Use the new X.509 cert generator API
The previous API has been deprecated within Bouncycastle for a while.
Switch to the newer one to avoid the deprecation warnings.
Test: cts-tradefed run cts -m CtsLibcoreTestCases
Change-Id: I24b1340185876f90730d362019f202431c94d4a2
diff --git a/support/src/test/java/libcore/java/security/TestKeyStore.java b/support/src/test/java/libcore/java/security/TestKeyStore.java
index ef62a44..96c9487 100644
--- a/support/src/test/java/libcore/java/security/TestKeyStore.java
+++ b/support/src/test/java/libcore/java/security/TestKeyStore.java
@@ -17,9 +17,11 @@
package libcore.java.security;
import com.android.org.bouncycastle.asn1.DEROctetString;
+import com.android.org.bouncycastle.asn1.x500.X500Name;
import com.android.org.bouncycastle.asn1.x509.BasicConstraints;
import com.android.org.bouncycastle.asn1.x509.CRLReason;
import com.android.org.bouncycastle.asn1.x509.ExtendedKeyUsage;
+import com.android.org.bouncycastle.asn1.x509.Extension;
import com.android.org.bouncycastle.asn1.x509.GeneralName;
import com.android.org.bouncycastle.asn1.x509.GeneralNames;
import com.android.org.bouncycastle.asn1.x509.GeneralSubtree;
@@ -27,23 +29,20 @@
import com.android.org.bouncycastle.asn1.x509.KeyUsage;
import com.android.org.bouncycastle.asn1.x509.NameConstraints;
import com.android.org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
-import com.android.org.bouncycastle.asn1.x509.X509Extensions;
import com.android.org.bouncycastle.cert.X509CertificateHolder;
+import com.android.org.bouncycastle.cert.X509v3CertificateBuilder;
import com.android.org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import com.android.org.bouncycastle.cert.ocsp.BasicOCSPResp;
import com.android.org.bouncycastle.cert.ocsp.BasicOCSPRespBuilder;
import com.android.org.bouncycastle.cert.ocsp.CertificateID;
import com.android.org.bouncycastle.cert.ocsp.CertificateStatus;
-import com.android.org.bouncycastle.cert.ocsp.OCSPException;
import com.android.org.bouncycastle.cert.ocsp.OCSPResp;
import com.android.org.bouncycastle.cert.ocsp.OCSPRespBuilder;
import com.android.org.bouncycastle.cert.ocsp.RevokedStatus;
import com.android.org.bouncycastle.jce.provider.BouncyCastleProvider;
import com.android.org.bouncycastle.operator.DigestCalculatorProvider;
-import com.android.org.bouncycastle.operator.OperatorCreationException;
import com.android.org.bouncycastle.operator.bc.BcDigestCalculatorProvider;
import com.android.org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
-import com.android.org.bouncycastle.x509.X509V3CertificateGenerator;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.PrintStream;
@@ -707,43 +706,40 @@
throw new IllegalArgumentException("Unknown key algorithm " + keyAlgorithm);
}
- X509V3CertificateGenerator x509cg = new X509V3CertificateGenerator();
- x509cg.setSubjectDN(subject);
- x509cg.setIssuerDN(issuer);
- x509cg.setNotBefore(start);
- x509cg.setNotAfter(end);
- x509cg.setPublicKey(publicKey);
- x509cg.setSignatureAlgorithm(signatureAlgorithm);
if (serialNumber == null) {
byte[] serialBytes = new byte[16];
new SecureRandom().nextBytes(serialBytes);
serialNumber = new BigInteger(1, serialBytes);
}
- x509cg.setSerialNumber(serialNumber);
+
+ X509v3CertificateBuilder x509cg = new X509v3CertificateBuilder(
+ X500Name.getInstance(issuer.getEncoded()), serialNumber, start, end,
+ X500Name.getInstance(subject.getEncoded()),
+ SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
if (keyUsage != 0) {
- x509cg.addExtension(X509Extensions.KeyUsage,
+ x509cg.addExtension(Extension.keyUsage,
true,
new KeyUsage(keyUsage));
}
if (ca) {
- x509cg.addExtension(X509Extensions.BasicConstraints,
+ x509cg.addExtension(Extension.basicConstraints,
true,
new BasicConstraints(true));
}
for (int i = 0; i < extendedKeyUsages.size(); i++) {
KeyPurposeId keyPurposeId = extendedKeyUsages.get(i);
boolean critical = criticalExtendedKeyUsages.get(i);
- x509cg.addExtension(X509Extensions.ExtendedKeyUsage,
+ x509cg.addExtension(Extension.extendedKeyUsage,
critical,
new ExtendedKeyUsage(keyPurposeId));
}
for (GeneralName subjectAltName : subjectAltNames) {
- x509cg.addExtension(X509Extensions.SubjectAlternativeName,
+ x509cg.addExtension(Extension.subjectAlternativeName,
false,
new GeneralNames(subjectAltName).getEncoded());
}
if (!permittedNameConstraints.isEmpty() || !excludedNameConstraints.isEmpty()) {
- x509cg.addExtension(X509Extensions.NameConstraints,
+ x509cg.addExtension(Extension.nameConstraints,
true,
new NameConstraints(permittedNameConstraints.toArray(
new GeneralSubtree[
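Review bot: The two loops in this hunk still call `addExtension` once per element under the same OID (`Extension.extendedKeyUsage` and `Extension.subjectAlternativeName`), so a caller that passes two key purposes or two subject alternative names requests a repeated extension, which RFC 5280 does not allow in a certificate. How `X509v3CertificateBuilder` handles a repeated OID (reject, replace or merge) is not visible here and should be confirmed, otherwise multi-SAN test certificates may not contain what the tests assume. Building one value avoids the question: assuming `subjectAltNames` is a `List`, use `if (!subjectAltNames.isEmpty()) { x509cg.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(subjectAltNames.toArray(new GeneralName[0]))); }`. The key-purpose loop would need a single agreed critical flag before it could be merged the same way. The enclosing method starts above this hunk and continues below it.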
@@ -753,7 +749,12 @@
excludedNameConstraints.size()])));
}
- X509Certificate x509c = x509cg.generateX509Certificate(privateKey);
+ X509CertificateHolder x509holder = x509cg.build(
+ new JcaContentSignerBuilder(signatureAlgorithm).build(privateKey));
+ CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+ X509Certificate x509c = (X509Certificate) certFactory.generateCertificate(
+ new ByteArrayInputStream(x509holder.getEncoded()));
+
if (StandardNames.IS_RI) {
/*
* The RI can't handle the BC EC signature algorithm
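Review bot: The encode-then-decode step through `CertificateFactory` on the added lines needs a short why-comment, for example `// Re-parse the DER encoding so callers get the default provider's X509Certificate rather than a Bouncy Castle holder.` The `StandardNames.IS_RI` branch that follows appears to exist to convert a BC certificate into the RI's implementation. If it does that by re-parsing the bytes, it is probably redundant now that `x509c` already comes from `CertificateFactory.getInstance("X.509")`, but its body lies outside this hunk and needs checking. `JcaContentSignerBuilder` is also built without an explicit provider, so signing uses whichever provider the JCA selects for `signatureAlgorithm`; add a brief comment if the tests depend on a particular one.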