util-testing/org/cacert/gigi/util/SimpleSigner.java

   1 package org.cacert.gigi.util;
   2
   3 import java.io.File;
   4 import java.io.FileInputStream;
   5 import java.io.FileNotFoundException;
   6 import java.io.FileOutputStream;
   7 import java.io.IOException;
   8 import java.io.InputStream;
   9 import java.io.InputStreamReader;
  10 import java.io.PrintWriter;
  11 import java.io.Reader;
  12 import java.math.BigInteger;
  13 import java.nio.file.Paths;
  14 import java.security.GeneralSecurityException;
  15 import java.security.KeyFactory;
  16 import java.security.NoSuchAlgorithmException;
  17 import java.security.PrivateKey;
  18 import java.security.PublicKey;
  19 import java.security.Signature;
  20 import java.security.cert.CertificateFactory;
  21 import java.security.cert.X509Certificate;
  22 import java.security.spec.InvalidKeySpecException;
  23 import java.security.spec.PKCS8EncodedKeySpec;
  24 import java.sql.SQLException;
  25 import java.sql.Timestamp;
  26 import java.text.ParseException;
  27 import java.text.SimpleDateFormat;
  28 import java.util.Base64;
  29 import java.util.Calendar;
  30 import java.util.Date;
  31 import java.util.HashMap;
  32 import java.util.LinkedList;
  33 import java.util.List;
  34 import java.util.Map;
  35 import java.util.Map.Entry;
  36 import java.util.Properties;
  37 import java.util.TimeZone;
  38
  39 import javax.security.auth.x500.X500Principal;
  40
  41 import org.cacert.gigi.crypto.SPKAC;
  42 import org.cacert.gigi.database.DatabaseConnection;
  43 import org.cacert.gigi.database.DatabaseConnection.Link;
  44 import org.cacert.gigi.database.GigiPreparedStatement;
  45 import org.cacert.gigi.database.GigiResultSet;
  46 import org.cacert.gigi.dbObjects.Certificate.CSRType;
  47 import org.cacert.gigi.dbObjects.Certificate.SANType;
  48 import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
  49 import org.cacert.gigi.dbObjects.CertificateProfile;
  50 import org.cacert.gigi.dbObjects.Digest;
  51 import org.cacert.gigi.output.DateSelector;
  52
  53 import sun.security.pkcs10.PKCS10;
  54 import sun.security.util.DerOutputStream;
  55 import sun.security.util.DerValue;
  56 import sun.security.util.ObjectIdentifier;
  57 import sun.security.x509.AVA;
  58 import sun.security.x509.AlgorithmId;
  59 import sun.security.x509.GeneralNameInterface;
  60 import sun.security.x509.RDN;
  61 import sun.security.x509.X500Name;
  62
  63 public class SimpleSigner {
  64
  65     private static GigiPreparedStatement warnMail;
  66
  67     private static GigiPreparedStatement updateMail;
  68
  69     private static GigiPreparedStatement readyCerts;
  70
  71     private static GigiPreparedStatement getSANSs;
  72
  73     private static GigiPreparedStatement revoke;
  74
  75     private static GigiPreparedStatement revokeCompleted;
  76
  77     private static GigiPreparedStatement finishJob;
  78
  79     private static GigiPreparedStatement locateCA;
  80
  81     private static volatile boolean running = true;
  82
  83     private static Thread runner;
  84
  85     private static SimpleDateFormat sdf = new SimpleDateFormat("yyMMddHHmmss'Z'");
  86
  87     static {
  88         TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
  89         sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
  90     }
  91
  92     public static void main(String[] args) throws IOException, SQLException, InterruptedException {
  93         Properties p = new Properties();
  94         try (Reader reader = new InputStreamReader(new FileInputStream("config/gigi.properties"), "UTF-8")) {
  95             p.load(reader);
  96         }
  97         DatabaseConnection.init(p);
  98
  99         runSigner();
 100     }
 101
 102     public static void stopSigner() throws InterruptedException {
 103         Thread capturedRunner;
 104         synchronized (SimpleSigner.class) {
 105             if (runner == null) {
 106                 throw new IllegalStateException("already stopped");
 107             }
 108             capturedRunner = runner;
 109             running = false;
 110             SimpleSigner.class.notifyAll();
 111         }
 112         capturedRunner.join();
 113     }
 114
 115     public synchronized static void runSigner() throws SQLException, IOException, InterruptedException {
 116         if (runner != null) {
 117             throw new IllegalStateException("already running");
 118         }
 119         running = true;
 120
