private void parseCert() {
try {
FileInputStream fis = new FileInputStream("e:\\rongyifu.der");
CertificateFactory cf = CertificateFactory.getInstance("X509");
X509Certificate c = (X509Certificate) cf.generateCertificate(fis);
System.out.println("Certficate for " + c.getSubjectDN().getName());
System.out.println("Generated with " + c.getSigAlgName());
System.out.println("== " + c.getSubjectDN().toString());
String publicKey = Base64.encode(c.getPublicKey().getEncoded());
System.out.println("publicKey=" + publicKey);
// Map<String, String> map = parseSubjectDN(c.getSubjectDN().toString());
// System.out.println("map: "+map);
// String notBefore =c.getNotBefore().toString();//得到开始有效日期
// String notAfter = c.getNotAfter().toString();//得到截止日期
String serialNumber = c.getSerialNumber().toString(16); // 得到序列号
String dn = c.getIssuerDN().getName(); // 得到发行者名
String sigAlgName = c.getSigAlgName(); // 得到签名算法
String algorithm = c.getPublicKey().getAlgorithm(); // 得到公钥算法
SimpleDateFormat intSDF = new SimpleDateFormat("yyyyMMdd");
System.out.println("notBefore=" + intSDF.format(c.getNotBefore()));
System.out.println("notAfter=" + intSDF.format(c.getNotAfter()));
System.out.println("serialNumber=" + serialNumber);
System.out.println("dn=" + dn);
System.out.println("sigAlgName=" + sigAlgName);
System.out.println("algorithm=" + algorithm);
fis.close();
} catch (Exception ex) {
ex.printStackTrace();
}
}
/*
* Check for a valid certificate pair
*/
private void checkPair() throws CertificateException {
/* if either of pair is missing, return w/o error */
if (forward == null || reverse == null) {
return;
}
/*
* If both elements of the pair are present, check that they
* are a valid pair.
*/
X500Principal fwSubject = forward.getSubjectX500Principal();
X500Principal fwIssuer = forward.getIssuerX500Principal();
X500Principal rvSubject = reverse.getSubjectX500Principal();
X500Principal rvIssuer = reverse.getIssuerX500Principal();
if (!fwIssuer.equals(rvSubject) || !rvIssuer.equals(fwSubject)) {
throw new CertificateException(
"subject and issuer names in " + "forward and reverse certificates do not match");
}
/* check signatures unless key parameters are missing */
try {
PublicKey pk = reverse.getPublicKey();
if (!(pk instanceof DSAPublicKey) || ((DSAPublicKey) pk).getParams() != null) {
forward.verify(pk);
}
pk = forward.getPublicKey();
if (!(pk instanceof DSAPublicKey) || ((DSAPublicKey) pk).getParams() != null) {
reverse.verify(pk);
}
} catch (GeneralSecurityException e) {
throw new CertificateException("invalid signature: " + e.getMessage());
}
}
public static boolean isPre2011IdCard(X509Certificate cert) {
return ((cert != null)
&& (cert.getPublicKey() instanceof RSAPublicKey)
&& (((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength() == 1024)
&&
// cert.getPublicKey().getEncoded().length <= PRE2011_KEYLEN);
!certHasPolicy(cert, DIGI_OID_LIVE_TEST)
&& !certHasPolicy(cert, DIGI_OID_TEST_TEST));
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
calledCheckServerTrusted = true;
if (!authType.equals("RSA") && !authType.equals("DHE_RSA"))
throw new CertificateException("Only RSA and DHE_RSA supported, not " + authType);
if (chain.length != 3) throw new CertificateException("Need three certificates");
X509Certificate cert0 = chain[0];
X509Certificate cert1 = chain[1];
X509Certificate cert2 = chain[2];
int failedCert = 0;
try {
// NOTE: cert0 is a self-signed key used only for SSL
