package org.bouncycastle.x509;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Iterator;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.TBSCertificate;
import org.bouncycastle.asn1.x509.Time;
import org.bouncycastle.asn1.x509.V3TBSCertificateGenerator;
import org.bouncycastle.asn1.x509.X509ExtensionsGenerator;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory;
import org.bouncycastle.jcajce.util.BCJcaJceHelper;
import org.bouncycastle.jcajce.util.JcaJceHelper;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.x509.extension.X509ExtensionUtil;
class to produce an X.509 Version 3 certificate.
@deprecated use org.bouncycastle.cert.X509v3CertificateBuilder.
/**
* class to produce an X.509 Version 3 certificate.
* @deprecated use org.bouncycastle.cert.X509v3CertificateBuilder.
*/
public class X509V3CertificateGenerator
{
private final JcaJceHelper bcHelper = new BCJcaJceHelper(); // needed to force provider loading
private final CertificateFactory certificateFactory = new CertificateFactory();
private V3TBSCertificateGenerator tbsGen;
private ASN1ObjectIdentifier sigOID;
private AlgorithmIdentifier sigAlgId;
private String signatureAlgorithm;
private X509ExtensionsGenerator extGenerator;
public X509V3CertificateGenerator()
{
tbsGen = new V3TBSCertificateGenerator();
extGenerator = new X509ExtensionsGenerator();
}
reset the generator
/**
* reset the generator
*/
public void reset()
{
tbsGen = new V3TBSCertificateGenerator();
extGenerator.reset();
}
set the serial number for the certificate.
/**
* set the serial number for the certificate.
*/
public void setSerialNumber(
BigInteger serialNumber)
{
if (serialNumber.compareTo(BigInteger.ZERO) <= 0)
{
throw new IllegalArgumentException("serial number must be a positive integer");
}
tbsGen.setSerialNumber(new ASN1Integer(serialNumber));
}
Set the issuer distinguished name - the issuer is the entity whose private key is used to sign the
certificate.
/**
* Set the issuer distinguished name - the issuer is the entity whose private key is used to sign the
* certificate.
*/
public void setIssuerDN(
X500Principal issuer)
{
try
{
tbsGen.setIssuer(new X509Principal(issuer.getEncoded()));
}
catch (IOException e)
{
throw new IllegalArgumentException("can't process principal: " + e);
}
}
Set the issuer distinguished name - the issuer is the entity whose private key is used to sign the
certificate.
/**
* Set the issuer distinguished name - the issuer is the entity whose private key is used to sign the
* certificate.
*/
public void setIssuerDN(
X509Name issuer)
{
tbsGen.setIssuer(issuer);
}
public void setNotBefore(
Date date)
{
tbsGen.setStartDate(new Time(date));
}
public void setNotAfter(
Date date)
{
tbsGen.setEndDate(new Time(date));
}
Set the subject distinguished name. The subject describes the entity associated with the public key.
/**
* Set the subject distinguished name. The subject describes the entity associated with the public key.
*/
public void setSubjectDN(
X500Principal subject)
{
try
{
tbsGen.setSubject(new X509Principal(subject.getEncoded()));
}
catch (IOException e)
{
throw new IllegalArgumentException("can't process principal: " + e);
}
}
Set the subject distinguished name. The subject describes the entity associated with the public key.
/**
* Set the subject distinguished name. The subject describes the entity associated with the public key.
*/
public void setSubjectDN(
X509Name subject)
{
tbsGen.setSubject(subject);
}
public void setPublicKey(
PublicKey key)
throws IllegalArgumentException
{
try
{
tbsGen.setSubjectPublicKeyInfo(
SubjectPublicKeyInfo.getInstance(new ASN1InputStream(key.getEncoded()).readObject()));
}
catch (Exception e)
{
throw new IllegalArgumentException("unable to process key - " + e.toString());
}
}
Set the signature algorithm. This can be either a name or an OID, names
are treated as case insensitive.
Params: - signatureAlgorithm – string representation of the algorithm name.
/**
* Set the signature algorithm. This can be either a name or an OID, names
* are treated as case insensitive.
*
* @param signatureAlgorithm string representation of the algorithm name.
*/
public void setSignatureAlgorithm(
String signatureAlgorithm)
{
this.signatureAlgorithm = signatureAlgorithm;
try
{
sigOID = X509Util.getAlgorithmOID(signatureAlgorithm);
}
catch (Exception e)
{
throw new IllegalArgumentException("Unknown signature type requested: " + signatureAlgorithm);
}
sigAlgId = X509Util.getSigAlgID(sigOID, signatureAlgorithm);
tbsGen.setSignature(sigAlgId);
}
Set the subject unique ID - note: it is very rare that it is correct to do this.
/**
* Set the subject unique ID - note: it is very rare that it is correct to do this.
*/
public void setSubjectUniqueID(boolean[] uniqueID)
{
tbsGen.setSubjectUniqueID(booleanToBitString(uniqueID));
}
Set the issuer unique ID - note: it is very rare that it is correct to do this.
