Example 1 with DistinguishedName
use of org.webpki.asn1.cert.DistinguishedName in project openkeystore by cyberphone.
the class DistinguishedName method toASN1.
/*
* Get the ASN.1 representation of this <code>DistinguishedName</code>.
* @see org.webpki.asn1
*/
public ASN1Sequence toASN1() {
if (asn1Representation == null) {
BaseASN1Object[] t = new BaseASN1Object[components.size()];
for (int i = 0; i < t.length; i++) {
t[i] = components.get(i).toASN1();
}
asn1Representation = new ASN1Sequence(t);
}
return asn1Representation;
}
Also used :
ASN1Sequence(org.webpki.asn1.ASN1Sequence)
BaseASN1Object(org.webpki.asn1.BaseASN1Object)
Example 2 with DistinguishedName
use of org.webpki.asn1.cert.DistinguishedName in project openkeystore by cyberphone.
the class CA method createCert.
public X509Certificate createCert(CertSpec certSpec, DistinguishedName issuerName, BigInteger serialNumber, Date startDate, Date endDate, AsymKeySignerInterface signer, PublicKey issuerPublicKey, PublicKey subjectPublicKey) throws IOException, GeneralSecurityException {
Extensions extensions = new Extensions();
BaseASN1Object version = new CompositeContextSpecific(0, new ASN1Integer(2));
DistinguishedName subjectName = certSpec.getSubjectDistinguishedName();
BaseASN1Object validity = new ASN1Sequence(new BaseASN1Object[] { getASN1Time(startDate), getASN1Time(endDate) });
AsymSignatureAlgorithms certSignAlg = signer.getAlgorithm();
BaseASN1Object signatureAlgorithm = new ASN1Sequence(certSignAlg.getKeyType() == KeyTypes.RSA ? new BaseASN1Object[] { new ASN1ObjectID(certSignAlg.getOid()), // Relic from the RSA hey-days...
new ASN1Null() } : new BaseASN1Object[] { new ASN1ObjectID(certSignAlg.getOid()) });
BaseASN1Object subjectPublicKeyInfo = DerDecoder.decode(subjectPublicKey.getEncoded());
// ////////////////////////////////////////////////////
if (certSpec.endEntity) {
extensions.add(CertificateExtensions.BASIC_CONSTRAINTS, false, new ASN1Sequence(new BaseASN1Object[] {}));
}
// ////////////////////////////////////////////////////
if (certSpec.caCert) {
extensions.add(CertificateExtensions.BASIC_CONSTRAINTS, true, new ASN1Sequence(new ASN1Boolean(true)));
}
// ////////////////////////////////////////////////////
if (!certSpec.keyUsageSet.isEmpty()) {
int i = 0;
for (KeyUsageBits kubit : certSpec.keyUsageSet) {
i |= 1 << kubit.ordinal();
}
byte[] keyUsage = new byte[i > 255 ? 2 : 1];
keyUsage[0] = reverseBits(i);
if (i > 255) {
keyUsage[1] = reverseBits(i >> 8);
}
extensions.add(CertificateExtensions.KEY_USAGE, true, new ASN1BitString(keyUsage));
}
// ////////////////////////////////////////////////////
if (!certSpec.extendedKeyUsageSet.isEmpty()) {
int i = 0;
BaseASN1Object[] ekus = new BaseASN1Object[certSpec.extendedKeyUsageSet.size()];
for (ExtendedKeyUsages eku : certSpec.extendedKeyUsageSet.toArray(new ExtendedKeyUsages[0])) {
ekus[i++] = new ASN1ObjectID(eku.getOID());
}
extensions.add(CertificateExtensions.EXTENDED_KEY_USAGE, false, new ASN1Sequence(ekus));
}
// ////////////////////////////////////////////////////
if (certSpec.skiExtension) {
extensions.add(CertificateExtensions.SUBJECT_KEY_IDENTIFIER, createKeyID(subjectPublicKey));
}
// ////////////////////////////////////////////////////
if (certSpec.akiExtension) {
extensions.add(CertificateExtensions.AUTHORITY_KEY_IDENTIFIER, new ASN1Sequence(new SimpleContextSpecific(0, createKeyID(issuerPublicKey))));
}
// ////////////////////////////////////////////////////
if (!certSpec.subjectAltName.isEmpty()) {
int i = 0;
BaseASN1Object[] san = new BaseASN1Object[certSpec.subjectAltName.size()];
for (CertSpec.NameValue nameValue : certSpec.subjectAltName) {
int type = nameValue.name;
// We currently only handle simple IA5String types.
