Package com.nimbusds.oauth2.sdk.util

Class X509CertificateUtils

    • Method Detail

      • hasMatchingIssuerAndSubject

        public static boolean hasMatchingIssuerAndSubject​(X509Certificate cert)
        Checks if the issuer DN and the subject DN of the specified X.509 certificate match. The matched DNs are not normalised.
        Parameters:
        cert - The X.509 certificate. Must not be null.
        Returns:
        true if the issuer DN and and subject DN match, else false.

      • isSelfIssued

        public static boolean isSelfIssued​(X509Certificate cert)
        Checks if the specified X.509 certificate is self-issued, i.e. it has a matching issuer and subject, and the public key can be used to successfully validate the certificate's digital signature.
        Parameters:
        cert - The X.509 certificate. Must not be null.
        Returns:
        true if the X.509 certificate is self-issued, else false.

      • isSelfSigned

        public static boolean isSelfSigned​(X509Certificate cert)
        Checks if the specified X.509 certificate is self-signed, i.e. the public key can be used to successfully validate the certificate's digital signature.
        Parameters:
        cert - The X.509 certificate. Must not be null.
        Returns:
        true if the X.509 certificate is self-signed, else false.

      • hasValidSignature

        public static boolean hasValidSignature​(X509Certificate cert,
                                        PublicKey pubKey)
        Validates the signature of a X.509 certificate with the specified public key.
        Parameters:
        cert - The X.509 certificate. Must not be null.
        pubKey - The public key to use for the validation. Must not be null.
        Returns:
        true if the signature is valid, else false.

      • publicKeyMatches

        public static boolean publicKeyMatches​(X509Certificate cert,
                                       PublicKey pubKey)
        Returns true if the public key of the X.509 certificate matches the specified public key.
        Parameters:
        cert - The X.509 certificate. Must not be null.
        pubKey - The public key to compare. Must not be null.
        Returns:
        true if the two public keys match, else false.

      • generate

        public static X509Certificate generate​(Issuer issuer,
                                       Subject subject,
                                       Date nbf,
                                       Date exp,
                                       PublicKey certKey,
                                       PrivateKey signingKey)
                                throws org.bouncycastle.operator.OperatorCreationException,
                                       IOException
        Generates a new X.509 certificate. The certificate is provisioned with a 64-bit random serial number.

        Signing algorithm:

        • For RSA signing keys: SHA256withRSA
        • For EC signing keys: SHA256withECDSA
        Parameters:
        issuer - The issuer. Will be prepended by cn= in the certificate to ensure a valid Distinguished Name (DN). Must not be null.
        subject - The subject. Will be prepended by cn= in the certificate to ensure a valid Distinguished Name (DN). Must not be null.
        nbf - Date before which the certificate is not valid. Must not be null.
        exp - Date after which the certificate is not valid. Must not be null.
        certKey - The public key to include in the certificate. Must not be null.
        signingKey - The signing private key. Must not be null.
        Returns:
        The X.509 certificate.
        Throws:
        org.bouncycastle.operator.OperatorCreationException - On a generation exception.
        IOException - On a byte buffer exception.

      • generateSelfSigned

        public static X509Certificate generateSelfSigned​(Issuer issuer,
                                                 Date nbf,
                                                 Date exp,
                                                 PublicKey certKey,
                                                 PrivateKey signingKey)
                                          throws org.bouncycastle.operator.OperatorCreationException,
                                                 IOException
        Generates a new self-signed and self-issued X.509 certificate. The certificate is provisioned with a 64-bit random serial number.

        Signing algorithm:

        • For RSA signing keys: SHA256withRSA
        • For EC signing keys: SHA256withECDSA
        Parameters:
        issuer - The issuer, also used to set the subject. Will be prepended by cn= in the certificate to ensure a valid Distinguished Name (DN). Must not be null.
        nbf - Date before which the certificate is not valid. Must not be null.
        exp - Date after which the certificate is not valid. Must not be null.
        certKey - The public key to include in the certificate. Must not be null.
        signingKey - The signing private key. Must not be null.
        Returns:
        The X.509 certificate.
        Throws:
        org.bouncycastle.operator.OperatorCreationException - On a generation exception.
        IOException - On a byte buffer exception.