Examples of org.bouncycastle.x509.X509V3CertificateGenerator

• org.bouncycastle.x509.X509V3CertificateGenerator
  class to produce an X.509 Version 3 certificate. @deprecated use org.bouncycastle.cert.X509v3CertificateBuilder.

        //

        //
        // create the certificate - version 3
        //
        X509V3CertificateGenerator  certGen = new X509V3CertificateGenerator();

        certGen.setSerialNumber(BigInteger.valueOf(1));
        certGen.setIssuerDN(new X509Principal(attrs));
        certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000));
        certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000));
        certGen.setSubjectDN(new X509Principal(attrs));
        certGen.setPublicKey(pubKey);
        certGen.setSignatureAlgorithm("SHA1withDSA");

        try
        {
            X509Certificate cert = certGen.generate(privKey);

            cert.checkValidity(new Date());

            cert.verify(pubKey);

            ByteArrayInputStream    bIn = new ByteArrayInputStream(cert.getEncoded());
            CertificateFactory      fact = CertificateFactory.getInstance("X.509", "BC");

            cert = (X509Certificate)fact.generateCertificate(bIn);

            // System.out.println(cert);
        }
        catch (Exception e)
        {
            fail("error setting generating cert - " + e.toString());
        }

        //
        // create the certificate - version 1
        //
        X509V1CertificateGenerator  certGen1 = new X509V1CertificateGenerator();

        certGen1.setSerialNumber(BigInteger.valueOf(1));
        certGen1.setIssuerDN(new X509Principal(attrs));
        certGen1.setNotBefore(new Date(System.currentTimeMillis() - 50000));
        certGen1.setNotAfter(new Date(System.currentTimeMillis() + 50000));
        certGen1.setSubjectDN(new X509Principal(attrs));
        certGen1.setPublicKey(pubKey);
        certGen1.setSignatureAlgorithm("SHA1withDSA");

        try
        {
            X509Certificate cert = certGen1.generate(privKey);

            cert.checkValidity(new Date());

            cert.verify(pubKey);

            ByteArrayInputStream    bIn = new ByteArrayInputStream(cert.getEncoded());
            CertificateFactory      fact = CertificateFactory.getInstance("X.509", "BC");

            cert = (X509Certificate)fact.generateCertificate(bIn);

            //System.out.println(cert);
        }
        catch (Exception e)
        {
            fail("error setting generating cert - " + e.toString());
        }

        //
        // exception test
        //
        try
        {
            certGen.setPublicKey(dudPublicKey);

            fail("key without encoding not detected in v1");
        }
        catch (IllegalArgumentException e)
        {

        }

        //
        // create the certificate - version 3
        //
        X509V3CertificateGenerator  certGen = new X509V3CertificateGenerator();

        certGen.setSerialNumber(BigInteger.valueOf(1));
        certGen.setIssuerDN(new X509Principal(order, attrs));
        certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000));
        certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000));
        certGen.setSubjectDN(new X509Principal(order, attrs));
        certGen.setPublicKey(pubKey);
        certGen.setSignatureAlgorithm("SHA1withECDSA");

        try
        {
            X509Certificate cert = certGen.generate(privKey);

            cert.checkValidity(new Date());

            cert.verify(pubKey);

            ByteArrayInputStream    bIn = new ByteArrayInputStream(cert.getEncoded());
            CertificateFactory      fact = CertificateFactory.getInstance("X.509", "BC");

            cert = (X509Certificate)fact.generateCertificate(bIn);

            //
            // try with point compression turned off
            //
            ((ECPointEncoder)pubKey).setPointFormat("UNCOMPRESSED");

            certGen.setPublicKey(pubKey);

            cert = certGen.generate(privKey, "BC");

            cert.checkValidity(new Date());

            cert.verify(pubKey);

        order.addElement(X509Principal.E);

        //
        // create the certificate - version 3
        //
        X509V3CertificateGenerator  certGen = new X509V3CertificateGenerator();

        certGen.setSerialNumber(BigInteger.valueOf(1));
        certGen.setIssuerDN(new X509Principal(order, attrs));
        certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000));
        certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000));
        certGen.setSubjectDN(new X509Principal(order, attrs));
        certGen.setPublicKey(pubKey);
        certGen.setSignatureAlgorithm(algorithm);


