org.glite.security.util.proxy
Class ProxyCertificateGenerator

java.lang.Object
  extended by org.glite.security.util.proxy.ProxyCertificateGenerator

public class ProxyCertificateGenerator
extends java.lang.Object

A class to make proxy certificates.

Author:
Joni Hahkala

Field Summary
static int DEFAULT_KEY_LENGTH
          The default key length for the proxy (1024 bits).
static int DEFAULT_PROXY_TYPE
          The default proxy type if none is set and the certificate given is an end entity certificate.
 
Constructor Summary
ProxyCertificateGenerator(java.security.cert.X509Certificate parentCert)
          Create a new proxy cert generator based on the parent cert.
ProxyCertificateGenerator(java.security.cert.X509Certificate[] parentCertChain)
          Create a new proxy cert generator based on the parent cert chain.
ProxyCertificateGenerator(java.security.cert.X509Certificate[] parentCertChain, org.bouncycastle.jce.PKCS10CertificationRequest certReq)
          Create a new proxy cert generator based on certification request and a certificate chain.
ProxyCertificateGenerator(java.security.cert.X509Certificate parentCert, org.bouncycastle.jce.PKCS10CertificationRequest certReq)
          Create a new proxy cert generator based on certification request and a certificate.
 
Method Summary
 void addExtension(java.lang.String oid, boolean critical, org.bouncycastle.asn1.DEREncodable value)
          Add an extension to the proxy certificate to be generated.
 void generate(java.security.PrivateKey privateKey)
          Generate the proxy certificate object.
 org.bouncycastle.asn1.x509.X509Name generateDN(org.bouncycastle.asn1.x509.X509Name basename, java.lang.String inputCN, boolean limited)
          Generates a new proxy DN based on the basename.
 java.security.cert.X509Certificate[] getCertChain()
          Returns the certificate chain of the proxy.
 java.lang.String getCertChainAsPEM()
          Gives the certificate chain containing the proxy in PEM format.
 java.security.PrivateKey getPrivateKey()
          Returns the generated or set private key of this proxy.
 java.lang.String getPrivateKeyAsPEM()
          Gives the private key of the proxy if the keys were generated or set using setPrivateKey.
 java.lang.String getProxyAsPEM()
          Gives the proxy credentials as a PEM encoded certificate chain that contains the private key in unencrypted form.
 void setKeyLength(int length)
          Sets the length of the keys to be generated, only used if the keys are not set separately.
 void setLifetime(int lifetime)
          Set the proxy lifetime.
 void setLimited()
          Defines that the resulting proxy will be a limited proxy, meaning that job submission with it is prevented.
 void setPolicy(java.lang.String oid, org.bouncycastle.asn1.DEROctetString octets)
          Set the policy OID of the RFC proxy extension and the octets of the policy.
 void setProxyPathLimit(int pathLen)
          Sets the proxy path length limit of this certificate.
 void setProxySourceRestrictions(ProxyRestrictionData data)
          Sets the proxy source restriction data.
 void setProxyTargetRestrictions(ProxyRestrictionData data)
          Sets the proxy target restriction data.
 void setProxyTracingIssuer(java.lang.String url)
          Sets the issuer URL for the proxy tracing.
 void setProxyTracingSubject(java.lang.String url)
          Sets the subject URL for the proxy tracing.
 void setSerialNumber(java.math.BigInteger sn)
          Sets the new proxy serial number.
 void setType(int type)
          Used to set the type of the proxy.
 
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

DEFAULT_PROXY_TYPE

public static final int DEFAULT_PROXY_TYPE
The default proxy type if none is set and the certificate given is an end entity certificate. The default is an RFC3820 proxy.

See Also:
Constant Field Values

DEFAULT_KEY_LENGTH

public static final int DEFAULT_KEY_LENGTH
The default key length for the proxy (1024 bits).

See Also:
Constant Field Values

Constructor Detail

ProxyCertificateGenerator

public ProxyCertificateGenerator(java.security.cert.X509Certificate[] parentCertChain)
Create a new proxy cert generator based on the parent cert chain. Useful when locally creating a proxy from an existing certificate chain.

Parameters:
parentCertChain - the parent certificate chain of the proxy.

ProxyCertificateGenerator

public ProxyCertificateGenerator(java.security.cert.X509Certificate parentCert)
Create a new proxy cert generator based on the parent cert. Useful when locally creating a proxy from an existing certificate.

Parameters:
parentCert - the parent certificate of the proxy.

ProxyCertificateGenerator

public ProxyCertificateGenerator(java.security.cert.X509Certificate[] parentCertChain,
                                 org.bouncycastle.jce.PKCS10CertificationRequest certReq)
                          throws java.security.InvalidKeyException,
                                 java.security.NoSuchAlgorithmException,
                                 java.security.NoSuchProviderException
Create a new proxy cert generator based on a certification request and a certificate chain. Used for example when creating a proxy certificate on the client side from a certificate request coming from a service.

Parameters:
parentCertChain - The parent cert chain of the proxy.
certReq - The certification request to generate the certificate from.
Throws:
java.security.InvalidKeyException - Thrown if the public key in the request is invalid.
java.security.NoSuchAlgorithmException - Thrown if the request uses an unsupported algorithm.
java.security.NoSuchProviderException - Thrown if the bouncycastle provider was not found.

ProxyCertificateGenerator

public ProxyCertificateGenerator(java.security.cert.X509Certificate parentCert,
                                 org.bouncycastle.jce.PKCS10CertificationRequest certReq)
                          throws java.security.InvalidKeyException,
                                 java.security.NoSuchAlgorithmException,
                                 java.security.NoSuchProviderException
Create a new proxy cert generator based on a certification request and a certificate. Used for example when creating a proxy certificate on the client side from a certificate request coming from a service.

Parameters:
parentCert - The parent certificate of the proxy.
certReq - The certification request to generate the certificate from.
Throws:
java.security.NoSuchProviderException - Thrown if the bouncycastle provider was not found.
java.security.NoSuchAlgorithmException - Thrown if the request uses an unsupported algorithm.
java.security.InvalidKeyException - Thrown if the public key in the request is invalid.

Method Detail

setLifetime

public void setLifetime(int lifetime)
Set the proxy lifetime. If not set, the default is 12h.

Parameters:
lifetime - the lifetime in seconds. (A +-5 min grace period is added to the lifetime.)

addExtension

public void addExtension(java.lang.String oid,
                         boolean critical,
                         org.bouncycastle.asn1.DEREncodable value)
Add an extension to the proxy certificate to be generated.

Parameters:
oid - the object identifier of the extension.
critical - whether the extension is critical or not.
value - The extension value.

generate

public void generate(java.security.PrivateKey privateKey)
              throws java.security.InvalidKeyException,
                     java.security.SignatureException,
                     java.security.NoSuchAlgorithmException,
                     java.security.cert.CertificateEncodingException
Generate the proxy certificate object.

Parameters:
privateKey - the private key used to sign the proxy certificate.
Throws:
java.security.InvalidKeyException
java.security.SignatureException
java.security.NoSuchAlgorithmException
java.security.cert.CertificateEncodingException

getCertChain

public java.security.cert.X509Certificate[] getCertChain()
Returns the certificate chain of the proxy.

Returns:
the Certificate chain starting with the CA or end entity certificate and ending with the latest proxy.

getPrivateKey

public java.security.PrivateKey getPrivateKey()
Returns the generated or set private key of this proxy.

Returns:
The private key.

getCertChainAsPEM

public java.lang.String getCertChainAsPEM()
                                   throws java.io.IOException
Gives the certificate chain containing the proxy in PEM format.

Returns:
the Certificate chain in PEM format, starting with the latest proxy and ending with either the end entity user certificate or the CA certificate, depending on the input given when calling the constructor.
Throws:
java.io.IOException - In case there are string manipulation problems.

getPrivateKeyAsPEM

public java.lang.String getPrivateKeyAsPEM()
Gives the private key of the proxy if the keys were generated or set using setPrivateKey.

Returns:
The private key of the proxy in PEM format.

getProxyAsPEM

public java.lang.String getProxyAsPEM()
                               throws java.io.IOException
Gives the proxy credentials as a PEM encoded certificate chain that contains the private key in unencrypted form. See: http://dev.globus.org/wiki/Security/ProxyFileFormat

Returns:
The PEM encoded proxy credentials as a String.
Throws:
java.io.IOException - In case the string manipulations fail.

generateDN

public org.bouncycastle.asn1.x509.X509Name generateDN(org.bouncycastle.asn1.x509.X509Name basename,
                                                      java.lang.String inputCN,
                                                      boolean limited)
Generates a new proxy DN based on the basename. If inputCN is given, it is added to the end of the DN and the new DN is returned. If inputCN is null, the basename is analyzed. In the case of an old style proxy DN, either "CN=proxy" or "CN=limited proxy" is added, depending on the value of the limited argument. In the case of a new style proxy DN or a non-proxy DN, a new style proxy is assumed and "CN=" followed by a random number is added.

Parameters:
basename - The DN to use as the basis of the new DN.
inputCN - If given, this is used as the new CN value.
limited - if inputCN is not given and the basename is an old style proxy DN, setting this to true will generate a limited proxy.
Returns:
the new DN.

setType

public void setType(int type)
             throws java.lang.IllegalArgumentException
Used to set the type of the proxy. Useful only when the parent certificate is a user certificate; otherwise the generator produces the same type of proxy as the parent, and trying to set a type different from the parent's results in an IllegalArgumentException. If the parent certificate is a user certificate and this method is not used, BasicProxyCertificate.RFC3820_PROXY is assumed.

Parameters:
type - The type, see the type definitions in BasicProxyCertificate class.
Throws:
java.lang.IllegalArgumentException - Thrown when trying to set a type different from the parent's, if the parent is a proxy certificate.

setKeyLength

public void setKeyLength(int length)
Sets the length of the keys to be generated, only used if the keys are not set separately. If this method is not used, the default is 1024 bits.

Parameters:
length - The key length in bits.

setLimited

public void setLimited()
Defines that the resulting proxy will be a limited proxy, meaning that job submission with it is prevented.


setSerialNumber

public void setSerialNumber(java.math.BigInteger sn)
Sets the new proxy serial number. Only applicable to RFC proxies.

Parameters:
sn - The serial number for the new proxy.

setPolicy

public void setPolicy(java.lang.String oid,
                      org.bouncycastle.asn1.DEROctetString octets)
Set the policy OID of the RFC proxy extension and the octets of the policy. See RFC3820. The octets may be null when the OID itself defines the behaviour, as with the "inherit all" policy or the "independent" policy.

Parameters:
oid - The oid of the policy language.
octets - The actual policy info encoded as DEROctetString.

setProxyPathLimit

public void setProxyPathLimit(int pathLen)
Sets the proxy path length limit of this certificate. Only applies to RFC3820 and RFC draft proxies.

Parameters:
pathLen - The number of proxy certificates allowed in the chain after this certificate. ProxyCertInfoExtension.UNLIMITED if not set.

setProxySourceRestrictions

public void setProxySourceRestrictions(ProxyRestrictionData data)
Sets the proxy source restriction data.

Parameters:
data - The data for the source restriction extension.

setProxyTargetRestrictions

public void setProxyTargetRestrictions(ProxyRestrictionData data)
Sets the proxy target restriction data.

Parameters:
data - The data for the target restriction extension.

setProxyTracingIssuer

public void setProxyTracingIssuer(java.lang.String url)
Sets the issuer URL for the proxy tracing.

Parameters:
url - The proxy tracing issuer URL in String format.

setProxyTracingSubject

public void setProxyTracingSubject(java.lang.String url)
Sets the subject URL for the proxy tracing.

Parameters:
url - The proxy tracing subject URL in String format.
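
An added usage example, not code from the library or from this page: it issues a 12 hour proxy from a user certificate with this generator, checks that the result is signed by the parent key and does not outlive the requested lifetime plus the documented grace period, and writes the unencrypted bundle from getProxyAsPEM to an owner-only file. The file paths, the MakeProxy class and the use of BouncyCastle's old org.bouncycastle.openssl.PEMReader to load the user key are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileReader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyPair;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMReader;
import org.glite.security.util.proxy.ProxyCertificateGenerator;

public class MakeProxy {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Assumed input files: the user's end entity certificate and its unencrypted key, both PEM.
        String certPath = args.length > 0 ? args[0] : "usercert.pem";
        String keyPath = args.length > 1 ? args[1] : "userkey.pem";
        String proxyPath = args.length > 2 ? args[2] : "x509up_example";
        CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
        X509Certificate userCert = (X509Certificate) cf.generateCertificate(new FileInputStream(certPath));
        PEMReader pem = new PEMReader(new FileReader(keyPath)); // assumed: old BC openssl API, same era as this library
        KeyPair userKeys = (KeyPair) pem.readObject();
        pem.close();

        int lifetimeSeconds = 12 * 3600;
        ProxyCertificateGenerator gen = new ProxyCertificateGenerator(userCert);
        gen.setKeyLength(2048);           // do not rely on DEFAULT_KEY_LENGTH (1024 bits)
        gen.setLifetime(lifetimeSeconds); // seconds; the generator adds a +-5 min grace period
        gen.setProxyPathLimit(0);         // no further proxies may be derived from this one
        gen.generate(userKeys.getPrivate()); // signed with the parent (user) private key

        // getCertChain() ends with the newest proxy; getCertChainAsPEM() lists it first.
        X509Certificate[] chain = gen.getCertChain();
        X509Certificate proxy = chain[chain.length - 1];
        proxy.verify(userCert.getPublicKey()); // throws unless signed by the parent key
        long latestAllowed = System.currentTimeMillis() + (lifetimeSeconds + 5 * 60) * 1000L;
        if (proxy.getNotAfter().after(new Date(latestAllowed))) {
            throw new IllegalStateException("proxy outlives the requested lifetime");
        }
        // The PEM bundle holds the unencrypted key: create the file owner-only before writing it.
        Path out = Paths.get(proxyPath);
        Files.createFile(out, PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        Files.write(out, gen.getProxyAsPEM().getBytes("US-ASCII"));
    }
}
```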