Example 1 with GeneralNames
use of org.spongycastle.asn1.x509.GeneralNames in project OpenAttestation by OpenAttestation.
the class X509Builder method dnsAlternativeName.
public X509Builder dnsAlternativeName(String dns) {
try {
v3();
String alternativeName = dns;
if (dns.startsWith("dns:")) {
alternativeName = dns.substring(4);
}
DNSName dnsName = new DNSName(alternativeName);
if (alternativeNames == null) {
alternativeNames = new GeneralNames();
}
alternativeNames.add(new GeneralName(dnsName));
SubjectAlternativeNameExtension san = new SubjectAlternativeNameExtension(alternativeNames);
if (certificateExtensions == null) {
certificateExtensions = new CertificateExtensions();
}
certificateExtensions.set(san.getExtensionId().toString(), san);
info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
} catch (Exception e) {
fault(e, "dnsAlternativeName(%s)", dns);
}
return this;
}
Also used :
GeneralNames(sun.security.x509.GeneralNames)
SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension)
CertificateExtensions(sun.security.x509.CertificateExtensions)
GeneralName(sun.security.x509.GeneralName)
DNSName(sun.security.x509.DNSName)
Example 2 with GeneralNames
use of org.spongycastle.asn1.x509.GeneralNames in project Openfire by igniterealtime.
the class CertificateManager method createX509V3Certificate.
/**
* Creates an X509 version3 certificate.
*
* @param kp KeyPair that keeps the public and private keys for the new certificate.
* @param days time to live
* @param issuerBuilder IssuerDN builder
* @param subjectBuilder SubjectDN builder
* @param domain Domain of the server.
* @param signAlgoritm Signature algorithm. This can be either a name or an OID.
* @return X509 V3 Certificate
* @throws GeneralSecurityException
* @throws IOException
*/
public static synchronized X509Certificate createX509V3Certificate(KeyPair kp, int days, X500NameBuilder issuerBuilder, X500NameBuilder subjectBuilder, String domain, String signAlgoritm) throws GeneralSecurityException, IOException {
PublicKey pubKey = kp.getPublic();
PrivateKey privKey = kp.getPrivate();
byte[] serno = new byte[8];
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
random.setSeed((new Date().getTime()));
random.nextBytes(serno);
BigInteger serial = (new java.math.BigInteger(serno)).abs();
X500Name issuerDN = issuerBuilder.build();
X500Name subjectDN = subjectBuilder.build();
// builder
JcaX509v3CertificateBuilder certBuilder = new //
JcaX509v3CertificateBuilder(//
issuerDN, //
serial, //
new Date(), //
new Date(System.currentTimeMillis() + days * (1000L * 60 * 60 * 24)), //
subjectDN, //
pubKey);
// add subjectAlternativeName extension
boolean critical = subjectDN.getRDNs().length == 0;
ASN1Sequence othernameSequence = new DERSequence(new ASN1Encodable[] { new ASN1ObjectIdentifier("1.3.6.1.5.5.7.8.5"), new DERUTF8String(domain) });
GeneralName othernameGN = new GeneralName(GeneralName.otherName, othernameSequence);
GeneralNames subjectAltNames = new GeneralNames(new GeneralName[] { othernameGN });
certBuilder.addExtension(Extension.subjectAlternativeName, critical, subjectAltNames);
// add keyIdentifiers extensions
JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
certBuilder.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(pubKey));
certBuilder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(pubKey));
try {
// build the certificate
ContentSigner signer = new JcaContentSignerBuilder(signAlgoritm).build(privKey);
X509CertificateHolder cert = certBuilder.build(signer);
// verify the validity
if (!cert.isValidOn(new Date())) {
throw new GeneralSecurityException("Certificate validity not valid");
}
// verify the signature (self-signed)
ContentVerifierProvider verifierProvider = new JcaContentVerifierProviderBuilder().build(pubKey);
if (!cert.isSignatureValid(verifierProvider)) {
throw new GeneralSecurityException("Certificate signature not valid");
}
return new JcaX509CertificateConverter().getCertificate(cert);
} catch (OperatorCreationException | CertException e) {
throw new GeneralSecurityException(e);
}
}
Also used :
JcaX509ExtensionUtils(org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils)
PrivateKey(java.security.PrivateKey)
JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)
X500Name(org.bouncycastle.asn1.x500.X500Name)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)
OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)
ContentVerifierProvider(org.bouncycastle.operator.ContentVerifierProvider)
PublicKey(java.security.PublicKey)
GeneralSecurityException(java.security.GeneralSecurityException)
ContentSigner(org.bouncycastle.operator.ContentSigner)
SecureRandom(java.security.SecureRandom)
CertException(org.bouncycastle.cert.CertException)
Date(java.util.Date)
JcaContentVerifierProviderBuilder(org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
Example 3 with GeneralNames
use of org.spongycastle.asn1.x509.GeneralNames in project XobotOS by xamarin.
