jdk-sandbox: test/jdk/java/security/testlibrary/CertificateBuilder.java@b2f046ae8eb6 (annotated)

32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	1	/*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	2	* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	4	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	7	* published by the Free Software Foundation. Oracle designates this
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	10	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	15	* accompanied this code).
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	16	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	20	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	22	* or visit www.oracle.com if you need additional information or have any
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	23	* questions.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	24	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	25
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	26	package sun.security.testlibrary;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	27
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	28	import java.io.*;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	29	import java.util.*;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	30	import java.security.*;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	31	import java.security.cert.X509Certificate;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	32	import java.security.cert.CertificateException;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	33	import java.security.cert.CertificateFactory;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	34	import java.security.cert.Extension;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	35	import javax.security.auth.x500.X500Principal;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	36	import java.math.BigInteger;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	37
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	38	import sun.security.util.DerOutputStream;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	39	import sun.security.util.DerValue;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	40	import sun.security.util.ObjectIdentifier;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	41	import sun.security.x509.AccessDescription;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	42	import sun.security.x509.AlgorithmId;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	43	import sun.security.x509.AuthorityInfoAccessExtension;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	44	import sun.security.x509.AuthorityKeyIdentifierExtension;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	45	import sun.security.x509.SubjectKeyIdentifierExtension;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	46	import sun.security.x509.BasicConstraintsExtension;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	47	import sun.security.x509.ExtendedKeyUsageExtension;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	48	import sun.security.x509.DNSName;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	49	import sun.security.x509.GeneralName;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	50	import sun.security.x509.GeneralNames;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	51	import sun.security.x509.KeyUsageExtension;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	52	import sun.security.x509.SerialNumber;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	53	import sun.security.x509.SubjectAlternativeNameExtension;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	54	import sun.security.x509.URIName;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	55	import sun.security.x509.KeyIdentifier;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	56
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	57	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	58	* Helper class that builds and signs X.509 certificates.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	59	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	60	* A CertificateBuilder is created with a default constructor, and then
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	61	* uses additional public methods to set the public key, desired validity
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	62	* dates, serial number and extensions. It is expected that the caller will
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	63	* have generated the necessary key pairs prior to using a CertificateBuilder
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	64	* to generate certificates.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	65	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	66	* The following methods are mandatory before calling build():
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	67	* <UL>
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	68	* <LI>{@link #setSubjectName(java.lang.String)}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	69	* <LI>{@link #setPublicKey(java.security.PublicKey)}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	70	* <LI>{@link #setNotBefore(java.util.Date)} and
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	71	* {@link #setNotAfter(java.util.Date)}, or
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	72	* {@link #setValidity(java.util.Date, java.util.Date)}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	73	* <LI>{@link #setSerialNumber(java.math.BigInteger)}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	74	* </UL><BR>
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	75	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	76	* Additionally, the caller can either provide a {@link List} of
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	77	* {@link Extension} objects, or use the helper classes to add specific
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	78	* extension types.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	79	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	80	* When all required and desired parameters are set, the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	81	* {@link #build(java.security.cert.X509Certificate, java.security.PrivateKey,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	82	* java.lang.String)} method can be used to create the {@link X509Certificate}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	83	* object.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	84	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	85	* Multiple certificates may be cut from the same settings using subsequent
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	86	* calls to the build method. Settings may be cleared using the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	87	* {@link #reset()} method.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	88	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	89	public class CertificateBuilder {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	90	private final CertificateFactory factory;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	91
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	92	private X500Principal subjectName = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	93	private BigInteger serialNumber = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	94	private PublicKey publicKey = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	95	private Date notBefore = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	96	private Date notAfter = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	97	private final Map<String, Extension> extensions = new HashMap<>();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	98	private byte[] tbsCertBytes;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	99	private byte[] signatureBytes;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	100
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	101	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	102	* Default constructor for a {@code CertificateBuilder} object.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	103	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	104	* @throws CertificateException if the underlying {@link CertificateFactory}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	105	* cannot be instantiated.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	106	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	107	public CertificateBuilder() throws CertificateException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	108	factory = CertificateFactory.getInstance("X.509");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	109	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	110
