org.bouncycastle.x509.X509V3CertificateGenerator Java Examples
The following examples show how to use
org.bouncycastle.x509.X509V3CertificateGenerator.
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
| Source File: AbstractKeyStoreManager.java From DeviceConnect-Android with MIT License | 7 votes |
|
private X509Certificate generateX509V3Certificate(final KeyPair keyPair,
final X500Principal subject,
final X500Principal issuer,
final Date notBefore,
final Date notAfter,
final BigInteger serialNumber,
final GeneralNames generalNames,
final boolean isCA) throws GeneralSecurityException {
X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
generator.setSerialNumber(serialNumber);
generator.setIssuerDN(issuer);
generator.setSubjectDN(subject);
generator.setNotBefore(notBefore);
generator.setNotAfter(notAfter);
generator.setPublicKey(keyPair.getPublic());
generator.setSignatureAlgorithm("SHA256WithRSAEncryption");
generator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(isCA));
generator.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(160));
generator.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
if (generalNames != null) {
generator.addExtension(X509Extensions.SubjectAlternativeName, false, generalNames);
}
return generator.generateX509Certificate(keyPair.getPrivate(), SecurityUtil.getSecurityProvider());
}
Example #2
| Source File: ECDSAKeyFactory.java From oxAuth with MIT License | 7 votes |
|
public Certificate generateV3Certificate(Date startDate, Date expirationDate, String dnName) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException {
// Create certificate
BigInteger serialNumber = new BigInteger(1024, new Random()); // serial number for certificate
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
X500Principal principal = new X500Principal(dnName);
certGen.setSerialNumber(serialNumber);
certGen.setIssuerDN(principal);
certGen.setNotBefore(startDate);
certGen.setNotAfter(expirationDate);
certGen.setSubjectDN(principal); // note: same as issuer
certGen.setPublicKey(keyPair.getPublic());
certGen.setSignatureAlgorithm(signatureAlgorithm.getAlgorithm());
X509Certificate x509Certificate = certGen.generate(keyPair.getPrivate(), "BC");
return new Certificate(signatureAlgorithm, x509Certificate);
}
Example #3
| Source File: JavaSecurityManagementServiceImpl.java From rice with Educational Community License v2.0 | 7 votes |
|
protected Certificate generateCertificate(KeyPair keyPair, String alias) throws GeneralSecurityException {
//test that Bouncy Castle provider is present and add it if it's not
if( Security.getProvider(org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME) == null) {
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
}
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
// X509Name nameInfo = new X509Name(false,"CN=" + alias);
certificateGenerator.setSignatureAlgorithm("MD5WithRSA");
certificateGenerator.setSerialNumber(new java.math.BigInteger("1"));
X509Principal nameInfo = new X509Principal("CN=" + alias);
certificateGenerator.setIssuerDN(nameInfo);
certificateGenerator.setSubjectDN(nameInfo); // note: same as issuer for self signed
certificateGenerator.setNotBefore(new Date());
Calendar c = Calendar.getInstance();
c.add(Calendar.DATE, CLIENT_CERT_EXPIRATION_DAYS);
certificateGenerator.setNotAfter(c.getTime());
certificateGenerator.setPublicKey(keyPair.getPublic());
return certificateGenerator.generate(keyPair.getPrivate(), org.bouncycastle.jce.provider.BouncyCastleProvider.PROVIDER_NAME);
}
Example #4
| Source File: CertificateHandler.java From development with Apache License 2.0 | 6 votes |
|