failedCert = 0;
cert0.verify(cert0.getPublicKey());
// NOTE: cert1 is the SSL key signed by the server's Martus key
failedCert = 1;
cert1.verify(cert2.getPublicKey());
// NOTE: cert2 is a self-signed key of and by the server's Martus key
failedCert = 2;
cert2.verify(cert2.getPublicKey());
failedCert = -1;
PublicKey tryPublicKey = expectedPublicKey;
if (tryPublicKey == null) {
if (expectedPublicCode == null) throw new CertificateException("No key or code is trusted");
String certPublicKeyString = SimpleX509TrustManager.getKeyString(cert2.getPublicKey());
String certPublicCode = MartusCrypto.computePublicCode(certPublicKeyString);
if (expectedPublicCode.equals(certPublicCode)) {
tryPublicKey = cert2.getPublicKey();
}
}
if (tryPublicKey == null) throw new CertificateException("Key is not trusted");
cert1.verify(tryPublicKey);
String keyString = SimpleX509TrustManager.getKeyString(tryPublicKey);
setExpectedPublicKey(keyString);
} catch (SignatureException e) {
MartusLogger.logException(e);
MartusLogger.log("Failed cert: " + failedCert);
String key0 = SimpleX509TrustManager.getKeyString(cert0.getPublicKey());
String key1 = SimpleX509TrustManager.getKeyString(cert1.getPublicKey());
String key2 = SimpleX509TrustManager.getKeyString(cert2.getPublicKey());
MartusLogger.log("Cert0 public: " + key0);
if (!key0.equals(key1)) MartusLogger.log("Cert1 public: " + key1);
MartusLogger.log("Cert2 public: " + key2);
MartusLogger.log("Cert2 public code: " + MartusCrypto.formatAccountIdForLog(key2));
String expectedKeyString = SimpleX509TrustManager.getKeyString(expectedPublicKey);
MartusLogger.log(
"Expected public code: " + MartusCrypto.formatAccountIdForLog(expectedKeyString));
throw new CertificateException(e.toString());
} catch (Exception e) {
// Tests will cause this to fire
MartusLogger.logException(e);
throw new CertificateException(e.toString());
}
}
public void testSubKeyId() throws Exception {
MimeBodyPart msg = SMIMETestUtil.makeMimeBodyPart("WallaWallaWashington");
SMIMEEnvelopedGenerator gen = new SMIMEEnvelopedGenerator();
//
// create a subject key id - this has to be done the same way as
// it is done in the certificate associated with the private key
//
MessageDigest dig = MessageDigest.getInstance("SHA1", BC);
dig.update(
SubjectPublicKeyInfo.getInstance(_reciCert.getPublicKey().getEncoded())
.getPublicKeyData()
.getBytes());
gen.addRecipientInfoGenerator(
new JceKeyTransRecipientInfoGenerator(dig.digest(), _reciCert.getPublicKey())
.setProvider(BC));
//
// generate a MimeBodyPart object which encapsulates the content
// we want encrypted.
//
MimeBodyPart mp =
gen.generate(
msg,
new JceCMSContentEncryptorBuilder(CMSAlgorithm.DES_EDE3_CBC).setProvider(BC).build());
SMIMEEnveloped m = new SMIMEEnveloped(mp);
dig.update(
SubjectPublicKeyInfo.getInstance(_reciCert.getPublicKey().getEncoded())
.getPublicKeyData()
.getBytes());
RecipientId recId = new KeyTransRecipientId(dig.digest());
RecipientInformationStore recipients = m.getRecipientInfos();
RecipientInformation recipient = recipients.get(recId);
MimeBodyPart res =
SMIMEUtil.toMimeBodyPart(
recipient.getContent(
new JceKeyTransEnvelopedRecipient(_reciKP.getPrivate()).setProvider(BC)));
verifyMessageBytes(msg, res);
}
/**
* create from an issuer certificate and the serial number of the certificate it signed.
*
* @exception OCSPException if any problems occur creating the id fields.
