private static ASN1Sequence fromKey( PublicKey pubKey) throws InvalidKeyException { try { SubjectPublicKeyInfo info = new SubjectPublicKeyInfo( (ASN1Sequence)new ASN1InputStream(pubKey.getEncoded()).readObject()); return (ASN1Sequence)new AuthorityKeyIdentifier(info).toASN1Object(); } catch (Exception e) { throw new InvalidKeyException("can't process key: " + e); } }
private void prepopulateWithValue(byte[] value) throws IOException { AuthorityKeyIdentifier authorityKeyIdentifier = AuthorityKeyIdentifier.getInstance(value); if (authorityKeyIdentifier.getKeyIdentifier() != null) { jkiKeyIdentifier.setKeyIdentifier(authorityKeyIdentifier.getKeyIdentifier()); } GeneralNames authorityCertIssuer = authorityKeyIdentifier.getAuthorityCertIssuer(); if (authorityCertIssuer != null) { jgnAuthorityCertIssuer.setGeneralNames(authorityCertIssuer); } BigInteger authorityCertSerialNumber = authorityKeyIdentifier.getAuthorityCertSerialNumber(); if (authorityCertSerialNumber != null) { jtfAuthorityCertSerialNumber.setText("" + authorityCertSerialNumber.longValue()); jtfAuthorityCertSerialNumber.setCaretPosition(0); } }
/** * Returns the <code>AuthorityKeyIdentifier</code> corresponding * to a given <code>PublicKey</code> * @param publicKey the given public key * @param issuer the certificate issuer * @param serial the certificate serial number * @return the authority key identifier of the public key * @throws IOException */ private AuthorityKeyIdentifier getAuthorityKeyIdentifier(PublicKey publicKey, String issuer, BigInteger serial) throws IOException { InputStream input; SubjectPublicKeyInfo keyInfo; ASN1EncodableVector vector; input = new ByteArrayInputStream(publicKey.getEncoded()); keyInfo = new SubjectPublicKeyInfo((ASN1Sequence)new ASN1InputStream(input).readObject()); vector = new ASN1EncodableVector(); vector.add(new GeneralName(new X509Name(issuer))); return new AuthorityKeyIdentifier(keyInfo, new GeneralNames(new DERSequence(vector)), serial); }
public static X509Certificate generateCACertificate(String provider, X509Name subject, Date start, Date expired, KeyPair pair, int numberOfCAs, String signartureAlgorthm) throws InvalidKeyException, NoSuchProviderException, SignatureException, IOException { // generate the certificate X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(subject); certGen.setNotBefore(start); certGen.setNotAfter(expired); certGen.setSubjectDN(subject); certGen.setPublicKey(pair.getPublic()); certGen.setSignatureAlgorithm(signartureAlgorthm); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(numberOfCAs)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); SubjectPublicKeyInfo spki = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream( new ByteArrayInputStream(pair.getPublic().getEncoded())).readObject()); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(spki)); SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream( new ByteArrayInputStream(pair.getPublic().getEncoded())).readObject()); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(apki)); return certGen.generateX509Certificate(pair.getPrivate(), provider); }
public static X509CRL createCRL(String provider, X509Certificate caCert, PrivateKey caKey, CRLEntry[] entries, Date expires, String signatureAlgorithm) throws Exception { X509V2CRLGenerator crlGen = new X509V2CRLGenerator(); Date now = new Date(); crlGen.setIssuerDN(new X509Name(caCert.getSubjectDN().getName())); crlGen.setThisUpdate(now); crlGen.setNextUpdate(expires); crlGen.setSignatureAlgorithm(signatureAlgorithm); for (int i = 0; i < entries.length; i++) { crlGen.addCRLEntry(entries[i].getCertificateSerialNumber(), now, entries[i].getReason()); } SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream( new ByteArrayInputStream(caCert.getPublicKey().getEncoded())).readObject()); crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(apki)); crlGen.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(BigInteger.valueOf(System .currentTimeMillis()))); return crlGen.generateX509CRL(caKey, provider); }
public static X509Certificate generateCACertificate(String provider, X509Name subject, Date start, Date expired, KeyPair pair, int numberOfCAs, String signatureAlgorthm) throws CertificateEncodingException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException, IOException { // generate the certificate X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(subject); certGen.setNotBefore(start); certGen.setNotAfter(expired); certGen.setSubjectDN(subject); certGen.setPublicKey(pair.getPublic()); certGen.setSignatureAlgorithm(signatureAlgorthm); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(numberOfCAs)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); SubjectPublicKeyInfo spki = new SubjectPublicKeyInfo((ASN1Sequence) new ASN1InputStream(new ByteArrayInputStream(pair.getPublic().getEncoded())).readObject()); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(spki)); SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo((ASN1Sequence) new ASN1InputStream(new ByteArrayInputStream(pair.getPublic().getEncoded())).readObject()); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(apki)); return certGen.generate(pair.getPrivate(), provider); }
