Search in sources :

Example 1 with SubjectKeyIdentifierExtension

use of android.sun.security.x509.SubjectKeyIdentifierExtension in project AppManager by MuntashirAkon.

the class KeyStoreUtils method generateCert.

@NonNull
private static X509Certificate generateCert(PrivateKey privateKey, PublicKey publicKey, @NonNull String formattedSubject, long expiryDate) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, InvalidKeyException, IOException {
    String algorithmName = "SHA512withRSA";
    CertificateExtensions certificateExtensions = new CertificateExtensions();
    certificateExtensions.set("SubjectKeyIdentifier", new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier()));
    X500Name x500Name = new X500Name(formattedSubject);
    Date notBefore = new Date();
    Date notAfter = new Date(expiryDate);
    certificateExtensions.set("PrivateKeyUsage", new PrivateKeyUsageExtension(notBefore, notAfter));
    CertificateValidity certificateValidity = new CertificateValidity(notBefore, notAfter);
    X509CertInfo x509CertInfo = new X509CertInfo();
    x509CertInfo.set("version", new CertificateVersion(2));
    x509CertInfo.set("serialNumber", new CertificateSerialNumber(new Random().nextInt() & Integer.MAX_VALUE));
    x509CertInfo.set("algorithmID", new CertificateAlgorithmId(AlgorithmId.get(algorithmName)));
    x509CertInfo.set("subject", new CertificateSubjectName(x500Name));
    x509CertInfo.set("key", new CertificateX509Key(publicKey));
    x509CertInfo.set("validity", certificateValidity);
    x509CertInfo.set("issuer", new CertificateIssuerName(x500Name));
    x509CertInfo.set("extensions", certificateExtensions);
    X509CertImpl x509CertImpl = new X509CertImpl(x509CertInfo);
    x509CertImpl.sign(privateKey, algorithmName);
    return x509CertImpl;
}
Also used : CertificateSubjectName(android.sun.security.x509.CertificateSubjectName) KeyIdentifier(android.sun.security.x509.KeyIdentifier) X509CertInfo(android.sun.security.x509.X509CertInfo) CertificateIssuerName(android.sun.security.x509.CertificateIssuerName) CertificateVersion(android.sun.security.x509.CertificateVersion) CertificateExtensions(android.sun.security.x509.CertificateExtensions) CertificateValidity(android.sun.security.x509.CertificateValidity) X500Name(android.sun.security.x509.X500Name) CertificateX509Key(android.sun.security.x509.CertificateX509Key) Date(java.util.Date) SubjectKeyIdentifierExtension(android.sun.security.x509.SubjectKeyIdentifierExtension) CertificateSerialNumber(android.sun.security.x509.CertificateSerialNumber) Random(java.util.Random) SecureRandom(java.security.SecureRandom) X509CertImpl(android.sun.security.x509.X509CertImpl) CertificateAlgorithmId(android.sun.security.x509.CertificateAlgorithmId) PrivateKeyUsageExtension(android.sun.security.x509.PrivateKeyUsageExtension) NonNull(androidx.annotation.NonNull)

Example 2 with SubjectKeyIdentifierExtension

use of android.sun.security.x509.SubjectKeyIdentifierExtension in project coprhd-controller by CoprHD.

the class KeyCertificatePairGenerator method generateCertificate.

