Example 61 with org.bouncycastle.asn1.x509
use of org.bouncycastle.asn1.x509 in project keystore-explorer by kaikramer.
the class OpenSslPvkUtil method get.
/**
* OpenSSL encode a private key.
*
* @param privateKey The private key
* @return The encoding
* @throws CryptoException Problem encountered while getting the encoded private key
*/
public static byte[] get(PrivateKey privateKey) throws CryptoException {
try {
// DER encoding for each key type is a sequence
ASN1Sequence asn1Sequence = null;
if (privateKey instanceof RSAPrivateCrtKey) {
RSAPrivateCrtKey rsaPrivateKey = (RSAPrivateCrtKey) privateKey;
ASN1EncodableVector vec = new ASN1EncodableVector();
vec.add(new ASN1Integer(VERSION));
vec.add(new ASN1Integer(rsaPrivateKey.getModulus()));
vec.add(new ASN1Integer(rsaPrivateKey.getPublicExponent()));
vec.add(new ASN1Integer(rsaPrivateKey.getPrivateExponent()));
vec.add(new ASN1Integer(rsaPrivateKey.getPrimeP()));
vec.add(new ASN1Integer(rsaPrivateKey.getPrimeQ()));
vec.add(new ASN1Integer(rsaPrivateKey.getPrimeExponentP()));
vec.add(new ASN1Integer(rsaPrivateKey.getPrimeExponentQ()));
vec.add(new ASN1Integer(rsaPrivateKey.getCrtCoefficient()));
asn1Sequence = new DERSequence(vec);
} else if (privateKey instanceof DSAPrivateKey) {
DSAPrivateKey dsaPrivateKey = (DSAPrivateKey) privateKey;
DSAParams dsaParams = dsaPrivateKey.getParams();
BigInteger primeModulusP = dsaParams.getP();
BigInteger primeQ = dsaParams.getQ();
BigInteger generatorG = dsaParams.getG();
BigInteger secretExponentX = dsaPrivateKey.getX();
// Derive public key from private key parts, ie Y = G^X mod P
BigInteger publicExponentY = generatorG.modPow(secretExponentX, primeModulusP);
ASN1EncodableVector vec = new ASN1EncodableVector();
vec.add(new ASN1Integer(VERSION));
vec.add(new ASN1Integer(primeModulusP));
vec.add(new ASN1Integer(primeQ));
vec.add(new ASN1Integer(generatorG));
vec.add(new ASN1Integer(publicExponentY));
vec.add(new ASN1Integer(secretExponentX));
asn1Sequence = new DERSequence(vec);
} else {
ECPrivateKey ecKey = (ECPrivateKey) privateKey;
org.bouncycastle.asn1.sec.ECPrivateKey ecPrivateKey = EccUtil.convertToECPrivateKeyStructure(ecKey);
asn1Sequence = (ASN1Sequence) ecPrivateKey.toASN1Primitive();
}
return asn1Sequence.getEncoded();
} catch (IOException ex) {
throw new CryptoException(res.getString("NoDerEncodeOpenSslPrivateKey.exception.message"), ex);
}
}
Also used :
ECPrivateKey(java.security.interfaces.ECPrivateKey)
RSAPrivateCrtKey(java.security.interfaces.RSAPrivateCrtKey)
ASN1Integer(org.bouncycastle.asn1.ASN1Integer)
DSAParams(java.security.interfaces.DSAParams)
IOException(java.io.IOException)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
DERSequence(org.bouncycastle.asn1.DERSequence)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
DSAPrivateKey(java.security.interfaces.DSAPrivateKey)
BigInteger(java.math.BigInteger)
CryptoException(org.kse.crypto.CryptoException)
Example 62 with org.bouncycastle.asn1.x509
use of org.bouncycastle.asn1.x509 in project keystore-explorer by kaikramer.
the class EccUtil method convertToECPrivateKeyStructure.
/**
* Converts PKCS#8 EC private key (RFC 5208/5958 ASN.1 PrivateKeyInfo structure) to "traditional" OpenSSL
* ASN.1 structure ECPrivateKey from RFC 5915. As ECPrivateKey is already in the PrivateKey field of PrivateKeyInfo,
* this must only be extracted:
* <p>
* SEQUENCE {
* INTEGER 0
* SEQUENCE {
* OBJECT IDENTIFIER ecPublicKey (1 2 840 10045 2 1)
* OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
* }
* OCTET STRING, encapsulates {
* SEQUENCE {
* INTEGER 1
* OCTET STRING
* 17 12 CA 42 16 79 1B 45 ...B.y.E
* ...
