org.jivesoftware.util

Class CertificateManager

java.lang.Object

org.jivesoftware.util.CertificateManager

public class CertificateManager
extends Object

Utility class that provides similar functionality to the keytool tool. Generated certificates conform to the XMPP spec where domains are kept in the subject alternative names extension.

Author:

Gaston Dombiak

Constructor Summary

Constructors

Constructor and Description
CertificateManager()

Method Summary

Methods

Modifier and Type	Method and Description
static void	addListener(CertificateEventListener listener) Registers a listener to receive events.
static String	createSigningRequest(X509Certificate cert, PrivateKey privKey) Creates and returns the content of a new singing request for the specified certificate.
static X509Certificate	createX509V3Certificate(KeyPair kp, int months, String issuerDN, String subjectDN, String domain, String signAlgoritm) Creates an X509 version3 certificate.
static List<String>	getClientIdentities(X509Certificate x509Certificate) Returns the identities of the remote client as defined in the specified certificate.
static X509Certificate	getEndEntityCertificate(Certificate[] chain, KeyStore certStore, KeyStore trustStore) Decide whether or not to trust the given supplied certificate chain, returning the End Entity Certificate in this case where it can, and null otherwise.
static List<String>	getServerIdentities(X509Certificate x509Certificate) Returns the identities of the remote server as defined in the specified certificate.
static boolean	installCert(KeyStore keyStore, KeyStore trustStore, String keyPassword, String alias, InputStream pkInputStream, String passPhrase, InputStream inputStream) Imports a new signed certificate and its private key into the keystore.
static boolean	installReply(KeyStore keyStore, KeyStore trustStore, String keyPassword, String alias, InputStream inputStream) Installs the Certificate Authority reply returned as part of the signing request.
static boolean	isDSACertificate(CertificateStore storeConfig, String domain) Returns true if an DSA certificate was found in the specified keystore for the specified domain.
static boolean	isDSACertificate(X509Certificate certificate) Returns true if the specified certificate is using the DSA algorithm.
static boolean	isRSACertificate(CertificateStore storeConfig, String domain) Returns true if an RSA certificate was found in the specified keystore for the specified domain.
static boolean	isSelfSignedCertificate(KeyStore keyStore, String alias) Returns true if the specified certificate is a self-signed certificate.
static boolean	isSelfSignedCertificate(KeyStore keyStore, X509Certificate certificate) Returns true if the specified certificate is a self-signed certificate.
static boolean	isSigningRequestPending(KeyStore keyStore, String alias) Returns true if the specified certificate is ready to be signed by a Certificate Authority.
static List<X509Certificate>	order(Collection<X509Certificate> certificates) Deprecated. Moved to CertificateUtils
static Collection<X509Certificate>	parseCertificates(InputStream pemRepresentation) Deprecated. Use parseCertificates(String) instead.
static Collection<X509Certificate>	parseCertificates(String pemRepresentation) Parses a certificate chain from a PEM representation.
static PrivateKey	parsePrivateKey(InputStream pemRepresentation, String passPhrase) Deprecated. Use parsePrivateKey(String, String) instead.
static PrivateKey	parsePrivateKey(String pemRepresentation, String passPhrase) Parses a PrivateKey instance from a PEM representation.
static void	removeListener(CertificateEventListener listener) Unregisters a listener to receive events.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CertificateManager

public CertificateManager()

Method Detail

getEndEntityCertificate

public static X509Certificate getEndEntityCertificate(Certificate[] chain,
                                      KeyStore certStore,
                                      KeyStore trustStore)

Decide whether or not to trust the given supplied certificate chain, returning the End Entity Certificate in this case where it can, and null otherwise. A self-signed certificate will, for example, return null. For certain failures, we SHOULD generate an exception - revocations and the like, but we currently do not.

Parameters:

chain - an array of X509Certificate where the first one is the endEntityCertificate.

certStore - a keystore containing untrusted certificates (including ICAs, etc).

trustStore - a keystore containing Trust Anchors (most-trusted CA certificates).

Returns:

trusted end-entity certificate, or null.

getClientIdentities

public static List<String> getClientIdentities(X509Certificate x509Certificate)

Returns the identities of the remote client as defined in the specified certificate. The identities are mapped by the classes in the "provider.clientCertIdentityMap.classList" property. By default, the subjectDN of the certificate is used.

Parameters:

x509Certificate - the certificate the holds the identities of the remote server.