 121         runner = new Thread() {
 122
 123             @Override
 124             public void run() {
 125                 try (Link l = DatabaseConnection.newLink(false)) {
 126                     readyCerts = new GigiPreparedStatement("SELECT certs.id AS id, certs.csr_name, jobs.id AS jobid, csr_type, md, `executeFrom`, `executeTo`, profile FROM jobs " + //
 127                             "INNER JOIN certs ON certs.id=jobs.`targetId` " + //
 128                             "INNER JOIN profiles ON profiles.id=certs.profile " + //
 129                             "WHERE jobs.state='open' "//
 130                             + "AND task='sign'");
 131
 132                     getSANSs = new GigiPreparedStatement("SELECT contents, type FROM `subjectAlternativeNames` " + //
 133                             "WHERE `certId`=?");
 134
 135                     updateMail = new GigiPreparedStatement("UPDATE certs SET crt_name=?," + " created=NOW(), serial=?, caid=? WHERE id=?");
 136                     warnMail = new GigiPreparedStatement("UPDATE jobs SET warning=warning+1, state=IF(warning<3, 'open','error') WHERE id=?");
 137
 138                     revoke = new GigiPreparedStatement("SELECT certs.id, certs.csr_name,jobs.id FROM jobs INNER JOIN certs ON jobs.`targetId`=certs.id" + " WHERE jobs.state='open' AND task='revoke'");
 139                     revokeCompleted = new GigiPreparedStatement("UPDATE certs SET revoked=NOW() WHERE id=?");
 140
 141                     finishJob = new GigiPreparedStatement("UPDATE jobs SET state='done' WHERE id=?");
 142
 143                     locateCA = new GigiPreparedStatement("SELECT id FROM cacerts WHERE keyname=?");
 144
 145                     work();
 146                 } catch (InterruptedException e) {
 147                     throw new Error(e);
 148                 }
 149             }
 150
 151         };
 152         runner.start();
 153     }
 154
 155     public static void ping() {
 156         synchronized (SimpleSigner.class) {
 157             SimpleSigner.class.notifyAll();
 158             try {
 159                 SimpleSigner.class.wait(2000);
 160             } catch (InterruptedException e) {
 161                 e.printStackTrace();
 162             }
 163         }
 164     }
 165
 166     private synchronized static void work() {
 167         try {
 168             gencrl();
 169         } catch (IOException e2) {
 170             e2.printStackTrace();
 171         } catch (InterruptedException e2) {
 172             e2.printStackTrace();
 173         }
 174
 175         while (running) {
 176             try {
 177                 signCertificates();
 178                 revokeCertificates();
 179
 180                 SimpleSigner.class.notifyAll();
 181                 SimpleSigner.class.wait(5000);
 182             } catch (IOException e) {
 183                 e.printStackTrace();
 184             } catch (SQLException e) {
 185                 e.printStackTrace();
 186             } catch (InterruptedException e1) {
 187             }
 188         }
 189         runner = null;
 190     }
 191
 192     private static void revokeCertificates() throws SQLException, IOException, InterruptedException {
 193         GigiResultSet rs = revoke.executeQuery();
 194         boolean worked = false;
 195         while (rs.next()) {
 196             int id = rs.getInt(1);
 197             worked = true;
 198             System.out.println("Revoke faked: " + id);
 199             revokeCompleted.setInt(1, id);
 200             revokeCompleted.execute();
 201             finishJob.setInt(1, rs.getInt(3));
 202             finishJob.execute();
 203         }
 204         if (worked) {
 205             gencrl();
 206         }
 207     }
 208
 209     private static void gencrl() throws IOException, InterruptedException {
 210         if (true) {
 211             return;
 212         }
 213         String[] call = new String[] {
 214                 "openssl",
 215                 "ca",//
 216                 "-cert",
 217                 "../unassured.crt",//
 218                 "-keyfile",
 219                 "../unassured.key",//
 220                 "-gencrl",//
 221                 "-crlhours",//
 222                 "12",//
 223                 "-out",
 224                 "../unassured.crl",//
 225                 "-config",
 226                 "../selfsign.config"
 227
 228         };
 229         Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));
