Example 91 with BasicConstraints

Use of org.bouncycastle.asn1.x509.BasicConstraints in project nifi by apache.

From the class CertificateUtils, method generateIssuedCertificate.

/**
 * Generates an issued {@link X509Certificate} from the given issuer certificate and {@link KeyPair}
 *
 * @param dn the distinguished name to use
 * @param publicKey the public key to issue the certificate to
 * @param extensions extensions extracted from the CSR
 * @param issuer the issuer's certificate
 * @param issuerKeyPair the issuer's keypair
 * @param signingAlgorithm the signing algorithm to use
 * @param days the number of days it should be valid for
 * @return an issued {@link X509Certificate} from the given issuer certificate and {@link KeyPair}
 * @throws CertificateException if there is an error issuing the certificate
 */
public static X509Certificate generateIssuedCertificate(String dn, PublicKey publicKey, Extensions extensions, X509Certificate issuer, KeyPair issuerKeyPair, String signingAlgorithm, int days) throws CertificateException {
    try {
        ContentSigner sigGen = new JcaContentSignerBuilder(signingAlgorithm).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(issuerKeyPair.getPrivate());
        SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
        Date startDate = new Date();
        Date endDate = new Date(startDate.getTime() + TimeUnit.DAYS.toMillis(days));
        X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(reverseX500Name(new X500Name(issuer.getSubjectX500Principal().getName())), getUniqueSerialNumber(), startDate, endDate, reverseX500Name(new X500Name(dn)), subPubKeyInfo);
        certBuilder.addExtension(Extension.subjectKeyIdentifier, false, new JcaX509ExtensionUtils().createSubjectKeyIdentifier(publicKey));
        certBuilder.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(issuerKeyPair.getPublic()));
        // Set certificate extensions
        // (1) keyUsage extension, marked critical: digitalSignature, keyEncipherment, dataEncipherment, keyAgreement, nonRepudiation
        certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement | KeyUsage.nonRepudiation));
        // basicConstraints with cA=false: the issued certificate is an end-entity certificate and must not be used to sign other certificates
        certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
        // (2) extendedKeyUsage extension
        certBuilder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth }));
        // (3) subjectAlternativeName
        if (extensions != null && extensions.getExtension(Extension.subjectAlternativeName) != null) {
            certBuilder.addExtension(Extension.subjectAlternativeName, false, extensions.getExtensionParsedValue(Extension.subjectAlternativeName));
        }
        X509CertificateHolder certificateHolder = certBuilder.build(sigGen);
        return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate(certificateHolder);
    } catch (CertIOException | NoSuchAlgorithmException | OperatorCreationException e) {
        throw new CertificateException(e);
    }
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) CertificateException(java.security.cert.CertificateException) X500Name(org.bouncycastle.asn1.x500.X500Name) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) CertIOException(org.bouncycastle.cert.CertIOException) Date(java.util.Date) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)

Example 92 with BasicConstraints

Use of org.bouncycastle.asn1.x509.BasicConstraints in project credhub by cloudfoundry-incubator.

From the class CertificateReader, method isCa.

public boolean isCa() {
    Extensions extensions = certificateHolder.getExtensions();
    BasicConstraints basicConstraints = null;
    if (extensions != null) {
        // fromExtensions returns null when the certificate carries no basicConstraints extension
        basicConstraints = BasicConstraints.fromExtensions(Extensions.getInstance(extensions));
    }
    // A certificate without a basicConstraints extension, or with cA=false, is treated as a non-CA
    return basicConstraints != null && basicConstraints.isCA();
}
Also used : Extensions(org.bouncycastle.asn1.x509.Extensions) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)

Example 93 with BasicConstraints

Use of org.bouncycastle.asn1.x509.BasicConstraints in project credhub by cloudfoundry-incubator.

From the class SignedCertificateGenerator, method getSignedByIssuer.

