Wrap BouncyCastle's X.509 certificate generator in a slightly more user-friendly way.
Public Member Functions

MinimalCertificateGenerator (String subjectDN, PublicKey subjectPublicKey, X509Certificate issuerCertificate, long duration, boolean isCA, Integer chainLength, boolean allUsage) throws CertificateEncodingException, IOException
    Certificate issued under an existing CA.
MinimalCertificateGenerator (String subjectDN, PublicKey subjectPublicKey, long duration, boolean isCA, boolean allUsage)
    Self-signed certificate (which may or may not be a CA).
MinimalCertificateGenerator (String subjectDN, PublicKey subjectPublicKey, X500Principal issuerDN, long duration, boolean isCA, Integer chainLength, boolean allUsage)
    Basic common path.
void setServerAuthenticationUsage (String serverDNSName)
    Adds the serverAuth OID to the EKU extension and the DNS name to the subjectAltName extension (not marked critical).
void setClientAuthenticationUsage ()
    Adds client authentication as a usage for this certificate.
void setSecureEmailUsage (String subjectEmailAddress)
    Adds the emailProtection OID to the EKU extension and the email address to the subjectAltName extension (not marked critical).
void setIPSecUsage (String ipAddress)
    Adds the IP address to subjectAltName and the IPSec usage to the EKU extension.
void setExtendedKeyUsage (String usageOID)
void addSubjectAltName (URI subjectURI)
void addAuthorityName (URI authorityName)
    Adds additional AuthorityKeyIdentifier information.
X509Certificate sign (String digestAlgorithm, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException
    Generates an X509 certificate, based on the current issuer and subject, using the default provider.
void addExtension (String oid, boolean critical, byte[] value)
    Opens up the ability to add extensions other than EKU and SubjectAltName (which the class manages itself).
Static Public Member Functions

static X509Certificate GenerateUserCertificate (PublicKey userPublicKey, String subjectDN, long duration, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException
    Generates an X509 certificate for a specified user key, subject distinguished name and duration.
static X509Certificate GenerateUserCertificate (String subjectDN, PublicKey userPublicKey, X509Certificate issuerCertificate, long duration, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, IOException
    Generates an X509 certificate for a specified user key, subject distinguished name, issuer certificate and duration.
static X509Certificate GenerateUserCertificate (KeyPair userKeyPair, String subjectDN, long duration) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException
    Helper method.
static X509Certificate GenerateUserCertificate (PublicKey userPublicKey, String subjectDN, String emailAddress, long duration, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException
    Generates an X509 certificate for a specified user key, subject distinguished name, email address and duration.
static X509Certificate GenerateUserCertificate (KeyPair userKeyPair, String subjectDN, String emailAddress, long duration) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException
    Helper method.
static void writeCertificateChain (File targetFile, X509Certificate userCertificate, List< X509Certificate > chain, int chainOffset, int chainCount) throws CertificateEncodingException, FileNotFoundException
    Writes a file of certificates in the form expected by SSL_CTX_load_verify_locations() and (if in the right order) SSL_CTX_use_certificate_chain_file().
static void writePEMCertificate (PrintWriter writer, X509Certificate certificate) throws CertificateEncodingException
Static Public Attributes

static final DERObjectIdentifier id_kp_serverAuth = new DERObjectIdentifier("1.3.6.1.5.5.7.3.1")
    A few useful OIDs that aren't in X509Extension, plus those that are (because they're protected there).
static final DERObjectIdentifier id_kp_clientAuth = new DERObjectIdentifier("1.3.6.1.5.5.7.3.2")
static final DERObjectIdentifier id_kp_emailProtection = new DERObjectIdentifier("1.3.6.1.5.5.7.3.4")
static final DERObjectIdentifier id_kp_ipsec = new DERObjectIdentifier("1.3.6.1.5.5.8.2.2")
static final String SUN_PROVIDER = "SUN"
    We can't just use null to get the default provider and have any assurance of what it is, as a user can change the default provider.
static long MSEC_IN_YEAR = 1000 * 60 * 60 * 24 * 365
    Milliseconds in a 365-day year; note that this field is not final.
static final String BEGIN_CERTIFICATE = "-----BEGIN CERTIFICATE-----"
static final String END_CERTIFICATE = "-----END CERTIFICATE-----"
static final int CERTIFICATE_WRAP_LENGTH = 40
Protected Member Functions

void addExtendedKeyUsageExtension ()
    Adds an extended key usage extension to the certificate.
void addAuthorityKeyIdentifierExtension ()
    Adds an authority key identifier extension to the certificate.
void addSubjectAltNamesExtension ()
    Adds a subject alternative name extension to the certificate.
Protected Attributes

X509V3CertificateGenerator _generator = new X509V3CertificateGenerator()
Vector< DERObjectIdentifier > _ekus = new Vector<DERObjectIdentifier>()
    Build up the list of EKUs and SubjectAltNames, then add them all at once just before signing.
ASN1EncodableVector _subjectAltNames = new ASN1EncodableVector()
AuthorityKeyIdentifier _aki = null
Static Protected Attributes

static final String DEFAULT_DIGEST_ALGORITHM = "SHA"
    "SHA" is the alias the SUN provider accepts for SHA-1 (the standard JCA name is "SHA-1"). SHA-1 certificate signatures are rejected by current browsers and TLS stacks, so pass a SHA-2 digest name to sign() rather than relying on this default.
static Random cachedRandom = new Random()
    Cache a random number generator (non-secure, used for generating certificate serial numbers).
static SimpleDateFormat DATE_FORMAT = new SimpleDateFormat("yyMMddHHmmss")
static SimpleTimeZone TZ = new SimpleTimeZone(0, "Z")
Static Package Functions

[static initializer]
Wrap BouncyCastle's X.509 certificate generator in a slightly more user-friendly way. The class drives a BouncyCastle X509V3CertificateGenerator: extended key usages, subject alternative names and authority key identifier data are collected through the set*/add* methods and written into the certificate as extensions when sign() is called.
org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.MinimalCertificateGenerator (String subjectDN, PublicKey subjectPublicKey, X509Certificate issuerCertificate, long duration, boolean isCA, Integer chainLength, boolean allUsage) throws CertificateEncodingException, IOException
Certificate issued under an existing CA.
Parameters:
subjectDN | the distinguished name of the subject.
subjectPublicKey | the public key of the subject.
issuerCertificate | the certificate of the issuer.
duration | the validity duration of the certificate, in milliseconds (MSEC_IN_YEAR covers the common case).
isCA | if true, add basic constraints marking the certificate as a CA.
allUsage | if isCA is true, add "regular" KeyUsage flags, for a dual-use cert.
Exceptions:
CertificateEncodingException
IOException
org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.MinimalCertificateGenerator (String subjectDN, PublicKey subjectPublicKey, long duration, boolean isCA, boolean allUsage)
Self-signed certificate (which may or may not be a CA).
Parameters:
subjectDN | the distinguished name of the subject.
subjectPublicKey | the public key of the subject.
duration | the validity duration of the certificate, in milliseconds (MSEC_IN_YEAR covers the common case).
isCA | if true, add basic constraints marking the certificate as a CA.
allUsage | if isCA is true, add "regular" KeyUsage flags, for a dual-use cert.
org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.MinimalCertificateGenerator (String subjectDN, PublicKey subjectPublicKey, X500Principal issuerDN, long duration, boolean isCA, Integer chainLength, boolean allUsage)
Basic common path.
Parameters:
subjectDN | the distinguished name of the subject.
subjectPublicKey | the public key of the subject.
issuerDN | the distinguished name of the issuer.
duration | the validity duration of the certificate, in milliseconds (MSEC_IN_YEAR covers the common case).
isCA | if true, add basic constraints marking the certificate as a CA.
allUsage | if isCA is true, add "regular" KeyUsage flags, for a dual-use cert.
void org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.addAuthorityName (URI authorityName)
Adds additional AuthorityKeyIdentifier information; the key identifier itself has already been set.
static X509Certificate org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.GenerateUserCertificate (PublicKey userPublicKey, String subjectDN, String emailAddress, long duration, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException [static]
Generates an X509 certificate for a specified user key, subject distinguished name, email address and duration.
Parameters:
userPublicKey | the user's public key.
subjectDN | the distinguished name of the subject.
emailAddress | the email address.
duration | the validity duration of the certificate.
signingKey | the private key used to sign the certificate.
Exceptions:
CertificateEncodingException
InvalidKeyException
IllegalStateException
NoSuchAlgorithmException
SignatureException
static X509Certificate org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.GenerateUserCertificate (String subjectDN, PublicKey userPublicKey, X509Certificate issuerCertificate, long duration, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, IOException [static]
Generates an X509 certificate for a specified user key, subject distinguished name, issuer certificate and duration.
Parameters:
subjectDN | the distinguished name of the user.
userPublicKey | the user's public key.
issuerCertificate | the certificate of the issuer.
duration | the duration of validity of the certificate.
signingKey | the private key used to sign the certificate; for the result to verify against issuerCertificate this must be the key matching that certificate's public key.
Exceptions:
CertificateEncodingException
InvalidKeyException
IllegalStateException
NoSuchAlgorithmException
SignatureException
IOException
static X509Certificate org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.GenerateUserCertificate (PublicKey userPublicKey, String subjectDN, long duration, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException [static]
Generates an X509 certificate for a specified user key, subject distinguished name and duration.
Parameters:
userPublicKey | the user's public key.
subjectDN | the distinguished name of the user.
duration | the duration of validity of the certificate.
signingKey | the private key used to sign the certificate.
Exceptions:
CertificateEncodingException
InvalidKeyException
IllegalStateException
NoSuchAlgorithmException
SignatureException
void org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.setIPSecUsage (String ipAddress)
Adds the IP address to subjectAltName and the IPSec usage to the EKU extension.
Parameters:
ipAddress | string form of the IP address. Assumed to be in either IPv4 form, "n.n.n.n", with 0<=n<256, or IPv6 form, "n.n.n.n.n.n.n.n", where the n's are the HEXADECIMAL form of the 16-bit address components. Note that this IPv6 form is dot-separated and is not the colon-separated notation of RFC 4291; convert before calling.
void org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.setSecureEmailUsage (String subjectEmailAddress)
Adds the emailProtection OID to the EKU extension and the email address to the subjectAltName extension (not marked critical). (Combines addSecureEmailEKU and addEmailSubjectAltName.)
Parameters:
subjectEmailAddress | the email address of the subject.

void org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.setServerAuthenticationUsage (String serverDNSName)
Adds the serverAuth OID to the EKU extension and the DNS name to the subjectAltName extension (not marked critical). (Combines addServerAuthenticationEKU and addDNSNameSubjectAltName.)
Parameters:
serverDNSName | the DNS name of the server.
X509Certificate org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.sign (String digestAlgorithm, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException
Generates an X509 certificate, based on the current issuer and subject, using the default provider. Before signing, the EKU, subjectAltName and AuthorityKeyIdentifier information collected so far is finalized into extensions on the certificate.
Uses the old form of the BC certificate generation call for compatibility with older versions of BouncyCastle; the deprecation warning is suppressed on newer platforms.
Parameters:
digestAlgorithm | the digest algorithm.
signingKey | the signing key.
Exceptions:
CertificateEncodingException
InvalidKeyException
IllegalStateException
NoSuchAlgorithmException
SignatureException
static void org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.writeCertificateChain (File targetFile, X509Certificate userCertificate, List< X509Certificate > chain, int chainOffset, int chainCount) throws CertificateEncodingException, FileNotFoundException [static]
Writes a file of certificates in the form expected by SSL_CTX_load_verify_locations() and (if in the right order) SSL_CTX_use_certificate_chain_file().
Quoting from the OpenSSL documentation: "If CAfile is not NULL, it points to a file of CA certificates in PEM format. The file can contain several CA certificates identified by -----BEGIN CERTIFICATE----- ... (CA certificate in base64 encoding) ... -----END CERTIFICATE----- sequences. Before, between, and after the certificates text is allowed which can be used e.g. for descriptions of the certificates."
Also from the documentation: "SSL_CTX_use_certificate_chain_file loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. There is no corresponding function working on a single SSL object." This method assumes the caller has already ordered the chain.
Parameters:
targetFile | the file to write.
userCertificate | if not null, the first cert to write in the chain.
chain | a set of certificates to write after any user certificate. Written in the order given, so it can be used to write an ordered chain or a set of roots where order doesn't matter.
chainOffset | the index into chain at which to start writing.
chainCount | the number of certs to output.
Exceptions:
CertificateEncodingException
FileNotFoundException
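How the constructors, the usage setters, sign() and writeCertificateChain() fit together, as an added example that is not part of the CCNx code base: a self-signed CA, a server certificate issued under it, the checks a relying party would make on the result, and the chain written in the order OpenSSL expects and then read back with the JDK parser. The subject names, host name and file name are made up. Passing "SHA256" as the digest assumes sign() maps that name onto a SHA-256 signature algorithm for the key (the page only documents the "SHA" default), and passing null for chainLength assumes that means no path length constraint, which the page does not document.

```java
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

import org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator;

/** Added example, not CCNx project code: issue a two-level chain and verify it. */
public class ChainExample {

    /** Names and file name are made up for the example. */
    static final String CA_DN = "CN=Example Root CA,O=Example";
    static final String SERVER_DN = "CN=www.example.test,O=Example";
    static final String SERVER_HOST = "www.example.test";
    static final File CHAIN_FILE = new File("chain.pem");

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKeys = kpg.generateKeyPair();
        KeyPair serverKeys = kpg.generateKeyPair();

        // 1. Self-signed CA. isCA=true adds BasicConstraints; allUsage=false keeps the
        //    CA key out of "regular" KeyUsage so it is not also usable as a leaf key.
        MinimalCertificateGenerator caGen = new MinimalCertificateGenerator(
                CA_DN, caKeys.getPublic(), MinimalCertificateGenerator.MSEC_IN_YEAR, true, false);
        // Assumption: sign() turns "SHA256" into a SHA-256 signature algorithm for the key.
        // The class default, DEFAULT_DIGEST_ALGORITHM, is SHA-1 and should not be used.
        X509Certificate caCert = caGen.sign("SHA256", caKeys.getPrivate());

        // 2. Leaf issued under the CA: issuer comes from caCert, signature from the CA key.
        //    Assumption: chainLength=null means no pathLenConstraint (not documented).
        MinimalCertificateGenerator leafGen = new MinimalCertificateGenerator(
                SERVER_DN, serverKeys.getPublic(), caCert,
                MinimalCertificateGenerator.MSEC_IN_YEAR, false, null, false);
        leafGen.setServerAuthenticationUsage(SERVER_HOST); // serverAuth EKU + dNSName SAN
        X509Certificate leaf = leafGen.sign("SHA256", caKeys.getPrivate());

        // 3. What a relying party checks: signature chains to the CA, dates are valid,
        //    the CA really is a CA, the leaf is not, and EKU/SAN carry what was requested.
        leaf.verify(caCert.getPublicKey());
        leaf.checkValidity();
        caCert.verify(caCert.getPublicKey());
        require(caCert.getBasicConstraints() >= 0, "CA cert lacks cA=TRUE");
        require(leaf.getBasicConstraints() < 0, "leaf must not be a CA");
        List<String> eku = leaf.getExtendedKeyUsage();
        require(eku != null && eku.contains(MinimalCertificateGenerator.id_kp_serverAuth.getId()),
                "serverAuth EKU missing");
        require(hasDnsName(leaf, SERVER_HOST), "dNSName SAN for " + SERVER_HOST + " missing");

        // 4. Leaf first, then the issuer: the order SSL_CTX_use_certificate_chain_file wants.
        MinimalCertificateGenerator.writeCertificateChain(
                CHAIN_FILE, leaf, Collections.singletonList(caCert), 0, 1);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(CHAIN_FILE)) {
            Collection<? extends Certificate> parsed = cf.generateCertificates(in);
            require(parsed.size() == 2, "expected 2 PEM certificates, found " + parsed.size());
            require(parsed.iterator().next().equals(leaf), "leaf must be first in the file");
        }
        System.out.println("chain OK: " + leaf.getSubjectX500Principal()
                + " issued by " + caCert.getSubjectX500Principal());
    }

    /** True if the certificate carries a dNSName (GeneralName tag 2) SAN equal to host. */
    static boolean hasDnsName(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> san : sans) {
            if (Integer.valueOf(2).equals(san.get(0))
                    && host.equalsIgnoreCase(String.valueOf(san.get(1)))) {
                return true;
            }
        }
        return false;
    }

    static void require(boolean ok, String message) {
        if (!ok) throw new IllegalStateException(message);
    }
}
```

The relying-party checks in step 3 are the ones worth keeping in a test suite for any wrapper like this: a certificate that signs and parses can still be missing cA=TRUE, carry the wrong EKU, or lack the SAN that TLS clients match against, and none of those failures surface until a peer rejects the handshake.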
Random org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.cachedRandom = new Random() [static, protected]
Cache a random number generator (non-secure, used for generating certificate serial numbers).
Because java.util.Random is not a cryptographic generator, serial numbers produced from it are predictable. RFC 5280 section 4.1.2.2 requires a serial number to be a positive integer of at most 20 octets, and publicly trusted CAs are required to draw at least 64 bits of it from a CSPRNG; anything beyond test use needs a serial drawn from SecureRandom, which this class does not provide.
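Because cachedRandom is a java.util.Random, serials from this class are predictable. The following is an added example, not CCNx code, showing a serial generator drawn from SecureRandom and a check that enforces what RFC 5280 section 4.1.2.2 requires (a positive INTEGER of at most 20 octets) plus the 64 bits of CSPRNG output that the CA/Browser Forum Baseline Requirements mandate. The constants and the sample serials in main are constructed for the example, each chosen to trip one check.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

/**
 * Added example, not CCNx project code: RFC 5280-compliant serial numbers and an
 * audit check that can be run over an existing X509Certificate.
 */
public final class SerialNumbers {

    private static final SecureRandom RNG = new SecureRandom();
    static final int ENTROPY_BITS = 64;   // minimum unpredictable bits required in a serial
    static final int MAX_OCTETS = 20;     // RFC 5280 upper bound on the encoded INTEGER

    /** 128-bit positive serial from a CSPRNG; at most 17 octets, within the 20-octet limit. */
    public static BigInteger newSerial() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        // Signum 1 forces a positive value even when the top bit of raw[0] is set;
        // DER then prepends a 0x00 octet, which is why 16 random bytes may encode as 17.
        return new BigInteger(1, raw);
    }

    /** Reason a serial is unacceptable, or null if it passes every check. */
    public static String rejectReason(BigInteger serial) {
        if (serial == null) return "serial missing";
        if (serial.signum() <= 0) return "serial must be positive (RFC 5280 4.1.2.2)";
        // toByteArray() is the two's-complement content octets DER would emit, sign bit included.
        if (serial.toByteArray().length > MAX_OCTETS) return "serial exceeds " + MAX_OCTETS + " octets";
        // bitLength() bounds the entropy from above: a value this short cannot hold 64 random bits.
        if (serial.bitLength() < ENTROPY_BITS) return "serial shorter than " + ENTROPY_BITS + " bits";
        return null;
    }

    /** Same check applied to an issued certificate. */
    public static String rejectReason(X509Certificate cert) {
        return rejectReason(cert.getSerialNumber());
    }

    public static void main(String[] args) {
        // Constructed samples: one good serial, then a negative, a short, and an oversized one.
        BigInteger[] samples = {
                newSerial(),
                BigInteger.valueOf(-42L),
                BigInteger.valueOf(12345L),
                BigInteger.ONE.shiftLeft(200)
        };
        for (BigInteger s : samples) {
            String why = rejectReason(s);
            System.out.println(s.toString(16) + " -> " + (why == null ? "ok" : why));
        }
    }
}
```

The bitLength() check is deliberately an upper bound: it rejects values that cannot contain 64 random bits, but it cannot prove that a long value was produced by a CSPRNG, so it complements rather than replaces choosing the generator correctly in the first place.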