org.freshcookies.security.cert
Class Trustee

java.lang.Object
  extended by org.freshcookies.security.cert.Trustee

public class Trustee
extends java.lang.Object

Utility class that performs common certificate trust operations, such as writing to disk, updating the trust database and printing verbose certficate info.

This class requires privileges to run with a SecurityManager. At a mimumum, this ProtectionDomain and preceding callers must be granted the following permissions:

In addition, if the method saveCertificate(X509Certificate) is called, this ProtectionDomain and all preceding callers must also be granted these additional permissions:

The commit() method requires that this ProtectionDomain and all preceding callers be granted these additional permisions:

None of the methods in this class perform their actions inside doPrivileged blocks, so all SecurityException errors are propagated to callers.


Constructor Summary
Trustee()
          Constructs a new Trustee instance, and initializes the system certificate authority (CA) keystore and SSL trust manager.
 
Method Summary
 boolean commit()
          Writes the trust store to disk.
static java.lang.String getAlias(java.security.cert.X509Certificate cert)
          Calculates an alias for a certificate by trying the common name, organizational unit, DC and serial number in succession.
static java.lang.String getCertificateInfo(java.security.cert.X509Certificate cert)
          Returns a string containing verbose certificate information.
 void saveCertificate(java.security.cert.X509Certificate cert)
          Saves an X.509 certificate as a binary file in the current directory.
 boolean trustCACertificate(java.security.cert.X509Certificate cert)
           Adds a supplied CA certificate to the system certificate trust store as a "trusted CA certificate".
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

Trustee

public Trustee()
Constructs a new Trustee instance, and initializes the system certificate authority (CA) keystore and SSL trust manager.

Throws:
java.lang.SecurityException - when the SecurityManager is running, and the current policy does not grant this ProtectionDomain and preceding callers all of the following permissions:
  • java.util.PropertyPermission "javax.net.ssl.trustStore", "read"
  • java.util.PropertyPermission "java.home" "read"
  • java.io.FilePermission "${java.home}/lib/security/cacerts", "read"
Method Detail

getAlias

public static java.lang.String getAlias(java.security.cert.X509Certificate cert)
Calculates an alias for a certificate by trying the common name, organizational unit, DC and serial number in succession.

Parameters:
cert - the certificate
Returns:
the alias

getCertificateInfo

public static java.lang.String getCertificateInfo(java.security.cert.X509Certificate cert)
Returns a string containing verbose certificate information. The format is identical to that produced by the J2SE keytool program.

Parameters:
cert - the certificate to examine

trustCACertificate

public boolean trustCACertificate(java.security.cert.X509Certificate cert)
                           throws java.security.KeyStoreException

Adds a supplied CA certificate to the system certificate trust store as a "trusted CA certificate". This is equivalent to the following command-line action:

keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts -file certificate

Note: a useful argument for debugging is -Djavax.net.debug=all.

Parameters:
cert - the certificate to add to the trust store
Returns:
true if successfully added; false if not
Throws:
java.security.KeyStoreException - if the CA alias ould not be added to the trust store

commit

public boolean commit()
Writes the trust store to disk. The caller must have write access to the systemwide trust store.

Returns:
true if the commit succeeds; false if not
Throws:
java.lang.SecurityException - when the SecurityManager is running, and the current policy does not grant this ProtectionDomain and preceding callers all of the following permissions:
  • java.lang.RuntimePermission "writeFileDescriptor"
  • java.io.FilePermission "${java.home}/lib/security/cacerts", "write"

saveCertificate

public void saveCertificate(java.security.cert.X509Certificate cert)
                     throws java.io.IOException,
                            java.security.cert.CertificateEncodingException
Saves an X.509 certificate as a binary file in the current directory. The name of the file is calculated by taking the certificate's common name and appending the suffix .cer. This suffix is sufficiently cross-platform that Mac OS X and Windows users alike can simply double-click on the file to install it using the respective certificate management tool.

Parameters:
cert - the certificate to save
Throws:
java.io.IOException - if the file could not be written
java.security.cert.CertificateEncodingException - if the certificate could not be properly encoded
java.lang.SecurityException - when the SecurityManager is running, and the current policy does not grant this ProtectionDomain and preceding callers all of the following permissions:
  • java.lang.RuntimePermission "writeFileDescriptor"
  • java.io.FilePermission "${user.dir}/*.cer", "write"