org.bouncycastle.jce.provider.X509CertificateObject Java Examples

Example #1
Source File: KeyStoreGenerator.java    From cute-proxy with BSD 2-Clause "Simplified" License
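/**
 * Generates a leaf certificate for {@code host}, signed by the root certificate held by this
 * generator (host-name matching follows RFC 2818).
 *
 * <p>The subject name is fixed; clients match the certificate against the host through the
 * SubjectAlternativeName extension, which carries {@code host} as an iPAddress or dNSName entry.
 * The "not before" date is back-dated by one day so that clients whose clock lags behind this
 * machine still accept the certificate. The serial number is drawn from the CSPRNG and is always
 * strictly positive, as RFC 5280 requires.
 *
 * @param host         host name or IP literal placed in the SAN extension; a wildcard name is
 *                     passed through unchanged
 * @param validityDays number of days from now the certificate stays valid; must be positive
 * @return the freshly generated private key together with the chain {leaf, root}
 * @throws IllegalArgumentException if {@code host} is empty or {@code validityDays} is not positive
 * @throws Exception if key generation, encoding, signing or the signature self-check fails
 */
public PrivateKeyAndCertChain generateCertChain(String host, int validityDays) throws Exception {
    if (host == null || host.trim().isEmpty()) {
        throw new IllegalArgumentException("host must not be empty");
    }
    if (validityDays <= 0) {
        throw new IllegalArgumentException("validityDays must be positive, got " + validityDays);
    }
    logger.debug("Generating certificate for host {}", host);

    // fresh 2048-bit RSA key pair for the leaf, seeded from the CSPRNG
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    keyGen.initialize(2048, secureRandom);
    KeyPair keypair = keyGen.generateKeyPair();
    PrivateKey privateKey = keypair.getPrivate();
    PublicKey publicKey = keypair.getPublic();

    // one reference instant for both validity bounds
    Date now = new Date();
    Calendar calendar = Calendar.getInstance();
    calendar.setTime(now);
    // back-date notBefore in case the client's clock is behind ours
    calendar.add(Calendar.DAY_OF_YEAR, -1);
    Date startDate = calendar.getTime();
    calendar.setTime(now);
    calendar.add(Calendar.DAY_OF_YEAR, validityDays);
    Date expireDate = calendar.getTime();

    String appDName = "CN=ClearTheSky, OU=TianCao, O=TianCao, L=Beijing, ST=Beijing, C=CN";
    X500Name subject = new X500Name(appDName);
    var sigOID = PKCSObjectIdentifiers.sha256WithRSAEncryption;
    var sigAlgId = new AlgorithmIdentifier(sigOID, DERNull.INSTANCE);

    var generator = new V3TBSCertificateGenerator();
    generator.setSerialNumber(new ASN1Integer(newSerialNumber()));
    generator.setIssuer(getSubject(rootCert));
    generator.setSubject(subject);
    generator.setSignature(sigAlgId);
    generator.setSubjectPublicKeyInfo(getPublicKeyInfo(publicKey));
    generator.setStartDate(new Time(startDate));
    generator.setEndDate(new Time(expireDate));

    // SubjectAlternativeName: IP literals go in as iPAddress, everything else as dNSName.
    // NOTE(review): no basicConstraints (CA:false) or extendedKeyUsage extension is added, so
    // nothing in the leaf itself says it must not be used to issue further certificates —
    // confirm whether the intended clients require those extensions.
    var extensionsGenerator = new ExtensionsGenerator();
    extensionsGenerator.addExtension(Extension.subjectAlternativeName, false, () -> {
        ASN1EncodableVector nameVector = new ASN1EncodableVector();
        int hostType = Networks.getHostType(host);
        boolean isIpLiteral = hostType == Networks.HOST_TYPE_IPV4 || hostType == Networks.HOST_TYPE_IPV6;
        int nameTag = isIpLiteral ? GeneralName.iPAddress : GeneralName.dNSName;
        nameVector.add(new GeneralName(nameTag, host));
        return GeneralNames.getInstance(new DERSequence(nameVector)).toASN1Primitive();
    });
    Extensions x509Extensions = extensionsGenerator.generate();
    generator.setExtensions(x509Extensions);

    // sign the DER-encoded TBSCertificate with the root key
    var tbsCertificateStructure = generator.generateTBSCertificate();
    byte[] data = toBinaryData(tbsCertificateStructure);
    byte[] signatureData = signData(sigOID, data, privateKeyParameters, secureRandom);

    // Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    var asn1EncodableVector = new ASN1EncodableVector();
    asn1EncodableVector.add(tbsCertificateStructure);
    asn1EncodableVector.add(sigAlgId);
    asn1EncodableVector.add(new DERBitString(signatureData));

    var derSequence = new DERSequence(asn1EncodableVector);
    Certificate certificate = Certificate.getInstance(derSequence);
    X509CertificateObject clientCertificate = new X509CertificateObject(certificate);
    // self-check: the leaf must verify under the root's public key before it is handed out
    logger.debug("Verifying certificate for correct signature with CA public key");
    clientCertificate.verify(rootCert.getPublicKey());
    clientCertificate.setBagAttribute(pkcs_9_at_friendlyName, new DERBMPString("Certificate for CuteProxy App"));
    clientCertificate.setBagAttribute(pkcs_9_at_localKeyId,
            jcaX509ExtensionUtils.createSubjectKeyIdentifier(publicKey));

    return new PrivateKeyAndCertChain(privateKey, new X509Certificate[]{clientCertificate, rootCert});
}

/**
 * Draws a random, strictly positive serial number from {@code secureRandom}.
 *
 * <p>RFC 5280 §4.1.2.2 requires the serial to be a positive integer; summing a random long with
 * the wall-clock time (the previous scheme) could produce a negative value.
 *
 * @return a uniformly random value in {@code [1, Long.MAX_VALUE]}
 */
private long newSerialNumber() {
    long serial;
    do {
        serial = secureRandom.nextLong() & Long.MAX_VALUE; // clear the sign bit
    } while (serial == 0L); // zero is not a valid serial number
    return serial;
}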
 
Example #2
Source File: CertificateGenerator.java    From haven-platform with Apache License 2.0
/**
 * Converts a BouncyCastle certificate holder into a JCA {@link Certificate}.
 *
 * @param certHolder the parsed certificate structure
 * @return the same certificate as a provider object usable with the JCA APIs
 * @throws Exception if the holder's ASN.1 structure cannot be converted
 */
private static Certificate toJava(X509CertificateHolder certHolder) throws Exception {
    org.bouncycastle.asn1.x509.Certificate asn1Certificate = certHolder.toASN1Structure();
    Certificate javaCertificate = new X509CertificateObject(asn1Certificate);
    return javaCertificate;
}
 
Example #3
Source File: JwtUtil.java    From oxAuth with MIT License
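/**
 * Resolves the JWK identified by {@code keyId} to a public key, taken either from the JWKS at
 * {@code jwksUri} or from the inline {@code jwks} document.
 *
 * <p>RSA keys are rebuilt from the exponent/modulus members and EC keys from the x/y members.
 * When the JWK also carries a certificate chain, its first entry is parsed from PEM and attached
 * to the key. Any parse failure is logged and reported as "no key" ({@code null}); a partially
 * populated key is never returned.
 *
 * @param jwksUri            location of the JWKS document, consulted by {@code getJsonKey}
 * @param jwks               inline JWKS document, consulted by {@code getJsonKey}
 * @param signatureAlgorithm algorithm the caller expects; when {@code null} the algorithm
 *                           declared in the JWK is used
 * @param keyId              identifier of the key to look up
 * @return the public key, or {@code null} if the key is absent, unsupported or malformed
 */
public static PublicKey getPublicKey(
        String jwksUri, String jwks, SignatureAlgorithm signatureAlgorithm, String keyId) {
    log.debug("Retrieving JWK...");

    JSONObject jsonKeyValue = getJsonKey(jwksUri, jwks, keyId);
    if (jsonKeyValue == null) {
        return null;
    }

    try {
        String resultKeyId = jsonKeyValue.getString(KEY_ID);

        // Fall back to the algorithm declared in the JWK only when the caller did not pin one.
        SignatureAlgorithm algorithm = signatureAlgorithm;
        if (algorithm == null) {
            algorithm = SignatureAlgorithm.fromString(jsonKeyValue.getString(ALGORITHM));
            if (algorithm == null) {
                log.error(String.format("Failed to determine key '%s' signature algorithm", resultKeyId));
                return null;
            }
        }

        // The internal jwks.json format nests the key material under PUBLIC_KEY;
        // a standard JWK keeps it at the top level.
        JSONObject jsonPublicKey = jsonKeyValue.has(PUBLIC_KEY)
                ? jsonKeyValue.getJSONObject(PUBLIC_KEY)
                : jsonKeyValue;

        org.gluu.oxauth.model.crypto.PublicKey publicKey = parseKeyMaterial(jsonPublicKey, algorithm);
        if (publicKey == null) {
            // previously this fell through silently and returned null without a trace
            log.error(String.format("Unsupported signature algorithm '%s' for key '%s'", algorithm, resultKeyId));
            return null;
        }

        if (jsonKeyValue.has(CERTIFICATE_CHAIN)) {
            X509Certificate cert = parseLeafCertificate(jsonKeyValue.getJSONArray(CERTIFICATE_CHAIN));
            publicKey.setCertificate(new Certificate(algorithm, cert));
        }
        publicKey.setKeyId(resultKeyId);
        publicKey.setSignatureAlgorithm(algorithm);
        return publicKey;
    } catch (Exception ex) {
        // Malformed or unreadable JWK: report "no key" rather than a half-populated one.
        log.error(ex.getMessage(), ex);
        return null;
    }
}

/**
 * Rebuilds the raw key from the JWK members for the given algorithm family.
 *
 * @param jsonPublicKey JSON object holding the key material members
 * @param algorithm     algorithm that decides which members are read
 * @return the RSA or EC key, or {@code null} if {@code algorithm} is neither RS* nor ES*
 * @throws Exception if a required member is missing or not base64url
 */
private static org.gluu.oxauth.model.crypto.PublicKey parseKeyMaterial(
        JSONObject jsonPublicKey, SignatureAlgorithm algorithm) throws Exception {
    if (algorithm == SignatureAlgorithm.RS256
            || algorithm == SignatureAlgorithm.RS384
            || algorithm == SignatureAlgorithm.RS512) {
        BigInteger publicExponent = decodeUnsigned(jsonPublicKey.getString(EXPONENT));
        BigInteger modulus = decodeUnsigned(jsonPublicKey.getString(MODULUS));
        return new RSAPublicKey(modulus, publicExponent);
    }
    if (algorithm == SignatureAlgorithm.ES256
            || algorithm == SignatureAlgorithm.ES384
            || algorithm == SignatureAlgorithm.ES512) {
        BigInteger x = decodeUnsigned(jsonPublicKey.getString(X));
        BigInteger y = decodeUnsigned(jsonPublicKey.getString(Y));
        return new ECDSAPublicKey(algorithm, x, y);
    }
    return null;
}

/**
 * Decodes a base64url JWK member as an unsigned big-endian magnitude.
 *
 * <p>Signum 1 is mandatory: the bytes are a magnitude, not two's complement, so a leading
 * high bit must not turn the value negative.
 */
private static BigInteger decodeUnsigned(String base64url) {
    return new BigInteger(1, Base64Util.base64urldecode(base64url));
}

/**
 * Parses the first entry of a JWK certificate chain (bare base64 DER) into an X.509 certificate.
 *
 * @param certChain the certificate chain array; only element 0 is used
 * @return the leaf certificate
 * @throws IllegalStateException if the PEM block does not parse to a certificate
 * @throws Exception if the array or the PEM text cannot be read
 */
private static X509Certificate parseLeafCertificate(JSONArray certChain) throws Exception {
    final String BEGIN = "-----BEGIN CERTIFICATE-----";
    final String END = "-----END CERTIFICATE-----";
    String certificateString = BEGIN + "\n" + certChain.getString(0) + "\n" + END;

    // try-with-resources: the parser was previously left unclosed
    try (PEMParser pemReader = new PEMParser(new StringReader(certificateString))) {
        Object parsed = pemReader.readObject();
        // NOTE(review): this relies on the parser handing back X509CertificateObject; newer
        // PEMParser versions return X509CertificateHolder instead — confirm against the BC
        // version in use. A null (empty PEM) or a different type is now rejected explicitly
        // instead of surfacing as a NullPointerException or ClassCastException later.
        if (!(parsed instanceof X509CertificateObject)) {
            throw new IllegalStateException("Certificate chain entry did not parse to an X.509 certificate");
        }
        return (X509CertificateObject) parsed;
    }
}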