Java tutorial
/* * Portions of this file Copyright 1999-2005 University of Chicago Portions of * this file Copyright 1999-2005 The University of Southern California. This * file or a portion of this file is licensed under the terms of the Globus * Toolkit Public License, found at * http://www.globus.org/toolkit/download/license.html. If you redistribute this * file, with or without modifications, you must include this notice in the * file. */ package org.cagrid.gaards.pki; import java.io.IOException; import java.io.InputStream; import java.math.BigInteger; import java.security.GeneralSecurityException; import java.security.KeyPair; import java.security.KeyPairGenerator; import java.security.PrivateKey; import java.security.PublicKey; import java.security.cert.X509Certificate; import java.util.Calendar; import java.util.GregorianCalendar; import java.util.Iterator; import java.util.Random; import java.util.TimeZone; import org.bouncycastle.asn1.ASN1Sequence; import org.bouncycastle.asn1.DERBitString; import org.bouncycastle.asn1.DERConstructedSet; import org.bouncycastle.asn1.DERInputStream; import org.bouncycastle.asn1.DERObject; import org.bouncycastle.asn1.x509.KeyUsage; import org.bouncycastle.asn1.x509.TBSCertificateStructure; import org.bouncycastle.asn1.x509.X509CertificateStructure; import org.bouncycastle.asn1.x509.X509Extension; import org.bouncycastle.asn1.x509.X509Extensions; import org.bouncycastle.asn1.x509.X509Name; import org.bouncycastle.jce.PKCS10CertificationRequest; import org.bouncycastle.jce.X509V3CertificateGenerator; import org.bouncycastle.jce.provider.X509CertificateObject; import org.globus.gsi.CertUtil; import org.globus.gsi.GSIConstants; import org.globus.gsi.GlobusCredential; import org.globus.gsi.X509ExtensionSet; import org.globus.gsi.bc.BouncyCastleUtil; import org.globus.gsi.bc.X509NameHelper; import org.globus.gsi.proxy.ext.GlobusProxyCertInfoExtension; import org.globus.gsi.proxy.ext.ProxyCertInfo; import org.globus.gsi.proxy.ext.ProxyCertInfoExtension; import org.globus.gsi.proxy.ext.ProxyPolicy; /** * Provides certificate processing API such as creating new certificates, * certificate requests, etc. */ public class BouncyCastleCertProcessingFactory { private static BouncyCastleCertProcessingFactory factory; protected BouncyCastleCertProcessingFactory() { } /** * Returns an instance of this class.. * * @return <code>BouncyCastleCertProcessingFactory</code> instance. */ public static synchronized BouncyCastleCertProcessingFactory getDefault() { if (factory == null) { factory = new BouncyCastleCertProcessingFactory(); } return factory; } /** * Creates a proxy certificate from the certificate request. * * @see #createCertificate(InputStream, X509Certificate, PrivateKey, int, * int, X509ExtensionSet, String) createCertificate */ public X509Certificate createCertificate(String provider, InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, int delegationMode, String signatureAlgorithm) throws IOException, GeneralSecurityException { return createCertificate(provider, certRequestInputStream, cert, privateKey, lifetime, delegationMode, (X509ExtensionSet) null, null, signatureAlgorithm); } /** * Creates a proxy certificate from the certificate request. * * @see #createCertificate(InputStream, X509Certificate, PrivateKey, int, * int, X509ExtensionSet, String) createCertificate */ public X509Certificate createCertificate(String provider, InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, int delegationMode, X509ExtensionSet extSet, String signatureAlgorithm) throws IOException, GeneralSecurityException { return createCertificate(provider, certRequestInputStream, cert, privateKey, lifetime, delegationMode, extSet, null, signatureAlgorithm); } /** * Creates a proxy certificate from the certificate request. (Signs a * certificate request creating a new certificate) * * @see #createProxyCertificate(X509Certificate, PrivateKey, PublicKey, int, * int, X509ExtensionSet, String) createProxyCertificate * @param certRequestInputStream * the input stream to read the certificate request from. * @param