use of com.google.cloud.security.privateca.v1.KeyUsage in project axelor-open-suite by axelor.
the class X509Generator method generate.
/**
* Returns an <code>X509Certificate</code> from a given <code>KeyPair</code> and limit dates
* validations
*
* @param keypair the given key pair
* @param issuer the certificate issuer
* @param notBefore the begin validity date
* @param notAfter the end validity date
* @param keyusage the certificate key usage
* @return the X509 certificate
* @throws GeneralSecurityException
* @throws IOException
*/
public X509Certificate generate(KeyPair keypair, String issuer, Date notBefore, Date notAfter, int keyusage, boolean useX509ExtensionsBasicConstraints, boolean useX509ExtensionsSubjectKeyIdentifier, boolean useX509ExtensionsAuthorityKeyIdentifier, boolean useX509ExtensionsExtendedKeyUsage) throws GeneralSecurityException, IOException {
X509V3CertificateGenerator generator;
BigInteger serial;
X509Certificate certificate;
ASN1EncodableVector vector;
serial = BigInteger.valueOf(generateSerial());
generator = new X509V3CertificateGenerator();
generator.setSerialNumber(serial);
generator.setIssuerDN(new X509Principal(issuer));
generator.setNotBefore(notBefore);
generator.setNotAfter(notAfter);
generator.setSubjectDN(new X509Principal(issuer));
generator.setPublicKey(keypair.getPublic());
generator.setSignatureAlgorithm(X509Constants.SIGNATURE_ALGORITHM);
if (useX509ExtensionsBasicConstraints) {
generator.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true));
}
if (useX509ExtensionsSubjectKeyIdentifier) {
generator.addExtension(X509Extensions.SubjectKeyIdentifier, false, getSubjectKeyIdentifier(keypair.getPublic()));
}
if (useX509ExtensionsAuthorityKeyIdentifier) {
generator.addExtension(X509Extensions.AuthorityKeyIdentifier, false, getAuthorityKeyIdentifier(keypair.getPublic(), issuer, serial));
}
if (useX509ExtensionsExtendedKeyUsage) {
vector = new ASN1EncodableVector();
vector.add(KeyPurposeId.id_kp_emailProtection);
generator.addExtension(X509Extensions.ExtendedKeyUsage, false, ExtendedKeyUsage.getInstance(new DERSequence(vector)));
}
switch(keyusage) {
case X509Constants.SIGNATURE_KEY_USAGE:
generator.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.nonRepudiation));
break;
case X509Constants.AUTHENTICATION_KEY_USAGE:
generator.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
break;
case X509Constants.ENCRYPTION_KEY_USAGE:
generator.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.keyAgreement));
break;
default:
generator.addExtension(X509Extensions.KeyUsage, false, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature));
break;
}
certificate = generator.generate(keypair.getPrivate(), "BC", new SecureRandom());
certificate.checkValidity(new Date());
certificate.verify(keypair.getPublic());
return certificate;
}
use of com.google.cloud.security.privateca.v1.KeyUsage in project SAMLRaider by CompassSecurity.
the class BurpCertificateBuilder method generateX509Certificate.
/**
* Creates a X.509v3 Certificate. The values of "this" object are used for
* the building process.
