List of usage examples for org.bouncycastle.pkcs PKCS10CertificationRequest getSubjectPublicKeyInfo
public SubjectPublicKeyInfo getSubjectPublicKeyInfo()
From source file:be.neutrinet.ispng.vpn.api.VPNClientCertificate.java
@Put public Representation storeCSR(Representation csrstream) { if (!getRequestAttributes().containsKey("client")) { return clientError("MALFORMED_REQUEST", Status.CLIENT_ERROR_BAD_REQUEST); }/*w w w .j a v a2s. co m*/ StreamRepresentation sr = (StreamRepresentation) csrstream; // Do all kinds of security checks try { Client client = Clients.dao.queryForId(getAttribute("client").toString()); PEMParser parser = new PEMParser(sr.getReader()); PKCS10CertificationRequest csr = (PKCS10CertificationRequest) parser.readObject(); SubjectPublicKeyInfo pkInfo = csr.getSubjectPublicKeyInfo(); RSAKeyParameters rsa = (RSAKeyParameters) PublicKeyFactory.createKey(pkInfo); // This makes the NSA work harder on their quantum computer // Require 4096 bit key // http://stackoverflow.com/a/20622933 if (!(rsa.getModulus().bitLength() > 2048)) { ClientError err = new ClientError("ILLEGAL_KEY_SIZE"); return new JacksonRepresentation(err); } X500Name subject = X500Name.getInstance(csr.getSubject()); RDN[] rdns = subject.getRDNs(BCStyle.CN); if (rdns == null || rdns.length == 0) { return clientError("NO_CSR_CN", Status.CLIENT_ERROR_BAD_REQUEST); } String CN = IETFUtils.valueToString(rdns[0].getFirst().getValue()); if (CN == null || CN.isEmpty()) { return clientError("INVALID_CSR_CN", Status.CLIENT_ERROR_BAD_REQUEST); } if (getQueryValue("rekey") != null && Boolean.parseBoolean(getQueryValue("rekey"))) { if (!getRequestAttributes().containsKey("cert")) { return clientError("MALFORMED_REQUEST", Status.CLIENT_ERROR_BAD_REQUEST); } Certificate old = Certificates.dao.queryForId(getAttribute("cert")); if (old == null) return clientError("MALFORMED_REQUEST", Status.CLIENT_ERROR_BAD_REQUEST); old.revocationDate = new Date(); if (old.get() == null) { // this can happen when the old certificate is no longer present on the system // in which case the rekey has to go through } else if (pkInfo.getPublicKeyData().getString() .equals(old.get().getSubjectPublicKeyInfo().getPublicKeyData().getString())) { return clientError("REKEY_USING_SAME_KEY", Status.CLIENT_ERROR_NOT_ACCEPTABLE); } Certificates.dao.update(old); } for (Certificate existingCert : Certificates.dao.queryForEq("client_id", client)) { if (existingCert.revocationDate.getTime() > System.currentTimeMillis()) { return clientError("ANOTHER_CLIENT_CERT_ACTIVE", Status.CLIENT_ERROR_NOT_ACCEPTABLE); } } // couple CN to client client.commonName = CN; Clients.dao.update(client); String caStorePath = VPN.cfg.getProperty("ca.storeDir", "ca"); File dir = new File(caStorePath); if (!dir.isDirectory()) { dir.mkdirs(); } Certificate cert = new Certificate(); cert.client = client; Certificates.dao.create(cert); FileWriter fw = new FileWriter(caStorePath + "/" + cert.id + ".csr"); PEMWriter pw = new PEMWriter(fw); pw.writeObject(csr); pw.flush(); return new JacksonRepresentation<>(cert); } catch (Exception ex) { Logger.getLogger(getClass()).error("Failed to validate CSR and/or sign CSR", ex); } return DEFAULT_ERROR; }
From source file:beta01.CreateCertByCsr.java
