use of org.mozilla.jss.netscape.security.x509.X500Name in project kafka by apache.
the class TestSslUtils method generateCertificate.
/**
* Create a self-signed X.509 Certificate.
* From http://bfo.com/blog/2011/03/08/odds_and_ends_creating_a_new_x_509_certificate.html.
*
* @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
* @param pair the KeyPair
* @param days how many days from now the Certificate is valid for
* @param algorithm the signing algorithm, eg "SHA1withRSA"
* @return the self-signed certificate
* @throws CertificateException thrown if a security error or an IO error occurred.
*/
public static X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm) throws CertificateException {
try {
Security.addProvider(new BouncyCastleProvider());
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(algorithm);
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
AsymmetricKeyParameter privateKeyAsymKeyParam = PrivateKeyFactory.createKey(pair.getPrivate().getEncoded());
SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(pair.getPublic().getEncoded());
ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(privateKeyAsymKeyParam);
X500Name name = new X500Name(dn);
Date from = new Date();
Date to = new Date(from.getTime() + days * 86400000L);
BigInteger sn = new BigInteger(64, new SecureRandom());
X509v1CertificateBuilder v1CertGen = new X509v1CertificateBuilder(name, sn, from, to, name, subPubKeyInfo);
X509CertificateHolder certificateHolder = v1CertGen.build(sigGen);
return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder);
} catch (CertificateException ce) {
throw ce;
} catch (Exception e) {
throw new CertificateException(e);
}
}
use of org.mozilla.jss.netscape.security.x509.X500Name in project OpenAttestation by OpenAttestation.
the class X509Builder method build.
public X509Certificate build() {
if (certificateVersion == null) {
v3();
}
if (certificateValidity == null) {
// 1 year default
expires(365, TimeUnit.DAYS);
}
if (certificateSerialNumber == null) {
randomSerial();
}
if (certificateSubjectName == null) {
if (commonName != null || organizationUnit != null || organizationName != null || country != null) {
try {
subjectName(new X500Name(commonName, organizationUnit, organizationName, country));
} catch (Exception e) {
fault(e, "commonName(%s) organizationUnit(%s) organizationName(%s) country(%s)", commonName, organizationUnit, organizationName, country);
}
}
}
if (certificateIssuerName == null) {
//}
if (commonName != null || organizationUnit != null || organizationName != null || country != null) {
try {
issuerName(new X500Name(commonName, organizationUnit, organizationName, country));
} catch (Exception e) {
fault(e, "commonName(%s) organizationUnit(%s) organizationName(%s) country(%s)", commonName, organizationUnit, organizationName, country);
}
}
}
if (subjectPublicKey == null) {
fault("missing subject public key");
}
// Note: alternativeName is optional so we don't have any defaults or errors for it here
if (algorithm == null) {
// algorithm.getName() == SHA256withRSA
algorithm(new AlgorithmId(AlgorithmId.sha256WithRSAEncryption_oid));
}
//}
try {
if (getFaults().isEmpty()) {
// Sign the cert to identify the algorithm that's used.
X509CertImpl cert = new X509CertImpl(info);
// NoSuchAlgorithMException, InvalidKeyException, NoSuchProviderException, , SignatureException
cert.sign(issuerPrivateKey, algorithm.getName());
/*
* for some unknown reason, if we return the "cert" now then all
* the optioanl fields such as getBasicConstraints() and
* getKeyUsage() are missing even though they are included if you
* call getEncoded() ... but if you re-create the certificate
* then those fields are present in the re-created certificate.
*/
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert2 = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(cert.getEncoded()));
return cert2;
}
return null;
} catch (Exception e) {
fault(e, "cannot sign certificate");
return null;
} finally {
done();
}
}
use of org.mozilla.jss.netscape.security.x509.X500Name in project OpenAttestation by OpenAttestation.
the class X509AttributeCertificate method valueOf.