Returns:

the identities of the remote client as defined in the specified certificate.

getServerIdentities

public static List<String> getServerIdentities(X509Certificate x509Certificate)

Returns the identities of the remote server as defined in the specified certificate. The identities are mapped by the classes in the "provider.serverCertIdentityMap.classList" property. By default, the identities are defined in the subjectDN of the certificate and it can also be defined in the subjectAltName extensions of type "xmpp". When the extension is being used then the identities defined in the extension are going to be returned. Otherwise, the value stored in the subjectDN is returned.

Parameters:

x509Certificate - the certificate the holds the identities of the remote server.

Returns:

the identities of the remote server as defined in the specified certificate.

isRSACertificate

public static boolean isRSACertificate(CertificateStore storeConfig,
                       String domain)
                                throws KeyStoreException

Returns true if an RSA certificate was found in the specified keystore for the specified domain.

Parameters:

storeConfig - the store to use for searching the certificate.

domain - domain of the server signed by the certificate.

Returns:

true if an RSA certificate was found in the specified keystore for the specified domain.

Throws:

KeyStoreException

isDSACertificate

public static boolean isDSACertificate(CertificateStore storeConfig,
                       String domain)
                                throws KeyStoreException

Returns true if an DSA certificate was found in the specified keystore for the specified domain.

Parameters:

storeConfig - the store to use for searching the certificate.

domain - domain of the server signed by the certificate.

Returns:

true if an DSA certificate was found in the specified keystore for the specified domain.

Throws:

KeyStoreException

isDSACertificate

public static boolean isDSACertificate(X509Certificate certificate)
                                throws KeyStoreException

Returns true if the specified certificate is using the DSA algorithm. The DSA algorithm is not good for encryption but only for authentication. On the other hand, the RSA algorithm is good for encryption and authentication.

Parameters:

certificate - the certificate to analyze.

Returns:

true if the specified certificate is using the DSA algorithm.

Throws:

KeyStoreException

isSelfSignedCertificate

public static boolean isSelfSignedCertificate(KeyStore keyStore,
                              String alias)
                                       throws KeyStoreException

Returns true if the specified certificate is a self-signed certificate.

Parameters:

keyStore - key store that holds the certificate to verify.

alias - alias of the certificate in the key store.

Returns:

true if the specified certificate is a self-signed certificate.

Throws:

KeyStoreException - if an error happens while usign the keystore

isSelfSignedCertificate

public static boolean isSelfSignedCertificate(KeyStore keyStore,
                              X509Certificate certificate)
                                       throws KeyStoreException

Returns true if the specified certificate is a self-signed certificate. If the certificate was not found in the store then a KeyStoreException is returned.

Parameters:

keyStore - key store that holds the certificate to verify.

certificate - the certificate in the key store.

Returns:

true if the specified certificate is a self-signed certificate.

Throws:

KeyStoreException - if an error happens while usign the keystore

isSigningRequestPending

public static boolean isSigningRequestPending(KeyStore keyStore,
                              String alias)
                                       throws KeyStoreException

Returns true if the specified certificate is ready to be signed by a Certificate Authority. Self-signed certificates need to get their issuer information entered to be able to generate a Certificate Signing Request (CSR).

Parameters:

keyStore - key store that holds the certificate to verify.

alias - alias of the certificate in the key store.

Returns:

true if the specified certificate is ready to be signed by a Certificate Authority.

Throws:

KeyStoreException - if an error happens while usign the keystore

createSigningRequest

public static String createSigningRequest(X509Certificate cert,
                          PrivateKey privKey)
                                   throws InvalidKeyException,
                                          NoSuchAlgorithmException,
                                          NoSuchProviderException,
                                          SignatureException,
                                          IOException

Creates and returns the content of a new singing request for the specified certificate. Signing requests are required by Certificate Authorities as part of their signing process. The signing request contains information about the certificate issuer, subject DN, subject alternative names and public key. Private keys are not included. After the Certificate Authority verified and signed the certificate a new certificate is going to be returned. Use installReply(java.security.KeyStore, java.security.KeyStore, String, String, java.io.InputStream) to import the CA reply.

Parameters:

cert - the certificate to create a signing request.

privKey - the private key of the certificate.

Returns:

the content of a new singing request for the specified certificate.

