List of usage examples for org.bouncycastle.x509 X509V3CertificateGenerator setNotAfter
public void setNotAfter(Date date)
From source file:com.kixeye.chassis.transport.shared.JettyConnectorRegistry.java
License:Apache License
/** * Register to listen to HTTPS./* w ww . j av a 2 s. co m*/ * * @param server * @param address * @throws Exception */ public static void registerHttpsConnector(Server server, InetSocketAddress address, boolean selfSigned, boolean mutualSsl, String keyStorePath, String keyStoreData, String keyStorePassword, String keyManagerPassword, String trustStorePath, String trustStoreData, String trustStorePassword, String[] excludedCipherSuites) throws Exception { // SSL Context Factory SslContextFactory sslContextFactory = new SslContextFactory(); if (selfSigned) { char[] passwordChars = UUID.randomUUID().toString().toCharArray(); KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); keyStore.load(null, passwordChars); KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); keyPairGenerator.initialize(1024); KeyPair keyPair = keyPairGenerator.generateKeyPair(); X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator(); v3CertGen.setSerialNumber(BigInteger.valueOf(new SecureRandom().nextInt()).abs()); v3CertGen.setIssuerDN(new X509Principal("CN=" + "kixeye.com" + ", OU=None, O=None L=None, C=None")); v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30)); v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365 * 10))); v3CertGen.setSubjectDN(new X509Principal("CN=" + "kixeye.com" + ", OU=None, O=None L=None, C=None")); v3CertGen.setPublicKey(keyPair.getPublic()); v3CertGen.setSignatureAlgorithm("MD5WithRSAEncryption"); X509Certificate privateKeyCertificate = v3CertGen.generateX509Certificate(keyPair.getPrivate()); keyStore.setKeyEntry("selfSigned", keyPair.getPrivate(), passwordChars, new java.security.cert.Certificate[] { privateKeyCertificate }); ByteArrayOutputStream keyStoreBaos = new ByteArrayOutputStream(); keyStore.store(keyStoreBaos, passwordChars); keyStoreData = new String(Hex.encode(keyStoreBaos.toByteArray()), Charsets.UTF_8); keyStorePassword = new String(passwordChars); keyManagerPassword = keyStorePassword; sslContextFactory.setTrustAll(true); } KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); if (StringUtils.isNotBlank(keyStoreData)) { keyStore.load(new ByteArrayInputStream(Hex.decode(keyStoreData)), keyStorePassword.toCharArray()); } else if (StringUtils.isNotBlank(keyStorePath)) { try (InputStream inputStream = new DefaultResourceLoader().getResource(keyStorePath).getInputStream()) { keyStore.load(inputStream, keyStorePassword.toCharArray()); } } sslContextFactory.setKeyStore(keyStore); sslContextFactory.setKeyStorePassword(keyStorePassword); if (StringUtils.isBlank(keyManagerPassword)) { keyManagerPassword = keyStorePassword; } sslContextFactory.setKeyManagerPassword(keyManagerPassword); KeyStore trustStore = null; if (StringUtils.isNotBlank(trustStoreData)) { trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); trustStore.load(new ByteArrayInputStream(Hex.decode(trustStoreData)), trustStorePassword.toCharArray()); } else if (StringUtils.isNotBlank(trustStorePath)) { trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); try (InputStream inputStream = new DefaultResourceLoader().getResource(trustStorePath) .getInputStream()) { trustStore.load(inputStream, trustStorePassword.toCharArray()); } } if (trustStore != null) { sslContextFactory.setTrustStore(trustStore); sslContextFactory.setTrustStorePassword(trustStorePassword); } sslContextFactory.setNeedClientAuth(mutualSsl); sslContextFactory.setExcludeCipherSuites(excludedCipherSuites); // SSL Connector ServerConnector connector = new ServerConnector(server, new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.toString()), new HttpConnectionFactory()); connector.setHost(address.getHostName()); connector.setPort(address.getPort()); server.addConnector(connector); }