        X509Certificate cert = certGen.generate(privKey, "BC");

        cert.checkValidity(new Date());

        cert.verify(pubKey);

        ByteArrayInputStream    bIn = new ByteArrayInputStream(cert.getEncoded());
        CertificateFactory      certFact = CertificateFactory.getInstance("X.509", "BC");

        cert = (X509Certificate)certFact.generateCertificate(bIn);

        //
        // try with point compression turned off
        //
        ((ECPointEncoder)pubKey).setPointFormat("UNCOMPRESSED");

        certGen.setPublicKey(pubKey);

        cert = certGen.generate(privKey, "BC");

        cert.checkValidity(new Date());

        cert.verify(pubKey);

        //

        //
        // create the certificate - version 3
        //
        X509V3CertificateGenerator  certGen = new X509V3CertificateGenerator();

        certGen.setSerialNumber(BigInteger.valueOf(1));
        certGen.setIssuerDN(new X509Principal(attrs));
        certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000));
        certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000));
        certGen.setSubjectDN(new X509Principal(attrs));
        certGen.setPublicKey(pubKey);
        certGen.setSignatureAlgorithm("GOST3411withGOST3410");

        X509Certificate cert = certGen.generate(privKey, "BC");

        cert.checkValidity(new Date());

        //
        // check verifies in general

        values.addElement("feedback-crypto@bouncycastle.org");

        //
        // create base certificate - version 3
        //
        X509V3CertificateGenerator  certGen = new X509V3CertificateGenerator();

        certGen.setSerialNumber(BigInteger.valueOf(1));
        certGen.setIssuerDN(new X509Principal(attrs));
        certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000));
        certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000));
        certGen.setSubjectDN(new X509Principal(attrs));
        certGen.setPublicKey(pubKey);
        certGen.setSignatureAlgorithm("MD5WithRSAEncryption");
        certGen.addExtension("2.5.29.15", true,
            new X509KeyUsage(X509KeyUsage.encipherOnly));
        certGen.addExtension("2.5.29.37", true,
            new DERSequence(KeyPurposeId.anyExtendedKeyUsage));
        certGen.addExtension("2.5.29.17", true,
            new GeneralNames(new GeneralName(GeneralName.rfc822Name, "test@test.test")));

        X509Certificate baseCert = certGen.generate(privKey, "BC");

        //
        // copy certificate
        //
        certGen = new X509V3CertificateGenerator();

        certGen.setSerialNumber(BigInteger.valueOf(1));
        certGen.setIssuerDN(new X509Principal(attrs));
        certGen.setNotBefore(new Date(System.currentTimeMillis() - 50000));
        certGen.setNotAfter(new Date(System.currentTimeMillis() + 50000));
        certGen.setSubjectDN(new X509Principal(attrs));
        certGen.setPublicKey(pubKey);
        certGen.setSignatureAlgorithm("MD5WithRSAEncryption");

        certGen.copyAndAddExtension(new DERObjectIdentifier("2.5.29.15"), true, baseCert);
        certGen.copyAndAddExtension("2.5.29.37", false, baseCert);

        X509Certificate cert = certGen.generate(privKey, "BC");

        cert.checkValidity(new Date());

        cert.verify(pubKey);

        if (!areEqual(baseCert.getExtensionValue("2.5.29.15"), cert.getExtensionValue("2.5.29.15")))
        {
            fail("2.5.29.15 differs");
        }

        if (!areEqual(baseCert.getExtensionValue("2.5.29.37"), cert.getExtensionValue("2.5.29.37")))
        {
            fail("2.5.29.37 differs");
        }

        //
        // exception test
        //
        try
        {
            certGen.copyAndAddExtension("2.5.99.99", true, baseCert);

            fail("exception not thrown on dud extension copy");
        }
        catch (CertificateParsingException e)
        {
            // expected
        }

        try
        {
            certGen.setPublicKey(dudPublicKey);

            certGen.generate(privKey, "BC");

            fail("key without encoding not detected in v3");
        }
        catch (IllegalArgumentException e)
        {

