X-Git-Url: https://code.wpia.club/?p=gigi.git;a=blobdiff_plain;f=util-testing%2Forg%2Fcacert%2Fgigi%2Futil%2FSimpleSigner.java;h=1cc9e9eeae6e8e7851e540113a6cc1da1fda9ce8;hp=1c635c2e73a55082ea17124d3a8468293c3cb4ad;hb=19e3cf0a9d14c0a8658b7e9058ac6fbdf581a32e;hpb=9474df27407dd99134876f2c8a2a3b6e7d1fae6a

diff --git a/util-testing/org/cacert/gigi/util/SimpleSigner.java b/util-testing/org/cacert/gigi/util/SimpleSigner.java
index 1c635c2e..1cc9e9ee 100644
--- a/util-testing/org/cacert/gigi/util/SimpleSigner.java
+++ b/util-testing/org/cacert/gigi/util/SimpleSigner.java
@@ -1,34 +1,65 @@
 package org.cacert.gigi.util;
 
-import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.PrintWriter;
 import java.io.Reader;
 import java.math.BigInteger;
+import java.nio.file.Paths;
 import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
 import java.sql.SQLException;
 import java.sql.Timestamp;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
+import java.util.Base64;
 import java.util.Calendar;
 import java.util.Date;
 import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.TimeZone;
 
+import javax.security.auth.x500.X500Principal;
+
+import org.cacert.gigi.crypto.SPKAC;
 import org.cacert.gigi.database.DatabaseConnection;
+import org.cacert.gigi.database.DatabaseConnection.Link;
 import org.cacert.gigi.database.GigiPreparedStatement;
 import org.cacert.gigi.database.GigiResultSet;
-import org.cacert.gigi.dbObjects.Certificate;
 import org.cacert.gigi.dbObjects.Certificate.CSRType;
+import org.cacert.gigi.dbObjects.Certificate.SANType;
+import org.cacert.gigi.dbObjects.Certificate.SubjectAlternateName;
+import org.cacert.gigi.dbObjects.CertificateProfile;
+import org.cacert.gigi.dbObjects.Digest;
 import org.cacert.gigi.output.DateSelector;
 
+import sun.security.pkcs10.PKCS10;
+import sun.security.util.DerOutputStream;
+import sun.security.util.DerValue;
+import sun.security.util.ObjectIdentifier;
+import sun.security.x509.AVA;
+import sun.security.x509.AlgorithmId;
+import sun.security.x509.GeneralNameInterface;
+import sun.security.x509.RDN;
+import sun.security.x509.X500Name;
+
 public class SimpleSigner {
 
     private static GigiPreparedStatement warnMail;
@@ -45,7 +76,9 @@ public class SimpleSigner {
 
     private static GigiPreparedStatement finishJob;
 
-    private static boolean running = true;
+    private static GigiPreparedStatement locateCA;
+
+    private static volatile boolean running = true;
 
     private static Thread runner;
 
@@ -66,14 +99,17 @@ public class SimpleSigner {
         runSigner();
     }
 
-    public synchronized static void stopSigner() throws InterruptedException {
-        if (runner == null) {
-            throw new IllegalStateException("already stopped");
+    public static void stopSigner() throws InterruptedException {
+        Thread capturedRunner;
+        synchronized (SimpleSigner.class) {
+            if (runner == null) {
+                throw new IllegalStateException("already stopped");
+            }
+            capturedRunner = runner;
+            running = false;
+            SimpleSigner.class.notifyAll();
         }
-        running = false;
-        runner.interrupt();
-        runner.join();
-        runner = null;
+        capturedRunner.join();
     }
 
     public synchronized static void runSigner() throws SQLException, IOException, InterruptedException {
@@ -81,35 +117,53 @@ public class SimpleSigner {
             throw new IllegalStateException("already running");
         }
         running = true;
-        readyCerts = DatabaseConnection.getInstance().prepare("SELECT certs.id AS id, certs.csr_name, jobs.id AS jobid, csr_type, md, keyUsage, extendedKeyUsage, executeFrom, executeTo, rootcert FROM jobs " + //
-                "INNER JOIN certs ON certs.id=jobs.targetId " + //
-                "INNER JOIN profiles ON profiles.id=certs.profile " + //
-                "WHERE jobs.state='open' "//
-                + "AND task='sign'");
 
