Class CertUtils


  • public class CertUtils
    extends java.lang.Object
Certificate-related utilities. Most of the methods are copied from the EJBCA 3.5 branch, since 3.9 and up depend on cvs libs that are not necessary here.
    • Constructor Summary

      Constructors 
      Constructor Description
      CertUtils()  
    • Method Summary

      Modifier and Type Method Description
      static java.util.List<java.security.cert.X509Certificate> buildCertificateChain​(java.util.Collection<java.security.cert.X509Certificate> certificates)
      Builds a certificate chain for the given certificate set.
      static org.bouncycastle.jce.PKCS10CertificationRequest genPKCS10RequestMessageFromPEM​(byte[] b64Encoded)
      Generates a PKCS#10 request object from the given data, or returns null if no valid PKCS#10 request could be found in the data.
      static java.security.Provider getBCProvider()
      Helper method to find the BC provider.
      static byte[] getBytesFromPEM​(byte[] inbuf, java.lang.String beginKey, java.lang.String endKey)
      Reads binary bytes from a PEM-file.
      static java.security.cert.X509Certificate getCertfromByteArray​(byte[] cert)
      Creates X509Certificate from byte[].
      static java.util.List<java.security.cert.X509Certificate> getCertificateChainfromPem​(byte[] certChain)
      Creates List of X509Certificate from byte[].
      static java.security.cert.CertificateFactory getCertificateFactory()  
      static java.lang.String getCertificateUniqueId​(java.security.cert.X509Certificate cert)
      Help method used to fetch the unique identity of a certificate.
      static java.lang.String getCertSerialnumberAsString​(java.security.cert.Certificate cert)  
      static java.security.cert.X509CRL getCRLfromByteArray​(byte[] crl)
      Creates X509CRL from byte[].
      static int getDNHashCode​(java.lang.String x500Name)
      Method to strictly calculate a hashcode of an X500 name.
      static java.lang.String getEmailFromAlternativeName​(java.security.cert.X509Certificate certificate)
      Helper method that fetches the first email address subject alternative name from the certificate, or null if no email address could be found.
      static java.lang.String getFirstSubjectField​(org.bouncycastle.asn1.ASN1ObjectIdentifier dnField, java.lang.String subjectDN)
      Returns the first subject dnField of the specified type from a subject DN.
      static java.lang.String getGUIDFromAlternativeName​(java.security.cert.X509Certificate cert)
      Returns the Microsoft-specific GUID altName, which is encoded as an octet string.
      static java.lang.String getIssuer​(java.security.cert.X509Certificate certificate)
      Returns the issuer distinguished name in a strict, comparable X500 format.
      static java.lang.String getIssuer​(java.security.cert.X509CRL crl)
      Returns the issuer distinguished name in a strict, comparable X500 format.
      static java.lang.String getNormalizedSubject​(java.lang.String subject)
      Helper method used to normalise a subject string to a standard BC-style X500Name.
      static java.lang.String getPartFromDN​(java.lang.String dn, java.lang.String dnpart)
      Gets a specified part of a DN.
      static java.lang.String getPEMCertFromByteArray​(byte[] cert)
      Converts certificate from binary DER-format into a PEM-encoded string that is safe to view in a text editor / send as an email.
      static java.lang.String getPemCertificateRequestFromByteArray​(byte[] certificateRequest)
      Converts certificate request from binary DER-format into a PEM-encoded
      static int getPublicKeyLengthFromCertificate​(java.security.cert.Certificate certificate)
      Helper method to read public key length from certificate.
      static java.lang.String getSubject​(java.security.cert.X509Certificate certificate)
      Returns the subject distinguished name in a strict, comparable X500 format.
      static java.lang.String getSubjectDNField​(java.lang.String subject, org.bouncycastle.asn1.ASN1ObjectIdentifier fieldName)
      Returns the first field value of an X500 name given the ASN.1 OID.
      static java.lang.String getSubjectDNField​(java.security.cert.X509Certificate cert, org.bouncycastle.asn1.ASN1ObjectIdentifier fieldName)
      Returns the first field value of an X500 name given the ASN.1 OID.
      static java.util.List<java.lang.String> getSubjectDNFields​(java.lang.String subject, org.bouncycastle.asn1.ASN1ObjectIdentifier fieldName)
      Returns all field values of an X500 name given the ASN.1 OID.
      static java.lang.String getSubjectDNFromCSR​(byte[] certRequest)
      Returns the subject distinguished name in a strict, comparable X500 format.
      static java.security.cert.X509Certificate getX509CertificateFromPEMorDER​(byte[] certData)
      Method used to get the certificate from binary data, trying different encodings to parse the certificate.
      static void installBCProvider()
      Method that installs the BC provider into Java.
      static boolean isDeltaCRL​(java.security.cert.X509CRL crl)
      Returns true if the given CRL is a delta CRL, i.e. it has the extension X509Extensions.DeltaCRLIndicator.
      static boolean isDNsEqual​(java.lang.String x500Name1, java.lang.String x500Name2)
      Method used to check if two X500 names are equal.
      static boolean isSelfSigned​(java.security.cert.X509Certificate cert)
      Checks if a certificate is self-signed by verifying that subject and issuer are the same.
      static java.security.cert.X509Certificate normalizeCertificate​(java.security.cert.X509Certificate certificate)
      Method that converts a certificate to a BC certificate if needed.
      static java.lang.Long readCRLNumberFromCRL​(java.security.cert.X509CRL crl)
      Helper method that reads the CRL number extension from a CRL, or returns null if no CRL number extension could be found.
      static org.bouncycastle.asn1.x500.X500Name toX500Name​(java.lang.String dNName)
      Helper method used to convert a DN string to a standard BC-style X500Name.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • CertUtils

        public CertUtils()
    • Method Detail

      • getCertificateFactory

        public static java.security.cert.CertificateFactory getCertificateFactory()
                                                                           throws java.security.NoSuchProviderException
        Throws:
        java.security.NoSuchProviderException
      • getBCProvider

        public static java.security.Provider getBCProvider()
                                                    throws java.security.NoSuchProviderException
        Helper method to find the BC provider.
        Returns:
        the BouncyCastle provider
        Throws:
        java.security.NoSuchProviderException - if "BC" provider couldn't be found among installed providers.
      • getCertfromByteArray

        public static java.security.cert.X509Certificate getCertfromByteArray​(byte[] cert)
                                                                       throws java.security.cert.CertificateException
        Creates X509Certificate from byte[].
        Parameters:
        cert - byte array containing certificate in DER-format
        Returns:
        X509Certificate
        Throws:
        java.security.cert.CertificateException - if the byte array does not contain a proper certificate.
        java.io.IOException - if the byte array cannot be read.
      • getPEMCertFromByteArray

        public static java.lang.String getPEMCertFromByteArray​(byte[] cert)
        Converts certificate from binary DER-format into a PEM-encoded string that is safe to view in a text editor / send as an email.
        Parameters:
        cert - byte array containing certificate in DER-format
        Returns:
        Certificate in PEM-format (UTF8).
      • getPemCertificateRequestFromByteArray

        public static java.lang.String getPemCertificateRequestFromByteArray​(byte[] certificateRequest)
        Converts certificate request from binary DER-format into a PEM-encoded
        Parameters:
        certificateRequest - related certificate request.
        Returns:
        pem formatted certificate request.
      • getCRLfromByteArray

        public static java.security.cert.X509CRL getCRLfromByteArray​(byte[] crl)
                                                              throws java.security.cert.CRLException
        Creates X509CRL from byte[].
        Parameters:
        crl - byte array containing the encoded crl
        Returns:
        X509CRL
        Throws:
        java.security.cert.CertificateException - if the byte array does not contain a proper crl.
        java.io.IOException - if the byte array cannot be read.
        java.security.cert.CRLException
      • getBytesFromPEM

        public static byte[] getBytesFromPEM​(byte[] inbuf,
                                             java.lang.String beginKey,
                                             java.lang.String endKey)
                                      throws java.io.IOException
        Reads binary bytes from a PEM-file. The PEM-file may contain other stuff; the first item between beginKey and endKey is read. Example:

          -----BEGIN CERTIFICATE REQUEST-----
          base64 encoded PKCS10 certification request
          -----END CERTIFICATE REQUEST-----
        Parameters:
        inbuf - input buffer containing PEM-formatted stuff.
        beginKey - begin line of PEM message
        endKey - end line of PEM message
        Returns:
        byte[] containing binary Base64 decoded bytes.
        Throws:
        java.io.IOException - if the PEM file does not contain the correct data.
      • genPKCS10RequestMessageFromPEM

        public static org.bouncycastle.jce.PKCS10CertificationRequest genPKCS10RequestMessageFromPEM​(byte[] b64Encoded)
        Generates a PKCS#10 request object from the given data, or returns null if no valid PKCS#10 request could be found in the data.
        Parameters:
        b64Encoded - the data to parse
        Returns:
        the PKCS#10 object, or null if no valid PKCS#10 request could be found in the PEM data.
      • getX509CertificateFromPEMorDER

        public static java.security.cert.X509Certificate getX509CertificateFromPEMorDER​(byte[] certData)
        Method used to get the certificate from binary data, trying different encodings to parse the certificate.
        Parameters:
        certData - the certificate data.
        Returns:
        the certificate, or null if no certificate could be parsed.
      • installBCProvider

        public static void installBCProvider()
        Method that installs the BC provider into Java. Should be called once in the initialisation phase of the application.
      • getNormalizedSubject

        public static java.lang.String getNormalizedSubject​(java.lang.String subject)
        Helper method used to normalise a subject string to a standard BC-style X500Name.
        Parameters:
        subject - the subject name to normalise
        Returns:
        the strict comparable X500 format of the issuer.
      • toX500Name

        public static org.bouncycastle.asn1.x500.X500Name toX500Name​(java.lang.String dNName)
        Helper method used to convert a DN string to a standard BC-style X500Name.
        Parameters:
        dNName - the DN name to convert
        Returns:
        the strict comparable X500 format of the name.
      • getIssuer

        public static java.lang.String getIssuer​(java.security.cert.X509Certificate certificate)
        Returns the issuer distinguished name in a strict, comparable X500 format.
        Parameters:
        certificate - the certificate to fetch the issuer DN for
        Returns:
        the strict comparable X500 format of the issuer.
      • getIssuer

        public static java.lang.String getIssuer​(java.security.cert.X509CRL crl)
        Returns the issuer distinguished name in a strict, comparable X500 format.
        Parameters:
        crl - the CRL to fetch the issuer DN for
        Returns:
        the strict comparable X500 format of the issuer.
      • getSubject

        public static java.lang.String getSubject​(java.security.cert.X509Certificate certificate)
        Returns the subject distinguished name in a strict, comparable X500 format.
        Parameters:
        certificate - the certificate to fetch the subject DN for
        Returns:
        the strict comparable X500 format of the subject.
      • getSubjectDNFromCSR

        public static java.lang.String getSubjectDNFromCSR​(byte[] certRequest)
        Returns the subject distinguished name in a strict, comparable X500 format.
        Parameters:
        certRequest - the DER encoded certificate request to fetch the subject DN for.
        Returns:
        the strict comparable X500 format of the subject.
      • normalizeCertificate

        public static java.security.cert.X509Certificate normalizeCertificate​(java.security.cert.X509Certificate certificate)
        Method that converts a certificate to a BC certificate if needed.
      • isDNsEqual

        public static boolean isDNsEqual​(java.lang.String x500Name1,
                                         java.lang.String x500Name2)
        Method used to check if two X500 names are equal.
        Parameters:
        x500Name1 - the subject or issuer to compare.
        x500Name2 - the subject or issuer to compare.
      • getDNHashCode

        public static int getDNHashCode​(java.lang.String x500Name)
        Method to strictly calculate a hashcode of an X500 name.
        Parameters:
        x500Name - the subject or issuer distinguished name to calculate hashcode for.
        Returns:
        the hashcode or 0 if X500Name is null.
      • getSubjectDNField

        public static java.lang.String getSubjectDNField​(java.lang.String subject,
                                                         org.bouncycastle.asn1.ASN1ObjectIdentifier fieldName)
        Returns the first field value of an X500 name given the ASN.1 OID. Example: getSubjectDNField("CN=Test User,O=TestOrt", BCStyle.CN) == "Test User"
        Parameters:
        subject - the X500 name to parse a given field value of
        fieldName - Should be one of BCStyle field constants
        Returns:
        the first found field value in the X500 name or null if no field value was found.
      • getSubjectDNFields

        public static java.util.List<java.lang.String> getSubjectDNFields​(java.lang.String subject,
                                                                          org.bouncycastle.asn1.ASN1ObjectIdentifier fieldName)
        Returns all field values of an X500 name given the ASN.1 OID. Example: getSubjectDNField("CN=Test User,O=TestOrt", BCStyle.CN) == "Test User"
        Parameters:
        subject - the X500 name to parse a given field value of
        fieldName - Should be one of BCStyle field constants
        Returns:
        all found field values in the X500 name, or an empty list if no field value was found.
      • getSubjectDNField

        public static java.lang.String getSubjectDNField​(java.security.cert.X509Certificate cert,
                                                         org.bouncycastle.asn1.ASN1ObjectIdentifier fieldName)
        Returns the first field value of an X500 name given the ASN.1 OID.
        Parameters:
        cert - having the subject X500 name to parse a given field value of
        fieldName - Should be one of BCStyle field constants
        Returns:
        the first found field value in the X500 name or null if no field value was found.
      • getCertificateUniqueId

        public static java.lang.String getCertificateUniqueId​(java.security.cert.X509Certificate cert)
        Helper method used to fetch the unique identity of a certificate. i.e ';'
        Parameters:
        cert - the certificate to fetch unique identity of.
        Returns:
        a unique string of the certificate, or null if cert was null.
      • getFirstSubjectField

        public static java.lang.String getFirstSubjectField​(org.bouncycastle.asn1.ASN1ObjectIdentifier dnField,
                                                            java.lang.String subjectDN)
        Returns the first subject dnField of the specified type from a subject DN.
        Parameters:
        dnField - the subject dn field to use.
        subjectDN - the dn to lookup.
        Returns:
        the dn field of subject or null if no value is found.
      • getCertSerialnumberAsString

        public static java.lang.String getCertSerialnumberAsString​(java.security.cert.Certificate cert)
                                                            throws java.lang.IllegalArgumentException
        Parameters:
        cert - the certificate to fetch certificate serial number from.
        Returns:
        the serial number of the certificate as a hex-encoded, lower-case string.
        Throws:
        java.lang.IllegalArgumentException - if the Certificate is unsupported or the parameter was null.
      • getEmailFromAlternativeName

        public static java.lang.String getEmailFromAlternativeName​(java.security.cert.X509Certificate certificate)
                                                            throws java.security.cert.CertificateParsingException
        Helper method that fetches the first email address subject alternative name from the certificate, or null if no email address could be found.
        Parameters:
        certificate - the certificate to find email address from subject alternative name.
        Returns:
        the email address, or null if none was found.
        Throws:
        java.security.cert.CertificateParsingException
      • isDeltaCRL

        public static boolean isDeltaCRL​(java.security.cert.X509CRL crl)
        Returns true if the given CRL is a delta CRL, i.e. it has the extension X509Extensions.DeltaCRLIndicator.
        Parameters:
        crl - the CRL to check
        Returns:
        true if CRL is a delta CRL.
      • readCRLNumberFromCRL

        public static java.lang.Long readCRLNumberFromCRL​(java.security.cert.X509CRL crl)
                                                   throws java.security.cert.CRLException
        Helper method that reads the CRL number extension from a CRL, or returns null if no CRL number extension could be found.
        Parameters:
        crl - the CRL to read the CRL number from
        Returns:
        the CRL number or null if no CRL number could be found.
        Throws:
        java.security.cert.CRLException - if parsing of CRL failed.
      • getGUIDFromAlternativeName

        public static java.lang.String getGUIDFromAlternativeName​(java.security.cert.X509Certificate cert)
                                                           throws java.io.IOException,
                                                                  java.security.cert.CertificateParsingException
        Returns the Microsoft-specific GUID altName, which is encoded as an octet string.
        Parameters:
        cert - certificate containing the extension
        Returns:
        String with the hex-encoded GUID byte array or null if the altName does not exist
        Throws:
        java.io.IOException
        java.security.cert.CertificateParsingException
      • getPartFromDN

        public static java.lang.String getPartFromDN​(java.lang.String dn,
                                                     java.lang.String dnpart)
        Gets a specified part of a DN. Specifically the first occurrence if the DN contains several instances of a part (i.e. cn=x, cn=y returns x).
        Parameters:
        dn - String containing DN, The DN string has the format "C=SE, O=xx, OU=yy, CN=zz".
        dnpart - String specifying which part of the DN to get, should be "CN" or "OU" etc.
        Returns:
        String containing dnpart or null if dnpart is not present
      • isSelfSigned

        public static boolean isSelfSigned​(java.security.cert.X509Certificate cert)
        Checks if a certificate is self-signed by verifying that subject and issuer are the same.
        Parameters:
        cert - the certificate that shall be checked.
        Returns:
        boolean true if the certificate has the same issuer and subject, false otherwise.
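        Added usage example (not part of the CertUtils Javadoc or the project's own code): isSelfSigned only compares the subject and issuer names, so a certificate whose issuer name merely matches its subject passes that test without any proof that it signed itself. The example below combines the name check from CertUtils with a signature check under the certificate's own public key. It assumes CertUtils is on the classpath (same package or imported), installBCProvider has been called, and a PEM- or DER-encoded certificate is available as cert.pem.

```java
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;

public class SelfSignedCheck {

    /** Outcome of the two-step check: CertUtils name test plus a signature test. */
    public enum Verdict { NOT_SELF_ISSUED, SELF_ISSUED_BAD_SIGNATURE, SELF_SIGNED }

    public static Verdict classify(X509Certificate cert) {
        // Step 1: CertUtils.isSelfSigned compares subject and issuer names only,
        // using the strict comparable X500 form described in this Javadoc.
        if (!CertUtils.isSelfSigned(cert)) {
            return Verdict.NOT_SELF_ISSUED;
        }
        // Step 2: a matching name proves nothing by itself; only a signature that
        // verifies under the certificate's own public key makes it self-signed.
        // X509Certificate.verify throws subclasses of GeneralSecurityException on failure.
        try {
            cert.verify(cert.getPublicKey());
            return Verdict.SELF_SIGNED;
        } catch (GeneralSecurityException e) {
            return Verdict.SELF_ISSUED_BAD_SIGNATURE;
        }
    }

    public static void main(String[] args) throws Exception {
        CertUtils.installBCProvider();
        // cert.pem is an assumed input file; pass another path as the first argument.
        byte[] data = Files.readAllBytes(Paths.get(args.length > 0 ? args[0] : "cert.pem"));
        // getX509CertificateFromPEMorDER accepts either encoding and returns null on failure.
        X509Certificate cert = CertUtils.getX509CertificateFromPEMorDER(data);
        if (cert == null) {
            System.err.println("no certificate could be parsed from the input");
            System.exit(1);
        }
        System.out.println(CertUtils.getSubject(cert) + " -> " + classify(cert));
        System.out.println("serial: " + CertUtils.getCertSerialnumberAsString(cert));
    }
}
```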
      • buildCertificateChain

        public static java.util.List<java.security.cert.X509Certificate> buildCertificateChain​(java.util.Collection<java.security.cert.X509Certificate> certificates)
                                                                                        throws java.security.GeneralSecurityException
        Builds a certificate chain for the given certificate set.
        Parameters:
        certificates - list of certificates, from end entity to root CA, to build a chain from.
        Returns:
        the certificate chain if it is built successfully.
        Throws:
        java.security.GeneralSecurityException
      • getCertificateChainfromPem

        public static java.util.List<java.security.cert.X509Certificate> getCertificateChainfromPem​(byte[] certChain)
                                                                                             throws java.security.cert.CertificateException,
                                                                                                    java.io.IOException
        Creates List of X509Certificate from byte[].
        Parameters:
        certChain - array containing certificate chain in PEM-format
        Returns:
        List
        Throws:
        java.security.cert.CertificateException - if the byte array does not contain a proper certificate chain.
        java.io.IOException - if the byte array cannot be read.
      • getPublicKeyLengthFromCertificate

        public static int getPublicKeyLengthFromCertificate​(java.security.cert.Certificate certificate)
                                                     throws java.security.cert.CertificateException
        Helper method to read public key length from certificate.
        Parameters:
        certificate -
        Returns:
        public key length
        Throws:
        java.security.cert.CertificateException - if a problem occurs when getting the public key length from the certificate.