List of usage examples for org.bouncycastle.cert.jcajce JcaX509CertificateConverter getCertificate
public X509Certificate getCertificate(X509CertificateHolder certHolder) throws CertificateException
From source file:io.spikex.core.Main.java
License:Apache License
private void createTrustStore(final YamlDocument conf) { YamlDocument confTrustStore = conf.getDocument(CONF_KEY_TRUSTSTORE); boolean generate = confTrustStore.getValue(CONF_KEY_GENERATE, DEF_GENERATE_TRUSSTORE); if (generate) { Path trustStorePath = Paths .get(confTrustStore.getValue(CONF_KEY_PATH, m_confPath.resolve(DEF_TRUSTSTORE_PATH)).toString()) .toAbsolutePath().normalize(); Path certsPath = m_confPath.resolve(DEF_TRUSTSTORE_CERTS_DIR).toAbsolutePath().normalize(); if (!Files.exists(trustStorePath) && Files.exists(certsPath)) { Provider bcProvider = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME); if (bcProvider == null) { Security.addProvider(new BouncyCastleProvider()); }/* w ww .j av a 2s . c om*/ try { // Create keystore m_logger.info("Generating truststore: {}", trustStorePath); KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType()); ts.load(null); // // Import PEM certificates // https://gist.github.com/akorobov/6910564 // try (DirectoryStream<Path> dirStream = Files.newDirectoryStream(certsPath)) { JcaX509CertificateConverter converter = new JcaX509CertificateConverter() .setProvider(BouncyCastleProvider.PROVIDER_NAME); for (Path path : dirStream) { PEMParser parser = new PEMParser(new FileReader(path.toFile())); while (true) { int index = 1; Object object = parser.readObject(); if (object != null) { if (object instanceof X509CertificateHolder) { X509Certificate cert = converter .getCertificate((X509CertificateHolder) object); m_logger.debug( "Certificate issuer: {} subject: {} serial: {} validity: {}-{}", cert.getIssuerX500Principal().getName(), cert.getSubjectX500Principal().getName(), cert.getSerialNumber(), cert.getNotBefore(), cert.getNotAfter()); // Validate cert.checkValidity(new Date()); // Alias String alias = cert.getSubjectX500Principal().getName(); if (Strings.isNullOrEmpty(alias)) { alias = "cert-" + index++; } // Save in trusstore ts.setCertificateEntry(alias, cert); m_logger.info("Imported trusted certificate: {}", alias); } } else { break; } } } } catch (CertificateException e) { m_logger.error("Failed to import trusted certificate", e); } // Save truststore String password = confTrustStore.getValue(CONF_KEY_PASSWORD, DEF_TRUSTSTORE_PASSWORD); ts.store(new FileOutputStream(trustStorePath.toFile()), password.toCharArray()); } catch (IOException | NoSuchAlgorithmException | KeyStoreException | CertificateException e) { throw new RuntimeException("Failed to create truststore: " + trustStorePath, e); } } } }
From source file:jenkins.bouncycastle.api.PEMEncodable.java
License:Open Source License
/** * Creates a {@link PEMEncodable} by decoding PEM formated data from a {@link String} * //from w w w .j a v a 2 s . co m * @param pem {@link String} with the PEM data * @param passphrase passphrase for the encrypted PEM data. null if PEM data is not passphrase protected. The caller * is responsible for zeroing out the char[] after use to ensure the password does not stay in memory, e.g. with * <code>Arrays.fill(passphrase, (char)0)</code> * @return {@link PEMEncodable} object * @throws IOException launched if a problem exists reading the PEM information * @throws UnrecoverableKeyException in case PEM is passphrase protected and none or wrong is provided */ @Nonnull public static PEMEncodable decode(@Nonnull String pem, @Nullable final char[] passphrase) throws IOException, UnrecoverableKeyException { try (PEMParser parser = new PEMParser(new StringReader(pem));) { Object object = parser.readObject(); JcaPEMKeyConverter kConv = new JcaPEMKeyConverter().setProvider("BC"); // handle supported PEM formats. if (object instanceof PEMEncryptedKeyPair) { if (passphrase != null) { PEMDecryptorProvider dp = new JcePEMDecryptorProviderBuilder().build(passphrase); PEMEncryptedKeyPair ekp = (PEMEncryptedKeyPair) object; return new PEMEncodable(kConv.getKeyPair(ekp.decryptKeyPair(dp))); } else { throw new UnrecoverableKeyException(); } } else if (object instanceof PKCS8EncryptedPrivateKeyInfo) { if (passphrase != null) { InputDecryptorProvider dp = new