com.dstc.security.pki
Class X509CertGen

java.lang.Object
  |
  +--com.dstc.security.pki.X509CertGen

public class X509CertGen
extends Object

Class for generating X.509 certificates. The following code snippet illustrates the typical usage for this object:

 // Signature object initialised with the CA's private key (the algorithm
 // name must be one understood by the installed provider)
 Signature caSignature = Signature.getInstance("RSA");
 caSignature.initSign(caPrivateKey);

 // Generator bound to the CA's Signature object and the CA's certificate
 X509CertGen cg = new X509CertGen(caSignature, caCert);
 cg.setPublicKey(userPublicKey);
 cg.setSerialNumber(BigInteger.valueOf(12345678L));
 cg.setSubjectDN("CN=John Smith, OU=Security, O=DSTC, C=AU");
 cg.setValidity(365);                          // valid for one year from now
 cg.setSubjectEmail("jsmith@dstc.qut.edu.au"); // e-mail goes into SubjectAltName

 X509Certificate userCert = cg.getCertificate();
 

Note: A self-signed (CA) certificate can be generated by using the constructor X509CertGen(String issName, Signature sig).


Field Summary
static int MODE_BASE64_PKCS7
           
static int MODE_BASE64_X509
           
static int MODE_RAW_PKCS7
           
static int MODE_RAW_X509
           
 
Constructor Summary
X509CertGen()
          Default constructor
X509CertGen(PrivateKey key, String alg, String provider, X509Certificate cert)
           Constructs X509CertGen from the signer's private key, the signature algorithm, the provider for the Signature object to be used and the signer's certificate.
X509CertGen(PrivateKey key, String alg, X509Certificate cert)
           Constructs X509CertGen from the signer's private key, the signature algorithm and the signer's certificate.
X509CertGen(Signature sigObject, X509Certificate cert)
           Constructs X509CertGen from an (initialized) Signature object.
X509CertGen(String issName, Signature sig)
          Constructor using IssuerName and Signature (useful for generating self-signed certificates)
 
Method Summary
 X509Certificate getCertificate()
           Returns the X.509 certificate being generated by this X509CertGen object.
 byte[] getEncoded(int mode)
           Returns the encoded certificate generated by this X509CertGen object, in the format selected by mode.
 void processPKCS10(byte[] reqEncoding)
           Process a PKCS10 Certification Request.
 void reset()
           Resets X509CertGen object so that a new User Certificate can be generated.
 void setAuthorityKeyIdentifier(byte[] keyId)
           Set the issuer's AuthorityKeyIdentifier extension for this certificate.
 void setBasicConstraints(boolean isCA, int length)
           Set the Basic Constraints extension of this certificate.
 void setIssuerDirectoryName(String name)
           Set the issuer's DirectoryName as part of the IssuerAltName extension for this certificate.
 void setIssuerDNSName(String name)
           Set the issuer's DNSName as part of the IssuerAltName extension for this certificate.
 void setIssuerEmail(String email)
           Set the issuer's e-mail address as part of the IssuerAltName extension for this certificate.
 void setIssuerIPAddress(String name)
           Set the issuer's IP address as part of the IssuerAltName extension for this certificate.
 void setIssuerURL(String name)
           Set the issuer's URL as part of the IssuerAltName extension for this certificate.
 void setKeyUsage(boolean[] usage)
           Set the Key Usage extension of this certificate.
 void setNetscapeCertType(boolean[] usage)
           Set the NetscapeCertType extension for this certificate.
 void setPublicKey(PublicKey pubKey)
           Set the subject's PublicKey in this certificate.
 void setSerialNumber(BigInteger serial)
           Set the serial number of this certificate.
 void setSubjectDirectoryName(String name)
           Set the subject's DirectoryName as part of the SubjectAltName extension for this certificate.
 void setSubjectDN(String dn)
           Set the subject's Distinguished Name (DN).
 void setSubjectDNSName(String name)
           Set the subject's DNSName as part of the SubjectAltName extension for this certificate.
 void setSubjectEmail(String email)
           Set the subject's e-mail address as part of the SubjectAltName extension for this certificate.
 void setSubjectIPAddress(String name)
           Set the subject's IP address as part of the SubjectAltName extension for this certificate.
 void setSubjectKeyIdentifier(byte[] keyId)
           Set the subject's SubjectKeyIdentifier extension for this certificate.
 void setSubjectURL(String name)
           Set the subject's URL as part of the SubjectAltName extension for this certificate.
 void setValidity(Date notBefore, Date notAfter)
           Set the validity period of this certificate.
 void setValidity(int days)
           Set the validity period (in days) of this certificate.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

MODE_RAW_X509

public static final int MODE_RAW_X509

MODE_RAW_PKCS7

public static final int MODE_RAW_PKCS7

MODE_BASE64_X509

public static final int MODE_BASE64_X509

MODE_BASE64_PKCS7

public static final int MODE_BASE64_PKCS7

Constructor Detail

X509CertGen

public X509CertGen()
Default constructor

X509CertGen

public X509CertGen(PrivateKey key,
                   String alg,
                   X509Certificate cert)
            throws X509CertGenException

Constructs X509CertGen from the signer's private key, the signature algorithm and the signer's certificate.

Parameters:
key - the signer's private key.
alg - the algorithm used to sign the certificate.
cert - the signer's certificate (the CA cert).
Throws:
X509CertGenException - if no such algorithm is available or the key is invalid.

X509CertGen

public X509CertGen(PrivateKey key,
                   String alg,
                   String provider,
                   X509Certificate cert)
            throws X509CertGenException

Constructs X509CertGen from the signer's private key, the signature algorithm, the provider for the Signature object to be used and the signer's certificate.

Parameters:
key - the signer's private key.
alg - the algorithm used to sign the certificate.
provider - the provider to use for the internal Signature instance.
cert - the signer's certificate (the CA cert).
Throws:
X509CertGenException - if no such algorithm is available, no such provider is available or the key is invalid.

X509CertGen

public X509CertGen(Signature sigObject,
                   X509Certificate cert)

Constructs X509CertGen from an (initialized) Signature object.

Parameters:
sigObject - the (initialized) Signature object used to sign the certificate.
cert - the signer's certificate (the CA cert).

X509CertGen

public X509CertGen(String issName,
                   Signature sig)

Constructor using IssuerName and Signature (useful for generating self-signed certificates)

Parameters:
issName - String representing the X500Name of the issuer.
sig - the (initialized) Signature object used to sign the certificate.

Method Detail

setPublicKey

public void setPublicKey(PublicKey pubKey)

Set the subject's PublicKey in this certificate.

Parameters:
pubKey - the subject's public key.

setSerialNumber

public void setSerialNumber(BigInteger serial)

Set the serial number of this certificate.

Parameters:
serial - the serial number of this certificate.

setSubjectDN

public void setSubjectDN(String dn)

Set the subject's Distinguished Name (DN).

The Distinguished Name is a String consisting of a sequence of type-value pairs separated by commas. Currently, the following types are supported:

 
    CN            - common name
    C             - country
    S (or ST)     - state
    L             - locality
    O             - organization
    OU            - organizational unit
    EmailAddress  - e-mail address
  

Note: It is recommended that e-mail addresses are set using the setSubjectEmail() method, which places the e-mail address in the SubjectAltName extension to the certificate, rather than in the subject's DN.

Parameters:
dn - the subject's Distinguished Name (DN).

setValidity

public void setValidity(int days)

Set the validity period (in days) of this certificate.

Parameters:
days - the validity period of this certificate.

setValidity

public void setValidity(Date notBefore,
                        Date notAfter)

Set the validity period of this certificate.

Parameters:
notBefore - the date before which the certificate is invalid.
notAfter - the date after which the certificate is invalid.

setBasicConstraints

public void setBasicConstraints(boolean isCA,
                                int length)

Set the Basic Constraints extension of this certificate.

Parameters:
isCA - true if this certificate is a CA certificate.
length - if isCA is true, this parameter sets the maximum number of CA certificates that may follow this certificate in the certification path.

setKeyUsage

public void setKeyUsage(boolean[] usage)
                 throws X509CertGenException

Set the Key Usage extension of this certificate.

The Key Usage extension is described by a boolean array indicating the purposes for which the public key in this certificate can be used. The entries of the array are described as follows:

        digitalSignature  [0]
        nonRepudiation    [1]
        keyEncipherment   [2]
        dataEncipherment  [3]
        keyAgreement      [4]
        keyCertSign       [5]
        cRLSign           [6]
        encipherOnly      [7]
        decipherOnly      [8]
  
Parameters:
usage - an array of boolean values indicating the usage of the public key in this certificate.
Throws:
X509CertGenException -  
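The following program, added here as an illustration and not part of the DSTC library or its documentation, combines the class-level usage snippet with setBasicConstraints() and setKeyUsage(): it builds a self-signed CA through the (issName, Signature) constructor, issues a leaf certificate from it, and then checks the result with the standard JCA API. Assumed: the subject DN of the self-signed certificate has to be set explicitly, the algorithm name "RSA" is the one the installed provider expects (as in the page's own snippet), and all names and serial numbers are constructed values.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import com.dstc.security.pki.X509CertGen;

public class MiniCaExample {
    // Index positions follow the Key Usage table in setKeyUsage().
    static final int DIGITAL_SIGNATURE = 0, KEY_ENCIPHERMENT = 2, KEY_CERT_SIGN = 5, CRL_SIGN = 6;

    static boolean[] keyUsage(int... bits) {
        boolean[] usage = new boolean[9];
        for (int b : bits) usage[b] = true;
        return usage;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKeys = kpg.generateKeyPair(), userKeys = kpg.generateKeyPair();
        String caDN = "CN=Example Root CA, O=DSTC, C=AU";   // constructed name
        // 1. Self-signed CA certificate via the (issuer name, Signature) constructor. The
        //    algorithm name "RSA" mirrors the page's own snippet and depends on the provider.
        Signature caSig = Signature.getInstance("RSA");
        caSig.initSign(caKeys.getPrivate());
        X509CertGen caGen = new X509CertGen(caDN, caSig);
        caGen.setSubjectDN(caDN);               // assumption: subject set explicitly to equal issuer
        caGen.setPublicKey(caKeys.getPublic());
        caGen.setSerialNumber(BigInteger.ONE);
        caGen.setValidity(3650);
        caGen.setBasicConstraints(true, 0);     // a CA that may not issue subordinate CAs
        caGen.setKeyUsage(keyUsage(KEY_CERT_SIGN, CRL_SIGN));
        X509Certificate caCert = caGen.getCertificate();
        // 2. End-entity certificate issued by that CA. A JCA Signature returns to its
        //    initialised state after signing, so the same object can be handed over again.
        X509CertGen userGen = new X509CertGen(caSig, caCert);
        userGen.setPublicKey(userKeys.getPublic());
        userGen.setSerialNumber(BigInteger.valueOf(2));
        userGen.setSubjectDN("CN=www.example.com, OU=Security, O=DSTC, C=AU");
        userGen.setSubjectDNSName("www.example.com"); // host names belong in SubjectAltName
        userGen.setValidity(365);
        userGen.setBasicConstraints(false, 0);  // explicitly not a CA
        userGen.setKeyUsage(keyUsage(DIGITAL_SIGNATURE, KEY_ENCIPHERMENT));
        X509Certificate userCert = userGen.getCertificate();
        // 3. Check the result with the standard JCA API before trusting it.
        userCert.verify(caCert.getPublicKey());  // throws if the signature does not verify
        boolean[] ku = userCert.getKeyUsage();
        if (userCert.getBasicConstraints() != -1 || ku == null || ku[KEY_CERT_SIGN])
            throw new IllegalStateException("leaf certificate must not carry CA capabilities");
    }
}
```

The final check matters in practice: a leaf that silently carries keyCertSign or a CA flag can be used to mint further certificates under the CA's name, so it is worth verifying the generated extensions rather than assuming the setters took effect.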

setSubjectEmail

public void setSubjectEmail(String email)

Set the subject's e-mail address as part of the SubjectAltName extension for this certificate.

Parameters:
email - the subject's e-mail address.

setSubjectDNSName

public void setSubjectDNSName(String name)

Set the subject's DNSName as part of the SubjectAltName extension for this certificate.

Parameters:
name - the subject's DNSName.

setSubjectDirectoryName

public void setSubjectDirectoryName(String name)

Set the subject's DirectoryName as part of the SubjectAltName extension for this certificate.

Parameters:
name - the subject's DirectoryName.

setSubjectURL

public void setSubjectURL(String name)

Set the subject's URL as part of the SubjectAltName extension for this certificate.

Parameters:
name - the subject's URL.

setSubjectIPAddress

public void setSubjectIPAddress(String name)

Set the subject's IP address as part of the SubjectAltName extension for this certificate.

Parameters:
name - the subject's IP address.

setIssuerEmail

public void setIssuerEmail(String email)

Set the issuer's e-mail address as part of the IssuerAltName extension for this certificate.

Parameters:
email - the issuer's e-mail address.

setIssuerDNSName

public void setIssuerDNSName(String name)

Set the issuer's DNSName as part of the IssuerAltName extension for this certificate.

Parameters:
name - the issuer's DNSName.

setIssuerDirectoryName

public void setIssuerDirectoryName(String name)

Set the issuer's DirectoryName as part of the IssuerAltName extension for this certificate.

Parameters:
name - the issuer's DirectoryName.

setIssuerURL

public void setIssuerURL(String name)

Set the issuer's URL as part of the IssuerAltName extension for this certificate.

Parameters:
name - the issuer's URL.

setIssuerIPAddress

public void setIssuerIPAddress(String name)

Set the issuer's IP address as part of the IssuerAltName extension for this certificate.

Parameters:
name - the issuer's IP address.

setSubjectKeyIdentifier

public void setSubjectKeyIdentifier(byte[] keyId)
                             throws X509CertGenException

Set the subject's SubjectKeyIdentifier extension for this certificate.

Parameters:
keyId - a byte array which identifies the subject's key pair.
Throws:
X509CertGenException -  

setAuthorityKeyIdentifier

public void setAuthorityKeyIdentifier(byte[] keyId)
                               throws X509CertGenException

Set the issuer's AuthorityKeyIdentifier extension for this certificate.

Parameters:
keyId - a byte array which identifies the issuer's key pair.
Throws:
X509CertGenException -  

setNetscapeCertType

public void setNetscapeCertType(boolean[] usage)

Set the NetscapeCertType extension for this certificate.

The NetscapeCertType extension is described by a boolean array indicating the purposes for which this certificate should be used. The entries of the array are described as follows:

        SSL_CLIENT          [0]
        SSL_SERVER          [1]
        SMIME               [2]
        OBJECT_SIGNING      [3]
        SSL_CA              [4]
        SMIME_CA            [5]
        OBJECT_SIGNING_CA   [6]
  
Parameters:
usage - an array of boolean values indicating the usage of this certificate in a Netscape application.

processPKCS10

public void processPKCS10(byte[] reqEncoding)
                   throws X509CertGenException

Process a PKCS10 Certification Request.

Note: The CA must still set the validity period and the serial number explicitly; they are not taken from the request.

Parameters:
reqEncoding - the DER encoding of the PKCS10 Certification Request.
Throws:
X509CertGenException - if the Certificate Request has a bad signature or contains bad keys.

getCertificate

public X509Certificate getCertificate()
                               throws X509CertGenException

Returns the X.509 certificate being generated by this X509CertGen object.

Returns:
the java.security.cert.X509Certificate generated by this object.
Throws:
X509CertGenException -  

getEncoded

public byte[] getEncoded(int mode)
                  throws X509CertGenException

Returns the encoded certificate generated by this X509CertGen object, in the format selected by mode.

The certificate can be returned in one of four ways: in either X.509 or PKCS7 format (the PKCS7 form bundles the generated certificate together with the CA certificate), and either as a raw DER encoding or as a Base64 encoding delimited by -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- (for X.509) or -----BEGIN PKCS7----- / -----END PKCS7----- (for PKCS7). The return mode is selected by one of the following arguments:

 MODE_RAW_X509      = 0
 MODE_RAW_PKCS7     = 1
 MODE_BASE64_X509   = 2
 MODE_BASE64_PKCS7  = 3
 
For example, to create an ASCII file "foo.crt" containing the Base64 encoding of the certificate, one might use the following code:
 
 X509CertGen cg = new X509CertGen(sig, caCert);

 // set the various fields here

 byte[] c = cg.getEncoded(X509CertGen.MODE_BASE64_X509); // mode 2
 FileOutputStream fos = new FileOutputStream("foo.crt");
 try {
     fos.write(c);
 } finally {
     fos.close();
 }
  
Parameters:
mode - the mode describing the format of the returned certificate.
Throws:
X509CertGenException - if the required fields aren't set.

reset

public void reset()
           throws X509CertGenException

Resets X509CertGen object so that a new User Certificate can be generated.

Throws:
X509CertGenException - if the IssuerDN wasn't set in the previously generated certificate.
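The following program, added here as an illustration and not part of the DSTC library or its documentation, ties together processPKCS10(), getEncoded() and reset() into a small CA issuing loop: each DER-encoded PKCS#10 request named on the command line is turned into a PEM file next to it, the fields the request does not supply are set by the CA, and the generator is reset between subjects. Assumed: the CA key and certificate sit in a PKCS#12 keystore whose path, alias and password are placeholders, processPKCS10() takes the subject name and public key from the request, and the algorithm name "RSA" is the one the installed provider expects.

```java
import java.io.FileOutputStream;
import java.io.InputStream;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import com.dstc.security.pki.X509CertGen;

public class IssueFromPkcs10 {
    /** Issues one certificate per DER-encoded PKCS#10 request file; returns the number issued. */
    static int issueAll(X509CertGen cg, BigInteger firstSerial, String... requestFiles) throws Exception {
        BigInteger serial = firstSerial;       // assumption: the caller persists the last serial used
        int issued = 0;
        for (String reqFile : requestFiles) {
            byte[] reqDer = Files.readAllBytes(Paths.get(reqFile));
            cg.processPKCS10(reqDer);          // rejects a request with a bad signature or bad key
            cg.setSerialNumber(serial);        // the CA must still set serial number and validity
            cg.setValidity(365);
            cg.setBasicConstraints(false, 0);  // a request never becomes a CA certificate
            boolean[] usage = new boolean[9];
            usage[0] = true;                   // digitalSignature
            usage[2] = true;                   // keyEncipherment
            cg.setKeyUsage(usage);
            byte[] pem = cg.getEncoded(X509CertGen.MODE_BASE64_X509); // named constant, not a bare 2
            try (FileOutputStream out = new FileOutputStream(reqFile + ".crt")) {
                out.write(pem);
            }
            cg.reset();                        // drop per-subject state before the next request
            serial = serial.add(BigInteger.ONE);
            issued++;
        }
        return issued;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: CA key and certificate live in a PKCS#12 keystore; path, alias, password are placeholders.
        char[] pw = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get("ca.p12"))) {
            ks.load(in, pw);
        }
        PrivateKey caKey = (PrivateKey) ks.getKey("ca", pw);
        X509Certificate caCert = (X509Certificate) ks.getCertificate("ca");
        // The algorithm name "RSA" follows the page's snippet; the installed provider may expect another name.
        X509CertGen cg = new X509CertGen(caKey, "RSA", caCert);
        System.out.println("issued " + issueAll(cg, BigInteger.valueOf(1000), args) + " certificate(s)");
    }
}
```

Forcing Basic Constraints and Key Usage on the CA side, rather than copying anything from the request, is what keeps a requester from obtaining a certificate with more capabilities than the CA intended to grant.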