Class X509Support


  • public class X509Support
    extends Object
    Utility class for working with X509 objects.
    • Field Detail

      • OTHER_ALT_NAME

        public static final Integer OTHER_ALT_NAME
        RFC 2459 Other Subject Alt Name type.
      • RFC822_ALT_NAME

        public static final Integer RFC822_ALT_NAME
        RFC 2459 RFC 822 (email address) Subject Alt Name type.
      • DNS_ALT_NAME

        public static final Integer DNS_ALT_NAME
        RFC 2459 DNS Subject Alt Name type.
      • X400ADDRESS_ALT_NAME

        public static final Integer X400ADDRESS_ALT_NAME
        RFC 2459 X.400 Address Subject Alt Name type.
      • DIRECTORY_ALT_NAME

        public static final Integer DIRECTORY_ALT_NAME
        RFC 2459 Directory Name Subject Alt Name type.
      • EDI_PARTY_ALT_NAME

        public static final Integer EDI_PARTY_ALT_NAME
        RFC 2459 EDI Party Name Subject Alt Name type.
      • URI_ALT_NAME

        public static final Integer URI_ALT_NAME
        RFC 2459 URI Subject Alt Name type.
      • IP_ADDRESS_ALT_NAME

        public static final Integer IP_ADDRESS_ALT_NAME
        RFC 2459 IP Address Subject Alt Name type.
      • REGISTERED_ID_ALT_NAME

        public static final Integer REGISTERED_ID_ALT_NAME
        RFC 2459 Registered ID Subject Alt Name type.
    • Constructor Detail

      • X509Support

        protected X509Support()
        Protected constructor; the class is used only through its static methods.
    • Method Detail

      • determineEntityCertificate

        @Nullable
        public static X509Certificate determineEntityCertificate​(@Nullable
                                                                 Collection<X509Certificate> certs,
                                                                 @Nullable
                                                                 PrivateKey privateKey)
                                                          throws SecurityException
        Determines the certificate, from the collection, associated with the private key.
        Parameters:
        certs - certificates to check
        privateKey - entity's private key
        Returns:
        the certificate associated with entity's private key or null if no certificate in the collection is associated with the given private key
        Throws:
        SecurityException - thrown if the public or private keys checked are of an unsupported type
        Since:
        1.2
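        The following is an added example, not code from the library or from this page, showing how decodeCertificates(InputStream) and determineEntityCertificate are used together to pick the entity certificate out of a PEM chain. It assumes X509Support lives in the package org.opensaml.security.x509, that the chain is in a file chain.pem, and that the key is an unencrypted PKCS#8 DER RSA key in key.pk8; all three are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collection;

import org.opensaml.security.x509.X509Support;   // package name assumed

public final class EntityCertLookup {

    /** Loads an unencrypted PKCS#8 DER private key; algorithm is "RSA" or "EC". */
    static PrivateKey loadPkcs8(String path, String algorithm) throws Exception {
        byte[] der = Files.readAllBytes(Paths.get(path));
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /**
     * Returns the certificate in the chain whose public key matches key, or throws.
     * The chain may list entity and intermediate certificates in any order.
     */
    static X509Certificate entityCert(Collection<X509Certificate> chain, PrivateKey key) throws Exception {
        X509Certificate cert = X509Support.determineEntityCertificate(chain, key);
        if (cert == null) {
            throw new IllegalStateException("no certificate in the chain matches the private key");
        }
        cert.checkValidity();   // throws if the matched certificate is expired or not yet valid
        return cert;
    }

    public static void main(String[] args) throws Exception {
        Collection<X509Certificate> chain;
        // decodeCertificates accepts PEM or DER but does not close the stream: close it here.
        try (InputStream in = new FileInputStream("chain.pem")) {
            chain = X509Support.decodeCertificates(in);
        }
        PrivateKey key = loadPkcs8("key.pk8", "RSA");   // assumed file and key type
        X509Certificate cert = entityCert(chain, key);
        System.out.println("entity certificate subject: " + cert.getSubjectX500Principal());
    }
}
```

        A null return from determineEntityCertificate means the key and chain were shipped together by mistake (or the key was rotated without the certificate); the example treats that as fatal rather than falling back to the first certificate in the file.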
      • getCommonNames

        @Nullable
        public static List<String> getCommonNames​(@Nullable
                                                  X500Principal dn)
        Gets the commons names that appear within the given distinguished name.

        The returned list provides the names in the order they appeared in the DN, according to RFC 1779/2253 encoding. In this encoding the "most specific" name would typically appear in the left-most position, and would appear first in the returned list.

        Parameters:
        dn - the DN to extract the common names from
        Returns:
        the common names that appear in the DN in the order they appear, or null if the given DN is null
      • getAltNames

        @Nullable
        public static List<?> getAltNames​(@Nullable
                                          X509Certificate certificate,
                                          @Nullable
                                          Integer[] nameTypes)
        Gets the list of subject alternative names that are of one of the given name types.
        Parameters:
        certificate - the certificate to extract the alternative names from
        nameTypes - the name types
        Returns:
        the alt names, of the given type, within the cert
      • getSubjectNames

        @Nullable
        public static List<?> getSubjectNames​(@Nullable
                                              X509Certificate certificate,
                                              @Nullable
                                              Integer[] altNameTypes)
        Gets the common name components of the subject DN and all the subject alt names of the given types.
        Parameters:
        certificate - certificate to extract names from
        altNameTypes - type of alt names to extract
        Returns:
        list of subject names in the certificate
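        An added example, not code from the library or from this page, that uses getAltNames, getCommonNames and getSubjectNames to check that a certificate actually names an expected host. The trust decision is made on the SAN dNSName entries only; the subject CN is read for the error message. It assumes X509Support is in org.opensaml.security.x509 and that the certificate file is given on the command line (both assumptions).

```java
import java.io.File;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Locale;

import org.opensaml.security.x509.X509Support;   // package name assumed

public final class CertNameCheck {

    /** True if one of the certificate's SAN dNSName entries equals expected, case-insensitively. */
    static boolean sanDnsMatches(X509Certificate cert, String expected) {
        List<?> dnsNames = X509Support.getAltNames(cert, new Integer[] { X509Support.DNS_ALT_NAME });
        if (dnsNames == null) {
            return false;
        }
        String want = expected.toLowerCase(Locale.ROOT);
        for (Object name : dnsNames) {
            // dNSName values come back as String, as for X509Certificate#getSubjectAlternativeNames
            if (name instanceof String && ((String) name).toLowerCase(Locale.ROOT).equals(want)) {
                return true;
            }
        }
        return false;
    }

    /** Left-most CN of the subject DN, used for diagnostics only; it is not a trust input here. */
    static String subjectCn(X509Certificate cert) {
        List<String> cns = X509Support.getCommonNames(cert.getSubjectX500Principal());
        return (cns == null || cns.isEmpty()) ? "(no CN)" : cns.get(0);
    }

    /** Fails unless the SAN names the expected host; the message lists every name the cert carries. */
    static void requireDnsName(X509Certificate cert, String expected) {
        if (!sanDnsMatches(cert, expected)) {
            List<?> allNames = X509Support.getSubjectNames(cert, new Integer[] {
                    X509Support.DNS_ALT_NAME, X509Support.URI_ALT_NAME, X509Support.IP_ADDRESS_ALT_NAME });
            throw new IllegalArgumentException("certificate does not name " + expected
                    + "; subject CN=" + subjectCn(cert) + ", names=" + allNames);
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = X509Support.decodeCertificate(new File(args[0]));   // PEM or DER
        requireDnsName(cert, args[1]);
        System.out.println(args[1] + " is present in the SAN of " + cert.getSubjectX500Principal());
    }
}
```

        The comparison is an exact, case-insensitive match: wildcard labels and internationalised names are deliberately not handled, so a certificate for *.example.org will be rejected for www.example.org rather than silently matched.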
      • getSubjectKeyIdentifier

        @Nullable
        public static byte[] getSubjectKeyIdentifier​(@Nonnull
                                                     X509Certificate certificate)
        Get the plain (non-DER encoded) value of the Subject Key Identifier extension of an X.509 certificate, if present.
        Parameters:
        certificate - an X.509 certificate possibly containing a subject key identifier
        Returns:
        the plain (non-DER encoded) value of the Subject Key Identifier extension, or null if the certificate does not contain the extension
      • getX509Digest

        @Nonnull
        public static byte[] getX509Digest​(@Nonnull
                                           X509Certificate certificate,
                                           @Nonnull
                                           String jcaAlgorithm)
                                    throws SecurityException
        Get the XML Signature-compliant digest of an X.509 certificate.
        Parameters:
        certificate - an X.509 certificate
        jcaAlgorithm - JCA algorithm identifier
        Returns:
        the raw digest of the certificate
        Throws:
        SecurityException - thrown if the algorithm is unsupported or the certificate cannot be encoded
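        An added example, not code from the library or from this page, that uses getX509Digest for certificate pinning and getSubjectKeyIdentifier (documented above) to locate a candidate certificate. The digest is compared in constant time and is the trust decision; the SKI is only a lookup key, since any certificate can carry any SKI value. The package name org.opensaml.security.x509 and the empty pin list are assumptions; populate the list from your own pinned values.

```java
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;

import org.opensaml.security.x509.X509Support;   // package name assumed

public final class CertPinning {

    /**
     * SHA-256 digests of the certificates we accept, base64-encoded as they would appear in a
     * ds:X509Digest element. Placeholder: add your own values, one per accepted certificate.
     */
    private static final String[] PINNED_SHA256_B64 = {
        // "<base64 of SHA-256 over the DER encoding of the certificate>"
    };

    /** Constant-time membership test of the certificate's digest against the pin list. */
    static boolean isPinned(X509Certificate cert) throws Exception {
        byte[] actual = X509Support.getX509Digest(cert, "SHA-256");   // digest of the DER encoding
        boolean matched = false;
        for (String pin : PINNED_SHA256_B64) {
            byte[] expected = Base64.getDecoder().decode(pin);
            // MessageDigest.isEqual is constant-time; OR-accumulate so every pin is compared
            matched |= MessageDigest.isEqual(expected, actual);
        }
        return matched;
    }

    /**
     * Locates a candidate by Subject Key Identifier. The SKI is not authenticated, so a plain
     * Arrays.equals is fine here; the caller must still establish trust separately.
     */
    static X509Certificate findBySki(Collection<X509Certificate> certs, byte[] ski) {
        for (X509Certificate c : certs) {
            byte[] candidate = X509Support.getSubjectKeyIdentifier(c);   // null if no SKI extension
            if (candidate != null && Arrays.equals(candidate, ski)) {
                return c;
            }
        }
        return null;
    }

    /** Resolves a certificate by SKI and accepts it only if its digest is pinned. */
    static X509Certificate resolveTrusted(Collection<X509Certificate> certs, byte[] ski) throws Exception {
        X509Certificate c = findBySki(certs, ski);
        if (c == null || !isPinned(c)) {
            throw new IllegalStateException("no pinned certificate with the requested SKI");
        }
        return c;
    }
}
```

        With an empty pin list resolveTrusted always throws, which is the safe default for a pin store that has not been configured.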
      • decodeCertificates

        @Nullable
        public static Collection<X509Certificate> decodeCertificates​(@Nonnull
                                                                     InputStream certs)
                                                              throws CertificateException
        Decodes X.509 certificates in DER or PEM format. Note that this does not close the input stream.
        Parameters:
        certs - encoded certs
        Returns:
        decoded certs
        Throws:
        CertificateException - thrown if the certificates cannot be decoded
        Since:
        1.2
      • decodeCertificates

        @Nullable
        public static Collection<X509Certificate> decodeCertificates​(@Nonnull
                                                                     byte[] certs)
                                                              throws CertificateException
        Decodes X.509 certificates in DER or PEM format.
        Parameters:
        certs - encoded certs
        Returns:
        decoded certs
        Throws:
        CertificateException - thrown if the certificates cannot be decoded
      • decodeCertificate

        @Nullable
        public static X509Certificate decodeCertificate​(@Nonnull
                                                        File cert)
                                                 throws CertificateException
        Decodes a single X.509 certificate in DER or PEM format.
        Parameters:
        cert - encoded cert
        Returns:
        decoded cert
        Throws:
        CertificateException - thrown if the certificate cannot be decoded
        Since:
        1.2
      • decodeCertificate

        @Nullable
        public static X509Certificate decodeCertificate​(@Nonnull
                                                        byte[] cert)
                                                 throws CertificateException
        Decodes a single X.509 certificate in DER or PEM format.
        Parameters:
        cert - encoded cert
        Returns:
        decoded cert
        Throws:
        CertificateException - thrown if the certificate cannot be decoded
      • decodeCertificate

        @Nullable
        public static X509Certificate decodeCertificate​(@Nonnull
                                                        String base64Cert)
                                                 throws CertificateException
        Decodes a single X.509 certificate from base64-encoded DER without PEM headers and footers.
        Parameters:
        base64Cert - base64-encoded certificate
        Returns:
        a native Java X509 certificate
        Throws:
        CertificateException - thrown if there is an error constructing the certificate
      • decodeCRLs

        @Nullable
        public static Collection<X509CRL> decodeCRLs​(@Nonnull
                                                     File crls)
                                              throws CRLException
        Decodes CRLs in DER or PKCS#7 format. If in PKCS#7 format only the CRLs are decoded; the rest of the content is ignored.
        Parameters:
        crls - encoded CRLs
        Returns:
        decoded CRLs
        Throws:
        CRLException - thrown if the CRLs cannot be decoded
        Since:
        1.2
      • decodeCRLs

        @Nullable
        public static Collection<X509CRL> decodeCRLs​(@Nonnull
                                                     InputStream crls)
                                              throws CRLException
        Decodes CRLs in DER or PKCS#7 format. If in PKCS#7 format only the CRLs are decoded; the rest of the content is ignored. Note that this does not close the input stream.
        Parameters:
        crls - encoded CRLs
        Returns:
        decoded CRLs
        Throws:
        CRLException - thrown if the CRLs cannot be decoded
        Since:
        1.2
      • decodeCRLs

        @Nullable
        public static Collection<X509CRL> decodeCRLs​(@Nonnull
                                                     byte[] crls)
                                              throws CRLException
        Decodes CRLs in DER or PKCS#7 format. If in PKCS#7 format only the CRLs are decoded; the rest of the content is ignored.
        Parameters:
        crls - encoded CRLs
        Returns:
        decoded CRLs
        Throws:
        CRLException - thrown if the CRLs cannot be decoded
      • decodeCRL

        @Nullable
        public static X509CRL decodeCRL​(@Nonnull
                                        String base64CRL)
                                 throws CertificateException,
                                        CRLException
        Decodes a single CRL from base64-encoded DER without PEM headers and footers.
        Parameters:
        base64CRL - base64-encoded CRL
        Returns:
        a native Java X509 CRL
        Throws:
        CertificateException - thrown if there is an error constructing the certificate factory used for decoding
        CRLException - thrown if there is an error constructing the CRL
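        An added example, not code from the library or from this page, showing what has to happen after decodeCRLs(File): decoding a CRL verifies nothing, so before consulting it the example checks that the CRL names the certificate's issuer, that its signature verifies under the issuer's key, that the issuer is permitted to sign CRLs, and that the CRL is not past its nextUpdate. The package name org.opensaml.security.x509 and the three command-line file arguments (certificate, issuer certificate, CRL file) are assumptions.

```java
import java.io.File;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;

import org.opensaml.security.x509.X509Support;   // package name assumed

public final class CrlRevocationCheck {

    enum Status { GOOD, REVOKED, UNDETERMINED }

    /**
     * Checks cert against the CRLs. A CRL is consulted only if it names cert's issuer, its
     * signature verifies under the issuer's key, and it is not past nextUpdate. If no CRL
     * qualifies the answer is UNDETERMINED, which callers should treat as a failure.
     */
    static Status check(X509Certificate cert, X509Certificate issuer, Collection<X509CRL> crls) {
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            throw new IllegalArgumentException("issuer certificate does not match the certificate's issuer DN");
        }
        boolean[] keyUsage = issuer.getKeyUsage();
        if (keyUsage != null && !keyUsage[6]) {          // KeyUsage bit 6 is cRLSign
            throw new IllegalArgumentException("issuer certificate is not permitted to sign CRLs");
        }
        Date now = new Date();
        for (X509CRL crl : crls) {
            if (!crl.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
                continue;                                // issued by some other CA
            }
            try {
                crl.verify(issuer.getPublicKey());       // decoding alone proves nothing
            } catch (Exception e) {
                continue;                                // corrupt or forged: never consult it
            }
            Date next = crl.getNextUpdate();
            if (next != null && next.before(now)) {
                continue;                                // stale: a newer CRL may be withheld
            }
            return crl.isRevoked(cert) ? Status.REVOKED : Status.GOOD;
        }
        return Status.UNDETERMINED;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert = X509Support.decodeCertificate(new File(args[0]));
        X509Certificate issuer = X509Support.decodeCertificate(new File(args[1]));
        Collection<X509CRL> crls = X509Support.decodeCRLs(new File(args[2]));   // DER or PKCS#7
        if (crls == null) {
            crls = Collections.emptyList();
        }
        Status status = check(cert, issuer, crls);
        System.out.println("revocation status: " + status);
        if (status != Status.GOOD) {
            System.exit(1);
        }
    }
}
```

        UNDETERMINED is returned rather than GOOD when every CRL is rejected, so an attacker who serves a corrupt or expired CRL file gains nothing; the caller decides whether to fail closed or fall back to another revocation source.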
      • getIdentifiersToken

        @Nonnull
        public static String getIdentifiersToken​(@Nonnull
                                                 X509Credential credential,
                                                 @Nullable
                                                 X500DNHandler handler)
        Gets a formatted string representing identifier information from the supplied credential.

        This could for example be used in logging messages.

        Often a credential being evaluated will NOT have a value for the entity ID property. The token therefore contains the certificate subject DN and, if present, the credential's entity ID.

        Parameters:
        credential - the credential for which to produce a token.
        handler - the X.500 DN handler to use. If null, a new instance of InternalX500DNHandler will be used.
        Returns:
        a formatted string containing identifier information present in the credential
      • convertAltNameType

        @Nullable
        private static Object convertAltNameType​(@Nonnull
                                                 Integer nameType,
                                                 @Nonnull
                                                 org.bouncycastle.asn1.ASN1Primitive nameValue)
        Convert types returned by Bouncy Castle X509ExtensionUtil.getSubjectAlternativeNames(X509Certificate) to be consistent with what is documented for: java.security.cert.X509Certificate#getSubjectAlternativeNames.
        Parameters:
        nameType - the alt name type
        nameValue - the alt name value
        Returns:
        converted representation of name value, based on type
      • getLogger

        @Nonnull
        private static org.slf4j.Logger getLogger()
        Get an SLF4J Logger.
        Returns:
        a Logger instance