Search in sources :

Example 96 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project nhin-d by DirectProject.

the class PKCS11Commands method createCSR.

@Command(name = "CreateCSR", usage = CREATE_CSR)
public void createCSR(String[] args) {
    final String alias = StringArrayUtil.getRequiredValue(args, 0);
    final String commonName = StringArrayUtil.getRequiredValue(args, 1);
    final String subjectAltName = StringArrayUtil.getRequiredValue(args, 2);
    final String keyUsage = StringArrayUtil.getRequiredValue(args, 3);
    // make sure we have a valid keyUsage
    if (!(keyUsage.compareToIgnoreCase("DigitalSignature") == 0 || keyUsage.compareToIgnoreCase("KeyEncipherment") == 0 || keyUsage.compareToIgnoreCase("DualUse") == 0)) {
        System.out.println("Invalid key usage.");
        return;
    }
    final Vector<String> additionalRDNFields = new Vector<String>();
    int cnt = 4;
    String rdnField;
    do {
        rdnField = StringArrayUtil.getOptionalValue(args, cnt++, "");
        if (!StringUtils.isEmpty(rdnField))
            additionalRDNFields.add(rdnField);
    } while (!StringUtils.isEmpty(rdnField));
    try {
        final KeyStore ks = mgr.getKS();
        if (!ks.containsAlias(alias)) {
            System.out.println("Entry with key name " + alias + " does not exist.");
            return;
        }
        final X509Certificate storedCert = (X509Certificate) ks.getCertificate(alias);
        if (storedCert == null) {
            System.out.println("Key name " + alias + " does not contain a certificate that can be exported.  This key may not be an RSA key pair.");
            return;
        }
        final PrivateKey privKey = (PrivateKey) ks.getKey(alias, "".toCharArray());
        if (privKey == null) {
            System.out.println("Failed to object private key.  This key may not be an RSA key pair.");
            return;
        }
        // create the CSR
        //  create the extensions that we want
        final X509ExtensionsGenerator extsGen = new X509ExtensionsGenerator();
        // Key Usage
        int usage;
        if (keyUsage.compareToIgnoreCase("KeyEncipherment") == 0)
            usage = KeyUsage.keyEncipherment;
        else if (keyUsage.compareToIgnoreCase("DigitalSignature") == 0)
            usage = KeyUsage.digitalSignature;
        else
            usage = KeyUsage.keyEncipherment | KeyUsage.digitalSignature;
        extsGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(usage));
        // Subject Alt Name
        int nameType = subjectAltName.contains("@") ? GeneralName.rfc822Name : GeneralName.dNSName;
        final GeneralNames altName = new GeneralNames(new GeneralName(nameType, subjectAltName));
        extsGen.addExtension(X509Extensions.SubjectAlternativeName, false, altName);
        // Extended Key Usage
        final Vector<KeyPurposeId> purposes = new Vector<KeyPurposeId>();
        purposes.add(KeyPurposeId.id_kp_emailProtection);
        extsGen.addExtension(X509Extensions.ExtendedKeyUsage, false, new ExtendedKeyUsage(purposes));
        // Basic constraint
        final BasicConstraints bc = new BasicConstraints(false);
        extsGen.addExtension(X509Extensions.BasicConstraints, true, bc);
        // create the extension requests
        final X509Extensions exts = extsGen.generate();
        final ASN1EncodableVector attributes = new ASN1EncodableVector();
        final Attribute attribute = new Attribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, new DERSet(exts.toASN1Object()));
        attributes.add(attribute);
        final DERSet requestedAttributes = new DERSet(attributes);
        // create the DN
        final StringBuilder dnBuilder = new StringBuilder("CN=").append(commonName);
        for (String field : additionalRDNFields) dnBuilder.append(",").append(field);
        final X500Principal subjectPrin = new X500Principal(dnBuilder.toString());
        final X509Principal xName = new X509Principal(true, subjectPrin.getName());
        // create the CSR
        final PKCS10CertificationRequest request = new PKCS10CertificationRequest("SHA256WITHRSA", xName, storedCert.getPublicKey(), requestedAttributes, privKey, ks.getProvider().getName());
        final byte[] encodedCSR = request.getEncoded();
        final String csrString = "-----BEGIN CERTIFICATE REQUEST-----\r\n" + Base64.encodeBase64String(encodedCSR) + "-----END CERTIFICATE REQUEST-----";
        final File csrFile = new File(alias + "-CSR.pem");
        FileUtils.writeStringToFile(csrFile, csrString);
        System.out.println("CSR written to " + csrFile.getAbsolutePath());
    } catch (Exception e) {
        e.printStackTrace();
        System.err.println("Failed to create CSR : " + e.getMessage());
    }
}
Also used : PrivateKey(java.security.PrivateKey) Attribute(org.bouncycastle.asn1.x509.Attribute) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) X509Extensions(org.bouncycastle.asn1.x509.X509Extensions) DERSet(org.bouncycastle.asn1.DERSet) X509Principal(org.bouncycastle.jce.X509Principal) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) X509ExtensionsGenerator(org.bouncycastle.asn1.x509.X509ExtensionsGenerator) Vector(java.util.Vector) ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) PKCS10CertificationRequest(org.bouncycastle.jce.PKCS10CertificationRequest) KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) X500Principal(javax.security.auth.x500.X500Principal) GeneralName(org.bouncycastle.asn1.x509.GeneralName) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) File(java.io.File) Command(org.nhindirect.common.tooling.Command)

