author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-09-03 15:11:36 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-09-03 15:15:22 +0200 |
commit | 5923a9a5e37052029ac4de951820cdef58213a21 (patch) | |
tree | 93046e2dbe8e72e198236b23ffbc45bf21c4231c /vespajlib/src/main | |
parent | ab53c918fc4645ba67ea9791a8d54890c03dad5b (diff) |
Make serial number a BigInteger to allow for >64-bit values
Diffstat (limited to 'vespajlib/src/main')
-rw-r--r-- | vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java b/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java
index 826284d2229..54d7d39253e 100644
--- a/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java
+++ b/vespajlib/src/main/java/com/yahoo/security/X509CertificateBuilder.java
@@ -21,6 +21,7 @@ import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.security.SecureRandom;
 import java.security.cert.X509Certificate;
 import java.sql.Date;
 import java.time.Instant;
@@ -35,7 +36,7 @@ import static com.yahoo.security.SubjectAlternativeName.Type.DNS_NAME;
 */
 public class X509CertificateBuilder {
- private final long serialNumber;
+ private final BigInteger serialNumber;
 private final SignatureAlgorithm signingAlgorithm;
 private final PrivateKey caPrivateKey;
 private final Instant notBefore;
@@ -53,7 +54,7 @@ public class X509CertificateBuilder {
 PublicKey certPublicKey,
 PrivateKey caPrivateKey,
 SignatureAlgorithm signingAlgorithm,
- long serialNumber) {
+ BigInteger serialNumber) {
 this.issuer = issuer;
 this.subject = subject;
 this.notBefore = notBefore;
@@ -70,7 +71,7 @@ public class X509CertificateBuilder {
 Instant notAfter,
 PrivateKey caPrivateKey,
 SignatureAlgorithm signingAlgorithm,
- long serialNumber) {
+ BigInteger serialNumber) {
 try {
 PKCS10CertificationRequest bcCsr = csr.getBcCsr();
 PublicKey publicKey = new JcaPKCS10CertificationRequest(bcCsr)
@@ -96,7 +97,7 @@ public class X509CertificateBuilder {
 Instant notBefore,
 Instant notAfter,
 SignatureAlgorithm signingAlgorithm,
- long serialNumber) {
+ BigInteger serialNumber) {
 return new X509CertificateBuilder(subject, subject, notBefore,
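Review bot: The constructor in the `@@ -53,7 +54,7 @@` hunk now accepts a `BigInteger` without any check, so a null serial only fails later as a NullPointerException in `build()` (last hunk), and a zero or negative serial is silently encoded into the certificate, which RFC 5280 §4.1.2.2 forbids (serial numbers must be positive and at most 20 octets). The constructor signature starts before this hunk and the field assignment is outside it, so the check belongs where `serialNumber` is assigned: `this.serialNumber = Objects.requireNonNull(serialNumber, "serialNumber");` preceded by `if (serialNumber.signum() <= 0 || serialNumber.bitLength() > 159) throw new IllegalArgumentException("Serial number must be positive and at most 20 octets: " + serialNumber);` (`java.util.Objects`; 159 bits is the largest positive integer whose DER encoding fits in 20 octets). The CSR factory in the `@@ -70,7 +71,7 @@` hunk and the self-signed factory in the `@@ -96,7 +97,7 @@` hunk presumably route through this constructor, so one check there covers all three entry points.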
@@ -107,6 +108,13 @@ public class X509CertificateBuilder {
 serialNumber);
 }
+ /**
+ * @return generates a cryptographically secure positive serial number up to 128 bits
+ */
+ public static BigInteger generateRandomSerialNumber() {
+ return new BigInteger(128, new SecureRandom());
+ }
+
 public X509CertificateBuilder addSubjectAlternativeName(String dnsName) {
 this.subjectAlternativeNames.add(new SubjectAlternativeName(DNS_NAME, dnsName));
 return this;
@@ -129,7 +137,7 @@ public class X509CertificateBuilder {
 public X509Certificate build() {
 try {
 JcaX509v3CertificateBuilder jcaCertBuilder = new JcaX509v3CertificateBuilder(
- issuer, BigInteger.valueOf(serialNumber), Date.from(notBefore), Date.from(notAfter), subject, certPublicKey);
+ issuer, serialNumber, Date.from(notBefore), Date.from(notAfter), subject, certPublicKey);
 if (basicConstraintsExtension != null) {
 jcaCertBuilder.addExtension(
 Extension.basicConstraints, |
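Review bot: `new BigInteger(128, new SecureRandom())` in the `@@ -107,6 +108,13 @@` hunk draws uniformly from [0, 2^128), so zero is a possible result although the Javadoc promises a positive serial and RFC 5280 requires one; the probability is negligible but excluding it is a one-line change, `return new BigInteger(127, new SecureRandom()).add(BigInteger.ONE);`, which is uniform over [1, 2^127] and still at most 128 bits. A 128-bit value with its top bit set DER-encodes to 17 octets, comfortably within the 20-octet limit, so the size is fine. Constructing a `SecureRandom` per call works but is usually hoisted to a `private static final SecureRandom` field, since the instance is thread-safe and seeding can be costly on some platforms. The `@return` tag should describe the value rather than the action: `@return a cryptographically secure random positive serial number of at most 128 bits`.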