Package jadex.ipc.impl.security
Class SSecurity
java.lang.Object
jadex.ipc.impl.security.SSecurity
Class with static helper methods for security functions.
-
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final int
Argon2 iterations.static final int
Argon2 memory size in KiB.protected static final String
Default hash used for signatures.protected static boolean
Flag if the fallback warning has been issued before.protected static IEntropySource
Entropy source for seeding CSPRNGS.static boolean
Flag if the paranoid/hedged-mode PRNG should be used (much slower, but guarded against single-point failures).protected static SecureRandom
Common secure random number source.protected static boolean
Enable this to test the seeding fallback, do not change, used by tests only. -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprotected static final byte[]
asn1ToBytes
(org.bouncycastle.asn1.ASN1Object obj) Shorthand for converting ANS1Objects to bytes.static final boolean
checkEntity
(org.bouncycastle.cert.X509CertificateHolder cert, String entityname) Check whether a certificate belongs to an entity, either as common name or as alt name.createCertificate
(String issuercert, String issuerkey, String subjectdn, String scheme, String schemeconf, String hashalg, int strength, int daysvalid) Generates a certificate that allows signing / authentication.createCertificateBySpecification
(String issuercert, String issuerkey, org.bouncycastle.asn1.x500.X500Name subject, String sigalg, String schemeconf, String digalg, int strength, int daysvalid, org.bouncycastle.asn1.x509.Extension... extensions) Creates a certificate using the given specification.createIntermediateCaCertificate
(String issuercert, String issuerkey, String subjectdn, int pathlen, String scheme, String schemeconf, String hashalg, int strength, int daysvalid) Generates a certificate for an intermediate CA.protected static final org.bouncycastle.crypto.AsymmetricCipherKeyPair
createKeyPair
(String alg, String algconf, int strength) Generate a key pair.createRootCaCertificate
(String subjectdn, int pathlen, String scheme, String schemeconf, String hashalg, int strength, int daysvalid) Generates a certificate for a root CA.createSelfSignedCertificate
(String subjectdn, String scheme, String schemeconf, String hashalg, int strength, int daysvalid) Generates a self-signed certificate that allows signing / authentication.static final PemKeyPair
Creates a random CA certificate for testing.static final PemKeyPair
Creates a random certificate for testing.static byte[]
deriveKeyFromPassword
(String pw, byte[] salt) Derive a key from a password via Argon2id.static byte[]
deriveKeyFromPassword
(String pw, byte[] salt, int keysize) Derive a key from a password via Argon2id.protected static final SecureRandom
Generates a secure PRNG.protected static final SecureRandom
Generates a fast secure PRNG.static final String
getCertSigAlg
(String cert) Gets the signatures algorithm supported by the key provided by a certificate.static final String
getCertSigAlg
(org.bouncycastle.cert.X509CertificateHolder cert) Gets the signatures algorithm supported by the key provided by a certificate.protected static final org.bouncycastle.cert.path.CertPathValidation[]
Gets the certificate chain validation rules.static String
getCommonName
(org.bouncycastle.asn1.x500.X500Name name) Returns the subject ID of a certificate.protected static final org.bouncycastle.operator.ContentVerifier
getDefaultVerifier
(org.bouncycastle.cert.X509CertificateHolder cert) Gets a verifier based on a certificate to identify the algorithm.static IEntropySource
Gets a secure entropy source from OS or otherwise.static final SecureRandom
Gets access to the common secure PRNG.static final String
getSigAlg
(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo spki) Gets the signatures algorithm supported by the key.protected static final org.bouncycastle.operator.ContentSigner
Gets a signer based on a private key to identify the algorithm.protected static final org.bouncycastle.operator.ContentVerifierProvider
getVerifierProvider
(Object keyinfo) Gets a verifier provider based on a certificate to identify the algorithm.static final boolean
isCaCertificate
(String cert) Tests if a certificate is a CA certificate.static final List
<org.bouncycastle.cert.X509CertificateHolder> Reads a certificate chain.static final org.bouncycastle.cert.X509CertificateHolder
Read a certificate from a PEM-encoded string.static final org.bouncycastle.asn1.pkcs.PrivateKeyInfo
Reads a private key from a PEM string.static final byte[]
signWithPEM
(byte[] msghash, InputStream pemcert, InputStream pemkey) Sign using a PEM-encoded X.509 certificate/key.static final boolean
verifyWithPEM
(byte[] msghash, byte[] token, String signingcert, LinkedHashSet<org.bouncycastle.cert.X509CertificateHolder> trustchain) Verify using a PEM-encoded X.509 certificate/key.static final String
writeCertificateAsPEM
(org.bouncycastle.cert.X509CertificateHolder cert) Writes a certificate as PEM-encoded string.static final byte[]
xor
(byte[] op1result, byte[] op2) XORs two byte arrays.
