use of org.bouncycastle.operator.jcajce.JcaContentSignerBuilder in project azure-iot-sdk-java by Azure.
the class X509CertificateGenerator method createX509CertificateFromKeyPair.
/**
* Create a new self signed x509 certificate with the specified common name
*/
private static X509Certificate createX509CertificateFromKeyPair(KeyPair keyPair, String commonName) throws OperatorCreationException, CertificateException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
StringBuilder issuerStringBuilder = new StringBuilder(ISSUER_STRING);
if (commonName != null && !commonName.isEmpty()) {
issuerStringBuilder.append(", CN=").append(commonName);
}
X500Name issuer = new X500Name(issuerStringBuilder.toString());
BigInteger serial = BigInteger.ONE;
// valid from 24 hours earlier as well, to avoid clock skew issues with start time
Date notBefore = new Date(System.currentTimeMillis() - TimeUnit.HOURS.toMillis(24));
// 2 hour lifetime
Date notAfter = new Date(System.currentTimeMillis() + TimeUnit.HOURS.toMillis(2));
X500Name subject = new X500Name(issuerStringBuilder.toString());
PublicKey publicKey = keyPair.getPublic();
JcaX509v3CertificateBuilder v3Bldr = new JcaX509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, publicKey);
X509CertificateHolder certHldr = v3Bldr.build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).build(keyPair.getPrivate()));
X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certHldr);
cert.checkValidity(new Date());
cert.verify(keyPair.getPublic());
return cert;
}
use of org.bouncycastle.operator.jcajce.JcaContentSignerBuilder in project Openfire by igniterealtime.
the class CertificateManager method createSigningRequest.
/**
* Creates and returns the content of a new singing request for the specified certificate. Signing
* requests are required by Certificate Authorities as part of their signing process. The signing request
* contains information about the certificate issuer, subject DN, subject alternative names and public key.
* Private keys are not included. After the Certificate Authority verified and signed the certificate a new
* certificate is going to be returned.
*
* @param cert the certificate to create a signing request.
* @param privKey the private key of the certificate.
* @return the content of a new singing request for the specified certificate.
* @throws OperatorCreationException if there was a problem creating the CSR
* @throws IOException if there was a problem creating the CSR
* @throws CertificateParsingException if there was a problem creating the CSR
*/
public static String createSigningRequest(X509Certificate cert, PrivateKey privKey) throws OperatorCreationException, IOException, CertificateParsingException {
JcaPKCS10CertificationRequestBuilder csrBuilder = new //
JcaPKCS10CertificationRequestBuilder(//
cert.getSubjectX500Principal(), //
cert.getPublicKey());
// Add SubjectAlternativeNames (SANs)
final ASN1EncodableVector subjectAlternativeNames = new ASN1EncodableVector();
final Collection<List<?>> certSans = cert.getSubjectAlternativeNames();
if (certSans != null) {
for (final List<?> certSan : certSans) {
final int nameType = (Integer) certSan.get(0);
// this is either a string, or a byte-array that represents the ASN.1 DER encoded form.
final Object value = certSan.get(1);
switch(nameType) {
case 0:
// OtherName: search for "id-on-xmppAddr" or 'sRVName' or 'userPrincipalName'
try (final ASN1InputStream decoder = new ASN1InputStream((byte[]) value)) {
// By specification, OtherName instances must always be an ASN.1 Sequence.
final ASN1Primitive object = decoder.readObject();
final ASN1Sequence otherNameSeq = (ASN1Sequence) object;
// By specification, an OtherName instance consists of:
// - the type-id (which is an Object Identifier), followed by:
// - a tagged value, of which the tag number is 0 (zero) and the value is defined by the type-id.
