Java tutorial
/*********************************************************************** * * $CVSHeader$ * * This file is part of WebScarab, an Open Web Application Security * Project utility. For details, please see http://www.owasp.org/ * * Copyright (c) 2011 Frank Cornelis <info@frankcornelis.be> * 2013 Peter Wu <lekensteyn@gmail.com> * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * * Getting Source * ============== * * Source for this application is maintained at Sourceforge.net, a * repository for free software projects. * * For details, please see http://www.sourceforge.net/projects/owasp * */ package org.owasp.webscarab.util; import java.io.ByteArrayInputStream; import java.io.IOException; import java.math.BigInteger; import java.security.GeneralSecurityException; import java.security.PrivateKey; import java.security.PublicKey; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.Date; import javax.security.auth.x500.X500Principal; import org.bouncycastle.asn1.misc.MiscObjectIdentifiers; import org.bouncycastle.asn1.misc.NetscapeCertType; import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier; import org.bouncycastle.asn1.x509.BasicConstraints; import org.bouncycastle.asn1.x509.ExtendedKeyUsage; import org.bouncycastle.asn1.x509.KeyPurposeId; import org.bouncycastle.asn1.x509.KeyUsage; import org.bouncycastle.asn1.x509.SubjectKeyIdentifier; import org.bouncycastle.asn1.x509.X509Extension; import org.bouncycastle.cert.CertIOException; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; import org.bouncycastle.operator.OperatorCreationException; import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; public class SunCertificateUtils { private static final String SIGALG = "SHA1withRSA"; public static X509Certificate sign(X500Principal subject, PublicKey pubKey, X500Principal issuer, PublicKey caPubKey, PrivateKey caKey, Date begin, Date ends, BigInteger serialNo, X509Certificate baseCrt) throws GeneralSecurityException, CertIOException, OperatorCreationException, IOException { if (baseCrt != null) { subject = baseCrt.getSubjectX500Principal(); } JcaX509v3CertificateBuilder certificateBuilder; certificateBuilder = new JcaX509v3CertificateBuilder(issuer, serialNo, begin, ends, subject, pubKey); if (subject.equals(issuer)) { certificateBuilder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(5)); } else { JcaX509ExtensionUtils jxeu = new JcaX509ExtensionUtils(); if (baseCrt != null) { byte[] sans = baseCrt.getExtensionValue(X509Extension.subjectAlternativeName.getId()); if (sans != null) { certificateBuilder.copyAndAddExtension(X509Extension.subjectAlternativeName, true, baseCrt); } } SubjectKeyIdentifier subjectKeyIdentifier = jxeu.createSubjectKeyIdentifier(pubKey); certificateBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, subjectKeyIdentifier); AuthorityKeyIdentifier authorityKeyIdentifier = jxeu.createAuthorityKeyIdentifier(caPubKey); certificateBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, authorityKeyIdentifier); certificateBuilder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(false)); NetscapeCertType netscapeCertType = new NetscapeCertType( NetscapeCertType.sslClient | NetscapeCertType.sslServer); certificateBuilder.addExtension(MiscObjectIdentifiers.netscapeCertType, false, netscapeCertType); KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment); certificateBuilder.addExtension(X509Extension.keyUsage, true, keyUsage); ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage( new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth }); certificateBuilder.addExtension(X509Extension.extendedKeyUsage, false, extendedKeyUsage); } JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(SIGALG); X509CertificateHolder holder = certificateBuilder.build(signerBuilder.build(caKey)); /* * Next certificate factory trick is needed to make sure that the * certificate delivered to the caller is provided by the default * security provider instead of BouncyCastle. If we don't do this trick * we might run into trouble when trying to use the CertPath validator. */ CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); X509Certificate certificate; certificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(holder.getEncoded())); return certificate; } }