com.inductiveautomation.ignition.common.util

Class SecurityUtils

java.lang.Object

com.inductiveautomation.ignition.common.util.SecurityUtils

public class SecurityUtils
extends java.lang.Object

Constructor Summary

Constructors

Constructor and Description
SecurityUtils()

Method Summary

Modifier and Type	Method and Description
static byte[]	asymmetricSign(java.security.interfaces.RSAPrivateKey key, byte[] source, int offset, int length) Takes an RSAPrivateKey, byte array to be signed, an offset, and length to sign asymmetrically using SHA1 and returns a byte array containing the signature.
static boolean	asymmetricVerify(java.security.interfaces.RSAPublicKey key, byte[] source, int offset, int length, byte[] signature, int sigOff, int sigLen) Verifies that the signature is valid based on the provided key and returns true if the it is valid, false if it is not.
static java.lang.String	certificateThumbprintToString(byte[] buf) Takes a sha1 digest byte array and returns a formatted string hash of the encoded bytes for comparison purposes.
static byte[]	decryptDESede(byte[] toDecrypt, byte[] keyBytes) Performs symmetric decryption using DESede.
static byte[]	decryptRSA(byte[] source, java.security.Key key) Decrypts a byte array and RSA encrypted data using the supplied key.
static byte[]	encryptDESede(byte[] toEncrypt, byte[] keyBytes) Performs symmetric encryption using DESede.
static byte[]	generateDESedKey() Generates a DESede Key
static java.lang.String	getCertificateThumbprint(java.security.cert.X509Certificate certificate) Returns a to-stringed hash of the certificate encoded bytes.
static byte[]	getCertificateThumbprintBytes(java.security.cert.X509Certificate certificate) Returns a hash of the certificate encoded bytes.
static org.bouncycastle.crypto.params.RSAKeyParameters	getKeyParameter(java.security.interfaces.RSAKey key) Returns a parameter object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher.
static org.bouncycastle.crypto.params.RSAKeyParameters	getPrivateKeyParameter(java.security.interfaces.RSAPrivateKey key) Returns a RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher when given an RSAPrivateKey.
static org.bouncycastle.crypto.params.RSAKeyParameters	getPublicKeyParameter(java.security.interfaces.RSAPublicKey key) Returns an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher when given an RSAPublicKey.
static byte[]	md5(java.io.File file) Performs an md5 digest of a provided file and returns a byte array of the digest.
static byte[]	md5(java.io.InputStream stream) Performs an md5 digest of a provided InputStream and returns a byte array of the digest.
static java.security.cert.X509Certificate	parseX509Certificate(byte[] input) Generates an X509Certificate object and initializes it with the data read from the byte array input.
static java.util.List<java.security.cert.X509Certificate>	parseX509Certificates(byte[] input) Generates a List of X509Certificate objects and initializes them with the data read from the byte array input.
static java.util.List<java.security.cert.X509Certificate>	parseX509Certificates(java.io.InputStream inputStream) Generates a List of X509Certificate objects and initializes them with the data read from the InputStream inputStream.
static byte[]	sha1(byte[] input) Performs a sha1 digest on the given input array, returning the digest as a byte array.
static java.lang.String	sha1String(java.lang.String input) Performs a sha1 digest on the input string encoded as UTF-8, returns the digest as Base64-ed bytes.
static java.lang.String	sha256(java.lang.String source) Performs a sha256 encryption on the provided String and returns a String representation of the encrypted data.
static java.lang.String	sha256PasswordSalt(java.lang.String password) Returns a string containing the salted password
static boolean	sha256PasswordSaltVerify(java.lang.String password, java.lang.String hashedPass) Verifies the salted password by comparing with the unsalted password and returning true if the password matches the salted version.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SecurityUtils

public SecurityUtils()

Method Detail

getKeyParameter

public static org.bouncycastle.crypto.params.RSAKeyParameters getKeyParameter(java.security.interfaces.RSAKey key)

Returns a parameter object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher. Either an RSAPublicKey or RSAPrivateKey can be passed and the subsequent RSAKeyParameters will be returned.

Parameters:

key - an RSAKey of type RSAPublicKey or RSAPrivateKey, must not be null

Returns:

an RSAKeyParameters object suitable for initializing a public or private Bouncy Castle RSAEngine asymmetric block cipher based on the type of RSAKey provided

Throws:

java.lang.ClassCastException - if the key is not an RSAPublicKey or RSAPrivateKey

getPublicKeyParameter

public static org.bouncycastle.crypto.params.RSAKeyParameters getPublicKeyParameter(java.security.interfaces.RSAPublicKey key)

Returns an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher when given an RSAPublicKey.

