List of usage examples for org.bouncycastle.pkcs PKCS10CertificationRequest getSubject
public X500Name getSubject()
From source file:net.solarnetwork.pki.bc.BCCertificateService.java
License:Open Source License
@Override public X509Certificate signCertificate(String csrPEM, X509Certificate caCert, PrivateKey privateKey) throws CertificateException { if (!csrPEM.matches("(?is)^\\s*-----BEGIN.*")) { // let's throw in the guards csrPEM = "-----BEGIN CERTIFICATE REQUEST-----\n" + csrPEM + "\n-----END CERTIFICATE REQUEST-----\n"; }/*from w w w . ja v a2s .c o m*/ PemReader reader = null; try { reader = new PemReader(new StringReader(csrPEM)); PemObject pemObj = reader.readPemObject(); log.debug("Parsed PEM type {}", pemObj.getType()); PKCS10CertificationRequest csr = new PKCS10CertificationRequest(pemObj.getContent()); Date now = new Date(); Date expire = new Date(now.getTime() + (1000L * 60L * 60L * 24L * certificateExpireDays)); X509v3CertificateBuilder builder = new X509v3CertificateBuilder(JcaX500NameUtil.getIssuer(caCert), new BigInteger(String.valueOf(counter.incrementAndGet())), now, expire, csr.getSubject(), csr.getSubjectPublicKeyInfo()); JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm); ContentSigner signer; DefaultDigestAlgorithmIdentifierFinder digestAlgFinder = new DefaultDigestAlgorithmIdentifierFinder(); try { DigestCalculatorProvider digestCalcProvider = new JcaDigestCalculatorProviderBuilder() .setProvider(new BouncyCastleProvider()).build(); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils( digestCalcProvider.get(digestAlgFinder.find("SHA-256"))); builder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); builder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(csr.getSubjectPublicKeyInfo())); builder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert)); signer = signerBuilder.build(privateKey); } catch (OperatorException e) { log.error("Error signing CSR {}", csr.getSubject(), e); throw new CertificateException("Error signing CSR" + csr.getSubject() + ": " + e.getMessage()); } catch (CertificateEncodingException e) { log.error("Error signing CSR {}", csr.getSubject().toString(), e); throw new CertificateException("Error signing CSR" + csr.getSubject() + ": " + e.getMessage()); } X509CertificateHolder holder = builder.build(signer); JcaX509CertificateConverter converter = new JcaX509CertificateConverter(); try { return converter.getCertificate(holder); } catch (java.security.cert.CertificateException e) { throw new CertificateException("Error creating certificate", e); } } catch (IOException e) { throw new CertificateException("Error signing CSR", e); } finally { if (reader != null) { try { reader.close(); } catch (IOException e2) { log.warn("IOException closing PemReader", e2); } } } }
From source file:org.apache.hadoop.yarn.server.resourcemanager.security.MockX509SecurityHandler.java
License:Apache License
@Override public X509SecurityManagerMaterial generateMaterial(X509MaterialParameter materialParameter) throws Exception { ApplicationId appId = materialParameter.getApplicationId(); String appUser = materialParameter.getAppUser(); Integer cryptoMaterialVersion = materialParameter.getCryptoMaterialVersion(); KeyPair keyPair = generateKeyPair(); PKCS10CertificationRequest csr = generateCSR(appId, appUser, keyPair, cryptoMaterialVersion); assertEquals(appUser, HopsUtil.extractCNFromSubject(csr.getSubject().toString())); assertEquals(appId.toString(), HopsUtil.extractOFromSubject(csr.getSubject().toString())); assertEquals(String.valueOf(cryptoMaterialVersion), HopsUtil.extractOUFromSubject(csr.getSubject().toString())); // Sign CSR//from ww w . j av a 2s . co m CertificateBundle certificateBundle = sendCSRAndGetSigned(csr); certificateBundle.getCertificate().checkValidity(); long