List of usage examples for org.bouncycastle.jce X509KeyUsage cRLSign
int cRLSign
To view the source code for org.bouncycastle.jce X509KeyUsage cRLSign.
Click Source Link
From source file:org.ejbca.ui.web.pub.WebdistHttpTest.java
License:Open Source License
@Before public void setUp() throws Exception { httpPort = SystemTestsConfiguration//from www.j av a 2s . co m .getRemotePortHttp(configurationSession.getProperty(WebConfiguration.CONFIG_HTTPSERVERPUBHTTP)); remoteHost = SystemTestsConfiguration.getRemoteHost("127.0.0.1"); int keyusage = X509KeyUsage.digitalSignature + X509KeyUsage.keyCertSign + X509KeyUsage.cRLSign; testx509ca = CaTestUtils.createTestX509CA("CN=TestCA", null, false, keyusage); caSession.addCA(admin, testx509ca); }
From source file:org.ejbca.util.CertTools.java
License:Open Source License
public static X509Certificate genSelfCert(String dn, long validity, String policyId, PrivateKey privKey, PublicKey pubKey, String sigAlg, boolean isCA, String provider) throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, CertificateEncodingException, IllegalStateException, NoSuchProviderException { int keyusage = X509KeyUsage.keyCertSign + X509KeyUsage.cRLSign; return genSelfCertForPurpose(dn, validity, policyId, privKey, pubKey, sigAlg, isCA, keyusage, provider); }
From source file:org.objectweb.proactive.core.security.CertTools.java
License:Open Source License
/** * DOCUMENT ME!//from w w w .j a va 2s . c o m * * @param dn DOCUMENT ME! * @param validity DOCUMENT ME! * @param policyId DOCUMENT ME! * @param privKey DOCUMENT ME! * @param pubKey DOCUMENT ME! * @param isCA DOCUMENT ME! * * @return DOCUMENT ME! * * @throws NoSuchAlgorithmException DOCUMENT ME! * @throws SignatureException DOCUMENT ME! * @throws InvalidKeyException DOCUMENT ME! * @throws IllegalStateException * @throws CertificateEncodingException */ public static X509Certificate genSelfCert(String dn, long validity, String policyId, PrivateKey privKey, PublicKey pubKey, boolean isCA) throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, CertificateEncodingException, IllegalStateException { // Create self signed certificate String sigAlg = "SHA1WithRSA"; Date firstDate = new Date(); // Set back startdate ten minutes to avoid some problems with wrongly set clocks. firstDate.setTime(firstDate.getTime() - (10 * 60 * 1000)); Date lastDate = new Date(); // validity in days = validity*24*60*60*1000 milliseconds lastDate.setTime(lastDate.getTime() + (validity * (24 * 60 * 60 * 1000))); X509V3CertificateGenerator certgen = new X509V3CertificateGenerator(); // Serialnumber is random bits, where random generator is initialized with Date.getTime() when this // bean is created. byte[] serno = new byte[8]; SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); random.setSeed((new Date().getTime())); random.nextBytes(serno); certgen.setSerialNumber((new java.math.BigInteger(serno)).abs()); certgen.setNotBefore(firstDate); certgen.setNotAfter(lastDate); certgen.setSignatureAlgorithm(sigAlg); certgen.setSubjectDN(CertTools.stringToBcX509Name(dn)); certgen.setIssuerDN(CertTools.stringToBcX509Name(dn)); certgen.setPublicKey(pubKey); // Basic constranits is always critical and MUST be present at-least in CA-certificates. BasicConstraints bc = new BasicConstraints(isCA); certgen.addExtension(X509Extensions.BasicConstraints.getId(), true, bc); // Put critical KeyUsage in CA-certificates if (isCA == true) { int keyusage = X509KeyUsage.keyCertSign + X509KeyUsage.cRLSign; X509KeyUsage ku = new X509KeyUsage(keyusage); certgen.addExtension(X509Extensions.KeyUsage.getId(), true, ku); } // Subject and Authority key identifier is always non-critical and MUST be present for certificates to verify in Mozilla. try { if (isCA == true) { SubjectPublicKeyInfo spki = new SubjectPublicKeyInfo( (ASN1Sequence) new ASN1InputStream(new ByteArrayInputStream(pubKey.getEncoded())) .readObject()); SubjectKeyIdentifier ski = new SubjectKeyIdentifier(spki); SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo( (ASN1Sequence) new ASN1InputStream(new ByteArrayInputStream(pubKey.getEncoded())) .readObject()); AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(apki); certgen.addExtension(X509Extensions.SubjectKeyIdentifier.getId(), false, ski); certgen.addExtension(X509Extensions.AuthorityKeyIdentifier.getId(), false, aki); } } catch (IOException e) { // do nothing } // CertificatePolicies extension if supplied policy ID, always non-critical if (policyId != null) { PolicyInformation pi = new PolicyInformation(new DERObjectIdentifier(policyId)); DERSequence seq = new DERSequence(pi); certgen.addExtension(X509Extensions.CertificatePolicies.getId(), false, seq); } X509Certificate selfcert = certgen.generate(privKey); return selfcert; }