cert * the issuer certificate * @param privateKey * the private key to sign the new certificate with. * @param lifetime * lifetime of the new certificate in seconds. If 0 (or less * then) the new certificate will have the same lifetime as the * issuing certificate. * @param delegationMode * the type of proxy credential to create * @param extSet * a set of X.509 extensions to be included in the new proxy * certificate. Can be null. If delegation mode is * {@link GSIConstants#GSI_3_RESTRICTED_PROXY * GSIConstants.GSI_3_RESTRICTED_PROXY} then * {@link org.globus.gsi.proxy.ext.ProxyCertInfoExtension * ProxyCertInfoExtension} must be present in the extension set. * @param cnValue * the value of the CN component of the subject of the new * certificate. If null, the defaults will be used depending on * the proxy certificate type created. * @return <code>X509Certificate</code> the new proxy certificate * @exception IOException * if error reading the certificate request * @exception GeneralSecurityException * if a security error occurs. */ public X509Certificate createCertificate(String provider, InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, int delegationMode, X509ExtensionSet extSet, String cnValue, String signatureAlgorithm) throws IOException, GeneralSecurityException { DERInputStream derin = new DERInputStream(certRequestInputStream); DERObject reqInfo = derin.readObject(); PKCS10CertificationRequest certReq = new PKCS10CertificationRequest((ASN1Sequence) reqInfo); boolean rs = certReq.verify(); if (!rs) { throw new GeneralSecurityException("Certificate request verification failed!"); } return createProxyCertificate(provider, cert, privateKey, certReq.getPublicKey(), lifetime, delegationMode, extSet, cnValue, signatureAlgorithm); } /** * Loads a X509 certificate from the specified input stream. Input stream * must contain DER-encoded certificate. * * @param in * the input stream to read the certificate from. * @return <code>X509Certificate</code> the loaded certificate. * @exception GeneralSecurityException * if certificate failed to load. */ public X509Certificate loadCertificate(InputStream in) throws IOException, GeneralSecurityException { DERInputStream derin = new DERInputStream(in); DERObject certInfo = derin.readObject(); ASN1Sequence seq = ASN1Sequence.getInstance(certInfo); return new X509CertificateObject(new X509CertificateStructure(seq)); } /** * Creates a new proxy credential from the specified certificate chain and a * private key. * * @see #createCredential(X509Certificate[], PrivateKey, int, int, int, * X509ExtensionSet, String) createCredential */ public GlobusCredential createCredential(String provider, X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, int delegationMode, String signatureAlgorithm) throws GeneralSecurityException { return createCredential(provider, certs, privateKey, bits, lifetime, delegationMode, (X509ExtensionSet) null, null, signatureAlgorithm); } /** * Creates a new proxy credential from the specified certificate chain and a * private key. * * @see #createCredential(X509Certificate[], PrivateKey, int, int, int, * X509ExtensionSet, String) createCredential */ public GlobusCredential createCredential(String provider, X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, int delegationMode, X509ExtensionSet extSet, String signatureAlgorithm) throws GeneralSecurityException { return createCredential(provider, certs, privateKey, bits, lifetime, delegationMode, extSet, null, signatureAlgorithm); } /** * Creates a new proxy credential from the specified certificate chain and a * private key. A set of X.509 extensions can be optionally included in the * new proxy certificate. This function automatically creates a "RSA"-based * key pair. * * @see #createProxyCertificate(X509Certificate, PrivateKey, PublicKey, int, * int, X509ExtensionSet, String) createProxyCertificate * @param certs * the certificate chain for the new proxy credential. The * top-most certificate <code>cert[0]</code> will be designated * as the issuing certificate. * @param privateKey * the private key of