diff --git a/kse/src/main/java/org/kse/crypto/x509/X509ExtensionSetUpdater.java b/kse/src/main/java/org/kse/crypto/x509/X509ExtensionSetUpdater.java
index b97c6172e..514016785 100644
--- a/kse/src/main/java/org/kse/crypto/x509/X509ExtensionSetUpdater.java
+++ b/kse/src/main/java/org/kse/crypto/x509/X509ExtensionSetUpdater.java
@@ -52,11 +52,12 @@ private X509ExtensionSetUpdater() {
      * @param issuerPublicKey New issuer public key
      * @param issuerCertName New issuer DN
      * @param issuerCertSerialNumber New SN
+     * @param issuerSkiExt New issuer SKI extension
      * @throws CryptoException For example when hash value cannot be calculated
      * @throws IOException If the content cannot be encoded
      */
     public static void update(X509ExtensionSet extensionSet, PublicKey subjectPublicKey, PublicKey issuerPublicKey,
-                              X500Name issuerCertName, BigInteger issuerCertSerialNumber)
+                              X500Name issuerCertName, BigInteger issuerCertSerialNumber, byte[] issuerSkiExt)
             throws CryptoException, IOException {
 
         Set allExtensions = new HashSet<>(extensionSet.getCriticalExtensionOIDs());
@@ -66,7 +67,7 @@ public static void update(X509ExtensionSet extensionSet, PublicKey subjectPublic
             switch (X509ExtensionType.resolveOid(extensionOid)) {
             case AUTHORITY_KEY_IDENTIFIER:
-                updateAKI(extensionSet, extensionOid, issuerPublicKey, issuerCertName, issuerCertSerialNumber);
+                updateAKI(extensionSet, extensionOid, issuerPublicKey, issuerCertName, issuerCertSerialNumber, issuerSkiExt);
                 break;
             case SUBJECT_KEY_IDENTIFIER:
                 updateSKI(extensionSet, extensionOid, subjectPublicKey);
@@ -91,7 +92,7 @@ public static void update(X509ExtensionSet extensionSet, PublicKey subjectPublic
     }
 
     private static void updateAKI(X509ExtensionSet extensionSet, String extensionOid, PublicKey newIssuerPublicKey,
-                                  X500Name newIssuerCertName, BigInteger newIssuerSerialNumber)
+                                  X500Name newIssuerCertName, BigInteger newIssuerSerialNumber, byte[] issuerSkiExt)
             throws CryptoException, IOException {
 
         // extract old AKI data
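Review bot: The new `@param issuerSkiExt New issuer SKI extension` line in the update() javadoc does not say which encoding the caller must pass or that null is accepted, yet both facts matter: the implementation hands the bytes to `X509Ext.unwrapExtension` (i.e. it expects the OCTET STRING-wrapped form that `X509Certificate.getExtensionValue` returns, not a bare key identifier) and it skips the lookup when the argument is null. Suggest `@param issuerSkiExt DER value of the issuer's SubjectKeyIdentifier extension as returned by X509Certificate.getExtensionValue(), or null to derive the AKI key identifier from a hash of issuerPublicKey`. The body of update() continues beyond this hunk.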
@@ -102,6 +103,11 @@ private static void updateAKI(X509ExtensionSet extensionSet, String extensionOid
 
         // generate new values
         byte[] newKeyIdentifier = new KeyIdentifierGenerator(newIssuerPublicKey).generate160BitHashId();
+        if (issuerSkiExt != null) {
+            // The *issuer* subject key identifier is the *issued* cert's authority key identifier
+            newKeyIdentifier = SubjectKeyIdentifier.getInstance(X509Ext.unwrapExtension(issuerSkiExt))
+                    .getKeyIdentifier();
+        }
         GeneralNames newCertIssuer = new GeneralNames(new GeneralName[] { new GeneralName(newIssuerCertName) });
 
         // create new AKI object with same components as before
diff --git a/kse/src/main/java/org/kse/gui/dialogs/DGenerateKeyPairCert.java b/kse/src/main/java/org/kse/gui/dialogs/DGenerateKeyPairCert.java
index 0d34f2a5f..d98c6cea8 100644
--- a/kse/src/main/java/org/kse/gui/dialogs/DGenerateKeyPairCert.java
+++ b/kse/src/main/java/org/kse/gui/dialogs/DGenerateKeyPairCert.java
@@ -324,12 +325,13 @@ private void transferNameExtPressed() {
                 String serialNumberStr = jtfSerialNumber.getText().trim();
                 BigInteger serialNumber = SerialNumbers.parse(serialNumberStr);
                 X509ExtensionSetUpdater.update(extensions, keyPair.getPublic(), keyPair.getPublic(),
-                                               jdnName.getDistinguishedName(), serialNumber);
+                                               jdnName.getDistinguishedName(), serialNumber, null);
             } else {
                 X509ExtensionSetUpdater.update(extensions, keyPair.getPublic(), issuerCert.getPublicKey(),
                                                X500NameUtils.x500PrincipalToX500Name(
                                                        issuerCert.getSubjectX500Principal()),
-                                               issuerCert.getSerialNumber());
+                                               issuerCert.getSerialNumber(),
+                                               issuerCert.getExtensionValue(X509ExtensionType.SUBJECT_KEY_IDENTIFIER.oid()));
             }
         } catch (CryptoException | IOException | NumberFormatException e) {
             DError.displayError(this, e);
diff --git a/kse/src/main/java/org/kse/gui/dialogs/extensions/DAddExtensions.java b/kse/src/main/java/org/kse/gui/dialogs/extensions/DAddExtensions.java
index 5cac7c59f..c0b9d0689 100644
--- a/kse/src/main/java/org/kse/gui/dialogs/extensions/DAddExtensions.java
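Review bot: A malformed or unexpectedly encoded SKI in the issuer certificate makes `SubjectKeyIdentifier.getInstance(X509Ext.unwrapExtension(issuerSkiExt))` fail with an unchecked exception (BouncyCastle's getInstance() methods throw IllegalArgumentException on bad input), which is neither the CryptoException nor the IOException that updateAKI declares, so the catch blocks in the three GUI callers of this diff would not see it. Since the issuer certificate is user-supplied data, the parse failure should be converted to the declared exception type; the hash is also computed and then discarded whenever an SKI is present, so an if/else keeps the two sources of the key identifier explicit. The rewrite below assumes CryptoException has a (String, Throwable) constructor. The rest of updateAKI lies outside this hunk.
```java
        // generate new values
        byte[] newKeyIdentifier;
        if (issuerSkiExt != null) {
            // RFC 5280 4.2.1.1: the issued cert's AKI keyIdentifier is the issuer's SKI when the issuer has one
            try {
                newKeyIdentifier = SubjectKeyIdentifier.getInstance(X509Ext.unwrapExtension(issuerSkiExt))
                        .getKeyIdentifier();
            } catch (IllegalArgumentException e) {
                throw new CryptoException("Issuer certificate has a malformed Subject Key Identifier extension", e);
            }
        } else {
            // no issuer SKI available: derive the identifier from the issuer key instead
            newKeyIdentifier = new KeyIdentifierGenerator(newIssuerPublicKey).generate160BitHashId();
        }
        // … unchanged: newCertIssuer and AKI rebuild …
```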
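Review bot: The self-signed branch passes `null` as the issuer SKI, so the AKI key identifier of the new certificate is derived by `KeyIdentifierGenerator.generate160BitHashId()` over its own key, while the SKI of the same certificate is produced by updateSKI, whose body is not in this diff; the two only agree if updateSKI uses the same 160-bit method, which a reader cannot confirm from this call site. A short comment on the `null` argument would make that dependency explicit, e.g. `// self-signed: no issuer SKI yet, so the AKI falls back to a hash of our own key and must match what updateSKI writes`. If updateSKI ever switches to a different identifier method the AKI and SKI of self-signed certificates would silently diverge, so a regression test comparing the two would be worthwhile. The enclosing transferNameExtPressed() starts and ends outside this hunk.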
+++ b/kse/src/main/java/org/kse/gui/dialogs/extensions/DAddExtensions.java
@@ -764,7 +765,7 @@ private void loadTemplatePressed() {
                 extensions = X509ExtensionSet.load(new FileInputStream(loadFile));
 
                 X509ExtensionSetUpdater.update(extensions, subjectPublicKey, issuerPublicKey, issuerCertName,
-                                               issuerCertSerialNumber);
+                                               issuerCertSerialNumber, issuerSki);
 
                 reloadExtensionsTable();
                 selectFirstExtensionInTable();
diff --git a/kse/src/main/java/org/kse/gui/dialogs/sign/DSignCsr.java b/kse/src/main/java/org/kse/gui/dialogs/sign/DSignCsr.java
index cdb9ca047..f0fa043c2 100644
--- a/kse/src/main/java/org/kse/gui/dialogs/sign/DSignCsr.java
+++ b/kse/src/main/java/org/kse/gui/dialogs/sign/DSignCsr.java
@@ -656,7 +657,8 @@ protected void transferExtensionsPressed() {
             X509ExtensionSetUpdater.update(extensions, csrPublicKey, issuerCertificate.getPublicKey(),
                                            X500NameUtils.x500PrincipalToX500Name(
                                                    issuerCertificate.getSubjectX500Principal()),
-                                           issuerCertificate.getSerialNumber());
+                                           issuerCertificate.getSerialNumber(),
+                                           issuerCertificate.getExtensionValue(X509ExtensionType.SUBJECT_KEY_IDENTIFIER.oid()));
         } catch (CryptoException | IOException e) {
             DError.displayError(this, e);
         }
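Review bot: The new `issuerSki` argument is a field whose declaration and assignment are not in this diff, and nothing at the call site says which form it carries; updateAKI runs the bytes through `X509Ext.unwrapExtension` before parsing, so it expects the OCTET STRING-wrapped value exactly as `X509Certificate.getExtensionValue` returns it, which is what the other two callers in this commit pass. If `issuerSki` is populated from an already-unwrapped SubjectKeyIdentifier, the parse in updateAKI will fail for every template load. Suggest documenting the contract where the field is declared, e.g. `// raw extension value (X509Certificate.getExtensionValue form), or null when the issuer has no SKI`, and confirming the assignment site matches it. loadTemplatePressed() starts and ends outside this hunk.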
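Review bot: The added `issuerCertificate.getExtensionValue(X509ExtensionType.SUBJECT_KEY_IDENTIFIER.oid())` argument is null whenever the signing certificate carries no SKI, and the resulting fallback in updateAKI (a hash of the issuer key) is invisible from this call site; since this is the dialog where an arbitrary issuer certificate from the keystore signs a CSR, a reader checking RFC 5280 conformance of the issued certificate will want that behaviour stated here. Suggest `// null when the issuer has no SKI; updateAKI then derives the AKI key identifier from the issuer's public key` on the new line. transferExtensionsPressed() starts before this hunk.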