public final class SecurityUtils
Utilities related to Java security.
Static Methods
createMtlsKeyStore(InputStream certAndKey)
public static KeyStore createMtlsKeyStore(InputStream certAndKey)
Beta
Create a keystore for mutual TLS with the certificate and private key provided.
Parameter

| Name | Type | Description |
|---|---|---|
| certAndKey | InputStream | Certificate and private key input stream. The stream should contain one certificate and one unencrypted private key. If there are multiple certificates, only the first certificate will be used. |

Returns

| Type | Description |
|---|---|
| KeyStore | keystore for mutual TLS. |

Exceptions

| Type | Description |
|---|---|
| GeneralSecurityException | |
| IOException | |
getDefaultKeyStore()
public static KeyStore getDefaultKeyStore()
Returns the default key store using KeyStore#getDefaultType().
Returns

| Type | Description |
|---|---|
| KeyStore | |

Exceptions

| Type | Description |
|---|---|
| KeyStoreException | |
getEs256SignatureAlgorithm()
public static Signature getEs256SignatureAlgorithm()
Returns the SHA-256 with ECDSA signature algorithm.

Returns

| Type | Description |
|---|---|
| Signature | |

Exceptions

| Type | Description |
|---|---|
| NoSuchAlgorithmException | |
getJavaKeyStore()
public static KeyStore getJavaKeyStore()
Returns the Java KeyStore (JKS).
Returns

| Type | Description |
|---|---|
| KeyStore | |

Exceptions

| Type | Description |
|---|---|
| KeyStoreException | |
getPkcs12KeyStore()
public static KeyStore getPkcs12KeyStore()
Returns the PKCS12 key store.
Returns

| Type | Description |
|---|---|
| KeyStore | |

Exceptions

| Type | Description |
|---|---|
| KeyStoreException | |
getPrivateKey(KeyStore keyStore, String alias, String keyPass)
public static PrivateKey getPrivateKey(KeyStore keyStore, String alias, String keyPass)
Returns the private key from the key store.
Parameters

| Name | Type | Description |
|---|---|---|
| keyStore | KeyStore | key store |
| alias | String | alias under which the key is stored |
| keyPass | String | password protecting the key |

Returns

| Type | Description |
|---|---|
| PrivateKey | private key |

Exceptions

| Type | Description |
|---|---|
| GeneralSecurityException | |
getRsaKeyFactory()
public static KeyFactory getRsaKeyFactory()
Returns the RSA key factory.
Returns

| Type | Description |
|---|---|
| KeyFactory | |

Exceptions

| Type | Description |
|---|---|
| NoSuchAlgorithmException | |
getSha1WithRsaSignatureAlgorithm()
public static Signature getSha1WithRsaSignatureAlgorithm()
Returns the SHA-1 with RSA signature algorithm. SHA-1 is deprecated for new signatures; prefer getSha256WithRsaSignatureAlgorithm() unless an existing protocol requires SHA-1.

Returns

| Type | Description |
|---|---|
| Signature | |

Exceptions

| Type | Description |
|---|---|
| NoSuchAlgorithmException | |
getSha256WithRsaSignatureAlgorithm()
public static Signature getSha256WithRsaSignatureAlgorithm()
Returns the SHA-256 with RSA signature algorithm.
Returns

| Type | Description |
|---|---|
| Signature | |

Exceptions

| Type | Description |
|---|---|
| NoSuchAlgorithmException | |
getX509CertificateFactory()
public static CertificateFactory getX509CertificateFactory()
Returns the X.509 certificate factory.
Returns

| Type | Description |
|---|---|
| CertificateFactory | |

Exceptions

| Type | Description |
|---|---|
| CertificateException | |
loadKeyStore(KeyStore keyStore, InputStream keyStream, String storePass)
public static void loadKeyStore(KeyStore keyStore, InputStream keyStream, String storePass)
Loads a key store from a stream.
Example usage:
```java
KeyStore keyStore = SecurityUtils.getJavaKeyStore();
SecurityUtils.loadKeyStore(keyStore, new FileInputStream("certs.jks"), "password");
```
Parameters

| Name | Type | Description |
|---|---|---|
| keyStore | KeyStore | key store |
| keyStream | InputStream | input stream to the key store (closed at the end of this method in a finally block) |
| storePass | String | password protecting the key store file |

Exceptions

| Type | Description |
|---|---|
| IOException | |
| GeneralSecurityException | |
loadKeyStoreFromCertificates(KeyStore keyStore, CertificateFactory certificateFactory, InputStream certificateStream)
public static void loadKeyStoreFromCertificates(KeyStore keyStore, CertificateFactory certificateFactory, InputStream certificateStream)
Loads a key store with certificates generated from the specified stream using CertificateFactory#generateCertificates(InputStream).
For each certificate, KeyStore#setCertificateEntry(String, Certificate) is called with an alias that is the string form of incrementing non-negative integers starting with 0 (0, 1, 2, 3, ...).
Example usage:
```java
KeyStore keyStore = SecurityUtils.getJavaKeyStore();
SecurityUtils.loadKeyStoreFromCertificates(keyStore, SecurityUtils.getX509CertificateFactory(), new FileInputStream(pemFile));
```
Parameters

| Name | Type | Description |
|---|---|---|
| keyStore | KeyStore | key store (for example #getJavaKeyStore()) |
| certificateFactory | CertificateFactory | certificate factory (for example #getX509CertificateFactory()) |
| certificateStream | InputStream | certificate stream |

Exceptions

| Type | Description |
|---|---|
| GeneralSecurityException | |
loadPrivateKeyFromKeyStore(KeyStore keyStore, InputStream keyStream, String storePass, String alias, String keyPass)
public static PrivateKey loadPrivateKeyFromKeyStore(KeyStore keyStore, InputStream keyStream, String storePass, String alias, String keyPass)
Loads the key store from the specified stream and returns the private key stored under the given alias.
Parameters

| Name | Type | Description |
|---|---|---|
| keyStore | KeyStore | key store |
| keyStream | InputStream | input stream to the key store (closed at the end of this method in a finally block) |
| storePass | String | password protecting the key store file |
| alias | String | alias under which the key is stored |
| keyPass | String | password protecting the key |

Returns

| Type | Description |
|---|---|
| PrivateKey | key from the key store |

Exceptions

| Type | Description |
|---|---|
| IOException | |
| GeneralSecurityException | |
sign(Signature signatureAlgorithm, PrivateKey privateKey, byte[] contentBytes)
public static byte[] sign(Signature signatureAlgorithm, PrivateKey privateKey, byte[] contentBytes)
Signs content using a private key.
Parameters

| Name | Type | Description |
|---|---|---|
| signatureAlgorithm | Signature | signature algorithm |
| privateKey | PrivateKey | private key |
| contentBytes | byte[] | content to sign |

Returns

| Type | Description |
|---|---|
| byte[] | signed content |

Exceptions

| Type | Description |
|---|---|
| InvalidKeyException | |
| SignatureException | |
verify(Signature signatureAlgorithm, PublicKey publicKey, byte[] signatureBytes, byte[] contentBytes)
public static boolean verify(Signature signatureAlgorithm, PublicKey publicKey, byte[] signatureBytes, byte[] contentBytes)
Verifies the signature of signed content based on a public key.
Parameters

| Name | Type | Description |
|---|---|---|
| signatureAlgorithm | Signature | signature algorithm |
| publicKey | PublicKey | public key |
| signatureBytes | byte[] | signature bytes |
| contentBytes | byte[] | content bytes |

Returns

| Type | Description |
|---|---|
| boolean | whether the signature was verified |

Exceptions

| Type | Description |
|---|---|
| InvalidKeyException | |
| SignatureException | |
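Added example, not part of this reference page or the library's own code, that exercises the sign and verify pair together with getSha256WithRsaSignatureAlgorithm() and getRsaKeyFactory(): the verifier side rebuilds the public key from its encoded form, and the two negative cases show that tampered content or a signature made with a different key yields false. It assumes the class is com.google.api.client.util.SecurityUtils from google-http-client and uses a constructed in-memory RSA key pair instead of one loaded from a key store.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;

import com.google.api.client.util.SecurityUtils; // assumed package of the class documented above

public class SignVerifyExample {

  /** Signer side: detached SHA256withRSA signature over the content bytes. */
  static byte[] signContent(PrivateKey privateKey, byte[] content) throws Exception {
    // A Signature object carries per-operation state, so obtain a fresh one for each call.
    Signature signer = SecurityUtils.getSha256WithRsaSignatureAlgorithm();
    return SecurityUtils.sign(signer, privateKey, content);
  }

  /** Verifier side: rebuilds the public key from its X.509 SubjectPublicKeyInfo encoding. */
  static boolean verifyContent(byte[] encodedPublicKey, byte[] signature, byte[] content)
      throws Exception {
    KeyFactory rsa = SecurityUtils.getRsaKeyFactory();
    PublicKey publicKey = rsa.generatePublic(new X509EncodedKeySpec(encodedPublicKey));
    Signature verifier = SecurityUtils.getSha256WithRsaSignatureAlgorithm();
    return SecurityUtils.verify(verifier, publicKey, signature, content);
  }

  public static void main(String[] args) throws Exception {
    // Constructed key pair for the demo; in practice the private key would come from
    // loadPrivateKeyFromKeyStore and only the encoded public key is handed to verifiers.
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    KeyPair pair = gen.generateKeyPair();
    byte[] encodedPublicKey = pair.getPublic().getEncoded();

    byte[] content = "{\"sub\":\"service-a\",\"exp\":1700000000}".getBytes(StandardCharsets.UTF_8);
    byte[] signature = signContent(pair.getPrivate(), content);
    System.out.println("original verifies: " + verifyContent(encodedPublicKey, signature, content));

    // Flipping one bit of the signed bytes (the last digit of "exp") must fail verification.
    byte[] tampered = content.clone();
    tampered[tampered.length - 2] ^= 0x01;
    System.out.println("tampered verifies: " + verifyContent(encodedPublicKey, signature, tampered));

    // A signature produced by a different key over the same content must also fail.
    byte[] otherSig = signContent(gen.generateKeyPair().getPrivate(), content);
    System.out.println("other key verifies: " + verifyContent(encodedPublicKey, otherSig, content));
  }
}
```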
verify(Signature signatureAlgorithm, X509TrustManager trustManager, List<String> certChainBase64, byte[] signatureBytes, byte[] contentBytes)
public static X509Certificate verify(Signature signatureAlgorithm, X509TrustManager trustManager, List<String> certChainBase64, byte[] signatureBytes, byte[] contentBytes)
Verifies the signature of signed content based on a certificate chain.
Parameters

| Name | Type | Description |
|---|---|---|
| signatureAlgorithm | Signature | signature algorithm |
| trustManager | X509TrustManager | trust manager used to verify the certificate chain |
| certChainBase64 | List<String> | Certificate chain used for verification. The certificates must be base64-encoded DER, and the leaf certificate must be the first element. |
| signatureBytes | byte[] | signature bytes |
| contentBytes | byte[] | content bytes |

Returns

| Type | Description |
|---|---|
| X509Certificate | The signature certificate if the signature could be verified, null otherwise. |

Exceptions

| Type | Description |
|---|---|
| InvalidKeyException | |
| SignatureException | |