Search in sources :

Example 1 with KeyUsage

use of com.google.cloud.security.privateca.v1.KeyUsage in project identity-credential by google.

the class CertificateGenerator method generateCertificate.

static X509Certificate generateCertificate(DataMaterial data, CertificateMaterial certMaterial, KeyMaterial keyMaterial) throws CertIOException, CertificateException, OperatorCreationException {
    Provider bcProvider = new BouncyCastleProvider();
    Security.addProvider(bcProvider);
    Optional<X509Certificate> issuerCert = keyMaterial.issuerCertificate();
    X500Name subjectDN = new X500Name(data.subjectDN());
    // doesn't work, get's reordered
    // issuerCert.isPresent() ? new X500Name(issuerCert.get().getSubjectX500Principal().getName()) : subjectDN;
    X500Name issuerDN = new X500Name(data.issuerDN());
    ContentSigner contentSigner = new JcaContentSignerBuilder(keyMaterial.signingAlgorithm()).build(keyMaterial.signingKey());
    JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerDN, certMaterial.serialNumber(), certMaterial.startDate(), certMaterial.endDate(), subjectDN, keyMaterial.publicKey());
    // Extensions --------------------------
    JcaX509ExtensionUtils jcaX509ExtensionUtils;
    try {
        jcaX509ExtensionUtils = new JcaX509ExtensionUtils();
    } catch (NoSuchAlgorithmException e) {
        throw new RuntimeException(e);
    }
    if (issuerCert.isPresent()) {
        try {
            // adds 3 more fields, not present in other cert
            // AuthorityKeyIdentifier authorityKeyIdentifier = jcaX509ExtensionUtils.createAuthorityKeyIdentifier(issuerCert.get());
            AuthorityKeyIdentifier authorityKeyIdentifier = jcaX509ExtensionUtils.createAuthorityKeyIdentifier(issuerCert.get().getPublicKey());
            certBuilder.addExtension(Extension.authorityKeyIdentifier, NOT_CRITICAL, authorityKeyIdentifier);
        } catch (IOException e) {
            // CertificateEncodingException |
            throw new RuntimeException(e);
        }
    }
    SubjectKeyIdentifier subjectKeyIdentifier = jcaX509ExtensionUtils.createSubjectKeyIdentifier(keyMaterial.publicKey());
    certBuilder.addExtension(Extension.subjectKeyIdentifier, NOT_CRITICAL, subjectKeyIdentifier);
    KeyUsage keyUsage = new KeyUsage(certMaterial.keyUsage());
    certBuilder.addExtension(Extension.keyUsage, CRITICAL, keyUsage);
    // IssuerAlternativeName
    Optional<String> issuerAlternativeName = data.issuerAlternativeName();
    if (issuerAlternativeName.isPresent()) {
        GeneralNames issuerAltName = new GeneralNames(new GeneralName(GeneralName.uniformResourceIdentifier, issuerAlternativeName.get()));
        certBuilder.addExtension(Extension.issuerAlternativeName, NOT_CRITICAL, issuerAltName);
    }
    // Basic Constraints
    int pathLengthConstraint = certMaterial.pathLengthConstraint();
    if (pathLengthConstraint != CertificateMaterial.PATHLENGTH_NOT_A_CA) {
        // TODO doesn't work for certificate chains != 2 in size
        BasicConstraints basicConstraints = new BasicConstraints(pathLengthConstraint);
        certBuilder.addExtension(Extension.basicConstraints, CRITICAL, basicConstraints);
    }
    Optional<String> extendedKeyUsage = certMaterial.extendedKeyUsage();
    if (extendedKeyUsage.isPresent()) {
        KeyPurposeId keyPurpose = KeyPurposeId.getInstance(new ASN1ObjectIdentifier(extendedKeyUsage.get()));
        ExtendedKeyUsage extKeyUsage = new ExtendedKeyUsage(new KeyPurposeId[] { keyPurpose });
        certBuilder.addExtension(Extension.extendedKeyUsage, CRITICAL, extKeyUsage);
    }
    // DEBUG setProvider(bcProvider) removed before getCertificate
    return new JcaX509CertificateConverter().getCertificate(certBuilder.build(contentSigner));
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) X500Name(org.bouncycastle.asn1.x500.X500Name) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId) ContentSigner(org.bouncycastle.operator.ContentSigner) IOException(java.io.IOException) CertIOException(org.bouncycastle.cert.CertIOException) SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier) X509Certificate(java.security.cert.X509Certificate) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) Provider(java.security.Provider) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) GeneralName(org.bouncycastle.asn1.x509.GeneralName) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Example 2 with KeyUsage

use of com.google.cloud.security.privateca.v1.KeyUsage in project daikon by Talend.