if (type == SubjectAltNameTypes.RFC822_NAME || type == SubjectAltNameTypes.DNS_NAME || type == SubjectAltNameTypes.UNIFORM_RESOURCE_IDENTIFIER) {
if (!(nameValue.value instanceof ASN1IA5String)) {
throw new IOException("Wrong argument type to SubjectAltNames of type " + type);
}
} else // Or IP addresses.
if (type == SubjectAltNameTypes.IP_ADDRESS) {
if (!(nameValue.value instanceof ASN1OctetString)) {
throw new IOException("Wrong argument type to SubjectAltNames of type IP address");
}
} else {
throw new IOException("SubjectAltNames of type " + type + " are not handled.");
}
san[i++] = new SimpleContextSpecific(type, nameValue.value);
}
extensions.add(CertificateExtensions.SUBJECT_ALT_NAME, new ASN1Sequence(san));
}
// ////////////////////////////////////////////////////
if (!certSpec.certPolicyOids.isEmpty()) {
int i = 0;
BaseASN1Object[] policies = new BaseASN1Object[certSpec.certPolicyOids.size()];
for (String oid : certSpec.certPolicyOids) {
policies[i++] = new ASN1Sequence(new ASN1ObjectID(oid));
}
extensions.add(CertificateExtensions.CERTIFICATE_POLICIES, new ASN1Sequence(policies));
}
// ////////////////////////////////////////////////////
if (!certSpec.aiaLocators.isEmpty()) {
int i = 0;
BaseASN1Object[] locators = new BaseASN1Object[certSpec.aiaLocators.size()];
for (String[] loc_info : certSpec.aiaLocators) {
locators[i++] = new ASN1Sequence(new BaseASN1Object[] { new ASN1ObjectID(loc_info[0]), new SimpleContextSpecific(6, new ASN1IA5String(loc_info[1])) });
}
extensions.add(CertificateExtensions.AUTHORITY_INFO_ACCESS, new ASN1Sequence(locators));
}
// ////////////////////////////////////////////////////
if (!certSpec.crlDistPoints.isEmpty()) {
int i = 0;
BaseASN1Object[] cdps = new BaseASN1Object[certSpec.crlDistPoints.size()];
for (String uri : certSpec.crlDistPoints) {
cdps[i++] = new ASN1Sequence(new CompositeContextSpecific(0, new CompositeContextSpecific(0, new SimpleContextSpecific(6, new ASN1IA5String(uri)))));
}
extensions.add(CertificateExtensions.CRL_DISTRIBUTION_POINTS, new ASN1Sequence(cdps));
}
// ////////////////////////////////////////////////////
// Certificate Creation!
