Class CertUtils


  • public class CertUtils
    extends java.lang.Object
    Utility class with assorted methods to check for S/MIME pairs, determine the type of a cert (signature or encryption), and so on.
    Version:
    $Revision$, $Date$
    Author:
    kanda
    • Constructor Summary

      Constructors 
      Constructor Description
      CertUtils()  
    • Method Summary

      Modifier and Type Method Description
      protected void audit​(LogEvent event)  
      static void buildSANSSLserverURLExtension​(IConfigStore config, javax.ws.rs.core.MultivaluedMap<java.lang.String,​java.lang.String> content)  
      static boolean certInCertChain​(java.security.cert.X509Certificate[] certChain, java.security.cert.X509Certificate cert)  
      static org.mozilla.jss.netscape.security.util.ObjectIdentifier checkOID​(java.lang.String attrName, java.lang.String value)
      Checks whether an object identifier in string form is valid, that is, a string of the form n.n.n.n that can be DER-encoded and decoded.
      static org.mozilla.jss.netscape.security.x509.X509CertInfo createCertInfo​(int ver, java.math.BigInteger serialno, java.lang.String alg, java.lang.String issuerName, java.util.Date notBefore, java.util.Date notAfter)  
      static org.mozilla.jss.netscape.security.x509.X509CertInfo createCertInfo​(java.lang.String dn, java.lang.String issuerdn, java.lang.String keyAlgorithm, org.mozilla.jss.netscape.security.x509.X509Key x509key, java.lang.String type)  
      static void createCertRecord​(IRequest request, CertInfoProfile profile, java.security.cert.X509Certificate cert)  
      static void createCertRecord​(IRequest request, CertInfoProfile profile, org.mozilla.jss.netscape.security.x509.X509CertImpl cert)  
      static org.mozilla.jss.netscape.security.x509.X509CertImpl createLocalCert​(IRequest req, CertInfoProfile profile, org.mozilla.jss.netscape.security.x509.X509CertInfo info, java.security.PrivateKey signingPrivateKey, java.lang.String caSigningKeyAlgo)  
      static IRequest createLocalRequest​(IRequestQueue queue, CertInfoProfile profile, org.mozilla.jss.netscape.security.x509.X509CertInfo info, org.mozilla.jss.netscape.security.x509.X509Key x509key, java.lang.String[] sanHostnames, boolean installAdjustValidity)  
      static org.mozilla.jss.netscape.security.x509.X509CertImpl createRemoteCert​(PKIClient client, javax.ws.rs.core.MultivaluedMap<java.lang.String,​java.lang.String> content)  
      static org.mozilla.jss.netscape.security.pkcs.PKCS10 decodePKCS10​(java.lang.String req)  
      static java.lang.String getAdminProfileAlgorithm​(java.lang.String caSigningKeyType, java.lang.String profileFilename, java.lang.String defaultSigningAlgsAllowed)
      Reads from the admin cert profile caAdminCert.profile and determines the algorithm; see the method detail below for the selection rules.
      static org.mozilla.jss.CertificateUsage getCertificateUsage​(java.lang.String certusage)  
      static int getCertIndex​(org.mozilla.jss.netscape.security.x509.X509CertImpl[] certArray, org.mozilla.jss.netscape.security.x509.X509CertImpl givenCert)
      Returns the index of the given cert in an array of certs.
      static java.lang.String getCertsDisplayInfo​(org.mozilla.jss.netscape.security.x509.X509CertImpl[] validCerts)  
      static java.lang.String getCertType​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)  
      static java.lang.String getExpiredCertsDisplayInfo​(java.lang.String cn, org.mozilla.jss.netscape.security.x509.X509CertImpl[] expiredCerts)  
      static java.lang.String getFingerPrint​(java.security.cert.Certificate cert)
      Returns a string that represents a cert's fingerprint.
      static java.lang.String getFingerPrints​(byte[] certDer)
      Returns a string that has the certificate's fingerprint using MD5, MD2 and SHA1 hashes.
      static java.lang.String getFingerPrints​(java.security.cert.Certificate cert)
      Returns a string that has the certificate's fingerprint using MD5, MD2 and SHA1 hashes.
