Examples of org.bouncycastle.x509.X509V3CertificateGenerator

• org.bouncycastle.x509.X509V3CertificateGenerator
  class to produce an X.509 Version 3 certificate. @deprecated use org.bouncycastle.cert.X509v3CertificateBuilder.

    }

    public static X509Certificate generateEndEntityCert(PublicKey entityKey, PrivateKey caKey, X509Certificate caCert)
        throws Exception
    {
        X509V3CertificateGenerator  certGen = new X509V3CertificateGenerator();

        certGen.setSerialNumber(BigInteger.valueOf(1));
        certGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(caCert));
        certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000));
        certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000));
        certGen.setSubjectDN(new X509Principal("CN=Test End Certificate"));
        certGen.setPublicKey(entityKey);
        certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");

        certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
        certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(entityKey));
        certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
        certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));

        return certGen.generateX509Certificate(caKey, "BC");
    }

        //

        //
        // create the certificate.
        //
        X509V3CertificateGenerator  certGen = new X509V3CertificateGenerator();

        certGen.setSerialNumber(BigInteger.valueOf(1));
        certGen.setIssuerDN(new X509Principal(attrs));
        certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000));
        certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000));
        certGen.setSubjectDN(new X509Principal(attrs));
        certGen.setPublicKey(pubKey);
        certGen.setSignatureAlgorithm("MD5WithRSAEncryption");

        Certificate[]   chain = new Certificate[1];

        try
        {
            X509Certificate cert = certGen.generateX509Certificate(privKey);

            cert.checkValidity(new Date());

            cert.verify(pubKey);

        order.addElement(X509Principal.E);

        //
        // create the certificate - version 3
        //
        X509V3CertificateGenerator  certGen = new X509V3CertificateGenerator();

        certGen.setSerialNumber(BigInteger.valueOf(1));
        certGen.setIssuerDN(new X509Principal(order, attrs));
        certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000));
        certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000));
        certGen.setSubjectDN(new X509Principal(order, attrs));
        certGen.setPublicKey(pubKey);
        certGen.setSignatureAlgorithm("ECDSAwithSHA1");

        Certificate[]    chain = new Certificate[1];

        try
        {
            X509Certificate cert = certGen.generateX509Certificate(privKey);

            cert.checkValidity(new Date());

            cert.verify(pubKey);

                                                String sigAlg,
                                                KeyPair keyPair) throws Exception {
        final long currentTime = new Date().getTime();
        final Date firstDate = new Date(currentTime-24*60*60*1000);
        final Date lastDate = new Date(currentTime + validity * 1000);
        X509V3CertificateGenerator cg = new X509V3CertificateGenerator();
        // Add all mandatory attributes
        cg.setSerialNumber(BigInteger.valueOf(firstDate.getTime()));
        log.debug("keystore signing algorithm "+sigAlg);
        cg.setSignatureAlgorithm(sigAlg);
        cg.setSubjectDN(new X500Principal(myname));
        final PublicKey publicKey = keyPair.getPublic();
        if ( publicKey==null ) {
            throw new Exception("Public key is null");
        }
        cg.setPublicKey(publicKey);
        cg.setNotBefore(firstDate);
        cg.setNotAfter(lastDate);
        cg.setIssuerDN(new X500Principal(myname));
        return cg.generate(keyPair.getPrivate(), this.providerName);
    }

        Date lastDate = new Date();

        // validity in days = validity*24*60*60*1000 milliseconds
        lastDate.setTime(lastDate.getTime() + (validity * (24 * 60 * 60 * 1000)));

        X509V3CertificateGenerator certgen = new X509V3CertificateGenerator();

