use of org.mozilla.jss.netscape.security.x509.CertificateSerialNumber in project wiremock by wiremock.
the class X509CertificateSpecification method certificateFor.
@Override
public X509Certificate certificateFor(KeyPair keyPair) throws CertificateException, InvalidKeyException, SignatureException {
try {
SecureRandom random = new SecureRandom();
X509CertInfo info = new X509CertInfo();
info.set(X509CertInfo.VERSION, version.getVersion());
// On Java >= 1.8 it has to be an `X500Name`
try {
info.set(X509CertInfo.SUBJECT, subject);
} catch (CertificateException ignore) {
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(subject));
}
// On Java >= 1.8 it has to be an `X500Name`
try {
info.set(X509CertInfo.ISSUER, issuer);
} catch (CertificateException ignore) {
info.set(X509CertInfo.ISSUER, new CertificateIssuerName(issuer));
}
info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
info.set(X509CertInfo.KEY, new CertificateX509Key(keyPair.getPublic()));
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(new BigInteger(64, random)));
info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.SHA256_oid)));
// Sign the cert to identify the algorithm that's used.
X509CertImpl cert = new X509CertImpl(info);
cert.sign(keyPair.getPrivate(), "SHA256withRSA");
// Update the algorithm and sign again.
info.set(CertificateAlgorithmId.NAME + '.' + CertificateAlgorithmId.ALGORITHM, cert.get(X509CertImpl.SIG_ALG));
cert = new X509CertImpl(info);
cert.sign(keyPair.getPrivate(), "SHA256withRSA");
cert.verify(keyPair.getPublic());
return cert;
} catch (IOException | NoSuchAlgorithmException | NoSuchProviderException e) {
return throwUnchecked(e, null);
}
}
use of org.mozilla.jss.netscape.security.x509.CertificateSerialNumber in project candlepin by candlepin.
the class JSSPKIUtility method createX509Certificate.
@Override
public X509Certificate createX509Certificate(String dn, Set<X509ExtensionWrapper> extensions, Set<X509ByteExtensionWrapper> byteExtensions, Date startDate, Date endDate, KeyPair clientKeyPair, BigInteger serialNumber, String alternateName) throws IOException {
// Ensure JSS is properly initialized before attempting any operations with it
JSSProviderLoader.initialize();
X509CertInfo certInfo = new X509CertInfo();
try {
X509Certificate caCert = reader.getCACert();
byte[] publicKeyEncoded = clientKeyPair.getPublic().getEncoded();
certInfo.set(X509CertInfo.ISSUER, new CertificateIssuerName(new X500Name(caCert.getSubjectX500Principal().getEncoded())));
certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serialNumber));
certInfo.set(X509CertInfo.VALIDITY, new CertificateValidity(startDate, endDate));
certInfo.set(X509CertInfo.SUBJECT, new CertificateSubjectName(new X500Name(dn)));
certInfo.set(X509CertInfo.KEY, new CertificateX509Key(X509Key.parse(new DerValue(publicKeyEncoded))));
certInfo.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(AlgorithmId.get(SIGNING_ALG_ID)));
certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
CertificateExtensions certExtensions = buildStandardExtensions(new CertificateExtensions(), dn, clientKeyPair, extensions, caCert, alternateName);
certInfo.set(X509CertInfo.EXTENSIONS, certExtensions);
if (extensions != null) {
for (X509ExtensionWrapper wrapper : extensions) {
// Avoid null values. Set them to blank if they are null
String value = wrapper.getValue() == null ? "" : wrapper.getValue();
UTF8String der = new UTF8String(value);
certExtensions.add(buildCustomExtension(wrapper.getOid(), wrapper.isCritical(), der));
}
}
if (byteExtensions != null) {
for (X509ByteExtensionWrapper wrapper : byteExtensions) {
// Avoid null values. Set them to blank if they are null
byte[] value = wrapper.getValue() == null ? new byte[0] : wrapper.getValue();
OCTET_STRING der = new OCTET_STRING(value);
certExtensions.add(buildCustomExtension(wrapper.getOid(), wrapper.isCritical(), der));
}
}
X509CertImpl certImpl = new X509CertImpl(certInfo);
certImpl.sign(reader.getCaKey(), SIGNING_ALG_ID);
// valid, it just won't have any extensions present in the object.
return new X509CertImpl(certImpl.getEncoded());
} catch (GeneralSecurityException e) {
throw new RuntimeException("Could not create X.509 certificate", e);
}
}
use of org.mozilla.jss.netscape.security.x509.CertificateSerialNumber in project candlepin by candlepin.