From source file:com.nokia.tools.vct.internal.common.secure.core.KeyStoreManager.java
License:Open Source License
public X509Certificate createCertificate(KeyPair keys, int years, Map<String, String> fields) throws CoreException { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setNotBefore(new GregorianCalendar(Locale.getDefault()).getTime()); GregorianCalendar gregorianCalendar = new GregorianCalendar(); gregorianCalendar.add(Calendar.YEAR, 1); certGen.setNotAfter(gregorianCalendar.getTime()); certGen.setPublicKey(keys.getPublic()); StringBuffer userInformation = new StringBuffer(); UUID uuid = UUID.randomUUID(); ByteBuffer bb = ByteBuffer.allocate(17); bb.put((byte) 0); bb.putLong(uuid.getMostSignificantBits()); bb.putLong(uuid.getLeastSignificantBits()); BigInteger bigInteger = new BigInteger(bb.array()); userInformation.append("SERIALNUMBER=").append(bigInteger.toString()); for (Map.Entry<String, String> field : fields.entrySet()) { userInformation.append(','); userInformation.append(field.getKey()); userInformation.append('='); userInformation.append(escapeRFC2253(field.getValue())); }/*from www.ja v a2 s . c o m*/ X500Principal principal = new X500Principal(userInformation.toString()); certGen.setIssuerDN(principal); certGen.setSubjectDN(principal); certGen.setSignatureAlgorithm(SIGNATURE_SHA1_RSA); X509Certificate certificate; try { certificate = certGen.generate(keys.getPrivate()); } catch (Exception ex) { IStatus status = new Status(IStatus.ERROR, SecurityCorePlugin.PLUGIN_ID, "Failed to generate certificate", ex); SecurityCorePlugin.getDefault().getLog().log(status); throw new CoreException(status); } return certificate; }
From source file:com.peterphi.std.crypto.keygen.CaHelper.java
License:Open Source License
private static void setNotBeforeNotAfter(final X509V3CertificateGenerator gen, final int validForYears) { // Make sure the timezone is UTC (non-UTC timezones seem to cause PureTLS some problems, which causes globus problems) Calendar now = Calendar.getInstance(TimeZone.getTimeZone("UTC")); now.setTimeZone(TimeZone.getTimeZone("UTC")); // Set Not Before to be 48 hours in the past now.add(Calendar.HOUR, -48);/*from ww w .ja v a 2 s. c om*/ gen.setNotBefore(now.getTime()); // Set Not After to be 10 years after that now.add(Calendar.YEAR, validForYears); gen.setNotAfter(now.getTime()); }
From source file:com.qut.middleware.crypto.impl.CryptoProcessorImpl.java
License:Apache License
private X509Certificate generateV3Certificate(KeyPair pair, String certSubjectDN, Calendar before, Calendar expiry) throws CryptoException { X509V3CertificateGenerator cert = new X509V3CertificateGenerator(); /* Set the certificate serial number to a random number */ Random rand = new Random(); rand.setSeed(System.currentTimeMillis()); /* Generates a number between 0 and 2^32 as the serial */ BigInteger serial = BigInteger.valueOf(rand.nextInt(Integer.MAX_VALUE)); logger.info("Setting X509 Cert Serial to: " + serial); cert.setSerialNumber(serial);//from w w w. java 2s . c o m /* Set the certificate issuer */ cert.setIssuerDN(new X500Principal(this.certIssuerDN)); /* Set the start of valid period. */ cert.setNotBefore(before.getTime()); /* Set the certificate expiry date. */ cert.setNotAfter(expiry.getTime()); /* Set the subject */ cert.setSubjectDN(new X500Principal(certSubjectDN)); cert.setPublicKey(pair.getPublic()); /* Signature algorithm, this may need to be changed if not all hosts have SHA256 and RSA implementations */ cert.setSignatureAlgorithm("SHA512withRSA"); cert.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); /* Only for signing */ cert.