|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |
java.lang.Objecteu.emi.security.authn.x509.impl.CertificateUtils
public class CertificateUtils
Utility class with methods simplifying typical certificate related operations.
Nested Class Summary | |
---|---|
static class |
CertificateUtils.Encoding
Definition of the encoding that can be used for reading or writing certificates or keys. |
Field Summary | |
---|---|
static Charset |
ASCII
|
static String |
DEFAULT_KEYSTORE_ALIAS
|
Constructor Summary | |
---|---|
CertificateUtils()
|
Method Summary | |
---|---|
static void |
configureSecProvider()
Configures security providers which are used by the library. |
static X509Certificate[] |
convertToX509Chain(Certificate[] chain)
Performs a trivial conversion by use of casting of a Certificate array into X509Certificate array |
static String |
format(X509Certificate[] certChain,
FormatMode mode)
Produces a human readable text representation of the provided certificate chain. |
static String |
format(X509Certificate cert,
FormatMode mode)
Produces a human readable text representation of the provided certificate. |
static PasswordFinder |
getPF(char[] password)
|
static X509Certificate |
loadCertificate(InputStream is,
CertificateUtils.Encoding format)
Loads a single certificate from the provided input stream. |
static X509Certificate[] |
loadCertificateChain(InputStream is,
CertificateUtils.Encoding format)
Loads a chain of certificates from the provided input stream. |
static KeyStore |
loadPEMKeystore(InputStream is,
char[] password,
char[] ksPassword)
Loads certificates and private keys from the PEM input stream (usually from file). |
static KeyStore |
loadPEMKeystore(InputStream is,
PasswordFinder pf,
char[] ksPassword)
As loadPEMKeystore(InputStream, char[], char[]) but this version allows for providing input
key's encryption password only when needed. |
static PrivateKey |
loadPEMPrivateKey(InputStream is,
PasswordFinder pf)
Loads a private key from the provided input stream. |
static PrivateKey |
loadPrivateKey(InputStream is,
CertificateUtils.Encoding format,
char[] password)
Loads a private key from the provided input stream. |
static void |
saveCertificate(OutputStream os,
X509Certificate cert,
CertificateUtils.Encoding format)
Saves the provided certificate to the output file, using the requested encoding. |
static void |
saveCertificateChain(OutputStream os,
X509Certificate[] chain,
CertificateUtils.Encoding format)
Saves the provided certificate chain to the output stream, using the requested encoding. |
static void |
savePEMKeystore(OutputStream os,
KeyStore ks,
String alias,
String encryptionAlg,
char[] keyPassword,
char[] encryptionPassword)
See savePEMKeystore(OutputStream, KeyStore, String, String, char[], char[], boolean)
with the last argument equal to false. |
static void |
savePEMKeystore(OutputStream os,
KeyStore ks,
String alias,
String encryptionAlg,
char[] keyPassword,
char[] encryptionPassword,
boolean opensslLegacyFormat)
Saves the chosen private key entry from the provided keystore as a plain text PEM data. |
static void |
savePEMKeystore(OutputStream os,
X509Credential toSave,
String encryptionAlg,
char[] encryptionPassword,
boolean opensslLegacyFormat)
See savePEMKeystore(OutputStream, KeyStore, String, String, char[], char[], boolean) . |
static void |
savePrivateKey(OutputStream os,
PrivateKey pk,
CertificateUtils.Encoding format,
String encryptionAlg,
char[] encryptionPassword)
As savePrivateKey(OutputStream, PrivateKey, Encoding, String, char[], boolean) with
the last argument equal to false |
static void |
savePrivateKey(OutputStream os,
PrivateKey pk,
CertificateUtils.Encoding format,
String encryptionAlg,
char[] encryptionPassword,
boolean opensslLegacyFormat)
Saves the provided private key to the output file, using the requested encoding. |
Methods inherited from class java.lang.Object |
---|
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait |
Field Detail |
---|
public static final String DEFAULT_KEYSTORE_ALIAS
public static final Charset ASCII
Constructor Detail |
---|
public CertificateUtils()
Method Detail |
---|
public static void configureSecProvider()
This method must be called before any other usage of the code from canl API.
