Class SecurityUtils

java.lang.Object
com.inductiveautomation.ignition.common.util.SecurityUtils

public class SecurityUtils extends Object
  • Method Summary

    Modifier and Type / Method / Description

    static boolean
    asymmetricVerify(RSAPublicKey key, byte[] source, int offset, int length, byte[] signature, int sigOff, int sigLen)
    Verifies that the signature is valid based on the provided key and returns true if it is valid, false if it is not.

    static boolean
    certificateIsCa(X509Certificate certificate)
    Check if certificate's BasicConstraints and KeyUsage extensions indicate it is a CA.

    static boolean
    certificateIsSelfSigned(X509Certificate cert)
    Verifies that the given cert is signed with its own public key and that the subject and issuer are the same.

    static String
    certificateThumbprintToString(byte[] buf)
    Takes a byte array and returns a formatted string hash of the encoded bytes for comparison purposes.

    static String
    getCertificateThumbprint(X509Certificate certificate)
    Returns a to-stringed hash of the certificate encoded bytes.

    static byte[]
    getCertificateThumbprintBytes(X509Certificate certificate)
    Returns a hash of the certificate encoded bytes.

    static File
    getDefaultTrustStore()
    Returns the default trust store set using the 'javax.net.ssl.trustStore' property, or the ${JAVA_HOME}/lib/security/cacerts file.

    static File
    getDefaultTrustStoreBackup()
    Returns the default trust store set using the 'javax.net.ssl.trustStore' property with '.bak' appended, or the ${JAVA_HOME}/lib/security/cacerts.bak file.

    static org.python.bouncycastle.crypto.params.RSAKeyParameters
    getPublicKeyParameter(RSAPublicKey key)
    Returns an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher when given an RSAPublicKey.

    static byte[]
    md5(File file)
    Performs an md5 digest of a provided file and returns a byte array of the digest.

    static byte[]
    md5(InputStream stream)
    Performs an md5 digest of a provided InputStream and returns a byte array of the digest.

    static List<X509Certificate>
    parseX509Certificates(byte[] input)
    Generates a List of X509Certificate objects and initializes them with the data read from the byte array input.

    static Map<String,X509Certificate>
    parseX509Certificates(File certificateDirectory)
    Generates a Map of filenames and X509Certificate objects and initializes them with the data read from the FileInputStream inputStreams of each file in the supplied directory.

    static List<X509Certificate>
    parseX509Certificates(InputStream inputStream)
    Generates a List of X509Certificate objects and initializes them with the data read from the InputStream inputStream.

    static byte[]
    sha1(byte[] input)
    Performs a sha1 digest on the given input array, returning the digest as a byte array.

    static String
    sha1String(String input)
    Performs a sha1 digest on the input string encoded as UTF-8 and returns the digest as a Base64-encoded String.

    static String
    sha256(String source)
    Computes a sha256 digest of the provided String and returns a String representation of the digest.

    static String
    sha256PasswordSalt(String password)
    Returns a string containing the salted password.

    static boolean
    sha256PasswordSaltVerify(String password, String hashedPass)
    Verifies a plaintext password against its salted hash and returns true if they match.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Method Details

    • getPublicKeyParameter

      public static org.python.bouncycastle.crypto.params.RSAKeyParameters getPublicKeyParameter(RSAPublicKey key)
      Returns an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher when given an RSAPublicKey.
      Parameters:
      key - an RSAPublicKey object, must not be null
      Returns:
      an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher
    • sha1

      public static byte[] sha1(byte[] input)
      Performs a sha1 digest on the given input array, returning the digest as a byte array.
      Parameters:
      input - a byte array of the input needing the digest, must not be null
      Returns:
      a byte array of the SHA1 digest
    • sha1String

      public static String sha1String(String input)
      Performs a sha1 digest on the input string encoded as UTF-8 and returns the digest as a Base64-encoded String.
      Parameters:
      input - a UTF-8 encoded String, must not be null
      Returns:
      the digest in a String of Base64 Encoded bytes
      Throws:
      RuntimeException - if the passed String cannot be encoded due to String format issues
    • md5

      public static byte[] md5(File file) throws IOException
      Performs an md5 digest of a provided file and returns a byte array of the digest.
      Parameters:
      file - File needed to be digested, must not be null
      Returns:
      an md5 digest in a byte array
      Throws:
      IOException - if the File cannot be accessed or found
    • md5

      public static byte[] md5(InputStream stream) throws IOException
      Performs an md5 digest of a provided InputStream and returns a byte array of the digest.
      Parameters:
      stream - the InputStream that needs to be digested, must not be null
      Returns:
      the digest in a byte array
      Throws:
      IOException - if the InputStream cannot be accessed
    • parseX509Certificates

      public static List<X509Certificate> parseX509Certificates(byte[] input) throws CertificateException
      Generates a List of X509Certificate objects and initializes them with the data read from the byte array input. The byte array may contain DER encoded binary or PEM encoded ASCII. If the certificate is provided in Base64 (PEM) encoding, it must be bounded at the beginning by -----BEGIN CERTIFICATE----- and at the end by -----END CERTIFICATE-----.
      Parameters:
      input - a byte array containing DER encoded binary or PEM encoded ASCII, must not be null and must be properly formed
      Returns:
      a List of X509Certificate objects
      Throws:
      CertificateException - if the data in the byte array does not contain an inherent end-of-certificate marker (other than EOF) and there is trailing data after the certificate is parsed.
    • parseX509Certificates

      public static List<X509Certificate> parseX509Certificates(InputStream inputStream) throws CertificateException
      Generates a List of X509Certificate objects and initializes them with the data read from the InputStream inputStream. The stream may contain DER encoded binary or PEM encoded ASCII. If the certificate is provided in Base64 (PEM) encoding, it must be bounded at the beginning by -----BEGIN CERTIFICATE----- and at the end by -----END CERTIFICATE-----.
      Parameters:
      inputStream - an InputStream containing DER encoded binary or PEM encoded ASCII, must not be null and must be properly formed
      Returns:
      a List of X509Certificate objects
      Throws:
      CertificateException - if the data in the stream does not contain an inherent end-of-certificate marker (other than EOF) and there is trailing data after the certificate is parsed.
    • parseX509Certificates

      public static Map<String,X509Certificate> parseX509Certificates(File certificateDirectory)
      Generates a Map of filenames and X509Certificate objects and initializes them with the data read from the FileInputStream inputStreams of each file in the supplied directory. Nested directories are not searched. Each file may contain DER encoded binary or PEM encoded ASCII. If a certificate is provided in Base64 (PEM) encoding, it must be bounded at the beginning by -----BEGIN CERTIFICATE----- and at the end by -----END CERTIFICATE-----.
      Parameters:
      certificateDirectory - a File containing DER encoded binary or PEM encoded ASCII certificate files, must not be null and must be a directory.
      Returns:
      a Map of filenames to X509Certificate objects. If an IOException or CertificateException is thrown while reading a file, null will be returned for that certificate in the map.
    • asymmetricVerify

      public static boolean asymmetricVerify(RSAPublicKey key, byte[] source, int offset, int length, byte[] signature, int sigOff, int sigLen)
      Verifies that the signature is valid based on the provided key and returns true if it is valid, false if it is not.
      Parameters:
      key - an RSAPublicKey used to verify the signature, must not be null
      source - a byte array of the source data, must not be null
      offset - the offset into the source array at which the signed data starts
      length - the length of the source data to verify
      signature - a byte array of the signature, must not be null
      sigOff - the offset into the signature array at which the signature starts
      sigLen - the length of the signature in bytes
      Returns:
      true if the signature can be verified against the provided data, false if it cannot
    • getCertificateThumbprint

      public static String getCertificateThumbprint(X509Certificate certificate) throws Exception
      Returns a to-stringed hash of the certificate encoded bytes. Each certificate's hash is unique, and so certificates can be compared using their hashes to check equality.
      Parameters:
      certificate - the X509Certificate whose thumbprint is needed, must not be null
      Returns:
      a stringed hash of the certificate
      Throws:
      Exception - if the certificate is invalid or the String cannot be built
    • certificateThumbprintToString

      public static String certificateThumbprintToString(@Nullable byte[] buf)
      Takes a byte array and returns a formatted string hash of the encoded bytes for comparison purposes.
      Parameters:
      buf - a byte array containing a sha1 digest, must not be null
      Returns:
      a Stringed hash of the byte array. If buf is null, "[ ]=null" will be returned.
    • getCertificateThumbprintBytes

      public static byte[] getCertificateThumbprintBytes(X509Certificate certificate) throws CertificateEncodingException
      Returns a hash of the certificate encoded bytes. Each certificate's hash is unique, and so certificates can be compared using their hashes to check equality.
      Parameters:
      certificate - the X509Certificate to be hashed, must not be null
      Returns:
      a byte array containing the hash of the certificate
      Throws:
      CertificateEncodingException - if the certificate cannot be encoded
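      As an added example (not code from the Ignition SDK), the parseX509Certificates(File) contract and the thumbprint helpers above, reimplemented on the standard java.security.cert API: every regular file in the directory is parsed as DER or PEM, failures map to null, and each certificate gets a SHA-1 thumbprint over its encoded bytes. The class name CertDirExample, the default directory name "certs" and the colon-separated hex thumbprint format are this example's own choices, not the SDK's.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;

public final class CertDirExample {

    /** Parses every regular file in dir as one certificate; a null value marks a file that failed. */
    static Map<String, X509Certificate> parseCertificateDirectory(File dir) throws CertificateException {
        if (!dir.isDirectory()) throw new IllegalArgumentException(dir + " is not a directory");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Map<String, X509Certificate> result = new LinkedHashMap<>();
        File[] files = dir.listFiles(File::isFile);   // nested directories are not searched
        if (files == null) return result;
        for (File f : files) {
            // CertificateFactory accepts DER binary or PEM text bounded by
            // -----BEGIN CERTIFICATE----- / -----END CERTIFICATE-----
            try (InputStream in = Files.newInputStream(f.toPath())) {
                result.put(f.getName(), (X509Certificate) cf.generateCertificate(in));
            } catch (IOException | CertificateException e) {
                result.put(f.getName(), null);   // documented contract: null for unreadable or malformed files
            }
        }
        return result;
    }

    /** SHA-1 of the DER encoding as colon-separated hex; the separator format is this example's choice. */
    static String thumbprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(sb.length() > 0 ? ":" : "").append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        File dir = new File(args.length > 0 ? args[0] : "certs");   // hypothetical directory of .pem/.der files
        for (Map.Entry<String, X509Certificate> e : parseCertificateDirectory(dir).entrySet()) {
            X509Certificate c = e.getValue();
            System.out.println(e.getKey() + " -> "
                + (c == null ? "UNPARSEABLE" : thumbprint(c) + "  " + c.getSubjectX500Principal()));
        }
    }
}
```

      Because a null entry silently stands in for a broken file, callers that load trust material this way should treat any null in the returned map as an error rather than skipping it.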
    • sha256

      public static String sha256(String source)
      Performs a sha256 digest (a one-way hash, not encryption) of the provided String and returns a String representation of the digest. The String should be encoded as UTF-8.
      Parameters:
      source - the String to be hashed; if null the String "" will be used
      Returns:
      a String representation of the digest
    • sha256PasswordSalt

      public static String sha256PasswordSalt(@Nonnull String password)
      Returns a string containing the salted password.
      Parameters:
      password - the password to be salted, must not be null
      Returns:
      a String containing the salted password
    • sha256PasswordSaltVerify

      public static boolean sha256PasswordSaltVerify(String password, String hashedPass)
      Verifies a plaintext password against its salted hash, returning true if the password matches the salted version.
      Parameters:
      password - the plaintext (unsalted) password to check against the salted hash
      hashedPass - the salted password hash, must not be null
      Returns:
      true if the password matches the hashed password, confirming the identity; false if it does not match.
    • getDefaultTrustStore

      public static File getDefaultTrustStore()
      Returns the default trust store set using the 'javax.net.ssl.trustStore' property, or the ${JAVA_HOME}/lib/security/cacerts file.
    • getDefaultTrustStoreBackup

      public static File getDefaultTrustStoreBackup()
      Returns the default trust store set using the 'javax.net.ssl.trustStore' property with '.bak' appended, or the ${JAVA_HOME}/lib/security/cacerts.bak file.
    • certificateIsSelfSigned

      public static boolean certificateIsSelfSigned(X509Certificate cert) throws Exception
      Verifies that the given cert is signed with its own public key and that the subject and issuer are the same.
      Returns:
      true if a given X509Certificate is self-signed.
      Throws:
      Exception
    • certificateIsCa

      public static boolean certificateIsCa(X509Certificate certificate)

      Check if certificate's BasicConstraints and KeyUsage extensions indicate it is a CA.

      Following is the truth table for this method:

      Basic Constraints   Key Usage          Result
      Missing             Missing            true
      Missing             keyCertSign set    true
      Missing             keyCertSign unset  false
      CA flag set         Missing            true
      CA flag set         keyCertSign set    true
      CA flag set         keyCertSign unset  false
      CA flag unset       Missing            false
      CA flag unset       keyCertSign set    false
      CA flag unset       keyCertSign unset  false
      Parameters:
      certificate - the X509Certificate to check.
      Returns:
      true if certificate's BasicConstraints and KeyUsage extensions indicate it is a CA.
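      As an added example (not the SDK's implementation), the truth table above and the certificateIsSelfSigned contract written against the standard JCA X509Certificate API. The class name CaCheckExample and the helper isRootCaCandidate are this example's own; the extension OID and the keyCertSign bit index come from RFC 5280.

```java
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;

public final class CaCheckExample {

    private static final String BASIC_CONSTRAINTS_OID = "2.5.29.19";
    private static final int KEY_CERT_SIGN = 5;   // bit index in the KeyUsage BIT STRING (RFC 5280 4.2.1.3)

    /**
     * Implements the documented truth table. getBasicConstraints() returns -1 both when the
     * extension is absent and when its cA flag is false, so presence is checked separately
     * via getExtensionValue(); getKeyUsage() returns null when that extension is absent.
     */
    static boolean certificateIsCa(X509Certificate cert) {
        boolean bcPresent = cert.getExtensionValue(BASIC_CONSTRAINTS_OID) != null;
        boolean caFlagSet = cert.getBasicConstraints() != -1;
        boolean[] keyUsage = cert.getKeyUsage();
        boolean keyCertSign = keyUsage != null && keyUsage.length > KEY_CERT_SIGN && keyUsage[KEY_CERT_SIGN];

        if (bcPresent && !caFlagSet) return false;          // "CA flag unset" rows: always false
        if (keyUsage != null && !keyCertSign) return false; // "keyCertSign unset" rows: always false
        return true;                                         // remaining rows, including Missing/Missing
    }

    /** Self-signed: issuer equals subject and the signature verifies under the certificate's own key. */
    static boolean certificateIsSelfSigned(X509Certificate cert) {
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) return false;
        try {
            cert.verify(cert.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;   // signature does not verify under its own key, or the algorithm is unsupported
        }
    }

    /** A trust-anchor candidate is both self-signed and CA-capable; hypothetical helper for callers. */
    static boolean isRootCaCandidate(X509Certificate cert) {
        return certificateIsSelfSigned(cert) && certificateIsCa(cert);
    }
}
```

      Note the first row of the table: a certificate carrying neither extension (for example an X.509 v1 certificate) is reported as a CA, so this check alone does not decide trust and should be combined with path validation against the configured trust store.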