Example 56 with BasicConstraints
use of org.spongycastle.asn1.x509.BasicConstraints in project zookeeper by apache.
the class X509TestHelpers method newSelfSignedCACert.
/**
* Uses the private key of the given key pair to create a self-signed CA certificate with the public half of the
* key pair and the given subject and expiration. The issuer of the new cert will be equal to the subject.
* Returns the new certificate.
* The returned certificate should be used as the trust store. The private key of the input key pair should be
* used to sign certificates that are used by test peers to establish TLS connections to each other.
* @param subject the subject of the new certificate being created.
* @param keyPair the key pair to use. The public key will be embedded in the new certificate, and the private key
* will be used to self-sign the certificate.
* @param expirationMillis expiration of the new certificate, in milliseconds from now.
* @return a new self-signed CA certificate.
* @throws IOException
* @throws OperatorCreationException
* @throws GeneralSecurityException
*/
public static X509Certificate newSelfSignedCACert(X500Name subject, KeyPair keyPair, long expirationMillis) throws IOException, OperatorCreationException, GeneralSecurityException {
Date now = new Date();
X509v3CertificateBuilder builder = initCertBuilder(// for self-signed certs, issuer == subject
subject, now, new Date(now.getTime() + expirationMillis), subject, keyPair.getPublic());
// is a CA
builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
builder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
return buildAndSignCertificate(keyPair.getPrivate(), builder);
}
Also used :
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
KeyUsage(org.bouncycastle.asn1.x509.KeyUsage)
ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
Date(java.util.Date)
Example 57 with BasicConstraints
use of org.spongycastle.asn1.x509.BasicConstraints in project athenz by yahoo.
the class Crypto method generateX509Certificate.
public static X509Certificate generateX509Certificate(PKCS10CertificationRequest certReq, PrivateKey caPrivateKey, X500Name issuer, int validityTimeout, boolean basicConstraints) {
// set validity for the given number of minutes from now
Date notBefore = new Date();
Calendar cal = Calendar.getInstance();
cal.setTime(notBefore);
cal.add(Calendar.MINUTE, validityTimeout);
Date notAfter = cal.getTime();
// Generate self-signed certificate
X509Certificate cert;
try {
JcaPKCS10CertificationRequest jcaPKCS10CertificationRequest = new JcaPKCS10CertificationRequest(certReq);
PublicKey publicKey = jcaPKCS10CertificationRequest.getPublicKey();
X509v3CertificateBuilder caBuilder = new JcaX509v3CertificateBuilder(issuer, BigInteger.valueOf(System.currentTimeMillis()), notBefore, notAfter, certReq.getSubject(), publicKey).addExtension(Extension.basicConstraints, false, new BasicConstraints(basicConstraints)).addExtension(Extension.keyUsage, true, new X509KeyUsage(X509KeyUsage.digitalSignature | X509KeyUsage.keyEncipherment)).addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth }));
// see if we have the dns/rfc822/ip address extensions specified in the csr
ArrayList<GeneralName> altNames = new ArrayList<>();
Attribute[] certAttributes = jcaPKCS10CertificationRequest.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest);
if (certAttributes != null && certAttributes.length > 0) {
for (Attribute attribute : certAttributes) {
Extensions extensions = Extensions.getInstance(attribute.getAttrValues().getObjectAt(0));
GeneralNames gns = GeneralNames.fromExtensions(extensions, Extension.subjectAlternativeName);
// /CLOVER:OFF
if (gns == null) {
continue;
}
// /CLOVER:ON
GeneralName[] names = gns.getNames();
for (GeneralName name : names) {
switch(name.getTagNo()) {
case GeneralName.dNSName:
case GeneralName.iPAddress:
case GeneralName.rfc822Name:
case GeneralName.uniformResourceIdentifier:
altNames.add(name);
break;
}
}
}
if (!altNames.isEmpty()) {
caBuilder.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(altNames.toArray(new GeneralName[0])));