private X509Certificate generateSignedCertificate(
PKCS10CertificationRequest csr) throws NoSuchAlgorithmException,
NoSuchProviderException, InvalidKeyException,
CertificateParsingException, CertificateEncodingException,
SignatureException {
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));
certGen.setIssuerDN(rootCert.getSubjectX500Principal());
Calendar c = Calendar.getInstance();
certGen.setNotBefore(c.getTime());
c.add(Calendar.YEAR, 1);
certGen.setNotAfter(c.getTime());
certGen.setSubjectDN(csr.getCertificationRequestInfo().getSubject());
certGen.setPublicKey(csr.getPublicKey("BC"));
certGen.setSignatureAlgorithm(ALGORITHM_SHA256_RSA);
certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
new AuthorityKeyIdentifierStructure(rootCert.getPublicKey()));
certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false,
new SubjectKeyIdentifierStructure(csr.getPublicKey("BC")));
certGen.addExtension(X509Extensions.BasicConstraints, true,
new BasicConstraints(false));
certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(
KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
X509Certificate issuedCert = certGen.generate(rootPrivateKeyEntry
.getPrivateKey());
return issuedCert;
}
Example #5
| Source File: X509.java From UAF with Apache License 2.0 | 6 votes |
|
public static X509Certificate generateV3Cert(KeyPair pair) {
X509Certificate cert = null;
try {
X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
gen.setPublicKey(pair.getPublic());
gen.setSerialNumber(new BigInteger(Long.toString(System
.currentTimeMillis() / 1000)));
Hashtable<ASN1ObjectIdentifier, String> attrs = new Hashtable<ASN1ObjectIdentifier, String>();
Vector<ASN1ObjectIdentifier> vOrder = new Vector<ASN1ObjectIdentifier>();
attrs.put(X509Principal.E, "[email protected]");
vOrder.add(0, X509Principal.E);
attrs.put(X509Principal.CN, "eBay, Inc");
vOrder.add(0, X509Principal.CN);
attrs.put(X509Principal.OU, "TNS");
vOrder.add(0, X509Principal.OU);
attrs.put(X509Principal.O, "eBay, Inc.");
vOrder.add(0, X509Principal.O);
attrs.put(X509Principal.L, "San Jose");
vOrder.add(0, X509Principal.L);
attrs.put(X509Principal.ST, "CA");
vOrder.add(0, X509Principal.ST);
attrs.put(X509Principal.C, "US");
vOrder.add(0, X509Principal.C);
gen.setIssuerDN(new X509Principal(vOrder, attrs));
gen.setSubjectDN(new X509Principal(vOrder, attrs));
gen.setNotBefore(new Date(System.currentTimeMillis()));
gen.setNotAfter(new Date(System.currentTimeMillis()
+ VALIDITY_PERIOD));
gen.setSignatureAlgorithm("SHA1WithECDSA");
cert = gen.generate(pair.getPrivate(), "BC");
} catch (Exception e) {
System.out.println("Unable to generate a X509Certificate." + e);
}
return cert;
}
Example #6
| Source File: FluentKeySigner.java From brooklyn-server with Apache License 2.0 | 6 votes |
|
@SuppressWarnings("deprecation")
public X509Certificate newCertificateFor(X500Principal subject, PublicKey keyToCertify) {
try {
X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
v3CertGen.setSerialNumber(
serialNumber != null ? serialNumber :
// must be positive
BigInteger.valueOf(srand.nextLong()).abs().add(BigInteger.ONE));
v3CertGen.setIssuerDN(issuerPrincipal);
v3CertGen.setNotBefore(validityStartDate);
v3CertGen.setNotAfter(validityEndDate);
v3CertGen.setSignatureAlgorithm(signatureAlgorithm);
v3CertGen.setSubjectDN(subject);
v3CertGen.setPublicKey(keyToCertify);
JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils();
v3CertGen.addExtension(X509Extension.subjectKeyIdentifier, false,
jcaX509ExtensionUtils.createSubjectKeyIdentifier(keyToCertify));
if (numAllowedIntermediateCAs != null) {
// This certificate is for a CA that can issue certificates.
