List of usage examples for org.bouncycastle.asn1.x509 GeneralNames GeneralNames
private GeneralNames(ASN1Sequence seq)
From source file:com.bettertls.nameconstraints.CertificateGenerator.java
License:Apache License
private void generateCertificatesWithNames(KeyStore rootCa, String commonName, String dnsSan, String ipSan) throws Exception { GeneralNames sans = null;/*from ww w .ja va2s . co m*/ if (dnsSan != null || ipSan != null) { List<GeneralName> generalNames = new ArrayList<>(); if (dnsSan != null) { generalNames.add(new GeneralName(GeneralName.dNSName, dnsSan)); } if (ipSan != null) { generalNames.add(new GeneralName(GeneralName.iPAddress, ipSan)); } sans = new GeneralNames(generalNames.toArray(new GeneralName[generalNames.size()])); } for (String ncIpWhitelist : new String[] { null, ipSubtree, invalidIpSubtree }) { for (String ncDnsWhitelist : new String[] { null, hostSubtree, invalidHostSubtree }) { List<GeneralSubtree> permittedWhitelist = new ArrayList<>(); if (ncIpWhitelist != null) { permittedWhitelist .add(new GeneralSubtree(new GeneralName(GeneralName.iPAddress, ncIpWhitelist))); } if (ncDnsWhitelist != null) { permittedWhitelist .add(new GeneralSubtree(new GeneralName(GeneralName.dNSName, ncDnsWhitelist))); } for (String ncIpBlacklist : new String[] { null, ipSubtree, invalidIpSubtree }) { for (String ncDnsBlacklist : new String[] { null, hostSubtree, invalidHostSubtree }) { List<GeneralSubtree> permittedBlacklist = new ArrayList<>(); if (ncIpBlacklist != null) { permittedBlacklist .add(new GeneralSubtree(new GeneralName(GeneralName.iPAddress, ncIpBlacklist))); } if (ncDnsBlacklist != null) { permittedBlacklist .add(new GeneralSubtree(new GeneralName(GeneralName.dNSName, ncDnsBlacklist))); } NameConstraints nameConstraints = null; if (permittedWhitelist.size() != 0 || permittedBlacklist.size() != 0) { nameConstraints = new NameConstraints( permittedWhitelist.size() == 0 ? null : permittedWhitelist .toArray(new GeneralSubtree[permittedWhitelist.size()]), permittedBlacklist.size() == 0 ? null : permittedBlacklist .toArray(new GeneralSubtree[permittedBlacklist.size()])); } System.out.println("Generating certificate " + nextCertId + "..."); writeCertificateSet(makeTree(nextCertId, rootCa, nameConstraints, commonName, sans), outputDir, Integer.toString(nextCertId)); // Build a manifest JSON entry for the certificate JSONArray manifestSans = new JSONArray(); if (dnsSan != null) { manifestSans.put(dnsSan); } if (ipSan != null) { manifestSans.put(ipSan); } JSONObject manifestNcs = new JSONObject(); JSONArray manifestNcWhitelist = new JSONArray(); if (ncDnsWhitelist != null) { manifestNcWhitelist.put(ncDnsWhitelist); } if (ncIpWhitelist != null) { manifestNcWhitelist.put(ncIpWhitelist); } JSONArray manifestNcBlacklist = new JSONArray(); if (ncDnsBlacklist != null) { manifestNcBlacklist.put(ncDnsBlacklist); } if (ncIpBlacklist != null) { manifestNcBlacklist.put(ncIpBlacklist); } manifestNcs.put("whitelist", manifestNcWhitelist); manifestNcs.put("blacklist", manifestNcBlacklist); certManifest.put(new JSONObject().put("id", nextCertId).put("commonName", commonName) .put("sans", manifestSans).put("nameConstraints", manifestNcs)); nextCertId += 1; } } } } }
From source file:com.example.androidtest.SslUtil.java
License:Open Source License
/** * Generates a new, self-signed X509 V3 certificate for a KeyPair. * // www. ja va2s.c om * @param pair the {@link KeyPair} to be used * @param name X.500 distinguished name * @param notBefore not valid before this date * @param notAfter not valid after this date * @param serialNumber serial number * @return the new certificate * @throws GeneralSecurityException on error generating the certificate */ @SuppressWarnings("deprecation") public static X509Certificate generateX509V3Certificate(KeyPair pair, String name, Date notBefore, Date notAfter, BigInteger serialNumber) throws GeneralSecurityException { java.security.Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); X509Name dnName = new X509Name(name); certGen.setSerialNumber(serialNumber); certGen.setIssuerDN(dnName); certGen.setSubjectDN(dnName); // note: same as issuer certGen.setNotBefore(notBefore); certGen.setNotAfter(notAfter); certGen.setPublicKey(pair.getPublic()); certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); // For self-signed certificates, OpenSSL 0.9.6 has specific requirements // about certificate and extension content. Quoting the `man verify`: // // In OpenSSL 0.9.6 and later all certificates whose subject name matches // the issuer name of the current certificate are subject to further // tests. The relevant authority key identifier components of the current // certificate (if present) must match the subject key identifier (if // present) and issuer and serial number of the candidate issuer, in // addition the keyUsage extension of the candidate issuer (if present) // must permit certificate signing. // // In the code that follows, // - the KeyUsage extension permits cert signing (KeyUsage.keyCertSign); // - the Authority Key Identifier extension is added, matching the // subject key identifier, and using the issuer, and serial number. certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.keyCertSign)); certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); AuthorityKeyIdentifier authIdentifier = createAuthorityKeyIdentifier(pair.getPublic(), dnName, serialNumber); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, true, authIdentifier); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, true, new SubjectKeyIdentifierStructure(pair.getPublic())); certGen.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(new GeneralName(GeneralName.rfc822Name, "googletv@test.test"))); // This method is deprecated, but Android Eclair does not provide the // generate() methods. X509Certificate cert = certGen.generateX509Certificate(pair.getPrivate(), "BC"); return cert; }
From source file:com.example.androidtest.SslUtil.java
License:Open Source License
/** * Creates an AuthorityKeyIdentifier from a public key, name, and serial * number./*from w w w. j a v a2 s .c om*/ * <p> * {@link AuthorityKeyIdentifierStructure} is <i>almost</i> perfect for this, * but sadly it does not have a constructor suitable for us: * {@link AuthorityKeyIdentifierStructure#AuthorityKeyIdentifierStructure(PublicKey)} * does not set the serial number or name (which is important to us), while * {@link AuthorityKeyIdentifierStructure#AuthorityKeyIdentifierStructure(X509Certificate)} * sets those fields but needs a completed certificate to do so. * <p> * This method addresses the gap in available {@link AuthorityKeyIdentifier} * constructors provided by BouncyCastle; its implementation is derived from * {@link AuthorityKeyIdentifierStructure#AuthorityKeyIdentifierStructure(X509Certificate)}. * * @param publicKey the public key * @param name the name * @param serialNumber the serial number * @return a new {@link AuthorityKeyIdentifier} */ private static AuthorityKeyIdentifier createAuthorityKeyIdentifier(PublicKey publicKey, X509Name name, BigInteger serialNumber) { GeneralName genName = new GeneralName(name); SubjectPublicKeyInfo info; try { info = new SubjectPublicKeyInfo( (ASN1Sequence) new ASN1InputStream(publicKey.getEncoded()).readObject()); } catch (IOException e) { throw new RuntimeException("Error encoding public key"); } return new AuthorityKeyIdentifier(info, new GeneralNames(genName), serialNumber); }
From source file:com.foilen.smalltools.crypt.bouncycastle.cert.RSACertificate.java
License:Open Source License
/** * Sign the {@link #setKeysForSigning(AsymmetricKeys)} with itself and put it in certificateHolder. * * @param certificateDetails// w ww. j a v a2s . c o m * some information to store in the certificate * @return this */ public RSACertificate selfSign(CertificateDetails certificateDetails) { AssertTools.assertNotNull(keysForSigning, "The keysForSigning is not set"); AssertTools.assertNull(certificateHolder, "The certificate already exists"); try { RSAKeyDetails keyDetails = rsaCrypt.retrieveKeyDetails(keysForSigning); PrivateKey privKey = keyDetails.getJcaPrivateKey(); PublicKey publicKey = keyDetails.getJcaPublicKey(); ContentSigner sigGen = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(privKey); SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()); Date startDate = certificateDetails.getStartDate(); Date endDate = certificateDetails.getEndDate(); BigInteger serial = certificateDetails.getSerial(); // Common Name X500Name issuer = new X500Name("CN=" + certificateDetails.getCommonName()); X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(issuer, serial, startDate, endDate, issuer, subPubKeyInfo); // Subject Alternative Names (DNS) if (!CollectionsTools.isNullOrEmpty(certificateDetails.getSanDns())) { GeneralName[] altNames = new GeneralName[certificateDetails.getSanDns().size()]; int i = 0; for (String sanDns : certificateDetails.getSanDns()) { altNames[i++] = new GeneralName(GeneralName.dNSName, sanDns); } GeneralNames subjectAltNames = new GeneralNames(altNames); certificateBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltNames); } certificateHolder = certificateBuilder.build(sigGen); return this; } catch (Exception e) { throw new SmallToolsException("Problem signing the key", e); } }
