Package org.globus.gsi.util
Class CertificateUtil
java.lang.Object
    org.globus.gsi.util.CertificateUtil

FILL ME

Field Summary
Fields

Constructor Summary
Constructors
Method Summary

static KeyPair generateKeyPair(String algorithm, int bits)
    Generates a key pair of the given algorithm and strength.

static org.bouncycastle.asn1.x509.BasicConstraints getBasicConstraints(org.bouncycastle.asn1.x509.X509Extension ext)
    Creates a BasicConstraints object from the given extension.

static int getCAPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
    Returns the CA path constraint.

static GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
    Returns the certificate type of the given TBS certificate.

static CertPath getCertPath(X509Certificate[] certs)

static org.bouncycastle.asn1.ASN1Primitive getExtensionObject(org.bouncycastle.asn1.x509.X509Extension ext)
    Extracts the value of a certificate extension.

static EnumSet<KeyUsage> getKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)

static EnumSet<KeyUsage> getKeyUsage(org.bouncycastle.asn1.x509.X509Extension ext)
    Gets a boolean array representing bits of the KeyUsage extension.

static org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert)
    Extracts the TBS certificate from the given certificate.

static void init()
    A no-op function that can be used to force the class to load and initialize.

static void installSecureRandomProvider()
    Installs the SecureRandom provider.

private static GSIConstants.CertificateType processCN(org.bouncycastle.asn1.x509.X509Extensions extensions, GSIConstants.CertificateType type, org.bouncycastle.asn1.ASN1Sequence ava)

private static GSIConstants.CertificateType processCriticalExtension(org.bouncycastle.asn1.x509.X509Extension ext, boolean gsi4)

static void setProvider(String providerName)
    Sets a provider name to use for loading certificates and for generating key pairs.

static org.bouncycastle.asn1.ASN1Primitive toASN1Primitive(byte[] data)
    Converts the DER-encoded byte array into a DERObject.

static String toGlobusID(String dn)
    Converts a DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C". This function might return an incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.

static String toGlobusID(String dn, boolean noreverse)
    Converts a DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C" or "/O=C/OU=B/CN=A" depending on the noreverse option.

static String toGlobusID(Principal name)
    Converts the specified principal into Globus format.

static String toGlobusID(X500Principal principal)
    Converts a DN of the form "CN=A, OU=B, O=C" into Globus format "/O=C/OU=B/CN=A". This function might return an incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.

static X500Principal toPrincipal(String globusID)
    Converts Globus DN format "/O=C/OU=B/CN=A" into an X500Principal representation, which accepts RFC 2253 or 1779 formatted DNs and also attribute types as defined in RFC 2459 (e.g. "CN=A,OU=B,O=C").

Field Details

provider

logger
private static org.apache.commons.logging.Log logger

KEYWORD_MAP

OID_MAP


Constructor Details

CertificateUtil
private CertificateUtil()

Method Details

init
public static void init()
    A no-op function that can be used to force the class to load and initialize.

setProvider
public static void setProvider(String providerName)
    Sets a provider name to use for loading certificates and for generating key pairs.
    Parameters:
        providerName - provider name to use.

installSecureRandomProvider
public static void installSecureRandomProvider()
    Installs the SecureRandom provider. This function is automatically called when this class is loaded.

getCAPathConstraint
public static int getCAPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws IOException
    Returns the CA path constraint.
    Parameters:
        crt - the TBS certificate.
    Returns:
        the CA path constraint
    Throws:
        IOException

generateKeyPair
public static KeyPair generateKeyPair(String algorithm, int bits) throws GeneralSecurityException
    Generates a key pair of the given algorithm and strength.
    Parameters:
        algorithm - the algorithm of the key pair.
        bits - the strength
    Returns:
        the generated key pair.
    Throws:
        GeneralSecurityException - if something goes wrong.

getCertificateType
public static GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws CertificateException, IOException
    Returns the certificate type of the given TBS certificate.

    The certificate type is GSIConstants.CertificateType.CA only if the certificate contains a BasicConstraints extension and it is marked as CA.

    A certificate is a GSI-2 proxy when the subject DN of the certificate ends with a "CN=proxy" (certificate type GSIConstants.CertificateType.GSI_2_PROXY) or "CN=limited proxy" (certificate type GSIConstants.CertificateType.LIMITED_PROXY) component and the issuer DN of the certificate matches the subject DN without the last proxy CN component.

    A certificate is a GSI-3 proxy when the subject DN of the certificate ends with a CN component, the issuer DN of the certificate matches the subject DN without the last CN component, and the certificate contains a critical ProxyCertInfo extension. The certificate type is GSIConstants.CertificateType.GSI_3_IMPERSONATION_PROXY if the policy language of the ProxyCertInfo extension is set to the ProxyPolicy.IMPERSONATION OID, GSIConstants.CertificateType.GSI_3_LIMITED_PROXY if it is set to the ProxyPolicy.LIMITED OID, GSIConstants.CertificateType.GSI_3_INDEPENDENT_PROXY if it is set to the ProxyPolicy.INDEPENDENT OID, and GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY if it is set to any other OID than the above.

    The certificate type is GSIConstants.CertificateType.EEC if the certificate is neither a CA certificate nor a GSI-2 or GSI-3 proxy.
    Parameters:
        crt - the TBS certificate to get the type of.
    Returns:
        the certificate type, determined by the rules described above.
    Throws:
        IOException - if something goes wrong.
        CertificateException - for proxy certificates, if the issuer DN of the certificate does not match the subject DN of the certificate without the last CN component; also, for GSI-3 proxies, when the ProxyCertInfo extension is not marked as critical.

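The classification rules above, written out as a small decision procedure in Python. This is an added example and not JGlobus code: it works on a plain data structure holding only the fields the rules consult (subject and issuer RDNs, BasicConstraints, ProxyCertInfo) rather than a BouncyCastle TBSCertificateStructure, and the sample certificates are constructed for illustration. The BasicConstraints, ProxyCertInfo and RFC 3820 policy-language OIDs are standard values; the value used for the LIMITED policy is an assumption of the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# BasicConstraints, ProxyCertInfo (RFC 3820) and the RFC 3820 policy languages
# are standard OIDs; LIMITED_OID is the Globus-assigned value and is assumed here.
BASIC_CONSTRAINTS_OID = "2.5.29.19"
PROXY_CERT_INFO_OID = "1.3.6.1.5.5.7.1.14"
IMPERSONATION_OID = "1.3.6.1.5.5.7.21.1"    # id-ppl-inheritAll
INDEPENDENT_OID = "1.3.6.1.5.5.7.21.2"      # id-ppl-independent
LIMITED_OID = "1.3.6.1.4.1.3536.1.1.1.9"    # assumed Globus limited-proxy OID

POLICY_TO_TYPE = {
    IMPERSONATION_OID: "GSI_3_IMPERSONATION_PROXY",
    LIMITED_OID: "GSI_3_LIMITED_PROXY",
    INDEPENDENT_OID: "GSI_3_INDEPENDENT_PROXY",
}


class CertificateException(Exception):
    """Stands in for the CertificateException the Javadoc says is thrown."""


@dataclass
class Extension:
    oid: str
    critical: bool = False
    ca: Optional[bool] = None              # BasicConstraints cA flag
    policy_language: Optional[str] = None  # ProxyCertInfo policy language OID


@dataclass
class TbsCert:
    """Only the fields the type rules look at, in place of a TBSCertificateStructure."""
    subject: List[str]                     # RDNs in order, e.g. ["O=Grid", "CN=alice"]
    issuer: List[str]
    extensions: List[Extension] = field(default_factory=list)

    def extension(self, oid: str) -> Optional[Extension]:
        return next((e for e in self.extensions if e.oid == oid), None)


def _require_issuer_matches(crt: TbsCert) -> None:
    # For every proxy type the issuer must equal the subject minus its last CN.
    if crt.issuer != crt.subject[:-1]:
        raise CertificateException("issuer DN does not match subject DN without last CN")


def certificate_type(crt: TbsCert) -> str:
    bc = crt.extension(BASIC_CONSTRAINTS_OID)
    if bc is not None and bc.ca:
        return "CA"

    last = crt.subject[-1] if crt.subject else ""
    if not last.startswith("CN="):
        return "EEC"                       # no trailing CN component: cannot be a proxy
    cn_value = last[len("CN="):]

    # GSI-2 proxies are recognised purely by the trailing CN value.
    if cn_value in ("proxy", "limited proxy"):
        _require_issuer_matches(crt)
        return "GSI_2_PROXY" if cn_value == "proxy" else "LIMITED_PROXY"

    # GSI-3 proxies are recognised by a critical ProxyCertInfo extension.
    pci = crt.extension(PROXY_CERT_INFO_OID)
    if pci is None:
        return "EEC"
    if not pci.critical:
        raise CertificateException("ProxyCertInfo extension is not marked critical")
    _require_issuer_matches(crt)
    return POLICY_TO_TYPE.get(pci.policy_language, "GSI_3_RESTRICTED_PROXY")


def classify(crt: TbsCert) -> Tuple[str, str]:
    """Convenience wrapper returning ("ok", type) or ("error", message)."""
    try:
        return "ok", certificate_type(crt)
    except CertificateException as exc:
        return "error", str(exc)


# Constructed sample certificates (not real certificates; "1.2.3.4" is a placeholder OID).
USER = ["O=Grid", "OU=People", "CN=alice"]
CA_DN = ["O=Grid", "CN=Grid CA"]
SAMPLES = {
    "ca": TbsCert(CA_DN, CA_DN, [Extension(BASIC_CONSTRAINTS_OID, critical=True, ca=True)]),
    "eec": TbsCert(USER, CA_DN),
    "gsi2": TbsCert(USER + ["CN=proxy"], USER),
    "gsi2_limited": TbsCert(USER + ["CN=limited proxy"], USER),
    "gsi3_impersonation": TbsCert(USER + ["CN=12345"], USER,
        [Extension(PROXY_CERT_INFO_OID, critical=True, policy_language=IMPERSONATION_OID)]),
    "gsi3_restricted": TbsCert(USER + ["CN=12345"], USER,
        [Extension(PROXY_CERT_INFO_OID, critical=True, policy_language="1.2.3.4")]),
    "gsi3_not_critical": TbsCert(USER + ["CN=12345"], USER,
        [Extension(PROXY_CERT_INFO_OID, critical=False, policy_language=IMPERSONATION_OID)]),
    "bad_issuer": TbsCert(USER + ["CN=proxy"], ["O=Grid", "CN=mallory"]),
}

if __name__ == "__main__":
    for name, crt in SAMPLES.items():
        print(f"{name:20s} -> {classify(crt)}")
```

The two error cases matter for a verifier: a proxy whose issuer is not the subject minus its last CN is not accepted as a proxy at all, and a ProxyCertInfo extension that is present but not critical is rejected rather than silently treated as an EEC.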
processCN
private static GSIConstants.CertificateType processCN(org.bouncycastle.asn1.x509.X509Extensions extensions, GSIConstants.CertificateType type, org.bouncycastle.asn1.ASN1Sequence ava) throws CertificateException
    Throws:
        CertificateException

processCriticalExtension
private static GSIConstants.CertificateType processCriticalExtension(org.bouncycastle.asn1.x509.X509Extension ext, boolean gsi4)

getBasicConstraints
public static org.bouncycastle.asn1.x509.BasicConstraints getBasicConstraints(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
    Creates a BasicConstraints object from the given extension.
    Parameters:
        ext - the extension.
    Returns:
        the BasicConstraints object.
    Throws:
        IOException - if something fails.

toASN1Primitive
public static org.bouncycastle.asn1.ASN1Primitive toASN1Primitive(byte[] data) throws IOException
    Converts the DER-encoded byte array into a DERObject.
    Parameters:
        data - the DER-encoded byte array to convert.
    Returns:
        the DERObject.
    Throws:
        IOException - if conversion fails

getTBSCertificateStructure
public static org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert) throws CertificateEncodingException, IOException
    Extracts the TBS certificate from the given certificate.
    Parameters:
        cert - the X.509 certificate to extract the TBS certificate from.
    Returns:
        the TBS certificate
    Throws:
        IOException - if extraction fails.
        CertificateEncodingException - if extraction fails.

getKeyUsage
public static EnumSet<KeyUsage> getKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws IOException
    Throws:
        IOException

getKeyUsage
public static EnumSet<KeyUsage> getKeyUsage(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
    Gets a boolean array representing bits of the KeyUsage extension.
    Throws:
        IOException - if failed to extract the KeyUsage extension value.

getExtensionObject
public static org.bouncycastle.asn1.ASN1Primitive getExtensionObject(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
    Extracts the value of a certificate extension.
    Parameters:
        ext - the certificate extension to extract the value from.
    Throws:
        IOException - if extraction fails.
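What getExtensionObject and getKeyUsage do in combination, shown on raw DER in Python. This is an added example, not JGlobus or BouncyCastle code: it unwraps an X.509 Extension (OID, critical flag, OCTET STRING value), then decodes the KeyUsage BIT STRING inside the value into the named bits. The DER byte strings are constructed for the example; the KeyUsage OID and bit names are the standard RFC 5280 values.

```python
from typing import List, Tuple

# KeyUsage bit names in BIT STRING bit order (RFC 5280 section 4.2.1.3).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
KEY_USAGE_OID = "2.5.29.15"


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(raw: bytes) -> str:
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_extension(der: bytes) -> Tuple[str, bool, bytes]:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }

    Returns (oid, critical, extnValue contents). The contents are what a
    getExtensionObject-style call hands back for decoding as the extension's own type.
    """
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extension is not a SEQUENCE")
    tag, oid, pos = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("extnID is not an OID")
    critical = False
    tag, val, pos = read_tlv(seq, pos)
    if tag == 0x01:                          # optional BOOLEAN critical
        critical = val != b"\x00"
        tag, val, pos = read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue is not an OCTET STRING")
    return decode_oid(oid), critical, bytes(val)


def key_usage_names(extn_value: bytes) -> List[str]:
    """Decode the KeyUsage BIT STRING inside extnValue into the names of the set bits."""
    tag, body, _ = read_tlv(extn_value, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage value is not a BIT STRING")
    unused, bits = body[0], body[1:]
    total_bits = len(bits) * 8 - unused      # trailing unused bits are not usage flags
    names = []
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if bits[i // 8] & (0x80 >> (i % 8)):
            names.append(KEY_USAGE_BITS[i])
    return names


def key_usage_from_extension(der: bytes) -> List[str]:
    oid, _critical, value = parse_extension(der)
    if oid != KEY_USAGE_OID:
        raise ValueError(f"not a KeyUsage extension: {oid}")
    return key_usage_names(value)


# Constructed DER for three KeyUsage extensions:
#   critical, digitalSignature + keyEncipherment   (BIT STRING 05 a0)
END_ENTITY_KU = bytes.fromhex("300e0603551d0f0101ff0404030205a0")
#   critical, keyCertSign + cRLSign                (BIT STRING 01 06)
CA_KU = bytes.fromhex("300e0603551d0f0101ff040403020106")
#   critical flag omitted (DEFAULT FALSE), same bits as END_ENTITY_KU
NON_CRITICAL_KU = bytes.fromhex("300b0603551d0f0404030205a0")

if __name__ == "__main__":
    for label, der in [("end-entity", END_ENTITY_KU), ("ca", CA_KU)]:
        print(label, parse_extension(der)[:2], key_usage_from_extension(der))
```

The "unused bits" byte at the front of the BIT STRING is the detail that trips up hand-written decoders: the flags are counted from the most significant bit of the first content byte, and bits beyond the declared length are not set usages.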
toGlobusID
public static String toGlobusID(String dn)
    Converts a DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C".
    This function might return an incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.
    Parameters:
        dn - the DN to convert to Globus format.
    Returns:
        the converted DN in Globus format.

toGlobusID
public static String toGlobusID(String dn, boolean noreverse)
    Converts a DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C" or "/O=C/OU=B/CN=A" depending on the noreverse option. If noreverse is true, the order of the DN components is not reversed and "/CN=A/OU=B/O=C" is returned. If noreverse is false, the order of the DN components is reversed and "/O=C/OU=B/CN=A" is returned.
    This function might return an incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.
    Parameters:
        dn - the DN to convert to Globus format.
        noreverse - the direction of the conversion.
    Returns:
        the converted DN in Globus format.

toGlobusID
public static String toGlobusID(Principal name)
    Converts the specified principal into Globus format. If the principal is of an unrecognized type, a simple string-based conversion is made using the toGlobusID() function.
    Parameters:
        name - the principal to convert to Globus format.
    Returns:
        the converted DN in Globus format.

toGlobusID
public static String toGlobusID(X500Principal principal)
    Converts a DN of the form "CN=A, OU=B, O=C" into Globus format "/O=C/OU=B/CN=A".
    This function might return an incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.
    Returns:
        the converted DN in Globus format.

toPrincipal
public static X500Principal toPrincipal(String globusID)
    Converts Globus DN format "/O=C/OU=B/CN=A" into an X500Principal representation, which accepts RFC 2253 or 1779 formatted DNs and also attribute types as defined in RFC 2459 (e.g. "CN=A,OU=B,O=C"). This method should allow the forward slash, "/", to occur in attribute values (see GFD.125 section 3.2.2; RFC 2252 allows "/" in PrintableStrings).
    Parameters:
        globusID - DN in Globus format
    Returns:
        the X500Principal representation of the given DN

getCertPath
public static CertPath getCertPath(X509Certificate[] certs) throws CertificateException
    Throws:
        CertificateException