Package com.peterphi.std.crypto

Class CertificateChainUtil

java.lang.Object

com.peterphi.std.crypto.CertificateChainUtil

public class CertificateChainUtil
extends Object

Utility class which helps manage certificate chains

Field Summary

Fields

Modifier and Type	Field	Description
static boolean	ALLOW_LOG_SELF_SIGN_TESTS

Method Summary

Modifier and Type	Method	Description
static List<X509Certificate>	buildChainFor(KeyPair keypair, Collection<X509Certificate> certs)
static List<X509Certificate>	buildChainFor(PublicKey key, Collection<X509Certificate> certs)
static X509Certificate	getCertificateFor(PublicKey publicKey, Collection<X509Certificate> certs)
static X509Certificate	getIssuer(X509Certificate subject, Collection<X509Certificate> certs)
static X500Principal[]	getIssuerDNsFromChain(List<X509Certificate> chain)	Extracts the DNs of the issuers from a certificate chain.
static X500Principal[]	getPrincipals(List<X509Certificate> chain)
static X500Principal	getSubjectDNFromChain(List<X509Certificate> chain)	Extracts the Subject: the final certificate in a chain
static boolean	isSelfSigned(X509Certificate certificate)	Determines if a certificate is a self signed certificate
static boolean	isSignedBy(X509Certificate subject, PublicKey signer)
static List<X509Certificate>	normaliseChain(List<X509Certificate> chain)	Take a chain and return a (Read-only) chain with the root certificate as the first entry
static List<X509Certificate>	toRootFirst(List<X509Certificate> chain)	Take a chain and return a (Read-only) chain with the root certificate as the first entry
static List<X509Certificate>	toRootLast(List<X509Certificate> chain)	Take a chain and return a (Read-only) chain with the root certificate as the last entry
static void	verifyChain(List<X509Certificate> chain)	Verifies that a certificate chain is valid

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

ALLOW_LOG_SELF_SIGN_TESTS

public static final boolean ALLOW_LOG_SELF_SIGN_TESTS

See Also:

Constant Field Values

Method Detail

getIssuerDNsFromChain

public static X500Principal[] getIssuerDNsFromChain(List<X509Certificate> chain)

Extracts the DNs of the issuers from a certificate chain. The last certificate in the chain will be ignored (since it is the subject)

Parameters:

chain - a normalised chain

Returns:

getSubjectDNFromChain

public static X500Principal getSubjectDNFromChain(List<X509Certificate> chain)

Extracts the Subject: the final certificate in a chain

Parameters:

chain - a normalised chain

Returns:

the subject (the final certificate in the chain)

Throws:

IllegalArgumentException - if the chain is null or empty

isSelfSigned

public static boolean isSelfSigned(X509Certificate certificate)

Determines if a certificate is a self signed certificate

Parameters:

certificate - the certificate to test

Returns:

true if the certificate is self-signed, otherwise false if the certificate was not self-signed or the certificate signature could not be verified

isSignedBy

public static boolean isSignedBy(X509Certificate subject,
                                 PublicKey signer)

buildChainFor

public static List<X509Certificate> buildChainFor(PublicKey key,
                                                  Collection<X509Certificate> certs)

buildChainFor

public static List<X509Certificate> buildChainFor(KeyPair keypair,
                                                  Collection<X509Certificate> certs)

getPrincipals

public static X500Principal[] getPrincipals(List<X509Certificate> chain)

getCertificateFor

public static X509Certificate getCertificateFor(PublicKey publicKey,
                                                Collection<X509Certificate> certs)

getIssuer

public static X509Certificate getIssuer(X509Certificate subject,
                                        Collection<X509Certificate> certs)

normaliseChain

public static List<X509Certificate> normaliseChain(List<X509Certificate> chain)

Take a chain and return a (Read-only) chain with the root certificate as the first entry

Parameters:

chain - a chain with the certificates in order (either leading away from root or leading towards root)

Returns:

a read-only chain leading away from the root certificate

Throws:

IllegalArgumentException - if the chain is null or empty

toRootFirst

public static List<X509Certificate> toRootFirst(List<X509Certificate> chain)

Take a chain and return a (Read-only) chain with the root certificate as the first entry

Parameters:

chain - a chain with the certificates in order (either leading away from root or leading towards root)

Returns:

a read-only chain leading away from the root certificate

Throws:

IllegalArgumentException - if the chain is null or empty

toRootLast

public static List<X509Certificate> toRootLast(List<X509Certificate> chain)

Take a chain and return a (Read-only) chain with the root certificate as the last entry

Parameters:

chain - a chain with the certificates in order (either leading away from root or leading towards root)

Returns:

a read-only chain leading towards the root certificate (i.e. with the root certificate

Throws:

IllegalArgumentException - if the chain is null or empty

verifyChain

public static void verifyChain(List<X509Certificate> chain)

Verifies that a certificate chain is valid

Parameters:

chain - a certificate chain with the root certificate first

Throws:

IllegalArgumentException - if the chain is invalid, null or empty