public final class SecurityUtils extends Object
| Modifier and Type | Method and Description |
|---|---|
| static KeyStore | `createMtlsKeyStore(InputStream certAndKey)` Beta. Create a keystore for mutual TLS with the certificate and private key provided. |
| static KeyStore | `getDefaultKeyStore()` Returns the default key store using `KeyStore.getDefaultType()`. |
| static Signature | `getEs256SignatureAlgorithm()` Returns the SHA-256 with ECDSA signature algorithm. |
| static KeyStore | `getJavaKeyStore()` Returns the Java KeyStore (JKS). |
| static KeyStore | `getPkcs12KeyStore()` Returns the PKCS12 key store. |
| static PrivateKey | `getPrivateKey(KeyStore keyStore, String alias, String keyPass)` Returns the private key from the key store. |
| static KeyFactory | `getRsaKeyFactory()` Returns the RSA key factory. |
| static Signature | `getSha1WithRsaSignatureAlgorithm()` Returns the SHA-1 with RSA signature algorithm. |
| static Signature | `getSha256WithRsaSignatureAlgorithm()` Returns the SHA-256 with RSA signature algorithm. |
| static CertificateFactory | `getX509CertificateFactory()` Returns the X.509 certificate factory. |
| static void | `loadKeyStore(KeyStore keyStore, InputStream keyStream, String storePass)` Loads a key store from a stream. |
| static void | `loadKeyStoreFromCertificates(KeyStore keyStore, CertificateFactory certificateFactory, InputStream certificateStream)` Loads a key store with certificates generated from the specified stream using `CertificateFactory.generateCertificates(InputStream)`. |
| static PrivateKey | `loadPrivateKeyFromKeyStore(KeyStore keyStore, InputStream keyStream, String storePass, String alias, String keyPass)` Retrieves a private key from the specified key store stream and specified key store. |
| static byte[] | `sign(Signature signatureAlgorithm, PrivateKey privateKey, byte[] contentBytes)` Signs content using a private key. |
| static boolean | `verify(Signature signatureAlgorithm, PublicKey publicKey, byte[] signatureBytes, byte[] contentBytes)` Verifies the signature of signed content based on a public key. |
| static X509Certificate | `verify(Signature signatureAlgorithm, X509TrustManager trustManager, List<String> certChainBase64, byte[] signatureBytes, byte[] contentBytes)` Verifies the signature of signed content based on a certificate chain. |
public static KeyStore getDefaultKeyStore() throws KeyStoreException

Returns the default key store using KeyStore.getDefaultType().

Throws:
KeyStoreException

public static KeyStore getJavaKeyStore() throws KeyStoreException

Returns the Java KeyStore (JKS).

Throws:
KeyStoreException

public static KeyStore getPkcs12KeyStore() throws KeyStoreException

Returns the PKCS12 key store.

Throws:
KeyStoreException
public static void loadKeyStore(KeyStore keyStore, InputStream keyStream, String storePass) throws IOException, GeneralSecurityException

Loads a key store from a stream.

Example usage:

    KeyStore keyStore = SecurityUtils.getJavaKeyStore();
    SecurityUtils.loadKeyStore(keyStore, new FileInputStream("certs.jks"), "password");

Parameters:
- keyStore - key store
- keyStream - input stream to the key store stream (closed at the end of this method in a finally block)
- storePass - password protecting the key store file

Throws:
IOException
GeneralSecurityException
public static PrivateKey getPrivateKey(KeyStore keyStore, String alias, String keyPass) throws GeneralSecurityException

Returns the private key from the key store.

Parameters:
- keyStore - key store
- alias - alias under which the key is stored
- keyPass - password protecting the key

Throws:
GeneralSecurityException

public static PrivateKey loadPrivateKeyFromKeyStore(KeyStore keyStore, InputStream keyStream, String storePass, String alias, String keyPass) throws IOException, GeneralSecurityException

Retrieves a private key from the specified key store stream and specified key store.

Parameters:
- keyStore - key store
- keyStream - input stream to the key store (closed at the end of this method in a finally block)
- storePass - password protecting the key store file
- alias - alias under which the key is stored
- keyPass - password protecting the key

Throws:
IOException
GeneralSecurityException
public static KeyFactory getRsaKeyFactory() throws NoSuchAlgorithmException

Returns the RSA key factory.

Throws:
NoSuchAlgorithmException

public static Signature getSha1WithRsaSignatureAlgorithm() throws NoSuchAlgorithmException

Returns the SHA-1 with RSA signature algorithm.

Throws:
NoSuchAlgorithmException

public static Signature getSha256WithRsaSignatureAlgorithm() throws NoSuchAlgorithmException

Returns the SHA-256 with RSA signature algorithm.

Throws:
NoSuchAlgorithmException

public static Signature getEs256SignatureAlgorithm() throws NoSuchAlgorithmException

Returns the SHA-256 with ECDSA signature algorithm.

Throws:
NoSuchAlgorithmException
public static byte[] sign(Signature signatureAlgorithm, PrivateKey privateKey, byte[] contentBytes) throws InvalidKeyException, SignatureException

Signs content using a private key.

Parameters:
- signatureAlgorithm - signature algorithm
- privateKey - private key
- contentBytes - content to sign

Throws:
InvalidKeyException
SignatureException

public static boolean verify(Signature signatureAlgorithm, PublicKey publicKey, byte[] signatureBytes, byte[] contentBytes) throws InvalidKeyException, SignatureException

Verifies the signature of signed content based on a public key.

Parameters:
- signatureAlgorithm - signature algorithm
- publicKey - public key
- signatureBytes - signature bytes
- contentBytes - content bytes

Throws:
InvalidKeyException
SignatureException
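The following is an added example, not code from google-http-java-client, showing how sign(...) and the public-key verify(...) above fit together, and how a production signing key would be read with loadPrivateKeyFromKeyStore. It assumes com.google.api.client.util.SecurityUtils is on the classpath; the key pairs are generated in memory so nothing else is needed, and the PKCS12 path, alias and passwords in loadSigningKey are placeholders. It deliberately uses the SHA-256 variants: the SHA-1 accessor exists for legacy interoperability and is not a good choice for new signatures.

```java
import com.google.api.client.util.SecurityUtils;

import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.ECGenParameterSpec;

/** Added example (not library code): detached signatures with SecurityUtils. */
public final class SignVerifyExample {

  /** Signs with SHA-256/RSA. A fresh Signature is fetched per call: Signature objects are stateful and not thread-safe. */
  static byte[] signRsa(PrivateKey key, byte[] content) throws GeneralSecurityException {
    return SecurityUtils.sign(SecurityUtils.getSha256WithRsaSignatureAlgorithm(), key, content);
  }

  /** Verifies an RSA signature; the verifier must pick the same algorithm the signer used. */
  static boolean verifyRsa(PublicKey key, byte[] signature, byte[] content) throws GeneralSecurityException {
    return SecurityUtils.verify(SecurityUtils.getSha256WithRsaSignatureAlgorithm(), key, signature, content);
  }

  /** ES256: SHA-256 with ECDSA over a P-256 key. The output is the JCA DER (r, s) encoding, not the raw r||s form JWS uses. */
  static byte[] signEs256(PrivateKey ecKey, byte[] content) throws GeneralSecurityException {
    return SecurityUtils.sign(SecurityUtils.getEs256SignatureAlgorithm(), ecKey, content);
  }

  static boolean verifyEs256(PublicKey ecKey, byte[] signature, byte[] content) throws GeneralSecurityException {
    return SecurityUtils.verify(SecurityUtils.getEs256SignatureAlgorithm(), ecKey, signature, content);
  }

  /** How a production key would be read from a PKCS12 file; path, alias and passwords are placeholders. */
  static PrivateKey loadSigningKey(String p12Path, String storePass, String alias, String keyPass)
      throws IOException, GeneralSecurityException {
    KeyStore keyStore = SecurityUtils.getPkcs12KeyStore();
    // loadPrivateKeyFromKeyStore closes the stream itself, so no try-with-resources is needed here.
    return SecurityUtils.loadPrivateKeyFromKeyStore(keyStore, new FileInputStream(p12Path), storePass, alias, keyPass);
  }

  public static void main(String[] args) throws GeneralSecurityException {
    // Constructed input: throwaway key pairs generated in memory so the example runs without a key store file.
    KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
    rsaGen.initialize(2048);
    KeyPair rsa = rsaGen.generateKeyPair();

    KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
    ecGen.initialize(new ECGenParameterSpec("secp256r1"));
    KeyPair ec = ecGen.generateKeyPair();

    byte[] content = "{\"sub\":\"example\",\"amount\":100}".getBytes(StandardCharsets.UTF_8);

    byte[] rsaSig = signRsa(rsa.getPrivate(), content);
    byte[] ecSig = signEs256(ec.getPrivate(), content);
    System.out.println("RSA verify:   " + verifyRsa(rsa.getPublic(), rsaSig, content));
    System.out.println("ES256 verify: " + verifyEs256(ec.getPublic(), ecSig, content));

    // A single changed byte in the content must invalidate both signatures.
    byte[] tampered = content.clone();
    tampered[tampered.length - 2] ^= 0x01; // "100" becomes "101"
    System.out.println("RSA verify (tampered):   " + verifyRsa(rsa.getPublic(), rsaSig, tampered));
    System.out.println("ES256 verify (tampered): " + verifyEs256(ec.getPublic(), ecSig, tampered));

    // A key of the wrong type is reported as InvalidKeyException, not as a false return: treat it as failure too.
    try {
      verifyRsa(ec.getPublic(), rsaSig, content);
    } catch (InvalidKeyException e) {
      System.out.println("RSA algorithm rejected EC key: " + e.getMessage());
    }
  }
}
```

The two verify calls on untampered content return true and the two on tampered content return false; the last block shows why callers should catch InvalidKeyException and SignatureException alongside checking the boolean, since a malformed key or signature surfaces as an exception rather than a false result.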
public static X509Certificate verify(Signature signatureAlgorithm, X509TrustManager trustManager, List<String> certChainBase64, byte[] signatureBytes, byte[] contentBytes) throws InvalidKeyException, SignatureException

Verifies the signature of signed content based on a certificate chain.

Parameters:
- signatureAlgorithm - signature algorithm
- trustManager - trust manager used to verify the certificate chain
- certChainBase64 - Certificate chain used for verification. The certificates must be base64 encoded DER, the leaf certificate must be the first element.
- signatureBytes - signature bytes
- contentBytes - content bytes

Throws:
InvalidKeyException
SignatureException
public static CertificateFactory getX509CertificateFactory() throws CertificateException

Returns the X.509 certificate factory.

Throws:
CertificateException

public static void loadKeyStoreFromCertificates(KeyStore keyStore, CertificateFactory certificateFactory, InputStream certificateStream) throws GeneralSecurityException

Loads a key store with certificates generated from the specified stream using CertificateFactory.generateCertificates(InputStream).

For each certificate, KeyStore.setCertificateEntry(String, Certificate) is called with an alias that is the string form of incrementing non-negative integers starting with 0 (0, 1, 2, 3, ...).

Example usage:

    KeyStore keyStore = SecurityUtils.getJavaKeyStore();
    SecurityUtils.loadKeyStoreFromCertificates(keyStore, SecurityUtils.getX509CertificateFactory(), new FileInputStream(pemFile));

Parameters:
- keyStore - key store (for example getJavaKeyStore())
- certificateFactory - certificate factory (for example getX509CertificateFactory())
- certificateStream - certificate stream

Throws:
GeneralSecurityException
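The following is an added example, not code from google-http-java-client, tying together loadKeyStoreFromCertificates (above) and the certificate-chain verify(...) documented earlier: a PEM bundle of trusted roots becomes a JKS trust store, the JDK wraps it in an X509TrustManager, and a signer's chain is handed to verify() as base64 DER with the leaf first. The file paths are placeholders; the example calls KeyStore.load(null, null) before adding entries because the JCA rejects setCertificateEntry on an uninitialized store, and it treats a null return from verify() as failure (an assumption about the library's behaviour; check the version you use).

```java
import com.google.api.client.util.SecurityUtils;

import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (not library code): verifying a detached signature against a certificate chain. */
public final class ChainVerifyExample {

  /** Loads every certificate in a PEM bundle into a fresh JKS trust store; entries get aliases "0", "1", "2", ... */
  static KeyStore loadTrustStore(String pemBundlePath) throws IOException, GeneralSecurityException {
    KeyStore trustStore = SecurityUtils.getJavaKeyStore();
    trustStore.load(null, null); // the JCA rejects setCertificateEntry on an uninitialized store
    try (FileInputStream in = new FileInputStream(pemBundlePath)) {
      SecurityUtils.loadKeyStoreFromCertificates(trustStore, SecurityUtils.getX509CertificateFactory(), in);
    }
    return trustStore;
  }

  /** Wraps the trust store in the JDK's default X509TrustManager, which performs PKIX path validation. */
  static X509TrustManager trustManagerFor(KeyStore trustStore) throws GeneralSecurityException {
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
    for (TrustManager tm : tmf.getTrustManagers()) {
      if (tm instanceof X509TrustManager) {
        return (X509TrustManager) tm;
      }
    }
    throw new GeneralSecurityException("no X509TrustManager available");
  }

  /** Reads a PEM chain (leaf first) and re-encodes each certificate as base64 DER, the form verify() expects. */
  static List<String> chainAsBase64Der(String chainPemPath) throws IOException, GeneralSecurityException {
    List<String> chain = new ArrayList<>();
    try (FileInputStream in = new FileInputStream(chainPemPath)) {
      for (Certificate cert : SecurityUtils.getX509CertificateFactory().generateCertificates(in)) {
        chain.add(Base64.getEncoder().encodeToString(cert.getEncoded()));
      }
    }
    return Collections.unmodifiableList(chain);
  }

  /** Returns the leaf certificate when chain validation and the signature check both pass. */
  static X509Certificate verifyAgainstChain(X509TrustManager trustManager, List<String> chainBase64,
      byte[] signature, byte[] content) throws GeneralSecurityException {
    X509Certificate leaf = SecurityUtils.verify(
        SecurityUtils.getSha256WithRsaSignatureAlgorithm(), trustManager, chainBase64, signature, content);
    if (leaf == null) {
      // Assumption: the library reports failure as a null return rather than an exception.
      throw new GeneralSecurityException("chain validation or signature check failed");
    }
    return leaf;
  }

  public static void main(String[] args) throws Exception {
    // Placeholder paths: a real deployment points these at its CA bundle, the signer's chain and the signed artefact.
    KeyStore trustStore = loadTrustStore("trusted-roots.pem");
    System.out.println("trust store aliases: " + Collections.list(trustStore.aliases()));
    X509TrustManager trustManager = trustManagerFor(trustStore);

    List<String> chain = chainAsBase64Der("signer-chain.pem");
    byte[] content = Files.readAllBytes(Paths.get("artifact.bin"));
    byte[] signature = Files.readAllBytes(Paths.get("artifact.sig"));

    X509Certificate leaf = verifyAgainstChain(trustManager, chain, signature, content);
    // Compare the subject against the expected signer: "chains to some trusted root" is weaker than "is the right signer".
    System.out.println("signed by: " + leaf.getSubjectX500Principal());
  }
}
```

The returned leaf certificate is the only thing that identifies who signed; a caller that stops at "verify() returned non-null" accepts any certificate the trust store's roots can vouch for, so the subject (or a SAN) should be compared against the identity the application expects.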
@Beta
public static KeyStore createMtlsKeyStore(InputStream certAndKey) throws GeneralSecurityException, IOException

Beta. Create a keystore for mutual TLS with the certificate and private key provided.

Parameters:
- certAndKey - Certificate and private key input stream. The stream should contain one certificate and one unencrypted private key. If there are multiple certificates, only the first certificate will be used.

Throws:
GeneralSecurityException
IOException
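The following is an added example, not code from google-http-java-client, showing the key store returned by createMtlsKeyStore wired into a javax.net.ssl.SSLContext for a mutual-TLS client, with loadKeyStore supplying the server trust roots. The file paths and the trust store password are placeholders. The key-entry password passed to KeyManagerFactory.init is assumed to be empty; this is an assumption about how createMtlsKeyStore stores the key and should be checked against the library version in use. Because the PEM file holds an unencrypted private key, it needs the same filesystem protection as any other secret.

```java
import com.google.api.client.util.SecurityUtils;

import java.io.FileInputStream;
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example (not library code): an SSLContext for mutual TLS built from a PEM client credential. */
public final class MtlsContextExample {

  /** Key managers that present the client certificate loaded by createMtlsKeyStore. */
  static KeyManagerFactory clientKeyManagers(String clientPemPath) throws IOException, GeneralSecurityException {
    KeyStore clientStore;
    try (FileInputStream certAndKey = new FileInputStream(clientPemPath)) {
      clientStore = SecurityUtils.createMtlsKeyStore(certAndKey);
    }
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    // Assumption: createMtlsKeyStore protects the key entry with an empty password; adjust if your version differs.
    kmf.init(clientStore, new char[0]);
    return kmf;
  }

  /** Trust managers from a password-protected JKS of server roots; loadKeyStore closes the stream itself. */
  static TrustManagerFactory serverTrust(String trustStorePath, String trustStorePass)
      throws IOException, GeneralSecurityException {
    KeyStore trustStore = SecurityUtils.getJavaKeyStore();
    SecurityUtils.loadKeyStore(trustStore, new FileInputStream(trustStorePath), trustStorePass);
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
    return tmf;
  }

  /** Combines both sides: our certificate for the server, the server roots we accept. */
  static SSLContext mtlsContext(String clientPemPath, String trustStorePath, String trustStorePass)
      throws IOException, GeneralSecurityException {
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(clientKeyManagers(clientPemPath).getKeyManagers(),
        serverTrust(trustStorePath, trustStorePass).getTrustManagers(), null);
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    // Placeholder paths, password and host.
    SSLContext ctx = mtlsContext("client-cert-and-key.pem", "server-roots.jks", "changeit");
    HttpsURLConnection conn = (HttpsURLConnection) new URL("https://mtls.example/").openConnection();
    conn.setSSLSocketFactory(ctx.getSocketFactory());
    // conn.getResponseCode() would now run the handshake and present the client certificate.
  }
}
```

Passing an explicit trust store to SSLContext.init, rather than null, pins the connection to the roots in server-roots.jks instead of the JVM's default cacerts; leave that argument null only when the default trust anchors are intended.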
Copyright © 2011–2023 Google. All rights reserved.