use of org.mozilla.jss.netscape.security.x509.X500Name in project ats-framework by Axway.
the class SMimePackageEncryptor method sign.
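/**
 * Signs the MIME message carried by {@code sourcePackage} with the private key and
 * certificate chain stored under {@code aliasOrCN} in the configured keystore and
 * returns the result as a new {@link MimePackage}.
 * <p>
 * The whole certificate chain of the alias is embedded in the signature and every
 * MIME header line of the original message is copied onto the signed message.
 *
 * @param sourcePackage the package whose MIME message is to be signed
 * @return a new package wrapping the signed multipart message
 * @throws ActionException if the private key or certificate chain cannot be loaded,
 *         the alias has no key or chain, or signing fails for any other reason; the
 *         original exception is kept as the cause
 */
@PublicAtsApi
public Package sign(Package sourcePackage) throws ActionException {
    try {
        // S/MIME signing relies on the Bouncy Castle provider; register it on first use
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }

        KeyStore ks = getKeystore();
        // TODO wrap exception with possible causes and add some hint
        PrivateKey privateKey = (PrivateKey) ks.getKey(aliasOrCN, certPassword.toCharArray());
        if (privateKey == null) {
            // KeyStore.getKey() returns null for an unknown alias; fail with a clear message
            // (wrapped into ActionException below) instead of a NullPointerException later on
            throw new IllegalStateException("No private key found in the keystore for alias: " + aliasOrCN);
        }

        // Get whole certificate chain. Pre 4.0.6 behavior was to attach only the leaf
        // certificate (ks.getCertificate(aliasOrCN)) instead of the full chain.
        Certificate[] certArr = ks.getCertificateChain(aliasOrCN);
        if (certArr == null || certArr.length == 0) {
            // getCertificateChain() returns null for an unknown alias or a non-key entry;
            // guard it here so it does not surface as a NullPointerException at certArr[0]
            throw new IllegalStateException("No certificate chain found in the keystore for alias: " + aliasOrCN);
        }
        LOG.debug("Found certificate of alias: " + aliasOrCN + ". Lenght of cert chain: " + certArr.length + ", child cert:" + certArr[0].toString());
        // The first element of the chain is the signer's own (leaf) certificate
        X509Certificate childCert = (X509Certificate) certArr[0];

        /* Signed attributes: encryption key preference plus the capabilities we advertise */
        ASN1EncodableVector attributes = new ASN1EncodableVector();
        attributes.add(new SMIMEEncryptionKeyPreferenceAttribute(
                new IssuerAndSerialNumber(new X500Name(childCert.getIssuerDN().getName()),
                                          childCert.getSerialNumber())));
        SMIMECapabilityVector capabilities = new SMIMECapabilityVector();
        capabilities.addCapability(SMIMECapability.aES128_CBC);
        capabilities.addCapability(SMIMECapability.dES_EDE3_CBC);
        capabilities.addCapability(SMIMECapability.rC2_CBC, 128);
        capabilities.addCapability(SMIMECapability.dES_CBC);
        attributes.add(new SMIMECapabilitiesAttribute(capabilities));

        if (signatureAlgorithm == null) {
            // Not specified explicitly.
            // TODO check defaults to be used: MD5withRSA and SHA1withDSA rely on digests
            // that are no longer considered collision resistant; callers should set a
            // SHA-2 based algorithm explicitly until this default is revised.
            // NOTE(review): privateKey.getAlgorithm() returns a String; confirm that
            // SignatureAlgorithm.DSA.equals(String) can ever be true, otherwise the
            // DSA branch is unreachable and every key defaults to MD5withRSA.
            signatureAlgorithm = SignatureAlgorithm.DSA.equals(privateKey.getAlgorithm()) ? "SHA1withDSA" : "MD5withRSA";
        }

        SMIMESignedGenerator signer = new SMIMESignedGenerator();
        JcaSimpleSignerInfoGeneratorBuilder signerGeneratorBuilder = new JcaSimpleSignerInfoGeneratorBuilder();
        signerGeneratorBuilder.setProvider(BouncyCastleProvider.PROVIDER_NAME);
        signerGeneratorBuilder.setSignedAttributeGenerator(new AttributeTable(attributes));
        signer.addSignerInfoGenerator(signerGeneratorBuilder.build(signatureAlgorithm, privateKey, childCert));

        /* Add the full chain (leaf first, then the CAs) to the generator */
        List<X509Certificate> certList = new ArrayList<>(certArr.length);
        for (Certificate cert : certArr) {
            certList.add((X509Certificate) cert);
        }
        Store<?> certs = new JcaCertStore(certList);
        signer.addCertificates(certs);

        /* Sign the message */
        MimeMessage original = getMimeMessage(sourcePackage);
        Session session = Session.getDefaultInstance(System.getProperties(), null);
        MimeMultipart mm = signer.generate(original);
        MimeMessage signedMessage = new MimeMessage(session);

        /* Copy every original MIME header line onto the signed message */
        Enumeration<?> headers = original.getAllHeaderLines();
        while (headers.hasMoreElements()) {
            signedMessage.addHeaderLine((String) headers.nextElement());
        }

        /* The signed multipart becomes the content of the new message */
        signedMessage.setContent(mm);
        signedMessage.saveChanges();
        return new MimePackage(signedMessage);
    } catch (Exception e) {
        throw new ActionException(EXCEPTION_WHILE_SIGNING, e);
    }
}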
use of org.mozilla.jss.netscape.security.x509.X500Name in project j2objc by google.
the class PKCS7 method populateCertIssuerNames.
/**
 * Fills {@code certIssuerNames} with the issuer DN of each entry of
 * {@code certificates}. An issuer that is not already an {@link X500Name}
 * is replaced by the X500Name decoded from the certificate's TBS structure,
 * so that later name comparisons work on the original encoded form.
 * Does nothing when {@code certificates} is {@code null}.
 */
private void populateCertIssuerNames() {
    if (certificates == null) {
        return;
    }
    certIssuerNames = new Principal[certificates.length];
    int idx = 0;
    for (X509Certificate cert : certificates) {
        certIssuerNames[idx++] = issuerNameOf(cert);
    }
}

/**
 * Returns the issuer of {@code cert} as an {@link X500Name} where possible.
 * Falls back to the Principal reported by the certificate itself if the
 * encoded issuer DN cannot be decoded.
 */
private static Principal issuerNameOf(X509Certificate cert) {
    Principal issuer = cert.getIssuerDN();
    if (issuer instanceof X500Name) {
        return issuer;
    }
    // Decode the issuer from the encoded TBS certificate rather than re-parsing
    // a String form, which could change the attribute value types.
    try {
        X509CertInfo tbsCert = new X509CertInfo(cert.getTBSCertificate());
        return (Principal) tbsCert.get(X509CertInfo.ISSUER + "." + X509CertInfo.DN_NAME);
    } catch (Exception ignored) {
        // Could not build an X500Name from the cert's issuer DN; keep the
        // Principal the certificate already reported.
        return issuer;
    }
}
use of org.mozilla.jss.netscape.security.x509.X500Name in project acme4j by shred.
the class CertificateUtils method createTestIntermediateCertificate.
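/**
 * Creates an intermediate certificate that is signed by an issuer.
 * <p>
 * The generated certificate is only meant for testing purposes! Its serial
 * number is derived from the wall clock, so two certificates created within the
 * same millisecond share a serial.
 * <p>
 * The issuer field of the new certificate is the <em>subject</em> of the
 * {@code issuer} certificate, as required for chain building; using the
 * issuer's own issuer would only be correct for a self-signed issuer.
 *
 * @param subject
 *            This certificate's subject X.500 name.
 * @param notBefore
 *            {@link Instant} before which the certificate is not valid.
 * @param notAfter
 *            {@link Instant} after which the certificate is not valid.
 * @param intermediatePublicKey
 *            {@link PublicKey} of this certificate
 * @param issuer
 *            The issuer's {@link X509Certificate}.
 * @param issuerPrivateKey
 *            {@link PrivateKey} of the issuer. This is not the private key of this
 *            intermediate certificate.
 * @return Generated {@link X509Certificate}
 * @throws NullPointerException if any argument is {@code null}
 * @since 2.8
 */
public static X509Certificate createTestIntermediateCertificate(String subject, Instant notBefore, Instant notAfter, PublicKey intermediatePublicKey, X509Certificate issuer, PrivateKey issuerPrivateKey) {
    Objects.requireNonNull(subject, "subject");
    Objects.requireNonNull(notBefore, "notBefore");
    Objects.requireNonNull(notAfter, "notAfter");
    Objects.requireNonNull(intermediatePublicKey, "intermediatePublicKey");
    Objects.requireNonNull(issuer, "issuer");
    Objects.requireNonNull(issuerPrivateKey, "issuerPrivateKey");

    // The issuer DN of the new certificate must equal the subject DN of the
    // certificate whose key signs it (RFC 5280, section 4.1.2.4).
    X500Name issuerName = new X500Name(issuer.getSubjectX500Principal().getName());
    JcaX509v1CertificateBuilder certBuilder = new JcaX509v1CertificateBuilder(
            issuerName,
            BigInteger.valueOf(System.currentTimeMillis()),
            Date.from(notBefore),
            Date.from(notAfter),
            new X500Name(subject),
            intermediatePublicKey);
    return buildCertificate(certBuilder::build, issuerPrivateKey);
}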
use of org.mozilla.jss.netscape.security.x509.X500Name in project acme4j by shred.
the class CSRBuilderTest method csrTest.
/**
 * Verifies that the CSR carries the expected subject RDNs and the expected
 * DNS and IP Subject Alternative Names.
 * <p>
 * This is not a Bouncy Castle test: if the {@link PKCS10CertificationRequest}
 * holds the right parameters, its encoding is assumed to be correct.
 */
private void csrTest(PKCS10CertificationRequest csr) {
    X500Name subject = csr.getSubject();
    // Value of the first attribute of an RDN, as a String
    java.util.function.Function<org.bouncycastle.asn1.x500.RDN, String> firstValue =
            rdn -> rdn.getFirst().getValue().toString();

    try (AutoCloseableSoftAssertions softly = new AutoCloseableSoftAssertions()) {
        softly.assertThat(subject.getRDNs(BCStyle.CN)).as("CN").extracting(firstValue).contains("abc.de");
        softly.assertThat(subject.getRDNs(BCStyle.C)).as("C").extracting(firstValue).contains("XX");
        softly.assertThat(subject.getRDNs(BCStyle.L)).as("L").extracting(firstValue).contains("Testville");
        softly.assertThat(subject.getRDNs(BCStyle.O)).as("O").extracting(firstValue).contains("Testing Co");
        softly.assertThat(subject.getRDNs(BCStyle.OU)).as("OU").extracting(firstValue).contains("Testunit");
        softly.assertThat(subject.getRDNs(BCStyle.ST)).as("ST").extracting(firstValue).contains("ABC");
    }

    // Exactly one extensionRequest attribute holding exactly one Extensions value
    Attribute[] extensionRequests = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
    assertThat(extensionRequests).hasSize(1);
    ASN1Encodable[] requested = extensionRequests[0].getAttrValues().toArray();
    assertThat(requested).hasSize(1);

    GeneralNames san = GeneralNames.fromExtensions((Extensions) requested[0], Extension.subjectAlternativeName);
    GeneralName[] sanEntries = san.getNames();
    assertThat(sanEntries)
            .filteredOn(gn -> gn.getTagNo() == GeneralName.dNSName)
            .extracting(gn -> ASN1IA5String.getInstance(gn.getName()).getString())
            .containsExactlyInAnyOrder("abc.de", "fg.hi", "jklm.no", "pqr.st", "uv.wx", "y.z", "*.wild.card", "ide1.nt", "ide2.nt", "ide3.nt");
    assertThat(sanEntries)
            .filteredOn(gn -> gn.getTagNo() == GeneralName.iPAddress)
            .extracting(gn -> getIP(gn.getName()).getHostAddress())
            .containsExactlyInAnyOrder("192.168.0.1", "192.168.0.2", "10.0.0.1", "10.0.0.2", "fd00:0:0:0:0:0:0:1", "fd00:0:0:0:0:0:0:2", "192.168.5.5", "192.168.5.6", "192.168.5.7");
}
use of org.mozilla.jss.netscape.security.x509.X500Name in project acme4j by shred.
the class SMIMECSRBuilderTest method smimeCsrTest.
/**
 * Verifies that the S/MIME CSR carries the expected subject RDNs and the
 * expected rfc822Name (e-mail) Subject Alternative Names.
 * <p>
 * This is not a Bouncy Castle test: if the {@link PKCS10CertificationRequest}
 * holds the right parameters, its encoding is assumed to be correct.
 */
private void smimeCsrTest(PKCS10CertificationRequest csr) {
    X500Name subject = csr.getSubject();
    // Value of the first attribute of an RDN, as a String
    java.util.function.Function<org.bouncycastle.asn1.x500.RDN, String> firstValue =
            rdn -> rdn.getFirst().getValue().toString();

    try (AutoCloseableSoftAssertions softly = new AutoCloseableSoftAssertions()) {
        softly.assertThat(subject.getRDNs(BCStyle.CN)).as("CN").extracting(firstValue).contains("mail@example.com");
        softly.assertThat(subject.getRDNs(BCStyle.C)).as("C").extracting(firstValue).contains("XX");
        softly.assertThat(subject.getRDNs(BCStyle.L)).as("L").extracting(firstValue).contains("Testville");
        softly.assertThat(subject.getRDNs(BCStyle.O)).as("O").extracting(firstValue).contains("Testing Co");
        softly.assertThat(subject.getRDNs(BCStyle.OU)).as("OU").extracting(firstValue).contains("Testunit");
        softly.assertThat(subject.getRDNs(BCStyle.ST)).as("ST").extracting(firstValue).contains("ABC");
    }

    // Exactly one extensionRequest attribute holding exactly one Extensions value
    Attribute[] extensionRequests = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
    assertThat(extensionRequests).hasSize(1);
    ASN1Encodable[] requested = extensionRequests[0].getAttrValues().toArray();
    assertThat(requested).hasSize(1);

    GeneralNames san = GeneralNames.fromExtensions((Extensions) requested[0], Extension.subjectAlternativeName);
    assertThat(san.getNames())
            .filteredOn(gn -> gn.getTagNo() == GeneralName.rfc822Name)
            .extracting(gn -> DERIA5String.getInstance(gn.getName()).getString())
            .containsExactlyInAnyOrder("mail@example.com", "info@example.com", "sales@example.com", "shop@example.com", "support@example.com", "help@example.com");
}