org.nhindirect.stagent

Class CryptoExtensions

java.lang.Object

org.nhindirect.stagent.CryptoExtensions

public class CryptoExtensions
extends Object

Utility functions for searching for certificates.

Author:

Greg Meyer, Umesh Madan

Constructor Summary

Constructors

Constructor and Description
CryptoExtensions()

Method Summary

Methods

Modifier and Type	Method and Description
static boolean	certSubjectContainsName(X509Certificate cert, String name) Checks if a name is contained in a certificate's DN or alt subjects.
static boolean	containsEmailAddressInSubjectAltName(X509Certificate cert, String subjectName) Deprecated. As of 1.1.5. Use certSubjectContainsName(X509Certificate, String)
static X509Certificate	findCertByName(Collection<X509Certificate> certs, String name) Searches a collection of X509Certificates for a certificate that matches the provided name.
static SignerCertPair	findSignerByCert(org.bouncycastle.cms.CMSSignedData signedData, X509Certificate searchCert) Searches CMS signed data for a specific X509 certificate.
static Collection<SignerCertPair>	findSignersByName(org.bouncycastle.cms.CMSSignedData signedData, String name, Collection<String> excludeNames) Searches CMS signed data for a given email name.
static String	getJCEProviderName() Gets the configured JCE crypto provider string for crypto operations.
static String	getJCEProviderNameForTypeAndAlgorithm(String type, String algorithm) Gets the configured JCE crypto provider that supports the combination of the requested type and algorithm.
static String	getJCESensitiveProviderName() Gets the configured JCE sensitive crypto provider string for crypto operations that need access to sensitive cryptogrophy information such as secret and private keys.
static String	getSubjectAddress(X509Certificate certificate) Gets the address name associated with the certificate.
static boolean	isEqualThumbprint(X509Certificate cert1, X509Certificate cert2) Compares the thumbprints of two certificates for equality.
static boolean	matchName(X509Certificate cert, String name) Deprecated. As of 1.1.5. Use certSubjectContainsName(X509Certificate, String)
static void	registerJCEProviders() Typically JCE providers are registered through JVM properties files or statically calling Security.addProvider(Provider).
static void	setJCEProviderName(String name) Overrides the configured JCE crypto provider string.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CryptoExtensions

public CryptoExtensions()

Method Detail

registerJCEProviders

public static void registerJCEProviders()

Typically JCE providers are registered through JVM properties files or statically calling Security.addProvider(Provider). The method allows for configuration of JCE Providers through the OptionsManager classes. This method iterates through a comma delimited set of providers, dynamically loads the provider class, and and registered each one if it has not already been registered.

If a provider is not configured via the OptionsManager, then the default BouncyCastle provider is registered (if it has not been already registered).

getJCEProviderName

public static String getJCEProviderName()

Gets the configured JCE crypto provider string for crypto operations. This is configured using the -Dorg.nhindirect.stagent.cryptography.JCEProviderName JVM parameters. If the parameter is not set or is empty, then the default string "BC" (BouncyCastle provider) is returned. By default the agent installs the BouncyCastle provider.

Returns:

The name of the JCE provider string.

getJCESensitiveProviderName

public static String getJCESensitiveProviderName()

Gets the configured JCE sensitive crypto provider string for crypto operations that need access to sensitive cryptogrophy information such as secret and private keys. This is configured using the -Dorg.nhindirect.stagent.cryptography.JCESensitiveProviderName JVM parameters. If the parameter is not set or is empty, then the default string "BC" (BouncyCastle provider) is returned. By default the agent installs the BouncyCastle provider.

Returns:

The name of the JCE provider string.

getJCEProviderNameForTypeAndAlgorithm

public static String getJCEProviderNameForTypeAndAlgorithm(String type,
                                           String algorithm)

Gets the configured JCE crypto provider that supports the combination of the requested type and algorithm. If a custom set of providers has not been configured, this method will always return the default BouncyCatle provider string regardless if it matches the request type/algorithm pair.

Parameters:

type - The crypto type such as CertStore or CertPathValidator

algorithm - The algorithm such as PKIX or MAC.

Returns:

The name of the JCE provider string supporting the type/algorithm pair.

setJCEProviderName

public static void setJCEProviderName(String name)

Overrides the configured JCE crypto provider string. If the name is empty or null, the default string "BC" (BouncyCastle provider) is used.

The provider name may be a comma delimited list of provider strings. The first string in the list will be the default provider string and returned when using getJCEProviderName(); however, the getJCEProviderNameForTypeAndAlgorithm(String, String) will search through the provider string until a valid provider that supports the requested type and algorithm is found. In this case, the first matching provider string will be used.

Parameters:

name - The name of the JCE provider.

isEqualThumbprint

public static boolean isEqualThumbprint(X509Certificate cert1,
                        X509Certificate cert2)

Compares the thumbprints of two certificates for equality.

Parameters:

cert1 - The first certificate to compare.

cert2 - The second certificate to compare.

Returns:

True if the certificates' thumbprints are equal. False other wise.

containsEmailAddressInSubjectAltName

public static boolean containsEmailAddressInSubjectAltName(X509Certificate cert,
                                           String subjectName)

Deprecated. As of 1.1.5. Use certSubjectContainsName(X509Certificate, String)

Checks if the subject is contained in the certificates alternate subject names. Specifically the rfc822Name name and DNSName types are checked.

Parameters:

cert - The certificate to check.

subjectName - The subject name to check in the alternate names.

Returns:

True if the subjectName is contained in the alternate subject names. False otherwise.

certSubjectContainsName

public static boolean certSubjectContainsName(X509Certificate cert,
                              String name)

Checks if a name is contained in a certificate's DN or alt subjects.

Parameters:

cert - The certificate to check.

name - The name to search for in the certificate.

Returns:

True if the name is found in the certificate. False otherwise.

matchName

public static boolean matchName(X509Certificate cert,
                String name)

Deprecated. As of 1.1.5. Use certSubjectContainsName(X509Certificate, String)

Matches a common name in a certificate.

Parameters:

cert - The certificate to check for the common name.

name - The common name to check for. This method automatically prefixes the name with "CN="

Returns:

True if the common name is contained in the certificate. False otherwise.

findSignersByName

public static Collection<SignerCertPair> findSignersByName(org.bouncycastle.cms.CMSSignedData signedData,
                                           String name,
                                           Collection<String> excludeNames)

Searches CMS signed data for a given email name. Signed data may consist of multiple signatures either from the same subject of from multiple subjects.

Parameters:

signedData - The signed data to search.

name - The name to search for in the list of signers.

excludeNames - A list of names to exclude from the list. Because the search uses a simple "contains" search, it is possible for the name parameter to be a substring of what is requested. The excludeNames contains a super string of the name to remove unwanted names from the returned list. This parameter may be null;

Returns:

A colllection of pairs consisting of the singer's X509 certificated and signer information that matches the provided name. Returns an empty collection if a signer matching the name cannot be found in the signed data.

findCertByName

public static X509Certificate findCertByName(Collection<X509Certificate> certs,
                             String name)

Searches a collection of X509Certificates for a certificate that matches the provided name.

Parameters:

certs - The collection of certificates to search.

name - The name to search for in the collection.

Returns:

A certificate that matches the provided name. Returns null if a matching certificate cannot be found in the collection.

findSignerByCert

public static SignerCertPair findSignerByCert(org.bouncycastle.cms.CMSSignedData signedData,
                              X509Certificate searchCert)

Searches CMS signed data for a specific X509 certificate.

Parameters:

signedData - The signed data to search.

name - The certificate to search for in the signed data.

Returns:

A pair consisting of the singer's X509 certificated and signer information that matches the provided certificate. Returns null if a signer matching the name cannot be found in the signed data.

getSubjectAddress

public static String getSubjectAddress(X509Certificate certificate)

Gets the address name associated with the certificate. It may be an email address or a domain name.

Parameters:

certificate - The certificate to search

Returns:

The address of domain associated with a certificate.