-
Field Details
-
ARGON_MEM
public static final int ARGON_MEMArgon2 memory size in KiB.- See Also:
-
ARGON_IT
public static final int ARGON_ITArgon2 iterations.- See Also:
-
DEFAULT_SIGNATURE_HASH
Default hash used for signatures.- See Also:
-
PARANOID_PRNG
public static boolean PARANOID_PRNGFlag if the paranoid/hedged-mode PRNG should be used (much slower, but guarded against single-point failures). -
SECURE_RANDOM
Common secure random number source. -
ENTROPY_SOURCE
Entropy source for seeding CSPRNGS. -
ENTROPY_FALLBACK_WARNING_DONE
protected static boolean ENTROPY_FALLBACK_WARNING_DONEFlag if the fallback warning has been issued before. -
TEST_ENTROPY_FALLBACK
protected static boolean TEST_ENTROPY_FALLBACKEnable this to test the seeding fallback, do not change, used by tests only.
-
-
Constructor Details
-
SSecurity
public SSecurity()
-
-
Method Details
-
getSecureRandom
Gets access to the common secure PRNG.- Returns:
- Common secure PRNG.
-
getEntropySource
Gets a secure entropy source from OS or otherwise.- Returns:
- Secure entropy source.
-
signWithPEM
Sign using a PEM-encoded X.509 certificate/key.- Parameters:
msghash
- The message hash.pemcert
- The PEM certificate.pemkey
- The PEM key.- Returns:
- Signature.
-
verifyWithPEM
public static final boolean verifyWithPEM(byte[] msghash, byte[] token, String signingcert, LinkedHashSet<org.bouncycastle.cert.X509CertificateHolder> trustchain) Verify using a PEM-encoded X.509 certificate/key.- Parameters:
msghash
- The message hash.token
- The authentication token.signingcert
- The signing certificate.trustedpemcert
- The PEM certificate trust anchor.- Returns:
- True, if the certificate chain and signature is valid.
-
createSelfSignedCertificate
public static final jadex.common.Tuple2<String,String> createSelfSignedCertificate(String subjectdn, String scheme, String schemeconf, String hashalg, int strength, int daysvalid) Generates a self-signed certificate that allows signing / authentication.- Parameters:
subjectdn
- The CA subject identifier.scheme
- Signature scheme to use, e.g. RSA, DSA, ECDSA.hashalg
- Hash algorithm to use.strength
- Strength of the key.daysvalid
- Number of days valid.- Returns:
- The certificate.
-
createCertificate
public static final jadex.common.Tuple2<String,String> createCertificate(String issuercert, String issuerkey, String subjectdn, String scheme, String schemeconf, String hashalg, int strength, int daysvalid) Generates a certificate that allows signing / authentication.- Parameters:
issuercert
- Certificate of the parent CA.issuerkey
- Key of the parent CA.subjectdn
- The CA subject identifier.scheme
- Signature scheme to use, e.g. RSA, DSA, ECDSA.hashalg
- Hash algorithm to use.strength
- Strength of the key.daysvalid
- Number of days valid.- Returns:
- The certificate.
-
createIntermediateCaCertificate
public static final jadex.common.Tuple2<String,String> createIntermediateCaCertificate(String issuercert, String issuerkey, String subjectdn, int pathlen, String scheme, String schemeconf, String hashalg, int strength, int daysvalid) Generates a certificate for an intermediate CA.- Parameters:
issuercert
- Certificate of the parent CA.issuerkey
- Key of the parent CA.subjectdn
- The CA subject identifier.pathlen
- Allowed path length for the intermediate CA (0 = no intermediate CA certificate children).scheme
- Signature scheme to use, e.g. RSA, DSA, ECDSA.hashalg
- Hash algorithm to use.strength
- Strength of the key.daysvalid
- Number of days valid.- Returns:
- The certificate.
-
createRootCaCertificate
public static final jadex.common.Tuple2<String,String> createRootCaCertificate(String subjectdn, int pathlen, String scheme, String schemeconf, String hashalg, int strength, int daysvalid) Generates a certificate for a root CA.- Parameters:
subjectdn
- The CA subject identifier.scheme
- Signature scheme to use, e.g. RSA, DSA, ECDSA.hashalg
- Hash algorithm to use.strength
- Strength of the key.daysvalid
- Number of days valid.- Returns:
- The certificate.
-
createTestCACert
Creates a random CA certificate for testing. -
createTestCert
Creates a random certificate for testing. -
xor
public static final byte[] xor(byte[] op1result, byte[] op2) XORs two byte arrays.- Parameters:
op1result
- First array and output array.op2
- Second array.- Returns:
- Modified first array.
-
readCertificateFromPEM
Read a certificate from a PEM-encoded string.- Parameters:
pem
- The PEM-encoded string.- Returns:
- The certificate.