// ////////////////////////////////////////////////////
BaseASN1Object[] inner = new BaseASN1Object[extensions.isEmpty() ? 7 : 8];
inner[0] = version;
inner[1] = new ASN1Integer(serialNumber);
inner[2] = signatureAlgorithm;
inner[3] = issuerName.toASN1();
inner[4] = validity;
inner[5] = subjectName.toASN1();
inner[6] = subjectPublicKeyInfo;
if (!extensions.isEmpty()) {
inner[7] = new CompositeContextSpecific(3, extensions.getExtensionData());
}
BaseASN1Object tbsCertificate = new ASN1Sequence(inner);
BaseASN1Object signature = new ASN1BitString(signer.signData(tbsCertificate.encode()));
byte[] certificate = new ASN1Sequence(new BaseASN1Object[] { tbsCertificate, signatureAlgorithm, signature }).encode();
return CertificateUtil.getCertificateFromBlob(certificate);
}
Also used :
ASN1OctetString(org.webpki.asn1.ASN1OctetString)
KeyUsageBits(org.webpki.crypto.KeyUsageBits)
DistinguishedName(org.webpki.asn1.cert.DistinguishedName)
BaseASN1Object(org.webpki.asn1.BaseASN1Object)
CompositeContextSpecific(org.webpki.asn1.CompositeContextSpecific)
ASN1Integer(org.webpki.asn1.ASN1Integer)
IOException(java.io.IOException)
ASN1IA5String(org.webpki.asn1.ASN1IA5String)
ASN1OctetString(org.webpki.asn1.ASN1OctetString)
ASN1BitString(org.webpki.asn1.ASN1BitString)
CertificateExtensions(org.webpki.crypto.CertificateExtensions)
ExtendedKeyUsages(org.webpki.crypto.ExtendedKeyUsages)
ASN1BitString(org.webpki.asn1.ASN1BitString)
ASN1Sequence(org.webpki.asn1.ASN1Sequence)
ASN1ObjectID(org.webpki.asn1.ASN1ObjectID)
ASN1IA5String(org.webpki.asn1.ASN1IA5String)
ASN1Boolean(org.webpki.asn1.ASN1Boolean)
AsymSignatureAlgorithms(org.webpki.crypto.AsymSignatureAlgorithms)
SimpleContextSpecific(org.webpki.asn1.SimpleContextSpecific)
ASN1Null(org.webpki.asn1.ASN1Null)
Example 3 with DistinguishedName
use of org.webpki.asn1.cert.DistinguishedName in project openkeystore by cyberphone.
the class CommandLineCA method decodeCommandLine.
void decodeCommandLine(String[] argv) throws IOException {
if (argv.length == 0) {
show();
System.exit(3);
}
for (int i = 0; i < argv.length; i++) {
String arg = argv[i];
if (arg.indexOf('-') != 0) {
bad("Command '" + arg + "' MUST start with a '-'");
}
CmdLineArgument cla = get(arg);
if (cla.optargument == null)
continue;
if (++i >= argv.length) {
bad("Missing argument for command: " + arg);
}
String opt = argv[i];
if (opt.indexOf('-') == 0) {
bad("Argument to command '" + arg + "' MUST NOT start with a '-'");
}
cla.argvalue.add(opt);
}
checkConsistency();
try {
CA ca = new CA();
CertSpec certspec = new CertSpec();
// /////////////////////////////////////////////////////////////
// Create the target certificate key-pair
// /////////////////////////////////////////////////////////////
KeyPairGenerator kpg = null;
if (CMD_ecc_curve.found) {
KeyAlgorithms keyAlgorithm = CMD_ecc_curve.getKeyAlgorithm();
if (keyAlgorithm.getKeyType() == KeyTypes.EC) {
kpg = KeyPairGenerator.getInstance("EC");
kpg.initialize(new ECGenParameterSpec(keyAlgorithm.getJceName()));
} else {
kpg = KeyPairGenerator.getInstance(keyAlgorithm.getJceName());
}
} else {
kpg = KeyPairGenerator.getInstance("RSA");
if (CMD_exponent.found) {
kpg.initialize(new RSAKeyGenParameterSpec(CMD_rsa_key_size.getInteger(), BigInteger.valueOf(CMD_exponent.getInteger())));
} else {
kpg.initialize(CMD_rsa_key_size.getInteger());
}
}
KeyPair key_pair = kpg.generateKeyPair();
PrivateKey priv_key = key_pair.getPrivate();
PublicKey subject_pub_key = key_pair.getPublic();
// /////////////////////////////////////////////////////////////
// Get signature algorithm
// /////////////////////////////////////////////////////////////
AsymSignatureAlgorithms certalg = CMD_sig_alg.getAlgorithm();
// /////////////////////////////////////////////////////////////
// Get the subject DN
// /////////////////////////////////////////////////////////////
certspec.setSubject(CMD_subject_dn.getString());
