Class ProxyGeneratorHelper

java.lang.Object
  eu.emi.security.authn.x509.helpers.proxy.ProxyGeneratorHelper

Actual implementation of the proxy generation. The object is for one use only, i.e. it must not be reused to generate a second certificate. It is strongly suggested to use ProxyGenerator instead.
Field Summary

  Modifier and Type                                        Field
  private X509v3CertificateBuilder                         certBuilder
  private X509Certificate                                  proxy
  private PrivateKey                                       proxyPrivateKey
  private org.bouncycastle.asn1.x509.SubjectPublicKeyInfo  proxyPublicKeyInfo
Constructor Summary

  ProxyGeneratorHelper()
Method Summary

  private void addExtensions
  private void buildCertificate(X509Certificate issuingCert, PrivateKey privateKey)
  private void establishKeys
  private org.bouncycastle.asn1.x509.KeyUsage establishKeyUsage
  static BigInteger establishSerial
      For LEGACY proxies returns the serial from the issuing certificate.
  ProxyCertificate generate(ProxyCertificateOptions param, PrivateKey privateKey)
      Generate the proxy certificate object from the local certificate.
  X509Certificate[] generate(ProxyRequestOptions param, PrivateKey privateKey)
      Generate the proxy certificate object from the received Certificate Signing Request.
  private ProxyCertificate generateCommon(BaseProxyCertificateOptions param, PrivateKey privateKey)
  static org.bouncycastle.asn1.x500.X500Name generateDN(X500Principal parentSubject, ProxyType type, boolean limited, BigInteger serial)
      Generate a correct DN for the proxy, depending on its type.
  static KeyPair generateKeyPair(int len)
  static Integer getChainKeyUsage(X509Certificate[] chain)
      If the input chain has no KeyUsage extension null is returned.
  private void setupCertBuilder
  private ProxyCertificate wrapResult(X509Certificate[] originalChain)
Field Details

  proxyPublicKeyInfo
    private org.bouncycastle.asn1.x509.SubjectPublicKeyInfo proxyPublicKeyInfo

  proxyPrivateKey
    private PrivateKey proxyPrivateKey

  certBuilder
    private X509v3CertificateBuilder certBuilder

  proxy
    private X509Certificate proxy
Constructor Details

  ProxyGeneratorHelper
    public ProxyGeneratorHelper()
Method Details

  generate
    public ProxyCertificate generate(ProxyCertificateOptions param, PrivateKey privateKey)
        throws InvalidKeyException, SignatureException, NoSuchAlgorithmException, CertificateParsingException, IOException
    Generate the proxy certificate object from the local certificate.
    Parameters:
      param - proxy parameters
      privateKey - key to sign the proxy
    Returns:
      a newly created proxy certificate, wrapped together with a private key if it was also generated.
    Throws:
      InvalidKeyException - invalid key exception
      SignatureException - signature exception
      NoSuchAlgorithmException - no such algorithm exception
      CertificateParsingException - certificate parsing exception
      IOException - IO exception
  generate
    public X509Certificate[] generate(ProxyRequestOptions param, PrivateKey privateKey)
        throws InvalidKeyException, SignatureException, NoSuchAlgorithmException, CertificateParsingException, IOException
    Generate the proxy certificate object from the received Certificate Signing Request.
    Parameters:
      param - proxy parameters
      privateKey - key to sign the proxy
    Returns:
      chain with the new proxy on the first position
    Throws:
      InvalidKeyException - invalid key exception
      SignatureException - signature exception
      NoSuchAlgorithmException - no such algorithm exception
      CertificateParsingException - certificate parsing exception
      IOException - IO exception
  generateCommon
    private ProxyCertificate generateCommon(BaseProxyCertificateOptions param, PrivateKey privateKey)
        throws InvalidKeyException, SignatureException, NoSuchAlgorithmException, CertificateParsingException, IOException

  establishKeys
    Throws:
      InvalidKeyException

  setupCertBuilder
    Throws:
      InvalidKeyException
  getChainKeyUsage
    If the input chain has no KeyUsage extension null is returned. If at least one certificate in the chain has the Key Usage extension then a KeyUsage is returned which contains the bitwise AND of the KeyUsage flags from all certificates. The CA certificates are ignored in the computation.
    Parameters:
      chain - certificate chain
    Returns:
      chain key usage
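Added example, not canl-java's own code: it re-implements the rule stated for getChainKeyUsage with the JDK certificate API and runs it over a demo chain built with BouncyCastle. The class ChainKeyUsageDemo, the issue() helper, the serial counter and all subject names are assumptions constructed here. It shows that the CA certificate is skipped and that the proxy's bits are ANDed with its issuer's, so the computed usage never contains a flag the issuing end-entity certificate lacks.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.*;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
public class ChainKeyUsageDemo {
    // Rule documented for getChainKeyUsage: bitwise AND of the KeyUsage bits of every non-CA
    // certificate that carries the extension; null if none does. Bits follow BC's KeyUsage constants.
    static Integer chainKeyUsage(X509Certificate[] chain) {
        Integer result = null;
        for (X509Certificate c : chain) {
            if (c.getBasicConstraints() >= 0) continue;   // CA certificate: not part of the AND
            boolean[] ku = c.getKeyUsage();                // null when the extension is absent
            if (ku == null) continue;
            int bits = 0;                                  // JDK index 0..7 -> BC bit 7..0; index 8 -> decipherOnly
            for (int i = 0; i < Math.min(ku.length, 9); i++)
                if (ku[i]) bits |= (i == 8) ? KeyUsage.decipherOnly : (1 << (7 - i));
            result = (result == null) ? bits : (result & bits);
        }
        return result;
    }
    static long serial = 1;   // demo serial counter; issue() builds a demo cert, ku == null -> no KeyUsage extension
    static X509Certificate issue(String subject, PublicKey pub, String issuer, PrivateKey issuerKey,
                                 Integer ku, boolean ca) throws Exception {
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(new X500Name(issuer),
            BigInteger.valueOf(serial++), new Date(), new Date(System.currentTimeMillis() + 3_600_000L),
            new X500Name(subject), pub);
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(ca));
        if (ku != null) b.addExtension(Extension.keyUsage, true, new KeyUsage(ku));
        return new JcaX509CertificateConverter().getCertificate(
            b.build(new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey)));
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA"); g.initialize(2048);
        KeyPair ca = g.generateKeyPair(), ee = g.generateKeyPair(), px = g.generateKeyPair();
        // Constructed chain: CA (ignored) -> user EEC (digitalSignature|keyEncipherment) -> proxy (digitalSignature)
        X509Certificate caCert = issue("CN=Demo CA", ca.getPublic(), "CN=Demo CA", ca.getPrivate(),
            KeyUsage.keyCertSign | KeyUsage.cRLSign, true);
        X509Certificate eeCert = issue("CN=Demo User", ee.getPublic(), "CN=Demo CA", ca.getPrivate(),
            KeyUsage.digitalSignature | KeyUsage.keyEncipherment, false);
        X509Certificate pxCert = issue("CN=Demo User,CN=12345", px.getPublic(), "CN=Demo User", ee.getPrivate(),
            KeyUsage.digitalSignature, false);
        Integer ku = chainKeyUsage(new X509Certificate[] { pxCert, eeCert, caCert });
        System.out.println("effective KeyUsage bits: " + ku + " (128 = digitalSignature)");
    }
}
```

Compile and run with bcprov and bcpkix on the classpath; a chain whose non-CA certificates all lack the KeyUsage extension yields null, matching the documented contract.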
  establishKeyUsage

  addExtensions
    Throws:
      IOException

  buildCertificate
    private void buildCertificate(X509Certificate issuingCert, PrivateKey privateKey)
        throws CertificateParsingException, InvalidKeyException, NoSuchProviderException, NoSuchAlgorithmException, SignatureException, IOException

  wrapResult
    Throws:
      InvalidKeyException
  establishSerial
    For LEGACY proxies returns the serial from the issuing certificate. For the Draft/RFC proxies returns the manually set serial, or generates a random one if it was not set.
    Parameters:
      param - proxy certificate options
    Returns:
      serial number
  generateDN
    public static org.bouncycastle.asn1.x500.X500Name generateDN(X500Principal parentSubject, ProxyType type, boolean limited, BigInteger serial)
    Generate a correct DN for the proxy, depending on its type.
    Parameters:
      parentSubject - parent subject
      type - proxy type
      limited - true if limited proxy
      serial - serial number
    Returns:
      generated proxy DN

  generateKeyPair