Package org.globus.gsi.util
Class CertificateUtil

java.lang.Object
  org.globus.gsi.util.CertificateUtil

FILL ME

Author:
  ranantha@mcs.anl.gov
Method Summary

Modifier and Type / Method / Description

static KeyPair generateKeyPair(String algorithm, int bits)
  Generates a key pair of the given algorithm and strength.

static org.bouncycastle.asn1.x509.BasicConstraints getBasicConstraints(org.bouncycastle.asn1.x509.X509Extension ext)
  Creates a BasicConstraints object from the given extension.

static int getCAPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
  Returns the CA path constraint.

static GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
  Returns the certificate type of the given TBS certificate.

static CertPath getCertPath(X509Certificate[] certs)

static org.bouncycastle.asn1.ASN1Primitive getExtensionObject(org.bouncycastle.asn1.x509.X509Extension ext)
  Extracts the value of a certificate extension.

static EnumSet<KeyUsage> getKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)

static EnumSet<KeyUsage> getKeyUsage(org.bouncycastle.asn1.x509.X509Extension ext)
  Gets a boolean array representing bits of the KeyUsage extension.

static org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert)
  Extracts the TBS certificate from the given certificate.

static void init()
  A no-op function that can be used to force the class to load and initialize.

static void installSecureRandomProvider()
  Installs SecureRandom provider.

static void setProvider(String providerName)
  Sets a provider name to use for loading certificates and for generating key pairs.

static org.bouncycastle.asn1.ASN1Primitive toASN1Primitive(byte[] data)
  Converts the DER-encoded byte array into a DERObject.

static String toGlobusID(String dn)
  Converts a DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C".
  This function might return an incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.

static String toGlobusID(String dn, boolean noreverse)
  Converts a DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C" or "/O=C/OU=B/CN=A" depending on the noreverse option.

static String toGlobusID(Principal name)
  Converts the specified principal into Globus format.

static String toGlobusID(X500Principal principal)
  Converts a DN of the form "CN=A, OU=B, O=C" into Globus format "/O=C/OU=B/CN=A".
  This function might return an incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.

static X500Principal toPrincipal(String globusID)
  Converts Globus DN format "/O=C/OU=B/CN=A" into an X500Principal representation, which accepts RFC 2253 or 1779 formatted DNs and also attribute types as defined in RFC 2459 (e.g. "CN=A,OU=B,O=C").
-
Method Details

init
public static void init()
A no-op function that can be used to force the class to load and initialize.

setProvider
public static void setProvider(String providerName)
Sets a provider name to use for loading certificates and for generating key pairs.
- Parameters:
  providerName - provider name to use.

installSecureRandomProvider
public static void installSecureRandomProvider()
Installs SecureRandom provider. This function is automatically called when this class is loaded.

getCAPathConstraint
public static int getCAPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws IOException
Returns the CA path constraint.
- Parameters:
  crt - the TBS certificate.
- Returns:
  the CA path constraint
- Throws:
  IOException

generateKeyPair
public static KeyPair generateKeyPair(String algorithm, int bits) throws GeneralSecurityException
Generates a key pair of the given algorithm and strength.
- Parameters:
  algorithm - the algorithm of the key pair.
  bits - the strength
- Returns:
  the generated key pair.
- Throws:
  GeneralSecurityException - if something goes wrong.

getCertificateType
public static GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws CertificateException, IOException
Returns the certificate type of the given TBS certificate.

The certificate type is GSIConstants.CertificateType.CA only if the certificate contains a BasicConstraints extension and it is marked as CA.

A certificate is a GSI-2 proxy when the subject DN of the certificate ends with a "CN=proxy" (certificate type GSIConstants.CertificateType.GSI_2_PROXY) or "CN=limited proxy" (certificate type GSIConstants.CertificateType.LIMITED_PROXY) component and the issuer DN of the certificate matches the subject DN without the last proxy CN component.

A certificate is a GSI-3 proxy when the subject DN of the certificate ends with a CN component, the issuer DN of the certificate matches the subject DN without the last CN component, and the certificate contains a critical ProxyCertInfo extension. The certificate type is GSIConstants.CertificateType.GSI_3_IMPERSONATION_PROXY if the policy language of the ProxyCertInfo extension is set to the ProxyPolicy.IMPERSONATION OID, GSIConstants.CertificateType.GSI_3_LIMITED_PROXY if it is set to the ProxyPolicy.LIMITED OID, GSIConstants.CertificateType.GSI_3_INDEPENDENT_PROXY if it is set to the ProxyPolicy.INDEPENDENT OID, and GSIConstants.CertificateType.GSI_3_RESTRICTED_PROXY if it is set to any other OID than the above.

The certificate type is GSIConstants.CertificateType.EEC if the certificate is not a CA certificate or a GSI-2 or GSI-3 proxy.
- Parameters:
  crt - the TBS certificate to get the type of.
- Returns:
  the certificate type, determined by the rules described above.
- Throws:
  IOException - if something goes wrong.
  CertificateException - for proxy certificates, if the issuer DN of the certificate does not match the subject DN of the certificate without the last CN component. Also, for GSI-3 proxies, when the ProxyCertInfo extension is not marked as critical.
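The following is an added example, not code from the JGlobus project, that uses the methods documented on this page to classify a certificate loaded from a file and surface what a chain validator needs next: the type from getCertificateType, the path constraint when the type is CA, and the key usage set. It assumes the KeyUsage in EnumSet<KeyUsage> is org.globus.gsi.util.KeyUsage, that getKeyUsage may return null when the extension is absent, and it deliberately does not interpret the integer returned by getCAPathConstraint, since this page does not define a sentinel for "no path length limit". The CertificateException path is kept as a rejection: a proxy whose issuer DN does not match, or a GSI-3 proxy with a non-critical ProxyCertInfo, must not be downgraded to EEC by a caller.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.EnumSet;

import org.bouncycastle.asn1.x509.TBSCertificateStructure;
import org.globus.gsi.GSIConstants;
import org.globus.gsi.util.CertificateUtil;
import org.globus.gsi.util.KeyUsage;   // assumption: the KeyUsage enum in EnumSet<KeyUsage>

/**
 * Added example (not part of JGlobus): classify a certificate with the
 * CertificateUtil methods documented on this page.
 */
public final class CertificateTypeExample {

    /** The fields a caller would log or check after classification. */
    static final class Report {
        GSIConstants.CertificateType type;
        int caPathConstraint;        // only set when type == CA; value reported as returned
        EnumSet<KeyUsage> keyUsage;  // assumption: may be null if the extension is absent
        String globusSubject;
    }

    static Report classify(X509Certificate cert) throws IOException, CertificateException {
        TBSCertificateStructure crt = CertificateUtil.getTBSCertificateStructure(cert);
        Report r = new Report();
        r.globusSubject = CertificateUtil.toGlobusID(cert.getSubjectX500Principal());
        try {
            r.type = CertificateUtil.getCertificateType(crt);
        } catch (CertificateException e) {
            // Thrown for a proxy whose issuer DN is not the subject DN minus the last
            // CN component, and for a GSI-3 proxy whose ProxyCertInfo is not critical.
            // Re-throw so the caller rejects the certificate instead of treating it as EEC.
            throw new CertificateException(
                "malformed proxy certificate " + r.globusSubject + ": " + e.getMessage(), e);
        }
        if (r.type == GSIConstants.CertificateType.CA) {
            // Only a CA certificate carries a meaningful BasicConstraints path length.
            r.caPathConstraint = CertificateUtil.getCAPathConstraint(crt);
        }
        r.keyUsage = CertificateUtil.getKeyUsage(crt);
        return r;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java CertificateTypeExample <path-to-PEM-or-DER-certificate>
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            Report r = classify(cert);
            System.out.println("subject   : " + r.globusSubject);
            System.out.println("type      : " + r.type);
            if (r.type == GSIConstants.CertificateType.CA) {
                System.out.println("pathlen   : " + r.caPathConstraint);
            }
            System.out.println("key usage : " + (r.keyUsage == null ? "(none)" : r.keyUsage));
        }
    }
}
```

The classification alone does not validate a chain: a caller still has to check that a CA's path constraint is not exceeded by the certificates below it and that a proxy's key usage is consistent with its issuer's, which is why the report keeps those fields separate from the type.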

getBasicConstraints
public static org.bouncycastle.asn1.x509.BasicConstraints getBasicConstraints(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
Creates a BasicConstraints object from the given extension.
- Parameters:
  ext - the extension.
- Returns:
  the BasicConstraints object.
- Throws:
  IOException - if something fails.

toASN1Primitive
public static org.bouncycastle.asn1.ASN1Primitive toASN1Primitive(byte[] data) throws IOException
Converts the DER-encoded byte array into a DERObject.
- Parameters:
  data - the DER-encoded byte array to convert.
- Returns:
  the DERObject.
- Throws:
  IOException - if conversion fails

getTBSCertificateStructure
public static org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert) throws CertificateEncodingException, IOException
Extracts the TBS certificate from the given certificate.
- Parameters:
  cert - the X.509 certificate to extract the TBS certificate from.
- Returns:
  the TBS certificate
- Throws:
  IOException - if extraction fails.
  CertificateEncodingException - if extraction fails.

getKeyUsage
public static EnumSet<KeyUsage> getKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws IOException
- Throws:
  IOException

getKeyUsage
public static EnumSet<KeyUsage> getKeyUsage(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
Gets a boolean array representing bits of the KeyUsage extension.
- Throws:
  IOException - if failed to extract the KeyUsage extension value.

getExtensionObject
public static org.bouncycastle.asn1.ASN1Primitive getExtensionObject(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
Extracts the value of a certificate extension.
- Parameters:
  ext - the certificate extension to extract the value from.
- Throws:
  IOException - if extraction fails.

toGlobusID
public static String toGlobusID(String dn)
Converts a DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C".
This function might return an incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.
- Parameters:
  dn - the DN to convert to Globus format.
- Returns:
  the converted DN in Globus format.

toGlobusID
public static String toGlobusID(String dn, boolean noreverse)
Converts a DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C" or "/O=C/OU=B/CN=A" depending on the noreverse option. If noreverse is true the order of the DN components is not reversed and "/CN=A/OU=B/O=C" is returned. If noreverse is false the order of the DN components is reversed and "/O=C/OU=B/CN=A" is returned.
This function might return an incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.
- Parameters:
  dn - the DN to convert to Globus format.
  noreverse - the direction of the conversion.
- Returns:
  the converted DN in Globus format.

toGlobusID
public static String toGlobusID(Principal name)
Converts the specified principal into Globus format. If the principal is of an unrecognized type, a simple string-based conversion is made using the toGlobusID() function.
- Parameters:
  name - the principal to convert to Globus format.
- Returns:
  the converted DN in Globus format.

toGlobusID
public static String toGlobusID(X500Principal principal)
Converts a DN of the form "CN=A, OU=B, O=C" into Globus format "/O=C/OU=B/CN=A".
This function might return an incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.
- Returns:
  the converted DN in Globus format.

toPrincipal
public static X500Principal toPrincipal(String globusID)
Converts Globus DN format "/O=C/OU=B/CN=A" into an X500Principal representation, which accepts RFC 2253 or 1779 formatted DNs and also attribute types as defined in RFC 2459 (e.g. "CN=A,OU=B,O=C"). This method should allow the forward slash, "/", to occur in attribute values (see GFD.125 section 3.2.2; RFC 2252 allows "/" in PrintableStrings).
- Parameters:
  globusID - DN in Globus format
- Returns:
  the X500Principal representation of the given DN
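The comma caveat attached to the toGlobusID methods and the slash rule stated for toPrincipal both come down to parsing RDNs correctly, which matters because a Globus ID is what authorization grid-mapfiles match on. The following is an added example, not the CertificateUtil implementation, that converts in both directions using javax.naming.ldap.LdapName so that an RDN value containing a comma survives a round trip. The naive split is included to show the failure the Javadoc describes. The RDN_SEPARATOR heuristic (a "/" starts a new RDN only when followed by type=) is this example's own assumption about the GFD.125 case, and the sample DN is constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not the JGlobus implementation): RFC 2253-aware conversion
 * between "CN=A,OU=B,O=C" and the Globus form "/O=C/OU=B/CN=A", next to the
 * naive split the CertificateUtil Javadoc warns about.
 */
public final class GlobusDnExample {

    // Hypothetical heuristic for the GFD.125 3.2.2 case: a "/" separates RDNs
    // only when the text after it looks like "type=", so "CN=A/B" stays one value.
    private static final Pattern RDN_SEPARATOR =
        Pattern.compile("/(?=[A-Za-z][A-Za-z0-9.]*=)");

    /** Naive conversion: splits on "," and so tears apart a value that contains a comma. */
    static String naiveToGlobusID(String dn) {
        String[] rdns = dn.split(",");
        StringBuilder sb = new StringBuilder();
        for (int i = rdns.length - 1; i >= 0; i--) {
            sb.append('/').append(rdns[i].trim());
        }
        return sb.toString();
    }

    /** "CN=A,OU=B,O=C" -> "/O=C/OU=B/CN=A", honouring RFC 2253 escapes. */
    static String toGlobusID(X500Principal principal) throws InvalidNameException {
        LdapName name = new LdapName(principal.getName(X500Principal.RFC2253));
        StringBuilder sb = new StringBuilder();
        // LdapName.getRdns() lists the rightmost RDN first, which is the Globus order.
        for (Rdn rdn : name.getRdns()) {
            sb.append('/').append(rdn.getType()).append('=').append(rdn.getValue());
        }
        return sb.toString();
    }

    /** "/O=C/OU=B/CN=A" -> X500Principal("CN=A,OU=B,O=C"), re-escaping each value. */
    static X500Principal toPrincipal(String globusID) {
        String body = globusID.startsWith("/") ? globusID.substring(1) : globusID;
        String[] parts = RDN_SEPARATOR.split(body);
        List<String> rdns = new ArrayList<>();
        for (int i = parts.length - 1; i >= 0; i--) {
            int eq = parts[i].indexOf('=');
            if (eq <= 0) {
                throw new IllegalArgumentException("malformed RDN: " + parts[i]);
            }
            String type = parts[i].substring(0, eq);
            String value = parts[i].substring(eq + 1);
            // Rdn.escapeValue restores the backslash escapes RFC 2253 requires for
            // ',', '+', '"', '\\', '<', '>', ';' and leading/trailing spaces.
            rdns.add(type + "=" + Rdn.escapeValue(value));
        }
        return new X500Principal(String.join(",", rdns));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the O value contains a comma.
        X500Principal p = new X500Principal("CN=A,OU=B,O=C\\, Inc.");
        String rfc2253 = p.getName(X500Principal.RFC2253);
        System.out.println("RFC 2253 : " + rfc2253);
        System.out.println("naive    : " + naiveToGlobusID(rfc2253));  // the comma pitfall
        String globus = toGlobusID(p);
        System.out.println("globus   : " + globus);
        System.out.println("round-trip equal: " + p.equals(toPrincipal(globus)));
        // A slash inside an attribute value survives the reverse conversion.
        System.out.println(toPrincipal("/O=C/OU=B/CN=A/B").getName(X500Principal.RFC2253));
    }
}
```

Two limits are worth knowing before relying on this: multi-valued RDNs ("CN=A+OU=B") are not handled, because Rdn.getValue() returns only one value, and an attribute value that itself contains "/type=" defeats the separator heuristic. Both are reasons a validator should compare identities on the X500Principal rather than on a Globus string where it can.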

getCertPath
public static CertPath getCertPath(X509Certificate[] certs) throws CertificateException
- Throws:
  CertificateException