use of org.mozilla.jss.netscape.security.x509.X500Name in project Openfire by igniterealtime.
the class CertificateManagerTest method testServerIdentitiesXmppAddr.
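/**
 * {@link CertificateManager#getServerIdentities(X509Certificate)} should return:
 * <ul>
 * <li>the 'xmppAddr' subjectAltName value</li>
 * <li>explicitly not the Common Name</li>
 * </ul>
 *
 * when a certificate contains:
 * <ul>
 * <li>a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr"</li>
 * </ul>
 *
 * <p>The fixture is a certificate signed by the class-level {@code contentSigner} whose subject CN deliberately
 * differs from the xmppAddr value, so that the two membership assertions below cannot both be satisfied by the same
 * string. The serial number is a random strictly positive value: RFC 5280 section 4.1.2.2 requires a positive serial,
 * and {@code Math.abs(nextInt())} does not guarantee one ({@code Math.abs(Integer.MIN_VALUE)} is negative, and zero
 * is not positive either).
 *
 * <p>NOTE(review): RFC 5280 defines OtherName as {@code SEQUENCE { type-id OID, value [0] EXPLICIT ANY }}. This
 * fixture encodes the value without the EXPLICIT [0] tag; confirm that the system under test also accepts the tagged
 * form, which is what real CAs emit.
 */
@Test
public void testServerIdentitiesXmppAddr() throws Exception {
    // Setup fixture.
    final String subjectCommonName = "MySubjectCommonName";
    final String subjectAltNameXmppAddr = "MySubjectAltNameXmppAddr";

    // Strictly positive serial in [1, Integer.MAX_VALUE], as RFC 5280 requires.
    final BigInteger serialNumber = BigInteger.valueOf(new SecureRandom().nextInt(Integer.MAX_VALUE) + 1L);
    final long now = System.currentTimeMillis();
    final long oneDayMillis = 1000L * 60 * 60 * 24;
    final Date notBefore = new Date(now - 30 * oneDayMillis); // 30 days ago
    final Date notAfter = new Date(now + 99 * oneDayMillis);  // 99 days from now

    final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
        new X500Name("CN=MyIssuer"),
        serialNumber,
        notBefore,
        notAfter,
        new X500Name("CN=" + subjectCommonName),
        subjectKeyPair.getPublic());

    // otherName ::= SEQUENCE { type-id, value } with type-id = id-on-xmppAddr (see the tagging NOTE in the Javadoc).
    final DERSequence otherName = new DERSequence(new ASN1Encodable[] { XMPP_ADDR_OID, new DERUTF8String(subjectAltNameXmppAddr) });
    final GeneralNames subjectAltNames = new GeneralNames(new GeneralName(GeneralName.otherName, otherName));
    // The SAN is marked critical in this fixture; identity extraction under test must still read it.
    builder.addExtension(Extension.subjectAlternativeName, true, subjectAltNames);

    final X509CertificateHolder certificateHolder = builder.build(contentSigner);
    final X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certificateHolder);

    // Execute system under test
    final List<String> serverIdentities = CertificateManager.getServerIdentities(cert);

    // Verify result
    assertEquals(1, serverIdentities.size());
    assertTrue(serverIdentities.contains(subjectAltNameXmppAddr));
    assertFalse(serverIdentities.contains(subjectCommonName));
}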
use of org.mozilla.jss.netscape.security.x509.X500Name in project indy by Commonjava.
the class CertUtils method generateX509Certificate.
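/**
 * Create a self-signed X.509 cert.
 *
 * <p>The certificate is signed with {@code pair}'s own private key and carries {@code dn} as both issuer and
 * subject, i.e. it is self-signed and not issued by any CA. It has no extensions at all (no basicConstraints, no
 * subjectKeyIdentifier, no subjectAltName): callers that need hostname verification or a CA flag must add those
 * themselves.
 *
 * @param pair KeyPair generated for this request; its public key becomes the certificate's subject public key and
 *             its private key produces the signature
 * @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
 * @param days how many days from now the cert is valid for; must be positive
 * @param algorithm the signing algorithm, eg "SHA256withRSA"
 * @return X509Certificate newly generated certificate
 * @throws IllegalArgumentException if {@code pair}, {@code dn} or {@code algorithm} is null, or {@code days} is not positive
 * @throws GeneralSecurityException if the certificate cannot be converted to a JCA object
 * @throws OperatorCreationException if no signer can be built for {@code algorithm} with the BouncyCastle provider
 * @throws IOException if the certificate structure cannot be encoded
 */
public static X509Certificate generateX509Certificate(KeyPair pair, String dn, int days, String algorithm) throws GeneralSecurityException, OperatorCreationException, IOException {
    if (pair == null || dn == null || algorithm == null) {
        throw new IllegalArgumentException("pair, dn and algorithm must not be null");
    }
    if (days <= 0) {
        // A non-positive validity window would produce a certificate that is already expired (or never valid).
        throw new IllegalArgumentException("days must be positive, got " + days);
    }

    // Self-signed: the subject's own private key signs; no CA key is involved anywhere in this method.
    ContentSigner signer = new JcaContentSignerBuilder(algorithm)
        .setProvider(BouncyCastleProvider.PROVIDER_NAME)
        .build(pair.getPrivate());

    X500Name name = new X500Name(dn);
    Date notBefore = new Date();
    // Multiply in long so a large 'days' cannot overflow an int before being added to the timestamp.
    Date notAfter = new Date(notBefore.getTime() + MILLIS_IN_DAY * (long) days);

    SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(pair.getPublic().getEncoded());
    // Same name as issuer and subject; serial comes from the class-level allocator.
    X509CertificateHolder holder = new X509v3CertificateBuilder(name, allocateSerialNumber(), notBefore, notAfter, name, subjectPublicKeyInfo)
        .build(signer);

    X509Certificate cert = new JcaX509CertificateConverter().getCertificate(holder);
    // A certificate carries no secret material, so dumping it at debug level is safe. The old message claimed a
    // "CA private key" was used, which is not what happens here.
    logger.debug("Created self-signed cert:\n" + cert);
    return cert;
}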
use of org.mozilla.jss.netscape.security.x509.X500Name in project koronavilkku-backend by THLfi.
the class FederationGatewaySigningDev method generateDevRootCertificate.
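/**
 * Generates a self-signed root ("trust anchor") certificate for the development environment.
 *
 * <p>Subject and issuer are both {@code CN=<DEV_TRUST_ANCHOR_ISSUER>}, the certificate is valid for 100 days from
 * now, is flagged as a CA via a critical basicConstraints extension, and carries a subjectKeyIdentifier so that
 * certificates issued under it can link back through authorityKeyIdentifier.
 *
 * <p>The serial number is a random strictly positive integer in [1, 2^63]. RFC 5280 section 4.1.2.2 requires serial
 * numbers to be positive; a raw {@code nextLong()} is negative half of the time and such certificates are rejected
 * by strict verifiers.
 *
 * <p>NOTE(review): no keyUsage extension is set on this root. Leaving it absent is permissive (any use allowed); if
 * the anchor key is meant only to issue certificates, consider a critical {@code keyCertSign | cRLSign}, but confirm
 * first that nothing else signs with the anchor key.
 *
 * @param keyPair the trust anchor's key pair; the private key signs, the public key is embedded as the subject key
 * @return the self-signed root certificate, converted through the BouncyCastle ("BC") provider
 */
public X509Certificate generateDevRootCertificate(KeyPair keyPair) throws OperatorCreationException, IOException, CertificateException, NoSuchAlgorithmException {
    X500Name subject = new X500Name("CN=" + DEV_TRUST_ANCHOR_ISSUER);
    ContentSigner signer = new JcaContentSignerBuilder(DIGEST_ALGORITHM + "RSA").build(keyPair.getPrivate());

    // 63 random bits plus one: strictly positive, never zero, and well under the 20-octet DER limit.
    BigInteger serial = new BigInteger(63, new SecureRandom()).add(BigInteger.ONE);
    Instant now = Instant.now();
    X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
        subject,
        serial,
        Date.from(now),
        Date.from(now.plus(Duration.ofDays(100))),
        subject,
        SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()));

    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
    // CA=true and critical: this certificate is only meaningful as an issuer.
    certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
    certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(keyPair.getPublic()));

    X509CertificateHolder holder = certBuilder.build(signer);
    return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
}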
use of org.mozilla.jss.netscape.security.x509.X500Name in project koronavilkku-backend by THLfi.
the class FederationGatewaySigningDev method generateDevCertificate.
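/**
 * Issues a development signing certificate under the development trust anchor.
 *
 * <p>Flow: build a PKCS#10 request for subject {@code C=FI, CN=koronavilkku-dev, O=koronavilkku dev} carrying
 * {@code keyPair}'s public key, sign the request with {@code keyPair}'s private key (the proof of possession a CSR
 * exists to provide), then issue an end-entity certificate for the request's subject and key, signed by
 * {@code trustAnchorKeyPair}. The issuer name is copied from {@code trustAnchorCert}'s subject so that name chaining
 * matches the anchor byte-for-byte, and the authorityKeyIdentifier is derived from the same certificate.
 *
 * <p>Two corrections over a naive version: the CSR is signed with the subject's key rather than the anchor's (a
 * request signed by the issuer proves nothing about possession of the subject key), and the serial number is a random
 * strictly positive integer as RFC 5280 section 4.1.2.2 requires (a raw {@code nextLong()} is negative half of the
 * time and rejected by strict verifiers).
 *
 * <p>NOTE(review): the CSR signature is not verified before issuance. Here the request is built and consumed in the
 * same method, so that is harmless; a real issuance path must check it.
 *
 * @param keyPair the key pair of the certificate being issued
 * @param trustAnchorKeyPair the trust anchor's key pair; only its private key is used, to sign the issued certificate
 * @param trustAnchorCert the trust anchor's certificate; source of the issuer name and the authorityKeyIdentifier,
 *                        and the key against which the result is verified
 * @return the issued certificate, already verified against {@code trustAnchorCert}'s public key
 * @throws SignatureException if the issued certificate does not verify against the anchor's public key
 *         (i.e. {@code trustAnchorKeyPair} and {@code trustAnchorCert} do not belong together)
 */
public X509Certificate generateDevCertificate(KeyPair keyPair, KeyPair trustAnchorKeyPair, X509Certificate trustAnchorCert) throws OperatorCreationException, IOException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, SignatureException {
    X500Name subject = new X500NameBuilder(BCStyle.INSTANCE)
        .addRDN(BCStyle.C, "FI")
        .addRDN(BCStyle.CN, "koronavilkku-dev")
        .addRDN(BCStyle.O, "koronavilkku dev")
        .build();

    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(DIGEST_ALGORITHM + "RSA").setProvider("BC");

    // The request is self-signed by the subject key: that is the proof of possession a CSR is meant to carry.
    ContentSigner requestSigner = signerBuilder.build(keyPair.getPrivate());
    PKCS10CertificationRequest csr = new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic())
        .build(requestSigner);

    // Issuer name taken from the anchor's own subject so issuer/subject chaining is exact.
    X500Name issuer = X500Name.getInstance(trustAnchorCert.getSubjectX500Principal().getEncoded());
    // 63 random bits plus one: strictly positive, never zero.
    BigInteger serial = new BigInteger(63, new SecureRandom()).add(BigInteger.ONE);
    Instant now = Instant.now();
    X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
        issuer,
        serial,
        Date.from(now),
        Date.from(now.plus(Duration.ofDays(100))),
        csr.getSubject(),
        csr.getSubjectPublicKeyInfo());

    JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
    // End entity: CA=false, critical.
    certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
    certBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(trustAnchorCert));
    certBuilder.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(csr.getSubjectPublicKeyInfo()));
    certBuilder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature));

    // Only the anchor's private key signs the issued certificate.
    ContentSigner issuerSigner = signerBuilder.build(trustAnchorKeyPair.getPrivate());
    X509CertificateHolder holder = certBuilder.build(issuerSigner);
    X509Certificate issuedCert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);

    // Fail fast if the anchor key pair and the anchor certificate do not belong together.
    issuedCert.verify(trustAnchorCert.getPublicKey(), "BC");
    return issuedCert;
}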
use of org.mozilla.jss.netscape.security.x509.X500Name in project neo4j by neo4j.
the class SelfSignedCertificateFactory method createSelfSignedCertificate.
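/**
 * Generates a fresh 2048-bit key pair and a self-signed certificate for {@code hostName}, writing both to disk as
 * PEM ("CERTIFICATE" and "PRIVATE KEY" blocks).
 *
 * <p>The certificate's subject (and issuer, since it is self-signed) is {@code CN=<hostName>} and it carries a
 * dNSName subjectAltName equal to {@code hostName}, which is what TLS clients match during hostname verification.
 * Validity is the class-level {@code NOT_BEFORE}..{@code NOT_AFTER} window; the serial is 64 random bits from the
 * class-level {@code random}. The certificate is verified against its own public key before anything is written.
 *
 * <p>A cleanup hook is installed first and disarmed only after both files are written, so a failure part-way
 * through does not leave a half-written certificate/key pair behind.
 *
 * <p>NOTE(review): a dNSName SAN is only correct for DNS host names. If {@code hostName} can be an IP literal, the
 * SAN should be of type {@code GeneralName.iPAddress} instead, or clients verifying by IP will reject the
 * certificate. Also confirm that {@code writePem} creates the private-key file with owner-only permissions.
 *
 * @param certificatePath where to write the PEM certificate
 * @param privateKeyPath where to write the PEM private key
 * @param hostName DNS name the certificate is issued for; must be non-null and non-blank
 * @throws IllegalArgumentException if {@code hostName} is null or blank
 */
public void createSelfSignedCertificate(Path certificatePath, Path privateKeyPath, String hostName) throws GeneralSecurityException, IOException, OperatorCreationException {
    if (hostName == null || hostName.trim().isEmpty()) {
        // A blank name would yield "CN=" and an empty dNSName, which no client can ever match.
        throw new IllegalArgumentException("hostName must not be null or blank");
    }
    installCleanupHook(certificatePath, privateKeyPath);

    KeyPairGenerator keyGen = KeyPairGenerator.getInstance(DEFAULT_ENCRYPTION);
    keyGen.initialize(2048, random);
    KeyPair keypair = keyGen.generateKeyPair();
    PrivateKey privateKey = keypair.getPrivate();

    // Self-signed: the same name is both issuer and subject.
    X500Name owner = new X500Name("CN=" + hostName);
    X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(owner, new BigInteger(64, random), NOT_BEFORE, NOT_AFTER, owner, keypair.getPublic());

    // dNSName SAN: the field hostname verification actually matches against (this is not related to SNI).
    GeneralNames subjectAlternativeName = new GeneralNames(new GeneralName(GeneralName.dNSName, hostName));
    builder.addExtension(Extension.subjectAlternativeName, false, subjectAlternativeName);

    ContentSigner signer = new JcaContentSignerBuilder("SHA512WithRSAEncryption").build(privateKey);
    X509CertificateHolder certHolder = builder.build(signer);
    X509Certificate cert = new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(certHolder);

    // Sanity check: the signature must verify with our own public key before we persist anything.
    cert.verify(keypair.getPublic());

    writePem("CERTIFICATE", cert.getEncoded(), certificatePath);
    writePem("PRIVATE KEY", privateKey.getEncoded(), privateKeyPath);

    // Both files are in place; disarm the cleanup hook.
    cleanupRequired = false;
}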