Package nl.nikhef.jgridstart

Class CertificatePair

java.lang.Object

java.util.Dictionary<K,V>

java.util.Hashtable<Object,Object>

java.util.Properties

nl.nikhef.jgridstart.CertificatePair

All Implemented Interfaces:

ItemSelectable, Serializable, Cloneable, Map<Object,Object>

public class CertificatePair
extends Properties
implements ItemSelectable

Class containing everything related to a grid certificate.

Each instance is directly bound to a ~/.globus/xxx directory containing the relevant files (or another base directory, which is the CertificateStore). This is at least a private key, and usually a certificate. A log can be expected as well (this class logs all actions to it) and a certificate signing request can be present too.

This class provides actions like request, revoke, import, export, etc.

This class is also a child of Properties. One can set and get any property desired, but some are specifically reserved and queried directly from the certificate and/or certificate signing request. Please see getProperty(java.lang.String). When the object is loaded, properties found in the file indicated by getPropertiesFile() are set. On destruction, the properties are written back as to provide transparent presistency. When a property shouldn't be written, one can set the property name with .volatile appended to true to make the property not persistent, e.g. with

   foo.html=>b<hi there>/b<
   foo.html.volatile=true
 

the variable foo.html is not saved back to the properties file.

After some more thinking this could actually involve a Java KeyStore as a custom backend for ~/.globus containing just a private key and a certificate. Then custom extensions can retrieve the CSR and other info. This would allow one to use other types of 'definitive' storage as well, like using a PKCS#12 certificate instead of userkey.pem and certificate.pem for jGlobus, as mentioned on a mailing-list. For now I'll keep it as it is.

Author:

wvengen

See Also:

Serialized Form

Field Summary

Fields

Modifier and Type	Field	Description
protected X509Certificate	cert	The certificate.
protected File	path	The directory that represents this CertificatePair.
protected PKCS10CertificationRequest	req	If no certificate exists we can get info from the CSR

Fields inherited from class java.util.Properties

defaults

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	CertificatePair()	Create new empty certificate pair
	CertificatePair(File f)	New certificate pair of a directory

Method Summary

Modifier and Type	Method	Description
void	addItemListener(ItemListener l)
void	check(boolean checkPriv)	Run certificate checks.
void	clear()	Reset the contents to this object to the empty state
void	downloadCertificate()	Download the certificate from the certificate authority
boolean	equals(Object other)	Test equality.
void	exportTo(File dst)	Export the certificate and private key to a file using private key password.
void	exportTo(File dst, char[] pw)	Export the certificate and private key to a file.
protected void	exportToPEM(File dst, char[] pw)	Export the certificate and private key to a PEM file.
protected void	exportToPKCS(File dst, char[] pw)	Export the certificate and private key to a PKCS#12 file.
static CertificatePair	generateRequest(File dst, Properties p)	Generate a new private key+CSR pair, request password.
static CertificatePair	generateRequest(File dst, Properties p, char[] pw)	Generate a new private key+CSR pair with specified password.
protected CA	getCA()	Return the correct CA for this CertificatePair.
File	getCertFile()	return the File containing the certificate, or null if no certificate is loaded.
X509Certificate	getCertificate()	Return the certificate.
protected Date	getCompareDate()	returns either the notBefore date of the certificate or the date from the directory (e.g.
PKCS10CertificationRequest	getCSR()	Return the certificate signing request (CSR).
File	getCSRFile()	return the File containing the certificate request, or null if no certificate is loaded.
String	getIssuerPrincipalValue(String id)
String	getIssuerPrincipalValue(DERObjectIdentifier id)
File	getKeyFile()	return the File containing the private key, or null if no certificate is loaded
File	getPath()	get the source of this certificate, if any
protected String	getPrincipalValue(String id, boolean where)	Get a principal value from the certificate issuer/subject by string.
protected String	getPrincipalValue(DERObjectIdentifier id, boolean where)	Return a value of a principal of the certificate issuer/subject.
protected PrivateKey	getPrivateKey()	Return decrypted private key from specified file.
protected static PrivateKey	getPrivateKey(File keyFile)	Return the decrypted private key.
protected File	getPropertiesFile()	Return the File containing the additional properties.
String	getProperty(String key)	Return the value of a property.
protected String	getPropertyHtml(String key)	Return a property in html format, or null if not defined.
File[]	getRelatedFiles()	Return list of existing certificate-related files.
static String[]	getRelatedFilesPossible()	Return list of certificate-related filenames.
Object[]	getSelectedObjects()
String	getSubjectPrincipalValue(String id)
String	getSubjectPrincipalValue(DERObjectIdentifier id)
static CertificatePair	importFrom(File src, File dst)	Import a CertificatePair from a keystore into a (new) directory.
static CertificatePair	importFrom(File src, File dst, char[] dstpw)	Import a CertificatePair from a keystore into a (new) directory.
protected void	importFromDirectory(File src, char[] dstpw)	Import from Globus-type directory.
protected void	importFromPEM(File src, char[] dstpw)	Import key and certificate from a PEM file.
protected void	importFromPKCS(File src, char[] dstpw)	Import from PKCS.
boolean	isCertificationRequestProcessed()	See if the certificate can be downloaded from the certificate authority.
protected void	load(File f)	Load a certificate from a directory
protected void	notifyChanged()	notify itemlisteners that the item was changed
boolean	refresh()	Refresh an item from disk and update its status from online sources.
void	removeItemListener(ItemListener l)
Object	setProperty(String name, String value)
void	store()	Store the properties in the file indicated by getPropertiesFile().
String	toString()
void	uploadRequest()	Upload the certificate signing request to its certificate authority