public CreateCertByCsr() throws Exception { //read p12/*from w w w.j a va2 s. c om*/ KeyStore pkcs12Store = KeyStore.getInstance("PKCS12", "BC"); pkcs12Store.load(new FileInputStream("D:\\rootPrivateKey.p12"), "pass".toCharArray()); //read root key pair and certificate PrivateKey privateKey = null; PublicKey publicKey = null; X509Certificate rootCert = null; for (Enumeration en = pkcs12Store.aliases(); en.hasMoreElements();) { String alias = (String) en.nextElement(); if (pkcs12Store.isCertificateEntry(alias)) { rootCert = (X509Certificate) pkcs12Store.getCertificate(alias); Certificate cert = pkcs12Store.getCertificate(alias); publicKey = cert.getPublicKey(); } else if (pkcs12Store.isKeyEntry(alias)) { privateKey = (PrivateKey) pkcs12Store.getKey(alias, "pass".toCharArray()); } } //read CSR String fileName = "CSR_DSA"; FileReader fileReader = new FileReader("D:\\" + fileName + ".p10"); PemReader pemReader = new PemReader(fileReader); PKCS10CertificationRequest csr = new PKCS10CertificationRequest(pemReader.readPemObject().getContent()); //create certf JcaX509CertificateHolder holder = new JcaX509CertificateHolder(rootCert); X509v3CertificateBuilder certBuilder; certBuilder = new X509v3CertificateBuilder(holder.getSubject(), BigInteger.valueOf(System.currentTimeMillis()), new Date(System.currentTimeMillis()), new Date(System.currentTimeMillis() + 7 * 24 * 60 * 60 * 1000), csr.getSubject(), csr.getSubjectPublicKeyInfo()); certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature)); SignatureAlgorithmIdentifierFinder algFinder = new DefaultSignatureAlgorithmIdentifierFinder(); AlgorithmIdentifier sigAlg = algFinder.find("SHA512withRSA"); AlgorithmIdentifier digAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg); //RSAPrivateKey rsa = (RSAPrivateKey) privateKey; //AsymmetricCipherKeyPair ss =new AsymmetricCipherKeyPair // RSAKeyParameters rsaP = new RSAPrivateCrtKeyParameters(rsa.getModulus(), rsa.getPublicExponent(), // rsa.getPrivateExponent(), rsa., BigInteger.ONE, BigInteger.ONE, BigInteger.ONE, BigInteger.ONE); //ContentSigner signer = new BcRSAContentSignerBuilder(sigAlg, digAlg).build((AsymmetricKeyParameter) privateKey); // AsymmetricCipherKeyPair sd = new AsymmetricCipherKeyPair(null, null) ContentSigner signer = new JcaContentSignerBuilder("SHA512withRSA").setProvider("BC").build(privateKey); X509CertificateHolder holder2 = certBuilder.build(signer); new SimpleGenCert().converToPem(holder2, fileName); }
From source file:CAModulePackage.CertificateHelper.java
/** * Generate a new X.509 Certificate based on the input Certificate Signing * Request./* ww w . jav a 2 s . c om*/ * This is the primary method that should be used for granting a user * credentials on this system. * @param csr - Input Certificate Signing Request * @param issuer - Name of the Issuing Entity * @param issuerPriv - Private Key of the Issuing Entity. * @return X.509 Identity Certificate authenticating the user to this system */ public static X509CertificateHolder signCSR(PKCS10CertificationRequest csr, String issuer, PrivateKey issuerPriv) { Date startDate = new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000); Date endDate = new Date(System.currentTimeMillis() + 365 * 24 * 60 * 60 * 1000); PublicKey pub = null; try { pub = KeyFactory.getInstance("RSA") .generatePublic(new X509EncodedKeySpec(csr.getSubjectPublicKeyInfo().getEncoded())); } catch (InvalidKeySpecException e) { e.printStackTrace(); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(new X500Name(issuer), BigInteger.valueOf(System.currentTimeMillis()), startDate, endDate, csr.getSubject(), pub); X509CertificateHolder newCert = null; try { newCert = builder.build( new JcaContentSignerBuilder("SHA256withRSAEncryption").setProvider("BC").build(issuerPriv)); } catch (OperatorCreationException e) { e.printStackTrace(); } return newCert; }
From source file:com.aqnote.shared.cryptology.cert.gen.CertGenerator.java
License:Open Source License
