use of org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension in project meecrowave by apache.
the class Keystores method createSignedCertificate.
/**
 * Re-issues {@code cetrificate} under {@code issuerCertificate}.
 *
 * The TBS portion of the input certificate is parsed again, its issuer field is
 * replaced by the issuer certificate's subject, and the result is signed with
 * {@code issuerPrivateKey} using the issuer certificate's signature algorithm.
 *
 * @param cetrificate       the certificate whose TBS content is reused
 * @param issuerCertificate the certificate whose subject becomes the issuer
 * @param issuerPrivateKey  the key used to produce the new signature
 * @return the re-signed certificate
 * @throws IllegalStateException wrapping any parsing, encoding or signing failure
 */
private static X509Certificate createSignedCertificate(final X509Certificate cetrificate, final X509Certificate issuerCertificate, final PrivateKey issuerPrivateKey) {
    try {
        final X509CertInfo certInfo = new X509CertInfo(cetrificate.getTBSCertificate());
        certInfo.set(X509CertInfo.ISSUER, (X500Name) issuerCertificate.getSubjectDN());

        // The subject "CN=TOP" is treated as the leaf and receives no BasicConstraints;
        // every other subject gets a cA=TRUE BasicConstraints re-wrapped as non-critical,
        // presumably replacing whatever extensions were parsed from the TBS - confirm.
        // NOTE(review): the CA flag is decided by the subject name alone, so any input not
        // named CN=TOP becomes a CA certificate; confirm callers only pass intermediates here.
        final boolean isLeaf = cetrificate.getSubjectDN().getName().equals("CN=TOP");
        if (!isLeaf) {
            final CertificateExtensions extensions = new CertificateExtensions();
            final BasicConstraintsExtension caConstraint = new BasicConstraintsExtension(true, -1);
            extensions.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(false, caConstraint.getExtensionValue()));
            certInfo.set(X509CertInfo.EXTENSIONS, extensions);
        }

        final X509CertImpl signed = new X509CertImpl(certInfo);
        signed.sign(issuerPrivateKey, issuerCertificate.getSigAlgName());
        return signed;
    } catch (final Exception ex) {
        throw new IllegalStateException(ex);
    }
}
use of org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension in project candlepin by candlepin.
the class JSSPKIUtility method buildStandardExtensions.
/**
 * Add boilerplate extensions required by RFC 5280.
 *
 * Adds, in this order: KeyUsage (digitalSignature, keyEncipherment, dataEncipherment),
 * ExtendedKeyUsage (id-kp-clientAuth), BasicConstraints (cA=FALSE, no path length),
 * Netscape cert type (SSL client, email), SubjectKeyIdentifier, AuthorityKeyIdentifier
 * and, only when {@code alternateName} is non-null, a SubjectAlternativeName holding
 * both {@code dn} and {@code CN=<alternateName>} as directory names.
 *
 * @param certExtensions a CertificateExtensions object to modify
 * @param dn the subject distinguished name; also placed in the SubjectAlternativeName
 * @param keyPair the KeyPair used to create the SubjectKeyIdentifier extension
 * @param providedExtensions A Set of provided extensions that will be added to the certificate. In some
 * cases (hosted mode) access to the information in those extensions is required for creating the
 * subjectKeyIdentifier.
 * @param caCert the issuing CA certificate the AuthorityKeyIdentifier is derived from
 * @param alternateName optional extra common name for the SubjectAlternativeName; null skips the SAN
 *
 * @return a modified version of the certExtensions parameter
 * @throws IOException in case of encoding failures, including wrapped JSS and ASN.1 failures
 */
private CertificateExtensions buildStandardExtensions(CertificateExtensions certExtensions, String dn, KeyPair keyPair, Set<X509ExtensionWrapper> providedExtensions, X509Certificate caCert, String alternateName) throws IOException {
    /* The RFC states that KeyUsage SHOULD be marked as critical. In previous Candlepin code we were
     * not marking it critical but this constructor will. I do not believe there should be any
     * compatibility issues, but I am noting it just in case. */
    KeyUsageExtension keyUsage = new KeyUsageExtension();
    keyUsage.set(KeyUsageExtension.DIGITAL_SIGNATURE, true);
    keyUsage.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
    // dataEncipherment is set alongside the TLS-relevant bits; whether it is needed for a
    // client-auth certificate is not evident from this method - kept as-is.
    keyUsage.set(KeyUsageExtension.DATA_ENCIPHERMENT, true);
    certExtensions.add(keyUsage);
    // Not critical by default
    ExtendedKeyUsageExtension extendedKeyUsage = new ExtendedKeyUsageExtension();
    /* JSS doesn't have a constant defined for the "clientAuth" OID so we have to put it in by hand.
     * See https://tools.ietf.org/html/rfc5280#appendix-A specifically id-kp-clientAuth. This OID
     * denotes that a certificate is meant for client authentication over TLS */
    extendedKeyUsage.addOID(new ObjectIdentifier("1.3.6.1.5.5.7.3.2"));
    certExtensions.add(extendedKeyUsage);
    // Not critical for non-CA certs. -1 pathLen means it won't be encoded.
    // cA=FALSE: the certificates built here must never be accepted as issuers.
    BasicConstraintsExtension basicConstraints = new BasicConstraintsExtension(false, -1);
    certExtensions.add(basicConstraints);
    try {
        /* Not critical by default. I am extremely dubious that we actually need this extension
         * but I'm keeping it because our old cert creation code added it. */
        NSCertTypeExtension netscapeCertType = new NSCertTypeExtension();
        netscapeCertType.set(NSCertTypeExtension.SSL_CLIENT, true);
        netscapeCertType.set(NSCertTypeExtension.EMAIL, true);
        certExtensions.add(netscapeCertType);
    } catch (CertificateException e) {
        // Re-wrapped so callers only have to deal with IOException; the cause is preserved.
        throw new IOException("Could not construct certificate extensions", e);
    }
    try {
        /* The JSS SubjectKeyIdentifierExtension class expects you to give it the unencoded KeyIdentifier.
         * The SubjectKeyIdentifierExtension class, however, returns the encoded KeyIdentifier (an DER
         * octet string). Therefore, we need to unpack the KeyIdentifier. */
        byte[] encodedSki = subjectKeyWriter.getSubjectKeyIdentifier(keyPair, providedExtensions);
        OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), encodedSki);
        // Required to be non-critical
        SubjectKeyIdentifierExtension ski = new SubjectKeyIdentifierExtension(extOctets.toByteArray());
        certExtensions.add(ski);
        // Not critical by default
        AuthorityKeyIdentifierExtension aki = buildAuthorityKeyIdentifier(caCert);
        certExtensions.add(aki);
        // Not critical by default and should *not* be critical since the subject field isn't empty
        if (alternateName != null) {
            SubjectAlternativeNameExtension altNames = new SubjectAlternativeNameExtension();
            GeneralName[] akiName = new GeneralName[2];
            akiName[0] = new GeneralName(new X500Name(dn));
            // NOTE(review): alternateName is spliced into a DN string. If it can arrive from an
            // untrusted caller and contain DN separators (",", "+", "="), the parsed name may end
            // up with more RDNs than intended - confirm where alternateName originates.
            akiName[1] = new GeneralName(new X500Name("CN=" + alternateName));
            GeneralNames generalNames = new GeneralNames(akiName);
            altNames.setGeneralNames(generalNames);
            certExtensions.add(altNames);
        }
    } catch (InvalidBERException | GeneralNamesException | NoSuchAlgorithmException e) {
        // Same mapping as above: a single checked exception type for the caller, cause kept.
        throw new IOException("Could not construct certificate extensions", e);
    }
    return certExtensions;
}
use of org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension in project OpenAttestation by OpenAttestation.
the class X509Builder method keyUsageCertificateAuthority.
/**
 * Marks the certificate being built as a certificate authority.
 *
 * Switches the certificate to version 3, builds a BasicConstraints extension with
 * cA=TRUE and no path length limit, sets the keyCertSign bit in the KeyUsage
 * extension (creating the KeyUsage and extension containers lazily) and stores the
 * extensions on the certificate info. Any failure is routed to {@code fault(...)}
 * rather than thrown, so the builder can still be chained.
 *
 * @return this builder, for chaining
 */
public X509Builder keyUsageCertificateAuthority() {
    try {
        v3();
        // cA=TRUE; -1 leaves pathLenConstraint out, i.e. no limit on the depth of
        // subordinate CAs. Whether this two-argument constructor also marks the
        // extension critical is decided by JSS - confirm if that matters to callers.
        final BasicConstraintsExtension caConstraint = new BasicConstraintsExtension(true, -1);
        if (keyUsageExtension == null) {
            keyUsageExtension = new KeyUsageExtension();
        }
        // A CA certificate must be allowed to sign other certificates.
        keyUsageExtension.set(KeyUsageExtension.KEY_CERTSIGN, true);
        if (certificateExtensions == null) {
            certificateExtensions = new CertificateExtensions();
        }
        // Keyed by OID string; re-setting the same OID replaces an earlier entry.
        final String keyUsageOid = keyUsageExtension.getExtensionId().toString();
        final String constraintsOid = caConstraint.getExtensionId().toString();
        certificateExtensions.set(keyUsageOid, keyUsageExtension);
        certificateExtensions.set(constraintsOid, caConstraint);
        info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
    } catch (Exception e) {
        fault(e, "keyUsageCertificateAuthority");
    }
    return this;
}
use of org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension in project mockserver by mock-server.
the class X509Generator method updateWithRootCertificateExtensions.
/**
 * Populates {@code x509CertInfo} with the extensions used for the root certificate:
 * a critical BasicConstraints (cA=TRUE, no path length limit), a KeyUsage containing
 * only keyCertSign, and a SubjectKeyIdentifier derived from {@code publicKey}.
 *
 * @param x509CertInfo the certificate body whose EXTENSIONS field is set
 * @param publicKey    the root public key the subject key identifier is computed from
 * @throws IOException          on encoding failures
 * @throws CertificateException on certificate construction failures
 */
private void updateWithRootCertificateExtensions(final X509CertInfo x509CertInfo, final PublicKey publicKey) throws IOException, CertificateException {
    // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.9
    // critical, cA=TRUE, pathLenConstraint absent (-1): the root may sign any depth of CAs.
    final boolean critical = true;
    final boolean isCa = true;
    final int noPathLenLimit = -1;
    final BasicConstraintsExtension basicConstraints = new BasicConstraintsExtension(critical, isCa, noPathLenLimit);

    // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
    // KeyUsage bit string in RFC 5280 bit order; bit 5 is keyCertSign, every other bit stays clear.
    final int keyCertSignBit = 5;
    final boolean[] keyUsageBits = new boolean[9];
    keyUsageBits[keyCertSignBit] = true;
    final KeyUsageExtension keyUsage = new KeyUsageExtension(keyUsageBits);

    // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.2
    final SubjectKeyIdentifierExtension subjectKeyId = new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier());

    final CertificateExtensions extensions = new CertificateExtensions();
    extensions.set(BasicConstraintsExtension.NAME, basicConstraints);
    extensions.set(KeyUsageExtension.NAME, keyUsage);
    extensions.set(SubjectKeyIdentifierExtension.NAME, subjectKeyId);
    x509CertInfo.set(X509CertInfo.EXTENSIONS, extensions);
}
use of org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension in project jss by dogtagpki.
the class ExtPrettyPrint method getBasicConstraintsExtension.
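/**
 * String Representation of BasicConstraintsExtension
 *
 * Renders the extension id, whether it is critical, the cA flag and, when the
 * value carries one, the path length constraint: a non-negative length is printed
 * as-is, -1 and -2 are printed as unlimited, any other negative value as invalid.
 *
 * @return the pretty-printed text, or an empty string when the extension value
 *         cannot be read (the failure is reported on stderr, as the other
 *         printers in this class do)
 */
private String getBasicConstraintsExtension() {
    // Local, single-threaded use: StringBuilder avoids StringBuffer's synchronization.
    StringBuilder sb = new StringBuilder();
    try {
        String fieldIndent = pp.indent(mIndentSize + 4);

        sb.append(pp.indent(mIndentSize)).append(mResource.getString(PrettyPrintResources.TOKEN_IDENTIFIER));
        sb.append(mResource.getString(PrettyPrintResources.TOKEN_BASIC_CONSTRAINTS)).append("- ").append(mExt.getExtensionId().toString()).append("\n");

        sb.append(fieldIndent).append(mResource.getString(PrettyPrintResources.TOKEN_CRITICAL));
        BasicConstraintsExtension ext = (BasicConstraintsExtension) mExt;
        sb.append(mResource.getString(mExt.isCritical() ? PrettyPrintResources.TOKEN_YES : PrettyPrintResources.TOKEN_NO)).append("\n");

        sb.append(fieldIndent).append(mResource.getString(PrettyPrintResources.TOKEN_IS_CA));
        boolean isCA = ((Boolean) ext.get(BasicConstraintsExtension.IS_CA)).booleanValue();
        sb.append(mResource.getString(isCA ? PrettyPrintResources.TOKEN_YES : PrettyPrintResources.TOKEN_NO)).append("\n");

        Integer pathLength = (Integer) ext.get(BasicConstraintsExtension.PATH_LEN);
        if (pathLength != null) {
            String pathLenLabel = fieldIndent + mResource.getString(PrettyPrintResources.TOKEN_PATH_LEN);
            int len = pathLength.intValue();
            if (len >= 0) {
                sb.append(pathLenLabel).append(len).append("\n");
            } else if (len == -1 || len == -2) {
                // Both sentinel values denote an absent pathLenConstraint.
                sb.append(pathLenLabel).append(mResource.getString(PrettyPrintResources.TOKEN_PATH_LEN_UNLIMITED)).append("\n");
            } else {
                sb.append(pathLenLabel).append(mResource.getString(PrettyPrintResources.TOKEN_PATH_LEN_INVALID)).append(" (").append(len).append(")\n");
            }
        }
        return sb.toString();
    } catch (IOException e) {
        // Best-effort: pretty printing must not abort the caller, so the failure is
        // reported and an empty string returned.
        e.printStackTrace();
        return "";
    }
}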