expiration = certificateBundle.getCertificate().getNotAfter().getTime(); long epochNow = DateUtils.localDateTime2UnixEpoch(DateUtils.getNow()); assertTrue(expiration >= epochNow); assertNotNull(certificateBundle.getIssuer()); RMAppSecurityActions actor = getRmAppSecurityActions(); if (actor instanceof TestingRMAppSecurityActions) { X509Certificate caCert = ((TestingRMAppSecurityActions) actor).getCaCert(); certificateBundle.getCertificate().verify(caCert.getPublicKey(), "BC"); } certificateBundle.getCertificate().verify(certificateBundle.getIssuer().getPublicKey(), "BC"); KeyStoresWrapper appKeystores = createApplicationStores(certificateBundle, keyPair.getPrivate(), appUser, appId); X509Certificate extractedCert = (X509Certificate) appKeystores.getKeystore().getCertificate(appUser); byte[] rawKeystore = appKeystores.getRawKeyStore(TYPE.KEYSTORE); assertNotNull(rawKeystore); assertNotEquals(0, rawKeystore.length); File keystoreFile = Paths.get(systemTMP, appUser + "-" + appId.toString() + "_kstore.jks").toFile(); // Keystore should have been deleted assertFalse(keystoreFile.exists()); char[] keyStorePassword = appKeystores.getKeyStorePassword(); assertNotNull(keyStorePassword); assertNotEquals(0, keyStorePassword.length); byte[] rawTrustStore = appKeystores.getRawKeyStore(TYPE.TRUSTSTORE); File trustStoreFile = Paths.get(systemTMP, appUser + "-" + appId.toString() + "_tstore.jks").toFile(); // Truststore should have been deleted assertFalse(trustStoreFile.exists()); char[] trustStorePassword = appKeystores.getTrustStorePassword(); assertNotNull(trustStorePassword); assertNotEquals(0, trustStorePassword.length); verifyContentOfAppTrustStore(rawTrustStore, trustStorePassword, appUser, appId); if (actor instanceof TestingRMAppSecurityActions) { X509Certificate caCert = ((TestingRMAppSecurityActions) actor).getCaCert(); extractedCert.verify(caCert.getPublicKey(), "BC"); } assertEquals(appUser, HopsUtil.extractCNFromSubject(extractedCert.getSubjectX500Principal().getName())); assertEquals(appId.toString(), HopsUtil.extractOFromSubject(extractedCert.getSubjectX500Principal().getName())); assertEquals(String.valueOf(cryptoMaterialVersion), HopsUtil.extractOUFromSubject(extractedCert.getSubjectX500Principal().getName())); return new X509SecurityManagerMaterial(appId, rawKeystore, appKeystores.getKeyStorePassword(), rawTrustStore, appKeystores.getTrustStorePassword(), expiration); }
From source file:org.apache.hadoop.yarn.server.resourcemanager.security.TestingRMAppSecurityActions.java
License:Apache License
@Override public X509SecurityHandler.CertificateBundle sign(PKCS10CertificationRequest csr) throws URISyntaxException, IOException, GeneralSecurityException { JcaPKCS10CertificationRequest jcaRequest = new JcaPKCS10CertificationRequest(csr); X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(caCert, BigInteger.valueOf(System.currentTimeMillis()), new Date(), new Date(System.currentTimeMillis() + 50000), csr.getSubject(), jcaRequest.getPublicKey()); JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils(); certBuilder/*from ww w . jav a 2 s .com*/ .addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(caCert)) .addExtension(Extension.subjectKeyIdentifier, false, extensionUtils.createSubjectKeyIdentifier(jcaRequest.getPublicKey())) .addExtension(Extension.basicConstraints, true, new BasicConstraints(false)) .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); X509Certificate certificate = new JcaX509CertificateConverter().setProvider("BC") .getCertificate(certBuilder.build(sigGen)); return new X509SecurityHandler.CertificateBundle(certificate, caCert); }
From source file:org.cesecore.certificates.ca.X509CATest.java
License:Open Source License