From source file:org.objectweb.proactive.core.security.CertTools.java
License:Open Source License
public static X509Certificate genCert(String dn, long validity, String policyId, PrivateKey privKey, PublicKey pubKey, boolean isCA, String caDn, PrivateKey caPrivateKey, PublicKey acPubKey) throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, CertificateEncodingException, IllegalStateException {/* w ww .jav a 2s . co m*/ // Create self signed certificate String sigAlg = "SHA1WithRSA"; Date firstDate = new Date(); // Set back startdate ten minutes to avoid some problems with wrongly set clocks. firstDate.setTime(firstDate.getTime() - (10 * 60 * 1000)); Date lastDate = new Date(); // validity in days = validity*24*60*60*1000 milliseconds lastDate.setTime(lastDate.getTime() + (validity * (24 * 60 * 60 * 1000))); X509V3CertificateGenerator certgen = new X509V3CertificateGenerator(); // Serialnumber is random bits, where random generator is initialized with Date.getTime() when this // bean is created. byte[] serno = new byte[8]; SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); random.setSeed((new Date().getTime())); random.nextBytes(serno); certgen.setSerialNumber((new java.math.BigInteger(serno)).abs()); certgen.setNotBefore(firstDate); certgen.setNotAfter(lastDate); certgen.setSignatureAlgorithm(sigAlg); certgen.setSubjectDN(CertTools.stringToBcX509Name(dn)); certgen.setIssuerDN(CertTools.stringToBcX509Name(caDn)); certgen.setPublicKey(pubKey); // Basic constranits is always critical and MUST be present at-least in CA-certificates. BasicConstraints bc = new BasicConstraints(isCA); certgen.addExtension(X509Extensions.BasicConstraints.getId(), true, bc); // Put critical KeyUsage in CA-certificates if (false) { //if (isCA == true) { int keyusage = X509KeyUsage.keyCertSign + X509KeyUsage.cRLSign; X509KeyUsage ku = new X509KeyUsage(keyusage); certgen.addExtension(X509Extensions.KeyUsage.getId(), true, ku); } // Subject and Authority key identifier is always non-critical and MUST be present for certificates to verify in Mozilla. try { if (false) { //if (isCA == true) { SubjectPublicKeyInfo spki = new SubjectPublicKeyInfo( (ASN1Sequence) new ASN1InputStream(new ByteArrayInputStream(pubKey.getEncoded())) .readObject()); SubjectKeyIdentifier ski = new SubjectKeyIdentifier(spki); SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo( (ASN1Sequence) new ASN1InputStream(new ByteArrayInputStream(acPubKey.getEncoded())) .readObject()); AuthorityKeyIdentifier aki = new AuthorityKeyIdentifier(apki); certgen.addExtension(X509Extensions.SubjectKeyIdentifier.getId(), false, ski); certgen.addExtension(X509Extensions.AuthorityKeyIdentifier.getId(), false, aki); } } catch (IOException e) { // do nothing } // CertificatePolicies extension if supplied policy ID, always non-critical if (policyId != null) { PolicyInformation pi = new PolicyInformation(new DERObjectIdentifier(policyId)); DERSequence seq = new DERSequence(pi); certgen.addExtension(X509Extensions.CertificatePolicies.getId(), false, seq); } X509Certificate cert = certgen.generate(caPrivateKey); return cert; }
From source file:org.signserver.module.xades.signer.XAdESSignerUnitTest.java
License:Open Source License
private static MockedCryptoToken generateTokenWithIntermediateCert() throws Exception { final JcaX509CertificateConverter conv = new JcaX509CertificateConverter(); final KeyPair rootcaKeyPair = CryptoUtils.generateRSA(1024); final X509CertificateHolder rootcaCert = new CertBuilder().setSelfSignKeyPair(rootcaKeyPair) .setSubject("CN=Root, O=XAdES Test, C=SE") .addExtension(new CertExt(Extension.keyUsage, false, new X509KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign))) .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(true))).build(); final KeyPair subcaKeyPair = CryptoUtils.generateRSA(1024); final X509CertificateHolder subcaCert = new CertBuilder().setIssuerPrivateKey(rootcaKeyPair.getPrivate()) .setIssuer(rootcaCert.getSubject()).setSubjectPublicKey(subcaKeyPair.getPublic()) .setSubject("CN=Sub, O=XAdES Test, C=SE") .addExtension(new CertExt(Extension.keyUsage, false, new X509KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign))) .