4-4 Oracle Fusion Middleware Reference for Oracle Security Developer Tools
4.3.2 The oracle.security.crypto.cert.X500Name Class
This class represents distinguished names as used in the X.500 series of specifications, defined in X.520. An X500Name object is made of X500RDN objects. An X500Name
holds attributes defining an entity such as the common name, country, organization, and so on.
To create an X500Name object, use the standard constructor and then populate the object with attributes. Once created, the object can then be DER-encoded to make it
available to other processes:
Example 4–2 Code Example for Creating an X500Name Object
import java.io.ByteArrayInputStream;

// Build the distinguished name one attribute at a time
X500Name name = new X500Name();
name.addComponent(PKIX.id_at_commonName, "Joe Smith");
name.addComponent(PKIX.id_at_countryName, "USA");
name.addComponent(PKIX.id_at_stateOrProvinceName, "NY");
name.addComponent(PKIX.id_at_localityName, "New York");
name.addComponent(PKIX.id_at_organizationName, "Oracle");
name.addComponent(PKIX.id_at_organizationalUnitName, "Engineering");
name.addComponent(PKIX.emailAddress, "joe.smith@oracle.com");

// Make object DER-encoded so it's available to other processes
byte[] encodedName = Utils.toBytes(name);

// A receiving process rebuilds the name from the DER bytes and reads attributes back
X500Name n = new X500Name(new ByteArrayInputStream(encodedName));
String commonName = n.getAttribute(PKIX.id_at_commonName).getValue().getValue();
String email = n.getAttribute(PKIX.emailAddress).getValue().getValue();
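To show what the DER bytes of such a name contain, the following added example (Python, standard library only; it is not Oracle's code and does not use the Oracle Security Developer Tools API) encodes the DN from Example 4–2 as a SEQUENCE of RDN SETs and decodes it again with length and tag checks. The function names, the `SAMPLE` list, and the choice of UTF8String for most attributes are assumptions of this example.

```python
# DER content bytes of the attribute-type OIDs in Example 4-2 (2.5.4.x, PKCS#9 email)
OIDS = {"CN": "550403", "C": "550406", "ST": "550408", "L": "550407",
        "O": "55040a", "OU": "55040b", "E": "2a864886f70d010901"}
NAMES = {bytes.fromhex(h): key for key, h in OIDS.items()}
STRING_TAG = {"C": 0x13, "E": 0x16}  # PrintableString, IA5String; else UTF8String
# The DN from Example 4-2 (constructed sample input)
SAMPLE = [("CN", "Joe Smith"), ("C", "USA"), ("ST", "NY"), ("L", "New York"),
          ("O", "Oracle"), ("OU", "Engineering"), ("E", "joe.smith@oracle.com")]

def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def encode_name(pairs):
    rdns = b""
    for key, value in pairs:
        string = tlv(STRING_TAG.get(key, 0x0C), value.encode())
        atv = tlv(0x06, bytes.fromhex(OIDS[key])) + string
        rdns += tlv(0x31, tlv(0x30, atv))  # SET { SEQUENCE { type, value } }
    return tlv(0x30, rdns)  # Name ::= SEQUENCE OF RelativeDistinguishedName

def read_tlv(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits count the length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + n], pos + n

def decode_name(der):
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        t1, rdn, pos = read_tlv(body, pos)
        t2, atv, _ = read_tlv(rdn, 0)
        t3, oid, p = read_tlv(atv, 0)
        _, val, _ = read_tlv(atv, p)
        if (t1, t2, t3) != (0x31, 0x30, 0x06):
            raise ValueError("unexpected RDN structure")
        out.append((NAMES.get(oid, oid.hex()), val.decode()))
    return out
```
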
4.3.3 The oracle.security.crypto.cert.CertificateRequest Class
This class represents a PKCS#10 certificate request containing information about an entity and a signature of the content of the request. The certificate request is used to
convey information and authentication data (the signature) that will be used by a Certificate Authority (CA) to generate a certificate for the corresponding entity.
Creating a new certificate request involves the following high-level steps:
1. Create a new instance of CertificateRequest by using the empty constructor and setting the keys and the subject name, or by using the constructor taking an X500Name and a KeyPair object.
2. Add X.509 extensions to the certificate request.
3. Sign the certificate request and save it to a file.
4. Send the certificate request you created to a Certificate Authority.
Example 4–3 Code Example for Creating a Certificate Request
// Create CertificateRequest by setting the keys and subject name
CertificateRequest certReq = new CertificateRequest();
certReq.setPrivateKey(privKey);
certReq.setPublicKey(pubKey);
certReq.setSubject(subjectName);

// OR (use instead of the four lines above):
// Create CertificateRequest by taking an X500Name and KeyPair object
// CertificateRequest certReq = new CertificateRequest(subjectName, keyPair);
// Add X.509 certificate extensions in an extensionRequest attribute
X509ExtensionSet extSet = new X509ExtensionSet();

// Basic Constraints: non-CA, critical
extSet.addExtension(new BasicConstraintsExtension(false, true));

// Key Usage: signature, data encipherment, key agreement
// and non-repudiation flags, critical
extSet.addExtension(new KeyUsageExtension(new int[] {
KeyUsageExtension.DIGITAL_SIGNATURE,
KeyUsageExtension.DATA_ENCIPHERMENT,
KeyUsageExtension.KEY_AGREEMENT,
KeyUsageExtension.NON_REPUDIATION},
true));

// Subject Alternative Name: email address, non-critical
if (email.length() > 0)
extSet.addExtension(new SubjectAltNameExtension(
new GeneralName(GeneralName.Type.RFC822_NAME, email), false));

// Subject Key Identifier: key ID bytes, non-critical
extSet.addExtension(new SubjectKeyIDExtension(
CryptoUtils.generateKeyID(keyPair.getPublic())));

certReq.addAttribute(PKIX.extensionRequest, extSet);

// Sign the certificate request and save to file
// (reqOS is an output stream opened on the destination file)
certReq.sign();
certReq.output(reqOS);
reqOS.close();

// The certificate request can then be sent to a CA
4.3.4 The java.security.cert.X509Certificate Class