the class RFC3280CertPathUtilities method processCertBC.
protected static void processCertBC(CertPath certPath, int index, PKIXNameConstraintValidator nameConstraintValidator) throws CertPathValidatorException {
List certs = certPath.getCertificates();
X509Certificate cert = (X509Certificate) certs.get(index);
int n = certs.size();
// i as defined in the algorithm description
int i = n - index;
//
if (!(CertPathValidatorUtilities.isSelfIssued(cert) && (i < n))) {
X500Principal principal = CertPathValidatorUtilities.getSubjectPrincipal(cert);
ASN1InputStream aIn = new ASN1InputStream(principal.getEncoded());
ASN1Sequence dns;
try {
dns = DERSequence.getInstance(aIn.readObject());
} catch (Exception e) {
throw new CertPathValidatorException("Exception extracting subject name when checking subtrees.", e, certPath, index);
}
try {
nameConstraintValidator.checkPermittedDN(dns);
nameConstraintValidator.checkExcludedDN(dns);
} catch (PKIXNameConstraintValidatorException e) {
throw new CertPathValidatorException("Subtree check for certificate subject failed.", e, certPath, index);
}
GeneralNames altName = null;
try {
altName = GeneralNames.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.SUBJECT_ALTERNATIVE_NAME));
} catch (Exception e) {
throw new CertPathValidatorException("Subject alternative name extension could not be decoded.", e, certPath, index);
}
Vector emails = new X509Name(dns).getValues(X509Name.EmailAddress);
for (Enumeration e = emails.elements(); e.hasMoreElements(); ) {
String email = (String) e.nextElement();
GeneralName emailAsGeneralName = new GeneralName(GeneralName.rfc822Name, email);
try {
nameConstraintValidator.checkPermitted(emailAsGeneralName);
nameConstraintValidator.checkExcluded(emailAsGeneralName);
} catch (PKIXNameConstraintValidatorException ex) {
throw new CertPathValidatorException("Subtree check for certificate subject alternative email failed.", ex, certPath, index);
}
}
if (altName != null) {
GeneralName[] genNames = null;
try {
genNames = altName.getNames();
} catch (Exception e) {
throw new CertPathValidatorException("Subject alternative name contents could not be decoded.", e, certPath, index);
}
for (int j = 0; j < genNames.length; j++) {
try {
nameConstraintValidator.checkPermitted(genNames[j]);
nameConstraintValidator.checkExcluded(genNames[j]);
} catch (PKIXNameConstraintValidatorException e) {
throw new CertPathValidatorException("Subtree check for certificate subject alternative name failed.", e, certPath, index);
}
}
}
}
}
Also used :
ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream)
Enumeration(java.util.Enumeration)
X509Certificate(java.security.cert.X509Certificate)
IssuingDistributionPoint(org.bouncycastle.asn1.x509.IssuingDistributionPoint)
CRLDistPoint(org.bouncycastle.asn1.x509.CRLDistPoint)
DistributionPoint(org.bouncycastle.asn1.x509.DistributionPoint)
CertificateExpiredException(java.security.cert.CertificateExpiredException)
GeneralSecurityException(java.security.GeneralSecurityException)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException)
CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException)
CertPathBuilderException(java.security.cert.CertPathBuilderException)
IOException(java.io.IOException)
CertPathValidatorException(java.security.cert.CertPathValidatorException)
ExtCertPathValidatorException(org.bouncycastle.jce.exception.ExtCertPathValidatorException)
ASN1Sequence(org.bouncycastle.asn1.ASN1Sequence)
X509Name(org.bouncycastle.asn1.x509.X509Name)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
X500Principal(javax.security.auth.x500.X500Principal)
List(java.util.List)
ArrayList(java.util.ArrayList)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
Vector(java.util.Vector)
ASN1EncodableVector(org.bouncycastle.asn1.ASN1EncodableVector)
Example 4 with GeneralNames
use of org.spongycastle.asn1.x509.GeneralNames in project nhin-d by DirectProject.