/**
*
* @param encodedCertificate
* @return
*/
@JsonCreator
public static X509AttributeCertificate valueOf(@JsonProperty("encoded") byte[] encodedCertificate) {
X509AttributeCertificate result = new X509AttributeCertificate(encodedCertificate);
X509AttributeCertificateHolder cert;
try {
cert = new X509AttributeCertificateHolder(encodedCertificate);
} catch (IOException e) {
throw new IllegalArgumentException(e);
}
// calls toString() on each X500Name so we get the default representation; we can do it ourselves for custom display; output example: CN=Attr CA,OU=CPG,OU=DCSG,O=Intel,ST=CA,C=US
log.debug("issuer: {}", StringUtils.join(cert.getIssuer().getNames(), "; "));
// but expected to be only one
result.issuer = StringUtils.join(cert.getIssuer().getNames(), "; ");
// output example: 1
log.debug("serial number: {}", cert.getSerialNumber().toString());
result.serialNumber = cert.getSerialNumber();
// output example: 2.25=#041092a71a228c174522a18bfd3ed3d00b39
log.debug("holder: {}", StringUtils.join(cert.getHolder().getEntityNames(), ", "));
// now let's get the UUID specifically out of this
log.debug("holder has {} entity names", cert.getHolder().getEntityNames().length);
for (X500Name entityName : cert.getHolder().getEntityNames()) {
log.debug("holder entity name has {} rdns", entityName.getRDNs().length);
for (RDN rdn : entityName.getRDNs()) {
log.debug("entity rdn is multivalued? {}", rdn.isMultiValued());
AttributeTypeAndValue attr = rdn.getFirst();
if (attr.getType().toString().equals(OID.HOST_UUID)) {
UUID uuid = UUID.valueOf(DEROctetString.getInstance(attr.getValue()).getOctets());
log.debug("holder uuid: {}", uuid);
// example: 33766a63-5c55-4461-8a84-5936577df450
result.subject = uuid.toString();
}
}
}
// if we ddin't identify the UUID, just display the subject same way we did the issuer... concat all the entity names. example: 2.25=#041033766a635c5544618a845936577df450 (notice that in the value, there's a #0410 prepended to the uuid 33766a635c5544618a845936577df450)
if (result.subject == null) {
result.subject = StringUtils.join(cert.getHolder().getEntityNames(), "; ");
}
// output example: Thu Aug 08 15:21:13 PDT 2013
log.debug("not before: {}", cert.getNotBefore());
// output example: Sun Sep 08 15:21:13 PDT 2013
log.debug("not after: {}", cert.getNotAfter());
result.notBefore = cert.getNotBefore();
result.notAfter = cert.getNotAfter();
Attribute[] attributes = cert.getAttributes();
result.tags1 = new ArrayList<UTF8NameValueMicroformat>();
result.tags2 = new ArrayList<UTF8NameValueSequence>();
result.tagsOther = new ArrayList<ASN1Encodable>();
for (Attribute attr : attributes) {
log.debug("attr {} is {}", attr.hashCode(), attr.toString());
result.attributes.add(attr);
for (ASN1Encodable value : attr.getAttributeValues()) {
// result.tags.add(new AttributeOidAndValue(attr.getAttrType().toString(), DERUTF8String.getInstance(value).getString()));
if (attr.getAttrType().toString().equals(UTF8NameValueMicroformat.OID)) {
// our values are just UTF-8 strings but if you use new String(value.getEncoded()) you will get two extra spaces at the beginning of the string
log.debug("name-value microformat attribute: {}", DERUTF8String.getInstance(value).getString());
UTF8NameValueMicroformat microformat = new UTF8NameValueMicroformat(DERUTF8String.getInstance(value));
log.debug("name-value microformat attribute (2) name {} value {}", microformat.getName(), microformat.getValue());
result.tags1.add(microformat);
} else if (attr.getAttrType().toString().equals(UTF8NameValueSequence.OID)) {
UTF8NameValueSequence sequence = new UTF8NameValueSequence(ASN1Sequence.getInstance(value));
String name = sequence.getName();
List<String> values = sequence.getValues();
log.debug("name-values asn.1 attribute {} values {}", name, values);
result.tags2.add(sequence);
} else {
log.debug("unrecognzied attribute type {}", attr.getAttrType().toString());
result.tagsOther.add(value);
}
/*
* output examples:
* attribute: 1.3.6.1.4.1.99999.1.1.1.1 is US
* attribute: 1.3.6.1.4.1.99999.2.2.2.2 is CA
* attribute: 1.3.6.1.4.1.99999.3.3.3.3 is Folsom
*/
}
}
log.debug("valueOf ok");
return result;
}
use of org.mozilla.jss.netscape.security.x509.X500Name in project OpenAttestation by OpenAttestation.
the class X509AttrBuilder method subjectUuid.
