
Example 31 with GeneralNames

use of org.apache.harmony.security.x509.GeneralNames in project apiRecord by tobecoder2015.

From the class CertUtil, method genCert.

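/**
 * Generates a leaf certificate for {@code host} on the fly and signs it with the CA key.
 *
 * <p>The subject DN is derived from the CA's issuer DN by replacing the CN component with
 * {@code host}; every other component is copied unchanged. The certificate carries a
 * SubjectAlternativeName (dNSName) extension and is signed with SHA-256/RSA, both of which
 * Chrome requires before it treats the certificate as trusted.
 *
 * @param issuer       issuer DN of the CA as a comma-separated string ("C=CN, ..., CN=...")
 * @param serverPubKey public key embedded in the generated certificate
 * @param caPriKey     CA private key used to sign the certificate
 * @param caPubKey     CA public key used to verify the fresh signature before returning
 * @param host         host name placed in the subject CN and in the SAN dNSName entry
 * @return the signed certificate, already checked for validity and signature
 * @throws IllegalArgumentException if {@code host} is null, empty or contains a DN separator
 * @throws Exception if generation, the validity check or signature verification fails
 */
public static X509Certificate genCert(String issuer, PublicKey serverPubKey, PrivateKey caPriKey, PublicKey caPubKey, String host) throws Exception {
    // A host name can never legally contain ',' or '='; rejecting them keeps a caller-supplied
    // value from injecting extra components into the subject DN built below.
    if (host == null || host.isEmpty() || host.indexOf(',') >= 0 || host.indexOf('=') >= 0) {
        throw new IllegalArgumentException("invalid host for certificate subject: " + host);
    }
    // Derive the subject DN from the CA's issuer DN: only the CN component is replaced by host.
    // The split limit of 2 keeps a value that itself contains '=' intact.
    String subject = Arrays.stream(issuer.split(", ")).map((dn) -> {
        String[] temp = dn.split("=", 2);
        if (temp[0].equalsIgnoreCase("CN")) {
            return temp[0] + "=" + host;
        }
        return dn;
    }).collect(Collectors.joining(", "));
    X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
    v3CertGen.reset();
    // RFC 5280 requires a unique positive serial per CA. A millisecond timestamp collides when
    // two certificates are minted in the same millisecond and is trivially guessable; 159 random
    // bits yield a positive value that fits within the 20-octet serial limit.
    v3CertGen.setSerialNumber(new BigInteger(159, new SecureRandom()));
    v3CertGen.setIssuerDN(new X509Principal(issuer));
    // Back-date notBefore slightly to tolerate client clock skew.
    v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 10 * ONE_DAY));
    // NOTE(review): current browsers reject leaf certificates valid for more than 398 days;
    // the ten-year lifetime here may need shortening for newer clients.
    v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + 3650 * ONE_DAY));
    v3CertGen.setSubjectDN(new X509Principal(subject));
    v3CertGen.setPublicKey(serverPubKey);
    // SHA-256: Chrome flags SHA-1 signed certificates as insecure.
    v3CertGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
    // SAN extension: Chrome ignores the subject CN and requires a matching dNSName entry.
    GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.dNSName, host));
    v3CertGen.addExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);
    X509Certificate cert = v3CertGen.generateX509Certificate(caPriKey);
    // Fail fast if the freshly minted certificate is not currently valid or its signature
    // does not verify under the CA public key the caller expects.
    cert.checkValidity(new Date());
    cert.verify(caPubKey);
    return cert;
}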

Example 32 with GeneralNames

use of org.apache.harmony.security.x509.GeneralNames in project Bytecoder by mirkosertic.

From the class ForwardState, method updateState.

/**
 * Updates this forward-building state with the next certificate appended to the path.
 *
 * <p>Records the certificate and its issuer, raises the "key parameters needed" flag when the
 * public key is a DSA key without parameters, counts non-self-issued intermediate CA
 * certificates, and — for the end-entity certificate or any non-self-issued certificate — adds
 * the subject name and every subjectAltName entry to the set of names traversed so far.
 * A {@code null} certificate leaves the state untouched.
 *
 * @param cert the certificate used to update the state; may be {@code null}
 * @throws CertificateException if {@code cert} cannot be converted to an {@code X509CertImpl}
 * @throws IOException retained from the overridden signature; not raised by this body
 * @throws CertPathValidatorException if the subjectAltName extension cannot be decoded
 */
@Override
public void updateState(X509Certificate cert) throws CertificateException, IOException, CertPathValidatorException {
    if (cert == null) {
        return;
    }
    X509CertImpl impl = X509CertImpl.toImpl(cert);
    /* a DSA key that carries no parameters must inherit them from its issuer */
    if (PKIX.isDSAPublicKeyWithoutParams(impl.getPublicKey())) {
        keyParamsNeededFlag = true;
    }
    this.cert = impl;
    issuerDN = cert.getIssuerX500Principal();
    boolean selfIssued = X509CertImpl.isSelfIssued(cert);
    /* only non-self-issued intermediate CA certs count toward the path length */
    if (!selfIssued && !init && cert.getBasicConstraints() != -1) {
        traversedCACerts++;
    }
    /* names are collected for the EE cert and for every non-self-issued cert */
    if (init || !selfIssued) {
        subjectNamesTraversed.add(X500Name.asX500Name(cert.getSubjectX500Principal()));
        try {
            SubjectAlternativeNameExtension sanExt = impl.getSubjectAlternativeNameExtension();
            if (sanExt != null) {
                GeneralNames altNames = sanExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
                for (GeneralName altName : altNames.names()) {
                    subjectNamesTraversed.add(altName.getName());
                }
            }
        } catch (IOException e) {
            if (debug != null) {
                debug.println("ForwardState.updateState() unexpected exception");
                e.printStackTrace();
            }
            throw new CertPathValidatorException(e);
        }
    }
    init = false;
}

Example 33 with GeneralNames

use of org.apache.harmony.security.x509.GeneralNames in project Bytecoder by mirkosertic.

From the class Builder, method targetDistance.

/**
 * Determine how close a given certificate gets you toward
 * a given target.
 *
 * <p>Side effect: when {@code constraints} is non-null and the candidate
 * certificate carries a NameConstraints extension, that extension is
 * merged into {@code constraints} in place. Callers that need the
 * original constraints afterwards must pass a copy.
 *
 * @param constraints Current NameConstraints; if null,
 *        then caller must verify NameConstraints
 *        independently, realizing that this certificate
 *        may not actually lead to the target at all.
 *        Modified in place when non-null (see above).
 * @param cert Candidate certificate for chain
 * @param target GeneralNameInterface name of target
 * @return distance from this certificate to target:
 * <ul>
 * <li>-1 means certificate could be CA for target, but
 *     there are no NameConstraints limiting how close
 * <li> 0 means certificate subject or subjectAltName
 *      matches target
 * <li> 1 means certificate is permitted to be CA for
 *      target.
 * <li> 2 means certificate is permitted to be CA for
 *      parent of target.
 * <li>&gt;0 in general, means certificate is permitted
 *     to be a CA for this distance higher in the naming
 *     hierarchy than the target, plus 1.
 * </ul>
 * <p>Note that the subject and/or subjectAltName of the
 * candidate cert does not have to be an ancestor of the
 * target in order to be a CA that can issue a certificate to
 * the target. In these cases, the target distance is calculated
 * by inspecting the NameConstraints extension in the candidate
 * certificate. For example, suppose the target is an X.500 DN with
 * a value of "CN=mullan,OU=ireland,O=sun,C=us" and the
 * NameConstraints extension in the candidate certificate
 * includes a permitted component of "O=sun,C=us", which implies
 * that the candidate certificate is allowed to issue certs in
 * the "O=sun,C=us" namespace. The target distance is 3
 * ((distance of permitted NC from target) + 1).
 * The (+1) is added to distinguish the result from the case
 * which returns (0).
 * @throws IOException if the certificate violates the existing name
 *         constraints, cannot be converted to an X509CertImpl, or its
 *         merged name constraints do not permit the target
 */
static int targetDistance(NameConstraintsExtension constraints, X509Certificate cert, GeneralNameInterface target) throws IOException {
    /* ensure that certificate satisfies existing name constraints */
    if (constraints != null && !constraints.verify(cert)) {
        throw new IOException("certificate does not satisfy existing name " + "constraints");
    }
    X509CertImpl certImpl;
    try {
        certImpl = X509CertImpl.toImpl(cert);
    } catch (CertificateException e) {
        /* keep the cause so a caller can see why the conversion failed */
        throw new IOException("Invalid certificate", e);
    }
    /* see if certificate subject matches target */
    X500Name subject = X500Name.asX500Name(certImpl.getSubjectX500Principal());
    if (subject.equals(target)) {
        /* match! */
        return 0;
    }
    SubjectAlternativeNameExtension altNameExt = certImpl.getSubjectAlternativeNameExtension();
    if (altNameExt != null) {
        GeneralNames altNames = altNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
        /* see if any alternative name matches target */
        if (altNames != null) {
            for (int j = 0, n = altNames.size(); j < n; j++) {
                GeneralNameInterface altName = altNames.get(j).getName();
                if (altName.equals(target)) {
                    return 0;
                }
            }
        }
    }
    /* no exact match; see if certificate can get us to target */
    /* first, get NameConstraints out of certificate */
    NameConstraintsExtension ncExt = certImpl.getNameConstraintsExtension();
    if (ncExt == null) {
        return -1;
    }
    /* merge certificate's NameConstraints with current NameConstraints */
    if (constraints != null) {
        /* NOTE: mutates the caller's object; the merged result is what is verified below */
        constraints.merge(ncExt);
    } else {
        // Make sure we do a clone here, because we're probably
        // going to modify this object later and we don't want to
        // be sharing it with a Certificate object!
        constraints = (NameConstraintsExtension) ncExt.clone();
    }
    if (debug != null) {
        debug.println("Builder.targetDistance() merged constraints: " + String.valueOf(constraints));
    }
    /* reduce permitted by excluded */
    GeneralSubtrees permitted = constraints.get(NameConstraintsExtension.PERMITTED_SUBTREES);
    GeneralSubtrees excluded = constraints.get(NameConstraintsExtension.EXCLUDED_SUBTREES);
    if (permitted != null) {
        permitted.reduce(excluded);
    }
    if (debug != null) {
        debug.println("Builder.targetDistance() reduced constraints: " + permitted);
    }
    /* see if new merged constraints allow target */
    if (!constraints.verify(target)) {
        throw new IOException("New certificate not allowed to sign " + "certificate for target");
    }
    /* find distance to target, if any, in permitted */
    if (permitted == null) {
        /* certificate is unconstrained; could sign for anything */
        return -1;
    }
    for (int i = 0, n = permitted.size(); i < n; i++) {
        GeneralNameInterface perName = permitted.get(i).getName().getName();
        /* presumably a negative distance means this permitted subtree does not cover target */
        int distance = distance(perName, target, -1);
        if (distance >= 0) {
            /* +1 keeps a permitted-subtree hit distinct from the exact match (0) above */
            return (distance + 1);
        }
    }
    /* no matching type in permitted; cert holder could certify target */
    return -1;
}

Example 34 with GeneralNames

use of org.apache.harmony.security.x509.GeneralNames in project keystore-explorer by kaikramer.

From the class DAuthorityKeyIdentifier, method prepopulateWithValue.

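/**
 * Fills the dialog widgets from a DER-encoded AuthorityKeyIdentifier extension value.
 *
 * <p>Each of the three optional components (keyIdentifier, authorityCertIssuer,
 * authorityCertSerialNumber) is copied into its widget only when present in the encoding.
 *
 * @param value DER encoding of the AuthorityKeyIdentifier extension
 * @throws IOException retained from the original signature; the parsing call itself is
 *         not known to raise it
 */
private void prepopulateWithValue(byte[] value) throws IOException {
    AuthorityKeyIdentifier akid = AuthorityKeyIdentifier.getInstance(value);
    if (akid.getKeyIdentifier() != null) {
        jkiKeyIdentifier.setKeyIdentifier(akid.getKeyIdentifier());
    }
    GeneralNames authorityCertIssuer = akid.getAuthorityCertIssuer();
    if (authorityCertIssuer != null) {
        jgnAuthorityCertIssuer.setGeneralNames(authorityCertIssuer);
    }
    BigInteger authorityCertSerialNumber = akid.getAuthorityCertSerialNumber();
    if (authorityCertSerialNumber != null) {
        // Serial numbers may be up to 20 octets (RFC 5280); longValue() would silently
        // truncate anything beyond 64 bits and display a wrong value, so render the
        // full decimal representation.
        jtfAuthorityCertSerialNumber.setText(authorityCertSerialNumber.toString());
        jtfAuthorityCertSerialNumber.setCaretPosition(0);
    }
}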

Example 35 with GeneralNames

use of org.apache.harmony.security.x509.GeneralNames in project keystore-explorer by kaikramer.

From the class DSubjectAlternativeName, method okPressed.

/**
 * Handles the OK button: validates that at least one alternative name was entered,
 * DER-encodes the names into {@code value}, and closes the dialog.
 *
 * <p>An empty name list shows a warning and keeps the dialog open; an encoding failure
 * is reported through a {@code DError} dialog and likewise leaves this dialog open.
 */
private void okPressed() {
    GeneralNames sanNames = jgnAlternativeName.getGeneralNames();
    boolean nothingEntered = sanNames.getNames().length == 0;
    if (nothingEntered) {
        JOptionPane.showMessageDialog(this, res.getString("DSubjectAlternativeName.ValueReq.message"), getTitle(), JOptionPane.WARNING_MESSAGE);
        return;
    }
    try {
        value = sanNames.getEncoded(ASN1Encoding.DER);
    } catch (IOException encodeFailure) {
        DError errorDialog = new DError(this, encodeFailure);
        errorDialog.setLocationRelativeTo(this);
        errorDialog.setVisible(true);
        return;
    }
    closeDialog();
}