Methods inherited from interface java.util.Map

Methods inherited from class java.lang.Object

finalize, getClass, notify, notifyAll, wait, wait, wait

Methods inherited from class java.util.Properties

clone, compute, computeIfAbsent, computeIfPresent, contains, containsKey, containsValue, elements, entrySet, forEach, get, getOrDefault, getProperty, hashCode, isEmpty, keys, keySet, list, list, load, load, loadFromXML, merge, propertyNames, put, putAll, putIfAbsent, rehash, remove, remove, replace, replace, replaceAll, save, size, store, store, storeToXML, storeToXML, storeToXML, stringPropertyNames, values

Field Detail

path

protected File path

The directory that represents this CertificatePair.

cert

protected X509Certificate cert

The certificate. It is cached because it contains most important info.

req

protected PKCS10CertificationRequest req

If no certificate exists we can get info from the CSR

Constructor Detail

CertificatePair

protected CertificatePair()

Create new empty certificate pair

CertificatePair

public CertificatePair(File f)
                throws IOException,
                       CertificateCheck.CertificateCheckException

New certificate pair of a directory

Throws:

IOException

CertificateCheck.CertificateCheckException

Method Detail

getProperty

public String getProperty(String key)

Return the value of a property.

Usually this just returns the value set by setProperty(java.lang.String, java.lang.String), but there are some cases where the value is taken directly from the certificate or certificate signing request.

valid

is true if the certificate is valid, null otherwise

valid.notafter, valid.notbefore

localised validity interval

valid.notafter.remaining

Number of days until certificate expires

valid.notafter.warning

is true when certificate will expires within the warning period, which is set by the property jgridstart.renewal.warndays.

cert, request

is true when certificate respectively CSR are present

subject, issuer

dinstinguished name in certificate or else CSR, in slash-notation. Specific fields can be requested as well, e.g. subject.o for a comma-separated list of subject organisations; see getSubjectPrincipalValue(org.bouncycastle.asn1.DERObjectIdentifier).

cert.serial

certificate serial number, when certificate is present

path

filesystem path of the directory the certificate and pair live in

usage

is true when child keys can be present

usage.any, usage.serverauth, usage.clientauth, usage.codesigning,

usage.emailprotection, usage.timestamping, usage.ocspsigning are true when they are defined in the extended key usage

modulus, modulus.first20

the public key's modulus, and its first 20 characters

keysize, keyalgname, sigalgname

Cryptographic properties of the certificate: size of the key (in bits), algorithm name of the key (usually "RSA"), signature algorithm name (see Signature Algorithms).

org

the certificate's (or request's) organisation; this is the last last organisation RDN, optionally with one or more organisation-unit RDNs appended (separated by a comma).

state.icon

Icon for certificate state, one of valid, warning, renew or error.

ca_supported

if the this certificate is issued by the CA jGridstart is connected to.

You can postfix each property with .html to get an html representation. If no html representation is present, it just returns the same as the property without .html.