        // Transform the PublicKey to be sure we have it in a format that the X509 certificate generator handles, it might be
        // a CVC public key that is passed as parameter
        PublicKey publicKey = null;
        if (pubKey instanceof RSAPublicKey) {
          RSAPublicKey rsapk = (RSAPublicKey)pubKey;
        RSAPublicKeySpec rSAPublicKeySpec = new RSAPublicKeySpec(rsapk.getModulus(), rsapk.getPublicExponent());
        try {
        publicKey = KeyFactory.getInstance("RSA").generatePublic(rSAPublicKeySpec);
      } catch (InvalidKeySpecException e) {
        log.error("Error creating RSAPublicKey from spec: ", e);
        publicKey = pubKey;
      }
    } else if (pubKey instanceof ECPublicKey) {
      ECPublicKey ecpk = (ECPublicKey)pubKey;
      try {
        ECPublicKeySpec ecspec = new ECPublicKeySpec(ecpk.getW(), ecpk.getParams()); // will throw NPE if key is "implicitlyCA"
        publicKey = KeyFactory.getInstance("EC").generatePublic(ecspec);
      } catch (InvalidKeySpecException e) {
        log.error("Error creating ECPublicKey from spec: ", e);
        publicKey = pubKey;
      } catch (NullPointerException e) {
        log.debug("NullPointerException, probably it is implicitlyCA generated keys: "+e.getMessage());
        publicKey = pubKey;
      }
    } else {
      log.debug("Not converting key of class. "+pubKey.getClass().getName());
      publicKey = pubKey;
    }

        // Serialnumber is random bits, where random generator is initialized with Date.getTime() when this
        // bean is created.
        byte[] serno = new byte[8];
        SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
        random.setSeed(new Date().getTime());
        random.nextBytes(serno);
        certgen.setSerialNumber(new java.math.BigInteger(serno).abs());
        certgen.setNotBefore(firstDate);
        certgen.setNotAfter(lastDate);
        certgen.setSignatureAlgorithm(sigAlg);
        certgen.setSubjectDN(CertTools.stringToBcX509Name(dn));
        certgen.setIssuerDN(CertTools.stringToBcX509Name(dn));
        certgen.setPublicKey(publicKey);

        // Basic constranits is always critical and MUST be present at-least in CA-certificates.
        BasicConstraints bc = new BasicConstraints(isCA);
        certgen.addExtension(X509Extensions.BasicConstraints.getId(), true, bc);

        // Put critical KeyUsage in CA-certificates
        if (isCA) {
            X509KeyUsage ku = new X509KeyUsage(keyusage);
            certgen.addExtension(X509Extensions.KeyUsage.getId(), true, ku);
        }

        // Subject and Authority key identifier is always non-critical and MUST be present for certificates to verify in Firefox.
        try {
            if (isCA) {
                SubjectPublicKeyInfo spki = new SubjectPublicKeyInfo((ASN1Sequence) new ASN1InputStream(
                            new ByteArrayInputStream(publicKey.getEncoded())).readObject());
                SubjectKeyIdentifier ski = new SubjectKeyIdentifier(spki);

                SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo((ASN1Sequence) new ASN1InputStream(
                            new ByteArrayInputStream(publicKey.getEncoded())).readObject());
                AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(apki);

                certgen.addExtension(X509Extensions.SubjectKeyIdentifier.getId(), false, ski);
                certgen.addExtension(X509Extensions.AuthorityKeyIdentifier.getId(), false, aki);
            }
        } catch (IOException e) { // do nothing
        }

        // CertificatePolicies extension if supplied policy ID, always non-critical
        if (policyId != null) {
                PolicyInformation pi = new PolicyInformation(new DERObjectIdentifier(policyId));
                DERSequence seq = new DERSequence(pi);
                certgen.addExtension(X509Extensions.CertificatePolicies.getId(), false, seq);
        }

        X509Certificate selfcert = certgen.generate(privKey, provider);

        return selfcert;
    } //genselfCertForPurpose

              if (!adaptive) {
                continue;
              }
              final Date time = new Date();              // time from which certificate is valid
              final KeyPair key_pair = KeyTools.genKeys("1024", AlgorithmConstants.KEYALGORITHM_RSA);
              final X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
              final X500Principal dnName = new X500Principal("CN=Dummy Missing in Imported CRL, serialNumber=" + serialHex);
              certGen.setSerialNumber(serialNr);
              certGen.setIssuerDN(cacert.getSubjectX500Principal());
              certGen.setNotBefore(time);
              certGen.setNotAfter(new Date (time.getTime() + 1000L * 60 * 60 * 24 * 365 * 10));  // 10 years of life
              certGen.setSubjectDN(dnName);                       // note: same as issuer
              certGen.setPublicKey(key_pair.getPublic());
              certGen.setSignatureAlgorithm("SHA1withRSA");
              final X509Certificate certificate = certGen.generate(key_pair.getPrivate(), "BC");
              final String fingerprint = CertTools.getFingerprintAsString(certificate);
              // We add all certificates that does not have a user already to "missing_user_name"
              final UserDataVO missingUserDataVO = ejb.getUserAdminSession().findUser(getAdmin(), missing_user_name);
              if (missingUserDataVO == null) {
                // Add the user and change status to REVOKED

        final boolean isRootCA = certProfile.getType()==CertificateProfile.TYPE_ROOTCA;

