
Example 36 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project ca3sCore by kuehne-trustable-de.

the class CaInternalConnector method signCertificateRequest.

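/**
 * Signs a CSR with the internal intermediate CA and persists the resulting certificate.
 *
 * <p>The subject and the requested subjectAlternativeName extension are taken from the
 * PKCS#10 request as-is: no name policy is applied in this method, so any restriction on
 * what a requester may ask for has to be enforced before this call
 * (NOTE(review): confirm that the caller does so).
 * The CSR status is moved to {@code PROCESSING} before issuance and to {@code ISSUED} once
 * the certificate has been stored; on an I/O failure the CSR object is left in
 * {@code PROCESSING} and is not saved here.
 *
 * @param csr the certificate signing request to fulfil
 * @param caConfig connector configuration recorded on the certificate as its revocation CA
 * @return the persisted certificate entity
 * @throws GeneralSecurityException if the request cannot be parsed or issued, wrapping the
 *         underlying {@link IOException}
 */
public Certificate signCertificateRequest(CSR csr, CAConnectorConfig caConfig) throws GeneralSecurityException {
    try {
        csrUtil.setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_CA_PROCESSING_STARTED_TIMESTAMP, Long.toString(System.currentTimeMillis()), false);
        csr.setStatus(CsrStatus.PROCESSING);

        // Signing key pair of the issuing intermediate: public key from its PEM content,
        // private key from certUtil.
        Certificate intermediate = getIntermediate();
        PrivateKey privKeyIntermediate = certUtil.getPrivateKey(intermediate);
        KeyPair kpIntermediate = new KeyPair(certUtil.convertPemToCertificate(intermediate.getContent()).getPublicKey(), privKeyIntermediate);

        PKCS10CertificationRequest p10 = cryptoUtil.convertPemToPKCS10CertificationRequest(csr.getCsrBase64());
        GeneralNames gns = extractRequestedSubjectAlternativeNames(p10);

        // Subject, public key and SANs come straight from the request; one year validity, end-entity profile.
        X509Certificate x509Cert = cryptoUtil.issueCertificate(new X500Name(intermediate.getSubject()), kpIntermediate, p10.getSubject(), p10.getSubjectPublicKeyInfo(), Calendar.YEAR, 1, gns, null, PKILevel.END_ENTITY);
        Certificate cert = certUtil.createCertificate(x509Cert.getEncoded(), csr, "", false);
        cert.setRevocationCA(caConfig);
        certRepository.save(cert);

        csrUtil.setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_CA_PROCESSING_FINISHED_TIMESTAMP, Long.toString(System.currentTimeMillis()), true);
        csr.setStatus(CsrStatus.ISSUED);
        csrRepository.save(csr);
        return cert;
    } catch (IOException e) {
        // A failed issuance is an operational problem, not routine information.
        LOG.warn("Problem signing certificate request", e);
        throw new GeneralSecurityException(e);
    }
}

/**
 * Returns the subjectAlternativeName requested via the PKCS#10 extensionRequest attribute,
 * or {@code null} when the request carries no such extension.
 *
 * <p>When several extensionRequest attributes are present the last one wins, matching the
 * previous inline loop.
 *
 * @param p10 parsed certification request
 * @return the requested SAN general names, or {@code null}
 */
private static GeneralNames extractRequestedSubjectAlternativeNames(PKCS10CertificationRequest p10) {
    GeneralNames gns = null;
    for (org.bouncycastle.asn1.pkcs.Attribute attribute : p10.getAttributes()) {
        if (!PKCSObjectIdentifiers.pkcs_9_at_extensionRequest.equals(attribute.getAttrType())) {
            continue;
        }
        // A malformed request may carry an empty attribute value set; getObjectAt(0) would throw.
        if (attribute.getAttrValues().size() == 0) {
            continue;
        }
        Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
        gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);
    }
    return gns;
}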
Also used : PKCS10CertificationRequest(org.bouncycastle.pkcs.PKCS10CertificationRequest) KeyPair(java.security.KeyPair) PrivateKey(java.security.PrivateKey) CertificateAttribute(de.trustable.ca3s.core.domain.CertificateAttribute) CsrAttribute(de.trustable.ca3s.core.domain.CsrAttribute) GeneralSecurityException(java.security.GeneralSecurityException) X500Name(org.bouncycastle.asn1.x500.X500Name) IOException(java.io.IOException) Extensions(org.bouncycastle.asn1.x509.Extensions) X509Certificate(java.security.cert.X509Certificate) GeneralNames(org.bouncycastle.asn1.x509.GeneralNames) X509Certificate(java.security.cert.X509Certificate) Certificate(de.trustable.ca3s.core.domain.Certificate)

Example 37 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project ca3sCore by kuehne-trustable-de.

the class CaInternalConnector method createNewIntermediate.

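/**
 * Creates a new intermediate CA certificate signed by {@code root}, stores its private key and
 * flags it as the ca3s intermediate in the certificate repository.
 *
 * @param root the root certificate whose private key signs the new intermediate
 * @return the persisted intermediate certificate entity
 * @throws GeneralSecurityException on key generation or signing failure
 * @throws IOException if the certificate cannot be encoded or stored
 */
private Certificate createNewIntermediate(Certificate root) throws GeneralSecurityException, IOException {
    // Pin the RSA key size explicitly: without initialize() the size is whatever the provider
    // defaults to, which differs between JDK versions and may be too small for a CA key.
    final int rsaKeyBits = 4096;
    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
    keyPairGenerator.initialize(rsaKeyBits);
    KeyPair keyPair = keyPairGenerator.generateKeyPair();

    // The timestamp in the CN keeps successive intermediates distinguishable by subject.
    String subjectDn = "CN=CA3S-Intermediate" + System.currentTimeMillis() + ", OU=Internal Only, OU=Dev/Test Only, O=trustable solutions, C=DE";
    X500Name subject = new X500Name(subjectDn);

    // Root key pair: public key from its PEM content, private key from certUtil.
    PrivateKey privKeyRoot = certUtil.getPrivateKey(root);
    KeyPair kpRoot = new KeyPair(certUtil.convertPemToCertificate(root.getContent()).getPublicKey(), privKeyRoot);

    X509Certificate x509Cert = cryptoUtil.issueCertificate(new X500Name(root.getSubject()), kpRoot, subject, keyPair.getPublic().getEncoded(), Calendar.YEAR, 1, PKILevel.INTERMEDIATE);
    Certificate intermediateCert = certUtil.createCertificate(x509Cert.getEncoded(), null, "", false);
    certUtil.storePrivateKey(intermediateCert, keyPair);
    certUtil.setCertAttribute(intermediateCert, CertificateAttribute.ATTRIBUTE_CA3S_INTERMEDIATE, "true");
    certRepository.save(intermediateCert);
    return intermediateCert;
}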
Also used : KeyPair(java.security.KeyPair) PrivateKey(java.security.PrivateKey) X500Name(org.bouncycastle.asn1.x500.X500Name) X509Certificate(java.security.cert.X509Certificate) X509Certificate(java.security.cert.X509Certificate) Certificate(de.trustable.ca3s.core.domain.Certificate)

Example 38 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project modules by assimbly.

the class CertificatesUtil method selfsignCertificate2.

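/**
 * Creates a self-signed CA certificate (basicConstraints cA=true, critical) for the given key pair,
 * valid for two years from now.
 *
 * <p>The signature algorithm is chosen from the key algorithm: {@code SHA256withECDSA} for EC keys,
 * {@code SHA256WithRSA} otherwise (the previous fixed value). The serial number is the current
 * epoch millisecond, so two certificates created in the same millisecond share a serial; that is
 * tolerable for ad-hoc self-signed certificates but not for a CA issuing to third parties.
 *
 * <p>Side effect: registers the BouncyCastle provider globally via {@link Security#addProvider}.
 *
 * @param keyPair key pair whose public key is certified and whose private key signs
 * @param subjectDN value of the CN attribute; the subject (and issuer) becomes {@code CN=<subjectDN>}
 * @return the self-signed certificate
 * @throws OperatorCreationException if the content signer cannot be built
 * @throws CertificateException if the certificate cannot be converted to a JCA object
 * @throws IOException if the basicConstraints extension cannot be encoded
 */
public static Certificate selfsignCertificate2(KeyPair keyPair, String subjectDN) throws OperatorCreationException, CertificateException, IOException {
    Provider bcProvider = new BouncyCastleProvider();
    Security.addProvider(bcProvider);

    // Validity: now until the same calendar date two years later.
    long now = System.currentTimeMillis();
    Date startDate = new Date(now);
    Calendar calendar = Calendar.getInstance();
    calendar.setTime(startDate);
    calendar.add(Calendar.YEAR, 2);
    Date endDate = calendar.getTime();

    X500Name dnName = new X500Name("CN=" + subjectDN);
    BigInteger certSerialNumber = BigInteger.valueOf(now);

    // An RSA signature algorithm cannot sign with an EC private key; pick by key type.
    String keyAlgorithm = keyPair.getPublic().getAlgorithm();
    String signatureAlgorithm = keyAlgorithm != null && keyAlgorithm.startsWith("EC") ? "SHA256withECDSA" : "SHA256WithRSA";
    ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate());

    JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(dnName, certSerialNumber, startDate, endDate, dnName, keyPair.getPublic());
    // Named OID instead of the bare "2.5.29.19"; basicConstraints is conventionally marked critical.
    certBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));

    return new JcaX509CertificateConverter().setProvider(bcProvider).getCertificate(certBuilder.build(contentSigner));
}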
Also used : JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) Calendar(java.util.Calendar) ContentSigner(org.bouncycastle.operator.ContentSigner) X500Name(org.bouncycastle.asn1.x500.X500Name) Date(java.util.Date) Provider(java.security.Provider) BcDigestCalculatorProvider(org.bouncycastle.operator.bc.BcDigestCalculatorProvider) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) BigInteger(java.math.BigInteger) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)

Example 39 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project modules by assimbly.

the class CertificatesUtil method selfsignCertificate.

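/**
 * Generates a self-signed certificate using the BouncyCastle lib.
 *
 * <p>Subject and issuer are both {@code CN=<cn>}; subjectKeyIdentifier and authorityKeyIdentifier
 * are derived from the public key via {@code createSubjectKeyId}/{@code createAuthorityKeyId}, and
 * basicConstraints is set to cA=true (critical). The serial number is the current epoch millisecond.
 *
 * @param keyPair used for signing the certificate with its PrivateKey; its public key is certified
 * @param hashAlgorithm JCA signature algorithm name accepted by {@link JcaContentSignerBuilder}
 *                      (e.g. {@code "SHA256withRSA"}), not a bare digest name
 * @param cn Common Name to be used in the subject dn
 * @param days validity period in days of the certificate; must be positive
 *
 * @return self-signed X509Certificate
 *
 * @throws IllegalArgumentException if {@code days} is not positive
 * @throws OperatorCreationException on building the content signer
 * @throws CertIOException on adding an extension to the certificate builder
 * @throws CertificateException on getting certificate from provider
 */
public static X509Certificate selfsignCertificate(final KeyPair keyPair, final String hashAlgorithm, final String cn, final int days) throws OperatorCreationException, CertificateException, CertIOException {
    if (days <= 0) {
        // Otherwise notAfter would not be after notBefore and the certificate could never be valid.
        throw new IllegalArgumentException("days must be positive, got " + days);
    }
    final Instant now = Instant.now();
    final Date notBefore = Date.from(now);
    final Date notAfter = Date.from(now.plus(Duration.ofDays(days)));
    final ContentSigner contentSigner = new JcaContentSignerBuilder(hashAlgorithm).build(keyPair.getPrivate());
    final X500Name x500Name = new X500Name("CN=" + cn);
    final X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(x500Name, BigInteger.valueOf(now.toEpochMilli()), notBefore, notAfter, x500Name, keyPair.getPublic())
            .addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyId(keyPair.getPublic()))
            .addExtension(Extension.authorityKeyIdentifier, false, createAuthorityKeyId(keyPair.getPublic()))
            .addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
    return new JcaX509CertificateConverter().setProvider(new BouncyCastleProvider()).getCertificate(certificateBuilder.build(contentSigner));
}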
Also used : JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) Instant(java.time.Instant) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) X500Name(org.bouncycastle.asn1.x500.X500Name) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) Date(java.util.Date) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)

Example 40 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project identity-credential by google.

the class DeviceRequestParserTest method testDeviceRequestParserReaderAuthHelper.

/**
 * Builds a reader-authenticated device request with a freshly generated reader certificate
 * (signed by an ad-hoc trust point key) and checks that the parser reports the document
 * request as reader-authenticated.
 *
 * @param curveName named EC curve for the reader key
 * @param algorithm JCA signature algorithm used for reader authentication
 */
void testDeviceRequestParserReaderAuthHelper(String curveName, String algorithm) throws Exception {
    byte[] sessionTranscript = Util.cborEncodeBytestring(new byte[] { 0x01, 0x02 });

    Map<String, Boolean> requestedMdlItems = new HashMap<>();
    requestedMdlItems.put("family_name", true);
    requestedMdlItems.put("portrait", false);
    Map<String, Map<String, Boolean>> itemsToRequest = new HashMap<>();
    itemsToRequest.put(MDL_NAMESPACE, requestedMdlItems);

    // Reader key on the requested curve, generated with the BouncyCastle provider.
    BouncyCastleProvider bouncyCastle = new BouncyCastleProvider();
    KeyPairGenerator readerKpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, bouncyCastle);
    readerKpg.initialize(new ECGenParameterSpec(curveName));
    KeyPair readerKeyPair = readerKpg.generateKeyPair();

    // Trust point key on P-256 with the default provider; it signs the reader certificate.
    KeyPairGenerator trustPointKpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC);
    trustPointKpg.initialize(new ECGenParameterSpec("prime256v1"));
    KeyPair trustPointKeyPair = trustPointKpg.generateKeyPair();

    // Reader certificate valid from now for five years.
    Date validFrom = new Date();
    final long fiveYearsMillis = 5L * 365 * 24 * 60 * 60 * 1000;
    Date validUntil = new Date(validFrom.getTime() + fiveYearsMillis);
    JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
            new X500Name("CN=Some Reader Authority"),
            BigInteger.valueOf(42),
            validFrom,
            validUntil,
            new X500Name("CN=Some Reader Key"),
            readerKeyPair.getPublic());
    ContentSigner trustPointSigner = new JcaContentSignerBuilder("SHA256withECDSA").build(trustPointKeyPair.getPrivate());
    byte[] readerCertDer = certBuilder.build(trustPointSigner).getEncoded();
    X509Certificate readerCert = (X509Certificate) CertificateFactory.getInstance("X.509")
            .generateCertificate(new ByteArrayInputStream(readerCertDer));
    ArrayList<X509Certificate> readerCertChain = new ArrayList<>();
    readerCertChain.add(readerCert);

    Map<String, byte[]> requestInfo = new HashMap<>();
    requestInfo.put("foo", Util.cborEncodeString("bar"));
    requestInfo.put("bar", Util.cborEncodeNumber(42));

    Signature readerSignature = Signature.getInstance(algorithm, bouncyCastle);
    readerSignature.initSign(readerKeyPair.getPrivate());

    byte[] encodedDeviceRequest = new DeviceRequestGenerator()
            .setSessionTranscript(sessionTranscript)
            .addDocumentRequest(MDL_DOCTYPE, itemsToRequest, requestInfo, readerSignature, readerCertChain)
            .generate();
    DeviceRequestParser.DeviceRequest parsed = new DeviceRequestParser()
            .setSessionTranscript(sessionTranscript)
            .setDeviceRequest(encodedDeviceRequest)
            .parse();

    Assert.assertEquals("1.0", parsed.getVersion());
    List<DeviceRequestParser.DocumentRequest> documentRequests = parsed.getDocumentRequests();
    Assert.assertTrue(documentRequests.get(0).getReaderAuthenticated());
}
Also used : HashMap(java.util.HashMap) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ECGenParameterSpec(java.security.spec.ECGenParameterSpec) ArrayList(java.util.ArrayList) X500Name(org.bouncycastle.asn1.x500.X500Name) CertificateFactory(java.security.cert.CertificateFactory) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) KeyPair(java.security.KeyPair) ContentSigner(org.bouncycastle.operator.ContentSigner) KeyPairGenerator(java.security.KeyPairGenerator) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) ByteArrayInputStream(java.io.ByteArrayInputStream) Signature(java.security.Signature) BigInteger(java.math.BigInteger) HashMap(java.util.HashMap) Map(java.util.Map)
