package org.bouncycastle.x509;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.SignatureException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Iterator;

import javax.security.auth.x500.X500Principal;

import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERBitString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.asn1.x509.TBSCertificate;
import org.bouncycastle.asn1.x509.Time;
import org.bouncycastle.asn1.x509.V3TBSCertificateGenerator;
import org.bouncycastle.asn1.x509.X509ExtensionsGenerator;
import org.bouncycastle.asn1.x509.X509Name;
import org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory;
import org.bouncycastle.jcajce.util.BCJcaJceHelper;
import org.bouncycastle.jcajce.util.JcaJceHelper;
import org.bouncycastle.jce.X509Principal;
import org.bouncycastle.x509.extension.X509ExtensionUtil;

class to produce an X.509 Version 3 certificate. @deprecated use org.bouncycastle.cert.X509v3CertificateBuilder.
/** * class to produce an X.509 Version 3 certificate. * @deprecated use org.bouncycastle.cert.X509v3CertificateBuilder. */
public class X509V3CertificateGenerator { private final JcaJceHelper bcHelper = new BCJcaJceHelper(); // needed to force provider loading private final CertificateFactory certificateFactory = new CertificateFactory(); private V3TBSCertificateGenerator tbsGen; private ASN1ObjectIdentifier sigOID; private AlgorithmIdentifier sigAlgId; private String signatureAlgorithm; private X509ExtensionsGenerator extGenerator; public X509V3CertificateGenerator() { tbsGen = new V3TBSCertificateGenerator(); extGenerator = new X509ExtensionsGenerator(); }
reset the generator
/** * reset the generator */
public void reset() { tbsGen = new V3TBSCertificateGenerator(); extGenerator.reset(); }
set the serial number for the certificate.
/** * set the serial number for the certificate. */
public void setSerialNumber( BigInteger serialNumber) { if (serialNumber.compareTo(BigInteger.ZERO) <= 0) { throw new IllegalArgumentException("serial number must be a positive integer"); } tbsGen.setSerialNumber(new ASN1Integer(serialNumber)); }
Set the issuer distinguished name - the issuer is the entity whose private key is used to sign the certificate.
/** * Set the issuer distinguished name - the issuer is the entity whose private key is used to sign the * certificate. */
public void setIssuerDN( X500Principal issuer) { try { tbsGen.setIssuer(new X509Principal(issuer.getEncoded())); } catch (IOException e) { throw new IllegalArgumentException("can't process principal: " + e); } }
Set the issuer distinguished name - the issuer is the entity whose private key is used to sign the certificate.
/** * Set the issuer distinguished name - the issuer is the entity whose private key is used to sign the * certificate. */
public void setIssuerDN( X509Name issuer) { tbsGen.setIssuer(issuer); } public void setNotBefore( Date date) { tbsGen.setStartDate(new Time(date)); } public void setNotAfter( Date date) { tbsGen.setEndDate(new Time(date)); }
Set the subject distinguished name. The subject describes the entity associated with the public key.
/** * Set the subject distinguished name. The subject describes the entity associated with the public key. */
public void setSubjectDN( X500Principal subject) { try { tbsGen.setSubject(new X509Principal(subject.getEncoded())); } catch (IOException e) { throw new IllegalArgumentException("can't process principal: " + e); } }
Set the subject distinguished name. The subject describes the entity associated with the public key.
/** * Set the subject distinguished name. The subject describes the entity associated with the public key. */
public void setSubjectDN( X509Name subject) { tbsGen.setSubject(subject); } public void setPublicKey( PublicKey key) throws IllegalArgumentException { try { tbsGen.setSubjectPublicKeyInfo( SubjectPublicKeyInfo.getInstance(new ASN1InputStream(key.getEncoded()).readObject())); } catch (Exception e) { throw new IllegalArgumentException("unable to process key - " + e.toString()); } }
Set the signature algorithm. This can be either a name or an OID, names are treated as case insensitive.
Params:
  • signatureAlgorithm – string representation of the algorithm name.
/** * Set the signature algorithm. This can be either a name or an OID, names * are treated as case insensitive. * * @param signatureAlgorithm string representation of the algorithm name. */
public void setSignatureAlgorithm( String signatureAlgorithm) { this.signatureAlgorithm = signatureAlgorithm; try { sigOID = X509Util.getAlgorithmOID(signatureAlgorithm); } catch (Exception e) { throw new IllegalArgumentException("Unknown signature type requested: " + signatureAlgorithm); } sigAlgId = X509Util.getSigAlgID(sigOID, signatureAlgorithm); tbsGen.setSignature(sigAlgId); }
Set the subject unique ID - note: it is very rare that it is correct to do this.
/** * Set the subject unique ID - note: it is very rare that it is correct to do this. */
public void setSubjectUniqueID(boolean[] uniqueID) { tbsGen.setSubjectUniqueID(booleanToBitString(uniqueID)); }
Set the issuer unique ID - note: it is very rare that it is correct to do this.
/** * Set the issuer unique ID - note: it is very rare that it is correct to do this. */
public void setIssuerUniqueID(boolean[] uniqueID) { tbsGen.setIssuerUniqueID(booleanToBitString(uniqueID)); } private DERBitString booleanToBitString(boolean[] id) { byte[] bytes = new byte[(id.length + 7) / 8]; for (int i = 0; i != id.length; i++) { bytes[i / 8] |= (id[i]) ? (1 << ((7 - (i % 8)))) : 0; } int pad = id.length % 8; if (pad == 0) { return new DERBitString(bytes); } else { return new DERBitString(bytes, 8 - pad); } }