the issuing certificate. The new proxy * certificate will be signed with that private key. * @param bits * the strength of the key pair for the new proxy certificate. * @param lifetime * lifetime of the new certificate in seconds. If 0 (or less * then) the new certificate will have the same lifetime as the * issuing certificate. * @param delegationMode * the type of proxy credential to create * @param extSet * a set of X.509 extensions to be included in the new proxy * certificate. Can be null. If delegation mode is * {@link GSIConstants#GSI_3_RESTRICTED_PROXY * GSIConstants.GSI_3_RESTRICTED_PROXY} then * {@link org.globus.gsi.proxy.ext.ProxyCertInfoExtension * ProxyCertInfoExtension} must be present in the extension set. * @param cnValue * the value of the CN component of the subject of the new proxy * credential. If null, the defaults will be used depending on * the proxy certificate type created. * @return <code>GlobusCredential</code> the new proxy credential. * @exception GeneralSecurityException * if a security error occurs. */ public GlobusCredential createCredential(String provider, X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, int delegationMode, X509ExtensionSet extSet, String cnValue, String signatureAlgorithm) throws GeneralSecurityException { KeyPairGenerator keyGen = null; keyGen = KeyPairGenerator.getInstance("RSA", "BC"); keyGen.initialize(bits); KeyPair keyPair = keyGen.genKeyPair(); X509Certificate newCert = createProxyCertificate(provider, certs[0], privateKey, keyPair.getPublic(), lifetime, delegationMode, extSet, cnValue, signatureAlgorithm); X509Certificate[] newCerts = new X509Certificate[certs.length + 1]; newCerts[0] = newCert; System.arraycopy(certs, 0, newCerts, 1, certs.length); return new GlobusCredential(keyPair.getPrivate(), newCerts); } /** * Creates a certificate request from the specified subject DN and a key * pair. The <I>"MD5WithRSAEncryption"</I> is used as the signing algorithm * of the certificate request. * * @param subject * the subject of the certificate request * @param keyPair * the key pair of the certificate request * @return the certificate request. * @exception GeneralSecurityException * if security error occurs. */ public byte[] createCertificateRequest(String subject, KeyPair keyPair) throws GeneralSecurityException { X509Name name = new X509Name(subject); return createCertificateRequest(name, "MD5WithRSA", keyPair); } /** * Creates a certificate request from the specified certificate and a key * pair. The certificate's subject DN with <I>"CN=proxy"</I> name component * appended to the subject is used as the subject of the certificate * request. Also the certificate's signing algorithm is used as the * certificate request signing algorithm. * * @param cert * the certificate to create the certificate request from. * @param keyPair * the key pair of the certificate request * @return the certificate request. * @exception GeneralSecurityException * if security error occurs. */ public byte[] createCertificateRequest(X509Certificate cert, KeyPair keyPair) throws GeneralSecurityException { String issuer = cert.getSubjectDN().getName(); X509Name subjectDN = new X509Name(issuer + ",CN=proxy"); String sigAlgName = cert.getSigAlgName(); return createCertificateRequest(subjectDN, sigAlgName, keyPair); } /** * Creates a certificate request from the specified subject name, signing * algorithm, and a key pair. * * @param subjectDN * the subject name of the certificate request. * @param sigAlgName * the signing algorithm name. * @param keyPair * the key pair of the certificate request * @return the certificate request. * @exception GeneralSecurityException * if security error occurs. */ public byte[] createCertificateRequest(X509Name subjectDN, String sigAlgName, KeyPair keyPair) throws GeneralSecurityException { DERConstructedSet attrs = null; PKCS10CertificationRequest certReq = null; certReq = new PKCS10CertificationRequest(sigAlgName, subjectDN, keyPair.getPublic(), attrs, keyPair.getPrivate()); return certReq.getEncoded(); } /** * Creates a proxy certificate. A set of X.509 extensions can be optionally * included in the new proxy certificate. <BR> * If a GSI-2 proxy is created, the serial number of the proxy certificate * will be the same as of the issuing certificate. Also, none of the * extensions in the issuing certificate will be copied into the proxy * certificate.