Examples with Extensions com.github.zhenwei.core.asn1.x509.Extensions used on opensource projects

Search in sources :

Example 41 with Extensions

use of com.github.zhenwei.core.asn1.x509.Extensions in project athenz by yahoo.

the class Crypto method extractX509CSRSANField.

private static List<String> extractX509CSRSANField(PKCS10CertificationRequest certReq, int tagNo) {
    List<String> values = new ArrayList<>();
    Attribute[] attributes = certReq.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
    for (Attribute attribute : attributes) {
        for (ASN1Encodable value : attribute.getAttributeValues()) {
            Extensions extensions = Extensions.getInstance(value);
            GeneralNames gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);
            // /CLOVER:OFF
            if (gns == null) {
                continue;
            }
            // /CLOVER:ON
            for (GeneralName name : gns.getNames()) {
                if (name.getTagNo() == tagNo) {
                    values.add(((DERIA5String) name.getName()).getString());
                }
            }
        }
    }
    return values;
}
Also used : GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) Attribute(org.bouncycastle.asn1.pkcs.Attribute) GeneralName(org.bouncycastle.asn1.x509.GeneralName) Extensions(org.bouncycastle.asn1.x509.Extensions)

Example 42 with Extensions

use of com.github.zhenwei.core.asn1.x509.Extensions in project qpid-broker-j by apache.

the class TlsResourceBuilder method createCertificate.

private static X509Certificate createCertificate(final KeyPair keyPair, final KeyCertificatePair ca, final String dn, final ValidityPeriod validityPeriod, final Extension... extensions) throws CertificateException {
    try {
        final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(ca.getCertificate(), generateSerialNumber(), new Date(validityPeriod.getFrom().toEpochMilli()), new Date(validityPeriod.getTo().toEpochMilli()), new X500Name(RFC4519Style.INSTANCE, dn), keyPair.getPublic());
        builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
        for (Extension e : extensions) {
            builder.addExtension(e);
        }
        return buildX509Certificate(builder, ca.getPrivateKey());
    } catch (OperatorException | IOException e) {
        throw new CertificateException(e);
    }
}
Also used : Extension(org.bouncycastle.asn1.x509.Extension) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) CertificateException(java.security.cert.CertificateException) X500Name(org.bouncycastle.asn1.x500.X500Name) IOException(java.io.IOException) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) Date(java.util.Date) OperatorException(org.bouncycastle.operator.OperatorException)

Example 43 with Extensions

use of com.github.zhenwei.core.asn1.x509.Extensions in project keystore-explorer by kaikramer.

the class Pkcs10Util method generateCsr.