add a given extension field for the standard extensions tag (tag 3)
/** * add a given extension field for the standard extensions tag (tag 3) */
public void addExtension( String oid, boolean critical, ASN1Encodable value) { this.addExtension(new ASN1ObjectIdentifier(oid), critical, value); }
add a given extension field for the standard extensions tag (tag 3)
/** * add a given extension field for the standard extensions tag (tag 3) */
public void addExtension( ASN1ObjectIdentifier oid, boolean critical, ASN1Encodable value) { extGenerator.addExtension(new ASN1ObjectIdentifier(oid.getId()), critical, value); }
add a given extension field for the standard extensions tag (tag 3) The value parameter becomes the contents of the octet string associated with the extension.
/** * add a given extension field for the standard extensions tag (tag 3) * The value parameter becomes the contents of the octet string associated * with the extension. */
public void addExtension( String oid, boolean critical, byte[] value) { this.addExtension(new ASN1ObjectIdentifier(oid), critical, value); }
add a given extension field for the standard extensions tag (tag 3)
/** * add a given extension field for the standard extensions tag (tag 3) */
public void addExtension( ASN1ObjectIdentifier oid, boolean critical, byte[] value) { extGenerator.addExtension(new ASN1ObjectIdentifier(oid.getId()), critical, value); }
add a given extension field for the standard extensions tag (tag 3) copying the extension value from another certificate.
Throws:
  • CertificateParsingException – if the extension cannot be extracted.
/** * add a given extension field for the standard extensions tag (tag 3) * copying the extension value from another certificate. * @throws CertificateParsingException if the extension cannot be extracted. */
public void copyAndAddExtension( String oid, boolean critical, X509Certificate cert) throws CertificateParsingException { byte[] extValue = cert.getExtensionValue(oid); if (extValue == null) { throw new CertificateParsingException("extension " + oid + " not present"); } try { ASN1Encodable value = X509ExtensionUtil.fromExtensionValue(extValue); this.addExtension(oid, critical, value); } catch (IOException e) { throw new CertificateParsingException(e.toString()); } }
add a given extension field for the standard extensions tag (tag 3) copying the extension value from another certificate.
Throws:
  • CertificateParsingException – if the extension cannot be extracted.
/** * add a given extension field for the standard extensions tag (tag 3) * copying the extension value from another certificate. * @throws CertificateParsingException if the extension cannot be extracted. */
public void copyAndAddExtension( ASN1ObjectIdentifier oid, boolean critical, X509Certificate cert) throws CertificateParsingException { this.copyAndAddExtension(oid.getId(), critical, cert); }
generate an X509 certificate, based on the current issuer and subject using the default provider "BC".
Deprecated:use generate(key, "BC")
/** * generate an X509 certificate, based on the current issuer and subject * using the default provider "BC". * @deprecated use generate(key, "BC") */
public X509Certificate generateX509Certificate( PrivateKey key) throws SecurityException, SignatureException, InvalidKeyException { try { return generateX509Certificate(key, "BC", null); } catch (NoSuchProviderException e) { throw new SecurityException("BC provider not installed!"); } }
generate an X509 certificate, based on the current issuer and subject using the default provider "BC", and the passed in source of randomness (if required).
Deprecated:use generate(key, random, "BC")
/** * generate an X509 certificate, based on the current issuer and subject * using the default provider "BC", and the passed in source of randomness * (if required). * @deprecated use generate(key, random, "BC") */
public X509Certificate generateX509Certificate( PrivateKey key, SecureRandom random) throws SecurityException, SignatureException, InvalidKeyException { try { return generateX509Certificate(key, "BC", random); } catch (NoSuchProviderException e) { throw new SecurityException("BC provider not installed!"); } }
generate an X509 certificate, based on the current issuer and subject, using the passed in provider for the signing.
Deprecated:use generate()
/** * generate an X509 certificate, based on the current issuer and subject, * using the passed in provider for the signing. * @deprecated use generate() */
public X509Certificate generateX509Certificate( PrivateKey key, String provider) throws NoSuchProviderException, SecurityException, SignatureException, InvalidKeyException { return generateX509Certificate(key, provider, null); }
generate an X509 certificate, based on the current issuer and subject, using the passed in provider for the signing and the supplied source of randomness, if required.
Deprecated:use generate()
/** * generate an X509 certificate, based on the current issuer and subject, * using the passed in provider for the signing and the supplied source * of randomness, if required. * @deprecated use generate() */
public X509Certificate generateX509Certificate( PrivateKey key, String provider, SecureRandom random) throws NoSuchProviderException, SecurityException, SignatureException, InvalidKeyException { try { return generate(key, provider, random); } catch (NoSuchProviderException e) { throw e; } catch (SignatureException e) { throw e; } catch (InvalidKeyException e) { throw e; } catch (GeneralSecurityException e) { throw new SecurityException("exception: " + e); } }
generate an X509 certificate, based on the current issuer and subject using the default provider.