/*
public X509AttrBuilder subjectName(sun.security.x509.X500Name subjectName) {
return subjectName(subjectName.getRFC2253Name());
}
*/
public X509AttrBuilder subjectUuid(UUID uuid) {
DEROctetString uuidText = new DEROctetString(uuid.toByteArray().getBytes());
ASN1ObjectIdentifier oid = new ASN1ObjectIdentifier(OID.HOST_UUID);
AttributeTypeAndValue attr = new AttributeTypeAndValue(oid, uuidText);
RDN rdn = new RDN(attr);
subjectName = new X500Name(new RDN[] { rdn });
return this;
}
use of org.mozilla.jss.netscape.security.x509.X500Name in project Openfire by igniterealtime.
the class CertificateManager method createX509V3Certificate.
/**
* Creates an X509 version3 certificate.
*
* @param kp KeyPair that keeps the public and private keys for the new certificate.
* @param days time to live
* @param issuerBuilder IssuerDN builder
* @param subjectBuilder SubjectDN builder
* @param domain Domain of the server.
* @param signAlgoritm Signature algorithm. This can be either a name or an OID.
* @return X509 V3 Certificate
* @throws GeneralSecurityException
* @throws IOException
*/
public static synchronized X509Certificate createX509V3Certificate(KeyPair kp, int days, X500NameBuilder issuerBuilder, X500NameBuilder subjectBuilder, String domain, String signAlgoritm) throws GeneralSecurityException, IOException {
PublicKey pubKey = kp.getPublic();
PrivateKey privKey = kp.getPrivate();
byte[] serno = new byte[8];
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
random.setSeed((new Date().getTime()));
random.nextBytes(serno);
BigInteger serial = (new java.math.BigInteger(serno)).abs();
X500Name issuerDN = issuerBuilder.build();
X500Name subjectDN = subjectBuilder.build();
// builder
JcaX509v3CertificateBuilder certBuilder = new //
JcaX509v3CertificateBuilder(//
issuerDN, //
serial, //
new Date(), //
new Date(System.currentTimeMillis() + days * (1000L * 60 * 60 * 24)), //
subjectDN, //
pubKey);
// add subjectAlternativeName extension
boolean critical = subjectDN.getRDNs().length == 0;
ASN1Sequence othernameSequence = new DERSequence(new ASN1Encodable[] { new ASN1ObjectIdentifier("1.3.6.1.5.5.7.8.5"), new DERUTF8String(domain) });
GeneralName othernameGN = new GeneralName(GeneralName.otherName, othernameSequence);
GeneralNames subjectAltNames = new GeneralNames(new GeneralName[] { othernameGN });
certBuilder.addExtension(Extension.subjectAlternativeName, critical, subjectAltNames);
// add keyIdentifiers extensions
JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
certBuilder.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(pubKey));
certBuilder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(pubKey));
try {
// build the certificate
ContentSigner signer = new JcaContentSignerBuilder(signAlgoritm).build(privKey);
X509CertificateHolder cert = certBuilder.build(signer);
// verify the validity
if (!cert.isValidOn(new Date())) {
throw new GeneralSecurityException("Certificate validity not valid");
}
// verify the signature (self-signed)
ContentVerifierProvider verifierProvider = new JcaContentVerifierProviderBuilder().build(pubKey);
if (!cert.isSignatureValid(verifierProvider)) {
throw new GeneralSecurityException("Certificate signature not valid");
}
return new JcaX509CertificateConverter().getCertificate(cert);
} catch (OperatorCreationException | CertException e) {
throw new GeneralSecurityException(e);
}
}
Aggregations