コード例 #1
ファイル: IdentityManager.java プロジェクト: named-data/jndn
  /**
   * Build an IdentityCertificate for a key without signing it.
   *
   * <p>The certificate name is assembled from keyName by inserting a `KEY` component, then
   * appending `ID-CERT` and a version component taken from the current time in milliseconds. The
   * certificate is encoded before it is returned, but no signature is produced in this method;
   * signing is left to the caller.
   *
   * <p>Only the shape of keyName and its relation to certPrefix are validated here. notBefore and
   * notAfter are stored exactly as given, with no ordering or range check.
   *
   * @param keyName The key name, e.g., `/{identity_name}/ksk-123456`. Its last component must
   *     start with `ksk-` or `dsk-`.
   * @param publicKey The public key to place in the certificate.
   * @param signingIdentity The signing identity. It is dereferenced only when certPrefix is null,
   *     and must not be null in that case.
   * @param notBefore See IdentityCertificate.
   * @param notAfter See IdentityCertificate.
   * @param subjectDescription A list of CertificateSubjectDescription. See IdentityCertificate. If
   *     null or empty, this adds an ATTRIBUTE_NAME (OID 2.5.4.41) based on the keyName. Each
   *     element is cast to CertificateSubjectDescription, so any other element type raises a
   *     ClassCastException.
   * @param certPrefix The prefix before the `KEY` component. If null, this infers the certificate
   *     name according to the relation between the signingIdentity and the subject identity. If the
   *     signingIdentity is a prefix of the subject identity, `KEY` will be inserted after the
   *     signingIdentity, otherwise `KEY` is inserted after subject identity (i.e., before
   *     `ksk-...`). If not null, it must match keyName without being equal to it.
   * @return The unsigned IdentityCertificate, or null if keyName is empty, its last component
   *     lacks a `ksk-`/`dsk-` tag, or certPrefix is rejected.
   * @throws SecurityException If encoding the certificate raises a DerEncodingException or a
   *     DerDecodingException.
   */
  public final IdentityCertificate prepareUnsignedIdentityCertificate(
      Name keyName,
      PublicKey publicKey,
      Name signingIdentity,
      double notBefore,
      double notAfter,
      List subjectDescription,
      Name certPrefix)
      throws SecurityException {
    // An empty key name has no last component to inspect.
    if (keyName.size() < 1) {
      return null;
    }

    // The key ID (last component) must carry one of the two recognised tags.
    String keyId = keyName.get(-1).toEscapedString();
    boolean hasKnownKeyTag = keyId.startsWith("ksk-") || keyId.startsWith("dsk-");
    if (!hasKnownKeyTag) {
      return null;
    }

    IdentityCertificate unsignedCert = new IdentityCertificate();
    Name certificateName = new Name();

    if (certPrefix != null) {
      // A caller-supplied prefix is accepted only if it matches the key name and is not the
      // whole key name; otherwise nothing would remain to place after `KEY`.
      boolean isUsablePrefix = certPrefix.match(keyName) && !certPrefix.equals(keyName);
      if (!isUsablePrefix) {
        return null;
      }
      certificateName
          .append(certPrefix)
          .append("KEY")
          .append(keyName.getSubName(certPrefix.size()));
    } else if (signingIdentity.match(keyName)) {
      // No hint: the signer is a prefix of the key name, so `KEY` goes right after the signer.
      // NOTE(review): unlike the certPrefix branch, equality with keyName is not excluded here.
      certificateName
          .append(signingIdentity)
          .append("KEY")
          .append(keyName.getSubName(signingIdentity.size()));
    } else {
      // No hint and an unrelated signer: `KEY` goes just before the key ID component.
      certificateName.append(keyName.getPrefix(-1)).append("KEY").append(keyName.get(-1));
    }
    // Every accepted name ends the same way; the version is the current time in milliseconds.
    certificateName.append("ID-CERT").appendVersion((long) Common.getNowMilliseconds());

    unsignedCert.setName(certificateName);
    // NOTE(review): the validity period is copied through unchecked; a caller passing
    // notAfter earlier than notBefore is not rejected here.
    unsignedCert.setNotBefore(notBefore);
    unsignedCert.setNotAfter(notAfter);
    unsignedCert.setPublicKeyInfo(publicKey);

    boolean noDescriptions = subjectDescription == null || subjectDescription.isEmpty();
    if (noDescriptions) {
      // Default subject: the key name without its key ID component, under OID 2.5.4.41.
      unsignedCert.addSubjectDescription(
          new CertificateSubjectDescription("2.5.4.41", keyName.getPrefix(-1).toUri()));
    } else {
      // The list is a raw type, so each element is cast on the way in.
      for (Object entry : subjectDescription) {
        unsignedCert.addSubjectDescription((CertificateSubjectDescription) entry);
      }
    }

    // NOTE(review): the DER exceptions are flattened into the message text, so their stack
    // traces are not carried by the SecurityException that callers see.
    try {
      unsignedCert.encode();
    } catch (DerEncodingException encodingFailure) {
      throw new SecurityException("DerEncodingException: " + encodingFailure);
    } catch (DerDecodingException decodingFailure) {
      throw new SecurityException("DerDecodingException: " + decodingFailure);
    }

    return unsignedCert;
  }