Example 1 with SimpleContextSpecific
use of org.webpki.asn1.SimpleContextSpecific in project openkeystore by cyberphone.
the class CA method createCert.
public X509Certificate createCert(CertSpec certSpec, DistinguishedName issuerName, BigInteger serialNumber, Date startDate, Date endDate, AsymKeySignerInterface signer, PublicKey issuerPublicKey, PublicKey subjectPublicKey) throws IOException, GeneralSecurityException {
Extensions extensions = new Extensions();
BaseASN1Object version = new CompositeContextSpecific(0, new ASN1Integer(2));
DistinguishedName subjectName = certSpec.getSubjectDistinguishedName();
BaseASN1Object validity = new ASN1Sequence(new BaseASN1Object[] { getASN1Time(startDate), getASN1Time(endDate) });
AsymSignatureAlgorithms certSignAlg = signer.getAlgorithm();
BaseASN1Object signatureAlgorithm = new ASN1Sequence(certSignAlg.getKeyType() == KeyTypes.RSA ? new BaseASN1Object[] { new ASN1ObjectID(certSignAlg.getOid()), // Relic from the RSA hey-days...
new ASN1Null() } : new BaseASN1Object[] { new ASN1ObjectID(certSignAlg.getOid()) });
BaseASN1Object subjectPublicKeyInfo = DerDecoder.decode(subjectPublicKey.getEncoded());
// ////////////////////////////////////////////////////
if (certSpec.endEntity) {
extensions.add(CertificateExtensions.BASIC_CONSTRAINTS, false, new ASN1Sequence(new BaseASN1Object[] {}));
}
// ////////////////////////////////////////////////////
if (certSpec.caCert) {
extensions.add(CertificateExtensions.BASIC_CONSTRAINTS, true, new ASN1Sequence(new ASN1Boolean(true)));
}
// ////////////////////////////////////////////////////
if (!certSpec.keyUsageSet.isEmpty()) {
int i = 0;
for (KeyUsageBits kubit : certSpec.keyUsageSet) {
i |= 1 << kubit.ordinal();
}
byte[] keyUsage = new byte[i > 255 ? 2 : 1];
keyUsage[0] = reverseBits(i);
if (i > 255) {
keyUsage[1] = reverseBits(i >> 8);
}
extensions.add(CertificateExtensions.KEY_USAGE, true, new ASN1BitString(keyUsage));
}
// ////////////////////////////////////////////////////
if (!certSpec.extendedKeyUsageSet.isEmpty()) {
int i = 0;
BaseASN1Object[] ekus = new BaseASN1Object[certSpec.extendedKeyUsageSet.size()];
for (ExtendedKeyUsages eku : certSpec.extendedKeyUsageSet.toArray(new ExtendedKeyUsages[0])) {
ekus[i++] = new ASN1ObjectID(eku.getOID());
}
extensions.add(CertificateExtensions.EXTENDED_KEY_USAGE, false, new ASN1Sequence(ekus));
}
// ////////////////////////////////////////////////////
if (certSpec.skiExtension) {
extensions.add(CertificateExtensions.SUBJECT_KEY_IDENTIFIER, createKeyID(subjectPublicKey));
}
// ////////////////////////////////////////////////////
if (certSpec.akiExtension) {
extensions.add(CertificateExtensions.AUTHORITY_KEY_IDENTIFIER, new ASN1Sequence(new SimpleContextSpecific(0, createKeyID(issuerPublicKey))));
}
// ////////////////////////////////////////////////////
if (!certSpec.subjectAltName.isEmpty()) {
int i = 0;
BaseASN1Object[] san = new BaseASN1Object[certSpec.subjectAltName.size()];
for (CertSpec.NameValue nameValue : certSpec.subjectAltName) {
int type = nameValue.name;
// We currently only handle simple IA5String types.
if (type == SubjectAltNameTypes.RFC822_NAME || type == SubjectAltNameTypes.DNS_NAME || type == SubjectAltNameTypes.UNIFORM_RESOURCE_IDENTIFIER) {
if (!(nameValue.value instanceof ASN1IA5String)) {
throw new IOException("Wrong argument type to SubjectAltNames of type " + type);
}
} else // Or IP addresses.