JceOpenSSLPKCS8DecryptorProviderBuilder().build(passphrase); PKCS8EncryptedPrivateKeyInfo epk = (PKCS8EncryptedPrivateKeyInfo) object; return new PEMEncodable(kConv.getPrivateKey(epk.decryptPrivateKeyInfo(dp))); } else { throw new UnrecoverableKeyException(); } } else if (object instanceof PEMKeyPair) { return new PEMEncodable(kConv.getKeyPair((PEMKeyPair) object)); } else if (object instanceof PrivateKeyInfo) { PrivateKey pk = kConv.getPrivateKey((PrivateKeyInfo) object); // JENKINS-35661 in this case we know how to get the public key too if (pk instanceof RSAPrivateCrtKey) { // obtain public key spec from the private key RSAPrivateCrtKey rsaPK = (RSAPrivateCrtKey) pk; RSAPublicKeySpec pubKeySpec = new RSAPublicKeySpec(rsaPK.getModulus(), rsaPK.getPublicExponent()); KeyFactory kf = KeyFactory.getInstance("RSA"); return new PEMEncodable(new KeyPair(kf.generatePublic(pubKeySpec), rsaPK)); } return new PEMEncodable(pk); } else if (object instanceof SubjectPublicKeyInfo) { return new PEMEncodable(kConv.getPublicKey((SubjectPublicKeyInfo) object)); } else if (object instanceof X509CertificateHolder) { JcaX509CertificateConverter cConv = new JcaX509CertificateConverter().setProvider("BC"); return new PEMEncodable(cConv.getCertificate((X509CertificateHolder) object)); } else { throw new IOException( "Could not parse PEM, only key pairs, private keys, public keys and certificates are supported. Received " + object.getClass().getName()); } } catch (OperatorCreationException e) { throw new IOException(e.getMessage(), e); } catch (PKCSException | InvalidKeySpecException e) { LOGGER.log(Level.WARNING, "Could not read PEM encrypted information", e); throw new UnrecoverableKeyException(); } catch (CertificateException e) { throw new IOException("Could not read certificate", e); } catch (NoSuchAlgorithmException e) { throw new AssertionError( "RSA algorithm support is mandated by Java Language Specification. See https://docs.oracle.com/javase/7/docs/api/java/security/KeyFactory.html"); } }
From source file:mitm.common.security.certificate.impl.StandardX509CertificateBuilder.java
License:Open Source License
private X509Certificate getCertificate(X509CertificateHolder holder) throws CertificateException { JcaX509CertificateConverter converter = new JcaX509CertificateConverter(); converter.setProvider(certificateProvider); return converter.getCertificate(holder); }
From source file:mitm.common.security.cms.AbstractCMSSignedDataAdapterImpl.java
License:Open Source License
@Override public List<X509Certificate> getCertificates(String provider) throws NoSuchAlgorithmException, NoSuchProviderException, CMSException { List<X509Certificate> certificates = new LinkedList<X509Certificate>(); Store store = getCertificateStore(); if (store != null) { Collection<?> holders = store.getMatches(null); JcaX509CertificateConverter converter = new JcaX509CertificateConverter(); converter.setProvider(provider); for (Object holder : holders) { if (holder instanceof X509CertificateHolder) { try { certificates.add(converter.getCertificate((X509CertificateHolder) holder)); } catch (CertificateException e) { if (logger.isDebugEnabled()) { logger.warn("Certificate is not valid.", e); } else { logger.warn("Certificate is not valid."); }//from w w w . j ava 2s .c o m } } else { logger.warn("object not an X509CertificateHolder"); } } } return certificates; }
From source file:net.markenwerk.utils.mail.smime.SmimeUtil.java
License:Open Source License
private static X509Certificate getCertificate(@SuppressWarnings("rawtypes") Store certificates, SignerId signerId) throws CertificateException { @SuppressWarnings({ "unchecked" }) X509CertificateHolder certificateHolder = (X509CertificateHolder) certificates.getMatches(signerId) .iterator().next();//from w w w .java 2s.co m JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter(); certificateConverter.setProvider(BouncyCastleProvider.PROVIDER_NAME); return certificateConverter.getCertificate(certificateHolder); }
From source file:net.solarnetwork.node.setup.test.PKITestUtils.java
License:Open Source License