      static java.lang.String getNSExtensionInfo​(org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension nsExtn)  
      static org.mozilla.jss.netscape.security.x509.X509CertImpl getRecentSigningCert​(org.mozilla.jss.netscape.security.x509.X509CertImpl[] certArray, org.mozilla.jss.netscape.security.x509.X509CertImpl currentCert)
      Returns the most recently issued signing certificate from an array of certs.
      static java.lang.String getRenewedCertsDisplayInfo​(java.lang.String cn, org.mozilla.jss.netscape.security.x509.X509CertImpl[] validCerts, org.mozilla.jss.netscape.security.x509.X509CertImpl[] renewedCerts)  
      static java.lang.String getValidCertsDisplayInfo​(java.lang.String cn, org.mozilla.jss.netscape.security.x509.X509CertImpl[] validCerts)  
      static boolean haveSameValidityPeriod​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert1, org.mozilla.jss.netscape.security.x509.X509CertImpl cert2)  
      static boolean isAlgorithmValid​(java.lang.String signingKeyType, java.lang.String algorithm)  
      static boolean isEncryptionCert​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)  
      static boolean isExpiredCert​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)  
      static boolean isNotYetValidCert​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)  
      static boolean isSigningCert​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)  
      static boolean isSmimePair​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert1, org.mozilla.jss.netscape.security.x509.X509CertImpl cert2, boolean matchSubjectDN)  
      static boolean isValidCert​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)  
      static java.security.cert.X509Certificate mapCert​(java.lang.String mime64)  
      static java.security.cert.X509Certificate[] mapCertFromPKCS7​(java.lang.String mime64)  
      static java.security.cert.X509CRL mapCRL​(java.lang.String mime64)  
      static java.security.cert.X509CRL mapCRL1​(java.lang.String mime64)  
      static java.lang.String normalizeCertStr​(java.lang.String s)  
      static org.mozilla.jss.pkix.crmf.CertReqMsg[] parseCRMF​(java.util.Locale locale, java.lang.String certreq)  
      static org.mozilla.jss.netscape.security.util.DerInputStream parseKeyGen​(java.util.Locale locale, java.lang.String certreq)  
      static org.mozilla.jss.netscape.security.pkcs.PKCS10 parsePKCS10​(java.util.Locale locale, java.lang.String certreq)  
      static byte[] readFromFile​(java.lang.String fileName)  
      static boolean sameSubjectDN​(java.lang.String dn1, java.lang.String dn2)  
      static void setRSAKeyToCertInfo​(org.mozilla.jss.netscape.security.x509.X509CertInfo info, byte[] encoded)  
      static void sortCerts​(org.mozilla.jss.netscape.security.x509.X509CertImpl[] arr)  
      static void storeInFile​(java.lang.String fileName, byte[] ba)  
      static java.lang.String stripCertBrackets​(java.lang.String s)
      strips out the begin and end certificate brackets
      static java.lang.String stripCRLBrackets​(java.lang.String s)  
      static java.lang.String toLowerCaseSubsystemType​(java.lang.String s)  
      static java.lang.String trimB64E​(java.lang.String b64e)  
      static java.lang.String unwrapPKCS10​(java.lang.String request, boolean checkHeader)
      Remove the header and footer in the PKCS10 request.
      static void updateLocalRequest​(java.lang.String reqId, byte[] certReq, java.lang.String reqType, java.lang.String subjectName)
      Updates the local cert request with the actual request; called from CertRequestPanel.java.
      static void verifySystemCertByNickname​(java.lang.String nickname, java.lang.String certusage)  
      static void verifySystemCertByTag​(java.lang.String tag)  
      static void verifySystemCertByTag​(java.lang.String tag, boolean checkValidityOnly)  
      static void verifySystemCerts​(boolean checkValidityOnly)  
      static void verifySystemCertValidityByNickname​(java.lang.String nickname)  
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • logger

