org.apache.nifi.security.util

Class CertificateUtils

java.lang.Object

org.apache.nifi.security.util.CertificateUtils

public final class CertificateUtils
extends Object

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	CertificateUtils.ClientAuth

Field Summary

Fields

Modifier and Type	Field and Description
private static Map<org.bouncycastle.asn1.ASN1ObjectIdentifier,Integer>	dnOrderMap
private static long	lastSerialNumberMillis The time in milliseconds that the last unique serial number was generated
private static org.slf4j.Logger	logger
private static BigInteger	millisecondBigInteger BigInteger value to use for the base of the unique serial number
private static String	PEER_NOT_AUTHENTICATED_MSG
private static int	serialNumberIncrementor An incrementor to add uniqueness to serial numbers generated in the same millisecond

Constructor Summary

Constructors

Modifier	Constructor and Description
private	CertificateUtils()

Method Summary

Modifier and Type	Method and Description
static boolean	compareDNs(String dn1, String dn2) Returns true if the two provided DNs are equivalent, regardless of the order of the elements.
static X509Certificate	convertAbstractX509Certificate(Certificate abstractCertificate) Accepts an abstract Certificate and returns an X509Certificate.
static X509Certificate	convertLegacyX509Certificate(X509Certificate legacyCertificate) Accepts a legacy X509Certificate and returns an X509Certificate.
private static Map<org.bouncycastle.asn1.ASN1ObjectIdentifier,Integer>	createDnOrderMap()
private static String	extractPeerDNFromClientSSLSocket(SSLSocket sslSocket) Returns the DN extracted from the client certificate.
private static String	extractPeerDNFromServerSSLSocket(Socket socket) Returns the DN extracted from the server certificate.
static String	extractPeerDNFromSSLSocket(Socket socket) Returns the DN extracted from the peer certificate (the server DN if run on the client; the client DN (if available) if run on the server).
static String	extractUsername(String dn) Extracts the username from the specified DN.
private static X509Certificate	formX509Certificate(byte[] encodedCertificate)
static X509Certificate	generateIssuedCertificate(String dn, PublicKey publicKey, org.bouncycastle.asn1.x509.Extensions extensions, X509Certificate issuer, KeyPair issuerKeyPair, String signingAlgorithm, int days) Generates an issued X509Certificate from the given issuer certificate and KeyPair
static X509Certificate	generateIssuedCertificate(String dn, PublicKey publicKey, X509Certificate issuer, KeyPair issuerKeyPair, String signingAlgorithm, int days) Generates an issued X509Certificate from the given issuer certificate and KeyPair
static X509Certificate	generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays) Generates a self-signed X509Certificate suitable for use as a Certificate Authority.
private static CertificateUtils.ClientAuth	getClientAuthStatus(SSLSocket sslSocket)
static org.bouncycastle.asn1.x509.Extensions	getExtensionsFromCSR(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest csr) Extract extensions from CSR object
static List<String>	getSubjectAlternativeNames(X509Certificate certificate) Returns a list of subject alternative names.
protected static BigInteger	getUniqueSerialNumber() Generates a unique serial number by using the current time in milliseconds left shifted 32 bits (to make room for incrementor) with an incrementor added
static boolean	isStoreValid(URL keystore, KeystoreType keystoreType, char[] password) Returns true if the given keystore can be loaded using the given keystore type and password.
static String	reorderDn(String dn) Reorders DN to the order the elements appear in the RFC 2253 table https://www.ietf.org/rfc/rfc2253.txt String X.500 AttributeType ------------------------------ CN commonName L localityName ST stateOrProvinceName O organizationName OU organizationalUnitName C countryName STREET streetAddress DC domainComponent UID userid
private static org.bouncycastle.asn1.x500.X500Name	reverseX500Name(org.bouncycastle.asn1.x500.X500Name x500Name) Reverses the X500Name in order make the certificate be in the right order [see http://stackoverflow.com/questions/7567837/attributes-reversed-in-certificate-subject-and-issuer/12645265]

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

logger

private static final org.slf4j.Logger logger

PEER_NOT_AUTHENTICATED_MSG

private static final String PEER_NOT_AUTHENTICATED_MSG

See Also:

