certificate * @param issuerPrivateKey the issuer's private key * @param issuerCertificate the issuer's certificate, which is either the root CA certificate or another intermediate * CA certificate//from ww w.j av a 2 s . c o m * @param pathLengthConstraint the maximum number of CA certificates that may follow this certificate in a certification * path. (Note: One end-entity certificate will follow the final CA certificate in the path. The last certificate in a path * is considered an end-entity certificate, whether the subject of the certificate is a CA or not.) * @return an intermediate CA certificate * * @throws CertificateParsingException when the certificate cannot be parsed * @throws CertificateEncodingException when the certificate cannot be encoded * @throws NoSuchProviderException when an invalid provider is given * @throws NoSuchAlgorithmException when an invalid algorithm is given * @throws SignatureException when the an invalid signature is present * @throws InvalidKeyException when the given key is invalid * @throws IOException if an input/output error occurs while processing the serial number file */ public static X509Certificate generateIntermediateX509Certificate(final PublicKey myPublicKey, final PrivateKey issuerPrivateKey, final X509Certificate issuerCertificate, int pathLengthConstraint) throws CertificateParsingException, CertificateEncodingException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException, IOException { //Preconditions assert myPublicKey != null : "myPublicKey must not be null"; assert issuerPrivateKey != null : "issuerPrivateKey must not be null"; assert issuerCertificate != null : "issuerCertificate must not be null"; //final X500Name issuer = new X500Name(issuerCertificate.getSubjectX500Principal().getName()); final X500Name issuer = new X500Name( StringUtils.reverseCommaDelimitedString(issuerCertificate.getSubjectX500Principal().getName())); final UUID intermediateUUID = UUID.randomUUID(); // provide items to X500Principal in reverse order final X500Principal x500Principal = new X500Principal( "UID=" + intermediateUUID + ", DC=IntermediateCertificate, CN=texai.org"); final X500Name subject = new X500Name(x500Principal.getName()); SubjectPublicKeyInfo publicKeyInfo = new SubjectPublicKeyInfo( ASN1Sequence.getInstance(myPublicKey.getEncoded())); final X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder(issuer, getNextSerialNumber(), // serial new Date(System.currentTimeMillis() - 10000L), // notBefore, new Date(System.currentTimeMillis() + VALIDITY_PERIOD), // notAfter, subject, publicKeyInfo); // see http://www.ietf.org/rfc/rfc3280.txt // see http://stackoverflow.com/questions/20175447/creating-certificates-for-ssl-communication final JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils(); // Add authority key identifier x509v3CertificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, // isCritical jcaX509ExtensionUtils.createAuthorityKeyIdentifier(issuerCertificate)); // Add subject key identifier x509v3CertificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, // isCritical jcaX509ExtensionUtils.createSubjectKeyIdentifier(myPublicKey)); // add basic constraints x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, // isCritical new BasicConstraints(pathLengthConstraint)); // is a CA certificate with specified certification path length // add key usage final KeyUsage keyUsage = new KeyUsage( // the keyCertSign bit indicates that the subject public key may be used for verifying a signature on // certificates KeyUsage.keyCertSign | // the cRLSign indicates that the subject public key may be used for verifying a signature on revocation // information KeyUsage.cRLSign); x509v3CertificateBuilder.addExtension(Extension.keyUsage, true, // isCritical keyUsage); X509Certificate x509Certificate; try { final ContentSigner contentSigner = new JcaContentSignerBuilder(DIGITAL_SIGNATURE_ALGORITHM) .setProvider(BOUNCY_CASTLE_PROVIDER).build(issuerPrivateKey); final X509CertificateHolder x509CertificateHolder = x509v3CertificateBuilder.build(contentSigner); final JcaX509CertificateConverter jcaX509CertificateConverter = new JcaX509CertificateConverter(); x509Certificate = makeCanonicalX509Certificate( jcaX509CertificateConverter.getCertificate(x509CertificateHolder)); } catch (CertificateException | OperatorCreationException ex) { throw new TexaiException(ex); } //Postconditions try { x509Certificate.checkValidity(); x509Certificate.verify(issuerCertificate.getPublicKey()); } catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException | NoSuchProviderException | SignatureException ex) { throw new TexaiException(ex); } return x509Certificate; }
