net.lightbody.bmp.mitm.exception.CertificateCreationException Java Examples

The following examples show how to use net.lightbody.bmp.mitm.exception.CertificateCreationException. You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may check out the related API usage on the sidebar.
Example #1
Source File: BouncyCastleSecurityProviderTool.java    From CapturePacket with MIT License 5 votes vote down vote up
/**
 * Creates a ContentSigner that can be used to sign certificates with the given private key and signature algorithm.
 *
 * @param certAuthorityPrivateKey the private key to use to sign certificates
 * @param signatureAlgorithm      the algorithm to use to sign certificates
 * @return a ContentSigner
 */
private static ContentSigner getCertificateSigner(PrivateKey certAuthorityPrivateKey, String signatureAlgorithm) {
    try {
        return new JcaContentSignerBuilder(signatureAlgorithm)
                .build(certAuthorityPrivateKey);
    } catch (OperatorCreationException e) {
        throw new CertificateCreationException("Unable to create ContentSigner using signature algorithm: " + signatureAlgorithm, e);
    }
}
 
Example #2
Source File: BouncyCastleSecurityProviderTool.java    From CapturePacket with MIT License 5 votes vote down vote up
/**
 * Converts a Bouncy Castle X509CertificateHolder into a JCA X590Certificate.
 *
 * @param bouncyCastleCertificate BC X509CertificateHolder
 * @return JCA X509Certificate
 */
private static X509Certificate convertToJcaCertificate(X509CertificateHolder bouncyCastleCertificate) {
    try {
        return new JcaX509CertificateConverter()
                .getCertificate(bouncyCastleCertificate);
    } catch (CertificateException e) {
        throw new CertificateCreationException("Unable to convert X590CertificateHolder to JCA X590Certificate", e);
    }
}
 
Example #3
Source File: BouncyCastleSecurityProviderTool.java    From Dream-Catcher with MIT License 5 votes vote down vote up
/**
 * Creates a ContentSigner that can be used to sign certificates with the given private key and signature algorithm.
 *
 * @param certAuthorityPrivateKey the private key to use to sign certificates
 * @param signatureAlgorithm      the algorithm to use to sign certificates
 * @return a ContentSigner
 */
private static ContentSigner getCertificateSigner(PrivateKey certAuthorityPrivateKey, String signatureAlgorithm) {
    try {
        return new JcaContentSignerBuilder(signatureAlgorithm)
                .build(certAuthorityPrivateKey);
    } catch (OperatorCreationException e) {
        throw new CertificateCreationException("Unable to create ContentSigner using signature algorithm: " + signatureAlgorithm, e);
    }
}
 
Example #4
Source File: BouncyCastleSecurityProviderTool.java    From Dream-Catcher with MIT License 5 votes vote down vote up
/**
 * Converts a Bouncy Castle X509CertificateHolder into a JCA X590Certificate.
 *
 * @param bouncyCastleCertificate BC X509CertificateHolder
 * @return JCA X509Certificate
 */
private static X509Certificate convertToJcaCertificate(X509CertificateHolder bouncyCastleCertificate) {
    try {
        return new JcaX509CertificateConverter()
                .getCertificate(bouncyCastleCertificate);
    } catch (CertificateException e) {
        throw new CertificateCreationException("Unable to convert X590CertificateHolder to JCA X590Certificate", e);
    }
}
 
Example #5
Source File: BouncyCastleSecurityProviderTool.java    From AndroidHttpCapture with MIT License 5 votes vote down vote up
/**
 * Creates a ContentSigner that can be used to sign certificates with the given private key and signature algorithm.
 *
 * @param certAuthorityPrivateKey the private key to use to sign certificates
 * @param signatureAlgorithm      the algorithm to use to sign certificates
 * @return a ContentSigner
 */
private static ContentSigner getCertificateSigner(PrivateKey certAuthorityPrivateKey, String signatureAlgorithm) {
    try {
        return new JcaContentSignerBuilder(signatureAlgorithm)
                .build(certAuthorityPrivateKey);
    } catch (OperatorCreationException e) {
        throw new CertificateCreationException("Unable to create ContentSigner using signature algorithm: " + signatureAlgorithm, e);
    }
}
 