From source file:com.foilen.smalltools.crypt.bouncycastle.cert.RSACertificate.java
License:Open Source License
/** * Sign another public key.//from ww w . j a va 2 s . co m * * @param publicKeyToSign * the public key to sign * @param certificateDetails * some information to store in the certificate * @return the new certificate */ public RSACertificate signPublicKey(AsymmetricKeys publicKeyToSign, CertificateDetails certificateDetails) { try { PrivateKey privKey = rsaCrypt.retrieveKeyDetails(keysForSigning).getJcaPrivateKey(); PublicKey publicKey = rsaCrypt.retrieveKeyDetails(publicKeyToSign).getJcaPublicKey(); ContentSigner sigGen = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(privKey); SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()); Date startDate = certificateDetails.getStartDate(); Date endDate = certificateDetails.getEndDate(); BigInteger serial = certificateDetails.getSerial(); X500Name issuer = new X500Name("CN=" + getCommonName()); X500Name subject = new X500Name("CN=" + certificateDetails.getCommonName()); X509v3CertificateBuilder certificateBuilder = new X509v3CertificateBuilder(issuer, serial, startDate, endDate, subject, subPubKeyInfo); // Subject Alternative Names (DNS) if (!CollectionsTools.isNullOrEmpty(certificateDetails.getSanDns())) { GeneralName[] altNames = new GeneralName[certificateDetails.getSanDns().size()]; int i = 0; for (String sanDns : certificateDetails.getSanDns()) { altNames[i++] = new GeneralName(GeneralName.dNSName, sanDns); } GeneralNames subjectAltNames = new GeneralNames(altNames); certificateBuilder.addExtension(Extension.subjectAlternativeName, false, subjectAltNames); } X509CertificateHolder newCert = certificateBuilder.build(sigGen); return new RSACertificate(newCert, publicKeyToSign); } catch (Exception e) { throw new SmallToolsException("Problem signing the key", e); } }
From source file:com.gitblit.utils.X509Utils.java
License:Apache License
/** * Creates a new SSL certificate signed by the CA private key and stored in * keyStore./* ww w . j a v a 2 s . c o m*/ * * @param sslMetadata * @param caPrivateKey * @param caCert * @param targetStoreFile * @param x509log */ public static X509Certificate newSSLCertificate(X509Metadata sslMetadata, PrivateKey caPrivateKey, X509Certificate caCert, File targetStoreFile, X509Log x509log) { try { KeyPair pair = newKeyPair(); X500Name webDN = buildDistinguishedName(sslMetadata); X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName()); X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerDN, BigInteger.valueOf(System.currentTimeMillis()), sslMetadata.notBefore, sslMetadata.notAfter, webDN, pair.getPublic()); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); // support alternateSubjectNames for SSL certificates List<GeneralName> altNames = new ArrayList<GeneralName>(); if (HttpUtils.isIpAddress(sslMetadata.commonName)) { altNames.add(new GeneralName(GeneralName.iPAddress, sslMetadata.commonName)); } if (altNames.size() > 0) { GeneralNames subjectAltName = new GeneralNames(altNames.toArray(new GeneralName[altNames.size()])); certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); } ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC) .build(caPrivateKey); X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC) .getCertificate(certBuilder.build(caSigner)); cert.checkValidity(new Date()); cert.verify(caCert.getPublicKey()); // Save to keystore KeyStore serverStore = openKeyStore(targetStoreFile, sslMetadata.password); serverStore.setKeyEntry(sslMetadata.commonName, pair.getPrivate(), sslMetadata.password.toCharArray(), new Certificate[] { cert, caCert }); saveKeyStore(targetStoreFile, serverStore, sslMetadata.password); x509log.log(MessageFormat.format("New SSL certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getSubjectDN().getName())); // update serial number in metadata object sslMetadata.serialNumber = cert.getSerialNumber().toString(); return cert; } catch (Throwable t) { throw new RuntimeException("Failed to generate SSL certificate!", t); } }