From source file:org.texai.x509.X509Utils.java
License:Open Source License
/** Generates a signed end-use certificate that cannot be used to sign other certificates, but can be used for authentication * and for message signing./*w w w . j a v a 2 s .co m*/ * * @param myPublicKey the public key for this certificate * @param issuerPrivateKey the issuer's private key * @param issuerCertificate the issuer's certificate * @param uid the subject UID * @param domainComponent the domain component, e.g. TexaiLauncher or NodeRuntime * @return a signed end-use certificate * * @throws CertificateParsingException when the certificate cannot be parsed * @throws CertificateEncodingException when the certificate cannot be encoded * @throws NoSuchProviderException when an invalid provider is given * @throws NoSuchAlgorithmException when an invalid algorithm is given * @throws SignatureException when the an invalid signature is present * @throws InvalidKeyException when the given key is invalid * @throws IOException if an input/output error occurs while processing the serial number file */ public static X509Certificate generateX509Certificate(final PublicKey myPublicKey, final PrivateKey issuerPrivateKey, final X509Certificate issuerCertificate, final UUID uid, final String domainComponent) throws CertificateParsingException, CertificateEncodingException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException, IOException { //Preconditions assert myPublicKey != null : "myPublicKey must not be null"; assert issuerPrivateKey != null : "issuerPrivateKey must not be null"; assert issuerCertificate != null : "issuerCertificate must not be null"; assert uid != null : "uid must not be null"; final String x500PrincipalString; // provide items to X500Principal in reverse order if (domainComponent == null || domainComponent.isEmpty()) { x500PrincipalString = "UID=" + uid + ", CN=texai.org"; } else { x500PrincipalString = "UID=" + uid + ", DC=" + domainComponent + " ,CN=texai.org"; } final X500Principal x500Principal = new X500Principal(x500PrincipalString); LOGGER.info("issuer: " + issuerCertificate.getIssuerX500Principal().getName()); final X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder( new X500Name(StringUtils .reverseCommaDelimitedString(issuerCertificate.getSubjectX500Principal().getName())), // issuer, getNextSerialNumber(), // serial new Date(System.currentTimeMillis() - 10000L), // notBefore, new Date(System.currentTimeMillis() + VALIDITY_PERIOD), // notAfter, new X500Name(x500Principal.getName()), // subject, new SubjectPublicKeyInfo(ASN1Sequence.getInstance(myPublicKey.getEncoded()))); // publicKeyInfo // see http://www.ietf.org/rfc/rfc3280.txt // see http://stackoverflow.com/questions/20175447/creating-certificates-for-ssl-communication final JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils(); // Add authority key identifier x509v3CertificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, // isCritical jcaX509ExtensionUtils.createAuthorityKeyIdentifier(issuerCertificate)); // Add subject key identifier x509v3CertificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, // isCritical jcaX509ExtensionUtils.createSubjectKeyIdentifier(myPublicKey)); // add basic constraints x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, // isCritical new BasicConstraints(false)); // is not a CA certificate // add key usage final KeyUsage keyUsage = new KeyUsage( // the digitalSignature usage indicates that the subject public key may be used with a digital signature // mechanism to support security services other than non-repudiation, certificate signing, or revocation // information signing KeyUsage.digitalSignature | // the nonRepudiation usage indicates that the subject public key may be used to verify digital signatures // used to provide a non-repudiation service which protects against the signing entity falsely denying some // action, excluding certificate or CRL signing KeyUsage.nonRepudiation | // the keyEncipherment usage indicates that the subject public key may be used for key transport, e.g. the // exchange of efficient symmetric keys in SSL KeyUsage.keyEncipherment | // the dataEncipherment usage indicates that the subject public key may be used for enciphering user data, // other than cryptographic keys KeyUsage.dataEncipherment | // the keyAgreement usage indicates that the subject public key may be used for key agreement, e.g. when a // Diffie-Hellman key is to be used for key management KeyUsage.keyAgreement | // the keyCertSign bit indicates that the subject public key may be used for verifying a signature on // certificates KeyUsage.keyCertSign | // the cRLSign indicates that