use of com.unboundid.util.OID in project ldapsdk by pingidentity.
the class X509CertificateTestCase method testVerifySignatureUnrecognizedSignatureAlgorithm.
/**
* Tests the behavior of the {@code verifySignature} method with an
* unrecognized signature algorithm.
*
* @throws Exception If an unexpected problem occurs.
*/
@Test(expectedExceptions = { CertException.class })
public void testVerifySignatureUnrecognizedSignatureAlgorithm() throws Exception {
final ObjectPair<X509Certificate, KeyPair> p = X509Certificate.generateSelfSignedCertificate(SignatureAlgorithmIdentifier.SHA_256_WITH_RSA, PublicKeyAlgorithmIdentifier.RSA, 2048, new DN("CN=ldap.example.com,O=Example Corporation,C=US"), System.currentTimeMillis(), System.currentTimeMillis() + TimeUnit.DAYS.toMillis(365L), new SubjectAlternativeNameExtension(false, new GeneralNamesBuilder().addDNSName("ldap.example.com").build()));
final X509Certificate c = p.getFirst();
final X509CertificateExtension[] extensions = new X509CertificateExtension[c.getExtensions().size()];
c.getExtensions().toArray(extensions);
final X509Certificate cert = new X509Certificate(c.getVersion(), c.getSerialNumber(), new OID("1.2.3.4.5.6.7.8"), c.getSignatureAlgorithmParameters(), new ASN1BitString(true, false, true, false, true), c.getIssuerDN(), c.getNotBeforeTime(), c.getNotAfterTime(), c.getSubjectDN(), c.getPublicKeyAlgorithmOID(), null, c.getEncodedPublicKey(), c.getDecodedPublicKey(), c.getIssuerUniqueID(), c.getSubjectUniqueID(), extensions);
cert.verifySignature(null);
}
use of com.unboundid.util.OID in project ldapsdk by pingidentity.
the class ManageCertificates method doGenerateOrSignCertificateOrCSR.
/**
* Performs the necessary processing for the generate-self-signed-certificate,
* generate-certificate-signing-request, and sign-certificate-signing-request
* subcommands.
*
* @return A result code that indicates whether the processing completed
* successfully.
*/
@NotNull()
private ResultCode doGenerateOrSignCertificateOrCSR() {
// Figure out which subcommand we're processing.
final boolean isGenerateCertificate;
final boolean isGenerateCSR;
final boolean isSignCSR;
final SubCommand selectedSubCommand = globalParser.getSelectedSubCommand();
if (selectedSubCommand.hasName("generate-self-signed-certificate")) {
isGenerateCertificate = true;
isGenerateCSR = false;
isSignCSR = false;
} else if (selectedSubCommand.hasName("generate-certificate-signing-request")) {
isGenerateCertificate = false;
isGenerateCSR = true;
isSignCSR = false;
} else {
Validator.ensureTrue(selectedSubCommand.hasName("sign-certificate-signing-request"));
isGenerateCertificate = false;
isGenerateCSR = false;
isSignCSR = true;
}
// Get the values of a number of configured arguments.
final StringArgument aliasArgument = subCommandParser.getStringArgument("alias");
final String alias = aliasArgument.getValue();
final File keystorePath = getKeystorePath();
final boolean isNewKeystore = (!keystorePath.exists());
DN subjectDN = null;
final DNArgument subjectDNArgument = subCommandParser.getDNArgument("subject-dn");
if ((subjectDNArgument != null) && subjectDNArgument.isPresent()) {
subjectDN = subjectDNArgument.getValue();
}
File inputFile = null;
final FileArgument inputFileArgument = subCommandParser.getFileArgument("input-file");
if ((inputFileArgument != null) && inputFileArgument.isPresent()) {
inputFile = inputFileArgument.getValue();
}
File outputFile = null;
final FileArgument outputFileArgument = subCommandParser.getFileArgument("output-file");
if ((outputFileArgument != null) && outputFileArgument.isPresent()) {
outputFile = outputFileArgument.getValue();
}
boolean outputPEM = true;
final StringArgument outputFormatArgument = subCommandParser.getStringArgument("output-format");
if ((outputFormatArgument != null) && outputFormatArgument.isPresent()) {
final String format = outputFormatArgument.getValue().toLowerCase();
if (format.equals("der") || format.equals("binary") || format.equals("bin")) {
outputPEM = false;
}
}
if ((!outputPEM) && (outputFile == null)) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_NO_FILE_WITH_DER.get());
return ResultCode.PARAM_ERROR;
}
final BooleanArgument replaceExistingCertificateArgument = subCommandParser.getBooleanArgument("replace-existing-certificate");
final boolean replaceExistingCertificate = ((replaceExistingCertificateArgument != null) && replaceExistingCertificateArgument.isPresent());
if (replaceExistingCertificate && (!keystorePath.exists())) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_REPLACE_WITHOUT_KS.get());
return ResultCode.PARAM_ERROR;
}
final BooleanArgument inheritExtensionsArgument = subCommandParser.getBooleanArgument("inherit-extensions");
final boolean inheritExtensions = ((inheritExtensionsArgument != null) && inheritExtensionsArgument.isPresent());
final BooleanArgument includeRequestedExtensionsArgument = subCommandParser.getBooleanArgument("include-requested-extensions");
final boolean includeRequestedExtensions = ((includeRequestedExtensionsArgument != null) && includeRequestedExtensionsArgument.isPresent());
final BooleanArgument noPromptArgument = subCommandParser.getBooleanArgument("no-prompt");
final boolean noPrompt = ((noPromptArgument != null) && noPromptArgument.isPresent());
final BooleanArgument displayKeytoolCommandArgument = subCommandParser.getBooleanArgument("display-keytool-command");
final boolean displayKeytoolCommand = ((displayKeytoolCommandArgument != null) && displayKeytoolCommandArgument.isPresent());
int daysValid = 365;
final IntegerArgument daysValidArgument = subCommandParser.getIntegerArgument("days-valid");
if ((daysValidArgument != null) && daysValidArgument.isPresent()) {
daysValid = daysValidArgument.getValue();
}
Date validityStartTime = null;
final TimestampArgument validityStartTimeArgument = subCommandParser.getTimestampArgument("validity-start-time");
if ((validityStartTimeArgument != null) && validityStartTimeArgument.isPresent()) {
validityStartTime = validityStartTimeArgument.getValue();
}
PublicKeyAlgorithmIdentifier keyAlgorithmIdentifier = null;
String keyAlgorithmName = null;
final StringArgument keyAlgorithmArgument = subCommandParser.getStringArgument("key-algorithm");
if ((keyAlgorithmArgument != null) && keyAlgorithmArgument.isPresent()) {
final String name = keyAlgorithmArgument.getValue();
keyAlgorithmIdentifier = PublicKeyAlgorithmIdentifier.forName(name);
if (keyAlgorithmIdentifier == null) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_UNKNOWN_KEY_ALG.get(name));
return ResultCode.PARAM_ERROR;
} else {
keyAlgorithmName = keyAlgorithmIdentifier.getName();
}
}
Integer keySizeBits = null;
final IntegerArgument keySizeBitsArgument = subCommandParser.getIntegerArgument("key-size-bits");
if ((keySizeBitsArgument != null) && keySizeBitsArgument.isPresent()) {
keySizeBits = keySizeBitsArgument.getValue();
}
if ((keyAlgorithmIdentifier != null) && (keyAlgorithmIdentifier != PublicKeyAlgorithmIdentifier.RSA) && (keySizeBits == null)) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_NO_KEY_SIZE_FOR_NON_RSA_KEY.get());
return ResultCode.PARAM_ERROR;
}
String signatureAlgorithmName = null;
SignatureAlgorithmIdentifier signatureAlgorithmIdentifier = null;
final StringArgument signatureAlgorithmArgument = subCommandParser.getStringArgument("signature-algorithm");
if ((signatureAlgorithmArgument != null) && signatureAlgorithmArgument.isPresent()) {
final String name = signatureAlgorithmArgument.getValue();
signatureAlgorithmIdentifier = SignatureAlgorithmIdentifier.forName(name);
if (signatureAlgorithmIdentifier == null) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_UNKNOWN_SIG_ALG.get(name));
return ResultCode.PARAM_ERROR;
} else {
signatureAlgorithmName = signatureAlgorithmIdentifier.getJavaName();
}
}
if ((keyAlgorithmIdentifier != null) && (keyAlgorithmIdentifier != PublicKeyAlgorithmIdentifier.RSA) && (signatureAlgorithmIdentifier == null)) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_NO_SIG_ALG_FOR_NON_RSA_KEY.get());
return ResultCode.PARAM_ERROR;
}
// Build a subject alternative name extension, if appropriate.