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign)); cert.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); /* Set a contact email address for the issuer */ cert.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(new GeneralName(GeneralName.rfc822Name, this.certIssuerEmail))); logger.debug("Generating X509Certificate for key pair: " + pair); try { /* Use the BouncyCastle provider to actually generate the X509Certificate now */ return cert.generateX509Certificate(pair.getPrivate(), "BC"); } catch (InvalidKeyException e) { this.logger.error("InvalidKeyException thrown, " + e.getLocalizedMessage()); this.logger.debug(e.toString()); throw new CryptoException(e.getLocalizedMessage(), e); } catch (NoSuchProviderException e) { this.logger.error("NoSuchProviderException thrown, " + e.getLocalizedMessage()); this.logger.debug(e.toString()); throw new CryptoException(e.getLocalizedMessage(), e); } catch (SecurityException e) { this.logger.error("SecurityException thrown, " + e.getLocalizedMessage()); this.logger.debug(e.toString()); throw new CryptoException(e.getLocalizedMessage(), e); } catch (SignatureException e) { this.logger.error("SignatureException thrown, " + e.getLocalizedMessage()); this.logger.debug(e.toString()); throw new CryptoException(e.getLocalizedMessage(), e); } }
From source file:com.raphfrk.bukkit.eventlink.SSLUtils.java
License:Open Source License
static boolean generateCertificateFile(File file, int keySize, String password, String algorithm, String certificateAlgorithm, String certificateName, boolean forceWrite) { KeyPair keyPair;/*from w w w . j a v a 2s . c o m*/ X509Certificate cert; X509V3CertificateGenerator certGen = null; String providerName = "BC"; if (Security.getProvider(providerName) == null) { Security.addProvider(new BouncyCastleProvider()); if (Security.getProvider(providerName) == null) { EventLink.logger.log("Crypt libray (" + providerName + ") provider not installed"); return false; } } try { KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(algorithm); synchronized (randomLock) { keyPairGenerator.initialize(keySize, random); } keyPair = KeyPairGenerator.getInstance(algorithm).generateKeyPair(); certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(new X500Principal(certificateName)); certGen.setNotBefore(new Date(System.currentTimeMillis() - 10000)); certGen.setNotAfter(new Date(System.currentTimeMillis() + 365 * 24 * 60 * 60 * 1000)); certGen.setSubjectDN(new X500Principal(certificateName)); certGen.setPublicKey(keyPair.getPublic()); certGen.setSignatureAlgorithm(certificateAlgorithm); cert = certGen.generate(keyPair.getPrivate(), "BC"); } catch (IllegalArgumentException iae) { EventLink.logger.log("Unable to find provider (BC)"); iae.printStackTrace(); if (certGen != null) { Iterator itr = certGen.getSignatureAlgNames(); while (itr.hasNext()) { System.out.println("Algorithm: " + itr.next()); } } return false; } catch (NoSuchProviderException nspe) { EventLink.logger.log("Unable to find provider (BC)"); nspe.printStackTrace(); return false; } catch (NoSuchAlgorithmException nsa) { EventLink.logger.log("Unable to implement algorithm (" + certificateAlgorithm + ")"); if (certGen != null) { Iterator<String> itr = certGen.getSignatureAlgNames(); while (itr.hasNext()) { String algName = itr.next(); System.out.println("Algorithm: " + algName + " " + (algName.equals(certificateAlgorithm))); } } nsa.printStackTrace(); return false; } catch (InvalidKeyException ike) { EventLink.logger.log("Unable to generate key"); ike.printStackTrace(); return false; } catch (SignatureException se) { EventLink.logger.log("Signature error"); se.printStackTrace(); return false; } catch (CertificateEncodingException cee) { EventLink.logger.log("Encoding error"); cee.printStackTrace(); return false; } return createKeyFile(file, password, keyPair, cert, forceWrite); }
