org.jivesoftware.openfire.keystore

Class CertificateUtils

java.lang.Object

org.jivesoftware.openfire.keystore.CertificateUtils

public class CertificateUtils
extends Object

Utility methods for working with Certificate instances.

Author:

Guus der Kinderen, guus.der.kinderen@gmail.com

Constructor Summary

Constructors

Constructor and Description
CertificateUtils()

Method Summary

Modifier and Type	Method and Description
static Set<X509Certificate>	filterValid(Collection<X509Certificate> certificates) Returns all valid certificates from the provided input, where validity references the notBefore and notAfter dates of each certificate.
static Set<X509Certificate>	filterValid(X509Certificate... certificates) Returns all valid certificates from the provided input, where validity references the notBefore and notAfter dates of each certificate.
static Date	findValidPointInTime(X509Certificate... chain) Attempts to find a point in time on which each of the certificates in the chain will pass X509Certificate.checkValidity(Date)
static X509Certificate	identifyEndEntityCertificate(Collection<X509Certificate> chain) Identifies the End Entity (or 'target') certificate in a chain.
static List<X509Certificate>	order(Collection<X509Certificate> certificates) Orders certificates, starting from the entity to be validated and progressing back toward the CA root.
static Set<TrustAnchor>	toTrustAnchors(Collection<X509Certificate> certificates) Transforms a collection of certificates into TrustAnchor instances.
static Set<TrustAnchor>	toTrustAnchors(X509Certificate... certificates) Transforms an array of certificates into TrustAnchor instances.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CertificateUtils

public CertificateUtils()

Method Detail

filterValid

public static Set<X509Certificate> filterValid(X509Certificate... certificates)

Returns all valid certificates from the provided input, where validity references the notBefore and notAfter dates of each certificate. This method returns all certificates from the input for which X509Certificate.checkValidity() returns true. The return value of this method is a Set, which means that duplicate certificates in the input are implicitly being removed from the result.

Parameters:

certificates - An array of certificates (possibly empty, possibly null).

Returns:

A Set of valid certificates (possibly empty, but never null).

filterValid

public static Set<X509Certificate> filterValid(Collection<X509Certificate> certificates)

Returns all valid certificates from the provided input, where validity references the notBefore and notAfter dates of each certificate. This method returns all certificates from the input for which X509Certificate.checkValidity() returns true. The return value of this method is a Set, which means that duplicate certificates in the input are implicitly being removed from the result.

Parameters:

certificates - A Collection of certificates (possibly empty, possibly null).

Returns:

A Set of valid certificates (possibly empty, but never null).

toTrustAnchors

public static Set<TrustAnchor> toTrustAnchors(X509Certificate... certificates)

Transforms an array of certificates into TrustAnchor instances. This method does not set the nameConstraints parameter of the generated TrustAnchors. The return value of this method is a Set, which means that duplicate certificates in the input are implicitly being removed from the result.

Parameters:

certificates - An array of certificates (possibly empty, possibly null).

Returns:

A Set of valid certificates (possibly empty, but never null).

toTrustAnchors

public static Set<TrustAnchor> toTrustAnchors(Collection<X509Certificate> certificates)

Transforms a collection of certificates into TrustAnchor instances. This method does not set the nameConstraints parameter of the generated TrustAnchors. The return value of this method is a Set, which means that duplicate certificates in the input are implicitly being removed from the result.

Parameters:

certificates - An array of certificates (possibly empty, possibly null).

Returns:

A Set of valid certificates (possibly empty, but never null).

order

public static List<X509Certificate> order(Collection<X509Certificate> certificates)
                                   throws CertificateException

Orders certificates, starting from the entity to be validated and progressing back toward the CA root. This implementation matches "issuers" to "subjects" of certificates in such a way that "issuer" value of a certificate matches the "subject" value of the next certificate. When certificates are provided that do not belong to the same chain, a CertificateException is thrown.

Parameters:

certificates - an unordered collection of certificates (cannot be null).

Returns:

An ordered list of certificates (possibly empty, but never null).

Throws:

CertificateException - if there were multiple CA root certs

identifyEndEntityCertificate

public static X509Certificate identifyEndEntityCertificate(Collection<X509Certificate> chain)
                                                    throws CertificateException

Identifies the End Entity (or 'target') certificate in a chain. In an ordered chain, this is the certificate on the opposite end of the CA / Root Certificate. This implementation can work with incomplete and unordered chains, as long as the provided certificates are all part of the same chain (or chain segment). Each certificate in the chain is expected to have issued another certificate from the chain, except for one. That one certificate is returned. When ordering the chain fails (for example, when the collection of certificates do not belong to one linear list) the first certificate from the chain is returned.

Parameters:

chain - The chain (possibly incomplete or unordered, but not null, empty or malformed).

Returns:

The end entity certificate (never null).

Throws:

CertificateException - When no valid chain was provided.

findValidPointInTime

public static Date findValidPointInTime(X509Certificate... chain)

Attempts to find a point in time on which each of the certificates in the chain will pass X509Certificate.checkValidity(Date)

Parameters:

chain - The chain for which to find a valid point in time (cannot be null, or empty).

Returns:

A date on which all certificates in the chain are valid, or null of no such date is available.