util-testing/club/wpia/gigi/util/SimpleSigner.java

   1 package club.wpia.gigi.util;
   2
   3 import java.io.File;
   4 import java.io.FileInputStream;
   5 import java.io.FileNotFoundException;
   6 import java.io.FileOutputStream;
   7 import java.io.IOException;
   8 import java.io.InputStream;
   9 import java.io.InputStreamReader;
  10 import java.io.PrintWriter;
  11 import java.io.Reader;
  12 import java.math.BigInteger;
  13 import java.nio.file.Paths;
  14 import java.security.GeneralSecurityException;
  15 import java.security.KeyFactory;
  16 import java.security.NoSuchAlgorithmException;
  17 import java.security.PrivateKey;
  18 import java.security.PublicKey;
  19 import java.security.Signature;
  20 import java.security.cert.CertificateFactory;
  21 import java.security.cert.X509Certificate;
  22 import java.security.spec.InvalidKeySpecException;
  23 import java.security.spec.PKCS8EncodedKeySpec;
  24 import java.sql.SQLException;
  25 import java.sql.Timestamp;
  26 import java.text.ParseException;
  27 import java.text.SimpleDateFormat;
  28 import java.util.Base64;
  29 import java.util.Calendar;
  30 import java.util.Date;
  31 import java.util.GregorianCalendar;
  32 import java.util.HashMap;
  33 import java.util.LinkedList;
  34 import java.util.List;
  35 import java.util.Map;
  36 import java.util.Map.Entry;
  37 import java.util.Properties;
  38 import java.util.TimeZone;
  39
  40 import javax.security.auth.x500.X500Principal;
  41
  42 import club.wpia.gigi.crypto.SPKAC;
  43 import club.wpia.gigi.database.DatabaseConnection;
  44 import club.wpia.gigi.database.DatabaseConnection.Link;
  45 import club.wpia.gigi.database.GigiPreparedStatement;
  46 import club.wpia.gigi.database.GigiResultSet;
  47 import club.wpia.gigi.dbObjects.Certificate.CSRType;
  48 import club.wpia.gigi.dbObjects.Certificate.SANType;
  49 import club.wpia.gigi.dbObjects.Certificate.SubjectAlternateName;
  50 import club.wpia.gigi.dbObjects.CertificateProfile;
  51 import club.wpia.gigi.dbObjects.Digest;
  52 import club.wpia.gigi.output.DateSelector;
  53 import club.wpia.gigi.util.ServerConstants.Host;
  54 import sun.security.pkcs10.PKCS10;
  55 import sun.security.util.DerOutputStream;
  56 import sun.security.util.DerValue;
  57 import sun.security.util.ObjectIdentifier;
  58 import sun.security.x509.AVA;
  59 import sun.security.x509.AlgorithmId;
  60 import sun.security.x509.GeneralNameInterface;
  61 import sun.security.x509.RDN;
  62 import sun.security.x509.X500Name;
  63
  64 public class SimpleSigner {
  65
  66     private static GigiPreparedStatement warnMail;
  67
  68     private static GigiPreparedStatement updateMail;
  69
  70     private static GigiPreparedStatement readyCerts;
  71
  72     private static GigiPreparedStatement getSANSs;
  73
  74     private static GigiPreparedStatement revoke;
  75
  76     private static GigiPreparedStatement revokeCompleted;
  77
  78     private static GigiPreparedStatement finishJob;
  79
  80     private static GigiPreparedStatement locateCA;
  81
  82     private static volatile boolean running = true;
  83
  84     private static Thread runner;
  85
  86     private static SimpleDateFormat sdf = new SimpleDateFormat("yyMMddHHmmss'Z'");
  87
  88     static {
  89         TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
  90         sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
  91     }
  92
  93     public static void main(String[] args) throws IOException, SQLException, InterruptedException {
  94         Properties p = new Properties();
  95         try (Reader reader = new InputStreamReader(new FileInputStream("config/gigi.properties"), "UTF-8")) {
  96             p.load(reader);
  97         }
  98         ServerConstants.init(p);
  99         DatabaseConnection.init(p);
 100
