use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project jdk8u_jdk by JetBrains.
the class PKCS9Attribute method derEncode.
/**
* Write the DER encoding of this attribute to an output stream.
*
* <P> N.B.: This method always encodes values of
* ChallengePassword and UnstructuredAddress attributes as ASN.1
* <code>PrintableString</code>s, without checking whether they
* should be encoded as <code>T61String</code>s.
*/
public void derEncode(OutputStream out) throws IOException {
DerOutputStream temp = new DerOutputStream();
temp.putOID(oid);
switch(index) {
case // Unknown
-1:
temp.write((byte[]) value);
break;
// email address
case 1:
case // unstructured name
2:
{
// open scope
String[] values = (String[]) value;
DerOutputStream[] temps = new DerOutputStream[values.length];
for (int i = 0; i < values.length; i++) {
temps[i] = new DerOutputStream();
temps[i].putIA5String(values[i]);
}
temp.putOrderedSetOf(DerValue.tag_Set, temps);
}
// close scope
break;
case // content type
3:
{
DerOutputStream temp2 = new DerOutputStream();
temp2.putOID((ObjectIdentifier) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // message digest
4:
{
DerOutputStream temp2 = new DerOutputStream();
temp2.putOctetString((byte[]) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // signing time
5:
{
DerOutputStream temp2 = new DerOutputStream();
temp2.putUTCTime((Date) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // countersignature
6:
temp.putOrderedSetOf(DerValue.tag_Set, (DerEncoder[]) value);
break;
case // challenge password
7:
{
DerOutputStream temp2 = new DerOutputStream();
temp2.putPrintableString((String) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // unstructured address
8:
{
// open scope
String[] values = (String[]) value;
DerOutputStream[] temps = new DerOutputStream[values.length];
for (int i = 0; i < values.length; i++) {
temps[i] = new DerOutputStream();
temps[i].putPrintableString(values[i]);
}
temp.putOrderedSetOf(DerValue.tag_Set, temps);
}
// close scope
break;
case // extended-certificate attribute -- not supported
9:
throw new IOException("PKCS9 extended-certificate " + "attribute not supported.");
// break unnecessary
case // issuerAndserialNumber attribute -- not supported
10:
throw new IOException("PKCS9 IssuerAndSerialNumber" + "attribute not supported.");
// RSA DSI proprietary
case 11:
case // RSA DSI proprietary
12:
throw new IOException("PKCS9 RSA DSI attributes" + "11 and 12, not supported.");
// break unnecessary
case // S/MIME unused attribute
13:
throw new IOException("PKCS9 attribute #13 not supported.");
case // ExtensionRequest
14:
{
DerOutputStream temp2 = new DerOutputStream();
CertificateExtensions exts = (CertificateExtensions) value;
try {
exts.encode(temp2, true);
} catch (CertificateException ex) {
throw new IOException(ex.toString());
}
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // SMIMECapability
15:
throw new IOException("PKCS9 attribute #15 not supported.");
case // SigningCertificate
16:
throw new IOException("PKCS9 SigningCertificate attribute not supported.");
case // SignatureTimestampToken
17:
temp.write(DerValue.tag_Set, (byte[]) value);
break;
// can't happen
default:
}
DerOutputStream derOut = new DerOutputStream();
derOut.write(DerValue.tag_Sequence, temp.toByteArray());
out.write(derOut.toByteArray());
}
use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project coprhd-controller by CoprHD.
the class KeyCertificatePairGenerator method generateCertificate.
/**
* Create a self-signed X.509 Certificate
*
* @param pair the KeyPair
*/
private X509Certificate generateCertificate(KeyPair pair) throws GeneralSecurityException, IOException {
PublicKey pubKey = loadPublicKeyFromBytes(pair.getPublic().getEncoded());
PrivateKey privkey = pair.getPrivate();
X509CertInfo info = new X509CertInfo();
Date from = getNotBefore();
Date to = new Date(from.getTime() + valuesHolder.getCertificateValidityInDays() * 86400000L);
CertificateValidity interval = new CertificateValidity(from, to);
BigInteger sn = new BigInteger(64, new SecureRandom());
X500Name owner = new X500Name(String.format(CERTIFICATE_COMMON_NAME_FORMAT, valuesHolder.getCertificateCommonName()));
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
info.set(X509CertInfo.SUBJECT, owner);
info.set(X509CertInfo.ISSUER, owner);
info.set(X509CertInfo.KEY, new CertificateX509Key(pubKey));
info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
AlgorithmId keyAlgo = AlgorithmId.get(KeyCertificateAlgorithmValuesHolder.DEFAULT_KEY_ALGORITHM);
info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(keyAlgo));
AlgorithmId signingAlgo = AlgorithmId.get(valuesHolder.getSigningAlgorithm());
info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, signingAlgo);
// add extensions
CertificateExtensions ext = new CertificateExtensions();
ext.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension(new KeyIdentifier(pubKey).getIdentifier()));
// CA public key is the same as our public key (self signed)
ext.set(AuthorityKeyIdentifierExtension.NAME, new AuthorityKeyIdentifierExtension(new KeyIdentifier(pubKey), null, null));
ext.set(SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(subjectAltNames()));
info.set(X509CertInfo.EXTENSIONS, ext);
X509CertImpl cert = new X509CertImpl(info);
cert.sign(privkey, valuesHolder.getSigningAlgorithm());
return cert;
}
use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project Bytecoder by mirkosertic.
