Class SSecurity


  • public class SSecurity
    extends java.lang.Object
    Class with static helper methods for security functions.
    • Field Summary

      Fields 
      Modifier and Type Field Description
      protected static java.lang.String DEFAULT_SIGNATURE_HASH
      Default hash used for signatures.
      protected static boolean ENTROPY_FALLBACK_WARNING_DONE
      Flag if the fallback warning has been issued before.
      protected static IEntropySource ENTROPY_SOURCE
      Entropy source for seeding CSPRNGS.
      static boolean PARANOID_PRNG
      Flag if the paranoid/hedged-mode PRNG should be used (much slower, but guarded against single-point failures).
      protected static int SCRYPT_N
      SCrypt work factor / hardness for password strengthening.
      protected static int SCRYPT_P
      SCrypt parallelization.
      protected static int SCRYPT_R
      SCrypt block size.
      protected static java.security.SecureRandom SECURE_RANDOM
      Common secure random number source.
      protected static boolean TEST_ENTROPY_FALLBACK
      Enable this to test the seeding fallback, do not change, used by tests only.
    • Constructor Summary

      Constructors 
      Constructor Description
      SSecurity()  
    • Method Summary

      All Methods Static Methods Concrete Methods 
      Modifier and Type Method Description
      protected static byte[] asn1ToBytes​(org.bouncycastle.asn1.ASN1Object obj)
      Shorthand for converting ANS1Objects to bytes.
      static boolean checkEntity​(org.bouncycastle.cert.X509CertificateHolder cert, java.lang.String entityname)
      Check whether a certificate belongs to an entity, either as common name or as alt name.
      static Tuple2<java.lang.String,​java.lang.String> createCertificate​(java.lang.String issuercert, java.lang.String issuerkey, java.lang.String subjectdn, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
      Generates a certificate that allows signing / authentication.
      protected static Tuple2<java.lang.String,​java.lang.String> createCertificateBySpecification​(java.lang.String issuercert, java.lang.String issuerkey, org.bouncycastle.asn1.x500.X500Name subject, java.lang.String sigalg, java.lang.String schemeconf, java.lang.String digalg, int strength, int daysvalid, org.bouncycastle.asn1.x509.Extension... extensions)
      Creates a certificate using the given specification.
      static Tuple2<java.lang.String,​java.lang.String> createIntermediateCaCertificate​(java.lang.String issuercert, java.lang.String issuerkey, java.lang.String subjectdn, int pathlen, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
      Generates a certificate for an intermediate CA.
      protected static org.bouncycastle.crypto.AsymmetricCipherKeyPair createKeyPair​(java.lang.String alg, java.lang.String algconf, int strength)
      Generate a key pair.
      static Tuple2<java.lang.String,​java.lang.String> createRootCaCertificate​(java.lang.String subjectdn, int pathlen, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
      Generates a certificate for a root CA.
      static Tuple2<java.lang.String,​java.lang.String> createSelfSignedCertificate​(java.lang.String subjectdn, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
      Generates a self-signed certificate that allows signing / authentication.
      static PemKeyPair createTestCACert()
      Creates a random CA certificate for testing.
      static PemKeyPair createTestCert​(PemKeyPair ca)
      Creates a random certificate for testing.
      static byte[] deriveKeyFromPassword​(java.lang.String pw, byte[] salt)
      Derive a key from a password via scrypt.
      protected static java.security.SecureRandom generateParanoidSecureRandom()
      Generates a secure PRNG.
      protected static java.security.SecureRandom generateSecureRandom()
      Generates a fast secure PRNG.
      static java.lang.String getCertSigAlg​(java.lang.String cert)
      Gets the signatures algorithm supported by the key provided by a certificate.
      static java.lang.String getCertSigAlg​(org.bouncycastle.cert.X509CertificateHolder cert)
      Gets the signatures algorithm supported by the key provided by a certificate.
      protected static org.bouncycastle.cert.path.CertPathValidation[] getChainValidationRules()
      Gets the certificate chain validation rules.
      static java.lang.String getCommonName​(org.bouncycastle.asn1.x500.X500Name name)
      Returns the subject ID of a certificate.
      protected static org.bouncycastle.operator.ContentVerifier getDefaultVerifier​(org.bouncycastle.cert.X509CertificateHolder cert)
      Gets a verifier based on a certificate to identify the algorithm.
      static IEntropySource getEntropySource()
      Gets a secure entropy source from OS or otherwise.
      static java.security.SecureRandom getSecureRandom()
      Gets access to the common secure PRNG.
      static java.lang.String getSigAlg​(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo spki)
      Gets the signatures algorithm supported by the key.
      protected static org.bouncycastle.operator.ContentSigner getSigner​(java.lang.String algospec, org.bouncycastle.asn1.pkcs.PrivateKeyInfo pki)
      Gets a signer based on a private key to identify the algorithm.
      protected static org.bouncycastle.operator.ContentVerifierProvider getVerifierProvider​(java.lang.Object keyinfo)
      Gets a verifier provider based on a certificate to identify the algorithm.
      static boolean isCaCertificate​(java.lang.String cert)
      Tests if a certificate is a CA certificate.
      static java.util.List<org.bouncycastle.cert.X509CertificateHolder> readCertificateChainFromPEM​(java.lang.String pem)
      Reads a certificate chain.
      static org.bouncycastle.cert.X509CertificateHolder readCertificateFromPEM​(java.lang.String pem)
      Read a certificate from a PEM-encoded string.
      static org.bouncycastle.asn1.pkcs.PrivateKeyInfo readPrivateKeyFromPEM​(java.lang.String pem)
      Reads a private key from a PEM string.
      static byte[] signWithPEM​(byte[] msghash, java.io.InputStream pemcert, java.io.InputStream pemkey)
      Sign using a PEM-encoded X.509 certificate/key.
      static boolean verifyWithPEM​(byte[] msghash, byte[] token, java.lang.String signingcert, java.util.LinkedHashSet<org.bouncycastle.cert.X509CertificateHolder> trustchain)
      Verify using a PEM-encoded X.509 certificate/key.
      static java.lang.String writeCertificateAsPEM​(org.bouncycastle.cert.X509CertificateHolder cert)
      Writes a certificate as PEM-encoded string.
      static byte[] xor​(byte[] op1result, byte[] op2)
      XORs two byte arrays.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • DEFAULT_SIGNATURE_HASH