the subject public key may be used for verifying a signature on revocation // information KeyUsage.cRLSign | // see http://www.docjar.com/html/api/sun/security/validator/EndEntityChecker.java.html - bit 0 needs to set for SSL // client authorization KeyUsage.encipherOnly); x509v3CertificateBuilder.addExtension(Extension.keyUsage, true, // isCritical keyUsage); X509Certificate x509Certificate; try { final ContentSigner contentSigner = new JcaContentSignerBuilder(DIGITAL_SIGNATURE_ALGORITHM) .setProvider(BOUNCY_CASTLE_PROVIDER).build(issuerPrivateKey); final X509CertificateHolder x509CertificateHolder = x509v3CertificateBuilder.build(contentSigner); final JcaX509CertificateConverter jcaX509CertificateConverter = new JcaX509CertificateConverter(); x509Certificate = makeCanonicalX509Certificate( jcaX509CertificateConverter.getCertificate(x509CertificateHolder)); } catch (CertificateException | OperatorCreationException ex) { throw new TexaiException(ex); } //Postconditions try { x509Certificate.checkValidity(); x509Certificate.verify(issuerCertificate.getPublicKey()); } catch (CertificateException | NoSuchAlgorithmException | InvalidKeyException | NoSuchProviderException | SignatureException ex) { throw new TexaiException(ex); } assert x509Certificate.getKeyUsage()[0] : "must have digital signature key usage"; return x509Certificate; }
From source file:org.texai.x509.X509Utils.java
License:Open Source License
/** Generates a self-signed certificate to use as a CA root certificate. * * @param keyPair the root public/private key pair * @return a self-signed CA root certificate * * @throws CertificateEncodingException when the certificate cannot be encoded * @throws NoSuchProviderException when an invalid provider is given * @throws NoSuchAlgorithmException when an invalid algorithm is given * @throws SignatureException when the an invalid signature is present * @throws InvalidKeyException when the given key is invalid * @throws IOException if an input/output error occurs while processing the serial number file *//*from w w w . j a v a 2s. c o m*/ protected static X509Certificate generateRootX509Certificate(final KeyPair keyPair) throws CertificateEncodingException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException, IOException { //Preconditions assert keyPair != null : "keyPair must not be null"; final UUID rootUUID = UUID.randomUUID(); // provide items to X500Principal in reverse order final X500Principal rootX500Principal = new X500Principal( "UID=" + rootUUID + ", O=Texai Certification Authority, CN=texai.org"); final X500Name subject = new X500Name(rootX500Principal.getName()); final X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder( new X500Name(rootX500Principal.getName()), // issuer, getNextSerialNumber(), // serial new Date(System.currentTimeMillis() - 10000L), // notBefore, new Date(System.currentTimeMillis() + VALIDITY_PERIOD), // notAfter, subject, new SubjectPublicKeyInfo(ASN1Sequence.getInstance(keyPair.getPublic().getEncoded()))); // publicKeyInfo // see http://www.ietf.org/rfc/rfc3280.txt // see http://stackoverflow.com/questions/20175447/creating-certificates-for-ssl-communication final JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils(); // Add subject key identifier x509v3CertificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, // isCritical jcaX509ExtensionUtils.createSubjectKeyIdentifier(keyPair.getPublic())); // add basic constraints x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, // isCritical new BasicConstraints(true)); // is a CA certificate with an unlimited certification path length final KeyUsage keyUsage = new KeyUsage( // the keyCertSign bit indicates that the subject public key may be used for verifying a signature on // certificates KeyUsage.keyCertSign | // the cRLSign indicates that the subject public key may be used for verifying a signature on revocation // information KeyUsage.cRLSign); // add key usage x509v3CertificateBuilder.addExtension(Extension.keyUsage, true, // isCritical keyUsage); X509Certificate rootX509Certificate; try { final ContentSigner contentSigner = new JcaContentSignerBuilder(DIGITAL_SIGNATURE_ALGORITHM) .setProvider(BOUNCY_CASTLE_PROVIDER).build(keyPair.getPrivate()); final X509CertificateHolder x509CertificateHolder = x509v3CertificateBuilder.build(contentSigner); final JcaX509CertificateConverter jcaX509CertificateConverter = new JcaX509CertificateConverter(); rootX509Certificate = jcaX509CertificateConverter.getCertificate(x509CertificateHolder); } catch (CertificateException | OperatorCreationException ex) { throw new TexaiException(ex); } //Postconditions try { rootX509Certificate.checkValidity(); rootX509Certificate.verify(keyPair.getPublic()); return rootX509Certificate; } catch (InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException ex) { throw new TexaiException(ex); } }
