From bblf...@apache.org
Subject svn commit: r1089650 - in /incubator/clerezza/trunk/parent: platform.accountcontrolpanel/platform.accountcontrolpanel.core/src/main/scala/org/apache/clerezza/platform/accountcontrolpanel/ ssl.keygen/base/src/main/java/org/apache/clerezza/ssl/keygen/ ss...
Date Wed, 06 Apr 2011 22:21:46 GMT
Author: bblfish
Date: Wed Apr  6 22:21:46 2011
New Revision: 1089650

URL: http://svn.apache.org/viewvc?rev=1089650&view=rev
Log:
CLEREZZA-487: "deal with Certificates that contain mailto and other URIs in SAN field". The
first thing is to make it easy to create certificates with mailtos in the URL field, in order
to then be able to test the behavior.

Modified:
    incubator/clerezza/trunk/parent/platform.accountcontrolpanel/platform.accountcontrolpanel.core/src/main/scala/org/apache/clerezza/platform/accountcontrolpanel/ProfilePanel.scala
    incubator/clerezza/trunk/parent/ssl.keygen/base/src/main/java/org/apache/clerezza/ssl/keygen/Certificate.java
    incubator/clerezza/trunk/parent/ssl.keygen/base/src/main/java/org/apache/clerezza/ssl/keygen/bouncy/DefaultCertificate.java
    incubator/clerezza/trunk/parent/ssl.keygen/base/src/test/java/org/apache/clerezza/ssl/keygen/bouncy/CertificateServiceTest.java
    incubator/clerezza/trunk/parent/ssl.keygen/samplewebapp/src/main/java/org/apache/clerezza/ssl/keygen/webapp/MiniCaServlet.java

Modified: incubator/clerezza/trunk/parent/platform.accountcontrolpanel/platform.accountcontrolpanel.core/src/main/scala/org/apache/clerezza/platform/accountcontrolpanel/ProfilePanel.scala
URL: http://svn.apache.org/viewvc/incubator/clerezza/trunk/parent/platform.accountcontrolpanel/platform.accountcontrolpanel.core/src/main/scala/org/apache/clerezza/platform/accountcontrolpanel/ProfilePanel.scala?rev=1089650&r1=1089649&r2=1089650&view=diff
==============================================================================
--- incubator/clerezza/trunk/parent/platform.accountcontrolpanel/platform.accountcontrolpanel.core/src/main/scala/org/apache/clerezza/platform/accountcontrolpanel/ProfilePanel.scala
(original)
+++ incubator/clerezza/trunk/parent/platform.accountcontrolpanel/platform.accountcontrolpanel.core/src/main/scala/org/apache/clerezza/platform/accountcontrolpanel/ProfilePanel.scala
Wed Apr  6 22:21:46 2011
@@ -30,7 +30,6 @@ import org.apache.clerezza.jaxrs.utils.R
 import org.apache.clerezza.jaxrs.utils.TrailingSlash
 import org.apache.clerezza.platform.accountcontrolpanel.ontologies.CONTROLPANEL
 import org.apache.clerezza.platform.config.PlatformConfig
-import org.apache.clerezza.platform.typerendering.RenderletManager
 import org.apache.clerezza.platform.usermanager.UserManager
 import org.apache.clerezza.rdf.core._
 import org.apache.clerezza.rdf.core.impl.SimpleMGraph
@@ -56,6 +55,7 @@ import java.security.interfaces.RSAPubli
 import org.apache.clerezza.rdf.ontologies.RDFS
 import org.apache.clerezza.ssl.keygen.KeygenService
 import org.apache.clerezza.platform.users.WebIdGraphsService
+import java.net.URI
 
 object ProfilePanel {
 	private val logger: Logger = LoggerFactory.getLogger(classOf[ProfilePanel])
@@ -75,7 +75,7 @@ class ProfilePanel {
 
 	@GET
 	def getPersonalProfilePage(@Context uriInfo: UriInfo,
-										@PathParam(value = "id") userName: String): GraphNode = {
+	                           @PathParam(value = "id") userName: String): GraphNode = {
 		TrailingSlash.enforceNotPresent(uriInfo)
 		var resultNode: GraphNode = getPersonalProfile(userName, new UriRef(uriInfo.getAbsolutePath.toString))
 		resultNode.addProperty(RDF.`type`, PLATFORM.HeadedPage)
@@ -84,7 +84,7 @@ class ProfilePanel {
 	}
 
 	private def getPersonalProfile(userName: String,
-											 profile: UriRef): GraphNode = {
+	                               profile: UriRef): GraphNode = {
 		return AccessController.doPrivileged(new PrivilegedAction[GraphNode] {
 			def run: GraphNode = {
 				var userInSystemGraph: GraphNode = userManager.getUserInSystemGraph(userName)
@@ -135,8 +135,8 @@ class ProfilePanel {
 	@POST
 	@Path("set-existing-webid")
 	def setExistingWebId(@Context uriInfo: UriInfo,
-								@FormParam("webid") webId: UriRef,
-								@PathParam(value = "id") userName: String): Response = {
+	                     @FormParam("webid") webId: UriRef,
+	                     @PathParam(value = "id") userName: String): Response = {
 		return AccessController.doPrivileged(new PrivilegedAction[Response] {
 			def run: Response = {
 				var userInSystemGraph: GraphNode = userManager.getUserInSystemGraph(userName)
@@ -149,14 +149,14 @@ class ProfilePanel {
 	@POST
 	@Path("create-new-web-id")
 	def createNewWebId(@Context uriInfo: UriInfo,
-							 @PathParam(value = "id") userName: String): Response = {
+	                   @PathParam(value = "id") userName: String): Response = {
 		val ppd: UriRef = getSuggestedPPDUri(userName)
 		val webId: UriRef = new UriRef(ppd.getUnicodeString + "#me")
 		val webIDInfo = webIdGraphsService.getWebIDInfo(webId)
 		webIDInfo.localGraph.addAll(
 			Arrays.asList(
-			new TripleImpl(ppd, RDF.`type`, FOAF.PersonalProfileDocument),
-			new TripleImpl(ppd, FOAF.primaryTopic, webId))
+				new TripleImpl(ppd, RDF.`type`, FOAF.PersonalProfileDocument),
+				new TripleImpl(ppd, FOAF.primaryTopic, webId))
 		)
 		return AccessController.doPrivileged(new PrivilegedAction[Response] {
 			def run: Response = {
@@ -170,9 +170,9 @@ class ProfilePanel {
 	@POST
 	@Path("addContact")
 	def addContact(@Context uriInfo: UriInfo,
-						@FormParam("webId") newContacts: java.util.List[UriRef]): Response = {
+	               @FormParam("webId") newContacts: java.util.List[UriRef]): Response = {
 		import collection.JavaConversions._
-		if (newContacts.size >0) {
+		if (newContacts.size > 0) {
 			val userName: String = UserUtil.getCurrentUserName
 			var me: GraphNode = AccessController.doPrivileged(new PrivilegedAction[GraphNode] {
 				def run: GraphNode = {
@@ -188,24 +188,27 @@ class ProfilePanel {
 		return RedirectUtil.createSeeOtherResponse("../profile", uriInfo)
 	}
 
-
+	/**
+	 * @parm webId: A list of WebIDs to be added as Subject Alternative Names
+	 * @param cn Common Name, the name that usually appears in the certificate selection box
+	 * @param spkac key request in format generated by  Netscape, Safari, Opera
+	 * @param crmf hey request in format generated by M$ Explorer
+	 * @param csr key request as generated by Javascript of Netscape
+	 * @param hours the certificate should last  (hours and days add up)
+	 * @param days the certificate should last
+	 * @param comment a comment to be attached to the public key in the database
+	 */
 	@POST
 	@Path("keygen")
-	def createCert(@FormParam("webId") webId: UriRef,
-						@FormParam("cn") commonName: String,
-						@FormParam("spkac") spkac: String,
-						@FormParam("crmf") crmf: String,
-						@FormParam("hours") hours: String,
-						@FormParam("days") days: String,
-						@FormParam("csr") csr: String,
-						@FormParam("comment") comment: String): Response = {
-		logger.info("in keygen code. webId={}", webId)
-		logger.info("cn={}", commonName)
-		logger.info("hours={}", hours)
-		logger.info("days={}", days)
-		logger.info("spkac={}", spkac)
-		logger.info("crmf={}", crmf)
-		logger.info("csr={}", csr)
+	def createCert(@FormParam("webId") webIds: java.util.List[URI],
+	               @FormParam("cn") commonName: String,
+	               @FormParam("spkac") spkac: String,
+	               @FormParam("crmf") crmf: String,
+	               @FormParam("csr") csr: String,
+	               @FormParam("hours") hours: String,
+	               @FormParam("days") days: String,
+	               @FormParam("comment") comment: String): Response = {
+		import scala.collection.JavaConversions._
 		var cert: Certificate = null
 		if (spkac != null && spkac.length > 0) {
 			cert = keygenSrvc.createFromSpkac(spkac)
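Review bot: The new Scaladoc on createCert does not match the signature it documents: `@parm webId` should be `@param webIds` (the parameter is now the list `webIds`), and `@param crmf hey request` should read `key request`. A one-line summary before the tags, e.g. `Issues a client certificate for the submitted key request and records its public key against each local WebID in the list.`, would let a reader see the method's purpose without reconstructing it from the tags. The body of createCert continues past this hunk.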
@@ -232,7 +235,9 @@ class ProfilePanel {
 		cert.addDurationInHours(hours)
 		cert.addDurationInDays(days)
 		cert.startEarlier("2")
-		cert.setSubjectWebID(webId.getUnicodeString)
+		for(san: URI<-webIds) {
+		  cert.addSubjectAlternativeName(san.toString)
+		}
 		var ser: CertSerialisation = null
 		try {
 			ser = cert.getSerialisation
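Review bot: The loop `for(san: URI<-webIds)` puts every submitted URI into the certificate unfiltered, while the publication loop in the next hunk (the guards `webid.getScheme=="https"||webid.getScheme=="http"` and `webIdInfo.isLocal`) records the key only for local http(s) WebIDs. A request whose list contains no such entry therefore still yields a signed certificate whose public key is published nowhere and whose SANs nothing on this server vouches for; the request should be rejected when no SAN passes that filter, and mailto or other entries accepted only alongside at least one local WebID. Computing the filtered set once and driving both loops from it would keep the two from drifting apart. createCert starts and ends outside this hunk.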
@@ -245,16 +250,23 @@ class ProfilePanel {
 		var pubKey: RSAPublicKey = cert.getSubjectPublicKey.getPublicKey.asInstanceOf[RSAPublicKey]
 		var publicExponent: BigInteger = pubKey.getPublicExponent
 		var modulus: BigInteger = pubKey.getModulus
-		val webIdInfo: WebIdGraphsService#WebIDInfo = webIdGraphsService.getWebIDInfo(webId)
-		val certNode: GraphNode = new GraphNode(new BNode, webIdInfo.localGraph)
-		certNode.addProperty(RDF.`type`, RSA.RSAPublicKey)
-		certNode.addProperty(CERT.identity, webId)
-		certNode.addPropertyValue(RSA.modulus, modulus)
-		certNode.addPropertyValue(RSA.public_exponent, publicExponent)
-		if (comment != null && comment.length > 0) {
-			certNode.addPropertyValue(RDFS.comment, comment)
+
+		for (webid: URI<-webIds
+		     if (webid.getScheme=="https"||webid.getScheme=="http");
+	  		  val webidRef = new UriRef(webid.toString);
+		     val webIdInfo = webIdGraphsService.getWebIDInfo(webidRef);
+		     if (webIdInfo.isLocal)
+		) {
+			val certNode: GraphNode = new GraphNode(new BNode, webIdInfo.localGraph)
+			certNode.addProperty(RDF.`type`, RSA.RSAPublicKey)
+			certNode.addProperty(CERT.identity, webidRef)
+			certNode.addPropertyValue(RSA.modulus, modulus)
+			certNode.addPropertyValue(RSA.public_exponent, publicExponent)
+			if (comment != null && comment.length > 0) {
+				certNode.addPropertyValue(RDFS.comment, comment)
+			}
+			certNode.addPropertyValue(DC.date, cert.getStartDate)
 		}
-		certNode.addPropertyValue(DC.date, cert.getStartDate)
 		var resBuild: Response.ResponseBuilder = Response.ok(ser.getContent, MediaType.valueOf(ser.getMimeType))
 		return resBuild.build
 	}
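Review bot: The generator block of the new `for (webid: URI<-webIds ... )` mixes tabs and spaces (the `val webidRef` line is indented differently from its neighbours), which makes the guard/binding sequence hard to read; aligning the `if` guards and `val` bindings under `webid` would help. The scheme test could be written once as `if (Set("http", "https").contains(webid.getScheme))` so a later addition of an accepted scheme is a one-place change. createCert starts outside this hunk.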
@@ -262,8 +274,8 @@ class ProfilePanel {
 	@POST
 	@Path("deletekey")
 	def deleteKey(@Context uriInfo: UriInfo,
-					  @FormParam("webId") webId: UriRef,
-					  @FormParam("keyhash") keys: List[String]): Response = {
+	              @FormParam("webId") webId: UriRef,
+	              @FormParam("keyhash") keys: List[String]): Response = {
 		val webIDInfo = webIdGraphsService.getWebIDInfo(webId)
 		val agent: GraphNode = new GraphNode(webId, webIDInfo.localGraph)
 		var subjects: Iterator[GraphNode] = agent.getSubjectNodes(CERT.identity)
@@ -295,10 +307,10 @@ class ProfilePanel {
 	@POST
 	@Path("modify")
 	def modifyProfile(@Context uriInfo: UriInfo,
-							@PathParam(value = "id") userName: String,
-							@FormParam("webId") webId: UriRef,
-							@FormParam("name") name: String,
-							@FormParam("description") description: String): Response = {
+	                  @PathParam("id") userName: String,
+	                  @FormParam("webId") webId: UriRef,
+	                  @FormParam("name") name: String,
+	                  @FormParam("description") description: String): Response = {
 		val webIDInfo = webIdGraphsService.getWebIDInfo(webId)
 		val agent: GraphNode = new GraphNode(webId, webIDInfo.localGraph)
 		agent.deleteProperties(FOAF.name)

Modified: incubator/clerezza/trunk/parent/ssl.keygen/base/src/main/java/org/apache/clerezza/ssl/keygen/Certificate.java
URL: http://svn.apache.org/viewvc/incubator/clerezza/trunk/parent/ssl.keygen/base/src/main/java/org/apache/clerezza/ssl/keygen/Certificate.java?rev=1089650&r1=1089649&r2=1089650&view=diff
==============================================================================
--- incubator/clerezza/trunk/parent/ssl.keygen/base/src/main/java/org/apache/clerezza/ssl/keygen/Certificate.java
(original)
+++ incubator/clerezza/trunk/parent/ssl.keygen/base/src/main/java/org/apache/clerezza/ssl/keygen/Certificate.java
Wed Apr  6 22:21:46 2011
@@ -55,10 +55,11 @@ public interface Certificate {
 
 	/**
 	 * Set the <a href="http://esw.w3.org/topic/webid">WebID</a> for the certificate.
+     * The first SAN added will appear in the Distinguished Name
 	 *
-	 * @param url the webID. Must be a full URL
+	 * @param san, a Subject Alternative Name to add. Must be a full URL, usually the WebID
 	 */
-	public void setSubjectWebID(String url);
+	public void addSubjectAlternativeName(String san);
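Review bot: The Javadoc summary still reads `Set the WebID for the certificate` although the method now appends one of possibly several Subject Alternative Names, and `@param san, a Subject Alternative Name` has a stray comma after the parameter name, which Javadoc does not expect. Suggested summary: `Add a Subject Alternative Name to the certificate; may be called several times, once per name.` The sentence about the first SAN appearing in the Distinguished Name describes DefaultCertificate's behaviour (it fills the UID attribute); if it is meant as an interface contract, name the attribute, otherwise move it to the implementation. The added comment line is indented with spaces where the rest of the block uses tabs.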
 
 
 	/**

Modified: incubator/clerezza/trunk/parent/ssl.keygen/base/src/main/java/org/apache/clerezza/ssl/keygen/bouncy/DefaultCertificate.java
URL: http://svn.apache.org/viewvc/incubator/clerezza/trunk/parent/ssl.keygen/base/src/main/java/org/apache/clerezza/ssl/keygen/bouncy/DefaultCertificate.java?rev=1089650&r1=1089649&r2=1089650&view=diff
==============================================================================
--- incubator/clerezza/trunk/parent/ssl.keygen/base/src/main/java/org/apache/clerezza/ssl/keygen/bouncy/DefaultCertificate.java
(original)
+++ incubator/clerezza/trunk/parent/ssl.keygen/base/src/main/java/org/apache/clerezza/ssl/keygen/bouncy/DefaultCertificate.java
Wed Apr  6 22:21:46 2011
@@ -30,12 +30,14 @@ POSSIBILITY OF SUCH DAMAGE.
   Author: Henry Story
  */
 
+
 package org.apache.clerezza.ssl.keygen.bouncy;
 
 import org.apache.clerezza.ssl.keygen.CertSerialisation;
 import org.apache.clerezza.ssl.keygen.Certificate;
 import org.apache.clerezza.ssl.keygen.PubKey;
 import org.bouncycastle.asn1.DERObjectIdentifier;
+import org.bouncycastle.asn1.DERSequence;
 import org.bouncycastle.asn1.misc.MiscObjectIdentifiers;
 import org.bouncycastle.asn1.misc.NetscapeCertType;
 import org.bouncycastle.asn1.x509.*;
@@ -46,6 +48,8 @@ import java.net.MalformedURLException;
 import java.net.URL;
 import java.security.cert.X509Certificate;
 import java.util.Date;
+import java.util.Iterator;
+import java.util.LinkedList;
 import java.util.Vector;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -53,13 +57,16 @@ import java.util.logging.Logger;
 /**
  * Default implementation of Certificate
  *
+ * useful reference: "X.509 Style Guide" by Peter Gutmann
+ * http://www.cs.auckland.ac.nz/~pgut001/pubs/x509guide.txt
+ *
  * @author Henry Story
  */
 
 public class DefaultCertificate implements Certificate {
 	static final Logger log = Logger.getLogger(DefaultCertificate.class.getName());
 
-	String webId;
+	LinkedList<String> sans = new LinkedList<String>();
 	String CN;
 	Date startDate;
 	Date endDate;
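Review bot: `sans` is declared as a package-private, reassignable field, although within this class it is only ever mutated through `add` and read through `size`, `getFirst` and `iterator`; `private final LinkedList<String> sans = new LinkedList<String>();` would pin the invariant that the list is never replaced and keep it out of the package-visible state. The same applies to the neighbouring fields, but they are not touched by this commit.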
@@ -82,7 +89,7 @@ public class DefaultCertificate implemen
 
 
 	@Override
-	public void setSubjectWebID(String urlStr) {
+	public void addSubjectAlternativeName(String urlStr) {
 		URL url = null;
 		try {
 			url = new URL(urlStr);
@@ -91,13 +98,13 @@ public class DefaultCertificate implemen
 				//everything probably ok, though really https should be the default
 			} else {
 				//could very well be a mistake
-				log.log(Level.WARNING, "using WebId with protocol " + protocol + ". Could be a mistake.
WebId=" + url);
+				log.log(Level.INFO, "using WebId with protocol " + protocol + ". Could be a mistake.
WebId=" + url);
 			}
 
 		} catch (MalformedURLException e) {
 			log.log(Level.WARNING, "Malformed URL " + url, e);
 		}
-		this.webId = urlStr;
+		sans.add(urlStr);
 	}
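Review bot: `sans.add(urlStr)` executes even when `new URL(urlStr)` threw, so a value that failed to parse still ends up in the certificate as a uniformResourceIdentifier SAN; the catch block should end the method, e.g. `throw new IllegalArgumentException("Malformed URL " + urlStr, e);` instead of only logging. The existing log line in that branch prints `url`, which is still null when the constructor throws, so the offending input is never recorded — it should print `urlStr`. The downgraded INFO message still says `Could be a mistake` for every non-http(s) scheme, which now includes the mailto case this commit exists to support; a neutral wording such as `SAN with non-http(s) scheme` would avoid false alarms in the logs.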
 
 	@Override
@@ -129,7 +136,7 @@ public class DefaultCertificate implemen
 
 	@Override
 	public void startEarlier(String hours) {
-		if (null == hours  || "".equals(hours)) return;
+		if (null == hours || "".equals(hours)) return;
 		try {
 			this.earlier += Double.valueOf(hours);
 		} catch (NumberFormatException e) {
@@ -139,7 +146,7 @@ public class DefaultCertificate implemen
 
 	@Override
 	public void addDurationInHours(String hours) {
-		if (null ==hours || "".equals(hours)) return;
+		if (null == hours || "".equals(hours)) return;
 		try {
 			this.numHours += Double.valueOf(hours);
 		} catch (NumberFormatException e) {
@@ -176,14 +183,21 @@ public class DefaultCertificate implemen
 		return serialization;
 	}
 
+	/**
+	 * see: http://www.bouncycastle.org/wiki/display/JA1/X.509+Public+Key+Certificate+and+Certification+Request+Generation
+	 *
+	 * @throws Exception
+	 */
 	public void generate() throws Exception {
 		X509V3CertificateGenerator certGenerator = new X509V3CertificateGenerator();
 
 		certGenerator.reset();
-		/*
-					* Sets up the subject distinguished name. Since it's a self-signed
-					* certificate, issuer and subject are the same.
-					*/
+
+/*
+		Sets up the subject distinguished name.
+		The issuer should be the same for all self signed CAs as this then allows selection of
acceptable certificates
+		by the server
+*/
 		certGenerator.setIssuerDN(new X509Name(BouncyKeygenService.issuer));
 
 
@@ -194,7 +208,11 @@ public class DefaultCertificate implemen
 		subjectDnValues.add("FOAF+SSL");
 		subjectDnOids.add(X509Name.OU);
 		subjectDnValues.add("The Community Of Self Signers");
+
+		//DNs have to be unique, so we put a webID here. The first one
+		String webId = sans.getFirst();
 		subjectDnOids.add(X509Name.UID);
+
 		subjectDnValues.add(webId);
 		subjectDnOids.add(X509Name.CN);
 		subjectDnValues.add(CN);
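Review bot: `String webId = sans.getFirst();` throws NoSuchElementException on an empty list, so the `sans.size() == 0` check that produces the `WebId not set!` message later in generate() (next hunk) can never be reached for that case and the caller gets an uninformative exception instead. Move the emptiness check ahead of this line: `if (sans.isEmpty()) throw new Exception("WebId not set!");` immediately before `String webId = sans.getFirst();`, and drop the later check. generate() starts in the previous hunk and continues past this one.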
@@ -202,26 +220,25 @@ public class DefaultCertificate implemen
 		X509Name DName = new X509Name(subjectDnOids, subjectDnValues);
 		certGenerator.setSubjectDN(DName);
 
-		/*
-					* Sets up the validity dates.
-					*/
+/*
+		Sets up the validity dates.
+*/
 		certGenerator.setNotBefore(getStartDate());
-
 		certGenerator.setNotAfter(getEndDate());
 
-		/*
-					* The serial-number of this certificate is 1. It makes sense because
-					* it's self-signed.
-					*/
+/*
+		set a random number for the serial number
+*/
 		certGenerator.setSerialNumber(service.nextRandom());
 
-		/*
-					* Sets the public-key to embed in this certificate.
-					*/
+/*
+	    Sets the public-key to embed in this certificate.
+*/
 		certGenerator.setPublicKey(getSubjectPublicKey().getPublicKey());
+
 		/*
-					* Sets the signature algorithm.
-					*/
+				  * Sets the signature algorithm.
+				  */
 //        String pubKeyAlgorithm = service.caPubKey.getAlgorithm();
 //        if (pubKeyAlgorithm.equals("DSA")) {
 //            certGenerator.setSignatureAlgorithm("SHA1WithDSA");
@@ -234,72 +251,93 @@ public class DefaultCertificate implemen
 //            throw re;
 //        }
 
-		/*
-					* Adds the Basic Constraint (CA: false) extension.
-					*/
-		certGenerator.addExtension(X509Extensions.BasicConstraints, true,
-			new BasicConstraints(false));
-
-		/*
-					* Adds the Key Usage extension.
-					*/
-		certGenerator.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(
-			KeyUsage.digitalSignature | KeyUsage.nonRepudiation
-				| KeyUsage.keyEncipherment | KeyUsage.keyAgreement
-				| KeyUsage.keyCertSign));
-
-		/*
-					* Adds the Netscape certificate type extension.
-					*/
+/*
+		 Adds the Basic Constraint (CA: false) extension.
+*/
+		certGenerator.addExtension(X509Extension.basicConstraints, true,
+				new BasicConstraints(false));
+
+/*
+		Adds the Key Usage extension.
+*/
+		certGenerator.addExtension(X509Extension.keyUsage, true, new KeyUsage(
+				KeyUsage.digitalSignature | KeyUsage.nonRepudiation
+						| KeyUsage.keyEncipherment | KeyUsage.keyAgreement
+						| KeyUsage.keyCertSign));
+
+/*
+      Adds the Netscape certificate type extension.
+      sslClient: the certificate is selectable by the client
+      the certificate can be used for mime encryption.
+      (perhaps the above should be settable. It is not clear that most certs should be used
that way, as their life
+		span could be very short)
+*/
 		certGenerator.addExtension(MiscObjectIdentifiers.netscapeCertType,
-			false, new NetscapeCertType(NetscapeCertType.sslClient
-				| NetscapeCertType.smime));
-
-		/*
-					* Adds the authority key identifier extension.
-					* Bruno pointed out that this is not needed, as the authority's key is never checked
in this setup!
-					* so I am commenting it out, to be removed at a later date.
-					*
-
-				  AuthorityKeyIdentifierStructure authorityKeyIdentifier;
-				  try {
-						authorityKeyIdentifier = new AuthorityKeyIdentifierStructure(
-								  service.certificate.getPublicKey());
-				  } catch (InvalidKeyException e) {
-						throw new Exception("failed to parse CA cert. This should never happen", e);
-				  }
-
-				  certGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier,
-							 false, authorityKeyIdentifier);
-				  */
+				false, new NetscapeCertType(NetscapeCertType.sslClient
+						| NetscapeCertType.smime));
 
 		/*
-					* Adds the subject key identifier extension.
-					*/
+				  * Adds the authority key identifier extension.
+				  * Bruno pointed out that this is not needed, as the authority's key is never checked
in this setup!
+				  * so I am commenting it out, to be removed at a later date.
+				  *
+
+				AuthorityKeyIdentifierStructure authorityKeyIdentifier;
+				try {
+					  authorityKeyIdentifier = new AuthorityKeyIdentifierStructure(
+								service.certificate.getPublicKey());
+				} catch (InvalidKeyException e) {
+					  throw new Exception("failed to parse CA cert. This should never happen", e);
+				}
+
+				certGenerator.addExtension(X509Extensions.AuthorityKeyIdentifier,
+						   false, authorityKeyIdentifier);
+				*/
+
+/*
+		Adds the subject key identifier extension.
+*/
 		SubjectKeyIdentifier subjectKeyIdentifier = new SubjectKeyIdentifierStructure(
-			getSubjectPublicKey().getPublicKey());
-		certGenerator.addExtension(X509Extensions.SubjectKeyIdentifier, false,
-			subjectKeyIdentifier);
-
-		/*
-					* Adds the subject alternative-name extension (critical).
-					*/
-		if (webId != null) {
+				getSubjectPublicKey().getPublicKey());
+		certGenerator.addExtension(X509Extension.subjectKeyIdentifier, false,
+				subjectKeyIdentifier);
+
+/*
+		Adds the subject alternative-name extension (critical).
+*/
+		if (sans.size() == 0) {
+			throw new Exception("WebId not set!");
+		}
+		if (sans.size() == 1) {
 			GeneralNames subjectAltNames = new GeneralNames(new GeneralName(
-				GeneralName.uniformResourceIdentifier, webId));
-			certGenerator.addExtension(X509Extensions.SubjectAlternativeName,
-				true, subjectAltNames);
-		} else throw new Exception("WebId not set!");
+					GeneralName.uniformResourceIdentifier, webId));
 
-		/*
-					* Creates and sign this certificate with the private key corresponding
-					* to the public key of the FOAF+SSL DN
-					*/
+			certGenerator.addExtension(X509Extension.subjectAlternativeName,
+					true, subjectAltNames);
+		} else {
+			// BouncyCastle has a pretty inflexible API. It would have made more sense to just
+			// pass an array of Names to the constructor.
+			GeneralName[] names = new GeneralName[sans.size()];
+			Iterator<String> sanIt = sans.iterator();
+			int i = 0;
+			while (sanIt.hasNext()) {
+				names[i] = new GeneralName(GeneralName.uniformResourceIdentifier, sanIt.next());
+				i++;
+			}
+			certGenerator.addExtension(X509Extension.subjectAlternativeName,
+					true, new DERSequence(names));
+
+		}
+
+/*
+		Creates and sign this certificate with the private key corresponding
+		to the public key of the FOAF+SSL DN
+*/
 		cert = certGenerator.generate(service.privateKey);
 
-		/*
-					* Checks that this certificate has indeed been correctly signed.
-					*/
+/*
+		Checks that this certificate has indeed been correctly signed.
+*/
 		cert.verify(service.certificate.getPublicKey());
 
 	}
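Review bot: The `sans.size() == 1` branch duplicates what the `else` branch already produces for a one-element list, and the two branches encode the extension value differently — `new GeneralNames(...)` versus a bare `new DERSequence(names)` — so the special case buys nothing and makes the emitted type depend on the list length. A single loop over `sans` that fills `GeneralName[] names` and wraps it in `GeneralNames` keeps one code path and makes the ASN.1 type explicit. Every entry is emitted as `GeneralName.uniformResourceIdentifier`, including the mailto values this commit is meant to allow; RFC 5280 carries e-mail addresses in `rfc822Name`, so verifiers looking for that type will not find them — worth at least a comment stating that mailto URIs are deliberately encoded as URIs. generate() starts outside this hunk.
```java
/* … unchanged: subject key identifier extension … */
GeneralName[] names = new GeneralName[sans.size()];
int i = 0;
for (String san : sans) {
	names[i++] = new GeneralName(GeneralName.uniformResourceIdentifier, san);
}
certGenerator.addExtension(X509Extension.subjectAlternativeName,
		true, new GeneralNames(new DERSequence(names)));
/* … unchanged: signing and verification … */
```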

Modified: incubator/clerezza/trunk/parent/ssl.keygen/base/src/test/java/org/apache/clerezza/ssl/keygen/bouncy/CertificateServiceTest.java
URL: http://svn.apache.org/viewvc/incubator/clerezza/trunk/parent/ssl.keygen/base/src/test/java/org/apache/clerezza/ssl/keygen/bouncy/CertificateServiceTest.java?rev=1089650&r1=1089649&r2=1089650&view=diff
==============================================================================
--- incubator/clerezza/trunk/parent/ssl.keygen/base/src/test/java/org/apache/clerezza/ssl/keygen/bouncy/CertificateServiceTest.java
(original)
+++ incubator/clerezza/trunk/parent/ssl.keygen/base/src/test/java/org/apache/clerezza/ssl/keygen/bouncy/CertificateServiceTest.java
Wed Apr  6 22:21:46 2011
@@ -85,7 +85,7 @@ public class CertificateServiceTest exte
 		Date now = new Date();
 		cert.addDurationInDays("3");
 		cert.setSubjectCommonName("Test");
-		cert.setSubjectWebID(WEBID);
+		cert.addSubjectAlternativeName(WEBID);
 		CertSerialisation certByte = cert.getSerialisation();
 
 		//test that the returned certificate contains the correct values...
@@ -146,7 +146,7 @@ public class CertificateServiceTest exte
 		Date now = new Date();
 
 		cert.setSubjectCommonName("Test");
-		cert.setSubjectWebID(WEBID);
+		cert.addSubjectAlternativeName(WEBID);
 		cert.startEarlier("2");
 		CertSerialisation certByte = cert.getSerialisation();
 

Modified: incubator/clerezza/trunk/parent/ssl.keygen/samplewebapp/src/main/java/org/apache/clerezza/ssl/keygen/webapp/MiniCaServlet.java
URL: http://svn.apache.org/viewvc/incubator/clerezza/trunk/parent/ssl.keygen/samplewebapp/src/main/java/org/apache/clerezza/ssl/keygen/webapp/MiniCaServlet.java?rev=1089650&r1=1089649&r2=1089650&view=diff
==============================================================================
--- incubator/clerezza/trunk/parent/ssl.keygen/samplewebapp/src/main/java/org/apache/clerezza/ssl/keygen/webapp/MiniCaServlet.java
(original)
+++ incubator/clerezza/trunk/parent/ssl.keygen/samplewebapp/src/main/java/org/apache/clerezza/ssl/keygen/webapp/MiniCaServlet.java
Wed Apr  6 22:21:46 2011
@@ -96,7 +96,7 @@ public class MiniCaServlet extends HttpS
                 cert = keygen.createFromPEM(pemCsrData);
             }
             cert.setSubjectCommonName(cn);
-            cert.setSubjectWebID(webId);
+            cert.addSubjectAlternativeName(webId);
             cert.addDurationInDays("365");
             cert.startEarlier("1"); //always start one hour earlier at least, to avoid clock
synchronisation issues
             cert.getSerialisation().writeTo(response);