/**
 * Create a self-signed X.509 Certificate
 *
 * @param pair the KeyPair
 */
private X509Certificate generateCertificate(KeyPair pair) throws GeneralSecurityException, IOException {
    PublicKey pubKey = loadPublicKeyFromBytes(pair.getPublic().getEncoded());
    PrivateKey privkey = pair.getPrivate();
    X509CertInfo info = new X509CertInfo();
    Date from = getNotBefore();
    Date to = new Date(from.getTime() + valuesHolder.getCertificateValidityInDays() * 86400000L);
    CertificateValidity interval = new CertificateValidity(from, to);
    BigInteger sn = new BigInteger(64, new SecureRandom());
    X500Name owner = new X500Name(String.format(CERTIFICATE_COMMON_NAME_FORMAT, valuesHolder.getCertificateCommonName()));
    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
    info.set(X509CertInfo.SUBJECT, owner);
    info.set(X509CertInfo.ISSUER, owner);
    info.set(X509CertInfo.KEY, new CertificateX509Key(pubKey));
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    AlgorithmId keyAlgo = AlgorithmId.get(KeyCertificateAlgorithmValuesHolder.DEFAULT_KEY_ALGORITHM);
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(keyAlgo));
    AlgorithmId signingAlgo = AlgorithmId.get(valuesHolder.getSigningAlgorithm());
    info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, signingAlgo);
    // add extensions
    CertificateExtensions ext = new CertificateExtensions();
    ext.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension(new KeyIdentifier(pubKey).getIdentifier()));
    // CA public key is the same as our public key (self signed)
    ext.set(AuthorityKeyIdentifierExtension.NAME, new AuthorityKeyIdentifierExtension(new KeyIdentifier(pubKey), null, null));
    ext.set(SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(subjectAltNames()));
    info.set(X509CertInfo.EXTENSIONS, ext);
    X509CertImpl cert = new X509CertImpl(info);
    cert.sign(privkey, valuesHolder.getSigningAlgorithm());
    return cert;
}
Also used : RSAPrivateKey(java.security.interfaces.RSAPrivateKey) PrivateKey(java.security.PrivateKey) KeyIdentifier(sun.security.x509.KeyIdentifier) X509CertInfo(sun.security.x509.X509CertInfo) PublicKey(java.security.PublicKey) SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension) SecureRandom(java.security.SecureRandom) CertificateVersion(sun.security.x509.CertificateVersion) CertificateValidity(sun.security.x509.CertificateValidity) CertificateExtensions(sun.security.x509.CertificateExtensions) X500Name(sun.security.x509.X500Name) CertificateX509Key(sun.security.x509.CertificateX509Key) Date(java.util.Date) CertificateSerialNumber(sun.security.x509.CertificateSerialNumber) SubjectKeyIdentifierExtension(sun.security.x509.SubjectKeyIdentifierExtension) AlgorithmId(sun.security.x509.AlgorithmId) CertificateAlgorithmId(sun.security.x509.CertificateAlgorithmId) X509CertImpl(sun.security.x509.X509CertImpl) BigInteger(java.math.BigInteger) AuthorityKeyIdentifierExtension(sun.security.x509.AuthorityKeyIdentifierExtension) CertificateAlgorithmId(sun.security.x509.CertificateAlgorithmId)

Example 3 with SubjectKeyIdentifierExtension

use of android.sun.security.x509.SubjectKeyIdentifierExtension in project candlepin by candlepin.

the class JSSPKIUtility method buildStandardExtensions.

/**
 * Add boilerplate extensions required by RFC 5280.
 * @param certExtensions a CertificateExtensions object to modify
 * @param keyPair the KeyPair used to create the SubjectKeyIdentifier extension
 * @param providedExtensions A Set of provided extensions that will be added to the certificate.  In some
 * cases (hosted mode) access to the information in those extensions is required for creating the
 * subjectKeyIdentifier.
 *
 * @return a modified version of the certExtensions parameter
 * @throws IOException in case of encoding failures
 */
private CertificateExtensions buildStandardExtensions(CertificateExtensions certExtensions, String dn, KeyPair keyPair, Set<X509ExtensionWrapper> providedExtensions, X509Certificate caCert, String alternateName) throws IOException {
    /* The RFC states that KeyUsage SHOULD be marked as critical.  In previous Candlepin code we were
         * not marking it critical but this constructor will.  I do not believe there should be any
         * compatibility issues, but I am noting it just in case. */
    KeyUsageExtension keyUsage = new KeyUsageExtension();
    keyUsage.set(KeyUsageExtension.DIGITAL_SIGNATURE, true);
    keyUsage.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
    keyUsage.set(KeyUsageExtension.DATA_ENCIPHERMENT, true);
    certExtensions.add(keyUsage);
    // Not critical by default
    ExtendedKeyUsageExtension extendedKeyUsage = new ExtendedKeyUsageExtension();
    /* JSS doesn't have a constant defined for the "clientAuth" OID so we have to put it in by hand.
         * See https://tools.ietf.org/html/rfc5280#appendix-A specifically id-kp-clientAuth.  This OID
         * denotes that a certificate is meant for client authentication over TLS */
    extendedKeyUsage.addOID(new ObjectIdentifier("1.3.6.1.5.5.7.3.2"));
    certExtensions.add(extendedKeyUsage);
    // Not critical for non-CA certs.  -1 pathLen means it won't be encoded.
    BasicConstraintsExtension basicConstraints = new BasicConstraintsExtension(false, -1);
    certExtensions.add(basicConstraints);
    try {
        /* Not critical by default.  I am extremely dubious that we actually need this extension
             * but I'm keeping it because our old cert creation code added it. */
        NSCertTypeExtension netscapeCertType = new NSCertTypeExtension();
        netscapeCertType.set(NSCertTypeExtension.SSL_CLIENT, true);
        netscapeCertType.set(NSCertTypeExtension.EMAIL, true);
        certExtensions.add(netscapeCertType);
    } catch (CertificateException e) {
        throw new IOException("Could not construct certificate extensions", e);
    }
    try {
        /* The JSS SubjectKeyIdentifierExtension class expects you to give it the unencoded KeyIdentifier.
             * The SubjectKeyIdentifierExtension class, however, returns the encoded KeyIdentifier (an DER
             * octet string).  Therefore, we need to unpack the KeyIdentifier. */
        byte[] encodedSki = subjectKeyWriter.getSubjectKeyIdentifier(keyPair, providedExtensions);
        OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), encodedSki);
        // Required to be non-critical
        SubjectKeyIdentifierExtension ski = new SubjectKeyIdentifierExtension(extOctets.toByteArray());
        certExtensions.add(ski);
        // Not critical by default
        AuthorityKeyIdentifierExtension aki = buildAuthorityKeyIdentifier(caCert);
        certExtensions.add(aki);
        // Not critical by default and should *not* be critical since the subject field isn't empty
        if (alternateName != null) {
            SubjectAlternativeNameExtension altNames = new SubjectAlternativeNameExtension();
            GeneralName[] akiName = new GeneralName[2];
            akiName[0] = new GeneralName(new X500Name(dn));
            akiName[1] = new GeneralName(new X500Name("CN=" + alternateName));
            GeneralNames generalNames = new GeneralNames(akiName);
            altNames.setGeneralNames(generalNames);
            certExtensions.add(altNames);
        }
    } catch (InvalidBERException | GeneralNamesException | NoSuchAlgorithmException e) {
        throw new IOException("Could not construct certificate extensions", e);
    }
    return certExtensions;
}
Also used : ExtendedKeyUsageExtension(org.mozilla.jss.netscape.security.extensions.ExtendedKeyUsageExtension) NSCertTypeExtension(org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension) SubjectAlternativeNameExtension(org.mozilla.jss.netscape.security.x509.SubjectAlternativeNameExtension) CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException) X500Name(org.mozilla.jss.netscape.security.x509.X500Name) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) SubjectKeyIdentifierExtension(org.mozilla.jss.netscape.security.x509.SubjectKeyIdentifierExtension) InvalidBERException(org.mozilla.jss.asn1.InvalidBERException) BasicConstraintsExtension(org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) GeneralNames(org.mozilla.jss.netscape.security.x509.GeneralNames) GeneralNamesException(org.mozilla.jss.netscape.security.x509.GeneralNamesException) AuthorityKeyIdentifierExtension(org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension) GeneralName(org.mozilla.jss.netscape.security.x509.GeneralName) KeyUsageExtension(org.mozilla.jss.netscape.security.x509.KeyUsageExtension) ExtendedKeyUsageExtension(org.mozilla.jss.netscape.security.extensions.ExtendedKeyUsageExtension) ObjectIdentifier(org.mozilla.jss.netscape.security.util.ObjectIdentifier)