        protected static final java.lang.String DEFAULT_SIGNATURE_HASH
        Default hash used for signatures.
        See Also:
        Constant Field Values
      • PARANOID_PRNG

        public static boolean PARANOID_PRNG
        Flag if the paranoid/hedged-mode PRNG should be used (much slower, but guarded against single-point failures).
      • SECURE_RANDOM

        protected static volatile java.security.SecureRandom SECURE_RANDOM
        Common secure random number source.
      • ENTROPY_SOURCE

        protected static volatile IEntropySource ENTROPY_SOURCE
        Entropy source for seeding CSPRNGS.
      • ENTROPY_FALLBACK_WARNING_DONE

        protected static boolean ENTROPY_FALLBACK_WARNING_DONE
        Flag if the fallback warning has been issued before.
      • TEST_ENTROPY_FALLBACK

        protected static boolean TEST_ENTROPY_FALLBACK
        Enable this to test the seeding fallback, do not change, used by tests only.
      • SCRYPT_N

        protected static final int SCRYPT_N
        SCrypt work factor / hardness for password strengthening.
        See Also:
        Constant Field Values
    • Constructor Detail

      • SSecurity

        public SSecurity()
    • Method Detail

      • getSecureRandom

        public static final java.security.SecureRandom getSecureRandom()
        Gets access to the common secure PRNG.
        Returns:
        Common secure PRNG.
      • getEntropySource

        public static IEntropySource getEntropySource()
        Gets a secure entropy source from OS or otherwise.
        Returns:
        Secure entropy source.
      • signWithPEM

        public static final byte[] signWithPEM​(byte[] msghash,
                                               java.io.InputStream pemcert,
                                               java.io.InputStream pemkey)
        Sign using a PEM-encoded X.509 certificate/key.
        Parameters:
        msghash - The message hash.
        pemcert - The PEM certificate.
        pemkey - The PEM key.
        Returns:
        Signature.
      • verifyWithPEM

        public static final boolean verifyWithPEM​(byte[] msghash,
                                                  byte[] token,
                                                  java.lang.String signingcert,
                                                  java.util.LinkedHashSet<org.bouncycastle.cert.X509CertificateHolder> trustchain)
        Verify using a PEM-encoded X.509 certificate/key.
        Parameters:
        msghash - The message hash.
        token - The authentication token.
        signingcert - The signing certificate.
        trustedpemcert - The PEM certificate trust anchor.
        Returns:
        True, if the certificate chain and signature is valid.
      • createSelfSignedCertificate

        public static final Tuple2<java.lang.String,​java.lang.String> createSelfSignedCertificate​(java.lang.String subjectdn,
                                                                                                        java.lang.String scheme,
                                                                                                        java.lang.String schemeconf,
                                                                                                        java.lang.String hashalg,
                                                                                                        int strength,
                                                                                                        int daysvalid)
        Generates a self-signed certificate that allows signing / authentication.
        Parameters:
        subjectdn - The CA subject identifier.
        scheme - Signature scheme to use, e.g. RSA, DSA, ECDSA.
        hashalg - Hash algorithm to use.
        strength - Strength of the key.
        daysvalid - Number of days valid.
        Returns:
        The certificate.
      • createCertificate