From source file:org.usrz.libs.crypto.cert.X509CertificateBuilder.java
License:Apache License
/** * Build the final {@link X509Certificate} instance. *///from ww w.ja v a 2 s . c o m public X509Certificate build() { if (subject == null) throw new IllegalStateException("Subject not specified"); if (issuer == null) throw new IllegalStateException("Issuer not specified"); if (serial == null) throw new IllegalStateException("Serial not specified"); if (!notAfter.after(notBefore)) throw new IllegalStateException("Date \"not-after\" before or equal to \"not-before\""); if (issuerPrivateKey == null) throw new IllegalStateException("Issuer private key not specified"); if (subjectPublicKey == null) throw new IllegalStateException("Sobject public key not specified"); /* Standard subject public key and X500 names */ final SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo .getInstance(subjectPublicKey.getEncoded()); final X500Name subjectName = X500Name.getInstance(subject.getEncoded()); final X500Name issuerName = X500Name.getInstance(issuer.getEncoded()); /* Derive the issuer public key from the private one if needed/possible */ if ((issuerPublicKey == null) && (issuerPrivateKey instanceof RSAPrivateCrtKey)) try { final RSAPrivateCrtKey key = (RSAPrivateCrtKey) issuerPrivateKey; final RSAPublicKeySpec spec = new RSAPublicKeySpec(key.getModulus(), key.getPublicExponent()); issuerPublicKey = KeyFactory.getInstance("RSA").generatePublic(spec); } catch (InvalidKeySpecException | NoSuchAlgorithmException exception) { Logger.getLogger(this.getClass().getName()).log(Level.FINE, "Unable to generate public key from private", exception); } final X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(issuerName, serial, notBefore, notAfter, subjectName, subjectPublicKeyInfo); try { final JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils(); /* Are we a certificate authority? */ certificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(Mode.AUTHORITY.equals(mode))); /* Add our subject key identifier */ certificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(subjectPublicKeyInfo)); /* Do we have Standard key usages? */ if (!standardKeyUsage.isEmpty()) certificateBuilder.addExtension(Extension.keyUsage, false, new KeyUsage(StandardKeyUsage.combine(standardKeyUsage))); /* Do we have extended key usages? */ if (!extendedKeyUsage.isEmpty()) certificateBuilder.addExtension(Extension.extendedKeyUsage, false, ExtendedKeyUsage.combine(extendedKeyUsage)); /* Add our authority key identifer */ if (issuerPublicKey != null) { final SubjectPublicKeyInfo authorityPublicKeyInfo = SubjectPublicKeyInfo .getInstance(issuerPublicKey.getEncoded()); certificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(authorityPublicKeyInfo)); } /* Add our alternative names */ if (!alternativeNames.isEmpty()) { final GeneralName[] names = alternativeNames.toArray(new GeneralName[alternativeNames.size()]); certificateBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(names)); } /* Add CRL distribution points */ if (!crlDistributionPoints.isEmpty()) { final DistributionPoint[] distributionPoints = new DistributionPoint[crlDistributionPoints.size()]; int position = 0; for (GeneralName generalName : crlDistributionPoints) { final DistributionPointName distributionPointName = new DistributionPointName( new GeneralNames(generalName)); distributionPoints[position++] = new DistributionPoint(distributionPointName, null, null); } final CRLDistPoint crlDistributionPoint = new CRLDistPoint(distributionPoints); certificateBuilder.addExtension(Extension.cRLDistributionPoints, false, crlDistributionPoint); } } catch (CertIOException | NoSuchAlgorithmException exception) { throw new IllegalStateException("Exception adding extensions", exception); } try { final CertificateFactory factory = CertificateFactory.getInstance("X.509"); final String signatureAlgorithm = CryptoUtils.getSignatureAlgorithm(issuerPrivateKey, hash); final ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(issuerPrivateKey); final X509CertificateHolder certificateHolder = certificateBuilder.build(signer); return (X509Certificate) factory .generateCertificate(new ByteArrayInputStream(certificateHolder.getEncoded())); } catch (OperatorCreationException exception) { throw new IllegalStateException("Unable to create certificate signature", exception); } catch (IOException exception) { throw new IllegalStateException("Unable to generate certificate data", exception); } catch (CertificateException exception) { throw new IllegalStateException("Unable to generate certificate", exception); } }