From source file:com.squareup.okhttp.internal.SslContextBuilder.java
License:Apache License
/** * Generates a certificate for {@code hostName} containing {@code keyPair}'s * public key, signed by {@code keyPair}'s private key. *///from w ww . java 2 s . c o m @SuppressWarnings("deprecation") // use the old Bouncy Castle APIs to reduce dependencies. public X509Certificate selfSignedCertificate(KeyPair keyPair, String serialNumber) throws GeneralSecurityException { X509V3CertificateGenerator generator = new X509V3CertificateGenerator(); X500Principal issuer = new X500Principal("CN=" + hostName); X500Principal subject = new X500Principal("CN=" + hostName); generator.setSerialNumber(new BigInteger(serialNumber)); generator.setIssuerDN(issuer); generator.setNotBefore(new Date(notBefore)); generator.setNotAfter(new Date(notAfter)); generator.setSubjectDN(subject); generator.setPublicKey(keyPair.getPublic()); generator.setSignatureAlgorithm("SHA256WithRSAEncryption"); return generator.generateX509Certificate(keyPair.getPrivate(), "BC"); }
From source file:com.streamreduce.util.CAGenerator.java
License:Apache License
public static X509Certificate generateCACert(KeyPair keyPair) throws Exception { Date startDate = new Date(System.currentTimeMillis()); // time from which certificate is valid Calendar expiry = Calendar.getInstance(); expiry.add(Calendar.DAY_OF_YEAR, 1000 * 365); Date expiryDate = expiry.getTime(); // time after which certificate is not valid BigInteger serialNumber = new BigInteger(Long.toString(System.currentTimeMillis())); // serial number for certificate X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); X500Principal dnName = new X500Principal("CN=Nodeable Client"); certGen.setSerialNumber(serialNumber); certGen.setIssuerDN(dnName);/*from w w w. j av a2s. c o m*/ certGen.setNotBefore(startDate); certGen.setNotAfter(expiryDate); certGen.setSubjectDN(dnName); certGen.setPublicKey(keyPair.getPublic()); certGen.setSignatureAlgorithm("MD5withRSA"); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(keyPair.getPublic())); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keyPair.getPublic())); return certGen.generate(keyPair.getPrivate()); // note: private key of CA }
From source file:com.trsst.Command.java
License:Apache License
private static final X509Certificate createCertificate(KeyPair keyPair, String algorithm) { org.bouncycastle.x509.X509V3CertificateGenerator certGen = new org.bouncycastle.x509.X509V3CertificateGenerator(); long now = System.currentTimeMillis(); certGen.setSerialNumber(java.math.BigInteger.valueOf(now)); org.bouncycastle.jce.X509Principal subject = new org.bouncycastle.jce.X509Principal( "CN=Trsst Keystore,DC=trsst,DC=com"); certGen.setIssuerDN(subject);/* w w w . j a va2 s . c o m*/ certGen.setSubjectDN(subject); Date fromDate = new java.util.Date(now); certGen.setNotBefore(fromDate); Calendar cal = new java.util.GregorianCalendar(); cal.setTime(fromDate); cal.add(java.util.Calendar.YEAR, 100); Date toDate = cal.getTime(); certGen.setNotAfter(toDate); certGen.setPublicKey(keyPair.getPublic()); certGen.setSignatureAlgorithm(algorithm); certGen.addExtension(org.bouncycastle.asn1.x509.X509Extensions.BasicConstraints, true, new org.bouncycastle.asn1.x509.BasicConstraints(false)); certGen.addExtension(org.bouncycastle.asn1.x509.X509Extensions.KeyUsage, true, new org.bouncycastle.asn1.x509.KeyUsage(org.bouncycastle.asn1.x509.KeyUsage.digitalSignature | org.bouncycastle.asn1.x509.KeyUsage.keyEncipherment | org.bouncycastle.asn1.x509.KeyUsage.keyCertSign | org.bouncycastle.asn1.x509.KeyUsage.cRLSign)); X509Certificate x509 = null; try { x509 = certGen.generateX509Certificate(keyPair.getPrivate()); } catch (InvalidKeyException e) { log.error("Error generating certificate: invalid key", e); } catch (SecurityException e) { log.error("Unexpected error generating certificate", e); } catch (SignatureException e) { log.error("Error generating generating certificate signature", e); } return x509; }
From source file:com.vmware.demo.SamlUtils.java
License:Open Source License
/** * Generate a public x509 cert, based on a key. * * @param key KeyPair used to generate public Cert, private key in KeyPair not exposed. * @param issuer If generating an SSL Cert, issuer needs to match hostname * @return//from ww w .j ava 2 s . c o m * @throws SamlException */ public static X509Certificate generateCert(KeyPair key, String issuer) throws SamlException { X509Certificate binCert; try { X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator(); // create the certificate - version 3 v3CertGen.reset(); v3CertGen.setSerialNumber(BigInteger.valueOf(1)); v3CertGen.setIssuerDN(new X509Principal(issuer)); v3CertGen.setNotBefore(new Date(System.currentTimeMillis())); v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365 * 10))); //10 years v3CertGen.setSubjectDN(new X509Principal(issuer)); v3CertGen.setPublicKey(key.getPublic()); v3CertGen.setSignatureAlgorithm("SHA1WithRSAEncryption"); // add the extensions v3CertGen.addExtension(org.bouncycastle.asn1.x509.X509Extensions.BasicConstraints, false, new BasicConstraints(true)); // generate the actual cert binCert = v3CertGen.generate(key.getPrivate()); // check the cert binCert.checkValidity(new Date()); binCert.verify(key.getPublic()); } catch (Exception e) { throw new SamlException("Failed to generate certificate.", e); } return binCert; }
From source file:cybervillains.ca.CertificateCreator.java
License:Open Source License
/** * Creates a typical Certification Authority (CA) certificate. * //from w w w. j a v a 2 s. c om * @throws SecurityException * @throws InvalidKeyException * @throws NoSuchProviderException * @throws NoSuchAlgorithmException * @throws CertificateException */ @SuppressWarnings("deprecation") public static X509Certificate createTypicalMasterCert(final KeyPair keyPair) throws SignatureException, InvalidKeyException, SecurityException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException { X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator(); X509Principal issuer = new X509Principal( "O=CyberVillians.com,OU=CyberVillians Certification Authority,C=US"); // Create v3CertGen.setSerialNumber(BigInteger.valueOf(1)); v3CertGen.setIssuerDN(issuer); v3CertGen.setSubjectDN(issuer); // Set validity period v3CertGen .setNotBefore(new Date(System.currentTimeMillis() - 12 /* months */ * (1000L * 60 * 60 * 24 * 30))); v3CertGen .setNotAfter(new Date(System.currentTimeMillis() + 240 /* months */ * (1000L * 60 * 60 * 24 * 30))); // Set signature algorithm & public key v3CertGen.setPublicKey(keyPair.getPublic()); v3CertGen.setSignatureAlgorithm(CertificateCreator.SIGN_ALGO); // Add typical extensions for signing cert v3CertGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keyPair.getPublic())); v3CertGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(0)); v3CertGen.addExtension(X509Extensions.KeyUsage, false, new KeyUsage(KeyUsage.cRLSign | KeyUsage.keyCertSign)); DERSequence typicalCAExtendedKeyUsages = new DERSequence( new ASN1Encodable[] { new DERObjectIdentifier(ExtendedKeyUsageConstants.serverAuth), new DERObjectIdentifier(ExtendedKeyUsageConstants.OCSPSigning), new DERObjectIdentifier(ExtendedKeyUsageConstants.verisignUnknown) }); v3CertGen.addExtension(X509Extensions.ExtendedKeyUsage, false, typicalCAExtendedKeyUsages); X509Certificate cert = v3CertGen.generate(keyPair.getPrivate(), "BC"); cert.checkValidity(new Date()); cert.verify(keyPair.getPublic()); return cert; }