/** Build a sample V3 certificate to use as an end entity certificate */
public static X509Certificate buildEndEntityCert(
PublicKey entityKey, PrivateKey caKey, X509Certificate caCert) throws Exception {
X509v3CertificateBuilder certBldr =
new JcaX509v3CertificateBuilder(
caCert.getSubjectX500Principal(),
BigInteger.valueOf(1),
new Date(System.currentTimeMillis()),
new Date(System.currentTimeMillis() + VALIDITY_PERIOD),
new X500Principal("CN=Test End Entity Certificate"),
entityKey);
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
certBldr
.addExtension(
Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert))
.addExtension(
Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(entityKey))
.addExtension(Extension.basicConstraints, true, new BasicConstraints(false))
.addExtension(
Extension.keyUsage,
true,
new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
ContentSigner signer =
new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(caKey);
return new JcaX509CertificateConverter()
.setProvider("BC")
.getCertificate(certBldr.build(signer));
}
/** Build a sample V3 certificate to use as an intermediate CA certificate */
public static X509Certificate buildIntermediateCert(
PublicKey intKey, PrivateKey caKey, X509Certificate caCert) throws Exception {
X509v3CertificateBuilder certBldr =
new JcaX509v3CertificateBuilder(
caCert.getSubjectX500Principal(),
BigInteger.valueOf(1),
new Date(),
sdf.parse("2016-07-06 06:06:06"),
new X500Principal("CN=Test CA Certificate"),
intKey);
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
certBldr
.addExtension(
Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert))
.addExtension(
Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(intKey))
.addExtension(Extension.basicConstraints, true, new BasicConstraints(0))
.addExtension(
Extension.keyUsage,
true,
new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
ContentSigner signer =
new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(caKey);
return new JcaX509CertificateConverter()
.setProvider("BC")
.getCertificate(certBldr.build(signer));
}
public X509v3CertificateBuilder applyExtension(X509v3CertificateBuilder certificateGenerator)
throws CertIOException {
BasicConstraints bc = null;
if (((BasicConstraintField) certificateField).getIsCA() == false) {
bc = new BasicConstraints(false);
} else {
bc = new BasicConstraints(((BasicConstraintField) certificateField).getPathLength());
}
certificateGenerator.addExtension(
X509Extension.basicConstraints, certificateField.getCritical(), bc);
return (certificateGenerator);
}
/**
* Generates version 3 {@link java.security.cert.X509Certificate}.
*
* @param keyPair the key pair
* @param caPrivateKey the CA private key
* @param caCert the CA certificate
* @param subject the subject name
* @return the x509 certificate
* @throws Exception the exception
*/
public static X509Certificate generateV3Certificate(
KeyPair keyPair, PrivateKey caPrivateKey, X509Certificate caCert, String subject)
throws Exception {
try {
X500Name subjectDN = new X500Name("CN=" + subject);
// Serial Number
SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
BigInteger serialNumber = BigInteger.valueOf(Math.abs(random.nextInt()));
// Validity
Date notBefore = new Date(System.currentTimeMillis());
Date notAfter =
new Date(System.currentTimeMillis() + (((1000L * 60 * 60 * 24 * 30)) * 12) * 3);
// SubjectPublicKeyInfo
SubjectPublicKeyInfo subjPubKeyInfo =
new SubjectPublicKeyInfo(ASN1Sequence.getInstance(keyPair.getPublic().getEncoded()));
X509v3CertificateBuilder certGen =
new X509v3CertificateBuilder(
new X500Name(caCert.getSubjectDN().getName()),
serialNumber,
notBefore,
notAfter,
subjectDN,
subjPubKeyInfo);
DigestCalculator digCalc =
new BcDigestCalculatorProvider()
.get(new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1));
X509ExtensionUtils x509ExtensionUtils = new X509ExtensionUtils(digCalc);
// Subject Key Identifier
certGen.addExtension(
Extension.subjectKeyIdentifier,
false,
x509ExtensionUtils.createSubjectKeyIdentifier(subjPubKeyInfo));
// Authority Key Identifier
certGen.addExtension(
Extension.authorityKeyIdentifier,
false,
x509ExtensionUtils.createAuthorityKeyIdentifier(subjPubKeyInfo));
// Key Usage
certGen.addExtension(
Extension.keyUsage,
false,
new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
// Extended Key Usage
KeyPurposeId[] EKU = new KeyPurposeId[2];
EKU[0] = KeyPurposeId.id_kp_emailProtection;
EKU[1] = KeyPurposeId.id_kp_serverAuth;
certGen.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(EKU));
// Basic Constraints
certGen.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
// Content Signer
ContentSigner sigGen =
new JcaContentSignerBuilder("SHA1WithRSAEncryption")
.setProvider("BC")
.build(caPrivateKey);
// Certificate
return new JcaX509CertificateConverter()
.setProvider("BC")
.getCertificate(certGen.build(sigGen));
} catch (Exception e) {
throw new RuntimeException("Error creating X509v3Certificate.", e);
}
}
private X509Certificate buildRootCert(String domain, KeyPair _keyPair) throws Exception {
X509v3CertificateBuilder certificateBuilder = createX509v3CertificateBuilder(domain, _keyPair);
certificateBuilder.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
return createX509Certificate(certificateBuilder, _keyPair.getPrivate());
}
