Search in sources :

Example 11 with CertificateExtensions

use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project jdk8u_jdk by JetBrains.

the class PKCS9Attribute method derEncode.

/**
     * Write the DER encoding of this attribute to an output stream.
     *
     * <P> N.B.: This method always encodes values of
     * ChallengePassword and UnstructuredAddress attributes as ASN.1
     * <code>PrintableString</code>s, without checking whether they
     * should be encoded as <code>T61String</code>s.
     */
public void derEncode(OutputStream out) throws IOException {
    DerOutputStream temp = new DerOutputStream();
    temp.putOID(oid);
    switch(index) {
        case // Unknown
        -1:
            temp.write((byte[]) value);
            break;
        // email address
        case 1:
        case // unstructured name
        2:
            {
                // open scope
                String[] values = (String[]) value;
                DerOutputStream[] temps = new DerOutputStream[values.length];
                for (int i = 0; i < values.length; i++) {
                    temps[i] = new DerOutputStream();
                    temps[i].putIA5String(values[i]);
                }
                temp.putOrderedSetOf(DerValue.tag_Set, temps);
            }
            // close scope
            break;
        case // content type
        3:
            {
                DerOutputStream temp2 = new DerOutputStream();
                temp2.putOID((ObjectIdentifier) value);
                temp.write(DerValue.tag_Set, temp2.toByteArray());
            }
            break;
        case // message digest
        4:
            {
                DerOutputStream temp2 = new DerOutputStream();
                temp2.putOctetString((byte[]) value);
                temp.write(DerValue.tag_Set, temp2.toByteArray());
            }
            break;
        case // signing time
        5:
            {
                DerOutputStream temp2 = new DerOutputStream();
                temp2.putUTCTime((Date) value);
                temp.write(DerValue.tag_Set, temp2.toByteArray());
            }
            break;
        case // countersignature
        6:
            temp.putOrderedSetOf(DerValue.tag_Set, (DerEncoder[]) value);
            break;
        case // challenge password
        7:
            {
                DerOutputStream temp2 = new DerOutputStream();
                temp2.putPrintableString((String) value);
                temp.write(DerValue.tag_Set, temp2.toByteArray());
            }
            break;
        case // unstructured address
        8:
            {
                // open scope
                String[] values = (String[]) value;
                DerOutputStream[] temps = new DerOutputStream[values.length];
                for (int i = 0; i < values.length; i++) {
                    temps[i] = new DerOutputStream();
                    temps[i].putPrintableString(values[i]);
                }
                temp.putOrderedSetOf(DerValue.tag_Set, temps);
            }
            // close scope
            break;
        case // extended-certificate attribute -- not supported
        9:
            throw new IOException("PKCS9 extended-certificate " + "attribute not supported.");
        // break unnecessary
        case // issuerAndserialNumber attribute -- not supported
        10:
            throw new IOException("PKCS9 IssuerAndSerialNumber" + "attribute not supported.");
        // RSA DSI proprietary
        case 11:
        case // RSA DSI proprietary
        12:
            throw new IOException("PKCS9 RSA DSI attributes" + "11 and 12, not supported.");
        // break unnecessary
        case // S/MIME unused attribute
        13:
            throw new IOException("PKCS9 attribute #13 not supported.");
        case // ExtensionRequest
        14:
            {
                DerOutputStream temp2 = new DerOutputStream();
                CertificateExtensions exts = (CertificateExtensions) value;
                try {
                    exts.encode(temp2, true);
                } catch (CertificateException ex) {
                    throw new IOException(ex.toString());
                }
                temp.write(DerValue.tag_Set, temp2.toByteArray());
            }
            break;
        case // SMIMECapability
        15:
            throw new IOException("PKCS9 attribute #15 not supported.");
        case // SigningCertificate
        16:
            throw new IOException("PKCS9 SigningCertificate attribute not supported.");
        case // SignatureTimestampToken
        17:
            temp.write(DerValue.tag_Set, (byte[]) value);
            break;
        // can't happen
        default:
    }
    DerOutputStream derOut = new DerOutputStream();
    derOut.write(DerValue.tag_Sequence, temp.toByteArray());
    out.write(derOut.toByteArray());
}
Also used : DerOutputStream(sun.security.util.DerOutputStream) DerEncoder(sun.security.util.DerEncoder) CertificateExtensions(sun.security.x509.CertificateExtensions) CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException) Date(java.util.Date) ObjectIdentifier(sun.security.util.ObjectIdentifier)

Example 12 with CertificateExtensions

use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project coprhd-controller by CoprHD.

the class KeyCertificatePairGenerator method generateCertificate.

