org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator Class Reference

Wrap BouncyCastle's X.509 certificate generator in a slightly more user-friendly way. More...


Public Member Functions

 MinimalCertificateGenerator (String subjectDN, PublicKey subjectPublicKey, X509Certificate issuerCertificate, long duration, boolean isCA, Integer chainLength, boolean allUsage) throws CertificateEncodingException, IOException
 Certificate issued under an existing CA.
 MinimalCertificateGenerator (String subjectDN, PublicKey subjectPublicKey, long duration, boolean isCA, boolean allUsage)
 Self-signed certificate (which may or may not be a CA).
 MinimalCertificateGenerator (String subjectDN, PublicKey subjectPublicKey, X500Principal issuerDN, long duration, boolean isCA, Integer chainLength, boolean allUsage)
 Basic common path.
void setServerAuthenticationUsage (String serverDNSName)
 Adds both the server authentication OID to the EKU extension and the DNS name to the subject alt name extension (not marked critical).
void setClientAuthenticationUsage ()
 Adds client authentication as a usage for this certificate.
void setSecureEmailUsage (String subjectEmailAddress)
 Adds both the secure email OID to the EKU extension and the email address to the subject alt name extension (not marked critical).
void setIPSecUsage (String ipAddress)
 Adds the IP address to subjectAltName and the IPSec usage to the EKU.
void setExtendedKeyUsage (String usageOID)
void addSubjectAltName (URI subjectURI)
void addAuthorityName (URI authorityName)
 Add additional AuthorityKeyIdentifier information.
X509Certificate sign (String digestAlgorithm, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException
 Generate an X509 certificate, based on the current issuer and subject using the default provider.
void addExtension (String oid, boolean critical, byte[] value)
 Open up the ability to add additional extensions that aren't EKU or SubjectAltName (which we manage).

Static Public Member Functions

static X509Certificate GenerateUserCertificate (PublicKey userPublicKey, String subjectDN, long duration, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException
 Generates an X509 certificate for a specified user public key, subject distinguished name and duration.
static X509Certificate GenerateUserCertificate (String subjectDN, PublicKey userPublicKey, X509Certificate issuerCertificate, long duration, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, IOException
 Generates an X509 certificate for a specified user public key, subject distinguished name, issuer certificate and duration.
static X509Certificate GenerateUserCertificate (KeyPair userKeyPair, String subjectDN, long duration) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException
 Helper method.
static X509Certificate GenerateUserCertificate (PublicKey userPublicKey, String subjectDN, String emailAddress, long duration, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException
 Generates an X509 certificate for a specified user key, subject distinguished name, email address and duration.
static X509Certificate GenerateUserCertificate (KeyPair userKeyPair, String subjectDN, String emailAddress, long duration) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException
 Helper method.
static void writeCertificateChain (File targetFile, X509Certificate userCertificate, List< X509Certificate > chain, int chainOffset, int chainCount) throws CertificateEncodingException, FileNotFoundException
 Writes a file of certificates in the form expected by SSL_CTX_load_verify_locations() and (if in the right order) SSL_CTX_use_certificate_chain_file(). Quoting from the OpenSSL documentation: If CAfile is not NULL, it points to a file of CA certificates in PEM format.
static void writePEMCertificate (PrintWriter writer, X509Certificate certificate) throws CertificateEncodingException

Static Public Attributes

static final DERObjectIdentifier id_kp_serverAuth = new DERObjectIdentifier("1.3.6.1.5.5.7.3.1")
 A few useful OIDs that aren't in X509Extension, plus those that are (because they're protected there).
static final DERObjectIdentifier id_kp_clientAuth = new DERObjectIdentifier("1.3.6.1.5.5.7.3.2")
static final DERObjectIdentifier id_kp_emailProtection = new DERObjectIdentifier("1.3.6.1.5.5.7.3.4")
static final DERObjectIdentifier id_kp_ipsec = new DERObjectIdentifier("1.3.6.1.5.5.8.2.2")
static final String SUN_PROVIDER = "SUN"
 We can't just use null to get the default provider and have any assurance of what it is, as a user can change the default provider.
static long MSEC_IN_YEAR = 1000 * 60 * 60 * 24 * 365
static final String BEGIN_CERTIFICATE = "-----BEGIN CERTIFICATE-----"
static final String END_CERTIFICATE = "-----END CERTIFICATE-----"
static final int CERTIFICATE_WRAP_LENGTH = 40

Protected Member Functions

void addExtendedKeyUsageExtension ()
 Adds an extended key usage extension to the certificate.
void addAuthorityKeyIdentifierExtension ()
 Adds an authority key identifier extension to the certificate.
void addSubjectAltNamesExtension ()
 Adds a subject alternative name extension to the certificate.

Protected Attributes

X509V3CertificateGenerator _generator = new X509V3CertificateGenerator()
Vector< DERObjectIdentifier > _ekus = new Vector<DERObjectIdentifier>()
 Cons up a list of EKUs and SubjectAltNames, then add them en masse just before signing.
ASN1EncodableVector _subjectAltNames = new ASN1EncodableVector()
AuthorityKeyIdentifier _aki = null

Static Protected Attributes

static final String DEFAULT_DIGEST_ALGORITHM = "SHA"
 SHA is the official JCA name for SHA1.
static Random cachedRandom = new Random()
 Cache a random number generator (non-secure, used for generating certificate serial numbers).
static SimpleDateFormat DATE_FORMAT = new SimpleDateFormat("yyMMddHHmmss")
static SimpleTimeZone TZ = new SimpleTimeZone(0, "Z")

Static Package Functions

 [static initializer]

Detailed Description

Wrap BouncyCastle's X.509 certificate generator in a slightly more user-friendly way.


Constructor & Destructor Documentation

org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.MinimalCertificateGenerator (String subjectDN, PublicKey subjectPublicKey, X509Certificate issuerCertificate, long duration, boolean isCA, Integer chainLength, boolean allUsage) throws CertificateEncodingException, IOException

Certificate issued under an existing CA.

Parameters:
subjectDN the distinguished name of the subject.
subjectPublicKey the public key of the subject.
issuerCertificate the certificate of the issuer.
duration the validity duration of the certificate.
isCA add basic constraints
allUsage if isCA is true, also add the "regular" KeyUsage flags, for a dual-use certificate
Exceptions:
CertificateEncodingException 
IOException 
org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.MinimalCertificateGenerator (String subjectDN, PublicKey subjectPublicKey, long duration, boolean isCA, boolean allUsage)

Self-signed certificate (which may or may not be a CA).

Parameters:
subjectDN the distinguished name of the subject.
subjectPublicKey the public key of the subject.
duration the validity duration of the certificate.
isCA add basic constraints
allUsage if isCA is true, also add the "regular" KeyUsage flags, for a dual-use certificate
org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.MinimalCertificateGenerator (String subjectDN, PublicKey subjectPublicKey, X500Principal issuerDN, long duration, boolean isCA, Integer chainLength, boolean allUsage)

Basic common path.

Parameters:
subjectDN the distinguished name of the subject.
subjectPublicKey the public key of the subject.
issuerDN the distinguished name of the issuer.
duration the validity duration of the certificate.
isCA add basic constraints
allUsage if isCA is true, also add the "regular" KeyUsage flags, for a dual-use certificate

Member Function Documentation

void org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.addAuthorityName (URI authorityName)

Add additional AuthorityKeyIdentifier information.

We've already set key ID.

static X509Certificate org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.GenerateUserCertificate (PublicKey userPublicKey, String subjectDN, String emailAddress, long duration, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException [static]

Generates an X509 certificate for a specified user key, subject distinguished name, email address and duration.

Parameters:
userPublicKey the public key of the user.
subjectDN the distinguished name of the subject.
emailAddress the email address.
duration the validity duration of the certificate.
signingKey the signing key.
Returns:
the X509 certificate.
Exceptions:
CertificateEncodingException 
InvalidKeyException 
IllegalStateException 
NoSuchAlgorithmException 
SignatureException 
static X509Certificate org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.GenerateUserCertificate (String subjectDN, PublicKey userPublicKey, X509Certificate issuerCertificate, long duration, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException, IOException [static]

Generates an X509 certificate for a specified user public key, subject distinguished name, issuer certificate and duration.

Parameters:
subjectDN the distinguished name of the user.
userPublicKey the public key of the user.
issuerCertificate the certificate of the issuer.
duration the validity duration of the certificate.
signingKey the signing key.
Returns:
the X509 certificate.
Exceptions:
CertificateEncodingException 
InvalidKeyException 
IllegalStateException 
NoSuchAlgorithmException 
SignatureException 
IOException 
static X509Certificate org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.GenerateUserCertificate (PublicKey userPublicKey, String subjectDN, long duration, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException [static]

Generates an X509 certificate for a specified user public key, subject distinguished name and duration.

Parameters:
userPublicKey the public key of the user.
subjectDN the distinguished name of the user.
duration the validity duration of the certificate.
signingKey the signing key.
Returns:
the X509 certificate.
Exceptions:
CertificateEncodingException 
InvalidKeyException 
IllegalStateException 
NoSuchAlgorithmException 
SignatureException 
void org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.setIPSecUsage (String ipAddress)

Adds the IP address to subjectAltName and the IPSec usage to the EKU.

Parameters:
ipAddress string form of the IP address. Assumed to be in either IPv4 form, "n.n.n.n", with 0<=n<256, or IPv6 form, "n.n.n.n.n.n.n.n", where the n's are the hexadecimal form of the 16-bit address components.
void org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.setSecureEmailUsage (String subjectEmailAddress)

Adds both the secure email OID to the EKU extension and the email address to the subject alt name extension (not marked critical).

(Combines addSecureEmailEKU and addEmailSubjectAltName).

Parameters:
subjectEmailAddress the email address of the subject.
void org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.setServerAuthenticationUsage (String serverDNSName)

Adds both the server authentication OID to the EKU extension and the DNS name to the subject alt name extension (not marked critical).

(Combines addServerAuthenticationEKU and addDNSNameSubjectAltName).

Parameters:
serverDNSName the DNS name of the server.
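The setServerAuthenticationUsage, setSecureEmailUsage and setIPSecUsage methods above all contribute GeneralName entries to the subject alternative name extension. As an added, standalone illustration (not code from the CCNx class, which assembles the same structure through BouncyCastle's ASN.1 types), the Python below encodes that DER GeneralNames value directly, applying the IPv4/IPv6 parsing rule documented for setIPSecUsage; the kind labels and function names are this example's own.

```python
# GeneralName context-specific tags from RFC 5280 section 4.2.1.6 (primitive form).
RFC822_NAME, DNS_NAME, URI_NAME, IP_ADDRESS = 0x81, 0x82, 0x86, 0x87


def parse_ip_address(text):
    """Parse the form setIPSecUsage documents: IPv4 "n.n.n.n" with decimal
    0 <= n < 256, or IPv6 "n.n.n.n.n.n.n.n" with eight hexadecimal 16-bit
    groups.  Returns the 4- or 16-byte iPAddress value; malformed or
    out-of-range input is rejected rather than silently truncated."""
    parts = text.split(".")
    if len(parts) == 4:
        octets = [int(p, 10) for p in parts]
        if any(not 0 <= o < 256 for o in octets):
            raise ValueError("IPv4 component out of range: " + text)
        return bytes(octets)
    if len(parts) == 8:
        groups = [int(p, 16) for p in parts]
        if any(not 0 <= g <= 0xFFFF for g in groups):
            raise ValueError("IPv6 group out of range: " + text)
        return b"".join(g.to_bytes(2, "big") for g in groups)
    raise ValueError("expected 4 decimal or 8 hex components: " + text)


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def general_name(kind, value):
    """One GeneralName; kind is this example's label: "email", "dns", "uri" or "ip"."""
    if kind == "ip":
        return der_tlv(IP_ADDRESS, parse_ip_address(value))
    tag = {"email": RFC822_NAME, "dns": DNS_NAME, "uri": URI_NAME}[kind]
    if not value.isascii():  # rfc822Name, dNSName and URI are IA5String
        raise ValueError("IA5String names must be ASCII: " + value)
    return der_tlv(tag, value.encode("ascii"))


def subject_alt_name(names):
    """SubjectAltName ::= GeneralNames, a SEQUENCE OF GeneralName (tag 0x30):
    the extension value the class accumulates and adds just before signing."""
    return der_tlv(0x30, b"".join(general_name(k, v) for k, v in names))
```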
X509Certificate org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.sign (String digestAlgorithm, PrivateKey signingKey) throws CertificateEncodingException, InvalidKeyException, IllegalStateException, NoSuchAlgorithmException, SignatureException

Generate an X509 certificate, based on the current issuer and subject using the default provider.

Use the old form of the BC certificate generation call for compatibility with older versions of BouncyCastle; suppress the deprecation warning on newer platforms.

Parameters:
digestAlgorithm the digest algorithm.
signingKey the signing key.
Returns:
the X509 certificate.
Exceptions:
CertificateEncodingException 
InvalidKeyException 
IllegalStateException 
NoSuchAlgorithmException 
SignatureException 

Finalize extensions.

static void org.ccnx.ccn.impl.security.crypto.util.MinimalCertificateGenerator.writeCertificateChain (File targetFile, X509Certificate userCertificate, List< X509Certificate > chain, int chainOffset, int chainCount) throws CertificateEncodingException, FileNotFoundException [static]

Writes a file of certificates in the form expected by SSL_CTX_load_verify_locations() and (if in the right order) SSL_CTX_use_certificate_chain_file(). Quoting from the OpenSSL documentation: If CAfile is not NULL, it points to a file of CA certificates in PEM format.

The file can contain several CA certificates identified by -----BEGIN CERTIFICATE----- ... (CA certificate in base64 encoding) ... -----END CERTIFICATE----- sequences. Before, between, and after the certificates text is allowed which can be used e.g. for descriptions of the certificates.

From documentation: SSL_CTX_use_certificate_chain_file loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA. There is no corresponding function working on a single SSL object. This method assumes the caller already has ordered the chain.

Parameters:
targetFile the file to write the certificates to.
userCertificate if not null, the first cert to write in the chain
chain a set of certificates to write after any user certificate. Written in order given, can be used to write an ordered chain or a set of roots where order doesn't matter.
chainOffset the index into chain to start writing
chainCount the number of certs to output.
Exceptions:
CertificateEncodingException 
FileNotFoundException 
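As an added, standalone example (not the project's own code) of the file layout writeCertificateChain produces and SSL_CTX_use_certificate_chain_file expects, the Python writer below follows the same ordering contract and the class's 40-character base64 wrap, and the reader tolerates text before, between and after the blocks as the quoted OpenSSL documentation allows. The certificate bytes used in the test are constructed placeholders, not real DER certificates.

```python
import base64

BEGIN_CERTIFICATE = "-----BEGIN CERTIFICATE-----"
END_CERTIFICATE = "-----END CERTIFICATE-----"
CERTIFICATE_WRAP_LENGTH = 40  # line width the class uses for the base64 body


def pem_certificate(der, wrap=CERTIFICATE_WRAP_LENGTH):
    """One PEM block with the base64 body wrapped at `wrap` characters."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + wrap] for i in range(0, len(b64), wrap)]
    return "\n".join([BEGIN_CERTIFICATE, *lines, END_CERTIFICATE]) + "\n"


def write_certificate_chain(user_certificate, chain, chain_offset, chain_count):
    """Same ordering contract as writeCertificateChain: the user certificate (if
    not None) first, then chain[chain_offset:chain_offset + chain_count] in the
    order given.  Nothing is reordered, so for SSL_CTX_use_certificate_chain_file
    the caller must already have sorted it leaf, intermediates, root."""
    if chain_offset < 0 or chain_count < 0 or chain_offset + chain_count > len(chain):
        raise ValueError("chainOffset/chainCount do not fit the chain list")
    blocks = []
    if user_certificate is not None:
        blocks.append("subject certificate\n" + pem_certificate(user_certificate))
    for i, der in enumerate(chain[chain_offset:chain_offset + chain_count]):
        blocks.append("chain certificate %d\n" % i + pem_certificate(der))
    return "".join(blocks)


def read_certificate_chain(text):
    """Reader with the tolerance the quoted OpenSSL text describes: anything
    outside the BEGIN/END markers is ignored.  Returns each block's DER bytes
    in file order; a block without its END marker is an error."""
    certs, body, inside = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN_CERTIFICATE:
            inside, body = True, []
        elif line == END_CERTIFICATE:
            if not inside:
                raise ValueError("END CERTIFICATE without BEGIN")
            certs.append(base64.b64decode("".join(body), validate=True))
            inside = False
        elif inside:
            body.append(line)
    if inside:
        raise ValueError("unterminated certificate block")
    return certs
```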

Member Data Documentation

cachedRandom: Cache a random number generator (non-secure, used for generating certificate serial numbers).


Generated on Fri May 13 16:27:42 2011 for Content-Centric Networking in Java by  doxygen 1.6.3