Examples with AuthorityKeyIdentifierExtension org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension used on opensource projects

Example 1 with AuthorityKeyIdentifierExtension

use of org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension in project jdk8u_jdk by JetBrains.

the class X509CertSelectorTest method testAuthorityKeyIdentifier.

/*
     * Tests matching on the authority key identifier contained in the
     * certificate.
     */
private void testAuthorityKeyIdentifier() throws IOException {
    System.out.println("X.509 Certificate Match on authorityKeyIdentifier");
    // bad match
    X509CertSelector selector = new X509CertSelector();
    byte[] b = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 };
    AuthorityKeyIdentifierExtension a = new AuthorityKeyIdentifierExtension(new KeyIdentifier(b), null, null);
    selector.setAuthorityKeyIdentifier(a.getExtensionValue());
    checkMatch(selector, cert, false);
    // good match
    DerInputStream in = new DerInputStream(cert.getExtensionValue("2.5.29.35"));
    byte[] encoded = in.getOctetString();
    selector.setAuthorityKeyIdentifier(encoded);
    checkMatch(selector, cert, true);
}

Example 2 with AuthorityKeyIdentifierExtension

use of org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension in project coprhd-controller by CoprHD.

the class KeyCertificatePairGenerator method generateCertificate.

/**
 * Create a self-signed X.509 Certificate
 *
 * @param pair the KeyPair
 */
private X509Certificate generateCertificate(KeyPair pair) throws GeneralSecurityException, IOException {
    PublicKey pubKey = loadPublicKeyFromBytes(pair.getPublic().getEncoded());
    PrivateKey privkey = pair.getPrivate();
    X509CertInfo info = new X509CertInfo();
    Date from = getNotBefore();
    Date to = new Date(from.getTime() + valuesHolder.getCertificateValidityInDays() * 86400000L);
    CertificateValidity interval = new CertificateValidity(from, to);
    BigInteger sn = new BigInteger(64, new SecureRandom());
    X500Name owner = new X500Name(String.format(CERTIFICATE_COMMON_NAME_FORMAT, valuesHolder.getCertificateCommonName()));
    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
    info.set(X509CertInfo.SUBJECT, owner);
    info.set(X509CertInfo.ISSUER, owner);
    info.set(X509CertInfo.KEY, new CertificateX509Key(pubKey));
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    AlgorithmId keyAlgo = AlgorithmId.get(KeyCertificateAlgorithmValuesHolder.DEFAULT_KEY_ALGORITHM);
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(keyAlgo));
    AlgorithmId signingAlgo = AlgorithmId.get(valuesHolder.getSigningAlgorithm());
    info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, signingAlgo);
    // add extensions
    CertificateExtensions ext = new CertificateExtensions();
    ext.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension(new KeyIdentifier(pubKey).getIdentifier()));
    // CA public key is the same as our public key (self signed)
    ext.set(AuthorityKeyIdentifierExtension.NAME, new AuthorityKeyIdentifierExtension(new KeyIdentifier(pubKey), null, null));
    ext.set(SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(subjectAltNames()));
    info.set(X509CertInfo.EXTENSIONS, ext);
    X509CertImpl cert = new X509CertImpl(info);
    cert.sign(privkey, valuesHolder.getSigningAlgorithm());
    return cert;
}

Example 3 with AuthorityKeyIdentifierExtension

use of org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension in project candlepin by candlepin.

the class JSSPKIUtility method buildAuthorityKeyIdentifier.

/**
 * Calculate the KeyIdentifier for a public key and place it in an AuthorityKeyIdentifier extension.
 *
 * Java encodes RSA public keys using the SubjectPublicKeyInfo type described in RFC 5280.
 * <pre>
 * SubjectPublicKeyInfo  ::=  SEQUENCE  {
 *   algorithm            AlgorithmIdentifier,
 *   subjectPublicKey     BIT STRING  }
 *
 * AlgorithmIdentifier  ::=  SEQUENCE  {
 *   algorithm               OBJECT IDENTIFIER,
 *   parameters              ANY DEFINED BY algorithm OPTIONAL  }
 * </pre>
 *
 * A KeyIdentifier is a SHA-1 digest of the subjectPublicKey bit string from the ASN.1 above.
 *
 * @param key the public key to use
 * @return an AuthorityKeyIdentifierExtension based on the key
 * @throws IOException if we can't construct a MessageDigest object.
 */
public static AuthorityKeyIdentifierExtension buildAuthorityKeyIdentifier(PublicKey key) throws IOException {
    try {
        Provider provider = JSSProviderLoader.getProvider(true);
        MessageDigest d = MessageDigest.getInstance("SHA-1", provider);
        byte[] encodedKey = key.getEncoded();
        DerInputStream s = new DerValue(encodedKey).toDerInputStream();
        // Skip the first item in the sequence, AlgorithmIdentifier.
        // The parameter, startLen, is required for skipSequence although it's unused.
        s.skipSequence(0);
        // Get the key's bit string
        BitArray b = s.getUnalignedBitString();
        byte[] digest = d.digest(b.toByteArray());
        KeyIdentifier ki = new KeyIdentifier(digest);
        return new AuthorityKeyIdentifierExtension(ki, null, null);
    } catch (NoSuchAlgorithmException e) {
        throw new IOException("Could not find SHA1 implementation", e);
    }
}

Example 4 with AuthorityKeyIdentifierExtension

use of org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension in project candlepin by candlepin.

the class JSSPKIUtility method buildStandardExtensions.

