Class CertificateUtils


  • public class CertificateUtils
    extends Object
    Utility methods for working with Certificate instances.
    Author:
    Guus der Kinderen, guus.der.kinderen@gmail.com
    • Constructor Detail

      • CertificateUtils

        public CertificateUtils()
    • Method Detail

      • filterValid

        public static Set<X509Certificate> filterValid(X509Certificate... certificates)
        Returns all valid certificates from the provided input, where validity references the notBefore and notAfter dates of each certificate. This method returns all certificates from the input for which X509Certificate.checkValidity() returns true. The return value of this method is a Set, which means that duplicate certificates in the input are implicitly being removed from the result.
        Parameters:
        certificates - An array of certificates (possibly empty, possibly null).
        Returns:
        A Set of valid certificates (possibly empty, but never null).
      • filterValid

        public static Set<X509Certificate> filterValid(Collection<X509Certificate> certificates)
        Returns all valid certificates from the provided input, where validity references the notBefore and notAfter dates of each certificate. This method returns all certificates from the input for which X509Certificate.checkValidity() returns true. The return value of this method is a Set, which means that duplicate certificates in the input are implicitly being removed from the result.
        Parameters:
        certificates - A Collection of certificates (possibly empty, possibly null).
        Returns:
        A Set of valid certificates (possibly empty, but never null).
      • toTrustAnchors

        public static Set<TrustAnchor> toTrustAnchors(X509Certificate... certificates)
        Transforms an array of certificates into TrustAnchor instances. This method does not set the nameConstraints parameter of the generated TrustAnchors. The return value of this method is a Set, which means that duplicate certificates in the input are implicitly being removed from the result.
        Parameters:
        certificates - An array of certificates (possibly empty, possibly null).
        Returns:
        A Set of TrustAnchor instances (possibly empty, but never null).
      • toTrustAnchors

        public static Set<TrustAnchor> toTrustAnchors(Collection<X509Certificate> certificates)
        Transforms a collection of certificates into TrustAnchor instances. This method does not set the nameConstraints parameter of the generated TrustAnchors. The return value of this method is a Set, which means that duplicate certificates in the input are implicitly being removed from the result.
        Parameters:
        certificates - A Collection of certificates (possibly empty, possibly null).
        Returns:
        A Set of TrustAnchor instances (possibly empty, but never null).
      • order

        public static List<X509Certificate> order(Collection<X509Certificate> certificates)
                                           throws CertificateException
        Orders certificates, starting from the entity to be validated and progressing back toward the CA root. This implementation matches "issuers" to "subjects" of certificates in such a way that "issuer" value of a certificate matches the "subject" value of the next certificate. When certificates are provided that do not belong to the same chain, a CertificateException is thrown.
        Parameters:
        certificates - an unordered collection of certificates (cannot be null).
        Returns:
        An ordered list of certificates (possibly empty, but never null).
        Throws:
        CertificateException - if the certificates do not belong to a single chain, for example when there are multiple CA root certificates.
      • identifyEndEntityCertificate

        public static X509Certificate identifyEndEntityCertificate(Collection<X509Certificate> chain)
                                                            throws CertificateException
        Identifies the End Entity (or 'target') certificate in a chain. In an ordered chain, this is the certificate at the opposite end from the CA / root certificate. This implementation can work with incomplete and unordered chains, as long as the provided certificates are all part of the same chain (or chain segment). Each certificate in the chain is expected to have issued another certificate from the chain, except for one. That one certificate is returned. When ordering the chain fails (for example, when the certificates in the collection do not form one linear list) the first certificate from the chain is returned.
        Parameters:
        chain - The chain (possibly incomplete or unordered, but not null, empty or malformed).
        Returns:
        The end entity certificate (never null).
        Throws:
        CertificateException - When no valid chain was provided.
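The issuer-to-subject matching that order and identifyEndEntityCertificate describe, as an added Go example that is not Openfire's code: it generates a constructed root / intermediate / leaf chain with the standard library, orders it end entity first, and rejects input that is not one linear chain (two roots, or a branching chain). mkCert, order, testPub and testKey are this example's own names, and the shared key pair is a shortcut for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

var testPub, testKey, _ = ed25519.GenerateKey(rand.Reader) // one key pair for every test cert: ordering only looks at names

// mkCert builds a constructed test certificate for cn, signed by parent (self-signed when parent is nil).
func mkCert(cn string, nb, na time.Time, parent *x509.Certificate) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(nb.Unix()), Subject: pkix.Name{CommonName: cn}, NotBefore: nb, NotAfter: na}
	if parent == nil {
		parent = t
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, testPub, testKey) // errors ignored in this demo
	c, _ := x509.ParseCertificate(der)
	return c
}

// order sorts an unordered chain end entity first, matching each issuer to the next subject as CertificateUtils.order describes.
func order(certs []*x509.Certificate) ([]*x509.Certificate, error) {
	bySubject, issued := map[string]*x509.Certificate{}, map[string]bool{}
	for _, c := range certs {
		bySubject[string(c.RawSubject)] = c
		issued[string(c.RawIssuer)] = issued[string(c.RawIssuer)] || string(c.RawIssuer) != string(c.RawSubject) // roots issue only themselves
	}
	var out []*x509.Certificate
	for _, c := range certs {
		if !issued[string(c.RawSubject)] { // end entity: the one certificate that issued nothing
			out = []*x509.Certificate{c} // what identifyEndEntityCertificate returns
			break
		}
	}
	for out != nil && len(out) < len(certs) { // follow issuer -> subject links toward the root
		next := bySubject[string(out[len(out)-1].RawIssuer)]
		if next == nil || next == out[len(out)-1] { // issuer missing, or a root reached too early
			return nil, errors.New("not a single chain: breaks at " + out[len(out)-1].Subject.CommonName)
		}
		out = append(out, next)
	}
	if len(out) < len(certs) {
		return nil, errors.New("no end entity found: cyclic input")
	}
	return out, nil
}
```

A missing root still orders (leaf, intermediate), matching the "incomplete chain" behaviour the Javadoc promises; an extra unrelated root is reported as an error.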
      • findValidPointInTime

        public static Date findValidPointInTime(X509Certificate... chain)
        Attempts to find a point in time on which each of the certificates in the chain will pass X509Certificate.checkValidity(Date).
        Parameters:
        chain - The chain for which to find a valid point in time (cannot be null, or empty).
        Returns:
        A date on which all certificates in the chain are valid, or null if no such date is available.
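The window intersection behind findValidPointInTime, as an added Go example that is not Openfire's code: X509Certificate.checkValidity(Date) accepts the dates from notBefore through notAfter inclusive, so the answer is the latest notBefore, provided it does not pass the earliest notAfter. It goes one step beyond the Javadoc by preferring the caller's now when that already lies in the overlap; validPointInTime, window and the now parameter are this example's own, and the certificates are unsigned x509.Certificate values carrying only dates.

```go
package main

import (
	"crypto/x509"
	"time"
)

// validPointInTime mirrors CertificateUtils.findValidPointInTime: it returns an instant at which every
// certificate in chain would pass checkValidity(Date), or nil when the notBefore..notAfter windows of
// the chain do not overlap. Unlike the Javadoc contract it also takes now, and prefers now whenever
// now already lies in the overlap, so a chain that is valid today is told apart from one that is not.
func validPointInTime(chain []*x509.Certificate, now time.Time) *time.Time {
	if len(chain) == 0 {
		return nil
	}
	lo, hi := chain[0].NotBefore, chain[0].NotAfter
	for _, c := range chain[1:] { // intersect the windows: latest notBefore, earliest notAfter
		if c.NotBefore.After(lo) {
			lo = c.NotBefore
		}
		if c.NotAfter.Before(hi) {
			hi = c.NotAfter
		}
	}
	if lo.After(hi) { // disjoint windows: no instant satisfies every certificate
		return nil
	}
	if !now.Before(lo) && !now.After(hi) {
		return &now
	}
	return &lo
}

// window builds an unsigned, constructed x509.Certificate that carries only the validity dates this
// example needs; it is not a usable certificate. Dates are YYYY-MM-DD in UTC.
func window(notBefore, notAfter string) *x509.Certificate {
	from, _ := time.Parse("2006-01-02", notBefore)
	to, _ := time.Parse("2006-01-02", notAfter)
	return &x509.Certificate{NotBefore: from, NotAfter: to}
}
```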