org.bouncycastle.operator.ContentSigner Java Examples
The following examples show how to use
org.bouncycastle.operator.ContentSigner.
Example #1
Source File: KeyStoreDemo.java From Hands-On-Cryptography-with-Java with MIT License | 7 votes |
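/**
 * Wraps a {@link KeyPair} in a self-signed X.509v3 certificate so the key can be stored in a
 * {@code KeyStore} under a recognisable name. Issuer and subject are both the constant
 * {@code cn=Annoying Wrapper}; validity runs from now until the start (UTC) of the day 365 days out.
 *
 * @param keyPair the key pair to wrap; its private key signs the certificate with SHA256WithRSA
 * @return the self-signed certificate, converted through the Bouncy Castle provider
 * @throws CertificateException if the certificate holder cannot be converted
 * @throws OperatorCreationException if the signer cannot be built from the private key
 */
public static Certificate generateCertificate(KeyPair keyPair)
        throws CertificateException, OperatorCreationException {
    final X500Name name = new X500Name("cn=Annoying Wrapper");
    final SubjectPublicKeyInfo subPubKeyInfo =
            SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
    final Date start = new Date();
    final Date until = Date.from(
            LocalDate.now().plus(365, ChronoUnit.DAYS).atStartOfDay().toInstant(ZoneOffset.UTC));
    // RFC 5280 requires serials to be positive and unique per issuer. The original drew only
    // 10 random bits (at most 1024 distinct serials), which its own comment flagged as inadequate;
    // 64 random bits is the common minimum for unpredictable, collision-resistant serials.
    final BigInteger serial = new BigInteger(64, new SecureRandom());
    final X509v3CertificateBuilder builder =
            new X509v3CertificateBuilder(name, serial, start, until, name, subPubKeyInfo);
    // One provider instance serves both the signer and the converter.
    final BouncyCastleProvider provider = new BouncyCastleProvider();
    final ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA")
            .setProvider(provider)
            .build(keyPair.getPrivate());
    final X509CertificateHolder holder = builder.build(signer);
    return new JcaX509CertificateConverter().setProvider(provider).getCertificate(holder);
}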
Example #2
Source File: CertificateUtils.java From freehealth-connector with GNU Affero General Public License v3.0 | 7 votes |
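/**
 * Issues a certificate for {@code rqPubKey} signed by the credential's private key. Subject,
 * validity window and signature algorithm are all copied from the credential's own certificate,
 * so the issued certificate cannot outlive the signing certificate.
 *
 * @param rqPubKey the public key to certify
 * @param serialNr the serial number to stamp into the certificate; the caller guarantees uniqueness
 * @param cred the signing credential (certificate plus private key)
 * @return the issued certificate, converted through the "BC" provider
 * @throws TechnicalConnectorException declared for the {@code Credential} accessors; nothing in this
 *     body raises it directly
 * @throws IllegalArgumentException wrapping any signer, extension or conversion failure
 */
public static X509Certificate generateCert(PublicKey rqPubKey, BigInteger serialNr, Credential cred)
        throws TechnicalConnectorException {
    try {
        X509Certificate signingCert = cred.getCertificate();
        X500Principal principal = signingCert.getSubjectX500Principal();
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(principal, serialNr,
                signingCert.getNotBefore(), signingCert.getNotAfter(), principal, rqPubKey);
        // Same bit pattern as the former "16 + 32" literal, spelled with the RFC 5280 names
        // (dataEncipherment = 16, keyEncipherment = 32); critical, as key usage normally is.
        builder.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.dataEncipherment));
        ContentSigner signer = new JcaContentSignerBuilder(signingCert.getSigAlgName()).build(cred.getPrivateKey());
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    } catch (OperatorCreationException | IOException | CertificateException ex) {
        throw new IllegalArgumentException(ex);
    }
}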
Example #3
Source File: X509Util.java From logback-gelf with GNU Lesser General Public License v2.1 | 6 votes |
/**
 * Builds a self-signed CA certificate ({@code CN=MyCA}) for the {@code keyPair} field, valid from
 * today until one year from today, signed with {@code SIG_ALGORITHM}. Extensions: authority and
 * subject key identifiers (non-critical), a critical basicConstraints with pathLen 0, and a critical
 * keyUsage of digitalSignature | keyCertSign | cRLSign. {@code Date} here is {@code java.sql.Date},
 * the only {@code Date} with {@code valueOf(LocalDate)}.
 */
private X509Certificate build() throws NoSuchAlgorithmException, CertIOException,
        OperatorCreationException, CertificateException {
    final PublicKey caPublicKey = keyPair.getPublic();
    final X500Principal caName = new X500Principal("CN=MyCA");
    final BigInteger serial = new BigInteger(64, new SecureRandom());
    final LocalDate today = LocalDate.now();
    final X509v3CertificateBuilder certGen = new JcaX509v3CertificateBuilder(
            caName, serial, Date.valueOf(today), Date.valueOf(today.plusYears(1)), caName, caPublicKey);
    final JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
    certGen.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caPublicKey));
    certGen.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(caPublicKey));
    // pathLen 0: this CA may sign end-entity certificates but no subordinate CAs.
    certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
    certGen.addExtension(Extension.keyUsage, true,
            new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
    final ContentSigner signer = new JcaContentSignerBuilder(SIG_ALGORITHM).build(keyPair.getPrivate());
    final X509CertificateHolder holder = certGen.build(signer);
    return new JcaX509CertificateConverter()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME)
            .getCertificate(holder);
}
Example #4
Source File: TestSslUtils.java From li-apache-kafka-clients with BSD 2-Clause "Simplified" License | 6 votes |
/**
 * Create a self-signed X.509 v1 certificate for {@code pair}, with {@code dn} as both issuer and
 * subject. Adapted from http://bfo.com/blog/2011/03/08/odds_and_ends_creating_a_new_x_509_certificate.html.
 * Registers the Bouncy Castle provider on every call ({@code Security.addProvider} is a no-op for an
 * already-registered provider) and converts the result through the "BC" provider.
 *
 * @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
 * @param pair the KeyPair whose private key signs and whose public key is certified
 * @param days validity in days, counted from now
 * @param algorithm the JCA signature algorithm name, eg "SHA256withRSA" (SHA-1 based names such as
 *     "SHA1withRSA" are accepted but deprecated for new certificates)
 * @return the self-signed certificate
 * @throws CertificateException thrown if a security error or an IO error occurred; any other failure
 *     is wrapped in one
 */
public static X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm)
        throws CertificateException {
    try {
        Security.addProvider(new BouncyCastleProvider());
        AlgorithmIdentifier sigAlg = new DefaultSignatureAlgorithmIdentifierFinder().find(algorithm);
        AlgorithmIdentifier digAlg = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlg);
        AsymmetricKeyParameter signingKey = PrivateKeyFactory.createKey(pair.getPrivate().getEncoded());
        SubjectPublicKeyInfo subjectKeyInfo = SubjectPublicKeyInfo.getInstance(pair.getPublic().getEncoded());
        ContentSigner signer = new BcRSAContentSignerBuilder(sigAlg, digAlg).build(signingKey);
        X500Name subject = new X500Name(dn);
        Date notBefore = new Date();
        // days is widened to long before the multiply, so large values do not overflow int.
        Date notAfter = new Date(notBefore.getTime() + days * 86400000L);
        BigInteger serial = new BigInteger(64, new SecureRandom());
        X509v1CertificateBuilder certGen =
                new X509v1CertificateBuilder(subject, serial, notBefore, notAfter, subject, subjectKeyInfo);
        X509CertificateHolder holder = certGen.build(signer);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
    } catch (CertificateException ce) {
        throw ce;
    } catch (Exception e) {
        throw new CertificateException(e);
    }
}
Example #5
Source File: TestDefaultProfile.java From hadoop-ozone with Apache License 2.0 | 6 votes |
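/**
 * Generates a CSR carrying the given extensions as a pkcs-9-at-extensionRequest attribute.
 * The CSR itself is well formed; it is "invalid" only in the sense that the PKI profile under test
 * is expected to reject the supplied extensions — hence the name.
 *
 * @param kPair key pair whose public key goes into the request and whose private key signs it
 * @param extensions the extensions to embed in the request
 * @return the signed PKCS#10 request
 * @throws OperatorCreationException if the signer cannot be built
 */
private PKCS10CertificationRequest getInvalidCSR(KeyPair kPair, Extensions extensions)
        throws OperatorCreationException {
    X500NameBuilder nameBuilder = new X500NameBuilder(X500Name.getDefaultStyle());
    nameBuilder.addRDN(BCStyle.CN, "invalidCert");
    // Use the key pair the caller handed in. The original read the class field keyPair instead
    // and silently ignored this parameter, so a test passing a different pair got the wrong key.
    PKCS10CertificationRequestBuilder csrBuilder =
            new JcaPKCS10CertificationRequestBuilder(nameBuilder.build(), kPair.getPublic());
    csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensions);
    ContentSigner signer = new JcaContentSignerBuilder(this.securityConfig.getSignatureAlgo())
            .build(kPair.getPrivate());
    return csrBuilder.build(signer);
}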
Example #6
Source File: CertificateSignRequest.java From hadoop-ozone with Apache License 2.0 | 6 votes |
/**
 * Builds and signs a PKCS#10 request for the instance's {@code keyPair}. The subject DN is derived
 * from {@code subject}, {@code scmID} and {@code clusterID}; {@code extensions}, when non-null, are
 * attached as a pkcs-9-at-extensionRequest attribute. Signature algorithm and provider are read
 * from {@code config}.
 *
 * @return the signed certificate request
 * @throws OperatorCreationException if the content signer cannot be created
 */
private PKCS10CertificationRequest generateCSR() throws OperatorCreationException {
    X500Name subjectDn = SecurityUtil.getDistinguishedName(subject, scmID, clusterID);
    PKCS10CertificationRequestBuilder requestBuilder =
            new JcaPKCS10CertificationRequestBuilder(subjectDn, keyPair.getPublic());
    ContentSigner signer = new JcaContentSignerBuilder(config.getSignatureAlgo())
            .setProvider(config.getProvider())
            .build(keyPair.getPrivate());
    if (extensions != null) {
        requestBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extensions);
    }
    return requestBuilder.build(signer);
}
Example #7
Source File: SelfSignedCaCertificate.java From nomulus with Apache License 2.0 | 6 votes |
/**
 * Returns a self-signed Certificate Authority (CA) certificate for {@code keyPair}: issuer and
 * subject are {@code CN=<fqdn>}, validity is [from, to], the serial is 64 random bits from
 * {@code RANDOM}, the signature is SHA256WithRSAEncryption, and basicConstraints (OID 2.5.29.19)
 * is added critical with cA=true.
 */
static X509Certificate createCaCert(KeyPair keyPair, String fqdn, Date from, Date to) throws Exception {
    X500Name subjectAndIssuer = new X500Name("CN=" + fqdn);
    ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(keyPair.getPrivate());
    BigInteger serial = new BigInteger(64, RANDOM);
    X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
            subjectAndIssuer, serial, from, to, subjectAndIssuer, keyPair.getPublic());
    // 2.5.29.19 is id-ce-basicConstraints; cA=true marks this certificate as a CA.
    certBuilder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, new BasicConstraints(true));
    X509CertificateHolder holder = certBuilder.build(signer);
    return new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(holder);
}
Example #8
Source File: CreateMultipleVisualizations.java From testarea-pdfbox2 with Apache License 2.0 | 6 votes |
/**
 * Copy of <code>org.apache.pdfbox.examples.signature.CreateSignatureBase.sign(InputStream)</code>
 * from the pdfbox examples artifact: produces a detached CMS signature (SHA256WithRSA with
 * {@code pk}) over {@code content}, embedding the whole {@code chain}.
 *
 * @param content the data to sign; consumed by the CMS generator
 * @return the encoded CMS SignedData without the content (detached)
 * @throws IOException wrapping any security, CMS or operator failure
 */
@Override
public byte[] sign(InputStream content) throws IOException {
    try {
        List<Certificate> chainList = new ArrayList<>(Arrays.asList(chain));
        Store<?> certStore = new JcaCertStore(chainList);
        org.bouncycastle.asn1.x509.Certificate signerCert =
                org.bouncycastle.asn1.x509.Certificate.getInstance(chain[0].getEncoded());
        // The signer uses SHA-256; the upstream copy misleadingly called this variable "sha1Signer".
        ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA").build(pk);
        CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
        generator.addSignerInfoGenerator(
                new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build())
                        .build(signer, new X509CertificateHolder(signerCert)));
        generator.addCertificates(certStore);
        CMSSignedData signedData = generator.generate(new CMSProcessableInputStream(content), false);
        return signedData.getEncoded();
    } catch (GeneralSecurityException | CMSException | OperatorCreationException e) {
        throw new IOException(e);
    }
}
Example #9
Source File: JCEUtils.java From java-11-examples with Apache License 2.0 | 6 votes |
/**
 * Issues an X.509v3 certificate for {@code publicKey}, signed by {@code privateKey} with
 * {@code SHA256_RSA}. Issuer and subject are {@code CN_NAME} followed by the given names. The
 * serial is the current time in milliseconds, so it is unique only while at most one certificate
 * is issued per millisecond.
 *
 * @param issuerName appended to {@code CN_NAME} to form the issuer DN
 * @param subjectName appended to {@code CN_NAME} to form the subject DN
 * @param notBefore start of validity
 * @param duration validity length in units of {@code timeUnit}, counted from {@code notBefore}
 * @param timeUnit unit of {@code duration}
 * @param publicKey key to certify
 * @param privateKey issuer key used to sign
 * @return the certificate, parsed back through the {@code X509} factory of {@code BC_PROVIDER}
 * @throws PKIException wrapping any failure
 */
public static X509Certificate createSignedCertificate(String issuerName, String subjectName, Date notBefore,
        Long duration, TimeUnit timeUnit, PublicKey publicKey, PrivateKey privateKey) throws PKIException {
    try {
        X500Name issuerDn = new X500Name(CN_NAME + issuerName);
        X500Name subjectDn = new X500Name(CN_NAME + subjectName);
        BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
        Date notAfter = new Date(notBefore.getTime() + timeUnit.toMillis(duration));
        SubjectPublicKeyInfo subjectKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
        X509v3CertificateBuilder certBuilder =
                new X509v3CertificateBuilder(issuerDn, serial, notBefore, notAfter, subjectDn, subjectKeyInfo);
        ContentSigner signer = new JcaContentSignerBuilder(SHA256_RSA).build(privateKey);
        CertificateFactory factory = CertificateFactory.getInstance(X509, BC_PROVIDER);
        byte[] encoded = certBuilder.build(signer).getEncoded();
        return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(encoded));
    } catch (Exception e) {
        throw new PKIException(e);
    }
}
Example #10
Source File: CertificateGeneratorTest.java From haven-platform with Apache License 2.0 | 6 votes |
/**
 * Builds a self-signed root from a fresh key pair, then asks {@code CertificateGenerator.constructCert}
 * to write a keystore for the names "test1"/"test2" to a fixed path under /tmp and checks that a
 * {@code KeystoreConfig} comes back. The generator's log level is raised to DEBUG for the run.
 */
@Test
public void constructCert() throws Exception {
    Security.addProvider(new BouncyCastleProvider());
    ((Logger) LoggerFactory.getLogger(CertificateGenerator.class)).setLevel(Level.DEBUG);
    // Fixed path; the Files.createTempFile("dm-agent", ".jks") alternative was left commented out upstream.
    File keystoreFile = new File("/tmp/dm-agent.jks");
    KeyPair rootKeys = createKeypair();
    JcaX509v3CertificateBuilder rootBuilder = createRootCert(rootKeys);
    ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(rootKeys.getPrivate());
    X509CertificateHolder rootCert = rootBuilder.build(signer);
    KeystoreConfig config = CertificateGenerator.constructCert(
            rootCert, rootKeys.getPrivate(), keystoreFile, ImmutableSet.of("test1", "test2"));
    assertNotNull(config);
}
Example #11
Source File: CAImpl.java From littleca with Apache License 2.0 | 6 votes |
/**
 * Builds a PKCS#10 request for {@code publicKey} with subject {@code userDN}, signed with the
 * instance's {@code privateKey}. A null {@code signAlg} falls back to {@code DEFAULT_SIGN_ALG}; the
 * signer is always obtained from the Bouncy Castle provider.
 *
 * @throws CertException wrapping any failure, with the message "makeUserCertReq failed"
 */
@Override
public PKCS10CertificationRequest makeUserCertReq(PublicKey publicKey, String userDN, String signAlg)
        throws CertException {
    try {
        PKCS10CertificationRequestBuilder requestBuilder = new PKCS10CertificationRequestBuilder(
                new X500Name(userDN), SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
        String algorithm = (signAlg == null) ? DEFAULT_SIGN_ALG : signAlg;
        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(algorithm);
        signerBuilder.setProvider(BouncyCastleProvider.PROVIDER_NAME);
        ContentSigner signer = signerBuilder.build(privateKey);
        return requestBuilder.build(signer);
    } catch (Exception e) {
        throw new CertException("makeUserCertReq failed", e);
    }
}
Example #12
Source File: CertificateManager.java From Launcher with GNU General Public License v3.0 | 6 votes |
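/**
 * Issues an end-entity certificate for {@code subjectPublicKey}, signed by the CA key
 * {@code caKey} with the CA certificate's own signature algorithm. The subject is
 * CN={@code subjectName}, O={@code orgName}; validity starts {@code minusHours} hours in the past
 * (presumably a clock-skew allowance) and lasts {@code validDays} days from that point.
 *
 * @param subjectName value for the CN RDN
 * @param subjectPublicKey key to certify
 * @return the certificate holder; not yet converted to a JCA certificate
 * @throws OperatorCreationException if the EC signer cannot be built
 */
public X509CertificateHolder generateCertificate(String subjectName, PublicKey subjectPublicKey)
        throws OperatorCreationException {
    SubjectPublicKeyInfo subjectPubKeyInfo = SubjectPublicKeyInfo.getInstance(subjectPublicKey.getEncoded());
    // RFC 5280 §4.1.2.2 requires a positive serial. nextLong() is signed, so the original could emit
    // a negative serial that strict validators reject. abs() keeps the 64 random bits (2^63 for
    // Long.MIN_VALUE, which BigInteger represents exactly); max(ONE) only covers the 2^-64 zero case.
    BigInteger serial = BigInteger.valueOf(SecurityHelper.newRandom().nextLong()).abs().max(BigInteger.ONE);
    Date startDate = Date.from(Instant.now().minus(minusHours, ChronoUnit.HOURS));
    Date endDate = Date.from(startDate.toInstant().plus(validDays, ChronoUnit.DAYS));
    X500NameBuilder subject = new X500NameBuilder();
    subject.addRDN(BCStyle.CN, subjectName);
    subject.addRDN(BCStyle.O, orgName);
    X509v3CertificateBuilder v3CertGen = new X509v3CertificateBuilder(
            ca.getSubject(), serial, startDate, endDate, subject.build(), subjectPubKeyInfo);
    AlgorithmIdentifier sigAlgId = ca.getSignatureAlgorithm();
    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
    ContentSigner sigGen = new BcECContentSignerBuilder(sigAlgId, digAlgId).build(caKey);
    return v3CertGen.build(sigGen);
}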
Example #13
Source File: SignHelper.java From Launcher with GNU General Public License v3.0 | 6 votes |
/**
 * Creates the beast that can actually sign the data (for JKS, for other make it): a
 * {@link CMSSignedDataGenerator} whose single signer is the key stored under {@code keyAlias},
 * using {@code signAlgo} through the "BC" provider, with the alias's whole certificate chain attached.
 *
 * @param keyStore store holding the key and its chain
 * @param keyAlias alias of the signing key
 * @param signAlgo JCA signature algorithm name
 * @param keyPassword password protecting the key, or null if the key is unprotected
 */
public static CMSSignedDataGenerator createSignedDataGenerator(KeyStore keyStore, String keyAlias,
        String signAlgo, String keyPassword) throws KeyStoreException, OperatorCreationException,
        CertificateEncodingException, UnrecoverableKeyException, NoSuchAlgorithmException, CMSException {
    List<Certificate> chain = new ArrayList<>(Arrays.asList(keyStore.getCertificateChain(keyAlias)));
    @SuppressWarnings("rawtypes")
    Store certStore = new JcaCertStore(chain);
    Certificate signerCert = keyStore.getCertificate(keyAlias);
    char[] password = (keyPassword == null) ? null : keyPassword.toCharArray();
    PrivateKey privateKey = (PrivateKey) keyStore.getKey(keyAlias, password);
    ContentSigner signer = new JcaContentSignerBuilder(signAlgo).setProvider("BC").build(privateKey);
    DigestCalculatorProvider digestProvider = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build();
    SignerInfoGenerator signerInfo =
            new JcaSignerInfoGeneratorBuilder(digestProvider).build(signer, (X509Certificate) signerCert);
    CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
    generator.addSignerInfoGenerator(signerInfo);
    generator.addCertificates(certStore);
    return generator;
}
Example #14
Source File: OcspCertificateValidatorTest.java From localization_nifi with Apache License 2.0 | 6 votes |
/**
 * Generates a certificate with a specific public key signed by the issuer key.
 * Validity is the fixed [YESTERDAY, ONE_YEAR_FROM_NOW] window, the serial is the current time in
 * milliseconds, and the signature uses SIGNATURE_ALGORITHM through PROVIDER.
 *
 * @param dn the subject DN
 * @param publicKey the subject public key
 * @param issuerDn the issuer DN
 * @param issuerKey the issuer private key
 * @return the certificate
 * @throws IOException if an exception occurs
 * @throws NoSuchAlgorithmException if an exception occurs
 * @throws CertificateException if an exception occurs
 * @throws NoSuchProviderException if an exception occurs
 * @throws SignatureException if an exception occurs
 * @throws InvalidKeyException if an exception occurs
 * @throws OperatorCreationException if an exception occurs
 */
private static X509Certificate generateIssuedCertificate(String dn, PublicKey publicKey, String issuerDn,
        PrivateKey issuerKey) throws IOException, NoSuchAlgorithmException, CertificateException,
        NoSuchProviderException, SignatureException, InvalidKeyException, OperatorCreationException {
    ContentSigner signer = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER).build(issuerKey);
    SubjectPublicKeyInfo subjectKeyInfo = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
    X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
            new X500Name(issuerDn),
            BigInteger.valueOf(System.currentTimeMillis()),
            new Date(YESTERDAY),
            new Date(ONE_YEAR_FROM_NOW),
            new X500Name(dn),
            subjectKeyInfo);
    X509CertificateHolder holder = certBuilder.build(signer);
    return new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(holder);
}
Example #15
Source File: BouncyCastleSecurityProviderTool.java From AndroidHttpCapture with MIT License | 5 votes |
/**
 * Creates a ContentSigner that can be used to sign certificates with the given private key and
 * signature algorithm.
 *
 * @param certAuthorityPrivateKey the private key to use to sign certificates
 * @param signatureAlgorithm the algorithm to use to sign certificates
 * @return a ContentSigner
 * @throws CertificateCreationException if the JCA cannot build a signer for this algorithm and key
 */
private static ContentSigner getCertificateSigner(PrivateKey certAuthorityPrivateKey, String signatureAlgorithm) {
    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(signatureAlgorithm);
    try {
        return signerBuilder.build(certAuthorityPrivateKey);
    } catch (OperatorCreationException e) {
        throw new CertificateCreationException(
                "Unable to create ContentSigner using signature algorithm: " + signatureAlgorithm, e);
    }
}
Example #16
Source File: ElasticsearchCluster.java From dremio-oss with Apache License 2.0 | 5 votes |
/**
 * Builds a lightweight (non-JCA) RSA content signer for {@code privateKey}: {@code algo} is
 * resolved to its signature and digest AlgorithmIdentifiers and the key is re-parsed from its
 * encoded form.
 *
 * @param privateKey RSA private key with an exportable encoding
 * @param algo JCA signature algorithm name, e.g. "SHA256withRSA"
 * @throws RuntimeException wrapping an operator or key-decoding failure
 */
private static ContentSigner newSigner(PrivateKey privateKey, String algo) {
    try {
        AlgorithmIdentifier signatureAlg = new DefaultSignatureAlgorithmIdentifierFinder().find(algo);
        AlgorithmIdentifier digestAlg = new DefaultDigestAlgorithmIdentifierFinder().find(signatureAlg);
        BcRSAContentSignerBuilder signerBuilder = new BcRSAContentSignerBuilder(signatureAlg, digestAlg);
        return signerBuilder.build(PrivateKeyFactory.createKey(privateKey.getEncoded()));
    } catch (OperatorCreationException | IOException e) {
        throw new RuntimeException(e);
    }
}
Example #17
Source File: V1SchemeSigner.java From walle with Apache License 2.0 | 5 votes |
/**
 * Produces the CMS/PKCS#7 signature block over {@code signatureFileBytes} (the .SF contents) for the
 * v1 JAR signing scheme: a direct signature (no signed attributes) by the first certificate in
 * {@code signerConfig.certificates}, with all configured certificates embedded, re-encoded as DER.
 *
 * @param signerConfig private key, certificates and digest algorithm of the signer
 * @param signatureFileBytes the bytes to sign
 * @return the DER-encoded SignedData
 * @throws SignatureException "Failed to generate signature", wrapping operator, CMS or IO failures
 */
private static byte[] generateSignatureBlock(SignerConfig signerConfig, byte[] signatureFileBytes)
        throws InvalidKeyException, CertificateEncodingException, SignatureException {
    JcaCertStore certs = new JcaCertStore(signerConfig.certificates);
    X509Certificate signerCert = signerConfig.certificates.get(0);
    String jcaSignatureAlgorithm =
            getJcaSignatureAlgorithm(signerCert.getPublicKey(), signerConfig.signatureDigestAlgorithm);
    try {
        ContentSigner signer = new JcaContentSignerBuilder(jcaSignatureAlgorithm).build(signerConfig.privateKey);
        SignerInfoGeneratorBuilder signerInfoBuilder = new SignerInfoGeneratorBuilder(
                new JcaDigestCalculatorProviderBuilder().build(), SignerInfoSignatureAlgorithmFinder.INSTANCE)
                .setDirectSignature(true);
        CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
        gen.addSignerInfoGenerator(signerInfoBuilder.build(signer, new JcaX509CertificateHolder(signerCert)));
        gen.addCertificates(certs);
        CMSSignedData sigData = gen.generate(new CMSProcessableByteArray(signatureFileBytes), false);
        // Re-encode through DEROutputStream: the generator's own encoding is not guaranteed to be DER.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ASN1InputStream asn1 = new ASN1InputStream(sigData.getEncoded())) {
            new DEROutputStream(out).writeObject(asn1.readObject());
        }
        return out.toByteArray();
    } catch (OperatorCreationException | CMSException | IOException e) {
        throw new SignatureException("Failed to generate signature", e);
    }
}
Example #18
Source File: ApkUtils.java From NBANDROID-V2 with Apache License 2.0 | 5 votes |
/**
 * Generates a fresh key pair with algorithm {@code asymmetric} and wraps its public key in a
 * self-signed X.509 v1 certificate: serial 1, issuer == subject == {@code dn}, signed with
 * {@code sign} through a Bouncy Castle provider instance, valid from now for {@code validityYears}
 * 365-day years.
 *
 * @return the private key and its certificate
 * @throws IllegalArgumentException if {@code validityYears} is not positive
 */
private static Pair<PrivateKey, X509Certificate> generateKeyAndCertificate(String asymmetric, String sign,
        int validityYears, String dn) throws NoSuchAlgorithmException, OperatorCreationException, CertificateException {
    Preconditions.checkArgument(validityYears > 0, "validityYears <= 0");
    KeyPair keys = KeyPairGenerator.getInstance(asymmetric).generateKeyPair();
    Date notBefore = new Date(System.currentTimeMillis());
    // 31536000000 ms = 365 days; the int is widened to long before multiplying, so no overflow.
    Date notAfter = new Date(System.currentTimeMillis() + validityYears * 31536000000L);
    X500Name name = new X500Name(new X500Principal(dn).getName());
    SubjectPublicKeyInfo publicKeyInfo = SubjectPublicKeyInfo.getInstance(keys.getPublic().getEncoded());
    X509v1CertificateBuilder certBuilder =
            new X509v1CertificateBuilder(name, BigInteger.ONE, notBefore, notAfter, name, publicKeyInfo);
    ContentSigner signer = new JcaContentSignerBuilder(sign)
            .setProvider(new BouncyCastleProvider())
            .build(keys.getPrivate());
    X509CertificateHolder holder = certBuilder.build(signer);
    X509Certificate certificate = new JcaX509CertificateConverter()
            .setProvider(new BouncyCastleProvider())
            .getCertificate(holder);
    return Pair.of(keys.getPrivate(), certificate);
}
Example #19
Source File: SignedJarBuilder.java From javaide with GNU General Public License v3.0 | 5 votes |
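/**
 * Write the certificate file with a digital signature: appends to {@code mOutputJar} the DER-encoded
 * CMS signature of {@code data}, made with {@code privateKey} ("SHA1with" + key algorithm, direct
 * signature) and carrying {@code publicKey} as the only embedded certificate. The output jar stream
 * is flushed and closed afterwards, as in the original.
 *
 * @param data the signature-file contents to sign
 * @param publicKey the signer's certificate
 * @param privateKey the matching private key
 */
private void writeSignatureBlock(CMSTypedData data, X509Certificate publicKey, PrivateKey privateKey)
        throws IOException, CertificateEncodingException, OperatorCreationException, CMSException {
    ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>();
    certList.add(publicKey);
    JcaCertStore certs = new JcaCertStore(certList);
    CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
    // SHA-1 is what the original used for this v1 (JAR) signature; it is no longer collision resistant.
    ContentSigner sha1Signer = new JcaContentSignerBuilder("SHA1with" + privateKey.getAlgorithm())
            .build(privateKey);
    gen.addSignerInfoGenerator(
            new JcaSignerInfoGeneratorBuilder(new JcaDigestCalculatorProviderBuilder().build())
                    .setDirectSignature(true)
                    .build(sha1Signer, publicKey));
    gen.addCertificates(certs);
    CMSSignedData sigData = gen.generate(data, false);
    // try-with-resources closes the ASN.1 reader even when readObject()/writeObject() throws;
    // the original only closed it on the success path.
    try (ASN1InputStream asn1 = new ASN1InputStream(sigData.getEncoded())) {
        DEROutputStream dos = new DEROutputStream(mOutputJar);
        dos.writeObject(asn1.readObject());
        dos.flush();
        dos.close();
    }
}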
Example #20
Source File: ZipUtils.java From isu with GNU General Public License v3.0 | 5 votes |
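/**
 * Sign data and write the digital signature to 'out': a detached, direct-signature CMS SignedData
 * over {@code data}, signed with {@code privateKey} using the algorithm chosen by
 * {@code getSignatureAlgorithm(publicKey)} through {@code sBouncyCastleProvider}, embedding
 * {@code publicKey} as the only certificate and DER-encoded. {@code out} is neither flushed nor closed.
 *
 * @param data the bytes to sign
 * @param publicKey the signer certificate
 * @param privateKey the matching private key
 * @param out destination for the DER bytes
 */
private static void writeSignatureBlock(CMSTypedData data, X509Certificate publicKey, PrivateKey privateKey,
        OutputStream out) throws IOException, CertificateEncodingException, OperatorCreationException, CMSException {
    ArrayList<X509Certificate> certList = new ArrayList<>(1);
    certList.add(publicKey);
    JcaCertStore certs = new JcaCertStore(certList);
    CMSSignedDataGenerator gen = new CMSSignedDataGenerator();
    ContentSigner signer = new JcaContentSignerBuilder(getSignatureAlgorithm(publicKey))
            .setProvider(sBouncyCastleProvider)
            .build(privateKey);
    gen.addSignerInfoGenerator(
            new JcaSignerInfoGeneratorBuilder(
                    new JcaDigestCalculatorProviderBuilder().setProvider(sBouncyCastleProvider).build())
                    .setDirectSignature(true)
                    .build(signer, publicKey));
    gen.addCertificates(certs);
    CMSSignedData sigData = gen.generate(data, false);
    // Re-encode as DER. try-with-resources closes the ASN.1 reader, which the original never closed.
    try (ASN1InputStream asn1 = new ASN1InputStream(sigData.getEncoded())) {
        new DEROutputStream(out).writeObject(asn1.readObject());
    }
}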
Example #21
Source File: TLSCertificateBuilder.java From fabric-sdk-java with Apache License 2.0 | 5 votes |
/**
 * Builds a self-signed TLS certificate for {@code keyPair}: a critical non-CA basicConstraints,
 * keyUsage keyEncipherment | digitalSignature, the extended key usage supplied by {@code certType},
 * and an optional subjectAltName. Signed with the instance's {@code signatureAlgorithm} and
 * converted through a fresh Bouncy Castle provider instance.
 *
 * @param certType supplies the extended key usage
 * @param keyPair key to certify and to sign with
 * @param san subject alternative name, or null for none
 */
private X509Certificate createSelfSignedCertificate(CertType certType, KeyPair keyPair, String san) throws Exception {
    X509v3CertificateBuilder builder = createCertBuilder(keyPair);
    // Basic constraints: cA=false, critical
    builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false).getEncoded());
    // Key usage
    KeyUsage keyUsage = new KeyUsage(KeyUsage.keyEncipherment | KeyUsage.digitalSignature);
    builder.addExtension(Extension.keyUsage, false, keyUsage.getEncoded());
    // Extended key usage from the certificate type
    builder.addExtension(Extension.extendedKeyUsage, false, certType.keyUsage().getEncoded());
    if (san != null) {
        addSAN(builder, san);
    }
    ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).build(keyPair.getPrivate());
    X509CertificateHolder holder = builder.build(signer);
    JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
    converter.setProvider(new BouncyCastleProvider());
    return converter.getCertificate(holder);
}
Example #22
Source File: Certificates.java From icure-backend with GNU General Public License v2.0 | 5 votes |
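/**
 * Creates a Master certificate for ICure: a self-signed CA certificate (C=BE, O=Taktik,
 * OU=ICureCloud, CN=ICureCloud) for {@code publicKey}, signed with SHA256withRSA by
 * {@code privateKey} through the lightweight BC API, valid from 10 s ago for 24 h. The signature is
 * verified against {@code publicKey} before the certificate is returned.
 *
 * @throws Exception from building, conversion or verification; verify() fails if the keys do not match
 */
public static X509Certificate createMasterCertificateV3(PublicKey publicKey, PrivateKey privateKey) throws Exception {
    // Self-signed: one name serves as both issuer and subject.
    X500Name name = new X500Name("C=BE, O=Taktik, OU=ICureCloud, CN=ICureCloud");
    // RFC 5280 §4.1.2.2 requires a positive serial. nextLong() is signed and the original could emit
    // a negative one; abs() preserves the 64 random bits and max(ONE) covers the 2^-64 zero case.
    BigInteger serial = BigInteger.valueOf(RSAKeysUtils.random.nextLong()).abs().max(BigInteger.ONE);
    Date notBefore = new Date(System.currentTimeMillis() - 10000);
    Date notAfter = new Date(System.currentTimeMillis() + 24L * 3600 * 1000);
    SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
    X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(name, serial, notBefore, notAfter, name, spki);
    certBuilder.addExtension(X509Extension.basicConstraints, true, new BasicConstraints(true)); // icure is CA
    // Lightweight (non-JCA) signer: resolve the algorithm identifiers and re-parse the private key.
    AlgorithmIdentifier signatureAlgorithmId = new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256withRSA");
    AlgorithmIdentifier digestAlgorithmId = new DefaultDigestAlgorithmIdentifierFinder().find(signatureAlgorithmId);
    AsymmetricKeyParameter akp = PrivateKeyFactory.createKey(privateKey.getEncoded());
    ContentSigner contentSigner = new BcRSAContentSignerBuilder(signatureAlgorithmId, digestAlgorithmId).build(akp);
    X509CertificateHolder holder = certBuilder.build(contentSigner);
    Certificate certificateStructure = holder.toASN1Structure();
    X509Certificate certificate = convertToJavaCertificate(certificateStructure);
    // Round-trip check: proves the private key matches publicKey and the encoding is intact.
    certificate.verify(publicKey);
    return certificate;
}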
Example #23
Source File: CertificateGeneratorTest.java From credhub with Apache License 2.0 | 5 votes |
/**
 * Builds (without converting) an X.509v3 certificate for {@code certKeyPair}'s public key, issued
 * by {@code caDn} and signed by {@code caPrivateKey} with SHA256withRSA through the BC-FIPS
 * provider. Validity runs 365 days from the {@code CurrentTimeProvider}'s now; the serial is the
 * fixed value 10 (test fixture); {@code isCa} drives a critical basicConstraints extension.
 */
private X509CertificateHolder makeCert(final KeyPair certKeyPair, final PrivateKey caPrivateKey,
        final X500Name caDn, final X500Name subjectDn, final boolean isCa)
        throws OperatorCreationException, NoSuchAlgorithmException, CertIOException {
    final SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(certKeyPair.getPublic().getEncoded());
    final ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
            .setProvider(BouncyCastleFipsProvider.PROVIDER_NAME)
            .build(caPrivateKey);
    final Instant notBefore = Instant.from(new CurrentTimeProvider().getInstant());
    final Instant notAfter = notBefore.plus(Duration.ofDays(365));
    final X509v3CertificateBuilder builder = new X509v3CertificateBuilder(
            caDn, BigInteger.TEN, Date.from(notBefore), Date.from(notAfter), subjectDn, spki);
    builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(isCa));
    return builder.build(signer);
}
Example #24
Source File: CertificateHelper.java From AndroidHttpCapture with MIT License | 5 votes |
/**
 * Signs the certificate described by {@code certificateBuilder} with {@code signedWithPrivateKey}
 * using the class-wide SIGNATURE_ALGORITHM and PROVIDER_NAME, and converts the result to a JCA
 * {@link X509Certificate} through the same provider.
 */
private static X509Certificate signCertificate(X509v3CertificateBuilder certificateBuilder,
        PrivateKey signedWithPrivateKey) throws OperatorCreationException, CertificateException {
    JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(PROVIDER_NAME);
    ContentSigner signer = signerBuilder.build(signedWithPrivateKey);
    JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(PROVIDER_NAME);
    return converter.getCertificate(certificateBuilder.build(signer));
}
Example #25
Source File: CertificateServiceImpl.java From graviteeio-access-management with Apache License 2.0 | 5 votes |
/**
 * Generates a self-signed CA certificate ({@code dn} as issuer and subject) for {@code keyPair},
 * valid from now for {@code validity} days and signed with {@code sigAlgName}. The serial is the
 * current time in milliseconds; basicConstraints (OID 2.5.29.19, critical) is set to cA=true.
 * Registers a Bouncy Castle provider instance on every call and converts through it.
 *
 * @param dn X.500 name used for both issuer and subject
 * @param keyPair key to certify and to sign with
 * @param validity validity in days
 * @param sigAlgName JCA signature algorithm; must match the key pair's algorithm
 */
private X509Certificate generateCertificate(String dn, KeyPair keyPair, int validity, String sigAlgName)
        throws GeneralSecurityException, IOException, OperatorCreationException {
    Provider bcProvider = new BouncyCastleProvider();
    Security.addProvider(bcProvider);
    X500Name name = new X500Name(dn);
    Date notBefore = new Date();
    // validity is widened to long before the multiplication (days -> milliseconds).
    Date notAfter = new Date(notBefore.getTime() + validity * 1000L * 24L * 60L * 60L);
    // Timestamp serial: unique only if no two certificates are issued in the same millisecond.
    BigInteger serial = BigInteger.valueOf(notBefore.getTime());
    ContentSigner signer = new JcaContentSignerBuilder(sigAlgName).build(keyPair.getPrivate());
    JcaX509v3CertificateBuilder certBuilder =
            new JcaX509v3CertificateBuilder(name, serial, notBefore, notAfter, name, keyPair.getPublic());
    // 2.5.29.19 = id-ce-basicConstraints with cA=true, marked critical as the extension usually is.
    certBuilder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, new BasicConstraints(true));
    return new JcaX509CertificateConverter().setProvider(bcProvider).getCertificate(certBuilder.build(signer));
}
Example #26
Source File: SignHelper.java From Launcher with GNU General Public License v3.0 | 5 votes |
/**
 * Creates a {@link CMSSignedDataGenerator} with a single signer ({@code privateKey} and
 * {@code cert}, algorithm {@code signAlgo}, "BC" provider) and {@code certChain} embedded as the
 * certificate store.
 *
 * @param cert the signer certificate; must be an {@link X509Certificate}
 */
public static CMSSignedDataGenerator createSignedDataGenerator(PrivateKey privateKey, Certificate cert,
        List<Certificate> certChain, String signAlgo)
        throws OperatorCreationException, CertificateEncodingException, CMSException {
    CMSSignedDataGenerator generator = new CMSSignedDataGenerator();
    @SuppressWarnings("rawtypes")
    Store certStore = new JcaCertStore(certChain);
    ContentSigner signer = new JcaContentSignerBuilder(signAlgo).setProvider("BC").build(privateKey);
    DigestCalculatorProvider digestProvider = new JcaDigestCalculatorProviderBuilder().setProvider("BC").build();
    SignerInfoGenerator signerInfo =
            new JcaSignerInfoGeneratorBuilder(digestProvider).build(signer, (X509Certificate) cert);
    generator.addSignerInfoGenerator(signerInfo);
    generator.addCertificates(certStore);
    return generator;
}
Example #27
Source File: CertificateHelper.java From signer with GNU Lesser General Public License v3.0 | 5 votes |
/**
 * Signs {@code certificateBuilder} with {@code signedWithPrivateKey} using SIGNATURE_ALGORITHM and
 * PROVIDER_NAME, then converts the holder to a JCA {@link X509Certificate} via the same provider.
 */
private static X509Certificate signCertificate(X509v3CertificateBuilder certificateBuilder,
        PrivateKey signedWithPrivateKey) throws OperatorCreationException, CertificateException {
    ContentSigner signer = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM)
            .setProvider(PROVIDER_NAME)
            .build(signedWithPrivateKey);
    JcaX509CertificateConverter converter = new JcaX509CertificateConverter().setProvider(PROVIDER_NAME);
    return converter.getCertificate(certificateBuilder.build(signer));
}
Example #28
Source File: BouncyCastleProviderConfigurationTest.java From credhub with Apache License 2.0 | 5 votes |
/**
 * Checks that the configured {@code jcaContentSignerBuilder} yields a signer whose algorithm
 * identifier is {@code sha256WithRSAEncryption} for a freshly generated private key.
 */
@Test
public void jcaContentSignerBuilder() throws Exception {
    final PrivateKey signingKey = generator.generateKeyPair().getPrivate();
    final ContentSigner signer = jcaContentSignerBuilder.build(signingKey);
    assertThat(signer.getAlgorithmIdentifier().getAlgorithm(), equalTo(sha256WithRSAEncryption));
}
Example #29
Source File: OcspCertificateValidatorTest.java From localization_nifi with Apache License 2.0 | 5 votes |
/**
 * Generates a signed certificate with a specific keypair.
 * Self-signed: {@code dn} is both issuer and subject, and the private key of {@code keyPair} signs
 * with SIGNATURE_ALGORITHM through PROVIDER. Validity is [YESTERDAY, ONE_YEAR_FROM_NOW]; the serial
 * is the current time in milliseconds. Extensions: critical keyUsage (digitalSignature,
 * keyEncipherment, dataEncipherment, keyAgreement) and non-critical extendedKeyUsage
 * (clientAuth, serverAuth).
 *
 * @param dn the DN
 * @param keyPair the public key will be included in the certificate and the private key is used to sign the certificate
 * @return the certificate
 * @throws IOException if an exception occurs
 * @throws NoSuchAlgorithmException if an exception occurs
 * @throws CertificateException if an exception occurs
 * @throws NoSuchProviderException if an exception occurs
 * @throws SignatureException if an exception occurs
 * @throws InvalidKeyException if an exception occurs
 * @throws OperatorCreationException if an exception occurs
 */
private static X509Certificate generateCertificate(String dn, KeyPair keyPair) throws IOException,
        NoSuchAlgorithmException, CertificateException, NoSuchProviderException, SignatureException,
        InvalidKeyException, OperatorCreationException {
    ContentSigner signer = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM)
            .setProvider(PROVIDER)
            .build(keyPair.getPrivate());
    X500Name name = new X500Name(dn);
    SubjectPublicKeyInfo subjectKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
    X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(
            name, BigInteger.valueOf(System.currentTimeMillis()),
            new Date(YESTERDAY), new Date(ONE_YEAR_FROM_NOW),
            name, subjectKeyInfo);
    // (1) keyUsage, critical
    int usageBits = KeyUsage.digitalSignature | KeyUsage.keyEncipherment
            | KeyUsage.dataEncipherment | KeyUsage.keyAgreement;
    certBuilder.addExtension(X509Extension.keyUsage, true, new KeyUsage(usageBits));
    // (2) extendedKeyUsage, non-critical
    Vector<KeyPurposeId> purposes = new Vector<>();
    purposes.add(KeyPurposeId.id_kp_clientAuth);
    purposes.add(KeyPurposeId.id_kp_serverAuth);
    certBuilder.addExtension(X509Extension.extendedKeyUsage, false, new ExtendedKeyUsage(purposes));
    // Sign and convert
    X509CertificateHolder holder = certBuilder.build(signer);
    return new JcaX509CertificateConverter().setProvider(PROVIDER).getCertificate(holder);
}
Example #30
Source File: JwtSecurityProviderIntegrationTest.java From cruise-control with BSD 2-Clause "Simplified" License | 5 votes |
/**
 * Writes a self-signed certificate for {@code tokenAndKeys} (subject and issuer
 * "C=US, ST=California, L=Santa Clara, O=LinkedIn, CN=localhost", SHA256WithRSA, serial = current
 * millis, valid 100 years from now) as a PEM file in the temp directory and returns that file.
 * Registers a Bouncy Castle provider instance on each call. The PEM body is a single unwrapped
 * base64 line; the caller owns the temp file.
 */
private File createCertificate(TokenGenerator.TokenAndKeys tokenAndKeys) throws Exception {
    Provider bcProvider = new BouncyCastleProvider();
    Security.addProvider(bcProvider);
    long nowMillis = System.currentTimeMillis();
    Date notBefore = new Date(nowMillis);
    Calendar expiry = Calendar.getInstance();
    expiry.setTime(notBefore);
    expiry.add(Calendar.YEAR, 100);
    Date notAfter = expiry.getTime();
    X500Name name = new X500Name("C=US, ST=California, L=Santa Clara, O=LinkedIn, CN=localhost");
    BigInteger serial = new BigInteger(Long.toString(nowMillis));
    ContentSigner signer = new JcaContentSignerBuilder("SHA256WithRSA").build(tokenAndKeys.privateKey());
    JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
            name, serial, notBefore, notAfter, name, tokenAndKeys.publicKey());
    X509Certificate cert = new JcaX509CertificateConverter()
            .setProvider(bcProvider)
            .getCertificate(certBuilder.build(signer));
    File pemFile = File.createTempFile("test-certificate", ".pub");
    String pem = "-----BEGIN CERTIFICATE-----\n"
            + Base64.getEncoder().encodeToString(cert.getEncoded())
            + "\n-----END CERTIFICATE-----\n";
    try (OutputStream os = new FileOutputStream(pemFile)) {
        os.write(pem.getBytes(StandardCharsets.UTF_8));
    }
    return pemFile;
}