Package org.globus.gsi.bc
Class BouncyCastleCertProcessingFactory
java.lang.Object
org.globus.gsi.bc.BouncyCastleCertProcessingFactory
Provides certificate processing API such as creating new certificates, certificate requests, etc.
-
Constructor Summary
-
protected BouncyCastleCertProcessingFactory()
-
Method Summary
-
X509Certificate createCertificate(InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, int delegationMode)
    Deprecated.
X509Certificate createCertificate(InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, int delegationMode, X509ExtensionSet extSet)
    Deprecated.
X509Certificate createCertificate(InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, int delegationMode, X509ExtensionSet extSet, String cnValue)
    Deprecated.
X509Certificate createCertificate(InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, GSIConstants.CertificateType certType)
    Creates a proxy certificate from the certificate request.
X509Certificate createCertificate(InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, GSIConstants.CertificateType certType, X509ExtensionSet extSet)
    Creates a proxy certificate from the certificate request.
X509Certificate createCertificate(InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, GSIConstants.CertificateType certType, X509ExtensionSet extSet, String cnValue)
    Creates a proxy certificate from the certificate request.
byte[] createCertificateRequest(String subject, KeyPair keyPair)
    Creates a certificate request from the specified subject DN and a key pair.
byte[] createCertificateRequest(X509Certificate cert, KeyPair keyPair)
    Creates a certificate request from the specified certificate and a key pair.
byte[] createCertificateRequest(org.bouncycastle.asn1.x509.X509Name subjectDN, String sigAlgName, KeyPair keyPair)
    Creates a certificate request from the specified subject name, signing algorithm, and a key pair.
GlobusCredential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, int delegationMode)
    Deprecated.
GlobusCredential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, int delegationMode, X509ExtensionSet extSet)
    Deprecated.
GlobusCredential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, int delegationMode, X509ExtensionSet extSet, String cnValue)
    Deprecated.
X509Credential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, GSIConstants.CertificateType certType)
    Creates a new proxy credential from the specified certificate chain and a private key.
X509Credential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, GSIConstants.CertificateType certType, X509ExtensionSet extSet)
    Creates a new proxy credential from the specified certificate chain and a private key.
X509Credential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, GSIConstants.CertificateType certType, X509ExtensionSet extSet, String cnValue)
    Creates a new proxy credential from the specified certificate chain and a private key.
X509Credential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, GSIConstants.DelegationType delegType)
    Creates a new proxy credential from the specified certificate chain and a private key, using the given delegation mode.
X509Credential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, GSIConstants.DelegationType delegType, X509ExtensionSet extSet)
    Creates a new proxy credential from the specified certificate chain and a private key, using the given delegation mode.
X509Credential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, GSIConstants.DelegationType delegType, X509ExtensionSet extSet, String cnValue)
    Creates a new proxy credential from the specified certificate chain and a private key, using the given delegation mode.
X509Certificate createProxyCertificate(X509Certificate issuerCert_, PrivateKey issuerKey, PublicKey publicKey, int lifetime, int proxyType, X509ExtensionSet extSet, String cnValue)
    Deprecated.
X509Certificate createProxyCertificate(X509Certificate issuerCert_, PrivateKey issuerKey, PublicKey publicKey, int lifetime, GSIConstants.CertificateType certType, X509ExtensionSet extSet, String cnValue)
    Creates a proxy certificate.
static GSIConstants.CertificateType decideProxyType(X509Certificate issuerCert, GSIConstants.DelegationType delegType)
    Given a delegation mode and an issuing certificate, decides an appropriate certificate type to use for proxies.
static BouncyCastleCertProcessingFactory getDefault()
    Returns an instance of this class.
protected X509Certificate[] getX509CertificateObjectChain(X509Certificate[] certs)
    Returns a chain of X509Certificate's that are instances of X509CertificateObject. This is related to http://bugzilla.globus.org/globus/show_bug.cgi?id=4933
X509Certificate loadCertificate(InputStream in)
    Loads a X509 certificate from the specified input stream.
-
Constructor Details
-
BouncyCastleCertProcessingFactory
protected BouncyCastleCertProcessingFactory()
-
-
Method Details
-
getDefault
public static BouncyCastleCertProcessingFactory getDefault()
Returns an instance of this class.
- Returns:
BouncyCastleCertProcessingFactory - the factory instance.
-
createCertificate
public X509Certificate createCertificate(InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, int delegationMode) throws IOException, GeneralSecurityException
Deprecated.
Creates a proxy certificate from the certificate request.
- Throws:
IOException
GeneralSecurityException
-
createCertificate
public X509Certificate createCertificate(InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, int delegationMode, X509ExtensionSet extSet) throws IOException, GeneralSecurityException
Deprecated.
Creates a proxy certificate from the certificate request.
- Throws:
IOException
GeneralSecurityException
-
createCertificate
public X509Certificate createCertificate(InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, int delegationMode, X509ExtensionSet extSet, String cnValue) throws IOException, GeneralSecurityException
Deprecated.
Creates a proxy certificate from the certificate request (signs a certificate request, creating a new certificate).
- Parameters:
certRequestInputStream - the input stream to read the certificate request from.
cert - the issuer certificate.
privateKey - the private key to sign the new certificate with.
lifetime - lifetime of the new certificate in seconds. If 0 (or less) the new certificate will have the same lifetime as the issuing certificate.
delegationMode - the type of proxy credential to create.
extSet - a set of X.509 extensions to be included in the new proxy certificate. Can be null. If delegation mode is GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY or GSIConstants.CertificateType.GSI_4_RESTRICTED_PROXY then ProxyCertInfoExtension must be present in the extension set.
cnValue - the value of the CN component of the subject of the new certificate. If null, the defaults will be used depending on the proxy certificate type created.
- Returns:
X509Certificate - the new proxy certificate.
- Throws:
IOException - if an error occurs reading the certificate request.
GeneralSecurityException - if a security error occurs.
-
createCredential
public GlobusCredential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, int delegationMode) throws GeneralSecurityException
Deprecated.
Creates a new proxy credential from the specified certificate chain and a private key.
- Throws:
GeneralSecurityException
-
createCredential
public GlobusCredential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, int delegationMode, X509ExtensionSet extSet) throws GeneralSecurityException
Deprecated.
Creates a new proxy credential from the specified certificate chain and a private key.
- Throws:
GeneralSecurityException
-
createCredential
public GlobusCredential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, int delegationMode, X509ExtensionSet extSet, String cnValue) throws GeneralSecurityException
Deprecated.
Creates a new proxy credential from the specified certificate chain and a private key. A set of X.509 extensions can optionally be included in the new proxy certificate. This method automatically creates an "RSA"-based key pair.
- Parameters:
certs - the certificate chain for the new proxy credential. The top-most certificate, cert[0], will be designated as the issuing certificate.
privateKey - the private key of the issuing certificate. The new proxy certificate will be signed with that private key.
bits - the strength of the key pair for the new proxy certificate.
lifetime - lifetime of the new certificate in seconds. If 0 (or less) the new certificate will have the same lifetime as the issuing certificate.
delegationMode - the type of proxy credential to create.
extSet - a set of X.509 extensions to be included in the new proxy certificate. Can be null. If delegation mode is GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY or GSIConstants.CertificateType.GSI_4_RESTRICTED_PROXY then ProxyCertInfoExtension must be present in the extension set.
cnValue - the value of the CN component of the subject of the new proxy credential. If null, the defaults will be used depending on the proxy certificate type created.
- Returns:
GlobusCredential - the new proxy credential.
- Throws:
GeneralSecurityException - if a security error occurs.
-
createProxyCertificate
public X509Certificate createProxyCertificate(X509Certificate issuerCert_, PrivateKey issuerKey, PublicKey publicKey, int lifetime, int proxyType, X509ExtensionSet extSet, String cnValue) throws GeneralSecurityException
Deprecated.
Creates a proxy certificate. A set of X.509 extensions can optionally be included in the new proxy certificate.
If a GSI-2 proxy is created, the serial number of the proxy certificate will be the same as that of the issuing certificate. Also, none of the extensions in the issuing certificate will be copied into the proxy certificate.
If a GSI-3 or GSI-4 proxy is created, the serial number of the proxy certificate will be picked randomly. If the issuing certificate contains a KeyUsage extension, the extension will be copied into the proxy certificate with the keyCertSign and nonRepudiation bits turned off. No other extensions are currently copied. The method defaults to creating a GSI-4 proxy.
- Parameters:
issuerCert_ - the issuing certificate.
issuerKey - the private key matching the public key of the issuer certificate. The new proxy certificate will be signed by that key.
publicKey - the public key of the new certificate.
lifetime - lifetime of the new certificate in seconds. If 0 (or less) the new certificate will have the same lifetime as the issuing certificate.
proxyType - can be one of GSIConstants.DELEGATION_LIMITED, GSIConstants.DELEGATION_FULL, GSIConstants.GSI_2_LIMITED_PROXY, GSIConstants.GSI_2_PROXY, GSIConstants.GSI_3_IMPERSONATION_PROXY, GSIConstants.GSI_3_LIMITED_PROXY, GSIConstants.GSI_3_INDEPENDENT_PROXY, GSIConstants.GSI_3_RESTRICTED_PROXY, GSIConstants.GSI_4_IMPERSONATION_PROXY, GSIConstants.GSI_3_LIMITED_PROXY, GSIConstants.GSI_4_INDEPENDENT_PROXY, GSIConstants.GSI_4_RESTRICTED_PROXY. If GSIConstants.DELEGATION_LIMITED is given and CertUtil.isGsi2Enabled returns true, a GSI-2 limited proxy will be created; else if CertUtil.isGsi3Enabled returns true, a GSI-3 limited proxy will be created; otherwise a GSI-4 limited proxy will be created. If GSIConstants.DELEGATION_FULL is given and CertUtil.isGsi2Enabled returns true, a GSI-2 full proxy will be created; else if CertUtil.isGsi3Enabled returns true, a GSI-3 full proxy will be created; otherwise a GSI-4 full proxy will be created.
extSet - a set of X.509 extensions to be included in the new proxy certificate. Can be null. If delegation mode is GSIConstants.GSI_3_RESTRICTED_PROXY or GSIConstants.GSI_4_RESTRICTED_PROXY then ProxyCertInfoExtension must be present in the extension set.
cnValue - the value of the CN component of the subject of the new certificate. If null, the defaults will be used depending on the proxy certificate type created.
- Returns:
X509Certificate - the new proxy certificate.
- Throws:
GeneralSecurityException - if a security error occurs.
-
createCertificate
public X509Certificate createCertificate(InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, GSIConstants.CertificateType certType) throws IOException, GeneralSecurityException
Creates a proxy certificate from the certificate request.
- Throws:
IOException
GeneralSecurityException
-
createCertificate
public X509Certificate createCertificate(InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, GSIConstants.CertificateType certType, X509ExtensionSet extSet) throws IOException, GeneralSecurityException
Creates a proxy certificate from the certificate request.
- Throws:
IOException
GeneralSecurityException
-
createCertificate
public X509Certificate createCertificate(InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, GSIConstants.CertificateType certType, X509ExtensionSet extSet, String cnValue) throws IOException, GeneralSecurityException
Creates a proxy certificate from the certificate request (signs a certificate request, creating a new certificate).
- Parameters:
certRequestInputStream - the input stream to read the certificate request from.
cert - the issuer certificate.
privateKey - the private key to sign the new certificate with.
lifetime - lifetime of the new certificate in seconds. If 0 (or less) the new certificate will have the same lifetime as the issuing certificate.
certType - the type of proxy credential to create.
extSet - a set of X.509 extensions to be included in the new proxy certificate. Can be null. If delegation mode is GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY or GSIConstants.CertificateType.GSI_4_RESTRICTED_PROXY then ProxyCertInfoExtension must be present in the extension set.
cnValue - the value of the CN component of the subject of the new certificate. If null, the defaults will be used depending on the proxy certificate type created.
- Returns:
X509Certificate - the new proxy certificate.
- Throws:
IOException - if an error occurs reading the certificate request.
GeneralSecurityException - if a security error occurs.
-
createCredential
public X509Credential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, GSIConstants.CertificateType certType) throws GeneralSecurityException
Creates a new proxy credential from the specified certificate chain and a private key.
- Throws:
GeneralSecurityException
-
createCredential
public X509Credential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, GSIConstants.CertificateType certType, X509ExtensionSet extSet) throws GeneralSecurityException
Creates a new proxy credential from the specified certificate chain and a private key.
- Throws:
GeneralSecurityException
-
createCredential
public X509Credential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, GSIConstants.CertificateType certType, X509ExtensionSet extSet, String cnValue) throws GeneralSecurityException
Creates a new proxy credential from the specified certificate chain and a private key. A set of X.509 extensions can optionally be included in the new proxy certificate. This method automatically creates an "RSA"-based key pair.
- Parameters:
certs - the certificate chain for the new proxy credential. The top-most certificate, cert[0], will be designated as the issuing certificate.
privateKey - the private key of the issuing certificate. The new proxy certificate will be signed with that private key.
bits - the strength of the key pair for the new proxy certificate.
lifetime - lifetime of the new certificate in seconds. If 0 (or less) the new certificate will have the same lifetime as the issuing certificate.
certType - the type of proxy credential to create.
extSet - a set of X.509 extensions to be included in the new proxy certificate. Can be null. If delegation mode is GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY or GSIConstants.CertificateType.GSI_4_RESTRICTED_PROXY then ProxyCertInfoExtension must be present in the extension set.
cnValue - the value of the CN component of the subject of the new proxy credential. If null, the defaults will be used depending on the proxy certificate type created.
- Returns:
GlobusCredential - the new proxy credential.
- Throws:
GeneralSecurityException - if a security error occurs.
-
createCredential
public X509Credential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, GSIConstants.DelegationType delegType) throws GeneralSecurityException
Creates a new proxy credential from the specified certificate chain and a private key, using the given delegation mode.
- Throws:
GeneralSecurityException
-
createCredential
public X509Credential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, GSIConstants.DelegationType delegType, X509ExtensionSet extSet) throws GeneralSecurityException
Creates a new proxy credential from the specified certificate chain and a private key, using the given delegation mode.
- Throws:
GeneralSecurityException
-
createCredential
public X509Credential createCredential(X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, GSIConstants.DelegationType delegType, X509ExtensionSet extSet, String cnValue) throws GeneralSecurityException
Creates a new proxy credential from the specified certificate chain and a private key, using the given delegation mode.
- Throws:
GeneralSecurityException
-
createProxyCertificate
public X509Certificate createProxyCertificate(X509Certificate issuerCert_, PrivateKey issuerKey, PublicKey publicKey, int lifetime, GSIConstants.CertificateType certType, X509ExtensionSet extSet, String cnValue) throws GeneralSecurityException
Creates a proxy certificate. A set of X.509 extensions can optionally be included in the new proxy certificate.
If a GSI-2 proxy is created, the serial number of the proxy certificate will be the same as that of the issuing certificate. Also, none of the extensions in the issuing certificate will be copied into the proxy certificate.
If a GSI-3 or GSI-4 proxy is created, the serial number of the proxy certificate will be picked randomly. If the issuing certificate contains a KeyUsage extension, the extension will be copied into the proxy certificate with the keyCertSign and nonRepudiation bits turned off. No other extensions are currently copied. The method defaults to creating a GSI-4 proxy.
- Parameters:
issuerCert_ - the issuing certificate.
issuerKey - the private key matching the public key of the issuer certificate. The new proxy certificate will be signed by that key.
publicKey - the public key of the new certificate.
lifetime - lifetime of the new certificate in seconds. If 0 (or less) the new certificate will have the same lifetime as the issuing certificate.
certType - can be one of GSIConstants.CertificateType.GSI_2_LIMITED_PROXY, GSIConstants.CertificateType.GSI_2_PROXY, GSIConstants.CertificateType.GSI_3_IMPERSONATION_PROXY, GSIConstants.CertificateType.GSI_3_LIMITED_PROXY, GSIConstants.CertificateType.GSI_3_INDEPENDENT_PROXY, GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY, GSIConstants.CertificateType.GSI_4_IMPERSONATION_PROXY, GSIConstants.CertificateType.GSI_3_LIMITED_PROXY, GSIConstants.CertificateType.GSI_4_INDEPENDENT_PROXY, GSIConstants.CertificateType.GSI_4_RESTRICTED_PROXY.
extSet - a set of X.509 extensions to be included in the new proxy certificate. Can be null. If delegation mode is GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY or GSIConstants.CertificateType.GSI_4_RESTRICTED_PROXY then ProxyCertInfoExtension must be present in the extension set.
cnValue - the value of the CN component of the subject of the new certificate. If null, the defaults will be used depending on the proxy certificate type created.
- Returns:
X509Certificate - the new proxy certificate.
- Throws:
GeneralSecurityException - if a security error occurs.
-
loadCertificate
public X509Certificate loadCertificate(InputStream in) throws IOException, GeneralSecurityException
Loads a X509 certificate from the specified input stream. The input stream must contain a DER-encoded certificate.
- Parameters:
in - the input stream to read the certificate from.
- Returns:
X509Certificate - the loaded certificate.
- Throws:
GeneralSecurityException - if the certificate failed to load.
IOException
-
createCertificateRequest
public byte[] createCertificateRequest(String subject, KeyPair keyPair) throws GeneralSecurityException
Creates a certificate request from the specified subject DN and a key pair. "MD5WithRSAEncryption" is used as the signing algorithm of the certificate request.
- Parameters:
subject - the subject of the certificate request.
keyPair - the key pair of the certificate request.
- Returns:
the certificate request.
- Throws:
GeneralSecurityException - if a security error occurs.
-
createCertificateRequest
public byte[] createCertificateRequest(X509Certificate cert, KeyPair keyPair) throws GeneralSecurityException
Creates a certificate request from the specified certificate and a key pair. The certificate's subject DN, with a "CN=proxy" name component appended, is used as the subject of the certificate request. Also, the certificate's signing algorithm is used as the certificate request signing algorithm.
- Parameters:
cert - the certificate to create the certificate request from.
keyPair - the key pair of the certificate request.
- Returns:
the certificate request.
- Throws:
GeneralSecurityException - if a security error occurs.
-
createCertificateRequest
public byte[] createCertificateRequest(org.bouncycastle.asn1.x509.X509Name subjectDN, String sigAlgName, KeyPair keyPair) throws GeneralSecurityException
Creates a certificate request from the specified subject name, signing algorithm, and a key pair.
- Parameters:
subjectDN - the subject name of the certificate request.
sigAlgName - the signing algorithm name.
keyPair - the key pair of the certificate request.
- Returns:
the certificate request.
- Throws:
GeneralSecurityException - if a security error occurs.
-
decideProxyType
public static GSIConstants.CertificateType decideProxyType(X509Certificate issuerCert, GSIConstants.DelegationType delegType) throws CertificateException
Given a delegation mode and an issuing certificate, decides an appropriate certificate type to use for proxies.
- Parameters:
issuerCert - the issuing certificate of a prospective proxy.
delegType - the desired delegation mode.
- Returns:
the appropriate certificate type for proxies, or GSIConstants.CertificateType.UNDEFINED when GSIConstants.DelegationType.NONE was specified.
- Throws:
CertificateException - when failing to get the certificate type of the issuing certificate.
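The following worked example is added here and is not part of the JGlobus Javadoc or the project's own code. It exercises the three pieces this page documents together: createCredential (a local GSI-4 proxy, checking the serial-number and KeyUsage behaviour described under createProxyCertificate), the createCertificateRequest/createCertificate delegation exchange (only the request, never a private key, crosses between the two sides), and decideProxyType (choosing the proxy type from the delegator's own certificate). It assumes JGlobus 2.x (org.globus.gsi.X509Credential with a (PrivateKey, X509Certificate[]) constructor, getCertificateChain(), getPrivateKey() and getIdentity(); GSIConstants.DelegationType.LIMITED) and the BouncyCastle bcpkix builder classes, which are used only to construct a throwaway self-signed user certificate as input. The class name, the constructedUserCert helper and the check helper are mine, not the library's.

```java
import java.io.ByteArrayInputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.globus.gsi.GSIConstants;
import org.globus.gsi.X509Credential;
import org.globus.gsi.bc.BouncyCastleCertProcessingFactory;

// Hypothetical demo class; not part of JGlobus.
public class ProxyDelegationDemo {

    private static final BouncyCastleCertProcessingFactory FACTORY =
            BouncyCastleCertProcessingFactory.getDefault();

    // Constructed input: a self-signed end-entity certificate standing in for a user
    // certificate. keyCertSign is set on purpose so the KeyUsage copy rule can be observed.
    static X509Certificate constructedUserCert(KeyPair kp) throws Exception {
        X500Name dn = new X500Name("C=US,O=Example,CN=Alice Constructed");
        Date now = new Date();
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                dn, new BigInteger(64, new SecureRandom()), now,
                new Date(now.getTime() + 24L * 3600 * 1000), dn, kp.getPublic());
        b.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyCertSign));
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(
                b.build(new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate())));
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair userKeys = gen.generateKeyPair();
        X509Certificate userCert = constructedUserCert(userKeys);

        // 1. Local proxy: createCredential generates the proxy key pair itself and signs a
        //    GSI-4 impersonation proxy with the user's private key, valid for one hour.
        X509Credential proxy = FACTORY.createCredential(
                new X509Certificate[] { userCert }, userKeys.getPrivate(), 2048, 3600,
                GSIConstants.CertificateType.GSI_4_IMPERSONATION_PROXY);
        X509Certificate proxyCert = proxy.getCertificateChain()[0];

        // Properties the Javadoc states for GSI-3/GSI-4 proxies.
        check(proxyCert.getIssuerX500Principal().equals(userCert.getSubjectX500Principal()),
                "proxy is issued by the user certificate");
        check(!proxyCert.getSerialNumber().equals(userCert.getSerialNumber()),
                "GSI-4 proxy serial is chosen randomly, not copied from the issuer");
        boolean[] ku = proxyCert.getKeyUsage(); // index 1 = nonRepudiation, 5 = keyCertSign
        check(ku == null || (!ku[1] && !ku[5]),
                "keyCertSign and nonRepudiation are cleared on the proxy");
        check(!proxyCert.getNotAfter().after(userCert.getNotAfter()),
                "proxy does not outlive its issuer");
        proxyCert.verify(userCert.getPublicKey()); // signature check against the issuer key

        // 2. Delegation exchange. Remote side: fresh key pair, then a request built from the
        //    delegator's certificate; only the request bytes travel, never the private key.
        KeyPair remoteKeys = gen.generateKeyPair();
        byte[] request = FACTORY.createCertificateRequest(proxyCert, remoteKeys);

        // Delegator side: derive the proxy type from its own certificate and the wanted
        // delegation mode, then sign the request with the proxy key for ten minutes.
        GSIConstants.CertificateType type = BouncyCastleCertProcessingFactory.decideProxyType(
                proxyCert, GSIConstants.DelegationType.LIMITED);
        X509Certificate delegated = FACTORY.createCertificate(
                new ByteArrayInputStream(request), proxyCert, proxy.getPrivateKey(), 600, type);

        // Remote side: pair the returned certificate with the key it kept; the chain now
        // runs delegated -> proxy -> user.
        X509Credential delegatedCred = new X509Credential(remoteKeys.getPrivate(),
                new X509Certificate[] { delegated, proxyCert, userCert });
        check(delegated.getPublicKey().equals(remoteKeys.getPublic()),
                "delegated certificate carries the remote side's public key");
        delegated.verify(proxyCert.getPublicKey());
        System.out.println("decided type: " + type + ", delegated identity: "
                + delegatedCred.getIdentity());
    }

    private static void check(boolean ok, String what) {
        if (!ok) throw new IllegalStateException("expected: " + what);
    }
}
```

The certificate overload of createCertificateRequest is used deliberately: as the page states, it reuses the issuing certificate's signing algorithm, whereas the String-subject overload signs the request with MD5WithRSAEncryption. The KeyUsage check is written to accept either a copied-and-cleared extension or none at all, since either way the proxy must not carry keyCertSign; a proxy that could itself act as a CA for arbitrary subjects is the failure mode that bit and the cleared bits guard against. The lifetimes (one hour for the local proxy, ten minutes for the delegated one) are values chosen for the example, not defaults of the library.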
-
getX509CertificateObjectChain
protected X509Certificate[] getX509CertificateObjectChain(X509Certificate[] certs) throws GeneralSecurityException
Returns a chain of X509Certificate's that are instances of X509CertificateObject. This is related to http://bugzilla.globus.org/globus/show_bug.cgi?id=4933
- Parameters:
certs - the input certificate chain.
- Returns:
a new chain where all X509Certificate's are instances of X509CertificateObject.
- Throws:
GeneralSecurityException - when failing to load a certificate from its encoding.
-