final ASN1ObjectIdentifier typeId = (ASN1ObjectIdentifier) otherNameSeq.getObjectAt(0);
final ASN1TaggedObject taggedValue = (ASN1TaggedObject) otherNameSeq.getObjectAt(1);
final int tagNo = taggedValue.getTagNo();
if (tagNo != 0) {
throw new IllegalArgumentException("subjectAltName 'otherName' sequence's second object is expected to be a tagged value of which the tag number is 0. The tag number that was detected: " + tagNo);
}
subjectAlternativeNames.add(new DERTaggedObject(false, GeneralName.otherName, new DERSequence(new ASN1Encodable[] { typeId, taggedValue })));
} catch (Exception e) {
Log.warn("Unable to parse certificate SAN 'otherName' value", e);
}
break;
case 2:
// DNS
subjectAlternativeNames.add(new GeneralName(GeneralName.dNSName, (String) value));
break;
case 6:
// URI
subjectAlternativeNames.add(new GeneralName(GeneralName.uniformResourceIdentifier, (String) value));
break;
default:
// Not applicable to XMPP, so silently ignore them
break;
}
}
}
final GeneralNames subjectAltNames = GeneralNames.getInstance(new DERSequence(subjectAlternativeNames));
final ExtensionsGenerator extGen = new ExtensionsGenerator();
extGen.addExtension(Extension.subjectAlternativeName, false, subjectAltNames);
csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
String signatureAlgorithm = "SHA256WITH" + cert.getPublicKey().getAlgorithm();
ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(privKey);
PKCS10CertificationRequest csr = csrBuilder.build(signer);
StringWriter string = new StringWriter();
PemWriter pemWriter = new PemWriter(string);
PemObjectGenerator objGen = new MiscPEMGenerator(csr);
pemWriter.writeObject(objGen);
pemWriter.close();
return string.toString();
}
use of org.bouncycastle.operator.jcajce.JcaContentSignerBuilder in project syncany by syncany.
the class CipherUtil method generateSelfSignedCertificate.
/**
* Generates a self-signed certificate, given a public/private key pair.
*
* @see <a href="https://code.google.com/p/gitblit/source/browse/src/com/gitblit/MakeCertificate.java?r=88598bb2f779b73479512d818c675dea8fa72138">Original source of this method</a>
*/
public static X509Certificate generateSelfSignedCertificate(String commonName, KeyPair keyPair) throws OperatorCreationException, CertificateException, InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException {
// Certificate CN, O and OU
X500NameBuilder builder = new X500NameBuilder(BCStyle.INSTANCE);
builder.addRDN(BCStyle.CN, commonName);
builder.addRDN(BCStyle.O, CipherParams.CERTIFICATE_ORGANIZATION);
builder.addRDN(BCStyle.OU, CipherParams.CERTIFICATE_ORGUNIT);
// Dates and serial
Date notBefore = new Date(System.currentTimeMillis() - 1 * 24 * 60 * 60 * 1000L);
Date notAfter = new Date(System.currentTimeMillis() + 5 * 365 * 24 * 60 * 60 * 1000L);
BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
// Issuer and subject (identical, because self-signed)
X500Name issuer = builder.build();
X500Name subject = issuer;
X509v3CertificateBuilder certificateGenerator = new JcaX509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, keyPair.getPublic());
ContentSigner signatureGenerator = new JcaContentSignerBuilder("SHA256WithRSAEncryption").setProvider(CipherParams.CRYPTO_PROVIDER).build(keyPair.getPrivate());
X509Certificate certificate = new JcaX509CertificateConverter().setProvider(CipherParams.CRYPTO_PROVIDER).getCertificate(certificateGenerator.build(signatureGenerator));
certificate.checkValidity(new Date());
certificate.verify(certificate.getPublicKey());
return certificate;
}
use of org.bouncycastle.operator.jcajce.JcaContentSignerBuilder in project Payara by payara.
the class PrintCertificateCommandTest method createSelfSignedCertificate.