-        getSANSs = DatabaseConnection.getInstance().prepare("SELECT contents, type FROM subjectAlternativeNames " + //
-                "WHERE certId=?");
+        runner = new Thread() {
 
-        updateMail = DatabaseConnection.getInstance().prepare("UPDATE certs SET crt_name=?," + " created=NOW(), serial=? WHERE id=?");
-        warnMail = DatabaseConnection.getInstance().prepare("UPDATE jobs SET warning=warning+1, state=IF(warning<3, 'open','error') WHERE id=?");
+            @Override
+            public void run() {
+                try (Link l = DatabaseConnection.newLink(false)) {
+                    readyCerts = new GigiPreparedStatement("SELECT certs.id AS id, certs.csr_name, jobs.id AS jobid, csr_type, md, `executeFrom`, `executeTo`, profile FROM jobs " + //
+                            "INNER JOIN certs ON certs.id=jobs.`targetId` " + //
+                            "INNER JOIN profiles ON profiles.id=certs.profile " + //
+                            "WHERE jobs.state='open' "//
+                            + "AND task='sign'");
 
-        revoke = DatabaseConnection.getInstance().prepare("SELECT certs.id, certs.csr_name,jobs.id FROM jobs INNER JOIN certs ON jobs.targetId=certs.id" + " WHERE jobs.state='open' AND task='revoke'");
-        revokeCompleted = DatabaseConnection.getInstance().prepare("UPDATE certs SET revoked=NOW() WHERE id=?");
+                    getSANSs = new GigiPreparedStatement("SELECT contents, type FROM `subjectAlternativeNames` " + //
+                            "WHERE `certId`=?");
 
-        finishJob = DatabaseConnection.getInstance().prepare("UPDATE jobs SET state='done' WHERE id=?");
+                    updateMail = new GigiPreparedStatement("UPDATE certs SET crt_name=?," + " created=NOW(), serial=?, caid=? WHERE id=?");
+                    warnMail = new GigiPreparedStatement("UPDATE jobs SET warning=warning+1, state=IF(warning<3, 'open','error') WHERE id=?");
 
-        runner = new Thread() {
+                    revoke = new GigiPreparedStatement("SELECT certs.id, certs.csr_name,jobs.id FROM jobs INNER JOIN certs ON jobs.`targetId`=certs.id" + " WHERE jobs.state='open' AND task='revoke'");
+                    revokeCompleted = new GigiPreparedStatement("UPDATE certs SET revoked=NOW() WHERE id=?");
 
-            @Override
-            public void run() {
-                work();
+                    finishJob = new GigiPreparedStatement("UPDATE jobs SET state='done' WHERE id=?");
+
+                    locateCA = new GigiPreparedStatement("SELECT id FROM cacerts WHERE keyname=?");
+
+                    work();
+                } catch (InterruptedException e) {
+                    throw new Error(e);
+                }
             }
 
         };
         runner.start();
     }
 
-    private static void work() {
+    public static void ping() {
+        synchronized (SimpleSigner.class) {
+            SimpleSigner.class.notifyAll();
+            try {
+                SimpleSigner.class.wait(2000);
+            } catch (InterruptedException e) {
+                e.printStackTrace();
+            }
+        }
+    }
+
+    private synchronized static void work() {
         try {
             gencrl();
         } catch (IOException e2) {
@@ -117,11 +171,14 @@ public class SimpleSigner {
         } catch (InterruptedException e2) {
             e2.printStackTrace();
         }
+
         while (running) {
             try {
                 signCertificates();
                 revokeCertificates();
-                Thread.sleep(5000);
+
+                SimpleSigner.class.notifyAll();
+                SimpleSigner.class.wait(5000);
             } catch (IOException e) {
                 e.printStackTrace();
             } catch (SQLException e) {
@@ -129,6 +186,7 @@ public class SimpleSigner {
             } catch (InterruptedException e1) {
             }
         }
+        runner = null;
     }
 