final ArrayList<X509CertificateExtension> extensionList = new ArrayList<>(10);
final GeneralNamesBuilder sanBuilder = new GeneralNamesBuilder();
final LinkedHashSet<String> sanValues = new LinkedHashSet<>(StaticUtils.computeMapCapacity(10));
final StringArgument sanDNSArgument = subCommandParser.getStringArgument("subject-alternative-name-dns");
if ((sanDNSArgument != null) && sanDNSArgument.isPresent()) {
for (final String value : sanDNSArgument.getValues()) {
sanBuilder.addDNSName(value);
sanValues.add("DNS:" + value);
}
}
final StringArgument sanIPArgument = subCommandParser.getStringArgument("subject-alternative-name-ip-address");
if ((sanIPArgument != null) && sanIPArgument.isPresent()) {
for (final String value : sanIPArgument.getValues()) {
try {
sanBuilder.addIPAddress(LDAPConnectionOptions.DEFAULT_NAME_RESOLVER.getByName(value));
sanValues.add("IP:" + value);
} catch (final Exception e) {
// This should never happen.
Debug.debugException(e);
throw new RuntimeException(e);
}
}
}
final StringArgument sanEmailArgument = subCommandParser.getStringArgument("subject-alternative-name-email-address");
if ((sanEmailArgument != null) && sanEmailArgument.isPresent()) {
for (final String value : sanEmailArgument.getValues()) {
sanBuilder.addRFC822Name(value);
sanValues.add("EMAIL:" + value);
}
}
final StringArgument sanURIArgument = subCommandParser.getStringArgument("subject-alternative-name-uri");
if ((sanURIArgument != null) && sanURIArgument.isPresent()) {
for (final String value : sanURIArgument.getValues()) {
sanBuilder.addUniformResourceIdentifier(value);
sanValues.add("URI:" + value);
}
}
final StringArgument sanOIDArgument = subCommandParser.getStringArgument("subject-alternative-name-oid");
if ((sanOIDArgument != null) && sanOIDArgument.isPresent()) {
for (final String value : sanOIDArgument.getValues()) {
sanBuilder.addRegisteredID(new OID(value));
sanValues.add("OID:" + value);
}
}
if (!sanValues.isEmpty()) {
try {
extensionList.add(new SubjectAlternativeNameExtension(false, sanBuilder.build()));
} catch (final Exception e) {
// This should never happen.
Debug.debugException(e);
throw new RuntimeException(e);
}
}
// Build a set of issuer alternative name extension values.
final GeneralNamesBuilder ianBuilder = new GeneralNamesBuilder();
final LinkedHashSet<String> ianValues = new LinkedHashSet<>(StaticUtils.computeMapCapacity(10));
final StringArgument ianDNSArgument = subCommandParser.getStringArgument("issuer-alternative-name-dns");
if ((ianDNSArgument != null) && ianDNSArgument.isPresent()) {
for (final String value : ianDNSArgument.getValues()) {
ianBuilder.addDNSName(value);
ianValues.add("DNS:" + value);
}
}
final StringArgument ianIPArgument = subCommandParser.getStringArgument("issuer-alternative-name-ip-address");
if ((ianIPArgument != null) && ianIPArgument.isPresent()) {
for (final String value : ianIPArgument.getValues()) {
try {
ianBuilder.addIPAddress(LDAPConnectionOptions.DEFAULT_NAME_RESOLVER.getByName(value));
ianValues.add("IP:" + value);
} catch (final Exception e) {
// This should never happen.
Debug.debugException(e);
throw new RuntimeException(e);
}
}
}
final StringArgument ianEmailArgument = subCommandParser.getStringArgument("issuer-alternative-name-email-address");
if ((ianEmailArgument != null) && ianEmailArgument.isPresent()) {
for (final String value : ianEmailArgument.getValues()) {
ianBuilder.addRFC822Name(value);
ianValues.add("EMAIL:" + value);
}
}
final StringArgument ianURIArgument = subCommandParser.getStringArgument("issuer-alternative-name-uri");
if ((ianURIArgument != null) && ianURIArgument.isPresent()) {
for (final String value : ianURIArgument.getValues()) {
ianBuilder.addUniformResourceIdentifier(value);
ianValues.add("URI:" + value);
}
}
final StringArgument ianOIDArgument = subCommandParser.getStringArgument("issuer-alternative-name-oid");
if ((ianOIDArgument != null) && ianOIDArgument.isPresent()) {
for (final String value : ianOIDArgument.getValues()) {
ianBuilder.addRegisteredID(new OID(value));
ianValues.add("OID:" + value);
}
}
if (!ianValues.isEmpty()) {
try {
extensionList.add(new IssuerAlternativeNameExtension(false, ianBuilder.build()));
} catch (final Exception e) {
// This should never happen.
Debug.debugException(e);
throw new RuntimeException(e);
}
}
// Build a basic constraints extension, if appropriate.
BasicConstraintsExtension basicConstraints = null;
final BooleanValueArgument basicConstraintsIsCAArgument = subCommandParser.getBooleanValueArgument("basic-constraints-is-ca");
if ((basicConstraintsIsCAArgument != null) && basicConstraintsIsCAArgument.isPresent()) {
final boolean isCA = basicConstraintsIsCAArgument.getValue();
Integer pathLength = null;
final IntegerArgument pathLengthArgument = subCommandParser.getIntegerArgument("basic-constraints-maximum-path-length");
if ((pathLengthArgument != null) && pathLengthArgument.isPresent()) {
if (isCA) {
pathLength = pathLengthArgument.getValue();
} else {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_BC_PATH_LENGTH_WITHOUT_CA.get());
return ResultCode.PARAM_ERROR;
}
}
basicConstraints = new BasicConstraintsExtension(false, isCA, pathLength);
extensionList.add(basicConstraints);
}
// Build a key usage extension, if appropriate.
