/**
 * Builds and self-signs an end-entity (cA=false) certificate around {@code keyPair}.
 *
 * <p>Extensions are added in this order, which is the order they appear in the certificate:
 * <ul>
 *   <li>basicConstraints, critical, cA=false — the result can never be accepted as an issuer;</li>
 *   <li>keyUsage, non-critical, keyEncipherment | digitalSignature;</li>
 *   <li>extendedKeyUsage, non-critical, whatever {@code certType.keyUsage()} encodes;</li>
 *   <li>subjectAltName through {@code addSAN}, only when {@code san} is non-null.</li>
 * </ul>
 * The TBS structure comes from {@code createCertBuilder(keyPair)}; it is signed with the private
 * half of {@code keyPair} under {@code signatureAlgorithm} and converted to a JCA certificate via a
 * Bouncy Castle provider instance.
 *
 * @param certType selects the extended key usage values
 * @param keyPair  pair handed to {@code createCertBuilder} and whose private key signs the result
 * @param san      subject alternative name; skipped when null
 * @return the signed, JCA-typed certificate
 * @throws Exception propagated from extension encoding, signer construction or conversion
 */
private X509Certificate createSelfSignedCertificate(CertType certType, KeyPair keyPair, String san) throws Exception {
    X509v3CertificateBuilder builder = createCertBuilder(keyPair);

    // cA=false and critical: a verifier must not treat this certificate as a CA.
    BasicConstraints leafConstraints = new BasicConstraints(false);
    builder.addExtension(Extension.basicConstraints, true, leafConstraints.getEncoded());

    // NOTE(review): RFC 5280 §4.2.1.3 recommends marking keyUsage critical; it is non-critical
    // here — confirm with the consumers of these certificates before tightening.
    int usageBits = KeyUsage.keyEncipherment | KeyUsage.digitalSignature;
    builder.addExtension(Extension.keyUsage, false, new KeyUsage(usageBits).getEncoded());

    builder.addExtension(Extension.extendedKeyUsage, false, certType.keyUsage().getEncoded());

    if (san != null) {
        addSAN(builder, san);
    }

    ContentSigner contentSigner =
            new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate());
    X509CertificateHolder signed = builder.build(contentSigner);

    JcaX509CertificateConverter toJca = new JcaX509CertificateConverter();
    toJca.setProvider(new BouncyCastleProvider());
    return toJca.getCertificate(signed);
}
value = basicConstraints.getEncoded(ASN1Encoding.DER); } catch (IOException e) { DError.displayError(this, e);
/**
 * Adds a critical basicConstraints extension with cA=true to {@code extensionSet}.
 *
 * <p>The DER-encoded BasicConstraints is passed through {@code wrapInOctetString} before it is
 * registered, since an X.509 extnValue is carried as an OCTET STRING, and is keyed by
 * {@link X509ExtensionType#BASIC_CONSTRAINTS}.
 *
 * @param extensionSet the extension set to mutate
 * @throws IOException if the BasicConstraints structure cannot be DER-encoded
 */
private void addBasicConstraints(X509ExtensionSet extensionSet) throws IOException {
    // cA=true marks the holder as an issuer; it is flagged critical so verifiers cannot ignore it.
    byte[] caConstraints = new BasicConstraints(true).getEncoded();
    extensionSet.addExtension(
            X509ExtensionType.BASIC_CONSTRAINTS.oid(),
            true,
            wrapInOctetString(caConstraints));
}
/**
 * Checks that {@code getSignedByIssuer} carries every generation input into the issued
 * certificate: issuer name, serial, validity window, subject, public key, signature algorithm,
 * a signature that verifies under the issuer key, and a cA=true basicConstraints value.
 */
@Test
public void getSignedByIssuer_generatesACertificateWithTheRightValues() throws Exception {
    final X509Certificate issued = subject.getSignedByIssuer(
            generatedCertificateKeyPair,
            certificateGenerationParameters,
            certificateAuthorityWithSubjectKeyId,
            issuerKey.getPrivate());

