use of org.mozilla.jss.netscape.security.x509.X500Name in project ca3sCore by kuehne-trustable-de.
the class CaInternalConnector method signCertificateRequest.
public Certificate signCertificateRequest(CSR csr, CAConnectorConfig caConfig) throws GeneralSecurityException {
try {
csrUtil.setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_CA_PROCESSING_STARTED_TIMESTAMP, "" + System.currentTimeMillis(), false);
csr.setStatus(CsrStatus.PROCESSING);
Certificate intermediate = getIntermediate();
PrivateKey privKeyIntermediate = certUtil.getPrivateKey(intermediate);
KeyPair kpIntermediate = new KeyPair(certUtil.convertPemToCertificate(intermediate.getContent()).getPublicKey(), privKeyIntermediate);
PKCS10CertificationRequest p10 = cryptoUtil.convertPemToPKCS10CertificationRequest(csr.getCsrBase64());
GeneralNames gns = null;
org.bouncycastle.asn1.pkcs.Attribute[] certAttributes = p10.getAttributes();
for (org.bouncycastle.asn1.pkcs.Attribute attribute : certAttributes) {
if (attribute.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);
}
}
X509Certificate x509Cert = cryptoUtil.issueCertificate(new X500Name(intermediate.getSubject()), kpIntermediate, p10.getSubject(), p10.getSubjectPublicKeyInfo(), Calendar.YEAR, 1, gns, null, PKILevel.END_ENTITY);
Certificate cert = certUtil.createCertificate(x509Cert.getEncoded(), csr, "", false);
cert.setRevocationCA(caConfig);
certRepository.save(cert);
csrUtil.setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_CA_PROCESSING_FINISHED_TIMESTAMP, "" + System.currentTimeMillis(), true);
csr.setStatus(CsrStatus.ISSUED);
csrRepository.save(csr);
return cert;
} catch (IOException e) {
LOG.info("Problem signing certificate request", e);
throw new GeneralSecurityException(e);
}
/*
RDN[] rdnArr = new RDN[csr.getRdns().size()];
int i = 0;
for(de.trustable.ca3s.core.domain.RDN rdn:csr.getRdns()) {
LOG.debug("RDN contains #{}", rdn.getRdnAttributes().size());
int attLen = rdn.getRdnAttributes().size();
AttributeTypeAndValue[] atavArr = new AttributeTypeAndValue[attLen];
int j = 0;
for(RDNAttribute rdnAtt: rdn.getRdnAttributes()) {
AttributeTypeAndValue atav = new AttributeTypeAndValue( rdnAtt.getAttributeType(), new DEROctetString(rdnAtt.getAttributeValue().getBytes()));
}
rdnArr[i++] = new RDN(atav);
}
X500Name subject = new X500Name(csr.getRdns());
*/
}
use of org.mozilla.jss.netscape.security.x509.X500Name in project ca3sCore by kuehne-trustable-de.
the class CaInternalConnector method createNewIntermediate.
private Certificate createNewIntermediate(Certificate root) throws GeneralSecurityException, IOException {
KeyPair keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
X500Name subject = new X500Name("CN=CA3S-Intermediate" + System.currentTimeMillis() + ", OU=Internal Only, OU=Dev/Test Only, O=trustable solutions, C=DE");
PrivateKey privKeyRoot = certUtil.getPrivateKey(root);
KeyPair kpRoot = new KeyPair(certUtil.convertPemToCertificate(root.getContent()).getPublicKey(), privKeyRoot);
X509Certificate x509Cert = cryptoUtil.issueCertificate(new X500Name(root.getSubject()), kpRoot, subject, keyPair.getPublic().getEncoded(), Calendar.YEAR, 1, PKILevel.INTERMEDIATE);
Certificate intermediateCert = certUtil.createCertificate(x509Cert.getEncoded(), null, "", false);
certUtil.storePrivateKey(intermediateCert, keyPair);
certUtil.setCertAttribute(intermediateCert, CertificateAttribute.ATTRIBUTE_CA3S_INTERMEDIATE, "true");
certRepository.save(intermediateCert);
return intermediateCert;
}
use of org.mozilla.jss.netscape.security.x509.X500Name in project modules by assimbly.
the class CertificatesUtil method selfsignCertificate2.
public static Certificate selfsignCertificate2(KeyPair keyPair, String subjectDN) throws OperatorCreationException, CertificateException, IOException {
Provider bcProvider = new BouncyCastleProvider();
Security.addProvider(bcProvider);
long now = System.currentTimeMillis();
Date startDate = new Date(now);
X500Name dnName = new X500Name("CN=" + subjectDN);
// <-- Using the current timestamp as the certificate serial number
BigInteger certSerialNumber = new BigInteger(Long.toString(now));
Calendar calendar = Calendar.getInstance();
calendar.setTime(startDate);
// <-- 2 Yr validity
calendar.add(Calendar.YEAR, 2);
Date endDate = calendar.getTime();
// <-- Use appropriate signature algorithm based on your keyPair algorithm.