KeyUsageExtension keyUsage = null;
final StringArgument keyUsageArgument = subCommandParser.getStringArgument("key-usage");
if ((keyUsageArgument != null) && keyUsageArgument.isPresent()) {
boolean digitalSignature = false;
boolean nonRepudiation = false;
boolean keyEncipherment = false;
boolean dataEncipherment = false;
boolean keyAgreement = false;
boolean keyCertSign = false;
boolean crlSign = false;
boolean encipherOnly = false;
boolean decipherOnly = false;
for (final String value : keyUsageArgument.getValues()) {
if (value.equalsIgnoreCase("digital-signature") || value.equalsIgnoreCase("digitalSignature")) {
digitalSignature = true;
} else if (value.equalsIgnoreCase("non-repudiation") || value.equalsIgnoreCase("nonRepudiation") || value.equalsIgnoreCase("content-commitment") || value.equalsIgnoreCase("contentCommitment")) {
nonRepudiation = true;
} else if (value.equalsIgnoreCase("key-encipherment") || value.equalsIgnoreCase("keyEncipherment")) {
keyEncipherment = true;
} else if (value.equalsIgnoreCase("data-encipherment") || value.equalsIgnoreCase("dataEncipherment")) {
dataEncipherment = true;
} else if (value.equalsIgnoreCase("key-agreement") || value.equalsIgnoreCase("keyAgreement")) {
keyAgreement = true;
} else if (value.equalsIgnoreCase("key-cert-sign") || value.equalsIgnoreCase("keyCertSign")) {
keyCertSign = true;
} else if (value.equalsIgnoreCase("crl-sign") || value.equalsIgnoreCase("crlSign")) {
crlSign = true;
} else if (value.equalsIgnoreCase("encipher-only") || value.equalsIgnoreCase("encipherOnly")) {
encipherOnly = true;
} else if (value.equalsIgnoreCase("decipher-only") || value.equalsIgnoreCase("decipherOnly")) {
decipherOnly = true;
} else {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_INVALID_KEY_USAGE.get(value));
return ResultCode.PARAM_ERROR;
}
}
keyUsage = new KeyUsageExtension(false, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, crlSign, encipherOnly, decipherOnly);
extensionList.add(keyUsage);
}
// Build an extended key usage extension, if appropriate.
ExtendedKeyUsageExtension extendedKeyUsage = null;
final StringArgument extendedKeyUsageArgument = subCommandParser.getStringArgument("extended-key-usage");
if ((extendedKeyUsageArgument != null) && extendedKeyUsageArgument.isPresent()) {
final List<String> values = extendedKeyUsageArgument.getValues();
final ArrayList<OID> keyPurposeIDs = new ArrayList<>(values.size());
for (final String value : values) {
if (value.equalsIgnoreCase("server-auth") || value.equalsIgnoreCase("serverAuth") || value.equalsIgnoreCase("server-authentication") || value.equalsIgnoreCase("serverAuthentication") || value.equalsIgnoreCase("tls-server-authentication") || value.equalsIgnoreCase("tlsServerAuthentication")) {
keyPurposeIDs.add(ExtendedKeyUsageID.TLS_SERVER_AUTHENTICATION.getOID());
} else if (value.equalsIgnoreCase("client-auth") || value.equalsIgnoreCase("clientAuth") || value.equalsIgnoreCase("client-authentication") || value.equalsIgnoreCase("clientAuthentication") || value.equalsIgnoreCase("tls-client-authentication") || value.equalsIgnoreCase("tlsClientAuthentication")) {
keyPurposeIDs.add(ExtendedKeyUsageID.TLS_CLIENT_AUTHENTICATION.getOID());
} else if (value.equalsIgnoreCase("code-signing") || value.equalsIgnoreCase("codeSigning")) {
keyPurposeIDs.add(ExtendedKeyUsageID.CODE_SIGNING.getOID());
} else if (value.equalsIgnoreCase("email-protection") || value.equalsIgnoreCase("emailProtection")) {
keyPurposeIDs.add(ExtendedKeyUsageID.EMAIL_PROTECTION.getOID());
} else if (value.equalsIgnoreCase("time-stamping") || value.equalsIgnoreCase("timeStamping")) {
keyPurposeIDs.add(ExtendedKeyUsageID.TIME_STAMPING.getOID());
} else if (value.equalsIgnoreCase("ocsp-signing") || value.equalsIgnoreCase("ocspSigning")) {
keyPurposeIDs.add(ExtendedKeyUsageID.OCSP_SIGNING.getOID());
} else if (OID.isStrictlyValidNumericOID(value)) {
keyPurposeIDs.add(new OID(value));
} else {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_INVALID_EXTENDED_KEY_USAGE.get(value));
return ResultCode.PARAM_ERROR;
}
}
try {
extendedKeyUsage = new ExtendedKeyUsageExtension(false, keyPurposeIDs);
} catch (final Exception e) {
// This should never happen.
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_EXTENDED_KEY_USAGE_ERROR.get());
e.printStackTrace(getErr());
return ResultCode.PARAM_ERROR;
}
extensionList.add(extendedKeyUsage);
}
// Build a list of generic extensions.
final ArrayList<X509CertificateExtension> genericExtensions = new ArrayList<>(5);
final StringArgument extensionArgument = subCommandParser.getStringArgument("extension");
if ((extensionArgument != null) && extensionArgument.isPresent()) {
for (final String value : extensionArgument.getValues()) {
try {
final int firstColonPos = value.indexOf(':');
final int secondColonPos = value.indexOf(':', firstColonPos + 1);
final OID oid = new OID(value.substring(0, firstColonPos));
if (!oid.isStrictlyValidNumericOID()) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_EXT_MALFORMED_OID.get(value, oid.toString()));
return ResultCode.PARAM_ERROR;
}
final boolean criticality;
final String criticalityString = value.substring(firstColonPos + 1, secondColonPos);
if (criticalityString.equalsIgnoreCase("true") || criticalityString.equalsIgnoreCase("t") || criticalityString.equalsIgnoreCase("yes") || criticalityString.equalsIgnoreCase("y") || criticalityString.equalsIgnoreCase("on") || criticalityString.equalsIgnoreCase("1")) {
criticality = true;
} else if (criticalityString.equalsIgnoreCase("false") || criticalityString.equalsIgnoreCase("f") || criticalityString.equalsIgnoreCase("no") || criticalityString.equalsIgnoreCase("n") || criticalityString.equalsIgnoreCase("off") || criticalityString.equalsIgnoreCase("0")) {
criticality = false;
} else {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_EXT_INVALID_CRITICALITY.get(value, criticalityString));
return ResultCode.PARAM_ERROR;
}
final byte[] valueBytes;
try {
valueBytes = StaticUtils.fromHex(value.substring(secondColonPos + 1));
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_EXT_INVALID_VALUE.get(value));
return ResultCode.PARAM_ERROR;
}
final X509CertificateExtension extension = new X509CertificateExtension(oid, criticality, valueBytes);
genericExtensions.add(extension);
extensionList.add(extension);
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_EXT_MALFORMED.get(value));
return ResultCode.PARAM_ERROR;
}
}
}
final String keystoreType;
try {
keystoreType = inferKeystoreType(keystorePath);
} catch (final LDAPException le) {
Debug.debugException(le);
wrapErr(0, WRAP_COLUMN, le.getMessage());
return le.getResultCode();
}
final char[] keystorePassword;
try {
keystorePassword = getKeystorePassword(keystorePath);
} catch (final LDAPException le) {
Debug.debugException(le);
wrapErr(0, WRAP_COLUMN, le.getMessage());
return le.getResultCode();
}
// Get the keystore.
final KeyStore keystore;
try {
keystore = getKeystore(keystoreType, keystorePath, keystorePassword);
} catch (final LDAPException le) {
Debug.debugException(le);
wrapErr(0, WRAP_COLUMN, le.getMessage());
return le.getResultCode();
}
// If there is a private key, then see if we need to use a private key
// password that is different from the keystore password.
