use of org.apache.harmony.security.x509.GeneralNames in project candlepin by candlepin.
the class BouncyCastlePKIUtility method createX509Certificate.
@Override
public X509Certificate createX509Certificate(String dn, Set<X509ExtensionWrapper> extensions, Set<X509ByteExtensionWrapper> byteExtensions, Date startDate, Date endDate, KeyPair clientKeyPair, BigInteger serialNumber, String alternateName) throws GeneralSecurityException, IOException {
X509Certificate caCert = reader.getCACert();
byte[] publicKeyEncoded = clientKeyPair.getPublic().getEncoded();
X509v3CertificateBuilder certGen = new X509v3CertificateBuilder(X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()), serialNumber, startDate, endDate, new X500Name(dn), SubjectPublicKeyInfo.getInstance(publicKeyEncoded));
// set key usage - required for proper x509 function
KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment);
// add SSL extensions - required for proper x509 function
NetscapeCertType certType = new NetscapeCertType(NetscapeCertType.sslClient | NetscapeCertType.smime);
certGen.addExtension(MiscObjectIdentifiers.netscapeCertType, false, certType);
certGen.addExtension(Extension.keyUsage, false, keyUsage);
JcaX509ExtensionUtils extensionUtil = new JcaX509ExtensionUtils();
AuthorityKeyIdentifier aki = extensionUtil.createAuthorityKeyIdentifier(caCert);
certGen.addExtension(Extension.authorityKeyIdentifier, false, aki.getEncoded());
certGen.addExtension(Extension.subjectKeyIdentifier, false, subjectKeyWriter.getSubjectKeyIdentifier(clientKeyPair, extensions));
certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
// Add an additional alternative name if provided.
if (alternateName != null) {
/*
Why add the certificate subject again as an alternative name? RFC 6125 Section 6.4.4
stipulates that if SANs are provided, a validator MUST use them instead of the certificate
subject. If no SANs are present, the RFC allows the validator to use the subject field. So,
if we do have an SAN to add, we need to add the subject field again as an SAN.
See http://stackoverflow.com/questions/5935369 and
https://tools.ietf.org/html/rfc6125#section-6.4.4 and
NB: These extensions should *not* be marked critical since the subject field is not empty.
*/
GeneralName subject = new GeneralName(GeneralName.directoryName, dn);
GeneralName name = new GeneralName(GeneralName.directoryName, "CN=" + alternateName);
ASN1Encodable[] altNameArray = { subject, name };
GeneralNames altNames = GeneralNames.getInstance(new DERSequence(altNameArray));
certGen.addExtension(Extension.subjectAlternativeName, false, altNames);
}
if (extensions != null) {
for (X509ExtensionWrapper wrapper : extensions) {
// Bouncycastle hates null values. So, set them to blank
// if they are null
String value = wrapper.getValue() == null ? "" : wrapper.getValue();
certGen.addExtension(wrapper.toASN1Primitive(), wrapper.isCritical(), new DERUTF8String(value));
}
}
if (byteExtensions != null) {
for (X509ByteExtensionWrapper wrapper : byteExtensions) {
// Bouncycastle hates null values. So, set them to blank
// if they are null
byte[] value = wrapper.getValue() == null ? new byte[0] : wrapper.getValue();
certGen.addExtension(wrapper.toASN1Primitive(), wrapper.isCritical(), new DEROctetString(value));
}
}
JcaContentSignerBuilder builder = new JcaContentSignerBuilder(SIGNATURE_ALGO).setProvider(BC_PROVIDER);
ContentSigner signer;
try {
signer = builder.build(reader.getCaKey());
} catch (OperatorCreationException e) {
throw new IOException(e);
}
// Generate the certificate
return new JcaX509CertificateConverter().getCertificate(certGen.build(signer));
}
use of org.apache.harmony.security.x509.GeneralNames in project credhub by cloudfoundry-incubator.
the class CertificateReaderTest method returnsParametersCorrectly.