/**
* Set the issuer unique ID - note: it is very rare that it is correct to do this.
*/
public void setIssuerUniqueID(boolean[] uniqueID)
{
tbsGen.setIssuerUniqueID(booleanToBitString(uniqueID));
}
private DERBitString booleanToBitString(boolean[] id)
{
byte[] bytes = new byte[(id.length + 7) / 8];
for (int i = 0; i != id.length; i++)
{
bytes[i / 8] |= (id[i]) ? (1 << ((7 - (i % 8)))) : 0;
}
int pad = id.length % 8;
if (pad == 0)
{
return new DERBitString(bytes);
}
else
{
return new DERBitString(bytes, 8 - pad);
}
}
add a given extension field for the standard extensions tag (tag 3)
/**
* add a given extension field for the standard extensions tag (tag 3)
*/
public void addExtension(
String oid,
boolean critical,
ASN1Encodable value)
{
this.addExtension(new ASN1ObjectIdentifier(oid), critical, value);
}
add a given extension field for the standard extensions tag (tag 3)
/**
* add a given extension field for the standard extensions tag (tag 3)
*/
public void addExtension(
ASN1ObjectIdentifier oid,
boolean critical,
ASN1Encodable value)
{
extGenerator.addExtension(new ASN1ObjectIdentifier(oid.getId()), critical, value);
}
add a given extension field for the standard extensions tag (tag 3)
The value parameter becomes the contents of the octet string associated
with the extension.
/**
* add a given extension field for the standard extensions tag (tag 3)
* The value parameter becomes the contents of the octet string associated
* with the extension.
*/
public void addExtension(
String oid,
boolean critical,
byte[] value)
{
this.addExtension(new ASN1ObjectIdentifier(oid), critical, value);
}
add a given extension field for the standard extensions tag (tag 3)
/**
* add a given extension field for the standard extensions tag (tag 3)
*/
public void addExtension(
ASN1ObjectIdentifier oid,
boolean critical,
byte[] value)
{
extGenerator.addExtension(new ASN1ObjectIdentifier(oid.getId()), critical, value);
}
add a given extension field for the standard extensions tag (tag 3)
copying the extension value from another certificate.
Throws: - CertificateParsingException – if the extension cannot be extracted.
/**
* add a given extension field for the standard extensions tag (tag 3)
* copying the extension value from another certificate.
* @throws CertificateParsingException if the extension cannot be extracted.
*/
public void copyAndAddExtension(
String oid,
boolean critical,
X509Certificate cert)
throws CertificateParsingException
{
byte[] extValue = cert.getExtensionValue(oid);
if (extValue == null)
{
throw new CertificateParsingException("extension " + oid + " not present");
}
try
{
ASN1Encodable value = X509ExtensionUtil.fromExtensionValue(extValue);
this.addExtension(oid, critical, value);
}
catch (IOException e)
{
throw new CertificateParsingException(e.toString());
}
}
add a given extension field for the standard extensions tag (tag 3)
copying the extension value from another certificate.
Throws: - CertificateParsingException – if the extension cannot be extracted.
/**
* add a given extension field for the standard extensions tag (tag 3)
* copying the extension value from another certificate.
* @throws CertificateParsingException if the extension cannot be extracted.
*/
public void copyAndAddExtension(
ASN1ObjectIdentifier oid,
boolean critical,
X509Certificate cert)
throws CertificateParsingException
{
this.copyAndAddExtension(oid.getId(), critical, cert);
}
generate an X509 certificate, based on the current issuer and subject
using the default provider "BC".
Deprecated: use generate(key, "BC")
/**
* generate an X509 certificate, based on the current issuer and subject
* using the default provider "BC".
* @deprecated use generate(key, "BC")
*/
public X509Certificate generateX509Certificate(
PrivateKey key)
throws SecurityException, SignatureException, InvalidKeyException
{
try
{
return generateX509Certificate(key, "BC", null);
}
catch (NoSuchProviderException e)
{
throw new SecurityException("BC provider not installed!");
}
}
generate an X509 certificate, based on the current issuer and subject
using the default provider "BC", and the passed in source of randomness
(if required).
Deprecated: use generate(key, random, "BC")
/**
* generate an X509 certificate, based on the current issuer and subject
* using the default provider "BC", and the passed in source of randomness
* (if required).
* @deprecated use generate(key, random, "BC")
*/
public X509Certificate generateX509Certificate(
PrivateKey key,
SecureRandom random)
throws SecurityException, SignatureException, InvalidKeyException
{
try
{
return generateX509Certificate(key, "BC", random);
}
catch (NoSuchProviderException e)
{
throw new SecurityException("BC provider not installed!");
}
}
generate an X509 certificate, based on the current issuer and subject,
using the passed in provider for the signing.
Deprecated: use generate()
/**
* generate an X509 certificate, based on the current issuer and subject,
* using the passed in provider for the signing.
