List of usage examples for org.bouncycastle.x509 X509V3CertificateGenerator setNotAfter
public void setNotAfter(Date date)
From source file:io.aos.crypto.spl07.Utils.java
License:Apache License
/** * Generate a sample V3 certificate to use as an intermediate CA certificate *///w w w . j a v a2 s . c o m public static X509Certificate generateIntermediateCert(PublicKey intKey, PrivateKey caKey, X509Certificate caCert) throws Exception { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(1)); certGen.setIssuerDN(caCert.getSubjectX500Principal()); certGen.setNotBefore(new Date(System.currentTimeMillis())); certGen.setNotAfter(new Date(System.currentTimeMillis() + VALIDITY_PERIOD)); certGen.setSubjectDN(new X500Principal("CN=Test Intermediate Certificate")); certGen.setPublicKey(intKey); certGen.setSignatureAlgorithm("SHA1WithRSAEncryption"); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert)); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(intKey)); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(0)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); return certGen.generateX509Certificate(caKey, "BC"); }
From source file:io.aos.crypto.spl07.Utils.java
License:Apache License
/** * Generate a sample V3 certificate to use as an end entity certificate *//* ww w . j a v a 2 s .c o m*/ public static X509Certificate generateEndEntityCert(PublicKey entityKey, PrivateKey caKey, X509Certificate caCert) throws Exception { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(1)); certGen.setIssuerDN(caCert.getSubjectX500Principal()); certGen.setNotBefore(new Date(System.currentTimeMillis())); certGen.setNotAfter(new Date(System.currentTimeMillis() + VALIDITY_PERIOD)); certGen.setSubjectDN(new X500Principal("CN=Test End Certificate")); certGen.setPublicKey(entityKey); certGen.setSignatureAlgorithm("SHA1WithRSAEncryption"); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert)); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(entityKey)); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); return certGen.generateX509Certificate(caKey, "BC"); }
From source file:io.aos.crypto.spl08.CertReqSolution.java
License:Apache License
public static void main(String... args) throws Exception { // create the CA certificates X500PrivateCredential rootCredential = Utils.createRootCredential(); X500PrivateCredential interCredential = Utils.createIntermediateCredential(rootCredential.getPrivateKey(), rootCredential.getCertificate()); // parse the request PEMReader pRd = new PEMReader(new InputStreamReader(new FileInputStream("pkcs10.req"))); PKCS10CertificationRequest request = (PKCS10CertificationRequest) pRd.readObject(); // get our validation certificate X509Certificate caCert = interCredential.getCertificate(); X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(caCert.getSubjectX500Principal()); certGen.setNotBefore(new Date(System.currentTimeMillis())); certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000)); certGen.setSubjectDN(request.getCertificationRequestInfo().getSubject()); certGen.setPublicKey(request.getPublicKey("BC")); certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); // provide some basic extensions and mark the certificate as appropriate for signing and encipherment certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert)); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(request.getPublicKey("BC"))); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); // create the chain List chain = Arrays//from w w w .j a v a2s. com .asList(new Certificate[] { certGen.generateX509Certificate(interCredential.getPrivateKey(), "BC"), interCredential.getCertificate(), rootCredential.getCertificate() }); // create the CertPath CertificateFactory fact = CertificateFactory.getInstance("X.509", "BC"); CertPath path = fact.generateCertPath(chain); // write it out FileOutputStream fOut = new FileOutputStream("pkcs7.pth"); fOut.write(path.getEncoded("PKCS7")); fOut.close(); }
From source file:krypto.KryptoService.java
License:Apache License