        // Get certificate validity time notBefore and notAfter
        final CertificateValidity val = new CertificateValidity(subject, certProfile, notBefore, notAfter, cacert, isRootCA);

        final X509V3CertificateGenerator certgen = new X509V3CertificateGenerator();
        {
            // Serialnumber is either random bits, where random generator is initialized by the serno generator.
          // Or a custom serial number defined in the end entity object
            final ExtendedInformation ei = subject.getExtendedinformation();
            BigInteger customSN = ei!=null ? ei.certificateSerialNumber() : null;
      if (customSN != null) {
        if (!certProfile.getAllowCertSerialNumberOverride()) {
          final String msg = intres.getLocalizedMessage("signsession.certprof_not_allowing_cert_sn_override_using_normal", customSN.toString(16));
          log.info(msg);
          customSN = null;
        } else {
                if (log.isDebugEnabled()) {
                  log.debug("Using custom serial number: "+customSN.toString(16));
                }
        }
      }
            final BigInteger serno = customSN!=null ? customSN : SernoGenerator.instance().getSerno();
            certgen.setSerialNumber(serno);
        }
        certgen.setNotBefore(val.getNotBefore());
        certgen.setNotAfter(val.getNotAfter());
        certgen.setSignatureAlgorithm(sigAlg);

        // Make DNs
        if(certProfile.getUseSubjectDNSubSet()){
          dn= certProfile.createSubjectDNSubSet(dn);
        }

        if(certProfile.getUseCNPostfix()){
          dn = CertTools.insertCNPostfix(dn,certProfile.getCNPostfix());
        }

        X509NameEntryConverter converter = null;
        if (getUsePrintableStringSubjectDN()) {
          converter = new PrintableStringEntryConverter();
        } else {
          converter = new X509DefaultEntryConverter();
        }
        // Will we use LDAP DN order (CN first) or X500 DN order (CN last) for the subject DN
        boolean ldapdnorder = true;
        if ((getUseLdapDNOrder() == false) || (certProfile.getUseLdapDnOrder() == false)) {
          ldapdnorder = false;
        }
        X509Name subjectDNName = CertTools.stringToBcX509Name(dn, converter, ldapdnorder);
        if (certProfile.getAllowDNOverride() && (requestX509Name != null) ) {
          subjectDNName = requestX509Name;
            if (log.isDebugEnabled()) {
              log.debug("Using X509Name from request instead of user's registered.");
            }
        }
        if (log.isDebugEnabled()) {
          log.debug("Using subjectDN: "+subjectDNName.toString());
        }
        certgen.setSubjectDN(subjectDNName);
        // We must take the issuer DN directly from the CA-certificate otherwise we risk re-ordering the DN
        // which many applications do not like.
        if (isRootCA) {
          // This will be an initial root CA, since no CA-certificate exists
          // Or it is a root CA, since the cert is self signed. If it is a root CA we want to use the same encoding for subject and issuer,
          // it might have changed over the years.
          if (log.isDebugEnabled()) {
            log.debug("Using subject DN also as issuer DN, because it is a root CA");
          }
            certgen.setIssuerDN(subjectDNName);
        } else {
          javax.security.auth.x500.X500Principal issuerPrincipal = cacert.getSubjectX500Principal();
          if (log.isDebugEnabled()) {
            log.debug("Using issuer DN directly from the CA certificate: "+issuerPrincipal.getName());
          }
            certgen.setIssuerDN(issuerPrincipal);
        }
        certgen.setPublicKey(publicKey);

        //
        // X509 Certificate Extensions
        //

        // Extensions we will add to the certificate, later when we have filled the structure with
        // everything we want.
        X509ExtensionsGenerator extgen = new X509ExtensionsGenerator();

        // First we check if there is general extension override, and add all extensions from
        // the request in that case
        if (certProfile.getAllowExtensionOverride() && extensions!=null) {
          Enumeration en = extensions.oids();
          while (en!=null && en.hasMoreElements()) {
            DERObjectIdentifier oid = (DERObjectIdentifier)en.nextElement();
            X509Extension ext = extensions.getExtension(oid);
            if (log.isDebugEnabled()) {
              log.debug("Overriding extension with oid: "+oid);
            }
            extgen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets());
          }
        }

