org.opensaml.security.x509

Class X509Support

java.lang.Object

org.opensaml.security.x509.X509Support

public class X509Support
extends java.lang.Object

Utility class for working with X509 objects.

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	CN_OID Common Name (CN) OID.
static java.lang.Integer	DIRECTORY_ALT_NAME RFC 2459 Directory Name Subject Alt Name type.
static java.lang.Integer	DNS_ALT_NAME RFC 2459 DNS Subject Alt Name type.
static java.lang.Integer	EDI_PARTY_ALT_NAME RFC 2459 EDI Party Name Subject Alt Name type.
static java.lang.Integer	IP_ADDRESS_ALT_NAME RFC 2459 IP Address Subject Alt Name type.
static java.lang.Integer	OTHER_ALT_NAME RFC 2459 Other Subject Alt Name type.
static java.lang.Integer	REGISTERED_ID_ALT_NAME RFC 2459 Registered ID Subject Alt Name type.
static java.lang.Integer	RFC822_ALT_NAME RFC 2459 RFC 822 (email address) Subject Alt Name type.
static java.lang.String	SKI_OID Subject Key Identifier (SKI) OID.
static java.lang.Integer	URI_ALT_NAME RFC 2459 URI Subject Alt Name type.
static java.lang.Integer	X400ADDRESS_ALT_NAME RFC 2459 X.400 Address Subject Alt Name type.

Constructor Summary

Constructors

Modifier	Constructor and Description
protected	X509Support() Constructed.

Method Summary

Modifier and Type	Method and Description
private static java.lang.Object	convertAltNameType(java.lang.Integer nameType, org.bouncycastle.asn1.ASN1Primitive nameValue) Convert types returned by Bouncy Castle X509ExtensionUtil.getSubjectAlternativeNames(X509Certificate) to be consistent with what is documented for: java.security.cert.X509Certificate#getSubjectAlternativeNames.
static java.security.cert.X509Certificate	decodeCertificate(byte[] cert) Decodes a single X.509 certificate in DER or PEM format.
static java.security.cert.X509Certificate	decodeCertificate(java.io.File cert) Decodes a single X.509 certificate in DER or PEM format.
static java.security.cert.X509Certificate	decodeCertificate(java.lang.String base64Cert) Decode a single Java certificate from base64 encoded form without PEM headers and footers.
static java.util.Collection<java.security.cert.X509Certificate>	decodeCertificates(byte[] certs) Decodes X.509 certificates in DER or PEM format.
static java.util.Collection<java.security.cert.X509Certificate>	decodeCertificates(java.io.File certs) Decodes X.509 certificates in DER or PEM format.
static java.security.cert.X509CRL	decodeCRL(java.lang.String base64CRL) Decode CRL in base64 encoded form without PEM headers and footers.
static java.util.Collection<java.security.cert.X509CRL>	decodeCRLs(byte[] crls) Decodes CRLs in DER or PKCS#7 format.
static java.util.Collection<java.security.cert.X509CRL>	decodeCRLs(java.io.File crls) Decodes CRLs in DER or PKCS#7 format.
static java.security.cert.X509Certificate	determineEntityCertificate(java.util.Collection<java.security.cert.X509Certificate> certs, java.security.PrivateKey privateKey) Determines the certificate, from the collection, associated with the private key.
static java.util.List	getAltNames(java.security.cert.X509Certificate certificate, java.lang.Integer[] nameTypes) Gets the list of alternative names of a given name type.
static java.util.List<java.lang.String>	getCommonNames(javax.security.auth.x500.X500Principal dn) Gets the commons names that appear within the given distinguished name.
static java.lang.String	getIdentifiersToken(X509Credential credential, X500DNHandler handler) Gets a formatted string representing identifier information from the supplied credential.
private static org.slf4j.Logger	getLogger() Get an SLF4J Logger.
static byte[]	getSubjectKeyIdentifier(java.security.cert.X509Certificate certificate) Get the plain (non-DER encoded) value of the Subject Key Identifier extension of an X.509 certificate, if present.
static java.util.List	getSubjectNames(java.security.cert.X509Certificate certificate, java.lang.Integer[] altNameTypes) Gets the common name components of the issuer and all the subject alt names of a given type.
static byte[]	getX509Digest(java.security.cert.X509Certificate certificate, java.lang.String jcaAlgorithm) Get the XML Signature-compliant digest of an X.509 certificate.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CN_OID

public static final java.lang.String CN_OID

Common Name (CN) OID.

See Also:

Constant Field Values

SKI_OID

public static final java.lang.String SKI_OID

Subject Key Identifier (SKI) OID.

See Also:

Constant Field Values

OTHER_ALT_NAME

public static final java.lang.Integer OTHER_ALT_NAME

RFC 2459 Other Subject Alt Name type.