Example #6
Source File: BouncyCastleSecurityProviderTool.java    From AndroidHttpCapture with MIT License 5 votes vote down vote up
/**
 * Converts a Bouncy Castle X509CertificateHolder into a JCA X590Certificate.
 *
 * @param bouncyCastleCertificate BC X509CertificateHolder
 * @return JCA X509Certificate
 */
private static X509Certificate convertToJcaCertificate(X509CertificateHolder bouncyCastleCertificate) {
    try {
        return new JcaX509CertificateConverter()
                .getCertificate(bouncyCastleCertificate);
    } catch (CertificateException e) {
        throw new CertificateCreationException("Unable to convert X590CertificateHolder to JCA X590Certificate", e);
    }
}
 
Example #7
Source File: BouncyCastleSecurityProviderTool.java    From CapturePacket with MIT License 4 votes vote down vote up
@Override
public CertificateAndKey createServerCertificate(CertificateInfo certificateInfo,
                                                 X509Certificate caRootCertificate,
                                                 PrivateKey caPrivateKey,
                                                 KeyPair serverKeyPair,
                                                 String messageDigest) {
    // make sure certificateInfo contains all fields necessary to generate the certificate
    if (certificateInfo.getCommonName() == null) {
        throw new IllegalArgumentException("Must specify CN for server certificate");
    }

    if (certificateInfo.getNotBefore() == null) {
        throw new IllegalArgumentException("Must specify Not Before for server certificate");
    }

    if (certificateInfo.getNotAfter() == null) {
        throw new IllegalArgumentException("Must specify Not After for server certificate");
    }

    // create the subject for the new server certificate. when impersonating an upstream server, this should contain
    // the hostname of the server we are trying to impersonate in the CN field
    X500Name serverCertificateSubject = createX500NameForCertificate(certificateInfo);

    // get the algorithm that will be used to sign the new certificate, which is a combination of the message digest
    // and the digital signature from the CA's private key
    String signatureAlgorithm = EncryptionUtil.getSignatureAlgorithm(messageDigest, caPrivateKey);

    // get a ContentSigner with our CA private key that will be used to sign the new server certificate
    ContentSigner signer = getCertificateSigner(caPrivateKey, signatureAlgorithm);

    // generate a serial number for the new certificate. serial numbers only need to be unique within our
    // certification authority; a large random integer will satisfy that requirement.
    BigInteger serialNumber = EncryptionUtil.getRandomBigInteger(CERTIFICATE_SERIAL_NUMBER_SIZE);

    // create the X509Certificate using Bouncy Castle. the BC X509CertificateHolder can be converted to a JCA X509Certificate.
    X509CertificateHolder certificateHolder;
    try {
        certificateHolder = new JcaX509v3CertificateBuilder(caRootCertificate,
                serialNumber,
                certificateInfo.getNotBefore(),
                certificateInfo.getNotAfter(),
                serverCertificateSubject,
                serverKeyPair.getPublic())
                .addExtension(Extension.subjectAlternativeName, false, getDomainNameSANsAsASN1Encodable(certificateInfo.getSubjectAlternativeNames()))
                .addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(serverKeyPair.getPublic()))
                .addExtension(Extension.basicConstraints, false, new BasicConstraints(false))
                .build(signer);
    } catch (CertIOException e) {
        throw new CertificateCreationException("Error creating new server certificate", e);
    }

    // convert the Bouncy Castle certificate holder into a JCA X509Certificate
    X509Certificate serverCertificate = convertToJcaCertificate(certificateHolder);

    return new CertificateAndKey(serverCertificate, serverKeyPair.getPrivate());
}
 
Example #8
Source File: BouncyCastleSecurityProviderTool.java    From CapturePacket with MIT License 4 votes vote down vote up
@Override
public CertificateAndKey createCARootCertificate(CertificateInfo certificateInfo,
                                                 KeyPair keyPair,
                                                 String messageDigest) {
    if (certificateInfo.getNotBefore() == null) {
        throw new IllegalArgumentException("Must specify Not Before for server certificate");
    }

    if (certificateInfo.getNotAfter() == null) {
        throw new IllegalArgumentException("Must specify Not After for server certificate");
    }

    // create the X500Name that will be both the issuer and the subject of the new root certificate
    X500Name issuer = createX500NameForCertificate(certificateInfo);

    BigInteger serial = EncryptionUtil.getRandomBigInteger(CERTIFICATE_SERIAL_NUMBER_SIZE);

    PublicKey rootCertificatePublicKey = keyPair.getPublic();

