Class CertificateUtil

java.lang.Object
org.globus.gsi.util.CertificateUtil

public final class CertificateUtil extends Object
  • Field Details

    • provider

      private static String provider
    • logger

      private static org.apache.commons.logging.Log logger
    • KEYWORD_MAP

      private static final Map<String,String> KEYWORD_MAP
    • OID_MAP

      private static final Map<String,String> OID_MAP
  • Constructor Details

    • CertificateUtil

      private CertificateUtil()
  • Method Details

    • init

      public static void init()
      A no-op function that can be used to force the class to load and initialize.
    • setProvider

      public static void setProvider(String providerName)
      Sets a provider name to use for loading certificates and for generating key pairs.
      Parameters:
      providerName - provider name to use.
    • installSecureRandomProvider

      public static void installSecureRandomProvider()
      Installs the SecureRandom provider. This function is called automatically when this class is loaded.
    • getCAPathConstraint

      public static int getCAPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws IOException
      Returns the CA path constraint of the given TBS certificate.
      Parameters:
      crt - the TBS certificate to read the constraint from.
      Returns:
      the CA path constraint
      Throws:
      IOException
    • generateKeyPair

      public static KeyPair generateKeyPair(String algorithm, int bits) throws GeneralSecurityException
      Generates a key pair of given algorithm and strength.
      Parameters:
      algorithm - the algorithm of the key pair.
      bits - the strength
      Returns:
      the generated key pair.
      Throws:
      GeneralSecurityException - if something goes wrong.
    • getCertificateType

      public static GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws CertificateException, IOException
      Returns certificate type of the given TBS certificate.
      The certificate type is GSIConstants.CertificateType.CA only if the certificate contains a BasicConstraints extension and it is marked as CA.
      A certificate is a GSI-2 proxy when the subject DN ends with a "CN=proxy" component (certificate type GSIConstants.CertificateType.GSI_2_PROXY) or a "CN=limited proxy" component (certificate type GSIConstants.CertificateType.LIMITED_PROXY), and the issuer DN matches the subject DN without that last proxy CN component.
      A certificate is a GSI-3 proxy when the subject DN ends with a CN component, the issuer DN matches the subject DN without that last CN component, and the certificate contains a critical ProxyCertInfo extension. The certificate type is GSIConstants.CertificateType.GSI_3_IMPERSONATION_PROXY if the policy language of the ProxyCertInfo extension is set to the ProxyPolicy.IMPERSONATION OID, GSIConstants.CertificateType.GSI_3_LIMITED_PROXY if it is set to the ProxyPolicy.LIMITED OID, and GSIConstants.CertificateType.GSI_3_INDEPENDENT_PROXY if it is set to the ProxyPolicy.INDEPENDENT OID. The certificate type is GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY if the policy language is set to any OID other than the above.
      The certificate type is GSIConstants.CertificateType.EEC if the certificate is not a CA certificate or a GSI-2 or GSI-3 proxy.
      Parameters:
      crt - the TBS certificate to get the type of.
      Returns:
      the certificate type. The certificate type is determined by rules described above.
      Throws:
      IOException - if something goes wrong.
      CertificateException - for proxy certificates, if the issuer DN of the certificate does not match the subject DN of the certificate without the last CN component. Also, for GSI-3 proxies when the ProxyCertInfo extension is not marked as critical.
    • processCN

      private static GSIConstants.CertificateType processCN(org.bouncycastle.asn1.x509.X509Extensions extensions, GSIConstants.CertificateType type, org.bouncycastle.asn1.ASN1Sequence ava) throws CertificateException
      Throws:
      CertificateException
    • processCriticalExtension

      private static GSIConstants.CertificateType processCriticalExtension(org.bouncycastle.asn1.x509.X509Extension ext, boolean gsi4)
    • getBasicConstraints

      public static org.bouncycastle.asn1.x509.BasicConstraints getBasicConstraints(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
      Creates a BasicConstraints object from given extension.
      Parameters:
      ext - the extension.
      Returns:
      the BasicConstraints object.
      Throws:
      IOException - if something fails.
    • toASN1Primitive

      public static org.bouncycastle.asn1.ASN1Primitive toASN1Primitive(byte[] data) throws IOException
      Converts the DER-encoded byte array into an ASN1Primitive (the DERObject of older BouncyCastle versions).
      Parameters:
      data - the DER-encoded byte array to convert.
      Returns:
      the decoded ASN1Primitive.
      Throws:
      IOException - if conversion fails
    • getTBSCertificateStructure

      public static org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert) throws CertificateEncodingException, IOException
      Extracts the TBS certificate from the given certificate.
      Parameters:
      cert - the X.509 certificate to extract the TBS certificate from.
      Returns:
      the TBS certificate
      Throws:
      IOException - if extraction fails.
      CertificateEncodingException - if extraction fails.
    • getKeyUsage

      public static EnumSet<KeyUsage> getKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws IOException
      Throws:
      IOException
    • getKeyUsage

      public static EnumSet<KeyUsage> getKeyUsage(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
      Returns the set of KeyUsage bits asserted in the given KeyUsage extension.
      Throws:
      IOException - if the KeyUsage extension value could not be extracted.
    • getExtensionObject

      public static org.bouncycastle.asn1.ASN1Primitive getExtensionObject(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
      Extracts the value of a certificate extension.
      Parameters:
      ext - the certificate extension to extract the value from.
      Returns:
      the extension value as an ASN1Primitive.
      Throws:
      IOException - if extraction fails.
    • toGlobusID

      public static String toGlobusID(String dn)
      Converts DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C".
      This function might return incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.
      Parameters:
      dn - the DN to convert to Globus format.
      Returns:
      the converted DN in Globus format.
    • toGlobusID

      public static String toGlobusID(String dn, boolean noreverse)
      Converts a DN of the form "CN=A, OU=B, O=C" into Globus format, either "/CN=A/OU=B/O=C" or "/O=C/OU=B/CN=A" depending on the noreverse option. If noreverse is true, the order of the DN components is not reversed and "/CN=A/OU=B/O=C" is returned. If noreverse is false, the order of the DN components is reversed and "/O=C/OU=B/CN=A" is returned.
      This function might return incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.
      Parameters:
      dn - the DN to convert to Globus format.
      noreverse - the direction of the conversion.
      Returns:
      the converted DN in Globus format.
    • toGlobusID

      public static String toGlobusID(Principal name)
      Converts the specified principal into Globus format. If the principal is of unrecognized type a simple string-based conversion is made using the toGlobusID() function.
      Parameters:
      name - the principal to convert to Globus format.
      Returns:
      the converted DN in Globus format.
    • toGlobusID

      public static String toGlobusID(X500Principal principal)
      Converts a DN of the form "CN=A, OU=B, O=C" into Globus format "/O=C/OU=B/CN=A".
      This function might return incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.
      Returns:
      the converted DN in Globus format.
    • toPrincipal

      public static X500Principal toPrincipal(String globusID)
      Converts the Globus DN format "/O=C/OU=B/CN=A" into an X500Principal representation, which accepts RFC 2253 or RFC 1779 formatted DNs and also attribute types as defined in RFC 2459 (e.g. "CN=A,OU=B,O=C"). This method should allow the forward slash, "/", to occur in attribute values (see GFD.125 section 3.2.2; RFC 2252 allows "/" in PrintableStrings).
      Parameters:
      globusID - DN in Globus format
      Returns:
      the X500Principal representation of the given DN
    • getCertPath

      public static CertPath getCertPath(X509Certificate[] certs) throws CertificateException
      Throws:
      CertificateException
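The DN handling behind the GSI-2 rule of getCertificateType and the conversion done by toGlobusID, as an added example that is not JGlobus code; it is written in Python rather than Java so it runs stand-alone without BouncyCastle or real certificates. It shows an RDN splitter that keeps a backslash-escaped comma inside its value (the case the toGlobusID note warns about) next to the naive split that gets it wrong, the Globus-format conversion in both orders, and the check that a GSI-2 proxy's issuer DN equals its subject DN without the proxy CN. Function names and the DNs used are constructed for this example.

```python
import re
from typing import List, Optional

# Split an RFC 2253-style DN on commas that are not backslash-escaped, so an
# RDN value such as "Doe\, John" survives as one component. Constructed helper;
# it covers the common single-escape case, not escaped-backslash sequences.
_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def split_rdns(dn: str) -> List[str]:
    """Return the RDNs of a DN string, most specific first (RFC 2253 order)."""
    return [rdn.strip() for rdn in _UNESCAPED_COMMA.split(dn)]


def naive_to_globus_id(dn: str) -> str:
    """Splits on every comma: the failure mode the Javadoc note describes."""
    return "/" + "/".join(p.strip() for p in reversed(dn.split(",")))


def to_globus_id(dn: str, noreverse: bool = False) -> str:
    """Convert "CN=A, OU=B, O=C" to "/O=C/OU=B/CN=A", or to "/CN=A/OU=B/O=C"
    when noreverse is True, keeping an escaped comma inside its RDN."""
    rdns = split_rdns(dn)
    if not noreverse:
        rdns.reverse()
    return "/" + "/".join(rdns)


def gsi2_proxy_type(subject_dn: str, issuer_dn: str) -> Optional[str]:
    """Apply the GSI-2 proxy rule to RFC 2253 DNs.

    The proxy CN is the most specific RDN, i.e. the first one here (it is the
    last one in Globus "/..." form). Returns "GSI_2_PROXY", "LIMITED_PROXY", or
    None when the subject carries no proxy CN; raises ValueError when the issuer
    is not the subject DN minus that CN, mirroring the CertificateException.
    """
    subject = split_rdns(subject_dn)
    kinds = {"CN=proxy": "GSI_2_PROXY", "CN=limited proxy": "LIMITED_PROXY"}
    kind = kinds.get(subject[0])
    if kind is None:
        return None
    if split_rdns(issuer_dn) != subject[1:]:
        raise ValueError("issuer DN does not match subject DN without the proxy CN")
    return kind
```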