// See https://unitstep.net/blog/2009/03/16/using-the-basic-constraints-extension-in-x509-v3-certificates-for-intermediate-cas/
v3CertGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(numAllowedIntermediateCAs));
}
if (authorityKeyIdentifier!=null)
v3CertGen.addExtension(X509Extension.authorityKeyIdentifier, false,
authorityKeyIdentifier);
X509Certificate pkCertificate = v3CertGen.generate(issuerKey.getPrivate(), "BC");
return pkCertificate;
} catch (Exception e) {
throw Exceptions.propagate(e);
}
}
Example #7
| Source File: CertCreator.java From fdroidclient with GNU General Public License v3.0 | 5 votes |
|
public static KeySet createKey(String keyAlgorithm, int keySize, String keyName,
String certSignatureAlgorithm, int certValidityYears, DistinguishedNameValues distinguishedNameValues) {
try {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(keyAlgorithm);
keyPairGenerator.initialize(keySize);
KeyPair KPair = keyPairGenerator.generateKeyPair();
X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
X509Principal principal = distinguishedNameValues.getPrincipal();
// generate a postitive serial number
BigInteger serialNumber = BigInteger.valueOf(new SecureRandom().nextInt());
while (serialNumber.compareTo(BigInteger.ZERO) < 0) {
serialNumber = BigInteger.valueOf(new SecureRandom().nextInt());
}
v3CertGen.setSerialNumber(serialNumber);
v3CertGen.setIssuerDN(principal);
v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60L * 60L * 24L * 30L));
v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60L * 60L * 24L * 366L * (long) certValidityYears)));
v3CertGen.setSubjectDN(principal);
v3CertGen.setPublicKey(KPair.getPublic());
v3CertGen.setSignatureAlgorithm(certSignatureAlgorithm);
X509Certificate PKCertificate = v3CertGen.generate(KPair.getPrivate(), "BC");
KeySet keySet = new KeySet();
keySet.setName(keyName);
keySet.setPrivateKey(KPair.getPrivate());
keySet.setPublicKey(PKCertificate);
return keySet;
} catch (Exception x) {
throw new RuntimeException(x.getMessage(), x);
}
}
Example #8
| Source File: X509CertUtils.java From MaxKey with Apache License 2.0 | 4 votes |
|
/**
* Renew a self-signed X509 Version 1 certificate.
*
* @return The renewed certificate
* @param oldCert
* old certificate
* @param iValidity
* Validity period of certificate in days to add to the old
* cert's expiry date, or current time if the certificate has
* expired
* @param publicKey
* Public part of key pair
* @param privateKey
* Private part of key pair
* @throws CryptoException
* If there was a problem generating the certificate
*/
public static X509Certificate renewCert(X509Certificate oldCert,
int iValidity, PublicKey publicKey, PrivateKey privateKey)
throws CryptoException {
// Get an X509 Version 1 Certificate generator
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
// Load the generator with generation parameters
// Valid before and after dates now to iValidity days in the future from
// now or existing expiry date
Date now = new Date();
Date oldExpiry = oldCert.getNotAfter();
if (oldExpiry == null || oldExpiry.before(now)) {
oldExpiry = now;
}
certGen.setNotBefore(now);
certGen.setNotAfter(new Date(oldExpiry.getTime()
+ ((long) iValidity * 24 * 60 * 60 * 1000)));
// Set the public key
certGen.setPublicKey(publicKey);
// Set the algorithm
certGen.setSignatureAlgorithm(oldCert.getSigAlgName());
// Set the serial number
certGen.setSerialNumber(generateX509SerialNumber());
try {
// Set the issuer distinguished name
// TODO: verify/force self-signedness
certGen.setIssuerDN(PrincipalUtil.getIssuerX509Principal(oldCert));
// Set the subject distinguished name (same as issuer for our
// purposes)
certGen.setSubjectDN(PrincipalUtil.getSubjectX509Principal(oldCert));
// Generate an X.509 certificate, based on the current issuer and
