Package com.inductiveautomation.ignition.common.util

Class SecurityUtils

java.lang.Object
com.inductiveautomation.ignition.common.util.SecurityUtils
public class SecurityUtils extends Object

  • Method Summary

    Modifier and Type
    Method
    Description
    static byte[]
    asymmetricSign(RSAPrivateKey key, byte[] source, int offset, int length)
    Takes an RSAPrivateKey, byte array to be signed, an offset, and length to sign asymmetrically using SHA1 and returns a byte array containing the signature.
    static boolean
    asymmetricVerify(RSAPublicKey key, byte[] source, int offset, int length, byte[] signature, int sigOff, int sigLen)
    Verifies that the signature is valid based on the provided key and returns true if the it is valid, false if it is not.
    static boolean
    certificateIsCa(X509Certificate certificate)
    Check if certificate's BasicConstraints and KeyUsage extensions indicate it is a CA.
    static boolean
    certificateIsSelfSigned(X509Certificate cert)
    Verifies that the given cert is signed with its own public key and that the subject and issuer are the same.
    static String
    certificateThumbprintToString(byte[] buf)
    Takes a sha1 digest byte array and returns a formatted string hash of the encoded bytes for comparison purposes.
    static byte[]
    decryptDESede(byte[] toDecrypt, byte[] keyBytes)
    Performs symmetric decryption using DESede.
    static byte[]
    decryptRSA(byte[] source, Key key)
    Decrypts a byte array and RSA encrypted data using the supplied key.
    static byte[]
    encryptDESede(byte[] toEncrypt, byte[] keyBytes)
    Performs symmetric encryption using DESede.
    static byte[]
    generateDESedKey()
    Generates a DESede Key
    static String
    getCertificateThumbprint(X509Certificate certificate)
    Returns a to-stringed hash of the certificate encoded bytes.
    static byte[]
    getCertificateThumbprintBytes(X509Certificate certificate)
    Returns a hash of the certificate encoded bytes.
    static File
    getDefaultTrustStore()
    Grabs the default trust store set on using the 'javax.net.ssl.trustStore' property or the ${JAVA_HOME}/lib /security/cacerts file.
    static File
    getDefaultTrustStoreBackup()
    Grabs the default trust store set on using the 'javax.net.ssl.trustStore' property with '.bak' appended or the ${JAVA_HOME}/lib/security/cacerts.bak file.
    static org.python.bouncycastle.crypto.params.RSAKeyParameters
    getKeyParameter(RSAKey key)
    Returns a parameter object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher.
    static org.python.bouncycastle.crypto.params.RSAKeyParameters
    getPrivateKeyParameter(RSAPrivateKey key)
    Returns a RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher when given an RSAPrivateKey.
    static org.python.bouncycastle.crypto.params.RSAKeyParameters
    getPublicKeyParameter(RSAPublicKey key)
    Returns an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher when given an RSAPublicKey.
    static byte[]
    md5(File file)
    Performs an md5 digest of a provided file and returns a byte array of the digest.
    static byte[]
    md5(InputStream stream)
    Performs an md5 digest of a provided InputStream and returns a byte array of the digest.
    static List<X509Certificate>
    parseX509Certificates(byte[] input)
    Generates a List of X509Certificate objects and initializes them with the data read from the byte array input.
    static Map<String,X509Certificate>
    parseX509Certificates(File certificateDirectory)
    Generates a Map of filenames and X509Certificate objects and initializes them with the data read from the FileInputStream inputStreams of each file in the supplied directory.
    static List<X509Certificate>
    parseX509Certificates(InputStream inputStream)
    Generates a List of X509Certificate objects and initializes them with the data read from the InputStream inputStream.
    static byte[]
    sha1(byte[] input)
    Performs a sha1 digest on the given input array, returning the digest as a byte array.
    static String
    sha1String(String input)
    Performs a sha1 digest on the input string encoded as UTF-8, returns the digest as Base64-ed bytes.
    static String
    sha256(String source)
    Performs a sha256 encryption on the provided String and returns a String representation of the encrypted data.
    static String
    sha256PasswordSalt(String password)
    Returns a string containing the salted password
    static boolean
    sha256PasswordSaltVerify(String password, String hashedPass)
    Verifies the salted password by comparing with the unsalted password and returning true if the password matches the salted version.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

  • Method Details

    • getKeyParameter

      public static org.python.bouncycastle.crypto.params.RSAKeyParameters getKeyParameter(RSAKey key)
      Returns a parameter object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher. Either an RSAPublicKey or RSAPrivateKey can be passed and the subsequent RSAKeyParameters will be returned.
      Parameters:
      key - an RSAKey of type RSAPublicKey or RSAPrivateKey, must not be null
      Returns:
      an RSAKeyParameters object suitable for initializing a public or private Bouncy Castle RSAEngine asymmetric block cipher based on the type of RSAKey provided
      Throws:
      ClassCastException - if the key is not an RSAPublicKey or RSAPrivateKey

    • getPublicKeyParameter

      public static org.python.bouncycastle.crypto.params.RSAKeyParameters getPublicKeyParameter(RSAPublicKey key)
      Returns an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher when given an RSAPublicKey.
      Parameters:
      key - an RSAPublicKey object, must not be null
      Returns:
      an RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher

    • getPrivateKeyParameter

      public static org.python.bouncycastle.crypto.params.RSAKeyParameters getPrivateKeyParameter(RSAPrivateKey key)
      Returns a RSAKeyParameters object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher when given an RSAPrivateKey. If the passed key is an RSAPrivateCrtKey it will return an RSAPrivateCrtKeyParameter.
      Parameters:
      key - an RSAPrivateKey object, must not be null
      Returns:
      an RSAKeyParameter object suitable for initializing a Bouncy Castle RSAEngine asymmetric block cipher. If the passed key is an RSAPrivateCrtKey it will return an RSAPrivateCrtKeyParameter

    • sha1

      public static byte[] sha1(byte[] input)
      Performs a sha1 digest on the given input array, returning the digest as a byte array.
      Parameters:
      input - a byte array of the input needing the digest, must not be null
      Returns:
      a byte array of the SHA1 digest

    • sha1String

      public static String sha1String(String input)
      Performs a sha1 digest on the input string encoded as UTF-8, returns the digest as Base64-ed bytes.
      Parameters:
      input - a UTF-8 encoded String, must not be null
      Returns:
      the digest in a String of Base64 Encoded bytes
      Throws:
      RuntimeException - if the passed String cannot be encoded due to String format issues

    • md5

      public static byte[] md5(File file) throws IOException
      Performs an md5 digest of a provided file and returns a byte array of the digest.
      Parameters:
      file - File needed to be digested, must not be null
      Returns:
      an md5 digest in a byte array
      Throws:
      IOException - if the File cannot be accessed or found

    • md5

      public static byte[] md5(InputStream stream) throws IOException
      Performs an md5 digest of a provided InputStream and returns a byte array of the digest.
      Parameters:
      stream - the InputStream that needs to be digested, must not be null
      Returns:
      the digest in a byte array
      Throws:
      IOException - if the InputStream cannot be accessed

    • parseX509Certificates

      public static List<X509Certificate> parseX509Certificates(byte[] input) throws CertificateException
      Generates a List of X509Certificate objects and initializes them with the data read from the byte array input. The certificate provided in the byte array containing DER encoded binary or PEM encoded ASCII. If the certificate is provided in Base64 encoding, it must be bounded at the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at the end by -----END CERTIFICATE-----.
      Parameters:
      input - a byte array containing DER encoded binary or PEM encoded ASCII, must not be null and must be properly formed
      Returns:
      a List of X509Certificate objects
      Throws:
      CertificateException - If the data in the byte array does not contain an inherent end-of-certificate marker (other than EOF) and there is trailing data after the certificate is parsed, a CertificateException is thrown.

