Use of org.xwiki.crypto.pkix.X509ExtensionBuilder in the project xwiki-platform by xwiki.
Shown below: the issueCertificate method of the RSACryptoScriptService class.
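/**
 * Create an end entity certificate. By default, the key can be used for encryption and signing. If the end entity
 * contains some alternate subject names of type X509Rfc822Name an extended email protection usage is added. If the
 * end entity contains some alternate subject names of type X509DnsName or X509IpAddress extended server and client
 * authentication usages are added.
 * <p>
 * The extended key usage extension is added once, after all alternative names have been examined, so that it
 * carries the complete set of usages. It is omitted when none of the alternative names maps to a usage, because an
 * empty extended key usage extension is not valid (RFC 5280, section 4.2.1.12 requires at least one purpose).
 *
 * @param issuer the keypair for issuing the certificate
 * @param publicKey the public key to certify
 * @param dn the distinguished name for the new certificate.
 * @param validity the validity of the certificate from now in days.
 * @param subjectAltName the alternative names for the certificate, or {@code null} for none
 * @return a certified public key.
 * @throws IOException in case of error while reading the public key.
 * @throws GeneralSecurityException in case of error.
 */
public CertifiedPublicKey issueCertificate(CertifiedKeyPair issuer, PublicKeyParameters publicKey, String dn,
    int validity, List<X509GeneralName> subjectAltName) throws IOException, GeneralSecurityException
{
    // Every certificate issued here may sign and encrypt. Whether the builder marks the key usage extension
    // critical is decided by the extension builder, not here.
    X509ExtensionBuilder builder = extensionBuilder.get()
        .addKeyUsage(EnumSet.of(KeyUsage.digitalSignature, KeyUsage.dataEncipherment));

    X509CertificateParameters params;
    if (subjectAltName != null) {
        // The alternative names are carried as a non-critical subject extension built separately from the
        // issuer-side extensions above.
        params = new X509CertificateParameters(extensionBuilder.get()
            .addSubjectAltName(false, subjectAltName.toArray(new X509GeneralName[] {})).build());

        // Derive the extended key usages from the kinds of alternative names present.
        Set<String> extUsage = new HashSet<>();
        for (X509GeneralName genName : subjectAltName) {
            if (genName instanceof X509Rfc822Name) {
                extUsage.add(ExtendedKeyUsages.EMAIL_PROTECTION);
            } else if (genName instanceof X509DnsName || genName instanceof X509IpAddress) {
                extUsage.add(ExtendedKeyUsages.SERVER_AUTH);
                extUsage.add(ExtendedKeyUsages.CLIENT_AUTH);
            }
        }

        // Add the extension exactly once with the full set, instead of once per name with a partial set.
        if (!extUsage.isEmpty()) {
            builder.addExtendedKeyUsage(false, new ExtendedKeyUsages(extUsage));
        }
    } else {
        params = new X509CertificateParameters();
    }

    return certificateGeneratorFactory
        .getInstance(CertifyingSigner.getInstance(true, issuer, signerFactory),
            new X509CertificateGenerationParameters(validity, builder.build()))
        .generate(new DistinguishedName(dn), publicKey, params);
}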