/**
 * Create a self-signed X.509 Certificate
 *
 * @param pair the KeyPair
 */
private X509Certificate generateCertificate(KeyPair pair) throws GeneralSecurityException, IOException {
    PublicKey pubKey = loadPublicKeyFromBytes(pair.getPublic().getEncoded());
    PrivateKey privkey = pair.getPrivate();
    X509CertInfo info = new X509CertInfo();
    Date from = getNotBefore();
    Date to = new Date(from.getTime() + valuesHolder.getCertificateValidityInDays() * 86400000L);
    CertificateValidity interval = new CertificateValidity(from, to);
    BigInteger sn = new BigInteger(64, new SecureRandom());
    X500Name owner = new X500Name(String.format(CERTIFICATE_COMMON_NAME_FORMAT, valuesHolder.getCertificateCommonName()));
    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
    info.set(X509CertInfo.SUBJECT, owner);
    info.set(X509CertInfo.ISSUER, owner);
    info.set(X509CertInfo.KEY, new CertificateX509Key(pubKey));
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    AlgorithmId keyAlgo = AlgorithmId.get(KeyCertificateAlgorithmValuesHolder.DEFAULT_KEY_ALGORITHM);
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(keyAlgo));
    AlgorithmId signingAlgo = AlgorithmId.get(valuesHolder.getSigningAlgorithm());
    info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, signingAlgo);
    // add extensions
    CertificateExtensions ext = new CertificateExtensions();
    ext.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension(new KeyIdentifier(pubKey).getIdentifier()));
    // CA public key is the same as our public key (self signed)
    ext.set(AuthorityKeyIdentifierExtension.NAME, new AuthorityKeyIdentifierExtension(new KeyIdentifier(pubKey), null, null));
    ext.set(SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(subjectAltNames()));
    info.set(X509CertInfo.EXTENSIONS, ext);
    X509CertImpl cert = new X509CertImpl(info);
    cert.sign(privkey, valuesHolder.getSigningAlgorithm());
    return cert;
}
Also used : RSAPrivateKey(java.security.interfaces.RSAPrivateKey) PrivateKey(java.security.PrivateKey) KeyIdentifier(sun.security.x509.KeyIdentifier) X509CertInfo(sun.security.x509.X509CertInfo) PublicKey(java.security.PublicKey) SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension) SecureRandom(java.security.SecureRandom) CertificateVersion(sun.security.x509.CertificateVersion) CertificateValidity(sun.security.x509.CertificateValidity) CertificateExtensions(sun.security.x509.CertificateExtensions) X500Name(sun.security.x509.X500Name) CertificateX509Key(sun.security.x509.CertificateX509Key) Date(java.util.Date) CertificateSerialNumber(sun.security.x509.CertificateSerialNumber) SubjectKeyIdentifierExtension(sun.security.x509.SubjectKeyIdentifierExtension) AlgorithmId(sun.security.x509.AlgorithmId) CertificateAlgorithmId(sun.security.x509.CertificateAlgorithmId) X509CertImpl(sun.security.x509.X509CertImpl) BigInteger(java.math.BigInteger) AuthorityKeyIdentifierExtension(sun.security.x509.AuthorityKeyIdentifierExtension) CertificateAlgorithmId(sun.security.x509.CertificateAlgorithmId)

Example 13 with CertificateExtensions

use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project Bytecoder by mirkosertic.

the class PKCS9Attribute method derEncode.