/**
 * Create a PKCS #10 certificate signing request (CSR) using the supplied
 * certificate, private key and signature algorithm.
 *
 * @param cert
 *            The certificate
 * @param privateKey
 *            The private key
 * @param signatureType
 *            Signature
 * @param challenge
 *            Challenge, optional, pass null if not required
 * @param unstructuredName
 *            An optional company name, pass null if not required
 * @param useExtensions
 *            Use extensions from cert for extensionRequest attribute?
 * @throws CryptoException
 *             If there was a problem generating the CSR
 * @return The CSR
 */
public static PKCS10CertificationRequest generateCsr(X509Certificate cert, PrivateKey privateKey, SignatureType signatureType, String challenge, String unstructuredName, boolean useExtensions, Provider provider) throws CryptoException {
    try {
        JcaPKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(cert.getSubjectX500Principal(), cert.getPublicKey());
        // add challenge attribute
        if (challenge != null) {
            // PKCS#9 2.0: SHOULD use UTF8String encoding
            csrBuilder.addAttribute(pkcs_9_at_challengePassword, new DERUTF8String(challenge));
        }
        if (unstructuredName != null) {
            csrBuilder.addAttribute(pkcs_9_at_unstructuredName, new DERUTF8String(unstructuredName));
        }
        if (useExtensions) {
            // add extensionRequest attribute with all extensions from the certificate
            Certificate certificate = Certificate.getInstance(cert.getEncoded());
            Extensions extensions = certificate.getTBSCertificate().getExtensions();
            if (extensions != null) {
                csrBuilder.addAttribute(pkcs_9_at_extensionRequest, extensions.toASN1Primitive());
            }
        }
        // fall back to bouncy castle provider if given provider does not support the requested algorithm
        if (provider != null && provider.getService("Signature", signatureType.jce()) == null) {
            provider = new BouncyCastleProvider();
        }
        ContentSigner contentSigner = null;
        if (provider == null) {
            contentSigner = new JcaContentSignerBuilder(signatureType.jce()).build(privateKey);
        } else {
            contentSigner = new JcaContentSignerBuilder(signatureType.jce()).setProvider(provider).build(privateKey);
        }
        PKCS10CertificationRequest csr = csrBuilder.build(contentSigner);
        if (!verifyCsr(csr)) {
            throw new CryptoException(res.getString("NoVerifyGenPkcs10Csr.exception.message"));
        }
        return csr;
    } catch (CertificateEncodingException e) {
        throw new CryptoException(res.getString("NoGeneratePkcs10Csr.exception.message"), e);
    } catch (OperatorCreationException e) {
        throw new CryptoException(res.getString("NoGeneratePkcs10Csr.exception.message"), e);
    }
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) JcaPKCS10CertificationRequest(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) JcaPKCS10CertificationRequestBuilder(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) CertificateEncodingException(java.security.cert.CertificateEncodingException) Extensions(org.bouncycastle.asn1.x509.Extensions) CryptoException(org.kse.crypto.CryptoException) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)

Example 44 with Extensions

use of com.github.zhenwei.core.asn1.x509.Extensions in project xipki by xipki.

the class X509SelfSignedCertBuilder method generateCertificate.