Parameters:

key - an RSAPublicKey object, must not be null

Returns:

an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher

getPrivateKeyParameter

public static org.bouncycastle.crypto.params.RSAKeyParameters getPrivateKeyParameter(java.security.interfaces.RSAPrivateKey key)

Returns a RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher when given an RSAPrivateKey. If the passed key is an RSAPrivateCrtKey it will return an RSAPrivateCrtKeyParameter.

Parameters:

key - an RSAPrivateKey object, must not be null

Returns:

an RSAKeyParameter object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher. If the passed key is an RSAPrivateCrtKey it will return an RSAPrivateCrtKeyParameter

sha1

public static byte[] sha1(byte[] input)

Performs a sha1 digest on the given input array, returning the digest as a byte array.

Parameters:

input - a byte array of the input needing the digest, must not be null

Returns:

a byte array of the SHA1 digest

sha1String

public static java.lang.String sha1String(java.lang.String input)

Performs a sha1 digest on the input string encoded as UTF-8, returns the digest as Base64-ed bytes.

Parameters:

input - a UTF-8 encoded String, must not be null

Returns:

the digest in a String of Base64 Encoded bytes

Throws:

java.lang.RuntimeException - if the passed String cannot be encoded due to String format issues

md5

public static byte[] md5(java.io.File file)
                  throws java.io.IOException

Performs an md5 digest of a provided file and returns a byte array of the digest.

Parameters:

file - File needed to be digested, must not be null

Returns:

an md5 digest in a byte array

Throws:

java.io.IOException - if the File cannot be accessed or found

md5

public static byte[] md5(java.io.InputStream stream)
                  throws java.io.IOException

Performs an md5 digest of a provided InputStream and returns a byte array of the digest.

Parameters:

stream - the InputStream that needs to be digested, must not be null

Returns:

the digest in a byte array

Throws:

java.io.IOException - if the InputStream cannot be accessed

parseX509Certificate

public static java.security.cert.X509Certificate parseX509Certificate(byte[] input)
                                                               throws java.security.cert.CertificateException

Generates an X509Certificate object and initializes it with the data read from the byte array input. The certificate provided in the byte array containing DER encoded binary or PEM encoded ASCII. If the certificate is provided in Base64 encoding, it must be bounded at the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at the end by -----END CERTIFICATE-----.

Parameters:

input - a byte array containing DER encoded binary or PEM encoded ASCII, must not be null and must be properly formed

Returns:

an X509Certificate

Throws:

java.security.cert.CertificateException - If the data in the byte array does not contain an inherent end-of-certificate marker (other than EOF) and there is trailing data after the certificate is parsed, a CertificateException is thrown.

parseX509Certificates

public static java.util.List<java.security.cert.X509Certificate> parseX509Certificates(byte[] input)
                                                                                throws java.security.cert.CertificateException

Generates a List of X509Certificate objects and initializes them with the data read from the byte array input. The certificate provided in the byte array containing DER encoded binary or PEM encoded ASCII. If the certificate is provided in Base64 encoding, it must be bounded at the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at the end by -----END CERTIFICATE-----.

Parameters:

input - a byte array containing DER encoded binary or PEM encoded ASCII, must not be null and must be properly formed

Returns:

a List of X509Certificate objects

Throws:

java.security.cert.CertificateException - If the data in the byte array does not contain an inherent end-of-certificate marker (other than EOF) and there is trailing data after the certificate is parsed, a CertificateException is thrown.

parseX509Certificates

public static java.util.List<java.security.cert.X509Certificate> parseX509Certificates(java.io.InputStream inputStream)
                                                                                throws java.security.cert.CertificateException

Generates a List of X509Certificate objects and initializes them with the data read from the InputStream inputStream. the certificate provided in the byte array containing DER encoded binary or PEM encoded ASCII. If the certificate is provided in Base64 encoding, it must be bounded at the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at the end by -----END CERTIFICATE-----.

Parameters:

inputStream - an InputStream containing DER encoded binary or PEM encoded ASCII, must not be null and must be properly formed

Returns:

a List of X509Certificate objects

Throws:

java.security.cert.CertificateException - If the data in the stream does not contain an inherent end-of-certificate marker (other than EOF) and there is trailing data after the certificate is parsed, a CertificateException is thrown.

asymmetricSign

public static byte[] asymmetricSign(java.security.interfaces.RSAPrivateKey key,
                                    byte[] source,
                                    int offset,
                                    int length)
                             throws java.lang.Exception

Takes an RSAPrivateKey, byte array to be signed, an offset, and length to sign asymmetrically using SHA1 and returns a byte array containing the signature.

Parameters:

key - an RSAPrivateKey that will be used to sign the byte array, must not be null

source - the byte array used to generate the signature, must not be null

offset - the specified offset, must not be null

length - the specified length, must not be null

Returns:

a byte array containing the signature

Throws:

java.lang.Exception - if unable to generate a signature

asymmetricVerify

public static boolean asymmetricVerify(java.security.interfaces.RSAPublicKey key,
                                       byte[] source,
                                       int offset,
                                       int length,
                                       byte[] signature,
                                       int sigOff,
                                       int sigLen)

Verifies that the signature is valid based on the provided key and returns true if the it is valid, false if it is not.

