Package com.nimbusds.oauth2.sdk.util
Class X509CertificateUtils

java.lang.Object
    com.nimbusds.oauth2.sdk.util.X509CertificateUtils

public final class X509CertificateUtils extends Object

X.509 certificate utilities.
Method Summary

All methods are static and concrete.

static X509Certificate generate(Issuer issuer, Subject subject, Date nbf, Date exp, PublicKey certKey, PrivateKey signingKey)
    Generates a new X.509 certificate.
static X509Certificate generateSelfSigned(Issuer issuer, Date nbf, Date exp, PublicKey certKey, PrivateKey signingKey)
    Generates a new self-signed and self-issued X.509 certificate.
static boolean hasMatchingIssuerAndSubject(X509Certificate cert)
    Checks if the issuer DN and the subject DN of the specified X.509 certificate match.
static boolean hasValidSignature(X509Certificate cert, PublicKey pubKey)
    Validates the signature of an X.509 certificate with the specified public key.
static boolean isSelfIssued(X509Certificate cert)
    Checks if the specified X.509 certificate is self-issued, i.e. its issuer and subject match and its public key validates its signature.
static boolean isSelfSigned(X509Certificate cert)
    Checks if the specified X.509 certificate is self-signed, i.e. its public key validates its signature.
static boolean publicKeyMatches(X509Certificate cert, PublicKey pubKey)
    Returns true if the public key of the X.509 certificate matches the specified public key.
Method Detail

hasMatchingIssuerAndSubject

public static boolean hasMatchingIssuerAndSubject(X509Certificate cert)

Checks if the issuer DN and the subject DN of the specified X.509 certificate match. The matched DNs are not normalised before comparison.

Parameters:
    cert - The X.509 certificate. Must not be null.
Returns:
    true if the issuer DN and subject DN match, else false.
isSelfIssued

public static boolean isSelfIssued(X509Certificate cert)

Checks if the specified X.509 certificate is self-issued, i.e. it has a matching issuer and subject, and its public key can be used to successfully validate the certificate's digital signature.

Parameters:
    cert - The X.509 certificate. Must not be null.
Returns:
    true if the X.509 certificate is self-issued, else false.
isSelfSigned

public static boolean isSelfSigned(X509Certificate cert)

Checks if the specified X.509 certificate is self-signed, i.e. its public key can be used to successfully validate the certificate's digital signature.

Parameters:
    cert - The X.509 certificate. Must not be null.
Returns:
    true if the X.509 certificate is self-signed, else false.
hasValidSignature

public static boolean hasValidSignature(X509Certificate cert, PublicKey pubKey)

Validates the signature of an X.509 certificate with the specified public key.

Parameters:
    cert - The X.509 certificate. Must not be null.
    pubKey - The public key to use for the validation. Must not be null.
Returns:
    true if the signature is valid, else false.
publicKeyMatches

public static boolean publicKeyMatches(X509Certificate cert, PublicKey pubKey)

Returns true if the public key of the X.509 certificate matches the specified public key.

Parameters:
    cert - The X.509 certificate. Must not be null.
    pubKey - The public key to compare. Must not be null.
Returns:
    true if the two public keys match, else false.
generate

public static X509Certificate generate(Issuer issuer, Subject subject, Date nbf, Date exp, PublicKey certKey, PrivateKey signingKey) throws org.bouncycastle.operator.OperatorCreationException, IOException

Generates a new X.509 certificate. The certificate is provisioned with a 64-bit random serial number.

Signing algorithm:
    - For RSA signing keys: SHA256withRSA
    - For EC signing keys: SHA256withECDSA

Parameters:
    issuer - The issuer. Will be prefixed with cn= in the certificate to ensure a valid Distinguished Name (DN). Must not be null.
    subject - The subject. Will be prefixed with cn= in the certificate to ensure a valid Distinguished Name (DN). Must not be null.
    nbf - Date before which the certificate is not valid. Must not be null.
    exp - Date after which the certificate is not valid. Must not be null.
    certKey - The public key to include in the certificate. Must not be null.
    signingKey - The signing private key. Must not be null.
Returns:
    The X.509 certificate.
Throws:
    org.bouncycastle.operator.OperatorCreationException - On a generation exception.
    IOException - On a byte buffer exception.
generateSelfSigned

public static X509Certificate generateSelfSigned(Issuer issuer, Date nbf, Date exp, PublicKey certKey, PrivateKey signingKey) throws org.bouncycastle.operator.OperatorCreationException, IOException

Generates a new self-signed and self-issued X.509 certificate. The certificate is provisioned with a 64-bit random serial number.

Signing algorithm:
    - For RSA signing keys: SHA256withRSA
    - For EC signing keys: SHA256withECDSA

Parameters:
    issuer - The issuer, also used to set the subject. Will be prefixed with cn= in the certificate to ensure a valid Distinguished Name (DN). Must not be null.
    nbf - Date before which the certificate is not valid. Must not be null.
    exp - Date after which the certificate is not valid. Must not be null.
    certKey - The public key to include in the certificate. Must not be null.
    signingKey - The signing private key. Must not be null.
Returns:
    The X.509 certificate.
Throws:
    org.bouncycastle.operator.OperatorCreationException - On a generation exception.
    IOException - On a byte buffer exception.
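A worked use of the utilities above, added here and not part of the SDK's own documentation: it generates a self-signed certificate and a separately issued one, then shows how an application might accept a self-signed certificate only against a pre-registered (pinned) public key and only inside its validity window, since none of the X509CertificateUtils checks looks at the dates. It assumes the SDK and Bouncy Castle are on the classpath; the key pairs, the DN values and the isAcceptableSelfSignedCert helper are constructed for the example.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.oauth2.sdk.util.X509CertificateUtils;

public class X509CertificateUtilsExample {
    // Example helper (not part of the SDK): accept a self-signed certificate only if its
    // signature verifies under its own key, that key was registered beforehand, and the
    // validity window holds. The SDK checks ignore dates, so checkValidity() is added.
    static boolean isAcceptableSelfSignedCert(X509Certificate cert, PublicKey registeredKey) {
        if (!X509CertificateUtils.isSelfSigned(cert)) return false;
        if (!X509CertificateUtils.publicKeyMatches(cert, registeredKey)) return false;
        try {
            cert.checkValidity();
            return true;
        } catch (CertificateException e) {
            return false; // expired or not yet valid
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed key material: P-256 keys, so the SDK signs with SHA256withECDSA.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair clientKeys = gen.generateKeyPair();
        KeyPair otherKeys = gen.generateKeyPair();
        Date nbf = new Date();
        Date exp = new Date(nbf.getTime() + 24L * 60 * 60 * 1000); // valid for one day

        // Self-signed and self-issued: issuer and subject are both "cn=example-client".
        X509Certificate selfSigned = X509CertificateUtils.generateSelfSigned(
                new Issuer("example-client"), nbf, exp, clientKeys.getPublic(), clientKeys.getPrivate());
        // Issued to another subject and signed with clientKeys acting as the CA; the
        // certified key is otherKeys, so this one is neither self-signed nor self-issued.
        X509Certificate issued = X509CertificateUtils.generate(
                new Issuer("example-client"), new Subject("example-service"), nbf, exp,
                otherKeys.getPublic(), clientKeys.getPrivate());

        System.out.println("self-signed, registered key:   "
                + isAcceptableSelfSignedCert(selfSigned, clientKeys.getPublic()));
        System.out.println("self-signed, unregistered key: "
                + isAcceptableSelfSignedCert(selfSigned, otherKeys.getPublic()));
        System.out.println("issued, checked with issuer key: "
                + X509CertificateUtils.hasValidSignature(issued, clientKeys.getPublic()));
    }
}
```

The run contrasts a self-signed certificate presented with and without a matching registered key, and shows that an issued certificate's signature is checked with the issuer's public key, not with the key the certificate itself carries.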