/** * Extracts {@link X509Certificate} properties from the given {@code cert} * * @param cert * the x509 certificate * @return x509 certificate related properties as map */ public static Map<String, String> getCertificateInfoProperties(X509Certificate cert) { Map<String, String> certificateInfo = new HashMap<>(); certificateInfo.put(COMMON_NAME_KEY, CertificateUtil.getCommonName(cert.getSubjectDN())); certificateInfo.put(ISSUER_NAME_KEY, CertificateUtil.getCommonName(cert.getIssuerDN())); certificateInfo.put(SERIAL_KEY, getSerialNumber(cert)); certificateInfo.put(FINGERPRINT_KEY, CertificateUtil.computeCertificateThumbprint(cert)); certificateInfo.put(VALID_SINCE_KEY, Long.toString(cert.getNotBefore().getTime())); certificateInfo.put(VALID_TO_KEY, Long.toString(cert.getNotAfter().getTime())); return certificateInfo; }
public static String generateSelfLink(SslTrustCertificateState body) { AssertUtil.assertNotEmpty(body.certificate, "certificate"); return CertificateUtil.generatePureFingerPrint( CertificateUtil.createCertificateChain(body.certificate)); }
/** * Create a ServiceClient instance using the given TrustManager and KeyManager * * @param trustManager * @param keyManager * @return */ public static ServiceClient createServiceClient(TrustManager trustManager, KeyManager keyManager) { return createServiceClient(CertificateUtil.createSSLContext( trustManager, keyManager)); }
/** * Get a KeyManager configured with the given private key and certificate */ public static KeyManager[] getKeyManagers(String alias, String clientKey, String clientCert) { if (clientCert == null) { return null; } KeyStore keyStore = createEmptyKeyStore(); setKeyEntry(keyStore, alias, clientKey, clientCert); return getKeyManagers(keyStore); }
/** * Create a TrustManager for the given PEM encoded certificate */ public static TrustManager[] getTrustManagers(String alias, String trustedCert) { if (trustedCert == null) { return null; } KeyStore trustStore = createEmptyKeyStore(); setCertificateEntry(trustStore, alias, trustedCert); return getTrustManagers(trustStore); }
/** * Set a key entry in a key store */ private static void setKeyEntry(KeyStore keyStore, String alias, String clientKey, String clientCert) { X509Certificate[] clientCertificates = CertificateUtil.createCertificateChain(clientCert); PrivateKey key = CertificateUtil.createKeyPair(clientKey).getPrivate(); try { keyStore.setKeyEntry(alias, key, EMPTY, clientCertificates); } catch (KeyStoreException e) { throw new RuntimeException("Failed to set key entry", e); } }
private void validateCertProperties(SslTrustCertificateState state) throws Exception { assertEquals(HTTPS_HOST_COM, state.origin); X509Certificate[] certificates = CertificateUtil.createCertificateChain(state.certificate); for (X509Certificate cert : certificates) { cert.checkValidity(); assertEquals(cert.getNotAfter(), new Date(TimeUnit.MICROSECONDS .toMillis(state.documentExpirationTimeMicros))); assertEquals(CertificateUtil.getCommonName(cert.getSubjectDN()), state.commonName); assertEquals(CertificateUtil.getCommonName(cert.getIssuerDN()), state.issuerName); assertEquals(cert.getSerialNumber().toString(), state.serial); assertEquals(CertificateUtil.computeCertificateThumbprint(cert), state.fingerprint); assertEquals(cert.getNotBefore().getTime(), state.validSince); assertEquals(cert.getNotAfter().getTime(), state.validTo); } } }
public void putDelegate(String alias, String certificate) { X509TrustManager delegateTrustManager = (X509TrustManager) CertificateUtil .getTrustManagers(alias, certificate)[0]; this.delegatingTrustManager.putDelegate(alias, delegateTrustManager); }
public static void populateCertificateProperties(SslTrustCertificateState state, X509Certificate cert) { state.documentExpirationTimeMicros = TimeUnit.MILLISECONDS .toMicros(cert.getNotAfter().getTime()); state.commonName = CertificateUtil.getCommonName(cert.getSubjectDN()); state.issuerName = CertificateUtil.getCommonName(cert.getIssuerDN()); state.serial = cert.getSerialNumber() == null ? null : cert.getSerialNumber() .toString(); state.fingerprint = CertificateUtil.computeCertificateThumbprint(cert); state.validSince = cert.getNotBefore().getTime(); state.validTo = cert.getNotAfter().getTime(); } }
/** * Set a certificate entry in a trust store */ public static void setCertificateEntry(KeyStore trustStore, String alias, String trustedCert) { X509Certificate[] certificates = CertificateUtil.createCertificateChain(trustedCert); for (X509Certificate certificate : certificates) { String certAlias = alias + "_" + CertificateUtil.getCommonName(certificate.getSubjectDN()); try { trustStore.setCertificateEntry(certAlias, certificate); } catch (KeyStoreException e) { throw new RuntimeException("Failed to set certificate entry", e); } } }