// method generateSelfSigned
private static X509Certificate generateCertificate(ConcurrentContentSigner signer, IdentifiedX509Certprofile certprofile, CertificationRequest csr, BigInteger serialNumber, SubjectPublicKeyInfo publicKeyInfo, List<String> caCertUris, List<String> ocspUris, List<String> crlUris, List<String> deltaCrlUris, ConfPairs extraControl) throws OperationException {
    SubjectPublicKeyInfo tmpPublicKeyInfo;
    try {
        tmpPublicKeyInfo = X509Util.toRfc3279Style(publicKeyInfo);
    } catch (InvalidKeySpecException ex) {
        LOG.warn("SecurityUtil.toRfc3279Style", ex);
        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
    }
    try {
        certprofile.checkPublicKey(tmpPublicKeyInfo);
    } catch (BadCertTemplateException ex) {
        LOG.warn("certprofile.checkPublicKey", ex);
        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
    }
    X500Name requestedSubject = csr.getCertificationRequestInfo().getSubject();
    SubjectInfo subjectInfo;
    // subject
    try {
        subjectInfo = certprofile.getSubject(requestedSubject);
    } catch (CertprofileException ex) {
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, "exception in cert profile " + certprofile.getIdent());
    } catch (BadCertTemplateException ex) {
        LOG.warn("certprofile.getSubject", ex);
        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
    }
    Date notBefore = certprofile.getNotBefore(null);
    if (notBefore == null) {
        notBefore = new Date();
    }
    CertValidity validity = certprofile.getValidity();
    if (validity == null) {
        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, "no validity specified in the profile " + certprofile.getIdent());
    }
    Date notAfter = validity.add(notBefore);
    X500Name grantedSubject = subjectInfo.getGrantedSubject();
    X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(grantedSubject, serialNumber, notBefore, notAfter, grantedSubject, tmpPublicKeyInfo);
    PublicCaInfo publicCaInfo = new PublicCaInfo(grantedSubject, serialNumber, null, null, caCertUris, ocspUris, crlUris, deltaCrlUris, extraControl);
    Extensions extensions = null;
    ASN1Set attrs = csr.getCertificationRequestInfo().getAttributes();
    for (int i = 0; i < attrs.size(); i++) {
        Attribute attr = Attribute.getInstance(attrs.getObjectAt(i));
        if (PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attr.getAttrType())) {
            extensions = Extensions.getInstance(attr.getAttributeValues()[0]);
        }
    }
    try {
        addExtensions(certBuilder, certprofile, requestedSubject, grantedSubject, extensions, tmpPublicKeyInfo, publicCaInfo, notBefore, notAfter);
        ConcurrentBagEntrySigner signer0 = signer.borrowSigner();
        X509CertificateHolder certHolder;
        try {
            certHolder = certBuilder.build(signer0.value());
        } finally {
            signer.requiteSigner(signer0);
        }
        Certificate bcCert = certHolder.toASN1Structure();
        return X509Util.parseCert(bcCert.getEncoded());
    } catch (BadCertTemplateException ex) {
        throw new OperationException(ErrorCode.BAD_CERT_TEMPLATE, ex);
    } catch (NoIdleSignerException | CertificateException | IOException | CertprofileException ex) {
        throw new OperationException(ErrorCode.SYSTEM_FAILURE, ex);
    }
}
Also used : CertValidity(org.xipki.ca.api.profile.CertValidity) Attribute(org.bouncycastle.asn1.pkcs.Attribute) SubjectInfo(org.xipki.ca.api.profile.x509.SubjectInfo) CertificateException(java.security.cert.CertificateException) X500Name(org.bouncycastle.asn1.x500.X500Name) IOException(java.io.IOException) Extensions(org.bouncycastle.asn1.x509.Extensions) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) PublicCaInfo(org.xipki.ca.api.PublicCaInfo) ConcurrentBagEntrySigner(org.xipki.security.ConcurrentBagEntrySigner) Date(java.util.Date) ASN1Set(org.bouncycastle.asn1.ASN1Set) CertprofileException(org.xipki.ca.api.profile.CertprofileException) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) BadCertTemplateException(org.xipki.ca.api.BadCertTemplateException) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) NoIdleSignerException(org.xipki.security.exception.NoIdleSignerException) InvalidKeySpecException(java.security.spec.InvalidKeySpecException) OperationException(org.xipki.ca.api.OperationException) X509Certificate(java.security.cert.X509Certificate) Certificate(org.bouncycastle.asn1.x509.Certificate)

Example 45 with Extensions

use of com.github.zhenwei.core.asn1.x509.Extensions in project xipki by xipki.

the class X509CaCmpResponderImpl method cmpUnRevokeRemoveCertificates.