public static X509Certificate[] convertToX509Chain(Certificate[] chain) throws ClassCastException
chain
- to convert
ClassCastException
- if at least one entry in the source chain is not
an X509Certificate
public static String format(X509Certificate cert, FormatMode mode)
X509Formatter
internally.
cert
- input certificatemode
- controls how detailed the string representation should be
public static String format(X509Certificate[] certChain, FormatMode mode)
X509Formatter
internally.
certChain
- input certificatesmode
- controls how detailed the string representation should be
public static X509Certificate loadCertificate(InputStream is, CertificateUtils.Encoding format) throws IOException
is
- input stream to read encoded certificate fromformat
- encoding type
IOException
- if certificate can not be read or parsedpublic static PrivateKey loadPrivateKey(InputStream is, CertificateUtils.Encoding format, char[] password) throws IOException
Currently supported key encryption algorithms are DES and 3 DES. RC2 is unsupported.
NOTE: currently it is unsupported to load DER private keys which were encoded with openssl
legacy encoding (e.g. with
is
- input stream to read encoded key fromformat
- encoding type (PEM or DER)password
- key's encryption password (can be null is file is not encrypted)
IOException
- if key can not be read or parsedpublic static PrivateKey loadPEMPrivateKey(InputStream is, PasswordFinder pf) throws IOException
loadPrivateKey(InputStream, Encoding, char[])
. It allows to provide PasswordFinder
instead of the actual password. The PasswordFinder
implementation will be used only if
the source is encrypted.
All other limitations and features are as in the loadPrivateKey(InputStream, Encoding, char[])
method.
is
- input stream to read encoded key frompf
- password finder used to discover key's encryption password.
It is used only if the password is actually needed.
IOException
- if key can not be read or parsedpublic static X509Certificate[] loadCertificateChain(InputStream is, CertificateUtils.Encoding format) throws IOException
is
- input stream to read encoded certificates fromformat
- encoding type
IOException
- if certificates can not be read or parsedpublic static KeyStore loadPEMKeystore(InputStream is, char[] password, char[] ksPassword) throws IOException
is
- input stream to read frompassword
- private key's encryption password or null if key is not encrypted.ksPassword
- password which is used to encrypt the private key in the keystore.
Can not be null.
DEFAULT_KEYSTORE_ALIAS
of the JKS type. If password is != null then it is also
used to crypt the key in the keystore. If it is null then #
IOException
- if input can not be read or parsedpublic static KeyStore loadPEMKeystore(InputStream is, PasswordFinder pf, char[] ksPassword) throws IOException
loadPEMKeystore(InputStream, char[], char[])
but this version allows for providing input
key's encryption password only when needed. Input stream is always closed afterwards.
is
- input stream to read frompf
- implementation will be used to get the password needed to decrypt the private key
from the PEM keystore. Won't be used if the key happens to be unencrypted.ksPassword
- password which is used to encrypt the private key in the keystore.
Can not be null.
DEFAULT_KEYSTORE_ALIAS
of the JKS type. If password is != null then it is also
used to crypt the key in the keystore. If it is null then #
IOException
- if input can not be read or parsedpublic static void saveCertificate(OutputStream os, X509Certificate cert, CertificateUtils.Encoding format) throws IOException
os
- where to write the encoded certificate tocert
- certificate to saveformat
- format to use
IOException
- if the data can not be writtenpublic static void savePrivateKey(OutputStream os, PrivateKey pk, CertificateUtils.Encoding format, String encryptionAlg, char[] encryptionPassword) throws IOException, IllegalArgumentException
savePrivateKey(OutputStream, PrivateKey, Encoding, String, char[], boolean)
with
the last argument equal to false
IOException
IllegalArgumentException
public static void savePrivateKey(OutputStream os, PrivateKey pk, CertificateUtils.Encoding format, String encryptionAlg, char[] encryptionPassword, boolean opensslLegacyFormat) throws IOException, IllegalArgumentException
os
- where to write the encoded key topk
- key to saveformat
- format to useencryptionAlg
- encryption algorithm to be used.
