Package com.netscape.cmscore.cert
Class CertUtils
- java.lang.Object
-
- com.netscape.cmscore.cert.CertUtils
-
public class CertUtils extends java.lang.Object
Utility class with assorted methods to check for S/MIME pairs, determine the type of a cert (signature or encryption), etc.
- Version:
- $Revision$, $Date$
- Author:
- kanda
-
-
Field Summary
Fields Modifier and Type Field Description static java.lang.String
BEGIN_CRL_HEADER
static java.lang.String
CERT_NEW_REQUEST_HEADER
static java.lang.String
CERT_NEW_REQUEST_TRAILER
static java.lang.String
CERT_RENEWAL_HEADER
static java.lang.String
CERT_RENEWAL_TRAILER
static boolean
CT_POISON_CRITICAL
static byte[]
CT_POISON_DATA
static java.lang.String
CT_POISON_OID
static java.lang.String
END_CRL_HEADER
static org.slf4j.Logger
logger
-
Constructor Summary
Constructors Constructor Description CertUtils()
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description static void
addCTv1PoisonExt(org.mozilla.jss.netscape.security.x509.X509CertInfo certinfo)
protected void
audit(com.netscape.certsrv.logging.LogEvent event)
static java.lang.String
bytesToHex(byte[] bytes)
static boolean
certInCertChain(java.security.cert.X509Certificate[] certChain, java.security.cert.X509Certificate cert)
static org.mozilla.jss.netscape.security.util.ObjectIdentifier
checkOID(java.lang.String attrName, java.lang.String value)
Check if an object identifier in string form is valid, that is, a string of the form n.n.n.n that can be DER-encoded and decoded.
static org.mozilla.jss.netscape.security.x509.X509CertInfo
createCertInfo(int ver, java.math.BigInteger serialno, java.lang.String alg, java.lang.String issuerName, java.util.Date notBefore, java.util.Date notAfter)
static org.mozilla.jss.netscape.security.x509.X509CertInfo
createCertInfo(java.lang.String dn, java.lang.String issuerdn, java.lang.String keyAlgorithm, org.mozilla.jss.netscape.security.x509.X509Key x509key, java.lang.String type)
static void
createCertRecord(com.netscape.certsrv.request.IRequest request, CertInfoProfile profile, java.security.cert.X509Certificate cert)
static void
createCertRecord(com.netscape.certsrv.request.IRequest request, CertInfoProfile profile, org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
static org.mozilla.jss.netscape.security.x509.X509CertImpl
createLocalCert(com.netscape.certsrv.request.IRequest req, CertInfoProfile profile, org.mozilla.jss.netscape.security.x509.X509CertInfo info, java.security.PrivateKey signingPrivateKey, java.lang.String caSigningKeyAlgo)
static com.netscape.certsrv.request.IRequest
createLocalRequest(com.netscape.certsrv.request.IRequestQueue queue, CertInfoProfile profile, org.mozilla.jss.netscape.security.x509.X509CertInfo info, org.mozilla.jss.netscape.security.x509.X509Key x509key, java.lang.String[] sanHostnames, boolean installAdjustValidity)
static org.mozilla.jss.netscape.security.x509.X509CertImpl
createRemoteCert(com.netscape.certsrv.client.PKIClient client, javax.ws.rs.core.MultivaluedMap<java.lang.String,java.lang.String> content)
static org.mozilla.jss.netscape.security.pkcs.PKCS10
decodePKCS10(java.lang.String req)
static java.lang.String
getAdminProfileAlgorithm(java.lang.String caSigningKeyType, java.lang.String profileFilename, java.lang.String defaultSigningAlgsAllowed)
Reads from the admin cert profile caAdminCert.profile and determines the algorithm as follows: 1.
static org.mozilla.jss.CertificateUsage
getCertificateUsage(java.lang.String certusage)
static int
getCertIndex(org.mozilla.jss.netscape.security.x509.X509CertImpl[] certArray, org.mozilla.jss.netscape.security.x509.X509CertImpl givenCert)
Returns the index of the given cert in an array of certs.
