
Example 31 with KeyUsage

use of com.github.zhenwei.core.asn1.x509.KeyUsage in project keystore-explorer by kaikramer.

the class DSelectStandardExtensionTemplate method addKeyUsage.

private void addKeyUsage(X509ExtensionSet extensionSet, int usage) throws IOException {
    // Build the KeyUsage BIT STRING from the bit mask and store its DER encoding,
    // wrapped in an OCTET STRING, under the KeyUsage OID. The `true` argument
    // presumably marks the extension as critical (as RFC 5280 recommends for KeyUsage).
    byte[] extensionValue = X509Ext.wrapInOctetString(new KeyUsage(usage).getEncoded());
    extensionSet.addExtension(X509ExtensionType.KEY_USAGE.oid(), true, extensionValue);
}

Example 32 with KeyUsage

use of com.github.zhenwei.core.asn1.x509.KeyUsage in project keystore-explorer by kaikramer.

the class X509Ext method getKeyUsageStringValue.

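/**
 * Renders a DER-encoded KeyUsage extension value as a newline-separated list of
 * localized usage names, in ASN.1 bit order. Usages not set are omitted; an
 * empty string is returned when no bit is set.
 *
 * @param value raw extension content (the KeyUsage BIT STRING, DER-encoded), taken from the certificate
 * @return the localized usage names, each followed by {@code NEWLINE}
 * @throws IOException if {@code value} is not well-formed DER
 * @throws IllegalArgumentException if the decoded object is not a BIT STRING (from {@code getInstance})
 */
private static String getKeyUsageStringValue(byte[] value) throws IOException {
    // @formatter:off
    /*
		 * KeyUsage ::= BIT STRING { digitalSignature (0), nonRepudiation (1),
		 * keyEncipherment (2), dataEncipherment (3), keyAgreement (4),
		 * keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8) }
		 */
    // @formatter:on
    // The bytes come straight out of the certificate being displayed; malformed input is
    // surfaced to the caller (IOException / IllegalArgumentException) rather than shown
    // as an empty usage list.
    ASN1BitString keyUsage = ASN1BitString.getInstance(ASN1Primitive.fromByteArray(value));
    int keyUsages = keyUsage.intValue();

    // Parallel tables of (usage bit, resource key); the order is the display order and
    // matches the ASN.1 definition above.
    int[] usageBits = {
        KeyUsage.digitalSignature,
        KeyUsage.nonRepudiation,
        KeyUsage.keyEncipherment,
        KeyUsage.dataEncipherment,
        KeyUsage.keyAgreement,
        KeyUsage.keyCertSign,
        KeyUsage.cRLSign,
        KeyUsage.encipherOnly,
        KeyUsage.decipherOnly
    };
    String[] resourceKeys = {
        "DigitalSignatureKeyUsage",
        "NonRepudiationKeyUsage",
        "KeyEnciphermentKeyUsage",
        "DataEnciphermentKeyUsage",
        "KeyAgreementKeyUsage",
        "KeyCertSignKeyUsage",
        "CrlSignKeyUsage",
        "EncipherOnlyKeyUsage",
        "DecipherOnlyKeyUsage"
    };

    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < usageBits.length; i++) {
        if (hasKeyUsage(keyUsages, usageBits[i])) {
            sb.append(res.getString(resourceKeys[i])).append(NEWLINE);
        }
    }
    return sb.toString();
}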

Example 33 with KeyUsage

use of com.github.zhenwei.core.asn1.x509.KeyUsage in project zookeeper by apache.

the class QuorumSSLTest method buildEndEntityCert.

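/**
 * Issues an end-entity (non-CA) certificate signed with {@code caPrivateKey}, using the
 * subject of {@code caCert} as the issuer name.
 *
 * <p>The subject is fixed to {@code CN=Test End Entity Certificate} and validity is taken from
 * the enclosing class's {@code certStartTime}/{@code certEndTime}. The cert carries AKI and SKI,
 * a critical {@code BasicConstraints(cA=false)}, a critical KeyUsage of
 * digitalSignature|keyEncipherment, and optionally a SAN, a CRL distribution point and an
 * OCSP AIA entry depending on which optional arguments are non-null.
 *
 * @param keyPair key pair whose public half is certified
 * @param caCert the issuing CA's certificate
 * @param caPrivateKey the CA signing key; expected to belong to {@code caCert}
 * @param hostname dNSName SAN entry and OCSP responder host; may be {@code null} unless {@code ocspPort} is set
 * @param ipAddress iPAddress SAN entry; may be {@code null}
 * @param crlPath local path advertised as a {@code file://} CRL distribution point; may be {@code null}
 * @param ocspPort port of the OCSP responder on {@code hostname}, advertised via AIA; may be {@code null}
 * @return the signed certificate as a JCA object
 * @throws IllegalArgumentException if {@code ocspPort} is given but {@code hostname} is {@code null}
 * @throws Exception on encoding or signing failures (propagated from Bouncy Castle)
 */
public X509Certificate buildEndEntityCert(KeyPair keyPair, X509Certificate caCert, PrivateKey caPrivateKey, String hostname, String ipAddress, String crlPath, Integer ocspPort) throws Exception {
    if (ocspPort != null && hostname == null) {
        // Without a hostname the AIA URL below would be emitted as "http://null:<port>".
        throw new IllegalArgumentException("hostname is required when ocspPort is set");
    }
    X509CertificateHolder caHolder = new JcaX509CertificateHolder(caCert);
    ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(caPrivateKey);

    List<GeneralName> sanEntries = new ArrayList<>();
    if (hostname != null) {
        sanEntries.add(new GeneralName(GeneralName.dNSName, hostname));
    }
    if (ipAddress != null) {
        sanEntries.add(new GeneralName(GeneralName.iPAddress, ipAddress));
    }

    SubjectPublicKeyInfo entityKeyInfo = SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(PublicKeyFactory.createKey(keyPair.getPublic().getEncoded()));
    X509ExtensionUtils extensionUtils = new BcX509ExtensionUtils();

    // RFC 5280 4.1.2.2: serials must be unique per issuer and positive, at most 20 octets.
    // 128 bits from a CSPRNG satisfies that (zero is only theoretically possible);
    // java.util.Random is predictable and not appropriate even for test PKI material.
    BigInteger serial = new BigInteger(128, new java.security.SecureRandom());

    X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(caHolder.getSubject(), serial, certStartTime, certEndTime, new X500Name("CN=Test End Entity Certificate"), keyPair.getPublic());
    certificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(caHolder));
    certificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, extensionUtils.createSubjectKeyIdentifier(entityKeyInfo));
    certificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
    certificateBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
    if (!sanEntries.isEmpty()) {
        certificateBuilder.addExtension(Extension.subjectAlternativeName, true, new GeneralNames(sanEntries.toArray(new GeneralName[0])));
    }
    if (crlPath != null) {
        DistributionPointName distPointName = new DistributionPointName(new GeneralNames(new GeneralName(GeneralName.uniformResourceIdentifier, "file://" + crlPath)));
        certificateBuilder.addExtension(Extension.cRLDistributionPoints, false, new CRLDistPoint(new DistributionPoint[] { new DistributionPoint(distPointName, null, null) }));
    }
    if (ocspPort != null) {
        certificateBuilder.addExtension(Extension.authorityInfoAccess, false, new AuthorityInformationAccess(X509ObjectIdentifiers.ocspAccessMethod, new GeneralName(GeneralName.uniformResourceIdentifier, "http://" + hostname + ":" + ocspPort)));
    }
    return new JcaX509CertificateConverter().getCertificate(certificateBuilder.build(signer));
}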

Example 34 with KeyUsage

use of com.github.zhenwei.core.asn1.x509.KeyUsage in project zookeeper by apache.

the class X509TestHelpers method newCert.

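/**
 * Using the private key of the given CA key pair and the Subject of the given CA cert as the Issuer, issues a
 * new cert with the given subject and public key. The returned certificate, combined with the private key half
 * of the <code>certPublicKey</code>, should be used as the key store.
 *
 * The issued cert is an end entity: critical BasicConstraints(cA=false), critical KeyUsage of
 * digitalSignature|keyEncipherment, critical ExtendedKeyUsage serverAuth+clientAuth, and the
 * non-critical localhost SAN produced by <code>getLocalhostSubjectAltNames()</code>.
 * @param caCert the certificate of the CA that's doing the signing.
 * @param caKeyPair the key pair of the CA. The private key will be used to sign. The public key must match the
 *                  public key in the <code>caCert</code>.
 * @param certSubject the subject field of the new cert being issued.
 * @param certPublicKey the public key of the new cert being issued.
 * @param expirationMillis the expiration of the cert being issued, in milliseconds from now.
 * @return a new certificate signed by the CA's private key.
 * @throws IllegalArgumentException if the public key of <code>caKeyPair</code> does not match <code>caCert</code>.
 * @throws IOException if an extension cannot be encoded.
 * @throws OperatorCreationException if the content signer cannot be created.
 * @throws GeneralSecurityException if the certificate cannot be converted to a JCA object.
 */
public static X509Certificate newCert(X509Certificate caCert, KeyPair caKeyPair, X500Name certSubject, PublicKey certPublicKey, long expirationMillis) throws IOException, OperatorCreationException, GeneralSecurityException {
    if (!caKeyPair.getPublic().equals(caCert.getPublicKey())) {
        throw new IllegalArgumentException("CA private key does not match the public key in the CA cert");
    }
    // RFC 5280: the issuer of the new cert is the CA cert's *subject*. The previous code used
    // caCert.getIssuerDN(), which only coincides with the subject for a self-signed CA and
    // breaks chain building for an intermediate. Use the DER-encoded name directly instead
    // of a string round trip so the encoded issuer matches the CA subject byte for byte.
    X500Name issuer = X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded());
    Date now = new Date();
    Date notAfter = new Date(now.getTime() + expirationMillis);
    X509v3CertificateBuilder builder = initCertBuilder(issuer, now, notAfter, certSubject, certPublicKey);
    // not a CA
    builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
    builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
    builder.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth }));
    builder.addExtension(Extension.subjectAlternativeName, false, getLocalhostSubjectAltNames());
    return buildAndSignCertificate(caKeyPair.getPrivate(), builder);
}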

Example 35 with KeyUsage

use of com.github.zhenwei.core.asn1.x509.KeyUsage in project spring-cloud-config by spring-cloud.

the class KeyTool method createCert.

/**
 * Builds and signs a leaf (non-CA) certificate for {@code publicKey}.
 *
 * <p>Extensions: critical KeyUsage=digitalSignature, non-critical BasicConstraints(cA=false),
 * and a non-critical SubjectAlternativeName fixed to dNSName {@code localhost}.
 *
 * @param publicKey the key being certified
 * @param privateKey the key used by {@code signCert} to sign the certificate
 * @param issuer issuer name, handed to {@code certBuilder}
 * @param subject subject name, handed to {@code certBuilder}
 * @return the signed certificate
 * @throws Exception propagated from the builder and signing helpers
 */
public X509Certificate createCert(PublicKey publicKey, PrivateKey privateKey, String issuer, String subject) throws Exception {
    JcaX509v3CertificateBuilder builder = certBuilder(publicKey, issuer, subject);
    // NOTE(review): only digitalSignature is asserted; RSA key-transport cipher suites would
    // also need keyEncipherment — confirm this matches the intended TLS usage.
    builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
    builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
    GeneralNames altNames = new GeneralNames(new GeneralName(GeneralName.dNSName, "localhost"));
    builder.addExtension(Extension.subjectAlternativeName, false, altNames);
    return signCert(builder, privateKey);
}
