List of usage examples for org.bouncycastle.cert.jcajce JcaX509CertificateConverter JcaX509CertificateConverter
public JcaX509CertificateConverter()
From source file:fathom.x509.X509Utils.java
License:Apache License
/** * Creates a new certificate authority PKCS#12 store. This function will * destroy any existing CA store./* w w w.j av a 2 s . c om*/ * * @param metadata * @param storeFile * @param x509log * @return */ public static X509Certificate newCertificateAuthority(X509Metadata metadata, File storeFile, X509Log x509log) { try { KeyPair caPair = newKeyPair(); ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC) .build(caPair.getPrivate()); // clone metadata X509Metadata caMetadata = metadata.clone(CA_CN, metadata.password); X500Name issuerDN = buildDistinguishedName(caMetadata); // Generate self-signed certificate X509v3CertificateBuilder caBuilder = new JcaX509v3CertificateBuilder(issuerDN, BigInteger.valueOf(System.currentTimeMillis()), caMetadata.notBefore, caMetadata.notAfter, issuerDN, caPair.getPublic()); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); caBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caPair.getPublic())); caBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caPair.getPublic())); caBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(true)); caBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(BC); X509Certificate cert = converter.getCertificate(caBuilder.build(caSigner)); // confirm the validity of the CA certificate cert.checkValidity(new Date()); cert.verify(cert.getPublicKey()); // Delete existing keystore if (storeFile.exists()) { storeFile.delete(); } // Save private key and certificate to new keystore KeyStore store = openKeyStore(storeFile, caMetadata.password); store.setKeyEntry(CA_ALIAS, caPair.getPrivate(), caMetadata.password.toCharArray(), new Certificate[] { cert }); saveKeyStore(storeFile, store, caMetadata.password); x509log.log(MessageFormat.format("New CA certificate {0,number,0} [{1}]", cert.getSerialNumber(), cert.getIssuerDN().getName())); // update serial number in metadata object caMetadata.serialNumber = cert.getSerialNumber().toString(); return cert; } catch (Throwable t) { throw new RuntimeException("Failed to generate Fathom CA certificate!", t); } }
From source file:fathom.x509.X509Utils.java
License:Apache License
/** * Creates a new client certificate PKCS#12 and PEM store. Any existing * stores are destroyed.//from w w w .ja v a2s . c om * * @param clientMetadata a container for dynamic parameters needed for generation * @param caPrivateKey * @param caCert * @param targetFolder * @return */ public static X509Certificate newClientCertificate(X509Metadata clientMetadata, PrivateKey caPrivateKey, X509Certificate caCert, File targetFolder) { try { KeyPair pair = newKeyPair(); X500Name userDN = buildDistinguishedName(clientMetadata); X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName()); // create a new certificate signed by the Fathom CA certificate X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(issuerDN, BigInteger.valueOf(System.currentTimeMillis()), clientMetadata.notBefore, clientMetadata.notAfter, userDN, pair.getPublic()); JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils(); certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature)); if (!Strings.isNullOrEmpty(clientMetadata.emailAddress)) { GeneralNames subjectAltName = new GeneralNames( new GeneralName(GeneralName.rfc822Name, clientMetadata.emailAddress)); certBuilder.addExtension(X509Extension.subjectAlternativeName, false, subjectAltName); } ContentSigner signer = new JcaContentSignerBuilder(SIGNING_ALGORITHM).setProvider(BC) .build(caPrivateKey); X509Certificate userCert = new JcaX509CertificateConverter().setProvider(BC) .getCertificate(certBuilder.build(signer)); PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier) pair.getPrivate(); bagAttr.setBagAttribute(PKCSObjectIdentifiers.pkcs_9_at_localKeyId, extUtils.createSubjectKeyIdentifier(pair.getPublic())); // confirm the validity of the user certificate