<BR> * If a GSI-3 proxy is created, the serial number of the proxy certificate * will be picked randomly. If the issuing certificate contains a * <i>KeyUsage</i> extension, the extension will be copied into the proxy * certificate with <i>keyCertSign</i> and <i>nonRepudiation</i> bits * turned off. No other extensions are currently copied. * * @param issuerCert * the issuing certificate * @param issuerKey * private key matching the public key of issuer certificate. The * new proxy certificate will be signed by that key. * @param publicKey * the public key of the new certificate * @param lifetime * lifetime of the new certificate in seconds. If 0 (or less * then) the new certificate will have the same lifetime as the * issuing certificate. * @param proxyType * can be one of {@link GSIConstants#DELEGATION_LIMITED * GSIConstants.DELEGATION_LIMITED}, * {@link GSIConstants#DELEGATION_FULL * GSIConstants.DELEGATION_FULL}, * {@link GSIConstants#GSI_2_LIMITED_PROXY * GSIConstants.GSI_2_LIMITED_PROXY}, * {@link GSIConstants#GSI_2_PROXY GSIConstants.GSI_2_PROXY}, * {@link GSIConstants#GSI_3_IMPERSONATION_PROXY * GSIConstants.GSI_3_IMPERSONATION_PROXY}, * {@link GSIConstants#GSI_3_LIMITED_PROXY * GSIConstants.GSI_3_LIMITED_PROXY}, * {@link GSIConstants#GSI_3_INDEPENDENT_PROXY * GSIConstants.GSI_3_INDEPENDENT_PROXY}, * {@link GSIConstants#GSI_3_RESTRICTED_PROXY * GSIConstants.GSI_3_RESTRICTED_PROXY}. If * {@link GSIConstants#DELEGATION_LIMITED * GSIConstants.DELEGATION_LIMITED} and if * {@link CertUtil#isGsi3Enabled() CertUtil.isGsi3Enabled} * returns true then a GSI-3 limited proxy will be created. If * not, a GSI-2 limited proxy will be created. If * {@link GSIConstants#DELEGATION_FULL * GSIConstants.DELEGATION_FULL} and if * {@link CertUtil#isGsi3Enabled() CertUtil.isGsi3Enabled} * returns true then a GSI-3 impersonation proxy will be created. * If not, a GSI-2 full proxy will be created. * @param extSet * a set of X.509 extensions to be included in the new proxy * certificate. Can be null. If delegation mode is * {@link GSIConstants#GSI_3_RESTRICTED_PROXY * GSIConstants.GSI_3_RESTRICTED_PROXY} then * {@link org.globus.gsi.proxy.ext.ProxyCertInfoExtension * ProxyCertInfoExtension} must be present in the extension set. * @param cnValue * the value of the CN component of the subject of the new * certificate. If null, the defaults will be used depending on * the proxy certificate type created. * @return <code>X509Certificate</code> the new proxy certificate. * @exception GeneralSecurityException * if a security error occurs. */ public X509Certificate createProxyCertificate(String provider, X509Certificate issuerCert, PrivateKey issuerKey, PublicKey publicKey, int lifetime, int proxyType, X509ExtensionSet extSet, String cnValue, String signatureAlgorithm) throws GeneralSecurityException { if (proxyType == GSIConstants.DELEGATION_LIMITED) { int type = BouncyCastleUtil.getCertificateType(issuerCert); if (CertUtil.isGsi4Proxy(type)) { proxyType = GSIConstants.GSI_4_LIMITED_PROXY; } else if (CertUtil.isGsi3Proxy(type)) { proxyType = GSIConstants.GSI_3_LIMITED_PROXY; } else if (CertUtil.isGsi2Proxy(type)) { proxyType = GSIConstants.GSI_2_LIMITED_PROXY; } else { // default to Globus OID proxyType = (CertUtil.isGsi3Enabled()) ? GSIConstants.GSI_3_LIMITED_PROXY : GSIConstants.GSI_2_LIMITED_PROXY; } } else if (proxyType == GSIConstants.DELEGATION_FULL) { int type = BouncyCastleUtil.getCertificateType(issuerCert); if (CertUtil.isGsi4Proxy(type)) { proxyType = GSIConstants.GSI_4_IMPERSONATION_PROXY; } else if (CertUtil.isGsi3Proxy(type)) { proxyType = GSIConstants.GSI_3_IMPERSONATION_PROXY; } else if (CertUtil.isGsi2Proxy(type)) { proxyType = GSIConstants.GSI_2_PROXY; } else { // Default to Globus OID proxyType = (CertUtil.isGsi3Enabled()) ? GSIConstants.GSI_3_IMPERSONATION_PROXY : GSIConstants.GSI_2_PROXY; } } X509V3CertificateGenerator certGen = new X509V3CertificateGenerator(); org.globus.gsi.X509Extension x509Ext = null; BigInteger serialNum = null; String delegDN = null; if (CertUtil.isGsi3Proxy(proxyType) || CertUtil.isGsi4Proxy(proxyType)) { Random rand = new Random(); delegDN = String.valueOf(Math.abs(rand.nextInt())); serialNum = new BigInteger(20, rand); if (extSet != null) { x509Ext = extSet.get(ProxyCertInfo.OID.getId()); if (x509Ext == null) { x509Ext = extSet.get(ProxyCertInfo.OLD_OID.getId()); } } if (x509Ext == null) { // create ProxyCertInfo extension ProxyPolicy policy = null; if (CertUtil.isLimitedProxy(proxyType)) { policy = new ProxyPolicy(ProxyPolicy.LIMITED); } else if (CertUtil.isIndependentProxy(proxyType)) { policy = new ProxyPolicy(ProxyPolicy.INDEPENDENT); } else if (CertUtil.isImpersonationProxy(proxyType)) { // since limited has already been checked, this should work. policy = new ProxyPolicy(ProxyPolicy.IMPERSONATION); } else if ((proxyType == GSIConstants.GSI_3_RESTRICTED_PROXY) || (proxyType == GSIConstants.GSI_4_RESTRICTED_PROXY)) { throw new IllegalArgumentException("Restricted proxy requires ProxyCertInfo extension"); } else { throw new IllegalArgumentException("Invalid proxyType"); } ProxyCertInfo proxyCertInfo = new ProxyCertInfo(policy); x509Ext = new ProxyCertInfoExtension(proxyCertInfo); if (CertUtil.isGsi4Proxy(proxyType)) { // RFC compliant OID x509Ext = new ProxyCertInfoExtension(proxyCertInfo); } else { // old OID x509Ext = new GlobusProxyCertInfoExtension(proxyCertInfo); } } try { // add ProxyCertInfo extension to the new cert certGen.addExtension(x509Ext.getOid(), x509Ext.isCritical(), x509Ext.getValue()); // handle KeyUsage in issuer cert TBSCertificateStructure crt = BouncyCastleUtil.getTBSCertificateStructure(issuerCert); X509Extensions extensions = crt.getExtensions(); if (extensions != null) { X509Extension ext; // handle key usage ext ext = extensions.getExtension(X509Extensions.KeyUsage); if (ext != null) { // TBD: handle this better if (extSet != null && (extSet.get(X509Extensions.KeyUsage.getId()) != null)) { throw new GeneralSecurityException("KeyUsage extension present in X509ExtensionSet " + "and in issuer certificate."); } DERBitString bits = (DERBitString) BouncyCastleUtil.getExtensionObject(ext); byte[] bytes = bits.getBytes(); // make sure they are disabled if ((bytes[0] & KeyUsage.nonRepudiation) != 0) { bytes[0] ^= KeyUsage.nonRepudiation; } if ((bytes[0] & KeyUsage.keyCertSign) != 0) { bytes[0] ^= KeyUsage.keyCertSign; } bits = new DERBitString(bytes, bits.getPadBits()); certGen.addExtension(X509Extensions.KeyUsage, ext.isCritical(), bits); } } } catch (IOException e) { // but this should not happen throw new GeneralSecurityException(e.getMessage()); } } else if (proxyType == GSIConstants.GSI_2_LIMITED_PROXY) { delegDN = "limited proxy"; serialNum = issuerCert.getSerialNumber(); } else if (proxyType == GSIConstants.GSI_2_PROXY) { delegDN = "proxy"; serialNum = issuerCert.getSerialNumber(); } else { throw new IllegalArgumentException("Unsupported proxyType : " + proxyType); } // add specified extensions if (extSet != null) { Iterator iter = extSet.oidSet().iterator(); while (iter.hasNext()) { String oid = (String) iter.next(); // skip ProxyCertInfo extension if (oid.equals(ProxyCertInfo.OID.getId()) || oid.equals(ProxyCertInfo.OLD_OID.getId())) { continue; } x509Ext = (org.globus.gsi.X509Extension) extSet.get(oid); certGen.addExtension(x509Ext.getOid(), x509Ext.isCritical(), x509Ext.getValue()); } } X509Name issuerDN = (X509Name) issuerCert.getSubjectDN(); X509NameHelper issuer = new X509NameHelper(issuerDN); X509NameHelper subject = new X509NameHelper(issuerDN); subject.add(X509Name.CN, (cnValue == null) ? delegDN : cnValue); certGen.setSubjectDN(subject.getAsName()); certGen.setIssuerDN(issuer.getAsName()); certGen.setSerialNumber(serialNum); certGen.setPublicKey(publicKey); certGen.setSignatureAlgorithm(signatureAlgorithm); GregorianCalendar date = new GregorianCalendar(TimeZone.getTimeZone("GMT")); /* Allow