 101         runSigner();
 102     }
 103
 104     public static void stopSigner() throws InterruptedException {
 105         Thread capturedRunner;
 106         synchronized (SimpleSigner.class) {
 107             if (runner == null) {
 108                 throw new IllegalStateException("already stopped");
 109             }
 110             capturedRunner = runner;
 111             running = false;
 112             SimpleSigner.class.notifyAll();
 113         }
 114         capturedRunner.join();
 115     }
 116
 117     public synchronized static void runSigner() throws SQLException, IOException, InterruptedException {
 118         if (runner != null) {
 119             throw new IllegalStateException("already running");
 120         }
 121         running = true;
 122
 123         runner = new Thread() {
 124
 125             @Override
 126             public void run() {
 127                 try (Link l = DatabaseConnection.newLink(false)) {
 128                     readyCerts = new GigiPreparedStatement("SELECT certs.id AS id, certs.csr_name, jobs.id AS jobid, csr_type, md, `executeFrom`, `executeTo`, profile FROM jobs " + //
 129                             "INNER JOIN certs ON certs.id=jobs.`targetId` " + //
 130                             "INNER JOIN profiles ON profiles.id=certs.profile " + //
 131                             "WHERE jobs.state='open' " + //
 132                             "AND task='sign'");
 133
 134                     getSANSs = new GigiPreparedStatement("SELECT contents, type FROM `subjectAlternativeNames` " + //
 135                             "WHERE `certId`=?");
 136
 137                     updateMail = new GigiPreparedStatement("UPDATE certs SET crt_name=?," + " created=NOW(), serial=?, caid=?, expire=? WHERE id=?");
 138                     warnMail = new GigiPreparedStatement("UPDATE jobs SET warning=warning+1, state=CASE WHEN warning<3 THEN 'open'::`jobState` ELSE 'error'::`jobState` END WHERE id=?");
 139
 140                     revoke = new GigiPreparedStatement("SELECT certs.id, certs.csr_name,jobs.id FROM jobs INNER JOIN certs ON jobs.`targetId`=certs.id" + " WHERE jobs.state='open' AND task='revoke'");
 141                     revokeCompleted = new GigiPreparedStatement("UPDATE `certs` SET revoked=NOW() WHERE id=?");
 142
 143                     finishJob = new GigiPreparedStatement("UPDATE jobs SET state='done' WHERE id=?");
 144
 145                     locateCA = new GigiPreparedStatement("SELECT id FROM cacerts WHERE keyname=?");
 146
 147                     work();
 148                 } catch (InterruptedException e) {
 149                     throw new Error(e);
 150                 }
 151             }
 152
 153         };
 154         runner.start();
 155     }
 156
 157     public static void ping() {
 158         synchronized (SimpleSigner.class) {
 159             SimpleSigner.class.notifyAll();
 160             try {
 161                 SimpleSigner.class.wait(2000);
 162             } catch (InterruptedException e) {
 163                 e.printStackTrace();
 164             }
 165         }
 166     }
 167
 168     private synchronized static void work() {
 169         try {
 170             gencrl();
 171         } catch (IOException e2) {
 172             e2.printStackTrace();
 173         } catch (InterruptedException e2) {
 174             e2.printStackTrace();
 175         }
 176
 177         while (running) {
 178             try {
 179                 signCertificates();
 180                 revokeCertificates();
 181
 182                 SimpleSigner.class.notifyAll();
 183                 SimpleSigner.class.wait(5000);
 184             } catch (IOException e) {
 185                 e.printStackTrace();
 186             } catch (SQLException e) {
 187                 e.printStackTrace();
