info.pppc.base.security

Class AbstractCertificate

java.lang.Object

info.pppc.base.security.AbstractCertificate

All Implemented Interfaces:

ICertificate

Direct Known Subclasses:

ECCCertificate, RSACertificate

public abstract class AbstractCertificate
extends java.lang.Object
implements ICertificate

A general abstraction for all different types of certificates (e.g. RSA or ECC). All certificates must inherit from this abstraction.
Main methods, like getting the fingerprint or encryption and decryption are already implemented here, only some certificate specific attributes must be added to inherit successfully from this abstraction.

If you create a new certificate type, don't forget to add the new certificate type also to the CertificateFactory.

Author:

WA

Field Summary

Fields inherited from interface info.pppc.base.security.ICertificate

AES_ENCRYPTION_MODE, CERTIFICATE_TYPE, DIGEST_TYPE, HMAC_ALGORITHM, RSA_ENCRYPTION_MODE

Constructor Summary

Constructors

Constructor and Description
AbstractCertificate(byte[] certificateBytes, byte[] privateKey) Creates a new certificate abstraction, needs the bytes of the certificate.

Method Summary

Methods

Modifier and Type	Method and Description
static AbstractCertificate	createCertificate(byte[] certificate) Creates a new certificate based on the given byte-array (which contains only the public key in DER format).
static AbstractCertificate	createCertificate(byte[] certificate, byte[] key) Creates a new certificate based on the given byte-array (which contains only the public key in DER format) and the certificates key (also as byte-array in DER format).
byte[]	decrypt(byte[] encryptedMessage) Decrypts a message, so that the plain text is accessible.
byte[]	encrypt(byte[] message) Encrypts a message, so that it can only be read by the owner of the corresponding private key of this certificate.
abstract boolean	equals(java.lang.Object obj) Every certificate type has to implement a comparison operator.
java.util.Date	getEndDate() Returns the time after that the certificate is invalid.
byte[]	getFingerprint() Gets the SHA-1 fingerprint of the certificate.
abstract java.lang.String	getIssuer() Get the issuer of the certificate
abstract IPublicKey	getPublicKey() Get the public key of the certificate
abstract byte[]	getSignature() Get the signature of the issuer of this certificate.
abstract byte[]	getSignedPart() Returns the part of the certificate, that was signed by the issuer.
java.util.Date	getStartDate() Returns the time from which the certificate is valid.
abstract java.lang.String	getSubject() Get the subject of the certificate.
int	hashCode() Returns a hash code for the certificate.
boolean	hasPrivateKey() Can be used to check if the device owns the corresponding private key of this certificate.
boolean	isValidRegardingStartAndEndDate() Validates the start and end date of a certificate.
byte[]	sign(byte[] toSign) Signs a given byte array.
byte[][]	toByteArray() Get the certificate as byte array (DER encoded), contains also the private key as byte array, if it does exist.
java.lang.String	toString() Convert the bytes of the certificate to a BASE64-encoded string.
static boolean	verifyCACertificateSignature(AbstractCertificate caCertificate) Verifies a given CA root certificate.
static boolean	verifyCertificate(AbstractCertificate[] certificate, IKeyStore keystore) Verifies a given certificate and returns true if the certificate can be trusted, because it is either Is stored in the given keystore One of the given intermediate certificates is stored in the keystore Its given root certificate is stored in the keystore.
boolean	verifyCertificate(IKeyStore keystore) Verify if the certificate is trusted or issued by a trusted CA.
boolean	verifySignature(byte[] message, byte[] signature) Verifies a signature which was created with the private key of this certificate (only needs the public key for verification).

Methods inherited from class java.lang.Object

getClass, notify, notifyAll, wait, wait, wait

Constructor Detail

AbstractCertificate

public AbstractCertificate(byte[] certificateBytes,
                   byte[] privateKey)
                    throws java.io.IOException

Creates a new certificate abstraction, needs the bytes of the certificate.