     private static void revokeCertificates() throws SQLException, IOException, InterruptedException {
@@ -136,31 +194,12 @@ public class SimpleSigner {
         boolean worked = false;
         while (rs.next()) {
             int id = rs.getInt(1);
-            File crt = KeyStorage.locateCrt(id);
-            String[] call = new String[] {
-                    "openssl", "ca",//
-                    "-cert",
-                    "../unassured.crt",//
-                    "-keyfile",
-                    "../unassured.key",//
-                    "-revoke",
-                    "../../" + crt.getPath(),//
-                    "-batch",//
-                    "-config",
-                    "../selfsign.config"
-
-            };
-            Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));
-            System.out.println("revoking: " + crt.getPath());
-            if (p1.waitFor() == 0) {
-                worked = true;
-                revokeCompleted.setInt(1, id);
-                revokeCompleted.execute();
-                finishJob.setInt(1, rs.getInt(3));
-                finishJob.execute();
-            } else {
-                System.out.println("Failed");
-            }
+            worked = true;
+            System.out.println("Revoke faked: " + id);
+            revokeCompleted.setInt(1, id);
+            revokeCompleted.execute();
+            finishJob.setInt(1, rs.getInt(3));
+            finishJob.execute();
         }
         if (worked) {
             gencrl();
@@ -168,8 +207,12 @@ public class SimpleSigner {
     }
 
     private static void gencrl() throws IOException, InterruptedException {
+        if (true) {
+            return;
+        }
         String[] call = new String[] {
-                "openssl", "ca",//
+                "openssl",
+                "ca",//
                 "-cert",
                 "../unassured.crt",//
                 "-keyfile",
@@ -189,14 +232,11 @@ public class SimpleSigner {
         }
     }
 
-    private static int counter = 0;
-
     private static void signCertificates() throws SQLException {
         GigiResultSet rs = readyCerts.executeQuery();
 
         Calendar c = Calendar.getInstance();
         c.setTimeZone(TimeZone.getTimeZone("UTC"));
-
         while (rs.next()) {
             String csrname = rs.getString("csr_name");
             int id = rs.getInt("id");
@@ -206,9 +246,6 @@ public class SimpleSigner {
                 CSRType ct = CSRType.valueOf(csrType);
                 File crt = KeyStorage.locateCrt(id);
 
-                String keyUsage = rs.getString("keyUsage");
-                String ekeyUsage = rs.getString("extendedKeyUsage");
-
                 Timestamp from = rs.getTimestamp("executeFrom");
                 String length = rs.getString("executeTo");
                 Date fromDate;
@@ -235,107 +272,112 @@ public class SimpleSigner {
                 getSANSs.setInt(1, id);
                 GigiResultSet san = getSANSs.executeQuery();
 