Note: this differs from the deprecated method in that the default provider is used - not "BC".

/** * generate an X509 certificate, based on the current issuer and subject * using the default provider. * <p> * <b>Note:</b> this differs from the deprecated method in that the default provider is * used - not "BC". * </p> */
public X509Certificate generate( PrivateKey key) throws CertificateEncodingException, IllegalStateException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { return generate(key, (SecureRandom)null); }
generate an X509 certificate, based on the current issuer and subject using the default provider, and the passed in source of randomness (if required).

Note: this differs from the deprecated method in that the default provider is used - not "BC".

/** * generate an X509 certificate, based on the current issuer and subject * using the default provider, and the passed in source of randomness * (if required). * <p> * <b>Note:</b> this differs from the deprecated method in that the default provider is * used - not "BC". * </p> */
public X509Certificate generate( PrivateKey key, SecureRandom random) throws CertificateEncodingException, IllegalStateException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { TBSCertificate tbsCert = generateTbsCert(); byte[] signature; try { signature = X509Util.calculateSignature(sigOID, signatureAlgorithm, key, random, tbsCert); } catch (IOException e) { throw new ExtCertificateEncodingException("exception encoding TBS cert", e); } try { return generateJcaObject(tbsCert, signature); } catch (Exception e) { throw new ExtCertificateEncodingException("exception producing certificate object", e); } }
generate an X509 certificate, based on the current issuer and subject, using the passed in provider for the signing.
/** * generate an X509 certificate, based on the current issuer and subject, * using the passed in provider for the signing. */
public X509Certificate generate( PrivateKey key, String provider) throws CertificateEncodingException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { return generate(key, provider, null); }
generate an X509 certificate, based on the current issuer and subject, using the passed in provider for the signing and the supplied source of randomness, if required.
/** * generate an X509 certificate, based on the current issuer and subject, * using the passed in provider for the signing and the supplied source * of randomness, if required. */
public X509Certificate generate( PrivateKey key, String provider, SecureRandom random) throws CertificateEncodingException, IllegalStateException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, InvalidKeyException { TBSCertificate tbsCert = generateTbsCert(); byte[] signature; try { signature = X509Util.calculateSignature(sigOID, signatureAlgorithm, provider, key, random, tbsCert); } catch (IOException e) { throw new ExtCertificateEncodingException("exception encoding TBS cert", e); } try { return generateJcaObject(tbsCert, signature); } catch (Exception e) { throw new ExtCertificateEncodingException("exception producing certificate object", e); } } private TBSCertificate generateTbsCert() { if (!extGenerator.isEmpty()) { tbsGen.setExtensions(extGenerator.generate()); } return tbsGen.generateTBSCertificate(); } private X509Certificate generateJcaObject(TBSCertificate tbsCert, byte[] signature) throws Exception { ASN1EncodableVector v = new ASN1EncodableVector(); v.add(tbsCert); v.add(sigAlgId); v.add(new DERBitString(signature)); return (X509Certificate)certificateFactory.engineGenerateCertificate( new ByteArrayInputStream(new DERSequence(v).getEncoded(ASN1Encoding.DER))); }
Return an iterator of the signature names supported by the generator.
Returns:an iterator containing recognised names.
/** * Return an iterator of the signature names supported by the generator. * * @return an iterator containing recognised names. */
public Iterator getSignatureAlgNames() { return X509Util.getAlgNames(); } }