Overrides:

getProperty in class Properties

Parameters:

key - property to get the value of

Returns:

value of the property, or null if not found.

getPropertyHtml

protected String getPropertyHtml(String key)

Return a property in html format, or null if not defined.

setProperty

public Object setProperty(String name,
                          String value)

On setting a property, all ItemListeners are notified using notifyChanged() if the value is different from the old one.

Overrides:

setProperty in class Properties

clear

public void clear()

Reset the contents to this object to the empty state

Specified by:

clear in interface Map<Object,Object>

Overrides:

clear in class Properties

load

protected void load(File f)
             throws IOException

Load a certificate from a directory

Throws:

IOException

store

public void store()
           throws FileNotFoundException,
                  IOException

Store the properties in the file indicated by getPropertiesFile().

This file is written with permissions so that only the user can read it, because it may contain personal information.

Throws:

FileNotFoundException

IOException

importFrom

public static CertificatePair importFrom(File src,
                                         File dst,
                                         char[] dstpw)
                                  throws IOException,
                                         PasswordCancelledException,
                                         CertificateCheck.CertificateCheckException,
                                         GeneralSecurityException

Import a CertificatePair from a keystore into a (new) directory.

Parameters:

src - File to import from

dst - Directory to import into. On success, this directory could be passed later to create a new CertificatePair which is equal to the one returned by this method.

dstpw - password to use for private key storage, or null to use same password as import password

Returns:

a new CertificatePair representing the newly imported pair.

Throws:

IOException

PasswordCancelledException

CertificateCheck.CertificateCheckException

GeneralSecurityException

importFrom

public static CertificatePair importFrom(File src,
                                         File dst)
                                  throws IOException,
                                         PasswordCancelledException,
                                         CertificateCheck.CertificateCheckException,
                                         GeneralSecurityException

Import a CertificatePair from a keystore into a (new) directory.

Parameters:

src - File to import from

dst - Directory to import into. On success, this directory could be passed later to create a new CertificatePair which is equal to the one returned by this method.

Returns:

a new CertificatePair representing the newly imported pair.

Throws:

IOException

PasswordCancelledException

CertificateCheck.CertificateCheckException

GeneralSecurityException

importFromPEM

protected void importFromPEM(File src,
                             char[] dstpw)
                      throws IOException,
                             GeneralSecurityException,
                             PasswordCancelledException,
                             CertificateCheck.CertificateCheckException

Import key and certificate from a PEM file.

This may possibly overwrite the current data.

Parameters:

src - PEM file to import from

Throws:

IOException

GeneralSecurityException

PasswordCancelledException

CertificateCheck.CertificateCheckException

importFromPKCS

protected void importFromPKCS(File src,
                              char[] dstpw)
                       throws IOException,
                              PasswordCancelledException,
                              GeneralSecurityException,
                              CertificateCheck.CertificateCheckException

Import from PKCS.

If multiple key/certificate entries are found, only the first one is imported.

Parameters:

src - file to import from

dstpw - password for new private keym or null to use same as import password

Throws:

IOException

PasswordCancelledException

GeneralSecurityException

CertificateCheck.CertificateCheckException

importFromDirectory

protected void importFromDirectory(File src,
                                   char[] dstpw)
                            throws IOException,
                                   CertificateCheck.CertificateCheckException,
                                   NoSuchAlgorithmException

Import from Globus-type directory.

Parameters:

src - directory to import from

dstpw - password for new private key or null to use same as import password

Throws:

IOException

CertificateCheck.CertificateCheckException

NoSuchAlgorithmException

exportTo

public void exportTo(File dst,
                     char[] pw)
              throws IOException,
                     GeneralSecurityException,
                     CertificateCheck.CertificateCheckException

Export the certificate and private key to a file.

Type is detected from the filename.

Parameters:

dst - destination to export TooManyListenersException

pw - password to encrypt exported key with, or null to use private key password

Throws:

IOException

GeneralSecurityException

CertificateCheck.CertificateCheckException

exportTo

public void exportTo(File dst)
              throws PasswordCancelledException,
                     IOException,
                     GeneralSecurityException,
                     CertificateCheck.CertificateCheckException

Export the certificate and private key to a file using private key password.

Type is detected from the filename, password is taken from private key when required.

