/** Build a sample V3 certificate to use as an end entity certificate */
public static X509Certificate buildEndEntityCert(
PublicKey entityKey, PrivateKey caKey, X509Certificate caCert) throws Exception {
X509v3CertificateBuilder certBldr =
new JcaX509v3CertificateBuilder(
caCert.getSubjectX500Principal(),
BigInteger.valueOf(1),
new Date(System.currentTimeMillis()),
new Date(System.currentTimeMillis() + VALIDITY_PERIOD),
new X500Principal("CN=Test End Entity Certificate"),
entityKey);
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
certBldr
.addExtension(
Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert))
.addExtension(
Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(entityKey))
.addExtension(Extension.basicConstraints, true, new BasicConstraints(false))
.addExtension(
Extension.keyUsage,
true,
new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
ContentSigner signer =
new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(caKey);
return new JcaX509CertificateConverter()
.setProvider("BC")
.getCertificate(certBldr.build(signer));
}
/** Build a sample V3 certificate to use as an intermediate CA certificate */
public static X509Certificate buildIntermediateCert(
PublicKey intKey, PrivateKey caKey, X509Certificate caCert) throws Exception {
X509v3CertificateBuilder certBldr =
new JcaX509v3CertificateBuilder(
caCert.getSubjectX500Principal(),
BigInteger.valueOf(1),
new Date(),
sdf.parse("2016-07-06 06:06:06"),
new X500Principal("CN=Test CA Certificate"),
intKey);
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
certBldr
.addExtension(
Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert))
.addExtension(
Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(intKey))
.addExtension(Extension.basicConstraints, true, new BasicConstraints(0))
.addExtension(
Extension.keyUsage,
true,
new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign | KeyUsage.cRLSign));
ContentSigner signer =
new JcaContentSignerBuilder("SHA1withRSA").setProvider("BC").build(caKey);
return new JcaX509CertificateConverter()
.setProvider("BC")
.getCertificate(certBldr.build(signer));
}
public static void genPKCS12File(OutputStream pfxOut, PrivateKey key, Certificate[] chain)
throws Exception {
OutputEncryptor encOut =
new JcePKCSPBEOutputEncryptorBuilder(NISTObjectIdentifiers.id_aes256_CBC)
.setProvider("BC")
.build(KEY_PASSWD);
PKCS12SafeBagBuilder taCertBagBuilder = new JcaPKCS12SafeBagBuilder((X509Certificate) chain[2]);
taCertBagBuilder.addBagAttribute(
PKCS12SafeBag.friendlyNameAttribute, new DERBMPString("Bouncy Primary Certificate"));
// PKCS12SafeBagBuilder caCertBagBuilder = new
// JcaPKCS12SafeBagBuilder((X509Certificate)chain[1]);
// caCertBagBuilder.addBagAttribute(PKCS12SafeBag.friendlyNameAttribute, new
// DERBMPString("Bouncy Intermediate Certificate"));
PKCS12SafeBagBuilder eeCertBagBuilder = new JcaPKCS12SafeBagBuilder((X509Certificate) chain[0]);
eeCertBagBuilder.addBagAttribute(
PKCS12SafeBag.friendlyNameAttribute, new DERBMPString("Eric's Key"));
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
SubjectKeyIdentifier pubKeyId = extUtils.createSubjectKeyIdentifier(chain[0].getPublicKey());
eeCertBagBuilder.addBagAttribute(PKCS12SafeBag.localKeyIdAttribute, pubKeyId);
PKCS12SafeBagBuilder keyBagBuilder = new JcaPKCS12SafeBagBuilder(key, encOut);
keyBagBuilder.addBagAttribute(
PKCS12SafeBag.friendlyNameAttribute, new DERBMPString("Eric's Key"));
keyBagBuilder.addBagAttribute(PKCS12SafeBag.localKeyIdAttribute, pubKeyId);
PKCS12PfxPduBuilder builder = new PKCS12PfxPduBuilder();
builder.addData(keyBagBuilder.build());
builder.addEncryptedData(
new JcePKCSPBEOutputEncryptorBuilder(PKCSObjectIdentifiers.pbeWithSHAAnd128BitRC2_CBC)
.setProvider("BC")
.build(KEY_PASSWD),
new PKCS12SafeBag[] {
eeCertBagBuilder.build(),
// caCertBagBuilder.build(),
taCertBagBuilder.build()
});
PKCS12PfxPdu pfx =
builder.build(
new JcePKCS12MacCalculatorBuilder(NISTObjectIdentifiers.id_sha256), KEY_PASSWD);
// make sure we don't include indefinite length encoding
pfxOut.write(pfx.getEncoded(ASN1Encoding.DL));
pfxOut.close();
}