Parameters:

key - an used to verify the signature, must not be null

source - a byte array of the source data, must not be null

offset - the offset of the source data, must not be null

length - the length of the source data, must not be null

signature - a byte array of the signature, must not be null

sigOff - the signatures offset, must not be null

sigLen - the signature length, must not be null

Returns:

true if the signature can be verified against the provided data, false if it cannot

decryptRSA

public static byte[] decryptRSA(byte[] source,
                                java.security.Key key)
                         throws java.lang.Exception

Decrypts a byte array and RSA encrypted data using the supplied key. Note: Does not perform any data validation.

Parameters:

source - a byte array containing the data to decrypt, must not be null

key - the Key to use for decryption, must not be null

Returns:

a byte array containing the decrypted data, must not be null

Throws:

java.lang.Exception - if the Key is invalid, the block size is incorrect, or the padding is bad

encryptDESede

public static byte[] encryptDESede(byte[] toEncrypt,
                                   byte[] keyBytes)
                            throws java.lang.Exception

Performs symmetric encryption using DESede. Uses ECB mode and PKCS5 padding.

Parameters:

toEncrypt - A byte array to encrypt. Must not be null

keyBytes - The key to use. must be 24 bytes long

Returns:

a byte array containing the encrypted data

Throws:

java.lang.Exception - if the key is invalid, the block size is incorrect, or the padding is bad

decryptDESede

public static byte[] decryptDESede(byte[] toDecrypt,
                                   byte[] keyBytes)
                            throws java.lang.Exception

Performs symmetric decryption using DESede. Uses ECB mode and PKCS5 padding.

Parameters:

toDecrypt - a byte[] to decrypt. Must not be null

keyBytes - The key to use. must be 24 bytes long

Returns:

a byte array containing the decrypted data

Throws:

java.lang.Exception - if the key is invalid, the block size is incorrect, or the padding is bad

generateDESedKey

public static byte[] generateDESedKey()
                               throws java.lang.Exception

Generates a DESede Key

Returns:

a byte array containing the DESede key

Throws:

java.lang.Exception - if key generation fails

getCertificateThumbprint

public static java.lang.String getCertificateThumbprint(java.security.cert.X509Certificate certificate)
                                                 throws java.lang.Exception

Returns a to-stringed hash of the certificate encoded bytes. Each certificate's hash is unique, and so certificates can be compared using their hashes to check equality.

Parameters:

certificate - the X509Certificate whose thumbprint is needed, must not be null

Returns:

a stringed hash of the certificate

Throws:

java.lang.Exception - if the certificate is invalid or the String cannot be built

certificateThumbprintToString

public static java.lang.String certificateThumbprintToString(byte[] buf)
                                                      throws java.lang.Exception

Takes a sha1 digest byte array and returns a formatted string hash of the encoded bytes for comparison purposes.

Parameters:

buf - a byte array containing a sha1 digest, must not be null

Returns:

a Stringed hash of the byte array. If buf is null, "[ ]=null" will be returned.

Throws:

java.lang.Exception - if the byte array cannot be formatted

getCertificateThumbprintBytes

public static byte[] getCertificateThumbprintBytes(java.security.cert.X509Certificate certificate)
                                            throws java.security.cert.CertificateEncodingException

Returns a hash of the certificate encoded bytes. Each certificate's hash is unique, and so certificates can be compared using their hashes to check equality.

Parameters:

certificate - the X509Certificate to be hashed, must not be null

Returns:

a byte array containing the hash of the certificate

Throws:

java.security.cert.CertificateEncodingException - if the certificate cannot be encoded

sha256

public static java.lang.String sha256(java.lang.String source)

Performs a sha256 encryption on the provided String and returns a String representation of the encrypted data. The String should be encoded as UTF-8.

Parameters:

source - the String to be encrypted, if null the String "" will be used

Returns:

a String of encrypted data

sha256PasswordSalt

public static java.lang.String sha256PasswordSalt(java.lang.String password)

Returns a string containing the salted password

Parameters:

password - the password to be salted, must not be null

Returns:

a String containing the salted password

sha256PasswordSaltVerify

public static boolean sha256PasswordSaltVerify(java.lang.String password,
                                               java.lang.String hashedPass)

Verifies the salted password by comparing with the unsalted password and returning true if the password matches the salted version.

Parameters:

password - the unsalted password to compare against the salted password

hashedPass - the salted password, must not be null

Returns:

true if the password matches the hashed password thus confirming the identity and false if the password does not match.