        public static org.slf4j.Logger logger
      • CERT_NEW_REQUEST_HEADER

        public static final java.lang.String CERT_NEW_REQUEST_HEADER
        See Also:
        Constant Field Values
      • CERT_NEW_REQUEST_TRAILER

        public static final java.lang.String CERT_NEW_REQUEST_TRAILER
        See Also:
        Constant Field Values
      • CERT_RENEWAL_HEADER

        public static final java.lang.String CERT_RENEWAL_HEADER
        See Also:
        Constant Field Values
      • CERT_RENEWAL_TRAILER

        public static final java.lang.String CERT_RENEWAL_TRAILER
        See Also:
        Constant Field Values
      • BEGIN_CRL_HEADER

        public static final java.lang.String BEGIN_CRL_HEADER
        See Also:
        Constant Field Values
    • Constructor Detail

      • CertUtils

        public CertUtils()
    • Method Detail

      • parseKeyGen

        public static org.mozilla.jss.netscape.security.util.DerInputStream parseKeyGen​(java.util.Locale locale,
                                                                                        java.lang.String certreq)
                                                                                 throws java.lang.Exception
        Throws:
        java.lang.Exception
      • unwrapPKCS10

        public static java.lang.String unwrapPKCS10​(java.lang.String request,
                                                    boolean checkHeader)
                                             throws EBaseException
        Removes the header and footer from the PKCS10 request.
        Throws:
        EBaseException
      • decodePKCS10

        public static org.mozilla.jss.netscape.security.pkcs.PKCS10 decodePKCS10​(java.lang.String req)
                                                                          throws EBaseException
        Throws:
        EBaseException
      • parsePKCS10

        public static org.mozilla.jss.netscape.security.pkcs.PKCS10 parsePKCS10​(java.util.Locale locale,
                                                                                java.lang.String certreq)
                                                                         throws java.lang.Exception
        Throws:
        java.lang.Exception
      • parseCRMF

        public static org.mozilla.jss.pkix.crmf.CertReqMsg[] parseCRMF​(java.util.Locale locale,
                                                                       java.lang.String certreq)
                                                                throws java.lang.Exception
        Throws:
        java.lang.Exception
      • setRSAKeyToCertInfo

        public static void setRSAKeyToCertInfo​(org.mozilla.jss.netscape.security.x509.X509CertInfo info,
                                               byte[] encoded)
                                        throws EBaseException
        Throws:
        EBaseException
      • createCertInfo

        public static org.mozilla.jss.netscape.security.x509.X509CertInfo createCertInfo​(int ver,
                                                                                         java.math.BigInteger serialno,
                                                                                         java.lang.String alg,
                                                                                         java.lang.String issuerName,
                                                                                         java.util.Date notBefore,
                                                                                         java.util.Date notAfter)
                                                                                  throws EBaseException
        Throws:
        EBaseException
      • sortCerts

        public static void sortCerts​(org.mozilla.jss.netscape.security.x509.X509CertImpl[] arr)
      • isSigningCert

        public static boolean isSigningCert​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
      • isEncryptionCert

        public static boolean isEncryptionCert​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
      • haveSameValidityPeriod

        public static boolean haveSameValidityPeriod​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert1,
                                                     org.mozilla.jss.netscape.security.x509.X509CertImpl cert2)
      • isSmimePair

        public static boolean isSmimePair​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert1,
                                          org.mozilla.jss.netscape.security.x509.X509CertImpl cert2,
                                          boolean matchSubjectDN)
      • isNotYetValidCert

        public static boolean isNotYetValidCert​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
      • isValidCert

        public static boolean isValidCert​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
      • isExpiredCert

        public static boolean isExpiredCert​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
      • sameSubjectDN

        public static boolean sameSubjectDN​(java.lang.String dn1,
                                            java.lang.String dn2)
      • getValidCertsDisplayInfo

        public static java.lang.String getValidCertsDisplayInfo​(java.lang.String cn,
                                                                org.mozilla.jss.netscape.security.x509.X509CertImpl[] validCerts)
      • getExpiredCertsDisplayInfo

        public static java.lang.String getExpiredCertsDisplayInfo​(java.lang.String cn,
                                                                  org.mozilla.jss.netscape.security.x509.X509CertImpl[] expiredCerts)
      • getRenewedCertsDisplayInfo

