com.itextpdf.signatures

Class CertificateUtil

java.lang.Object

com.itextpdf.signatures.CertificateUtil

public class CertificateUtil
extends Object

This class contains a series of static methods that allow you to retrieve information from a Certificate.

Constructor Summary

Constructors

Constructor and Description
CertificateUtil()

Method Summary

Modifier and Type	Method and Description
static boolean	checkIfIssuersMatch(com.itextpdf.commons.bouncycastle.cert.ocsp.ICertificateID certID, X509Certificate issuerCert) Checks if the issuer of the provided certID (specified in the OCSP response) and provided issuer of the certificate in question matches, i.e.
static X509Certificate	createCertificateFromEncodedData(String encodedCertificateBytes) Reads certificate from der encoded string.
static com.itextpdf.commons.bouncycastle.asn1.IDERSet	createRevocationInfoChoices(Collection<CRL> crls, Collection<com.itextpdf.commons.bouncycastle.asn1.ocsp.IBasicOCSPResponse> ocsps, Collection<com.itextpdf.commons.bouncycastle.asn1.IASN1Sequence> otherRevocationInfoFormats) Creates the revocation info (crls field) for SignedData structure: RevocationInfoChoices ::= SET OF RevocationInfoChoice RevocationInfoChoice ::= CHOICE { crl CertificateList, other [1] IMPLICIT OtherRevocationInfoFormat } OtherRevocationInfoFormat ::= SEQUENCE { otherRevInfoFormat OBJECT IDENTIFIER, otherRevInfo ANY DEFINED BY otherRevInfoFormat } CertificateList ::= SEQUENCE { tbsCertList TBSCertList, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING }
static Certificate	generateCertificate(InputStream data) Generates a certificate object and initializes it with the data read from the input stream inStream.
static CRL	getCRL(String url) Gets the CRL object using a CRL URL.
static List<CRL>	getCRLs(X509Certificate certificate) Gets a CRLs from the X509 certificate.
static List<String>	getCRLURLs(X509Certificate certificate) Gets the list of the Certificate Revocation List URLs for a Certificate.
static com.itextpdf.commons.bouncycastle.asn1.x509.IDistributionPoint	getDistributionPointByName(X509Certificate certificate, com.itextpdf.commons.bouncycastle.asn1.x509.IDistributionPointName issuingDistributionPointName) Gets the Distribution Point from the certificate by name specified in the Issuing Distribution Point from the Certificate Revocation List for a Certificate.
static com.itextpdf.commons.bouncycastle.asn1.IASN1Primitive	getExtensionValue(CRL crl, String oid) Gets CRL extension value.
static com.itextpdf.commons.bouncycastle.asn1.IASN1Primitive	getExtensionValue(X509Certificate certificate, String oid) Gets certificate extension value.
static byte[]	getExtensionValueByOid(X509Certificate certificate, String id) Retrieves certificate extension value by its OID.
static String	getIssuerCertURL(CRL crl) Retrieves the URL for the issuer certificate for the given CRL.
static String	getIssuerCertURL(X509Certificate certificate) Retrieves the URL for the issuer lists certificates for the given certificate.
static String	getOCSPURL(X509Certificate certificate) Retrieves the OCSP URL from the given certificate.
static String	getTSAURL(X509Certificate certificate) Gets the URL of the TSA if it's available on the certificate
static boolean	isSelfSigned(X509Certificate certificate) Checks if the certificate is self-signed.
static boolean	isSignatureValid(com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp ocspResp, Certificate responderCert) Checks if an OCSP response is genuine.
static CRL	parseCrlFromBytes(byte[] crlBytes) Parses a CRL from bytes.
static CRL	parseCrlFromStream(InputStream input) Parses a CRL from an InputStream.
static Certificate[]	readCertificatesFromPem(InputStream pemFileStream) Read all certificates from an input stream in PEM format.
static void	retrieveRevocationInfoFromSignedData(com.itextpdf.commons.bouncycastle.asn1.IASN1TaggedObject taggedObj, Collection<CRL> crls, Collection<com.itextpdf.commons.bouncycastle.asn1.ocsp.IBasicOCSPResponse> ocsps, Collection<com.itextpdf.commons.bouncycastle.asn1.IASN1Sequence> otherRevocationInfoFormats) Try to retrieve CRL and OCSP responses from the signed data crls field.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CertificateUtil

public CertificateUtil()

Method Detail

getCRLs

public static List<CRL> getCRLs(X509Certificate certificate)
                         throws CertificateException,
                                CRLException,
                                IOException

Gets a CRLs from the X509 certificate.

Parameters:

certificate - the X509Certificate to extract the CRLs from

Returns:

CRL list or null if there's no CRL available

Throws:

IOException - thrown when the URL couldn't be opened properly.

CertificateException - thrown if there's no X509 implementation in the provider.

