com.google.api.client.util

Class SecurityUtils

java.lang.Object

com.google.api.client.util.SecurityUtils

public final class SecurityUtils
extends Object

Utilities related to Java security.

Since:

1.14

Author:

Yaniv Inbar

Method Summary

Modifier and Type	Method and Description
static KeyStore	createMtlsKeyStore(InputStream certAndKey) Beta Create a keystore for mutual TLS with the certificate and private key provided.
static KeyStore	getDefaultKeyStore() Returns the default key store using KeyStore.getDefaultType().
static Signature	getEs256SignatureAlgorithm() Returns the SHA-256 with ECDSA signature algorithm
static KeyStore	getJavaKeyStore() Returns the Java KeyStore (JKS).
static KeyStore	getPkcs12KeyStore() Returns the PKCS12 key store.
static PrivateKey	getPrivateKey(KeyStore keyStore, String alias, String keyPass) Returns the private key from the key store.
static KeyFactory	getRsaKeyFactory() Returns the RSA key factory.
static Signature	getSha1WithRsaSignatureAlgorithm() Returns the SHA-1 with RSA signature algorithm.
static Signature	getSha256WithRsaSignatureAlgorithm() Returns the SHA-256 with RSA signature algorithm.
static CertificateFactory	getX509CertificateFactory() Returns the X.509 certificate factory.
static void	loadKeyStore(KeyStore keyStore, InputStream keyStream, String storePass) Loads a key store from a stream.
static void	loadKeyStoreFromCertificates(KeyStore keyStore, CertificateFactory certificateFactory, InputStream certificateStream) Loads a key store with certificates generated from the specified stream using CertificateFactory.generateCertificates(InputStream).
static PrivateKey	loadPrivateKeyFromKeyStore(KeyStore keyStore, InputStream keyStream, String storePass, String alias, String keyPass) Retrieves a private key from the specified key store stream and specified key store.
static byte[]	sign(Signature signatureAlgorithm, PrivateKey privateKey, byte[] contentBytes) Signs content using a private key.
static boolean	verify(Signature signatureAlgorithm, PublicKey publicKey, byte[] signatureBytes, byte[] contentBytes) Verifies the signature of signed content based on a public key.
static X509Certificate	verify(Signature signatureAlgorithm, X509TrustManager trustManager, List<String> certChainBase64, byte[] signatureBytes, byte[] contentBytes) Verifies the signature of signed content based on a certificate chain.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

getDefaultKeyStore

public static KeyStore getDefaultKeyStore()
                                   throws KeyStoreException

Returns the default key store using KeyStore.getDefaultType().

Throws:

KeyStoreException

getJavaKeyStore

public static KeyStore getJavaKeyStore()
                                throws KeyStoreException

Returns the Java KeyStore (JKS).

Throws:

KeyStoreException

getPkcs12KeyStore

public static KeyStore getPkcs12KeyStore()
                                  throws KeyStoreException

Returns the PKCS12 key store.

Throws:

KeyStoreException

loadKeyStore

public static void loadKeyStore(KeyStore keyStore,
                                InputStream keyStream,
                                String storePass)
                         throws IOException,
                                GeneralSecurityException

Loads a key store from a stream.

Example usage:

 KeyStore keyStore = SecurityUtils.getJavaKeyStore();
 SecurityUtils.loadKeyStore(keyStore, new FileInputStream("certs.jks"), "password");
 

Parameters:

keyStore - key store

keyStream - input stream to the key store stream (closed at the end of this method in a finally block)

storePass - password protecting the key store file

Throws:

IOException

GeneralSecurityException

getPrivateKey

public static PrivateKey getPrivateKey(KeyStore keyStore,
                                       String alias,
                                       String keyPass)
                                throws GeneralSecurityException

Returns the private key from the key store.

Parameters:

keyStore - key store

alias - alias under which the key is stored

keyPass - password protecting the key

Returns:

private key

Throws:

GeneralSecurityException

loadPrivateKeyFromKeyStore

public static PrivateKey loadPrivateKeyFromKeyStore(KeyStore keyStore,
                                                    InputStream keyStream,
                                                    String storePass,
                                                    String alias,
                                                    String keyPass)
                                             throws IOException,
                                                    GeneralSecurityException

Retrieves a private key from the specified key store stream and specified key store.

