Use of com.github.zhenwei.core.asn1.x500.X500Name in project carapaceproxy by diennea.
Class CertificatesTestUtils, method generateSampleChain.
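/**
 * Builds a three-element test chain, returned leaf first: an end-user certificate
 * signed by an intermediate CA, which is in turn signed by a self-signed root CA.
 * Both CA certificates are valid from one day ago until one day from now; the
 * end-user certificate starts one day ago and ends either one day ago
 * ({@code expired}) or one day from now.
 *
 * @param endUserKeypair key pair whose public key is placed in the end-user certificate
 * @param expired {@code true} to make the end-user certificate already expired
 * @return {@code {endUserCert, intermediateCA, rootCA}}
 * @throws Exception if key generation, encoding or signing fails
 */
public static Certificate[] generateSampleChain(KeyPair endUserKeypair, boolean expired) throws Exception {
    // Register BC once; "BC" is the provider name the content signers below look up.
    if (Security.getProvider("BC") == null) {
        Security.addProvider(new BouncyCastleProvider());
    }
    // One day in milliseconds; every validity bound is "now +/- one day".
    long oneDay = 1000L * 60 * 60 * 24;
    long now = System.currentTimeMillis();
    Date yesterday = new Date(now - oneDay);
    Date tomorrow = new Date(now + oneDay);

    // Self-signed root CA. The CAs get a real validity window: a certificate whose
    // notBefore and notAfter are both "now" is invalid at every later instant, so a
    // chain built on it cannot pass path validation.
    KeyPair rootCAKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
    X500Name rootName = new X500Name("CN=rootCA");
    X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            rootName, randomSerial(), yesterday, tomorrow, rootName, rootCAKeyPair.getPublic());
    builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign));
    // RFC 5280 4.2.1.9: basicConstraints in a CA certificate must be marked critical.
    builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
    X509Certificate rootCA = signWithRsaSha256(builder, rootCAKeyPair.getPrivate());

    // Intermediate CA, issued (and signed) by the root CA.
    KeyPair intermedCAKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
    builder = new JcaX509v3CertificateBuilder(
            rootCA, randomSerial(), yesterday, tomorrow, new X500Name("CN=IntermedCA"), intermedCAKeyPair.getPublic());
    builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign));
    builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
    X509Certificate intermediateCA = signWithRsaSha256(builder, rootCAKeyPair.getPrivate());

    // End-user certificate, issued by the intermediate CA; "expired" only moves its notAfter.
    Date expiringDate = expired ? yesterday : tomorrow;
    builder = new JcaX509v3CertificateBuilder(
            intermediateCA, randomSerial(), yesterday, expiringDate, new X500Name("CN=endUserCert"), endUserKeypair.getPublic());
    builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
    builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
    X509Certificate endUserCert = signWithRsaSha256(builder, intermedCAKeyPair.getPrivate());

    return new X509Certificate[] { endUserCert, intermediateCA, rootCA };
}

/**
 * Returns a strictly positive serial number in [1, 2^31 - 1]. RFC 5280 4.1.2.2 requires
 * a positive serial; a plain {@code nextInt()} can yield negative values or zero.
 */
private static BigInteger randomSerial() {
    return BigInteger.valueOf(new Random().nextInt(Integer.MAX_VALUE) + 1L);
}

/**
 * Signs the certificate under construction with SHA256withRSA via the BC provider.
 *
 * @param builder populated certificate builder
 * @param signingKey issuer's private key (the subject's own key for a self-signed certificate)
 * @return the signed certificate converted to a JCA {@link X509Certificate}
 * @throws Exception if the signer cannot be created or the conversion fails
 */
private static X509Certificate signWithRsaSha256(X509v3CertificateBuilder builder, java.security.PrivateKey signingKey) throws Exception {
    return new JcaX509CertificateConverter().getCertificate(
            builder.build(new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(signingKey)));
}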
Use of com.github.zhenwei.core.asn1.x500.X500Name in project documentproduction by qld-gov-au.
Class OcspHelper, method verifyOcspResponse.
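/**
 * Verifies an OCSP response: the response status, the responder certificate (located by
 * name or key hash and checked for the responder usage), the response signature, the
 * nonce (falling back to a time-based check when no nonce is present, per RFC 5019) and
 * finally the certificate status carried in the single SingleResp.
 *
 * @param ocspResponse the response to verify
 * @throws OCSPException if the response is malformed, the responder certificate cannot be
 *         found or its usage cannot be checked, the signature or freshness check fails,
 *         the response does not hold exactly one SingleResp, or the status is unknown
 * @throws RevokedCertificateException if the certificate was revoked at or before {@code signDate}
 * @throws IOException if the default security provider can't be instantiated
 */
private void verifyOcspResponse(OCSPResp ocspResponse) throws OCSPException, RevokedCertificateException, IOException {
    verifyRespStatus(ocspResponse);
    BasicOCSPResp basicResponse = (BasicOCSPResp) ocspResponse.getResponseObject();
    if (basicResponse == null) {
        return;
    }
    ResponderID responderID = basicResponse.getResponderId().toASN1Primitive();
    // RFC 6960 4.2.2.3: the ResponderID is either the responder's name or a hash of its
    // public key; the certs field MAY carry the certificates needed to verify the signature.
    X500Name name = responderID.getName();
    // Human-readable responder description for the "not found" error; the key-hash
    // form has no name to print.
    String responderLabel;
    if (name != null) {
        findResponderCertificateByName(basicResponse, name);
        responderLabel = name.toString();
    } else {
        byte[] keyHash = responderID.getKeyHash();
        if (keyHash == null) {
            throw new OCSPException("OCSP: basic response must provide name or key hash");
        }
        findResponderCertificateByKeyHash(basicResponse, keyHash);
        responderLabel = "identified by key hash";
    }
    if (ocspResponderCertificate == null) {
        throw new OCSPException("OCSP: certificate for responder " + responderLabel + " not found");
    }
    try {
        SigUtils.checkResponderCertificateUsage(ocspResponderCertificate);
    } catch (CertificateParsingException ex) {
        // Fail closed: a responder certificate whose usage cannot be parsed must not be
        // accepted as the signer of this response. Logging and continuing would let an
        // unchecked certificate through to the signature check below.
        throw new OCSPException("OCSP: cannot check responder certificate usage", ex);
    }
    checkOcspSignature(ocspResponderCertificate, basicResponse);
    boolean nonceChecked = checkNonce(basicResponse);
    SingleResp[] responses = basicResponse.getResponses();
    if (responses.length != 1) {
        throw new OCSPException("OCSP: Received " + responses.length + " responses instead of 1!");
    }
    SingleResp resp = responses[0];
    if (!nonceChecked) {
        // https://tools.ietf.org/html/rfc5019
        // fall back to validating the OCSPResponse based on time
        checkOcspResponseFresh(resp);
    }
    Object status = resp.getCertStatus();
    if (status instanceof RevokedStatus) {
        RevokedStatus revokedStatus = (RevokedStatus) status;
        // Revocation at or before the signing time invalidates the signature;
        // a later revocation is only reported.
        if (revokedStatus.getRevocationTime().compareTo(signDate) <= 0) {
            throw new RevokedCertificateException("OCSP: Certificate is revoked since " + revokedStatus.getRevocationTime(), revokedStatus.getRevocationTime());
        }
        LOG.info("The certificate was revoked after signing by OCSP " + ocspUrl + " on " + revokedStatus.getRevocationTime());
    } else if (status != CertificateStatus.GOOD) {
        // Anything that is neither revoked nor GOOD is treated as unknown and rejected.
        throw new OCSPException("OCSP: Status of Cert is unknown");
    }
}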
Use of com.github.zhenwei.core.asn1.x500.X500Name in project documentproduction by qld-gov-au.
Class SigningServiceTest, method setUpKeys.
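/**
 * Generates an RSA key pair and a self-signed "CN=test" certificate valid for one day,
 * storing the content signer and the certificate in the static fields
 * {@code contentSigner} and {@code certificate} for use by the tests.
 *
 * @throws Exception if the BC provider is unavailable or key generation or signing fails
 */
private static void setUpKeys() throws Exception {
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", "BC");
    // Explicit key size rather than relying on the provider default.
    keyGen.initialize(2048);
    KeyPair keyPair = keyGen.generateKeyPair();
    X500Name x500Name = new X500Name("CN=test");
    SubjectPublicKeyInfo pubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
    // RFC 5280 4.1.2.2 requires a positive serial number; a 10-bit random value on its own can be zero.
    BigInteger serial = new BigInteger(10, new SecureRandom()).add(BigInteger.ONE);
    Date notBefore = new Date();
    // One day of validity, computed with java.util.Date only (no third-party date library).
    Date notAfter = new Date(notBefore.getTime() + 24L * 60 * 60 * 1000);
    final X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(x500Name, serial, notBefore, notAfter, x500Name, pubKeyInfo);
    contentSigner = new JcaContentSignerBuilder("SHA256WithRSA").build(keyPair.getPrivate());
    certificate = new JcaX509CertificateConverter().setProvider(new BouncyCastleProvider()).getCertificate(certificateBuilder.build(contentSigner));
}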
Use of com.github.zhenwei.core.asn1.x500.X500Name in project dgc-gateway by eu-digital-green-certificates.
Class CertificateTestUtils, method generateCertificate (self-signed variant).
/**
 * Creates a self-signed, non-CA test certificate whose subject and issuer are
 * {@code C=<country>, CN=<commonName>}, signed with SHA256withECDSA by the given key pair.
 *
 * @param keyPair key pair whose public key is certified and whose private key signs the certificate
 * @param country value of the countryName attribute
 * @param commonName value of the commonName attribute
 * @param validFrom start of the validity period
 * @param validTo end of the validity period
 * @return the signed certificate, with a critical basicConstraints extension of cA=false
 * @throws Exception if building or signing the certificate fails
 */
public static X509Certificate generateCertificate(KeyPair keyPair, String country, String commonName, Date validFrom, Date validTo) throws Exception {
    X500Name name = new X500NameBuilder()
            .addRDN(X509ObjectIdentifiers.countryName, country)
            .addRDN(X509ObjectIdentifiers.commonName, commonName)
            .build();
    // Serial derived from the wall clock (equivalent to parsing Long.toString of the same value).
    BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
    JcaX509v3CertificateBuilder certBuilder =
            new JcaX509v3CertificateBuilder(name, serial, validFrom, validTo, name, keyPair.getPublic());
    certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
    ContentSigner selfSigner = new JcaContentSignerBuilder("SHA256withECDSA").build(keyPair.getPrivate());
    return new JcaX509CertificateConverter().getCertificate(certBuilder.build(selfSigner));
}
Use of com.github.zhenwei.core.asn1.x500.X500Name in project dgc-gateway by eu-digital-green-certificates.
Class CertificateTestUtils, method generateCertificate (CA-signed variant).
/**
 * Creates a non-CA test certificate for subject {@code C=<country>, CN=<commonName>},
 * issued by {@code ca} and signed with SHA256withECDSA using {@code caKey}.
 *
 * @param keyPair key pair whose public key is certified
 * @param country value of the countryName attribute of the subject
 * @param commonName value of the commonName attribute of the subject
 * @param validFrom start of the validity period
 * @param validTo end of the validity period
 * @param ca issuing certificate; its subject becomes this certificate's issuer
 * @param caKey private key matching {@code ca}, used to sign
 * @return the signed certificate, with a critical basicConstraints extension of cA=false
 * @throws Exception if encoding, building or signing the certificate fails
 */
public static X509Certificate generateCertificate(KeyPair keyPair, String country, String commonName, Date validFrom, Date validTo, X509Certificate ca, PrivateKey caKey) throws Exception {
    X500Name subjectName = new X500NameBuilder()
            .addRDN(X509ObjectIdentifiers.countryName, country)
            .addRDN(X509ObjectIdentifiers.commonName, commonName)
            .build();
    // Issuer DN is the CA certificate's subject so the two certificates chain by name.
    X500Name issuerName = new X509CertificateHolder(ca.getEncoded()).getSubject();
    // Serial derived from the wall clock (equivalent to parsing Long.toString of the same value).
    BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
    JcaX509v3CertificateBuilder certBuilder =
            new JcaX509v3CertificateBuilder(issuerName, serial, validFrom, validTo, subjectName, keyPair.getPublic());
    certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
    ContentSigner caSigner = new JcaContentSignerBuilder("SHA256withECDSA").build(caKey);
    return new JcaX509CertificateConverter().getCertificate(certBuilder.build(caSigner));
}