CRLException - thrown when encountering errors when parsing the CRL.

getCRLURLs

public static List<String> getCRLURLs(X509Certificate certificate)

Gets the list of the Certificate Revocation List URLs for a Certificate.

Parameters:

certificate - the Certificate to get CRL URLs for

Returns:

the list of URL strings where you can check if the certificate is revoked.

getDistributionPointByName

public static com.itextpdf.commons.bouncycastle.asn1.x509.IDistributionPoint getDistributionPointByName(X509Certificate certificate,
                                                                                                        com.itextpdf.commons.bouncycastle.asn1.x509.IDistributionPointName issuingDistributionPointName)

Gets the Distribution Point from the certificate by name specified in the Issuing Distribution Point from the Certificate Revocation List for a Certificate.

Parameters:

certificate - the certificate to retrieve Distribution Points

issuingDistributionPointName - distributionPointName retrieved from the IDP of the CRL

Returns:

distribution point withthe same name as specified in the IDP.

getCRL

public static CRL getCRL(String url)
                  throws IOException,
                         CertificateException,
                         CRLException

Gets the CRL object using a CRL URL.

Parameters:

url - the URL where the CRL is located

Returns:

CRL object

Throws:

IOException - thrown when the URL couldn't be opened properly.

CertificateException - thrown if there's no X509 implementation in the provider.

CRLException - thrown when encountering errors when parsing the CRL.

parseCrlFromStream

public static CRL parseCrlFromStream(InputStream input)
                              throws CertificateException,
                                     CRLException

Parses a CRL from an InputStream.

Parameters:

input - the InputStream holding the unparsed CRL

Returns:

the parsed CRL object.

Throws:

CertificateException - thrown if there's no X509 implementation in the provider.

CRLException - thrown when encountering errors when parsing the CRL.

parseCrlFromBytes

public static CRL parseCrlFromBytes(byte[] crlBytes)
                             throws CertificateException,
                                    CRLException

Parses a CRL from bytes.

Parameters:

crlBytes - the bytes holding the unparsed CRL

Returns:

the parsed CRL object.

Throws:

CertificateException - thrown if there's no X509 implementation in the provider.

CRLException - thrown when encountering errors when parsing the CRL.

getIssuerCertURL

public static String getIssuerCertURL(CRL crl)

Retrieves the URL for the issuer certificate for the given CRL.

Parameters:

crl - the CRL response

Returns:

the URL or null.

getOCSPURL

public static String getOCSPURL(X509Certificate certificate)

Retrieves the OCSP URL from the given certificate.

Parameters:

certificate - the certificate

Returns:

the URL or null

getIssuerCertURL

public static String getIssuerCertURL(X509Certificate certificate)

Retrieves the URL for the issuer lists certificates for the given certificate.

Parameters:

certificate - the certificate

Returns:

the URL or null.

getTSAURL

public static String getTSAURL(X509Certificate certificate)

Gets the URL of the TSA if it's available on the certificate

Parameters:

certificate - a certificate

Returns:

a TSA URL

generateCertificate

public static Certificate generateCertificate(InputStream data)
                                       throws CertificateException

Generates a certificate object and initializes it with the data read from the input stream inStream.

Parameters:

data - the input stream with the certificates.

Returns:

a certificate object initialized with the data from the input stream.

Throws:

CertificateException - on parsing errors.

retrieveRevocationInfoFromSignedData

public static void retrieveRevocationInfoFromSignedData(com.itextpdf.commons.bouncycastle.asn1.IASN1TaggedObject taggedObj,
                                                        Collection<CRL> crls,
                                                        Collection<com.itextpdf.commons.bouncycastle.asn1.ocsp.IBasicOCSPResponse> ocsps,
                                                        Collection<com.itextpdf.commons.bouncycastle.asn1.IASN1Sequence> otherRevocationInfoFormats)
                                                 throws IOException,
                                                        CertificateException

Try to retrieve CRL and OCSP responses from the signed data crls field.

Parameters:

taggedObj - signed data crls field as IASN1TaggedObject.

crls - collection to store retrieved CRL responses.

ocsps - collection of IBasicOCSPResponse wrappers to store retrieved OCSP responses.

otherRevocationInfoFormats - collection of revocation info other than OCSP and CRL responses, e.g. SCVP Request and Response, stored as IASN1Sequence.

Throws:

IOException - if some I/O error occurred.

