Example 16 with X509v3CertificateBuilder
use of org.bouncycastle.cert.X509v3CertificateBuilder in project Openfire by igniterealtime.
the class CertificateManagerTest method testServerIdentitiesDnsSrv.
/**
* {@link CertificateManager#getServerIdentities(X509Certificate)} should return:
* <ul>
* <li>the 'DNS SRV' subjectAltName value</li>
* <li>explicitly not the Common Name</li>
* </ul>
*
* when a certificate contains:
* <ul>
* <li>a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-dnsSRV"</li>
* </ul>
*/
@Test
public void testServerIdentitiesDnsSrv() throws Exception {
// Setup fixture.
final String subjectCommonName = "MySubjectCommonName";
final String subjectAltNameDnsSrv = "MySubjectAltNameXmppAddr";
final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(// Issuer
new X500Name("CN=MyIssuer"), // Random serial number
BigInteger.valueOf(Math.abs(new SecureRandom().nextInt())), // Not before 30 days ago
new Date(System.currentTimeMillis() - (1000L * 60 * 60 * 24 * 30)), // Not after 99 days from now
new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 99)), // Subject
new X500Name("CN=" + subjectCommonName), subjectKeyPair.getPublic());
final DERSequence otherName = new DERSequence(new ASN1Encodable[] { DNS_SRV_OID, new DERUTF8String("_xmpp-server." + subjectAltNameDnsSrv) });
final GeneralNames subjectAltNames = new GeneralNames(new GeneralName(GeneralName.otherName, otherName));
builder.addExtension(Extension.subjectAlternativeName, true, subjectAltNames);
final X509CertificateHolder certificateHolder = builder.build(contentSigner);
final X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certificateHolder);
// Execute system under test
final List<String> serverIdentities = CertificateManager.getServerIdentities(cert);
// Verify result
assertEquals(1, serverIdentities.size());
assertTrue(serverIdentities.contains(subjectAltNameDnsSrv));
assertFalse(serverIdentities.contains(subjectCommonName));
}
Also used :
SecureRandom(java.security.SecureRandom)
X500Name(org.bouncycastle.asn1.x500.X500Name)
Date(java.util.Date)
X509Certificate(java.security.cert.X509Certificate)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
Test(org.junit.Test)
Example 17 with X509v3CertificateBuilder
use of org.bouncycastle.cert.X509v3CertificateBuilder in project Openfire by igniterealtime.
the class KeystoreTestUtils method generateTestCertificate.
private static X509Certificate generateTestCertificate(final boolean isValid, final KeyPair issuerKeyPair, final KeyPair subjectKeyPair, int indexAwayFromEndEntity) throws Exception {
// Issuer and Subject.
final X500Name subject = new X500Name("CN=" + Base64.encodeBytes(subjectKeyPair.getPublic().getEncoded(), Base64.URL_SAFE));
final X500Name issuer = new X500Name("CN=" + Base64.encodeBytes(issuerKeyPair.getPublic().getEncoded(), Base64.URL_SAFE));
// Validity
final Date notBefore;
final Date notAfter;
if (isValid) {
// 30 days ago
notBefore = new Date(System.currentTimeMillis() - (1000L * 60 * 60 * 24 * 30));
// 99 days from now.
notAfter = new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 99));
} else {
// Generate a certificate for which the validate period has expired.
// 40 days ago
notBefore = new Date(System.currentTimeMillis() - (1000L * 60 * 60 * 24 * 40));
// 10 days ago
notAfter = new Date(System.currentTimeMillis() - (1000L * 60 * 60 * 24 * 10));
}
// The new certificate should get a unique serial number.
final BigInteger serial = BigInteger.valueOf(Math.abs(new SecureRandom().nextInt()));
final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, subjectKeyPair.getPublic());
// When this certificate is used to sign another certificate, basic constraints need to be set.
if (indexAwayFromEndEntity > 0) {
builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(indexAwayFromEndEntity - 1));
}
final ContentSigner contentSigner = new JcaContentSignerBuilder("SHA1withRSA").build(issuerKeyPair.getPrivate());
final X509CertificateHolder certificateHolder = builder.build(contentSigner);
return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder);
}
Also used :
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
BigInteger(java.math.BigInteger)
SecureRandom(java.security.SecureRandom)
X500Name(org.bouncycastle.asn1.x500.X500Name)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
Date(java.util.Date)
Example 18 with X509v3CertificateBuilder
use of org.bouncycastle.cert.X509v3CertificateBuilder in project helios by spotify.