        public static java.lang.String getRenewedCertsDisplayInfo​(java.lang.String cn,
                                                                  org.mozilla.jss.netscape.security.x509.X509CertImpl[] validCerts,
                                                                  org.mozilla.jss.netscape.security.x509.X509CertImpl[] renewedCerts)
      • getCertsDisplayInfo

        public static java.lang.String getCertsDisplayInfo​(org.mozilla.jss.netscape.security.x509.X509CertImpl[] validCerts)
      • getCertIndex

        public static int getCertIndex​(org.mozilla.jss.netscape.security.x509.X509CertImpl[] certArray,
                                       org.mozilla.jss.netscape.security.x509.X509CertImpl givenCert)
        Returns the index of the given cert in an array of certs. Assumes the certs are issued by the same CA.
        Parameters:
        certArray - The array of certs.
        givenCert - The certificate we are looking for in the array.
        Returns:
        -1 if not found or the index of the given cert in the array.
      • getRecentSigningCert

        public static org.mozilla.jss.netscape.security.x509.X509CertImpl getRecentSigningCert​(org.mozilla.jss.netscape.security.x509.X509CertImpl[] certArray,
                                                                                               org.mozilla.jss.netscape.security.x509.X509CertImpl currentCert)
        Returns the most recently issued signing certificate from an array of certs. Assumes the certs are issued by the same CA.
        Parameters:
        certArray - The array of certs.
        givenCert (declared as currentCert in the signature) - The certificate we are looking for in the array.
        Returns:
        null if there is no recent cert or the most recent cert.
      • getCertType

        public static java.lang.String getCertType​(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
                                            throws java.security.cert.CertificateParsingException,
                                                   java.io.IOException
        Throws:
        java.security.cert.CertificateParsingException
        java.io.IOException
      • getNSExtensionInfo

        public static java.lang.String getNSExtensionInfo​(org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension nsExtn)
      • readFromFile

        public static byte[] readFromFile​(java.lang.String fileName)
                                   throws java.io.IOException
        Throws:
        java.io.IOException
      • storeInFile

        public static void storeInFile​(java.lang.String fileName,
                                       byte[] ba)
                                throws java.io.IOException
        Throws:
        java.io.IOException
      • mapCert

        public static java.security.cert.X509Certificate mapCert​(java.lang.String mime64)
                                                          throws java.io.IOException
        Throws:
        java.io.IOException
      • mapCertFromPKCS7

        public static java.security.cert.X509Certificate[] mapCertFromPKCS7​(java.lang.String mime64)
                                                                     throws java.io.IOException
        Throws:
        java.io.IOException
      • mapCRL

        public static java.security.cert.X509CRL mapCRL​(java.lang.String mime64)
                                                 throws java.io.IOException
        Throws:
        java.io.IOException
      • mapCRL1

        public static java.security.cert.X509CRL mapCRL1​(java.lang.String mime64)
                                                  throws java.io.IOException
        Throws:
        java.io.IOException
      • normalizeCertStr

        public static java.lang.String normalizeCertStr​(java.lang.String s)
      • stripCRLBrackets

        public static java.lang.String stripCRLBrackets​(java.lang.String s)
      • stripCertBrackets

        public static java.lang.String stripCertBrackets​(java.lang.String s)
        Strips out the begin and end certificate brackets.
        Parameters:
        s - the string potentially bracketed with "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
        Returns:
        string without the brackets
      • getFingerPrint

        public static java.lang.String getFingerPrint​(java.security.cert.Certificate cert)
                                               throws java.security.cert.CertificateEncodingException,
                                                      java.security.NoSuchAlgorithmException
        Returns a string that represents a cert's fingerprint. The fingerprint is an MD5 digest of the DER-encoded certificate. Note that MD5 is not collision-resistant, so this value is suitable for display or logging only, not for deciding whether to trust or identify a certificate.
        Parameters:
        cert - Certificate to get the fingerprint of.
        Returns:
        a String that represents the cert's fingerprint.
        Throws:
        java.security.cert.CertificateEncodingException
        java.security.NoSuchAlgorithmException
      • getFingerPrints

