Class X509Support

java.lang.Object
org.opensaml.security.x509.X509Support

public class X509Support extends Object
Utility class for working with X509 objects.
  • Field Details

    • CN_OID

      public static final String CN_OID
      Common Name (CN) OID.
    • SKI_OID

      public static final String SKI_OID
      Subject Key Identifier (SKI) OID.
    • OTHER_ALT_NAME

      public static final Integer OTHER_ALT_NAME
      RFC 2459 Other Subject Alt Name type.
    • RFC822_ALT_NAME

      public static final Integer RFC822_ALT_NAME
      RFC 2459 RFC 822 (email address) Subject Alt Name type.
    • DNS_ALT_NAME

      public static final Integer DNS_ALT_NAME
      RFC 2459 DNS Subject Alt Name type.
    • X400ADDRESS_ALT_NAME

      public static final Integer X400ADDRESS_ALT_NAME
      RFC 2459 X.400 Address Subject Alt Name type.
    • DIRECTORY_ALT_NAME

      public static final Integer DIRECTORY_ALT_NAME
      RFC 2459 Directory Name Subject Alt Name type.
    • EDI_PARTY_ALT_NAME

      public static final Integer EDI_PARTY_ALT_NAME
      RFC 2459 EDI Party Name Subject Alt Name type.
    • URI_ALT_NAME

      public static final Integer URI_ALT_NAME
      RFC 2459 URI Subject Alt Name type.
    • IP_ADDRESS_ALT_NAME

      public static final Integer IP_ADDRESS_ALT_NAME
      RFC 2459 IP Address Subject Alt Name type.
    • REGISTERED_ID_ALT_NAME

      public static final Integer REGISTERED_ID_ALT_NAME
      RFC 2459 Registered ID Subject Alt Name type.
    • LOG

      @Nonnull private static final org.slf4j.Logger LOG
      Logger.
  • Constructor Details

    • X509Support

      protected X509Support()
      Constructor.
  • Method Details

    • determineEntityCertificate

      @Nullable public static X509Certificate determineEntityCertificate(@Nullable Collection<X509Certificate> certs, @Nullable PrivateKey privateKey) throws SecurityException
      Determines the certificate, from the collection, associated with the private key.
      Parameters:
      certs - certificates to check
      privateKey - entity's private key
      Returns:
      the certificate associated with entity's private key or null if no certificate in the collection is associated with the given private key
      Throws:
      SecurityException - thrown if the public or private keys checked are of an unsupported type
      Since:
      1.2
    • getCommonNames

      @Nullable public static List<String> getCommonNames(@Nullable X500Principal dn)
      Gets the common names that appear within the given distinguished name.

      The returned list provides the names in the order they appeared in the DN, according to RFC 1779/2253 encoding. In this encoding the "most specific" name would typically appear in the left-most position, and would appear first in the returned list.

      Parameters:
      dn - the DN to extract the common names from
      Returns:
      the common names that appear in the DN in the order they appear, or null if the given DN is null
    • getAltNames

      @Nullable public static List<?> getAltNames(@Nullable X509Certificate certificate, @Nullable Integer[] nameTypes)
      Gets the list of alternative names of a given name type.
      Parameters:
      certificate - the certificate to extract the alternative names from
      nameTypes - the name types
      Returns:
      the alt names, of the given type, within the cert
    • getSubjectNames

      @Nullable public static List<?> getSubjectNames(@Nullable X509Certificate certificate, @Nullable Integer[] altNameTypes)
      Gets the common name components of the issuer and all the subject alt names of a given type.
      Parameters:
      certificate - certificate to extract names from
      altNameTypes - type of alt names to extract
      Returns:
      list of subject names in the certificate
    • getSubjectKeyIdentifier

      @Nullable public static byte[] getSubjectKeyIdentifier(@Nonnull X509Certificate certificate)
      Get the plain (non-DER encoded) value of the Subject Key Identifier extension of an X.509 certificate, if present.
      Parameters:
      certificate - an X.509 certificate possibly containing a subject key identifier
      Returns:
      the plain (non-DER encoded) value of the Subject Key Identifier extension, or null if the certificate does not contain the extension
    • getX509Digest

      @Nonnull public static byte[] getX509Digest(@Nonnull X509Certificate certificate, @Nonnull String jcaAlgorithm) throws SecurityException
      Get the XML Signature-compliant digest of an X.509 certificate.
      Parameters:
      certificate - an X.509 certificate
      jcaAlgorithm - JCA algorithm identifier
      Returns:
      the raw digest of the certificate
      Throws:
      SecurityException - thrown if the algorithm is unsupported or the certificate cannot be encoded
    • decodeCertificates

      @Nullable public static Collection<X509Certificate> decodeCertificates(@Nonnull File certs) throws CertificateException
      Decodes X.509 certificates in DER or PEM format.
      Parameters:
      certs - encoded certs
      Returns:
      decoded certs
      Throws:
      CertificateException - thrown if the certificates cannot be decoded
      Since:
      1.2
    • decodeCertificates

      @Nullable public static Collection<X509Certificate> decodeCertificates(@Nonnull InputStream certs) throws CertificateException
      Decodes X.509 certificates in DER or PEM format. Note: this does not close the input stream.
      Parameters:
      certs - encoded certs
      Returns:
      decoded certs
      Throws:
      CertificateException - thrown if the certificates cannot be decoded
      Since:
      1.2
    • decodeCertificates

      @Nullable public static Collection<X509Certificate> decodeCertificates(@Nonnull byte[] certs) throws CertificateException
      Decodes X.509 certificates in DER or PEM format.
      Parameters:
      certs - encoded certs
      Returns:
      decoded certs
      Throws:
      CertificateException - thrown if the certificates cannot be decoded
    • decodeCertificate

      @Nullable public static X509Certificate decodeCertificate(@Nonnull File cert) throws CertificateException
      Decodes a single X.509 certificate in DER or PEM format.
      Parameters:
      cert - encoded cert
      Returns:
      decoded cert
      Throws:
      CertificateException - thrown if the certificate cannot be decoded
      Since:
      1.2
    • decodeCertificate

      @Nullable public static X509Certificate decodeCertificate(@Nonnull byte[] cert) throws CertificateException
      Decodes a single X.509 certificate in DER or PEM format.
      Parameters:
      cert - encoded cert
      Returns:
      decoded cert
      Throws:
      CertificateException - thrown if the certificate cannot be decoded
    • decodeCertificate

      @Nullable public static X509Certificate decodeCertificate(@Nonnull String base64Cert) throws CertificateException
      Decode a single Java certificate from base64 encoded form without PEM headers and footers.
      Parameters:
      base64Cert - base64-encoded certificate
      Returns:
      a native Java X509 certificate
      Throws:
      CertificateException - thrown if there is an error constructing certificate
    • decodeCRLs

      @Nullable public static Collection<X509CRL> decodeCRLs(@Nonnull File crls) throws CRLException
      Decodes CRLs in DER or PKCS#7 format. If in PKCS#7 format only the CRLs are decoded; the rest of the content is ignored.
      Parameters:
      crls - encoded CRLs
      Returns:
      decoded CRLs
      Throws:
      CRLException - thrown if the CRLs cannot be decoded
      Since:
      1.2
    • decodeCRLs

      @Nullable public static Collection<X509CRL> decodeCRLs(@Nonnull InputStream crls) throws CRLException
      Decodes CRLs in DER or PKCS#7 format. If in PKCS#7 format only the CRLs are decoded; the rest of the content is ignored. Note: this does not close the input stream.
      Parameters:
      crls - encoded CRLs
      Returns:
      decoded CRLs
      Throws:
      CRLException - thrown if the CRLs cannot be decoded
      Since:
      1.2
    • decodeCRLs

      @Nullable public static Collection<X509CRL> decodeCRLs(@Nonnull byte[] crls) throws CRLException
      Decodes CRLs in DER or PKCS#7 format. If in PKCS#7 format only the CRLs are decoded; the rest of the content is ignored.
      Parameters:
      crls - encoded CRLs
      Returns:
      decoded CRLs
      Throws:
      CRLException - thrown if the CRLs cannot be decoded
    • decodeCRL

      @Nullable public static X509CRL decodeCRL(@Nonnull String base64CRL) throws CertificateException, CRLException
      Decode CRL in base64 encoded form without PEM headers and footers.
      Parameters:
      base64CRL - base64-encoded CRL
      Returns:
      a native Java X509 CRL
      Throws:
      CertificateException - thrown if there is an error constructing certificate
      CRLException - thrown if there is an error constructing CRL
    • getIdentifiersToken

      @Nonnull public static String getIdentifiersToken(@Nonnull X509Credential credential, @Nullable X500DNHandler handler)
      Gets a formatted string representing identifier information from the supplied credential.

      This could for example be used in logging messages.

      Often the credential being evaluated will NOT have a value for its entity ID property, so the token is built from the certificate's subject DN plus, when present, the credential's entity ID.

      Parameters:
      credential - the credential for which to produce a token.
      handler - the X.500 DN handler to use. If null, a new instance of InternalX500DNHandler will be used.
      Returns:
      a formatted string containing identifier information present in the credential
    • convertAltNameType

      @Nullable private static Object convertAltNameType(@Nonnull Integer nameType, @Nonnull org.bouncycastle.asn1.ASN1Primitive nameValue)
      Convert types returned by Bouncy Castle X509ExtensionUtil.getSubjectAlternativeNames(X509Certificate) to be consistent with what is documented for: java.security.cert.X509Certificate#getSubjectAlternativeNames.
      Parameters:
      nameType - the alt name type
      nameValue - the alt name value
      Returns:
      converted representation of name value, based on type
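The following is an added example, not code from the OpenSAML javadoc or source. It combines decodeCertificates(File), determineEntityCertificate, getSubjectNames and getX509Digest for a common deployment check: out of a PEM bundle that usually also contains the issuing chain, select the one certificate that belongs to the configured private key, confirm it actually names the expected host (subject CN or dNSName/URI SAN), and return the base64 SHA-256 digest of its DER encoding so it can be compared with a pinned ds:X509Digest value. The bundle path, private key and expected host are assumed inputs supplied by the caller.

```java
import java.io.File;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collection;
import java.util.List;

import org.opensaml.security.SecurityException;
import org.opensaml.security.x509.X509Support;

public final class EntityCertCheck {

    private EntityCertCheck() {
    }

    /**
     * Selects the entity certificate for {@code key} from {@code bundle}, verifies it
     * names {@code expectedHost}, and returns the base64 SHA-256 digest of its DER form.
     */
    public static String selectAndDigest(File bundle, PrivateKey key, String expectedHost)
            throws Exception {
        // decodeCertificates accepts DER or PEM and may return null or an empty collection.
        Collection<X509Certificate> certs = X509Support.decodeCertificates(bundle);
        if (certs == null || certs.isEmpty()) {
            throw new IllegalStateException("no certificates decoded from " + bundle);
        }

        // Only the certificate whose public key pairs with our private key is the entity
        // certificate; the remaining entries are normally the issuing chain.
        X509Certificate entity = X509Support.determineEntityCertificate(certs, key);
        if (entity == null) {
            throw new IllegalStateException("no certificate in the bundle matches the private key");
        }

        // Subject CN values followed by dNSName and URI SANs, as Strings.
        List<?> names = X509Support.getSubjectNames(entity,
                new Integer[] { X509Support.DNS_ALT_NAME, X509Support.URI_ALT_NAME });
        boolean named = names != null && names.stream()
                .anyMatch(n -> expectedHost.equalsIgnoreCase(String.valueOf(n)));
        if (!named) {
            throw new SecurityException("entity certificate does not name " + expectedHost
                    + "; names present: " + names);
        }

        // Digest over the DER encoding, the same value carried in ds:X509Digest, so the
        // caller can compare it against a pinned string from trusted metadata.
        byte[] digest = X509Support.getX509Digest(entity, "SHA-256");
        return Base64.getEncoder().encodeToString(digest);
    }
}
```

The comparison against the pinned digest is left to the caller; a mismatch after a successful name check usually means the bundle was re-issued and the pin in metadata was not updated.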