
Example 1 with KeyCertBundle

Use of de.trustable.ca3s.cert.bundle.KeyCertBundle in project ca3sCore by kuehne-trustable-de.

Class Ca3sFallbackBundleFactory, method newKeyBundle.

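/**
 * Builds a self-issued fallback key/certificate bundle for the local host.
 *
 * <p>A fresh RSA key pair is generated, an end-entity certificate for the local
 * host name (as CN, optionally followed by {@code dnSuffix}, and as a DNS SAN)
 * carrying the non-critical serverAuth extended key usage is issued through
 * {@code cryptoUtil.issueCertificate} with this factory's {@code x500Issuer} and
 * root key pair, and the two-element chain [issued, root] is returned together
 * with the new private key.
 *
 * @param bundleName         name stored in the returned bundle
 * @param minValiditySeconds NOTE(review): not used here; the validity arguments
 *                           passed to issueCertificate are fixed to (Calendar.HOUR, 1),
 *                           apparently one hour — confirm this is intended for the
 *                           fallback path
 * @return the bundle holding the chain, the issued certificate and the private key
 * @throws GeneralSecurityException if key generation or issuance fails; IO failures
 *         (host lookup, encoding) are wrapped into it so callers see one exception type
 */
@Override
public KeyCertBundle newKeyBundle(final String bundleName, long minValiditySeconds) throws GeneralSecurityException {
    // Set the key size explicitly instead of relying on the provider default,
    // which differs between providers and JDK versions.
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    keyGen.initialize(2048);
    KeyPair localKeyPair = keyGen.generateKeyPair();
    try {
        InetAddress ip = InetAddress.getLocalHost();
        String hostname = ip.getHostName();
        LOG.debug("requesting certificate for host : {}", hostname);
        String x500Name = "CN=" + hostname;
        if (!dnSuffix.trim().isEmpty()) {
            x500Name += ", " + dnSuffix;
        }
        X500Name subject = new X500Name(x500Name);
        // the host name is the only subject alternative name
        GeneralName[] sanArray = new GeneralName[1];
        sanArray[0] = new GeneralName(GeneralName.dNSName, hostname);
        GeneralNames gns = new GeneralNames(sanArray);
        // extension list in the map form expected by cryptoUtil.issueCertificate:
        // a non-critical extendedKeyUsage holding id-kp-serverAuth
        List<Map<String, Object>> extensions = new ArrayList<>();
        Map<String, Object> serverAuthMap = new HashMap<>();
        serverAuthMap.put("oid", Extension.extendedKeyUsage.getId());
        serverAuthMap.put("critical", Boolean.FALSE);
        List<String> valList = new ArrayList<>();
        valList.add(KeyPurposeId.id_kp_serverAuth.getId());
        serverAuthMap.put("value", valList);
        extensions.add(serverAuthMap);
        LOG.debug("building certificate for SAN '{}' and EKU {}", hostname, Extension.extendedKeyUsage.getId());
        X509Certificate issuedCertificate = cryptoUtil.issueCertificate(x500Issuer, getRootKeyPair(), subject, SubjectPublicKeyInfo.getInstance(localKeyPair.getPublic().getEncoded()), Calendar.HOUR, 1, gns, extensions, PKILevel.END_ENTITY);
        // build the (short) chain: end-entity first, then the root that signed it
        X509Certificate[] certificateChain = { issuedCertificate, getRootCertificate() };
        LOG.debug("returning temp. certificate : {}", issuedCertificate);
        return new KeyCertBundle(bundleName, certificateChain, issuedCertificate, localKeyPair.getPrivate());
    } catch (IOException e) {
        // certificate creation failed with an exception not inheriting from 'GeneralSecurityException'
        throw new GeneralSecurityException(e);
    }
}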

Example 2 with KeyCertBundle

Use of de.trustable.ca3s.cert.bundle.KeyCertBundle in project ca3sCore by kuehne-trustable-de.

Class BundleCertHolder, method createKeyBundle.

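/**
 * Creates a new TLS key/certificate bundle for the local host by having the
 * configured CA sign a CSR.
 *
 * <p>A fresh RSA key pair is generated; a PKCS#10 request for the canonical local
 * host name (as CN, optionally followed by {@code dnSuffix}) with the SANs derived
 * from {@code sans} and the non-critical serverAuth extended key usage is built via
 * {@code CryptoUtil.getCsr}, PEM-encoded and submitted through {@code cacAdapt}.
 * The resulting certificate is flagged with {@code ATTRIBUTE_TLS_CERTIFICATE} and
 * returned together with its chain and the private key.
 *
 * @param bundleName         name stored in the returned bundle
 * @param minValiditySeconds NOTE(review): not used here; the validity of the
 *                           issued certificate is determined by the CA — confirm
 *                           whether it should be passed along
 * @return holder with the key/cert bundle and the persisted certificate entity
 * @throws GeneralSecurityException if key generation, CSR creation or signing
 *         fails, or if no X.509 chain can be built for the signed certificate;
 *         IO failures are wrapped into it
 */
public BundleCertHolder createKeyBundle(final String bundleName, long minValiditySeconds) throws GeneralSecurityException {
    // Set the key size explicitly instead of relying on the provider default,
    // which differs between providers and JDK versions.
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    keyGen.initialize(2048);
    KeyPair localKeyPair = keyGen.generateKeyPair();
    try {
        InetAddress ip = InetAddress.getLocalHost();
        String hostname = ip.getCanonicalHostName();
        String x500Name = "CN=" + hostname;
        if (!dnSuffix.trim().isEmpty()) {
            x500Name += ", " + dnSuffix;
        }
        X500Principal subject = new X500Principal(x500Name);
        LOG.debug("requesting certificate for subject : {}", subject.getName());
        GeneralName[] sanArray = CertificateUtil.splitSANString(sans, hostname);
        // extension list in the map form expected by CryptoUtil.getCsr:
        // a non-critical extendedKeyUsage holding id-kp-serverAuth
        List<Map<String, Object>> extensions = new ArrayList<>();
        Map<String, Object> serverAuthMap = new HashMap<>();
        serverAuthMap.put("oid", Extension.extendedKeyUsage.getId());
        serverAuthMap.put("critical", Boolean.FALSE);
        List<String> valList = new ArrayList<>();
        valList.add(KeyPurposeId.id_kp_serverAuth.getId());
        serverAuthMap.put("value", valList);
        extensions.add(serverAuthMap);
        PKCS10CertificationRequest req = CryptoUtil.getCsr(subject, localKeyPair.getPublic(), localKeyPair.getPrivate(), null, extensions, sanArray);
        String csrBase64 = CryptoUtil.pkcs10RequestToPem(req);
        Certificate cert = cacAdapt.signCertificateRequest(csrBase64, caConfigDao);
        certUtil.setCertAttribute(cert, CertificateAttribute.ATTRIBUTE_TLS_CERTIFICATE, "true");
        // build the chain; fail explicitly instead of indexing into an empty array below
        X509Certificate[] certificateChain = certUtil.getX509CertificateChain(cert);
        if (certificateChain == null || certificateChain.length == 0) {
            throw new GeneralSecurityException("no X.509 chain available for newly signed certificate " + cert.getId());
        }
        LOG.debug("returning new certificate : {}", certificateChain[0]);
        return new BundleCertHolder(new KeyCertBundle(bundleName, certificateChain, certificateChain[0], localKeyPair.getPrivate()), cert);
    } catch (IOException e) {
        // certificate creation failed with an exception not inheriting from 'GeneralSecurityException'
        throw new GeneralSecurityException(e);
    }
}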

Example 3 with KeyCertBundle

Use of de.trustable.ca3s.cert.bundle.KeyCertBundle in project ca3sCore by kuehne-trustable-de.

Class BundleCertHolder, method newDBKeyBundle.

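/**
 * Returns the TLS key/certificate bundle backed by the database, creating and
 * persisting a new one if no active TLS certificate exists yet.
 *
 * <p>If the repository yields no active TLS certificate, {@code createKeyBundle}
 * is called, the new private key is stored via {@code certUtil.storePrivateKey}
 * and the certificate is flagged with {@code ATTRIBUTE_TLS_KEY}. Otherwise the
 * first active certificate is loaded together with its chain and stored private key.
 *
 * @param bundleName         name stored in the returned bundle
 * @param minValiditySeconds passed through to {@code createKeyBundle} when a new
 *                           certificate has to be created
 * @return the bundle holding the chain, the end-entity certificate and the private key
 * @throws GeneralSecurityException if creating, storing or loading the key material
 *         fails, or if no X.509 chain can be built for the stored certificate
 */
public KeyCertBundle newDBKeyBundle(final String bundleName, long minValiditySeconds) throws GeneralSecurityException {
    List<Certificate> certDaoList = certificateRepository.findActiveTLSCertificate();
    if (certDaoList.isEmpty()) {
        LOG.debug("Creating new TLS certificate.");
        BundleCertHolder bundleCertHolder = createKeyBundle(bundleName, minValiditySeconds);
        KeyCertBundle keyCertBundle = bundleCertHolder.getKeyCertBundle();
        // re-pair the public key from the certificate with the freshly generated private key
        KeyPair keyPair = new KeyPair(keyCertBundle.getCertificate().getPublicKey(), (PrivateKey) keyCertBundle.getKey());
        try {
            certUtil.storePrivateKey(bundleCertHolder.getCertificate(), keyPair);
            certUtil.setCertAttribute(bundleCertHolder.getCertificate(), CertificateAttribute.ATTRIBUTE_TLS_KEY, "true");
        } catch (IOException e) {
            LOG.warn("problem storing key and certificate ", e);
            // keep the original message but preserve the cause, consistent with
            // the wrapping done by the other bundle methods
            throw new GeneralSecurityException(e.getMessage(), e);
        }
        return keyCertBundle;
    }
    // NOTE(review): if several active TLS certificates exist, the first one returned
    // by the repository query is used — confirm the query's ordering is deterministic
    Certificate certificate = certDaoList.get(0);
    LOG.debug("Found TLS certificate {} in database.", certificate.getId());
    X509Certificate[] certificateChain = certUtil.getX509CertificateChain(certificate);
    // fail explicitly instead of indexing into an empty array below
    if (certificateChain == null || certificateChain.length == 0) {
        throw new GeneralSecurityException("no X.509 chain available for TLS certificate " + certificate.getId());
    }
    PrivateKey privateKey = certUtil.getPrivateKey(certificate);
    return new KeyCertBundle(bundleName, certificateChain, certificateChain[0], privateKey);
}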
