Package dev.dsf.bpe.v2.service
Interface CryptoService
public interface CryptoService
Provides methods for:
- Creating and using RSA and ECDH key encapsulation mechanisms (KEMs)
- Reading X.509 certificates and private keys (encrypted or unencrypted) from PEM files or input streams
- Reading JKS and PKCS12 key stores
- Creating JKS and PKCS12 key stores based on trusted certificates, or on a private key and its certificate chain
- Generating RSA (4096 bit) and EC (secp256r1, secp384r1, secp521r1, X25519, X448) key pairs
- Validating key pairs, i.e. checking that a private key belongs to a public key
- Validating client and server certificate chains against a trust store
- Creating SSLContexts based on a key store with trusted certificates and/or a key store with a private key and certificate chain
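The following added example is not part of the DSF documentation or code base; it shows how a process plugin could wire these methods together to build a mutual-TLS HTTP client. It assumes a CryptoService instance is already available to the caller (however the plugin obtains it), PEM files at the given paths with the leaf certificate first in the chain file, and an endpoint URI; the paths, class and method names are illustrative.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.net.ssl.SSLContext;

import dev.dsf.bpe.v2.service.CryptoService;

/** Added example: mutual-TLS client setup on top of CryptoService (not DSF code). */
public final class MutualTlsSetup {
    private static final SecureRandom RNG = new SecureRandom();

    /**
     * Builds an SSLContext from PEM files: a CA bundle for the trust store, and a client
     * certificate chain (assumption: leaf first) plus its private key. pemKeyPassword may be
     * null when the key file is unencrypted.
     */
    public static SSLContext buildClientContext(CryptoService crypto, Path caBundlePem, Path clientChainPem,
            Path clientKeyPem, char[] pemKeyPassword) throws IOException, GeneralSecurityException {
        // 1. Trust store: every certificate in the CA bundle becomes a trust anchor
        List<X509Certificate> cas = crypto.readCertificates(caBundlePem);
        KeyStore trustStore = crypto.createKeyStoreForTrustedCertificates(cas);

        // 2. Client identity: certificate chain and (possibly encrypted) private key
        List<X509Certificate> chain = crypto.readCertificates(clientChainPem);
        PrivateKey key = crypto.readPrivateKey(clientKeyPem, pemKeyPassword);
        X509Certificate leaf = chain.get(0);

        // 3. Cheap checks first, so a misconfiguration fails with a clear message instead of an opaque handshake error
        if (!crypto.isKeyPair(key, leaf.getPublicKey()))
            throw new CertificateException("private key does not belong to " + leaf.getSubjectX500Principal());
        if (crypto.isCertificateExpired(leaf))
            throw new CertificateException("client certificate expired on " + leaf.getNotAfter());
        if (!crypto.isClientCertificate(leaf))
            throw new CertificateException("certificate lacks extended key usage TLS Web Client Authentication");

        // 4. Full PKIX validation of the chain against the trust store; throws CertificateException if untrusted
        crypto.validateClientCertificate(trustStore, chain);

        // 5. In-memory key store protected by a random password that only lives for this call
        char[] storePassword = randomPassword();
        try {
            KeyStore keyStore = crypto.createKeyStoreForPrivateKeyAndCertificateChain(key, storePassword, chain);
            return crypto.createSSLContext(trustStore, keyStore, storePassword);
        } finally {
            // The JDK key manager factory takes its own copy of the password, so wipe ours
            Arrays.fill(storePassword, '\0');
        }
    }

    private static char[] randomPassword() {
        byte[] raw = new byte[24];
        RNG.nextBytes(raw);
        return Base64.getEncoder().encodeToString(raw).toCharArray();
    }

    /** Performs a GET against endpoint (assumed URI) with client-certificate authentication. */
    public static String fetch(CryptoService crypto, Path caBundlePem, Path clientChainPem, Path clientKeyPem,
            char[] pemKeyPassword, URI endpoint) throws Exception {
        SSLContext ctx = buildClientContext(crypto, caBundlePem, clientChainPem, clientKeyPem, pemKeyPassword);
        if (pemKeyPassword != null)
            Arrays.fill(pemKeyPassword, '\0'); // key is parsed, the PEM password is no longer needed
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        HttpRequest request = HttpRequest.newBuilder(endpoint).GET().build();
        return client.send(request, HttpResponse.BodyHandlers.ofString()).body();
    }
}
```

The order matters: the key-pair, expiry and extended-key-usage checks run before validateClientCertificate so that the most common deployment mistakes (wrong key file, stale certificate, a server certificate used as a client identity) are reported by name, while the PKIX validation remains the authoritative check of the whole chain.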
Nested Class Summary
static interface CryptoService.Kem
Key encapsulation mechanism with encrypt and decrypt methods.

Method Summary
CryptoService.Kem createRsaKem()
CryptoService.Kem createEcDhKem()
KeyPairGenerator createKeyPairGeneratorRsa4096AndInitialize()
KeyPairGenerator createKeyPairGeneratorSecp256r1AndInitialize()
KeyPairGenerator createKeyPairGeneratorSecp384r1AndInitialize()
KeyPairGenerator createKeyPairGeneratorSecp521r1AndInitialize()
KeyPairGenerator createKeyPairGeneratorX25519AndInitialize()
KeyPairGenerator createKeyPairGeneratorX448AndInitialize()
default KeyStore createKeyStoreForPrivateKeyAndCertificateChain(PrivateKey key, char[] password, X509Certificate... chain)
KeyStore createKeyStoreForPrivateKeyAndCertificateChain(PrivateKey key, char[] password, Collection<? extends X509Certificate> chain)
default KeyStore createKeyStoreForTrustedCertificates(X509Certificate... certificates)
KeyStore createKeyStoreForTrustedCertificates(Collection<? extends X509Certificate> certificates)
SSLContext createSSLContext(KeyStore trustStore)
SSLContext createSSLContext(KeyStore trustStore, KeyStore keyStore, char[] keyStorePassword)
boolean isCertificateExpired(X509Certificate certificate)
boolean isClientCertificate(X509Certificate certificate)
boolean isKeyPair(PrivateKey privateKey, PublicKey publicKey)
boolean isServerCertificate(X509Certificate certificate)
default X509Certificate readCertificate(Path pem)
X509Certificate readCertificate(InputStream pem)
default List<X509Certificate> readCertificates(Path pem)
List<X509Certificate> readCertificates(InputStream pem)
KeyStore readKeyStoreJks(InputStream stream, char[] password)
default KeyStore readKeyStoreJks(Path file, char[] password)
KeyStore readKeyStorePkcs12(InputStream stream, char[] password)
default KeyStore readKeyStorePkcs12(Path file, char[] password)
PrivateKey readPrivateKey(InputStream pem)
default PrivateKey readPrivateKey(InputStream pem, char[] password)
default PrivateKey readPrivateKey(Path pem)
default PrivateKey readPrivateKey(Path pem, char[] password)
default void validateClientCertificate(KeyStore trustStore, X509Certificate... certificateChain)
void validateClientCertificate(KeyStore trustStore, Collection<? extends X509Certificate> certificateChain)
default void validateServerCertificate(KeyStore trustStore, X509Certificate... certificateChain)
void validateServerCertificate(KeyStore trustStore, Collection<? extends X509Certificate> certificateChain)
Method Details

createRsaKem
CryptoService.Kem createRsaKem()
- Returns:
  key encapsulation mechanism based on RSA key exchange (RSA-KEM) that derives an AES-256 key with KDF2 using SHA-512; use with RSA key pairs

createEcDhKem
CryptoService.Kem createEcDhKem()
- Returns:
  key encapsulation mechanism based on elliptic-curve Diffie-Hellman key exchange that derives an AES-256 key; use with elliptic curve key pairs such as X25519, X448, secp256r1, secp384r1 and secp521r1
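To make "RSA key exchange using KDF2 SHA-512 for AES-256" concrete, here is an added, self-contained re-implementation of that RSA-KEM construction (ISO/IEC 18033-2 style) in plain JCA. It is not the DSF Kem implementation; the byte layout of the encapsulated key and the AES-GCM framing are this example's assumptions. It exists to show what encapsulation and decapsulation do, and that no RSA padding scheme is involved.

```java
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example: RSA-KEM with KDF2/SHA-512 and AES-256-GCM, not the DSF implementation. */
public final class RsaKemDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int AES_KEY_BYTES = 32;   // AES-256
    private static final int GCM_NONCE_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    /** Encapsulated key (raw RSA of a random r) together with the derived AES-256 key. */
    record Encapsulation(byte[] encapsulatedKey, SecretKey key) {}

    /** KDF2 (ISO/IEC 18033-2) with SHA-512: Hash(Z || counter) blocks, 32-bit big-endian counter from 1. */
    static byte[] kdf2Sha512(byte[] z, int outLen) throws GeneralSecurityException {
        MessageDigest md = MessageDigest.getInstance("SHA-512");
        byte[] out = new byte[outLen];
        for (int counter = 1, filled = 0; filled < outLen; counter++) {
            md.update(z);
            md.update(ByteBuffer.allocate(4).putInt(counter).array());
            byte[] block = md.digest();
            int n = Math.min(block.length, outLen - filled);
            System.arraycopy(block, 0, out, filled, n);
            filled += n;
        }
        return out;
    }

    /** I2OSP: fixed-length big-endian encoding, dropping BigInteger's optional leading sign byte. */
    static byte[] i2osp(BigInteger x, int len) {
        byte[] raw = x.toByteArray();
        byte[] out = new byte[len];
        int n = Math.min(raw.length, len);
        System.arraycopy(raw, raw.length - n, out, len - n, n);
        return out;
    }

    /** Encapsulate: r uniform in [0, n), c = r^e mod n, K = KDF2(I2OSP(r)). Plain modular exponentiation, no padding. */
    static Encapsulation encapsulate(RSAPublicKey pub) throws GeneralSecurityException {
        BigInteger n = pub.getModulus();
        int nLen = (n.bitLength() + 7) / 8;
        BigInteger r;
        do {
            r = new BigInteger(n.bitLength(), RNG);   // rejection sampling keeps r uniform in [0, n)
        } while (r.compareTo(n) >= 0);
        BigInteger c = r.modPow(pub.getPublicExponent(), n);
        byte[] k = kdf2Sha512(i2osp(r, nLen), AES_KEY_BYTES);
        return new Encapsulation(i2osp(c, nLen), new SecretKeySpec(k, "AES"));
    }

    /** Decapsulate: r = c^d mod n, then the same KDF. Range-check c so malformed input fails loudly. */
    static SecretKey decapsulate(RSAPrivateKey priv, byte[] encapsulatedKey) throws GeneralSecurityException {
        BigInteger n = priv.getModulus();
        int nLen = (n.bitLength() + 7) / 8;
        BigInteger c = new BigInteger(1, encapsulatedKey);
        if (encapsulatedKey.length != nLen || c.compareTo(n) >= 0)
            throw new GeneralSecurityException("encapsulated key out of range");
        BigInteger r = c.modPow(priv.getPrivateExponent(), n);
        return new SecretKeySpec(kdf2Sha512(i2osp(r, nLen), AES_KEY_BYTES), "AES");
    }

    /** AES-256-GCM with a fresh random nonce prepended to the ciphertext (framing is this example's choice). */
    static byte[] seal(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(nonce.length + ct.length).put(nonce).put(ct).array();
    }

    static byte[] open(SecretKey key, byte[] sealed) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, sealed, 0, GCM_NONCE_BYTES));
        return cipher.doFinal(sealed, GCM_NONCE_BYTES, sealed.length - GCM_NONCE_BYTES);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(4096);                      // key size named on this page; generation takes a moment
        KeyPair kp = kpg.generateKeyPair();

        // Sender side: encapsulate against the recipient's public key, encrypt with the derived AES key
        Encapsulation enc = encapsulate((RSAPublicKey) kp.getPublic());
        byte[] message = "constructed sample payload".getBytes(StandardCharsets.UTF_8);
        byte[] sealed = seal(enc.key(), message);

        // Recipient side: recover the AES key from the encapsulated key, then decrypt
        SecretKey recovered = decapsulate((RSAPrivateKey) kp.getPrivate(), enc.encapsulatedKey());
        byte[] opened = open(recovered, sealed);

        System.out.println("keys equal: " + MessageDigest.isEqual(enc.key().getEncoded(), recovered.getEncoded()));
        System.out.println("roundtrip ok: " + Arrays.equals(message, opened));
    }
}
```

Because the encapsulated value is a random r rather than the message, there is no padding to get wrong and no padding oracle; the security argument rests on r being uniform in [0, n) (hence the rejection loop) and on the KDF. BigInteger.modPow is not constant-time, so a real implementation, like the one behind createRsaKem(), should lean on a hardened provider for the private-key operation.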
createKeyPairGeneratorRsa4096AndInitialize
KeyPairGenerator createKeyPairGeneratorRsa4096AndInitialize()
- Returns:
  created and initialized RSA (4096 bit) key pair generator

createKeyPairGeneratorSecp256r1AndInitialize
KeyPairGenerator createKeyPairGeneratorSecp256r1AndInitialize()
- Returns:
  created and initialized secp256r1 key pair generator

createKeyPairGeneratorSecp384r1AndInitialize
KeyPairGenerator createKeyPairGeneratorSecp384r1AndInitialize()
- Returns:
  created and initialized secp384r1 key pair generator

createKeyPairGeneratorSecp521r1AndInitialize
KeyPairGenerator createKeyPairGeneratorSecp521r1AndInitialize()
- Returns:
  created and initialized secp521r1 key pair generator

createKeyPairGeneratorX25519AndInitialize
KeyPairGenerator createKeyPairGeneratorX25519AndInitialize()
- Returns:
  created and initialized X25519 key pair generator

createKeyPairGeneratorX448AndInitialize
KeyPairGenerator createKeyPairGeneratorX448AndInitialize()
- Returns:
  created and initialized X448 key pair generator
readCertificate
default X509Certificate readCertificate(Path pem) throws IOException
- Parameters:
  pem - not null
- Returns:
  certificate
- Throws:
  IOException - if the given file does not contain a PEM-encoded certificate, contains more than one, or is not readable or parsable

readCertificate
X509Certificate readCertificate(InputStream pem) throws IOException
- Parameters:
  pem - not null
- Returns:
  certificate
- Throws:
  IOException - if the given InputStream does not contain a PEM-encoded certificate, contains more than one, or is not readable or parsable

readCertificates
default List<X509Certificate> readCertificates(Path pem) throws IOException
- Parameters:
  pem - not null
- Returns:
  list of certificates
- Throws:
  IOException - if the given file does not contain PEM-encoded certificates, is not readable, or one of the certificates is not parsable

readCertificates
List<X509Certificate> readCertificates(InputStream pem) throws IOException
- Parameters:
  pem - not null
- Returns:
  list of certificates
- Throws:
  IOException - if the given InputStream does not contain PEM-encoded certificates, is not readable, or one of the certificates is not parsable
readPrivateKey
default PrivateKey readPrivateKey(Path pem) throws IOException
- Parameters:
  pem - not null
- Returns:
  private key
- Throws:
  IOException - if the given file does not contain a PEM-encoded, unencrypted private key, contains more than one, or is not readable or parsable

readPrivateKey
PrivateKey readPrivateKey(InputStream pem) throws IOException
- Parameters:
  pem - not null
- Returns:
  private key
- Throws:
  IOException - if the given InputStream does not contain a PEM-encoded, unencrypted private key, contains more than one, or is not readable or parsable

readPrivateKey
default PrivateKey readPrivateKey(Path pem, char[] password) throws IOException
- Parameters:
  pem - not null
  password - must not be null if the key is encrypted
- Returns:
  private key
- Throws:
  IOException - if the given file does not contain a PEM-encoded private key, contains more than one, or is not readable or parsable

readPrivateKey
default PrivateKey readPrivateKey(InputStream pem, char[] password) throws IOException
- Parameters:
  pem - not null
  password - must not be null if the key is encrypted
- Returns:
  private key
- Throws:
  IOException - if the given InputStream does not contain a PEM-encoded private key, contains more than one, or is not readable or parsable

isKeyPair
boolean isKeyPair(PrivateKey privateKey, PublicKey publicKey)
Checks whether the given privateKey and publicKey belong together: for RSA, EC and EdDSA key pairs a signature generated with the private key must verify under the public key; for an XDH key pair a Diffie-Hellman key agreement must produce the same shared secret. If the privateKey is an RSAPrivateCrtKey and the publicKey an RSAPublicKey, modulus and public exponent are compared instead.
- Parameters:
  privateKey - may be null
  publicKey - may be null
- Returns:
  true if both keys are not null and match
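An added example (not DSF code) that implements the check described here in plain JCA, so the behaviour can be reproduced for key pairs from any generator, including those returned by the createKeyPairGenerator*AndInitialize() methods above: sign-and-verify for RSA, EC and EdDSA, an agreement comparison for XDH, and the modulus/exponent shortcut for CRT RSA keys. The challenge bytes and the SHA-256-based signature algorithm names are this example's choices, not necessarily what the service uses internally.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;
import java.security.interfaces.XECPrivateKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.NamedParameterSpec;
import javax.crypto.KeyAgreement;

/** Added example: does this private key belong to this public key? (not DSF code) */
public final class KeyPairMatch {
    private static final byte[] CHALLENGE = "key-pair-check".getBytes(StandardCharsets.UTF_8);

    static boolean matches(PrivateKey priv, PublicKey pub) {
        if (priv == null || pub == null)
            return false;
        try {
            // Shortcut for CRT RSA keys: the public half is embedded in the private key
            if (priv instanceof RSAPrivateCrtKey crt && pub instanceof RSAPublicKey rsaPub)
                return crt.getModulus().equals(rsaPub.getModulus())
                        && crt.getPublicExponent().equals(rsaPub.getPublicExponent());
            switch (priv.getAlgorithm()) {
                case "RSA": return signAndVerify("SHA256withRSA", priv, pub);
                case "EC": return signAndVerify("SHA256withECDSA", priv, pub);
                case "EdDSA", "Ed25519", "Ed448": return signAndVerify("EdDSA", priv, pub);
                case "XDH", "X25519", "X448": return priv instanceof XECPrivateKey xec && agreementMatches(xec, pub);
                default: return false;
            }
        } catch (GeneralSecurityException e) {
            return false; // wrong key type or curve for the public key also means "not a pair"
        }
    }

    private static boolean signAndVerify(String alg, PrivateKey priv, PublicKey pub) throws GeneralSecurityException {
        Signature signer = Signature.getInstance(alg);
        signer.initSign(priv);
        signer.update(CHALLENGE);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(alg);
        verifier.initVerify(pub);
        verifier.update(CHALLENGE);
        return verifier.verify(sig);
    }

    /** XDH keys cannot sign. Use a fresh ephemeral pair on the same curve: DH(priv, ephPub) == DH(ephPriv, pub) iff pub = priv * G. */
    private static boolean agreementMatches(XECPrivateKey priv, PublicKey pub) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("XDH");
        kpg.initialize(priv.getParams());
        KeyPair eph = kpg.generateKeyPair();
        return MessageDigest.isEqual(agree(priv, eph.getPublic()), agree(eph.getPrivate(), pub));
    }

    private static byte[] agree(PrivateKey priv, PublicKey pub) throws GeneralSecurityException {
        KeyAgreement ka = KeyAgreement.getInstance("XDH");
        ka.init(priv);
        ka.doPhase(pub, true);
        return ka.generateSecret();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator ec = KeyPairGenerator.getInstance("EC");
        ec.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair ec1 = ec.generateKeyPair(), ec2 = ec.generateKeyPair();

        KeyPairGenerator xdh = KeyPairGenerator.getInstance("XDH");
        xdh.initialize(NamedParameterSpec.X25519);
        KeyPair x1 = xdh.generateKeyPair(), x2 = xdh.generateKeyPair();

        KeyPair ed1 = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();

        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(2048);  // smaller than the service's 4096 bit only to keep the demo fast
        KeyPair r1 = rsa.generateKeyPair();

        System.out.println("EC, own public key:         " + matches(ec1.getPrivate(), ec1.getPublic()));
        System.out.println("EC, other pair's public key: " + matches(ec1.getPrivate(), ec2.getPublic()));
        System.out.println("X25519, own public key:      " + matches(x1.getPrivate(), x1.getPublic()));
        System.out.println("X25519, other public key:    " + matches(x1.getPrivate(), x2.getPublic()));
        System.out.println("Ed25519, own public key:     " + matches(ed1.getPrivate(), ed1.getPublic()));
        System.out.println("RSA (CRT), own public key:   " + matches(r1.getPrivate(), r1.getPublic()));
        System.out.println("RSA private vs EC public:    " + matches(r1.getPrivate(), ec1.getPublic()));
    }
}
```

The agreement check needs the ephemeral pair because XDH keys have no signing operation; comparing the two shared secrets with MessageDigest.isEqual avoids a timing side channel on the comparison itself. Any exception from the provider (for instance an EC public key handed to an RSA signature) is deliberately mapped to false rather than propagated, matching the boolean contract of isKeyPair.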

isCertificateExpired
boolean isCertificateExpired(X509Certificate certificate)
- Parameters:
  certificate - not null
- Returns:
  true if the given certificate's not-after field is before ZonedDateTime.now(), i.e. its validity period has ended. Only the not-after field is compared; the not-before field and the rest of the chain are covered by validateClientCertificate and validateServerCertificate

isClientCertificate
boolean isClientCertificate(X509Certificate certificate)
- Parameters:
  certificate - not null
- Returns:
  true if the given certificate has the extended key usage "TLS Web Client Authentication" (id-kp-clientAuth, OID 1.3.6.1.5.5.7.3.2)

isServerCertificate
boolean isServerCertificate(X509Certificate certificate)
- Parameters:
  certificate - not null
- Returns:
  true if the given certificate has the extended key usage "TLS Web Server Authentication" (id-kp-serverAuth, OID 1.3.6.1.5.5.7.3.1)

validateClientCertificate
default void validateClientCertificate(KeyStore trustStore, X509Certificate... certificateChain) throws CertificateException
- Parameters:
  trustStore - not null
  certificateChain - not null
- Throws:
  CertificateException - if the given certificate or certificate chain is not trusted as a client certificate by a PKIX trust manager created for the given trust store

validateClientCertificate
void validateClientCertificate(KeyStore trustStore, Collection<? extends X509Certificate> certificateChain) throws CertificateException
- Parameters:
  trustStore - not null
  certificateChain - not null
- Throws:
  CertificateException - if the given certificate or certificate chain is not trusted as a client certificate by a PKIX trust manager created for the given trust store

validateServerCertificate
default void validateServerCertificate(KeyStore trustStore, X509Certificate... certificateChain) throws CertificateException
- Parameters:
  trustStore - not null
  certificateChain - not null
- Throws:
  CertificateException - if the given certificate or certificate chain is not trusted as a server certificate by a PKIX trust manager created for the given trust store

validateServerCertificate
void validateServerCertificate(KeyStore trustStore, Collection<? extends X509Certificate> certificateChain) throws CertificateException
- Parameters:
  trustStore - not null
  certificateChain - not null
- Throws:
  CertificateException - if the given certificate or certificate chain is not trusted as a server certificate by a PKIX trust manager created for the given trust store

createKeyStoreForPrivateKeyAndCertificateChain
default KeyStore createKeyStoreForPrivateKeyAndCertificateChain(PrivateKey key, char[] password, X509Certificate... chain)
- Parameters:
  key - not null
  password - not null
  chain - not null, at least one certificate
- Returns:
  jks KeyStore for the given key and chain

createKeyStoreForPrivateKeyAndCertificateChain
KeyStore createKeyStoreForPrivateKeyAndCertificateChain(PrivateKey key, char[] password, Collection<? extends X509Certificate> chain)
- Parameters:
  key - not null
  password - not null
  chain - not null, at least one certificate
- Returns:
  jks KeyStore for the given key and chain

createKeyStoreForTrustedCertificates
default KeyStore createKeyStoreForTrustedCertificates(X509Certificate... certificates)
- Parameters:
  certificates - not null, at least one certificate
- Returns:
  jks KeyStore for the given certificates

createKeyStoreForTrustedCertificates
KeyStore createKeyStoreForTrustedCertificates(Collection<? extends X509Certificate> certificates)
- Parameters:
  certificates - not null, at least one certificate
- Returns:
  jks KeyStore for the given certificates

readKeyStoreJks
default KeyStore readKeyStoreJks(Path file, char[] password) throws IOException
- Parameters:
  file - not null
  password - if not null, used to check the integrity of the key store
- Returns:
  jks KeyStore
- Throws:
  IOException

readKeyStoreJks
KeyStore readKeyStoreJks(InputStream stream, char[] password) throws IOException
- Parameters:
  stream - not null
  password - if not null, used to check the integrity of the key store
- Returns:
  jks KeyStore
- Throws:
  IOException

readKeyStorePkcs12
default KeyStore readKeyStorePkcs12(Path file, char[] password) throws IOException
- Parameters:
  file - not null
  password - if not null, used to check the integrity of the key store
- Returns:
  pkcs12 KeyStore
- Throws:
  IOException

readKeyStorePkcs12
KeyStore readKeyStorePkcs12(InputStream stream, char[] password) throws IOException
- Parameters:
  stream - not null
  password - if not null, used to check the integrity of the key store
- Returns:
  pkcs12 KeyStore
- Throws:
  IOException

Note on the password parameter of the readKeyStore* methods: as with KeyStore.load, a null password skips the integrity check, so a modified store loads without error. Pass the password whenever the contents are security-relevant, in particular for a trust store.

createSSLContext
SSLContext createSSLContext(KeyStore trustStore) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException
- Parameters:
  trustStore - not null
- Returns:
  SSLContext with a TrustManager for the given trustStore
- Throws:
  KeyStoreException
  NoSuchAlgorithmException
  UnrecoverableKeyException
  KeyManagementException

createSSLContext
SSLContext createSSLContext(KeyStore trustStore, KeyStore keyStore, char[] keyStorePassword) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException
- Parameters:
  trustStore - not null
  keyStore - not null
  keyStorePassword - not null
- Returns:
  SSLContext with a TrustManager for the given trustStore and a KeyManager for the given keyStore / keyStorePassword
- Throws:
  KeyStoreException
  NoSuchAlgorithmException
  UnrecoverableKeyException
  KeyManagementException