String signatureAlgorithm = "SHA256WithRSA";
ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate());
JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(dnName, certSerialNumber, startDate, endDate, dnName, keyPair.getPublic());
// Extensions --------------------------
// Basic Constraints
// <-- true for CA, false for EndEntity
BasicConstraints basicConstraints = new BasicConstraints(true);
// Basic Constraints is usually marked as critical.
certBuilder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, basicConstraints);
return new JcaX509CertificateConverter().setProvider(bcProvider).getCertificate(certBuilder.build(contentSigner));
}
use of org.mozilla.jss.netscape.security.x509.X500Name in project modules by assimbly.
the class CertificatesUtil method selfsignCertificate.
/**
* Generates a self signed certificate using the BouncyCastle lib.
*
* @param keyPair used for signing the certificate with PrivateKey
* @param hashAlgorithm Hash function
* @param cn Common Name to be used in the subject dn
* @param days validity period in days of the certificate
*
* @return self-signed X509Certificate
*
* @throws OperatorCreationException on creating a key id
* @throws CertIOException on building JcaContentSignerBuilder
* @throws CertificateException on getting certificate from provider
*/
public static X509Certificate selfsignCertificate(final KeyPair keyPair, final String hashAlgorithm, final String cn, final int days) throws OperatorCreationException, CertificateException, CertIOException {
final Instant now = Instant.now();
final Date notBefore = Date.from(now);
final Date notAfter = Date.from(now.plus(Duration.ofDays(days)));
final ContentSigner contentSigner = new JcaContentSignerBuilder(hashAlgorithm).build(keyPair.getPrivate());
final X500Name x500Name = new X500Name("CN=" + cn);
final X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(x500Name, BigInteger.valueOf(now.toEpochMilli()), notBefore, notAfter, x500Name, keyPair.getPublic()).addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyId(keyPair.getPublic())).addExtension(Extension.authorityKeyIdentifier, false, createAuthorityKeyId(keyPair.getPublic())).addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
return new JcaX509CertificateConverter().setProvider(new BouncyCastleProvider()).getCertificate(certificateBuilder.build(contentSigner));
}
use of org.mozilla.jss.netscape.security.x509.X500Name in project identity-credential by google.
the class DeviceRequestParserTest method testDeviceRequestParserReaderAuthHelper.
void testDeviceRequestParserReaderAuthHelper(String curveName, String algorithm) throws Exception {
byte[] encodedSessionTranscript = Util.cborEncodeBytestring(new byte[] { 0x01, 0x02 });
Map<String, Map<String, Boolean>> mdlItemsToRequest = new HashMap<>();
Map<String, Boolean> mdlNsItems = new HashMap<>();
mdlNsItems.put("family_name", true);
mdlNsItems.put("portrait", false);
mdlItemsToRequest.put(MDL_NAMESPACE, mdlNsItems);
BouncyCastleProvider bcProvider = new BouncyCastleProvider();
KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, bcProvider);
ECGenParameterSpec ecSpec = new ECGenParameterSpec(curveName);
kpg.initialize(ecSpec);
KeyPair readerKeyPair = kpg.generateKeyPair();
kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC);
ecSpec = new ECGenParameterSpec("prime256v1");
kpg.initialize(ecSpec);
KeyPair trustPointKeyPair = kpg.generateKeyPair();
X500Name issuer = new X500Name("CN=Some Reader Authority");
X500Name subject = new X500Name("CN=Some Reader Key");
// Valid from now to five years from now.
Date now = new Date();
final long kMilliSecsInOneYear = 365L * 24 * 60 * 60 * 1000;
Date expirationDate = new Date(now.getTime() + 5 * kMilliSecsInOneYear);
BigInteger serial = new BigInteger("42");
JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, serial, now, expirationDate, subject, readerKeyPair.getPublic());
ContentSigner signer = new JcaContentSignerBuilder("SHA256withECDSA").build(trustPointKeyPair.getPrivate());
byte[] encodedCert = builder.build(signer).getEncoded();
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ByteArrayInputStream bais = new ByteArrayInputStream(encodedCert);
X509Certificate readerCert = (X509Certificate) cf.generateCertificate(bais);
ArrayList<X509Certificate> readerCertChain = new ArrayList<>();
readerCertChain.add(readerCert);
Map<String, byte[]> mdlRequestInfo = new HashMap<>();
mdlRequestInfo.put("foo", Util.cborEncodeString("bar"));
mdlRequestInfo.put("bar", Util.cborEncodeNumber(42));
Signature signature = Signature.getInstance(algorithm, bcProvider);
signature.initSign(readerKeyPair.getPrivate());
byte[] encodedDeviceRequest = new DeviceRequestGenerator().setSessionTranscript(encodedSessionTranscript).addDocumentRequest(MDL_DOCTYPE, mdlItemsToRequest, mdlRequestInfo, signature, readerCertChain).generate();
DeviceRequestParser.DeviceRequest deviceRequest = new DeviceRequestParser().setSessionTranscript(encodedSessionTranscript).setDeviceRequest(encodedDeviceRequest).parse();
Assert.assertEquals("1.0", deviceRequest.getVersion());
List<DeviceRequestParser.DocumentRequest> documentRequests = deviceRequest.getDocumentRequests();
Assert.assertTrue(documentRequests.get(0).getReaderAuthenticated());
}
Aggregations