Example 1 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project solarnetwork-node by SolarNetwork.
the class PKITestUtils method generateNewCACert.
public static X509Certificate generateNewCACert(PublicKey publicKey, String subject, X509Certificate issuer, PrivateKey issuerKey, String caDN) throws Exception {
final X500Name issuerDn = (issuer == null ? new X500Name(subject) : JcaX500NameUtil.getSubject(issuer));
final X500Name subjectDn = new X500Name(subject);
final BigInteger serial = getNextSerialNumber();
final Date notBefore = new Date();
final Date notAfter = new Date(System.currentTimeMillis() + 1000L * 60L * 60L);
JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuerDn, serial, notBefore, notAfter, subjectDn, publicKey);
// add "CA" extension
BasicConstraints basicConstraints;
if (issuer == null) {
basicConstraints = new BasicConstraints(true);
} else {
int issuerPathLength = issuer.getBasicConstraints();
basicConstraints = new BasicConstraints(issuerPathLength - 1);
}
builder.addExtension(X509Extension.basicConstraints, true, basicConstraints);
// add subjectKeyIdentifier
JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
SubjectKeyIdentifier ski = utils.createSubjectKeyIdentifier(publicKey);
builder.addExtension(X509Extension.subjectKeyIdentifier, false, ski);
// add authorityKeyIdentifier
GeneralNames issuerName = new GeneralNames(new GeneralName(GeneralName.directoryName, caDN));
AuthorityKeyIdentifier aki = utils.createAuthorityKeyIdentifier(publicKey);
aki = new AuthorityKeyIdentifier(aki.getKeyIdentifier(), issuerName, serial);
builder.addExtension(X509Extension.authorityKeyIdentifier, false, aki);
// add keyUsage
X509KeyUsage keyUsage = new X509KeyUsage(X509KeyUsage.cRLSign | X509KeyUsage.digitalSignature | X509KeyUsage.keyCertSign | X509KeyUsage.nonRepudiation);
builder.addExtension(X509Extension.keyUsage, true, keyUsage);
JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSA");
ContentSigner signer = signerBuilder.build(issuerKey);
X509CertificateHolder holder = builder.build(signer);
JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
return converter.getCertificate(holder);
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
X500Name(org.bouncycastle.asn1.x500.X500Name)
SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)
Date(java.util.Date)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
X509KeyUsage(org.bouncycastle.jce.X509KeyUsage)
Example 2 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project ca3sCore by kuehne-trustable-de.
the class CertificateUtilIntTest method testAKIandSKIGeneration.
@Test
public void testAKIandSKIGeneration() throws GeneralSecurityException {
X509Certificate x509Cert = CryptoUtil.convertPemToCertificate(testCert);
assertNotNull(x509Cert);
JcaX509ExtensionUtils util = new JcaX509ExtensionUtils();
SubjectKeyIdentifier ski = util.createSubjectKeyIdentifier(x509Cert.getPublicKey());
String b46Ski = Base64.encodeBase64String(ski.getKeyIdentifier());
assertNotNull(b46Ski);
AuthorityKeyIdentifier aki = util.createAuthorityKeyIdentifier(x509Cert.getPublicKey());
String b46Aki = Base64.encodeBase64String(aki.getKeyIdentifier());
assertNotNull(b46Aki);
assertEquals(b46Ski, b46Aki);
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)
X509Certificate(java.security.cert.X509Certificate)
Test(org.junit.jupiter.api.Test)
SpringBootTest(org.springframework.boot.test.context.SpringBootTest)
Example 3 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project modules by assimbly.
the class CertificatesUtil method createSubjectKeyId.
/**
* Creates the hash value of the public key.
*
* @param publicKey of the certificate
*
* @return SubjectKeyIdentifier hash
*
* @throws OperatorCreationException
*/
private static SubjectKeyIdentifier createSubjectKeyId(final PublicKey publicKey) throws OperatorCreationException {
final SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
final DigestCalculator digCalc = new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
return new X509ExtensionUtils(digCalc).createSubjectKeyIdentifier(publicKeyInfo);
}
Also used :
BcDigestCalculatorProvider(org.bouncycastle.operator.bc.BcDigestCalculatorProvider)
DigestCalculator(org.bouncycastle.operator.DigestCalculator)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
X509ExtensionUtils(org.bouncycastle.cert.X509ExtensionUtils)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
Example 4 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project identity-credential by google.
the class CertificateGenerator method generateCertificate.