// method cmpEnrollCert
private PKIBody cmpUnRevokeRemoveCertificates(PKIMessage request, PKIHeaderBuilder respHeader, CmpControl cmpControl, PKIHeader reqHeader, PKIBody reqBody, CmpRequestorInfo requestor, String msgId, AuditEvent event) {
    Integer requiredPermission = null;
    boolean allRevdetailsOfSameType = true;
    RevReqContent rr = RevReqContent.getInstance(reqBody.getContent());
    RevDetails[] revContent = rr.toRevDetailsArray();
    int len = revContent.length;
    for (int i = 0; i < len; i++) {
        RevDetails revDetails = revContent[i];
        Extensions crlDetails = revDetails.getCrlEntryDetails();
        int reasonCode = CrlReason.UNSPECIFIED.getCode();
        if (crlDetails != null) {
            ASN1ObjectIdentifier extId = Extension.reasonCode;
            ASN1Encodable extValue = crlDetails.getExtensionParsedValue(extId);
            if (extValue != null) {
                reasonCode = ASN1Enumerated.getInstance(extValue).getValue().intValue();
            }
        }
        if (reasonCode == XiSecurityConstants.CMP_CRL_REASON_REMOVE) {
            if (requiredPermission == null) {
                event.addEventType(CaAuditConstants.TYPE_CMP_rr_remove);
                requiredPermission = PermissionConstants.REMOVE_CERT;
            } else if (requiredPermission != PermissionConstants.REMOVE_CERT) {
                allRevdetailsOfSameType = false;
                break;
            }
        } else if (reasonCode == CrlReason.REMOVE_FROM_CRL.getCode()) {
            if (requiredPermission == null) {
                event.addEventType(CaAuditConstants.TYPE_CMP_rr_unrevoke);
                requiredPermission = PermissionConstants.UNREVOKE_CERT;
            } else if (requiredPermission != PermissionConstants.UNREVOKE_CERT) {
                allRevdetailsOfSameType = false;
                break;
            }
        } else {
            if (requiredPermission == null) {
                event.addEventType(CaAuditConstants.TYPE_CMP_rr_revoke);
                requiredPermission = PermissionConstants.REVOKE_CERT;
            } else if (requiredPermission != PermissionConstants.REVOKE_CERT) {
                allRevdetailsOfSameType = false;
                break;
            }
        }
    }
    if (!allRevdetailsOfSameType) {
        ErrorMsgContent emc = new ErrorMsgContent(new PKIStatusInfo(PKIStatus.rejection, new PKIFreeText("not all revDetails are of the same type"), new PKIFailureInfo(PKIFailureInfo.badRequest)));
        return new PKIBody(PKIBody.TYPE_ERROR, emc);
    } else {
        try {
            checkPermission(requestor, requiredPermission);
        } catch (InsuffientPermissionException ex) {
            event.setStatus(AuditStatus.FAILED);
            event.addEventData(CaAuditConstants.NAME_message, "NOT_PERMITTED");
            return buildErrorMsgPkiBody(PKIStatus.rejection, PKIFailureInfo.notAuthorized, null);
        }
        return unRevokeRemoveCertificates(request, rr, requiredPermission, cmpControl, msgId);
    }
}
Also used : PKIBody(org.bouncycastle.asn1.cmp.PKIBody) PKIStatusInfo(org.bouncycastle.asn1.cmp.PKIStatusInfo) InsuffientPermissionException(org.xipki.ca.api.InsuffientPermissionException) Extensions(org.bouncycastle.asn1.x509.Extensions) RevReqContent(org.bouncycastle.asn1.cmp.RevReqContent) PKIFreeText(org.bouncycastle.asn1.cmp.PKIFreeText) ASN1Integer(org.bouncycastle.asn1.ASN1Integer) BigInteger(java.math.BigInteger) PKIFailureInfo(org.bouncycastle.asn1.cmp.PKIFailureInfo) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) ErrorMsgContent(org.bouncycastle.asn1.cmp.ErrorMsgContent) RevDetails(org.bouncycastle.asn1.cmp.RevDetails) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Aggregations

Extensions (org.bouncycastle.asn1.x509.Extensions)113 Extension (org.bouncycastle.asn1.x509.Extension)89 IOException (java.io.IOException)72 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)67 Enumeration (java.util.Enumeration)57 HashSet (java.util.HashSet)49 DEROctetString (org.bouncycastle.asn1.DEROctetString)49 X500Name (org.bouncycastle.asn1.x500.X500Name)46 BigInteger (java.math.BigInteger)45 Set (java.util.Set)36 X509Certificate (java.security.cert.X509Certificate)35 Date (java.util.Date)35 GeneralName (org.bouncycastle.asn1.x509.GeneralName)35 ContentSigner (org.bouncycastle.operator.ContentSigner)32 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)29 ASN1ObjectIdentifier (com.github.zhenwei.core.asn1.ASN1ObjectIdentifier)28 ArrayList (java.util.ArrayList)28 CertificateException (java.security.cert.CertificateException)27 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)27 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)27
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial