org.nhindirect.config.model.utils

Class CertUtils

java.lang.Object

org.nhindirect.config.model.utils.CertUtils

public class CertUtils
extends Object

Certificate utility methods.

Since:

1.0

Author:

Greg Meyer

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	CertUtils.CertContainer

Constructor Summary

Constructors

Constructor and Description
CertUtils()

Method Summary

Modifier and Type	Method and Description
static byte[]	certAndWrappedKeyToRawByteFormat(byte[] wrappedKey, X509Certificate cert)
X509Certificate	certFromFile(String certFile) Creates an X509Certificate object from an existing file.
static byte[]	changePkcs12Protection(byte[] bytes, char[] oldKeyStorePassPhrase, char[] oldPrivateKeyPassPhrase, char[] newKeystorePassPhrase, char[] newPrivateKeyPassPhrase) Modifies the keystore and private key protection on a PKCS12 keystore.
static String	getJCEProviderName() Gets the configured JCE crypto provider string for crypto operations.
static String	getOwner(X509Certificate certificate) Gets the owner of the certificate with is the email address of domain bound to the certificate.
protected static boolean	isByteDataWrappedKeyPair(byte[] data)
static byte[]	pkcs12ToStrippedPkcs12(byte[] bytes, String passphrase) Takes a PKCS12 byte stream and returns a PKCS12 byte stream with the pass phrase protection and encryption removed.
static void	setJCEProviderName(String name) Overrides the configured JCE crypto provider string.
static CertUtils.CertContainer	toCertContainer(byte[] data) Converts a raw byte array that is in the Certificate data store format to a CertContainer.
static CertUtils.CertContainer	toCertContainer(byte[] data, boolean loadPrivateKey)
static CertUtils.CertContainer	toCertContainer(byte[] data, char[] keyStorePassPhrase, char[] privateKeyPassPhrase)
static CertUtils.CertContainer	toCertContainer(byte[] data, char[] keyStorePassPhrase, char[] privateKeyPassPhrase, boolean loadPrivateKey) Creates a certificate container that consists of the X509 certificate and its private key (if it exists).
static X509Certificate	toX509Certificate(byte[] data) Converts a byte stream to an X509Certificate.
static X509Certificate	toX509Certificate(byte[] data, String passPhrase) Converts a byte stream to an X509Certificate.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CertUtils

public CertUtils()

Method Detail

getJCEProviderName

public static String getJCEProviderName()

Gets the configured JCE crypto provider string for crypto operations. This is configured using the -Dorg.nhindirect.config.JCEProviderName JVM parameters. If the parameter is not set or is empty, then the default string "BC" (BouncyCastle provider) is returned. By default the agent installs the BouncyCastle provider.

Returns:

The name of the JCE provider string.

setJCEProviderName

public static void setJCEProviderName(String name)

Overrides the configured JCE crypto provider string. If the name is empty or null, the default string "BC" (BouncyCastle provider) is used.

Parameters:

name - The name of the JCE provider.

getOwner

public static String getOwner(X509Certificate certificate)

Gets the owner of the certificate with is the email address of domain bound to the certificate. The subject alt name is checked first, then the legacy email field, and lastsly the common name field.

Parameters:

certificate - The certificate of the to get the owner of.

Returns:

The owner of the certificate

pkcs12ToStrippedPkcs12

public static byte[] pkcs12ToStrippedPkcs12(byte[] bytes,
                                            String passphrase)

Takes a PKCS12 byte stream and returns a PKCS12 byte stream with the pass phrase protection and encryption removed.

Parameters:

bytes - The PKCS12 byte stream that will be stripped.

passphrase - The pass phrase of the PKCS12 byte stream. This is used to decrypt the PKCS12 stream.

Returns:

A PKCS12 byte stream representation of the original PKCS12 stream with the pass phrase protection and encryption removed.

changePkcs12Protection

public static byte[] changePkcs12Protection(byte[] bytes,
                                            char[] oldKeyStorePassPhrase,
                                            char[] oldPrivateKeyPassPhrase,
                                            char[] newKeystorePassPhrase,
                                            char[] newPrivateKeyPassPhrase)

Modifies the keystore and private key protection on a PKCS12 keystore.

Parameters:

bytes - The PKCS12 encoded as byte array that will be modified.

oldKeyStorePassPhrase - The current pass phrase protecting the keystore file.

oldPrivateKeyPassPhrase - The current pass phrase protecting the private key.

newKeystorePassPhrase - The new pass phrase protecting the keystore file.

newPrivateKeyPassPhrase - The new pass phrase protecting the private key.

Returns:

The modified PKCS12 key store encoded as a byte array/

toX509Certificate

public static X509Certificate toX509Certificate(byte[] data)

Converts a byte stream to an X509Certificate. The byte stream can either be an encoded X509Certificate or a PKCS12 byte stream.

If the stream is a PKCS12 representation, then an empty ("") pass phrase is used to decrypt the stream. In addition the resulting X509Certificate implementation will contain the private key.

Parameters:

data - The byte stream representation to convert.

Returns:

An X509Certificate representation of the byte stream.

toX509Certificate

public static X509Certificate toX509Certificate(byte[] data,
                                                String passPhrase)

Converts a byte stream to an X509Certificate. The byte stream can either be an encoded X509Certificate or a PKCS12 byte stream.

If the stream is a PKCS12 representation, then the pass phrase is used to decrypt the stream. In addition the resulting X509Certificate implementation will contain the private key.

Parameters:

data - The byte stream representation to convert.

passPhrase - If the byte stream is a PKCS12 representation, then the then the pass phrase is used to decrypt the stream. Can be null if the stream is an encoded X509Certificate and not a PKCS12 byte stream.

Returns:

An X509Certificate representation of the byte stream.

certFromFile

public X509Certificate certFromFile(String certFile)

Creates an X509Certificate object from an existing file. The file should be a DER encoded representation of the certificate.

Parameters:

certFile - The file to load into a certificate object.

Returns:

An X509Certificate loaded from the file.

toCertContainer

public static CertUtils.CertContainer toCertContainer(byte[] data)
                                               throws CertificateConversionException

Converts a raw byte array that is in the Certificate data store format to a CertContainer.

Parameters:

data - The raw byte data that is stored in the Certificate data store.

Returns:

A CertContainer object representation of the byte data.

Throws:

CertificateConversionException

toCertContainer

public static CertUtils.CertContainer toCertContainer(byte[] data,
                                                      boolean loadPrivateKey)
                                               throws CertificateConversionException

Throws:

CertificateConversionException

isByteDataWrappedKeyPair

protected static boolean isByteDataWrappedKeyPair(byte[] data)

toCertContainer

public static CertUtils.CertContainer toCertContainer(byte[] data,
                                                      char[] keyStorePassPhrase,
                                                      char[] privateKeyPassPhrase)
                                               throws CertificateConversionException

Throws:

CertificateConversionException

toCertContainer

public static CertUtils.CertContainer toCertContainer(byte[] data,
                                                      char[] keyStorePassPhrase,
                                                      char[] privateKeyPassPhrase,
                                                      boolean loadPrivateKey)
                                               throws CertificateConversionException

Creates a certificate container that consists of the X509 certificate and its private key (if it exists).

Parameters:

data - A DER encoded representation of either an X509 certificate, an unencrypted PKCS12 container, or a combination of an X509Certificate and wrapped private key.

Returns:

A container object with the X509 certificate and private key (it it exists).

Throws:

CertificateConversionException

certAndWrappedKeyToRawByteFormat

public static byte[] certAndWrappedKeyToRawByteFormat(byte[] wrappedKey,
                                                      X509Certificate cert)
                                               throws CertificateConversionException

Throws:

CertificateConversionException