-                File f = new File("keys", "SANFile" + System.currentTimeMillis() + (counter++) + ".cfg");
-                PrintWriter cfg = new PrintWriter(f);
-                boolean first = true;
+                LinkedList<SubjectAlternateName> altnames = new LinkedList<>();
                 while (san.next()) {
-                    if ( !first) {
-                        cfg.print(", ");
-                    } else {
-                        cfg.print("subjectAltName=");
-                    }
-                    first = false;
-                    cfg.print(san.getString("type"));
-                    cfg.print(":");
-                    cfg.print(san.getString("contents"));
+                    altnames.add(new SubjectAlternateName(SANType.valueOf(san.getString("type").toUpperCase()), san.getString("contents")));
+                }
+                // TODO look them up!
+                // cfg.println("keyUsage=critical," +
+                // "digitalSignature, keyEncipherment, keyAgreement");
+                // cfg.println("extendedKeyUsage=critical," + "clientAuth");
+                // cfg.close();
+
+                int profile = rs.getInt("profile");
+                CertificateProfile cp = CertificateProfile.getById(profile);
+                String s = cp.getId() + "";
+                while (s.length() < 4) {
+                    s = "0" + s;
                 }
-                cfg.println();
-                cfg.println("keyUsage=critical," + keyUsage);
-                cfg.println("extendedKeyUsage=critical," + ekeyUsage);
-                cfg.close();
-
-                int rootcert = rs.getInt("rootcert");
-                String ca = "unassured";
-                if (rootcert == 0) {
-                    ca = "unassured";
-                } else if (rootcert == 1) {
-                    ca = "assured";
+                s += "-" + cp.getKeyName() + ".cfg";
+                Properties caP = new Properties();
+                try (FileInputStream inStream = new FileInputStream("signer/profiles/" + s)) {
+                    caP.load(inStream);
                 }
+
                 HashMap<String, String> subj = new HashMap<>();
-                GigiPreparedStatement ps = DatabaseConnection.getInstance().prepare("SELECT name, value FROM certAvas WHERE certId=?");
-                ps.setInt(1, rs.getInt("id"));
-                GigiResultSet rs2 = ps.executeQuery();
-                while (rs2.next()) {
-                    subj.put(rs2.getString("name"), rs2.getString("value"));
+                try (GigiPreparedStatement ps = new GigiPreparedStatement("SELECT name, value FROM `certAvas` WHERE `certId`=?")) {
+                    ps.setInt(1, rs.getInt("id"));
+                    GigiResultSet rs2 = ps.executeQuery();
+                    while (rs2.next()) {
+                        String name = rs2.getString("name");
+                        if (name.equals("EMAIL")) {
+                            name = "emailAddress";
+                        }
+                        subj.put(name, rs2.getString("value"));
+                    }
                 }
                 if (subj.size() == 0) {
                     subj.put("CN", "<empty>");
                     System.out.println("WARNING: DN was empty");
                 }
-                String[] call = new String[] {
-                        "openssl", "ca",//
-                        "-in",
-                        "../../" + csrname,//
-                        "-cert",
-                        "../" + ca + ".crt",//
-                        "-keyfile",
-                        "../" + ca + ".key",//
-                        "-out",
-                        "../../" + crt.getPath(),//
-                        "-utf8",
-                        "-startdate",
-                        sdf.format(fromDate),//
-                        "-enddate",
-                        sdf.format(toDate),//
-                        "-batch",//
-                        "-md",
-                        rs.getString("md"),//
-                        "-extfile",
-                        "../" + f.getName(),//
-
-                        "-subj",
-                        Certificate.stringifyDN(subj),//
-                        "-config",
-                        "../selfsign.config"//
-
-                };
+                System.out.println(subj);
+
+                PublicKey pk;
+                byte[] data = IOUtils.readURL(new FileInputStream(csrname));
                 if (ct == CSRType.SPKAC) {
-                    call[2] = "-spkac";
-                }
-                Process p1 = Runtime.getRuntime().exec(call, null, new File("keys/unassured.ca"));
