com.dstc.security.pki
Class X509CertGen

java.lang.Object
  |
  +--com.dstc.security.pki.X509CertGen

public class X509CertGen
extends Object

Class for generating X.509 certificates. The following code snippet illustrates the typical usage for this object:

 // Signature object initialised with the CA's private key; the algorithm name
 // is whatever the installed provider accepts for it.
 Signature caSignature = Signature.getInstance("RSA");
 caSignature.initSign(caPrivateKey);

 // Generator bound to that signer and to the CA's own certificate (the issuer).
 X509CertGen cg = new X509CertGen(caSignature, caCert);
 cg.setPublicKey(userPublicKey);
 cg.setSerialNumber(BigInteger.valueOf(12345678L));
 cg.setSubjectDN("CN = John Smith, OU=Security, O=DSTC, C=AU");
 cg.setValidity(365);                          // validity in days from now
 cg.setSubjectEmail("jsmith@dstc.qut.edu.au"); // placed in SubjectAltName, not the DN

 X509Certificate userCert = cg.generateCertificate();
 

Note: A self-signed (CA) certificate can be generated starting from the constructor X509CertGen(String issName, Signature sig)
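The two-step flow the snippet and the note describe (a self-signed CA certificate from the X509CertGen(String, Signature) constructor, then an end-entity certificate signed by that CA), written out as an added example. This is not code from the DSTC library or its documentation. It assumes X509CertGenException lives in the same package as X509CertGen, that the installed provider accepts the standard JCA signature name "SHA256withRSA" (the page's own snippet uses "RSA"), and that a key identifier may be any value unique per key; the DNs, host name and the 20-byte truncated-hash identifier scheme are constructed for the example.

```java
import com.dstc.security.pki.X509CertGen;
import com.dstc.security.pki.X509CertGenException; // assumed: same package as X509CertGen

import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;

public class IssueDemo {

    // Key Usage bit positions, in the order the setKeyUsage(boolean[]) table on this page gives.
    static final int DIGITAL_SIGNATURE = 0, KEY_ENCIPHERMENT = 2, KEY_CERT_SIGN = 5, CRL_SIGN = 6;

    // Assumed algorithm name; the page's snippet uses "RSA". Use the name your provider registers.
    static final String SIG_ALG = "SHA256withRSA";

    /** Key identifier: SHA-256 over the encoded public key, truncated to 20 bytes.
     *  Any method that is unique per key is acceptable; this is a simple constructed one. */
    static byte[] keyId(PublicKey pub) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(pub.getEncoded());
        return Arrays.copyOf(digest, 20);
    }

    /** Random positive serial number; a predictable counter is what you want to avoid. */
    static BigInteger randomSerial(SecureRandom rnd) {
        return new BigInteger(63, rnd).add(BigInteger.ONE);
    }

    /** Self-signed CA certificate via the X509CertGen(String issName, Signature sig) constructor. */
    static X509Certificate makeCaCert(KeyPair ca, String caDn, SecureRandom rnd) throws Exception {
        Signature sig = Signature.getInstance(SIG_ALG);
        sig.initSign(ca.getPrivate());              // the constructor expects an initialised Signature
        X509CertGen cg = new X509CertGen(caDn, sig);
        cg.setPublicKey(ca.getPublic());
        cg.setSubjectDN(caDn);                      // subject == issuer for a root
        cg.setSerialNumber(randomSerial(rnd));
        cg.setValidity(3650);
        cg.setBasicConstraints(true, 0);            // a CA, but no subordinate CAs beneath it
        boolean[] usage = new boolean[9];
        usage[KEY_CERT_SIGN] = true;
        usage[CRL_SIGN] = true;
        cg.setKeyUsage(usage);
        cg.setSubjectKeyIdentifier(keyId(ca.getPublic()));
        return cg.generateCertificate();
    }

    /** End-entity certificate signed by the CA, with a short, explicit validity window. */
    static X509Certificate makeUserCert(PrivateKey caKey, X509Certificate caCert, PublicKey userPub,
                                        String userDn, String dnsName, SecureRandom rnd) throws Exception {
        X509CertGen cg = new X509CertGen(caKey, SIG_ALG, caCert);
        cg.setPublicKey(userPub);
        cg.setSubjectDN(userDn);
        cg.setSerialNumber(randomSerial(rnd));
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + 90L * 24 * 60 * 60 * 1000); // 90 days
        cg.setValidity(notBefore, notAfter);
        cg.setBasicConstraints(false, 0);           // explicitly not a CA
        boolean[] usage = new boolean[9];
        usage[DIGITAL_SIGNATURE] = true;
        usage[KEY_ENCIPHERMENT] = true;
        cg.setKeyUsage(usage);
        cg.setSubjectDNSName(dnsName);
        cg.setSubjectKeyIdentifier(keyId(userPub));
        cg.setAuthorityKeyIdentifier(keyId(caCert.getPublicKey())); // same bytes as the CA's SKI
        return cg.generateCertificate();
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair ca = kpg.generateKeyPair();
        KeyPair user = kpg.generateKeyPair();

        String caDn = "CN=Example Root CA, O=Example, C=AU";          // constructed
        X509Certificate caCert = makeCaCert(ca, caDn, rnd);
        X509Certificate userCert = makeUserCert(ca.getPrivate(), caCert, user.getPublic(),
                "CN=John Smith, OU=Security, O=Example, C=AU", "jsmith.example.test", rnd);

        // The checks a relying party makes: chain signature, CA flag, validity window.
        userCert.verify(caCert.getPublicKey());     // throws if the CA signature does not verify
        caCert.verify(caCert.getPublicKey());
        if (userCert.getBasicConstraints() != -1) throw new IllegalStateException("user cert marked as CA");
        if (caCert.getBasicConstraints() < 0) throw new IllegalStateException("CA cert not marked as CA");
        userCert.checkValidity();
        System.out.println("Issued serial " + userCert.getSerialNumber() + " for " + userCert.getSubjectDN());
    }
}
```

The AuthorityKeyIdentifier on the user certificate is computed from the CA's public key with the same keyId() routine that produced the CA's SubjectKeyIdentifier, which is what lets a path builder link the two; if the CA certificate came from elsewhere, copy its SKI bytes instead of recomputing.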


Constructor Summary
X509CertGen()
          Default constructor
X509CertGen(PrivateKey key, String alg, String provider, X509Certificate cert)
           Constructs X509CertGen from the signer's private key, the signature algorithm, the provider for the Signature object to be used and the signer's certificate.
X509CertGen(PrivateKey key, String alg, X509Certificate cert)
           Constructs X509CertGen from the signer's private key, the signature algorithm and signer's certificate
X509CertGen(Signature sigObject, X509Certificate cert)
           Constructs X509CertGen from an (initialized) Signature object.
X509CertGen(String issName, Signature sig)
          Constructor using IssuerName and Signature (useful for generating self-signed certificates)
 
Method Summary
 X509Certificate generateCertificate()
           Returns the X.509 certificate being generated by this X509CertGen object.
 void processPKCS10(PKCS10CertificationRequest certReq)
           Process a PKCS10 Certification Request.
 void reset()
           Resets X509CertGen object so that a new User Certificate can be generated.
 void setAuthorityKeyIdentifier(byte[] keyId)
           Set the issuer's AuthorityKeyIdentifier extension for this certificate.
 void setBasicConstraints(boolean isCA, int length)
           Set the Basic Constraints extension of this certificate.
 void setIssuerDirectoryName(String name)
           Set the issuer's DirectoryName as part of the IssuerAltName extension for this certificate.
 void setIssuerDNSName(String name)
           Set the issuer's DNSName as part of the IssuerAltName extension for this certificate.
 void setIssuerEmail(String email)
           Set the issuer's e-mail address as part of the IssuerAltName extension for this certificate.
 void setIssuerIPAddress(String name)
           Set the issuer's IP address as part of the IssuerAltName extension for this certificate.
 void setIssuerURL(String name)
           Set the issuer's URL as part of the IssuerAltName extension for this certificate.
 void setKeyUsage(boolean[] usage)
           Set the Key Usage extension of this certificate.
 void setNetscapeCertType(boolean[] usage)
           Set the NetscapeCertType extension for this certificate.
 void setPublicKey(PublicKey pubKey)
           Set the subject's PublicKey in this certificate.
 void setSerialNumber(BigInteger serial)
           Set the serial number of this certificate.
 void setSubjectDirectoryName(String name)
           Set the subject's DirectoryName as part of the SubjectAltName extension for this certificate.
 void setSubjectDN(String dn)
           Set the subject's Distinguished Name (DN).
 void setSubjectDNSName(String name)
           Set the subject's DNSName as part of the SubjectAltName extension for this certificate.
 void setSubjectEmail(String email)
           Set the subject's e-mail address as part of the SubjectAltName extension for this certificate.
 void setSubjectIPAddress(String name)
           Set the subject's IP address as part of the SubjectAltName extension for this certificate.
 void setSubjectKeyIdentifier(byte[] keyId)
           Set the subject's SubjectKeyIdentifier extension for this certificate.
 void setSubjectURL(String name)
           Set the subject's URL as part of the SubjectAltName extension for this certificate.
 void setValidity(Date notBefore, Date notAfter)
           Set the validity period of this certificate.
 void setValidity(int days)
           Set the validity period (in days) of this certificate.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

X509CertGen

public X509CertGen()
Default constructor

X509CertGen

public X509CertGen(PrivateKey key,
                   String alg,
                   X509Certificate cert)
            throws X509CertGenException

Constructs X509CertGen from the signer's private key, the signature algorithm and signer's certificate

Parameters:
key - the signer's private key.
alg - the algorithm used to sign the certificate.
cert - the signer's certificate (the CA cert).
Throws:
X509CertGenException - if no such algorithm is available or the key is invalid.

X509CertGen

public X509CertGen(PrivateKey key,
                   String alg,
                   String provider,
                   X509Certificate cert)
            throws X509CertGenException

Constructs X509CertGen from the signer's private key, the signature algorithm, the provider for the Signature object to be used and the signer's certificate.

Parameters:
key - the signer's private key.
alg - the algorithm used to sign the certificate.
provider - the provider to use for the internal Signature instance.
cert - the signer's certificate (the CA cert).
Throws:
X509CertGenException - if no such algorithm is available, no such provider is available or the key is invalid.

X509CertGen

public X509CertGen(Signature sigObject,
                   X509Certificate cert)

Constructs X509CertGen from an (initialized) Signature object.

Parameters:
sigObject - the (initialized) Signature object used to sign the certificate.
cert - the signer's certificate (the CA cert).

X509CertGen

public X509CertGen(String issName,
                   Signature sig)

Constructor using IssuerName and Signature (useful for generating self-signed certificates)

Parameters:
issName - String representing the X500Name of the issuer.
sig - the (initialized) Signature object used to sign the certificate.

Method Detail

setPublicKey

public void setPublicKey(PublicKey pubKey)

Set the subject's PublicKey in this certificate.

Parameters:
pubKey - the subject's public key.

setSerialNumber

public void setSerialNumber(BigInteger serial)

Set the serial number of this certificate.

Parameters:
serial - the serial number of this certificate.

setSubjectDN

public void setSubjectDN(String dn)

Set the subject's Distinguished Name (DN).

The Distinguished Name is a String consisting of a sequence of type-value pairs separated by commas. Currently, the following types are supported:

 
    CN            - common name
    C             - country
    S(T)          - state
    L             - locality
    O             - organization
    OU            - organizational unit
    EmailAddress  - e-mail address
  

Note: It is recommended that e-mail addresses are set using the setSubjectEmail() method, which places the e-mail address in the SubjectAltName extension to the certificate, rather than in the subject's DN.

Parameters:
dn - the subject's Distinguished Name (DN).

setValidity

public void setValidity(int days)

Set the validity period (in days) of this certificate.

Parameters:
days - the validity period of this certificate.

setValidity

public void setValidity(Date notBefore,
                        Date notAfter)

Set the validity period of this certificate.

Parameters:
notBefore - the date before which the certificate is invalid.
notAfter - the date after which the certificate is invalid.

setBasicConstraints

public void setBasicConstraints(boolean isCA,
                                int length)

Set the Basic Constraints extension of this certificate.

Parameters:
isCA - true if this certificate is a CA certificate.
length - if isCA == true this parameter sets the maximum number of CA certificates that may follow this certificate in the certification path.

setKeyUsage

public void setKeyUsage(boolean[] usage)
                 throws X509CertGenException

Set the Key Usage extension of this certificate.

The Key Usage extension is described by a boolean array indicating the purposes for which the public key in this certificate can be used. The entries of the array are described as follows:

        digitalSignature  [0]
        nonRepudiation    [1]
        keyEncipherment   [2]
        dataEncipherment  [3]
        keyAgreement      [4]
        keyCertSign       [5]
        cRLSign           [6]
        encipherOnly      [7]
        decipherOnly      [8]
  
Parameters:
usage - an array of boolean values indicating the usage of the public key in this certificate.
Throws:
X509CertGenException -  
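Building the boolean[] that setKeyUsage expects from named bits, and checking the result against the Basic Constraints extension before either is set, as an added example (not library code). It assumes X509CertGenException is in the same package as X509CertGen; the index order is the one in the table above, and the named profiles at the bottom are constructed illustrations.

```java
import com.dstc.security.pki.X509CertGen;
import com.dstc.security.pki.X509CertGenException; // assumed: same package as X509CertGen

import java.util.EnumSet;
import java.util.Set;

/** Key Usage profiles that cannot drift out of step with Basic Constraints. */
public final class KeyUsagePolicy {

    /** Bit names in the array order given for setKeyUsage on this page (index == ordinal). */
    public enum Bit {
        DIGITAL_SIGNATURE, NON_REPUDIATION, KEY_ENCIPHERMENT, DATA_ENCIPHERMENT,
        KEY_AGREEMENT, KEY_CERT_SIGN, CRL_SIGN, ENCIPHER_ONLY, DECIPHER_ONLY
    }

    /** Converts a set of named bits into the nine-entry array setKeyUsage(boolean[]) takes. */
    public static boolean[] toArray(Set<Bit> bits) {
        boolean[] usage = new boolean[Bit.values().length]; // 9 entries, all false
        for (Bit b : bits) usage[b.ordinal()] = true;
        return usage;
    }

    /** Rejects combinations a relying party would treat as broken or as a CA-capability leak. */
    public static void validate(boolean isCA, Set<Bit> bits) {
        if (bits.isEmpty())
            throw new IllegalArgumentException("key usage must name at least one purpose");
        boolean certSign = bits.contains(Bit.KEY_CERT_SIGN);
        if (isCA && !certSign)
            throw new IllegalArgumentException("CA certificate must assert keyCertSign");
        if (!isCA && (certSign || bits.contains(Bit.CRL_SIGN)))
            throw new IllegalArgumentException("end-entity certificate must not assert keyCertSign or cRLSign");
        boolean directional = bits.contains(Bit.ENCIPHER_ONLY) || bits.contains(Bit.DECIPHER_ONLY);
        if (directional && !bits.contains(Bit.KEY_AGREEMENT))
            throw new IllegalArgumentException("encipherOnly/decipherOnly are undefined without keyAgreement");
    }

    /** Sets Basic Constraints and Key Usage together, after validating them as a pair. */
    public static void apply(X509CertGen cg, boolean isCA, int pathLen, Set<Bit> bits)
            throws X509CertGenException {
        validate(isCA, bits);
        cg.setBasicConstraints(isCA, isCA ? pathLen : 0);
        cg.setKeyUsage(toArray(bits));
    }

    // Constructed example profiles.
    public static final Set<Bit> ROOT_CA      = EnumSet.of(Bit.KEY_CERT_SIGN, Bit.CRL_SIGN);
    public static final Set<Bit> TLS_SERVER   = EnumSet.of(Bit.DIGITAL_SIGNATURE, Bit.KEY_ENCIPHERMENT);
    public static final Set<Bit> SIGNING_ONLY = EnumSet.of(Bit.DIGITAL_SIGNATURE, Bit.NON_REPUDIATION);

    private KeyUsagePolicy() {}
}
```

A typical call is KeyUsagePolicy.apply(cg, false, 0, KeyUsagePolicy.TLS_SERVER); passing ROOT_CA with isCA == false, or an empty set, fails before anything is written into the certificate.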

setSubjectEmail

public void setSubjectEmail(String email)

Set the subject's e-mail address as part of the SubjectAltName extension for this certificate.

Parameters:
email - the subject's e-mail address.

setSubjectDNSName

public void setSubjectDNSName(String name)

Set the subject's DNSName as part of the SubjectAltName extension for this certificate.

Parameters:
name - the subject's DNSName.

setSubjectDirectoryName

public void setSubjectDirectoryName(String name)

Set the subject's DirectoryName as part of the SubjectAltName extension for this certificate.

Parameters:
name - the subject's DirectoryName.

setSubjectURL

public void setSubjectURL(String name)

Set the subject's URL as part of the SubjectAltName extension for this certificate.

Parameters:
name - the subject's URL.

setSubjectIPAddress

public void setSubjectIPAddress(String name)

Set the subject's IP address as part of the SubjectAltName extension for this certificate.

Parameters:
name - the subject's IP address.

setIssuerEmail

public void setIssuerEmail(String email)

Set the issuer's e-mail address as part of the IssuerAltName extension for this certificate.

Parameters:
email - the issuer's e-mail address.

setIssuerDNSName

public void setIssuerDNSName(String name)

Set the issuer's DNSName as part of the IssuerAltName extension for this certificate.

Parameters:
name - the issuer's DNSName.

setIssuerDirectoryName

public void setIssuerDirectoryName(String name)

Set the issuer's DirectoryName as part of the IssuerAltName extension for this certificate.

Parameters:
name - the issuer's DirectoryName.

setIssuerURL

public void setIssuerURL(String name)

Set the issuer's URL as part of the IssuerAltName extension for this certificate.

Parameters:
name - the issuer's URL.

setIssuerIPAddress

public void setIssuerIPAddress(String name)

Set the issuer's IP address as part of the IssuerAltName extension for this certificate.

Parameters:
name - the issuer's IP address.

setSubjectKeyIdentifier

public void setSubjectKeyIdentifier(byte[] keyId)
                             throws X509CertGenException

Set the subject's SubjectKeyIdentifier extension for this certificate.

Parameters:
keyId - a byte array which identifies the subject's key pair.
Throws:
X509CertGenException -  

setAuthorityKeyIdentifier

public void setAuthorityKeyIdentifier(byte[] keyId)
                               throws X509CertGenException

Set the issuer's AuthorityKeyIdentifier extension for this certificate.

Parameters:
keyId - a byte array which identifies the issuer's key pair.
Throws:
X509CertGenException -  

setNetscapeCertType

public void setNetscapeCertType(boolean[] usage)

Set the NetscapeCertType extension for this certificate.

The NetscapeCertType extension is described by a boolean array indicating the purposes for which this certificate should be used. The entries of the array are described as follows:

        SSL_CLIENT          [0]
        SSL_SERVER          [1]
        SMIME               [2]
        OBJECT_SIGNING      [3]
        SSL_CA              [4]
        SMIME_CA            [5]
        OBJECT_SIGNING_CA   [6]
  
Parameters:
usage - an array of boolean values indicating the usage of this certificate in a Netscape application.

processPKCS10

public void processPKCS10(PKCS10CertificationRequest certReq)
                   throws X509CertGenException

Process a PKCS10 Certification Request.

This method can be used when a PKCS10 certification request is available, and will typically replace the calls to setSubjectDN(String) and setPublicKey(PublicKey).

Parameters:
certReq - the PKCS10 Certification Request (the parsed request object, not its raw DER encoding).
Throws:
X509CertGenException - if the Certificate Request has a bad signature or contains bad keys.
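CA-side issuance from a PKCS#10 request, as an added example rather than code from the DSTC library. It relies only on what this page documents: processPKCS10 rejects a request with a bad signature or bad keys and stands in for setSubjectDN/setPublicKey, so everything else on the certificate is decided by the CA afterwards. The package of PKCS10CertificationRequest is not stated on this page and its import is a placeholder; X509CertGenException is assumed to share X509CertGen's package; the signature algorithm name and the 86 400 000 ms day are assumptions.

```java
import com.dstc.security.pki.X509CertGen;
import com.dstc.security.pki.X509CertGenException;       // assumed: same package as X509CertGen
import com.dstc.security.pki.PKCS10CertificationRequest; // placeholder: package not given on this page

import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;

/** Issues end-entity certificates from PKCS#10 requests under a fixed CA policy. */
public class CsrIssuer {
    private static final String SIG_ALG = "SHA256withRSA";                // assumed provider name
    private static final int DIGITAL_SIGNATURE = 0, KEY_ENCIPHERMENT = 2; // setKeyUsage indices

    private final PrivateKey caKey;
    private final X509Certificate caCert;
    private final byte[] caKeyId;   // the CA's SubjectKeyIdentifier bytes, reused as the AKI
    private final long maxDays;
    private final SecureRandom rnd = new SecureRandom();

    public CsrIssuer(PrivateKey caKey, X509Certificate caCert, byte[] caKeyId, long maxDays) {
        this.caKey = caKey;
        this.caCert = caCert;
        this.caKeyId = caKeyId.clone();
        this.maxDays = maxDays;
    }

    /**
     * @param req           the parsed request; processPKCS10 rejects a bad signature or bad key
     * @param expectedDn    the subject the CA has approved for this requester, out of band
     * @param dnsName       the host name the CA has verified the requester controls
     * @param requestedDays validity asked for, capped at the CA's maximum
     */
    public X509Certificate issue(PKCS10CertificationRequest req, String expectedDn,
                                 String dnsName, long requestedDays) throws X509CertGenException {
        // A fresh generator per request, so nothing set for an earlier request can leak into this one.
        X509CertGen cg = new X509CertGen(caKey, SIG_ALG, caCert);
        cg.processPKCS10(req);           // subject DN and public key now come from the request

        // From here on it is CA policy; the request does not get a say in any of it.
        long days = Math.max(1, Math.min(requestedDays, maxDays));
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + days * 86_400_000L);
        cg.setValidity(notBefore, notAfter);
        cg.setSerialNumber(new BigInteger(63, rnd).add(BigInteger.ONE)); // random and positive
        cg.setBasicConstraints(false, 0); // a CSR never yields a CA certificate here
        boolean[] usage = new boolean[9];
        usage[DIGITAL_SIGNATURE] = true;
        usage[KEY_ENCIPHERMENT] = true;
        cg.setKeyUsage(usage);
        cg.setSubjectDNSName(dnsName);
        cg.setAuthorityKeyIdentifier(caKeyId);

        X509Certificate cert = cg.generateCertificate();

        // The subject DN was chosen by the requester; confirm it is the one the CA approved
        // before the certificate leaves this method.
        X500Principal expected = new X500Principal(expectedDn);
        if (!expected.equals(cert.getSubjectX500Principal())) {
            throw new IllegalStateException("subject " + cert.getSubjectX500Principal()
                    + " does not match approved " + expected);
        }
        return cert;
    }
}
```

The DN comparison goes through X500Principal so that differences in spacing or attribute order between the approved string and the encoded name do not cause a false mismatch; the certificate object is discarded on mismatch, and only a certificate that passed the check is returned for publication.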

generateCertificate

public X509Certificate generateCertificate()
                                    throws X509CertGenException

Returns the X.509 certificate being generated by this X509CertGen object.

Returns:
the java.security.cert.X509Certificate generated by this object.
Throws:
X509CertGenException -  

reset

public void reset()
           throws X509CertGenException

Resets X509CertGen object so that a new User Certificate can be generated.

Throws:
X509CertGenException - if the IssuerDN wasn't set in the previously generated certificate.