
Example 1 with BasicConstraintsExtension

use of org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension in project meecrowave by apache.

Class Keystores, method createSignedCertificate.

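/**
 * Re-issues {@code certificate} under {@code issuerCertificate}: the TBS body of the input certificate
 * is re-parsed, its issuer is replaced by the issuer certificate's subject, and the result is signed with
 * {@code issuerPrivateKey} using the issuer certificate's own signature algorithm.
 * <p>
 * Any extensions carried by the input certificate are discarded: the extension set written here holds
 * only a BasicConstraints extension, and only for subjects other than {@code CN=TOP}.
 *
 * @param certificate the certificate whose TBS body is re-issued
 * @param issuerCertificate the signer's certificate; its subject becomes the issuer of the result
 * @param issuerPrivateKey the signer's private key
 * @return the newly signed certificate
 * @throws IllegalStateException wrapping any parsing, encoding or signing failure
 */
private static X509Certificate createSignedCertificate(final X509Certificate certificate, final X509Certificate issuerCertificate, final PrivateKey issuerPrivateKey) {
    try {
        // Build the issuer name from its DER encoding instead of casting getSubjectDN() to X500Name:
        // the cast only holds when the issuer certificate was produced by the JDK's own provider.
        final X500Name issuer = new X500Name(issuerCertificate.getSubjectX500Principal().getEncoded());
        final String issuerSigAlg = issuerCertificate.getSigAlgName();
        final X509CertInfo info = new X509CertInfo(certificate.getTBSCertificate());
        info.set(X509CertInfo.ISSUER, issuer);
        // No need to add the BasicConstraint for the "CN=TOP" cert. Every other subject gets a
        // non-critical BasicConstraints with cA=TRUE and no path-length limit.
        // NOTE(review): cA=TRUE makes these certificates CA-capable; if they are meant to be
        // end-entity certificates the flag should be false -- confirm intent.
        if (!certificate.getSubjectDN().getName().equals("CN=TOP")) {
            final CertificateExtensions exts = new CertificateExtensions();
            final BasicConstraintsExtension caConstraint = new BasicConstraintsExtension(true, -1);
            // Re-wrap the encoded value so the stored extension is non-critical (the two-argument
            // constructor marks a CA constraint critical).
            exts.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(false, caConstraint.getExtensionValue()));
            // Replaces, not merges, whatever extensions the input certificate had.
            info.set(X509CertInfo.EXTENSIONS, exts);
        }
        final X509CertImpl outCert = new X509CertImpl(info);
        outCert.sign(issuerPrivateKey, issuerSigAlg);
        return outCert;
    } catch (final Exception ex) {
        // Deliberately broad: callers see a single IllegalStateException for any parse/encode/sign failure.
        throw new IllegalStateException(ex);
    }
}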

Example 2 with BasicConstraintsExtension

use of org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension in project candlepin by candlepin.

Class JSSPKIUtility, method buildStandardExtensions.

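/**
 * Add boilerplate extensions required by RFC 5280: a critical KeyUsage (digitalSignature,
 * keyEncipherment, dataEncipherment), an ExtendedKeyUsage of id-kp-clientAuth, a non-CA
 * BasicConstraints, a Netscape cert-type, the SubjectKeyIdentifier and AuthorityKeyIdentifier and,
 * when {@code alternateName} is given, a SubjectAlternativeName.
 *
 * @param certExtensions a CertificateExtensions object to modify
 * @param dn the subject distinguished name; reused as the first entry of the SubjectAlternativeName
 * @param keyPair the KeyPair used to create the SubjectKeyIdentifier extension
 * @param providedExtensions A Set of provided extensions that will be added to the certificate.  In some
 * cases (hosted mode) access to the information in those extensions is required for creating the
 * subjectKeyIdentifier.
 * @param caCert the issuing CA's certificate, from which the AuthorityKeyIdentifier is derived
 * @param alternateName optional common name for a second SubjectAlternativeName entry; no
 * SubjectAlternativeName is added when {@code null}
 *
 * @return a modified version of the certExtensions parameter
 * @throws IOException in case of encoding failures, or wrapping a decoding, name-building or
 * key-identifier failure
 */
private CertificateExtensions buildStandardExtensions(CertificateExtensions certExtensions, String dn, KeyPair keyPair, Set<X509ExtensionWrapper> providedExtensions, X509Certificate caCert, String alternateName) throws IOException {
    /* The RFC states that KeyUsage SHOULD be marked as critical.  In previous Candlepin code we were
         * not marking it critical but this constructor will.  I do not believe there should be any
         * compatibility issues, but I am noting it just in case. */
    KeyUsageExtension keyUsage = new KeyUsageExtension();
    keyUsage.set(KeyUsageExtension.DIGITAL_SIGNATURE, true);
    keyUsage.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
    keyUsage.set(KeyUsageExtension.DATA_ENCIPHERMENT, true);
    certExtensions.add(keyUsage);
    // Not critical by default
    ExtendedKeyUsageExtension extendedKeyUsage = new ExtendedKeyUsageExtension();
    /* JSS doesn't have a constant defined for the "clientAuth" OID so we have to put it in by hand.
         * See https://tools.ietf.org/html/rfc5280#appendix-A specifically id-kp-clientAuth.  This OID
         * denotes that a certificate is meant for client authentication over TLS */
    extendedKeyUsage.addOID(new ObjectIdentifier("1.3.6.1.5.5.7.3.2"));
    certExtensions.add(extendedKeyUsage);
    // Not critical for non-CA certs.  -1 pathLen means it won't be encoded.
    BasicConstraintsExtension basicConstraints = new BasicConstraintsExtension(false, -1);
    certExtensions.add(basicConstraints);
    try {
        /* Not critical by default.  I am extremely dubious that we actually need this extension
             * but I'm keeping it because our old cert creation code added it. */
        NSCertTypeExtension netscapeCertType = new NSCertTypeExtension();
        netscapeCertType.set(NSCertTypeExtension.SSL_CLIENT, true);
        netscapeCertType.set(NSCertTypeExtension.EMAIL, true);
        certExtensions.add(netscapeCertType);
    } catch (CertificateException e) {
        throw new IOException("Could not construct certificate extensions", e);
    }
    try {
        /* The JSS SubjectKeyIdentifierExtension class expects you to give it the unencoded KeyIdentifier.
             * The SubjectKeyIdentifierExtension class, however, returns the encoded KeyIdentifier (an DER
             * octet string).  Therefore, we need to unpack the KeyIdentifier. */
        byte[] encodedSki = subjectKeyWriter.getSubjectKeyIdentifier(keyPair, providedExtensions);
        OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), encodedSki);
        // Required to be non-critical
        SubjectKeyIdentifierExtension ski = new SubjectKeyIdentifierExtension(extOctets.toByteArray());
        certExtensions.add(ski);
        // Not critical by default
        AuthorityKeyIdentifierExtension aki = buildAuthorityKeyIdentifier(caCert);
        certExtensions.add(aki);
        // Not critical by default and should *not* be critical since the subject field isn't empty
        if (alternateName != null) {
            SubjectAlternativeNameExtension altNames = new SubjectAlternativeNameExtension();
            // NOTE(review): alternateName is spliced into a DN string without escaping; a value containing
            // ',' or '=' would presumably be parsed as extra RDNs -- confirm callers pass a plain CN only.
            GeneralName[] sanEntries = new GeneralName[2];
            sanEntries[0] = new GeneralName(new X500Name(dn));
            sanEntries[1] = new GeneralName(new X500Name("CN=" + alternateName));
            GeneralNames generalNames = new GeneralNames(sanEntries);
            altNames.setGeneralNames(generalNames);
            certExtensions.add(altNames);
        }
    } catch (InvalidBERException | GeneralNamesException | NoSuchAlgorithmException e) {
        throw new IOException("Could not construct certificate extensions", e);
    }
    return certExtensions;
}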

Example 3 with BasicConstraintsExtension

use of org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension in project OpenAttestation by OpenAttestation.

Class X509Builder, method keyUsageCertificateAuthority.

/**
 * Marks the certificate under construction as a certificate authority: switches to v3, adds a
 * BasicConstraints extension with cA=TRUE and no path-length limit, and sets keyCertSign on the
 * builder's KeyUsage extension (created on first use, so flags set elsewhere are kept). Any failure is
 * reported through {@code fault(...)} and the builder is still returned for chaining.
 *
 * @return this builder
 */
public X509Builder keyUsageCertificateAuthority() {
    try {
        v3();
        // true: this is a CA; -1: no restriction on path length (0 or more would cap the number of
        // certs allowed below this one in the chain)
        final BasicConstraintsExtension caConstraint = new BasicConstraintsExtension(true, -1);
        // Lazily create the KeyUsage extension, then add the certificate-signing bit.
        if (keyUsageExtension == null) {
            keyUsageExtension = new KeyUsageExtension();
        }
        keyUsageExtension.set(KeyUsageExtension.KEY_CERTSIGN, true);
        // Lazily create the extension set, then register both extensions under their OID strings.
        if (certificateExtensions == null) {
            certificateExtensions = new CertificateExtensions();
        }
        final String keyUsageOid = keyUsageExtension.getExtensionId().toString();
        final String caConstraintOid = caConstraint.getExtensionId().toString();
        certificateExtensions.set(keyUsageOid, keyUsageExtension);
        certificateExtensions.set(caConstraintOid, caConstraint);
        info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
    } catch (final Exception e) {
        fault(e, "keyUsageCertificateAuthority");
    }
    return this;
}

Example 4 with BasicConstraintsExtension

use of org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension in project mockserver by mock-server.

Class X509Generator, method updateWithRootCertificateExtensions.

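/**
 * Installs the extensions that make {@code x509CertInfo} a root CA certificate: a critical
 * BasicConstraints with cA=TRUE and no path-length limit, a KeyUsage carrying keyCertSign, and a
 * SubjectKeyIdentifier derived from {@code publicKey}. Any extensions previously present on
 * {@code x509CertInfo} are replaced.
 *
 * @param x509CertInfo the certificate body to update
 * @param publicKey the key the certificate certifies; used to compute the SubjectKeyIdentifier
 * @throws IOException if an extension cannot be encoded
 * @throws CertificateException if the extension set cannot be attached to the certificate body
 */
private void updateWithRootCertificateExtensions(final X509CertInfo x509CertInfo, final PublicKey publicKey) throws IOException, CertificateException {
    final CertificateExtensions certificateExtensions = new CertificateExtensions();
    // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.9
    final boolean critical = true;
    final boolean isCa = true;
    final int noPathLengthLimit = -1;
    certificateExtensions.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(critical, isCa, noPathLengthLimit));
    // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.3
    // Name the bit rather than indexing a boolean[9] by hand (index 5 was keyCertSign).
    final KeyUsageExtension keyUsage = new KeyUsageExtension();
    keyUsage.set(KeyUsageExtension.KEY_CERTSIGN, true);
    certificateExtensions.set(KeyUsageExtension.NAME, keyUsage);
    // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.2
    certificateExtensions.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier()));
    x509CertInfo.set(X509CertInfo.EXTENSIONS, certificateExtensions);
}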

Example 5 with BasicConstraintsExtension

use of org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension in project jss by dogtagpki.

Class ExtPrettyPrint, method getBasicConstraintsExtension.

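/**
 * String Representation of BasicConstraintsExtension: the extension OID, its criticality, the cA flag
 * and, when present, the path-length constraint (-1 and -2 are printed as unlimited, any other
 * negative value as invalid).
 *
 * @return the formatted text, or an empty string if the extension's fields cannot be decoded
 */
private String getBasicConstraintsExtension() {
    // Local, single-threaded use: StringBuilder instead of the synchronized StringBuffer.
    final StringBuilder sb = new StringBuilder();
    try {
        final String fieldIndent = pp.indent(mIndentSize + 4);
        sb.append(pp.indent(mIndentSize))
          .append(mResource.getString(PrettyPrintResources.TOKEN_IDENTIFIER))
          .append(mResource.getString(PrettyPrintResources.TOKEN_BASIC_CONSTRAINTS))
          .append("- ")
          .append(mExt.getExtensionId().toString())
          .append("\n");
        sb.append(fieldIndent).append(mResource.getString(PrettyPrintResources.TOKEN_CRITICAL));
        final BasicConstraintsExtension ext = (BasicConstraintsExtension) mExt;
        sb.append(yesNoLine(mExt.isCritical()));
        sb.append(fieldIndent).append(mResource.getString(PrettyPrintResources.TOKEN_IS_CA));
        final boolean isCA = (Boolean) ext.get(BasicConstraintsExtension.IS_CA);
        sb.append(yesNoLine(isCA));
        final Integer pathLength = (Integer) ext.get(BasicConstraintsExtension.PATH_LEN);
        if (pathLength != null) {
            sb.append(fieldIndent).append(mResource.getString(PrettyPrintResources.TOKEN_PATH_LEN));
            if (pathLength >= 0) {
                sb.append(pathLength);
            } else if (pathLength == -1 || pathLength == -2) {
                sb.append(mResource.getString(PrettyPrintResources.TOKEN_PATH_LEN_UNLIMITED));
            } else {
                sb.append(mResource.getString(PrettyPrintResources.TOKEN_PATH_LEN_INVALID))
                  .append(" (").append(pathLength).append(")");
            }
            sb.append("\n");
        }
        return sb.toString();
    } catch (IOException e) {
        // Kept as-is: this printer has no logger in scope, and an undecodable extension is reported as
        // an empty section rather than failing the whole print.
        e.printStackTrace();
        return "";
    }
}

/** Localized "yes"/"no" token followed by a newline. */
private String yesNoLine(final boolean flag) {
    final String token = flag ? PrettyPrintResources.TOKEN_YES : PrettyPrintResources.TOKEN_NO;
    return mResource.getString(token) + "\n";
}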