* C8 B2 66 0A E5 60 50 0B
* [0] {
* OBJECT IDENTIFIER prime256v1 (1 2 840 10045 3 1 7)
* }
* [1] {
* BIT STRING
* 04 61 C0 08 B4 89 A0 50 .a.....P
* ...
* AE D5 ED C3 4D 0E 47 91 ....M.G.
* 89 .
* }
* }
* }
* }
*
* @param ecPrivateKey An EC key
* @return Object holding ASN1 ECPrivateKey structure
* @throws IOException When ECPrivateKey structure in PrivateKeyInfo's PrivateKey field cannot be parsed
*/
public static org.bouncycastle.asn1.sec.ECPrivateKey convertToECPrivateKeyStructure(ECPrivateKey ecPrivateKey) throws IOException {
PrivateKeyInfo privateKeyInfo = PrivateKeyInfo.getInstance(ecPrivateKey.getEncoded());
ASN1Encodable privateKey = privateKeyInfo.parsePrivateKey();
return org.bouncycastle.asn1.sec.ECPrivateKey.getInstance(privateKey);
}
Also used :
ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable)
PrivateKeyInfo(org.bouncycastle.asn1.pkcs.PrivateKeyInfo)
Example 63 with org.bouncycastle.asn1.x509
use of org.bouncycastle.asn1.x509 in project ddf by codice.
the class CertificateSigningRequestTest method testNewCertificateBuilderWithSan.
@Test
public void testNewCertificateBuilderWithSan() throws Exception {
final DateTime start = DateTime.now().minusDays(1);
final DateTime end = start.plusYears(100);
final KeyPair kp = makeKeyPair();
csr.setSerialNumber(1);
csr.setNotBefore(start);
csr.setNotAfter(end);
csr.setCommonName("A");
csr.setSubjectKeyPair(kp);
csr.addSubjectAlternativeNames("IP:1.2.3.4", "DNS:A");
final X509Certificate issuerCert = mock(X509Certificate.class);
doReturn(new X500Principal("CN=Duke, OU=JavaSoft, O=Sun Microsystems, C=US")).when(issuerCert).getSubjectX500Principal();
final JcaX509v3CertificateBuilder builder = csr.newCertificateBuilder(issuerCert);
final X509CertificateHolder holder = builder.build(new DemoCertificateAuthority().getContentSigner());
assertThat(holder.getSerialNumber(), equalTo(BigInteger.ONE));
assertThat(holder.getNotBefore(), equalTo(new Time(start.toDate()).getDate()));
assertThat(holder.getNotAfter(), equalTo(new Time(end.toDate()).getDate()));
assertThat(holder.getSubject().toString(), equalTo("cn=A"));
assertThat("Unable to validate public key", holder.getSubjectPublicKeyInfo(), equalTo(SubjectPublicKeyInfo.getInstance(kp.getPublic().getEncoded())));
final org.bouncycastle.asn1.x509.Extension csn = holder.getExtension(org.bouncycastle.asn1.x509.Extension.subjectAlternativeName);
assertThat(csn.getParsedValue().toASN1Primitive().getEncoded(ASN1Encoding.DER), equalTo(new GeneralNamesBuilder().addName(new GeneralName(GeneralName.iPAddress, "1.2.3.4")).addName(new GeneralName(GeneralName.dNSName, "A")).build().getEncoded(ASN1Encoding.DER)));
}
Also used :
KeyPair(java.security.KeyPair)
Time(org.bouncycastle.asn1.x509.Time)
DateTime(org.joda.time.DateTime)
DateTime(org.joda.time.DateTime)
X509Certificate(java.security.cert.X509Certificate)
GeneralNamesBuilder(org.bouncycastle.asn1.x509.GeneralNamesBuilder)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
X500Principal(javax.security.auth.x500.X500Principal)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
Test(org.junit.Test)
Example 64 with org.bouncycastle.asn1.x509
use of org.bouncycastle.asn1.x509 in project ddf by codice.
the class KeystoreEditor method addToStore.
