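/**
 * Creates a self-signed CA certificate for the given key pair.
 *
 * Issuer and subject are the same fixed MockServer DN, so the certificate is self-signed.
 * It carries a subject key identifier, a critical basicConstraints with cA=true, a key
 * usage and an extended key usage, is signed via {@code signCertificate}, then checked for
 * validity against the current time and verified against {@code publicKey}.
 *
 * @param publicKey  the CA public key placed in the certificate
 * @param privateKey the matching private key used to sign the certificate
 * @return the signed and verified CA certificate
 * @throws Exception if an extension cannot be added, or signing, validity checking or
 *                   signature verification fails
 */
private X509Certificate createCACert(PublicKey publicKey, PrivateKey privateKey) throws Exception {
    // Signer's name; the subject is the same name because the certificate is self-signed.
    X500Name issuerName = new X500Name("CN=www.mockserver.com, O=MockServer, L=London, ST=England, C=UK");
    X500Name subjectName = issuerName;

    // Serial number: RFC 5280 requires a positive, per-issuer unique value, and current
    // guidance asks for at least 64 bits from a cryptographic RNG. The previous
    // java.util.Random 31-bit value was predictable and collision-prone. The class is
    // fully qualified so that no new import is needed; setBit(0) rules out zero.
    BigInteger serial = new BigInteger(64, new java.security.SecureRandom()).setBit(0);

    // Version 3 certificate over the NOT_BEFORE/NOT_AFTER window defined elsewhere in the file.
    X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuerName, serial, NOT_BEFORE, NOT_AFTER, subjectName, publicKey);
    builder.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(publicKey));
    // cA=true, critical, as RFC 5280 section 4.2.1.9 requires for CA certificates.
    builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
    KeyUsage usage = new KeyUsage(KeyUsage.keyCertSign | KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.cRLSign);
    builder.addExtension(Extension.keyUsage, false, usage);

    // Extended key usage: server and client authentication plus anyExtendedKeyUsage.
    ASN1EncodableVector purposes = new ASN1EncodableVector();
    purposes.add(KeyPurposeId.id_kp_serverAuth);
    purposes.add(KeyPurposeId.id_kp_clientAuth);
    purposes.add(KeyPurposeId.anyExtendedKeyUsage);
    builder.addExtension(Extension.extendedKeyUsage, false, new DERSequence(purposes));

    X509Certificate cert = signCertificate(builder, privateKey);
    // Fail fast if the fixed validity window does not cover "now" or the signature is wrong.
    cert.checkValidity(new Date());
    cert.verify(publicKey);
    return cert;
}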
// Signer backed by the BouncyCastle provider and the configured signingAlgorithm.
ContentSigner sigGen = new JcaContentSignerBuilder(signingAlgorithm).setProvider(BouncyCastleProvider.PROVIDER_NAME).build(keyPair.getPrivate());
SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
// Validity runs from now for certificateDurationDays days.
Date startDate = new Date();
Date endDate = new Date(startDate.getTime() + TimeUnit.DAYS.toMillis(certificateDurationDays));
// Issuer and subject are the same DN and the same key pair supplies both the subject key
// and the signer, so this appears to be a self-signed certificate (reverseX500Name and
// getUniqueSerialNumber are helpers defined elsewhere in the file).
X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
        reverseX500Name(new X500Name(dn)),
        getUniqueSerialNumber(),
        startDate,
        endDate,
        reverseX500Name(new X500Name(dn)),
        subPubKeyInfo);
// Critical key usage with most bits set, including the CA bits keyCertSign and cRLSign.
certBuilder.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.keyAgreement | KeyUsage.nonRepudiation | KeyUsage.cRLSign | KeyUsage.keyCertSign));
// cA=true but marked non-critical. NOTE(review): RFC 5280 section 4.2.1.9 requires
// basicConstraints to be critical in CA certificates; consider passing true here.
certBuilder.addExtension(Extension.basicConstraints, false, new BasicConstraints(true));
certBuilder.addExtension(Extension.subjectKeyIdentifier, false, new JcaX509ExtensionUtils().createSubjectKeyIdentifier(keyPair.getPublic()));
KeyPair keyPair, long expirationMillis) throws IOException, OperatorCreationException, GeneralSecurityException { Date now = new Date(); X509v3CertificateBuilder builder = initCertBuilder( new Date(now.getTime() + expirationMillis), subject, keyPair.getPublic()); builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)); // is a CA builder.addExtension( Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign)); return buildAndSignCertificate(keyPair.getPrivate(), builder);
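/**
 * Builds a self-signed certificate with subject and issuer {@code CN=HOSTNAME} for the given key pair.
 *
 * The certificate is a CA certificate with path length 0 (it may sign end-entity
 * certificates only) and a critical key usage of digitalSignature, keyCertSign and cRLSign.
 * It is valid over the class-level certStartTime/certEndTime window and signed with the
 * class-level contentSigner.
 *
 * @param keyPair key pair whose public key is certified
 * @return the self-signed certificate
 * @throws Exception if an extension cannot be added or the certificate cannot be built or converted
 */
private X509Certificate createSelfSignedCertifcate(KeyPair keyPair) throws Exception {
    X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE);
    nameBuilder.addRDN(BCStyle.CN, HOSTNAME);
    // Self-signed: the same name serves as issuer and subject.
    X500Name name = nameBuilder.build();

    // RFC 5280 serials must be positive and unique per issuer. A 128-bit value from a
    // cryptographic RNG (fully qualified so no new import is needed) replaces the previous
    // java.util.Random, which is not a cryptographic generator; setBit(0) rules out the
    // (negligible) all-zero draw, which some validators reject.
    BigInteger serialNumber = new BigInteger(128, new java.security.SecureRandom()).setBit(0);

    X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
            name, serialNumber, certStartTime, certEndTime, name, keyPair.getPublic())
            // cA=true with pathLen=0, critical as RFC 5280 requires for CA certificates.
            .addExtension(Extension.basicConstraints, true, new BasicConstraints(0))
            .addExtension(Extension.keyUsage, true,
                    new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
    return new JcaX509CertificateConverter().getCertificate(certificateBuilder.build(contentSigner));
}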
/**
 * Issues a sub-CA certificate signed by the root CA key.
 *
 * The certificate is valid for 3650 days from {@code startTime} and carries a critical
 * key usage of keyCertSign and cRLSign plus a critical basicConstraints with cA=true and
 * pathLen=0, so the sub-CA may issue end-entity certificates only. The signature
 * algorithm is chosen from the key type with SHA-256 via ScepUtil.
 *
 * @param rcaKey       private key of the root CA used to sign
 * @param issuer       issuer (root CA) name
 * @param pubKeyInfo   public key of the sub-CA
 * @param subject      subject (sub-CA) name
 * @param serialNumber serial number to assign
 * @param startTime    start of the validity period
 * @return the sub-CA certificate as an ASN.1 structure
 * @throws CertIOException           if an extension cannot be encoded
 * @throws OperatorCreationException if the content signer cannot be created
 */
private static Certificate issueSubCaCert(PrivateKey rcaKey, X500Name issuer, SubjectPublicKeyInfo pubKeyInfo, X500Name subject, BigInteger serialNumber, Date startTime) throws CertIOException, OperatorCreationException {
    Date expiry = new Date(startTime.getTime() + CaEmulator.DAY_IN_MS * 3650);
    X509v3CertificateBuilder builder = new X509v3CertificateBuilder(issuer, serialNumber, startTime, expiry, subject, pubKeyInfo);
    // Both extensions are critical, as RFC 5280 requires for CA certificates.
    builder.addExtension(Extension.keyUsage, true, new X509KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign));
    builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
    String sigAlg = ScepUtil.getSignatureAlgorithm(rcaKey, ScepHashAlgo.SHA256);
    ContentSigner signer = new JcaContentSignerBuilder(sigAlg).build(rcaKey);
    return builder.build(signer).toASN1Structure();
}
// Certificate for the CSR's subject and public key, issued under serverCertificate's name
// and valid for 30 years from now.
// NOTE(review): the serial number is the constant 1. RFC 5280 requires serials to be unique
// per issuer, so if this code issues more than one certificate under serverCertificate the
// serials will collide — check the callers.
X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
        serverCertificate,
        new BigInteger("1"),
        new Date(System.currentTimeMillis()),
        new Date(System.currentTimeMillis() + 30L * 365L * 24L * 60L * 60L * 1000L),
        jcaPKCS10CertificationRequest.getSubject(),
        jcaPKCS10CertificationRequest.getPublicKey()
        /* authority key identifier (2.5.29.35) is currently left out:
        ).addExtension( new ASN1ObjectIdentifier("2.5.29.35"), false, new AuthorityKeyIdentifier(keyPair.getPublic().getEncoded())*/
        // 2.5.29.19 is id-ce-basicConstraints; cA=false marks an end-entity certificate that
        // may not sign other certificates (Extension.basicConstraints would name the OID).
        ).addExtension(
                new ASN1ObjectIdentifier("2.5.29.19"), false, new BasicConstraints(false)
        // 2.5.29.15 is id-ce-keyUsage, marked critical.
        ).addExtension(
                new ASN1ObjectIdentifier("2.5.29.15"), true, new X509KeyUsage(
                        X509KeyUsage.digitalSignature | X509KeyUsage.nonRepudiation | X509KeyUsage.keyEncipherment | X509KeyUsage.dataEncipherment));
stmt.setString(idx++, tbsCert.getSerialNumber().getPositiveValue().toString(16)); stmt.setLong(idx++, tbsCert.getStartDate().getDate().getTime() / 1000); stmt.setLong(idx++, tbsCert.getEndDate().getDate().getTime() / 1000); setInt(stmt, idx++, cert.getRev()); setInt(stmt, idx++, cert.getRr()); if (extension != null) { ASN1Encodable asn1 = extension.getParsedValue(); ee = !BasicConstraints.getInstance(asn1).isCA();
// Serial number derived from the current time through `formatter`.
// NOTE(review): a time-derived serial is predictable and repeats for certificates created
// within the formatter's resolution; RFC 5280 requires positive, per-issuer unique serials,
// so a value from a cryptographic RNG would be safer — confirm how often this runs.
final String serNumStr = formatter.format( new Date( System.currentTimeMillis() ) );
final BigInteger serialNumber = new BigInteger( serNumStr );
// Validity: backdated by two days (presumably to absorb clock skew) and extended by
// futureSeconds seconds. NOTE(review): if futureSeconds is an int, futureSeconds * 1000
// overflows above roughly 2,147,483 seconds (~24.8 days); its type is not visible here.
final Date notBefore = new Date( System.currentTimeMillis() - TimeUnit.DAYS.toMillis( 2 ) );
final Date notAfter = new Date( System.currentTimeMillis() + ( futureSeconds * 1000 ) );
// End-entity certificate (cA=false); the extension is critical and passed as DER bytes.
final BasicConstraints basic = new BasicConstraints( false );
certGen.addExtension( Extension.basicConstraints, true, basic.getEncoded() );
// Critical key usage limited to signing and key encipherment.
final KeyUsage keyUsage = new KeyUsage( KeyUsage.digitalSignature | KeyUsage.keyEncipherment );
certGen.addExtension( Extension.keyUsage, true, keyUsage.getEncoded() );
// extKeyUsage is built elsewhere; it is added as a critical extension here.
certGen.addExtension( Extension.extendedKeyUsage, true, extKeyUsage.getEncoded() );
if (caCertHolder != null && cal.getTime().after(caCertHolder.getNotAfter())) { cal.setTime(caCertHolder.getNotAfter()); subjectNameStr += ", CN=" + commonName; X500Name subjectName = new X500Name(subjectNameStr); X509v3CertificateBuilder certGen = new X509v3CertificateBuilder( caCertHolder == null ? subjectName : caCertHolder.getSubject(), BigInteger.valueOf(System.nanoTime()), new Date(), cal.getTime(), subjectName, bcPk ); certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa)); if (nameConstraints != null) { certGen.addExtension(Extension.nameConstraints, true, nameConstraints);
generator.setSerialNumber(serialNumber); generator.setIssuerDN(signedByPrincipal); generator.setNotBefore(new Date(notBefore)); generator.setNotAfter(new Date(notAfter)); generator.setSubjectDN(subject); generator.setPublicKey(heldKeyPair.getPublic()); new BasicConstraints(maxIntermediateCas));
// Fill the to-be-signed certificate: serial, issuer, validity, subject and subject key.
tbsGen.setSerialNumber(new ASN1Integer(serialNum));
tbsGen.setIssuer(issuer);
// startDate/endDate are presumably epoch milliseconds (java.util.Date(long)) — confirm at the caller.
tbsGen.setStartDate(new Time(new Date(startDate)));
tbsGen.setEndDate(new Time(new Date(endDate)));
tbsGen.setSubject(new X500Name(dn));
tbsGen.setSubjectPublicKeyInfo(SubjectPublicKeyInfo.getInstance(certPubKey.getEncoded()));
// End-entity basicConstraints (cA=false), non-critical, wrapped as an Extension from its DER encoding.
BasicConstraints basic = new BasicConstraints(false);
Extension basicExt = new Extension( Extension.basicConstraints, false, basic.getEncoded());
new Object[] {new TrustedInput(validDate), new TrustedInput(new Date())}); addNotification(msg); try bc = BasicConstraints.getInstance(getExtensionValue(cert, BASIC_CONSTRAINTS)); if (bc != null) if (!bc.isCA())
|| paramsPKIX.getDate().before(crl.getNextUpdate())) || pkixParams.getDate().before(onlineCRL.getNextUpdate())) reason = crlReasons[reasonCode.getValue().intValue()]; if (!validDate.before(crl_entry.getRevocationDate())) try baseSelect.setMaxCRLNumber(((ASN1Integer)getExtensionValue(crl, CRL_NUMBER)).getPositiveValue().subtract(BigInteger.valueOf(1))); try bc = BasicConstraints.getInstance(getExtensionValue(cert, BASIC_CONSTRAINTS)); if (p.onlyContainsUserCerts() && (bc != null && bc.isCA())) if (p.onlyContainsCACerts() && (bc == null || !bc.isCA()))
/**
 * Verifies that getSignedByIssuer produces a certificate whose issuer, serial, validity,
 * subject, public key, signature algorithm, signature and basicConstraints match the
 * fixture values.
 */
@Test
public void getSignedByIssuer_generatesACertificateWithTheRightValues() throws Exception {
    final X509Certificate cert = subject.getSignedByIssuer(
            generatedCertificateKeyPair,
            certificateGenerationParameters,
            certificateAuthorityWithSubjectKeyId,
            issuerKey.getPrivate());

    final String issuerName = cert.getIssuerDN().getName();
    assertThat(issuerName, containsString("CN=ca DN"));
    assertThat(issuerName, containsString("O=credhub"));
    assertThat(cert.getSerialNumber(), equalTo(BigInteger.valueOf(1337L)));
    // Validity is compared through Date.toString(), presumably because the certificate
    // stores times at second resolution while the fixture instants may carry more.
    assertThat(cert.getNotBefore().toString(), equalTo(Date.from(now).toString()));
    assertThat(cert.getNotAfter().toString(), equalTo(Date.from(later).toString()));
    assertThat(cert.getSubjectDN().toString(), containsString("CN=my cert name"));
    assertThat(cert.getPublicKey(), equalTo(generatedCertificateKeyPair.getPublic()));
    assertThat(cert.getSigAlgName(), equalTo("SHA256WITHRSA"));
    cert.verify(issuerKey.getPublic());

    // getExtensionValue returns the DER OCTET STRING wrapping the extension; skipping the
    // two-byte tag and length leaves the encoded BasicConstraints, expected to be cA=true.
    final byte[] rawExtension = cert.getExtensionValue(Extension.basicConstraints.getId());
    final byte[] innerDer = Arrays.copyOfRange(rawExtension, 2, rawExtension.length);
    assertThat(innerDer, equalTo(new BasicConstraints(true).getEncoded()));
}
/**
 * Checks a certificate's BasicConstraints extension against the profile: the cA flag must
 * match the profile's certificate level (RootCA or SubCA means CA) and, for CA
 * certificates, the path length constraint must match the profile's pathLen (absent when
 * the profile has none). Every mismatch is reported through addViolation.
 *
 * @param failureMsg     buffer collecting violation messages
 * @param extensionValue DER-encoded BasicConstraints extension value
 */
private void checkExtensionBasicConstraints(final StringBuilder failureMsg, final byte[] extensionValue) {
    final BasicConstraints bc = BasicConstraints.getInstance(extensionValue);
    final X509CertLevel level = certProfile.certLevel();
    final boolean expectCa = level == X509CertLevel.RootCA || level == X509CertLevel.SubCA;
    if (bc.isCA() != expectCa) {
        addViolation(failureMsg, "ca", bc.isCA(), expectCa);
    }
    // Path length is only meaningful for CA certificates.
    if (!bc.isCA()) {
        return;
    }

    final BigInteger actualPathLen = bc.getPathLenConstraint();
    final Integer expectedPathLen = certProfile.pathLen();
    if (expectedPathLen == null) {
        if (actualPathLen != null) {
            addViolation(failureMsg, "pathLen", actualPathLen, "absent");
        }
        return;
    }
    if (actualPathLen == null) {
        addViolation(failureMsg, "pathLen", "null", expectedPathLen);
    } else if (!BigInteger.valueOf(expectedPathLen).equals(actualPathLen)) {
        addViolation(failureMsg, "pathLen", actualPathLen, expectedPathLen);
    }
}
BigInteger serial = BigInteger.valueOf(initRandomSerial()); X500Name subject = issuer; PublicKey pubKey = keyPair.getPublic(); issuer, serial, NOT_BEFORE, NOT_AFTER, subject, pubKey); generator.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(pubKey)); generator.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)); KeyUsage usage = new KeyUsage(KeyUsage.keyCertSign | KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.cRLSign); generator.addExtension(Extension.keyUsage, false, usage);
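/**
 * Generates an X.509 v3 certificate for {@code kp}, signed with {@code signerPrivateKey}.
 *
 * Issuer and subject are both the class-level {@code issuerDirString}; validity runs from
 * now for 100 years. The certificate carries a subject key identifier, an authority key
 * identifier derived from {@code signerPublicKey}, basicConstraints set from
 * {@code isCertAuthority} and, for CA certificates, a critical keyCertSign key usage.
 * NOTE(review): {@code keyName} is not used and the subject equals the issuer even when a
 * different signer key is supplied — confirm with the callers whether that is intended.
 *
 * @param keyName          name of the key (unused by this method)
 * @param kp               key pair whose public key is certified
 * @param isCertAuthority  whether to issue a CA certificate
 * @param signerPublicKey  signer's public key, used for the authority key identifier
 * @param signerPrivateKey signer's private key, used to sign the certificate
 * @return the signed certificate
 * @throws IOException, CertIOException      if an extension cannot be encoded
 * @throws OperatorCreationException        if the content signer cannot be created
 * @throws CertificateException             if the certificate cannot be converted
 * @throws NoSuchAlgorithmException         if the extension utilities cannot be created
 */
private Certificate generateCert(String keyName, KeyPair kp, boolean isCertAuthority, PublicKey signerPublicKey, PrivateKey signerPrivateKey) throws IOException, CertIOException, OperatorCreationException, CertificateException, NoSuchAlgorithmException {
    Calendar startDate = Calendar.getInstance();
    Calendar endDate = Calendar.getInstance();
    endDate.add(Calendar.YEAR, 100);

    // RFC 5280 serials must be unique per issuer. The previous value was the start time in
    // milliseconds, so two certificates generated within the same millisecond by the same
    // signer collided, and the value was predictable. Use 64 bits from a cryptographic RNG
    // (fully qualified so no new import is needed); setBit(0) rules out zero.
    BigInteger serialNumber = new BigInteger(64, new java.security.SecureRandom()).setBit(0);

    X500Name issuer = new X500Name(IETFUtils.rDNsFromString(issuerDirString, RFC4519Style.INSTANCE));
    JcaX509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(issuer, serialNumber, startDate.getTime(), endDate.getTime(), issuer, kp.getPublic());
    JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
    certGen.addExtension(Extension.subjectKeyIdentifier, false, extensionUtils.createSubjectKeyIdentifier(kp.getPublic()));
    // RFC 5280 section 4.2.1.9 requires basicConstraints to be critical in CA certificates;
    // end-entity certificates keep it non-critical as before.
    certGen.addExtension(Extension.basicConstraints, isCertAuthority, new BasicConstraints(isCertAuthority));
    certGen.addExtension(Extension.authorityKeyIdentifier, false, extensionUtils.createAuthorityKeyIdentifier(signerPublicKey));
    if (isCertAuthority) {
        certGen.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign));
    }
    X509CertificateHolder cert = certGen.build(new JcaContentSignerBuilder(signingAlgorithm).build(signerPrivateKey));
    return new JcaX509CertificateConverter().getCertificate(cert);
}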
try bc = BasicConstraints.getInstance(CertPathValidatorUtilities.getExtensionValue(cert, RFC3280CertPathUtilities.BASIC_CONSTRAINTS)); BigInteger _pathLengthConstraint = bc.getPathLenConstraint(); int _plc = _pathLengthConstraint.intValue();
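/**
 * Generates a self-signed CA certificate (original comment: 生成CA服务器证书, "generate the
 * CA server certificate").
 *
 * Issuer and subject are both {@code subject}. The only extension is a critical
 * basicConstraints with cA=true and pathLen=0, so this CA may issue end-entity
 * certificates but not further CAs. The certificate is signed with
 * SHA256WithRSAEncryption, so {@code keyPair} is expected to be an RSA key pair.
 *
 * @param subject     distinguished name of the CA, e.g. {@code "CN=..."}
 * @param caNotBefore start of the validity period
 * @param caNotAfter  end of the validity period
 * @param keyPair     key pair of the CA; the public key is certified, the private key signs
 * @return the self-signed CA certificate
 * @throws Exception if the extension cannot be added or the certificate cannot be signed or converted
 */
public static X509Certificate genCACert(String subject, Date caNotBefore, Date caNotAfter, KeyPair keyPair) throws Exception {
    X500Name name = new X500Name(subject);
    // RFC 5280 serials must be positive and unique per issuer. The previous value came from
    // the wall clock plus Math.random(), so it was predictable and could repeat. Use 64 bits
    // from a cryptographic RNG (fully qualified so no new import is needed); setBit(0) rules out zero.
    BigInteger serial = new BigInteger(64, new java.security.SecureRandom()).setBit(0);
    JcaX509v3CertificateBuilder jv3Builder = new JcaX509v3CertificateBuilder(name, serial, caNotBefore, caNotAfter, name, keyPair.getPublic());
    // cA=true with pathLen=0, critical as RFC 5280 requires for CA certificates.
    jv3Builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
    ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate());
    return new JcaX509CertificateConverter().getCertificate(jv3Builder.build(signer));
}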
/**
 * Fills the dialog from an encoded BasicConstraints extension value: ticks the
 * "subject is CA" checkbox and, when a path length constraint is present, shows it with
 * the caret at the start of the field.
 *
 * @param value DER-encoded BasicConstraints extension value
 * @throws IOException declared by the signature; nothing in the body throws it directly
 */
private void prepopulateWithValue(byte[] value) throws IOException {
    final BasicConstraints constraints = BasicConstraints.getInstance(value);
    jcbSubjectIsCa.setSelected(constraints.isCA());
    if (constraints.getPathLenConstraint() == null) {
        return;
    }
    jtfPathLengthConstraint.setText(String.valueOf(constraints.getPathLenConstraint().intValue()));
    jtfPathLengthConstraint.setCaretPosition(0);
}