jadex.commons.security

Class SSecurity

java.lang.Object

jadex.commons.security.SSecurity

public class SSecurity
extends java.lang.Object

Class with static helper methods for security functions.

Field Summary

Fields

Modifier and Type	Field and Description
protected static java.lang.String	DEFAULT_SIGNATURE_HASH Default hash used for signatures.
protected static boolean	ENTROPY_FALLBACK_WARNING_DONE Flag if the fallback warning has been issued before.
protected static IEntropySource	ENTROPY_SOURCE Entropy source for seeding CSPRNGS.
static boolean	PARANOID_PRNG Flag if the paranoid/hedged-mode PRNG should be used (much slower, but guarded against single-point failures).
protected static java.security.SecureRandom	SECURE_RANDOM Common secure random number source.
protected static boolean	TEST_ENTROPY_FALLBACK Enable this to test the seeding fallback, do not change, used by tests only.

Constructor Summary

Constructors

Constructor and Description
SSecurity()

Method Summary

Modifier and Type	Method and Description
protected static byte[]	asn1ToBytes(ASN1Object obj) Shorthand for converting ANS1Objects to bytes.
static boolean	checkEntity(X509CertificateHolder cert, java.lang.String entityname) Check whether a certificate belongs to an entity, either as common name or as alt name.
static Tuple2<java.lang.String,java.lang.String>	createCertificate(java.lang.String issuercert, java.lang.String issuerkey, java.lang.String subjectdn, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid) Generates a certificate that allows signing / authentication.
protected static Tuple2<java.lang.String,java.lang.String>	createCertificateBySpecification(java.lang.String issuercert, java.lang.String issuerkey, X500Name subject, java.lang.String sigalg, java.lang.String schemeconf, java.lang.String digalg, int strength, int daysvalid, Extension... extensions) Creates a certificate using the given specification.
static Tuple2<java.lang.String,java.lang.String>	createIntermediateCaCertificate(java.lang.String issuercert, java.lang.String issuerkey, java.lang.String subjectdn, int pathlen, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid) Generates a certificate for an intermediate CA.
protected static AsymmetricCipherKeyPair	createKeyPair(java.lang.String alg, java.lang.String algconf, int strength) Generate a key pair.
static Tuple2<java.lang.String,java.lang.String>	createRootCaCertificate(java.lang.String subjectdn, int pathlen, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid) Generates a certificate for a root CA.
static Tuple2<java.lang.String,java.lang.String>	createSelfSignedCertificate(java.lang.String subjectdn, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid) Generates a self-signed certificate that allows signing / authentication.
static PemKeyPair	createTestCACert() Creates a random CA certificate for testing.
static PemKeyPair	createTestCert(PemKeyPair ca) Creates a random certificate for testing.
protected static java.security.SecureRandom	generateParanoidSecureRandom() Generates a secure PRNG.
protected static java.security.SecureRandom	generateSecureRandom() Generates a fast secure PRNG.
static java.lang.String	getCertSigAlg(java.lang.String cert) Gets the signatures algorithm supported by the key provided by a certificate.
static java.lang.String	getCertSigAlg(X509CertificateHolder cert) Gets the signatures algorithm supported by the key provided by a certificate.
protected static CertPathValidation[]	getChainValidationRules() Gets the certificate chain validation rules.
static java.lang.String	getCommonName(X500Name name) Returns the subject ID of a certificate.
protected static ContentVerifier	getDefaultVerifier(X509CertificateHolder cert) Gets a verifier based on a certificate to identify the algorithm.
static IEntropySource	getEntropySource() Gets a secure entropy source from OS or otherwise.
static java.security.SecureRandom	getSecureRandom() Gets access to the common secure PRNG.
static java.lang.String	getSigAlg(SubjectPublicKeyInfo spki) Gets the signatures algorithm supported by the key.
protected static ContentSigner	getSigner(java.lang.String algospec, PrivateKeyInfo pki) Gets a signer based on a private key to identify the algorithm.
protected static ContentVerifierProvider	getVerifierProvider(java.lang.Object keyinfo) Gets a verifier provider based on a certificate to identify the algorithm.
static boolean	isCaCertificate(java.lang.String cert) Tests if a certificate is a CA certificate.
static java.util.List<X509CertificateHolder>	readCertificateChainFromPEM(java.lang.String pem) Reads a certificate chain.
static X509CertificateHolder	readCertificateFromPEM(java.lang.String pem) Read a certificate from a PEM-encoded string.
static PrivateKeyInfo	readPrivateKeyFromPEM(java.lang.String pem) Reads a private key from a PEM string.
static byte[]	signWithPEM(byte[] msghash, java.io.InputStream pemcert, java.io.InputStream pemkey) Sign using a PEM-encoded X.509 certificate/key.
static boolean	verifyWithPEM(byte[] msghash, byte[] token, java.lang.String signingcert, java.util.LinkedHashSet<X509CertificateHolder> trustchain) Verify using a PEM-encoded X.509 certificate/key.
static java.lang.String	writeCertificateAsPEM(X509CertificateHolder cert) Writes a certificate as PEM-encoded string.
static byte[]	xor(byte[] op1result, byte[] op2) XORs two byte arrays.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_SIGNATURE_HASH