    • parseX509Certificates

      public static List<X509Certificate> parseX509Certificates(InputStream inputStream) throws CertificateException
      Generates a List of X509Certificate objects and initializes them with the data read from the InputStream inputStream. the certificate provided in the byte array containing DER encoded binary or PEM encoded ASCII. If the certificate is provided in Base64 encoding, it must be bounded at the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at the end by -----END CERTIFICATE-----.
      Parameters:
      inputStream - an InputStream containing DER encoded binary or PEM encoded ASCII, must not be null and must be properly formed
      Returns:
      a List of X509Certificate objects
      Throws:
      CertificateException - If the data in the stream does not contain an inherent end-of-certificate marker (other than EOF) and there is trailing data after the certificate is parsed, a CertificateException is thrown.

    • parseX509Certificates

      public static Map<String,X509Certificate> parseX509Certificates(File certificateDirectory)
      Generates a Map of filenames and X509Certificate objects and initializes them with the data read from the FileInputStream inputStreams of each file in the supplied directory. Nested directories are not searched. The certificate provided in the byte array containing DER encoded binary or PEM encoded ASCII. If the certificate is provided in Base64 encoding, it must be bounded at the beginning by -----BEGIN CERTIFICATE-----, and must be bounded at the end by -----END CERTIFICATE-----.
      Parameters:
      certificateDirectory - a File containing DER encoded binary or PEM encoded ASCII certificate files, must not be null and must be a directory.
      Returns:
      a Map of filenames to X509Certificate objects. If an IOExecption or CertificateException is thrown while reading the file null will be returned for the certificate in the map.

    • asymmetricSign

      public static byte[] asymmetricSign(RSAPrivateKey key, byte[] source, int offset, int length) throws Exception
      Takes an RSAPrivateKey, byte array to be signed, an offset, and length to sign asymmetrically using SHA1 and returns a byte array containing the signature.
      Parameters:
      key - an RSAPrivateKey that will be used to sign the byte array, must not be null
      source - the byte array used to generate the signature, must not be null
      offset - the specified offset, must not be null
      length - the specified length, must not be null
      Returns:
      a byte array containing the signature
      Throws:
      Exception - if unable to generate a signature

    • asymmetricVerify

      public static boolean asymmetricVerify(RSAPublicKey key, byte[] source, int offset, int length, byte[] signature, int sigOff, int sigLen)
      Verifies that the signature is valid based on the provided key and returns true if the it is valid, false if it is not.
      Parameters:
      key - an used to verify the signature, must not be null
      source - a byte array of the source data, must not be null
      offset - the offset of the source data, must not be null
      length - the length of the source data, must not be null
      signature - a byte array of the signature, must not be null
      sigOff - the signatures offset, must not be null
      sigLen - the signature length, must not be null
      Returns:
      true if the signature can be verified against the provided data, false if it cannot

    • decryptRSA

      public static byte[] decryptRSA(byte[] source, Key key) throws Exception
      Decrypts a byte array and RSA encrypted data using the supplied key. Note: Does not perform any data validation.
      Parameters:
      source - a byte array containing the data to decrypt, must not be null
      key - the Key to use for decryption, must not be null
      Returns:
      a byte array containing the decrypted data, must not be null
      Throws:
      Exception - if the Key is invalid, the block size is incorrect, or the padding is bad

    • encryptDESede

      public static byte[] encryptDESede(byte[] toEncrypt, byte[] keyBytes) throws Exception
      Performs symmetric encryption using DESede. Uses ECB mode and PKCS5 padding.
      Parameters:
      toEncrypt - A byte array to encrypt. Must not be null
      keyBytes - The key to use. must be 24 bytes long
      Returns:
      a byte array containing the encrypted data
      Throws:
      Exception - if the key is invalid, the block size is incorrect, or the padding is bad

    • decryptDESede

      public static byte[] decryptDESede(byte[] toDecrypt, byte[] keyBytes) throws Exception
      Performs symmetric decryption using DESede. Uses ECB mode and PKCS5 padding.
      Parameters:
      toDecrypt - a byte[] to decrypt. Must not be null
      keyBytes - The key to use. must be 24 bytes long
      Returns:
      a byte array containing the decrypted data
      Throws:
      Exception - if the key is invalid, the block size is incorrect, or the padding is bad