public static X509Certificate generateNewCACert(PublicKey publicKey, String subject, X509Certificate issuer, PrivateKey issuerKey, String caDN) throws Exception { final X500Name issuerDn = (issuer == null ? new X500Name(subject) : JcaX500NameUtil.getSubject(issuer)); final X500Name subjectDn = new X500Name(subject); final BigInteger serial = getNextSerialNumber(); final Date notBefore = new Date(); final Date notAfter = new Date(System.currentTimeMillis() + 1000L * 60L * 60L); JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuerDn, serial, notBefore, notAfter, subjectDn, publicKey);/* ww w .j a v a 2s . com*/ // add "CA" extension BasicConstraints basicConstraints; if (issuer == null) { basicConstraints = new BasicConstraints(true); } else { int issuerPathLength = issuer.getBasicConstraints(); basicConstraints = new BasicConstraints(issuerPathLength - 1); } builder.addExtension(X509Extension.basicConstraints, true, basicConstraints); // add subjectKeyIdentifier JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils(); SubjectKeyIdentifier ski = utils.createSubjectKeyIdentifier(publicKey); builder.addExtension(X509Extension.subjectKeyIdentifier, false, ski); // add authorityKeyIdentifier GeneralNames issuerName = new GeneralNames(new GeneralName(GeneralName.directoryName, caDN)); AuthorityKeyIdentifier aki = utils.createAuthorityKeyIdentifier(publicKey); aki = new AuthorityKeyIdentifier(aki.getKeyIdentifier(), issuerName, serial); builder.addExtension(X509Extension.authorityKeyIdentifier, false, aki); // add keyUsage X509KeyUsage keyUsage = new X509KeyUsage(X509KeyUsage.cRLSign | X509KeyUsage.digitalSignature | X509KeyUsage.keyCertSign | X509KeyUsage.nonRepudiation); builder.addExtension(X509Extension.keyUsage, true, keyUsage); JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSA"); ContentSigner signer = signerBuilder.build(issuerKey); X509CertificateHolder holder = builder.build(signer); JcaX509CertificateConverter converter = new JcaX509CertificateConverter(); return converter.getCertificate(holder); }
From source file:net.solarnetwork.node.setup.test.PKITestUtils.java
License:Open Source License
public static X509Certificate sign(PKCS10CertificationRequest csr, X509Certificate issuer, PrivateKey issuerPrivateKey) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, IOException, OperatorCreationException, CertificateException, java.security.cert.CertificateException { final BigInteger serial = getNextSerialNumber(); final Date notBefore = new Date(); final Date notAfter = new Date(System.currentTimeMillis() + 24L * 60L * 60L * 1000L); X500Name issuerName = JcaX500NameUtil.getSubject(issuer); X509v3CertificateBuilder myCertificateGenerator = new X509v3CertificateBuilder(issuerName, serial, notBefore, notAfter, csr.getSubject(), csr.getSubjectPublicKeyInfo()); JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WithRSA"); ContentSigner signer = signerBuilder.build(issuerPrivateKey); X509CertificateHolder holder = myCertificateGenerator.build(signer); JcaX509CertificateConverter converter = new JcaX509CertificateConverter(); return converter.getCertificate(holder); }
From source file:net.solarnetwork.pki.bc.BCCertificateService.java
License:Open Source License
@Override public X509Certificate generateCertificate(String dn, PublicKey publicKey, PrivateKey privateKey) { X500Principal issuer = new X500Principal(dn); Date now = new Date(); Date expire = new Date(now.getTime() + (1000L * 60L * 60L * 24L * certificateExpireDays)); JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, new BigInteger(String.valueOf(counter.incrementAndGet())), now, expire, issuer, publicKey); JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm); ContentSigner signer;//w w w . j a v a 2 s . c o m try { signer = signerBuilder.build(privateKey); } catch (OperatorCreationException e) { throw new CertificateException("Error signing certificate", e); } X509CertificateHolder holder = builder.build(signer); JcaX509CertificateConverter converter = new JcaX509CertificateConverter(); try { return converter.getCertificate(holder); } catch (java.security.cert.CertificateException e) { throw new CertificateException("Error creating certificate", e); } }
From source file:net.solarnetwork.pki.bc.BCCertificateService.java
License:Open Source License
