List of usage examples for java.security PublicKey getEncoded
public byte[] getEncoded();
From source file:org.cesecore.certificates.certificate.CertificateCreateSessionBean.java
@Override public CertificateDataWrapper createCertificate(final AuthenticationToken admin, final EndEntityInformation endEntityInformation, final CA ca, final RequestMessage request, final PublicKey pk, final int keyusage, final Date notBefore, final Date notAfter, final Extensions extensions, final String sequence, CertificateGenerationParams certGenParams, final long updateTime) throws AuthorizationDeniedException, IllegalNameException, CustomCertificateSerialNumberException, CertificateCreateException, CertificateRevokeException, CertificateSerialNumberException, CryptoTokenOfflineException, IllegalKeyException, CertificateExtensionException, IllegalValidityException, CAOfflineException, InvalidAlgorithmException { if (log.isTraceEnabled()) { log.trace(//from w ww. j a v a 2 s . c o m ">createCertificate(EndEntityInformation, CA, X500Name, pk, ku, notBefore, notAfter, extesions, sequence)"); } // Even though CA is passed as an argument to this method, we do check authorization on that. // To make sure we properly log authorization checks needed to issue a cert. // We need to check that admin have rights to create certificates, and have access to the CA if (!accessSession.isAuthorized(admin, StandardRules.CREATECERT.resource(), StandardRules.CAACCESS.resource() + ca.getCAId())) { final String msg = intres.getLocalizedMessage("createcert.notauthorized", admin.toString(), ca.getCAId()); throw new AuthorizationDeniedException(msg); } // Audit log that we received the request final Map<String, Object> details = new LinkedHashMap<String, Object>(); details.put("subjectdn", endEntityInformation.getDN()); details.put("requestX500name", (request == null || request.getRequestX500Name() == null) ? "null" : request.getRequestX500Name().toString()); details.put("certprofile", endEntityInformation.getCertificateProfileId()); details.put("keyusage", keyusage); details.put("notbefore", notBefore); details.put("notafter", notAfter); details.put("sequence", sequence); details.put("publickey", new String(Base64.encode(pk.getEncoded(), false))); logSession.log(EventTypes.CERT_REQUEST, EventStatus.SUCCESS, ModuleTypes.CERTIFICATE, ServiceTypes.CORE, admin.toString(), String.valueOf(ca.getCAId()), null, endEntityInformation.getUsername(), details); // Set up audit logging of CT pre-certificate addCTLoggingCallback(certGenParams, admin.toString()); try { CertificateDataWrapper result = null; // If the user is of type USER_INVALID, it cannot have any other type (in the mask) if (endEntityInformation.getType().isType(EndEntityTypes.INVALID)) { final String msg = intres.getLocalizedMessage("createcert.usertypeinvalid", endEntityInformation.getUsername()); throw new CertificateCreateException(msg); } final Certificate cacert = ca.getCACertificate(); final String caSubjectDN = CertTools.getSubjectDN(cacert); assertSubjectEnforcements(ca, caSubjectDN, endEntityInformation, pk); // Retrieve the certificate profile this user should have, checking for authorization to the profile final int certProfileId = endEntityInformation.getCertificateProfileId(); final CertificateProfile certProfile = getCertificateProfile(certProfileId, ca.getCAId()); // Check that the request public key fulfills policy verifyKey(pk, certProfile); // Below we have a small loop if it would happen that we generate the same serial number twice // If using only 4 byte serial numbers this do happen once in a while Certificate cert = null; String cafingerprint = null; String serialNo = "unknown"; final boolean useCustomSN; { final ExtendedInformation ei = endEntityInformation.getExtendedinformation(); useCustomSN = ei != null && ei.certificateSerialNumber() != null; } final int maxRetrys; if (useCustomSN) { if (ca.isUseCertificateStorage() && !isUniqueCertificateSerialNumberIndex()) { final String msg = intres.getLocalizedMessage("createcert.not_unique_certserialnumberindex"); log.error(msg); throw new CustomCertificateSerialNumberException(msg); } if (!certProfile.getAllowCertSerialNumberOverride()) { final String msg = intres.getLocalizedMessage( "createcert.certprof_not_allowing_cert_sn_override", Integer.valueOf(certProfileId)); log.info(msg); throw new CustomCertificateSerialNumberException(msg); } maxRetrys = 1; } else { maxRetrys = 5; } // Before storing the new certificate, check if single active certificate constraint is active, and if so let's revoke all active and unexpired certificates if (certProfile.isSingleActiveCertificateConstraint()) { for (Certificate certificate : certificateStoreSession.findCertificatesBySubjectAndIssuer( endEntityInformation.getCertificateDN(), caSubjectDN, true)) { //Authorization to the CA was already checked at the head of this method, so no need to do so now certificateStoreSession.setRevokeStatusNoAuth(admin, certificate, new Date(), RevokedCertInfo.REVOCATION_REASON_SUPERSEDED, endEntityInformation.getDN()); } } CertificateSerialNumberException storeEx = null; // this will not be null if stored == false after the below passage for (int retrycounter = 0; retrycounter < maxRetrys; retrycounter++) { final CryptoToken cryptoToken = cryptoTokenManagementSession .getCryptoToken(ca.getCAToken().getCryptoTokenId()); if (cryptoToken == null) { final String msg = intres.getLocalizedMessage("error.catokenoffline", ca.getCAId()); log.info(msg); CryptoTokenOfflineException exception = new CryptoTokenOfflineException( "CA's CryptoToken not found."); auditFailure(admin, exception, exception.getMessage(), "<createCertificate(EndEntityInformation, CA, X500Name, pk, ku, notBefore, notAfter, extesions, sequence)", ca.getCAId(), endEntityInformation.getUsername()); throw exception; } cert = ca.generateCertificate(cryptoToken, endEntityInformation, request, pk, keyusage, notBefore, notAfter, certProfile, extensions, sequence, certGenParams); serialNo = CertTools.getSerialNumberAsString(cert); cafingerprint = CertTools.getFingerprintAsString(cacert); // Store certificate in the database, if this CA is configured to do so. if (!ca.isUseCertificateStorage()) { result = new CertificateDataWrapper(cert, null, null); break; // We have our cert and we don't need to store it.. Move on.. } try { // Remember for CVC serialNo can be alphanumeric, so we can't just try to decode that using normal Java means (BigInteger.valueOf)... assertSerialNumberForIssuerOk(ca, caSubjectDN, CertTools.getSerialNumber(cert)); // Tag is reserved for future use, currently only null final String tag = null; // Authorization was already checked by since this is a private method, the CA parameter should // not be possible to get without authorization result = certificateStoreSession.storeCertificateNoAuth(admin, cert, endEntityInformation.getUsername(), cafingerprint, CertificateConstants.CERT_ACTIVE, certProfile.getType(), certProfileId, tag, updateTime); storeEx = null; break; } catch (CertificateSerialNumberException e) { // If we have created a unique index on (issuerDN,serialNumber) on table CertificateData we can // get a CreateException here if we would happen to generate a certificate with the same serialNumber // as one already existing certificate. if (retrycounter + 1 < maxRetrys) { log.info("Can not store certificate with serNo (" + serialNo + "), will retry (retrycounter=" + retrycounter + ") with a new certificate with new serialNo: " + e.getMessage()); } storeEx = e; } } if (storeEx != null) { if (useCustomSN) { final String msg = intres .getLocalizedMessage("createcert.cert_serial_number_already_in_database", serialNo); log.info(msg); throw new CustomCertificateSerialNumberException(msg); } log.error("Can not store certificate in database in 5 tries, aborting: ", storeEx); throw storeEx; } // Finally we check if this certificate should not be issued as active, but revoked directly upon issuance int revreason = RevokedCertInfo.NOT_REVOKED; ExtendedInformation ei = endEntityInformation.getExtendedinformation(); if (ei != null) { revreason = ei.getIssuanceRevocationReason(); if (revreason != RevokedCertInfo.NOT_REVOKED) { // If we don't store the certificate in the database, we wont support revocation/reactivation so issuing revoked certificates would be // really strange. if (ca.isUseCertificateStorage()) { certificateStoreSession.setRevokeStatusNoAuth(admin, cert, new