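/**
 * Reads one DER-encoded certificate from {@code in}.
 *
 * <p>The stream may hold either a bare X.509 Certificate SEQUENCE or a
 * PKCS#7 ContentInfo whose contentType is signedData. In the latter case the
 * SignedData is cached in the {@code sData} field and successive calls hand
 * out the certificates it carries one at a time, indexed by
 * {@code sDataObjectCount}.
 *
 * @param in the stream to read the DER object from (not closed here)
 * @return the parsed certificate
 * @throws IOException if the stream cannot be read or the top-level DER
 *                     object is not an ASN.1 SEQUENCE
 */
private Certificate readDERCertificate(InputStream in) throws IOException {
    DERInputStream dIn = new DERInputStream(in);
    Object obj = dIn.readObject();
    // A non-SEQUENCE used to escape as a ClassCastException from the cast;
    // report it through the declared IOException instead.
    if (!(obj instanceof ASN1Sequence)) {
        throw new IOException("Expected an ASN.1 SEQUENCE for the certificate");
    }
    ASN1Sequence seq = (ASN1Sequence) obj;

    // A ContentInfo starts with an OBJECT IDENTIFIER; a plain Certificate
    // starts with the TBSCertificate sequence, so the OID test tells them apart.
    boolean startsWithOid = seq.size() > 1
            && seq.getObjectAt(0) instanceof DERObjectIdentifier;
    if (startsWithOid && seq.getObjectAt(0).equals(PKCSObjectIdentifiers.signedData)) {
        sData = new SignedData(ASN1Sequence.getInstance(
                (ASN1TaggedObject) seq.getObjectAt(1), true));
        // Hand out the first certificate now; later calls continue from
        // sDataObjectCount (no bounds check is performed here, as before).
        return new X509CertificateObject(
                X509CertificateStructure.getInstance(
                        sData.getCertificates().getObjectAt(sDataObjectCount++)));
    }
    return new X509CertificateObject(X509CertificateStructure.getInstance(seq));
}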
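/**
 * Generates a self-signed CA certificate for {@code subject}.
 *
 * <p>The certificate carries a critical BasicConstraints extension (CA with
 * pathLenConstraint {@code numberOfCAs}), a critical KeyUsage of
 * digitalSignature | keyCertSign | cRLSign, and non-critical
 * SubjectKeyIdentifier and AuthorityKeyIdentifier extensions. Both key
 * identifiers are derived from {@code pair}'s public key, since issuer and
 * subject are the same key for a self-signed certificate.
 *
 * @param provider           JCA provider name used for signing
 * @param subject            subject (and issuer) distinguished name
 * @param start              notBefore
 * @param expired            notAfter
 * @param pair               the CA key pair; the private key signs the certificate
 * @param numberOfCAs        pathLenConstraint placed in BasicConstraints
 * @param signartureAlgorthm signature algorithm name handed to the generator
 * @return the signed certificate
 * @throws IOException if the encoded public key cannot be parsed as DER
 */
public static X509Certificate generateCACertificate(String provider, X509Name subject,
        Date start, Date expired, KeyPair pair, int numberOfCAs, String signartureAlgorthm)
        throws InvalidKeyException, NoSuchProviderException, SignatureException, IOException {
    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    // NOTE(review): a millisecond timestamp is a weak serial number - two
    // certificates issued in the same millisecond collide, and serials must be
    // unique per issuer. A SecureRandom-derived serial is the usual fix; left
    // unchanged here to preserve behaviour.
    certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
    certGen.setIssuerDN(subject);
    certGen.setNotBefore(start);
    certGen.setNotAfter(expired);
    certGen.setSubjectDN(subject);
    certGen.setPublicKey(pair.getPublic());
    certGen.setSignatureAlgorithm(signartureAlgorthm);
    certGen.addExtension(X509Extensions.BasicConstraints, true,
            new BasicConstraints(numberOfCAs));
    certGen.addExtension(X509Extensions.KeyUsage, true,
            new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));

    // Parse the SubjectPublicKeyInfo once; the previous version decoded the
    // same bytes twice, once per key-identifier extension.
    SubjectPublicKeyInfo keyInfo = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream(
            new ByteArrayInputStream(pair.getPublic().getEncoded())).readObject());
    certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false,
            new SubjectKeyIdentifier(keyInfo));
    certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifier(keyInfo));

    return certGen.generateX509Certificate(pair.getPrivate(), provider);
}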
/**
 * Builds and signs an X.509 v2 CRL on behalf of {@code caCert}.
 *
 * <p>Every entry is revoked with the CRL's own thisUpdate time. The CRL gets
 * a non-critical AuthorityKeyIdentifier derived from the CA public key and a
 * non-critical CRLNumber taken from the current time in milliseconds.
 *
 * @param provider           JCA provider name used for signing
 * @param caCert             the issuing CA certificate (issuer name and AKI source)
 * @param caKey              the CA private key that signs the CRL
 * @param entries            serial numbers and reasons to revoke
 * @param expires            nextUpdate
 * @param signatureAlgorithm signature algorithm name handed to the generator
 * @return the signed CRL
 * @throws Exception on any generation or encoding failure
 */
public static X509CRL createCRL(String provider, X509Certificate caCert, PrivateKey caKey,
        CRLEntry[] entries, Date expires, String signatureAlgorithm) throws Exception {
    X509V2CRLGenerator generator = new X509V2CRLGenerator();
    Date thisUpdate = new Date();

    generator.setIssuerDN(new X509Name(caCert.getSubjectDN().getName()));
    generator.setThisUpdate(thisUpdate);
    generator.setNextUpdate(expires);
    generator.setSignatureAlgorithm(signatureAlgorithm);

    // All revocations are stamped with the same time as thisUpdate.
    for (int idx = 0; idx < entries.length; idx++) {
        CRLEntry entry = entries[idx];
        generator.addCRLEntry(entry.getCertificateSerialNumber(), thisUpdate, entry.getReason());
    }

    SubjectPublicKeyInfo issuerKeyInfo = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream(
            new ByteArrayInputStream(caCert.getPublicKey().getEncoded())).readObject());
    generator.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifier(issuerKeyInfo));
    generator.addExtension(X509Extensions.CRLNumber, false,
            new CRLNumber(BigInteger.valueOf(System.currentTimeMillis())));

    return generator.generateX509CRL(caKey, provider);
}
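/**
 * Decodes a DER-encoded DigestInfo structure.
 *
 * @param encoding the DER bytes
 * @return the parsed DigestInfo
 * @throws IOException if the bytes are not valid DER or the top-level object
 *                     is not an ASN.1 SEQUENCE
 */
private DigestInfo derDecode(byte[] encoding) throws IOException {
    ByteArrayInputStream bIn = new ByteArrayInputStream(encoding);
    DERInputStream dIn = new DERInputStream(bIn);
    Object obj = dIn.readObject();
    // A non-SEQUENCE used to escape as a ClassCastException; report it via the
    // declared IOException so callers have a single failure path for bad input.
    if (!(obj instanceof ASN1Sequence)) {
        throw new IOException("Expected an ASN.1 SEQUENCE for DigestInfo");
    }
    return new DigestInfo((ASN1Sequence) obj);
}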
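/**
 * Reads a DER-encoded SubjectPublicKeyInfo from {@code in} and converts it
 * to a JCA public key via {@code createPublicKeyFromPublicKeyInfo}.
 *
 * @param in the stream to read from (not closed here)
 * @return the public key
 * @throws IOException if the stream cannot be read or the top-level DER
 *                     object is not an ASN.1 SEQUENCE
 */
static PublicKey createPublicKeyFromDERStream(InputStream in) throws IOException {
    Object keyInfo = new DERInputStream(in).readObject();
    // Surface a wrong top-level type as the declared IOException instead of
    // the ClassCastException the bare cast produced.
    if (!(keyInfo instanceof ASN1Sequence)) {
        throw new IOException("Expected an ASN.1 SEQUENCE for SubjectPublicKeyInfo");
    }
    return createPublicKeyFromPublicKeyInfo(new SubjectPublicKeyInfo((ASN1Sequence) keyInfo));
}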
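/**
 * Reads a DER-encoded PrivateKeyInfo from {@code in} and converts it to a
 * JCA private key via {@code createPrivateKeyFromPrivateKeyInfo}.
 *
 * @param in the stream to read from (not closed here)
 * @return the private key
 * @throws IOException if the stream cannot be read or the top-level DER
 *                     object is not an ASN.1 SEQUENCE
 */
static PrivateKey createPrivateKeyFromDERStream(InputStream in) throws IOException {
    Object keyInfo = new DERInputStream(in).readObject();
    // Surface a wrong top-level type as the declared IOException instead of
    // the ClassCastException the bare cast produced.
    if (!(keyInfo instanceof ASN1Sequence)) {
        throw new IOException("Expected an ASN.1 SEQUENCE for PrivateKeyInfo");
    }
    return createPrivateKeyFromPrivateKeyInfo(new PrivateKeyInfo((ASN1Sequence) keyInfo));
}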
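/**
 * Builds a JCA {@link PrivateKey} from a raw DER-encoded key.
 *
 * <p>Only {@code "RSA"} is handled. The decoded DER object is wrapped in a
 * PrivateKeyInfo carrying the rsaEncryption AlgorithmIdentifier so that the
 * result is a PKCS#8 structure the RSA {@link KeyFactory} accepts.
 *
 * @param alg  key algorithm name; anything other than "RSA" yields null
 * @param data DER-encoded private key bytes
 * @return the private key, or null when {@code alg} is not "RSA"
 * @throws GeneralSecurityException if the bytes cannot be decoded as DER or
 *         the KeyFactory rejects the resulting PKCS#8 structure
 */
protected PrivateKey getKey(String alg, byte[] data) throws GeneralSecurityException {
    if (!alg.equals("RSA")) {
        // Unsupported algorithms still answer null, as before.
        return null;
    }
    byte[] keyData;
    try {
        DERInputStream derin = new DERInputStream(new ByteArrayInputStream(data));
        DERObject keyInfo = derin.readObject();
        // Re-wrap the bare key object as PrivateKeyInfo { rsaEncryption, key }
        // so it can be fed to the PKCS#8 key spec below.
        AlgorithmIdentifier rsa = new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption);
        PrivateKeyInfo pkeyinfo = new PrivateKeyInfo(rsa, keyInfo);
        keyData = BouncyCastleUtil.toByteArray(pkeyinfo.getDERObject());
    } catch (IOException e) {
        // Previously swallowed and turned into a null return, which hid the
        // real decoding problem from the caller; report it with its cause.
        throw new GeneralSecurityException("unable to decode RSA private key: " + e.getMessage(), e);
    }
    PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(keyData);
    KeyFactory kfac = KeyFactory.getInstance("RSA");
    return kfac.generatePrivate(spec);
}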
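/**
 * Sets the subject public key of the certificate being built.
 *
 * <p>The key's X.509 encoding is re-parsed as a SubjectPublicKeyInfo and
 * handed to the TBS generator.
 *
 * @param key the subject public key
 * @throws IllegalArgumentException if the key's encoding cannot be parsed;
 *         the underlying exception is attached as the cause
 */
public void setPublicKey(PublicKey key) {
    try {
        tbsGen.setSubjectPublicKeyInfo(new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream(
                new ByteArrayInputStream(key.getEncoded())).readObject()));
    } catch (Exception e) {
        // Same message as before, but keep the original exception as the cause
        // so the failure is diagnosable from the stack trace.
        throw new IllegalArgumentException("unable to process key - " + e.toString(), e);
    }
}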
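/**
 * Reads one DER-encoded X.509 CRL from {@code in}.
 *
 * @param in the stream to read from (not closed here)
 * @return the parsed CRL
 * @throws IOException if the stream cannot be read or the top-level DER
 *                     object is not an ASN.1 SEQUENCE
 */
private CRL readDERCRL(InputStream in) throws IOException {
    DERInputStream dIn = new DERInputStream(in);
    Object obj = dIn.readObject();
    // Report a wrong top-level type through the declared IOException rather
    // than the ClassCastException the bare cast produced.
    if (!(obj instanceof ASN1Sequence)) {
        throw new IOException("Expected an ASN.1 SEQUENCE for CertificateList");
    }
    return new X509CRLObject(new CertificateList((ASN1Sequence) obj));
}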
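/**
 * Return a DERObject containing the encoded certificate.
 *
 * <p>The certificate's DER encoding is obtained from {@code cert.getEncoded()}
 * and parsed back into a DER object tree.
 *
 * @param cert the X509Certificate object to be encoded
 * @return the DERObject
 * @throws CertificateEncodingException if the certificate cannot be encoded,
 *         or if its encoding cannot be re-parsed (the IOException is
 *         attached as the cause)
 */
private DERObject getEncodedX509Certificate(X509Certificate cert)
        throws CertificateEncodingException {
    try {
        ByteArrayInputStream inStream = new ByteArrayInputStream(cert.getEncoded());
        DERInputStream derInStream = new DERInputStream(inStream);
        return derInStream.readObject();
    } catch (IOException ex) {
        // Keep the original message but preserve the cause instead of
        // flattening it into text.
        throw new CertificateEncodingException(
                "IOException caught while encoding certificate\n" + ex.toString(), ex);
    }
}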
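/**
 * Decodes a DER SEQUENCE of two INTEGERs into a two-element array
 * (presumably the (r, s) pair of a DSA-style signature).
 *
 * @param encoding the DER bytes
 * @return a two-element array holding the two integer values in order
 * @throws IOException if the bytes are not valid DER, the top-level object
 *         is not a SEQUENCE, or the SEQUENCE is not exactly two INTEGERs
 */
private BigInteger[] derDecode(byte[] encoding) throws IOException {
    ByteArrayInputStream bIn = new ByteArrayInputStream(encoding);
    DERInputStream dIn = new DERInputStream(bIn);
    Object obj = dIn.readObject();
    if (!(obj instanceof ASN1Sequence)) {
        throw new IOException("Expected an ASN.1 SEQUENCE of two INTEGERs");
    }
    ASN1Sequence s = (ASN1Sequence) obj;
    // Require exactly two INTEGERs. Previously a short or mistyped sequence
    // failed with an unchecked exception and extra trailing elements were
    // silently ignored; both are rejected now.
    if (s.size() != 2
            || !(s.getObjectAt(0) instanceof DERInteger)
            || !(s.getObjectAt(1) instanceof DERInteger)) {
        throw new IOException("Malformed signature: expected SEQUENCE { INTEGER, INTEGER }");
    }
    BigInteger[] sig = new BigInteger[2];
    sig[0] = ((DERInteger) s.getObjectAt(0)).getValue();
    sig[1] = ((DERInteger) s.getObjectAt(1)).getValue();
    return sig;
}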
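/**
 * Parses {@code bytes} as a DER-encoded ASN.1 SEQUENCE.
 *
 * @param bytes the DER encoding
 * @return the decoded sequence
 * @throws IllegalArgumentException if the bytes are not valid DER or do not
 *         decode to a SEQUENCE; the underlying exception is the cause
 */
private static ASN1Sequence toDERSequence(byte[] bytes) {
    try {
        ByteArrayInputStream bIn = new ByteArrayInputStream(bytes);
        DERInputStream dIn = new DERInputStream(bIn);
        return (ASN1Sequence) dIn.readObject();
    } catch (Exception e) {
        // Keep the message callers may match on, but preserve the root cause
        // (IOException or ClassCastException) that was previously discarded.
        throw new IllegalArgumentException("badly encoded request", e);
    }
}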
/**
 * Unwraps the OCTET STRING that carries an X.509 extension's value.
 *
 * @param certExtValue the DER-encoded OCTET STRING value of the extension.
 * @return the octets contained in the OCTET STRING (the extension's real value).
 * @throws IOException if the bytes are not valid DER or do not decode to an
 *         OCTET STRING
 */
public static byte[] getExtensionValue(byte[] certExtValue) throws IOException {
    DERInputStream derInputStream =
            new DERInputStream(new ByteArrayInputStream(certExtValue));
    Object decoded = derInputStream.readObject();
    if (!(decoded instanceof ASN1OctetString)) {
        throw new IOException("Expected octet string");
    }
    return ((ASN1OctetString) decoded).getOctets();
}
/**
 * Issues an intermediate CA certificate signed by {@code cacert}'s key.
 *
 * <p>The issuer's pathLenConstraint must be greater than 1; the new
 * certificate receives a pathLenConstraint one less than the issuer's. It
 * carries critical BasicConstraints and KeyUsage (digitalSignature |
 * keyEncipherment | keyCertSign), a SubjectKeyIdentifier derived from
 * {@code publicKey} and an AuthorityKeyIdentifier derived from the issuer's
 * public key.
 *
 * @param provider           JCA provider name used for signing
 * @param cacert             the issuing CA certificate
 * @param signerKey          the issuing CA private key
 * @param subject            subject distinguished name of the new CA
 * @param start              notBefore
 * @param expired            notAfter
 * @param publicKey          public key to certify
 * @param signatureAlgorithm signature algorithm name handed to the generator
 * @return the signed intermediate CA certificate
 * @throws SignatureException if the issuer's BasicConstraints do not permit
 *         another CA level (value {@code <= 1}, which includes -1 for a
 *         non-CA certificate)
 * @throws IOException if either public key encoding cannot be parsed as DER
 */
public static X509Certificate generateIntermediateCACertificate(String provider,
        X509Certificate cacert, PrivateKey signerKey, X509Name subject, Date start,
        Date expired, PublicKey publicKey, String signatureAlgorithm)
        throws InvalidKeyException, NoSuchProviderException, SignatureException, IOException {
    int issuerPathLen = cacert.getBasicConstraints();
    // getBasicConstraints() is -1 for a non-CA certificate; a value of 1 (one
    // more CA allowed below the issuer) is rejected here as well.
    if (issuerPathLen <= 1) {
        throw new SignatureException(
                "The CA Certificate specified cannot generate an intermediate CA certificate (Basic Constraints :"
                        + issuerPathLen + ")");
    }
    int childPathLen = issuerPathLen - 1;

    X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
    // NOTE(review): millisecond timestamps make a weak serial number
    // (collisions within one millisecond); left as-is to preserve behaviour.
    gen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
    gen.setIssuerDN(new X509Name(cacert.getSubjectDN().toString()));
    gen.setNotBefore(start);
    gen.setNotAfter(expired);
    gen.setSubjectDN(subject);
    gen.setPublicKey(publicKey);
    gen.setSignatureAlgorithm(signatureAlgorithm);
    gen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(childPathLen));
    int usage = KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.keyCertSign;
    gen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(usage));

    SubjectPublicKeyInfo subjectKeyInfo = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream(
            new ByteArrayInputStream(publicKey.getEncoded())).readObject());
    gen.addExtension(X509Extensions.SubjectKeyIdentifier, false,
            new SubjectKeyIdentifier(subjectKeyInfo));

    SubjectPublicKeyInfo issuerKeyInfo = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream(
            new ByteArrayInputStream(cacert.getPublicKey().getEncoded())).readObject());
    gen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifier(issuerKeyInfo));

    return gen.generateX509Certificate(signerKey, provider);
}
/**
 * Issues an end-entity certificate signed by {@code cacert}'s key.
 *
 * <p>The certificate carries critical BasicConstraints (CA = false), a
 * critical KeyUsage of digitalSignature | keyEncipherment |
 * dataEncipherment | nonRepudiation, a SubjectKeyIdentifier derived from
 * {@code publicKey}, an AuthorityKeyIdentifier derived from the issuer's
 * public key and, when {@code policyId} is non-null, a non-critical
 * CertificatePolicies extension holding that single policy OID.
 *
 * @param provider           JCA provider name used for signing
 * @param subject            subject distinguished name
 * @param start              notBefore
 * @param expired            notAfter
 * @param publicKey          public key to certify
 * @param cacert             the issuing CA certificate
 * @param signerKey          the issuing CA private key
 * @param signatureAlgorithm signature algorithm name handed to the generator
 * @param policyId           certificate policy OID, or null for none
 * @return the signed certificate
 * @throws IOException if either public key encoding cannot be parsed as DER
 */
public static X509Certificate generateCertificate(String provider, X509Name subject, Date start,
        Date expired, PublicKey publicKey, X509Certificate cacert, PrivateKey signerKey,
        String signatureAlgorithm, String policyId)
        throws InvalidKeyException, NoSuchProviderException, SignatureException, IOException {
    X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
    // NOTE(review): millisecond timestamps make a weak serial number
    // (collisions within one millisecond); left as-is to preserve behaviour.
    gen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
    gen.setIssuerDN(new X509Name(cacert.getSubjectDN().getName()));
    gen.setNotBefore(start);
    gen.setNotAfter(expired);
    gen.setSubjectDN(subject);
    gen.setPublicKey(publicKey);
    gen.setSignatureAlgorithm(signatureAlgorithm);

    gen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
    int usage = KeyUsage.digitalSignature | KeyUsage.keyEncipherment
            | KeyUsage.dataEncipherment | KeyUsage.nonRepudiation;
    gen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(usage));

    SubjectPublicKeyInfo subjectKeyInfo = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream(
            new ByteArrayInputStream(publicKey.getEncoded())).readObject());
    gen.addExtension(X509Extensions.SubjectKeyIdentifier, false,
            new SubjectKeyIdentifier(subjectKeyInfo));

    SubjectPublicKeyInfo issuerKeyInfo = new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream(
            new ByteArrayInputStream(cacert.getPublicKey().getEncoded())).readObject());
    gen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifier(issuerKeyInfo));

    if (policyId != null) {
        PolicyInformation policy = new PolicyInformation(new DERObjectIdentifier(policyId));
        gen.addExtension(X509Extensions.CertificatePolicies.getId(), false,
                new DERSequence(policy));
    }

    return gen.generateX509Certificate(signerKey, provider);
}
/**
 * Round-trips a ProxyCertInfo with an explicit path length through DER
 * encoding and checks that every field survives.
 */
public void testParseProxyCertInfo() throws Exception {
    ProxyCertInfo original = new ProxyCertInfo(3, new ProxyPolicy(testOid, testPolicy));

    // Encode, then decode back into a raw DER object.
    ByteArrayOutputStream encoded = new ByteArrayOutputStream();
    new DEROutputStream(encoded).writeObject(original);
    DERObject decoded = new DERInputStream(
            new ByteArrayInputStream(encoded.toByteArray())).readObject();

    assertTrue(decoded instanceof ASN1Sequence);
    ProxyCertInfo parsed = new ProxyCertInfo((ASN1Sequence) decoded);
    assertEquals(3, parsed.getPathLenConstraint());
    assertEquals(testPolicy, parsed.getProxyPolicy().getPolicyAsString());
    assertEquals(testOid, parsed.getProxyPolicy().getPolicyLanguage());
}
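/**
 * Creates a proxy certificate from the certificate request. (Signs a
 * certificate request creating a new certificate)
 *
 * <p>The request is read as DER, checked to be a SEQUENCE, parsed as a
 * PKCS#10 CertificationRequest and verified before its public key is
 * certified.
 *
 * @see #createProxyCertificate(String, X509Certificate, PrivateKey, PublicKey,
 *      int, int, X509ExtensionSet, String, String) createProxyCertificate
 * @param provider
 *            the JCA provider used to sign the new certificate.
 * @param certRequestInputStream
 *            the input stream to read the certificate request from.
 * @param cert
 *            the issuer certificate
 * @param privateKey
 *            the private key to sign the new certificate with.
 * @param lifetime
 *            lifetime of the new certificate in seconds. If 0 (or less
 *            than) the new certificate will have the same lifetime as the
 *            issuing certificate.
 * @param delegationMode
 *            the type of proxy credential to create
 * @param extSet
 *            a set of X.509 extensions to be included in the new proxy
 *            certificate. Can be null. If delegation mode is
 *            {@link GSIConstants#GSI_3_RESTRICTED_PROXY
 *            GSIConstants.GSI_3_RESTRICTED_PROXY} then
 *            {@link org.globus.gsi.proxy.ext.ProxyCertInfoExtension
 *            ProxyCertInfoExtension} must be present in the extension set.
 * @param cnValue
 *            the value of the CN component of the subject of the new
 *            certificate. If null, the defaults will be used depending on
 *            the proxy certificate type created.
 * @param signatureAlgorithm
 *            the signature algorithm used to sign the new certificate.
 * @return <code>X509Certificate</code> the new proxy certificate
 * @exception IOException
 *                if error reading the certificate request, or if the data
 *                read is not an ASN.1 SEQUENCE
 * @exception GeneralSecurityException
 *                if a security error occurs, including a request whose
 *                signature does not verify.
 */
public X509Certificate createCertificate(String provider, InputStream certRequestInputStream,
        X509Certificate cert, PrivateKey privateKey, int lifetime, int delegationMode,
        X509ExtensionSet extSet, String cnValue, String signatureAlgorithm)
        throws IOException, GeneralSecurityException {
    DERInputStream derin = new DERInputStream(certRequestInputStream);
    Object reqInfo = derin.readObject();
    // The request is caller-supplied input: reject anything that is not a
    // SEQUENCE here instead of letting the cast fail with ClassCastException.
    if (!(reqInfo instanceof ASN1Sequence)) {
        throw new IOException("Certificate request is not an ASN.1 SEQUENCE");
    }
    PKCS10CertificationRequest certReq = new PKCS10CertificationRequest((ASN1Sequence) reqInfo);
    // verify() checks the request's self-signature, i.e. that the requester
    // holds the private key matching the key being certified.
    if (!certReq.verify()) {
        throw new GeneralSecurityException("Certificate request verification failed!");
    }
    return createProxyCertificate(provider, cert, privateKey, certReq.getPublicKey(),
            lifetime, delegationMode, extSet, cnValue, signatureAlgorithm);
}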
/**
 * Converts the DER-encoded byte array into a <code>DERObject</code>.
 *
 * @param data the DER-encoded byte array to convert.
 * @return the DERObject.
 * @exception IOException if conversion fails
 */
public static DERObject toDERObject(byte[] data) throws IOException {
    return new DERInputStream(new ByteArrayInputStream(data)).readObject();
}
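/**
 * Creates a proxy certificate from the certificate request.
 * (Signs a certificate request creating a new certificate)
 *
 * <p>The request is read as DER, checked to be a SEQUENCE, parsed as a
 * PKCS#10 CertificationRequest and verified before its public key is
 * certified.
 *
 * @see #createProxyCertificate(X509Certificate, PrivateKey, PublicKey,
 *      int, int, X509ExtensionSet, String) createProxyCertificate
 * @param certRequestInputStream the input stream to read the
 *        certificate request from.
 * @param cert the issuer certificate
 * @param privateKey the private key to sign the new
 *        certificate with.
 * @param lifetime lifetime of the new certificate in seconds.
 *        If 0 (or less than) the new certificate will have the
 *        same lifetime as the issuing certificate.
 * @param delegationMode the type of proxy credential to create
 * @param extSet a set of X.509 extensions to be included in the new
 *        proxy certificate. Can be null. If delegation mode is
 *        {@link GSIConstants#GSI_3_RESTRICTED_PROXY
 *        GSIConstants.GSI_3_RESTRICTED_PROXY} then
 *        {@link org.globus.gsi.proxy.ext.ProxyCertInfoExtension
 *        ProxyCertInfoExtension} must be present in the extension
 *        set.
 * @param cnValue the value of the CN component of the subject of
 *        the new certificate. If null, the defaults will be used
 *        depending on the proxy certificate type created.
 * @return <code>X509Certificate</code> the new proxy certificate
 * @exception IOException if error reading the certificate
 *            request, or if the data read is not an ASN.1 SEQUENCE
 * @exception GeneralSecurityException if a security error
 *            occurs, including a request whose signature does not verify.
 */
public X509Certificate createCertificate(InputStream certRequestInputStream,
        X509Certificate cert, PrivateKey privateKey, int lifetime, int delegationMode,
        X509ExtensionSet extSet, String cnValue)
        throws IOException, GeneralSecurityException {
    DERInputStream derin = new DERInputStream(certRequestInputStream);
    Object reqInfo = derin.readObject();
    // The request is caller-supplied input: reject anything that is not a
    // SEQUENCE here instead of letting the cast fail with ClassCastException.
    if (!(reqInfo instanceof ASN1Sequence)) {
        throw new IOException("Certificate request is not an ASN.1 SEQUENCE");
    }
    PKCS10CertificationRequest certReq = new PKCS10CertificationRequest((ASN1Sequence) reqInfo);
    // verify() checks the request's self-signature, i.e. that the requester
    // holds the private key matching the key being certified.
    if (!certReq.verify()) {
        throw new GeneralSecurityException("Certificate request verification failed!");
    }
    return createProxyCertificate(cert, privateKey, certReq.getPublicKey(),
            lifetime, delegationMode, extSet, cnValue);
}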
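/**
 * Loads a X509 certificate from the specified input stream.
 * Input stream must contain DER-encoded certificate.
 *
 * @param in the input stream to read the certificate from (not closed here).
 * @return <code>X509Certificate</code> the loaded certificate.
 * @exception IOException if the stream cannot be read as DER.
 * @exception GeneralSecurityException if certificate failed to load,
 *            including when the DER object read is not a SEQUENCE.
 */
public X509Certificate loadCertificate(InputStream in)
        throws IOException, GeneralSecurityException {
    DERInputStream derin = new DERInputStream(in);
    Object certInfo = derin.readObject();
    // ASN1Sequence.getInstance() reports a wrong type as an unchecked
    // IllegalArgumentException; map it onto the declared GeneralSecurityException.
    if (!(certInfo instanceof ASN1Sequence)) {
        throw new GeneralSecurityException("DER object is not an X.509 certificate SEQUENCE");
    }
    return new X509CertificateObject(new X509CertificateStructure((ASN1Sequence) certInfo));
}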
/**
 * Checks that a ProxyCertInfo built without an explicit path length reports
 * Integer.MAX_VALUE, both directly and after a DER round-trip.
 */
public void testCreateProxyCertInfo2() throws Exception {
    ProxyCertInfo original = new ProxyCertInfo(new ProxyPolicy(testOid, testPolicy));

    assertEquals(Integer.MAX_VALUE, original.getPathLenConstraint());
    assertEquals(testPolicy, original.getProxyPolicy().getPolicyAsString());
    assertEquals(testOid, original.getProxyPolicy().getPolicyLanguage());

    // Encode, then decode back and re-check the same three fields.
    ByteArrayOutputStream encoded = new ByteArrayOutputStream();
    new DEROutputStream(encoded).writeObject(original);
    DERObject decoded = new DERInputStream(
            new ByteArrayInputStream(encoded.toByteArray())).readObject();

    ProxyCertInfo parsed = new ProxyCertInfo((ASN1Sequence) decoded);
    assertEquals(Integer.MAX_VALUE, parsed.getPathLenConstraint());
    assertEquals(testPolicy, parsed.getProxyPolicy().getPolicyAsString());
    assertEquals(testOid, parsed.getProxyPolicy().getPolicyLanguage());
}
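/**
 * Loads a X509 certificate from the specified input stream. Input stream
 * must contain DER-encoded certificate.
 *
 * @param in
 *            the input stream to read the certificate from (not closed here).
 * @return <code>X509Certificate</code> the loaded certificate.
 * @exception IOException
 *                if the stream cannot be read as DER.
 * @exception GeneralSecurityException
 *                if certificate failed to load, including when the DER
 *                object read is not a SEQUENCE.
 */
public X509Certificate loadCertificate(InputStream in)
        throws IOException, GeneralSecurityException {
    DERInputStream derin = new DERInputStream(in);
    Object certInfo = derin.readObject();
    // A wrong top-level type previously surfaced as an unchecked
    // IllegalArgumentException from ASN1Sequence.getInstance(); report it
    // through the declared GeneralSecurityException instead.
    if (!(certInfo instanceof ASN1Sequence)) {
        throw new GeneralSecurityException("DER object is not an X.509 certificate SEQUENCE");
    }
    ASN1Sequence seq = (ASN1Sequence) certInfo;
    return new X509CertificateObject(new X509CertificateStructure(seq));
}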