Class X509CertificateUtils

java.lang.Object
com.nimbusds.oauth2.sdk.util.X509CertificateUtils

public final class X509CertificateUtils extends Object
X.509 certificate utilities.
  • Method Details

    • hasMatchingIssuerAndSubject

      public static boolean hasMatchingIssuerAndSubject(X509Certificate cert)
      Checks if the issuer DN and the subject DN of the specified X.509 certificate match. The matched DNs are not normalised.
      Parameters:
      cert - The X.509 certificate. Must not be null.
      Returns:
      true if the issuer DN and subject DN match, else false.
    • isSelfIssued

      public static boolean isSelfIssued(X509Certificate cert)
      Checks if the specified X.509 certificate is self-issued, i.e. it has a matching issuer and subject, and the public key can be used to successfully validate the certificate's digital signature.
      Parameters:
      cert - The X.509 certificate. Must not be null.
      Returns:
      true if the X.509 certificate is self-issued, else false.
    • isSelfSigned

      public static boolean isSelfSigned(X509Certificate cert)
      Checks if the specified X.509 certificate is self-signed, i.e. the public key can be used to successfully validate the certificate's digital signature.
      Parameters:
      cert - The X.509 certificate. Must not be null.
      Returns:
      true if the X.509 certificate is self-signed, else false.
    • hasValidSignature

      public static boolean hasValidSignature(X509Certificate cert, PublicKey pubKey)
      Validates the signature of an X.509 certificate with the specified public key.
      Parameters:
      cert - The X.509 certificate. Must not be null.
      pubKey - The public key to use for the validation. Must not be null.
      Returns:
      true if the signature is valid, else false.
    • publicKeyMatches

      public static boolean publicKeyMatches(X509Certificate cert, PublicKey pubKey)
      Returns true if the public key of the X.509 certificate matches the specified public key.
      Parameters:
      cert - The X.509 certificate. Must not be null.
      pubKey - The public key to compare. Must not be null.
      Returns:
      true if the two public keys match, else false.
    • generate

      public static X509Certificate generate(X500Principal issuer, X500Principal subject, Date nbf, Date exp, PublicKey certKey, PrivateKey signingKey) throws org.bouncycastle.operator.OperatorCreationException, IOException
      Generates a new X.509 certificate. The certificate is provisioned with a 64-bit random serial number.

      Signing algorithm:

      • For RSA signing keys: SHA256withRSA
      • For EC signing keys: SHA256withECDSA
      Parameters:
      issuer - The issuer. Will be prepended by cn= in the certificate to ensure a valid Distinguished Name (DN). Must not be null.
      subject - The subject. Will be prepended by cn= in the certificate to ensure a valid Distinguished Name (DN). Must not be null.
      nbf - Date before which the certificate is not valid. Must not be null.
      exp - Date after which the certificate is not valid. Must not be null.
      certKey - The public key to include in the certificate. Must not be null.
      signingKey - The signing private key. Must not be null.
      Returns:
      The X.509 certificate.
      Throws:
      org.bouncycastle.operator.OperatorCreationException - On a generation exception.
      IOException - On a byte buffer exception.
    • generate

      public static X509Certificate generate(Issuer issuer, Subject subject, Date nbf, Date exp, PublicKey certKey, PrivateKey signingKey) throws org.bouncycastle.operator.OperatorCreationException, IOException
      Generates a new X.509 certificate. The certificate is provisioned with a 64-bit random serial number.

      Signing algorithm:

      • For RSA signing keys: SHA256withRSA
      • For EC signing keys: SHA256withECDSA
      Parameters:
      issuer - The issuer. Will be prepended by cn= in the certificate to ensure a valid Distinguished Name (DN). Must not be null.
      subject - The subject. Will be prepended by cn= in the certificate to ensure a valid Distinguished Name (DN). Must not be null.
      nbf - Date before which the certificate is not valid. Must not be null.
      exp - Date after which the certificate is not valid. Must not be null.
      certKey - The public key to include in the certificate. Must not be null.
      signingKey - The signing private key. Must not be null.
      Returns:
      The X.509 certificate.
      Throws:
      org.bouncycastle.operator.OperatorCreationException - On a generation exception.
      IOException - On a byte buffer exception.
    • generateSelfSigned

      public static X509Certificate generateSelfSigned(Issuer issuer, Date nbf, Date exp, PublicKey certKey, PrivateKey signingKey) throws org.bouncycastle.operator.OperatorCreationException, IOException
      Generates a new self-signed and self-issued X.509 certificate. The certificate is provisioned with a 64-bit random serial number.

      Signing algorithm:

      • For RSA signing keys: SHA256withRSA
      • For EC signing keys: SHA256withECDSA
      Parameters:
      issuer - The issuer, also used to set the subject. Will be prepended by cn= in the certificate to ensure a valid Distinguished Name (DN). Must not be null.
      nbf - Date before which the certificate is not valid. Must not be null.
      exp - Date after which the certificate is not valid. Must not be null.
      certKey - The public key to include in the certificate. Must not be null.
      signingKey - The signing private key. Must not be null.
      Returns:
      The X.509 certificate.
      Throws:
      org.bouncycastle.operator.OperatorCreationException - On a generation exception.
      IOException - On a byte buffer exception.
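      The following is an added usage example, not part of the SDK's Javadoc or code. It builds a hypothetical CA certificate with generateSelfSigned, issues an end-entity certificate with generate, and then applies the check methods above to tell a self-signed certificate from a CA-issued one and to reject a signature checked against the wrong key. The key pairs, the names "example-ca" and "example-client", and the helper isIssuedBy are all constructed here; trust in the CA certificate itself must come from elsewhere (for example a pinned trust anchor), since hasValidSignature only proves which key signed the certificate.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.util.X509CertificateUtils;

public class X509CertificateUtilsDemo {

    // Hypothetical helper: true only if cert names caCert's subject as its issuer,
    // its signature validates with caCert's public key, and both are within validity.
    static boolean isIssuedBy(X509Certificate cert, X509Certificate caCert) {
        try {
            cert.checkValidity();
            caCert.checkValidity();
        } catch (CertificateException e) {
            return false;
        }
        return cert.getIssuerX500Principal().equals(caCert.getSubjectX500Principal())
                && X509CertificateUtils.hasValidSignature(cert, caCert.getPublicKey());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair caKeys = gen.generateKeyPair(); // constructed CA key pair
        KeyPair eeKeys = gen.generateKeyPair(); // constructed end-entity key pair
        Date now = new Date();
        Date inOneHour = new Date(now.getTime() + 3_600_000L);

        // Self-signed, self-issued CA certificate (EC key, so SHA256withECDSA is used)
        X509Certificate caCert = X509CertificateUtils.generateSelfSigned(
                new Issuer("example-ca"), now, inOneHour, caKeys.getPublic(), caKeys.getPrivate());
        // End-entity certificate: carries eeKeys' public key, signed with the CA's private key
        X509Certificate eeCert = X509CertificateUtils.generate(
                new Issuer("example-ca"), new Subject("example-client"), now, inOneHour,
                eeKeys.getPublic(), caKeys.getPrivate());

        // The CA cert must be self-issued; the end-entity cert must not be self-signed
        if (!X509CertificateUtils.isSelfIssued(caCert) || X509CertificateUtils.isSelfSigned(eeCert))
            throw new IllegalStateException("unexpected self-signed status");
        // The end-entity cert must chain to the CA and carry the end-entity public key
        if (!isIssuedBy(eeCert, caCert) || !X509CertificateUtils.publicKeyMatches(eeCert, eeKeys.getPublic()))
            throw new IllegalStateException("end-entity certificate does not chain to the CA");
        // Checking the CA-signed certificate against the end-entity key must fail
        if (X509CertificateUtils.hasValidSignature(eeCert, eeKeys.getPublic()))
            throw new IllegalStateException("signature validated with the wrong key");
        System.out.println("certificate checks behaved as expected");
    }
}
```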