Class CertificateUtils
- java.lang.Object
  - org.jivesoftware.openfire.keystore.CertificateUtils

public class CertificateUtils extends Object

Utility methods for working with Certificate instances.

- Author:
  - Guus der Kinderen, guus.der.kinderen@gmail.com
Constructor Summary
- CertificateUtils()
Method Summary
- static Set<X509Certificate> filterValid(X509Certificate... certificates)
  Returns all valid certificates from the provided input, where validity references the notBefore and notAfter dates of each certificate.
- static Set<X509Certificate> filterValid(Collection<X509Certificate> certificates)
  Returns all valid certificates from the provided input, where validity references the notBefore and notAfter dates of each certificate.
- static Date findValidPointInTime(X509Certificate... chain)
  Attempts to find a point in time on which each of the certificates in the chain will pass X509Certificate.checkValidity(Date).
- static X509Certificate identifyEndEntityCertificate(Collection<X509Certificate> chain)
  Identifies the End Entity (or 'target') certificate in a chain.
- static List<X509Certificate> order(Collection<X509Certificate> certificates)
  Orders certificates, starting from the entity to be validated and progressing back toward the CA root.
- static Set<TrustAnchor> toTrustAnchors(X509Certificate... certificates)
  Transforms an array of certificates into TrustAnchor instances.
- static Set<TrustAnchor> toTrustAnchors(Collection<X509Certificate> certificates)
  Transforms a collection of certificates into TrustAnchor instances.
Method Detail

filterValid

public static Set<X509Certificate> filterValid(X509Certificate... certificates)

Returns all valid certificates from the provided input, where validity references the notBefore and notAfter dates of each certificate. This method returns all certificates from the input for which X509Certificate.checkValidity() returns true. The return value of this method is a Set, which means that duplicate certificates in the input are implicitly removed from the result.

- Parameters:
  - certificates - An array of certificates (possibly empty, possibly null).
- Returns:
  - A Set of valid certificates (possibly empty, but never null).
filterValid

public static Set<X509Certificate> filterValid(Collection<X509Certificate> certificates)

Returns all valid certificates from the provided input, where validity references the notBefore and notAfter dates of each certificate. This method returns all certificates from the input for which X509Certificate.checkValidity() returns true. The return value of this method is a Set, which means that duplicate certificates in the input are implicitly removed from the result.

- Parameters:
  - certificates - A Collection of certificates (possibly empty, possibly null).
- Returns:
  - A Set of valid certificates (possibly empty, but never null).
toTrustAnchors

public static Set<TrustAnchor> toTrustAnchors(X509Certificate... certificates)

Transforms an array of certificates into TrustAnchor instances. This method does not set the nameConstraints parameter of the generated TrustAnchors. The return value of this method is a Set, which means that duplicate certificates in the input are implicitly removed from the result.

- Parameters:
  - certificates - An array of certificates (possibly empty, possibly null).
- Returns:
  - A Set of TrustAnchor instances, one per distinct certificate (possibly empty, but never null).
toTrustAnchors

public static Set<TrustAnchor> toTrustAnchors(Collection<X509Certificate> certificates)

Transforms a collection of certificates into TrustAnchor instances. This method does not set the nameConstraints parameter of the generated TrustAnchors. The return value of this method is a Set, which means that duplicate certificates in the input are implicitly removed from the result.

- Parameters:
  - certificates - A Collection of certificates (possibly empty, possibly null).
- Returns:
  - A Set of TrustAnchor instances, one per distinct certificate (possibly empty, but never null).
order

public static List<X509Certificate> order(Collection<X509Certificate> certificates) throws CertificateException

Orders certificates, starting from the entity to be validated and progressing back toward the CA root. This implementation matches "issuers" to "subjects" of certificates in such a way that the "issuer" value of a certificate matches the "subject" value of the next certificate. When certificates are provided that do not belong to the same chain, a CertificateException is thrown.

- Parameters:
  - certificates - an unordered collection of certificates (cannot be null).
- Returns:
  - An ordered list of certificates (possibly empty, but never null).
- Throws:
  - CertificateException - if there were multiple CA root certs.
identifyEndEntityCertificate

public static X509Certificate identifyEndEntityCertificate(Collection<X509Certificate> chain) throws CertificateException

Identifies the End Entity (or 'target') certificate in a chain. In an ordered chain, this is the certificate on the opposite end from the CA / Root Certificate. This implementation can work with incomplete and unordered chains, as long as the provided certificates are all part of the same chain (or chain segment). Each certificate in the chain is expected to have issued another certificate from the chain, except for one. That one certificate is returned. When ordering the chain fails (for example, when the collection of certificates does not form one linear list) the first certificate from the chain is returned.

- Parameters:
  - chain - The chain (possibly incomplete or unordered, but not null, empty or malformed).
- Returns:
  - The end entity certificate (never null).
- Throws:
  - CertificateException - When no valid chain was provided.
findValidPointInTime

public static Date findValidPointInTime(X509Certificate... chain)

Attempts to find a point in time on which each of the certificates in the chain will pass X509Certificate.checkValidity(Date).

- Parameters:
  - chain - The chain for which to find a valid point in time (cannot be null, or empty).
- Returns:
  - A date on which all certificates in the chain are valid, or null if no such date is available.
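An added usage example, not part of Openfire's code base, that chains the methods documented above into a defender-side chain check: it filters by validity, orders the input, reports the end entity and a common validity date, and finishes with PKIX path validation against the root as trust anchor. The class name ChainCheck and the PEM file path are assumptions (placeholder input).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;
import org.jivesoftware.openfire.keystore.CertificateUtils;

public class ChainCheck {
    public static void main(String[] args) throws Exception {
        // Placeholder path: a PEM file holding the leaf, its intermediates and the
        // self-signed root, in any order (CertificateUtils.order does the sorting).
        String pemPath = args.length > 0 ? args[0] : "/path/to/chain.pem";
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> input = new ArrayList<>();
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                input.add((X509Certificate) c);
            }
        }
        // filterValid only looks at notBefore/notAfter; it does not check signatures.
        Set<X509Certificate> validNow = CertificateUtils.filterValid(input);
        System.out.println((input.size() - validNow.size()) + " certificate(s) not valid today");

        // Leaf first, root last; throws CertificateException when the input mixes
        // unrelated chains or contains more than one root.
        List<X509Certificate> chain = CertificateUtils.order(input);
        X509Certificate leaf = CertificateUtils.identifyEndEntityCertificate(input);
        System.out.println("end entity: " + leaf.getSubjectX500Principal());

        // A date on which every link passes checkValidity(Date), or null when the
        // validity windows never overlap (such a chain can never verify at any time).
        Date when = CertificateUtils.findValidPointInTime(chain.toArray(new X509Certificate[0]));
        System.out.println("chain valid at: " + when);

        // Only a self-signed root should act as trust anchor; if the last link is
        // not self-signed, the file lacks the root and PKIX validation cannot succeed.
        X509Certificate root = chain.get(chain.size() - 1);
        if (!root.getSubjectX500Principal().equals(root.getIssuerX500Principal())) {
            System.out.println("chain is incomplete: no self-signed root present");
            return;
        }
        // toTrustAnchors leaves nameConstraints unset; add constraints via PKIXParameters if needed.
        Set<TrustAnchor> anchors = CertificateUtils.toTrustAnchors(root);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // offline check; keep revocation enabled in production
        CertPath path = cf.generateCertPath(chain.subList(0, chain.size() - 1));
        CertPathValidator.getInstance("PKIX").validate(path, params); // throws if the chain is broken
        System.out.println("PKIX validation succeeded");
    }
}
```

Run it against a chain whose intermediate has expired to see filterValid and findValidPointInTime disagree with the current clock while order still succeeds, since ordering is purely issuer-to-subject matching.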