Example 4 with SubjectKeyIdentifierExtension

use of android.sun.security.x509.SubjectKeyIdentifierExtension in project jdk8u_jdk by JetBrains.

the class Vertex method certToString.

/**
     * Return string representation of this vertex's
     * certificate information.
     *
     * @returns String representation of certificate info
     */
public String certToString() {
    StringBuilder sb = new StringBuilder();
    X509CertImpl x509Cert = null;
    try {
        x509Cert = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            ce.printStackTrace();
        }
        return sb.toString();
    }
    sb.append("Issuer:     ").append(x509Cert.getIssuerX500Principal()).append("\n");
    sb.append("Subject:    ").append(x509Cert.getSubjectX500Principal()).append("\n");
    sb.append("SerialNum:  ").append(x509Cert.getSerialNumber().toString(16)).append("\n");
    sb.append("Expires:    ").append(x509Cert.getNotAfter().toString()).append("\n");
    boolean[] iUID = x509Cert.getIssuerUniqueID();
    if (iUID != null) {
        sb.append("IssuerUID:  ");
        for (boolean b : iUID) {
            sb.append(b ? 1 : 0);
        }
        sb.append("\n");
    }
    boolean[] sUID = x509Cert.getSubjectUniqueID();
    if (sUID != null) {
        sb.append("SubjectUID: ");
        for (boolean b : sUID) {
            sb.append(b ? 1 : 0);
        }
        sb.append("\n");
    }
    try {
        SubjectKeyIdentifierExtension sKeyID = x509Cert.getSubjectKeyIdentifierExtension();
        if (sKeyID != null) {
            KeyIdentifier keyID = sKeyID.get(SubjectKeyIdentifierExtension.KEY_ID);
            sb.append("SubjKeyID:  ").append(keyID.toString());
        }
        AuthorityKeyIdentifierExtension aKeyID = x509Cert.getAuthorityKeyIdentifierExtension();
        if (aKeyID != null) {
            KeyIdentifier keyID = (KeyIdentifier) aKeyID.get(AuthorityKeyIdentifierExtension.KEY_ID);
            sb.append("AuthKeyID:  ").append(keyID.toString());
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            e.printStackTrace();
        }
    }
    return sb.toString();
}
Also used : SubjectKeyIdentifierExtension(sun.security.x509.SubjectKeyIdentifierExtension) KeyIdentifier(sun.security.x509.KeyIdentifier) X509CertImpl(sun.security.x509.X509CertImpl) AuthorityKeyIdentifierExtension(sun.security.x509.AuthorityKeyIdentifierExtension) CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException)

Example 5 with SubjectKeyIdentifierExtension

use of android.sun.security.x509.SubjectKeyIdentifierExtension in project Bytecoder by mirkosertic.

the class Vertex method certToString.