static java.lang.String
getCertsDisplayInfo(org.mozilla.jss.netscape.security.x509.X509CertImpl[] validCerts)
static java.lang.String
getCertType(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
static java.lang.String
getExpiredCertsDisplayInfo(java.lang.String cn, org.mozilla.jss.netscape.security.x509.X509CertImpl[] expiredCerts)
static java.lang.String
getFingerPrint(java.security.cert.Certificate cert)
Returns a string that represents a cert's fingerprint.
static java.lang.String
getFingerPrints(byte[] certDer)
Returns a string that has the certificate's fingerprints using the MD5, MD2 and SHA1 hashes.
static java.lang.String
getFingerPrints(java.security.cert.Certificate cert)
Returns a string that has the certificate's fingerprints using the MD5, MD2 and SHA1 hashes.
static java.lang.String
getNSExtensionInfo(org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension nsExtn)
static org.mozilla.jss.netscape.security.x509.X509CertImpl
getRecentSigningCert(org.mozilla.jss.netscape.security.x509.X509CertImpl[] certArray, org.mozilla.jss.netscape.security.x509.X509CertImpl currentCert)
Returns the most recently issued signing certificate from an array of certs.
static java.lang.String
getRenewedCertsDisplayInfo(java.lang.String cn, org.mozilla.jss.netscape.security.x509.X509CertImpl[] validCerts, org.mozilla.jss.netscape.security.x509.X509CertImpl[] renewedCerts)
static java.lang.String
getValidCertsDisplayInfo(java.lang.String cn, org.mozilla.jss.netscape.security.x509.X509CertImpl[] validCerts)
static boolean
haveSameValidityPeriod(org.mozilla.jss.netscape.security.x509.X509CertImpl cert1, org.mozilla.jss.netscape.security.x509.X509CertImpl cert2)
static byte[]
intToFixedWidthBytes(int n, int width)
Writes the int as a big-endian byte[] of fixed width (in bytes).
static boolean
isAlgorithmValid(java.lang.String signingKeyType, java.lang.String algorithm)
static boolean
isEncryptionCert(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
static boolean
isExpiredCert(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
static boolean
isNotYetValidCert(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
static boolean
isSigningCert(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
static boolean
isSmimePair(org.mozilla.jss.netscape.security.x509.X509CertImpl cert1, org.mozilla.jss.netscape.security.x509.X509CertImpl cert2, boolean matchSubjectDN)
static boolean
isValidCert(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
static java.security.cert.X509Certificate
mapCert(java.lang.String mime64)
static java.security.cert.X509Certificate[]
mapCertFromPKCS7(java.lang.String mime64)
static java.security.cert.X509CRL
mapCRL(java.lang.String mime64)
static java.security.cert.X509CRL
mapCRL1(java.lang.String mime64)
static java.lang.String
normalizeCertStr(java.lang.String s)
static org.mozilla.jss.pkix.crmf.CertReqMsg[]
parseCRMF(java.util.Locale locale, java.lang.String certreq)
static org.mozilla.jss.netscape.security.util.DerInputStream
parseKeyGen(java.util.Locale locale, java.lang.String certreq)
static org.mozilla.jss.netscape.security.pkcs.PKCS10
parsePKCS10(java.util.Locale locale, java.lang.String certreq)
static void
printExtensions(org.mozilla.jss.netscape.security.x509.CertificateExtensions exts)
static void
printRequestContent(com.netscape.certsrv.request.IRequest request)
static byte[]
readFromFile(java.lang.String fileName)
static boolean
sameSubjectDN(java.lang.String dn1, java.lang.String dn2)
static void
setRSAKeyToCertInfo(org.mozilla.jss.netscape.security.x509.X509CertInfo info, byte[] encoded)
static void
sortCerts(org.mozilla.jss.netscape.security.x509.X509CertImpl[] arr)
static void
storeInFile(java.lang.String fileName, byte[] ba)
static java.lang.String
stripCertBrackets(java.lang.String s)
Strips out the begin and end certificate brackets.
static java.lang.String
stripCRLBrackets(java.lang.String s)
static java.lang.String
toLowerCaseSubsystemType(java.lang.String s)
static java.lang.String
trimB64E(java.lang.String b64e)
static java.lang.String
unwrapPKCS10(java.lang.String request, boolean checkHeader)
Removes the header and footer from the PKCS10 request.