    String signatureAlgorithm = EncryptionUtil.getSignatureAlgorithm(messageDigest, keyPair.getPrivate());

    // this is a CA root certificate, so it is self-signed
    ContentSigner selfSigner = getCertificateSigner(keyPair.getPrivate(), signatureAlgorithm);

    ASN1EncodableVector extendedKeyUsages = new ASN1EncodableVector();
    extendedKeyUsages.add(KeyPurposeId.id_kp_serverAuth);
    extendedKeyUsages.add(KeyPurposeId.id_kp_clientAuth);
    extendedKeyUsages.add(KeyPurposeId.anyExtendedKeyUsage);

    X509CertificateHolder certificateHolder;
    try {
        certificateHolder = new JcaX509v3CertificateBuilder(
                issuer,
                serial,
                certificateInfo.getNotBefore(),
                certificateInfo.getNotAfter(),
                issuer,
                rootCertificatePublicKey)
                .addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(rootCertificatePublicKey))
                .addExtension(Extension.basicConstraints, true, new BasicConstraints(true))
                .addExtension(Extension.keyUsage, false, new KeyUsage(
                        KeyUsage.keyCertSign
                                | KeyUsage.digitalSignature
                                | KeyUsage.keyEncipherment
                                | KeyUsage.dataEncipherment
                                | KeyUsage.cRLSign))
                .addExtension(Extension.extendedKeyUsage, false, new DERSequence(extendedKeyUsages))
                .build(selfSigner);
    } catch (CertIOException e) {
        throw new CertificateCreationException("Error creating root certificate", e);
    }

    // convert the Bouncy Castle X590CertificateHolder to a JCA cert
    X509Certificate cert = convertToJcaCertificate(certificateHolder);

    return new CertificateAndKey(cert, keyPair.getPrivate());
}
 
Example #9
Source File: BouncyCastleSecurityProviderTool.java    From Dream-Catcher with MIT License 4 votes vote down vote up
@Override
public CertificateAndKey createServerCertificate(CertificateInfo certificateInfo,
                                                 X509Certificate caRootCertificate,
                                                 PrivateKey caPrivateKey,
                                                 KeyPair serverKeyPair,
                                                 String messageDigest) {
    // make sure certificateInfo contains all fields necessary to generate the certificate
    if (certificateInfo.getCommonName() == null) {
        throw new IllegalArgumentException("Must specify CN for server certificate");
    }

    if (certificateInfo.getNotBefore() == null) {
        throw new IllegalArgumentException("Must specify Not Before for server certificate");
    }

    if (certificateInfo.getNotAfter() == null) {
        throw new IllegalArgumentException("Must specify Not After for server certificate");
    }

    // create the subject for the new server certificate. when impersonating an upstream server, this should contain
    // the hostname of the server we are trying to impersonate in the CN field
    X500Name serverCertificateSubject = createX500NameForCertificate(certificateInfo);

    // get the algorithm that will be used to sign the new certificate, which is a combination of the message digest
    // and the digital signature from the CA's private key
    String signatureAlgorithm = EncryptionUtil.getSignatureAlgorithm(messageDigest, caPrivateKey);

    // get a ContentSigner with our CA private key that will be used to sign the new server certificate
    ContentSigner signer = getCertificateSigner(caPrivateKey, signatureAlgorithm);

    // generate a serial number for the new certificate. serial numbers only need to be unique within our
    // certification authority; a large random integer will satisfy that requirement.
    BigInteger serialNumber = EncryptionUtil.getRandomBigInteger(CERTIFICATE_SERIAL_NUMBER_SIZE);

    // create the X509Certificate using Bouncy Castle. the BC X509CertificateHolder can be converted to a JCA X509Certificate.
    X509CertificateHolder certificateHolder;
    try {
        certificateHolder = new JcaX509v3CertificateBuilder(caRootCertificate,
                serialNumber,
                certificateInfo.getNotBefore(),
                certificateInfo.getNotAfter(),
                serverCertificateSubject,
                serverKeyPair.getPublic())
                .addExtension(Extension.subjectAlternativeName, false, getDomainNameSANsAsASN1Encodable(certificateInfo.getSubjectAlternativeNames()))
                .addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(serverKeyPair.getPublic()))
                .addExtension(Extension.basicConstraints, false, new BasicConstraints(false))
                .build(signer);
    } catch (CertIOException e) {
        throw new CertificateCreationException("Error creating new server certificate", e);
    }

