
Example 6 with JcaX509ExtensionUtils

use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project certmgr by hdecarne.

the class PKCS12CertReaderWriter method createKeySafeBagBuilder.

/**
 * Builds a PKCS#12 safe bag holding the private key of {@code key}, encrypted with
 * {@code passwordChars}, tagged with {@code alias} as friendly name and with the subject
 * key identifier of the public key as local key id.
 *
 * @param alias friendly name stored in the bag attributes.
 * @param key key pair whose private key is wrapped.
 * @param passwordChars password handed to {@code PKCS12_ENCRYPTOR_BUILDER}.
 * @return the populated safe bag builder.
 * @throws GeneralSecurityException if the encryptor or the key identifier cannot be created.
 */
private static PKCS12SafeBagBuilder createKeySafeBagBuilder(String alias, KeyPair key, char[] passwordChars) throws GeneralSecurityException {
    SubjectKeyIdentifier localKeyId = new JcaX509ExtensionUtils().createSubjectKeyIdentifier(key.getPublic());
    PKCS12SafeBagBuilder bagBuilder = new JcaPKCS12SafeBagBuilder(key.getPrivate(), PKCS12_ENCRYPTOR_BUILDER.build(passwordChars));
    bagBuilder.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(alias));
    bagBuilder.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, localKeyId);
    return bagBuilder;
}

Example 7 with JcaX509ExtensionUtils

use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project certmgr by hdecarne.

the class PKCS12CertReaderWriter method createKeySafeBagBuilder.

/**
 * Builds an unencrypted PKCS#12 safe bag holding the private key of {@code key}, tagged
 * with {@code alias} as friendly name and with the subject key identifier of the public
 * key as local key id.
 *
 * @param alias friendly name stored in the bag attributes.
 * @param key key pair whose private key is wrapped.
 * @return the populated safe bag builder.
 * @throws GeneralSecurityException if the key identifier cannot be created.
 */
private static PKCS12SafeBagBuilder createKeySafeBagBuilder(String alias, KeyPair key) throws GeneralSecurityException {
    JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
    return new JcaPKCS12SafeBagBuilder(key.getPrivate())
            .addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(alias))
            .addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, utils.createSubjectKeyIdentifier(key.getPublic()));
}

Example 8 with JcaX509ExtensionUtils

use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project certmgr by hdecarne.

the class PKCS12CertReaderWriter method createCRTSafeBagBuilder.

/**
 * Builds a PKCS#12 safe bag for the certificate {@code crt}, tagged with {@code alias} as
 * friendly name and, only if {@code addKeyId} is set, with the subject key identifier of
 * the certificate's public key as local key id.
 *
 * @param alias friendly name stored in the bag attributes.
 * @param crt certificate wrapped by the bag.
 * @param addKeyId whether to attach the local key id attribute.
 * @return the populated safe bag builder.
 * @throws IOException if the certificate cannot be wrapped.
 * @throws GeneralSecurityException if the key identifier cannot be created.
 */
private static PKCS12SafeBagBuilder createCRTSafeBagBuilder(String alias, X509Certificate crt, boolean addKeyId) throws IOException, GeneralSecurityException {
    PKCS12SafeBagBuilder bagBuilder = new JcaPKCS12SafeBagBuilder(crt)
            .addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_friendlyName, new DERBMPString(alias));
    if (!addKeyId) {
        return bagBuilder;
    }
    SubjectKeyIdentifier localKeyId = new JcaX509ExtensionUtils().createSubjectKeyIdentifier(crt.getPublicKey());
    bagBuilder.addBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, localKeyId);
    return bagBuilder;
}

Example 9 with JcaX509ExtensionUtils

use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project certmgr by hdecarne.

the class X509CertificateHelper method generateCRT.

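/**
 * Generate a CRT object.
 * <p>
 * Subject and authority key identifier extensions are always derived from {@code key} and
 * {@code issuerKey}; matching entries in {@code extensions} are skipped with a warning.
 *
 * @param dn The CRT's Distinguished Name (DN).
 * @param key The CRT's key pair
 * @param serial The CRT's serial.
 * @param notBefore The CRT's validity start.
 * @param notAfter The CRT's validity end.
 * @param extensions The CRT's extension objects.
 * @param issuerDN The issuer's Distinguished Name (DN).
 * @param issuerKey The issuer's key pair (the same {@code KeyPair} instance as {@code key} for a self-signed CRT).
 * @param signatureAlgorithm The signature algorithm to use.
 * @return The generated CRT object.
 * @throws IOException if an error occurs during generation.
 * @throws CertProviderException if the signer cannot be built or the CRT cannot be converted.
 */
public static X509Certificate generateCRT(X500Principal dn, KeyPair key, BigInteger serial, Date notBefore, Date notAfter, List<X509ExtensionData> extensions, X500Principal issuerDN, KeyPair issuerKey, SignatureAlgorithm signatureAlgorithm) throws IOException {
    LOG.info("CRT generation ''{0}'' started...", dn);
    // Initialize CRT builder
    X509v3CertificateBuilder crtBuilder = new JcaX509v3CertificateBuilder(issuerDN, serial, notBefore, notAfter, dn, key.getPublic());
    // extensionData.oid() is a String while Extension.* are ASN1ObjectIdentifiers; comparing the
    // two with String.equals was always false, so the key identifier filter below never fired.
    // Compare against the dotted-string form of the OIDs instead.
    String subjectKeyIdentifierOid = Extension.subjectKeyIdentifier.getId();
    String authorityKeyIdentifierOid = Extension.authorityKeyIdentifier.getId();
    // Add custom extension objects (key identifiers are generated below, adding them here
    // would leave a duplicate extension in the builder)
    for (X509ExtensionData extensionData : extensions) {
        String oid = extensionData.oid();
        if (subjectKeyIdentifierOid.equals(oid) || authorityKeyIdentifierOid.equals(oid)) {
            LOG.warning("Ignoring key identifier extension");
            continue;
        }
        boolean critical = extensionData.getCritical();
        crtBuilder.addExtension(new ASN1ObjectIdentifier(oid), critical, extensionData.encode());
    }
    X509Certificate crt;
    try {
        // Add standard extensions based upon the CRT's purpose
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        for (X509ExtensionData extensionData : extensions) {
            if (extensionData instanceof BasicConstraintsExtensionData) {
                BasicConstraintsExtensionData basicConstraintsExtension = (BasicConstraintsExtensionData) extensionData;
                if (basicConstraintsExtension.getCA()) {
                    // CRT is CA --> record it's key's identifier
                    crtBuilder.addExtension(Extension.subjectKeyIdentifier, false, extensionUtils.createSubjectKeyIdentifier(key.getPublic()));
                }
            }
        }
        // KeyPair does not override equals(), so this is a reference comparison: the CRT only
        // counts as self-signed when the caller passes the very same KeyPair instance twice.
        if (!key.equals(issuerKey)) {
            // CRT is not self-signed --> record issuer key's identifier
            crtBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(issuerKey.getPublic()));
        }
        // Sign CRT
        ContentSigner crtSigner = new JcaContentSignerBuilder(signatureAlgorithm.algorithm()).build(issuerKey.getPrivate());
        crt = new JcaX509CertificateConverter().getCertificate(crtBuilder.build(crtSigner));
    } catch (OperatorCreationException | GeneralSecurityException e) {
        throw new CertProviderException(e);
    }
    LOG.info("CRT generation ''{0}'' done", dn);
    return crt;
}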

Example 10 with JcaX509ExtensionUtils

use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project gitblit by gitblit.

the class X509Utils method newClientCertificate.

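/**
 * Creates a new client certificate PKCS#12 and PEM store.  Any existing
 * stores are destroyed.
 *
 * @param clientMetadata a container for dynamic parameters needed for generation;
 *        its {@code serialNumber} is updated with the serial of the issued certificate
 * @param caPrivateKey the CA private key that signs the client certificate
 * @param caCert the CA certificate the client certificate chains to
 * @param targetFolder the folder the .cer, .p12 and .pem files are written to
 * @return the signed client certificate
 * @throws RuntimeException wrapping any failure during generation, verification or storage
 */
public static X509Certificate newClientCertificate(X509Metadata clientMetadata, PrivateKey caPrivateKey, X509Certificate caCert, File targetFolder) {
    try {
        KeyPair pair = newKeyPair();
        X500Name userDN = buildDistinguishedName(clientMetadata);
        X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName());
        SecureRandom random = new SecureRandom();
        // RFC 5280 requires a positive serial that is unique per issuer. A millisecond timestamp
        // collides for certificates issued within the same millisecond and is predictable, so the
        // serial is drawn from a CSPRNG instead; the +1 keeps it strictly positive.
        BigInteger serial = new BigInteger(64, random).add(BigInteger.ONE);
        // create a new certificate signed by the Gitblit CA certificate
        X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerDN, serial, clientMetadata.notBefore, clientMetadata.notAfter, userDN, pair.getPublic());
        JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
        certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic()));
        certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false));
        certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));
        certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature));
        if (!StringUtils.isEmpty(clientMetadata.emailAddress)) {
            GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress));
            certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName);
        }
        ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey);
        X509Certificate userCert = new JcaX509CertificateConverter().setProvider(BC).getCertificate(certBuilder.build(signer));
        // NOTE(review): assumes newKeyPair() returns a BC key that implements PKCS12BagAttributeCarrier — confirm
        PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) pair.getPrivate();
        bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, extUtils.createSubjectKeyIdentifier(pair.getPublic()));
        // confirm the validity of the user certificate and that it names the CA as its issuer
        // (the previous issuer/subject comparison discarded its result and so checked nothing)
        userCert.checkValidity();
        userCert.verify(caCert.getPublicKey());
        if (!userCert.getIssuerX500Principal().equals(caCert.getSubjectX500Principal())) {
            throw new IllegalStateException("Issuer of the generated certificate does not match the CA subject");
        }
        // verify user certificate chain
        verifyChain(userCert, caCert);
        if (!targetFolder.isDirectory() && !targetFolder.mkdirs()) {
            throw new IllegalStateException("Failed to create target folder " + targetFolder);
        }
        // save certificate, stamped with unique name
        String date = new SimpleDateFormat("yyyyMMdd").format(new Date());
        String id = date;
        File certFile = new File(targetFolder, id + ".cer");
        int count = 0;
        while (certFile.exists()) {
            id = date + "_" + Character.toString((char) (0x61 + count));
            certFile = new File(targetFolder, id + ".cer");
            count++;
        }
        // save user private key, user certificate and CA certificate to a PKCS#12 store;
        // a stale store that cannot be removed would otherwise be reopened and extended
        File p12File = new File(targetFolder, clientMetadata.commonName + ".p12");
        if (p12File.exists() && !p12File.delete()) {
            throw new IllegalStateException("Failed to delete existing store " + p12File);
        }
        KeyStore userStore = openKeyStore(p12File, clientMetadata.password);
        // NOTE(review): the null key password relies on the keystore type accepting it — confirm
        userStore.setKeyEntry(MessageFormat.format("Gitblit ({0}) {1} {2}", clientMetadata.serverHostname, clientMetadata.userDisplayname, id), pair.getPrivate(), null, new Certificate[] { userCert });
        userStore.setCertificateEntry(MessageFormat.format("Gitblit ({0}) Certificate Authority", clientMetadata.serverHostname), caCert);
        saveKeyStore(p12File, userStore, clientMetadata.password);
        // save user private key, user certificate, and CA certificate to a PEM store
        File pemFile = new File(targetFolder, clientMetadata.commonName + ".pem");
        if (pemFile.exists() && !pemFile.delete()) {
            throw new IllegalStateException("Failed to delete existing store " + pemFile);
        }
        // NOTE(review): 3DES is a legacy PEM cipher, kept here so existing consumers of the .pem
        // file keep working — confirm before switching to an AES variant
        JcePEMEncryptorBuilder builder = new JcePEMEncryptorBuilder("DES-EDE3-CBC");
        builder.setSecureRandom(random);
        PEMEncryptor pemEncryptor = builder.build(clientMetadata.password.toCharArray());
        // close the writer on every path so a failed write does not leak the file handle
        JcaPEMWriter pemWriter = new JcaPEMWriter(new FileWriter(pemFile));
        try {
            pemWriter.writeObject(pair.getPrivate(), pemEncryptor);
            pemWriter.writeObject(userCert);
            pemWriter.writeObject(caCert);
            pemWriter.flush();
        } finally {
            pemWriter.close();
        }
        // save certificate after successfully creating the key stores
        saveCertificate(userCert, certFile);
        // update serial number in metadata object
        clientMetadata.serialNumber = userCert.getSerialNumber().toString();
        return userCert;
    } catch (Exception e) {
        // Errors (OutOfMemoryError etc.) are deliberately not wrapped; only failures of the
        // generation itself are reported as a RuntimeException with the cause preserved
        throw new RuntimeException("Failed to generate client certificate!", e);
    }
}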