From source file:org.usrz.libs.crypto.utils.PKCS7.java
License:Apache License
/** * Prepare a detached <code>PKCS7</code> signature. * * @param privateKey The private key to use for signing * @param certificate The certificate associated with the private key. * @param authorities An optional list of certificate authorities to include. * @param data The {@linkplain Hash hashing algorithm} to use for signing. * @param data The binary data to sign.//from w w w. j av a 2 s. co m * @return The <code>PKCS7</code> as a byte array. * @throws SignatureException If there was a problem generating the signature. */ public static byte[] sign(final PrivateKey privateKey, final X509Certificate certificate, final List<X509Certificate> authorities, final Hash hash, final byte[] data) throws SignatureException { try { final String signatureAlgorithm = CryptoUtils.getSignatureAlgorithm(privateKey, hash); final ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(privateKey); final CMSSignedDataGenerator generator = new CMSSignedDataGenerator(); generator.addSignerInfoGenerator( new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build()) .setSignedAttributeGenerator(new DefaultSignedAttributeTableGenerator()) .build(signer, certificate)); final Set<Certificate> certificates = new HashSet<>(); if (authorities != null) { for (Certificate authority : authorities) certificates.add(authority); } certificates.add(certificate); generator.addCertificates(new JcaCertStore(certificates)); final CMSTypedData cmsData = new CMSProcessableByteArray(data); final CMSSignedData signeddata = generator.generate(cmsData, false); return signeddata.getEncoded(); } catch (Exception exception) { throw new SignatureException("Signature could not be generated", exception); } }
From source file:org.votingsystem.signature.util.TimeStampResponseGenerator.java
License:Open Source License
public TimeStampResponseGenerator(InputStream requestInputStream, SignatureData signingData, Date timeStampDate) throws ExceptionVS, OperatorCreationException, CertificateEncodingException, TSPException { TimeStampRequest timeStampRequest;//from ww w. j a v a 2 s. c om try { timeStampRequest = new TimeStampRequest(requestInputStream); } catch (Exception ex) { throw new ExceptionVS("request null"); } this.statusStrings = new ASN1EncodableVector(); serialNumber = KeyGeneratorVS.INSTANCE.getSerno(); log.info("getTimeStampResponse - serialNumber: " + serialNumber + " - CertReq: " + timeStampRequest.getCertReq()); JcaSignerInfoGeneratorBuilder infoGeneratorBuilder = new JcaSignerInfoGeneratorBuilder( new JcaDigestCalculatorProviderBuilder().setProvider(ContextVS.PROVIDER).build()); tokenGenerator = new TimeStampTokenGenerator( infoGeneratorBuilder.build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM) .setProvider(ContextVS.PROVIDER).build(signingData.getSigningKey()), signingData.getSigningCert()), new ASN1ObjectIdentifier(DEFAULT_TSA_POLICY_OID)); tokenGenerator.setAccuracyMicros(ACCURACYMICROS); tokenGenerator.setAccuracyMillis(ACCURACYMILLIS); tokenGenerator.setAccuracySeconds(ACCURACYSECONDS); tokenGenerator.setOrdering(ORDERING); tokenGenerator.addCertificates(signingData.getCerts()); token = tokenGenerator.generate(timeStampRequest, serialNumber, timeStampDate); }
From source file:org.wildfly.extension.elytron.TlsTestCase.java
License:Apache License
private static X509CRLHolder createCRL() throws Exception { Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); SelfSignedX509CertificateAndSigningKey muneraSelfSignedX509CertificateAndSigningKey = SelfSignedX509CertificateAndSigningKey .builder().setDn(MUNERASOFT_DN).setKeyAlgorithmName("RSA") .setSignatureAlgorithmName("SHA256withRSA") .addExtension(false, "BasicConstraints", "CA:true,pathlen:2147483647").build(); X509Certificate muneraCertificate = muneraSelfSignedX509CertificateAndSigningKey.getSelfSignedCertificate(); Calendar calendar = Calendar.getInstance(); Date currentDate = calendar.getTime(); calendar.add(Calendar.YEAR, 1); Date nextYear = calendar.getTime(); calendar.add(Calendar.YEAR, -1); calendar.add(Calendar.SECOND, -30); Date revokeDate = calendar.getTime(); X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(new X500Name(MUNERASOFT_DN.getName()), currentDate); crlBuilder.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(muneraCertificate.getPublicKey())); crlBuilder.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.valueOf(4110))); crlBuilder.addCRLEntry(new BigInteger("1005"), revokeDate, CRLReason.unspecified); crlBuilder.addCRLEntry(new BigInteger("1006"), revokeDate, CRLReason.unspecified); return crlBuilder.setNextUpdate(nextYear).build(new JcaContentSignerBuilder("SHA256withRSA") .setProvider("BC").build(muneraSelfSignedX509CertificateAndSigningKey.getSigningKey())); }
