Package net.maritimeconnectivity.pki
Class CertificateHandler
- java.lang.Object
  - net.maritimeconnectivity.pki.CertificateHandler
public class CertificateHandler extends Object
Class that holds functions for handling certificates.
Method Summary
All Methods | Static Methods | Concrete Methods

Modifier and Type, Method, Description:
- static byte[] createOutputKeystore(String type, String alias, String password, PrivateKey privateKey, X509Certificate certificate)
  Place a cert/key in a PKCS12 or JKS keystore
- static X509Certificate getCertFromNginxHeader(String certificateHeader)
  Extract a certificate from an nginx header containing a PEM formatted certificate
- static X509Certificate getCertFromPem(String pemCertificate)
  Converts a PEM encoded certificate to an X509Certificate
- static String getElement(org.bouncycastle.asn1.x500.RDN[] rdns, org.bouncycastle.asn1.ASN1ObjectIdentifier objectId)
  Extract a value from the DN extracted from a certificate
- static String getElement(org.bouncycastle.asn1.x500.X500Name x500name, org.bouncycastle.asn1.ASN1ObjectIdentifier objectId)
  Extract a value from the DN extracted from a certificate
- static PKIIdentity getIdentityFromCert(X509Certificate userCertificate)
  Extracts a PKIIdentity from a certificate using the MCP PKI certificate "format"
- static String getPemFromEncoded(String type, byte[] encoded)
  Convert a cert/key to PEM from "encoded" format (byte[])
- static boolean verifyCertificate(PublicKey verificationPubKey, X509Certificate certToVerify, Date verificationDate)
  Verify a single certificate against the public key of the issuing certificate.
- static boolean verifyCertificateChain(X509Certificate certificate, KeyStore ks)
  Verify a single certificate against the trust chain in the keystore.
Method Detail
verifyCertificate
public static boolean verifyCertificate(PublicKey verificationPubKey, X509Certificate certToVerify, Date verificationDate)
Verify a single certificate against the public key of the issuing certificate. Does *not* check revocation status against CRL/OCSP. In most cases you should probably use verifyCertificateChain instead to verify the complete chain.
- Parameters:
  - verificationPubKey - Public key of the issuing certificate
  - certToVerify - The certificate to verify
  - verificationDate - Date the certificate must be valid. If null the present day is used.
- Returns:
  - true if valid else false
-
verifyCertificateChain
public static boolean verifyCertificateChain(X509Certificate certificate, KeyStore ks) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, InvalidAlgorithmParameterException, CertPathValidatorException
Verify a single certificate against the trust chain in the keystore. If the certificate is invalid a CertPathValidatorException is thrown. Checks certificate validity and revocation status.
- Parameters:
  - certificate - The certificate to verify
  - ks - The truststore that contains the trust chain
- Returns:
  - true if valid.
- Throws:
  - KeyStoreException - if keystore loading fails
  - NoSuchAlgorithmException - if PKIX initialization fails
  - CertificateException - if certificate cannot be loaded
  - InvalidAlgorithmParameterException - if keystore loading fails
  - CertPathValidatorException - if certificate is invalid.
-
getPemFromEncoded
public static String getPemFromEncoded(String type, byte[] encoded)
Convert a cert/key to PEM from "encoded" format (byte[])
- Parameters:
  - type - The type; currently "CERTIFICATE", "PUBLIC KEY", "PRIVATE KEY" or "X509 CRL" are used
  - encoded - The encoded byte[]
- Returns:
  - The PEM formatted cert/key
-
createOutputKeystore
public static byte[] createOutputKeystore(String type, String alias, String password, PrivateKey privateKey, X509Certificate certificate)
Place a cert/key in a PKCS12 or JKS keystore
- Parameters:
  - type - The keystore type to use (PKCS12 or JKS)
  - alias - The alias of the certificate in the keystore
  - password - The password used to protect the key
  - privateKey - Private key of the certificate
  - certificate - The certificate
- Returns:
  - Byte array of the p12 keystore.
-
getCertFromNginxHeader
public static X509Certificate getCertFromNginxHeader(String certificateHeader) throws UnsupportedEncodingException
Extract a certificate from an nginx header containing a PEM formatted certificate
- Parameters:
  - certificateHeader - The header containing the certificate
- Returns:
  - The extracted certificate. Returns null on failure.
- Throws:
  - UnsupportedEncodingException - if the given certificate cannot be URL decoded
-
getCertFromPem
public static X509Certificate getCertFromPem(String pemCertificate)
Converts a PEM encoded certificate to an X509Certificate
- Parameters:
  - pemCertificate - String containing the PEM encoded certificate
- Returns:
  - The converted certificate
-
getIdentityFromCert
public static PKIIdentity getIdentityFromCert(X509Certificate userCertificate)
Extracts a PKIIdentity from a certificate using the MCP PKI certificate "format"
- Parameters:
  - userCertificate - The certificate
- Returns:
  - The extracted identity
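The methods getCertFromNginxHeader, verifyCertificateChain and getIdentityFromCert above are meant to be used together when a reverse proxy forwards a client certificate. The following is an added example, not code from the MCP PKI library: it assumes a PKCS12 truststore at a placeholder path, and that the header name and PKIIdentity accessors are deployment-specific and therefore not shown.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathValidatorException;
import java.security.cert.X509Certificate;

import net.maritimeconnectivity.pki.CertificateHandler;
import net.maritimeconnectivity.pki.PKIIdentity;

/**
 * Added example (not part of the MCP PKI library): authenticate a client from
 * the certificate nginx forwarded in a request header, using the full chain
 * plus revocation check rather than a bare signature check.
 */
public class ClientCertAuthExample {

    // Assumed truststore location and password; adjust to your deployment.
    private static final String TRUSTSTORE_PATH = "/path/to/mcp-truststore.p12";
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    /** Loads the truststore holding the MCP CA chain (PKCS12 assumed). */
    static KeyStore loadTruststore() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(TRUSTSTORE_PATH)) {
            ks.load(in, TRUSTSTORE_PASSWORD);
        }
        return ks;
    }

    /**
     * Returns the identity bound to the header's certificate, or null when the
     * header is missing or unparsable, or when the chain does not validate.
     */
    static PKIIdentity authenticate(String clientCertHeader, KeyStore truststore) throws Exception {
        if (clientCertHeader == null || clientCertHeader.isEmpty()) {
            return null; // no client certificate presented
        }
        // URL-decodes and parses the PEM from the header; returns null on failure
        X509Certificate cert = CertificateHandler.getCertFromNginxHeader(clientCertHeader);
        if (cert == null) {
            return null;
        }
        try {
            // Full PKIX validation against the truststore: validity period and
            // revocation status. verifyCertificate() alone would skip revocation.
            if (!CertificateHandler.verifyCertificateChain(cert, truststore)) {
                return null;
            }
        } catch (CertPathValidatorException e) {
            return null; // invalid chain: treat as an authentication failure
        }
        // Only after successful validation are the certificate's attributes trusted
        return CertificateHandler.getIdentityFromCert(cert);
    }
}
```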
-
getElement
public static String getElement(org.bouncycastle.asn1.x500.X500Name x500name, org.bouncycastle.asn1.ASN1ObjectIdentifier objectId)
Extract a value from the DN extracted from a certificate
- Parameters:
  - x500name - The full DN from the certificate
  - objectId - The Identifier to find
- Returns:
  - the value of the identifier, or null if not found.
-
getElement
public static String getElement(org.bouncycastle.asn1.x500.RDN[] rdns, org.bouncycastle.asn1.ASN1ObjectIdentifier objectId)
Extract a value from the DN extracted from a certificate
- Parameters:
  - rdns - The full DN from the certificate
  - objectId - The Identifier to find
- Returns:
  - the value of the identifier, or null if not found.
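Both getElement overloads return null when the identifier is absent, which callers must not confuse with an empty or matching value. The following is an added example, not code from the MCP PKI library: it builds the Bouncy Castle X500Name from the JDK subject principal and checks it against an expected attribute set; the organisation and country values are constructed samples.

```java
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;

import net.maritimeconnectivity.pki.CertificateHandler;

/**
 * Added example (not part of the MCP PKI library): compare a certificate's
 * subject DN against expected attribute values, treating a missing attribute
 * (getElement returns null) as a mismatch rather than as a match.
 */
public class SubjectDnPolicyExample {

    /** Converts the JDK subject principal into a Bouncy Castle X500Name. */
    static X500Name subjectName(X509Certificate cert) {
        return X500Name.getInstance(cert.getSubjectX500Principal().getEncoded());
    }

    /**
     * Returns the attributes whose actual value differs from the expected one,
     * keyed by OID with the actual value or "<absent>"; empty means all matched.
     */
    static Map<ASN1ObjectIdentifier, String> checkSubject(X509Certificate cert,
                                                         Map<ASN1ObjectIdentifier, String> expected) {
        X500Name subject = subjectName(cert);
        Map<ASN1ObjectIdentifier, String> mismatches = new LinkedHashMap<>();
        for (Map.Entry<ASN1ObjectIdentifier, String> e : expected.entrySet()) {
            String actual = CertificateHandler.getElement(subject, e.getKey());
            // null means the RDN is not present in the DN; never treat that as a match
            if (actual == null || !actual.equals(e.getValue())) {
                mismatches.put(e.getKey(), actual == null ? "<absent>" : actual);
            }
        }
        return mismatches;
    }

    /** Example policy with constructed sample values for organisation and country. */
    static Map<ASN1ObjectIdentifier, String> examplePolicy() {
        Map<ASN1ObjectIdentifier, String> expected = new LinkedHashMap<>();
        expected.put(BCStyle.O, "Example Maritime Org"); // constructed sample value
        expected.put(BCStyle.C, "DK");                   // constructed sample value
        return expected;
    }
}
```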