static void
verifySystemCertByNickname(java.lang.String nickname, java.lang.String certusage)
static void
verifySystemCertByTag(java.lang.String tag)
static void
verifySystemCertByTag(java.lang.String tag, boolean checkValidityOnly)
static void
verifySystemCerts(boolean checkValidityOnly)
static void
verifySystemCertValidityByNickname(java.lang.String nickname)
-
-
-
Field Detail
-
logger
public static org.slf4j.Logger logger
-
CERT_NEW_REQUEST_HEADER
public static final java.lang.String CERT_NEW_REQUEST_HEADER
- See Also:
- Constant Field Values
-
CERT_NEW_REQUEST_TRAILER
public static final java.lang.String CERT_NEW_REQUEST_TRAILER
- See Also:
- Constant Field Values
-
CERT_RENEWAL_HEADER
public static final java.lang.String CERT_RENEWAL_HEADER
- See Also:
- Constant Field Values
-
CERT_RENEWAL_TRAILER
public static final java.lang.String CERT_RENEWAL_TRAILER
- See Also:
- Constant Field Values
-
BEGIN_CRL_HEADER
public static final java.lang.String BEGIN_CRL_HEADER
- See Also:
- Constant Field Values
-
END_CRL_HEADER
public static final java.lang.String END_CRL_HEADER
- See Also:
- Constant Field Values
-
CT_POISON_OID
public static final java.lang.String CT_POISON_OID
- See Also:
- Constant Field Values
-
CT_POISON_CRITICAL
public static final boolean CT_POISON_CRITICAL
- See Also:
- Constant Field Values
-
CT_POISON_DATA
public static final byte[] CT_POISON_DATA
-
-
Method Detail
-
parseKeyGen
public static org.mozilla.jss.netscape.security.util.DerInputStream parseKeyGen(java.util.Locale locale, java.lang.String certreq) throws java.lang.Exception
- Throws:
java.lang.Exception
-
unwrapPKCS10
public static java.lang.String unwrapPKCS10(java.lang.String request, boolean checkHeader) throws EBaseException
Removes the header and footer from the PKCS10 request.
- Throws:
EBaseException
-
decodePKCS10
public static org.mozilla.jss.netscape.security.pkcs.PKCS10 decodePKCS10(java.lang.String req) throws EBaseException
- Throws:
EBaseException
-
parsePKCS10
public static org.mozilla.jss.netscape.security.pkcs.PKCS10 parsePKCS10(java.util.Locale locale, java.lang.String certreq) throws java.lang.Exception
- Throws:
java.lang.Exception
-
parseCRMF
public static org.mozilla.jss.pkix.crmf.CertReqMsg[] parseCRMF(java.util.Locale locale, java.lang.String certreq) throws java.lang.Exception
- Throws:
java.lang.Exception
-
setRSAKeyToCertInfo
public static void setRSAKeyToCertInfo(org.mozilla.jss.netscape.security.x509.X509CertInfo info, byte[] encoded) throws EBaseException
- Throws:
EBaseException
-
createCertInfo
public static org.mozilla.jss.netscape.security.x509.X509CertInfo createCertInfo(int ver, java.math.BigInteger serialno, java.lang.String alg, java.lang.String issuerName, java.util.Date notBefore, java.util.Date notAfter) throws EBaseException
- Throws:
EBaseException
-
sortCerts
public static void sortCerts(org.mozilla.jss.netscape.security.x509.X509CertImpl[] arr)
-
isSigningCert
public static boolean isSigningCert(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
-
isEncryptionCert
public static boolean isEncryptionCert(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
-
haveSameValidityPeriod
public static boolean haveSameValidityPeriod(org.mozilla.jss.netscape.security.x509.X509CertImpl cert1, org.mozilla.jss.netscape.security.x509.X509CertImpl cert2)
-
isSmimePair
public static boolean isSmimePair(org.mozilla.jss.netscape.security.x509.X509CertImpl cert1, org.mozilla.jss.netscape.security.x509.X509CertImpl cert2, boolean matchSubjectDN)
-
isNotYetValidCert
public static boolean isNotYetValidCert(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
-
