Package jadex.commons.security
Class SSecurity
- java.lang.Object
-
- jadex.commons.security.SSecurity
-
public class SSecurity extends java.lang.Object
Class with static helper methods for security functions.
-
-
Field Summary
Fields Modifier and Type Field Description protected static java.lang.String
DEFAULT_SIGNATURE_HASH
Default hash used for signatures.protected static boolean
ENTROPY_FALLBACK_WARNING_DONE
Flag if the fallback warning has been issued before.protected static IEntropySource
ENTROPY_SOURCE
Entropy source for seeding CSPRNGS.static boolean
PARANOID_PRNG
Flag if the paranoid/hedged-mode PRNG should be used (much slower, but guarded against single-point failures).protected static int
SCRYPT_N
SCrypt work factor / hardness for password strengthening.protected static int
SCRYPT_P
SCrypt parallelization.protected static int
SCRYPT_R
SCrypt block size.protected static java.security.SecureRandom
SECURE_RANDOM
Common secure random number source.protected static boolean
TEST_ENTROPY_FALLBACK
Enable this to test the seeding fallback, do not change, used by tests only.
-
Constructor Summary
Constructors Constructor Description SSecurity()
-
Method Summary
All Methods Static Methods Concrete Methods Modifier and Type Method Description protected static byte[]
asn1ToBytes(org.bouncycastle.asn1.ASN1Object obj)
Shorthand for converting ANS1Objects to bytes.static boolean
checkEntity(org.bouncycastle.cert.X509CertificateHolder cert, java.lang.String entityname)
Check whether a certificate belongs to an entity, either as common name or as alt name.static Tuple2<java.lang.String,java.lang.String>
createCertificate(java.lang.String issuercert, java.lang.String issuerkey, java.lang.String subjectdn, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
Generates a certificate that allows signing / authentication.protected static Tuple2<java.lang.String,java.lang.String>
createCertificateBySpecification(java.lang.String issuercert, java.lang.String issuerkey, org.bouncycastle.asn1.x500.X500Name subject, java.lang.String sigalg, java.lang.String schemeconf, java.lang.String digalg, int strength, int daysvalid, org.bouncycastle.asn1.x509.Extension... extensions)
Creates a certificate using the given specification.static Tuple2<java.lang.String,java.lang.String>
createIntermediateCaCertificate(java.lang.String issuercert, java.lang.String issuerkey, java.lang.String subjectdn, int pathlen, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
Generates a certificate for an intermediate CA.protected static org.bouncycastle.crypto.AsymmetricCipherKeyPair
createKeyPair(java.lang.String alg, java.lang.String algconf, int strength)
Generate a key pair.static Tuple2<java.lang.String,java.lang.String>
createRootCaCertificate(java.lang.String subjectdn, int pathlen, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
Generates a certificate for a root CA.static Tuple2<java.lang.String,java.lang.String>
createSelfSignedCertificate(java.lang.String subjectdn, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
Generates a self-signed certificate that allows signing / authentication.static PemKeyPair
createTestCACert()
Creates a random CA certificate for testing.static PemKeyPair
createTestCert(PemKeyPair ca)
Creates a random certificate for testing.static byte[]
deriveKeyFromPassword(java.lang.String pw, byte[] salt)
Derive a key from a password via scrypt.protected static java.security.SecureRandom
generateParanoidSecureRandom()
Generates a secure PRNG.protected static java.security.SecureRandom
generateSecureRandom()
Generates a fast secure PRNG.static java.lang.String
getCertSigAlg(java.lang.String cert)
Gets the signatures algorithm supported by the key provided by a certificate.static java.lang.String
getCertSigAlg(org.bouncycastle.cert.X509CertificateHolder cert)
Gets the signatures algorithm supported by the key provided by a certificate.protected static org.bouncycastle.cert.path.CertPathValidation[]
getChainValidationRules()
Gets the certificate chain validation rules.static java.lang.String
getCommonName(org.bouncycastle.asn1.x500.X500Name name)
Returns the subject ID of a certificate.protected static org.bouncycastle.operator.ContentVerifier