the class X509CertificateFactory method generate.
private CertificateAndPrivateKey generate(final AgentProxy agentProxy, final Identity identity, final String username) {
final UUID uuid = new UUID();
final Calendar calendar = Calendar.getInstance();
final X500Name issuerdn = new X500Name("C=US,O=Spotify,CN=helios-client");
final X500Name subjectdn = new X500NameBuilder().addRDN(BCStyle.UID, username).build();
calendar.add(Calendar.MILLISECOND, -validBeforeMilliseconds);
final Date notBefore = calendar.getTime();
calendar.add(Calendar.MILLISECOND, validBeforeMilliseconds + validAfterMilliseconds);
final Date notAfter = calendar.getTime();
// Reuse the UUID time as a SN
final BigInteger serialNumber = BigInteger.valueOf(uuid.getTime()).abs();
try {
final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
keyPairGenerator.initialize(KEY_SIZE, new SecureRandom());
final KeyPair keyPair = keyPairGenerator.generateKeyPair();
final SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(keyPair.getPublic().getEncoded()));
final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuerdn, serialNumber, notBefore, notAfter, subjectdn, subjectPublicKeyInfo);
final DigestCalculator digestCalculator = new BcDigestCalculatorProvider().get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
final X509ExtensionUtils utils = new X509ExtensionUtils(digestCalculator);
final SubjectKeyIdentifier keyId = utils.createSubjectKeyIdentifier(subjectPublicKeyInfo);
final String keyIdHex = KEY_ID_ENCODING.encode(keyId.getKeyIdentifier());
log.info("generating an X509 certificate for {} with key ID={} and identity={}", username, keyIdHex, identity.getComment());
builder.addExtension(Extension.subjectKeyIdentifier, false, keyId);
builder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(subjectPublicKeyInfo));
builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign));
builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
final X509CertificateHolder holder = builder.build(new SshAgentContentSigner(agentProxy, identity));
final X509Certificate certificate = CERTIFICATE_CONVERTER.getCertificate(holder);
log.debug("generated certificate:\n{}", asPemString(certificate));
return new CertificateAndPrivateKey(certificate, keyPair.getPrivate());
} catch (Exception e) {
throw Throwables.propagate(e);
}
}
Also used :
BcDigestCalculatorProvider(org.bouncycastle.operator.bc.BcDigestCalculatorProvider)
KeyPair(java.security.KeyPair)
X500NameBuilder(org.bouncycastle.asn1.x500.X500NameBuilder)
Calendar(java.util.Calendar)
DigestCalculator(org.bouncycastle.operator.DigestCalculator)
SecureRandom(java.security.SecureRandom)
KeyUsage(org.bouncycastle.asn1.x509.KeyUsage)
X500Name(org.bouncycastle.asn1.x500.X500Name)
KeyPairGenerator(java.security.KeyPairGenerator)
SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
Date(java.util.Date)
X509Certificate(java.security.cert.X509Certificate)
GeneralSecurityException(java.security.GeneralSecurityException)
IOException(java.io.IOException)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
UUID(com.eaio.uuid.UUID)
X509ExtensionUtils(org.bouncycastle.cert.X509ExtensionUtils)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
Example 19 with X509v3CertificateBuilder
use of org.bouncycastle.cert.X509v3CertificateBuilder in project zaproxy by zaproxy.
the class SslCertificateUtils method createRootCA.
/**
* Creates a new Root CA certificate and returns private and public key as
* {@link KeyStore}. The {@link KeyStore#getDefaultType()} is used.
