net.cnri.cert

Class CertUtil

java.lang.Object

net.cnri.cert.CertUtil

public class CertUtil
extends java.lang.Object

A utility class for an unused method of storing group membership certificates in handles. A handle a/b is a member of g/h if a/b has a handle value 10320/membercert.g/h with a signed X.509 V2 attribute certificate indicating group membership. Using such a handle type makes it simple to query a handle to check a particular message while staying within small UDP packets, even if a member is a member of many groups. Subgrouping intended to work similarly: g/h is a subgroup of x/y if g/h has a handle value of type 10320/membercert.x/y indicating "membership". (Perhaps better to separate membership and subgrouping?) In general to check membership requires creating chains of groups.

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	CertUtil.GroupChain A chain of subgroups, whose head is the super-most group.

Field Summary

Fields

Modifier and Type	Field and Description
static java.lang.String	GROUP_OID OID for the group membership attribute for X.509 V2 Attribute Certificates
static java.lang.String	MEMBER_CERT_TYPE_PREFIX Prefix of handle value types indicating group membership; append the group handle
static java.lang.String	SUBGROUP_CERT_TYPE_PREFIX Prefix of handle value types indicating subgrouping; append the supergroup handle

Constructor Summary

Constructors

Constructor and Description
CertUtil()

Method Summary

Methods

Modifier and Type	Method and Description
static java.util.List<CertUtil.GroupChain>	allGroups(net.handle.hdllib.HandleResolver resolver, java.lang.String memberHandle) Return all groups to which memberHandle belongs, together with their subgroup chains.
static java.util.List<CertUtil.GroupChain>	allGroups(net.handle.hdllib.HandleResolver resolver, java.lang.String memberHandle, java.util.List<java.lang.String> initialGroups) Return all groups to which memberHandle belongs via one of the initialGroups, together with their subgroup chains.
static boolean	checkGroupChain(net.handle.hdllib.HandleResolver resolver, java.lang.String memberHandle, CertUtil.GroupChain groups) Check whether memberHandle is a member of the groups in the subgroup chain groups, and that all certificates are signed and valid.
static boolean	checkGroupMembershipCertificate(byte[] encodedCert, java.lang.String memberHandle, java.lang.String groupHandle, java.util.List<java.security.PublicKey> pubKeys) Check to see if an encoded Attribute Certificate asserts that memberHandle is a member of groupHandle, and is signed by one of the input public keys
static java.security.cert.X509Certificate	createClientCert(net.handle.hdllib.Resolver resolver, java.lang.String individualID, java.security.PrivateKey privKey, java.security.PublicKey pubKey, int validDays) Generate an X509 certificate that can be used to
static byte[]	createGroupMembershipCertificate(java.math.BigInteger serialNumber, java.lang.String memberHandle, java.lang.String groupHandle, java.util.Date notBefore, java.util.Date notAfter, java.security.PublicKey pubKey, java.security.PrivateKey privKey) Create a group membership certificate and sign it with the input private key.
static void	main(java.lang.String[] args)
static boolean	matchHandle(java.security.Principal[] principals, java.lang.String handle) Check to see if any of the input principals is an X509 name whose UID matches the handle
static org.bouncycastle.jce.X509Principal	principalForHandle(java.lang.String handle) Convert a handle into an X509 principal (using the UID attribute)
static java.security.PublicKey[]	resolvePublicKeys(net.handle.hdllib.HandleResolver resolver, java.lang.String clientID) Securely resolve a public key for the given handle

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

GROUP_OID

public static final java.lang.String GROUP_OID

OID for the group membership attribute for X.509 V2 Attribute Certificates

See Also:

Constant Field Values

MEMBER_CERT_TYPE_PREFIX

public static final java.lang.String MEMBER_CERT_TYPE_PREFIX

Prefix of handle value types indicating group membership; append the group handle

See Also:

Constant Field Values

SUBGROUP_CERT_TYPE_PREFIX

public static final java.lang.String SUBGROUP_CERT_TYPE_PREFIX

Prefix of handle value types indicating subgrouping; append the supergroup handle

See Also:

Constant Field Values

Constructor Detail

CertUtil

public CertUtil()

Method Detail

principalForHandle

public static org.bouncycastle.jce.X509Principal principalForHandle(java.lang.String handle)

Convert a handle into an X509 principal (using the UID attribute)

matchHandle

public static boolean matchHandle(java.security.Principal[] principals,
                  java.lang.String handle)

Check to see if any of the input principals is an X509 name whose UID matches the handle

checkGroupMembershipCertificate

public static boolean checkGroupMembershipCertificate(byte[] encodedCert,
                                      java.lang.String memberHandle,
                                      java.lang.String groupHandle,
                                      java.util.List<java.security.PublicKey> pubKeys)

Check to see if an encoded Attribute Certificate asserts that memberHandle is a member of groupHandle, and is signed by one of the input public keys

createGroupMembershipCertificate

public static byte[] createGroupMembershipCertificate(java.math.BigInteger serialNumber,
                                      java.lang.String memberHandle,
                                      java.lang.String groupHandle,
                                      java.util.Date notBefore,
                                      java.util.Date notAfter,
                                      java.security.PublicKey pubKey,
                                      java.security.PrivateKey privKey)
                                               throws java.security.InvalidKeyException,
                                                      java.security.cert.CertificateEncodingException,
                                                      java.security.SignatureException

Create a group membership certificate and sign it with the input private key. The pubKey argument, if non-null, is hashed in the X.509 standard AuthorityKeyIdentifier extension.

Throws:

java.security.InvalidKeyException

java.security.cert.CertificateEncodingException

java.security.SignatureException

createClientCert

public static java.security.cert.X509Certificate createClientCert(net.handle.hdllib.Resolver resolver,
                                                  java.lang.String individualID,
                                                  java.security.PrivateKey privKey,
                                                  java.security.PublicKey pubKey,
                                                  int validDays)
                                                           throws java.lang.Exception

Generate an X509 certificate that can be used to

Throws:

java.lang.Exception

resolvePublicKeys

public static java.security.PublicKey[] resolvePublicKeys(net.handle.hdllib.HandleResolver resolver,
                                          java.lang.String clientID)

Securely resolve a public key for the given handle

allGroups

public static java.util.List<CertUtil.GroupChain> allGroups(net.handle.hdllib.HandleResolver resolver,
                                            java.lang.String memberHandle)

Return all groups to which memberHandle belongs, together with their subgroup chains.

allGroups

public static java.util.List<CertUtil.GroupChain> allGroups(net.handle.hdllib.HandleResolver resolver,
                                            java.lang.String memberHandle,
                                            java.util.List<java.lang.String> initialGroups)

Return all groups to which memberHandle belongs via one of the initialGroups, together with their subgroup chains.

checkGroupChain

public static boolean checkGroupChain(net.handle.hdllib.HandleResolver resolver,
                      java.lang.String memberHandle,
                      CertUtil.GroupChain groups)
                               throws net.handle.hdllib.HandleException

Check whether memberHandle is a member of the groups in the subgroup chain groups, and that all certificates are signed and valid.

Throws:

net.handle.hdllib.HandleException

main

public static void main(java.lang.String[] args)
                 throws java.lang.Exception

Throws:

java.lang.Exception