 230         if (p1.waitFor() != 0) {
 231             System.out.println("Error while generating crl.");
 232         }
 233     }
 234
 235     private static void signCertificates() throws SQLException {
 236         GigiResultSet rs = readyCerts.executeQuery();
 237
 238         Calendar c = Calendar.getInstance();
 239         c.setTimeZone(TimeZone.getTimeZone("UTC"));
 240         while (rs.next()) {
 241             String csrname = rs.getString("csr_name");
 242             int id = rs.getInt("id");
 243             System.out.println("sign: " + csrname);
 244             try {
 245                 String csrType = rs.getString("csr_type");
 246                 CSRType ct = CSRType.valueOf(csrType);
 247                 File crt = KeyStorage.locateCrt(id);
 248
 249                 Timestamp from = rs.getTimestamp("executeFrom");
 250                 String length = rs.getString("executeTo");
 251                 Date fromDate;
 252                 Date toDate;
 253                 if (from == null) {
 254                     fromDate = new Date(System.currentTimeMillis());
 255                 } else {
 256                     fromDate = new Date(from.getTime());
 257                 }
 258                 if (length.endsWith("m") || length.endsWith("y")) {
 259                     String num = length.substring(0, length.length() - 1);
 260                     int inter = Integer.parseInt(num);
 261                     c.setTime(fromDate);
 262                     if (length.endsWith("m")) {
 263                         c.add(Calendar.MONTH, inter);
 264                     } else {
 265                         c.add(Calendar.YEAR, inter);
 266                     }
 267                     toDate = c.getTime();
 268                 } else {
 269                     toDate = DateSelector.getDateFormat().parse(length);
 270                 }
 271
 272                 getSANSs.setInt(1, id);
 273                 GigiResultSet san = getSANSs.executeQuery();
 274
 275                 LinkedList<SubjectAlternateName> altnames = new LinkedList<>();
 276                 while (san.next()) {
 277                     altnames.add(new SubjectAlternateName(SANType.valueOf(san.getString("type").toUpperCase()), san.getString("contents")));
 278                 }
 279                 // TODO look them up!
 280                 // cfg.println("keyUsage=critical," +
 281                 // "digitalSignature, keyEncipherment, keyAgreement");
 282                 // cfg.println("extendedKeyUsage=critical," + "clientAuth");
 283                 // cfg.close();
 284
 285                 int profile = rs.getInt("profile");
 286                 CertificateProfile cp = CertificateProfile.getById(profile);
 287                 String s = cp.getId() + "";
 288                 while (s.length() < 4) {
 289                     s = "0" + s;
 290                 }
 291                 s += "-" + cp.getKeyName() + ".cfg";
 292                 Properties caP = new Properties();
 293                 try (FileInputStream inStream = new FileInputStream("signer/profiles/" + s)) {
 294                     caP.load(inStream);
 295                 }
 296
 297                 HashMap<String, String> subj = new HashMap<>();
 298                 try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT name, value FROM `certAvas` WHERE `certId`=?")) {
 299                     ps.setInt(1, rs.getInt("id"));
 300                     GigiResultSet rs2 = ps.executeQuery();
 301                     while (rs2.next()) {
 302                         String name = rs2.getString("name");
 303                         if (name.equals("EMAIL")) {
 304                             name = "emailAddress";
 305                         }
 306                         subj.put(name, rs2.getString("value"));
 307                     }
 308                 }
 309                 if (subj.size() == 0) {
 310                     subj.put("CN", "<empty>");
 311                     System.out.println("WARNING: DN was empty");
 312                 }
 313                 System.out.println(subj);
 314
 315                 PublicKey pk;
 316                 byte[] data = IOUtils.readURL(new FileInputStream(csrname));
 317                 if (ct == CSRType.SPKAC) {
 318                     String dt = new String(data, "UTF-8");
 319                     if (dt.startsWith("SPKAC=")) {
 320                         dt = dt.substring(6);
 321                         data = dt.getBytes("UTF-8");