for a five minute clock skew here. */ date.add(Calendar.MINUTE, -5); certGen.setNotBefore(date.getTime()); /* If hours = 0, then cert lifetime is set to user cert */ if (lifetime <= 0) { certGen.setNotAfter(issuerCert.getNotAfter()); } else { date.add(Calendar.MINUTE, 5); date.add(Calendar.SECOND, lifetime); certGen.setNotAfter(date.getTime()); } /** * FIXME: Copy appropriate cert extensions - this should NOT be done the * last time we talked to Doug E. This should investigated more. */ return certGen.generateX509Certificate(issuerKey, provider); } // ----------------- OLDER API ------------------------------ private X509ExtensionSet createExtensionSet(ProxyCertInfo proxyCertInfo) { X509ExtensionSet set = null; if (proxyCertInfo != null) { set = new X509ExtensionSet(); set.add(new ProxyCertInfoExtension(proxyCertInfo)); } return set; } /** * @deprecated Please use * {@link #createProxyCertificate(X509Certificate, PrivateKey, PublicKey, * int, int, X509ExtensionSet, String) createProxyCertificate()} * instead. The <code>ProxyCertInfo</code> parameter can be * passed in the <code>X509ExtensionSet</code> using * {@link org.globus.gsi.proxy.ext.ProxyCertInfoExtension * ProxyCertInfoExtension} class. */ public X509Certificate createProxyCertificate(String provider, X509Certificate issuerCert, PrivateKey issuerKey, PublicKey publicKey, int lifetime, int proxyType, ProxyCertInfo proxyCertInfo, String cnValue, String signatureAlgorithm) throws GeneralSecurityException { return createProxyCertificate(provider, issuerCert, issuerKey, publicKey, lifetime, proxyType, createExtensionSet(proxyCertInfo), cnValue, signatureAlgorithm); } /** * @deprecated Please use * {@link #createCredential(X509Certificate[], PrivateKey, int, * int, int, X509ExtensionSet, String) createCredential()} * instead. The <code>ProxyCertInfo</code> parameter can be * passed in the <code>X509ExtensionSet</code> using * {@link org.globus.gsi.proxy.ext.ProxyCertInfoExtension * ProxyCertInfoExtension} class. */ public GlobusCredential createCredential(String provider, X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, int delegationMode, ProxyCertInfo proxyCertInfoExt, String cnValue) throws GeneralSecurityException { return createCredential(provider, certs, privateKey, bits, lifetime, delegationMode, createExtensionSet(proxyCertInfoExt), cnValue); } /** * @deprecated * @see #createCredential(X509Certificate[], PrivateKey, int, int, int, * ProxyCertInfo, String) createCredential */ public GlobusCredential createCredential(String provider, X509Certificate[] certs, PrivateKey privateKey, int bits, int lifetime, int delegationMode, ProxyCertInfo proxyCertInfoExt) throws GeneralSecurityException { return createCredential(provider, certs, privateKey, bits, lifetime, delegationMode, proxyCertInfoExt, null); } /** * @deprecated Please use * {@link #createCertificate(InputStream, X509Certificate, PrivateKey, int, * int, X509ExtensionSet, String) createCertificate()} instead. * The <code>ProxyCertInfo</code> parameter can be passed in * the <code>X509ExtensionSet</code> using * {@link org.globus.gsi.proxy.ext.ProxyCertInfoExtension * ProxyCertInfoExtension} class. */ public X509Certificate createCertificate(String provider, InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, int delegationMode, ProxyCertInfo proxyCertInfoExt, String cnValue) throws IOException, GeneralSecurityException { return createCertificate(provider, certRequestInputStream, cert, privateKey, lifetime, delegationMode, createExtensionSet(proxyCertInfoExt), cnValue); } /** * @deprecated * @see #createCertificate(InputStream, X509Certificate, PrivateKey, int, * int, ProxyCertInfo, String) createCertificate */ public X509Certificate createCertificate(String provider, InputStream certRequestInputStream, X509Certificate cert, PrivateKey privateKey, int lifetime, int delegationMode, ProxyCertInfo proxyCertInfoExt) throws IOException, GeneralSecurityException { return createCertificate(provider, certRequestInputStream, cert, privateKey, lifetime, delegationMode, proxyCertInfoExt, null); } }