Package jadex.commons.security
Class SSecurity
- java.lang.Object
-
- jadex.commons.security.SSecurity
-
public class SSecurity extends java.lang.ObjectClass with static helper methods for security functions.
-
-
Field Summary
Fields Modifier and Type Field Description protected static java.lang.StringDEFAULT_SIGNATURE_HASHDefault hash used for signatures.protected static booleanENTROPY_FALLBACK_WARNING_DONEFlag if the fallback warning has been issued before.protected static IEntropySourceENTROPY_SOURCEEntropy source for seeding CSPRNGS.static booleanPARANOID_PRNGFlag if the paranoid/hedged-mode PRNG should be used (much slower, but guarded against single-point failures).protected static intSCRYPT_NSCrypt work factor / hardness for password strengthening.protected static intSCRYPT_PSCrypt parallelization.protected static intSCRYPT_RSCrypt block size.protected static java.security.SecureRandomSECURE_RANDOMCommon secure random number source.protected static booleanTEST_ENTROPY_FALLBACKEnable this to test the seeding fallback, do not change, used by tests only.
-
Constructor Summary
Constructors Constructor Description SSecurity()
-
Method Summary
All Methods Static Methods Concrete Methods Modifier and Type Method Description protected static byte[]asn1ToBytes(org.bouncycastle.asn1.ASN1Object obj)Shorthand for converting ANS1Objects to bytes.static booleancheckEntity(org.bouncycastle.cert.X509CertificateHolder cert, java.lang.String entityname)Check whether a certificate belongs to an entity, either as common name or as alt name.static Tuple2<java.lang.String,java.lang.String>createCertificate(java.lang.String issuercert, java.lang.String issuerkey, java.lang.String subjectdn, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)Generates a certificate that allows signing / authentication.protected static Tuple2<java.lang.String,java.lang.String>createCertificateBySpecification(java.lang.String issuercert, java.lang.String issuerkey, org.bouncycastle.asn1.x500.X500Name subject, java.lang.String sigalg, java.lang.String schemeconf, java.lang.String digalg, int strength, int daysvalid, org.bouncycastle.asn1.x509.Extension... extensions)Creates a certificate using the given specification.static Tuple2<java.lang.String,java.lang.String>createIntermediateCaCertificate(java.lang.String issuercert, java.lang.String issuerkey, java.lang.String subjectdn, int pathlen, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)Generates a certificate for an intermediate CA.protected static org.bouncycastle.crypto.AsymmetricCipherKeyPaircreateKeyPair(java.lang.String alg, java.lang.String algconf, int strength)Generate a key pair.static Tuple2<java.lang.String,java.lang.String>createRootCaCertificate(java.lang.String subjectdn, int pathlen, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)Generates a certificate for a root CA.static Tuple2<java.lang.String,java.lang.String>createSelfSignedCertificate(java.lang.String subjectdn, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)Generates a self-signed certificate that allows signing / authentication.static PemKeyPaircreateTestCACert()Creates a random CA certificate for testing.static PemKeyPaircreateTestCert(PemKeyPair ca)Creates a random certificate for testing.static byte[]deriveKeyFromPassword(java.lang.String pw, byte[] salt)Derive a key from a password via scrypt.protected static java.security.SecureRandomgenerateParanoidSecureRandom()Generates a secure PRNG.protected static java.security.SecureRandomgenerateSecureRandom()Generates a fast secure PRNG.static java.lang.StringgetCertSigAlg(java.lang.String cert)Gets the signatures algorithm supported by the key provided by a certificate.static java.lang.StringgetCertSigAlg(org.bouncycastle.cert.X509CertificateHolder cert)Gets the signatures algorithm supported by the key provided by a certificate.protected static org.bouncycastle.cert.path.CertPathValidation[]getChainValidationRules()Gets the certificate chain validation rules.static java.lang.StringgetCommonName(org.bouncycastle.asn1.x500.X500Name name)Returns the subject ID of a certificate.protected static org.bouncycastle.operator.ContentVerifiergetDefaultVerifier(org.bouncycastle.cert.X509CertificateHolder