if (type == SubjectAltNameTypes.IP_ADDRESS) {
if (!(nameValue.value instanceof ASN1OctetString)) {
throw new IOException("Wrong argument type to SubjectAltNames of type IP address");
}
} else {
throw new IOException("SubjectAltNames of type " + type + " are not handled.");
}
san[i++] = new SimpleContextSpecific(type, nameValue.value);
}
extensions.add(CertificateExtensions.SUBJECT_ALT_NAME, new ASN1Sequence(san));
}
// ////////////////////////////////////////////////////
if (!certSpec.certPolicyOids.isEmpty()) {
int i = 0;
BaseASN1Object[] policies = new BaseASN1Object[certSpec.certPolicyOids.size()];
for (String oid : certSpec.certPolicyOids) {
policies[i++] = new ASN1Sequence(new ASN1ObjectID(oid));
}
extensions.add(CertificateExtensions.CERTIFICATE_POLICIES, new ASN1Sequence(policies));
}
// ////////////////////////////////////////////////////
if (!certSpec.aiaLocators.isEmpty()) {
int i = 0;
BaseASN1Object[] locators = new BaseASN1Object[certSpec.aiaLocators.size()];
for (String[] loc_info : certSpec.aiaLocators) {
locators[i++] = new ASN1Sequence(new BaseASN1Object[] { new ASN1ObjectID(loc_info[0]), new SimpleContextSpecific(6, new ASN1IA5String(loc_info[1])) });
}
extensions.add(CertificateExtensions.AUTHORITY_INFO_ACCESS, new ASN1Sequence(locators));
}
// ////////////////////////////////////////////////////
if (!certSpec.crlDistPoints.isEmpty()) {
int i = 0;
BaseASN1Object[] cdps = new BaseASN1Object[certSpec.crlDistPoints.size()];
for (String uri : certSpec.crlDistPoints) {
cdps[i++] = new ASN1Sequence(new CompositeContextSpecific(0, new CompositeContextSpecific(0, new SimpleContextSpecific(6, new ASN1IA5String(uri)))));
}
extensions.add(CertificateExtensions.CRL_DISTRIBUTION_POINTS, new ASN1Sequence(cdps));
}
// ////////////////////////////////////////////////////
// Certificate Creation!
// ////////////////////////////////////////////////////
BaseASN1Object[] inner = new BaseASN1Object[extensions.isEmpty() ? 7 : 8];
inner[0] = version;
inner[1] = new ASN1Integer(serialNumber);
inner[2] = signatureAlgorithm;
inner[3] = issuerName.toASN1();
inner[4] = validity;
inner[5] = subjectName.toASN1();
inner[6] = subjectPublicKeyInfo;
if (!extensions.isEmpty()) {
inner[7] = new CompositeContextSpecific(3, extensions.getExtensionData());
}
BaseASN1Object tbsCertificate = new ASN1Sequence(inner);
BaseASN1Object signature = new ASN1BitString(signer.signData(tbsCertificate.encode()));
byte[] certificate = new ASN1Sequence(new BaseASN1Object[] { tbsCertificate, signatureAlgorithm, signature }).encode();
return CertificateUtil.getCertificateFromBlob(certificate);
}
Also used :
ASN1OctetString(org.webpki.asn1.ASN1OctetString)
KeyUsageBits(org.webpki.crypto.KeyUsageBits)
DistinguishedName(org.webpki.asn1.cert.DistinguishedName)
BaseASN1Object(org.webpki.asn1.BaseASN1Object)
CompositeContextSpecific(org.webpki.asn1.CompositeContextSpecific)
ASN1Integer(org.webpki.asn1.ASN1Integer)
IOException(java.io.IOException)
ASN1IA5String(org.webpki.asn1.ASN1IA5String)
ASN1OctetString(org.webpki.asn1.ASN1OctetString)
ASN1BitString(org.webpki.asn1.ASN1BitString)
CertificateExtensions(org.webpki.crypto.CertificateExtensions)
ExtendedKeyUsages(org.webpki.crypto.ExtendedKeyUsages)
ASN1BitString(org.webpki.asn1.ASN1BitString)
ASN1Sequence(org.webpki.asn1.ASN1Sequence)
ASN1ObjectID(org.webpki.asn1.ASN1ObjectID)
ASN1IA5String(org.webpki.asn1.ASN1IA5String)
ASN1Boolean(org.webpki.asn1.ASN1Boolean)
AsymSignatureAlgorithms(org.webpki.crypto.AsymSignatureAlgorithms)
SimpleContextSpecific(org.webpki.asn1.SimpleContextSpecific)
ASN1Null(org.webpki.asn1.ASN1Null)
Example 2 with SimpleContextSpecific
use of org.webpki.asn1.SimpleContextSpecific in project openkeystore by cyberphone.