Use null if output must not be encrypted.
For PKCS8 output see PKCS8Generator
constants for available names.
For the legacy openssl format, one can use the
algorithm names composed from 3 parts glued with hyphen. The first part determines algorithm,
one of AES, DES, BF and RC2. The second part determines key bits and is used for AES and
optionally for RC2. For AES it is possible to use values
128, 192 and 256. For RC2 64, 40 can be used or nothing - then value 128 is used.
The last part determines the block mode: CFB, ECB, OFB, EDE and CBC. Additionally EDE3
can be used in combination with DES to use DES3 with EDE. Examples:
AES-192-ECB or DES-EDE3.encryptionPassword
- encryption password to be used.opensslLegacyFormat
- if true the key is saved in the legacy openssl format. Otherwise a
PKCS #8 is used.
IOException
- if the data can not be written
IllegalArgumentException
- if encryptionAlg is unsupportedpublic static void saveCertificateChain(OutputStream os, X509Certificate[] chain, CertificateUtils.Encoding format) throws IOException
os
- where to write the encoded certificate tochain
- certificate chain to saveformat
- format to use
IOException
- if the data can not be writtenpublic static void savePEMKeystore(OutputStream os, KeyStore ks, String alias, String encryptionAlg, char[] keyPassword, char[] encryptionPassword) throws IOException, KeyStoreException, IllegalArgumentException, UnrecoverableKeyException, NoSuchAlgorithmException
savePEMKeystore(OutputStream, KeyStore, String, String, char[], char[], boolean)
with the last argument equal to false.
IOException
KeyStoreException
IllegalArgumentException
UnrecoverableKeyException
NoSuchAlgorithmException
public static void savePEMKeystore(OutputStream os, X509Credential toSave, String encryptionAlg, char[] encryptionPassword, boolean opensslLegacyFormat) throws IOException, KeyStoreException, IllegalArgumentException, UnrecoverableKeyException, NoSuchAlgorithmException
savePEMKeystore(OutputStream, KeyStore, String, String, char[], char[], boolean)
.
This method allows for usinf the CANL X509Credential
instead of low level
KeyStore
as argument.
IOException
KeyStoreException
IllegalArgumentException
UnrecoverableKeyException
NoSuchAlgorithmException
public static void savePEMKeystore(OutputStream os, KeyStore ks, String alias, String encryptionAlg, char[] keyPassword, char[] encryptionPassword, boolean opensslLegacyFormat) throws IOException, KeyStoreException, IllegalArgumentException, UnrecoverableKeyException, NoSuchAlgorithmException
os
- where to write the encoded data toks
- keystore to read fromalias
- alias of the private key entry in the keystorekeyPassword
- password of the private key in the keystoreencryptionAlg
- encryption algorithm to be used.
See savePrivateKey(OutputStream, PrivateKey, Encoding, String, char[], boolean)
documentation
for details about allowed values.encryptionPassword
- encryption password to be used.opensslLegacyFormat
- if true the key is saved in the legacy openssl format. Otherwise a
PKCS #8 is used.
IOException
- if the data can not be written
KeyStoreException
- if the provided alias does not exist in the keystore
or if it does not correspond to the private key entry.
IllegalArgumentException
- if encriptionAlg is unsupported or alias is wrong
NoSuchAlgorithmException
UnrecoverableKeyException
public static PasswordFinder getPF(char[] password)
|
||||||||||
PREV CLASS NEXT CLASS | FRAMES NO FRAMES | |||||||||
SUMMARY: NESTED | FIELD | CONSTR | METHOD | DETAIL: FIELD | CONSTR | METHOD |