From source file:com.gitblit.utils.X509Utils.java
License:Apache License
/** * Creates a new client certificate PKCS#12 and PEM store. Any existing * stores are destroyed.//from w w w. j ava2s . c om * * @param clientMetadata a container for dynamic parameters needed for generation * @param caKeystoreFile * @param caKeystorePassword * @param targetFolder * @return */ public static X509Certificate newClientCertificate(X509Metadata clientMetadata, PrivateKey caPrivateKey, X509Certificate caCert, File targetFolder) { try { KeyPair pair = newKeyPair(); X500Name userDN = buildDistinguishedName(clientMetadata); X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName()); // create a new certificate signed by the Gitblit CA certificate X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerDN, BigInteger.valueOf(System.currentTimeMillis()), clientMetadata.notBefore, clientMetadata.notAfter, userDN, pair.getPublic()); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature)); if (!StringUtils.isEmpty(clientMetadata.emailAddress)) { GeneralNames subjectAltName = new GeneralNames( new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress)); certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); } ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC) .build(caPrivateKey); X509Certificate userCert = new JcaX509CertificateConverter().setProvider(BC) .getCertificate(certBuilder.build(signer)); PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) pair.getPrivate(); bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, extUtils.createSubjectKeyIdentifier(pair.getPublic())); // confirm the validity of the user certificate userCert.checkValidity(); userCert.verify(caCert.getPublicKey()); userCert.getIssuerDN().equals(caCert.getSubjectDN()); // verify user certificate chain verifyChain(userCert, caCert); targetFolder.mkdirs(); // save certificate, stamped with unique name String date = new SimpleDateFormat("yyyyMMdd").format(new Date()); String id = date; File certFile = new File(targetFolder, id + ".cer"); int count = 0; while (certFile.exists()) { id = date + "_" + Character.toString((char) (0x61 + count)); certFile = new File(targetFolder, id + ".cer"); count++; } // save user private key, user certificate and CA certificate to a PKCS#12 store File p12File = new File(targetFolder, clientMetadata.commonName + ".p12"); if (p12File.exists()) { p12File.delete(); } KeyStore userStore = openKeyStore(p12File, clientMetadata.password); userStore.setKeyEntry( MessageFormat.format("Gitblit ({0}) {1} {2}", clientMetadata.serverHostname, clientMetadata.userDisplayname, id), pair.getPrivate(), null, new Certificate[] { userCert }); userStore.setCertificateEntry( MessageFormat.format("Gitblit ({0}) Certificate Authority", clientMetadata.serverHostname), caCert); saveKeyStore(p12File, userStore, clientMetadata.password); // save user private key, user certificate, and CA certificate to a PEM store File pemFile = new File(targetFolder, clientMetadata.commonName + ".pem"); if (pemFile.exists()) { pemFile.delete(); } JcePEMEncryptorBuilder builder = new JcePEMEncryptorBuilder("DES-EDE3-CBC"); builder.setSecureRandom(new SecureRandom()); PEMEncryptor pemEncryptor = builder.build(clientMetadata.password.toCharArray()); JcaPEMWriter pemWriter = new JcaPEMWriter(new FileWriter(pemFile)); pemWriter.writeObject(pair.getPrivate(), pemEncryptor); pemWriter.writeObject(userCert); pemWriter.writeObject(caCert); pemWriter.flush(); pemWriter.close(); // save certificate after successfully creating the key stores saveCertificate(userCert, certFile); // update serial number in metadata object clientMetadata.serialNumber = userCert.getSerialNumber().toString(); return userCert; } catch (Throwable t) { throw new RuntimeException("Failed to generate client certificate!", t); } }
From source file:com.integralblue.httpresponsecache.compat.java.security.TestKeyStore.java
License:Apache License
