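  /**
   * Builds and signs an X.509 certificate with the shared {@code gen} generator.
   *
   * <p>The generator is reset first so no state from a previous call leaks into this
   * certificate. Validity runs from now until now + {@code CA_CERT_LIFETIME}; the signature
   * algorithm is {@code CA_CERT_SIGNATURE_ALGORITHM}.
   *
   * @param signKey private key that signs the certificate (the issuer's key)
   * @param pubKey public key placed in the certificate (the subject's key)
   * @param subjectDN subject distinguished name, parsed by {@link X509Name}
   * @param issuerDN issuer distinguished name, parsed by {@link X509Name}
   * @param ext optional extensions to add, all marked non-critical; may be {@code null}
   * @return the signed certificate, produced by the "BC" provider
   * @throws GeneralSecurityException if the provider fails to generate or sign the certificate;
   *     the original exception is kept as the cause
   */
  private X509Certificate genCert(
      PrivateKey signKey,
      PublicKey pubKey,
      String subjectDN,
      String issuerDN,
      Map<DERObjectIdentifier, DEREncodable> ext)
      throws GeneralSecurityException {
    gen.reset();
    Date now = new Date();
    SecureRandom random = new SecureRandom();

    // RFC 5280 requires a positive serial number that is unique per issuer. A fixed value
    // (such as 0) breaks both rules: every certificate issued here would share the same,
    // invalid serial, which confuses CRL/OCSP lookups and keystore handling. 128 random bits
    // from SecureRandom stay within the 20-octet limit and are unpredictable.
    gen.setSerialNumber(new BigInteger(128, random));
    gen.setNotBefore(now);
    gen.setNotAfter(new Date(now.getTime() + CA_CERT_LIFETIME));
    gen.setIssuerDN(new X509Name(issuerDN));
    gen.setSubjectDN(new X509Name(subjectDN));
    gen.setPublicKey(pubKey);
    gen.setSignatureAlgorithm(CA_CERT_SIGNATURE_ALGORITHM);

    // Every caller-supplied extension is added as non-critical; a caller that needs a
    // critical extension (e.g. BasicConstraints on a CA certificate) cannot express that here.
    if (ext != null) {
      for (Map.Entry<DERObjectIdentifier, DEREncodable> e : ext.entrySet()) {
        gen.addExtension(e.getKey(), false, e.getValue());
      }
    }

    try {
      return gen.generateX509Certificate(signKey, "BC", random);
    } catch (Exception e) {
      // The BC generator throws a mix of checked and unchecked types; fold all of them into
      // one checked exception and keep the original as the cause.
      throw new GeneralSecurityException("Failed to create X509 certificate", e);
    }
  }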
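  /**
   * Creates a JKS keystore holding a freshly generated, self-signed DSA certificate and also
   * writes the certificate to the IdP's PEM file.
   *
   * <p>The certificate is valid from ten minutes ago (clock-skew tolerance) until twenty days
   * from now, with issuer and subject both set to {@code CN=<cn>}. Key size (1024-bit DSA) and
   * signature algorithm (SHA1withDSA) are kept as configured; both are below current
   * recommendations and should be reviewed if the keystore is used outside testing.
   *
   * @param cn common name used as subject and issuer
   * @param keystoreFile path of the keystore file to write
   * @param keystorePassword password protecting the keystore file
   * @param privateKeyPassword password protecting the private key entry
   * @param privateKeyAlias alias of the key entry
   * @return {@code true} on success, {@code false} if any step failed
   */
  public boolean createSelfSignedKeystore(
      String cn,
      String keystoreFile,
      String keystorePassword,
      String privateKeyPassword,
      String privateKeyAlias) {
    try {
      KeyStore ks = KeyStore.getInstance("JKS");
      ks.load(null, null);

      KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
      keyGen.initialize(1024, new SecureRandom());
      KeyPair keypair = keyGen.generateKeyPair();
      PrivateKey privkey = keypair.getPrivate();
      PublicKey pubkey = keypair.getPublic();

      // Self-signed: issuer and subject are the same single-attribute name.
      Hashtable<DERObjectIdentifier, String> attrs = new Hashtable<DERObjectIdentifier, String>();
      Vector<DERObjectIdentifier> ordering = new Vector<DERObjectIdentifier>();
      ordering.add(X509Name.CN);
      attrs.put(X509Name.CN, cn);
      X509Name name = new X509Name(ordering, attrs);

      // Backdate notBefore by 10 minutes so a peer with a slightly slow clock still accepts it.
      Date validFrom = new Date();
      validFrom.setTime(validFrom.getTime() - (10 * 60 * 1000));
      Date validTo = new Date();
      validTo.setTime(validTo.getTime() + (20 * (24 * 60 * 60 * 1000)));

      X509V3CertificateGenerator x509 = new X509V3CertificateGenerator();
      x509.setSignatureAlgorithm("SHA1withDSA");
      x509.setIssuerDN(name);
      x509.setSubjectDN(name);
      x509.setPublicKey(pubkey);
      x509.setNotBefore(validFrom);
      x509.setNotAfter(validTo);
      // Serial numbers must be unique per issuer and unpredictable; java.util.Random is seeded
      // from the clock and gives neither, so draw the serial from SecureRandom.
      x509.setSerialNumber(new BigInteger(128, new SecureRandom()));

      // A single-element chain: the self-signed certificate is its own root. One setKeyEntry
      // call is enough; X509Certificate[] is accepted where Certificate[] is expected.
      X509Certificate[] chain = new X509Certificate[1];
      chain[0] = x509.generate(privkey, "BC");
      ks.setKeyEntry(privateKeyAlias, privkey, privateKeyPassword.toCharArray(), chain);

      // Close the stream even when store() throws, so the file handle is not leaked and
      // buffered data is flushed.
      FileOutputStream out = new FileOutputStream(keystoreFile);
      try {
        ks.store(out, keystorePassword.toCharArray());
      } finally {
        out.close();
      }

      String IDP_RFC_CERT = "WEB-INF/guanxi_idp/keystore/guanxi_idp_cert.txt";

      PEMWriter pemWriter = new PEMWriter(new FileWriter(servletContext.getRealPath(IDP_RFC_CERT)));
      try {
        pemWriter.writeObject(chain[0]);
      } finally {
        pemWriter.close();
      }

      return true;
    } catch (Exception se) {
      // Best-effort contract: callers only learn success or failure through the boolean, and
      // the signature gives no way to surface the cause without changing it.
      return false;
    }
  }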
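  /**
   * Generates a V3 X.509 certificate for the given subject, signed by this instance's CA key.
   *
   * <p>A fresh 1024-bit RSA key pair is generated for the subject; the issuer name is taken from
   * the {@code servertrustedcert} entry of {@code keystore}, and the certificate is valid from
   * seven days ago until seven days from now.
   *
   * @param certInfo subject name to place in the certificate
   * @return the signed certificate paired with the subject's newly generated key pair
   * @throws InvalidKeyException if {@code caPrivKey} cannot be used for signing
   * @throws NoSuchProviderException if the BouncyCastle provider is unavailable
   * @throws SignatureException if signing fails
   * @throws CertificateEncodingException if the certificate cannot be encoded
   * @throws IllegalStateException if a required generator field was not set
   * @throws NoSuchAlgorithmException if RSA key generation or the signature algorithm is
   *     unavailable
   * @throws KeyStoreException if the keystore is not initialized or holds no CA certificate under
   *     {@code servertrustedcert}
   */
  public common.Pair<X509Certificate, KeyPair> generateV3Certificate(X500Principal certInfo)
      throws InvalidKeyException, NoSuchProviderException, SignatureException,
          CertificateEncodingException, IllegalStateException, NoSuchAlgorithmException,
          KeyStoreException {
    // NOTE(review): 1024-bit RSA is below current minimum recommendations; kept as configured.
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    keyGen.initialize(1024);
    KeyPair keyPair = keyGen.generateKeyPair();

    // addProvider is a no-op (returns -1) when BC is already registered, so repeating it is safe.
    Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());

    X509Certificate caCert = (X509Certificate) this.keystore.getCertificate("servertrustedcert");
    if (caCert == null) {
      // Fail with a clear message instead of a NullPointerException on getSubjectX500Principal().
      throw new KeyStoreException("No CA certificate found under alias servertrustedcert");
    }

    long now = System.currentTimeMillis();
    long sevenDays = 7L * 24 * 3600 * 1000;

    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
    // A clock-derived serial repeats when two certificates are issued within the same
    // millisecond; RFC 5280 requires serials to be unique per issuer, so draw a random one.
    certGen.setSerialNumber(new BigInteger(128, new java.security.SecureRandom()));
    certGen.setIssuerDN(caCert.getSubjectX500Principal());
    certGen.setNotBefore(new Date(now - sevenDays));
    certGen.setNotAfter(new Date(now + sevenDays));
    certGen.setSubjectDN(certInfo);
    certGen.setPublicKey(keyPair.getPublic());
    // NOTE(review): the signature algorithm must match the type of caPrivKey (DSA here). The
    // subject key being RSA is irrelevant, but a non-DSA CA key would fail in generate().
    certGen.setSignatureAlgorithm("SHA1withDSA");

    return new common.Pair<X509Certificate, KeyPair>(certGen.generate(this.caPrivKey), keyPair);
  }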
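  /**
   * Creates a pre-filled certificate generator for a self-signed certificate.
   *
   * <p>Issuer and subject are both {@code CN=<commonName>, OU=None, O=None, L=None, C=None}. The
   * public key, signature algorithm and any extensions still have to be set by the caller before
   * generating.
   *
   * @param commonName value of the CN attribute; it is inserted verbatim, so a value containing
   *     {@code ,} or {@code =} would be parsed as additional attributes
   * @param daysNotValidBefore how many days before now the validity period starts
   * @param daysNotValidAfter how many days after now the validity period ends
   * @return the generator, ready for {@code setPublicKey}, {@code setSignatureAlgorithm} and
   *     {@code generate}
   */
  public static X509V3CertificateGenerator createCertificate(
      String commonName, int daysNotValidBefore, int daysNotValidAfter) {
    // BC sez X509V3CertificateGenerator is deprecated and the docs say to
    // use another, but it seemingly isn't included jar...
    X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();

    // Every RDN needs its own separator: without the comma between O and L, BC parses
    // "None L=None" as the single value of O. Build the name once and use it for both roles.
    String dn = "CN=" + commonName + ", OU=None, O=None, L=None, C=None";
    long dayMillis = 1000L * 60 * 60 * 24;
    long now = System.currentTimeMillis();

    // NOTE(review): a clock-derived serial repeats for two certificates created in the same
    // millisecond; tolerable for a self-signed test certificate, not for a CA.
    v3CertGen.setSerialNumber(BigInteger.valueOf(now));
    v3CertGen.setIssuerDN(new X509Principal(dn));
    v3CertGen.setNotBefore(new Date(now - dayMillis * daysNotValidBefore));
    v3CertGen.setNotAfter(new Date(now + dayMillis * daysNotValidAfter));
    v3CertGen.setSubjectDN(new X509Principal(dn));
    return v3CertGen;
  }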
  /**
   * Generate a sample V3 certificate to use as an intermediate CA certificate.
   *
   * <p>The certificate is issued by {@code caCert}, signed with {@code caKey}, carries
   * {@code intKey} as its subject key, and is constrained to a path length of 0 with key usage
   * digitalSignature/keyCertSign/cRLSign. The serial number is fixed at 1 and validity starts now
   * and lasts {@code ConfigurationClass.VALIDITY_PERIOD} milliseconds — fine for a sample, not
   * for a production CA, where serials must be unique per issuer.
   *
   * @param intKey public key of the intermediate CA (the subject)
   * @param caKey private key of the issuing CA
   * @param caCert certificate of the issuing CA; supplies the issuer name and the AKI
   * @return the signed intermediate certificate from the "BC" provider
   * @throws Exception on any key, encoding or provider error raised by BouncyCastle
   */
  public static X509Certificate generateIntermediateCert(
      PublicKey intKey, PrivateKey caKey, X509Certificate caCert) throws Exception {
    final X509V3CertificateGenerator builder = new X509V3CertificateGenerator();

    builder.setSerialNumber(BigInteger.valueOf(1));
    builder.setIssuerDN(caCert.getSubjectX500Principal());
    builder.setNotBefore(new Date(System.currentTimeMillis()));
    builder.setNotAfter(new Date(System.currentTimeMillis() + ConfigurationClass.VALIDITY_PERIOD));
    builder.setSubjectDN(new X500Principal("CN=Test Intermediate Certificate"));
    builder.setPublicKey(intKey);
    builder.setSignatureAlgorithm("SHA1WithRSAEncryption");

    // Chain-building hints: the AKI names the issuer's key, the SKI identifies this key.
    builder.addExtension(
        X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert));
    builder.addExtension(
        X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(intKey));

    // CA with pathLen 0: it may issue end-entity certificates but no further CA certificates.
    final boolean critical = true;
    builder.addExtension(X509Extensions.BasicConstraints, critical, new BasicConstraints(0));
    final int caUsage = KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign;
    builder.addExtension(X509Extensions.KeyUsage, critical, new KeyUsage(caUsage));

    return builder.generateX509Certificate(caKey, "BC");
  }
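  /**
   * Builds and signs an X.509 certificate, optionally issued by another certificate.
   *
   * <p>When {@code issuerCertificate} is {@code null} the certificate is self-signed: the issuer
   * name is the subject name and the authority key identifier refers to {@code subjectPublicKey}.
   * Otherwise the issuer name and the authority key identifier are taken from
   * {@code issuerCertificate}. In both cases {@code issuerPrivateKey} must be the private half of
   * the key the AKI refers to, or chain validation will fail.
   *
   * @param subjectPublicKey public key to certify
   * @param subjectDn subject distinguished name, parsed by {@link X509Principal}
   * @param notBefore start of the validity period
   * @param notAfter end of the validity period
   * @param issuerCertificate issuing certificate, or {@code null} for a self-signed certificate
   * @param issuerPrivateKey key used to sign the certificate
   * @return the certificate, re-parsed through the default {@code X.509} CertificateFactory
   * @throws Exception on any encoding, key or provider error
   */
  private X509Certificate generateCertificate(
      PublicKey subjectPublicKey,
      String subjectDn,
      DateTime notBefore,
      DateTime notAfter,
      X509Certificate issuerCertificate,
      PrivateKey issuerPrivateKey)
      throws Exception {

    X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
    certificateGenerator.reset();
    certificateGenerator.setPublicKey(subjectPublicKey);
    certificateGenerator.setSignatureAlgorithm("SHA1WithRSAEncryption");
    certificateGenerator.setNotBefore(notBefore.toDate());
    certificateGenerator.setNotAfter(notAfter.toDate());

    X509Principal issuerDN;
    PublicKey issuerPublicKey;
    if (null != issuerCertificate) {
      // Take the issuer name from the CA's DER-encoded subject instead of re-parsing
      // X500Principal.toString(): the string round trip can change RDN order and string
      // types, and an issuer name that does not match the CA subject byte-for-byte breaks
      // chain building in CertPath validators.
      issuerDN = new X509Principal(issuerCertificate.getSubjectX500Principal().getEncoded());
      issuerPublicKey = issuerCertificate.getPublicKey();
    } else {
      // Self-signed: issuer equals subject and the AKI points at our own key.
      issuerDN = new X509Principal(subjectDn);
      issuerPublicKey = subjectPublicKey;
    }
    certificateGenerator.setIssuerDN(issuerDN);
    certificateGenerator.setSubjectDN(new X509Principal(subjectDn));
    // 128 random bits: unique per issuer and unpredictable, as RFC 5280 expects.
    certificateGenerator.setSerialNumber(new BigInteger(128, new SecureRandom()));

    certificateGenerator.addExtension(
        X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(subjectPublicKey));
    certificateGenerator.addExtension(
        X509Extensions.AuthorityKeyIdentifier, false, createAuthorityKeyId(issuerPublicKey));

    X509Certificate certificate = certificateGenerator.generate(issuerPrivateKey);

    /*
     * Next certificate factory trick is needed to make sure that the
     * certificate delivered to the caller is provided by the default
     * security provider instead of BouncyCastle. If we don't do this trick
     * we might run into trouble when trying to use the CertPath validator.
     */
    CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
    return (X509Certificate)
        certificateFactory.generateCertificate(new ByteArrayInputStream(certificate.getEncoded()));
  }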
 /**
  * Stub that only resets the shared {@code gen} generator. Judging by the name it is meant to
  * sign {@code userCert} with {@code caKey}/{@code caCert}, but nothing is signed yet and all
  * three parameters are currently unused.
  */
 private void signCert(X509Certificate userCert, OpenSSLKey caKey, X509Certificate caCert) {
   gen.reset();
 }