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	111	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	112	* Set the subject name for the certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	113	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	114	* @param name An {@link X500Principal} to be used as the subject name
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	115	* on this certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	116	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	117	public void setSubjectName(X500Principal name) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	118	subjectName = name;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	119	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	120
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	121	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	122	* Set the subject name for the certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	123	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	124	* @param name The subject name in RFC 2253 format
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	125	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	126	public void setSubjectName(String name) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	127	subjectName = new X500Principal(name);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	128	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	129
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	130	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	131	* Set the public key for this certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	132	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	133	* @param pubKey The {@link PublicKey} to be used on this certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	134	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	135	public void setPublicKey(PublicKey pubKey) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	136	publicKey = Objects.requireNonNull(pubKey, "Caught null public key");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	137	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	138
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	139	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	140	* Set the NotBefore date on the certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	141	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	142	* @param nbDate A {@link Date} object specifying the start of the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	143	* certificate validity period.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	144	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	145	public void setNotBefore(Date nbDate) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	146	Objects.requireNonNull(nbDate, "Caught null notBefore date");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	147	notBefore = (Date)nbDate.clone();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	148	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	149
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	150	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	151	* Set the NotAfter date on the certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	152	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	153	* @param naDate A {@link Date} object specifying the end of the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	154	* certificate validity period.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	155	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	156	public void setNotAfter(Date naDate) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	157	Objects.requireNonNull(naDate, "Caught null notAfter date");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	158	notAfter = (Date)naDate.clone();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	159	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	160
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	161	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	162	* Set the validity period for the certificate
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	163	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	164	* @param nbDate A {@link Date} object specifying the start of the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	165	* certificate validity period.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	166	* @param naDate A {@link Date} object specifying the end of the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	167	* certificate validity period.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	168	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	169	public void setValidity(Date nbDate, Date naDate) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	170	setNotBefore(nbDate);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	171	setNotAfter(naDate);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	172	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	173
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	174	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	175	* Set the serial number on the certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	176	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	177	* @param serial A serial number in {@link BigInteger} form.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	178	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	179	public void setSerialNumber(BigInteger serial) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	180	Objects.requireNonNull(serial, "Caught null serial number");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	181	serialNumber = serial;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	182	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	183
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	184
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	185	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	186	* Add a single extension to the certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	187	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	188	* @param ext The extension to be added.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	189	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	190	public void addExtension(Extension ext) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	191	Objects.requireNonNull(ext, "Caught null extension");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	192	extensions.put(ext.getId(), ext);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	193	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	194
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	195	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	196	* Add multiple extensions contained in a {@code List}.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	197	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	198	* @param extList The {@link List} of extensions to be added to
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	199	* the certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	200	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	201	public void addExtensions(List<Extension> extList) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	202	Objects.requireNonNull(extList, "Caught null extension list");
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	203	for (Extension ext : extList) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	204	extensions.put(ext.getId(), ext);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	205	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	206	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	207
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	208	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	209	* Helper method to add DNSName types for the SAN extension
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	210	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	211	* @param dnsNames A {@code List} of names to add as DNSName types
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	212	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	213	* @throws IOException if an encoding error occurs.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	214	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	215	public void addSubjectAltNameDNSExt(List<String> dnsNames) throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	216	if (!dnsNames.isEmpty()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	217	GeneralNames gNames = new GeneralNames();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	218	for (String name : dnsNames) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	219	gNames.add(new GeneralName(new DNSName(name)));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	220	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	221	addExtension(new SubjectAlternativeNameExtension(false,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	222	gNames));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	223	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	224	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	225