@SuppressWarnings("unchecked") private void doTestX509CABasicOperations(String algName) throws Exception { final CryptoToken cryptoToken = getNewCryptoToken(); final X509CA x509ca = createTestCA(cryptoToken, CADN); Certificate cacert = x509ca.getCACertificate(); // Start by creating a PKCS7 byte[] p7 = x509ca.createPKCS7(cryptoToken, cacert, true); assertNotNull(p7);/*from w w w.jav a 2 s .c o m*/ CMSSignedData s = new CMSSignedData(p7); Store certstore = s.getCertificates(); Collection<X509CertificateHolder> certs = certstore.getMatches(null); assertEquals(2, certs.size()); p7 = x509ca.createPKCS7(cryptoToken, cacert, false); assertNotNull(p7); s = new CMSSignedData(p7); certstore = s.getCertificates(); certs = certstore.getMatches(null); assertEquals(1, certs.size()); // Create a certificate request (will be pkcs10) byte[] req = x509ca.createRequest(cryptoToken, null, algName, cacert, CATokenConstants.CAKEYPURPOSE_CERTSIGN); PKCS10CertificationRequest p10 = new PKCS10CertificationRequest(req); assertNotNull(p10); String dn = p10.getSubject().toString(); assertEquals(CADN, dn); // Make a request with some pkcs11 attributes as well Collection<ASN1Encodable> attributes = new ArrayList<ASN1Encodable>(); // Add a subject alternative name ASN1EncodableVector altnameattr = new ASN1EncodableVector(); altnameattr.add(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest); GeneralNames san = CertTools.getGeneralNamesFromAltName("dNSName=foobar.bar.com"); ExtensionsGenerator extgen = new ExtensionsGenerator(); extgen.addExtension(Extension.subjectAlternativeName, false, san); Extensions exts = extgen.generate(); altnameattr.add(new DERSet(exts)); // Add a challenge password as well ASN1EncodableVector pwdattr = new ASN1EncodableVector(); pwdattr.add(PKCSObjectIdentifiers.pkcs_9_at_challengePassword); ASN1EncodableVector pwdvalues = new ASN1EncodableVector(); pwdvalues.add(new DERUTF8String("foobar123")); pwdattr.add(new DERSet(pwdvalues)); attributes.add(new DERSequence(altnameattr)); attributes.add(new DERSequence(pwdattr)); // create the p10 req = x509ca.createRequest(cryptoToken, attributes, algName, cacert, CATokenConstants.CAKEYPURPOSE_CERTSIGN); p10 = new PKCS10CertificationRequest(req); assertNotNull(p10); dn = p10.getSubject().toString(); assertEquals(CADN, dn); Attribute[] attrs = p10.getAttributes(); assertEquals(2, attrs.length); PKCS10RequestMessage p10msg = new PKCS10RequestMessage(new JcaPKCS10CertificationRequest(p10)); assertEquals("foobar123", p10msg.getPassword()); assertEquals("dNSName=foobar.bar.com", p10msg.getRequestAltNames()); try { x509ca.createAuthCertSignRequest(cryptoToken, p10.getEncoded()); } catch (UnsupportedOperationException e) { // Expected for a X509 CA } // Generate a client certificate and check that it was generated correctly EndEntityInformation user = new EndEntityInformation("username", "CN=User", 666, "rfc822Name=user@user.com", "user@user.com", new EndEntityType(EndEntityTypes.ENDUSER), 0, 0, EndEntityConstants.TOKEN_USERGEN, 0, null); KeyPair keypair = genTestKeyPair(algName); CertificateProfile cp = new CertificateProfile(CertificateProfileConstants.CERTPROFILE_FIXED_ENDUSER); cp.addCertificatePolicy(new CertificatePolicy("1.1.1.2", null, null)); cp.setUseCertificatePolicies(true); Certificate usercert = x509ca.generateCertificate(cryptoToken, user, keypair.getPublic(), 0, null, 10L, cp, "00000"); assertNotNull(usercert); assertEquals("CN=User", CertTools.getSubjectDN(usercert)); assertEquals(CADN, CertTools.getIssuerDN(usercert)); assertEquals(getTestKeyPairAlgName(algName).toUpperCase(), AlgorithmTools.getCertSignatureAlgorithmNameAsString(usercert).toUpperCase()); assertEquals(new String(CertTools.getSubjectKeyId(cacert)), new