/**
 * Write the DER encoding of this attribute to an output stream.
 *
 * <P> N.B.: This method always encodes values of
 * ChallengePassword and UnstructuredAddress attributes as ASN.1
 * <code>PrintableString</code>s, without checking whether they
 * should be encoded as <code>T61String</code>s.
 */
public void derEncode(OutputStream out) throws IOException {
    DerOutputStream temp = new DerOutputStream();
    temp.putOID(oid);
    switch(index) {
        case // Unknown
        -1:
            temp.write((byte[]) value);
            break;
        // email address
        case 1:
        case // unstructured name
        2:
            {
                // open scope
                String[] values = (String[]) value;
                DerOutputStream[] temps = new DerOutputStream[values.length];
                for (int i = 0; i < values.length; i++) {
                    temps[i] = new DerOutputStream();
                    temps[i].putIA5String(values[i]);
                }
                temp.putOrderedSetOf(DerValue.tag_Set, temps);
            }
            // close scope
            break;
        case // content type
        3:
            {
                DerOutputStream temp2 = new DerOutputStream();
                temp2.putOID((ObjectIdentifier) value);
                temp.write(DerValue.tag_Set, temp2.toByteArray());
            }
            break;
        case // message digest
        4:
            {
                DerOutputStream temp2 = new DerOutputStream();
                temp2.putOctetString((byte[]) value);
                temp.write(DerValue.tag_Set, temp2.toByteArray());
            }
            break;
        case // signing time
        5:
            {
                DerOutputStream temp2 = new DerOutputStream();
                temp2.putUTCTime((Date) value);
                temp.write(DerValue.tag_Set, temp2.toByteArray());
            }
            break;
        case // countersignature
        6:
            temp.putOrderedSetOf(DerValue.tag_Set, (DerEncoder[]) value);
            break;
        case // challenge password
        7:
            {
                DerOutputStream temp2 = new DerOutputStream();
                temp2.putPrintableString((String) value);
                temp.write(DerValue.tag_Set, temp2.toByteArray());
            }
            break;
        case // unstructured address
        8:
            {
                // open scope
                String[] values = (String[]) value;
                DerOutputStream[] temps = new DerOutputStream[values.length];
                for (int i = 0; i < values.length; i++) {
                    temps[i] = new DerOutputStream();
                    temps[i].putPrintableString(values[i]);
                }
                temp.putOrderedSetOf(DerValue.tag_Set, temps);
            }
            // close scope
            break;
        case // extended-certificate attribute -- not supported
        9:
            throw new IOException("PKCS9 extended-certificate " + "attribute not supported.");
        // break unnecessary
        case // issuerAndserialNumber attribute -- not supported
        10:
            throw new IOException("PKCS9 IssuerAndSerialNumber" + "attribute not supported.");
        // RSA DSI proprietary
        case 11:
        case // RSA DSI proprietary
        12:
            throw new IOException("PKCS9 RSA DSI attributes" + "11 and 12, not supported.");
        // break unnecessary
        case // S/MIME unused attribute
        13:
            throw new IOException("PKCS9 attribute #13 not supported.");
        case // ExtensionRequest
        14:
            {
                DerOutputStream temp2 = new DerOutputStream();
                CertificateExtensions exts = (CertificateExtensions) value;
                try {
                    exts.encode(temp2, true);
                } catch (CertificateException ex) {
                    throw new IOException(ex.toString());
                }
                temp.write(DerValue.tag_Set, temp2.toByteArray());
            }
            break;
        case // SMIMECapability
        15:
            throw new IOException("PKCS9 attribute #15 not supported.");
        case // SigningCertificate
        16:
            throw new IOException("PKCS9 SigningCertificate attribute not supported.");
        case // SignatureTimestampToken
        17:
            temp.write(DerValue.tag_Set, (byte[]) value);
            break;
        // can't happen
        default:
    }
    DerOutputStream derOut = new DerOutputStream();
    derOut.write(DerValue.tag_Sequence, temp.toByteArray());
    out.write(derOut.toByteArray());
}
Also used : DerOutputStream(sun.security.util.DerOutputStream) DerEncoder(sun.security.util.DerEncoder) CertificateExtensions(sun.security.x509.CertificateExtensions) CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException) Date(java.util.Date) ObjectIdentifier(sun.security.util.ObjectIdentifier)

Example 14 with CertificateExtensions

use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project meecrowave by apache.

the class Keystores method createSignedCertificate.

