Class X509CertificateUtil

java.lang.Object

de.xima.fc.cryptography.BouncyCastleSupport

de.xima.fc.certificate.ms.impl.util.X509CertificateUtil

public final class X509CertificateUtil
extends BouncyCastleSupport

Utility class for working with X.509 certificates.

Method Summary

Modifier and Type	Method	Description
static X509Certificate	convertCertificate(Certificate certificate)	Convert a Certificate object to an X509Certificate object.
static boolean	doesPrivateKeyMatchCertificate(X509Certificate cert, PrivateKey privateKey)	Verifies if a private key matches a certificate
static void	exportToDER(X509Certificate cert, OutputStream out)	Export certificate in DER format (binary)
static void	exportToPEM(List<X509Certificate> certChain, OutputStream out)	Export certificate chain in PEM format
static void	exportToPKCS7(List<X509Certificate> certChain, OutputStream out)	Export certificate chain as PKCS#7 format.
static List<X509CertificateSANEntry>	extractSANs(X509Certificate certificate)	Extracts all Subject Alternative Names from an X.509 certificate.
static byte[]	generateCsr(X509Certificate cert, PrivateKey signingKey, String signatureAlgoName)	Generates a CSR (Certificate Signing Request) for a given certificate and private key.
static X509CertificateDetails	getCertificateDetails(X509Certificate x509Certificate)	Get the details of a certificate.
static ECertificateType	getCertificateType(X509Certificate certificate)	Get the type of a certificate (root, intermediate, or end-entity).
static List<String>	getCrlDistributionPoints(X509Certificate cert)	Extracts CRL distribution points from a certificate
static String	getFingerprint(X509Certificate x509Certificate)	Get the SHA-256 fingerprint of the certificate.
static boolean	isSelfSigned(X509Certificate certificate)	Checks if a certificate is self-signed.
static X509Certificate	loadCertificate(byte[] certificateBytes)	Load a certificate from an input stream.
static X509Certificate	loadCertificate(InputStream certStream)	Load a certificate from an input stream.
static X509Certificate	renewCertificate(X509Certificate certificate, KeyPair newKeyPair, Duration validity, CertificateBundle issuer)	Renew an existing certificate by creating a new certificate with the same subject and issuer, but with a new serial and validity period.
static boolean	validate(X509Certificate certificate)
static boolean	verify(X509Certificate signedCert, X509Certificate signingCert)	Verify that one certificate was signed using the private key that corresponds to the public key of a second certificate.

Methods inherited from class BouncyCastleSupport

buildSignedCertificate, createCMSContentEncryptorBuilder, createContentSigner, createJceKeyTransRecipientInfoGenerator, createKeyFactory, createKeyPairGenerator, createKeyStore, createOpenSSLPKCS8DecryptorProviderBuilder, createPEMKeyConverter, createSignature, createX509CertificateConverter, createX509CertificateFactory

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Details

convertCertificate

public static X509Certificate convertCertificate(Certificate certificate)
                                          throws FcCertificateManagementException

Convert a Certificate object to an X509Certificate object.

Parameters:

certificate - The Certificate object

Returns:

The converted X509Certificate object

Throws:

FcCertificateManagementException - A problem occurred during the conversion

doesPrivateKeyMatchCertificate

public static boolean doesPrivateKeyMatchCertificate(X509Certificate cert,
 PrivateKey privateKey)

Verifies if a private key matches a certificate

Parameters:

cert - The X509Certificate to check

privateKey - The private key to verify against the certificate

Returns:

true if the private key matches the certificate, false otherwise

exportToDER

public static void exportToDER(X509Certificate cert,
 OutputStream out)
                        throws IOException,
FcCertificateManagementException

Export certificate in DER format (binary)

Parameters:

cert - The certificate to export

out - The output stream to write the DER formatted certificate to

Throws:

IOException

FcCertificateManagementException

exportToPEM

public static void exportToPEM(List<X509Certificate> certChain,
 OutputStream out)
                        throws IOException

Export certificate chain in PEM format

Parameters:

certChain - The certificate chain to export

out - The output stream to write the PEM formatted certificates to

Throws:

IOException

exportToPKCS7

public static void exportToPKCS7(List<X509Certificate> certChain,
 OutputStream out)
                          throws IOException,
FcCertificateManagementException

Export certificate chain as PKCS#7 format.