 188             } catch (InterruptedException e1) {
 189             }
 190         }
 191         runner = null;
 192     }
 193
 194     private static void revokeCertificates() throws SQLException, IOException, InterruptedException {
 195         GigiResultSet rs = revoke.executeQuery();
 196         boolean worked = false;
 197         while (rs.next()) {
 198             int id = rs.getInt(1);
 199             worked = true;
 200             System.out.println("Revoke faked: " + id);
 201             revokeCompleted.setInt(1, id);
 202             revokeCompleted.executeUpdate();
 203             finishJob.setInt(1, rs.getInt(3));
 204             finishJob.executeUpdate();
 205         }
 206         if (worked) {
 207             gencrl();
 208         }
 209     }
 210
 211     private static void gencrl() throws IOException, InterruptedException {
 212         if (true) {
 213             return;
 214         }
 215         String[] call = new String[] {
 216                 "openssl",
 217                 "ca",//
 218                 "-cert",
 219                 "../unassured.crt",//
 220                 "-keyfile",
 221                 "../unassured.key",//
 222                 "-gencrl",//
 223                 "-crlhours",//
 224                 "12",//
 225                 "-out",
 226                 "../unassured.crl",//
 227                 "-config",
 228                 "../selfsign.config"
 229
 230         };
 231         Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));
 232         if (p1.waitFor() != 0) {
 233             System.out.println("Error while generating crl.");
 234         }
 235     }
 236
 237     private static void signCertificates() throws SQLException {
 238         GigiResultSet rs = readyCerts.executeQuery();
 239
 240         Calendar c = Calendar.getInstance();
 241         c.setTimeZone(TimeZone.getTimeZone("UTC"));
 242         while (rs.next()) {
 243             String csrname = rs.getString("csr_name");
 244             int id = rs.getInt("id");
 245             System.out.println("sign: " + csrname);
 246             try {
 247                 String csrType = rs.getString("csr_type");
 248                 CSRType ct = CSRType.valueOf(csrType);
 249                 File crt = KeyStorage.locateCrt(id);
 250
 251                 Timestamp from = rs.getTimestamp("executeFrom");
 252                 String length = rs.getString("executeTo");
 253                 Date fromDate;
 254                 Date toDate;
 255                 if (from == null) {
 256                     fromDate = new Date(System.currentTimeMillis());
 257                 } else {
 258                     fromDate = new Date(from.getTime());
 259                 }
 260                 if (length.endsWith("m") || length.endsWith("y")) {
 261                     String num = length.substring(0, length.length() - 1);
 262                     int inter = Integer.parseInt(num);
 263                     c.setTime(fromDate);
 264                     if (length.endsWith("m")) {
 265                         c.add(Calendar.MONTH, inter);
 266                     } else {
 267                         c.add(Calendar.YEAR, inter);
 268                     }
 269                     toDate = c.getTime();
 270                 } else {
 271                     toDate = DateSelector.getDateFormat().parse(length);
 272                 }
 273
 274                 getSANSs.setInt(1, id);
 275                 GigiResultSet san = getSANSs.executeQuery();
 276
 277                 LinkedList<SubjectAlternateName> altnames = new LinkedList<>();
 278                 while (san.next()) {
 279                     altnames.add(new SubjectAlternateName(SANType.valueOf(san.getString("type").toUpperCase()), san.getString("contents")));
 280                 }
 281                 // TODO look them up!
