
Example 26 with X509CertInfo

Use of X509CertInfo in project mockserver by mock-server. Note that mockserver's X509Generator imports the JDK-internal sun.security.x509.X509CertInfo, which exposes the same set/get API as org.mozilla.jss.netscape.security.x509.X509CertInfo (the JSS classes descend from the same Netscape/Sun code).

From class X509Generator, method generateRootX509AndPrivateKey:

public X509AndPrivateKey generateRootX509AndPrivateKey(final CertificateSigningRequest csr) throws IOException, NoSuchAlgorithmException, CertificateException, InvalidKeyException, NoSuchProviderException, SignatureException {
    final KeyPair keyPair = generateKeyPair(csr.getKeyPairAlgorithm(), csr.getKeyPairSize());
    // a root CA certificate is self-issued, so the same name serves as subject and issuer
    final X500Name subjectAndIssuer = new X500Name(buildDistinguishedName(csr.getCommonName()));
    X509CertInfo x509CertInfo = buildX509CertInfo(subjectAndIssuer, subjectAndIssuer, keyPair.getPublic(), csr);
    // adds the CA-specific extensions (see updateWithRootCertificateExtensions)
    updateWithRootCertificateExtensions(x509CertInfo, keyPair.getPublic());
    // self-signed: the root's own private key signs the certificate
    return signX509KeyPair(keyPair.getPrivate(), keyPair, x509CertInfo, csr.getSigningAlgorithm());
}

Example 27 with X509CertInfo

Use of X509CertInfo in project mockserver by mock-server (as above, mockserver's X509Generator imports sun.security.x509.X509CertInfo, whose set/get API matches the JSS class).

From class X509Generator, method updateWithCertificateExtensions:

private void updateWithCertificateExtensions(final X509CertInfo x509CertInfo, final PublicKey publicKey, final PublicKey caPublicKey, final Set<String> subjectAlternativeNames) throws IOException, CertificateException {
    CertificateExtensions certificateExtensions = new CertificateExtensions();
    // collect the non-blank SAN strings that buildGeneralName can parse into a GeneralNames sequence
    GeneralNames generalNames = subjectAlternativeNames.stream()
        .filter(StringUtils::isNotBlank)
        .map(this::buildGeneralName)
        .filter(Objects::nonNull)
        .collect(Collector.of(GeneralNames::new, GeneralNames::add,
            // do nothing: the combiner is never invoked on a sequential stream
            (generalNames1, generalNames2) -> null));
    // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.6 (Subject Alternative Name; non-critical because the subject DN is populated)
    if (!generalNames.isEmpty()) {
        certificateExtensions.set(SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(Boolean.FALSE, generalNames));
    }
    // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.2 (Subject Key Identifier, derived from the certificate's own public key)
    certificateExtensions.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension(new KeyIdentifier(publicKey).getIdentifier()));
    // See: https://tools.ietf.org/html/rfc5280#section-4.2.1.1 (Authority Key Identifier, derived from the issuing CA's public key so chain building can match it to the CA's SKI)
    certificateExtensions.set(AuthorityKeyIdentifierExtension.NAME, new AuthorityKeyIdentifierExtension(new KeyIdentifier(caPublicKey), null, null));
    // See: https://tools.ietf.org/html/rfc5280#section-4.2 (certificate extensions)
    x509CertInfo.set(X509CertInfo.EXTENSIONS, certificateExtensions);
}

Example 28 with X509CertInfo

Use of org.mozilla.jss.netscape.security.x509.X509CertInfo in project jss by dogtagpki.

From class CertPrettyPrint, method X509toString:

public String X509toString(Locale clientLocale) {
    // get I18N resources
    ResourceBundle resource = ResourceBundle.getBundle(PrettyPrintResources.class.getName());
    DateFormat dateFormater = DateFormat.getDateTimeInstance(DateFormat.FULL, DateFormat.FULL, clientLocale);
    // get timezone and timezone ID
    String tz = " ";
    String tzid = " ";
    StringBuffer sb = new StringBuffer();
    try {
        X509CertInfo info = (X509CertInfo) mX509Cert.get(X509CertImpl.NAME + "." + X509CertImpl.INFO);
        String serial2 = mX509Cert.getSerialNumber().toString(16).toUpperCase();
        // get correct instance of key
        PublicKey pKey = mX509Cert.getPublicKey();
        X509Key key = null;
        if (pKey instanceof CertificateX509Key) {
            CertificateX509Key certKey = (CertificateX509Key) pKey;
            key = (X509Key) certKey.get(CertificateX509Key.KEY);
        }
        if (pKey instanceof X509Key) {
            key = (X509Key) pKey;
        }
        // take care of spki
        sb.append(pp.indent(4) + resource.getString(PrettyPrintResources.TOKEN_CERTIFICATE) + "\n");
        sb.append(pp.indent(8) + resource.getString(PrettyPrintResources.TOKEN_DATA) + "\n");
        sb.append(pp.indent(12) + resource.getString(PrettyPrintResources.TOKEN_VERSION) + " v");
        sb.append((mX509Cert.getVersion() + 1) + "\n");
        sb.append(pp.indent(12) + resource.getString(PrettyPrintResources.TOKEN_SERIAL) + "0x" + serial2 + "\n");
        // XXX I18N Algorithm Name ?
        sb.append(pp.indent(12) + resource.getString(PrettyPrintResources.TOKEN_SIGALG) + mX509Cert.getSigAlgName() + " - " + mX509Cert.getSigAlgOID() + "\n");
        // XXX I18N IssuerDN ?
        sb.append(pp.indent(12) + resource.getString(PrettyPrintResources.TOKEN_ISSUER) + mX509Cert.getIssuerX500Principal() + "\n");
        sb.append(pp.indent(12) + resource.getString(PrettyPrintResources.TOKEN_VALIDITY) + "\n");
        String notBefore = dateFormater.format(mX509Cert.getNotBefore());
        String notAfter = dateFormater.format(mX509Cert.getNotAfter());
        // get timezone and timezone ID
        if (TimeZone.getDefault() != null) {
            tz = TimeZone.getDefault().getDisplayName(TimeZone.getDefault().inDaylightTime(mX509Cert.getNotBefore()), TimeZone.SHORT, clientLocale);
            tzid = TimeZone.getDefault().getID();
        }
        // Specify notBefore
        if (tz.equals(tzid) || tzid.equals(CUSTOM_LOCALE)) {
            // Do NOT append timezone ID
            sb.append(pp.indent(16) + resource.getString(PrettyPrintResources.TOKEN_NOT_BEFORE) + notBefore + "\n");
        } else {
            // Append timezone ID
            sb.append(pp.indent(16) + resource.getString(PrettyPrintResources.TOKEN_NOT_BEFORE) + notBefore + " " + tzid + "\n");
        }
        // re-get timezone (just in case it is different . . .)
        if (TimeZone.getDefault() != null) {
            tz = TimeZone.getDefault().getDisplayName(TimeZone.getDefault().inDaylightTime(mX509Cert.getNotAfter()), TimeZone.SHORT, clientLocale);
        }
        // Specify notAfter
        if (tz.equals(tzid) || tzid.equals(CUSTOM_LOCALE)) {
            // Do NOT append timezone ID
            sb.append(pp.indent(16) + resource.getString(PrettyPrintResources.TOKEN_NOT_AFTER) + notAfter + "\n");
        } else {
            // Append timezone ID
            sb.append(pp.indent(16) + resource.getString(PrettyPrintResources.TOKEN_NOT_AFTER) + notAfter + " " + tzid + "\n");
        }
        // XXX I18N SubjectDN ?
        sb.append(pp.indent(12) + resource.getString(PrettyPrintResources.TOKEN_SUBJECT) + mX509Cert.getSubjectX500Principal() + "\n");
        sb.append(pp.indent(12) + resource.getString(PrettyPrintResources.TOKEN_SPKI) + "\n");
        PubKeyPrettyPrint pkpp = new PubKeyPrettyPrint(key);
        sb.append(pkpp.toString(clientLocale, 16, 16));
        // take care of extensions
        CertificateExtensions extensions = (CertificateExtensions) info.get(X509CertInfo.EXTENSIONS);
        sb.append(pp.indent(12) + resource.getString(PrettyPrintResources.TOKEN_EXTENSIONS) + "\n");
        if (extensions != null) {
            for (int i = 0; i < extensions.size(); i++) {
                Extension ext = extensions.elementAt(i);
                ExtPrettyPrint extpp = new ExtPrettyPrint(ext, 16);
                sb.append(extpp.toString());
            }
        }
        // take care of signature
        sb.append(pp.indent(8) + resource.getString(PrettyPrintResources.TOKEN_SIGNATURE) + "\n");
        // XXX I18N Algorithm Name ?
        sb.append(pp.indent(12) + resource.getString(PrettyPrintResources.TOKEN_ALGORITHM) + mX509Cert.getSigAlgName() + " - " + mX509Cert.getSigAlgOID() + "\n");
        sb.append(pp.indent(12) + resource.getString(PrettyPrintResources.TOKEN_SIGNATURE) + "\n");
        sb.append(pp.toHexString(mX509Cert.getSignature(), 16, 16));
        // fingerprints over the DER-encoded certificate; MD2 and MD5 are listed for display
        // compatibility only and are not collision resistant, so rely on the SHA-2 values
        String[] hashes = new String[] { "MD2", "MD5", "SHA-1", "SHA-256", "SHA-512" };
        StringBuffer certFingerprints = new StringBuffer();
        sb.append(pp.indent(8) + "FingerPrint\n");
        for (int i = 0; i < hashes.length; i++) {
            MessageDigest md = MessageDigest.getInstance(hashes[i]);
            md.update(mX509Cert.getEncoded());
            certFingerprints.append(pp.indent(12) + hashes[i] + ":\n" + pp.toHexString(md.digest(), 16, 16));
        }
        sb.append(certFingerprints.toString());
    } catch (Exception e) {
        e.printStackTrace();
    }
    return sb.toString();
}

Example 29 with X509CertInfo

Use of org.mozilla.jss.netscape.security.x509.X509CertInfo in project jss by dogtagpki.

From class X509CertTest, method createX509CertInfo:

public static X509CertInfo createX509CertInfo(X509Key x509key, BigInteger serialno, CertificateIssuerName issuernameObj, String subjname, Date notBefore, Date notAfter, String alg) throws Exception {
    X509CertInfo info = new X509CertInfo();
    // version 3 is required for a certificate that carries extensions
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(serialno));
    // the issuer is optional here; when omitted the caller is expected to set it before signing
    if (issuernameObj != null) {
        info.set(X509CertInfo.ISSUER, issuernameObj);
    }
    info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(new X500Name(subjname)));
    info.set(X509CertInfo.VALIDITY, new CertificateValidity(notBefore, notAfter));
    // the algorithm identifier recorded in tbsCertificate must match the one used to sign
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(AlgorithmId.get(alg)));
    info.set(X509CertInfo.KEY, new CertificateX509Key(x509key));
    // start with an empty extension set; callers add extensions as needed
    info.set(X509CertInfo.EXTENSIONS, new CertificateExtensions());
    return info;
}

Example 30 with X509CertInfo

Use of org.mozilla.jss.netscape.security.x509.X509CertInfo in project jss by dogtagpki.

From class X509CertTest, method testRSA:

public static void testRSA(CryptoToken token, Date notBefore, Date notAfter) throws Exception {
    X509CertImpl certImpl = null;
    X509CertInfo certInfo = null;
    KeyPairGenerator gen = token.getKeyPairGenerator(KeyPairAlgorithm.RSA);
    // CA key pair, generated on the token
    gen.initialize(4096);
    KeyPair keypairCA = gen.genKeyPair();
    testKeys(keypairCA);
    PublicKey pubCA = keypairCA.getPublic();
    // end-entity (user) key pair; its public key goes into the certificate
    gen.initialize(4096);
    KeyPair keypairUser = gen.genKeyPair();
    testKeys(keypairUser);
    PublicKey pubUser = keypairUser.getPublic();
    CertificateIssuerName issuernameObj = new CertificateIssuerName(new X500Name(issuerDN));
    // build the tbsCertificate with serial number 1, then sign it with the CA private key
    certInfo = createX509CertInfo(convertPublicKeyToX509Key(pubUser), BigInteger.valueOf(1), issuernameObj, subjectDN, notBefore, notAfter, "SHA256withRSA");
    certImpl = new X509CertImpl(certInfo);
    certImpl.sign(keypairCA.getPrivate(), "SHA256withRSA");
    String certOutput = certImpl.toString();
    System.out.println("Test certificate output: \n" + certOutput);
}