Use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project AppManager by MuntashirAkon:
class KeyStoreUtils, method generateCert.
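@NonNull
private static X509Certificate generateCert(PrivateKey privateKey, PublicKey publicKey, @NonNull String formattedSubject, long expiryDate) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, InvalidKeyException, IOException {
    /*
     * Builds a self-signed X.509 v3 certificate (issuer == subject) for the given key pair,
     * valid from "now" until expiryDate (epoch millis), signed with SHA512withRSA.
     *
     * privateKey       - signing key; must correspond to publicKey or the resulting
     *                    signature will not verify against the embedded key.
     * publicKey        - key placed in the certificate and used to derive the SKI.
     * formattedSubject - RFC 2253 / X.500 distinguished name string.
     * expiryDate       - notAfter as epoch milliseconds; must be after the current time.
     *
     * Throws IllegalArgumentException when expiryDate is not in the future, plus the
     * checked exceptions from JSS certificate construction and signing.
     */
    String algorithmName = "SHA512withRSA";

    Date notBefore = new Date();
    Date notAfter = new Date(expiryDate);
    // A certificate whose notAfter is not strictly after notBefore is already expired
    // (or degenerate) at creation; reject it rather than emit an unusable credential.
    if (!notAfter.after(notBefore)) {
        throw new IllegalArgumentException("expiryDate must be later than the current time: " + expiryDate);
    }

    CertificateExtensions certificateExtensions = new CertificateExtensions();
    // SKI derived from the public key so the cert can be matched to its key later.
    certificateExtensions.set("SubjectKeyIdentifier",
            new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier()));
    certificateExtensions.set("PrivateKeyUsage", new PrivateKeyUsageExtension(notBefore, notAfter));

    X500Name x500Name = new X500Name(formattedSubject);

    // RFC 5280 §4.1.2.2: the serial must be a positive integer, and CA/B Forum and
    // current guidance expect at least 64 bits of CSPRNG output. The previous
    // java.util.Random-based 31-bit serial was predictable and collision-prone,
    // which complicates revocation and can confuse stores that index by
    // (issuer, serial). 64 random bits plus one keeps it non-zero and positive.
    java.math.BigInteger serial = new java.math.BigInteger(64, new java.security.SecureRandom())
            .add(java.math.BigInteger.ONE);

    X509CertInfo x509CertInfo = new X509CertInfo();
    // Extensions are only legal in v3 certificates.
    x509CertInfo.set("version", new CertificateVersion(CertificateVersion.V3));
    x509CertInfo.set("serialNumber", new CertificateSerialNumber(serial));
    x509CertInfo.set("algorithmID", new CertificateAlgorithmId(AlgorithmId.get(algorithmName)));
    x509CertInfo.set("subject", new CertificateSubjectName(x500Name));
    x509CertInfo.set("key", new CertificateX509Key(publicKey));
    x509CertInfo.set("validity", new CertificateValidity(notBefore, notAfter));
    // Self-signed: issuer is the same name as subject.
    x509CertInfo.set("issuer", new CertificateIssuerName(x500Name));
    x509CertInfo.set("extensions", certificateExtensions);

    X509CertImpl x509CertImpl = new X509CertImpl(x509CertInfo);
    x509CertImpl.sign(privateKey, algorithmName);
    return x509CertImpl;
}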
Use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project jss by dogtagpki:
class X509CertTest, method testEC.
/**
 * Exercises EC certificate creation: generates a CA key pair and a user key pair
 * on the given token (both secp521r1), builds a cert for the user key issued by
 * {@code issuerDN}, signs it with the CA private key and prints the result.
 *
 * @param token     token on which both key pairs are generated
 * @param notBefore start of the certificate validity period
 * @param notAfter  end of the certificate validity period
 * @throws Exception on any key-generation, encoding or signing failure
 */
public static void testEC(CryptoToken token, Date notBefore, Date notAfter) throws Exception {
    final String curveName = "secp521r1";
    final String signatureAlgorithm = "SHA256withEC";

    KeyPairGenerator generator = token.getKeyPairGenerator(KeyPairAlgorithm.EC);

    // Issuing (CA) key pair.
    generator.initialize(generator.getCurveCodeByName(curveName));
    KeyPair caPair = generator.genKeyPair();
    testKeys(caPair);

    // End-entity key pair; the generator is re-initialised with the same curve as the original did.
    generator.initialize(generator.getCurveCodeByName(curveName));
    KeyPair userPair = generator.genKeyPair();
    testKeys(userPair);
    PublicKey userPublic = userPair.getPublic();

    CertificateIssuerName issuer = new CertificateIssuerName(new X500Name(issuerDN));
    X509CertInfo info = createX509CertInfo(
            convertPublicKeyToX509Key(userPublic),
            BigInteger.valueOf(1),
            issuer,
            subjectDN,
            notBefore,
            notAfter,
            signatureAlgorithm);

    X509CertImpl signed = new X509CertImpl(info);
    signed.sign(caPair.getPrivate(), signatureAlgorithm);

    System.out.println("Test certificate output: \n" + signed.toString());
}
Use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project jss by dogtagpki:
class PKCS12Util, method addCertBag.
/**
 * Appends a PKCS #12 CertBag holding the DER encoding of {@code certInfo}'s
 * certificate (X.509 type) to {@code safeContents}, with the bag attributes
 * produced by {@link #createCertBagAttrs}.
 *
 * @param certInfo     certificate entry to serialise
 * @param safeContents SafeContents SEQUENCE that receives the new SafeBag
 * @throws Exception if the certificate cannot be encoded
 */
public void addCertBag(PKCS12CertInfo certInfo, SEQUENCE safeContents) throws Exception {
    byte[] certId = certInfo.getID();
    logger.debug(" - Certificate ID: " + Utils.HexEncode(certId));

    X509CertImpl x509 = certInfo.getCert();
    // The bag value is the raw DER certificate wrapped in an OCTET STRING.
    OCTET_STRING derCert = new OCTET_STRING(x509.getEncoded());
    CertBag bag = new CertBag(CertBag.X509_CERT_TYPE, derCert);

    SafeBag wrapped = new SafeBag(SafeBag.CERT_BAG, bag, createCertBagAttrs(certInfo));
    safeContents.addElement(wrapped);
}
Use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project jss by dogtagpki:
class PKCS12Util, method importKey.
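/**
 * Imports the private key described by {@code keyInfo} into the internal NSS key
 * storage token under {@code nickname}.
 *
 * The matching certificate is located by key ID; without one the key is ignored,
 * because NSS needs the public key to import an EncryptedPrivateKeyInfo. The
 * certificate is temporarily imported to obtain that public key and removed again
 * afterwards (the caller re-imports it with the proper nickname).
 *
 * @param pkcs12   parsed PKCS #12 structure the key and certificate come from
 * @param password passphrase protecting the EncryptedPrivateKeyInfo
 * @param nickname nickname to store the key under
 * @param keyInfo  key entry to import
 * @throws Exception if the key cannot be imported with either passphrase encoding
 */
public void importKey(PKCS12 pkcs12, Password password, String nickname, PKCS12KeyInfo keyInfo) throws Exception {
    PKCS12CertInfo certInfo = pkcs12.getCertInfoByKeyID(keyInfo.getID());
    if (certInfo == null) {
        logger.debug("Private key has no certificate, ignore");
        return;
    }

    byte[] epkiBytes = keyInfo.getEncryptedPrivateKeyInfoBytes();
    if (epkiBytes == null) {
        // Previously this only logged and then fell through to the import with a
        // null EPKI, contradicting the "skipping key" message; actually skip it.
        logger.debug("No EncryptedPrivateKeyInfo for key '" + keyInfo.getFriendlyName() + "'; skipping key");
        return;
    }

    CryptoManager cm = CryptoManager.getInstance();
    CryptoToken token = cm.getInternalKeyStorageToken();
    PK11Store store = (PK11Store) token.getCryptoStore();

    // Import the cert only to recover its public key; it is deleted again below.
    X509CertImpl certImpl = certInfo.getCert();
    X509Certificate cert = cm.importCACertPackage(certImpl.getEncoded());
    PublicKey publicKey = cert.getPublicKey();

    try {
        // First try without BMPString-encoding the passphrase.
        store.importEncryptedPrivateKeyInfo(null, password, nickname, publicKey, epkiBytes);
    } catch (Exception firstAttempt) {
        // If that failed, retry with a BMPString-encoded passphrase. This is
        // required for PKCS #12 PBE schemes and for PKCS #12 files using PBES2
        // generated by NSS < 3.31. Keep the first failure visible for diagnosis;
        // if the retry also fails, its exception propagates to the caller.
        logger.debug("Key import without BMPString passphrase failed; retrying with BMPString encoding", firstAttempt);
        store.importEncryptedPrivateKeyInfo(new PasswordConverter(), password, nickname, publicKey, epkiBytes);
    }

    // Remove the temporary certificate; the caller re-imports it with the correct nickname.
    try {
        store.deleteCertOnly(cert);
    } catch (NoSuchItemOnTokenException alreadyGone) {
        // this is OK
    }
}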
Use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project jss by dogtagpki:
class PKCS12Util, method storeCertIntoNSS.
/**
 * Stores a certificate (and its private key, if the PKCS #12 entry has one) in NSSDB.
 *
 * Existing certificates with the same nickname are deleted first when
 * {@code overwrite} is set; otherwise the method returns without importing anything.
 * Entries with a key ID are imported as user certificates (key first, then cert);
 * entries without one are imported as CA certificates. Trust flags from the
 * PKCS #12 entry are applied only when {@code trustFlagsEnabled} is set.
 *
 * @param pkcs12    parsed PKCS #12 structure
 * @param password  passphrase used to decrypt the private key, if any
 * @param certInfo  certificate entry to store
 * @param overwrite whether to replace certificates already stored under the same nickname
 * @throws Exception if deletion, key import or certificate import fails
 */
public void storeCertIntoNSS(PKCS12 pkcs12, Password password, PKCS12CertInfo certInfo, boolean overwrite) throws Exception {
    CryptoManager cm = CryptoManager.getInstance();
    CryptoStore store = cm.getInternalKeyStorageToken().getCryptoStore();

    String nickname = certInfo.getFriendlyName();
    for (X509Certificate existing : cm.findCertsByNickname(nickname)) {
        if (overwrite) {
            store.deleteCert(existing);
            continue;
        }
        // Something is already stored under this nickname and we may not replace it.
        return;
    }

    X509CertImpl certImpl = certInfo.getCert();
    byte[] keyID = certInfo.getKeyID();
    X509Certificate imported;

    if (keyID == null) {
        // No key: treat as a CA certificate.
        logger.debug("Importing CA certificate " + nickname);
        // Note: JSS does not preserve CA certificate nickname
        imported = cm.importCACertPackage(certImpl.getEncoded());
    } else {
        // Key present: import it first, then the certificate under the same nickname.
        logger.debug("Importing private key for " + nickname);
        PKCS12KeyInfo keyInfo = pkcs12.getKeyInfoByID(keyID);
        importKey(pkcs12, password, nickname, keyInfo);

        logger.debug("Importing user certificate " + nickname);
        imported = cm.importUserCACertPackage(certImpl.getEncoded(), nickname);
    }

    String trustFlags = certInfo.getTrustFlags();
    if (trustFlagsEnabled && trustFlags != null) {
        ((PK11Cert) imported).setTrustFlags(trustFlags);
    }
}