Example 1 with SubjectKeyIdentifierExtension
use of org.mozilla.jss.netscape.security.x509.SubjectKeyIdentifierExtension in project AppManager by MuntashirAkon.
the class KeyStoreUtils method generateCert.
@NonNull
private static X509Certificate generateCert(PrivateKey privateKey, PublicKey publicKey, @NonNull String formattedSubject, long expiryDate) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, InvalidKeyException, IOException {
String algorithmName = "SHA512withRSA";
CertificateExtensions certificateExtensions = new CertificateExtensions();
certificateExtensions.set("SubjectKeyIdentifier", new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier()));
X500Name x500Name = new X500Name(formattedSubject);
Date notBefore = new Date();
Date notAfter = new Date(expiryDate);
certificateExtensions.set("PrivateKeyUsage", new PrivateKeyUsageExtension(notBefore, notAfter));
CertificateValidity certificateValidity = new CertificateValidity(notBefore, notAfter);
X509CertInfo x509CertInfo = new X509CertInfo();
x509CertInfo.set("version", new CertificateVersion(2));
x509CertInfo.set("serialNumber", new CertificateSerialNumber(new Random().nextInt() & Integer.MAX_VALUE));
x509CertInfo.set("algorithmID", new CertificateAlgorithmId(AlgorithmId.get(algorithmName)));
x509CertInfo.set("subject", new CertificateSubjectName(x500Name));
x509CertInfo.set("key", new CertificateX509Key(publicKey));
x509CertInfo.set("validity", certificateValidity);
x509CertInfo.set("issuer", new CertificateIssuerName(x500Name));
x509CertInfo.set("extensions", certificateExtensions);
X509CertImpl x509CertImpl = new X509CertImpl(x509CertInfo);
x509CertImpl.sign(privateKey, algorithmName);
return x509CertImpl;
}
Also used :
CertificateSubjectName(android.sun.security.x509.CertificateSubjectName)
KeyIdentifier(android.sun.security.x509.KeyIdentifier)
X509CertInfo(android.sun.security.x509.X509CertInfo)
CertificateIssuerName(android.sun.security.x509.CertificateIssuerName)
CertificateVersion(android.sun.security.x509.CertificateVersion)
CertificateExtensions(android.sun.security.x509.CertificateExtensions)
CertificateValidity(android.sun.security.x509.CertificateValidity)
X500Name(android.sun.security.x509.X500Name)
CertificateX509Key(android.sun.security.x509.CertificateX509Key)
Date(java.util.Date)
SubjectKeyIdentifierExtension(android.sun.security.x509.SubjectKeyIdentifierExtension)
CertificateSerialNumber(android.sun.security.x509.CertificateSerialNumber)
Random(java.util.Random)
SecureRandom(java.security.SecureRandom)
X509CertImpl(android.sun.security.x509.X509CertImpl)
CertificateAlgorithmId(android.sun.security.x509.CertificateAlgorithmId)
PrivateKeyUsageExtension(android.sun.security.x509.PrivateKeyUsageExtension)
NonNull(androidx.annotation.NonNull)
Example 2 with SubjectKeyIdentifierExtension
use of org.mozilla.jss.netscape.security.x509.SubjectKeyIdentifierExtension in project coprhd-controller by CoprHD.
the class KeyCertificatePairGenerator method generateCertificate.