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(true))).build(); final KeyPair signerKeyPair = CryptoUtils.generateRSA(1024); final X509CertificateHolder signerCert = new CertBuilder().setIssuerPrivateKey(subcaKeyPair.getPrivate()) .setIssuer(subcaCert.getSubject()).setSubjectPublicKey(signerKeyPair.getPublic()) .setSubject("CN=Signer 1, O=XAdES Test, C=SE") .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false))).build(); final List<Certificate> chain = Arrays.<Certificate>asList(conv.getCertificate(signerCert), conv.getCertificate(subcaCert), conv.getCertificate(rootcaCert)); return new MockedCryptoToken(signerKeyPair.getPrivate(), signerKeyPair.getPublic(), conv.getCertificate(signerCert), chain, "BC"); }
From source file:org.signserver.module.xades.validator.XAdESValidator2UnitTest.java
License:Open Source License
/** * Setting up key-pairs, mocked crypto tokens, certificates and CRLs used * by the tests.//from w ww. j ava 2 s. c o m */ @BeforeClass public static void setUpClass() throws Exception { Security.addProvider(new BouncyCastleProvider()); JcaX509CertificateConverter conv = new JcaX509CertificateConverter(); // Root CA, sub CA rootcaCRLFile = File.createTempFile("xadestest-", "-rootca.crl"); LOG.debug("rootcaCRLFile: " + rootcaCRLFile); subca1CRLFile = File.createTempFile("xadestest-", "-subca.crl"); LOG.debug("subcaCRLFile: " + subca1CRLFile); rootcaKeyPair = CryptoUtils.generateRSA(1024); anotherKeyPair = CryptoUtils.generateRSA(1024); rootcaCert = new CertBuilder().setSelfSignKeyPair(rootcaKeyPair).setSubject("CN=Root, O=XAdES Test, C=SE") .addExtension(new CertExt(Extension.keyUsage, false, new X509KeyUsage( X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign | X509KeyUsage.digitalSignature))) .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(true))).build(); final KeyPair subca1KeyPair = CryptoUtils.generateRSA(1024); subca1Cert = new CertBuilder().setIssuerPrivateKey(rootcaKeyPair.getPrivate()) .setIssuer(rootcaCert.getSubject()).setSubjectPublicKey(subca1KeyPair.getPublic()) .addCDPURI(rootcaCRLFile.toURI().toURL().toExternalForm()) .setSubject("CN=Sub 1, O=XAdES Test, C=SE") .addExtension(new CertExt(Extension.keyUsage, false, new X509KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign))) .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(true))).build(); subca2KeyPair = CryptoUtils.generateRSA(1024); subca2Cert = new CertBuilder().setIssuerPrivateKey(rootcaKeyPair.getPrivate()) .setIssuer(rootcaCert.getSubject()).setSubjectPublicKey(subca2KeyPair.getPublic()) .setSubject("CN=Sub 2, O=XAdES Test, C=SE") .addExtension(new CertExt(Extension.keyUsage, false, new X509KeyUsage( X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign | X509KeyUsage.digitalSignature))) .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(true))) .addExtension(new CertExt(Extension.authorityInfoAccess, false, new AuthorityInformationAccess(AccessDescription.id_ad_ocsp, new GeneralName(GeneralName.uniformResourceIdentifier, "http://ocsp.example.com")))) .build(); // Signer 1 is issued directly by the root CA final KeyPair signer1KeyPair = CryptoUtils.generateRSA(1024); final X509CertificateHolder signer1Cert = new CertBuilder().setIssuerPrivateKey(rootcaKeyPair.getPrivate()) .setIssuer(rootcaCert.getSubject()).setSubjectPublicKey(signer1KeyPair.getPublic()) .setSubject("CN=Signer 1, O=XAdES Test, C=SE") .addCDPURI(rootcaCRLFile.toURI().toURL().toExternalForm()) .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false))).build(); final List<Certificate> chain1 = Arrays.