      CertificateNotYetValidException,
      CertificateException,
      NoSuchAlgorithmException,
      NoSuchProviderException
  {
    X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();

    v3CertGen.setSubjectDN(new X500Principal(subject));
    v3CertGen.setSignatureAlgorithm(CertificateCreator.SIGN_ALGO);
    v3CertGen.setPublicKey(newPubKey);
    v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + 30L * 60 * 60 * 24 * 30 * 12));
    v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30 *12));
    v3CertGen.setIssuerDN(caCert.getSubjectX500Principal());

    // Firefox actually tracks serial numbers within a CA and refuses to validate if it sees duplicates
    // This is not a secure serial number generator, (duh!) but it's good enough for our purposes.
    v3CertGen.setSerialNumber(new BigInteger(Long.toString(System.currentTimeMillis())));

    v3CertGen.addExtension(
        X509Extensions.BasicConstraints,
        true,
        new BasicConstraints(false) );

    v3CertGen.addExtension(
        X509Extensions.SubjectKeyIdentifier,
        false,
        new SubjectKeyIdentifierStructure(newPubKey));


    v3CertGen.addExtension(
        X509Extensions.AuthorityKeyIdentifier,
        false,
        new AuthorityKeyIdentifierStructure(caCert.getPublicKey()));

//     Firefox 2 disallows these extensions in an SSL server cert.  IE7 doesn't care.
//    v3CertGen.addExtension(
//        X509Extensions.KeyUsage,
//        false,
//        new KeyUsage(KeyUsage.dataEncipherment | KeyUsage.digitalSignature ) );


    DEREncodableVector typicalSSLServerExtendedKeyUsages = new DEREncodableVector();

    typicalSSLServerExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.serverAuth));
    typicalSSLServerExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.clientAuth));
    typicalSSLServerExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.netscapeServerGatedCrypto));
    typicalSSLServerExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.msServerGatedCrypto));

    v3CertGen.addExtension(
        X509Extensions.ExtendedKeyUsage,
        false,
        new DERSequence(typicalSSLServerExtendedKeyUsages));

//  Disabled by default.  Left in comments in case this is desired.
//
//    v3CertGen.addExtension(
//        X509Extensions.AuthorityInfoAccess,
//        false,
//        new AuthorityInformationAccess(new DERObjectIdentifier(OID_ID_AD_CAISSUERS),
//            new GeneralName(GeneralName.uniformResourceIdentifier, "http://" + subject + "/aia")));

//    v3CertGen.addExtension(
//        X509Extensions.CRLDistributionPoints,
//        false,
//        new CRLDistPoint(new DistributionPoint[] {}));



    X509Certificate cert = v3CertGen.generate(caPrivateKey, "BC");

    return cert;
  }

    if(extensionOidsNotToCopy == null)
    {
      extensionOidsNotToCopy = new HashSet<String>();
    }

    X509V3CertificateGenerator  v3CertGen = new X509V3CertificateGenerator();

    v3CertGen.setSubjectDN(originalCert.getSubjectX500Principal());
    v3CertGen.setSignatureAlgorithm(CertificateCreator.SIGN_ALGO); // needs to be the same as the signing cert, not the copied cert
    v3CertGen.setPublicKey(newPubKey);
    v3CertGen.setNotAfter(originalCert.getNotAfter());
    v3CertGen.setNotBefore(originalCert.getNotBefore());
    v3CertGen.setIssuerDN(caCert.getSubjectX500Principal());
    v3CertGen.setSerialNumber(originalCert.getSerialNumber());

    // copy other extensions:
    Set<String> critExts = originalCert.getCriticalExtensionOIDs();

    // get extensions returns null, not an empty set!
    if(critExts != null) {
      for (String oid : critExts) {
        if(!clientCertOidsNeverToCopy.contains(oid)
            && !extensionOidsNotToCopy.contains(oid)) {
          v3CertGen.copyAndAddExtension(new DERObjectIdentifier(oid), true, originalCert);
        }
      }
    }
    Set<String> nonCritExs = originalCert.getNonCriticalExtensionOIDs();

    if(nonCritExs != null) {
      for(String oid: nonCritExs) {

        if(!clientCertOidsNeverToCopy.contains(oid)
            && !extensionOidsNotToCopy.contains(oid)){
          v3CertGen.copyAndAddExtension(new DERObjectIdentifier(oid), false, originalCert);
        }
      }
    }

    v3CertGen.addExtension(
        X509Extensions.SubjectKeyIdentifier,
        false,
        new SubjectKeyIdentifierStructure(newPubKey));


    v3CertGen.addExtension(
        X509Extensions.AuthorityKeyIdentifier,
        false,
        new AuthorityKeyIdentifierStructure(caCert.getPublicKey()));