Parameters:

certificateBytes - The bytes of the certificate (so it can be accessed properly)

Throws:

java.io.IOException

Method Detail

getPublicKey

public abstract IPublicKey getPublicKey()

Get the public key of the certificate

Specified by:

getPublicKey in interface ICertificate

Returns:

The public key of the certificate or null, if no public key exists

getSubject

public abstract java.lang.String getSubject()

Get the subject of the certificate.

Specified by:

getSubject in interface ICertificate

Returns:

The subject (name) of the certificate as X509Name

getIssuer

public abstract java.lang.String getIssuer()

Get the issuer of the certificate

Specified by:

getIssuer in interface ICertificate

Returns:

The issuer of the certificate as X509Name

verifyCertificate

public boolean verifyCertificate(IKeyStore keystore)

Verify if the certificate is trusted or issued by a trusted CA.
The result is not cached and reevaluated every time this method is called. You can use the is trusted method instead, to get a cached value.

Specified by:

verifyCertificate in interface ICertificate

Parameters:

-

Returns:

True, if the certificate is trusted, false otherwise.

getFingerprint

public final byte[] getFingerprint()

Gets the SHA-1 fingerprint of the certificate.

Specified by:

getFingerprint in interface ICertificate

Returns:

The SHA-1 fingerprint of the certificate (160 bit = 20 byte)

Throws:

java.io.IOException - This exception is thrown if the certificate is stored in a file and cannot properly accessed.

sign

public byte[] sign(byte[] toSign)

Signs a given byte array. First creates the SHA-1-Hash and then signs it. Returns the signed SHA-1 hash value.

This is only possible, if the device also has the private key!

Specified by:

sign in interface ICertificate

Parameters:

toSign - The byte array which should be hashed and signed

Returns:

The signature for the SHA-1 hash of the given byte array. Returns null, if the device does not know the private key for this certificate.

verifySignature

public boolean verifySignature(byte[] message,
                      byte[] signature)

Verifies a signature which was created with the private key of this certificate (only needs the public key for verification).

Specified by:

verifySignature in interface ICertificate

Parameters:

message - The message which was signed

signature - The signature of the message

Returns:

True if the signature is valid and was created by the subject of this certificate

encrypt

public byte[] encrypt(byte[] message)

Encrypts a message, so that it can only be read by the owner of the corresponding private key of this certificate.
Please ensure, that this message contains some "randomness", e.g. at least the current date and time.

Specified by:

encrypt in interface ICertificate

Parameters:

message - The message which should be encrypted

Returns:

A message encrypted with the public key of this certificate, if the certificate contains the public key; null, if not or if an IOException occurred

decrypt

public byte[] decrypt(byte[] encryptedMessage)

Decrypts a message, so that the plain text is accessible.

Specified by:

decrypt in interface ICertificate

Parameters:

encryptedMessage - A message which was encrypted using the public key of this certificate

Returns:

The plain text of the message, if the certificate contains the private key; null, if not or if an IOException occurred

Throws:

java.io.IOException

hasPrivateKey

public boolean hasPrivateKey()

Can be used to check if the device owns the corresponding private key of this certificate.

Specified by:

hasPrivateKey in interface ICertificate

Returns:

True, if the private key exists, false otherwise

toString

public java.lang.String toString()

Convert the bytes of the certificate to a BASE64-encoded string.

Specified by:

toString in interface ICertificate

Overrides:

toString in class java.lang.Object

Returns:

The certificate as Hex-encoded string!

toByteArray

public byte[][] toByteArray()

Get the certificate as byte array (DER encoded), contains also the private key as byte array, if it does exist.

Specified by:

toByteArray in interface ICertificate

Returns:

The certificate ([0]) and the private key ([1]) as byte array. [1] can be null.

equals

public abstract boolean equals(java.lang.Object obj)

Every certificate type has to implement a comparison operator. Usually an certificate equals another one, if ALL fields are identical. This method must returns true, if the certificate equal each other.