the class JSSPKIUtility method buildAuthorityKeyIdentifier.
public static AuthorityKeyIdentifierExtension buildAuthorityKeyIdentifier(X509Certificate caCert) throws InvalidBERException, IOException {
// The subject key identifier of the CA becomes the Authority Key Identifer of the CRL.
byte[] extValue = caCert.getExtensionValue(PKIXExtensions.SubjectKey_Id.toString());
/* The getExtensionValue returns us the Extension extnValue element which is an octet string. For
* the SubjectKeyIdentifier extension the extnValue only contains a KeyIdentifier. The actual
* KeyIdentifier is also an octet string. The extnValue for the SubjectKeyIdentifier
* is therefore ultimately an octet string of an octet string. See Appendix A of RFC 5280. */
OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), extValue);
OCTET_STRING ski = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), extOctets.toByteArray());
if (ski == null) {
/* If the SubjectPublicKey extension isn't available, we can calculate the value ourselves
* from the certificate's public key. */
return buildAuthorityKeyIdentifier(caCert.getPublicKey());
}
/* RFC 5280 section 4.2.1.1 is a bit odd. It states the AuthorityKeyIdentifier MAY contain
* a KeyIdentifier or the issuer name and CertificateSerialNumber. The KeyIdentifier is mandatory for
* non-self-signed certificates, but there is no additional guidance about when or why one should
* provide the issuer name or CertificateSerialNumber. I've found at least one place,
* https://www.v13.gr/blog/?p=293, that explicitly recommends against giving them. Also,
* the semantics around the issuer field in this extension can be very confusing
* (see https://www.openssl.org/docs/faq.html#USER14). Our old crypto code that used BouncyCastle
* did include the issuer and serial number along with the key identifier, but I think it's best if
* we leave it out.
*/
KeyIdentifier ki = new KeyIdentifier(ski.toByteArray());
return new AuthorityKeyIdentifierExtension(ki, null, null);
}
use of org.mozilla.jss.netscape.security.x509.CertificateSerialNumber in project netty by netty.
the class OpenJdkSelfSignedCertGenerator method generate.
@SuppressJava6Requirement(reason = "Usage guarded by dependency check")
static String[] generate(String fqdn, KeyPair keypair, SecureRandom random, Date notBefore, Date notAfter, String algorithm) throws Exception {
PrivateKey key = keypair.getPrivate();
// Prepare the information required for generating an X.509 certificate.
X509CertInfo info = new X509CertInfo();
X500Name owner = new X500Name("CN=" + fqdn);
info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(new BigInteger(64, random)));
try {
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
} catch (CertificateException ignore) {
info.set(X509CertInfo.SUBJECT, owner);
}
try {
info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
} catch (CertificateException ignore) {
info.set(X509CertInfo.ISSUER, owner);
}
info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
info.set(X509CertInfo.KEY, new CertificateX509Key(keypair.getPublic()));
info.set(X509CertInfo.ALGORITHM_ID, // sha256WithRSAEncryption
new CertificateAlgorithmId(AlgorithmId.get("1.2.840.113549.1.1.11")));
// Sign the cert to identify the algorithm that's used.
X509CertImpl cert = new X509CertImpl(info);
cert.sign(key, algorithm.equalsIgnoreCase("EC") ? "SHA256withECDSA" : "SHA256withRSA");
// Update the algorithm and sign again.
info.set(CertificateAlgorithmId.NAME + '.' + CertificateAlgorithmId.ALGORITHM, cert.get(X509CertImpl.SIG_ALG));
cert = new X509CertImpl(info);
cert.sign(key, algorithm.equalsIgnoreCase("EC") ? "SHA256withECDSA" : "SHA256withRSA");
cert.verify(keypair.getPublic());
return newSelfSignedCertificate(fqdn, key, cert);
}
use of org.mozilla.jss.netscape.security.x509.CertificateSerialNumber in project jss by dogtagpki.
the class X509CertTest method createX509CertInfo.
public static X509CertInfo createX509CertInfo(X509Key x509key, BigInteger serialno, CertificateIssuerName issuernameObj, String subjname, Date notBefore, Date notAfter, String alg) throws Exception {
X509CertInfo info = new X509CertInfo();
info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serialno));
if (issuernameObj != null) {
info.set(X509CertInfo.ISSUER, issuernameObj);
}
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(new X500Name(subjname)));
info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(AlgorithmId.get(alg)));
info.set(X509CertInfo.KEY, new CertificateX509Key(x509key));
info.set(X509CertInfo.EXTENSIONS, new CertificateExtensions());
return info;
}
Aggregations