private synchronized void addToStore(String alias, String keyPassword, String storePassword, String data, String type, String fileName, String path, String storepass, KeyStore store) throws KeystoreEditorException {
OutputStream fos = null;
try (InputStream inputStream = new ByteArrayInputStream(Base64.getDecoder().decode(data))) {
if (StringUtils.isBlank(alias)) {
throw new IllegalArgumentException(NULL_ALIAS_MSG);
}
Path storeFile = Paths.get(path);
// check the two most common key/cert stores first (pkcs12 and jks)
if (PKCS12_TYPE.equals(type) || StringUtils.endsWithIgnoreCase(fileName, ".p12")) {
// priv key + cert chain
KeyStore pkcs12Store = KeyStore.getInstance("PKCS12");
pkcs12Store.load(inputStream, storePassword.toCharArray());
Certificate[] chain = pkcs12Store.getCertificateChain(alias);
Key key = pkcs12Store.getKey(alias, keyPassword.toCharArray());
if (key != null) {
store.setKeyEntry(alias, key, keyPassword.toCharArray(), chain);
fos = Files.newOutputStream(storeFile);
store.store(fos, storepass.toCharArray());
}
} else if (JKS_TYPE.equals(type) || StringUtils.endsWithIgnoreCase(fileName, ".jks")) {
// java keystore file
KeyStore jks = KeyStore.getInstance("jks");
jks.load(inputStream, storePassword.toCharArray());
Enumeration<String> aliases = jks.aliases();
// we are going to store all entries from the jks regardless of the passed in alias
while (aliases.hasMoreElements()) {
String jksAlias = aliases.nextElement();
if (jks.isKeyEntry(jksAlias)) {
Key key = jks.getKey(jksAlias, keyPassword.toCharArray());
Certificate[] certificateChain = jks.getCertificateChain(jksAlias);
store.setKeyEntry(jksAlias, key, keyPassword.toCharArray(), certificateChain);
} else {
Certificate certificate = jks.getCertificate(jksAlias);
store.setCertificateEntry(jksAlias, certificate);
}
}
fos = Files.newOutputStream(storeFile);
store.store(fos, storepass.toCharArray());
// need to parse der separately from pem, der has the same mime type but is binary hence
// checking both
} else if (DER_TYPE.equals(type) && StringUtils.endsWithIgnoreCase(fileName, ".der")) {
ASN1InputStream asn1InputStream = new ASN1InputStream(inputStream);
ASN1Primitive asn1Primitive = asn1InputStream.readObject();
X509CertificateHolder x509CertificateHolder = new X509CertificateHolder(asn1Primitive.getEncoded());
CertificateFactory certificateFactory = CertificateFactory.getInstance(X509, "BC");
Certificate certificate = certificateFactory.generateCertificate(new ByteArrayInputStream(x509CertificateHolder.getEncoded()));
X500Name x500name = new JcaX509CertificateHolder((X509Certificate) certificate).getSubject();
RDN cn = x500name.getRDNs(BCStyle.CN)[0];
String cnStr = IETFUtils.valueToString(cn.getFirst().getValue());
if (!store.isCertificateEntry(cnStr) && !store.isKeyEntry(cnStr)) {
store.setCertificateEntry(cnStr, certificate);
}
store.setCertificateEntry(alias, certificate);
fos = Files.newOutputStream(storeFile);
store.store(fos, storepass.toCharArray());
// if it isn't one of the stores we support, it might be a key or cert by itself
} else if (isPemParsable(type, fileName)) {
// This is the catch all case for PEM, P7B, etc. with common file extensions if the mime
// type isn't read correctly in the browser
Reader reader = new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8));
PEMParser pemParser = new PEMParser(reader);
Object object;
boolean setEntry = false;
while ((object = pemParser.readObject()) != null) {
if (object instanceof PEMEncryptedKeyPair || object instanceof PEMKeyPair) {
PEMKeyPair pemKeyPair;
if (object instanceof PEMEncryptedKeyPair) {
PEMEncryptedKeyPair pemEncryptedKeyPairKeyPair = (PEMEncryptedKeyPair) object;
JcePEMDecryptorProviderBuilder jcePEMDecryptorProviderBuilder = new JcePEMDecryptorProviderBuilder();
pemKeyPair = pemEncryptedKeyPairKeyPair.decryptKeyPair(jcePEMDecryptorProviderBuilder.build(keyPassword.toCharArray()));
} else {
pemKeyPair = (PEMKeyPair) object;
}
KeyPair keyPair = new JcaPEMKeyConverter().setProvider("BC").getKeyPair(pemKeyPair);
PrivateKey privateKey = keyPair.getPrivate();
Certificate[] chain = store.getCertificateChain(alias);
if (chain == null) {
chain = buildCertChain(alias, store);
}
