Example 31 with GeneralName
use of com.android.org.bouncycastle.asn1.x509.GeneralName in project jdk8u_jdk by JetBrains.
the class X509CertSelectorTest method testSubjectAltName.
/*
* Tests matching on the subject alternative name extension contained in the
* certificate.
*/
private void testSubjectAltName() throws IOException {
System.out.println("X.509 Certificate Match on subjectAltName");
// bad match
X509CertSelector selector = new X509CertSelector();
GeneralNameInterface dnsName = new DNSName("foo.com");
DerOutputStream tmp = new DerOutputStream();
dnsName.encode(tmp);
selector.addSubjectAlternativeName(2, tmp.toByteArray());
checkMatch(selector, cert, false);
// good match
DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.17"));
byte[] encoded = in.getOctetString();
SubjectAlternativeNameExtension ext = new SubjectAlternativeNameExtension(false, encoded);
GeneralNames names = (GeneralNames) ext.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
GeneralName name = (GeneralName) names.get(0);
selector.setSubjectAlternativeNames(null);
DerOutputStream tmp2 = new DerOutputStream();
name.getName().encode(tmp2);
selector.addSubjectAlternativeName(name.getType(), tmp2.toByteArray());
checkMatch(selector, cert, true);
// good match 2 (matches at least one)
selector.setMatchAllSubjectAltNames(false);
selector.addSubjectAlternativeName(2, "foo.com");
checkMatch(selector, cert, true);
}
Also used :
GeneralNameInterface(sun.security.x509.GeneralNameInterface)
GeneralNames(sun.security.x509.GeneralNames)
DerOutputStream(sun.security.util.DerOutputStream)
SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension)
X509CertSelector(java.security.cert.X509CertSelector)
DerInputStream(sun.security.util.DerInputStream)
GeneralName(sun.security.x509.GeneralName)
DNSName(sun.security.x509.DNSName)
Example 32 with GeneralName
use of com.android.org.bouncycastle.asn1.x509.GeneralName in project athenz by yahoo.
the class ZTSClient method getAWSLambdaServiceCertificate.
/**
* For AWS Lambda functions generate a new private key, request a
* x.509 certificate based on the requested CSR and return both to
* the client in order to establish tls connections with other
* Athenz enabled services.
* @param domainName name of the domain
* @param serviceName name of the service
* @param account AWS account name that the function runs in
* @param provider name of the provider service for AWS Lambda
* @return AWSLambdaIdentity with private key and certificate
*/
public AWSLambdaIdentity getAWSLambdaServiceCertificate(String domainName, String serviceName, String account, String provider) {
if (domainName == null || serviceName == null) {
throw new IllegalArgumentException("Domain and Service must be specified");
}
if (account == null || provider == null) {
throw new IllegalArgumentException("AWS Account and Provider must be specified");
}
if (x509CsrDomain == null) {
throw new IllegalArgumentException("X509 CSR Domain must be specified");
}
// first we're going to generate a private key for the request
AWSLambdaIdentity lambdaIdentity = new AWSLambdaIdentity();
try {
lambdaIdentity.setPrivateKey(Crypto.generateRSAPrivateKey(2048));
} catch (CryptoException ex) {
throw new ZTSClientException(ZTSClientException.BAD_REQUEST, ex.getMessage());
}
// we need to generate an csr with an instance register object
InstanceRegisterInformation info = new InstanceRegisterInformation();
info.setDomain(domainName.toLowerCase());
info.setService(serviceName.toLowerCase());
info.setProvider(provider.toLowerCase());
final String athenzService = info.getDomain() + "." + info.getService();
// generate our dn which will be based on our service name
StringBuilder dnBuilder = new StringBuilder(128);
dnBuilder.append("cn=");
dnBuilder.append(athenzService);
if (x509CsrDn != null) {
dnBuilder.append(',');
dnBuilder.append(x509CsrDn);
}
// now let's generate our dsnName field based on our principal's details
StringBuilder hostBuilder = new StringBuilder(128);
hostBuilder.append(info.getService());
hostBuilder.append('.');
hostBuilder.append(info.getDomain().replace('.', '-'));
hostBuilder.append('.');
hostBuilder.append(x509CsrDomain);
StringBuilder instanceHostBuilder = new StringBuilder(128);
instanceHostBuilder.append("lambda-");
instanceHostBuilder.append(account);
instanceHostBuilder.append('-');
instanceHostBuilder.append(info.getService());
instanceHostBuilder.append(".instanceid.athenz.");
instanceHostBuilder.append(x509CsrDomain);
GeneralName[] sanArray = new GeneralName[2];
sanArray[0] = new GeneralName(GeneralName.dNSName, new DERIA5String(hostBuilder.toString()));
sanArray[1] = new GeneralName(GeneralName.dNSName, new DERIA5String(instanceHostBuilder.toString()));
try {
info.setCsr(Crypto.generateX509CSR(lambdaIdentity.getPrivateKey(), dnBuilder.toString(), sanArray));
} catch (OperatorCreationException | IOException ex) {
throw new ZTSClientException(ZTSClientException.BAD_REQUEST, ex.getMessage());
}
// finally obtain attestation data for lambda
info.setAttestationData(getAWSLambdaAttestationData(athenzService, account));
// request the x.509 certificate from zts server
Map<String, List<String>> responseHeaders = new HashMap<>();
InstanceIdentity identity = postInstanceRegisterInformation(info, responseHeaders);
try {
lambdaIdentity.setX509Certificate(Crypto.loadX509Certificate(identity.getX509Certificate()));
} catch (CryptoException ex) {
throw new ZTSClientException(ZTSClientException.BAD_REQUEST, ex.getMessage());
}
return lambdaIdentity;
}
Also used :
ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap)
HashMap(java.util.HashMap)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
IOException(java.io.IOException)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
List(java.util.List)
ArrayList(java.util.ArrayList)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
CryptoException(com.yahoo.athenz.auth.util.CryptoException)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
Example 33 with GeneralName
use of com.android.org.bouncycastle.asn1.x509.GeneralName in project athenz by yahoo.
