Class CertUtil

java.lang.Object
org.cryptacular.util.CertUtil

public final class CertUtil extends Object
Utility class providing convenience methods for common operations on X.509 certificates.
Author:
Middleware Services
  • Method Details

    • subjectCN

      public static String subjectCN(X509Certificate cert) throws EncodingException
      Gets the common name attribute (CN) of the certificate subject distinguished name.
      Parameters:
      cert - Certificate to examine.
      Returns:
      Subject CN or null if no CN attribute is defined in the subject DN.
      Throws:
      EncodingException - on cert field extraction.
    • subjectAltNames

      public static org.bouncycastle.asn1.x509.GeneralNames subjectAltNames(X509Certificate cert) throws EncodingException
      Gets all subject alternative names defined on the given certificate.
      Parameters:
      cert - X.509 certificate to examine.
      Returns:
      List of subject alternative names or null if no subject alt names are defined.
      Throws:
      EncodingException - on cert field extraction.
    • subjectAltNames

      public static org.bouncycastle.asn1.x509.GeneralNames subjectAltNames(X509Certificate cert, GeneralNameType... types) throws EncodingException
      Gets all subject alternative names of the given type(s) on the given cert.
      Parameters:
      cert - X.509 certificate to examine.
      types - One or more subject alternative name types to fetch.
      Returns:
      List of subject alternative names of the matching type(s) or null if none found.
      Throws:
      EncodingException - on cert field extraction.
    • subjectNames

      public static List<String> subjectNames(X509Certificate cert) throws EncodingException
      Gets a list of all subject names defined for the given certificate. The list includes the first common name (CN) specified in the subject distinguished name (if defined) and all subject alternative names.
      Parameters:
      cert - X.509 certificate to examine.
      Returns:
      List of subject names.
      Throws:
      EncodingException - on cert field extraction.
    • subjectNames

      public static List<String> subjectNames(X509Certificate cert, GeneralNameType... types) throws EncodingException
      Gets a list of subject names defined for the given certificate. The list includes the first common name (CN) specified in the subject distinguished name (if defined) and all subject alternative names of the given type.
      Parameters:
      cert - X.509 certificate to examine.
      types - One or more subject alternative name types to fetch.
      Returns:
      List of subject names.
      Throws:
      EncodingException - on cert field extraction.
    • findEntityCertificate

      public static X509Certificate findEntityCertificate(PrivateKey key, X509Certificate... candidates) throws EncodingException
      Finds a certificate whose public key is paired with the given private key.
      Parameters:
      key - Private key used to find matching public key.
      candidates - Array of candidate certificates.
      Returns:
      Certificate whose public key forms a keypair with the private key or null if no match is found.
      Throws:
      EncodingException - on cert field extraction.
    • findEntityCertificate

      public static X509Certificate findEntityCertificate(PrivateKey key, Collection<X509Certificate> candidates) throws EncodingException
      Finds a certificate whose public key is paired with the given private key.
      Parameters:
      key - Private key used to find matching public key.
      candidates - Collection of candidate certificates.
      Returns:
      Certificate whose public key forms a keypair with the private key or null if no match is found.
      Throws:
      EncodingException - on cert field extraction.
    • readCertificate

      public static X509Certificate readCertificate(String path) throws EncodingException, StreamException
      Reads an X.509 certificate from ASN.1 encoded format in the file at the given location.
      Parameters:
      path - Path to file containing a DER or PEM encoded X.509 certificate.
      Returns:
      Certificate.
      Throws:
      EncodingException - on cert parsing errors.
      StreamException - on IO errors.
    • readCertificate

      public static X509Certificate readCertificate(File file) throws EncodingException, StreamException
      Reads an X.509 certificate from ASN.1 encoded format from the given file.
      Parameters:
      file - File containing a DER or PEM encoded X.509 certificate.
      Returns:
      Certificate.
      Throws:
      EncodingException - on cert parsing errors.
      StreamException - on IO errors.
    • readCertificate

      public static X509Certificate readCertificate(InputStream in) throws EncodingException, StreamException
      Reads an X.509 certificate from ASN.1 encoded data in the given stream.
      Parameters:
      in - Input stream containing PEM or DER encoded X.509 certificate.
      Returns:
      Certificate.
      Throws:
      EncodingException - on cert parsing errors.
      StreamException - on IO errors.
    • decodeCertificate

      public static X509Certificate decodeCertificate(byte[] encoded) throws EncodingException
      Creates an X.509 certificate from its ASN.1 encoded form.
      Parameters:
      encoded - PEM or DER encoded ASN.1 data.
      Returns:
      Certificate.
      Throws:
      EncodingException - on cert parsing errors.
    • readCertificateChain

      public static X509Certificate[] readCertificateChain(String path) throws EncodingException, StreamException
      Reads an X.509 certificate chain from ASN.1 encoded format in the file at the given location.
      Parameters:
      path - Path to file containing a sequence of PEM or DER encoded certificates or a PKCS#7 certificate chain.
      Returns:
      Certificate chain.
      Throws:
      EncodingException - on cert parsing errors.
      StreamException - on IO errors.
    • readCertificateChain

      public static X509Certificate[] readCertificateChain(File file) throws EncodingException, StreamException
      Reads an X.509 certificate chain from ASN.1 encoded format from the given file.
      Parameters:
      file - File containing a sequence of PEM or DER encoded certificates or a PKCS#7 certificate chain.
      Returns:
      Certificate chain.
      Throws:
      EncodingException - on cert parsing errors.
      StreamException - on IO errors.
    • readCertificateChain

      public static X509Certificate[] readCertificateChain(InputStream in) throws EncodingException, StreamException
      Reads an X.509 certificate chain from ASN.1 encoded data in the given stream.
      Parameters:
      in - Input stream containing a sequence of PEM or DER encoded certificates or a PKCS#7 certificate chain.
      Returns:
      Certificate chain.
      Throws:
      EncodingException - on cert parsing errors.
      StreamException - on IO errors.
    • decodeCertificateChain

      public static X509Certificate[] decodeCertificateChain(byte[] encoded) throws EncodingException
      Creates an X.509 certificate chain from its ASN.1 encoded form.
      Parameters:
      encoded - Sequence of PEM or DER encoded certificates or a PKCS#7 certificate chain.
      Returns:
      Certificate chain.
      Throws:
      EncodingException - on cert parsing errors.
    • allowsUsage

      public static boolean allowsUsage(X509Certificate cert, KeyUsageBits... bits) throws EncodingException
      Determines whether the certificate allows the given basic key usages.
      Parameters:
      cert - Certificate to check.
      bits - One or more basic key usage types to check.
      Returns:
      True if certificate allows all given usage types, false otherwise.
      Throws:
      EncodingException - on cert field extraction.
    • allowsUsage

      public static boolean allowsUsage(X509Certificate cert, org.bouncycastle.asn1.x509.KeyPurposeId... purposes) throws EncodingException
      Determines whether the certificate allows the given extended key usages.
      Parameters:
      cert - Certificate to check.
      purposes - One or more extended key usage purposes to check.
      Returns:
      True if certificate allows all given purposes, false otherwise.
      Throws:
      EncodingException - on cert field extraction.
    • hasPolicies

      public static boolean hasPolicies(X509Certificate cert, String... policyOidsToCheck) throws EncodingException
      Determines whether the certificate defines all of the given certificate policies.
      Parameters:
      cert - Certificate to check.
      policyOidsToCheck - One or more certificate policy OIDs to check.
      Returns:
      True if certificate defines all given policy OIDs, false otherwise.
      Throws:
      EncodingException - on cert field extraction.
    • subjectKeyId

      public static String subjectKeyId(X509Certificate cert) throws EncodingException
      Gets the subject key identifier of the given certificate in delimited hexadecimal format, e.g. 25:48:2f:28:ec:5d:19:bb:1d:25:ae:94:93:b1:7b:b5:35:96:24:66.
      Parameters:
      cert - Certificate to process.
      Returns:
      Subject key identifier in colon-delimited hex format.
      Throws:
      EncodingException - on cert field extraction.
    • authorityKeyId

      public static String authorityKeyId(X509Certificate cert) throws EncodingException
      Gets the authority key identifier of the given certificate in delimited hexadecimal format, e.g. 25:48:2f:28:ec:5d:19:bb:1d:25:ae:94:93:b1:7b:b5:35:96:24:66.
      Parameters:
      cert - Certificate to process.
      Returns:
      Authority key identifier in colon-delimited hex format.
      Throws:
      EncodingException - on cert field extraction.
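The following is an added example, not code from Cryptacular itself, showing how the methods above combine into a defender-side check of whether a certificate file is fit to be presented by a TLS server for a given host name. It assumes the GeneralNameType and KeyUsageBits enums live in org.cryptacular.x509 (their package is not shown on this page), that KeyPurposeId.id_kp_serverAuth comes from Bouncy Castle, and that the certificate path, host name and optional policy OID are supplied on the command line; the class name ServerCertCheck is hypothetical.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.cryptacular.util.CertUtil;
import org.cryptacular.x509.GeneralNameType;   // assumed package location
import org.cryptacular.x509.KeyUsageBits;      // assumed package location

/**
 * Added example (not part of Cryptacular). Decides whether a certificate file is
 * usable by a TLS server for a given host name using only the CertUtil methods
 * documented above.
 *
 * Usage: java ServerCertCheck server.pem www.example.org [policy-oid]
 */
public final class ServerCertCheck {

  private ServerCertCheck() {}

  /**
   * Names a relying party may match the host against. RFC 6125 consults the
   * subject CN only when the certificate carries no dNSName SAN at all, so the
   * CN entry that subjectNames() includes is dropped whenever DNS SANs exist.
   */
  public static List<String> hostCandidates(final X509Certificate cert) {
    final List<String> names = new ArrayList<>(
        CertUtil.subjectNames(cert, GeneralNameType.DNSName));
    final boolean hasDnsSan = CertUtil.subjectAltNames(cert, GeneralNameType.DNSName) != null;
    final String cn = CertUtil.subjectCN(cert);
    if (hasDnsSan && cn != null) {
      // Removes the single CN entry; a SAN carrying the same value is kept.
      names.remove(cn);
    }
    return names;
  }

  /** Exact match, or one wildcard that stands for exactly the left-most label. */
  public static boolean matchesHost(final String pattern, final String host) {
    final String p = pattern.toLowerCase(Locale.ROOT);
    final String h = host.toLowerCase(Locale.ROOT);
    if (p.equals(h)) {
      return true;
    }
    final int dot = h.indexOf('.');
    // "*.example.org" matches "www.example.org" but not "a.b.example.org".
    return p.startsWith("*.") && dot > 0 && p.substring(1).equals(h.substring(dot));
  }

  /** Every reason the certificate should NOT serve the host; an empty list means acceptable. */
  public static List<String> findings(final X509Certificate cert, final String host,
      final String policyOid) throws CertificateParsingException {
    final List<String> problems = new ArrayList<>();
    final List<String> candidates = hostCandidates(cert);
    boolean matched = false;
    for (String name : candidates) {
      if (matchesHost(name, host)) {
        matched = true;
        break;
      }
    }
    if (!matched) {
      problems.add("no subject name matches " + host + " (candidates: " + candidates + ")");
    }
    // TLS 1.3 and (EC)DHE suites sign with the certificate key, so
    // digitalSignature is the usage that matters. RFC 5280 treats a missing
    // KeyUsage extension as unconstrained, and the page does not state how
    // allowsUsage reports that case, so only constrain when the extension exists.
    if (cert.getKeyUsage() != null
        && !CertUtil.allowsUsage(cert, KeyUsageBits.DigitalSignature)) {
      problems.add("key usage does not permit digitalSignature");
    }
    // Same reasoning for extended key usage: absent extension means no restriction.
    if (cert.getExtendedKeyUsage() != null
        && !CertUtil.allowsUsage(cert, KeyPurposeId.id_kp_serverAuth)) {
      problems.add("extended key usage does not permit serverAuth");
    }
    if (policyOid != null && !CertUtil.hasPolicies(cert, policyOid)) {
      problems.add("certificate does not assert policy " + policyOid);
    }
    return problems;
  }

  public static void main(final String[] args) throws Exception {
    if (args.length < 2) {
      System.err.println("usage: ServerCertCheck <cert-file> <hostname> [policy-oid]");
      System.exit(2);
    }
    final X509Certificate cert = CertUtil.readCertificate(args[0]);  // PEM or DER
    final String policy = args.length > 2 ? args[2] : null;
    System.out.println("subject CN : " + CertUtil.subjectCN(cert));
    System.out.println("SKI        : " + CertUtil.subjectKeyId(cert));
    System.out.println("AKI        : " + CertUtil.authorityKeyId(cert));
    final List<String> problems = findings(cert, args[1], policy);
    if (problems.isEmpty()) {
      System.out.println("OK: certificate is usable for " + args[1]);
    } else {
      problems.forEach(p -> System.out.println("FAIL: " + p));
      System.exit(1);
    }
  }
}
```

The check deliberately does not accept a CN match when any DNS SAN is present, because that is the fallback behaviour that lets a certificate issued for one name pass verification for another; subjectNames() is convenient for display but mixes the CN into the list, so a hostname verifier has to separate the two as hostCandidates() does. Printing the SKI and AKI gives the operator the values needed to confirm the certificate chains to the intended issuer.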