Package org.bouncycastle.cert.jcajce

Examples of org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder


      // issuer X500Name representing the issuer of this certificate (here the same name as the subject).
      // serial the serial number for the certificate.
      // notBefore date before which the certificate is not valid.
      // notAfter date after which the certificate is not valid.
      // subject X500Name representing the subject of this certificate.
      // publicKey the public key to be associated with the certificate.
      final X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(
          builder.build(),
          generateSerialNumber(BigInteger.valueOf(KEY_SIZE)),
          calBegin.getTime(), calEnd.getTime(), builder.build(),
          kp.getPublic());
      certGen.addExtension(X509Extension.subjectKeyIdentifier, false,
          new SubjectKeyIdentifier(kp.getPublic().getEncoded()));
      certGen.addExtension(X509Extension.basicConstraints, false,
          new BasicConstraints(0));
      // convert the Bouncy Castle certificate holder into a JCA X509Certificate using the BC provider
      final X509Certificate cert = new JcaX509CertificateConverter()
          .setProvider(BouncyCastleProvider.PROVIDER_NAME)
          .getCertificate(certGen.build(sigGen));

      cert.checkValidity(new Date());

      // build key store
      final KeyStore ks = KeyStore.getInstance(KEY_STORE_TYPE,


    Calendar endDate = Calendar.getInstance();
    endDate.add(Calendar.YEAR, 100);

    BigInteger serialNumber = BigInteger.valueOf((startDate.getTimeInMillis()));
    X500Name issuer = new X500Name(IETFUtils.rDNsFromString(issuerDirString, RFC4519Style.INSTANCE));
    JcaX509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(issuer, serialNumber, startDate.getTime(), endDate.getTime(), issuer, kp.getPublic());
    JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
    certGen.addExtension(Extension.subjectKeyIdentifier, false, extensionUtils.createSubjectKeyIdentifier(kp.getPublic()));
    certGen.addExtension(Extension.basicConstraints, false, new BasicConstraints(isCertAuthority));
    certGen.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(signerPublicKey));
    if (isCertAuthority) {
      certGen.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign));
    }
    X509CertificateHolder cert = certGen.build(new JcaContentSignerBuilder(signingAlgorithm).build(signerPrivateKey));
    return new X509CertificateObject(cert.toASN1Structure());
  }

  Date notBefore = cal.getTime();

  cal.add(Calendar.YEAR, 2);
  Date notAfter = cal.getTime();

  JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
    issuer, serial, notBefore, notAfter, subject, pubKey);
  builder.addExtension(X509Extension.basicConstraints, true,
    new BasicConstraints(0));

  ContentSigner signer;
  try {
      signer = new JcaContentSignerBuilder("SHA1withRSA").build(priKey);
  } catch (OperatorCreationException e) {
      throw new Exception(e);
  }
  X509CertificateHolder holder = builder.build(signer);
  return new JcaX509CertificateConverter().getCertificate(holder);
    }

      Date notBefore = cal.getTime();
      cal.add(Calendar.DATE, 2);
      Date notAfter = cal.getTime();
      X500Name subject = issuer;
      PublicKey publicKey = idPair.getPublic();
      JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
          issuer, serial, notBefore, notAfter, subject, publicKey);
      X509CertificateHolder idHolder = certBuilder.build(signerBuilder
          .build(idPair.getPrivate()));
      // Convert the Bouncy Castle certificate holder into a JCA X509Certificate
      // via the standard CertificateFactory
      X509Certificate id = (X509Certificate) CertificateFactory.getInstance(
          "X509").generateCertificate(

    return response;
  }

  protected CertificateResponse buildV3Certificate(final BouncyCastleCertificateRequest request) throws OperatorCreationException, GeneralSecurityException, IOException {
    JcaX509v3CertificateBuilder builder = null;
    ContentSigner contentSigner = null;

