Package gov.usgs.util

Class CryptoUtils


  • public class CryptoUtils
    extends java.lang.Object
    Encryption and signing utilities.
    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      static class  CryptoUtils.Version
      Signature versions.
    • Field Summary

      Fields 
      Modifier and Type Field Description
      static int AES_128
      Number of bits for AES 128 bit key.
      static int AES_256
      Number of bits for AES 256 bit key.
      static java.lang.String AES_ALGORITHM
      Algorithm used by AES keys and ciphers.
      static int DSA_1024
      Number of bits for DSA 1024 bit key.
      static java.lang.String DSA_ALGORITHM
      Algorithm used by DSA keys.
      static java.lang.String DSA_SIGNATURE_ALGORITHM
      Algorithm used for signature with DSA key.
      static int RSA_2048
      Number of bits for RSA 2048 bit key.
      static int RSA_4096
      Number of bits for RSA 4096 bit key.
      static java.lang.String RSA_ALGORITHM
      Algorithm used by RSA keys and ciphers.
      static java.lang.String RSA_SIGNATURE_ALGORITHM
      Algorithm used for signature with RSA key.
      static java.lang.String SIGNATURE_V2_DSA_ALGORITHM
      v2 Algorithm for DSA signature
      static java.lang.String SIGNATURE_V2_RSA_ALGORITHM
      v2 Algorithm for RSA signature
    • Constructor Summary

      Constructors 
      Constructor Description
      CryptoUtils()  
    • Method Summary

      All Methods Static Methods Concrete Methods 
      Modifier and Type Method Description
      static void configureSignature​(java.security.Key key, CryptoUtils.Version version, java.security.Signature signature)  
      static byte[] convertPEMToDER​(java.lang.String string)
      Read PEM formatted data and return the DER bytes it encodes.
      static byte[] decrypt​(java.security.Key key, byte[] toDecrypt)
      A convenience method to decrypt a byte array.
      static byte[] encrypt​(java.security.Key key, byte[] toEncrypt)
      A convenience method to encrypt a byte array.
      static java.security.Key generateAESKey​(int bits)
      Generate a new symmetric encryption key.
      static java.security.KeyPair generateDSAKeyPair​(int bits)
      Generate a new asymmetric signature key pair.
      static java.security.KeyPair generateRSAKeyPair​(int bits)
      Generate a new asymmetric encryption key pair.
      static javax.crypto.Cipher getDecryptCipher​(java.security.Key key)
      Create and initialize a decrypting cipher using key.getAlgorithm() as transformation.
      static javax.crypto.Cipher getEncryptCipher​(java.security.Key key)
      Create and initialize an encrypting cipher using key.getAlgorithm() as transformation.
      static java.security.Signature getSignature​(java.security.Key key, CryptoUtils.Version version)
      Create and configure a signature object based on key type.
      static void processCipherStream​(javax.crypto.Cipher cipher, java.io.InputStream in, java.io.OutputStream out)
      Process a data stream using a cipher.
      static java.security.cert.Certificate readCertificate​(byte[] bytes)
      Read a X509 encoded certificate.
      static byte[] readDERString​(java.nio.ByteBuffer buf)
      This method reads a DER encoded byte string from a ByteBuffer.
      static java.security.PrivateKey readOpenSSHPrivateKey​(byte[] bytes, java.lang.String password)
      Read an OpenSSH private key from a byte array.
      static java.security.PublicKey readOpenSSHPublicKey​(byte[] bytes)
      Read an OpenSSH public key from a byte array.
      static java.security.PrivateKey readPrivateKey​(byte[] bytes)
      Read a PKCS#8 encoded private key.
      static java.security.PublicKey readPublicKey​(byte[] bytes)
      Read a X509 encoded public key.
      static java.lang.String sign​(java.security.PrivateKey privateKey, byte[] data)
      A convenience method that chooses a signature algorithm based on the key type.
      static java.lang.String sign​(java.security.PrivateKey privateKey, byte[] data, CryptoUtils.Version version)
      Generate a signature.
      static boolean verify​(java.security.PublicKey publicKey, byte[] data, java.lang.String allegedSignature)
      A convenience method that chooses a signature algorithm based on the key type.
      static boolean verify​(java.security.PublicKey publicKey, byte[] data, java.lang.String allegedSignature, CryptoUtils.Version version)
      Verify a signature.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Field Detail

      • AES_ALGORITHM

        public static final java.lang.String AES_ALGORITHM
        Algorithm used by AES keys and ciphers.
        See Also:
        Constant Field Values
      • AES_128

        public static final int AES_128
        Number of bits for AES 128 bit key.
        See Also:
        Constant Field Values
      • AES_256

        public static final int AES_256
        Number of bits for AES 256 bit key.
        See Also:
        Constant Field Values
      • DSA_ALGORITHM

        public static final java.lang.String DSA_ALGORITHM
        Algorithm used by DSA keys.
        See Also:
        Constant Field Values
      • DSA_SIGNATURE_ALGORITHM

        public static final java.lang.String DSA_SIGNATURE_ALGORITHM
        Algorithm used for signature with DSA key.
        See Also:
        Constant Field Values
      • DSA_1024

        public static final int DSA_1024
        Number of bits for DSA 1024 bit key. Note that 1024-bit DSA is below the 2048-bit minimum that NIST SP 800-131A requires for generating new signatures (it is accepted only for verifying legacy signatures), so prefer RSA_2048 or larger for new signing keys.
        See Also:
        Constant Field Values
      • RSA_ALGORITHM

        public static final java.lang.String RSA_ALGORITHM
        Algorithm used by RSA keys and ciphers.
        See Also:
        Constant Field Values
      • RSA_SIGNATURE_ALGORITHM

        public static final java.lang.String RSA_SIGNATURE_ALGORITHM
        Algorithm used for signature with RSA key.
        See Also:
        Constant Field Values
      • RSA_2048

        public static final int RSA_2048
        Number of bits for RSA 2048 bit key.
        See Also:
        Constant Field Values
      • RSA_4096

        public static final int RSA_4096
        Number of bits for RSA 4096 bit key.
        See Also:
        Constant Field Values
      • SIGNATURE_V2_DSA_ALGORITHM

        public static final java.lang.String SIGNATURE_V2_DSA_ALGORITHM
        v2 Algorithm for DSA signature
        See Also:
        Constant Field Values
      • SIGNATURE_V2_RSA_ALGORITHM

        public static final java.lang.String SIGNATURE_V2_RSA_ALGORITHM
        v2 Algorithm for RSA signature
        See Also:
        Constant Field Values
    • Constructor Detail

      • CryptoUtils

        public CryptoUtils()
    • Method Detail

      • processCipherStream

        public static void processCipherStream​(javax.crypto.Cipher cipher,
                                               java.io.InputStream in,
                                               java.io.OutputStream out)
                                        throws java.security.NoSuchAlgorithmException,
                                               javax.crypto.NoSuchPaddingException,
                                               java.security.InvalidKeyException,
                                               java.io.IOException
        Process a data stream using a cipher. If cipher is initialized to ENCRYPT_MODE, the input stream is encrypted; if it is initialized to DECRYPT_MODE, the input stream is decrypted. The same method therefore serves both directions, and which one you get depends entirely on how the cipher was initialized (see getEncryptCipher and getDecryptCipher).
        Parameters:
        cipher - an initialized cipher.
        in - the data to process: plaintext in ENCRYPT_MODE, ciphertext in DECRYPT_MODE.
        out - where the processed (encrypted or decrypted) data is written.
        Throws:
        java.security.NoSuchAlgorithmException - if invalid encrypt/decrypt algorithm
        javax.crypto.NoSuchPaddingException - on padding error
        java.security.InvalidKeyException - if the cipher's key cannot be used for its algorithm.
        java.io.IOException - if IO error occurs
      • getEncryptCipher

        public static javax.crypto.Cipher getEncryptCipher​(java.security.Key key)
                                                    throws java.security.NoSuchAlgorithmException,
                                                           javax.crypto.NoSuchPaddingException,
                                                           java.security.InvalidKeyException
        Create and initialize an encrypting cipher using key.getAlgorithm() as transformation. Because only the algorithm name (for example "AES" or "RSA") is passed to Cipher.getInstance, the mode and padding are the provider's defaults: with the SunJCE provider that means AES/ECB/PKCS5Padding and RSA/ECB/PKCS1Padding. ECB encrypts equal plaintext blocks to equal ciphertext blocks, and neither default authenticates the ciphertext, so protect integrity separately (for example with sign/verify) when tampering matters.
        Parameters:
        key - the key used to encrypt.
        Returns:
        a cipher used to encrypt.
        Throws:
        java.security.NoSuchAlgorithmException - on invalid algorithm
        javax.crypto.NoSuchPaddingException - on invalid padding
        java.security.InvalidKeyException - if the key cannot initialize a cipher for its algorithm.
      • getDecryptCipher

        public static javax.crypto.Cipher getDecryptCipher​(java.security.Key key)
                                                    throws java.security.NoSuchAlgorithmException,
                                                           javax.crypto.NoSuchPaddingException,
                                                           java.security.InvalidKeyException
        Create and initialize a decrypting cipher using key.getAlgorithm() as transformation. As with getEncryptCipher, mode and padding are the provider's defaults for the bare algorithm name (ECB with PKCS5Padding for AES and PKCS1Padding for RSA under SunJCE), so a padding error on decryption is the only built-in indication of a wrong key or corrupted data; it is not an integrity check.
        Parameters:
        key - the key used to decrypt.
        Returns:
        a cipher used to decrypt.
        Throws:
        java.security.NoSuchAlgorithmException - on invalid algorithm
        javax.crypto.NoSuchPaddingException - on invalid padding
        java.security.InvalidKeyException - if the key cannot initialize a cipher for its algorithm.
      • getSignature

        public static java.security.Signature getSignature​(java.security.Key key,
                                                           CryptoUtils.Version version)
                                                    throws java.security.InvalidKeyException,
                                                           java.security.NoSuchAlgorithmException,
                                                           java.security.SignatureException
        Create and configure a signature object based on key type.
        Parameters:
        key - Key used to sign/verify.
        version - SIGNATURE_V1 or SIGNATURE_V2
        Returns:
        Configured Signature object
        Throws:
        java.security.InvalidKeyException - if key is not RSA or DSA.
        java.security.NoSuchAlgorithmException - on invalid algorithm
        java.security.SignatureException - on signature error
      • configureSignature

        public static void configureSignature​(java.security.Key key,
                                              CryptoUtils.Version version,
                                              java.security.Signature signature)
                                       throws java.security.InvalidAlgorithmParameterException
        Parameters:
        key - Key used to sign/verify.
        version - SIGNATURE_V1 or SIGNATURE_V2
        signature - A signature
        Throws:
        java.security.InvalidAlgorithmParameterException - on invalid or inappropriate algorithm parameters
      • sign

        public static java.lang.String sign​(java.security.PrivateKey privateKey,
                                            byte[] data)
                                     throws java.security.InvalidAlgorithmParameterException,
                                            java.security.InvalidKeyException,
                                            java.security.NoSuchAlgorithmException,
                                            java.security.SignatureException
        A convenience method that chooses a signature algorithm based on the key type. Works with DSA and RSA keys.
        Parameters:
        privateKey - a private key
        data - data to sign
        Returns:
        signature as hex encoded string
        Throws:
        java.security.InvalidAlgorithmParameterException - on invalid or inappropriate algorithm parameters
        java.security.InvalidKeyException - if key is not RSA or DSA.
        java.security.NoSuchAlgorithmException - on invalid algorithm
        java.security.SignatureException - on signature error
      • sign

        public static java.lang.String sign​(java.security.PrivateKey privateKey,
                                            byte[] data,
                                            CryptoUtils.Version version)
                                     throws java.security.InvalidAlgorithmParameterException,
                                            java.security.InvalidKeyException,
                                            java.security.NoSuchAlgorithmException,
                                            java.security.SignatureException
        Generate a signature.
        Parameters:
        privateKey - private key to use, should be acceptable by signature instance.
        data - data/hash to sign.
        version - the signature version.
        Returns:
        signature as hex encoded string.
        Throws:
        java.security.InvalidAlgorithmParameterException - on invalid or inappropriate algorithm parameters
        java.security.NoSuchAlgorithmException - on invalid algorithm
        java.security.InvalidKeyException - if key is not RSA or DSA.
        java.security.SignatureException - on signature error
      • verify

        public static boolean verify​(java.security.PublicKey publicKey,
                                     byte[] data,
                                     java.lang.String allegedSignature)
                              throws java.security.InvalidAlgorithmParameterException,
                                     java.security.InvalidKeyException,
                                     java.security.NoSuchAlgorithmException,
                                     java.security.SignatureException
        A convenience method that chooses a signature algorithm based on the key type. Works with DSA and RSA keys.
        Parameters:
        publicKey - public key corresponding to private key that generated signature.
        data - data/hash to verify
        allegedSignature - to try and verify with
        Returns:
        true if allegedSignature verifies against data and publicKey, false otherwise.
        Throws:
        java.security.InvalidAlgorithmParameterException - on invalid or inappropriate algorithm parameters
        java.security.InvalidKeyException - if key is not RSA or DSA.
        java.security.NoSuchAlgorithmException - on invalid algorithm
        java.security.SignatureException - on signature error
      • verify

        public static boolean verify​(java.security.PublicKey publicKey,
                                     byte[] data,
                                     java.lang.String allegedSignature,
                                     CryptoUtils.Version version)
                              throws java.security.InvalidAlgorithmParameterException,
                                     java.security.InvalidKeyException,
                                     java.security.NoSuchAlgorithmException,
                                     java.security.SignatureException
        Verify a signature.
        Parameters:
        publicKey - public key corresponding to private key that generated signature.
        data - the data/hash that was signed.
        allegedSignature - the signature being verified.
        version - signature version.
        Returns:
        true if computed signature matches allegedSignature.
        Throws:
        java.security.InvalidAlgorithmParameterException - on invalid or inappropriate algorithm parameters
        java.security.NoSuchAlgorithmException - on invalid algorithm
        java.security.InvalidKeyException - if key is not RSA or DSA.
        java.security.SignatureException - on signature error
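The sign/verify round trip described above, as an added example that is not part of the CryptoUtils Javadoc or the PDL code base. It signs a constructed payload with sign(), verifies it with verify(), and then shows that a single flipped bit in the data, or a single changed hex digit in the signature, is rejected. It assumes the jar providing gov.usgs.util.CryptoUtils is on the classpath and that CryptoUtils.Version exposes SIGNATURE_V2 as named in the getSignature parameter description; a malformed signature may surface as a SignatureException rather than a false return, so the helper treats both as rejection.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SignatureException;

import gov.usgs.util.CryptoUtils;

/**
 * Added example (not from the CryptoUtils Javadoc or the PDL project).
 * Assumes gov.usgs.util.CryptoUtils is on the classpath.
 */
public class SignVerifyExample {

    /** A signature that verifies false, or cannot even be parsed, is equally rejected. */
    static boolean verifies(PublicKey pub, byte[] data, String sig, CryptoUtils.Version version)
            throws Exception {
        try {
            return CryptoUtils.verify(pub, data, sig, version);
        } catch (SignatureException malformed) {
            return false;
        }
    }

    /** True only if the original verifies and both tampered variants do not. */
    public static boolean roundTrip(KeyPair pair, byte[] data, CryptoUtils.Version version)
            throws Exception {
        PrivateKey priv = pair.getPrivate();
        PublicKey pub = pair.getPublic();

        // sign() returns the signature as a hex encoded string.
        String sig = CryptoUtils.sign(priv, data, version);
        boolean original = verifies(pub, data, sig, version);

        // Flip one bit in the signed data.
        byte[] tamperedData = data.clone();
        tamperedData[0] ^= 0x01;
        boolean dataRejected = !verifies(pub, tamperedData, sig, version);

        // Change one hex digit of the signature (same length, still valid hex).
        char first = sig.charAt(0) == '0' ? '1' : '0';
        String tamperedSig = first + sig.substring(1);
        boolean sigRejected = !verifies(pub, data, tamperedSig, version);

        return original && dataRejected && sigRejected;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload.
        byte[] payload = "constructed sample: product contents".getBytes(StandardCharsets.UTF_8);

        KeyPair rsa = CryptoUtils.generateRSAKeyPair(CryptoUtils.RSA_2048);
        System.out.println("RSA, explicit v2: "
                + roundTrip(rsa, payload, CryptoUtils.Version.SIGNATURE_V2));

        // The two-argument overloads choose the algorithm from the key type.
        String sig = CryptoUtils.sign(rsa.getPrivate(), payload);
        System.out.println("RSA, default version: "
                + CryptoUtils.verify(rsa.getPublic(), payload, sig));
        System.out.println("signature: " + sig.length() / 2 + " bytes, hex "
                + sig.substring(0, 16) + "...");
    }
}
```

Run with the PDL jar on the classpath; both lines print true. Verify with the same Version that produced the signature: the v1 and v2 constants select different signature algorithms, so a signature must be checked with the version it was created under.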
      • encrypt

        public static byte[] encrypt​(java.security.Key key,
                                     byte[] toEncrypt)
                              throws java.security.InvalidKeyException,
                                     java.security.NoSuchAlgorithmException,
                                     javax.crypto.NoSuchPaddingException,
                                     java.lang.IllegalArgumentException,
                                     java.io.IOException
        A convenience method to encrypt a byte array.
        Parameters:
        key - a key that can be used to encrypt.
        toEncrypt - the data to encrypt.
        Returns:
        encrypted byte array.
        Throws:
        java.security.InvalidKeyException - if key is not RSA or DSA.
        java.security.NoSuchAlgorithmException - on invalid algorithm
        javax.crypto.NoSuchPaddingException - on invalid padding
        java.lang.IllegalArgumentException - on illegal args passed to function
        java.io.IOException - on IO error
      • decrypt

        public static byte[] decrypt​(java.security.Key key,
                                     byte[] toDecrypt)
                              throws java.security.InvalidKeyException,
                                     java.security.NoSuchAlgorithmException,
                                     javax.crypto.NoSuchPaddingException,
                                     java.lang.IllegalArgumentException,
                                     java.io.IOException
        A convenience method to decrypt a byte array.
        Parameters:
        key - a key that can be used to decrypt.
        toDecrypt - the data to decrypt.
        Returns:
        decrypted byte array.
        Throws:
        java.security.InvalidKeyException - if key is not RSA or DSA.
        java.security.NoSuchAlgorithmException - on invalid algorithm
        javax.crypto.NoSuchPaddingException - on invalid padding
        java.lang.IllegalArgumentException - on illegal args passed to function
        java.io.IOException - on IO error
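An added example, not part of the CryptoUtils Javadoc or the PDL code base, covering encrypt(), decrypt(), getDecryptCipher() and processCipherStream() together. It round-trips a constructed message under an AES key, wraps that AES key under an RSA public key, and makes the ECB default visible by encrypting two identical plaintext blocks. It assumes the jar providing gov.usgs.util.CryptoUtils is on the classpath and that the SunJCE provider is in use, where the bare "AES" transformation means AES/ECB/PKCS5Padding (another provider may choose a different default); AES_256 additionally needs a JDK without the legacy unlimited-strength policy restriction.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.util.Arrays;

import javax.crypto.Cipher;

import gov.usgs.util.CryptoUtils;

/**
 * Added example (not from the CryptoUtils Javadoc or the PDL project).
 * Assumes gov.usgs.util.CryptoUtils is on the classpath and the SunJCE
 * provider defaults (bare "AES" == AES/ECB/PKCS5Padding).
 */
public class EncryptDecryptExample {

    /** Encrypt a byte array, then decrypt it again through the streaming API. */
    public static byte[] roundTrip(Key key, byte[] plaintext) throws Exception {
        byte[] ciphertext = CryptoUtils.encrypt(key, plaintext);

        Cipher decrypting = CryptoUtils.getDecryptCipher(key);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        CryptoUtils.processCipherStream(decrypting, new ByteArrayInputStream(ciphertext), out);
        return out.toByteArray();
    }

    /**
     * True when two identical 16-byte plaintext blocks encrypt to two identical
     * ciphertext blocks, which is what ECB (no chaining, no nonce) produces.
     */
    public static boolean leaksEqualBlocks(Key aesKey) throws Exception {
        byte[] repeated = new byte[32];
        Arrays.fill(repeated, (byte) 'A');
        byte[] ct = CryptoUtils.encrypt(aesKey, repeated);
        return ct.length >= 32
                && Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload.
        byte[] message = "constructed sample: product contents".getBytes(StandardCharsets.UTF_8);

        Key aes = CryptoUtils.generateAESKey(CryptoUtils.AES_256);
        byte[] recovered = roundTrip(aes, message);
        System.out.println("AES round trip ok:   " + Arrays.equals(message, recovered));
        System.out.println("ECB pattern visible: " + leaksEqualBlocks(aes));

        // RSA with PKCS#1 v1.5 padding holds at most 245 bytes under a 2048-bit
        // modulus, so it is used to wrap the 32-byte AES key, not the message.
        KeyPair rsa = CryptoUtils.generateRSAKeyPair(CryptoUtils.RSA_2048);
        byte[] wrapped = CryptoUtils.encrypt(rsa.getPublic(), aes.getEncoded());
        byte[] unwrapped = CryptoUtils.decrypt(rsa.getPrivate(), wrapped);
        System.out.println("RSA key wrap ok:     " + Arrays.equals(aes.getEncoded(), unwrapped));
        System.out.println("wrapped key length:  " + wrapped.length + " bytes");

        // A wrong AES key almost always fails the PKCS5 padding check. Whether that
        // surfaces as an exception or as garbage output depends on how the cipher
        // stream reports BadPaddingException, so a padding error is not an
        // integrity check; sign the ciphertext if tampering must be detected.
        Key otherKey = CryptoUtils.generateAESKey(CryptoUtils.AES_256);
        try {
            byte[] garbage = CryptoUtils.decrypt(otherKey, CryptoUtils.encrypt(aes, message));
            System.out.println("wrong key:           no error, " + garbage.length + " bytes of garbage");
        } catch (Exception e) {
            System.out.println("wrong key:           rejected (" + e.getClass().getSimpleName() + ")");
        }
    }
}
```

The "ECB pattern visible" line prints true under SunJCE: the second 16-byte ciphertext block equals the first, which is the block-pattern leak that makes ECB unsuitable for structured or repetitive data.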
      • generateAESKey

        public static java.security.Key generateAESKey​(int bits)
                                                throws java.security.NoSuchAlgorithmException
        Generate a new symmetric encryption key.
        Parameters:
        bits - how many bits. This should be AES_128 or AES_256.
        Returns:
        generated AES key.
        Throws:
        java.security.NoSuchAlgorithmException - on invalid algorithm
      • generateRSAKeyPair

        public static java.security.KeyPair generateRSAKeyPair​(int bits)
                                                        throws java.security.NoSuchAlgorithmException
        Generate a new asymmetric encryption key pair.
        Parameters:
        bits - how many bits. Must be a valid RSA size.
        Returns:
        generated RSA key pair.
        Throws:
        java.security.NoSuchAlgorithmException - on invalid algorithm
      • generateDSAKeyPair

        public static java.security.KeyPair generateDSAKeyPair​(int bits)
                                                        throws java.security.NoSuchAlgorithmException
        Generate a new asymmetric signature key pair.
        Parameters:
        bits - how many bits. Must be a valid DSA size.
        Returns:
        generated DSA key pair.
        Throws:
        java.security.NoSuchAlgorithmException - on invalid algorithm
      • readCertificate

        public static java.security.cert.Certificate readCertificate​(byte[] bytes)
                                                              throws java.security.cert.CertificateException,
                                                                     java.io.IOException
        Read a X509 encoded certificate. May be DER or PEM encoded.
        Parameters:
        bytes - the certificate data as a byte array.
        Returns:
        parsed certificate.
        Throws:
        java.security.cert.CertificateException - on certificate issue
        java.io.IOException - on IO error
      • readPublicKey

        public static java.security.PublicKey readPublicKey​(byte[] bytes)
                                                     throws java.io.IOException,
                                                            java.security.NoSuchAlgorithmException
        Read a X509 encoded public key. May be DER or PEM encoded.
        Parameters:
        bytes - the key data as a byte array.
        Returns:
        parsed public key.
        Throws:
        java.io.IOException - on IO error
        java.security.NoSuchAlgorithmException - on invalid algorithm
      • readPrivateKey

        public static java.security.PrivateKey readPrivateKey​(byte[] bytes)
                                                       throws java.io.IOException,
                                                              java.security.NoSuchAlgorithmException
        Read a PKCS#8 encoded private key. May be DER or PEM encoded.
        Parameters:
        bytes - the key data as a byte array.
        Returns:
        parsed private key.
        Throws:
        java.io.IOException - on IO error
        java.security.NoSuchAlgorithmException - on invalid algorithm
      • readOpenSSHPrivateKey

        public static java.security.PrivateKey readOpenSSHPrivateKey​(byte[] bytes,
                                                                     java.lang.String password)
                                                              throws java.io.IOException,
                                                                     java.security.NoSuchAlgorithmException,
                                                                     java.security.spec.InvalidKeySpecException
        Read an OpenSSH private key from a byte array.
        Parameters:
        bytes - the byte array containing an OpenSSH private key.
        password - password if the key is encrypted.
        Returns:
        decoded PrivateKey.
        Throws:
        java.io.IOException - on IO error
        java.security.spec.InvalidKeySpecException - when key has invalid specifications
        java.security.NoSuchAlgorithmException - on invalid algorithm
      • readOpenSSHPublicKey

        public static java.security.PublicKey readOpenSSHPublicKey​(byte[] bytes)
                                                            throws java.io.IOException,
                                                                   java.security.spec.InvalidKeySpecException,
                                                                   java.security.NoSuchAlgorithmException
        Read an OpenSSH public key from a byte array.
        Parameters:
        bytes - the OpenSSH public key data.
        Returns:
        the decoded PublicKey.
        Throws:
        java.io.IOException - on IO error
        java.security.NoSuchAlgorithmException - on invalid algorithm
        java.security.spec.InvalidKeySpecException - when key has invalid specifications
      • readDERString

        public static byte[] readDERString​(java.nio.ByteBuffer buf)
        This method reads a length-prefixed byte string from a ByteBuffer, starting at the buffer's current position. The encoding is the one used inside OpenSSH key blobs (the string type of RFC 4251):
        length = 4 bytes big-endian unsigned integer
        string = length bytes
        Despite the method name this is not ASN.1 DER, which uses tag-length-value encoding; the name refers only to the raw byte string the method returns.
        Parameters:
        buf - buffer containing the length-prefixed bytes.
        Returns:
        bytes the decoded bytes.
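An added example, not part of the CryptoUtils Javadoc or the PDL code base, that implements the length-prefixed string format described for readDERString and uses it to build and parse the OpenSSH public key blob that readOpenSSHPublicKey consumes. It generates an RSA key with the JDK, encodes it as the "ssh-rsa" blob (type string, then the exponent and modulus as mpints), parses the blob back into a PublicKey, and shows the bounds check a reader of untrusted input needs: the 4-byte length is attacker-controlled and must not exceed the bytes actually present. The helper names (readString, encodeSshRsa, decodeSshRsa) are this example's own, not the library's.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

/** Added example (not from the CryptoUtils Javadoc or the PDL project); JDK only. */
public class OpenSshWireFormatExample {

    /** Read one RFC 4251 string: 4-byte big-endian length, then that many bytes. */
    public static byte[] readString(ByteBuffer buf) {
        if (buf.remaining() < 4) {
            throw new IllegalArgumentException("truncated length prefix");
        }
        int length = buf.getInt();
        // Untrusted length: reject negative (top bit set) and oversized values before
        // allocating, instead of letting buf.get() throw BufferUnderflowException.
        if (length < 0 || length > buf.remaining()) {
            throw new IllegalArgumentException("declared length " + (length & 0xffffffffL)
                    + " exceeds remaining " + buf.remaining());
        }
        byte[] out = new byte[length];
        buf.get(out);
        return out;
    }

    /** Write one length-prefixed string. */
    static void writeString(ByteArrayOutputStream out, byte[] s) throws IOException {
        out.write(ByteBuffer.allocate(4).putInt(s.length).array());
        out.write(s);
    }

    /** Encode an RSA public key as the blob that follows "ssh-rsa " in an authorized_keys line. */
    public static byte[] encodeSshRsa(RSAPublicKey key) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        writeString(out, "ssh-rsa".getBytes(StandardCharsets.US_ASCII));
        // mpint is big-endian two's complement with a minimal leading zero byte,
        // which is exactly what BigInteger.toByteArray() produces.
        writeString(out, key.getPublicExponent().toByteArray());
        writeString(out, key.getModulus().toByteArray());
        return out.toByteArray();
    }

    /** Parse an ssh-rsa blob back into a PublicKey, refusing other types and trailing data. */
    public static PublicKey decodeSshRsa(byte[] blob) throws Exception {
        ByteBuffer buf = ByteBuffer.wrap(blob);
        String type = new String(readString(buf), StandardCharsets.US_ASCII);
        if (!"ssh-rsa".equals(type)) {
            throw new IllegalArgumentException("unsupported key type: " + type);
        }
        BigInteger e = new BigInteger(readString(buf));
        BigInteger n = new BigInteger(readString(buf));
        if (buf.hasRemaining()) {
            throw new IllegalArgumentException("trailing data after key");
        }
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        byte[] blob = encodeSshRsa((RSAPublicKey) pair.getPublic());
        System.out.println("ssh-rsa " + Base64.getEncoder().encodeToString(blob));

        PublicKey parsed = decodeSshRsa(blob);
        System.out.println("round trip ok: " + parsed.equals(pair.getPublic()));

        // Constructed hostile input: a length field of 0x7fffffff followed by 2 bytes.
        byte[] bogus = ByteBuffer.allocate(6).putInt(0x7fffffff).put((byte) 1).put((byte) 2).array();
        try {
            readString(ByteBuffer.wrap(bogus));
        } catch (IllegalArgumentException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

The printed "ssh-rsa ..." line is a valid authorized_keys entry for the generated key, and the round-trip check prints true. The same readString is what a private key parser needs for the nested strings of the "openssh-key-v1" format, where the length check matters even more because the blob may have come from disk or a user upload.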
      • convertPEMToDER

        public static byte[] convertPEMToDER​(java.lang.String string)
                                      throws java.io.IOException
        Read PEM formatted data (a base64 body between -----BEGIN ...----- and -----END ...----- lines) and return the DER bytes it encodes. This does not currently support encrypted PEM formats.
        Parameters:
        string - string containing PEM formatted data.
        Returns:
        DER formatted data.
        Throws:
        java.io.IOException - on IO error
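An added example, not part of the CryptoUtils Javadoc or the PDL code base, showing with the JDK alone the PEM to DER conversion that convertPEMToDER performs and the X.509 (SubjectPublicKeyInfo) and PKCS#8 parsing that readPublicKey and readPrivateKey describe. It generates an RSA pair, writes both keys as PEM, reads them back, and adds the checks a loader of untrusted key files should make: the BEGIN and END labels must match and be the expected ones, and the legacy encrypted-PEM headers are refused rather than decoded as base64. The helper names (pemToDer, derToPem, loadPublicKey, loadPrivateKey) are this example's own; trying "RSA" then "DSA" mirrors the two key algorithms this class supports but is the example's choice, not a description of the library's implementation.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (not from the CryptoUtils Javadoc or the PDL project); JDK only. */
public class PemKeyExample {

    /** One PEM block: BEGIN line, body, END line carrying the same label. */
    private static final Pattern PEM_BLOCK = Pattern.compile(
            "-----BEGIN ([A-Z0-9 ]+)-----\\s*(.*?)\\s*-----END \\1-----", Pattern.DOTALL);

    /** Return the DER bytes of the first PEM block, which must carry the expected label. */
    public static byte[] pemToDer(String pem, String expectedLabel) {
        Matcher m = PEM_BLOCK.matcher(pem);
        if (!m.find()) {
            throw new IllegalArgumentException("no PEM block found");
        }
        if (!expectedLabel.equals(m.group(1))) {
            throw new IllegalArgumentException("expected " + expectedLabel + " but found " + m.group(1));
        }
        String body = m.group(2);
        // Legacy encrypted PEM puts header lines before the base64; refuse them.
        if (body.contains("Proc-Type:") || body.contains("DEK-Info:")) {
            throw new IllegalArgumentException("encrypted PEM is not supported");
        }
        // The MIME decoder tolerates the 64 column line breaks of a PEM body.
        return Base64.getMimeDecoder().decode(body);
    }

    /** Wrap DER bytes in a PEM block with 64 column base64 lines. */
    public static String derToPem(byte[] der, String label) {
        Base64.Encoder enc = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));
        return "-----BEGIN " + label + "-----\n" + enc.encodeToString(der) + "\n-----END " + label + "-----\n";
    }

    /** Parse X.509 SubjectPublicKeyInfo DER, trying the key algorithms this page lists. */
    public static PublicKey loadPublicKey(byte[] der) throws Exception {
        X509EncodedKeySpec spec = new X509EncodedKeySpec(der);
        InvalidKeySpecException last = null;
        for (String algorithm : new String[] { "RSA", "DSA" }) {
            try {
                return KeyFactory.getInstance(algorithm).generatePublic(spec);
            } catch (InvalidKeySpecException e) {
                last = e;
            }
        }
        throw new InvalidKeySpecException("not an RSA or DSA public key", last);
    }

    /** Parse PKCS#8 DER the same way. */
    public static PrivateKey loadPrivateKey(byte[] der) throws Exception {
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
        InvalidKeySpecException last = null;
        for (String algorithm : new String[] { "RSA", "DSA" }) {
            try {
                return KeyFactory.getInstance(algorithm).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                last = e;
            }
        }
        throw new InvalidKeySpecException("not an RSA or DSA private key", last);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        // getEncoded() is X.509 SubjectPublicKeyInfo for public keys and PKCS#8 for
        // private keys, i.e. the "PUBLIC KEY" and "PRIVATE KEY" PEM labels.
        String pubPem = derToPem(pair.getPublic().getEncoded(), "PUBLIC KEY");
        String privPem = derToPem(pair.getPrivate().getEncoded(), "PRIVATE KEY");
        System.out.print(pubPem);

        PublicKey pub = loadPublicKey(pemToDer(pubPem, "PUBLIC KEY"));
        PrivateKey priv = loadPrivateKey(pemToDer(privPem, "PRIVATE KEY"));
        System.out.println("public key round trip ok:  " + pub.equals(pair.getPublic()));
        System.out.println("private key round trip ok: " + priv.equals(pair.getPrivate()));

        // A private key file handed to the public key loader is refused by its label.
        try {
            pemToDer(privPem, "PUBLIC KEY");
        } catch (IllegalArgumentException expected) {
            System.out.println("label check: " + expected.getMessage());
        }
    }
}
```

Both round-trip lines print true. Checking the label before decoding is what keeps a file with a "RSA PRIVATE KEY" (PKCS#1) or "ENCRYPTED PRIVATE KEY" header from being fed to a parser expecting plain PKCS#8, where the failure would otherwise surface later as an opaque InvalidKeySpecException.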