    X509Certificate cert = v3CertGen.generate(caPrivateKey, "BC");

    // For debugging purposes.
    //cert.checkValidity(new Date());
    //cert.verify(caCert.getPublicKey());

  @SuppressWarnings("deprecation")
    public static X509Certificate createTypicalMasterCert(final KeyPair keyPair)
  throws SignatureException, InvalidKeyException, SecurityException, CertificateException, NoSuchAlgorithmException, NoSuchProviderException
  {

    X509V3CertificateGenerator  v3CertGen = new X509V3CertificateGenerator();

    X509Principal issuer=new X509Principal("O=CyberVillians.com,OU=CyberVillians Certification Authority,C=US");

    // Create
    v3CertGen.setSerialNumber(BigInteger.valueOf(1));
    v3CertGen.setIssuerDN(issuer);
    v3CertGen.setSubjectDN(issuer);

    //Set validity period
    v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 12 /* months */ *(1000L * 60 * 60 * 24 * 30)));
    v3CertGen.setNotAfter (new Date(System.currentTimeMillis() + 240 /* months */ *(1000L * 60 * 60 * 24 * 30)));

    //Set signature algorithm & public key
    v3CertGen.setPublicKey(keyPair.getPublic());
    v3CertGen.setSignatureAlgorithm(CertificateCreator.SIGN_ALGO);

    // Add typical extensions for signing cert
    v3CertGen.addExtension(
        X509Extensions.SubjectKeyIdentifier,
        false,
        new SubjectKeyIdentifierStructure(keyPair.getPublic()));

    v3CertGen.addExtension(
        X509Extensions.BasicConstraints,
        true,
        new BasicConstraints(0));

    v3CertGen.addExtension(
        X509Extensions.KeyUsage,
        false,
        new KeyUsage(KeyUsage.cRLSign | KeyUsage.keyCertSign) );

    DEREncodableVector typicalCAExtendedKeyUsages = new DEREncodableVector();

    typicalCAExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.serverAuth));
    typicalCAExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.OCSPSigning));
    typicalCAExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.verisignUnknown));

    v3CertGen.addExtension(
        X509Extensions.ExtendedKeyUsage,
        false,
        new DERSequence(typicalCAExtendedKeyUsages));

    X509Certificate cert = v3CertGen.generate(keyPair.getPrivate(), "BC");

    cert.checkValidity(new Date());

    cert.verify(keyPair.getPublic());

      CertificateNotYetValidException,
      CertificateException,
      NoSuchAlgorithmException,
      NoSuchProviderException
  {
    X509V3CertificateGenerator  v3CertGen = new X509V3CertificateGenerator();

    v3CertGen.setSubjectDN(new X500Principal(subject));
    v3CertGen.setSignatureAlgorithm(CertificateCreator.SIGN_ALGO);
    v3CertGen.setPublicKey(newPubKey);
    v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + 30L * 60 * 60 * 24 * 30 * 12));
    v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30 *12));
    v3CertGen.setIssuerDN(caCert.getSubjectX500Principal());

    // Firefox actually tracks serial numbers within a CA and refuses to validate if it sees duplicates
    // This is not a secure serial number generator, (duh!) but it's good enough for our purposes.
    v3CertGen.setSerialNumber(new BigInteger(Long.toString(System.currentTimeMillis())));

    v3CertGen.addExtension(
        X509Extensions.BasicConstraints,
        true,
        new BasicConstraints(false) );

    v3CertGen.addExtension(
        X509Extensions.SubjectKeyIdentifier,
        false,
        new SubjectKeyIdentifierStructure(newPubKey));


    v3CertGen.addExtension(
        X509Extensions.AuthorityKeyIdentifier,
        false,
        new AuthorityKeyIdentifierStructure(caCert.getPublicKey()));