getDefaultVerifier(org.bouncycastle.cert.X509CertificateHolder cert)
Gets a verifier based on a certificate to identify the algorithm.static IEntropySource
getEntropySource()
Gets a secure entropy source from OS or otherwise.static java.security.SecureRandom
getSecureRandom()
Gets access to the common secure PRNG.static java.lang.String
getSigAlg(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo spki)
Gets the signatures algorithm supported by the key.protected static org.bouncycastle.operator.ContentSigner
getSigner(java.lang.String algospec, org.bouncycastle.asn1.pkcs.PrivateKeyInfo pki)
Gets a signer based on a private key to identify the algorithm.protected static org.bouncycastle.operator.ContentVerifierProvider
getVerifierProvider(java.lang.Object keyinfo)
Gets a verifier provider based on a certificate to identify the algorithm.static boolean
isCaCertificate(java.lang.String cert)
Tests if a certificate is a CA certificate.static java.util.List<org.bouncycastle.cert.X509CertificateHolder>
readCertificateChainFromPEM(java.lang.String pem)
Reads a certificate chain.static org.bouncycastle.cert.X509CertificateHolder
readCertificateFromPEM(java.lang.String pem)
Read a certificate from a PEM-encoded string.static org.bouncycastle.asn1.pkcs.PrivateKeyInfo
readPrivateKeyFromPEM(java.lang.String pem)
Reads a private key from a PEM string.static byte[]
signWithPEM(byte[] msghash, java.io.InputStream pemcert, java.io.InputStream pemkey)
Sign using a PEM-encoded X.509 certificate/key.static boolean
verifyWithPEM(byte[] msghash, byte[] token, java.lang.String signingcert, java.util.LinkedHashSet<org.bouncycastle.cert.X509CertificateHolder> trustchain)
Verify using a PEM-encoded X.509 certificate/key.static java.lang.String
writeCertificateAsPEM(org.bouncycastle.cert.X509CertificateHolder cert)
Writes a certificate as PEM-encoded string.static byte[]
xor(byte[] op1result, byte[] op2)
XORs two byte arrays.
-
-
-
Field Detail
-
DEFAULT_SIGNATURE_HASH
protected static final java.lang.String DEFAULT_SIGNATURE_HASH
Default hash used for signatures.- See Also:
- Constant Field Values
-
PARANOID_PRNG
public static boolean PARANOID_PRNG
Flag if the paranoid/hedged-mode PRNG should be used (much slower, but guarded against single-point failures).
-
SECURE_RANDOM
protected static volatile java.security.SecureRandom SECURE_RANDOM
Common secure random number source.
-
ENTROPY_SOURCE
protected static volatile IEntropySource ENTROPY_SOURCE
Entropy source for seeding CSPRNGS.
-
ENTROPY_FALLBACK_WARNING_DONE
protected static boolean ENTROPY_FALLBACK_WARNING_DONE
Flag if the fallback warning has been issued before.
-
TEST_ENTROPY_FALLBACK
protected static boolean TEST_ENTROPY_FALLBACK
Enable this to test the seeding fallback, do not change, used by tests only.
-
SCRYPT_N
protected static final int SCRYPT_N
SCrypt work factor / hardness for password strengthening.- See Also:
- Constant Field Values
-
SCRYPT_R
protected static final int SCRYPT_R
SCrypt block size.- See Also:
- Constant Field Values
-
SCRYPT_P
protected static final int SCRYPT_P
SCrypt parallelization.- See Also:
- Constant Field Values
-
-
Method Detail
-
getSecureRandom
public static final java.security.SecureRandom getSecureRandom()
Gets access to the common secure PRNG.- Returns:
- Common secure PRNG.
-
getEntropySource
public static IEntropySource getEntropySource()
Gets a secure entropy source from OS or otherwise.- Returns:
- Secure entropy source.
-
signWithPEM
public static final byte[] signWithPEM(byte[] msghash, java.io.InputStream pemcert, java.io.InputStream pemkey)
Sign using a PEM-encoded X.509 certificate/key.- Parameters:
msghash
- The message hash.pemcert
- The PEM certificate.pemkey
- The PEM key.- Returns:
- Signature.
-
verifyWithPEM
public static final boolean verifyWithPEM(byte[] msghash, byte[] token, java.lang.String signingcert, java.util.LinkedHashSet<org.bouncycastle.cert.X509CertificateHolder> trustchain)
Verify using a PEM-encoded X.509 certificate/key.- Parameters:
msghash
- The message hash.token
- The authentication token.signingcert
- The signing certificate.trustedpemcert
- The PEM certificate trust anchor.- Returns:
- True, if the certificate chain and signature is valid.