<Certificate>asList(conv.getCertificate(signer1Cert), conv.getCertificate(rootcaCert)); token1 = new MockedCryptoToken(signer1KeyPair.getPrivate(), signer1KeyPair.getPublic(), conv.getCertificate(signer1Cert), chain1, "BC"); LOG.debug("Chain 1: \n" + new String(CertTools.getPEMFromCerts(chain1), "ASCII") + "\n"); // Sign a document by signer 1 XAdESSigner instance = new MockedXAdESSigner(token1); WorkerConfig config = new WorkerConfig(); instance.init(4712, config, null, null); RequestContext requestContext = new RequestContext(); requestContext.put(RequestContext.TRANSACTION_ID, "0000-201-1"); GenericSignRequest request = new GenericSignRequest(201, "<test201/>".getBytes("UTF-8")); GenericSignResponse response = (GenericSignResponse) instance.processData(request, requestContext); byte[] data = response.getProcessedData(); signedXml1 = new String(data); LOG.debug("Signed document by signer 1:\n\n" + signedXml1 + "\n"); // Signer 2 is issued by the sub CA final KeyPair signer2KeyPair = CryptoUtils.generateRSA(1024); final X509CertificateHolder signer2Cert = new CertBuilder().setIssuerPrivateKey(subca1KeyPair.getPrivate()) .setIssuer(subca1Cert.getSubject()).setSubjectPublicKey(signer2KeyPair.getPublic()) .setSubject("CN=Signer 2, O=XAdES Test, C=SE") .addCDPURI(subca1CRLFile.toURI().toURL().toExternalForm()) .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false))).build(); final List<Certificate> chain2 = Arrays.<Certificate>asList(conv.getCertificate(signer2Cert), conv.getCertificate(subca1Cert), conv.getCertificate(rootcaCert)); token2 = new MockedCryptoToken(signer2KeyPair.getPrivate(), signer2KeyPair.getPublic(), conv.getCertificate(signer2Cert), chain2, "BC"); LOG.debug("Chain 2: \n" + new String(CertTools.getPEMFromCerts(chain2)) + "\n"); // Sign a document by signer 2 instance = new MockedXAdESSigner(token2); config = new WorkerConfig(); instance.init(4713, config, null, null); requestContext = new RequestContext(); requestContext.put(RequestContext.TRANSACTION_ID, "0000-202-1"); request = new GenericSignRequest(202, "<test202/>".getBytes("UTF-8")); response = (GenericSignResponse) instance.processData(request, requestContext); data = response.getProcessedData(); signedXml2 = new String(data); LOG.debug("Signed document by signer 2:\n\n" + signedXml2 + "\n"); // CRL with all active (empty CRL) rootcaCRLEmpty = new CRLBuilder().setIssuerPrivateKey(rootcaKeyPair.getPrivate()) .setIssuer(rootcaCert.getSubject()).build(); subca1CRLEmpty = new CRLBuilder().setIssuerPrivateKey(subca1KeyPair.getPrivate()) .setIssuer(subca1Cert.getSubject()).build(); rootcaCRLSubCAAndSigner1Revoked = new CRLBuilder().setIssuerPrivateKey(rootcaKeyPair.getPrivate()) .setIssuer(rootcaCert.getSubject()) .addCRLEntry(subca1Cert.getSerialNumber(), new Date(), CRLReason.keyCompromise) .addCRLEntry(signer1Cert.getSerialNumber(), new Date(), CRLReason.keyCompromise).build(); subca1CRLSigner2Revoked = new CRLBuilder().setIssuerPrivateKey(subca1KeyPair.getPrivate()) .setIssuer(subca1Cert.getSubject()) .addCRLEntry(signer2Cert.getSerialNumber(), new Date(), CRLReason.keyCompromise).build(); otherCRL = new CRLBuilder().setIssuer(subca1Cert.getSubject()) // Setting Sub CA DN all though an other key will be used .build(); // signer 3, issued by the root CA with an OCSP authority information access in the signer cert final KeyPair signer3KeyPair = CryptoUtils.generateRSA(1024); signer3Cert = new CertBuilder().setIssuerPrivateKey(rootcaKeyPair.getPrivate()) .setIssuer(rootcaCert.getSubject()).setSubjectPublicKey(signer3KeyPair.getPublic()) .setSubject("CN=Signer 3, O=XAdES Test, C=SE") .addExtension(new CertExt(Extension.authorityInfoAccess, false, new AuthorityInformationAccess(AccessDescription.id_ad_ocsp, new GeneralName(GeneralName.uniformResourceIdentifier, "http://ocsp.example.com")))) .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false))).build(); final List<Certificate> chain3 = Arrays.<Certificate>asList(conv.getCertificate(signer3Cert), conv.getCertificate(rootcaCert)); token3 = new MockedCryptoToken(signer3KeyPair.getPrivate(), signer3KeyPair.getPublic(), conv.getCertificate(signer3Cert), chain3, "BC"); LOG.debug("Chain 3: \n" + new String(CertTools.getPEMFromCerts(chain3)) + "\n"); // signer 4, issued by the sub CA2 with an OCSP authority information access in the signer cert final KeyPair signer4KeyPair = CryptoUtils.generateRSA(1024); signer4Cert = new CertBuilder().setIssuerPrivateKey(subca2KeyPair.getPrivate()) .setIssuer(subca2Cert.getSubject()).setSubjectPublicKey(signer4KeyPair.getPublic()) .setSubject("CN=Signer 4, O=XAdES Test, C=SE") .addExtension(new CertExt(Extension.authorityInfoAccess, false, new AuthorityInformationAccess(AccessDescription.id_ad_ocsp, new GeneralName(GeneralName.uniformResourceIdentifier, "http://ocsp.example.com")))) .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false))).build(); final List<Certificate> chain4 = Arrays.