cert)Gets a verifier based on a certificate to identify the algorithm.static IEntropySourcegetEntropySource()Gets a secure entropy source from OS or otherwise.static java.security.SecureRandomgetSecureRandom()Gets access to the common secure PRNG.static java.lang.StringgetSigAlg(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo spki)Gets the signatures algorithm supported by the key.protected static org.bouncycastle.operator.ContentSignergetSigner(java.lang.String algospec, org.bouncycastle.asn1.pkcs.PrivateKeyInfo pki)Gets a signer based on a private key to identify the algorithm.protected static org.bouncycastle.operator.ContentVerifierProvidergetVerifierProvider(java.lang.Object keyinfo)Gets a verifier provider based on a certificate to identify the algorithm.static booleanisCaCertificate(java.lang.String cert)Tests if a certificate is a CA certificate.static java.util.List<org.bouncycastle.cert.X509CertificateHolder>readCertificateChainFromPEM(java.lang.String pem)Reads a certificate chain.static org.bouncycastle.cert.X509CertificateHolderreadCertificateFromPEM(java.lang.String pem)Read a certificate from a PEM-encoded string.static org.bouncycastle.asn1.pkcs.PrivateKeyInforeadPrivateKeyFromPEM(java.lang.String pem)Reads a private key from a PEM string.static byte[]signWithPEM(byte[] msghash, java.io.InputStream pemcert, java.io.InputStream pemkey)Sign using a PEM-encoded X.509 certificate/key.static booleanverifyWithPEM(byte[] msghash, byte[] token, java.lang.String signingcert, java.util.LinkedHashSet<org.bouncycastle.cert.X509CertificateHolder> trustchain)Verify using a PEM-encoded X.509 certificate/key.static java.lang.StringwriteCertificateAsPEM(org.bouncycastle.cert.X509CertificateHolder cert)Writes a certificate as PEM-encoded string.static byte[]xor(byte[] op1result, byte[] op2)XORs two byte arrays.
-
-
-
Field Detail
-
DEFAULT_SIGNATURE_HASH
protected static final java.lang.String DEFAULT_SIGNATURE_HASH
Default hash used for signatures.- See Also:
- Constant Field Values
-
PARANOID_PRNG
public static boolean PARANOID_PRNG
Flag if the paranoid/hedged-mode PRNG should be used (much slower, but guarded against single-point failures).
-
SECURE_RANDOM
protected static volatile java.security.SecureRandom SECURE_RANDOM
Common secure random number source.
-
ENTROPY_SOURCE
protected static volatile IEntropySource ENTROPY_SOURCE
Entropy source for seeding CSPRNGS.
-
ENTROPY_FALLBACK_WARNING_DONE
protected static boolean ENTROPY_FALLBACK_WARNING_DONE
Flag if the fallback warning has been issued before.
-
TEST_ENTROPY_FALLBACK
protected static boolean TEST_ENTROPY_FALLBACK
Enable this to test the seeding fallback, do not change, used by tests only.
-
SCRYPT_N
protected static final int SCRYPT_N
SCrypt work factor / hardness for password strengthening.- See Also:
- Constant Field Values
-
SCRYPT_R
protected static final int SCRYPT_R
SCrypt block size.- See Also:
- Constant Field Values
-
SCRYPT_P
protected static final int SCRYPT_P
SCrypt parallelization.- See Also:
- Constant Field Values
-
-
Method Detail
-
getSecureRandom
public static final java.security.SecureRandom getSecureRandom()
Gets access to the common secure PRNG.- Returns:
- Common secure PRNG.
-
getEntropySource
public static IEntropySource getEntropySource()
Gets a secure entropy source from OS or otherwise.- Returns:
- Secure entropy source.
-
signWithPEM
public static final byte[] signWithPEM(byte[] msghash, java.io.InputStream pemcert, java.io.InputStream pemkey)Sign using a PEM-encoded X.509 certificate/key.- Parameters:
msghash- The message hash.pemcert- The PEM certificate.pemkey- The PEM key.- Returns:
- Signature.
-
verifyWithPEM
public static final boolean verifyWithPEM(byte[] msghash, byte[] token, java.lang.String signingcert, java.util.LinkedHashSet<org.bouncycastle.cert.X509CertificateHolder> trustchain)Verify using a PEM-encoded X.509 certificate/key.- Parameters:
msghash- The message hash.token- The authentication token.signingcert- The signing certificate.trustedpemcert- The PEM certificate trust anchor.- Returns:
- True, if the certificate chain and signature is valid.
-
createSelfSignedCertificate
public static final Tuple2<java.lang.String,java.lang.String> createSelfSignedCertificate(java.lang.String subjectdn, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
Generates a self-signed certificate that allows signing / authentication.- Parameters:
subjectdn- The CA subject identifier.scheme- Signature scheme to use, e.g. RSA, DSA, ECDSA.hashalg- Hash algorithm to use.strength- Strength of the key.daysvalid- Number of days valid.- Returns:
- The certificate.
-
createCertificate
public static final Tuple2<java.lang.String,java.lang.String> createCertificate(java.lang.String issuercert, java.lang.String issuerkey, java.lang.String subjectdn, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
Generates a certificate that allows signing / authentication.- Parameters:
issuercert- Certificate of the parent CA.issuerkey- Key of the parent CA.subjectdn- The CA subject identifier.scheme- Signature scheme to use, e.g. RSA, DSA, ECDSA.hashalg- Hash algorithm to use.strength- Strength of the key.daysvalid- Number of days valid.- Returns:
- The certificate.
-
createIntermediateCaCertificate
public static final Tuple2<java.lang.String,java.lang.String> createIntermediateCaCertificate(java.lang.String issuercert, java.lang.String issuerkey, java.lang.String subjectdn, int pathlen, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
Generates a certificate for an intermediate CA.- Parameters:
issuercert- Certificate of the parent CA.issuerkey- Key of the parent CA.subjectdn- The CA subject identifier.pathlen- Allowed path length for the intermediate CA (0 = no intermediate CA certificate children).scheme- Signature scheme to use, e.g. RSA, DSA, ECDSA.hashalg- Hash algorithm to use.strength- Strength of the key.daysvalid- Number of days valid.- Returns:
- The certificate.
-
createRootCaCertificate
public static final Tuple2<java.lang.String,java.lang.String> createRootCaCertificate(java.lang.String subjectdn, int pathlen, java.lang.String scheme, java.lang.String schemeconf, java.lang.String hashalg, int strength, int daysvalid)
Generates a certificate for a root CA.- Parameters:
subjectdn- The CA subject identifier.scheme- Signature scheme to use, e.g. RSA, DSA, ECDSA.hashalg- Hash algorithm to use.strength- Strength of the key.daysvalid- Number of days valid.- Returns:
- The certificate.
-
createTestCACert
public static final PemKeyPair createTestCACert()
Creates a random CA certificate for testing.
-
createTestCert
public static final PemKeyPair createTestCert(PemKeyPair ca)
Creates a random certificate for testing.
-
xor
public static final byte[] xor(byte[] op1result, byte[] op2)XORs two byte arrays.- Parameters:
op1result- First array and output array.op2- Second array.- Returns:
- Modified first array.
-
readCertificateFromPEM
public static final org.bouncycastle.cert.X509CertificateHolder readCertificateFromPEM(java.lang.String pem)
Read a certificate from a PEM-encoded string.- Parameters:
pem- The PEM-encoded string.- Returns:
- The certificate.
-
readCertificateChainFromPEM
public static final java.util.List<org.bouncycastle.cert.X509CertificateHolder> readCertificateChainFromPEM(java.lang.String pem)
Reads a certificate chain.- Parameters:
pem- PEM of the chain.- Returns:
- The chain, starting with the leaf.
-
getCommonName
public static java.lang.String getCommonName(org.bouncycastle.asn1.x500.X500Name name)
Returns the subject ID of a certificate.- Parameters:
cert- The certificate.- Returns:
- The subject ID.
-
checkEntity
public static final boolean checkEntity(org.bouncycastle.cert.X509CertificateHolder cert, java.lang.String entityname)Check whether a certificate belongs to an entity, either as common name or as alt name.- Parameters:
cert- The certificate.entityname- The entity name.- Returns:
- True, if the certificate belongs, false otherwise.
-
writeCertificateAsPEM
public static final java.lang.String writeCertificateAsPEM(org.bouncycastle.cert.X509CertificateHolder cert)
Writes a certificate as PEM-encoded string.- Parameters:
cert- The certificate.- Returns:
- Encoded string.
-
readPrivateKeyFromPEM
public static final org.bouncycastle.asn1.pkcs.PrivateKeyInfo readPrivateKeyFromPEM(java.lang.String pem)
Reads a private key from a PEM string.- Parameters:
pem- The PEM-encoded string.- Returns:
- The private key.