final char[] privateKeyPassword;
try {
privateKeyPassword = getPrivateKeyPassword(keystore, alias, keystorePassword);
} catch (final LDAPException le) {
Debug.debugException(le);
wrapErr(0, WRAP_COLUMN, le.getMessage());
return le.getResultCode();
}
// perform the appropriate processing for that.
if (replaceExistingCertificate) {
// specified alias.
if (!hasKeyAlias(keystore, alias)) {
if (hasCertificateAlias(keystore, alias)) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_REPLACE_ALIAS_IS_CERT.get(alias, keystorePath.getAbsolutePath()));
return ResultCode.PARAM_ERROR;
} else {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_REPLACE_NO_SUCH_ALIAS.get(alias, keystorePath.getAbsolutePath()));
return ResultCode.PARAM_ERROR;
}
}
// Get the certificate to replace, along with its key pair.
final X509Certificate certToReplace;
final KeyPair keyPair;
try {
final Certificate[] chain = keystore.getCertificateChain(alias);
certToReplace = new X509Certificate(chain[0].getEncoded());
final PublicKey publicKey = chain[0].getPublicKey();
final PrivateKey privateKey = (PrivateKey) keystore.getKey(alias, privateKeyPassword);
keyPair = new KeyPair(publicKey, privateKey);
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_REPLACE_COULD_NOT_GET_CERT.get(alias));
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
// Assign the remaining values using information in the existing
// certificate.
signatureAlgorithmIdentifier = SignatureAlgorithmIdentifier.forOID(certToReplace.getSignatureAlgorithmOID());
if (signatureAlgorithmIdentifier == null) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_UNKNOWN_SIG_ALG_IN_CERT.get(certToReplace.getSignatureAlgorithmOID()));
return ResultCode.PARAM_ERROR;
} else {
signatureAlgorithmName = signatureAlgorithmIdentifier.getJavaName();
}
if (subjectDN == null) {
subjectDN = certToReplace.getSubjectDN();
}
if (inheritExtensions) {
for (final X509CertificateExtension extension : certToReplace.getExtensions()) {
if ((extension instanceof AuthorityKeyIdentifierExtension) || (extension instanceof IssuerAlternativeNameExtension)) {
// This extension applies to the issuer. We won't include this in
// the set of inherited extensions.
} else if (extension instanceof SubjectKeyIdentifierExtension) {
// The generated certificate will automatically include a subject
// key identifier extension, so we don't need to include it.
} else if (extension instanceof BasicConstraintsExtension) {
// Don't override a value already provided on the command line.
if (basicConstraints == null) {
basicConstraints = (BasicConstraintsExtension) extension;
extensionList.add(basicConstraints);
}
} else if (extension instanceof ExtendedKeyUsageExtension) {
// Don't override a value already provided on the command line.
if (extendedKeyUsage == null) {
extendedKeyUsage = (ExtendedKeyUsageExtension) extension;
extensionList.add(extendedKeyUsage);
}
} else if (extension instanceof KeyUsageExtension) {
// Don't override a value already provided on the command line.
if (keyUsage == null) {
keyUsage = (KeyUsageExtension) extension;
extensionList.add(keyUsage);
}
} else if (extension instanceof SubjectAlternativeNameExtension) {
// line.
if (sanValues.isEmpty()) {
final SubjectAlternativeNameExtension e = (SubjectAlternativeNameExtension) extension;
for (final String dnsName : e.getDNSNames()) {
sanValues.add("DNS:" + dnsName);
}
for (final InetAddress ipAddress : e.getIPAddresses()) {
sanValues.add("IP:" + ipAddress.getHostAddress());
}
for (final String emailAddress : e.getRFC822Names()) {
sanValues.add("EMAIL:" + emailAddress);
}
for (final String uri : e.getUniformResourceIdentifiers()) {
sanValues.add("URI:" + uri);
}
for (final OID oid : e.getRegisteredIDs()) {
sanValues.add("OID:" + oid.toString());
}
extensionList.add(extension);
}
} else {
genericExtensions.add(extension);
extensionList.add(extension);
}
}
}
// Create an array with the final set of extensions to include in the
// certificate or certificate signing request.
final X509CertificateExtension[] extensions = new X509CertificateExtension[extensionList.size()];
extensionList.toArray(extensions);
// a keytool command that we could use to accomplish it.
if (isGenerateCertificate) {
if (displayKeytoolCommand) {
final ArrayList<String> keytoolArguments = new ArrayList<>(30);
keytoolArguments.add("-selfcert");
keytoolArguments.add("-keystore");
keytoolArguments.add(keystorePath.getAbsolutePath());
keytoolArguments.add("-storetype");
keytoolArguments.add(keystoreType);
keytoolArguments.add("-storepass");
keytoolArguments.add("*****REDACTED*****");
keytoolArguments.add("-keypass");
keytoolArguments.add("*****REDACTED*****");
keytoolArguments.add("-alias");
keytoolArguments.add(alias);
keytoolArguments.add("-dname");
keytoolArguments.add(subjectDN.toString());
keytoolArguments.add("-sigalg");
keytoolArguments.add(signatureAlgorithmName);
keytoolArguments.add("-validity");
keytoolArguments.add(String.valueOf(daysValid));
if (validityStartTime != null) {
keytoolArguments.add("-startdate");
keytoolArguments.add(formatValidityStartTime(validityStartTime));
}
addExtensionArguments(keytoolArguments, basicConstraints, keyUsage, extendedKeyUsage, sanValues, ianValues, genericExtensions);
displayKeytoolCommand(keytoolArguments);
}
// Generate the self-signed certificate.
final long notBefore;
if (validityStartTime == null) {
notBefore = System.currentTimeMillis();
} else {
notBefore = validityStartTime.getTime();
}
final long notAfter = notBefore + TimeUnit.DAYS.toMillis(daysValid);
final X509Certificate certificate;
final Certificate[] chain;
try {
certificate = X509Certificate.generateSelfSignedCertificate(signatureAlgorithmIdentifier, keyPair, subjectDN, notBefore, notAfter, extensions);
chain = new Certificate[] { certificate.toCertificate() };
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_ERROR_GENERATING_CERT.get());
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
// Update the keystore with the new certificate.
try {
keystore.setKeyEntry(alias, keyPair.getPrivate(), privateKeyPassword, chain);
writeKeystore(keystore, keystorePath, keystorePassword);
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_ERROR_UPDATING_KEYSTORE.get());
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
// Display the certificate we just generated to the end user.
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_GEN_CERT_SUCCESSFULLY_GENERATED_SELF_CERT.get());
printCertificate(certificate, "", false);
// If we should write an output file, then do that now.
if (outputFile != null) {
try (PrintStream ps = new PrintStream(outputFile)) {
final byte[] certBytes = certificate.getX509CertificateBytes();
if (outputPEM) {
writePEMCertificate(ps, certBytes);
} else {
ps.write(certBytes);
}
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_GEN_CERT_WROTE_OUTPUT_FILE.get(outputFile.getAbsolutePath()));
} catch (final Exception e) {
Debug.debugException(e);
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_ERROR_WRITING_CERT.get(outputFile.getAbsolutePath()));
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
}
return ResultCode.SUCCESS;
} else {
// Build the keytool command used to generate the certificate signing
// request.