the class CertificateGenerater method createRootCA.

private void createRootCA(String alias, String fileName) throws Exception {
    List<Extension> exts = new ArrayList<>();
    KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyCertSign);
    Extension extension = new Extension(Extension.keyUsage, true, new DEROctetString(keyUsage));
    exts.add(extension);
    // Missing ekeyOid = new ObjectIdentifier("2.5.29.19"); from the old code here
    ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(KeyPurposeId.id_kp_codeSigning);
    extension = new Extension(Extension.extendedKeyUsage, false, new DEROctetString(extendedKeyUsage));
    exts.add(extension);
    KeyPair keyPair = genKey();
    BigInteger serialNumber = new BigInteger(64, secureRandom);
    Date from = new Date();
    Date to = new Date(from.getTime() + 365L * 24 * 3600 * 1000);
    X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(new X500Principal(dName), serialNumber, from, to, new X500Principal(dName), keyPair.getPublic());
    for (Extension e : exts) {
        certificateBuilder.addExtension(e);
    }
    certificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
    ContentSigner signer = new JcaContentSignerBuilder(sigAlgName).build(keyPair.getPrivate());
    X509Certificate cert = new JcaX509CertificateConverter().setProvider(new BouncyCastleProvider()).getCertificate(certificateBuilder.build(signer));
    X509Certificate[] certs = { cert };
    String[] aliasNames = { alias };
    saveJks(aliasNames, keyPair.getPrivate(), rootJKSKeyPass, certs, fileName);
}
Also used : KeyPair(java.security.KeyPair) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ArrayList(java.util.ArrayList) ContentSigner(org.bouncycastle.operator.ContentSigner) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) DEROctetString(org.bouncycastle.asn1.DEROctetString) DEROctetString(org.bouncycastle.asn1.DEROctetString) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) Extension(org.bouncycastle.asn1.x509.Extension) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) BigInteger(java.math.BigInteger) X500Principal(javax.security.auth.x500.X500Principal) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)

Example 3 with KeyUsage

use of com.google.cloud.security.privateca.v1.KeyUsage in project daikon by Talend.

the class CertificateGenerater method createSignJks.

private void createSignJks(Date from, Date to, String storePath, boolean useRootJks) throws Exception {
    List<Extension> exts = new ArrayList<>();
    KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment);
    Extension extension = new Extension(Extension.keyUsage, true, new DEROctetString(keyUsage));
    exts.add(extension);
    ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(KeyPurposeId.id_kp_codeSigning);
    extension = new Extension(Extension.extendedKeyUsage, false, new DEROctetString(extendedKeyUsage));
    exts.add(extension);
    signCert(useRootJks, subJKSKeyPass, from, to, exts, storePath, true);
}
Also used : Extension(org.bouncycastle.asn1.x509.Extension) ArrayList(java.util.ArrayList) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) DEROctetString(org.bouncycastle.asn1.DEROctetString)

Example 4 with KeyUsage

use of com.google.cloud.security.privateca.v1.KeyUsage in project carapaceproxy by diennea.

the class CertificatesTestUtils method generateSampleChain.

public static Certificate[] generateSampleChain(KeyPair endUserKeypair, boolean expired) throws Exception {
    Security.addProvider(new BouncyCastleProvider());
    // Create self signed Root CA certificate
    KeyPair rootCAKeyPair = KeyPairUtils.createKeyPair(DEFAULT_KEYPAIRS_SIZE);
    X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(// issuer authority
    new X500Name("CN=rootCA"), // serial number of certificate
    BigInteger.valueOf(new Random().nextInt()), // start of validity
    new Date(), // end of certificate validity
    new Date(), // subject name of certificate
    new X500Name("CN=rootCA"), rootCAKeyPair.getPublic());
    // public key of certificate
    // Key usage restrictions
    builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign));
    builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));
    // Root certificate
    X509Certificate rootCA = new JcaX509CertificateConverter().getCertificate(builder.build(new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(// private key of signing authority , here it is self signed
    rootCAKeyPair.getPrivate())));
    // Create Intermediate CA cert signed by Root CA
    KeyPair intermedCAKeyPair = createKeyPair(DEFAULT_KEYPAIRS_SIZE);
    builder = new JcaX509v3CertificateBuilder(// here rootCA is issuer authority
    rootCA, BigInteger.valueOf(new Random().nextInt()), new Date(), new Date(), new X500Name("CN=IntermedCA"), intermedCAKeyPair.getPublic());
    // Key usage restrictions
    builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign));
    builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));
    // Intermediate certificate
    X509Certificate intermediateCA = new JcaX509CertificateConverter().getCertificate(builder.build(new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(// private key of signing authority , here it is signed by rootCA
    rootCAKeyPair.getPrivate())));
    // create end user cert signed by Intermediate CA
    // yesterday/tomorrow
    int offset = 1000 * 60 * 60 * 24;
    Date expiringDate = new Date(System.currentTimeMillis() + (expired ? -offset : +offset));
    builder = new JcaX509v3CertificateBuilder(// here intermedCA is issuer authority
    intermediateCA, BigInteger.valueOf(new Random().nextInt()), new Date(System.currentTimeMillis() - offset), expiringDate, new X500Name("CN=endUserCert"), endUserKeypair.getPublic());
    // Key usage restrictions
    builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
    builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
    // End-user certificate
    X509Certificate endUserCert = new JcaX509CertificateConverter().getCertificate(builder.build(new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(// private key of signing authority , here it is signed by intermedCA
    intermedCAKeyPair.getPrivate())));
    return new X509Certificate[] { endUserCert, intermediateCA, rootCA };
}
Also used : KeyPair(java.security.KeyPair) KeyPairUtils.createKeyPair(org.shredzone.acme4j.util.KeyPairUtils.createKeyPair) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) X500Name(org.bouncycastle.asn1.x500.X500Name) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) Random(java.util.Random) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)

