Package org.globus.gsi.util

Class CertificateUtil

java.lang.Object

org.globus.gsi.util.CertificateUtil

public final class CertificateUtil
extends java.lang.Object

FILL ME

Author:

ranantha@mcs.anl.gov

Method Summary

Modifier and Type	Method	Description
static java.security.KeyPair	generateKeyPair(java.lang.String algorithm, int bits)	Generates a key pair of given algorithm and strength.
static org.bouncycastle.asn1.x509.BasicConstraints	getBasicConstraints(org.bouncycastle.asn1.x509.X509Extension ext)	Creates a BasicConstraints object from given extension.
static int	getCAPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)	Return CA Path constraint
static GSIConstants.CertificateType	getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)	Returns certificate type of the given TBS certificate.
static java.security.cert.CertPath	getCertPath(java.security.cert.X509Certificate[] certs)
static org.bouncycastle.asn1.ASN1Primitive	getExtensionObject(org.bouncycastle.asn1.x509.X509Extension ext)	Extracts the value of a certificate extension.
static java.util.EnumSet<KeyUsage>	getKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
static java.util.EnumSet<KeyUsage>	getKeyUsage(org.bouncycastle.asn1.x509.X509Extension ext)	Gets a boolean array representing bits of the KeyUsage extension.
static org.bouncycastle.asn1.x509.TBSCertificateStructure	getTBSCertificateStructure(java.security.cert.X509Certificate cert)	Extracts the TBS certificate from the given certificate.
static void	init()	A no-op function that can be used to force the class to load and initialize.
static void	installSecureRandomProvider()	Installs SecureRandom provider.
static void	setProvider(java.lang.String providerName)	Sets a provider name to use for loading certificates and for generating key pairs.
static org.bouncycastle.asn1.ASN1Primitive	toASN1Primitive(byte[] data)	Converts the DER-encoded byte array into a DERObject.
static java.lang.String	toGlobusID(java.lang.String dn)	Converts DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C". This function might return incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.
static java.lang.String	toGlobusID(java.lang.String dn, boolean noreverse)	Converts DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C" or "/O=C/OU=B/CN=A" depending on the noreverse option.
static java.lang.String	toGlobusID(java.security.Principal name)	Converts the specified principal into Globus format.
static java.lang.String	toGlobusID(javax.security.auth.x500.X500Principal principal)	Converts DN of the form "CN=A, OU=B, O=C" into Globus format "/O=C/OU=B/CN=A" This function might return incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.
static javax.security.auth.x500.X500Principal	toPrincipal(java.lang.String globusID)	Converts Globus DN format "/O=C/OU=B/CN=A" into an X500Principal representation, which accepts RFC 2253 or 1779 formatted DN's and also attribute types as defined in RFC 2459 (e.g.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

init

public static void init()

A no-op function that can be used to force the class to load and initialize.

setProvider

public static void setProvider(java.lang.String providerName)

Sets a provider name to use for loading certificates and for generating key pairs.

Parameters:

providerName - provider name to use.

installSecureRandomProvider

public static void installSecureRandomProvider()

Installs SecureRandom provider. This function is automatically called when this class is loaded.

getCAPathConstraint

public static int getCAPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
                               throws java.io.IOException

Return CA Path constraint

Parameters:

crt -

Returns:

the CA path constraint

Throws:

java.io.IOException

generateKeyPair

public static java.security.KeyPair generateKeyPair(java.lang.String algorithm,
                                                    int bits)
                                             throws java.security.GeneralSecurityException

Generates a key pair of given algorithm and strength.

Parameters:

algorithm - the algorithm of the key pair.

bits - the strength

Returns:

KeyPair the generated key pair.

Throws:

java.security.GeneralSecurityException - if something goes wrong.

getCertificateType

public static GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
                                                       throws java.security.cert.CertificateException,
                                                              java.io.IOException

Returns certificate type of the given TBS certificate.
The certificate type is GSIConstants.CertificateType.CA only if the certificate contains a BasicConstraints extension and it is marked as CA.
A certificate is a GSI-2 proxy when the subject DN of the certificate ends with "CN=proxy" (certificate type GSIConstants.CertificateType.GSI_2_PROXY) or "CN=limited proxy" (certificate type GSIConstants.CertificateType.LIMITED_PROXY) component and the issuer DN of the certificate matches the subject DN without the last proxy CN component.
A certificate is a GSI-3 proxy when the subject DN of the certificate ends with a CN component, the issuer DN of the certificate matches the subject DN without the last CN component and the certificate contains ProxyCertInfo critical extension. The certificate type is GSIConstants.CertificateType.GSI_3_IMPERSONATION_PROXY if the policy language of the ProxyCertInfo extension is set to ProxyPolicy.IMPERSONATION OID. The certificate type is GSIConstants.CertificateType.GSI_3_LIMITED_PROXY if the policy language of the ProxyCertInfo extension is set to ProxyPolicy.LIMITED OID. The certificate type is GSIConstants.CertificateType.GSI_3_INDEPENDENT_PROXY if the policy language of the ProxyCertInfo extension is set to ProxyPolicy.INDEPENDENT OID. The certificate type is GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY if the policy language of the ProxyCertInfo extension is set to any other OID then the above.
The certificate type is GSIConstants.CertificateType.EEC if the certificate is not a CA certificate or a GSI-2 or GSI-3 proxy.