userCert.checkValidity(); userCert.verify(caCert.getPublicKey()); userCert.getIssuerDN().equals(caCert.getSubjectDN()); // verify user certificate chain verifyChain(userCert, caCert); targetFolder.mkdirs(); // save certificate, stamped with unique name String date = new SimpleDateFormat("yyyyMMdd").format(new Date()); String id = date; File certFile = new File(targetFolder, id + ".cer"); int count = 0; while (certFile.exists()) { id = date + "_" + Character.toString((char) (0x61 + count)); certFile = new File(targetFolder, id + ".cer"); count++; } // save user private key, user certificate and CA certificate to a PKCS#12 store File p12File = new File(targetFolder, clientMetadata.commonName + ".p12"); if (p12File.exists()) { p12File.delete(); } KeyStore userStore = openKeyStore(p12File, clientMetadata.password); userStore.setKeyEntry( MessageFormat.format("Fathom ({0}) {1} {2}", clientMetadata.serverHostname, clientMetadata.userDisplayname, id), pair.getPrivate(), null, new Certificate[] { userCert }); userStore.setCertificateEntry( MessageFormat.format("Fathom ({0}) Certificate Authority", clientMetadata.serverHostname), caCert); saveKeyStore(p12File, userStore, clientMetadata.password); // save user private key, user certificate, and CA certificate to a PEM store File pemFile = new File(targetFolder, clientMetadata.commonName + ".pem"); if (pemFile.exists()) { pemFile.delete(); } PEMWriter pemWriter = new PEMWriter(new FileWriter(pemFile)); pemWriter.writeObject(pair.getPrivate(), "DES-EDE3-CBC", clientMetadata.password.toCharArray(), new SecureRandom()); pemWriter.writeObject(userCert); pemWriter.writeObject(caCert); pemWriter.flush(); pemWriter.close(); // save certificate after successfully creating the key stores saveCertificate(userCert, certFile); // update serial number in metadata object clientMetadata.serialNumber = userCert.getSerialNumber().toString(); return userCert; } catch (Throwable t) { throw new RuntimeException("Failed to generate client certificate!", t); } }
From source file:fi.aalto.cs.drumbeat.CertificateCommons.java
License:Open Source License
public static X509Certificate signCertificate(X509v3CertificateBuilder certificateBuilder, PrivateKey signedWithPrivateKey) throws OperatorCreationException, CertificateException { ContentSigner signer = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER_NAME) .build(signedWithPrivateKey); return new JcaX509CertificateConverter().setProvider(PROVIDER_NAME) .getCertificate(certificateBuilder.build(signer)); }
From source file:id.govca.detachedsignature.CMSController.java
public boolean VerifyCMS(CMSSignedData signedData, String content_digest) throws IOException, CMSException, CertificateException, OperatorCreationException, UnmatchedSignatureException, NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, StringFormatException, ParseException, GeneralSecurityException { rootCertCandidate = null;/*from www .j a v a 2 s . c om*/ Security.addProvider(new BouncyCastleProvider()); byte[] dataku = (byte[]) signedData.getSignedContent().getContent(); System.out.format("%-32s%s\n", "Base64 of Signed Content", Hex.toHexString(dataku)); Store store = signedData.getCertificates(); CertStore certsAndCRLs = new JcaCertStoreBuilder().setProvider("BC") .addCertificates(signedData.getCertificates()).build(); // Verify signature SignerInformationStore signers = signedData.getSignerInfos(); Collection c = signers.getSigners(); System.out.format("%-32s%s\n", "Number of Signers", c.size()); Iterator it = c.iterator(); while (it.hasNext()) { SignerInformation signer = (SignerInformation) it.next(); AttributeTable att = signer.getSignedAttributes(); Attribute mdAtt = att.get(CMSAttributes.messageDigest); ASN1Primitive asp = mdAtt.getAttrValues().getObjectAt(0).toASN1Primitive(); byte[] hasil = asp.getEncoded("DER"); System.out.format("%-32s%s\n", "Digest of Signature", Hex.toHexString(hasil)); Collection certCollection = store.getMatches(signer.getSID()); JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider("BC"); ArrayList<X509CertificateHolder> listCertDatFirm = new ArrayList(store.getMatches(null)); System.out.format("%-32s%d\n", "Number of cert Holders All", listCertDatFirm.size()); try { verifyChain(listCertDatFirm); } catch (CertificateVerificationException ex) { System.out.println("CERTIFICATE CHAIN VERIFICATION FAILED"); Logger.getLogger(CMSController.class.getName()).log(Level.SEVERE, null, ex); throw new UnmatchedSignatureException("Certificate Chain verification failed"); } System.out.println("CERTIFICATE CHAIN VERIFIED"); Collection<X509CertificateHolder> holders = store.getMatches(signer.getSID()); Iterator certIt = certCollection.iterator(); X509CertificateHolder certHolder = (X509CertificateHolder) certIt.next(); X509Certificate certFromSignedData = new JcaX509CertificateConverter() .setProvider(new BouncyCastleProvider()).getCertificate(certHolder); Principal princ = certFromSignedData.getIssuerDN(); //Get Signer Name Principal p = certFromSignedData.getSubjectDN(); System.out.format("%-32s%s\n", "Signer Distinguished Name", p.getName()); this.setDN_fields(StringHelper.DNFieldsMapper(p.getName())); //Get Signing Time org.bouncycastle.asn1.cms.Attribute signingTime = att .get(new ASN1ObjectIdentifier("1.2.840.113549.1.9.5")); String asn1time = signingTime.getAttrValues().toString(); System.out.format("%-32s%s\n", "Signing Time (RAW format)", asn1time); Date signtime = StringHelper.ASN1DateParser(asn1time); SimpleDateFormat formatter = new SimpleDateFormat("dd MMM yyyy hh:mm:ss zzz"); String formattedDate = formatter.format(signtime); System.out.format("%-32s%s\n", "Signing Time (Pretty format)", formattedDate); PublicKey pubkey = certFromSignedData.getPublicKey(); if (signer.verify(new JcaSimpleSignerInfoVerifierBuilder().setProvider(new BouncyCastleProvider()) .build(certFromSignedData))) { System.out.println("SIGNATURE VERIFIED <BY BOUNCY CASTLE STANDARD>"); } else { System.out.println("SIGNATURE VERIFICATION <BY BOUNCY CASTLE STANDARD> FAILED"); throw new UnmatchedSignatureException( "Signature verification failed, probably the signature (CMS) has been altered!"); } Cipher RSADecrypter; RSADecrypter = Cipher.getInstance("RSA/ECB/PKCS1Padding", "BC"); //Initialize the Cipher using our the first key in the keystore works fine for both RSADecrypter.init(Cipher.DECRYPT_MODE, pubkey); byte[] try_decrypt = RSADecrypter.doFinal(dataku); String decrypt_result = Hex.toHexString(try_decrypt); //Because there is magic number for hash algorithm at the beginning of the string, //we only need the last 64 characters from the decryption result String sanitized_decrypt_result = decrypt_result.substring(decrypt_result.length() - 64); System.out.format("%-32s%s\n", "Decryption Result", decrypt_result); System.out.format("%-32s%s\n", "Sanitized Decryption Result", sanitized_decrypt_result); if (!content_digest.equals(sanitized_decrypt_result)) { System.out.println("CONTENT DIGEST VERIFICATION FAILED"); throw new UnmatchedSignatureException( "Content digest verification failed, probably the content has been altered!"); } System.out.println("CONTENT DIGEST VERIFIED"); try { RootCertChecker rc = new RootCertChecker(); rc.checkCertificate(rootCertCandidate, getRoot_cert_path()); } catch (FileNotFoundException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException ex) { System.out.println("ROOT CERT VERIFICATION FAILED"); throw new UnmatchedSignatureException("The System does not recognized this root Certificate"); } System.out.println("ROOT CERTIFICATE VERIFIED"); } return true; }
From source file:id.govca.detachedsignature.CMSController.java