public X509Certificate signCert(PKCS10CertificationRequest pkcs10CSR, X500Name issuer, KeyPair pKeyPair) throws Exception { SubjectPublicKeyInfo pkInfo = pkcs10CSR.getSubjectPublicKeyInfo(); RSAKeyParameters rsa = (RSAKeyParameters) PublicKeyFactory.createKey(pkInfo); RSAPublicKeySpec rsaSpec = new RSAPublicKeySpec(rsa.getModulus(), rsa.getExponent()); KeyFactory kf = KeyFactory.getInstance(ALG_RSA); PublicKey publicKey = kf.generatePublic(rsaSpec); SubjectPublicKeyInfo keyInfo = new SubjectPublicKeyInfo(ASN1Sequence.getInstance(publicKey.getEncoded())); X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(issuer, BigInteger.valueOf(System.currentTimeMillis()), new Date(System.currentTimeMillis() - DateConstant.ONE_DAY), new Date(System.currentTimeMillis() + DateConstant.ONE_YEAR), pkcs10CSR.getSubject(), keyInfo); ContentSigner signer = new JcaContentSignerBuilder(ALG_SIG_SHA256_RSA).setProvider(JCE_PROVIDER) .build(pKeyPair.getPrivate()); X509Certificate signedCert = new JcaX509CertificateConverter().setProvider(JCE_PROVIDER) .getCertificate(certBuilder.build(signer)); signedCert.verify(pKeyPair.getPublic()); return signedCert; }
From source file:com.yahoo.athenz.auth.util.Crypto.java
License:Apache License
public static String extractX509CSRPublicKey(PKCS10CertificationRequest certReq) { JcaPEMKeyConverter pemConverter = new JcaPEMKeyConverter(); PublicKey publicKey = null;/*from w w w. j a v a 2s . c o m*/ try { publicKey = pemConverter.getPublicKey(certReq.getSubjectPublicKeyInfo()); } catch (PEMException ex) { LOG.error("extractX509CSRPublicKey: unable to get public key: {}", ex.getMessage()); return null; } return convertToPEMFormat(publicKey); }
From source file:craterdog.security.RsaCertificateManager.java
License:Open Source License
/** * This method signs a certificate signing request (CSR) using the specified certificate * authority (CA). This is a convenience method that really should be part of the * <code>CertificateManagement</code> interface except that it depends on a Bouncy Castle * class in the signature. The java security framework does not have a similar class so it * has been left out of the interface./* w w w . j a v a2 s .c o m*/ * * @param caPrivateKey The private key for the certificate authority. * @param caCertificate The certificate containing the public key for the certificate authority. * @param request The certificate signing request (CSR) to be signed. * @param serialNumber The serial number for the new certificate. * @param lifetime How long the certificate should be valid. * * @return The newly signed certificate. */ public X509Certificate signCertificateRequest(PrivateKey caPrivateKey, X509Certificate caCertificate, PKCS10CertificationRequest request, BigInteger serialNumber, long lifetime) { try { logger.entry(); logger.debug("Extract public key and subject from the CSR..."); PublicKey publicKey = new JcaPEMKeyConverter().getPublicKey(request.getSubjectPublicKeyInfo()); String subject = request.getSubject().toString(); logger.debug("Generate and sign the certificate..."); X509Certificate result = createCertificate(caPrivateKey, caCertificate, publicKey, subject, serialNumber, lifetime); logger.exit(); return result; } catch (PEMException e) { RuntimeException exception = new RuntimeException( "An unexpected exception occurred while attempting to sign a certificate.", e); throw logger.throwing(exception); } }
From source file:eu.betaas.taas.securitymanager.certificate.service.impl.GWStarCertificateExtService.java
License:Apache License