protected static final java.lang.String DEFAULT_SIGNATURE_HASH

Default hash used for signatures.

See Also:

Constant Field Values

PARANOID_PRNG

public static boolean PARANOID_PRNG

Flag if the paranoid/hedged-mode PRNG should be used (much slower, but guarded against single-point failures).

SECURE_RANDOM

protected static volatile java.security.SecureRandom SECURE_RANDOM

Common secure random number source.

ENTROPY_SOURCE

protected static volatile IEntropySource ENTROPY_SOURCE

Entropy source for seeding CSPRNGS.

ENTROPY_FALLBACK_WARNING_DONE

protected static boolean ENTROPY_FALLBACK_WARNING_DONE

Flag if the fallback warning has been issued before.

TEST_ENTROPY_FALLBACK

protected static boolean TEST_ENTROPY_FALLBACK

Enable this to test the seeding fallback, do not change, used by tests only.

Constructor Detail

SSecurity

public SSecurity()

Method Detail

getSecureRandom

public static final java.security.SecureRandom getSecureRandom()

Gets access to the common secure PRNG.

Returns:

Common secure PRNG.

getEntropySource

public static IEntropySource getEntropySource()

Gets a secure entropy source from OS or otherwise.

Returns:

Secure entropy source.

signWithPEM

public static final byte[] signWithPEM(byte[] msghash,
                                       java.io.InputStream pemcert,
                                       java.io.InputStream pemkey)

Sign using a PEM-encoded X.509 certificate/key.

Parameters:

msghash - The message hash.

pemcert - The PEM certificate.

pemkey - The PEM key.

Returns:

Signature.

verifyWithPEM

public static final boolean verifyWithPEM(byte[] msghash,
                                          byte[] token,
                                          java.lang.String signingcert,
                                          java.util.LinkedHashSet<X509CertificateHolder> trustchain)

Verify using a PEM-encoded X.509 certificate/key.

Parameters:

msghash - The message hash.

token - The authentication token.

signingcert - The signing certificate.

trustedpemcert - The PEM certificate trust anchor.

Returns:

True, if the certificate chain and signature is valid.

createSelfSignedCertificate

public static final Tuple2<java.lang.String,java.lang.String> createSelfSignedCertificate(java.lang.String subjectdn,
                                                                                          java.lang.String scheme,
                                                                                          java.lang.String schemeconf,
                                                                                          java.lang.String hashalg,
                                                                                          int strength,
                                                                                          int daysvalid)

Generates a self-signed certificate that allows signing / authentication.

Parameters:

subjectdn - The CA subject identifier.

scheme - Signature scheme to use, e.g. RSA, DSA, ECDSA.

hashalg - Hash algorithm to use.

strength - Strength of the key.

daysvalid - Number of days valid.