*
* @param privateKey
* which signes the certificates
* @return certificate object
* @throws CertificateEncodingException
* @throws InvalidKeyException
* @throws IllegalStateException
* @throws NoSuchAlgorithmException
* @throws SignatureException
* @throws IOException
*/
private X509Certificate generateX509Certificate(PrivateKey privateKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, IOException {
if (version != 3) {
throw new UnsupportedOperationException("Not implemented yet.");
}
certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.setSerialNumber(serial);
certificateGenerator.setIssuerDN(this.issuer);
certificateGenerator.setNotBefore(notBefore);
certificateGenerator.setNotAfter(notAfter);
certificateGenerator.setSubjectDN(subject);
certificateGenerator.setSignatureAlgorithm(signatureAlgorithm);
certificateGenerator.setPublicKey(publicKey);
if (hasBasicConstraints) {
if (isCA && hasNoPathLimit) {
certificateGenerator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
} else if (isCA && !hasNoPathLimit) {
certificateGenerator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(pathLimit));
} else {
certificateGenerator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
}
}
if (keyUsage.size() > 0) {
int allKeyUsages = 0;
for (int i : keyUsage) {
allKeyUsages |= i;
}
certificateGenerator.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(allKeyUsages));
}
if (extendedKeyUsage.size() > 0) {
ASN1EncodableVector allExtendedKeyUsages = new ASN1EncodableVector();
for (KeyPurposeId i : extendedKeyUsage) {
allExtendedKeyUsages.add(i);
}
certificateGenerator.addExtension(X509Extensions.ExtendedKeyUsage, false, new DERSequence(allExtendedKeyUsages));
}
if (subjectAlternativeName.size() > 0) {
GeneralNames generalNames = new GeneralNames(subjectAlternativeName.toArray(new GeneralName[subjectAlternativeName.size()]));
certificateGenerator.addExtension(X509Extensions.SubjectAlternativeName, true, generalNames);
}
if (setSubjectKeyIdentifier == true) {
JcaX509ExtensionUtils j = new JcaX509ExtensionUtils();
certificateGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, false, j.createSubjectKeyIdentifier(publicKey));
}
if (!subjectKeyIdentifier.isEmpty() && setSubjectKeyIdentifier == false) {
byte[] ski = CertificateHelper.hexStringToByteArray(subjectKeyIdentifier);
SubjectKeyIdentifier aKI = new SubjectKeyIdentifier(ski);
certificateGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, true, aKI);
}
if (issuerAlternativeName.size() > 0) {
GeneralNames generalNames = new GeneralNames(issuerAlternativeName.toArray(new GeneralName[issuerAlternativeName.size()]));
certificateGenerator.addExtension(X509Extensions.IssuerAlternativeName, true, generalNames);
}
if (setAuthorityKeyIdentifier == true && issuerCertificate != null) {
JcaX509ExtensionUtils j = new JcaX509ExtensionUtils();
certificateGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, true, j.createAuthorityKeyIdentifier(issuerCertificate));
}
if (!authorityKeyIdentifier.isEmpty() && setAuthorityKeyIdentifier == false) {
byte[] aki = CertificateHelper.hexStringToByteArray(authorityKeyIdentifier);
AuthorityKeyIdentifier aKI = new AuthorityKeyIdentifier(aki);
certificateGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, true, aKI);
}
for (BurpCertificateExtension e : burpCertificateExtensions) {
// http://bouncycastle.sourcearchive.com/documentation/1.43/classorg_1_1bouncycastle_1_1x509_1_1X509V3CertificateGenerator_fd5118a4eaa4870e5fbf6efc02f10c00.html#fd5118a4eaa4870e5fbf6efc02f10c00
// Finally!!!
ASN1Encodable extension = X509ExtensionUtil.fromExtensionValue(e.getExtensionValue());
certificateGenerator.addExtension(e.getOid(), e.isCritical(), extension);
}
return certificateGenerator.generate(privateKey);
}
use of com.google.cloud.security.privateca.v1.KeyUsage in project nifi-registry by apache.
the class CertificateUtils method generateIssuedCertificate.
/**
* Generates an issued {@link X509Certificate} from the given issuer certificate and {@link KeyPair}
*
* @param dn the distinguished name to use
* @param publicKey the public key to issue the certificate to
* @param extensions extensions extracted from the CSR
* @param issuer the issuer's certificate
* @param issuerKeyPair the issuer's keypair
* @param signingAlgorithm the signing algorithm to use
* @param days the number of days it should be valid for
* @return an issued {@link X509Certificate} from the given issuer certificate and {@link KeyPair}
* @throws CertificateException if there is an error issuing the certificate
*/
public static X509Certificate generateIssuedCertificate(String dn, PublicKey publicKey, Extensions extensions, X509Certificate issuer, KeyPair issuerKeyPair, String signingAlgorithm, int days) throws CertificateException {
try {
ContentSigner sigGen = new JcaContentSignerBuilder(signingAlgorithm).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(issuerKeyPair.getPrivate());
SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
Date startDate = new Date();
Date endDate = new Date(startDate.getTime() + TimeUnit.DAYS.toMillis(days));
X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(reverseX500Name(new X500Name(issuer.getSubjectX500Principal().getName())), getUniqueSerialNumber(), startDate, endDate, reverseX500Name(new X500Name(dn)), subPubKeyInfo);
certBuilder.addExtension(Extension.subjectKeyIdentifier, false, new JcaX509ExtensionUtils().createSubjectKeyIdentifier(publicKey));
certBuilder.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(issuerKeyPair.getPublic()));
// Set certificate extensions
// (1) digitalSignature extension
certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement | KeyUsage.nonRepudiation));
certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
// (2) extendedKeyUsage extension
certBuilder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth }));
// (3) subjectAlternativeName
if (extensions != null && extensions.getExtension(Extension.subjectAlternativeName) != null) {
certBuilder.addExtension(Extension.subjectAlternativeName, false, extensions.getExtensionParsedValue(Extension.subjectAlternativeName));
}
X509CertificateHolder certificateHolder = certBuilder.build(sigGen);
return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate(certificateHolder);
} catch (CertIOException | NoSuchAlgorithmException | OperatorCreationException e) {
throw new CertificateException(e);
}
}
use of com.google.cloud.security.privateca.v1.KeyUsage in project nifi-registry by apache.
the class CertificateUtils method generateSelfSignedX509Certificate.