-
createSelfSignedCertificate
public static final Tuple2<java.lang.String,java.lang.String> createSelfSignedCertificate(java.lang.String subjectdn, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
Generates a self-signed certificate that allows signing / authentication.- Parameters:
subjectdn
- The CA subject identifier.scheme
- Signature scheme to use, e.g. RSA, DSA, ECDSA.hashalg
- Hash algorithm to use.strength
- Strength of the key.daysvalid
- Number of days valid.- Returns:
- The certificate.
-
createCertificate
public static final Tuple2<java.lang.String,java.lang.String> createCertificate(java.lang.String issuercert, java.lang.String issuerkey, java.lang.String subjectdn, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
Generates a certificate that allows signing / authentication.- Parameters:
issuercert
- Certificate of the parent CA.issuerkey
- Key of the parent CA.subjectdn
- The CA subject identifier.scheme
- Signature scheme to use, e.g. RSA, DSA, ECDSA.hashalg
- Hash algorithm to use.strength
- Strength of the key.daysvalid
- Number of days valid.- Returns:
- The certificate.
-
createIntermediateCaCertificate
public static final Tuple2<java.lang.String,java.lang.String> createIntermediateCaCertificate(java.lang.String issuercert, java.lang.String issuerkey, java.lang.String subjectdn, int pathlen, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
Generates a certificate for an intermediate CA.- Parameters:
issuercert
- Certificate of the parent CA.issuerkey
- Key of the parent CA.subjectdn
- The CA subject identifier.pathlen
- Allowed path length for the intermediate CA (0 = no intermediate CA certificate children).scheme
- Signature scheme to use, e.g. RSA, DSA, ECDSA.hashalg
- Hash algorithm to use.strength
- Strength of the key.daysvalid
- Number of days valid.- Returns:
- The certificate.
-
createRootCaCertificate
public static final Tuple2<java.lang.String,java.lang.String> createRootCaCertificate(java.lang.String subjectdn, int pathlen, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
Generates a certificate for a root CA.- Parameters:
subjectdn
- The CA subject identifier.scheme
- Signature scheme to use, e.g. RSA, DSA, ECDSA.hashalg
- Hash algorithm to use.strength
- Strength of the key.daysvalid
- Number of days valid.- Returns:
- The certificate.
-
createTestCACert
public static final PemKeyPair createTestCACert()
Creates a random CA certificate for testing.
-
createTestCert
public static final PemKeyPair createTestCert(PemKeyPair ca)
Creates a random certificate for testing.
-
xor
public static final byte[] xor(byte[] op1result, byte[] op2)
XORs two byte arrays.- Parameters:
op1result
- First array and output array.op2
- Second array.- Returns:
- Modified first array.
-
readCertificateFromPEM
public static final org.bouncycastle.cert.X509CertificateHolder readCertificateFromPEM(java.lang.String pem)
Read a certificate from a PEM-encoded string.- Parameters:
pem
- The PEM-encoded string.- Returns:
- The certificate.
-
readCertificateChainFromPEM
public static final java.util.List<org.bouncycastle.cert.X509CertificateHolder> readCertificateChainFromPEM(java.lang.String pem)
Reads a certificate chain.- Parameters:
pem
- PEM of the chain.- Returns:
- The chain, starting with the leaf.
-
getCommonName
public static java.lang.String getCommonName(org.bouncycastle.asn1.x500.X500Name name)
Returns the subject ID of a certificate.- Parameters:
cert
- The certificate.- Returns:
- The subject ID.
-
checkEntity
public static final boolean checkEntity(org.bouncycastle.cert.X509CertificateHolder cert, java.lang.String entityname)
Check whether a certificate belongs to an entity, either as common name or as alt name.- Parameters:
cert
- The certificate.entityname
- The entity name.- Returns:
- True, if the certificate belongs, false otherwise.
-
writeCertificateAsPEM
public static final java.lang.String writeCertificateAsPEM(org.bouncycastle.cert.X509CertificateHolder cert)
Writes a certificate as PEM-encoded string.- Parameters:
cert
- The certificate.- Returns:
- Encoded string.
-
readPrivateKeyFromPEM
public static final org.bouncycastle.asn1.pkcs.PrivateKeyInfo readPrivateKeyFromPEM(java.lang.String pem)
Reads a private key from a PEM string.- Parameters:
pem
- The PEM-encoded string.- Returns:
- The private key.
