Package gov.usgs.util
Class CryptoUtils
java.lang.Object
gov.usgs.util.CryptoUtils
Encryption and signing utilities.
-
Nested Class Summary
Nested Classes -
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final intNumber of bits for AES 128 bit key.static final intNumber of bits for AES 256 bit key.static final StringAlgorithm used by AES keys and ciphers.static final intNumber of bits for DSA 1024 bit key.static final StringAlgorithm used by DSA keys.static final StringAlgorithm used for signature with DSA key.static final intNumber of bits for RSA 2048 bit key.static final intNumber of bits for RSA 4096 bit key.static final StringAlgorithm used by RSA keys and ciphers.static final StringAlgorithm used for signature with RSA key.static final Stringv2 Algorithm for DSA signaturestatic final Stringv2 Algorithm for RSA signature -
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionstatic voidconfigureSignature(Key key, CryptoUtils.Version version, Signature signature) static byte[]convertPEMToDER(String string) Read a PEM format.static byte[]A convenience method to decrypt a byte array.static byte[]A convenience method to encrypt a byte array.static KeygenerateAESKey(int bits) Generate a new symmetric encryption key.static KeyPairgenerateDSAKeyPair(int bits) Generate a new asymmetric signature key pair.static KeyPairgenerateRSAKeyPair(int bits) Generate a new asymmetric encryption key pair.static CiphergetDecryptCipher(Key key) Create and initialize a decrypting cipher using key.getAlgorithm as transformation.static CiphergetEncryptCipher(Key key) Create and initialize an encrypting cipher using key.getAlgorithm() as transformation.static SignaturegetSignature(Key key, CryptoUtils.Version version) Create and configure a signature object based on key type.static voidprocessCipherStream(Cipher cipher, InputStream in, OutputStream out) Process a data stream using a cipher.static CertificatereadCertificate(byte[] bytes) Read a X509 encoded certificate.static byte[]readDERString(ByteBuffer buf) This method reads a DER encoded byte string from a ByteBuffer.static PrivateKeyreadOpenSSHPrivateKey(byte[] bytes, String password) Read an OpenSSH private key from a stream.static PublicKeyreadOpenSSHPublicKey(byte[] bytes) Read an OpenSSH PublicKey from a stream.static PrivateKeyreadPrivateKey(byte[] bytes) Read a PKCS#8 encoded private key.static PublicKeyreadPublicKey(byte[] bytes) Read a X509 encoded public key.static Stringsign(PrivateKey privateKey, byte[] data, CryptoUtils.Version version) Generate a signature.static booleanA convenience method that chooses a signature algorithm based on the key type.static booleanverify(PublicKey publicKey, byte[] data, String allegedSignature, CryptoUtils.Version version) Verify a signature.
-
Field Details
-
AES_ALGORITHM
Algorithm used by AES keys and ciphers.- See Also:
-
AES_128
public static final int AES_128Number of bits for AES 128 bit key.- See Also:
-
AES_256
public static final int AES_256Number of bits for AES 256 bit key.- See Also:
-
DSA_ALGORITHM
Algorithm used by DSA keys.- See Also:
-
DSA_SIGNATURE_ALGORITHM
Algorithm used for signature with DSA key.- See Also:
-
DSA_1024
public static final int DSA_1024Number of bits for DSA 1024 bit key.- See Also:
-
RSA_ALGORITHM
Algorithm used by RSA keys and ciphers.- See Also:
-
RSA_SIGNATURE_ALGORITHM
Algorithm used for signature with RSA key.- See Also:
-
RSA_2048
public static final int RSA_2048Number of bits for RSA 2048 bit key.- See Also:
-
RSA_4096
public static final int RSA_4096Number of bits for RSA 4096 bit key.- See Also:
-
SIGNATURE_V2_DSA_ALGORITHM
v2 Algorithm for DSA signature- See Also:
-
SIGNATURE_V2_RSA_ALGORITHM
v2 Algorithm for RSA signature- See Also:
-
-
Constructor Details
-
CryptoUtils
public CryptoUtils()
-
-
Method Details
-
processCipherStream
public static void processCipherStream(Cipher cipher, InputStream in, OutputStream out) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IOException Process a data stream using a cipher. If cipher is initialized to ENCRYPT_MODE, the input stream will be encrypted. If cipher is initialized to DECRYPT_MODE, the input stream will be decrypted.- Parameters:
cipher- an initialized cipher.in- the data to encrypt.out- where encrypted data is written.- Throws:
NoSuchAlgorithmException- if invalid encrypt/decrypt algorithmNoSuchPaddingException- on padding errorInvalidKeyException- if key is not RSA or DSA.IOException- if IO error occurs
-
getEncryptCipher
public static Cipher getEncryptCipher(Key key) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException Create and initialize an encrypting cipher using key.getAlgorithm() as transformation.- Parameters:
key- the key used to encrypt.- Returns:
- a cipher used to encrypt.
