Search in sources :

Example 86 with X500Name

use of com.github.zhenwei.core.asn1.x500.X500Name in project acme4j by shred.

the class CSRBuilderTest method csrTest.

/**
 * Checks if the CSR contains the right parameters.
 * <p>
 * This is not supposed to be a Bouncy Castle test. If the
 * {@link PKCS10CertificationRequest} contains the right parameters, we assume that
 * Bouncy Castle encodes it properly.
 */
private void csrTest(PKCS10CertificationRequest csr) {
    X500Name name = csr.getSubject();
    try (AutoCloseableSoftAssertions softly = new AutoCloseableSoftAssertions()) {
        softly.assertThat(name.getRDNs(BCStyle.CN)).as("CN").extracting(rdn -> rdn.getFirst().getValue().toString()).contains("abc.de");
        softly.assertThat(name.getRDNs(BCStyle.C)).as("C").extracting(rdn -> rdn.getFirst().getValue().toString()).contains("XX");
        softly.assertThat(name.getRDNs(BCStyle.L)).as("L").extracting(rdn -> rdn.getFirst().getValue().toString()).contains("Testville");
        softly.assertThat(name.getRDNs(BCStyle.O)).as("O").extracting(rdn -> rdn.getFirst().getValue().toString()).contains("Testing Co");
        softly.assertThat(name.getRDNs(BCStyle.OU)).as("OU").extracting(rdn -> rdn.getFirst().getValue().toString()).contains("Testunit");
        softly.assertThat(name.getRDNs(BCStyle.ST)).as("ST").extracting(rdn -> rdn.getFirst().getValue().toString()).contains("ABC");
    }
    Attribute[] attr = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
    assertThat(attr).hasSize(1);
    ASN1Encodable[] extensions = attr[0].getAttrValues().toArray();
    assertThat(extensions).hasSize(1);
    GeneralNames names = GeneralNames.fromExtensions((Extensions) extensions[0], Extension.subjectAlternativeName);
    assertThat(names.getNames()).filteredOn(gn -> gn.getTagNo() == GeneralName.dNSName).extracting(gn -> ASN1IA5String.getInstance(gn.getName()).getString()).containsExactlyInAnyOrder("abc.de", "fg.hi", "jklm.no", "pqr.st", "uv.wx", "y.z", "*.wild.card", "ide1.nt", "ide2.nt", "ide3.nt");
    assertThat(names.getNames()).filteredOn(gn -> gn.getTagNo() == GeneralName.iPAddress).extracting(gn -> getIP(gn.getName()).getHostAddress()).containsExactlyInAnyOrder("192.168.0.1", "192.168.0.2", "10.0.0.1", "10.0.0.2", "fd00:0:0:0:0:0:0:1", "fd00:0:0:0:0:0:0:2", "192.168.5.5", "192.168.5.6", "192.168.5.7");
}
Also used : Assertions.assertThrows(org.junit.jupiter.api.Assertions.assertThrows) KeyPair(java.security.KeyPair) Arrays(java.util.Arrays) PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) ByteArrayOutputStream(java.io.ByteArrayOutputStream) Identifier(org.shredzone.acme4j.Identifier) PKCSObjectIdentifiers(org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers) Extension(org.bouncycastle.asn1.x509.Extension) Assertions.assertThat(org.assertj.core.api.Assertions.assertThat) Security(java.security.Security) DEROctetString(org.bouncycastle.asn1.DEROctetString) BCStyle(org.bouncycastle.asn1.x500.style.BCStyle) InetAddress(java.net.InetAddress) X500Name(org.bouncycastle.asn1.x500.X500Name) BeforeAll(org.junit.jupiter.api.BeforeAll) Assertions.assertThatExceptionOfType(org.assertj.core.api.Assertions.assertThatExceptionOfType) ASN1IA5String(org.bouncycastle.asn1.ASN1IA5String) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) AutoCloseableSoftAssertions(org.assertj.core.api.AutoCloseableSoftAssertions) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) PEMParser(org.bouncycastle.openssl.PEMParser) StringWriter(java.io.StringWriter) IOException(java.io.IOException) UnknownHostException(java.net.UnknownHostException) StandardCharsets(java.nio.charset.StandardCharsets) Extensions(org.bouncycastle.asn1.x509.Extensions) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) Test(org.junit.jupiter.api.Test) GeneralName(org.bouncycastle.asn1.x509.GeneralName) StringReader(java.io.StringReader) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) Attribute(org.bouncycastle.asn1.pkcs.Attribute) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) Attribute(org.bouncycastle.asn1.pkcs.Attribute) X500Name(org.bouncycastle.asn1.x500.X500Name) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) AutoCloseableSoftAssertions(org.assertj.core.api.AutoCloseableSoftAssertions)

