From: Justin W. <ju...@br...> - 2003-06-13 07:36:20
Hi all,
I see in the createP12 method of Keytools.java that there is a comment there
re the two-cert limit on CA chains. In this method, is the comment just a
reminder? Because it looks to me like this particular method could handle
any number of certs in the CA chain. Maybe I am missing something.
Is there a convention for the ordering of cert chains?
Like say
cert[0] certificate
cert[1] sub(n-2) CA certificate
...
cert[n-1] sub(0) CA certificate
cert[n] CA certificate
in other words certificate at array index 0 followed by the lowest level sub
CA cert up to the root CA cert at the last array index?
Regards,
Justin
snipped from Keytools.java...
static public KeyStore createP12(String alias, PrivateKey privKey,
        X509Certificate cert, Certificate[] cachain) throws Exception {
    // Check the argument before dereferencing it in the debug message.
    if (cert == null)
        throw new IllegalArgumentException("Parameter cert cannot be null.");
    cat.debug(">createP12: privKey, cert=" + cert.getSubjectDN() +
            ", cachain.length=" + (cachain == null ? 0 : cachain.length));
    // Certificate chain, only max two levels deep unfortunately, this is a TODO:
    int len = 1;
    if (cachain != null)
        len += cachain.length;
    Certificate[] chain = new Certificate[len];
    // To not get a ClassCastException we need to generate a real new certificate with BC
    CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
    chain[0] = (X509Certificate) cf.generateCertificate(
            new ByteArrayInputStream(cert.getEncoded()));
    if (cachain != null)
        for (int i = 0; i < cachain.length; i++) {
            X509Certificate tmpcert = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(cachain[i].getEncoded()));
            chain[i + 1] = tmpcert;
        }
    ... more
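As an added illustration of the leaf-first ordering asked about above (this is not code from the post or from Keytools.java), a small Java check that every chain[i] is issued and signed by chain[i + 1], wrapped in a hypothetical P12-building helper; the class name ChainOrderCheck and the method names are my own, and the main method reads a PEM chain file given on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;

public class ChainOrderCheck {

    // Checks that the array is in leaf-first order: chain[i] must be issued and
    // signed by chain[i + 1]. Works for any length; the last element is taken
    // as the trust anchor and is not checked further. This is only an ordering
    // check, not path validation (no validity dates, basicConstraints or
    // revocation); use CertPathValidator for that.
    static void checkLeafFirstOrder(X509Certificate[] chain) throws Exception {
        if (chain == null || chain.length == 0)
            throw new IllegalArgumentException("chain must hold at least the end-entity cert");
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate issuer = chain[i + 1];
            if (!chain[i].getIssuerX500Principal().equals(issuer.getSubjectX500Principal()))
                throw new SecurityException("chain[" + i + "] is not issued by chain[" + (i + 1)
                        + "]: " + chain[i].getIssuerX500Principal());
            // Name matching alone is spoofable: check the signature as well.
            chain[i].verify(issuer.getPublicKey());
        }
    }

    // Hypothetical counterpart of createP12 that refuses a misordered chain.
    static KeyStore buildP12(String alias, PrivateKey privKey, X509Certificate[] chain,
                             char[] password) throws Exception {
        checkLeafFirstOrder(chain);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);          // start with an empty store
        ks.setKeyEntry(alias, privKey, password, chain);
        return ks;
    }

    // Usage: java ChainOrderCheck chain.pem  (PEM file, certificates leaf first)
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            X509Certificate[] chain = certs.toArray(new X509Certificate[0]);
            checkLeafFirstOrder(chain);
            System.out.println(chain.length + " certificate(s), leaf-first order verified");
        }
    }
}
```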