store.setKeyEntry(alias, privateKey, keyPassword.toCharArray(), chain);
setEntry = true;
} else if (object instanceof X509CertificateHolder) {
X509CertificateHolder x509CertificateHolder = (X509CertificateHolder) object;
CertificateFactory certificateFactory = CertificateFactory.getInstance(X509, "BC");
Certificate certificate = certificateFactory.generateCertificate(new ByteArrayInputStream(x509CertificateHolder.getEncoded()));
X500Name x500name = new JcaX509CertificateHolder((X509Certificate) certificate).getSubject();
RDN cn = x500name.getRDNs(BCStyle.CN)[0];
String cnStr = IETFUtils.valueToString(cn.getFirst().getValue());
if (!store.isCertificateEntry(cnStr) && !store.isKeyEntry(cnStr)) {
store.setCertificateEntry(cnStr, certificate);
}
store.setCertificateEntry(alias, certificate);
setEntry = true;
} else if (object instanceof ContentInfo) {
ContentInfo contentInfo = (ContentInfo) object;
if (contentInfo.getContentType().equals(CMSObjectIdentifiers.envelopedData)) {
CMSEnvelopedData cmsEnvelopedData = new CMSEnvelopedData(contentInfo);
OriginatorInfo originatorInfo = cmsEnvelopedData.getOriginatorInfo().toASN1Structure();
ASN1Set certificates = originatorInfo.getCertificates();
setEntry = importASN1CertificatesToStore(store, setEntry, certificates);
} else if (contentInfo.getContentType().equals(CMSObjectIdentifiers.signedData)) {
SignedData signedData = SignedData.getInstance(contentInfo.getContent());
ASN1Set certificates = signedData.getCertificates();
setEntry = importASN1CertificatesToStore(store, setEntry, certificates);
}
} else if (object instanceof PKCS8EncryptedPrivateKeyInfo) {
PKCS8EncryptedPrivateKeyInfo pkcs8EncryptedPrivateKeyInfo = (PKCS8EncryptedPrivateKeyInfo) object;
Certificate[] chain = store.getCertificateChain(alias);
if (chain == null) {
chain = buildCertChain(alias, store);
}
try {
store.setKeyEntry(alias, pkcs8EncryptedPrivateKeyInfo.getEncoded(), chain);
setEntry = true;
} catch (KeyStoreException keyEx) {
try {
PKCS8Key pkcs8Key = new PKCS8Key(pkcs8EncryptedPrivateKeyInfo.getEncoded(), keyPassword.toCharArray());
store.setKeyEntry(alias, pkcs8Key.getPrivateKey(), keyPassword.toCharArray(), chain);
setEntry = true;
} catch (GeneralSecurityException e) {
LOGGER.info("Unable to add PKCS8 key to keystore with secondary method. Throwing original exception.", e);
throw keyEx;
}
}
}
}
if (setEntry) {
fos = Files.newOutputStream(storeFile);
store.store(fos, storepass.toCharArray());
}
}
} catch (Exception e) {
LOGGER.info("Unable to add entry {} to store", alias, e);
throw new KeystoreEditorException("Unable to add entry " + alias + " to store", e);
} finally {
if (fos != null) {
try {
fos.close();
} catch (IOException ignore) {
}
}
}
init();
}
Also used :
OriginatorInfo(org.bouncycastle.asn1.cms.OriginatorInfo)
PrivateKey(java.security.PrivateKey)
OutputStream(java.io.OutputStream)
FileOutputStream(java.io.FileOutputStream)
Reader(java.io.Reader)
InputStreamReader(java.io.InputStreamReader)
BufferedReader(java.io.BufferedReader)
JcaPEMKeyConverter(org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter)
X500Name(org.bouncycastle.asn1.x500.X500Name)
JcePEMDecryptorProviderBuilder(org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder)
CertificateFactory(java.security.cert.CertificateFactory)
JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder)
PEMParser(org.bouncycastle.openssl.PEMParser)
ContentInfo(org.bouncycastle.asn1.cms.ContentInfo)
RDN(org.bouncycastle.asn1.x500.RDN)
Path(java.nio.file.Path)
PKCS8Key(org.apache.commons.ssl.PKCS8Key)
CMSEnvelopedData(org.bouncycastle.cms.CMSEnvelopedData)
ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream)
KeyPair(java.security.KeyPair)
PEMEncryptedKeyPair(org.bouncycastle.openssl.PEMEncryptedKeyPair)
PEMKeyPair(org.bouncycastle.openssl.PEMKeyPair)
Enumeration(java.util.Enumeration)
InputStreamReader(java.io.InputStreamReader)
SignedData(org.bouncycastle.asn1.cms.SignedData)
ByteArrayInputStream(java.io.ByteArrayInputStream)
ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream)
InputStream(java.io.InputStream)
GeneralSecurityException(java.security.GeneralSecurityException)
PKCS8EncryptedPrivateKeyInfo(org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo)
KeyStoreException(java.security.KeyStoreException)
