/**
* create from an issuer certificate and the serial number of the certificate it signed.
*
* @exception OCSPException if any problems occur creating the id fields.
*/
public CertificateID(
String hashAlgorithm, X509Certificate issuerCert, BigInteger number, String provider)
throws OCSPException {
try {
MessageDigest digest = MessageDigest.getInstance(hashAlgorithm, provider);
AlgorithmIdentifier hashAlg =
new AlgorithmIdentifier(new DERObjectIdentifier(hashAlgorithm), new DERNull());
X509Principal issuerName = PrincipalUtil.getSubjectX509Principal(issuerCert);
digest.update(issuerName.getEncoded());
ASN1OctetString issuerNameHash = new DEROctetString(digest.digest());
PublicKey issuerKey = issuerCert.getPublicKey();
ASN1InputStream aIn = new ASN1InputStream(issuerKey.getEncoded());
SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(aIn.readObject());
digest.update(info.getPublicKeyData().getBytes());
ASN1OctetString issuerKeyHash = new DEROctetString(digest.digest());
DERInteger serialNumber = new DERInteger(number);
this.id = new CertID(hashAlg, issuerNameHash, issuerKeyHash, serialNumber);
} catch (Exception e) {
throw new OCSPException("problem creating ID: " + e, e);
}
}
public X509Certificate create(String baseName, int months, KeyPair keyPair) throws Exception {
final X509Principal newprincipal = new X509Principal("O=Auto,OU=" + baseName + ",CN=CA");
this.certGen.reset();
/*
"The entity that created the certificate is responsible for assigning
it a serial number to distinguish it from other certificates it issues.
This information is used in numerous ways, for example when a
certificate is revoked its serial number is placed in a Certificate
Revocation List (CRL)"
*/
this.certGen.setSerialNumber(BigInteger.ZERO);
final Calendar expires = Calendar.getInstance();
expires.add(Calendar.MONTH, months);
this.certGen.setNotBefore(new Date(System.currentTimeMillis() - 10000));
this.certGen.setNotAfter(expires.getTime());
this.certGen.setSubjectDN(newprincipal);
this.certGen.setIssuerDN(newprincipal);
this.certGen.setSignatureAlgorithm("SHA1withRSA");
final PublicKey pubkey = keyPair.getPublic();
this.certGen.setPublicKey(pubkey);
// begin X509/BC security nastiness, not sure these are the very best
// choices but it is working...
final ByteArrayInputStream in = new ByteArrayInputStream(pubkey.getEncoded());
final SubjectPublicKeyInfo spki =
new SubjectPublicKeyInfo((ASN1Sequence) new DERInputStream(in).readObject());
final SubjectKeyIdentifier ski = new SubjectKeyIdentifier(spki);
final ByteArrayInputStream in2 = new ByteArrayInputStream(newprincipal.getEncoded());
final GeneralNames generalNames =
new GeneralNames((ASN1Sequence) new DERInputStream(in2).readObject());
final AuthorityKeyIdentifier aki =
new AuthorityKeyIdentifier(spki, generalNames, BigInteger.ZERO);
this.certGen.addExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(true));
/*
this.certGen.addExtension(X509Extensions.KeyUsage,
true,
new KeyUsage(KeyUsage.digitalSignature |
KeyUsage.keyEncipherment));
*/
this.certGen.addExtension(X509Extensions.SubjectKeyIdentifier, false, ski);
this.certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, false, aki);
this.certGen.addExtension(
X509Extensions.KeyUsage, false, new KeyUsage(KeyUsage.cRLSign | KeyUsage.keyCertSign));
return this.certGen.generateX509Certificate(keyPair.getPrivate());
}