// subject
return certGen.generate(privateKey, "BC");
}
// Something went wrong
catch (GeneralSecurityException ex) {
throw new CryptoException("Certificate generation failed.", ex);
}
}
Example #9
| Source File: CertificateUtil.java From nexus-public with Eclipse Public License 1.0 | 4 votes |
|
public static X509Certificate generateCertificate(final PublicKey publicKey,
final PrivateKey privateKey,
final String algorithm,
final int validDays,
final String commonName,
final String orgUnit,
final String organization,
final String locality,
final String state,
final String country)
throws SignatureException, InvalidKeyException, NoSuchAlgorithmException, CertificateEncodingException
{
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
Vector<ASN1ObjectIdentifier> order = new Vector<>();
Hashtable<ASN1ObjectIdentifier, String> attributeMap = new Hashtable<>();
if (commonName != null) {
attributeMap.put(X509Name.CN, commonName);
order.add(X509Name.CN);
}
if (orgUnit != null) {
attributeMap.put(X509Name.OU, orgUnit);
order.add(X509Name.OU);
}
if (organization != null) {
attributeMap.put(X509Name.O, organization);
order.add(X509Name.O);
}
if (locality != null) {
attributeMap.put(X509Name.L, locality);
order.add(X509Name.L);
}
if (state != null) {
attributeMap.put(X509Name.ST, state);
order.add(X509Name.ST);
}
if (country != null) {
attributeMap.put(X509Name.C, country);
order.add(X509Name.C);
}
X509Name issuerDN = new X509Name(order, attributeMap);
// validity
long now = System.currentTimeMillis();
long expire = now + (long) validDays * 24 * 60 * 60 * 1000;
certificateGenerator.setNotBefore(new Date(now));
certificateGenerator.setNotAfter(new Date(expire));
certificateGenerator.setIssuerDN(issuerDN);
certificateGenerator.setSubjectDN(issuerDN);
certificateGenerator.setPublicKey(publicKey);
certificateGenerator.setSignatureAlgorithm(algorithm);
certificateGenerator.setSerialNumber(BigInteger.valueOf(now));
// make certificate
return certificateGenerator.generate(privateKey);
}
Example #10
| Source File: SslUtil.java From DeviceConnect-Android with MIT License | 4 votes |
|
/**
* Generates a new, self-signed X509 V3 certificate for a KeyPair.
*
* @param pair the {@link KeyPair} to be used
* @param name X.500 distinguished name
* @param notBefore not valid before this date
* @param notAfter not valid after this date
* @param serialNumber serial number
* @return the new certificate
* @throws GeneralSecurityException on error generating the certificate
*/
@SuppressWarnings("deprecation")
public static X509Certificate generateX509V3Certificate(KeyPair pair,
String name, Date notBefore, Date notAfter, BigInteger serialNumber)
throws GeneralSecurityException {
java.security.Security.addProvider(
new org.bouncycastle.jce.provider.BouncyCastleProvider());
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
X509Name dnName = new X509Name(name);
certGen.setSerialNumber(serialNumber);
certGen.setIssuerDN(dnName);
certGen.setSubjectDN(dnName); // note: same as issuer
certGen.setNotBefore(notBefore);
certGen.setNotAfter(notAfter);
certGen.setPublicKey(pair.getPublic());
certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
// For self-signed certificates, OpenSSL 0.9.6 has specific requirements
// about certificate and extension content. Quoting the `man verify`:
//
// In OpenSSL 0.9.6 and later all certificates whose subject name matches
// the issuer name of the current certificate are subject to further
// tests. The relevant authority key identifier components of the current
// certificate (if present) must match the subject key identifier (if
// present) and issuer and serial number of the candidate issuer, in
// addition the keyUsage extension of the candidate issuer (if present)
// must permit certificate signing.