String(CertTools.getAuthorityKeyId(usercert))); assertEquals("user@user.com", CertTools.getEMailAddress(usercert)); assertEquals("rfc822name=user@user.com", CertTools.getSubjectAlternativeName(usercert)); assertNull(CertTools.getUPNAltName(usercert)); assertFalse(CertTools.isSelfSigned(usercert)); usercert.verify(cryptoToken .getPublicKey(x509ca.getCAToken().getAliasFromPurpose(CATokenConstants.CAKEYPURPOSE_CERTSIGN))); usercert.verify(x509ca.getCACertificate().getPublicKey()); assertTrue(CertTools.isCA(x509ca.getCACertificate())); assertFalse(CertTools.isCA(usercert)); assertEquals("1.1.1.2", CertTools.getCertificatePolicyId(usercert, 0)); X509Certificate cert = (X509Certificate) usercert; boolean[] ku = cert.getKeyUsage(); assertTrue(ku[0]); assertTrue(ku[1]); assertTrue(ku[2]); assertFalse(ku[3]); assertFalse(ku[4]); assertFalse(ku[5]); assertFalse(ku[6]); assertFalse(ku[7]); int bcku = CertTools.sunKeyUsageToBC(ku); assertEquals(X509KeyUsage.digitalSignature | X509KeyUsage.nonRepudiation | X509KeyUsage.keyEncipherment, bcku); // Create a CRL Collection<RevokedCertInfo> revcerts = new ArrayList<RevokedCertInfo>(); X509CRLHolder crl = x509ca.generateCRL(cryptoToken, revcerts, 1); assertNotNull(crl); X509CRL xcrl = CertTools.getCRLfromByteArray(crl.getEncoded()); assertEquals(CADN, CertTools.getIssuerDN(xcrl)); Set<?> set = xcrl.getRevokedCertificates(); assertNull(set); BigInteger num = CrlExtensions.getCrlNumber(xcrl); assertEquals(1, num.intValue()); BigInteger deltanum = CrlExtensions.getDeltaCRLIndicator(xcrl); assertEquals(-1, deltanum.intValue()); // Revoke some cert Date revDate = new Date(); revcerts.add(new RevokedCertInfo(CertTools.getFingerprintAsString(usercert).getBytes(), CertTools.getSerialNumber(usercert).toByteArray(), revDate.getTime(), RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, CertTools.getNotAfter(usercert).getTime())); crl = x509ca.generateCRL(cryptoToken, revcerts, 2); assertNotNull(crl); xcrl = CertTools.getCRLfromByteArray(crl.getEncoded()); set = xcrl.getRevokedCertificates(); assertEquals(1, set.size()); num = CrlExtensions.getCrlNumber(xcrl); assertEquals(2, num.intValue()); X509CRLEntry entry = (X509CRLEntry) set.iterator().next(); assertEquals(CertTools.getSerialNumber(usercert).toString(), entry.getSerialNumber().toString()); assertEquals(revDate.toString(), entry.getRevocationDate().toString()); // Getting the revocation reason is a pita... byte[] extval = entry.getExtensionValue(Extension.reasonCode.getId()); ASN1InputStream aIn = new ASN1InputStream(new ByteArrayInputStream(extval)); ASN1OctetString octs = (ASN1OctetString) aIn.readObject(); aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets())); ASN1Primitive obj = aIn.readObject(); CRLReason reason = CRLReason.getInstance((ASN1Enumerated) obj); assertEquals("CRLReason: certificateHold", reason.toString()); //DEROctetString ostr = (DEROctetString)obj; // Create a delta CRL revcerts = new ArrayList<RevokedCertInfo>(); crl = x509ca.generateDeltaCRL(cryptoToken, revcerts, 3, 2); assertNotNull(crl); xcrl = CertTools.getCRLfromByteArray(crl.getEncoded()); assertEquals(CADN, CertTools.getIssuerDN(xcrl)); set = xcrl.getRevokedCertificates(); assertNull(set); num = CrlExtensions.getCrlNumber(xcrl); assertEquals(3, num.intValue()); deltanum = CrlExtensions.getDeltaCRLIndicator(xcrl); assertEquals(2, deltanum.intValue()); revcerts.add(new RevokedCertInfo(CertTools.getFingerprintAsString(usercert).getBytes(), CertTools.getSerialNumber(usercert).toByteArray(), revDate.getTime(), RevokedCertInfo.REVOCATION_REASON_CERTIFICATEHOLD, CertTools.getNotAfter(usercert).getTime())); crl = x509ca.generateDeltaCRL(cryptoToken, revcerts, 4, 3); assertNotNull(crl); xcrl = CertTools.getCRLfromByteArray(crl.getEncoded()); deltanum = CrlExtensions.getDeltaCRLIndicator(xcrl); assertEquals(3, deltanum.intValue()); set = xcrl.getRevokedCertificates(); assertEquals(1, set.size()); entry = (X509CRLEntry) set.iterator().next(); assertEquals(CertTools.getSerialNumber(usercert).toString(), entry.getSerialNumber().toString()); assertEquals(revDate.toString(), entry.getRevocationDate().toString()); // Getting the revocation reason is a pita... extval = entry.getExtensionValue(Extension.reasonCode.getId()); aIn = new ASN1InputStream(new ByteArrayInputStream(extval)); octs = (ASN1OctetString) aIn.readObject(); aIn = new ASN1InputStream(new ByteArrayInputStream(octs.getOctets())); obj = aIn.readObject(); reason = CRLReason.getInstance((ASN1Enumerated) obj); assertEquals("CRLReason: certificateHold", reason.toString()); }
From source file:org.ejbca.batchenrollmentgui.BatchEnrollmentGUIView.java
License:Open Source License
private void addRequest(final InputStream inStream, final File inFile) throws CertificateException { final ByteArrayOutputStream bout = new ByteArrayOutputStream(); BufferedInputStream in = null; try {/* w ww.j a v a2 s.com*/ in = new BufferedInputStream(inStream); int b; while ((b = in.read()) != -1) { bout.write(b); } final byte[] bytes = bout.toByteArray(); CMSSignedData signedData = null; try { signedData = new CMSSignedData(bytes); } catch (Exception ex) { LOG.debug("Not parsed as CMS: " + ex.getMessage()); } final byte[] requestBytes; final Request request = new Request(); if (signedData == null) { requestBytes = bytes; } else { final CMSValidationResult result = validateCMS(signedData, getTrustedCerts()); requestBytes = result.getContent(); request.setSignerChain(result.getSignerChain()); } // Parse PKCS10 and fill in requested DN PKCS10CertificationRequest pkcs10 = getPkcs10Request(requestBytes); request.setRequestedDN(pkcs10.getSubject().toString()); request.setInFile(inFile); request.setOutFile(new File(inFile.getParentFile(), suggestOutFile(inFile.getName()))); request.setRequestBytes(requestBytes); // Try to match beginning of filename with a user for (UserDataVOWS user : endEntities) { if (inFile.getName().toLowerCase(Locale.ENGLISH) .contains(user.getUsername().toLowerCase(Locale.ENGLISH))) { request.setEndEntity(findEndEntity(user.getUsername())); break; } } requests.add(request); jTable1.revalidate(); jTable1Changed(new TableModelEvent(jTable1.getModel(), requests.size() - 1, requests.size() - 1, TableModelEvent.ALL_COLUMNS, TableModelEvent.INSERT)); } catch (IOException ex) { JOptionPane.showMessageDialog(getFrame(), "Problem reading file:\n" + ex.getMessage(), "Add request", JOptionPane.ERROR_MESSAGE); } catch (IllegalArgumentException ex) { JOptionPane.showMessageDialog(getFrame(), "Problem parsing request:\n" + ex.getMessage(), "Add request", JOptionPane.ERROR_MESSAGE); } finally { if (in != null) { try { in.close(); } catch (IOException ex) { LOG.error("Error closing input file", ex); } } } }
From source file:org.ejbca.ra.EnrollMakeNewRequestBean.java
License:Open Source License
public void uploadCsr() { //If PROVIDED BY USER key generation is selected, try fill Subject DN fields from CSR (Overwrite the fields set by previous CSR upload if any) if (getSelectedKeyPairGenerationEnum() != null && KeyPairGeneration.PROVIDED_BY_USER.equals(getSelectedKeyPairGenerationEnum()) && algorithmFromCsr != null) { final PKCS10CertificationRequest pkcs10CertificateRequest = CertTools .getCertificateRequestFromPem(getCertificateRequest()); if (pkcs10CertificateRequest.getSubject() != null) { populateRequestFields(false, pkcs10CertificateRequest.getSubject().toString(), getSubjectDn().getFieldInstances()); getSubjectDn().update();//from w w w . j ava 2 s . c om } final Extension sanExtension = CertTools.getExtension(pkcs10CertificateRequest, Extension.subjectAlternativeName.getId()); if (sanExtension != null) { populateRequestFields(true, CertTools.getAltNameStringFromExtension(sanExtension), getSubjectAlternativeName().getFieldInstances()); getSubjectAlternativeName().update(); } // Don't make the effort to populate Subject Directory Attribute fields. Too little real world use for that. } }