private static X509Certificate createSignedCertificate(final X509Certificate cetrificate, final X509Certificate issuerCertificate, final PrivateKey issuerPrivateKey) {
    try {
        Principal issuer = issuerCertificate.getSubjectDN();
        String issuerSigAlg = issuerCertificate.getSigAlgName();
        byte[] inCertBytes = cetrificate.getTBSCertificate();
        X509CertInfo info = new X509CertInfo(inCertBytes);
        info.set(X509CertInfo.ISSUER, (X500Name) issuer);
        // No need to add the BasicContraint for leaf cert
        if (!cetrificate.getSubjectDN().getName().equals("CN=TOP")) {
            CertificateExtensions exts = new CertificateExtensions();
            BasicConstraintsExtension bce = new BasicConstraintsExtension(true, -1);
            exts.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(false, bce.getExtensionValue()));
            info.set(X509CertInfo.EXTENSIONS, exts);
        }
        final X509CertImpl outCert = new X509CertImpl(info);
        outCert.sign(issuerPrivateKey, issuerSigAlg);
        return outCert;
    } catch (final Exception ex) {
        throw new IllegalStateException(ex);
    }
}
Also used : BasicConstraintsExtension(sun.security.x509.BasicConstraintsExtension) X509CertInfo(sun.security.x509.X509CertInfo) X509CertImpl(sun.security.x509.X509CertImpl) CertificateExtensions(sun.security.x509.CertificateExtensions) Principal(java.security.Principal)

Example 15 with CertificateExtensions

use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project candlepin by candlepin.

the class JSSPKIUtility method buildStandardExtensions.