the class CertGenerator method createNewCA.
private static CertCreateFields createNewCA(CertCreateFields fields, KeyPair keyPair, boolean addAltNames) throws Exception {
StringBuilder dnBuilder = new StringBuilder();
String altName = "";
// create the DN
if (fields.getAttributes().containsKey("EMAILADDRESS")) {
dnBuilder.append("EMAILADDRESS=").append(fields.getAttributes().get("EMAILADDRESS")).append(", ");
altName = fields.getAttributes().get("EMAILADDRESS").toString();
}
if (fields.getAttributes().containsKey("CN"))
dnBuilder.append("CN=").append(fields.getAttributes().get("CN")).append(", ");
if (fields.getAttributes().containsKey("C"))
dnBuilder.append("C=").append(fields.getAttributes().get("C")).append(", ");
if (fields.getAttributes().containsKey("ST"))
dnBuilder.append("ST=").append(fields.getAttributes().get("ST")).append(", ");
if (fields.getAttributes().containsKey("L"))
dnBuilder.append("L=").append(fields.getAttributes().get("L")).append(", ");
if (fields.getAttributes().containsKey("O"))
dnBuilder.append("O=").append(fields.getAttributes().get("O")).append(", ");
String DN = dnBuilder.toString().trim();
if (DN.endsWith(","))
DN = DN.substring(0, DN.length() - 1);
X509V3CertificateGenerator v1CertGen = new X509V3CertificateGenerator();
Calendar start = Calendar.getInstance();
Calendar end = Calendar.getInstance();
end.add(Calendar.DAY_OF_MONTH, fields.getExpDays());
v1CertGen.setSerialNumber(BigInteger.valueOf(generatePositiveRandom()));
v1CertGen.setIssuerDN(new X509Principal(DN));
v1CertGen.setNotBefore(start.getTime());
v1CertGen.setNotAfter(end.getTime());
// issuer and subject are the same for a CA
v1CertGen.setSubjectDN(new X509Principal(DN));
v1CertGen.setPublicKey(keyPair.getPublic());
v1CertGen.setSignatureAlgorithm("SHA1WithRSAEncryption");
v1CertGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
if (addAltNames && !altName.isEmpty()) {
int nameType = altName.contains("@") ? GeneralName.rfc822Name : GeneralName.dNSName;
GeneralNames subjectAltName = new GeneralNames(new GeneralName(nameType, altName));
v1CertGen.addExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);
}
X509Certificate newCACert = v1CertGen.generate(keyPair.getPrivate(), CryptoExtensions.getJCEProviderName());
// validate the certificate
newCACert.verify(keyPair.getPublic());
// write the certificate the file system
writeCertAndKey(newCACert, keyPair.getPrivate(), fields);
return fields;
}
Also used :
X509V3CertificateGenerator(org.bouncycastle.x509.X509V3CertificateGenerator)
GeneralNames(org.bouncycastle.asn1.x509.GeneralNames)
X509Principal(org.bouncycastle.jce.X509Principal)
Calendar(java.util.Calendar)
GeneralName(org.bouncycastle.asn1.x509.GeneralName)
BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints)
X509Certificate(java.security.cert.X509Certificate)
Example 5 with GeneralNames
use of org.spongycastle.asn1.x509.GeneralNames in project OpenAM by OpenRock.
