Class CertificateUtil


  • public class CertificateUtil
    extends java.lang.Object
    This class contains a series of static methods that allow you to retrieve information from a Certificate.
    • Constructor Summary

      Constructors 
      Constructor Description
      CertificateUtil()  
    • Method Summary

      Modifier and Type Method Description
      static boolean checkIfIssuersMatch​(ICertificateID certID, java.security.cert.X509Certificate issuerCert)
      Checks if the issuer named by the provided certID (specified in the OCSP response) and the provided issuer certificate of the certificate in question match.
      private static IBasicOCSPResponse createOcsp​(IASN1Sequence seq)
      Helper method that creates the IBasicOCSPResponse object from the response bytes.
      static IDERSet createRevocationInfoChoices​(java.util.Collection<java.security.cert.CRL> crls, java.util.Collection<IBasicOCSPResponse> ocsps, java.util.Collection<IASN1Sequence> otherRevocationInfoFormats)
      Creates the revocation info (crls field) for the SignedData structure:

          RevocationInfoChoices ::= SET OF RevocationInfoChoice

          RevocationInfoChoice ::= CHOICE {
              crl CertificateList,
              other [1] IMPLICIT OtherRevocationInfoFormat }

          OtherRevocationInfoFormat ::= SEQUENCE {
              otherRevInfoFormat OBJECT IDENTIFIER,
              otherRevInfo ANY DEFINED BY otherRevInfoFormat }

          CertificateList ::= SEQUENCE {
              tbsCertList TBSCertList,
              signatureAlgorithm AlgorithmIdentifier,
              signatureValue BIT STRING }
      static java.security.cert.Certificate generateCertificate​(java.io.InputStream data)
      Generates a certificate object and initializes it with the data read from the input stream data.
      static java.security.cert.CRL getCRL​(java.lang.String url)
      Gets the CRL object using a CRL URL.
      static java.security.cert.CRL getCRL​(java.security.cert.X509Certificate certificate)
      Deprecated.
      static java.util.List<java.security.cert.CRL> getCRLs​(java.security.cert.X509Certificate certificate)
      Gets the CRLs from the X509 certificate.
      static java.lang.String getCRLURL​(java.security.cert.X509Certificate certificate)
      Deprecated.
      static java.util.List<java.lang.String> getCRLURLs​(java.security.cert.X509Certificate certificate)
      Gets the list of the Certificate Revocation List URLs for a Certificate.
      static IDistributionPoint getDistributionPointByName​(java.security.cert.X509Certificate certificate, IDistributionPointName issuingDistributionPointName)
      Gets the Distribution Point from the certificate by name specified in the Issuing Distribution Point from the Certificate Revocation List for a Certificate.
      private static IDistributionPoint[] getDistributionPoints​(java.security.cert.X509Certificate certificate)  
      static IASN1Primitive getExtensionValue​(java.security.cert.CRL crl, java.lang.String oid)
      Gets CRL extension value.
      static IASN1Primitive getExtensionValue​(java.security.cert.X509Certificate certificate, java.lang.String oid)
      Gets certificate extension value.
      static byte[] getExtensionValueByOid​(java.security.cert.X509Certificate certificate, java.lang.String id)
      Retrieves certificate extension value by its OID.
      private static IASN1Primitive getExtensionValueFromByteArray​(byte[] extensionValue)
      Converts extension value represented as byte array to IASN1Primitive object.
      static java.lang.String getIssuerCertURL​(java.security.cert.CRL crl)
      Retrieves the URL for the issuer certificate for the given CRL.
      static java.lang.String getIssuerCertURL​(java.security.cert.X509Certificate certificate)
      Retrieves the URL of the issuer's certificate for the given certificate.
      static java.lang.String getOCSPURL​(java.security.cert.X509Certificate certificate)
      Retrieves the OCSP URL from the given certificate.
      private static java.lang.String getStringFromGeneralName​(IASN1Primitive names)
      Gets a String from an ASN1Primitive
      static java.lang.String getTSAURL​(java.security.cert.X509Certificate certificate)
      Gets the URL of the TSA if it is available on the certificate.
      private static java.lang.String getValueFromAIAExtension​(IASN1Primitive extensionValue, java.lang.String accessMethod)
      Retrieves accessLocation value for specified accessMethod from the Authority Information Access extension.
      (package private) static boolean isIssuerCertificate​(java.security.cert.X509Certificate subjectCertificate, java.security.cert.X509Certificate issuerCertificate)
      Checks if the certificate is signed by provided issuer certificate.
      static boolean isSelfSigned​(java.security.cert.X509Certificate certificate)
      Checks if the certificate is self-signed.
      static boolean isSignatureValid​(IBasicOCSPResp ocspResp, java.security.cert.Certificate responderCert)
      Checks if an OCSP response is genuine.
      static java.security.cert.CRL parseCrlFromBytes​(byte[] crlBytes)
      Parses a CRL from bytes.
      static java.security.cert.CRL parseCrlFromStream​(java.io.InputStream input)
      Parses a CRL from an InputStream.
      static void retrieveRevocationInfoFromSignedData​(IASN1TaggedObject taggedObj, java.util.Collection<java.security.cert.CRL> crls, java.util.Collection<IBasicOCSPResponse> ocsps, java.util.Collection<IASN1Sequence> otherRevocationInfoFormats)
      Try to retrieve CRL and OCSP responses from the signed data crls field.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • LOGGER

        private static final org.slf4j.Logger LOGGER
    • Constructor Detail

      • CertificateUtil

        public CertificateUtil()
    • Method Detail

      • getCRL

        @Deprecated
        public static java.security.cert.CRL getCRL​(java.security.cert.X509Certificate certificate)
                                             throws java.security.cert.CertificateException,
                                                    java.security.cert.CRLException,
                                                    java.io.IOException
        Deprecated.
        Gets a CRL from an X509 certificate.
        Parameters:
        certificate - the X509Certificate to extract the CRL from
        Returns:
        CRL or null if there's no CRL available
        Throws:
        java.io.IOException - thrown when the URL couldn't be opened properly.
        java.security.cert.CertificateException - thrown if there's no X509 implementation in the provider.
        java.security.cert.CRLException - thrown when encountering errors when parsing the CRL.
      • getCRLs

        public static java.util.List<java.security.cert.CRL> getCRLs​(java.security.cert.X509Certificate certificate)
                                                              throws java.security.cert.CertificateException,
                                                                     java.security.cert.CRLException,
                                                                     java.io.IOException
        Gets the CRLs from the X509 certificate.
        Parameters:
        certificate - the X509Certificate to extract the CRLs from
        Returns:
        CRL list or null if there's no CRL available
        Throws:
        java.io.IOException - thrown when the URL couldn't be opened properly.
        java.security.cert.CertificateException - thrown if there's no X509 implementation in the provider.
        java.security.cert.CRLException - thrown when encountering errors when parsing the CRL.
      • getCRLURL

        @Deprecated
        public static java.lang.String getCRLURL​(java.security.cert.X509Certificate certificate)
        Deprecated.
        Gets the URL of the Certificate Revocation List for a Certificate.
        Parameters:
        certificate - the Certificate
        Returns:
        the String where you can check if the certificate was revoked.
      • getCRLURLs

        public static java.util.List<java.lang.String> getCRLURLs​(java.security.cert.X509Certificate certificate)
        Gets the list of the Certificate Revocation List URLs for a Certificate.
        Parameters:
        certificate - the Certificate to get CRL URLs for
        Returns:
        the list of URL strings where you can check if the certificate is revoked.
      • getDistributionPointByName

        public static IDistributionPoint getDistributionPointByName​(java.security.cert.X509Certificate certificate,
                                                                    IDistributionPointName issuingDistributionPointName)
        Gets the Distribution Point from the certificate by name specified in the Issuing Distribution Point from the Certificate Revocation List for a Certificate.
        Parameters:
        certificate - the certificate to retrieve Distribution Points
        issuingDistributionPointName - distributionPointName retrieved from the IDP of the CRL
        Returns:
        distribution point with the same name as specified in the IDP.
      • getCRL

        public static java.security.cert.CRL getCRL​(java.lang.String url)
                                             throws java.io.IOException,
                                                    java.security.cert.CertificateException,
                                                    java.security.cert.CRLException
        Gets the CRL object using a CRL URL.
        Parameters:
        url - the URL where the CRL is located
        Returns:
        CRL object
        Throws:
        java.io.IOException - thrown when the URL couldn't be opened properly.
        java.security.cert.CertificateException - thrown if there's no X509 implementation in the provider.
        java.security.cert.CRLException - thrown when encountering errors when parsing the CRL.
      • parseCrlFromStream

        public static java.security.cert.CRL parseCrlFromStream​(java.io.InputStream input)
                                                         throws java.security.cert.CertificateException,
                                                                java.security.cert.CRLException
        Parses a CRL from an InputStream.
        Parameters:
        input - the InputStream holding the unparsed CRL
        Returns:
        the parsed CRL object.
        Throws:
        java.security.cert.CertificateException - thrown if there's no X509 implementation in the provider.
        java.security.cert.CRLException - thrown when encountering errors when parsing the CRL.
      • parseCrlFromBytes

        public static java.security.cert.CRL parseCrlFromBytes​(byte[] crlBytes)
                                                        throws java.security.cert.CertificateException,
                                                               java.security.cert.CRLException
        Parses a CRL from bytes.
        Parameters:
        crlBytes - the bytes holding the unparsed CRL
        Returns:
        the parsed CRL object.
        Throws:
        java.security.cert.CertificateException - thrown if there's no X509 implementation in the provider.
        java.security.cert.CRLException - thrown when encountering errors when parsing the CRL.
      • getIssuerCertURL

        public static java.lang.String getIssuerCertURL​(java.security.cert.CRL crl)
        Retrieves the URL for the issuer certificate for the given CRL.
        Parameters:
        crl - the CRL response
        Returns:
        the URL or null.
      • getOCSPURL

        public static java.lang.String getOCSPURL​(java.security.cert.X509Certificate certificate)
        Retrieves the OCSP URL from the given certificate.
        Parameters:
        certificate - the certificate
        Returns:
        the URL or null
      • getIssuerCertURL

        public static java.lang.String getIssuerCertURL​(java.security.cert.X509Certificate certificate)
        Retrieves the URL of the issuer's certificate for the given certificate.
        Parameters:
        certificate - the certificate
        Returns:
        the URL or null.
      • getTSAURL

        public static java.lang.String getTSAURL​(java.security.cert.X509Certificate certificate)
        Gets the URL of the TSA if it is available on the certificate.
        Parameters:
        certificate - a certificate
        Returns:
        a TSA URL
      • generateCertificate

        public static java.security.cert.Certificate generateCertificate​(java.io.InputStream data)
                                                                  throws java.security.cert.CertificateException
        Generates a certificate object and initializes it with the data read from the input stream data.
        Parameters:
        data - the input stream with the certificates.
        Returns:
        a certificate object initialized with the data from the input stream.
        Throws:
        java.security.cert.CertificateException - on parsing errors.
      • retrieveRevocationInfoFromSignedData

        public static void retrieveRevocationInfoFromSignedData​(IASN1TaggedObject taggedObj,
                                                                java.util.Collection<java.security.cert.CRL> crls,
                                                                java.util.Collection<IBasicOCSPResponse> ocsps,
                                                                java.util.Collection<IASN1Sequence> otherRevocationInfoFormats)
                                                         throws java.io.IOException,
                                                                java.security.cert.CertificateException
        Try to retrieve CRL and OCSP responses from the signed data crls field.
        Parameters:
        taggedObj - signed data crls field as IASN1TaggedObject.
        crls - collection to store retrieved CRL responses.
        ocsps - collection of IBasicOCSPResponse wrappers to store retrieved OCSP responses.
        otherRevocationInfoFormats - collection of revocation info other than OCSP and CRL responses, e.g. SCVP Request and Response, stored as IASN1Sequence.
        Throws:
        java.io.IOException - if some I/O error occurred.
        java.security.cert.CertificateException - if CertificateFactory instance wasn't created.
      • createRevocationInfoChoices

        public static IDERSet createRevocationInfoChoices​(java.util.Collection<java.security.cert.CRL> crls,
                                                          java.util.Collection<IBasicOCSPResponse> ocsps,
                                                          java.util.Collection<IASN1Sequence> otherRevocationInfoFormats)
                                                   throws java.security.cert.CRLException,
                                                          java.io.IOException
        Creates the revocation info (crls field) for the SignedData structure:

            RevocationInfoChoices ::= SET OF RevocationInfoChoice

            RevocationInfoChoice ::= CHOICE {
                crl CertificateList,
                other [1] IMPLICIT OtherRevocationInfoFormat }

            OtherRevocationInfoFormat ::= SEQUENCE {
                otherRevInfoFormat OBJECT IDENTIFIER,
                otherRevInfo ANY DEFINED BY otherRevInfoFormat }

            CertificateList ::= SEQUENCE {
                tbsCertList TBSCertList,
                signatureAlgorithm AlgorithmIdentifier,
                signatureValue BIT STRING }
        Parameters:
        crls - collection of CRL revocation status information.
        ocsps - collection of OCSP revocation status information.
        otherRevocationInfoFormats - collection of revocation info other than OCSP and CRL responses, e.g. SCVP Request and Response, stored as IASN1Sequence.
        Returns:
        crls [1] RevocationInfoChoices field of SignedData structure. Null if SignedData has no revocation data.
        Throws:
        java.security.cert.CRLException - if an encoding error occurs.
        java.io.IOException - if an I/O error occurs.
        See Also:
        RFC 5652 §10.2.1
      • checkIfIssuersMatch

        public static boolean checkIfIssuersMatch​(ICertificateID certID,
                                                  java.security.cert.X509Certificate issuerCert)
                                           throws AbstractOperatorCreationException,
                                                  AbstractOCSPException,
                                                  java.security.cert.CertificateEncodingException,
                                                  java.io.IOException
        Checks if the issuer named by the provided certID (specified in the OCSP response) and the provided issuer certificate of the certificate in question match, i.e. checks that the issuerNameHash and issuerKeyHash fields of the certID are the hashes of the issuer's name and public key.

        SingleResp contains the basic status information for the certificate identified by the certID. The issuer name and serial number identify a unique certificate, so if the serial number of the certificate in question equals the certID serial number and the issuers match, then SingleResp contains the status information for the certificate in question.

        Parameters:
        certID - certID specified in the OCSP response
        issuerCert - the issuer of the certificate in question
        Returns:
        true if the issuers are the same, false otherwise.
        Throws:
        AbstractOperatorCreationException - in case some digest calculator creation error.
        AbstractOCSPException - in case some digest calculator creation error.
        java.security.cert.CertificateEncodingException - if an encoding error occurs.
        java.io.IOException - if input-output exception occurs.
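        The two checks described above (issuer hashes, then serial number), written out in plain JCA plus BouncyCastle as an added example; this is not iText's code, the class name OcspCertIdCheck and its method names are assumptions, and BouncyCastle's CertificateID and SingleResp are assumed to be on the classpath.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.ocsp.CertificateID;
import org.bouncycastle.cert.ocsp.SingleResp;

/** Hypothetical helper (not part of iText) mirroring the checks described for checkIfIssuersMatch. */
public final class OcspCertIdCheck {

    private OcspCertIdCheck() {
    }

    /**
     * Returns true when the CertID's issuerNameHash and issuerKeyHash are the digests of
     * issuerCert's DER-encoded subject Name and of its public key BIT STRING contents,
     * computed with the digest algorithm the CertID itself names (RFC 6960, section 4.1.1).
     */
    public static boolean issuersMatch(CertificateID certID, X509Certificate issuerCert) throws Exception {
        // The JDK's providers register the standard digest OIDs (e.g. 1.3.14.3.2.26 for SHA-1) as aliases,
        // so the OID carried in the CertID can be passed to MessageDigest directly.
        MessageDigest md = MessageDigest.getInstance(certID.getHashAlgOID().getId());

        // issuerNameHash = hash of the DER encoding of the issuer's Name (the issuer cert's subject).
        byte[] expectedNameHash = md.digest(issuerCert.getSubjectX500Principal().getEncoded());

        // issuerKeyHash = hash of the subjectPublicKey BIT STRING value, excluding tag, length and
        // the unused-bits octet; getPublicKeyData().getBytes() returns exactly those bytes.
        SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(issuerCert.getPublicKey().getEncoded());
        byte[] expectedKeyHash = md.digest(spki.getPublicKeyData().getBytes());

        // Constant-time comparisons; both hashes must match, a name-only match is not enough.
        return MessageDigest.isEqual(expectedNameHash, certID.getIssuerNameHash())
                && MessageDigest.isEqual(expectedKeyHash, certID.getIssuerKeyHash());
    }

    /**
     * Returns true when this SingleResp is about subjectCert: same serial number and a CertID
     * whose issuer hashes belong to issuerCert. Only then does its status apply to subjectCert.
     */
    public static boolean singleRespCovers(SingleResp resp, X509Certificate subjectCert,
                                           X509Certificate issuerCert) throws Exception {
        CertificateID certID = resp.getCertID();
        BigInteger serial = subjectCert.getSerialNumber();
        return serial.equals(certID.getSerialNumber()) && issuersMatch(certID, issuerCert);
    }
}
```

        Note that a SingleResp whose CertID fails singleRespCovers says nothing about subjectCert, so its status (good, revoked or unknown) must not be applied to it.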
      • getExtensionValueByOid

        public static byte[] getExtensionValueByOid​(java.security.cert.X509Certificate certificate,
                                                    java.lang.String id)
        Retrieves certificate extension value by its OID.
        Parameters:
        certificate - to get extension from
        id - extension OID to retrieve
        Returns:
        encoded extension value.
      • isSignatureValid

        public static boolean isSignatureValid​(IBasicOCSPResp ocspResp,
                                               java.security.cert.Certificate responderCert)
        Checks if an OCSP response is genuine.
        Parameters:
        ocspResp - IBasicOCSPResp the OCSP response wrapper
        responderCert - the responder certificate
        Returns:
        true if the OCSP response verifies against the responder certificate.
      • isIssuerCertificate

        static boolean isIssuerCertificate​(java.security.cert.X509Certificate subjectCertificate,
                                           java.security.cert.X509Certificate issuerCertificate)
        Checks if the certificate is signed by provided issuer certificate.
        Parameters:
        subjectCertificate - a certificate to check
        issuerCertificate - an issuer certificate to check
        Returns:
        true if the first passed certificate is signed by the second passed certificate.
      • isSelfSigned

        public static boolean isSelfSigned​(java.security.cert.X509Certificate certificate)
        Checks if the certificate is self-signed.
        Parameters:
        certificate - a certificate to check
        Returns:
        true if the certificate is self-signed.
      • getExtensionValue

        public static IASN1Primitive getExtensionValue​(java.security.cert.X509Certificate certificate,
                                                       java.lang.String oid)
                                                throws java.io.IOException
        Gets certificate extension value.
        Parameters:
        certificate - the certificate from which we need the ExtensionValue
        oid - the Object Identifier value for the extension
        Returns:
        the extension value as an IASN1Primitive object.
        Throws:
        java.io.IOException - on processing exception.
      • getExtensionValue

        public static IASN1Primitive getExtensionValue​(java.security.cert.CRL crl,
                                                       java.lang.String oid)
                                                throws java.io.IOException
        Gets CRL extension value.
        Parameters:
        crl - the CRL from which we need the ExtensionValue
        oid - the Object Identifier value for the extension
        Returns:
        the extension value as an IASN1Primitive object.
        Throws:
        java.io.IOException - on processing exception.
      • getExtensionValueFromByteArray

        private static IASN1Primitive getExtensionValueFromByteArray​(byte[] extensionValue)
                                                              throws java.io.IOException
        Converts extension value represented as byte array to IASN1Primitive object.
        Parameters:
        extensionValue - the extension value as byte array
        Returns:
        the extension value as an IASN1Primitive object.
        Throws:
        java.io.IOException - on processing exception.
      • getStringFromGeneralName

        private static java.lang.String getStringFromGeneralName​(IASN1Primitive names)
        Gets a String from an ASN1Primitive.
        Parameters:
        names - the IASN1Primitive primitive wrapper
        Returns:
        a human-readable String
      • getValueFromAIAExtension

        private static java.lang.String getValueFromAIAExtension​(IASN1Primitive extensionValue,
                                                                 java.lang.String accessMethod)
        Retrieves accessLocation value for specified accessMethod from the Authority Information Access extension.
        Parameters:
        extensionValue - Authority Information Access extension value
        accessMethod - accessMethod OID; usually id-ad-caIssuers or id-ad-ocsp
        Returns:
        the location (URI) of the information.
      • getDistributionPoints

        private static IDistributionPoint[] getDistributionPoints​(java.security.cert.X509Certificate certificate)