Returns:

The certificate.

createCertificate

public static final Tuple2<java.lang.String,java.lang.String> createCertificate(java.lang.String issuercert,
                                                                                java.lang.String issuerkey,
                                                                                java.lang.String subjectdn,
                                                                                java.lang.String scheme,
                                                                                java.lang.String schemeconf,
                                                                                java.lang.String hashalg,
                                                                                int strength,
                                                                                int daysvalid)

Generates a certificate that allows signing / authentication.

Parameters:

issuercert - Certificate of the parent CA.

issuerkey - Key of the parent CA.

subjectdn - The CA subject identifier.

scheme - Signature scheme to use, e.g. RSA, DSA, ECDSA.

hashalg - Hash algorithm to use.

strength - Strength of the key.

daysvalid - Number of days valid.

Returns:

The certificate.

createIntermediateCaCertificate

public static final Tuple2<java.lang.String,java.lang.String> createIntermediateCaCertificate(java.lang.String issuercert,
                                                                                              java.lang.String issuerkey,
                                                                                              java.lang.String subjectdn,
                                                                                              int pathlen,
                                                                                              java.lang.String scheme,
                                                                                              java.lang.String schemeconf,
                                                                                              java.lang.String hashalg,
                                                                                              int strength,
                                                                                              int daysvalid)

Generates a certificate for an intermediate CA.

Parameters:

issuercert - Certificate of the parent CA.

issuerkey - Key of the parent CA.

subjectdn - The CA subject identifier.

pathlen - Allowed path length for the intermediate CA (0 = no intermediate CA certificate children).

scheme - Signature scheme to use, e.g. RSA, DSA, ECDSA.

hashalg - Hash algorithm to use.

strength - Strength of the key.

daysvalid - Number of days valid.

Returns:

The certificate.

createRootCaCertificate

public static final Tuple2<java.lang.String,java.lang.String> createRootCaCertificate(java.lang.String subjectdn,
                                                                                      int pathlen,
                                                                                      java.lang.String scheme,
                                                                                      java.lang.String schemeconf,
                                                                                      java.lang.String hashalg,
                                                                                      int strength,
                                                                                      int daysvalid)

Generates a certificate for a root CA.

Parameters:

subjectdn - The CA subject identifier.

scheme - Signature scheme to use, e.g. RSA, DSA, ECDSA.

hashalg - Hash algorithm to use.

strength - Strength of the key.

daysvalid - Number of days valid.

Returns:

The certificate.

createTestCACert

public static final PemKeyPair createTestCACert()

Creates a random CA certificate for testing.

createTestCert

public static final PemKeyPair createTestCert(PemKeyPair ca)

Creates a random certificate for testing.

xor

public static final byte[] xor(byte[] op1result,
                               byte[] op2)

XORs two byte arrays.

Parameters:

op1result - First array and output array.

op2 - Second array.

Returns:

Modified first array.

readCertificateFromPEM

public static final X509CertificateHolder readCertificateFromPEM(java.lang.String pem)

Read a certificate from a PEM-encoded string.

Parameters:

pem - The PEM-encoded string.

Returns:

The certificate.

readCertificateChainFromPEM

public static final java.util.List<X509CertificateHolder> readCertificateChainFromPEM(java.lang.String pem)

Reads a certificate chain.

Parameters:

pem - PEM of the chain.

Returns:

The chain, starting with the leaf.

getCommonName

public static java.lang.String getCommonName(X500Name name)

Returns the subject ID of a certificate.

Parameters:

cert - The certificate.

Returns:

The subject ID.

checkEntity

public static final boolean checkEntity(X509CertificateHolder cert,
                                        java.lang.String entityname)

Check whether a certificate belongs to an entity, either as common name or as alt name.

Parameters:

cert - The certificate.

entityname - The entity name.

Returns:

True, if the certificate belongs, false otherwise.

writeCertificateAsPEM

public static final java.lang.String writeCertificateAsPEM(X509CertificateHolder cert)

Writes a certificate as PEM-encoded string.

Parameters:

cert - The certificate.

