net.maritimecloud.pki

Class CertificateHandler

java.lang.Object

net.maritimecloud.pki.CertificateHandler

public class CertificateHandler
extends Object

Constructor Summary

Constructors

Constructor and Description
CertificateHandler()

Method Summary

Modifier and Type	Method and Description
static byte[]	createOutputKeystore(String type, String alias, String password, PrivateKey privateKey, X509Certificate certificate) Place a cert/key in a PKCS12 or JKS keystore
static X509Certificate	getCertFromNginxHeader(String certificateHeader) Extract a certificate from a nginx header containing a PEM formatet certificate
static X509Certificate	getCertFromPem(String pemCertificate) Converts a PEM encoded certificate to a X509Certificate
static String	getElement(org.bouncycastle.asn1.x500.X500Name x500name, org.bouncycastle.asn1.ASN1ObjectIdentifier objectId) Extract a value from the DN extracted from a certificate
static PKIIdentity	getIdentityFromCert(X509Certificate userCertificate) Extracts a PKIIdentity from a certificate using the MC PKI certificate "format"
static String	getPemFromEncoded(String type, byte[] encoded) Convert a cert/key to pem from "encoded" format (byte[])
static boolean	verifyCertificate(PublicKey verificationPubKey, X509Certificate certToVerify, Date verificationDate) Verify a single certificate against the public key of the issueing certificate.
static boolean	verifyCertificateChain(X509Certificate certificate, KeyStore ks) Verify a single certificate against trust chain in the keystore.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CertificateHandler

public CertificateHandler()

Method Detail

verifyCertificate

public static boolean verifyCertificate(PublicKey verificationPubKey,
                                        X509Certificate certToVerify,
                                        Date verificationDate)

Verify a single certificate against the public key of the issueing certificate. Does *not* check revocation status against CRL/OCSP. In most cases you should probably use verifyCertificateChain instead to verify the complete chain.

Parameters:

verificationPubKey - Public key of the issuing certificate

certToVerify - The certificate to verify

verificationDate - Date the certificate must be valid. If null the present day is used.

Returns:

true if valid else false

verifyCertificateChain

public static boolean verifyCertificateChain(X509Certificate certificate,
                                             KeyStore ks)
                                      throws KeyStoreException,
                                             NoSuchAlgorithmException,
                                             CertificateException,
                                             InvalidAlgorithmParameterException,
                                             CertPathValidatorException

Verify a single certificate against trust chain in the keystore. If the certificate is invalid a CertPathValidatorException is thrown. Checks certificate validity and revocation status.

Parameters:

certificate - The certificate to verify

ks - The truststore that contains the trust chain

Returns:

true if valid.

Throws:

KeyStoreException - Thrown if keystore loading fails

NoSuchAlgorithmException - Thrown if PKIX initialization fails

CertificateException - Thrown if certificate cannot be loaded

InvalidAlgorithmParameterException - Thrown if keystore loading fails

CertPathValidatorException - Thrown if certificate is invalid.

getPemFromEncoded

public static String getPemFromEncoded(String type,
                                       byte[] encoded)

Convert a cert/key to pem from "encoded" format (byte[])

Parameters:

type - The type, currently "CERTIFICATE", "PUBLIC KEY", "PRIVATE KEY" or "X509 CRL" are used

encoded - The encoded byte[]

Returns:

The Pem formated cert/key

createOutputKeystore

public static byte[] createOutputKeystore(String type,
                                          String alias,
                                          String password,
                                          PrivateKey privateKey,
                                          X509Certificate certificate)

Place a cert/key in a PKCS12 or JKS keystore

Parameters:

type - The keystore type to use (PKCS12 or JKS)

alias - The alias of the certificate in the keystore

password - The password used to protect the key

privateKey - Private key of the certificate

certificate - The certificate

Returns:

Byte array of the p12 keystore.

getCertFromNginxHeader

public static X509Certificate getCertFromNginxHeader(String certificateHeader)

Extract a certificate from a nginx header containing a PEM formatet certificate

Parameters:

certificateHeader - The header containing the certificate

Returns:

The extracted certificate. Returns null on failure.

getCertFromPem

public static X509Certificate getCertFromPem(String pemCertificate)

Converts a PEM encoded certificate to a X509Certificate

Parameters:

pemCertificate - String containing the PEM encoded certificate

Returns:

The converted certificate

getIdentityFromCert

public static PKIIdentity getIdentityFromCert(X509Certificate userCertificate)

Extracts a PKIIdentity from a certificate using the MC PKI certificate "format"

Parameters:

userCertificate - The certificate

Returns:

The extracted identity

getElement

public static String getElement(org.bouncycastle.asn1.x500.X500Name x500name,
                                org.bouncycastle.asn1.ASN1ObjectIdentifier objectId)

Extract a value from the DN extracted from a certificate

Parameters:

x500name - The full DN from certificate

objectId - The Identifier to find

Returns:

the value of the identifier, or null if not found.