Example 87 with X500Name

use of com.github.zhenwei.core.asn1.x500.X500Name in project acme4j by shred.

the class SMIMECSRBuilderTest method smimeCsrTest.

/**
 * Checks if the S/MIME CSR contains the right parameters.
 * <p>
 * This is not supposed to be a Bouncy Castle test. If the
 * {@link PKCS10CertificationRequest} contains the right parameters, we assume that
 * Bouncy Castle encodes it properly.
 */
private void smimeCsrTest(PKCS10CertificationRequest csr) {
    X500Name name = csr.getSubject();
    try (AutoCloseableSoftAssertions softly = new AutoCloseableSoftAssertions()) {
        softly.assertThat(name.getRDNs(BCStyle.CN)).as("CN").extracting(rdn -> rdn.getFirst().getValue().toString()).contains("mail@example.com");
        softly.assertThat(name.getRDNs(BCStyle.C)).as("C").extracting(rdn -> rdn.getFirst().getValue().toString()).contains("XX");
        softly.assertThat(name.getRDNs(BCStyle.L)).as("L").extracting(rdn -> rdn.getFirst().getValue().toString()).contains("Testville");
        softly.assertThat(name.getRDNs(BCStyle.O)).as("O").extracting(rdn -> rdn.getFirst().getValue().toString()).contains("Testing Co");
        softly.assertThat(name.getRDNs(BCStyle.OU)).as("OU").extracting(rdn -> rdn.getFirst().getValue().toString()).contains("Testunit");
        softly.assertThat(name.getRDNs(BCStyle.ST)).as("ST").extracting(rdn -> rdn.getFirst().getValue().toString()).contains("ABC");
    }
    Attribute[] attr = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
    assertThat(attr).hasSize(1);
    ASN1Encodable[] extensions = attr[0].getAttrValues().toArray();
    assertThat(extensions).hasSize(1);
    GeneralNames names = GeneralNames.fromExtensions((Extensions) extensions[0], Extension.subjectAlternativeName);
    assertThat(names.getNames()).filteredOn(gn -> gn.getTagNo() == GeneralName.rfc822Name).extracting(gn -> DERIA5String.getInstance(gn.getName()).getString()).containsExactlyInAnyOrder("mail@example.com", "info@example.com", "sales@example.com", "shop@example.com", "support@example.com", "help@example.com");
}
Also used : Assertions.assertThrows(org.junit.jupiter.api.Assertions.assertThrows) KeyPair(java.security.KeyPair) Arrays(java.util.Arrays) PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) ByteArrayOutputStream(java.io.ByteArrayOutputStream) PKCSObjectIdentifiers(org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers) Extension(org.bouncycastle.asn1.x509.Extension) Assertions.assertThat(org.assertj.core.api.Assertions.assertThat) Security(java.security.Security) DERBitString(org.bouncycastle.asn1.DERBitString) AddressException(jakarta.mail.internet.AddressException) BCStyle(org.bouncycastle.asn1.x500.style.BCStyle) InternetAddress(jakarta.mail.internet.InternetAddress) X500Name(org.bouncycastle.asn1.x500.X500Name) BeforeAll(org.junit.jupiter.api.BeforeAll) AutoCloseableSoftAssertions(org.assertj.core.api.AutoCloseableSoftAssertions) DERIA5String(org.bouncycastle.asn1.DERIA5String) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) UTF_8(java.nio.charset.StandardCharsets.UTF_8) PEMParser(org.bouncycastle.openssl.PEMParser) StringWriter(java.io.StringWriter) IOException(java.io.IOException) Extensions(org.bouncycastle.asn1.x509.Extensions) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) Test(org.junit.jupiter.api.Test) GeneralName(org.bouncycastle.asn1.x509.GeneralName) StringReader(java.io.StringReader) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) Attribute(org.bouncycastle.asn1.pkcs.Attribute) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) KeyPairUtils(org.shredzone.acme4j.util.KeyPairUtils) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) Attribute(org.bouncycastle.asn1.pkcs.Attribute) X500Name(org.bouncycastle.asn1.x500.X500Name) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) AutoCloseableSoftAssertions(org.assertj.core.api.AutoCloseableSoftAssertions)

