org.globus.gsi.util

Class CertificateUtil

java.lang.Object

org.globus.gsi.util.CertificateUtil

public final class CertificateUtil
extends Object

FILL ME

Author:

ranantha@mcs.anl.gov

Field Summary

Fields

Modifier and Type	Field and Description
static int	CRL_SIGN
static int	DATA_ENCIPHERMENT
static int	DECIPHER_ONLY
static int	DEFAULT_USAGE_LENGTH
static int	DIGITAL_SIGNATURE
static int	ENCIPHER_ONLY
static int	KEY_AGREEMENT
static int	KEY_CERTSIGN
static int	KEY_ENCIPHERMENT
static int	NON_REPUDIATION

Method Summary

Methods

Modifier and Type	Method and Description
static KeyPair	generateKeyPair(String algorithm, int bits) Generates a key pair of given algorithm and strength.
static org.bouncycastle.asn1.x509.BasicConstraints	getBasicConstraints(org.bouncycastle.asn1.x509.X509Extension ext) Creates a BasicConstraints object from given extension.
static int	getCAPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) Return CA Path constraint
static GSIConstants.CertificateType	getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) Returns certificate type of the given TBS certificate.
static CertPath	getCertPath(X509Certificate[] certs)
static org.bouncycastle.asn1.DERObject	getExtensionObject(org.bouncycastle.asn1.x509.X509Extension ext) Extracts the value of a certificate extension.
static boolean[]	getKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
static boolean[]	getKeyUsage(org.bouncycastle.asn1.x509.X509Extension ext) Gets a boolean array representing bits of the KeyUsage extension.
static org.bouncycastle.asn1.x509.TBSCertificateStructure	getTBSCertificateStructure(X509Certificate cert) Extracts the TBS certificate from the given certificate.
static void	init() A no-op function that can be used to force the class to load and initialize.
static void	installSecureRandomProvider() Installs SecureRandom provider.
static void	setProvider(String providerName) Sets a provider name to use for loading certificates and for generating key pairs.
static org.bouncycastle.asn1.DERObject	toDERObject(byte[] data) Converts the DER-encoded byte array into a DERObject.
static String	toGlobusID(Principal name) Converts the specified principal into Globus format.
static String	toGlobusID(String dn) Converts DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C". This function might return incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.
static String	toGlobusID(String dn, boolean noreverse) Converts DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C" or "/O=C/OU=B/CN=A" depending on the noreverse option.
static String	toGlobusID(X500Principal principal) Converts DN of the form "CN=A, OU=B, O=C" into Globus format "/O=C/OU=B/CN=A" This function might return incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.
static X500Principal	toPrincipal(String globusID) Converts Globus DN format "/O=C/OU=B/CN=A" into an X500Principal representation, which accepts RFC 2253 or 1779 formatted DN's and also attribute types as defined in RFC 2459 (e.g.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DIGITAL_SIGNATURE

public static final int DIGITAL_SIGNATURE

See Also:

Constant Field Values

NON_REPUDIATION

public static final int NON_REPUDIATION

See Also:

Constant Field Values

KEY_ENCIPHERMENT

public static final int KEY_ENCIPHERMENT

See Also:

Constant Field Values

DATA_ENCIPHERMENT

public static final int DATA_ENCIPHERMENT

See Also:

Constant Field Values

KEY_AGREEMENT

public static final int KEY_AGREEMENT

See Also:

Constant Field Values

KEY_CERTSIGN

public static final int KEY_CERTSIGN

See Also:

Constant Field Values

CRL_SIGN

public static final int CRL_SIGN

See Also:

Constant Field Values

ENCIPHER_ONLY

public static final int ENCIPHER_ONLY

See Also:

Constant Field Values

DECIPHER_ONLY

public static final int DECIPHER_ONLY

See Also:

Constant Field Values

DEFAULT_USAGE_LENGTH

public static final int DEFAULT_USAGE_LENGTH

See Also:

Constant Field Values

Method Detail

init

public static void init()

A no-op function that can be used to force the class to load and initialize.

setProvider

public static void setProvider(String providerName)

Sets a provider name to use for loading certificates and for generating key pairs.

Parameters:

providerName - provider name to use.

installSecureRandomProvider

public static void installSecureRandomProvider()

Installs SecureRandom provider. This function is automatically called when this class is loaded.

getCAPathConstraint

public static int getCAPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
                               throws IOException

Return CA Path constraint

Parameters:

crt -

Returns:

Throws:

IOException

generateKeyPair

public static KeyPair generateKeyPair(String algorithm,
                      int bits)
                               throws GeneralSecurityException

Generates a key pair of given algorithm and strength.

Parameters:

algorithm - the algorithm of the key pair.

bits - the strength

Returns:

KeyPair the generated key pair.