/**
 * Add boilerplate extensions required by RFC 5280.
 * @param certExtensions a CertificateExtensions object to modify
 * @param keyPair the KeyPair used to create the SubjectKeyIdentifier extension
 * @param providedExtensions A Set of provided extensions that will be added to the certificate.  In some
 * cases (hosted mode) access to the information in those extensions is required for creating the
 * subjectKeyIdentifier.
 *
 * @return a modified version of the certExtensions parameter
 * @throws IOException in case of encoding failures
 */
private CertificateExtensions buildStandardExtensions(CertificateExtensions certExtensions, String dn, KeyPair keyPair, Set<X509ExtensionWrapper> providedExtensions, X509Certificate caCert, String alternateName) throws IOException {
    /* The RFC states that KeyUsage SHOULD be marked as critical.  In previous Candlepin code we were
         * not marking it critical but this constructor will.  I do not believe there should be any
         * compatibility issues, but I am noting it just in case. */
    KeyUsageExtension keyUsage = new KeyUsageExtension();
    keyUsage.set(KeyUsageExtension.DIGITAL_SIGNATURE, true);
    keyUsage.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
    keyUsage.set(KeyUsageExtension.DATA_ENCIPHERMENT, true);
    certExtensions.add(keyUsage);
    // Not critical by default
    ExtendedKeyUsageExtension extendedKeyUsage = new ExtendedKeyUsageExtension();
    /* JSS doesn't have a constant defined for the "clientAuth" OID so we have to put it in by hand.
         * See https://tools.ietf.org/html/rfc5280#appendix-A specifically id-kp-clientAuth.  This OID
         * denotes that a certificate is meant for client authentication over TLS */
    extendedKeyUsage.addOID(new ObjectIdentifier("1.3.6.1.5.5.7.3.2"));
    certExtensions.add(extendedKeyUsage);
    // Not critical for non-CA certs.  -1 pathLen means it won't be encoded.
    BasicConstraintsExtension basicConstraints = new BasicConstraintsExtension(false, -1);
    certExtensions.add(basicConstraints);
    try {
        /* Not critical by default.  I am extremely dubious that we actually need this extension
             * but I'm keeping it because our old cert creation code added it. */
        NSCertTypeExtension netscapeCertType = new NSCertTypeExtension();
        netscapeCertType.set(NSCertTypeExtension.SSL_CLIENT, true);
        netscapeCertType.set(NSCertTypeExtension.EMAIL, true);
        certExtensions.add(netscapeCertType);
    } catch (CertificateException e) {
        throw new IOException("Could not construct certificate extensions", e);
    }
    try {
        /* The JSS SubjectKeyIdentifierExtension class expects you to give it the unencoded KeyIdentifier.
             * The SubjectKeyIdentifierExtension class, however, returns the encoded KeyIdentifier (an DER
             * octet string).  Therefore, we need to unpack the KeyIdentifier. */
        byte[] encodedSki = subjectKeyWriter.getSubjectKeyIdentifier(keyPair, providedExtensions);
        OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), encodedSki);
        // Required to be non-critical
        SubjectKeyIdentifierExtension ski = new SubjectKeyIdentifierExtension(extOctets.toByteArray());
        certExtensions.add(ski);
        // Not critical by default
        AuthorityKeyIdentifierExtension aki = buildAuthorityKeyIdentifier(caCert);
        certExtensions.add(aki);
        // Not critical by default and should *not* be critical since the subject field isn't empty
        if (alternateName != null) {
            SubjectAlternativeNameExtension altNames = new SubjectAlternativeNameExtension();
            GeneralName[] akiName = new GeneralName[2];
            akiName[0] = new GeneralName(new X500Name(dn));
            akiName[1] = new GeneralName(new X500Name("CN=" + alternateName));
            GeneralNames generalNames = new GeneralNames(akiName);
            altNames.setGeneralNames(generalNames);
            certExtensions.add(altNames);
        }
    } catch (InvalidBERException | GeneralNamesException | NoSuchAlgorithmException e) {
        throw new IOException("Could not construct certificate extensions", e);
    }
    return certExtensions;
}

Example 5 with AuthorityKeyIdentifierExtension

use of org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension in project candlepin by candlepin.

the class JSSPKIUtilityTest method testCalculateAuthorityKeyIdentifier.

@Test
public void testCalculateAuthorityKeyIdentifier() throws Exception {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    RSAPublicKey key = (RSAPublicKey) gen.generateKeyPair().getPublic();
    AuthorityKeyIdentifier expectedAki = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(key);
    AuthorityKeyIdentifierExtension actualAki = JSSPKIUtility.buildAuthorityKeyIdentifier(key);
    byte[] expectedKeyIdentifier = expectedAki.getKeyIdentifier();
    byte[] actualKeyIdentifier = ((KeyIdentifier) actualAki.get(AuthorityKeyIdentifierExtension.KEY_ID)).getIdentifier();
    assertArrayEquals(expectedKeyIdentifier, actualKeyIdentifier);
}