Package ghidra.net

Class ApplicationKeyManagerUtils


  • public class ApplicationKeyManagerUtils
    extends java.lang.Object
    ApplicationKeyManagerUtils provides public methods for utilizing the application PKI key management, including access to trusted issuers (i.e., CA certificates), token signing and validation, and the ability to generate keystores for testing or when a self-signed certificate will suffice.

    NOTE: This class makes direct use of classes within the sun.security.x509 package thus breaking portability. While this is not preferred, the ability to generate X.509 certificates and keystores appears to be absent from the standard java/javax packages.

    • Method Summary

      Modifier and Type Method Description
      static java.security.KeyStore createKeyStore​(java.io.File keyFile, java.lang.String keystoreType, char[] protectedPassphrase, java.lang.String alias, sun.security.x509.CertificateExtensions certExtensions, java.lang.String dn, java.security.KeyStore.PrivateKeyEntry caSignerKeyEntry, int durationDays)
      Generate self-signed PKI X509 keystore containing both a signing key/cert and an encrypting key/cert.
      static void exportKeystore​(java.security.KeyStore keystore, java.io.File outFile, char[] password)
      Export all X.509 certificates contained within keystore to the specified outFile.
      static void exportX509Certificates​(java.security.KeyStore keystore, java.io.File outFile)
      Export all X.509 certificates contained within keystore to the specified outFile.
      static SignedToken getSignedToken​(java.security.Principal[] authorities, byte[] token)
Sign the supplied token byte array using an installed certificate from one of the specified authorities.
      static javax.security.auth.x500.X500Principal[] getTrustedIssuers()
      Returns a list of trusted issuers (i.e., CA certificates) as established by the ApplicationTrustManagerFactory.
      static boolean isMySignature​(java.security.Principal[] authorities, byte[] token, byte[] signature)
Verify that the specified signature reflects my signature of the specified token.
      static void validateClient​(java.security.cert.X509Certificate[] certChain, java.lang.String authType)
      Validate a client certificate ensuring that it is not expired and is trusted based upon the active trust managers.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • DEFAULT_SIGNING_ALGORITHM

        public static final java.lang.String DEFAULT_SIGNING_ALGORITHM
        See Also:
        Constant Field Values
      • DEFAULT_AUTH_TYPE

        public static final java.lang.String DEFAULT_AUTH_TYPE
        See Also:
        Constant Field Values
    • Method Detail

      • getSignedToken

        public static SignedToken getSignedToken​(java.security.Principal[] authorities,
                                                 byte[] token)
                                          throws java.security.NoSuchAlgorithmException,
                                                 java.security.SignatureException,
                                                 java.security.cert.CertificateException
Sign the supplied token byte array using an installed certificate from one of the specified authorities.
        Parameters:
        authorities - trusted certificate authorities
        token - token byte array
        Returns:
        signed token object
        Throws:
        java.security.NoSuchAlgorithmException
        java.security.SignatureException
        java.security.cert.CertificateException
      • isMySignature

        public static boolean isMySignature​(java.security.Principal[] authorities,
                                            byte[] token,
                                            byte[] signature)
                                     throws java.security.NoSuchAlgorithmException,
                                            java.security.SignatureException,
                                            java.security.cert.CertificateException
Verify that the specified signature reflects my signature of the specified token.
        Parameters:
        authorities - trusted certificate authorities
        token - byte array token
        signature - token signature
        Returns:
        true if signature is my signature
        Throws:
        java.security.NoSuchAlgorithmException
        java.security.SignatureException
        java.security.cert.CertificateException
      • getTrustedIssuers

        public static javax.security.auth.x500.X500Principal[] getTrustedIssuers()
                                                                          throws java.security.cert.CertificateException
        Returns a list of trusted issuers (i.e., CA certificates) as established by the ApplicationTrustManagerFactory.
        Throws:
        java.security.cert.CertificateException
      • validateClient

        public static void validateClient​(java.security.cert.X509Certificate[] certChain,
                                          java.lang.String authType)
                                   throws java.security.cert.CertificateException
        Validate a client certificate ensuring that it is not expired and is trusted based upon the active trust managers.
        Parameters:
        certChain - X509 certificate chain
authType - authentication type (e.g., "RSA")
        Throws:
        java.security.cert.CertificateException
      • createKeyStore

        public static java.security.KeyStore createKeyStore​(java.io.File keyFile,
                                                            java.lang.String keystoreType,
                                                            char[] protectedPassphrase,
                                                            java.lang.String alias,
                                                            sun.security.x509.CertificateExtensions certExtensions,
                                                            java.lang.String dn,
                                                            java.security.KeyStore.PrivateKeyEntry caSignerKeyEntry,
                                                            int durationDays)
                                                     throws java.security.KeyStoreException
Generate a self-signed PKI X509 keystore containing both a signing key/cert and an encrypting key/cert. The default certificate extension specifies a key usage of Signing, which is appropriate for SSL DHE or ECDHE cipher suites.
        Parameters:
        keyFile - keystore file or null if not to be stored
        keystoreType - keystore type (e.g., "JKS", "PKCS12")
        protectedPassphrase - passphrase for protecting key and keystore
        alias - for key/cert
        certExtensions - specifies certificate extensions to be set or null for default key usage extension. Only a single alias may be specified when this argument is not null.
        dn - distinguished name for principal key holder
        caSignerKeyEntry - certificate issuer/authority (CA) private key entry or null for self-signed
        durationDays - number of days from now when certificate shall expire
        Returns:
        newly generated keystore
        Throws:
        java.security.KeyStoreException - error occurred generating keystore
      • exportX509Certificates

        public static void exportX509Certificates​(java.security.KeyStore keystore,
                                                  java.io.File outFile)
                                           throws java.io.IOException,
                                                  java.security.KeyStoreException,
                                                  java.security.cert.CertificateEncodingException
        Export all X.509 certificates contained within keystore to the specified outFile.
        Parameters:
keystore - keystore whose X.509 certificates are to be exported
        outFile - output file
        Throws:
        java.io.IOException
        java.security.KeyStoreException
        java.security.cert.CertificateEncodingException
      • exportKeystore

        public static void exportKeystore​(java.security.KeyStore keystore,
                                          java.io.File outFile,
                                          char[] password)
                                   throws java.io.IOException,
                                          java.security.KeyStoreException,
                                          java.security.NoSuchAlgorithmException,
                                          java.security.cert.CertificateException
        Export all X.509 certificates contained within keystore to the specified outFile.
        Parameters:
keystore - keystore to be exported
        outFile - output file
        password - keystore password
        Throws:
        java.security.cert.CertificateException
        java.security.NoSuchAlgorithmException
        java.io.FileNotFoundException
        java.security.KeyStoreException
        java.security.cert.CertificateEncodingException
        java.io.IOException
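The following is an added usage example, not code from the Ghidra project itself: it builds an in-memory test CA with createKeyStore, issues a client keystore from it via the caSignerKeyEntry parameter, checks the resulting certificate the way a relying party would, and exports only the public certificates. It assumes the generated key entry is retrievable through the standard java.security.KeyStore API under the passphrase given to createKeyStore; the passphrase, distinguished names and file names are constructed demo values.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

import ghidra.net.ApplicationKeyManagerUtils;

public class KeystoreChainDemo {

    // Returns the first private-key entry in the keystore. createKeyStore stores the
    // generated key under the supplied alias; iterating keeps this robust (assumption).
    static KeyStore.PrivateKeyEntry firstKeyEntry(KeyStore ks, char[] pass) throws Exception {
        for (String a : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(a)) {
                return (KeyStore.PrivateKeyEntry) ks.getEntry(a, new KeyStore.PasswordProtection(pass));
            }
        }
        throw new IllegalStateException("no private key entry in keystore");
    }

    public static void main(String[] args) throws Exception {
        char[] pass = "test-only".toCharArray();   // constructed demo passphrase

        // 1. Self-signed test CA kept in memory only: keyFile == null means "do not store".
        KeyStore caStore = ApplicationKeyManagerUtils.createKeyStore(null, "PKCS12", pass,
            "test-ca", null, "CN=Test CA,O=Example", null, 30);
        KeyStore.PrivateKeyEntry caEntry = firstKeyEntry(caStore, pass);
        X509Certificate caCert = (X509Certificate) caEntry.getCertificate();

        // 2. Client keystore whose certificate is issued by the test CA, written to disk.
        File clientFile = File.createTempFile("client-", ".p12");
        KeyStore clientStore = ApplicationKeyManagerUtils.createKeyStore(clientFile, "PKCS12", pass,
            "client", null, "CN=client-1,O=Example", caEntry, 7);
        X509Certificate clientCert = (X509Certificate) firstKeyEntry(clientStore, pass).getCertificate();

        // 3. Checks a relying party would make: issuer matches the CA subject, the
        //    signature verifies under the CA public key, and the cert is within the
        //    durationDays validity window. Each call throws on failure.
        if (!clientCert.getIssuerX500Principal().equals(caCert.getSubjectX500Principal())) {
            throw new IllegalStateException("unexpected issuer: " + clientCert.getIssuerX500Principal());
        }
        clientCert.verify(caCert.getPublicKey());
        clientCert.checkValidity();

        // 4. Publish only the public certificates; private keys stay in the keystore file.
        File certsOut = File.createTempFile("client-certs-", ".certs");
        ApplicationKeyManagerUtils.exportX509Certificates(clientStore, certsOut);
        System.out.println("client cert issued by " + clientCert.getIssuerX500Principal()
            + ", expires " + clientCert.getNotAfter());
    }
}
```

Because the default extension sets a key usage of Signing only, this test CA is suitable for exercising the chain logic in tests, not as a production issuer.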