Date(), revreason, endEntityInformation.getDN()); } else { log.warn( "CA configured to revoke issued certificates directly, but not to store issued the certificates. Revocation will be ignored. Please verify your configuration."); } } } if (log.isDebugEnabled()) { log.debug("Generated certificate with SerialNumber '" + serialNo + "' for user '" + endEntityInformation.getUsername() + "', with revocation reason=" + revreason); log.debug(cert.toString()); } // Audit log that we issued the certificate final Map<String, Object> issuedetails = new LinkedHashMap<String, Object>(); issuedetails.put("subjectdn", endEntityInformation.getDN()); issuedetails.put("certprofile", endEntityInformation.getCertificateProfileId()); issuedetails.put("issuancerevocationreason", revreason); try { issuedetails.put("cert", new String(Base64.encode(cert.getEncoded(), false))); } catch (CertificateEncodingException e) { //Should not be able to happen at this point throw new IllegalStateException(); } logSession.log(EventTypes.CERT_CREATION, EventStatus.SUCCESS, ModuleTypes.CERTIFICATE, ServiceTypes.CORE, admin.toString(), String.valueOf(ca.getCAId()), serialNo, endEntityInformation.getUsername(), issuedetails); if (log.isTraceEnabled()) { log.trace( "<createCertificate(EndEntityInformation, CA, X500Name, pk, ku, notBefore, notAfter, extesions, sequence)"); } return result; // We need to catch and re-throw all of these exception just because we need to audit log all failures } catch (CustomCertificateSerialNumberException e) { log.info(e.getMessage()); auditFailure(admin, e, null, "<createCertificate(EndEntityInformation, CA, X500Name, pk, ku, notBefore, notAfter, extesions, sequence)", ca.getCAId(), endEntityInformation.getUsername()); throw e; } catch (AuthorizationDeniedException e) { log.info(e.getMessage()); auditFailure(admin, e, null, "<createCertificate(EndEntityInformation, CA, X500Name, pk, ku, notBefore, notAfter, extesions, sequence)", ca.getCAId(), endEntityInformation.getUsername()); throw e; } catch (CertificateCreateException e) { log.info(e.getMessage()); auditFailure(admin, e, null, "<createCertificate(EndEntityInformation, CA, X500Name, pk, ku, notBefore, notAfter, extesions, sequence)", ca.getCAId(), endEntityInformation.getUsername()); // Rollback throw e; } catch (CryptoTokenOfflineException e) { final String msg = intres.getLocalizedMessage("error.catokenoffline", ca.getCAId()); log.info(msg); auditFailure(admin, e, e.getMessage(), "<createCertificate(EndEntityInformation, CA, X500Name, pk, ku, notBefore, notAfter, extesions, sequence)", ca.getCAId(), endEntityInformation.getUsername()); throw e; } catch (CAOfflineException e) { log.error("Error creating certificate", e); auditFailure(admin, e, null, "<createCertificate(EndEntityInformation, CA, X500Name, pk, ku, notBefore, notAfter, extesions, sequence)", ca.getCAId(), endEntityInformation.getUsername()); throw e; } catch (InvalidAlgorithmException e) { log.error("Error creating certificate", e); auditFailure(admin, e, null, "<createCertificate(EndEntityInformation, CA, X500Name, pk, ku, notBefore, notAfter, extesions, sequence)", ca.getCAId(), endEntityInformation.getUsername()); throw e; } catch (IllegalValidityException e) { log.error("Error creating certificate", e); auditFailure(admin, e, null, "<createCertificate(EndEntityInformation, CA, X500Name, pk, ku, notBefore, notAfter, extesions, sequence)", ca.getCAId(), endEntityInformation.getUsername()); throw e; } catch (OperatorCreationException e) { log.error("Error creating certificate", e); auditFailure(admin, e, null, "<createCertificate(EndEntityInformation, CA, X500Name, pk, ku, notBefore, notAfter, extesions, sequence)", ca.getCAId(), endEntityInformation.getUsername()); // Rollback throw new CertificateCreateException(e); } catch (SignatureException e) { log.error("Error creating certificate", e); auditFailure(admin, e, null, "<createCertificate(EndEntityInformation, CA, X500Name, pk, ku, notBefore, notAfter, extesions, sequence)", ca.getCAId(), endEntityInformation.getUsername()); // Rollback throw new CertificateCreateException(e); } catch (CertificateExtensionException e) { log.error("Error creating certificate", e); auditFailure(admin, e, null, "<createCertificate(EndEntityInformation, CA, X500Name, pk, ku, notBefore, notAfter, extesions, sequence)", ca.getCAId(), endEntityInformation.getUsername()); throw e; } }
From source file:com.netscape.cms.servlet.csadmin.ConfigurationUtils.java
public static void storeKeyPair(IConfigStore config, String tag, KeyPair pair) throws TokenException, EBaseException { logger.debug("ConfigurationUtils: storeKeyPair(" + tag + ")"); PublicKey publicKey = pair.getPublic(); if (publicKey instanceof RSAPublicKey) { RSAPublicKey rsaPublicKey = (RSAPublicKey) publicKey; byte modulus[] = rsaPublicKey.getModulus().toByteArray(); config.putString(PCERT_PREFIX + tag + ".pubkey.modulus", CryptoUtil.byte2string(modulus)); byte exponent[] = rsaPublicKey.getPublicExponent().toByteArray(); config.putString(PCERT_PREFIX + tag + ".pubkey.exponent", CryptoUtil.byte2string(exponent)); } else { // ECC logger.debug("ConfigurationUtils: Public key class: " + publicKey.getClass().getName()); byte encoded[] = publicKey.getEncoded(); config.putString(PCERT_PREFIX + tag + ".pubkey.encoded", CryptoUtil.byte2string(encoded)); }/*w w w . ja v a 2 s . c om*/ PrivateKey privateKey = (PrivateKey) pair.getPrivate(); byte id[] = privateKey.getUniqueID(); String kid = CryptoUtil.encodeKeyID(id); config.putString(PCERT_PREFIX + tag + ".privkey.id", kid); String keyAlgo = config.getString(PCERT_PREFIX + tag + ".signingalgorithm"); setSigningAlgorithm(tag, keyAlgo, config); }
From source file:com.netscape.ca.CertificateAuthority.java
public ResponderID getResponderIDByHash() { /*//from www . j a v a 2 s.c o m KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key --(excluding the tag and length fields) */ PublicKey publicKey = getOCSPSigningUnit().getPublicKey(); MessageDigest md = null; try { md = MessageDigest.getInstance("SHA1"); } catch (NoSuchAlgorithmException e) { return null; } md.update(publicKey.getEncoded()); byte digested[] = md.digest(); return new KeyHashID(new OCTET_STRING(digested)); }
From source file:org.ejbca.ui.cli.HSMKeyTool.java
private static boolean doIt(final String[] orgArgs) throws Exception { // Get and remove optional switches final List<String> argsList = CliTools.getAsModifyableList(orgArgs); final KeyStore.ProtectionParameter protectionParameter; final String password = CliTools.getAndRemoveParameter("-password", argsList); if (password != null) { protectionParameter = new KeyStore.PasswordProtection(password.toCharArray()); } else {// www . j a v a2 s. c o m protectionParameter = null; } final String[] args = CliTools.getAsArgs(argsList); if (args[1].toLowerCase().trim().contains(GENERATE_BATCH_SWITCH)) { if (args.length < 4) { printCommandString(args, "<name of batch file> [", TOKEN_ID_PARAM, "]"); printTokenIdDescription(); sunConfigFileUseDescription(); System.err.println( "The batch file is a file which specifies alias and key specification for each key to be generated."); System.err .println("Each row is starting with a key alias then the key specification is following."); System.err.println("The specification of the key is done like this: " + KEY_SPEC_DESC); tooFewArguments(args); } final String storeId; final Pkcs11SlotLabelType slotType; if (args.length > 4) { storeId = trimStoreId(args[4]); slotType = getTokenLabelType(args[4]); } else { storeId = null; slotType = Pkcs11SlotLabelType.SUN_FILE; } final KeyStoreTools store = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter, "batch-" + new Date().getTime()); generateBatch(args[3], store); return true; } if (args[1].toLowerCase().trim().contains(GENERATE_SWITCH)) { if (args.length < 4) { printCommandString(args, Character.valueOf('<'), KEY_SPEC_DESC, "> <key entry name> [", TOKEN_ID_PARAM, "]"); printTokenIdDescription(); sunConfigFileUseDescription(); tooFewArguments(args); } final String keyEntryName = args.length > 4 ? args[4] : "myKey"; final String storeId; final Pkcs11SlotLabelType slotType; if (args.length > 5) { storeId = trimStoreId(args[5]); slotType = getTokenLabelType(args[5]); } else { storeId = null; slotType = Pkcs11SlotLabelType.SUN_FILE; } System.out.println("Using Slot Reference Type: " + slotType + '.'); final KeyStoreTools store = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter, "priv-" + keyEntryName); store.generateKeyPair(args[3], keyEntryName); System.out.println("Created certificate with entry " + keyEntryName + '.'); return true; } if (args[1].toLowerCase().trim().equals(DELETE_SWITCH)) { if (args.length < 4) { printCommandString(args, TOKEN_ID_PARAM, " [<key entry name>]"); printTokenIdDescription(); tooFewArguments(args); } final String alias = args.length > 4 ? args[4] : null; System.out.println("Deleting certificate with alias " + alias + '.'); final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter) .deleteEntry(alias); return true; } if (args[1].toLowerCase().trim().equals(CERT_REQ)) { // First we check if we have a switch for "-explicitecc" for explicit ecc parameters used in ICAO epassports. final List<String> argsListLocal = CliTools.getAsModifyableList(args); final boolean explicitEccParameters = argsListLocal.remove("-explicitecc"); final boolean forAllKeys = argsListLocal.remove("-all"); final String modArgs[] = argsListLocal.toArray(new String[argsListLocal.size()]); if (modArgs.length < 4 || (modArgs.length < 5 && !forAllKeys)) { printCommandString(args, TOKEN_ID_PARAM, " <key entry name> [<CN>] [-explicitecc]"); printCommandString(args, TOKEN_ID_PARAM, " [-all] [-explicitecc]"); printTokenIdDescription(); tooFewArguments(modArgs); } final String storeId = trimStoreId(modArgs[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(modArgs[3]); final KeyStoreTools container = KeyStoreToolsFactory.getInstance(modArgs[2], storeId, slotType, null, protectionParameter); final List<String> entries; if (forAllKeys) { entries = new LinkedList<>(); final CachingKeyStoreWrapper ks = container.getKeyStore(); final Enumeration<String> aliases = ks.aliases(); while (aliases.hasMoreElements()) { final String alias = aliases.nextElement(); if (ks.isKeyEntry(alias)) { entries.add(alias); } } } else { entries = Collections.singletonList(modArgs[4]); } for (String entry : entries) { container.generateCertReq(entry, modArgs.length > 5 ? modArgs[5] : null, explicitEccParameters); } return true; } if (args[1].toLowerCase().trim().equals(INSTALL_CERT)) { if (args.length < 5) { printCommandString(args, TOKEN_ID_PARAM, " <certificate chain files in PEM format (one chain per file)>"); printTokenIdDescription(); tooFewArguments(args); } final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); final KeyStoreTools container = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter); boolean failure = false; for (int i = 4; i < args.length; i++) { try { container.installCertificate(args[i]); } catch (Exception ex) { failure = true; log.error("File " + args[i] + " failed.", ex); } } if (failure) { throw new Exception("At least one certificate could not be installed. See the log for more info."); } return true; } if (args[1].toLowerCase().trim().equals(INSTALL_TRUSTED_ROOT)) { if (args.length < 5) { printCommandString(args, TOKEN_ID_PARAM, " <trusted root certificate in PEM format>"); printTokenIdDescription(); tooFewArguments(args); } final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter) .installTrustedRoot(args[4]); return true; } if (args[1].toLowerCase().trim().equals(ENCRYPT_SWITCH)) { String symmAlgOid = CMSEnvelopedGenerator.AES128_CBC; if (args.length < 5) { System.err.println("There are two ways of doing the encryption:"); printCommandString(args, TOKEN_ID_PARAM, " <input file> <output file> <key alias> [optional symm algorithm oid]"); printCommandStringNoSharedLib(args, "<input file> <output file> <file with certificate with public key to use> [optional symm algorithm oid]"); printTokenIdDescription(); System.err.println( "Optional symmetric encryption algorithm OID can be for example 2.16.840.1.101.3.4.1.42 (AES256_CBC) or 1.2.392.200011.61.1.1.1.4 (CAMELLIA256_CBC). Default is to use AES256_CBC."); tooFewArguments(args); } if (args.length < 7) { Security.addProvider(new BouncyCastleProvider()); if (args.length > 5) { // We have a symmAlg as last parameter symmAlgOid = args[5]; } System.out.println("Using symmetric encryption algorithm: " + symmAlgOid); try (final InputStream certIS = new FileInputStream(args[4]); final InputStream is = new FileInputStream(args[2]); final OutputStream os = new FileOutputStream(args[3])) { final X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509") .generateCertificate(new BufferedInputStream(certIS)); CMS.encrypt(is, os, cert, symmAlgOid); } } else { if (args.length > 7) { // We have a symmAlg as last parameter symmAlgOid = args[7]; } System.out.println("Using symmstric encryption algorithm: " + symmAlgOid); final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); try (final InputStream is = new FileInputStream(args[4]); final OutputStream os = new FileOutputStream(args[5]);) { final Certificate cert = KeyStoreToolsFactory .getInstance(args[2], storeId, slotType, null, protectionParameter).getKeyStore() .getCertificate(args[6]); CMS.encrypt(is, os, (X509Certificate) cert, symmAlgOid); } } return true; } if (args[1].toLowerCase().trim().equals(DECRYPT_SWITCH)) { if (args.length < 7) { printCommandString(args, TOKEN_ID_PARAM, " <input file> <output file> <key alias>"); printTokenIdDescription(); tooFewArguments(args); } final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); try (final InputStream is = new FileInputStream(args[4]); final OutputStream os = new FileOutputStream(args[5])) { final KeyStoreTools keyStore = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter); CMS.decrypt(is, os, (PrivateKey) keyStore.getKeyStore().getKey(args[6], null), keyStore.getProviderName()); } return true; } if (args[1].toLowerCase().trim().equals(SIGN_SWITCH)) { if (args.length < 7) { printCommandString(args, TOKEN_ID_PARAM, " <input file> <output file> <key alias>"); printTokenIdDescription(); tooFewArguments(args); } final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); final KeyStoreTools keyStore = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter); final String alias = args[6]; final PrivateKey key = (PrivateKey) keyStore.getKeyStore().getKey(alias, null); final X509Certificate cert = (X509Certificate) keyStore.getKeyStore().getCertificate(alias); try (final InputStream is = new FileInputStream(args[4]); final OutputStream os = new FileOutputStream(args[5]);) { CMS.sign(is, os, key, keyStore.getProviderName(), cert); } return true; } if (args[1].toLowerCase().trim().equals(LINKCERT_SWITCH)) { if (args.length < 8) { printCommandString(args, TOKEN_ID_PARAM, " <old ca-cert> <new ca-cert> <output link-cert> <key alias> [<sig alg override>]"); printTokenIdDescription(); System.err.println(); System.err.println("Creates a link certificate that links the old and new certificate files."); System.err.println("You should use this command with the old HSM key. It does not need any"); System.err.println("access to the new key."); System.err.println(); tooFewArguments(args); } final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); final KeyStoreTools ksc = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter); final String alias = args[7]; final String oldCertPath = args[4]; final String newCertPath = args[5]; final String outputPath = args[6]; final String signProviderName = ksc.getProviderName(); final String sigAlgOverride = (args.length > 8 ? args[8] : "null"); // Parse certificates final byte[] oldCertBytes; try (final InputStream is = new FileInputStream(oldCertPath)) { oldCertBytes = IOUtils.toByteArray(is); } final byte[] newCertBytes; try (final InputStream is = new FileInputStream(newCertPath)) { newCertBytes = IOUtils.toByteArray(is); } final Certificate oldCert = CertTools.getCertfromByteArray(oldCertBytes, BouncyCastleProvider.PROVIDER_NAME, Certificate.class); final Certificate newCert = CertTools.getCertfromByteArray(newCertBytes, BouncyCastleProvider.PROVIDER_NAME, Certificate.class); final boolean isCVCA = (oldCert instanceof CardVerifiableCertificate); if (isCVCA != (newCert instanceof CardVerifiableCertificate)) { log.error("Error: Old and new certificates are not of the same type (X509 / CVC)"); return true; // = valid command-line syntax } System.out.println("Type of certificates: " + (isCVCA ? "CVC" : "X509")); // Detect name change final String oldDN = CertTools.getSubjectDN(oldCert); final String newDN = CertTools.getSubjectDN(newCert); System.out.println("Old DN: " + oldDN); System.out.println("New DN: " + newDN); final boolean nameChange; if (!oldDN.equals(newDN)) { if (isCVCA) { System.out.println("Name change detected."); } else { System.out.println("Name change detected. Will add Name Change extension."); } nameChange = true; } else { System.out.println("No name change detected."); nameChange = false; } final ByteArrayOutputStream baos = new ByteArrayOutputStream(); // Get new and old key final PublicKey newPubKey = newCert.getPublicKey(); if (newPubKey == null) { System.err.println("Error: Failed to extract public key from new certificate"); return true; } final Key oldKey = ksc.getKeyStore().getKey(alias, null); if (oldKey == null) { System.err.println("Error: Could not find the key named " + alias); return true; } final PrivateKey oldPrivKey = (PrivateKey) oldKey; if (isCVCA) { final CVCertificate oldCertCVC = ((CardVerifiableCertificate) oldCert).getCVCertificate(); final CVCertificate newCertCVC = ((CardVerifiableCertificate) newCert).getCVCertificate(); final String linkSigAlg; if (sigAlgOverride.equalsIgnoreCase("null")) { final OIDField oldKeyTypeOid = oldCertCVC.getCertificateBody().getPublicKey() .getObjectIdentifier(); linkSigAlg = AlgorithmUtil.getAlgorithmName(oldKeyTypeOid); } else { System.err.println("Error: Overriding the signature algorithm is not supported for CVC"); return true; } System.out.println("Using signature algorithm " + linkSigAlg); final HolderReferenceField caHolder = oldCertCVC.getCertificateBody().getHolderReference(); final CAReferenceField caRef = new CAReferenceField(caHolder.getCountry(), caHolder.getMnemonic(), caHolder.getSequence()); final HolderReferenceField certHolder = newCertCVC.getCertificateBody().getHolderReference(); final AuthorizationRole authRole = newCertCVC.getCertificateBody().getAuthorizationTemplate() .getAuthorizationField().getAuthRole(); final AccessRights rights = newCertCVC.getCertificateBody().getAuthorizationTemplate() .getAuthorizationField().getAccessRights(); final Date validFrom = new Date(new Date().getTime() - 60L * 15L * 1000L); // back date by 15 minutes to allow for clock skew final Date validTo = oldCertCVC.getCertificateBody().getValidTo(); final CVCertificate linkCert = CertificateGenerator.createCertificate(newPubKey, oldPrivKey, linkSigAlg, caRef, certHolder, authRole, rights, validFrom, validTo, signProviderName); try (final DataOutputStream dos = new DataOutputStream(baos)) { linkCert.encode(dos); } } else { // X509 CA final X509Certificate oldCertX509 = (X509Certificate) oldCert; final X509Certificate newCertX509 = (X509Certificate) newCert; final String linkSigAlg; if (sigAlgOverride.equalsIgnoreCase("null")) { // Actually, we should use signature algorithm of new cert if the old key allows that. // Instead of doing that we allow the user to manually override the signature algorithm if needed. linkSigAlg = oldCertX509.getSigAlgName(); } else { System.err.println("Warning: Signature algorithm manually overridden!"); linkSigAlg = sigAlgOverride; } System.out.println("Using signature algorithm " + linkSigAlg); final BigInteger serno = SernoGeneratorRandom.instance().getSerno(); final SubjectPublicKeyInfo pkinfo = SubjectPublicKeyInfo.getInstance(newPubKey.getEncoded()); final Date validFrom = new Date(new Date().getTime() - 60L * 15L * 1000L); // back date by 15 minutes to allow for clock skew final Date validTo = oldCertX509.getNotAfter(); final X500Name oldDNName = X500Name.getInstance(oldCertX509.getSubjectX500Principal().getEncoded()); final X500Name newDNName = X500Name.getInstance(newCertX509.getSubjectX500Principal().getEncoded()); final X509v3CertificateBuilder certbuilder = new X509v3CertificateBuilder(oldDNName, serno, validFrom, validTo, newDNName, pkinfo); // Copy all extensions except AKID final ExtensionsGenerator extgen = new ExtensionsGenerator(); final Set<String> oids = new LinkedHashSet<>(); final Set<String> criticalOids = newCertX509.getCriticalExtensionOIDs(); oids.addAll(criticalOids); oids.addAll(newCertX509.getNonCriticalExtensionOIDs()); for (final String extOidStr : oids) { final ASN1ObjectIdentifier extoid = new ASN1ObjectIdentifier(extOidStr); if (!extoid.equals(Extension.authorityKeyIdentifier)) { final byte[] extbytes = newCertX509.getExtensionValue(extOidStr); final ASN1OctetString str = (ASN1OctetString) ASN1Primitive.fromByteArray(extbytes); extgen.addExtension(extoid, criticalOids.contains(extOidStr), ASN1Primitive.fromByteArray(str.getOctets())); } } if (nameChange) { // id-icao-mrtd-security-extensions-nameChange = 2.23.136.1.1.6.1 extgen.addExtension(ICAOObjectIdentifiers.id_icao_extensions_namechangekeyrollover, false, DERNull.INSTANCE); } // Some checks if (newCertX509.getExtensionValue(Extension.subjectKeyIdentifier.getId()) == null) { System.err.println( "Warning: Certificate of new CSCA is missing the Subject Key Identifier extension, which is mandatory."); } if (newCertX509.getExtensionValue(Extension.authorityKeyIdentifier.getId()) == null) { System.err.println( "Warning: Certificate of new CSCA is missing the Authority Key Identifier extension, which is mandatory."); } // If the new cert has an AKID, then add that extension but with the key id value of the old cert final byte[] oldSKIDBytes = oldCertX509.getExtensionValue(Extension.subjectKeyIdentifier.getId()); if (oldSKIDBytes != null) { final ASN1OctetString str = (ASN1OctetString) ASN1Primitive.fromByteArray(oldSKIDBytes); final ASN1OctetString innerStr = (ASN1OctetString) ASN1Primitive.fromByteArray(str.getOctets()); final AuthorityKeyIdentifier akidExt = new AuthorityKeyIdentifier(innerStr.getOctets()); extgen.addExtension(Extension.authorityKeyIdentifier, false, akidExt); } else { System.err.println( "Warning: The old certificate doesn't have any SubjectKeyIdentifier. The link certificate will not have any AuthorityKeyIdentifier."); } // Add extensions to the certificate final Extensions exts = extgen.generate(); for (final ASN1ObjectIdentifier extoid : exts.getExtensionOIDs()) { final Extension ext = exts.getExtension(extoid); certbuilder.addExtension(extoid, ext.isCritical(), ext.getParsedValue()); } // Sign the certificate final ContentSigner signer = new BufferingContentSigner( new JcaContentSignerBuilder(linkSigAlg).setProvider(signProviderName).build(oldPrivKey), 20480); final X509CertificateHolder certHolder = certbuilder.build(signer); baos.write(certHolder.getEncoded()); // Save to output file try (final FileOutputStream fos = new FileOutputStream(outputPath)) { baos.writeTo(fos); } } return true; } if (args[1].toLowerCase().trim().equals(VERIFY_SWITCH)) { final CMS.VerifyResult verifyResult; if (args.length < 5) { System.err.println("There are two ways of doing the encryption:"); printCommandString(args, TOKEN_ID_PARAM, " <input file> <output file> <key alias>"); printTokenIdDescription(); printCommandStringNoSharedLib(args, "<input file> <output file> <file with certificate with public key to use>"); tooFewArguments(args); } if (args.length < 7) { Security.addProvider(new BouncyCastleProvider()); try (final InputStream certIS = new FileInputStream(args[4]); final InputStream is = new FileInputStream(args[2]); final OutputStream os = new FileOutputStream(args[3]);) { final X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509") .generateCertificate(new BufferedInputStream(certIS)); verifyResult = CMS.verify(is, os, cert); } } else { final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); final KeyStoreTools keyStore = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter); final X509Certificate cert = (X509Certificate) keyStore.getKeyStore().getCertificate(args[6]); try (final InputStream is = new FileInputStream(args[4]); final OutputStream os = new FileOutputStream(args[5])) { verifyResult = CMS.verify(is, os, cert); } } if (verifyResult == null) { System.err.println("Not possible to parse signed file."); System.exit(4); // Not verifying // NOPMD, it's not a JEE app return false;//will never be executes. just to avoid warning. } System.out.println( "The signature of the input " + (verifyResult.isVerifying ? "has been" : "could not be") + " verified. The file was signed on '" + verifyResult.signDate + "'. The public part of the signing key is in a certificate with serial number " + verifyResult.signerId.getSerialNumber() + " issued by '" + verifyResult.signerId.getIssuer() + "'."); if (!verifyResult.isVerifying) { System.exit(4); // Not verifying // NOPMD, it's not a JEE app } return true; } if (args[1].toLowerCase().trim().equals(TEST_SWITCH)) { if (args.length < 