 322                         System.out.println(dt);
 323                     }
 324                     SPKAC sp = new SPKAC(Base64.getDecoder().decode(data));
 325                     pk = sp.getPubkey();
 326                 } else {
 327                     PKCS10 p10 = new PKCS10(PEM.decode("(NEW )?CERTIFICATE REQUEST", new String(data, "UTF-8")));
 328                     pk = p10.getSubjectPublicKeyInfo();
 329                 }
 330                 String ca = caP.getProperty("ca") + "_2015_1";
 331                 File parent = new File("signer/ca");
 332                 for (File f : parent.listFiles()) {
 333                     if (f.getName().startsWith(caP.getProperty("ca"))) {
 334                         ca = f.getName();
 335                         break;
 336                     }
 337                 }
 338                 File caKey = new File(parent, ca + "/ca.key");
 339                 PrivateKey i = loadOpensslKey(caKey);
 340
 341                 X509Certificate root = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new FileInputStream("signer/ca/" + ca + "/ca.crt"));
 342                 byte[] cert = generateCert(pk, i, subj, root.getSubjectX500Principal(), altnames, fromDate, toDate, Digest.valueOf(rs.getString("md").toUpperCase()), caP.getProperty("eku"));
 343                 PrintWriter out = new PrintWriter(crt);
 344                 out.println("-----BEGIN CERTIFICATE-----");
 345                 out.println(Base64.getMimeEncoder().encodeToString(cert));
 346                 out.println("-----END CERTIFICATE-----");
 347                 out.close();
 348
 349                 try (InputStream is = new FileInputStream(crt)) {
 350                     locateCA.setString(1, ca);
 351                     GigiResultSet caRs = locateCA.executeQuery();
 352                     if ( !caRs.next()) {
 353                         throw new Error("ca " + ca + " was not found");
 354                     }
 355
 356                     CertificateFactory cf = CertificateFactory.getInstance("X.509");
 357                     X509Certificate crtp = (X509Certificate) cf.generateCertificate(is);
 358                     BigInteger serial = crtp.getSerialNumber();
 359                     updateMail.setString(1, crt.getPath());
 360                     updateMail.setString(2, serial.toString(16));
 361                     updateMail.setInt(3, caRs.getInt("id"));
 362                     updateMail.setInt(4, id);
 363                     updateMail.execute();
 364
 365                     finishJob.setInt(1, rs.getInt("jobid"));
 366                     finishJob.execute();
 367                     System.out.println("signed: " + id);
 368                     continue;
 369                 }
 370
 371             } catch (GeneralSecurityException e) {
 372                 e.printStackTrace();
 373             } catch (IOException e) {
 374                 e.printStackTrace();
 375             } catch (ParseException e) {
 376                 e.printStackTrace();
 377             }
 378             System.out.println("Error with: " + id);
 379             warnMail.setInt(1, rs.getInt("jobid"));
 380             warnMail.execute();
 381
 382         }
 383         rs.close();
 384     }
 385
 386     private static PrivateKey loadOpensslKey(File f) throws FileNotFoundException, IOException, InvalidKeySpecException, NoSuchAlgorithmException {
 387         byte[] p8b = PEM.decode("RSA PRIVATE KEY", new String(IOUtils.readURL(new FileInputStream(f))));
 388         DerOutputStream dos = new DerOutputStream();
 389         dos.putInteger(0);
 390         new AlgorithmId(new ObjectIdentifier(new int[] {
 391                 1, 2, 840, 113549, 1, 1, 1
 392         })).encode(dos);
 393         dos.putOctetString(p8b);
 394         byte[] ctx = dos.toByteArray();
 395         dos.reset();
 396         dos.write(DerValue.tag_Sequence, ctx);
 397         PKCS8EncodedKeySpec p8 = new PKCS8EncodedKeySpec(dos.toByteArray());
 398         PrivateKey i = KeyFactory.getInstance("RSA").generatePrivate(p8);
 399         return i;
 400     }
 401
 402     public static synchronized byte[] generateCert(PublicKey pk, PrivateKey prk, Map<String, String> subj, X500Principal issuer, List<SubjectAlternateName> altnames, Date fromDate, Date toDate, Digest digest, String eku) throws IOException, GeneralSecurityException {
 403         File f = Paths.get("signer", "serial").toFile();
 404         if ( !f.exists()) {
 405             try (FileOutputStream fos = new FileOutputStream(f)) {