Validator.ensureTrue(isGenerateCSR);
if (displayKeytoolCommand) {
final ArrayList<String> keytoolArguments = new ArrayList<>(30);
keytoolArguments.add("-certreq");
keytoolArguments.add("-keystore");
keytoolArguments.add(keystorePath.getAbsolutePath());
keytoolArguments.add("-storetype");
keytoolArguments.add(keystoreType);
keytoolArguments.add("-storepass");
keytoolArguments.add("*****REDACTED*****");
keytoolArguments.add("-keypass");
keytoolArguments.add("*****REDACTED*****");
keytoolArguments.add("-alias");
keytoolArguments.add(alias);
keytoolArguments.add("-dname");
keytoolArguments.add(subjectDN.toString());
keytoolArguments.add("-sigalg");
keytoolArguments.add(signatureAlgorithmName);
addExtensionArguments(keytoolArguments, basicConstraints, keyUsage, extendedKeyUsage, sanValues, ianValues, genericExtensions);
if (outputFile != null) {
keytoolArguments.add("-file");
keytoolArguments.add(outputFile.getAbsolutePath());
}
displayKeytoolCommand(keytoolArguments);
}
// Generate the certificate signing request.
final PKCS10CertificateSigningRequest certificateSigningRequest;
try {
certificateSigningRequest = PKCS10CertificateSigningRequest.generateCertificateSigningRequest(signatureAlgorithmIdentifier, keyPair, subjectDN, extensions);
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_ERROR_GENERATING_CSR.get());
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
// location.
try {
final PrintStream ps;
if (outputFile == null) {
ps = getOut();
} else {
ps = new PrintStream(outputFile);
}
if (outputPEM) {
writePEMCertificateSigningRequest(ps, certificateSigningRequest.getPKCS10CertificateSigningRequestBytes());
} else {
ps.write(certificateSigningRequest.getPKCS10CertificateSigningRequestBytes());
}
if (outputFile != null) {
ps.close();
}
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_ERROR_WRITING_CSR.get());
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
// able to see it.
if (outputFile != null) {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_GEN_CERT_SUCCESSFULLY_GENERATED_CSR.get(outputFile.getAbsolutePath()));
}
return ResultCode.SUCCESS;
}
}
// certificate. Perform any remaining argument assignment and validation.
if ((subjectDN == null) && (!isSignCSR)) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_NO_SUBJECT_DN_WITHOUT_REPLACE.get());
return ResultCode.PARAM_ERROR;
}
if (keyAlgorithmIdentifier == null) {
keyAlgorithmIdentifier = PublicKeyAlgorithmIdentifier.RSA;
keyAlgorithmName = keyAlgorithmIdentifier.getName();
}
if (keySizeBits == null) {
keySizeBits = 2048;
}
if ((signatureAlgorithmIdentifier == null) && (!isSignCSR)) {
signatureAlgorithmIdentifier = SignatureAlgorithmIdentifier.SHA_256_WITH_RSA;
signatureAlgorithmName = signatureAlgorithmIdentifier.getJavaName();
}
// certificate.
if (isGenerateCertificate || isGenerateCSR) {
// keystore.
if (hasKeyAlias(keystore, alias) || hasCertificateAlias(keystore, alias)) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_ALIAS_EXISTS_WITHOUT_REPLACE.get(alias));
return ResultCode.PARAM_ERROR;
}
if (displayKeytoolCommand) {
final ArrayList<String> keytoolArguments = new ArrayList<>(30);
keytoolArguments.add("-genkeypair");
keytoolArguments.add("-keystore");
keytoolArguments.add(keystorePath.getAbsolutePath());
keytoolArguments.add("-storetype");
keytoolArguments.add(keystoreType);
keytoolArguments.add("-storepass");
keytoolArguments.add("*****REDACTED*****");
keytoolArguments.add("-keypass");
keytoolArguments.add("*****REDACTED*****");
keytoolArguments.add("-alias");
keytoolArguments.add(alias);
keytoolArguments.add("-dname");
keytoolArguments.add(subjectDN.toString());
keytoolArguments.add("-keyalg");
keytoolArguments.add(keyAlgorithmName);
keytoolArguments.add("-keysize");
keytoolArguments.add(String.valueOf(keySizeBits));
keytoolArguments.add("-sigalg");
keytoolArguments.add(signatureAlgorithmName);
keytoolArguments.add("-validity");
keytoolArguments.add(String.valueOf(daysValid));
if (validityStartTime != null) {
keytoolArguments.add("-startdate");
keytoolArguments.add(formatValidityStartTime(validityStartTime));
}
addExtensionArguments(keytoolArguments, basicConstraints, keyUsage, extendedKeyUsage, sanValues, ianValues, genericExtensions);
displayKeytoolCommand(keytoolArguments);
}
// Generate the self-signed certificate.
final long notBefore;
if (validityStartTime == null) {
notBefore = System.currentTimeMillis();
} else {
notBefore = validityStartTime.getTime();
}
final long notAfter = notBefore + TimeUnit.DAYS.toMillis(daysValid);
final X509CertificateExtension[] extensions = new X509CertificateExtension[extensionList.size()];
extensionList.toArray(extensions);
final Certificate[] chain;
final KeyPair keyPair;
final X509Certificate certificate;
try {
final ObjectPair<X509Certificate, KeyPair> p = X509Certificate.generateSelfSignedCertificate(signatureAlgorithmIdentifier, keyAlgorithmIdentifier, keySizeBits, subjectDN, notBefore, notAfter, extensions);
certificate = p.getFirst();
chain = new Certificate[] { certificate.toCertificate() };
keyPair = p.getSecond();
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_ERROR_GENERATING_CERT.get());
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
// Update the keystore with the new certificate.
try {
keystore.setKeyEntry(alias, keyPair.getPrivate(), privateKeyPassword, chain);
writeKeystore(keystore, keystorePath, keystorePassword);
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_ERROR_UPDATING_KEYSTORE.get());
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
if (isNewKeystore) {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_GEN_CERT_CERT_CREATED_KEYSTORE.get(getUserFriendlyKeystoreType(keystoreType)));
}
// file.
if (isGenerateCertificate) {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_GEN_CERT_SUCCESSFULLY_GENERATED_SELF_CERT.get());
printCertificate(certificate, "", false);
// If we should write an output file, then do that now.
if (outputFile != null) {
try (PrintStream ps = new PrintStream(outputFile)) {
final byte[] certBytes = certificate.getX509CertificateBytes();
if (outputPEM) {
writePEMCertificate(ps, certBytes);
} else {
ps.write(certBytes);
}
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_GEN_CERT_WROTE_OUTPUT_FILE.get(outputFile.getAbsolutePath()));
} catch (final Exception e) {
Debug.debugException(e);
err();
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_ERROR_WRITING_CERT.get(outputFile.getAbsolutePath()));
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
}
return ResultCode.SUCCESS;
}
// If we're generating a certificate signing request, then put together
// the appropriate set of arguments for that.
