Package io.bdeploy.common.security

Class SecurityHelper

java.lang.Object

io.bdeploy.common.security.SecurityHelper

public class SecurityHelper
extends Object

Encapsulates certificate and token handling for mutual authentication.

Field Summary

Fields

Modifier and Type	Field	Description
static final String	CERT_ALIAS
static final String	ROOT_ALIAS

Method Summary

Modifier and Type	Method	Description
static SecretKeySpec	createSecretKey(char[] password)
<T> String	createSignaturePack(T payload, Path keystore, char[] passphrase)	Creates a new encoded and signed token for this server.
<T> String	createSignaturePack(T payload, KeyStore keystore, char[] passphrase)	Creates a new encoded and signed token for this server.
<T> String	createToken(T payload, KeyStore ks, char[] passphrase)	Create a valid security token suitable for HTTPS traffic verification.
static String	decrypt(String data, SecretKeySpec key)
static String	encrypt(String data, SecretKeySpec key)
static SecurityHelper	getInstance()
<T> T	getSelfVerifiedPayloadFromPack(String token, Class<T> clazz)	Accepts a token in String form, extracts the payload from it (see createSignaturePack(Object, Path, char[])) and verifies that the enclosed signature is valid for the decoded payload using the enclosed public certificate.
String	getSignedToken(KeyStore ks, char[] passphrase)	Retrieve the signed token for authentication against a server using this helper to decode the token.
String	getTokenFromPack(String pack)	Extract the pure token (required for HTTPS authentication) from a signature pack.
<T> T	getVerifiedPayload(String token, Class<T> clazz, KeyStore ks)	Accepts a token in String form, extracts the payload from it (see createSignaturePack(Object, Path, char[])) and verifies that the enclosed signature is valid for the decoded payload.
void	importSignaturePack(String pack, Path keystore, char[] passphrase)	Loads a KeyStore from the given Path or creates one if it does not exist, imports the signature pack and saves the KeyStore afterwards back to the given Path.
void	importSignaturePack(String pack, KeyStore ks, char[] passphrase)	Accepts an encoded and signed token and imports the enclosed security relevant information into the given (JCEKS) keystore.
KeyStore	loadPrivateKeyStore(InputStream is, char[] passphrase)
KeyStore	loadPrivateKeyStore(Path keystore, char[] passphrase)	Load and return a PKCS12 formatted keystore.
KeyStore	loadPublicKeyStore(InputStream is, char[] passphrase)
KeyStore	loadPublicKeyStore(Path keystore, char[] passphrase)	Load and return (create on demand) a JCEKS formatted keystore.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

ROOT_ALIAS

public static final String ROOT_ALIAS

See Also:

• Constant Field Values

CERT_ALIAS

public static final String CERT_ALIAS

See Also:

• Constant Field Values

Method Details

getInstance

public static SecurityHelper getInstance()

createSecretKey

public static SecretKeySpec createSecretKey(char[] password)
                                     throws GeneralSecurityException

Parameters:

password - the password for the key

Returns:

a secret key which can be used for encryption and decryption of passwords

Throws:

GeneralSecurityException

encrypt

public static String encrypt(String data,
 SecretKeySpec key)
                      throws GeneralSecurityException

Parameters:

data - the data to encrypt

key - the key to use to encrypt

Returns:

the encrypted data

Throws:

GeneralSecurityException

decrypt

public static String decrypt(String data,
 SecretKeySpec key)
                      throws GeneralSecurityException

Parameters:

data - the encrypted data

key - the key to use to decrypt the data

Returns:

the decrypted data

Throws:

GeneralSecurityException

createSignaturePack

public <T> String createSignaturePack(T payload,
 KeyStore keystore,
 char[] passphrase)
                               throws GeneralSecurityException

Creates a new encoded and signed token for this server.

To generate an appropriate self signed certificate in a (PKCS12) keystore, use this:

   openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 17800 -out cert.pem
   openssl pkcs12 -inkey key.pem  -in cert.pem -export -out certstore.p12
 

Parameters:

payload - the payload to sign. will be serialized and encoded in the final signed token

keystore - the keystore containing the private key. The keystore must be in PKCS12 format and contain exactly one entry, which is the private X.509 certificate.

passphrase - the passphrase for both the keystore and the certificate within.

Returns:

an encoded and signed token containing all security relevant information for a client to connect to this server.

Throws:

GeneralSecurityException

createSignaturePack

public <T> String createSignaturePack(T payload,
 Path keystore,
 char[] passphrase)
                               throws GeneralSecurityException,
IOException

Creates a new encoded and signed token for this server.