 406                 fos.write("1".getBytes("UTF-8"));
 407             }
 408         }
 409         try (FileInputStream fr = new FileInputStream(f)) {
 410             byte[] serial = IOUtils.readURL(fr);
 411             BigInteger ser = new BigInteger(new String(serial).trim());
 412             ser = ser.add(BigInteger.ONE);
 413
 414             PrintWriter pw = new PrintWriter(f);
 415             pw.println(ser);
 416             pw.close();
 417             if (digest != Digest.SHA256 && digest != Digest.SHA512) {
 418                 System.err.println("assuming sha256 either way ;-): " + digest);
 419                 digest = Digest.SHA256;
 420             }
 421             ObjectIdentifier sha512withrsa = new ObjectIdentifier(new int[] {
 422                     1, 2, 840, 113549, 1, 1, digest == Digest.SHA256 ? 11 : 13
 423             });
 424             AlgorithmId aid = new AlgorithmId(sha512withrsa);
 425             Signature s = Signature.getInstance(digest == Digest.SHA256 ? "SHA256withRSA" : "SHA512withRSA");
 426
 427             DerOutputStream cert = new DerOutputStream();
 428             DerOutputStream content = new DerOutputStream();
 429             {
 430                 DerOutputStream version = new DerOutputStream();
 431                 version.putInteger(2); // v3
 432                 content.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0), version);
 433             }
 434             content.putInteger(ser); // Serial
 435             aid.encode(content);
 436
 437             {
 438                 content.write(issuer.getEncoded());
 439             }
 440             {
 441                 DerOutputStream notAround = new DerOutputStream();
 442                 notAround.putUTCTime(fromDate);
 443                 notAround.putUTCTime(toDate);
 444                 content.write(DerValue.tag_Sequence, notAround);
 445             }
 446             {
 447
 448                 X500Name xn = genX500Name(subj);
 449                 content.write(xn.getEncoded());
 450             }
 451             {
 452                 content.write(pk.getEncoded());
 453             }
 454             {
 455                 DerOutputStream extensions = new DerOutputStream();
 456                 {
 457                     addExtension(extensions, new ObjectIdentifier(new int[] {
 458                             2, 5, 29, 17
 459                     }), generateSAN(altnames));
 460                     addExtension(extensions, new ObjectIdentifier(new int[] {
 461                             2, 5, 29, 15
 462                     }), generateKU());
 463                     addExtension(extensions, new ObjectIdentifier(new int[] {
 464                             2, 5, 29, 37
 465                     }), generateEKU(eku));
 466                 }
 467                 DerOutputStream extensionsSeq = new DerOutputStream();
 468                 extensionsSeq.write(DerValue.tag_Sequence, extensions);
 469                 content.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 3), extensionsSeq);
 470             }
 471
 472             DerOutputStream contentSeq = new DerOutputStream();
 473
 474             contentSeq.write(DerValue.tag_Sequence, content.toByteArray());
 475
 476             s.initSign(prk);
 477             s.update(contentSeq.toByteArray());
 478
 479             aid.encode(contentSeq);
 480             contentSeq.putBitString(s.sign());
 481             cert.write(DerValue.tag_Sequence, contentSeq);
 482
 483             // X509Certificate c = (X509Certificate)
 484             // CertificateFactory.getInstance("X509").generateCertificate(new
 485             // ByteArrayInputStream(cert.toByteArray()));
 486             // c.verify(pk); only for self-signeds
 487
 488             byte[] res = cert.toByteArray();
 489             cert.close();
 490             return res;
 491         }
 492
 493     }
 494
 495     private static byte[] generateKU() throws IOException {
 496         try (DerOutputStream dos = new DerOutputStream()) {
 497             dos.putBitString(new byte[] {
 498                     (byte) 0b10101000
 499             });
 500             return dos.toByteArray();
 501         }
 502     }
 503
 504     private static byte[] generateEKU(String eku) throws IOException {
 505
 506         DerOutputStream dos = new DerOutputStream();
 507         for (String name : eku.split(",")) {
 508             ObjectIdentifier oid;
