本文整理汇总了Java中org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure类的典型用法代码示例。如果您正苦于以下问题:Java AuthorityKeyIdentifierStructure类的具体用法?Java AuthorityKeyIdentifierStructure怎么用?Java AuthorityKeyIdentifierStructure使用的例子?那么, 这里精选的类代码示例或许可以为您提供帮助。注意:AuthorityKeyIdentifierStructure 以及下文示例中配套使用的 X509V3CertificateGenerator / X509V2CRLGenerator 属于 BouncyCastle 中已标记为 deprecated 的旧版 API(示例7、示例8 中的 @SuppressWarnings("deprecation") 即为此故);另外不少示例是测试代码(序列号固定为 1、有效期仅前后 50 秒、个别使用 SHA-1 签名等),直接用于生产环境前需要调整序列号生成、有效期和签名算法。
示例1: generateSignedCertificate
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
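/**
 * Issues an end-entity certificate for {@code csr}, signed with the root key.
 * <p>
 * The request's self-signature is verified first (proof of possession of the private
 * key being certified). The certificate is valid for one year from now, carries AKI/SKI,
 * a critical {@code cA=false} BasicConstraints and a
 * {@code digitalSignature|keyEncipherment} KeyUsage, and is signed with
 * {@code ALGORITHM_SHA256_RSA}.
 *
 * @param csr the PKCS#10 request to sign; its subject and public key are copied verbatim,
 *            so callers must authorize the requested subject before calling this
 * @return the signed X.509 v3 certificate
 * @throws SignatureException if the CSR signature does not verify, or signing fails
 */
private X509Certificate generateSignedCertificate(
        PKCS10CertificationRequest csr) throws NoSuchAlgorithmException,
        NoSuchProviderException, InvalidKeyException,
        CertificateParsingException, CertificateEncodingException,
        SignatureException {
    // Never sign a request whose self-signature fails: the signature is the only
    // evidence that the requester holds the private key for the public key in the CSR.
    if (!csr.verify("BC")) {
        throw new SignatureException("CSR signature verification failed");
    }
    java.security.PublicKey subjectKey = csr.getPublicKey("BC");

    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    // Random 64-bit serial (+1 so it can never be zero): a wall-clock serial is
    // predictable and collides when two certificates are issued in the same millisecond.
    certGen.setSerialNumber(
            new BigInteger(64, new java.security.SecureRandom()).add(BigInteger.ONE));
    certGen.setIssuerDN(rootCert.getSubjectX500Principal());
    Calendar validity = Calendar.getInstance();
    certGen.setNotBefore(validity.getTime());
    validity.add(Calendar.YEAR, 1);
    certGen.setNotAfter(validity.getTime());
    certGen.setSubjectDN(csr.getCertificationRequestInfo().getSubject());
    certGen.setPublicKey(subjectKey);
    certGen.setSignatureAlgorithm(ALGORITHM_SHA256_RSA);
    certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(rootCert.getPublicKey()));
    certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false,
            new SubjectKeyIdentifierStructure(subjectKey));
    // Critical cA=false: the issued certificate can never act as a CA.
    certGen.addExtension(X509Extensions.BasicConstraints, true,
            new BasicConstraints(false));
    certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(
            KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
    return certGen.generate(rootPrivateKeyEntry.getPrivateKey());
}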
示例2: generateIntermediateCert
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
/**
 * Test fixture: builds an intermediate CA certificate for {@code intKey}, issued under
 * {@code caCert}'s subject and signed with {@code caKey}.
 * <p>
 * Serial is fixed to 1 and validity is only +/-50 seconds around now, so this is not
 * usable as-is outside a test. The critical BasicConstraints has pathLenConstraint 0
 * (the intermediate may sign end-entity certificates only) and KeyUsage permits
 * digitalSignature, keyCertSign and cRLSign.
 */
public static X509Certificate generateIntermediateCert(PublicKey intKey, PrivateKey caKey, X509Certificate caCert)
    throws Exception
{
    final long nowMillis = System.currentTimeMillis();
    final int caKeyUsage = KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign;

    X509V3CertificateGenerator builder = new X509V3CertificateGenerator();
    builder.setSerialNumber(BigInteger.ONE);
    builder.setIssuerDN(PrincipalUtil.getSubjectX509Principal(caCert));
    builder.setNotBefore(new Date(nowMillis - 50000));
    builder.setNotAfter(new Date(nowMillis + 50000));
    builder.setSubjectDN(new X509Principal("CN=Test Intermediate Certificate"));
    builder.setPublicKey(intKey);
    builder.setSignatureAlgorithm("SHA256WithRSAEncryption");

    // Extension order is kept as in the original fixture.
    builder.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
    builder.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(intKey));
    builder.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(0));
    builder.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(caKeyUsage));

    return builder.generate(caKey, "BC");
}
示例3: generateEndEntityCert
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
/**
 * Test fixture: builds an end-entity certificate for {@code entityKey}, issued under
 * {@code caCert}'s subject and signed with {@code caKey}.
 * <p>
 * Serial is fixed to 1 and validity is only +/-50 seconds around now. The critical
 * BasicConstraints asserts {@code cA=false} and KeyUsage permits digitalSignature and
 * keyEncipherment only.
 */
public static X509Certificate generateEndEntityCert(PublicKey entityKey, PrivateKey caKey, X509Certificate caCert)
    throws Exception
{
    final long nowMillis = System.currentTimeMillis();
    final int leafKeyUsage = KeyUsage.digitalSignature | KeyUsage.keyEncipherment;

    X509V3CertificateGenerator builder = new X509V3CertificateGenerator();
    builder.setSerialNumber(BigInteger.ONE);
    builder.setIssuerDN(PrincipalUtil.getSubjectX509Principal(caCert));
    builder.setNotBefore(new Date(nowMillis - 50000));
    builder.setNotAfter(new Date(nowMillis + 50000));
    builder.setSubjectDN(new X509Principal("CN=Test End Certificate"));
    builder.setPublicKey(entityKey);
    builder.setSignatureAlgorithm("SHA256WithRSAEncryption");

    // Extension order is kept as in the original fixture.
    builder.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
    builder.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(entityKey));
    builder.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
    builder.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(leafKeyUsage));

    return builder.generate(caKey, "BC");
}
示例4: createCRL
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
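/**
 * Test fixture: creates a CRL, signed with {@code caKey} and issued under
 * {@code caCert}'s subject, that revokes {@code serialNumber} with reason
 * privilegeWithdrawn as of now. nextUpdate is 100 seconds after thisUpdate and the
 * cRLNumber is always 1.
 * <p>
 * NOTE(review): relying parties use cRLNumber to decide which CRL is newer, so a real
 * CA must persist and increment it on every issue rather than hard-code 1.
 *
 * @param caCert       issuing CA certificate (issuer name and AKI source)
 * @param caKey        issuing CA private key
 * @param serialNumber serial of the certificate to revoke
 * @return the signed CRL
 */
public static X509CRL createCRL(
    X509Certificate caCert,
    PrivateKey caKey,
    BigInteger serialNumber)
    throws Exception
{
    X509V2CRLGenerator crlGen = new X509V2CRLGenerator();
    Date now = new Date();
    // The CRL issuer must match the issuer name of the certificates it covers,
    // i.e. the CA certificate's subject.
    crlGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(caCert));
    crlGen.setThisUpdate(now);
    crlGen.setNextUpdate(new Date(now.getTime() + 100000));
    crlGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
    crlGen.addCRLEntry(serialNumber, now, CRLReason.privilegeWithdrawn);
    crlGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
    crlGen.addExtension(X509Extensions.CRLNumber, false, new CRLNumber(BigInteger.valueOf(1)));
    return crlGen.generate(caKey, "BC");
}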
示例5: sign
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
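/**
 * Issues a certificate for {@code publicKey} with subject {@code CN=<CN>}, signed by the
 * CA's {@code privateKey} and issued under {@code caCert}'s subject.
 * <p>
 * The CN value is escaped for RFC 2253 before it is spliced into the DN string; without
 * that, a CN containing ',' or '+' (e.g. a caller-supplied name such as
 * {@code "foo,O=Evil"}) would be parsed as additional RDNs and end up in the subject.
 * <p>
 * NOTE(review): only AKI and SKI are added — no BasicConstraints and no KeyUsage — so the
 * result carries no explicit {@code cA=false}. Callers issuing end-entity certificates
 * may want to add a critical {@code BasicConstraints(false)}; not added here because it
 * would change what this method can issue.
 *
 * @param CN           common name for the subject (used verbatim as the CN value)
 * @param publicKey    public key being certified
 * @param expiryDate   time after which the certificate is not valid
 * @param serialNumber serial number for the certificate (caller must guarantee uniqueness)
 * @param caCert       public key certificate of the certifying authority
 * @param privateKey   private key of the certifying authority
 * @return the signed certificate
 * @throws IllegalArgumentException if {@code CN} is null
 */
public static X509Certificate sign(String CN, PublicKey publicKey, Date expiryDate, long serialNumber, X509Certificate caCert, PrivateKey privateKey) throws CertificateParsingException, CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException {
    if (CN == null) {
        throw new IllegalArgumentException("CN must not be null");
    }
    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    X500Principal subjectName = new X500Principal("CN=" + escapeDnValue(CN));
    certGen.setSerialNumber(BigInteger.valueOf(serialNumber));
    certGen.setIssuerDN(caCert.getSubjectX500Principal());
    certGen.setNotBefore(new Date());
    certGen.setNotAfter(expiryDate);
    certGen.setSubjectDN(subjectName);
    certGen.setPublicKey(publicKey);
    certGen.setSignatureAlgorithm(DEFAULT_SIGNATURE_ALGORITHM);
    certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(caCert));
    certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false,
            new SubjectKeyIdentifierStructure(publicKey));
    X509Certificate cert = certGen.generate(privateKey, "BC"); // note: private key of CA
    return cert;
}

/**
 * Escapes an attribute value for use inside an RFC 2253 DN string: backslash-escapes
 * {@code , + " \ < > ;}, a leading {@code #} or space, and a trailing space.
 * Package-private so it can be unit-tested.
 */
static String escapeDnValue(String value) {
    StringBuilder escaped = new StringBuilder(value.length() + 8);
    int last = value.length() - 1;
    for (int i = 0; i <= last; i++) {
        char ch = value.charAt(i);
        boolean special = ch == ',' || ch == '+' || ch == '"' || ch == '\\'
                || ch == '<' || ch == '>' || ch == ';';
        boolean edgeSpecial = (i == 0 && (ch == '#' || ch == ' '))
                || (i == last && ch == ' ');
        if (special || edgeSpecial) {
            escaped.append('\\');
        }
        escaped.append(ch);
    }
    return escaped.toString();
}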
示例6: generateClientCertificate
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
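/**
 * Issues the cluster node certificate for {@code keyPair}, signed by the root CA.
 * <p>
 * Validity runs from one day ago (presumably to tolerate clock skew between nodes)
 * to ten years from now. The certificate carries AKI/SKI and a critical {@code cA=false}
 * BasicConstraints. Master nodes additionally get a SubjectAlternativeName covering
 * {@code publicIPAddress}, the fixed in-cluster addresses 10.0.0.1 and 10.1.1.1, and the
 * standard kubernetes service DNS names.
 *
 * @param rootCAPrivateKey signing key; must belong to {@code rootCACert}
 * @param rootCACert       root CA certificate; its subject becomes the issuer and it feeds the AKI
 * @param keyPair          the node's key pair (only the public key is certified)
 * @param publicIPAddress  node's public IP, placed in the SAN of master nodes only
 * @param isMasterNode     whether to add the master-node SAN
 * @return the signed certificate
 */
public X509Certificate generateClientCertificate(final PrivateKey rootCAPrivateKey, final X509Certificate rootCACert,
    final KeyPair keyPair, final String publicIPAddress, final boolean isMasterNode) throws IOException, CertificateParsingException, InvalidKeyException, NoSuchAlgorithmException, CertificateEncodingException, NoSuchProviderException, SignatureException, InvalidKeySpecException {
    final DateTime now = DateTime.now(DateTimeZone.UTC);
    final X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    // Random serial: System.currentTimeMillis() is guessable and repeats when two nodes
    // are enrolled within the same millisecond, and serials must be unique per issuer.
    certGen.setSerialNumber(new BigInteger(64, new java.security.SecureRandom()).add(BigInteger.ONE));
    // The issuer name must equal the signing certificate's subject. Taking it from
    // rootCACert (instead of the CCS_ROOTCA_CN constant) keeps it consistent with the
    // AKI below even if the constant and the real root certificate drift apart.
    certGen.setIssuerDN(rootCACert.getSubjectX500Principal());
    certGen.setSubjectDN(new X500Principal(CCS_CLUSTER_CN));
    certGen.setNotBefore(now.minusDays(1).toDate());
    certGen.setNotAfter(now.plusYears(10).toDate());
    certGen.setPublicKey(keyPair.getPublic());
    certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
    certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
        new AuthorityKeyIdentifierStructure(rootCACert));
    certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false,
        new SubjectKeyIdentifierStructure(keyPair.getPublic()));
    // Critical cA=false: a node certificate must never be usable to sign further certificates.
    certGen.addExtension(X509Extensions.BasicConstraints, true,
        new org.bouncycastle.asn1.x509.BasicConstraints(false));
    if (isMasterNode) {
        final List<ASN1Encodable> subjectAlternativeNames = new ArrayList<ASN1Encodable>();
        subjectAlternativeNames.add(new GeneralName(GeneralName.iPAddress, publicIPAddress));
        // Fixed in-cluster addresses and the well-known kubernetes service names.
        subjectAlternativeNames.add(new GeneralName(GeneralName.iPAddress, "10.0.0.1"));
        subjectAlternativeNames.add(new GeneralName(GeneralName.iPAddress, "10.1.1.1"));
        subjectAlternativeNames.add(new GeneralName(GeneralName.dNSName, "kubernetes"));
        subjectAlternativeNames.add(new GeneralName(GeneralName.dNSName, "kubernetes.default"));
        subjectAlternativeNames.add(new GeneralName(GeneralName.dNSName, "kubernetes.default.svc"));
        subjectAlternativeNames.add(new GeneralName(GeneralName.dNSName, "kubernetes.default.svc.cluster.local"));
        final DERSequence subjectAlternativeNamesExtension = new DERSequence(
            subjectAlternativeNames.toArray(new ASN1Encodable[subjectAlternativeNames.size()]));
        certGen.addExtension(X509Extensions.SubjectAlternativeName, false,
            subjectAlternativeNamesExtension);
    }
    return certGen.generate(rootCAPrivateKey, "BC");
}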
示例7: generateCRL
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
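/**
 * Builds and signs a CRL for the CA named {@code caName}.
 * <p>
 * The CRL is issued under the CA certificate's own subject name — per RFC 5280 CRL
 * validation the CRL issuer must match the issuer name of the certificates it covers —
 * carries an AKI pointing at the CA certificate, and is valid for three hours from now.
 * <p>
 * NOTE(review): no revoked entries are added and cRLNumber is always 1. Relying parties
 * use cRLNumber to decide which CRL is newer, so a production CA must persist and
 * increment it, and add its revocations here.
 *
 * @param caName name of the CA in {@code caRepository}
 * @return the signed CRL
 * @throws RuntimeException if the CA does not exist or generation fails (cause attached)
 */
@SuppressWarnings("deprecation")
public X509CRL generateCRL(String caName) {
    try {
        CertificateAuthority ca = this.caRepository.findOneByName(caName);
        if (ca == null) {
            throw new RuntimeException("Error getting CRL for non existing CA: " + caName);
        }
        X509Certificate caCertificate = new JcaX509CertificateConverter()
                .getCertificate(ca.getIdentityContainer().getCertificate());
        Date now = new Date();
        // thisUpdate + 3h in epoch millis. The deprecated field-wise Date constructor used
        // before went through local-time calendar fields and silently dropped the seconds.
        Date nextUpdate = new Date(now.getTime() + 3L * 60 * 60 * 1000);

        X509V2CRLGenerator crlGenerator = new X509V2CRLGenerator();
        // Take the issuer from the certificate itself rather than re-deriving a DN string,
        // so it is byte-for-byte the name the CA's certificates carry as issuer.
        crlGenerator.setIssuerDN(caCertificate.getSubjectX500Principal());
        crlGenerator.setThisUpdate(now);
        crlGenerator.setNextUpdate(nextUpdate);
        crlGenerator.setSignatureAlgorithm("SHA256withRSA");
        crlGenerator.addExtension(Extension.authorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCertificate));
        crlGenerator.addExtension(Extension.cRLNumber, false, new CRLNumber(BigInteger.ONE));
        return crlGenerator.generateX509CRL(ca.getIdentityContainer().getPrivateKey(), BouncyCastleProvider.PROVIDER_NAME);
    } catch (Exception e) {
        throw new RuntimeException("Error while generating CRL: " + e.getMessage(), e);
    }
}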
示例8: generateSignedCertificate
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
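/**
 * Issues a certificate for {@code pair}'s public key with subject {@code dn}, signed by
 * {@code caKey} and issued under {@code caCert}'s subject, valid from now for
 * {@code days} days, with a random 64-bit serial and AKI/SKI extensions.
 * <p>
 * NOTE(review): no BasicConstraints or KeyUsage are added, so the result carries no
 * explicit {@code cA=false}; callers issuing end-entity certificates may want to add one.
 *
 * @param dn        subject distinguished name in RFC 2253 string form
 * @param pair      key pair being certified (only the public key is used)
 * @param days      validity in days; must be positive
 * @param algorithm JCA signature algorithm name, e.g. "SHA256withRSA"
 * @param caKey     issuer's private key
 * @param caCert    issuer's certificate (its subject becomes the issuer, it feeds the AKI)
 * @return the signed certificate
 * @throws IllegalArgumentException if {@code days} is not positive (notAfter would precede notBefore)
 */
@SuppressWarnings("deprecation")
public static X509Certificate generateSignedCertificate(String dn, KeyPair pair, int days, String algorithm,
                                                        PrivateKey caKey, X509Certificate caCert) throws CertificateParsingException,
                                                                                                          CertificateEncodingException,
                                                                                                          NoSuchAlgorithmException,
                                                                                                          SignatureException,
                                                                                                          InvalidKeyException,
                                                                                                          NoSuchProviderException {
    if (days <= 0) {
        throw new IllegalArgumentException("days must be positive, got " + days);
    }
    Date from = new Date();
    Date to = new Date(from.getTime() + days * 86400000L);
    // 64 random bits: a serial must be unique per issuer and should not be guessable.
    BigInteger sn = new BigInteger(64, new SecureRandom());
    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    X500Principal subjectName = new X500Principal(dn);
    certGen.setSerialNumber(sn);
    certGen.setIssuerDN(caCert.getSubjectX500Principal());
    certGen.setNotBefore(from);
    certGen.setNotAfter(to);
    certGen.setSubjectDN(subjectName);
    certGen.setPublicKey(pair.getPublic());
    certGen.setSignatureAlgorithm(algorithm);
    // 2.5.29.35 = id-ce-authorityKeyIdentifier
    certGen.addExtension(new ASN1ObjectIdentifier("2.5.29.35"), false,
            new AuthorityKeyIdentifierStructure(caCert));
    // 2.5.29.14 = id-ce-subjectKeyIdentifier
    certGen.addExtension(new ASN1ObjectIdentifier("2.5.29.14"), false,
            new SubjectKeyIdentifierStructure(pair.getPublic()));
    return certGen.generate(caKey);
}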
示例9: createIntermediateCert
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
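/**
 * Generates an intermediate CA certificate signed by our CA (BouncyCastle example fixture).
 * <p>
 * Serial 2, subject "The Legion of the Bouncy Castle / Bouncy Intermediate Certificate",
 * validity 30 days either side of now, SKI/AKI set and a critical BasicConstraints with
 * pathLenConstraint 0 (the intermediate may sign end-entity certificates only). The
 * certificate is signed with SHA-256/RSA: the original used SHA-1, which is no longer
 * acceptable for certificate signatures. Uses the shared static {@code v3CertGen},
 * which is reset first.
 *
 * @param pubKey    the intermediate's public key
 * @param caPrivKey the issuing CA's private key
 * @param caCert    the issuing CA's certificate (issuer name and AKI source)
 * @return the signed certificate, after checking its validity window and verifying the signature
 */
public static Certificate createIntermediateCert(
    PublicKey pubKey,
    PrivateKey caPrivKey,
    X509Certificate caCert)
    throws Exception
{
    //
    // subject name table.
    //
    Hashtable attrs = new Hashtable();
    Vector order = new Vector();
    attrs.put(X509Principal.C, "AU");
    attrs.put(X509Principal.O, "The Legion of the Bouncy Castle");
    attrs.put(X509Principal.OU, "Bouncy Intermediate Certificate");
    attrs.put(X509Principal.EmailAddress, "[email protected]");
    order.addElement(X509Principal.C);
    order.addElement(X509Principal.O);
    order.addElement(X509Principal.OU);
    order.addElement(X509Principal.EmailAddress);
    //
    // create the certificate - version 3
    //
    v3CertGen.reset();
    v3CertGen.setSerialNumber(BigInteger.valueOf(2));
    v3CertGen.setIssuerDN(PrincipalUtil.getSubjectX509Principal(caCert));
    v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30));
    v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 30)));
    v3CertGen.setSubjectDN(new X509Principal(order, attrs));
    v3CertGen.setPublicKey(pubKey);
    // SHA-1 signatures are deprecated; SHA-256 is the minimum current relying parties accept.
    v3CertGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
    //
    // extensions
    //
    v3CertGen.addExtension(
        X509Extensions.SubjectKeyIdentifier,
        false,
        new SubjectKeyIdentifierStructure(pubKey));
    v3CertGen.addExtension(
        X509Extensions.AuthorityKeyIdentifier,
        false,
        new AuthorityKeyIdentifierStructure(caCert));
    // Critical cA=true with pathLenConstraint 0: may only issue end-entity certificates.
    v3CertGen.addExtension(
        X509Extensions.BasicConstraints,
        true,
        new BasicConstraints(0));
    X509Certificate cert = v3CertGen.generate(caPrivKey);
    // Sanity-check the result before handing it out.
    cert.checkValidity(new Date());
    cert.verify(caCert.getPublicKey());
    PKCS12BagAttributeCarrier bagAttr = (PKCS12BagAttributeCarrier)cert;
    //
    // this is actually optional - but if you want to have control
    // over setting the friendly name this is the way to do it...
    //
    bagAttr.setBagAttribute(
        PKCSObjectIdentifiers.pkcs_9_at_friendlyName,
        new DERBMPString("Bouncy Intermediate Certificate"));
    return cert;
}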
示例10: addCertificateExtensions
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
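/**
 * Adds the standard end-entity extensions to {@code certGen}: an SKI for {@code pubKey},
 * an AKI for {@code caPubKey}, a critical {@code cA=false} BasicConstraints, a critical
 * KeyUsage of digitalSignature|keyEncipherment, and a critical ExtendedKeyUsage of
 * serverAuth + clientAuth.
 * <p>
 * The commented-out sun.security.x509 equivalents that used to sit between the calls
 * have been removed; the BouncyCastle calls below are the implementation.
 *
 * @param pubKey   subject public key (identifies the certificate being built)
 * @param caPubKey issuer's public key (identifies the signer)
 * @param certGen  generator the extensions are added to
 */
private static void addCertificateExtensions(PublicKey pubKey,
        PublicKey caPubKey, X509V3CertificateGenerator certGen)
        throws IOException, InvalidKeyException {
    certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false,
            new SubjectKeyIdentifierStructure(pubKey));
    certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
            new AuthorityKeyIdentifierStructure(caPubKey));
    // Critical cA=false: this certificate can never be used to sign other certificates.
    certGen.addExtension(X509Extensions.BasicConstraints, true,
            new BasicConstraints(false));
    // Key-usage flags are bits: combine with '|' (the original used '+', which only
    // gives the same result because the two bits are distinct).
    certGen.addExtension(X509Extensions.KeyUsage, true, new X509KeyUsage(
            X509KeyUsage.digitalSignature | X509KeyUsage.keyEncipherment));
    // NOTE(review): EKU is marked critical; RFC 5280 permits that, but it means any
    // relying party that does not understand EKU must reject the certificate — confirm intended.
    Vector<KeyPurposeId> usages = new Vector<KeyPurposeId>();
    usages.add(KeyPurposeId.id_kp_serverAuth);
    usages.add(KeyPurposeId.id_kp_clientAuth);
    certGen.addExtension(X509Extensions.ExtendedKeyUsage, true,
            new ExtendedKeyUsage(usages));
}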
示例11: checkCRLCreation1
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
/**
 * Generates a one-entry CRL under a fresh RSA key and checks: the issuer is
 * "CN=Test CA", the AKI extension is present and parses, the entry for serial 1 is
 * present with that serial, and its reasonCode is privilegeWithdrawn.
 */
public void checkCRLCreation1()
    throws Exception
{
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", "BC");
    X509V2CRLGenerator builder = new X509V2CRLGenerator();
    Date thisUpdate = new Date();
    KeyPair issuerKeys = keyGen.generateKeyPair();
    X500Principal issuer = new X500Principal("CN=Test CA");

    builder.setIssuerDN(issuer);
    builder.setThisUpdate(thisUpdate);
    builder.setNextUpdate(new Date(thisUpdate.getTime() + 100000));
    builder.setSignatureAlgorithm("SHA256WithRSAEncryption");
    builder.addCRLEntry(BigInteger.ONE, thisUpdate, CRLReason.privilegeWithdrawn);
    builder.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(issuerKeys.getPublic()));
    X509CRL crl = builder.generate(issuerKeys.getPrivate(), "BC");

    if (!crl.getIssuerX500Principal().equals(issuer))
    {
        fail("failed CRL issuer test");
    }
    byte[] akiValue = crl.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId());
    if (akiValue == null)
    {
        fail("failed to find CRL extension");
    }
    // Parsing the encoded extension back is the check; the result itself is not inspected.
    AuthorityKeyIdentifier parsedAki = new AuthorityKeyIdentifierStructure(akiValue);

    X509CRLEntry revoked = crl.getRevokedCertificate(BigInteger.ONE);
    if (revoked == null)
    {
        fail("failed to find CRL entry");
    }
    if (!revoked.getSerialNumber().equals(BigInteger.ONE))
    {
        fail("CRL cert serial number does not match");
    }
    if (!revoked.hasExtensions())
    {
        fail("CRL entry extension not found");
    }
    byte[] reasonValue = revoked.getExtensionValue(X509Extensions.ReasonCode.getId());
    if (reasonValue == null)
    {
        fail("CRL entry reasonCode not found");
    }
    else
    {
        DEREnumerated reason = (DEREnumerated)X509ExtensionUtil.fromExtensionValue(reasonValue);
        if (reason.getValue().intValue() != CRLReason.privilegeWithdrawn)
        {
            fail("CRL entry reasonCode wrong");
        }
    }
}
示例12: get
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
/**
 * Issues a short-lived user certificate for {@code infos}, bound to the user's SSH
 * public key and signed by {@code caCert}/{@code caPrivateKey}.
 * <p>
 * Subject RDNs, in order: CN, UID, emailAddress, OU (the user's groups joined by ',').
 * The certificate is valid from {@code hoursBefore} hours ago until {@code hoursAfter}
 * hours from now, is marked {@code cA=false} (critical), carries AKI/SKI, and — when
 * {@code checkCert} is set — is validity-checked and signature-verified before return.
 * <p>
 * NOTE(review): the serial is the UUID's time field, which is predictable. The
 * IssuingDistributionPoint extension is defined for CRLs (RFC 5280 §5.2.5) and the value
 * written here is the raw platform-charset bytes of "hostname:uuid", not DER of the
 * IssuingDistributionPoint structure; it is non-critical so relying parties ignore it,
 * but confirm that a private OID extension is not what was intended.
 *
 * @param infos directory record of the user (uid, cn, mail, groups)
 * @return the issued certificate, wrapped in the project's X509Certificate type
 */
@NotNull
@Override
public X509Certificate get(UserInfo infos)
    throws GeneralSecurityException, NamingException, SshPublicKey.SshPublicKeyLoadingException, ConfigProperties.ConfigLoadingException {
    final UUID uuid = new UUID();
    final X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
    final SshPublicKey sshKey = sshPublicKeyFactory.get(infos.getUid());

    // Subject: ordered RDN list plus the value for each OID.
    final Vector<DERObjectIdentifier> rdnOrder = new Vector<DERObjectIdentifier>();
    final Hashtable<DERObjectIdentifier, String> rdnValues = new Hashtable<DERObjectIdentifier, String>();
    final DERObjectIdentifier[] rdnOids = {
        X509Principal.CN, X509Principal.UID, X509Principal.EmailAddress, X509Principal.OU };
    final String[] rdnText = {
        infos.getCn(), infos.getUid(), infos.getMail(), Joiner.on(',').join(infos.getGroups()) };
    for (int i = 0; i < rdnOids.length; i++) {
        rdnValues.put(rdnOids[i], rdnText[i]);
        rdnOrder.add(rdnOids[i]);
    }
    generator.setSubjectDN(new X509Principal(rdnOrder, rdnValues));

    // Validity window: [now - hoursBefore, now + hoursAfter].
    final Calendar window = Calendar.getInstance();
    window.add(Calendar.HOUR, -hoursBefore);
    generator.setNotBefore(window.getTime());
    window.add(Calendar.HOUR, hoursBefore + hoursAfter);
    generator.setNotAfter(window.getTime());

    // Reuse the UUID time as a SN (abs() guards against a negative time field).
    generator.setSerialNumber(BigInteger.valueOf(uuid.getTime()).abs());
    generator.addExtension(X509Extensions.AuthorityKeyIdentifier, false,
        new AuthorityKeyIdentifierStructure(caCert));
    generator.addExtension(X509Extensions.SubjectKeyIdentifier, false,
        new SubjectKeyIdentifierStructure(sshKey.getKey()));
    final String hostnameAndUUID = new StringBuilder(hostname)
        .append(':')
        .append(uuid.toString())
        .toString();
    generator.addExtension(X509Extensions.IssuingDistributionPoint, false,
        hostnameAndUUID.getBytes());
    // Not a CA
    generator.addExtension(X509Extensions.BasicConstraints, true,
        new BasicConstraints(false));
    generator.setIssuerDN(caCert.getSubjectX500Principal());
    generator.setPublicKey(sshKey.getKey());
    generator.setSignatureAlgorithm(SIGNATURE_ALGORITHM);

    final java.security.cert.X509Certificate signed = generator.generate(caPrivateKey, BouncyCastleProvider.PROVIDER_NAME);
    if (this.checkCert) {
        signed.checkValidity();
        signed.verify(caCert.getPublicKey());
    }
    return new X509Certificate(signed);
}
示例13: addAuthorityKeyIdExtension
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
/**
 * Adds a non-critical AuthorityKeyIdentifier, derived from {@code cert} (the issuer's
 * certificate), to the shared {@code v3CertGen} so the certificate being built points
 * back to its signer.
 *
 * @param cert the issuer certificate the identifier is derived from
 * @throws CertificateParsingException if {@code cert} cannot be parsed
 */
public void addAuthorityKeyIdExtension(X509Certificate cert) throws CertificateParsingException {
    AuthorityKeyIdentifierStructure authorityKeyId = new AuthorityKeyIdentifierStructure(cert);
    v3CertGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, authorityKeyId);
}
示例14: issueCertificate
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
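/**
 * Generates an SSL certificate for a freshly generated RSA key pair, signed by the CA
 * ({@code caCertificate}/{@code caKeyPair}). The key pair is stored in
 * {@code issuedKeyPair} and the certificate in {@code issuedCertificate}.
 * <p>
 * The CSR's self-signature is verified before signing. Extensions requested in the CSR
 * are copied into the certificate, except those this CA sets itself (AKI, SKI,
 * BasicConstraints, KeyUsage, ExtendedKeyUsage): letting a request supply those would
 * let a CSR turn the result into a CA certificate or change its permitted usages (and
 * the generator also rejects an OID that is added twice). The CSR is generated locally
 * from {@code cn} today; the checks keep this method safe if requests ever come from
 * elsewhere. Any SubjectAlternativeName in the CSR is still copied unvalidated.
 *
 * @param cn Common name for certificate (eg: blah.mydomain.com)
 * @param days Number of days the certificate should be valid for
 * @param purposeId A {@link KeyPurposeId} that defines what the certificate can be used for
 * @throws Exception on key generation, CSR verification or signing failure
 */
public void issueCertificate(String cn, int days, KeyPurposeId purposeId) throws Exception {
    this.issuedKeyPair = generateRSAKeyPair();
    PKCS10CertificationRequest request = generateCSR(issuedKeyPair, cn);
    // Proof of possession: never sign a request whose self-signature does not verify.
    if (!request.verify("BC")) {
        throw new java.security.SignatureException("CSR signature verification failed for " + cn);
    }
    java.security.PublicKey requestedKey = request.getPublicKey("BC");

    long nowMillis = System.currentTimeMillis();
    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    // Random serial: a millisecond timestamp is guessable and repeats within the same ms.
    certGen.setSerialNumber(new BigInteger(64, new java.security.SecureRandom()).add(BigInteger.ONE));
    certGen.setIssuerDN(caCertificate.getSubjectX500Principal());
    certGen.setNotBefore(new Date(nowMillis));
    certGen.setNotAfter(new Date(nowMillis + (1000L * 60 * 60 * 24 * days)));
    certGen.setSubjectDN(request.getCertificationRequestInfo().getSubject());
    certGen.setPublicKey(requestedKey);
    certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");
    certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCertificate));
    certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(requestedKey));
    certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
    certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment ));
    certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(purposeId));

    // Copy the CSR's requested extensions, skipping the ones the CA controls.
    ASN1Set attributes = request.getCertificationRequestInfo().getAttributes();
    if (attributes != null) {
        for (int i = 0; i != attributes.size(); i++) {
            org.bouncycastle.asn1.pkcs.Attribute attr = org.bouncycastle.asn1.pkcs.Attribute.getInstance(attributes.getObjectAt(i));
            if (!attr.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
                continue;
            }
            X509Extensions extensions = X509Extensions.getInstance(attr.getAttrValues().getObjectAt(0));
            Enumeration e = extensions.oids();
            while (e.hasMoreElements()) {
                DERObjectIdentifier oid = (DERObjectIdentifier) e.nextElement();
                if (isCaControlledExtension(oid)) {
                    continue;
                }
                X509Extension ext = extensions.getExtension(oid);
                certGen.addExtension(oid, ext.isCritical(), ext.getValue().getOctets());
            }
        }
    }
    this.issuedCertificate = certGen.generate(caKeyPair.getPrivate());
}

/** Extensions this CA sets itself; a CSR must not be able to supply or override them. */
private static boolean isCaControlledExtension(DERObjectIdentifier oid) {
    return X509Extensions.AuthorityKeyIdentifier.equals(oid)
        || X509Extensions.SubjectKeyIdentifier.equals(oid)
        || X509Extensions.BasicConstraints.equals(oid)
        || X509Extensions.KeyUsage.equals(oid)
        || X509Extensions.ExtendedKeyUsage.equals(oid);
}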
示例15: checkCRLCreation1
import org.bouncycastle.x509.extension.AuthorityKeyIdentifierStructure; //导入依赖的package包/类
/**
 * Same scenario as the X500Principal variant, but the issuer is set and compared as a
 * BouncyCastle {@code X509Principal} via {@code getIssuerDN()}: generate a one-entry CRL
 * under a fresh RSA key, then check issuer, AKI presence/parsing, the entry for serial 1
 * and its privilegeWithdrawn reasonCode.
 */
public void checkCRLCreation1()
    throws Exception
{
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA", "BC");
    KeyPair issuerKeys = keyGen.generateKeyPair();
    Date thisUpdate = new Date();

    X509V2CRLGenerator builder = new X509V2CRLGenerator();
    builder.setIssuerDN(new X509Principal("CN=Test CA"));
    builder.setThisUpdate(thisUpdate);
    builder.setNextUpdate(new Date(thisUpdate.getTime() + 100000));
    builder.setSignatureAlgorithm("SHA256WithRSAEncryption");
    builder.addCRLEntry(BigInteger.ONE, thisUpdate, CRLReason.privilegeWithdrawn);
    builder.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(issuerKeys.getPublic()));
    X509CRL crl = builder.generate(issuerKeys.getPrivate(), "BC");

    if (!crl.getIssuerDN().equals(new X509Principal("CN=Test CA")))
    {
        fail("failed CRL issuer test");
    }

    byte[] akiValue = crl.getExtensionValue(X509Extensions.AuthorityKeyIdentifier.getId());
    if (akiValue == null)
    {
        fail("failed to find CRL extension");
    }
    // Parsing the encoded extension back is the check; the result itself is not inspected.
    AuthorityKeyIdentifier parsedAki = new AuthorityKeyIdentifierStructure(akiValue);

    X509CRLEntry revoked = crl.getRevokedCertificate(BigInteger.ONE);
    if (revoked == null)
    {
        fail("failed to find CRL entry");
    }
    if (!revoked.getSerialNumber().equals(BigInteger.ONE))
    {
        fail("CRL cert serial number does not match");
    }
    if (!revoked.hasExtensions())
    {
        fail("CRL entry extension not found");
    }

    byte[] reasonValue = revoked.getExtensionValue(X509Extensions.ReasonCode.getId());
    if (reasonValue == null)
    {
        fail("CRL entry reasonCode not found");
    }
    else
    {
        DEREnumerated reason = (DEREnumerated)X509ExtensionUtil.fromExtensionValue(reasonValue);
        if (reason.getValue().intValue() != CRLReason.privilegeWithdrawn)
        {
            fail("CRL entry reasonCode wrong");
        }
    }
}