-
readCertificateChainFromPEM
public static final List<org.bouncycastle.cert.X509CertificateHolder> readCertificateChainFromPEM(String pem) Reads a certificate chain.- Parameters:
pem
- PEM of the chain.- Returns:
- The chain, starting with the leaf.
-
getCommonName
Returns the subject ID of a certificate.- Parameters:
cert
- The certificate.- Returns:
- The subject ID.
-
checkEntity
public static final boolean checkEntity(org.bouncycastle.cert.X509CertificateHolder cert, String entityname) Check whether a certificate belongs to an entity, either as common name or as alt name.- Parameters:
cert
- The certificate.entityname
- The entity name.- Returns:
- True, if the certificate belongs, false otherwise.
-
writeCertificateAsPEM
Writes a certificate as PEM-encoded string.- Parameters:
cert
- The certificate.- Returns:
- Encoded string.
-
readPrivateKeyFromPEM
Reads a private key from a PEM string.- Parameters:
pem
- The PEM-encoded string.- Returns:
- The private key.
-
isCaCertificate
Tests if a certificate is a CA certificate.- Parameters:
cert
- The certificate.- Returns:
- True, if CA certificate.
-
getCertSigAlg
Gets the signatures algorithm supported by the key provided by a certificate.- Parameters:
cert
- The certificate.- Returns:
- The signature algorithm.
-
getCertSigAlg
Gets the signatures algorithm supported by the key provided by a certificate.- Parameters:
cert
- The certificate.- Returns:
- The signature algorithm.
-
getSigAlg
Gets the signatures algorithm supported by the key.- Parameters:
spki
- The subject key info.- Returns:
- The signature algorithm.
-
getChainValidationRules
protected static final org.bouncycastle.cert.path.CertPathValidation[] getChainValidationRules()Gets the certificate chain validation rules.- Returns:
- The rules.
-
generateSecureRandom
Generates a fast secure PRNG. The setup attempts to prepare a PRNG that is fast and secure.- Returns:
- Secure PRNG.
-
generateParanoidSecureRandom
Generates a secure PRNG. The setup attempts to prepare a PRNG that avoids relying on a single approach.- Returns:
- Secure PRNG.
-
createCertificateBySpecification
protected static final jadex.common.Tuple2<String,String> createCertificateBySpecification(String issuercert, String issuerkey, org.bouncycastle.asn1.x500.X500Name subject, String sigalg, String schemeconf, String digalg, int strength, int daysvalid, org.bouncycastle.asn1.x509.Extension... extensions) Creates a certificate using the given specification.- Parameters:
issuercert
- Certificate of the issuer (CA).issuerkey
- Key of the issuer (CA).subject
- Subject of the certificate.sigalg
- Signature scheme / certificate key algorithm to use, e.g. RSA, DSA, ECDSA.schemeconf
- Additional scheme configuration, may be null.digalg
- Hash algorithm to use for certificate signature.strength
- Strength of the key.daysvalid
- Number of days valid.extensions
- Certificate extensions.- Returns:
- Generated Certificate and private key as PEM-encoded strings.
-
createKeyPair
protected static final org.bouncycastle.crypto.AsymmetricCipherKeyPair createKeyPair(String alg, String algconf, int strength) Generate a key pair.- Parameters:
alg
- Algorithm to use, e.g. RSA, DSA, ECDSA.strength
- Strength of the key pair.- Returns:
- The generated key pair.
-
getSigner
protected static final org.bouncycastle.operator.ContentSigner getSigner(String algospec, org.bouncycastle.asn1.pkcs.PrivateKeyInfo pki) Gets a signer based on a private key to identify the algorithm.- Parameters:
pki
- The private key.- Returns:
- A content signer.
-
getDefaultVerifier
protected static final org.bouncycastle.operator.ContentVerifier getDefaultVerifier(org.bouncycastle.cert.X509CertificateHolder cert) Gets a verifier based on a certificate to identify the algorithm.- Parameters:
cert
- The certificate.- Returns:
- A content verifier.
-
getVerifierProvider
protected static final org.bouncycastle.operator.ContentVerifierProvider getVerifierProvider(Object keyinfo) Gets a verifier provider based on a certificate to identify the algorithm.- Parameters:
keyinfo
- The certificate or key info.- Returns:
- The content verifier provider.
-
asn1ToBytes
protected static final byte[] asn1ToBytes(org.bouncycastle.asn1.ASN1Object obj) Shorthand for converting ANS1Objects to bytes.- Parameters:
obj
- The object.- Returns:
- Encoded bytes.
-
deriveKeyFromPassword
Derive a key from a password via Argon2id.- Parameters:
pw
- The password.salt
- The salt.- Returns:
- The key.
-
deriveKeyFromPassword
Derive a key from a password via Argon2id.- Parameters:
pw
- The password.salt
- The salt.- Returns:
- The key.
-