CertificateException - if CertificateFactory instance wasn't created.

createRevocationInfoChoices

public static com.itextpdf.commons.bouncycastle.asn1.IDERSet createRevocationInfoChoices(Collection<CRL> crls,
                                                                                         Collection<com.itextpdf.commons.bouncycastle.asn1.ocsp.IBasicOCSPResponse> ocsps,
                                                                                         Collection<com.itextpdf.commons.bouncycastle.asn1.IASN1Sequence> otherRevocationInfoFormats)
                                                                                  throws CRLException,
                                                                                         IOException

Creates the revocation info (crls field) for SignedData structure: RevocationInfoChoices ::= SET OF RevocationInfoChoice RevocationInfoChoice ::= CHOICE { crl CertificateList, other [1] IMPLICIT OtherRevocationInfoFormat } OtherRevocationInfoFormat ::= SEQUENCE { otherRevInfoFormat OBJECT IDENTIFIER, otherRevInfo ANY DEFINED BY otherRevInfoFormat } CertificateList ::= SEQUENCE { tbsCertList TBSCertList, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING }

Parameters:

crls - collection of CRL revocation status information.

ocsps - collection of OCSP revocation status information.

otherRevocationInfoFormats - collection of revocation info other than OCSP and CRL responses, e.g. SCVP Request and Response, stored as IASN1Sequence.

Returns:

crls [1] RevocationInfoChoices field of SignedData structure. Null if SignedData has no revocation data.

Throws:

CRLException - if an encoding error occurs.

IOException - if an I/O error occurs.

See Also:

RFC 5652 §10.2.1

checkIfIssuersMatch

public static boolean checkIfIssuersMatch(com.itextpdf.commons.bouncycastle.cert.ocsp.ICertificateID certID,
                                          X509Certificate issuerCert)
                                   throws com.itextpdf.commons.bouncycastle.operator.AbstractOperatorCreationException,
                                          com.itextpdf.commons.bouncycastle.cert.ocsp.AbstractOCSPException,
                                          CertificateEncodingException,
                                          IOException

Checks if the issuer of the provided certID (specified in the OCSP response) and provided issuer of the certificate in question matches, i.e. checks that issuerNameHash and issuerKeyHash fields of the certID is the hash of the issuer's name and public key.

SingleResp contains the basic information of the status of the certificate identified by the certID. The issuer name and serial number identify a unique certificate, so if serial numbers of the certificate in question and certID serial number are equals and issuers match, then SingleResp contains the information about the status of the certificate in question.

Parameters:

certID - certID specified in the OCSP response

issuerCert - the issuer of the certificate in question

Returns:

true if the issuers are the same, false otherwise.

Throws:

com.itextpdf.commons.bouncycastle.operator.AbstractOperatorCreationException - in case some digest calculator creation error.

com.itextpdf.commons.bouncycastle.cert.ocsp.AbstractOCSPException - in case some digest calculator creation error.

CertificateEncodingException - if an encoding error occurs.

IOException - if input-output exception occurs.

getExtensionValueByOid

public static byte[] getExtensionValueByOid(X509Certificate certificate,
                                            String id)

Retrieves certificate extension value by its OID.

Parameters:

certificate - to get extension from

id - extension OID to retrieve

Returns:

encoded extension value.

isSignatureValid

public static boolean isSignatureValid(com.itextpdf.commons.bouncycastle.cert.ocsp.IBasicOCSPResp ocspResp,
                                       Certificate responderCert)

Checks if an OCSP response is genuine.

Parameters:

ocspResp - IBasicOCSPResp the OCSP response wrapper

responderCert - the responder certificate

Returns:

true if the OCSP response verifies against the responder certificate.

isSelfSigned

public static boolean isSelfSigned(X509Certificate certificate)

Checks if the certificate is self-signed.

Parameters:

certificate - a certificate to check

Returns:

true if the certificate is self-signed.

getExtensionValue

public static com.itextpdf.commons.bouncycastle.asn1.IASN1Primitive getExtensionValue(X509Certificate certificate,
                                                                                      String oid)
                                                                               throws IOException

Gets certificate extension value.

Parameters:

certificate - the certificate from which we need the ExtensionValue

oid - the Object Identifier value for the extension

Returns:

the extension value as an IASN1Primitive object.

Throws:

IOException - on processing exception.

getExtensionValue

public static com.itextpdf.commons.bouncycastle.asn1.IASN1Primitive getExtensionValue(CRL crl,
                                                                                      String oid)
                                                                               throws IOException

Gets CRL extension value.

Parameters:

crl - the CRL from which we need the ExtensionValue

oid - the Object Identifier value for the extension

Returns:

the extension value as an IASN1Primitive object.

Throws:

IOException - on processing exception.

createCertificateFromEncodedData

public static X509Certificate createCertificateFromEncodedData(String encodedCertificateBytes)

Reads certificate from der encoded string.

Parameters:

encodedCertificateBytes - der encoded data

Returns:

X509Certificate object

readCertificatesFromPem

public static Certificate[] readCertificatesFromPem(InputStream pemFileStream)

Read all certificates from an input stream in PEM format.

Parameters:

pemFileStream - InputStream in PEM format

Returns:

Certificate array