//
// In the code that follows,
// - the KeyUsage extension permits cert signing (KeyUsage.keyCertSign);
// - the Authority Key Identifier extension is added, matching the
// subject key identifier, and using the issuer, and serial number.
certGen.addExtension(X509Extensions.BasicConstraints, true,
new BasicConstraints(false));
certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature
| KeyUsage.keyEncipherment | KeyUsage.keyCertSign));
certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(
KeyPurposeId.id_kp_serverAuth));
AuthorityKeyIdentifier authIdentifier = createAuthorityKeyIdentifier(
pair.getPublic(), dnName, serialNumber);
certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, true,
authIdentifier);
certGen.addExtension(X509Extensions.SubjectKeyIdentifier, true,
new SubjectKeyIdentifierStructure(pair.getPublic()));
certGen.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(
new GeneralName(GeneralName.rfc822Name, "[email protected]")));
// This method is deprecated, but Android Eclair does not provide the
// generate() methods.
X509Certificate cert = certGen.generateX509Certificate(pair.getPrivate(), SecurityUtil.getSecurityProvider());
return cert;
}
Example #11
| Source File: AutoCA.java From swift-k with Apache License 2.0 | 4 votes |
|
public AutoCA() {
gen = new X509V3CertificateGenerator();
jvmLock = new ReentrantLock();
}
Example #12
| Source File: CertificateCreator.java From odo with Apache License 2.0 | 4 votes |
|
/**
* Creates a typical Certification Authority (CA) certificate.
* @param keyPair
* @throws SecurityException
* @throws InvalidKeyException
* @throws NoSuchProviderException
* @throws NoSuchAlgorithmException
* @throws CertificateException
*/
@SuppressWarnings("deprecation")
public static X509Certificate createTypicalMasterCert(final KeyPair keyPair)
throws SignatureException, InvalidKeyException, SecurityException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException
{
X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
// BEGIN ODO CHANGES
// Added the Common Name "CN=CyberVillains CA" to the X.509 Distinguished Name below.
// This was added to work around a bug in iOS where certificates that lack Common Name's
// do not show up in the list of CA certificates found in Settings / General / About / Certificate Trust Settings.
// We needed this CA certificate to show up in this list so that we could manually trust it and therefore
// avoid the App Transport Security "Untrusted root certificate" errors.
X509Principal issuer=new X509Principal("CN=CyberVillains CA,OU=CyberVillains Certification Authority,O=CyberVillains.com,C=US");
// END ODO CHANGES
// Create
v3CertGen.setSerialNumber(BigInteger.valueOf(1));
v3CertGen.setIssuerDN(issuer);
v3CertGen.setSubjectDN(issuer);
//Set validity period
v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 12 /* months */ *(1000L * 60 * 60 * 24 * 30)));
v3CertGen.setNotAfter (new Date(System.currentTimeMillis() + 240 /* months */ *(1000L * 60 * 60 * 24 * 30)));
//Set signature algorithm & public key
v3CertGen.setPublicKey(keyPair.getPublic());
v3CertGen.setSignatureAlgorithm(CertificateCreator.SIGN_ALGO);
// Add typical extensions for signing cert
v3CertGen.addExtension(
X509Extensions.SubjectKeyIdentifier,
false,
new SubjectKeyIdentifierStructure(keyPair.getPublic()));
v3CertGen.addExtension(
X509Extensions.BasicConstraints,
true,
new BasicConstraints(0));
v3CertGen.addExtension(
X509Extensions.KeyUsage,
false,
new KeyUsage(KeyUsage.cRLSign | KeyUsage.keyCertSign) );
DEREncodableVector typicalCAExtendedKeyUsages = new DEREncodableVector();
typicalCAExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.serverAuth));
typicalCAExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.OCSPSigning));
typicalCAExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.verisignUnknown));
v3CertGen.addExtension(
X509Extensions.ExtendedKeyUsage,
false,
new DERSequence(typicalCAExtendedKeyUsages));
X509Certificate cert = v3CertGen.generate(keyPair.getPrivate(), "BC");
cert.checkValidity(new Date());
cert.verify(keyPair.getPublic());
return cert;
}