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	226	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	227	* Helper method to add one or more OCSP URIs to the Authority Info Access
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	228	* certificate extension.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	229	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	230	* @param locations A list of one or more OCSP responder URIs as strings
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	231	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	232	* @throws IOException if an encoding error occurs.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	233	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	234	public void addAIAExt(List<String> locations)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	235	throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	236	if (!locations.isEmpty()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	237	List<AccessDescription> acDescList = new ArrayList<>();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	238	for (String ocspUri : locations) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	239	acDescList.add(new AccessDescription(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	240	AccessDescription.Ad_OCSP_Id,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	241	new GeneralName(new URIName(ocspUri))));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	242	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	243	addExtension(new AuthorityInfoAccessExtension(acDescList));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	244	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	245	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	246
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	247	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	248	* Set a Key Usage extension for the certificate. The extension will
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	249	* be marked critical.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	250	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	251	* @param bitSettings Boolean array for all nine bit settings in the order
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	252	* documented in RFC 5280 section 4.2.1.3.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	253	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	254	* @throws IOException if an encoding error occurs.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	255	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	256	public void addKeyUsageExt(boolean[] bitSettings) throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	257	addExtension(new KeyUsageExtension(bitSettings));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	258	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	259
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	260	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	261	* Set the Basic Constraints Extension for a certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	262	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	263	* @param crit {@code true} if critical, {@code false} otherwise
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	264	* @param isCA {@code true} if the extension will be on a CA certificate,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	265	* {@code false} otherwise
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	266	* @param maxPathLen The maximum path length issued by this CA. Values
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	267	* less than zero will omit this field from the resulting extension and
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	268	* no path length constraint will be asserted.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	269	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	270	* @throws IOException if an encoding error occurs.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	271	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	272	public void addBasicConstraintsExt(boolean crit, boolean isCA,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	273	int maxPathLen) throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	274	addExtension(new BasicConstraintsExtension(crit, isCA, maxPathLen));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	275	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	276
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	277	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	278	* Add the Authority Key Identifier extension.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	279	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	280	* @param authorityCert The certificate of the issuing authority.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	281	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	282	* @throws IOException if an encoding error occurs.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	283	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	284	public void addAuthorityKeyIdExt(X509Certificate authorityCert)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	285	throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	286	addAuthorityKeyIdExt(authorityCert.getPublicKey());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	287	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	288
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	289	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	290	* Add the Authority Key Identifier extension.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	291	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	292	* @param authorityKey The public key of the issuing authority.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	293	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	294	* @throws IOException if an encoding error occurs.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	295	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	296	public void addAuthorityKeyIdExt(PublicKey authorityKey) throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	297	KeyIdentifier kid = new KeyIdentifier(authorityKey);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	298	addExtension(new AuthorityKeyIdentifierExtension(kid, null, null));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	299	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	300
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	301	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	302	* Add the Subject Key Identifier extension.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	303	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	304	* @param subjectKey The public key to be used in the resulting certificate
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	305	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	306	* @throws IOException if an encoding error occurs.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	307	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	308	public void addSubjectKeyIdExt(PublicKey subjectKey) throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	309	byte[] keyIdBytes = new KeyIdentifier(subjectKey).getIdentifier();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	310	addExtension(new SubjectKeyIdentifierExtension(keyIdBytes));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	311	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	312
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	313	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	314	* Add the Extended Key Usage extension.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	315	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	316	* @param ekuOids A {@link List} of object identifiers in string form.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	317	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	318	* @throws IOException if an encoding error occurs.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	319	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	320	public void addExtendedKeyUsageExt(List<String> ekuOids)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	321	throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	322	if (!ekuOids.isEmpty()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	323	Vector<ObjectIdentifier> oidVector = new Vector<>();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	324	for (String oid : ekuOids) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	325	oidVector.add(new ObjectIdentifier(oid));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	326	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	327	addExtension(new ExtendedKeyUsageExtension(oidVector));