-
-                int waitFor = p1.waitFor();
-                f.delete();
-                if (waitFor == 0) {
-                    try (InputStream is = new FileInputStream(crt)) {
-                        CertificateFactory cf = CertificateFactory.getInstance("X.509");
-                        X509Certificate crtp = (X509Certificate) cf.generateCertificate(is);
-                        BigInteger serial = crtp.getSerialNumber();
-                        updateMail.setString(1, crt.getPath());
-                        updateMail.setString(2, serial.toString(16));
-                        updateMail.setInt(3, id);
-                        updateMail.execute();
-
-                        finishJob.setInt(1, rs.getInt("jobid"));
-                        finishJob.execute();
-                        System.out.println("signed: " + id);
-                        continue;
+                    String dt = new String(data, "UTF-8");
+                    if (dt.startsWith("SPKAC=")) {
+                        dt = dt.substring(6);
+                        data = dt.getBytes("UTF-8");
+                        System.out.println(dt);
                     }
+                    SPKAC sp = new SPKAC(Base64.getDecoder().decode(data));
+                    pk = sp.getPubkey();
                 } else {
-                    BufferedReader br = new BufferedReader(new InputStreamReader(p1.getErrorStream(), "UTF-8"));
-                    String s;
-                    while ((s = br.readLine()) != null) {
-                        System.out.println(s);
+                    PKCS10 p10 = new PKCS10(PEM.decode("(NEW )?CERTIFICATE REQUEST", new String(data, "UTF-8")));
+                    pk = p10.getSubjectPublicKeyInfo();
+                }
+                String ca = caP.getProperty("ca") + "_2015_1";
+                File parent = new File("signer/ca");
+                File[] caFiles = parent.listFiles();
+                if (null == caFiles) {
+                    caFiles = new File[0];
+                }
+                for (File f : caFiles) {
+                    if (f.getName().startsWith(caP.getProperty("ca"))) {
+                        ca = f.getName();
+                        break;
                     }
                 }
+                File caKey = new File(parent, ca + "/ca.key");
+                PrivateKey i = loadOpensslKey(caKey);
+
+                X509Certificate root = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(new FileInputStream("signer/ca/" + ca + "/ca.crt"));
+                byte[] cert = generateCert(pk, i, subj, root.getSubjectX500Principal(), altnames, fromDate, toDate, Digest.valueOf(rs.getString("md").toUpperCase()), caP.getProperty("eku"));
+                PrintWriter out = new PrintWriter(crt);
+                out.println("-----BEGIN CERTIFICATE-----");
+                out.println(Base64.getMimeEncoder().encodeToString(cert));
+                out.println("-----END CERTIFICATE-----");
+                out.close();
+
+                try (InputStream is = new FileInputStream(crt)) {
+                    locateCA.setString(1, ca);
+                    GigiResultSet caRs = locateCA.executeQuery();
+                    if ( !caRs.next()) {
+                        throw new Error("ca " + ca + " was not found");
+                    }
+
+                    CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                    X509Certificate crtp = (X509Certificate) cf.generateCertificate(is);
+                    BigInteger serial = crtp.getSerialNumber();
+                    updateMail.setString(1, crt.getPath());
+                    updateMail.setString(2, serial.toString(16));
+                    updateMail.setInt(3, caRs.getInt("id"));
+                    updateMail.setInt(4, id);
+                    updateMail.execute();
+
+                    finishJob.setInt(1, rs.getInt("jobid"));
+                    finishJob.execute();
+                    System.out.println("signed: " + id);
+                    continue;
+                }
+
             } catch (GeneralSecurityException e) {
                 e.printStackTrace();
             } catch (IOException e) {
                 e.printStackTrace();
             } catch (ParseException e) {
                 e.printStackTrace();
-            } catch (InterruptedException e1) {
-                e1.printStackTrace();
             }
             System.out.println("Error with: " + id);
             warnMail.setInt(1, rs.getInt("jobid"));
@@ -344,4 +386,245 @@ public class SimpleSigner {
         }
         rs.close();
     }
+