}
}
String signatureAlgorithm = getSignatureAlgorithm(caPrivateKey.getAlgorithm(), SHA256);
ContentSigner caSigner = new JcaContentSignerBuilder(signatureAlgorithm).setProvider(BC_PROVIDER).build(caPrivateKey);
JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BC_PROVIDER);
cert = converter.getCertificate(caBuilder.build(caSigner));
// /CLOVER:OFF
} catch (CertificateException ex) {
LOG.error("generateX509Certificate: Caught CertificateException when generating certificate: " + ex.getMessage());
throw new CryptoException(ex);
} catch (OperatorCreationException ex) {
LOG.error("generateX509Certificate: Caught OperatorCreationException when creating JcaContentSignerBuilder: " + ex.getMessage());
throw new CryptoException(ex);
} catch (InvalidKeyException ex) {
LOG.error("generateX509Certificate: Caught InvalidKeySpecException, invalid key spec is being used: " + ex.getMessage());
throw new CryptoException(ex);
} catch (NoSuchAlgorithmException ex) {
LOG.error("generateX509Certificate: Caught NoSuchAlgorithmException, check to make sure the algorithm is supported by the provider: " + ex.getMessage());
throw new CryptoException(ex);
} catch (Exception ex) {
LOG.error("generateX509Certificate: unable to generate X509 Certificate: {}", ex.getMessage());
throw new CryptoException("Unable to generate X509 Certificate");
}
// /CLOVER:ON
return cert;
}
Also used :
Attribute(org.bouncycastle.asn1.pkcs.Attribute)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
Extensions(org.bouncycastle.asn1.x509.Extensions)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)
X509KeyUsage(org.bouncycastle.jce.X509KeyUsage)
JcaPKCS10CertificationRequest(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest)
KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId)
BCECPublicKey(org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPublicKey)
ContentSigner(org.bouncycastle.operator.ContentSigner)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
InvalidKeySpecException(java.security.spec.InvalidKeySpecException)
CMSException(org.bouncycastle.cms.CMSException)
PKCSException(org.bouncycastle.pkcs.PKCSException)
PEMException(org.bouncycastle.openssl.PEMException)
UnknownHostException(java.net.UnknownHostException)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
Example 58 with BasicConstraints
use of org.spongycastle.asn1.x509.BasicConstraints in project qpid-broker-j by apache.
the class TlsResourceBuilder method generateIntermediateCertificate.
private static X509Certificate generateIntermediateCertificate(final KeyPair keyPair, final KeyCertificatePair rootCA, final String dn, final ValidityPeriod validityPeriod, final String crlUri) throws CertificateException {
try {
final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(rootCA.getCertificate(), generateSerialNumber(), new Date(validityPeriod.getFrom().toEpochMilli()), new Date(validityPeriod.getTo().toEpochMilli()), new X500Name(RFC4519Style.INSTANCE, dn), keyPair.getPublic());
// builder.addExtension(Extension.keyUsage, false, new KeyUsage(KeyUsage.keyCertSign));
builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));
builder.addExtension(createSubjectKeyExtension(keyPair.getPublic()));
builder.addExtension(createAuthorityKeyExtension(rootCA.getCertificate().getPublicKey()));
if (crlUri != null) {
builder.addExtension(createDistributionPointExtension(crlUri));
}
return buildX509Certificate(builder, rootCA.getPrivateKey());
} catch (OperatorException | IOException e) {
throw new CertificateException(e);
}
}
Also used :
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
CertificateException(java.security.cert.CertificateException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
IOException(java.io.IOException)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
Date(java.util.Date)
OperatorException(org.bouncycastle.operator.OperatorException)
Example 59 with BasicConstraints
use of org.spongycastle.asn1.x509.BasicConstraints in project qpid-broker-j by apache.
the class TlsResourceBuilder method createSelfSignedCertificate.
