List of usage examples for org.bouncycastle.pkcs PKCS10CertificationRequest getEncoded
public byte[] getEncoded() throws IOException
From source file:net.solarnetwork.pki.bc.BCCertificateService.java
License:Open Source License
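/**
 * Builds a PEM-encoded PKCS#10 certificate request from an existing certificate.
 * <p>
 * The subject name and public key are copied from {@code cert}; the request is then
 * signed with {@code privateKey} using the configured {@code signatureAlgorithm}.
 * For the CSR's proof-of-possession signature to verify, {@code privateKey} must be
 * the private half of the key contained in {@code cert}. This method does not check
 * that pairing, so a mismatched key produces a syntactically valid CSR whose
 * signature any CA will reject.
 *
 * @param cert       certificate supplying the subject DN and public key
 * @param privateKey key used to sign the request
 * @return PEM text containing a single {@code CERTIFICATE REQUEST} block
 * @throws CertificateException if the certificate cannot be encoded, the content
 *         signer cannot be created, or PEM encoding fails
 */
@Override
public String generatePKCS10CertificateRequestString(X509Certificate cert, PrivateKey privateKey)
        throws CertificateException {
    final X509CertificateHolder holder;
    try {
        holder = new JcaX509CertificateHolder(cert);
    } catch (CertificateEncodingException e) {
        throw new CertificateException("Error creating CSR", e);
    }
    final PKCS10CertificationRequestBuilder builder = new PKCS10CertificationRequestBuilder(
            holder.getSubject(), holder.getSubjectPublicKeyInfo());
    final ContentSigner signer;
    try {
        signer = new JcaContentSignerBuilder(signatureAlgorithm).build(privateKey);
    } catch (OperatorCreationException e) {
        throw new CertificateException("Error signing certificate request", e);
    }
    final PKCS10CertificationRequest csr = builder.build(signer);

    final StringWriter writer = new StringWriter();
    // PemWriter buffers its output; closing it (try-with-resources) flushes into the
    // StringWriter before toString() is read. A close failure is now reported instead
    // of being silently ignored; StringWriter itself holds no OS resource.
    try (PemWriter pemWriter = new PemWriter(writer)) {
        pemWriter.writeObject(new PemObject("CERTIFICATE REQUEST", csr.getEncoded()));
    } catch (IOException e) {
        // Previously reported as "Error signing certificate", which misdescribed a
        // PEM-encoding failure; signing has already completed at this point.
        throw new CertificateException("Error encoding certificate request", e);
    }
    return writer.toString();
}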
From source file:org.apache.airavata.gfac.bes.utils.MyProxyLogon.java
License:Apache License
/** * Retrieves credentials from the MyProxy server. *///from w w w.ja v a 2s . c o m public void getCredentials() throws IOException, GeneralSecurityException { KeyPairGenerator keyGenerator = KeyPairGenerator.getInstance(keyAlg); keyGenerator.initialize(keySize); keypair = keyGenerator.genKeyPair(); Security.addProvider(new BouncyCastleProvider()); PKCS10CertificationRequest pkcs10 = null; try { pkcs10 = generateCertificationRequest(DN, keypair); } catch (Exception ex) { throw new GeneralSecurityException(ex); } getCredentials(pkcs10.getEncoded()); }
From source file:org.apache.airavata.gfac.impl.task.utils.bes.MyProxyLogon.java
License:Apache License
/**
 * Retrieves credentials from the MyProxy server.
 * <p>
 * Generates a fresh key pair ({@code keyAlg}/{@code keySize}), stores it in
 * {@code keypair}, builds a PKCS#10 request for {@code DN} with that key and hands
 * the DER-encoded request to {@link #getCredentials(byte[])}. The BouncyCastle
 * provider is registered beforehand; re-registering an already installed provider
 * is a no-op in the JCA.
 *
 * @throws IOException              if the request cannot be DER-encoded
 * @throws GeneralSecurityException if key generation fails or building the
 *                                  request throws (any such failure is wrapped)
 */
public void getCredentials() throws IOException, GeneralSecurityException {
    final KeyPairGenerator generator = KeyPairGenerator.getInstance(keyAlg);
    generator.initialize(keySize);
    keypair = generator.generateKeyPair();
    Security.addProvider(new BouncyCastleProvider());
    final org.bouncycastle.pkcs.PKCS10CertificationRequest csr;
    try {
        csr = generateCertificationRequest(DN, keypair);
    } catch (Exception ex) {
        // Wrapped as a single checked type so callers only deal with GeneralSecurityException.
        throw new GeneralSecurityException(ex);
    }
    getCredentials(csr.getEncoded());
}
From source file:org.cesecore.certificates.ca.X509CA.java
License:Open Source License
/** * @see CA#createRequest(Collection, String, Certificate, int) *///from ww w .j a v a2 s .co m @Override public byte[] createRequest(CryptoToken cryptoToken, Collection<ASN1Encodable> attributes, String signAlg, Certificate cacert, int signatureKeyPurpose) throws CryptoTokenOfflineException { log.trace( ">createRequest: " + signAlg + ", " + CertTools.getSubjectDN(cacert) + ", " + signatureKeyPurpose); ASN1Set attrset = new DERSet(); if (attributes != null) { log.debug("Adding attributes in the request"); Iterator<ASN1Encodable> iter = attributes.iterator(); ASN1EncodableVector vec = new ASN1EncodableVector(); while (iter.hasNext()) { ASN1Encodable o = (ASN1Encodable) iter.next(); vec.add(o); } attrset = new DERSet(vec); } final X500NameStyle nameStyle; if (getUsePrintableStringSubjectDN()) { nameStyle = PrintableStringNameStyle.INSTANCE; } else { nameStyle = CeSecoreNameStyle.INSTANCE; } X500Name x509dn = CertTools.stringToBcX500Name(getSubjectDN(), nameStyle, getUseLdapDNOrder()); PKCS10CertificationRequest req; try { final CAToken catoken = getCAToken(); final String alias = catoken.getAliasFromPurpose(signatureKeyPurpose); final KeyPair keyPair = new KeyPair(cryptoToken.getPublicKey(alias), cryptoToken.getPrivateKey(alias)); req = CertTools.genPKCS10CertificationRequest(signAlg, x509dn, keyPair.getPublic(), attrset, keyPair.getPrivate(), cryptoToken.getSignProviderName()); log.trace("<createRequest"); return req.getEncoded(); } catch (CryptoTokenOfflineException e) { // NOPMD, since we catch wide below throw e; } catch (Exception e) { throw new RuntimeException(e); } }
From source file:org.cesecore.certificates.ca.X509CATest.java
License:Open Source License
/**
 * Exercises the basic X509CA operations for one signature algorithm: PKCS#7 chain
 * export (with and without the chain), PKCS#10 request creation (with and without
 * attributes), end-entity certificate issuance, and full and delta CRL generation
 * including the reasonCode entry extension.
 *
 * @param algName signature algorithm used for the CA and for the test key pair
 */
@SuppressWarnings("unchecked")
private void doTestX509CABasicOperations(String algName) throws Exception {
    final CryptoToken cryptoToken = getNewCryptoToken();
    final X509CA x509ca = createTestCA(cryptoToken, CADN);
    Certificate cacert = x509ca.getCACertificate();
    // Start by creating a PKCS7: with includeChain=true the bundle carries two certificates ...
    byte[] p7 = x509ca.createPKCS7(cryptoToken, cacert, true);
    assertNotNull(p7);
    CMSSignedData s = new CMSSignedData(p7);
    Store certstore = s.getCertificates();
    Collection<X509CertificateHolder> certs = certstore.getMatches(null);
    assertEquals(2, certs.size());
    // ... and with includeChain=false only the one.
    p7 = x509ca.createPKCS7(cryptoToken, cacert, false);
    assertNotNull(p7);
    s = new CMSSignedData(p7);
    certstore = s.getCertificates();
    certs = certstore.getMatches(null);
    assertEquals(1, certs.size());
    // Create a certificate request (will be pkcs10) without attributes; subject must be the CA DN
    byte[] req = x509ca.createRequest(cryptoToken, null, algName, cacert, CATokenConstants.CAKEYPURPOSE_CERTSIGN);
    PKCS10CertificationRequest p10 = new PKCS10CertificationRequest(req);
    assertNotNull(p10);
    String dn = p10.getSubject().toString();
    assertEquals(CADN, dn);
    // Make a request with some pkcs10 attributes as well
    Collection<ASN1Encodable> attributes = new ArrayList<ASN1Encodable>();
    // Add a subject alternative name, wrapped as a pkcs-9 extensionRequest attribute
    ASN1EncodableVector altnameattr = new ASN1EncodableVector();
    altnameattr.add(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
    GeneralNames san = CertTools.getGeneralNamesFromAltName("dNSName=foobar.bar.com");
    ExtensionsGenerator extgen = new ExtensionsGenerator();
    extgen.addExtension(Extension.subjectAlternativeName, false, san);
    Extensions exts = extgen.generate();
    altnameattr.add(new DERSet(exts));
    // Add a challenge password as well (pkcs-9 challengePassword attribute, test value only)
    ASN1EncodableVector pwdattr = new ASN1EncodableVector();
    pwdattr.add(PKCSObjectIdentifiers.pkcs_9_at_challengePassword);
    ASN1EncodableVector pwdvalues = new ASN1EncodableVector();
    pwdvalues.add(new DERUTF8String("foobar123"));
    pwdattr.add(new DERSet(pwdvalues));
    attributes.add(new DERSequence(altnameattr));
    attributes.add(new DERSequence(pwdattr));
    // create the p10 and check that both attributes survive a parse round trip
    req = x509ca.createRequest(cryptoToken, attributes, algName, cacert, CATokenConstants.CAKEYPURPOSE_CERTSIGN);
    p10 = new PKCS10CertificationRequest(req);
    assertNotNull(p10);
    dn = p10.getSubject().toString();
    assertEquals(CADN, dn);
    Attribute[] attrs = p10.getAttributes();
    assertEquals(2, attrs.length);
    PKCS10RequestMessage p10msg = new PKCS10RequestMessage(new JcaPKCS10CertificationRequest(p10));
    assertEquals("foobar123", p10msg.getPassword());
    assertEquals("dNSName=foobar.bar.com", p10msg.getRequestAltNames());
    try {
        x509ca.createAuthCertSignRequest(cryptoToken, p10.getEncoded());
    } catch (UnsupportedOperationException e) {
        // Expected for a X509 CA
        // NOTE(review): there is no fail() after the call above, so the test would also pass
        // if no exception were thrown at all.
    }
    // Generate a client certificate and check that it was generated correctly
    EndEntityInformation user = new EndEntityInformation("username", "CN=User", 666, "rfc822Name=user@user.com", "user@user.com", new EndEntityType(EndEntityTypes.ENDUSER), 0, 0, EndEntityConstants.TOKEN_USERGEN, 0, null);
    KeyPair keypair = genTestKeyPair(algName);
    CertificateProfile cp = new CertificateProfile(CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER);
    cp.addCertificatePolicy(new CertificatePolicy("1.1.1.2", null, null));
    cp.setUseCertificatePolicies(true);
    Certificate usercert = x509ca.generateCertificate(cryptoToken, user, keypair.getPublic(), 0, null, 10L, cp, "00000");
    assertNotNull(usercert);
    assertEquals("CN=User", CertTools.getSubjectDN(usercert));
    assertEquals(CADN, CertTools.getIssuerDN(usercert));
    assertEquals(getTestKeyPairAlgName(algName).toUpperCase(), AlgorithmTools.getCertSignatureAlgorithmNameAsString(usercert).toUpperCase());
    // AKI of the issued certificate must match the CA's SKI
    assertEquals(new String(CertTools.getSubjectKeyId(cacert)), new String(CertTools.getAuthorityKeyId(usercert)));
    assertEquals("user@user.com", CertTools.getEMailAddress(usercert));
    assertEquals("rfc822name=user@user.com", CertTools.getSubjectAlternativeName(usercert));
    assertNull(CertTools.getUPNAltName(usercert));
    assertFalse(CertTools.isSelfSigned(usercert));
    // Signature must verify with the CA key from the token and with the key in the CA certificate
    usercert.verify(cryptoToken.getPublicKey(x509ca.getCAToken().getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CERTSIGN)));
    usercert.verify(x509ca.getCACertificate().getPublicKey());
    assertTrue(CertTools.isCA(x509ca.getCACertificate()));
    assertFalse(CertTools.isCA(usercert));
    assertEquals("1.1.1.2", CertTools.getCertificatePolicyId(usercert, 0));
    // Key usage from the fixed end-user profile: digitalSignature, nonRepudiation, keyEncipherment only
    X509Certificate cert = (X509Certificate) usercert;
    boolean[] ku = cert.getKeyUsage();
    assertTrue(ku[0]);
    assertTrue(ku[1]);
    assertTrue(ku[2]);
    assertFalse(ku[3]);
    assertFalse(ku[4]);
    assertFalse(ku[5]);
    assertFalse(ku[6]);
    assertFalse(ku[7]);
    int bcku = CertTools.sunKeyUsageToBC(ku);
    assertEquals(X509KeyUsage.digitalSignature | X509KeyUsage.nonRepudiation | X509KeyUsage.keyEncipherment, bcku);
    // Create a CRL: empty, number 1, no delta indicator (-1)
    Collection<RevokedCertInfo> revcerts = new ArrayList<RevokedCertInfo>();
    X509CRLHolder crl = x509ca.generateCRL(cryptoToken, revcerts, 1);
    assertNotNull(crl);
    X509CRL xcrl = CertTools.getCRLfromByteArray(crl.getEncoded());
    assertEquals(CADN, CertTools.getIssuerDN(xcrl));
    Set<?> set = xcrl.getRevokedCertificates();
    assertNull(set);
    BigInteger num = CrlExtensions.getCrlNumber(xcrl);
    assertEquals(1, num.intValue());
    BigInteger deltanum = CrlExtensions.getDeltaCRLIndicator(xcrl);
    assertEquals(-1, deltanum.intValue());
    // Revoke some cert (certificateHold) and check the entry in CRL number 2
    Date revDate = new Date();
    revcerts.add(new RevokedCertInfo(CertTools.getFingerprintAsString(usercert).getBytes(), CertTools.getSerialNumber(usercert).toByteArray(), revDate.getTime(), RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, CertTools.getNotAfter(usercert).getTime()));
    crl = x509ca.generateCRL(cryptoToken, revcerts, 2);
    assertNotNull(crl);
    xcrl = CertTools.getCRLfromByteArray(crl.getEncoded());
    set = xcrl.getRevokedCertificates();
    assertEquals(1, set.size());
    num = CrlExtensions.getCrlNumber(xcrl);
    assertEquals(2, num.intValue());
    X509CRLEntry entry = (X509CRLEntry) set.iterator().next();
    assertEquals(CertTools.getSerialNumber(usercert).toString(), entry.getSerialNumber().toString());
    assertEquals(revDate.toString(), entry.getRevocationDate().toString());
    // Getting the revocation reason is a pita: the extension value is an OCTET STRING
    // wrapping the DER of the ENUMERATED reason, so it has to be unwrapped in two steps.
    byte[] extval = entry.getExtensionValue(Extension.reasonCode.getId());
    ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(extval));
    ASN1OctetString octs = (ASN1OctetString) aIn.readObject();
    aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets()));
    ASN1Primitive obj = aIn.readObject();
    CRLReason reason = CRLReason.getInstance((ASN1Enumerated) obj);
    assertEquals("CRLReason: certificateHold", reason.toString());
    // Create a delta CRL (number 3, based on CRL 2): empty, delta indicator 2
    revcerts = new ArrayList<RevokedCertInfo>();
    crl = x509ca.generateDeltaCRL(cryptoToken, revcerts, 3, 2);
    assertNotNull(crl);
    xcrl = CertTools.getCRLfromByteArray(crl.getEncoded());
    assertEquals(CADN, CertTools.getIssuerDN(xcrl));
    set = xcrl.getRevokedCertificates();
    assertNull(set);
    num = CrlExtensions.getCrlNumber(xcrl);
    assertEquals(3, num.intValue());
    deltanum = CrlExtensions.getDeltaCRLIndicator(xcrl);
    assertEquals(2, deltanum.intValue());
    // Delta CRL number 4 (based on 3) carrying the same hold entry
    revcerts.add(new RevokedCertInfo(CertTools.getFingerprintAsString(usercert).getBytes(), CertTools.getSerialNumber(usercert).toByteArray(), revDate.getTime(), RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, CertTools.getNotAfter(usercert).getTime()));
    crl = x509ca.generateDeltaCRL(cryptoToken, revcerts, 4, 3);
    assertNotNull(crl);
    xcrl = CertTools.getCRLfromByteArray(crl.getEncoded());
    deltanum = CrlExtensions.getDeltaCRLIndicator(xcrl);
    assertEquals(3, deltanum.intValue());
    set = xcrl.getRevokedCertificates();
    assertEquals(1, set.size());
    entry = (X509CRLEntry) set.iterator().next();
    assertEquals(CertTools.getSerialNumber(usercert).toString(), entry.getSerialNumber().toString());
    assertEquals(revDate.toString(), entry.getRevocationDate().toString());
    // Same two-step unwrap of the reasonCode extension as above
    extval = entry.getExtensionValue(Extension.reasonCode.getId());
    aIn = new ASN1InputStream(new ByteArrayInputStream(extval));
    octs = (ASN1OctetString) aIn.readObject();
    aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets()));
    obj = aIn.readObject();
    reason = CRLReason.getInstance((ASN1Enumerated) obj);
    assertEquals("CRLReason: certificateHold", reason.toString());
}
From source file:org.cesecore.certificates.certificate.request.RequestMessageTest.java
License:Open Source License
/**
 * Parses PKCS#10 requests through {@link PKCS10RequestMessage} and checks that the
 * username (taken from CN), request DN, alt names, challenge password, public key
 * and proof-of-possession signature come out as expected. Also covers DNs with
 * multi-valued RDNs: the unstructuredName OID (1.2.840.113549.1.9.2), which is
 * mapped to its attribute name and split into its own RDN, versus an unknown OID
 * (1.2.840.113549.1.9.3), which is left as a dotted OID inside the RDN.
 */
@Test
public void test01Pkcs10RequestMessage() throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, IOException, OperatorCreationException {
    // Request from the test fixture: CN=Test,OU=foo with an alt name and a challenge password.
    final PKCS10CertificationRequest fixtureReq = createP10("CN=Test,OU=foo");
    PKCS10RequestMessage parsed = new PKCS10RequestMessage(fixtureReq.toASN1Structure().getEncoded());
    assertEquals("Test", parsed.getUsername());
    assertEquals("CN=Test,OU=foo", parsed.getRequestDN());
    assertEquals("dNSName=foo1.bar.com", parsed.getRequestAltNames());
    // Same request decoded from the DER byte array rather than the ASN.1 structure.
    parsed = new PKCS10RequestMessage(fixtureReq.getEncoded());
    assertEquals("Test", parsed.getUsername());
    assertEquals("CN=Test,OU=foo", parsed.getRequestDN());
    assertEquals("foo123", parsed.getPassword());
    // The public key carried in the request must pair with the fixture's private key.
    final PublicKey requestKey = parsed.getRequestPublicKey();
    KeyTools.testKey(keyPair.getPrivate(), requestKey, "BC");
    // An empty message has no key at all.
    assertNull(new PKCS10RequestMessage().getRequestPublicKey());
    // Proof of possession: verifies with the embedded key and the matching key, but not with an unrelated one.
    assertTrue(parsed.verify());
    assertTrue(parsed.verify(requestKey));
    try {
        // Deliberately tiny key: only ever used as the "wrong" key in the negative check.
        final KeyPair unrelated = KeyTools.genKeys("512", "RSA");
        assertFalse(parsed.verify(unrelated.getPublic()));
    } catch (InvalidAlgorithmParameterException e) {
        assertTrue("Should not throw", false);
    }
    // Plain three-attribute DN, two signature algorithms: no alt names, no password.
    PKCS10RequestMessage plain = requestFor("C=SE, O=Foo, CN=Test Testsson", "SHA1WithRSA");
    assertEquals("Test", plain.getUsername());
    assertEquals("C=SE,O=Foo,CN=Test Testsson", plain.getRequestDN());
    assertNull(plain.getRequestAltNames());
    assertNull(plain.getPassword());
    plain = requestFor("C=SE, O=Foo, CN=Test Testsson", "SHA256WithRSA");
    assertEquals("Test", plain.getUsername());
    assertEquals("C=SE,O=Foo,CN=Test Testsson", plain.getRequestDN());
    assertNull(plain.getRequestAltNames());
    assertNull(plain.getPassword());
    // oid for unstructuredName, will be handled specially by EJBCA: named and split off into its own RDN
    assertUsernameAndDn("CN=Test + 1.2.840.113549.1.9.2=AttrValue1", "CN=Test,unstructuredName=AttrValue1");
    assertUsernameAndDn("CN=Test + 1.2.840.113549.1.9.2=AttrValue1 AttrValue2", "CN=Test,unstructuredName=AttrValue1 AttrValue2");
    assertUsernameAndDn("CN=Test+1.2.840.113549.1.9.2=AttrValue1", "CN=Test,unstructuredName=AttrValue1");
    assertUsernameAndDn("CN=Test+1.2.840.113549.1.9.2=AttrValue1 AttrValue2", "CN=Test,unstructuredName=AttrValue1 AttrValue2");
    // Completely unknown oid: stays a dotted OID inside the multi-valued RDN
    assertUsernameAndDn("CN=Test + 1.2.840.113549.1.9.3=AttrValue1", "CN=Test+1.2.840.113549.1.9.3=AttrValue1");
    assertUsernameAndDn("CN=Test + 1.2.840.113549.1.9.3=AttrValue1 AttrValue2", "CN=Test+1.2.840.113549.1.9.3=AttrValue1 AttrValue2");
    assertUsernameAndDn("CN=Test+1.2.840.113549.1.9.3=AttrValue1", "CN=Test+1.2.840.113549.1.9.3=AttrValue1");
    assertUsernameAndDn("CN=Test+1.2.840.113549.1.9.3=AttrValue1 AttrValue2", "CN=Test+1.2.840.113549.1.9.3=AttrValue1 AttrValue2");
    // CN is not the first value of the multi-valued RDN; the username is still found.
    assertEquals("Test", requestFor("1.2.840.113549.1.9.3=AttrValue1 AttrValue2+CN=Test", "SHA1WithRSA").getUsername());
    assertEquals("Test", requestFor("1.2.840.113549.1.9.3=AttrValue1 AttrValue2+CN=Test+O=abc", "SHA1WithRSA").getUsername());
    // Escaped '+' and '=' inside a value: very strange, but should still be valid
    assertEquals("Test", requestFor("1.2.840.113549.1.9.3=AttrValue1\\+\\= AttrValue2+CN=Test+O=abc", "SHA1WithRSA").getUsername());
}

/**
 * Signs a PKCS#10 request for {@code dn} with the test key pair, no attributes and
 * the default provider, and parses it back from its ASN.1 structure encoding.
 */
private PKCS10RequestMessage requestFor(String dn, String sigAlg) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, IOException, OperatorCreationException {
    final PKCS10CertificationRequest req = CertTools.genPKCS10CertificationRequest(sigAlg, new X500Name(dn), keyPair.getPublic(), new DERSet(), keyPair.getPrivate(), null);
    return new PKCS10RequestMessage(req.toASN1Structure().getEncoded());
}

/** Asserts that a SHA1WithRSA request for {@code dn} yields username "Test" and the given request DN string. */
private void assertUsernameAndDn(String dn, String expectedRequestDn) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, IOException, OperatorCreationException {
    final PKCS10RequestMessage msg = requestFor(dn, "SHA1WithRSA");
    assertEquals("Test", msg.getUsername());
    assertEquals(expectedRequestDn, msg.getRequestDN());
}
From source file:org.cesecore.keys.util.KeyStoreTools.java
License:Open Source License
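/**
 * Generates a certificate request (CSR) in PKCS#10 format for the key pair stored
 * under {@code alias} and writes it, PEM-encoded, to the file {@code <alias>.pem}
 * in the current working directory.
 *
 * @param alias                 keystore alias of the key pair to be used; also used as the output file name
 * @param sDN                   the DN to be used. If null the 'CN=alias' will be used
 * @param explicitEccParameters false should be default and will use NamedCurve encoding of ECC public keys
 *                              (IETF recommendation), use true to include all parameters explicitly
 *                              (ICAO ePassport requirement).
 * @throws Exception if the key cannot be read, the request signature does not verify
 *                   against the public key put into it, or the file cannot be written
 */
public void generateCertReq(String alias, String sDN, boolean explicitEccParameters) throws Exception {
    PublicKey publicKey = getCertificate(alias).getPublicKey();
    final PrivateKey privateKey = getPrivateKey(alias);
    if (log.isDebugEnabled()) {
        log.debug("alias: " + alias + " SHA1 of public key: " + CertTools.getFingerprintAsString(publicKey.getEncoded()));
    }
    // First algorithm AlgorithmTools offers for this key type. The SHA1WithRSA fallback is
    // legacy and only reached if that list yields null.
    String sigAlg = (String) AlgorithmTools.getSignatureAlgorithms(publicKey).iterator().next();
    if (sigAlg == null) {
        sigAlg = "SHA1WithRSA";
    }
    if (sigAlg.contains("ECDSA") && explicitEccParameters) {
        log.info("Using explicit parameter encoding for ECC key.");
        publicKey = ECKeyUtil.publicToExplicitParameters(publicKey, "BC");
    } else {
        // Logged for every key type, not only ECC; kept as-is.
        log.info("Using named curve parameter encoding for ECC key.");
    }
    final X500Name subject = sDN != null ? new X500Name(sDN) : new X500Name("CN=" + alias);
    final PKCS10CertificationRequest certReq = CertTools.genPKCS10CertificationRequest(sigAlg, subject, publicKey, new DERSet(), privateKey, this.keyStore.getProvider().getName());
    // Proof of possession: the request must verify with the public key we embedded, which also
    // catches a keystore entry whose certificate and private key do not belong together.
    final ContentVerifierProvider verifier = CertTools.genContentVerifierProvider(publicKey);
    if (!certReq.isSignatureValid(verifier)) {
        throw new Exception(intres.getLocalizedMessage("token.errorcertreqverify", alias));
    }
    // NOTE(review): alias is used verbatim as the output file name; if aliases can originate
    // from untrusted input this needs sanitising (path separators, "..") — confirm with callers.
    final String filename = alias + ".pem";
    // try-with-resources: the previous version never closed the file if a write threw.
    try (Writer writer = new FileWriter(filename)) {
        writer.write(CertTools.BEGIN_CERTIFICATE_REQUEST + "\n");
        writer.write(new String(Base64.encode(certReq.getEncoded())));
        writer.write("\n" + CertTools.END_CERTIFICATE_REQUEST + "\n");
    }
    log.info("Wrote csr to file: " + filename);
}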
From source file:org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.java
License:Open Source License
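/**
 * Processes a certificate request for a CA and issues its certificate from the
 * signing CA given by {@code cainfo.getSignedBy()}.
 * <p>
 * Two situations are handled. If no CA with this id or name exists, a new CA record
 * is persisted with status {@code CA_EXTERNAL} and a {@link NullCryptoToken}, i.e.
 * the private key lives outside this system. If a CA with the same id and name
 * already exists and is waiting for a certificate response, active, or external, the
 * request is treated as a renewal: an external CA gets the new chain stored, an
 * internal CA is left untouched because it will import the certificate itself later.
 * Any other existing CA with the same id or name is a conflict.
 * <p>
 * Requires {@code StandardRules.ROLE_ROOT}. The authorization failure, and the
 * success or failure of processing, are written to the audit log.
 *
 * @param admin          caller, checked against ROLE_ROOT
 * @param cainfo         the CA to issue for (id, name, DN, validity, certificate profile, signing CA)
 * @param requestmessage request carrying the public key; for a {@link PKCS10RequestMessage}
 *                       the Base64 request is also passed to the signing CA as end-entity
 *                       extended information
 * @return response carrying the issued CA certificate, or null if no signing CA was selected
 * @throws CAExistsException            if the id is reserved or a different CA with the same id or name exists
 * @throws CADoesntExistsException      if the signing CA does not exist
 * @throws AuthorizationDeniedException if {@code admin} lacks ROLE_ROOT
 * @throws CryptoTokenOfflineException  if the signing CA's crypto token is offline
 * @throws EJBException                 wrapping any other failure while issuing or storing
 */
@Override
public ResponseMessage processRequest(AuthenticationToken admin, CAInfo cainfo, RequestMessage requestmessage)
        throws CAExistsException, CADoesntExistsException, AuthorizationDeniedException, CryptoTokenOfflineException {
    final CA ca;
    Collection<Certificate> certchain = null;
    CertificateResponseMessage returnval = null;
    int caid = cainfo.getCAId();
    // check authorization
    if (!accessSession.isAuthorizedNoLogging(admin, StandardRules.ROLE_ROOT.resource())) {
        String msg = intres.getLocalizedMessage("caadmin.notauthorizedtocertresp", cainfo.getName());
        Map<String, Object> details = new LinkedHashMap<String, Object>();
        details.put("msg", msg);
        auditSession.log(EventTypes.ACCESS_CONTROL, EventStatus.FAILURE, ModuleTypes.CA, ServiceTypes.CORE, admin.toString(), String.valueOf(caid), null, null, details);
        throw new AuthorizationDeniedException(msg);
    }
    // Check that CA doesn't already exist; ids in [0, SPECIALCAIDBORDER] are reserved
    CAData oldcadata = null;
    if (caid >= 0 && caid <= CAInfo.SPECIALCAIDBORDER) {
        String msg = intres.getLocalizedMessage("caadmin.errorcaexists", cainfo.getName());
        log.info(msg);
        throw new CAExistsException(msg);
    }
    oldcadata = CAData.findById(entityManager, Integer.valueOf(caid));
    // If it did not exist with a certain DN (caid) perhaps a CA with the same CA name exists?
    if (oldcadata == null) {
        oldcadata = CAData.findByName(entityManager, cainfo.getName());
    }
    boolean processinternalca = false;
    if (oldcadata != null) {
        // If we find an already existing CA, there is a good chance that we should throw an
        // exception saying that the CA already exists. However, if we have the same DN and
        // give the same name, we simply assume that the admin actually wants to treat an
        // internal CA as an external CA, perhaps there are different HSMs connected for root
        // CA and sub CA?
        if (log.isDebugEnabled()) {
            log.debug("Old castatus=" + oldcadata.getStatus() + ", oldcaid=" + oldcadata.getCaId().intValue() + ", caid=" + cainfo.getCAId() + ", oldcaname=" + oldcadata.getName() + ", name=" + cainfo.getName());
        }
        if (((oldcadata.getStatus() == CAConstants.CA_WAITING_CERTIFICATE_RESPONSE) || (oldcadata.getStatus() == CAConstants.CA_ACTIVE) || (oldcadata.getStatus() == CAConstants.CA_EXTERNAL)) && (oldcadata.getCaId().intValue() == cainfo.getCAId()) && (oldcadata.getName().equals(cainfo.getName()))) {
            // Yes, we have all the same DN, CAName and the old CA is either waiting for a
            // certificate response or is active (new CA or active CA that we want to renew)
            // or it is an external CA that we want to issue a new certificate to
            processinternalca = true;
            if (oldcadata.getStatus() == CAConstants.CA_EXTERNAL) {
                log.debug("Renewing an external CA.");
            } else {
                log.debug("Processing an internal CA, as an external.");
            }
        } else {
            String msg = intres.getLocalizedMessage("caadmin.errorcaexists", cainfo.getName());
            log.info(msg);
            throw new CAExistsException(msg);
        }
    }
    // get signing CA; ids in the reserved range mean "no signing CA" and skip issuance entirely
    if (cainfo.getSignedBy() > CAInfo.SPECIALCAIDBORDER || cainfo.getSignedBy() < 0) {
        try {
            final CA signca = caSession.getCAForEdit(admin, Integer.valueOf(cainfo.getSignedBy()));
            try {
                // Check that the signer is valid
                assertSignerValidity(admin, signca);
                // Get public key from request
                PublicKey publickey = requestmessage.getRequestPublicKey();
                // Create cacertificate
                Certificate cacertificate = null;
                EndEntityInformation cadata = makeEndEntityInformation(cainfo);
                // We can pass the PKCS10 request message as extra parameters
                if (requestmessage instanceof PKCS10RequestMessage) {
                    ExtendedInformation extInfo = new ExtendedInformation();
                    PKCS10CertificationRequest pkcs10 = ((PKCS10RequestMessage) requestmessage).getCertificationRequest();
                    extInfo.setCustomData(ExtendedInformationFields.CUSTOM_PKCS10, new String(Base64.encode(pkcs10.getEncoded())));
                    cadata.setExtendedinformation(extInfo);
                }
                CertificateProfile certprofile = certificateProfileSession.getCertificateProfile(cainfo.getCertificateProfileId());
                String sequence = null;
                byte[] ki = requestmessage.getRequestKeyInfo();
                if ((ki != null) && (ki.length > 0)) {
                    sequence = new String(ki);
                }
                final CryptoToken signCryptoToken = cryptoTokenSession.getCryptoToken(signca.getCAToken().getCryptoTokenId());
                cacertificate = signca.generateCertificate(signCryptoToken, cadata, publickey, -1, null, cainfo.getValidity(), certprofile, sequence);
                // X509ResponseMessage works for both X509 CAs and CVC CAs, should really be called CertificateResponsMessage
                returnval = new X509ResponseMessage();
                returnval.setCertificate(cacertificate);
                // Build Certificate Chain: issued certificate first, then the signing CA's chain
                Collection<Certificate> rootcachain = signca.getCertificateChain();
                certchain = new ArrayList<Certificate>();
                certchain.add(cacertificate);
                certchain.addAll(rootcachain);
                if (!processinternalca) {
                    // New CA record with a NULL token: the key is held outside this system
                    if (cainfo instanceof X509CAInfo) {
                        log.info("Creating a X509 CA (process request)");
                        ca = new X509CA((X509CAInfo) cainfo);
                    } else if (cainfo instanceof CVCCAInfo) {
                        // CVC CA is a special type of CA for EAC electronic passports
                        log.info("Creating a CVC CA (process request)");
                        CVCCAInfo cvccainfo = (CVCCAInfo) cainfo;
                        // Create CVCCA
                        ca = CvcCA.getInstance(cvccainfo);
                    } else {
                        // Previously assigned null here and then dereferenced it on the next line
                        // (NullPointerException). Fail explicitly with a message instead; the outer
                        // catch still turns this into an EJBException as before.
                        throw new IllegalStateException("Unsupported CAInfo type: " + cainfo.getClass().getName());
                    }
                    ca.setCertificateChain(certchain);
                    CAToken token = new CAToken(ca.getCAId(), new NullCryptoToken().getProperties());
                    ca.setCAToken(token);
                    // persist with status CA_EXTERNAL
                    entityManager.persist(new CAData(cainfo.getSubjectDN(), cainfo.getName(), CAConstants.CA_EXTERNAL, ca));
                } else {
                    if (oldcadata.getStatus() == CAConstants.CA_EXTERNAL) {
                        // If it is an external CA we will not import the certificate later on here,
                        // so we want to update the CA in this instance with the new certificate so
                        // it is visible
                        ca = caSession.getCAForEdit(admin, oldcadata.getCaId());
                        ca.setCertificateChain(certchain);
                        if (log.isDebugEnabled()) {
                            log.debug("Storing new certificate chain for external CA " + cainfo.getName() + ", CA token type: " + ca.getCAToken().getClass().getName());
                        }
                        caSession.editCA(admin, ca, true);
                    } else {
                        // If it is an internal CA so we are "simulating" signing a real external CA
                        // we don't do anything because that CA is waiting to import a certificate
                        if (log.isDebugEnabled()) {
                            log.debug("Not storing new certificate chain or updating CA for internal CA, simulating external: " + cainfo.getName());
                        }
                        ca = null;
                    }
                }
                // Publish CA certificates.
                publishCACertificate(admin, certchain, signca.getCRLPublishers(), ca != null ? ca.getSubjectDN() : null);
                // External CAs will not have any CRLs in this system, so we don't have to try to publish any CRLs
            } catch (CryptoTokenOfflineException e) {
                // Rethrown as-is so callers can distinguish an offline token from other failures
                String msg = intres.getLocalizedMessage("caadmin.errorprocess", cainfo.getName());
                log.error(msg, e);
                throw e;
            }
        } catch (Exception e) {
            String msg = intres.getLocalizedMessage("caadmin.errorprocess", cainfo.getName());
            log.error(msg, e);
            throw new EJBException(e);
        }
    }
    // A chain only exists if issuance above ran to completion
    if (certchain != null) {
        String msg = intres.getLocalizedMessage("caadmin.processedca", cainfo.getName());
        Map<String, Object> details = new LinkedHashMap<String, Object>();
        details.put("msg", msg);
        auditSession.log(EventTypes.CA_EDITING, EventStatus.SUCCESS, ModuleTypes.CA, ServiceTypes.CORE, admin.toString(), String.valueOf(caid), null, null, details);
    } else {
        String msg = intres.getLocalizedMessage("caadmin.errorprocess", cainfo.getName());
        Map<String, Object> details = new LinkedHashMap<String, Object>();
        details.put("msg", msg);
        auditSession.log(EventTypes.CA_EDITING, EventStatus.FAILURE, ModuleTypes.CA, ServiceTypes.CORE, admin.toString(), String.valueOf(caid), null, null, details);
    }
    return returnval;
}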
From source file:org.ejbca.core.protocol.ws.CertificateExtensionTest.java
License:Open Source License
/**
 * Requests a certificate for {@code TEST_USER} over the EJBCA web service, using a
 * freshly generated RSA key pair and a throw-away subject ("CN=NOUSED"; the CA
 * supplies the real one from the end entity).
 * <p>
 * Test-only parameters: 1024-bit RSA and SHA1WithRSA are below current production
 * strength and are used here purely as a fixture.
 *
 * @return the issued certificate, or null if the web service rejected the request
 *         with an EjbcaException or a SOAP fault
 */
private X509Certificate getMyCertificate() throws GeneralSecurityException, AuthorizationDeniedException_Exception, CADoesntExistsException_Exception, NotFoundException_Exception, CesecoreException_Exception, IOException, OperatorCreationException {
    final KeyPair requestKeys = KeyTools.genKeys("1024", AlgorithmConstants.KEYALGORITHM_RSA);
    final PKCS10CertificationRequest csr = CertTools.genPKCS10CertificationRequest("SHA1WithRSA",
            CertTools.stringToBcX500Name("CN=NOUSED"), requestKeys.getPublic(), new DERSet(), requestKeys.getPrivate(), null);
    final String csrBase64 = new String(Base64.encode(csr.getEncoded()));
    final CertificateResponse response;
    try {
        response = this.ejbcaraws.pkcs10Request(TEST_USER, PASSWORD, csrBase64, null, CertificateHelper.RESPONSETYPE_CERTIFICATE);
    } catch (EjbcaException_Exception | SOAPFaultException e) {
        // Rejection is signalled to the caller as null rather than an exception.
        return null;
    }
    assertNotNull(response);
    assertTrue(CertificateHelper.RESPONSETYPE_CERTIFICATE.equals(response.getResponseType()));
    return (X509Certificate) CertificateHelper.getCertificate(response.getData());
}
From source file:org.ejbca.core.protocol.ws.client.gen.TokenCertificateRequestWS.java
License:Open Source License
/**
 * Creates a PKCS#10-type token certificate request for the named CA.
 *
 * @param name                   name of the CA that should issue the certificate
 * @param certificateProfileName certificate profile to issue under
 * @param validityIdDays         requested validity, as the web service expects it
 * @param pkcs10                 the signed request; its DER encoding is stored in {@code pkcs10Data}
 * @throws IOException if the request cannot be DER-encoded
 */
public TokenCertificateRequestWS(String name, String certificateProfileName, String validityIdDays, PKCS10CertificationRequest pkcs10) throws IOException {
    super();
    this.type = HardTokenConstants.REQUESTTYPE_PKCS10_REQUEST;
    this.cAName = name;
    this.certificateProfileName = certificateProfileName;
    this.validityIdDays = validityIdDays;
    this.pkcs10Data = pkcs10.getEncoded();
}