public ArrayOfCertificate issueGwCertificate(byte[] gwCertReq) { log.info("Start creating a certificate for new joining GW..."); // decode the gwCertReq back to PKCS10CertificationRequest PKCS10CertificationRequest certReq = null; try {/*from w w w.ja v a2s .c om*/ certReq = new PKCS10CertificationRequest(gwCertReq); } catch (IOException e) { log.error("Error decoding the PKCS10CertificationRequest: " + e.getMessage()); e.printStackTrace(); } // retrieve the public key of the requesting GW SubjectPublicKeyInfo subPubKeyInfo = certReq.getSubjectPublicKeyInfo(); ECPublicKeyParameters ecKeyParams = null; try { ecKeyParams = (ECPublicKeyParameters) PublicKeyFactory.createKey(subPubKeyInfo); } catch (IOException e) { log.error("Error creating ECPublicKeyParameters from SubjectPublicKeyInfo: " + e.getMessage()); e.printStackTrace(); } String ufn = null; // parsing the UFN from the PKCS10CertificationRequest object ASN1Encodable[] ext = certReq.toASN1Structure().getCertificationRequestInfo().getAttributes().toArray(); for (int i = 0; i < ext.length; i++) { Enumeration en1 = ((DERSequence) ext[i]).getObjects(); while (en1.hasMoreElements()) { Object den1 = en1.nextElement(); if (den1 instanceof DERSet) { Enumeration en2 = ((DERSet) den1).getObjects(); while (en2.hasMoreElements()) { Object den2 = en2.nextElement(); if (den2 instanceof DERSequence) { Enumeration en3 = ((DERSequence) den2).getObjects(); while (en3.hasMoreElements()) { Object den3 = en3.nextElement(); if (den3 instanceof DERSequence) { Enumeration en4 = ((DERSequence) den3).getObjects(); while (en4.hasMoreElements()) { Object den4 = en4.nextElement(); if (den4 instanceof DEROctetString) { byte[] octets = ((DEROctetString) den4).getOctets(); byte[] ocs = new byte[octets.length - 4]; for (int j = 0; j < ocs.length; j++) { ocs[j] = octets[j + 4]; } InputStream is = new ByteArrayInputStream(ocs); ufn = getStringFromInputStream(is); } } } } } } } } } ArrayOfCertificate certs = null; try { certs = GWCertificateUtilsBc.createGwCredentials(certReq.getSubject(), "intermediate", "end", ecKeyParams, ufn, certPath); } catch (Exception e) { log.error("Error generating Certificate for GW: " + e.getMessage()); e.printStackTrace(); } log.info("Certificate for new joining GW has been created..."); return certs; }
From source file:eu.optimis.ics.BrokerVPNCredentials.BrokerCA.java
License:Open Source License
public byte[] getSignedCertificateBytes(byte[] sentCSRBytes) { X509CertificateHolder certHolder = null; byte[] result = null; try {/*from w w w .j a v a 2 s .c o m*/ PKCS10CertificationRequest certRequest = new PKCS10CertificationRequest(sentCSRBytes); PEMReader r = new PEMReader(new FileReader(caPath + "ca.crt")); X509Certificate rootCert = (X509Certificate) r.readObject(); r.close(); X500Name subject = certRequest.getSubject(); MessageDigest m = MessageDigest.getInstance("MD5"); m.update(subject.toString().getBytes(), 0, subject.toString().length()); BigInteger serial = new BigInteger(m.digest()); Date notBefore = new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30); Date notAfter = new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365)); SubjectPublicKeyInfo publicKeyInfo = certRequest.getSubjectPublicKeyInfo(); X500Name issuer = new X500Name(rootCert.getSubjectDN().toString()); X509v3CertificateBuilder v3CertBuilder = new X509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, publicKeyInfo); v3CertBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, new JcaX509ExtensionUtils().createSubjectKeyIdentifier(publicKeyInfo)); v3CertBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(rootCert)); v3CertBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); v3CertBuilder.addExtension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_ipsecEndSystem)); v3CertBuilder.addExtension(X509Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature)); ContentSigner sigGen = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC") .build(loadCAPrivateKey(caPath)); certHolder = v3CertBuilder.build(sigGen); result = certHolder.getEncoded(); } catch (Exception e) { e.printStackTrace(); } return result; }