<Certificate>asList(conv.getCertificate(signer4Cert), conv.getCertificate(subca2Cert), conv.getCertificate(rootcaCert)); token4 = new MockedCryptoToken(signer4KeyPair.getPrivate(), signer4KeyPair.getPublic(), conv.getCertificate(signer4Cert), chain4, "BC"); LOG.debug("Chain 4: \n" + new String(CertTools.getPEMFromCerts(chain4)) + "\n"); // ocspSigner 1, OCSP responder issued by the root CA with an ocsp-nocheck in the signer cert ocspSigner1KeyPair = CryptoUtils.generateRSA(1024); ocspSigner1Cert = new CertBuilder().setIssuerPrivateKey(rootcaKeyPair.getPrivate()) .setIssuer(rootcaCert.getSubject()).setSubjectPublicKey(ocspSigner1KeyPair.getPublic()) .setSubject("CN=OCSP Responder 1, O=XAdES Test, C=SE") .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false))) .addExtension(new CertExt(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_OCSPSigning))) .addExtension(new CertExt(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck, false, new DERNull())) .build(); // ocspSigner 2, OCSP responder issued by the sub CA2 with an ocsp-nocheck in the signer cert ocspSigner2KeyPair = CryptoUtils.generateRSA(1024); ocspSigner2Cert = new CertBuilder().setIssuerPrivateKey(subca2KeyPair.getPrivate()) .setIssuer(subca2Cert.getSubject()).setSubjectPublicKey(ocspSigner2KeyPair.getPublic()) .setSubject("CN=OCSP Responder 2, O=XAdES Test, C=SE") .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false))) .addExtension(new CertExt(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_OCSPSigning))) .addExtension(new CertExt(OCSPObjectIdentifiers.id_pkix_ocsp_nocheck, false, new DERNull())) .build(); // Sign a document by signer 3 instance = new MockedXAdESSigner(token3); config = new WorkerConfig(); instance.init(4714, config, null, null); requestContext = new RequestContext(); requestContext.put(RequestContext.TRANSACTION_ID, "0000-203-1"); request = new GenericSignRequest(202, "<test203/>".getBytes("UTF-8")); response = (GenericSignResponse) instance.processData(request, requestContext); data = response.getProcessedData(); signedXml3 = new String(data); LOG.debug("Signed document by signer 3:\n\n" + signedXml3 + "\n"); // Sign a document by signer 4 instance = new MockedXAdESSigner(token4); config = new WorkerConfig(); instance.init(4715, config, null, null); requestContext = new RequestContext(); requestContext.put(RequestContext.TRANSACTION_ID, "0000-204-1"); request = new GenericSignRequest(203, "<test204/>".getBytes("UTF-8")); response = (GenericSignResponse) instance.processData(request, requestContext); data = response.getProcessedData(); signedXml4 = new String(data); LOG.debug("Signed document by signer 4:\n\n" + signedXml4 + "\n"); // Signer 5 is issued directly by the root CA final KeyPair signer5KeyPair = CryptoUtils.generateRSA(1024); signer5Cert = new CertBuilder().setIssuerPrivateKey(rootcaKeyPair.getPrivate()) .setIssuer(rootcaCert.getSubject()).setSubjectPublicKey(signer5KeyPair.getPublic()) .setSubject("CN=Signer 5, O=XAdES Test, C=SE") .addCDPURI(rootcaCRLFile.toURI().toURL().toExternalForm()) .addExtension(new CertExt(Extension.authorityInfoAccess, false, new AuthorityInformationAccess(AccessDescription.id_ad_ocsp, new GeneralName(GeneralName.uniformResourceIdentifier, "http://ocsp.example.com")))) .addExtension(new CertExt(Extension.basicConstraints, false, new BasicConstraints(false))).build(); final List<Certificate> chain5 = Arrays.<Certificate>asList(conv.getCertificate(signer5Cert), conv.getCertificate(rootcaCert)); token5 = new MockedCryptoToken(signer5KeyPair.getPrivate(), signer5KeyPair.getPublic(), conv.getCertificate(signer1Cert), chain5, "BC"); LOG.debug("Chain 5: \n" + new String(CertTools.getPEMFromCerts(chain5)) + "\n"); // Sign a document by signer 5 instance = new MockedXAdESSigner(token5); config = new WorkerConfig(); instance.init(4712, config, null, null); requestContext = new RequestContext(); requestContext.put(RequestContext.TRANSACTION_ID, "0000-205-1"); request = new GenericSignRequest(205, "<test205/>".getBytes("UTF-8")); response = (GenericSignResponse) instance.processData(request, requestContext); data = response.getProcessedData(); signedXml5 = new String(data); LOG.debug("Signed document by signer 5:\n\n" + signedXml5 + "\n"); // CRL with signer 5 revoked rootcaCRLSigner5Revoked = new CRLBuilder().setIssuerPrivateKey(rootcaKeyPair.getPrivate()) .setIssuer(rootcaCert.getSubject()) .addCRLEntry(signer5Cert.getSerialNumber(), new Date(), CRLReason.keyCompromise).build(); }