//     Firefox 2 disallows these extensions in an SSL server cert.  IE7 doesn't care.
//    v3CertGen.addExtension(
//        X509Extensions.KeyUsage,
//        false,
//        new KeyUsage(KeyUsage.dataEncipherment | KeyUsage.digitalSignature ) );


    DEREncodableVector typicalSSLServerExtendedKeyUsages = new DEREncodableVector();

    typicalSSLServerExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.serverAuth));
    typicalSSLServerExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.clientAuth));
    typicalSSLServerExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.netscapeServerGatedCrypto));
    typicalSSLServerExtendedKeyUsages.add(new DERObjectIdentifier(ExtendedKeyUsageConstants.msServerGatedCrypto));

    v3CertGen.addExtension(
        X509Extensions.ExtendedKeyUsage,
        false,
        new DERSequence(typicalSSLServerExtendedKeyUsages));

//  Disabled by default.  Left in comments in case this is desired.
//
//    v3CertGen.addExtension(
//        X509Extensions.AuthorityInfoAccess,
//        false,
//        new AuthorityInformationAccess(new DERObjectIdentifier(OID_ID_AD_CAISSUERS),
//            new GeneralName(GeneralName.uniformResourceIdentifier, "http://" + subject + "/aia")));

//    v3CertGen.addExtension(
//        X509Extensions.CRLDistributionPoints,
//        false,
//        new CRLDistPoint(new DistributionPoint[] {}));



    X509Certificate cert = v3CertGen.generate(caPrivateKey, "BC");

    return cert;
  }

    if(criticalCustomExtensions == null)
    {
      criticalCustomExtensions = new HashMap<String, DEREncodable>();
    }

    X509V3CertificateGenerator  v3CertGen = new X509V3CertificateGenerator();

    v3CertGen.setSubjectDN(originalCert.getSubjectX500Principal());
    v3CertGen.setSignatureAlgorithm(CertificateCreator.SIGN_ALGO); // needs to be the same as the signing cert, not the copied cert
    v3CertGen.setPublicKey(newPubKey);
    v3CertGen.setNotAfter(originalCert.getNotAfter());
    v3CertGen.setNotBefore(originalCert.getNotBefore());
    v3CertGen.setIssuerDN(caCert.getSubjectX500Principal());
    v3CertGen.setSerialNumber(originalCert.getSerialNumber());

    // copy other extensions:
    Set<String> critExts = originalCert.getCriticalExtensionOIDs();

    // get extensions returns null, not an empty set!
    if(critExts != null) {
      for (String oid : critExts) {
        if(!clientCertOidsNeverToCopy.contains(oid)
            && !extensionOidsNotToCopy.contains(oid)
            && !criticalCustomExtensions.containsKey(oid)) {
          v3CertGen.copyAndAddExtension(new DERObjectIdentifier(oid), true, originalCert);
        }
      }
    }
    Set<String> nonCritExs = originalCert.getNonCriticalExtensionOIDs();

    if(nonCritExs != null) {
      for(String oid: nonCritExs) {

        if(!clientCertOidsNeverToCopy.contains(oid)
            && !extensionOidsNotToCopy.contains(oid)
            && !noncriticalCustomExtensions.containsKey(oid)){
          v3CertGen.copyAndAddExtension(new DERObjectIdentifier(oid), false, originalCert);
        }
      }
    }

    for(Map.Entry<String, DEREncodable> customExtension: criticalCustomExtensions.entrySet()) {
      v3CertGen.addExtension(customExtension.getKey(), true, customExtension.getValue());
    }

    for(Map.Entry<String, DEREncodable> customExtension: noncriticalCustomExtensions.entrySet()) {
      v3CertGen.addExtension(customExtension.getKey(), false, customExtension.getValue());
    }

    v3CertGen.addExtension(
        X509Extensions.SubjectKeyIdentifier,
        false,
        new SubjectKeyIdentifierStructure(newPubKey));


    v3CertGen.addExtension(
        X509Extensions.AuthorityKeyIdentifier,
        false,
        new AuthorityKeyIdentifierStructure(caCert.getPublicKey()));

    X509Certificate cert = v3CertGen.generate(caPrivateKey, "BC");

    // For debugging purposes.
    //cert.checkValidity(new Date());
    //cert.verify(caCert.getPublicKey());