Parameters:

keyStore - key store

keyStream - input stream to the key store (closed at the end of this method in a finally block)

storePass - password protecting the key store file

alias - alias under which the key is stored

keyPass - password protecting the key

Returns:

key from the key store

Throws:

IOException

GeneralSecurityException

getRsaKeyFactory

public static KeyFactory getRsaKeyFactory()
                                   throws NoSuchAlgorithmException

Returns the RSA key factory.

Throws:

NoSuchAlgorithmException

getSha1WithRsaSignatureAlgorithm

public static Signature getSha1WithRsaSignatureAlgorithm()
                                                  throws NoSuchAlgorithmException

Returns the SHA-1 with RSA signature algorithm.

Throws:

NoSuchAlgorithmException

getSha256WithRsaSignatureAlgorithm

public static Signature getSha256WithRsaSignatureAlgorithm()
                                                    throws NoSuchAlgorithmException

Returns the SHA-256 with RSA signature algorithm.

Throws:

NoSuchAlgorithmException

getEs256SignatureAlgorithm

public static Signature getEs256SignatureAlgorithm()
                                            throws NoSuchAlgorithmException

Returns the SHA-256 with ECDSA signature algorithm

Throws:

NoSuchAlgorithmException

sign

public static byte[] sign(Signature signatureAlgorithm,
                          PrivateKey privateKey,
                          byte[] contentBytes)
                   throws InvalidKeyException,
                          SignatureException

Signs content using a private key.

Parameters:

signatureAlgorithm - signature algorithm

privateKey - private key

contentBytes - content to sign

Returns:

signed content

Throws:

InvalidKeyException

SignatureException

verify

public static boolean verify(Signature signatureAlgorithm,
                             PublicKey publicKey,
                             byte[] signatureBytes,
                             byte[] contentBytes)
                      throws InvalidKeyException,
                             SignatureException

Verifies the signature of signed content based on a public key.

Parameters:

signatureAlgorithm - signature algorithm

publicKey - public key

signatureBytes - signature bytes

contentBytes - content bytes

Returns:

whether the signature was verified

Throws:

InvalidKeyException

SignatureException

verify

public static X509Certificate verify(Signature signatureAlgorithm,
                                     X509TrustManager trustManager,
                                     List<String> certChainBase64,
                                     byte[] signatureBytes,
                                     byte[] contentBytes)
                              throws InvalidKeyException,
                                     SignatureException

Verifies the signature of signed content based on a certificate chain.

Parameters:

signatureAlgorithm - signature algorithm

trustManager - trust manager used to verify the certificate chain

certChainBase64 - Certificate chain used for verification. The certificates must be base64 encoded DER, the leaf certificate must be the first element.

signatureBytes - signature bytes

contentBytes - content bytes

Returns:

The signature certificate if the signature could be verified, null otherwise.

Throws:

InvalidKeyException

SignatureException

Since:

1.19.1.

getX509CertificateFactory

public static CertificateFactory getX509CertificateFactory()
                                                    throws CertificateException

Returns the X.509 certificate factory.

Throws:

CertificateException

loadKeyStoreFromCertificates

public static void loadKeyStoreFromCertificates(KeyStore keyStore,
                                                CertificateFactory certificateFactory,
                                                InputStream certificateStream)
                                         throws GeneralSecurityException

Loads a key store with certificates generated from the specified stream using CertificateFactory.generateCertificates(InputStream).

For each certificate, KeyStore.setCertificateEntry(String, Certificate) is called with an alias that is the string form of incrementing non-negative integers starting with 0 (0, 1, 2, 3, ...).

Example usage:

 KeyStore keyStore = SecurityUtils.getJavaKeyStore();
 SecurityUtils.loadKeyStoreFromCertificates(keyStore, SecurityUtils.getX509CertificateFactory(),
 new FileInputStream(pemFile));
 

Parameters:

keyStore - key store (for example getJavaKeyStore())

certificateFactory - certificate factory (for example getX509CertificateFactory())

certificateStream - certificate stream

Throws:

GeneralSecurityException

createMtlsKeyStore

@Beta
public static KeyStore createMtlsKeyStore(InputStream certAndKey)
                                         throws GeneralSecurityException,
                                                IOException

Beta
Create a keystore for mutual TLS with the certificate and private key provided.

Parameters:

certAndKey - Certificate and private key input stream. The stream should contain one certificate and one unencrypted private key. If there are multiple certificates, only the first certificate will be used.

Returns:

keystore for mutual TLS.

Throws:

GeneralSecurityException

IOException

Since:

1.38