Parameters:

dst - destination to export TooManyListenersException

Throws:

PasswordCancelledException

IOException

GeneralSecurityException

CertificateCheck.CertificateCheckException

exportToPKCS

protected void exportToPKCS(File dst,
                            char[] pw)
                     throws IOException,
                            GeneralSecurityException,
                            PasswordCancelledException,
                            CertificateCheck.CertificateCheckException

Export the certificate and private key to a PKCS#12 file.

Throws:

IOException

GeneralSecurityException

PasswordCancelledException

CertificateCheck.CertificateCheckException

exportToPEM

protected void exportToPEM(File dst,
                           char[] pw)
                    throws IOException,
                           CertificateCheck.CertificateCheckException

Export the certificate and private key to a PEM file.

This is quite simple, since it just concatenates the existing files from its .globus directory; no password is needed.

Throws:

IOException

CertificateCheck.CertificateCheckException

generateRequest

public static CertificatePair generateRequest(File dst,
                                              Properties p,
                                              char[] pw)
                                       throws IOException,
                                              GeneralSecurityException,
                                              PasswordCancelledException,
                                              CAException

Generate a new private key+CSR pair with specified password.

Details are taken from properties as follows, based on "Grid Certificate Profile" revision 0.26, http://www.ogf.org/documents/GFD.125.pdf.

Details of the certificate are specified by the supplied Properties. Currently only the property subject is used, which dictates the subject (DN) to use, as well as the optional property keysize, to override the keysize to use. If the keysize is not specified, the system property jgridstart.keysize is used. The same holds for the optional properties sigalgname and keyalgname.

Parameters:

dst - Destination directory (subdir of a store)

p - Properties according to which to generate request

pw - Password to use, or null to ask from user via PasswordCache

Returns:

newly created CertificatePair

Throws:

IOException

GeneralSecurityException

PasswordCancelledException

CAException

generateRequest

public static CertificatePair generateRequest(File dst,
                                              Properties p)
                                       throws GeneralSecurityException,
                                              IOException,
                                              PasswordCancelledException,
                                              CAException

Generate a new private key+CSR pair, request password.

Throws:

GeneralSecurityException

IOException

PasswordCancelledException

CAException

See Also:

generateRequest(File, Properties)

uploadRequest

public void uploadRequest()
                   throws GeneralSecurityException,
                          IOException,
                          CAException

Upload the certificate signing request to its certificate authority

Throws:

GeneralSecurityException

IOException

CAException

isCertificationRequestProcessed

public boolean isCertificationRequestProcessed()
                                        throws GeneralSecurityException,
                                               CAException

See if the certificate can be downloaded from the certificate authority.

Also sets the property request.processed accordingly.

Throws:

GeneralSecurityException

CAException

downloadCertificate

public void downloadCertificate()
                         throws IOException,
                                CertificateCheck.CertificateCheckException,
                                CAException,
                                GeneralSecurityException

Download the certificate from the certificate authority

Throws:

IOException

CertificateCheck.CertificateCheckException

CAException

GeneralSecurityException

getCA

protected CA getCA()
            throws GeneralSecurityException,
                   CAException

Return the correct CA for this CertificatePair. Currently this is fixed, but eventually it should be possible to have certificates with different CA's.

Throws:

GeneralSecurityException

CAException

getPath

public File getPath()

get the source of this certificate, if any

getKeyFile

public File getKeyFile()

return the File containing the private key, or null if no certificate is loaded

getCSRFile

public File getCSRFile()

return the File containing the certificate request, or null if no certificate is loaded. The file need not exist.

getCertFile

public File getCertFile()

return the File containing the certificate, or null if no certificate is loaded. The file need not exist.

getPropertiesFile

protected File getPropertiesFile()

Return the File containing the additional properties.

If no certificate is loaded, null is returned. The file need not exist yet.

getPrivateKey

protected PrivateKey getPrivateKey()
                            throws IOException,
                                   PasswordCancelledException

Return decrypted private key from specified file.

The decryption password is requested from the user when required using PasswordCache. When the password is incorrect, the user is asked the password up to three times, after which a exception is thrown.

Throws:

IOException

PasswordCancelledException

getPrivateKey

protected static PrivateKey getPrivateKey(File keyFile)
                                   throws IOException,
                                          PasswordCancelledException

Return the decrypted private key.