Validator.ensureTrue(isGenerateCSR);
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_GEN_CERT_SUCCESSFULLY_GENERATED_KEYPAIR.get());
if (displayKeytoolCommand) {
final ArrayList<String> keytoolArguments = new ArrayList<>(30);
keytoolArguments.add("-certreq");
keytoolArguments.add("-keystore");
keytoolArguments.add(keystorePath.getAbsolutePath());
keytoolArguments.add("-storetype");
keytoolArguments.add(keystoreType);
keytoolArguments.add("-storepass");
keytoolArguments.add("*****REDACTED*****");
keytoolArguments.add("-keypass");
keytoolArguments.add("*****REDACTED*****");
keytoolArguments.add("-alias");
keytoolArguments.add(alias);
keytoolArguments.add("-dname");
keytoolArguments.add(subjectDN.toString());
keytoolArguments.add("-sigalg");
keytoolArguments.add(signatureAlgorithmName);
addExtensionArguments(keytoolArguments, basicConstraints, keyUsage, extendedKeyUsage, sanValues, ianValues, genericExtensions);
if (outputFile != null) {
keytoolArguments.add("-file");
keytoolArguments.add(outputFile.getAbsolutePath());
}
displayKeytoolCommand(keytoolArguments);
}
// Generate the certificate signing request.
final PKCS10CertificateSigningRequest certificateSigningRequest;
try {
certificateSigningRequest = PKCS10CertificateSigningRequest.generateCertificateSigningRequest(signatureAlgorithmIdentifier, keyPair, subjectDN, extensions);
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_ERROR_GENERATING_CSR.get());
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
// location.
try {
final PrintStream ps;
if (outputFile == null) {
ps = getOut();
} else {
ps = new PrintStream(outputFile);
}
if (outputPEM) {
writePEMCertificateSigningRequest(ps, certificateSigningRequest.getPKCS10CertificateSigningRequestBytes());
} else {
ps.write(certificateSigningRequest.getPKCS10CertificateSigningRequestBytes());
}
if (outputFile != null) {
ps.close();
}
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_ERROR_WRITING_CSR.get());
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
// able to see it.
if (outputFile != null) {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_GEN_CERT_SUCCESSFULLY_GENERATED_CSR.get(outputFile.getAbsolutePath()));
}
return ResultCode.SUCCESS;
}
// If we've gotten here, then we should be signing a certificate signing
// request. Make sure that the keystore already has a private key entry
// with the specified alias.
Validator.ensureTrue(isSignCSR);
if (!hasKeyAlias(keystore, alias)) {
if (hasCertificateAlias(keystore, alias)) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_SIGN_ALIAS_IS_CERT.get(alias, keystorePath.getAbsolutePath()));
return ResultCode.PARAM_ERROR;
} else {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_SIGN_NO_SUCH_ALIAS.get(alias, keystorePath.getAbsolutePath()));
return ResultCode.PARAM_ERROR;
}
}
// Get the signing certificate and its key pair.
final PrivateKey issuerPrivateKey;
final X509Certificate issuerCertificate;
try {
final Certificate[] chain = keystore.getCertificateChain(alias);
issuerCertificate = new X509Certificate(chain[0].getEncoded());
issuerPrivateKey = (PrivateKey) keystore.getKey(alias, privateKeyPassword);
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_SIGN_CANNOT_GET_SIGNING_CERT.get(alias));
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
// Make sure that we can decode the certificate signing request.
final PKCS10CertificateSigningRequest csr;
try {
csr = readCertificateSigningRequestFromFile(inputFile);
} catch (final LDAPException le) {
Debug.debugException(le);
wrapErr(0, WRAP_COLUMN, le.getMessage());
return le.getResultCode();
}
// Make sure that we can verify the certificate signing request's signature.
try {
csr.verifySignature();
} catch (final CertException ce) {
Debug.debugException(ce);
wrapErr(0, WRAP_COLUMN, ce.getMessage());
return ResultCode.PARAM_ERROR;
}
// Prompt about whether to sign the request, if appropriate.
if (!noPrompt) {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_GEN_CERT_SIGN_CONFIRM.get());
out();
printCertificateSigningRequest(csr, false, "");
out();
try {
if (!promptForYesNo(INFO_MANAGE_CERTS_GEN_CERT_PROMPT_SIGN.get())) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_SIGN_CANCELED.get());
return ResultCode.USER_CANCELED;
}
} catch (final LDAPException le) {
Debug.debugException(le);
err();
wrapErr(0, WRAP_COLUMN, le.getMessage());
return le.getResultCode();
}
}
// from it.
if ((subjectDN == null) || (signatureAlgorithmIdentifier == null) || includeRequestedExtensions) {
if (subjectDN == null) {
subjectDN = csr.getSubjectDN();
}
if (signatureAlgorithmIdentifier == null) {
signatureAlgorithmIdentifier = SignatureAlgorithmIdentifier.forOID(csr.getSignatureAlgorithmOID());
if (signatureAlgorithmIdentifier == null) {
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_UNKNOWN_SIG_ALG_IN_CSR.get(csr.getSignatureAlgorithmOID()));
return ResultCode.PARAM_ERROR;
} else {
signatureAlgorithmName = signatureAlgorithmIdentifier.getJavaName();
}
}
if (includeRequestedExtensions) {
for (final X509CertificateExtension extension : csr.getExtensions()) {
if ((extension instanceof AuthorityKeyIdentifierExtension) || (extension instanceof IssuerAlternativeNameExtension)) {
// This extension applies to the issuer. We won't include this in
// the set of inherited extensions.
} else if (extension instanceof SubjectKeyIdentifierExtension) {
// The generated certificate will automatically include a subject
// key identifier extension, so we don't need to include it.
} else if (extension instanceof BasicConstraintsExtension) {
// Don't override a value already provided on the command line.
if (basicConstraints == null) {
basicConstraints = (BasicConstraintsExtension) extension;
extensionList.add(basicConstraints);
}
} else if (extension instanceof ExtendedKeyUsageExtension) {
// Don't override a value already provided on the command line.
if (extendedKeyUsage == null) {
extendedKeyUsage = (ExtendedKeyUsageExtension) extension;
extensionList.add(extendedKeyUsage);
}
} else if (extension instanceof KeyUsageExtension) {
// Don't override a value already provided on the command line.
if (keyUsage == null) {
keyUsage = (KeyUsageExtension) extension;
extensionList.add(keyUsage);
}
} else if (extension instanceof SubjectAlternativeNameExtension) {
// line.
if (sanValues.isEmpty()) {
final SubjectAlternativeNameExtension e = (SubjectAlternativeNameExtension) extension;
for (final String dnsName : e.getDNSNames()) {
sanBuilder.addDNSName(dnsName);
sanValues.add("DNS:" + dnsName);
}
for (final InetAddress ipAddress : e.getIPAddresses()) {
sanBuilder.addIPAddress(ipAddress);
sanValues.add("IP:" + ipAddress.getHostAddress());
}
for (final String emailAddress : e.getRFC822Names()) {
sanBuilder.addRFC822Name(emailAddress);
sanValues.add("EMAIL:" + emailAddress);
}
for (final String uri : e.getUniformResourceIdentifiers()) {
sanBuilder.addUniformResourceIdentifier(uri);
sanValues.add("URI:" + uri);
}
for (final OID oid : e.getRegisteredIDs()) {
sanBuilder.addRegisteredID(oid);
sanValues.add("OID:" + oid.toString());
}
try {
extensionList.add(new SubjectAlternativeNameExtension(false, sanBuilder.build()));
} catch (final Exception ex) {
// This should never happen.
