Package com.itextpdf.signatures
Class CertificateUtil
- java.lang.Object
-
- com.itextpdf.signatures.CertificateUtil
-
public class CertificateUtil extends java.lang.Object
This class contains a series of static methods that allow you to retrieve information from a Certificate.
-
-
Field Summary
private static IBouncyCastleFactory FACTORY
private static org.slf4j.Logger LOGGER
-
Constructor Summary
CertificateUtil()
-
Method Summary
static boolean checkIfIssuersMatch(ICertificateID certID, java.security.cert.X509Certificate issuerCert)
Checks whether the issuer identified by the certID (taken from the OCSP response) matches the provided issuer certificate, i.e. that issuerNameHash and issuerKeyHash are the hashes of that issuer's name and public key.
-
private static IBasicOCSPResponse createOcsp(IASN1Sequence seq)
Helper method that creates the IBasicOCSPResponse object from the given ASN.1 sequence.
-
static IDERSet createRevocationInfoChoices(java.util.Collection<java.security.cert.CRL> crls, java.util.Collection<IBasicOCSPResponse> ocsps, java.util.Collection<IASN1Sequence> otherRevocationInfoFormats)
Creates the revocation info (crls field) for a SignedData structure (RFC 5652 §10.2.1); the ASN.1 definition is given in the method detail below.
-
static java.security.cert.Certificate generateCertificate(java.io.InputStream data)
Generates a certificate object initialized with the data read from the input stream.
-
static java.security.cert.CRL getCRL(java.lang.String url)
Gets the CRL object using a CRL URL.
-
static java.security.cert.CRL getCRL(java.security.cert.X509Certificate certificate)
Deprecated.
-
static java.util.List<java.security.cert.CRL> getCRLs(java.security.cert.X509Certificate certificate)
Gets the CRLs referenced by the X509 certificate.
-
static java.lang.String getCRLURL(java.security.cert.X509Certificate certificate)
Deprecated.
-
static java.util.List<java.lang.String> getCRLURLs(java.security.cert.X509Certificate certificate)
Gets the list of Certificate Revocation List URLs for a certificate.
-
static IDistributionPoint getDistributionPointByName(java.security.cert.X509Certificate certificate, IDistributionPointName issuingDistributionPointName)
Gets the Distribution Point from the certificate whose name matches the one given in the Issuing Distribution Point extension of the CRL.
-
private static IDistributionPoint[] getDistributionPoints(java.security.cert.X509Certificate certificate)
-
static IASN1Primitive getExtensionValue(java.security.cert.CRL crl, java.lang.String oid)
Gets a CRL extension value.
-
static IASN1Primitive getExtensionValue(java.security.cert.X509Certificate certificate, java.lang.String oid)
Gets a certificate extension value.
-
static byte[] getExtensionValueByOid(java.security.cert.X509Certificate certificate, java.lang.String id)
Retrieves a certificate extension value by its OID.
-
private static IASN1Primitive getExtensionValueFromByteArray(byte[] extensionValue)
Converts an extension value represented as a byte array to an IASN1Primitive object.
-
static java.lang.String getIssuerCertURL(java.security.cert.CRL crl)
Retrieves the URL of the issuer certificate for the given CRL.
-
static java.lang.String getIssuerCertURL(java.security.cert.X509Certificate certificate)
Retrieves the URL of the issuer certificate (the caIssuers access location of the Authority Information Access extension) for the given certificate.
-
static java.lang.String getOCSPURL(java.security.cert.X509Certificate certificate)
Retrieves the OCSP URL from the given certificate.
-
private static java.lang.String getStringFromGeneralName(IASN1Primitive names)
Gets a String from an ASN1Primitive.
-
static java.lang.String getTSAURL(java.security.cert.X509Certificate certificate)
Gets the URL of the TSA if it is available on the certificate.
-
private static java.lang.String getValueFromAIAExtension(IASN1Primitive extensionValue, java.lang.String accessMethod)
Retrieves the accessLocation value for the specified accessMethod from the Authority Information Access extension.
-
(package private) static boolean isIssuerCertificate(java.security.cert.X509Certificate subjectCertificate, java.security.cert.X509Certificate issuerCertificate)
Checks if the certificate is signed by the provided issuer certificate.
-
static boolean isSelfSigned(java.security.cert.X509Certificate certificate)
Checks if the certificate is self-signed.
-
static boolean isSignatureValid(IBasicOCSPResp ocspResp, java.security.cert.Certificate responderCert)
Checks whether the OCSP response's signature verifies against the responder certificate.
-
static java.security.cert.CRL parseCrlFromBytes(byte[] crlBytes)
Parses a CRL from bytes.
-
static java.security.cert.CRL parseCrlFromStream(java.io.InputStream input)
Parses a CRL from an InputStream.
-
static void retrieveRevocationInfoFromSignedData(IASN1TaggedObject taggedObj, java.util.Collection<java.security.cert.CRL> crls, java.util.Collection<IBasicOCSPResponse> ocsps, java.util.Collection<IASN1Sequence> otherRevocationInfoFormats)
Tries to retrieve CRL and OCSP responses from the signed data crls field.
-
-
-
Field Detail
-
FACTORY
private static final IBouncyCastleFactory FACTORY
-
LOGGER
private static final org.slf4j.Logger LOGGER
-
-
Method Detail
-
getCRL
@Deprecated public static java.security.cert.CRL getCRL(java.security.cert.X509Certificate certificate) throws java.security.cert.CertificateException, java.security.cert.CRLException, java.io.IOException
Deprecated. Gets a CRL from an X509 certificate.
Parameters:
certificate - the X509Certificate to extract the CRL from
Returns:
the CRL, or null if there is no CRL available
Throws:
java.io.IOException - thrown when the URL couldn't be opened properly.
java.security.cert.CertificateException - thrown if there is no X509 implementation in the provider.
java.security.cert.CRLException - thrown when encountering errors while parsing the CRL.
-
getCRLs
public static java.util.List<java.security.cert.CRL> getCRLs(java.security.cert.X509Certificate certificate) throws java.security.cert.CertificateException, java.security.cert.CRLException, java.io.IOException
Gets the CRLs referenced by the X509 certificate's CRL Distribution Points, fetching each one from its URL.
Parameters:
certificate - the X509Certificate to extract the CRLs from
Returns:
the list of CRLs, or null if there is no CRL available
Throws:
java.io.IOException - thrown when a URL couldn't be opened properly.
java.security.cert.CertificateException - thrown if there is no X509 implementation in the provider.
java.security.cert.CRLException - thrown when encountering errors while parsing a CRL.
-
getCRLURL
@Deprecated public static java.lang.String getCRLURL(java.security.cert.X509Certificate certificate)
Deprecated. Gets the URL of the Certificate Revocation List for a certificate.
Parameters:
certificate - the certificate
Returns:
the URL string where you can check whether the certificate was revoked.
-
getCRLURLs
public static java.util.List<java.lang.String> getCRLURLs(java.security.cert.X509Certificate certificate)
Gets the list of Certificate Revocation List URLs for a certificate.
Parameters:
certificate - the certificate to get CRL URLs for
Returns:
the list of URL strings where you can check whether the certificate is revoked.
-
getDistributionPointByName
public static IDistributionPoint getDistributionPointByName(java.security.cert.X509Certificate certificate, IDistributionPointName issuingDistributionPointName)
Gets the Distribution Point from the certificate whose name matches the one specified in the Issuing Distribution Point extension of the Certificate Revocation List. This is how a CRL that declares a limited scope is matched to the certificate's own distribution point.
Parameters:
certificate - the certificate to retrieve Distribution Points from
issuingDistributionPointName - the distributionPointName retrieved from the IDP extension of the CRL
Returns:
the distribution point with the same name as specified in the IDP.
-
getCRL
public static java.security.cert.CRL getCRL(java.lang.String url) throws java.io.IOException, java.security.cert.CertificateException, java.security.cert.CRLException
Gets the CRL object using a CRL URL. The CRL is fetched and parsed; its signature and validity window are not checked here.
Parameters:
url - the URL where the CRL is located
Returns:
the CRL object
Throws:
java.io.IOException - thrown when the URL couldn't be opened properly.
java.security.cert.CertificateException - thrown if there is no X509 implementation in the provider.
java.security.cert.CRLException - thrown when encountering errors while parsing the CRL.
-
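A worked example of how the CRL lookup and fetch methods above fit into an actual revocation decision. This is added example code, not part of iText: it uses only the CertificateUtil methods documented on this page plus the JDK's X509CRL API. The security-relevant point it makes is that getCRLURLs and getCRL(url) only discover and download; the caller has to verify the CRL's signature against the issuer key it already trusts and check the thisUpdate/nextUpdate window before trusting either a "revoked" or a "not revoked" answer.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;

import com.itextpdf.signatures.CertificateUtil;

/**
 * Added example, not iText code: checks one certificate against the CRLs it
 * advertises, accepting a CRL only after it has been verified against the
 * issuer's key and found to be within its validity window.
 */
public final class CrlRevocationCheck {

    public enum Status { GOOD, REVOKED, UNDETERMINED }

    public static Status check(X509Certificate cert, X509Certificate issuer, Date now) {
        // Discovery only: CertificateUtil reads the CRL DP URLs out of the certificate.
        List<String> urls = CertificateUtil.getCRLURLs(cert);
        if (urls == null || urls.isEmpty()) {
            return Status.UNDETERMINED;       // no CRL DP: nothing to check against
        }
        boolean usableCrlSeen = false;
        for (String url : urls) {
            CRL fetched;
            try {
                // getCRL(url) fetches and parses; it verifies nothing.
                fetched = CertificateUtil.getCRL(url);
            } catch (IOException | CertificateException | CRLException e) {
                continue;                     // endpoint down or unparsable: try the next URL
            }
            if (!(fetched instanceof X509CRL)) {
                continue;
            }
            X509CRL crl = (X509CRL) fetched;
            // 1. The CRL must carry a signature from the key we already trust for this issuer.
            try {
                crl.verify(issuer.getPublicKey());
            } catch (GeneralSecurityException e) {
                continue;                     // forged, tampered or wrong-issuer CRL: ignore it
            }
            // 2. It must be current; a stale CRL can hide a recent revocation.
            if (crl.getThisUpdate().after(now)
                    || (crl.getNextUpdate() != null && crl.getNextUpdate().before(now))) {
                continue;
            }
            usableCrlSeen = true;
            if (crl.getRevokedCertificate(cert) != null) {
                return Status.REVOKED;
            }
        }
        // Only claim GOOD when at least one verified, current CRL was consulted.
        return usableCrlSeen ? Status.GOOD : Status.UNDETERMINED;
    }
}
```

Call it as CrlRevocationCheck.check(cert, issuerCert, new Date()). UNDETERMINED is deliberately distinct from GOOD: an unreachable or unverifiable CRL must not be read as "not revoked". The example does not handle indirect CRLs or CRLs scoped by an Issuing Distribution Point extension; getDistributionPointByName on this page exists for matching that scope to the certificate's own distribution point.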
parseCrlFromStream
public static java.security.cert.CRL parseCrlFromStream(java.io.InputStream input) throws java.security.cert.CertificateException, java.security.cert.CRLException
Parses a CRL from an InputStream.
Parameters:
input - the InputStream holding the unparsed CRL
Returns:
the parsed CRL object.
Throws:
java.security.cert.CertificateException - thrown if there is no X509 implementation in the provider.
java.security.cert.CRLException - thrown when encountering errors while parsing the CRL.
-
parseCrlFromBytes
public static java.security.cert.CRL parseCrlFromBytes(byte[] crlBytes) throws java.security.cert.CertificateException, java.security.cert.CRLException
Parses a CRL from bytes.
Parameters:
crlBytes - the bytes holding the unparsed CRL
Returns:
the parsed CRL object.
Throws:
java.security.cert.CertificateException - thrown if there is no X509 implementation in the provider.
java.security.cert.CRLException - thrown when encountering errors while parsing the CRL.
-
getIssuerCertURL
public static java.lang.String getIssuerCertURL(java.security.cert.CRL crl)
Retrieves the URL of the issuer certificate for the given CRL.
Parameters:
crl - the CRL
Returns:
the URL, or null if none is present.
-
getOCSPURL
public static java.lang.String getOCSPURL(java.security.cert.X509Certificate certificate)
Retrieves the OCSP URL (the id-ad-ocsp access location of the Authority Information Access extension) from the given certificate.
Parameters:
certificate - the certificate
Returns:
the URL, or null if none is present
-
getIssuerCertURL
public static java.lang.String getIssuerCertURL(java.security.cert.X509Certificate certificate)
Retrieves the URL of the issuer certificate (the id-ad-caIssuers access location of the Authority Information Access extension) for the given certificate.
Parameters:
certificate - the certificate
Returns:
the URL, or null if none is present.
-
getTSAURL
public static java.lang.String getTSAURL(java.security.cert.X509Certificate certificate)
Gets the URL of the TSA if it is available on the certificate.
Parameters:
certificate - a certificate
Returns:
the TSA URL
-
generateCertificate
public static java.security.cert.Certificate generateCertificate(java.io.InputStream data) throws java.security.cert.CertificateException
Generates a certificate object and initializes it with the data read from the input stream data.
Parameters:
data - the input stream holding the certificate.
Returns:
a certificate object initialized with the data from the input stream.
Throws:
java.security.cert.CertificateException - on parsing errors.
-
retrieveRevocationInfoFromSignedData
public static void retrieveRevocationInfoFromSignedData(IASN1TaggedObject taggedObj, java.util.Collection<java.security.cert.CRL> crls, java.util.Collection<IBasicOCSPResponse> ocsps, java.util.Collection<IASN1Sequence> otherRevocationInfoFormats) throws java.io.IOException, java.security.cert.CertificateException
Tries to retrieve CRL and OCSP responses from the signed data crls field. This is the parsing counterpart of createRevocationInfoChoices: each RevocationInfoChoice is sorted into one of the three collections passed in.
Parameters:
taggedObj - the signed data crls field as an IASN1TaggedObject.
crls - collection to store retrieved CRLs in.
ocsps - collection of IBasicOCSPResponse wrappers to store retrieved OCSP responses in.
otherRevocationInfoFormats - collection for revocation info other than OCSP and CRL responses, e.g. SCVP Request and Response, stored as IASN1Sequence.
Throws:
java.io.IOException - if some I/O error occurred.
java.security.cert.CertificateException - if the CertificateFactory instance couldn't be created.
-
createRevocationInfoChoices
public static IDERSet createRevocationInfoChoices(java.util.Collection<java.security.cert.CRL> crls, java.util.Collection<IBasicOCSPResponse> ocsps, java.util.Collection<IASN1Sequence> otherRevocationInfoFormats) throws java.security.cert.CRLException, java.io.IOException
Creates the revocation info (crls field) for a SignedData structure:

    RevocationInfoChoices ::= SET OF RevocationInfoChoice

    RevocationInfoChoice ::= CHOICE {
        crl    CertificateList,
        other  [1] IMPLICIT OtherRevocationInfoFormat }

    OtherRevocationInfoFormat ::= SEQUENCE {
        otherRevInfoFormat  OBJECT IDENTIFIER,
        otherRevInfo        ANY DEFINED BY otherRevInfoFormat }

    CertificateList ::= SEQUENCE {
        tbsCertList         TBSCertList,
        signatureAlgorithm  AlgorithmIdentifier,
        signatureValue      BIT STRING }

CRLs are placed in the set directly as CertificateList; OCSP responses and any other formats go in as OtherRevocationInfoFormat, tagged by their OID. Embedding this material in the signature is what lets a verifier re-check revocation status later without contacting the CA.
Parameters:
crls - collection of CRL revocation status information.
ocsps - collection of OCSP revocation status information.
otherRevocationInfoFormats - collection of revocation info other than OCSP and CRL responses, e.g. SCVP Request and Response, stored as IASN1Sequence.
Returns:
the crls [1] RevocationInfoChoices field of the SignedData structure, or null if there is no revocation data to embed.
Throws:
java.security.cert.CRLException - if an encoding error occurs.
java.io.IOException - if an I/O error occurs.
See Also:
RFC 5652 §10.2.1
-
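The two methods above are inverses: createRevocationInfoChoices builds the SET, and retrieveRevocationInfoFromSignedData takes it back apart once it sits inside SignedData as the implicitly tagged crls [1] field. The following added example (not iText code) shows that pairing as a round trip a signer can run before embedding the data, so that nothing is silently dropped. Assumptions not on this page: BouncyCastleFactoryCreator.getFactory() as the way to obtain the IBouncyCastleFactory, a createDERTaggedObject(boolean isExplicit, int tagNo, IASN1Primitive) method on it for building the [1] IMPLICIT wrapper, and the com.itextpdf.commons.bouncycastle import paths for the wrapper interfaces.

```java
import java.io.IOException;
import java.security.cert.CRL;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import com.itextpdf.bouncycastleconnector.BouncyCastleFactoryCreator;   // assumed path
import com.itextpdf.commons.bouncycastle.IBouncyCastleFactory;          // assumed path
import com.itextpdf.commons.bouncycastle.asn1.IASN1Sequence;            // assumed path
import com.itextpdf.commons.bouncycastle.asn1.IASN1TaggedObject;        // assumed path
import com.itextpdf.commons.bouncycastle.asn1.IDERSet;                  // assumed path
import com.itextpdf.commons.bouncycastle.asn1.ocsp.IBasicOCSPResponse;  // assumed path
import com.itextpdf.signatures.CertificateUtil;

/**
 * Added example, not iText code: builds the SignedData crls field from CRLs
 * and OCSP responses, wraps it the way SignedData carries it, and parses it
 * back to confirm the revocation material survived intact.
 */
public final class RevocationInfoRoundTrip {

    // Assumption: this is how an application obtains the Bouncy Castle factory.
    private static final IBouncyCastleFactory FACTORY = BouncyCastleFactoryCreator.getFactory();

    /** What came back out of the crls field. */
    public static final class Parsed {
        public final List<CRL> crls = new ArrayList<>();
        public final List<IBasicOCSPResponse> ocsps = new ArrayList<>();
        public final List<IASN1Sequence> others = new ArrayList<>();
    }

    public static Parsed roundTrip(Collection<CRL> crls, Collection<IBasicOCSPResponse> ocsps)
            throws CRLException, IOException, CertificateException {
        // Build: CRLs become CertificateList entries, OCSP responses become
        // OtherRevocationInfoFormat entries (see the ASN.1 above).
        IDERSet choices = CertificateUtil.createRevocationInfoChoices(crls, ocsps, new ArrayList<>());
        Parsed out = new Parsed();
        if (choices == null) {
            return out;   // nothing to embed: SignedData simply has no crls field
        }
        // SignedData carries the set as "crls [1] IMPLICIT RevocationInfoChoices".
        // Assumption: the factory exposes an implicit-tag constructor with this shape.
        IASN1TaggedObject tagged = FACTORY.createDERTaggedObject(false, 1, choices);
        // Parse: sort the choices back into the three collections.
        CertificateUtil.retrieveRevocationInfoFromSignedData(tagged, out.crls, out.ocsps, out.others);
        // A mismatch here means the signature would ship with less revocation
        // data than the signer believes it carries.
        if (out.crls.size() != crls.size() || out.ocsps.size() != ocsps.size()) {
            throw new IllegalStateException("revocation info did not survive the round trip");
        }
        return out;
    }
}
```

The size comparison is intentionally strict: for long-term validation the embedded CRLs and OCSP responses are the only revocation evidence a later verifier will have, so the signer should fail loudly rather than embed a partial set.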
checkIfIssuersMatch
public static boolean checkIfIssuersMatch(ICertificateID certID, java.security.cert.X509Certificate issuerCert) throws AbstractOperatorCreationException, AbstractOCSPException, java.security.cert.CertificateEncodingException, java.io.IOException
Checks whether the issuer identified by the provided certID (taken from the OCSP response) matches the provided issuer of the certificate in question, i.e. checks that the issuerNameHash and issuerKeyHash fields of the certID are the hashes of the issuer's name and public key, computed with the hash algorithm the certID names.
A SingleResp carries the status of the certificate identified by its certID. Issuer name and serial number together identify a unique certificate, so if the serial number of the certificate in question equals the certID serial number and the issuers match, then that SingleResp describes the status of the certificate in question. Matching on the serial number alone is not sufficient, since different CAs may issue certificates with the same serial number.
Parameters:
certID - the certID specified in the OCSP response
issuerCert - the issuer of the certificate in question
Returns:
true if the issuers are the same, false otherwise.
Throws:
AbstractOperatorCreationException - in case of a digest calculator creation error.
AbstractOCSPException - in case of a digest calculator creation error.
java.security.cert.CertificateEncodingException - if an encoding error occurs.
java.io.IOException - if an input-output exception occurs.
-
getExtensionValueByOid
public static byte[] getExtensionValueByOid(java.security.cert.X509Certificate certificate, java.lang.String id)
Retrieves a certificate extension value by its OID.
Parameters:
certificate - the certificate to get the extension from
id - the OID of the extension to retrieve
Returns:
the encoded extension value.
-
isSignatureValid
public static boolean isSignatureValid(IBasicOCSPResp ocspResp, java.security.cert.Certificate responderCert)
Checks whether the OCSP response is genuine, i.e. whether its signature verifies against the public key of the given responder certificate. This establishes only that the response was signed with that key; whether the responder certificate itself is entitled to sign OCSP responses for the issuer in question must be established separately by the caller.
Parameters:
ocspResp - the IBasicOCSPResp OCSP response wrapper
responderCert - the responder certificate
Returns:
true if the OCSP response verifies against the responder certificate.
-
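checkIfIssuersMatch and isSignatureValid are the two halves of deciding whether an OCSP response says anything trustworthy about a given certificate. The following added example (not iText code) combines them in the order a verifier needs: first establish that the responder is allowed to answer for this issuer, then that the response really carries the responder's signature, and only then look for the SingleResp whose certID matches the certificate by serial number and issuer hashes. Assumptions not on this page: the ISingleResp wrapper type with getResponses() on IBasicOCSPResp, getCertID() on ISingleResp and getSerialNumber() on ICertificateID, and the com.itextpdf.commons.bouncycastle import paths. The id-kp-OCSPSigning OID 1.3.6.1.5.5.7.3.9 is from RFC 6960.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;

import com.itextpdf.commons.bouncycastle.cert.ocsp.AbstractOCSPException;            // assumed path
import com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp;                   // assumed path
import com.itextpdf.commons.bouncycastle.cert.ocsp.ICertificateID;                   // assumed path
import com.itextpdf.commons.bouncycastle.cert.ocsp.ISingleResp;                      // assumed type/path
import com.itextpdf.commons.bouncycastle.operator.AbstractOperatorCreationException; // assumed path
import com.itextpdf.signatures.CertificateUtil;

/**
 * Added example, not iText code: locates the SingleResp that covers a given
 * certificate, but only in a response signed by a responder that is
 * authorised for that certificate's issuer.
 */
public final class OcspResponseCheck {

    /** id-kp-OCSPSigning extended key usage (RFC 6960). */
    private static final String ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9";

    /**
     * Returns the SingleResp describing {@code cert}, or null when the response
     * does not cover it or cannot be trusted. Status, freshness (thisUpdate/
     * nextUpdate) and nonce handling remain the caller's job.
     */
    public static ISingleResp findTrustedSingleResp(IBasicOCSPResp ocspResp,
            X509Certificate cert, X509Certificate issuer, X509Certificate responderCert)
            throws IOException, CertificateException,
                   AbstractOperatorCreationException, AbstractOCSPException {
        // 1. May this responder speak for this issuer at all?
        if (!isAuthorizedResponder(responderCert, issuer)) {
            return null;
        }
        // 2. Does the response actually carry that responder's signature?
        if (!CertificateUtil.isSignatureValid(ocspResp, responderCert)) {
            return null;
        }
        // 3. Find the entry for our certificate: same serial AND same issuer.
        BigInteger serial = cert.getSerialNumber();
        for (ISingleResp single : ocspResp.getResponses()) {   // assumed accessor
            ICertificateID certId = single.getCertID();         // assumed accessor
            if (!serial.equals(certId.getSerialNumber())) {     // assumed accessor
                continue;
            }
            // Serial numbers are unique only per issuer, so the hashes must match too.
            if (CertificateUtil.checkIfIssuersMatch(certId, issuer)) {
                return single;
            }
        }
        return null;
    }

    /** The CA itself, or a delegate the CA issued with the OCSPSigning EKU. */
    static boolean isAuthorizedResponder(X509Certificate responderCert, X509Certificate issuer)
            throws CertificateException {
        if (responderCert.equals(issuer)) {
            return true;   // the CA signed its own OCSP response
        }
        try {
            responderCert.verify(issuer.getPublicKey());   // delegate must be issued by the CA
        } catch (GeneralSecurityException e) {
            return false;
        }
        List<String> eku = responderCert.getExtendedKeyUsage();
        return eku != null && eku.contains(ID_KP_OCSP_SIGNING);
    }
}
```

Doing the authorisation check before the signature check matters: a valid signature from an arbitrary key proves nothing, and a response that matches on serial number but not on issuer hashes may be a genuine answer about a different CA's certificate.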
isIssuerCertificate
static boolean isIssuerCertificate(java.security.cert.X509Certificate subjectCertificate, java.security.cert.X509Certificate issuerCertificate)
Checks if the certificate is signed by the provided issuer certificate.
Parameters:
subjectCertificate - the certificate to check
issuerCertificate - the issuer certificate to check against
Returns:
true if subjectCertificate is signed by issuerCertificate.
-
isSelfSigned
public static boolean isSelfSigned(java.security.cert.X509Certificate certificate)
Checks if the certificate is self-signed.
Parameters:
certificate - the certificate to check
Returns:
true if the certificate is self-signed.
-
getExtensionValue
public static IASN1Primitive getExtensionValue(java.security.cert.X509Certificate certificate, java.lang.String oid) throws java.io.IOException
Gets a certificate extension value.
Parameters:
certificate - the certificate from which we need the extension value
oid - the Object Identifier of the extension
Returns:
the extension value as an IASN1Primitive object.
Throws:
java.io.IOException - on processing exception.
-
getExtensionValue
public static IASN1Primitive getExtensionValue(java.security.cert.CRL crl, java.lang.String oid) throws java.io.IOException
Gets a CRL extension value.
Parameters:
crl - the CRL from which we need the extension value
oid - the Object Identifier of the extension
Returns:
the extension value as an IASN1Primitive object.
Throws:
java.io.IOException - on processing exception.
-
getExtensionValueFromByteArray
private static IASN1Primitive getExtensionValueFromByteArray(byte[] extensionValue) throws java.io.IOException
Converts an extension value represented as a byte array to an IASN1Primitive object.
Parameters:
extensionValue - the extension value as a byte array
Returns:
the extension value as an IASN1Primitive object.
Throws:
java.io.IOException - on processing exception.
-
getStringFromGeneralName
private static java.lang.String getStringFromGeneralName(IASN1Primitive names)
Gets a String from an ASN1Primitive.
Parameters:
names - the IASN1Primitive wrapper
Returns:
a human-readable String
-
getValueFromAIAExtension
private static java.lang.String getValueFromAIAExtension(IASN1Primitive extensionValue, java.lang.String accessMethod)
Retrieves the accessLocation value for the specified accessMethod from the Authority Information Access extension.
Parameters:
extensionValue - the Authority Information Access extension value
accessMethod - the accessMethod OID; usually id-ad-caIssuers or id-ad-ocsp
Returns:
the location (URI) of the information.
-
createOcsp
private static IBasicOCSPResponse createOcsp(IASN1Sequence seq) throws java.io.IOException
Helper method that creates the IBasicOCSPResponse object from the given ASN.1 sequence.
Parameters:
seq - the ASN.1 sequence holding the encoded response.
Returns:
the IBasicOCSPResponse object.
Throws:
java.io.IOException - if some I/O error occurred.
-
getDistributionPoints
private static IDistributionPoint[] getDistributionPoints(java.security.cert.X509Certificate certificate)
-
-