4) { printCommandString(args, TOKEN_ID_PARAM, " [<'m:n' m # of threads, n # of tests>] [<alias for stress test>] [<type of stress test>]"); printTokenIdDescription(); System.err.println( " If a file named \"./testData\" exists then the data that is signed, is read from this file."); tooFewArguments(args); } final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); final NrOfThreadsAndNrOfTests notanot = new NrOfThreadsAndNrOfTests(args.length > 4 ? args[4] : null); KeyStoreContainerTest.test(args[2], storeId, slotType, notanot.threads, notanot.tests, args.length > 5 ? args[5].trim() : null, args.length > 6 ? args[6].trim() : null, protectionParameter); return true; } if (args[1].toLowerCase().trim().equals(RENAME)) { if (args.length < 6) { printCommandString(args, TOKEN_ID_PARAM, " <old key alias> <new key alias>"); printTokenIdDescription(); tooFewArguments(args); } final String storeId = trimStoreId(args[3]); final Pkcs11SlotLabelType slotType = getTokenLabelType(args[3]); final KeyStoreTools keyStore = KeyStoreToolsFactory.getInstance(args[2], storeId, slotType, null, protectionParameter); keyStore.renameEntry(args[4], args[5]); return true; } if (args[1].toLowerCase().trim().equals(MOVE_SWITCH)) { if (args.length < 5) { printCommandString(args, "<from PKCS#11 token identifier> <to PKCS#11 token identifier>"); printTokenIdDescription(); tooFewArguments(args); } final KeyStoreTools fromKS = KeyStoreToolsFactory.getInstance(args[2], trimStoreId(args[3]), getTokenLabelType(args[3]), null, protectionParameter); final KeyStoreTools toKS = KeyStoreToolsFactory.getInstance(args[2], trimStoreId(args[4]), getTokenLabelType(args[4]), null, protectionParameter); System.out.println("Moving entry with alias '" + args[3] + "' to alias '" + args[4] + '.'); final Enumeration<String> e = fromKS.getKeyStore().aliases(); while (e.hasMoreElements()) { final String alias = e.nextElement(); if (fromKS.getKeyStore().isKeyEntry(alias)) { final Key key = fromKS.getKeyStore().getKey(alias, null); final Certificate chain[] = fromKS.getKeyStore().getCertificateChain(alias); toKS.setKeyEntry(alias, key, chain); } fromKS.getKeyStore().deleteEntry(alias); } fromKS.getKeyStore().store(null, null); toKS.getKeyStore().store(null, null); return true; } return false; }
From source file:org.ejbca.util.CertTools.java
public static X509Certificate genSelfCertForPurpose(String dn, long validity, String policyId, PrivateKey privKey, PublicKey pubKey, String sigAlg, boolean isCA, int keyusage, String provider) throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, CertificateEncodingException, IllegalStateException, NoSuchProviderException { // Create self signed certificate Date firstDate = new Date(); // Set back startdate ten minutes to avoid some problems with wrongly set clocks. firstDate.setTime(firstDate.getTime() - (10 * 60 * 1000)); Date lastDate = new Date(); // validity in days = validity*24*60*60*1000 milliseconds lastDate.setTime(lastDate.getTime() + (validity * (24 * 60 * 60 * 1000))); X509V3CertificateGenerator certgen = new X509V3CertificateGenerator(); // Transform the PublicKey to be sure we have it in a format that the X509 certificate generator handles, it might be // a CVC public key that is passed as parameter PublicKey publicKey = null; if (pubKey instanceof RSAPublicKey) { RSAPublicKey rsapk = (RSAPublicKey) pubKey; RSAPublicKeySpec rSAPublicKeySpec = new RSAPublicKeySpec(rsapk.getModulus(), rsapk.getPublicExponent()); try {//from w ww .jav a 2 s . co m publicKey = KeyFactory.getInstance("RSA").generatePublic(rSAPublicKeySpec); } catch (InvalidKeySpecException e) { log.error("Error creating RSAPublicKey from spec: ", e); publicKey = pubKey; } } else if (pubKey instanceof ECPublicKey) { ECPublicKey ecpk = (ECPublicKey) pubKey; try { ECPublicKeySpec ecspec = new ECPublicKeySpec(ecpk.getW(), ecpk.getParams()); // will throw NPE if key is "implicitlyCA" publicKey = KeyFactory.getInstance("EC").generatePublic(ecspec); } catch (InvalidKeySpecException e) { log.error("Error creating ECPublicKey from spec: ", e); publicKey = pubKey; } catch (NullPointerException e) { log.debug("NullPointerException, probably it is implicitlyCA generated keys: " + e.getMessage()); publicKey = pubKey; } } else { log.debug("Not converting key of class. " + pubKey.getClass().getName()); publicKey = pubKey; } // Serialnumber is random bits, where random generator is initialized with Date.getTime() when this // bean is created. byte[] serno = new byte[8]; SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); random.setSeed(new Date().getTime()); random.nextBytes(serno); certgen.setSerialNumber(new java.math.BigInteger(serno).abs()); certgen.setNotBefore(firstDate); certgen.setNotAfter(lastDate); certgen.setSignatureAlgorithm(sigAlg); certgen.setSubjectDN(CertTools.stringToBcX509Name(dn)); certgen.setIssuerDN(CertTools.stringToBcX509Name(dn)); certgen.setPublicKey(publicKey); // Basic constranits is always critical and MUST be present at-least in CA-certificates. BasicConstraints bc = new BasicConstraints(isCA); certgen.addExtension(X509Extensions.BasicConstraints.getId(), true, bc); // Put critical KeyUsage in CA-certificates if (isCA) { X509KeyUsage ku = new X509KeyUsage(keyusage); certgen.addExtension(X509Extensions.KeyUsage.getId(), true, ku); } // Subject and Authority key identifier is always non-critical and MUST be present for certificates to verify in Firefox. try { if (isCA) { SubjectPublicKeyInfo spki = new SubjectPublicKeyInfo( (ASN1Sequence) new ASN1InputStream(new ByteArrayInputStream(publicKey.getEncoded())) .readObject()); SubjectKeyIdentifier ski = new SubjectKeyIdentifier(spki); SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo( (ASN1Sequence) new ASN1InputStream(new ByteArrayInputStream(publicKey.getEncoded())) .readObject()); AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(apki); certgen.addExtension(X509Extensions.SubjectKeyIdentifier.getId(), false, ski); certgen.addExtension(X509Extensions.AuthorityKeyIdentifier.getId(), false, aki); } } catch (IOException e) { // do nothing } // CertificatePolicies extension if supplied policy ID, always non-critical if (policyId != null) { PolicyInformation pi = new PolicyInformation(new DERObjectIdentifier(policyId)); DERSequence seq = new DERSequence(pi); certgen.addExtension(X509Extensions.CertificatePolicies.getId(), false, seq); } X509Certificate selfcert = certgen.generate(privKey, provider); return selfcert; }
From source file:org.cesecore.util.CertTools.java
public static X509Certificate genSelfCertForPurpose(String dn, long validity, String policyId, PrivateKey privKey, PublicKey pubKey, String sigAlg, boolean isCA, int keyusage, Date privateKeyNotBefore, Date privateKeyNotAfter, String provider, boolean ldapOrder, List<Extension> additionalExtensions) throws CertificateParsingException, IOException, OperatorCreationException { // Create self signed certificate Date firstDate = new Date(); // Set back startdate ten minutes to avoid some problems with wrongly set clocks. firstDate.setTime(firstDate.getTime() - (10 * 60 * 1000)); Date lastDate = new Date(); // validity in days = validity*24*60*60*1000 milliseconds lastDate.setTime(lastDate.getTime() + (validity * (24 * 60 * 60 * 1000))); // Transform the PublicKey to be sure we have it in a format that the X509 certificate generator handles, it might be // a CVC public key that is passed as parameter PublicKey publicKey = null; if (pubKey instanceof RSAPublicKey) { RSAPublicKey rsapk = (RSAPublicKey) pubKey; RSAPublicKeySpec rSAPublicKeySpec = new RSAPublicKeySpec(rsapk.getModulus(), rsapk.getPublicExponent()); try {//from w w w . j a v a2 s . co m publicKey = KeyFactory.getInstance("RSA").generatePublic(rSAPublicKeySpec); } catch (InvalidKeySpecException e) { log.error("Error creating RSAPublicKey from spec: ", e); publicKey = pubKey; } catch (NoSuchAlgorithmException e) { throw new IllegalStateException("RSA was not a known algorithm", e); } } else if (pubKey instanceof ECPublicKey) { ECPublicKey ecpk = (ECPublicKey) pubKey; try { ECPublicKeySpec ecspec = new ECPublicKeySpec(ecpk.getW(), ecpk.getParams()); // will throw NPE if key is "implicitlyCA" final String algo = ecpk.getAlgorithm(); if (algo.equals(AlgorithmConstants.KEYALGORITHM_ECGOST3410)) { try { publicKey = KeyFactory.getInstance("ECGOST3410").generatePublic(ecspec); } catch (NoSuchAlgorithmException e) { throw new IllegalStateException("ECGOST3410 was not a