Parameters:

certChain - The certificate chain to export

out - The output stream to write the PKCS7 formatted certificates to

Throws:

IOException

FcCertificateManagementException

extractSANs

public static List<X509CertificateSANEntry> extractSANs(X509Certificate certificate)
                                                 throws CertificateException

Extracts all Subject Alternative Names from an X.509 certificate.

Parameters:

certificate - The X.509 certificate to extract SANs from

Returns:

List of SANEntry objects representing all SANs found

Throws:

CertificateException - if certificate processing fails

generateCsr

public static byte[] generateCsr(X509Certificate cert,
 PrivateKey signingKey,
 String signatureAlgoName)
                          throws FcCertificateManagementException

Generates a CSR (Certificate Signing Request) for a given certificate and private key.

Parameters:

cert - The X509Certificate to generate the CSR for

signingKey - The private key to sign the CSR with

signatureAlgoName - The name of the signature algorithm to sign the CSR with

Returns:

The generated CSR in DER format (byte[])

Throws:

FcCertificateManagementException - If there was an error generating the CSR

getCertificateDetails

public static X509CertificateDetails getCertificateDetails(X509Certificate x509Certificate)
                                                    throws CertificateException

Get the details of a certificate.

Parameters:

x509Certificate - The X509Certificate to get details for

Returns:

The details of the certificate

Throws:

CertificateEncodingException - If there was an error encoding the certificate

CertificateException

getCertificateType

public static ECertificateType getCertificateType(X509Certificate certificate)

Get the type of a certificate (root, intermediate, or end-entity).

Parameters:

certificate - The certificate to check

Returns:

The type of the certificate

getCrlDistributionPoints

public static List<String> getCrlDistributionPoints(X509Certificate cert)
                                             throws FcCertificateManagementException

Extracts CRL distribution points from a certificate

Throws:

FcCertificateManagementException

getFingerprint

public static String getFingerprint(X509Certificate x509Certificate)
                             throws CertificateEncodingException

Get the SHA-256 fingerprint of the certificate.

Parameters:

x509Certificate - The X509Certificate to get the fingerprint for

Returns:

The SHA-256 fingerprint of the certificate

Throws:

CertificateEncodingException - If there was an error encoding the certificate

isSelfSigned

public static boolean isSelfSigned(X509Certificate certificate)

Checks if a certificate is self-signed.

Parameters:

certificate - The certificate to check

loadCertificate

public static X509Certificate loadCertificate(byte[] certificateBytes)
                                       throws FcCertificateManagementException

Load a certificate from an input stream.

Parameters:

certificateBytes - The byte array containing the certificate

Returns:

The loaded certificate and whether it is trusted

Throws:

FcCertificateManagementException - If there was an error loading the certificate

loadCertificate

public static X509Certificate loadCertificate(InputStream certStream)
                                       throws FcCertificateManagementException

Load a certificate from an input stream.

Parameters:

certStream - The input stream containing the certificate

Returns:

The loaded certificate and whether it is trusted

Throws:

FcCertificateManagementException - If there was an error loading the certificate

renewCertificate

public static X509Certificate renewCertificate(X509Certificate certificate,
 KeyPair newKeyPair,
 Duration validity,
 CertificateBundle issuer)
                                        throws FcCertificateManagementException

Renew an existing certificate by creating a new certificate with the same subject and issuer, but with a new serial and validity period.

Parameters:

certificate - The certificate to renew

newKeyPair - The new key pair to use for the renewed certificate

validity - The new validity period

issuer - The issuer of the renewed certificate. Must be the same as the subject of the signingKey certificate.

Returns:

The renewed certificate

Throws:

FcCertificateManagementException - If there was an error renewing the certificate

validate

public static boolean validate(X509Certificate certificate)

verify

public static boolean verify(X509Certificate signedCert,
 X509Certificate signingCert)

Verify that one certificate was signed using the private key that corresponds to the public key of a second certificate.

Parameters:

signedCert - The signed certificate

signingCert - The signing certificate

Returns:

True if the signature is valid, false otherwise