*
* @return
* @throws NoSuchAlgorithmException If no providers are found
* for 'RSA' key pair generator
* or 'SHA1PRNG' Secure random number generator
* @throws IllegalStateException in case of errors during assembling {@link KeyStore}
*/
public static final KeyStore createRootCA() throws NoSuchAlgorithmException {
final Date startDate = Calendar.getInstance().getTime();
final Date expireDate = new Date(startDate.getTime() + (DEFAULT_VALID_DAYS * 24L * 60L * 60L * 1000L));
final KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
g.initialize(2048, SecureRandom.getInstance("SHA1PRNG"));
final KeyPair keypair = g.genKeyPair();
final PrivateKey privKey = keypair.getPrivate();
final PublicKey pubKey = keypair.getPublic();
Security.addProvider(new BouncyCastleProvider());
Random rnd = new Random();
// using the hash code of the user's name and home path, keeps anonymity
// but also gives user a chance to distinguish between each other
X500NameBuilder namebld = new X500NameBuilder(BCStyle.INSTANCE);
namebld.addRDN(BCStyle.CN, "OWASP Zed Attack Proxy Root CA");
namebld.addRDN(BCStyle.L, Integer.toHexString(System.getProperty("user.name").hashCode()) + Integer.toHexString(System.getProperty("user.home").hashCode()));
namebld.addRDN(BCStyle.O, "OWASP Root CA");
namebld.addRDN(BCStyle.OU, "OWASP ZAP Root CA");
namebld.addRDN(BCStyle.C, "xx");
X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(namebld.build(), BigInteger.valueOf(rnd.nextInt()), startDate, expireDate, namebld.build(), pubKey);
KeyStore ks = null;
try {
certGen.addExtension(Extension.subjectKeyIdentifier, false, new SubjectKeyIdentifier(pubKey.getEncoded()));
certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
certGen.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.cRLSign));
KeyPurposeId[] eku = { KeyPurposeId.id_kp_serverAuth, KeyPurposeId.id_kp_clientAuth, KeyPurposeId.anyExtendedKeyUsage };
certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(eku));
final ContentSigner sigGen = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider("BC").build(privKey);
final X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certGen.build(sigGen));
ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null, null);
ks.setKeyEntry(SslCertificateService.ZAPROXY_JKS_ALIAS, privKey, SslCertificateService.PASSPHRASE, new Certificate[] { cert });
} catch (final Exception e) {
throw new IllegalStateException("Errors during assembling root CA.", e);
}
return ks;
}
Also used :
KeyPair(java.security.KeyPair)
RSAPrivateKey(java.security.interfaces.RSAPrivateKey)
PrivateKey(java.security.PrivateKey)
X500NameBuilder(org.bouncycastle.asn1.x500.X500NameBuilder)
KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId)
PublicKey(java.security.PublicKey)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)
KeyUsage(org.bouncycastle.asn1.x509.KeyUsage)
KeyPairGenerator(java.security.KeyPairGenerator)
SubjectKeyIdentifier(org.bouncycastle.asn1.x509.SubjectKeyIdentifier)
KeyStore(java.security.KeyStore)
Date(java.util.Date)
X509Certificate(java.security.cert.X509Certificate)
InvalidKeySpecException(java.security.spec.InvalidKeySpecException)
KeyStoreException(java.security.KeyStoreException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
Random(java.util.Random)
SecureRandom(java.security.SecureRandom)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)
BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)
Example 20 with X509v3CertificateBuilder
use of org.bouncycastle.cert.X509v3CertificateBuilder in project drill by apache.
the class WebServer method createHttpsConnector.
/**
* Create an HTTPS connector for given jetty server instance. If the admin has specified keystore/truststore settings
* they will be used else a self-signed certificate is generated and used.
*
* @return Initialized {@link ServerConnector} for HTTPS connectios.
