java.lang.Object
- net.ripe.rpki.commons.crypto.x509cert.X509CertificateBuilderHelper

```
public final class X509CertificateBuilderHelper
extends Object
```
Fairly generic helper for X509CertificateBuilders. Intended to be used by (delegated to, not extended) specific certificate builders. Because we want to maintain the pattern where a specific Certificate builder can be chained like: builder.withValidity(val).withSubjectDn(subject) etc... dynamic typing would be required.. hence delegation. Even though RPKI is all about resource certificates, there is not resource-specific version of this builder helper as it is not so easy to make sure that resources are set in a compile-time guaranteed fashion. Resources can be set - using withResources; - using withInheritedResourceTypes. There are complicated relationships between these two ways of setting resources (@see X509CertificateBuilderHelper.validateResource) which results in an inevitable runtime check. Thus moving resource setting into a separate resource-specialised builder doesn't make sense.

Field Summary

Fields
Modifier and Type Field Description

static String DEFAULT_SIGNATURE_ALGORITHM

static String DEFAULT_SIGNATURE_PROVIDER

Constructor Summary

Constructors
Constructor Description

X509CertificateBuilderHelper()

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method	Description
`protected org.bouncycastle.cert.X509v3CertificateBuilder`	`createCertificateGenerator()`	Override this to add your extensions to the certificate generator
`X509Certificate`	`generateCertificate()`	Build the X509 certificate.
`protected void`	`validateResource(net.ripe.ipresource.IpResourceSet resources)`	https://tools.ietf.org/html/rfc6487#section-7 Resource extension validation implies that at least IP or ASN extension must be present.
`X509CertificateBuilderHelper`	`withAuthorityInformationAccess(X509CertificateInformationAccessDescriptor... descriptors)`
`X509CertificateBuilderHelper`	`withAuthorityKeyIdentifier(boolean add)`
`X509CertificateBuilderHelper`	`withCa(boolean ca)`
`X509CertificateBuilderHelper`	`withCrlDistributionPoints(URI... uris)`
`X509CertificateBuilderHelper`	`withInheritedResourceTypes(EnumSet<net.ripe.ipresource.IpResourceType> resourceTypes)`
`X509CertificateBuilderHelper`	`withIssuerDN(X500Principal issuerDN)`
`X509CertificateBuilderHelper`	`withKeyUsage(int keyUsage)`
`X509CertificateBuilderHelper`	`withPolicies(org.bouncycastle.asn1.x509.PolicyInformation... policies)`
`X509CertificateBuilderHelper`	`withPublicKey(PublicKey publicKey)`
`X509CertificateBuilderHelper`	`withResources(net.ripe.ipresource.IpResourceSet resources)`
`X509CertificateBuilderHelper`	`withRouter(boolean router)`
`X509CertificateBuilderHelper`	`withSerial(BigInteger serial)`
`X509CertificateBuilderHelper`	`withSignatureAlgorithm(String signatureAlgorithm)`	Careful! You probably want to stick to the default.
`X509CertificateBuilderHelper`	`withSignatureProvider(String signatureProvider)`
`X509CertificateBuilderHelper`	`withSigningKeyPair(KeyPair signingKey)`
`X509CertificateBuilderHelper`	`withSubjectDN(X500Principal subjectDN)`
`X509CertificateBuilderHelper`	`withSubjectInformationAccess(X509CertificateInformationAccessDescriptor... descriptors)`
`X509CertificateBuilderHelper`	`withValidityPeriod(ValidityPeriod validityPeriod)`

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail
- DEFAULT_SIGNATURE_ALGORITHM
```
public static final String DEFAULT_SIGNATURE_ALGORITHM
```
  See Also:
  
  Constant Field Values
- DEFAULT_SIGNATURE_PROVIDER
```
public static final String DEFAULT_SIGNATURE_PROVIDER
```
  See Also:
  
  Constant Field Values

Constructor Detail
- X509CertificateBuilderHelper
```
public X509CertificateBuilderHelper()
```

Method Detail

withSignatureProvider

public X509CertificateBuilderHelper withSignatureProvider(String signatureProvider)

withSerial

public X509CertificateBuilderHelper withSerial(BigInteger serial)

withSubjectDN

public X509CertificateBuilderHelper withSubjectDN(X500Principal subjectDN)

withIssuerDN

public X509CertificateBuilderHelper withIssuerDN(X500Principal issuerDN)

withValidityPeriod

public X509CertificateBuilderHelper withValidityPeriod(ValidityPeriod validityPeriod)

withResources

public X509CertificateBuilderHelper withResources(net.ripe.ipresource.IpResourceSet resources)

withPublicKey

public X509CertificateBuilderHelper withPublicKey(PublicKey publicKey)

withSigningKeyPair

public X509CertificateBuilderHelper withSigningKeyPair(KeyPair signingKey)

withSignatureAlgorithm
```
public X509CertificateBuilderHelper withSignatureAlgorithm(String signatureAlgorithm)
```
Careful! You probably want to stick to the default. This method is here mainly to allow for testing the parser. The parser should reject signature algorithms not allowed by RFC.

withKeyUsage

public X509CertificateBuilderHelper withKeyUsage(int keyUsage)

withCa

public X509CertificateBuilderHelper withCa(boolean ca)

withRouter

public X509CertificateBuilderHelper withRouter(boolean router)

withAuthorityKeyIdentifier

public X509CertificateBuilderHelper withAuthorityKeyIdentifier(boolean add)

withCrlDistributionPoints

public X509CertificateBuilderHelper withCrlDistributionPoints(URI... uris)

withAuthorityInformationAccess

public X509CertificateBuilderHelper withAuthorityInformationAccess(X509CertificateInformationAccessDescriptor... descriptors)

withSubjectInformationAccess

public X509CertificateBuilderHelper withSubjectInformationAccess(X509CertificateInformationAccessDescriptor... descriptors)

withPolicies

public X509CertificateBuilderHelper withPolicies(org.bouncycastle.asn1.x509.PolicyInformation... policies)

Parameters:: policies - new certificate policies to apply.
Returns:: the builder

withInheritedResourceTypes

public X509CertificateBuilderHelper withInheritedResourceTypes(EnumSet<net.ripe.ipresource.IpResourceType> resourceTypes)

generateCertificate

public X509Certificate generateCertificate()

Build the X509 certificate.

createCertificateGenerator
```
protected org.bouncycastle.cert.X509v3CertificateBuilder createCertificateGenerator()
```
Override this to add your extensions to the certificate generator

validateResource
```
protected void validateResource(net.ripe.ipresource.IpResourceSet resources)
```
https://tools.ietf.org/html/rfc6487#section-7 Resource extension validation implies that at least IP or ASN extension must be present. This means at least one IPvX or ASN must be either set explicitly or inherited..

Modifier and Type	Field	Description
`static String`	`DEFAULT_SIGNATURE_ALGORITHM`
`static String`	`DEFAULT_SIGNATURE_PROVIDER`

Class X509CertificateBuilderHelper

Field Summary

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Field Detail

DEFAULT_SIGNATURE_ALGORITHM

DEFAULT_SIGNATURE_PROVIDER

Constructor Detail

X509CertificateBuilderHelper

Method Detail

withSignatureProvider

withSerial

withSubjectDN

withIssuerDN

withValidityPeriod

withResources

withPublicKey

withSigningKeyPair

withSignatureAlgorithm

withKeyUsage

withCa

withRouter

withAuthorityKeyIdentifier

withCrlDistributionPoints

withAuthorityInformationAccess

withSubjectInformationAccess

withPolicies

withInheritedResourceTypes

generateCertificate

createCertificateGenerator

validateResource