- Throws:
NoSuchAlgorithmException- on invalid algorithmNoSuchPaddingException- on invalid paddingInvalidKeyException- if key is not RSA or DSA.
-
getDecryptCipher
public static Cipher getDecryptCipher(Key key) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException Create and initialize a decrypting cipher using key.getAlgorithm as transformation.- Parameters:
key- the key used to decrypt.- Returns:
- a cipher used to decrypt.
- Throws:
NoSuchAlgorithmException- on invalid algorithmNoSuchPaddingException- on invalid paddingInvalidKeyException- if key is not RSA or DSA.
-
getSignature
public static Signature getSignature(Key key, CryptoUtils.Version version) throws InvalidKeyException, NoSuchAlgorithmException, SignatureException Create and configure a signature object based on key type.- Parameters:
key- Key used to sign/verify.version- SIGNATURE_V1 or SIGNATURE_V2- Returns:
- Configured Signature object
- Throws:
InvalidKeyException- if key is not RSA or DSA.NoSuchAlgorithmException- on invalid algorithmSignatureException- on signature error
-
configureSignature
public static void configureSignature(Key key, CryptoUtils.Version version, Signature signature) throws InvalidAlgorithmParameterException - Parameters:
key- Key used to sign/verify.version- SIGNATURE_V1 or SIGNATURE_V2signature- A signature- Throws:
InvalidAlgorithmParameterException- on invalid or inappropriate algorithm parameters
-
sign
public static String sign(PrivateKey privateKey, byte[] data, CryptoUtils.Version version) throws InvalidAlgorithmParameterException, InvalidKeyException, NoSuchAlgorithmException, SignatureException Generate a signature.- Parameters:
privateKey- private key to use, should be acceptable by signature instance.data- data/hash to sign.version- the signature version.- Returns:
- signature as hex encoded string.
- Throws:
InvalidAlgorithmParameterException- on invalid or inappropriate algorithm parametersNoSuchAlgorithmException- on invalid algorithmInvalidKeyException- if key is not RSA or DSA.SignatureException- on signature error
-
verify
public static boolean verify(PublicKey publicKey, byte[] data, String allegedSignature) throws InvalidAlgorithmParameterException, InvalidKeyException, NoSuchAlgorithmException, SignatureException A convenience method that chooses a signature algorithm based on the key type. Works with DSA and RSA keys.- Parameters:
publicKey- public key corresponding to private key that generated signature.data- data/hash to verifyallegedSignature- to try and verify with- Returns:
- boolean
- Throws:
InvalidAlgorithmParameterException- on invalid or inappropriate algorithm parametersInvalidKeyException- if key is not RSA or DSA.NoSuchAlgorithmException- on invalid algorithmSignatureException- on signature error
-
verify
public static boolean verify(PublicKey publicKey, byte[] data, String allegedSignature, CryptoUtils.Version version) throws InvalidAlgorithmParameterException, InvalidKeyException, NoSuchAlgorithmException, SignatureException Verify a signature.- Parameters:
publicKey- public key corresponding to private key that generated signature.data- the data/hash that was signed.allegedSignature- the signature being verified.version- signature version.- Returns:
- true if computed signature matches allegedSignature.