Specified by:

equals in interface ICertificate

Overrides:

equals in class java.lang.Object

Parameters:

obj - The object of the type CertificateAbstraction that should be compared to the current certificate

Returns:

True, if the current certificate and the given certificate are equal, false otherwise

See Also:

Object.equals(java.lang.Object)

getSignedPart

public abstract byte[] getSignedPart()

Returns the part of the certificate, that was signed by the issuer. In combination with the signature (and the certificate of the issuer), the authenticity of this certificate can be checked by anyone.

Specified by:

getSignedPart in interface ICertificate

Returns:

The part of the certificate, that was signed by the certificate issuer.

getSignature

public abstract byte[] getSignature()

Get the signature of the issuer of this certificate. This is usually a signature about the signed part of the certificate.

Specified by:

getSignature in interface ICertificate

Returns:

The signature of this certificate.

See Also:

getSignedPart()

verifyCACertificateSignature

public static boolean verifyCACertificateSignature(AbstractCertificate caCertificate)

Verifies a given CA root certificate. Does not verify the current trust status, only the signature.

Parameters:

caCertificate - A byte array containing a CA root certificate.

Returns:

True, if the given certificate is a valid CA root certificate, false otherwise.

hashCode

public final int hashCode()

Returns a hash code for the certificate. The hash code is computed from the actual byte sequence of the certificate.

Specified by:

hashCode in interface ICertificate

Overrides:

hashCode in class java.lang.Object

Returns:

The hash code of the certificate.

getStartDate

public final java.util.Date getStartDate()

Returns the time from which the certificate is valid. The certificate is invalid before this time.

Specified by:

getStartDate in interface ICertificate

Returns:

A Date object containing the start date of this certificate

See Also:

getEndDate()

getEndDate

public final java.util.Date getEndDate()

Returns the time after that the certificate is invalid.

Specified by:

getEndDate in interface ICertificate

Returns:

A Date object containing the end date of this certificate

See Also:

getStartDate()

createCertificate

public static AbstractCertificate createCertificate(byte[] certificate)
                                             throws java.io.IOException

Creates a new certificate based on the given byte-array (which contains only the public key in DER format).

Parameters:

certificate - The certificate in DER format.

Returns:

The abstract certificate object that was created using the given byte-array.

Throws:

java.io.IOException - If the byte-array is malformed or this type of certificate is not supported.

createCertificate

public static AbstractCertificate createCertificate(byte[] certificate,
                                    byte[] key)
                                             throws java.io.IOException

Creates a new certificate based on the given byte-array (which contains only the public key in DER format) and the certificates key (also as byte-array in DER format).

Parameters:

certificate - The certificate in DER format.

key - The key of the certificate in DER format. Can be null if the key is not known.

Returns:

The abstract certificate object that was created using the given byte-array.

Throws:

java.io.IOException - If one of the byte-arrays is malformed or this type of certificate/key is not supported.

isValidRegardingStartAndEndDate

public final boolean isValidRegardingStartAndEndDate()

Validates the start and end date of a certificate. If the current time is between both of these timestamps, the certificate is valid and true is returned.

Specified by:

isValidRegardingStartAndEndDate in interface ICertificate

Returns:

True, if the certificate is valid regarding start and end date, false otherwise.

verifyCertificate

public static boolean verifyCertificate(AbstractCertificate[] certificate,
                        IKeyStore keystore)

Verifies a given certificate and returns true if the certificate can be trusted, because it is either

• Is stored in the given keystore
• One of the given intermediate certificates is stored in the keystore
• Its given root certificate is stored in the keystore.

If the certificate chain is broken or any of the certificates is invalid, then the method will return false.

Parameters:

certificate - A chain of certificates that should be verified. The first certificate should point to the actual certificate that shall be validated, the remaining certificates should be the path to the top of the hierarchy. Given that the certificates of the hierarchy are installed in the key store, they do not have to be specified as parameter in order to successfully validate the certificate.

keystore - The keystore that should be used for validation.

Returns:

The true, if the certificate exists or false otherwise.