Openfire 3.6.3 Javadoc

org.jivesoftware.util
Class CertificateManager

java.lang.Object
  extended by org.jivesoftware.util.CertificateManager

public class CertificateManager
extends Object

Utility class that provides similar functionality to the keytool tool. Generated certificates conform to the XMPP spec where domains are kept in the subject alternative names extension.

Author:
Gaston Dombiak

Constructor Summary
CertificateManager()
           
 
Method Summary
static void addListener(CertificateEventListener listener)
          Registers a listener to receive events.
static X509Certificate createDSACert(KeyStore ksKeys, String keyPassword, String alias, String issuerDN, String subjectDN, String domain)
          Creates a new X509 certificate using the DSA algorithm.
static X509Certificate createRSACert(KeyStore ksKeys, String keyPassword, String alias, String issuerDN, String subjectDN, String domain)
          Creates a new X509 certificate using the RSA algorithm.
static String createSigningRequest(X509Certificate cert, PrivateKey privKey)
          Creates and returns the content of a new signing request for the specified certificate.
static void deleteCertificate(KeyStore ksKeys, String alias)
          Deletes the specified certificate from the
static List<String> getPeerIdentities(X509Certificate x509Certificate)
          Returns the identities of the remote server as defined in the specified certificate.
static boolean installCert(KeyStore keyStore, KeyStore trustStore, String keyPassword, String alias, InputStream pkInputStream, String passPhrase, InputStream inputStream, boolean trustCACerts, boolean validateRoot)
          Imports a new signed certificate and its private key into the keystore.
static boolean installReply(KeyStore keyStore, KeyStore trustStore, String keyPassword, String alias, InputStream inputStream, boolean trustCACerts, boolean validateRoot)
          Installs the Certificate Authority reply returned as part of the signing request.
static boolean isDSACertificate(KeyStore ksKeys, String domain)
          Returns true if a DSA certificate was found in the specified keystore for the specified domain.
static boolean isDSACertificate(X509Certificate certificate)
          Returns true if the specified certificate is using the DSA algorithm.
static boolean isRSACertificate(KeyStore ksKeys, String domain)
          Returns true if an RSA certificate was found in the specified keystore for the specified domain.
static boolean isSelfSignedCertificate(KeyStore keyStore, String alias)
          Returns true if the specified certificate is a self-signed certificate.
static boolean isSelfSignedCertificate(KeyStore keyStore, X509Certificate certificate)
          Returns true if the specified certificate is a self-signed certificate.
static boolean isSigningRequestPending(KeyStore keyStore, String alias)
          Returns true if the specified certificate is ready to be signed by a Certificate Authority.
static void removeListener(CertificateEventListener listener)
          Unregisters a listener to receive events.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

CertificateManager

public CertificateManager()
Method Detail

createDSACert

public static X509Certificate createDSACert(KeyStore ksKeys,
                                            String keyPassword,
                                            String alias,
                                            String issuerDN,
                                            String subjectDN,
                                            String domain)
                                     throws GeneralSecurityException,
                                            IOException
Creates a new X509 certificate using the DSA algorithm. The new certificate together with its private key are stored in the specified key store. However, the key store is not saved to the disk. This means that it is up to the "caller" to save the key store to disk after new certificates have been added to the store.

Parameters:
ksKeys - key store where the new certificate and private key are going to be stored.
keyPassword - password of the keystore.
alias - name to use when storing the certificate in the key store.
issuerDN - Issuer string e.g "O=Grid,OU=OGSA,CN=ACME"
subjectDN - Subject string e.g "O=Grid,OU=OGSA,CN=John Doe"
domain - domain of the server to store in the subject alternative name extension.
Returns:
the new X509 V3 Certificate.
Throws:
GeneralSecurityException
IOException

createRSACert

public static X509Certificate createRSACert(KeyStore ksKeys,
                                            String keyPassword,
                                            String alias,
                                            String issuerDN,
                                            String subjectDN,
                                            String domain)
                                     throws GeneralSecurityException,
                                            IOException
Creates a new X509 certificate using the RSA algorithm. The new certificate together with its private key are stored in the specified key store. However, the key store is not saved to the disk. This means that it is up to the "caller" to save the key store to disk after new certificates have been added to the store.

Parameters:
ksKeys - key store where the new certificate and private key are going to be stored.
keyPassword - password of the keystore.
alias - name to use when storing the certificate in the key store.
issuerDN - Issuer string e.g "O=Grid,OU=OGSA,CN=ACME"
subjectDN - Subject string e.g "O=Grid,OU=OGSA,CN=John Doe"
domain - domain of the server to store in the subject alternative name extension.
Returns:
the new X509 V3 Certificate.
Throws:
GeneralSecurityException
IOException

deleteCertificate

public static void deleteCertificate(KeyStore ksKeys,
                                     String alias)
                              throws GeneralSecurityException,
                                     IOException
Deletes the specified certificate from the

Parameters:
ksKeys - key store where the certificate is stored.
alias - alias of the certificate to delete.
Throws:
GeneralSecurityException
IOException

getPeerIdentities

public static List<String> getPeerIdentities(X509Certificate x509Certificate)
Returns the identities of the remote server as defined in the specified certificate. The identities are defined in the subjectDN of the certificate and can also be defined in subjectAltName extensions of type "xmpp". When the extension is present, the identities defined in the extension are returned. Otherwise, the value stored in the subjectDN is returned.

Parameters:
x509Certificate - the certificate that holds the identities of the remote server.
Returns:
the identities of the remote server as defined in the specified certificate.
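The identity list above is only useful once it is compared against the domain the remote server claims. The following added example (not part of the Openfire javadoc or code base) wraps getPeerIdentities in a check that first rejects certificates outside their validity period, then looks for the expected domain among the returned identities with DNS-style case-insensitive matching. The class name, the Result holder and the normalize helper are assumptions introduced here.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Locale;

import org.jivesoftware.util.CertificateManager;

/**
 * Added example, not Openfire code: decide whether a remote server's
 * certificate names the domain we expect to be talking to.
 */
public final class PeerIdentityCheck {

    /** Outcome with a human-readable reason, useful for logging rejected peers. */
    public static final class Result {
        public final boolean accepted;
        public final String reason;

        Result(boolean accepted, String reason) {
            this.accepted = accepted;
            this.reason = reason;
        }
    }

    public static Result check(X509Certificate cert, String expectedDomain) {
        // Validity window first: an identity match on an expired certificate is worthless.
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            return new Result(false, "certificate outside its validity period: " + e.getMessage());
        }

        // Identities come from the xmpp subjectAltName entries, or from the subject DN as fallback.
        List<String> identities = CertificateManager.getPeerIdentities(cert);
        if (identities.isEmpty()) {
            return new Result(false, "certificate carries no server identity");
        }

        String wanted = normalize(expectedDomain);
        for (String identity : identities) {
            if (normalize(identity).equals(wanted)) {
                return new Result(true, "matched identity " + identity);
            }
        }
        return new Result(false, "expected " + expectedDomain + " but certificate names " + identities);
    }

    // DNS names are case-insensitive; also drop a trailing dot from fully qualified forms.
    static String normalize(String name) {
        String n = name.trim().toLowerCase(Locale.ROOT);
        return n.endsWith(".") ? n.substring(0, n.length() - 1) : n;
    }
}
```

A caller that already has the peer's X509Certificate from the TLS session would call PeerIdentityCheck.check(cert, remoteDomain) and refuse the server-to-server connection when accepted is false, logging reason.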

isRSACertificate

public static boolean isRSACertificate(KeyStore ksKeys,
                                       String domain)
                                throws KeyStoreException
Returns true if an RSA certificate was found in the specified keystore for the specified domain.

Parameters:
ksKeys - the keystore that contains the certificates.
domain - domain of the server signed by the certificate.
Returns:
true if an RSA certificate was found in the specified keystore for the specified domain.
Throws:
KeyStoreException

isDSACertificate

public static boolean isDSACertificate(KeyStore ksKeys,
                                       String domain)
                                throws KeyStoreException
Returns true if a DSA certificate was found in the specified keystore for the specified domain.

Parameters:
ksKeys - the keystore that contains the certificates.
domain - domain of the server signed by the certificate.
Returns:
true if a DSA certificate was found in the specified keystore for the specified domain.
Throws:
KeyStoreException

isDSACertificate

public static boolean isDSACertificate(X509Certificate certificate)
                                throws KeyStoreException
Returns true if the specified certificate is using the DSA algorithm. DSA is a signature-only algorithm: it provides authentication but not encryption, whereas RSA provides both encryption and authentication.

Parameters:
certificate - the certificate to analyze.
Returns:
true if the specified certificate is using the DSA algorithm.
Throws:
KeyStoreException

isSelfSignedCertificate

public static boolean isSelfSignedCertificate(KeyStore keyStore,
                                              String alias)
                                       throws KeyStoreException
Returns true if the specified certificate is a self-signed certificate.

Parameters:
keyStore - key store that holds the certificate to verify.
alias - alias of the certificate in the key store.
Returns:
true if the specified certificate is a self-signed certificate.
Throws:
KeyStoreException - if an error happens while using the keystore

isSelfSignedCertificate

public static boolean isSelfSignedCertificate(KeyStore keyStore,
                                              X509Certificate certificate)
                                       throws KeyStoreException
Returns true if the specified certificate is a self-signed certificate. If the certificate is not found in the store, a KeyStoreException is thrown.

Parameters:
keyStore - key store that holds the certificate to verify.
certificate - the certificate in the key store.
Returns:
true if the specified certificate is a self-signed certificate.
Throws:
KeyStoreException - if an error happens while using the keystore

isSigningRequestPending

public static boolean isSigningRequestPending(KeyStore keyStore,
                                              String alias)
                                       throws KeyStoreException
Returns true if the specified certificate is ready to be signed by a Certificate Authority. Self-signed certificates need to get their issuer information entered to be able to generate a Certificate Signing Request (CSR).

Parameters:
keyStore - key store that holds the certificate to verify.
alias - alias of the certificate in the key store.
Returns:
true if the specified certificate is ready to be signed by a Certificate Authority.
Throws:
KeyStoreException - if an error happens while using the keystore

createSigningRequest

public static String createSigningRequest(X509Certificate cert,
                                          PrivateKey privKey)
                                   throws Exception
Creates and returns the content of a new signing request for the specified certificate. Signing requests are required by Certificate Authorities as part of their signing process. The signing request contains information about the certificate issuer, subject DN, subject alternative names and public key. Private keys are not included. After the Certificate Authority has verified and signed the certificate, a new certificate is returned. Use installReply(java.security.KeyStore, java.security.KeyStore, String, String, java.io.InputStream, boolean, boolean) to import the CA reply.

Parameters:
cert - the certificate to create a signing request.
privKey - the private key of the certificate.
Returns:
the content of a new signing request for the specified certificate.
Throws:
Exception

installReply

public static boolean installReply(KeyStore keyStore,
                                   KeyStore trustStore,
                                   String keyPassword,
                                   String alias,
                                   InputStream inputStream,
                                   boolean trustCACerts,
                                   boolean validateRoot)
                            throws Exception
Installs the Certificate Authority reply returned as part of the signing request. The certificate being signed will get its certificate chain updated with the imported certificate(s). An exception is thrown if the certificate in the reply does not match a local certificate or if the signing authority is not known to the server (i.e. not present in the keystore and truststore files). When trustCACerts is set to true, certificates present in the truststore file are used to verify the identity of the entity signing the certificate. When the reply is composed of more than one certificate, you can also specify whether to verify that the root certificate in the chain can be trusted.

Parameters:
keyStore - key store where the certificate is stored.
trustStore - key store where ca certificates are stored.
keyPassword - password of the keystore.
alias - the alias of the existing certificate being signed.
inputStream - the stream containing the CA reply.
trustCACerts - true if certificates present in the truststore file will be used to verify the identity of the entity signing the certificate.
validateRoot - true if you want to verify that the root certificate in the chain can be trusted based on the truststore.
Returns:
true if the CA reply was successfully processed.
Throws:
Exception
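The three methods createRSACert, createSigningRequest and installReply form one procedure, and the javadoc stresses two points a caller must handle: the KeyStore is never written to disk by these methods, and the CA reply should be checked against the truststore. The following added example (not Openfire's own code) strings the steps together with both trustCACerts and validateRoot enabled and persists the keystore after each change. The class name, file paths, password, domain, alias and DN strings are assumed placeholders, not Openfire defaults.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;

import org.jivesoftware.util.CertificateManager;

/**
 * Added example, not Openfire code: create a server certificate, emit its CSR,
 * and later import the CA reply. All constants below are assumed placeholders.
 */
public class ServerCertLifecycle {

    static final String KEYSTORE_PATH = "keystore";       // assumed
    static final String TRUSTSTORE_PATH = "truststore";   // assumed
    static final String STORE_PASSWORD = "changeit";      // assumed
    static final String DOMAIN = "xmpp.example.org";      // assumed
    static final String ALIAS = DOMAIN + "_rsa";          // assumed alias scheme

    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, STORE_PASSWORD.toCharArray());
        } finally {
            in.close();
        }
        return ks;
    }

    // CertificateManager only changes the in-memory KeyStore; persisting it is the caller's job.
    static void save(KeyStore ks, String path) throws Exception {
        OutputStream out = new FileOutputStream(path);
        try {
            ks.store(out, STORE_PASSWORD.toCharArray());
        } finally {
            out.close();
        }
    }

    /** Step 1: new RSA key pair and certificate, with the domain in the subjectAltName extension. */
    static X509Certificate createServerCert(KeyStore ks) throws Exception {
        X509Certificate cert = CertificateManager.createRSACert(ks, STORE_PASSWORD, ALIAS,
                "O=Example,OU=PKI,CN=Example Issuing CA",   // issuerDN (assumed)
                "O=Example,OU=XMPP,CN=" + DOMAIN,           // subjectDN (assumed)
                DOMAIN);
        save(ks, KEYSTORE_PATH);
        return cert;
    }

    /** Step 2: PEM CSR for the CA; the private key stays in the keystore and is not part of the CSR. */
    static String buildCsr(KeyStore ks) throws Exception {
        if (!CertificateManager.isSigningRequestPending(ks, ALIAS)) {
            throw new IllegalStateException(ALIAS + " is not ready to be signed by a CA");
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, STORE_PASSWORD.toCharArray());
        return CertificateManager.createSigningRequest(cert, key);
    }

    /** Step 3: import the CA reply, requiring the signer and the chain root to be in the truststore. */
    static boolean importCaReply(String replyPath) throws Exception {
        KeyStore ks = load(KEYSTORE_PATH);
        KeyStore ts = load(TRUSTSTORE_PATH);
        InputStream reply = new FileInputStream(replyPath);
        boolean installed;
        try {
            installed = CertificateManager.installReply(ks, ts, STORE_PASSWORD, ALIAS, reply, true, true);
        } finally {
            reply.close();
        }
        if (installed) {
            save(ks, KEYSTORE_PATH);   // chain updated in memory; write it out
        }
        return installed;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1 && args[0].equals("csr")) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null);                 // fresh, empty keystore
            createServerCert(ks);
            System.out.println(buildCsr(ks));    // hand this to the CA
        } else if (args.length == 2 && args[0].equals("reply")) {
            System.out.println(importCaReply(args[1]) ? "CA reply installed" : "CA reply rejected");
        } else {
            System.err.println("usage: ServerCertLifecycle csr | reply <ca-reply.pem>");
        }
    }
}
```

Running with csr creates the key pair and prints the CSR; running with reply <file> after the CA has answered imports the signed chain. Passing false for trustCACerts would accept a reply from any signer, which is why the example pins both flags to true.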

installCert

public static boolean installCert(KeyStore keyStore,
                                  KeyStore trustStore,
                                  String keyPassword,
                                  String alias,
                                  InputStream pkInputStream,
                                  String passPhrase,
                                  InputStream inputStream,
                                  boolean trustCACerts,
                                  boolean validateRoot)
                           throws Exception
Imports a new signed certificate and its private key into the keystore. The certificate input stream may contain the signed certificate as well as its CA chain.

Parameters:
keyStore - key store where the certificate will be stored.
trustStore - key store where ca certificates are stored.
keyPassword - password of the keystore.
alias - the alias of the new signed certificate.
pkInputStream - the stream containing the private key.
passPhrase - the passphrase used when creating the private key.
inputStream - the stream containing the signed certificate.
trustCACerts - true if certificates present in the truststore file will be used to verify the identity of the entity signing the certificate.
validateRoot - true if you want to verify that the root certificate in the chain can be trusted based on the truststore.
Returns:
true if the certificate was successfully imported.
Throws:
Exception - if no certificates were found in the inputStream.

addListener

public static void addListener(CertificateEventListener listener)
Registers a listener to receive events.

Parameters:
listener - the listener.

removeListener

public static void removeListener(CertificateEventListener listener)
Unregisters a listener to receive events.

Parameters:
listener - the listener.


Copyright © 2003-2008 Jive Software.