From source file:org.wildfly.security.ssl.SSLAuthenticationTest.java
License:Open Source License
private static void createKeyStores(File ladybirdFile, File scarabFile, File dungFile, File fireflyFile, File beetlesFile, File trustFile, File shortwingedFile, File roveFile, File caBlankPemCrl, File icaBlankPemCrl, File blankBlankPemCrl, File fireflyRevokedPemCrl, File icaRevokedPemCrl) throws Exception { KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); X500Principal issuerDN = new X500Principal( "CN=Elytron CA, ST=Elytron, C=UK, EMAILADDRESS=elytron@wildfly.org, O=Root Certificate Authority"); X500Principal intermediateIssuerDN = new X500Principal( "CN=Elytron ICA, ST=Elytron, C=UK, O=Intermediate Certificate Authority"); X500Principal ladybirdDN = new X500Principal("OU=Elytron, O=Elytron, C=UK, ST=Elytron, CN=Ladybird"); X500Principal scarabDN = new X500Principal("OU=Elytron, O=Elytron, C=UK, ST=Elytron, CN=Scarab"); X500Principal dungDN = new X500Principal("OU=Elytron, O=Elytron, C=UK, ST=Elytron, CN=Dung"); X500Principal fireflyDN = new X500Principal("OU=Elytron, O=Elytron, C=UK, ST=Elytron, CN=Firefly"); X500Principal roveDN = new X500Principal("OU=Elytron, O=Elytron, C=UK, ST=Elytron, CN=Rove"); KeyStore ladybirdKeyStore = loadKeyStore(); KeyStore scarabKeyStore = loadKeyStore(); KeyStore dungKeyStore = loadKeyStore(); KeyStore fireflyKeyStore = loadKeyStore(); KeyStore beetlesKeyStore = loadKeyStore(); KeyStore trustStore = loadKeyStore(); KeyStore shortwingedKeyStore = loadKeyStore(); KeyStore roveKeyStore = loadKeyStore(); // Generates the issuer certificate and adds it to the keystores SelfSignedX509CertificateAndSigningKey issuerSelfSignedX509CertificateAndSigningKey = SelfSignedX509CertificateAndSigningKey .builder().setDn(issuerDN).setKeyAlgorithmName("RSA").setSignatureAlgorithmName("SHA1withRSA") .addExtension(false, "BasicConstraints", "CA:true,pathlen:2147483647").build(); X509Certificate issuerCertificate = issuerSelfSignedX509CertificateAndSigningKey.getSelfSignedCertificate(); ladybirdKeyStore.setCertificateEntry("ca", issuerCertificate); scarabKeyStore.setCertificateEntry("ca", issuerCertificate); dungKeyStore.setCertificateEntry("ca", issuerCertificate); fireflyKeyStore.setCertificateEntry("ca", issuerCertificate); trustStore.setCertificateEntry("mykey", issuerCertificate); // Generates the intermediate issuer certificate KeyPair intermediateIssuerKeys = keyPairGenerator.generateKeyPair(); PrivateKey intermediateIssuerSigningKey = intermediateIssuerKeys.getPrivate(); PublicKey intermediateIssuerPublicKey = intermediateIssuerKeys.getPublic(); X509Certificate intermediateIssuerCertificate = new X509CertificateBuilder().setIssuerDn(issuerDN) .setSubjectDn(intermediateIssuerDN).setSignatureAlgorithmName("SHA1withRSA") .setSigningKey(issuerSelfSignedX509CertificateAndSigningKey.getSigningKey()) .setPublicKey(intermediateIssuerPublicKey).setSerialNumber(new BigInteger("6")) .addExtension(new BasicConstraintsExtension(false, true, 0)).build(); // Generates certificate and keystore for Ladybird KeyPair ladybirdKeys = keyPairGenerator.generateKeyPair(); PrivateKey ladybirdSigningKey = ladybirdKeys.getPrivate(); PublicKey ladybirdPublicKey = ladybirdKeys.getPublic(); X509Certificate ladybirdCertificate = new X509CertificateBuilder().setIssuerDn(issuerDN) .setSubjectDn(ladybirdDN).setSignatureAlgorithmName("SHA1withRSA") .setSigningKey(issuerSelfSignedX509CertificateAndSigningKey.getSigningKey()) .setPublicKey(ladybirdPublicKey).setSerialNumber(new BigInteger("3")) .addExtension(new BasicConstraintsExtension(false, false, -1)).build(); ladybirdKeyStore.setKeyEntry("ladybird", ladybirdSigningKey, PASSWORD, new X509Certificate[] { ladybirdCertificate, issuerCertificate }); // Generates certificate and keystore for Scarab KeyPair scarabKeys = keyPairGenerator.generateKeyPair(); PrivateKey scarabSigningKey = scarabKeys.getPrivate(); PublicKey scarabPublicKey = scarabKeys.getPublic(); X509Certificate scarabCertificate = new X509CertificateBuilder().setIssuerDn(issuerDN) .setSubjectDn(scarabDN).setSignatureAlgorithmName("SHA1withRSA") .setSigningKey(issuerSelfSignedX509CertificateAndSigningKey.getSigningKey()) .setPublicKey(scarabPublicKey).setSerialNumber(new BigInteger("4")) .addExtension(new BasicConstraintsExtension(false, false, -1)).build(); scarabKeyStore.setKeyEntry("scarab", scarabSigningKey, PASSWORD, new X509Certificate[] { scarabCertificate, issuerCertificate }); // Generates