return genCertReq(issuerDN, userDN, ",", keys, cacert, nonce, transid, raVerifiedPopo, extensions, notBefore, notAfter, customCertSerno);
protected PKIMessage genCertReq(String issuerDN, String userDN, String altNames, KeyPair keys, Certificate cacert, byte[] nonce, byte[] transid, boolean raVerifiedPopo, X509Extensions extensions, Date notBefore, Date notAfter, BigInteger customCertSerno) throws NoSuchAlgorithmException, NoSuchProviderException, IOException, InvalidKeyException, SignatureException {
OptionalValidity myOptionalValidity = new OptionalValidity();
org.bouncycastle.asn1.x509.Time nb = new org.bouncycastle.asn1.x509.Time(new DERGeneralizedTime("20030211002120Z"));
if (notBefore != null) {
nb = new org.bouncycastle.asn1.x509.Time(notBefore);
org.bouncycastle.asn1.x509.Time na = new org.bouncycastle.asn1.x509.Time(new Date());
if (notAfter != null) {
na = new org.bouncycastle.asn1.x509.Time(notAfter);
CertTemplate myCertTemplate = new CertTemplate();
myCertTemplate.setValidity( myOptionalValidity );
myCertTemplate.setIssuer(new X509Name(issuerDN));
myCertTemplate.setSubject(new X509Name(userDN));
byte[] bytes = keys.getPublic().getEncoded();
ByteArrayInputStream bIn = new ByteArrayInputStream(bytes);
ASN1InputStream dIn = new ASN1InputStream(bIn);
SubjectPublicKeyInfo keyInfo = new SubjectPublicKeyInfo((ASN1Sequence)dIn.readObject());
// If we did not pass any extensions as parameter, we will create some of our own, standard ones
X509Extensions exts = extensions;
if (exts == null) {
// SubjectAltName
// Some altNames
ByteArrayOutputStream bOut = new ByteArrayOutputStream();
DEROutputStream dOut = new DEROutputStream(bOut);
Vector<X509Extension> values = new Vector<X509Extension>();
Vector<DERObjectIdentifier> oids = new Vector<DERObjectIdentifier>();
if (altNames != null) {
GeneralNames san = CertTools.getGeneralNamesFromAltName(altNames);
byte[] value = bOut.toByteArray();
X509Extension sanext = new X509Extension(false, new DEROctetString(value));
// KeyUsage
int bcku = 0;
bcku = X509KeyUsage.digitalSignature | X509KeyUsage.keyEncipherment | X509KeyUsage.nonRepudiation;
X509KeyUsage ku = new X509KeyUsage(bcku);
bOut = new ByteArrayOutputStream();
dOut = new DEROutputStream(bOut);
byte[] value = bOut.toByteArray();
X509Extension kuext = new X509Extension(false, new DEROctetString(value));
// Make the complete extension package
exts = new X509Extensions(oids, values);
if (customCertSerno != null) {
// Add serialNumber to the certTemplate, it is defined as a MUST NOT be used in RFC4211, but we will use it anyway in order
// to request a custom certificate serial number (something not standard anyway)
myCertTemplate.setSerialNumber(new DERInteger(customCertSerno));
CertRequest myCertRequest = new CertRequest(new DERInteger(4), myCertTemplate);
// myCertRequest.addControls(new
// AttributeTypeAndValue(CRMFObjectIdentifiers.regInfo_utf8Pairs, new
// DERInteger(12345)));
CertReqMsg myCertReqMsg = new CertReqMsg(myCertRequest);
* PKMACValue myPKMACValue = new PKMACValue( new AlgorithmIdentifier(new
* DERObjectIdentifier(""), new DERBitString(new byte[] { 8,
* 1, 1, 2 })), new DERBitString(new byte[] { 12, 29, 37, 43 }));
* POPOPrivKey myPOPOPrivKey = new POPOPrivKey(new DERBitString(new
* byte[] { 44 }), 2); //take choice pos tag 2
* POPOSigningKeyInput myPOPOSigningKeyInput = new POPOSigningKeyInput(
* myPKMACValue, new SubjectPublicKeyInfo( new AlgorithmIdentifier(new
* DERObjectIdentifier(""), new DERBitString(new byte[] { 2,
* 9, 7, 3 })), new byte[] { 7, 7, 7, 4, 5, 6, 7, 7, 7 }));
ProofOfPossession myProofOfPossession = null;
if (raVerifiedPopo) {
// raVerified POPO (meaning there is no POPO)
myProofOfPossession = new ProofOfPossession(new DERNull(), 0);
} else {
ByteArrayOutputStream baos = new ByteArrayOutputStream();
DEROutputStream mout = new DEROutputStream(baos);
byte[] popoProtectionBytes = baos.toByteArray();
Signature sig = Signature.getInstance(PKCSObjectIdentifiers.sha1WithRSAEncryption.getId(), "BC");
DERBitString bs = new DERBitString(sig.sign());
POPOSigningKey myPOPOSigningKey = new POPOSigningKey(new AlgorithmIdentifier(PKCSObjectIdentifiers.sha1WithRSAEncryption), bs);
// myPOPOSigningKey.setPoposkInput( myPOPOSigningKeyInput );
myProofOfPossession = new ProofOfPossession(myPOPOSigningKey, 1);
// myCertReqMsg.addRegInfo(new AttributeTypeAndValue(new
// DERObjectIdentifier(""), new
// DERInteger(1122334455)));
AttributeTypeAndValue av = new AttributeTypeAndValue(CRMFObjectIdentifiers.regCtrl_regToken, new DERUTF8String("foo123"));
CertReqMessages myCertReqMessages = new CertReqMessages(myCertReqMsg);
// myCertReqMessages.addCertReqMsg(myCertReqMsg);
// log.debug("CAcert subject name: "+cacert.getSubjectDN().getName());
PKIHeader myPKIHeader = new PKIHeader(new DERInteger(2), new GeneralName(new X509Name(userDN)), new GeneralName(new X509Name(((X509Certificate)cacert).getSubjectDN()
myPKIHeader.setMessageTime(new DERGeneralizedTime(new Date()));
// senderNonce
myPKIHeader.setSenderNonce(new DEROctetString(nonce));
// TransactionId
myPKIHeader.setTransactionID(new DEROctetString(transid));
// myPKIHeader.setRecipNonce(new DEROctetString(new