use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project AppManager by MuntashirAkon.
the class KeyStoreUtils method generateCert.
@NonNull
private static X509Certificate generateCert(PrivateKey privateKey, PublicKey publicKey, @NonNull String formattedSubject, long expiryDate) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, InvalidKeyException, IOException {
String algorithmName = "SHA512withRSA";
CertificateExtensions certificateExtensions = new CertificateExtensions();
certificateExtensions.set("SubjectKeyIdentifier", new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier()));
X500Name x500Name = new X500Name(formattedSubject);
Date notBefore = new Date();
Date notAfter = new Date(expiryDate);
certificateExtensions.set("PrivateKeyUsage", new PrivateKeyUsageExtension(notBefore, notAfter));
CertificateValidity certificateValidity = new CertificateValidity(notBefore, notAfter);
X509CertInfo x509CertInfo = new X509CertInfo();
x509CertInfo.set("version", new CertificateVersion(2));
x509CertInfo.set("serialNumber", new CertificateSerialNumber(new Random().nextInt() & Integer.MAX_VALUE));
x509CertInfo.set("algorithmID", new CertificateAlgorithmId(AlgorithmId.get(algorithmName)));
x509CertInfo.set("subject", new CertificateSubjectName(x500Name));
x509CertInfo.set("key", new CertificateX509Key(publicKey));
x509CertInfo.set("validity", certificateValidity);
x509CertInfo.set("issuer", new CertificateIssuerName(x500Name));
x509CertInfo.set("extensions", certificateExtensions);
X509CertImpl x509CertImpl = new X509CertImpl(x509CertInfo);
x509CertImpl.sign(privateKey, algorithmName);
return x509CertImpl;
}
use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project jss by dogtagpki.
the class PKCS9Attribute method derEncode.
/**
* Write the DER encoding of this attribute to an output stream.
*
* <P>
* N.B.: This method always encodes values of ChallengePassword and UnstructuredAddress attributes as ASN.1
* <code>PrintableString</code>s, without checking whether they should be encoded as <code>T61String</code>s.
*/
@Override
public void derEncode(OutputStream out) throws IOException {
try (DerOutputStream temp = new DerOutputStream();
DerOutputStream temp2 = new DerOutputStream();
DerOutputStream derOut = new DerOutputStream()) {
temp.putOID(getOID());
switch(index) {
// email address
case 1:
case // unstructured name
2:
{
// open scope
String[] values = (String[]) value;
DerOutputStream[] temps = new DerOutputStream[values.length];
for (int i = 0; i < values.length; i++) {
temps[i] = new DerOutputStream();
temps[i].putIA5String(values[i]);
}
temp.putOrderedSetOf(DerValue.tag_Set, temps);
}
// close scope
break;
case // content type
3:
{
temp2.putOID((ObjectIdentifier) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // message digest
4:
{
temp2.putOctetString((byte[]) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // signing time
5:
{
temp2.putUTCTime((Date) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // countersignature
6:
temp.putOrderedSetOf(DerValue.tag_Set, (DerEncoder[]) value);
break;
case // challenge password
7:
{
temp2.putPrintableString((String) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // unstructured address
8:
{
// open scope
String[] values = (String[]) value;
DerOutputStream[] temps = new DerOutputStream[values.length];
for (int i = 0; i < values.length; i++) {
temps[i] = new DerOutputStream();
temps[i].putPrintableString(values[i]);
}
temp.putOrderedSetOf(DerValue.tag_Set, temps);
}
// close scope
break;
case // extended-certificate attribute -- not
9:
// supported
throw new IOException("PKCS9 extended-certificate " + "attribute not supported.");
case // IssuerAndSerialNumber attribute -- not
10:
// supported
throw new IOException("PKCS9 IssuerAndSerialNumber " + "attribute not supported.");
case // passwordCheck attribute -- not
11:
// supported
throw new IOException("PKCS9 passwordCheck " + "attribute not supported.");
case // PublicKey attribute -- not
12:
// supported
throw new IOException("PKCS9 PublicKey " + "attribute not supported.");
case // SigningDescription attribute -- not
13:
// supported
throw new IOException("PKCS9 SigningDescription " + "attribute not supported.");
case // ExtensionRequest attribute
14:
try {
// temp2.putSequence((CertificateExtensions) value);
((CertificateExtensions) value).encode(temp2);
temp.write(DerValue.tag_Sequence, temp2.toByteArray());
} catch (CertificateException e) {
throw new IOException("PKCS9 extension attributes not encoded");
}
// can't happen
default:
}
derOut.write(DerValue.tag_Sequence, temp.toByteArray());
out.write(derOut.toByteArray());
}
}
use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project jss by dogtagpki.
the class PKCS9Attribute method decode.
/**
* Decode a PKCS9 attribute.
*
* @param val
* the DerValue representing the DER encoding of the attribute.
