use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project xipki by xipki.
the class EnrollCertAction method execute0.
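/**
 * Builds a certificate request, submits it to the CA and saves the returned certificate.
 *
 * <p>The certificate template takes its subject from {@code subject} and its public key from
 * the signer's own certificate. Each requested extension is added as non-critical. The proof of
 * possession is produced with the same signer, so the request proves possession of the private
 * key that belongs to the public key in the template.
 *
 * @return always {@code null}; the certificate is written to {@code outputFile}
 * @throws CmdFailure if the CA response contains no certificate
 * @throws Exception if a qc-eu-limit value is malformed, if only part of the biometric
 *     triple (type, hash algo, file) is set, or if building or sending the request fails
 */
@Override
protected Object execute0() throws Exception {
  if (caName != null) {
    // NOTE(review): toLowerCase() uses the default locale; confirm that CA names are
    // normalized the same way wherever they are compared.
    caName = caName.toLowerCase();
  }

  CertTemplateBuilder certTemplateBuilder = new CertTemplateBuilder();
  ConcurrentContentSigner signer = getSigner(new SignatureAlgoControl(rsaMgf1, dsaPlain, gm));
  X509CertificateHolder ssCert = signer.getBcCertificate();
  X500Name x500Subject = new X500Name(subject);
  certTemplateBuilder.setSubject(x500Subject);
  // The requested public key is the one in the signer's certificate.
  certTemplateBuilder.setPublicKey(ssCert.getSubjectPublicKeyInfo());

  // Validity is optional; either bound may be left out.
  if (StringUtil.isNotBlank(notBeforeS) || StringUtil.isNotBlank(notAfterS)) {
    Time notBefore = StringUtil.isNotBlank(notBeforeS)
        ? new Time(DateUtil.parseUtcTimeyyyyMMddhhmmss(notBeforeS)) : null;
    Time notAfter = StringUtil.isNotBlank(notAfterS)
        ? new Time(DateUtil.parseUtcTimeyyyyMMddhhmmss(notAfterS)) : null;
    OptionalValidity validity = new OptionalValidity(notBefore, notAfter);
    certTemplateBuilder.setValidity(validity);
  }

  // Every extension put into the request below is also recorded as "needed".
  if (needExtensionTypes == null) {
    needExtensionTypes = new LinkedList<>();
  }

  // SubjectAltNames
  List<Extension> extensions = new LinkedList<>();
  if (isNotEmpty(subjectAltNames)) {
    extensions.add(X509Util.createExtnSubjectAltName(subjectAltNames, false));
    needExtensionTypes.add(Extension.subjectAlternativeName.getId());
  }

  // SubjectInfoAccess
  if (isNotEmpty(subjectInfoAccesses)) {
    extensions.add(X509Util.createExtnSubjectInfoAccess(subjectInfoAccesses, false));
    needExtensionTypes.add(Extension.subjectInfoAccess.getId());
  }

  // Keyusage
  if (isNotEmpty(keyusages)) {
    Set<KeyUsage> usages = new HashSet<>();
    for (String usage : keyusages) {
      usages.add(KeyUsage.getKeyUsage(usage));
    }
    org.bouncycastle.asn1.x509.KeyUsage extValue = X509Util.createKeyUsage(usages);
    ASN1ObjectIdentifier extType = Extension.keyUsage;
    extensions.add(new Extension(extType, false, extValue.getEncoded()));
    needExtensionTypes.add(extType.getId());
  }

  // ExtendedKeyusage
  if (isNotEmpty(extkeyusages)) {
    ExtendedKeyUsage extValue =
        X509Util.createExtendedUsage(textToAsn1ObjectIdentifers(extkeyusages));
    ASN1ObjectIdentifier extType = Extension.extendedKeyUsage;
    extensions.add(new Extension(extType, false, extValue.getEncoded()));
    needExtensionTypes.add(extType.getId());
  }

  // QcEuLimitValue: each entry has the form currency:amount:exponent
  if (isNotEmpty(qcEuLimits)) {
    ASN1EncodableVector vec = new ASN1EncodableVector();
    for (String m : qcEuLimits) {
      StringTokenizer st = new StringTokenizer(m, ":");
      try {
        String currencyS = st.nextToken();
        String amountS = st.nextToken();
        String exponentS = st.nextToken();

        // The currency is given either as a numeric code or as a text code.
        Iso4217CurrencyCode currency;
        try {
          int intValue = Integer.parseInt(currencyS);
          currency = new Iso4217CurrencyCode(intValue);
        } catch (NumberFormatException ex) {
          currency = new Iso4217CurrencyCode(currencyS);
        }

        int amount = Integer.parseInt(amountS);
        int exponent = Integer.parseInt(exponentS);
        MonetaryValue monetaryValue = new MonetaryValue(currency, amount, exponent);
        QCStatement statement =
            new QCStatement(ObjectIdentifiers.id_etsi_qcs_QcLimitValue, monetaryValue);
        vec.add(statement);
      } catch (Exception ex) {
        // Keep the cause so the operator can see which token was rejected and why.
        throw new Exception("invalid qc-eu-limit '" + m + "'", ex);
      }
    }

    ASN1ObjectIdentifier extType = Extension.qCStatements;
    ASN1Sequence extValue = new DERSequence(vec);
    extensions.add(new Extension(extType, false, extValue.getEncoded()));
    needExtensionTypes.add(extType.getId());
  }

  // biometricInfo: type, hash algorithm and file must be given together
  if (biometricType != null && biometricHashAlgo != null && biometricFile != null) {
    TypeOfBiometricData objBiometricType = StringUtil.isNumber(biometricType)
        ? new TypeOfBiometricData(Integer.parseInt(biometricType))
        : new TypeOfBiometricData(new ASN1ObjectIdentifier(biometricType));

    ASN1ObjectIdentifier objBiometricHashAlgo = AlgorithmUtil.getHashAlg(biometricHashAlgo);
    byte[] biometricBytes = IoUtil.read(biometricFile);
    // Only the digest of the file content goes into the request, not the content itself.
    // NOTE(review): the digest algorithm is whatever the operator names; confirm that
    // AlgorithmUtil.getHashAlg rejects algorithms the deployment does not accept.
    MessageDigest md = MessageDigest.getInstance(objBiometricHashAlgo.getId());
    md.reset();
    byte[] biometricDataHash = md.digest(biometricBytes);

    DERIA5String sourceDataUri = null;
    if (biometricUri != null) {
      sourceDataUri = new DERIA5String(biometricUri);
    }

    BiometricData biometricData = new BiometricData(objBiometricType,
        new AlgorithmIdentifier(objBiometricHashAlgo),
        new DEROctetString(biometricDataHash), sourceDataUri);
    ASN1EncodableVector vec = new ASN1EncodableVector();
    vec.add(biometricData);

    ASN1ObjectIdentifier extType = Extension.biometricInfo;
    ASN1Sequence extValue = new DERSequence(vec);
    extensions.add(new Extension(extType, false, extValue.getEncoded()));
    needExtensionTypes.add(extType.getId());
  } else if (biometricType == null && biometricHashAlgo == null && biometricFile == null) {
    // Do nothing
  } else {
    throw new Exception("either all of biometric triples (type, hash algo, file)" + " must be set or none of them should be set");
  }

  // Tell the CA which extensions the requester needs and which it merely wants.
  if (isNotEmpty(needExtensionTypes) || isNotEmpty(wantExtensionTypes)) {
    ExtensionExistence ee = new ExtensionExistence(
        textToAsn1ObjectIdentifers(needExtensionTypes),
        textToAsn1ObjectIdentifers(wantExtensionTypes));
    extensions.add(new Extension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions, false,
        ee.toASN1Primitive().getEncoded()));
  }

  if (isNotEmpty(extensions)) {
    Extensions asn1Extensions = new Extensions(extensions.toArray(new Extension[0]));
    certTemplateBuilder.setExtensions(asn1Extensions);
  }

  CertRequest certReq = new CertRequest(1, certTemplateBuilder.build(), null);

  // Proof of possession: sign the request with a borrowed signer and always return it.
  ProofOfPossessionSigningKeyBuilder popoBuilder = new ProofOfPossessionSigningKeyBuilder(certReq);
  ConcurrentBagEntrySigner signer0 = signer.borrowSigner();
  POPOSigningKey popoSk;
  try {
    popoSk = popoBuilder.build(signer0.value());
  } finally {
    signer.requiteSigner(signer0);
  }
  ProofOfPossession popo = new ProofOfPossession(popoSk);

  EnrollCertRequestEntry reqEntry = new EnrollCertRequestEntry("id-1", profile, certReq, popo);
  EnrollCertRequest request = new EnrollCertRequest(EnrollCertRequest.Type.CERT_REQ);
  request.addRequestEntry(reqEntry);

  RequestResponseDebug debug = getRequestResponseDebug();
  EnrollCertResult result;
  try {
    result = caClient.requestCerts(caName, request, debug);
  } finally {
    // The request/response pair is saved even when the call fails.
    saveRequestResponse(debug);
  }

  X509Certificate cert = null;
  if (result != null) {
    // Exactly one entry was sent, so only the first id is looked at. An empty id set or a
    // missing entry falls through to the CmdFailure below instead of raising
    // NoSuchElementException or NullPointerException.
    for (String id : result.getAllIds()) {
      CertOrError certOrError = result.getCertOrError(id);
      if (certOrError != null) {
        cert = (X509Certificate) certOrError.getCertificate();
      }
      break;
    }
  }

  if (cert == null) {
    // NOTE(review): an error returned by the server for this entry is not reported here.
    throw new CmdFailure("no certificate received from the server");
  }

  File certFile = new File(outputFile);
  saveVerbose("saved certificate to file", certFile, cert.getEncoded());
  return null;
}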
use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project xipki by xipki.
the class ExtensionsChecker method getExensionTypes.
// getExpectedExtValue
/**
 * Collects the extension types that are expected for the given request.
 *
 * <p>The result starts with every extension the profile marks as required, plus the "need"
 * list carried in the request's cmpRequestExtensions extension. Extensions from the "want"
 * list are added only when the condition checked for that type below holds.
 *
 * @param cert certificate whose extensions are consulted for the IssuerAltName decision
 * @param issuerInfo issuer data providing the CRL, delta CRL and OCSP URLs
 * @param requestedExtensions extensions of the request; may be {@code null}
 * @return the expected extension types
 */
private Set<ASN1ObjectIdentifier> getExensionTypes(Certificate cert, X509IssuerInfo issuerInfo, Extensions requestedExtensions) {
  Set<ASN1ObjectIdentifier> types = new HashSet<>();

  // Extension types the profile marks as required.
  for (Map.Entry<ASN1ObjectIdentifier, ExtensionControl> control
      : certProfile.getExtensionControls().entrySet()) {
    if (control.getValue().isRequired()) {
      types.add(control.getKey());
    }
  }

  // Need/want lists sent by the requester.
  Set<ASN1ObjectIdentifier> wanted = new HashSet<>();
  if (requestedExtensions != null) {
    Extension existenceExt =
        requestedExtensions.getExtension(ObjectIdentifiers.id_xipki_ext_cmpRequestExtensions);
    if (existenceExt != null) {
      ExtensionExistence existence = ExtensionExistence.getInstance(existenceExt.getParsedValue());
      types.addAll(existence.getNeedExtensions());
      wanted.addAll(existence.getWantExtensions());
    }
  }

  if (CollectionUtil.isEmpty(wanted)) {
    return types;
  }

  // Authority key identifier: added whenever wanted.
  if (wanted.contains(Extension.authorityKeyIdentifier)) {
    types.add(Extension.authorityKeyIdentifier);
  }

  // Subject key identifier: added whenever wanted.
  if (wanted.contains(Extension.subjectKeyIdentifier)) {
    types.add(Extension.subjectKeyIdentifier);
  }

  // KeyUsage: present in the request, or getKeyusage(true) is non-empty.
  if (wanted.contains(Extension.keyUsage)) {
    boolean inRequest = requestedExtensions != null
        && requestedExtensions.getExtension(Extension.keyUsage) != null;
    if (inRequest || CollectionUtil.isNonEmpty(getKeyusage(true))) {
      types.add(Extension.keyUsage);
    }
  }

  // CertificatePolicies
  if (wanted.contains(Extension.certificatePolicies) && certificatePolicies != null) {
    types.add(Extension.certificatePolicies);
  }

  // Policy Mappings
  if (wanted.contains(Extension.policyMappings) && policyMappings != null) {
    types.add(Extension.policyMappings);
  }

  // SubjectAltNames: only when the request carries the extension.
  if (wanted.contains(Extension.subjectAlternativeName)
      && requestedExtensions != null
      && requestedExtensions.getExtension(Extension.subjectAlternativeName) != null) {
    types.add(Extension.subjectAlternativeName);
  }

  // IssuerAltName: decided by whether cert carries a SubjectAltName extension.
  // NOTE(review): getExtensions() looks like it can be null for a certificate without
  // extensions, which would raise NullPointerException here; confirm.
  if (wanted.contains(Extension.issuerAlternativeName)
      && cert.getTBSCertificate().getExtensions()
          .getExtension(Extension.subjectAlternativeName) != null) {
    types.add(Extension.issuerAlternativeName);
  }

  // BasicConstraints: added whenever wanted.
  if (wanted.contains(Extension.basicConstraints)) {
    types.add(Extension.basicConstraints);
  }

  // Name Constraints
  if (wanted.contains(Extension.nameConstraints) && nameConstraints != null) {
    types.add(Extension.nameConstraints);
  }

  // Policy Constraints
  if (wanted.contains(Extension.policyConstraints) && policyConstraints != null) {
    types.add(Extension.policyConstraints);
  }

  // ExtendedKeyUsage: present in the request, or getExtKeyusage(true) is non-empty.
  if (wanted.contains(Extension.extendedKeyUsage)) {
    boolean inRequest = requestedExtensions != null
        && requestedExtensions.getExtension(Extension.extendedKeyUsage) != null;
    if (inRequest || CollectionUtil.isNonEmpty(getExtKeyusage(true))) {
      types.add(Extension.extendedKeyUsage);
    }
  }

  // CRLDistributionPoints
  if (wanted.contains(Extension.cRLDistributionPoints) && issuerInfo.getCrlUrls() != null) {
    types.add(Extension.cRLDistributionPoints);
  }

  // Inhibit anyPolicy
  if (wanted.contains(Extension.inhibitAnyPolicy) && inhibitAnyPolicy != null) {
    types.add(Extension.inhibitAnyPolicy);
  }

  // FreshestCRL
  if (wanted.contains(Extension.freshestCRL) && issuerInfo.getDeltaCrlUrls() != null) {
    types.add(Extension.freshestCRL);
  }

  // AuthorityInfoAccess
  if (wanted.contains(Extension.authorityInfoAccess) && issuerInfo.getOcspUrls() != null) {
    types.add(Extension.authorityInfoAccess);
  }

  // SubjectInfoAccess: only when the request carries the extension.
  if (wanted.contains(Extension.subjectInfoAccess)
      && requestedExtensions != null
      && requestedExtensions.getExtension(Extension.subjectInfoAccess) != null) {
    types.add(Extension.subjectInfoAccess);
  }

  // Admission
  if (wanted.contains(ObjectIdentifiers.id_extension_admission)
      && certProfile.getAdmission() != null) {
    types.add(ObjectIdentifiers.id_extension_admission);
  }

  // ocsp-nocheck: added whenever wanted.
  if (wanted.contains(ObjectIdentifiers.id_extension_pkix_ocsp_nocheck)) {
    types.add(ObjectIdentifiers.id_extension_pkix_ocsp_nocheck);
  }

  // Remaining wanted types are accepted only if they are present in the request and are
  // among the profile's constant extensions.
  wanted.removeAll(types);
  for (ASN1ObjectIdentifier oid : wanted) {
    boolean inRequest = requestedExtensions != null
        && requestedExtensions.getExtension(oid) != null;
    if (inRequest && constantExtensions.containsKey(oid)) {
      types.add(oid);
    }
  }

  return types;
}
use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project xipki by xipki.
the class ExtensionsChecker method getExtKeyUsage.
/**
 * Decodes an ExtendedKeyUsage extension value and returns the key purpose OIDs it lists.
 *
 * @param extensionValue the encoded ExtendedKeyUsage value
 * @return the identifiers of all key purposes in the value, as strings
 */
private static Set<String> getExtKeyUsage(byte[] extensionValue) {
  org.bouncycastle.asn1.x509.ExtendedKeyUsage decoded =
      org.bouncycastle.asn1.x509.ExtendedKeyUsage.getInstance(extensionValue);
  KeyPurposeId[] purposes = decoded.getUsages();

  Set<String> purposeOids = new HashSet<>();
  for (int i = 0; i < purposes.length; i++) {
    purposeOids.add(purposes[i].getId());
  }
  return purposeOids;
}
use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project photon-model by vmware.
the class CertificateUtil method getServerExtensions.
/**
 * Builds the extensions for a server certificate: a critical KeyUsage, a critical
 * ExtendedKeyUsage restricted to serverAuth, and a non-critical AuthorityKeyIdentifier
 * derived from the issuer certificate.
 *
 * @param issuerCertificate certificate of the issuer, used for the authority key identifier
 * @return the three extensions, in the order KeyUsage, ExtendedKeyUsage, AuthorityKeyIdentifier
 */
private static List<ExtensionHolder> getServerExtensions(X509Certificate issuerCertificate) throws CertificateEncodingException, NoSuchAlgorithmException, IOException {
  // SSO forces us to allow data encipherment
  // NOTE(review): dataEncipherment is more than a TLS server certificate normally needs;
  // drop it if the SSO requirement no longer applies.
  KeyUsage serverKeyUsage = new KeyUsage(
      KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment);
  ExtendedKeyUsage serverAuthOnly = new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth);

  // The identifier is wrapped in an Extension first and then read back through its accessors.
  Extension authorityKeyId = new Extension(
      Extension.authorityKeyIdentifier,
      false,
      new DEROctetString(
          new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(issuerCertificate)));

  List<ExtensionHolder> serverExtensions = new ArrayList<>();
  serverExtensions.add(new ExtensionHolder(Extension.keyUsage, true, serverKeyUsage));
  serverExtensions.add(new ExtensionHolder(Extension.extendedKeyUsage, true, serverAuthOnly));
  serverExtensions.add(new ExtensionHolder(
      authorityKeyId.getExtnId(),
      authorityKeyId.isCritical(),
      authorityKeyId.getParsedValue()));
  return serverExtensions;
}
use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project dcos-commons by mesosphere.
the class TLSArtifactsGenerator method generateCSR.
/**
 * Creates a PKCS#10 certificate signing request for the given key pair and returns it in PEM
 * form.
 *
 * <p>The request asks for three critical extensions: KeyUsage (digitalSignature),
 * ExtendedKeyUsage (clientAuth and serverAuth) and SubjectAlternativeName. It is signed with
 * the private key of {@code keyPair} using SHA256withRSA.
 *
 * @param keyPair key pair whose public key is certified and whose private key signs the CSR
 * @param certificateNamesGenerator supplies the subject and the subject alternative names
 * @return the PEM-encoded CSR
 */
@SuppressWarnings("checkstyle:ThrowsCount")
private static byte[] generateCSR(KeyPair keyPair, CertificateNamesGenerator certificateNamesGenerator) throws IOException, OperatorCreationException {
  KeyPurposeId[] tlsPurposes = {KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth};

  ExtensionsGenerator requestedExtensions = new ExtensionsGenerator();
  requestedExtensions.addExtension(
      Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
  requestedExtensions.addExtension(
      Extension.extendedKeyUsage, true, new ExtendedKeyUsage(tlsPurposes));
  requestedExtensions.addExtension(
      Extension.subjectAlternativeName, true, certificateNamesGenerator.getSANs());

  JcaPKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(
      certificateNamesGenerator.getSubject(), keyPair.getPublic());

  // NOTE(review): the signature algorithm is fixed, so keyPair is presumably RSA; confirm at
  // the call site.
  PKCS10CertificationRequest csr = csrBuilder
      .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, requestedExtensions.generate())
      .build(new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate()));

  return PEMUtils.toPEM(csr);
}