/** * Erzeugt ein x509 v3-Zertifikat, das 1 Tag lang gltig ist. * @return//from ww w . j a va2s . c om * @throws Exception */ public static X509Certificate generateCertificate(String algorithm) { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); KeyPair pair = null; try { pair = generateKeyPair(algorithm, 1024); } catch (Exception e) { try { pair = generateKeyPair(algorithm, 512); } catch (Exception e2) { System.out.println(e2.getMessage()); } } long day = 24 * 60 * 60 * 1000; // 1 Tag gltig certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(new X509Name(new X500Principal("CN=Test Certificate").getName())); certGen.setNotBefore(new Date(System.currentTimeMillis() - 500000)); certGen.setNotAfter(new Date(System.currentTimeMillis() + day)); certGen.setSubjectDN(new X509Name(new X500Principal("CN=Test Certificate").getName())); certGen.setPublicKey(pair.getPublic()); certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); certGen.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(new GeneralName(GeneralName.rfc822Name, "test@test.test"))); X509Certificate cert = null; try { cert = certGen.generate(pair.getPrivate(), "BC"); } catch (CertificateEncodingException e) { System.out.println("CertificateEncodingException"); } catch (InvalidKeyException e2) { System.out.println("InvalidKeyException: " + e2.getMessage()); } catch (Exception e3) { // do nothing } return cert; }
From source file:libcore.net.ssl.SslContextBuilder.java
License:Apache License
/** * Generates a certificate for {@code hostName} containing {@code keyPair}'s * public key, signed by {@code keyPair}'s private key. */// w w w . j av a2 s .co m @SuppressWarnings("deprecation") // use the old Bouncy Castle APIs to reduce dependencies. private X509Certificate selfSignedCertificate(KeyPair keyPair) throws GeneralSecurityException { X509V3CertificateGenerator generator = new X509V3CertificateGenerator(); X500Principal issuer = new X500Principal("CN=" + hostName); X500Principal subject = new X500Principal("CN=" + hostName); generator.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); generator.setIssuerDN(issuer); generator.setNotBefore(new Date(notBefore)); generator.setNotAfter(new Date(notAfter)); generator.setSubjectDN(subject); generator.setPublicKey(keyPair.getPublic()); generator.setSignatureAlgorithm("SHA256WithRSAEncryption"); return generator.generateX509Certificate(keyPair.getPrivate(), "BC"); }
From source file:lt.bsprendimai.ddesk.servlets.CertGenerator.java
License:Apache License
/** * Processes requests for both HTTP <code>GET</code> and <code>POST</code> methods. * * @param request/* ww w . j a va 2s .c o m*/ * servlet request * @param response * servlet response */ @SuppressWarnings("unchecked") protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { UserHandler uh = (UserHandler) request.getSession().getAttribute("userHandler"); ClientAccessor ca = (ClientAccessor) request.getSession().getAttribute("clientAccessor"); if (uh == null || !uh.isLoggedIn() || uh.getUser().getCompany() != 0 || uh.getUser().getLoginLevel() != 0) { response.sendRedirect(request.getContextPath()); return; } if (request.getParameter("X509Principal.PWD") == null) { request.setAttribute("T", ca.getPerson().getName()); request.setAttribute("USER", ca.getPerson().getLoginCode()); request.setAttribute("EMAIL", ca.getPerson().getEmail()); RequestDispatcher rd = request.getRequestDispatcher("/intranet/generation.jsp"); rd.forward(request, response); return; } Security.addProvider(new BouncyCastleProvider()); Hashtable attrs = new Hashtable(); Vector order = new Vector(); InputStreamReader rd = new InputStreamReader(CertGenerator.class.getResourceAsStream("/desk.pem")); PEMReader reader = new PEMReader(rd); Object oo = (KeyPair) reader.readObject(); KeyPair myKey = (KeyPair) oo; reader.close(); rd = new InputStreamReader(CertGenerator.class.getResourceAsStream("/desk.crt")); reader = new PEMReader(rd); X509Certificate root = (X509Certificate) reader.readObject(); reader.close(); KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC"); kpg.initialize(1024); KeyPair kp = kpg.generateKeyPair(); PublicKey users = kp.getPublic(); String issuer = root.getSubjectDN().getName(); attrs.put(X509Principal.T, request.getParameter("X509Principal.T")); attrs.put(X509Principal.C, request.getParameter("X509Principal.C")); attrs.put(X509Principal.O, request.getParameter("X509Principal.O")); attrs.put(X509Principal.OU, request.getParameter("X509Principal.OU")); attrs.put(X509Principal.L, request.getParameter("X509Principal.L")); attrs.put(X509Principal.CN, request.getParameter("X509Principal.CN")); attrs.put(X509Principal.EmailAddress, request.getParameter("X509Principal.EmailAddress")); order.addElement(X509Principal.T); order.addElement(X509Principal.C); order.addElement(X509Principal.O); order.addElement(X509Principal.OU); order.addElement(X509Principal.L); order.addElement(X509Principal.CN); order.addElement(X509Principal.EmailAddress); X509Principal subjectDn = new X509Principal(order, attrs); Session sess = SessionHolder.currentSession().getSess(); CertificateEntry ce = new CertificateEntry(); ce.setCert(""); ce.setMd5Key(""); ce.setName(subjectDn.getName()); ce.setPerson(null); ce.setValid(false); sess.save(ce); sess.flush(); X509V3CertificateGenerator v3c = new X509V3CertificateGenerator(); v3c.reset(); v3c.setSerialNumber(BigInteger.valueOf(ce.getId())); v3c.setIssuerDN(new X509Principal(issuer)); v3c.setNotBefore(new Date()); v3c.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 30))); v3c.setSubjectDN(subjectDn); v3c.setPublicKey(users); v3c.setSignatureAlgorithm("MD5WithRSAEncryption"); // // add the extensions // v3c.addExtension(MiscObjectIdentifiers.netscapeCertType, false, new NetscapeCertType(NetscapeCertType.sslClient | NetscapeCertType.objectSigning)); X509Certificate cert = v3c.generate(myKey.getPrivate(), "BC"); cert.getSignature(); cert.checkValidity(new Date()); cert.verify(myKey.getPublic()); KeyStore store = KeyStore.getInstance("PKCS12", "BC"); store.load(null, null); store.setKeyEntry(request.getParameter("X509Principal.T"), kp.getPrivate(), null, new Certificate[] { cert, root }); StringWriter sr = new StringWriter(); sr.write("-----BEGIN CERTIFICATE-----\n"); sr.write(new String(Base64.encode(cert.getEncoded()))); sr.write("\n"); sr.write("-----END CERTIFICATE-----"); byte[] pwdMD5 = Hex.encode(MessageDigest.getInstance("MD5").digest(cert.getEncoded())); String code = new String(pwdMD5); if (code.length() < 32) { for (int i = (32 - code.length()); i > 0; i--) { code = "0" + code; } } List<CertificateEntry> lce = (List<CertificateEntry>) sess .createQuery("FROM " + CertificateEntry.class.getName() + " WHERE person = ? AND valid = true ") .setInteger(0, ca.getPersonId()).list(); for (CertificateEntry cea : lce) { ce.setValid(false); sess.update(cea); sess.flush(); } ce.setCert(sr.toString().trim()); ce.setMd5Key(code.trim()); ce.setPerson(ca.getPersonId()); ce.setValid(true); sess.update(ce); sess.flush(); SessionHolder.closeSession(); System.out.println("Writing certificate"); response.setContentType("application/pkcs-12"); response.setHeader("Content-disposition", "inline;filename=" + request.getParameter("X509Principal.T").trim() + ".p12"); OutputStream out = response.getOutputStream(); store.store(out, request.getParameter("X509Principal.PWD").trim().toCharArray()); out.close(); } catch (Exception ex) { try { SessionHolder.endSession(); } catch (Exception ejx) { } ex.printStackTrace(); response.setContentType("text/html;charset=UTF-8"); PrintWriter out = response.getWriter(); out.println("<html>"); out.println("<head>"); out.println("<title>Error</title>"); out.println("</head>"); out.println("<body>"); out.println("<h1>Error: "); out.println(ex.getMessage()); out.println("</h1>"); out.println("<br/>"); out.println("</body>"); out.println("</html>"); out.close(); } }
From source file:net.java.bd.tools.security.OnlineKeytool.java
License:Open Source License
/** * Creates a self signed certificate using the public key * from the "online.crt" file. See BD-ROM specification part 3.2, * version 2.2 Annex DD.