Debug.debugException(ex);
throw new RuntimeException(ex);
}
}
} else {
genericExtensions.add(extension);
extensionList.add(extension);
}
}
}
}
// Generate the keytool arguments to use to sign the requested certificate.
final ArrayList<String> keytoolArguments = new ArrayList<>(30);
keytoolArguments.add("-gencert");
keytoolArguments.add("-keystore");
keytoolArguments.add(keystorePath.getAbsolutePath());
keytoolArguments.add("-storetype");
keytoolArguments.add(keystoreType);
keytoolArguments.add("-storepass");
keytoolArguments.add("*****REDACTED*****");
keytoolArguments.add("-keypass");
keytoolArguments.add("*****REDACTED*****");
keytoolArguments.add("-alias");
keytoolArguments.add(alias);
keytoolArguments.add("-dname");
keytoolArguments.add(subjectDN.toString());
keytoolArguments.add("-sigalg");
keytoolArguments.add(signatureAlgorithmName);
keytoolArguments.add("-validity");
keytoolArguments.add(String.valueOf(daysValid));
if (validityStartTime != null) {
keytoolArguments.add("-startdate");
keytoolArguments.add(formatValidityStartTime(validityStartTime));
}
addExtensionArguments(keytoolArguments, basicConstraints, keyUsage, extendedKeyUsage, sanValues, ianValues, genericExtensions);
keytoolArguments.add("-infile");
keytoolArguments.add(inputFile.getAbsolutePath());
if (outputFile != null) {
keytoolArguments.add("-outfile");
keytoolArguments.add(outputFile.getAbsolutePath());
}
if (outputPEM) {
keytoolArguments.add("-rfc");
}
if (displayKeytoolCommand) {
displayKeytoolCommand(keytoolArguments);
}
// Generate the signed certificate.
final long notBefore;
if (validityStartTime == null) {
notBefore = System.currentTimeMillis();
} else {
notBefore = validityStartTime.getTime();
}
final long notAfter = notBefore + TimeUnit.DAYS.toMillis(daysValid);
final X509CertificateExtension[] extensions = new X509CertificateExtension[extensionList.size()];
extensionList.toArray(extensions);
final X509Certificate signedCertificate;
try {
signedCertificate = X509Certificate.generateIssuerSignedCertificate(signatureAlgorithmIdentifier, issuerCertificate, issuerPrivateKey, csr.getPublicKeyAlgorithmOID(), csr.getPublicKeyAlgorithmParameters(), csr.getEncodedPublicKey(), csr.getDecodedPublicKey(), subjectDN, notBefore, notAfter, extensions);
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_ERROR_SIGNING_CERT.get());
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
// Write the signed certificate signing request to the appropriate location.
try {
final PrintStream ps;
if (outputFile == null) {
ps = getOut();
} else {
ps = new PrintStream(outputFile);
}
if (outputPEM) {
writePEMCertificate(ps, signedCertificate.getX509CertificateBytes());
} else {
ps.write(signedCertificate.getX509CertificateBytes());
}
if (outputFile != null) {
ps.close();
}
} catch (final Exception e) {
Debug.debugException(e);
wrapErr(0, WRAP_COLUMN, ERR_MANAGE_CERTS_GEN_CERT_ERROR_WRITING_SIGNED_CERT.get());
e.printStackTrace(getErr());
return ResultCode.LOCAL_ERROR;
}
// able to see it.
if (outputFile != null) {
out();
wrapOut(0, WRAP_COLUMN, INFO_MANAGE_CERTS_GEN_CERT_SUCCESSFULLY_SIGNED_CERT.get(outputFile.getAbsolutePath()));
}
return ResultCode.SUCCESS;
}
use of com.unboundid.util.OID in project ldapsdk by pingidentity.
the class ManageCertificates method printExtensions.
/**
* Prints information about the provided extensions.
*
* @param extensions The list of extensions to be printed.
* @param indent The string to place at the beginning of each line to
* indent that line.
*/
void printExtensions(@NotNull final List<X509CertificateExtension> extensions, @NotNull final String indent) {
if (extensions.isEmpty()) {
return;
}
out(indent + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXTENSIONS.get());
for (final X509CertificateExtension extension : extensions) {
if (extension instanceof AuthorityKeyIdentifierExtension) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_AUTH_KEY_ID_EXT.get());
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_OID.get(extension.getOID().toString()));
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_IS_CRITICAL.get(String.valueOf(extension.isCritical())));
final AuthorityKeyIdentifierExtension e = (AuthorityKeyIdentifierExtension) extension;
if (e.getKeyIdentifier() != null) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_AUTH_KEY_ID_ID.get());
final String idHex = toColonDelimitedHex(e.getKeyIdentifier().getValue());
for (final String line : StaticUtils.wrapLine(idHex, 78)) {
out(indent + " " + line);
}
}
if (e.getAuthorityCertIssuer() != null) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_AUTH_KEY_ID_ISSUER.get());
printGeneralNames(e.getAuthorityCertIssuer(), indent + " ");
}
if (e.getAuthorityCertSerialNumber() != null) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_AUTH_KEY_ID_SERIAL.get(toColonDelimitedHex(e.getAuthorityCertSerialNumber().toByteArray())));
}
} else if (extension instanceof BasicConstraintsExtension) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_BASIC_CONST_EXT.get());
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_OID.get(extension.getOID().toString()));
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_IS_CRITICAL.get(String.valueOf(extension.isCritical())));
final BasicConstraintsExtension e = (BasicConstraintsExtension) extension;
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_BASIC_CONST_IS_CA.get(String.valueOf(e.isCA())));
if (e.getPathLengthConstraint() != null) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_BASIC_CONST_LENGTH.get(e.getPathLengthConstraint()));
}
} else if (extension instanceof CRLDistributionPointsExtension) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_CRL_DP_EXT.get());
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_OID.get(extension.getOID().toString()));
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_IS_CRITICAL.get(String.valueOf(extension.isCritical())));
final CRLDistributionPointsExtension crlDPE = (CRLDistributionPointsExtension) extension;
for (final CRLDistributionPoint dp : crlDPE.getCRLDistributionPoints()) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_CRL_DP_HEADER.get());
if (dp.getFullName() != null) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_CRL_DP_FULL_NAME.get());
printGeneralNames(dp.getFullName(), indent + " ");
}
if (dp.getNameRelativeToCRLIssuer() != null) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_CRL_DP_REL_NAME.get(dp.getNameRelativeToCRLIssuer()));
}
if (!dp.getPotentialRevocationReasons().isEmpty()) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_CRL_DP_REASON.get());
for (final CRLDistributionPointRevocationReason r : dp.getPotentialRevocationReasons()) {
out(indent + " " + r.getName());
}
}
if (dp.getCRLIssuer() != null) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_CRL_DP_CRL_ISSUER.get());
printGeneralNames(dp.getCRLIssuer(), indent + " ");
}
}
} else if (extension instanceof ExtendedKeyUsageExtension) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_EKU_EXT.get());
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_OID.get(extension.getOID().toString()));
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_IS_CRITICAL.get(String.valueOf(extension.isCritical())));
final ExtendedKeyUsageExtension e = (ExtendedKeyUsageExtension) extension;
for (final OID oid : e.getKeyPurposeIDs()) {
final ExtendedKeyUsageID id = ExtendedKeyUsageID.forOID(oid);
if (id == null) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_EKU_ID.get(oid));
} else {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_EKU_ID.get(id.getName()));
}
}
} else if (extension instanceof IssuerAlternativeNameExtension) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_IAN_EXT.get());
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_OID.get(extension.getOID().toString()));
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_IS_CRITICAL.get(String.valueOf(extension.isCritical())));
final IssuerAlternativeNameExtension e = (IssuerAlternativeNameExtension) extension;
printGeneralNames(e.getGeneralNames(), indent + " ");
} else if (extension instanceof KeyUsageExtension) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_EXT.get());
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_OID.get(extension.getOID().toString()));
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_IS_CRITICAL.get(String.valueOf(extension.isCritical())));
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_USAGES.get());
final KeyUsageExtension kue = (KeyUsageExtension) extension;
if (kue.isDigitalSignatureBitSet()) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_DS.get());
}
if (kue.isNonRepudiationBitSet()) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_NR.get());
}
if (kue.isKeyEnciphermentBitSet()) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_KE.get());
}
if (kue.isDataEnciphermentBitSet()) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_DE.get());
}
if (kue.isKeyAgreementBitSet()) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_KA.get());
}
if (kue.isKeyCertSignBitSet()) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_KCS.get());
}
if (kue.isCRLSignBitSet()) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_CRL_SIGN.get());
}
if (kue.isEncipherOnlyBitSet()) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_EO.get());
}
if (kue.isDecipherOnlyBitSet()) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_KU_DO.get());
}
} else if (extension instanceof SubjectAlternativeNameExtension) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_SAN_EXT.get());
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_OID.get(extension.getOID().toString()));
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_IS_CRITICAL.get(String.valueOf(extension.isCritical())));
final SubjectAlternativeNameExtension e = (SubjectAlternativeNameExtension) extension;
printGeneralNames(e.getGeneralNames(), indent + " ");
} else if (extension instanceof SubjectKeyIdentifierExtension) {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_SKI_EXT.get());
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_OID.get(extension.getOID().toString()));
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_IS_CRITICAL.get(String.valueOf(extension.isCritical())));
final SubjectKeyIdentifierExtension e = (SubjectKeyIdentifierExtension) extension;
final String idHex = toColonDelimitedHex(e.getKeyIdentifier().getValue());
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_SKI_ID.get());
for (final String line : StaticUtils.wrapLine(idHex, 78)) {
out(indent + " " + line);
}
} else {
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_GENERIC.get());
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_OID.get(extension.getOID().toString()));
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_IS_CRITICAL.get(String.valueOf(extension.isCritical())));
final String valueHex = toColonDelimitedHex(extension.getValue());
out(indent + " " + INFO_MANAGE_CERTS_PRINT_CERT_LABEL_EXT_VALUE.get());
getOut().print(StaticUtils.toHexPlusASCII(extension.getValue(), (indent.length() + 15)));
}
}
}
use of com.unboundid.util.OID in project ldapsdk by pingidentity.