/**
* Create a self-signed X.509 Certificate
*
* @param pair the KeyPair
*/
private X509Certificate generateCertificate(KeyPair pair) throws GeneralSecurityException, IOException {
PublicKey pubKey = loadPublicKeyFromBytes(pair.getPublic().getEncoded());
PrivateKey privkey = pair.getPrivate();
X509CertInfo info = new X509CertInfo();
Date from = getNotBefore();
Date to = new Date(from.getTime() + valuesHolder.getCertificateValidityInDays() * 86400000L);
CertificateValidity interval = new CertificateValidity(from, to);
BigInteger sn = new BigInteger(64, new SecureRandom());
X500Name owner = new X500Name(String.format(CERTIFICATE_COMMON_NAME_FORMAT, valuesHolder.getCertificateCommonName()));
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
info.set(X509CertInfo.SUBJECT, owner);
info.set(X509CertInfo.ISSUER, owner);
info.set(X509CertInfo.KEY, new CertificateX509Key(pubKey));
info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
AlgorithmId keyAlgo = AlgorithmId.get(KeyCertificateAlgorithmValuesHolder.DEFAULT_KEY_ALGORITHM);
info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(keyAlgo));
AlgorithmId signingAlgo = AlgorithmId.get(valuesHolder.getSigningAlgorithm());
info.set(CertificateAlgorithmId.NAME + "." + CertificateAlgorithmId.ALGORITHM, signingAlgo);
// add extensions
CertificateExtensions ext = new CertificateExtensions();
ext.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension(new KeyIdentifier(pubKey).getIdentifier()));
// CA public key is the same as our public key (self signed)
ext.set(AuthorityKeyIdentifierExtension.NAME, new AuthorityKeyIdentifierExtension(new KeyIdentifier(pubKey), null, null));
ext.set(SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(subjectAltNames()));
info.set(X509CertInfo.EXTENSIONS, ext);
X509CertImpl cert = new X509CertImpl(info);
cert.sign(privkey, valuesHolder.getSigningAlgorithm());
return cert;
}
Also used :
RSAPrivateKey(java.security.interfaces.RSAPrivateKey)
PrivateKey(java.security.PrivateKey)
KeyIdentifier(sun.security.x509.KeyIdentifier)
X509CertInfo(sun.security.x509.X509CertInfo)
PublicKey(java.security.PublicKey)
SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension)
SecureRandom(java.security.SecureRandom)
CertificateVersion(sun.security.x509.CertificateVersion)
CertificateValidity(sun.security.x509.CertificateValidity)
CertificateExtensions(sun.security.x509.CertificateExtensions)
X500Name(sun.security.x509.X500Name)
CertificateX509Key(sun.security.x509.CertificateX509Key)
Date(java.util.Date)
CertificateSerialNumber(sun.security.x509.CertificateSerialNumber)
SubjectKeyIdentifierExtension(sun.security.x509.SubjectKeyIdentifierExtension)
AlgorithmId(sun.security.x509.AlgorithmId)
CertificateAlgorithmId(sun.security.x509.CertificateAlgorithmId)
X509CertImpl(sun.security.x509.X509CertImpl)
BigInteger(java.math.BigInteger)
AuthorityKeyIdentifierExtension(sun.security.x509.AuthorityKeyIdentifierExtension)
CertificateAlgorithmId(sun.security.x509.CertificateAlgorithmId)
Example 3 with SubjectKeyIdentifierExtension
use of org.mozilla.jss.netscape.security.x509.SubjectKeyIdentifierExtension in project candlepin by candlepin.
the class JSSPKIUtility method buildStandardExtensions.
/**
* Add boilerplate extensions required by RFC 5280.
* @param certExtensions a CertificateExtensions object to modify
* @param keyPair the KeyPair used to create the SubjectKeyIdentifier extension
* @param providedExtensions A Set of provided extensions that will be added to the certificate. In some
* cases (hosted mode) access to the information in those extensions is required for creating the
* subjectKeyIdentifier.
*
* @return a modified version of the certExtensions parameter
* @throws IOException in case of encoding failures
*/
private CertificateExtensions buildStandardExtensions(CertificateExtensions certExtensions, String dn, KeyPair keyPair, Set<X509ExtensionWrapper> providedExtensions, X509Certificate caCert, String alternateName) throws IOException {
/* The RFC states that KeyUsage SHOULD be marked as critical. In previous Candlepin code we were
* not marking it critical but this constructor will. I do not believe there should be any
* compatibility issues, but I am noting it just in case. */
KeyUsageExtension keyUsage = new KeyUsageExtension();
keyUsage.set(KeyUsageExtension.DIGITAL_SIGNATURE, true);
keyUsage.set(KeyUsageExtension.KEY_ENCIPHERMENT, true);
keyUsage.set(KeyUsageExtension.DATA_ENCIPHERMENT, true);
certExtensions.add(keyUsage);
// Not critical by default
ExtendedKeyUsageExtension extendedKeyUsage = new ExtendedKeyUsageExtension();
/* JSS doesn't have a constant defined for the "clientAuth" OID so we have to put it in by hand.