isValidCert
public static boolean isValidCert(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
-
isExpiredCert
public static boolean isExpiredCert(org.mozilla.jss.netscape.security.x509.X509CertImpl cert)
-
sameSubjectDN
public static boolean sameSubjectDN(java.lang.String dn1, java.lang.String dn2)
-
getValidCertsDisplayInfo
public static java.lang.String getValidCertsDisplayInfo(java.lang.String cn, org.mozilla.jss.netscape.security.x509.X509CertImpl[] validCerts)
-
getExpiredCertsDisplayInfo
public static java.lang.String getExpiredCertsDisplayInfo(java.lang.String cn, org.mozilla.jss.netscape.security.x509.X509CertImpl[] expiredCerts)
-
getRenewedCertsDisplayInfo
public static java.lang.String getRenewedCertsDisplayInfo(java.lang.String cn, org.mozilla.jss.netscape.security.x509.X509CertImpl[] validCerts, org.mozilla.jss.netscape.security.x509.X509CertImpl[] renewedCerts)
-
getCertsDisplayInfo
public static java.lang.String getCertsDisplayInfo(org.mozilla.jss.netscape.security.x509.X509CertImpl[] validCerts)
-
getCertIndex
public static int getCertIndex(org.mozilla.jss.netscape.security.x509.X509CertImpl[] certArray, org.mozilla.jss.netscape.security.x509.X509CertImpl givenCert)
Returns the index of the given cert in an array of certs. Assumption: the certs are issued by the same CA.
- Parameters:
certArray
- The array of certs.
givenCert
- The certificate we are looking for in the array.
- Returns:
- -1 if not found, or the index of the given cert in the array.
-
getRecentSigningCert
public static org.mozilla.jss.netscape.security.x509.X509CertImpl getRecentSigningCert(org.mozilla.jss.netscape.security.x509.X509CertImpl[] certArray, org.mozilla.jss.netscape.security.x509.X509CertImpl currentCert)
Returns the most recently issued signing certificate from an array of certs. Assumption: the certs are issued by the same CA.
- Parameters:
certArray
- The array of certs.
givenCert
- The certificate we are looking for in the array.
- Returns:
- null if there is no recent cert, or the most recent cert.
-
getCertType
public static java.lang.String getCertType(org.mozilla.jss.netscape.security.x509.X509CertImpl cert) throws java.security.cert.CertificateParsingException, java.io.IOException
- Throws:
java.security.cert.CertificateParsingException
java.io.IOException
-
getNSExtensionInfo
public static java.lang.String getNSExtensionInfo(org.mozilla.jss.netscape.security.extensions.NSCertTypeExtension nsExtn)
-
readFromFile
public static byte[] readFromFile(java.lang.String fileName) throws java.io.IOException
- Throws:
java.io.IOException
-
storeInFile
public static void storeInFile(java.lang.String fileName, byte[] ba) throws java.io.IOException
- Throws:
java.io.IOException
-
mapCert
public static java.security.cert.X509Certificate mapCert(java.lang.String mime64) throws java.io.IOException
- Throws:
java.io.IOException
-
mapCertFromPKCS7
public static java.security.cert.X509Certificate[] mapCertFromPKCS7(java.lang.String mime64) throws java.io.IOException
- Throws:
java.io.IOException
-
mapCRL
public static java.security.cert.X509CRL mapCRL(java.lang.String mime64) throws java.io.IOException
- Throws:
java.io.IOException
-
mapCRL1
public static java.security.cert.X509CRL mapCRL1(java.lang.String mime64) throws java.io.IOException
- Throws:
java.io.IOException
-
normalizeCertStr
public static java.lang.String normalizeCertStr(java.lang.String s)
-
stripCRLBrackets
public static java.lang.String stripCRLBrackets(java.lang.String s)
-
stripCertBrackets
public static java.lang.String stripCertBrackets(java.lang.String s)
Strips out the begin and end certificate brackets.