+    private static PrivateKey loadOpensslKey(File f) throws FileNotFoundException, IOException, InvalidKeySpecException, NoSuchAlgorithmException {
+        byte[] p8b = PEM.decode("RSA PRIVATE KEY", new String(IOUtils.readURL(new FileInputStream(f))));
+        DerOutputStream dos = new DerOutputStream();
+        dos.putInteger(0);
+        new AlgorithmId(new ObjectIdentifier(new int[] {
+                1, 2, 840, 113549, 1, 1, 1
+        })).encode(dos);
+        dos.putOctetString(p8b);
+        byte[] ctx = dos.toByteArray();
+        dos.reset();
+        dos.write(DerValue.tag_Sequence, ctx);
+        PKCS8EncodedKeySpec p8 = new PKCS8EncodedKeySpec(dos.toByteArray());
+        PrivateKey i = KeyFactory.getInstance("RSA").generatePrivate(p8);
+        return i;
+    }
+
+    public static synchronized byte[] generateCert(PublicKey pk, PrivateKey prk, Map<String, String> subj, X500Principal issuer, List<SubjectAlternateName> altnames, Date fromDate, Date toDate, Digest digest, String eku) throws IOException, GeneralSecurityException {
+        File f = Paths.get("signer", "serial").toFile();
+        if ( !f.exists()) {
+            try (FileOutputStream fos = new FileOutputStream(f)) {
+                fos.write("1".getBytes("UTF-8"));
+            }
+        }
+        try (FileInputStream fr = new FileInputStream(f)) {
+            byte[] serial = IOUtils.readURL(fr);
+            BigInteger ser = new BigInteger(new String(serial).trim());
+            ser = ser.add(BigInteger.ONE);
+
+            PrintWriter pw = new PrintWriter(f);
+            pw.println(ser);
+            pw.close();
+            if (digest != Digest.SHA256 && digest != Digest.SHA512) {
+                System.err.println("assuming sha256 either way ;-): " + digest);
+                digest = Digest.SHA256;
+            }
+            ObjectIdentifier sha512withrsa = new ObjectIdentifier(new int[] {
+                    1, 2, 840, 113549, 1, 1, digest == Digest.SHA256 ? 11 : 13
+            });
+            AlgorithmId aid = new AlgorithmId(sha512withrsa);
+            Signature s = Signature.getInstance(digest == Digest.SHA256 ? "SHA256withRSA" : "SHA512withRSA");
+
+            DerOutputStream cert = new DerOutputStream();
+            DerOutputStream content = new DerOutputStream();
+            {
+                DerOutputStream version = new DerOutputStream();
+                version.putInteger(2); // v3
+                content.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0), version);
+            }
+            content.putInteger(ser); // Serial
+            aid.encode(content);
+
+            {
+                content.write(issuer.getEncoded());
+            }
+            {
+                DerOutputStream notAround = new DerOutputStream();
+                notAround.putUTCTime(fromDate);
+                notAround.putUTCTime(toDate);
+                content.write(DerValue.tag_Sequence, notAround);
+            }
+            {
+
+                X500Name xn = genX500Name(subj);
+                content.write(xn.getEncoded());
+            }
+            {
+                content.write(pk.getEncoded());
+            }
+            {
+                DerOutputStream extensions = new DerOutputStream();
+                {
+                    addExtension(extensions, new ObjectIdentifier(new int[] {
+                            2, 5, 29, 17
+                    }), generateSAN(altnames));
+                    addExtension(extensions, new ObjectIdentifier(new int[] {
+                            2, 5, 29, 15
+                    }), generateKU());
+                    addExtension(extensions, new ObjectIdentifier(new int[] {
+                            2, 5, 29, 37
+                    }), generateEKU(eku));
+                }
+                DerOutputStream extensionsSeq = new DerOutputStream();
+                extensionsSeq.write(DerValue.tag_Sequence, extensions);
+                content.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 3), extensionsSeq);
+            }
+
+            DerOutputStream contentSeq = new DerOutputStream();
+
+            contentSeq.write(DerValue.tag_Sequence, content.toByteArray());
+
+            s.initSign(prk);
+            s.update(contentSeq.toByteArray());
+
+            aid.encode(contentSeq);
+            contentSeq.putBitString(s.sign());
+            cert.write(DerValue.tag_Sequence, contentSeq);
+
+            // X509Certificate c = (X509Certificate)
+            // CertificateFactory.getInstance("X509").generateCertificate(new
+            // ByteArrayInputStream(cert.toByteArray()));
+            // c.verify(pk); only for self-signeds
