org.globus.security
Class CertUtil

java.lang.Object
  +--org.globus.security.CertUtil

public class CertUtil
extends java.lang.Object
Contains various utility methods for dealing with X509 certificates (as well as keys), including the following operations:
- Loading certificates
- Loading user keys
- Loading a Globus proxy file (containing two certs and one key)
- Checking certificates for validity
- Signing certificate requests
Constructor Summary
CertUtil()
Method Summary
static void checkCertificate(java.security.cert.X509Certificate cert)
    Checks an X509 certificate for validity, expiration, and other problems.
static void checkCertificates(java.security.cert.X509Certificate[] certs)
    Checks an array of X509 certificates for validity, expiration, and other problems.
static iaik.x509.X509Certificate createCertificate(java.security.cert.X509Certificate userCert,
                                                   iaik.asn1.structures.Name subject,
                                                   java.security.PublicKey pk,
                                                   iaik.asn1.structures.Name issuer,
                                                   java.security.PrivateKey sk,
                                                   int hours)
    Creates a new certificate with the given subject and issuer DN and public key, valid for the specified number of hours (from the current time), and signs it with the given private key.
static GlobusProxy createProxy(java.security.cert.X509Certificate userCert,
                               java.security.PrivateKey userKey,
                               int bits,
                               int hours,
                               boolean limited)
    This is an internal function used by ProxyInit.
static iaik.asn1.structures.Name dupName(iaik.asn1.structures.Name name)
    Creates another copy of the existing Name object.
static java.security.KeyPair generateKeyPair(java.lang.String algorithm,
                                             int bits)
    Generates a new key pair of the specified algorithm and number of bits.
static java.lang.String getUserDN(GlobusProxy proxy)
    Returns the subject name of the user certificate.
static java.lang.String getUserDN(java.security.cert.X509Certificate cert)
    Returns the subject DN of the given certificate.
static void installProvider()
    If the security provider has not already been installed, installs the default security provider in the top position (ahead of all other installed providers).
static java.security.cert.X509Certificate loadCert(java.lang.String file)
    Loads an X509 certificate from the specified file.
static java.security.cert.X509Certificate loadCertificate(java.io.InputStream in)
static GlobusProxy loadDefaultUserProxy()
    Deprecated. Use Globus.getDefaultProxy() instead.
static GlobusProxy loadPKCS12Proxy(java.lang.String file,
                                   java.lang.String pwd)
    Loads a proxy which is in PKCS12 format.
static java.security.PrivateKey loadUserKey(java.lang.String file,
                                            java.lang.String pwd)
    Deprecated. Use the SSLeayKeyHolder class instead.
static java.security.cert.X509Certificate proxy_sign(java.security.cert.X509Certificate ucert,
                                                     java.security.PrivateKey upkey,
                                                     iaik.pkcs.pkcs10.CertificateRequest req,
                                                     boolean doLimited)
    Responsible for responding to a certificate request and doing limited delegation if requested.
static void startSeedGenerationThread()
    Starts a thread to initialize the secure random number generator.
static java.lang.String toGlobusDN(java.lang.String certDN)
    Converts the regular DN into the Globus DN representation: 'cn=proxy, o=globus' into '/o=globus/cn=proxy'.
static java.lang.String toGlobusID(java.lang.String certDN)
    Converts the certificate DN into a Globus DN (with "/") and returns the base DN without CN=proxy or CN=limited proxy.
static void verifyCertificates(java.security.cert.X509Certificate[] certs,
                               boolean checkVadility)
    Verifies a chain of X509 certificates (checks signatures). Optionally, can also check the validity and expiration of individual certificates.

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Constructor Detail

CertUtil
public CertUtil()

Method Detail
loadCertificate
public static java.security.cert.X509Certificate loadCertificate(java.io.InputStream in)
    throws java.security.cert.CertificateException
- Throws:
    java.security.cert.CertificateException
loadCert
public static java.security.cert.X509Certificate loadCert(java.lang.String file)
    throws java.io.IOException, java.security.GeneralSecurityException
- Loads an X509 certificate from the specified file. It reads only what is between the lines containing "BEGIN CERTIFICATE" and "END".
Question: Is this method certificate format specific? (PEM? DER?)
- Parameters:
    file - the certificate file to load the certificate from
- Returns:
    the loaded certificate
- Throws:
    java.io.IOException, java.security.GeneralSecurityException
loadDefaultUserProxy
public static GlobusProxy loadDefaultUserProxy() throws GlobusProxyException
- Deprecated. Use Globus.getDefaultProxy() instead.
- Use GlobusProxy.getDefaultUserProxy() instead. It is used by a lot of functions still.
verifyCertificates
public static void verifyCertificates(java.security.cert.X509Certificate[] certs,
                                      boolean checkVadility)
    throws java.security.GeneralSecurityException
- Verifies a chain of X509 certificates (checks signatures). Optionally, can also check the validity and expiration of individual certificates.
- Parameters:
    certs - X509 certificate chain
    checkVadility - if true, the validity of each certificate will be checked
- Throws:
    java.security.GeneralSecurityException - if there is a problem with any of the certificates: invalid, expired, invalid signature, etc.
checkCertificates
public static void checkCertificates(java.security.cert.X509Certificate[] certs)
    throws GlobusProxyException
- Checks an array of X509 certificates for validity, expiration, and other problems.
- Parameters:
    certs - an array of X509 certificates
- Throws:
    GlobusProxyException - if there is a problem with any of the certificates: invalid, expired, etc.
checkCertificate
public static void checkCertificate(java.security.cert.X509Certificate cert)
    throws GlobusProxyException
- Checks an X509 certificate for validity, expiration, and other problems.
- Parameters:
    cert - an X509 certificate to be checked
- Throws:
    GlobusProxyException - if there is a problem with the certificate: invalid, expired, etc.
generateKeyPair
public static java.security.KeyPair generateKeyPair(java.lang.String algorithm,
                                                    int bits)
- Generates a new key pair of the specified algorithm and number of bits.
getUserDN
public static java.lang.String getUserDN(GlobusProxy proxy)
- Returns the subject name of the user certificate. The form must follow: cn=gawor, o=globus, o=grid. Different providers must default to this form.
getUserDN
public static java.lang.String getUserDN(java.security.cert.X509Certificate cert)
- Returns the subject DN of the given certificate.
- Returns:
    subject DN, or null on error
toGlobusDN
public static java.lang.String toGlobusDN(java.lang.String certDN)
- Converts the regular DN into the Globus DN representation: 'cn=proxy, o=globus' into '/o=globus/cn=proxy'.
- Parameters:
    certDN - regular DN
- Returns:
    Globus DN representation
toGlobusID
public static java.lang.String toGlobusID(java.lang.String certDN)
- Converts the certificate DN into a Globus DN (with "/") and returns the base DN without CN=proxy or CN=limited proxy.
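The toGlobusDN and toGlobusID conversions described above, as an added example in Python (not the CoG kit's own Java code). It goes beyond the text in two ways: RDN values containing a backslash-escaped comma are not split, and every trailing proxy CN is removed, since a proxy of a proxy carries the CN=proxy marker more than once and the base identity is what an authorization lookup should be keyed on.

```python
"""toGlobusDN / toGlobusID conversions as an added example (not CoG kit code).

  'cn=proxy, o=globus'                    -> '/o=globus/cn=proxy'          (toGlobusDN)
  'cn=proxy, cn=gawor, o=globus, o=grid'  -> '/o=grid/o=globus/cn=gawor'   (toGlobusID)
"""
import re

_COMMA_SPLIT = re.compile(r"(?<!\\),")   # a comma not escaped with a backslash
_SLASH_SPLIT = re.compile(r"(?<!\\)/")   # a slash not escaped with a backslash
_PROXY_CNS = ("proxy", "limited proxy")

def split_rdns(dn: str) -> list:
    """Return the RDN strings most-specific first, from either DN form.

    The comma form (cn=..., o=...) is already most-specific first; the Globus
    slash form (/o=.../cn=...) is least-specific first and is reversed here.
    """
    if dn.startswith("/"):
        return [rdn for rdn in reversed(_SLASH_SPLIT.split(dn)) if rdn]
    return [rdn.strip() for rdn in _COMMA_SPLIT.split(dn) if rdn.strip()]

def to_globus_dn(cert_dn: str) -> str:
    """Globus (OpenSSL-style) representation: '/' separated, least-specific first."""
    return "".join("/" + rdn for rdn in reversed(split_rdns(cert_dn)))

def is_proxy_rdn(rdn: str) -> bool:
    """True for the CN=proxy and CN=limited proxy markers (case-insensitive)."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() == "cn" and value.strip().lower() in _PROXY_CNS

def to_globus_id(cert_dn: str) -> str:
    """Globus DN of the underlying identity with every trailing proxy CN removed.

    A proxy of a proxy carries CN=proxy twice, so keep stripping while the most
    specific RDN is a proxy marker; a grid-mapfile style lookup should use this
    result, not the raw proxy subject.
    """
    rdns = split_rdns(cert_dn)
    while rdns and is_proxy_rdn(rdns[0]):
        rdns.pop(0)
    return "".join("/" + rdn for rdn in reversed(rdns))
```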
startSeedGenerationThread
public static void startSeedGenerationThread()
- This method will start a thread to initialize the secure random
number generator.
installProvider
public static void installProvider()
- If the security provider has not already been installed,
will install the default security provider in the top position (ahead
of all other installed providers).
loadUserKey
public static java.security.PrivateKey loadUserKey(java.lang.String file,
                                                   java.lang.String pwd)
    throws java.io.IOException, java.security.GeneralSecurityException
- Deprecated. Use the SSLeayKeyHolder class instead.
- Loads a user key from a file into a PrivateKey object. Since the file is password-protected, a password is required to extract the private key. NOTE: This method appears to be specific to SSLeay keys, and not specific to user keys -- perhaps it should be renamed loadSSLeaykey()?
- Parameters:
    file - the file containing a private key
    pwd - the password for the password-protected key file
- Returns:
    the private key now extracted
- Throws:
    java.io.IOException, java.security.GeneralSecurityException
loadPKCS12Proxy
public static GlobusProxy loadPKCS12Proxy(java.lang.String file, java.lang.String pwd)
- Loads a proxy which is in PKCS12 format. Unlike the method loadGlobusProxy, loadPKCS12Proxy does not cache proxies at this time and does not consider the CA cert file.
- Parameters:
    file - the proxy file in PKCS12 format
    pwd - the password protecting the PKCS12 proxy file
- Returns:
    a GlobusProxy object
dupName
public static iaik.asn1.structures.Name dupName(iaik.asn1.structures.Name name)
- Creates another copy of the existing Name object. Just creating a Name object and setting it equal to an existing Name object causes modifications to one object to affect both. After this method has executed, there will be two different Name objects, and changes to one will affect only that one.
- Parameters:
    name - the Name object to be duplicated
- Returns:
    a new Name object with all the properties of the Name object passed in
proxy_sign
public static java.security.cert.X509Certificate proxy_sign(java.security.cert.X509Certificate ucert,
                                                            java.security.PrivateKey upkey,
                                                            iaik.pkcs.pkcs10.CertificateRequest req,
                                                            boolean doLimited)
    throws GlobusProxyException
- Responsible for responding to a certificate request and doing limited delegation if requested. It requires more documentation, and probably should be broken up, but here is a brief description of what it is doing.
First, get the public key from the certificate request, the private key from the proxy file, and the proxy certificate from the user's proxy file. Then create a new certificate, adding the information from the user's proxy file except that the public key of this new certificate is the public key from the certificate request. Also, if limited delegation is requested, add "CN=limited proxy" to the subject name of the newly generated certificate. Then sign this newly generated certificate with the private key from the proxy file.
Issues: For the subject DN of the newly generated certificate: currently this is the subject DN from the proxy file. The subject DN should correctly come from the certificate request itself, but this would cause problems since the certificate request DN is malformed.
- Parameters:
    req - the certificate request received from the server
    doLimited - whether a limited proxy should be used or not
- Returns:
    newly generated cert
- Throws:
    GlobusProxyException - if there is a problem with the certificate to be signed
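The signing procedure described above (public key taken from the request, subject and issuer derived from the signer's certificate, CN=limited proxy appended on limited delegation, signature by the signer's private key), written as an added Python example rather than the CoG kit's IAIK-based Java. The `cryptography` package stands in for IAIK, all keys and certificates are generated inline as constructed data, and `verify_proxy` shows the signature check that verifyCertificates covers on the relying side.

```python
"""CertUtil.proxy_sign as the page describes it, written as an added example.
Not CoG kit code: the Python `cryptography` package stands in for IAIK, and the
user cert, key and certificate request are generated inline (constructed data)."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

def _utcnow():
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)

def _issue(subject, issuer, pubkey, signer_key, not_before, not_after):
    """Build and sign a minimal certificate; used for both the user cert and the proxy."""
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .sign(signer_key, hashes.SHA256()))

def proxy_sign(ucert, upkey, req, do_limited, hours=12):
    """Public key from the request; subject and issuer derived from the signer's cert."""
    if not req.is_signature_valid:  # the requester must prove it holds the private key
        raise ValueError("certificate request signature does not verify")
    cn = "limited proxy" if do_limited else "proxy"
    # As the page notes, the request's own subject is ignored; the signer's is extended.
    subject = x509.Name(list(ucert.subject) + [x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = _utcnow()
    # A proxy must never outlive the certificate that signs it.
    not_after = min(now + datetime.timedelta(hours=hours), ucert.not_valid_after)
    return _issue(subject, ucert.subject, req.public_key(), upkey, now, not_after)

def verify_proxy(proxy, ucert):
    """The relying party's check: issuer name matches and the signature verifies."""
    ucert.public_key().verify(proxy.signature, proxy.tbs_certificate_bytes,
                              padding.PKCS1v15(), proxy.signature_hash_algorithm)
    return proxy.issuer == ucert.subject

def demo(limited=True):
    """Constructed scenario: self-signed user cert, a request from another key, the proxy."""
    user_key, req_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    user_name = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "grid"),
                           x509.NameAttribute(NameOID.ORGANIZATION_NAME, "globus"),
                           x509.NameAttribute(NameOID.COMMON_NAME, "gawor")])
    ucert = _issue(user_name, user_name, user_key.public_key(), user_key,
                   _utcnow(), _utcnow() + datetime.timedelta(days=365))
    req = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ignored")]))
           .sign(req_key, hashes.SHA256()))
    proxy = proxy_sign(ucert, user_key, req, do_limited=limited)
    last_cn = proxy.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[-1].value
    same_key = proxy.public_key().public_numbers() == req_key.public_key().public_numbers()
    return verify_proxy(proxy, ucert), last_cn, same_key
```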
createCertificate
public static iaik.x509.X509Certificate createCertificate(java.security.cert.X509Certificate userCert,
iaik.asn1.structures.Name subject,
java.security.PublicKey pk,
iaik.asn1.structures.Name issuer,
java.security.PrivateKey sk,
int hours)
throws GlobusProxyException
- Creates a new certificate with given subject and issuer DN, public key,
for specified amount of time (from current time) and signs it with a given
private key.
createProxy
public static GlobusProxy createProxy(java.security.cert.X509Certificate userCert, java.security.PrivateKey userKey, int bits, int hours, boolean limited) throws GlobusProxyException
- This is an internal function used by the ProxyInit.
To get the user proxy use GlobusProxy.getDefaultUserProxy() function.