/**
* Generates a self-signed {@link X509Certificate} suitable for use as a Certificate Authority.
*
* @param keyPair the {@link KeyPair} to generate the {@link X509Certificate} for
* @param dn the distinguished name to user for the {@link X509Certificate}
* @param signingAlgorithm the signing algorithm to use for the {@link X509Certificate}
* @param certificateDurationDays the duration in days for which the {@link X509Certificate} should be valid
* @return a self-signed {@link X509Certificate} suitable for use as a Certificate Authority
* @throws CertificateException if there is an generating the new certificate
*/
public static X509Certificate generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays) throws CertificateException {
try {
ContentSigner sigGen = new JcaContentSignerBuilder(signingAlgorithm).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(keyPair.getPrivate());
SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
Date startDate = new Date();
Date endDate = new Date(startDate.getTime() + TimeUnit.DAYS.toMillis(certificateDurationDays));
X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(reverseX500Name(new X500Name(dn)), getUniqueSerialNumber(), startDate, endDate, reverseX500Name(new X500Name(dn)), subPubKeyInfo);
// Set certificate extensions
// (1) digitalSignature extension
certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement | KeyUsage.nonRepudiation | KeyUsage.cRLSign | KeyUsage.keyCertSign));
certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));
certBuilder.addExtension(Extension.subjectKeyIdentifier, false, new JcaX509ExtensionUtils().createSubjectKeyIdentifier(keyPair.getPublic()));
certBuilder.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic()));
// (2) extendedKeyUsage extension
certBuilder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth }));
// Sign the certificate
X509CertificateHolder certificateHolder = certBuilder.build(sigGen);
return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate(certificateHolder);
} catch (CertIOException | NoSuchAlgorithmException | OperatorCreationException e) {
throw new CertificateException(e);
}
}
use of com.google.cloud.security.privateca.v1.KeyUsage in project ozone by apache.
the class SelfSignedCertificate method generateCertificate.
private X509CertificateHolder generateCertificate(boolean isCA) throws OperatorCreationException, IOException {
// For the Root Certificate we form the name from Subject, SCM ID and
// Cluster ID.
String dnName = String.format(getNameFormat(), subject, scmID, clusterID);
X500Name name = new X500Name(dnName);
byte[] encoded = key.getPublic().getEncoded();
SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(encoded);
ContentSigner contentSigner = new JcaContentSignerBuilder(config.getSignatureAlgo()).setProvider(config.getProvider()).build(key.getPrivate());
// Please note: Since this is a root certificate we use "ONE" as the
// serial number. Also note that skip enforcing locale or UTC. We are
// trying to operate at the Days level, hence Time zone is also skipped for
// now.
BigInteger serial = BigInteger.ONE;
if (!isCA) {
serial = new BigInteger(Long.toString(Time.monotonicNow()));
}
ZoneOffset zoneOffset = beginDate.atStartOfDay(ZoneOffset.systemDefault()).getOffset();
// Valid from the Start of the day when we generate this Certificate.
Date validFrom = Date.from(beginDate.atTime(LocalTime.MIN).toInstant(zoneOffset));
// Valid till end day finishes.
Date validTill = Date.from(endDate.atTime(LocalTime.MAX).toInstant(zoneOffset));
X509v3CertificateBuilder builder = new X509v3CertificateBuilder(name, serial, validFrom, validTill, name, publicKeyInfo);
if (isCA) {
builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
int keyUsageFlag = KeyUsage.keyCertSign | KeyUsage.cRLSign;
KeyUsage keyUsage = new KeyUsage(keyUsageFlag);
builder.addExtension(Extension.keyUsage, true, keyUsage);
if (altNames != null && altNames.size() >= 1) {
builder.addExtension(new Extension(Extension.subjectAlternativeName, false, new GeneralNames(altNames.toArray(new GeneralName[altNames.size()])).getEncoded()));
}
}
return builder.build(contentSigner);
}
Aggregations