Class SSecurity

java.lang.Object
jadex.ipc.impl.security.SSecurity

public class SSecurity extends Object
Class with static helper methods for security functions.
  • Field Details

    • ARGON_MEM

      public static final int ARGON_MEM
      Argon2 memory size in KiB.
      See Also:
    • ARGON_IT

      public static final int ARGON_IT
      Argon2 iterations.
      See Also:
    • DEFAULT_SIGNATURE_HASH

      protected static final String DEFAULT_SIGNATURE_HASH
      Default hash used for signatures.
      See Also:
    • PARANOID_PRNG

      public static boolean PARANOID_PRNG
      Flag if the paranoid/hedged-mode PRNG should be used (much slower, but guarded against single-point failures).
    • SECURE_RANDOM

      protected static volatile SecureRandom SECURE_RANDOM
      Common secure random number source.
    • ENTROPY_SOURCE

      protected static volatile IEntropySource ENTROPY_SOURCE
      Entropy source for seeding CSPRNGS.
    • ENTROPY_FALLBACK_WARNING_DONE

      protected static boolean ENTROPY_FALLBACK_WARNING_DONE
      Flag if the fallback warning has been issued before.
    • TEST_ENTROPY_FALLBACK

      protected static boolean TEST_ENTROPY_FALLBACK
      Enable this to test the seeding fallback, do not change, used by tests only.
  • Constructor Details

    • SSecurity

      public SSecurity()
  • Method Details

    • getSecureRandom

      public static final SecureRandom getSecureRandom()
      Gets access to the common secure PRNG.
      Returns:
      Common secure PRNG.
    • getEntropySource

      public static IEntropySource getEntropySource()
      Gets a secure entropy source from OS or otherwise.
      Returns:
      Secure entropy source.
    • signWithPEM

      public static final byte[] signWithPEM(byte[] msghash, InputStream pemcert, InputStream pemkey)
      Sign using a PEM-encoded X.509 certificate/key.
      Parameters:
      msghash - The message hash.
      pemcert - The PEM certificate.
      pemkey - The PEM key.
      Returns:
      Signature.
    • verifyWithPEM

      public static final boolean verifyWithPEM(byte[] msghash, byte[] token, String signingcert, LinkedHashSet<org.bouncycastle.cert.X509CertificateHolder> trustchain)
      Verify using a PEM-encoded X.509 certificate/key.
      Parameters:
      msghash - The message hash.
      token - The authentication token.
      signingcert - The signing certificate.
      trustedpemcert - The PEM certificate trust anchor.
      Returns:
      True, if the certificate chain and signature is valid.
    • createSelfSignedCertificate

      public static final jadex.common.Tuple2<String,String> createSelfSignedCertificate(String subjectdn, String scheme, String schemeconf, String hashalg, int strength, int daysvalid)
      Generates a self-signed certificate that allows signing / authentication.
      Parameters:
      subjectdn - The CA subject identifier.
      scheme - Signature scheme to use, e.g. RSA, DSA, ECDSA.
      hashalg - Hash algorithm to use.
      strength - Strength of the key.
      daysvalid - Number of days valid.
      Returns:
      The certificate.
    • createCertificate

      public static final jadex.common.Tuple2<String,String> createCertificate(String issuercert, String issuerkey, String subjectdn, String scheme, String schemeconf, String hashalg, int strength, int daysvalid)
      Generates a certificate that allows signing / authentication.
      Parameters:
      issuercert - Certificate of the parent CA.
      issuerkey - Key of the parent CA.
      subjectdn - The CA subject identifier.
      scheme - Signature scheme to use, e.g. RSA, DSA, ECDSA.
      hashalg - Hash algorithm to use.
      strength - Strength of the key.
      daysvalid - Number of days valid.
      Returns:
      The certificate.
    • createIntermediateCaCertificate

