Package org.globus.gsi.bc
Class BouncyCastleUtil

java.lang.Object
  org.globus.gsi.bc.BouncyCastleUtil

A collection of various utility functions.

Field Summary

Fields
- i18n

Constructor Summary

Constructors
- BouncyCastleUtil()

Method Summary

Modifier and Type, Method, Description
- static org.bouncycastle.asn1.ASN1Primitive duplicate(org.bouncycastle.asn1.ASN1Primitive obj)
  Replicates a given DERObject.
- static GSIConstants.CertificateType getCertificateType(X509Certificate cert)
  Returns the certificate type of the given certificate.
- static GSIConstants.CertificateType getCertificateType(X509Certificate cert, CertStore trustedCerts)
  Returns the certificate type of the given certificate.
- static GSIConstants.CertificateType getCertificateType(X509Certificate cert, TrustedCertificates trustedCerts)
  Deprecated.
- private static GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
  Returns the certificate type of the given TBS certificate.
- static GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt, TrustedCertificates trustedCerts)
- static org.bouncycastle.asn1.ASN1Primitive getExtensionObject(org.bouncycastle.asn1.x509.X509Extension ext)
  Extracts the value of a certificate extension.
- static byte[] getExtensionValue(byte[] certExtValue)
  Retrieves the actual value of the X.509 extension.
- static byte[] getExtensionValue(X509Certificate cert, String oid)
  Returns the actual value of the extension.
- static String getIdentity(X509Certificate cert)
  Returns the subject DN of the given certificate in the Globus format.
- static String getIdentity(X509Certificate[] chain)
  Finds the identity certificate in the given chain and returns the subject DN of that certificate in the Globus format.
- static X509Certificate getIdentityCertificate(X509Certificate[] chain)
  Finds the identity certificate in the given chain.
- static String getIdentityPrefix
- static boolean[] getKeyUsage(org.bouncycastle.asn1.x509.X509Extension ext)
  Gets a boolean array representing the bits of the KeyUsage extension.
- static ProxyCertInfo getProxyCertInfo(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
- static ProxyCertInfo getProxyCertInfo(org.bouncycastle.asn1.x509.X509Extension ext)
  Creates a ProxyCertInfo object from the given extension.
- static int getProxyPathConstraint(X509Certificate cert)
- static int getProxyPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
- static org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert)
  Extracts the TBS certificate from the given certificate.
- static org.bouncycastle.asn1.ASN1Primitive toASN1Primitive(byte[] data)
  Converts the DER-encoded byte array into a DERObject.
- static byte[] toByteArray(org.bouncycastle.asn1.ASN1Primitive obj)
  Converts the given DERObject into a DER-encoded byte array.
Field Details

- i18n

Constructor Details

- BouncyCastleUtil
  public BouncyCastleUtil()

Method Details
- toByteArray
  public static byte[] toByteArray(org.bouncycastle.asn1.ASN1Primitive obj) throws IOException
  Converts the given DERObject into a DER-encoded byte array.
  Parameters:
    obj - the DERObject to convert.
  Returns:
    the DER-encoded byte array
  Throws:
    IOException - if conversion fails

- toASN1Primitive
  public static org.bouncycastle.asn1.ASN1Primitive toASN1Primitive(byte[] data) throws IOException
  Converts the DER-encoded byte array into a DERObject.
  Parameters:
    data - the DER-encoded byte array to convert.
  Returns:
    the DERObject.
  Throws:
    IOException - if conversion fails

- duplicate
  public static org.bouncycastle.asn1.ASN1Primitive duplicate(org.bouncycastle.asn1.ASN1Primitive obj) throws IOException
  Replicates a given DERObject.
  Parameters:
    obj - the DERObject to replicate.
  Returns:
    a copy of the DERObject.
  Throws:
    IOException - if replication fails

- getTBSCertificateStructure
  public static org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert) throws CertificateEncodingException, IOException
  Extracts the TBS certificate from the given certificate.
  Parameters:
    cert - the X.509 certificate to extract the TBS certificate from.
  Returns:
    the TBS certificate
  Throws:
    IOException - if extraction fails.
    CertificateEncodingException - if extraction fails.

- getExtensionObject
  public static org.bouncycastle.asn1.ASN1Primitive getExtensionObject(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
  Extracts the value of a certificate extension.
  Parameters:
    ext - the certificate extension to extract the value from.
  Throws:
    IOException - if extraction fails.
- getCertificateType
  public static GSIConstants.CertificateType getCertificateType(X509Certificate cert, TrustedCertificates trustedCerts) throws CertificateException
  Deprecated.
  Returns the certificate type of the given certificate. See getCertificateType for the rules that determine the certificate type.
  Parameters:
    cert - the certificate to get the type of.
    trustedCerts - the trusted certificates to double-check a GSIConstants.EEC certificate against.
  Returns:
    the certificate type as determined by getCertificateType.
  Throws:
    CertificateException - if something goes wrong.

- getCertificateType
  public static GSIConstants.CertificateType getCertificateType(X509Certificate cert, CertStore trustedCerts) throws CertificateException
  Returns the certificate type of the given certificate. See getCertificateType for the rules that determine the certificate type.
  Parameters:
    cert - the certificate to get the type of.
    trustedCerts - the trusted certificates to double-check a GSIConstants.EEC certificate against.
  Returns:
    the certificate type as determined by getCertificateType.
  Throws:
    CertificateException - if something goes wrong.

- getCertificateType
  public static GSIConstants.CertificateType getCertificateType(X509Certificate cert) throws CertificateException
  Returns the certificate type of the given certificate. See getCertificateType for the rules that determine the certificate type.
  Parameters:
    cert - the certificate to get the type of.
  Returns:
    the certificate type as determined by getCertificateType.
  Throws:
    CertificateException - if something goes wrong.

- getCertificateType
  public static GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt, TrustedCertificates trustedCerts) throws CertificateException, IOException
  Throws:
    CertificateException
    IOException
- getCertificateType
  private static GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws CertificateException, IOException
  Returns the certificate type of the given TBS certificate.

  The certificate type is GSIConstants.CA only if the certificate contains a BasicConstraints extension and it is marked as CA.

  A certificate is a GSI-2 proxy when the subject DN of the certificate ends with a "CN=proxy" (certificate type GSIConstants.GSI_2_PROXY) or "CN=limited proxy" (certificate type GSIConstants.LIMITED_PROXY) component and the issuer DN of the certificate matches the subject DN without the last proxy CN component.

  A certificate is a GSI-3 proxy when the subject DN of the certificate ends with a CN component, the issuer DN of the certificate matches the subject DN without the last CN component, and the certificate contains a critical ProxyCertInfo extension. The certificate type is GSIConstants.GSI_3_IMPERSONATION_PROXY if the policy language of the ProxyCertInfo extension is set to the ProxyPolicy.IMPERSONATION OID, GSIConstants.GSI_3_LIMITED_PROXY if it is set to the ProxyPolicy.LIMITED OID, GSIConstants.GSI_3_INDEPENDENT_PROXY if it is set to the ProxyPolicy.INDEPENDENT OID, and GSIConstants.GSI_3_RESTRICTED_PROXY if it is set to any other OID than the above.

  The certificate type is GSIConstants.EEC if the certificate is neither a CA certificate nor a GSI-2 or GSI-3 proxy.

  Parameters:
    crt - the TBS certificate to get the type of.
  Returns:
    the certificate type, as determined by the rules described above.
  Throws:
    IOException - if something goes wrong.
    CertificateException - for proxy certificates, if the issuer DN of the certificate does not match the subject DN of the certificate without the last CN component. Also, for GSI-3 proxies, when the ProxyCertInfo extension is not marked as critical.
- getKeyUsage
  public static boolean[] getKeyUsage(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
  Gets a boolean array representing the bits of the KeyUsage extension.
  Throws:
    IOException - if the KeyUsage extension value could not be extracted.

- getProxyCertInfo
  public static ProxyCertInfo getProxyCertInfo(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
  Creates a ProxyCertInfo object from the given extension.
  Parameters:
    ext - the extension.
  Returns:
    the ProxyCertInfo object.
  Throws:
    IOException - if something fails.

- getIdentity
  public static String getIdentity(X509Certificate cert)
  Returns the subject DN of the given certificate in the Globus format.
  Parameters:
    cert - the certificate to get the subject of. The certificate must be of X509CertificateObject type.
  Returns:
    the subject DN of the certificate in the Globus format.

- getIdentityPrefix

- getIdentity
  public static String getIdentity(X509Certificate[] chain) throws CertificateException
  Finds the identity certificate in the given chain and returns the subject DN of that certificate in the Globus format.
  Parameters:
    chain - the certificate chain to find the identity certificate in. The certificates must be of X509CertificateObject type.
  Returns:
    the subject DN of the identity certificate in the Globus format.
  Throws:
    CertificateException - if something goes wrong.

- getIdentityCertificate
  public static X509Certificate getIdentityCertificate(X509Certificate[] chain) throws CertificateException
  Finds the identity certificate in the given chain. The identity certificate is the first certificate in the chain that is not an impersonation proxy (full or limited).
  Parameters:
    chain - the certificate chain to find the identity certificate in.
  Returns:
    the identity certificate.
  Throws:
    CertificateException - if something goes wrong.
- getExtensionValue
  public static byte[] getExtensionValue(byte[] certExtValue) throws IOException
  Retrieves the actual value of the X.509 extension.
  Parameters:
    certExtValue - the DER-encoded OCTET STRING value of the extension.
  Returns:
    the decoded/actual value of the extension (the octets).
  Throws:
    IOException

- getExtensionValue
  public static byte[] getExtensionValue(X509Certificate cert, String oid) throws IOException
  Returns the actual value of the extension.
  Parameters:
    cert - the certificate that contains the extension to retrieve.
    oid - the OID of the extension to retrieve.
  Returns:
    the actual value of the extension (not OCTET STRING encoded)
  Throws:
    IOException - if decoding the extension fails.
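The classification rules documented under the private getCertificateType(TBSCertificateStructure), the identity-certificate search in getIdentityCertificate, and the OCTET STRING unwrapping that getExtensionValue performs, carried through as one added worked example. This is not jglobus code: the class, method and enum names are invented here, and the classifier works from a JDK X509Certificate (via LdapName for DN comparison and BouncyCastle's ASN.1 classes for the extension) rather than from a TBSCertificateStructure. It assumes the RFC 3820 OIDs for the ProxyCertInfo extension and the inheritAll and independent policy languages, and it assumes 1.3.6.1.4.1.3536.1.1.1.9 as the Globus limited-proxy policy OID (marked as an assumption in the code).

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.*;

/** Illustrative re-implementation of the rules documented above; not the jglobus code. */
public class GsiProxyTypeExample {
    /** Mirrors the GSIConstants.CertificateType values the rules name. */
    enum Type { CA, EEC, GSI_2_PROXY, GSI_2_LIMITED_PROXY, GSI_3_IMPERSONATION_PROXY,
                GSI_3_LIMITED_PROXY, GSI_3_INDEPENDENT_PROXY, GSI_3_RESTRICTED_PROXY }

    static final String PCI_OID = "1.3.6.1.5.5.7.1.14";           // id-pe-proxyCertInfo (RFC 3820)
    static final String IMPERSONATION_OID = "1.3.6.1.5.5.7.21.1"; // id-ppl-inheritAll (RFC 3820)
    static final String INDEPENDENT_OID = "1.3.6.1.5.5.7.21.2";   // id-ppl-independent (RFC 3820)
    static final String LIMITED_OID = "1.3.6.1.4.1.3536.1.1.1.9"; // Globus limited proxy (assumed value)

    /** Adapter from a real certificate to the rule inputs. */
    static Type classify(X509Certificate cert) throws CertificateException, InvalidNameException {
        boolean critical = cert.getCriticalExtensionOIDs() != null
                && cert.getCriticalExtensionOIDs().contains(PCI_OID);
        return classify(cert.getSubjectX500Principal().getName(X500Principal.RFC2253),
                        cert.getIssuerX500Principal().getName(X500Principal.RFC2253),
                        cert.getBasicConstraints() != -1,      // -1 means "not a CA"
                        cert.getExtensionValue(PCI_OID), critical);
    }

    /** The rules on plain inputs, so they can be exercised without building certificates. */
    static Type classify(String subjectDn, String issuerDn, boolean isCa,
                         byte[] pciExtValue, boolean pciCritical)
            throws CertificateException, InvalidNameException {
        if (isCa) return Type.CA;
        LdapName subject = new LdapName(subjectDn);
        LdapName issuer = new LdapName(issuerDn);
        if (subject.size() == 0) return Type.EEC;
        // LdapName indexes right to left, so the highest index is the most specific RDN,
        // i.e. the trailing "/CN=..." component in Globus format.
        Rdn last = subject.getRdn(subject.size() - 1);
        if (last.size() != 1 || !"CN".equalsIgnoreCase(last.getType())) return Type.EEC;
        String cn = String.valueOf(last.getValue());
        // The issuer must equal the subject with that last CN component removed.
        boolean issuerMatches = subject.getPrefix(subject.size() - 1).equals(issuer);
        if (cn.equalsIgnoreCase("proxy") || cn.equalsIgnoreCase("limited proxy")) {   // GSI-2
            if (!issuerMatches) {
                throw new CertificateException("GSI-2 proxy: issuer DN does not match subject DN minus proxy CN");
            }
            return cn.equalsIgnoreCase("proxy") ? Type.GSI_2_PROXY : Type.GSI_2_LIMITED_PROXY;
        }
        if (pciExtValue == null) return Type.EEC;              // no ProxyCertInfo: end-entity cert
        if (!issuerMatches) {
            throw new CertificateException("GSI-3 proxy: issuer DN does not match subject DN minus last CN");
        }
        if (!pciCritical) {
            throw new CertificateException("GSI-3 proxy: ProxyCertInfo extension must be critical");
        }
        String lang = policyLanguage(pciExtValue);
        if (lang.equals(IMPERSONATION_OID)) return Type.GSI_3_IMPERSONATION_PROXY;
        if (lang.equals(LIMITED_OID))       return Type.GSI_3_LIMITED_PROXY;
        if (lang.equals(INDEPENDENT_OID))   return Type.GSI_3_INDEPENDENT_PROXY;
        return Type.GSI_3_RESTRICTED_PROXY;                    // any other policy language OID
    }

    /** Unwraps the extension value and reads ProxyCertInfo.proxyPolicy.policyLanguage. */
    static String policyLanguage(byte[] extValue) {
        // X509Certificate.getExtensionValue() returns the DER OCTET STRING wrapper; the real
        // extension value is the octets inside it (the unwrapping getExtensionValue(byte[]) does).
        byte[] inner = ASN1OctetString.getInstance(extValue).getOctets();
        // ProxyCertInfo ::= SEQUENCE { pCPathLenConstraint INTEGER OPTIONAL, proxyPolicy ProxyPolicy }
        ASN1Sequence pci = ASN1Sequence.getInstance(inner);
        ASN1Sequence policy = ASN1Sequence.getInstance(pci.getObjectAt(pci.size() - 1));
        // ProxyPolicy ::= SEQUENCE { policyLanguage OBJECT IDENTIFIER, policy OCTET STRING OPTIONAL }
        return ASN1ObjectIdentifier.getInstance(policy.getObjectAt(0)).getId();
    }

    /** First certificate in the chain that is not an impersonation proxy (full or limited). */
    static X509Certificate identityCertificate(X509Certificate[] chain)
            throws CertificateException, InvalidNameException {
        for (X509Certificate c : chain) {
            switch (classify(c)) {
                case GSI_2_PROXY: case GSI_2_LIMITED_PROXY:
                case GSI_3_IMPERSONATION_PROXY: case GSI_3_LIMITED_PROXY:
                    continue;                          // identity comes from further up the chain
                default:
                    return c;
            }
        }
        throw new CertificateException("no identity certificate found in chain");
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a DER ProxyCertInfo with the inheritAll policy, wrapped in an
        // OCTET STRING exactly as X509Certificate.getExtensionValue() would hand it back.
        byte[] pci = new DEROctetString(new DERSequence(
                new DERSequence(new ASN1ObjectIdentifier(IMPERSONATION_OID)))).getEncoded();
        System.out.println(classify("CN=12345,CN=Alice,O=Example", "CN=Alice,O=Example", false, pci, true));
        System.out.println(classify("CN=limited proxy,CN=Alice,O=Example", "CN=Alice,O=Example", false, null, false));
        System.out.println(classify("CN=Alice,O=Example", "CN=Example CA,O=Example", false, null, false));
        try {   // a non-critical ProxyCertInfo is rejected, as the rules require
            classify("CN=12345,CN=Alice,O=Example", "CN=Alice,O=Example", false, pci, false);
        } catch (CertificateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rules are kept separate from certificate parsing so they can be run on constructed DNs; the adapter in classify(X509Certificate) only gathers the five inputs the rules need. Two of the checks carry the security weight: the issuer-equals-subject-minus-last-CN test is what ties a proxy to the key that signed it, and the criticality test ensures that a relying party which does not understand ProxyCertInfo rejects the certificate instead of treating the proxy as an ordinary end-entity certificate.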

- getProxyPathConstraint
  public static int getProxyPathConstraint(X509Certificate cert) throws IOException, CertificateEncodingException

- getProxyPathConstraint
  public static int getProxyPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws IOException
  Throws:
    IOException

- getProxyCertInfo
  public static ProxyCertInfo getProxyCertInfo(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws IOException
  Throws:
    IOException