*/
public CertificateID(
String hashAlgorithm, X509Certificate issuerCert, BigInteger number, String provider)
throws OCSPException {
try {
MessageDigest digest = MessageDigest.getInstance(hashAlgorithm, provider);
AlgorithmIdentifier hashAlg =
new AlgorithmIdentifier(new DERObjectIdentifier(hashAlgorithm), new DERNull());
X509Principal issuerName = PrincipalUtil.getSubjectX509Principal(issuerCert);
digest.update(issuerName.getEncoded());
ASN1OctetString issuerNameHash = new DEROctetString(digest.digest());
PublicKey issuerKey = issuerCert.getPublicKey();
ASN1InputStream aIn = new ASN1InputStream(issuerKey.getEncoded());
SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(aIn.readObject());
digest.update(info.getPublicKeyData().getBytes());
ASN1OctetString issuerKeyHash = new DEROctetString(digest.digest());
DERInteger serialNumber = new DERInteger(number);
this.id = new CertID(hashAlg, issuerNameHash, issuerKeyHash, serialNumber);
} catch (Exception e) {
throw new OCSPException("problem creating ID: " + e, e);
}
}
private int getAsymmetricKeyLength(X509Certificate certificate) {
PublicKey publicKey = certificate != null ? certificate.getPublicKey() : null;
return (publicKey instanceof RSAPublicKey)
? ((RSAPublicKey) publicKey).getModulus().bitLength()
: 0;
}
@Test(expected = IllegalArgumentException.class)
public void testWithNullForPrivateKey()
throws CertificateException, NoSuchAlgorithmException, KeyStoreException,
NoSuchProviderException, UnrecoverableEntryException, IOException {
HybridCrypto hybridCrypto =
new HybridCrypto(SecurityProviderConnectorFactory.getSecurityProviderConnector());
Certificates certificates =
new Certificates(SecurityProviderConnectorFactory.getSecurityProviderConnector());
StringWriter stringWriter = new StringWriter();
ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
String id = "test";
char[] password = "******".toCharArray();
X509Certificate cert = certificates.create(id, password, stringWriter, byteArrayOutputStream);
hybridCrypto.addRecipient("test", cert);
String message = "I am hybrid encrypted!";
HybridEncrypted hybridEncrypted =
hybridCrypto.build(
message.getBytes(),
new PrivateKeyExtractor()
.extractPrivateKey(
password, new ByteArrayInputStream(byteArrayOutputStream.toByteArray())));
HybridCrypto freshHybridCrypto =
new HybridCrypto(SecurityProviderConnectorFactory.getSecurityProviderConnector());
byte[] decryptedMessage = freshHybridCrypto.decrypt(hybridEncrypted, id, null);
Assert.assertArrayEquals(message.getBytes(), decryptedMessage);
Signature signature =
new Signature(SecurityProviderConnectorFactory.getSecurityProviderConnector());
Assert.assertTrue(
signature.verify(
hybridEncrypted.getEncryptedBody(),
hybridEncrypted.getSignature(),
cert.getPublicKey()));
}
/**
* Method engineResolvePublicKey
*
* @inheritDoc
* @param element
* @param BaseURI
* @param storage
*/
public PublicKey engineLookupAndResolvePublicKey(
Element element, String BaseURI, StorageResolver storage) {
if (!XMLUtils.elementIsInSignatureSpace(element, Constants._TAG_RETRIEVALMETHOD)) {
return null;
}
try {
// Create a retrieval method over the given element
RetrievalMethod rm = new RetrievalMethod(element, BaseURI);
String type = rm.getType();
XMLSignatureInput resource = resolveInput(rm, BaseURI);
if (RetrievalMethod.TYPE_RAWX509.equals(type)) {
// a raw certificate, direct parsing is done!
