Example 36 with JcaX509v3CertificateBuilder
use of org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder in project signer by demoiselle.
the class CertificateHelper method createServerCertificate.
public static KeyStore createServerCertificate(String commonName, SubjectAlternativeNameHolder subjectAlternativeNames, Authority authority, Certificate caCert, PrivateKey caPrivKey) throws NoSuchAlgorithmException, NoSuchProviderException, IOException, OperatorCreationException, CertificateException, InvalidKeyException, SignatureException, KeyStoreException {
KeyPair keyPair = generateKeyPair(FAKE_KEYSIZE);
X500Name issuer = new X509CertificateHolder(caCert.getEncoded()).getSubject();
BigInteger serial = BigInteger.valueOf(initRandomSerial());
X500NameBuilder name = new X500NameBuilder(BCStyle.INSTANCE);
name.addRDN(BCStyle.CN, commonName);
name.addRDN(BCStyle.O, authority.certOrganisation());
name.addRDN(BCStyle.OU, authority.certOrganizationalUnitName());
X500Name subject = name.build();
X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, serial, NOT_BEFORE, NOT_AFTER, subject, keyPair.getPublic());
builder.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(keyPair.getPublic()));
builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
subjectAlternativeNames.fillInto(builder);
X509Certificate cert = signCertificate(builder, caPrivKey);
cert.checkValidity(new Date());
cert.verify(caCert.getPublicKey());
KeyStore result = KeyStore.getInstance("PKCS12");
result.load(null, null);
Certificate[] chain = { cert, caCert };
result.setKeyEntry(authority.alias(), keyPair.getPrivate(), authority.password(), chain);
return result;
}
Also used :
KeyPair(java.security.KeyPair)
X500NameBuilder(org.bouncycastle.asn1.x500.X500NameBuilder)
X500Name(org.bouncycastle.asn1.x500.X500Name)
KeyStore(java.security.KeyStore)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
BigInteger(java.math.BigInteger)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
X509Certificate(java.security.cert.X509Certificate)
Certificate(java.security.cert.Certificate)
Example 37 with JcaX509v3CertificateBuilder
use of org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder in project signer by demoiselle.
the class CertificateHelper method createRootCertificate.
public static KeyStore createRootCertificate(Authority authority, String keyStoreType) throws NoSuchAlgorithmException, NoSuchProviderException, CertIOException, IOException, OperatorCreationException, CertificateException, KeyStoreException {
KeyPair keyPair = generateKeyPair(ROOT_KEYSIZE);
X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE);
nameBuilder.addRDN(BCStyle.CN, authority.commonName());
nameBuilder.addRDN(BCStyle.O, authority.organization());
nameBuilder.addRDN(BCStyle.OU, authority.organizationalUnitName());
X500Name issuer = nameBuilder.build();
BigInteger serial = BigInteger.valueOf(initRandomSerial());
X500Name subject = issuer;
PublicKey pubKey = keyPair.getPublic();
X509v3CertificateBuilder generator = new JcaX509v3CertificateBuilder(issuer, serial, NOT_BEFORE, NOT_AFTER, subject, pubKey);
generator.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(pubKey));
generator.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
KeyUsage usage = new KeyUsage(KeyUsage.keyCertSign | KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.cRLSign);
generator.addExtension(Extension.keyUsage, false, usage);
ASN1EncodableVector purposes = new ASN1EncodableVector();
purposes.add(KeyPurposeId.id_kp_serverAuth);
purposes.add(KeyPurposeId.id_kp_clientAuth);
purposes.add(KeyPurposeId.anyExtendedKeyUsage);
generator.addExtension(Extension.extendedKeyUsage, false, new DERSequence(purposes));
X509Certificate cert = signCertificate(generator, keyPair.getPrivate());
KeyStore result = KeyStore.getInstance(keyStoreType);
result.load(null, null);
result.setKeyEntry(authority.alias(), keyPair.getPrivate(), authority.password(), new Certificate[] { cert });
return result;
}
Also used :
KeyPair(java.security.KeyPair)
X500NameBuilder(org.bouncycastle.asn1.x500.X500NameBuilder)
PublicKey(java.security.PublicKey)
KeyUsage(org.bouncycastle.asn1.x509.KeyUsage)
X500Name(org.bouncycastle.asn1.x500.X500Name)
KeyStore(java.security.KeyStore)
X509Certificate(java.security.cert.X509Certificate)
DERSequence(org.bouncycastle.asn1.DERSequence)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
BigInteger(java.math.BigInteger)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
Example 38 with JcaX509v3CertificateBuilder
use of org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder in project photon-model by vmware.