known algorithm", e); } } else if (algo.equals(AlgorithmConstants.KEYALGORITHM_DSTU4145)) { try { publicKey = KeyFactory.getInstance("DSTU4145").generatePublic(ecspec); } catch (NoSuchAlgorithmException e) { throw new IllegalStateException("DSTU4145 was not a known algorithm", e); } } else { try { publicKey = KeyFactory.getInstance("EC").generatePublic(ecspec); } catch (NoSuchAlgorithmException e) { throw new IllegalStateException("EC was not a known algorithm", e); } } } catch (InvalidKeySpecException e) { log.error("Error creating ECPublicKey from spec: ", e); publicKey = pubKey; } catch (NullPointerException e) { log.debug("NullPointerException, probably it is implicitlyCA generated keys: " + e.getMessage()); publicKey = pubKey; } } else { log.debug("Not converting key of class. " + pubKey.getClass().getName()); publicKey = pubKey; } // Serialnumber is random bits, where random generator is initialized with Date.getTime() when this // bean is created. byte[] serno = new byte[8]; SecureRandom random; try { random = SecureRandom.getInstance("SHA1PRNG"); } catch (NoSuchAlgorithmException e) { throw new IllegalStateException("SHA1PRNG was not a known algorithm", e); } random.setSeed(new Date().getTime()); random.nextBytes(serno); SubjectPublicKeyInfo pkinfo; try { pkinfo = new SubjectPublicKeyInfo((ASN1Sequence) ASN1Primitive.fromByteArray(publicKey.getEncoded())); } catch (IOException e) { throw new IllegalArgumentException("Provided public key could not be read to ASN1Primitive", e); } X509v3CertificateBuilder certbuilder = new X509v3CertificateBuilder( CertTools.stringToBcX500Name(dn, ldapOrder), new BigInteger(serno).abs(), firstDate, lastDate, CertTools.stringToBcX500Name(dn, ldapOrder), pkinfo); // Basic constranits is always critical and MUST be present at-least in CA-certificates. BasicConstraints bc = new BasicConstraints(isCA); certbuilder.addExtension(Extension.basicConstraints, true, bc); // Put critical KeyUsage in CA-certificates if (isCA || keyusage != 0) { X509KeyUsage ku = new X509KeyUsage(keyusage); certbuilder.addExtension(Extension.keyUsage, true, ku); } if ((privateKeyNotBefore != null) || (privateKeyNotAfter != null)) { final ASN1EncodableVector v = new ASN1EncodableVector(); if (privateKeyNotBefore != null) { v.add(new DERTaggedObject(false, 0, new DERGeneralizedTime(privateKeyNotBefore))); } if (privateKeyNotAfter != null) { v.add(new DERTaggedObject(false, 1, new DERGeneralizedTime(privateKeyNotAfter))); } certbuilder.addExtension(Extension.privateKeyUsagePeriod, false, new DERSequence(v)); } // Subject and Authority key identifier is always non-critical and MUST be present for certificates to verify in Firefox. try { if (isCA) { ASN1InputStream sAsn1InputStream = new ASN1InputStream( new ByteArrayInputStream(publicKey.getEncoded())); ASN1InputStream aAsn1InputStream = new ASN1InputStream( new ByteArrayInputStream(publicKey.getEncoded())); try { SubjectPublicKeyInfo spki = new SubjectPublicKeyInfo( (ASN1Sequence) sAsn1InputStream.readObject()); X509ExtensionUtils x509ExtensionUtils = new BcX509ExtensionUtils(); SubjectKeyIdentifier ski = x509ExtensionUtils.createSubjectKeyIdentifier(spki); SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo( (ASN1Sequence) aAsn1InputStream.readObject()); AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(apki); certbuilder.addExtension(Extension.subjectKeyIdentifier, false, ski); certbuilder.addExtension(Extension.authorityKeyIdentifier, false, aki); } finally { sAsn1InputStream.close(); aAsn1InputStream.close(); } } } catch (IOException e) { // do nothing } // CertificatePolicies extension if supplied policy ID, always non-critical if (policyId != null) { PolicyInformation pi = new PolicyInformation(new ASN1ObjectIdentifier(policyId)); DERSequence seq = new DERSequence(pi); certbuilder.addExtension(Extension.certificatePolicies, false, seq); } // Add any additional if (additionalExtensions != null) { for (final Extension extension : additionalExtensions) { certbuilder.addExtension(extension.getExtnId(), extension.isCritical(), extension.getParsedValue()); } } final ContentSigner signer = new BufferingContentSigner( new JcaContentSignerBuilder(sigAlg).setProvider(provider).build(privKey), 20480); final X509CertificateHolder certHolder = certbuilder.build(signer); final X509Certificate selfcert = (X509Certificate) CertTools.getCertfromByteArray(certHolder.getEncoded()); return selfcert; }
From source file:org.cesecore.certificates.ca.X509CA.java
/** * Sequence is ignored by X509CA. The ctParams argument will NOT be kept after the function call returns, * and is allowed to contain references to session beans. * /* w ww. jav a2 s. c om*/ * @throws CAOfflineException if the CA wasn't active * @throws InvalidAlgorithmException if the signing algorithm in the certificate profile (or the CA Token if not found) was invalid. * @throws IllegalValidityException if validity was invalid * @throws IllegalNameException if the name specified in the certificate request was invalid * @throws CertificateExtensionException if any of the certificate extensions were invalid * @throws OperatorCreationException if CA's private key contained an unknown algorithm or provider * @throws CertificateCreateException if an error occurred when trying to create a certificate. * @throws SignatureException if the CA's certificate's and request's certificate's and signature algorithms differ */ private Certificate generateCertificate(final EndEntityInformation subject, final RequestMessage request, final PublicKey publicKey, final int keyusage, final Date notBefore, final Date notAfter, final CertificateProfile certProfile, final Extensions extensions, final String sequence, final PublicKey caPublicKey, final PrivateKey caPrivateKey, final String provider, CertificateGenerationParams certGenParams) throws CAOfflineException, InvalidAlgorithmException, IllegalValidityException, IllegalNameException, CertificateExtensionException, OperatorCreationException, CertificateCreateException, SignatureException { // We must only allow signing to take place if the CA itself is on line, even if the token is on-line. // We have to allow expired as well though, so we can renew expired CAs if ((getStatus() != CAConstants.CA_ACTIVE) && ((getStatus() != CAConstants.CA_EXPIRED))) { final String msg = intres.getLocalizedMessage("error.caoffline", getName(), getStatus()); if (log.isDebugEnabled()) { log.debug(msg); // This is something we handle so no need to log with higher priority } throw new CAOfflineException(msg); } final String sigAlg; if (certProfile.getSignatureAlgorithm() == null) { sigAlg = getCAToken().getSignatureAlgorithm(); } else { sigAlg = certProfile.getSignatureAlgorithm(); } // Check that the signature algorithm is one of the allowed ones if (!ArrayUtils.contains(AlgorithmConstants.AVAILABLE_SIGALGS, sigAlg)) { final String msg = intres.getLocalizedMessage("createcert.invalidsignaturealg", sigAlg); throw new InvalidAlgorithmException(msg); } // Check if this is a root CA we are creating final boolean isRootCA = certProfile.getType() == CertificateConstants.CERTTYPE_ROOTCA; final X509Certificate cacert = (X509Certificate) getCACertificate(); // Check CA certificate PrivateKeyUsagePeriod if it exists (throws CAOfflineException if it exists and is not within this time) CertificateValidity.checkPrivateKeyUsagePeriod(cacert); // Get certificate validity time notBefore and notAfter final CertificateValidity val = new CertificateValidity(subject, certProfile, notBefore, notAfter, cacert, isRootCA); final BigInteger serno; { // Serialnumber is either random bits, where random generator is initialized by the serno generator. // Or a custom serial number defined in the end entity object final ExtendedInformation ei = subject.getExtendedinformation(); if (certProfile.getAllowCertSerialNumberOverride()) { if (ei != null && ei.certificateSerialNumber() != null) { serno = ei.certificateSerialNumber(); } else { serno = SernoGeneratorRandom.instance().getSerno(); } } else { serno = SernoGeneratorRandom.instance().getSerno(); if ((ei != null) && (ei.certificateSerialNumber() != null)) { final String msg = intres.getLocalizedMessage( "createcert.certprof_not_allowing_cert_sn_override_using_normal", ei.certificateSerialNumber().toString(16)); log.info(msg); } } } // Make DNs String dn = subject.getCertificateDN(); if (certProfile.getUseSubjectDNSubSet()) { dn = certProfile.createSubjectDNSubSet(dn); } final