    JcaContentSignerBuilder contentSignerBuilder = new JcaContentSignerBuilder(request.getSignAlgorithm());
    contentSignerBuilder.setProvider(request.getProvider());

    if ((request.getIssuerPrivateKey() != null) && (request.getIssuerCertificate() != null)) {
      builder = new JcaX509v3CertificateBuilder(request.getIssuerCertificate(), request.getSerialNumber(), request.getNotBefore(), request.getNotAfter(), request.getSubjectAsX500Principal(), request.getPublicKey());

      if (request.isCa()) {
        AuthorityKeyIdentifier authorityKeyIdentifier = new JcaX509ExtensionUtils().createAuthorityKeyIdentifier(request.getIssuerCertificate().getPublicKey());
        builder.addExtension(X509Extension.authorityKeyIdentifier, false, authorityKeyIdentifier);
      }

      SubjectKeyIdentifier subjectKeyIdentifier = new JcaX509ExtensionUtils().createSubjectKeyIdentifier(request.getIssuerCertificate().getPublicKey());
      builder.addExtension(X509Extension.subjectKeyIdentifier, false, subjectKeyIdentifier);

      contentSigner = contentSignerBuilder.build(request.getIssuerPrivateKey());
    } else {
      builder = new JcaX509v3CertificateBuilder(request.getIssuerAsX500Name(), request.getSerialNumber(), request.getNotBefore(), request.getNotAfter(), request.getSubjectAsX500Name(), request.getPublicKey());

      SubjectKeyIdentifier subjectKeyIdentifier = new JcaX509ExtensionUtils().createSubjectKeyIdentifier(request.getPublicKey());
      builder.addExtension(X509Extension.subjectKeyIdentifier, false, subjectKeyIdentifier);

      contentSigner = contentSignerBuilder.build(request.getPrivateKey());
    }

    this.addV3KeyUsage(builder, request);
    this.addV3ExtendedKeyUsage(builder, request);
    this.addV3CertificatePolicies(builder, request);
    this.addV3OtherNames(builder, request);
    this.addV3Comment(builder, request);
    this.addV3CRLDistPoint(builder, request);
    this.addV3OcspUrl(builder, request);
    this.addV3PolicyUrl(builder, request);
    this.addV3CAExtensions(builder, request);

    // builder.addExtension(MiscObjectIdentifiers.netscapeCertType, false, new
    // NetscapeCertType(NetscapeCertType.objectSigning | NetscapeCertType.smime));

    X509CertificateHolder holder = builder.build(contentSigner);

    X509Certificate certificate = (X509Certificate) Certificates.get(holder.getEncoded());

    if ((request.getIssuerPrivateKey() != null) && (request.getIssuerCertificate() != null)) {
      certificate.verify(request.getIssuerCertificate().getPublicKey());

        dateBuilder.addYears(1);
        notAfter = dateBuilder.getDate();
      }

      if (this.v3) {
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(this.toX500Name(issuer), serialNumber, notBefore, notAfter, this.toX500Name(subject), keyPair.getPublic());

        JcaContentSignerBuilder contentSignerBuilder = new JcaContentSignerBuilder(signType.getAlgorithm());
        contentSignerBuilder.setProvider(BouncyCastleProviderHelper.PROVIDER_NAME);
        ContentSigner contentSigner = contentSignerBuilder.build(keyPair.getPrivate());

        if (this.keyUsage.size() > 0) {
          int usage = 0;
          for (KeyUsageType keyUsage : this.keyUsage) {
            usage = usage | this.toKeyUsage(keyUsage);
          }
          org.bouncycastle.asn1.x509.KeyUsage ku = new org.bouncycastle.asn1.x509.KeyUsage(usage);
          builder.addExtension(X509Extension.keyUsage, false, ku);
        }

