use of org.mozilla.jss.netscape.security.x509.X500Name in project dcache by dCache.
Class ServerGsiEngineDssContextFactoryTest, method generateSelfSignedCert.
/**
 * Creates a throw-away self-signed RSA certificate for this test and writes the
 * certificate and its private key to {@code certFile} / {@code keyFile} in PEM form.
 *
 * <p>The certificate is valid for one day from the moment of generation and carries the
 * fixed serial number 1, which is acceptable for a single test fixture only.
 *
 * @throws GeneralSecurityException if the "BC" provider or RSA key generation is unavailable
 * @throws OperatorCreationException if the content signer cannot be built
 * @throws IOException if the certificate or key cannot be written
 */
private void generateSelfSignedCert() throws GeneralSecurityException, OperatorCreationException, IOException {
    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA", "BC");
    generator.initialize(2048, new SecureRandom());
    KeyPair pair = generator.generateKeyPair();

    long now = System.currentTimeMillis();
    Date validFrom = new Date(now);
    Date validTo = new Date(now + TimeUnit.DAYS.toMillis(1));

    // Self-signed: the same name serves as issuer and subject.
    X500Name name = new X500Name("CN=localhost, O=dCache.org");
    SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(pair.getPublic().getEncoded());
    X509v3CertificateBuilder builder = new X509v3CertificateBuilder(name, BigInteger.ONE, validFrom, validTo, name, publicKeyInfo);

    // The certificate is signed with its own private key.
    ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA").build(pair.getPrivate());
    X509CertificateHolder holder = builder.build(signer);
    var certificate = new JcaX509CertificateConverter().getCertificate(holder);

    try (OutputStream certOut = Files.newOutputStream(certFile.toPath(), CREATE, TRUNCATE_EXISTING, WRITE);
         OutputStream keyOut = Files.newOutputStream(keyFile.toPath(), CREATE, TRUNCATE_EXISTING, WRITE)) {
        CertificateUtils.saveCertificate(certOut, certificate, Encoding.PEM);
        // Null encryption algorithm / password: the key is presumably written unencrypted,
        // which is fine for a test fixture living next to the test.
        CertificateUtils.savePrivateKey(keyOut, pair.getPrivate(), Encoding.PEM, null, null);
    }
}
use of org.mozilla.jss.netscape.security.x509.X500Name in project powerauth-webflow by wultra.
Class ICACertificateParser, method parse.
/**
* Parse certificate in PEM format and return structured information about organization.
*
* @param certificatePem Certificate in PEM format.
* @return Structured certificate information.
* @throws CertificateException In case certificate cannot be parsed (or in rare case X.509 is not supported).
*/
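/**
 * Parse certificate in PEM format and return structured information about organization.
 *
 * <p>The input may arrive URL-encoded (nginx) or with its newlines replaced by spaces
 * (Apache); both forms are normalised before parsing. Only the subject name and the
 * qcStatements extension (OID 1.3.6.1.5.5.7.1.3) are read. No signature, chain or
 * validity-period verification is performed here, so trust in the certificate must be
 * established by the caller.
 *
 * @param certificatePem Certificate in PEM format.
 * @return Structured certificate information.
 * @throws CertificateException In case certificate cannot be parsed (or in rare case X.509 is not supported).
 */
public CertInfo parse(String certificatePem) throws CertificateException {
    // Check for null certificate value
    if (certificatePem == null) {
        throw new CertificateException("Certificate in PEM format not found.");
    }
    final String normalizedPem = normalizeForwardedPem(certificatePem);
    final CertificateFactory cf = CertificateFactory.getInstance("X.509");
    final ByteArrayInputStream bais = new ByteArrayInputStream(normalizedPem.getBytes(StandardCharsets.UTF_8));
    final X509Certificate cert = (X509Certificate) cf.generateCertificate(bais);
    try {
        final Set<CertInfo.PSD2> psd2Mandates = extractPsd2Mandates(cert);
        // NOTE(review): this cast relies on the JCA provider returning this X500Name
        // implementation from the deprecated getSubjectDN(); confirm for the provider in use.
        final List<AVA> avaList = ((X500Name) cert.getSubjectDN()).allAvas();
        return buildCertInfo(avaList, psd2Mandates);
    } catch (CertificateException e) {
        // Keep the more specific message raised while reading the extension.
        throw e;
    } catch (Exception e) {
        // catch all errors that can occur (malformed ASN.1, unexpected node types, ...);
        // the cause is kept so that the failure is diagnosable from the logs
        throw new CertificateException("Unable to extract PSD2 mandates.", e);
    }
}

/**
 * Undoes the transport encoding that reverse proxies apply to a forwarded client certificate.
 *
 * @param certificatePem the certificate as received (non-null)
 * @return the certificate in plain PEM form
 * @throws CertificateException if the URL-encoded form cannot be decoded
 */
private static String normalizeForwardedPem(String certificatePem) throws CertificateException {
    String pem = certificatePem;
    // Handle the URL encoded certificates
    if (pem.startsWith("-----BEGIN%20CERTIFICATE-----")) {
        // certificate is URL encoded by nginx.
        try {
            pem = URLDecoder.decode(pem, StandardCharsets.UTF_8.toString());
        } catch (UnsupportedEncodingException e) {
            throw new CertificateException("Unable to extract certificate in PEM format (nginx).", e);
        }
    }
    // Replace spaces in Apache forwarded certificate by newlines, then restore the two
    // PEM markers whose own inner space has just been turned into a newline.
    return pem.replace(" ", "\n")
            .replace("-----BEGIN\nCERTIFICATE-----", "-----BEGIN CERTIFICATE-----")
            .replace("-----END\nCERTIFICATE-----", "-----END CERTIFICATE-----");
}

/**
 * Reads the PSD2 roles from the qcStatements extension (OID 1.3.6.1.5.5.7.1.3).
 *
 * <p>Each statement is a SEQUENCE of a statement OID and an optional statement value. Only the
 * statement whose OID equals {@code psd2} is inspected; other statements are ignored regardless
 * of the type of their value.
 *
 * @param cert the parsed certificate
 * @return the set of recognised PSD2 roles (possibly empty)
 * @throws CertificateException if the extension is absent or cannot be decoded
 * @throws java.io.IOException if the extension value is not valid DER
 */
private Set<CertInfo.PSD2> extractPsd2Mandates(X509Certificate cert) throws CertificateException, java.io.IOException {
    final byte[] qcStatement = cert.getExtensionValue("1.3.6.1.5.5.7.1.3");
    if (qcStatement == null) {
        throw new CertificateException("Unable to extract PSD2 mandates.");
    }
    final ASN1Primitive qcStatementAsn1Primitive = JcaX509ExtensionUtils.parseExtensionValue(qcStatement);
    if (qcStatementAsn1Primitive == null) {
        throw new CertificateException("Unable to extract PSD2 mandates from extension value.");
    }
    // NOTE(review): only DLSequence nodes are recognised; a DERSequence-encoded statement would
    // fail this cast and surface as a generic parse error — confirm against real certificates.
    final DLSequence statements = (DLSequence) qcStatementAsn1Primitive;
    final Set<CertInfo.PSD2> psd2Mandates = new HashSet<>();
    for (ASN1Encodable statement : statements) {
        if (!(statement instanceof DLSequence)) {
            continue;
        }
        final DLSequence sequence = (DLSequence) statement;
        if (sequence.size() != 2) {
            continue;
        }
        final ASN1ObjectIdentifier id = (ASN1ObjectIdentifier) sequence.getObjectAt(0);
        // Check the OID before casting the value: unrelated statements may carry a
        // non-SEQUENCE value and must not abort the whole parse.
        if (!psd2.equals(id.getId())) {
            continue;
        }
        final DLSequence mandates = (DLSequence) sequence.getObjectAt(1);
        for (ASN1Encodable rolesOfPsp : mandates) {
            if (!(rolesOfPsp instanceof DLSequence)) {
                continue;
            }
            for (ASN1Encodable role : (DLSequence) rolesOfPsp) {
                final ASN1ObjectIdentifier roleOid = (ASN1ObjectIdentifier) ((DLSequence) role).getObjectAt(0);
                final CertInfo.PSD2 mandate = toPsd2Mandate(roleOid.getId());
                if (mandate != null) {
                    psd2Mandates.add(mandate);
                }
            }
        }
    }
    return psd2Mandates;
}

/**
 * Maps a PSD2 role OID to the corresponding enum value.
 *
 * @param roleOid dotted OID of the role
 * @return the matching role, or {@code null} when the OID is not one of the four known roles
 */
private CertInfo.PSD2 toPsd2Mandate(String roleOid) {
    if (psp_as.equals(roleOid)) {
        return CertInfo.PSD2.PSP_AS;
    }
    if (psp_ai.equals(roleOid)) {
        return CertInfo.PSD2.PSP_AI;
    }
    if (psp_pi.equals(roleOid)) {
        return CertInfo.PSD2.PSP_PI;
    }
    if (psp_ic.equals(roleOid)) {
        return CertInfo.PSD2.PSP_IC;
    }
    return null;
}

/**
 * Picks the organisation attributes out of the subject DN and assembles the result.
 *
 * <p>Attributes not listed below are ignored; if an attribute occurs more than once, the
 * last occurrence wins.
 *
 * @param avaList      attribute/value pairs of the subject DN
 * @param psd2Mandates roles read from the qcStatements extension
 * @return the assembled certificate information
 */
private static CertInfo buildCertInfo(List<AVA> avaList, Set<CertInfo.PSD2> psd2Mandates) {
    String country = null;
    String serialNumber = null;
    String commonName = null;
    String psd2License = null;
    String organization = null;
    String street = null;
    String city = null;
    String zipCode = null;
    String region = null;
    String website = null;
    for (AVA ava : avaList) {
        final String oid = ava.getObjectIdentifier().toString();
        final String val = ava.getValueString();
        switch (oid) {
            case "2.5.4.6":
                // C=CZ => 2.5.4.6
                country = val;
                break;
            case "2.5.4.3":
                // CN=cnb.cz => 2.5.4.3
                // The website is derived from the CN as-is; it is not validated here.
                commonName = val;
                website = "https://" + val;
                break;
            case "2.5.4.10":
                // O=ČESKÁ NÁRODNÍ BANKA => 2.5.4.10
                organization = val;
                break;
            case "2.5.4.9":
                // STREET=Na příkopě 864/28 => 2.5.4.9
                street = val;
                break;
            case "2.5.4.7":
                // L=Praha 1 => 2.5.4.7
                city = val;
                break;
            case "2.5.4.17":
                // OID.2.5.4.17=11000 => 2.5.4.17
                zipCode = val;
                break;
            case "2.5.4.5":
                // SERIALNUMBER=48136450 => 2.5.4.5
                serialNumber = val;
                break;
            case "2.5.4.8":
                // ST=Hlavní město Praha => 2.5.4.8
                region = val;
                break;
            case "2.5.4.97":
                // OID.2.5.4.97=PSDCZ-CNB-48136450 => 2.5.4.97
                psd2License = val;
                break;
            default:
                // any other subject attribute is not part of CertInfo
                break;
        }
    }
    return new CertInfo(serialNumber, commonName, psd2License, organization, street, city, zipCode, region, country, website, psd2Mandates);
}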
use of org.mozilla.jss.netscape.security.x509.X500Name in project interlok by adaptris.
Class X509Builder, method build.
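/**
 * Builds a self-signed X.509 v3 certificate for the configured subject, generating a key
 * pair first when none has been supplied.
 *
 * @return the signed certificate
 * @throws NoSuchAlgorithmException if key generation or the signature algorithm is unavailable
 * @throws CertificateException if the certificate holder cannot be converted to a JCA certificate
 * @throws OperatorCreationException if the content signer cannot be built
 */
private X509Certificate build() throws NoSuchAlgorithmException, CertificateException, OperatorCreationException {
    if (privateKey == null) {
        createKeyPair();
    }
    // The certificate is self-signed, so the subject is also the issuer.
    X500Name name = certificateParm.getSubjectInfo();
    // Self-signed, so the serial only needs to be unique per issuer name; the original
    // 0..9999 range is kept. NOTE(review): that is far less than the randomness expected
    // of CA-issued serials — confirm it is acceptable for how these certificates are used.
    BigInteger serial = BigInteger.valueOf(SecurityUtil.getSecureRandom().nextInt(10000));
    // Valid from now for 12 months.
    GregorianCalendar valid = new GregorianCalendar();
    Date notBefore = valid.getTime();
    valid.add(Calendar.MONTH, 12);
    Date notAfter = valid.getTime();
    SubjectPublicKeyInfo pubKeyInfo = SubjectPublicKeyInfo.getInstance(ASN1Sequence.getInstance(publicKey.getEncoded()));
    X509v3CertificateBuilder certGen = new X509v3CertificateBuilder(name, serial, notBefore, notAfter, name, pubKeyInfo);
    JcaContentSignerBuilder builder = new JcaContentSignerBuilder(certificateParm.getSignatureAlgorithm());
    // build and sign the certificate with our own private key
    X509CertificateHolder certHolder = certGen.build(builder.build(privateKey));
    return new JcaX509CertificateConverter().getCertificate(certHolder);
}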
use of org.mozilla.jss.netscape.security.x509.X500Name in project AppManager by MuntashirAkon.
Class KeyStoreUtils, method generateCert.
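/**
 * Builds and signs a self-signed X.509 v3 certificate (SHA-512 with RSA) for the given keys.
 *
 * @param privateKey       key used to sign the certificate
 * @param publicKey        key embedded in the certificate and used for the subject key identifier
 * @param formattedSubject distinguished name used as both subject and issuer
 * @param expiryDate       end of the validity period as epoch milliseconds; validity starts now
 * @return the signed certificate
 * @throws CertificateException     if the certificate cannot be assembled
 * @throws NoSuchAlgorithmException if SHA-512 with RSA is unavailable
 * @throws NoSuchProviderException  if the signing provider is unavailable
 * @throws SignatureException       if signing fails
 * @throws InvalidKeyException      if the private key cannot be used for signing
 * @throws IOException              if encoding the certificate fields fails
 */
@NonNull
private static X509Certificate generateCert(PrivateKey privateKey, PublicKey publicKey, @NonNull String formattedSubject, long expiryDate) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, InvalidKeyException, IOException {
    String algorithmName = "SHA512withRSA";
    X500Name x500Name = new X500Name(formattedSubject);
    Date notBefore = new Date();
    // NOTE(review): expiryDate is not compared with notBefore here; a value in the past yields
    // an already-expired certificate — confirm callers validate it.
    Date notAfter = new Date(expiryDate);
    CertificateExtensions certificateExtensions = new CertificateExtensions();
    certificateExtensions.set("SubjectKeyIdentifier", new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier()));
    certificateExtensions.set("PrivateKeyUsage", new PrivateKeyUsageExtension(notBefore, notAfter));
    CertificateValidity certificateValidity = new CertificateValidity(notBefore, notAfter);
    X509CertInfo x509CertInfo = new X509CertInfo();
    // 2 == X.509 v3, the version that allows extensions
    x509CertInfo.set("version", new CertificateVersion(2));
    // Positive serial drawn from a CSPRNG; java.util.Random is not appropriate for serials.
    x509CertInfo.set("serialNumber", new CertificateSerialNumber(new java.security.SecureRandom().nextInt() & Integer.MAX_VALUE));
    x509CertInfo.set("algorithmID", new CertificateAlgorithmId(AlgorithmId.get(algorithmName)));
    // Self-signed: subject and issuer are the same name.
    x509CertInfo.set("subject", new CertificateSubjectName(x500Name));
    x509CertInfo.set("key", new CertificateX509Key(publicKey));
    x509CertInfo.set("validity", certificateValidity);
    x509CertInfo.set("issuer", new CertificateIssuerName(x500Name));
    x509CertInfo.set("extensions", certificateExtensions);
    X509CertImpl x509CertImpl = new X509CertImpl(x509CertInfo);
    x509CertImpl.sign(privateKey, algorithmName);
    return x509CertImpl;
}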
use of org.mozilla.jss.netscape.security.x509.X500Name in project remoting by jenkinsci.
Class X509CertificateRule, method apply.
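/**
 * Wraps the test statement so that {@code certificate} holds a freshly generated X.509 v3
 * certificate for the duration of the test, unless the test is annotated with {@link Skip}
 * naming this rule's {@code id} (an empty {@code Skip} value skips every rule).
 *
 * <p>The subject (and issuer) is built from the rule id, when set, and the test's display
 * name as CN plus {@code C=US}; the certificate carries the public half of {@code subjectKey}
 * and is signed with {@code signerKey}. The field is reset to {@code null} after the test.
 *
 * @param base        the statement to wrap
 * @param description the test description, used for the {@link Skip} lookup and the CN
 * @return the wrapping statement
 */
@Override
public Statement apply(final Statement base, final Description description) {
    Skip skip = description.getAnnotation(Skip.class);
    if (skip != null && (skip.value().length == 0 || Arrays.asList(skip.value()).contains(id))) {
        return base;
    }
    return new Statement() {
        @Override
        public void evaluate() throws Throwable {
            Date now = new Date();
            Date firstDate = new Date(now.getTime() + startDateOffsetMillis);
            Date lastDate = new Date(now.getTime() + endDateOffsetMillis);
            SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(subjectKey.getPublic().getEncoded());
            X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE);
            if (id != null) {
                nameBuilder.addRDN(BCStyle.CN, id);
            }
            X500Name subject = nameBuilder.addRDN(BCStyle.CN, description.getDisplayName()).addRDN(BCStyle.C, "US").build();
            X509v3CertificateBuilder certGen = new X509v3CertificateBuilder(subject, BigInteger.ONE, firstDate, lastDate, subject, subjectPublicKeyInfo);
            JcaX509ExtensionUtils instance = new JcaX509ExtensionUtils();
            certGen.addExtension(Extension.subjectKeyIdentifier, false, instance.createSubjectKeyIdentifier(subjectPublicKeyInfo));
            // SHA-256 instead of SHA-1: SHA-1 certificate signatures are deprecated and
            // increasingly rejected by TLS stacks, which would make this fixture unusable.
            ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider(BOUNCY_CASTLE_PROVIDER).build(X509CertificateRule.this.signerKey.getPrivate());
            certificate = new JcaX509CertificateConverter().setProvider(BOUNCY_CASTLE_PROVIDER).getCertificate(certGen.build(signer));
            try {
                base.evaluate();
            } finally {
                // never leave a stale certificate visible to the next test
                certificate = null;
            }
        }
    };
}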