// as the behavior in BC 1.35, it changed from SN to SERIALNUMBER in BC 1.36 // We must be backwards compatible X509Name.DefaultSymbols.put(X509Name.SN, "SN"); // We hard specify the system security provider in a few cases (see SYSTEM_SECURITY_PROVIDER). // If the SUN provider does not exist, we will always use BC. Provider p = Security.getProvider(CertTools.SYSTEM_SECURITY_PROVIDER); if (p == null) { log.debug("SUN security provider does not exist, using BC as system default provider."); SYSTEM_SECURITY_PROVIDER = "BC"; } } /** Check if parameters have been set correctly during pre-process, otherwise log an error and * set default values. Mostly used to be able to do JUnit testing */ private static void checkImplicitParams() { if (StringUtils.contains(IMPLICITLYCA_Q, "ecdsa.implicitlyca.q")) { log.info("IMPLICITLYCA_Q not set, using default."); IMPLICITLYCA_Q = "883423532389192164791648750360308885314476597252960362792450860609699839"; } if (StringUtils.contains(IMPLICITLYCA_A, "ecdsa.implicitlyca.a")) { log.info("IMPLICITLYCA_A not set, using default."); IMPLICITLYCA_A = "7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc"; } if (StringUtils.contains(IMPLICITLYCA_B, "ecdsa.implicitlyca.b")) { log.info("IMPLICITLYCA_B not set, using default."); IMPLICITLYCA_B = "6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a"; } if (StringUtils.contains(IMPLICITLYCA_G, "ecdsa.implicitlyca.g")) { log.info("IMPLICITLYCA_G not set, using default."); IMPLICITLYCA_G = "020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf"; } if (StringUtils.contains(IMPLICITLYCA_N, "ecdsa.implicitlyca.n")) { log.info("IMPLICITLYCA_N not set, using default."); IMPLICITLYCA_N = "883423532389192164791648750360308884807550341691627752275345424702807307"; } } /** * Reads a certificate in PEM-format from a file. The file may contain other things, * the first certificate in the file is read. 
* @param certFile path of the file containing the certificate(s) in PEM-format; used as given,
*        so callers handling untrusted input must validate it first
* @return Ordered Collection of Certificate (X509Certificate or CardVerifiableCertificate),
*         first certificate first, or empty Collection
* @exception IOException if the file cannot be read or a PEM boundary is missing.
* @exception CertificateException if the file does not contain a correct certificate.
*/
public static Collection getCertsFromPEM(String certFile) throws IOException, CertificateException {
    log.debug(">getCertfromPEM: certFile=" + certFile);
    FileInputStream fileIn = null;
    Collection parsed;
    try {
        fileIn = new FileInputStream(certFile);
        parsed = getCertsFromPEM(fileIn);
    } finally {
        // The stream overload closes its reader as well; closing here covers the case where
        // it threw before wrapping the stream.
        if (fileIn != null) {
            fileIn.close();
        }
    }
    log.debug("<getCertfromPEM: certFile=" + certFile);
    return parsed;
}

/**
 * Reads certificates in PEM-format from an InputStream. The stream may contain other things;
 * every certificate found between BEGIN/END CERTIFICATE (or TRUSTED CERTIFICATE) markers is
 * read, in stream order. The stream is closed when this method returns.
 *
 * @param certstream the input stream containing the certificate(s) in PEM-format
 * @return Ordered Collection of Certificate, first certificate first, or empty Collection
 * @exception IOException if the stream cannot be read, or a BEGIN/END boundary is missing.
 * @exception CertificateException if a certificate body does not decode to a correct certificate.
*/
public static Collection getCertsFromPEM(InputStream certstream) throws IOException, CertificateException {
    log.debug(">getCertfromPEM:");
    ArrayList result = new ArrayList();
    final String certBegin = "-----BEGIN CERTIFICATE-----";
    final String certEnd = "-----END CERTIFICATE-----";
    final String trustedBegin = "-----BEGIN TRUSTED CERTIFICATE-----";
    final String trustedEnd = "-----END TRUSTED CERTIFICATE-----";
    BufferedReader reader = null;
    ByteArrayOutputStream body = null;
    PrintStream bodyWriter = null;
    try {
        reader = new BufferedReader(new InputStreamReader(certstream));
        // NOTE(review): ready() reports whether the next read is guaranteed not to block, not
        // end-of-stream; it works for file-backed streams but a blocking source may end the
        // loop early — confirm callers only pass file/byte-array streams.
        while (reader.ready()) {
            body = new ByteArrayOutputStream();
            bodyWriter = new PrintStream(body);
            // Skip anything (headers, blank lines, "Subject:" text) up to the next BEGIN marker.
            // Markers must match the whole line exactly; a trailing space would not match.
            String line = reader.readLine();
            while (line != null && !line.equals(certBegin) && !line.equals(trustedBegin)) {
                line = reader.readLine();
            }
            if (line == null) {
                if (result.isEmpty()) {
                    // Not a single certificate in the whole stream: that is an error.
                    throw new IOException("Error in " + certstream.toString() + ", missing " + certBegin + " boundary");
                }
                // Trailing junk after the last certificate; the stream has ended, so stop here.
                break;
            }
            // Collect the base64 body up to the matching END marker.
            line = reader.readLine();
            while (line != null && !line.equals(certEnd) && !line.equals(trustedEnd)) {
                bodyWriter.print(line);
                line = reader.readLine();
            }
            if (line == null) {
                throw new IOException("Error in " + certstream.toString() + ", missing " + certEnd + " boundary");
            }
            bodyWriter.close();
            // The collected text is only checked by base64 decoding and certificate parsing.
            byte[] der = Base64.decode(body.toByteArray());
            body.close();
            result.add(getCertfromByteArray(der));
        }
    } finally {
        if (reader != null) {
            reader.close();
        }
        if (bodyWriter != null) {
            bodyWriter.close();
        }
        if (body != null) {
            body.close();
        }
    }
    log.debug("<getcertfromPEM:" + result.size());
    return result;
} // getCertsFromPEM

/**
 * Converts a regular array of certificates into an ArrayList, re-parsing each certificate's
 * encoding with the provided provider.
* @param certs Certificate[] of certificates to convert
* @param provider provider for example "SUN" or "BC", use null for the default provider (BC)
* @return An ArrayList of certificates in the same order as the passed in array
* @throws NoSuchProviderException declared for callers; not thrown by the current implementation
* @throws CertificateException if a certificate cannot be encoded or re-parsed
*/
public static ArrayList getCertCollectionFromArray(Certificate[] certs, String provider) throws CertificateException, NoSuchProviderException {
    if (log.isDebugEnabled()) {
        log.debug(">getCertCollectionFromArray: "+provider);
    }
    ArrayList converted = new ArrayList();
    String effectiveProvider = (provider == null) ? "BC" : provider;
    int count = certs.length;
    for (int idx = 0; idx < count; idx++) {
        // Round-trip through DER so the result is an object from the requested provider.
        byte[] encoded = certs[idx].getEncoded();
        converted.add(getCertfromByteArray(encoded, effectiveProvider));
    }
    if (log.isDebugEnabled()) {
        log.debug("<getCertCollectionFromArray: "+converted.size());
    }
    return converted;
}

/**
 * Returns certificates in PEM-format. Each certificate is preceded by plain-text "Subject:" and
 * "Issuer:" lines; getCertsFromPEM skips such lines when reading the output back.
 *
 * @param certs Collection of Certificate to convert to PEM
 * @return byte array containing the PEM certificates, in collection order
 * @exception CertificateException if a certificate cannot be encoded.
 */
public static byte[] getPEMFromCerts(Collection certs) throws CertificateException {
    final String certBegin = "-----BEGIN CERTIFICATE-----";
    final String certEnd = "-----END CERTIFICATE-----";
    ByteArrayOutputStream buffer = new ByteArrayOutputStream();
    PrintStream out = new PrintStream(buffer);
    for (Iterator it = certs.iterator(); it.hasNext(); ) {
        Certificate current = (Certificate) it.next();
        // Base64 text is ASCII, so the platform charset used by new String() is not significant here.
        byte[] encoded = Base64.encode(current.getEncoded());
        out.println("Subject: "+CertTools.getSubjectDN(current));
        out.println("Issuer: "+CertTools.getIssuerDN(current));
        out.println(certBegin);
        out.println(new String(encoded));
        out.println(certEnd);
    }
    out.close();
    return buffer.toByteArray();
}

/**
 * Returns a CRL in PEM-format.
* @param crlbytes the DER encoded CRL bytes to convert to PEM; the bytes are wrapped as-is,
*        without being parsed or validated
* @return byte array containing the PEM CRL
*/
public static byte[] getPEMFromCrl(byte[] crlbytes) {
    final String crlBegin = "-----BEGIN X509 CRL-----";
    final String crlEnd = "-----END X509 CRL-----";
    ByteArrayOutputStream buffer = new ByteArrayOutputStream();
    PrintStream out = new PrintStream(buffer);
    byte[] encoded = Base64.encode(crlbytes);
    out.println(crlBegin);
    out.println(new String(encoded));
    out.println(crlEnd);
    out.close();
    return buffer.toByteArray();
}

/**
 * Creates a Certificate from a byte[]; the bytes may hold either an X.509 certificate or a
 * CV certificate. X.509 parsing through the given provider is tried first, then the CVC parser.
 *
 * @param cert byte array containing the certificate in binary (DER) format
 * @param provider provider for example "SUN" or "BC", use null for the default provider (BC)
 * @return the parsed Certificate, or null when the bytes parse as neither X.509 nor CVC;
 *         callers must check for null
 * @throws CertificateException declared for API compatibility; parse failures are logged and
 *         yield a null return rather than an exception
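*/
public static Certificate getCertfromByteArray(byte[] cert, String provider) throws CertificateException {
    Certificate ret = null;
    String prov = provider;
    if (provider == null) {
        prov = "BC";
    }
    try {
        CertificateFactory cf = CertTools.getCertificateFactory(prov);
        ret = cf.generateCertificate(new ByteArrayInputStream(cert));
    } catch (CertificateException e) {
        // Expected for CVC input, so only debug level; keep the cause so malformed X.509
        // input can still be diagnosed.
        log.debug("Certificate exception trying to read X509Certificate.", e);
    }
    if (ret == null) {
        // We could not create an X509Certificate, see if it is a CVC certificate instead
        try {
            CVCertificate parsedObject = CertificateParser.parseCertificate(cert);
            ret = new CardVerifiableCertificate(parsedObject);
        } catch (ParseException e) {
            log.info("Certificate exception trying to read CVCCertificate: ", e);
        } catch (ConstructionException e) {
            log.info("Certificate exception trying to read CVCCertificate: ", e);
        } catch (IllegalArgumentException e) {
            log.info("Certificate exception trying to read CVCCertificate: ", e);
        }
    }
    // Both parsers failed: ret is still null here. A null cert argument is not checked and
    // surfaces as a NullPointerException from the stream constructor.
    return ret;
} // getCertfromByteArray

/**
 * Creates a Certificate from a byte[] using the BC provider; equivalent to
 * {@code getCertfromByteArray(cert, "BC")}.
 *
 * @param cert byte array containing the certificate in binary (DER) format
 * @return the parsed Certificate, or null when the bytes parse as neither X.509 nor CVC
 * @throws CertificateException declared for API compatibility; see the two-argument overload
 */
public static Certificate getCertfromByteArray(byte[] cert) throws CertificateException {
    return getCertfromByteArray(cert, "BC");
}

/**
 * Creates an X509CRL from a byte[].
 *
 * @param crl byte array containing the CRL in DER format
 * @return the parsed X509CRL
 * @throws IOException if crl is null
 * @throws CRLException if the bytes do not contain a well-formed CRL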
*/
public static X509CRL getCRLfromByteArray(byte[] crl) throws IOException, CRLException {
    log.debug(">getCRLfromByteArray:");
    if (crl == null) {
        throw new IOException("Cannot read byte[] that is 'null'!");
    }
    CertificateFactory factory = CertTools.getCertificateFactory();
    ByteArrayInputStream derIn = new ByteArrayInputStream(crl);
    X509CRL parsed = (X509CRL) factory.generateCRL(derIn);
    log.debug("<getCRLfromByteArray:");
    return parsed;
} // getCRLfromByteArray

/**
 * Checks if a certificate is self signed by comparing its subject and issuer DNs.
 *
 * <p>This is a name comparison only; the signature is not verified, so a true result does not
 * prove the certificate was signed by its own key.
 *
 * @param cert the certificate that shall be checked.
 * @return true if the certificate has the same issuer and subject, false otherwise.
 */
public static boolean isSelfSigned(Certificate cert) {
    String issuer = CertTools.getIssuerDN(cert);
    String subject = CertTools.getSubjectDN(cert);
    log.debug(">isSelfSigned: cert: " + issuer + "\n" + subject);
    boolean sameName = subject.equals(issuer);
    log.debug("<isSelfSigned:" + sameName);
    return sameName;
} // isSelfSigned

/**
 * Checks if a certificate is a CA certificate according to BasicConstraints (X.509), or role (CVC).
 * If there is no basic constraints extension on a X.509 certificate, false is returned.
 *
 * @param cert the certificate that shall be checked.
 * @return true if the certificate belongs to a CA.
 */
public static boolean isCA(Certificate cert) {
    log.debug(">isCA");
    boolean ret = false;
    if (cert instanceof X509Certificate) {
        X509Certificate x509cert = (X509Certificate)cert;
        if (x509cert.getBasicConstraints() > -1) {