List of usage examples for org.bouncycastle.x509.X509V3CertificateGenerator
public X509V3CertificateGenerator()
From source file:com.kixeye.chassis.transport.shared.JettyConnectorRegistry.java
License:Apache License
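/**
 * Registers an HTTPS connector on {@code server} bound to {@code address}.
 *
 * <p>When {@code selfSigned} is {@code true} a throwaway RSA key pair and a self-signed
 * certificate for {@code CN=kixeye.com} are generated in memory; the key-store arguments are
 * then ignored and the context factory is put into trust-all mode. Otherwise the key store is
 * loaded from {@code keyStoreData} (hex-encoded bytes) or, if that is blank, from the resource
 * at {@code keyStorePath}. A trust store is loaded the same way from
 * {@code trustStoreData}/{@code trustStorePath} and only installed when one of them is given.
 *
 * @param server               Jetty server the connector is added to
 * @param address              host and port to bind
 * @param selfSigned           generate an ephemeral self-signed certificate instead of loading a key store
 * @param mutualSsl            require a client certificate ({@code setNeedClientAuth})
 * @param keyStorePath         resource path of the key store; used only when {@code keyStoreData} is blank
 * @param keyStoreData         hex-encoded key store bytes; takes precedence over {@code keyStorePath}
 * @param keyStorePassword     password protecting the key store
 * @param keyManagerPassword   password of the key entry; defaults to {@code keyStorePassword} when blank
 * @param trustStorePath       resource path of the trust store; used only when {@code trustStoreData} is blank
 * @param trustStoreData       hex-encoded trust store bytes
 * @param trustStorePassword   password protecting the trust store
 * @param excludedCipherSuites cipher suites to exclude from negotiation
 * @throws Exception if key material cannot be generated or a store cannot be read or loaded
 */
public static void registerHttpsConnector(Server server, InetSocketAddress address, boolean selfSigned,
        boolean mutualSsl, String keyStorePath, String keyStoreData, String keyStorePassword,
        String keyManagerPassword, String trustStorePath, String trustStoreData, String trustStorePassword,
        String[] excludedCipherSuites) throws Exception {
    // SSL Context Factory
    SslContextFactory sslContextFactory = new SslContextFactory();

    KeyStore keyStore;
    if (selfSigned) {
        char[] passwordChars = UUID.randomUUID().toString().toCharArray();
        keyStore = newSelfSignedKeyStore(passwordChars);
        keyStorePassword = new String(passwordChars);
        keyManagerPassword = keyStorePassword;
        // NOTE(review): trust-all disables validation of presented client certificates, so
        // combined with mutualSsl=true any client certificate is accepted. Only acceptable for a
        // development listener, which is what the self-signed mode appears to be for.
        sslContextFactory.setTrustAll(true);
    } else {
        keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        if (StringUtils.isNotBlank(keyStoreData)) {
            keyStore.load(new ByteArrayInputStream(Hex.decode(keyStoreData)), keyStorePassword.toCharArray());
        } else if (StringUtils.isNotBlank(keyStorePath)) {
            try (InputStream inputStream = new DefaultResourceLoader().getResource(keyStorePath).getInputStream()) {
                keyStore.load(inputStream, keyStorePassword.toCharArray());
            }
        }
        // neither data nor path: the (uninitialised) store is still handed to Jetty, as before
    }

    sslContextFactory.setKeyStore(keyStore);
    sslContextFactory.setKeyStorePassword(keyStorePassword);
    if (StringUtils.isBlank(keyManagerPassword)) {
        keyManagerPassword = keyStorePassword;
    }
    sslContextFactory.setKeyManagerPassword(keyManagerPassword);

    KeyStore trustStore = null;
    if (StringUtils.isNotBlank(trustStoreData)) {
        trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(new ByteArrayInputStream(Hex.decode(trustStoreData)), trustStorePassword.toCharArray());
    } else if (StringUtils.isNotBlank(trustStorePath)) {
        trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream inputStream = new DefaultResourceLoader().getResource(trustStorePath).getInputStream()) {
            trustStore.load(inputStream, trustStorePassword.toCharArray());
        }
    }
    if (trustStore != null) {
        sslContextFactory.setTrustStore(trustStore);
        sslContextFactory.setTrustStorePassword(trustStorePassword);
    }
    sslContextFactory.setNeedClientAuth(mutualSsl);
    sslContextFactory.setExcludeCipherSuites(excludedCipherSuites);

    // SSL Connector
    ServerConnector connector = new ServerConnector(server,
            new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.toString()),
            new HttpConnectionFactory());
    connector.setHost(address.getHostName());
    connector.setPort(address.getPort());
    server.addConnector(connector);
}

/**
 * Builds an in-memory key store holding a freshly generated 2048-bit RSA key pair and a
 * self-signed certificate for it, stored under the alias {@code selfSigned}.
 *
 * @param passwordChars password protecting both the store and the key entry
 * @return the initialised key store
 * @throws Exception if key generation, certificate signing or store initialisation fails
 */
private static KeyStore newSelfSignedKeyStore(char[] passwordChars) throws Exception {
    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    keyStore.load(null, passwordChars);

    // 2048 bits: 1024-bit RSA is below the minimum current TLS stacks accept.
    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
    keyPairGenerator.initialize(2048);
    KeyPair keyPair = keyPairGenerator.generateKeyPair();

    // comma between O and L restored; previously "O=None L=None" parsed as a single O value
    String dn = "CN=kixeye.com, OU=None, O=None, L=None, C=None";
    long now = System.currentTimeMillis();
    X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
    // 63 random bits plus one so the serial is strictly positive, as RFC 5280 requires
    v3CertGen.setSerialNumber(new BigInteger(63, new SecureRandom()).add(BigInteger.ONE));
    v3CertGen.setIssuerDN(new X509Principal(dn));
    v3CertGen.setSubjectDN(new X509Principal(dn));
    // back-dated 30 days to tolerate clock skew, valid for 10 years
    v3CertGen.setNotBefore(new Date(now - 1000L * 60 * 60 * 24 * 30));
    v3CertGen.setNotAfter(new Date(now + 1000L * 60 * 60 * 24 * 365 * 10));
    v3CertGen.setPublicKey(keyPair.getPublic());
    // SHA-256: MD5-signed certificates are rejected by current JDK/TLS algorithm constraints.
    v3CertGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
    X509Certificate certificate = v3CertGen.generateX509Certificate(keyPair.getPrivate());

    keyStore.setKeyEntry("selfSigned", keyPair.getPrivate(), passwordChars,
            new java.security.cert.Certificate[] { certificate });
    return keyStore;
}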
From source file:com.nokia.tools.vct.internal.common.secure.core.KeyStoreManager.java
License:Open Source License
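/**
 * Builds a self-signed X.509 certificate for {@code keys}. Subject and issuer are the same DN:
 * {@code SERIALNUMBER=<random 128-bit value>} followed by each entry of {@code fields} as an
 * RDN, with values escaped per RFC 2253.
 *
 * @param keys   key pair; the public key is certified, the private key signs
 * @param years  validity period in years, counted from now
 * @param fields additional DN attributes, attribute type to value
 * @return the signed certificate
 * @throws CoreException if generation fails; the failure is also logged through the plugin log
 */
public X509Certificate createCertificate(KeyPair keys, int years, Map<String, String> fields) throws CoreException {
    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    // NOTE(review): the clock as serial collides for two certificates created within the
    // same millisecond; a random serial would be safer.
    certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));

    // validity window: now .. now + years (the parameter was previously ignored and 1 year used)
    GregorianCalendar validity = new GregorianCalendar();
    certGen.setNotBefore(validity.getTime());
    validity.add(Calendar.YEAR, years);
    certGen.setNotAfter(validity.getTime());
    certGen.setPublicKey(keys.getPublic());

    // 17 big-endian bytes with a zero lead byte, so the UUID is read as a positive integer
    UUID uuid = UUID.randomUUID();
    ByteBuffer bb = ByteBuffer.allocate(17);
    bb.put((byte) 0);
    bb.putLong(uuid.getMostSignificantBits());
    bb.putLong(uuid.getLeastSignificantBits());
    BigInteger serialAttribute = new BigInteger(bb.array());

    StringBuilder userInformation = new StringBuilder();
    userInformation.append("SERIALNUMBER=").append(serialAttribute.toString());
    for (Map.Entry<String, String> field : fields.entrySet()) {
        userInformation.append(',')
                .append(field.getKey())
                .append('=')
                .append(escapeRFC2253(field.getValue()));
    }
    X500Principal principal = new X500Principal(userInformation.toString());
    certGen.setIssuerDN(principal);
    certGen.setSubjectDN(principal);
    // NOTE(review): SIGNATURE_SHA1_RSA is defined elsewhere in this class; SHA-1 signatures are
    // rejected by current JDK algorithm constraints, so a SHA-256 constant is worth considering.
    certGen.setSignatureAlgorithm(SIGNATURE_SHA1_RSA);

    try {
        return certGen.generate(keys.getPrivate());
    } catch (Exception ex) {
        IStatus status = new Status(IStatus.ERROR, SecurityCorePlugin.PLUGIN_ID, "Failed to generate certificate", ex);
        SecurityCorePlugin.getDefault().getLog().log(status);
        throw new CoreException(status);
    }
}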
From source file:com.otterca.common.crypto.X509CertificateBuilderImpl.java
License:Apache License
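/**
 * Builds and signs the certificate described by this builder's current state.
 *
 * <p>Order matters: {@code validator.validate()} runs first; then the mandatory fields are set
 * on a fresh generator, the standard extensions are added through the {@code setXxx()} helpers,
 * the key-usage flag is reconciled with the basic-constraint flag, and finally each registered
 * {@link X509ExtensionGenerator} contributes its extension before the certificate is signed.
 *
 * @param pkey the private key that signs the certificate
 * @return the signed certificate
 * @see com.otterca.repository.util.X509CertificateBuilder#build(java.security.PrivateKey)
 */
@Override
public X509Certificate build(PrivateKey pkey) throws InvalidKeyException, NoSuchAlgorithmException,
        SignatureException, CertificateEncodingException, CertificateParsingException, KeyStoreException {
    // validate everything going into the certificate. Standard validations
    // are quick, issuer validations may require significant resources.
    validator.validate();

    generator = new X509V3CertificateGenerator();

    // set the mandatory properties; without an issuer certificate the configured issuerDN is used directly
    generator.setSerialNumber(serialNumber);
    generator.setIssuerDN((issuer == null) ? issuerDN : new X509Principal(issuer.getIssuerDN().getName()));
    generator.setSubjectDN(subjectDN);
    generator.setNotBefore(notBefore);
    generator.setNotAfter(notAfter);
    generator.setPublicKey(pubkey);
    generator.setSignatureAlgorithm(SIGNATURE_ALGORITHM);

    // can this certificate be used to sign more certificates?
    // make sure pathLengthConstraint is always lower than issuer's.
    setBasicConstraint();
    setSKID();
    setAKID();
    setSubjectAlternativeName();
    setIssuerAlternativeName();
    setExtendedKeyUsage();
    setInhibitAnyPolicy();
    setPrivateKeyUsagePeriod();
    setNameConstraints();
    setAuthorityInfoAccess();
    setSubjectInfoAccess();

    // set/clear key usage flag, then add the mandatory key usage constraints.
    reconcileKeyUsage();
    if (keyUsage != null) {
        generator.addExtension(X509Extensions.KeyUsage, true, keyUsage);
    }

    // establish any extensions.
    addGeneratedExtensions();

    return generator.generate(pkey);
}

/**
 * Keeps the keyCertSign bit of {@code keyUsage} in step with {@code basicConstraint}: set for a
 * CA certificate, cleared otherwise. A CA certificate with no key usage at all gets keyCertSign
 * only; a non-CA certificate with no key usage stays without one.
 */
private void reconcileKeyUsage() {
    if (keyUsage != null) {
        if (basicConstraint) {
            keyUsage = new KeyUsage(keyUsage.intValue() | KeyUsage.keyCertSign);
        } else {
            // mask keeps every bit except keyCertSign (and the sign bit)
            keyUsage = new KeyUsage(keyUsage.intValue() & (Integer.MAX_VALUE ^ KeyUsage.keyCertSign));
        }
    } else if (basicConstraint) {
        keyUsage = new KeyUsage(KeyUsage.keyCertSign);
    }
}

/**
 * Lets every registered {@link X509ExtensionGenerator} add its extension to {@code generator}.
 *
 * <p>A generator returns the DER bytes of an {@code X509Extensions} sequence; the parsed value
 * of its CertificatePolicies entry is re-added under the generator's own OID and criticality.
 * A generator that returns {@code null}, or a sequence without that entry, contributes nothing.
 * An {@link IOException} aborts the build only for a critical extension; otherwise it is logged
 * and the caller's verification process is relied on.
 */
private void addGeneratedExtensions() {
    for (X509ExtensionGenerator extGenerator : extensionGenerators) {
        try {
            byte[] extensionBytes = extGenerator.getExtension(new X500Principal(subjectDN.getEncoded()), issuer);
            if (extensionBytes == null) {
                continue;
            }
            X509Extensions exts = X509Extensions.getInstance(DLSequence.fromByteArray(extensionBytes));
            // NOTE(review): every generator is expected to wrap its value in a CertificatePolicies
            // entry regardless of its own OID — confirm against the generator implementations.
            if (exts.getExtension(X509Extensions.CertificatePolicies) == null) {
                // guard: dereferencing a missing entry would fail with a NullPointerException
                log.info("X509Extension " + extGenerator.getObjectIdentifier()
                        + " produced no CertificatePolicies entry; skipping");
                continue;
            }
            ASN1Encodable asn1 = exts.getExtension(X509Extensions.CertificatePolicies).getParsedValue();
            DERObjectIdentifier objectIdentifier = new DERObjectIdentifier(extGenerator.getObjectIdentifier());
            generator.addExtension(objectIdentifier, extGenerator.isCritical(), asn1);
        } catch (IOException e) {
            // NOTE(review): only the message is logged; the stack trace is lost here.
            log.info("X509Extension extraction threw IOException! " + e.getMessage());
            // throw an exception if this is an error in a critical extension. Otherwise
            // will continue to build the certificate and count on the caller's
            // verification process.
            if (extGenerator.isCritical()) {
                X509CertificateBuilderException ex = new X509CertificateBuilderException();
                ex.addError(ErrorType.OTHER_ERROR, e.getMessage());
                throw ex;
            }
        }
    }
}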
From source file:com.peterphi.std.crypto.keygen.CaHelper.java
License:Open Source License
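/**
 * Issues a client certificate for {@code certificatePublicKey}, signed by the CA's private key
 * through the BC provider.
 *
 * <p>Validity is set by {@code setNotBeforeNotAfter}: 48 hours in the past until 10 years in
 * the future. The client extensions are added by {@code addClientExtensions}.
 *
 * @param certificatePublicKey public key to certify
 * @param caPrivateKey         CA signing key
 * @param issuer               issuer name (the CA's subject)
 * @param subject              subject name of the new certificate
 * @return the signed certificate
 * @throws Exception if signing fails
 */
public static X509Certificate generateClientCertificate(PublicKey certificatePublicKey, PrivateKey caPrivateKey,
        X509Name issuer, X509Name subject) throws Exception {
    X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
    gen.setIssuerDN(issuer);
    gen.setSubjectDN(subject);
    setNotBeforeNotAfter(gen, 10); // validity from 48 hours in the past until 10 years in the future
    gen.setPublicKey(certificatePublicKey);
    gen.setSignatureAlgorithm(getSignatureAlgorithm());
    // random positive 63-bit serial: the clock value used before repeats for two certificates
    // issued in the same millisecond and is predictable (RFC 5280 wants unique, positive serials)
    gen.setSerialNumber(new BigInteger(63, new java.security.SecureRandom()).add(BigInteger.ONE));
    gen = addClientExtensions(gen);
    return gen.generate(caPrivateKey, "BC");
}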
From source file:com.peterphi.std.crypto.keygen.CaHelper.java
License:Open Source License
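/**
 * Issues a TLS server certificate for {@code certificatePublicKey}, signed by the CA's private
 * key through the BC provider.
 *
 * <p>Validity is set by {@code setNotBeforeNotAfter}: 48 hours in the past until 10 years in
 * the future. The server extensions are added by {@code addSSLServerExtensions}.
 *
 * @param certificatePublicKey public key to certify
 * @param caPrivateKey         CA signing key
 * @param issuer               issuer name (the CA's subject)
 * @param subject              subject name of the new certificate
 * @return the signed certificate
 * @throws Exception if signing fails
 */
public static X509Certificate generateServerCertificate(PublicKey certificatePublicKey, PrivateKey caPrivateKey,
        X509Name issuer, X509Name subject) throws Exception {
    X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
    gen.setIssuerDN(issuer);
    gen.setSubjectDN(subject);
    setNotBeforeNotAfter(gen, 10); // validity from 48 hours in the past until 10 years in the future
    gen.setPublicKey(certificatePublicKey);
    gen.setSignatureAlgorithm(getSignatureAlgorithm());
    // random positive 63-bit serial: the clock value used before repeats for two certificates
    // issued in the same millisecond and is predictable (RFC 5280 wants unique, positive serials)
    gen.setSerialNumber(new BigInteger(63, new java.security.SecureRandom()).add(BigInteger.ONE));
    gen = addSSLServerExtensions(gen);
    return gen.generate(caPrivateKey, "BC");
}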
From source file:com.peterphi.std.crypto.keygen.CaHelper.java
License:Open Source License
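/**
 * Creates a self-signed CA certificate for {@code kp}, valid for 20 years, and checks the result
 * against the CA's own public key before returning it.
 *
 * @param friendlyName optional PKCS#12 friendly name attached as a bag attribute; may be {@code null}
 * @param kp           CA key pair; the public key is certified, the private key signs
 * @param serial       serial number to use, or {@code null} to generate a random positive one
 * @param issuer       issuer name
 * @param subject      subject name
 * @return the signed, self-verified CA certificate
 * @throws Exception if signing fails, or the certificate is not yet valid or does not verify
 */
public static X509Certificate generateCaCertificate(final String friendlyName, final KeyPair kp,
        final BigInteger serial, final X509Name issuer, final X509Name subject) throws Exception {
    X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
    gen.setIssuerDN(issuer);
    gen.setSubjectDN(subject);
    setNotBeforeNotAfter(gen, 20); // The CA certificate is valid for 20 years
    gen.setPublicKey(kp.getPublic());
    gen.setSignatureAlgorithm(getSignatureAlgorithm());
    if (serial != null) {
        gen.setSerialNumber(serial);
    } else {
        // random positive 63-bit serial instead of the clock: unique per issuance and not guessable
        gen.setSerialNumber(new BigInteger(63, new java.security.SecureRandom()).add(BigInteger.ONE));
    }
    gen = addCaExtensions(gen, kp.getPublic());

    X509Certificate cert = gen.generate(kp.getPrivate(), "BC");
    // sanity-check the freshly minted certificate against its own key
    cert.checkValidity();
    cert.verify(kp.getPublic(), "BC");

    if (friendlyName != null) {
        // the cast relies on the "BC" provider above returning its own certificate class
        PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) cert;
        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(friendlyName));
    }
    return cert;
}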
From source file:com.qut.middleware.crypto.impl.CryptoProcessorImpl.java
License:Apache License
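/**
 * Builds a version-3 certificate for {@code pair}, self-signed with its private key via the
 * BC provider.
 *
 * <p>Issuer is {@code certIssuerDN}, subject is {@code certSubjectDN}. The certificate is an
 * end-entity (basicConstraints cA=false) signing certificate with a serverAuth extended key
 * usage and an rfc822 subject-alternative-name carrying {@code certIssuerEmail}.
 *
 * @param pair          key pair; the public key is certified, the private key signs
 * @param certSubjectDN subject distinguished name
 * @param before        start of the validity period
 * @param expiry        end of the validity period
 * @return the generated certificate
 * @throws CryptoException wrapping any key, provider, security or signature failure of the generator
 */
private X509Certificate generateV3Certificate(KeyPair pair, String certSubjectDN, Calendar before, Calendar expiry)
        throws CryptoException {
    X509V3CertificateGenerator cert = new X509V3CertificateGenerator();

    /* Random positive 63-bit serial. The clock-seeded java.util.Random used before was
     * predictable, and RFC 5280 requires serials to be unique per issuer. */
    BigInteger serial = new BigInteger(63, new java.security.SecureRandom()).add(BigInteger.ONE);
    logger.info("Setting X509 Cert Serial to: " + serial);
    cert.setSerialNumber(serial);

    /* Set the certificate issuer */
    cert.setIssuerDN(new X500Principal(this.certIssuerDN));
    /* Set the start of valid period. */
    cert.setNotBefore(before.getTime());
    /* Set the certificate expiry date. */
    cert.setNotAfter(expiry.getTime());
    /* Set the subject */
    cert.setSubjectDN(new X500Principal(certSubjectDN));
    cert.setPublicKey(pair.getPublic());

    /* Signature algorithm, this may need to be changed if not all hosts have SHA-512 and RSA implementations */
    cert.setSignatureAlgorithm("SHA512withRSA");

    /* Not a CA. keyCertSign is deliberately absent: RFC 5280 only permits it when cA is true,
     * and this certificate is only for signing. */
    cert.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
    cert.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
    cert.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
    /* Set a contact email address for the issuer */
    cert.addExtension(X509Extensions.SubjectAlternativeName, false,
            new GeneralNames(new GeneralName(GeneralName.rfc822Name, this.certIssuerEmail)));

    logger.debug("Generating X509Certificate for key pair: " + pair);
    try {
        /* Use the BouncyCastle provider to actually generate the X509Certificate now */
        return cert.generateX509Certificate(pair.getPrivate(), "BC");
    } catch (InvalidKeyException e) {
        throw toCryptoException(e);
    } catch (NoSuchProviderException e) {
        throw toCryptoException(e);
    } catch (SecurityException e) {
        throw toCryptoException(e);
    } catch (SignatureException e) {
        throw toCryptoException(e);
    }
}

/**
 * Logs a generator failure (error with the exception type and localized message, debug with the
 * full {@code toString}) and wraps it for the caller, keeping {@code e} as the cause.
 *
 * @param e the failure thrown by the certificate generator
 * @return the exception to throw
 */
private CryptoException toCryptoException(Exception e) {
    this.logger.error(e.getClass().getSimpleName() + " thrown, " + e.getLocalizedMessage());
    this.logger.debug(e.toString());
    return new CryptoException(e.getLocalizedMessage(), e);
}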
From source file:com.raphfrk.bukkit.eventlink.SSLUtils.java
License:Open Source License
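/**
 * Generates a key pair and a self-signed certificate for it and hands both to
 * {@code createKeyFile} for writing.
 *
 * <p>Registers the BouncyCastle provider if it is not installed yet. The certificate uses
 * {@code certificateName} as subject and issuer, the current time in milliseconds as serial,
 * and is valid from 10 seconds in the past until one year from now. Every failure is logged
 * through {@code EventLink.logger} and reported as {@code false}.
 *
 * @param file                 destination key file
 * @param keySize              key size in bits for {@code algorithm}
 * @param password             password for the key file
 * @param algorithm            key-pair algorithm name, e.g. "RSA"
 * @param certificateAlgorithm signature algorithm name understood by the BC provider
 * @param certificateName      X.500 name used as subject and issuer
 * @param forceWrite           overwrite policy, passed through to {@code createKeyFile}
 * @return whether the key file was written
 */
static boolean generateCertificateFile(File file, int keySize, String password, String algorithm,
        String certificateAlgorithm, String certificateName, boolean forceWrite) {
    String providerName = "BC";
    if (Security.getProvider(providerName) == null) {
        Security.addProvider(new BouncyCastleProvider());
        if (Security.getProvider(providerName) == null) {
            EventLink.logger.log("Crypt libray (" + providerName + ") provider not installed");
            return false;
        }
    }

    KeyPair keyPair;
    X509Certificate cert;
    X509V3CertificateGenerator certGen = null;
    try {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(algorithm);
        synchronized (randomLock) {
            keyPairGenerator.initialize(keySize, random);
        }
        // generate from the initialised instance: a second getInstance() ignored keySize and random
        keyPair = keyPairGenerator.generateKeyPair();

        long now = System.currentTimeMillis();
        certGen = new X509V3CertificateGenerator();
        certGen.setSerialNumber(BigInteger.valueOf(now));
        certGen.setIssuerDN(new X500Principal(certificateName));
        certGen.setNotBefore(new Date(now - 10000));
        // 365L: the int product 365*24*60*60*1000 overflows and yielded a notAfter in the past
        certGen.setNotAfter(new Date(now + 365L * 24 * 60 * 60 * 1000));
        certGen.setSubjectDN(new X500Principal(certificateName));
        certGen.setPublicKey(keyPair.getPublic());
        certGen.setSignatureAlgorithm(certificateAlgorithm);
        cert = certGen.generate(keyPair.getPrivate(), providerName);
    } catch (IllegalArgumentException iae) {
        EventLink.logger.log("Unable to find provider (BC)");
        iae.printStackTrace();
        logSignatureAlgNames(certGen, certificateAlgorithm);
        return false;
    } catch (NoSuchProviderException nspe) {
        EventLink.logger.log("Unable to find provider (BC)");
        nspe.printStackTrace();
        return false;
    } catch (NoSuchAlgorithmException nsa) {
        EventLink.logger.log("Unable to implement algorithm (" + certificateAlgorithm + ")");
        logSignatureAlgNames(certGen, certificateAlgorithm);
        nsa.printStackTrace();
        return false;
    } catch (InvalidKeyException ike) {
        EventLink.logger.log("Unable to generate key");
        ike.printStackTrace();
        return false;
    } catch (SignatureException se) {
        EventLink.logger.log("Signature error");
        se.printStackTrace();
        return false;
    } catch (CertificateEncodingException cee) {
        EventLink.logger.log("Encoding error");
        cee.printStackTrace();
        return false;
    }
    return createKeyFile(file, password, keyPair, cert, forceWrite);
}

/**
 * Diagnostic dump of the signature algorithm names {@code certGen} knows to stdout, marking
 * whether each equals {@code wanted}. Does nothing when {@code certGen} is {@code null}.
 *
 * @param certGen generator whose algorithm table is listed; may be {@code null}
 * @param wanted  the algorithm name the caller asked for
 */
@SuppressWarnings("unchecked") // getSignatureAlgNames() returns a raw Iterator of String names
private static void logSignatureAlgNames(X509V3CertificateGenerator certGen, String wanted) {
    if (certGen == null) {
        return;
    }
    Iterator<String> itr = certGen.getSignatureAlgNames();
    while (itr.hasNext()) {
        String algName = itr.next();
        System.out.println("Algorithm: " + algName + " " + algName.equals(wanted));
    }
}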
From source file:com.squareup.okhttp.internal.SslContextBuilder.java
License:Apache License
/** * Generates a certificate for {@code hostName} containing {@code keyPair}'s * public key, signed by {@code keyPair}'s private key. *///from w w w . ja v a 2s.c o m @SuppressWarnings("deprecation") // use the old Bouncy Castle APIs to reduce dependencies. public X509Certificate selfSignedCertificate(KeyPair keyPair, String serialNumber) throws GeneralSecurityException { X509V3CertificateGenerator generator = new X509V3CertificateGenerator(); X500Principal issuer = new X500Principal("CN=" + hostName); X500Principal subject = new X500Principal("CN=" + hostName); generator.setSerialNumber(new BigInteger(serialNumber)); generator.setIssuerDN(issuer); generator.setNotBefore(new Date(notBefore)); generator.setNotAfter(new Date(notAfter)); generator.setSubjectDN(subject); generator.setPublicKey(keyPair.getPublic()); generator.setSignatureAlgorithm("SHA256WithRSAEncryption"); return generator.generateX509Certificate(keyPair.getPrivate(), "BC"); }
From source file:com.streamreduce.util.CAGenerator.java
License:Apache License
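/**
 * Creates a self-signed CA certificate for {@code keyPair} with subject and issuer
 * {@code CN=Nodeable Client}, valid from now for 365000 days, carrying subject and authority
 * key identifiers derived from the public key and the extensions that mark it as a CA.
 *
 * @param keyPair CA key pair; the public key is certified, the private key signs
 * @return the signed certificate, generated with the default provider
 * @throws Exception if the generator fails to sign
 */
public static X509Certificate generateCACert(KeyPair keyPair) throws Exception {
    Date startDate = new Date(System.currentTimeMillis()); // time from which certificate is valid
    Calendar expiry = Calendar.getInstance();
    expiry.add(Calendar.DAY_OF_YEAR, 1000 * 365);
    Date expiryDate = expiry.getTime(); // time after which certificate is not valid
    BigInteger serialNumber = BigInteger.valueOf(System.currentTimeMillis()); // serial number for certificate

    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    X500Principal dnName = new X500Principal("CN=Nodeable Client");
    certGen.setSerialNumber(serialNumber);
    certGen.setIssuerDN(dnName);
    certGen.setNotBefore(startDate);
    certGen.setNotAfter(expiryDate);
    certGen.setSubjectDN(dnName);
    certGen.setPublicKey(keyPair.getPublic());
    // SHA-256: MD5-signed certificates are rejected by current JDK algorithm constraints
    certGen.setSignatureAlgorithm("SHA256withRSA");
    certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(keyPair.getPublic()));
    certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false,
            new SubjectKeyIdentifierStructure(keyPair.getPublic()));
    // RFC 5280: a certificate used as an issuer must assert cA=true and the keyCertSign usage;
    // without them path validation rejects certificates signed by this CA
    certGen.addExtension(X509Extensions.BasicConstraints, true,
            new org.bouncycastle.asn1.x509.BasicConstraints(true));
    certGen.addExtension(X509Extensions.KeyUsage, true,
            new org.bouncycastle.asn1.x509.KeyUsage(org.bouncycastle.asn1.x509.KeyUsage.keyCertSign));
    return certGen.generate(keyPair.getPrivate()); // note: private key of CA
}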