// /////////////////////////////////////////////////////////////
// Get the signing key and CA certificate(s)
// /////////////////////////////////////////////////////////////
// Assume self-signed
PrivateKey sign_key = priv_key;
PublicKey issuer_pub_key = subject_pub_key;
DistinguishedName issuer = certspec.getSubjectDistinguishedName();
ArrayList<Certificate> cert_path = new ArrayList<>();
if (!CMD_self_signed.found) {
KeyStore ks = KeyStore.getInstance(CMD_ca_ks_type.getString());
ks.load(new FileInputStream(CMD_ca_keystore.getString()), CMD_ca_ks_pass.toCharArray());
String ca_key_alias = CMD_ca_key_alias.getString();
if (ks.isKeyEntry(ca_key_alias)) {
Certificate[] cert_list = ks.getCertificateChain(ca_key_alias);
if (cert_list == null || cert_list.length == 0) {
bad("No certficates found for key alias: " + ca_key_alias);
}
issuer = DistinguishedName.subjectDN((X509Certificate) cert_list[0]);
issuer_pub_key = cert_list[0].getPublicKey();
if (CMD_ca_addpath.found) {
int n = cert_list.length;
if (!CMD_ca_addpath.getString().equals("all")) {
int l = CMD_ca_addpath.getInteger();
if (l < 1 || l > n) {
bad("The \"ca/addpath\" qualifier is out of range");
}
n = l;
}
for (int q = 0; q < n; q++) {
cert_path.add(cert_list[q]);
}
}
} else {
bad("Bad CA key alias: " + ca_key_alias);
}
sign_key = (PrivateKey) ks.getKey(ca_key_alias, CMD_ca_key_pass.toCharArray());
if (sign_key == null) {
bad("No signature key found for key alias: " + ca_key_alias);
}
}
// /////////////////////////////////////////////////////////////
// Get serial number
// /////////////////////////////////////////////////////////////
BigInteger serial = CMD_serial.found ? CMD_serial.getBigInteger() : createSerial();
// /////////////////////////////////////////////////////////////
// Get validity
// /////////////////////////////////////////////////////////////
Date start_date = CMD_valid_start.getDateTime();
Date end_date = CMD_valid_end.getDateTime();
// /////////////////////////////////////////////////////////////
if (CMD_ca_cert.found) {
certspec.setCACertificateConstraint();
} else if (CMD_ee_cert.found) {
certspec.setEndEntityConstraint();
}
// /////////////////////////////////////////////////////////////
for (String arg : CMD_key_usage.argvalue) {
certspec.setKeyUsageBit(KeyUsageBits.getKeyUsageBit(arg));
}
// /////////////////////////////////////////////////////////////
for (String arg : CMD_ext_eku.argvalue) {
certspec.setExtendedKeyUsage(ExtendedKeyUsages.getExtendedKeyUsage(arg));
}
// /////////////////////////////////////////////////////////////
if (CMD_ext_ski.found) {
certspec.setSubjectKeyIdentifier();
}
// /////////////////////////////////////////////////////////////
if (CMD_ext_aki.found) {
certspec.setAuthorityKeyIdentifier();
}
// /////////////////////////////////////////////////////////////
for (String arg : CMD_ext_certpol.argvalue) {
certspec.addCertificatePolicyOID(arg);
}
// /////////////////////////////////////////////////////////////
for (String arg : CMD_ext_ocsp.argvalue) {
certspec.addOCSPResponderURI(arg);
}
// /////////////////////////////////////////////////////////////
for (String arg : CMD_ext_caissuers.argvalue) {
certspec.addCAIssuersURI(arg);
}
// /////////////////////////////////////////////////////////////
for (String arg : CMD_ext_cdp.argvalue) {
certspec.addCRLDistributionPointURI(arg);
}
// /////////////////////////////////////////////////////////////
for (String arg : CMD_ext_email.argvalue) {
certspec.addEmailAddress(arg);
}
// /////////////////////////////////////////////////////////////
for (String arg : CMD_ext_dns.argvalue) {
certspec.addDNSName(arg);
}
// /////////////////////////////////////////////////////////////
for (String arg : CMD_ext_ip.argvalue) {
certspec.addIPAddress(arg);
}
// /////////////////////////////////////////////////////////////
// And now: Create the certificate path...
