
Example 1 with X500

use of org.wildfly.security.x500.X500 in project wildfly-core by wildfly.

the class DomainTestCase method populateCertificateChain.

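/**
 * Builds a five-certificate test chain, ordered leaf first and self-signed root last.
 * <p>
 * Certificate {@code i} has subject {@code CN=bob<i>} and carries public key {@code i}. The
 * last certificate is self-signed; every other one names {@code CN=bob<i+1>} as issuer and is
 * signed with private key {@code i+1}, so {@code orderedCertificates[i]} verifies with
 * {@code orderedCertificates[i+1].getPublicKey()}. All signatures use SHA256withRSA over
 * 2048-bit RSA keys.
 * <p>
 * When {@code includeSubjectAltNames} is set, each non-root certificate also gets a Subject
 * Alternative Name extension listing {@code bob<i>@example.com}, {@code bob<i>.example.com}
 * and {@code bob<i>@anotherexample.com}. The extension is flagged critical, which RFC 5280
 * only requires for an empty subject; with the non-empty subjects used here that is unusual
 * and worth remembering when this fixture is fed to a strict validator.
 *
 * @param includeSubjectAltNames whether the non-root certificates carry the SAN extension
 * @return the chain, index 0 being the leaf and index 4 the self-signed root
 * @throws Exception if the certificate builder cannot produce a certificate
 */
private static X509Certificate[] populateCertificateChain(boolean includeSubjectAltNames) throws Exception {
    final KeyPairGenerator keyPairGenerator;
    try {
        keyPairGenerator = KeyPairGenerator.getInstance("RSA");
    } catch (NoSuchAlgorithmException e) {
        // every conforming JDK ships RSA; its absence is a broken runtime, not a test outcome
        throw new IllegalStateException("RSA KeyPairGenerator is not available", e);
    }
    // Fix the modulus size instead of trusting the provider default, so the chain is not
    // rejected by JDK algorithm constraints on a runtime with a weaker default.
    keyPairGenerator.initialize(2048);

    final int chainLength = 5;
    final KeyPair[] keyPairs = new KeyPair[chainLength];
    for (int i = 0; i < chainLength; i++) {
        keyPairs[i] = keyPairGenerator.generateKeyPair();
    }

    final X509Certificate[] orderedCertificates = new X509Certificate[chainLength];
    for (int i = 0; i < chainLength; i++) {
        final X500Principal subjectDn = commonNameDn("bob" + i);
        final X509CertificateBuilder builder = new X509CertificateBuilder();
        builder.setSubjectDn(subjectDn);
        if (i == chainLength - 1) {
            // self-signed root: issuer equals subject and the certificate's own key signs it
            builder.setIssuerDn(subjectDn);
            builder.setSigningKey(keyPairs[i].getPrivate());
        } else {
            // leaf / intermediate: issued and signed by the next certificate up the chain
            builder.setIssuerDn(commonNameDn("bob" + (i + 1)));
            builder.setSigningKey(keyPairs[i + 1].getPrivate());
            if (includeSubjectAltNames) {
                builder.addExtension(new SubjectAlternativeNamesExtension(true, Arrays.asList(
                        new GeneralName.RFC822Name("bob" + i + "@example.com"),
                        new GeneralName.DNSName("bob" + i + ".example.com"),
                        new GeneralName.RFC822Name("bob" + i + "@anotherexample.com"))));
            }
        }
        builder.setSignatureAlgorithmName("SHA256withRSA");
        builder.setPublicKey(keyPairs[i].getPublic());
        orderedCertificates[i] = builder.build();
    }
    return orderedCertificates;
}

/**
 * Builds a distinguished name made of the single RDN {@code CN=<commonName>}, the value
 * being encoded as a UTF8String.
 *
 * @param commonName value of the common name attribute
 * @return the principal
 */
private static X500Principal commonNameDn(String commonName) {
    final X500PrincipalBuilder principalBuilder = new X500PrincipalBuilder();
    principalBuilder.addItem(X500AttributeTypeAndValue.create(X500.OID_AT_COMMON_NAME, ASN1Encodable.ofUtf8String(commonName)));
    return principalBuilder.build();
}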

Example 2 with X500

use of X500 name handling in project ca3sCore by kuehne-trustable-de (note: this example works with org.bouncycastle.asn1.x500 and javax.naming.ldap types, not org.wildfly.security.x500.X500).

the class CertificateUtil method insertNameAttributes.

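/**
 * Records every component of {@code x500NameSubject} as a multi-valued attribute named
 * {@code attributeName} on {@code cert}, so the certificate can later be looked up by any
 * part of its subject (or issuer) name.
 * <p>
 * Two passes are made. The first parses {@code x500NameSubject.toString()} with JNDI's
 * {@link LdapName} and stores {@code type=value} per RDN using the symbolic type as written
 * (e.g. {@code cn=example}); if that string is not a valid LDAP DN the pass is skipped and
 * logged. The second walks the BouncyCastle RDNs directly and stores the bare value,
 * {@code <oid>=value} and, when the type renders differently from its OID, {@code <type>=value}.
 * Multi-valued RDNs contribute one entry per type/value pair.
 * <p>
 * Types and values are lower-cased with {@link java.util.Locale#ROOT} so the stored keys do
 * not depend on the JVM default locale (under a Turkish locale {@code I} would otherwise
 * become dotless {@code ı} and break lookups). Values are trimmed but not otherwise normalised.
 *
 * @param cert            certificate entity receiving the attributes
 * @param attributeName   attribute name under which every component is stored
 * @param x500NameSubject name to decompose
 */
public void insertNameAttributes(Certificate cert, String attributeName, X500Name x500NameSubject) {
    final java.util.Locale root = java.util.Locale.ROOT;
    try {
        List<Rdn> rdnList = new LdapName(x500NameSubject.toString()).getRdns();
        for (Rdn rdn : rdnList) {
            // NOTE(review): Rdn.getValue() returns byte[] for binary (#hex) values, whose
            // toString() is not meaningful - confirm such subjects cannot occur here.
            String rdnExpression = rdn.getType().toLowerCase(root) + "=" + rdn.getValue().toString().toLowerCase(root).trim();
            setCertMultiValueAttribute(cert, attributeName, rdnExpression);
        }
    } catch (InvalidNameException e) {
        // best effort: the OID-based pass below still records every component
        LOG.info("problem parsing RDN for {}: {}", x500NameSubject, e.getMessage());
    }
    for (RDN rdn : x500NameSubject.getRDNs()) {
        for (org.bouncycastle.asn1.x500.AttributeTypeAndValue atv : rdn.getTypesAndValues()) {
            String value = atv.getValue().toString().toLowerCase(root).trim();
            setCertMultiValueAttribute(cert, attributeName, value);
            String oid = atv.getType().getId().toLowerCase(root);
            setCertMultiValueAttribute(cert, attributeName, oid + "=" + value);
            // only add the type's string form when it differs from the dotted OID
            String typeName = atv.getType().toString().toLowerCase(root);
            if (!oid.equals(typeName)) {
                setCertMultiValueAttribute(cert, attributeName, typeName + "=" + value);
            }
        }
    }
}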

Example 3 with X500

use of X500 name handling in project ca3sCore by kuehne-trustable-de (note: this example works with org.bouncycastle.asn1.x500 and javax.naming.ldap types, not org.wildfly.security.x500.X500).

the class CSRUtil method buildCSR.

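/** OID of the PKCS#9 {@code challengePassword} request attribute (RFC 2985); its value is a shared secret. */
private static final String CHALLENGE_PASSWORD_OID = "1.2.840.113549.1.9.7";

/**
 * Creates, populates and persists a {@link CSR} entity from a parsed PKCS#10 request.
 * <p>
 * The stored PEM is re-encoded from the parsed request ({@code p10ReqHolder}) rather than
 * taken from {@code csrBase64}, so material a client may have pasted alongside the request
 * (a private key, markup aimed at the UI, ...) never reaches the database. Beyond the core
 * fields the method records: algorithm details as {@link CsrAttribute}s, the subject RDNs as
 * {@link RDN}/{@link RDNAttribute} rows, searchable subject components via
 * {@link #insertNameAttributes}, every SAN both untyped and with a type prefix
 * ({@code DNS:}, {@code IP:}, ...), the PKCS#10 request attributes, and the requestor name.
 * If the subject is empty, the first DNS SAN is promoted to a {@code CN} RDN.
 * <p>
 * The entity is saved once before the child rows are built and again at the end; the first
 * save presumably gives it an identity the child rows can reference - confirm against the JPA
 * mapping before reordering. Request attributes are attached to the entity but not saved
 * through a repository of their own here, so their persistence relies on the final save.
 * <p>
 * Security: request attribute values are written to the DEBUG log, except the PKCS#9
 * challengePassword, which is redacted. The value is still persisted as a
 * {@link RequestAttributeValue} and is contained in the stored PEM anyway.
 *
 * @param csrBase64     request text as submitted by the client; intentionally not stored
 * @param requestorName name of the requesting user, recorded as {@code requestedBy} and as the
 *                      {@code ATTRIBUTE_REQUESTED_BY} attribute
 * @param p10ReqHolder  parsed request supplying subject, key, algorithms, SANs and attributes
 * @param pipelineType  type of the pipeline the request enters
 * @param pipeline      pipeline the request is assigned to
 * @return the persisted CSR entity
 * @throws IOException if the request cannot be re-encoded as PEM
 */
public CSR buildCSR(final String csrBase64, String requestorName, final Pkcs10RequestHolder p10ReqHolder, PipelineType pipelineType, Pipeline pipeline) throws IOException {
    CSR csr = new CSR();
    csr.setStatus(CsrStatus.PENDING);
    csr.setPipeline(pipeline);
    csr.setPipelineType(pipelineType);

    // Do not forward the raw request text: it may carry an accidentally included private key
    // or markup aimed at the UI. Only the parsed PKCS#10 structure is re-encoded and stored.
    csr.setCsrBase64(CryptoUtil.pkcs10RequestToPem(p10ReqHolder.getP10Req()));
    csr.setSubject(p10ReqHolder.getSubject());

    // readable names for the signing and key algorithms
    String sigAlgName = OidNameMapper.lookupOid(p10ReqHolder.getSigningAlgorithm());
    String keyAlgName = getKeyAlgoName(sigAlgName);
    csr.setSigningAlgorithm(sigAlgName);
    csr.setIsCSRValid(p10ReqHolder.isCSRValid());
    csr.setx509KeySpec(p10ReqHolder.getX509KeySpec());
    csr.setPublicKeyAlgorithm(keyAlgName);
    csr.setPublicKeyHash(p10ReqHolder.getPublicKeyHash());
    csr.setKeyLength(CertificateUtil.getAlignedKeyLength(p10ReqHolder.getPublicSigningKey()));
    csr.setServersideKeyGeneration(false);
    csr.setSubjectPublicKeyInfoBase64(p10ReqHolder.getSubjectPublicKeyInfoBase64());
    // TODO: the process instance id is not recorded yet (setProcessInstanceId)
    csr.setRequestedOn(Instant.now());
    csr.setRequestedBy(requestorName);
    csrRepository.save(csr);

    AlgorithmInfo algorithmInfo = p10ReqHolder.getAlgorithmInfo();
    setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_HASH_ALGO, algorithmInfo.getHashAlgName(), false);
    setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_SIGN_ALGO, algorithmInfo.getSigAlgName(), false);
    setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_PADDING_ALGO, algorithmInfo.getPaddingAlgName(), false);
    if (algorithmInfo.getMfgName() != null && !algorithmInfo.getMfgName().isEmpty()) {
        setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_MFG, algorithmInfo.getMfgName(), false);
    }

    // subject RDNs: one entity per RDN, one attribute entity per type/value pair
    LOG.debug("RDN arr #{}", p10ReqHolder.getSubjectRDNs().length);
    Set<RDN> newRdns = new HashSet<>();
    for (org.bouncycastle.asn1.x500.RDN currentRdn : p10ReqHolder.getSubjectRDNs()) {
        RDN rdn = new RDN();
        rdn.csr(csr);
        LOG.debug("AttributeTypeAndValue arr #{}", currentRdn.size());
        Set<RDNAttribute> rdnAttributes = new HashSet<>();
        for (AttributeTypeAndValue attrTV : currentRdn.getTypesAndValues()) {
            RDNAttribute rdnAttr = new RDNAttribute();
            rdnAttr.setRdn(rdn);
            rdnAttr.setAttributeType(attrTV.getType().toString());
            rdnAttr.setAttributeValue(attrTV.getValue().toString());
            rdnAttributes.add(rdnAttr);
        }
        rdn.setRdnAttributes(rdnAttributes);
        newRdns.add(rdn);
    }

    // searchable subject components: once from the DN string (best effort), once from the RDNs
    try {
        insertNameAttributes(csr, CsrAttribute.ATTRIBUTE_SUBJECT, new LdapName(p10ReqHolder.getSubject()));
    } catch (InvalidNameException e) {
        LOG.info("problem parsing RDN for {}: {}", p10ReqHolder.getSubject(), e.getMessage());
    }
    insertNameAttributes(csr, CsrAttribute.ATTRIBUTE_SUBJECT, p10ReqHolder.getSubjectRDNs());

    Set<GeneralName> gNameSet = getSANList(p10ReqHolder);
    LOG.debug("putting SANs into CSRAttributes");
    StringBuilder allSans = new StringBuilder();
    for (GeneralName gName : gNameSet) {
        String sanValue = gName.getName().toString();
        if (GeneralName.otherName == gName.getTagNo()) {
            // otherName payloads are arbitrary ASN.1; a placeholder is stored instead of a raw dump
            sanValue = "--other value--";
        }
        if (allSans.length() > 0) {
            allSans.append(';');
        }
        allSans.append(sanValue);
        setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_SAN, sanValue, true);
        String typePrefix = typedSanPrefix(gName.getTagNo());
        if (typePrefix != null) {
            setCsrAttribute(csr, CsrAttribute.ATTRIBUTE_TYPED_SAN, typePrefix + sanValue, true);
        } else {
            LOG.info("unexpected name / tag '{}' in SANs", gName.getTagNo());
        }
    }
    csr.setSans(CryptoUtil.limitLength(allSans.toString(), 250));

    if (p10ReqHolder.getSubjectRDNs().length == 0) {
        // empty subject: derive a single CN from the first DNS SAN so the request stays identifiable
        LOG.info("Subject empty, using SANs");
        for (GeneralName gName : gNameSet) {
            if (GeneralName.dNSName == gName.getTagNo()) {
                RDN rdn = new RDN();
                rdn.csr(csr);
                Set<RDNAttribute> rdnAttributes = new HashSet<>();
                RDNAttribute rdnAttr = new RDNAttribute();
                rdnAttr.setRdn(rdn);
                rdnAttr.setAttributeType(X509ObjectIdentifiers.commonName.toString());
                rdnAttr.setAttributeValue(gName.getName().toString());
                rdnAttributes.add(rdnAttr);
                rdn.setRdnAttributes(rdnAttributes);
                newRdns.add(rdn);
                LOG.info("First DNS SAN inserted as CN: {}", gName.getName().toString());
                // just one CN !
                break;
            }
        }
    }
    csr.setRdns(newRdns);

    // PKCS#10 request attributes (extensionRequest, challengePassword, ...)
    Set<RequestAttribute> newRas = new HashSet<>();
    for (Attribute attr : p10ReqHolder.getReqAttributes()) {
        RequestAttribute reqAttrs = new RequestAttribute();
        reqAttrs.setCsr(csr);
        String type = attr.getAttrType().toString();
        reqAttrs.setAttributeType(type);
        // the challengePassword is an authentication secret and must not end up in the log
        boolean secretValue = CHALLENGE_PASSWORD_OID.equals(attr.getAttrType().getId());
        Set<RequestAttributeValue> requestAttributes = new HashSet<>();
        ASN1Set valueSet = attr.getAttrValues();
        LOG.debug("AttributeSet type {} #{}", type, valueSet.size());
        for (ASN1Encodable asn1Enc : valueSet.toArray()) {
            String value = asn1Enc.toString();
            LOG.debug("Attribute value {}", secretValue ? "<redacted>" : value);
            RequestAttributeValue reqAttrValue = new RequestAttributeValue();
            reqAttrValue.setReqAttr(reqAttrs);
            // NOTE(review): the value is persisted verbatim, a challengePassword included; the
            // stored PEM contains it as well, so verify this is intended.
            reqAttrValue.setAttributeValue(value);
            requestAttributes.add(reqAttrValue);
        }
        reqAttrs.setRequestAttributeValues(requestAttributes);
        newRas.add(reqAttrs);
    }
    csr.setRas(newRas);

    // add requestor
    CsrAttribute csrAttRequestorName = new CsrAttribute();
    csrAttRequestorName.setCsr(csr);
    csrAttRequestorName.setName(CsrAttribute.ATTRIBUTE_REQUESTED_BY);
    csrAttRequestorName.setValue(requestorName);
    csr.getCsrAttributes().add(csrAttRequestorName);

    rdnRepository.saveAll(csr.getRdns());
    for (RDN rdn : csr.getRdns()) {
        rdnAttRepository.saveAll(rdn.getRdnAttributes());
    }
    // request attributes (csr.getRas()) are deliberately not saved through a repository of
    // their own here; they rely on the save of the CSR below
    csrAttRepository.saveAll(csr.getCsrAttributes());
    csrRepository.save(csr);
    LOG.debug("saved csr with #{} request attributes and #{} csr attributes", newRas.size(), csr.getCsrAttributes().size());
    return csr;
}

/**
 * Prefix used for {@code ATTRIBUTE_TYPED_SAN} entries of the given GeneralName tag, or
 * {@code null} for a tag the caller does not handle.
 *
 * @param tagNo the GeneralName choice tag
 * @return the prefix including the trailing colon, or {@code null}
 */
private static String typedSanPrefix(int tagNo) {
    switch (tagNo) {
        case GeneralName.dNSName:
            return "DNS:";
        case GeneralName.iPAddress:
            return "IP:";
        case GeneralName.ediPartyName:
            return "EDI:";
        case GeneralName.otherName:
            return "other:";
        case GeneralName.registeredID:
            return "regID:";
        case GeneralName.rfc822Name:
            return "rfc822:";
        case GeneralName.uniformResourceIdentifier:
            return "URI:";
        case GeneralName.x400Address:
            return "X400:";
        case GeneralName.directoryName:
            return "DirName:";
        default:
            return null;
    }
}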

Example 4 with X500

use of org.wildfly.security.x500.X500 in project wildfly-elytron by wildfly-security.

the class CustomRealmMapperTest method populateCertificateChain.

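/**
 * Builds a five-certificate test chain, ordered leaf first and self-signed root last.
 * <p>
 * Certificate {@code i} has subject {@code CN=bob<i>} and carries public key {@code i}. The
 * last certificate is self-signed; every other one names {@code CN=bob<i+1>} as issuer and is
 * signed with private key {@code i+1}, so {@code orderedCertificates[i]} verifies with
 * {@code orderedCertificates[i+1].getPublicKey()}. All signatures use SHA256withRSA over
 * 2048-bit RSA keys.
 * <p>
 * Each non-root certificate also gets a Subject Alternative Name extension listing
 * {@code bob<i>@example.com}, {@code bob<i>.example.com} and {@code bob<i>@anotherexample.com}.
 * The extension is flagged critical, which RFC 5280 only requires for an empty subject; with
 * the non-empty subjects used here that is unusual and worth remembering when this fixture is
 * fed to a strict validator.
 *
 * @return the chain, index 0 being the leaf and index 4 the self-signed root
 * @throws Exception if the certificate builder cannot produce a certificate
 */
private static X509Certificate[] populateCertificateChain() throws Exception {
    final KeyPairGenerator keyPairGenerator;
    try {
        keyPairGenerator = KeyPairGenerator.getInstance("RSA");
    } catch (NoSuchAlgorithmException e) {
        // every conforming JDK ships RSA; its absence is a broken runtime, not a test outcome
        throw new IllegalStateException("RSA KeyPairGenerator is not available", e);
    }
    // Fix the modulus size instead of trusting the provider default, so the chain is not
    // rejected by JDK algorithm constraints on a runtime with a weaker default.
    keyPairGenerator.initialize(2048);

    final int chainLength = 5;
    final KeyPair[] keyPairs = new KeyPair[chainLength];
    for (int i = 0; i < chainLength; i++) {
        keyPairs[i] = keyPairGenerator.generateKeyPair();
    }

    final X509Certificate[] orderedCertificates = new X509Certificate[chainLength];
    for (int i = 0; i < chainLength; i++) {
        final X500Principal subjectDn = commonNameDn("bob" + i);
        final X509CertificateBuilder builder = new X509CertificateBuilder();
        builder.setSubjectDn(subjectDn);
        if (i == chainLength - 1) {
            // self-signed root: issuer equals subject and the certificate's own key signs it
            builder.setIssuerDn(subjectDn);
            builder.setSigningKey(keyPairs[i].getPrivate());
        } else {
            // leaf / intermediate: issued and signed by the next certificate up the chain
            builder.setIssuerDn(commonNameDn("bob" + (i + 1)));
            builder.setSigningKey(keyPairs[i + 1].getPrivate());
            builder.addExtension(new SubjectAlternativeNamesExtension(true, Arrays.asList(
                    new GeneralName.RFC822Name("bob" + i + "@example.com"),
                    new GeneralName.DNSName("bob" + i + ".example.com"),
                    new GeneralName.RFC822Name("bob" + i + "@anotherexample.com"))));
        }
        builder.setSignatureAlgorithmName("SHA256withRSA");
        builder.setPublicKey(keyPairs[i].getPublic());
        orderedCertificates[i] = builder.build();
    }
    return orderedCertificates;
}

/**
 * Builds a distinguished name made of the single RDN {@code CN=<commonName>}, the value
 * being encoded as a UTF8String.
 *
 * @param commonName value of the common name attribute
 * @return the principal
 */
private static X500Principal commonNameDn(String commonName) {
    final X500PrincipalBuilder principalBuilder = new X500PrincipalBuilder();
    principalBuilder.addItem(X500AttributeTypeAndValue.create(X500.OID_AT_COMMON_NAME, ASN1Encodable.ofUtf8String(commonName)));
    return principalBuilder.build();
}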

Example 5 with X500

use of org.wildfly.security.x500.X500 in project wildfly-elytron by wildfly-security.

the class X509CertificateBuilderTest method populateBasicCertBuilder.

/**
 * Returns a builder pre-populated for a self-signed certificate: subject and issuer are both
 * {@code CN=jane}, the signature algorithm is SHA256withRSA, and the class-level
 * {@code signingKey} / {@code publicKey} pair is used. Callers adjust any remaining fields
 * before calling {@code build()}.
 *
 * @return a builder ready for further customisation
 * @throws NoSuchAlgorithmException retained from the original signature for callers
 */
private static X509CertificateBuilder populateBasicCertBuilder() throws NoSuchAlgorithmException {
    // single-RDN distinguished name, CN encoded as UTF8String
    final X500PrincipalBuilder janeBuilder = new X500PrincipalBuilder();
    janeBuilder.addItem(X500AttributeTypeAndValue.create(X500.OID_AT_COMMON_NAME, ASN1Encodable.ofUtf8String("jane")));
    final X500Principal janeDn = janeBuilder.build();

    final X509CertificateBuilder certBuilder = new X509CertificateBuilder();
    // self-signed: issuer and subject are the same principal
    certBuilder.setIssuerDn(janeDn);
    certBuilder.setSubjectDn(janeDn);
    certBuilder.setSignatureAlgorithmName("SHA256withRSA");
    certBuilder.setSigningKey(signingKey);
    certBuilder.setPublicKey(publicKey);
    return certBuilder;
}