X509Certificate cert = getRawCertificate(resource);
if (cert != null) {
return cert.getPublicKey();
}
return null;
}
;
Element e = obtainRefrenceElement(resource);
return resolveKey(e, BaseURI, storage);
} catch (XMLSecurityException ex) {
log.log(java.util.logging.Level.FINE, "XMLSecurityException", ex);
} catch (CertificateException ex) {
log.log(java.util.logging.Level.FINE, "CertificateException", ex);
} catch (IOException ex) {
log.log(java.util.logging.Level.FINE, "IOException", ex);
} catch (ParserConfigurationException e) {
log.log(java.util.logging.Level.FINE, "ParserConfigurationException", e);
} catch (SAXException e) {
log.log(java.util.logging.Level.FINE, "SAXException", e);
}
return null;
}
private X509CRL checkAndExtractCRL(TrustedAuthority ta, X509Certificate signer)
throws IllegalTrustedAuthorityFault {
X509CRL crl = null;
if (ta.getCRL() != null) {
if (ta.getCRL().getCrlEncodedString() != null) {
try {
crl = CertUtil.loadCRL(ta.getCRL().getCrlEncodedString());
} catch (Exception ex) {
IllegalTrustedAuthorityFault fault = new IllegalTrustedAuthorityFault();
fault.setFaultString("Invalid CRL provided!!!");
throw fault;
}
try {
crl.verify(signer.getPublicKey());
} catch (Exception e) {
IllegalTrustedAuthorityFault fault = new IllegalTrustedAuthorityFault();
fault.setFaultString("The CRL provided is not signed by the Trusted Authority!!!");
throw fault;
}
}
}
return crl;
}
public void testProtectedMessage() throws Exception {
KeyPairGenerator kGen = KeyPairGenerator.getInstance("RSA", BC);
kGen.initialize(512);
KeyPair kp = kGen.generateKeyPair();
X509CertificateHolder cert = makeV3Certificate(kp, "CN=Test", kp, "CN=Test");
GeneralName sender = new GeneralName(new X500Name("CN=Sender"));
GeneralName recipient = new GeneralName(new X500Name("CN=Recip"));
ContentSigner signer =
new JcaContentSignerBuilder("MD5WithRSAEncryption").setProvider(BC).build(kp.getPrivate());
ProtectedPKIMessage message =
new ProtectedPKIMessageBuilder(sender, recipient)
.setBody(
new PKIBody(
PKIBody.TYPE_INIT_REP,
CertRepMessage.getInstance(new DERSequence(new DERSequence()))))
.addCMPCertificate(cert)
.build(signer);
X509Certificate jcaCert =
new JcaX509CertificateConverter()
.setProvider(BC)
.getCertificate(message.getCertificates()[0]);
ContentVerifierProvider verifierProvider =
new JcaContentVerifierProviderBuilder().setProvider(BC).build(jcaCert.getPublicKey());
assertTrue(message.verify(verifierProvider));
assertEquals(sender, message.getHeader().getSender());
assertEquals(recipient, message.getHeader().getRecipient());
}
public String encryptRSA(String toEncrypt) throws Exception {
Cipher cipher = Cipher.getInstance("RSA");
PublicKey pubKey = x509.getPublicKey();
cipher.init(Cipher.ENCRYPT_MODE, pubKey);
byte[] encryptedBytes = cipher.doFinal(toEncrypt.getBytes("UTF-8"));
return Base64.encodeBase64String(encryptedBytes);
}
/**
* java.security.KeyStore#setCertificateEntry(java.lang.String, java.security.cert.Certificate)
*/
public void test_setCertificateEntryLjava_lang_StringLjava_security_cert_Certificate()
throws Exception {
// Test for method void
// java.security.KeyStore.setCertificateEntry(java.lang.String,
// java.security.cert.Certificate)
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(certArray);
KeyStore keyTest = KeyStore.getInstance(KeyStore.getDefaultType());
try {
keyTest.setCertificateEntry("alias", cert);
fail();
} catch (KeyStoreException expected) {
}
keyTest.load(null, null);
PublicKey pub = cert.getPublicKey();
keyTest.setCertificateEntry("alias1", cert);
assertTrue(
"the entry specified by the alias alias1 is not a certificate",
keyTest.isCertificateEntry("alias1"));
Certificate resultCert = keyTest.getCertificate("alias1");
assertEquals(
"the public key of the certificate from getCertificate() "
+ "did not equal the original certificate",
pub,
resultCert.getPublicKey());
}
/**
* Add a recipient based on the passed in certificate's public key and its issuer and serial
* number.