Example 97 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project nhin-d by DirectProject.

the class CertGenerator method createLeafCertificate.

private static CertCreateFields createLeafCertificate(CertCreateFields fields, KeyPair keyPair, boolean addAltNames) throws Exception {
    String altName = "";
    StringBuilder dnBuilder = new StringBuilder();
    // create the DN
    if (fields.getAttributes().containsKey("EMAILADDRESS")) {
        dnBuilder.append("EMAILADDRESS=").append(fields.getAttributes().get("EMAILADDRESS")).append(", ");
        altName = fields.getAttributes().get("EMAILADDRESS").toString();
    }
    if (fields.getAttributes().containsKey("CN"))
        dnBuilder.append("CN=").append(fields.getAttributes().get("CN")).append(", ");
    if (fields.getAttributes().containsKey("C"))
        dnBuilder.append("C=").append(fields.getAttributes().get("C")).append(", ");
    if (fields.getAttributes().containsKey("ST"))
        dnBuilder.append("ST=").append(fields.getAttributes().get("ST")).append(", ");
    if (fields.getAttributes().containsKey("L"))
        dnBuilder.append("L=").append(fields.getAttributes().get("L")).append(", ");
    if (fields.getAttributes().containsKey("O"))
        dnBuilder.append("O=").append(fields.getAttributes().get("O")).append(", ");
    String DN = dnBuilder.toString().trim();
    if (DN.endsWith(","))
        DN = DN.substring(0, DN.length() - 1);
    X509V3CertificateGenerator v1CertGen = new X509V3CertificateGenerator();
    Calendar start = Calendar.getInstance();
    Calendar end = Calendar.getInstance();
    end.add(Calendar.DAY_OF_MONTH, fields.getExpDays());
    // not the best way to do this... generally done with a db file
    v1CertGen.setSerialNumber(BigInteger.valueOf(generatePositiveRandom()));
    // issuer is the parent cert
    v1CertGen.setIssuerDN(fields.getSignerCert().getSubjectX500Principal());
    v1CertGen.setNotBefore(start.getTime());
    v1CertGen.setNotAfter(end.getTime());
    v1CertGen.setSubjectDN(new X509Principal(DN));
    v1CertGen.setPublicKey(keyPair.getPublic());
    v1CertGen.setSignatureAlgorithm("SHA1WithRSAEncryption");
    // pointer to the parent CA
    v1CertGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(fields.getSignerCert()));
    v1CertGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keyPair.getPublic()));
    boolean allowToSign = (fields.getAttributes().get("ALLOWTOSIGN") != null && fields.getAttributes().get("ALLOWTOSIGN").toString().equalsIgnoreCase("true"));
    v1CertGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(allowToSign));
    int keyUsage = 0;
    if (fields.getAttributes().get("KEYENC") != null && fields.getAttributes().get("KEYENC").toString().equalsIgnoreCase("true"))
        keyUsage = keyUsage | KeyUsage.keyEncipherment;
    if (fields.getAttributes().get("DIGSIG") != null && fields.getAttributes().get("DIGSIG").toString().equalsIgnoreCase("true"))
        keyUsage = keyUsage | KeyUsage.digitalSignature;
    if (keyUsage > 0)
        v1CertGen.addExtension(X509Extensions.KeyUsage, false, new KeyUsage(keyUsage));
    if (fields.getSignerCert().getSubjectAlternativeNames() != null) {
        for (List<?> names : fields.getSignerCert().getSubjectAlternativeNames()) {
            GeneralNames issuerAltName = new GeneralNames(new GeneralName((Integer) names.get(0), names.get(1).toString()));
            v1CertGen.addExtension(X509Extensions.IssuerAlternativeName, false, issuerAltName);
        }
    }
    if (addAltNames && !altName.isEmpty()) {
        int nameType = altName.contains("@") ? GeneralName.rfc822Name : GeneralName.dNSName;
        GeneralNames subjectAltName = new GeneralNames(new GeneralName(nameType, altName));
        v1CertGen.addExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);
    }
    // use the CA's private key to sign the certificate
    X509Certificate newCACert = v1CertGen.generate((PrivateKey) fields.getSignerKey(), CryptoExtensions.getJCEProviderName());
    // validate the certificate 
    newCACert.verify(fields.getSignerCert().getPublicKey());
    // write the certificate the file system
    writeCertAndKey(newCACert, keyPair.getPrivate(), fields);
    return fields;
}
Also used : SubjectKeyIdentifierStructure(org.bouncycastle.x509.extension.SubjectKeyIdentifierStructure) Calendar(java.util.Calendar) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) AuthorityKeyIdentifierStructure(org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure) X509Certificate(java.security.cert.X509Certificate) BigInteger(java.math.BigInteger) X509V3CertificateGenerator(org.bouncycastle.x509.X509V3CertificateGenerator) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) X509Principal(org.bouncycastle.jce.X509Principal) GeneralName(org.bouncycastle.asn1.x509.GeneralName) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)