        // Second we see if there is Key usage override
      X509Extensions overridenexts = extgen.generate();
        if (certProfile.getAllowKeyUsageOverride() && (keyusage >= 0)) {
          if (log.isDebugEnabled()) {
            log.debug("AllowKeyUsageOverride=true. Using KeyUsage from parameter: "+keyusage);
          }
            if ( (certProfile.getUseKeyUsage() == true) && (keyusage >=0) ){
                X509KeyUsage ku = new X509KeyUsage(keyusage);
               // We don't want to try to add custom extensions with the same oid if we have already added them
               // from the request, if AllowExtensionOverride is enabled.
               // Two extensions with the same oid is not allowed in the standard.
             if (overridenexts.getExtension(X509Extensions.KeyUsage) == null) {
                     extgen.addExtension(
                             X509Extensions.KeyUsage, certProfile.getKeyUsageCritical(), ku);
             } else {
               if (log.isDebugEnabled()) {
                 log.debug("KeyUsage was already overridden by an extension, not using KeyUsage from parameter.");
               }
             }
            }
        }

        // Third, check for standard Certificate Extensions that should be added.
        // Standard certificate extensions are defined in CertificateProfile and CertificateExtensionFactory
        // and implemented in package org.ejbca.core.model.certextensions.standard
        CertificateExtensionFactory fact = CertificateExtensionFactory.getInstance();
        List<String> usedStdCertExt = certProfile.getUsedStandardCertificateExtensions();
        Iterator<String> certStdExtIter = usedStdCertExt.iterator();
      overridenexts = extgen.generate();
        while(certStdExtIter.hasNext()){
          String oid = certStdExtIter.next();
           // We don't want to try to add standard extensions with the same oid if we have already added them
          // from the request, if AllowExtensionOverride is enabled.
          // Two extensions with the same oid is not allowed in the standard.
          if (overridenexts.getExtension(new DERObjectIdentifier(oid)) == null) {
              CertificateExtension certExt = fact.getStandardCertificateExtension(oid, certProfile);
              if (certExt != null) {
                DEREncodable value = certExt.getValue(subject, this, certProfile, publicKey, caPublicKey);
                if (value != null) {
                  extgen.addExtension(new DERObjectIdentifier(certExt.getOID()),certExt.isCriticalFlag(),value);
                }
              }
          } else {
            if (log.isDebugEnabled()) {
              log.debug("Extension with oid "+oid+" has been overridden, standard extension will not be added.");
            }
          }
        }

         // Fourth, check for custom Certificate Extensions that should be added.
         // Custom certificate extensions is defined in certextensions.properties
         fact = CertificateExtensionFactory.getInstance();
         List<Integer> usedCertExt = certProfile.getUsedCertificateExtensions();
         Iterator<Integer> certExtIter = usedCertExt.iterator();
         while(certExtIter.hasNext()){
           Integer id = certExtIter.next();
           CertificateExtension certExt = fact.getCertificateExtensions(id);
           if (certExt != null) {
               // We don't want to try to add custom extensions with the same oid if we have already added them
               // from the request, if AllowExtensionOverride is enabled.
               // Two extensions with the same oid is not allowed in the standard.
             if (overridenexts.getExtension(new DERObjectIdentifier(certExt.getOID())) == null) {
               DEREncodable value = certExt.getValue(subject, this, certProfile, publicKey, caPublicKey);
               if (value != null) {
                 extgen.addExtension(new DERObjectIdentifier(certExt.getOID()),certExt.isCriticalFlag(),value);
               }
             } else {
               if (log.isDebugEnabled()) {
                 log.debug("Extension with oid "+certExt.getOID()+" has been overridden, custom extension will not be added.");
               }
               }
           }
         }

         // Finally add extensions to certificate generator
         X509Extensions exts = extgen.generate();
         Enumeration en = exts.oids();
         while (en.hasMoreElements()) {
           DERObjectIdentifier oid = (DERObjectIdentifier)en.nextElement();
           X509Extension ext = exts.getExtension(oid);
           certgen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets());
         }

         //
         // End of extensions
         //

         X509Certificate cert;
         if (log.isTraceEnabled()) {
           log.trace(">certgen.generate");
         }
         cert = certgen.generate(caPrivateKey, provider);
         if (log.isTraceEnabled()) {
           log.trace("<certgen.generate");
         }

