Examples with BasicConstraints org.bouncycastle.asn1.x509.BasicConstraints used on opensource projects

Example 56 with BasicConstraints

use of org.bouncycastle.asn1.x509.BasicConstraints in project credhub by cloudfoundry.

the class CertificateReader method isCa.

public boolean isCa() {
    final Extensions extensions = certificateHolder.getExtensions();
    BasicConstraints basicConstraints = null;
    if (extensions != null) {
        basicConstraints = BasicConstraints.fromExtensions(Extensions.getInstance(extensions));
    }
    return basicConstraints != null && basicConstraints.isCA();
}

Example 57 with BasicConstraints

use of org.bouncycastle.asn1.x509.BasicConstraints in project athenz by AthenZ.

the class Crypto method generateX509Certificate.

public static X509Certificate generateX509Certificate(PKCS10CertificationRequest certReq, PrivateKey caPrivateKey, X500Name issuer, int validityTimeout, boolean basicConstraints) {
    // set validity for the given number of minutes from now
    Date notBefore = new Date();
    Calendar cal = Calendar.getInstance();
    cal.setTime(notBefore);
    cal.add(Calendar.MINUTE, validityTimeout);
    Date notAfter = cal.getTime();
    // Generate self-signed certificate
    X509Certificate cert;
    try {
        JcaPKCS10CertificationRequest jcaPKCS10CertificationRequest = new JcaPKCS10CertificationRequest(certReq);
        PublicKey publicKey = jcaPKCS10CertificationRequest.getPublicKey();
        X509v3CertificateBuilder caBuilder = new JcaX509v3CertificateBuilder(issuer, BigInteger.valueOf(System.currentTimeMillis()), notBefore, notAfter, certReq.getSubject(), publicKey).addExtension(Extension.basicConstraints, false, new BasicConstraints(basicConstraints)).addExtension(Extension.keyUsage, true, new X509KeyUsage(X509KeyUsage.digitalSignature | X509KeyUsage.keyEncipherment)).addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth }));
        // see if we have the dns/rfc822/ip address extensions specified in the csr
        ArrayList<GeneralName> altNames = new ArrayList<>();
        Attribute[] certAttributes = jcaPKCS10CertificationRequest.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
        if (certAttributes != null && certAttributes.length > 0) {
            for (Attribute attribute : certAttributes) {
                Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
                GeneralNames gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);
                // /CLOVER:OFF
                if (gns == null) {
                    continue;
                }
                // /CLOVER:ON
                GeneralName[] names = gns.getNames();
                for (GeneralName name : names) {
                    switch(name.getTagNo()) {
                        case GeneralName.dNSName:
                        case GeneralName.iPAddress:
                        case GeneralName.rfc822Name:
                        case GeneralName.uniformResourceIdentifier:
                            altNames.add(name);
                            break;
                    }
                }
            }
            if (!altNames.isEmpty()) {
                caBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(altNames.toArray(new GeneralName[0])));
            }
        }
        String signatureAlgorithm = getSignatureAlgorithm(caPrivateKey.getAlgorithm(), SHA256);
        ContentSigner caSigner = new JcaContentSignerBuilder(signatureAlgorithm).setProvider(BC_PROVIDER).build(caPrivateKey);
        JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BC_PROVIDER);
        cert = converter.getCertificate(caBuilder.build(caSigner));
    // /CLOVER:OFF
    } catch (CertificateException ex) {
        LOG.error("generateX509Certificate: Caught CertificateException when generating certificate: " + ex.getMessage());
        throw new CryptoException(ex);
    } catch (OperatorCreationException ex) {
        LOG.error("generateX509Certificate: Caught OperatorCreationException when creating JcaContentSignerBuilder: " + ex.getMessage());
        throw new CryptoException(ex);
    } catch (InvalidKeyException ex) {
        LOG.error("generateX509Certificate: Caught InvalidKeySpecException, invalid key spec is being used: " + ex.getMessage());
        throw new CryptoException(ex);
    } catch (NoSuchAlgorithmException ex) {
        LOG.error("generateX509Certificate: Caught NoSuchAlgorithmException, check to make sure the algorithm is supported by the provider: " + ex.getMessage());
        throw new CryptoException(ex);
    } catch (Exception ex) {
        LOG.error("generateX509Certificate: unable to generate X509 Certificate: {}", ex.getMessage());
        throw new CryptoException("Unable to generate X509 Certificate");
    }
    // /CLOVER:ON
    return cert;
}

Example 58 with BasicConstraints

use of org.bouncycastle.asn1.x509.BasicConstraints in project nomulus by google.

the class SelfSignedCaCertificate method createCaCert.