@Override public X509Certificate generateCertificationAuthorityCertificate(String dn, PublicKey publicKey, PrivateKey privateKey) {// w ww . ja v a 2 s.c o m X500Principal issuer = new X500Principal(dn); Date now = new Date(); Date expire = new Date(now.getTime() + (1000L * 60L * 60L * 24L * authorityExpireDays)); JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, new BigInteger("0"), now, expire, issuer, publicKey); JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm); DefaultDigestAlgorithmIdentifierFinder digestAlgFinder = new DefaultDigestAlgorithmIdentifierFinder(); ContentSigner signer; try { DigestCalculatorProvider digestCalcProvider = new JcaDigestCalculatorProviderBuilder() .setProvider(new BouncyCastleProvider()).build(); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils( digestCalcProvider.get(digestAlgFinder.find("SHA-256"))); builder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(true)); builder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(publicKey)); builder.addExtension(X509Extension.keyUsage, true, new KeyUsage( KeyUsage.digitalSignature | KeyUsage.nonRepudiation | KeyUsage.keyCertSign | KeyUsage.cRLSign)); builder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(publicKey)); signer = signerBuilder.build(privateKey); } catch (OperatorCreationException e) { log.error("Error generating CA certificate [{}]", dn, e); throw new CertificateException("Error signing CA certificate", e); } catch (CertIOException e) { log.error("Error generating CA certificate [{}]", dn, e); throw new CertificateException("Error signing CA certificate", e); } X509CertificateHolder holder = builder.build(signer); JcaX509CertificateConverter converter = new JcaX509CertificateConverter(); try { return converter.getCertificate(holder); } catch (java.security.cert.CertificateException e) { throw new CertificateException("Error creating certificate", e); } }
From source file:net.solarnetwork.pki.bc.BCCertificateService.java
License:Open Source License
@Override public X509Certificate signCertificate(String csrPEM, X509Certificate caCert, PrivateKey privateKey) throws CertificateException { if (!csrPEM.matches("(?is)^\\s*-----BEGIN.*")) { // let's throw in the guards csrPEM = "-----BEGIN CERTIFICATE REQUEST-----\n" + csrPEM + "\n-----END CERTIFICATE REQUEST-----\n"; }/*from w w w .j ava 2 s.com*/ PemReader reader = null; try { reader = new PemReader(new StringReader(csrPEM)); PemObject pemObj = reader.readPemObject(); log.debug("Parsed PEM type {}", pemObj.getType()); PKCS10CertificationRequest csr = new PKCS10CertificationRequest(pemObj.getContent()); Date now = new Date(); Date expire = new Date(now.getTime() + (1000L * 60L * 60L * 24L * certificateExpireDays)); X509v3CertificateBuilder builder = new X509v3CertificateBuilder(JcaX500NameUtil.getIssuer(caCert), new BigInteger(String.valueOf(counter.incrementAndGet())), now, expire, csr.getSubject(), csr.getSubjectPublicKeyInfo()); JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm); ContentSigner signer; DefaultDigestAlgorithmIdentifierFinder digestAlgFinder = new DefaultDigestAlgorithmIdentifierFinder(); try { DigestCalculatorProvider digestCalcProvider = new JcaDigestCalculatorProviderBuilder() .setProvider(new BouncyCastleProvider()).build(); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils( digestCalcProvider.get(digestAlgFinder.find("SHA-256"))); builder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); builder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(csr.getSubjectPublicKeyInfo())); builder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert)); signer = signerBuilder.build(privateKey); } catch (OperatorException e) { log.error("Error signing CSR {}", csr.getSubject(), e); throw new CertificateException("Error signing CSR" + csr.getSubject() + ": " + e.getMessage()); } catch (CertificateEncodingException e) { log.error("Error signing CSR {}", csr.getSubject().toString(), e); throw new CertificateException("Error signing CSR" + csr.getSubject() + ": " + e.getMessage()); } X509CertificateHolder holder = builder.build(signer); JcaX509CertificateConverter converter = new JcaX509CertificateConverter(); try { return converter.getCertificate(holder); } catch (java.security.cert.CertificateException e) { throw new CertificateException("Error creating certificate", e); } } catch (IOException e) { throw new CertificateException("Error signing CSR", e); } finally { if (reader != null) { try { reader.close(); } catch (IOException e2) { log.warn("IOException closing PemReader", e2); } } } }