Class ProxyCSRGenerator


  • public class ProxyCSRGenerator
    extends java.lang.Object
    Generates a proxy certificate signing request. The request parameters may contain extensions which are passed in the generated Certificate Signing Request. Of course the peer issuing the proxy certificate may ignore them.

    The following rules are applied based on the parameters object:

    • [RFC proxy only] If the serial number is set then it is used as the requested CN part of the proxy. Otherwise the CN part is set to the serial number of the issuing certificate. Note that this value will most probably be ignored anyway by the party which issues the actual proxy, as it is that party's responsibility to guarantee uniqueness of serial numbers across all proxies issued.
    • All additional extensions, SAML, tracing and address restrictions are added as Attributes of extensionRequest type (PKCS 9) if they are set.
    • Proxy path limit and policy (if set) are wrapped into the proxy extension and then included in the Attributes list (as above). If only one of the values is set then the other receives the default value. If the type is set to the legacy proxy then those parameters are ignored.
    • There is no way to request a validity time of the generated proxy, therefore the lifetime parameter is ignored.
    Author:
    K. Benedyczak
    • Constructor Detail

      • ProxyCSRGenerator

        public ProxyCSRGenerator()
    • Method Detail

      • generate

        public static ProxyCSR generate(ProxyCertificateOptions param)
                                 throws java.security.InvalidKeyException,
                                        java.security.SignatureException,
                                        java.security.NoSuchAlgorithmException,
                                        java.security.cert.CertificateEncodingException
        Generate the proxy certificate signing request. Use this method if you want to sign the CSR with a private key that is autogenerated together with the public key that will be included in the proxy itself. This method will throw an exception if used with a parameter object which has the public key manually set.
        Parameters:
        param - request creation parameters
        Returns:
        Proxy certificate signing request
        Throws:
        java.security.InvalidKeyException - invalid key exception
        java.security.SignatureException - signature exception
        java.security.NoSuchAlgorithmException - no such algorithm exception
        java.security.cert.CertificateEncodingException - certificate encoding exception
        java.lang.IllegalArgumentException - when signingKey is null and public key was manually set
      • generate

        public static ProxyCSR generate(ProxyCertificateOptions param,
                                        java.security.PrivateKey signingKey)
                                 throws java.security.InvalidKeyException,
                                        java.security.SignatureException,
                                        java.security.NoSuchAlgorithmException,
                                        java.security.cert.CertificateEncodingException
        Generate the proxy certificate signing request. Use this method if you want to manually specify the CSR signing key. This is normally the case when the ProxyCertificateOptions parameter contains a manually set public key.
        Parameters:
        param - request creation parameters
        signingKey - private key
        Returns:
        Proxy certificate signing request
        Throws:
        java.security.InvalidKeyException - invalid key exception
        java.security.SignatureException - signature exception
        java.security.NoSuchAlgorithmException - no such algorithm exception
        java.security.cert.CertificateEncodingException - certificate encoding exception
        java.lang.IllegalArgumentException - when signingKey is null and public key was manually set
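
The two generate overloads side by side, followed by the signature check a receiving party can run on the CSR before issuing a proxy. This is an added example, not code from the library or its author. It assumes the package name eu.emi.security.authn.x509.proxy, the ProxyCertificateOptions(X509Certificate[]) constructor, setPublicKey, and ProxyCSR.getCSR()/hasPrivateKey(), none of which are shown on this page, plus BouncyCastle on the classpath; the parent certificate is constructed for the example.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import eu.emi.security.authn.x509.proxy.*; // assumed package of the classes on this page

public class ProxyCsrExample {
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        // Constructed self-signed certificate standing in for the parent chain.
        KeyPair parentKeys = kpg.generateKeyPair();
        X500Name dn = new X500Name("CN=Constructed Test User");
        Date now = new Date();
        X509Certificate parent = new JcaX509CertificateConverter().getCertificate(
            new JcaX509v3CertificateBuilder(dn, BigInteger.ONE, now,
                    new Date(now.getTime() + 3_600_000L), dn, parentKeys.getPublic())
                .build(new JcaContentSignerBuilder("SHA256withRSA").build(parentKeys.getPrivate())));
        X509Certificate[] chain = { parent };
        // Case 1: key pair autogenerated by generate(param); the private key stays local.
        ProxyCSR auto = ProxyCSRGenerator.generate(new ProxyCertificateOptions(chain));
        System.out.println("autogenerated private key available: " + auto.hasPrivateKey());
        // Case 2: public key set manually, so the CSR signing key must be passed in.
        KeyPair own = kpg.generateKeyPair();
        ProxyCertificateOptions opts = new ProxyCertificateOptions(chain);
        opts.setPublicKey(own.getPublic());
        try {
            ProxyCSRGenerator.generate(opts); // documented to throw
        } catch (IllegalArgumentException e) {
            System.out.println("one-argument generate rejected the preset public key");
        }
        ProxyCSR manual = ProxyCSRGenerator.generate(opts, own.getPrivate());
        // Receiving side: the CSR signature must verify under the key it carries.
        for (ProxyCSR csr : new ProxyCSR[] { auto, manual }) {
            PKCS10CertificationRequest req = csr.getCSR();
            boolean ok = req.isSignatureValid(
                new JcaContentVerifierProviderBuilder().build(req.getSubjectPublicKeyInfo()));
            System.out.println("CSR signature valid: " + ok);
        }
    }
}
```

A request whose signature does not verify under its own embedded public key gives no proof that the requester holds the matching private key, so the issuing side should reject it before looking at any requested extensions.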