Examples of sun.security.x509.CertificateExtensions

• sun.security.x509.CertificateSerialNumber
  This class defines the Extensions attribute for the Certificate. @author Amit Kapoor @author Hemma Prafullchandra @see CertAttrSet

            // break unnecessary

        case 14:     // ExtensionRequest
            {
                DerOutputStream temp2 = new DerOutputStream();
                CertificateExtensions exts = (CertificateExtensions)value;
                try {
                    exts.encode(temp2, true);
                } catch (CertificateException ex) {
                    throw new IOException(ex.toString());
                }
                temp.write(DerValue.tag_Set, temp2.toByteArray());
            }

    }
  }

  private static CertificateExtensions getCACertificateExtensions()
      throws IOException {
    CertificateExtensions ext = new CertificateExtensions();

    // Basic Constraints
    ext.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(
    /* isCritical */Boolean.TRUE, /* isCA */true, 0));

    return ext;
  }

    return ext;
  }

  private static CertificateExtensions getCertificateExtensions(
      PublicKey pubKey, PublicKey caPubKey) throws IOException {
    CertificateExtensions ext = new CertificateExtensions();

    ext.set(SubjectKeyIdentifierExtension.NAME,
        new SubjectKeyIdentifierExtension(new KeyIdentifier(pubKey)
            .getIdentifier()));

    ext.set(AuthorityKeyIdentifierExtension.NAME,
        new AuthorityKeyIdentifierExtension(
            new KeyIdentifier(caPubKey), null, null));

    // Basic Constraints
    ext.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(
    /* isCritical */Boolean.TRUE, /* isCA */false, /* pathLen */5));

    // Netscape Cert Type Extension
    boolean[] ncteOk = new boolean[8];
    ncteOk[0] = true; // SSL_CLIENT
    ncteOk[1] = true; // SSL_SERVER
    NetscapeCertTypeExtension ncte = new NetscapeCertTypeExtension(ncteOk);
    ncte = new NetscapeCertTypeExtension(Boolean.FALSE, ncte.getExtensionValue());
    ext.set(NetscapeCertTypeExtension.NAME, ncte);

    // Key Usage Extension
    boolean[] kueOk = new boolean[9];
    kueOk[0] = true;
    kueOk[2] = true;
    // "digitalSignature", // (0),
    // "nonRepudiation", // (1)
    // "keyEncipherment", // (2),
    // "dataEncipherment", // (3),
    // "keyAgreement", // (4),
    // "keyCertSign", // (5),
    // "cRLSign", // (6),
    // "encipherOnly", // (7),
    // "decipherOnly", // (8)
    // "contentCommitment" // also (1)
    KeyUsageExtension kue = new KeyUsageExtension(kueOk);
    ext.set(KeyUsageExtension.NAME, kue);

    // Extended Key Usage Extension
    int[] serverAuthOidData = { 1, 3, 6, 1, 5, 5, 7, 3, 1 };
    ObjectIdentifier serverAuthOid = new ObjectIdentifier(serverAuthOidData);
    int[] clientAuthOidData = { 1, 3, 6, 1, 5, 5, 7, 3, 2 };
    ObjectIdentifier clientAuthOid = new ObjectIdentifier(clientAuthOidData);
    Vector v = new Vector();
    v.add(serverAuthOid);
    v.add(clientAuthOid);
    ExtendedKeyUsageExtension ekue = new ExtendedKeyUsageExtension(Boolean.FALSE, v);
    ext.set(ExtendedKeyUsageExtension.NAME, ekue);

    return ext;

  }

        info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
        info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
        AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
        info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));

        CertificateExtensions ext = new CertificateExtensions();
        // Critical: Not CA, max path len 0
        ext.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(true, false, 0));
        // Critical: only allow TLS ("serverAuth" = 1.3.6.1.5.5.7.3.1)
        ext.set(ExtendedKeyUsageExtension.NAME, new ExtendedKeyUsageExtension(true,
                new Vector<ObjectIdentifier>(Arrays.asList(new ObjectIdentifier("1.3.6.1.5.5.7.3.1")))));

        if (san != null) {
            int colonpos;
            String[] ps = san.split(",");
            GeneralNames gnames = new GeneralNames();
            for(String item: ps) {
                colonpos = item.indexOf(':');
                if (colonpos < 0) {
                    throw new IllegalArgumentException("Illegal item " + item + " in " + san);
                }
                String t = item.substring(0, colonpos);
                String v = item.substring(colonpos+1);
                gnames.add(createGeneralName(t, v));
            }
            // Non critical
            ext.set(SubjectAlternativeNameExtension.NAME, new SubjectAlternativeNameExtension(false, gnames));
        }

        info.set(X509CertInfo.EXTENSIONS, ext);

        // Sign the cert to identify the algorithm that's used.

      info.set(X509CertInfo.VALIDITY, valid);
      info.set(X509CertInfo.ISSUER, new CertificateIssuerName(signer
          .getSigner()));

      // add Extensions
      CertificateExtensions ext = (subject == issuer) ? getCACertificateExtensions()
          : getCertificateExtensions(pubKey, caPubKey);
      info.set(X509CertInfo.EXTENSIONS, ext);

      X509CertImpl cert = new X509CertImpl(info);
      cert.sign(caKey, SIGALG);

    X500Name owner = new X500Name(dn);

    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
    info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
    info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
    info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));

    X500Name owner = new X500Name(dn);

    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
    info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
    info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
    info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
    info
      .set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);
    info.set(X509CertInfo.ALGORITHM_ID, new CertificateAlgorithmId(algo));

    CertificateValidity interval = new CertificateValidity(from, to);
    BigInteger sn = new BigInteger(64, new SecureRandom());
    X500Name owner = new X500Name(dn);

    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
    info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
    info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
    info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
    info.set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));
    AlgorithmId algo = new AlgorithmId(AlgorithmId.md5WithRSAEncryption_oid);

        CertificateValidity interval = new CertificateValidity(firstDate,
                                                               lastDate);
        certInfo.set(X509CertInfo.VALIDITY, interval);

        // Make new serial number
        certInfo.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber
            ((int)(firstDate.getTime()/1000)));

        // Set owner and issuer fields
        X500Name owner;
        // Get the owner name from the certificate

    CertificateValidity interval = new CertificateValidity(from, to);
    BigInteger sn = new BigInteger(64, new SecureRandom());
    X500Name owner = new X500Name(dn);

    info.set(X509CertInfo.VALIDITY, interval);
    info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(sn));
    info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(owner));
    info.set(X509CertInfo.ISSUER, new CertificateIssuerName(owner));
    info.set(X509CertInfo.KEY, new CertificateX509Key(pair.getPublic()));
    info
      .set(X509CertInfo.VERSION, new CertificateVersion(CertificateVersion.V3));