Example 88 with X500Name

use of com.github.zhenwei.core.asn1.x500.X500Name in project snikket-android by snikket-im.

the class XmppDomainVerifier method getCommonNames.

private static List<String> getCommonNames(X509Certificate certificate) {
    List<String> domains = new ArrayList<>();
    try {
        X500Name x500name = new JcaX509CertificateHolder(certificate).getSubject();
        RDN[] rdns = x500name.getRDNs(BCStyle.CN);
        for (int i = 0; i < rdns.length; ++i) {
            domains.add(IETFUtils.valueToString(x500name.getRDNs(BCStyle.CN)[i].getFirst().getValue()));
        }
        return domains;
    } catch (CertificateEncodingException e) {
        return domains;
    }
}
Also used : ArrayList(java.util.ArrayList) CertificateEncodingException(java.security.cert.CertificateEncodingException) DERIA5String(org.bouncycastle.asn1.DERIA5String) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) X500Name(org.bouncycastle.asn1.x500.X500Name) JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder) RDN(org.bouncycastle.asn1.x500.RDN)

Example 89 with X500Name

use of com.github.zhenwei.core.asn1.x500.X500Name in project credhub by cloudfoundry.

the class CertificateGeneratorTest method whenCAExists_andItIsAIntermediateCA_aValidChildCertificateIsGenerated.

@Test
public void whenCAExists_andItIsAIntermediateCA_aValidChildCertificateIsGenerated() throws Exception {
    final KeyPair childCertificateKeyPair = setupKeyPair();
    final X500Name intermediateCaDn = new X500Name("O=foo,ST=bar,C=intermediate");
    final KeyPair intermediateCaKeyPair = fakeKeyPairGenerator.generate();
    final X509CertificateHolder intermediateCaCertificateHolder = makeCert(intermediateCaKeyPair, rootCaKeyPair.getPrivate(), rootCaDn, intermediateCaDn, true);
    final X509Certificate intermediateX509Certificate = new JcaX509CertificateConverter().setProvider(BouncyCastleFipsProvider.PROVIDER_NAME).getCertificate(intermediateCaCertificateHolder);
    final CertificateCredentialValue intermediateCa = new CertificateCredentialValue(null, CertificateFormatter.pemOf(intermediateX509Certificate), CertificateFormatter.pemOf(intermediateCaKeyPair.getPrivate()), null, true, false, false, false);
    when(certificateAuthorityService.findActiveVersion("/my-ca-name")).thenReturn(intermediateCa);
    when(keyGenerator.generateKeyPair(anyInt())).thenReturn(childCertificateKeyPair);
    final X509CertificateHolder childCertificateHolder = generateChildCertificateSignedByCa(childCertificateKeyPair, intermediateCaKeyPair.getPrivate(), intermediateCaDn);
    childX509Certificate = new JcaX509CertificateConverter().setProvider(BouncyCastleFipsProvider.PROVIDER_NAME).getCertificate(childCertificateHolder);
    when(signedCertificateGenerator.getSignedByIssuer(childCertificateKeyPair, inputParameters, intermediateX509Certificate, intermediateCaKeyPair.getPrivate())).thenReturn(childX509Certificate);
    final CertificateCredentialValue certificateSignedByIntermediate = subject.generateCredential(inputParameters);
    assertThat(certificateSignedByIntermediate.getCa(), equalTo(intermediateCa.getCertificate()));
    assertThat(certificateSignedByIntermediate.getPrivateKey(), equalTo(CertificateFormatter.pemOf(childCertificateKeyPair.getPrivate())));
    assertThat(certificateSignedByIntermediate.getCertificate(), equalTo(CertificateFormatter.pemOf(childX509Certificate)));
    verify(keyGenerator, times(1)).generateKeyPair(2048);
}
Also used : KeyPair(java.security.KeyPair) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) CertificateCredentialValue(org.cloudfoundry.credhub.credential.CertificateCredentialValue) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) X500Name(org.bouncycastle.asn1.x500.X500Name) X509Certificate(java.security.cert.X509Certificate) Test(org.junit.Test)

Example 90 with X500Name

use of com.github.zhenwei.core.asn1.x500.X500Name in project mockserver by mock-server.

the class BCKeyAndCertificateFactory method createCASignedCert.