The decryption password is requested from the user when required using PasswordCache. When the password is incorrect, the user is asked the password up to three times, after which a exception is thrown.

Throws:

IOException

PasswordCancelledException

getCertificate

public X509Certificate getCertificate()
                               throws IOException

Return the certificate.

Returns or null if not present.

Throws:

IOException

getCSR

public PKCS10CertificationRequest getCSR()
                                  throws IOException

Return the certificate signing request (CSR).

Returns null if not present

Throws:

IOException

getRelatedFilesPossible

public static String[] getRelatedFilesPossible()

Return list of certificate-related filenames.

Often a user stores additional files in the ~/.globus directory. This method returns the filenames of files that belong to this certificate and should be kept together.

getRelatedFiles

public File[] getRelatedFiles()

Return list of existing certificate-related files.

Returns all files related to this certificate in this directory.

refresh

public boolean refresh()
                throws GeneralSecurityException,
                       CAException

Refresh an item from disk and update its status from online sources.

Returns:

whether the refresh was successful or no

Throws:

GeneralSecurityException

CAException

check

public void check(boolean checkPriv)
           throws CertificateCheck.CertificateCheckException

Run certificate checks.

Parameters:

checkPriv - True to check private key as well, requires private key password. You can safely test this if the private key password is still known to be in the PasswordCache

Throws:

CertificateCheck.CertificateCheckException

getPrincipalValue

protected String getPrincipalValue(DERObjectIdentifier id,
                                   boolean where)

Return a value of a principal of the certificate issuer/subject.

This is taken from the certificate when present. If that fails, the CSR is attempted. If that fails as well, null is returned. The value returned is meant for display purposes.

TODO document behaviour when id==null

Parameters:

id - one of X509Certificate.* (O, CN, ...)

where - true for subject, false for issuer

Returns:

string with value of requested principal, or null if not available. If multiple entries are present, these are concatenated using ', '.

getSubjectPrincipalValue

public String getSubjectPrincipalValue(DERObjectIdentifier id)

getIssuerPrincipalValue

public String getIssuerPrincipalValue(DERObjectIdentifier id)

getPrincipalValue

protected String getPrincipalValue(String id,
                                   boolean where)

Get a principal value from the certificate issuer/subject by string.

The string is matched with X509Name.DefaultLookUp, see getSubjectPrincipalValue(org.bouncycastle.asn1.DERObjectIdentifier) for details.

Apart from this some special string ids are provided:

x-email

email address, one of the several fields

x-dn-slash or x-dn

string of the whole subject or issuer distinguished name, parts separated by '/'

x-dn-comma

string of the whole subject or issuer distinguished name, parts separated by ','

x-hash

openssl hash of subject dn, see CryptoUtils.getSubjectHash(java.security.cert.X509Certificate)

Parameters:

id - name as present in X509Name.DefaultLookup

where - true for subject, false for issuer

getSubjectPrincipalValue

public String getSubjectPrincipalValue(String id)

getIssuerPrincipalValue

public String getIssuerPrincipalValue(String id)

toString

public String toString()

Overrides:

toString in class Properties

equals

public boolean equals(Object other)

Test equality.

A CertificatePair object only equals another object if it is a CertificatePair as well, and if the certificates are equal. If no certificate is present, the CSR is compared instead. If no CSR is present either, the path is compared.

Ideally the private key would be checked as well, but that requires a password.

Specified by:

equals in interface Map<Object,Object>

Overrides:

equals in class Properties

getCompareDate

protected Date getCompareDate()

returns either the notBefore date of the certificate or the date from the directory (e.g. for a new request).

addItemListener

public void addItemListener(ItemListener l)

Specified by:

addItemListener in interface ItemSelectable

See Also:

ItemSelectable.addItemListener(java.awt.event.ItemListener)

getSelectedObjects

public Object[] getSelectedObjects()

Specified by:

getSelectedObjects in interface ItemSelectable

See Also:

ItemSelectable.getSelectedObjects()

removeItemListener

public void removeItemListener(ItemListener l)

Specified by:

removeItemListener in interface ItemSelectable

See Also:

ItemSelectable.removeItemListener(java.awt.event.ItemListener)

notifyChanged

protected void notifyChanged()

notify itemlisteners that the item was changed