Example 5 with KeyUsage

use of com.google.cloud.security.privateca.v1.KeyUsage in project koronavilkku-backend by THLfi.

the class FederationGatewaySigningDev method generateDevCertificate.

public X509Certificate generateDevCertificate(KeyPair keyPair, KeyPair trustAnchorKeyPair, X509Certificate trustAnchorCert) throws OperatorCreationException, IOException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, SignatureException {
    X500Name subject = new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.C, "FI").addRDN(BCStyle.CN, "koronavilkku-dev").addRDN(BCStyle.O, "koronavilkku dev").build();
    PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic());
    JcaContentSignerBuilder csrBuilder = new JcaContentSignerBuilder(DIGEST_ALGORITHM + "RSA").setProvider("BC");
    ContentSigner csrContentSigner = csrBuilder.build(trustAnchorKeyPair.getPrivate());
    PKCS10CertificationRequest csr = p10Builder.build(csrContentSigner);
    X509v3CertificateBuilder issuedCertBuilder = new X509v3CertificateBuilder(new X500Name("CN=" + DEV_TRUST_ANCHOR_ISSUER), new BigInteger(Long.toString(new SecureRandom().nextLong())), Date.from(Instant.now()), Date.from(Instant.now().plus(Duration.ofDays(100))), csr.getSubject(), csr.getSubjectPublicKeyInfo());
    JcaX509ExtensionUtils issuedCertExtUtils = new JcaX509ExtensionUtils();
    issuedCertBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
    issuedCertBuilder.addExtension(Extension.authorityKeyIdentifier, false, issuedCertExtUtils.createAuthorityKeyIdentifier(trustAnchorCert));
    issuedCertBuilder.addExtension(Extension.subjectKeyIdentifier, false, issuedCertExtUtils.createSubjectKeyIdentifier(csr.getSubjectPublicKeyInfo()));
    issuedCertBuilder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature));
    X509CertificateHolder issuedCertHolder = issuedCertBuilder.build(csrContentSigner);
    X509Certificate issuedCert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(issuedCertHolder);
    issuedCert.verify(trustAnchorCert.getPublicKey(), "BC");
    return issuedCert;
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) X500NameBuilder(org.bouncycastle.asn1.x500.X500NameBuilder) JcaPKCS10CertificationRequestBuilder(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) PKCS10CertificationRequestBuilder(org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder) JcaPKCS10CertificationRequestBuilder(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) X500Name(org.bouncycastle.asn1.x500.X500Name) X509Certificate(java.security.cert.X509Certificate) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)

Aggregations

KeyUsage (org.bouncycastle.asn1.x509.KeyUsage)49 BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)36 X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)27 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)27 ExtendedKeyUsage (org.bouncycastle.asn1.x509.ExtendedKeyUsage)25 JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)25 Date (java.util.Date)23 X500Name (org.bouncycastle.asn1.x500.X500Name)22 ContentSigner (org.bouncycastle.operator.ContentSigner)22 JcaX509v3CertificateBuilder (org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)19 X509Certificate (java.security.cert.X509Certificate)18 BigInteger (java.math.BigInteger)14 GeneralName (org.bouncycastle.asn1.x509.GeneralName)14 KeyPurposeId (org.bouncycastle.asn1.x509.KeyPurposeId)14 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)14 JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)14 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)11 SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)11 KeyPair (java.security.KeyPair)9 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)8