Constant Field Values

dnOrderMap

private static final Map<org.bouncycastle.asn1.ASN1ObjectIdentifier,Integer> dnOrderMap

lastSerialNumberMillis

private static long lastSerialNumberMillis

The time in milliseconds that the last unique serial number was generated

serialNumberIncrementor

private static int serialNumberIncrementor

An incrementor to add uniqueness to serial numbers generated in the same millisecond

millisecondBigInteger

private static BigInteger millisecondBigInteger

BigInteger value to use for the base of the unique serial number

Constructor Detail

CertificateUtils

private CertificateUtils()

Method Detail

createDnOrderMap

private static Map<org.bouncycastle.asn1.ASN1ObjectIdentifier,Integer> createDnOrderMap()

isStoreValid

public static boolean isStoreValid(URL keystore,
                                   KeystoreType keystoreType,
                                   char[] password)

Returns true if the given keystore can be loaded using the given keystore type and password. Returns false otherwise.

Parameters:

keystore - the keystore to validate

keystoreType - the type of the keystore

password - the password to access the keystore

Returns:

true if valid; false otherwise

extractUsername

public static String extractUsername(String dn)

Extracts the username from the specified DN. If the username cannot be extracted because the CN is in an unrecognized format, the entire CN is returned. If the CN cannot be extracted because the DN is in an unrecognized format, the entire DN is returned.

Parameters:

dn - the dn to extract the username from

Returns:

the exatracted username

getSubjectAlternativeNames

public static List<String> getSubjectAlternativeNames(X509Certificate certificate)
                                               throws CertificateParsingException

Returns a list of subject alternative names. Any name that is represented as a String by X509Certificate.getSubjectAlternativeNames() is converted to lowercase and returned.

Parameters:

certificate - a certificate

Returns:

a list of subject alternative names; list is never null

Throws:

CertificateParsingException - if parsing the certificate failed

extractPeerDNFromSSLSocket

public static String extractPeerDNFromSSLSocket(Socket socket)
                                         throws CertificateException

Returns the DN extracted from the peer certificate (the server DN if run on the client; the client DN (if available) if run on the server). If the client auth setting is WANT or NONE and a client certificate is not present, this method will return null. If the client auth is NEED, it will throw a CertificateException.

Parameters:

socket - the SSL Socket

Returns:

the extracted DN

Throws:

CertificateException - if there is a problem parsing the certificate

extractPeerDNFromClientSSLSocket

private static String extractPeerDNFromClientSSLSocket(SSLSocket sslSocket)
                                                throws CertificateException

Returns the DN extracted from the client certificate. If the client auth setting is WANT or NONE and a certificate is not present (and respectClientAuth is true), this method will return null. If the client auth is NEED, it will throw a CertificateException.

Parameters:

sslSocket - the SSL Socket

Returns:

the extracted DN

Throws:

CertificateException - if there is a problem parsing the certificate

extractPeerDNFromServerSSLSocket

private static String extractPeerDNFromServerSSLSocket(Socket socket)
                                                throws CertificateException

Returns the DN extracted from the server certificate.

Parameters:

socket - the SSL Socket

Returns:

the extracted DN

Throws:

CertificateException - if there is a problem parsing the certificate

getClientAuthStatus

private static CertificateUtils.ClientAuth getClientAuthStatus(SSLSocket sslSocket)

convertLegacyX509Certificate

public static X509Certificate convertLegacyX509Certificate(X509Certificate legacyCertificate)
                                                    throws CertificateException

Accepts a legacy X509Certificate and returns an X509Certificate. The javax.* package certificate classes are for legacy compatibility and should not be used for new development.

Parameters:

legacyCertificate - the javax.security.cert.X509Certificate

Returns:

a new java.security.cert.X509Certificate

Throws:

CertificateException - if there is an error generating the new certificate

convertAbstractX509Certificate

public static X509Certificate convertAbstractX509Certificate(Certificate abstractCertificate)
                                                      throws CertificateException

Accepts an abstract Certificate and returns an X509Certificate. Because sslSocket.getSession().getPeerCertificates() returns an array of the abstract certificates, they must be translated to X.509 to replace the functionality of sslSocket.getSession().getPeerCertificateChain().