        public static java.lang.String getFingerPrints​(java.security.cert.Certificate cert)
                                                throws java.security.NoSuchAlgorithmException,
                                                       java.security.cert.CertificateEncodingException
        Returns a string that has the certificate's fingerprints using the MD5, MD2 and SHA1 hashes. A certificate's fingerprint is a hash digest of the DER-encoded certificate. None of these digests is collision-resistant any longer, so the result is intended for display only.
        Parameters:
        cert - Certificate to get the fingerprints of.
        Returns:
        a String with fingerprints using the MD5, MD2 and SHA1 hashes. For example,
         MD2:   78:7E:D1:F9:3E:AF:50:18:68:A7:29:50:C3:21:1F:71
        
         MD5:   0E:89:91:AC:40:50:F7:BE:6E:7B:39:4F:56:73:75:75
        
         SHA1:  DC:D9:F7:AF:E2:83:10:B2:F7:0A:77:E8:50:E2:F7:D1:15:9A:9D:00
         
        Throws:
        java.security.NoSuchAlgorithmException
        java.security.cert.CertificateEncodingException
      • getFingerPrints

        public static java.lang.String getFingerPrints​(byte[] certDer)
                                                throws java.security.NoSuchAlgorithmException
        Returns a string that has the certificate's fingerprints using the MD5, MD2 and SHA1 hashes. A certificate's fingerprint is a hash digest of the DER-encoded certificate. None of these digests is collision-resistant any longer, so the result is intended for display only.
        Parameters:
        certDer - DER encoding of the certificate to get the fingerprints of.
        Returns:
        a String with fingerprints using the MD5, MD2 and SHA1 hashes. For example,
         MD2:   78:7E:D1:F9:3E:AF:50:18:68:A7:29:50:C3:21:1F:71
        
         MD5:   0E:89:91:AC:40:50:F7:BE:6E:7B:39:4F:56:73:75:75
        
         SHA1:  DC:D9:F7:AF:E2:83:10:B2:F7:0A:77:E8:50:E2:F7:D1:15:9A:9D:00
         
        Throws:
        java.security.NoSuchAlgorithmException
      • checkOID

        public static org.mozilla.jss.netscape.security.util.ObjectIdentifier checkOID​(java.lang.String attrName,
                                                                                       java.lang.String value)
                                                                                throws EBaseException
        Checks whether an object identifier in string form is valid, that is, a string of the form n.n.n.n that can be DER-encoded and decoded.
        Parameters:
        attrName - attribute name (from the configuration file)
        value - object identifier string.
        Throws:
        EBaseException
      • trimB64E

        public static java.lang.String trimB64E​(java.lang.String b64e)
      • buildSANSSLserverURLExtension

        public static void buildSANSSLserverURLExtension​(IConfigStore config,
                                                         javax.ws.rs.core.MultivaluedMap<java.lang.String,​java.lang.String> content)
                                                  throws java.lang.Exception
        Throws:
        java.lang.Exception
      • createLocalRequest

        public static IRequest createLocalRequest​(IRequestQueue queue,
                                                  CertInfoProfile profile,
                                                  org.mozilla.jss.netscape.security.x509.X509CertInfo info,
                                                  org.mozilla.jss.netscape.security.x509.X509Key x509key,
                                                  java.lang.String[] sanHostnames,
                                                  boolean installAdjustValidity)
                                           throws java.lang.Exception
        Throws:
        java.lang.Exception
      • updateLocalRequest

        public static void updateLocalRequest​(java.lang.String reqId,
                                              byte[] certReq,
                                              java.lang.String reqType,
                                              java.lang.String subjectName)
                                       throws java.lang.Exception
        Updates the local cert request with the actual request; called from CertRequestPanel.java.
        Throws:
        EBaseException
        EPropertyNotFound
        java.lang.Exception
      • createCertInfo