From source file:org.signserver.validationservice.server.ValidationServiceWorkerTest.java
License:Open Source License
@Test public void test00SetupDatabase() throws Exception { KeyPair validRootCA1Keys = KeyTools.genKeys("1024", "RSA"); validRootCA1 = ValidationTestUtils.genCert("CN=ValidRootCA1", "CN=ValidRootCA1", validRootCA1Keys.getPrivate(), validRootCA1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), true); KeyPair validSubCA1Keys = KeyTools.genKeys("1024", "RSA"); validSubCA1 = ValidationTestUtils.genCert("CN=ValidSubCA1", "CN=ValidRootCA1", validRootCA1Keys.getPrivate(), validSubCA1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), true); KeyPair validCert1Keys = KeyTools.genKeys("1024", "RSA"); validCert1 = ValidationTestUtils.genCert("CN=ValidCert1", "CN=ValidSubCA1", validSubCA1Keys.getPrivate(), validCert1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), false); revokedCert1 = ValidationTestUtils.genCert("CN=revokedCert1", "CN=ValidSubCA1", validSubCA1Keys.getPrivate(), validCert1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), false); expiredCert1 = ValidationTestUtils.genCert("CN=expiredCert1", "CN=ValidSubCA1", validSubCA1Keys.getPrivate(), validCert1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() - 1000000), false); noYetValidCert1 = ValidationTestUtils.genCert("CN=noYetValidCert1", "CN=ValidSubCA1", validSubCA1Keys.getPrivate(), validCert1Keys.getPublic(), new Date(System.currentTimeMillis() + 1000000), new Date(System.currentTimeMillis() + 2000000), false);/* ww w . j av a 2s. com*/ badSigCert1 = ValidationTestUtils.genCert("CN=badSigCert1", "CN=ValidSubCA1", validRootCA1Keys.getPrivate(), validCert1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), false); identificationCert1 = ValidationTestUtils.genCert("CN=identificationCert1", "CN=ValidSubCA1", validSubCA1Keys.getPrivate(), validCert1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), false, X509KeyUsage.digitalSignature + X509KeyUsage.keyEncipherment); esigCert1 = ValidationTestUtils.genCert("CN=esigCert1", "CN=ValidSubCA1", validSubCA1Keys.getPrivate(), validCert1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), false, X509KeyUsage.nonRepudiation); badKeyUsageCert1 = ValidationTestUtils.genCert("CN=badKeyUsageCert1", "CN=ValidSubCA1", validSubCA1Keys.getPrivate(), validCert1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), false, X509KeyUsage.dataEncipherment + X509KeyUsage.cRLSign); KeyPair expiredRootCA1Keys = KeyTools.genKeys("1024", "RSA"); expiredRootCA1 = ValidationTestUtils.genCert("CN=expiredRootCA1", "CN=expiredRootCA1", expiredRootCA1Keys.getPrivate(), expiredRootCA1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() - 1000000), true); certByExpiredRoot = ValidationTestUtils.genCert("CN=certByExpiredRoot", "CN=expiredRootCA1", expiredRootCA1Keys.getPrivate(), validCert1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), false); KeyPair notYetValidSubCA1Keys = KeyTools.genKeys("1024", "RSA"); notYetValidCA = ValidationTestUtils.genCert("CN=notYetValidCA", "CN=ValidRootCA1", validRootCA1Keys.getPrivate(), notYetValidSubCA1Keys.getPublic(), new Date(System.currentTimeMillis() + 1000000), new Date(System.currentTimeMillis() + 2000000), true); certByNotYetValidSub = ValidationTestUtils.genCert("CN=certByNotYetValidSub", "CN=notYetValidCA", notYetValidSubCA1Keys.getPrivate(), validCert1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), false); KeyPair revocedRootCA1Keys = KeyTools.genKeys("1024", "RSA"); revocedRootCA1 = ValidationTestUtils.genCert("CN=revocedRootCA1", "CN=revocedRootCA1", revocedRootCA1Keys.getPrivate(), revocedRootCA1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), true); certByRevocedRoot = ValidationTestUtils.genCert("CN=certByRevocedRoot", "CN=revocedRootCA1", revocedRootCA1Keys.getPrivate(), validCert1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), false); KeyPair validSubCA2Keys = KeyTools.genKeys("1024", "RSA"); validSubCA2 = ValidationTestUtils.genCert("CN=ValidSubCA2", "CN=ValidRootCA1", validRootCA1Keys.getPrivate(), validSubCA2Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), true); KeyPair validSubSubCA2Keys = KeyTools.genKeys("1024", "RSA"); validSubSubCA2 = ValidationTestUtils.genCert("CN=ValidSubSubCA2", "CN=ValidSubCA2", validSubCA2Keys.getPrivate(), validSubSubCA2Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), true); KeyPair