Class BouncyCastleUtil

java.lang.Object
org.globus.gsi.bc.BouncyCastleUtil

public class BouncyCastleUtil extends Object
A collection of utility functions for working with X.509 certificates, GSI proxy certificates and their extensions through the Bouncy Castle ASN.1 API.
  • Field Details

    • i18n

      private static I18n i18n
  • Constructor Details

    • BouncyCastleUtil

      public BouncyCastleUtil()
  • Method Details

    • toByteArray

      public static byte[] toByteArray(org.bouncycastle.asn1.ASN1Primitive obj) throws IOException
      Converts the given ASN.1 object (an ASN1Primitive; called DERObject in older Bouncy Castle releases) into its DER-encoded byte array.
      Parameters:
      obj - the ASN.1 object to encode.
      Returns:
      the DER encoding of obj.
      Throws:
      IOException - if encoding fails.
    • toASN1Primitive

      public static org.bouncycastle.asn1.ASN1Primitive toASN1Primitive(byte[] data) throws IOException
      Decodes the given DER-encoded byte array into an ASN.1 object (an ASN1Primitive; called DERObject in older Bouncy Castle releases).
      Parameters:
      data - the DER-encoded byte array to decode.
      Returns:
      the decoded ASN.1 object.
      Throws:
      IOException - if the data is not a valid DER encoding.
    • duplicate

      public static org.bouncycastle.asn1.ASN1Primitive duplicate(org.bouncycastle.asn1.ASN1Primitive obj) throws IOException
      Returns a copy of the given ASN.1 object that is independent of the original.
      Parameters:
      obj - the ASN.1 object to copy.
      Returns:
      a copy of the ASN.1 object.
      Throws:
      IOException - if the copy cannot be made.
    • getTBSCertificateStructure

      public static org.bouncycastle.asn1.x509.TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert) throws CertificateEncodingException, IOException
      Extracts the TBSCertificate structure (the signed portion of the certificate: version, serial, issuer, validity, subject, public key and extensions) from the given certificate.
      Parameters:
      cert - the X.509 certificate to extract the TBSCertificate from.
      Returns:
      the TBSCertificate structure
      Throws:
      CertificateEncodingException - if the certificate cannot be DER-encoded.
      IOException - if the certificate encoding cannot be parsed.
    • getExtensionObject

      public static org.bouncycastle.asn1.ASN1Primitive getExtensionObject(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
      Extracts the value of a certificate extension and decodes it into an ASN.1 object.
      Parameters:
      ext - the certificate extension to extract the value from.
      Returns:
      the decoded extension value.
      Throws:
      IOException - if the extension value cannot be decoded.
    • getCertificateType

      public static GSIConstants.CertificateType getCertificateType(X509Certificate cert, TrustedCertificates trustedCerts) throws CertificateException
      Deprecated.
      Returns the certificate type of the given certificate. See getCertificateType(TBSCertificateStructure) for the rules used to determine the type.
      Parameters:
      cert - the certificate to get the type of.
      trustedCerts - the trusted certificates against which a certificate that would otherwise be classified as GSIConstants.EEC is double-checked.
      Returns:
      the certificate type as determined by getCertificateType(TBSCertificateStructure).
      Throws:
      CertificateException - if the type cannot be determined, or if the certificate is a malformed proxy (see getCertificateType(TBSCertificateStructure)).
    • getCertificateType

      public static GSIConstants.CertificateType getCertificateType(X509Certificate cert, CertStore trustedCerts) throws CertificateException
      Returns the certificate type of the given certificate. See getCertificateType(TBSCertificateStructure) for the rules used to determine the type.
      Parameters:
      cert - the certificate to get the type of.
      trustedCerts - the trusted certificates against which a certificate that would otherwise be classified as GSIConstants.EEC is double-checked.
      Returns:
      the certificate type as determined by getCertificateType(TBSCertificateStructure).
      Throws:
      CertificateException - if the type cannot be determined, or if the certificate is a malformed proxy (see getCertificateType(TBSCertificateStructure)).
    • getCertificateType

      public static GSIConstants.CertificateType getCertificateType(X509Certificate cert) throws CertificateException
      Returns the certificate type of the given certificate without consulting any trusted certificates. See getCertificateType(TBSCertificateStructure) for the rules used to determine the type.
      Parameters:
      cert - the certificate to get the type of.
      Returns:
      the certificate type as determined by getCertificateType(TBSCertificateStructure).
      Throws:
      CertificateException - if the type cannot be determined, or if the certificate is a malformed proxy (see getCertificateType(TBSCertificateStructure)).
    • getCertificateType

      public static GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt, TrustedCertificates trustedCerts) throws CertificateException, IOException
      Returns the certificate type of the given TBS certificate, double-checking a GSIConstants.EEC result against the trusted certificates in the same way as the X509Certificate variants above. See getCertificateType(TBSCertificateStructure) for the rules used to determine the type.
      Parameters:
      crt - the TBS certificate to get the type of.
      trustedCerts - the trusted certificates against which a certificate that would otherwise be classified as GSIConstants.EEC is double-checked.
      Returns:
      the certificate type.
      Throws:
      CertificateException - if the type cannot be determined, or if the certificate is a malformed proxy.
      IOException - if the certificate cannot be decoded.
    • getCertificateType

      private static GSIConstants.CertificateType getCertificateType(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws CertificateException, IOException
      Returns the certificate type of the given TBS certificate. The type is determined as follows.
      The certificate type is GSIConstants.CA only if the certificate contains a BasicConstraints extension with the CA flag set.
      A certificate is a GSI-2 proxy when the subject DN ends with a "CN=proxy" component (certificate type GSIConstants.GSI_2_PROXY) or a "CN=limited proxy" component (certificate type GSIConstants.LIMITED_PROXY) and the issuer DN equals the subject DN without that last CN component.
      A certificate is a GSI-3 proxy when the subject DN ends with a CN component, the issuer DN equals the subject DN without that last CN component, and the certificate carries a ProxyCertInfo extension marked critical. The policy language OID of the ProxyCertInfo extension then selects the type: GSIConstants.GSI_3_IMPERSONATION_PROXY for ProxyPolicy.IMPERSONATION, GSIConstants.GSI_3_LIMITED_PROXY for ProxyPolicy.LIMITED, GSIConstants.GSI_3_INDEPENDENT_PROXY for ProxyPolicy.INDEPENDENT, and GSIConstants.GSI_3_RESTRICTED_PROXY for any other OID.
      The certificate type is GSIConstants.EEC if the certificate is neither a CA certificate nor a GSI-2 or GSI-3 proxy.
      Parameters:
      crt - the TBS certificate to get the type of.
      Returns:
      the certificate type, determined by the rules described above.
      Throws:
      IOException - if the certificate or one of its extensions cannot be decoded.
      CertificateException - for proxy certificates whose issuer DN does not match the subject DN without the last CN component, and for GSI-3 proxies whose ProxyCertInfo extension is not marked critical.
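The rules above, restated as a stand-alone classifier so that each check is visible. This is an added example, not JGlobus code: it works on a java.security.cert.X509Certificate with the Bouncy Castle ASN.1 classes only, its Type enum and constant names are its own (they mirror the GSIConstants names used above), and it assumes the ProxyCertInfo extension is present under the RFC 3820 OID 1.3.6.1.5.5.7.1.14 with the standard policy-language OIDs (id-ppl-inheritAll 1.3.6.1.5.5.7.21.1 for impersonation, id-ppl-independent 1.3.6.1.5.5.7.21.2, and the Globus limited-proxy OID 1.3.6.1.4.1.3536.1.1.1.9). Pre-RFC Globus proxies that used a different extension OID are not handled.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Set;

import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.asn1.x500.style.IETFUtils;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;

/** Example re-statement of the GSI certificate-type rules (not part of JGlobus). */
public final class ProxyTypeClassifier {

    /** This example's own type names; they mirror the GSIConstants types documented above. */
    public enum Type { CA, EEC, GSI_2_PROXY, GSI_2_LIMITED_PROXY,
        GSI_3_IMPERSONATION_PROXY, GSI_3_LIMITED_PROXY, GSI_3_INDEPENDENT_PROXY, GSI_3_RESTRICTED_PROXY }

    // Assumption: the RFC 3820 id-pe-proxyCertInfo OID and the standard policy-language OIDs.
    static final String PROXY_CERT_INFO = "1.3.6.1.5.5.7.1.14";
    static final ASN1ObjectIdentifier IMPERSONATION = new ASN1ObjectIdentifier("1.3.6.1.5.5.7.21.1");
    static final ASN1ObjectIdentifier INDEPENDENT   = new ASN1ObjectIdentifier("1.3.6.1.5.5.7.21.2");
    static final ASN1ObjectIdentifier LIMITED       = new ASN1ObjectIdentifier("1.3.6.1.4.1.3536.1.1.1.9");

    public static Type classify(X509Certificate cert) throws CertificateException, IOException {
        // CA rule: BasicConstraints present and cA == TRUE.
        byte[] bc = cert.getExtensionValue(Extension.basicConstraints.getId());
        if (bc != null && BasicConstraints.getInstance(unwrap(bc)).isCA()) {
            return Type.CA;
        }

        // RDNs come back in encoded order, so the last one is the most specific component,
        // i.e. the trailing "/CN=..." of the Globus-format DN.
        X500Name subject = X500Name.getInstance(cert.getSubjectX500Principal().getEncoded());
        X500Name issuer  = X500Name.getInstance(cert.getIssuerX500Principal().getEncoded());
        RDN[] rdns = subject.getRDNs();
        RDN last = rdns.length > 0 ? rdns[rdns.length - 1] : null;
        boolean lastIsCn = last != null && !last.isMultiValued()
                && BCStyle.CN.equals(last.getFirst().getType());
        String cn = lastIsCn ? IETFUtils.valueToString(last.getFirst().getValue()) : null;
        boolean gsi2Name = "proxy".equals(cn) || "limited proxy".equals(cn);
        byte[] pci = cert.getExtensionValue(PROXY_CERT_INFO);

        // EEC rule: neither a CA nor anything that claims to be a proxy.
        if (pci == null && !gsi2Name) {
            return Type.EEC;
        }

        // Both proxy flavours require issuer DN == subject DN minus its last CN component.
        if (!lastIsCn || !new X500Name(Arrays.copyOf(rdns, rdns.length - 1)).equals(issuer)) {
            throw new CertificateException("proxy issuer DN does not match subject DN without its last CN");
        }
        // GSI-2 rule: legacy naming convention, no ProxyCertInfo extension.
        if (pci == null) {
            return "proxy".equals(cn) ? Type.GSI_2_PROXY : Type.GSI_2_LIMITED_PROXY;
        }

        // GSI-3 rule: ProxyCertInfo must be critical; its policy language selects the type.
        Set<String> critical = cert.getCriticalExtensionOIDs();
        if (critical == null || !critical.contains(PROXY_CERT_INFO)) {
            throw new CertificateException("ProxyCertInfo extension is not marked critical");
        }
        // ProxyCertInfo ::= SEQUENCE { pCPathLenConstraint INTEGER OPTIONAL,
        //     proxyPolicy SEQUENCE { policyLanguage OBJECT IDENTIFIER, policy OCTET STRING OPTIONAL } }
        ASN1Sequence info   = ASN1Sequence.getInstance(unwrap(pci));
        ASN1Sequence policy = ASN1Sequence.getInstance(info.getObjectAt(info.size() - 1));
        ASN1ObjectIdentifier language = ASN1ObjectIdentifier.getInstance(policy.getObjectAt(0));
        if (IMPERSONATION.equals(language)) return Type.GSI_3_IMPERSONATION_PROXY;
        if (LIMITED.equals(language))       return Type.GSI_3_LIMITED_PROXY;
        if (INDEPENDENT.equals(language))   return Type.GSI_3_INDEPENDENT_PROXY;
        return Type.GSI_3_RESTRICTED_PROXY;
    }

    /** X509Certificate.getExtensionValue() returns a DER OCTET STRING wrapping the value; strip it. */
    static ASN1Primitive unwrap(byte[] extensionValue) throws IOException {
        return ASN1Primitive.fromByteArray(ASN1OctetString.getInstance(extensionValue).getOctets());
    }

    /** Usage: java ProxyTypeClassifier cert.pem */
    public static void main(String[] args) throws Exception {
        try (InputStream in = new FileInputStream(args[0])) {
            X509Certificate cert = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
            System.out.println(classify(cert));
        }
    }
}
```

Two of the checks deserve emphasis when reading the rules: the issuer-equals-subject-prefix test is what stops an attacker-issued certificate from merely naming itself a proxy of someone else's identity, and the criticality test ensures that an RFC 3820-unaware validator rejects the proxy rather than silently treating it as an ordinary certificate.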
    • getKeyUsage

      public static boolean[] getKeyUsage(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
      Gets a boolean array representing the bits of the KeyUsage extension, in the bit order defined by RFC 5280 (digitalSignature first), which is the same layout that X509Certificate.getKeyUsage() returns.
      Parameters:
      ext - the KeyUsage extension.
      Returns:
      the KeyUsage bits as a boolean array.
      Throws:
      IOException - if the KeyUsage extension value cannot be decoded.
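Decoding a KeyUsage BIT STRING by hand shows the two details that matter here: the extension value is a DER OCTET STRING wrapping the BIT STRING, and bit 0 is the most significant bit of the first content byte, with the pad-bit count trimming the tail. This is an added example, not JGlobus code; the sample bytes are constructed inline and represent what X509Certificate.getExtensionValue("2.5.29.15") returns for a certificate with digitalSignature and keyEncipherment set.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.DERBitString;

/** Example KeyUsage decoder (not part of JGlobus). */
public final class KeyUsageBits {

    /** RFC 5280 KeyUsage bit names; the index is the bit position. */
    static final String[] NAMES = {
        "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
        "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"
    };

    // Constructed sample: OCTET STRING (04 04) { BIT STRING (03 02) pad=5, bits=0xA0 }.
    // 0xA0 = 1010 0000, so bit 0 (digitalSignature) and bit 2 (keyEncipherment) are set.
    static final byte[] SAMPLE = { 0x04, 0x04, 0x03, 0x02, 0x05, (byte) 0xA0 };

    /** Same layout as X509Certificate.getKeyUsage(): at least 9 entries, bit i at index i. */
    public static boolean[] decode(byte[] extensionValue) throws IOException {
        byte[] inner = ASN1OctetString.getInstance(extensionValue).getOctets();
        DERBitString bits = DERBitString.getInstance(ASN1Primitive.fromByteArray(inner));
        byte[] b = bits.getBytes();
        int length = b.length * 8 - bits.getPadBits();
        boolean[] usage = new boolean[Math.max(length, 9)];
        for (int i = 0; i < length; i++) {
            // Bit 0 is the MSB of byte 0; ASN.1 BIT STRINGs are numbered from the left.
            usage[i] = (b[i / 8] & (0x80 >>> (i % 8))) != 0;
        }
        return usage;
    }

    /** Maps the set bits to their RFC 5280 names. */
    public static List<String> names(boolean[] usage) {
        List<String> out = new ArrayList<>();
        for (int i = 0; i < NAMES.length && i < usage.length; i++) {
            if (usage[i]) out.add(NAMES[i]);
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        System.out.println(names(decode(SAMPLE)));
    }
}
```

Forgetting the pad-bit subtraction is the usual bug in hand-rolled decoders: with a 3-bit string stored in one byte, reading all 8 bits would report five spurious, always-false flags, or worse, with a non-zero padding byte from a sloppy encoder, spurious true ones.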
    • getProxyCertInfo

      public static ProxyCertInfo getProxyCertInfo(org.bouncycastle.asn1.x509.X509Extension ext) throws IOException
      Creates a ProxyCertInfo object from given extension.
      Parameters:
      ext - the extension.
      Returns:
      the ProxyCertInfo object.
      Throws:
      IOException - if something fails.
    • getIdentity

      public static String getIdentity(X509Certificate cert)
      Returns the subject DN of the given certificate in the Globus format, that is, the slash-separated OpenSSL-style form with the most specific component last (for example /O=Grid/OU=Example/CN=Jane Doe; illustrative value).
      Parameters:
      cert - the certificate to get the subject of. The certificate must be of X509CertificateObject type.
      Returns:
      the subject DN of the certificate in the Globus format.
    • getIdentityPrefix

      public static String getIdentityPrefix(X509Certificate cert)
    • getIdentity

      public static String getIdentity(X509Certificate[] chain) throws CertificateException
      Finds the identity certificate in the given chain and returns the subject DN of that certificate in the Globus format.
      Parameters:
      chain - the certificate chain to find the identity certificate in. The certificates must be of X509CertificateObject type.
      Returns:
      the subject DN of the identity certificate in the Globus format.
      Throws:
      CertificateException - if something goes wrong.
    • getIdentityCertificate

      public static X509Certificate getIdentityCertificate(X509Certificate[] chain) throws CertificateException
      Finds the identity certificate in the given chain. The identity certificate is the first certificate in the chain that is not an impersonation proxy (full or limited). The chain is expected in the usual Java order, leaf first, so the search starts at chain[0] (the newest proxy) and moves towards the end-entity certificate.
      Parameters:
      chain - the certificate chain to find the identity certificate in.
      Returns:
      the identity certificate.
      Throws:
      CertificateException - if the type of a certificate in the chain cannot be determined.
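Because getIdentityCertificate stops at the first certificate that is not an impersonation proxy, an independent or restricted proxy, or a CA certificate presented as the leaf, would itself become the "identity". A service that uses the returned DN for authorization should therefore check the type of every link and of the identity certificate before trusting the DN. The following added example (not JGlobus code) does that with the methods documented on this page. It assumes GSIConstants.CertificateType is an enum whose constants carry the names used on this page (CA, EEC, GSI_2_PROXY, GSI_3_IMPERSONATION_PROXY), fails closed on any type not explicitly allowed, and leaves signature and validity checking to a separate path validator.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.Set;

import org.globus.gsi.GSIConstants;
import org.globus.gsi.bc.BouncyCastleUtil;

/** Example policy layer over BouncyCastleUtil (not part of JGlobus). */
public final class ChainIdentityPolicy {

    /** Types every link of an acceptable chain may have; anything else is rejected. */
    static final Set<GSIConstants.CertificateType> DEFAULT_ALLOWED = EnumSet.of(
            GSIConstants.CertificateType.CA,
            GSIConstants.CertificateType.EEC,
            GSIConstants.CertificateType.GSI_2_PROXY,
            GSIConstants.CertificateType.GSI_3_IMPERSONATION_PROXY);

    /**
     * Returns the Globus-format identity DN of a leaf-first chain, or throws if the chain
     * contains a proxy type outside the allow-list or its identity certificate is not an EEC.
     * This is a type-policy check only: it does not verify signatures or validity periods.
     *
     * @param chain       leaf-first chain (chain[0] is the newest proxy or the EEC itself)
     * @param alsoAllowed extra types to accept, e.g. the limited-proxy types, or null
     */
    public static String authenticatedIdentity(X509Certificate[] chain,
                                               Set<GSIConstants.CertificateType> alsoAllowed)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        Set<GSIConstants.CertificateType> allowed = EnumSet.copyOf(DEFAULT_ALLOWED);
        if (alsoAllowed != null) {
            allowed.addAll(alsoAllowed);
        }

        for (int i = 0; i < chain.length; i++) {
            GSIConstants.CertificateType type = BouncyCastleUtil.getCertificateType(chain[i]);
            if (!allowed.contains(type)) {
                throw new CertificateException("chain[" + i + "] (" + BouncyCastleUtil.getIdentity(chain[i])
                        + ") has disallowed type " + type);
            }
            // Each link must name the next one as its issuer; otherwise the proxy DN rules
            // checked by getCertificateType could be satisfied by an unrelated certificate.
            if (i + 1 < chain.length
                    && !chain[i].getIssuerX500Principal().equals(chain[i + 1].getSubjectX500Principal())) {
                throw new CertificateException("chain[" + i + "] was not issued by chain[" + (i + 1) + "]");
            }
        }

        X509Certificate idCert = BouncyCastleUtil.getIdentityCertificate(chain);
        GSIConstants.CertificateType idType = BouncyCastleUtil.getCertificateType(idCert);
        if (idType != GSIConstants.CertificateType.EEC) {
            throw new CertificateException("identity certificate has type " + idType + ", expected EEC");
        }
        return BouncyCastleUtil.getIdentity(idCert);
    }
}
```

With the default allow-list, a chain ending in an independent proxy is rejected in the loop, and a chain whose leaf is a CA certificate is rejected by the final EEC check; pass the limited-proxy types in alsoAllowed only for services that are meant to accept limited proxies.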
    • getExtensionValue

      public static byte[] getExtensionValue(byte[] certExtValue) throws IOException
      Retrieves the actual value of an X.509 extension from its DER-encoded OCTET STRING wrapper, i.e. the form returned by X509Certificate.getExtensionValue(String).
      Parameters:
      certExtValue - the DER-encoded OCTET STRING value of the extension.
      Returns:
      the decoded/actual value of the extension (the octets contained in the OCTET STRING).
      Throws:
      IOException - if certExtValue is not a valid DER-encoded OCTET STRING.
    • getExtensionValue

      public static byte[] getExtensionValue(X509Certificate cert, String oid) throws IOException
      Returns the actual value of the extension.
      Parameters:
      cert - the certificate that contains the extensions to retrieve.
      oid - the oid of the extension to retrieve.
      Returns:
      the actual value of the extension (not octet string encoded)
      Throws:
      IOException - if decoding the extension fails.
    • getProxyPathConstraint

      public static int getProxyPathConstraint(X509Certificate cert) throws IOException, CertificateEncodingException
      Returns the proxy path length constraint (pCPathLenConstraint) carried in the ProxyCertInfo extension of the given certificate.
      Parameters:
      cert - the certificate to read the constraint from.
      Throws:
      IOException - if the certificate or the extension cannot be decoded.
      CertificateEncodingException - if the certificate cannot be DER-encoded.
    • getProxyPathConstraint

      public static int getProxyPathConstraint(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws IOException
      Returns the proxy path length constraint (pCPathLenConstraint) carried in the ProxyCertInfo extension of the given TBS certificate.
      Parameters:
      crt - the TBS certificate to read the constraint from.
      Throws:
      IOException - if the extension cannot be decoded.
    • getProxyCertInfo

      public static ProxyCertInfo getProxyCertInfo(org.bouncycastle.asn1.x509.TBSCertificateStructure crt) throws IOException
      Creates a ProxyCertInfo object from the ProxyCertInfo extension of the given TBS certificate.
      Parameters:
      crt - the TBS certificate to read the extension from.
      Throws:
      IOException - if the extension cannot be decoded.