certificate and keystore for Dung KeyPair dungKeys = keyPairGenerator.generateKeyPair(); PrivateKey dungSigningKey = dungKeys.getPrivate(); PublicKey dungPublicKey = dungKeys.getPublic(); X509Certificate dungCertificate = new X509CertificateBuilder().setIssuerDn(issuerDN).setSubjectDn(dungDN) .setSignatureAlgorithmName("SHA1withRSA") .setSigningKey(issuerSelfSignedX509CertificateAndSigningKey.getSigningKey()) .setPublicKey(dungPublicKey).setSerialNumber(new BigInteger("2")) .addExtension(new BasicConstraintsExtension(false, false, -1)).build(); dungKeyStore.setKeyEntry("dung", dungSigningKey, PASSWORD, new X509Certificate[] { dungCertificate, issuerCertificate }); // Generates certificate and keystore for Firefly KeyPair fireflyKeys = keyPairGenerator.generateKeyPair(); PrivateKey fireflySigningKey = fireflyKeys.getPrivate(); PublicKey fireflyPublicKey = fireflyKeys.getPublic(); X509Certificate fireflyCertificate = new X509CertificateBuilder().setIssuerDn(issuerDN) .setSubjectDn(fireflyDN).setSignatureAlgorithmName("SHA1withRSA") .setSigningKey(issuerSelfSignedX509CertificateAndSigningKey.getSigningKey()) .setPublicKey(fireflyPublicKey).setSerialNumber(new BigInteger("1")) .addExtension(new BasicConstraintsExtension(false, false, -1)).build(); fireflyKeyStore.setKeyEntry("firefly", fireflySigningKey, PASSWORD, new X509Certificate[] { fireflyCertificate, issuerCertificate }); // Generates certificate and keystore for Rove KeyPair roveKeys = keyPairGenerator.generateKeyPair(); PrivateKey roveSigningKey = roveKeys.getPrivate(); PublicKey rovePublicKey = roveKeys.getPublic(); X509Certificate roveCertificate = new X509CertificateBuilder().setIssuerDn(intermediateIssuerDN) .setSubjectDn(roveDN).setSignatureAlgorithmName("SHA256withRSA") .setSigningKey(intermediateIssuerSigningKey).setPublicKey(rovePublicKey) .setSerialNumber(new BigInteger("100")) .addExtension(new BasicConstraintsExtension(false, false, -1)).build(); roveKeyStore.setKeyEntry("rove", roveSigningKey, PASSWORD, new X509Certificate[] { roveCertificate, intermediateIssuerCertificate, issuerCertificate }); // Adds trusted certs for beetles beetlesKeyStore.setCertificateEntry("ladybird", ladybirdCertificate); beetlesKeyStore.setCertificateEntry("scarab", scarabCertificate); beetlesKeyStore.setCertificateEntry("dung", dungCertificate); beetlesKeyStore.setCertificateEntry("firefly", fireflyCertificate); // Adds trusted cert for shortwinged shortwingedKeyStore.setCertificateEntry("rove", roveCertificate); // Used for all CRLs Calendar calendar = Calendar.getInstance(); Date currentDate = calendar.getTime(); calendar.add(Calendar.YEAR, 1); Date nextYear = calendar.getTime(); calendar.add(Calendar.YEAR, -1); calendar.add(Calendar.SECOND, -30); Date revokeDate = calendar.getTime(); // Creates the CRL for ca/crl/blank.pem X509v2CRLBuilder caBlankCrlBuilder = new X509v2CRLBuilder( convertSunStyleToBCStyle(intermediateIssuerCertificate.getIssuerDN()), currentDate); X509CRLHolder caBlankCrlHolder = caBlankCrlBuilder.setNextUpdate(nextYear) .build(new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC") .build(issuerSelfSignedX509CertificateAndSigningKey.getSigningKey())); // Creates the CRL for ica/crl/blank.pem X509v2CRLBuilder icaBlankCrlBuilder = new X509v2CRLBuilder(convertSunStyleToBCStyle(intermediateIssuerDN), currentDate);//from w w w . j ava 2 s. c om X509CRLHolder icaBlankCrlHolder = icaBlankCrlBuilder.setNextUpdate(nextYear).build( new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(intermediateIssuerSigningKey)); // Creates the CRL for firefly-revoked.pem X509v2CRLBuilder fireflyRevokedCrlBuilder = new X509v2CRLBuilder( convertSunStyleToBCStyle(issuerCertificate.getSubjectDN()), currentDate); fireflyRevokedCrlBuilder.addCRLEntry(new BigInteger("1"), revokeDate, CRLReason.unspecified); X509CRLHolder fireflyRevokedCrlHolder = fireflyRevokedCrlBuilder.setNextUpdate(nextYear) .build(new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC") .build(issuerSelfSignedX509CertificateAndSigningKey.getSigningKey())); // Creates the CRL for ica-revoked.pem X509v2CRLBuilder icaRevokedCrlBuilder = new X509v2CRLBuilder( convertSunStyleToBCStyle(issuerCertificate.getSubjectDN()), currentDate); icaRevokedCrlBuilder.addCRLEntry(new BigInteger("6"), revokeDate, CRLReason.unspecified); X509CRLHolder icaRevokedCrlHolder = icaRevokedCrlBuilder.setNextUpdate(nextYear) .build(new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC") .build(issuerSelfSignedX509CertificateAndSigningKey.getSigningKey())); // Create the temporary files