X500NameStyle nameStyle; if (getUsePrintableStringSubjectDN()) { nameStyle = PrintableStringNameStyle.INSTANCE; } else { nameStyle = CeSecoreNameStyle.INSTANCE; } if (certProfile.getUseCNPostfix()) { dn = CertTools.insertCNPostfix(dn, certProfile.getCNPostfix(), nameStyle); } // Will we use LDAP DN order (CN first) or X500 DN order (CN last) for the subject DN final boolean ldapdnorder; if ((getUseLdapDNOrder() == false) || (certProfile.getUseLdapDnOrder() == false)) { ldapdnorder = false; } else { ldapdnorder = true; } final X500Name subjectDNName; if (certProfile.getAllowDNOverride() && (request != null) && (request.getRequestX500Name() != null)) { subjectDNName = request.getRequestX500Name(); if (log.isDebugEnabled()) { log.debug("Using X509Name from request instead of user's registered."); } } else { final ExtendedInformation ei = subject.getExtendedinformation(); if (certProfile.getAllowDNOverrideByEndEntityInformation() && ei != null && ei.getRawSubjectDn() != null) { final String stripped = StringTools.strip(ei.getRawSubjectDn()); final String escapedPluses = CertTools.handleUnescapedPlus(stripped); final String emptiesRemoved = DNFieldsUtil.removeAllEmpties(escapedPluses); final X500Name subjectDNNameFromEei = CertTools.stringToUnorderedX500Name(emptiesRemoved, CeSecoreNameStyle.INSTANCE); if (subjectDNNameFromEei.toString().length() > 0) { subjectDNName = subjectDNNameFromEei; if (log.isDebugEnabled()) { log.debug( "Using X500Name from end entity information instead of user's registered subject DN fields."); log.debug("ExtendedInformation.getRawSubjectDn(): " + ei.getRawSubjectDn() + " will use: " + CeSecoreNameStyle.INSTANCE.toString(subjectDNName)); } } else { subjectDNName = CertTools.stringToBcX500Name(dn, nameStyle, ldapdnorder); } } else { subjectDNName = CertTools.stringToBcX500Name(dn, nameStyle, ldapdnorder); } } // Make sure the DN does not contain dangerous characters if (StringTools.hasStripChars(subjectDNName.toString())) { if (log.isTraceEnabled()) { log.trace("DN with illegal name: " + subjectDNName); } final String msg = intres.getLocalizedMessage("createcert.illegalname"); throw new IllegalNameException(msg); } if (log.isDebugEnabled()) { log.debug("Using subjectDN: " + subjectDNName.toString()); } // We must take the issuer DN directly from the CA-certificate otherwise we risk re-ordering the DN // which many applications do not like. X500Name issuerDNName; if (isRootCA) { // This will be an initial root CA, since no CA-certificate exists // Or it is a root CA, since the cert is self signed. If it is a root CA we want to use the same encoding for subject and issuer, // it might have changed over the years. if (log.isDebugEnabled()) { log.debug("Using subject DN also as issuer DN, because it is a root CA"); } issuerDNName = subjectDNName; } else { issuerDNName = X500Name.getInstance(cacert.getSubjectX500Principal().getEncoded()); if (log.isDebugEnabled()) { log.debug("Using issuer DN directly from the CA certificate: " + issuerDNName.toString()); } } SubjectPublicKeyInfo pkinfo; try { pkinfo = new SubjectPublicKeyInfo((ASN1Sequence) ASN1Primitive.fromByteArray(publicKey.getEncoded())); } catch (IOException e) { throw new IllegalStateException("Caught unexpected IOException.", e); } final X509v3CertificateBuilder certbuilder = new X509v3CertificateBuilder(issuerDNName, serno, val.getNotBefore(), val.getNotAfter(), subjectDNName, pkinfo); // Only created and used if Certificate Transparency is enabled final X509v3CertificateBuilder precertbuilder = certProfile.isUseCertificateTransparencyInCerts() ? new X509v3CertificateBuilder(issuerDNName, serno, val.getNotBefore(), val.getNotAfter(), subjectDNName, pkinfo) : null; // Check that the certificate fulfills name constraints if (cacert instanceof X509Certificate) { GeneralNames altNameGNs = null; String altName = subject.getSubjectAltName(); if (certProfile.getUseSubjectAltNameSubSet()) { altName = certProfile.createSubjectAltNameSubSet(altName); } if (altName != null && altName.length() > 0) { altNameGNs = CertTools.getGeneralNamesFromAltName(altName); } CertTools.checkNameConstraints((X509Certificate) cacert, subjectDNName, altNameGNs); } // If the subject has Name Constraints, then name constraints must be enabled in the certificate profile! if (subject.getExtendedinformation() != null) { final ExtendedInformation ei = subject.getExtendedinformation(); final List<String> permittedNC = ei.getNameConstraintsPermitted(); final List<String> excludedNC = ei.getNameConstraintsExcluded(); if ((permittedNC != null && !permittedNC.isEmpty()) || (excludedNC != null && !excludedNC.isEmpty())) { if (!certProfile.getUseNameConstraints()) { throw new CertificateCreateException( "Tried to issue a certificate with Name Constraints without having enabled NC in the certificate profile."); } } } // // X509 Certificate Extensions // // Extensions we will add to the certificate, later when we have filled the structure with // everything we want. final ExtensionsGenerator extgen = new ExtensionsGenerator(); // First we check if there is general extension override, and add all extensions from // the request in that case if (certProfile.getAllowExtensionOverride() && extensions != null) { ASN1ObjectIdentifier[] oids = extensions.getExtensionOIDs(); for (ASN1ObjectIdentifier oid : oids) { final Extension ext = extensions.getExtension(oid); if (log.isDebugEnabled()) { log.debug("Overriding extension with oid: " + oid); } try { extgen.addExtension(oid, ext.isCritical(), ext.getParsedValue()); } catch (IOException e) { throw new IllegalStateException("Caught unexpected IOException.", e); } } } // Second we see if there is Key usage override Extensions overridenexts = extgen.generate(); if (certProfile.getAllowKeyUsageOverride() && (keyusage >= 0)) { if (log.isDebugEnabled()) { log.debug("AllowKeyUsageOverride=true. Using KeyUsage from parameter: " + keyusage); } if ((certProfile.getUseKeyUsage() == true) && (keyusage >= 0)) { final KeyUsage ku = new KeyUsage(keyusage); // We don't want to try to add custom extensions with the same oid if we have already added them // from the request, if AllowExtensionOverride is enabled. // Two extensions with the same oid is not allowed in the standard. if (overridenexts.getExtension(Extension.keyUsage) == null) { try { extgen.addExtension(Extension.keyUsage, certProfile.getKeyUsageCritical(), ku); } catch (IOException e) { throw new IllegalStateException("Caught unexpected IOException.", e); } } else { if (log.isDebugEnabled()) { log.debug( "KeyUsage was already overridden by an extension, not using KeyUsage from parameter."); } } } } // Third, check for standard Certificate Extensions that should be added. // Standard certificate extensions are defined in CertificateProfile and CertificateExtensionFactory // and implemented in package org.ejbca.core.model.certextensions.standard final CertificateExtensionFactory fact = CertificateExtensionFactory.getInstance(); final List<String> usedStdCertExt = certProfile.getUsedStandardCertificateExtensions(); final Iterator<String> certStdExtIter = usedStdCertExt.iterator(); overridenexts = extgen.generate(); while (certStdExtIter.hasNext()) { final String oid = certStdExtIter.next(); // We don't want to try to add standard extensions with the same oid if we have already added them // from the request, if AllowExtensionOverride is enabled. // Two extensions with the same oid is not allowed in the standard. if (overridenexts.getExtension(new ASN1ObjectIdentifier(oid)) == null) { final CertificateExtension certExt = fact.getStandardCertificateExtension(oid, certProfile); if (certExt != null) { final byte[] value = certExt.getValueEncoded(subject, this, certProfile, publicKey, caPublicKey, val); if (value != null) { extgen.addExtension(new ASN1ObjectIdentifier(certExt.getOID()), certExt.isCriticalFlag(), value); } } } else { if (log.isDebugEnabled()) { log.debug("Extension with oid " + oid + " has been overridden, standard extension will not be added."); } } } // Fourth, check for custom Certificate Extensions that should be added. // Custom certificate extensions is defined in certextensions.properties final List<Integer> usedCertExt = certProfile.getUsedCertificateExtensions(); final Iterator<Integer> certExtIter = usedCertExt.iterator(); while (certExtIter.hasNext()) { final Integer id = certExtIter.next(); final CertificateExtension certExt = fact.getCertificateExtensions(id); if (certExt != null) { // We don't want to try to add custom extensions with the same oid if we have already added them // from the request, if AllowExtensionOverride is enabled. // Two extensions with the same oid is not allowed in the standard. if (overridenexts.getExtension(new ASN1ObjectIdentifier(certExt.getOID())) == null) { final byte[] value = certExt.getValueEncoded(subject, this, certProfile, publicKey, caPublicKey, val); if (value != null) { extgen.addExtension(new ASN1ObjectIdentifier(certExt.getOID()), certExt.isCriticalFlag(), value); } } else { if (log.isDebugEnabled()) { log.debug("Extension with oid " + certExt.getOID() + " has been overridden, custom extension will not be added."); } } } } // Finally add extensions to certificate generator final Extensions exts = extgen.generate(); ASN1ObjectIdentifier[] oids = exts.getExtensionOIDs(); try { for (ASN1ObjectIdentifier oid : oids) { final Extension extension = exts.getExtension(oid); if (oid.equals(Extension.subjectAlternativeName)) { // subjectAlternativeName extension value needs special handling ExtensionsGenerator sanExtGen = getSubjectAltNameExtensionForCert(extension, precertbuilder != null); Extensions sanExts = sanExtGen.generate(); Extension eext = sanExts.getExtension(oid); certbuilder.addExtension(oid, eext.isCritical(), eext.getParsedValue()); // adding subjetAlternativeName extension to certbuilder if (precertbuilder != null) { // if a pre-certificate is to be published to a CTLog eext = getSubjectAltNameExtensionForCTCert(extension).generate().getExtension(oid); precertbuilder.addExtension(oid, eext.isCritical(), eext.getParsedValue()); // adding subjectAlternativeName extension to precertbuilder eext = sanExts.getExtension(new ASN1ObjectIdentifier("1.3.6.1.4.1.11129.2.4.6")); if (eext != null) { certbuilder.addExtension(eext.getExtnId(), eext.isCritical(), eext.getParsedValue()); // adding nrOfRedactedLabels extension to certbuilder } } } else { // if not a subjectAlternativeName extension, just add it to both certbuilder and precertbuilder final boolean isCritical = extension.isCritical(); // We must get the raw octets here in order to be able to create invalid extensions that is not constructed from proper ASN.1 final byte[] value = extension.getExtnValue().getOctets(); certbuilder.addExtension(extension.getExtnId(), isCritical, value); if (precertbuilder != null) { precertbuilder.addExtension(extension.getExtnId(), isCritical, value); } } } // Add Certificate Transparency extension. It needs to access the certbuilder and // the CA key so it has to be processed here inside X509CA. if (ct != null && certProfile.isUseCertificateTransparencyInCerts() && certGenParams.getConfiguredCTLogs() != null && certGenParams.getCTAuditLogCallback() != null) { // Create pre-certificate // A critical extension is added to prevent this cert from being used ct.addPreCertPoison(precertbuilder); // Sign pre-certificate /* * TODO: Should be able to use a special CT signing certificate. * It should have CA=true and ExtKeyUsage=PRECERTIFICATE_SIGNING_OID, * and should not have any other key usages. */ final ContentSigner signer = new BufferingContentSigner( new JcaContentSignerBuilder(sigAlg).setProvider(provider).build(caPrivateKey), 20480); final X509CertificateHolder certHolder = precertbuilder.build(signer); final X509Certificate cert = (X509Certificate) CertTools .getCertfromByteArray(certHolder.getEncoded()); // Get certificate chain final List<Certificate> chain = new ArrayList<Certificate>(); chain.add(cert); chain.addAll(getCertificateChain()); // Submit to logs and get signed timestamps byte[] sctlist = null; try { sctlist = ct.fetchSCTList(chain, certProfile, certGenParams.getConfiguredCTLogs()); } finally { // Notify that pre-cert has been successfully or unsuccessfully submitted so it can be audit logged. certGenParams.getCTAuditLogCallback().logPreCertSubmission(this, subject, cert, sctlist != null); } if (sctlist != null) { // can be null if the CTLog has been deleted from the configuration ASN1ObjectIdentifier sctOid = new ASN1ObjectIdentifier(CertificateTransparency.SCTLIST_OID); certbuilder.addExtension(sctOid, false, new DEROctetString(sctlist)); } } else { if (log.isDebugEnabled()) { String cause = ""; if (ct == null) { cause += "CT is not available in this version of EJBCA."; } else { if (!certProfile.isUseCertificateTransparencyInCerts()) { cause += "CT is not enabled in the certificate profile. "; } if (certGenParams == null) { cause += "Certificate generation parameters was null."; } else if (certGenParams.getCTAuditLogCallback() == null) { cause += "No CT audit logging callback was passed to X509CA."; } else if (certGenParams.getConfiguredCTLogs() == null) { cause += "There are no CT logs configured in System Configuration."; } } log.debug("Not logging to CT. " + cause); } } } catch (CertificateException e) { throw new CertificateCreateException( "Could not process CA's private key when parsing Certificate Transparency extension.", e); } catch (IOException e) { throw new CertificateCreateException( "IOException was caught when parsing Certificate Transparency extension.", e); } catch (CTLogException e) { throw new CertificateCreateException( "An exception occurred because too many CT servers were down to satisfy the certificate profile.", e); } // // End of extensions // if (log.isTraceEnabled()) { log.trace(">certgen.generate"); } final ContentSigner signer = new BufferingContentSigner( new JcaContentSignerBuilder(sigAlg).setProvider(provider).build(caPrivateKey), 20480); final X509CertificateHolder certHolder = certbuilder.build(signer); X509Certificate cert; try { cert = (X509Certificate) CertTools.getCertfromByteArray(certHolder.getEncoded()); } catch (IOException e) { throw new IllegalStateException("Unexpected IOException caught when parsing certificate holder.", e); } catch (CertificateException e) { throw new CertificateCreateException("Could not create certificate from CA's private key,", e); } if (log.isTraceEnabled()) { log.trace("<certgen.generate"); } // Verify using the CA certificate before returning // If we can not verify the issued certificate using the CA certificate we don't want to issue this cert // because something is wrong... final PublicKey verifyKey; // We must use the configured public key if this is a rootCA, because then we can renew our own certificate, after changing // the keys. In this case the _new_ key will not match the current CA certificate. if ((cacert != null) && (!isRootCA)) { verifyKey = cacert.getPublicKey(); } else { verifyKey = caPublicKey; } try { cert.verify(verifyKey); } catch (InvalidKeyException e) { throw new CertificateCreateException("CA's public key was invalid,", e); } catch (NoSuchAlgorithmException e) { throw new CertificateCreateException(e); } catch (NoSuchProviderException e) { throw new IllegalStateException("Provider was unknown", e); } catch (CertificateException e) { throw new CertificateCreateException(e); } // If we have a CA-certificate, verify that we have all path verification stuff correct if (cacert != null) { final byte[] aki = CertTools.getAuthorityKeyId(cert); final byte[] ski = CertTools.getSubjectKeyId(isRootCA ? cert : cacert); if ((aki != null) && (ski != null)) { final boolean eq = Arrays.equals(aki, ski); if (!eq) { final String akistr = new String(Hex.encode(aki)); final String skistr = new String(Hex.encode(ski)); final String msg = intres.getLocalizedMessage("createcert.errorpathverifykeyid", akistr, skistr); log.error(msg); // This will differ if we create link certificates, NewWithOld, therefore we can not throw an exception here. } } final Principal issuerDN = cert.getIssuerX500Principal(); final Principal caSubjectDN = cacert.getSubjectX500Principal(); if ((issuerDN != null) && (caSubjectDN != null)) { final boolean eq = issuerDN.equals(caSubjectDN); if (!eq) { final String msg = intres.getLocalizedMessage("createcert.errorpathverifydn", issuerDN.getName(), caSubjectDN.getName()); log.error(msg); throw new CertificateCreateException(msg); } } } // Before returning from this method, we will set the private key and provider in the request message, in case the response message needs to be signed if (request != null) { request.setResponseKeyInfo(caPrivateKey, provider); } if (log.isDebugEnabled()) { log.debug("X509CA: generated certificate, CA " + this.getCAId() + " for DN: " + subject.getCertificateDN()); } return cert; }