 509             switch (name) {
 510             case "serverAuth":
 511                 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.1");
 512                 break;
 513             case "clientAuth":
 514                 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.2");
 515                 break;
 516             case "codeSigning":
 517                 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.3");
 518                 break;
 519             case "emailProtection":
 520                 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.4");
 521                 break;
 522             case "OCSPSigning":
 523                 oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.9");
 524                 break;
 525
 526             default:
 527                 throw new Error(name);
 528             }
 529             dos.putOID(oid);
 530         }
 531         byte[] data = dos.toByteArray();
 532         dos.reset();
 533         dos.write(DerValue.tag_Sequence, data);
 534         return dos.toByteArray();
 535     }
 536
 537     public static X500Name genX500Name(Map<String, String> subj) throws IOException {
 538         LinkedList<RDN> rdns = new LinkedList<>();
 539         for (Entry<String, String> i : subj.entrySet()) {
 540             RDN rdn = genRDN(i);
 541             rdns.add(rdn);
 542         }
 543         return new X500Name(rdns.toArray(new RDN[rdns.size()]));
 544     }
 545
 546     private static RDN genRDN(Entry<String, String> i) throws IOException {
 547         DerOutputStream dos = new DerOutputStream();
 548         dos.putUTF8String(i.getValue());
 549         int[] oid;
 550         String key = i.getKey();
 551         switch (key) {
 552         case "CN":
 553             oid = new int[] {
 554                     2, 5, 4, 3
 555             };
 556             break;
 557         case "EMAIL":
 558         case "emailAddress":
 559             oid = new int[] {
 560                     1, 2, 840, 113549, 1, 9, 1
 561             };
 562             break;
 563         case "O":
 564             oid = new int[] {
 565                     2, 5, 4, 10
 566             };
 567             break;
 568         case "OU":
 569             oid = new int[] {
 570                     2, 5, 4, 11
 571             };
 572             break;
 573         case "ST":
 574             oid = new int[] {
 575                     2, 5, 4, 8
 576             };
 577             break;
 578         case "L":
 579             oid = new int[] {
 580                     2, 5, 4, 7
 581             };
 582             break;
 583         case "C":
 584             oid = new int[] {
 585                     2, 5, 4, 6
 586             };
 587             break;
 588         default:
 589             dos.close();
 590             throw new Error("unknown RDN-type: " + key);
 591         }
 592         RDN rdn = new RDN(new AVA(new ObjectIdentifier(oid), new DerValue(dos.toByteArray())));
 593         dos.close();
 594         return rdn;
 595     }
 596
 597     private static void addExtension(DerOutputStream extensions, ObjectIdentifier oid, byte[] extContent) throws IOException {
 598         DerOutputStream SANs = new DerOutputStream();
 599         SANs.putOID(oid);
 600         SANs.putOctetString(extContent);
 601
 602         extensions.write(DerValue.tag_Sequence, SANs);
 603     }
 604
 605     private static byte[] generateSAN(List<SubjectAlternateName> altnames) throws IOException {
 606         DerOutputStream SANContent = new DerOutputStream();
 607         for (SubjectAlternateName san : altnames) {
 608             byte type = 0;
 609             if (san.getType() == SANType.DNS) {
 610                 type = (byte) GeneralNameInterface.NAME_DNS;
 611             } else if (san.getType() == SANType.EMAIL) {
 612                 type = (byte) GeneralNameInterface.NAME_RFC822;
 613             } else {
 614                 SANContent.close();
 615                 throw new Error("" + san.getType());
 616             }
 617             SANContent.write(DerValue.createTag(DerValue.TAG_CONTEXT, false, type), san.getName().getBytes("UTF-8"));
 618         }
 619         DerOutputStream SANSeqContent = new DerOutputStream();
 620         SANSeqContent.write(DerValue.tag_Sequence, SANContent);
 621         byte[] byteArray = SANSeqContent.toByteArray();
 622         SANContent.close();
 623         SANSeqContent.close();
 624         return byteArray;
 625     }
 626 }