From source file:KerberosAPI.Certificate.java
public static X509Certificate createCertFromCSR(PKCS10CertificationRequest csr, KeyPair kp, X509Certificate xCert) {//w w w. j a v a2 s . com Security.addProvider(new BouncyCastleProvider()); //String subject = subj; //proprietaire de la cl signer KeyPair keyPair = kp; X509Certificate x509CertCSR = null; //System.out.print("Cration d'un Certificat partir d'une CSR : "); try { Security.addProvider(new BouncyCastleProvider()); BigInteger bigInt = new BigInteger(String.valueOf(System.currentTimeMillis())); Calendar cal = Calendar.getInstance(); Date notbefore = cal.getTime(); cal.add(Calendar.YEAR, 2); Date notafter = cal.getTime(); AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA1withRSA"); AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId); AsymmetricKeyParameter parameterCa = PrivateKeyFactory.createKey(keyPair.getPrivate().getEncoded()); SubjectPublicKeyInfo keyInfo = csr.getSubjectPublicKeyInfo(); X509v3CertificateBuilder myCertificateGenerator = new X509v3CertificateBuilder( new X500Name(xCert.getSubjectDN().getName()), bigInt, notbefore, notafter, csr.getSubject(), keyInfo); ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(parameterCa); myCertificateGenerator.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); myCertificateGenerator.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(xCert)); SubjectKeyIdentifier subjectKeyIdentifier = new JcaX509ExtensionUtils() .createSubjectKeyIdentifier(keyInfo); myCertificateGenerator.addExtension(Extension.subjectKeyIdentifier, false, subjectKeyIdentifier); KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.digitalSignature); myCertificateGenerator.addExtension(Extension.keyUsage, true, keyUsage); X509CertificateHolder holder = myCertificateGenerator.build(sigGen); java.security.cert.Certificate certificate = java.security.cert.CertificateFactory.getInstance("X.509") .generateCertificate(new ByteArrayInputStream(holder.getEncoded())); CertificateFactory cf = CertificateFactory.getInstance("X.509"); ByteArrayInputStream bais = new ByteArrayInputStream(certificate.getEncoded()); x509CertCSR = (X509Certificate) cf.generateCertificate(bais); //cert = (X509Certificate) java.security.cert.CertificateFactory.getInstance("X.509", "BC").generateCertificate(new ByteArrayInputStream(holder.getEncoded())); if (x509CertCSR != null) { //System.out.println("OK"); return x509CertCSR; } } catch (Exception e) { System.err.println("Echec de cration de certificat pour le client avec ce csr: " + e); } return null; }
From source file:net.etfbl.cryptodigitalcertificate.tool.CryptoDCTool.java
private X509v3CertificateBuilder setupCertificateData(X509Certificate cacert, PKCS10CertificationRequest request) throws CertIOException { X500Name issuer = new X500Name(cacert.getSubjectX500Principal().getName()); BigInteger serial = new BigInteger(32, new SecureRandom()); Date from = new Date(); Date to = new Date(System.currentTimeMillis() + (DEFAULT_NUMBER_OF_DAYS * 86400000L)); X509v3CertificateBuilder certgen = new X509v3CertificateBuilder(issuer, serial, from, to, request.getSubject(), request.getSubjectPublicKeyInfo()); ///*from ww w . j av a 2 s . c om*/ // Setup the certificate extensions // // Basic Constraints certgen.addExtension(Extension.basicConstraints, false, new BasicConstraints(false)); // Authority Key Identifier SubjectPublicKeyInfo caSubjectPublicKeyInfo = SubjectPublicKeyInfo .getInstance(cacert.getPublicKey().getEncoded()); // Key Usage certgen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.nonRepudiation | KeyUsage.keyEncipherment)); return certgen; }