
Example 1 with CertificateExtensions

use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project AppManager by MuntashirAkon.

The class KeyStoreUtils, method generateCert.

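/**
 * Builds a self-signed X.509 v3 certificate for {@code publicKey}, signed with
 * {@code privateKey} using SHA512withRSA.
 *
 * <p>The subject name is also used as the issuer name. The certificate carries a
 * SubjectKeyIdentifier derived from {@code publicKey} and a PrivateKeyUsage period
 * equal to the certificate validity.
 *
 * @param privateKey       signing key; expected to be the RSA private half of
 *                         {@code publicKey}, since the signature algorithm is fixed to RSA
 * @param publicKey        key to certify; also the source of the SubjectKeyIdentifier
 * @param formattedSubject X.500 distinguished name string used as subject and issuer
 * @param expiryDate       end of the validity period, in milliseconds since the epoch
 * @return the signed certificate
 * @throws IllegalArgumentException if {@code expiryDate} is not later than the current time
 * @throws IOException              if the distinguished name or an extension cannot be encoded
 * @throws CertificateException     if the certificate fields cannot be assembled
 * @throws NoSuchAlgorithmException if SHA512withRSA is unavailable
 * @throws InvalidKeyException      if {@code privateKey} cannot be used for SHA512withRSA
 * @throws SignatureException       if signing fails
 */
@NonNull
private static X509Certificate generateCert(PrivateKey privateKey, PublicKey publicKey, @NonNull String formattedSubject, long expiryDate) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, InvalidKeyException, IOException {
    // Fixed signature algorithm: only RSA key pairs can be signed here.
    String algorithmName = "SHA512withRSA";

    Date notBefore = new Date();
    Date notAfter = new Date(expiryDate);
    // CertificateValidity does not check ordering; an expiry in the past would
    // otherwise silently produce a certificate that is never valid.
    if (!notAfter.after(notBefore)) {
        throw new IllegalArgumentException("expiryDate " + expiryDate
                + " must be later than the current time " + notBefore.getTime());
    }
    X500Name x500Name = new X500Name(formattedSubject);

    CertificateExtensions certificateExtensions = new CertificateExtensions();
    certificateExtensions.set("SubjectKeyIdentifier",
            new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier()));
    certificateExtensions.set("PrivateKeyUsage", new PrivateKeyUsageExtension(notBefore, notAfter));

    // RFC 5280 requires a positive serial number. Draw it from a CSPRNG so that
    // serials are unpredictable and unlikely to repeat across generated certificates;
    // nextInt(bound) yields 0..bound-1, so the +1 keeps the result in 1..Integer.MAX_VALUE.
    int serialNumber = new SecureRandom().nextInt(Integer.MAX_VALUE) + 1;

    X509CertInfo x509CertInfo = new X509CertInfo();
    // Version field is zero-based: 2 selects X.509 v3, which is required for extensions.
    x509CertInfo.set("version", new CertificateVersion(2));
    x509CertInfo.set("serialNumber", new CertificateSerialNumber(serialNumber));
    x509CertInfo.set("algorithmID", new CertificateAlgorithmId(AlgorithmId.get(algorithmName)));
    x509CertInfo.set("subject", new CertificateSubjectName(x500Name));
    x509CertInfo.set("key", new CertificateX509Key(publicKey));
    x509CertInfo.set("validity", new CertificateValidity(notBefore, notAfter));
    // Self-signed: issuer and subject are the same name.
    x509CertInfo.set("issuer", new CertificateIssuerName(x500Name));
    x509CertInfo.set("extensions", certificateExtensions);

    X509CertImpl x509CertImpl = new X509CertImpl(x509CertInfo);
    x509CertImpl.sign(privateKey, algorithmName);
    return x509CertImpl;
}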
Also used : CertificateSubjectName(android.sun.security.x509.CertificateSubjectName) KeyIdentifier(android.sun.security.x509.KeyIdentifier) X509CertInfo(android.sun.security.x509.X509CertInfo) CertificateIssuerName(android.sun.security.x509.CertificateIssuerName) CertificateVersion(android.sun.security.x509.CertificateVersion) CertificateExtensions(android.sun.security.x509.CertificateExtensions) CertificateValidity(android.sun.security.x509.CertificateValidity) X500Name(android.sun.security.x509.X500Name) CertificateX509Key(android.sun.security.x509.CertificateX509Key) Date(java.util.Date) SubjectKeyIdentifierExtension(android.sun.security.x509.SubjectKeyIdentifierExtension) CertificateSerialNumber(android.sun.security.x509.CertificateSerialNumber) Random(java.util.Random) SecureRandom(java.security.SecureRandom) X509CertImpl(android.sun.security.x509.X509CertImpl) CertificateAlgorithmId(android.sun.security.x509.CertificateAlgorithmId) PrivateKeyUsageExtension(android.sun.security.x509.PrivateKeyUsageExtension) NonNull(androidx.annotation.NonNull)

Example 2 with CertificateExtensions

use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project jss by dogtagpki.

The class PKCS9Attribute, method derEncode.

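/**
 * Write the DER encoding of this attribute to an output stream.
 *
 * <P>
 * N.B.: This method always encodes values of ChallengePassword and UnstructuredAddress attributes as ASN.1
 * <code>PrintableString</code>s, without checking whether they should be encoded as <code>T61String</code>s.
 *
 * <P>
 * The attribute is written as {@code SEQUENCE { OID, SET OF value }}. The ASN.1 type used for
 * the value is selected by {@code index}, the attribute's position in the PKCS#9 table.
 *
 * @param out stream that receives the complete DER encoding
 * @throws IOException if the attribute is one this class cannot encode (extended-certificate,
 *                     IssuerAndSerialNumber, passwordCheck, PublicKey, SigningDescription), if
 *                     an ExtensionRequest value fails to encode, if {@code index} is outside
 *                     the handled range, or if writing to {@code out} fails
 */
@Override
public void derEncode(OutputStream out) throws IOException {
    try (DerOutputStream temp = new DerOutputStream();
        DerOutputStream temp2 = new DerOutputStream();
        DerOutputStream derOut = new DerOutputStream()) {
        temp.putOID(getOID());
        switch(index) {
            case 1: // email address
            case 2: // unstructured name
                {
                    // Multi-valued: each string becomes one IA5String member of the SET.
                    String[] values = (String[]) value;
                    DerOutputStream[] temps = new DerOutputStream[values.length];
                    for (int i = 0; i < values.length; i++) {
                        temps[i] = new DerOutputStream();
                        temps[i].putIA5String(values[i]);
                    }
                    temp.putOrderedSetOf(DerValue.tag_Set, temps);
                }
                break;
            case 3: // content type
                temp2.putOID((ObjectIdentifier) value);
                temp.write(DerValue.tag_Set, temp2.toByteArray());
                break;
            case 4: // message digest
                temp2.putOctetString((byte[]) value);
                temp.write(DerValue.tag_Set, temp2.toByteArray());
                break;
            case 5: // signing time
                temp2.putUTCTime((Date) value);
                temp.write(DerValue.tag_Set, temp2.toByteArray());
                break;
            case 6: // countersignature
                // Values are already DER encoders (SignerInfo on decode); let them write themselves.
                temp.putOrderedSetOf(DerValue.tag_Set, (DerEncoder[]) value);
                break;
            case 7: // challenge password
                temp2.putPrintableString((String) value);
                temp.write(DerValue.tag_Set, temp2.toByteArray());
                break;
            case 8: // unstructured address
                {
                    // Multi-valued: each string becomes one PrintableString member of the SET.
                    String[] values = (String[]) value;
                    DerOutputStream[] temps = new DerOutputStream[values.length];
                    for (int i = 0; i < values.length; i++) {
                        temps[i] = new DerOutputStream();
                        temps[i].putPrintableString(values[i]);
                    }
                    temp.putOrderedSetOf(DerValue.tag_Set, temps);
                }
                break;
            case 9: // extended-certificate attribute -- not supported
                throw new IOException("PKCS9 extended-certificate " + "attribute not supported.");
            case 10: // IssuerAndSerialNumber attribute -- not supported
                throw new IOException("PKCS9 IssuerAndSerialNumber " + "attribute not supported.");
            case 11: // passwordCheck attribute -- not supported
                throw new IOException("PKCS9 passwordCheck " + "attribute not supported.");
            case 12: // PublicKey attribute -- not supported
                throw new IOException("PKCS9 PublicKey " + "attribute not supported.");
            case 13: // SigningDescription attribute -- not supported
                throw new IOException("PKCS9 SigningDescription " + "attribute not supported.");
            case 14: // ExtensionRequest attribute
                try {
                    // NOTE(review): unlike every other case, the value is wrapped in a
                    // SEQUENCE rather than a SET; confirm this matches the encoding
                    // expected by peers (RFC 2985 defines the values as SET OF Extensions).
                    ((CertificateExtensions) value).encode(temp2);
                    temp.write(DerValue.tag_Sequence, temp2.toByteArray());
                } catch (CertificateException e) {
                    // Keep the cause so the failing extension is visible to the caller.
                    throw new IOException("PKCS9 extension attributes not encoded", e);
                }
                break;
            default:
                // index is validated on construction, so this is unreachable in practice;
                // fail loudly rather than emit a SEQUENCE containing only the OID.
                throw new IOException("PKCS9 attribute index " + index + " not supported.");
        }
        derOut.write(DerValue.tag_Sequence, temp.toByteArray());
        out.write(derOut.toByteArray());
    }
}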
Also used : DerOutputStream(org.mozilla.jss.netscape.security.util.DerOutputStream) DerEncoder(org.mozilla.jss.netscape.security.util.DerEncoder) CertificateExtensions(org.mozilla.jss.netscape.security.x509.CertificateExtensions) CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException) Date(java.util.Date) ObjectIdentifier(org.mozilla.jss.netscape.security.util.ObjectIdentifier)

Example 3 with CertificateExtensions

use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project jss by dogtagpki.

The class PKCS9Attribute, method decode.

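/**
 * Decode a PKCS9 attribute.
 *
 * <P>
 * Expects {@code SEQUENCE { OID, SET OF value }} with no trailing data. On success
 * {@code index} holds the attribute's position in the PKCS#9 table and {@code value}
 * holds the decoded value(s); the Java type of {@code value} depends on the attribute
 * ({@code String[]}, {@code ObjectIdentifier}, {@code byte[]}, {@code Date},
 * {@code SignerInfo[]}, {@code String} or {@code CertificateExtensions}).
 *
 * @param derVal
 *            the DerValue representing the DER encoding of the attribute.
 * @throws IOException if the encoding is malformed or has trailing data, if the OID is not a
 *                     known PKCS9 attribute, if a value carries a tag not permitted for that
 *                     attribute, if a single-valued attribute has more than one value or none,
 *                     or if the attribute is one this class does not support
 */
private void decode(DerValue derVal) throws IOException {
    DerInputStream derIn = new DerInputStream(derVal.toByteArray());
    DerValue[] val = derIn.getSequence(2);
    if (derIn.available() != 0)
        throw new IOException("Excess data parsing PKCS9Attribute");
    if (val.length != 2)
        throw new IOException("PKCS9Attribute doesn't have two components");
    // get the oid
    ObjectIdentifier oid = val[0].getOID();
    index = indexOf(oid, PKCS9_OIDS, 1);
    if (index == -1)
        throw new IOException("Invalid OID for PKCS9 attribute: " + oid);
    DerValue[] elems = new DerInputStream(val[1].toByteArray()).getSet(1);
    // check single valued have only one value
    if (SINGLE_VALUED[index] && elems.length > 1)
        throwSingleValuedException();
    // The single-valued cases below read elems[0]; reject an empty SET here so a
    // malformed attribute surfaces as an IOException rather than an array index failure.
    // (assumes SINGLE_VALUED is true for every case that reads elems[0] — verify against the table)
    if (SINGLE_VALUED[index] && elems.length == 0)
        throw new IOException("PKCS9Attribute " + oid + " has no value");
    // check for illegal element tags
    for (DerValue elem : elems) {
        Byte tag = Byte.valueOf(elem.tag);
        if (indexOf(tag, PKCS9_VALUE_TAGS[index], 0) == -1)
            throwTagException(tag);
    }
    switch(index) {
        case 1: // email address
        case 2: // unstructured name
        case 8: // unstructured address
            {
                // Multi-valued string attributes: keep every member of the SET.
                String[] values = new String[elems.length];
                for (int i = 0; i < elems.length; i++) values[i] = elems[i].getAsString();
                value = values;
            }
            break;
        case 3: // content type
            value = elems[0].getOID();
            break;
        case 4: // message digest
            value = elems[0].getOctetString();
            break;
        case 5: // signing time
            value = (new DerInputStream(elems[0].toByteArray())).getUTCTime();
            break;
        case 6: // countersignature
            {
                // Each member of the SET is a full SignerInfo structure.
                SignerInfo[] values = new SignerInfo[elems.length];
                for (int i = 0; i < elems.length; i++) values[i] = new SignerInfo(elems[i].toDerInputStream());
                value = values;
            }
            break;
        case 7: // challenge password
            value = elems[0].getAsString();
            break;
        case 9: // extended-certificate attribute -- not supported
            throw new IOException("PKCS9 extended-certificate " + "attribute not supported.");
        case 10: // IssuerAndSerialNumber attribute -- not supported
            throw new IOException("PKCS9 IssuerAndSerialNumber " + "attribute not supported.");
        case 11: // passwordCheck attribute -- not supported
            throw new IOException("PKCS9 passwordCheck " + "attribute not supported.");
        case 12: // PublicKey attribute -- not supported
            throw new IOException("PKCS9 PublicKey " + "attribute not supported.");
        case 13: // SigningDescription attribute -- not supported
            throw new IOException("PKCS9 SigningDescription " + "attribute not supported.");
        case 14: // ExtensionRequest attribute
            value = new CertificateExtensions(elems[0].toDerInputStream());
            break;
        default:
            // index was validated against PKCS9_OIDS above; remaining table slots are unreachable.
            throw new IOException("PKCS9 attribute index " + index + " not supported.");
    }
}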
Also used : DerValue(org.mozilla.jss.netscape.security.util.DerValue) DerInputStream(org.mozilla.jss.netscape.security.util.DerInputStream) CertificateExtensions(org.mozilla.jss.netscape.security.x509.CertificateExtensions) IOException(java.io.IOException) ObjectIdentifier(org.mozilla.jss.netscape.security.util.ObjectIdentifier)

Example 4 with CertificateExtensions

use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project CipherTrust_Application_Protection by thalescpl-io.

The class SelfSignedCertificateUtility, method generateCertificate.

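/**
 * Builds a self-signed X.509 v3 certificate for {@code publicKey}, signed with {@code privateKey}.
 *
 * <p>The subject name (from {@code makeDN}) is also used as the issuer name. A KeyUsage
 * extension is added from the {@code "KeyUsage"} property and the serial number is 64 random
 * bits from a {@link SecureRandom}.
 *
 * @param publicKey             key to certify
 * @param privateKey            signing key matching {@code publicKey}
 * @param certificateProeprties certificate settings; this method reads {@code "Validity"}
 *                              (whole days), {@code "KeyUsage"} and {@code "Algorithm"}
 *                              (one of the signature algorithm names accepted below), plus
 *                              whatever {@code makeDN} requires
 * @return the signed certificate
 * @throws IllegalArgumentException if {@code "Validity"} or {@code "Algorithm"} is missing,
 *                                  or {@code "Validity"} is not a positive integer
 * @throws NAEException             if {@code "Algorithm"} names an unsupported algorithm
 * @throws Exception                if assembling or signing the certificate fails
 */
private static X509Certificate generateCertificate(PublicKey publicKey, PrivateKey privateKey, Map<String, String> certificateProeprties) throws Exception {
    // Validate the inputs that drive the whole build before touching any crypto objects,
    // so a missing or malformed property fails with a clear message instead of an NPE.
    String algorithm = certificateProeprties.get("Algorithm");
    if (algorithm == null) {
        throw new IllegalArgumentException("Certificate property \"Algorithm\" is required");
    }
    // The SHA-1/SHA-256/SHA-384 RSA names are served by the default provider; every other
    // accepted algorithm is signed through the BouncyCastle ("BC") provider.
    String provider;
    switch (algorithm) {
        case "SHA1WithRSA":
        case "SHA256WithRSA":
        case "SHA384WithRSA":
            provider = null;
            break;
        case "SHA512WithRSA":
        case "SHA1WithECDSA":
        case "SHA224WithECDSA":
        case "SHA256WithECDSA":
        case "SHA384WithECDSA":
        case "SHA512WithECDSA":
            provider = "BC";
            break;
        default:
            throw new NAEException(algorithm + " not supported.");
    }

    String validityText = certificateProeprties.get("Validity");
    if (validityText == null) {
        throw new IllegalArgumentException("Certificate property \"Validity\" (days) is required");
    }
    long validityDays = Integer.parseInt(validityText); // NumberFormatException is an IllegalArgumentException
    if (validityDays <= 0) {
        throw new IllegalArgumentException(
                "Certificate property \"Validity\" must be a positive number of days, got " + validityText);
    }
    Date from = new Date();
    // 86400000 ms per day; the multiplication is done in long arithmetic to avoid int overflow.
    Date to = new Date(from.getTime() + validityDays * 86400000L);
    CertificateValidity interval = new CertificateValidity(from, to);

    String dn = makeDN(certificateProeprties);
    X500Name owner = new X500Name(dn);

    boolean[] kueOk = getKeyUsgaeExtension(certificateProeprties.get("KeyUsage"));
    KeyUsageExtension kue = new KeyUsageExtension(kueOk);
    CertificateExtensions ext = new CertificateExtensions();
    ext.set(KeyUsageExtension.NAME, kue);

    // RFC 5280 requires a positive serial; 64 random bits can be zero only with
    // negligible probability, but guard against it anyway.
    BigInteger sn = new BigInteger(64, new SecureRandom());
    if (sn.signum() == 0) {
        sn = BigInteger.ONE;
    }

    X509CertInfo info = new X509CertInfo();
    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
    // Presumably the bare X500Name is accepted by the JDK 8+ X509CertInfo while older
    // releases require the wrapper types; isJavaAtLeast is defined elsewhere in this class.
    if (isJavaAtLeast(1.8)) {
        info.set(X509CertInfo.SUBJECT, owner);
        info.set(X509CertInfo.ISSUER, owner);
    } else {
        info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
        info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
    }
    info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    AlgorithmId algo = AlgorithmId.get(algorithm);
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));
    info.set(X509CertInfo.EXTENSIONS, ext);

    // Sign the cert to identify the algorithm that's used.
    X509CertImpl cert = new X509CertImpl(info);
    if (provider != null)
        cert.sign(privateKey, algorithm, provider);
    else
        cert.sign(privateKey, algorithm);
    return cert;
}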
Also used : CertificateSubjectName(sun.security.x509.CertificateSubjectName) NAEException(com.ingrian.security.nae.NAEException) X509CertInfo(sun.security.x509.X509CertInfo) CertificateIssuerName(sun.security.x509.CertificateIssuerName) SecureRandom(java.security.SecureRandom) CertificateVersion(sun.security.x509.CertificateVersion) CertificateValidity(sun.security.x509.CertificateValidity) CertificateExtensions(sun.security.x509.CertificateExtensions) X500Name(sun.security.x509.X500Name) CertificateX509Key(sun.security.x509.CertificateX509Key) Date(java.util.Date) CertificateSerialNumber(sun.security.x509.CertificateSerialNumber) CertificateAlgorithmId(sun.security.x509.CertificateAlgorithmId) AlgorithmId(sun.security.x509.AlgorithmId) X509CertImpl(sun.security.x509.X509CertImpl) BigInteger(java.math.BigInteger) CertificateAlgorithmId(sun.security.x509.CertificateAlgorithmId) KeyUsageExtension(sun.security.x509.KeyUsageExtension)

Example 5 with CertificateExtensions

use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project OpenAttestation by OpenAttestation.

The class X509Builder, method keyUsageCRLSign.

/**
 * Sets the {@code cRLSign} bit of the KeyUsage extension on the certificate being built.
 *
 * <p>Calls {@code v3()} first, lazily creates the KeyUsage extension and the extension
 * set if they do not exist yet, and (re)installs the extension set on {@code info}.
 * Any exception is reported through {@code fault} so the fluent chain is not interrupted.
 *
 * @return this builder
 */
public X509Builder keyUsageCRLSign() {
    try {
        v3();
        KeyUsageExtension usage = keyUsageExtension;
        if (usage == null) {
            usage = new KeyUsageExtension();
            keyUsageExtension = usage;
        }
        usage.set(KeyUsageExtension.CRL_SIGN, true);
        CertificateExtensions extensions = certificateExtensions;
        if (extensions == null) {
            extensions = new CertificateExtensions();
            certificateExtensions = extensions;
        }
        extensions.set(usage.getExtensionId().toString(), usage);
        info.set(X509CertInfo.EXTENSIONS, extensions);
    } catch (Exception e) {
        fault(e, "keyUsageCRLSign");
    }
    return this;
}
Also used : CertificateExtensions(sun.security.x509.CertificateExtensions) KeyUsageExtension(sun.security.x509.KeyUsageExtension) ExtendedKeyUsageExtension(sun.security.x509.ExtendedKeyUsageExtension)