public static byte[] extractAki(X509Certificate cert) throws CertificateEncodingException { byte[] extValue = getCoreExtValue(cert, Extension.authorityKeyIdentifier); if (extValue == null) { return null; } try { AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(extValue); return aki.getKeyIdentifier(); } catch (IllegalArgumentException ex) { throw new CertificateEncodingException("invalid extension AuthorityKeyIdentifier: " + ex.getMessage()); } }
public static byte[] extractAki(org.bouncycastle.asn1.x509.Certificate cert) throws CertificateEncodingException { ParamUtil.requireNonNull("cert", cert); try { AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.fromExtensions( cert.getTBSCertificate().getExtensions()); return (aki == null) ? null : aki.getKeyIdentifier(); } catch (IllegalArgumentException ex) { throw new CertificateEncodingException("invalid extension AuthorityKeyIdentifier: " + ex.getMessage()); } }
public KeyIdentifierImpl(X509Certificate cert) throws CertificateException, IOException { byte[] extVal = cert.getExtensionValue(Extension.authorityKeyIdentifier.getId()); if (extVal == null) { lock = true; return; } AuthorityKeyIdentifier aki = AuthorityKeyIdentifier.getInstance(X509ExtensionUtil.fromExtensionValue(extVal)); keyIdentifier = aki.getKeyIdentifier(); }
/** * Create an AuthorityKeyIdentifier from the passed in arguments. * * @param certHolder the issuer certificate that the AuthorityKeyIdentifier should refer to. * @return an AuthorityKeyIdentifier. */ public AuthorityKeyIdentifier createAuthorityKeyIdentifier( X509CertificateHolder certHolder) { GeneralName genName = new GeneralName(certHolder.getIssuer()); return new AuthorityKeyIdentifier( getSubjectKeyIdentifier(certHolder), new GeneralNames(genName), certHolder.getSerialNumber()); }
private static ASN1Sequence fromKey( PublicKey pubKey) throws InvalidKeyException { try { SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(pubKey.getEncoded()); return (ASN1Sequence)new AuthorityKeyIdentifier(info).toASN1Primitive(); } catch (Exception e) { throw new InvalidKeyException("can't process key: " + e); } }
private X509Certificate generateSelfSignedCertificate(KeyPair keyPair, String subjectDn, DateTime notBefore, DateTime notAfter) throws IOException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, CertificateException { PublicKey subjectPublicKey = keyPair.getPublic(); PrivateKey issuerPrivateKey = keyPair.getPrivate(); String signatureAlgorithm = "SHA1WithRSAEncryption"; X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator(); certificateGenerator.reset(); certificateGenerator.setPublicKey(subjectPublicKey); certificateGenerator.setSignatureAlgorithm(signatureAlgorithm); certificateGenerator.setNotBefore(notBefore.toDate()); certificateGenerator.setNotAfter(notAfter.toDate()); X509Principal issuerDN = new X509Principal(subjectDn); certificateGenerator.setIssuerDN(issuerDN); certificateGenerator.setSubjectDN(new X509Principal(subjectDn)); certificateGenerator.setSerialNumber(new BigInteger(128, new SecureRandom())); certificateGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(subjectPublicKey)); PublicKey issuerPublicKey; issuerPublicKey = subjectPublicKey; certificateGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier, false, createAuthorityKeyId(issuerPublicKey)); certificateGenerator.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(true)); X509Certificate certificate; certificate = certificateGenerator.generate(issuerPrivateKey); /* * Next certificate factory trick is needed to make sure that the * certificate delivered to the caller is provided by the default * security provider instead of BouncyCastle. If we don't do this trick * we might run into trouble when trying to use the CertPath validator. */ CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); certificate = (X509Certificate) certificateFactory .generateCertificate(new ByteArrayInputStream(certificate.getEncoded())); return certificate; }