Example 98 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project robovm by robovm.

the class X509CertSelectorTest method test_setSubjectAlternativeNamesLjava_util_Collection.

/**
     * java.security.cert.X509CertSelector#setSubjectAlternativeNames(Collection<List<?>>)
     */
public void test_setSubjectAlternativeNamesLjava_util_Collection() throws Exception {
    GeneralName san0 = new GeneralName(new OtherName("1.2.3.4.5", new byte[] { 1, 2, 0, 1 }));
    GeneralName san1 = new GeneralName(1, "rfc@822.Name");
    GeneralName san2 = new GeneralName(2, "dNSName");
    GeneralName san3 = new GeneralName(new ORAddress());
    GeneralName san4 = new GeneralName(new Name("O=Organization"));
    GeneralName san6 = new GeneralName(6, "http://uniform.Resource.Id");
    GeneralName san7 = new GeneralName(7, "1.1.1.1");
    GeneralName san8 = new GeneralName(8, "1.2.3.4444.55555");
    GeneralNames sans1 = new GeneralNames();
    sans1.addName(san0);
    sans1.addName(san1);
    sans1.addName(san2);
    sans1.addName(san3);
    sans1.addName(san4);
    sans1.addName(san6);
    sans1.addName(san7);
    sans1.addName(san8);
    GeneralNames sans2 = new GeneralNames();
    sans2.addName(san0);
    TestCert cert1 = new TestCert(sans1);
    TestCert cert2 = new TestCert(sans2);
    X509CertSelector selector = new X509CertSelector();
    selector.setMatchAllSubjectAltNames(true);
    selector.setSubjectAlternativeNames(null);
    assertTrue("Any certificate should match in the case of null " + "subjectAlternativeNames criteria.", selector.match(cert1) && selector.match(cert2));
    Collection<List<?>> sans = sans1.getPairsList();
    selector.setSubjectAlternativeNames(sans);
    selector.getSubjectAlternativeNames();
}
Also used : GeneralNames(org.apache.harmony.security.x509.GeneralNames) OtherName(org.apache.harmony.security.x509.OtherName) X509CertSelector(java.security.cert.X509CertSelector) List(java.util.List) ArrayList(java.util.ArrayList) GeneralName(org.apache.harmony.security.x509.GeneralName) ORAddress(org.apache.harmony.security.x509.ORAddress) GeneralName(org.apache.harmony.security.x509.GeneralName) OtherName(org.apache.harmony.security.x509.OtherName) Name(org.apache.harmony.security.x501.Name)

Example 99 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project robovm by robovm.

the class X509CertSelectorTest method test_addSubjectAlternativeNameLintLjava_lang_String2.