        public static final Tuple2<java.lang.String,​java.lang.String> createCertificate​(java.lang.String issuercert,
                                                                                              java.lang.String issuerkey,
                                                                                              java.lang.String subjectdn,
                                                                                              java.lang.String scheme,
                                                                                              java.lang.String schemeconf,
                                                                                              java.lang.String hashalg,
                                                                                              int strength,
                                                                                              int daysvalid)
        Generates a certificate that allows signing / authentication.
        Parameters:
        issuercert - Certificate of the parent CA.
        issuerkey - Key of the parent CA.
        subjectdn - The CA subject identifier.
        scheme - Signature scheme to use, e.g. RSA, DSA, ECDSA.
        hashalg - Hash algorithm to use.
        strength - Strength of the key.
        daysvalid - Number of days valid.
        Returns:
        The certificate.
      • createIntermediateCaCertificate

        public static final Tuple2<java.lang.String,​java.lang.String> createIntermediateCaCertificate​(java.lang.String issuercert,
                                                                                                            java.lang.String issuerkey,
                                                                                                            java.lang.String subjectdn,
                                                                                                            int pathlen,
                                                                                                            java.lang.String scheme,
                                                                                                            java.lang.String schemeconf,
                                                                                                            java.lang.String hashalg,
                                                                                                            int strength,
                                                                                                            int daysvalid)
        Generates a certificate for an intermediate CA.
        Parameters:
        issuercert - Certificate of the parent CA.
        issuerkey - Key of the parent CA.
        subjectdn - The CA subject identifier.
        pathlen - Allowed path length for the intermediate CA (0 = no intermediate CA certificate children).
        scheme - Signature scheme to use, e.g. RSA, DSA, ECDSA.
        hashalg - Hash algorithm to use.
        strength - Strength of the key.
        daysvalid - Number of days valid.
        Returns:
        The certificate.
      • createRootCaCertificate

        public static final Tuple2<java.lang.String,​java.lang.String> createRootCaCertificate​(java.lang.String subjectdn,
                                                                                                    int pathlen,
                                                                                                    java.lang.String scheme,
                                                                                                    java.lang.String schemeconf,
                                                                                                    java.lang.String hashalg,
                                                                                                    int strength,
                                                                                                    int daysvalid)
        Generates a certificate for a root CA.
        Parameters:
        subjectdn - The CA subject identifier.
        scheme - Signature scheme to use, e.g. RSA, DSA, ECDSA.
        hashalg - Hash algorithm to use.
        strength - Strength of the key.
        daysvalid - Number of days valid.
        Returns:
        The certificate.
      • createTestCACert

        public static final PemKeyPair createTestCACert()
        Creates a random CA certificate for testing.
      • createTestCert

        public static final PemKeyPair createTestCert​(PemKeyPair ca)
        Creates a random certificate for testing.
      • xor

        public static final byte[] xor​(byte[] op1result,
                                       byte[] op2)
        XORs two byte arrays.
        Parameters:
        op1result - First array and output array.
        op2 - Second array.
        Returns:
        Modified first array.
      • readCertificateFromPEM

        public static final org.bouncycastle.cert.X509CertificateHolder readCertificateFromPEM​(java.lang.String pem)
        Read a certificate from a PEM-encoded string.
        Parameters:
        pem - The PEM-encoded string.
        Returns:
        The certificate.
      • readCertificateChainFromPEM

        public static final java.util.List<org.bouncycastle.cert.X509CertificateHolder> readCertificateChainFromPEM​(java.lang.String pem)
        Reads a certificate chain.
        Parameters:
        pem - PEM of the chain.
        Returns:
        The chain, starting with the leaf.
      • getCommonName

        public static java.lang.String getCommonName​(org.bouncycastle.asn1.x500.X500Name name)
        Returns the subject ID of a certificate.
        Parameters:
        cert - The certificate.
        Returns:
        The subject ID.
      • checkEntity

        public static final boolean checkEntity​(org.bouncycastle.cert.X509CertificateHolder cert,
                                                java.lang.String entityname)
        Check whether a certificate belongs to an entity, either as common name or as alt name.
        Parameters:
        cert - The certificate.
        entityname - The entity name.
        Returns:
        True, if the certificate belongs, false otherwise.
      • writeCertificateAsPEM

        public static final java.lang.String writeCertificateAsPEM​(org.bouncycastle.cert.X509CertificateHolder cert)
        Writes a certificate as PEM-encoded string.
        Parameters:
        cert - The certificate.
        Returns:
        Encoded string.
      • readPrivateKeyFromPEM

        public static final org.bouncycastle.asn1.pkcs.PrivateKeyInfo readPrivateKeyFromPEM​(java.lang.String pem)
        Reads a private key from a PEM string.
        Parameters:
        pem - The PEM-encoded string.
        Returns:
        The private key.
      • isCaCertificate

