use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project candlepin by candlepin.
the class X509CRLStreamWriterTest method testKeySizeChange.
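@Test
public void testKeySizeChange() throws Exception {
    // Re-sign an existing CRL with a freshly generated RSA key of a different size.
    // The rewritten CRL must keep its revoked entries, and its authorityKeyIdentifier
    // must now reference the new signing key rather than the original one.
    int[] sizes = { 1024, 4096 };
    for (int size : sizes) {
        X509CRLHolder holder = createCRL();
        File crlToChange = writeCRL(holder);
        generator.initialize(size);
        KeyPair differentKeyPair = generator.generateKeyPair();
        X509CRLStreamWriter stream = new X509CRLStreamWriter(crlToChange,
            (RSAPrivateKey) differentKeyPair.getPrivate(),
            (RSAPublicKey) differentKeyPair.getPublic());
        stream.preScan(crlToChange).lock();
        // try-with-resources: the original left the file handle open if write() threw.
        try (OutputStream o = new BufferedOutputStream(new FileOutputStream(outfile))) {
            stream.write(o);
        }
        X509CRL originalCrl = new JcaX509CRLConverter().setProvider(BC_PROVIDER).getCRL(holder);
        // readCRL is handed the new public key — presumably it verifies the new
        // signature with it; confirm in the helper, since that is the real point of the test.
        X509CRL changedCrl = readCRL(differentKeyPair.getPublic());
        Set<BigInteger> discoveredSerials = new HashSet<>();
        for (X509CRLEntry entry : changedCrl.getRevokedCertificates()) {
            discoveredSerials.add(entry.getSerialNumber());
        }
        Set<BigInteger> expected = new HashSet<>();
        expected.add(new BigInteger("100"));
        assertEquals(expected, discoveredSerials);
        // Since the key changed, the authorityKeyIdentifier must change.
        AuthorityKeyIdentifier oldAki = readAuthorityKeyIdentifier(originalCrl);
        AuthorityKeyIdentifier newAki = readAuthorityKeyIdentifier(changedCrl);
        AuthorityKeyIdentifier identifier =
            new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic());
        assertEquals(oldAki, identifier);
        AuthorityKeyIdentifier differentIdentifier =
            new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(differentKeyPair.getPublic());
        assertEquals(newAki, differentIdentifier);
    }
}

/**
 * Decodes the authorityKeyIdentifier extension of a CRL.
 *
 * getExtensionValue() returns the DER-encoded OCTET STRING wrapper, so the
 * octets must be unwrapped before parsing the AuthorityKeyIdentifier structure.
 *
 * @param crl the CRL whose AKI extension is read
 * @return the parsed AuthorityKeyIdentifier
 */
private static AuthorityKeyIdentifier readAuthorityKeyIdentifier(X509CRL crl) {
    byte[] wrapped = crl.getExtensionValue(Extension.authorityKeyIdentifier.getId());
    byte[] octets = ASN1OctetString.getInstance(wrapped).getOctets();
    return AuthorityKeyIdentifier.getInstance(octets);
}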
use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project candlepin by candlepin.
the class X509CRLEntryStreamTest method testCRLwithoutUpdateTime.
@Test
public void testCRLwithoutUpdateTime() throws Exception {
    // Build a CRL that deliberately omits nextUpdate (optional per RFC 5280) and
    // check that the entry stream still yields its single revoked serial.
    X509v2CRLBuilder builder = new X509v2CRLBuilder(issuer, new Date());
    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
    builder.addExtension(Extension.authorityKeyIdentifier, false,
        extUtils.createAuthorityKeyIdentifier(keyPair.getPublic()));
    builder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("127")));
    BigInteger revokedSerial = new BigInteger("100");
    builder.addCRLEntry(revokedSerial, new Date(), CRLReason.unspecified);
    X509CRLHolder holder = builder.build(signer);
    File crlFile = new File(folder.getRoot(), "test.crl");
    FileUtils.writeByteArrayToFile(crlFile, holder.getEncoded());
    X509CRLEntryStream entries = new X509CRLEntryStream(crlFile);
    try {
        Set<BigInteger> seen = new HashSet<>();
        while (entries.hasNext()) {
            seen.add(getSerial(entries.next()));
        }
        assertEquals(1, seen.size());
        assertTrue(seen.contains(revokedSerial));
    } finally {
        // Explicit close: the stream may not implement AutoCloseable, so no try-with-resources here.
        entries.close();
    }
}
use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project cas by apereo.
the class DefaultSamlIdPCertificateAndKeyWriter method generateCertificate.
@SuppressWarnings("JavaUtilDate")
private X509Certificate generateCertificate(final KeyPair keypair) throws Exception {
    // Self-signed certificate for the SAML IdP: subject == issuer, carrying an SKI
    // and the subject alternative names returned by buildSubjectAltNames().
    val subject = new X500Name("CN=" + hostname);
    // Validity starts at "now" with no backdating; a relying party whose clock
    // lags this host may reject the certificate briefly after issuance — review if that matters.
    val validFrom = new GregorianCalendar();
    val validUntil = new GregorianCalendar();
    validUntil.set(GregorianCalendar.YEAR, validUntil.get(GregorianCalendar.YEAR) + certificateLifetimeInYears);
    // Random serial of X509_CERT_BITS_SIZE bits. NOTE(review): assumes RandomUtils.getNativeInstance()
    // is a SecureRandom — confirm; RFC 5280 also requires a positive, non-zero serial, which
    // this constructor only guarantees up to a negligible chance of zero.
    val serial = new BigInteger(X509_CERT_BITS_SIZE, RandomUtils.getNativeInstance());
    val builder = new JcaX509v3CertificateBuilder(subject, serial, validFrom.getTime(), validUntil.getTime(), subject, keypair.getPublic());
    val extUtils = new JcaX509ExtensionUtils();
    builder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(keypair.getPublic()));
    val sans = GeneralNames.getInstance(new DERSequence(buildSubjectAltNames()));
    builder.addExtension(Extension.subjectAlternativeName, false, sans);
    val contentSigner = new JcaContentSignerBuilder(certificateAlgorithm).build(keypair.getPrivate());
    val cert = new JcaX509CertificateConverter().getCertificate(builder.build(contentSigner));
    // Sanity checks on the freshly minted certificate: currently valid and self-consistent signature.
    cert.checkValidity(new Date());
    cert.verify(keypair.getPublic());
    return cert;
}
use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project zookeeper by apache.
the class QuorumSSLTest method buildCRL.
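/**
 * Writes a PEM-encoded CRL to {@code crlPath} that revokes {@code x509Certificate}
 * with reason cACompromise.
 *
 * The CRL is issued under the certificate's issuer DN, carries an AKI derived from
 * {@code rootCertificate} and is signed with {@code contentSigner}; these are
 * presumably the same CA in this fixture — the CRL only verifies if they match.
 *
 * @param x509Certificate the certificate to list as revoked
 * @param crlPath         file path the PEM CRL is written to
 * @throws Exception on CRL construction or I/O failure
 */
private void buildCRL(X509Certificate x509Certificate, String crlPath) throws Exception {
    X509v2CRLBuilder builder = new JcaX509v2CRLBuilder(x509Certificate.getIssuerX500Principal(), certStartTime);
    builder.addCRLEntry(x509Certificate.getSerialNumber(), certStartTime, CRLReason.cACompromise);
    builder.setNextUpdate(certEndTime);
    builder.addExtension(Extension.authorityKeyIdentifier, false,
        new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(rootCertificate));
    builder.addExtension(Extension.cRLNumber, false, new CRLNumber(new BigInteger("1000")));
    X509CRLHolder cRLHolder = builder.build(contentSigner);
    // try-with-resources: the original leaked the writer if writeObject() threw.
    // close() flushes, so the explicit flush() is no longer needed. FileWriter uses the
    // platform charset; PEM is ASCII, so that is harmless here.
    try (PemWriter pemWriter = new PemWriter(new FileWriter(crlPath))) {
        pemWriter.writeObject(new MiscPEMGenerator(cRLHolder));
    }
}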
use of org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils in project nifi-registry by apache.
the class CertificateUtils method generateSelfSignedX509Certificate.
/**
 * Generates a self-signed {@link X509Certificate} intended for use as a Certificate Authority.
 *
 * <p>The certificate is valid from "now" for {@code certificateDurationDays} days, uses the
 * same (reversed) distinguished name as subject and issuer, and carries keyUsage (critical),
 * basicConstraints(CA=true), subjectKeyIdentifier, authorityKeyIdentifier and an
 * extendedKeyUsage of clientAuth + serverAuth.
 *
 * @param keyPair                 the {@link KeyPair} whose public key is certified and whose private key signs
 * @param dn                      the distinguished name to use for the {@link X509Certificate}
 * @param signingAlgorithm        the signing algorithm to use for the {@link X509Certificate}
 * @param certificateDurationDays the duration in days for which the {@link X509Certificate} should be valid
 * @return a self-signed {@link X509Certificate} intended for use as a Certificate Authority
 * @throws CertificateException if there is an error generating the new certificate
 */
public static X509Certificate generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays) throws CertificateException {
    try {
        ContentSigner signer = new JcaContentSignerBuilder(signingAlgorithm)
            .setProvider(BouncyCastleProvider.PROVIDER_NAME)
            .build(keyPair.getPrivate());
        SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + TimeUnit.DAYS.toMillis(certificateDurationDays));
        // Self-signed: subject and issuer are the same name.
        X500Name name = reverseX500Name(new X500Name(dn));
        X509v3CertificateBuilder builder = new X509v3CertificateBuilder(name, getUniqueSerialNumber(), notBefore, notAfter, name, publicKeyInfo);
        JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
        // NOTE(review): this keyUsage is far broader than a CA needs (keyCertSign | cRLSign,
        // optionally digitalSignature). The encipherment/agreement bits let the same key be
        // used for TLS directly; if that is intentional, document it — otherwise consider narrowing.
        int usageBits = KeyUsage.digitalSignature
            | KeyUsage.keyEncipherment
            | KeyUsage.dataEncipherment
            | KeyUsage.keyAgreement
            | KeyUsage.nonRepudiation
            | KeyUsage.cRLSign
            | KeyUsage.keyCertSign;
        builder.addExtension(Extension.keyUsage, true, new KeyUsage(usageBits));
        // NOTE(review): RFC 5280 §4.2.1.9 says CAs MUST mark basicConstraints critical in CA
        // certificates; it is non-critical here. Left unchanged to preserve existing output.
        builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));
        builder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(keyPair.getPublic()));
        builder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(keyPair.getPublic()));
        // NOTE(review): an EKU on a CA certificate is unusual; some validators apply EKU
        // constraints up the chain, which would then limit leaf certificates to these purposes.
        KeyPurposeId[] purposes = { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth };
        builder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(purposes));
        X509CertificateHolder certificateHolder = builder.build(signer);
        return new JcaX509CertificateConverter()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME)
            .getCertificate(certificateHolder);
    } catch (CertIOException | NoSuchAlgorithmException | OperatorCreationException e) {
        // Preserve the cause so callers can see which step failed.
        throw new CertificateException(e);
    }
}