private static PKIXCertPathBuilderResult verifyChain(ArrayList<X509CertificateHolder> cert_chain) throws CertificateException, CertificateVerificationException { JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider("BC"); X509Certificate target_cert = null; Set<X509Certificate> additional_cert = new HashSet<>(); for (int i = 0; i < cert_chain.size(); i++) { X509Certificate cert_loop = converter.getCertificate(cert_chain.get(i)); if (i == 0) { target_cert = cert_loop;//from w ww . jav a 2 s . c om } else { additional_cert.add(cert_loop); try { if (ChainVerifier.isSelfSigned(cert_loop)) { rootCertCandidate = cert_loop; } } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidKeyException | SignatureException ex) { Logger.getLogger(CMSController.class.getName()).log(Level.SEVERE, null, ex); } } } PKIXCertPathBuilderResult my_res = ChainVerifier.verifyCertificate(target_cert, additional_cert); return my_res; }
From source file:infn.eToken.TokenUtils.java
License:Apache License
private static KeyPair_Cert createProxyCertificate(int keybit, Boolean rfc, int lifetime, String CN_label, X509Certificate tokenCert, java.security.PrivateKey tokenKey) { KeyPair_Cert result = null;/*from www . j av a2s .c o m*/ Provider bc = null; try { Date lastDate = new Date(); String proxyDN = ""; String issuerDN = ""; // Generate the new KeyPair bc = new org.bouncycastle.jce.provider.BouncyCastleProvider(); Security.insertProviderAt(bc, 1); java.security.KeyPairGenerator kpGen = KeyPairGenerator.getInstance("RSA", bc); SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG"); kpGen.initialize(keybit, secureRandom); java.security.KeyPair pair = kpGen.generateKeyPair(); // Initialize the SerialNumber of the certificate. Random rand = new Random(); //BigInteger serialNum = new BigInteger(20, rand); // Express the validity in milliseconds long validity = lifetime * 60 * 60 * 1000; if (rfc) { // RFC-3280-compliant OID log.debug("[1] Creating RFC-3280-complaint proxy with [ " + keybit + " ] keybit"); issuerDN = tokenCert.getSubjectX500Principal().getName(); log.debug("issuerDN = " + issuerDN); // Create the distinguished name (DN) of the proxy certificate. // This DN is the issuer's DN with an extra "CN=" part, which // value is a random integer. // In the RFC2253 the "CN=" part comes at the beginning. String delegDN = String.valueOf(Math.abs(rand.nextInt())); if (!CN_label.isEmpty() && (!CN_label.equals("eToken:Empty"))) { //RFC 3820 compliant impersonation proxy! log.debug("Adding additional CN label to generate Per-User Sub-Proxy"); proxyDN = "CN=" + CN_label + "," + issuerDN; //proxyDN = "CN=" + delegDN + "," + "CN=" + CN_label + "," + issuerDN; } else proxyDN = "CN=" + delegDN + "," + issuerDN; log.debug("Creating a RFC3280-compliant OID self-signed certificate for: "); log.debug(proxyDN); } else { // Proxy draft (pre-RFC) compliant impersonation proxy // Create the distinguished name (DN) of the proxy certificate. // This DN is the issuer's DN with an extra "CN=proxy" part. // In the pre-RFC the "C/N=proxy" part comes at the beginning. issuerDN = tokenCert.getSubjectX500Principal().getName(); log.debug("issuerDN = " + issuerDN); //Proxy draft (pre-RFC) compliant impersonation proxy proxyDN = "CN=proxy" + "," + issuerDN; log.debug("[1] Creating a fully legacy Globus proxy with [ " + keybit + " ] keybit"); log.debug("DN =" + proxyDN); // Set the subject distinguished name. // The subject describes the entity associated with the public key. //certGen.setSubjectDN(new X500Principal(proxyDN)); log.debug("SubjectDN = " + new X500Principal(proxyDN).getName()); } // Generate self-signed certificate //X500Principal principal = new X500Principal(issuerDN); // Generate self-signed certificate X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(tokenCert.getSubjectX500Principal(), //principal, tokenCert.getSerialNumber(), new Date(lastDate.getTime()), new Date(lastDate.getTime() + validity), new X500Principal(proxyDN), pair.getPublic()); // Add KeyUsage extension(s) to the plain proxy log.debug(""); log.debug("[2] Adding 'KeyUsage extension(s)' to the plain proxy... "); certGen.