createTemporaryKeyStoreFile(ladybirdKeyStore, ladybirdFile, PASSWORD); createTemporaryKeyStoreFile(scarabKeyStore, scarabFile, PASSWORD); createTemporaryKeyStoreFile(dungKeyStore, dungFile, PASSWORD); createTemporaryKeyStoreFile(fireflyKeyStore, fireflyFile, PASSWORD); createTemporaryKeyStoreFile(beetlesKeyStore, beetlesFile, PASSWORD); createTemporaryKeyStoreFile(trustStore, trustFile, PASSWORD); createTemporaryKeyStoreFile(shortwingedKeyStore, shortwingedFile, PASSWORD); createTemporaryKeyStoreFile(roveKeyStore, roveFile, PASSWORD); PemWriter caBlankCrlOutput = new PemWriter(new OutputStreamWriter(new FileOutputStream(caBlankPemCrl))); PemWriter icaBlankCrlOutput = new PemWriter(new OutputStreamWriter(new FileOutputStream(icaBlankPemCrl))); PemWriter blankBlankCrlOutput = new PemWriter( new OutputStreamWriter(new FileOutputStream(blankBlankPemCrl))); PemWriter fireflyRevokedCrlOutput = new PemWriter( new OutputStreamWriter(new FileOutputStream(fireflyRevokedPemCrl))); PemWriter icaRevokedCrlOutput = new PemWriter( new OutputStreamWriter(new FileOutputStream(icaRevokedPemCrl))); caBlankCrlOutput.writeObject(new MiscPEMGenerator(caBlankCrlHolder)); icaBlankCrlOutput.writeObject(new MiscPEMGenerator(icaBlankCrlHolder)); blankBlankCrlOutput.writeObject(new MiscPEMGenerator(icaBlankCrlHolder)); blankBlankCrlOutput.writeObject(new MiscPEMGenerator(caBlankCrlHolder)); fireflyRevokedCrlOutput.writeObject(new MiscPEMGenerator(fireflyRevokedCrlHolder)); icaRevokedCrlOutput.writeObject(new MiscPEMGenerator(icaRevokedCrlHolder)); caBlankCrlOutput.close(); icaBlankCrlOutput.close(); blankBlankCrlOutput.close(); fireflyRevokedCrlOutput.close(); icaRevokedCrlOutput.close(); }
From source file:org.wso2.carbon.certificate.mgt.core.impl.CertificateGenerator.java
License:Open Source License
public X509Certificate generateX509Certificate() throws KeystoreException { CommonUtil commonUtil = new CommonUtil(); Date validityBeginDate = commonUtil.getValidityStartDate(); Date validityEndDate = commonUtil.getValidityEndDate(); Security.addProvider(new BouncyCastleProvider()); try {//w ww . j a v a 2 s.c o m KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance( CertificateManagementConstants.RSA, CertificateManagementConstants.PROVIDER); keyPairGenerator.initialize(CertificateManagementConstants.RSA_KEY_LENGTH, new SecureRandom()); KeyPair pair = keyPairGenerator.generateKeyPair(); X500Principal principal = new X500Principal(CertificateManagementConstants.DEFAULT_PRINCIPAL); X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder( principal, CommonUtil.generateSerialNumber(), validityBeginDate, validityEndDate, principal, pair.getPublic()); ContentSigner contentSigner = new JcaContentSignerBuilder(CertificateManagementConstants.SHA256_RSA) .setProvider(CertificateManagementConstants.PROVIDER).build( pair.getPrivate()); X509Certificate certificate = new JcaX509CertificateConverter() .setProvider(CertificateManagementConstants.PROVIDER).getCertificate( certificateBuilder.build(contentSigner)); // cert.checkValidity(); certificate.verify(certificate.getPublicKey()); List<org.wso2.carbon.certificate.mgt.core.bean.Certificate> certificates = new ArrayList<>(); org.wso2.carbon.certificate.mgt.core.bean.Certificate certificateToStore = new org.wso2.carbon.certificate.mgt.core.bean.Certificate(); certificateToStore.setTenantId(PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantId()); certificateToStore.setCertificate(certificate); certificates.add(certificateToStore); saveCertInKeyStore(certificates); return certificate; } catch (NoSuchAlgorithmException e) { String errorMsg = "No such algorithm found when generating certificate"; throw new KeystoreException(errorMsg, e); } catch (NoSuchProviderException e) { String errorMsg = "No such provider found when generating certificate"; throw new KeystoreException(errorMsg, e); } catch (OperatorCreationException e) { String errorMsg = "Issue in operator creation when generating certificate"; throw new KeystoreException(errorMsg, e); } catch (CertificateExpiredException e) { String errorMsg = "Certificate expired after generating certificate"; throw new KeystoreException(errorMsg, e); } catch (CertificateNotYetValidException e) { String errorMsg = "Certificate not yet valid when generating certificate"; throw new KeystoreException(errorMsg, e); } catch (CertificateException e) { String errorMsg = "Certificate issue occurred when generating certificate"; throw new KeystoreException(errorMsg, e); } catch (InvalidKeyException e) { String errorMsg = "Invalid key used when generating certificate"; throw new KeystoreException(errorMsg, e); } catch (SignatureException e) { String errorMsg = "Signature related issue occurred when generating certificate"; throw new KeystoreException(errorMsg, e); } }