-
isCaCertificate
public static final boolean isCaCertificate(java.lang.String cert)
Tests if a certificate is a CA certificate.- Parameters:
cert
- The certificate.- Returns:
- True, if CA certificate.
-
getCertSigAlg
public static final java.lang.String getCertSigAlg(java.lang.String cert)
Gets the signatures algorithm supported by the key provided by a certificate.- Parameters:
cert
- The certificate.- Returns:
- The signature algorithm.
-
getCertSigAlg
public static final java.lang.String getCertSigAlg(org.bouncycastle.cert.X509CertificateHolder cert)
Gets the signatures algorithm supported by the key provided by a certificate.- Parameters:
cert
- The certificate.- Returns:
- The signature algorithm.
-
getSigAlg
public static final java.lang.String getSigAlg(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo spki)
Gets the signatures algorithm supported by the key.- Parameters:
spki
- The subject key info.- Returns:
- The signature algorithm.
-
getChainValidationRules
protected static final org.bouncycastle.cert.path.CertPathValidation[] getChainValidationRules()
Gets the certificate chain validation rules.- Returns:
- The rules.
-
generateSecureRandom
protected static final java.security.SecureRandom generateSecureRandom()
Generates a fast secure PRNG. The setup attempts to prepare a PRNG that is fast and secure.- Returns:
- Secure PRNG.
-
generateParanoidSecureRandom
protected static final java.security.SecureRandom generateParanoidSecureRandom()
Generates a secure PRNG. The setup attempts to prepare a PRNG that avoids relying on a single approach.- Returns:
- Secure PRNG.
-
createCertificateBySpecification
protected static final Tuple2<java.lang.String,java.lang.String> createCertificateBySpecification(java.lang.String issuercert, java.lang.String issuerkey, org.bouncycastle.asn1.x500.X500Name subject, java.lang.String sigalg, java.lang.String schemeconf, java.lang.String digalg, int strength, int daysvalid, org.bouncycastle.asn1.x509.Extension... extensions)
Creates a certificate using the given specification.- Parameters:
issuercert
- Certificate of the issuer (CA).issuerkey
- Key of the issuer (CA).subject
- Subject of the certificate.sigalg
- Signature scheme / certificate key algorithm to use, e.g. RSA, DSA, ECDSA.schemeconf
- Additional scheme configuration, may be null.digalg
- Hash algorithm to use for certificate signature.strength
- Strength of the key.daysvalid
- Number of days valid.extensions
- Certificate extensions.- Returns:
- Generated Certificate and private key as PEM-encoded strings.
-
createKeyPair
protected static final org.bouncycastle.crypto.AsymmetricCipherKeyPair createKeyPair(java.lang.String alg, java.lang.String algconf, int strength)
Generate a key pair.- Parameters:
alg
- Algorithm to use, e.g. RSA, DSA, ECDSA.strength
- Strength of the key pair.- Returns:
- The generated key pair.
-
getSigner
protected static final org.bouncycastle.operator.ContentSigner getSigner(java.lang.String algospec, org.bouncycastle.asn1.pkcs.PrivateKeyInfo pki)
Gets a signer based on a private key to identify the algorithm.- Parameters:
pki
- The private key.- Returns:
- A content signer.
-
getDefaultVerifier
protected static final org.bouncycastle.operator.ContentVerifier getDefaultVerifier(org.bouncycastle.cert.X509CertificateHolder cert)
Gets a verifier based on a certificate to identify the algorithm.- Parameters:
cert
- The certificate.- Returns:
- A content verifier.
-
getVerifierProvider
protected static final org.bouncycastle.operator.ContentVerifierProvider getVerifierProvider(java.lang.Object keyinfo)
Gets a verifier provider based on a certificate to identify the algorithm.- Parameters:
keyinfo
- The certificate or key info.- Returns:
- The content verifier provider.
-
asn1ToBytes
protected static final byte[] asn1ToBytes(org.bouncycastle.asn1.ASN1Object obj)
Shorthand for converting ANS1Objects to bytes.- Parameters:
obj
- The object.- Returns:
- Encoded bytes.
-
deriveKeyFromPassword
public static byte[] deriveKeyFromPassword(java.lang.String pw, byte[] salt)
Derive a key from a password via scrypt.- Parameters:
pw
- The password.salt
- The salt.- Returns:
- The key.
-
-