public final class CertificateUtils extends Object

| Modifier and Type | Field and Description |
|---|---|
| private static Map<org.bouncycastle.asn1.ASN1ObjectIdentifier,Integer> | dnOrderMap |
| static String | JAVA_11_MAX_SUPPORTED_TLS_PROTOCOL_VERSION |
| static String[] | JAVA_11_SUPPORTED_TLS_PROTOCOL_VERSIONS |
| static String | JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION |
| static String[] | JAVA_8_SUPPORTED_TLS_PROTOCOL_VERSIONS |
| private static long | lastSerialNumberMillis: the time in milliseconds at which the last unique serial number was generated |
| private static org.slf4j.Logger | logger |
| private static BigInteger | millisecondBigInteger: the BigInteger value used as the base of the unique serial number |
| private static String | PEER_NOT_AUTHENTICATED_MSG |
| private static int | serialNumberIncrementor: an incrementor that adds uniqueness to serial numbers generated in the same millisecond |

| Modifier | Constructor and Description |
|---|---|
| private | CertificateUtils() |
| Modifier and Type | Method and Description |
|---|---|
| static boolean | compareDNs(String dn1, String dn2): Returns true if the two provided DNs are equivalent, regardless of the order of the elements. |
| static X509Certificate | convertAbstractX509Certificate(Certificate abstractCertificate): Accepts an abstract Certificate and returns an X509Certificate. |
| static X509Certificate | convertLegacyX509Certificate(X509Certificate legacyCertificate): Accepts a legacy X509Certificate and returns an X509Certificate. |
| private static Map<org.bouncycastle.asn1.ASN1ObjectIdentifier,Integer> | createDnOrderMap() |
| private static String | extractPeerDNFromClientSSLSocket(SSLSocket sslSocket): Returns the DN extracted from the client certificate. |
| private static String | extractPeerDNFromServerSSLSocket(Socket socket): Returns the DN extracted from the server certificate. |
| static String | extractPeerDNFromSSLSocket(Socket socket): Returns the DN extracted from the peer certificate (the server DN if run on the client; the client DN, if available, if run on the server). |
| static String | extractUsername(String dn): Extracts the username from the specified DN. |
| private static X509Certificate | formX509Certificate(byte[] encodedCertificate) |
| static X509Certificate | generateIssuedCertificate(String dn, PublicKey publicKey, org.bouncycastle.asn1.x509.Extensions extensions, X509Certificate issuer, KeyPair issuerKeyPair, String signingAlgorithm, int days): Generates an issued X509Certificate from the given issuer certificate and KeyPair. |
| static X509Certificate | generateIssuedCertificate(String dn, PublicKey publicKey, X509Certificate issuer, KeyPair issuerKeyPair, String signingAlgorithm, int days): Generates an issued X509Certificate from the given issuer certificate and KeyPair. |
| static X509Certificate | generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays): Generates a self-signed X509Certificate suitable for use as a Certificate Authority. |
| static X509Certificate | generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays, String[] dnsSubjectAlternativeNames): Generates a self-signed X509Certificate suitable for use as a Certificate Authority. |
| private static ClientAuth | getClientAuthStatus(SSLSocket sslSocket) |
| static String | getCommonName(String dn): Extracts the common name from the given DN. |
| static org.bouncycastle.asn1.x509.Extensions | getExtensionsFromCSR(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest csr): Extracts the extensions from a CSR object. |
| static List<String> | getSubjectAlternativeNames(X509Certificate certificate): Returns a list of subject alternative names. |
| protected static BigInteger | getUniqueSerialNumber(): Generates a unique serial number from the current time in milliseconds left-shifted 32 bits (to make room for the incrementor) with the incrementor added. |
| static boolean | isTlsError(Throwable e): Returns true if this exception is due to a TLS problem (either directly or because of its cause, if present). |
| static String | reorderDn(String dn): Reorders the DN to the order in which the elements appear in the RFC 2253 table. |
| private static org.bouncycastle.asn1.x500.X500Name | reverseX500Name(org.bouncycastle.asn1.x500.X500Name x500Name): Reverses the X500Name so that the certificate's name is in the right order (see http://stackoverflow.com/questions/7567837/attributes-reversed-in-certificate-subject-and-issuer/12645265). |
private static final org.slf4j.Logger logger
private static final String PEER_NOT_AUTHENTICATED_MSG
public static final String JAVA_8_MAX_SUPPORTED_TLS_PROTOCOL_VERSION
public static final String JAVA_11_MAX_SUPPORTED_TLS_PROTOCOL_VERSION
public static final String[] JAVA_8_SUPPORTED_TLS_PROTOCOL_VERSIONS
public static final String[] JAVA_11_SUPPORTED_TLS_PROTOCOL_VERSIONS
private static long lastSerialNumberMillis
private static int serialNumberIncrementor
private static BigInteger millisecondBigInteger
private static Map<org.bouncycastle.asn1.ASN1ObjectIdentifier,Integer> createDnOrderMap()

public static String extractUsername(String dn)
Extracts the username from the specified DN.
Parameters:
dn - the DN to extract the username from

public static List<String> getSubjectAlternativeNames(X509Certificate certificate) throws CertificateParsingException
Returns a list of subject alternative names.
Parameters:
certificate - a certificate
Throws:
CertificateParsingException - if parsing the certificate failed

public static String extractPeerDNFromSSLSocket(Socket socket) throws CertificateException
Returns the DN extracted from the peer certificate (the server DN if run on the client; the client DN, if available, if run on the server).
If the client auth setting is WANT or NONE and a client certificate is not present, this method will return null.
If the client auth is NEED, it will throw a CertificateException.
Parameters:
socket - the SSL Socket
Throws:
CertificateException - if there is a problem parsing the certificate

private static String extractPeerDNFromClientSSLSocket(SSLSocket sslSocket) throws CertificateException
Returns the DN extracted from the client certificate.
If the client auth setting is WANT or NONE and a certificate is not present (and respectClientAuth is true), this method will return null.
If the client auth is NEED, it will throw a CertificateException.
Parameters:
sslSocket - the SSL Socket
Throws:
CertificateException - if there is a problem parsing the certificate

private static String extractPeerDNFromServerSSLSocket(Socket socket) throws CertificateException
Returns the DN extracted from the server certificate.
Parameters:
socket - the SSL Socket
Throws:
CertificateException - if there is a problem parsing the certificate

private static ClientAuth getClientAuthStatus(SSLSocket sslSocket)
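The WANT/NONE versus NEED contract documented for extractPeerDNFromClientSSLSocket, as an added Java example that is not NiFi's code: the ClientAuth enum and the clientAuthStatus and peerDnFromChain helpers are assumed names, the socket wrapper needs a real handshaken SSLSocket, and main exercises only the pure decision function.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;

// Added example, not NiFi's code; ClientAuth and the helpers below are assumed names.
public final class PeerDnExample {
    enum ClientAuth { NONE, WANT, NEED }
    // Assumed stand-in for getClientAuthStatus(): read the mode off the socket flags.
    static ClientAuth clientAuthStatus(SSLSocket socket) {
        if (socket.getNeedClientAuth()) return ClientAuth.NEED;
        if (socket.getWantClientAuth()) return ClientAuth.WANT;
        return ClientAuth.NONE;
    }

    // Pure decision: chain is null or empty when the peer did not authenticate.
    static String peerDnFromChain(ClientAuth mode, Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            if (mode == ClientAuth.NEED) {
                throw new CertificateException("Client certificate required but none was presented");
            }
            return null;   // WANT or NONE: an anonymous client is acceptable
        }
        // getPeerCertificates() yields abstract Certificate objects; the leaf is at index 0.
        if (!(chain[0] instanceof X509Certificate)) {
            throw new CertificateException("Peer certificate is not X.509: " + chain[0].getType());
        }
        // RFC 2253 string form; preferred over the deprecated getSubjectDN().
        return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
    }
    // Server side: map "peer not verified" onto a missing chain and apply the policy.
    static String extractClientDn(SSLSocket socket) throws CertificateException {
        ClientAuth mode = clientAuthStatus(socket);
        try {
            return peerDnFromChain(mode, socket.getSession().getPeerCertificates());
        } catch (SSLPeerUnverifiedException e) {
            return peerDnFromChain(mode, null);
        }
    }
    public static void main(String[] args) throws CertificateException {
        System.out.println(peerDnFromChain(ClientAuth.WANT, null));
        try {
            peerDnFromChain(ClientAuth.NEED, null);
        } catch (CertificateException expected) {
            System.out.println("NEED without a certificate: " + expected.getMessage());
        }
    }
}
```

With NEED the JSSE handshake itself normally fails before this code runs; the explicit check keeps the method fail-closed if a caller ever passes a socket whose handshake policy was relaxed.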
public static X509Certificate convertLegacyX509Certificate(X509Certificate legacyCertificate) throws CertificateException
Accepts a legacy X509Certificate and returns an X509Certificate. The javax.* package certificate classes are for legacy compatibility and should not be used for new development.
Parameters:
legacyCertificate - the javax.security.cert.X509Certificate
Returns:
a java.security.cert.X509Certificate
Throws:
CertificateException - if there is an error generating the new certificate

public static X509Certificate convertAbstractX509Certificate(Certificate abstractCertificate) throws CertificateException
Accepts an abstract Certificate and returns an X509Certificate. Because sslSocket.getSession().getPeerCertificates() returns an array of the abstract certificates, they must be translated to X.509 to replace the functionality of sslSocket.getSession().getPeerCertificateChain().
Parameters:
abstractCertificate - the java.security.cert.Certificate
Returns:
a java.security.cert.X509Certificate
Throws:
CertificateException - if there is an error generating the new certificate

private static X509Certificate formX509Certificate(byte[] encodedCertificate) throws CertificateException
Throws:
CertificateException

public static String reorderDn(String dn)
Reorders the DN to the order in which the elements appear in the RFC 2253 table (https://www.ietf.org/rfc/rfc2253.txt):

| String | X.500 AttributeType |
|---|---|
| CN | commonName |
| L | localityName |
| ST | stateOrProvinceName |
| O | organizationName |
| OU | organizationalUnitName |
| C | countryName |
| STREET | streetAddress |
| DC | domainComponent |
| UID | userid |

Parameters:
dn - a possibly unordered DN

private static org.bouncycastle.asn1.x500.X500Name reverseX500Name(org.bouncycastle.asn1.x500.X500Name x500Name)
Reverses the X500Name so that the certificate's name is in the right order (see http://stackoverflow.com/questions/7567837/attributes-reversed-in-certificate-subject-and-issuer/12645265).
Parameters:
x500Name - the X500Name created with the intended order

protected static BigInteger getUniqueSerialNumber()
Generates a unique serial number from the current time in milliseconds left-shifted 32 bits (to make room for the incrementor) with the incrementor added.
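The scheme described for getUniqueSerialNumber, as an added example that is not NiFi's implementation; it goes one step beyond the Javadoc by also refusing to move backwards when the clock does, and the timestamp in main is constructed rather than read from the system clock.

```java
import java.math.BigInteger;

// Added example, not NiFi's implementation, of the scheme the Javadoc describes:
// milliseconds << 32 plus a counter for serials issued in the same millisecond.
public final class SerialNumberExample {
    private static long lastMillis = 0L;   // corresponds to lastSerialNumberMillis
    private static int incrementor = 0;    // corresponds to serialNumberIncrementor

    static synchronized BigInteger nextSerial(long nowMillis) {
        if (nowMillis <= lastMillis) {
            // Same millisecond, or the clock stepped back: keep the old time bits and
            // bump the counter so the result still increases (the step-back case is an
            // addition to what the Javadoc describes).
            incrementor++;
        } else {
            lastMillis = nowMillis;
            incrementor = 0;
        }
        // 32 bits of counter sit below the time bits; overflowing them would take four
        // billion issuances in one millisecond, so it is not guarded against here.
        return BigInteger.valueOf(lastMillis).shiftLeft(32).add(BigInteger.valueOf(incrementor));
    }

    public static void main(String[] args) {
        long t = 1_700_000_000_000L;        // constructed timestamp, not wall-clock time
        BigInteger a = nextSerial(t);
        BigInteger b = nextSerial(t);       // same millisecond: b == a + 1
        BigInteger c = nextSerial(t - 5);   // clock stepped back: c == a + 2
        System.out.println(a + "\n" + b + "\n" + c);
        // RFC 5280: serial numbers must be positive and at most 20 octets in DER,
        // which leaves 159 bits for the value once the sign byte is accounted for.
        System.out.println(a.signum() > 0 && c.bitLength() <= 159);
    }
}
```

Uniqueness here holds only within one process; two issuers sharing a CA key would need a shared counter or a different scheme. A time-derived serial is also predictable, and the CA/Browser Forum Baseline Requirements demand at least 64 bits of CSPRNG output in serials of publicly trusted certificates, so treat this as adequate only for an internal CA.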
public static X509Certificate generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays) throws CertificateException
Generates a self-signed X509Certificate suitable for use as a Certificate Authority.
Parameters:
keyPair - the KeyPair to generate the X509Certificate for
dn - the distinguished name to use for the X509Certificate
signingAlgorithm - the signing algorithm to use for the X509Certificate
certificateDurationDays - the duration in days for which the X509Certificate should be valid
Returns:
an X509Certificate suitable for use as a Certificate Authority
Throws:
CertificateException - if there is an error generating the new certificate

public static X509Certificate generateSelfSignedX509Certificate(KeyPair keyPair, String dn, String signingAlgorithm, int certificateDurationDays, String[] dnsSubjectAlternativeNames) throws CertificateException
Generates a self-signed X509Certificate suitable for use as a Certificate Authority.
Parameters:
keyPair - the KeyPair to generate the X509Certificate for
dn - the distinguished name to use for the X509Certificate
signingAlgorithm - the signing algorithm to use for the X509Certificate
certificateDurationDays - the duration in days for which the X509Certificate should be valid
dnsSubjectAlternativeNames - an optional array of dnsName SANs
Returns:
an X509Certificate suitable for use as a Certificate Authority
Throws:
CertificateException - if there is an error generating the new certificate

public static X509Certificate generateIssuedCertificate(String dn, PublicKey publicKey, X509Certificate issuer, KeyPair issuerKeyPair, String signingAlgorithm, int days) throws CertificateException
Generates an issued X509Certificate from the given issuer certificate and KeyPair.
Parameters:
dn - the distinguished name to use
publicKey - the public key to issue the certificate to
issuer - the issuer's certificate
issuerKeyPair - the issuer's keypair
signingAlgorithm - the signing algorithm to use
days - the number of days it should be valid for
Returns:
an X509Certificate issued from the given issuer certificate and KeyPair
Throws:
CertificateException - if there is an error issuing the certificate

public static X509Certificate generateIssuedCertificate(String dn, PublicKey publicKey, org.bouncycastle.asn1.x509.Extensions extensions, X509Certificate issuer, KeyPair issuerKeyPair, String signingAlgorithm, int days) throws CertificateException
Generates an issued X509Certificate from the given issuer certificate and KeyPair.
Parameters:
dn - the distinguished name to use
publicKey - the public key to issue the certificate to
extensions - extensions extracted from the CSR
issuer - the issuer's certificate
issuerKeyPair - the issuer's keypair
signingAlgorithm - the signing algorithm to use
days - the number of days it should be valid for
Returns:
an X509Certificate issued from the given issuer certificate and KeyPair
Throws:
CertificateException - if there is an error issuing the certificate

public static boolean compareDNs(String dn1, String dn2)
Returns true if the two provided DNs are equivalent, regardless of the order of the elements.
Example:
CN=test1, O=testOrg, C=US compared to CN=test1, O=testOrg, C=US -> true
CN=test1, O=testOrg, C=US compared to O=testOrg, CN=test1, C=US -> true
CN=test1, O=testOrg, C=US compared to CN=test2, O=testOrg, C=US -> false
CN=test1, O=testOrg, C=US compared to O=testOrg, CN=test2, C=US -> false
CN=test1, O=testOrg, C=US compared to (empty) -> false
(empty) compared to (empty) -> true
Parameters:
dn1 - the first DN to compare
dn2 - the second DN to compare

public static org.bouncycastle.asn1.x509.Extensions getExtensionsFromCSR(org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest csr)
Extracts the extensions from a CSR object.
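Reordering by the RFC 2253 table and order-insensitive comparison, as an added example that is not NiFi's code: it uses the JDK's javax.naming.ldap.LdapName instead of BouncyCastle, the reorderDn and compareDNs names are reused only to mirror the methods documented above, and the inputs in main are the pairs from the compareDNs example table.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example, not NiFi's code: a JDK-only stand-in for reorderDn() and compareDNs().
public final class DnOrderExample {
    // Attribute-type order from the RFC 2253 table quoted in the reorderDn Javadoc.
    private static final List<String> ORDER =
            Arrays.asList("CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID");

    private static int rank(Rdn rdn) {
        int i = ORDER.indexOf(rdn.getType().toUpperCase(Locale.ROOT));
        return i < 0 ? ORDER.size() : i;   // unknown types sort last, keeping their relative order
    }

    // Parse, sort the RDNs by the table order, and re-serialise in RFC 2253 form.
    static String reorderDn(String dn) throws InvalidNameException {
        if (dn == null || dn.trim().isEmpty()) return "";
        List<Rdn> rdns = new ArrayList<>(new LdapName(dn).getRdns());   // rightmost RDN first
        rdns.sort(Comparator.comparingInt(DnOrderExample::rank));       // List.sort is stable
        StringJoiner out = new StringJoiner(",");
        for (Rdn r : rdns) out.add(r.toString());
        return out.toString();
    }

    // Equivalent iff the reordered forms match; input that does not parse is never equal.
    static boolean compareDNs(String dn1, String dn2) {
        try {
            return reorderDn(dn1).equals(reorderDn(dn2));
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) throws InvalidNameException {
        System.out.println(reorderDn("O=testOrg, CN=test1, C=US"));
        System.out.println(compareDNs("CN=test1, O=testOrg, C=US", "O=testOrg, CN=test1, C=US"));
        System.out.println(compareDNs("CN=test1, O=testOrg, C=US", "O=testOrg, CN=test2, C=US"));
        System.out.println(compareDNs("CN=test1, O=testOrg, C=US", ""));
        System.out.println(compareDNs("", ""));
    }
}
```

Comparison is on the serialised strings, so attribute values are matched exactly; if a policy needs case-insensitive matching of values, normalise them before comparing rather than loosening the parser.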
public static boolean isTlsError(Throwable e)
Returns true if this exception is due to a TLS problem (either directly or because of its cause, if present). Traverses the cause chain recursively.
Parameters:
e - the exception to evaluate

Copyright © 2022 Apache NiFi Project. All rights reserved.