        if (this.extendedKeyUsage.size() > 0) {
          Vector<DERObject> vector = new Vector<DERObject>();
          for (ExtendedKeyUsageType keyUsageType : this.extendedKeyUsage) {
            KeyPurposeId keyPurposeId = this.toExtendedKeyUsage(keyUsageType);
            if (keyPurposeId != null) {
              vector.add(keyPurposeId);
            }
          }
          if (vector.size() > 0) {
            org.bouncycastle.asn1.x509.ExtendedKeyUsage extendedKeyUsage = new org.bouncycastle.asn1.x509.ExtendedKeyUsage(vector);
            builder.addExtension(X509Extension.extendedKeyUsage, true, extendedKeyUsage);
          } else {
            org.bouncycastle.asn1.x509.ExtendedKeyUsage extendedKeyUsage = new org.bouncycastle.asn1.x509.ExtendedKeyUsage(KeyPurposeId.anyExtendedKeyUsage);
            builder.addExtension(X509Extension.extendedKeyUsage, false, extendedKeyUsage);
          }
        } else {
          org.bouncycastle.asn1.x509.ExtendedKeyUsage extendedKeyUsage = new org.bouncycastle.asn1.x509.ExtendedKeyUsage(KeyPurposeId.anyExtendedKeyUsage);
          builder.addExtension(X509Extension.extendedKeyUsage, false, extendedKeyUsage);
        }

        GeneralNames subjectAltName = new GeneralNames(new GeneralName(GeneralName.rfc822Name, subject));
        builder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName);

        SubjectKeyIdentifierStructure subjectKeyIdentifierStructure = new SubjectKeyIdentifierStructure(keyPair.getPublic());
        builder.addExtension(X509Extension.subjectKeyIdentifier, false, subjectKeyIdentifierStructure);

        X509CertificateHolder holder = builder.build(contentSigner);

        certificate = (X509Certificate) SecurityUtils.getCertificateFromFile(holder.getEncoded(), CertificateType.X509);
        privateKey = keyPair.getPrivate();
      } else {
        JcaX509v1CertificateBuilder builder = new JcaX509v1CertificateBuilder(this.toX500Name(issuer), serialNumber, notBefore, notAfter, this.toX500Name(subject), keyPair.getPublic());

        JcaContentSignerBuilder contentSignerBuilder = new JcaContentSignerBuilder(signType.getAlgorithm());
        contentSignerBuilder.setProvider(BouncyCastleProviderHelper.PROVIDER_NAME);
        ContentSigner contentSigner = contentSignerBuilder.build(keyPair.getPrivate());

        X509CertificateHolder holder = builder.build(contentSigner);

        certificate = (X509Certificate) SecurityUtils.getCertificateFromFile(holder.getEncoded(), CertificateType.X509);
        privateKey = keyPair.getPrivate();
      }

      KeyPair pair = newKeyPair();

      X500Name webDN = buildDistinguishedName(sslMetadata);
      X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName());

      X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
          issuerDN,
          BigInteger.valueOf(System.currentTimeMillis()),
          sslMetadata.notBefore,
          sslMetadata.notAfter,
          webDN,
          pair.getPublic());

      JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
      certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic()));
      certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false));
      certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));

      // support alternateSubjectNames for SSL certificates
      List<GeneralName> altNames = new ArrayList<GeneralName>();
      if (HttpUtils.isIpAddress(sslMetadata.commonName)) {
        altNames.add(new GeneralName(GeneralName.iPAddress, sslMetadata.commonName));
      }
      if (altNames.size() > 0) {
        GeneralNames subjectAltName = new GeneralNames(altNames.toArray(new GeneralName [altNames.size()]));
        certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName);
      }

      ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM)
          .setProvider(BC).build(caPrivateKey);
      X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC)
          .getCertificate(certBuilder.build(caSigner));

      cert.checkValidity(new Date());
      cert.verify(caCert.getPublicKey());

      // Save to keystore

      // clone metadata
      X509Metadata caMetadata = metadata.clone(CA_CN, metadata.password);
      X500Name issuerDN = buildDistinguishedName(caMetadata);

      // Generate the self-signed CA certificate (issuer and subject are the same name)
      X509v3CertificateBuilder caBuilder = new JcaX509v3CertificateBuilder(
          issuerDN,
          BigInteger.valueOf(System.currentTimeMillis()),
          caMetadata.notBefore,
          caMetadata.notAfter,
          issuerDN,
          caPair.getPublic());

      JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
      caBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caPair.getPublic()));
      caBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caPair.getPublic()));
      caBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(true));
      caBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));

      JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BC);
      X509Certificate cert = converter.getCertificate(caBuilder.build(caSigner));

      // confirm the validity of the CA certificate
      cert.checkValidity(new Date());
      cert.verify(cert.getPublicKey());

      X500Name userDN = buildDistinguishedName(clientMetadata);
      X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName());

      // create a new certificate signed by the Gitblit CA certificate
      X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
          issuerDN,
          BigInteger.valueOf(System.currentTimeMillis()),
          clientMetadata.notBefore,
          clientMetadata.notAfter,
          userDN,
          pair.getPublic());

      JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
      certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic()));
      certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false));
      certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey()));
      certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature));
      if (!StringUtils.isEmpty(clientMetadata.emailAddress)) {
        GeneralNames subjectAltName = new GeneralNames(
                    new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress));
        certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName);
      }

      ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC).build(caPrivateKey);

      X509Certificate userCert = new JcaX509CertificateConverter().setProvider(BC).getCertificate(certBuilder.build(signer));
      PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier)pair.getPrivate();
      bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId,
          extUtils.createSubjectKeyIdentifier(pair.getPublic()));

      // confirm the validity of the user certificate

        if (baseCrt != null) {
            subject = baseCrt.getSubjectX500Principal();
        }

        JcaX509v3CertificateBuilder certificateBuilder;
        certificateBuilder = new JcaX509v3CertificateBuilder(issuer, serialNo,
                begin, ends, subject, pubKey);

        if (subject.equals(issuer)) {
            certificateBuilder.addExtension(
                    X509Extension.basicConstraints, true,
                    new BasicConstraints(5));
        } else {
            JcaX509ExtensionUtils jxeu = new JcaX509ExtensionUtils();

            if (baseCrt != null) {
                byte[] sans = baseCrt.getExtensionValue(X509Extension.subjectAlternativeName.getId());
                if (sans != null) {
                    certificateBuilder.copyAndAddExtension(X509Extension.subjectAlternativeName, true, baseCrt);
                }
            }

            SubjectKeyIdentifier subjectKeyIdentifier = jxeu.createSubjectKeyIdentifier(pubKey);
            certificateBuilder.addExtension(
                    X509Extension.subjectKeyIdentifier, false, subjectKeyIdentifier);

            AuthorityKeyIdentifier authorityKeyIdentifier = jxeu.createAuthorityKeyIdentifier(caPubKey);
            certificateBuilder.addExtension(
                    X509Extension.authorityKeyIdentifier, false,
                    authorityKeyIdentifier);

            certificateBuilder.addExtension(
                    X509Extension.basicConstraints, true,
                    new BasicConstraints(false));

            NetscapeCertType netscapeCertType = new NetscapeCertType(NetscapeCertType.sslClient | NetscapeCertType.sslServer);
            certificateBuilder.addExtension(
                    MiscObjectIdentifiers.netscapeCertType, false,
                    netscapeCertType);

            KeyUsage keyUsage = new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment);
            certificateBuilder.addExtension(X509Extension.keyUsage, true,
                    keyUsage);

            ExtendedKeyUsage extendedKeyUsage = new ExtendedKeyUsage(new KeyPurposeId[]{
                KeyPurposeId.id_kp_clientAuth,
                KeyPurposeId.id_kp_serverAuth
            });
            certificateBuilder.addExtension(X509Extension.extendedKeyUsage, false,
                    extendedKeyUsage);
        }

        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(SIGALG);
        X509CertificateHolder holder = certificateBuilder.build(signerBuilder.build(caKey));

        /*
         * Next certificate factory trick is needed to make sure that the
         * certificate delivered to the caller is provided by the default
         * security provider instead of BouncyCastle. If we don't do this trick