-
isCaCertificate
public static final boolean isCaCertificate(java.lang.String cert)
Tests if a certificate is a CA certificate.- Parameters:
cert- The certificate.- Returns:
- True, if CA certificate.
-
getCertSigAlg
public static final java.lang.String getCertSigAlg(java.lang.String cert)
Gets the signatures algorithm supported by the key provided by a certificate.- Parameters:
cert- The certificate.- Returns:
- The signature algorithm.
-
getCertSigAlg
public static final java.lang.String getCertSigAlg(org.bouncycastle.cert.X509CertificateHolder cert)
Gets the signatures algorithm supported by the key provided by a certificate.- Parameters:
cert- The certificate.- Returns:
- The signature algorithm.
-
getSigAlg
public static final java.lang.String getSigAlg(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo spki)
Gets the signatures algorithm supported by the key.- Parameters:
spki- The subject key info.- Returns:
- The signature algorithm.
-
getChainValidationRules
protected static final org.bouncycastle.cert.path.CertPathValidation[] getChainValidationRules()
Gets the certificate chain validation rules.- Returns:
- The rules.
-
generateSecureRandom
protected static final java.security.SecureRandom generateSecureRandom()
Generates a fast secure PRNG. The setup attempts to prepare a PRNG that is fast and secure.- Returns:
- Secure PRNG.
-
generateParanoidSecureRandom
protected static final java.security.SecureRandom generateParanoidSecureRandom()
Generates a secure PRNG. The setup attempts to prepare a PRNG that avoids relying on a single approach.- Returns:
- Secure PRNG.
-
createCertificateBySpecification
protected static final Tuple2<java.lang.String,java.lang.String> createCertificateBySpecification(java.lang.String issuercert, java.lang.String issuerkey, org.bouncycastle.asn1.x500.X500Name subject, java.lang.String sigalg, java.lang.String schemeconf, java.lang.String digalg, int strength, int daysvalid, org.bouncycastle.asn1.x509.Extension... extensions)
Creates a certificate using the given specification.- Parameters:
issuercert- Certificate of the issuer (CA).issuerkey- Key of the issuer (CA).subject- Subject of the certificate.sigalg- Signature scheme / certificate key algorithm to use, e.g. RSA, DSA, ECDSA.schemeconf- Additional scheme configuration, may be null.digalg- Hash algorithm to use for certificate signature.strength- Strength of the key.daysvalid- Number of days valid.extensions- Certificate extensions.- Returns:
- Generated Certificate and private key as PEM-encoded strings.
-
createKeyPair
protected static final org.bouncycastle.crypto.AsymmetricCipherKeyPair createKeyPair(java.lang.String alg, java.lang.String algconf, int strength)Generate a key pair.- Parameters:
alg- Algorithm to use, e.g. RSA, DSA, ECDSA.strength- Strength of the key pair.- Returns:
- The generated key pair.
-
getSigner
protected static final org.bouncycastle.operator.ContentSigner getSigner(java.lang.String algospec, org.bouncycastle.asn1.pkcs.PrivateKeyInfo pki)Gets a signer based on a private key to identify the algorithm.- Parameters:
pki- The private key.- Returns:
- A content signer.
-
getDefaultVerifier
protected static final org.bouncycastle.operator.ContentVerifier getDefaultVerifier(org.bouncycastle.cert.X509CertificateHolder cert)
Gets a verifier based on a certificate to identify the algorithm.- Parameters:
cert- The certificate.- Returns:
- A content verifier.
-
getVerifierProvider
protected static final org.bouncycastle.operator.ContentVerifierProvider getVerifierProvider(java.lang.Object keyinfo)
Gets a verifier provider based on a certificate to identify the algorithm.- Parameters:
keyinfo- The certificate or key info.- Returns:
- The content verifier provider.
-
asn1ToBytes
protected static final byte[] asn1ToBytes(org.bouncycastle.asn1.ASN1Object obj)
Shorthand for converting ANS1Objects to bytes.- Parameters:
obj- The object.- Returns:
- Encoded bytes.
-
deriveKeyFromPassword
public static byte[] deriveKeyFromPassword(java.lang.String pw, byte[] salt)Derive a key from a password via scrypt.- Parameters:
pw- The password.salt- The salt.- Returns:
- The key.
-
-