Parameters:

abstractCertificate - the java.security.cert.Certificate

Returns:

a new java.security.cert.X509Certificate

Throws:

CertificateException - if there is an error generating the new certificate

formX509Certificate

private static X509Certificate formX509Certificate(byte[] encodedCertificate)
                                            throws CertificateException

Throws:

CertificateException

reorderDn

public static String reorderDn(String dn)

Reorders DN to the order the elements appear in the RFC 2253 table https://www.ietf.org/rfc/rfc2253.txt String X.500 AttributeType ------------------------------ CN commonName L localityName ST stateOrProvinceName O organizationName OU organizationalUnitName C countryName STREET streetAddress DC domainComponent UID userid

Parameters:

dn - a possibly unordered DN

Returns:

the ordered dn

reverseX500Name

private static org.bouncycastle.asn1.x500.X500Name reverseX500Name(org.bouncycastle.asn1.x500.X500Name x500Name)

Reverses the X500Name in order make the certificate be in the right order [see http://stackoverflow.com/questions/7567837/attributes-reversed-in-certificate-subject-and-issuer/12645265]

Parameters:

x500Name - the X500Name created with the intended order

Returns:

the X500Name reversed

getUniqueSerialNumber

protected static BigInteger getUniqueSerialNumber()

Generates a unique serial number by using the current time in milliseconds left shifted 32 bits (to make room for incrementor) with an incrementor added

Returns:

a unique serial number (technically unique to this classloader)

generateSelfSignedX509Certificate

public static X509Certificate generateSelfSignedX509Certificate(KeyPair keyPair,
                                                                String dn,
                                                                String signingAlgorithm,
                                                                int certificateDurationDays)
                                                         throws CertificateException

Generates a self-signed X509Certificate suitable for use as a Certificate Authority.

Parameters:

keyPair - the KeyPair to generate the X509Certificate for

dn - the distinguished name to user for the X509Certificate

signingAlgorithm - the signing algorithm to use for the X509Certificate

certificateDurationDays - the duration in days for which the X509Certificate should be valid

Returns:

a self-signed X509Certificate suitable for use as a Certificate Authority

Throws:

CertificateException - if there is an generating the new certificate

generateIssuedCertificate

public static X509Certificate generateIssuedCertificate(String dn,
                                                        PublicKey publicKey,
                                                        X509Certificate issuer,
                                                        KeyPair issuerKeyPair,
                                                        String signingAlgorithm,
                                                        int days)
                                                 throws CertificateException

Generates an issued X509Certificate from the given issuer certificate and KeyPair

Parameters:

dn - the distinguished name to use

publicKey - the public key to issue the certificate to

issuer - the issuer's certificate

issuerKeyPair - the issuer's keypair

signingAlgorithm - the signing algorithm to use

days - the number of days it should be valid for

Returns:

an issued X509Certificate from the given issuer certificate and KeyPair

Throws:

CertificateException - if there is an error issuing the certificate

generateIssuedCertificate

public static X509Certificate generateIssuedCertificate(String dn,
                                                        PublicKey publicKey,
                                                        org.bouncycastle.asn1.x509.Extensions extensions,
                                                        X509Certificate issuer,
                                                        KeyPair issuerKeyPair,
                                                        String signingAlgorithm,
                                                        int days)
                                                 throws CertificateException

Generates an issued X509Certificate from the given issuer certificate and KeyPair

Parameters:

dn - the distinguished name to use

publicKey - the public key to issue the certificate to

extensions - extensions extracted from the CSR

issuer - the issuer's certificate

issuerKeyPair - the issuer's keypair

signingAlgorithm - the signing algorithm to use

days - the number of days it should be valid for

Returns:

an issued X509Certificate from the given issuer certificate and KeyPair

Throws:

CertificateException - if there is an error issuing the certificate

compareDNs

public static boolean compareDNs(String dn1,
                                 String dn2)

Returns true if the two provided DNs are equivalent, regardless of the order of the elements. Returns false if one or both are invalid DNs. Example: CN=test1, O=testOrg, C=US compared to CN=test1, O=testOrg, C=US -> true CN=test1, O=testOrg, C=US compared to O=testOrg, CN=test1, C=US -> true CN=test1, O=testOrg, C=US compared to CN=test2, O=testOrg, C=US -> false CN=test1, O=testOrg, C=US compared to O=testOrg, CN=test2, C=US -> false CN=test1, O=testOrg, C=US compared to -> false compared to -> true

Parameters:

dn1 - the first DN to compare

dn2 - the second DN to compare

Returns:

true if the DNs are equivalent, false otherwise

getExtensionsFromCSR

public static org.bouncycastle.asn1.x509.Extensions getExtensionsFromCSR(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest csr)

Extract extensions from CSR object