private byte[] getAuthorityKeyId(X509Certificate cert) throws IOException { byte[] extvalue = cert.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId()); if (extvalue == null) { return null; } DEROctetString oct = (DEROctetString) (new ASN1InputStream(new ByteArrayInputStream(extvalue)).readObject()); AuthorityKeyIdentifier keyId = new AuthorityKeyIdentifier( (ASN1Sequence) new ASN1InputStream(new ByteArrayInputStream(oct.getOctets())).readObject()); return keyId.getKeyIdentifier(); }
private void checkConstraints(final Collection<X509CertExtension> extensions) { if (CollectionUtils.isEmpty(extensions)) { return; } final Extensions exts = new Extensions(extensions.stream().map(X509CertExtension::toExtension).toArray(Extension[]::new)); checkArgument(AuthorityKeyIdentifier.fromExtensions(exts) == null, "AuthorityKeyIdentifier must not be specified as an extension - it is added automatically"); }
static AuthorityKeyIdentifier createAuthorityKeyId( PublicKey pub) throws IOException { SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(pub.getEncoded()); return new AuthorityKeyIdentifier(info); }
private Map<DERObjectIdentifier, DEREncodable> createExtensions(PublicKey caPub, PublicKey userPub) throws IOException { Map<DERObjectIdentifier, DEREncodable> ext = new HashMap<DERObjectIdentifier, DEREncodable>(); // not a CA ext.put(X509Extensions.BasicConstraints, new BasicConstraints(false)); // obvious ext.put(X509Extensions.KeyUsage, new KeyUsage(KeyUsage.dataEncipherment | KeyUsage.digitalSignature)); ext.put(X509Extensions.SubjectKeyIdentifier, getSubjectKeyInfo(userPub)); ext.put(X509Extensions.AuthorityKeyIdentifier, getAuthorityKeyIdentifier(caPub)); return ext; }
public static X509Certificate makeCertificate(KeyPair _subKP, String _subDN, KeyPair _issKP, String _issDN, String algorithm, boolean _ca) throws Exception { PublicKey _subPub = _subKP.getPublic(); PrivateKey _issPriv = _issKP.getPrivate(); PublicKey _issPub = _issKP.getPublic(); X509V3CertificateGenerator _v3CertGen = new X509V3CertificateGenerator(); _v3CertGen.reset(); _v3CertGen.setSerialNumber(allocateSerialNumber()); _v3CertGen.setIssuerDN(new X509Name(_issDN)); _v3CertGen.setNotBefore(new Date(System.currentTimeMillis())); _v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 100))); _v3CertGen.setSubjectDN(new X509Name(_subDN)); _v3CertGen.setPublicKey(_subPub); _v3CertGen.setSignatureAlgorithm(algorithm); _v3CertGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(_subPub)); _v3CertGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, createAuthorityKeyId(_issPub)); _v3CertGen.addExtension(X509Extensions.BasicConstraints, false, new BasicConstraints(_ca)); X509Certificate _cert = _v3CertGen.generate(_issPriv); _cert.checkValidity(new Date()); _cert.verify(_issPub); return _cert; }
private static AuthorityKeyIdentifier createAuthorityKeyId(PublicKey _pubKey) throws IOException { ByteArrayInputStream _bais = new ByteArrayInputStream(_pubKey .getEncoded()); SubjectPublicKeyInfo _info = new SubjectPublicKeyInfo( (ASN1Sequence)new ASN1InputStream(_bais).readObject()); return new AuthorityKeyIdentifier(_info); }
/** * Returns the <code>AuthorityKeyIdentifier</code> corresponding * to a given <code>PublicKey</code> * @param publicKey the given public key * @param issuer the certificate issuer * @param serial the certificate serial number * @return the authority key identifier of the public key * @throws IOException */ private AuthorityKeyIdentifier getAuthorityKeyIdentifier(PublicKey publicKey, String issuer, BigInteger serial) throws IOException { InputStream input; SubjectPublicKeyInfo keyInfo; ASN1EncodableVector vector; input = new ByteArrayInputStream(publicKey.getEncoded()); keyInfo = new SubjectPublicKeyInfo((ASN1Sequence)new ASN1InputStream(input).readObject()); vector = new ASN1EncodableVector(); vector.add(new GeneralName(new X509Name(issuer))); return new AuthorityKeyIdentifier(keyInfo, GeneralNames.getInstance(new DERSequence(vector)), serial); }
/** * Generate a CA Root certificate. */ private static X509Certificate generateRootCert(String DN, KeyPair pair) throws Exception { X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setIssuerDN(new X509Name(true, X509Name.DefaultLookUp, DN)); certGen.setSubjectDN(new X509Name(true, X509Name.DefaultLookUp, DN)); setSerialNumberAndValidityPeriod(certGen, true, DEFAULT_VALIDITY_PERIOD); certGen.setPublicKey(pair.getPublic()); certGen.setSignatureAlgorithm("SHA1WithRSAEncryption"); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier( new GeneralNames(new GeneralName(new X509Name(true, X509Name.DefaultLookUp, DN))), BigInteger.ONE)); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(pair.getPublic())); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign | KeyUsage.nonRepudiation)); certGen.addExtension(MiscObjectIdentifiers.netscapeCertType, false, new NetscapeCertType(NetscapeCertType.smimeCA | NetscapeCertType.sslCA | NetscapeCertType.objectSigning)); return certGen.generate(pair.getPrivate(), "BC"); }