@Test
public void returnsParametersCorrectly() {
final String distinguishedName = "O=test-org, ST=Jupiter, C=MilkyWay, CN=test-common-name, OU=test-org-unit, L=Europa";
final GeneralNames generalNames = new GeneralNames(new GeneralName(GeneralName.dNSName, "SolarSystem"));
CertificateReader certificateReader = new CertificateReader(CertificateStringConstants.BIG_TEST_CERT);
assertThat(certificateReader.getAlternativeNames(), equalTo(generalNames));
assertThat(asList(certificateReader.getExtendedKeyUsage().getUsages()), containsInAnyOrder(KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth));
assertThat(certificateReader.getKeyUsage().hasUsages(KeyUsage.digitalSignature), equalTo(true));
assertThat(certificateReader.getSubjectName().toString(), equalTo(distinguishedName));
}
use of org.apache.harmony.security.x509.GeneralNames in project jruby-openssl by jruby.
the class X509Cert method uniqueExtensions.
private Collection<X509Extension> uniqueExtensions() {
final Map<ASN1ObjectIdentifier, X509Extension> unique = new LinkedHashMap<ASN1ObjectIdentifier, X509Extension>();
for (X509Extension current : this.extensions) {
final ASN1ObjectIdentifier oid = current.getRealObjectID();
final X509Extension existing = unique.get(oid);
if (existing == null) {
unique.put(oid, current);
continue;
}
// commonly used e.g. with subjectAltName || issuserAltName :
if ("2.5.29.17".equals(oid.getId()) || "2.5.29.18".equals(oid.getId())) {
final ASN1EncodableVector vec = new ASN1EncodableVector();
try {
GeneralName[] n1 = extRealNames(existing);
for (int i = 0; i < n1.length; i++) vec.add(n1[i]);
GeneralName[] n2 = extRealNames(current);
for (int i = 0; i < n2.length; i++) vec.add(n2[i]);
GeneralNames nn = GeneralNames.getInstance(new DLSequence(vec));
final X509Extension existingDup = existing.clone();
existingDup.setRealValue(nn);
unique.put(oid, existingDup);
} catch (IOException ex) {
throw getRuntime().newIOErrorFromException(ex);
}
continue;
}
// TODO do we need special care for any others here ?!?
final ASN1EncodableVector vec = new ASN1EncodableVector();
try {
final ASN1Encodable existingValue = existing.getRealValue();
if (existingValue instanceof ASN1Sequence) {
final ASN1Sequence seq = (ASN1Sequence) existingValue;
for (int i = 0; i < seq.size(); i++) {
vec.add(seq.getObjectAt(i));
}
} else {
vec.add(existingValue);
}
vec.add(current.getRealValue());
// existing.setRealValue( new DLSequence(vec) );
final X509Extension existingDup = existing.clone();
existingDup.setRealValue(new DLSequence(vec));
unique.put(oid, existingDup);
} catch (IOException ex) {
throw getRuntime().newIOErrorFromException(ex);
}
}
return unique.values();
}
use of org.apache.harmony.security.x509.GeneralNames in project certmgr by hdecarne.
the class CRLDistributionPointsController method init.
/**
* Initialize the dialog with existing extension data.
*
* @param data The extension data to use.
* @param expertMode Whether to run in expert mode ({@code true}) or not ({@code false}).
* @return This controller.
*/
public CRLDistributionPointsController init(CRLDistributionPointsExtensionData data, boolean expertMode) {
init(expertMode);
this.ctlCritical.setSelected(data.getCritical());
ObservableList<GeneralName> nameItems = this.ctlNames.getItems();
for (DistributionPoint distributionPoint : data) {
DistributionPointName distributionPointName = distributionPoint.getName();
if (distributionPointName != null) {
GeneralNames names = distributionPointName.getFullName();
if (names != null) {
for (GeneralName name : names) {
nameItems.add(name);
}
}
break;
}
}
return this;
}
use of org.apache.harmony.security.x509.GeneralNames in project certmgr by hdecarne.
the class CRLDistributionPointsController method validateAndGetDistributionPoint.
private DistributionPoint validateAndGetDistributionPoint() throws ValidationException {
GeneralNames names = new GeneralNames();
int nameCount = 0;
for (GeneralName name : this.ctlNames.getItems()) {
names.addName(name);
nameCount++;
}
InputValidator.isTrue(nameCount > 0, CRLDistributionPointsI18N::formatSTR_MESSAGE_NO_NAMES);
return new DistributionPoint(new DistributionPointName(names));
}
Aggregations