/**
   * create from an issuer certificate and the serial number of the certificate it signed.
   *
   * @exception OCSPException if any problems occur creating the id fields.
   */
  public CertificateID(
      String hashAlgorithm, X509Certificate issuerCert, BigInteger number, String provider)
      throws OCSPException {
    try {
      MessageDigest digest = MessageDigest.getInstance(hashAlgorithm, provider);
      AlgorithmIdentifier hashAlg =
          new AlgorithmIdentifier(new DERObjectIdentifier(hashAlgorithm), new DERNull());

      X509Principal issuerName = PrincipalUtil.getSubjectX509Principal(issuerCert);

      digest.update(issuerName.getEncoded());

      ASN1OctetString issuerNameHash = new DEROctetString(digest.digest());
      PublicKey issuerKey = issuerCert.getPublicKey();

      ASN1InputStream aIn = new ASN1InputStream(issuerKey.getEncoded());
      SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(aIn.readObject());

      digest.update(info.getPublicKeyData().getBytes());

      ASN1OctetString issuerKeyHash = new DEROctetString(digest.digest());

      DERInteger serialNumber = new DERInteger(number);

      this.id = new CertID(hashAlg, issuerNameHash, issuerKeyHash, serialNumber);
    } catch (Exception e) {
      throw new OCSPException("problem creating ID: " + e, e);
    }
  }
Example #2
0
  public X509Certificate create(String baseName, int months, KeyPair keyPair) throws Exception {

    final X509Principal newprincipal = new X509Principal("O=Auto,OU=" + baseName + ",CN=CA");

    this.certGen.reset();

    /*
      "The entity that created the certificate is responsible for  assigning
      it a serial number to distinguish it from other certificates it issues.
      This information is used in numerous ways, for example when a
      certificate is revoked its serial number is placed in a Certificate
      Revocation List (CRL)"
    */
    this.certGen.setSerialNumber(BigInteger.ZERO);

    final Calendar expires = Calendar.getInstance();
    expires.add(Calendar.MONTH, months);
    this.certGen.setNotBefore(new Date(System.currentTimeMillis() - 10000));
    this.certGen.setNotAfter(expires.getTime());

    this.certGen.setSubjectDN(newprincipal);
    this.certGen.setIssuerDN(newprincipal);
    this.certGen.setSignatureAlgorithm("SHA1withRSA");

    final PublicKey pubkey = keyPair.getPublic();
    this.certGen.setPublicKey(pubkey);

    // begin X509/BC security nastiness, not sure these are the very best
    // choices but it is working...

    final ByteArrayInputStream in = new ByteArrayInputStream(pubkey.getEncoded());
    final SubjectPublicKeyInfo spki =
        new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream(in).readObject());
    final SubjectKeyIdentifier ski = new SubjectKeyIdentifier(spki);

    final ByteArrayInputStream in2 = new ByteArrayInputStream(newprincipal.getEncoded());
    final GeneralNames generalNames =
        new GeneralNames((ASN1Sequence) new DERInputStream(in2).readObject());
    final AuthorityKeyIdentifier aki =
        new AuthorityKeyIdentifier(spki, generalNames, BigInteger.ZERO);

    this.certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));

    /*
    this.certGen.addExtension(X509Extensions.KeyUsage,
                              true,
                              new KeyUsage(KeyUsage.digitalSignature |
                                           KeyUsage.keyEncipherment));
    */

    this.certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, ski);

    this.certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, aki);

    this.certGen.addExtension(
        X509Extensions.KeyUsage, false, new KeyUsage(KeyUsage.cRLSign | KeyUsage.keyCertSign));

    return this.certGen.generateX509Certificate(keyPair.getPrivate());
  }