// www . j av a 2 s.c o m * The certificate fields other than the key pair do not matter. * The certificate is just a place holder in the keystore. * The private key is created from the BDA binary file. * <p> * @throws java.lang.Exception */ public void createSelfSignedCert() throws Exception { DataInputStream dis = new DataInputStream(new FileInputStream(crtFile)); String typeIndicator = SecurityUtil.readISO646String(dis, 4); if (!typeIndicator.equals("OCRT")) { throw new RuntimeException("Invalid TypeIndicator: " + typeIndicator + " in " + crtFile); } String versionNo = SecurityUtil.readISO646String(dis, 4); if (!versionNo.equals("0200")) { throw new RuntimeException("Invalid Version No:" + versionNo + " in " + crtFile); } // reserved bytes dis.skipBytes(32); int certVerNo = dis.readInt(); if (certVerNo != 0) { throw new RuntimeException("Invalid Certificate Version No:" + certVerNo); } int contentOwnerId = dis.readInt(); if (debug) { System.out.println("Content owner ID:" + contentOwnerId); } // reserved bytes dis.skipBytes(32); String contentOwnerName = SecurityUtil.readISO646String(dis, 256); if (debug) { System.out.println("Content owner Name:" + contentOwnerName); } String dn = "cn=" + contentOwnerName; // used in cert // read the public key modulus 'n' byte[] buf = new byte[256]; int read = dis.read(buf); if (read == -1) { throw new IOException("Reached end of file before finished reading the file:" + crtFile); } BigInteger modulus = new BigInteger(1, buf); /*HexDumpEncoder hexDump = null; if (debug) { System.out.println("public modulus:"); hexDump = new HexDumpEncoder(); System.out.println(hexDump.encodeBuffer(modulus.toByteArray())); }*/ BigInteger exponent = BigInteger.valueOf(65537); RSAPublicKeySpec spec = new RSAPublicKeySpec(modulus, exponent); KeyFactory factory = KeyFactory.getInstance("RSA"); PublicKey publicKey = factory.generatePublic(spec); // create a self signed cert for importing into the keystore. X509V3CertificateGenerator cg = new X509V3CertificateGenerator(); cg.reset(); Calendar calendar = Calendar.getInstance(); calendar.set(0000, 1, 1); Date validFrom = calendar.getTime(); calendar.clear(); calendar.set(9999, 1, 1); Date validTo = calendar.getTime(); cg.setNotBefore(validFrom); cg.setNotAfter(validTo); cg.setPublicKey(publicKey); cg.setSignatureAlgorithm("SHA1WITHRSA"); cg.setSubjectDN(new X509Name(dn)); cg.setIssuerDN(new X509Name(dn)); SecureRandom prng = SecureRandom.getInstance("SHA1PRNG"); BigInteger serNo = new BigInteger(32, prng); cg.setSerialNumber(serNo); this.cert = cg.generate(this.privateKey); // read the BDA signature; not currently used //int read = dis.read(buf); //if (read == -1) { // throw new IOException("Reached end of file before finished reading the file:" + // crtFile); //} dis.close(); }
From source file:net.java.bd.tools.security.SecurityUtil.java
License:Open Source License
private void generateSelfSignedCertificate(String issuer, String alias, String keyPassword, boolean isRootCert) throws Exception { Date validFrom, validTo;//from ww w . ja v a 2 s . c om // For forcing GeneralizedTime DER encoding, with Bouncy Castle Provider // make the range before 1950 and after 2050. The BD-J spec recommends // using the default validity period used below Calendar calendar = Calendar.getInstance(); calendar.set(0000, 1, 1); validFrom = calendar.getTime(); calendar.clear(); calendar.set(9999, 1, 1); validTo = calendar.getTime(); // Generate a new keypair for this certificate KeyPair keyPair = generateKeyPair(); X509V3CertificateGenerator cg = new X509V3CertificateGenerator(); cg.reset(); X509Name name = new X509Name(issuer, new X509BDJEntryConverter()); // Generate Serial Number SecureRandom prng = SecureRandom.getInstance("SHA1PRNG"); BigInteger serNo = new BigInteger(32, prng); cg.setSerialNumber(serNo); if (!isRootCert) { appCertSerNo = serNo; } cg.setIssuerDN(name); cg.setNotBefore(validFrom); cg.setNotAfter(validTo); cg.setSubjectDN(name); cg.setPublicKey(keyPair.getPublic()); cg.setSignatureAlgorithm("SHA1WITHRSA"); if (isRootCert) { // Need to add root cert extensions. if (isBindingUnitCert) { // This certificate is used only for signing cg.addExtension(X509Extensions.KeyUsage.getId(), true, new X509KeyUsage(X509KeyUsage.digitalSignature)); } else { int usage = X509KeyUsage.digitalSignature + X509KeyUsage.keyCertSign; cg.addExtension(X509Extensions.KeyUsage.getId(), true, new X509KeyUsage(usage)); } cg.addExtension(X509Extensions.IssuerAlternativeName.getId(), false, getRfc822Name(altName)); cg.addExtension(X509Extensions.BasicConstraints.getId(), true, new BasicConstraints(true)); } // For an app cert, most of the extensions will be added when generating // a certificate in response to the certificate request file. cg.addExtension(X509Extensions.SubjectAlternativeName.getId(), false, getRfc822Name(altName)); Certificate cert = cg.generate(keyPair.getPrivate()); store.setKeyEntry(alias, keyPair.getPrivate(), keyPassword.toCharArray(), new Certificate[] { cert }); FileOutputStream fos = new FileOutputStream(keystoreFile); store.store(fos, keystorePassword.toCharArray()); fos.close(); }
