I'm currently writing a small helper to manage certificates. It also
contains a wrapper for building root/CA certificates. As per RFC 5280, a CA
certificate also has to have the KeyUsage bit keyCertSign set. As my wrapper
accepts a Collection<Extension> and uses a for loop to add the given
Extensions to the X509v3CertificateBuilder it's up to the caller to
maybe provide a KeyUsage Extension. If no KeyUsage Extension is already
provided by the caller I just add one with at least the keyCertSign bit
set. Otherwise, if a KeyUsage Extension is provided in a root/CA
certificate I have to check if it contains the keyCertSign bit. If it
doesn't I either can set it myself or throw an Exception that the given
parameters are invalid. As I want to keep it simple and convenient I'd
prefer to just modify the KeyUsage Extension and add the missing
keyCertSign bit. The issue: I can't see an easy way to do it as the
KeyUsage class doesn't provide an easy way to modify bits of a given
By looking at the source I came up with these two ideas:
1) Calling KeyUsage.toASN1Primitive(), cast it to at least ASN1BitString
and call ASN1BitString.intValue() on it. This is a basic copy of how
KeyUsage.hasUsages(int) checks if a given bitmask is set.
2) Calling KeyUsage.getBytes(), do the check for its length as in
KeyUsage.toString() and create an int this way.
Either way I have to get the int containing the usages, modify it, create a
new KeyUsage Extension and call
X509v3CertificateBuilder.replaceExtension(Extension). Although the last
step can't be avoided adding a way to easily modify the bits of a
KeyUsage rather than extracting them and creating a new Extension with a
modified version would make this a bit easier.
As the Extension class got the convenient helper Extension.create() by
a request I made earlier (can't remember anymore and don't have the
topic saved) I hope to see some similar response.
Thanks in advance and sorry if this topic has come up before.
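
The first idea from the message above, written out as an added example (not part of the original post and not Bouncy Castle's own code). The class name `CaKeyUsage` and the method `ensureKeyCertSign` are hypothetical; the sample input in `main` is constructed.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.bouncycastle.asn1.ASN1BitString;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;

// Hypothetical helper class; the names are illustrative only.
public final class CaKeyUsage {
    /** Returns a copy of exts in which the KeyUsage extension has keyCertSign set. */
    static List<Extension> ensureKeyCertSign(Collection<Extension> exts) throws IOException {
        List<Extension> out = new ArrayList<>();
        boolean seen = false;
        for (Extension ext : exts) {
            if (!Extension.keyUsage.equals(ext.getExtnId())) {
                out.add(ext);                 // unrelated extension, pass through
                continue;
            }
            seen = true;
            KeyUsage ku = KeyUsage.getInstance(ext.getParsedValue());
            if (ku.hasUsages(KeyUsage.keyCertSign)) {
                out.add(ext);                 // already valid, keep as supplied
                continue;
            }
            // Read the bit mask the same way KeyUsage.hasUsages(int) does,
            // so two-byte values (decipherOnly) survive the round trip.
            int bits = ((ASN1BitString) ku.toASN1Primitive()).intValue();
            KeyUsage fixed = new KeyUsage(bits | KeyUsage.keyCertSign);
            // Preserve the caller's criticality flag on the rebuilt extension.
            out.add(Extension.create(Extension.keyUsage, ext.isCritical(), fixed));
        }
        if (!seen) {
            // RFC 5280, 4.2.1.3: conforming CAs SHOULD mark KeyUsage critical.
            out.add(Extension.create(Extension.keyUsage, true,
                    new KeyUsage(KeyUsage.keyCertSign)));
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: a caller-supplied KeyUsage that lacks keyCertSign.
        List<Extension> in = new ArrayList<>();
        in.add(Extension.create(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.decipherOnly)));
        KeyUsage ku = KeyUsage.getInstance(ensureKeyCertSign(in).get(0).getParsedValue());
        System.out.println(ku.hasUsages(KeyUsage.keyCertSign
                | KeyUsage.digitalSignature | KeyUsage.decipherOnly));
    }
}
```

Normalizing the collection before the loop that feeds X509v3CertificateBuilder means the builder only ever sees one KeyUsage extension, so no later replaceExtension(Extension) call is needed.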