Class TlsUtils


  • public class TlsUtils
    extends java.lang.Object
    Utility to extract information from X509 certificates.
    Since:
    5.7.0
    • Field Summary

      Fields
      Modifier and Type Field Description
      private static java.util.Map<java.lang.String, java.lang.String> EXTENDED_KEY_USAGE
      private static java.util.Map<java.lang.String, java.util.function.BiFunction<byte[], java.security.cert.X509Certificate, java.lang.String>> EXTENSIONS
      private static java.util.List<java.lang.String> KEY_USAGE
      private static org.slf4j.Logger LOGGER
      private static java.lang.String PARSING_ERROR
    • Constructor Summary

      Constructors 
      Constructor Description
      TlsUtils()  
    • Method Summary

      Methods
      Modifier and Type Method Description
      private static java.lang.String authorityKeyIdentifier(byte[] derOctetString)
      private static java.lang.String basicConstraints(byte[] derOctetString)
      private static java.lang.String extendedKeyUsage(byte[] derOctetString, java.security.cert.X509Certificate certificate)
      static java.lang.String extensionPrettyPrint(java.lang.String oid, byte[] derOctetString, java.security.cert.X509Certificate certificate)
      Human-readable representation of an X509 certificate extension.
      private static java.lang.String extensions(java.security.cert.X509Certificate certificate)
      private static java.lang.String hexDump(int start, byte[] derOctetString)
      private static java.lang.String keyUsageBitString(boolean[] keyUsage, byte[] derOctetString)
      static void logPeerCertificateInfo(javax.net.ssl.SSLSession session)
      Log details on peer certificate and certification chain.
      private static java.lang.String octetStringHexDump(byte[] derOctetString)
      static java.lang.String peerCertificateInfo(java.security.cert.Certificate certificate, java.lang.String prefix)
      Get a string representation of certificate info.
      private static java.lang.String sans(java.security.cert.X509Certificate c, java.lang.String separator)
      static java.lang.String stripCRLF(java.lang.String value)
      Strips carriage return (CR) and line feed (LF) characters to mitigate CWE-117.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • LOGGER

        private static final org.slf4j.Logger LOGGER
      • KEY_USAGE

        private static final java.util.List<java.lang.String> KEY_USAGE
      • EXTENDED_KEY_USAGE

        private static final java.util.Map<java.lang.String, java.lang.String> EXTENDED_KEY_USAGE
      • PARSING_ERROR

        private static java.lang.String PARSING_ERROR
      • EXTENSIONS

        private static final java.util.Map<java.lang.String, java.util.function.BiFunction<byte[], java.security.cert.X509Certificate, java.lang.String>> EXTENSIONS
    • Constructor Detail

      • TlsUtils

        public TlsUtils()
    • Method Detail

      • logPeerCertificateInfo

        public static void logPeerCertificateInfo(javax.net.ssl.SSLSession session)
        Log details on peer certificate and certification chain.

        The log level is debug. Common X509 extensions are displayed in a best-effort fashion; a hexadecimal dump is made for less commonly used extensions.

        Parameters:
        session - the SSLSession to extract the certificates from
      • peerCertificateInfo

        public static java.lang.String peerCertificateInfo(java.security.cert.Certificate certificate,
                                                           java.lang.String prefix)
        Get a string representation of certificate info.
        Parameters:
        certificate - the certificate to analyze
        prefix - the line prefix
        Returns:
        information about the certificate
      • sans

        private static java.lang.String sans(java.security.cert.X509Certificate c,
                                             java.lang.String separator)
                                      throws java.security.cert.CertificateParsingException
        Throws:
        java.security.cert.CertificateParsingException
      • extensionPrettyPrint

        public static java.lang.String extensionPrettyPrint(java.lang.String oid,
                                                            byte[] derOctetString,
                                                            java.security.cert.X509Certificate certificate)
        Human-readable representation of an X509 certificate extension.

        Common extensions are supported in a best-effort fashion; less commonly used extensions are displayed as a hexadecimal dump.

        Extensions come encoded as a DER Octet String, which can itself contain other DER-encoded objects, making comprehensive support in this utility impossible.

        Parameters:
        oid - extension OID
        derOctetString - the extension value as a DER octet string
        certificate - the certificate
        Returns:
        the OID and the value
        See Also:
        A Layman's Guide to a Subset of ASN.1, BER, and DER, DER Encoding of ASN.1 Types
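As an added illustration of what this method's description says (example code written for this page, not the library's own extensionPrettyPrint or keyUsageBitString), the following stand-alone Java program unwraps a constructed extension value from its outer DER OCTET STRING, decodes the inner DER BIT STRING of the Key Usage extension (OID 2.5.29.15, bit order from RFC 5280 section 4.2.1.3), and falls back to a hexadecimal dump for any OID it does not recognise. The class name DerExtensionDemo, the helper names and the sample byte arrays are assumptions made for this example; it needs Java 9 or later for List.of.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the library: why an extension value has to be
// unwrapped from its DER OCTET STRING before the inner DER object can be read,
// and how a hex dump serves as the fallback for anything not understood.
public class DerExtensionDemo {

    // Key Usage bit names in RFC 5280 order (bit 0 first).
    static final List<String> KEY_USAGE = List.of(
        "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
        "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly");

    // Minimal TLV reader: returns the content bytes of one DER element whose tag
    // must equal expectedTag. Short-form and one- or two-byte long-form lengths
    // are handled, which covers typical extension values.
    static byte[] contents(byte[] der, int expectedTag) {
        if (der.length < 2 || (der[0] & 0xFF) != expectedTag) {
            throw new IllegalArgumentException("unexpected tag 0x" + Integer.toHexString(der[0] & 0xFF));
        }
        int len = der[1] & 0xFF;
        int offset = 2;
        if ((len & 0x80) != 0) {                 // long form: low bits give the length-of-length
            int lenBytes = len & 0x7F;
            if (lenBytes > 2) throw new IllegalArgumentException("length too long for this demo");
            len = 0;
            for (int i = 0; i < lenBytes; i++) {
                len = (len << 8) | (der[offset++] & 0xFF);
            }
        }
        if (offset + len != der.length) {
            throw new IllegalArgumentException("length does not match element size");
        }
        byte[] out = new byte[len];
        System.arraycopy(der, offset, out, 0, len);
        return out;
    }

    // Decode a DER BIT STRING (tag 0x03) into the names of the Key Usage bits that are set.
    static List<String> keyUsage(byte[] bitString) {
        byte[] body = contents(bitString, 0x03);
        int unusedBits = body[0] & 0xFF;         // first content byte: number of unused trailing bits
        int totalBits = (body.length - 1) * 8 - unusedBits;
        List<String> set = new ArrayList<>();
        for (int bit = 0; bit < totalBits && bit < KEY_USAGE.size(); bit++) {
            int b = body[1 + bit / 8] & 0xFF;
            if ((b & (0x80 >> (bit % 8))) != 0) {  // bit 0 is the most significant bit of the first byte
                set.add(KEY_USAGE.get(bit));
            }
        }
        return set;
    }

    // Colon-separated lowercase hex, used as the fallback representation.
    static String hexDump(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02x", b & 0xFF));
        }
        return sb.toString();
    }

    // Best-effort pretty print keyed by OID; anything else, or anything that
    // fails to parse, is shown as a hex dump of the unwrapped value.
    static String prettyPrint(String oid, byte[] derOctetString) {
        byte[] inner = contents(derOctetString, 0x04);   // unwrap the OCTET STRING (tag 0x04)
        if ("2.5.29.15".equals(oid)) {                    // id-ce-keyUsage
            try {
                return oid + " (KeyUsage): " + keyUsage(inner);
            } catch (RuntimeException e) {
                return oid + " (KeyUsage, parsing error): " + hexDump(inner);
            }
        }
        return oid + ": " + hexDump(inner);
    }

    public static void main(String[] args) {
        // Constructed sample: OCTET STRING { BIT STRING 05 A0 }, i.e. digitalSignature and keyEncipherment.
        byte[] keyUsageExt = {0x04, 0x04, 0x03, 0x02, 0x05, (byte) 0xA0};
        System.out.println(prettyPrint("2.5.29.15", keyUsageExt));

        // Constructed sample under a made-up OID that the demo does not decode: hex dump fallback.
        byte[] unknownExt = {0x04, 0x03, 0x02, 0x01, 0x2A};   // OCTET STRING { INTEGER 42 }
        System.out.println(prettyPrint("1.2.3.4.5", unknownExt));
    }
}
```

The try/catch around the Key Usage decoder is the point to note: a malformed inner object from a peer certificate should degrade to a hex dump in the log, not abort the handshake logging.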
      • stripCRLF

        public static java.lang.String stripCRLF(java.lang.String value)
        Strips carriage return (CR) and line feed (LF) characters to mitigate CWE-117.
        Returns:
        sanitised string value
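The following is an added example (not the library's stripCRLF) of the CWE-117 log injection mitigation this method describes: certificate names are strings chosen by whoever requested the certificate, so a line break inside one would let a single peer certificate produce more than one log record. The example strips CR and LF and additionally reports when it had to, since a certificate name containing control characters is itself worth recording. The class LogSanitiserDemo, the Sanitised holder and the sample names are assumptions made for this example; it needs Java 9 or later for List.of.

```java
import java.util.List;

// Added example, not code from the library: CR/LF removal for log safety (CWE-117),
// with a flag so the caller can notice that sanitisation actually changed a value.
public class LogSanitiserDemo {

    // Result holder: the cleaned value and whether anything was removed.
    static final class Sanitised {
        final String value;
        final boolean modified;
        Sanitised(String value, boolean modified) { this.value = value; this.modified = modified; }
    }

    // Remove CR and LF so the value can never terminate the current log record
    // and start another one of its own.
    static Sanitised stripCrlf(String value) {
        if (value == null) return new Sanitised(null, false);
        String cleaned = value.replace("\r", "").replace("\n", "");
        return new Sanitised(cleaned, cleaned.length() != value.length());
    }

    // One log line per certificate name, in the prefix-per-line style of peerCertificateInfo.
    static String nameLines(String prefix, List<String> names) {
        StringBuilder sb = new StringBuilder();
        for (String name : names) {
            Sanitised s = stripCrlf(name);
            sb.append(prefix).append("name: ").append(s.value);
            if (s.modified) sb.append(" [line breaks removed]");
            sb.append(System.lineSeparator());
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values; the second contains a line feed, as a malformed
        // or hostile certificate name could.
        List<String> names = List.of("example.test", "CN=example\nextra");
        System.out.print(nameLines("    ", names));
    }
}
```

Each name still occupies exactly one log line after sanitisation, and the marker makes the anomaly visible to whoever reads the log instead of silently hiding it.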
      • extensions

        private static java.lang.String extensions(java.security.cert.X509Certificate certificate)
      • octetStringHexDump

        private static java.lang.String octetStringHexDump(byte[] derOctetString)
      • hexDump

        private static java.lang.String hexDump(int start,
                                                byte[] derOctetString)
      • keyUsageBitString

        private static java.lang.String keyUsageBitString(boolean[] keyUsage,
                                                          byte[] derOctetString)
      • basicConstraints

        private static java.lang.String basicConstraints(byte[] derOctetString)
      • authorityKeyIdentifier

        private static java.lang.String authorityKeyIdentifier(byte[] derOctetString)
      • extendedKeyUsage

        private static java.lang.String extendedKeyUsage(byte[] derOctetString,
                                                         java.security.cert.X509Certificate certificate)