private static X509Certificate createSelfSignedCertificate(KeyPair keyPair) throws OperatorCreationException, CertificateException {
final Instant now = LocalDate.of(2019, 8, 1).atStartOfDay(ZoneId.of("UTC")).toInstant();
final X500Name dn = //
new X500NameBuilder().addRDN(BCStyle.C, //
"CZ").addRDN(BCStyle.L, //
"Pilsen").addRDN(BCStyle.O, //
"Payara Foundation").addRDN(BCStyle.OU, //
"Test Test, Test").addRDN(BCStyle.CN, //
PrintCertificateCommandTest.class.getSimpleName()).addRDN(BCStyle.EmailAddress, //
"nobody@nowhere.space").addRDN(BCStyle.UID, //
"LDAP-Test").build();
final ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSA").build(keyPair.getPrivate());
final JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(dn, BigInteger.ONE, Date.from(now), Date.from(now.plus(Duration.ofDays(1))), dn, keyPair.getPublic());
return new JcaX509CertificateConverter().getCertificate(certBuilder.build(contentSigner));
}
use of org.bouncycastle.operator.jcajce.JcaContentSignerBuilder in project oxTrust by GluuFederation.
the class UpdateTrustRelationshipAction method getCertForGeneratedSP.
public String getCertForGeneratedSP() throws IOException {
X509Certificate cert = null;
if ((certWrapper != null) && (certWrapper.getInputStream() != null)) {
try {
cert = sslService.getPEMCertificate(certWrapper.getInputStream());
} catch (Exception e) {
log.error(e.getMessage(), e);
}
}
if ((cert == null) && (trustRelationship.getUrl() != null)) {
facesMessages.add(FacesMessage.SEVERITY_ERROR, "Certificate were not provided, or was incorrect. Appliance will create a self-signed certificate.");
if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
Security.addProvider(new BouncyCastleProvider());
}
try {
KeyPairGenerator keyPairGen = KeyPairGenerator.getInstance("RSA", "BC");
keyPairGen.initialize(2048);
KeyPair pair = keyPairGen.generateKeyPair();
StringWriter keyWriter = new StringWriter();
JcaPEMWriter pemFormatWriter = new JcaPEMWriter(keyWriter);
pemFormatWriter.writeObject(pair.getPrivate());
pemFormatWriter.close();
String url = trustRelationship.getUrl().replaceFirst(".*//", "");
X509v3CertificateBuilder v3CertGen = new JcaX509v3CertificateBuilder(new X500Name("CN=" + url + ", OU=None, O=None L=None, C=None"), BigInteger.valueOf(new SecureRandom().nextInt()), new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30), new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365 * 10)), new X500Name("CN=" + url + ", OU=None, O=None L=None, C=None"), pair.getPublic());
cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(v3CertGen.build(new JcaContentSignerBuilder("MD5withRSA").setProvider("BC").build(pair.getPrivate())));
org.apache.commons.codec.binary.Base64 encoder = new org.apache.commons.codec.binary.Base64(64);
byte[] derCert = cert.getEncoded();
String pemCertPre = new String(encoder.encode(derCert));
log.debug(Shibboleth3ConfService.PUBLIC_CERTIFICATE_START_LINE);
log.debug(pemCertPre);
log.debug(Shibboleth3ConfService.PUBLIC_CERTIFICATE_END_LINE);
shibboleth3ConfService.saveCert(trustRelationship, pemCertPre);
shibboleth3ConfService.saveKey(trustRelationship, keyWriter.toString());
} catch (Exception e) {
e.printStackTrace();
}
}
String certificate = null;
if (cert != null) {
try {
certificate = new String(Base64.encode(cert.getEncoded()));
log.info("##### certificate = " + certificate);
} catch (CertificateEncodingException e) {
certificate = null;
facesMessages.add(FacesMessage.SEVERITY_ERROR, "Failed to encode provided certificate. Please notify Gluu support about this.");
log.error("Failed to encode certificate to DER", e);
}
} else {
facesMessages.add(FacesMessage.SEVERITY_ERROR, "Certificate were not provided, or was incorrect. Appliance will create a self-signed certificate.");
}
return certificate;
}
Aggregations