List of usage examples for java.security.cert X509Certificate getSubjectX500Principal
public X500Principal getSubjectX500Principal()
From source file:net.sf.keystore_explorer.crypto.x509.X509CertUtil.java
/**
 * Derives a KeyStore alias for an X.509 certificate from its subject and
 * issuer common names.
 * <p>
 * When the subject CN equals the issuer CN, or the issuer has no CN, the
 * alias is the subject CN alone; otherwise the issuer CN is appended in
 * brackets, e.g. {@code "subject cn (issuer cn)"}.
 * <p>
 * NOTE(review): the original Javadoc stated that aliases are always lower
 * case, but no case conversion happens in this method; the alias keeps the
 * case of the CN attribute values.
 *
 * @param cert
 *            The certificate
 * @return The alias, or a blank string if the subject has no common name
 */
public static String getCertificateAlias(X509Certificate cert) {
    X500Name subjectName = X500NameUtils.x500PrincipalToX500Name(cert.getSubjectX500Principal());
    X500Name issuerName = X500NameUtils.x500PrincipalToX500Name(cert.getIssuerX500Principal());
    String subjectCn = extractCommonName(subjectName);
    String issuerCn = extractCommonName(issuerName);

    if (subjectCn == null) {
        return "";
    }
    boolean issuerUnknownOrSame = issuerCn == null || subjectCn.equals(issuerCn);
    if (issuerUnknownOrSame) {
        return subjectCn;
    }
    return MessageFormat.format("{0} ({1})", subjectCn, issuerCn);
}
From source file:eu.europa.ec.markt.dss.DSSUtils.java
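/**
 * Loads the issuer certificate of {@code cert} from the CA Issuers location
 * advertised in its Authority Information Access (AIA) extension.
 * <p>
 * The remote certificate must be DER-encoded and may be supplied in binary or
 * printable (Base64) encoding. If it is provided in Base64 encoding, it must be
 * bounded at the beginning by -----BEGIN CERTIFICATE----- and at the end by
 * -----END CERTIFICATE-----.
 * <p>
 * The fetched certificate is returned only when its subject equals the issuer
 * name of {@code cert} <em>and</em> its public key verifies the signature on
 * {@code cert}. The AIA URL is chosen by whoever produced {@code cert}, so a
 * matching name alone is not evidence that the fetched certificate is the
 * real issuer.
 *
 * @param cert   certificate for which the issuer should be loaded
 * @param loader the loader to use for fetching the AIA location
 * @return the issuer certificate, or {@code null} when {@code cert} carries no
 *         CA Issuers location or the fetched certificate does not issue it
 * @throws DSSException when the location cannot be retrieved or parsed
 */
public static X509Certificate loadIssuerCertificate(final X509Certificate cert, final HTTPDataLoader loader) {
    final String url = getAccessLocation(cert, X509ObjectIdentifiers.id_ad_caIssuers);
    if (url == null) {
        return null;
    }

    final X509Certificate issuerCert;
    try {
        final InputStream inputStream = loader.get(url);
        try {
            issuerCert = (X509Certificate) certificateFactory.generateCertificate(inputStream);
        } finally {
            // The original code never closed the stream returned by the loader.
            inputStream.close();
        }
    } catch (Exception e) {
        throw new DSSException("!!! Cannot load the issuer certificate", e);
    }

    if (!cert.getIssuerX500Principal().equals(issuerCert.getSubjectX500Principal())) {
        return null;
    }
    try {
        // Name match is necessary but not sufficient: the fetched certificate
        // must hold the key that actually signed cert.
        cert.verify(issuerCert.getPublicKey());
    } catch (java.security.GeneralSecurityException e) {
        return null;
    }
    // Return the issuer, not the certificate we started from (the original
    // returned cert here).
    return issuerCert;
}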
From source file:net.sf.keystore_explorer.crypto.x509.X509CertUtil.java
/**
 * Reports whether the supplied X.509 certificate names itself as its own
 * issuer, i.e. its issuer DN equals its subject DN.
 * <p>
 * NOTE(review): this is a name comparison only. It does not verify the
 * signature against the certificate's own public key, so strictly it detects
 * "self-issued" rather than "self-signed".
 *
 * @param cert
 *            The certificate
 * @return True if issuer DN and subject DN are equal
 */
public static boolean isCertificateSelfSigned(X509Certificate cert) {
    X500Principal subject = cert.getSubjectX500Principal();
    X500Principal issuer = cert.getIssuerX500Principal();
    return subject.equals(issuer);
}
From source file:net.link.util.test.pkix.PkiTestUtils.java
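/**
 * Builds and signs an X.509 v3 certificate (test fixture helper).
 * <p>
 * When {@code issuerCert} is given, its subject becomes the issuer name and
 * its public key feeds the authority key identifier; otherwise the certificate
 * is self-issued with {@code subjectDn}. The issuer DN is carried over as the
 * DER encoding of the issuer's subject rather than through
 * {@code X500Principal.toString()} and re-parsing: a string round trip can
 * re-encode attributes and produce an issuer name that is not byte-identical
 * to the issuer's subject, which breaks strict path building.
 *
 * @param subjectPublicKey              key to certify
 * @param subjectDn                     subject DN in string form
 * @param issuerPrivateKey              key that signs the certificate
 * @param issuerCert                    issuer certificate, or {@code null} for a self-issued certificate
 * @param notBefore                     start of validity
 * @param notAfter                      end of validity
 * @param signatureAlgorithm            JCA signature algorithm name, or {@code null} for
 *                                      SHA512WithRSAEncryption (assumes an RSA issuer key; other key
 *                                      types need an explicit algorithm)
 * @param includeAuthorityKeyIdentifier whether to add the authority key identifier extension
 * @param caCert                        value of the basicConstraints cA flag
 * @param timeStampingPurpose           whether to add a critical EKU of id-kp-timeStamping
 * @param ocspUri                       OCSP responder to advertise via AIA, or {@code null}
 * @return the signed certificate, converted with the BC provider
 * @throws IOException               if an extension cannot be encoded
 * @throws CertificateException      if the certificate cannot be converted
 * @throws OperatorCreationException if the content signer cannot be created
 */
public static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn,
        PrivateKey issuerPrivateKey, @Nullable X509Certificate issuerCert, DateTime notBefore, DateTime notAfter,
        @Nullable String signatureAlgorithm, boolean includeAuthorityKeyIdentifier, boolean caCert,
        boolean timeStampingPurpose, @Nullable URI ocspUri)
        throws IOException, CertificateException, OperatorCreationException {

    String finalSignatureAlgorithm = signatureAlgorithm;
    if (null == signatureAlgorithm) {
        finalSignatureAlgorithm = "SHA512WithRSAEncryption";
    }

    // Subject DN parsed from its string form (same parser as before); the
    // issuer reuses the exact encoded name of the issuer certificate when one
    // is given, and the subject name itself when self-issued.
    X500Name subject = X500Name.getInstance(new X509Principal(subjectDn).toASN1Primitive());
    X500Name issuer;
    PublicKey issuerPublicKey;
    if (null != issuerCert) {
        issuer = X500Name.getInstance(issuerCert.getSubjectX500Principal().getEncoded());
        issuerPublicKey = issuerCert.getPublicKey();
    } else {
        issuer = subject;
        issuerPublicKey = subjectPublicKey;
    }

    SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded());
    BigInteger serialNumber = new BigInteger(SERIALNUMBER_NUM_BITS, new SecureRandom());
    X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(issuer, serialNumber,
            notBefore.toDate(), notAfter.toDate(), subject, publicKeyInfo);

    // prepare signer
    ContentSigner signer = new JcaContentSignerBuilder(finalSignatureAlgorithm).build(issuerPrivateKey);

    // add extensions
    certificateBuilder.addExtension(X509Extension.subjectKeyIdentifier, false,
            createSubjectKeyId(subjectPublicKey));
    if (includeAuthorityKeyIdentifier) {
        certificateBuilder.addExtension(X509Extension.authorityKeyIdentifier, false,
                createAuthorityKeyId(issuerPublicKey));
    }
    // NOTE(review): RFC 5280 requires basicConstraints to be critical on CA
    // certificates; it is kept non-critical here to match existing fixtures.
    certificateBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(caCert));
    if (timeStampingPurpose) {
        certificateBuilder.addExtension(X509Extension.extendedKeyUsage, true,
                new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping));
    }
    if (null != ocspUri) {
        GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier,
                new DERIA5String(ocspUri.toString()));
        AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess(
                X509ObjectIdentifiers.ocspAccessMethod, ocspName);
        certificateBuilder.addExtension(X509Extension.authorityInfoAccess, false, authorityInformationAccess);
    }

    // build
    return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateBuilder.build(signer));
}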
From source file:net.sf.keystore_explorer.crypto.x509.X509CertUtil.java
/**
 * Returns a short display name for a certificate: its subject common name
 * when present, otherwise the full subject distinguished name.
 *
 * @param cert
 *            Certificate
 * @return Short name
 */
public static String getShortName(X509Certificate cert) {
    X500Name subject = X500NameUtils.x500PrincipalToX500Name(cert.getSubjectX500Principal());
    String commonName = extractCommonName(subject);
    return commonName != null ? commonName : subject.toString();
}
From source file:ee.ria.xroad.signer.certmanager.OcspClient.java
/**
 * Builds an OCSP request for {@code subjectCert}.
 * <p>
 * The request is signed with {@code signerKey} when both {@code signerKey}
 * and {@code signerCert} are supplied; the signer certificate is then
 * attached to the request and its subject used as the requestor name.
 * Otherwise an unsigned request is produced.
 *
 * @param subjectCert certificate whose status is queried
 * @param issuerCert  issuer of {@code subjectCert}, used to build the CertID
 * @param signerKey   private key for signing the request, or {@code null}
 * @param signerCert  certificate matching {@code signerKey}, or {@code null}
 * @param signAlgoId  signature algorithm identifier passed to CryptoUtils
 * @return the built request
 * @throws Exception if the CertID, signer or request cannot be created
 */
private static OCSPReq createRequest(X509Certificate subjectCert, X509Certificate issuerCert,
        PrivateKey signerKey, X509Certificate signerCert, String signAlgoId) throws Exception {
    OCSPReqBuilder requestBuilder = new OCSPReqBuilder();
    CertificateID certId = CryptoUtils.createCertId(subjectCert, issuerCert);
    requestBuilder.addRequest(certId);

    boolean signRequest = signerKey != null && signerCert != null;
    if (!signRequest) {
        log.trace("Creating unsigned OCSP request for certificate '{}'", subjectCert.getSubjectX500Principal());
        return requestBuilder.build();
    }

    X509CertificateHolder signerCertHolder = new X509CertificateHolder(signerCert.getEncoded());
    ContentSigner contentSigner = CryptoUtils.createContentSigner(signAlgoId, signerKey);
    log.trace("Creating signed OCSP request for certificate '{}' (signed by {})",
            subjectCert.getSubjectX500Principal(), signerCertHolder.getSubject());
    // A requestor name is required when the request is signed.
    requestBuilder.setRequestorName(signerCertHolder.getSubject());
    return requestBuilder.build(contentSigner, new X509CertificateHolder[] { signerCertHolder });
}
From source file:net.sf.keystore_explorer.crypto.x509.X509CertUtil.java
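/**
 * Tries to build a chain of trust from {@code cert} to a self-issued
 * certificate in {@code compCerts}.
 * <p>
 * A comparison certificate is a usable link when its subject equals the
 * issuer of the certificate being extended and its key verifies that
 * certificate's signature. A self-issued link (subject equals issuer)
 * terminates the chain; otherwise the search continues from that link.
 * <p>
 * The recursion is bounded by the number of comparison certificates: a valid
 * chain never reuses a certificate, so any deeper path must be a cycle (for
 * example two cross-signed CAs, neither self-issued), which previously
 * recursed without end. The terminating self-issued certificate is accepted
 * on name equality; its own signature is not verified here.
 *
 * @param cert      the certificate to anchor
 * @param compCerts candidate issuers and trust anchors
 * @return the chain starting with {@code cert} and ending at the self-issued
 *         anchor, or {@code null} when no chain of trust exists
 * @throws CryptoException if signature verification fails unexpectedly
 */
private static X509Certificate[] establishTrust(X509Certificate cert, List<X509Certificate> compCerts)
        throws CryptoException {
    return establishTrust(cert, compCerts, 0);
}

/**
 * Depth-bounded worker for {@link #establishTrust(X509Certificate, List)}.
 *
 * @param cert      the certificate to anchor at this level
 * @param compCerts candidate issuers and trust anchors
 * @param depth     number of links already below {@code cert} on the current path
 * @return the chain from {@code cert} to an anchor, or {@code null}
 * @throws CryptoException if signature verification fails unexpectedly
 */
private static X509Certificate[] establishTrust(X509Certificate cert, List<X509Certificate> compCerts,
        int depth) throws CryptoException {
    if (depth >= compCerts.size()) {
        return null; // Longer than any acyclic path through compCerts: we are looping
    }
    for (X509Certificate compCert : compCerts) {
        // Link only if the comparison certificate's subject is the same as the certificate's issuer
        if (!cert.getIssuerX500Principal().equals(compCert.getSubjectX500Principal())) {
            continue;
        }
        // ... and the comparison certificate's private key was used to sign the certificate
        if (!X509CertUtil.verifyCertificate(cert, compCert)) {
            continue;
        }
        // A self-issued comparison certificate completes the chain of trust
        if (compCert.getSubjectX500Principal().equals(compCert.getIssuerX500Principal())) {
            return new X509Certificate[] { cert, compCert };
        }
        // Otherwise try to extend the chain from the comparison certificate
        X509Certificate[] tail = establishTrust(compCert, compCerts, depth + 1);
        if (tail != null) {
            X509Certificate[] chain = new X509Certificate[tail.length + 1];
            chain[0] = cert;
            System.arraycopy(tail, 0, chain, 1, tail.length);
            return chain;
        }
    }
    return null; // No chain of trust
}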
From source file:test.integ.be.fedict.trust.util.TestUtils.java
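/**
 * Builds (but does not sign) a v2 CRL generator for {@code issuerCertificate},
 * listing every serial in {@code revokedCertificateSerialNumbers} as revoked
 * at {@code thisUpdate} with reason privilegeWithdrawn, and adding the
 * authority key identifier and CRL number extensions.
 * <p>
 * NOTE(review): the signature algorithm is fixed to SHA1withRSA, which is
 * acceptable for a test fixture but must not be copied into production code.
 *
 * @param crlNumber                        value of the CRLNumber extension
 * @param issuerCertificate                certificate whose subject issues the CRL
 * @param thisUpdate                       CRL thisUpdate, also used as the revocation date of every entry
 * @param nextUpdate                       CRL nextUpdate
 * @param revokedCertificateSerialNumbers  serials to list as revoked; {@code null} is treated as empty
 * @return the configured generator
 * @throws CertificateParsingException if the issuer certificate cannot be parsed for the AKI
 */
public static X509V2CRLGenerator getCrlGenerator(int crlNumber, X509Certificate issuerCertificate,
        DateTime thisUpdate, DateTime nextUpdate, List<BigInteger> revokedCertificateSerialNumbers)
        throws CertificateParsingException {
    X509V2CRLGenerator crlGenerator = new X509V2CRLGenerator();
    crlGenerator.setThisUpdate(thisUpdate.toDate());
    crlGenerator.setNextUpdate(nextUpdate.toDate());
    crlGenerator.setSignatureAlgorithm("SHA1withRSA");
    crlGenerator.setIssuerDN(issuerCertificate.getSubjectX500Principal());

    // Every entry shares thisUpdate as its revocation date, so the entries are
    // added directly instead of via an intermediate RevokedCertificate list.
    if (revokedCertificateSerialNumbers != null) {
        for (BigInteger serialNumber : revokedCertificateSerialNumbers) {
            crlGenerator.addCRLEntry(serialNumber, thisUpdate.toDate(), CRLReason.privilegeWithdrawn);
        }
    }

    crlGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(issuerCertificate));
    // BigInteger.valueOf replaces the int -> String -> BigInteger round trip
    crlGenerator.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(BigInteger.valueOf(crlNumber)));
    return crlGenerator;
}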
From source file:net.link.util.common.KeyUtils.java
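/**
 * Builds and signs an X.509 v3 certificate.
 * <p>
 * When {@code issuerCert} is given, its subject becomes the issuer name and
 * its public key feeds the authority key identifier; otherwise the certificate
 * is self-issued with {@code subjectDn}. The issuer DN is carried over as the
 * DER encoding of the issuer's subject rather than through
 * {@code X500Principal.toString()} and re-parsing: a string round trip can
 * re-encode attributes and produce an issuer name that is not byte-identical
 * to the issuer's subject, which breaks strict path building.
 * <p>
 * NOTE(review): when {@code inSignatureAlgorithm} is {@code null} the
 * fallback pairs SHA-1 with the issuer key's algorithm name. SHA-1 signatures
 * are deprecated; callers should pass an explicit algorithm.
 *
 * @param subjectPublicKey      key to certify
 * @param subjectDn             subject DN in string form
 * @param issuerPrivateKey      key that signs the certificate
 * @param issuerCert            issuer certificate, or {@code null} for a self-issued certificate
 * @param notBefore             start of validity
 * @param notAfter              end of validity
 * @param inSignatureAlgorithm  JCA signature algorithm name, or {@code null} for the SHA-1 fallback
 * @param caCert                value of the basicConstraints cA flag
 * @param timeStampingPurpose   whether to add a critical EKU of id-kp-timeStamping
 * @param ocspUri               OCSP responder to advertise via AIA, or {@code null}
 * @return the signed certificate, converted with the BC provider
 * @throws InternalInconsistencyException if X.509 is unsupported, the signer cannot be
 *                                        created or an extension cannot be encoded
 */
public static X509Certificate generateCertificate(PublicKey subjectPublicKey, String subjectDn,
        PrivateKey issuerPrivateKey, @Nullable X509Certificate issuerCert, DateTime notBefore, DateTime notAfter,
        String inSignatureAlgorithm, boolean caCert, boolean timeStampingPurpose, @Nullable URI ocspUri) {
    try {
        String signatureAlgorithm = inSignatureAlgorithm;
        if (null == signatureAlgorithm) {
            signatureAlgorithm = String.format("SHA1With%s", issuerPrivateKey.getAlgorithm());
        }

        // Subject DN parsed from its string form (same parser as before); the
        // issuer reuses the exact encoded name of the issuer certificate when
        // one is given, and the subject name itself when self-issued.
        X500Name subject = X500Name.getInstance(new X509Principal(subjectDn).toASN1Primitive());
        X500Name issuer;
        PublicKey issuerPublicKey;
        if (null != issuerCert) {
            issuer = X500Name.getInstance(issuerCert.getSubjectX500Principal().getEncoded());
            issuerPublicKey = issuerCert.getPublicKey();
        } else {
            issuer = subject;
            issuerPublicKey = subjectPublicKey;
        }

        SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded());
        BigInteger serialNumber = new BigInteger(SERIALNUMBER_NUM_BITS, new SecureRandom());
        X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(issuer, serialNumber,
                notBefore.toDate(), notAfter.toDate(), subject, publicKeyInfo);

        // prepare signer
        ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(issuerPrivateKey);

        // add extensions
        certificateBuilder.addExtension(X509Extension.subjectKeyIdentifier, false,
                createSubjectKeyId(subjectPublicKey));
        certificateBuilder.addExtension(X509Extension.authorityKeyIdentifier, false,
                createAuthorityKeyId(issuerPublicKey));
        // NOTE(review): RFC 5280 requires basicConstraints to be critical on
        // CA certificates; it is kept non-critical here to preserve behaviour.
        certificateBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(caCert));
        if (timeStampingPurpose) {
            certificateBuilder.addExtension(X509Extension.extendedKeyUsage, true,
                    new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping));
        }
        if (null != ocspUri) {
            GeneralName ocspName = new GeneralName(GeneralName.uniformResourceIdentifier, ocspUri.toString());
            AuthorityInformationAccess authorityInformationAccess = new AuthorityInformationAccess(
                    X509ObjectIdentifiers.ocspAccessMethod, ocspName);
            certificateBuilder.addExtension(X509Extension.authorityInfoAccess, false,
                    authorityInformationAccess);
        }

        // build
        return new JcaX509CertificateConverter().setProvider("BC")
                .getCertificate(certificateBuilder.build(signer));
    } catch (CertificateException e) {
        throw new InternalInconsistencyException("X.509 is not supported.", e);
    } catch (OperatorCreationException e) {
        throw new InternalInconsistencyException(e);
    } catch (CertIOException e) {
        throw new InternalInconsistencyException(e);
    }
}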
From source file:net.sf.keystore_explorer.crypto.x509.X509CertUtil.java
/**
 * Finds, among {@code certs}, a certificate whose issuer DN equals the
 * subject DN of {@code issuerCert}, skipping any entry that carries the same
 * subject and issuer DNs as {@code issuerCert} (i.e. the issuer itself).
 * Matching is by distinguished name only; no signature is checked.
 *
 * @param issuerCert the prospective issuer
 * @param certs      certificates to search, in order
 * @return the first match in array order, or {@code null} if there is none
 */
private static X509Certificate findIssuedCert(X509Certificate issuerCert, X509Certificate[] certs) {
    X500Principal issuerSubject = issuerCert.getSubjectX500Principal();
    X500Principal issuerIssuer = issuerCert.getIssuerX500Principal();

    for (X509Certificate candidate : certs) {
        boolean sameNamesAsIssuer = issuerSubject.equals(candidate.getSubjectX500Principal())
                && issuerIssuer.equals(candidate.getIssuerX500Principal());
        if (sameNamesAsIssuer) {
            continue; // the candidate is, by name, the issuer itself
        }
        if (issuerSubject.equals(candidate.getIssuerX500Principal())) {
            return candidate;
        }
    }
    return null;
}