the class PKCS9Attribute method derEncode.
/**
* Write the DER encoding of this attribute to an output stream.
*
* <P> N.B.: This method always encodes values of
* ChallengePassword and UnstructuredAddress attributes as ASN.1
* <code>PrintableString</code>s, without checking whether they
* should be encoded as <code>T61String</code>s.
*/
public void derEncode(OutputStream out) throws IOException {
DerOutputStream temp = new DerOutputStream();
temp.putOID(oid);
switch(index) {
case // Unknown
-1:
temp.write((byte[]) value);
break;
// email address
case 1:
case // unstructured name
2:
{
// open scope
String[] values = (String[]) value;
DerOutputStream[] temps = new DerOutputStream[values.length];
for (int i = 0; i < values.length; i++) {
temps[i] = new DerOutputStream();
temps[i].putIA5String(values[i]);
}
temp.putOrderedSetOf(DerValue.tag_Set, temps);
}
// close scope
break;
case // content type
3:
{
DerOutputStream temp2 = new DerOutputStream();
temp2.putOID((ObjectIdentifier) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // message digest
4:
{
DerOutputStream temp2 = new DerOutputStream();
temp2.putOctetString((byte[]) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // signing time
5:
{
DerOutputStream temp2 = new DerOutputStream();
temp2.putUTCTime((Date) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // countersignature
6:
temp.putOrderedSetOf(DerValue.tag_Set, (DerEncoder[]) value);
break;
case // challenge password
7:
{
DerOutputStream temp2 = new DerOutputStream();
temp2.putPrintableString((String) value);
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // unstructured address
8:
{
// open scope
String[] values = (String[]) value;
DerOutputStream[] temps = new DerOutputStream[values.length];
for (int i = 0; i < values.length; i++) {
temps[i] = new DerOutputStream();
temps[i].putPrintableString(values[i]);
}
temp.putOrderedSetOf(DerValue.tag_Set, temps);
}
// close scope
break;
case // extended-certificate attribute -- not supported
9:
throw new IOException("PKCS9 extended-certificate " + "attribute not supported.");
// break unnecessary
case // issuerAndserialNumber attribute -- not supported
10:
throw new IOException("PKCS9 IssuerAndSerialNumber" + "attribute not supported.");
// RSA DSI proprietary
case 11:
case // RSA DSI proprietary
12:
throw new IOException("PKCS9 RSA DSI attributes" + "11 and 12, not supported.");
// break unnecessary
case // S/MIME unused attribute
13:
throw new IOException("PKCS9 attribute #13 not supported.");
case // ExtensionRequest
14:
{
DerOutputStream temp2 = new DerOutputStream();
CertificateExtensions exts = (CertificateExtensions) value;
try {
exts.encode(temp2, true);
} catch (CertificateException ex) {
throw new IOException(ex.toString());
}
temp.write(DerValue.tag_Set, temp2.toByteArray());
}
break;
case // SMIMECapability
15:
throw new IOException("PKCS9 attribute #15 not supported.");
case // SigningCertificate
16:
throw new IOException("PKCS9 SigningCertificate attribute not supported.");
case // SignatureTimestampToken
17:
temp.write(DerValue.tag_Set, (byte[]) value);
break;
// can't happen
default:
}
DerOutputStream derOut = new DerOutputStream();
derOut.write(DerValue.tag_Sequence, temp.toByteArray());
out.write(derOut.toByteArray());
}
use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project meecrowave by apache.
the class Keystores method createSignedCertificate.
