use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project keystore-explorer by kaikramer.
the class DSelectStandardExtensionTemplate method addExtKeyUsage.
/**
 * Adds an Extended Key Usage extension carrying the single key purpose {@code ekuOid} to
 * {@code extensionSet}.
 *
 * @param extensionSet extension set that receives the new extension
 * @param ekuOid key purpose OID, in the string form accepted by {@code ASN1ObjectIdentifier}
 * @throws IOException declared by the method; presumably raised when the value cannot be encoded
 */
private void addExtKeyUsage(X509ExtensionSet extensionSet, String ekuOid) throws IOException {
    KeyPurposeId purpose = KeyPurposeId.getInstance(new ASN1ObjectIdentifier(ekuOid));
    ExtendedKeyUsage usage = new ExtendedKeyUsage(new KeyPurposeId[] { purpose });

    // The encoded extension value is wrapped in an OCTET STRING before it is stored.
    byte[] wrappedValue = X509Ext.wrapInOctetString(usage.getEncoded());

    // NOTE(review): the literal false is presumably the criticality flag, which would make the
    // extension non-critical - confirm against X509ExtensionSet.addExtension.
    extensionSet.addExtension(X509ExtensionType.EXTENDED_KEY_USAGE.oid(), false, wrappedValue);
}
use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project keystore-explorer by kaikramer.
the class DExtendedKeyUsage method okPressed.
/**
 * Handles the OK action of the dialog.
 *
 * <p>If no key purpose check box is selected, a warning dialog is shown and the method returns
 * without closing the dialog. Otherwise one {@code KeyPurposeId} is collected per selected check
 * box (plus every entry of {@code customExtKeyUsagesOids} when the custom box is selected), the
 * resulting {@code ExtendedKeyUsage} is DER-encoded into {@code value}, and the dialog is closed.
 * An encoding failure is shown through {@code DError} and leaves the dialog open.
 */
private void okPressed() {
    // Same check boxes, in the same order, as the emptiness test has always used.
    boolean anySelected = jcbTlsWebServerAuthentication.isSelected()
            || jcbTlsWebClientAuthentication.isSelected()
            || jcbCodeSigning.isSelected()
            || jcbEmailProtection.isSelected()
            || jcbIpSecurityEndSystem.isSelected()
            || jcbIpSecurityTunnelTermination.isSelected()
            || jcbIpSecurityUser.isSelected()
            || jcbTimeStamping.isSelected()
            || jcbOcspStamping.isSelected()
            || jcbDocumentSigning.isSelected()
            || jcbAdobePDFSigning.isSelected()
            || jcbTslSigning.isSelected()
            || jcbEncryptedFileSystem.isSelected()
            || jcbAnyExtendedKeyUsage.isSelected()
            || jcbSmartcardLogon.isSelected()
            || jcbCustomExtKeyUsage.isSelected();
    if (!anySelected) {
        JOptionPane.showMessageDialog(this, res.getString("DExtendedKeyUsage.ValueReq.message"), getTitle(),
                JOptionPane.WARNING_MESSAGE);
        return;
    }

    // The order below fixes the order of the key purposes inside the encoded extension.
    ArrayList<KeyPurposeId> selectedPurposes = new ArrayList<>();
    if (jcbTlsWebServerAuthentication.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(SERVER_AUTH.oid())));
    }
    if (jcbTlsWebClientAuthentication.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(CLIENT_AUTH.oid())));
    }
    if (jcbCodeSigning.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(CODE_SIGNING.oid())));
    }
    if (jcbDocumentSigning.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(DOCUMENT_SIGNING.oid())));
    }
    if (jcbAdobePDFSigning.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(ADOBE_PDF_SIGNING.oid())));
    }
    if (jcbTslSigning.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(TSL_SIGNING.oid())));
    }
    if (jcbEmailProtection.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(EMAIL_PROTECTION.oid())));
    }
    if (jcbEncryptedFileSystem.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(ENCRYPTED_FILE_SYSTEM.oid())));
    }
    if (jcbIpSecurityEndSystem.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(IPSEC_END_SYSTEM.oid())));
    }
    if (jcbIpSecurityTunnelTermination.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(IPSEC_TUNNEL.oid())));
    }
    if (jcbIpSecurityUser.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(IPSEC_USER.oid())));
    }
    if (jcbTimeStamping.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(TIME_STAMPING.oid())));
    }
    if (jcbOcspStamping.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(OCSP_SIGNING.oid())));
    }
    if (jcbSmartcardLogon.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(SMARTCARD_LOGON.oid())));
    }
    // anyExtendedKeyUsage is added like every other purpose; nothing here restricts combining it
    // with specific purposes.
    if (jcbAnyExtendedKeyUsage.isSelected()) {
        selectedPurposes.add(KeyPurposeId.getInstance(new ASN1ObjectIdentifier(ANY_EXTENDED_KEY_USAGE.oid())));
    }
    if (jcbCustomExtKeyUsage.isSelected()) {
        // With the custom box ticked but no custom OIDs present, nothing is added here.
        for (ASN1ObjectIdentifier customOid : customExtKeyUsagesOids) {
            selectedPurposes.add(KeyPurposeId.getInstance(customOid));
        }
    }

    KeyPurposeId[] purposeArray = selectedPurposes.toArray(new KeyPurposeId[0]);
    ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(purposeArray);
    try {
        value = extendedKeyUsage.getEncoded(ASN1Encoding.DER);
    } catch (IOException e) {
        DError.displayError(this, e);
        return;
    }

    closeDialog();
}
use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project xipki by xipki.
the class CertprofileValidator method validateCABForumBR.
// method validate
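/**
 * Checks {@code certprofile} against the CA/Browser Forum Baseline Requirements rules coded in
 * this method and appends one comma-terminated finding to {@code msg} for every violation.
 *
 * <p>The checks cover, in order: subject RDN structure, end-entity validity, signature hash
 * algorithms, public key algorithms and sizes, CRL/FreshestCRL/AIA protocols, certificate
 * policies, key usage and extended key usage. The method never throws for a finding; callers
 * decide what to do with the collected text.
 *
 * @param certprofile profile to inspect
 * @param msg buffer that receives the findings; left untouched when nothing is found
 */
private static void validateCABForumBR(Certprofile certprofile, StringBuilder msg) {
    // Subject: only one entry per RDN is allowed.
    SubjectControl subjectCtl = certprofile.getSubjectControl();
    if (CollectionUtil.isNotEmpty(subjectCtl.getGroups())) {
        msg.append("multiple AttributeAndTypes in one RDN is not permitted, ");
    }
    for (ASN1ObjectIdentifier m : subjectCtl.getTypes()) {
        RdnControl ctl = subjectCtl.getControl(m);
        if (ctl.getMaxOccurs() > 1) {
            msg.append("multiple RDNs of the same type are not permitted, ");
        }
    }

    CertLevel certLevel = certprofile.getCertLevel();

    // Validity: only end-entity profiles are compared with maxCabEeValidity.
    if (certLevel == CertLevel.EndEntity) {
        Validity validity = certprofile.getValidity();
        if (validity.compareTo(maxCabEeValidity) > 0) {
            msg.append("validity exceeds the maximal validity of subscriber certificate, ");
        }
    }

    // Signature/hash algorithm: only SHA-256, SHA-384 and SHA-512 are accepted.
    List<SignAlgo> sigAlgos = certprofile.getSignatureAlgorithms();
    if (sigAlgos == null) {
        msg.append("signature algorithms not defined, ");
    } else {
        List<HashAlgo> allowedHashAlgos = Arrays.asList(HashAlgo.SHA256, HashAlgo.SHA384, HashAlgo.SHA512);
        for (SignAlgo signAlgo : sigAlgos) {
            HashAlgo hashAlgo = signAlgo.getHashAlgo();
            if (!allowedHashAlgos.contains(hashAlgo)) {
                msg.append("unpermitted hash algorithm ").append(hashAlgo).append(", ");
            }
        }
    }

    // Public key: RSA, EC and DSA only, each with its own parameter check.
    Map<ASN1ObjectIdentifier, KeyParametersOption> keyAlgorithms = certprofile.getKeyAlgorithms();
    if (CollectionUtil.isEmpty(keyAlgorithms)) {
        msg.append("keyAlgorithms is not configured, ");
    } else {
        for (Entry<ASN1ObjectIdentifier, KeyParametersOption> entry : keyAlgorithms.entrySet()) {
            ASN1ObjectIdentifier m = entry.getKey();
            KeyParametersOption opt = entry.getValue();
            if (m.equals(PKCSObjectIdentifiers.rsaEncryption)) {
                if (opt instanceof RSAParametersOption) {
                    // NOTE(review): only the single length 2047 is probed. Whether this also
                    // rejects a profile that permits e.g. 1024 bit but not 2047 bit depends on
                    // how allowsModulusLength treats ranges - confirm.
                    if (((RSAParametersOption) opt).allowsModulusLength(2048 - 1)) {
                        msg.append("minimum RSA modulus size 2048 bit not satisfied, ");
                    }
                } else {
                    msg.append("unpermitted RSA modulus are configured, ");
                }
            } else if (m.equals(X9ObjectIdentifiers.id_ecPublicKey)) {
                if (opt instanceof ECParamatersOption) {
                    // Work on a copy so the profile's own curve set is not modified; whatever
                    // remains after removing the three accepted curves is reported.
                    Set<ASN1ObjectIdentifier> curveOids = new HashSet<>(((ECParamatersOption) opt).getCurveOids());
                    curveOids.remove(SECObjectIdentifiers.secp256r1);
                    curveOids.remove(SECObjectIdentifiers.secp384r1);
                    curveOids.remove(SECObjectIdentifiers.secp521r1);
                    if (!curveOids.isEmpty()) {
                        msg.append("EC curves ").append(curveOids).append(" are not permitted, ");
                    }
                } else {
                    msg.append("unpermitted EC curves are configured, ");
                }
            } else if (m.equals(X9ObjectIdentifiers.id_dsa)) {
                if (opt instanceof DSAParametersOption) {
                    DSAParametersOption dsaOpt = (DSAParametersOption) opt;
                    // NOTE(review): as for RSA, only the lengths 2047 and 223 are probed -
                    // confirm that smaller configured lengths are caught as well.
                    if (dsaOpt.allowsPlength(2048 - 1)) {
                        msg.append("minimum L (2048) not satisfied, ");
                    }
                    if (dsaOpt.allowsQlength(224 - 1)) {
                        msg.append("minimum N (224) not satisfied, ");
                    }
                } else {
                    msg.append("unpermitted DSA (p,q) are configured, ");
                }
            } else {
                msg.append("keyAlgorithm ").append(m.getId()).append(" is not permitted, ");
            }
        }
    }

    // The distribution point and AIA checks are skipped for root CA profiles. Each protocol set
    // must contain exactly "http"; a null set is reported with the same message.
    if (certLevel != CertLevel.RootCA) {
        // CRLDistributionPoints
        CrlDistributionPointsControl crlDpControl = certprofile.getCrlDpControl();
        if (crlDpControl != null) {
            Set<String> protocols = crlDpControl.getProtocols();
            if (protocols == null || protocols.size() != 1 || !protocols.contains("http")) {
                msg.append("CRLDistributionPoints allows protocol other than http, ");
            }
        }

        // FreshestCRLDistributionPoints
        CrlDistributionPointsControl freshestCrlControl = certprofile.getFreshestCrlControl();
        if (freshestCrlControl != null) {
            Set<String> protocols = freshestCrlControl.getProtocols();
            if (protocols == null || protocols.size() != 1 || !protocols.contains("http")) {
                msg.append("FreshestCRL allows protocol other than http, ");
            }
        }

        // AuthorityInfoAccess: when configured, both OCSP and caIssuers must be present.
        AuthorityInfoAccessControl aiaControl = certprofile.getAiaControl();
        if (aiaControl != null) {
            if (!aiaControl.isIncludesOcsp()) {
                msg.append("access method id-ad-ocsp is not configured, ");
            } else {
                Set<String> protocols = aiaControl.getOcspProtocols();
                if (protocols == null || protocols.size() != 1 || !protocols.contains("http")) {
                    msg.append("AIA OCSP allows protocol other than http, ");
                }
            }
            if (!aiaControl.isIncludesCaIssuers()) {
                msg.append("access method id-ad-caIssuers is not configured, ");
            } else {
                Set<String> protocols = aiaControl.getCaIssuersProtocols();
                if (protocols == null || protocols.size() != 1 || !protocols.contains("http")) {
                    msg.append("AIA CAIssuers allows protocol other than http, ");
                }
            }
        }
    }

    // Certificate Policies: required for sub-CA and end-entity profiles.
    if (certLevel == CertLevel.SubCA || certLevel == CertLevel.EndEntity) {
        CertificatePolicies certPolicyValue = certprofile.getCertificatePolicies();
        if (certPolicyValue == null) {
            msg.append("CertificatePolicies is not configured, ");
        }
    }

    // KeyUsage: CA profiles must carry cRLSign, end-entity profiles must not.
    Set<KeyUsageControl> usages = certprofile.getKeyUsage();
    if (certLevel == CertLevel.RootCA || certLevel == CertLevel.SubCA) {
        if (!containsKeyusage(usages, KeyUsage.cRLSign)) {
            // The finding is raised when cRLSign is missing, for root and sub CA alike.
            msg.append("CA profile does not contain keyUsage ").append(KeyUsage.cRLSign).append(", ");
        }
    } else if (certLevel == CertLevel.EndEntity) {
        if (containsKeyusage(usages, KeyUsage.cRLSign)) {
            msg.append("EndEntity profile must not contain keyUsage ").append(KeyUsage.cRLSign).append(", ");
        }
    }

    // ExtendedKeyUsage
    Set<ExtKeyUsageControl> ekuControls = certprofile.getExtendedKeyUsages();
    if (certLevel == CertLevel.EndEntity) {
        // NOTE(review): the loop assumes ekuControls is non-null for end-entity profiles;
        // nothing in this method enforces that - confirm against the caller.
        boolean xkuTlsServerRequired = false;
        boolean xkuTlsClientRequired = false;
        for (ExtKeyUsageControl m : ekuControls) {
            ASN1ObjectIdentifier oid = m.getExtKeyUsage();
            if (m.isRequired()) {
                if (XKU.id_kp_serverAuth.equals(oid)) {
                    xkuTlsServerRequired = true;
                } else if (XKU.id_kp_clientAuth.equals(oid)) {
                    xkuTlsClientRequired = true;
                }
            }
            // Only serverAuth, clientAuth and emailProtection are accepted, required or not.
            if (!(XKU.id_kp_serverAuth.equals(oid) || XKU.id_kp_clientAuth.equals(oid)
                    || XKU.id_kp_emailProtection.equals(oid))) {
                msg.append("extendedKeyUsage ").append(oid.getId()).append(" is not permitted, ");
            }
        }
        // At least one of the two TLS purposes has to be marked as required.
        if (!(xkuTlsClientRequired || xkuTlsServerRequired)) {
            msg.append("none of ").append(XKU.id_kp_clientAuth).append(" and ").append(XKU.id_kp_serverAuth)
                    .append(" is configured as required, ");
        }
    } else {
        if (ekuControls != null) {
            for (ExtKeyUsageControl m : ekuControls) {
                if (m.getExtKeyUsage().equals(XKU.id_kp_anyExtendedKeyUsage)) {
                    // Name the purpose that was actually matched in the finding.
                    msg.append(XKU.id_kp_anyExtendedKeyUsage).append(" is not allowed, ");
                }
            }
        }
    }
}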
use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project candlepin by candlepin.
the class JSSPKIUtilityTest method testCreateX509Certificate.
/**
 * Creates a certificate through {@code JSSPKIUtility} and verifies its signature algorithm,
 * serial number and extensions: key usage, extended key usage, basic constraints, Netscape
 * cert type, subject key identifier and authority key identifier.
 */
@Test
public void testCreateX509Certificate() throws Exception {
    JSSPKIUtility pki = this.buildJSSPKIUtility();

    // Validity runs from now until the start of the day 365 days ahead (system time zone).
    Date notBefore = new Date();
    Date notAfter = Date.from(LocalDate.now().plusDays(365).atStartOfDay(ZoneId.systemDefault()).toInstant());
    BigInteger serialNumber = BigInteger.valueOf(1999L);

    X509Certificate cert = pki.createX509Certificate("cn=candlepinproject.org", null, null, notBefore,
        notAfter, subjectKeyPair, serialNumber, "altName");

    assertEquals("SHA256withRSA", cert.getSigAlgName());
    assertEquals("1999", cert.getSerialNumber().toString());

    // Re-parse the certificate to inspect its extensions.
    X509CertificateHolder holder = new X509CertificateHolder(cert.getEncoded());
    Extensions bcExtensions = holder.getExtensions();

    // Key usage must include digitalSignature, keyEncipherment and dataEncipherment.
    KeyUsage keyUsage = KeyUsage.fromExtensions(bcExtensions);
    assertTrue(keyUsage.hasUsages(
        KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment));

    // Extended key usage must include clientAuth.
    ExtendedKeyUsage extendedKeyUsage = ExtendedKeyUsage.fromExtensions(bcExtensions);
    assertTrue(extendedKeyUsage.hasKeyPurposeId(KeyPurposeId.id_kp_clientAuth));

    // The certificate must not be marked as a CA.
    BasicConstraints basicConstraints = BasicConstraints.fromExtensions(bcExtensions);
    assertFalse(basicConstraints.isCA());

    NetscapeCertType expected = new NetscapeCertType(NetscapeCertType.sslClient | NetscapeCertType.smime);
    NetscapeCertType actual = new NetscapeCertType(
        (DERBitString) bcExtensions.getExtension(MiscObjectIdentifiers.netscapeCertType).getParsedValue());

    // The subject key identifier must match the one computed from the subject's public key.
    JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
    assertArrayEquals(
        extensionUtils.createSubjectKeyIdentifier(subjectKeyPair.getPublic()).getEncoded(),
        SubjectKeyIdentifier.fromExtensions(bcExtensions).getEncoded());

    // Rebuild the CA public key from the CA private key's modulus and public exponent, then
    // check that the authority key identifier was computed from it.
    CertificateReader reader = injector.getInstance(CertificateReader.class);
    PrivateKey caPrivateKey = reader.getCaKey();
    KeyFactory rsaFactory = KeyFactory.getInstance("RSA");
    RSAPrivateCrtKeySpec caPrivateSpec = rsaFactory.getKeySpec(caPrivateKey, RSAPrivateCrtKeySpec.class);
    RSAPublicKeySpec caPublicSpec =
        new RSAPublicKeySpec(caPrivateSpec.getModulus(), caPrivateSpec.getPublicExponent());
    PublicKey caPublicKey = rsaFactory.generatePublic(caPublicSpec);

    assertArrayEquals(
        extensionUtils.createAuthorityKeyIdentifier(caPublicKey).getEncoded(),
        AuthorityKeyIdentifier.fromExtensions(bcExtensions).getEncoded());

    assertEquals(expected, actual);
}
use of com.github.zhenwei.core.asn1.x509.ExtendedKeyUsage in project zaproxy by zaproxy.
the class SslCertificateServiceImpl method createCertForHost.
/**
 * Issues a site certificate for {@code certData}, signed with the configured root CA key, and
 * returns it in a new JKS key store together with the freshly generated private key.
 *
 * <p>The certificate carries the subject key identifier, basicConstraints(false), the
 * serverAuth extended key usage and, when names are supplied, a subjectAlternativeName
 * extension. The key entry is stored under {@code ZAPROXY_JKS_ALIAS} with the chain
 * {site certificate, CA certificate}.
 *
 * @param certData common name and subject alternative names for the certificate
 * @return key store holding the new private key and its certificate chain
 * @throws MissingRootCertificateException if the CA certificate or either CA key is not set
 * @throws IllegalArgumentException if neither a common name nor any alternative name is given
 */
@Override
public KeyStore createCertForHost(CertData certData) throws NoSuchAlgorithmException, InvalidKeyException, CertificateException, NoSuchProviderException, SignatureException, KeyStoreException, IOException, UnrecoverableKeyException {
    if (this.caCert == null || this.caPrivKey == null || this.caPubKey == null) {
        throw new MissingRootCertificateException(this.getClass() + " wasn't initialized! Got to options 'Dynamic SSL Certs' and create one.");
    }

    // Translate the requested names into GeneralName entries for the SAN extension.
    CertData.Name[] requestedNames = certData.getSubjectAlternativeNames();
    GeneralName[] subjectAlternativeNames = new GeneralName[requestedNames.length];
    int next = 0;
    for (CertData.Name requested : requestedNames) {
        subjectAlternativeNames[next++] = new GeneralName(requested.getType(), requested.getValue());
    }
    boolean hasAlternativeNames = subjectAlternativeNames.length > 0;

    if (certData.getCommonName() == null && !hasAlternativeNames) {
        throw new IllegalArgumentException("commonName is null and no subjectAlternativeNames are specified");
    }

    // Every site certificate gets its own key pair.
    final KeyPair siteKeyPair = this.createKeyPair();
    final PrivateKey privKey = siteKeyPair.getPrivate();
    final PublicKey pubKey = siteKeyPair.getPublic();

    X500NameBuilder subjectBuilder = new X500NameBuilder(BCStyle.INSTANCE);
    if (certData.getCommonName() != null) {
        subjectBuilder.addRDN(BCStyle.CN, certData.getCommonName());
    }
    subjectBuilder.addRDN(BCStyle.OU, "Zed Attack Proxy Project");
    subjectBuilder.addRDN(BCStyle.O, "OWASP");
    subjectBuilder.addRDN(BCStyle.C, "xx");
    subjectBuilder.addRDN(BCStyle.EmailAddress, "zaproxy-develop@googlegroups.com");

    // Validity window around "now": backdated by the start adjustment, ending after the
    // configured validity period (both constants are day counts).
    long now = System.currentTimeMillis();
    Date notBefore = new Date(now - Duration.ofDays(SITE_CERTIFICATE_START_ADJUSTMENT).toMillis());
    Date notAfter = new Date(now + Duration.ofDays(SITE_CERTIFICATE_END_VALIDITY_PERIOD).toMillis());

    // The issuer is the CA certificate's subject; serial numbers come from an incrementing
    // counter, so they are sequential rather than random.
    X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(
            new X509CertificateHolder(caCert.getEncoded()).getSubject(),
            BigInteger.valueOf(serial.getAndIncrement()),
            notBefore,
            notAfter,
            subjectBuilder.build(),
            pubKey);

    // NOTE(review): the key identifier is taken from the full encoded public key rather than
    // from a digest of it - confirm this is intended.
    certGen.addExtension(Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifier(pubKey.getEncoded()));
    // Not a CA: the issued certificate must not be usable to sign further certificates.
    certGen.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
    // Restricted to TLS server authentication.
    certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_serverAuth }));
    if (hasAlternativeNames) {
        certGen.addExtension(Extension.subjectAlternativeName, certData.isSubjectAlternativeNameIsCritical(), new GeneralNames(subjectAlternativeNames));
    }

    ContentSigner sigGen;
    try {
        sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider("BC").build(caPrivKey);
    } catch (OperatorCreationException e) {
        throw new CertificateException(e);
    }

    final X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certGen.build(sigGen));

    // Self-check before handing the certificate out: currently valid and signed by the CA key.
    cert.checkValidity(new Date());
    cert.verify(caPubKey);

    final KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(null, null);
    // Leaf first, then the issuing CA.
    final Certificate[] chain = { cert, this.caCert };
    ks.setKeyEntry(ZAPROXY_JKS_ALIAS, privKey, PASSPHRASE, chain);
    return ks;
}