From source file:org.elasticsearch.xpack.core.ssl.CertificateGenerateToolTests.java
License:Open Source License
public void testGeneratingCsr() throws Exception { Path tempDir = initTempDir(); Path outputFile = tempDir.resolve("out.zip"); Path instanceFile = writeInstancesTo(tempDir.resolve("instances.yml")); Collection<CertificateInformation> certInfos = CertificateGenerateTool.parseFile(instanceFile); assertEquals(4, certInfos.size());// ww w.jav a 2 s . c om assertFalse(Files.exists(outputFile)); CertificateGenerateTool.generateAndWriteCsrs(outputFile, certInfos, randomFrom(1024, 2048)); assertTrue(Files.exists(outputFile)); Set<PosixFilePermission> perms = Files.getPosixFilePermissions(outputFile); assertTrue(perms.toString(), perms.contains(PosixFilePermission.OWNER_READ)); assertTrue(perms.toString(), perms.contains(PosixFilePermission.OWNER_WRITE)); assertEquals(perms.toString(), 2, perms.size()); FileSystem fileSystem = FileSystems.newFileSystem(new URI("jar:" + outputFile.toUri()), Collections.emptyMap()); Path zipRoot = fileSystem.getPath("/"); assertFalse(Files.exists(zipRoot.resolve("ca"))); for (CertificateInformation certInfo : certInfos) { String filename = certInfo.name.filename; assertTrue(Files.exists(zipRoot.resolve(filename))); final Path csr = zipRoot.resolve(filename + "/" + filename + ".csr"); assertTrue(Files.exists(csr)); assertTrue(Files.exists(zipRoot.resolve(filename + "/" + filename + ".key"))); PKCS10CertificationRequest request = readCertificateRequest(csr); assertEquals(certInfo.name.x500Principal.getName(), request.getSubject().toString()); Attribute[] extensionsReq = request.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest); if (certInfo.ipAddresses.size() > 0 || certInfo.dnsNames.size() > 0) { assertEquals(1, extensionsReq.length); Extensions extensions = Extensions.getInstance(extensionsReq[0].getAttributeValues()[0]); GeneralNames subjAltNames = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName); assertSubjAltNames(subjAltNames, certInfo); } else { assertEquals(0, extensionsReq.length); } } }
From source file:org.elasticsearch.xpack.core.ssl.CertificateToolTests.java
License:Open Source License
public void testGeneratingCsr() throws Exception { Path tempDir = initTempDir(); Path outputFile = tempDir.resolve("out.zip"); Path instanceFile = writeInstancesTo(tempDir.resolve("instances.yml")); Collection<CertificateInformation> certInfos = CertificateTool.parseFile(instanceFile); assertEquals(4, certInfos.size());/*w w w.java2 s . c o m*/ assertFalse(Files.exists(outputFile)); int keySize = randomFrom(1024, 2048); new CertificateTool.SigningRequestCommand().generateAndWriteCsrs(outputFile, keySize, certInfos); assertTrue(Files.exists(outputFile)); Set<PosixFilePermission> perms = Files.getPosixFilePermissions(outputFile); assertTrue(perms.toString(), perms.contains(PosixFilePermission.OWNER_READ)); assertTrue(perms.toString(), perms.contains(PosixFilePermission.OWNER_WRITE)); assertEquals(perms.toString(), 2, perms.size()); FileSystem fileSystem = FileSystems.newFileSystem(new URI("jar:" + outputFile.toUri()), Collections.emptyMap()); Path zipRoot = fileSystem.getPath("/"); assertFalse(Files.exists(zipRoot.resolve("ca"))); for (CertificateInformation certInfo : certInfos) { String filename = certInfo.name.filename; assertTrue(Files.exists(zipRoot.resolve(filename))); final Path csr = zipRoot.resolve(filename + "/" + filename + ".csr"); assertTrue(Files.exists(csr)); assertTrue(Files.exists(zipRoot.resolve(filename + "/" + filename + ".key"))); PKCS10CertificationRequest request = readCertificateRequest(csr); assertEquals(certInfo.name.x500Principal.getName(), request.getSubject().toString()); Attribute[] extensionsReq = request.