/**
     * java.security.cert.X509CertSelector#addSubjectAlternativeName(int, String)
     */
public void test_addSubjectAlternativeNameLintLjava_lang_String2() throws Exception {
    GeneralName san6 = new GeneralName(6, "http://uniform.Resource.Id");
    GeneralName san2 = new GeneralName(2, "dNSName");
    GeneralNames sans1 = new GeneralNames();
    sans1.addName(san6);
    sans1.addName(san2);
    X509CertSelector selector = new X509CertSelector();
    selector.addSubjectAlternativeName(6, "http://uniform.Resource.Id");
    selector.addSubjectAlternativeName(2, "dNSName");
    GeneralNames sans2 = new GeneralNames();
    sans2.addName(san2);
    TestCert cert1 = new TestCert(sans1);
    TestCert cert2 = new TestCert(sans2);
    assertTrue(selector.match(cert1));
    assertFalse(selector.match(cert2));
    selector.setSubjectAlternativeNames(null);
    GeneralName name = new GeneralName(new Name("O=Android"));
    try {
        selector.addSubjectAlternativeName(0, (name.toString()));
    } catch (IOException e) {
    // ok
    }
}
Also used : GeneralNames(org.apache.harmony.security.x509.GeneralNames) X509CertSelector(java.security.cert.X509CertSelector) GeneralName(org.apache.harmony.security.x509.GeneralName) IOException(java.io.IOException) GeneralName(org.apache.harmony.security.x509.GeneralName) OtherName(org.apache.harmony.security.x509.OtherName) Name(org.apache.harmony.security.x501.Name)

Example 100 with GeneralName

use of de.carne.certmgr.certs.x509.GeneralName in project robovm by robovm.

the class X509CertSelectorTest method test_setPathToNamesLjava_util_Collection.

/**
     * java.security.cert.X509CertSelector#setPathToNames(Collection<List<?>>)
     */
public void test_setPathToNamesLjava_util_Collection() throws Exception {
    GeneralName san0 = new GeneralName(new OtherName("1.2.3.4.5", new byte[] { 1, 2, 0, 1 }));
    GeneralName san1 = new GeneralName(1, "rfc@822.Name");
    GeneralName san2 = new GeneralName(2, "dNSName");
    GeneralName san3 = new GeneralName(new ORAddress());
    GeneralName san4 = new GeneralName(new Name("O=Organization"));
    GeneralName san6 = new GeneralName(6, "http://uniform.Resource.Id");
    GeneralName san7 = new GeneralName(7, "1.1.1.1");
    GeneralName san8 = new GeneralName(8, "1.2.3.4444.55555");
    GeneralNames sans1 = new GeneralNames();
    sans1.addName(san0);
    sans1.addName(san1);
    sans1.addName(san2);
    sans1.addName(san3);
    sans1.addName(san4);
    sans1.addName(san6);
    sans1.addName(san7);
    sans1.addName(san8);
    GeneralNames sans2 = new GeneralNames();
    sans2.addName(san0);
    TestCert cert1 = new TestCert(sans1);
    TestCert cert2 = new TestCert(sans2);
    X509CertSelector selector = new X509CertSelector();
    selector.setMatchAllSubjectAltNames(true);
    selector.setPathToNames(null);
    assertTrue("Any certificate should match in the case of null " + "subjectAlternativeNames criteria.", selector.match(cert1) && selector.match(cert2));
    Collection<List<?>> sans = sans1.getPairsList();
    selector.setPathToNames(sans);
    selector.getPathToNames();
}
Also used : GeneralNames(org.apache.harmony.security.x509.GeneralNames) OtherName(org.apache.harmony.security.x509.OtherName) X509CertSelector(java.security.cert.X509CertSelector) List(java.util.List) ArrayList(java.util.ArrayList) GeneralName(org.apache.harmony.security.x509.GeneralName) ORAddress(org.apache.harmony.security.x509.ORAddress) GeneralName(org.apache.harmony.security.x509.GeneralName) OtherName(org.apache.harmony.security.x509.OtherName) Name(org.apache.harmony.security.x501.Name)

Aggregations

GeneralName (org.bouncycastle.asn1.x509.GeneralName)125 GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)58 IOException (java.io.IOException)50 DERIA5String (org.bouncycastle.asn1.DERIA5String)36 ArrayList (java.util.ArrayList)34 CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)32 DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)31 X500Name (org.bouncycastle.asn1.x500.X500Name)30 ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)28 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)27 X509Certificate (java.security.cert.X509Certificate)25 DEROctetString (org.bouncycastle.asn1.DEROctetString)24 List (java.util.List)21 ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)19 Date (java.util.Date)18 GeneralName (org.apache.harmony.security.x509.GeneralName)18 DirectoryString (org.bouncycastle.asn1.x500.DirectoryString)18 DERSequence (org.bouncycastle.asn1.DERSequence)17 DERUTF8String (org.bouncycastle.asn1.DERUTF8String)16 OperatorCreationException (org.bouncycastle.operator.OperatorCreationException)16