To generate an appropriate self signed certificate in a (PKCS12) keystore, use this:

   openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 17800 -out cert.pem
   openssl pkcs12 -inkey key.pem  -in cert.pem -export -out certstore.p12
 

Parameters:

payload - the payload to sign. will be serialized and encoded in the final signed token

keystore - the keystore containing the private key. The keystore must be in PKCS12 format and contain exactly one entry, which is the private X.509 certificate.

passphrase - the passphrase for both the keystore and the certificate within.

Returns:

an encoded and signed token containing all security relevant information for a client to connect to this server.

Throws:

GeneralSecurityException

IOException

createToken

public <T> String createToken(T payload,
 KeyStore ks,
 char[] passphrase)

Create a valid security token suitable for HTTPS traffic verification. Used to pass to clients connecting and authorizing to use APIs.

Parameters:

payload - the token payload.

ks - the keystore.

passphrase - the passphrase.

Returns:

a signed token

getVerifiedPayload

public <T> T getVerifiedPayload(String token,
 Class<T> clazz,
 KeyStore ks)
                         throws GeneralSecurityException

Accepts a token in String form, extracts the payload from it (see createSignaturePack(Object, Path, char[])) and verifies that the enclosed signature is valid for the decoded payload.

Parameters:

token - the encoded payload and signature.

clazz - the Class of the payload - used for de-serialization.

ks - the keystore containing the private key and certificate

Returns:

the signed payload, if the signature is valid.

Throws:

GeneralSecurityException

getSelfVerifiedPayloadFromPack

public <T> T getSelfVerifiedPayloadFromPack(String token,
 Class<T> clazz)
                                     throws GeneralSecurityException,
IOException

Accepts a token in String form, extracts the payload from it (see createSignaturePack(Object, Path, char[])) and verifies that the enclosed signature is valid for the decoded payload using the enclosed public certificate.

This does NOT verify that the enclosed signature is valid against a present private key.

Parameters:

token - the encoded payload and signature.

clazz - the Class of the payload - used for de-serialization.

Returns:

the signed payload, if the signature is valid.

Throws:

GeneralSecurityException

IOException

getTokenFromPack

public String getTokenFromPack(String pack)

Extract the pure token (required for HTTPS authentication) from a signature pack.

importSignaturePack

public void importSignaturePack(String pack,
 KeyStore ks,
 char[] passphrase)
                         throws GeneralSecurityException,
IOException

Accepts an encoded and signed token and imports the enclosed security relevant information into the given (JCEKS) keystore. The keystore is created if it does not exist.

Parameters:

pack - the token/signature pack in String form

ks - the keystore to use.

passphrase - the passphrase used to decode and encode the keystore.

Throws:

GeneralSecurityException

IOException

importSignaturePack

public void importSignaturePack(String pack,
 Path keystore,
 char[] passphrase)
                         throws GeneralSecurityException,
IOException

Loads a KeyStore from the given Path or creates one if it does not exist, imports the signature pack and saves the KeyStore afterwards back to the given Path.

Throws:

GeneralSecurityException

IOException

See Also:

• importSignaturePack(String, KeyStore, char[])

getSignedToken

public String getSignedToken(KeyStore ks,
 char[] passphrase)
                      throws GeneralSecurityException

Retrieve the signed token for authentication against a server using this helper to decode the token.

Parameters:

ks - the public keystore

passphrase - the passphrase for the keystore

Returns:

an encoded token which can be sent to the server.

Throws:

GeneralSecurityException

loadPrivateKeyStore

public KeyStore loadPrivateKeyStore(Path keystore,
 char[] passphrase)
                             throws GeneralSecurityException,
IOException

Load and return a PKCS12 formatted keystore.

Throws:

GeneralSecurityException

IOException

loadPrivateKeyStore

public KeyStore loadPrivateKeyStore(InputStream is,
 char[] passphrase)
                             throws GeneralSecurityException,
IOException

Throws:

GeneralSecurityException

IOException

See Also:

• loadPrivateKeyStore(Path, char[])

loadPublicKeyStore

public KeyStore loadPublicKeyStore(Path keystore,
 char[] passphrase)
                            throws GeneralSecurityException,
IOException

Load and return (create on demand) a JCEKS formatted keystore.

Throws:

GeneralSecurityException

IOException

loadPublicKeyStore

public KeyStore loadPublicKeyStore(InputStream is,
 char[] passphrase)
                            throws GeneralSecurityException,
IOException

Throws:

GeneralSecurityException

IOException

See Also:

• loadPublicKeyStore(Path, char[])