/**
 * Add boilerplate extensions required by RFC 5280.
 * @param certExtensions a CertificateExtensions object to modify
 * @param keyPair the KeyPair used to create the SubjectKeyIdentifier extension
 * @param providedExtensions A Set of provided extensions that will be added to the certificate.  In some
 * cases (hosted mode) access to the information in those extensions is required for creating the
 * subjectKeyIdentifier.
 *
 * @return a modified version of the certExtensions parameter
 * @throws IOException in case of encoding failures
 */
private CertificateExtensions buildStandardExtensions(CertificateExtensions certExtensions, String dn, KeyPair keyPair, Set<X509ExtensionWrapper> providedExtensions, X509Certificate caCert, String alternateName) throws IOException {
    /* The RFC states that KeyUsage SHOULD be marked as critical.  In previous Candlepin code we were
         * not marking it critical but this constructor will.  I do not believe there should be any
         * compatibility issues, but I am noting it just in case. */
    KeyUsageExtension keyUsage = new KeyUsageExtension();
    keyUsage.set(KeyUsageExtension.DIGITAL_SIGNATURE, true);
    keyUsage.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
    keyUsage.set(KeyUsageExtension.DATA_ENCIPHERMENT, true);
    certExtensions.add(keyUsage);
    // Not critical by default
    ExtendedKeyUsageExtension extendedKeyUsage = new ExtendedKeyUsageExtension();
    /* JSS doesn't have a constant defined for the "clientAuth" OID so we have to put it in by hand.
         * See https://tools.ietf.org/html/rfc5280#appendix-A specifically id-kp-clientAuth.  This OID
         * denotes that a certificate is meant for client authentication over TLS */
    extendedKeyUsage.addOID(new ObjectIdentifier("1.3.6.1.5.5.7.3.2"));
    certExtensions.add(extendedKeyUsage);
    // Not critical for non-CA certs.  -1 pathLen means it won't be encoded.
    BasicConstraintsExtension basicConstraints = new BasicConstraintsExtension(false, -1);
    certExtensions.add(basicConstraints);
    try {
        /* Not critical by default.  I am extremely dubious that we actually need this extension
             * but I'm keeping it because our old cert creation code added it. */
        NSCertTypeExtension netscapeCertType = new NSCertTypeExtension();
        netscapeCertType.set(NSCertTypeExtension.SSL_CLIENT, true);
        netscapeCertType.set(NSCertTypeExtension.EMAIL, true);
        certExtensions.add(netscapeCertType);
    } catch (CertificateException e) {
        throw new IOException("Could not construct certificate extensions", e);
    }
    try {
        /* The JSS SubjectKeyIdentifierExtension class expects you to give it the unencoded KeyIdentifier.
             * The SubjectKeyIdentifierExtension class, however, returns the encoded KeyIdentifier (an DER
             * octet string).  Therefore, we need to unpack the KeyIdentifier. */
        byte[] encodedSki = subjectKeyWriter.getSubjectKeyIdentifier(keyPair, providedExtensions);
        OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), encodedSki);
        // Required to be non-critical
        SubjectKeyIdentifierExtension ski = new SubjectKeyIdentifierExtension(extOctets.toByteArray());
        certExtensions.add(ski);
        // Not critical by default
        AuthorityKeyIdentifierExtension aki = buildAuthorityKeyIdentifier(caCert);
        certExtensions.add(aki);
        // Not critical by default and should *not* be critical since the subject field isn't empty
        if (alternateName != null) {
            SubjectAlternativeNameExtension altNames = new SubjectAlternativeNameExtension();
            GeneralName[] akiName = new GeneralName[2];
            akiName[0] = new GeneralName(new X500Name(dn));
            akiName[1] = new GeneralName(new X500Name("CN=" + alternateName));
            GeneralNames generalNames = new GeneralNames(akiName);
            altNames.setGeneralNames(generalNames);
            certExtensions.add(altNames);
        }
    } catch (InvalidBERException | GeneralNamesException | NoSuchAlgorithmException e) {
        throw new IOException("Could not construct certificate extensions", e);
    }
    return certExtensions;
}
Also used : ExtendedKeyUsageExtension(org.mozilla.jss.netscape.security.extensions.ExtendedKeyUsageExtension) NSCertTypeExtension(org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension) SubjectAlternativeNameExtension(org.mozilla.jss.netscape.security.x509.SubjectAlternativeNameExtension) CertificateException(java.security.cert.CertificateException) IOException(java.io.IOException) X500Name(org.mozilla.jss.netscape.security.x509.X500Name) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) SubjectKeyIdentifierExtension(org.mozilla.jss.netscape.security.x509.SubjectKeyIdentifierExtension) InvalidBERException(org.mozilla.jss.asn1.InvalidBERException) BasicConstraintsExtension(org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension) OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING) GeneralNames(org.mozilla.jss.netscape.security.x509.GeneralNames) GeneralNamesException(org.mozilla.jss.netscape.security.x509.GeneralNamesException) AuthorityKeyIdentifierExtension(org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension) GeneralName(org.mozilla.jss.netscape.security.x509.GeneralName) KeyUsageExtension(org.mozilla.jss.netscape.security.x509.KeyUsageExtension) ExtendedKeyUsageExtension(org.mozilla.jss.netscape.security.extensions.ExtendedKeyUsageExtension) ObjectIdentifier(org.mozilla.jss.netscape.security.util.ObjectIdentifier)

Aggregations

CertificateExtensions (sun.security.x509.CertificateExtensions)21 KeyUsageExtension (sun.security.x509.KeyUsageExtension)9 IOException (java.io.IOException)8 Date (java.util.Date)8 ExtendedKeyUsageExtension (sun.security.x509.ExtendedKeyUsageExtension)8 SubjectAlternativeNameExtension (sun.security.x509.SubjectAlternativeNameExtension)7 CertificateException (java.security.cert.CertificateException)6 GeneralName (sun.security.x509.GeneralName)6 GeneralNames (sun.security.x509.GeneralNames)6 X509CertImpl (sun.security.x509.X509CertImpl)6 X509CertInfo (sun.security.x509.X509CertInfo)6 CertificateExtensions (org.mozilla.jss.netscape.security.x509.CertificateExtensions)5 ObjectIdentifier (sun.security.util.ObjectIdentifier)4 X500Name (sun.security.x509.X500Name)4 BigInteger (java.math.BigInteger)3 SecureRandom (java.security.SecureRandom)3 X509Certificate (java.security.cert.X509Certificate)3 ObjectIdentifier (org.mozilla.jss.netscape.security.util.ObjectIdentifier)3 CertificateX509Key (org.mozilla.jss.netscape.security.x509.CertificateX509Key)3 X509CertInfo (org.mozilla.jss.netscape.security.x509.X509CertInfo)3