Throws:

InvalidKeyException

NoSuchAlgorithmException

NoSuchProviderException

SignatureException

IOException

installReply

public static boolean installReply(KeyStore keyStore,
                   KeyStore trustStore,
                   String keyPassword,
                   String alias,
                   InputStream inputStream)
                            throws Exception

Installs the Certificate Authority reply returned as part of the signing request. The certificate being signed will get its certificate chain updated with the imported certificate(s). An exception will be thrown if the replied certificate does not match a local certificate or if the signing authority is not known by the server (i.e. keystore and truststore files) The identity of the entity that has signed the reply is verified against the provided trust store. The

Parameters:

keyStore - key store where the certificate is stored.

trustStore - key store where ca certificates are stored.

keyPassword - password of the keystore.

alias - the alias of the existing certificate being signed.

inputStream - the stream containing the CA reply.

Returns:

true if the CA reply was successfully processed.

Throws:

Exception

installCert

public static boolean installCert(KeyStore keyStore,
                  KeyStore trustStore,
                  String keyPassword,
                  String alias,
                  InputStream pkInputStream,
                  String passPhrase,
                  InputStream inputStream)
                           throws Exception

Imports a new signed certificate and its private key into the keystore. The certificate input stream may contain the signed certificate as well as its CA chain.

Parameters:

keyStore - key store where the certificate will be stored.

trustStore - key store where ca certificates are stored.

keyPassword - password of the keystore.

alias - the alias of the the new signed certificate.

pkInputStream - the stream containing the private key.

passPhrase - is the password phrased used when creating the private key.

inputStream - the stream containing the signed certificate.

Returns:

true if the certificate was successfully imported.

Throws:

Exception - if no certificates were found in the inputStream.

parsePrivateKey

@Deprecated
public static PrivateKey parsePrivateKey(InputStream pemRepresentation,
                                    String passPhrase)
                                  throws IOException

Deprecated. Use parsePrivateKey(String, String) instead.

Throws:

IOException

parsePrivateKey

public static PrivateKey parsePrivateKey(String pemRepresentation,
                         String passPhrase)
                                  throws IOException

Parses a PrivateKey instance from a PEM representation. When the provided key is encrypted, the provided pass phrase is applied.

Parameters:

pemRepresentation - a PEM representation of a private key (cannot be null or empty)

passPhrase - optional pass phrase (must be present if the private key is encrypted).

Returns:

a PrivateKey instance (never null)

Throws:

IOException

parseCertificates

@Deprecated
public static Collection<X509Certificate> parseCertificates(InputStream pemRepresentation)
                                                     throws IOException,
                                                            CertificateException

Deprecated. Use parseCertificates(String) instead.

Throws:

IOException

CertificateException

parseCertificates

public static Collection<X509Certificate> parseCertificates(String pemRepresentation)
                                                     throws IOException,
                                                            CertificateException

Parses a certificate chain from a PEM representation.

Parameters:

pemRepresentation - a PEM representation of a certificate or certificate chain (cannot be null or empty)

Returns:

A collection of certificates (possibly empty, but never null).

Throws:

IOException

CertificateException

addListener

public static void addListener(CertificateEventListener listener)

Registers a listener to receive events.

Parameters:

listener - the listener.

removeListener

public static void removeListener(CertificateEventListener listener)

Unregisters a listener to receive events.

Parameters:

listener - the listener.

order

@Deprecated
public static List<X509Certificate> order(Collection<X509Certificate> certificates)
                                   throws CertificateException

Deprecated. Moved to CertificateUtils

Orders certificates, starting from the entity to be validated and progressing back toward the CA root. This implementation matches "issuers" to "subjects" of certificates in such a way that "issuer" value of a certificate matches the "subject" value of the next certificate. When certificates are provided that do not belong to the same chain, a CertificateException is thrown.

Parameters:

certificates - an unordered collection of certificates (cannot be null).

Returns:

An ordered list of certificates (possibly empty, but never null).

Throws:

CertificateException

createX509V3Certificate

public static X509Certificate createX509V3Certificate(KeyPair kp,
                                      int months,
                                      String issuerDN,
                                      String subjectDN,
                                      String domain,
                                      String signAlgoritm)
                                               throws GeneralSecurityException,
                                                      IOException

Creates an X509 version3 certificate.

Parameters:

kp - KeyPair that keeps the public and private keys for the new certificate.

months - time to live

issuerDN - Issuer string e.g "O=Grid,OU=OGSA,CN=ACME"

subjectDN - Subject string e.g "O=Grid,OU=OGSA,CN=John Doe"

domain - Domain of the server.

signAlgoritm - Signature algorithm. This can be either a name or an OID.

Returns:

X509 V3 Certificate

Throws:

GeneralSecurityException

IOException