*
* @param recipientCert recipient's certificate
* @return the current instance.
* @throws CertificateEncodingException if the necessary data cannot be extracted from the
* certificate.
*/
public JceKeyAgreeRecipientInfoGenerator addRecipient(X509Certificate recipientCert)
throws CertificateEncodingException {
recipientIDs.add(
new KeyAgreeRecipientIdentifier(CMSUtils.getIssuerAndSerialNumber(recipientCert)));
recipientKeys.add(recipientCert.getPublicKey());
return this;
}
/**
* Extracts the presenter's key and/or certificate from the validation context.
*
* @param context current validation context
* @return the presenter's key/cert pair, information not available in the context is null
* @throws AssertionValidationException thrown if there is a problem obtaining the data
*/
@Nonnull
protected Pair<PublicKey, X509Certificate> getKeyAndCertificate(
@Nonnull final ValidationContext context) throws AssertionValidationException {
PublicKey presenterKey = null;
try {
presenterKey =
(PublicKey)
context
.getStaticParameters()
.get(SAML2AssertionValidationParameters.SC_HOK_PRESENTER_KEY);
} catch (ClassCastException e) {
throw new IllegalArgumentException(
String.format(
"The value of the static validation parameter '%s' was not of the required type '%s'",
SAML2AssertionValidationParameters.SC_HOK_PRESENTER_KEY, PublicKey.class.getName()));
}
X509Certificate presenterCert = null;
try {
presenterCert =
(X509Certificate)
context
.getStaticParameters()
.get(SAML2AssertionValidationParameters.SC_HOK_PRESENTER_CERT);
if (presenterCert != null) {
if (presenterKey != null) {
if (!presenterKey.equals(presenterCert.getPublicKey())) {
throw new IllegalArgumentException(
"Presenter's certificate contains a different public key "
+ "than the one explicitly given");
}
} else {
presenterKey = presenterCert.getPublicKey();
}
}
} catch (ClassCastException e) {
throw new IllegalArgumentException(
String.format(
"The value of the static validation parameter '%s' was not of the required type '%s'",
SAML2AssertionValidationParameters.SC_HOK_PRESENTER_CERT,
X509Certificate.class.getName()));
}
return new Pair<>(presenterKey, presenterCert);
}
@Override
public PublicKey getUserPublicKey() {
X509Certificate x509Certificate = getUserX509Certificate();
if (x509Certificate == null) {
return null;
} else {
return x509Certificate.getPublicKey();
}
}
public static PublicKey getEncryptCertPublicKey() {
try {
if (null == encryptCert) initEncryptCert();
return encryptCert.getPublicKey();
} catch (Exception e) {
logger.error(e.getMessage());
}
return null;
}
/**
* Method getPublicKey
*
* @return the publickey
* @throws XMLSecurityException
*/
public PublicKey getPublicKey() throws XMLSecurityException {
X509Certificate cert = this.getX509Certificate();
if (cert != null) {
return cert.getPublicKey();
}
return null;
}
private static String getFingerprint(X509Certificate cert) {
try {
MessageDigest dgst = MessageDigest.getInstance("SHA512");
byte[] encoded = cert.getPublicKey().getEncoded();
byte[] fingerprint = dgst.digest(encoded);
return IntegralToString.bytesToHexString(fingerprint, false);
} catch (NoSuchAlgorithmException e) {
throw new AssertionError(e);
}
}