/**
 * Return string representation of this vertex's
 * certificate information.
 *
 * @return String representation of certificate info
 */
public String certToString() {
    StringBuilder sb = new StringBuilder();
    X509CertImpl x509Cert = null;
    try {
        x509Cert = X509CertImpl.toImpl(cert);
    } catch (CertificateException ce) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            ce.printStackTrace();
        }
        return sb.toString();
    }
    sb.append("Issuer:     ").append(x509Cert.getIssuerX500Principal()).append("\n");
    sb.append("Subject:    ").append(x509Cert.getSubjectX500Principal()).append("\n");
    sb.append("SerialNum:  ").append(x509Cert.getSerialNumber().toString(16)).append("\n");
    sb.append("Expires:    ").append(x509Cert.getNotAfter().toString()).append("\n");
    boolean[] iUID = x509Cert.getIssuerUniqueID();
    if (iUID != null) {
        sb.append("IssuerUID:  ");
        for (boolean b : iUID) {
            sb.append(b ? 1 : 0);
        }
        sb.append("\n");
    }
    boolean[] sUID = x509Cert.getSubjectUniqueID();
    if (sUID != null) {
        sb.append("SubjectUID: ");
        for (boolean b : sUID) {
            sb.append(b ? 1 : 0);
        }
        sb.append("\n");
    }
    try {
        SubjectKeyIdentifierExtension sKeyID = x509Cert.getSubjectKeyIdentifierExtension();
        if (sKeyID != null) {
            KeyIdentifier keyID = sKeyID.get(SubjectKeyIdentifierExtension.KEY_ID);
            sb.append("SubjKeyID:  ").append(keyID.toString());
        }
        AuthorityKeyIdentifierExtension aKeyID = x509Cert.getAuthorityKeyIdentifierExtension();
        if (aKeyID != null) {
            KeyIdentifier keyID = (KeyIdentifier) aKeyID.get(AuthorityKeyIdentifierExtension.KEY_ID);
            sb.append("AuthKeyID:  ").append(keyID.toString());
        }
    } catch (IOException e) {
        if (debug != null) {
            debug.println("Vertex.certToString() unexpected exception");
            e.printStackTrace();
        }
    }
    return sb.toString();
}
Also used : SubjectKeyIdentifierExtension(sun.security.x509.SubjectKeyIdentifierExtension) KeyIdentifier(sun.security.x509.KeyIdentifier) X509CertImpl(sun.security.x509.X509CertImpl) AuthorityKeyIdentifierExtension(sun.security.x509.AuthorityKeyIdentifierExtension) CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException)

Aggregations

IOException (java.io.IOException)6 CertificateException (java.security.cert.CertificateException)5 KeyIdentifier (sun.security.x509.KeyIdentifier)5 SubjectKeyIdentifierExtension (sun.security.x509.SubjectKeyIdentifierExtension)5 AuthorityKeyIdentifierExtension (sun.security.x509.AuthorityKeyIdentifierExtension)4 X509CertImpl (sun.security.x509.X509CertImpl)4 BigInteger (java.math.BigInteger)2 SecureRandom (java.security.SecureRandom)2 Date (java.util.Date)2 SubjectKeyIdentifierExtension (org.mozilla.jss.netscape.security.x509.SubjectKeyIdentifierExtension)2 AlgorithmId (sun.security.x509.AlgorithmId)2 BasicConstraintsExtension (sun.security.x509.BasicConstraintsExtension)2 CertificateExtensions (sun.security.x509.CertificateExtensions)2 KeyUsageExtension (sun.security.x509.KeyUsageExtension)2 CertificateAlgorithmId (android.sun.security.x509.CertificateAlgorithmId)1 CertificateExtensions (android.sun.security.x509.CertificateExtensions)1 CertificateIssuerName (android.sun.security.x509.CertificateIssuerName)1 CertificateSerialNumber (android.sun.security.x509.CertificateSerialNumber)1 CertificateSubjectName (android.sun.security.x509.CertificateSubjectName)1 CertificateValidity (android.sun.security.x509.CertificateValidity)1