*/
private void decode(DerValue derVal) throws IOException {
DerInputStream derIn = new DerInputStream(derVal.toByteArray());
DerValue[] val = derIn.getSequence(2);
if (derIn.available() != 0)
throw new IOException("Excess data parsing PKCS9Attribute");
if (val.length != 2)
throw new IOException("PKCS9Attribute doesn't have two components");
DerValue[] elems;
// get the oid
ObjectIdentifier oid = val[0].getOID();
index = indexOf(oid, PKCS9_OIDS, 1);
Byte tag;
if (index == -1)
throw new IOException("Invalid OID for PKCS9 attribute: " + oid);
elems = new DerInputStream(val[1].toByteArray()).getSet(1);
// check single valued have only one value
if (SINGLE_VALUED[index] && elems.length > 1)
throwSingleValuedException();
// check for illegal element tags
for (int i = 0; i < elems.length; i++) {
tag = Byte.valueOf(elems[i].tag);
if (indexOf(tag, PKCS9_VALUE_TAGS[index], 0) == -1)
throwTagException(tag);
}
switch(index) {
// email address
case 1:
// unstructured name
case 2:
case // unstructured address
8:
{
// open scope
String[] values = new String[elems.length];
for (int i = 0; i < elems.length; i++) values[i] = elems[i].getAsString();
value = values;
}
// close scope
break;
case // content type
3:
value = elems[0].getOID();
break;
case // message digest
4:
value = elems[0].getOctetString();
break;
case // signing time
5:
value = (new DerInputStream(elems[0].toByteArray())).getUTCTime();
break;
case // countersignature
6:
{
// open scope
SignerInfo[] values = new SignerInfo[elems.length];
for (int i = 0; i < elems.length; i++) values[i] = new SignerInfo(elems[i].toDerInputStream());
value = values;
}
// close scope
break;
case // challenge password
7:
value = elems[0].getAsString();
break;
case // extended-certificate attribute -- not
9:
// supported
throw new IOException("PKCS9 extended-certificate " + "attribute not supported.");
case // IssuerAndSerialNumber attribute -- not
10:
// supported
throw new IOException("PKCS9 IssuerAndSerialNumber " + "attribute not supported.");
case // passwordCheck attribute -- not
11:
// supported
throw new IOException("PKCS9 passwordCheck " + "attribute not supported.");
case // PublicKey attribute -- not
12:
// supported
throw new IOException("PKCS9 PublicKey " + "attribute not supported.");
case // SigningDescription attribute -- not
13:
// supported
throw new IOException("PKCS9 SigningDescription " + "attribute not supported.");
case // ExtensionRequest attribute
14:
value = new CertificateExtensions(elems[0].toDerInputStream());
// can't happen
default:
}
}
use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project CipherTrust_Application_Protection by thalescpl-io.
the class SelfSignedCertificateUtility method generateCertificate.
private static X509Certificate generateCertificate(PublicKey publicKey, PrivateKey privateKey, Map<String, String> certificateProeprties) throws Exception {
String dn = makeDN(certificateProeprties);
X509CertInfo info = new X509CertInfo();
Date from = new Date();
Date to = new Date(from.getTime() + Integer.valueOf(certificateProeprties.get("Validity")) * 86400000l);
CertificateValidity interval = new CertificateValidity(from, to);
X500Name owner = new X500Name(dn);
boolean[] kueOk = getKeyUsgaeExtension(certificateProeprties.get("KeyUsage"));
KeyUsageExtension kue = new KeyUsageExtension(kueOk);
CertificateExtensions ext = new CertificateExtensions();
ext.set(KeyUsageExtension.NAME, kue);
info.set(X509CertInfo.VALIDITY, interval);
BigInteger sn = new BigInteger(64, new SecureRandom());
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
boolean justName = isJavaAtLeast(1.8);
if (justName) {
info.set(X509CertInfo.SUBJECT, owner);
info.set(X509CertInfo.ISSUER, owner);
} else {
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
}
info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
AlgorithmId algo = null;
String provider = null;
switch(certificateProeprties.get("Algorithm")) {
case "SHA1WithRSA":
break;
case "SHA256WithRSA":
break;
case "SHA384WithRSA":
break;
case "SHA512WithRSA":
provider = "BC";
break;
case "SHA1WithECDSA":
provider = "BC";
break;
case "SHA224WithECDSA":
provider = "BC";
break;
case "SHA256WithECDSA":
provider = "BC";
break;
case "SHA384WithECDSA":
provider = "BC";
break;
case "SHA512WithECDSA":
provider = "BC";
break;
default:
throw new NAEException(certificateProeprties.get("Algorithm") + " not supported.");
}
algo = AlgorithmId.get(certificateProeprties.get("Algorithm"));
info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
info.set(X509CertInfo.EXTENSIONS, ext);
// Sign the cert to identify the algorithm that's used.
X509CertImpl cert = new X509CertImpl(info);
if (provider != null)
cert.sign(privateKey, certificateProeprties.get("Algorithm"), provider);
else
cert.sign(privateKey, certificateProeprties.get("Algorithm"));
return cert;
}
use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project OpenAttestation by OpenAttestation.
the class X509Builder method keyUsageCRLSign.
public X509Builder keyUsageCRLSign() {
try {
v3();
if (keyUsageExtension == null) {
keyUsageExtension = new KeyUsageExtension();
}
keyUsageExtension.set(KeyUsageExtension.CRL_SIGN, true);
if (certificateExtensions == null) {
certificateExtensions = new CertificateExtensions();
}
certificateExtensions.set(keyUsageExtension.getExtensionId().toString(), keyUsageExtension);
info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
} catch (Exception e) {
fault(e, "keyUsageCRLSign");
}
return this;
}
Aggregations