Thanks for the outputs, Nelson. I finally got it figured out this
morning. Java has no unsigned types, so the digital signature bit
generated an error about a possible loss of precision, so I changed to
using the BitSet, which, to me, is a lot clearer anyway. You just "set"
the bits that you want on.
If anyone is interested, here's how it all works:
//imports needed for the snippet (JSS ASN.1 and PKIX classes)
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.BitSet;
import org.mozilla.jss.asn1.BIT_STRING;
import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
import org.mozilla.jss.asn1.OCTET_STRING;
import org.mozilla.jss.asn1.SEQUENCE;
import org.mozilla.jss.asn1.SET;
import org.mozilla.jss.pkix.cert.Extension;
import org.mozilla.jss.pkix.primitive.Attribute;

//create the key usage Extension object
BitSet keyUsageBits = new BitSet(8);
keyUsageBits.set(0); //digital signature (bit 0 is the most significant bit)
keyUsageBits.set(1); //non-repudiation
OBJECT_IDENTIFIER keyUsageOid = new OBJECT_IDENTIFIER("2.5.29.15"); //id-ce-keyUsage
BIT_STRING keyUsage = new BIT_STRING(keyUsageBits, 8); //8 bits, no padding bits
//DER-encode the BIT STRING; the bytes become the extnValue OCTET STRING
ByteArrayOutputStream oStream = new ByteArrayOutputStream();
keyUsage.encode(oStream); //throws IOException
OCTET_STRING os = new OCTET_STRING(oStream.toByteArray());
Extension keyUsageExtension = new Extension(keyUsageOid, true, os); //critical = true
//build the "extensionRequest" attribute (PKCS#9 id-extensionRequest)
OBJECT_IDENTIFIER extensionRequestOID = new OBJECT_IDENTIFIER("1.2.840.113549.1.9.14");
SET set = new SET();
SEQUENCE seq = new SEQUENCE(); //the Extensions SEQUENCE
seq.addElement(keyUsageExtension);
set.addElement(seq);
Attribute extensionRequest = new Attribute(extensionRequestOID, set);
//add the extensionRequest attribute to the request's attribute SET
SET attributeSet = new SET();
attributeSet.addElement(extensionRequest);
Now you just pass attributeSet as the 4th parameter to the
"CertificateRequest" constructor and you'll have keyUsage show up on the
PKCS10.
The funny thing is dumpasn1 says I have 1 error, "Spurious zero bits in
bitstring" for my key usage, but the CA is accepting all my requests so
I don't care.
Dave
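Added example (not from Dave's post and not JSS code): the dumpasn1 complaint above comes from the BIT_STRING being built with a fixed length of 8 bits. X.690 (11.2.2) requires that DER encodings of a named bit list such as KeyUsage drop trailing zero bits, so digitalSignature+nonRepudiation should encode as 03 02 06 C0 (6 unused bits) rather than 03 02 00 C0. The CA here is being lenient; a strict DER validator may reject the non-minimal form. The stdlib-only Python below encodes a KeyUsage BIT STRING both ways, reports how many trailing zero bits a DER encoder would have removed (the figure dumpasn1 calls spurious), and decodes the named bits back; bit positions follow RFC 5280, and the sample values are constructed for the demonstration.

```python
from typing import Iterable, Optional, Set

# KeyUsage named bits from RFC 5280 section 4.2.1.3.  In a BIT STRING,
# bit 0 is the most significant bit of the first content octet, which is
# also how the post's BitSet-based construction lays out the bits.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}


def key_usage_bit_string(bits: Iterable[int], num_bits: Optional[int] = None) -> bytes:
    """Encode KeyUsage bit positions as a BIT STRING TLV (tag 0x03).

    num_bits=None gives the minimal encoding DER requires for a named bit
    list (X.690 11.2.2): trailing zero bits are dropped.  A fixed num_bits,
    e.g. 8 as in the post, is legal BER but keeps the trailing zero bits
    that dumpasn1 flags as spurious.
    """
    bits = set(bits)
    if num_bits is None:
        num_bits = max(bits) + 1 if bits else 0
    if any(b >= num_bits for b in bits):
        raise ValueError("bit position outside num_bits")
    nbytes = (num_bits + 7) // 8
    content = bytearray(nbytes)
    for b in bits:
        content[b // 8] |= 0x80 >> (b % 8)
    pad = nbytes * 8 - num_bits          # unused bits in the last octet
    body = bytes([pad]) + bytes(content)
    return b"\x03" + bytes([len(body)]) + body   # short-form length suffices here


def _parse_bit_string(der: bytes):
    """Return (pad, content) for a short-form BIT STRING TLV, applying the
    structural checks a DER parser performs."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    pad, content = der[2], der[3:]
    if pad > 7 or (not content and pad != 0):
        raise ValueError("invalid pad count")
    if content and content[-1] & ((1 << pad) - 1):
        raise ValueError("padding bits must be zero")
    return pad, content


def spurious_zero_bits(der: bytes) -> int:
    """Number of trailing zero bits a DER encoder would have removed.
    0 means the encoding is DER-minimal; dumpasn1 warns when this is > 0."""
    pad, content = _parse_bit_string(der)
    num_bits = len(content) * 8 - pad
    highest_used = 0
    for i in range(num_bits):
        if content[i // 8] & (0x80 >> (i % 8)):
            highest_used = i + 1
    return num_bits - highest_used


def decode_key_usage(der: bytes) -> Set[str]:
    """Names of the KeyUsage bits set in a BIT STRING encoding (either form)."""
    pad, content = _parse_bit_string(der)
    num_bits = len(content) * 8 - pad
    return {
        name for name, pos in KEY_USAGE_BITS.items()
        if pos < num_bits and content[pos // 8] & (0x80 >> (pos % 8))
    }


if __name__ == "__main__":
    wanted = {KEY_USAGE_BITS["digitalSignature"], KEY_USAGE_BITS["nonRepudiation"]}
    fixed8 = key_usage_bit_string(wanted, 8)     # the fixed 8-bit form from the post
    minimal = key_usage_bit_string(wanted)       # DER-minimal form
    print("8-bit  :", fixed8.hex(), "spurious zero bits:", spurious_zero_bits(fixed8))
    print("minimal:", minimal.hex(), "spurious zero bits:", spurious_zero_bits(minimal))
    print("decoded:", sorted(decode_key_usage(fixed8)))
```

Running the script prints the two encodings side by side; `spurious_zero_bits` is the check to run over the extnValue of a CSR's KeyUsage extension before submitting it to a CA whose DER handling is stricter than the one in the post.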
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto