Package de.trustable.ca3s.core.service.util

Class CertificateUtil

java.lang.Object

de.trustable.ca3s.core.service.util.CertificateUtil

@Service
public class CertificateUtil
extends Object

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	CertificateUtil.KeyStoreAndPassphrase

Field Summary

Fields

Modifier and Type	Field	Description
static int	CURRENT_ATTRIBUTES_VERSION

Constructor Summary

Constructors

Constructor

Description

CertificateUtil(CertificateRepository certificateRepository, CertificateAttributeRepository certificateAttributeRepository, CertificateCommentRepository certificateCommentRepository, ProtectedContentRepository protContentRepository, ProtectedContentUtil protUtil, PreferenceUtil preferenceUtil, CryptoService cryptoUtil, UserRepository userRepository, AcmeAccountRepository acmeAccountRepository, AuditService auditService, ReplacementCandidateUtil replacementCandidateUtil)

Method Summary

Modifier and Type	Method	Description
void	addAdditionalCertificateAttributes(X509Certificate x509Cert, Certificate cert)
static org.bouncycastle.asn1.x509.GeneralName	buildGeneralNameFromName(String rawName)
CRLUpdateInfo	checkAllCRLsForCertificate(Certificate cert, X509Certificate x509Cert, CRLUtil crlUtil, HashSet<String> brokenCrlUrlList)
static X509Certificate	convertPemToCertificate(String pem)
static org.bouncycastle.cert.X509CertificateHolder	convertPemToCertificateHolder(String pem)
PrivateKey	convertPemToPrivateKey(String pem)
Certificate	createCertificate(byte[] encodedCert, CSR csr, String executionId, boolean reimport)
Certificate	createCertificate(byte[] encodedCert, CSR csr, String executionId, boolean reimport, String importUrl)
Certificate	createCertificate(String pemCert, CSR csr, String executionId)
Certificate	createCertificate(String pemCert, CSR csr, String executionId, boolean reimport)
Certificate	createCertificate(String pemCert, CSR csr, String executionId, boolean reimport, String importUrl)
static String	deriveCurveName(PrivateKey privateKey)
static String	deriveCurveName(PublicKey publicKey)
static String	deriveCurveName(org.bouncycastle.jce.spec.ECParameterSpec ecParameterSpec)	derive the curve name
List<Certificate>	findCertsBySubjectRFC2253(String subject)
Certificate	findIssuingCertificate(Certificate cert)
Certificate	findIssuingCertificate(org.bouncycastle.cert.X509CertificateHolder x509CertHolder)
static byte[]	generateSHA1Fingerprint(byte[] ba)	Generate a SHA1 fingerprint from a byte array containing a X.509 certificate
static String	getAlgoName(de.trustable.util.Pkcs10RequestHolder p10ReqHolder)
static int	getAlignedKeyLength(PublicKey pk)
String	getCertAttribute(Certificate certDao, String name)
String	getCertAttribute(Certificate certDao, String name, String defaultValue)
List<String>	getCertAttributes(Certificate certDao, String name)
Certificate	getCertificateByBase64(String b64Cert)
Certificate	getCertificateByPEM(String pemCert)
Certificate	getCertificateByX509(X509Certificate x509Cert)
List<Certificate>	getCertificateChain(Certificate startCertDao)
List<String>	getCertificatePolicies(X509Certificate x509Cert)
@NotNull CertificateUtil.KeyStoreAndPassphrase	getContainer(Certificate certDao, String entryAlias, char[] passphraseChars, String passwordProtectionAlgo)
@NotNull CertificateUtil.KeyStoreAndPassphrase	getContainer(Certificate certDao, String entryAlias, char[] passphraseChars, PrivateKey key, String passwordProtectionAlgo)
@NotNull CertificateUtil.KeyStoreAndPassphrase	getContainer(Certificate certDao, String entryAlias, CSR csr, String passwordProtectionAlgo)
byte[]	getContainerBytes(Certificate certDao, String entryAlias, CSR csr, String passwordProtectionAlgo)
List<String>	getCrlDistributionPoints(X509Certificate cert)	Extracts all CRL distribution point URLs from the "CRL Distribution Point" extension in a X.509 certificate.
Certificate	getCurrentSCEPRecipient(Pipeline pipeline)
static String	getDownloadFilename(Certificate cert)
static int	getKeyLength(PublicKey pk)	Gets the key length of supported keys
static String	getNormalizedName(String inputName)
static String	getPaddedSerial(String serial)	bloat the string-typed serial to a defined length to ensure ordering works out fine.
static String	getPaddedTimestamp(String timestamp)	bloat the string-typed timestamp to a defined length to ensure ordering works out fine
PrivateKey	getPrivateKey(Certificate cert)
PrivateKey	getPrivateKey(CSR csr)
PrivateKey	getPrivateKey(ProtectedContentType type, ContentRelationType relationType, Long id)
static String	getSAN(org.bouncycastle.asn1.x509.GeneralName gn)
Set<org.bouncycastle.asn1.x509.GeneralName>	getSANList(de.trustable.util.Pkcs10RequestHolder p10ReqHolder)
Set<org.bouncycastle.asn1.x509.GeneralName>	getSANList(org.bouncycastle.cert.X509CertificateHolder x509CertHolder)
static String	getTypedSAN(int altNameType, String sanValue)
static String	getTypedSAN(org.bouncycastle.asn1.x509.GeneralName gn)
X509Certificate[]	getX509CertificateChain(Certificate startCert)
List<X509Certificate>	getX509CertificateChainAsList(Certificate startCert)
boolean	hasIssuedActiveCertificates(Certificate issuingCertificate)
void	insertNameAttributes(Certificate cert, String attributeName, org.bouncycastle.asn1.x500.X500Name x500NameSubject)
void	interpretBasicConstraint(X509Certificate x509Cert, Certificate cert)
static boolean	isHashRequired(String algoName)
static boolean	isIPAddress(String rawName)
void	setCertAttribute(Certificate certDao, String name, long value)
void	setCertAttribute(Certificate cert, String name, String value)
void	setCertAttribute(Certificate cert, String name, String value, boolean multiValue)
void	setCertificateComment(Certificate cert, String comment)
void	setCertMultiValueAttribute(Certificate cert, String name, String value)
void	setRevocationStatus(Certificate cert, String revocationReason, Instant revocationDate)
void	setRevocationStatus(Certificate cert, String revocationReason, Date revocationDate)
static org.bouncycastle.asn1.x509.GeneralName[]	splitSANString(String sans, String hostname)
void	storePrivateKey(Certificate cert, KeyPair keyPair)
void	storePrivateKey(Certificate cert, KeyPair keyPair, Instant validTo)
void	storePrivateKey(CSR csr, KeyPair keyPair, int leftUsages, Instant validTo)
void	usageAsCertAttributes(boolean[] usage, Certificate cert)	convert the usage-bits to a readable string
static String	usageAsString(boolean[] usage)	convert the usage-bits to a readable string

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CURRENT_ATTRIBUTES_VERSION

public static final int CURRENT_ATTRIBUTES_VERSION

See Also:

Constant Field Values

Constructor Detail

CertificateUtil

@Autowired
public CertificateUtil(CertificateRepository certificateRepository,
                       CertificateAttributeRepository certificateAttributeRepository,
                       CertificateCommentRepository certificateCommentRepository,
                       ProtectedContentRepository protContentRepository,
                       ProtectedContentUtil protUtil,
                       PreferenceUtil preferenceUtil,
                       CryptoService cryptoUtil,
                       UserRepository userRepository,
                       AcmeAccountRepository acmeAccountRepository,
                       AuditService auditService,
                       ReplacementCandidateUtil replacementCandidateUtil)

Method Detail

getNormalizedName

public static String getNormalizedName(String inputName)
                                throws InvalidNameException

Throws:

InvalidNameException

setCertificateComment

public void setCertificateComment(Certificate cert,
                                  String comment)

createCertificate

public Certificate createCertificate(byte[] encodedCert,
                                     CSR csr,
                                     String executionId,
                                     boolean reimport)
                              throws GeneralSecurityException

Throws:

GeneralSecurityException

createCertificate

public Certificate createCertificate(byte[] encodedCert,
                                     CSR csr,
                                     String executionId,
                                     boolean reimport,
                                     String importUrl)
                              throws GeneralSecurityException

Throws:

GeneralSecurityException

createCertificate

public Certificate createCertificate(String pemCert,
                                     CSR csr,
                                     String executionId)
                              throws GeneralSecurityException,
                                     IOException

Parameters:

pemCert -

csr -

executionId -

Returns:

certificate

Throws:

GeneralSecurityException

IOException

createCertificate

public Certificate createCertificate(String pemCert,
                                     CSR csr,
                                     String executionId,
                                     boolean reimport)
                              throws GeneralSecurityException,
                                     IOException

Parameters:

pemCert -

csr -

executionId -

reimport -

Returns:

Throws:

GeneralSecurityException

IOException

getCertificateByBase64

public Certificate getCertificateByBase64(String b64Cert)
                                   throws GeneralSecurityException,
                                          IOException

Parameters:

b64Cert -

Returns:

Throws:

GeneralSecurityException

IOException

getCertificateByPEM

public Certificate getCertificateByPEM(String pemCert)
                                throws GeneralSecurityException,
                                       IOException

Parameters:

pemCert -

Returns:

Throws:

GeneralSecurityException

IOException

getCertificateByX509

public Certificate getCertificateByX509(X509Certificate x509Cert)
                                 throws GeneralSecurityException

Parameters:

x509Cert -

Returns:

Throws:

GeneralSecurityException

getCurrentSCEPRecipient

public Certificate getCurrentSCEPRecipient(Pipeline pipeline)

createCertificate

public Certificate createCertificate(String pemCert,
                                     CSR csr,
                                     String executionId,
                                     boolean reimport,
                                     String importUrl)
                              throws GeneralSecurityException,
                                     IOException

Parameters:

pemCert -

csr -

executionId -

reimport -

Returns:

certificate

Throws:

GeneralSecurityException

IOException

interpretBasicConstraint

public void interpretBasicConstraint(X509Certificate x509Cert,
                                     Certificate cert)

addAdditionalCertificateAttributes

public void addAdditionalCertificateAttributes(X509Certificate x509Cert,
                                               Certificate cert)
                                        throws CertificateParsingException,
                                               IOException

Parameters:

x509Cert -

cert -

Throws:

CertificateParsingException

IOException

getCertificatePolicies

public List<String> getCertificatePolicies(X509Certificate x509Cert)

getSAN

public static String getSAN(org.bouncycastle.asn1.x509.GeneralName gn)

getTypedSAN

public static String getTypedSAN(org.bouncycastle.asn1.x509.GeneralName gn)

getTypedSAN

public static String getTypedSAN(int altNameType,
                                 String sanValue)

getAlgoName

public static String getAlgoName(de.trustable.util.Pkcs10RequestHolder p10ReqHolder)

Parameters:

p10ReqHolder -

Returns:

getAlignedKeyLength

public static int getAlignedKeyLength(PublicKey pk)

Parameters:

pk -

Returns:

isHashRequired

public static boolean isHashRequired(String algoName)

getKeyLength

public static int getKeyLength(PublicKey pk)

Gets the key length of supported keys

Parameters:

pk - PublicKey used to derive the keysize

Returns:

-1 if key is unsupported, otherwise a number >= 0. 0 usually means the length can not be calculated, for example if the key is an EC key and the "implicitlyCA" encoding is used.

deriveCurveName

public static String deriveCurveName(org.bouncycastle.jce.spec.ECParameterSpec ecParameterSpec)
                              throws GeneralSecurityException

derive the curve name

Parameters:

ecParameterSpec -

Returns:

Throws:

GeneralSecurityException

deriveCurveName

public static String deriveCurveName(PublicKey publicKey)
                              throws GeneralSecurityException

Throws:

GeneralSecurityException

deriveCurveName

public static String deriveCurveName(PrivateKey privateKey)
                              throws GeneralSecurityException

Throws:

GeneralSecurityException

insertNameAttributes

public void insertNameAttributes(Certificate cert,
                                 String attributeName,
                                 org.bouncycastle.asn1.x500.X500Name x500NameSubject)

Parameters:

cert -

attributeName -

x500NameSubject -

getCertAttribute

public String getCertAttribute(Certificate certDao,
                               String name,
                               String defaultValue)

getCertAttribute

public String getCertAttribute(Certificate certDao,
                               String name)

getCertAttributes

public List<String> getCertAttributes(Certificate certDao,
                                      String name)

setCertAttribute

public void setCertAttribute(Certificate certDao,
                             String name,
                             long value)

Parameters:

certDao -

name -

value -

setCertMultiValueAttribute

public void setCertMultiValueAttribute(Certificate cert,
                                       String name,
                                       String value)

Parameters:

cert -

name -

value -

setCertAttribute

public void setCertAttribute(Certificate cert,
                             String name,
                             String value)

Parameters:

cert -

name -

value -

setCertAttribute

public void setCertAttribute(Certificate cert,
                             String name,
                             String value,
                             boolean multiValue)

Parameters:

cert -

name -

value -

multiValue -

getCertificateChain

public List<Certificate> getCertificateChain(Certificate startCertDao)
                                      throws GeneralSecurityException

Parameters:

startCertDao -

Returns:

Throws:

GeneralSecurityException

getX509CertificateChain

public X509Certificate[] getX509CertificateChain(Certificate startCert)
                                          throws GeneralSecurityException

Parameters:

startCert - end entity certificate for chain search

Returns:

X509Certificate Array

Throws:

GeneralSecurityException

getX509CertificateChainAsList

public List<X509Certificate> getX509CertificateChainAsList(Certificate startCert)
                                                    throws GeneralSecurityException

Parameters:

startCert - end entity certificate for chain search

Returns:

X509Certificate List

Throws:

GeneralSecurityException

getPaddedSerial

public static String getPaddedSerial(String serial)

bloat the string-typed serial to a defined length to ensure ordering works out fine. The length of serials has a wide range (1 .. 50 cahrs)

Parameters:

serial - a serial (e.g.'1' or '2586886443079766545651298663063516315029340169') encoded as a string.

Returns:

the padded serial string. If serial is null, return max number of zeroes

getPaddedTimestamp

public static String getPaddedTimestamp(String timestamp)

bloat the string-typed timestamp to a defined length to ensure ordering works out fine

Parameters:

timestamp - a timestamp (e.g.'1593080183000') encoded as a string

Returns:

the padded timestamp string. If timestamp is null, return max number of zeroes

generateSHA1Fingerprint

public static byte[] generateSHA1Fingerprint(byte[] ba)

Generate a SHA1 fingerprint from a byte array containing a X.509 certificate

Parameters:

ba - Byte array containing DER encoded X509Certificate.

Returns:

Byte array containing SHA1 hash of DER encoded certificate.

usageAsString

public static String usageAsString(boolean[] usage)

convert the usage-bits to a readable string

Parameters:

usage -

Returns:

descriptive text representing the key usage

usageAsCertAttributes

public void usageAsCertAttributes(boolean[] usage,
                                  Certificate cert)

convert the usage-bits to a readable string

Parameters:

usage - boolean array of usage

cert - certificate to set attributes

findIssuingCertificate

public Certificate findIssuingCertificate(Certificate cert)
                                   throws GeneralSecurityException

Throws:

GeneralSecurityException

convertPemToCertificateHolder

public static org.bouncycastle.cert.X509CertificateHolder convertPemToCertificateHolder(String pem)
                                                                                 throws GeneralSecurityException

Parameters:

pem - string that will be converted to X509Certificate

Returns:

X509CertificateHolder converted from PEM String

Throws:

GeneralSecurityException

convertPemToCertificate

public static X509Certificate convertPemToCertificate(String pem)
                                               throws GeneralSecurityException

Parameters:

pem - string that will be converted to X509Certificate

Returns:

X509Certificate converted from PEM String

Throws:

GeneralSecurityException

convertPemToPrivateKey

public PrivateKey convertPemToPrivateKey(String pem)
                                  throws GeneralSecurityException

Parameters:

pem - string that will be converted to PrivateKey

Returns:

PrivateKey converted from PEM String

Throws:

GeneralSecurityException

findIssuingCertificate

public Certificate findIssuingCertificate(org.bouncycastle.cert.X509CertificateHolder x509CertHolder)
                                   throws GeneralSecurityException

Parameters:

x509CertHolder - certificate to search issuning certificate

Returns:

issuing certificate from input certificate

Throws:

GeneralSecurityException

hasIssuedActiveCertificates

public boolean hasIssuedActiveCertificates(Certificate issuingCertificate)

findCertsBySubjectRFC2253

public List<Certificate> findCertsBySubjectRFC2253(String subject)

getSANList

public Set<org.bouncycastle.asn1.x509.GeneralName> getSANList(org.bouncycastle.cert.X509CertificateHolder x509CertHolder)

getSANList

public Set<org.bouncycastle.asn1.x509.GeneralName> getSANList(de.trustable.util.Pkcs10RequestHolder p10ReqHolder)

storePrivateKey

public void storePrivateKey(CSR csr,
                            KeyPair keyPair,
                            int leftUsages,
                            Instant validTo)
                     throws IOException

Throws:

IOException

storePrivateKey

public void storePrivateKey(Certificate cert,
                            KeyPair keyPair)
                     throws IOException

Parameters:

cert - certificate that needs to be stored in PEM format

keyPair - keypair that needs to be stored in PEM format

Throws:

IOException

storePrivateKey

public void storePrivateKey(Certificate cert,
                            KeyPair keyPair,
                            Instant validTo)
                     throws IOException

Throws:

IOException

getPrivateKey

public PrivateKey getPrivateKey(CSR csr)

Parameters:

csr -

Returns:

getPrivateKey

public PrivateKey getPrivateKey(Certificate cert)

Parameters:

cert -

Returns:

getPrivateKey

public PrivateKey getPrivateKey(ProtectedContentType type,
                                ContentRelationType relationType,
                                Long id)

Parameters:

type -

relationType -

id -

Returns:

getCrlDistributionPoints

public List<String> getCrlDistributionPoints(X509Certificate cert)
                                      throws IOException

Extracts all CRL distribution point URLs from the "CRL Distribution Point" extension in a X.509 certificate. If CRL distribution point extension is unavailable, returns an empty list.

Throws:

IOException

setRevocationStatus

public void setRevocationStatus(Certificate cert,
                                String revocationReason,
                                Date revocationDate)

setRevocationStatus

public void setRevocationStatus(Certificate cert,
                                String revocationReason,
                                Instant revocationDate)

getDownloadFilename

public static String getDownloadFilename(Certificate cert)

splitSANString

public static org.bouncycastle.asn1.x509.GeneralName[] splitSANString(String sans,
                                                                      String hostname)

isIPAddress

public static boolean isIPAddress(String rawName)

buildGeneralNameFromName

public static org.bouncycastle.asn1.x509.GeneralName buildGeneralNameFromName(String rawName)

checkAllCRLsForCertificate

public CRLUpdateInfo checkAllCRLsForCertificate(Certificate cert,
                                                X509Certificate x509Cert,
                                                CRLUtil crlUtil,
                                                HashSet<String> brokenCrlUrlList)

getContainerBytes

public byte[] getContainerBytes(Certificate certDao,
                                String entryAlias,
                                CSR csr,
                                String passwordProtectionAlgo)
                         throws IOException,
                                GeneralSecurityException

Throws:

IOException

GeneralSecurityException

getContainer

@NotNull
public @NotNull CertificateUtil.KeyStoreAndPassphrase getContainer(Certificate certDao,
                                                                   String entryAlias,
                                                                   CSR csr,
                                                                   String passwordProtectionAlgo)
                                                            throws IOException,
                                                                   GeneralSecurityException

Throws:

IOException

GeneralSecurityException

getContainer

@NotNull
public @NotNull CertificateUtil.KeyStoreAndPassphrase getContainer(Certificate certDao,
                                                                   String entryAlias,
                                                                   char[] passphraseChars,
                                                                   String passwordProtectionAlgo)
                                                            throws IOException,
                                                                   GeneralSecurityException

Throws:

IOException

GeneralSecurityException

getContainer

@NotNull
public @NotNull CertificateUtil.KeyStoreAndPassphrase getContainer(Certificate certDao,
                                                                   String entryAlias,
                                                                   char[] passphraseChars,
                                                                   PrivateKey key,
                                                                   String passwordProtectionAlgo)
                                                            throws IOException,
                                                                   GeneralSecurityException

Throws:

IOException

GeneralSecurityException