    // convert the Bouncy Castle certificate holder into a JCA X509Certificate
    X509Certificate serverCertificate = convertToJcaCertificate(certificateHolder);

    return new CertificateAndKey(serverCertificate, serverKeyPair.getPrivate());
}
 
Example #10
Source File: BouncyCastleSecurityProviderTool.java    From Dream-Catcher with MIT License 4 votes vote down vote up
@Override
public CertificateAndKey createCARootCertificate(CertificateInfo certificateInfo,
                                                 KeyPair keyPair,
                                                 String messageDigest) {
    if (certificateInfo.getNotBefore() == null) {
        throw new IllegalArgumentException("Must specify Not Before for server certificate");
    }

    if (certificateInfo.getNotAfter() == null) {
        throw new IllegalArgumentException("Must specify Not After for server certificate");
    }

    // create the X500Name that will be both the issuer and the subject of the new root certificate
    X500Name issuer = createX500NameForCertificate(certificateInfo);

    BigInteger serial = EncryptionUtil.getRandomBigInteger(CERTIFICATE_SERIAL_NUMBER_SIZE);

    PublicKey rootCertificatePublicKey = keyPair.getPublic();

    String signatureAlgorithm = EncryptionUtil.getSignatureAlgorithm(messageDigest, keyPair.getPrivate());

    // this is a CA root certificate, so it is self-signed
    ContentSigner selfSigner = getCertificateSigner(keyPair.getPrivate(), signatureAlgorithm);

    ASN1EncodableVector extendedKeyUsages = new ASN1EncodableVector();
    extendedKeyUsages.add(KeyPurposeId.id_kp_serverAuth);
    extendedKeyUsages.add(KeyPurposeId.id_kp_clientAuth);
    extendedKeyUsages.add(KeyPurposeId.anyExtendedKeyUsage);

    X509CertificateHolder certificateHolder;
    try {
        certificateHolder = new JcaX509v3CertificateBuilder(
                issuer,
                serial,
                certificateInfo.getNotBefore(),
                certificateInfo.getNotAfter(),
                issuer,
                rootCertificatePublicKey)
                .addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(rootCertificatePublicKey))
                .addExtension(Extension.basicConstraints, true, new BasicConstraints(true))
                .addExtension(Extension.keyUsage, false, new KeyUsage(
                        KeyUsage.keyCertSign
                                | KeyUsage.digitalSignature
                                | KeyUsage.keyEncipherment
                                | KeyUsage.dataEncipherment
                                | KeyUsage.cRLSign))
                .addExtension(Extension.extendedKeyUsage, false, new DERSequence(extendedKeyUsages))
                .build(selfSigner);
    } catch (CertIOException e) {
        throw new CertificateCreationException("Error creating root certificate", e);
    }

    // convert the Bouncy Castle X590CertificateHolder to a JCA cert
    X509Certificate cert = convertToJcaCertificate(certificateHolder);

    return new CertificateAndKey(cert, keyPair.getPrivate());
}
 
Example #11
Source File: BouncyCastleSecurityProviderTool.java    From AndroidHttpCapture with MIT License 4 votes vote down vote up
@Override
public CertificateAndKey createServerCertificate(CertificateInfo certificateInfo,
                                                 X509Certificate caRootCertificate,
                                                 PrivateKey caPrivateKey,
                                                 KeyPair serverKeyPair,
                                                 String messageDigest) {
    // make sure certificateInfo contains all fields necessary to generate the certificate
    if (certificateInfo.getCommonName() == null) {
        throw new IllegalArgumentException("Must specify CN for server certificate");
    }

    if (certificateInfo.getNotBefore() == null) {
        throw new IllegalArgumentException("Must specify Not Before for server certificate");
    }

    if (certificateInfo.getNotAfter() == null) {
        throw new IllegalArgumentException("Must specify Not After for server certificate");
    }

    // create the subject for the new server certificate. when impersonating an upstream server, this should contain
    // the hostname of the server we are trying to impersonate in the CN field
    X500Name serverCertificateSubject = createX500NameForCertificate(certificateInfo);

    // get the algorithm that will be used to sign the new certificate, which is a combination of the message digest
    // and the digital signature from the CA's private key
    String signatureAlgorithm = EncryptionUtil.getSignatureAlgorithm(messageDigest, caPrivateKey);