the class CertificateUtil method generateCertificateAndSign.
private static CertChainKeyPair generateCertificateAndSign(String fqdn, X509Certificate issuerCertificate, PrivateKey issuerPrivateKey, List<ExtensionHolder> extensions) throws CertificateException, CertIOException, OperatorCreationException {
AssertUtil.assertNotNull(issuerCertificate, "issuerCertificate");
AssertUtil.assertNotNull(issuerPrivateKey, "issuerPrivateKey");
// private key that we are creating certificate for
KeyPair pair = KeyUtil.generateRSAKeyPair();
PublicKey publicKey = pair.getPublic();
PrivateKey privateKey = convertToSunImpl(pair.getPrivate());
ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(PROVIDER).build(issuerPrivateKey);
X500Name subjectName = new X500Name("CN=" + fqdn);
// serial number of certificate
BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
// valid from
Date notBefore = generateNotBeforeDate();
// valid to
Date notAfter = generateNotAfterDate(notBefore, DEFAULT_VALIDITY);
X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerCertificate, serial, notBefore, notAfter, subjectName, publicKey);
for (ExtensionHolder extension : extensions) {
certBuilder.addExtension(extension.getOID(), extension.isCritical(), extension.getValue());
}
X509CertificateHolder certificateHolder = certBuilder.build(signer);
X509Certificate certificate = new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(certificateHolder);
List<X509Certificate> certificateChain = new ArrayList<>(2);
certificateChain.add(certificate);
certificateChain.add(issuerCertificate);
return new CertChainKeyPair(certificateChain, certificate, privateKey);
}
Also used :
KeyPair(java.security.KeyPair)
PEMKeyPair(org.bouncycastle.openssl.PEMKeyPair)
PrivateKey(java.security.PrivateKey)
PublicKey(java.security.PublicKey)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
ArrayList(java.util.ArrayList)
X500Name(org.bouncycastle.asn1.x500.X500Name)
Date(java.util.Date)
X509Certificate(java.security.cert.X509Certificate)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
Example 39 with JcaX509v3CertificateBuilder
use of org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder in project oxAuth by GluuFederation.
the class OxAuthCryptoProvider method generateV3Certificate.
public X509Certificate generateV3Certificate(KeyPair keyPair, String issuer, String signatureAlgorithm, Long expirationTime) throws CertIOException, OperatorCreationException, CertificateException {
PrivateKey privateKey = keyPair.getPrivate();
PublicKey publicKey = keyPair.getPublic();
// Signers name
X500Name issuerName = new X500Name(issuer);
// Subjects name - the same as we are self signed.