public void testSignatureVerificationRoundtrip() throws Exception {
String signatureBaseString =
"GET&https%3A%2F%2Fcheetah.dhcp.pgdev.sap.corp%2Foauth%2Ftest_consumer_request&oauth_consumer_key%3D1VMzOctCAidMaahS9yJU%26oauth_nonce%3DNtX9Gah3Bw%26oauth_signature_method%3DRSA-SHA1%26oauth_timestamp%3D1307748357%26oauth_token%3D%26oauth_version%3D1.0";
String signature =
OAuthUtils.calculateRsaSha1Signature(signatureBaseString, TEST_CONSUMER_PRIVATE_KEY);
boolean valid =
OAuthUtils.verifyRsaSha1Signature(
TEST_CONSUMER_CERTIFICATE.getPublicKey(), signature, signatureBaseString);
assertTrue(valid);
}
private static ASN1Sequence fromCertificate(X509Certificate certificate)
throws CertificateParsingException {
try {
if (certificate.getVersion() != 3) {
GeneralName genName = new GeneralName(PrincipalUtil.getIssuerX509Principal(certificate));
SubjectPublicKeyInfo info =
new SubjectPublicKeyInfo(
(ASN1Sequence)
new ASN1InputStream(certificate.getPublicKey().getEncoded()).readObject());
return (ASN1Sequence)
new AuthorityKeyIdentifier(
info, new GeneralNames(genName), certificate.getSerialNumber())
.toASN1Object();
} else {
GeneralName genName = new GeneralName(PrincipalUtil.getIssuerX509Principal(certificate));
byte[] ext = certificate.getExtensionValue(X509Extensions.SubjectKeyIdentifier.getId());
if (ext != null) {
ASN1OctetString str = (ASN1OctetString) X509ExtensionUtil.fromExtensionValue(ext);
return (ASN1Sequence)
new AuthorityKeyIdentifier(
str.getOctets(), new GeneralNames(genName), certificate.getSerialNumber())
.toASN1Object();
} else {
SubjectPublicKeyInfo info =
new SubjectPublicKeyInfo(
(ASN1Sequence)
new ASN1InputStream(certificate.getPublicKey().getEncoded()).readObject());
return (ASN1Sequence)
new AuthorityKeyIdentifier(
info, new GeneralNames(genName), certificate.getSerialNumber())
.toASN1Object();
}
}
} catch (Exception e) {
throw new CertificateParsingException(
"Exception extracting certificate details: " + e.toString());
}
}
/**
* verify that the given certificate successfully handles and confirms the signature associated
* with this signer and, if a signingTime attribute is available, that the certificate was valid
* at the time the signature was generated.
*
* @deprecated use verify(ContentVerifierProvider)
*/
public boolean verify(X509Certificate cert, Provider sigProvider)
throws NoSuchAlgorithmException, CertificateExpiredException, CertificateNotYetValidException,
CMSException {
Time signingTime = getSigningTime();
if (signingTime != null) {
cert.checkValidity(signingTime.getDate());
}
return doVerify(cert.getPublicKey(), sigProvider);
}
/**
* Method engineResolvePublicKey
*
* @param element
* @param BaseURI
* @param storage
* @return null if no {@link PublicKey} could be obtained
* @throws KeyResolverException
*/
public PublicKey engineLookupAndResolvePublicKey(
Element element, String BaseURI, StorageResolver storage) throws KeyResolverException {
X509Certificate cert = this.engineLookupResolveX509Certificate(element, BaseURI, storage);
if (cert != null) {
return cert.getPublicKey();
}
return null;
}
/**
* Resets the PKCS7SignedData object to it's initial state, ready to sign or verify a new buffer.