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	328	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	329	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	330
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	331	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	332	* Clear all settings and return the {@code CertificateBuilder} to
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	333	* its default state.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	334	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	335	public void reset() {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	336	extensions.clear();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	337	subjectName = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	338	notBefore = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	339	notAfter = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	340	serialNumber = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	341	publicKey = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	342	signatureBytes = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	343	tbsCertBytes = null;
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	344	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	345
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	346	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	347	* Build the certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	348	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	349	* @param issuerCert The certificate of the issuing authority, or
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	350	* {@code null} if the resulting certificate is self-signed.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	351	* @param issuerKey The private key of the issuing authority
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	352	* @param algName The signature algorithm name
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	353	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	354	* @return The resulting {@link X509Certificate}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	355	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	356	* @throws IOException if an encoding error occurs.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	357	* @throws CertificateException If the certificate cannot be generated
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	358	* by the underlying {@link CertificateFactory}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	359	* @throws NoSuchAlgorithmException If an invalid signature algorithm
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	360	* is provided.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	361	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	362	public X509Certificate build(X509Certificate issuerCert,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	363	PrivateKey issuerKey, String algName)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	364	throws IOException, CertificateException, NoSuchAlgorithmException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	365	// TODO: add some basic checks (key usage, basic constraints maybe)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	366
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	367	AlgorithmId signAlg = AlgorithmId.get(algName);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	368	byte[] encodedCert = encodeTopLevel(issuerCert, issuerKey, signAlg);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	369	ByteArrayInputStream bais = new ByteArrayInputStream(encodedCert);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	370	return (X509Certificate)factory.generateCertificate(bais);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	371	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	372
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	373	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	374	* Encode the contents of the outer-most ASN.1 SEQUENCE:
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	375	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	376	* <PRE>
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	377	* Certificate ::= SEQUENCE {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	378	* tbsCertificate TBSCertificate,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	379	* signatureAlgorithm AlgorithmIdentifier,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	380	* signatureValue BIT STRING }
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	381	* </PRE>
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	382	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	383	* @param issuerCert The certificate of the issuing authority, or
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	384	* {@code null} if the resulting certificate is self-signed.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	385	* @param issuerKey The private key of the issuing authority
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	386	* @param signAlg The signature algorithm object
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	387	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	388	* @return The DER-encoded X.509 certificate
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	389	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	390	* @throws CertificateException If an error occurs during the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	391	* signing process.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	392	* @throws IOException if an encoding error occurs.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	393	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	394	private byte[] encodeTopLevel(X509Certificate issuerCert,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	395	PrivateKey issuerKey, AlgorithmId signAlg)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	396	throws CertificateException, IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	397	DerOutputStream outerSeq = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	398	DerOutputStream topLevelItems = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	399
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	400	tbsCertBytes = encodeTbsCert(issuerCert, signAlg);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	401	topLevelItems.write(tbsCertBytes);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	402	try {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	403	signatureBytes = signCert(issuerKey, signAlg);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	404	} catch (GeneralSecurityException ge) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	405	throw new CertificateException(ge);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	406	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	407	signAlg.derEncode(topLevelItems);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	408	topLevelItems.putBitString(signatureBytes);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	409	outerSeq.write(DerValue.tag_Sequence, topLevelItems);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	410
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	411	return outerSeq.toByteArray();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	412	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	413
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	414	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	415	* Encode the bytes for the TBSCertificate structure:
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	416	* <PRE>
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	417	* TBSCertificate ::= SEQUENCE {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	418	* version [0] EXPLICIT Version DEFAULT v1,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	419	* serialNumber CertificateSerialNumber,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	420	* signature AlgorithmIdentifier,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	421	* issuer Name,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	422	* validity Validity,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	423	* subject Name,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	424	* subjectPublicKeyInfo SubjectPublicKeyInfo,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	425	* issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	426	* -- If present, version MUST be v2 or v3
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	427	* subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	428	* -- If present, version MUST be v2 or v3
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	429	* extensions [3] EXPLICIT Extensions OPTIONAL
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	430	* -- If present, version MUST be v3
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	431	* }
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	432	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	433	* @param issuerCert The certificate of the issuing authority, or
