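/**
 * Generates one complete credential set for slot {@code index}: a self-signed CA, a user
 * certificate signed by that CA, and a full-delegation proxy derived from the user
 * credential, then writes all of them plus the signing policy to disk.
 *
 * <p>The files are written as a unit: if any write fails the whole slot is removed via
 * {@code deleteAll(index)}, so no partially written set (for example a private key on disk
 * without its certificate, or a stale signing policy) is left behind.
 *
 * @param index slot number used by {@code makeFile}/{@code copySigningPolicy} to name the files
 * @return see the NOTE(review) on the return statement
 * @throws GeneralSecurityException if key generation, signing or proxy creation fails
 * @throws IOException if writing any of the files fails
 */
private X509Certificate createAll(int index) throws GeneralSecurityException, IOException {
  logger.info("Generating CA key pair");
  KeyPair ca = CertUtil.generateKeyPair(CA_CERT_ALGORITHM, CA_CERT_BITS);
  OpenSSLKey caKey = new BouncyCastleOpenSSLKey(ca.getPrivate());

  logger.info("Self-signing CA certificate");
  // Issuer and subject are both CA_CERT_DN: the CA signs itself; no extensions are added.
  X509Certificate caCert = genCert(ca.getPrivate(), ca.getPublic(), CA_CERT_DN, CA_CERT_DN, null);

  logger.info("Generating user key pair");
  // The user key deliberately uses the same algorithm and size as the CA key.
  KeyPair user = CertUtil.generateKeyPair(CA_CERT_ALGORITHM, CA_CERT_BITS);
  OpenSSLKey userKey = new BouncyCastleOpenSSLKey(user.getPrivate());

  logger.info("Signing user certificate");
  X509Certificate userCert =
      genCert(
          ca.getPrivate(),
          user.getPublic(),
          USER_CERT_DN,
          CA_CERT_DN,
          createExtensions(ca.getPublic(), user.getPublic()));

  logger.info("Generating proxy certificate");
  GlobusCredential proxy = makeProxy(user, userCert);

  // Clean up on *any* failure, not only GeneralSecurityException: the write methods are
  // declared to throw IOException as well, and that path previously left the files that
  // had already been written (including private keys) on disk.
  boolean written = false;
  try {
    logger.info("Writing keys, certificates, and proxy");
    writeKey(caKey, makeFile(CA_KEY_NAME_PREFIX, index));
    writeCert(caCert, makeFile(CA_CRT_NAME_PREFIX, index));
    writeKey(userKey, makeFile(USER_KEY_NAME_PREFIX, index));
    writeCert(userCert, makeFile(USER_CRT_NAME_PREFIX, index));
    writeProxy(proxy, makeFile(PROXY_NAME_PREFIX, index));
    copySigningPolicy(index);
    written = true;
  } finally {
    if (!written) {
      deleteAll(index);
    }
  }
  // NOTE(review): 'cert' is not declared anywhere in this method; it is presumably
  // userCert or caCert — confirm against the callers before changing it.
  return cert;
}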
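/**
 * Creates a full-delegation proxy credential issued by the given user credential.
 *
 * <p>The factory is handed the desired key size ({@code CA_CERT_BITS}) and generates the
 * proxy's own key pair itself; the caller's private key only signs the proxy certificate.
 * The original version generated an extra key pair here that was never used, which has
 * been removed (it cost entropy and CPU for nothing).
 *
 * @param kp the user key pair; its private key signs the proxy certificate
 * @param issuerCert the user certificate that becomes the proxy's issuer
 * @return the proxy credential produced by the factory
 * @throws GeneralSecurityException if the factory fails to generate or sign the proxy
 */
private GlobusCredential makeProxy(KeyPair kp, X509Certificate issuerCert)
    throws GeneralSecurityException {
  BouncyCastleCertProcessingFactory factory = BouncyCastleCertProcessingFactory.getDefault();
  // CA_CERT_LIFETIME is divided by 1000 before being passed on, so it is presumably held in
  // milliseconds while the factory expects seconds — confirm against the constant's definition.
  int lifetimeSeconds = (int) (CA_CERT_LIFETIME / 1000);
  return factory.createCredential(
      new X509Certificate[] {issuerCert},
      kp.getPrivate(),
      CA_CERT_BITS,
      lifetimeSeconds,
      GSIConstants.DELEGATION_FULL,
      (X509ExtensionSet) null);
}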
/**
 * Creates an X509 version 3 certificate backed by a freshly generated key pair and writes the
 * (unencrypted) private key to {@code outPrivKey}.
 *
 * @param algorithm key algorithm (e.g. RSA, DSA, etc.)
 * @param bits key strength, e.g. 1024
 * @param issuer issuer string, e.g. "O=Grid,OU=OGSA,CN=ACME"
 * @param subject subject string, e.g. "O=Grid,OU=OGSA,CN=John Doe"
 * @param months time to live
 * @param outPrivKey OutputStream the private key is written to (Note: this key will not be
 *     encrypted)
 * @param sigAlg signature algorithm name, passed through to the certificate builder
 * @param pwd currently unused: the private key is written in the clear whatever its value
 * @return X509 V3 Certificate
 * @throws GeneralSecurityException if key generation or certificate creation fails
 * @throws IOException if writing the private key fails
 */
public static X509Certificate createX509Cert(
    String algorithm,
    int bits,
    String issuer,
    String subject,
    int months,
    OutputStream outPrivKey,
    String sigAlg,
    String pwd)
    throws GeneralSecurityException, IOException {
  KeyPair keyPair = CertUtil.generateKeyPair(algorithm, bits);
  // Per the original author's note, the generated key is PKCS#8 and the OpenSSL wrapper
  // converts it to DER-encoded PKCS#1, which is the form that can be written out.
  OpenSSLKey sslKey = new BouncyCastleOpenSSLKey(keyPair.getPrivate());
  // NOTE(review): the serial number is hard-coded to 0, so every certificate produced by this
  // method shares the same serial; RFC 5280 requires a positive serial that is unique per
  // issuer. Fine for throwaway test certificates, not for anything that leaves a test setup.
  final long serial = 0L;

  String keyInfo =
      "createX509Cert Alg: "
          + algorithm
          + " bits:"
          + bits
          + " Issuer: "
          + issuer
          + " Subject: "
          + subject;
  logger.debug(keyInfo);
  String sigInfo =
      "createX509Cert Sig alg:"
          + sigAlg
          + " Priv key format:"
          + sslKey.getPrivateKey().getFormat();
  logger.debug(sigInfo);

  // The key is written before the certificate is built; a failure in the builder therefore
  // leaves the private key already emitted to outPrivKey.
  sslKey.writeTo(outPrivKey);

  return createX509V3Certificate(
      keyPair.getPublic(), keyPair.getPrivate(), months, issuer, subject, serial, sigAlg);
}