private static X509Certificate createSignedCertificate(final X509Certificate cetrificate, final X509Certificate issuerCertificate, final PrivateKey issuerPrivateKey) {
try {
Principal issuer = issuerCertificate.getSubjectDN();
String issuerSigAlg = issuerCertificate.getSigAlgName();
byte[] inCertBytes = cetrificate.getTBSCertificate();
X509CertInfo info = new X509CertInfo(inCertBytes);
info.set(X509CertInfo.ISSUER, (X500Name) issuer);
// No need to add the BasicContraint for leaf cert
if (!cetrificate.getSubjectDN().getName().equals("CN=TOP")) {
CertificateExtensions exts = new CertificateExtensions();
BasicConstraintsExtension bce = new BasicConstraintsExtension(true, -1);
exts.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(false, bce.getExtensionValue()));
info.set(X509CertInfo.EXTENSIONS, exts);
}
final X509CertImpl outCert = new X509CertImpl(info);
outCert.sign(issuerPrivateKey, issuerSigAlg);
return outCert;
} catch (final Exception ex) {
throw new IllegalStateException(ex);
}
}
use of org.mozilla.jss.netscape.security.x509.CertificateExtensions in project candlepin by candlepin.
the class JSSPKIUtility method buildStandardExtensions.
/**
* Add boilerplate extensions required by RFC 5280.
* @param certExtensions a CertificateExtensions object to modify
* @param keyPair the KeyPair used to create the SubjectKeyIdentifier extension
* @param providedExtensions A Set of provided extensions that will be added to the certificate. In some
* cases (hosted mode) access to the information in those extensions is required for creating the
* subjectKeyIdentifier.
*
* @return a modified version of the certExtensions parameter
* @throws IOException in case of encoding failures
*/
private CertificateExtensions buildStandardExtensions(CertificateExtensions certExtensions, String dn, KeyPair keyPair, Set<X509ExtensionWrapper> providedExtensions, X509Certificate caCert, String alternateName) throws IOException {
/* The RFC states that KeyUsage SHOULD be marked as critical. In previous Candlepin code we were
* not marking it critical but this constructor will. I do not believe there should be any
* compatibility issues, but I am noting it just in case. */
KeyUsageExtension keyUsage = new KeyUsageExtension();
keyUsage.set(KeyUsageExtension.DIGITAL_SIGNATURE, true);
keyUsage.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
keyUsage.set(KeyUsageExtension.DATA_ENCIPHERMENT, true);
certExtensions.add(keyUsage);
// Not critical by default
ExtendedKeyUsageExtension extendedKeyUsage = new ExtendedKeyUsageExtension();
/* JSS doesn't have a constant defined for the "clientAuth" OID so we have to put it in by hand.
* See https://tools.ietf.org/html/rfc5280#appendix-A specifically id-kp-clientAuth. This OID
* denotes that a certificate is meant for client authentication over TLS */
extendedKeyUsage.addOID(new ObjectIdentifier("1.3.6.1.5.5.7.3.2"));
certExtensions.add(extendedKeyUsage);
// Not critical for non-CA certs. -1 pathLen means it won't be encoded.
BasicConstraintsExtension basicConstraints = new BasicConstraintsExtension(false, -1);
certExtensions.add(basicConstraints);
try {
/* Not critical by default. I am extremely dubious that we actually need this extension
* but I'm keeping it because our old cert creation code added it. */
NSCertTypeExtension netscapeCertType = new NSCertTypeExtension();
netscapeCertType.set(NSCertTypeExtension.SSL_CLIENT, true);
netscapeCertType.set(NSCertTypeExtension.EMAIL, true);
certExtensions.add(netscapeCertType);
} catch (CertificateException e) {
throw new IOException("Could not construct certificate extensions", e);
}
try {
/* The JSS SubjectKeyIdentifierExtension class expects you to give it the unencoded KeyIdentifier.
* The SubjectKeyIdentifierExtension class, however, returns the encoded KeyIdentifier (an DER
* octet string). Therefore, we need to unpack the KeyIdentifier. */
byte[] encodedSki = subjectKeyWriter.getSubjectKeyIdentifier(keyPair, providedExtensions);
OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), encodedSki);
// Required to be non-critical
SubjectKeyIdentifierExtension ski = new SubjectKeyIdentifierExtension(extOctets.toByteArray());
certExtensions.add(ski);
// Not critical by default
AuthorityKeyIdentifierExtension aki = buildAuthorityKeyIdentifier(caCert);
certExtensions.add(aki);
// Not critical by default and should *not* be critical since the subject field isn't empty
if (alternateName != null) {
SubjectAlternativeNameExtension altNames = new SubjectAlternativeNameExtension();
GeneralName[] akiName = new GeneralName[2];
akiName[0] = new GeneralName(new X500Name(dn));
akiName[1] = new GeneralName(new X500Name("CN=" + alternateName));
GeneralNames generalNames = new GeneralNames(akiName);
altNames.setGeneralNames(generalNames);
certExtensions.add(altNames);
}
} catch (InvalidBERException | GeneralNamesException | NoSuchAlgorithmException e) {
throw new IOException("Could not construct certificate extensions", e);
}
return certExtensions;
}
Aggregations