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment)); if (rfc) { ProxyPolicy policy = new ProxyPolicy(ProxyPolicy.INHERITALL_POLICY_OID); String oid = ProxyCertInfoExtension.RFC_EXTENSION_OID; ProxyCertInfoExtension extValue = new ProxyCertInfoExtension(Integer.MAX_VALUE, policy); log.debug("[2'] Adding 'X509v3 extension(s)' to the RFC proxy... "); certGen.addExtension(new ASN1ObjectIdentifier(oid), true, extValue); } else { /*certGen.addExtension(X509Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.cRLSign)); Vector eku = new Vector(5, 1); eku.add(KeyPurposeId.id_kp_serverAuth); eku.add(KeyPurposeId.id_kp_clientAuth); eku.add(KeyPurposeId.anyExtendedKeyUsage); certGen.addExtension(X509Extension.extendedKeyUsage, true, new ExtendedKeyUsage(eku));*/ } // -------------------------------------------------------- // Generate the Proxy Certificate // -------------------------------------------------------- try { ContentSigner sigGen = new JcaContentSignerBuilder(tokenCert.getSigAlgName()) //new JcaContentSignerBuilder("sha1WithRSAEncryption") //.setProvider(bc) .build(tokenKey); X509CertificateHolder certHolder = certGen.build(sigGen); log.debug("[3] Generate the plain proxy ... "); X509Certificate cert = new JcaX509CertificateConverter().setProvider(bc).getCertificate(certHolder); cert.checkValidity(new Date()); result = new KeyPair_Cert(pair.getPublic(), pair.getPrivate(), cert); } catch (Exception e) { log.error(e.getMessage()); } } catch (Exception e) { log.error(e.getMessage()); } finally { Security.removeProvider(bc.getName()); } return result; }
From source file:io.kodokojo.commons.utils.RSAUtils.java
License:Open Source License
public static X509Certificate readRsaPublicKey(Reader reader) { Security.addProvider(new BouncyCastleProvider()); try {//from w w w . j a v a 2 s .c om PEMParser pemParser = new PEMParser(reader); X509CertificateHolder cert = (X509CertificateHolder) pemParser.readObject(); JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter(); return certificateConverter.getCertificate(cert); } catch (IOException | CertificateException e) { throw new RuntimeException("Unable to extract public RAS Key .", e); } }
From source file:io.kodokojo.commons.utils.ssl.SSLUtils.java
License:Open Source License
private static X509Certificate verifyCertificate(PrivateKey caPrivateKey, PublicKey caPublicKey, JcaX509v3CertificateBuilder certificateBuilder) throws OperatorCreationException, CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException { ContentSigner signer = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER_NAME) .build(caPrivateKey);//from w w w .j ava 2s. co m X509Certificate cert = new JcaX509CertificateConverter().setProvider(PROVIDER_NAME) .getCertificate(certificateBuilder.build(signer)); cert.checkValidity(new Date()); cert.verify(caPublicKey); return cert; }
From source file:io.netty.example.ocsp.OcspServerExample.java
License:Apache License
private static X509Certificate[] parseCertificates(Reader reader) throws Exception { JcaX509CertificateConverter converter = new JcaX509CertificateConverter() .setProvider(new BouncyCastleProvider()); List<X509Certificate> dst = new ArrayList<X509Certificate>(); PEMParser parser = new PEMParser(reader); try {/*from w w w . j a v a 2s . co m*/ X509CertificateHolder holder = null; while ((holder = (X509CertificateHolder) parser.readObject()) != null) { X509Certificate certificate = converter.getCertificate(holder); if (certificate == null) { continue; } dst.add(certificate); } } finally { parser.close(); } return dst.toArray(new X509Certificate[0]); }
From source file:io.netty.handler.ssl.util.BouncyCastleSelfSignedCertGenerator.java
License:Apache License
static String[] generate(String fqdn, KeyPair keypair, SecureRandom random) throws Exception { PrivateKey key = keypair.getPrivate(); // Prepare the information required for generating an X.509 certificate. X500Name owner = new X500Name("CN=" + fqdn); X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(owner, new BigInteger(64, random), NOT_BEFORE, NOT_AFTER, owner, keypair.getPublic()); ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(key); X509CertificateHolder certHolder = builder.build(signer); X509Certificate cert = new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(certHolder); cert.verify(keypair.getPublic());/* www. j a v a2 s . c om*/ return newSelfSignedCertificate(fqdn, key, cert); }