Class CaCertificatesUtils

java.lang.Object
io.confluent.security.auth.mtls.CaCertificatesUtils

public class CaCertificatesUtils extends Object
  • Method Details

    • x509CertificatesFromPem

      public static X509Certificate[] x509CertificatesFromPem(String pem) throws CertificateException, IOException
      Parse PEM encoded certificates to X509Certificate objects.
      Parameters:
      pem - PEM encoded certificates
      Returns:
      X509Certificate objects
      Throws:
      CertificateException - if the certificate cannot be parsed
      IOException - if an I/O error occurs
    • x509CertificatesFromPemFile

      public static X509Certificate[] x509CertificatesFromPemFile(Path pemFile) throws CertificateException, IOException
      Parse PEM encoded certificates from a file to X509Certificate objects.
      Parameters:
      pemFile - Path to the PEM file
      Returns:
      X509Certificate objects
      Throws:
      CertificateException - if the certificate cannot be parsed
      IOException - if an I/O error occurs
    • isCertificateAuthority

      public static boolean isCertificateAuthority(X509Certificate cert)
      Whether the certificate is a CA certificate.
      Parameters:
      cert - X509Certificate
      Returns:
      true if the certificate is a CA certificate, false otherwise
    • x509CrlFromPem

      public static X509CRL x509CrlFromPem(String pem) throws CertificateException, IOException, CRLException
      Parse a PEM encoded CRL to an X509CRL object.
      Parameters:
      pem - PEM encoded CRL
      Returns:
      X509CRL object
      Throws:
      CertificateException - if the CRL cannot be parsed
      IOException - if an I/O error occurs
      CRLException - if the CRL is invalid
    • x509CrlToPem

      public static String x509CrlToPem(X509CRL crl) throws CRLException
      Convert an X509CRL to PEM format.
      Parameters:
      crl - X509CRL object
      Returns:
      PEM encoded CRL
      Throws:
      CRLException - if the CRL cannot be encoded
    • isSelfSigned

      public static boolean isSelfSigned(Certificate cert)
      Checks if the given Certificate is self-signed.
      Parameters:
      cert - Certificate
      Returns:
      true if the certificate is self-signed, false otherwise
      Throws:
      IllegalArgumentException - if the certificate is null
    • findSigningCert

      public static Certificate findSigningCert(Certificate signedCert, Collection<Certificate> certificates)
      Find the signing cert of a given certificate in a collection of certificates. Returns null if there is no signing cert in the collection or the certificate is self-signed.
      Parameters:
      signedCert - certificate to find the signing cert for, must not be null
      certificates - collection of CA certificates which might sign the signedCert, must not be null
      Returns:
      signing certificate or null if not found
      Throws:
      IllegalArgumentException - if signedCert is null
      IllegalArgumentException - if certificates are null
    • buildCertChain

      public static Certificate[] buildCertChain(Certificate[] clientChain, Map<String,Set<Certificate>> providerToCaCertsMapping)
      Builds a complete certificate chain from the given client certificate chain and the CA certificates of all providers. The client chain is converted to a valid chain and extra certificates not belonging to the chain are dropped.
      Parameters:
      clientChain - partial cert chain must not be null or empty, and the first certificate must be the leaf cert
      providerToCaCertsMapping - map of provider name to the set of CA certificates for that provider
      Returns:
      a valid certificate chain (complete if CA provider can be matched, otherwise incomplete)
      Throws:
      IllegalArgumentException - if clientChain is null
      IllegalArgumentException - if provider to CA certs map is null
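
As an added illustration (not the project's own code) of the semantics documented for isSelfSigned, findSigningCert and buildCertChain, the following Java uses only JDK java.security.cert APIs to walk from a leaf certificate towards a root, verifying each signature rather than trusting issuer names. The class name ChainBuildingExample and the helper signedBy are assumptions, and a Basic Constraints check on candidate signers (the point of isCertificateAuthority) is folded into the lookup.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
// Illustration only: mirrors the documented semantics of isSelfSigned, findSigningCert and
// buildCertChain using plain JDK APIs; it is not the CaCertificatesUtils implementation.
public final class ChainBuildingExample {
    /** True when signedCert's signature verifies under signer's public key. */
    static boolean signedBy(X509Certificate signedCert, X509Certificate signer) {
        if (!signer.getSubjectX500Principal().equals(signedCert.getIssuerX500Principal())) return false;
        try {
            signedCert.verify(signer.getPublicKey()); // cryptographic check: names alone prove nothing
            return true;
        } catch (GeneralSecurityException e) {
            return false; // same name but a different key (e.g. a rotated CA)
        }
    }

    /** Self-signed means the certificate verifies under its own key, not just that subject equals issuer. */
    static boolean isSelfSigned(X509Certificate cert) {
        if (cert == null) throw new IllegalArgumentException("cert must not be null");
        return signedBy(cert, cert);
    }

    /** The CA whose key signed signedCert, or null if none matches or signedCert is self-signed. */
    static X509Certificate findSigningCert(X509Certificate signedCert, Collection<X509Certificate> cas) {
        if (signedCert == null || cas == null) throw new IllegalArgumentException("arguments must not be null");
        if (isSelfSigned(signedCert)) return null;
        for (X509Certificate ca : cas) {
            // getBasicConstraints() is -1 unless Basic Constraints says cA=TRUE: only CAs may sign.
            if (ca.getBasicConstraints() >= 0 && signedBy(signedCert, ca)) return ca;
        }
        return null;
    }

    /** Walks from the leaf (clientChain[0]) towards a root; certificates off that path are dropped. */
    static List<X509Certificate> buildChain(X509Certificate[] clientChain, Collection<X509Certificate> trustedCas) {
        if (clientChain == null || clientChain.length == 0) throw new IllegalArgumentException("clientChain must not be empty");
        List<X509Certificate> pool = new ArrayList<>(List.of(clientChain)); // intermediates sent by the client
        pool.addAll(trustedCas);                                            // plus locally configured CAs
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate current = clientChain[0];
        while (current != null && !chain.contains(current)) {              // contains() guards against issuer loops
            chain.add(current);
            current = findSigningCert(current, pool);                       // null at a self-signed root or a gap
        }
        return chain; // complete only if the last entry is a self-signed CA, otherwise incomplete
    }
}
```

A chain whose last element is not self-signed is the "incomplete" case named in the buildCertChain return description: the issuer could not be matched among the supplied CA certificates.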