+
+            byte[] res = cert.toByteArray();
+            cert.close();
+            return res;
+        }
+
+    }
+
+    private static byte[] generateKU() throws IOException {
+        try (DerOutputStream dos = new DerOutputStream()) {
+            dos.putBitString(new byte[] {
+                    (byte) 0b10101000
+            });
+            return dos.toByteArray();
+        }
+    }
+
+    private static byte[] generateEKU(String eku) throws IOException {
+
+        DerOutputStream dos = new DerOutputStream();
+        for (String name : eku.split(",")) {
+            ObjectIdentifier oid;
+            switch (name) {
+            case "serverAuth":
+                oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.1");
+                break;
+            case "clientAuth":
+                oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.2");
+                break;
+            case "codeSigning":
+                oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.3");
+                break;
+            case "emailProtection":
+                oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.4");
+                break;
+            case "OCSPSigning":
+                oid = new ObjectIdentifier("1.3.6.1.5.5.7.3.9");
+                break;
+
+            default:
+                throw new Error(name);
+            }
+            dos.putOID(oid);
+        }
+        byte[] data = dos.toByteArray();
+        dos.reset();
+        dos.write(DerValue.tag_Sequence, data);
+        return dos.toByteArray();
+    }
+
+    public static X500Name genX500Name(Map<String, String> subj) throws IOException {
+        LinkedList<RDN> rdns = new LinkedList<>();
+        for (Entry<String, String> i : subj.entrySet()) {
+            RDN rdn = genRDN(i);
+            rdns.add(rdn);
+        }
+        return new X500Name(rdns.toArray(new RDN[rdns.size()]));
+    }
+
+    private static RDN genRDN(Entry<String, String> i) throws IOException {
+        DerOutputStream dos = new DerOutputStream();
+        dos.putUTF8String(i.getValue());
+        int[] oid;
+        String key = i.getKey();
+        switch (key) {
+        case "CN":
+            oid = new int[] {
+                    2, 5, 4, 3
+            };
+            break;
+        case "EMAIL":
+        case "emailAddress":
+            oid = new int[] {
+                    1, 2, 840, 113549, 1, 9, 1
+            };
+            break;
+        case "O":
+            oid = new int[] {
+                    2, 5, 4, 10
+            };
+            break;
+        case "OU":
+            oid = new int[] {
+                    2, 5, 4, 11
+            };
+            break;
+        case "ST":
+            oid = new int[] {
+                    2, 5, 4, 8
+            };
+            break;
+        case "L":
+            oid = new int[] {
+                    2, 5, 4, 7
+            };
+            break;
+        case "C":
+            oid = new int[] {
+                    2, 5, 4, 6
+            };
+            break;
+        default:
+            dos.close();
+            throw new Error("unknown RDN-type: " + key);
+        }
+        RDN rdn = new RDN(new AVA(new ObjectIdentifier(oid), new DerValue(dos.toByteArray())));
+        dos.close();
+        return rdn;
+    }
+
+    private static void addExtension(DerOutputStream extensions, ObjectIdentifier oid, byte[] extContent) throws IOException {
+        DerOutputStream SANs = new DerOutputStream();
+        SANs.putOID(oid);
+        SANs.putOctetString(extContent);
+
+        extensions.write(DerValue.tag_Sequence, SANs);
+    }
+
+    private static byte[] generateSAN(List<SubjectAlternateName> altnames) throws IOException {
+        DerOutputStream SANContent = new DerOutputStream();
+        for (SubjectAlternateName san : altnames) {
+            byte type = 0;
+            if (san.getType() == SANType.DNS) {
+                type = (byte) GeneralNameInterface.NAME_DNS;
+            } else if (san.getType() == SANType.EMAIL) {
+                type = (byte) GeneralNameInterface.NAME_RFC822;
+            } else {
+                SANContent.close();
+                throw new Error("" + san.getType());
+            }
+            SANContent.write(DerValue.createTag(DerValue.TAG_CONTEXT, false, type), san.getName().getBytes("UTF-8"));
+        }
+        DerOutputStream SANSeqContent = new DerOutputStream();
+        SANSeqContent.write(DerValue.tag_Sequence, SANContent);
+        byte[] byteArray = SANSeqContent.toByteArray();
+        SANContent.close();
+        SANSeqContent.close();
+        return byteArray;
+    }
 }