RFC822_ALT_NAME

public static final java.lang.Integer RFC822_ALT_NAME

RFC 2459 RFC 822 (email address) Subject Alt Name type.

DNS_ALT_NAME

public static final java.lang.Integer DNS_ALT_NAME

RFC 2459 DNS Subject Alt Name type.

X400ADDRESS_ALT_NAME

public static final java.lang.Integer X400ADDRESS_ALT_NAME

RFC 2459 X.400 Address Subject Alt Name type.

DIRECTORY_ALT_NAME

public static final java.lang.Integer DIRECTORY_ALT_NAME

RFC 2459 Directory Name Subject Alt Name type.

EDI_PARTY_ALT_NAME

public static final java.lang.Integer EDI_PARTY_ALT_NAME

RFC 2459 EDI Party Name Subject Alt Name type.

URI_ALT_NAME

public static final java.lang.Integer URI_ALT_NAME

RFC 2459 URI Subject Alt Name type.

IP_ADDRESS_ALT_NAME

public static final java.lang.Integer IP_ADDRESS_ALT_NAME

RFC 2459 IP Address Subject Alt Name type.

REGISTERED_ID_ALT_NAME

public static final java.lang.Integer REGISTERED_ID_ALT_NAME

RFC 2459 Registered ID Subject Alt Name type.

Constructor Detail

X509Support

protected X509Support()

Constructed.

Method Detail

determineEntityCertificate

@Nullable
public static java.security.cert.X509Certificate determineEntityCertificate(@Nullable
                                                                                      java.util.Collection<java.security.cert.X509Certificate> certs,
                                                                                      @Nullable
                                                                                      java.security.PrivateKey privateKey)
                                                                               throws SecurityException

Determines the certificate, from the collection, associated with the private key.

Parameters:

certs - certificates to check

privateKey - entity's private key

Returns:

the certificate associated with entity's private key or null if no certificate in the collection is associated with the given private key

Throws:

SecurityException - thrown if the public or private keys checked are of an unsupported type

Since:

1.2

getCommonNames

@Nullable
public static java.util.List<java.lang.String> getCommonNames(@Nullable
                                                                        javax.security.auth.x500.X500Principal dn)

Gets the commons names that appear within the given distinguished name.

The returned list provides the names in the order they appeared in the DN, according to RFC 1779/2253 encoding. In this encoding the "most specific" name would typically appear in the left-most position, and would appear first in the returned list.

Parameters:

dn - the DN to extract the common names from

Returns:

the common names that appear in the DN in the order they appear, or null if the given DN is null

getAltNames

@Nullable
public static java.util.List getAltNames(@Nullable
                                                   java.security.cert.X509Certificate certificate,
                                                   @Nullable
                                                   java.lang.Integer[] nameTypes)

Gets the list of alternative names of a given name type.

Parameters:

certificate - the certificate to extract the alternative names from

nameTypes - the name types

Returns:

the alt names, of the given type, within the cert

getSubjectNames

@Nullable
public static java.util.List getSubjectNames(@Nullable
                                                       java.security.cert.X509Certificate certificate,
                                                       @Nullable
                                                       java.lang.Integer[] altNameTypes)

Gets the common name components of the issuer and all the subject alt names of a given type.

Parameters:

certificate - certificate to extract names from

altNameTypes - type of alt names to extract

Returns:

list of subject names in the certificate

getSubjectKeyIdentifier

@Nullable
public static byte[] getSubjectKeyIdentifier(@Nonnull
                                                       java.security.cert.X509Certificate certificate)

Get the plain (non-DER encoded) value of the Subject Key Identifier extension of an X.509 certificate, if present.

Parameters:

certificate - an X.509 certificate possibly containing a subject key identifier

Returns:

the plain (non-DER encoded) value of the Subject Key Identifier extension, or null if the certificate does not contain the extension

getX509Digest

@Nonnull
public static byte[] getX509Digest(@Nonnull
                                            java.security.cert.X509Certificate certificate,
                                            @Nonnull
                                            java.lang.String jcaAlgorithm)
                                     throws SecurityException

Get the XML Signature-compliant digest of an X.509 certificate.

Parameters:

certificate - an X.509 certificate

jcaAlgorithm - JCA algorithm identifier

Returns:

the raw digest of the certificate

Throws:

SecurityException - is algorithm is unsupported or encoding is not possible

decodeCertificates

@Nullable
public static java.util.Collection<java.security.cert.X509Certificate> decodeCertificates(@Nonnull
                                                                                                    java.io.File certs)
                                                                                             throws java.security.cert.CertificateException

Decodes X.509 certificates in DER or PEM format.

