Search in sources :

Example 66 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project Openfire by igniterealtime.

the class CertificateManagerTest method testServerIdentitiesXmppAddr.

/**
 * {@link CertificateManager#getServerIdentities(X509Certificate)} should return:
 * <ul>
 *     <li>the 'xmppAddr' subjectAltName value</li>
 *     <li>explicitly not the Common Name</li>
 * </ul>
 *
 * when a certificate contains:
 * <ul>
 *     <li>a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr"</li>
 * </ul>
 */
@Test
public void testServerIdentitiesXmppAddr() throws Exception {
    // Setup fixture.
    final String subjectCommonName = "MySubjectCommonName";
    final String subjectAltNameXmppAddr = "MySubjectAltNameXmppAddr";
    final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(// Issuer
    new X500Name("CN=MyIssuer"), // Random serial number
    BigInteger.valueOf(Math.abs(new SecureRandom().nextInt())), // Not before 30 days ago
    new Date(System.currentTimeMillis() - (1000L * 60 * 60 * 24 * 30)), // Not after 99 days from now
    new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 99)), // Subject
    new X500Name("CN=" + subjectCommonName), subjectKeyPair.getPublic());
    final DERSequence otherName = new DERSequence(new ASN1Encodable[] { XMPP_ADDR_OID, new DERUTF8String(subjectAltNameXmppAddr) });
    final GeneralNames subjectAltNames = new GeneralNames(new GeneralName(GeneralName.otherName, otherName));
    builder.addExtension(Extension.subjectAlternativeName, true, subjectAltNames);
    final X509CertificateHolder certificateHolder = builder.build(contentSigner);
    final X509Certificate cert = new JcaX509CertificateConverter().getCertificate(certificateHolder);
    // Execute system under test
    final List<String> serverIdentities = CertificateManager.getServerIdentities(cert);
    // Verify result
    assertEquals(1, serverIdentities.size());
    assertTrue(serverIdentities.contains(subjectAltNameXmppAddr));
    assertFalse(serverIdentities.contains(subjectCommonName));
}
Also used : SecureRandom(java.security.SecureRandom) X500Name(org.bouncycastle.asn1.x500.X500Name) X509Certificate(java.security.cert.X509Certificate) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) GeneralName(org.bouncycastle.asn1.x509.GeneralName) Test(org.junit.Test)

Example 67 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project indy by Commonjava.

the class CertUtils method generateX509Certificate.

/**
 * Create a self-signed X.509 cert
 *
 * @param pair      KeyPair generated for this request
 * @param dn        the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
 * @param days      how many days from now the cert is valid for
 * @param algorithm the signing algorithm, eg "SHA256withRSA"
 * @return X509Certificate newly generated certificate
 */
public static X509Certificate generateX509Certificate(KeyPair pair, String dn, int days, String algorithm) throws GeneralSecurityException, OperatorCreationException, IOException {
    JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
    PrivateKey subPrivKey = pair.getPrivate();
    PublicKey subPubKey = pair.getPublic();
    ContentSigner contentSignerBuilder = new JcaContentSignerBuilder(algorithm).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(subPrivKey);
    X500Name name = new X500Name(dn);
    Date expires = new Date(System.currentTimeMillis() + (MILLIS_IN_DAY * days));
    X509CertificateHolder holder = new X509v3CertificateBuilder(name, allocateSerialNumber(), new Date(), expires, name, SubjectPublicKeyInfo.getInstance(subPubKey.getEncoded())).build(contentSignerBuilder);
    X509Certificate cert = converter.getCertificate(holder);
    logger.debug("Created cert using CA private key:\n" + cert.toString());
    return cert;
}
Also used : PrivateKey(java.security.PrivateKey) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) PublicKey(java.security.PublicKey) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) ContentSigner(org.bouncycastle.operator.ContentSigner) X500Name(org.bouncycastle.asn1.x500.X500Name) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate)

Example 68 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project koronavilkku-backend by THLfi.

the class FederationGatewaySigningDev method generateDevRootCertificate.

public X509Certificate generateDevRootCertificate(KeyPair keyPair) throws OperatorCreationException, IOException, CertificateException, NoSuchAlgorithmException {
    X500Name subject = new X500Name("CN=" + DEV_TRUST_ANCHOR_ISSUER);
    ContentSigner signer = new JcaContentSignerBuilder(DIGEST_ALGORITHM + "RSA").build(keyPair.getPrivate());
    X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(subject, new BigInteger(Long.toString(new SecureRandom().nextLong())), Date.from(Instant.now()), Date.from(Instant.now().plus(Duration.ofDays(100))), subject, SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()));
    JcaX509ExtensionUtils rootCertExtUtils = new JcaX509ExtensionUtils();
    certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
    certBuilder.addExtension(Extension.subjectKeyIdentifier, false, rootCertExtUtils.createSubjectKeyIdentifier(keyPair.getPublic()));
    X509CertificateHolder rootCertHolder = certBuilder.build(signer);
    return new JcaX509CertificateConverter().setProvider("BC").getCertificate(rootCertHolder);
}
Also used : JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) ContentSigner(org.bouncycastle.operator.ContentSigner) BigInteger(java.math.BigInteger) X500Name(org.bouncycastle.asn1.x500.X500Name) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)

Example 69 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project koronavilkku-backend by THLfi.

