use of com.github.zhenwei.core.asn1.x509.KeyUsage in project nifi-registry by apache.
the class CertificateUtils method generateSelfSignedX509Certificate.
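/**
 * Generates a self-signed {@link X509Certificate} suitable for use as a Certificate Authority.
 *
 * <p>The same (reversed) {@code dn} is used as both issuer and subject, validity starts now and
 * lasts {@code certificateDurationDays} days, and the certificate is signed with the private half
 * of {@code keyPair}. The basicConstraints extension (cA=true) is marked critical, as RFC 5280
 * §4.2.1.9 requires for CA certificates. The keyUsage bits and the clientAuth/serverAuth
 * extendedKeyUsage asserted here are broader than a pure signing CA needs; callers that only
 * ever use the result to sign other certificates could narrow them.
 *
 * @param keyPair the {@link KeyPair} whose public key is certified and whose private key signs the {@link X509Certificate}
 * @param dn the distinguished name to use as subject and issuer of the {@link X509Certificate}
 * @param signingAlgorithm the signing algorithm to use for the {@link X509Certificate}
 * @param certificateDurationDays the duration in days for which the {@link X509Certificate} should be valid
 * @return a self-signed {@link X509Certificate} suitable for use as a Certificate Authority
 * @throws CertificateException if there is an error generating the new certificate
 */
public static X509Certificate generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays) throws CertificateException {
    try {
        ContentSigner sigGen = new JcaContentSignerBuilder(signingAlgorithm).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(keyPair.getPrivate());
        SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());

        Date startDate = new Date();
        Date endDate = new Date(startDate.getTime() + TimeUnit.DAYS.toMillis(certificateDurationDays));

        // Self-signed: issuer and subject are the same name, so build it once instead of twice.
        X500Name name = reverseX500Name(new X500Name(dn));
        X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(name, getUniqueSerialNumber(), startDate, endDate, name, subPubKeyInfo);

        // Set certificate extensions
        // (1) keyUsage extension (critical)
        certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement | KeyUsage.nonRepudiation | KeyUsage.cRLSign | KeyUsage.keyCertSign));
        // A CA certificate must carry basicConstraints as a critical extension (RFC 5280 §4.2.1.9).
        certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        // One utils instance serves both key-identifier extensions (its constructor can throw NoSuchAlgorithmException).
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extensionUtils.createSubjectKeyIdentifier(keyPair.getPublic()));
        certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(keyPair.getPublic()));
        // (2) extendedKeyUsage extension
        certBuilder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth }));

        // Sign the certificate
        X509CertificateHolder certificateHolder = certBuilder.build(sigGen);
        return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate(certificateHolder);
    } catch (CertIOException | NoSuchAlgorithmException | OperatorCreationException e) {
        // Preserve the cause so the underlying BouncyCastle/JCA failure is not lost.
        throw new CertificateException(e);
    }
}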
use of com.github.zhenwei.core.asn1.x509.KeyUsage in project ozone by apache.
the class SelfSignedCertificate method generateCertificate.
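/**
 * Builds a self-signed certificate holder for this instance's key, name and validity window.
 *
 * <p>Issuer and subject are the same name, formed from {@code subject}, {@code scmID} and
 * {@code clusterID}. Only when {@code isCA} is true are extensions added: a critical
 * basicConstraints (cA=true), a critical keyUsage of keyCertSign|cRLSign and, if any
 * {@code altNames} are configured, a subjectAlternativeName. A non-CA certificate produced here
 * carries no extensions at all, including no SAN — confirm that this is the intended shape for
 * non-CA callers.
 *
 * @param isCA whether to mark the certificate as a CA and attach the CA extensions
 * @return the signed certificate holder
 * @throws OperatorCreationException if the content signer cannot be created
 * @throws IOException if an extension cannot be encoded
 */
private X509CertificateHolder generateCertificate(boolean isCA) throws OperatorCreationException, IOException {
    // For the Root Certificate we form the name from Subject, SCM ID and Cluster ID.
    String dnName = String.format(getNameFormat(), subject, scmID, clusterID);
    X500Name name = new X500Name(dnName);

    byte[] encoded = key.getPublic().getEncoded();
    SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(encoded);
    ContentSigner contentSigner = new JcaContentSignerBuilder(config.getSignatureAlgo()).setProvider(config.getProvider()).build(key.getPrivate());

    // Please note: Since this is a root certificate we use "ONE" as the serial number.
    // For the non-CA case the serial is taken from a monotonic clock; that value looks to be
    // JVM-relative, so serials are not guaranteed unique across processes — TODO confirm
    // whether that matters for consumers that index certificates by serial.
    BigInteger serial = isCA ? BigInteger.ONE : BigInteger.valueOf(Time.monotonicNow());

    // Also note that we skip enforcing locale or UTC. We are trying to operate at the Days
    // level, hence the time zone is also skipped for now.
    ZoneOffset zoneOffset = beginDate.atStartOfDay(ZoneOffset.systemDefault()).getOffset();
    // Valid from the start of the day when we generate this certificate.
    Date validFrom = Date.from(beginDate.atTime(LocalTime.MIN).toInstant(zoneOffset));
    // Valid till the end day finishes.
    Date validTill = Date.from(endDate.atTime(LocalTime.MAX).toInstant(zoneOffset));

    X509v3CertificateBuilder builder = new X509v3CertificateBuilder(name, serial, validFrom, validTill, name, publicKeyInfo);

    if (isCA) {
        // Both CA-defining extensions are critical so that validators cannot silently ignore them.
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        if (altNames != null && !altNames.isEmpty()) {
            GeneralNames subjectAltNames = new GeneralNames(altNames.toArray(new GeneralName[0]));
            builder.addExtension(new Extension(Extension.subjectAlternativeName, false, subjectAltNames.getEncoded()));
        }
    }
    return builder.build(contentSigner);
}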