private static X509Certificate createSelfSignedCertificate(final KeyPair keyPair, final String dn, final ValidityPeriod period, final AlternativeName... alternativeName) throws CertificateException {
try {
final X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(new X500Name(RFC4519Style.INSTANCE, dn), generateSerialNumber(), new Date(period.getFrom().toEpochMilli()), new Date(period.getTo().toEpochMilli()), new X500Name(RFC4519Style.INSTANCE, dn), keyPair.getPublic());
builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false));
builder.addExtension(createKeyUsageExtension());
builder.addExtension(createSubjectKeyExtension(keyPair.getPublic()));
builder.addExtension(createAlternateNamesExtension(alternativeName));
return buildX509Certificate(builder, keyPair.getPrivate());
} catch (OperatorException | IOException e) {
throw new CertificateException(e);
}
}
Also used :
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
CertificateException(java.security.cert.CertificateException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
IOException(java.io.IOException)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
Date(java.util.Date)
OperatorException(org.bouncycastle.operator.OperatorException)
Example 60 with BasicConstraints
use of org.spongycastle.asn1.x509.BasicConstraints in project nifi-registry by apache.
the class CertificateUtils method generateSelfSignedX509Certificate.
/**
* Generates a self-signed {@link X509Certificate} suitable for use as a Certificate Authority.
*
* @param keyPair the {@link KeyPair} to generate the {@link X509Certificate} for
* @param dn the distinguished name to user for the {@link X509Certificate}
* @param signingAlgorithm the signing algorithm to use for the {@link X509Certificate}
* @param certificateDurationDays the duration in days for which the {@link X509Certificate} should be valid
* @return a self-signed {@link X509Certificate} suitable for use as a Certificate Authority
* @throws CertificateException if there is an generating the new certificate
*/
public static X509Certificate generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays) throws CertificateException {
try {
ContentSigner sigGen = new JcaContentSignerBuilder(signingAlgorithm).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(keyPair.getPrivate());
SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
Date startDate = new Date();
Date endDate = new Date(startDate.getTime() + TimeUnit.DAYS.toMillis(certificateDurationDays));
X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(reverseX500Name(new X500Name(dn)), getUniqueSerialNumber(), startDate, endDate, reverseX500Name(new X500Name(dn)), subPubKeyInfo);
// Set certificate extensions
// (1) digitalSignature extension
certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement | KeyUsage.nonRepudiation | KeyUsage.cRLSign | KeyUsage.keyCertSign));
certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));
certBuilder.addExtension(Extension.subjectKeyIdentifier, false, new JcaX509ExtensionUtils().createSubjectKeyIdentifier(keyPair.getPublic()));
certBuilder.addExtension(Extension.authorityKeyIdentifier, false, new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(keyPair.getPublic()));
// (2) extendedKeyUsage extension
certBuilder.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth }));
// Sign the certificate
X509CertificateHolder certificateHolder = certBuilder.build(sigGen);
return new JcaX509CertificateConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate(certificateHolder);
} catch (CertIOException | NoSuchAlgorithmException | OperatorCreationException e) {
throw new CertificateException(e);
}
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
KeyPurposeId(org.bouncycastle.asn1.x509.KeyPurposeId)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
ContentSigner(org.bouncycastle.operator.ContentSigner)
KeyUsage(org.bouncycastle.asn1.x509.KeyUsage)
ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)
CertificateException(java.security.cert.CertificateException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
CertIOException(org.bouncycastle.cert.CertIOException)
Date(java.util.Date)
X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
ExtendedKeyUsage(org.bouncycastle.asn1.x509.ExtendedKeyUsage)
Aggregations
BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)63
X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)35
X500Name (org.bouncycastle.asn1.x500.X500Name)30
Date (java.util.Date)29
JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)29
X509Certificate (java.security.cert.X509Certificate)28
JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)27
ContentSigner (org.bouncycastle.operator.ContentSigner)27
JcaX509v3CertificateBuilder (org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)25
BigInteger (java.math.BigInteger)23
KeyUsage (org.bouncycastle.asn1.x509.KeyUsage)22
GeneralName (org.bouncycastle.asn1.x509.GeneralName)20
IOException (java.io.IOException)18
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)17
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)15
ExtendedKeyUsage (org.bouncycastle.asn1.x509.ExtendedKeyUsage)14
CertificateException (java.security.cert.CertificateException)12
SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)12
KeyPair (java.security.KeyPair)10
ArrayList (java.util.ArrayList)10