* @throws Exception
*/
private ServerConnector createHttpsConnector() throws Exception {
logger.info("Setting up HTTPS connector for web server");
final SslContextFactory sslContextFactory = new SslContextFactory();
if (config.hasPath(ExecConstants.HTTP_KEYSTORE_PATH) && !Strings.isNullOrEmpty(config.getString(ExecConstants.HTTP_KEYSTORE_PATH))) {
logger.info("Using configured SSL settings for web server");
sslContextFactory.setKeyStorePath(config.getString(ExecConstants.HTTP_KEYSTORE_PATH));
sslContextFactory.setKeyStorePassword(config.getString(ExecConstants.HTTP_KEYSTORE_PASSWORD));
// TrustStore and TrustStore password are optional
if (config.hasPath(ExecConstants.HTTP_TRUSTSTORE_PATH)) {
sslContextFactory.setTrustStorePath(config.getString(ExecConstants.HTTP_TRUSTSTORE_PATH));
if (config.hasPath(ExecConstants.HTTP_TRUSTSTORE_PASSWORD)) {
sslContextFactory.setTrustStorePassword(config.getString(ExecConstants.HTTP_TRUSTSTORE_PASSWORD));
}
}
} else {
logger.info("Using generated self-signed SSL settings for web server");
final SecureRandom random = new SecureRandom();
// Generate a private-public key pair
final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024, random);
final KeyPair keyPair = keyPairGenerator.generateKeyPair();
final DateTime now = DateTime.now();
// Create builder for certificate attributes
final X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.OU, "Apache Drill (auth-generated)").addRDN(BCStyle.O, "Apache Software Foundation (auto-generated)").addRDN(BCStyle.CN, workManager.getContext().getEndpoint().getAddress());
final Date notBefore = now.minusMinutes(1).toDate();
final Date notAfter = now.plusYears(5).toDate();
final BigInteger serialNumber = new BigInteger(128, random);
// Create a certificate valid for 5years from now.
final X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(// attributes
nameBuilder.build(), serialNumber, notBefore, notAfter, nameBuilder.build(), keyPair.getPublic());
// Sign the certificate using the private key
final ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate());
final X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(certificateBuilder.build(contentSigner));
// Check the validity
certificate.checkValidity(now.toDate());
// Make sure the certificate is self-signed.
certificate.verify(certificate.getPublicKey());
// Generate a random password for keystore protection
final String keyStorePasswd = RandomStringUtils.random(20);
final KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(null, null);
keyStore.setKeyEntry("DrillAutoGeneratedCert", keyPair.getPrivate(), keyStorePasswd.toCharArray(), new java.security.cert.Certificate[] { certificate });
sslContextFactory.setKeyStore(keyStore);
sslContextFactory.setKeyStorePassword(keyStorePasswd);
}
final HttpConfiguration httpsConfig = new HttpConfiguration();
httpsConfig.addCustomizer(new SecureRequestCustomizer());
// SSL Connector
final ServerConnector sslConnector = new ServerConnector(embeddedJetty, new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()), new HttpConnectionFactory(httpsConfig));
sslConnector.setPort(config.getInt(ExecConstants.HTTP_PORT));
return sslConnector;
}
Also used :
KeyPair(java.security.KeyPair)
X500NameBuilder(org.bouncycastle.asn1.x500.X500NameBuilder)
SecureRequestCustomizer(org.eclipse.jetty.server.SecureRequestCustomizer)
HttpConnectionFactory(org.eclipse.jetty.server.HttpConnectionFactory)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
SecureRandom(java.security.SecureRandom)
KeyPairGenerator(java.security.KeyPairGenerator)
HttpConfiguration(org.eclipse.jetty.server.HttpConfiguration)
SslConnectionFactory(org.eclipse.jetty.server.SslConnectionFactory)
KeyStore(java.security.KeyStore)
DateTime(org.joda.time.DateTime)
Date(java.util.Date)
X509Certificate(java.security.cert.X509Certificate)
ServerConnector(org.eclipse.jetty.server.ServerConnector)
SslContextFactory(org.eclipse.jetty.util.ssl.SslContextFactory)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
BigInteger(java.math.BigInteger)
Aggregations
X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)24
JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)22
X509Certificate (java.security.cert.X509Certificate)21
Date (java.util.Date)21
JcaX509v3CertificateBuilder (org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)20
X500Name (org.bouncycastle.asn1.x500.X500Name)18
JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)17
SecureRandom (java.security.SecureRandom)14
ContentSigner (org.bouncycastle.operator.ContentSigner)14
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)13
BigInteger (java.math.BigInteger)11
KeyPair (java.security.KeyPair)10
BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)9
GeneralName (org.bouncycastle.asn1.x509.GeneralName)9
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)9
X500NameBuilder (org.bouncycastle.asn1.x500.X500NameBuilder)7
IOException (java.io.IOException)6
KeyPairGenerator (java.security.KeyPairGenerator)6
KeyStore (java.security.KeyStore)6
Test (org.junit.Test)5