static AuthorityKeyIdentifier createAuthorityKeyId( PublicKey pub) throws IOException { ByteArrayInputStream bIn = new ByteArrayInputStream(pub.getEncoded()); SubjectPublicKeyInfo info = new SubjectPublicKeyInfo( (ASN1Sequence)new ASN1InputStream(bIn).readObject()); return new AuthorityKeyIdentifier(info); }
private AuthorityKeyIdentifier createAuthorityKeyId( SubjectPublicKeyInfo info, X500Name name, int sNumber) { GeneralName genName = new GeneralName(name); ASN1EncodableVector v = new ASN1EncodableVector(); v.add(genName); return new AuthorityKeyIdentifier( info, GeneralNames.getInstance(new DERSequence(v)), BigInteger.valueOf(sNumber)); }
public static X509Certificate generateIntermediateCACertificate(String provider, X509Certificate cacert, PrivateKey signerKey, X509Name subject, Date start, Date expired, PublicKey publicKey, String signatureAlgorithm) throws InvalidKeyException, NoSuchProviderException, SignatureException, IOException { int constraints = cacert.getBasicConstraints(); if (constraints <= 1) { throw new SignatureException( "The CA Certificate specified cannot generate an intermediate CA certificate (Basic Constraints :" + constraints + ")"); } constraints = constraints - 1; // generate the certificate X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(new X509Name(cacert.getSubjectDN().toString())); certGen.setNotBefore(start); certGen.setNotAfter(expired); certGen.setSubjectDN(subject); certGen.setPublicKey(publicKey); certGen.setSignatureAlgorithm(signatureAlgorithm); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(constraints)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.keyCertSign)); SubjectPublicKeyInfo spki = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream( new ByteArrayInputStream(publicKey.getEncoded())).readObject()); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(spki)); SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream( new ByteArrayInputStream(cacert.getPublicKey().getEncoded())).readObject()); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(apki)); return certGen.generateX509Certificate(signerKey, provider); }
public static X509Certificate generateCertificate(String provider, X509Name subject, Date start, Date expired, PublicKey publicKey, X509Certificate cacert, PrivateKey signerKey, String signatureAlgorithm, String policyId) throws InvalidKeyException, NoSuchProviderException, SignatureException, IOException { // create the certificate using the information in the request X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setIssuerDN(new X509Name(cacert.getSubjectDN().getName())); certGen.setNotBefore(start); certGen.setNotAfter(expired); certGen.setSubjectDN(subject); certGen.setPublicKey(publicKey); certGen.setSignatureAlgorithm(signatureAlgorithm); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.nonRepudiation)); SubjectPublicKeyInfo spki = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream( new ByteArrayInputStream(publicKey.getEncoded())).readObject()); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifier(spki)); SubjectPublicKeyInfo apki = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream( new ByteArrayInputStream(cacert.getPublicKey().getEncoded())).readObject()); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifier(apki)); if (policyId != null) { PolicyInformation pi = new PolicyInformation(new DERObjectIdentifier(policyId)); DERSequence seq = new DERSequence(pi); certGen.addExtension(X509Extensions.CertificatePolicies.getId(), false, seq); } X509Certificate issuedCert = certGen.generateX509Certificate(signerKey, provider); return issuedCert; }
/** * Get the authority key identifier from a certificate extensions * * @param cert certificate containing the extension * @return byte[] containing the authority key identifier * @throws IOException if extension can not be parsed */ public static byte[] getAuthorityKeyId(X509Certificate cert) throws IOException { byte[] extvalue = cert.getExtensionValue("2.5.29.35"); if (extvalue == null) { return null; } DEROctetString oct = (DEROctetString) (new ASN1InputStream(new ByteArrayInputStream(extvalue)) .readObject()); AuthorityKeyIdentifier keyId = new AuthorityKeyIdentifier((ASN1Sequence) new ASN1InputStream( new ByteArrayInputStream(oct.getOctets())).readObject()); return keyId.getKeyIdentifier(); }