        public static final boolean isCaCertificate​(java.lang.String cert)
        Tests if a certificate is a CA certificate.
        Parameters:
        cert - The certificate.
        Returns:
        True, if CA certificate.
      • getCertSigAlg

        public static final java.lang.String getCertSigAlg​(java.lang.String cert)
        Gets the signatures algorithm supported by the key provided by a certificate.
        Parameters:
        cert - The certificate.
        Returns:
        The signature algorithm.
      • getCertSigAlg

        public static final java.lang.String getCertSigAlg​(org.bouncycastle.cert.X509CertificateHolder cert)
        Gets the signatures algorithm supported by the key provided by a certificate.
        Parameters:
        cert - The certificate.
        Returns:
        The signature algorithm.
      • getSigAlg

        public static final java.lang.String getSigAlg​(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo spki)
        Gets the signatures algorithm supported by the key.
        Parameters:
        spki - The subject key info.
        Returns:
        The signature algorithm.
      • getChainValidationRules

        protected static final org.bouncycastle.cert.path.CertPathValidation[] getChainValidationRules()
        Gets the certificate chain validation rules.
        Returns:
        The rules.
      • generateSecureRandom

        protected static final java.security.SecureRandom generateSecureRandom()
        Generates a fast secure PRNG. The setup attempts to prepare a PRNG that is fast and secure.
        Returns:
        Secure PRNG.
      • generateParanoidSecureRandom

        protected static final java.security.SecureRandom generateParanoidSecureRandom()
        Generates a secure PRNG. The setup attempts to prepare a PRNG that avoids relying on a single approach.
        Returns:
        Secure PRNG.
      • createCertificateBySpecification

        protected static final Tuple2<java.lang.String,​java.lang.String> createCertificateBySpecification​(java.lang.String issuercert,
                                                                                                                java.lang.String issuerkey,
                                                                                                                org.bouncycastle.asn1.x500.X500Name subject,
                                                                                                                java.lang.String sigalg,
                                                                                                                java.lang.String schemeconf,
                                                                                                                java.lang.String digalg,
                                                                                                                int strength,
                                                                                                                int daysvalid,
                                                                                                                org.bouncycastle.asn1.x509.Extension... extensions)
        Creates a certificate using the given specification.
        Parameters:
        issuercert - Certificate of the issuer (CA).
        issuerkey - Key of the issuer (CA).
        subject - Subject of the certificate.
        sigalg - Signature scheme / certificate key algorithm to use, e.g. RSA, DSA, ECDSA.
        schemeconf - Additional scheme configuration, may be null.
        digalg - Hash algorithm to use for certificate signature.
        strength - Strength of the key.
        daysvalid - Number of days valid.
        extensions - Certificate extensions.
        Returns:
        Generated Certificate and private key as PEM-encoded strings.
      • createKeyPair

        protected static final org.bouncycastle.crypto.AsymmetricCipherKeyPair createKeyPair​(java.lang.String alg,
                                                                                             java.lang.String algconf,
                                                                                             int strength)
        Generate a key pair.
        Parameters:
        alg - Algorithm to use, e.g. RSA, DSA, ECDSA.
        strength - Strength of the key pair.
        Returns:
        The generated key pair.
      • getSigner

        protected static final org.bouncycastle.operator.ContentSigner getSigner​(java.lang.String algospec,
                                                                                 org.bouncycastle.asn1.pkcs.PrivateKeyInfo pki)
        Gets a signer based on a private key to identify the algorithm.
        Parameters:
        pki - The private key.
        Returns:
        A content signer.
      • getDefaultVerifier

        protected static final org.bouncycastle.operator.ContentVerifier getDefaultVerifier​(org.bouncycastle.cert.X509CertificateHolder cert)
        Gets a verifier based on a certificate to identify the algorithm.
        Parameters:
        cert - The certificate.
        Returns:
        A content verifier.
      • getVerifierProvider

        protected static final org.bouncycastle.operator.ContentVerifierProvider getVerifierProvider​(java.lang.Object keyinfo)
        Gets a verifier provider based on a certificate to identify the algorithm.
        Parameters:
        keyinfo - The certificate or key info.
        Returns:
        The content verifier provider.
      • asn1ToBytes

        protected static final byte[] asn1ToBytes​(org.bouncycastle.asn1.ASN1Object obj)
        Shorthand for converting ANS1Objects to bytes.
        Parameters:
        obj - The object.
        Returns:
        Encoded bytes.
      • deriveKeyFromPassword

        public static byte[] deriveKeyFromPassword​(java.lang.String pw,
                                                   byte[] salt)
        Derive a key from a password via scrypt.
        Parameters:
        pw - The password.
        salt - The salt.
        Returns:
        The key.