
Example 16 with X509ExtensionWrapper

use of org.candlepin.pki.X509ExtensionWrapper in project candlepin by candlepin.

the class BouncyCastlePKIUtility method createX509Certificate.

@Override
public X509Certificate createX509Certificate(String dn, Set<X509ExtensionWrapper> extensions, Set<X509ByteExtensionWrapper> byteExtensions, Date startDate, Date endDate, KeyPair clientKeyPair, BigInteger serialNumber, String alternateName) throws GeneralSecurityException, IOException {
    X509Certificate caCert = reader.getCACert();
    byte[] publicKeyEncoded = clientKeyPair.getPublic().getEncoded();
    X509v3CertificateBuilder certGen = new X509v3CertificateBuilder(X500Name.getInstance(caCert.getSubjectX500Principal().getEncoded()), serialNumber, startDate, endDate, new X500Name(dn), SubjectPublicKeyInfo.getInstance(publicKeyEncoded));
    // Key usage for a TLS client / S/MIME certificate: sign handshakes, wrap and encrypt data.
    // keyCertSign is deliberately absent. RFC 5280 section 4.2.1.3 says keyUsage SHOULD be
    // marked critical when present; this code adds it as non-critical.
    KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment);
    // Legacy Netscape cert-type extension (sslClient | smime), still honoured by some older clients.
    NetscapeCertType certType = new NetscapeCertType(NetscapeCertType.sslClient | NetscapeCertType.smime);
    certGen.addExtension(MiscObjectIdentifiers.netscapeCertType, false, certType);
    certGen.addExtension(Extension.keyUsage, false, keyUsage);
    JcaX509ExtensionUtils extensionUtil = new JcaX509ExtensionUtils();
    AuthorityKeyIdentifier aki = extensionUtil.createAuthorityKeyIdentifier(caCert);
    certGen.addExtension(Extension.authorityKeyIdentifier, false, aki.getEncoded());
    certGen.addExtension(Extension.subjectKeyIdentifier, false, subjectKeyWriter.getSubjectKeyIdentifier(clientKeyPair, extensions));
    certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
    // Add an additional alternative name if provided.
    if (alternateName != null) {
        /*
             Why add the certificate subject again as an alternative name? RFC 6125 Section 6.4.4
             stipulates that if SANs are provided, a validator MUST use them instead of the certificate
             subject. If no SANs are present, the RFC allows the validator to use the subject field. So,
             if we do have a SAN to add, we need to add the subject field again as a SAN.

             See http://stackoverflow.com/questions/5935369 and
             https://tools.ietf.org/html/rfc6125#section-6.4.4

             NB: This extension should *not* be marked critical since the subject field is not empty;
             RFC 5280 section 4.2.1.6 only requires a critical subjectAltName when the subject is empty.
            */
        GeneralName subject = new GeneralName(GeneralName.directoryName, dn);
        GeneralName name = new GeneralName(GeneralName.directoryName, "CN=" + alternateName);
        ASN1Encodable[] altNameArray = { subject, name };
        GeneralNames altNames = GeneralNames.getInstance(new DERSequence(altNameArray));
        certGen.addExtension(Extension.subjectAlternativeName, false, altNames);
    }
    if (extensions != null) {
        for (X509ExtensionWrapper wrapper : extensions) {
            // Bouncycastle hates null values. So, set them to blank
            // if they are null
            String value = wrapper.getValue() == null ? "" : wrapper.getValue();
            certGen.addExtension(wrapper.toASN1Primitive(), wrapper.isCritical(), new DERUTF8String(value));
        }
    }
    if (byteExtensions != null) {
        for (X509ByteExtensionWrapper wrapper : byteExtensions) {
            // Bouncycastle hates null values. So, set them to blank
            // if they are null
            byte[] value = wrapper.getValue() == null ? new byte[0] : wrapper.getValue();
            certGen.addExtension(wrapper.toASN1Primitive(), wrapper.isCritical(), new DEROctetString(value));
        }
    }
    JcaContentSignerBuilder builder = new JcaContentSignerBuilder(SIGNATURE_ALGO).setProvider(BC_PROVIDER);
    ContentSigner signer;
    try {
        signer = builder.build(reader.getCaKey());
    } catch (OperatorCreationException e) {
        throw new IOException(e);
    }
    // Generate the certificate
    return new JcaX509CertificateConverter().getCertificate(certGen.build(signer));
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage) AuthorityKeyIdentifier(org.bouncycastle.asn1.x509.AuthorityKeyIdentifier) X500Name(org.bouncycastle.asn1.x500.X500Name) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERUTF8String(org.bouncycastle.asn1.DERUTF8String) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) DEROctetString(org.bouncycastle.asn1.DEROctetString) DERSequence(org.bouncycastle.asn1.DERSequence) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) NetscapeCertType(org.bouncycastle.asn1.misc.NetscapeCertType) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) X509ByteExtensionWrapper(org.candlepin.pki.X509ByteExtensionWrapper) X509ExtensionWrapper(org.candlepin.pki.X509ExtensionWrapper) GeneralName(org.bouncycastle.asn1.x509.GeneralName) ASN1Encodable(org.bouncycastle.asn1.ASN1Encodable) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)
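The routine above signs whatever it is handed with the CA key, so the useful companion is a check that an issued certificate actually carries the properties the builder intends: it chains to the CA, is inside its validity window, has digitalSignature and clientAuth, and, when a SAN is present, repeats the subject DN as a directoryName without being marked critical. The following is an added example, not code from the Candlepin project; it uses only java.security and BouncyCastle's cert API, and the class name IssuedCertCheck and the checks it performs are this editor's choices.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;

/** Checks a client certificate issued by createX509Certificate against its issuing CA. */
public final class IssuedCertCheck {

    /** Returns an empty list when every check passes, otherwise one message per failure. */
    public static List<String> check(X509Certificate cert, X509Certificate caCert, Date now)
            throws GeneralSecurityException {
        List<String> problems = new ArrayList<>();

        // 1. Signature: the CA public key must verify the certificate; verify() throws on mismatch.
        try {
            cert.verify(caCert.getPublicKey());
        } catch (GeneralSecurityException e) {
            problems.add("signature does not verify with the CA key: " + e.getMessage());
        }

        // 2. Name chaining and validity window.
        X509CertificateHolder holder = new JcaX509CertificateHolder(cert);
        X509CertificateHolder caHolder = new JcaX509CertificateHolder(caCert);
        if (!holder.getIssuer().equals(caHolder.getSubject())) {
            problems.add("issuer DN does not match the CA subject DN");
        }
        if (!holder.isValidOn(now)) {
            problems.add("certificate is not valid at " + now);
        }

        // 3. keyUsage: index 0 of the boolean[] is digitalSignature, which TLS client auth needs.
        boolean[] ku = cert.getKeyUsage();
        if (ku == null || !ku[0]) {
            problems.add("keyUsage lacks digitalSignature");
        }

        // 4. extendedKeyUsage must list id-kp-clientAuth (1.3.6.1.5.5.7.3.2).
        List<String> eku = cert.getExtendedKeyUsage();
        if (eku == null || !eku.contains(KeyPurposeId.id_kp_clientAuth.getId())) {
            problems.add("extendedKeyUsage lacks clientAuth");
        }

        // 5. A SAN, if present, must be non-critical (subject is non-empty) and must repeat the
        //    subject DN as a directoryName, because RFC 6125 validators ignore the subject once
        //    a SAN exists.
        Extension san = holder.getExtension(Extension.subjectAlternativeName);
        if (san != null) {
            if (san.isCritical()) {
                problems.add("subjectAltName is critical although the subject is non-empty");
            }
            boolean subjectRepeated = false;
            for (GeneralName gn : GeneralNames.getInstance(san.getParsedValue()).getNames()) {
                if (gn.getTagNo() == GeneralName.directoryName
                        && X500Name.getInstance(gn.getName()).equals(holder.getSubject())) {
                    subjectRepeated = true;
                }
            }
            if (!subjectRepeated) {
                problems.add("subjectAltName present but does not repeat the subject DN");
            }
        }
        return problems;
    }
}
```

Call it as `IssuedCertCheck.check(cert, reader.getCACert(), new Date())` right after `createX509Certificate` returns; a non-empty list means the issued certificate would be rejected, or silently mis-trusted, by a standards-following TLS client. The DN comparison deliberately goes through BouncyCastle's X500Name rather than string-comparing the RFC 2253 form that java.security returns for directoryName entries, since X500Name.equals compares RDN by RDN.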

Example 17 with X509ExtensionWrapper

use of org.candlepin.pki.X509ExtensionWrapper in project candlepin by candlepin.

the class DefaultEntitlementCertServiceAdapterTest method testPrepareV3EntitlementDataNoConsumerArch.

@Test
public void testPrepareV3EntitlementDataNoConsumerArch() throws IOException, GeneralSecurityException {
    Set<Product> products = new HashSet<>();
    products.add(product);
    setupEntitlements(null, "3.3");
    Set<X509ExtensionWrapper> extensions = certServiceAdapter.prepareV3Extensions();
    Map<String, X509ExtensionWrapper> map = new HashMap<>();
    for (X509ExtensionWrapper ext : extensions) {
        map.put(ext.getOid(), ext);
    }
    byte[] payload = v3extensionUtil.createEntitlementDataPayload(getProductModels(product, products, "prefix", entitlement), consumer, pool, entitlement.getQuantity());
    String stringValue = "";
    try {
        stringValue = processPayload(payload);
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
    Map<String, Object> data = (Map<String, Object>) Util.fromJson(stringValue, Map.class);
    List<Map<String, Object>> prods = (List<Map<String, Object>>) data.get("products");
    List<Map<String, Object>> contents = null;
    for (Map<String, Object> prod : prods) {
        String arch = product.hasAttribute(Product.Attributes.ARCHITECTURE) ? product.getAttributeValue(Product.Attributes.ARCHITECTURE) : "";
        StringTokenizer st = new StringTokenizer(arch, ",");
        while (st.hasMoreElements()) {
            assertTrue(((List) prod.get("architectures")).contains(st.nextElement()));
        }
        contents = (List<Map<String, Object>>) prod.get("content");
        for (Map<String, Object> cont : contents) {
            assertEquals(cont.get("id"), CONTENT_ID);
            assertEquals(cont.get("path"), "prefix" + CONTENT_URL);
            assertFalse((Boolean) cont.get("enabled"));
            // since we dont know the consumer arch, we dont filter
            // any contents out
            List<String> arches = new ArrayList<>();
            arches.add(ARCH_LABEL);
            assertEquals(cont.get("arches"), arches);
        }
    }
}
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) Product(org.candlepin.model.Product) Matchers.anyString(org.mockito.Matchers.anyString) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) ExpectedException(org.junit.rules.ExpectedException) CertificateSizeException(org.candlepin.util.CertificateSizeException) IOException(java.io.IOException) StringTokenizer(java.util.StringTokenizer) X509ExtensionWrapper(org.candlepin.pki.X509ExtensionWrapper) List(java.util.List) ArrayList(java.util.ArrayList) Map(java.util.Map) Matchers.anyMap(org.mockito.Matchers.anyMap) HashMap(java.util.HashMap) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 18 with X509ExtensionWrapper

use of org.candlepin.pki.X509ExtensionWrapper in project candlepin by candlepin.

the class DefaultEntitlementCertServiceAdapterTest method testPrepareV3EntitlementDataNoContentArch.

@Test
public void testPrepareV3EntitlementDataNoContentArch() throws IOException, GeneralSecurityException {
    Set<Product> products = new HashSet<>();
    // our content with no arch should inherit this arch
    Product inheritedArchProduct = TestUtil.createProduct("12345", "a product");
    inheritedArchProduct.setAttribute(Product.Attributes.VERSION, "version");
    inheritedArchProduct.setAttribute(Product.Attributes.VARIANT, "variant");
    inheritedArchProduct.setAttribute(Product.Attributes.TYPE, "SVC");
    inheritedArchProduct.setAttribute(Product.Attributes.ARCHITECTURE, ARCH_LABEL);
    inheritedArchProduct.addContent(noArchContent, false);
    products.add(inheritedArchProduct);
    setupEntitlements(ARCH_LABEL, "3.3");
    Set<X509ExtensionWrapper> extensions = certServiceAdapter.prepareV3Extensions();
    Map<String, X509ExtensionWrapper> map = new HashMap<>();
    for (X509ExtensionWrapper ext : extensions) {
        map.put(ext.getOid(), ext);
    }
    assertTrue(map.containsKey("1.3.6.1.4.1.2312.9.6"));
    assertEquals(map.get("1.3.6.1.4.1.2312.9.6").getValue(), ("3.3"));
    byte[] payload = v3extensionUtil.createEntitlementDataPayload(getProductModels(product, products, "prefix", entitlement), consumer, pool, entitlement.getQuantity());
    String stringValue = "";
    try {
        stringValue = processPayload(payload);
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
    Map<String, Object> data = (Map<String, Object>) Util.fromJson(stringValue, Map.class);
    List<Map<String, Object>> prods = (List<Map<String, Object>>) data.get("products");
    List<Map<String, Object>> contents = null;
    for (Map<String, Object> prod : prods) {
        String arch = product.hasAttribute(Product.Attributes.ARCHITECTURE) ? product.getAttributeValue(Product.Attributes.ARCHITECTURE) : "";
        StringTokenizer st = new StringTokenizer(arch, ",");
        while (st.hasMoreElements()) {
            assertTrue(((List) prod.get("architectures")).contains(st.nextElement()));
        }
        contents = (List<Map<String, Object>>) prod.get("content");
        for (Map<String, Object> cont : contents) {
            // We dont set an arch on Content, but we inherit it
            // from product, so the arch should match ARCH_LABEL,
            // that the Product was created with
            List<String> arches = new ArrayList<>();
            arches.add(ARCH_LABEL);
            assertEquals(cont.get("arches"), arches);
        }
    }
}
Also used : HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) Product(org.candlepin.model.Product) Matchers.anyString(org.mockito.Matchers.anyString) CertificateExpiredException(java.security.cert.CertificateExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) UnsupportedEncodingException(java.io.UnsupportedEncodingException) ExpectedException(org.junit.rules.ExpectedException) CertificateSizeException(org.candlepin.util.CertificateSizeException) IOException(java.io.IOException) StringTokenizer(java.util.StringTokenizer) X509ExtensionWrapper(org.candlepin.pki.X509ExtensionWrapper) List(java.util.List) ArrayList(java.util.ArrayList) Map(java.util.Map) Matchers.anyMap(org.mockito.Matchers.anyMap) HashMap(java.util.HashMap) HashSet(java.util.HashSet) Test(org.junit.Test)

Example 19 with X509ExtensionWrapper

use of org.candlepin.pki.X509ExtensionWrapper in project candlepin by candlepin.

the class X509ExtensionUtil method consumerExtensions.

public Set<X509ExtensionWrapper> consumerExtensions(Consumer consumer) {
    Set<X509ExtensionWrapper> toReturn = new LinkedHashSet<>();
    // 1.3.6.1.4.1.2312.9.5.1
    // REDHAT_OID here seems wrong...
    String consumerOid = OIDUtil.REDHAT_OID + "." + OIDUtil.TOPLEVEL_NAMESPACES.get(OIDUtil.SYSTEM_NAMESPACE_KEY);
    toReturn.add(new X509ExtensionWrapper(consumerOid + "." + OIDUtil.SYSTEM_OIDS.get(OIDUtil.UUID_KEY), false, consumer.getUuid()));
    return toReturn;
}
Also used : LinkedHashSet(java.util.LinkedHashSet) X509ExtensionWrapper(org.candlepin.pki.X509ExtensionWrapper)

Example 20 with X509ExtensionWrapper

use of org.candlepin.pki.X509ExtensionWrapper in project candlepin by candlepin.

the class X509ExtensionUtil method productExtensions.

public Set<X509ExtensionWrapper> productExtensions(Product product) {
    Set<X509ExtensionWrapper> toReturn = new LinkedHashSet<>();
    String productCertOid = OIDUtil.REDHAT_OID + "." + OIDUtil.TOPLEVEL_NAMESPACES.get(OIDUtil.PRODUCT_CERT_NAMESPACE_KEY);
    // XXX need to deal with non hash style IDs
    String productOid = productCertOid + "." + product.getId();
    toReturn.add(new X509ExtensionWrapper(productOid + "." + OIDUtil.ORDER_PRODUCT_OIDS.get(OIDUtil.OP_NAME_KEY), false, product.getName()));
    String arch = product.getAttributeValue(Product.Attributes.ARCHITECTURE);
    toReturn.add(new X509ExtensionWrapper(productOid + "." + OIDUtil.ORDER_PRODUCT_OIDS.get(OIDUtil.OP_ARCH_KEY), false, arch != null ? arch : ""));
    String version = product.getAttributeValue(Product.Attributes.VERSION);
    toReturn.add(new X509ExtensionWrapper(productOid + "." + OIDUtil.ORDER_PRODUCT_OIDS.get(OIDUtil.OP_VERSION_KEY), false, version != null ? version : ""));
    String brandType = product.getAttributeValue(Product.Attributes.BRANDING_TYPE);
    toReturn.add(new X509ExtensionWrapper(productOid + "." + OIDUtil.ORDER_PRODUCT_OIDS.get(OIDUtil.OP_BRAND_TYPE_KEY), false, brandType != null ? brandType : ""));
    return toReturn;
}
Also used : LinkedHashSet(java.util.LinkedHashSet) X509ExtensionWrapper(org.candlepin.pki.X509ExtensionWrapper)
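consumerExtensions and productExtensions above, like every X509ExtensionWrapper in Example 16, end up in the certificate as a DERUTF8String wrapped in the extension's OCTET STRING, and X509ByteExtensionWrapper values end up as a DEROctetString. The reverse direction, reading those values back out of an issued certificate by OID, is what a client or an auditor needs. The following is an added example, not Candlepin's own code; the REDHAT_OID constant is inferred from the comment in Example 19 (consumer UUID at 1.3.6.1.4.1.2312.9.5.1) and the assertion in Example 18 (entitlement version at 1.3.6.1.4.1.2312.9.6), not copied from OIDUtil, and the class and method names are this editor's.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.TreeSet;

import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.util.encoders.Hex;

/** Reads Candlepin's private extensions back out of an issued certificate. */
public final class CandlepinExtensionReader {

    /*
     * Red Hat private enterprise arc. Assumed from the OIDs quoted on this page
     * (…2312.9.5.1 for the consumer UUID, …2312.9.6 for the entitlement version);
     * check it against OIDUtil.REDHAT_OID in the project before relying on it.
     */
    public static final String REDHAT_OID = "1.3.6.1.4.1.2312.9";

    /**
     * Returns every extension whose OID lies below oidPrefix, keyed by dotted OID.
     * Values written as DERUTF8String (X509ExtensionWrapper) come back as text; values written
     * as DEROctetString (X509ByteExtensionWrapper) or anything unparseable come back hex-encoded.
     */
    public static Map<String, String> readExtensions(X509Certificate cert, String oidPrefix) {
        TreeSet<String> oids = new TreeSet<>();
        if (cert.getNonCriticalExtensionOIDs() != null) {
            oids.addAll(cert.getNonCriticalExtensionOIDs());
        }
        if (cert.getCriticalExtensionOIDs() != null) {
            oids.addAll(cert.getCriticalExtensionOIDs());
        }
        Map<String, String> out = new LinkedHashMap<>();
        for (String oid : oids) {
            if (!oid.startsWith(oidPrefix + ".")) {
                continue;
            }
            // getExtensionValue() returns the DER encoding of the extnValue OCTET STRING, so
            // unwrap that layer before parsing the value the issuer actually placed inside.
            byte[] extnValue = ASN1OctetString.getInstance(cert.getExtensionValue(oid)).getOctets();
            out.put(oid, decode(extnValue));
        }
        return out;
    }

    private static String decode(byte[] extnValue) {
        try {
            ASN1Primitive inner = ASN1Primitive.fromByteArray(extnValue);
            if (inner instanceof ASN1String) {
                return ((ASN1String) inner).getString();   // DERUTF8String from X509ExtensionWrapper
            }
            if (inner instanceof ASN1OctetString) {
                return Hex.toHexString(((ASN1OctetString) inner).getOctets());   // X509ByteExtensionWrapper
            }
        } catch (IOException e) {
            // not a single well-formed DER value; fall through and show the raw bytes
        }
        return Hex.toHexString(extnValue);
    }
}
```

For a certificate issued from the extensions prepared in Example 18, `readExtensions(cert, CandlepinExtensionReader.REDHAT_OID)` should map "1.3.6.1.4.1.2312.9.6" to "3.3", the same value that test asserts on the wrapper before signing; the product extensions from Example 20 appear under the product-cert namespace with the product ID as the next arc. Note that a TreeSet orders OIDs as strings, so ".10" sorts before ".2"; sort numerically if order matters.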

Aggregations

X509ExtensionWrapper (org.candlepin.pki.X509ExtensionWrapper)25 Product (org.candlepin.model.Product)13 HashSet (java.util.HashSet)12 Test (org.junit.Test)12 Matchers.anyString (org.mockito.Matchers.anyString)12 HashMap (java.util.HashMap)8 LinkedHashSet (java.util.LinkedHashSet)8 IOException (java.io.IOException)7 CertificateSizeException (org.candlepin.util.CertificateSizeException)7 UnsupportedEncodingException (java.io.UnsupportedEncodingException)6 GeneralSecurityException (java.security.GeneralSecurityException)6 CertificateExpiredException (java.security.cert.CertificateExpiredException)6 ArrayList (java.util.ArrayList)6 Map (java.util.Map)6 ProductContent (org.candlepin.model.ProductContent)6 ExpectedException (org.junit.rules.ExpectedException)6 Matchers.anyMap (org.mockito.Matchers.anyMap)6 List (java.util.List)5 EnvironmentContent (org.candlepin.model.EnvironmentContent)5 X509Certificate (java.security.cert.X509Certificate)4