Class X509CertificateUtils

    • Method Detail

      • hasMatchingIssuerAndSubject

        public static boolean hasMatchingIssuerAndSubject(X509Certificate cert)
        Checks if the issuer DN and the subject DN of the specified X.509 certificate match. The matched DNs are not normalised.
        Parameters:
        cert - The X.509 certificate. Must not be null.
        Returns:
        true if the issuer DN and subject DN match, else false.
      • isSelfIssued

        public static boolean isSelfIssued(X509Certificate cert)
        Checks if the specified X.509 certificate is self-issued, i.e. it has a matching issuer and subject, and the public key can be used to successfully validate the certificate's digital signature.
        Parameters:
        cert - The X.509 certificate. Must not be null.
        Returns:
        true if the X.509 certificate is self-issued, else false.
      • isSelfSigned

        public static boolean isSelfSigned(X509Certificate cert)
        Checks if the specified X.509 certificate is self-signed, i.e. the public key can be used to successfully validate the certificate's digital signature.
        Parameters:
        cert - The X.509 certificate. Must not be null.
        Returns:
        true if the X.509 certificate is self-signed, else false.
      • hasValidSignature

        public static boolean hasValidSignature(X509Certificate cert,
                                                PublicKey pubKey)
        Validates the signature of an X.509 certificate with the specified public key.
        Parameters:
        cert - The X.509 certificate. Must not be null.
        pubKey - The public key to use for the validation. Must not be null.
        Returns:
        true if the signature is valid, else false.
      • publicKeyMatches

        public static boolean publicKeyMatches(X509Certificate cert,
                                               PublicKey pubKey)
        Returns true if the public key of the X.509 certificate matches the specified public key.
        Parameters:
        cert - The X.509 certificate. Must not be null.
        pubKey - The public key to compare. Must not be null.
        Returns:
        true if the two public keys match, else false.
      • generate

        public static X509Certificate generate(Issuer issuer,
                                               Subject subject,
                                               Date nbf,
                                               Date exp,
                                               PublicKey certKey,
                                               PrivateKey signingKey)
                                        throws org.bouncycastle.operator.OperatorCreationException,
                                               IOException
        Generates a new X.509 certificate. The certificate is provisioned with a 64-bit random serial number.

        Signing algorithm:

        • For RSA signing keys: SHA256withRSA
        • For EC signing keys: SHA256withECDSA
        Parameters:
        issuer - The issuer. Will be prepended by cn= in the certificate to ensure a valid Distinguished Name (DN). Must not be null.
        subject - The subject. Will be prepended by cn= in the certificate to ensure a valid Distinguished Name (DN). Must not be null.
        nbf - Date before which the certificate is not valid. Must not be null.
        exp - Date after which the certificate is not valid. Must not be null.
        certKey - The public key to include in the certificate. Must not be null.
        signingKey - The signing private key. Must not be null.
        Returns:
        The X.509 certificate.
        Throws:
        org.bouncycastle.operator.OperatorCreationException - On a generation exception.
        IOException - On a byte buffer exception.
      • generateSelfSigned

        public static X509Certificate generateSelfSigned(Issuer issuer,
                                                         Date nbf,
                                                         Date exp,
                                                         PublicKey certKey,
                                                         PrivateKey signingKey)
                                                  throws org.bouncycastle.operator.OperatorCreationException,
                                                         IOException
        Generates a new self-signed and self-issued X.509 certificate. The certificate is provisioned with a 64-bit random serial number.

        Signing algorithm:

        • For RSA signing keys: SHA256withRSA
        • For EC signing keys: SHA256withECDSA
        Parameters:
        issuer - The issuer, also used to set the subject. Will be prepended by cn= in the certificate to ensure a valid Distinguished Name (DN). Must not be null.
        nbf - Date before which the certificate is not valid. Must not be null.
        exp - Date after which the certificate is not valid. Must not be null.
        certKey - The public key to include in the certificate. Must not be null.
        signingKey - The signing private key. Must not be null.
        Returns:
        The X.509 certificate.
        Throws:
        org.bouncycastle.operator.OperatorCreationException - On a generation exception.
        IOException - On a byte buffer exception.
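        An added example, not part of the library's own documentation, that exercises the methods above together: it generates a self-signed CA certificate and a CA-issued leaf certificate, then shows which checks each one passes, so the difference between isSelfSigned, isSelfIssued and hasValidSignature is visible. It assumes the class lives in com.nimbusds.oauth2.sdk.util with Issuer and Subject from com.nimbusds.oauth2.sdk.id, and that BouncyCastle is on the classpath, as the throws clauses indicate.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.cert.X509Certificate;
import java.util.Date;

// Assumed package locations (not stated on this page)
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.util.X509CertificateUtils;

public class X509CertificateUtilsDemo {

    public static void main(String[] args) throws Exception {
        // One key pair for a CA and one for a leaf (end-entity) certificate
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair caKeys = gen.generateKeyPair();
        KeyPair leafKeys = gen.generateKeyPair();

        Date nbf = new Date();
        Date exp = new Date(nbf.getTime() + 365L * 24 * 60 * 60 * 1000L); // valid one year

        // CA cert: issuer == subject (cn=example-ca), signed with its own key, SHA256withECDSA
        X509Certificate caCert = X509CertificateUtils.generateSelfSigned(
                new Issuer("example-ca"), nbf, exp, caKeys.getPublic(), caKeys.getPrivate());

        // Leaf cert: different subject, carries the leaf key, signed with the CA's private key
        X509Certificate leafCert = X509CertificateUtils.generate(
                new Issuer("example-ca"), new Subject("client-123"),
                nbf, exp, leafKeys.getPublic(), caKeys.getPrivate());

        // The CA cert passes all three self-* checks
        check(X509CertificateUtils.hasMatchingIssuerAndSubject(caCert), "CA: issuer DN == subject DN");
        check(X509CertificateUtils.isSelfSigned(caCert), "CA: verifies with its own key");
        check(X509CertificateUtils.isSelfIssued(caCert), "CA: self-issued");

        // The leaf cert fails them, because its own key did not sign it ...
        check(!X509CertificateUtils.hasMatchingIssuerAndSubject(leafCert), "leaf: issuer DN != subject DN");
        check(!X509CertificateUtils.isSelfSigned(leafCert), "leaf: not self-signed");
        check(!X509CertificateUtils.isSelfIssued(leafCert), "leaf: not self-issued");

        // ... but it verifies against the CA key, which is the check a relying party needs
        check(X509CertificateUtils.hasValidSignature(leafCert, caKeys.getPublic()), "leaf: signed by CA");
        check(!X509CertificateUtils.hasValidSignature(leafCert, leafKeys.getPublic()), "leaf: not by leaf key");

        // Binding a presented cert to the key a client is expected to hold
        check(X509CertificateUtils.publicKeyMatches(leafCert, leafKeys.getPublic()), "leaf: holds leaf key");
        check(!X509CertificateUtils.publicKeyMatches(leafCert, caKeys.getPublic()), "leaf: not the CA key");
    }

    private static void check(boolean condition, String what) {
        if (!condition) throw new AssertionError("Failed: " + what);
        System.out.println("OK: " + what);
    }
}
```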