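/**
 * Re-signs {@code certificate} so that it is issued by {@code issuerCertificate}.
 *
 * <p>The TBS (to-be-signed) part of the input certificate is reused: subject, public key,
 * validity, serial number and existing extensions are kept; only the issuer name is
 * replaced and the signature is recomputed with the issuer's key and signature algorithm.
 *
 * <p>When {@code isLeaf} is {@code false} the result is a CA certificate: a <em>critical</em>
 * BasicConstraints extension ({@code cA=TRUE}, no path-length limit) is set and
 * {@code keyCertSign} is asserted in KeyUsage (RFC 5280 §4.2.1.9 requires basic constraints
 * in CA certificates to be critical, and §4.2.1.3 requires {@code keyCertSign} for keys that
 * validate other certificates). Extensions already present on the input certificate are
 * preserved rather than discarded, and existing KeyUsage bits are kept.
 *
 * @param certificate       the certificate whose TBS content is re-issued
 * @param issuerCertificate the issuing certificate; its subject becomes the issuer name and
 *                          its signature algorithm is reused
 * @param issuerPrivateKey  the private key matching {@code issuerCertificate}
 * @param isLeaf            {@code true} for an end-entity certificate, {@code false} to
 *                          produce a CA certificate
 * @return the re-signed certificate
 * @throws CertificateException     if the TBS bytes cannot be parsed or re-encoded
 * @throws IOException              if an extension cannot be encoded
 * @throws NoSuchProviderException  propagated from {@link X509CertImpl#sign}
 * @throws NoSuchAlgorithmException if the issuer's signature algorithm is unavailable
 * @throws InvalidKeyException      if {@code issuerPrivateKey} does not fit that algorithm
 * @throws SignatureException       if signing fails
 */
private static X509Certificate createSignedCertificate(X509Certificate certificate,
        X509Certificate issuerCertificate, PrivateKey issuerPrivateKey, boolean isLeaf)
        throws CertificateException, IOException, NoSuchProviderException,
        NoSuchAlgorithmException, InvalidKeyException, SignatureException {
    // getSubjectDN() is deprecated, but it is kept here because X509CertInfo.set(ISSUER, ...)
    // expects the JDK's X500Name, which is what X509CertImpl returns from this method.
    Principal issuer = issuerCertificate.getSubjectDN();
    // Reuse the issuer's own signature algorithm; this presumes issuerPrivateKey is of the
    // same key type as the key in issuerCertificate (e.g. an RSA issuer signs with RSA).
    String issuerSigAlg = issuerCertificate.getSigAlgName();

    X509CertInfo info = new X509CertInfo(certificate.getTBSCertificate());
    info.set(X509CertInfo.ISSUER, issuer);

    if (!isLeaf) {
        // Start from the extensions the input already carries (may be null for a v1 cert);
        // only the CA-related ones are (re)set below.
        CertificateExtensions exts = (CertificateExtensions) info.get(X509CertInfo.EXTENSIONS);
        if (exts == null) {
            exts = new CertificateExtensions();
        }
        // cA=TRUE, pathLen -1 = unlimited; explicitly critical as RFC 5280 requires for CAs.
        exts.set(BasicConstraintsExtension.NAME,
                new BasicConstraintsExtension(Boolean.TRUE, true, -1));
        // Merge keyCertSign into whatever KeyUsage bits the input already had; getKeyUsage()
        // returns null when the input has no KeyUsage extension.
        boolean[] usageBits = certificate.getKeyUsage();
        KeyUsageExtension keyUsage =
                usageBits == null ? new KeyUsageExtension() : new KeyUsageExtension(usageBits);
        keyUsage.set(KeyUsageExtension.KEY_CERTSIGN, true);
        exts.set(KeyUsageExtension.NAME, keyUsage);
        info.set(X509CertInfo.EXTENSIONS, exts);
    }

    X509CertImpl outCert = new X509CertImpl(info);
    outCert.sign(issuerPrivateKey, issuerSigAlg);
    return outCert;
}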
/**
 * Marks the certificate being built as a certificate authority.
 *
 * <p>Switches the certificate to v3, adds a BasicConstraints extension with
 * {@code cA=true} and an unlimited path length, asserts {@code keyCertSign} in the
 * KeyUsage extension (creating it if the builder has none yet), and stores the
 * resulting extension set on {@code info}.
 *
 * <p>Any exception raised while doing so is passed to {@code fault(e, ...)} (defined
 * elsewhere in the builder) instead of being thrown; the builder is returned either way
 * so that call chaining keeps working.
 *
 * @return this builder, for chaining
 */
public X509Builder keyUsageCertificateAuthority() {
    try {
        v3();
        // Basic constraint for a CA: cA=true; pathLen -1 means no limit on how many
        // further CA certificates may follow this one in a chain, 0 or more caps it.
        BasicConstraintsExtension caConstraint = new BasicConstraintsExtension(true, -1);

        // A CA must be able to sign certificates; reuse an existing KeyUsage if present.
        if (keyUsageExtension == null) {
            keyUsageExtension = new KeyUsageExtension();
        }
        keyUsageExtension.set(KeyUsageExtension.KEY_CERTSIGN, true);

        // Register both extensions, keyed by their OID string as this builder does.
        if (certificateExtensions == null) {
            certificateExtensions = new CertificateExtensions();
        }
        String keyUsageOid = keyUsageExtension.getExtensionId().toString();
        String constraintOid = caConstraint.getExtensionId().toString();
        certificateExtensions.set(keyUsageOid, keyUsageExtension);
        certificateExtensions.set(constraintOid, caConstraint);
        info.set(X509CertInfo.EXTENSIONS, certificateExtensions);
    } catch (Exception e) {
        fault(e, "keyUsageCertificateAuthority");
    }
    return this;
}
// Basic constraints for a CA that may only issue end-entity certificates:
// critical=TRUE, cA=true, pathLenConstraint=0 (no subordinate CA may sit below this one).
ext.set(BasicConstraintsExtension.NAME, new BasicConstraintsExtension(Boolean.TRUE, true, 0)); // Critical|isCA|pathLen
// Subject key identifier derived from the public key of `pair` (the KeyIdentifier
// computed by the JDK from that key), so the certificate identifies its own key.
ext.set(SubjectKeyIdentifierExtension.NAME, new SubjectKeyIdentifierExtension(new KeyIdentifier(pair.getPublic()).getIdentifier()));