use of org.bouncycastle.operator.jcajce.JcaContentSignerBuilder in project structr by structr.
the class SignedJarBuilder method writeSignatureBlock.
/**
* Write the certificate file with a digital signature.
*/
private void writeSignatureBlock(final JarOutputStream jos, final CMSTypedData data, final X509Certificate publicKey, final PrivateKey privateKey) throws IOException, CertificateEncodingException, OperatorCreationException, CMSException {
final List<X509Certificate> certList = new ArrayList<>();
certList.add(publicKey);
final JcaCertStore certs = new JcaCertStore(certList);
final CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
final ContentSigner sha1Signer = new JcaContentSignerBuilder("SHA1with" + privateKey.getAlgorithm()).build(privateKey);
gen.addSignerInfoGenerator(new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build()).setDirectSignature(true).build(sha1Signer, publicKey));
gen.addCertificates(certs);
final CMSSignedData sigData = gen.generate(data, false);
final ASN1InputStream asn1 = new ASN1InputStream(sigData.getEncoded());
final DEROutputStream dos = new DEROutputStream(jos);
dos.writeObject(asn1.readObject());
}
use of org.bouncycastle.operator.jcajce.JcaContentSignerBuilder in project drill by axbaretto.
the class WebServer method createHttpsConnector.
/**
* Create an HTTPS connector for given jetty server instance. If the admin has
* specified keystore/truststore settings they will be used else a self-signed
* certificate is generated and used.
* <p>
* This is a shameless copy of
* {@link org.apache.drill.exec.server.rest.Webserver#createHttpsConnector( )}.
* The two should be merged at some point. The primary issue is that the Drill
* version is tightly coupled to Drillbit configuration.
*
* @return Initialized {@link ServerConnector} for HTTPS connections.
* @throws Exception
*/
private ServerConnector createHttpsConnector(Config config) throws Exception {
LOG.info("Setting up HTTPS connector for web server");
final SslContextFactory sslContextFactory = new SslContextFactory();
// if (config.hasPath(ExecConstants.HTTP_KEYSTORE_PATH) &&
// !Strings.isNullOrEmpty(config.getString(ExecConstants.HTTP_KEYSTORE_PATH)))
// {
// LOG.info("Using configured SSL settings for web server");
// sslContextFactory.setKeyStorePath(config.getString(ExecConstants.HTTP_KEYSTORE_PATH));
// sslContextFactory.setKeyStorePassword(config.getString(ExecConstants.HTTP_KEYSTORE_PASSWORD));
//
// // TrustStore and TrustStore password are optional
// if (config.hasPath(ExecConstants.HTTP_TRUSTSTORE_PATH)) {
// sslContextFactory.setTrustStorePath(config.getString(ExecConstants.HTTP_TRUSTSTORE_PATH));
// if (config.hasPath(ExecConstants.HTTP_TRUSTSTORE_PASSWORD)) {
// sslContextFactory.setTrustStorePassword(config.getString(ExecConstants.HTTP_TRUSTSTORE_PASSWORD));
// }
// }
// } else {
LOG.info("Using generated self-signed SSL settings for web server");
final SecureRandom random = new SecureRandom();
// Generate a private-public key pair
final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024, random);
final KeyPair keyPair = keyPairGenerator.generateKeyPair();
final DateTime now = DateTime.now();
// Create builder for certificate attributes
final X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.OU, "Apache Drill (auth-generated)").addRDN(BCStyle.O, "Apache Software Foundation (auto-generated)").addRDN(BCStyle.CN, "Drill AM");
final Date notBefore = now.minusMinutes(1).toDate();
final Date notAfter = now.plusYears(5).toDate();
final BigInteger serialNumber = new BigInteger(128, random);
// Create a certificate valid for 5years from now.
final X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(// attributes
nameBuilder.build(), serialNumber, notBefore, notAfter, nameBuilder.build(), keyPair.getPublic());
// Sign the certificate using the private key
final ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate());
final X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(certificateBuilder.build(contentSigner));
// Check the validity
certificate.checkValidity(now.toDate());
// Make sure the certificate is self-signed.
certificate.verify(certificate.getPublicKey());
// Generate a random password for keystore protection
final String keyStorePasswd = RandomStringUtils.random(20);
final KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(null, null);
keyStore.setKeyEntry("DrillAutoGeneratedCert", keyPair.getPrivate(), keyStorePasswd.toCharArray(), new java.security.cert.Certificate[] { certificate });
sslContextFactory.setKeyStore(keyStore);
sslContextFactory.setKeyStorePassword(keyStorePasswd);
// }
final HttpConfiguration httpsConfig = new HttpConfiguration();
httpsConfig.addCustomizer(new SecureRequestCustomizer());
// SSL Connector
final ServerConnector sslConnector = new ServerConnector(jettyServer, new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()), new HttpConnectionFactory(httpsConfig));
sslConnector.setPort(config.getInt(DrillOnYarnConfig.HTTP_PORT));
return sslConnector;
}
use of org.bouncycastle.operator.jcajce.JcaContentSignerBuilder in project certmgr by hdecarne.
the class X509CertificateHelper method generateCRT.