the class CryptoTest method testX509CSRrequest.
@Test(dataProvider = "x500Principal")
public void testX509CSRrequest(String x500Principal, boolean badRequest) throws Exception {
PublicKey publicKey = Crypto.loadPublicKey(rsaPublicKey);
PrivateKey privateKey = Crypto.loadPrivateKey(rsaPrivateKey);
String certRequest = null;
GeneralName otherName1 = new GeneralName(GeneralName.otherName, new DERIA5String("role1"));
GeneralName otherName2 = new GeneralName(GeneralName.otherName, new DERIA5String("role2"));
GeneralName[] sanArray = new GeneralName[] { otherName1, otherName2 };
try {
certRequest = Crypto.generateX509CSR(privateKey, publicKey, x500Principal, sanArray);
} catch (Exception e) {
if (!badRequest) {
fail("Should not have failed to create csr");
}
}
if (!badRequest) {
// Now validate the csr
Crypto.getPKCS10CertRequest(certRequest);
}
}
Also used :
PrivateKey(java.security.PrivateKey)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
PublicKey(java.security.PublicKey)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
IOException(java.io.IOException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
CryptoException(com.yahoo.athenz.auth.util.CryptoException)
Test(org.testng.annotations.Test)
Example 34 with GeneralName
use of com.android.org.bouncycastle.asn1.x509.GeneralName in project athenz by yahoo.
the class Crypto method extractX509CSREmail.
public static String extractX509CSREmail(PKCS10CertificationRequest certReq) {
String rfc822 = null;
Attribute[] attributes = certReq.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
for (Attribute attribute : attributes) {
for (ASN1Encodable value : attribute.getAttributeValues()) {
Extensions extensions = Extensions.getInstance(value);
GeneralNames gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);
for (GeneralName name : gns.getNames()) {
if (name.getTagNo() == GeneralName.rfc822Name) {
rfc822 = (((DERIA5String) name.getName()).getString());
break;
}
}
}
}
return rfc822;
}
Also used :
DERIA5String(org.bouncycastle.asn1.DERIA5String)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
Attribute(org.bouncycastle.asn1.pkcs.Attribute)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
Extensions(org.bouncycastle.asn1.x509.Extensions)
Example 35 with GeneralName
use of com.android.org.bouncycastle.asn1.x509.GeneralName in project athenz by yahoo.
the class Crypto method extractX509CSRDnsNames.
public static List<String> extractX509CSRDnsNames(PKCS10CertificationRequest certReq) {
List<String> dnsNames = new ArrayList<>();
Attribute[] attributes = certReq.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
for (Attribute attribute : attributes) {
for (ASN1Encodable value : attribute.getAttributeValues()) {
Extensions extensions = Extensions.getInstance(value);
GeneralNames gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);
for (GeneralName name : gns.getNames()) {
if (name.getTagNo() == GeneralName.dNSName) {
dnsNames.add(((DERIA5String) name.getName()).getString());
}
}
}
}
return dnsNames;
}
Also used :
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
Attribute(org.bouncycastle.asn1.pkcs.Attribute)
ArrayList(java.util.ArrayList)
DEROctetString(org.bouncycastle.asn1.DEROctetString)
DERIA5String(org.bouncycastle.asn1.DERIA5String)
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
Extensions(org.bouncycastle.asn1.x509.Extensions)
Aggregations
GeneralName (org.bouncycastle.asn1.x509.GeneralName)50
IOException (java.io.IOException)34
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)29
ArrayList (java.util.ArrayList)27
List (java.util.List)19
DERIA5String (org.bouncycastle.asn1.DERIA5String)19
GeneralName (org.apache.harmony.security.x509.GeneralName)18
X509Certificate (java.security.cert.X509Certificate)17
DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)16
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)15
Date (java.util.Date)12
X500Name (org.bouncycastle.asn1.x500.X500Name)10
BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)10
JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)10
GeneralName (sun.security.x509.GeneralName)10
GeneralSecurityException (java.security.GeneralSecurityException)9
CertPathValidatorException (java.security.cert.CertPathValidatorException)9
Enumeration (java.util.Enumeration)9
X500Principal (javax.security.auth.x500.X500Principal)9
X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)9