validSubSubSubCA2Keys = KeyTools.genKeys("1024", "RSA"); validSubSubSubCA2 = ValidationTestUtils.genCert("CN=ValidSubSubSubCA2", "CN=ValidSubSubCA2", validSubSubCA2Keys.getPrivate(), validSubSubSubCA2Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), true); KeyPair validSubSubSubSubCA2Keys = KeyTools.genKeys("1024", "RSA"); validSubSubSubSubCA2 = ValidationTestUtils.genCert("CN=ValidSubSubSubSubCA2", "CN=ValidSubSubSubCA2", validSubSubSubCA2Keys.getPrivate(), validSubSubSubSubCA2Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), true); certSignedByLongChain = ValidationTestUtils.genCert("CN=certSignedByLongChain", "CN=ValidSubSubSubSubCA2", validSubSubSubSubCA2Keys.getPrivate(), validCert1Keys.getPublic(), new Date(0), new Date(System.currentTimeMillis() + 1000000), false); ArrayList<X509Certificate> validChain1 = new ArrayList<X509Certificate>(); // Add in the wrong order validChain1.add(validRootCA1); validChain1.add(validSubCA1); ArrayList<X509Certificate> expiredRootChain = new ArrayList<X509Certificate>(); expiredRootChain.add(expiredRootCA1); ArrayList<X509Certificate> notYetValidSubChain = new ArrayList<X509Certificate>(); notYetValidSubChain.add(notYetValidCA); notYetValidSubChain.add(validRootCA1); ArrayList<X509Certificate> revocedRootCA1Chain = new ArrayList<X509Certificate>(); revocedRootCA1Chain.add(revocedRootCA1); ArrayList<X509Certificate> longChain = new ArrayList<X509Certificate>(); longChain.add(validSubCA2); longChain.add(validSubSubSubCA2); longChain.add(validRootCA1); longChain.add(validSubSubSubSubCA2); longChain.add(validSubSubCA2); // Worker 15 - DummyValidator gCSession.setProperty(GlobalConfiguration.SCOPE_GLOBAL, "WORKER15.CLASSPATH", "org.signserver.validationservice.server.ValidationServiceWorker"); sSSession.setWorkerProperty(15, "AUTHTYPE", "NOAUTH"); sSSession.setWorkerProperty(15, "VAL1.CLASSPATH", "org.signserver.validationservice.server.DummyValidator"); sSSession.setWorkerProperty(15, "VAL1.TESTPROP", "TEST"); sSSession.setWorkerProperty(15, "VAL1.ISSUER1.CERTCHAIN", ValidationTestUtils.genPEMStringFromChain(validChain1)); sSSession.setWorkerProperty(15, "VAL1.ISSUER2.CERTCHAIN", ValidationTestUtils.genPEMStringFromChain(expiredRootChain)); sSSession.setWorkerProperty(15, "VAL1.ISSUER4.CERTCHAIN", ValidationTestUtils.genPEMStringFromChain(notYetValidSubChain)); sSSession.setWorkerProperty(15, "VAL2.CLASSPATH", "org.signserver.validationservice.server.DummyValidator"); sSSession.setWorkerProperty(15, "VAL2.TESTPROP", "TEST"); sSSession.setWorkerProperty(15, "VAL2.ISSUER1.CERTCHAIN", ValidationTestUtils.genPEMStringFromChain(revocedRootCA1Chain)); sSSession.setWorkerProperty(15, "VAL2.ISSUER250.CERTCHAIN", ValidationTestUtils.genPEMStringFromChain(longChain)); sSSession.reloadConfiguration(15); // Worker 16 - NoRevokationCheckingValidator gCSession.setProperty(GlobalConfiguration.SCOPE_GLOBAL, "WORKER16.CLASSPATH", "org.signserver.validationservice.server.ValidationServiceWorker"); sSSession.setWorkerProperty(16, "AUTHTYPE", "NOAUTH"); sSSession.setWorkerProperty(16, "VAL1.CLASSPATH", "org.signserver.validationservice.server.NoRevocationCheckingValidator"); sSSession.setWorkerProperty(16, "VAL1.ISSUER1.CERTCHAIN", ValidationTestUtils.genPEMStringFromChain(validChain1)); sSSession.setWorkerProperty(16, "VAL1.ISSUER2.CERTCHAIN", ValidationTestUtils.genPEMStringFromChain(expiredRootChain)); sSSession.setWorkerProperty(16, "VAL1.ISSUER4.CERTCHAIN", ValidationTestUtils.genPEMStringFromChain(notYetValidSubChain)); sSSession.setWorkerProperty(16, "VAL2.CLASSPATH", "org.signserver.validationservice.server.NoRevocationCheckingValidator"); sSSession.setWorkerProperty(16, "VAL2.ISSUER1.CERTCHAIN", ValidationTestUtils.genPEMStringFromChain(revocedRootCA1Chain)); sSSession.setWorkerProperty(16, "VAL2.ISSUER250.CERTCHAIN", ValidationTestUtils.genPEMStringFromChain(longChain)); sSSession.reloadConfiguration(16); }
From source file:org.signserver.validationservice.server.ValidationTestUtils.java
License:Open Source License