the class KeyStore2PEMConverter method writePrivateKey.
public void writePrivateKey(PrivateKey privateKey, PublicKey publicKey) throws Exception {
byte[] encoded;
KeyAlgorithms keyAlgorithm = KeyAlgorithms.getKeyAlgorithm(privateKey);
if (privateKey instanceof RSAKey) {
encoded = privateKey.getEncoded();
} else if (privateKey instanceof ECKey) {
JSONObjectReader jwk = JSONParser.parse(new KeyStore2JWKConverter().writePrivateKey(privateKey, publicKey));
encoded = new ASN1Sequence(new BaseASN1Object[] { new ASN1Integer(0), new ASN1Sequence(new BaseASN1Object[] { new ASN1ObjectID(EC_PUBLIC_KEY_OID), new ASN1ObjectID(keyAlgorithm.getECDomainOID()) }), new ASN1OctetString(new ASN1Sequence(new BaseASN1Object[] { new ASN1Integer(1), new ASN1OctetString(jwk.getBinary("d")), new CompositeContextSpecific(1, new ASN1BitString(ArrayUtil.add(new byte[] { 4 }, ArrayUtil.add(jwk.getBinary("x"), jwk.getBinary("y"))))) }).encode()) }).encode();
} else {
encoded = new ASN1Sequence(new BaseASN1Object[] { new ASN1Integer(1), new ASN1Sequence(new ASN1ObjectID(keyAlgorithm.getECDomainOID())), new ASN1OctetString(new ASN1OctetString(OkpSupport.private2RawOkpKey(privateKey, keyAlgorithm)).encode()), new SimpleContextSpecific(1, // BITSTRING unused bits
ArrayUtil.add(// BITSTRING unused bits
new byte[] { 0 }, OkpSupport.public2RawOkpKey(publicKey, keyAlgorithm))) }).encode();
}
writeObject("PRIVATE KEY", encoded);
}
Also used :
ASN1OctetString(org.webpki.asn1.ASN1OctetString)
RSAKey(java.security.interfaces.RSAKey)
BaseASN1Object(org.webpki.asn1.BaseASN1Object)
CompositeContextSpecific(org.webpki.asn1.CompositeContextSpecific)
JSONObjectReader(org.webpki.json.JSONObjectReader)
KeyAlgorithms(org.webpki.crypto.KeyAlgorithms)
ECKey(java.security.interfaces.ECKey)
ASN1Integer(org.webpki.asn1.ASN1Integer)
ASN1BitString(org.webpki.asn1.ASN1BitString)
ASN1Sequence(org.webpki.asn1.ASN1Sequence)
ASN1ObjectID(org.webpki.asn1.ASN1ObjectID)
SimpleContextSpecific(org.webpki.asn1.SimpleContextSpecific)
Aggregations
ASN1BitString (org.webpki.asn1.ASN1BitString)2
ASN1Integer (org.webpki.asn1.ASN1Integer)2
ASN1ObjectID (org.webpki.asn1.ASN1ObjectID)2
ASN1OctetString (org.webpki.asn1.ASN1OctetString)2
ASN1Sequence (org.webpki.asn1.ASN1Sequence)2
BaseASN1Object (org.webpki.asn1.BaseASN1Object)2
CompositeContextSpecific (org.webpki.asn1.CompositeContextSpecific)2
SimpleContextSpecific (org.webpki.asn1.SimpleContextSpecific)2
IOException (java.io.IOException)1
ECKey (java.security.interfaces.ECKey)1
RSAKey (java.security.interfaces.RSAKey)1
ASN1Boolean (org.webpki.asn1.ASN1Boolean)1
ASN1IA5String (org.webpki.asn1.ASN1IA5String)1
ASN1Null (org.webpki.asn1.ASN1Null)1
DistinguishedName (org.webpki.asn1.cert.DistinguishedName)1
AsymSignatureAlgorithms (org.webpki.crypto.AsymSignatureAlgorithms)1
CertificateExtensions (org.webpki.crypto.CertificateExtensions)1
ExtendedKeyUsages (org.webpki.crypto.ExtendedKeyUsages)1
KeyAlgorithms (org.webpki.crypto.KeyAlgorithms)1
KeyUsageBits (org.webpki.crypto.KeyUsageBits)1