private static X509Certificate createCertificate(PublicKey publicKey, PrivateKey privateKey, X500Principal subject, X500Principal issuer, int keyUsage, boolean ca, List<GeneralName> subjectAltNames, Vector<GeneralSubtree> permittedNameConstraints, Vector<GeneralSubtree> excludedNameConstraints) throws Exception { // Note that there is no way to programmatically make a // Certificate using java.* or javax.* APIs. The // CertificateFactory interface assumes you want to read // in a stream of bytes, typically the X.509 factory would // allow ASN.1 DER encoded bytes and optionally some PEM // formats. Here we use Bouncy Castle's // X509V3CertificateGenerator and related classes. long millisPerDay = 24 * 60 * 60 * 1000; long now = System.currentTimeMillis(); Date start = new Date(now - millisPerDay); Date end = new Date(now + millisPerDay); BigInteger serial = BigInteger.valueOf(1); String keyAlgorithm = privateKey.getAlgorithm(); String signatureAlgorithm;// w w w . j a v a 2 s . co m if (keyAlgorithm.equals("RSA")) { signatureAlgorithm = "sha1WithRSA"; } else if (keyAlgorithm.equals("DSA")) { signatureAlgorithm = "sha1WithDSA"; } else if (keyAlgorithm.equals("EC")) { signatureAlgorithm = "sha1WithECDSA"; } else if (keyAlgorithm.equals("EC_RSA")) { signatureAlgorithm = "sha1WithRSA"; } else { throw new IllegalArgumentException("Unknown key algorithm " + keyAlgorithm); } X509V3CertificateGenerator x509cg = new X509V3CertificateGenerator(); x509cg.setSubjectDN(subject); x509cg.setIssuerDN(issuer); x509cg.setNotBefore(start); x509cg.setNotAfter(end); x509cg.setPublicKey(publicKey); x509cg.setSignatureAlgorithm(signatureAlgorithm); x509cg.setSerialNumber(serial); if (keyUsage != 0) { x509cg.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(keyUsage)); } if (ca) { x509cg.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true)); } for (GeneralName subjectAltName : subjectAltNames) { x509cg.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(subjectAltName).getEncoded()); } if (!permittedNameConstraints.isEmpty() || !excludedNameConstraints.isEmpty()) { x509cg.addExtension(X509Extensions.NameConstraints, true, new NameConstraints(permittedNameConstraints, excludedNameConstraints)); } if (privateKey instanceof ECPrivateKey) { /* * bouncycastle needs its own ECPrivateKey implementation */ KeyFactory kf = KeyFactory.getInstance(keyAlgorithm, "BC"); PKCS8EncodedKeySpec ks = new PKCS8EncodedKeySpec(privateKey.getEncoded()); privateKey = kf.generatePrivate(ks); } X509Certificate x509c = x509cg.generateX509Certificate(privateKey); if (StandardNames.IS_RI) { /* * The RI can't handle the BC EC signature algorithm * string of "ECDSA", since it expects "...WITHEC...", * so convert from BC to RI X509Certificate * implementation via bytes. */ CertificateFactory cf = CertificateFactory.getInstance("X.509"); ByteArrayInputStream bais = new ByteArrayInputStream(x509c.getEncoded()); Certificate c = cf.generateCertificate(bais); x509c = (X509Certificate) c; } return x509c; }
From source file:com.intirix.cloudpasswordmanager.services.ssl.CertPinningServiceImplUnitSpec.java
License:Apache License
public static X509Certificate generateV3Certificate(KeyPair pair) throws InvalidKeyException, NoSuchProviderException, SignatureException { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(new X500Principal("CN=Test Certificate")); certGen.setNotBefore(new Date(System.currentTimeMillis() - 10000)); certGen.setNotAfter(new Date(System.currentTimeMillis() + 10000)); certGen.setSubjectDN(new X500Principal("CN=Test Certificate")); certGen.setPublicKey(pair.getPublic()); certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); certGen.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(new GeneralName(GeneralName.rfc822Name, "test@test.test"))); return certGen.generateX509Certificate(pair.getPrivate(), "BC"); }
From source file:com.otterca.common.crypto.X509CertificateBuilderImpl.java
License:Apache License
/** * Set Authority Key Identifier (RFC3280 4.2.1.1) * // ww w. j av a 2 s . c o m * @throws InvalidKeyException * @throws CertificateParsingException */ protected final void setAKID() throws InvalidKeyException, CertificateParsingException { if (issuer != null) { // signed certificates AuthorityKeyIdentifierStructure akis = new AuthorityKeyIdentifierStructure(issuer); generator.addExtension(X509Extensions.AuthorityKeyIdentifier, false, akis); } else { // self-signed certificates since we already require subjectDN = // issuerDN GeneralNames issuerName = new GeneralNames(new GeneralName(GeneralName.directoryName, issuerDN)); AuthorityKeyIdentifier akis = new AuthorityKeyIdentifierStructure(pubkey); akis = new AuthorityKeyIdentifier(akis.getKeyIdentifier(), issuerName, serialNumber); generator.addExtension(X509Extensions.AuthorityKeyIdentifier, false, akis); } }