"jason.greene(a)jboss.com" wrote :
| 1. Ability to generate a v3 cert, bouncy castle does support this. Right now I tell
people to use openssl.
|
We should just look at whether bouncy castle/ejbca can be leveraged to get a sufficient
cert generation capability into our codebase.
"jason.greene(a)jboss.com" wrote :
| 2. Support for subject key identifier code follows (Although, ideally all v3
attributes would be supported)
|
|
| | public static byte[] getSubjectKeyIdentifier(X509Certificate cert)
| | {
| | // Maybe we should make one ourselves if it isn't there?
| | byte[] encoded = cert.getExtensionValue("2.5.29.14");
| | if (encoded == null)
| | return null;
| |
| | // We need to skip 4 bytes [(OCTET STRING) (LENGTH)[(OCTET STRING) (LENGTH) (Actual data)]]
| | int trunc = encoded.length - 4;
| |
| | byte[] identifier = new byte[trunc];
| | System.arraycopy(encoded, 4, identifier, 0, trunc);
| |
| | return identifier;
| | }
| |
|
Access to any raw attribute seems to exist. What is not generally available is a mechanism
to control how to decode a given attribute. I would assume this is going to require
ASN/DER classes (should exist in bc or even opends), along with an OID to format handler
registry. The latter is core to ldap and so maybe we can leverage the opends schema
handling pieces as a way to externalize the cert attribute handling as well.
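For the decoding problem the thread is circling, the quoted helper works only because a typical subject key identifier is a 20-byte hash, so both DER length bytes are short-form and the header is exactly 4 bytes. The following is an added example (mine, not the poster's code and not part of JBoss, BouncyCastle or OpenDS) that unwraps the same OCTET STRING { OCTET STRING { id } } layout by actually parsing the DER tag and length, rejecting long-form/non-minimal lengths and trailing bytes instead of assuming a fixed offset. The class name, the `decodeSubjectKeyIdentifier` entry point and the 24-byte sample extension value in `main` are my own constructions; `X509Certificate.getExtensionValue` and the OID 2.5.29.14 are the real JCA API and SKI OID.

```java
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Decodes the SubjectKeyIdentifier extension (OID 2.5.29.14) as returned by
 * X509Certificate.getExtensionValue(): the body is DER-wrapped twice,
 * OCTET STRING { OCTET STRING { keyIdentifier } }.
 * Rather than skipping a fixed 4 bytes, this walks the DER length encoding so
 * long-form lengths and malformed input are handled explicitly.
 * (Added example; not the poster's code and not part of any JBoss project.)
 */
public final class SubjectKeyIdentifierDecoder {

    private static final String SKI_OID = "2.5.29.14";
    private static final int TAG_OCTET_STRING = 0x04;

    private SubjectKeyIdentifierDecoder() {}

    /** Returns the raw key identifier bytes, or null if the cert has no SKI extension. */
    public static byte[] getSubjectKeyIdentifier(X509Certificate cert) {
        byte[] encoded = cert.getExtensionValue(SKI_OID);
        if (encoded == null) {
            return null;
        }
        return decodeSubjectKeyIdentifier(encoded);
    }

    /** Unwraps OCTET STRING { OCTET STRING { id } } with proper DER length handling. */
    public static byte[] decodeSubjectKeyIdentifier(byte[] extensionValue) {
        byte[] inner = unwrapOctetString(extensionValue);
        return unwrapOctetString(inner);
    }

    /** Parses one DER OCTET STRING TLV and returns its contents; rejects trailing garbage. */
    static byte[] unwrapOctetString(byte[] tlv) {
        if (tlv.length < 2 || (tlv[0] & 0xFF) != TAG_OCTET_STRING) {
            throw new IllegalArgumentException("expected DER OCTET STRING");
        }
        int first = tlv[1] & 0xFF;
        int offset = 2;
        int length;
        if (first < 0x80) {
            // short form: the byte is the length itself
            length = first;
        } else {
            // long form: low 7 bits give the number of following length bytes
            int numBytes = first & 0x7F;
            if (numBytes == 0 || numBytes > 4 || tlv.length < 2 + numBytes) {
                throw new IllegalArgumentException("bad DER length");
            }
            length = 0;
            for (int i = 0; i < numBytes; i++) {
                length = (length << 8) | (tlv[offset++] & 0xFF);
            }
            if (length < 0x80) {
                // DER requires the shortest encoding; 0x81 0x05 is not allowed
                throw new IllegalArgumentException("non-minimal DER length");
            }
        }
        if (length < 0 || offset + length != tlv.length) {
            throw new IllegalArgumentException("DER length does not match data");
        }
        return Arrays.copyOfRange(tlv, offset, offset + length);
    }

    public static void main(String[] args) {
        // Constructed sample: what getExtensionValue("2.5.29.14") returns for a
        // 20-byte key identifier: 04 16 { 04 14 { 20 bytes } }, 24 bytes in total.
        byte[] sample = new byte[24];
        sample[0] = 0x04; sample[1] = 0x16;
        sample[2] = 0x04; sample[3] = 0x14;
        for (int i = 0; i < 20; i++) {
            sample[4 + i] = (byte) i;
        }

        byte[] id = decodeSubjectKeyIdentifier(sample);
        StringBuilder hex = new StringBuilder();
        for (byte b : id) {
            hex.append(String.format("%02x", b));
        }
        System.out.println("keyIdentifier = " + hex);
    }
}
```

The same `unwrapOctetString` step is what a generic extension decoder would do first for every OID, since `getExtensionValue` always hands back the outer OCTET STRING; what differs per OID is only how the inner bytes are interpreted, which is exactly the OID-to-handler registry the reply above describes.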
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3980154#...