- Throws:
InvalidAlgorithmParameterException- on invalid or inappropriate algorithm parametersNoSuchAlgorithmException- on invalid algorithmInvalidKeyException- if key is not RSA or DSA.SignatureException- on signature error
-
encrypt
public static byte[] encrypt(Key key, byte[] toEncrypt) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, IllegalArgumentException, IOException A convenience method to encrypt a byte array.- Parameters:
key- a key that can be used to encrypt.toEncrypt- the data to encrypt.- Returns:
- encrypted byte array.
- Throws:
InvalidKeyException- if key is not RSA or DSA.NoSuchAlgorithmException- on invalid algorithmNoSuchPaddingException- on invalid paddingIllegalArgumentException- on illegal args passed to functionIOException- on IO error
-
decrypt
public static byte[] decrypt(Key key, byte[] toDecrypt) throws InvalidKeyException, NoSuchAlgorithmException, NoSuchPaddingException, IllegalArgumentException, IOException A convenience method to decrypt a byte array.- Parameters:
key- a key that can be used to decrypt.toDecrypt- the data to decrypt.- Returns:
- decrypted byte array.
- Throws:
InvalidKeyException- if key is not RSA or DSA.NoSuchAlgorithmException- on invalid algorithmNoSuchPaddingException- on invalid paddingIllegalArgumentException- on illegal args passed to functionIOException- on IO error
-
generateAESKey
Generate a new symmetric encryption key.- Parameters:
bits- how many bits. This should be AES_128 or AES256.- Returns:
- generated AES key.
- Throws:
NoSuchAlgorithmException- on invalid algorithm
-
generateRSAKeyPair
Generate a new asymmetric encryption key pair.- Parameters:
bits- how many bits. Must be a valid RSA size.- Returns:
- generated RSA key pair.
- Throws:
NoSuchAlgorithmException- on invalid algorithm
-
generateDSAKeyPair
Generate a new asymmetric signature key pair.- Parameters:
bits- how many bits. Must be a valid DSA size.- Returns:
- generated DSA key pair.
- Throws:
NoSuchAlgorithmException- on invalid algorithm
-
readCertificate
Read a X509 encoded certificate. May be DER or PEM encoded.- Parameters:
bytes- the certificate data as a byte array.- Returns:
- parsed certificate.
- Throws:
CertificateException- on certificate issueIOException- on IO error
-
readPublicKey
Read a X509 encoded public key. May be DER or PEM encoded.- Parameters:
bytes- the key data as a byte array.- Returns:
- parsed public key.
- Throws:
IOException- on IO errorNoSuchAlgorithmException- on invalid algorithm
-
readPrivateKey
Read a PKCS#8 encoded private key. May be DER or PEM encoded.- Parameters:
bytes- the key data as a byte array.- Returns:
- parsed private key.
- Throws:
IOException- on IO errorNoSuchAlgorithmException- on invalid algorithm
-
readOpenSSHPrivateKey
public static PrivateKey readOpenSSHPrivateKey(byte[] bytes, String password) throws IOException, NoSuchAlgorithmException, InvalidKeySpecException Read an OpenSSH private key from a stream.- Parameters:
bytes- the byte array containing an OpenSSH private key.password- password if the key is encrypted.- Returns:
- decoded PrivateKey.
- Throws:
IOException- on IO errorInvalidKeySpecException- when key has invalid specificationsNoSuchAlgorithmException- on invalid algorithm
-
readOpenSSHPublicKey
public static PublicKey readOpenSSHPublicKey(byte[] bytes) throws IOException, InvalidKeySpecException, NoSuchAlgorithmException Read an OpenSSH PublicKey from a stream.- Parameters:
bytes- bytes to read.- Returns:
- a publicKey
- Throws:
IOException- on IO errorNoSuchAlgorithmException- on invalid algorithmInvalidKeySpecException- when key has invalid specifications
-
readDERString
This method reads a DER encoded byte string from a ByteBuffer. A DER encoded string has length = 4 bytes big-endian integer
string = length bytes- Parameters:
buf- buffer containing DER encoded bytes.- Returns:
- bytes the decoded bytes.
-
convertPEMToDER
Read a PEM format. This does not currently support encrypted PEM formats.- Parameters:
string- string containing PEM formatted data.- Returns:
- DER formatted data.
- Throws:
IOException- on IO error
-