Throws:

GeneralSecurityException - if something goes wrong.

getCertificateType

public static GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
                                                       throws CertificateException,
                                                              IOException

Returns certificate type of the given TBS certificate.
The certificate type is CertificateType.CA only if the certificate contains a BasicConstraints extension and it is marked as CA.
A certificate is a GSI-2 proxy when the subject DN of the certificate ends with "CN=proxy" (certificate type CertificateType.GSI_2_PROXY) or "CN=limited proxy" (certificate type CertificateType.LIMITED_PROXY) component and the issuer DN of the certificate matches the subject DN without the last proxy CN component.
A certificate is a GSI-3 proxy when the subject DN of the certificate ends with a CN component, the issuer DN of the certificate matches the subject DN without the last CN component and the certificate contains ProxyCertInfo critical extension. The certificate type is CertificateType.GSI_3_IMPERSONATION_PROXY if the policy language of the ProxyCertInfo extension is set to ProxyPolicy.IMPERSONATION OID. The certificate type is CertificateType.GSI_3_LIMITED_PROXY if the policy language of the ProxyCertInfo extension is set to ProxyPolicy.LIMITED OID. The certificate type is CertificateType.GSI_3_INDEPENDENT_PROXY if the policy language of the ProxyCertInfo extension is set to ProxyPolicy.INDEPENDENT OID. The certificate type is CertificateType.GSI_3_RESTRICTED_PROXY if the policy language of the ProxyCertInfo extension is set to any other OID then the above.
The certificate type is CertificateType.EEC if the certificate is not a CA certificate or a GSI-2 or GSI-3 proxy.

Parameters:

crt - the TBS certificate to get the type of.

Returns:

the certificate type. The certificate type is determined by rules described above.

Throws:

IOException - if something goes wrong.

CertificateException - for proxy certificates, if the issuer DN of the certificate does not match the subject DN of the certificate without the last CN component. Also, for GSI-3 proxies when the ProxyCertInfo extension is not marked as critical.

getBasicConstraints

public static org.bouncycastle.asn1.x509.BasicConstraints getBasicConstraints(org.bouncycastle.asn1.x509.X509Extension ext)
                                                                       throws IOException

Creates a BasicConstraints object from given extension.

Parameters:

ext - the extension.

Returns:

the BasicConstraints object.

Throws:

IOException - if something fails.

toDERObject

public static org.bouncycastle.asn1.DERObject toDERObject(byte[] data)
                                                   throws IOException

Converts the DER-encoded byte array into a DERObject.

Parameters:

data - the DER-encoded byte array to convert.

Returns:

the DERObject.

Throws:

IOException - if conversion fails

getTBSCertificateStructure

public static org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert)
                                                                                     throws CertificateEncodingException,
                                                                                            IOException

Extracts the TBS certificate from the given certificate.

Parameters:

cert - the X.509 certificate to extract the TBS certificate from.

Returns:

the TBS certificate

Throws:

IOException - if extraction fails.

CertificateEncodingException - if extraction fails.

getKeyUsage

public static boolean[] getKeyUsage(org.bouncycastle.asn1.x509.TBSCertificateStructure crt)
                             throws IOException

Throws:

IOException

getKeyUsage

public static boolean[] getKeyUsage(org.bouncycastle.asn1.x509.X509Extension ext)
                             throws IOException

Gets a boolean array representing bits of the KeyUsage extension.

Throws:

IOException - if failed to extract the KeyUsage extension value.

See Also:

X509Certificate.getKeyUsage()

getExtensionObject

public static org.bouncycastle.asn1.DERObject getExtensionObject(org.bouncycastle.asn1.x509.X509Extension ext)
                                                          throws IOException

Extracts the value of a certificate extension.

Parameters:

ext - the certificate extension to extract the value from.

Throws:

IOException - if extraction fails.

toGlobusID

public static String toGlobusID(String dn)

Converts DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C".
This function might return incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.

Parameters:

dn - the DN to convert to Globus format.

Returns:

the converted DN in Globus format.

See Also:

toGlobusID(String, boolean)

toGlobusID

public static String toGlobusID(String dn,
                boolean noreverse)

Converts DN of the form "CN=A, OU=B, O=C" into Globus format "/CN=A/OU=B/O=C" or "/O=C/OU=B/CN=A" depending on the noreverse option. If noreverse is true the order of the DN components is not reveresed - "/CN=A/OU=B/O=C" is returned. If noreverse is false, the order of the DN components is reversed - "/O=C/OU=B/CN=A" is returned.
This function might return incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.

Parameters:

dn - the DN to convert to Globus format.

noreverse - the direction of the conversion.

Returns:

the converted DN in Globus format.

toGlobusID

public static String toGlobusID(Principal name)

Converts the specified principal into Globus format. If the principal is of unrecognized type a simple string-based conversion is made using the toGlobusID() function.

Parameters:

name - the principal to convert to Globus format.

Returns:

the converted DN in Globus format.

See Also:

toGlobusID(String)

toGlobusID

public static String toGlobusID(X500Principal principal)

Converts DN of the form "CN=A, OU=B, O=C" into Globus format "/O=C/OU=B/CN=A"
This function might return incorrect Globus-formatted ID when one of the RDNs in the DN contains commas.

Returns:

the converted DN in Globus format.

toPrincipal

public static X500Principal toPrincipal(String globusID)

Converts Globus DN format "/O=C/OU=B/CN=A" into an X500Principal representation, which accepts RFC 2253 or 1779 formatted DN's and also attribute types as defined in RFC 2459 (e.g. "CN=A,OU=B,O=C"). This method should allow the forward slash, "/", to occur in attribute values (see GFD.125 section 3.2.2 -- RFC 2252 allows "/" in PrintableStrings).

Parameters:

globusID - DN in Globus format

Returns:

the X500Principal representation of the given DN

getCertPath

public static CertPath getCertPath(X509Certificate[] certs)
                            throws CertificateException

Throws:

CertificateException