      public static final jadex.common.Tuple2<String,String> createIntermediateCaCertificate(String issuercert, String issuerkey, String subjectdn, int pathlen, String scheme, String schemeconf, String hashalg, int strength, int daysvalid)
      Generates a certificate for an intermediate CA.
      Parameters:
      issuercert - Certificate of the parent CA.
      issuerkey - Key of the parent CA.
      subjectdn - The CA subject identifier.
      pathlen - Allowed path length for the intermediate CA (0 = no intermediate CA certificate children).
      scheme - Signature scheme to use, e.g. RSA, DSA, ECDSA.
      hashalg - Hash algorithm to use.
      strength - Strength of the key.
      daysvalid - Number of days valid.
      Returns:
      The certificate.
    • createRootCaCertificate

      public static final jadex.common.Tuple2<String,String> createRootCaCertificate(String subjectdn, int pathlen, String scheme, String schemeconf, String hashalg, int strength, int daysvalid)
      Generates a certificate for a root CA.
      Parameters:
      subjectdn - The CA subject identifier.
      scheme - Signature scheme to use, e.g. RSA, DSA, ECDSA.
      hashalg - Hash algorithm to use.
      strength - Strength of the key.
      daysvalid - Number of days valid.
      Returns:
      The certificate.
    • createTestCACert

      public static final PemKeyPair createTestCACert()
      Creates a random CA certificate for testing.
    • createTestCert

      public static final PemKeyPair createTestCert(PemKeyPair ca)
      Creates a random certificate for testing.
    • xor

      public static final byte[] xor(byte[] op1result, byte[] op2)
      XORs two byte arrays.
      Parameters:
      op1result - First array and output array.
      op2 - Second array.
      Returns:
      Modified first array.
    • readCertificateFromPEM

      public static final org.bouncycastle.cert.X509CertificateHolder readCertificateFromPEM(String pem)
      Read a certificate from a PEM-encoded string.
      Parameters:
      pem - The PEM-encoded string.
      Returns:
      The certificate.
    • readCertificateChainFromPEM

      public static final List<org.bouncycastle.cert.X509CertificateHolder> readCertificateChainFromPEM(String pem)
      Reads a certificate chain.
      Parameters:
      pem - PEM of the chain.
      Returns:
      The chain, starting with the leaf.
    • getCommonName

      public static String getCommonName(org.bouncycastle.asn1.x500.X500Name name)
      Returns the subject ID of a certificate.
      Parameters:
      cert - The certificate.
      Returns:
      The subject ID.
    • checkEntity

      public static final boolean checkEntity(org.bouncycastle.cert.X509CertificateHolder cert, String entityname)
      Check whether a certificate belongs to an entity, either as common name or as alt name.
      Parameters:
      cert - The certificate.
      entityname - The entity name.
      Returns:
      True, if the certificate belongs, false otherwise.
    • writeCertificateAsPEM

      public static final String writeCertificateAsPEM(org.bouncycastle.cert.X509CertificateHolder cert)
      Writes a certificate as PEM-encoded string.
      Parameters:
      cert - The certificate.
      Returns:
      Encoded string.
    • readPrivateKeyFromPEM

      public static final org.bouncycastle.asn1.pkcs.PrivateKeyInfo readPrivateKeyFromPEM(String pem)
      Reads a private key from a PEM string.
      Parameters:
      pem - The PEM-encoded string.
      Returns:
      The private key.
    • isCaCertificate

      public static final boolean isCaCertificate(String cert)
      Tests if a certificate is a CA certificate.
      Parameters:
      cert - The certificate.
      Returns:
      True, if CA certificate.
    • getCertSigAlg

      public static final String getCertSigAlg(String cert)
      Gets the signatures algorithm supported by the key provided by a certificate.
      Parameters:
      cert - The certificate.
      Returns:
      The signature algorithm.
    • getCertSigAlg

      public static final String getCertSigAlg(org.bouncycastle.cert.X509CertificateHolder cert)
      Gets the signatures algorithm supported by the key provided by a certificate.
      Parameters:
      cert - The certificate.
      Returns:
      The signature algorithm.
    • getSigAlg