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest); if (certInfo.ipAddresses.size() > 0 || certInfo.dnsNames.size() > 0) { assertEquals(1, extensionsReq.length); Extensions extensions = Extensions.getInstance(extensionsReq[0].getAttributeValues()[0]); GeneralNames subjAltNames = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName); assertSubjAltNames(subjAltNames, certInfo); } else { assertEquals(0, extensionsReq.length); } } }
From source file:org.jscep.client.Client.java
License:Open Source License
/** * Sends a CSR to the SCEP server for enrolling in a PKI. * <p>// w ww. j a v a 2 s. c o m * This method enrols the provider <tt>CertificationRequest</tt> into the * PKI represented by the SCEP server. * * @param identity * the identity of the client. * @param key * the private key to sign the SCEP request. * @param csr * the CSR to enrol. * @param profile * the SCEP server profile. * @return the certificate store returned by the server. * @throws ClientException * if any client error occurs. * @throws TransactionException * if there is a problem with the SCEP transaction. * @see CertStoreInspector */ public EnrollmentResponse enrol(final X509Certificate identity, final PrivateKey key, final PKCS10CertificationRequest csr, final String profile) throws ClientException, TransactionException { LOGGER.debug("Enrolling certificate with CA"); if (isSelfSigned(identity)) { LOGGER.debug("Certificate is self-signed"); X500Name csrSubject = csr.getSubject(); X500Name idSubject = X500Utils.toX500Name(identity.getSubjectX500Principal()); if (!csrSubject.equals(idSubject)) { LOGGER.error( "The self-signed certificate MUST use the same subject name as in the PKCS#10 request."); } } // TRANSACTIONAL // Certificate enrollment final Transport transport = createTransport(profile); PkiMessageEncoder encoder = getEncoder(identity, key, profile); PkiMessageDecoder decoder = getDecoder(identity, key, profile); final EnrollmentTransaction trans = new EnrollmentTransaction(transport, encoder, decoder, csr); try { MessageDigest digest = getCaCapabilities(profile).getStrongestMessageDigest(); byte[] hash = digest.digest(csr.getEncoded()); LOGGER.debug("{} PKCS#10 Fingerprint: [{}]", digest.getAlgorithm(), new String(Hex.encodeHex(hash))); } catch (IOException e) { LOGGER.error("Error getting encoded CSR", e); } return send(trans); }
From source file:org.kse.gui.actions.SignCsrAction.java
License:Open Source License
/** * Do action./*from www.j av a 2 s.c o m*/ */ @Override protected void doAction() { FileOutputStream fos = null; File caReplyFile = null; try { KeyStoreHistory history = kseFrame.getActiveKeyStoreHistory(); KeyStoreState currentState = history.getCurrentState(); String alias = kseFrame.getSelectedEntryAlias(); Password password = getEntryPassword(alias, currentState); if (password == null) { return; } KeyStore keyStore = currentState.getKeyStore(); PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, password.toCharArray()); Certificate[] certs = keyStore.getCertificateChain(alias); KeyPairType keyPairType = KeyPairUtil.getKeyPairType(privateKey); File csrFile = chooseCsrFile(); if (csrFile == null) { return; } PKCS10CertificationRequest pkcs10Csr = null; Spkac spkacCsr = null; try { CryptoFileType fileType = CryptoFileUtil.detectFileType(new FileInputStream(csrFile)); if (fileType == CryptoFileType.PKCS10_CSR) { pkcs10Csr = Pkcs10Util.loadCsr(new FileInputStream(csrFile)); if (!Pkcs10Util.verifyCsr(pkcs10Csr)) { JOptionPane.showMessageDialog(frame, res.getString("SignCsrAction.NoVerifyPkcs10Csr.message"), res.getString("SignCsrAction.SignCsr.Title"), JOptionPane.WARNING_MESSAGE); return; } } else