    • generateDESedKey

      public static byte[] generateDESedKey() throws Exception
      Generates a DESede Key
      Returns:
      a byte array containing the DESede key
      Throws:
      Exception - if key generation fails

    • getCertificateThumbprint

      public static String getCertificateThumbprint(X509Certificate certificate) throws Exception
      Returns a to-stringed hash of the certificate encoded bytes. Each certificate's hash is unique, and so certificates can be compared using their hashes to check equality.
      Parameters:
      certificate - the X509Certificate whose thumbprint is needed, must not be null
      Returns:
      a stringed hash of the certificate
      Throws:
      Exception - if the certificate is invalid or the String cannot be built

    • certificateThumbprintToString

      public static String certificateThumbprintToString(byte[] buf) throws Exception
      Takes a sha1 digest byte array and returns a formatted string hash of the encoded bytes for comparison purposes.
      Parameters:
      buf - a byte array containing a sha1 digest, must not be null
      Returns:
      a Stringed hash of the byte array. If buf is null, "[ ]=null" will be returned.
      Throws:
      Exception - if the byte array cannot be formatted

    • getCertificateThumbprintBytes

      public static byte[] getCertificateThumbprintBytes(X509Certificate certificate) throws CertificateEncodingException
      Returns a hash of the certificate encoded bytes. Each certificate's hash is unique, and so certificates can be compared using their hashes to check equality.
      Parameters:
      certificate - the X509Certificate to be hashed, must not be null
      Returns:
      a byte array containing the hash of the certificate
      Throws:
      CertificateEncodingException - if the certificate cannot be encoded

    • sha256

      public static String sha256(String source)
      Performs a sha256 encryption on the provided String and returns a String representation of the encrypted data. The String should be encoded as UTF-8.
      Parameters:
      source - the String to be encrypted, if null the String "" will be used
      Returns:
      a String of encrypted data

    • sha256PasswordSalt

      public static String sha256PasswordSalt(@Nonnull String password)
      Returns a string containing the salted password
      Parameters:
      password - the password to be salted, must not be null
      Returns:
      a String containing the salted password

    • sha256PasswordSaltVerify

      public static boolean sha256PasswordSaltVerify(String password, String hashedPass)
      Verifies the salted password by comparing with the unsalted password and returning true if the password matches the salted version.
      Parameters:
      password - the unsalted password to compare against the salted password
      hashedPass - the salted password, must not be null
      Returns:
      true if the password matches the hashed password thus confirming the identity and false if the password does not match.

    • getDefaultTrustStore

      public static File getDefaultTrustStore()
      Grabs the default trust store set on using the 'javax.net.ssl.trustStore' property or the ${JAVA_HOME}/lib /security/cacerts file.

    • getDefaultTrustStoreBackup

      public static File getDefaultTrustStoreBackup()
      Grabs the default trust store set on using the 'javax.net.ssl.trustStore' property with '.bak' appended or the ${JAVA_HOME}/lib/security/cacerts.bak file.

    • certificateIsSelfSigned

      public static boolean certificateIsSelfSigned(X509Certificate cert) throws Exception
      Verifies that the given cert is signed with its own public key and that the subject and issuer are the same.
      Returns:
      true if a given X509Certificate is self-signed.
      Throws:
      Exception

    • certificateIsCa

      public static boolean certificateIsCa(X509Certificate certificate)

      Check if certificate's BasicConstraints and KeyUsage extensions indicate it is a CA.

      Following is the truth table for this method:

      Basic Constraints Key Usage Result
      Missing Missing true
      Missing keyCertSign set true
      Missing keyCertSign unset false
      CA flag set Missing true
      CA flag set keyCertSign set true
      CA flag set keyCertSign unset false
      CA flag unset Missing false
      CA flag unset keyCertSign set false
      CA flag unset keyCertSign unset false
      Parameters:
      certificate - the X509Certificate to check.
      Returns:
      true if certificate's BasicConstraints and KeyUsage extensions indicate it is a CA.