private X509Certificate getSignedByIssuer(X509Certificate issuerCertificate, PrivateKey issuerKey, X500Principal issuerDn, SubjectKeyIdentifier caSubjectKeyIdentifier, KeyPair keyPair, CertificateGenerationParameters params) throws Exception {
    Instant now = timeProvider.getNow().toInstant();
    BigInteger certificateSerialNumber = serialNumberGenerator.generate();
    BigInteger caSerialNumber = issuerCertificate != null ? issuerCertificate.getSerialNumber() : certificateSerialNumber;
    final JcaX509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(issuerDn, certificateSerialNumber, Date.from(now), Date.from(now.plus(Duration.ofDays(params.getDuration()))), params.getX500Principal(), keyPair.getPublic());
    certificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, getSubjectKeyIdentifierFromKeyInfo(keyPair.getPublic()));
    if (params.getAlternativeNames() != null) {
        certificateBuilder.addExtension(Extension.subjectAlternativeName, false, params.getAlternativeNames());
    }
    if (params.getKeyUsage() != null) {
        certificateBuilder.addExtension(Extension.keyUsage, true, params.getKeyUsage());
    }
    if (params.getExtendedKeyUsage() != null) {
        certificateBuilder.addExtension(Extension.extendedKeyUsage, false, params.getExtendedKeyUsage());
    }
    if (caSubjectKeyIdentifier.getKeyIdentifier() != null) {
        // Self-signed case: no issuer certificate, so the authority key identifier points at the subject's own key
        PublicKey issuerPublicKey = issuerCertificate != null ? issuerCertificate.getPublicKey() : keyPair.getPublic();
        AuthorityKeyIdentifier authorityKeyIdentifier = jcaX509ExtensionUtils.createAuthorityKeyIdentifier(issuerPublicKey, issuerDn, caSerialNumber);
        certificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, authorityKeyIdentifier);
    }
    // basicConstraints is always present and marked critical; cA is taken from the generation parameters
    certificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(params.isCa()));
    ContentSigner contentSigner = jcaContentSignerBuilder.build(issuerKey);
    X509CertificateHolder holder = certificateBuilder.build(contentSigner);
    return jcaX509CertificateConverter.getCertificate(holder);
}
Also used : PublicKey(java.security.PublicKey) Instant(java.time.Instant) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) ContentSigner(org.bouncycastle.operator.ContentSigner) BigInteger(java.math.BigInteger) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)

Example 94 with BasicConstraints

Use of org.bouncycastle.asn1.x509.BasicConstraints in project credhub by cloudfoundry-incubator.

From the class SignedCertificateGeneratorTest, method getSignedByIssuer_generatesACertificateWithTheRightValues.

@Test
public void getSignedByIssuer_generatesACertificateWithTheRightValues() throws Exception {
    X509Certificate generatedCertificate = subject.getSignedByIssuer(generatedCertificateKeyPair, certificateGenerationParameters, certificateAuthorityWithSubjectKeyId, issuerKey.getPrivate());
    assertThat(generatedCertificate.getIssuerDN().getName(), containsString("CN=ca DN"));
    assertThat(generatedCertificate.getIssuerDN().getName(), containsString("O=credhub"));
    assertThat(generatedCertificate.getSerialNumber(), equalTo(BigInteger.valueOf(1337L)));
    assertThat(generatedCertificate.getNotBefore().toString(), equalTo(Date.from(now.toInstant()).toString()));
    assertThat(generatedCertificate.getNotAfter().toString(), equalTo(Date.from(later.toInstant()).toString()));
    assertThat(generatedCertificate.getSubjectDN().toString(), containsString("CN=my cert name"));
    assertThat(generatedCertificate.getPublicKey(), equalTo(generatedCertificateKeyPair.getPublic()));
    assertThat(generatedCertificate.getSigAlgName(), equalTo("SHA256WITHRSA"));
    generatedCertificate.verify(issuerKey.getPublic());
    // getExtensionValue returns the DER OCTET STRING wrapping the extension value; the first two bytes
    // are the OCTET STRING tag and (single-byte) length, so the remainder is the encoded BasicConstraints
    byte[] isCaExtension = generatedCertificate.getExtensionValue(Extension.basicConstraints.getId());
    assertThat(Arrays.copyOfRange(isCaExtension, 2, isCaExtension.length), equalTo(new BasicConstraints(true).getEncoded()));
}
Also used : BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) X509Certificate(java.security.cert.X509Certificate) Test(org.junit.Test)

Example 95 with BasicConstraints

Use of org.bouncycastle.asn1.x509.BasicConstraints in project credhub by cloudfoundry-incubator.

From the class CertificateGeneratorTest, method makeCert.

private X509CertificateHolder makeCert(KeyPair certKeyPair, PrivateKey caPrivateKey, X500Name caDn, X500Name subjectDn, boolean isCa) throws OperatorCreationException, NoSuchAlgorithmException, CertIOException {
    SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(certKeyPair.getPublic().getEncoded());
    ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256withRSA").setProvider(BouncyCastleProvider.PROVIDER_NAME).build(caPrivateKey);
    CurrentTimeProvider currentTimeProvider = new CurrentTimeProvider();
    Instant now = currentTimeProvider.getNow().toInstant();
    X509v3CertificateBuilder x509v3CertificateBuilder = new X509v3CertificateBuilder(caDn, BigInteger.TEN, Date.from(now), Date.from(now.plus(Duration.ofDays(365))), subjectDn, publicKeyInfo);
    // basicConstraints marked critical; isCa decides whether the test certificate may act as a CA
    x509v3CertificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
    return x509v3CertificateBuilder.build(contentSigner);
}
Also used : CurrentTimeProvider(org.cloudfoundry.credhub.util.CurrentTimeProvider) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) Instant(java.time.Instant) ContentSigner(org.bouncycastle.operator.ContentSigner) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
