in modules/jretools/src/main/java/org/apache/harmony/jretools/keytool/KeyCertGenerator.java [99:256]
private static void generatePrivateKey(KeytoolParameters param)
throws NoSuchAlgorithmException, KeyStoreException,
NoSuchProviderException, InvalidKeyException, SignatureException,
IOException, KeytoolException, UnrecoverableKeyException,
CertificateException {
KeyStore keyStore = param.getKeyStore();
PrivateKey issuerPrivateKey = null;
Certificate[] issuerCertChain = null;
String issuerDN = null;
// if the generated certificate shouldn't be self-signed
// but should be signed with a chain.
boolean selfSigned = (param.getIssuerAlias() == null);
if (!selfSigned) {
String issuerAlias = param.getIssuerAlias();
if (!keyStore.containsAlias(issuerAlias)) {
throw new KeytoolException("Certificate issuer alias <"
+ issuerAlias + "> does not exist.");
}
if (!keyStore.entryInstanceOf(issuerAlias,
KeyStore.PrivateKeyEntry.class)) {
throw new KeytoolException("Issuer alias <" + issuerAlias
+ "> is not a private key entry. ");
}
issuerCertChain = keyStore.getCertificateChain(issuerAlias);
issuerPrivateKey = (PrivateKey) keyStore.getKey(issuerAlias, param
.getIssuerPass());
issuerDN = ((X509Certificate) issuerCertChain[0])
.getSubjectX500Principal().getName();
}
KeyPairGenerator kpg = null;
String keyAlg = param.getKeyAlg();
// key algorithm is DSA by default
if (keyAlg == null) {
keyAlg = "DSA";
}
String sigAlgName = null;
// if signature algorithm is not set, use a default
if (param.getSigAlg() != null) {
sigAlgName = param.getSigAlg();
} else if (selfSigned) {
if (keyAlg.equalsIgnoreCase("DSA")) {
sigAlgName = "SHA1withDSA";
} else if (keyAlg.equalsIgnoreCase("RSA")) {
sigAlgName = "MD5withRSA";
}else {
sigAlgName = keyAlg;
}
} else {
String issuerKeyAlg = issuerPrivateKey.getAlgorithm();
if (issuerKeyAlg.equalsIgnoreCase("DSA")) {
sigAlgName = "SHA1withDSA";
} else if (issuerKeyAlg.equalsIgnoreCase("RSA")) {
sigAlgName = "MD5withRSA";
} else {
sigAlgName = issuerKeyAlg;
}
}
// set the certificate validity period
// 90 days by default
long validity = (param.getValidity() != 0) ? param.getValidity() : 90;
// set the X.509 version to use with the certificate
int version = (param.getX509version() != 0) ?
// TBSCertificate needs 0, 1 or 2 as version in constructor (not 1,2,3);
// X.509 v.3 certificates by default
param.getX509version() - 1 : 2;
// set certificate serial number
BigInteger serialNr;
if (param.getCertSerialNr() != 0) {
serialNr = BigInteger.valueOf(param.getCertSerialNr());
} else {
int randomInt = new Random().nextInt();
if (randomInt < 0) {
randomInt = -randomInt;
}
serialNr = BigInteger.valueOf(randomInt);
}
int keySize = param.getKeySize();
if (param.isVerbose()) {
StringBuffer strBuf = new StringBuffer("Generating a " + keyAlg
+ " key pair, key length " + keySize + " bit \nand a ");
if (selfSigned) {
strBuf.append("self-signed ");
}
strBuf.append("certificate (signature algorithm is " + sigAlgName
+ ")\n for " + param.getDName());
System.out.println(strBuf);
}
// generate a pair of keys
String provider = param.getProvider();
String keyProvider = (param.getKeyProvider() != null) ? param
.getKeyProvider() : provider;
try {
if (keyProvider == null) {
kpg = KeyPairGenerator.getInstance(keyAlg);
} else {
kpg = KeyPairGenerator.getInstance(keyAlg, keyProvider);
}
} catch (NoSuchAlgorithmException e) {
throw new NoSuchAlgorithmException("The algorithm " + keyAlg
+ " is not available in current environment.");
} catch (NoSuchProviderException e) {
throw (NoSuchProviderException) new NoSuchProviderException(
"The provider " + keyProvider
+ " is not found in the environment.").initCause(e);
}
// initialize the KeyPairGenerator with the key size
kpg.initialize(keySize);
KeyPair keyPair = kpg.genKeyPair();
PrivateKey privateKey = keyPair.getPrivate();
String subjectDN = param.getDName();
String sigProvider = (param.getSigProvider() != null) ? param
.getSigProvider() : provider;
if (selfSigned) {
// generate the certificate
X509CertImpl x509cert = genX509CertImpl(sigAlgName, version,
serialNr, subjectDN, subjectDN, validity, keyPair
.getPublic(), privateKey, sigProvider,
param.isCA());
// put the key pair with the newly created cert into the keystore
keyStore.setKeyEntry(param.getAlias(), privateKey, param
.getKeyPass(), new X509Certificate[] { x509cert });
} else {
// generate the certificate
X509CertImpl x509cert = genX509CertImpl(sigAlgName, version,
serialNr, subjectDN, issuerDN, validity, keyPair
.getPublic(), issuerPrivateKey,
sigProvider, param.isCA());
// construct the certificate chain
int issuerChainLength = issuerCertChain.length;
X509Certificate[] certChain = new X509Certificate[issuerChainLength + 1];
certChain[0] = x509cert;
System.arraycopy(issuerCertChain, 0, certChain, 1,
issuerChainLength);
// put the key pair with the newly created cert into the keystore
keyStore.setKeyEntry(param.getAlias(), privateKey, param
.getKeyPass(), certChain);
}
param.setNeedSaveKS(true);
}