From source file:net.java.bd.tools.security.SecurityUtil.java
License:Open Source License
void issueCert(String csrfile, String certfile, String alias, String keypass) throws Exception { PKCS10CertificationRequest csr = new PKCS10CertificationRequest(convertFromBASE64(csrfile)); String subject = csr.getCertificationRequestInfo().getSubject().toString(); // Generate the app certificate X509V3CertificateGenerator cg = new X509V3CertificateGenerator(); cg.reset();/* w w w.j a va 2 s . com*/ X509Certificate rootCert = (X509Certificate) store.getCertificate(alias); if (rootCert == null) { System.out .println("ERROR: Aborting application certificate creation." + " No root certificate to sign."); cleanup(); // removes the self signed certificate from the keystore System.exit(1); } cg.setIssuerDN(new X509Name(true, rootCert.getSubjectDN().getName(), new X509BDJEntryConverter())); cg.setSubjectDN(new X509Name(subject, new X509BDJEntryConverter())); cg.setNotBefore(rootCert.getNotBefore()); cg.setNotAfter(rootCert.getNotAfter()); cg.setPublicKey(csr.getPublicKey()); cg.setSerialNumber(appCertSerNo); // BD-J mandates using SHA1WithRSA as a signature Algorithm cg.setSignatureAlgorithm("SHA1WITHRSA"); cg.addExtension(X509Extensions.KeyUsage.getId(), true, new X509KeyUsage(X509KeyUsage.digitalSignature)); // FIXME: Ideally this should be pulled out from the original app cert's // extension. Email on X500Name is not encoded with UTF8String. cg.addExtension(X509Extensions.SubjectAlternativeName.getId(), false, getRfc822Name(altName)); // Assuming that the root certificate was generated using our tool, // the certificate should have IssuerAlternativeNames as an extension. if (rootCert.getIssuerAlternativeNames() == null) { System.out.println("ERROR: the root certificate must have an alternate name"); System.exit(1); } List issuerName = (List) rootCert.getIssuerAlternativeNames().iterator().next(); cg.addExtension(X509Extensions.IssuerAlternativeName.getId(), false, getRfc822Name((String) issuerName.get(1))); PrivateKey privateKey = (PrivateKey) store.getKey(alias, keypass.toCharArray()); X509Certificate cert = cg.generate(privateKey); // Now, write leaf certificate System.out.println("Writing cert to " + certfile + "."); FileOutputStream str = new FileOutputStream(certfile); str.write(cert.getEncoded()); str.close(); }
From source file:net.jmhertlein.core.crypto.Certs.java
License:Open Source License
/** * Generates an X509 certificate/*from w w w. j a v a2 s. com*/ * * Valid for 1000 years from 1 second ago, signed with SHA512withECDSA * @param authorityPrivateKey private key of the certificate authority * @param certPubKey pubkey that the certificate will use * @param serialNumber serial number of the certificate * @param commonName common name of the subject of this certificate * @return a new X509 Certificate * @throws SignatureException * @throws InvalidKeyException */ public static Certificate newCertificate(PrivateKey authorityPrivateKey, PublicKey certPubKey, long serialNumber, String commonName) throws SignatureException, InvalidKeyException { X509V3CertificateGenerator gen = new X509V3CertificateGenerator(); gen.setPublicKey(certPubKey); //pubkey of cert we're making gen.setSignatureAlgorithm("SHA512withECDSA"); gen.setSerialNumber(BigInteger.valueOf(Math.abs(serialNumber))); gen.setIssuerDN(new X500Principal("CN=" + commonName)); gen.setNotBefore(new Date(System.currentTimeMillis() - 1000L)); gen.setNotAfter(new Date(System.currentTimeMillis() + 1000 * 365 * 24 * 60 * 60 * 1000)); //tfw cert valid for 10x longer than I'll be alive gen.setSubjectDN(new X500Principal("CN=" + commonName)); try { return gen.generate(authorityPrivateKey); //ca's private key } catch (CertificateEncodingException | IllegalStateException | NoSuchAlgorithmException ex) { Logger.getLogger(Certs.class.getName()).log(Level.SEVERE, null, ex); return null; } }