the class FederationGatewaySigningDev method generateDevCertificate.

public X509Certificate generateDevCertificate(KeyPair keyPair, KeyPair trustAnchorKeyPair, X509Certificate trustAnchorCert) throws OperatorCreationException, IOException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException, InvalidKeyException, SignatureException {
    X500Name subject = new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.C, "FI").addRDN(BCStyle.CN, "koronavilkku-dev").addRDN(BCStyle.O, "koronavilkku dev").build();
    PKCS10CertificationRequestBuilder p10Builder = new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic());
    JcaContentSignerBuilder csrBuilder = new JcaContentSignerBuilder(DIGEST_ALGORITHM + "RSA").setProvider("BC");
    ContentSigner csrContentSigner = csrBuilder.build(trustAnchorKeyPair.getPrivate());
    PKCS10CertificationRequest csr = p10Builder.build(csrContentSigner);
    X509v3CertificateBuilder issuedCertBuilder = new X509v3CertificateBuilder(new X500Name("CN=" + DEV_TRUST_ANCHOR_ISSUER), new BigInteger(Long.toString(new SecureRandom().nextLong())), Date.from(Instant.now()), Date.from(Instant.now().plus(Duration.ofDays(100))), csr.getSubject(), csr.getSubjectPublicKeyInfo());
    JcaX509ExtensionUtils issuedCertExtUtils = new JcaX509ExtensionUtils();
    issuedCertBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
    issuedCertBuilder.addExtension(Extension.authorityKeyIdentifier, false, issuedCertExtUtils.createAuthorityKeyIdentifier(trustAnchorCert));
    issuedCertBuilder.addExtension(Extension.subjectKeyIdentifier, false, issuedCertExtUtils.createSubjectKeyIdentifier(csr.getSubjectPublicKeyInfo()));
    issuedCertBuilder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.digitalSignature));
    X509CertificateHolder issuedCertHolder = issuedCertBuilder.build(csrContentSigner);
    X509Certificate issuedCert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(issuedCertHolder);
    issuedCert.verify(trustAnchorCert.getPublicKey(), "BC");
    return issuedCert;
}
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils) X500NameBuilder(org.bouncycastle.asn1.x500.X500NameBuilder) JcaPKCS10CertificationRequestBuilder(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) PKCS10CertificationRequestBuilder(org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder) JcaPKCS10CertificationRequestBuilder(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder) KeyUsage(org.bouncycastle.asn1.x509.KeyUsage) X500Name(org.bouncycastle.asn1.x500.X500Name) X509Certificate(java.security.cert.X509Certificate) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)

Example 70 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project neo4j by neo4j.

the class SelfSignedCertificateFactory method createSelfSignedCertificate.

public void createSelfSignedCertificate(Path certificatePath, Path privateKeyPath, String hostName) throws GeneralSecurityException, IOException, OperatorCreationException {
    installCleanupHook(certificatePath, privateKeyPath);
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance(DEFAULT_ENCRYPTION);
    keyGen.initialize(2048, random);
    KeyPair keypair = keyGen.generateKeyPair();
    // Prepare the information required for generating an X.509 certificate.
    X500Name owner = new X500Name("CN=" + hostName);
    X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(owner, new BigInteger(64, random), NOT_BEFORE, NOT_AFTER, owner, keypair.getPublic());
    // Subject alternative name (part of SNI extension, used for hostname verification)
    GeneralNames subjectAlternativeName = new GeneralNames(new GeneralName(GeneralName.dNSName, hostName));
    builder.addExtension(Extension.subjectAlternativeName, false, subjectAlternativeName);
    PrivateKey privateKey = keypair.getPrivate();
    ContentSigner signer = new JcaContentSignerBuilder("SHA512WithRSAEncryption").build(privateKey);
    X509CertificateHolder certHolder = builder.build(signer);
    X509Certificate cert = new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(certHolder);
    // check so that cert is valid
    cert.verify(keypair.getPublic());
    // write to disk
    writePem("CERTIFICATE", cert.getEncoded(), certificatePath);
    writePem("PRIVATE KEY", privateKey.getEncoded(), privateKeyPath);
    // Mark as done so we don't clean up certificates
    cleanupRequired = false;
}
Also used : KeyPair(java.security.KeyPair) PrivateKey(java.security.PrivateKey) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) KeyPairGenerator(java.security.KeyPairGenerator) X500Name(org.bouncycastle.asn1.x500.X500Name) X509Certificate(java.security.cert.X509Certificate) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger) GeneralName(org.bouncycastle.asn1.x509.GeneralName)

Aggregations

X500Name (org.bouncycastle.asn1.x500.X500Name)510 X509Certificate (java.security.cert.X509Certificate)182 BigInteger (java.math.BigInteger)175 Date (java.util.Date)168 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)158 ContentSigner (org.bouncycastle.operator.ContentSigner)149 JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)145 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)127 X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)127 IOException (java.io.IOException)104 JcaX509v3CertificateBuilder (org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)100 SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)93 KeyPair (java.security.KeyPair)79 RDN (org.bouncycastle.asn1.x500.RDN)75 X500Name (sun.security.x509.X500Name)68 PrivateKey (java.security.PrivateKey)64 CertificateException (java.security.cert.CertificateException)64 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)55 BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)55 SecureRandom (java.security.SecureRandom)54