generator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(maxIntermediateCas)); encodableAltNames[i] = new GeneralName(tag, altName); generator.addExtension(X509Extensions.SubjectAlternativeName, true, new DERSequence(encodableAltNames));
/**
 * add a given extension field for the standard extensions tag (tag 3)
 *
 * @param oid      dotted-decimal object identifier of the extension
 * @param critical whether the extension is flagged critical
 * @param value    ASN.1 value of the extension
 */
public void addExtension(String oid, boolean critical, ASN1Encodable value) {
    // delegate to the ASN1ObjectIdentifier overload after parsing the OID string
    ASN1ObjectIdentifier extensionOid = new ASN1ObjectIdentifier(oid);
    addExtension(extensionOid, critical, value);
}
/**
 * add a given extension field for the standard extensions tag (tag 3)
 * The value parameter becomes the contents of the octet string associated
 * with the extension.
 *
 * @param oid      dotted-decimal object identifier of the extension
 * @param critical whether the extension is flagged critical
 * @param value    raw bytes that become the extension's OCTET STRING contents
 */
public void addExtension(String oid, boolean critical, byte[] value) {
    // delegate to the ASN1ObjectIdentifier overload after parsing the OID string
    ASN1ObjectIdentifier extensionOid = new ASN1ObjectIdentifier(oid);
    addExtension(extensionOid, critical, value);
}
/**
 * Adds the extension this code puts on a CA certificate: a critical
 * BasicConstraints with cA=true and a path length constraint of 0
 * (the CA may issue end-entity certificates but no subordinate CAs).
 *
 * @param certGen generator the extension is added to
 * @throws IOException declared by the original signature
 */
private static void addCACertificateExtensions(X509V3CertificateGenerator certGen) throws IOException {
    // BasicConstraints(int) builds a cA=true value with the given pathLenConstraint
    BasicConstraints caWithNoSubCas = new BasicConstraints(0);
    // NOTE(review): no KeyUsage with keyCertSign is added here; if relying parties
    // enforce RFC 5280 KeyUsage checks on CA certificates, confirm the caller adds it.
    certGen.addExtension(X509Extensions.BasicConstraints, true, caWithNoSubCas);
}
// generate a key pair KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC"); keyPairGenerator.initialize(4096, new SecureRandom()); KeyPair keyPair = keyPairGenerator.generateKeyPair(); // build a certificate generator X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); X500Principal dnName = new X500Principal("cn=example"); // add some options certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis())); certGen.setSubjectDN(new X509Name("dc=name")); certGen.setIssuerDN(dnName); // use the same // yesterday certGen.setNotBefore(new Date(System.currentTimeMillis() - 24 * 60 * 60 * 1000)); // in 2 years certGen.setNotAfter(new Date(System.currentTimeMillis() + 2 * 365 * 24 * 60 * 60 * 1000)); certGen.setPublicKey(keyPair.getPublic()); certGen.setSignatureAlgorithm("SHA256WithRSAEncryption"); certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_timeStamping)); // finally, sign the certificate with the private key of the same KeyPair X509Certificate cert = certGen.generate(keyPair.getPrivate(), "BC");
certGen.setSignatureAlgorithm("SHA256WithRSA"); certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false)); certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)); certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth)); certGen.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(new GeneralName(GeneralName.rfc822Name, "test@test.test")));
serverCertGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(serverPublicKey)); serverChain[0] = serverCertGen.generateX509Certificate(serverPrivateKey, "BC"); // note: private key of CA
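/**
 * Builds an X.509 v3 certificate over the public half of {@code keyPair} and
 * signs it with the private half (self-signed when subject and issuer match).
 *
 * @param keyPair      key pair whose public key is certified and whose private key signs
 * @param subject      subject distinguished name
 * @param issuer       issuer distinguished name
 * @param notBefore    start of the validity period
 * @param notAfter     end of the validity period
 * @param serialNumber certificate serial number
 * @param generalNames subject alternative names; the extension is omitted when {@code null}
 * @param isCA         value of the cA flag in the critical BasicConstraints extension
 * @return the signed certificate
 * @throws GeneralSecurityException if the provider lookup or signing fails
 */
private X509Certificate generateX509V3Certificate(final KeyPair keyPair, final X500Principal subject,
        final X500Principal issuer, final Date notBefore, final Date notAfter,
        final BigInteger serialNumber, final GeneralNames generalNames, final boolean isCA)
        throws GeneralSecurityException {
    // addProvider returns -1 and does nothing when BC is already registered,
    // so calling it on every invocation is harmless
    Security.addProvider(new BouncyCastleProvider());

    X509V3CertificateGenerator generator = new X509V3CertificateGenerator();
    generator.setSerialNumber(serialNumber);
    generator.setIssuerDN(issuer);
    generator.setSubjectDN(subject);
    generator.setNotBefore(notBefore);
    generator.setNotAfter(notAfter);
    generator.setPublicKey(keyPair.getPublic());
    generator.setSignatureAlgorithm("SHA256WithRSAEncryption");

    generator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(isCA));
    // the previous magic number 160 is digitalSignature (128) | keyEncipherment (32);
    // spelled out with the named bits so the intent is visible.
    // NOTE(review): keyCertSign is never set, even when isCA is true; validators that
    // enforce RFC 5280 KeyUsage rules on CA certificates will reject such a CA — confirm intent.
    generator.addExtension(X509Extensions.KeyUsage, true,
            new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
    generator.addExtension(X509Extensions.ExtendedKeyUsage, true,
            new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
    if (generalNames != null) {
        generator.addExtension(X509Extensions.SubjectAlternativeName, false, generalNames);
    }
    return generator.generateX509Certificate(keyPair.getPrivate(), "BC");
}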
v1CertGen.setSignatureAlgorithm("SHA1WithRSAEncryption"); v1CertGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true)); v1CertGen.addExtension(X509Extensions.SubjectAlternativeName, false, subjectAltName);
/**
 * Issues a certificate binding {@code keyToCertify} to {@code subject}, signed
 * with the issuer's private key through the BC provider.
 * <p>
 * Uses the configured serial number when one is set; otherwise derives a
 * positive serial from {@code srand}. Any failure is rethrown via
 * {@code Exceptions.propagate}.
 *
 * @param subject      subject distinguished name of the new certificate
 * @param keyToCertify public key placed in the certificate
 * @return the signed certificate
 */
public X509Certificate newCertificateFor(X500Principal subject, PublicKey keyToCertify) {
    try {
        X509V3CertificateGenerator gen = new X509V3CertificateGenerator();

        BigInteger serial;
        if (serialNumber != null) {
            serial = serialNumber;
        } else {
            // serial numbers must be positive: abs() then +1 guards against zero
            serial = BigInteger.valueOf(srand.nextLong()).abs().add(BigInteger.ONE);
        }
        gen.setSerialNumber(serial);
        gen.setIssuerDN(issuerPrincipal);
        gen.setNotBefore(validityStartDate);
        gen.setNotAfter(validityEndDate);
        gen.setSignatureAlgorithm(signatureAlgorithm);
        gen.setSubjectDN(subject);
        gen.setPublicKey(keyToCertify);

        gen.addExtension(X509Extension.subjectKeyIdentifier, false,
                new SubjectKeyIdentifierStructure(keyToCertify));
        if (authorityKeyIdentifier != null) {
            gen.addExtension(X509Extension.authorityKeyIdentifier, false, authorityKeyIdentifier);
        }

        return gen.generate(issuerKey.getPrivate(), "BC");
    } catch (Exception e) {
        throw Exceptions.propagate(e);
    }
}
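/**
 * add a given extension field for the standard extensions tag (tag 3)
 * copying the extension value from another certificate.
 *
 * @param oid      dotted-decimal object identifier of the extension to copy
 * @param critical whether the copied extension is flagged critical
 * @param cert     certificate the extension value is read from
 * @throws CertificateParsingException if the extension is absent or cannot be decoded;
 *         for decoding failures the underlying {@link IOException} is kept as the cause.
 */
public void copyAndAddExtension(String oid, boolean critical, X509Certificate cert)
        throws CertificateParsingException {
    byte[] extValue = cert.getExtensionValue(oid);
    if (extValue == null) {
        throw new CertificateParsingException("extension " + oid + " not present");
    }
    try {
        ASN1Encodable value = X509ExtensionUtil.fromExtensionValue(extValue);
        this.addExtension(oid, critical, value);
    } catch (IOException e) {
        // keep the same message as before, but preserve the cause instead of
        // flattening it to a string so the decoding failure stays diagnosable
        throw new CertificateParsingException(e.toString(), e);
    }
}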
v3CertGen.setSignatureAlgorithm("MD5WithRSAEncryption"); v3CertGen.addExtension( X509Extensions.SubjectKeyIdentifier, false, createSubjectKeyId(subPub)); v3CertGen.addExtension( X509Extensions.AuthorityKeyIdentifier, false,
/**
 * Issues a certificate binding {@code keyToCertify} to {@code subject}, signed
 * with the issuer's private key through the BC provider.
 * <p>
 * Uses the configured serial number when one is set; otherwise derives a
 * positive serial from {@code srand}. The subject key identifier is computed
 * with {@code JcaX509ExtensionUtils}. Any failure is rethrown via
 * {@code Exceptions.propagate}.
 *
 * @param subject      subject distinguished name of the new certificate
 * @param keyToCertify public key placed in the certificate
 * @return the signed certificate
 */
@SuppressWarnings("deprecation")
public X509Certificate newCertificateFor(X500Principal subject, PublicKey keyToCertify) {
    try {
        X509V3CertificateGenerator gen = new X509V3CertificateGenerator();

        BigInteger serial;
        if (serialNumber != null) {
            serial = serialNumber;
        } else {
            // serial numbers must be positive: abs() then +1 guards against zero
            serial = BigInteger.valueOf(srand.nextLong()).abs().add(BigInteger.ONE);
        }
        gen.setSerialNumber(serial);
        gen.setIssuerDN(issuerPrincipal);
        gen.setNotBefore(validityStartDate);
        gen.setNotAfter(validityEndDate);
        gen.setSignatureAlgorithm(signatureAlgorithm);
        gen.setSubjectDN(subject);
        gen.setPublicKey(keyToCertify);

        JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
        gen.addExtension(X509Extension.subjectKeyIdentifier, false,
                extUtils.createSubjectKeyIdentifier(keyToCertify));
        if (authorityKeyIdentifier != null) {
            gen.addExtension(X509Extension.authorityKeyIdentifier, false, authorityKeyIdentifier);
        }

        return gen.generate(issuerKey.getPrivate(), "BC");
    } catch (Exception e) {
        throw Exceptions.propagate(e);
    }
}
generator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(maxIntermediateCas));
generator.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(maxIntermediateCas)); encodableAltNames[i] = new GeneralName(tag, altName); generator.addExtension(X509Extensions.SubjectAlternativeName, true, new DERSequence(encodableAltNames));
v3CertGen.addExtension( X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(keyPair.getPublic())); v3CertGen.addExtension( X509Extensions.BasicConstraints, true, new BasicConstraints(0)); v3CertGen.addExtension( X509Extensions.KeyUsage, false, typicalCAExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.verisignUnknown)); v3CertGen.addExtension( X509Extensions.ExtendedKeyUsage, false,
certGen.setSignatureAlgorithm("SHA1withRSA"); certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, new AuthorityKeyIdentifierStructure(caCert)); certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, new SubjectKeyIdentifierStructure(key)); certGen.addExtension(X509Extensions.KeyUsage, false, ku);
/**
 * Generates an X.509 certificate signed with {@code privateKey} using the
 * provider named by {@code cryptoContext}.
 * <p>
 * The validity window starts {@code Time.CLOCK_SKEW} before now and ends
 * {@code Time.CLOCK_SKEW} before {@code now + validity}; every supplied
 * extension holder is added as-is. Provider/signing failures and generator
 * state errors are wrapped in {@code CryptoFailure}.
 *
 * @param privateKey     signing key
 * @param issuerDN       issuer distinguished name
 * @param serialNumber   certificate serial number
 * @param subjectDN      subject distinguished name
 * @param publicKey      public key to certify
 * @param validity       length of the validity period
 * @param x509Extensions extensions to add, each with its OID, criticality and value
 * @return the signed certificate
 */
@Override
public X509Certificate generateX509Certificate(PrivateKey privateKey, DistinguishedName issuerDN,
        BigInteger serialNumber, DistinguishedName subjectDN, PublicKey publicKey,
        Duration validity, List<X509ExtensionHolder> x509Extensions) {
    try {
        X509V3CertificateGenerator gen = new X509V3CertificateGenerator();
        DateTime now = new DateTime();
        // both ends of the window are pulled back by CLOCK_SKEW
        DateTime notBefore = now.minus(Time.CLOCK_SKEW);
        DateTime notAfter = now.plus(validity).minus(Time.CLOCK_SKEW);

        gen.setSerialNumber(serialNumber);
        gen.setSubjectDN(subjectDN.toX500Principal());
        gen.setIssuerDN(issuerDN.toX500Principal());
        gen.setNotBefore(notBefore.toDate());
        gen.setNotAfter(notAfter.toDate());
        gen.setSignatureAlgorithm(SignatureAlgorithm.SHA256withRSA.jcaString());
        gen.setPublicKey(publicKey);

        for (X509ExtensionHolder holder : x509Extensions) {
            gen.addExtension(holder.getDerOID(), holder.isCritical(), holder.getValue());
        }

        return gen.generate(privateKey, cryptoContext.providerName());
    } catch (GeneralSecurityException ex) {
        throw new CryptoFailure("Unable to generate X509Certificate", ex);
    } catch (IllegalStateException ex) {
        throw new CryptoFailure("Unable to generate X509Certificate", ex);
    }
}
generator.addExtension( X509Extensions.BasicConstraints, true, new BasicConstraints(maxIntermediateCas)); encodableAltNames[i] = new GeneralName(tag, altName); generator.addExtension( X509Extensions.SubjectAlternativeName, true, new DERSequence(encodableAltNames));
if (bcExtensions != null) { for (ASN1ObjectIdentifier oid : bcExtensions.getNonCriticalExtensionOIDs()) { certGen.addExtension(oid.getId(), false, bcExtensions.getExtension(oid).getExtnValue().getOctets()); certGen.addExtension(oid.getId(), true, bcExtensions.getExtension(oid).getExtnValue().getOctets());