Class SecurityUtils


  • public class SecurityUtils
    extends java.lang.Object
    • Method Summary

      Modifier and Type Method Description
      static byte[] asymmetricSign​(java.security.interfaces.RSAPrivateKey key, byte[] source, int offset, int length)
      Signs length bytes of source, starting at offset, with the RSAPrivateKey using a SHA1 digest and returns a byte array containing the signature.
      static boolean asymmetricVerify​(java.security.interfaces.RSAPublicKey key, byte[] source, int offset, int length, byte[] signature, int sigOff, int sigLen)
      Verifies the signature against the provided key and data and returns true if it is valid, false if it is not.
      static java.lang.String certificateThumbprintToString​(byte[] buf)
      Takes a sha1 digest byte array and returns a formatted string of the digest bytes for comparison purposes.
      static byte[] decryptDESede​(byte[] toDecrypt, byte[] keyBytes)
      Performs symmetric decryption using DESede.
      static byte[] decryptRSA​(byte[] source, java.security.Key key)
      Decrypts a byte array of RSA encrypted data using the supplied key.
      static byte[] encryptDESede​(byte[] toEncrypt, byte[] keyBytes)
      Performs symmetric encryption using DESede.
      static byte[] generateDESedKey()
      Generates a DESede key.
      static java.lang.String getCertificateThumbprint​(java.security.cert.X509Certificate certificate)
      Returns a string-formatted hash of the certificate's encoded bytes.
      static byte[] getCertificateThumbprintBytes​(java.security.cert.X509Certificate certificate)
      Returns a hash of the certificate's encoded bytes.
      static java.io.File getDefaultTrustStore()
      Grabs the default trust store set using the 'javax.net.ssl.trustStore' property or the ${JAVA_HOME}/lib/security/cacerts file.
      static java.io.File getDefaultTrustStoreBackup()
      Grabs the default trust store set using the 'javax.net.ssl.trustStore' property with '.bak' appended or the ${JAVA_HOME}/lib/security/cacerts.bak file.
      static org.python.bouncycastle.crypto.params.RSAKeyParameters getKeyParameter​(java.security.interfaces.RSAKey key)
      Returns a parameter object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher.
      static org.python.bouncycastle.crypto.params.RSAKeyParameters getPrivateKeyParameter​(java.security.interfaces.RSAPrivateKey key)
      Returns an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher when given an RSAPrivateKey.
      static org.python.bouncycastle.crypto.params.RSAKeyParameters getPublicKeyParameter​(java.security.interfaces.RSAPublicKey key)
      Returns an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher when given an RSAPublicKey.
      static byte[] md5​(java.io.File file)
      Performs an md5 digest of a provided file and returns a byte array of the digest.
      static byte[] md5​(java.io.InputStream stream)
      Performs an md5 digest of a provided InputStream and returns a byte array of the digest.
      static java.util.List<java.security.cert.X509Certificate> parseX509Certificates​(byte[] input)
      Generates a List of X509Certificate objects and initializes them with the data read from the byte array input.
      static java.util.Map<java.lang.String,​java.security.cert.X509Certificate> parseX509Certificates​(java.io.File certificateDirectory)
      Generates a Map of filenames and X509Certificate objects and initializes them with the data read from the FileInputStream inputStreams of each file in the supplied directory.
      static java.util.List<java.security.cert.X509Certificate> parseX509Certificates​(java.io.InputStream inputStream)
      Generates a List of X509Certificate objects and initializes them with the data read from the InputStream inputStream.
      static byte[] sha1​(byte[] input)
      Performs a sha1 digest on the given input array, returning the digest as a byte array.
      static java.lang.String sha1String​(java.lang.String input)
      Performs a sha1 digest on the input string encoded as UTF-8, returns the digest as Base64-ed bytes.
      static java.lang.String sha256​(java.lang.String source)
      Performs a sha256 digest of the provided String and returns a String representation of the digest.
      static java.lang.String sha256PasswordSalt​(java.lang.String password)
      Returns a string containing the salted password
      static boolean sha256PasswordSaltVerify​(java.lang.String password, java.lang.String hashedPass)
      Verifies the plaintext password against the salted hash, returning true if the password matches.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Method Detail

      • getKeyParameter

        public static org.python.bouncycastle.crypto.params.RSAKeyParameters getKeyParameter​(java.security.interfaces.RSAKey key)
        Returns a parameter object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher. Either an RSAPublicKey or RSAPrivateKey can be passed and the subsequent RSAKeyParameters will be returned.
        Parameters:
        key - an RSAKey of type RSAPublicKey or RSAPrivateKey, must not be null
        Returns:
        an RSAKeyParameters object suitable for initializing a public or private Bouncy Castle RSAEngine asymmetric block cipher based on the type of RSAKey provided
        Throws:
        java.lang.ClassCastException - if the key is not an RSAPublicKey or RSAPrivateKey
      • getPublicKeyParameter

        public static org.python.bouncycastle.crypto.params.RSAKeyParameters getPublicKeyParameter​(java.security.interfaces.RSAPublicKey key)
        Returns an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher when given an RSAPublicKey.
        Parameters:
        key - an RSAPublicKey object, must not be null
        Returns:
        an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher
      • getPrivateKeyParameter

        public static org.python.bouncycastle.crypto.params.RSAKeyParameters getPrivateKeyParameter​(java.security.interfaces.RSAPrivateKey key)
        Returns an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher when given an RSAPrivateKey. If the passed key is an RSAPrivateCrtKey, an RSAPrivateCrtKeyParameters object is returned.
        Parameters:
        key - an RSAPrivateKey object, must not be null
        Returns:
        an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher. If the passed key is an RSAPrivateCrtKey, an RSAPrivateCrtKeyParameters object is returned
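        As an added example (not code from this class or project), the same JCA-to-Bouncy-Castle dispatch that getKeyParameter describes, with the resulting parameters driving an OAEP-wrapped RSAEngine round trip. It assumes plain org.bouncycastle imports; this project ships the library shaded under org.python.bouncycastle, so the package prefix differs there.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;

// Assumption: unshaded Bouncy Castle. In this project the same classes live under org.python.bouncycastle.*.
import org.bouncycastle.crypto.AsymmetricBlockCipher;
import org.bouncycastle.crypto.encodings.OAEPEncoding;
import org.bouncycastle.crypto.engines.RSAEngine;
import org.bouncycastle.crypto.params.RSAKeyParameters;
import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters;

public class RsaKeyParameterExample {

    /** Same contract as getKeyParameter(RSAKey): dispatch on the concrete JCA key type. */
    static RSAKeyParameters toBcParameters(RSAKey key) {
        if (key instanceof RSAPrivateCrtKey) {
            RSAPrivateCrtKey k = (RSAPrivateCrtKey) key;
            // CRT form lets RSAEngine use the faster p/q path instead of one big modular exponentiation.
            return new RSAPrivateCrtKeyParameters(k.getModulus(), k.getPublicExponent(), k.getPrivateExponent(),
                    k.getPrimeP(), k.getPrimeQ(), k.getPrimeExponentP(), k.getPrimeExponentQ(), k.getCrtCoefficient());
        }
        if (key instanceof RSAPrivateKey) {
            RSAPrivateKey k = (RSAPrivateKey) key;
            return new RSAKeyParameters(true, k.getModulus(), k.getPrivateExponent());
        }
        if (key instanceof RSAPublicKey) {
            RSAPublicKey k = (RSAPublicKey) key;
            return new RSAKeyParameters(false, k.getModulus(), k.getPublicExponent());
        }
        throw new ClassCastException("not an RSAPublicKey or RSAPrivateKey: " + key.getClass());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        // A bare RSAEngine is textbook RSA; always wrap it in a padding scheme (OAEP here) for real data.
        byte[] message = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);

        AsymmetricBlockCipher enc = new OAEPEncoding(new RSAEngine());
        enc.init(true, toBcParameters((RSAKey) pair.getPublic()));
        byte[] ciphertext = enc.processBlock(message, 0, message.length);

        AsymmetricBlockCipher dec = new OAEPEncoding(new RSAEngine());
        dec.init(false, toBcParameters((RSAKey) pair.getPrivate()));
        byte[] recovered = dec.processBlock(ciphertext, 0, ciphertext.length);

        System.out.println("CRT key used:  " + (pair.getPrivate() instanceof RSAPrivateCrtKey));
        System.out.println("round trip ok: " + Arrays.equals(message, recovered));
    }
}
```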
      • sha1

        public static byte[] sha1​(byte[] input)
        Performs a sha1 digest on the given input array, returning the digest as a byte array.
        Parameters:
        input - a byte array of the input needing the digest, must not be null
        Returns:
        a byte array of the SHA1 digest
      • sha1String

        public static java.lang.String sha1String​(java.lang.String input)
        Performs a sha1 digest on the input string encoded as UTF-8, returns the digest as Base64-ed bytes.
        Parameters:
        input - a UTF-8 encoded String, must not be null
        Returns:
        the digest in a String of Base64 Encoded bytes
        Throws:
        java.lang.RuntimeException - if the passed String cannot be encoded due to String format issues
      • md5

        public static byte[] md5​(java.io.File file)
                          throws java.io.IOException
        Performs an md5 digest of a provided file and returns a byte array of the digest.
        Parameters:
        file - File needed to be digested, must not be null
        Returns:
        an md5 digest in a byte array
        Throws:
        java.io.IOException - if the File cannot be accessed or found
      • md5

        public static byte[] md5​(java.io.InputStream stream)
                          throws java.io.IOException
        Performs an md5 digest of a provided InputStream and returns a byte array of the digest.
        Parameters:
        stream - the InputStream that needs to be digested, must not be null
        Returns:
        the digest in a byte array
        Throws:
        java.io.IOException - if the InputStream cannot be accessed
      • parseX509Certificates

        public static java.util.List<java.security.cert.X509Certificate> parseX509Certificates​(byte[] input)
                                                                                        throws java.security.cert.CertificateException
        Generates a List of X509Certificate objects and initializes them with the data read from the byte array input. The byte array may contain DER encoded binary or PEM encoded ASCII. If the certificate is provided in Base64 encoding, it must be bounded at the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at the end by -----END CERTIFICATE-----.
        Parameters:
        input - a byte array containing DER encoded binary or PEM encoded ASCII, must not be null and must be properly formed
        Returns:
        a List of X509Certificate objects
        Throws:
        java.security.cert.CertificateException - If the data in the byte array does not contain an inherent end-of-certificate marker (other than EOF) and there is trailing data after the certificate is parsed, a CertificateException is thrown.
      • parseX509Certificates

        public static java.util.List<java.security.cert.X509Certificate> parseX509Certificates​(java.io.InputStream inputStream)
                                                                                        throws java.security.cert.CertificateException
        Generates a List of X509Certificate objects and initializes them with the data read from the InputStream inputStream. The stream may contain DER encoded binary or PEM encoded ASCII. If the certificate is provided in Base64 encoding, it must be bounded at the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at the end by -----END CERTIFICATE-----.
        Parameters:
        inputStream - an InputStream containing DER encoded binary or PEM encoded ASCII, must not be null and must be properly formed
        Returns:
        a List of X509Certificate objects
        Throws:
        java.security.cert.CertificateException - If the data in the stream does not contain an inherent end-of-certificate marker (other than EOF) and there is trailing data after the certificate is parsed, a CertificateException is thrown.
      • parseX509Certificates

        public static java.util.Map<java.lang.String,​java.security.cert.X509Certificate> parseX509Certificates​(java.io.File certificateDirectory)
        Generates a Map of filenames to X509Certificate objects, initializing each from a FileInputStream over the corresponding file in the supplied directory. Nested directories are not searched. Each file may contain DER encoded binary or PEM encoded ASCII. If the certificate is provided in Base64 encoding, it must be bounded at the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at the end by -----END CERTIFICATE-----.
        Parameters:
        certificateDirectory - a File containing DER encoded binary or PEM encoded ASCII certificate files, must not be null and must be a directory.
        Returns:
        a Map of filenames to X509Certificate objects. If an IOException or CertificateException is thrown while reading a file, null will be returned for that file's certificate in the map.
      • asymmetricSign

        public static byte[] asymmetricSign​(java.security.interfaces.RSAPrivateKey key,
                                            byte[] source,
                                            int offset,
                                            int length)
                                     throws java.lang.Exception
        Signs length bytes of source, starting at offset, with the RSAPrivateKey using a SHA1 digest and returns a byte array containing the signature.
        Parameters:
        key - an RSAPrivateKey that will be used to sign the byte array, must not be null
        source - the byte array used to generate the signature, must not be null
        offset - the offset into source at which the data to sign begins
        length - the number of bytes of source to sign
        Returns:
        a byte array containing the signature
        Throws:
        java.lang.Exception - if unable to generate a signature
      • asymmetricVerify

        public static boolean asymmetricVerify​(java.security.interfaces.RSAPublicKey key,
                                               byte[] source,
                                               int offset,
                                               int length,
                                               byte[] signature,
                                               int sigOff,
                                               int sigLen)
        Verifies that the signature is valid for the provided data and key and returns true if it is valid, false if it is not.
        Parameters:
        key - the RSAPublicKey used to verify the signature, must not be null
        source - a byte array of the source data, must not be null
        offset - the offset into source at which the signed data begins
        length - the number of bytes of source that were signed
        signature - a byte array containing the signature, must not be null
        sigOff - the offset of the signature within the signature array
        sigLen - the length of the signature in bytes
        Returns:
        true if the signature can be verified against the provided data, false if it cannot
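        An added example, not the class's own code, showing the same offset/length and sigOff/sigLen contract with the JDK Signature API ("SHA1withRSA" is assumed here as the JDK name for SHA1-over-RSA). It also shows the practical consequence of the range: bytes outside offset..offset+length, here a constructed record header, are not protected by the signature.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

public class OffsetSignatureExample {

    // Mirrors asymmetricSign(key, source, offset, length): only source[offset .. offset+length) is digested.
    static byte[] sign(RSAPrivateKey key, byte[] source, int offset, int length) throws Exception {
        Signature s = Signature.getInstance("SHA1withRSA");  // SHA1 digest, RSA PKCS#1 v1.5 signature
        s.initSign(key);
        s.update(source, offset, length);
        return s.sign();
    }

    // Mirrors asymmetricVerify(...): the signature may itself sit inside a larger buffer.
    static boolean verify(RSAPublicKey key, byte[] source, int offset, int length,
                          byte[] signature, int sigOff, int sigLen) throws Exception {
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initVerify(key);
        s.update(source, offset, length);
        return s.verify(signature, sigOff, sigLen);  // false on mismatch; SignatureException if malformed
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();
        RSAPrivateKey priv = (RSAPrivateKey) pair.getPrivate();
        RSAPublicKey pub = (RSAPublicKey) pair.getPublic();

        // Constructed record: a 4-byte header followed by the payload; only the payload is signed.
        byte[] header = {0x01, 0x00, 0x00, 0x2a};
        byte[] payload = "order=42;amount=100".getBytes(StandardCharsets.UTF_8);
        byte[] record = new byte[header.length + payload.length];
        System.arraycopy(header, 0, record, 0, header.length);
        System.arraycopy(payload, 0, record, header.length, payload.length);

        byte[] sig = sign(priv, record, header.length, payload.length);

        // Genuine check: same offset and length as at signing time.
        System.out.println("payload verifies:        " + verify(pub, record, header.length, payload.length, sig, 0, sig.length));

        // The header lies outside the signed range, so a changed header is NOT detected (prints false).
        record[0] = 0x02;
        System.out.println("header change detected:  " + !verify(pub, record, header.length, payload.length, sig, 0, sig.length));

        // Any change inside the signed range is detected (prints true).
        record[header.length] ^= 0x01;
        System.out.println("payload change detected: " + !verify(pub, record, header.length, payload.length, sig, 0, sig.length));
    }
}
```

        The lesson for callers of asymmetricSign is to cover every byte whose integrity matters with the offset/length range, or sign the whole buffer.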
      • decryptRSA

        public static byte[] decryptRSA​(byte[] source,
                                        java.security.Key key)
                                 throws java.lang.Exception
        Decrypts a byte array and RSA encrypted data using the supplied key. Note: Does not perform any data validation.
        Parameters:
        source - a byte array containing the data to decrypt, must not be null
        key - the Key to use for decryption, must not be null
        Returns:
        a byte array containing the decrypted data
        Throws:
        java.lang.Exception - if the Key is invalid, the block size is incorrect, or the padding is bad
      • encryptDESede

        public static byte[] encryptDESede​(byte[] toEncrypt,
                                           byte[] keyBytes)
                                    throws java.lang.Exception
        Performs symmetric encryption using DESede. Uses ECB mode and PKCS5 padding.
        Parameters:
        toEncrypt - a byte array to encrypt, must not be null
        keyBytes - the key to use, must be 24 bytes long
        Returns:
        a byte array containing the encrypted data
        Throws:
        java.lang.Exception - if the key is invalid, the block size is incorrect, or the padding is bad
      • decryptDESede

        public static byte[] decryptDESede​(byte[] toDecrypt,
                                           byte[] keyBytes)
                                    throws java.lang.Exception
        Performs symmetric decryption using DESede. Uses ECB mode and PKCS5 padding.
        Parameters:
        toDecrypt - a byte array to decrypt, must not be null
        keyBytes - the key to use, must be 24 bytes long
        Returns:
        a byte array containing the decrypted data
        Throws:
        java.lang.Exception - if the key is invalid, the block size is incorrect, or the padding is bad
      • generateDESedKey

        public static byte[] generateDESedKey()
                                       throws java.lang.Exception
        Generates a DESede key.
        Returns:
        a byte array containing the DESede key
        Throws:
        java.lang.Exception - if key generation fails
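        An added illustration (not the project's code) of what "ECB mode and PKCS5 padding" means for encryptDESede/decryptDESede and of the 24-byte key generateDESedKey returns: the same DESede key is used in ECB and in CBC with a random IV, and repeated ciphertext blocks are counted. It uses only javax.crypto, not this class.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class DesedeModeExample {
    /** 24-byte (3-key) DESede key, matching the 'must be 24 bytes long' contract above. */
    static byte[] generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("DESede");
        kg.init(168);  // JCA counts 168 key bits; the encoded key is 24 bytes including parity bits
        return kg.generateKey().getEncoded();
    }

    /** The documented mode of encryptDESede: ECB, PKCS5 padding, no IV. */
    static byte[] encryptEcb(byte[] plaintext, byte[] keyBytes) throws Exception {
        Cipher c = Cipher.getInstance("DESede/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "DESede"));
        return c.doFinal(plaintext);
    }

    /** Same algorithm and key, but CBC with a fresh random IV; the IV is prepended so a decryptor can recover it. */
    static byte[] encryptCbc(byte[] plaintext, byte[] keyBytes) throws Exception {
        byte[] iv = new byte[8];  // DESede block size is 8 bytes
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(keyBytes, "DESede"), new IvParameterSpec(iv));
        byte[] body = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + body.length);
        System.arraycopy(body, 0, out, iv.length, body.length);
        return out;
    }

    /** Counts 8-byte ciphertext blocks (from index skip onward) that equal an earlier block. */
    static int repeatedBlocks(byte[] ciphertext, int skip) {
        int repeats = 0;
        for (int i = skip; i + 8 <= ciphertext.length; i += 8) {
            for (int j = skip; j < i; j += 8) {
                if (Arrays.equals(Arrays.copyOfRange(ciphertext, i, i + 8), Arrays.copyOfRange(ciphertext, j, j + 8))) {
                    repeats++;
                    break;
                }
            }
        }
        return repeats;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = generateKey();
        byte[] plaintext = "ACCT0001ACCT0001ACCT0001ACCT0001".getBytes(StandardCharsets.UTF_8);  // constructed: one 8-byte field x4
        // ECB: equal plaintext blocks give equal ciphertext blocks, so structure leaks (expect 3; the 5th block is padding).
        System.out.println("ECB repeated blocks: " + repeatedBlocks(encryptEcb(plaintext, key), 0));
        // CBC with a random IV: no repeats (expect 0); skip the 8-byte IV prefix.
        System.out.println("CBC repeated blocks: " + repeatedBlocks(encryptCbc(plaintext, key), 8));
    }
}
```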
      • getCertificateThumbprint

        public static java.lang.String getCertificateThumbprint​(java.security.cert.X509Certificate certificate)
                                                         throws java.lang.Exception
        Returns a to-stringed hash of the certificate encoded bytes. Each certificate's hash is unique, and so certificates can be compared using their hashes to check equality.
        Parameters:
        certificate - the X509Certificate whose thumbprint is needed, must not be null
        Returns:
        a string-formatted hash of the certificate
        Throws:
        java.lang.Exception - if the certificate is invalid or the String cannot be built
      • certificateThumbprintToString

        public static java.lang.String certificateThumbprintToString​(byte[] buf)
                                                              throws java.lang.Exception
        Takes a sha1 digest byte array and returns a formatted string hash of the encoded bytes for comparison purposes.
        Parameters:
        buf - a byte array containing a sha1 digest, must not be null
        Returns:
        a string-formatted hash of the byte array. If buf is null, "[ ]=null" will be returned.
        Throws:
        java.lang.Exception - if the byte array cannot be formatted
      • getCertificateThumbprintBytes

        public static byte[] getCertificateThumbprintBytes​(java.security.cert.X509Certificate certificate)
                                                    throws java.security.cert.CertificateEncodingException
        Returns a hash of the certificate encoded bytes. Each certificate's hash is unique, and so certificates can be compared using their hashes to check equality.
        Parameters:
        certificate - the X509Certificate to be hashed, must not be null
        Returns:
        a byte array containing the hash of the certificate
        Throws:
        java.security.cert.CertificateEncodingException - if the certificate cannot be encoded
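        An added example, not the project's code, that uses the JDK's CertificateFactory and MessageDigest to do what parseX509Certificates and getCertificateThumbprintBytes/certificateThumbprintToString describe: parse a DER or PEM file (an assumed command-line argument), print SHA-1 and SHA-256 thumbprints, and compare thumbprints in constant time. CertificateFactory is what raises the trailing-data CertificateException mentioned above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class ThumbprintExample {

    /** Parses every certificate in a DER or PEM (-----BEGIN CERTIFICATE-----) stream, like parseX509Certificates(InputStream). */
    static List<X509Certificate> parse(InputStream in) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(in)) {  // CertificateException on trailing garbage
            out.add((X509Certificate) c);
        }
        return out;
    }

    /** Digest of the DER encoding: the "hash of the certificate encoded bytes" described above. */
    static byte[] thumbprint(X509Certificate cert, String algorithm) throws Exception {
        return MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
    }

    /** Colon-separated upper-case hex, the usual display form for comparison by eye ("AB:CD:..."). */
    static String toHex(byte[] digest) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Programmatic comparison: constant-time on the raw digest, not String.equals on the hex form. */
    static boolean matchesPin(X509Certificate cert, String algorithm, byte[] expected) throws Exception {
        return MessageDigest.isEqual(thumbprint(cert, algorithm), expected);
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ThumbprintExample <certificate-or-bundle-file>
        try (InputStream in = new FileInputStream(args[0])) {
            List<X509Certificate> certs = parse(in);
            for (X509Certificate cert : certs) {
                System.out.println(cert.getSubjectX500Principal().getName());
                System.out.println("  SHA-1:   " + toHex(thumbprint(cert, "SHA-1")));
                System.out.println("  SHA-256: " + toHex(thumbprint(cert, "SHA-256")));
            }
            // Two certificates with equal thumbprints have identical encoded bytes.
            if (certs.size() > 1) {
                System.out.println("first two identical: "
                        + matchesPin(certs.get(0), "SHA-256", thumbprint(certs.get(1), "SHA-256")));
            }
        }
    }
}
```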
      • sha256

        public static java.lang.String sha256​(java.lang.String source)
        Performs a sha256 digest of the provided String and returns a String representation of the digest. The String should be encoded as UTF-8.
        Parameters:
        source - the String to be digested; if null, the empty String "" will be used
        Returns:
        a String representation of the sha256 digest
      • sha256PasswordSalt

        public static java.lang.String sha256PasswordSalt​(@Nonnull
                                                          java.lang.String password)
        Returns a string containing the salted password
        Parameters:
        password - the password to be salted, must not be null
        Returns:
        a String containing the salted password
      • sha256PasswordSaltVerify

        public static boolean sha256PasswordSaltVerify​(java.lang.String password,
                                                       java.lang.String hashedPass)
        Verifies the plaintext password against the salted hash, returning true if the password matches.
        Parameters:
        password - the plaintext (unsalted) password to check against the salted hash
        hashedPass - the salted password hash, must not be null
        Returns:
        true if the password matches the hashed password, false if it does not
      • getDefaultTrustStore

        public static java.io.File getDefaultTrustStore()
        Grabs the default trust store set using the 'javax.net.ssl.trustStore' property or the ${JAVA_HOME}/lib/security/cacerts file.
      • getDefaultTrustStoreBackup

        public static java.io.File getDefaultTrustStoreBackup()
        Grabs the default trust store set using the 'javax.net.ssl.trustStore' property with '.bak' appended or the ${JAVA_HOME}/lib/security/cacerts.bak file.