X500Name subjectName = new X500Name(issuer);
// Serial
BigInteger serial = new BigInteger(256, new SecureRandom());
// Not before
Date notBefore = new Date(System.currentTimeMillis() - 10000);
Date notAfter = new Date(expirationTime);
// Create the certificate - version 3
JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuerName, serial, notBefore, notAfter, subjectName, publicKey);
ASN1EncodableVector purposes = new ASN1EncodableVector();
purposes.add(KeyPurposeId.id_kp_serverAuth);
purposes.add(KeyPurposeId.id_kp_clientAuth);
purposes.add(KeyPurposeId.anyExtendedKeyUsage);
ASN1ObjectIdentifier extendedKeyUsage = new ASN1ObjectIdentifier("2.5.29.37").intern();
builder.addExtension(extendedKeyUsage, false, new DERSequence(purposes));
ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).setProvider("BC").build(privateKey);
X509CertificateHolder holder = builder.build(signer);
X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
return cert;
}
Also used :
PrivateKey(java.security.PrivateKey)
RSAPublicKey(java.security.interfaces.RSAPublicKey)
PublicKey(java.security.PublicKey)
ECPublicKey(java.security.interfaces.ECPublicKey)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
X500Name(org.bouncycastle.asn1.x500.X500Name)
X509Certificate(java.security.cert.X509Certificate)
DERSequence(org.bouncycastle.asn1.DERSequence)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)
Example 40 with JcaX509v3CertificateBuilder
use of org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder in project credhub by cloudfoundry-incubator.
the class SignedCertificateGenerator method getSignedByIssuer.
private X509Certificate getSignedByIssuer(X509Certificate issuerCertificate, PrivateKey issuerKey, X500Principal issuerDn, SubjectKeyIdentifier caSubjectKeyIdentifier, KeyPair keyPair, CertificateGenerationParameters params) throws Exception {
Instant now = timeProvider.getNow().toInstant();
BigInteger certificateSerialNumber = serialNumberGenerator.generate();
BigInteger caSerialNumber = issuerCertificate != null ? issuerCertificate.getSerialNumber() : certificateSerialNumber;
final JcaX509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(issuerDn, certificateSerialNumber, Date.from(now), Date.from(now.plus(Duration.ofDays(params.getDuration()))), params.getX500Principal(), keyPair.getPublic());
certificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, getSubjectKeyIdentifierFromKeyInfo(keyPair.getPublic()));
if (params.getAlternativeNames() != null) {
certificateBuilder.addExtension(Extension.subjectAlternativeName, false, params.getAlternativeNames());
}
if (params.getKeyUsage() != null) {
certificateBuilder.addExtension(Extension.keyUsage, true, params.getKeyUsage());
}
if (params.getExtendedKeyUsage() != null) {
certificateBuilder.addExtension(Extension.extendedKeyUsage, false, params.getExtendedKeyUsage());
}
if (caSubjectKeyIdentifier.getKeyIdentifier() != null) {
PublicKey issuerPublicKey = issuerCertificate != null ? issuerCertificate.getPublicKey() : keyPair.getPublic();
AuthorityKeyIdentifier authorityKeyIdentifier = jcaX509ExtensionUtils.createAuthorityKeyIdentifier(issuerPublicKey, issuerDn, caSerialNumber);
certificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, authorityKeyIdentifier);
}
certificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(params.isCa()));
ContentSigner contentSigner = jcaContentSignerBuilder.build(issuerKey);
X509CertificateHolder holder = certificateBuilder.build(contentSigner);
return jcaX509CertificateConverter.getCertificate(holder);
}
Also used :
PublicKey(java.security.PublicKey)
Instant(java.time.Instant)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
BigInteger(java.math.BigInteger)
AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
Aggregations
JcaX509v3CertificateBuilder (org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)54
JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)48
JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)41
X509Certificate (java.security.cert.X509Certificate)38
X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)36
ContentSigner (org.bouncycastle.operator.ContentSigner)34
X500Name (org.bouncycastle.asn1.x500.X500Name)32
Date (java.util.Date)28
BigInteger (java.math.BigInteger)27
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)26
KeyPair (java.security.KeyPair)22
BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)21
SecureRandom (java.security.SecureRandom)18
GeneralName (org.bouncycastle.asn1.x509.GeneralName)17
X500NameBuilder (org.bouncycastle.asn1.x500.X500NameBuilder)16
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)16
KeyStore (java.security.KeyStore)14
KeyPairGenerator (java.security.KeyPairGenerator)12
JcaX509ExtensionUtils (org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)11
PrivateKey (java.security.PrivateKey)10