/**
 * Returns a self-signed Certificate Authority (CA) certificate.
 */
static X509Certificate createCaCert(KeyPair keyPair, String fqdn, Date from, Date to) throws Exception {
    X500Name owner = new X500Name("CN=" + fqdn);
    String publicKeyAlg = keyPair.getPublic().getAlgorithm();
    checkArgument(KEY_SIGNATURE_ALGS.containsKey(publicKeyAlg), "Unexpected public key algorithm");
    String signatureAlgorithm = KEY_SIGNATURE_ALGS.get(publicKeyAlg);
    ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate());
    X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(owner, new BigInteger(64, RANDOM), from, to, owner, keyPair.getPublic());
    // Mark cert as CA by adding basicConstraint with cA=true to the builder
    BasicConstraints basicConstraints = new BasicConstraints(true);
    builder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, basicConstraints);
    X509CertificateHolder certHolder = builder.build(signer);
    return new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(certHolder);
}

Example 59 with BasicConstraints

use of org.bouncycastle.asn1.x509.BasicConstraints in project fabric-sdk-java by hyperledger.

the class TLSCertificateBuilder method createSelfSignedCertificate.

private X509Certificate createSelfSignedCertificate(CertType certType, KeyPair keyPair, String san) throws Exception {
    X509v3CertificateBuilder certBuilder = createCertBuilder(keyPair);
    // Basic constraints
    BasicConstraints constraints = new BasicConstraints(false);
    certBuilder.addExtension(Extension.basicConstraints, true, constraints.getEncoded());
    // Key usage
    KeyUsage usage = new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature);
    certBuilder.addExtension(Extension.keyUsage, false, usage.getEncoded());
    // Extended key usage
    certBuilder.addExtension(Extension.extendedKeyUsage, false, certType.keyUsage().getEncoded());
    if (san != null) {
        addSAN(certBuilder, san);
    }
    ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate());
    X509CertificateHolder holder = certBuilder.build(signer);
    JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
    converter.setProvider(new BouncyCastleProvider());
    return converter.getCertificate(holder);
}

Example 60 with BasicConstraints

use of org.bouncycastle.asn1.x509.BasicConstraints in project MaxKey by dromara.

the class X509V3CertGen method genV3Certificate.

public static X509Certificate genV3Certificate(String issuerName, String subjectName, Date notBefore, Date notAfter, KeyPair keyPair) throws Exception {
    // issuer same as  subject is CA
    BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
    X500Name x500Name = new X500Name(issuerName);
    X500Name subject = new X500Name(subjectName);
    PublicKey publicKey = keyPair.getPublic();
    PrivateKey privateKey = keyPair.getPrivate();
    SubjectPublicKeyInfo subjectPublicKeyInfo = null;
    ASN1InputStream publicKeyInputStream = null;
    try {
        publicKeyInputStream = new ASN1InputStream(publicKey.getEncoded());
        Object aiStream = publicKeyInputStream.readObject();
        subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(aiStream);
    } catch (IOException e1) {
        e1.printStackTrace();
    } finally {
        if (publicKeyInputStream != null)
            publicKeyInputStream.close();
    }
    X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(x500Name, serial, notBefore, notAfter, subject, subjectPublicKeyInfo);
    ContentSigner sigGen = new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(privateKey);
    // certBuilder.addExtension(X509Extensions.BasicConstraints,  true, new BasicConstraints(false));
    // certBuilder.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature| KeyUsage.keyEncipherment));
    // certBuilder.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
    // certBuilder.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(new GeneralName(GeneralName.rfc822Name, "connsec@163.com")));
    X509CertificateHolder x509CertificateHolder = certBuilder.build(sigGen);
    CertificateFactory certificateFactory = CertificateFactory.class.newInstance();
    InputStream inputStream = new ByteArrayInputStream(x509CertificateHolder.toASN1Structure().getEncoded());
    X509Certificate x509Certificate = (X509Certificate) certificateFactory.engineGenerateCertificate(inputStream);
    inputStream.close();
    return x509Certificate;
}