jdk/test/java/security/testlibrary/CertificateBuilder.java
author jnimeh
Wed, 05 Aug 2015 12:19:38 -0700
changeset 32032 22badc53802f
permissions -rw-r--r--
8046321: OCSP Stapling for TLS Summary: Initial feature commit for OCSP stapling in JSSE Reviewed-by: xuelei, mullan
/*
 * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
package sun.security.testlibrary;
import java.io.*;
import java.util.*;
import java.security.*;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.Extension;
import javax.security.auth.x500.X500Principal;
import java.math.BigInteger;
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;
import sun.security.util.ObjectIdentifier;
import sun.security.x509.AccessDescription;
import sun.security.x509.AlgorithmId;
import sun.security.x509.AuthorityInfoAccessExtension;
import sun.security.x509.AuthorityKeyIdentifierExtension;
import sun.security.x509.SubjectKeyIdentifierExtension;
import sun.security.x509.BasicConstraintsExtension;
import sun.security.x509.ExtendedKeyUsageExtension;
import sun.security.x509.DNSName;
import sun.security.x509.GeneralName;
import sun.security.x509.GeneralNames;
import sun.security.x509.KeyUsageExtension;
import sun.security.x509.SerialNumber;
import sun.security.x509.SubjectAlternativeNameExtension;
import sun.security.x509.URIName;
import sun.security.x509.KeyIdentifier;
/**
 * Helper class that builds and signs X.509 certificates.
 *
 * A CertificateBuilder is created with a default constructor, and then
 * uses additional public methods to set the public key, desired validity
 * dates, serial number and extensions.  It is expected that the caller will
 * have generated the necessary key pairs prior to using a CertificateBuilder
 * to generate certificates.
 *
 * The following methods are mandatory before calling build():
 * <UL>
 * <LI>{@link #setSubjectName(java.lang.String)}
 * <LI>{@link #setPublicKey(java.security.PublicKey)}
 * <LI>{@link #setNotBefore(java.util.Date)} and
 * {@link #setNotAfter(java.util.Date)}, or
 * {@link #setValidity(java.util.Date, java.util.Date)}
 * <LI>{@link #setSerialNumber(java.math.BigInteger)}
 * </UL><BR>
 *
 * Additionally, the caller can either provide a {@link List} of
 * {@link Extension} objects, or use the helper classes to add specific
 * extension types.
 *
 * When all required and desired parameters are set, the
 * {@link #build(java.security.cert.X509Certificate, java.security.PrivateKey,
 * java.lang.String)} method can be used to create the {@link X509Certificate}
 * object.
 *
 * Multiple certificates may be cut from the same settings using subsequent
 * calls to the build method.  Settings may be cleared using the
 * {@link #reset()} method.
 */
public class CertificateBuilder {
    private final CertificateFactory factory;   // X.509 factory obtained once in the constructor

    private X500Principal subjectName = null;   // mandatory before build() (see class Javadoc)
    private BigInteger serialNumber = null;     // mandatory before build() (see class Javadoc)
    private PublicKey publicKey = null;         // mandatory before build() (see class Javadoc)
    private Date notBefore = null;              // held as a defensive copy of the caller's Date
    private Date notAfter = null;               // held as a defensive copy of the caller's Date
    // Keyed by Extension.getId() (the extension OID), so adding a second extension
    // with an OID already present replaces the earlier one.
    private final Map<String, Extension> extensions = new HashMap<>();
    // NOTE(review): presumably filled in by build() with the encoded TBSCertificate
    // and its signature; build() is not visible here -- confirm.
    private byte[] tbsCertBytes;
    private byte[] signatureBytes;
    /**
     * Creates an empty {@code CertificateBuilder}.
     *
     * <p>The only work done here is acquiring the X.509
     * {@link CertificateFactory} that the builder holds for its lifetime;
     * every other setting starts out unset and is supplied through the
     * setter methods.
     *
     * @throws CertificateException if no installed provider supplies an
     * X.509 {@code CertificateFactory}.
     */
    public CertificateBuilder() throws CertificateException {
        CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
        factory = x509Factory;
    }
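    /**
     * Sets the subject name for the certificate.
     *
     * <p>A {@code null} argument is rejected here, matching the other setters
     * in this class, rather than being stored and surfacing later as a
     * failure during {@code build()}.
     *
     * @param name the {@link X500Principal} to use as the subject name on
     * this certificate.
     *
     * @throws NullPointerException if {@code name} is {@code null}.
     */
    public void setSubjectName(X500Principal name) {
        subjectName = Objects.requireNonNull(name, "Caught null subject name");
    }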
    /**
     * Sets the subject name for the certificate from its string form.
     *
     * <p>The string is parsed by {@link X500Principal#X500Principal(String)},
     * which determines the accepted syntax and reports malformed input.
     *
     * @param name the subject name as a distinguished name string in
     * RFC 2253 format.
     *
     * @throws IllegalArgumentException if {@code X500Principal} cannot parse
     * {@code name}.
     */
    public void setSubjectName(String name) {
        X500Principal parsed = new X500Principal(name);
        subjectName = parsed;
    }
    /**
     * Sets the subject public key that will appear in the certificate.
     *
     * @param pubKey the {@link PublicKey} to place in this certificate.
     *
     * @throws NullPointerException if {@code pubKey} is {@code null}.
     */
    public void setPublicKey(PublicKey pubKey) {
        Objects.requireNonNull(pubKey, "Caught null public key");
        publicKey = pubKey;
    }
    /**
     * Sets the start of the certificate's validity period.
     *
     * <p>{@link Date} is mutable, so the builder keeps its own copy; later
     * changes the caller makes to {@code nbDate} do not affect the
     * certificate.
     *
     * @param nbDate a {@link Date} marking the start of the validity period.
     *
     * @throws NullPointerException if {@code nbDate} is {@code null}.
     */
    public void setNotBefore(Date nbDate) {
        Date start = Objects.requireNonNull(nbDate, "Caught null notBefore date");
        notBefore = (Date) start.clone();   // defensive copy
    }
    /**
     * Sets the end of the certificate's validity period.
     *
     * <p>{@link Date} is mutable, so the builder keeps its own copy; later
     * changes the caller makes to {@code naDate} do not affect the
     * certificate.
     *
     * @param naDate a {@link Date} marking the end of the validity period.
     *
     * @throws NullPointerException if {@code naDate} is {@code null}.
     */
    public void setNotAfter(Date naDate) {
        Date end = Objects.requireNonNull(naDate, "Caught null notAfter date");
        notAfter = (Date) end.clone();   // defensive copy
    }
    /**
     * Sets both ends of the certificate's validity period in one call.
     *
     * <p>This is shorthand for {@link #setNotBefore(Date)} followed by
     * {@link #setNotAfter(Date)}; each date is null-checked and copied by
     * the method it is delegated to.  No ordering check between the two
     * dates is performed.
     *
     * @param nbDate a {@link Date} marking the start of the validity period.
     * @param naDate a {@link Date} marking the end of the validity period.
     *
     * @throws NullPointerException if either date is {@code null}.
     */
    public void setValidity(Date nbDate, Date naDate) {
        this.setNotBefore(nbDate);
        this.setNotAfter(naDate);
    }
    /**
     * Sets the certificate serial number.
     *
     * <p>{@link BigInteger} is immutable, so the value is stored directly
     * without a copy.
     *
     * @param serial the serial number as a {@link BigInteger}.
     *
     * @throws NullPointerException if {@code serial} is {@code null}.
     */
    public void setSerialNumber(BigInteger serial) {
        serialNumber = Objects.requireNonNull(serial, "Caught null serial number");
    }
    /**
     * Adds a single extension to the certificate.
     *
     * <p>Extensions are stored keyed by {@link Extension#getId()}, so adding
     * an extension whose OID is already present replaces the earlier one
     * rather than producing a duplicate.
     *
     * @param ext the extension to add.
     *
     * @throws NullPointerException if {@code ext} is {@code null}.
     */
    public void addExtension(Extension ext) {
        Extension checked = Objects.requireNonNull(ext, "Caught null extension");
        extensions.put(checked.getId(), checked);
    }
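    /**
     * Adds every extension in a {@code List} to the certificate.
     *
     * <p>Each element is routed through {@link #addExtension(Extension)}, so
     * the replace-on-duplicate-OID behaviour and the null check for an
     * individual element are the same as for a single add.  Elements are
     * processed in list order; if one is {@code null}, the elements before
     * it have already been added when the exception is thrown.
     *
     * @param extList the {@link List} of extensions to add.
     *
     * @throws NullPointerException if {@code extList} or any element of it
     * is {@code null}.
     */
    public void addExtensions(List<Extension> extList) {
        Objects.requireNonNull(extList, "Caught null extension list");
        for (Extension ext : extList) {
            // Delegate rather than touching the map directly so a null
            // element is reported with the same message as addExtension(null).
            addExtension(ext);
        }
    }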
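    /**
     * Adds a non-critical Subject Alternative Name extension holding the
     * given names as {@code dNSName} entries.
     *
     * <p>An empty list is a no-op: no SAN extension is added rather than an
     * empty one.  Each name is wrapped in a {@link DNSName}, whose
     * constructor performs the syntax checking and reports a malformed name
     * as an {@link IOException}.
     *
     * @param dnsNames a {@code List} of host names to add as
     * {@code dNSName} entries.
     *
     * @throws NullPointerException if {@code dnsNames} is {@code null}.
     * @throws IOException if a name is rejected by {@code DNSName} or the
     * extension cannot be encoded.
     */
    public void addSubjectAltNameDNSExt(List<String> dnsNames) throws IOException {
        Objects.requireNonNull(dnsNames, "Caught null DNS name list");
        if (dnsNames.isEmpty()) {
            return;
        }
        GeneralNames gNames = new GeneralNames();
        for (String name : dnsNames) {
            gNames.add(new GeneralName(new DNSName(name)));
        }
        // First argument is the critical flag: SAN is left non-critical here.
        addExtension(new SubjectAlternativeNameExtension(false, gNames));
    }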
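    /**
     * Adds an Authority Information Access extension listing one or more
     * OCSP responders.
     *
     * <p>Each string becomes an {@link AccessDescription} with the
     * {@code AccessDescription.Ad_OCSP_Id} access method and a
     * {@link URIName} location.  An empty list is a no-op: no AIA extension
     * is added rather than an empty one.
     *
     * @param locations a list of one or more OCSP responder URIs as strings.
     *
     * @throws NullPointerException if {@code locations} is {@code null}.
     * @throws IOException if a URI cannot be encoded as a {@code GeneralName}
     * or the extension cannot be encoded.
     */
    public void addAIAExt(List<String> locations)
            throws IOException {
        Objects.requireNonNull(locations, "Caught null OCSP location list");
        if (locations.isEmpty()) {
            return;
        }
        List<AccessDescription> acDescList = new ArrayList<>(locations.size());
        for (String ocspUri : locations) {
            acDescList.add(new AccessDescription(
                    AccessDescription.Ad_OCSP_Id,
                    new GeneralName(new URIName(ocspUri))));
        }
        addExtension(new AuthorityInfoAccessExtension(acDescList));
    }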
    /**
     * Adds a Key Usage extension built from the given bit settings.  The
     * extension will be marked critical.
     *
     * @param bitSettings boolean array for all nine bit settings, in the
     * order documented in RFC 5280 section 4.2.1.3.
     *
     * @throws IOException if an encoding error occurs.
     */
    public void addKeyUsageExt(boolean[] bitSettings) throws IOException {
        KeyUsageExtension kuExt = new KeyUsageExtension(bitSettings);
        addExtension(kuExt);
    }
    /**
     * Adds a Basic Constraints extension to the certificate.
     *
     * @param crit {@code true} to mark the extension critical,
     * {@code false} otherwise.
     * @param isCA {@code true} if the certificate is a CA certificate,
     * {@code false} otherwise.
     * @param maxPathLen the maximum path length issued by this CA.  A
     * negative value omits the field, so no path length constraint is
     * asserted.
     *
     * @throws IOException if an encoding error occurs.
     */
    public void addBasicConstraintsExt(boolean crit, boolean isCA,
            int maxPathLen) throws IOException {
        BasicConstraintsExtension bcExt =
                new BasicConstraintsExtension(crit, isCA, maxPathLen);
        addExtension(bcExt);
    }
    /**
     * Add the Authority Key Identifier extension, deriving the key
     * identifier from the issuing authority's certificate.
     *
     * @param authorityCert The certificate of the issuing authority; only
     * its public key is used.
     *
     * @throws IOException if an encoding error occurs.
     */
    public void addAuthorityKeyIdExt(X509Certificate authorityCert)
            throws IOException {
        // Delegate to the PublicKey overload so the key-id derivation lives
        // in exactly one place.
        PublicKey issuerPublicKey = authorityCert.getPublicKey();
        addAuthorityKeyIdExt(issuerPublicKey);
    }
    /**
     * Add the Authority Key Identifier extension.  Only the keyIdentifier
     * component is populated; the optional authorityCertIssuer and
     * authorityCertSerialNumber components are left absent.
     *
     * @param authorityKey The public key of the issuing authority, from
     * which the key identifier is computed.
     *
     * @throws IOException if an encoding error occurs.
     */
    public void addAuthorityKeyIdExt(PublicKey authorityKey) throws IOException {
        // The two trailing nulls are the optional GeneralNames and
        // SerialNumber components of the extension.
        addExtension(new AuthorityKeyIdentifierExtension(
                new KeyIdentifier(authorityKey), null, null));
    }
    /**
     * Add the Subject Key Identifier extension, computed from the subject's
     * public key.
     *
     * @param subjectKey The public key that will appear in the resulting
     * certificate
     *
     * @throws IOException if an encoding error occurs.
     */
    public void addSubjectKeyIdExt(PublicKey subjectKey) throws IOException {
        // KeyIdentifier computes the identifier; only its raw bytes are
        // needed for the SubjectKeyIdentifier extension.
        KeyIdentifier subjectKid = new KeyIdentifier(subjectKey);
        addExtension(
                new SubjectKeyIdentifierExtension(subjectKid.getIdentifier()));
    }
    /**
     * Add the Extended Key Usage extension.  When {@code ekuOids} is empty
     * no extension is added and the builder is left unchanged.
     *
     * @param ekuOids A {@link List} of object identifiers in dotted string
     * form.
     *
     * @throws IOException if an encoding error occurs, including when one
     * of the OID strings cannot be parsed.
     */
    public void addExtendedKeyUsageExt(List<String> ekuOids)
            throws IOException {
        if (ekuOids.isEmpty()) {
            return;     // nothing to encode
        }
        // ExtendedKeyUsageExtension takes a Vector, hence no plain List here.
        Vector<ObjectIdentifier> parsedOids = new Vector<>(ekuOids.size());
        for (String oidString : ekuOids) {
            parsedOids.add(new ObjectIdentifier(oidString));
        }
        addExtension(new ExtendedKeyUsageExtension(parsedOids));
    }
    /**
     * Clear all settings and return the {@code CertificateBuilder} to
     * its default state: the extension map is emptied and the subject,
     * validity dates, serial number, public key and the cached
     * TBSCertificate / signature bytes are all nulled.
     */
    public void reset() {
        // Drop the encoding products of any earlier build() first so a
        // stale signature can never be paired with new TBSCertificate bytes.
        tbsCertBytes = null;
        signatureBytes = null;
        publicKey = null;
        serialNumber = null;
        notAfter = null;
        notBefore = null;
        subjectName = null;
        extensions.clear();
    }
    /**
     * Build the certificate.
     *
     * @param issuerCert The certificate of the issuing authority, or
     * {@code null} if the resulting certificate is self-signed.
     * @param issuerKey The private key of the issuing authority.  For a
     * self-signed certificate this is presumably the private half of the
     * subject public key; the builder does not check this.
     * @param algName The signature algorithm name, as accepted by
     * {@code AlgorithmId.get}
     *
     * @return The resulting {@link X509Certificate}
     *
     * @throws IOException if an encoding error occurs.
     * @throws CertificateException If the certificate cannot be generated
     * by the underlying {@link CertificateFactory}
     * @throws NoSuchAlgorithmException If an invalid signature algorithm
     * is provided.
     */
    public X509Certificate build(X509Certificate issuerCert,
            PrivateKey issuerKey, String algName)
            throws IOException, CertificateException, NoSuchAlgorithmException {
        // TODO: add some basic checks (key usage, basic constraints maybe)
        AlgorithmId signAlg = AlgorithmId.get(algName);

        // Encode and sign, then round-trip the DER through the
        // CertificateFactory so the caller receives a parsed X509Certificate
        // rather than raw bytes.
        byte[] derCert = encodeTopLevel(issuerCert, issuerKey, signAlg);
        return (X509Certificate) factory.generateCertificate(
                new ByteArrayInputStream(derCert));
    }
    /**
     * Encode the contents of the outer-most ASN.1 SEQUENCE:
     *
     * <PRE>
     *  Certificate  ::=  SEQUENCE  {
     *      tbsCertificate       TBSCertificate,
     *      signatureAlgorithm   AlgorithmIdentifier,
     *      signatureValue       BIT STRING  }
     * </PRE>
     *
     * As a side effect the {@code tbsCertBytes} and {@code signatureBytes}
     * fields are overwritten with the freshly produced values.
     *
     * @param issuerCert The certificate of the issuing authority, or
     * {@code null} if the resulting certificate is self-signed.
     * @param issuerKey The private key of the issuing authority
     * @param signAlg The signature algorithm object
     *
     * @return The DER-encoded X.509 certificate
     *
     * @throws CertificateException If an error occurs during the
     * signing process.
     * @throws IOException if an encoding error occurs.
     */
    private byte[] encodeTopLevel(X509Certificate issuerCert,
            PrivateKey issuerKey, AlgorithmId signAlg)
            throws CertificateException, IOException {
        // Ordering matters: signCert() reads tbsCertBytes, so the
        // TBSCertificate must be encoded and stored before signing.
        tbsCertBytes = encodeTbsCert(issuerCert, signAlg);
        try {
            signatureBytes = signCert(issuerKey, signAlg);
        } catch (GeneralSecurityException gse) {
            // Surface signing failures as CertificateException, keeping the cause
            throw new CertificateException(gse);
        }

        DerOutputStream certBody = new DerOutputStream();
        certBody.write(tbsCertBytes);
        signAlg.derEncode(certBody);
        certBody.putBitString(signatureBytes);

        DerOutputStream wrapper = new DerOutputStream();
        wrapper.write(DerValue.tag_Sequence, certBody);
        return wrapper.toByteArray();
    }
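    /**
     * Encode the bytes for the TBSCertificate structure:
     * <PRE>
     *  TBSCertificate  ::=  SEQUENCE  {
     *      version         [0]  EXPLICIT Version DEFAULT v1,
     *      serialNumber         CertificateSerialNumber,
     *      signature            AlgorithmIdentifier,
     *      issuer               Name,
     *      validity             Validity,
     *      subject              Name,
     *      subjectPublicKeyInfo SubjectPublicKeyInfo,
     *      issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
     *                        -- If present, version MUST be v2 or v3
     *      subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
     *                        -- If present, version MUST be v2 or v3
     *      extensions      [3]  EXPLICIT Extensions OPTIONAL
     *                        -- If present, version MUST be v3
     *      }
     * </PRE>
     *
     * The version is always v3 and the issuerUniqueID / subjectUniqueID
     * fields are never emitted.  Validity dates are encoded as UTCTime for
     * years up to 2049 and as GeneralizedTime from 2050 onward, as required
     * by RFC 5280 section 4.1.2.5 (a two-digit UTCTime year would otherwise
     * be read back as 19xx).
     *
     * @param issuerCert The certificate of the issuing authority, or
     * {@code null} if the resulting certificate is self-signed.
     * @param signAlg The signature algorithm object
     *
     * @return The DER-encoded bytes for the TBSCertificate structure
     *
     * @throws IOException if an encoding error occurs.
     */
    private byte[] encodeTbsCert(X509Certificate issuerCert,
            AlgorithmId signAlg) throws IOException {
        DerOutputStream tbsCertSeq = new DerOutputStream();
        DerOutputStream tbsCertItems = new DerOutputStream();

        // version [0] EXPLICIT: hardcoded to v3 (INTEGER 2), the only
        // version that permits the extensions field.
        byte[] v3int = {0x02, 0x01, 0x02};
        tbsCertItems.write(DerValue.createTag(DerValue.TAG_CONTEXT, true,
                (byte)0), v3int);

        // serialNumber
        SerialNumber sn = new SerialNumber(serialNumber);
        sn.encode(tbsCertItems);

        // signature: the same AlgorithmId as the outer signatureAlgorithm,
        // so the two cannot drift apart.
        signAlg.derEncode(tbsCertItems);

        // issuer: the issuing CA's subject name, or our own subject name
        // when self-signed.
        if (issuerCert != null) {
            tbsCertItems.write(
                    issuerCert.getSubjectX500Principal().getEncoded());
        } else {
            // Self-signed
            tbsCertItems.write(subjectName.getEncoded());
        }

        // validity: UTCTime or GeneralizedTime chosen per date (see above)
        DerOutputStream valSeq = new DerOutputStream();
        putValidityTime(valSeq, notBefore);
        putValidityTime(valSeq, notAfter);
        tbsCertItems.write(DerValue.tag_Sequence, valSeq);

        // subject
        tbsCertItems.write(subjectName.getEncoded());

        // subjectPublicKeyInfo
        tbsCertItems.write(publicKey.getEncoded());

        // extensions [3] EXPLICIT
        encodeExtensions(tbsCertItems);

        // Wrap it all up in a SEQUENCE and return the bytes
        tbsCertSeq.write(DerValue.tag_Sequence, tbsCertItems);
        return tbsCertSeq.toByteArray();
    }

    /**
     * 2050-01-01T00:00:00Z in epoch milliseconds.  Dates at or after this
     * instant must be encoded as GeneralizedTime (RFC 5280, 4.1.2.5).
     */
    private static final long GENERALIZED_TIME_THRESHOLD_MILLIS =
            2524608000000L;

    /**
     * Write a Validity time in the ASN.1 time type RFC 5280 mandates for
     * its year: UTCTime through 2049, GeneralizedTime from 2050 on.
     *
     * @param out The stream receiving the encoded time
     * @param time The instant to encode
     *
     * @throws IOException if an encoding error occurs.
     */
    private static void putValidityTime(DerOutputStream out,
            java.util.Date time) throws IOException {
        if (time.getTime() >= GENERALIZED_TIME_THRESHOLD_MILLIS) {
            out.putGeneralizedTime(time);
        } else {
            out.putUTCTime(time);
        }
    }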
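    /**
     * Encode the extensions segment for an X.509 Certificate:
     *
     * <PRE>
     *  Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension
     *
     *  Extension  ::=  SEQUENCE  {
     *      extnID      OBJECT IDENTIFIER,
     *      critical    BOOLEAN DEFAULT FALSE,
     *      extnValue   OCTET STRING
     *                  -- contains the DER encoding of an ASN.1 value
     *                  -- corresponding to the extension type identified
     *                  -- by extnID
     *      }
     * </PRE>
     *
     * Because Extensions is SIZE (1..MAX) and the enclosing [3] field is
     * OPTIONAL, nothing at all is written when no extensions have been
     * added; an empty SEQUENCE would be a malformed encoding.  Extensions
     * are emitted in the iteration order of the {@code extensions} map.
     *
     * @param tbsStream The {@code DerOutputStream} that holds the
     * TBSCertificate contents.
     *
     * @throws IOException if an encoding error occurs.
     */
    private void encodeExtensions(DerOutputStream tbsStream)
            throws IOException {
        if (extensions.isEmpty()) {
            return;     // [3] is OPTIONAL; do not emit an empty SEQUENCE
        }

        DerOutputStream extItems = new DerOutputStream();
        for (Extension ext : extensions.values()) {
            ext.encode(extItems);
        }

        DerOutputStream extSequence = new DerOutputStream();
        extSequence.write(DerValue.tag_Sequence, extItems);
        // Explicit context tag [3] wrapping the Extensions SEQUENCE
        tbsStream.write(DerValue.createTag(DerValue.TAG_CONTEXT, true,
                (byte)3), extSequence);
    }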
    /**
     * Digitally sign the X.509 certificate.  The signature is computed over
     * the cached {@code tbsCertBytes}, so the TBSCertificate must already
     * have been encoded into that field when this is called.
     *
     * @param issuerKey The private key of the issuing authority
     * @param signAlg The signature algorithm object; its name selects the
     * JCA {@link Signature} implementation
     *
     * @return The digital signature bytes.
     *
     * @throws GeneralSecurityException If any errors occur during the
     * digital signature process.
     */
    private byte[] signCert(PrivateKey issuerKey, AlgorithmId signAlg)
            throws GeneralSecurityException {
        Signature signer = Signature.getInstance(signAlg.getName());
        signer.initSign(issuerKey);
        // The signed input is exactly the DER-encoded TBSCertificate
        signer.update(tbsCertBytes);
        return signer.sign();
    }
 }