001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2016, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.oauth2.sdk.util; 019 020 021import java.security.Principal; 022import java.security.PublicKey; 023import java.security.cert.X509Certificate; 024import java.util.Arrays; 025 026 027/** 028 * X.509 certificate utilities. 029 */ 030public final class X509CertificateUtils { 031 032 033 /** 034 * Checks if the issuer DN and the subject DN of the specified X.509 035 * certificate match. The matched DNs are not normalised. 036 * 037 * @param cert The X.509 certificate. Must not be {@code null}. 038 * 039 * @return {@code true} if the issuer DN and and subject DN match, else 040 * {@code false}. 041 */ 042 public static boolean hasMatchingIssuerAndSubject(final X509Certificate cert) { 043 044 Principal issuer = cert.getIssuerDN(); 045 Principal subject = cert.getSubjectDN(); 046 047 return issuer != null && subject != null && issuer.equals(subject); 048 } 049 050 051 /** 052 * Checks if the specified X.509 certificate is self-issued, i.e. it 053 * has a matching issuer and subject, and the public key can be used to 054 * successfully validate the certificate's digital signature. 055 * 056 * @param cert The X.509 certificate. Must not be {@code null}. 057 * 058 * @return {@code true} if the X.509 certificate is self-issued, else 059 * {@code false}. 060 */ 061 public static boolean isSelfIssued(final X509Certificate cert) { 062 063 return hasMatchingIssuerAndSubject(cert) && isSelfSigned(cert); 064 } 065 066 067 /** 068 * Checks if the specified X.509 certificate is self-signed, i.e. the 069 * public key can be used to successfully validate the certificate's 070 * digital signature. 071 * 072 * @param cert The X.509 certificate. Must not be {@code null}. 073 * 074 * @return {@code true} if the X.509 certificate is self-signed, else 075 * {@code false}. 076 */ 077 public static boolean isSelfSigned(final X509Certificate cert) { 078 079 PublicKey publicKey = cert.getPublicKey(); 080 081 return hasValidSignature(cert, publicKey); 082 } 083 084 085 /** 086 * Validates the signature of a X.509 certificate with the specified 087 * public key. 088 * 089 * @param cert The X.509 certificate. Must not be {@code null}. 090 * @param pubKey The public key to use for the validation. Must not be 091 * {@code null}. 092 * 093 * @return {@code true} if the signature is valid, else {@code false}. 094 */ 095 public static boolean hasValidSignature(final X509Certificate cert, 096 final PublicKey pubKey) { 097 098 try { 099 cert.verify(pubKey); 100 } catch (Exception e) { 101 return false; 102 } 103 104 return true; 105 } 106 107 108 /** 109 * Returns {@code true} if the public key of the X.509 certificate 110 * matches the specified public key. 111 * 112 * @param cert The X.509 certificate. Must not be {@code null}. 113 * @param pubKey The public key to compare. Must not be {@code null}. 114 * 115 * @return {@code true} if the two public keys match, else 116 * {@code false}. 117 */ 118 public static boolean publicKeyMatches(final X509Certificate cert, 119 final PublicKey pubKey) { 120 121 PublicKey certPubKey = cert.getPublicKey(); 122 123 return Arrays.equals(certPubKey.getEncoded(), pubKey.getEncoded()); 124 } 125 126 127 /** 128 * Prevents public instantiation. 129 */ 130 private X509CertificateUtils() {} 131}