authorSergio Giro <sgiro@google.com>2016-02-01 18:52:42 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>2016-02-01 18:52:42 +0000
commit9218edabd1ef9852bc2f13115dcadc81b442dd6c (patch)
tree8229ff72c8cbb06f49dce3a8382930919fa6fc2b /bcpkix/src/main/java/org/bouncycastle/cert/jcajce
parent9b30eb05e5be69d51881a0d1b31e503e97acd784 (diff)
parent397d32894b89b506dc318e0f83446187c9b76ebe (diff)
Merge "Merge remote-tracking branch 'aosp/upstream-master' into merge-152-from-upstream"
Diffstat (limited to 'bcpkix/src/main/java/org/bouncycastle/cert/jcajce')
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/CertHelper.java17
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/DefaultCertHelper.java14
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaAttrCertStore.java62
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaAttributeCertificateIssuer.java32
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaCRLStore.java63
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaCertStoreBuilder.java148
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX500NameUtil.java29
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509AttributeCertificateHolder.java26
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509CRLConverter.java103
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509CRLHolder.java26
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509CertificateConverter.java116
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509ContentVerifierProviderBuilder.java50
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509ExtensionUtils.java145
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509v1CertificateBuilder.java48
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509v2CRLBuilder.java23
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509v3CertificateBuilder.java119
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/NamedCertHelper.java22
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/ProviderCertHelper.java22
-rw-r--r--bcpkix/src/main/java/org/bouncycastle/cert/jcajce/package.html7
19 files changed, 1072 insertions, 0 deletions
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/CertHelper.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/CertHelper.java
new file mode 100644
index 0000000..dee6996
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/CertHelper.java
@@ -0,0 +1,17 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.security.NoSuchProviderException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+
+abstract class CertHelper
+{
+ public CertificateFactory getCertificateFactory(String type)
+ throws NoSuchProviderException, CertificateException
+ {
+ return createCertificateFactory(type);
+ }
+
+ protected abstract CertificateFactory createCertificateFactory(String type)
+ throws CertificateException, NoSuchProviderException;
+}
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/DefaultCertHelper.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/DefaultCertHelper.java
new file mode 100644
index 0000000..3966b49
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/DefaultCertHelper.java
@@ -0,0 +1,14 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+
+class DefaultCertHelper
+ extends CertHelper
+{
+ protected CertificateFactory createCertificateFactory(String type)
+ throws CertificateException
+ {
+ return CertificateFactory.getInstance(type);
+ }
+}
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaAttrCertStore.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaAttrCertStore.java
new file mode 100644
index 0000000..b857d96
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaAttrCertStore.java
@@ -0,0 +1,62 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
+
+import org.bouncycastle.util.CollectionStore;
+import org.bouncycastle.x509.X509AttributeCertificate;
+
+/**
+ * Class for storing Attribute Certificates for later lookup.
+ * <p>
+ * The class will convert X509AttributeCertificate objects into X509AttributeCertificateHolder objects.
+ * </p>
+ */
+public class JcaAttrCertStore
+ extends CollectionStore
+{
+ /**
+ * Basic constructor.
+ *
+ * @param collection - initial contents for the store, this is copied.
+ */
+ public JcaAttrCertStore(Collection collection)
+ throws IOException
+ {
+ super(convertCerts(collection));
+ }
+
+ public JcaAttrCertStore(X509AttributeCertificate attrCert)
+ throws IOException
+ {
+ this(Collections.singletonList(attrCert));
+ }
+
+ private static Collection convertCerts(Collection collection)
+ throws IOException
+ {
+ List list = new ArrayList(collection.size());
+
+ for (Iterator it = collection.iterator(); it.hasNext();)
+ {
+ Object o = it.next();
+
+ if (o instanceof X509AttributeCertificate)
+ {
+ X509AttributeCertificate cert = (X509AttributeCertificate)o;
+
+ list.add(new JcaX509AttributeCertificateHolder(cert));
+ }
+ else
+ {
+ list.add(o);
+ }
+ }
+
+ return list;
+ }
+}
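Review bot: The `else` branch of convertCerts adds any element that is not an X509AttributeCertificate to the store unchanged, so a JcaAttrCertStore can silently hold objects of arbitrary type and the mistake only surfaces later, at lookup time. JcaCRLStore in this same commit takes the opposite approach and casts the remaining elements to the holder type. I would make the accepted types explicit here: keep elements that are already X509AttributeCertificateHolder and throw an IllegalArgumentException naming the offending class for everything else. The single-certificate constructor also has no Javadoc; something like `/** Create a store holding just the passed in attribute certificate. */` would do.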
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaAttributeCertificateIssuer.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaAttributeCertificateIssuer.java
new file mode 100644
index 0000000..f5bfa68
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaAttributeCertificateIssuer.java
@@ -0,0 +1,32 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.security.cert.X509Certificate;
+
+import javax.security.auth.x500.X500Principal;
+
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.cert.AttributeCertificateIssuer;
+
+public class JcaAttributeCertificateIssuer
+ extends AttributeCertificateIssuer
+{
+ /**
+ * Base constructor.
+ *
+ * @param issuerCert certificate for the issuer of the attribute certificate.
+ */
+ public JcaAttributeCertificateIssuer(X509Certificate issuerCert)
+ {
+ this(issuerCert.getIssuerX500Principal());
+ }
+
+ /**
+ * Base constructor.
+ *
+ * @param issuerDN X.500 DN for the issuer of the attribute certificate.
+ */
+ public JcaAttributeCertificateIssuer(X500Principal issuerDN)
+ {
+ super(X500Name.getInstance(issuerDN.getEncoded()));
+ }
+}
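Review bot: The X509Certificate constructor passes `issuerCert.getIssuerX500Principal()`, which is the DN of whoever signed issuerCert, while the Javadoc describes issuerCert as the certificate of the attribute certificate's issuer, whose own name is its subject DN. JcaX509v2CRLBuilder in this same commit uses `getSubjectX500Principal()` for the equivalent issuer-certificate constructor. Unless the issuer DN is really intended, the call should read `this(issuerCert.getSubjectX500Principal());`. The two values agree only for self-issued certificates, so the difference would appear as an issuer mismatch when matching attribute certificates against a subordinate issuer. Both constructors are also documented as "Base constructor", which does not tell the reader how they differ.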
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaCRLStore.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaCRLStore.java
new file mode 100644
index 0000000..2e8209e
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaCRLStore.java
@@ -0,0 +1,63 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.io.IOException;
+import java.security.cert.CRLException;
+import java.security.cert.X509CRL;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.List;
+
+import org.bouncycastle.cert.X509CRLHolder;
+import org.bouncycastle.util.CollectionStore;
+
+/**
+ * Class for storing CRLs for later lookup.
+ * <p>
+ * The class will convert X509CRL objects into X509CRLHolder objects.
+ * </p>
+ */
+public class JcaCRLStore
+ extends CollectionStore
+{
+ /**
+ * Basic constructor.
+ *
+ * @param collection - initial contents for the store, this is copied.
+ */
+ public JcaCRLStore(Collection collection)
+ throws CRLException
+ {
+ super(convertCRLs(collection));
+ }
+
+ private static Collection convertCRLs(Collection collection)
+ throws CRLException
+ {
+ List list = new ArrayList(collection.size());
+
+ for (Iterator it = collection.iterator(); it.hasNext();)
+ {
+ Object crl = it.next();
+
+ if (crl instanceof X509CRL)
+ {
+ try
+ {
+ list.add(new X509CRLHolder(((X509CRL)crl).getEncoded()));
+ }
+ catch (IOException e)
+ {
+ throw new CRLException("cannot read encoding: " + e.getMessage());
+
+ }
+ }
+ else
+ {
+ list.add((X509CRLHolder)crl);
+ }
+ }
+
+ return list;
+ }
+}
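Review bot: The catch block in convertCRLs keeps only `e.getMessage()` and drops the IOException itself, so the original stack trace of a CRL decoding failure is lost to whoever handles the CRLException. JcaX509CRLConverter in this commit keeps the cause through its ExCRLException subclass; the same approach fits here, or `throw new CRLException("cannot read encoding: " + e.getMessage(), e);` if the target JDK has that constructor. Separately, the `else` branch casts unconditionally with `(X509CRLHolder)crl`, so any other element type escapes the constructor as a ClassCastException rather than the declared CRLException. An `instanceof` check with an explicit message would make bad input easier to diagnose.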
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaCertStoreBuilder.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaCertStoreBuilder.java
new file mode 100644
index 0000000..3051a45
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaCertStoreBuilder.java
@@ -0,0 +1,148 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.security.GeneralSecurityException;
+import java.security.Provider;
+import java.security.cert.CRLException;
+import java.security.cert.CertStore;
+import java.security.cert.CertificateException;
+import java.security.cert.CollectionCertStoreParameters;
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+
+import org.bouncycastle.cert.X509CRLHolder;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.util.Store;
+
+/**
+ * Builder to create a CertStore from certificate and CRL stores.
+ */
+public class JcaCertStoreBuilder
+{
+ private List certs = new ArrayList();
+ private List crls = new ArrayList();
+ private Object provider;
+ private JcaX509CertificateConverter certificateConverter = new JcaX509CertificateConverter();
+ private JcaX509CRLConverter crlConverter = new JcaX509CRLConverter();
+ private String type = "Collection";
+
+ /**
+ * Add a store full of X509CertificateHolder objects.
+ *
+ * @param certStore a store of X509CertificateHolder objects.
+ */
+ public JcaCertStoreBuilder addCertificates(Store certStore)
+ {
+ certs.addAll(certStore.getMatches(null));
+
+ return this;
+ }
+
+ /**
+ * Add a single certificate.
+ *
+ * @param cert the X509 certificate holder containing the certificate.
+ */
+ public JcaCertStoreBuilder addCertificate(X509CertificateHolder cert)
+ {
+ certs.add(cert);
+
+ return this;
+ }
+
+ /**
+ * Add a store full of X509CRLHolder objects.
+ * @param crlStore a store of X509CRLHolder objects.
+ */
+ public JcaCertStoreBuilder addCRLs(Store crlStore)
+ {
+ crls.addAll(crlStore.getMatches(null));
+
+ return this;
+ }
+
+ /**
+ * Add a single CRL.
+ *
+ * @param crl the X509 CRL holder containing the CRL.
+ */
+ public JcaCertStoreBuilder addCRL(X509CRLHolder crl)
+ {
+ crls.add(crl);
+
+ return this;
+ }
+
+ public JcaCertStoreBuilder setProvider(String providerName)
+ {
+ certificateConverter.setProvider(providerName);
+ crlConverter.setProvider(providerName);
+ this.provider = providerName;
+
+ return this;
+ }
+
+ public JcaCertStoreBuilder setProvider(Provider provider)
+ {
+ certificateConverter.setProvider(provider);
+ crlConverter.setProvider(provider);
+ this.provider = provider;
+
+ return this;
+ }
+
+ /**
+ * Set the type of the CertStore generated. By default it is "Collection".
+ *
+ * @param type type of CertStore passed to CertStore.getInstance().
+ * @return the current builder.
+ */
+ public JcaCertStoreBuilder setType(String type)
+ {
+ this.type = type;
+
+ return this;
+ }
+
+ /**
+ * Build the CertStore from the current inputs.
+ *
+ * @return a CertStore.
+ * @throws GeneralSecurityException
+ */
+ public CertStore build()
+ throws GeneralSecurityException
+ {
+ CollectionCertStoreParameters params = convertHolders(certificateConverter, crlConverter);
+
+ if (provider instanceof String)
+ {
+ return CertStore.getInstance(type, params, (String)provider);
+ }
+
+ if (provider instanceof Provider)
+ {
+ return CertStore.getInstance(type, params, (Provider)provider);
+ }
+
+ return CertStore.getInstance(type, params);
+ }
+
+ private CollectionCertStoreParameters convertHolders(JcaX509CertificateConverter certificateConverter, JcaX509CRLConverter crlConverter)
+ throws CertificateException, CRLException
+ {
+ List jcaObjs = new ArrayList(certs.size() + crls.size());
+
+ for (Iterator it = certs.iterator(); it.hasNext();)
+ {
+ jcaObjs.add(certificateConverter.getCertificate((X509CertificateHolder)it.next()));
+ }
+
+ for (Iterator it = crls.iterator(); it.hasNext();)
+ {
+ jcaObjs.add(crlConverter.getCRL((X509CRLHolder)it.next()));
+ }
+
+ return new CollectionCertStoreParameters(jcaObjs);
+ }
+}
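Review bot: build() always hands a CollectionCertStoreParameters to `CertStore.getInstance`, whatever value setType was given, so a store type whose implementation expects a different parameter class will presumably fail only at build time. The setType Javadoc should state that constraint, e.g. `@param type type of CertStore passed to CertStore.getInstance(); the implementation must accept CollectionCertStoreParameters.` In the same vein, addCertificates and addCRLs copy whatever `getMatches(null)` returns without checking element types, and convertHolders later casts each entry, so a store of the wrong kind shows up as a ClassCastException in build() rather than at the add call. The two setProvider overloads have no Javadoc; a line each saying that the provider is applied to both converters and to the CertStore lookup would help.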
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX500NameUtil.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX500NameUtil.java
new file mode 100644
index 0000000..2b64340
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX500NameUtil.java
@@ -0,0 +1,29 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.security.cert.X509Certificate;
+
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x500.X500NameStyle;
+
+public class JcaX500NameUtil
+{
+ public static X500Name getIssuer(X509Certificate certificate)
+ {
+ return X500Name.getInstance(certificate.getIssuerX500Principal().getEncoded());
+ }
+
+ public static X500Name getSubject(X509Certificate certificate)
+ {
+ return X500Name.getInstance(certificate.getSubjectX500Principal().getEncoded());
+ }
+
+ public static X500Name getIssuer(X500NameStyle style, X509Certificate certificate)
+ {
+ return X500Name.getInstance(style, certificate.getIssuerX500Principal().getEncoded());
+ }
+
+ public static X500Name getSubject(X500NameStyle style, X509Certificate certificate)
+ {
+ return X500Name.getInstance(style, certificate.getSubjectX500Principal().getEncoded());
+ }
+}
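Review bot: JcaX500NameUtil has only static methods but no private constructor, and none of its four public methods has Javadoc. I would add `private JcaX500NameUtil() {}` and a one-line comment per method, for example `/** Return the issuer of the certificate as an X500Name, decoded from the encoded issuer X500Principal. */`. For the two overloads that take an X500NameStyle, the comment should say that the style controls how the resulting name is interpreted; the parameter's purpose is not otherwise visible from this file.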
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509AttributeCertificateHolder.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509AttributeCertificateHolder.java
new file mode 100644
index 0000000..1ceafce
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509AttributeCertificateHolder.java
@@ -0,0 +1,26 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.io.IOException;
+
+import org.bouncycastle.asn1.x509.AttributeCertificate;
+import org.bouncycastle.cert.X509AttributeCertificateHolder;
+import org.bouncycastle.x509.X509AttributeCertificate;
+
+/**
+ * JCA helper class for converting an old style X509AttributeCertificate into a X509AttributeCertificateHolder object.
+ */
+public class JcaX509AttributeCertificateHolder
+ extends X509AttributeCertificateHolder
+{
+ /**
+ * Base constructor.
+ *
+ * @param cert AttributeCertificate to be used a the source for the holder creation.
+ * @throws IOException if there is a problem extracting the attribute certificate information.
+ */
+ public JcaX509AttributeCertificateHolder(X509AttributeCertificate cert)
+ throws IOException
+ {
+ super(AttributeCertificate.getInstance(cert.getEncoded()));
+ }
+}
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509CRLConverter.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509CRLConverter.java
new file mode 100644
index 0000000..ae06334
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509CRLConverter.java
@@ -0,0 +1,103 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.cert.CRLException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509CRL;
+
+import org.bouncycastle.cert.X509CRLHolder;
+
+/**
+ * Class for converting an X509CRLHolder into a corresponding X509CRL object tied to a
+ * particular JCA provider.
+ */
+public class JcaX509CRLConverter
+{
+ private CertHelper helper = new DefaultCertHelper();
+
+ /**
+ * Base constructor, configure with the default provider.
+ */
+ public JcaX509CRLConverter()
+ {
+ this.helper = new DefaultCertHelper();
+ }
+
+ /**
+ * Set the provider to use from a Provider object.
+ *
+ * @param provider the provider to use.
+ * @return the converter instance.
+ */
+ public JcaX509CRLConverter setProvider(Provider provider)
+ {
+ this.helper = new ProviderCertHelper(provider);
+
+ return this;
+ }
+
+ /**
+ * Set the provider to use by name.
+ *
+ * @param providerName name of the provider to use.
+ * @return the converter instance.
+ */
+ public JcaX509CRLConverter setProvider(String providerName)
+ {
+ this.helper = new NamedCertHelper(providerName);
+
+ return this;
+ }
+
+ /**
+ * Use the configured converter to produce a X509CRL object from a X509CRLHolder object.
+ *
+ * @param crlHolder the holder to be converted
+ * @return a X509CRL object
+ * @throws CRLException if the conversion is unable to be made.
+ */
+ public X509CRL getCRL(X509CRLHolder crlHolder)
+ throws CRLException
+ {
+ try
+ {
+ CertificateFactory cFact = helper.getCertificateFactory("X.509");
+
+ return (X509CRL)cFact.generateCRL(new ByteArrayInputStream(crlHolder.getEncoded()));
+ }
+ catch (IOException e)
+ {
+ throw new ExCRLException("exception parsing certificate: " + e.getMessage(), e);
+ }
+ catch (NoSuchProviderException e)
+ {
+ throw new ExCRLException("cannot find required provider:" + e.getMessage(), e);
+ }
+ catch (CertificateException e)
+ {
+ throw new ExCRLException("cannot create factory: " + e.getMessage(), e);
+ }
+ }
+
+ private class ExCRLException
+ extends CRLException
+ {
+ private Throwable cause;
+
+ public ExCRLException(String msg, Throwable cause)
+ {
+ super(msg);
+
+ this.cause = cause;
+ }
+
+ public Throwable getCause()
+ {
+ return cause;
+ }
+ }
+}
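Review bot: ExCRLException is declared as a non-static inner class, so every exception instance carries a hidden reference to the converter that threw it, which is unnecessary and awkward if the exception is ever serialized or retained. `private static class ExCRLException` avoids this, and the same applies to ExCertificateParsingException and ExCertificateException in JcaX509CertificateConverter.java later in this commit. The IOException branch of getCRL also reports "exception parsing certificate" although a CRL is being parsed; `"exception parsing CRL: "` would be less misleading in logs. Finally, the `helper` field initialiser duplicates the assignment in the constructor, so one of the two can go.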
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509CRLHolder.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509CRLHolder.java
new file mode 100644
index 0000000..43665c0
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509CRLHolder.java
@@ -0,0 +1,26 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.security.cert.CRLException;
+import java.security.cert.X509CRL;
+
+import org.bouncycastle.asn1.x509.CertificateList;
+import org.bouncycastle.cert.X509CRLHolder;
+
+/**
+ * JCA helper class for converting an X509CRL into a X509CRLHolder object.
+ */
+public class JcaX509CRLHolder
+ extends X509CRLHolder
+{
+ /**
+ * Base constructor.
+ *
+ * @param crl CRL to be used a the source for the holder creation.
+ * @throws CRLException if there is a problem extracting the CRL information.
+ */
+ public JcaX509CRLHolder(X509CRL crl)
+ throws CRLException
+ {
+ super(CertificateList.getInstance(crl.getEncoded()));
+ }
+}
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509CertificateConverter.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509CertificateConverter.java
new file mode 100644
index 0000000..39e63aa
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509CertificateConverter.java
@@ -0,0 +1,116 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509Certificate;
+
+import org.bouncycastle.cert.X509CertificateHolder;
+
+/**
+ * Converter for producing X509Certificate objects tied to a specific provider from X509CertificateHolder objects.
+ */
+public class JcaX509CertificateConverter
+{
+ private CertHelper helper = new DefaultCertHelper();
+
+ /**
+ * Base constructor, configure with the default provider.
+ */
+ public JcaX509CertificateConverter()
+ {
+ this.helper = new DefaultCertHelper();
+ }
+
+ /**
+ * Set the provider to use from a Provider object.
+ *
+ * @param provider the provider to use.
+ * @return the converter instance.
+ */
+ public JcaX509CertificateConverter setProvider(Provider provider)
+ {
+ this.helper = new ProviderCertHelper(provider);
+
+ return this;
+ }
+
+ /**
+ * Set the provider to use by name.
+ *
+ * @param providerName name of the provider to use.
+ * @return the converter instance.
+ */
+ public JcaX509CertificateConverter setProvider(String providerName)
+ {
+ this.helper = new NamedCertHelper(providerName);
+
+ return this;
+ }
+
+ /**
+ * Use the configured converter to produce a X509Certificate object from a X509CertificateHolder object.
+ *
+ * @param certHolder the holder to be converted
+ * @return a X509Certificate object
+ * @throws CertificateException if the conversion is unable to be made.
+ */
+ public X509Certificate getCertificate(X509CertificateHolder certHolder)
+ throws CertificateException
+ {
+ try
+ {
+ CertificateFactory cFact = helper.getCertificateFactory("X.509");
+
+ return (X509Certificate)cFact.generateCertificate(new ByteArrayInputStream(certHolder.getEncoded()));
+ }
+ catch (IOException e)
+ {
+ throw new ExCertificateParsingException("exception parsing certificate: " + e.getMessage(), e);
+ }
+ catch (NoSuchProviderException e)
+ {
+ throw new ExCertificateException("cannot find required provider:" + e.getMessage(), e);
+ }
+ }
+
+ private class ExCertificateParsingException
+ extends CertificateParsingException
+ {
+ private Throwable cause;
+
+ public ExCertificateParsingException(String msg, Throwable cause)
+ {
+ super(msg);
+
+ this.cause = cause;
+ }
+
+ public Throwable getCause()
+ {
+ return cause;
+ }
+ }
+
+ private class ExCertificateException
+ extends CertificateException
+ {
+ private Throwable cause;
+
+ public ExCertificateException(String msg, Throwable cause)
+ {
+ super(msg);
+
+ this.cause = cause;
+ }
+
+ public Throwable getCause()
+ {
+ return cause;
+ }
+ }
+} \ No newline at end of file
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509ContentVerifierProviderBuilder.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509ContentVerifierProviderBuilder.java
new file mode 100644
index 0000000..5f4c530
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509ContentVerifierProviderBuilder.java
@@ -0,0 +1,50 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.security.Provider;
+import java.security.cert.CertificateException;
+
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.X509ContentVerifierProviderBuilder;
+import org.bouncycastle.operator.ContentVerifierProvider;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
+
+public class JcaX509ContentVerifierProviderBuilder
+ implements X509ContentVerifierProviderBuilder
+{
+ private JcaContentVerifierProviderBuilder builder = new JcaContentVerifierProviderBuilder();
+
+ public JcaX509ContentVerifierProviderBuilder setProvider(Provider provider)
+ {
+ this.builder.setProvider(provider);
+
+ return this;
+ }
+
+ public JcaX509ContentVerifierProviderBuilder setProvider(String providerName)
+ {
+ this.builder.setProvider(providerName);
+
+ return this;
+ }
+
+ public ContentVerifierProvider build(SubjectPublicKeyInfo validatingKeyInfo)
+ throws OperatorCreationException
+ {
+ return builder.build(validatingKeyInfo);
+ }
+
+ public ContentVerifierProvider build(X509CertificateHolder validatingKeyInfo)
+ throws OperatorCreationException
+ {
+ try
+ {
+ return builder.build(validatingKeyInfo);
+ }
+ catch (CertificateException e)
+ {
+ throw new OperatorCreationException("Unable to process certificate: " + e.getMessage(), e);
+ }
+ }
+}
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509ExtensionUtils.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509ExtensionUtils.java
new file mode 100644
index 0000000..162c94f
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509ExtensionUtils.java
@@ -0,0 +1,145 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.math.BigInteger;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.PublicKey;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+
+import javax.security.auth.x500.X500Principal;
+
+import org.bouncycastle.asn1.ASN1OctetString;
+import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.oiw.OIWObjectIdentifiers;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
+import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.cert.X509ExtensionUtils;
+import org.bouncycastle.operator.DigestCalculator;
+
+public class JcaX509ExtensionUtils
+ extends X509ExtensionUtils
+{
+ /**
+ * Create a utility class pre-configured with a SHA-1 digest calculator based on the
+ * default implementation.
+ *
+ * @throws NoSuchAlgorithmException
+ */
+ public JcaX509ExtensionUtils()
+ throws NoSuchAlgorithmException
+ {
+ super(new SHA1DigestCalculator(MessageDigest.getInstance("SHA1")));
+ }
+
+ public JcaX509ExtensionUtils(DigestCalculator calculator)
+ {
+ super(calculator);
+ }
+
+ public AuthorityKeyIdentifier createAuthorityKeyIdentifier(
+ X509Certificate cert)
+ throws CertificateEncodingException
+ {
+ return super.createAuthorityKeyIdentifier(new JcaX509CertificateHolder(cert));
+ }
+
+ public AuthorityKeyIdentifier createAuthorityKeyIdentifier(
+ PublicKey pubKey)
+ {
+ return super.createAuthorityKeyIdentifier(SubjectPublicKeyInfo.getInstance(pubKey.getEncoded()));
+ }
+
+ public AuthorityKeyIdentifier createAuthorityKeyIdentifier(PublicKey pubKey, X500Principal name, BigInteger serial)
+ {
+ return super.createAuthorityKeyIdentifier(SubjectPublicKeyInfo.getInstance(pubKey.getEncoded()), new GeneralNames(new GeneralName(X500Name.getInstance(name.getEncoded()))), serial);
+ }
+
+ public AuthorityKeyIdentifier createAuthorityKeyIdentifier(PublicKey pubKey, GeneralNames generalNames, BigInteger serial)
+ {
+ return super.createAuthorityKeyIdentifier(SubjectPublicKeyInfo.getInstance(pubKey.getEncoded()), generalNames, serial);
+ }
+
+ /**
+ * Return a RFC 3280 type 1 key identifier. As in:
+ * <pre>
+ * (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
+ * value of the BIT STRING subjectPublicKey (excluding the tag,
+ * length, and number of unused bits).
+ * </pre>
+ * @param publicKey the key object containing the key identifier is to be based on.
+ * @return the key identifier.
+ */
+ public SubjectKeyIdentifier createSubjectKeyIdentifier(
+ PublicKey publicKey)
+ {
+ return super.createSubjectKeyIdentifier(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
+ }
+
+ /**
+ * Return a RFC 3280 type 2 key identifier. As in:
+ * <pre>
+ * (2) The keyIdentifier is composed of a four bit type field with
+ * the value 0100 followed by the least significant 60 bits of the
+ * SHA-1 hash of the value of the BIT STRING subjectPublicKey.
+ * </pre>
+ * @param publicKey the key object of interest.
+ * @return the key identifier.
+ */
+ public SubjectKeyIdentifier createTruncatedSubjectKeyIdentifier(PublicKey publicKey)
+ {
+ return super.createSubjectKeyIdentifier(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
+ }
+
+ /**
+ * Return the ASN.1 object contained in a byte[] returned by a getExtensionValue() call.
+ *
+ * @param encExtValue DER encoded OCTET STRING containing the DER encoded extension object.
+ * @return an ASN.1 object
+ * @throws java.io.IOException on a parsing error.
+ */
+ public static ASN1Primitive parseExtensionValue(byte[] encExtValue)
+ throws IOException
+ {
+ return ASN1Primitive.fromByteArray(ASN1OctetString.getInstance(encExtValue).getOctets());
+ }
+
+ private static class SHA1DigestCalculator
+ implements DigestCalculator
+ {
+ private ByteArrayOutputStream bOut = new ByteArrayOutputStream();
+ private MessageDigest digest;
+
+ public SHA1DigestCalculator(MessageDigest digest)
+ {
+ this.digest = digest;
+ }
+
+ public AlgorithmIdentifier getAlgorithmIdentifier()
+ {
+ return new AlgorithmIdentifier(OIWObjectIdentifiers.idSHA1);
+ }
+
+ public OutputStream getOutputStream()
+ {
+ return bOut;
+ }
+
+ public byte[] getDigest()
+ {
+ byte[] bytes = digest.digest(bOut.toByteArray());
+
+ bOut.reset();
+
+ return bytes;
+ }
+ }
+}
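Review bot: createTruncatedSubjectKeyIdentifier delegates to `super.createSubjectKeyIdentifier`, the same call that createSubjectKeyIdentifier makes just above it, so it returns the full SHA-1 (type 1) identifier rather than the type 2 form its Javadoc describes. It presumably should call the truncated variant on the parent: `return super.createTruncatedSubjectKeyIdentifier(SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));`. The parent class is not part of this diff, so that method name needs confirming against X509ExtensionUtils. A test asserting that the two methods return identifiers of different length for the same key would catch a regression. Callers that rely on the truncated form to match key identifiers produced elsewhere would otherwise get a value that never matches.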
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509v1CertificateBuilder.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509v1CertificateBuilder.java
new file mode 100644
index 0000000..e453fc7
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509v1CertificateBuilder.java
@@ -0,0 +1,48 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.math.BigInteger;
+import java.security.PublicKey;
+import java.util.Date;
+
+import javax.security.auth.x500.X500Principal;
+
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.cert.X509v1CertificateBuilder;
+
+/**
+ * JCA helper class to allow JCA objects to be used in the construction of a Version 1 certificate.
+ */
+public class JcaX509v1CertificateBuilder
+ extends X509v1CertificateBuilder
+{
+ /**
+ * Initialise the builder using a PublicKey.
+ *
+ * @param issuer X500Name representing the issuer of this certificate.
+ * @param serial the serial number for the certificate.
+ * @param notBefore date before which the certificate is not valid.
+ * @param notAfter date after which the certificate is not valid.
+ * @param subject X500Name representing the subject of this certificate.
+ * @param publicKey the public key to be associated with the certificate.
+ */
+ public JcaX509v1CertificateBuilder(X500Name issuer, BigInteger serial, Date notBefore, Date notAfter, X500Name subject, PublicKey publicKey)
+ {
+ super(issuer, serial, notBefore, notAfter, subject, SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
+ }
+
+ /**
+ * Initialise the builder using X500Principal objects and a PublicKey.
+ *
+ * @param issuer principal representing the issuer of this certificate.
+ * @param serial the serial number for the certificate.
+ * @param notBefore date before which the certificate is not valid.
+ * @param notAfter date after which the certificate is not valid.
+ * @param subject principal representing the subject of this certificate.
+ * @param publicKey the public key to be associated with the certificate.
+ */
+ public JcaX509v1CertificateBuilder(X500Principal issuer, BigInteger serial, Date notBefore, Date notAfter, X500Principal subject, PublicKey publicKey)
+ {
+ super(X500Name.getInstance(issuer.getEncoded()), serial, notBefore, notAfter, X500Name.getInstance(subject.getEncoded()), SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
+ }
+}
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509v2CRLBuilder.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509v2CRLBuilder.java
new file mode 100644
index 0000000..43c3918
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509v2CRLBuilder.java
@@ -0,0 +1,23 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.security.cert.X509Certificate;
+import java.util.Date;
+
+import javax.security.auth.x500.X500Principal;
+
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.cert.X509v2CRLBuilder;
+
+public class JcaX509v2CRLBuilder
+ extends X509v2CRLBuilder
+{
+ public JcaX509v2CRLBuilder(X500Principal issuer, Date now)
+ {
+ super(X500Name.getInstance(issuer.getEncoded()), now);
+ }
+
+ public JcaX509v2CRLBuilder(X509Certificate issuerCert, Date now)
+ {
+ this(issuerCert.getSubjectX500Principal(), now);
+ }
+}
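Review bot: JcaX509v2CRLBuilder and both of its constructors have no Javadoc, unlike the v1 and v3 certificate builders added in the same commit, so the meaning of `now` and the handling of `issuerCert` are left to the reader. I'd add a class comment such as `/** JCA helper class to allow JCA objects to be used in the construction of a Version 2 CRL. */` and document `now` as the date passed through to the superclass (presumably the CRL's thisUpdate; X509v2CRLBuilder is not visible here). For the X509Certificate constructor, something like `@param issuerCert certificate whose subject is used as the CRL issuer; no check is made here that it is a CA certificate or is permitted to sign CRLs` makes it clear that this validation stays with the caller, since the constructor only calls `getSubjectX500Principal()`.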
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509v3CertificateBuilder.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509v3CertificateBuilder.java
new file mode 100644
index 0000000..ae33009
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/JcaX509v3CertificateBuilder.java
@@ -0,0 +1,119 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.math.BigInteger;
+import java.security.PublicKey;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+
+import javax.security.auth.x500.X500Principal;
+
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.asn1.x509.Time;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+
+/**
+ * JCA helper class to allow JCA objects to be used in the construction of a Version 3 certificate.
+ */
+public class JcaX509v3CertificateBuilder
+ extends X509v3CertificateBuilder
+{
+ /**
+ * Initialise the builder using a PublicKey.
+ *
+ * @param issuer X500Name representing the issuer of this certificate.
+ * @param serial the serial number for the certificate.
+ * @param notBefore date before which the certificate is not valid.
+ * @param notAfter date after which the certificate is not valid.
+ * @param subject X500Name representing the subject of this certificate.
+ * @param publicKey the public key to be associated with the certificate.
+ */
+ public JcaX509v3CertificateBuilder(X500Name issuer, BigInteger serial, Date notBefore, Date notAfter, X500Name subject, PublicKey publicKey)
+ {
+ super(issuer, serial, notBefore, notAfter, subject, SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
+ }
+
+ /**
+ * Initialise the builder using a PublicKey.
+ *
+ * @param issuer X500Name representing the issuer of this certificate.
+ * @param serial the serial number for the certificate.
+ * @param notBefore Time before which the certificate is not valid.
+ * @param notAfter Time after which the certificate is not valid.
+ * @param subject X500Name representing the subject of this certificate.
+ * @param publicKey the public key to be associated with the certificate.
+ */
+ public JcaX509v3CertificateBuilder(X500Name issuer, BigInteger serial, Time notBefore, Time notAfter, X500Name subject, PublicKey publicKey)
+ {
+ super(issuer, serial, notBefore, notAfter, subject, SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
+ }
+
+ /**
+ * Initialise the builder using X500Principal objects and a PublicKey.
+ *
+ * @param issuer principal representing the issuer of this certificate.
+ * @param serial the serial number for the certificate.
+ * @param notBefore date before which the certificate is not valid.
+ * @param notAfter date after which the certificate is not valid.
+ * @param subject principal representing the subject of this certificate.
+ * @param publicKey the public key to be associated with the certificate.
+ */
+ public JcaX509v3CertificateBuilder(X500Principal issuer, BigInteger serial, Date notBefore, Date notAfter, X500Principal subject, PublicKey publicKey)
+ {
+ super(X500Name.getInstance(issuer.getEncoded()), serial, notBefore, notAfter, X500Name.getInstance(subject.getEncoded()), SubjectPublicKeyInfo.getInstance(publicKey.getEncoded()));
+ }
+
+ /**
+ * Initialise the builder using the subject from the passed in issuerCert as the issuer, as well as
+ * passing through and converting the other objects provided.
+ *
+ * @param issuerCert certificate who's subject is the issuer of the certificate we are building.
+ * @param serial the serial number for the certificate.
+ * @param notBefore date before which the certificate is not valid.
+ * @param notAfter date after which the certificate is not valid.
+ * @param subject principal representing the subject of this certificate.
+ * @param publicKey the public key to be associated with the certificate.
+ */
+ public JcaX509v3CertificateBuilder(X509Certificate issuerCert, BigInteger serial, Date notBefore, Date notAfter, X500Principal subject, PublicKey publicKey)
+ {
+ this(issuerCert.getSubjectX500Principal(), serial, notBefore, notAfter, subject, publicKey);
+ }
+
+ /**
+ * Initialise the builder using the subject from the passed in issuerCert as the issuer, as well as
+ * passing through and converting the other objects provided.
+ *
+ * @param issuerCert certificate who's subject is the issuer of the certificate we are building.
+ * @param serial the serial number for the certificate.
+ * @param notBefore date before which the certificate is not valid.
+ * @param notAfter date after which the certificate is not valid.
+ * @param subject principal representing the subject of this certificate.
+ * @param publicKey the public key to be associated with the certificate.
+ */
+ public JcaX509v3CertificateBuilder(X509Certificate issuerCert, BigInteger serial, Date notBefore, Date notAfter, X500Name subject, PublicKey publicKey)
+ {
+ this(X500Name.getInstance(issuerCert.getSubjectX500Principal().getEncoded()), serial, notBefore, notAfter, subject, publicKey);
+ }
+
+ /**
+ * Add a given extension field for the standard extensions tag (tag 3)
+ * copying the extension value from another certificate.
+ *
+ * @param oid the type of the extension to be copied.
+ * @param critical true if the extension is to be marked critical, false otherwise.
+ * @param certificate the source of the extension to be copied.
+ * @return the builder instance.
+ */
+ public JcaX509v3CertificateBuilder copyAndAddExtension(
+ ASN1ObjectIdentifier oid,
+ boolean critical,
+ X509Certificate certificate)
+ throws CertificateEncodingException
+ {
+ this.copyAndAddExtension(oid, critical, new JcaX509CertificateHolder(certificate));
+
+ return this;
+ }
+}
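Review bot: `publicKey.getEncoded()` is fed straight into `SubjectPublicKeyInfo.getInstance(...)` in the three constructors that call `super(...)`, but `Key.getEncoded()` is documented to return null for keys that do not support encoding, which can be the case for some hardware-backed keys. How getInstance and the superclass treat a null is not visible in this hunk, but at best the failure would surface later and away from its cause, so I'd do the conversion in a small static helper that rejects a null encoding up front. It has to be a static helper because the conversion happens inside the `super(...)` call. The same pattern appears in the two JcaX509v1CertificateBuilder constructors earlier in this diff.

```java
    public JcaX509v3CertificateBuilder(X500Name issuer, BigInteger serial, Date notBefore, Date notAfter, X500Name subject, PublicKey publicKey)
    {
        super(issuer, serial, notBefore, notAfter, subject, toSubjectPublicKeyInfo(publicKey));
    }

    // … unchanged: remaining constructors, with the same substitution in the Time and X500Principal variants …

    private static SubjectPublicKeyInfo toSubjectPublicKeyInfo(PublicKey publicKey)
    {
        byte[] encoded = publicKey.getEncoded();
        if (encoded == null)
        {
            throw new IllegalArgumentException("public key does not support encoding");
        }
        return SubjectPublicKeyInfo.getInstance(encoded);
    }
```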
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/NamedCertHelper.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/NamedCertHelper.java
new file mode 100644
index 0000000..5cd2feb
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/NamedCertHelper.java
@@ -0,0 +1,22 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.security.NoSuchProviderException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+
+class NamedCertHelper
+ extends CertHelper
+{
+ private final String providerName;
+
+ NamedCertHelper(String providerName)
+ {
+ this.providerName = providerName;
+ }
+
+ protected CertificateFactory createCertificateFactory(String type)
+ throws CertificateException, NoSuchProviderException
+ {
+ return CertificateFactory.getInstance(type, providerName);
+ }
+} \ No newline at end of file
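Review bot: NamedCertHelper stores `providerName` without checking it, so a null or empty name only fails later, when `CertificateFactory.getInstance(type, providerName)` throws IllegalArgumentException inside `createCertificateFactory`. ProviderCertHelper in the next hunk does the same with `provider`. A guard in each constructor would move the failure to where the mistake was made, for example `if (providerName == null) throw new IllegalArgumentException("providerName cannot be null");`. I'd also add a short class comment noting that the name is resolved against the registered providers on each call, whereas ProviderCertHelper is bound to the specific Provider instance it was given.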
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/ProviderCertHelper.java b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/ProviderCertHelper.java
new file mode 100644
index 0000000..15c9e72
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/ProviderCertHelper.java
@@ -0,0 +1,22 @@
+package org.bouncycastle.cert.jcajce;
+
+import java.security.Provider;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+
+class ProviderCertHelper
+ extends CertHelper
+{
+ private final Provider provider;
+
+ ProviderCertHelper(Provider provider)
+ {
+ this.provider = provider;
+ }
+
+ protected CertificateFactory createCertificateFactory(String type)
+ throws CertificateException
+ {
+ return CertificateFactory.getInstance(type, provider);
+ }
+} \ No newline at end of file
diff --git a/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/package.html b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/package.html
new file mode 100644
index 0000000..cc15e01
--- /dev/null
+++ b/bcpkix/src/main/java/org/bouncycastle/cert/jcajce/package.html
@@ -0,0 +1,7 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<body bgcolor="#ffffff">
+JCA extensions to the certificate building and processing package.
+</body>
+</html> \ No newline at end of file