 282                 // cfg.println("keyUsage=critical," +
 283                 // "digitalSignature, keyEncipherment, keyAgreement");
 284                 // cfg.println("extendedKeyUsage=critical," + "clientAuth");
 285                 // cfg.close();
 286
 287                 int profile = rs.getInt("profile");
 288                 CertificateProfile cp = CertificateProfile.getById(profile);
 289                 String s = cp.getId() + "";
 290                 while (s.length() < 4) {
 291                     s = "0" + s;
 292                 }
 293                 s += "-" + cp.getKeyName() + ".cfg";
 294                 Properties caP = new Properties();
 295                 try (FileInputStream inStream = new FileInputStream("signer/profiles/" + s)) {
 296                     caP.load(inStream);
 297                 }
 298
 299                 HashMap<String, String> subj = new HashMap<>();
 300                 try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT name, value FROM `certAvas` WHERE `certId`=?")) {
 301                     ps.setInt(1, rs.getInt("id"));
 302                     GigiResultSet rs2 = ps.executeQuery();
 303                     while (rs2.next()) {
 304                         String name = rs2.getString("name");
 305                         if (name.equals("EMAIL")) {
 306                             name = "emailAddress";
 307                         }
 308                         subj.put(name, rs2.getString("value"));
 309                     }
 310                 }
 311                 if (subj.size() == 0) {
 312                     subj.put("CN", "<empty>");
 313                     System.out.println("WARNING: DN was empty");
 314                 }
 315                 System.out.println(subj);
 316
 317                 PublicKey pk;
 318                 byte[] data = IOUtils.readURL(new FileInputStream(csrname));
 319                 if (ct == CSRType.SPKAC) {
 320                     String dt = new String(data, "UTF-8");
 321                     if (dt.startsWith("SPKAC=")) {
 322                         dt = dt.substring(6);
 323                         data = dt.getBytes("UTF-8");
 324                         System.out.println(dt);
 325                     }
 326                     SPKAC sp = new SPKAC(Base64.getDecoder().decode(data));
 327                     pk = sp.getPubkey();
 328                 } else {
 329                     PKCS10 p10 = new PKCS10(PEM.decode("(NEW )?CERTIFICATE REQUEST", new String(data, "UTF-8")));
 330                     pk = p10.getSubjectPublicKeyInfo();
 331                 }
 332                 Calendar cal = GregorianCalendar.getInstance();
 333                 String ca = caP.getProperty("ca") + "_" + cal.get(Calendar.YEAR) + (cal.get(Calendar.MONTH) >= 6 ? "_2" : "_1");
 334                 File parent = new File("signer/ca");
 335                 File[] caFiles = parent.listFiles();
 336                 if (null == caFiles) {
 337                     caFiles = new File[0];
 338                 }
 339                 if ( !new File(parent, ca).exists()) {
 340                     System.out.println("CA " + ca + " not found. Searching for anything other remotely fitting.");
 341                     for (File f : caFiles) {
 342                         if (f.getName().startsWith(caP.getProperty("ca"))) {
 343                             ca = f.getName();
 344                             break;
 345                         }
 346                     }
 347                 }
 348                 File caKey = new File(parent, ca + "/ca.key");
 349                 PrivateKey i = loadOpensslKey(caKey);
 350
 351                 X509Certificate root = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new FileInputStream("signer/ca/" + ca + "/ca.crt"));
 352                 byte[] cert = generateCert(pk, i, subj, root.getSubjectX500Principal(), altnames, fromDate, toDate, Digest.valueOf(rs.getString("md").toUpperCase()), caP.getProperty("eku"));
 353                 PrintWriter out = new PrintWriter(crt);
 354                 out.println("-----BEGIN CERTIFICATE-----");
 355                 out.println(Base64.getMimeEncoder().encodeToString(cert));
 356                 out.println("-----END CERTIFICATE-----");
 357                 out.close();
 358
 359                 try (InputStream is = new FileInputStream(crt)) {
