Class SecurityUtils

public final class SecurityUtils

Utilities related to Java security.

Inheritance

java.lang.Object > SecurityUtils

Static Methods

createMtlsKeyStore(InputStream certAndKey)

public static KeyStore createMtlsKeyStore(InputStream certAndKey)

Beta
Create a keystore for mutual TLS with the certificate and private key provided.

Parameter
  certAndKey (InputStream): Certificate and private key input stream. The stream should contain one certificate and one unencrypted private key. If there are multiple certificates, only the first certificate will be used.

Returns
  KeyStore: keystore for mutual TLS.

Exceptions
  GeneralSecurityException
  IOException
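As an added example (not code from the google-http-java-client docs), the keystore returned by createMtlsKeyStore is wired into a KeyManagerFactory and an SSLContext so that the client presents its certificate during the TLS handshake. It assumes the file "client.pem" (a constructed name) holds one certificate and one unencrypted private key, and that the key entry in the returned keystore has an empty password; verify that against the library source before relying on it.

```java
import com.google.api.client.util.SecurityUtils;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class MtlsContextExample {
  public static SSLContext buildMtlsContext(String certAndKeyPath) throws Exception {
    KeyStore clientStore;
    // try-with-resources closes the stream whether or not the library does.
    try (InputStream in = new FileInputStream(certAndKeyPath)) {
      clientStore = SecurityUtils.createMtlsKeyStore(in);
    }

    // Assumption: the key entry in the returned keystore has an empty password.
    KeyManagerFactory kmf =
        KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(clientStore, new char[0]);

    // The keystore only supplies the client identity; server trust still comes
    // from the platform's default trust store (null = JVM default).
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init((KeyStore) null);

    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    // "client.pem" is a constructed file name; the key inside is unencrypted,
    // so the file itself must be protected by file-system permissions.
    SSLContext ctx = buildMtlsContext(args.length > 0 ? args[0] : "client.pem");
    System.out.println("mTLS context ready, protocol " + ctx.getProtocol());
  }
}
```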

getDefaultKeyStore()

public static KeyStore getDefaultKeyStore()

Returns the default key store using KeyStore#getDefaultType().

Returns
  KeyStore

Exceptions
  KeyStoreException

getEs256SignatureAlgorithm()

public static Signature getEs256SignatureAlgorithm()

Returns the SHA-256 with ECDSA signature algorithm.

Returns
  Signature

Exceptions
  NoSuchAlgorithmException

getJavaKeyStore()

public static KeyStore getJavaKeyStore()

Returns the Java KeyStore (JKS).

Returns
  KeyStore

Exceptions
  KeyStoreException

getPkcs12KeyStore()

public static KeyStore getPkcs12KeyStore()

Returns the PKCS12 key store.

Returns
  KeyStore

Exceptions
  KeyStoreException

getPrivateKey(KeyStore keyStore, String alias, String keyPass)

public static PrivateKey getPrivateKey(KeyStore keyStore, String alias, String keyPass)

Returns the private key from the key store.

Parameters
  keyStore (KeyStore): key store
  alias (String): alias under which the key is stored
  keyPass (String): password protecting the key

Returns
  PrivateKey: private key

Exceptions
  GeneralSecurityException

getRsaKeyFactory()

public static KeyFactory getRsaKeyFactory()

Returns the RSA key factory.

Returns
  KeyFactory

Exceptions
  NoSuchAlgorithmException

getSha1WithRsaSignatureAlgorithm()

public static Signature getSha1WithRsaSignatureAlgorithm()

Returns the SHA-1 with RSA signature algorithm.

Returns
  Signature

Exceptions
  NoSuchAlgorithmException

getSha256WithRsaSignatureAlgorithm()

public static Signature getSha256WithRsaSignatureAlgorithm()

Returns the SHA-256 with RSA signature algorithm.

Returns
  Signature

Exceptions
  NoSuchAlgorithmException

getX509CertificateFactory()

public static CertificateFactory getX509CertificateFactory()

Returns the X.509 certificate factory.

Returns
  CertificateFactory

Exceptions
  CertificateException

loadKeyStore(KeyStore keyStore, InputStream keyStream, String storePass)

public static void loadKeyStore(KeyStore keyStore, InputStream keyStream, String storePass)

Loads a key store from a stream.

Example usage:

  KeyStore keyStore = SecurityUtils.getJavaKeyStore();
  SecurityUtils.loadKeyStore(keyStore, new FileInputStream("certs.jks"), "password");

Parameters
  keyStore (KeyStore): key store
  keyStream (InputStream): input stream to the key store (closed at the end of this method in a finally block)
  storePass (String): password protecting the key store file

Exceptions
  IOException
  GeneralSecurityException

loadKeyStoreFromCertificates(KeyStore keyStore, CertificateFactory certificateFactory, InputStream certificateStream)

public static void loadKeyStoreFromCertificates(KeyStore keyStore, CertificateFactory certificateFactory, InputStream certificateStream)

Loads a key store with certificates generated from the specified stream using CertificateFactory#generateCertificates(InputStream).

For each certificate, KeyStore#setCertificateEntry(String, Certificate) is called with an alias that is the string form of incrementing non-negative integers starting with 0 (0, 1, 2, 3, ...).

Example usage:

  KeyStore keyStore = SecurityUtils.getJavaKeyStore();
  SecurityUtils.loadKeyStoreFromCertificates(keyStore, SecurityUtils.getX509CertificateFactory(), new FileInputStream(pemFile));

Parameters
  keyStore (KeyStore): key store (for example #getJavaKeyStore())
  certificateFactory (CertificateFactory): certificate factory (for example #getX509CertificateFactory())
  certificateStream (InputStream): certificate stream

Exceptions
  GeneralSecurityException

loadPrivateKeyFromKeyStore(KeyStore keyStore, InputStream keyStream, String storePass, String alias, String keyPass)

public static PrivateKey loadPrivateKeyFromKeyStore(KeyStore keyStore, InputStream keyStream, String storePass, String alias, String keyPass)

Loads the key store from the specified stream and retrieves the private key stored under the given alias.

Parameters
  keyStore (KeyStore): key store
  keyStream (InputStream): input stream to the key store (closed at the end of this method in a finally block)
  storePass (String): password protecting the key store file
  alias (String): alias under which the key is stored
  keyPass (String): password protecting the key

Returns
  PrivateKey: key from the key store

Exceptions
  IOException
  GeneralSecurityException

sign(Signature signatureAlgorithm, PrivateKey privateKey, byte[] contentBytes)

public static byte[] sign(Signature signatureAlgorithm, PrivateKey privateKey, byte[] contentBytes)

Signs content using a private key.

Parameters
  signatureAlgorithm (Signature): signature algorithm
  privateKey (PrivateKey): private key
  contentBytes (byte[]): content to sign

Returns
  byte[]: signed content

Exceptions
  InvalidKeyException
  SignatureException

verify(Signature signatureAlgorithm, PublicKey publicKey, byte[] signatureBytes, byte[] contentBytes)

public static boolean verify(Signature signatureAlgorithm, PublicKey publicKey, byte[] signatureBytes, byte[] contentBytes)

Verifies the signature of signed content based on a public key.

Parameters
  signatureAlgorithm (Signature): signature algorithm
  publicKey (PublicKey): public key
  signatureBytes (byte[]): signature bytes
  contentBytes (byte[]): content bytes

Returns
  boolean: whether the signature was verified

Exceptions
  InvalidKeyException
  SignatureException
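An added example, not from the SecurityUtils docs, that round-trips sign and the public-key verify with SHA-256/RSA on a key pair generated in memory, then shows that a one-bit change to the payload makes verify return false rather than throw. SHA-256 is used rather than the SHA-1 variant because SHA-1 is no longer collision-resistant; the payload and class name are constructed for the example.

```java
import com.google.api.client.util.SecurityUtils;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;

public final class SignVerifyExample {
  // A fresh Signature instance per call: Signature objects carry state and are
  // not safe to share between threads.
  public static byte[] signContent(PrivateKey key, byte[] content) throws Exception {
    return SecurityUtils.sign(SecurityUtils.getSha256WithRsaSignatureAlgorithm(), key, content);
  }

  public static boolean verifyContent(PublicKey key, byte[] sig, byte[] content) throws Exception {
    return SecurityUtils.verify(
        SecurityUtils.getSha256WithRsaSignatureAlgorithm(), key, sig, content);
  }

  public static void main(String[] args) throws Exception {
    // Constructed in-memory key pair; in production the private key would come
    // from a keystore via SecurityUtils.loadPrivateKeyFromKeyStore.
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    KeyPair pair = gen.generateKeyPair();

    // Constructed sample payload.
    byte[] content =
        "{\"sub\":\"svc-account\",\"exp\":1700000000}".getBytes(StandardCharsets.UTF_8);
    byte[] sig = signContent(pair.getPrivate(), content);
    System.out.println("original payload verifies: "
        + verifyContent(pair.getPublic(), sig, content));

    // Flip one bit of the payload: the signature no longer matches, and
    // verify() reports that as false, not as an exception.
    byte[] tampered = content.clone();
    tampered[0] ^= 0x01;
    System.out.println("tampered payload verifies: "
        + verifyContent(pair.getPublic(), sig, tampered));
  }
}
```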

verify(Signature signatureAlgorithm, X509TrustManager trustManager, List<String> certChainBase64, byte[] signatureBytes, byte[] contentBytes)

public static X509Certificate verify(Signature signatureAlgorithm, X509TrustManager trustManager, List<String> certChainBase64, byte[] signatureBytes, byte[] contentBytes)

Verifies the signature of signed content based on a certificate chain.

Parameters
  signatureAlgorithm (Signature): signature algorithm
  trustManager (X509TrustManager): trust manager used to verify the certificate chain
  certChainBase64 (List<String>): Certificate chain used for verification. The certificates must be base64-encoded DER, and the leaf certificate must be the first element.
  signatureBytes (byte[]): signature bytes
  contentBytes (byte[]): content bytes

Returns
  X509Certificate: The signature certificate if the signature could be verified, null otherwise.

Exceptions
  InvalidKeyException
  SignatureException
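As an added example (not the library's own code) covering both loadKeyStoreFromCertificates and the chain-based verify, this builds an X509TrustManager from a PEM bundle of trusted CA certificates, encodes the signer's chain as base64 DER with the leaf first, and returns the signer certificate or null. The file names "trusted-roots.pem" and "chain.pem", the class name, and the call to KeyStore.load(null, null) before populating the store are assumptions; signatureBytes and contentBytes are whatever the signer produced.

```java
import com.google.api.client.util.SecurityUtils;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class ChainVerifyExample {
  // Trust manager anchored only on the CA certificates in rootsPem, so the
  // JVM's default truststore plays no part in accepting the signer's chain.
  public static X509TrustManager trustManagerFor(String rootsPem) throws Exception {
    KeyStore roots = SecurityUtils.getJavaKeyStore();
    roots.load(null, null); // assumption: initialise an empty store before adding entries
    try (FileInputStream in = new FileInputStream(rootsPem)) {
      // Entries are added under the aliases "0", "1", "2", ... as documented.
      SecurityUtils.loadKeyStoreFromCertificates(roots, SecurityUtils.getX509CertificateFactory(), in);
    }
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(roots);
    for (TrustManager tm : tmf.getTrustManagers()) {
      if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
    }
    throw new IllegalStateException("no X509TrustManager available");
  }

  // Encodes the chain as base64 DER, leaf first: the form verify() expects.
  public static List<String> chainToBase64Der(String chainPem) throws Exception {
    List<String> out = new ArrayList<>();
    try (FileInputStream in = new FileInputStream(chainPem)) {
      for (Certificate c : SecurityUtils.getX509CertificateFactory().generateCertificates(in)) {
        out.add(Base64.getEncoder().encodeToString(c.getEncoded()));
      }
    }
    return out;
  }

  // Returns the signer's certificate, or null if the chain is not trusted or the
  // signature does not match. Callers should still confirm that the returned
  // certificate's subject is the signer they expect before trusting the content.
  public static X509Certificate verifyWithChain(
      String rootsPem, String chainPem, byte[] signatureBytes, byte[] contentBytes) throws Exception {
    return SecurityUtils.verify(SecurityUtils.getSha256WithRsaSignatureAlgorithm(),
        trustManagerFor(rootsPem), chainToBase64Der(chainPem), signatureBytes, contentBytes);
  }
}
```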