/**
 * Create a server certificate for the given domain and subject alternative names, signed by the given Certificate Authority.
 */
private X509Certificate createCASignedCert(PublicKey publicKey, X509Certificate certificateAuthorityCert, PrivateKey certificateAuthorityPrivateKey, PublicKey certificateAuthorityPublicKey, String domain, Set<String> subjectAlternativeNameDomains, Set<String> subjectAlternativeNameIps) throws Exception {
    // signers name
    X500Name issuer = new X509CertificateHolder(certificateAuthorityCert.getEncoded()).getSubject();
    // subjects name - the same as we are self signed.
    X500Name subject = new X500Name("CN=" + domain + ", O=MockServer, L=London, ST=England, C=UK");
    // serial
    BigInteger serial = BigInteger.valueOf(new Random().nextInt(Integer.MAX_VALUE));
    // create the certificate - version 3
    X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, serial, NOT_BEFORE, NOT_AFTER, subject, publicKey);
    builder.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(publicKey));
    builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
    // subject alternative name
    List<ASN1Encodable> subjectAlternativeNames = new ArrayList<>();
    if (subjectAlternativeNameDomains != null) {
        subjectAlternativeNames.add(new GeneralName(GeneralName.dNSName, domain));
        for (String subjectAlternativeNameDomain : subjectAlternativeNameDomains) {
            subjectAlternativeNames.add(new GeneralName(GeneralName.dNSName, subjectAlternativeNameDomain));
        }
    }
    if (subjectAlternativeNameIps != null) {
        for (String subjectAlternativeNameIp : subjectAlternativeNameIps) {
            if (IPAddress.isValidIPv6WithNetmask(subjectAlternativeNameIp) || IPAddress.isValidIPv6(subjectAlternativeNameIp) || IPAddress.isValidIPv4WithNetmask(subjectAlternativeNameIp) || IPAddress.isValidIPv4(subjectAlternativeNameIp)) {
                subjectAlternativeNames.add(new GeneralName(GeneralName.iPAddress, subjectAlternativeNameIp));
            }
        }
    }
    if (subjectAlternativeNames.size() > 0) {
        DERSequence subjectAlternativeNamesExtension = new DERSequence(subjectAlternativeNames.toArray(new ASN1Encodable[0]));
        builder.addExtension(Extension.subjectAlternativeName, false, subjectAlternativeNamesExtension);
    }
    X509Certificate signedX509Certificate = signCertificate(builder, certificateAuthorityPrivateKey);
    // validate
    signedX509Certificate.checkValidity(new Date());
    signedX509Certificate.verify(certificateAuthorityPublicKey);
    return signedX509Certificate;
}
Also used : X500Name(org.bouncycastle.asn1.x500.X500Name) X509Certificate(java.security.cert.X509Certificate) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) BigInteger(java.math.BigInteger)

Aggregations

X500Name (org.bouncycastle.asn1.x500.X500Name)510 X509Certificate (java.security.cert.X509Certificate)183 BigInteger (java.math.BigInteger)175 Date (java.util.Date)169 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)158 ContentSigner (org.bouncycastle.operator.ContentSigner)149 JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)145 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)127 X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)127 IOException (java.io.IOException)108 JcaX509v3CertificateBuilder (org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)100 RDN (org.bouncycastle.asn1.x500.RDN)94 SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)93 KeyPair (java.security.KeyPair)79 X500Name (sun.security.x509.X500Name)68 PrivateKey (java.security.PrivateKey)64 CertificateException (java.security.cert.CertificateException)64 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)59 BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)55 GeneralName (org.bouncycastle.asn1.x509.GeneralName)55