Class CertificateManager

java.lang.Object
org.jivesoftware.util.CertificateManager

public class CertificateManager extends Object
Utility class that provides similar functionality to the keytool tool. Generated certificates conform to the XMPP spec where domains are kept in the subject alternative names extension.
Author:
Gaston Dombiak
  • Constructor Details

    • CertificateManager

      public CertificateManager()
  • Method Details

    • getClientIdentities

      public static List<String> getClientIdentities(X509Certificate x509Certificate)
      Returns the identities of the remote client as defined in the specified certificate. The identities are mapped by the classes in the "provider.clientCertIdentityMap.classList" property. By default, the subjectDN of the certificate is used.
      Parameters:
      x509Certificate - the certificate that holds the identities of the remote client.
      Returns:
      the identities of the remote client as defined in the specified certificate.
    • getServerIdentities

      public static List<String> getServerIdentities(X509Certificate x509Certificate)
      Returns the identities of the remote server as defined in the specified certificate. The identities are mapped by the classes in the "provider.serverCertIdentityMap.classList" property. By default, the identities are defined in the subjectDN of the certificate, but they can also be defined in subjectAltName extensions of type "xmpp". When that extension is present, the identities defined in the extension are returned. Otherwise, the value stored in the subjectDN is returned.
      Parameters:
      x509Certificate - the certificate that holds the identities of the remote server.
      Returns:
      the identities of the remote server as defined in the specified certificate.
    • isSelfSignedCertificate

      public static boolean isSelfSignedCertificate(X509Certificate certificate)
      Returns true if the specified certificate is a self-signed certificate.
      Parameters:
      certificate - the certificate to check
      Returns:
      true if the specified certificate is a self-signed certificate.
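The two rules documented above (SAN identities take precedence over the subject DN; a self-signed certificate is one whose issuer matches its subject) can be exercised with the standard JCA API plus the BouncyCastle PKIX classes this class already depends on. The following is an added example, not Openfire code: it builds a certificate the way createX509V3Certificate does (domain in the subject CN and in a dnsName SAN), then derives the identities and performs the self-signed check. It also shows why comparing issuer and subject alone is insufficient: a certificate whose issuer equals its subject but which was signed by some other key must not pass. The class name, the domain "xmpp.example.org" and the use of dnsName rather than the "xmpp" otherName are assumptions of this example; decoding the otherName form would need additional ASN.1 handling.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;

import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Added example (not Openfire code): build an XMPP-style server certificate and inspect it. */
public class ServerIdentityExample {

    /**
     * Issuer and subject are both "CN=domain" and the domain is repeated as a dnsName SAN.
     * The certificate is signed with signingKey, which normally is subjectKey's private half.
     */
    static X509Certificate build(KeyPair subjectKey, PrivateKey signingKey, String domain, int days)
            throws IOException, OperatorCreationException, CertificateException {
        X500Name name = new X500Name("CN=" + domain);
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + days * 86_400_000L);
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                name, new BigInteger(64, new SecureRandom()), notBefore, notAfter, name, subjectKey.getPublic());
        builder.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.dNSName, domain)));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(signingKey);
        return new JcaX509CertificateConverter().getCertificate(builder.build(signer));
    }

    /** Documented rule: identities from the SAN extension win; otherwise fall back to the subject DN's CN values. */
    static List<String> serverIdentities(X509Certificate cert) throws CertificateException {
        List<String> ids = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        if (sans != null) {
            for (List<?> san : sans) {
                // Entry layout is [Integer type, value]; type 2 is dNSName. An "xmpp" otherName would be type 0
                // with a DER byte[] value and would need ASN.1 decoding, which this example does not do.
                if (((Integer) san.get(0)).intValue() == GeneralName.dNSName) {
                    ids.add((String) san.get(1));
                }
            }
        }
        if (ids.isEmpty()) {
            X500Name subject = new JcaX509CertificateHolder(cert).getSubject();
            for (RDN rdn : subject.getRDNs(BCStyle.CN)) {
                ids.add(IETFUtils.valueToString(rdn.getFirst().getValue()));
            }
        }
        return ids;
    }

    /** Issuer == subject is necessary but not sufficient: the signature must verify under the certificate's own key. */
    static boolean isSelfSigned(X509Certificate cert) {
        if (!cert.getIssuerX500Principal().equals(cert.getSubjectX500Principal())) {
            return false;
        }
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false; // signature made by another key, corrupted, or algorithm unavailable
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        String domain = "xmpp.example.org"; // constructed sample domain

        X509Certificate genuine = build(kp, kp.getPrivate(), domain, 365);
        System.out.println("identities: " + serverIdentities(genuine));
        System.out.println("genuine self-signed: " + isSelfSigned(genuine));

        // Same issuer and subject, but signed by an unrelated key: must be rejected.
        KeyPair other = kpg.generateKeyPair();
        X509Certificate mismatched = build(kp, other.getPrivate(), domain, 365);
        System.out.println("mismatched self-signed: " + isSelfSigned(mismatched));
    }
}
```

Compile and run with the bcprov and bcpkix jars on the classpath; no provider registration is needed because SHA256withRSA is served by the default JDK providers.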
    • isSigningRequestPending

      public static boolean isSigningRequestPending(X509Certificate certificate)
      Returns true if the specified certificate is ready to be signed by a Certificate Authority. Self-signed certificates need to have their issuer information entered before a Certificate Signing Request (CSR) can be generated.
      Parameters:
      certificate - the certificate to check
      Returns:
      true if the specified certificate is ready to be signed by a Certificate Authority.
    • createSigningRequest

      public static String createSigningRequest(X509Certificate cert, PrivateKey privKey) throws org.bouncycastle.operator.OperatorCreationException, IOException, CertificateParsingException
      Creates and returns the content of a new signing request for the specified certificate. Signing requests are required by Certificate Authorities as part of their signing process. The signing request contains information about the certificate issuer, subject DN, subject alternative names and public key. Private keys are not included. After the Certificate Authority has verified and signed the request, a new certificate is returned.
      Parameters:
      cert - the certificate to create a signing request for.
      privKey - the private key of the certificate.
      Returns:
      the content of a new signing request for the specified certificate.
      Throws:
      org.bouncycastle.operator.OperatorCreationException - if there was a problem creating the CSR
      IOException - if there was a problem creating the CSR
      CertificateParsingException - if there was a problem creating the CSR
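The description above lists what a CSR carries (subject DN, subject alternative names, public key) and what it must not carry (the private key). The added example below, which is not Openfire code, builds such a PKCS#10 request with the BouncyCastle PKIX API, writes it out in PEM form the way toPemRepresentation does, and then performs the checks a receiving CA would perform: the request's self-signature verifies under the embedded public key, the requested dnsName SANs can be read back, and the PEM text contains no private key material. The class name, the CN "xmpp.example.org" and the SAN values are constructed for this example.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.Extensions;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCSException;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

/** Added example (not Openfire code): create, serialize and check a certificate signing request. */
public class SigningRequestExample {

    /** Subject DN, dnsName SANs (as an extensionRequest attribute) and the public key go in; the private key only signs. */
    static PKCS10CertificationRequest createCsr(KeyPair kp, String subjectCn, String... dnsNames)
            throws IOException, OperatorCreationException {
        GeneralName[] names = Arrays.stream(dnsNames)
                .map(n -> new GeneralName(GeneralName.dNSName, n))
                .toArray(GeneralName[]::new);
        ExtensionsGenerator extGen = new ExtensionsGenerator();
        extGen.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(names));

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return new JcaPKCS10CertificationRequestBuilder(new X500Name("CN=" + subjectCn), kp.getPublic())
                .addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate())
                .build(signer);
    }

    /** PEM encoding of any BouncyCastle/JCA object the PEM writer understands (a CSR becomes "CERTIFICATE REQUEST"). */
    static String toPem(Object object) throws IOException {
        StringWriter sw = new StringWriter();
        try (JcaPEMWriter pw = new JcaPEMWriter(sw)) {
            pw.writeObject(object);
        }
        return sw.toString();
    }

    /** Proof of possession: the request must verify under the public key it carries. */
    static boolean signatureValid(PKCS10CertificationRequest csr) throws OperatorCreationException, PKCSException {
        return csr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(csr.getSubjectPublicKeyInfo()));
    }

    /** The dnsName SANs the requester is asking the CA to certify. */
    static List<String> requestedDnsNames(PKCS10CertificationRequest csr) {
        List<String> out = new ArrayList<>();
        for (Attribute attr : csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
            Extensions exts = Extensions.getInstance(attr.getAttrValues().getObjectAt(0));
            GeneralNames sans = GeneralNames.fromExtensions(exts, Extension.subjectAlternativeName);
            if (sans == null) {
                continue;
            }
            for (GeneralName gn : sans.getNames()) {
                if (gn.getTagNo() == GeneralName.dNSName) {
                    out.add(gn.getName().toString());
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample names for this example.
        PKCS10CertificationRequest csr = createCsr(kp, "xmpp.example.org", "xmpp.example.org", "conference.xmpp.example.org");
        String pem = toPem(csr);

        System.out.print(pem);
        System.out.println("signature valid:     " + signatureValid(csr));
        System.out.println("requested dnsNames:  " + requestedDnsNames(csr));
        System.out.println("contains private key: " + pem.contains("PRIVATE KEY"));
    }
}
```

The PEM writer, the PKCS#10 builder and the signer/verifier builders live in the bcpkix jar; a CA-side consumer would pass the parsed request through signatureValid and requestedDnsNames before deciding which of the requested names it is willing to certify.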
    • toPemRepresentation

      public static String toPemRepresentation(Object object) throws IOException
      Generates a PEM representation of the input argument.
      Parameters:
      object - the input argument (cannot be null).
      Returns:
      PEM representation of the input argument.
      Throws:
      IOException - When a PEM representation of the input could not be created.
    • parsePrivateKey

      public static PrivateKey parsePrivateKey(String pemRepresentation, String passPhrase) throws IOException
      Throws:
      IOException
    • parsePrivateKey

      public static PrivateKey parsePrivateKey(InputStream pemRepresentation, String passPhrase) throws IOException
      Parses a PrivateKey instance from a PEM representation. When the provided key is encrypted, the provided pass phrase is applied.
      Parameters:
      pemRepresentation - a PEM representation of a private key (cannot be null or empty)
      passPhrase - optional pass phrase (must be present if the private key is encrypted).
      Returns:
      a PrivateKey instance (never null)
      Throws:
      IOException - if there was a problem parsing the key
    • parseCertificates

      public static Collection<X509Certificate> parseCertificates(String pemRepresentation) throws IOException, CertificateException
      Throws:
      IOException
      CertificateException
    • parseCertificates

      public static Collection<X509Certificate> parseCertificates(InputStream pemRepresentation) throws IOException, CertificateException
      Parses a certificate chain from a PEM representation.
      Parameters:
      pemRepresentation - a PEM representation of a certificate or certificate chain (cannot be null or empty)
      Returns:
      A collection of certificates (possibly empty, but never null).
      Throws:
      IOException - never
      CertificateException - if there was a problem parsing certificates
    • addListener

      public static void addListener(CertificateEventListener listener)
      Registers a listener to receive events.
      Parameters:
      listener - the listener.
    • removeListener

      public static void removeListener(CertificateEventListener listener)
      Unregisters a listener so that it no longer receives events.
      Parameters:
      listener - the listener.
    • fireCertificateStoreChanged

      public static void fireCertificateStoreChanged(CertificateStore store)
      Notifies listeners that a certificate store has changed.
      Parameters:
      store - the store that has changed
    • createX509V3Certificate

      public static X509Certificate createX509V3Certificate(KeyPair kp, int days, String issuerCommonName, String subjectCommonName, String domain, String signAlgoritm) throws GeneralSecurityException, IOException
      Creates an X.509 version 3 certificate.
      Parameters:
      kp - KeyPair that keeps the public and private keys for the new certificate.
      days - time to live, in days
      issuerCommonName - Issuer CN string
      subjectCommonName - Subject CN string
      domain - Domain of the server.
      signAlgoritm - Signature algorithm. This can be either a name or an OID.
      Returns:
      X509 V3 Certificate
      Throws:
      GeneralSecurityException - if there was a problem creating the certificate
      IOException - if there was a problem creating the certificate
    • createX509V3Certificate

      public static X509Certificate createX509V3Certificate(KeyPair kp, int days, String issuerCommonName, String subjectCommonName, String domain, String signAlgoritm, Set<String> sanDnsNames) throws GeneralSecurityException, IOException
      Throws:
      GeneralSecurityException
      IOException
    • createX509V3Certificate

      public static X509Certificate createX509V3Certificate(KeyPair kp, int days, org.bouncycastle.asn1.x500.X500NameBuilder issuerBuilder, org.bouncycastle.asn1.x500.X500NameBuilder subjectBuilder, String domain, String signAlgoritm) throws GeneralSecurityException, IOException
      Creates an X.509 version 3 certificate.
      Parameters:
      kp - KeyPair that keeps the public and private keys for the new certificate.
      days - time to live, in days
      issuerBuilder - IssuerDN builder
      subjectBuilder - SubjectDN builder
      domain - Domain of the server.
      signAlgoritm - Signature algorithm. This can be either a name or an OID.
      Returns:
      X509 V3 Certificate
      Throws:
      GeneralSecurityException - if there was a problem creating the certificate
      IOException - if there was a problem creating the certificate
    • createX509V3Certificate

      public static X509Certificate createX509V3Certificate(KeyPair kp, int days, org.bouncycastle.asn1.x500.X500NameBuilder issuerBuilder, org.bouncycastle.asn1.x500.X500NameBuilder subjectBuilder, String domain, String signAlgoritm, Set<String> sanDnsNames) throws GeneralSecurityException, IOException
      Throws:
      GeneralSecurityException
      IOException
    • getSubjectAlternativeNames

      protected static org.bouncycastle.asn1.x509.GeneralNames getSubjectAlternativeNames(Set<String> sanDnsNames)
    • determineSubjectAlternateNameDnsNameValues

      public static Set<String> determineSubjectAlternateNameDnsNameValues()
      Finds all values that ought to be added as a Subject Alternate Name of the dnsName type to a certificate that identifies this XMPP server.
      Returns:
      A set of names, possibly empty, never null.