/** * Create a SSLContext for a given trusted certificate and client key and certificate */ public static SSLContext createSSLContext(String trustedCert, String clientKey, String clientCert) { try { SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init( CertificateUtil.getKeyManagers("client", clientKey, clientCert), CertificateUtil.getTrustManagers("server", trustedCert), null); return ctx; } catch (NoSuchAlgorithmException | KeyManagementException e) { throw new RuntimeException("Failed to create SSLContext", e); } }
private void validateStateOnStart(SslTrustCertificateState state) throws Exception { assertNotEmpty(state.certificate, "certificate"); state.certificate = state.certificate.trim(); X509Certificate[] certificates = CertificateUtil.createCertificateChain(state.certificate); CertificateUtil.validateCertificateChain(certificates); // Populate the certificate properties based on the first (end server) certificate X509Certificate endCertificate = certificates[0]; SslTrustCertificateState.populateCertificateProperties(state, endCertificate); }
/** * Serialize the content of a .crt file to X509 certificate chain */ public static X509Certificate[] fromFile(File certFile) { try { String content = new String(Files.readAllBytes(certFile.toPath())); return CertificateUtil.createCertificateChain(content); } catch (Exception e) { return null; } }
/** * Returns certificate thumbprint with no colon characters and lower-cased for the first * certificate in the chain. */ public static String generatePureFingerPrint(X509Certificate[] certificateChain) { return generatePureFingerPrint(certificateChain[0]); }
X509ExtendedKeyManager delegateKeyManager; delegateKeyManager = (X509ExtendedKeyManager) CertificateUtil .getKeyManagers("default", clientKey, clientCert)[0]; keytManagers = new KeyManager[]{delegateKeyManager};
private Operation createClientCredentials(String caCert, String caKey) { X509Certificate caCertificate = CertificateUtil.createCertificate(caCert); KeyPair caKeyPair = CertificateUtil.createKeyPair(caKey); AuthCredentialsServiceState authCredentials = new AuthCredentialsServiceState(); authCredentials.documentSelfLink = ManagementUriParts.AUTH_CREDENTIALS_CLIENT_LINK; authCredentials.type = AuthCredentialsType.PublicKey.name(); authCredentials.userEmail = "core"; CertChainKeyPair signedForClient = CertificateUtil.generateSignedForClient("computeClient", caCertificate, caKeyPair.getPrivate()); authCredentials.publicKey = CertificateUtilExtended.toPEMformat( signedForClient.getCertificate(), getHost()); authCredentials.privateKey = CertificateUtilExtended.toPEMFormat( signedForClient.getPrivateKey(), getHost()); return Operation.createPost(this, AuthCredentialsService.FACTORY_LINK) .addPragmaDirective(Operation.PRAGMA_DIRECTIVE_FORCE_INDEX_UPDATE) .setBody(authCredentials); }
/** * Retrieve the {@link ThumbprintAlgorithm#DEFAULT} thumbprint of a X.509 certificate. * * @param cert * certificate * @return the thumbprint corresponding to the certificate; {@code not-null} value * @throws IllegalStateException * if an error occur while getting the encoded form of the certificates * @throws IllegalArgumentException * if an error occur while getting the encoded form of the certificates */ public static String computeCertificateThumbprint(X509Certificate cert) { return computeCertificateThumbprint(cert, ThumbprintAlgorithm.DEFAULT); }
/** * Serialize Certificate chain in PEM format */ public static String toPEMformat(X509Certificate[] certificateChain) { StringWriter sw = new StringWriter(); for (X509Certificate certificate : certificateChain) { sw.append(toPEMformat(certificate)); } return sw.toString(); }
/** * @return {@link CertificateInfoServiceErrorResponse} for the untrusted certificate or {@code * null} if the resolver was not called or the certificate is trusted */ public CertificateInfoServiceErrorResponse getCertificateInfoServiceErrorResponse() { if (this.connectionCertificates.isEmpty()) { return null; } X509Certificate[] chain = getCertificateChain(); String certificate = CertificateUtil.toPEMformat(chain); Map<String, String> certProps = CertificateUtil.getCertificateInfoProperties(chain[0]); CertificateInfo certificateInfo = CertificateInfo.of(certificate, certProps); CertificateException certException = getCertificateException(); return CertificateInfoServiceErrorResponse.create( certificateInfo, Operation.STATUS_CODE_UNAVAILABLE, CertificateInfoServiceErrorResponse.ERROR_CODE_UNTRUSTED_CERTIFICATE, certException.getCause()); }
CertificateUtil.validateCertificateChain(certificateChain);