package org.bouncycastle.cert;
import java.io.IOException;
import java.io.OutputStream;
import java.math.BigInteger;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.operator.DigestCalculator;
General utility class for creating calculated extensions using the standard methods.
Note: This class is not thread safe!
/**
* General utility class for creating calculated extensions using the standard methods.
* <p>
* <b>Note:</b> This class is not thread safe!
* </p>
*/
public class X509ExtensionUtils
{
private DigestCalculator calculator;
Base constructor - for conformance to RFC 5280 use a calculator based on SHA-1.
Params: - calculator – a calculator for calculating subject key ids.
/**
* Base constructor - for conformance to RFC 5280 use a calculator based on SHA-1.
*
* @param calculator a calculator for calculating subject key ids.
*/
public X509ExtensionUtils(DigestCalculator calculator)
{
this.calculator = calculator;
}
Create an AuthorityKeyIdentifier from the passed in arguments.
Params: - certHolder – the issuer certificate that the AuthorityKeyIdentifier should refer to.
Returns: an AuthorityKeyIdentifier.
/**
* Create an AuthorityKeyIdentifier from the passed in arguments.
*
* @param certHolder the issuer certificate that the AuthorityKeyIdentifier should refer to.
* @return an AuthorityKeyIdentifier.
*/
public AuthorityKeyIdentifier createAuthorityKeyIdentifier(
X509CertificateHolder certHolder)
{
GeneralName genName = new GeneralName(certHolder.getIssuer());
return new AuthorityKeyIdentifier(
getSubjectKeyIdentifier(certHolder), new GeneralNames(genName), certHolder.getSerialNumber());
}
Create an AuthorityKeyIdentifier from the passed in SubjectPublicKeyInfo.
Params: - publicKeyInfo – the SubjectPublicKeyInfo to base the key identifier on.
Returns: an AuthorityKeyIdentifier.
/**
* Create an AuthorityKeyIdentifier from the passed in SubjectPublicKeyInfo.
*
* @param publicKeyInfo the SubjectPublicKeyInfo to base the key identifier on.
* @return an AuthorityKeyIdentifier.
*/
public AuthorityKeyIdentifier createAuthorityKeyIdentifier(SubjectPublicKeyInfo publicKeyInfo)
{
return new AuthorityKeyIdentifier(calculateIdentifier(publicKeyInfo));
}
Create an AuthorityKeyIdentifier from the passed in arguments.
Params: - publicKeyInfo – the SubjectPublicKeyInfo to base the key identifier on.
- generalNames – the general names to associate with the issuer cert's issuer.
- serial – the serial number of the issuer cert.
Returns: an AuthorityKeyIdentifier.
/**
* Create an AuthorityKeyIdentifier from the passed in arguments.
*
* @param publicKeyInfo the SubjectPublicKeyInfo to base the key identifier on.
* @param generalNames the general names to associate with the issuer cert's issuer.
* @param serial the serial number of the issuer cert.
* @return an AuthorityKeyIdentifier.
*/
public AuthorityKeyIdentifier createAuthorityKeyIdentifier(SubjectPublicKeyInfo publicKeyInfo, GeneralNames generalNames, BigInteger serial)
{
return new AuthorityKeyIdentifier(calculateIdentifier(publicKeyInfo), generalNames, serial);
}
Return a RFC 5280 type 1 key identifier. As in:
(1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
value of the BIT STRING subjectPublicKey (excluding the tag,
length, and number of unused bits).
Params: - publicKeyInfo – the key info object containing the subjectPublicKey field.
Returns: the key identifier.
/**
* Return a RFC 5280 type 1 key identifier. As in:
* <pre>
* (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
* value of the BIT STRING subjectPublicKey (excluding the tag,
* length, and number of unused bits).
* </pre>
* @param publicKeyInfo the key info object containing the subjectPublicKey field.
* @return the key identifier.
*/
public SubjectKeyIdentifier createSubjectKeyIdentifier(
SubjectPublicKeyInfo publicKeyInfo)
{
return new SubjectKeyIdentifier(calculateIdentifier(publicKeyInfo));
}
Return a RFC 5280 type 2 key identifier. As in:
(2) The keyIdentifier is composed of a four bit type field with
the value 0100 followed by the least significant 60 bits of the
SHA-1 hash of the value of the BIT STRING subjectPublicKey.
Params: - publicKeyInfo – the key info object containing the subjectPublicKey field.
Returns: the key identifier.
/**
* Return a RFC 5280 type 2 key identifier. As in:
* <pre>
* (2) The keyIdentifier is composed of a four bit type field with
* the value 0100 followed by the least significant 60 bits of the
* SHA-1 hash of the value of the BIT STRING subjectPublicKey.
* </pre>
* @param publicKeyInfo the key info object containing the subjectPublicKey field.
* @return the key identifier.
*/
public SubjectKeyIdentifier createTruncatedSubjectKeyIdentifier(SubjectPublicKeyInfo publicKeyInfo)
{
byte[] digest = calculateIdentifier(publicKeyInfo);
byte[] id = new byte[8];
System.arraycopy(digest, digest.length - 8, id, 0, id.length);
id[0] &= 0x0f;
id[0] |= 0x40;
return new SubjectKeyIdentifier(id);
}
private byte[] getSubjectKeyIdentifier(X509CertificateHolder certHolder)
{
if (certHolder.getVersionNumber() != 3)
{
return calculateIdentifier(certHolder.getSubjectPublicKeyInfo());
}
else
{
Extension ext = certHolder.getExtension(Extension.subjectKeyIdentifier);
if (ext != null)
{
return ASN1OctetString.getInstance(ext.getParsedValue()).getOctets();
}
else
{
return calculateIdentifier(certHolder.getSubjectPublicKeyInfo());
}
}
}
private byte[] calculateIdentifier(SubjectPublicKeyInfo publicKeyInfo)
{
byte[] bytes = publicKeyInfo.getPublicKeyData().getBytes();
OutputStream cOut = calculator.getOutputStream();
try
{
cOut.write(bytes);
cOut.close();
}
catch (IOException e)
{ // it's hard to imagine this happening, but yes it does!
throw new CertRuntimeException("unable to calculate identifier: " + e.getMessage(), e);
}
return calculator.getDigest();
}
}