 360                     locateCA.setString(1, ca);
 361                     GigiResultSet caRs = locateCA.executeQuery();
 362                     if ( !caRs.next()) {
 363                         throw new Error("ca " + ca + " was not found");
 364                     }
 365
 366                     CertificateFactory cf = CertificateFactory.getInstance("X.509");
 367                     X509Certificate crtp = (X509Certificate) cf.generateCertificate(is);
 368                     BigInteger serial = crtp.getSerialNumber();
 369                     updateMail.setString(1, crt.getPath());
 370                     updateMail.setString(2, serial.toString(16));
 371                     updateMail.setInt(3, caRs.getInt("id"));
 372                     updateMail.setTimestamp(4, new Timestamp(toDate.getTime()));
 373                     updateMail.setInt(5, id);
 374                     updateMail.executeUpdate();
 375
 376                     finishJob.setInt(1, rs.getInt("jobid"));
 377                     finishJob.executeUpdate();
 378                     System.out.println("signed: " + id);
 379                     continue;
 380                 }
 381
 382             } catch (GeneralSecurityException e) {
 383                 e.printStackTrace();
 384             } catch (IOException e) {
 385                 e.printStackTrace();
 386             } catch (ParseException e) {
 387                 e.printStackTrace();
 388             }
 389             System.out.println("Error with: " + id);
 390             warnMail.setInt(1, rs.getInt("jobid"));
 391             warnMail.executeUpdate();
 392
 393         }
 394         rs.close();
 395     }
 396
 397     private static PrivateKey loadOpensslKey(File f) throws FileNotFoundException, IOException, InvalidKeySpecException, NoSuchAlgorithmException {
 398         byte[] p8b = PEM.decode("RSA PRIVATE KEY", new String(IOUtils.readURL(new FileInputStream(f))));
 399         DerOutputStream dos = new DerOutputStream();
 400         dos.putInteger(0);
 401         new AlgorithmId(new ObjectIdentifier(new int[] {
 402                 1, 2, 840, 113549, 1, 1, 1
 403         })).encode(dos);
 404         dos.putOctetString(p8b);
 405         byte[] ctx = dos.toByteArray();
 406         dos.reset();
 407         dos.write(DerValue.tag_Sequence, ctx);
 408         PKCS8EncodedKeySpec p8 = new PKCS8EncodedKeySpec(dos.toByteArray());
 409         PrivateKey i = KeyFactory.getInstance("RSA").generatePrivate(p8);
 410         return i;
 411     }
 412
 413     public static synchronized byte[] generateCert(PublicKey pk, PrivateKey prk, Map<String, String> subj, X500Principal issuer, List<SubjectAlternateName> altnames, Date fromDate, Date toDate, Digest digest, String eku) throws IOException, GeneralSecurityException {
 414         File f = Paths.get("signer", "serial").toFile();
 415         if ( !f.exists()) {
 416             try (FileOutputStream fos = new FileOutputStream(f)) {
 417                 fos.write("1".getBytes("UTF-8"));
 418             }
 419         }
 420         try (FileInputStream fr = new FileInputStream(f)) {
 421             byte[] serial = IOUtils.readURL(fr);
 422             BigInteger ser = new BigInteger(new String(serial).trim());
 423             ser = ser.add(BigInteger.ONE);
 424
 425             PrintWriter pw = new PrintWriter(f);
 426             pw.println(ser);
 427             pw.close();
 428             if (digest != Digest.SHA256 && digest != Digest.SHA384 && digest != Digest.SHA512) {
 429                 System.err.println("assuming sha256 either way ;-): " + digest);
 430                 digest = Digest.SHA256;
 431             }
 432             ObjectIdentifier sha512withrsa = new ObjectIdentifier(new int[] {
 433                     1, 2, 840, 113549, 1, 1, digest == Digest.SHA256 ? 11 : (digest == Digest.SHA384 ? 12 : 13)
 434             });
 435             AlgorithmId aid = new AlgorithmId(sha512withrsa);
 436             Signature s = Signature.getInstance(digest == Digest.SHA256 ? "SHA256withRSA" : (digest == Digest.SHA384 ? "SHA384withRSA" : "SHA512withRSA"));
 437
 438             DerOutputStream cert = new DerOutputStream();
 439             DerOutputStream content = new DerOutputStream();
 440             {
 441                 DerOutputStream version = new DerOutputStream();
 442                 version.putInteger(2); // v3
