
Example 1 with X509CertImpl

Use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project AppManager by MuntashirAkon.

Class KeyStoreUtils, method generateCert:

@NonNull
private static X509Certificate generateCert(PrivateKey privateKey, PublicKey publicKey,
                                            @NonNull String formattedSubject, long expiryDate)
        throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException,
               SignatureException, InvalidKeyException, IOException {
    String algorithmName = "SHA512withRSA";
    // Subject Key Identifier is derived from the public key so the cert can be matched to its key
    CertificateExtensions certificateExtensions = new CertificateExtensions();
    certificateExtensions.set("SubjectKeyIdentifier", new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier()));
    X500Name x500Name = new X500Name(formattedSubject);
    Date notBefore = new Date();
    Date notAfter = new Date(expiryDate);
    certificateExtensions.set("PrivateKeyUsage", new PrivateKeyUsageExtension(notBefore, notAfter));
    CertificateValidity certificateValidity = new CertificateValidity(notBefore, notAfter);
    X509CertInfo x509CertInfo = new X509CertInfo();
    // version value 2 encodes X.509 v3, which is required for the extensions set below
    x509CertInfo.set("version", new CertificateVersion(2));
    // Note: java.util.Random is not a CSPRNG and this yields a positive 31-bit serial only;
    // SecureRandom (also imported by this class) would give an unpredictable serial.
    x509CertInfo.set("serialNumber", new CertificateSerialNumber(new Random().nextInt() & Integer.MAX_VALUE));
    x509CertInfo.set("algorithmID", new CertificateAlgorithmId(AlgorithmId.get(algorithmName)));
    x509CertInfo.set("subject", new CertificateSubjectName(x500Name));
    x509CertInfo.set("key", new CertificateX509Key(publicKey));
    x509CertInfo.set("validity", certificateValidity);
    // self-signed certificate: issuer and subject are the same name
    x509CertInfo.set("issuer", new CertificateIssuerName(x500Name));
    x509CertInfo.set("extensions", certificateExtensions);
    X509CertImpl x509CertImpl = new X509CertImpl(x509CertInfo);
    // sign with the private key matching publicKey; this also produces the DER encoding
    x509CertImpl.sign(privateKey, algorithmName);
    return x509CertImpl;
}
Also used:
  android.sun.security.x509.CertificateSubjectName
  android.sun.security.x509.KeyIdentifier
  android.sun.security.x509.X509CertInfo
  android.sun.security.x509.CertificateIssuerName
  android.sun.security.x509.CertificateVersion
  android.sun.security.x509.CertificateExtensions
  android.sun.security.x509.CertificateValidity
  android.sun.security.x509.X500Name
  android.sun.security.x509.CertificateX509Key
  java.util.Date
  android.sun.security.x509.SubjectKeyIdentifierExtension
  android.sun.security.x509.CertificateSerialNumber
  java.util.Random
  java.security.SecureRandom
  android.sun.security.x509.X509CertImpl
  android.sun.security.x509.CertificateAlgorithmId
  android.sun.security.x509.PrivateKeyUsageExtension
  androidx.annotation.NonNull

Example 2 with X509CertImpl

Use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project jss by dogtagpki.

Class X509CertTest, method testEC:

public static void testEC(CryptoToken token, Date notBefore, Date notAfter) throws Exception {
    X509CertImpl certImpl = null;
    X509CertInfo certInfo = null;
    // CA key pair on the NIST P-521 curve, generated on the given token
    KeyPairGenerator gen = token.getKeyPairGenerator(KeyPairAlgorithm.EC);
    gen.initialize(gen.getCurveCodeByName("secp521r1"));
    KeyPair keypairCA = gen.genKeyPair();
    testKeys(keypairCA);
    PublicKey pubCA = keypairCA.getPublic();
    // end-entity key pair on the same curve
    gen.initialize(gen.getCurveCodeByName("secp521r1"));
    KeyPair keypairUser = gen.genKeyPair();
    testKeys(keypairUser);
    PublicKey pubUser = keypairUser.getPublic();
    // build the TBS certificate: user public key, serial 1, issued by issuerDN to subjectDN
    CertificateIssuerName issuernameObj = new CertificateIssuerName(new X500Name(issuerDN));
    certInfo = createX509CertInfo(convertPublicKeyToX509Key(pubUser), BigInteger.valueOf(1), issuernameObj, subjectDN, notBefore, notAfter, "SHA256withEC");
    certImpl = new X509CertImpl(certInfo);
    // sign with the CA private key (ECDSA with SHA-256)
    certImpl.sign(keypairCA.getPrivate(), "SHA256withEC");
    String certOutput = certImpl.toString();
    System.out.println("Test certificate output: \n" + certOutput);
}
Also used:
  java.security.KeyPair
  org.mozilla.jss.netscape.security.x509.X509CertInfo
  java.security.interfaces.RSAPublicKey
  java.security.PublicKey
  java.security.interfaces.ECPublicKey
  org.mozilla.jss.pkcs11.PK11ECPublicKey
  org.mozilla.jss.netscape.security.x509.X509CertImpl
  org.mozilla.jss.netscape.security.x509.CertificateIssuerName
  org.mozilla.jss.crypto.KeyPairGenerator
  org.mozilla.jss.netscape.security.x509.X500Name

Example 3 with X509CertImpl

Use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project jss by dogtagpki.

Class PKCS12Util, method addCertBag:

public void addCertBag(PKCS12CertInfo certInfo, SEQUENCE safeContents) throws Exception {
    byte[] id = certInfo.getID();
    logger.debug(" - Certificate ID: " + Utils.HexEncode(id));
    // the DER-encoded certificate is carried as an OCTET STRING inside an X.509 CertBag
    X509CertImpl cert = certInfo.getCert();
    ASN1Value certAsn1 = new OCTET_STRING(cert.getEncoded());
    CertBag certBag = new CertBag(CertBag.X509_CERT_TYPE, certAsn1);
    // bag attributes (friendly name, local key ID) link the cert to its key bag
    SET certAttrs = createCertBagAttrs(certInfo);
    SafeBag safeBag = new SafeBag(SafeBag.CERT_BAG, certBag, certAttrs);
    safeContents.addElement(safeBag);
}
Also used:
  org.mozilla.jss.asn1.ASN1Value
  org.mozilla.jss.asn1.OCTET_STRING
  org.mozilla.jss.pkcs12.CertBag
  org.mozilla.jss.asn1.SET
  org.mozilla.jss.netscape.security.x509.X509CertImpl
  org.mozilla.jss.pkcs12.SafeBag

Example 4 with X509CertImpl

Use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project jss by dogtagpki.

Class PKCS12Util, method importKey:

public void importKey(PKCS12 pkcs12, Password password, String nickname, PKCS12KeyInfo keyInfo) throws Exception {
    PKCS12CertInfo certInfo = pkcs12.getCertInfoByKeyID(keyInfo.getID());
    if (certInfo == null) {
        logger.debug("Private key has no certificate, ignore");
        return;
    }
    CryptoManager cm = CryptoManager.getInstance();
    CryptoToken token = cm.getInternalKeyStorageToken();
    PK11Store store = (PK11Store) token.getCryptoStore();
    // the certificate has to be on the token before its private key can be imported
    X509CertImpl certImpl = certInfo.getCert();
    X509Certificate cert = cm.importCACertPackage(certImpl.getEncoded());
    // get public key
    PublicKey publicKey = cert.getPublicKey();
    byte[] epkiBytes = keyInfo.getEncryptedPrivateKeyInfoBytes();
    if (epkiBytes == null) {
        logger.debug("No EncryptedPrivateKeyInfo for key '" + keyInfo.getFriendlyName() + "'; skipping key");
        // without this return the import below would be called with null key bytes
        return;
    }
    try {
        // first try without BMPString-encoding the passphrase.
        store.importEncryptedPrivateKeyInfo(null, password, nickname, publicKey, epkiBytes);
    } catch (Exception e) {
        // if that failed, try again with BMPString-encoded
        // passphrase.  This is required for PKCS #12 PBE
        // schemes and for PKCS #12 files using PBES2 generated
        // by NSS < 3.31
        store.importEncryptedPrivateKeyInfo(new PasswordConverter(), password, nickname, publicKey, epkiBytes);
    }
    // drop the temporary cert-only entry (the caller imports the certificate again
    // with the correct nickname)
    try {
        store.deleteCertOnly(cert);
    } catch (NoSuchItemOnTokenException e) {
        // this is OK
    }
}
Also used:
  org.mozilla.jss.crypto.CryptoToken
  java.security.PublicKey
  org.mozilla.jss.pkcs11.PK11Store
  org.mozilla.jss.netscape.security.x509.X509CertImpl
  org.mozilla.jss.crypto.NoSuchItemOnTokenException
  org.mozilla.jss.pkcs12.PasswordConverter
  org.mozilla.jss.CryptoManager
  org.mozilla.jss.crypto.X509Certificate
  org.mozilla.jss.crypto.ObjectNotFoundException
  java.security.cert.CertificateException
  javax.naming.InvalidNameException

Example 5 with X509CertImpl

Use of org.mozilla.jss.netscape.security.x509.X509CertImpl in project jss by dogtagpki.

Class PKCS12Util, method storeCertIntoNSS:

/**
 * Store a certificate (and key, if present) in NSSDB.
 */
public void storeCertIntoNSS(PKCS12 pkcs12, Password password, PKCS12CertInfo certInfo, boolean overwrite) throws Exception {
    CryptoManager cm = CryptoManager.getInstance();
    CryptoToken ct = cm.getInternalKeyStorageToken();
    CryptoStore store = ct.getCryptoStore();
    String nickname = certInfo.getFriendlyName();
    // an existing cert with this nickname is either kept (return) or removed first
    for (X509Certificate cert : cm.findCertsByNickname(nickname)) {
        if (!overwrite) {
            return;
        }
        store.deleteCert(cert);
    }
    X509CertImpl certImpl = certInfo.getCert();
    X509Certificate cert;
    byte[] keyID = certInfo.getKeyID();
    if (keyID != null) {
        // cert has key: import the key first, then the cert under its friendly name
        logger.debug("Importing private key for " + certInfo.getFriendlyName());
        PKCS12KeyInfo keyInfo = pkcs12.getKeyInfoByID(keyID);
        importKey(pkcs12, password, certInfo.getFriendlyName(), keyInfo);
        logger.debug("Importing user certificate " + certInfo.getFriendlyName());
        cert = cm.importUserCACertPackage(certImpl.getEncoded(), certInfo.getFriendlyName());
    } else {
        // cert has no key: treat it as a CA certificate
        logger.debug("Importing CA certificate " + certInfo.getFriendlyName());
        // Note: JSS does not preserve CA certificate nickname
        cert = cm.importCACertPackage(certImpl.getEncoded());
    }
    // apply NSS trust flags carried in the PKCS #12 file, if enabled
    String trustFlags = certInfo.getTrustFlags();
    if (trustFlags != null && trustFlagsEnabled) {
        PK11Cert pk11Cert = (PK11Cert) cert;
        pk11Cert.setTrustFlags(trustFlags);
    }
}
Also used:
  org.mozilla.jss.crypto.CryptoStore
  org.mozilla.jss.crypto.CryptoToken
  org.mozilla.jss.netscape.security.x509.X509CertImpl
  org.mozilla.jss.CryptoManager
  org.mozilla.jss.asn1.BMPString
  org.mozilla.jss.crypto.X509Certificate
  org.mozilla.jss.pkcs11.PK11Cert