static X509Certificate generateCertificate(DataMaterial data, CertificateMaterial certMaterial, KeyMaterial keyMaterial) throws CertIOException, CertificateException, OperatorCreationException {
Provider bcProvider = new BouncyCastleProvider();
Security.addProvider(bcProvider);
Optional<X509Certificate> issuerCert = keyMaterial.issuerCertificate();
X500Name subjectDN = new X500Name(data.subjectDN());
// doesn't work, get's reordered
// issuerCert.isPresent() ? new X500Name(issuerCert.get().getSubjectX500Principal().getName()) : subjectDN;
X500Name issuerDN = new X500Name(data.issuerDN());
ContentSigner contentSigner = new JcaContentSignerBuilder(keyMaterial.signingAlgorithm()).build(keyMaterial.signingKey());
JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerDN, certMaterial.serialNumber(), certMaterial.startDate(), certMaterial.endDate(), subjectDN, keyMaterial.publicKey());
// Extensions --------------------------
JcaX509ExtensionUtils jcaX509ExtensionUtils;
try {
jcaX509ExtensionUtils = new JcaX509ExtensionUtils();
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
if (issuerCert.isPresent()) {
try {
// adds 3 more fields, not present in other cert
// AuthorityKeyIdentifier authorityKeyIdentifier = jcaX509ExtensionUtils.createAuthorityKeyIdentifier(issuerCert.get());
AuthorityKeyIdentifier authorityKeyIdentifier = jcaX509ExtensionUtils.createAuthorityKeyIdentifier(issuerCert.get().getPublicKey());
certBuilder.addExtension(Extension.authorityKeyIdentifier, NOT_CRITICAL, authorityKeyIdentifier);
} catch (IOException e) {
// CertificateEncodingException |
throw new RuntimeException(e);
}
}
SubjectKeyIdentifier subjectKeyIdentifier = jcaX509ExtensionUtils.createSubjectKeyIdentifier(keyMaterial.publicKey());
certBuilder.addExtension(Extension.subjectKeyIdentifier, NOT_CRITICAL, subjectKeyIdentifier);
KeyUsage keyUsage = new KeyUsage(certMaterial.keyUsage());
certBuilder.addExtension(Extension.keyUsage, CRITICAL, keyUsage);
// IssuerAlternativeName
Optional<String> issuerAlternativeName = data.issuerAlternativeName();
if (issuerAlternativeName.isPresent()) {
GeneralNames issuerAltName = new GeneralNames(new GeneralName(GeneralName.uniformResourceIdentifier, issuerAlternativeName.get()));
certBuilder.addExtension(Extension.issuerAlternativeName, NOT_CRITICAL, issuerAltName);
}
// Basic Constraints
int pathLengthConstraint = certMaterial.pathLengthConstraint();
if (pathLengthConstraint != CertificateMaterial.PATHLENGTH_NOT_A_CA) {
// TODO doesn't work for certificate chains != 2 in size
BasicConstraints basicConstraints = new BasicConstraints(pathLengthConstraint);
certBuilder.addExtension(Extension.basicConstraints, CRITICAL, basicConstraints);
}
Optional<String> extendedKeyUsage = certMaterial.extendedKeyUsage();
if (extendedKeyUsage.isPresent()) {
KeyPurposeId keyPurpose = KeyPurposeId.getInstance(new ASN1ObjectIdentifier(extendedKeyUsage.get()));
ExtendedKeyUsage extKeyUsage = new ExtendedKeyUsage(new KeyPurposeId[] { keyPurpose });
certBuilder.addExtension(Extension.extendedKeyUsage, CRITICAL, extKeyUsage);
}
// DEBUG setProvider(bcProvider) removed before getCertificate
return new JcaX509CertificateConverter().getCertificate(certBuilder.build(contentSigner));
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)
KeyUsage(org.bouncycastle.asn1.x509.KeyUsage)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
X500Name(org.bouncycastle.asn1.x500.X500Name)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)
BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)
KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId)
ContentSigner(org.bouncycastle.operator.ContentSigner)
IOException(java.io.IOException)
CertIOException(org.bouncycastle.cert.CertIOException)
SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)
X509Certificate(java.security.cert.X509Certificate)
BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)
Provider(java.security.Provider)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 5 with SubjectKeyIdentifier
use of com.github.zhenwei.core.asn1.x509.SubjectKeyIdentifier in project axelor-open-suite by axelor.
the class X509Generator method getSubjectKeyIdentifier.
/**
* Returns the <code>SubjectKeyIdentifier</code> corresponding to a given <code>PublicKey</code>
*
* @param publicKey the given public key
* @return the subject key identifier
* @throws IOException
* @throws NoSuchAlgorithmException
*/
private SubjectKeyIdentifier getSubjectKeyIdentifier(PublicKey publicKey) throws IOException, NoSuchAlgorithmException {
InputStream input;
SubjectPublicKeyInfo keyInfo;
input = new ByteArrayInputStream(publicKey.getEncoded());
try (final ASN1InputStream is = new ASN1InputStream(input)) {
keyInfo = SubjectPublicKeyInfo.getInstance((ASN1Sequence) is.readObject());
}
final JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils();
return jcaX509ExtensionUtils.createSubjectKeyIdentifier(keyInfo);
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
ByteArrayInputStream(java.io.ByteArrayInputStream)
ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream)
ByteArrayInputStream(java.io.ByteArrayInputStream)
InputStream(java.io.InputStream)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
Aggregations
SubjectKeyIdentifier (org.bouncycastle.asn1.x509.SubjectKeyIdentifier)34
AuthorityKeyIdentifier (org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)17
X509Certificate (java.security.cert.X509Certificate)14
BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)14
IOException (java.io.IOException)12
X500Name (org.bouncycastle.asn1.x500.X500Name)10
GeneralName (org.bouncycastle.asn1.x509.GeneralName)10
ContentSigner (org.bouncycastle.operator.ContentSigner)10
BigInteger (java.math.BigInteger)9
Date (java.util.Date)9
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)9
JcaX509v3CertificateBuilder (org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)9
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)8
JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)8
JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)8
JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)8
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)7
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)7
ByteArrayInputStream (java.io.ByteArrayInputStream)6
CertificateException (java.security.cert.CertificateException)6