* See https://tools.ietf.org/html/rfc5280#appendix-A specifically id-kp-clientAuth. This OID
* denotes that a certificate is meant for client authentication over TLS */
extendedKeyUsage.addOID(new ObjectIdentifier("1.3.6.1.5.5.7.3.2"));
certExtensions.add(extendedKeyUsage);
// Not critical for non-CA certs. -1 pathLen means it won't be encoded.
BasicConstraintsExtension basicConstraints = new BasicConstraintsExtension(false, -1);
certExtensions.add(basicConstraints);
try {
/* Not critical by default. I am extremely dubious that we actually need this extension
* but I'm keeping it because our old cert creation code added it. */
NSCertTypeExtension netscapeCertType = new NSCertTypeExtension();
netscapeCertType.set(NSCertTypeExtension.SSL_CLIENT, true);
netscapeCertType.set(NSCertTypeExtension.EMAIL, true);
certExtensions.add(netscapeCertType);
} catch (CertificateException e) {
throw new IOException("Could not construct certificate extensions", e);
}
try {
/* The JSS SubjectKeyIdentifierExtension class expects you to give it the unencoded KeyIdentifier.
* The SubjectKeyIdentifierExtension class, however, returns the encoded KeyIdentifier (an DER
* octet string). Therefore, we need to unpack the KeyIdentifier. */
byte[] encodedSki = subjectKeyWriter.getSubjectKeyIdentifier(keyPair, providedExtensions);
OCTET_STRING extOctets = (OCTET_STRING) ASN1Util.decode(new OCTET_STRING.Template(), encodedSki);
// Required to be non-critical
SubjectKeyIdentifierExtension ski = new SubjectKeyIdentifierExtension(extOctets.toByteArray());
certExtensions.add(ski);
// Not critical by default
AuthorityKeyIdentifierExtension aki = buildAuthorityKeyIdentifier(caCert);
certExtensions.add(aki);
// Not critical by default and should *not* be critical since the subject field isn't empty
if (alternateName != null) {
SubjectAlternativeNameExtension altNames = new SubjectAlternativeNameExtension();
GeneralName[] akiName = new GeneralName[2];
akiName[0] = new GeneralName(new X500Name(dn));
akiName[1] = new GeneralName(new X500Name("CN=" + alternateName));
GeneralNames generalNames = new GeneralNames(akiName);
altNames.setGeneralNames(generalNames);
certExtensions.add(altNames);
}
} catch (InvalidBERException | GeneralNamesException | NoSuchAlgorithmException e) {
throw new IOException("Could not construct certificate extensions", e);
}
return certExtensions;
}
Also used :
ExtendedKeyUsageExtension(org.mozilla.jss.netscape.security.extensions.ExtendedKeyUsageExtension)
NSCertTypeExtension(org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension)
SubjectAlternativeNameExtension(org.mozilla.jss.netscape.security.x509.SubjectAlternativeNameExtension)
CertificateException(java.security.cert.CertificateException)
IOException(java.io.IOException)
X500Name(org.mozilla.jss.netscape.security.x509.X500Name)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
SubjectKeyIdentifierExtension(org.mozilla.jss.netscape.security.x509.SubjectKeyIdentifierExtension)
InvalidBERException(org.mozilla.jss.asn1.InvalidBERException)
BasicConstraintsExtension(org.mozilla.jss.netscape.security.x509.BasicConstraintsExtension)
OCTET_STRING(org.mozilla.jss.asn1.OCTET_STRING)
GeneralNames(org.mozilla.jss.netscape.security.x509.GeneralNames)
GeneralNamesException(org.mozilla.jss.netscape.security.x509.GeneralNamesException)
AuthorityKeyIdentifierExtension(org.mozilla.jss.netscape.security.x509.AuthorityKeyIdentifierExtension)
GeneralName(org.mozilla.jss.netscape.security.x509.GeneralName)
KeyUsageExtension(org.mozilla.jss.netscape.security.x509.KeyUsageExtension)
ExtendedKeyUsageExtension(org.mozilla.jss.netscape.security.extensions.ExtendedKeyUsageExtension)
ObjectIdentifier(org.mozilla.jss.netscape.security.util.ObjectIdentifier)
Example 4 with SubjectKeyIdentifierExtension
use of org.mozilla.jss.netscape.security.x509.SubjectKeyIdentifierExtension in project jdk8u_jdk by JetBrains.