 443                 content.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0), version);
 444             }
 445             content.putInteger(ser); // Serial
 446             aid.encode(content);
 447
 448             {
 449                 content.write(issuer.getEncoded());
 450             }
 451             {
 452                 DerOutputStream notAround = new DerOutputStream();
 453                 notAround.putUTCTime(fromDate);
 454                 notAround.putUTCTime(toDate);
 455                 content.write(DerValue.tag_Sequence, notAround);
 456             }
 457             {
 458
 459                 X500Name xn = genX500Name(subj);
 460                 content.write(xn.getEncoded());
 461             }
 462             {
 463                 content.write(pk.getEncoded());
 464             }
 465             {
 466                 DerOutputStream extensions = new DerOutputStream();
 467                 {
 468                     addExtension(extensions, new ObjectIdentifier(new int[] {
 469                             2, 5, 29, 17
 470                     }), generateSAN(altnames));
 471                     addExtension(extensions, new ObjectIdentifier(new int[] {
 472                             2, 5, 29, 15
 473                     }), generateKU());
 474                     addExtension(extensions, new ObjectIdentifier(new int[] {
 475                             2, 5, 29, 37
 476                     }), generateEKU(eku));
 477                     addExtension(extensions, new ObjectIdentifier(new int[] {
 478                             1, 3, 6, 1, 5, 5, 7, 1, 1
 479                     }), generateAIA());
 480                 }
 481                 DerOutputStream extensionsSeq = new DerOutputStream();
 482                 extensionsSeq.write(DerValue.tag_Sequence, extensions);
 483                 content.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 3), extensionsSeq);
 484             }
 485
 486             DerOutputStream contentSeq = new DerOutputStream();
 487
 488             contentSeq.write(DerValue.tag_Sequence, content.toByteArray());
 489
 490             s.initSign(prk);
 491             s.update(contentSeq.toByteArray());
 492
 493             aid.encode(contentSeq);
 494             contentSeq.putBitString(s.sign());
 495             cert.write(DerValue.tag_Sequence, contentSeq);
 496
 497             // X509Certificate c = (X509Certificate)
 498             // CertificateFactory.getInstance("X509").generateCertificate(new
 499             // ByteArrayInputStream(cert.toByteArray()));
 500             // c.verify(pk); only for self-signeds
 501
 502             byte[] res = cert.toByteArray();
 503             cert.close();
 504             return res;
 505         }
 506
 507     }
 508
 509     private static byte[] generateAIA() throws IOException {
 510         try (DerOutputStream dos = new DerOutputStream()) {
 511             try (DerOutputStream seq = new DerOutputStream()) {
 512                 seq.putOID(new ObjectIdentifier(new int[] {
 513                         1, 3, 6, 1, 5, 5, 7, 48, 2
 514                 }));
 515                 seq.write((byte) 0x86, ("http://" + ServerConstants.getHostName(Host.OCSP_RESPONDER)).getBytes("UTF-8"));
 516                 dos.write(DerValue.tag_Sequence, seq);
 517             }
 518             byte[] data = dos.toByteArray();
 519             dos.reset();
 520             dos.write(DerValue.tag_Sequence, data);
 521             return dos.toByteArray();
 522         }
 523     }
 524
 525     private static byte[] generateKU() throws IOException {
 526         try (DerOutputStream dos = new DerOutputStream()) {
 527             dos.putBitString(new byte[] {
 528                     (byte) 0b10101000
 529             });
 530             return dos.toByteArray();
 531         }
 532     }
 533
 534     private static byte[] generateEKU(String eku) throws IOException {
 535
 536         try (DerOutputStream dos = new DerOutputStream()) {
 537             for (String name : eku.split(",")) {
 538                 name = name.trim();
 539                 ObjectIdentifier oid;
 540                 switch (name) {
 541                 case "serverAuth":
 542                     oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.1");
 543                     break;
 544                 case "clientAuth":