Parameters:

crt - the TBS certificate to get the type of.

Returns:

the certificate type. The certificate type is determined by rules described above.

Throws:

java.io.IOException - if something goes wrong.

java.security.cert.CertificateException - for proxy certificates, if the issuer DN of the certificate does not match the subject DN of the certificate without the last CN component. Also, for GSI-3 proxies when the ProxyCertInfo extension is not marked as critical.

getBasicConstraints

public static org.bouncycastle.asn1.x509.BasicConstraints getBasicConstraints(org.bouncycastle.asn1.x509.X509Extension ext)
                                                                       throws java.io.IOException

Creates a BasicConstraints object from given extension.

Parameters:

ext - the extension.

Returns:

the BasicConstraints object.

Throws:

java.io.IOException - if something fails.

toASN1Primitive

public static org.bouncycastle.asn1.ASN1Primitive toASN1Primitive(byte[] data)
                                                           throws java.io.IOException

Converts the DER-encoded byte array into a DERObject.

Parameters:

data - the DER-encoded byte array to convert.

Returns:

the DERObject.

Throws:

java.io.IOException - if conversion fails

getTBSCertificateStructure

public static org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure(java.security.cert.X509Certificate cert)
                                                                                     throws java.security.cert.CertificateEncodingException,
                                                                                            java.io.IOException

Extracts the TBS certificate from the given certificate.

Parameters:

cert - the X.509 certificate to extract the TBS certificate from.

Returns:

the TBS certificate

Throws:

java.io.IOException - if extraction fails.

java.security.cert.CertificateEncodingException - if extraction fails.

getKeyUsage

public static java.util.EnumSet<KeyUsage> getKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
                                               throws java.io.IOException

Throws:

java.io.IOException

getKeyUsage

public static java.util.EnumSet<KeyUsage> getKeyUsage(org.bouncycastle.asn1.x509.X509Extension ext)
                                               throws java.io.IOException

Gets a boolean array representing bits of the KeyUsage extension.

Throws:

java.io.IOException - if failed to extract the KeyUsage extension value.

See Also:

X509Certificate.getKeyUsage()

getExtensionObject

public static org.bouncycastle.asn1.ASN1Primitive getExtensionObject(org.bouncycastle.asn1.x509.X509Extension ext)
                                                              throws java.io.IOException

Extracts the value of a certificate extension.

Parameters:

ext - the certificate extension to extract the value from.

Throws:

java.io.IOException - if extraction fails.

toGlobusID

public static java.lang.String toGlobusID(java.lang.String dn)

Converts DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C".
This function might return incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.

Parameters:

dn - the DN to convert to Globus format.

Returns:

the converted DN in Globus format.

See Also:

toGlobusID(String, boolean)

toGlobusID

public static java.lang.String toGlobusID(java.lang.String dn,
                                          boolean noreverse)

Converts DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C" or "/O=C/OU=B/CN=A" depending on the noreverse option. If noreverse is true the order of the DN components is not reveresed - "/CN=A/OU=B/O=C" is returned. If noreverse is false, the order of the DN components is reversed - "/O=C/OU=B/CN=A" is returned.
This function might return incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.

Parameters:

dn - the DN to convert to Globus format.

noreverse - the direction of the conversion.

Returns:

the converted DN in Globus format.

toGlobusID

public static java.lang.String toGlobusID(java.security.Principal name)

Converts the specified principal into Globus format. If the principal is of unrecognized type a simple string-based conversion is made using the toGlobusID() function.

Parameters:

name - the principal to convert to Globus format.

Returns:

the converted DN in Globus format.

See Also:

toGlobusID(String)

toGlobusID

public static java.lang.String toGlobusID(javax.security.auth.x500.X500Principal principal)

Converts DN of the form "CN=A, OU=B, O=C" into Globus format "/O=C/OU=B/CN=A"
This function might return incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.

Returns:

the converted DN in Globus format.

toPrincipal

public static javax.security.auth.x500.X500Principal toPrincipal(java.lang.String globusID)

Converts Globus DN format "/O=C/OU=B/CN=A" into an X500Principal representation, which accepts RFC 2253 or 1779 formatted DN's and also attribute types as defined in RFC 2459 (e.g. "CN=A,OU=B,O=C"). This method should allow the forward slash, "/", to occur in attribute values (see GFD.125 section 3.2.2 -- RFC 2252 allows "/" in PrintableStrings).

Parameters:

globusID - DN in Globus format

Returns:

the X500Principal representation of the given DN

getCertPath

public static java.security.cert.CertPath getCertPath(java.security.cert.X509Certificate[] certs)
                                               throws java.security.cert.CertificateException

Throws:

java.security.cert.CertificateException