the class Vertex method certToString.
/**
* Return string representation of this vertex's
* certificate information.
*
* @returns String representation of certificate info
*/
public String certToString() {
StringBuilder sb = new StringBuilder();
X509CertImpl x509Cert = null;
try {
x509Cert = X509CertImpl.toImpl(cert);
} catch (CertificateException ce) {
if (debug != null) {
debug.println("Vertex.certToString() unexpected exception");
ce.printStackTrace();
}
return sb.toString();
}
sb.append("Issuer: ").append(x509Cert.getIssuerX500Principal()).append("\n");
sb.append("Subject: ").append(x509Cert.getSubjectX500Principal()).append("\n");
sb.append("SerialNum: ").append(x509Cert.getSerialNumber().toString(16)).append("\n");
sb.append("Expires: ").append(x509Cert.getNotAfter().toString()).append("\n");
boolean[] iUID = x509Cert.getIssuerUniqueID();
if (iUID != null) {
sb.append("IssuerUID: ");
for (boolean b : iUID) {
sb.append(b ? 1 : 0);
}
sb.append("\n");
}
boolean[] sUID = x509Cert.getSubjectUniqueID();
if (sUID != null) {
sb.append("SubjectUID: ");
for (boolean b : sUID) {
sb.append(b ? 1 : 0);
}
sb.append("\n");
}
try {
SubjectKeyIdentifierExtension sKeyID = x509Cert.getSubjectKeyIdentifierExtension();
if (sKeyID != null) {
KeyIdentifier keyID = sKeyID.get(SubjectKeyIdentifierExtension.KEY_ID);
sb.append("SubjKeyID: ").append(keyID.toString());
}
AuthorityKeyIdentifierExtension aKeyID = x509Cert.getAuthorityKeyIdentifierExtension();
if (aKeyID != null) {
KeyIdentifier keyID = (KeyIdentifier) aKeyID.get(AuthorityKeyIdentifierExtension.KEY_ID);
sb.append("AuthKeyID: ").append(keyID.toString());
}
} catch (IOException e) {
if (debug != null) {
debug.println("Vertex.certToString() unexpected exception");
e.printStackTrace();
}
}
return sb.toString();
}
Also used :
SubjectKeyIdentifierExtension(sun.security.x509.SubjectKeyIdentifierExtension)
KeyIdentifier(sun.security.x509.KeyIdentifier)
X509CertImpl(sun.security.x509.X509CertImpl)
AuthorityKeyIdentifierExtension(sun.security.x509.AuthorityKeyIdentifierExtension)
CertificateException(java.security.cert.CertificateException)
IOException(java.io.IOException)
Example 5 with SubjectKeyIdentifierExtension
use of org.mozilla.jss.netscape.security.x509.SubjectKeyIdentifierExtension in project Bytecoder by mirkosertic.
the class Vertex method certToString.
/**
* Return string representation of this vertex's
* certificate information.
