Search in sources :

Example 46 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project zaproxy by zaproxy.

the class SslCertificateUtils method createRootCA.

/**
 * Creates a new Root CA certificate and returns private and public key as {@link KeyStore}. The
 * {@link KeyStore#getDefaultType()} is used.
 *
 * @return
 * @throws NoSuchAlgorithmException If no providers are found for 'RSA' key pair generator or
 *     'SHA1PRNG' Secure random number generator
 * @throws IllegalStateException in case of errors during assembling {@link KeyStore}
 */
public static final KeyStore createRootCA() throws NoSuchAlgorithmException {
    final Date startDate = Calendar.getInstance().getTime();
    final Date expireDate = new Date(startDate.getTime() + DEFAULT_VALIDITY_IN_MS);
    final KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
    g.initialize(2048, SecureRandom.getInstance("SHA1PRNG"));
    final KeyPair keypair = g.genKeyPair();
    final PrivateKey privKey = keypair.getPrivate();
    final PublicKey pubKey = keypair.getPublic();
    Security.addProvider(new BouncyCastleProvider());
    Random rnd = new Random();
    // using the hash code of the user's name and home path, keeps anonymity
    // but also gives user a chance to distinguish between each other
    X500NameBuilder namebld = new X500NameBuilder(BCStyle.INSTANCE);
    namebld.addRDN(BCStyle.CN, "OWASP Zed Attack Proxy Root CA");
    namebld.addRDN(BCStyle.L, Integer.toHexString(System.getProperty("user.name").hashCode()) + Integer.toHexString(System.getProperty("user.home").hashCode()));
    namebld.addRDN(BCStyle.O, "OWASP Root CA");
    namebld.addRDN(BCStyle.OU, "OWASP ZAP Root CA");
    namebld.addRDN(BCStyle.C, "xx");
    X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(namebld.build(), BigInteger.valueOf(rnd.nextInt()), startDate, expireDate, namebld.build(), pubKey);
    KeyStore ks = null;
    try {
        certGen.addExtension(Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifier(pubKey.getEncoded()));
        certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        certGen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.cRLSign));
        KeyPurposeId[] eku = { KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth, KeyPurposeId.anyExtendedKeyUsage };
        certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(eku));
        final ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider("BC").build(privKey);
        final X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certGen.build(sigGen));
        ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ks.setKeyEntry(org.parosproxy.paros.security.SslCertificateService.ZAPROXY_JKS_ALIAS, privKey, org.parosproxy.paros.security.SslCertificateService.PASSPHRASE, new Certificate[] { cert });
    } catch (final Exception e) {
        throw new IllegalStateException("Errors during assembling root CA.", e);
    }
    return ks;
}
Also used : KeyPair(java.security.KeyPair) RSAPrivateKey(java.security.interfaces.RSAPrivateKey) PrivateKey(java.security.PrivateKey) X500NameBuilder(org.bouncycastle.asn1.x500.X500NameBuilder) KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId) PublicKey(java.security.PublicKey) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) KeyPairGenerator(java.security.KeyPairGenerator) SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier) KeyStore(java.security.KeyStore) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) KeyStoreException(java.security.KeyStoreException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) Random(java.util.Random) SecureRandom(java.security.SecureRandom) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)

Example 47 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project MOPP-Android by open-eid.

the class Certificate method create.

public static Certificate create(ByteString data) throws IOException {
    X509CertificateHolder certificate = new X509CertificateHolder(data.toByteArray());
    Extensions extensions = certificate.getExtensions();
    CertificatePolicies certificatePolicies = CertificatePolicies.fromExtensions(extensions);
    EIDType type = EIDType.parse(certificatePolicies);
    RDN[] rdNs = certificate.getSubject().getRDNs(ASN1ObjectIdentifier.getInstance(BCStyle.CN));
    String commonName = rdNs[0].getFirst().getValue().toString().trim();
    RDN[] rdSNNs = certificate.getSubject().getRDNs(ASN1ObjectIdentifier.getInstance(BCStyle.SURNAME));
    RDN[] rdGNNs = certificate.getSubject().getRDNs(ASN1ObjectIdentifier.getInstance(BCStyle.GIVENNAME));
    RDN[] rdSERIALNs = certificate.getSubject().getRDNs(ASN1ObjectIdentifier.getInstance(BCStyle.SERIALNUMBER));
    // http://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.01.01_60/en_31941201v010101p.pdf
    final List<String> types = Arrays.asList("PAS", "IDC", "PNO", "TAX", "TIN");
    String serialNR = rdSERIALNs.length == 0 ? "" : rdSERIALNs[0].getFirst().getValue().toString().trim();
    if (serialNR.length() > 6 && (types.contains(serialNR.substring(0, 3)) || serialNR.charAt(2) == ':') && serialNR.charAt(5) == '-')
        serialNR = serialNR.substring(6);
    String friendlyName = rdSNNs.length == 0 || rdGNNs.length == 0 ? commonName : rdSNNs[0].getFirst().getValue().toString().trim() + "," + rdGNNs[0].getFirst().getValue().toString().trim() + "," + serialNR;
    Instant notAfter = Instant.ofEpochMilli(certificate.getNotAfter().getTime());
    boolean ellipticCurve = certificate.getSubjectPublicKeyInfo().getAlgorithm().getAlgorithm().equals(X9ObjectIdentifiers.id_ecPublicKey);
    KeyUsage keyUsage = KeyUsage.fromExtensions(extensions);
    ExtendedKeyUsage extendedKeyUsage = ExtendedKeyUsage.fromExtensions(extensions);
    if (extendedKeyUsage == null) {
        extendedKeyUsage = new ExtendedKeyUsage(new KeyPurposeId[] {});
    }
    return new AutoValue_Certificate(type, commonName, friendlyName, notAfter, ellipticCurve, keyUsage, extendedKeyUsage, data);
}
Also used : KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId) Instant(java.time.Instant) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) ByteString(okio.ByteString) Extensions(org.bouncycastle.asn1.x509.Extensions) CertificatePolicies(org.bouncycastle.asn1.x509.CertificatePolicies) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) RDN(org.bouncycastle.asn1.x500.RDN) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)