* @deprecated use generate()
*/
public X509Certificate generateX509Certificate(
PrivateKey key,
String provider)
throws NoSuchProviderException, SecurityException, SignatureException, InvalidKeyException
{
return generateX509Certificate(key, provider, null);
}
generate an X509 certificate, based on the current issuer and subject,
using the passed in provider for the signing and the supplied source
of randomness, if required.
Deprecated: use generate()
/**
* generate an X509 certificate, based on the current issuer and subject,
* using the passed in provider for the signing and the supplied source
* of randomness, if required.
* @deprecated use generate()
*/
public X509Certificate generateX509Certificate(
PrivateKey key,
String provider,
SecureRandom random)
throws NoSuchProviderException, SecurityException, SignatureException, InvalidKeyException
{
try
{
return generate(key, provider, random);
}
catch (NoSuchProviderException e)
{
throw e;
}
catch (SignatureException e)
{
throw e;
}
catch (InvalidKeyException e)
{
throw e;
}
catch (GeneralSecurityException e)
{
throw new SecurityException("exception: " + e);
}
}
generate an X509 certificate, based on the current issuer and subject
using the default provider.
Note: this differs from the deprecated method in that the default provider is
used - not "BC".
/**
* generate an X509 certificate, based on the current issuer and subject
* using the default provider.
* <p>
* <b>Note:</b> this differs from the deprecated method in that the default provider is
* used - not "BC".
* </p>
*/
public X509Certificate generate(
PrivateKey key)
throws CertificateEncodingException, IllegalStateException, NoSuchAlgorithmException, SignatureException, InvalidKeyException
{
return generate(key, (SecureRandom)null);
}
generate an X509 certificate, based on the current issuer and subject
using the default provider, and the passed in source of randomness
(if required).
Note: this differs from the deprecated method in that the default provider is
used - not "BC".
/**
* generate an X509 certificate, based on the current issuer and subject
* using the default provider, and the passed in source of randomness
* (if required).
* <p>
* <b>Note:</b> this differs from the deprecated method in that the default provider is
* used - not "BC".
* </p>
*/
public X509Certificate generate(
PrivateKey key,
SecureRandom random)
throws CertificateEncodingException, IllegalStateException, NoSuchAlgorithmException, SignatureException, InvalidKeyException
{
TBSCertificate tbsCert = generateTbsCert();
byte[] signature;
try
{
signature = X509Util.calculateSignature(sigOID, signatureAlgorithm, key, random, tbsCert);
}
catch (IOException e)
{
throw new ExtCertificateEncodingException("exception encoding TBS cert", e);
}
try
{
return generateJcaObject(tbsCert, signature);
}
catch (Exception e)
{
throw new ExtCertificateEncodingException("exception producing certificate object", e);
}
}
generate an X509 certificate, based on the current issuer and subject,
using the passed in provider for the signing.
/**
* generate an X509 certificate, based on the current issuer and subject,
* using the passed in provider for the signing.
*/
public X509Certificate generate(
PrivateKey key,
String provider)
throws CertificateEncodingException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException
{
return generate(key, provider, null);
}
generate an X509 certificate, based on the current issuer and subject,
using the passed in provider for the signing and the supplied source
of randomness, if required.
/**
* generate an X509 certificate, based on the current issuer and subject,
* using the passed in provider for the signing and the supplied source
* of randomness, if required.
*/
public X509Certificate generate(
PrivateKey key,
String provider,
SecureRandom random)
throws CertificateEncodingException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException
{
TBSCertificate tbsCert = generateTbsCert();
byte[] signature;
try
{
signature = X509Util.calculateSignature(sigOID, signatureAlgorithm, provider, key, random, tbsCert);
}
catch (IOException e)
{
throw new ExtCertificateEncodingException("exception encoding TBS cert", e);
}
try
{
return generateJcaObject(tbsCert, signature);
}
catch (Exception e)
{
throw new ExtCertificateEncodingException("exception producing certificate object", e);
}
}
private TBSCertificate generateTbsCert()
{
if (!extGenerator.isEmpty())
{
tbsGen.setExtensions(extGenerator.generate());
}
return tbsGen.generateTBSCertificate();
}
private X509Certificate generateJcaObject(TBSCertificate tbsCert, byte[] signature)
throws Exception
{
ASN1EncodableVector v = new ASN1EncodableVector();
v.add(tbsCert);
v.add(sigAlgId);
v.add(new DERBitString(signature));
return (X509Certificate)certificateFactory.engineGenerateCertificate(
new ByteArrayInputStream(new DERSequence(v).getEncoded(ASN1Encoding.DER)));
}
Return an iterator of the signature names supported by the generator.
Returns: an iterator containing recognised names.
/**
* Return an iterator of the signature names supported by the generator.
*
* @return an iterator containing recognised names.
*/
public Iterator getSignatureAlgNames()
{
return X509Util.getAlgNames();
}
}