Returns:

Encoded string.

readPrivateKeyFromPEM

public static final PrivateKeyInfo readPrivateKeyFromPEM(java.lang.String pem)

Reads a private key from a PEM string.

Parameters:

pem - The PEM-encoded string.

Returns:

The private key.

isCaCertificate

public static final boolean isCaCertificate(java.lang.String cert)

Tests if a certificate is a CA certificate.

Parameters:

cert - The certificate.

Returns:

True, if CA certificate.

getCertSigAlg

public static final java.lang.String getCertSigAlg(java.lang.String cert)

Gets the signatures algorithm supported by the key provided by a certificate.

Parameters:

cert - The certificate.

Returns:

The signature algorithm.

getCertSigAlg

public static final java.lang.String getCertSigAlg(X509CertificateHolder cert)

Gets the signatures algorithm supported by the key provided by a certificate.

Parameters:

cert - The certificate.

Returns:

The signature algorithm.

getSigAlg

public static final java.lang.String getSigAlg(SubjectPublicKeyInfo spki)

Gets the signatures algorithm supported by the key.

Parameters:

spki - The subject key info.

Returns:

The signature algorithm.

getChainValidationRules

protected static final CertPathValidation[] getChainValidationRules()

Gets the certificate chain validation rules.

Returns:

The rules.

generateSecureRandom

protected static final java.security.SecureRandom generateSecureRandom()

Generates a fast secure PRNG. The setup attempts to prepare a PRNG that is fast and secure.

Returns:

Secure PRNG.

generateParanoidSecureRandom

protected static final java.security.SecureRandom generateParanoidSecureRandom()

Generates a secure PRNG. The setup attempts to prepare a PRNG that avoids relying on a single approach.

Returns:

Secure PRNG.

createCertificateBySpecification

protected static final Tuple2<java.lang.String,java.lang.String> createCertificateBySpecification(java.lang.String issuercert,
                                                                                                  java.lang.String issuerkey,
                                                                                                  X500Name subject,
                                                                                                  java.lang.String sigalg,
                                                                                                  java.lang.String schemeconf,
                                                                                                  java.lang.String digalg,
                                                                                                  int strength,
                                                                                                  int daysvalid,
                                                                                                  Extension... extensions)

Creates a certificate using the given specification.

Parameters:

issuercert - Certificate of the issuer (CA).

issuerkey - Key of the issuer (CA).

subject - Subject of the certificate.

sigalg - Signature scheme / certificate key algorithm to use, e.g. RSA, DSA, ECDSA.

schemeconf - Additional scheme configuration, may be null.

digalg - Hash algorithm to use for certificate signature.

strength - Strength of the key.

daysvalid - Number of days valid.

extensions - Certificate extensions.

Returns:

Generated Certificate and private key as PEM-encoded strings.

createKeyPair

protected static final AsymmetricCipherKeyPair createKeyPair(java.lang.String alg,
                                                             java.lang.String algconf,
                                                             int strength)

Generate a key pair.

Parameters:

alg - Algorithm to use, e.g. RSA, DSA, ECDSA.

strength - Strength of the key pair.

Returns:

The generated key pair.

getSigner

protected static final ContentSigner getSigner(java.lang.String algospec,
                                               PrivateKeyInfo pki)

Gets a signer based on a private key to identify the algorithm.

Parameters:

pki - The private key.

Returns:

A content signer.

getDefaultVerifier

protected static final ContentVerifier getDefaultVerifier(X509CertificateHolder cert)

Gets a verifier based on a certificate to identify the algorithm.

Parameters:

cert - The certificate.

Returns:

A content verifier.

getVerifierProvider

protected static final ContentVerifierProvider getVerifierProvider(java.lang.Object keyinfo)

Gets a verifier provider based on a certificate to identify the algorithm.

Parameters:

keyinfo - The certificate or key info.

Returns:

The content verifier provider.

asn1ToBytes

protected static final byte[] asn1ToBytes(ASN1Object obj)

Shorthand for converting ANS1Objects to bytes.

Parameters:

obj - The object.

Returns:

Encoded bytes.