/**
 * Builds a self-signed X.509 v3 certificate for {@code fqdn} and passes it, together
 * with the private key, to {@code newSelfSignedCertificate}.
 *
 * @param fqdn      host name used for both issuer and subject ({@code CN=fqdn})
 * @param keypair   key pair whose public key is certified and whose private key signs
 * @param random    source of the 64-bit serial number
 * @param notBefore start of the validity period
 * @param notAfter  end of the validity period
 * @return whatever {@code newSelfSignedCertificate} returns for the new certificate
 * @throws Exception on any failure to build, convert or self-verify the certificate
 */
static String[] generate(String fqdn, KeyPair keypair, SecureRandom random, Date notBefore, Date notAfter) throws Exception {
    // Self-signed: one name plays both the issuer and the subject.
    X500Name subjectAndIssuer = new X500Name("CN=" + fqdn);
    PrivateKey signingKey = keypair.getPrivate();

    // 64 random bits of serial, drawn from the caller-supplied SecureRandom.
    BigInteger serial = new BigInteger(64, random);

    X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
            subjectAndIssuer, serial, notBefore, notAfter, subjectAndIssuer, keypair.getPublic());
    ContentSigner contentSigner =
            new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(signingKey);
    X509CertificateHolder holder = certBuilder.build(contentSigner);
    X509Certificate certificate = new JcaX509CertificateConverter()
            .setProvider(PROVIDER)
            .getCertificate(holder);

    // Make sure the signature checks out against our own public key before handing it on.
    certificate.verify(keypair.getPublic());
    return newSelfSignedCertificate(fqdn, signingKey, certificate);
}
public static synchronized X509Certificate createX509V3Certificate(KeyPair kp, int days, X500NameBuilder issuerBuilder, X500NameBuilder subjectBuilder, String domain, String signAlgoritm, Set<String> sanDnsNames ) throws GeneralSecurityException, IOException { PublicKey pubKey = kp.getPublic(); PrivateKey privKey = kp.getPrivate(); random.setSeed((new Date().getTime())); random.nextBytes(serno); BigInteger serial = (new java.math.BigInteger(serno)).abs(); JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder( // final boolean critical = subjectDN.getRDNs().length == 0; certBuilder.addExtension(Extension.subjectAlternativeName, critical, subjectAlternativeNames); certBuilder.addExtension(Extension.subjectKeyIdentifier, false, utils.createSubjectKeyIdentifier(pubKey)); certBuilder.addExtension(Extension.authorityKeyIdentifier, false, utils.createAuthorityKeyIdentifier(pubKey)); ContentSigner signer = new JcaContentSignerBuilder(signAlgoritm).build(privKey); X509CertificateHolder cert = certBuilder.build(signer); return new JcaX509CertificateConverter().getCertificate(cert);
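/**
 * Creates a self-signed certificate for {@code HOSTNAME} whose validity window is
 * {@code certStartTime}..{@code certEndTime} and which is signed with the shared
 * {@code contentSigner}.
 *
 * <p>The certificate carries a critical BasicConstraints extension with cA=TRUE and
 * pathLenConstraint 0, and a critical KeyUsage of digitalSignature, keyCertSign and cRLSign.
 *
 * @param keyPair key pair whose public key is placed in the certificate
 * @return the self-signed certificate
 * @throws Exception if building or converting the certificate fails
 */
private X509Certificate createSelfSignedCertifcate(KeyPair keyPair) throws Exception {
    X500Name name = new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.CN, HOSTNAME).build();

    // Serial numbers should be unpredictable; java.util.Random is a deterministic PRNG with a
    // guessable default seed, so the 128 bits are drawn from SecureRandom instead. 128 bits
    // also keeps the DER INTEGER well inside the 20-octet limit of RFC 5280 §4.1.2.2.
    BigInteger serialNumber = new BigInteger(128, new java.security.SecureRandom());

    X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
            name, serialNumber, certStartTime, certEndTime, name, keyPair.getPublic())
            // cA=TRUE, pathLen 0: may issue end-entity certificates only.
            .addExtension(Extension.basicConstraints, true, new BasicConstraints(0))
            .addExtension(Extension.keyUsage, true,
                    new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));

    return new JcaX509CertificateConverter().getCertificate(certificateBuilder.build(contentSigner));
}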
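/**
 * Builds a single-element chain holding a self-signed certificate for the instance's
 * {@code keyPair}, valid for one year from now.
 *
 * <p>The subject CN is the fixed string {@code NOT_LOCALHOST}; presumably this forces
 * host name matching to go through the SubjectAlternativeName entries built from the
 * arguments. Either argument may be {@code null}, in which case that SAN entry is omitted;
 * when both are {@code null} no SAN extension is added at all.
 *
 * @param ipAddress IP address to place in the SAN as an iPAddress entry, or {@code null}
 * @param hostname  DNS name to place in the SAN as a dNSName entry, or {@code null}
 * @return a one-element array containing the self-signed certificate
 * @throws Exception if building, signing or converting the certificate fails
 */
private X509Certificate[] createSelfSignedCertifcateChain(String ipAddress, String hostname) throws Exception {
    X500Name name = new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.CN, "NOT_LOCALHOST").build();

    // Validity: from now until the same instant one year ahead.
    Date notBefore = new Date();
    Calendar expiry = Calendar.getInstance();
    expiry.setTime(notBefore);
    expiry.add(Calendar.YEAR, 1);
    Date notAfter = expiry.getTime();

    // Serial numbers should be unpredictable; java.util.Random is a deterministic PRNG with a
    // guessable default seed, so the 128 bits are drawn from SecureRandom instead. 128 bits
    // also keeps the DER INTEGER well inside the 20-octet limit of RFC 5280 §4.1.2.2.
    BigInteger serialNumber = new BigInteger(128, new java.security.SecureRandom());

    X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
            name, serialNumber, notBefore, notAfter, name, keyPair.getPublic())
            // cA=TRUE, pathLen 0: may issue end-entity certificates only.
            .addExtension(Extension.basicConstraints, true, new BasicConstraints(0))
            .addExtension(Extension.keyUsage, true,
                    new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));

    List<GeneralName> subjectAltNames = new ArrayList<>();
    if (ipAddress != null) {
        subjectAltNames.add(new GeneralName(GeneralName.iPAddress, ipAddress));
    }
    if (hostname != null) {
        subjectAltNames.add(new GeneralName(GeneralName.dNSName, hostname));
    }
    if (!subjectAltNames.isEmpty()) {
        // The SAN is marked critical. RFC 5280 §4.2.1.6 recommends a critical SAN only when
        // the subject is empty; the flag is kept as it was to leave the emitted encoding unchanged.
        certificateBuilder.addExtension(Extension.subjectAlternativeName, true,
                new GeneralNames(subjectAltNames.toArray(new GeneralName[0])));
    }

    ContentSigner contentSigner =
            new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate());
    X509Certificate certificate =
            new JcaX509CertificateConverter().getCertificate(certificateBuilder.build(contentSigner));
    return new X509Certificate[] { certificate };
}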
X500Name issuerDN = new X500Name(PrincipalUtil.getIssuerX509Principal(caCert).getName()); X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder( issuerDN, BigInteger.valueOf(System.currentTimeMillis()), sslMetadata.notBefore, sslMetadata.notAfter, webDN, pair.getPublic()); certBuilder.addExtension(X509Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(pair.getPublic())); certBuilder.addExtension(X509Extension.basicConstraints, false, new BasicConstraints(false)); certBuilder.addExtension(X509Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert.getPublicKey())); ContentSigner caSigner = new JcaContentSignerBuilder(SIGNING_ALGORITHM) .setProvider(BC).build(caPrivateKey); X509Certificate cert = new JcaX509CertificateConverter().setProvider(BC) .getCertificate(certBuilder.build(caSigner)); cert.checkValidity(new Date()); cert.verify(caCert.getPublicKey()); serverStore.setKeyEntry(sslMetadata.commonName, pair.getPrivate(), sslMetadata.password.toCharArray(), new Certificate[]{cert, caCert}); saveKeyStore(targetStoreFile, serverStore, sslMetadata.password); sslMetadata.serialNumber = cert.getSerialNumber().toString();
final BigInteger serialNumber = new BigInteger(128, random); final X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder( keyPair.getPublic()); final ContentSigner contentSigner = new JcaContentSignerBuilder( "SHA256WithRSAEncryption").build(keyPair.getPrivate()); final X509Certificate certificate = new JcaX509CertificateConverter() .getCertificate(certificateBuilder.build(contentSigner)); certificate.checkValidity(now.toDate()); certificate.verify(certificate.getPublicKey()); final KeyStore keyStore = KeyStore.getInstance("JKS"); keyStore.load(null, null); keyStore.setKeyEntry("DrillAutoGeneratedCert", keyPair.getPrivate(), keyStorePasswd.toCharArray(), new java.security.cert.Certificate[] { certificate });
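/**
 * Generates a self-signed CA certificate.
 *
 * <p>The same distinguished name is used for issuer and subject, and the certificate carries
 * a critical BasicConstraints extension with cA=TRUE and pathLenConstraint 0, so it can sign
 * end-entity certificates but not further CAs. It is signed with SHA256WithRSAEncryption.
 *
 * @param subject     distinguished name string parsed into the issuer/subject {@link X500Name}
 * @param caNotBefore start of the validity period
 * @param caNotAfter  end of the validity period
 * @param keyPair     key pair whose public key is certified and whose private key signs
 * @return the self-signed CA certificate
 * @throws Exception if building, signing or converting the certificate fails
 */
public static X509Certificate genCACert(String subject, Date caNotBefore, Date caNotAfter, KeyPair keyPair) throws Exception {
    X500Name subjectName = new X500Name(subject);

    // A millisecond timestamp plus Math.random() is guessable and two CAs created within the
    // same few seconds could collide; RFC 5280 §4.1.2.2 asks for a positive, unique serial and
    // current practice is at least 64 bits of CSPRNG output, so draw it from SecureRandom.
    BigInteger serial = new BigInteger(64, new java.security.SecureRandom());

    JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
            subjectName, serial, caNotBefore, caNotAfter, subjectName, keyPair.getPublic());
    // cA=TRUE, pathLen 0: may issue end-entity certificates only.
    builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));

    ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption")
            .build(keyPair.getPrivate());
    return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
}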
BigInteger serial = BigInteger.valueOf(initRandomSerial()); X500Name subject = name.build(); X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuer, serial, NOT_BEFORE, new Date(System.currentTimeMillis() + ONE_DAY), subject, keyPair.getPublic()); builder.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(keyPair.getPublic())); builder.addExtension(Extension.basicConstraints, false, new BasicConstraints(false)); cert.checkValidity(new Date()); cert.verify(caCert.getPublicKey()); result.setKeyEntry(authority.alias(), keyPair.getPrivate(), authority.password(), chain);
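/**
 * Create a certificate to use by a Certificate Authority, signed by a self signed certificate.
 *
 * <p>Issuer and subject are the fixed MockServer name. The certificate gets a
 * SubjectKeyIdentifier, a critical BasicConstraints with cA=TRUE, a (non-critical) KeyUsage
 * covering keyCertSign, digitalSignature, keyEncipherment, dataEncipherment and cRLSign, and a
 * (non-critical) ExtendedKeyUsage of serverAuth, clientAuth and anyExtendedKeyUsage. Validity is
 * {@code NOT_BEFORE}..{@code NOT_AFTER}. The result is checked for current validity and
 * self-verified before it is returned.
 *
 * @param publicKey  public key placed in the certificate
 * @param privateKey matching private key used to sign it
 * @return the self-signed CA certificate
 * @throws Exception if signing fails, the certificate is not currently valid, or the
 *                   signature does not verify against {@code publicKey}
 */
private X509Certificate createCACert(PublicKey publicKey, PrivateKey privateKey) throws Exception {
    // signers name
    X500Name issuerName = new X500Name("CN=www.mockserver.com, O=MockServer, L=London, ST=England, C=UK");

    // subjects name - the same as we are self signed.
    X500Name subjectName = issuerName;

    // serial: RFC 5280 §4.1.2.2 wants a positive, unique value; java.util.Random is a
    // deterministic PRNG with a guessable default seed and nextInt gives only 31 bits, so
    // take 64 bits from SecureRandom instead.
    BigInteger serial = new BigInteger(64, new java.security.SecureRandom());

    // create the certificate - version 3
    X509v3CertificateBuilder builder =
            new JcaX509v3CertificateBuilder(issuerName, serial, NOT_BEFORE, NOT_AFTER, subjectName, publicKey);

    builder.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(publicKey));
    // cA=TRUE without a path length limit.
    builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));

    KeyUsage usage = new KeyUsage(KeyUsage.keyCertSign
            | KeyUsage.digitalSignature
            | KeyUsage.keyEncipherment
            | KeyUsage.dataEncipherment
            | KeyUsage.cRLSign);
    builder.addExtension(Extension.keyUsage, false, usage);

    ASN1EncodableVector purposes = new ASN1EncodableVector();
    purposes.add(KeyPurposeId.id_kp_serverAuth);
    purposes.add(KeyPurposeId.id_kp_clientAuth);
    purposes.add(KeyPurposeId.anyExtendedKeyUsage);
    builder.addExtension(Extension.extendedKeyUsage, false, new DERSequence(purposes));

    X509Certificate cert = signCertificate(builder, privateKey);
    // Fail early if the fixed validity window does not cover "now" or the self-signature is broken.
    cert.checkValidity(new Date());
    cert.verify(publicKey);
    return cert;
}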
/**
 * Issues a self-signed certificate for {@code hostname} over the given key pair.
 *
 * <p>Validity runs from now until the same calendar moment {@code certificateLifetimeInYears}
 * years later. The certificate carries a SubjectKeyIdentifier and a non-critical
 * SubjectAlternativeName built by {@code buildSubjectAltNames()}, and is signed with
 * {@code certificateAlgorithm}. Before returning, the result is checked for current validity
 * and its signature is verified with the pair's public key.
 *
 * @param keypair key pair whose public key is certified and whose private key signs
 * @return the self-signed certificate
 * @throws Exception if building, signing, converting or verifying the certificate fails
 */
private X509Certificate generateCertificate(final KeyPair keypair) throws Exception {
    val subjectDn = new X500Name("CN=" + hostname);

    // Validity window: now .. same moment, certificateLifetimeInYears years ahead
    // (set(YEAR, ...) rather than add(...) to keep the original lenient rollover behaviour).
    val validFrom = new GregorianCalendar();
    val validUntil = new GregorianCalendar();
    validUntil.set(GregorianCalendar.YEAR, validUntil.get(GregorianCalendar.YEAR) + certificateLifetimeInYears);

    val serial = new BigInteger(X509_CERT_BITS_SIZE, RandomUtils.getNativeInstance());
    val certificateBuilder = new JcaX509v3CertificateBuilder(
            subjectDn,
            serial,
            validFrom.getTime(),
            validUntil.getTime(),
            subjectDn,
            keypair.getPublic()
    );

    val extensionUtils = new JcaX509ExtensionUtils();
    certificateBuilder.addExtension(Extension.subjectKeyIdentifier, false,
            extensionUtils.createSubjectKeyIdentifier(keypair.getPublic()));
    certificateBuilder.addExtension(Extension.subjectAlternativeName, false,
            GeneralNames.getInstance(new DERSequence(buildSubjectAltNames())));

    val signer = new JcaContentSignerBuilder(certificateAlgorithm).build(keypair.getPrivate());
    val certificate = new JcaX509CertificateConverter().getCertificate(certificateBuilder.build(signer));

    // Fail early if the window does not cover "now" or the self-signature is broken.
    certificate.checkValidity(new Date());
    certificate.verify(keypair.getPublic());
    return certificate;
}
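/**
 * Prepares a v3 certificate builder for a self-signed certificate with subject and issuer
 * {@code CN=commonName}, valid from one day ago until ten years from now.
 *
 * <p>No extensions are added here; the caller is expected to add them and sign.
 *
 * @param keyPair key pair whose public key goes into the certificate
 * @return a builder pre-populated with names, serial, validity and public key
 */
private X509v3CertificateBuilder createCertBuilder(KeyPair keyPair) {
    X500Name subject = new X500NameBuilder(BCStyle.INSTANCE)
            .addRDN(BCStyle.CN, commonName)
            .build();

    // Back-date notBefore by a day so modest clock skew on the peer does not reject the cert.
    Calendar notBefore = new GregorianCalendar();
    notBefore.add(Calendar.DAY_OF_MONTH, -1);
    Calendar notAfter = new GregorianCalendar();
    notAfter.add(Calendar.YEAR, 10);

    // RFC 5280 §4.1.2.2 caps serialNumber at 20 octets. A 160-bit value whose top bit is set
    // needs a 21-byte DER INTEGER (leading 0x00 for the sign), so cap at 159 random bits.
    // NOTE(review): assumes `rand` is a SecureRandom — confirm at the field declaration.
    BigInteger serial = new BigInteger(159, rand);

    return new JcaX509v3CertificateBuilder(
            subject,
            serial,
            notBefore.getTime(),
            notAfter.getTime(),
            subject,
            keyPair.getPublic());
}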
BigInteger serial = BigInteger.valueOf(initRandomSerial()); X500Name subject = issuer; PublicKey pubKey = keyPair.getPublic(); X509v3CertificateBuilder generator = new JcaX509v3CertificateBuilder( issuer, serial, NOT_BEFORE, NOT_AFTER, subject, pubKey); generator.addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(pubKey)); generator.addExtension(Extension.basicConstraints, true, new BasicConstraints(true)); | KeyUsage.digitalSignature | KeyUsage.keyEncipherment | KeyUsage.dataEncipherment | KeyUsage.cRLSign); generator.addExtension(Extension.keyUsage, false, usage); new DERSequence(purposes)); X509Certificate cert = signCertificate(generator, keyPair.getPrivate()); result.setKeyEntry(authority.alias(), keyPair.getPrivate(), authority.password(), new Certificate[] { cert }); return result;
X500Name subjName = new X500Name("C=US, ST=NY, O=Certs_R_Us, CN=notreal@example.com"); BigInteger serialNumber = new BigInteger("900"); Calendar cal = Calendar.getInstance(); cal.set(2014, 6, 7, 11, 59, 59); Date notAfter = cal.getTime(); JcaX509v3CertificateBuilder x509Builder = new JcaX509v3CertificateBuilder(subjName, serialNumber, notBefore, notAfter, subjName, kp.getPublic()); JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256WITHRSA"); ContentSigner signer = signerBuilder.build(kp.getPrivate()); JcaX509CertificateConverter converter = new JcaX509CertificateConverter(); X509Certificate mySelfSignedCert = converter.getCertificate(x509Builder.build(signer)); ks.load(null, password); KeyStore.PrivateKeyEntry privKeyEntry = new KeyStore.PrivateKeyEntry(kp.getPrivate(), new Certificate[] {mySelfSignedCert}); ks.setEntry("myRSAkey", privKeyEntry, new KeyStore.PasswordProtection(password));
final BigInteger serialNo = new BigInteger(String.valueOf(random.nextInt())); certBuilder = new JcaX509v3CertificateBuilder(name, serialNo, begin.getTime(), end.getTime(), name, publicKey); if (issuerCert.exists()) { issuerCertificate = (X509Certificate) KeyUtils.loadCertificate(issuerCert.getPath()); certBuilder = new JcaX509v3CertificateBuilder(issuerCertificate, serialNo, begin.getTime(), end.getTime(), name, publicKey); certBuilder.addExtension(extension); .build(new JcaContentSignerBuilder(signatureAlgorithm).build(signerPrivateKey)); return new JcaX509CertificateConverter().getCertificate(certificateHolder);
certificateHolder = new JcaX509v3CertificateBuilder(caRootCertificate, serialNumber, certificateInfo.getNotBefore(), certificateInfo.getNotAfter(), serverCertificateSubject, serverKeyPair.getPublic()) .addExtension(Extension.subjectAlternativeName, false, getDomainNameSANsAsASN1Encodable(certificateInfo.getSubjectAlternativeNames())) .addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(serverKeyPair.getPublic())) .addExtension(Extension.basicConstraints, false, new BasicConstraints(false)) .build(signer); } catch (CertIOException e) { throw new CertificateCreationException("Error creating new server certificate", e); return new CertificateAndKey(serverCertificate, serverKeyPair.getPrivate());
now.add(Calendar.YEAR, 3); Date notAfter = now.getTime(); BigInteger serial = BigInteger.valueOf(System.currentTimeMillis()); X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder( builder.build(), serial, notBefore, notAfter, builder.build(), pair.getPublic()); ContentSigner sigGen = new JcaContentSignerBuilder( CertManagerConstants.CERT_ALGORITHM.SHA1withRSA.toString()).setProvider(CertManagerConstants.BC).build(pair.getPrivate()); X509CertificateHolder holder = certGen.build(sigGen); Certificate eeX509CertificateStructure = holder.toASN1Structure(); CertificateFactory cf = null;
keyPair = generateKeyPair(certs[i].getPublicKey()); Date startDate = certs[i].getNotBefore(); Date expiryDate = certs[i].getNotAfter(); BigInteger serialNumber = certs[i].getSerialNumber(); X500Principal subject = certs[i].getSubjectX500Principal(); + "', self-signing using '" + subject + "'"); issuer = subject; caKey = keyPair.getPrivate(); caKey = keyPair.getPrivate(); X509v3CertificateBuilder generator = new JcaX509v3CertificateBuilder(issuer, serialNumber, startDate, expiryDate, subject, keyPair.getPublic()); Set<String> criticalExtensionOids = certs[i].getCriticalExtensionOIDs(); byte[] ext = certs[i].getExtensionValue(oid); ASN1Primitive p = getObject(oid, ext); generator.addExtension(new ASN1ObjectIdentifier(oid), true, p); Set<String> nonCriticalExtensionOids = certs[i].getNonCriticalExtensionOIDs(); byte[] ext = certs[i].getExtensionValue(oid); ASN1Primitive p = getObject(oid, ext); generator.addExtension(new ASN1ObjectIdentifier(oid), false, p);
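/**
 * Prepares a v3 certificate builder for {@code commonsName}, issued by
 * {@code issuerCertificate}, with SubjectKeyIdentifier and BasicConstraints already attached.
 *
 * <p>Validity runs from now for {@code duration} milliseconds. BasicConstraints mirrors
 * {@code isCaCertificate} both as the cA flag and as the extension's criticality. Signing is
 * left to the caller.
 *
 * @param commonsName       value appended to {@code COMMON_NAME_ENTRY} to form the subject DN
 * @param publicKey         public key placed in the certificate
 * @param issuerCertificate certificate whose subject becomes this certificate's issuer
 * @param duration          lifetime in milliseconds, measured from now
 * @param isCaCertificate   whether the new certificate is itself a CA
 * @return the populated builder
 * @throws NoSuchAlgorithmException if the SHA-1 digest for the key identifier is unavailable
 * @throws CertIOException          if an extension cannot be encoded
 */
private static JcaX509v3CertificateBuilder addJcaX509Extension(String commonsName, RSAPublicKey publicKey, X509Certificate issuerCertificate, long duration, boolean isCaCertificate) throws NoSuchAlgorithmException, CertIOException {
    long now = System.currentTimeMillis();
    Date notBefore = new Date(now);
    Date notAfter = new Date(now + duration);

    // RFC 5280 §4.1.2.2 requires a positive, unique serial. Seeding SecureRandom with the
    // public key bytes can make the serial a pure function of that key on providers that treat
    // the seed as the sole entropy, and nextLong() may be negative; use fresh CSPRNG output.
    BigInteger serial = new BigInteger(64, new SecureRandom());

    // Take the issuer name from the issuer certificate's DER so it matches the CA's subject
    // byte-for-byte; a string round trip through getSubjectDN().getName() can re-encode
    // attribute string types and break chain building.
    org.bouncycastle.asn1.x500.X500Name issuerName = org.bouncycastle.asn1.x500.X500Name
            .getInstance(issuerCertificate.getSubjectX500Principal().getEncoded());
    org.bouncycastle.asn1.x500.X500Name subjectName =
            new org.bouncycastle.asn1.x500.X500Name(COMMON_NAME_ENTRY + commonsName);

    JcaX509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(
            issuerName, serial, notBefore, notAfter, subjectName, publicKey);

    JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
    certificateBuilder.addExtension(subjectKeyIdentifier, false,
            extensionUtils.createSubjectKeyIdentifier(publicKey));
    // cA flag and criticality both follow isCaCertificate: CA certs get a critical cA=TRUE,
    // end-entity certs a non-critical cA=FALSE.
    certificateBuilder.addExtension(basicConstraints, isCaCertificate, new BasicConstraints(isCaCertificate));
    return certificateBuilder;
}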
public static X509Certificate generateClientCert(String subject, PublicKey entityKey, PrivateKey caKey, X509Certificate caCert, String... sans) throws NoSuchAlgorithmException, CertIOException, OperatorCreationException, CertificateException { X509v3CertificateBuilder certBldr = new JcaX509v3CertificateBuilder( caCert.getSubjectX500Principal(), BigInteger.valueOf(Math.abs(RANDOM.nextLong())), new Date(System.currentTimeMillis()), new Date(System.currentTimeMillis() + EXPIRATION.get() * 24 * 60 * 60 * 1000), certBldr.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(sanNames)) .addExtension(Extension.basicConstraints, true, new BasicConstraints(false)) .addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)) ); ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(caKey); return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certBldr.build(signer));
when(timeProvider.getInstant()).thenReturn(now); serialNumberGenerator = mock(RandomSerialNumberGenerator.class); when(serialNumberGenerator.generate()).thenReturn(BigInteger.valueOf(1337)); jcaX509ExtensionUtils = new JcaX509ExtensionUtils(); jcaX509ExtensionUtils.createSubjectKeyIdentifier(issuerKey.getPublic()); caSerialNumber = BigInteger.valueOf(42L); final JcaX509v3CertificateBuilder x509v3CertificateBuilder = new JcaX509v3CertificateBuilder( issuerDn, caSerialNumber, Date.from(later), issuerDn, issuerKey.getPublic() ); x509v3CertificateBuilder.addExtension(Extension.subjectKeyIdentifier, false, caSubjectKeyIdentifier); certificateAuthorityWithSubjectKeyId = createCertificateAuthority(x509v3CertificateBuilder); expectedSubjectKeyIdentifier = certificateAuthorityWithSubjectKeyId.getExtensionValue(Extension.subjectKeyIdentifier.getId());