*/
public void reset() {
try {
if (privKey == null) {
sig.initVerify(signCert.getPublicKey());
} else {
sig.initSign(privKey);
}
} catch (Exception e) {
throw new RuntimeException(e.toString());
}
}
protected void getClientPublicKey(byte[] clpubkey) throws Exception {
DERObject obj = BouncyCastleUtil.toDERObject(clpubkey);
byte[] pubkey = BouncyCastleUtil.toByteArray(obj);
ByteArrayInputStream in = new ByteArrayInputStream(pubkey);
X509Certificate cert = CertUtil.loadCertificate(in);
SCUtil.pathValidation(cert, trustedCerts);
logger.finest("path validated !!!");
clPubkey = cert.getPublicKey();
}
private X509Certificate generateCertificate(
PublicKey subjectPublicKey,
String subjectDn,
DateTime notBefore,
DateTime notAfter,
X509Certificate issuerCertificate,
PrivateKey issuerPrivateKey)
throws Exception {
X509V3CertificateGenerator certificateGenerator = new X509V3CertificateGenerator();
certificateGenerator.reset();
certificateGenerator.setPublicKey(subjectPublicKey);
certificateGenerator.setSignatureAlgorithm("SHA1WithRSAEncryption");
certificateGenerator.setNotBefore(notBefore.toDate());
certificateGenerator.setNotAfter(notAfter.toDate());
X509Principal issuerDN;
if (null != issuerCertificate) {
issuerDN = new X509Principal(issuerCertificate.getSubjectX500Principal().toString());
} else {
issuerDN = new X509Principal(subjectDn);
}
certificateGenerator.setIssuerDN(issuerDN);
certificateGenerator.setSubjectDN(new X509Principal(subjectDn));
certificateGenerator.setSerialNumber(new BigInteger(128, new SecureRandom()));
certificateGenerator.addExtension(
X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(subjectPublicKey));
PublicKey issuerPublicKey;
if (null != issuerCertificate) {
issuerPublicKey = issuerCertificate.getPublicKey();
} else {
issuerPublicKey = subjectPublicKey;
}
certificateGenerator.addExtension(
X509Extensions.AuthorityKeyIdentifier, false, createAuthorityKeyId(issuerPublicKey));
X509Certificate certificate;
certificate = certificateGenerator.generate(issuerPrivateKey);
/*
* Next certificate factory trick is needed to make sure that the
* certificate delivered to the caller is provided by the default
* security provider instead of BouncyCastle. If we don't do this trick
* we might run into trouble when trying to use the CertPath validator.
*/
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
certificate =
(X509Certificate)
certificateFactory.generateCertificate(
new ByteArrayInputStream(certificate.getEncoded()));
return certificate;
}
private void verify(X509Certificate[] certs, String authType) throws CertificateException {
final int len = certs.length;
for (int i = 0; i < len; i++) {
final X509Certificate currentX509Cert = certs[i];
try {
if (i == len - 1) {
if (currentX509Cert.getSubjectDN().equals(currentX509Cert.getIssuerDN()))
currentX509Cert.verify(currentX509Cert.getPublicKey());
} else {
final X509Certificate nextX509Cert = certs[i + 1];
currentX509Cert.verify(nextX509Cert.getPublicKey());
}
} catch (final Exception e) {
final CertificateException ce =
new ECFCertificateException(
"Certificate chain is not valid", certs, authType); // $NON-NLS-1$
ce.initCause(e);
throw ce;
}
}
}
private static boolean isValidLink(X509Certificate parent, X509Certificate child) {
if (!parent.getSubjectX500Principal().equals(child.getIssuerX500Principal())) {
return false;
}
try {
child.verify(parent.getPublicKey());
} catch (GeneralSecurityException gse) {
return false;
}
return true;
}
public static void geneneratePublicKey() throws Exception {
String file = "C:\\ca\\client\\test02.der";
// String key = getPrivateKey("C:\\ca\\client\\test02.der");
FileInputStream inpri = new FileInputStream(file);
CertificateFactory cf = CertificateFactory.getInstance("X509");
X509Certificate c = (X509Certificate) cf.generateCertificate(inpri);
System.out.println(c.getPublicKey());
// KeySpec keySpec = new X509EncodedKeySpec(key.getBytes());
// KeyFactory keyFactory = KeyFactory.getInstance("RSA");
// PublicKey pk = keyFactory.generatePublic(keySpec);
// System.out.println(pk);
}
public static boolean isRootCA(X509Certificate cert) {
boolean ret = false;
try {
cert.verify(cert.getPublicKey());
ret = true;
} catch (InvalidKeyException e) {
} catch (CertificateException e) {
} catch (NoSuchAlgorithmException e) {
} catch (NoSuchProviderException e) {
} catch (SignatureException e) {
}
return ret;
}