 545                     oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.2");
 546                     break;
 547                 case "codeSigning":
 548                     oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.3");
 549                     break;
 550                 case "emailProtection":
 551                     oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.4");
 552                     break;
 553                 case "OCSPSigning":
 554                     oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.9");
 555                     break;
 556
 557                 default:
 558                     throw new Error(name);
 559                 }
 560                 dos.putOID(oid);
 561             }
 562             byte[] data = dos.toByteArray();
 563             dos.reset();
 564             dos.write(DerValue.tag_Sequence, data);
 565             return dos.toByteArray();
 566         }
 567     }
 568
 569     public static X500Name genX500Name(Map<String, String> subj) throws IOException {
 570         LinkedList<RDN> rdns = new LinkedList<>();
 571         for (Entry<String, String> i : subj.entrySet()) {
 572             RDN rdn = genRDN(i);
 573             rdns.add(rdn);
 574         }
 575         return new X500Name(rdns.toArray(new RDN[rdns.size()]));
 576     }
 577
 578     private static RDN genRDN(Entry<String, String> i) throws IOException {
 579         DerOutputStream dos = new DerOutputStream();
 580         dos.putUTF8String(i.getValue());
 581         int[] oid;
 582         String key = i.getKey();
 583         switch (key) {
 584         case "CN":
 585             oid = new int[] {
 586                     2, 5, 4, 3
 587             };
 588             break;
 589         case "EMAIL":
 590         case "emailAddress":
 591             oid = new int[] {
 592                     1, 2, 840, 113549, 1, 9, 1
 593             };
 594             break;
 595         case "O":
 596             oid = new int[] {
 597                     2, 5, 4, 10
 598             };
 599             break;
 600         case "OU":
 601             oid = new int[] {
 602                     2, 5, 4, 11
 603             };
 604             break;
 605         case "ST":
 606             oid = new int[] {
 607                     2, 5, 4, 8
 608             };
 609             break;
 610         case "L":
 611             oid = new int[] {
 612                     2, 5, 4, 7
 613             };
 614             break;
 615         case "C":
 616             oid = new int[] {
 617                     2, 5, 4, 6
 618             };
 619             break;
 620         default:
 621             dos.close();
 622             throw new Error("unknown RDN-type: " + key);
 623         }
 624         RDN rdn = new RDN(new AVA(new ObjectIdentifier(oid), new DerValue(dos.toByteArray())));
 625         dos.close();
 626         return rdn;
 627     }
 628
 629     private static void addExtension(DerOutputStream extensions, ObjectIdentifier oid, byte[] extContent) throws IOException {
 630         DerOutputStream SANs = new DerOutputStream();
 631         SANs.putOID(oid);
 632         SANs.putOctetString(extContent);
 633
 634         extensions.write(DerValue.tag_Sequence, SANs);
 635     }
 636
 637     private static byte[] generateSAN(List<SubjectAlternateName> altnames) throws IOException {
 638         DerOutputStream SANContent = new DerOutputStream();
 639         for (SubjectAlternateName san : altnames) {
 640             byte type = 0;
 641             if (san.getType() == SANType.DNS) {
 642                 type = (byte) GeneralNameInterface.NAME_DNS;
 643             } else if (san.getType() == SANType.EMAIL) {
 644                 type = (byte) GeneralNameInterface.NAME_RFC822;
 645             } else {
 646                 SANContent.close();
 647                 throw new Error("" + san.getType());
 648             }
 649             SANContent.write(DerValue.createTag(DerValue.TAG_CONTEXT, false, type), san.getName().getBytes("UTF-8"));
 650         }
 651         DerOutputStream SANSeqContent = new DerOutputStream();
 652         SANSeqContent.write(DerValue.tag_Sequence, SANContent);
 653         byte[] byteArray = SANSeqContent.toByteArray();
 654         SANContent.close();
 655         SANSeqContent.close();
 656         return byteArray;
 657     }
 658 }