1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
package org.spongycastle.cert;
import java.io.IOException;
import java.io.OutputStream;
import org.spongycastle.asn1.ASN1OctetString;
import org.spongycastle.asn1.x509.AuthorityKeyIdentifier;
import org.spongycastle.asn1.x509.Extension;
import org.spongycastle.asn1.x509.GeneralName;
import org.spongycastle.asn1.x509.GeneralNames;
import org.spongycastle.asn1.x509.SubjectKeyIdentifier;
import org.spongycastle.asn1.x509.SubjectPublicKeyInfo;
import org.spongycastle.operator.DigestCalculator;
/**
* General utility class for creating calculated extensions using the standard methods.
* <p>
* <b>Note:</b> This class is not thread safe!
* </p>
*/
public class X509ExtensionUtils
{
private DigestCalculator calculator;
public X509ExtensionUtils(DigestCalculator calculator)
{
this.calculator = calculator;
}
public AuthorityKeyIdentifier createAuthorityKeyIdentifier(
X509CertificateHolder certHolder)
{
if (certHolder.getVersionNumber() != 3)
{
GeneralName genName = new GeneralName(certHolder.getIssuer());
SubjectPublicKeyInfo info = certHolder.getSubjectPublicKeyInfo();
return new AuthorityKeyIdentifier(
calculateIdentifier(info), new GeneralNames(genName), certHolder.getSerialNumber());
}
else
{
GeneralName genName = new GeneralName(certHolder.getIssuer());
Extension ext = certHolder.getExtension(Extension.subjectKeyIdentifier);
if (ext != null)
{
ASN1OctetString str = ASN1OctetString.getInstance(ext.getParsedValue());
return new AuthorityKeyIdentifier(
str.getOctets(), new GeneralNames(genName), certHolder.getSerialNumber());
}
else
{
SubjectPublicKeyInfo info = certHolder.getSubjectPublicKeyInfo();
return new AuthorityKeyIdentifier(
calculateIdentifier(info), new GeneralNames(genName), certHolder.getSerialNumber());
}
}
}
public AuthorityKeyIdentifier createAuthorityKeyIdentifier(SubjectPublicKeyInfo publicKeyInfo)
{
return new AuthorityKeyIdentifier(calculateIdentifier(publicKeyInfo));
}
/**
* Return a RFC 3280 type 1 key identifier. As in:
* <pre>
* (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
* value of the BIT STRING subjectPublicKey (excluding the tag,
* length, and number of unused bits).
* </pre>
* @param publicKeyInfo the key info object containing the subjectPublicKey field.
* @return the key identifier.
*/
public SubjectKeyIdentifier createSubjectKeyIdentifier(
SubjectPublicKeyInfo publicKeyInfo)
{
return new SubjectKeyIdentifier(calculateIdentifier(publicKeyInfo));
}
/**
* Return a RFC 3280 type 2 key identifier. As in:
* <pre>
* (2) The keyIdentifier is composed of a four bit type field with
* the value 0100 followed by the least significant 60 bits of the
* SHA-1 hash of the value of the BIT STRING subjectPublicKey.
* </pre>
* @param publicKeyInfo the key info object containing the subjectPublicKey field.
* @return the key identifier.
*/
public SubjectKeyIdentifier createTruncatedSubjectKeyIdentifier(SubjectPublicKeyInfo publicKeyInfo)
{
byte[] digest = calculateIdentifier(publicKeyInfo);
byte[] id = new byte[8];
System.arraycopy(digest, digest.length - 8, id, 0, id.length);
id[0] &= 0x0f;
id[0] |= 0x40;
return new SubjectKeyIdentifier(id);
}
private byte[] calculateIdentifier(SubjectPublicKeyInfo publicKeyInfo)
{
byte[] bytes = publicKeyInfo.getPublicKeyData().getBytes();
OutputStream cOut = calculator.getOutputStream();
try
{
cOut.write(bytes);
cOut.close();
}
catch (IOException e)
{ // it's hard to imagine this happening, but yes it does!
throw new CertRuntimeException("unable to calculate identifier: " + e.getMessage(), e);
}
return calculator.getDigest();
}
}
|