the class ASN1ObjectIdentifier method decodeAsObjectIdentifier.
/**
* Decodes the contents of the provided byte array as an object identifier
* element.
*
* @param elementBytes The byte array to decode as an ASN.1 object
* identifier element.
*
* @return The decoded ASN.1 object identifier element.
*
* @throws ASN1Exception If the provided array cannot be decoded as an
* object identifier element.
*/
@NotNull()
public static ASN1ObjectIdentifier decodeAsObjectIdentifier(@NotNull final byte[] elementBytes) throws ASN1Exception {
try {
int valueStartPos = 2;
int length = (elementBytes[1] & 0x7F);
if (length != elementBytes[1]) {
final int numLengthBytes = length;
length = 0;
for (int i = 0; i < numLengthBytes; i++) {
length <<= 8;
length |= (elementBytes[valueStartPos++] & 0xFF);
}
}
if ((elementBytes.length - valueStartPos) != length) {
throw new ASN1Exception(ERR_ELEMENT_LENGTH_MISMATCH.get(length, (elementBytes.length - valueStartPos)));
}
final byte[] elementValue = new byte[length];
System.arraycopy(elementBytes, valueStartPos, elementValue, 0, length);
final OID oid = decodeValue(elementValue);
return new ASN1ObjectIdentifier(elementBytes[0], oid, elementValue);
} catch (final ASN1Exception ae) {
Debug.debugException(ae);
throw ae;
} catch (final Exception e) {
Debug.debugException(e);
throw new ASN1Exception(ERR_ELEMENT_DECODE_EXCEPTION.get(e), e);
}
}
use of com.unboundid.util.OID in project ldapsdk by pingidentity.
the class PKCS10CertificateSigningRequest method generateCertificateSigningRequest.
/**
* Generates a PKCS #10 certificate signing request with the provided
* information.
*
* @param signatureAlgorithm The algorithm to use to generate the signature.
* This must not be {@code null}.
* @param keyPair The key pair to use for the certificate signing
* request. This must not be {@code null}.
* @param subjectDN The subject DN for the certificate signing
* request. This must not be {@code null}.
* @param extensions The set of extensions to include in the
* certificate signing request. This may be
* {@code null} or empty if the request should not
* include any custom extensions.
*
* @return The generated PKCS #10 certificate signing request.
*
* @throws CertException If a problem is encountered while creating the
* certificate signing request.
*/
@NotNull()
public static PKCS10CertificateSigningRequest generateCertificateSigningRequest(@NotNull final SignatureAlgorithmIdentifier signatureAlgorithm, @NotNull final KeyPair keyPair, @NotNull final DN subjectDN, @Nullable final X509CertificateExtension... extensions) throws CertException {
// Extract the parameters and encoded public key from the generated key
// pair. And while we're at it, generate a subject key identifier from
// the encoded public key.
DecodedPublicKey decodedPublicKey = null;
final ASN1BitString encodedPublicKey;
final ASN1Element publicKeyAlgorithmParameters;
final byte[] subjectKeyIdentifier;
final OID publicKeyAlgorithmOID;
try {
final ASN1Element[] pkElements = ASN1Sequence.decodeAsSequence(keyPair.getPublic().getEncoded()).elements();
final ASN1Element[] pkAlgIDElements = ASN1Sequence.decodeAsSequence(pkElements[0]).elements();
publicKeyAlgorithmOID = pkAlgIDElements[0].decodeAsObjectIdentifier().getOID();
if (pkAlgIDElements.length == 1) {
publicKeyAlgorithmParameters = null;
} else {
publicKeyAlgorithmParameters = pkAlgIDElements[1];
}
encodedPublicKey = pkElements[1].decodeAsBitString();
try {
if (publicKeyAlgorithmOID.equals(PublicKeyAlgorithmIdentifier.RSA.getOID())) {
decodedPublicKey = new RSAPublicKey(encodedPublicKey);
} else if (publicKeyAlgorithmOID.equals(PublicKeyAlgorithmIdentifier.EC.getOID())) {
decodedPublicKey = new EllipticCurvePublicKey(encodedPublicKey);
}
} catch (final Exception e) {
Debug.debugException(e);
}
final MessageDigest sha256 = CryptoHelper.getMessageDigest(SubjectKeyIdentifierExtension.SUBJECT_KEY_IDENTIFIER_DIGEST_ALGORITHM);
subjectKeyIdentifier = sha256.digest(encodedPublicKey.getBytes());
} catch (final Exception e) {
Debug.debugException(e);
throw new CertException(ERR_CSR_GEN_CANNOT_PARSE_KEY_PAIR.get(StaticUtils.getExceptionMessage(e)), e);
}
// Construct the set of all extensions for the certificate.
final ArrayList<X509CertificateExtension> extensionList = new ArrayList<>(10);
extensionList.add(new SubjectKeyIdentifierExtension(false, new ASN1OctetString(subjectKeyIdentifier)));
if (extensions != null) {
for (final X509CertificateExtension e : extensions) {
if (!e.getOID().equals(SubjectKeyIdentifierExtension.SUBJECT_KEY_IDENTIFIER_OID)) {
extensionList.add(e);
}
}
}
final X509CertificateExtension[] allExtensions = new X509CertificateExtension[extensionList.size()];
extensionList.toArray(allExtensions);
final ASN1BitString encodedSignature = generateSignature(signatureAlgorithm, keyPair.getPrivate(), subjectDN, publicKeyAlgorithmOID, publicKeyAlgorithmParameters, encodedPublicKey, allExtensions);
return new PKCS10CertificateSigningRequest(PKCS10CertificateSigningRequestVersion.V1, signatureAlgorithm.getOID(), null, encodedSignature, subjectDN, publicKeyAlgorithmOID, publicKeyAlgorithmParameters, encodedPublicKey, decodedPublicKey, null, allExtensions);
}
Aggregations