org.dihedron.crypto.certificates

Class Certificates

java.lang.Object

org.dihedron.crypto.CryptoService

org.dihedron.crypto.certificates.Certificates

@License(copyright="Copyright (c) 2012-2014 Andrea Funto\', Svetlin Nakov")
public final class Certificates
extends CryptoService

Collection of utilities to manipulate certificates; it provides ways to get the certificate usage, to build a certification chain for a given certificate and to verify it. The verification process relies on a set of root CA certificates and intermediate certificates that will be used for building the certification chain; it assumes that all self-signed certificates in the set are trusted root CA certificates and all other certificates in the set are intermediate certificates.

Author:

Svetlin Nakov, Andrea Funto'

Method Summary

Methods

Modifier and Type	Method and Description
static org.bouncycastle.asn1.ASN1Primitive	getExtensionValue(X509Certificate certificate, String oid)
static boolean	hasCriticalExtension(X509Certificate certificate, String oid) Checks if the given certificate has the given OID among its critical extensions.
static boolean	isNonRepudiationX509Certificate(X509Certificate certificate) Checks if the given certificate has all the necessary extensions to be used as a signing certificate (non repudiation).
static boolean	isSelfSigned(X509Certificate certificate) Checks whether given X.509 certificate is self-signed.
static boolean	isSignatureX509Certificate(X509Certificate certificate) Checks if the given certificate has all the necessary extensions to be used as a signing certificate.
static CertStore	makeCertificateStore(Certificate certificate)
static org.bouncycastle.asn1.ess.ESSCertID	makeESSCertIdV1(X509Certificate x509certificate, org.bouncycastle.asn1.x509.IssuerSerial issuerSerial, DigestAlgorithm digestAlgorithm)
static org.bouncycastle.asn1.ess.ESSCertIDv2[]	makeESSCertIdV2(X509Certificate x509certificate, org.bouncycastle.asn1.x509.IssuerSerial issuerSerial, DigestAlgorithm digestAlgorithm)
static org.bouncycastle.asn1.x509.IssuerSerial	makeIssuerSerial(X509Certificate x509certificate) Creates an IssuerSerial object for the given certificate.
static PKIXCertPathBuilderResult	verifyCertificate(X509Certificate certificate, Collection<X509Certificate> additionalCerts) Attempts to build a certification chain for given certificate and to verify it.
static boolean	writeToFile(Certificate certificate, String filename)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

isSignatureX509Certificate

public static boolean isSignatureX509Certificate(X509Certificate certificate)

Checks if the given certificate has all the necessary extensions to be used as a signing certificate.

Parameters:

certificate - the certificate to test.

Returns:

whether the certificate is good for signing.

isNonRepudiationX509Certificate

public static boolean isNonRepudiationX509Certificate(X509Certificate certificate)

Checks if the given certificate has all the necessary extensions to be used as a signing certificate (non repudiation).

Parameters:

certificate - the certificate to test.

Returns:

whether the certificate is good for signing.

isSelfSigned

public static boolean isSelfSigned(X509Certificate certificate)
                            throws CertificateException,
                                   NoSuchAlgorithmException,
                                   NoSuchProviderException

Checks whether given X.509 certificate is self-signed.

Throws:

CertificateException

NoSuchAlgorithmException

NoSuchProviderException

hasCriticalExtension

public static boolean hasCriticalExtension(X509Certificate certificate,
                           String oid)

Checks if the given certificate has the given OID among its critical extensions.

Parameters:

certificate - the certificate on which to look for the critical extensio OID.

oid - the critical extension OID to lookup.

Returns:

whether the extension was found.

verifyCertificate

public static PKIXCertPathBuilderResult verifyCertificate(X509Certificate certificate,
                                          Collection<X509Certificate> additionalCerts)
                                                   throws CertificateVerificationException

Attempts to build a certification chain for given certificate and to verify it. Relies on a set of root CA certificates and intermediate certificates that will be used for building the certification chain. The verification process assumes that all self-signed certificates in the set are trusted root CA certificates and all other certificates in the set are intermediate certificates.

Parameters:

certificate - certificate for validation.

additionalCerts - set of trusted root CA certificates that will be used as "trust anchors" and intermediate CA certificates that will be used as part of the certification chain. All self-signed certificates are considered to be trusted root CA certificates. All the rest are considered to be intermediate CA certificates.

Returns:

the certification chain (if verification is successful).

Throws:

CertificateVerificationException - if the certification is not successful (e.g. certification path cannot be built or some certificate in the chain is expired or CRL checks are failed).

getExtensionValue

public static org.bouncycastle.asn1.ASN1Primitive getExtensionValue(X509Certificate certificate,
                                                    String oid)
                                                             throws IOException

Parameters:

certificate - the certificate in which to look to the extension value.

oid - the Object Identifier of the extension.

Returns:

the extension value as an ASN1Primitive object.

Throws:

IOException

makeIssuerSerial

public static org.bouncycastle.asn1.x509.IssuerSerial makeIssuerSerial(X509Certificate x509certificate)
                                                                throws CertificateEncodingException,
                                                                       IOException

Creates an IssuerSerial object for the given certificate.

Parameters:

x509certificate - the certificate whose issuer serial must be retrieved.

Returns:

the IssuerSerial object for the certificate.

Throws:

CertificateEncodingException

IOException

makeESSCertIdV1

public static org.bouncycastle.asn1.ess.ESSCertID makeESSCertIdV1(X509Certificate x509certificate,
                                                  org.bouncycastle.asn1.x509.IssuerSerial issuerSerial,
                                                  DigestAlgorithm digestAlgorithm)
                                                           throws NoSuchAlgorithmException,
                                                                  CertificateEncodingException

Throws:

NoSuchAlgorithmException

CertificateEncodingException

makeESSCertIdV2

public static org.bouncycastle.asn1.ess.ESSCertIDv2[] makeESSCertIdV2(X509Certificate x509certificate,
                                                      org.bouncycastle.asn1.x509.IssuerSerial issuerSerial,
                                                      DigestAlgorithm digestAlgorithm)
                                                               throws NoSuchAlgorithmException,
                                                                      CertificateEncodingException

Throws:

NoSuchAlgorithmException

CertificateEncodingException

makeCertificateStore

public static CertStore makeCertificateStore(Certificate certificate)
                                      throws InvalidAlgorithmParameterException,
                                             NoSuchAlgorithmException,
                                             NoSuchProviderException

Throws:

InvalidAlgorithmParameterException

NoSuchAlgorithmException

NoSuchProviderException

writeToFile

public static boolean writeToFile(Certificate certificate,
                  String filename)