if (fileType == CryptoFileType.SPKAC_CSR) { spkacCsr = new Spkac(new FileInputStream(csrFile)); if (!spkacCsr.verify()) { JOptionPane.showMessageDialog(frame, res.getString("SignCsrAction.NoVerifySpkacCsr.message"), res.getString("SignCsrAction.SignCsr.Title"), JOptionPane.WARNING_MESSAGE); return; } } else { JOptionPane.showMessageDialog(frame, MessageFormat.format(res.getString("SignCsrAction.FileNotRecognisedType.message"), csrFile), res.getString("SignCsrAction.SignCsr.Title"), JOptionPane.WARNING_MESSAGE); return; } } catch (FileNotFoundException ex) { JOptionPane.showMessageDialog(frame, MessageFormat.format(res.getString("SignCsrAction.NotFile.message"), csrFile), res.getString("SignCsrAction.SignCsr.Title"), JOptionPane.WARNING_MESSAGE); return; } catch (Exception ex) { String problemStr = MessageFormat.format(res.getString("SignCsrAction.NoOpenCsr.Problem"), csrFile.getName()); String[] causes = new String[] { res.getString("SignCsrAction.NotCsr.Cause"), res.getString("SignCsrAction.CorruptedCsr.Cause") }; Problem problem = new Problem(problemStr, causes, ex); DProblem dProblem = new DProblem(frame, res.getString("SignCsrAction.ProblemOpeningCsr.Title"), problem); dProblem.setLocationRelativeTo(frame); dProblem.setVisible(true); return; } X509Certificate[] signingChain = X509CertUtil .orderX509CertChain(X509CertUtil.convertCertificates(certs)); X509Certificate signingCert = signingChain[0]; PublicKey publicKey = null; X500Name subject = null; DSignCsr dSignCsr = null; Provider provider = history.getExplicitProvider(); if (pkcs10Csr != null) { publicKey = new JcaPKCS10CertificationRequest(pkcs10Csr).getPublicKey(); subject = pkcs10Csr.getSubject(); dSignCsr = new DSignCsr(frame, pkcs10Csr, csrFile, privateKey, keyPairType, signingCert, provider); } else { publicKey = spkacCsr.getPublicKey(); subject = spkacCsr.getSubject().getName(); dSignCsr = new DSignCsr(frame, spkacCsr, csrFile, privateKey, keyPairType, signingCert, provider); } dSignCsr.setLocationRelativeTo(frame); dSignCsr.setVisible(true); X509CertificateVersion version = dSignCsr.getVersion(); SignatureType signatureType = dSignCsr.getSignatureType(); Date validityStart = dSignCsr.getValidityStart(); Date validityEnd = dSignCsr.getValidityEnd(); BigInteger serialNumber = dSignCsr.getSerialNumber(); caReplyFile = dSignCsr.getCaReplyFile(); X509ExtensionSet extensions = dSignCsr.getExtensions(); if (version == null) { return; } X500Name issuer = X500NameUtils.x500PrincipalToX500Name(signingCert.getSubjectX500Principal()); // CA Reply is a cert with subject from CSR and issuer from signing cert's subject X509CertificateGenerator generator = new X509CertificateGenerator(version); X509Certificate caReplyCert = generator.generate(subject, issuer, validityStart, validityEnd, publicKey, privateKey, signatureType, serialNumber, extensions, provider); X509Certificate[] caReplyChain = new X509Certificate[signingChain.length + 1]; caReplyChain[0] = caReplyCert; // Add all of the signing chain to the reply System.arraycopy(signingChain, 0, caReplyChain, 1, signingChain.length); byte[] caCertEncoded = X509CertUtil.getCertsEncodedPkcs7(caReplyChain); fos = new FileOutputStream(caReplyFile); fos.write(caCertEncoded); } catch (FileNotFoundException ex) { JOptionPane.showMessageDialog(frame, MessageFormat.format(res.getString("SignJarAction.NoWriteFile.message"), caReplyFile), res.getString("SignCsrAction.SignCsr.Title"), JOptionPane.WARNING_MESSAGE); return; } catch (Exception ex) { DError.displayError(frame, ex); return; } finally { IOUtils.closeQuietly(fos); } JOptionPane.showMessageDialog(frame, res.getString("SignCsrAction.SignCsrSuccessful.message"), res.getString("SignCsrAction.SignCsr.Title"), JOptionPane.INFORMATION_MESSAGE); }