    // get a ContentSigner with our CA private key that will be used to sign the new server certificate
    ContentSigner signer = getCertificateSigner(caPrivateKey, signatureAlgorithm);

    // generate a serial number for the new certificate. serial numbers only need to be unique within our
    // certification authority; a large random integer will satisfy that requirement.
    BigInteger serialNumber = EncryptionUtil.getRandomBigInteger(CERTIFICATE_SERIAL_NUMBER_SIZE);

    // create the X509Certificate using Bouncy Castle. the BC X509CertificateHolder can be converted to a JCA X509Certificate.
    X509CertificateHolder certificateHolder;
    try {
        certificateHolder = new JcaX509v3CertificateBuilder(caRootCertificate,
                serialNumber,
                certificateInfo.getNotBefore(),
                certificateInfo.getNotAfter(),
                serverCertificateSubject,
                serverKeyPair.getPublic())
                .addExtension(Extension.subjectAlternativeName, false, getDomainNameSANsAsASN1Encodable(certificateInfo.getSubjectAlternativeNames()))
                .addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(serverKeyPair.getPublic()))
                .addExtension(Extension.basicConstraints, false, new BasicConstraints(false))
                .build(signer);
    } catch (CertIOException e) {
        throw new CertificateCreationException("Error creating new server certificate", e);
    }

    // convert the Bouncy Castle certificate holder into a JCA X509Certificate
    X509Certificate serverCertificate = convertToJcaCertificate(certificateHolder);

    return new CertificateAndKey(serverCertificate, serverKeyPair.getPrivate());
}
 
Example #12
Source File: BouncyCastleSecurityProviderTool.java    From AndroidHttpCapture with MIT License 4 votes vote down vote up
@Override
public CertificateAndKey createCARootCertificate(CertificateInfo certificateInfo,
                                                 KeyPair keyPair,
                                                 String messageDigest) {
    if (certificateInfo.getNotBefore() == null) {
        throw new IllegalArgumentException("Must specify Not Before for server certificate");
    }

    if (certificateInfo.getNotAfter() == null) {
        throw new IllegalArgumentException("Must specify Not After for server certificate");
    }

    // create the X500Name that will be both the issuer and the subject of the new root certificate
    X500Name issuer = createX500NameForCertificate(certificateInfo);

    BigInteger serial = EncryptionUtil.getRandomBigInteger(CERTIFICATE_SERIAL_NUMBER_SIZE);

    PublicKey rootCertificatePublicKey = keyPair.getPublic();

    String signatureAlgorithm = EncryptionUtil.getSignatureAlgorithm(messageDigest, keyPair.getPrivate());

    // this is a CA root certificate, so it is self-signed
    ContentSigner selfSigner = getCertificateSigner(keyPair.getPrivate(), signatureAlgorithm);

    ASN1EncodableVector extendedKeyUsages = new ASN1EncodableVector();
    extendedKeyUsages.add(KeyPurposeId.id_kp_serverAuth);
    extendedKeyUsages.add(KeyPurposeId.id_kp_clientAuth);
    extendedKeyUsages.add(KeyPurposeId.anyExtendedKeyUsage);

    X509CertificateHolder certificateHolder;
    try {
        certificateHolder = new JcaX509v3CertificateBuilder(
                issuer,
                serial,
                certificateInfo.getNotBefore(),
                certificateInfo.getNotAfter(),
                issuer,
                rootCertificatePublicKey)
                .addExtension(Extension.subjectKeyIdentifier, false, createSubjectKeyIdentifier(rootCertificatePublicKey))
                .addExtension(Extension.basicConstraints, true, new BasicConstraints(true))
                .addExtension(Extension.keyUsage, false, new KeyUsage(
                        KeyUsage.keyCertSign
                                | KeyUsage.digitalSignature
                                | KeyUsage.keyEncipherment
                                | KeyUsage.dataEncipherment
                                | KeyUsage.cRLSign))
                .addExtension(Extension.extendedKeyUsage, false, new DERSequence(extendedKeyUsages))
                .build(selfSigner);
    } catch (CertIOException e) {
        throw new CertificateCreationException("Error creating root certificate", e);
    }

    // convert the Bouncy Castle X590CertificateHolder to a JCA cert
    X509Certificate cert = convertToJcaCertificate(certificateHolder);

    return new CertificateAndKey(cert, keyPair.getPrivate());
}