org.globus.gsi.bc
Class BouncyCastleUtil

java.lang.Object
  extended by org.globus.gsi.bc.BouncyCastleUtil

public class BouncyCastleUtil
extends Object

A collection of various utility functions.


Constructor Summary
BouncyCastleUtil()

Method Summary
static DERObject duplicate(DERObject obj)
          Replicates a given DERObject.
static BasicConstraints getBasicConstraints(X509Extension ext)
          Creates a BasicConstraints object from given extension.
static int getCertificateType(TBSCertificateStructure crt)
          Returns certificate type of the given TBS certificate.
static int getCertificateType(TBSCertificateStructure crt, TrustedCertificates trustedCerts)
          Returns certificate type of the given certificate.
static int getCertificateType(X509Certificate cert)
          Returns certificate type of the given certificate.
static int getCertificateType(X509Certificate cert, TrustedCertificates trustedCerts)
          Returns certificate type of the given certificate.
static DERObject getExtensionObject(X509Extension ext)
          Extracts the value of a certificate extension.
static byte[] getExtensionValue(byte[] certExtValue)
          Retrieves the actual value of the X.509 extension.
static String getIdentity(X509Certificate cert)
          Returns the subject DN of the given certificate in the Globus format.
static String getIdentity(X509Certificate[] chain)
          Finds the identity certificate in the given chain and returns the subject DN of that certificate in the Globus format.
static X509Certificate getIdentityCertificate(X509Certificate[] chain)
          Finds the identity certificate in the given chain.
static boolean[] getKeyUsage(X509Extension ext)
          Gets a boolean array representing bits of the KeyUsage extension.
static ProxyCertInfo getProxyCertInfo(TBSCertificateStructure crt)
           
static ProxyCertInfo getProxyCertInfo(X509Extension ext)
          Creates a ProxyCertInfo object from given extension.
static int getProxyPathConstraint(TBSCertificateStructure crt)
           
static int getProxyPathConstraint(X509Certificate cert)
           
static TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert)
          Extracts the TBS certificate from the given certificate.
static byte[] toByteArray(DERObject obj)
          Converts given DERObject into a DER-encoded byte array.
static DERObject toDERObject(byte[] data)
          Converts the DER-encoded byte array into a DERObject.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

BouncyCastleUtil

public BouncyCastleUtil()

Method Detail

toByteArray

public static byte[] toByteArray(DERObject obj)
                          throws IOException
Converts given DERObject into a DER-encoded byte array.

Parameters:
obj - DERObject to convert.
Returns:
the DER-encoded byte array
Throws:
IOException - if conversion fails

toDERObject

public static DERObject toDERObject(byte[] data)
                             throws IOException
Converts the DER-encoded byte array into a DERObject.

Parameters:
data - the DER-encoded byte array to convert.
Returns:
the DERObject.
Throws:
IOException - if conversion fails

duplicate

public static DERObject duplicate(DERObject obj)
                           throws IOException
Replicates a given DERObject.

Parameters:
obj - the DERObject to replicate.
Returns:
a copy of the DERObject.
Throws:
IOException - if replication fails

getTBSCertificateStructure

public static TBSCertificateStructure getTBSCertificateStructure(X509Certificate cert)
                                                          throws CertificateEncodingException,
                                                                 IOException
Extracts the TBS certificate from the given certificate.

Parameters:
cert - the X.509 certificate to extract the TBS certificate from.
Returns:
the TBS certificate
Throws:
IOException - if extraction fails.
CertificateEncodingException - if extraction fails.

getExtensionObject

public static DERObject getExtensionObject(X509Extension ext)
                                    throws IOException
Extracts the value of a certificate extension.

Parameters:
ext - the certificate extension to extract the value from.
Throws:
IOException - if extraction fails.

getCertificateType

public static int getCertificateType(X509Certificate cert,
                                     TrustedCertificates trustedCerts)
                              throws CertificateException
Returns the certificate type of the given certificate. See getCertificateType for the rules used to determine the certificate type.

Parameters:
cert - the certificate to get the type of.
trustedCerts - the trusted certificates to double check the GSIConstants.EEC certificate against.
Returns:
the certificate type as determined by getCertificateType.
Throws:
CertificateException - if something goes wrong.

getCertificateType

public static int getCertificateType(X509Certificate cert)
                              throws CertificateException
Returns the certificate type of the given certificate. See getCertificateType for the rules used to determine the certificate type.

Parameters:
cert - the certificate to get the type of.
Returns:
the certificate type as determined by getCertificateType.
Throws:
CertificateException - if something goes wrong.

getCertificateType

public static int getCertificateType(TBSCertificateStructure crt,
                                     TrustedCertificates trustedCerts)
                              throws CertificateException,
                                     IOException
Returns the certificate type of the given certificate. This function calls getCertificateType to determine the certificate type. If the type was initially determined as GSIConstants.EEC, the certificate is checked against the trusted certificate list to see whether it is really a CA certificate: if it is present in the trusted certificate list, the certificate type is changed to GSIConstants.CA; otherwise it is left as it is. (This is useful where a valid CA certificate does not carry a BasicConstraints extension.)

Parameters:
crt - the certificate to get the type of.
trustedCerts - the trusted certificates to double check the GSIConstants.EEC certificate against. If null, a default set of trusted certificates will be loaded from a standard location.
Returns:
the certificate type. The certificate type is determined by rules described above.
Throws:
IOException - if something goes wrong.
CertificateException - for proxy certificates, if the issuer DN of the certificate does not match the subject DN of the certificate without the last CN component. Also, for GSI-3 proxies when the ProxyCertInfo extension is not marked as critical.

getCertificateType

public static int getCertificateType(TBSCertificateStructure crt)
                              throws CertificateException,
                                     IOException
Returns certificate type of the given TBS certificate.
The certificate type is GSIConstants.CA only if the certificate contains a BasicConstraints extension and it is marked as CA.
A certificate is a GSI-2 proxy when the subject DN of the certificate ends with a "CN=proxy" component (certificate type GSIConstants.GSI_2_PROXY) or a "CN=limited proxy" component (certificate type GSIConstants.LIMITED_PROXY) and the issuer DN of the certificate matches the subject DN without that last proxy CN component.
A certificate is a GSI-3 proxy when the subject DN of the certificate ends with a CN component, the issuer DN of the certificate matches the subject DN without that last CN component, and the certificate contains a critical ProxyCertInfo extension. The certificate type is GSIConstants.GSI_3_IMPERSONATION_PROXY if the policy language of the ProxyCertInfo extension is set to the ProxyPolicy.IMPERSONATION OID, GSIConstants.GSI_3_LIMITED_PROXY if it is set to the ProxyPolicy.LIMITED OID, GSIConstants.GSI_3_INDEPENDENT_PROXY if it is set to the ProxyPolicy.INDEPENDENT OID, and GSIConstants.GSI_3_RESTRICTED_PROXY if it is set to any other OID.
The certificate type is GSIConstants.EEC if the certificate is not a CA certificate or a GSI-2 or GSI-3 proxy.

Parameters:
crt - the TBS certificate to get the type of.
Returns:
the certificate type. The certificate type is determined by rules described above.
Throws:
IOException - if something goes wrong.
CertificateException - for proxy certificates, if the issuer DN of the certificate does not match the subject DN of the certificate without the last CN component. Also, for GSI-3 proxies when the ProxyCertInfo extension is not marked as critical.
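The classification rules above, together with the trusted-list fallback described for getCertificateType(TBSCertificateStructure, TrustedCertificates), as an added Python model that is not Globus code: the Cert class, the string type names mirroring GSIConstants, and the policy OID values (assumed to be the RFC 3820 and Globus OIDs behind ProxyPolicy.IMPERSONATION, INDEPENDENT and LIMITED) are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed OID values behind ProxyPolicy.IMPERSONATION / INDEPENDENT (RFC 3820)
# and ProxyPolicy.LIMITED (Globus); the page names the constants, not the values.
IMPERSONATION_OID = "1.3.6.1.5.5.7.21.1"
INDEPENDENT_OID = "1.3.6.1.5.5.7.21.2"
LIMITED_OID = "1.3.6.1.4.1.3536.1.1.1.9"


class CertificateException(Exception):
    """Stands in for java.security.cert.CertificateException."""


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for a TBSCertificateStructure: only the fields the rules read."""
    subject: Tuple[str, ...]                     # RDNs in order; the last is the most specific
    issuer: Tuple[str, ...]
    basic_constraints_ca: Optional[bool] = None  # None: no BasicConstraints extension present
    proxy_policy_oid: Optional[str] = None       # None: no ProxyCertInfo extension present
    proxy_cert_info_critical: bool = False


def get_certificate_type(crt: Cert, trusted: Tuple[Cert, ...] = ()) -> str:
    """Return the type name (mirroring the GSIConstants names) following the page's rules."""
    # Rule 1: CA only when BasicConstraints is present and marked CA.
    if crt.basic_constraints_ca:
        return "CA"
    last = crt.subject[-1] if crt.subject else ""
    cert_type = "EEC"
    # Rule 2: GSI-2 proxies are recognised purely by the final CN component.
    if last in ("CN=proxy", "CN=limited proxy"):
        cert_type = "GSI_2_PROXY" if last == "CN=proxy" else "LIMITED_PROXY"
    # Rule 3: GSI-3 proxies end in any CN and carry a critical ProxyCertInfo extension.
    elif last.startswith("CN=") and crt.proxy_policy_oid is not None:
        if not crt.proxy_cert_info_critical:
            raise CertificateException("ProxyCertInfo extension is not marked critical")
        cert_type = {IMPERSONATION_OID: "GSI_3_IMPERSONATION_PROXY",
                     LIMITED_OID: "GSI_3_LIMITED_PROXY",
                     INDEPENDENT_OID: "GSI_3_INDEPENDENT_PROXY",
                     }.get(crt.proxy_policy_oid, "GSI_3_RESTRICTED_PROXY")
    # Both proxy flavours must be issued by the DN one CN component up; otherwise reject.
    if cert_type != "EEC" and crt.issuer != crt.subject[:-1]:
        raise CertificateException("issuer DN does not match subject DN without its last CN")
    # Trusted-list fallback: an EEC that is itself a trusted certificate is really a CA.
    if cert_type == "EEC" and crt in trusted:
        return "CA"
    return cert_type
```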

getKeyUsage

public static boolean[] getKeyUsage(X509Extension ext)
                             throws IOException
Gets a boolean array representing bits of the KeyUsage extension.

Throws:
IOException - if the KeyUsage extension value cannot be extracted.
See Also:
X509Certificate.getKeyUsage()

getBasicConstraints

public static BasicConstraints getBasicConstraints(X509Extension ext)
                                            throws IOException
Creates a BasicConstraints object from given extension.

Parameters:
ext - the extension.
Returns:
the BasicConstraints object.
Throws:
IOException - if something fails.

getProxyCertInfo

public static ProxyCertInfo getProxyCertInfo(X509Extension ext)
                                      throws IOException
Creates a ProxyCertInfo object from given extension.

Parameters:
ext - the extension.
Returns:
the ProxyCertInfo object.
Throws:
IOException - if something fails.

getIdentity

public static String getIdentity(X509Certificate cert)
Returns the subject DN of the given certificate in the Globus format.

Parameters:
cert - the certificate to get the subject of. The certificate must be of X509CertificateObject type.
Returns:
the subject DN of the certificate in the Globus format.

getIdentity

public static String getIdentity(X509Certificate[] chain)
                          throws CertificateException
Finds the identity certificate in the given chain and returns the subject DN of that certificate in the Globus format.

Parameters:
chain - the certificate chain to find the identity certificate in. The certificates must be of X509CertificateObject type.
Returns:
the subject DN of the identity certificate in the Globus format.
Throws:
CertificateException - if something goes wrong.

getIdentityCertificate

public static X509Certificate getIdentityCertificate(X509Certificate[] chain)
                                              throws CertificateException
Finds the identity certificate in the given chain. The identity certificate is the first certificate in the chain that is not an impersonation proxy (full or limited).

Parameters:
chain - the certificate chain to find the identity certificate in.
Returns:
the identity certificate.
Throws:
CertificateException - if something goes wrong.

getExtensionValue

public static byte[] getExtensionValue(byte[] certExtValue)
                                throws IOException
Retrieves the actual value of the X.509 extension.

Parameters:
certExtValue - the DER-encoded OCTET string value of the extension.
Returns:
the decoded/actual value of the extension (the octets).
Throws:
IOException

getProxyPathConstraint

public static int getProxyPathConstraint(X509Certificate cert)
                                  throws IOException,
                                         CertificateEncodingException
Throws:
IOException
CertificateEncodingException

getProxyPathConstraint

public static int getProxyPathConstraint(TBSCertificateStructure crt)
                                  throws IOException
Throws:
IOException

getProxyCertInfo

public static ProxyCertInfo getProxyCertInfo(TBSCertificateStructure crt)
                                      throws IOException
Throws:
IOException