Package dev.dsf.bpe.v2.service

Interface CryptoService

public interface CryptoService

Provides methods for:

• Creating and using RSA and ECDH key encapsulation mechanism
• Reading X509 certificates and private-keys (encrypted or not encrypted)
• Reading JKS and PKCS12 key-stores
• Creating JKS and PKCS12 key-stores based on trusted certificates or private-key and certificate chain
• Generating RSA (4096 bit), EC (secp256r1, secp384r1, secp521r1, X25519, X448) key-pairs
• Validating key-pairs to check if a private-key belongs to a public-key
• Validating certificates
• Creating SSLContexts based on a key-store with trusted certificates and/or a key-store with private-key and certificate chain

Nested Class Summary

Nested Classes

Modifier and Type	Interface	Description
static interface	CryptoService.Kem	Key encapsulation mechanism with encrypt and decrypt methods.

Method Summary

Modifier and Type	Method	Description
CryptoService.Kem	createEcDhKem()
KeyPairGenerator	createKeyPairGeneratorRsa4096AndInitialize()
KeyPairGenerator	createKeyPairGeneratorSecp256r1AndInitialize()
KeyPairGenerator	createKeyPairGeneratorSecp384r1AndInitialize()
KeyPairGenerator	createKeyPairGeneratorSecp521r1AndInitialize()
KeyPairGenerator	createKeyPairGeneratorX25519AndInitialize()
KeyPairGenerator	createKeyPairGeneratorX448AndInitialize()
default KeyStore	createKeyStoreForPrivateKeyAndCertificateChain(PrivateKey key, char[] password, X509Certificate... chain)
KeyStore	createKeyStoreForPrivateKeyAndCertificateChain(PrivateKey key, char[] password, Collection<? extends X509Certificate> chain)
default KeyStore	createKeyStoreForTrustedCertificates(X509Certificate... certificates)
KeyStore	createKeyStoreForTrustedCertificates(Collection<? extends X509Certificate> certificates)
CryptoService.Kem	createRsaKem()
SSLContext	createSSLContext(KeyStore trustStore)
SSLContext	createSSLContext(KeyStore trustStore, KeyStore keyStore, char[] keyStorePassword)
boolean	isCertificateExpired(X509Certificate certificate)
boolean	isClientCertificate(X509Certificate certificate)
boolean	isKeyPair(PrivateKey privateKey, PublicKey publicKey)	Checks if the given privateKey and publicKey match by checking if a generated signature can be verified for RSA, EC and EdDSA key pairs or a Diffie-Hellman key agreement produces the same secret key for a XDH key pair.
boolean	isServerCertificate(X509Certificate certificate)
X509Certificate	readCertificate(InputStream pem)
default X509Certificate	readCertificate(Path pem)
List<X509Certificate>	readCertificates(InputStream pem)
default List<X509Certificate>	readCertificates(Path pem)
KeyStore	readKeyStoreJks(InputStream stream, char[] password)
default KeyStore	readKeyStoreJks(Path file, char[] password)
KeyStore	readKeyStorePkcs12(InputStream stream, char[] password)
default KeyStore	readKeyStorePkcs12(Path file, char[] password)
default PrivateKey	readPrivateKey(InputStream pem)
PrivateKey	readPrivateKey(InputStream pem, char[] password)
default PrivateKey	readPrivateKey(Path pem)
default PrivateKey	readPrivateKey(Path pem, char[] password)
default void	validateClientCertificate(KeyStore trustStore, X509Certificate... certificateChain)
void	validateClientCertificate(KeyStore trustStore, Collection<? extends X509Certificate> certificateChain)
default void	validateServerCertificate(KeyStore trustStore, X509Certificate... certificateChain)
void	validateServerCertificate(KeyStore trustStore, Collection<? extends X509Certificate> certificateChain)

Method Details

createRsaKem

CryptoService.Kem createRsaKem()

Returns:

key encapsulation mechanism with RSA key exchange using KDF2 SHA-512 for AES-256, use with RSA key pairs

createEcDhKem

CryptoService.Kem createEcDhKem()

Returns:

key encapsulation mechanism with Diffie–Hellman key exchange for AES-256, use with elliptic curve key pairs like X25519, X448, secp256r1, secp384r1 and secp521r1

createKeyPairGeneratorRsa4096AndInitialize

KeyPairGenerator createKeyPairGeneratorRsa4096AndInitialize()

Returns:

created and initialized RSA (4096 bit) key pair generator

See Also:

• KeyPairGenerator.generateKeyPair()

createKeyPairGeneratorSecp256r1AndInitialize

KeyPairGenerator createKeyPairGeneratorSecp256r1AndInitialize()

Returns:

created and initialized secp256r1 key pair generator

See Also:

• KeyPairGenerator.generateKeyPair()

createKeyPairGeneratorSecp384r1AndInitialize

KeyPairGenerator createKeyPairGeneratorSecp384r1AndInitialize()

Returns:

created and initialized secp384r1 key pair generator

See Also:

• KeyPairGenerator.generateKeyPair()

createKeyPairGeneratorSecp521r1AndInitialize

KeyPairGenerator createKeyPairGeneratorSecp521r1AndInitialize()

Returns:

created and initialized secp521r1 key pair generator

See Also:

• KeyPairGenerator.generateKeyPair()

createKeyPairGeneratorX25519AndInitialize

KeyPairGenerator createKeyPairGeneratorX25519AndInitialize()

Returns:

created and initialized x25519 key pair generator

See Also:

• KeyPairGenerator.generateKeyPair()

createKeyPairGeneratorX448AndInitialize

KeyPairGenerator createKeyPairGeneratorX448AndInitialize()

Returns:

created and initialized x448 key pair generator

See Also:

• KeyPairGenerator.generateKeyPair()

readCertificate

default X509Certificate readCertificate(Path pem)
                                 throws IOException

Parameters:

pem - not null

Returns:

certificate

Throws:

IOException - if the given file does not contain a pem encoded certificate, more than one or is not readable or parsable

readCertificate

X509Certificate readCertificate(InputStream pem)
                         throws IOException

Parameters:

pem - not null

Returns:

certificate

Throws:

IOException - if the given InputStream does not contain a pem encoded certificate, more than one or is not readable or parsable

readCertificates

default List<X509Certificate> readCertificates(Path pem)
                                        throws IOException

Parameters:

pem - not null

Returns:

list of certificates

Throws:

IOException - if the given file does not contain pem encoded certificates or is not readable or one is not parsable

readCertificates

List<X509Certificate> readCertificates(InputStream pem)
                                throws IOException

Parameters:

pem -

Returns:

list of certificates

Throws:

IOException - if the given InputStream does not contain pem encoded certificates or is not readable or one is not parsable

readPrivateKey

default PrivateKey readPrivateKey(Path pem)
                           throws IOException

Parameters:

pem - not null

Returns:

private key

Throws:

IOException - if the given file does not contain a pem encoded, unencrypted private key, more than one or is not readable or parsable

readPrivateKey

default PrivateKey readPrivateKey(InputStream pem)
                           throws IOException

Parameters:

pem - not null

Returns:

private key

Throws:

IOException - if the given InputStream does not contain a pem encoded, unencrypted private key, more than one or is not readable or parsable

readPrivateKey

default PrivateKey readPrivateKey(Path pem,
 char[] password)
                           throws IOException

Parameters:

pem - not null

password - if key encrypted not null

Returns:

private key

Throws:

IOException - if the given file does not contain a pem encoded private key, more than one or is not readable or parsable

readPrivateKey

PrivateKey readPrivateKey(InputStream pem,
 char[] password)
                   throws IOException

Parameters:

pem - not null

password - if key encrypted not null

Returns:

private key

Throws:

IOException - if the given InputStream does not contain a pem encoded private key, more than one or is not readable or parsable

isKeyPair

boolean isKeyPair(PrivateKey privateKey,
 PublicKey publicKey)

Checks if the given privateKey and publicKey match by checking if a generated signature can be verified for RSA, EC and EdDSA key pairs or a Diffie-Hellman key agreement produces the same secret key for a XDH key pair. If the privateKey is a RSAPrivateCrtKey and the publicKey is a RSAPublicKey modulus and public-exponent will be compared.

Parameters:

privateKey - may be null

publicKey - may be null

Returns:

true if the given keys are not null and match

isCertificateExpired

boolean isCertificateExpired(X509Certificate certificate)

Parameters:

certificate - not null

Returns:

true if the given certificate not-after field is after ZonedDateTime.now()

isClientCertificate

boolean isClientCertificate(X509Certificate certificate)

Parameters:

certificate - not null

Returns:

true if given certificate has extended key usage extension "TLS Web Client Authentication"

isServerCertificate

boolean isServerCertificate(X509Certificate certificate)

Parameters:

certificate - not null

Returns:

true if given certificate has extended key usage extension "TLS Web Server Authentication"

validateClientCertificate

default void validateClientCertificate(KeyStore trustStore,
 X509Certificate... certificateChain)
                                throws CertificateException