- Parameters:
s
- the string potentially bracketed with "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
- Returns:
- the string without the brackets
-
getFingerPrint
public static java.lang.String getFingerPrint(java.security.cert.Certificate cert) throws java.security.cert.CertificateEncodingException, java.security.NoSuchAlgorithmException
Returns a string that represents a cert's fingerprint. The fingerprint is an MD5 digest of the DER-encoded certificate; since MD5 is not collision-resistant, this value is suitable for display but should not be relied on by itself to establish that two certificates are the same.
- Parameters:
cert
- Certificate to get the fingerprint of.
- Returns:
- a String that represents the cert's fingerprint.
- Throws:
java.security.cert.CertificateEncodingException
java.security.NoSuchAlgorithmException
-
getFingerPrints
public static java.lang.String getFingerPrints(java.security.cert.Certificate cert) throws java.security.NoSuchAlgorithmException, java.security.cert.CertificateEncodingException
Returns a string that has the certificate's fingerprints using the MD5, MD2 and SHA1 hashes. A certificate's fingerprint is a hash digest of the DER-encoded certificate. None of these three digests is collision-resistant, so the result is suitable for display but not by itself as proof of certificate identity.
- Parameters:
cert
- Certificate to get the fingerprints of.
- Returns:
- a String with fingerprints using the MD5, MD2 and SHA1 hashes.
For example,
MD2: 78:7E:D1:F9:3E:AF:50:18:68:A7:29:50:C3:21:1F:71 MD5: 0E:89:91:AC:40:50:F7:BE:6E:7B:39:4F:56:73:75:75 SHA1: DC:D9:F7:AF:E2:83:10:B2:F7:0A:77:E8:50:E2:F7:D1:15:9A:9D:00
- Throws:
java.security.NoSuchAlgorithmException
java.security.cert.CertificateEncodingException
-
getFingerPrints
public static java.lang.String getFingerPrints(byte[] certDer) throws java.security.NoSuchAlgorithmException
Returns a string that has the certificate's fingerprints using the MD5, MD2 and SHA1 hashes. A certificate's fingerprint is a hash digest of the DER-encoded certificate. None of these three digests is collision-resistant, so the result is suitable for display but not by itself as proof of certificate identity.
- Parameters:
cert
- DER-encoded certificate to get the fingerprints of.
- Returns:
- a String with fingerprints using the MD5, MD2 and SHA1 hashes.
For example,
MD2: 78:7E:D1:F9:3E:AF:50:18:68:A7:29:50:C3:21:1F:71 MD5: 0E:89:91:AC:40:50:F7:BE:6E:7B:39:4F:56:73:75:75 SHA1: DC:D9:F7:AF:E2:83:10:B2:F7:0A:77:E8:50:E2:F7:D1:15:9A:9D:00
- Throws:
java.security.NoSuchAlgorithmException
-
checkOID
public static org.mozilla.jss.netscape.security.util.ObjectIdentifier checkOID(java.lang.String attrName, java.lang.String value) throws EBaseException
Checks if an object identifier in string form is valid, that is, a string of the form n.n.n.n that can be DER-encoded and decoded.
- Parameters:
attrName
- attribute name (from the configuration file)
value
- object identifier string.