/**
* Generate a CRT object.
*
* @param dn The CRT's Distinguished Name (DN).
* @param key The CRT's key pair
* @param serial The CRT's serial.
* @param notBefore The CRT's validity start.
* @param notAfter The CRT's validity end.
* @param extensions The CRT's extension objects.
* @param issuerDN The issuer's Distinguished Name (DN).
* @param issuerKey The issuer's key pair.
* @param signatureAlgorithm The signature algorithm to use.
* @return The generated CRT object.
* @throws IOException if an error occurs during generation.
*/
public static X509Certificate generateCRT(X500Principal dn, KeyPair key, BigInteger serial, Date notBefore, Date notAfter, List<X509ExtensionData> extensions, X500Principal issuerDN, KeyPair issuerKey, SignatureAlgorithm signatureAlgorithm) throws IOException {
LOG.info("CRT generation ''{0}'' started...", dn);
// Initialize CRT builder
X509v3CertificateBuilder crtBuilder = new JcaX509v3CertificateBuilder(issuerDN, serial, notBefore, notAfter, dn, key.getPublic());
// Add custom extension objects
for (X509ExtensionData extensionData : extensions) {
String oid = extensionData.oid();
if (!oid.equals(Extension.subjectKeyIdentifier) && !oid.equals(Extension.authorityKeyIdentifier)) {
boolean critical = extensionData.getCritical();
crtBuilder.addExtension(new ASN1ObjectIdentifier(oid), critical, extensionData.encode());
} else {
LOG.warning("Ignoring key identifier extension");
}
}
X509Certificate crt;
try {
// Add standard extensions based upon the CRT's purpose
JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
for (X509ExtensionData extensionData : extensions) {
if (extensionData instanceof BasicConstraintsExtensionData) {
BasicConstraintsExtensionData basicConstraintsExtension = (BasicConstraintsExtensionData) extensionData;
if (basicConstraintsExtension.getCA()) {
// CRT is CA --> record it's key's identifier
crtBuilder.addExtension(Extension.subjectKeyIdentifier, false, extensionUtils.createSubjectKeyIdentifier(key.getPublic()));
}
}
}
if (!key.equals(issuerKey)) {
// CRT is not self-signed --> record issuer key's identifier
crtBuilder.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(issuerKey.getPublic()));
}
// Sign CRT
ContentSigner crtSigner = new JcaContentSignerBuilder(signatureAlgorithm.algorithm()).build(issuerKey.getPrivate());
crt = new JcaX509CertificateConverter().getCertificate(crtBuilder.build(crtSigner));
} catch (OperatorCreationException | GeneralSecurityException e) {
throw new CertProviderException(e);
}
LOG.info("CRT generation ''{0}'' done", dn);
return crt;
}
use of org.bouncycastle.operator.jcajce.JcaContentSignerBuilder in project dcos-commons by mesosphere.
the class CertificateAuthorityClientTest method createCSR.
private byte[] createCSR() throws IOException, OperatorCreationException {
KeyPair keyPair = KEY_PAIR_GENERATOR.generateKeyPair();
X500Name name = new X500NameBuilder().addRDN(BCStyle.CN, "issuer").build();
ExtensionsGenerator extensionsGenerator = new ExtensionsGenerator();
extensionsGenerator.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
extensionsGenerator.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth }));
GeneralNames subAtlNames = new GeneralNames(new GeneralName[] { new GeneralName(GeneralName.dNSName, "test.com"), new GeneralName(GeneralName.iPAddress, TEST_IP_ADDR) });
extensionsGenerator.addExtension(Extension.subjectAlternativeName, true, subAtlNames);
ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate());
PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(name, keyPair.getPublic()).addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensionsGenerator.generate());
return PEMUtils.toPEM(csrBuilder.build(signer));
}
use of org.bouncycastle.operator.jcajce.JcaContentSignerBuilder in project dcos-commons by mesosphere.
the class CertificateAuthorityClientTest method createCertificate.
private X509Certificate createCertificate() throws Exception {
KeyPair keyPair = KEY_PAIR_GENERATOR.generateKeyPair();
SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
X500Name issuer = new X500NameBuilder().addRDN(BCStyle.CN, "issuer").build();
X500Name subject = new X500NameBuilder().addRDN(BCStyle.CN, "subject").build();
ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate());
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
X509CertificateHolder certHolder = new X509v3CertificateBuilder(issuer, new BigInteger("1000"), Date.from(Instant.now()), Date.from(Instant.now().plusSeconds(100000)), subject, subjectPublicKeyInfo).build(signer);
return (X509Certificate) certificateFactory.generateCertificate(new ByteArrayInputStream(certHolder.getEncoded()));
}
Aggregations