        public static org.mozilla.jss.netscape.security.x509.X509CertInfo createCertInfo​(java.lang.String dn,
                                                                                         java.lang.String issuerdn,
                                                                                         java.lang.String keyAlgorithm,
                                                                                         org.mozilla.jss.netscape.security.x509.X509Key x509key,
                                                                                         java.lang.String type)
                                                                                  throws java.lang.Exception
        Throws:
        java.lang.Exception
      • createCertRecord

        public static void createCertRecord​(IRequest request,
                                            CertInfoProfile profile,
                                            org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
                                     throws java.lang.Exception
        Throws:
        java.lang.Exception
      • createCertRecord

        public static void createCertRecord​(IRequest request,
                                            CertInfoProfile profile,
                                            java.security.cert.X509Certificate cert)
                                     throws java.lang.Exception
        Throws:
        java.lang.Exception
      • createLocalCert

        public static org.mozilla.jss.netscape.security.x509.X509CertImpl createLocalCert​(IRequest req,
                                                                                          CertInfoProfile profile,
                                                                                          org.mozilla.jss.netscape.security.x509.X509CertInfo info,
                                                                                          java.security.PrivateKey signingPrivateKey,
                                                                                          java.lang.String caSigningKeyAlgo)
                                                                                   throws java.lang.Exception
        Throws:
        java.lang.Exception
      • createRemoteCert

        public static org.mozilla.jss.netscape.security.x509.X509CertImpl createRemoteCert​(PKIClient client,
                                                                                           javax.ws.rs.core.MultivaluedMap<java.lang.String,​java.lang.String> content)
                                                                                    throws java.lang.Exception
        Throws:
        java.lang.Exception
      • isAlgorithmValid

        public static boolean isAlgorithmValid​(java.lang.String signingKeyType,
                                               java.lang.String algorithm)
      • getAdminProfileAlgorithm

        public static java.lang.String getAdminProfileAlgorithm​(java.lang.String caSigningKeyType,
                                                                java.lang.String profileFilename,
                                                                java.lang.String defaultSigningAlgsAllowed)
                                                         throws java.lang.Exception
        Reads from the admin cert profile caAdminCert.profile and determines the algorithm as follows: 1. First gets the list of allowed algorithms from the profile (constraint.params.signingAlgsAllowed). If that entry does not exist, uses the entry "ca.profiles.defaultSigningAlgsAllowed" from CS.cfg; if that entry does not exist either, uses a basic default. 2. Gets default.params.signingAlg from the profile. If that entry does not exist or equals "-", selects the first algorithm in the allowed-algorithm list that matches the CA signing key type; otherwise returns the entry if it matches the CA signing key type.
        Throws:
        EBaseException
        java.io.IOException
        java.io.FileNotFoundException
        java.lang.Exception
      • verifySystemCertValidityByNickname

        public static void verifySystemCertValidityByNickname​(java.lang.String nickname)
                                                       throws java.lang.Exception
        Throws:
        java.lang.Exception
      • verifySystemCertByNickname

        public static void verifySystemCertByNickname​(java.lang.String nickname,
                                                      java.lang.String certusage)
                                               throws java.lang.Exception
        Throws:
        java.lang.Exception
      • verifySystemCertByTag

        public static void verifySystemCertByTag​(java.lang.String tag)
                                          throws java.lang.Exception
        Throws:
        java.lang.Exception
      • verifySystemCertByTag

        public static void verifySystemCertByTag​(java.lang.String tag,
                                                 boolean checkValidityOnly)
                                          throws java.lang.Exception
        Throws:
        java.lang.Exception
      • getCertificateUsage

        public static org.mozilla.jss.CertificateUsage getCertificateUsage​(java.lang.String certusage)
      • verifySystemCerts

        public static void verifySystemCerts​(boolean checkValidityOnly)
                                      throws java.lang.Exception
        Throws:
        java.lang.Exception
      • toLowerCaseSubsystemType

        public static java.lang.String toLowerCaseSubsystemType​(java.lang.String s)
      • audit

        protected void audit​(LogEvent event)
      • certInCertChain

        public static boolean certInCertChain​(java.security.cert.X509Certificate[] certChain,
                                              java.security.cert.X509Certificate cert)