        // Verify before returning

            boolean degitalSigning, boolean dataEncryption, PublicKey key,
            X509Certificate caCert, PrivateKey caKey) {

        try {

            X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
            X500Principal principal = new X500Principal(identifier);

//            certGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(caCert));
            certGen.setIssuerDN(new X509Name(PrincipalUtil.getSubjectX509Principal(caCert).getName()));
            certGen.setSerialNumber(serialNumber);
            certGen.setNotBefore(startDate);
            certGen.setNotAfter(expiryDate);

//            certGen.setSubjectDN(principal);
            certGen.setSubjectDN(new X509Name(principal.getName()));
            certGen.setPublicKey(key);
            certGen.setSignatureAlgorithm("SHA1withRSA");

            certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
                    new AuthorityKeyIdentifierStructure(caCert));
            certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false,
                    new SubjectKeyIdentifierStructure(key));

            // this are default values which will be supported.
            KeyUsage ku = buildKeyUsage(degitalSigning, dataEncryption);
            certGen.addExtension(X509Extensions.KeyUsage, false, ku);

            return certGen.generateX509Certificate(caKey, "BC");
        } catch (Exception e) {
            e.printStackTrace();
            throw new RuntimeException(e);
        }
    }

        SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
        random.setSeed((new Date().getTime()));
        random.nextBytes(serno);
        BigInteger serial = (new java.math.BigInteger(serno)).abs();

        X509V3CertificateGenerator certGenerator = new X509V3CertificateGenerator();
        certGenerator.reset();

        certGenerator.setSerialNumber(serial);
        certGenerator.setIssuerDN(new X509Name(issuerDN));
        certGenerator.setNotBefore(new Date(System.currentTimeMillis()));
        certGenerator.setNotAfter(
                new Date(System.currentTimeMillis() + months * (1000L * 60 * 60 * 24 * 30)));
        certGenerator.setSubjectDN(new X509Name(subjectDN));
        certGenerator.setPublicKey(pubKey);
        certGenerator.setSignatureAlgorithm(signAlgoritm);

        // Generate the subject alternative name
        boolean critical = subjectDN == null || "".equals(subjectDN.trim());
        DERSequence othernameSequence = new DERSequence(new ASN1Encodable[]{
                new DERObjectIdentifier("1.3.6.1.5.5.7.8.5"), new DERTaggedObject(true, 0, new DERUTF8String(domain))});
        GeneralName othernameGN = new GeneralName(GeneralName.otherName, othernameSequence);
        GeneralNames subjectAltNames = new GeneralNames(new DERSequence(new ASN1Encodable[]{othernameGN}));
        // Add subject alternative name extension
        certGenerator.addExtension(X509Extensions.SubjectAlternativeName, critical, subjectAltNames);

        X509Certificate cert =
                certGenerator.generateX509Certificate(privKey, "BC", new SecureRandom());
        cert.checkValidity(new Date());
        cert.verify(pubKey);

        return cert;
    }

    final Date expireDate = new Date(startDate.getTime()
            + (100L * 365L * 24L * 60L * 60L * 1000L));
    // The Root CA serial number is '1'
    final BigInteger serialNumber = new BigInteger("1");

    final X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    // using the hash code of the user's name and home path, keeps anonymity
    // but also gives user a chance to distinguish between each other
    final X500Principal x500principal = new X500Principal(
            "CN = Snova Framework Root Fake CA, "
                    + "L = "
                    + Integer.toHexString(System.getProperty("user.name")
                            .hashCode())
                    + Integer.toHexString(System.getProperty("user.home")
                            .hashCode()) + ", "
                    + "O = Snova Root Fake CA, "
                    + "OU = Snova Root Fake CA, " + "C = XX");

    certGen.setSerialNumber(serialNumber);
    certGen.setSubjectDN(x500principal);
    certGen.setIssuerDN(x500principal);
    certGen.setNotBefore(startDate);
    certGen.setNotAfter(expireDate);
    certGen.setPublicKey(keypair.getPublic());
    certGen.setSignatureAlgorithm("SHA1withRSA");

    KeyStore ks = null;
    try
    {
      certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false,
              new SubjectKeyIdentifierStructure(keypair.getPublic()));
      certGen.addExtension(X509Extensions.BasicConstraints, false,
              new BasicConstraints(true));
      final X509Certificate cert = certGen.generate(keypair.getPrivate());
      return cert;
    }
    catch (final Exception e)
    {
      throw new IllegalStateException(