// /////////////////////////////////////////////////////////////
X509Certificate signer_cert = ca.createCert(certspec, issuer, serial, start_date, end_date, new CertificateSigner(sign_key, certalg), issuer_pub_key, subject_pub_key);
cert_path.add(0, signer_cert);
// /////////////////////////////////////////////////////////////
// The final: Write the whole thing out
// /////////////////////////////////////////////////////////////
KeyStore ks = KeyStore.getInstance(CMD_out_ks_type.getString());
if (CMD_out_update.found) {
ks.load(new FileInputStream(CMD_out_keystore.getString()), CMD_out_ks_pass.toCharArray());
} else {
ks.load(null, null);
}
FileOutputStream ofile = new FileOutputStream(CMD_out_keystore.getString());
ks.setKeyEntry(CMD_out_key_alias.getString(), priv_key, CMD_out_pkey_pass.toCharArray(), cert_path.toArray(new Certificate[0]));
ks.store(ofile, CMD_out_ks_pass.toCharArray());
} catch (GeneralSecurityException gse) {
bad(gse.getMessage());
}
}
Also used :
PrivateKey(java.security.PrivateKey)
ECGenParameterSpec(java.security.spec.ECGenParameterSpec)
ArrayList(java.util.ArrayList)
RSAKeyGenParameterSpec(java.security.spec.RSAKeyGenParameterSpec)
KeyAlgorithms(org.webpki.crypto.KeyAlgorithms)
KeyPair(java.security.KeyPair)
DistinguishedName(org.webpki.asn1.cert.DistinguishedName)
PublicKey(java.security.PublicKey)
GeneralSecurityException(java.security.GeneralSecurityException)
KeyPairGenerator(java.security.KeyPairGenerator)
KeyStore(java.security.KeyStore)
FileInputStream(java.io.FileInputStream)
X509Certificate(java.security.cert.X509Certificate)
Date(java.util.Date)
FileOutputStream(java.io.FileOutputStream)
BigInteger(java.math.BigInteger)
AsymSignatureAlgorithms(org.webpki.crypto.AsymSignatureAlgorithms)
X509Certificate(java.security.cert.X509Certificate)
Certificate(java.security.cert.Certificate)
Aggregations
ASN1Sequence (org.webpki.asn1.ASN1Sequence)2
BaseASN1Object (org.webpki.asn1.BaseASN1Object)2
DistinguishedName (org.webpki.asn1.cert.DistinguishedName)2
AsymSignatureAlgorithms (org.webpki.crypto.AsymSignatureAlgorithms)2
FileInputStream (java.io.FileInputStream)1
FileOutputStream (java.io.FileOutputStream)1
IOException (java.io.IOException)1
BigInteger (java.math.BigInteger)1
GeneralSecurityException (java.security.GeneralSecurityException)1
KeyPair (java.security.KeyPair)1
KeyPairGenerator (java.security.KeyPairGenerator)1
KeyStore (java.security.KeyStore)1
PrivateKey (java.security.PrivateKey)1
PublicKey (java.security.PublicKey)1
Certificate (java.security.cert.Certificate)1
X509Certificate (java.security.cert.X509Certificate)1
ECGenParameterSpec (java.security.spec.ECGenParameterSpec)1
RSAKeyGenParameterSpec (java.security.spec.RSAKeyGenParameterSpec)1
ArrayList (java.util.ArrayList)1
Date (java.util.Date)1