    // NOTE(review): getIssuerDN()/getSubjectDN() are the legacy accessors; the supported
    // replacement is getIssuerX500Principal()/getSubjectX500Principal().
    final String issuerName = issued.getIssuerDN().getName();
    assertThat(issuerName, containsString("CN=ca DN"));
    assertThat(issuerName, containsString("O=credhub"));

    assertThat(issued.getSerialNumber(), equalTo(BigInteger.valueOf(1337L)));

    // Validity is compared through Date.toString(): second granularity in the default zone.
    assertThat(issued.getNotBefore().toString(), equalTo(Date.from(now).toString()));
    assertThat(issued.getNotAfter().toString(), equalTo(Date.from(later).toString()));

    assertThat(issued.getSubjectDN().toString(), containsString("CN=my cert name"));
    assertThat(issued.getPublicKey(), equalTo(generatedCertificateKeyPair.getPublic()));
    assertThat(issued.getSigAlgName(), equalTo("SHA256WITHRSA"));

    // Throws if the signature does not verify under the issuer's public key.
    issued.verify(issuerKey.getPublic());

    // getExtensionValue returns the DER OCTET STRING wrapper; dropping its 2-byte tag+length
    // header (assumes a short-form length) leaves the raw BasicConstraints encoding.
    final byte[] wrapped = issued.getExtensionValue(Extension.basicConstraints.getId());
    final byte[] rawBasicConstraints = Arrays.copyOfRange(wrapped, 2, wrapped.length);
    assertThat(rawBasicConstraints, equalTo(new BasicConstraints(true).getEncoded()));
}
certGen.addExtension( Extension.basicConstraints, true, basic.getEncoded() );
Extension.basicConstraints, false, basic.getEncoded());
if (chainLengthConstraint > 0) { extensions.add(new Extension(Extension.basicConstraints, criticalCaConstraints, new BasicConstraints(chainLengthConstraint).getEncoded())); } else { extensions.add(new Extension(Extension.basicConstraints, criticalCaConstraints, new BasicConstraints(true).getEncoded()));
/**
 * Creates an end-entity certificate for {@code keyPair} and signs it with that pair's own key.
 *
 * <p>The certificate carries, in this order: a critical basicConstraints with cA=false, a
 * non-critical keyUsage of keyEncipherment | digitalSignature, a non-critical extendedKeyUsage
 * taken from {@code certType.keyUsage()}, and — only when {@code san} is non-null — a subject
 * alternative name added by {@code addSAN}. The builder is obtained from
 * {@code createCertBuilder(keyPair)}, the signature algorithm is {@code signatureAlgorithm}, and
 * the Bouncy Castle holder is converted to a JCA object with a Bouncy Castle provider instance.
 *
 * @param certType source of the extended key usage values
 * @param keyPair  pair given to {@code createCertBuilder}; its private key produces the signature
 * @param san      optional subject alternative name, ignored when null
 * @return the signed certificate
 * @throws Exception if encoding, signing or conversion fails
 */
private X509Certificate createSelfSignedCertificate(CertType certType, KeyPair keyPair, String san) throws Exception {
    X509v3CertificateBuilder tbs = createCertBuilder(keyPair);

    // Critical cA=false: relying parties must refuse to chain through this certificate.
    tbs.addExtension(Extension.basicConstraints, true, new BasicConstraints(false).getEncoded());

    // NOTE(review): keyUsage is non-critical here although RFC 5280 §4.2.1.3 recommends critical;
    // left as-is pending confirmation from the certificate consumers.
    KeyUsage permittedUses = new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature);
    tbs.addExtension(Extension.keyUsage, false, permittedUses.getEncoded());

    tbs.addExtension(Extension.extendedKeyUsage, false, certType.keyUsage().getEncoded());

    if (san != null) {
        addSAN(tbs, san);
    }

    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm);
    ContentSigner selfSigner = signerBuilder.build(keyPair.getPrivate());
    X509CertificateHolder signedHolder = tbs.build(selfSigner);

    JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
    converter.setProvider(new BouncyCastleProvider());
    return converter.getCertificate(signedHolder);
}