- Throws:
EBaseException
-
trimB64E
public static java.lang.String trimB64E(java.lang.String b64e)
-
createLocalRequest
public static com.netscape.certsrv.request.IRequest createLocalRequest(com.netscape.certsrv.request.IRequestQueue queue, CertInfoProfile profile, org.mozilla.jss.netscape.security.x509.X509CertInfo info, org.mozilla.jss.netscape.security.x509.X509Key x509key, java.lang.String[] sanHostnames, boolean installAdjustValidity) throws java.lang.Exception
- Throws:
java.lang.Exception
-
createCertInfo
public static org.mozilla.jss.netscape.security.x509.X509CertInfo createCertInfo(java.lang.String dn, java.lang.String issuerdn, java.lang.String keyAlgorithm, org.mozilla.jss.netscape.security.x509.X509Key x509key, java.lang.String type) throws java.lang.Exception
- Throws:
java.lang.Exception
-
createCertRecord
public static void createCertRecord(com.netscape.certsrv.request.IRequest request, CertInfoProfile profile, org.mozilla.jss.netscape.security.x509.X509CertImpl cert) throws java.lang.Exception
- Throws:
java.lang.Exception
-
createCertRecord
public static void createCertRecord(com.netscape.certsrv.request.IRequest request, CertInfoProfile profile, java.security.cert.X509Certificate cert) throws java.lang.Exception
- Throws:
java.lang.Exception
-
createLocalCert
public static org.mozilla.jss.netscape.security.x509.X509CertImpl createLocalCert(com.netscape.certsrv.request.IRequest req, CertInfoProfile profile, org.mozilla.jss.netscape.security.x509.X509CertInfo info, java.security.PrivateKey signingPrivateKey, java.lang.String caSigningKeyAlgo) throws java.lang.Exception
- Throws:
java.lang.Exception
-
createRemoteCert
public static org.mozilla.jss.netscape.security.x509.X509CertImpl createRemoteCert(com.netscape.certsrv.client.PKIClient client, javax.ws.rs.core.MultivaluedMap<java.lang.String,java.lang.String> content) throws java.lang.Exception
- Throws:
java.lang.Exception
-
isAlgorithmValid
public static boolean isAlgorithmValid(java.lang.String signingKeyType, java.lang.String algorithm)
-
getAdminProfileAlgorithm
public static java.lang.String getAdminProfileAlgorithm(java.lang.String caSigningKeyType, java.lang.String profileFilename, java.lang.String defaultSigningAlgsAllowed) throws java.lang.Exception
Reads the admin cert profile caAdminCert.profile and determines the algorithm as follows:
1. First gets the list of allowed algorithms from the profile (constraint.params.signingAlgsAllowed). If that entry does not exist, uses the entry "ca.profiles.defaultSigningAlgsAllowed" from CS.cfg; if that entry does not exist either, uses the basic default.
2. Gets default.params.signingAlg from the profile. If the entry does not exist or equals "-", selects the first algorithm in the allowed-algorithm list that matches the CA signing key type; otherwise returns the entry if it matches the CA signing key type.
- Throws:
EBaseException
java.io.IOException
java.io.FileNotFoundException
java.lang.Exception
-
verifySystemCertValidityByNickname
public static void verifySystemCertValidityByNickname(java.lang.String nickname) throws java.lang.Exception
- Throws:
java.lang.Exception
-
verifySystemCertByNickname
public static void verifySystemCertByNickname(java.lang.String nickname, java.lang.String certusage) throws java.lang.Exception
- Throws:
java.lang.Exception
-
verifySystemCertByTag
public static void verifySystemCertByTag(java.lang.String tag) throws java.lang.Exception
- Throws:
java.lang.Exception
-
verifySystemCertByTag
public static void verifySystemCertByTag(java.lang.String tag, boolean checkValidityOnly) throws java.lang.Exception
- Throws:
java.lang.Exception
-
getCertificateUsage
public static org.mozilla.jss.CertificateUsage getCertificateUsage(java.lang.String certusage)
-
verifySystemCerts
public static void verifySystemCerts(boolean checkValidityOnly) throws java.lang.Exception
- Throws:
java.lang.Exception
-
toLowerCaseSubsystemType
public static java.lang.String toLowerCaseSubsystemType(java.lang.String s)
-
printRequestContent
public static void printRequestContent(com.netscape.certsrv.request.IRequest request)
-
addCTv1PoisonExt
public static void addCTv1PoisonExt(org.mozilla.jss.netscape.security.x509.X509CertInfo certinfo) throws java.security.cert.CertificateException, java.io.IOException, EBaseException
- Throws:
java.security.cert.CertificateException
java.io.IOException
EBaseException
-
printExtensions
public static void printExtensions(org.mozilla.jss.netscape.security.x509.CertificateExtensions exts)
-
intToFixedWidthBytes
public static byte[] intToFixedWidthBytes(int n, int width)
Writes the int as a big-endian byte[] of fixed width (in bytes).
-
bytesToHex
public static java.lang.String bytesToHex(byte[] bytes)
-
audit
protected void audit(com.netscape.certsrv.logging.LogEvent event)
-
certInCertChain
public static boolean certInCertChain(java.security.cert.X509Certificate[] certChain, java.security.cert.X509Certificate cert)
-
-