
Example 16 with CertificateSerialNumber

Use of CertificateSerialNumber in project wiremock by wiremock. Note: this listing actually uses the JDK-internal sun.security.x509.CertificateSerialNumber (a class with the same name and role as the org.mozilla.jss one the search was for), so it needs the sun.security.x509 package to be accessible at compile time on Java 9+.

the class X509CertificateSpecification method certificateFor.

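@Override
public X509Certificate certificateFor(KeyPair keyPair) throws CertificateException, InvalidKeyException, SignatureException {
    /*
     * Builds and self-signs an X.509 certificate for keyPair, using the subject, issuer, validity window and
     * version held by this specification (instance fields; their exact types are not visible here).
     *
     * The signature scheme is chosen from the key algorithm: EC key pairs get SHA256withECDSA, everything else
     * SHA256withRSA. Previously "SHA256withRSA" was hard-coded, so an EC key pair failed inside sign() with
     * InvalidKeyException; RSA callers see no difference.
     *
     * Throws the checked certificate/signature exceptions as declared; IOException and provider/algorithm
     * lookup failures are rethrown unchecked through throwUnchecked.
     */
    String sigAlg = "EC".equalsIgnoreCase(keyPair.getPrivate().getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
    try {
        SecureRandom random = new SecureRandom();
        X509CertInfo info = new X509CertInfo();
        info.set(X509CertInfo.VERSION, version.getVersion());
        // Java >= 1.8 wants a bare X500Name for SUBJECT/ISSUER; older JDKs want the wrapper types.
        // Try the modern form first and fall back when the JDK rejects it with CertificateException.
        try {
            info.set(X509CertInfo.SUBJECT, subject);
        } catch (CertificateException ignore) {
            info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(subject));
        }
        try {
            info.set(X509CertInfo.ISSUER, issuer);
        } catch (CertificateException ignore) {
            info.set(X509CertInfo.ISSUER, new CertificateIssuerName(issuer));
        }
        info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
        info.set(X509CertInfo.KEY, new CertificateX509Key(keyPair.getPublic()));
        // 64 random bits of serial number. RFC 5280 4.1.2.2 requires a positive serial; BigInteger(64, random)
        // is never negative, and the (2^-64 probability) all-zero value is mapped to 1 so the cert stays conformant.
        BigInteger serial = new BigInteger(64, random);
        if (serial.signum() == 0) {
            serial = BigInteger.ONE;
        }
        info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serial));
        // Placeholder algorithm id: SHA256_oid is a digest OID, not a signature OID. The first sign() below lets
        // the JDK work out the real signature AlgorithmId, which is then copied back into the TBS structure
        // before the certificate is built and signed for real.
        info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(new AlgorithmId(AlgorithmId.SHA256_oid)));
        X509CertImpl cert = new X509CertImpl(info);
        cert.sign(keyPair.getPrivate(), sigAlg);
        info.set(CertificateAlgorithmId.NAME + '.' + CertificateAlgorithmId.ALGORITHM, cert.get(X509CertImpl.SIG_ALG));
        cert = new X509CertImpl(info);
        cert.sign(keyPair.getPrivate(), sigAlg);
        // Self-check: the signature must verify with the public half of the same key pair.
        cert.verify(keyPair.getPublic());
        return cert;
    } catch (IOException | NoSuchAlgorithmException | NoSuchProviderException e) {
        return throwUnchecked(e, null);
    }
}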

Example 17 with CertificateSerialNumber

use of org.mozilla.jss.netscape.security.x509.CertificateSerialNumber in project candlepin by candlepin.

the class JSSPKIUtility method createX509Certificate.

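@Override
public X509Certificate createX509Certificate(String dn, Set<X509ExtensionWrapper> extensions, Set<X509ByteExtensionWrapper> byteExtensions, Date startDate, Date endDate, KeyPair clientKeyPair, BigInteger serialNumber, String alternateName) throws IOException {
    /*
     * Issues an end-entity certificate for clientKeyPair, signed with the CA key and chained to the CA
     * certificate that `reader` provides.
     *
     * dn              subject distinguished name, parsed by X500Name
     * extensions      custom extensions whose value is DER-encoded as a UTF8String; a null value becomes ""
     * byteExtensions  custom extensions whose value is DER-encoded as an OCTET STRING; a null value becomes empty
     * startDate/endDate  validity window, copied verbatim (it is not clamped to the CA certificate's validity)
     * clientKeyPair   only the public key is used; it is re-parsed from its DER encoding into a JSS X509Key
     * serialNumber    must be a positive integer (RFC 5280 4.1.2.2); uniqueness per CA is the caller's job
     * alternateName   handed to buildStandardExtensions (presumably a subject alternative name - see that method)
     *
     * Throws IOException for DER/ASN.1 failures, IllegalArgumentException for a non-positive serial, and
     * RuntimeException wrapping any GeneralSecurityException (CA material not loadable, signing failure, ...).
     */
    if (serialNumber == null || serialNumber.signum() <= 0) {
        // A zero or negative serial produces a certificate that conforming parsers may reject, and it would
        // already carry a valid CA signature by the time anyone notices. Fail before touching the CA key.
        throw new IllegalArgumentException("X.509 serial number must be a positive integer, got: " + serialNumber);
    }
    // Ensure JSS is properly initialized before attempting any operations with it
    JSSProviderLoader.initialize();
    X509CertInfo certInfo = new X509CertInfo();
    try {
        X509Certificate caCert = reader.getCACert();
        byte[] publicKeyEncoded = clientKeyPair.getPublic().getEncoded();
        // Build the issuer from the CA subject's DER encoding rather than a string round-trip, so the issuer
        // name is byte-identical to the CA's subject name for chain building.
        certInfo.set(X509CertInfo.ISSUER, new CertificateIssuerName(new X500Name(caCert.getSubjectX500Principal().getEncoded())));
        certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serialNumber));
        certInfo.set(X509CertInfo.VALIDITY, new CertificateValidity(startDate, endDate));
        certInfo.set(X509CertInfo.SUBJECT, new CertificateSubjectName(new X500Name(dn)));
        certInfo.set(X509CertInfo.KEY, new CertificateX509Key(X509Key.parse(new DerValue(publicKeyEncoded))));
        certInfo.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(AlgorithmId.get(SIGNING_ALG_ID)));
        certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
        CertificateExtensions certExtensions = buildStandardExtensions(new CertificateExtensions(), dn, clientKeyPair, extensions, caCert, alternateName);
        // The same CertificateExtensions instance is stored here and then appended to below; the custom
        // extensions added afterwards are therefore part of what gets signed.
        certInfo.set(X509CertInfo.EXTENSIONS, certExtensions);
        if (extensions != null) {
            for (X509ExtensionWrapper wrapper : extensions) {
                // Avoid null values. Set them to blank if they are null
                String value = wrapper.getValue() == null ? "" : wrapper.getValue();
                UTF8String der = new UTF8String(value);
                certExtensions.add(buildCustomExtension(wrapper.getOid(), wrapper.isCritical(), der));
            }
        }
        if (byteExtensions != null) {
            for (X509ByteExtensionWrapper wrapper : byteExtensions) {
                // Avoid null values. Set them to blank if they are null
                byte[] value = wrapper.getValue() == null ? new byte[0] : wrapper.getValue();
                OCTET_STRING der = new OCTET_STRING(value);
                certExtensions.add(buildCustomExtension(wrapper.getOid(), wrapper.isCritical(), der));
            }
        }
        X509CertImpl certImpl = new X509CertImpl(certInfo);
        certImpl.sign(reader.getCaKey(), SIGNING_ALG_ID);
        // Re-decode the signed DER bytes instead of returning certImpl directly. The original note here said
        // the directly built object is valid but "just won't have any extensions present in the object", i.e.
        // the in-memory instance does not expose them through the certificate API until it is re-parsed.
        return new X509CertImpl(certImpl.getEncoded());
    } catch (GeneralSecurityException e) {
        throw new RuntimeException("Could not create X.509 certificate", e);
    }
}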

Example 18 with CertificateSerialNumber

Use of org.mozilla.jss.netscape.security.x509.CertificateSerialNumber in project candlepin by candlepin. Note: this example matches the search term only inside a comment; the method itself builds an AuthorityKeyIdentifier extension and never constructs a CertificateSerialNumber.

the class JSSPKIUtility method buildAuthorityKeyIdentifier.

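public static AuthorityKeyIdentifierExtension buildAuthorityKeyIdentifier(X509Certificate caCert) throws InvalidBERException, IOException {
    /*
     * Builds the AuthorityKeyIdentifier (AKI) extension for something issued by caCert. The CA's own
     * SubjectKeyIdentifier (SKI) is copied verbatim into the AKI keyIdentifier; the issuer-name/serial form is
     * deliberately left out (see the note further down).
     *
     * Copying verbatim matters: RFC 5280 4.2.1.2 allows more than one way of deriving an SKI, so recomputing
     * it from the CA public key (the buildAuthorityKeyIdentifier(PublicKey) overload) only yields a matching
     * value when the CA certificate carries no SKI at all. That fallback is therefore taken only in that case.
     *
     * Throws InvalidBERException/IOException if the CA's SKI extension cannot be decoded.
     */
    // The subject key identifier of the CA becomes the Authority Key Identifier of the issued cert or CRL.
    byte[] extValue = caCert.getExtensionValue(PKIXExtensions.SubjectKey_Id.toString());
    if (extValue == null) {
        /* getExtensionValue returns null when the CA certificate has no SubjectKeyIdentifier extension.
         * The previous version only checked the decoded value, so a CA cert without an SKI reached
         * ASN1Util.decode with a null buffer instead of taking this fallback. */
        return buildAuthorityKeyIdentifier(caCert.getPublicKey());
    }
    /* The getExtensionValue returns us the Extension extnValue element which is an octet string.  For
         * the SubjectKeyIdentifier extension the extnValue only contains a KeyIdentifier.  The actual
         * KeyIdentifier is also an octet string.  The extnValue for the SubjectKeyIdentifier
         * is therefore ultimately an octet string of an octet string.  See Appendix A of RFC 5280. */
    OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), extValue);
    OCTET_STRING ski = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), extOctets.toByteArray());
    if (ski == null) {
        /* Defensive: if the inner KeyIdentifier could not be recovered, derive the value from the
             * certificate's public key instead (same caveat as above about matching the CA's real SKI). */
        return buildAuthorityKeyIdentifier(caCert.getPublicKey());
    }
    /* RFC 5280 section 4.2.1.1 is a bit odd.  It states the AuthorityKeyIdentifier MAY contain
         * a KeyIdentifier or the issuer name and CertificateSerialNumber.  The KeyIdentifier is mandatory for
         * non-self-signed certificates, but there is no additional guidance about when or why one should
         * provide the issuer name or CertificateSerialNumber.  I've found at least one place,
         * https://www.v13.gr/blog/?p=293, that explicitly recommends against giving them.  Also,
         * the semantics around the issuer field in this extension can be very confusing
         * (see https://www.openssl.org/docs/faq.html#USER14).  Our old crypto code that used BouncyCastle
         * did include the issuer and serial number along with the key identifier, but I think it's best if
         * we leave it out.
         */
    KeyIdentifier ki = new KeyIdentifier(ski.toByteArray());
    return new AuthorityKeyIdentifierExtension(ki, null, null);
}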

Example 19 with CertificateSerialNumber

Use of CertificateSerialNumber in project netty by netty. Note: this listing uses the JDK-internal sun.security.x509.CertificateSerialNumber (same name and role as the org.mozilla.jss class the search was for), which is why netty guards the usage with a dependency check.

the class OpenJdkSelfSignedCertGenerator method generate.

@SuppressJava6Requirement(reason = "Usage guarded by dependency check")
static String[] generate(String fqdn, KeyPair keypair, SecureRandom random, Date notBefore, Date notAfter, String algorithm) throws Exception {
    /*
     * Produces a self-signed X.509 v3 certificate for fqdn (subject and issuer are both "CN=" + fqdn) over the
     * supplied key pair and hands it to newSelfSignedCertificate for packaging.
     *
     * algorithm  "EC" (case-insensitive) selects SHA256withECDSA; anything else selects SHA256withRSA
     * random     feeds the 64-bit serial number; pass a SecureRandom, never a seeded java.util.Random
     *
     * NOTE(review): no extensions are attached (no SubjectAltName, no BasicConstraints), so clients that insist
     * on a SAN for hostname matching will presumably not accept this certificate for fqdn - acceptable for the
     * self-signed/test use this helper appears to serve, but not for anything production-facing.
     */
    PrivateKey signingKey = keypair.getPrivate();
    X500Name name = new X500Name("CN=" + fqdn);
    X509CertInfo certInfo = new X509CertInfo();
    certInfo.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(new BigInteger(64, random)));
    // Older JDKs want the wrapper types for SUBJECT/ISSUER, JDK 8+ wants the bare X500Name: try the
    // wrapper first and fall back when the JDK rejects it.
    try {
        certInfo.set(X509CertInfo.SUBJECT, new CertificateSubjectName(name));
    } catch (CertificateException ignore) {
        certInfo.set(X509CertInfo.SUBJECT, name);
    }
    try {
        certInfo.set(X509CertInfo.ISSUER, new CertificateIssuerName(name));
    } catch (CertificateException ignore) {
        certInfo.set(X509CertInfo.ISSUER, name);
    }
    certInfo.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
    certInfo.set(X509CertInfo.KEY, new CertificateX509Key(keypair.getPublic()));
    // Provisional algorithm id (sha256WithRSAEncryption); the real one is copied back after a first signing pass.
    certInfo.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(AlgorithmId.get("1.2.840.113549.1.1.11")));
    String signatureScheme;
    if (algorithm.equalsIgnoreCase("EC")) {
        signatureScheme = "SHA256withECDSA";
    } else {
        signatureScheme = "SHA256withRSA";
    }
    // First pass: sign once so the JDK reports the AlgorithmId that actually applies to this key/scheme.
    X509CertImpl signed = new X509CertImpl(certInfo);
    signed.sign(signingKey, signatureScheme);
    // Second pass: write that AlgorithmId into the TBS structure, rebuild, sign again and self-verify.
    certInfo.set(CertificateAlgorithmId.NAME + '.' + CertificateAlgorithmId.ALGORITHM, signed.get(X509CertImpl.SIG_ALG));
    signed = new X509CertImpl(certInfo);
    signed.sign(signingKey, signatureScheme);
    signed.verify(keypair.getPublic());
    return newSelfSignedCertificate(fqdn, signingKey, signed);
}

Example 20 with CertificateSerialNumber

use of org.mozilla.jss.netscape.security.x509.CertificateSerialNumber in project jss by dogtagpki.

the class X509CertTest method createX509CertInfo.

public static X509CertInfo createX509CertInfo(X509Key x509key, BigInteger serialno, CertificateIssuerName issuernameObj, String subjname, Date notBefore, Date notAfter, String alg) throws Exception {
    /*
     * Assembles an unsigned v3 TBSCertificate body with an empty extension list; signing is left to the caller.
     *
     * x509key        subject public key, wrapped as-is
     * serialno       used as-is; RFC 5280 4.1.2.2 wants a positive value, which is not checked here
     * issuernameObj  may be null, in which case no issuer is set and the caller has to supply one before signing
     * subjname       subject DN string, parsed by X500Name
     * alg            resolved through AlgorithmId.get, so it must be a name JSS recognises
     */
    CertificateVersion v3 = new CertificateVersion(CertificateVersion.V3);
    CertificateSerialNumber serial = new CertificateSerialNumber(serialno);
    CertificateSubjectName subject = new CertificateSubjectName(new X500Name(subjname));
    CertificateValidity validity = new CertificateValidity(notBefore, notAfter);
    CertificateAlgorithmId algId = new CertificateAlgorithmId(AlgorithmId.get(alg));
    CertificateX509Key key = new CertificateX509Key(x509key);

    X509CertInfo certInfo = new X509CertInfo();
    certInfo.set(X509CertInfo.VERSION, v3);
    certInfo.set(X509CertInfo.SERIAL_NUMBER, serial);
    if (issuernameObj != null) {
        certInfo.set(X509CertInfo.ISSUER, issuernameObj);
    }
    certInfo.set(X509CertInfo.SUBJECT, subject);
    certInfo.set(X509CertInfo.VALIDITY, validity);
    certInfo.set(X509CertInfo.ALGORITHM_ID, algId);
    certInfo.set(X509CertInfo.KEY, key);
    // Deliberately empty: tests add whatever extensions they need afterwards.
    certInfo.set(X509CertInfo.EXTENSIONS, new CertificateExtensions());
    return certInfo;
}