public static X509Certificate genCert(String dn, String issuerdn, PrivateKey privKey, PublicKey pubKey, Date startDate, Date endDate, boolean isCA, int keyUsage, CRLDistPoint crlDistPoint) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException { X509V3CertificateGenerator certgen = new X509V3CertificateGenerator(); byte[] serno = new byte[8]; SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); random.setSeed((new Date().getTime())); random.nextBytes(serno);/* w w w .j a v a2s. c o m*/ certgen.setSerialNumber((new java.math.BigInteger(serno)).abs()); certgen.setNotBefore(startDate); certgen.setNotAfter(endDate); certgen.setSignatureAlgorithm("SHA1WithRSA"); certgen.setSubjectDN(CertTools.stringToBcX509Name(dn)); certgen.setIssuerDN(CertTools.stringToBcX509Name(issuerdn)); certgen.setPublicKey(pubKey); // CRL Distribution point if (crlDistPoint != null) { certgen.addExtension(X509Extensions.CRLDistributionPoints, false, crlDistPoint); } // Basic constranits is always critical and MUST be present at-least in CA-certificates. BasicConstraints bc = new BasicConstraints(isCA); certgen.addExtension(X509Extensions.BasicConstraints.getId(), true, bc); // Put critical KeyUsage in CA-certificates if (keyUsage == 0) { if (isCA == true) { int keyusage = X509KeyUsage.keyCertSign + X509KeyUsage.cRLSign; X509KeyUsage ku = new X509KeyUsage(keyusage); certgen.addExtension(X509Extensions.KeyUsage.getId(), true, ku); } } else { X509KeyUsage ku = new X509KeyUsage(keyUsage); certgen.addExtension(X509Extensions.KeyUsage.getId(), true, ku); } X509Certificate cert = certgen.generate(privKey); return cert; }
From source file:org.xipki.pki.scep.serveremulator.ScepServer.java
License:Open Source License
private static Certificate issueSubCaCert(final PrivateKey rcaKey, final X500Name issuer, final SubjectPublicKeyInfo pubKeyInfo, final X500Name subject, final BigInteger serialNumber, final Date startTime) throws CertIOException, OperatorCreationException { Date notAfter = new Date(startTime.getTime() + CaEmulator.DAY_IN_MS * 3650); X509v3CertificateBuilder certGenerator = new X509v3CertificateBuilder(issuer, serialNumber, startTime, notAfter, subject, pubKeyInfo); X509KeyUsage ku = new X509KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign); certGenerator.addExtension(Extension.keyUsage, true, ku); BasicConstraints bc = new BasicConstraints(0); certGenerator.addExtension(Extension.basicConstraints, true, bc); String signatureAlgorithm = ScepUtil.getSignatureAlgorithm(rcaKey, ScepHashAlgoType.SHA256); ContentSigner contentSigner = new JcaContentSignerBuilder(signatureAlgorithm).build(rcaKey); return certGenerator.build(contentSigner).toASN1Structure(); }
From source file:org.xipki.security.P12KeypairGenerator.java
License:Open Source License
public P12KeypairGenerationResult generateIdentity() throws Exception { KeyPairWithSubjectPublicKeyInfo kp = genKeypair(); Date now = new Date(); Date notBefore = new Date(now.getTime() - 10 * MIN); // 10 minutes past Date notAfter = new Date(notBefore.getTime() + validity * DAY); X500Name subjectDN = new X500Name(subject); subjectDN = X509Util.sortX509Name(subjectDN); SubjectPublicKeyInfo subjectPublicKeyInfo = kp.getSubjectPublicKeyInfo(); ContentSigner contentSigner = getContentSigner(kp.getKeypair().getPrivate()); // Generate keystore X509v3CertificateBuilder certGenerator = new X509v3CertificateBuilder(subjectDN, BigInteger.valueOf(serialNumber), notBefore, notAfter, subjectDN, subjectPublicKeyInfo); X509KeyUsage ku;/* www . j a v a 2 s . c om*/ if (keyUsage == null) { ku = new X509KeyUsage(X509KeyUsage.nonRepudiation | X509KeyUsage.digitalSignature | X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign); } else { ku = new X509KeyUsage(keyUsage); } certGenerator.addExtension(Extension.keyUsage, true, ku); if (CollectionUtil.isNotEmpty(extendedKeyUsage)) { KeyPurposeId[] kps = new KeyPurposeId[extendedKeyUsage.size()]; int i = 0; for (ASN1ObjectIdentifier oid : extendedKeyUsage) { kps[i++] = KeyPurposeId.getInstance(oid); } certGenerator.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(kps)); } KeyAndCertPair identity = new KeyAndCertPair(certGenerator.build(contentSigner), kp.getKeypair().getPrivate()); KeyStore ks = KeyStore.getInstance("PKCS12", "BC"); ks.load(null, password); ks.setKeyEntry("main", identity.getKey(), password, new Certificate[] { identity.getJceCert() }); ByteArrayOutputStream ksStream = new ByteArrayOutputStream(); try { ks.store(ksStream, password); } finally { ksStream.flush(); } P12KeypairGenerationResult result = new P12KeypairGenerationResult(ksStream.toByteArray(), identity.getCert()); result.setKeystoreObject(ks); return result; }