IOException(java.io.IOException)
KeyStore(java.security.KeyStore)
X509Certificate(java.security.cert.X509Certificate)
KeyStoreException(java.security.KeyStoreException)
GeneralSecurityException(java.security.GeneralSecurityException)
InstanceAlreadyExistsException(javax.management.InstanceAlreadyExistsException)
KeyManagementException(java.security.KeyManagementException)
MalformedObjectNameException(javax.management.MalformedObjectNameException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
UnrecoverableKeyException(java.security.UnrecoverableKeyException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
NoSuchProviderException(java.security.NoSuchProviderException)
PEMEncryptedKeyPair(org.bouncycastle.openssl.PEMEncryptedKeyPair)
ASN1Set(org.bouncycastle.asn1.ASN1Set)
ByteArrayInputStream(java.io.ByteArrayInputStream)
JcaX509CertificateHolder(org.bouncycastle.cert.jcajce.JcaX509CertificateHolder)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BufferedReader(java.io.BufferedReader)
PEMKeyPair(org.bouncycastle.openssl.PEMKeyPair)
ASN1Primitive(org.bouncycastle.asn1.ASN1Primitive)
Key(java.security.Key)
PrivateKey(java.security.PrivateKey)
PKCS8Key(org.apache.commons.ssl.PKCS8Key)
X509Certificate(java.security.cert.X509Certificate)
Certificate(java.security.cert.Certificate)
Example 65 with org.bouncycastle.asn1.x509
use of org.bouncycastle.asn1.x509 in project ddf by codice.
the class PkiTools method makeDistinguishedName.
/**
* Create an X500 name with a single populated attribute, the "common name". An X500 name object
* details the identity of a machine, person, or organization. The name object is used as the
* "subject" of a certificate. SSL/TLS typically uses a subject's common name as the DNS name for
* a machine and this name must be correct or SSl/TLS will not trust the machine's certificate.
*
* <p>TLS can use a different set of attributes to, the Subject Alternative Names. SANs are
* extensions to the X509 specification and can include IP addresses, DNS names and other machine
* information. This package does not use SANs.
*
* @param commonName the fully qualified host name of the end entity
* @return X500 name object with common name attribute set
* @see <a href="https://www.ietf.org/rfc/rfc4514.txt">RFC 4514, section 'LDAP: Distinguished
* Names'</a>
* @see <a href="https://tools.ietf.org/html/rfc4519">RFC 4519 details the exact construction of
* distinguished names</a>
* @see <a href="https://en.wikipedia.org/wiki/SubjectAltName">Subject Alternative Names on
* Wikipedia'</a>
*/
public static X500Name makeDistinguishedName(String commonName) {
Validate.isTrue(commonName != null, "Certificate common name cannot be null");
if (commonName.isEmpty()) {
LOGGER.warn("Setting certificate common name to empty string. This could result in an unusable TLS certificate.");
}
X500NameBuilder nameBuilder = new X500NameBuilder(RFC4519Style.INSTANCE);
// Add more nameBuilder.addRDN(....) statements to support more X500 attributes.
nameBuilder.addRDN(RFC4519Style.cn, commonName);
return nameBuilder.build();
}
Also used :
X500NameBuilder(org.bouncycastle.asn1.x500.X500NameBuilder)
Aggregations
IOException (java.io.IOException)81
X509Certificate (java.security.cert.X509Certificate)61
X500Name (org.bouncycastle.asn1.x500.X500Name)43
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)39
ASN1Sequence (org.bouncycastle.asn1.ASN1Sequence)36
BigInteger (java.math.BigInteger)34
AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)33
ASN1OctetString (org.bouncycastle.asn1.ASN1OctetString)31
DEROctetString (org.bouncycastle.asn1.DEROctetString)31
DERIA5String (org.bouncycastle.asn1.DERIA5String)28
Date (java.util.Date)27
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)26
ArrayList (java.util.ArrayList)25
CertificateEncodingException (java.security.cert.CertificateEncodingException)24
CertificateException (java.security.cert.CertificateException)24
GeneralName (org.bouncycastle.asn1.x509.GeneralName)24
ByteArrayInputStream (java.io.ByteArrayInputStream)23
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)23
PrivateKey (java.security.PrivateKey)21
GeneralSecurityException (java.security.GeneralSecurityException)20