Example 48 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project ozone by apache.

the class TestDefaultProfile method getKeyUsageExtension.

/**
 * Returns a extension with Extended Key usage.
 * @param purposeId - Usage that we want to encode.
 * @param critical -  makes the extension critical.
 * @return Extensions.
 */
private Extensions getKeyUsageExtension(KeyPurposeId purposeId, boolean critical) throws IOException {
    ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(purposeId);
    ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
    extensionsGenerator.addExtension(Extension.extendedKeyUsage, critical, extendedKeyUsage);
    return extensionsGenerator.generate();
}
Also used : ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) ExtensionsGenerator(org.bouncycastle.asn1.x509.ExtensionsGenerator)

Example 49 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project LinLong-Java by zhenwei1108.

the class JcaJceUtils method validateServerCertUsage.

public static void validateServerCertUsage(X509Certificate x509Certificate) throws CertificateException {
    try {
        X509CertificateHolder cert = new X509CertificateHolder(x509Certificate.getEncoded());
        KeyUsage keyUsage = KeyUsage.fromExtensions(cert.getExtensions());
        if (keyUsage != null) {
            if (keyUsage.hasUsages(KeyUsage.keyCertSign)) {
                throw new CertificateException("Key usage must not contain keyCertSign");
            }
            if (!(keyUsage.hasUsages(KeyUsage.digitalSignature) || keyUsage.hasUsages(KeyUsage.keyEncipherment))) {
                throw new CertificateException("Key usage must be none, digitalSignature or keyEncipherment");
            }
        }
        // 
        // Check extended key usage.
        // 
        ExtendedKeyUsage extendedKeyUsage = ExtendedKeyUsage.fromExtensions(cert.getExtensions());
        if (extendedKeyUsage != null) {
            if (!(extendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_serverAuth) || extendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_msSGC) || extendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_nsSGC))) {
                throw new CertificateException("Certificate extended key usage must include serverAuth, msSGC or nsSGC");
            }
        }
    } catch (CertificateException c) {
        throw c;
    } catch (Exception e) {
        throw new CertificateException(e.getMessage(), e);
    }
}
Also used : X509CertificateHolder(com.github.zhenwei.pkix.cert.X509CertificateHolder) ExtendedKeyUsage(com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage) KeyUsage(com.github.zhenwei.core.asn1.x509.KeyUsage) CertificateException(java.security.cert.CertificateException) ExtendedKeyUsage(com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage) KeyStoreException(java.security.KeyStoreException) GeneralSecurityException(java.security.GeneralSecurityException) UnrecoverableKeyException(java.security.UnrecoverableKeyException) CertificateException(java.security.cert.CertificateException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) NoSuchProviderException(java.security.NoSuchProviderException)

Example 50 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project xwiki-commons by xwiki.

the class BcExtensionUtils method getExtendedKeyUsage.

/**
 * Convert a set of extended key usages to Bouncy Castle extended key usage.
 *
 * @param usages the set of authorized usages.
 * @return a bit mask
 */
public static ExtendedKeyUsage getExtendedKeyUsage(Set<String> usages) {
    KeyPurposeId[] keyUsages = new KeyPurposeId[usages.size()];
    int i = 0;
    for (String usage : usages) {
        keyUsages[i++] = KeyPurposeId.getInstance(new ASN1ObjectIdentifier(usage));
    }
    return new ExtendedKeyUsage(keyUsages);
}
Also used : KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId) DERBitString(org.bouncycastle.asn1.DERBitString) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Aggregations

ExtendedKeyUsage (org.bouncycastle.asn1.x509.ExtendedKeyUsage)35 KeyPurposeId (org.bouncycastle.asn1.x509.KeyPurposeId)24 KeyUsage (org.bouncycastle.asn1.x509.KeyUsage)21 BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)19 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)19 X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)18 X500Name (org.bouncycastle.asn1.x500.X500Name)17 JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)17 ContentSigner (org.bouncycastle.operator.ContentSigner)17 Date (java.util.Date)16 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)14 X509Certificate (java.security.cert.X509Certificate)13 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)12 DEROctetString (org.bouncycastle.asn1.DEROctetString)11 Extension (org.bouncycastle.asn1.x509.Extension)11 GeneralName (org.bouncycastle.asn1.x509.GeneralName)11 SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)10 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)9 JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)9 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)8