      public static final String getSigAlg(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo spki)
      Gets the signatures algorithm supported by the key.
      Parameters:
      spki - The subject key info.
      Returns:
      The signature algorithm.
    • getChainValidationRules

      protected static final org.bouncycastle.cert.path.CertPathValidation[] getChainValidationRules()
      Gets the certificate chain validation rules.
      Returns:
      The rules.
    • generateSecureRandom

      protected static final SecureRandom generateSecureRandom()
      Generates a fast secure PRNG. The setup attempts to prepare a PRNG that is fast and secure.
      Returns:
      Secure PRNG.
    • generateParanoidSecureRandom

      protected static final SecureRandom generateParanoidSecureRandom()
      Generates a secure PRNG. The setup attempts to prepare a PRNG that avoids relying on a single approach.
      Returns:
      Secure PRNG.
    • createCertificateBySpecification

      protected static final jadex.common.Tuple2<String,String> createCertificateBySpecification(String issuercert, String issuerkey, org.bouncycastle.asn1.x500.X500Name subject, String sigalg, String schemeconf, String digalg, int strength, int daysvalid, org.bouncycastle.asn1.x509.Extension... extensions)
      Creates a certificate using the given specification.
      Parameters:
      issuercert - Certificate of the issuer (CA).
      issuerkey - Key of the issuer (CA).
      subject - Subject of the certificate.
      sigalg - Signature scheme / certificate key algorithm to use, e.g. RSA, DSA, ECDSA.
      schemeconf - Additional scheme configuration, may be null.
      digalg - Hash algorithm to use for certificate signature.
      strength - Strength of the key.
      daysvalid - Number of days valid.
      extensions - Certificate extensions.
      Returns:
      Generated Certificate and private key as PEM-encoded strings.
    • createKeyPair

      protected static final org.bouncycastle.crypto.AsymmetricCipherKeyPair createKeyPair(String alg, String algconf, int strength)
      Generate a key pair.
      Parameters:
      alg - Algorithm to use, e.g. RSA, DSA, ECDSA.
      strength - Strength of the key pair.
      Returns:
      The generated key pair.
    • getSigner

      protected static final org.bouncycastle.operator.ContentSigner getSigner(String algospec, org.bouncycastle.asn1.pkcs.PrivateKeyInfo pki)
      Gets a signer based on a private key to identify the algorithm.
      Parameters:
      pki - The private key.
      Returns:
      A content signer.
    • getDefaultVerifier

      protected static final org.bouncycastle.operator.ContentVerifier getDefaultVerifier(org.bouncycastle.cert.X509CertificateHolder cert)
      Gets a verifier based on a certificate to identify the algorithm.
      Parameters:
      cert - The certificate.
      Returns:
      A content verifier.
    • getVerifierProvider

      protected static final org.bouncycastle.operator.ContentVerifierProvider getVerifierProvider(Object keyinfo)
      Gets a verifier provider based on a certificate to identify the algorithm.
      Parameters:
      keyinfo - The certificate or key info.
      Returns:
      The content verifier provider.
    • asn1ToBytes

      protected static final byte[] asn1ToBytes(org.bouncycastle.asn1.ASN1Object obj)
      Shorthand for converting ANS1Objects to bytes.
      Parameters:
      obj - The object.
      Returns:
      Encoded bytes.
    • deriveKeyFromPassword

      public static byte[] deriveKeyFromPassword(String pw, byte[] salt)
      Derive a key from a password via Argon2id.
      Parameters:
      pw - The password.
      salt - The salt.
      Returns:
      The key.
    • deriveKeyFromPassword

      public static byte[] deriveKeyFromPassword(String pw, byte[] salt, int keysize)
      Derive a key from a password via Argon2id.
      Parameters:
      pw - The password.
      salt - The salt.
      Returns:
      The key.