
Example 41 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project keystore-explorer by kaikramer.

the class DSelectStandardExtensionTemplate method addExtKeyUsage.

/**
 * Adds an Extended Key Usage extension that asserts a single key purpose to the given
 * extension set.
 *
 * <p>The extension is registered with the flag {@code false}; this is presumably the
 * criticality flag, i.e. the EKU is added as non-critical (confirm against
 * {@code X509ExtensionSet.addExtension}).
 *
 * @param extensionSet set that receives the encoded extension
 * @param ekuOid OID string of the key purpose to assert
 * @throws IOException if the extension value cannot be encoded
 */
private void addExtKeyUsage(X509ExtensionSet extensionSet, String ekuOid) throws IOException {
    KeyPurposeId purpose = KeyPurposeId.getInstance(new ASN1ObjectIdentifier(ekuOid));
    ExtendedKeyUsage usage = new ExtendedKeyUsage(new KeyPurposeId[] { purpose });

    // Wrap the encoded EKU value in an OCTET STRING before handing it to the extension set.
    byte[] wrappedValue = X509Ext.wrapInOctetString(usage.getEncoded());

    extensionSet.addExtension(X509ExtensionType.EXTENDED_KEY_USAGE.oid(), false, wrappedValue);
}
Also used : ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 42 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project keystore-explorer by kaikramer.

the class DExtendedKeyUsage method okPressed.

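/**
 * Handles the OK action of the dialog: collects the key purposes selected by the user, encodes
 * them as a DER Extended Key Usage value into {@code value} and closes the dialog.
 *
 * <p>If the selection yields no key purpose at all, a warning is shown and the dialog stays
 * open. This also covers the case where the "custom" box is ticked but no custom OIDs are
 * present, which would otherwise encode an empty extension.
 */
private void okPressed() {
    // Collect the purposes in a fixed order; the order determines the encoded value.
    ArrayList<KeyPurposeId> keyPurposeIds = new ArrayList<>();
    if (jcbTlsWebServerAuthentication.isSelected()) {
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(SERVER_AUTH.oid())));
    }
    if (jcbTlsWebClientAuthentication.isSelected()) {
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(CLIENT_AUTH.oid())));
    }
    if (jcbCodeSigning.isSelected()) {
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(CODE_SIGNING.oid())));
    }
    if (jcbDocumentSigning.isSelected()) {
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(DOCUMENT_SIGNING.oid())));
    }
    if (jcbAdobePDFSigning.isSelected()) {
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(ADOBE_PDF_SIGNING.oid())));
    }
    if (jcbTslSigning.isSelected()) {
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(TSL_SIGNING.oid())));
    }
    if (jcbEmailProtection.isSelected()) {
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(EMAIL_PROTECTION.oid())));
    }
    if (jcbEncryptedFileSystem.isSelected()) {
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(ENCRYPTED_FILE_SYSTEM.oid())));
    }
    if (jcbIpSecurityEndSystem.isSelected()) {
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(IPSEC_END_SYSTEM.oid())));
    }
    if (jcbIpSecurityTunnelTermination.isSelected()) {
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(IPSEC_TUNNEL.oid())));
    }
    if (jcbIpSecurityUser.isSelected()) {
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(IPSEC_USER.oid())));
    }
    if (jcbTimeStamping.isSelected()) {
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(TIME_STAMPING.oid())));
    }
    if (jcbOcspStamping.isSelected()) {
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(OCSP_SIGNING.oid())));
    }
    if (jcbSmartcardLogon.isSelected()) {
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(SMARTCARD_LOGON.oid())));
    }
    if (jcbAnyExtendedKeyUsage.isSelected()) {
        // anyExtendedKeyUsage lifts the purpose restriction for relying parties that honour it.
        keyPurposeIds.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(ANY_EXTENDED_KEY_USAGE.oid())));
    }
    if (jcbCustomExtKeyUsage.isSelected()) {
        for (ASN1ObjectIdentifier customExtKeyUsageOid : customExtKeyUsagesOids) {
            keyPurposeIds.add(KeyPurposeId.getInstance(customExtKeyUsageOid));
        }
    }

    // RFC 5280 defines ExtKeyUsageSyntax as SEQUENCE SIZE (1..MAX) OF KeyPurposeId, so an
    // extension without any key purpose must not be produced. Checking the collected list
    // (rather than the check boxes) also rejects "custom" selected with no custom OIDs.
    if (keyPurposeIds.isEmpty()) {
        JOptionPane.showMessageDialog(this, res.getString("DExtendedKeyUsage.ValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE);
        return;
    }

    ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(keyPurposeIds.toArray(new KeyPurposeId[0]));
    try {
        value = extendedKeyUsage.getEncoded(ASN1Encoding.DER);
    } catch (IOException e) {
        // Keep the dialog open so the user can correct the selection.
        DError.displayError(this, e);
        return;
    }
    closeDialog();
}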
Also used : KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId) ArrayList(java.util.ArrayList) IOException(java.io.IOException) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 43 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project xipki by xipki.

the class CertprofileValidator method validateCABForumBR.

// method validate
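/**
 * Checks a certificate profile against the CA/Browser Forum Baseline Requirements rules
 * implemented here and appends one message fragment (terminated by {@code ", "}) to
 * {@code msg} for every violation found. Nothing is thrown for a violation.
 *
 * @param certprofile profile to check
 * @param msg buffer that collects the violation messages
 */
private static void validateCABForumBR(Certprofile certprofile, StringBuilder msg) {
    // Subject: only one entry per RDN is allowed
    SubjectControl subjectCtl = certprofile.getSubjectControl();
    if (CollectionUtil.isNotEmpty(subjectCtl.getGroups())) {
        msg.append("multiple AttributeAndTypes in one RDN is not permitted, ");
    }
    for (ASN1ObjectIdentifier m : subjectCtl.getTypes()) {
        RdnControl ctl = subjectCtl.getControl(m);
        if (ctl.getMaxOccurs() > 1) {
            msg.append("multiple RDNs of the same type are not permitted, ");
        }
    }
    CertLevel certLevel = certprofile.getCertLevel();
    // validity
    if (certLevel == CertLevel.EndEntity) {
        Validity validity = certprofile.getValidity();
        if (validity.compareTo(maxCabEeValidity) > 0) {
            msg.append("validity exceeds the maximal validity of subscriber certificate, ");
        }
    }
    // Signature/hash algorithm: only SHA-256, SHA-384 and SHA-512 are accepted
    List<SignAlgo> sigAlgos = certprofile.getSignatureAlgorithms();
    if (sigAlgos == null) {
        msg.append("signature algorithms not defined, ");
    } else {
        List<HashAlgo> allowedHashAlgos = Arrays.asList(HashAlgo.SHA256, HashAlgo.SHA384, HashAlgo.SHA512);
        for (SignAlgo signAlgo : sigAlgos) {
            HashAlgo hashAlgo = signAlgo.getHashAlgo();
            if (!allowedHashAlgos.contains(hashAlgo)) {
                msg.append("unpermitted hash algorithm ").append(hashAlgo).append(", ");
            }
        }
    }
    // Public Key
    Map<ASN1ObjectIdentifier, KeyParametersOption> keyAlgorithms = certprofile.getKeyAlgorithms();
    if (CollectionUtil.isEmpty(keyAlgorithms)) {
        msg.append("keyAlgorithms is not configured, ");
    } else {
        for (Entry<ASN1ObjectIdentifier, KeyParametersOption> entry : keyAlgorithms.entrySet()) {
            ASN1ObjectIdentifier m = entry.getKey();
            KeyParametersOption opt = entry.getValue();
            if (m.equals(PKCSObjectIdentifiers.rsaEncryption)) {
                if (opt instanceof RSAParametersOption) {
                    // NOTE(review): only the length 2047 is probed. Whether a profile that
                    // permits just shorter lengths (e.g. 1024 only) is caught depends on how
                    // allowsModulusLength interprets the configured lengths - confirm.
                    if (((RSAParametersOption) opt).allowsModulusLength(2048 - 1)) {
                        msg.append("minimum RSA modulus size 2048 bit not satisfied, ");
                    }
                } else {
                    msg.append("unpermitted RSA modulus are configured, ");
                }
            } else if (m.equals(X9ObjectIdentifiers.id_ecPublicKey)) {
                if (opt instanceof ECParamatersOption) {
                    // Whatever remains after removing the three accepted curves is a violation.
                    Set<ASN1ObjectIdentifier> curveOids = new HashSet<>(((ECParamatersOption) opt).getCurveOids());
                    curveOids.remove(SECObjectIdentifiers.secp256r1);
                    curveOids.remove(SECObjectIdentifiers.secp384r1);
                    curveOids.remove(SECObjectIdentifiers.secp521r1);
                    if (!curveOids.isEmpty()) {
                        msg.append("EC curves ").append(curveOids).append(" are not permitted, ");
                    }
                } else {
                    msg.append("unpermitted EC curves are configured, ");
                }
            } else if (m.equals(X9ObjectIdentifiers.id_dsa)) {
                if (opt instanceof DSAParametersOption) {
                    // NOTE(review): same single-value probing as for RSA above - confirm.
                    DSAParametersOption dsaOpt = (DSAParametersOption) opt;
                    if (dsaOpt.allowsPlength(2048 - 1)) {
                        msg.append("minimum L (2048) not satisfied, ");
                    }
                    if (dsaOpt.allowsQlength(224 - 1)) {
                        msg.append("minimum N (224) not satisfied, ");
                    }
                } else {
                    msg.append("unpermitted DSA (p,q) are configured, ");
                }
            } else {
                msg.append("keyAlgorithm ").append(m.getId()).append(" is not permitted, ");
            }
        }
    }
    // Revocation and issuer pointers: each configured control must allow exactly "http".
    if (certLevel != CertLevel.RootCA) {
        // CRLDistributionPoints
        CrlDistributionPointsControl crlDpControl = certprofile.getCrlDpControl();
        if (crlDpControl != null && !isHttpOnly(crlDpControl.getProtocols())) {
            msg.append("CRLDistributionPoints allows protocol other than http, ");
        }
        // FreshestCRLDistributionPoints
        CrlDistributionPointsControl freshestCrlControl = certprofile.getFreshestCrlControl();
        if (freshestCrlControl != null && !isHttpOnly(freshestCrlControl.getProtocols())) {
            msg.append("FreshestCRL allows protocol other than http, ");
        }
        // AuthorityInfoAccess
        AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl();
        if (aiaControl != null) {
            if (!aiaControl.isIncludesOcsp()) {
                msg.append("access method id-ad-ocsp is not configured, ");
            } else if (!isHttpOnly(aiaControl.getOcspProtocols())) {
                msg.append("AIA OCSP allows protocol other than http, ");
            }
            if (!aiaControl.isIncludesCaIssuers()) {
                msg.append("access method id-ad-caIssuers is not configured, ");
            } else if (!isHttpOnly(aiaControl.getCaIssuersProtocols())) {
                msg.append("AIA CAIssuers allows protocol other than http, ");
            }
        }
    }
    // Certificate Policies
    if (certLevel == CertLevel.SubCA || certLevel == CertLevel.EndEntity) {
        CertificatePolicies certPolicyValue = certprofile.getCertificatePolicies();
        if (certPolicyValue == null) {
            msg.append("CertificatePolicies is not configured, ");
        }
    }
    // KeyUsage: CA profiles need cRLSign, end-entity profiles must not carry it
    Set<KeyUsageControl> usages = certprofile.getKeyUsage();
    if (certLevel == CertLevel.RootCA || certLevel == CertLevel.SubCA) {
        if (!containsKeyusage(usages, KeyUsage.cRLSign)) {
            // Fixed message: the branch fires when cRLSign is missing, for RootCA and SubCA alike.
            msg.append("CA profile does not contain keyUsage ").append(KeyUsage.cRLSign).append(", ");
        }
    } else if (certLevel == CertLevel.EndEntity) {
        if (containsKeyusage(usages, KeyUsage.cRLSign)) {
            msg.append("EndEntity profile must not contain keyUsage ").append(KeyUsage.cRLSign).append(", ");
        }
    }
    // ExtendedKeyUsage
    Set<ExtKeyUsageControl> ekuControls = certprofile.getExtendedKeyUsages();
    if (certLevel == CertLevel.EndEntity) {
        boolean xkuTlsServerRequired = false;
        boolean xkuTlsClientRequired = false;
        // A missing EKU configuration is reported below instead of failing with an NPE.
        if (ekuControls != null) {
            for (ExtKeyUsageControl m : ekuControls) {
                ASN1ObjectIdentifier oid = m.getExtKeyUsage();
                if (m.isRequired()) {
                    if (XKU.id_kp_serverAuth.equals(oid)) {
                        xkuTlsServerRequired = true;
                    } else if (XKU.id_kp_clientAuth.equals(oid)) {
                        xkuTlsClientRequired = true;
                    }
                }
                // Only serverAuth, clientAuth and emailProtection are accepted for end entities.
                if (!(XKU.id_kp_serverAuth.equals(oid) || XKU.id_kp_clientAuth.equals(oid) || XKU.id_kp_emailProtection.equals(oid))) {
                    msg.append("extendedKeyUsage ").append(oid.getId()).append(" is not permitted, ");
                }
            }
        }
        if (!(xkuTlsClientRequired || xkuTlsServerRequired)) {
            // Fixed message: the original wording was a double negative.
            msg.append("none of ").append(XKU.id_kp_clientAuth).append(" and ").append(XKU.id_kp_serverAuth).append(" is configured, ");
        }
    } else {
        if (ekuControls != null) {
            for (ExtKeyUsageControl m : ekuControls) {
                if (m.getExtKeyUsage().equals(XKU.id_kp_anyExtendedKeyUsage)) {
                    // Fixed message: report the OID that was actually matched.
                    msg.append(XKU.id_kp_anyExtendedKeyUsage).append(" is not allowed, ");
                }
            }
        }
    }
}

/** Returns whether the given protocol set is exactly the single entry {@code "http"}. */
private static boolean isHttpOnly(Set<String> protocols) {
    return protocols != null && protocols.size() == 1 && protocols.contains("http");
}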
Also used : RSAParametersOption(org.xipki.ca.api.profile.KeyParametersOption.RSAParametersOption) ECParamatersOption(org.xipki.ca.api.profile.KeyParametersOption.ECParamatersOption) DSAParametersOption(org.xipki.ca.api.profile.KeyParametersOption.DSAParametersOption) Validity(org.xipki.util.Validity) KeyParametersOption(org.xipki.ca.api.profile.KeyParametersOption) CertificatePolicies(org.bouncycastle.asn1.x509.CertificatePolicies) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 44 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project candlepin by candlepin.

the class JSSPKIUtilityTest method testCreateX509Certificate.

/**
 * Issues a certificate through {@code createX509Certificate} and checks the signature
 * algorithm, the serial number and the extensions of the result: key usage, extended key
 * usage, basic constraints, subject and authority key identifiers and the Netscape cert type.
 */
@Test
public void testCreateX509Certificate() throws Exception {
    JSSPKIUtility pkiUtility = this.buildJSSPKIUtility();
    Date notBefore = new Date();
    Date notAfter = Date.from(LocalDate.now().plusDays(365).atStartOfDay(ZoneId.systemDefault()).toInstant());
    X509Certificate cert = pkiUtility.createX509Certificate("cn=candlepinproject.org", null, null, notBefore, notAfter, subjectKeyPair, BigInteger.valueOf(1999L), "altName");

    assertEquals("SHA256withRSA", cert.getSigAlgName());
    assertEquals("1999", cert.getSerialNumber().toString());

    // Re-parse the encoded certificate to inspect its extensions.
    Extensions extensions = new X509CertificateHolder(cert.getEncoded()).getExtensions();

    // Key usage must cover digitalSignature, keyEncipherment and dataEncipherment.
    int requiredUsages = KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment;
    assertTrue(KeyUsage.fromExtensions(extensions).hasUsages(requiredUsages));

    // Extended key usage must include clientAuth.
    assertTrue(ExtendedKeyUsage.fromExtensions(extensions).hasKeyPurposeId(KeyPurposeId.id_kp_clientAuth));

    // Basic constraints must not mark the certificate as a CA.
    assertFalse(BasicConstraints.fromExtensions(extensions).isCA());

    NetscapeCertType expectedCertType = new NetscapeCertType(NetscapeCertType.sslClient | NetscapeCertType.smime);
    NetscapeCertType actualCertType = new NetscapeCertType((DERBitString) extensions.getExtension(MiscObjectIdentifiers.netscapeCertType).getParsedValue());

    // The subject key identifier must match the one derived from the subject's public key.
    byte[] expectedSubjectKeyId = new JcaX509ExtensionUtils().createSubjectKeyIdentifier(subjectKeyPair.getPublic()).getEncoded();
    byte[] actualSubjectKeyId = SubjectKeyIdentifier.fromExtensions(extensions).getEncoded();
    assertArrayEquals(expectedSubjectKeyId, actualSubjectKeyId);

    // Rebuild the CA public key from the CA private key (modulus and public exponent) so the
    // authority key identifier can be compared.
    PrivateKey caPrivateKey = injector.getInstance(CertificateReader.class).getCaKey();
    KeyFactory rsaFactory = KeyFactory.getInstance("RSA");
    RSAPrivateCrtKeySpec caPrivateSpec = rsaFactory.getKeySpec(caPrivateKey, RSAPrivateCrtKeySpec.class);
    PublicKey caPublicKey = rsaFactory.generatePublic(new RSAPublicKeySpec(caPrivateSpec.getModulus(), caPrivateSpec.getPublicExponent()));

    byte[] expectedAuthorityKeyId = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(caPublicKey).getEncoded();
    byte[] actualAuthorityKeyId = AuthorityKeyIdentifier.fromExtensions(extensions).getEncoded();
    assertArrayEquals(expectedAuthorityKeyId, actualAuthorityKeyId);

    assertEquals(expectedCertType, actualCertType);
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) RSAPrivateCrtKeySpec(java.security.spec.RSAPrivateCrtKeySpec) PrivateKey(java.security.PrivateKey) RSAPublicKey(java.security.interfaces.RSAPublicKey) PublicKey(java.security.PublicKey) RSAPublicKeySpec(java.security.spec.RSAPublicKeySpec) Extensions(org.bouncycastle.asn1.x509.Extensions) Date(java.util.Date) LocalDate(java.time.LocalDate) X509Certificate(java.security.cert.X509Certificate) NetscapeCertType(org.bouncycastle.asn1.misc.NetscapeCertType) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) KeyFactory(java.security.KeyFactory) CertificateReader(org.candlepin.pki.CertificateReader) Test(org.junit.jupiter.api.Test)

Example 45 with ExtendedKeyUsage

use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project zaproxy by zaproxy.

the class SslCertificateServiceImpl method createCertForHost.

/**
 * Issues a leaf certificate for the host described by {@code certData}, signed with the
 * configured root CA key, and returns it in a new in-memory JKS key store together with the
 * freshly generated private key and the CA certificate as chain.
 *
 * <p>The certificate is marked as a non-CA certificate and carries the serverAuth extended
 * key usage only. After signing, its validity and its signature are checked against the
 * current time and the CA public key.
 *
 * @param certData common name and subject alternative names for the certificate
 * @return key store holding the new private key and the chain (leaf certificate, CA certificate)
 * @throws MissingRootCertificateException if the root CA certificate or keys are not set
 * @throws IllegalArgumentException if neither a common name nor an alternative name is given
 */
@Override
public KeyStore createCertForHost(CertData certData) throws NoSuchAlgorithmException, InvalidKeyException, CertificateException, NoSuchProviderException, SignatureException, KeyStoreException, IOException, UnrecoverableKeyException {
    boolean rootCaAvailable = this.caCert != null && this.caPrivKey != null && this.caPubKey != null;
    if (!rootCaAvailable) {
        throw new MissingRootCertificateException(this.getClass() + " wasn't initialized! Got to options 'Dynamic SSL Certs' and create one.");
    }

    // Translate the requested names into X.509 GeneralName entries.
    CertData.Name[] requestedNames = certData.getSubjectAlternativeNames();
    GeneralName[] subjectAlternativeNames = new GeneralName[requestedNames.length];
    int next = 0;
    for (CertData.Name requestedName : requestedNames) {
        subjectAlternativeNames[next++] = new GeneralName(requestedName.getType(), requestedName.getValue());
    }
    boolean hasAlternativeNames = subjectAlternativeNames.length > 0;
    if (certData.getCommonName() == null && !hasAlternativeNames) {
        throw new IllegalArgumentException("commonName is null and no subjectAlternativeNames are specified");
    }

    // Every issued certificate gets its own key pair.
    final KeyPair hostKeyPair = this.createKeyPair();
    final PrivateKey privKey = hostKeyPair.getPrivate();
    final PublicKey pubKey = hostKeyPair.getPublic();

    X500NameBuilder subjectBuilder = new X500NameBuilder(BCStyle.INSTANCE);
    if (certData.getCommonName() != null) {
        subjectBuilder.addRDN(BCStyle.CN, certData.getCommonName());
    }
    subjectBuilder.addRDN(BCStyle.OU, "Zed Attack Proxy Project");
    subjectBuilder.addRDN(BCStyle.O, "OWASP");
    subjectBuilder.addRDN(BCStyle.C, "xx");
    subjectBuilder.addRDN(BCStyle.EmailAddress, "zaproxy-develop@googlegroups.com");

    long currentTime = System.currentTimeMillis();
    // The issuer name is taken from the subject of the CA certificate.
    X500Name issuer = new X509CertificateHolder(caCert.getEncoded()).getSubject();
    BigInteger serialNumber = BigInteger.valueOf(serial.getAndIncrement());
    // The start date is moved into the past by SITE_CERTIFICATE_START_ADJUSTMENT days.
    Date notBefore = new Date(currentTime - Duration.ofDays(SITE_CERTIFICATE_START_ADJUSTMENT).toMillis());
    Date notAfter = new Date(currentTime + Duration.ofDays(SITE_CERTIFICATE_END_VALIDITY_PERIOD).toMillis());
    X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(issuer, serialNumber, notBefore, notAfter, subjectBuilder.build(), pubKey);

    // NOTE(review): the key identifier is the full encoded public key, not a digest of it;
    // RFC 5280 suggests a hash of the key - confirm this is intentional.
    certGen.addExtension(Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifier(pubKey.getEncoded()));
    // Leaf certificate: not a CA, usable for TLS server authentication only (both non-critical).
    certGen.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
    certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_serverAuth }));
    if (hasAlternativeNames) {
        certGen.addExtension(Extension.subjectAlternativeName, certData.isSubjectAlternativeNameIsCritical(), new GeneralNames(subjectAlternativeNames));
    }

    // Sign with the root CA private key.
    ContentSigner sigGen;
    try {
        sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider("BC").build(caPrivKey);
    } catch (OperatorCreationException e) {
        throw new CertificateException(e);
    }
    final X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certGen.build(sigGen));

    // Sanity checks: valid right now and verifiable with the CA public key.
    cert.checkValidity(new Date());
    cert.verify(caPubKey);

    // Return key and chain in an in-memory key store; the key entry is protected with the
    // PASSPHRASE constant.
    final KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(null, null);
    final Certificate[] chain = new Certificate[] { cert, this.caCert };
    ks.setKeyEntry(ZAPROXY_JKS_ALIAS, privKey, PASSPHRASE, chain);
    return ks;
}
Also used : RSAPrivateKey(java.security.interfaces.RSAPrivateKey) PrivateKey(java.security.PrivateKey) X500NameBuilder(org.bouncycastle.asn1.x500.X500NameBuilder) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) CertificateException(java.security.cert.CertificateException) GeneralName(org.bouncycastle.asn1.x509.GeneralName) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) KeyPair(java.security.KeyPair) KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId) PublicKey(java.security.PublicKey) ContentSigner(org.bouncycastle.operator.ContentSigner) SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier) KeyStore(java.security.KeyStore) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) GeneralName(org.bouncycastle.asn1.x509.GeneralName) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)
