All Implemented Interfaces: ItemSelectable, Serializable, Cloneable, Map<Object,Object>

public class CertificatePair extends Properties implements ItemSelectable
Each instance is directly bound to a ~/.globus/xxx directory containing the relevant files (or another base directory, which is the CertificateStore). This is at least a private key, and usually a certificate. A log can be expected as well (this class logs all actions to it) and a certificate signing request can be present too.

This class provides actions like request, revoke, import, export, etc.

This class is also a child of Properties. One can set and get any property desired, but some are specifically reserved and queried directly from the certificate and/or certificate signing request. Please see getProperty(java.lang.String).

When the object is loaded, properties found in the file indicated by getPropertiesFile() are set. On destruction, the properties are written back so as to provide transparent persistence. When a property shouldn't be written, one can set the property name with .volatile appended to true to make the property not persistent, e.g. with

foo.html=<b>hi there</b>
foo.html.volatile=true

the variable foo.html is not saved back to the properties file.
After some more thinking this could actually involve a Java KeyStore as a custom backend for ~/.globus containing just a private key and a certificate. Then custom extensions can retrieve the CSR and other info. This would allow one to use other types of 'definitive' storage as well, like using a PKCS#12 certificate instead of userkey.pem and certificate.pem for jGlobus, as mentioned on a mailing-list. For now I'll keep it as it is.
Field Summary

Modifier and Type | Field | Description
---|---|---
protected X509Certificate | cert | The certificate.
protected File | path | The directory that represents this CertificatePair.
protected PKCS10CertificationRequest | req | If no certificate exists we can get info from the CSR.

Fields inherited from class java.util.Properties: defaults
Constructor Summary

Modifier | Constructor | Description
---|---|---
protected | CertificatePair() | Create a new empty certificate pair.
 | CertificatePair(File f) | New certificate pair of a directory.
Method Summary

Modifier and Type | Method | Description
---|---|---
void | addItemListener(ItemListener l) |
void | check(boolean checkPriv) | Run certificate checks.
void | clear() | Reset the contents of this object to the empty state.
void | downloadCertificate() | Download the certificate from the certificate authority.
boolean | equals(Object other) | Test equality.
void | exportTo(File dst) | Export the certificate and private key to a file using the private key password.
void | exportTo(File dst, char[] pw) | Export the certificate and private key to a file.
protected void | exportToPEM(File dst, char[] pw) | Export the certificate and private key to a PEM file.
protected void | exportToPKCS(File dst, char[] pw) | Export the certificate and private key to a PKCS#12 file.
static CertificatePair | generateRequest(File dst, Properties p) | Generate a new private key+CSR pair, request password.
static CertificatePair | generateRequest(File dst, Properties p, char[] pw) | Generate a new private key+CSR pair with specified password.
protected CA | getCA() | Return the correct CA for this CertificatePair.
File | getCertFile() | Return the File containing the certificate, or null if no certificate is loaded.
X509Certificate | getCertificate() | Return the certificate.
protected Date | getCompareDate() | Returns either the notBefore date of the certificate or the date from the directory (e.g.
PKCS10CertificationRequest | getCSR() | Return the certificate signing request (CSR).
File | getCSRFile() | Return the File containing the certificate request, or null if no certificate is loaded.
String | getIssuerPrincipalValue(String id) |
String | getIssuerPrincipalValue(DERObjectIdentifier id) |
File | getKeyFile() | Return the File containing the private key, or null if no certificate is loaded.
File | getPath() | Get the source of this certificate, if any.
protected String | getPrincipalValue(String id, boolean where) | Get a principal value from the certificate issuer/subject by string.
protected String | getPrincipalValue(DERObjectIdentifier id, boolean where) | Return a value of a principal of the certificate issuer/subject.
protected PrivateKey | getPrivateKey() | Return the decrypted private key from the specified file.
protected static PrivateKey | getPrivateKey(File keyFile) | Return the decrypted private key.
protected File | getPropertiesFile() | Return the File containing the additional properties.
String | getProperty(String key) | Return the value of a property.
protected String | getPropertyHtml(String key) | Return a property in html format, or null if not defined.
File[] | getRelatedFiles() | Return the list of existing certificate-related files.
static String[] | getRelatedFilesPossible() | Return the list of certificate-related filenames.
Object[] | getSelectedObjects() |
String | getSubjectPrincipalValue(String id) |
String | getSubjectPrincipalValue(DERObjectIdentifier id) |
static CertificatePair | importFrom(File src, File dst) | Import a CertificatePair from a keystore into a (new) directory.
static CertificatePair | importFrom(File src, File dst, char[] dstpw) | Import a CertificatePair from a keystore into a (new) directory.
protected void | importFromDirectory(File src, char[] dstpw) | Import from a Globus-type directory.
protected void | importFromPEM(File src, char[] dstpw) | Import key and certificate from a PEM file.
protected void | importFromPKCS(File src, char[] dstpw) | Import from PKCS.
boolean | isCertificationRequestProcessed() | See if the certificate can be downloaded from the certificate authority.
protected void | load(File f) | Load a certificate from a directory.
protected void | notifyChanged() | Notify ItemListeners that the item was changed.
boolean | refresh() | Refresh an item from disk and update its status from online sources.
void | removeItemListener(ItemListener l) |
Object | setProperty(String name, String value) |
void | store() | Store the properties in the file indicated by getPropertiesFile().
String | toString() |
void | uploadRequest() | Upload the certificate signing request to its certificate authority.
Methods inherited from class java.lang.Object: finalize, getClass, notify, notifyAll, wait, wait, wait

Methods inherited from class java.util.Properties: clone, compute, computeIfAbsent, computeIfPresent, contains, containsKey, containsValue, elements, entrySet, forEach, get, getOrDefault, getProperty, hashCode, isEmpty, keys, keySet, list, list, load, load, loadFromXML, merge, propertyNames, put, putAll, putIfAbsent, rehash, remove, remove, replace, replace, replaceAll, save, size, store, store, storeToXML, storeToXML, storeToXML, stringPropertyNames, values

Field Detail

protected File path
protected X509Certificate cert
protected PKCS10CertificationRequest req

Constructor Detail

protected CertificatePair()
public CertificatePair(File f) throws IOException, CertificateCheck.CertificateCheckException

Method Detail
public String getProperty(String key)

Usually this just returns the value set by setProperty(java.lang.String, java.lang.String), but there are some cases where the value is taken directly from the certificate or certificate signing request:

- true if the certificate is valid, null otherwise
- true when the certificate will expire within the warning period, which is set by the property jgridstart.renewal.warndays
- true when the certificate respectively CSR is present
- subject.o for a comma-separated list of subject organisations; see getSubjectPrincipalValue(org.bouncycastle.asn1.DERObjectIdentifier)
- true when child keys can be present
- true when they are defined in the extended key usage
- valid, warning, renew or error
- .html to get an html representation. If no html representation is present, it just returns the same as the property without .html.

Overrides: getProperty in class Properties
Parameters: key - property to get the value of

protected String getPropertyHtml(String key)
public Object setProperty(String name, String value)

On setting a property, all ItemListeners are notified using notifyChanged() if the value is different from the old one.

Overrides: setProperty in class Properties
public void clear()

protected void load(File f) throws IOException

Throws: IOException

public void store() throws FileNotFoundException, IOException

Store the properties in the file indicated by getPropertiesFile(). This file is written with permissions so that only the user can read it, because it may contain personal information.

Throws: FileNotFoundException, IOException
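The two persistence rules described on this page, the .volatile marker from the class description and the owner-only permissions that store() applies, are shown together in the following Java class. It is an added example written for this page, not jGridstart's CertificatePair: the class name VolatileProperties, the methods persistentView(), storeUserOnly() and loadFrom(), the decision not to write the .volatile marker keys themselves, and the sample property values are all assumptions made here.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Properties;

/** Added example, not jGridstart's CertificatePair: a property set with non-persistent keys. */
public class VolatileProperties extends Properties {

    /** Suffix that marks a key as not to be written back, as in foo.html.volatile=true. */
    static final String VOLATILE_SUFFIX = ".volatile";

    /** True when "<key>.volatile" is set to "true". */
    public boolean isVolatile(String key) {
        return Boolean.parseBoolean(getProperty(key + VOLATILE_SUFFIX));
    }

    /** The subset that reaches disk: volatile keys and (a choice made here) the markers themselves are dropped. */
    public Properties persistentView() {
        Properties out = new Properties();
        for (String key : stringPropertyNames()) {
            if (key.endsWith(VOLATILE_SUFFIX) || isVolatile(key)) {
                continue;
            }
            out.setProperty(key, getProperty(key));
        }
        return out;
    }

    /** Write the persistent subset so that only the owning user can read or write the file. */
    public void storeUserOnly(Path file) throws IOException {
        Files.deleteIfExists(file);   // recreate rather than reuse a file whose mode we did not set
        if (file.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            // mode 0600 is applied at creation, so there is no window with wider permissions
            Files.createFile(file, PosixFilePermissions.asFileAttribute(
                    PosixFilePermissions.fromString("rw-------")));
        } else {
            // non-POSIX file systems (e.g. Windows): best effort via java.io.File permission bits
            Files.createFile(file);
            File f = file.toFile();
            f.setReadable(false, false);
            f.setReadable(true, true);
            f.setWritable(false, false);
            f.setWritable(true, true);
        }
        try (OutputStream out = Files.newOutputStream(file,
                StandardOpenOption.WRITE, StandardOpenOption.TRUNCATE_EXISTING)) {
            persistentView().store(out, "certificate properties (volatile keys omitted)");
        }
    }

    /** Load a previously stored file back into this set. */
    public void loadFrom(Path file) throws IOException {
        try (InputStream in = Files.newInputStream(file)) {
            load(in);
        }
    }

    public static void main(String[] args) throws IOException {
        VolatileProperties props = new VolatileProperties();
        // constructed sample values mirroring the class description
        props.setProperty("foo.html", "<b>hi there</b>");
        props.setProperty("foo.html.volatile", "true");
        props.setProperty("subject", "/O=example/OU=users/CN=Jane Example");

        Path file = Files.createTempFile("certpair-", ".properties");
        props.storeUserOnly(file);

        VolatileProperties reloaded = new VolatileProperties();
        reloaded.loadFrom(file);
        System.out.println("persisted keys: " + reloaded.stringPropertyNames());          // [subject]
        System.out.println("foo.html after reload: " + reloaded.getProperty("foo.html")); // null
        if (file.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            System.out.println("mode: " + PosixFilePermissions.toString(Files.getPosixFilePermissions(file)));
        }
        Files.delete(file);
    }
}
```

The file is deleted and recreated with the restrictive mode instead of being truncated in place, because a pre-existing file may already carry wider permissions that a plain rewrite would leave untouched.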
public static CertificatePair importFrom(File src, File dst, char[] dstpw) throws IOException, PasswordCancelledException, CertificateCheck.CertificateCheckException, GeneralSecurityException

Parameters:
src - File to import from
dst - Directory to import into. On success, this directory could be passed later to create a new CertificatePair which is equal to the one returned by this method.
dstpw - password to use for private key storage, or null to use the same password as the import password
Throws: IOException, PasswordCancelledException, CertificateCheck.CertificateCheckException, GeneralSecurityException
public static CertificatePair importFrom(File src, File dst) throws IOException, PasswordCancelledException, CertificateCheck.CertificateCheckException, GeneralSecurityException

Parameters:
src - File to import from
dst - Directory to import into. On success, this directory could be passed later to create a new CertificatePair which is equal to the one returned by this method.
Throws: IOException, PasswordCancelledException, CertificateCheck.CertificateCheckException, GeneralSecurityException
protected void importFromPEM(File src, char[] dstpw) throws IOException, GeneralSecurityException, PasswordCancelledException, CertificateCheck.CertificateCheckException

This may possibly overwrite the current data.

Parameters:
src - PEM file to import from
Throws: IOException, GeneralSecurityException, PasswordCancelledException, CertificateCheck.CertificateCheckException
protected void importFromPKCS(File src, char[] dstpw) throws IOException, PasswordCancelledException, GeneralSecurityException, CertificateCheck.CertificateCheckException

If multiple key/certificate entries are found, only the first one is imported.

Parameters:
src - file to import from
dstpw - password for the new private key, or null to use the same as the import password
Throws: IOException, PasswordCancelledException, GeneralSecurityException, CertificateCheck.CertificateCheckException
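Because importFromPKCS takes only the first key/certificate entry it finds, a PKCS#12 file holding several identities is imported silently as whichever entry the provider enumerates first. The following Java program, an added example and not jGridstart code, lists every private-key entry of a PKCS#12 file with its certificate subject and warns when more than one is present; the class name, the method names and the command-line handling are assumptions made here, and the file path is supplied by the user at run time.

```java
import java.io.Console;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/**
 * Added example, not jGridstart code: lists the key entries of a PKCS#12 file so that a
 * multi-entry file is noticed before an importer that only takes the first entry is run.
 */
public class Pkcs12KeyEntries {

    /** Load a PKCS#12 file with the given password (used for both integrity and privacy). */
    public static KeyStore load(Path file, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Aliases of all private-key entries, in the order the provider enumerates them. */
    public static List<String> keyAliases(KeyStore ks) throws GeneralSecurityException {
        List<String> aliases = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                aliases.add(alias);
            }
        }
        return aliases;
    }

    /** Subject of the end-entity certificate of one key entry, for display. */
    public static String subjectOf(KeyStore ks, String alias) throws GeneralSecurityException {
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        return cert == null ? "(no certificate)" : cert.getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java Pkcs12KeyEntries <file.p12>");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) {
            System.err.println("no console available to read the password");
            System.exit(2);
        }
        // read interactively rather than from argv, so the password does not end up in process listings
        char[] password = console.readPassword("PKCS#12 password: ");
        try {
            KeyStore ks = load(Paths.get(args[0]), password);
            List<String> keys = keyAliases(ks);
            if (keys.isEmpty()) {
                System.err.println("no private-key entry found; nothing would be imported");
                System.exit(1);
            }
            for (String alias : keys) {
                System.out.println(alias + " -> " + subjectOf(ks, alias));
            }
            if (keys.size() > 1) {
                System.err.println("warning: " + keys.size() + " key entries; an importer that takes only"
                        + " the first would use '" + keys.get(0) + "'");
            }
        } finally {
            Arrays.fill(password, '\0');   // do not keep the password in memory longer than needed
        }
    }
}
```

Run it against a file before importing it; if it reports more than one key entry, split the file (or pick the intended entry explicitly) rather than relying on enumeration order.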
protected void importFromDirectory(File src, char[] dstpw) throws IOException, CertificateCheck.CertificateCheckException, NoSuchAlgorithmException

Parameters:
src - directory to import from
dstpw - password for the new private key, or null to use the same as the import password
Throws: IOException, CertificateCheck.CertificateCheckException, NoSuchAlgorithmException
public void exportTo(File dst, char[] pw) throws IOException, GeneralSecurityException, CertificateCheck.CertificateCheckException

Type is detected from the filename.

Parameters:
dst - destination to export to
pw - password to encrypt the exported key with, or null to use the private key password
Throws: IOException, GeneralSecurityException, CertificateCheck.CertificateCheckException
public void exportTo(File dst) throws PasswordCancelledException, IOException, GeneralSecurityException, CertificateCheck.CertificateCheckException

Type is detected from the filename; the password is taken from the private key when required.

Parameters:
dst - destination to export to
Throws: PasswordCancelledException, IOException, GeneralSecurityException, CertificateCheck.CertificateCheckException

protected void exportToPKCS(File dst, char[] pw) throws IOException, GeneralSecurityException, PasswordCancelledException, CertificateCheck.CertificateCheckException

protected void exportToPEM(File dst, char[] pw) throws IOException, CertificateCheck.CertificateCheckException

This is quite simple, since it just concatenates the existing files from its .globus directory; no password is needed.
public static CertificatePair generateRequest(File dst, Properties p, char[] pw) throws IOException, GeneralSecurityException, PasswordCancelledException, CAException

Details are taken from properties as follows, based on "Grid Certificate Profile" revision 0.26, http://www.ogf.org/documents/GFD.125.pdf.

Details of the certificate are specified by the supplied Properties. Currently only the property subject is used, which dictates the subject (DN) to use, as well as the optional property keysize, to override the keysize to use. If the keysize is not specified, the system property jgridstart.keysize is used. The same holds for the optional properties sigalgname and keyalgname.

Parameters:
dst - Destination directory (subdir of a store)
p - Properties according to which to generate the request
pw - Password to use, or null to ask the user via PasswordCache
Throws: IOException, GeneralSecurityException, PasswordCancelledException, CAException
public static CertificatePair generateRequest(File dst, Properties p) throws GeneralSecurityException, IOException, PasswordCancelledException, CAException

public void uploadRequest() throws GeneralSecurityException, IOException, CAException

public boolean isCertificationRequestProcessed() throws GeneralSecurityException, CAException

Also sets the property request.processed accordingly.

Throws: GeneralSecurityException, CAException

public void downloadCertificate() throws IOException, CertificateCheck.CertificateCheckException, CAException, GeneralSecurityException

protected CA getCA() throws GeneralSecurityException, CAException

Throws: GeneralSecurityException, CAException
public File getPath()

public File getKeyFile()

public File getCSRFile()

public File getCertFile()

protected File getPropertiesFile()

If no certificate is loaded, null is returned. The file need not exist yet.
protected PrivateKey getPrivateKey() throws IOException, PasswordCancelledException

The decryption password is requested from the user when required using PasswordCache. When the password is incorrect, the user is asked for the password up to three times, after which an exception is thrown.

protected static PrivateKey getPrivateKey(File keyFile) throws IOException, PasswordCancelledException

The decryption password is requested from the user when required using PasswordCache. When the password is incorrect, the user is asked for the password up to three times, after which an exception is thrown.
public X509Certificate getCertificate() throws IOException

Returns the certificate, or null if not present.

Throws: IOException

public PKCS10CertificationRequest getCSR() throws IOException

Returns null if not present.

Throws: IOException
public static String[] getRelatedFilesPossible()

Often a user stores additional files in the ~/.globus directory. This method returns the filenames of files that belong to this certificate and should be kept together.

public File[] getRelatedFiles()

Returns all files related to this certificate in this directory.
public boolean refresh() throws GeneralSecurityException, CAException

Throws: GeneralSecurityException, CAException

public void check(boolean checkPriv) throws CertificateCheck.CertificateCheckException

Parameters:
checkPriv - True to check the private key as well; this requires the private key password. You can safely test this if the private key password is still known to be in the PasswordCache.
Throws: CertificateCheck.CertificateCheckException
protected String getPrincipalValue(DERObjectIdentifier id, boolean where)

This is taken from the certificate when present. If that fails, the CSR is attempted. If that fails as well, null is returned. The value returned is meant for display purposes.

TODO document behaviour when id==null

Parameters:
id - one of X509Certificate.* (O, CN, ...)
where - true for subject, false for issuer

public String getSubjectPrincipalValue(DERObjectIdentifier id)

public String getIssuerPrincipalValue(DERObjectIdentifier id)
protected String getPrincipalValue(String id, boolean where)

The string is matched with X509Name.DefaultLookUp; see getSubjectPrincipalValue(org.bouncycastle.asn1.DERObjectIdentifier) for details. Apart from this some special string ids are provided:

- x-email
- x-dn-slash or x-dn: '/' separated
- x-dn-comma: ',' separated
- x-hash: CryptoUtils.getSubjectHash(java.security.cert.X509Certificate)

Parameters:
id - name as present in X509Name.DefaultLookUp
where - true for subject, false for issuer

public String toString()

Overrides: toString in class Properties
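The string ids of getPrincipalValue(String, boolean) above (x-dn-comma, x-dn-slash, x-email and plain attribute names such as O, whose values subject.o joins with commas) can be resolved with the JDK alone, without BouncyCastle's X509Name. The class below is an added example written for this page, not jGridstart's implementation: the class and method names are assumptions, the ordering of the slash form (OpenSSL style, least specific RDN first) is an assumption about what the project produces, x-hash is left out because the page does not state how CryptoUtils.getSubjectHash is computed, and the sample subject is constructed.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

/** Added example, not jGridstart's getPrincipalValue: resolve string ids against an X.500 name. */
public class PrincipalValues {

    /** PKCS#9 emailAddress OID, which Java prints numerically unless a keyword is supplied. */
    static final String EMAIL_OID = "1.2.840.113549.1.9.1";
    static final Map<String, String> OID_KEYWORDS = Collections.singletonMap(EMAIL_OID, "EMAILADDRESS");

    /** Parse the principal into RDNs; index 0 of getRdns() is the rightmost RDN (e.g. C=NL). */
    static LdapName parse(X500Principal principal) throws InvalidNameException {
        return new LdapName(principal.getName(X500Principal.RFC2253, OID_KEYWORDS));
    }

    /**
     * Value for a string id. Special ids follow the list on this page; any other id is treated as an
     * attribute type (O, CN, ...) and yields all values of that type joined by ", ", or null if absent.
     */
    public static String get(X500Principal principal, String id) throws InvalidNameException {
        LdapName dn = parse(principal);
        switch (id) {
            case "x-dn-comma":
                return dn.toString();            // RFC 2253 form, ',' separated
            case "x-dn":
            case "x-dn-slash":
                return slashForm(dn);            // assumed OpenSSL-style order: /C=.../O=.../CN=...
            case "x-email":
                return attribute(dn, "EMAILADDRESS");
            default:
                return attribute(dn, id);
        }
    }

    static String slashForm(LdapName dn) {
        StringBuilder sb = new StringBuilder();
        for (Rdn rdn : dn.getRdns()) {           // rightmost RDN first, so C comes before CN
            sb.append('/').append(rdn.getType()).append('=').append(rdn.getValue());
        }
        return sb.toString();
    }

    /** All values of one attribute type, most specific first, or null when absent. */
    static String attribute(LdapName dn, String type) {
        List<String> values = new ArrayList<>();
        List<Rdn> rdns = dn.getRdns();
        for (int i = rdns.size() - 1; i >= 0; i--) {
            Rdn rdn = rdns.get(i);               // multi-valued RDNs (a+b) are not expanded here
            if (rdn.getType().equalsIgnoreCase(type)) {
                values.add(String.valueOf(rdn.getValue()));
            }
        }
        return values.isEmpty() ? null : String.join(", ", values);
    }

    public static void main(String[] args) throws InvalidNameException {
        // constructed subject with two O values, as a grid user DN may have
        X500Principal subject = new X500Principal(
                "EMAILADDRESS=jane@example.org, CN=Jane Example, O=users, O=example, C=NL");
        for (String id : new String[] {"x-dn-comma", "x-dn-slash", "x-email", "O", "CN", "OU"}) {
            System.out.println(id + " -> " + get(subject, id));
        }
    }
}
```

For the constructed subject, "O" resolves to "users, example", "x-dn-slash" to "/C=NL/O=example/O=users/CN=Jane Example/EMAILADDRESS=jane@example.org", and "OU" to null, which matches the documented behaviour of returning null when a value is not found.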
public boolean equals(Object other)
A CertificatePair object only equals another object if it is a CertificatePair as well, and if the certificates are equal. If no certificate is present, the CSR is compared instead. If no CSR is present either, the path is compared.
Ideally the private key would be checked as well, but that requires a password.
protected Date getCompareDate()

public void addItemListener(ItemListener l)

Specified by: addItemListener in interface ItemSelectable
See Also: ItemSelectable.addItemListener(java.awt.event.ItemListener)

public Object[] getSelectedObjects()

Specified by: getSelectedObjects in interface ItemSelectable
See Also: ItemSelectable.getSelectedObjects()

public void removeItemListener(ItemListener l)

Specified by: removeItemListener in interface ItemSelectable
See Also: ItemSelectable.removeItemListener(java.awt.event.ItemListener)

protected void notifyChanged()
Copyright © 2010-2018 Nikhef / Stichting FOM. All Rights Reserved.