Parameters:

trustStore - not null

certificateChain - not null

Throws:

CertificateException - if the the given certificate or certificate chain is not trusted as a client certificate by a PKIX trust manager created for the given trust store

validateClientCertificate

void validateClientCertificate(KeyStore trustStore,
 Collection<? extends X509Certificate> certificateChain)
                        throws CertificateException

Parameters:

trustStore - not null

certificateChain - not null

Throws:

CertificateException - if the the given certificate or certificate chain is not trusted as a client certificate by a PKIX trust manager created for the given trust store

validateServerCertificate

default void validateServerCertificate(KeyStore trustStore,
 X509Certificate... certificateChain)
                                throws CertificateException

Parameters:

trustStore - not null

certificateChain - not null

Throws:

CertificateException - if the the given certificate or certificate chain is not trusted as a server certificate by a PKIX trust manager created for the given trust store

validateServerCertificate

void validateServerCertificate(KeyStore trustStore,
 Collection<? extends X509Certificate> certificateChain)
                        throws CertificateException

Parameters:

trustStore - not null

certificateChain - not null

Throws:

CertificateException - if the the given certificate or certificate chain is not trusted as a server certificate by a PKIX trust manager created for the given trust store

createKeyStoreForPrivateKeyAndCertificateChain

default KeyStore createKeyStoreForPrivateKeyAndCertificateChain(PrivateKey key,
 char[] password,
 X509Certificate... chain)

Parameters:

key - not null

password - not null

chain - not null, at least one

Returns:

jks KeyStore for the given key and chain

createKeyStoreForPrivateKeyAndCertificateChain

KeyStore createKeyStoreForPrivateKeyAndCertificateChain(PrivateKey key,
 char[] password,
 Collection<? extends X509Certificate> chain)

Parameters:

key - not null

password - not null

chain - not null, at least one

Returns:

jks KeyStore for the given key and chain

createKeyStoreForTrustedCertificates

default KeyStore createKeyStoreForTrustedCertificates(X509Certificate... certificates)

Parameters:

certificates - not null, at least one

Returns:

jks KeyStore for the given certificates

createKeyStoreForTrustedCertificates

KeyStore createKeyStoreForTrustedCertificates(Collection<? extends X509Certificate> certificates)

Parameters:

certificates - not null, at least one

Returns:

jks KeyStore for the given certificates

readKeyStoreJks

default KeyStore readKeyStoreJks(Path file,
 char[] password)
                          throws IOException

Parameters:

file - not null

password - if not null used to check the integrity of the keystore

Returns:

jks KeyStore

Throws:

IOException

See Also:

• KeyStore.load(InputStream, char[])

readKeyStoreJks

KeyStore readKeyStoreJks(InputStream stream,
 char[] password)
                  throws IOException

Parameters:

stream - not null

password - if not null used to check the integrity of the keystore

Returns:

jks KeyStore

Throws:

IOException

See Also:

• KeyStore.load(InputStream, char[])

readKeyStorePkcs12

default KeyStore readKeyStorePkcs12(Path file,
 char[] password)
                             throws IOException

Parameters:

file - not null

password - if not null used to check the integrity of the keystore

Returns:

pkcs12 KeyStore

Throws:

IOException

See Also:

• KeyStore.load(InputStream, char[])

readKeyStorePkcs12

KeyStore readKeyStorePkcs12(InputStream stream,
 char[] password)
                     throws IOException

Parameters:

stream - not null

password - if not null used to check the integrity of the keystore

Returns:

pkcs12 KeyStore

Throws:

IOException

See Also:

• KeyStore.load(InputStream, char[])

createSSLContext

SSLContext createSSLContext(KeyStore trustStore)
                     throws KeyStoreException,
NoSuchAlgorithmException,
UnrecoverableKeyException,
KeyManagementException

Parameters:

trustStore - not null

Returns:

SSLContext with TrustManager for the given trustStore

Throws:

KeyStoreException

NoSuchAlgorithmException

UnrecoverableKeyException

KeyManagementException

createSSLContext

SSLContext createSSLContext(KeyStore trustStore,
 KeyStore keyStore,
 char[] keyStorePassword)
                     throws KeyStoreException,
NoSuchAlgorithmException,
UnrecoverableKeyException,
KeyManagementException

Parameters:

trustStore - not null

keyStore - not null

keyStorePassword - not null

Returns:

SSLContext with TrustManager for the given trustStore and KeyManager for the given keyStore / keyStorePassword

Throws:

KeyStoreException

NoSuchAlgorithmException

UnrecoverableKeyException

KeyManagementException