Parameters:

certs - encoded certs

Returns:

decoded certs

Throws:

java.security.cert.CertificateException - thrown if the certificates cannot be decoded

Since:

1.2

decodeCertificates

@Nullable
public static java.util.Collection<java.security.cert.X509Certificate> decodeCertificates(@Nonnull
                                                                                                    byte[] certs)
                                                                                             throws java.security.cert.CertificateException

Decodes X.509 certificates in DER or PEM format.

Parameters:

certs - encoded certs

Returns:

decoded certs

Throws:

java.security.cert.CertificateException - thrown if the certificates cannot be decoded

decodeCertificate

@Nullable
public static java.security.cert.X509Certificate decodeCertificate(@Nonnull
                                                                             java.io.File cert)
                                                                      throws java.security.cert.CertificateException

Decodes a single X.509 certificate in DER or PEM format.

Parameters:

cert - encoded cert

Returns:

decoded cert

Throws:

java.security.cert.CertificateException - thrown if the certificate can not be decoded

Since:

1.2

decodeCertificate

@Nullable
public static java.security.cert.X509Certificate decodeCertificate(@Nonnull
                                                                             byte[] cert)
                                                                      throws java.security.cert.CertificateException

Decodes a single X.509 certificate in DER or PEM format.

Parameters:

cert - encoded cert

Returns:

decoded cert

Throws:

java.security.cert.CertificateException - thrown if the certificate cannot be decoded

decodeCertificate

@Nullable
public static java.security.cert.X509Certificate decodeCertificate(@Nonnull
                                                                             java.lang.String base64Cert)
                                                                      throws java.security.cert.CertificateException

Decode a single Java certificate from base64 encoded form without PEM headers and footers.

Parameters:

base64Cert - base64-encoded certificate

Returns:

a native Java X509 certificate

Throws:

java.security.cert.CertificateException - thrown if there is an error constructing certificate

decodeCRLs

@Nullable
public static java.util.Collection<java.security.cert.X509CRL> decodeCRLs(@Nonnull
                                                                                    java.io.File crls)
                                                                             throws java.security.cert.CRLException

Decodes CRLs in DER or PKCS#7 format. If in PKCS#7 format only the CRLs are decoded; the rest of the content is ignored.

Parameters:

crls - encoded CRLs

Returns:

decoded CRLs

Throws:

java.security.cert.CRLException - thrown if the CRLs can not be decoded

Since:

1.2

decodeCRLs

@Nullable
public static java.util.Collection<java.security.cert.X509CRL> decodeCRLs(@Nonnull
                                                                                    byte[] crls)
                                                                             throws java.security.cert.CRLException

Decodes CRLs in DER or PKCS#7 format. If in PKCS#7 format only the CRLs are decoded; the rest of the content is ignored.

Parameters:

crls - encoded CRLs

Returns:

decoded CRLs

Throws:

java.security.cert.CRLException - thrown if the CRLs can not be decoded

decodeCRL

@Nullable
public static java.security.cert.X509CRL decodeCRL(@Nonnull
                                                             java.lang.String base64CRL)
                                                      throws java.security.cert.CertificateException,
                                                             java.security.cert.CRLException

Decode CRL in base64 encoded form without PEM headers and footers.

Parameters:

base64CRL - base64-encoded CRL

Returns:

a native Java X509 CRL

Throws:

java.security.cert.CertificateException - thrown if there is an error constructing certificate

java.security.cert.CRLException - thrown if there is an error constructing CRL

getIdentifiersToken

@Nonnull
public static java.lang.String getIdentifiersToken(@Nonnull
                                                            X509Credential credential,
                                                            @Nullable
                                                            X500DNHandler handler)

Gets a formatted string representing identifier information from the supplied credential.

This could for example be used in logging messages.

Often it will be the case that a given credential that is being evaluated will NOT have a value for the entity ID property. So extract the certificate subject DN, and if present, the credential's entity ID.

Parameters:

credential - the credential for which to produce a token.

handler - the X.500 DN handler to use. If null, a new instance of InternalX500DNHandler will be used.

Returns:

a formatted string containing identifier information present in the credential

convertAltNameType

@Nullable
private static java.lang.Object convertAltNameType(@Nonnull
                                                             java.lang.Integer nameType,
                                                             @Nonnull
                                                             org.bouncycastle.asn1.ASN1Primitive nameValue)

Convert types returned by Bouncy Castle X509ExtensionUtil.getSubjectAlternativeNames(X509Certificate) to be consistent with what is documented for: java.security.cert.X509Certificate#getSubjectAlternativeNames.

Parameters:

nameType - the alt name type

nameValue - the alt name value

Returns:

converted representation of name value, based on type

getLogger

@Nonnull
private static org.slf4j.Logger getLogger()

Get an SLF4J Logger.

Returns:

a Logger instance