use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project zaproxy by zaproxy.
In class SslCertificateUtils, method createRootCA.
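/**
 * Creates a new self-signed Root CA certificate and returns it together with its private key as a
 * {@link KeyStore} of type {@link KeyStore#getDefaultType()}. The entry is stored under
 * {@code SslCertificateService.ZAPROXY_JKS_ALIAS} and protected with
 * {@code SslCertificateService.PASSPHRASE}.
 *
 * <p>The certificate uses a 2048-bit RSA key, is signed with SHA256withRSA, is valid from now for
 * {@code DEFAULT_VALIDITY_IN_MS} milliseconds and carries a random, strictly positive serial number
 * drawn from a {@link SecureRandom}.
 *
 * @return the key store holding the Root CA private key and certificate, never {@code null}
 * @throws NoSuchAlgorithmException if no provider offers an 'RSA' key pair generator
 * @throws IllegalStateException in case of errors during assembling the {@link KeyStore}
 */
public static final KeyStore createRootCA() throws NoSuchAlgorithmException {
    final Date startDate = new Date();
    final Date expireDate = new Date(startDate.getTime() + DEFAULT_VALIDITY_IN_MS);
    // One CSPRNG for both the key pair and the serial number. The platform default is always
    // available, unlike a named algorithm such as "SHA1PRNG" which not every JVM provides.
    final SecureRandom random = new SecureRandom();
    final KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
    g.initialize(2048, random);
    final KeyPair keypair = g.genKeyPair();
    final PrivateKey privKey = keypair.getPrivate();
    final PublicKey pubKey = keypair.getPublic();
    // The signer and converter below select Bouncy Castle by name, so it must be registered;
    // registering it once is enough.
    if (Security.getProvider("BC") == null) {
        Security.addProvider(new BouncyCastleProvider());
    }
    // RFC 5280 requires a positive serial number; java.util.Random#nextInt() could be zero or
    // negative and is not a CSPRNG. 64 random bits plus one is strictly positive and far below
    // the 20-octet limit.
    final BigInteger serial = new BigInteger(64, random).add(BigInteger.ONE);
    // Using the hash codes of the user's name and home path keeps the raw values out of the
    // certificate while still letting users tell their CAs apart. Note that String#hashCode is
    // not a one-way function, so this only obscures the values rather than hiding them.
    final X500NameBuilder namebld = new X500NameBuilder(BCStyle.INSTANCE);
    namebld.addRDN(BCStyle.CN, "OWASP Zed Attack Proxy Root CA");
    namebld.addRDN(BCStyle.L, Integer.toHexString(System.getProperty("user.name", "").hashCode()) + Integer.toHexString(System.getProperty("user.home", "").hashCode()));
    namebld.addRDN(BCStyle.O, "OWASP Root CA");
    namebld.addRDN(BCStyle.OU, "OWASP ZAP Root CA");
    namebld.addRDN(BCStyle.C, "xx");
    // Self-signed: issuer and subject are the same name.
    final X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(namebld.build(), serial, startDate, expireDate, namebld.build(), pubKey);
    try {
        // The whole encoded key is used as the subject key identifier rather than the SHA-1
        // digest RFC 5280 recommends; any unique value is acceptable, so it is kept unchanged.
        certGen.addExtension(Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifier(pubKey.getEncoded()));
        // Critical: this certificate is a CA.
        certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        // keyCertSign and cRLSign are what a CA needs; the remaining bits match the existing
        // issuance profile and are kept as-is.
        certGen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.cRLSign));
        final KeyPurposeId[] eku = { KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth, KeyPurposeId.anyExtendedKeyUsage };
        certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(eku));
        final ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider("BC").build(privKey);
        final X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certGen.build(sigGen));
        final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        // load(null, null) initialises an empty in-memory store.
        ks.load(null, null);
        ks.setKeyEntry(org.parosproxy.paros.security.SslCertificateService.ZAPROXY_JKS_ALIAS, privKey, org.parosproxy.paros.security.SslCertificateService.PASSPHRASE, new Certificate[] { cert });
        return ks;
    } catch (final Exception e) {
        // Boundary catch: extension encoding, signing, conversion and key store errors all
        // surface to the caller as one unchecked failure, with the cause preserved.
        throw new IllegalStateException("Errors during assembling root CA.", e);
    }
}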
use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project MOPP-Android by open-eid.
In class Certificate, method create.
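/**
 * Parses a DER-encoded X.509 certificate into a {@link Certificate} value.
 *
 * <p>The friendly name is {@code "SURNAME,GIVENNAME,SERIAL"} when both name attributes are present
 * in the subject, otherwise the common name. A leading ETSI EN 319 412-1 semantics-identifier
 * prefix (three-letter type such as {@code PNO}, two-letter country, {@code '-'}) is stripped from
 * the serial number first. A missing ExtendedKeyUsage extension is represented as an empty one.
 *
 * @param data the DER encoding of the certificate
 * @return the parsed certificate
 * @throws IOException if the data cannot be parsed as a certificate, or the subject has no common name
 */
public static Certificate create(ByteString data) throws IOException {
    X509CertificateHolder certificate = new X509CertificateHolder(data.toByteArray());
    Extensions extensions = certificate.getExtensions();
    CertificatePolicies certificatePolicies = CertificatePolicies.fromExtensions(extensions);
    EIDType type = EIDType.parse(certificatePolicies);
    String commonName = firstRdnValueOrNull(certificate.getSubject().getRDNs(ASN1ObjectIdentifier.getInstance(BCStyle.CN)));
    if (commonName == null) {
        // A subject without CN used to fail with an ArrayIndexOutOfBoundsException; report it
        // as the declared parse failure instead.
        throw new IOException("Certificate subject has no common name");
    }
    String surname = firstRdnValueOrNull(certificate.getSubject().getRDNs(ASN1ObjectIdentifier.getInstance(BCStyle.SURNAME)));
    String givenName = firstRdnValueOrNull(certificate.getSubject().getRDNs(ASN1ObjectIdentifier.getInstance(BCStyle.GIVENNAME)));
    String serialNR = firstRdnValueOrNull(certificate.getSubject().getRDNs(ASN1ObjectIdentifier.getInstance(BCStyle.SERIALNUMBER)));
    if (serialNR == null) {
        serialNR = "";
    }
    // http://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.01.01_60/en_31941201v010101p.pdf
    final List<String> types = Arrays.asList("PAS", "IDC", "PNO", "TAX", "TIN");
    // Strip "TTTCC-" (known type, or any type with ':' at index 2) from the serial number.
    if (serialNR.length() > 6 && (types.contains(serialNR.substring(0, 3)) || serialNR.charAt(2) == ':') && serialNR.charAt(5) == '-') {
        serialNR = serialNR.substring(6);
    }
    String friendlyName = (surname == null || givenName == null) ? commonName : surname + "," + givenName + "," + serialNR;
    Instant notAfter = Instant.ofEpochMilli(certificate.getNotAfter().getTime());
    boolean ellipticCurve = certificate.getSubjectPublicKeyInfo().getAlgorithm().getAlgorithm().equals(X9ObjectIdentifiers.id_ecPublicKey);
    KeyUsage keyUsage = KeyUsage.fromExtensions(extensions);
    ExtendedKeyUsage extendedKeyUsage = ExtendedKeyUsage.fromExtensions(extensions);
    if (extendedKeyUsage == null) {
        // Keep the field non-null so callers can query purposes without a null check.
        extendedKeyUsage = new ExtendedKeyUsage(new KeyPurposeId[] {});
    }
    return new AutoValue_Certificate(type, commonName, friendlyName, notAfter, ellipticCurve, keyUsage, extendedKeyUsage, data);
}

/**
 * Returns the trimmed string value of the first attribute of the first RDN, or {@code null}
 * when the array is empty.
 *
 * @param rdns the RDNs matching one attribute type, possibly empty
 * @return the first value, trimmed, or {@code null}
 */
private static String firstRdnValueOrNull(RDN[] rdns) {
    if (rdns.length == 0) {
        return null;
    }
    return rdns[0].getFirst().getValue().toString().trim();
}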
use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project ozone by apache.
In class TestDefaultProfile, method getKeyUsageExtension.
/**
 * Builds an {@link Extensions} set holding a single Extended Key Usage extension.
 *
 * @param purposeId the key purpose to encode
 * @param critical whether the extension is flagged critical
 * @return the generated extensions
 * @throws IOException if the extension value cannot be encoded
 */
private Extensions getKeyUsageExtension(KeyPurposeId purposeId, boolean critical) throws IOException {
    final ExtensionsGenerator generator = new ExtensionsGenerator();
    generator.addExtension(Extension.extendedKeyUsage, critical, new ExtendedKeyUsage(purposeId));
    return generator.generate();
}
use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project LinLong-Java by zhenwei1108.
In class JcaJceUtils, method validateServerCertUsage.
/**
 * Checks that a certificate's KeyUsage and ExtendedKeyUsage extensions permit its use as a TLS
 * server certificate.
 *
 * <p>When a KeyUsage extension is present it must not contain keyCertSign and must contain at
 * least one of digitalSignature or keyEncipherment. When an ExtendedKeyUsage extension is present
 * it must contain id-kp-serverAuth, id-kp-msSGC or id-kp-nsSGC; anyExtendedKeyUsage alone is not
 * accepted. An absent extension passes its check.
 *
 * @param x509Certificate the certificate to validate
 * @throws CertificateException if a check fails, or wrapping any other error raised while
 *         decoding the certificate or its extensions
 */
public static void validateServerCertUsage(X509Certificate x509Certificate) throws CertificateException {
    try {
        final X509CertificateHolder holder = new X509CertificateHolder(x509Certificate.getEncoded());
        checkServerKeyUsage(KeyUsage.fromExtensions(holder.getExtensions()));
        checkServerExtendedKeyUsage(ExtendedKeyUsage.fromExtensions(holder.getExtensions()));
    } catch (CertificateException failed) {
        // Our own verdicts (and encoding failures) pass through untouched.
        throw failed;
    } catch (Exception other) {
        // Anything else while decoding is reported as a certificate problem, cause preserved.
        throw new CertificateException(other.getMessage(), other);
    }
}

/**
 * Applies the KeyUsage rules for a server certificate; a {@code null} extension passes.
 *
 * @param keyUsage the KeyUsage extension, or {@code null} if absent
 * @throws CertificateException if keyCertSign is set, or neither digitalSignature nor
 *         keyEncipherment is set
 */
private static void checkServerKeyUsage(KeyUsage keyUsage) throws CertificateException {
    if (keyUsage == null) {
        return;
    }
    if (keyUsage.hasUsages(KeyUsage.keyCertSign)) {
        throw new CertificateException("Key usage must not contain keyCertSign");
    }
    final boolean signOrEncipher = keyUsage.hasUsages(KeyUsage.digitalSignature) || keyUsage.hasUsages(KeyUsage.keyEncipherment);
    if (!signOrEncipher) {
        throw new CertificateException("Key usage must be none, digitalSignature or keyEncipherment");
    }
}

/**
 * Applies the ExtendedKeyUsage rules for a server certificate; a {@code null} extension passes.
 *
 * @param extendedKeyUsage the ExtendedKeyUsage extension, or {@code null} if absent
 * @throws CertificateException if none of serverAuth, msSGC or nsSGC is present
 */
private static void checkServerExtendedKeyUsage(ExtendedKeyUsage extendedKeyUsage) throws CertificateException {
    if (extendedKeyUsage == null) {
        return;
    }
    final boolean serverPurpose = extendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_serverAuth)
            || extendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_msSGC)
            || extendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_nsSGC);
    if (!serverPurpose) {
        throw new CertificateException("Certificate extended key usage must include serverAuth, msSGC or nsSGC");
    }
}
use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project xwiki-commons by xwiki.
In class BcExtensionUtils, method getExtendedKeyUsage.
/**
 * Converts a set of extended key usage OIDs, given as dotted-decimal strings, to a Bouncy Castle
 * {@link ExtendedKeyUsage} extension value.
 *
 * @param usages the set of authorized usages, each a dotted-decimal OID string
 * @return an extended key usage with one {@link KeyPurposeId} per entry, in the set's iteration order
 * @throws IllegalArgumentException if an entry is not a valid OID string
 */
public static ExtendedKeyUsage getExtendedKeyUsage(Set<String> usages) {
    final KeyPurposeId[] purposes = new KeyPurposeId[usages.size()];
    int index = 0;
    for (String oid : usages) {
        purposes[index] = KeyPurposeId.getInstance(new ASN1ObjectIdentifier(oid));
        index++;
    }
    return new ExtendedKeyUsage(purposes);
}