the class Cert method getTokenFromSubjectAltExt.
private void getTokenFromSubjectAltExt(X509Certificate cert) throws AuthLoginException {
try {
X509CertImpl certImpl = new X509CertImpl(cert.getEncoded());
X509CertInfo cinfo = new X509CertInfo(certImpl.getTBSCertificate());
CertificateExtensions exts = (CertificateExtensions) cinfo.get(X509CertInfo.EXTENSIONS);
SubjectAlternativeNameExtension altNameExt = (SubjectAlternativeNameExtension) exts.get(SubjectAlternativeNameExtension.NAME);
if (altNameExt != null) {
GeneralNames names = (GeneralNames) altNameExt.get(SubjectAlternativeNameExtension.SUBJECT_NAME);
GeneralName generalname = null;
ObjectIdentifier upnoid = new ObjectIdentifier(UPNOID);
Iterator itr = (Iterator) names.iterator();
while ((userTokenId == null) && itr.hasNext()) {
generalname = (GeneralName) itr.next();
if (generalname != null) {
if (amAuthCert_subjectAltExtMapper.equalsIgnoreCase("UPN") && (generalname.getType() == GeneralNameInterface.NAME_ANY)) {
OtherName othername = (OtherName) generalname.getName();
if (upnoid.equals((Object) (othername.getOID()))) {
byte[] nval = othername.getNameValue();
DerValue derValue = new DerValue(nval);
userTokenId = derValue.getData().getUTF8String();
}
} else if (amAuthCert_subjectAltExtMapper.equalsIgnoreCase("RFC822Name") && (generalname.getType() == GeneralNameInterface.NAME_RFC822)) {
RFC822Name email = (RFC822Name) generalname.getName();
userTokenId = email.getName();
}
}
}
}
} catch (Exception e) {
debug.error("Certificate - " + "Error in getTokenFromSubjectAltExt = ", e);
throw new AuthLoginException(amAuthCert, "CertNoReg", null);
}
}
Also used :
X509CertInfo(sun.security.x509.X509CertInfo)
SubjectAlternativeNameExtension(sun.security.x509.SubjectAlternativeNameExtension)
OtherName(sun.security.x509.OtherName)
AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException)
CertificateExtensions(sun.security.x509.CertificateExtensions)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
AuthLoginException(com.sun.identity.authentication.spi.AuthLoginException)
GeneralNames(sun.security.x509.GeneralNames)
RFC822Name(sun.security.x509.RFC822Name)
X509CertImpl(sun.security.x509.X509CertImpl)
DerValue(sun.security.util.DerValue)
Iterator(java.util.Iterator)
GeneralName(sun.security.x509.GeneralName)
ObjectIdentifier(sun.security.util.ObjectIdentifier)
Aggregations
GeneralNames (org.bouncycastle.asn1.x509.GeneralNames)72
GeneralName (org.bouncycastle.asn1.x509.GeneralName)61
IOException (java.io.IOException)31
X509Certificate (java.security.cert.X509Certificate)22
ArrayList (java.util.ArrayList)19
X500Name (org.bouncycastle.asn1.x500.X500Name)19
DERIA5String (org.bouncycastle.asn1.DERIA5String)15
DEROctetString (org.bouncycastle.asn1.DEROctetString)14
CRLDistPoint (org.bouncycastle.asn1.x509.CRLDistPoint)14
DistributionPoint (org.bouncycastle.asn1.x509.DistributionPoint)14
Date (java.util.Date)13
List (java.util.List)13
X500Principal (javax.security.auth.x500.X500Principal)12
ASN1Encodable (org.bouncycastle.asn1.ASN1Encodable)12
JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)12
GeneralNames (sun.security.x509.GeneralNames)12
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)11
BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)11
JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)11
Test (org.junit.Test)11