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	434	* {@code null} if the resulting certificate is self-signed.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	435	* @param signAlg The signature algorithm object
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	436	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	437	* @return The DER-encoded bytes for the TBSCertificate structure
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	438	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	439	* @throws IOException if an encoding error occurs.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	440	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	441	private byte[] encodeTbsCert(X509Certificate issuerCert,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	442	AlgorithmId signAlg) throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	443	DerOutputStream tbsCertSeq = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	444	DerOutputStream tbsCertItems = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	445
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	446	// Hardcode to V3
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	447	byte[] v3int = {0x02, 0x01, 0x02};
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	448	tbsCertItems.write(DerValue.createTag(DerValue.TAG_CONTEXT, true,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	449	(byte)0), v3int);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	450
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	451	// Serial Number
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	452	SerialNumber sn = new SerialNumber(serialNumber);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	453	sn.encode(tbsCertItems);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	454
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	455	// Algorithm ID
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	456	signAlg.derEncode(tbsCertItems);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	457
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	458	// Issuer Name
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	459	if (issuerCert != null) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	460	tbsCertItems.write(
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	461	issuerCert.getSubjectX500Principal().getEncoded());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	462	} else {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	463	// Self-signed
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	464	tbsCertItems.write(subjectName.getEncoded());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	465	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	466
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	467	// Validity period (set as UTCTime)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	468	DerOutputStream valSeq = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	469	valSeq.putUTCTime(notBefore);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	470	valSeq.putUTCTime(notAfter);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	471	tbsCertItems.write(DerValue.tag_Sequence, valSeq);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	472
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	473	// Subject Name
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	474	tbsCertItems.write(subjectName.getEncoded());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	475
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	476	// SubjectPublicKeyInfo
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	477	tbsCertItems.write(publicKey.getEncoded());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	478
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	479	// TODO: Extensions!
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	480	encodeExtensions(tbsCertItems);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	481
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	482	// Wrap it all up in a SEQUENCE and return the bytes
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	483	tbsCertSeq.write(DerValue.tag_Sequence, tbsCertItems);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	484	return tbsCertSeq.toByteArray();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	485	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	486
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	487	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	488	* Encode the extensions segment for an X.509 Certificate:
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	489	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	490	* <PRE>
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	491	* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	492	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	493	* Extension ::= SEQUENCE {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	494	* extnID OBJECT IDENTIFIER,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	495	* critical BOOLEAN DEFAULT FALSE,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	496	* extnValue OCTET STRING
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	497	* -- contains the DER encoding of an ASN.1 value
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	498	* -- corresponding to the extension type identified
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	499	* -- by extnID
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	500	* }
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	501	* </PRE>
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	502	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	503	* @param tbsStream The {@code DerOutputStream} that holds the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	504	* TBSCertificate contents.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	505	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	506	* @throws IOException if an encoding error occurs.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	507	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	508	private void encodeExtensions(DerOutputStream tbsStream)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	509	throws IOException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	510	DerOutputStream extSequence = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	511	DerOutputStream extItems = new DerOutputStream();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	512
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	513	for (Extension ext : extensions.values()) {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	514	ext.encode(extItems);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	515	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	516	extSequence.write(DerValue.tag_Sequence, extItems);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	517	tbsStream.write(DerValue.createTag(DerValue.TAG_CONTEXT, true,
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	518	(byte)3), extSequence);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	519	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	520
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	521	/**
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	522	* Digitally sign the X.509 certificate.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	523	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	524	* @param issuerKey The private key of the issuing authority
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	525	* @param signAlg The signature algorithm object
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	526	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	527	* @return The digital signature bytes.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	528	*
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	529	* @throws GeneralSecurityException If any errors occur during the
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	530	* digital signature process.
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	531	*/
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	532	private byte[] signCert(PrivateKey issuerKey, AlgorithmId signAlg)
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	533	throws GeneralSecurityException {
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	534	Signature sig = Signature.getInstance(signAlg.getName());
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	535	sig.initSign(issuerKey);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	536	sig.update(tbsCertBytes);
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	537	return sig.sign();
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	538	}
22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: diff changeset	539	}

author	prr
	Fri, 25 May 2018 12:12:24 -0700
changeset 50347	b2f046ae8eb6
parent 47216	71c04702a3d5
permissions	-rw-r--r--