*
* @return String representation of certificate info
*/
public String certToString() {
StringBuilder sb = new StringBuilder();
X509CertImpl x509Cert = null;
try {
x509Cert = X509CertImpl.toImpl(cert);
} catch (CertificateException ce) {
if (debug != null) {
debug.println("Vertex.certToString() unexpected exception");
ce.printStackTrace();
}
return sb.toString();
}
sb.append("Issuer: ").append(x509Cert.getIssuerX500Principal()).append("\n");
sb.append("Subject: ").append(x509Cert.getSubjectX500Principal()).append("\n");
sb.append("SerialNum: ").append(x509Cert.getSerialNumber().toString(16)).append("\n");
sb.append("Expires: ").append(x509Cert.getNotAfter().toString()).append("\n");
boolean[] iUID = x509Cert.getIssuerUniqueID();
if (iUID != null) {
sb.append("IssuerUID: ");
for (boolean b : iUID) {
sb.append(b ? 1 : 0);
}
sb.append("\n");
}
boolean[] sUID = x509Cert.getSubjectUniqueID();
if (sUID != null) {
sb.append("SubjectUID: ");
for (boolean b : sUID) {
sb.append(b ? 1 : 0);
}
sb.append("\n");
}
try {
SubjectKeyIdentifierExtension sKeyID = x509Cert.getSubjectKeyIdentifierExtension();
if (sKeyID != null) {
KeyIdentifier keyID = sKeyID.get(SubjectKeyIdentifierExtension.KEY_ID);
sb.append("SubjKeyID: ").append(keyID.toString());
}
AuthorityKeyIdentifierExtension aKeyID = x509Cert.getAuthorityKeyIdentifierExtension();
if (aKeyID != null) {
KeyIdentifier keyID = (KeyIdentifier) aKeyID.get(AuthorityKeyIdentifierExtension.KEY_ID);
sb.append("AuthKeyID: ").append(keyID.toString());
}
} catch (IOException e) {
if (debug != null) {
debug.println("Vertex.certToString() unexpected exception");
e.printStackTrace();
}
}
return sb.toString();
}
Also used :
SubjectKeyIdentifierExtension(sun.security.x509.SubjectKeyIdentifierExtension)
KeyIdentifier(sun.security.x509.KeyIdentifier)
X509CertImpl(sun.security.x509.X509CertImpl)
AuthorityKeyIdentifierExtension(sun.security.x509.AuthorityKeyIdentifierExtension)
CertificateException(java.security.cert.CertificateException)
IOException(java.io.IOException)
Aggregations
IOException (java.io.IOException)6
CertificateException (java.security.cert.CertificateException)5
KeyIdentifier (sun.security.x509.KeyIdentifier)5
SubjectKeyIdentifierExtension (sun.security.x509.SubjectKeyIdentifierExtension)5
AuthorityKeyIdentifierExtension (sun.security.x509.AuthorityKeyIdentifierExtension)4
X509CertImpl (sun.security.x509.X509CertImpl)4
BigInteger (java.math.BigInteger)2
SecureRandom (java.security.SecureRandom)2
Date (java.util.Date)2
SubjectKeyIdentifierExtension (org.mozilla.jss.netscape.security.x509.SubjectKeyIdentifierExtension)2
AlgorithmId (sun.security.x509.AlgorithmId)2
BasicConstraintsExtension (sun.security.x509.BasicConstraintsExtension)2
CertificateExtensions (sun.security.x509.CertificateExtensions)2
KeyUsageExtension (sun.security.x509.KeyUsageExtension)2
CertificateAlgorithmId (android.sun.security.x509.CertificateAlgorithmId)1
CertificateExtensions (android.sun.security.x509.CertificateExtensions)1
CertificateIssuerName (android.sun.security.x509.CertificateIssuerName)1
CertificateSerialNumber (android.sun.security.x509.CertificateSerialNumber)1
CertificateSubjectName (android.sun.security.x509.CertificateSubjectName)1
CertificateValidity (android.sun.security.x509.CertificateValidity)1
