Package ghidra.net
Class ApplicationKeyManagerUtils
- java.lang.Object
  - ghidra.net.ApplicationKeyManagerUtils

public class ApplicationKeyManagerUtils extends java.lang.Object

ApplicationKeyManagerUtils provides public methods for utilizing the application PKI key management, including access to trusted issuers (i.e., CA certificates), token signing and validation, and the ability to generate keystores for testing or when a self-signed certificate will suffice.
Field Summary
Fields
- static java.lang.String BEGIN_CERT
- static java.lang.String END_CERT
- static java.lang.String RSA_TYPE
Method Summary
All Methods | Static Methods | Concrete Methods
- static java.security.KeyStore.PrivateKeyEntry createKeyEntry(java.lang.String alias, java.lang.String dn, int durationDays, java.security.KeyStore.PrivateKeyEntry caEntry, java.io.File keyFile, java.lang.String keystoreType, char[] protectedPassphrase)
  Generate a new X509Certificate with RSA KeyPair and create/update a KeyStore optionally backed by a keyFile.
- static java.security.KeyStore createKeyStore(java.lang.String alias, java.lang.String dn, int durationDays, java.security.KeyStore.PrivateKeyEntry caEntry, java.io.File keyFile, java.lang.String keystoreType, char[] protectedPassphrase)
  Generate a new X509Certificate with RSA KeyPair and create/update a KeyStore optionally backed by a keyFile.
- static void exportX509Certificates(java.security.cert.Certificate[] certificates, java.io.File outFile)
  Export X.509 certificates to the specified outFile.
- static SignedToken getSignedToken(java.security.Principal[] authorities, byte[] token)
  Sign the supplied token byte array using an installed certificate from one of the specified authorities.
- static javax.security.auth.x500.X500Principal[] getTrustedIssuers()
  Returns a list of trusted issuers (i.e., CA certificates) as established by the ApplicationTrustManagerFactory.
- static boolean isMySignature(java.security.Principal[] authorities, byte[] token, byte[] signature)
  Verify that the specified signature reflects my signature of the specified token.
- static void validateClient(java.security.cert.X509Certificate[] certChain, java.lang.String authType)
  Validate a client certificate ensuring that it is not expired and is trusted based upon the active trust managers.
Field Detail

RSA_TYPE
public static final java.lang.String RSA_TYPE
- See Also: Constant Field Values

BEGIN_CERT
public static final java.lang.String BEGIN_CERT
- See Also: Constant Field Values

END_CERT
public static final java.lang.String END_CERT
- See Also: Constant Field Values
Method Detail

getSignedToken
public static SignedToken getSignedToken(java.security.Principal[] authorities, byte[] token) throws java.security.NoSuchAlgorithmException, java.security.SignatureException, java.security.cert.CertificateException
Sign the supplied token byte array using an installed certificate from one of the specified authorities.
- Parameters:
  - authorities - trusted certificate authorities
  - token - token byte array
- Returns:
  - signed token object
- Throws:
  - java.security.NoSuchAlgorithmException - algorithm associated with signing certificate not found
  - java.security.SignatureException - failed to generate SignedToken
  - java.security.cert.CertificateException - error associated with signing certificate
isMySignature
public static boolean isMySignature(java.security.Principal[] authorities, byte[] token, byte[] signature) throws java.security.NoSuchAlgorithmException, java.security.SignatureException, java.security.cert.CertificateException
Verify that the specified signature reflects my signature of the specified token.
- Parameters:
  - authorities - trusted certificate authorities
  - token - byte array token
  - signature - token signature
- Returns:
  - true if signature is my signature
- Throws:
  - java.security.NoSuchAlgorithmException - algorithm associated with signing certificate not found
  - java.security.SignatureException - failed to generate SignedToken
  - java.security.cert.CertificateException - error associated with signing certificate
getTrustedIssuers
public static javax.security.auth.x500.X500Principal[] getTrustedIssuers() throws java.security.cert.CertificateException
Returns a list of trusted issuers (i.e., CA certificates) as established by the ApplicationTrustManagerFactory.
- Returns:
  - array of trusted Certificate Authorities
- Throws:
  - java.security.cert.CertificateException - if failed to properly initialize trust manager due to CA certificate error(s).
validateClient
public static void validateClient(java.security.cert.X509Certificate[] certChain, java.lang.String authType) throws java.security.cert.CertificateException
Validate a client certificate ensuring that it is not expired and is trusted based upon the active trust managers.
- Parameters:
  - certChain - X509 certificate chain
  - authType - authentication type (i.e., "RSA")
- Throws:
  - java.security.cert.CertificateException - if certificate validation fails
exportX509Certificates
public static void exportX509Certificates(java.security.cert.Certificate[] certificates, java.io.File outFile) throws java.io.IOException, java.security.cert.CertificateEncodingException
Export X.509 certificates to the specified outFile.
- Parameters:
  - certificates - certificates to be stored
  - outFile - output file
- Throws:
  - java.io.IOException - if error occurs writing to outFile
  - java.security.cert.CertificateEncodingException - if error occurs while encoding certificate data
createKeyStore
public static final java.security.KeyStore createKeyStore(java.lang.String alias, java.lang.String dn, int durationDays, java.security.KeyStore.PrivateKeyEntry caEntry, java.io.File keyFile, java.lang.String keystoreType, char[] protectedPassphrase) throws java.security.KeyStoreException
Generate a new X509Certificate with RSA KeyPair and create/update a KeyStore optionally backed by a keyFile.
- Parameters:
  - alias - entry alias within keystore
  - dn - distinguished name (e.g., "CN=Ghidra Test, O=Ghidra, OU=Test, C=US")
  - durationDays - number of days for which the generated certificate should remain valid
  - caEntry - optional CA private key entry. If null, a self-signed CA certificate will be generated.
  - keyFile - optional file to load/store the resulting KeyStore (may be null)
  - keystoreType - supported keystore type (e.g., "JKS", "PKCS12")
  - protectedPassphrase - key and keystore protection password
- Returns:
  - keystore containing newly generated certificate with key pair
- Throws:
  - java.security.KeyStoreException - if error occurs while updating keystore
createKeyEntry
public static final java.security.KeyStore.PrivateKeyEntry createKeyEntry(java.lang.String alias, java.lang.String dn, int durationDays, java.security.KeyStore.PrivateKeyEntry caEntry, java.io.File keyFile, java.lang.String keystoreType, char[] protectedPassphrase) throws java.security.KeyStoreException
Generate a new X509Certificate with RSA KeyPair and create/update a KeyStore optionally backed by a keyFile.
- Parameters:
  - alias - entry alias within keystore
  - dn - distinguished name (e.g., "CN=Ghidra Test, O=Ghidra, OU=Test, C=US")
  - durationDays - number of days for which the generated certificate should remain valid
  - caEntry - optional CA private key entry. If null, a self-signed CA certificate will be generated.
  - keyFile - optional file to load/store the resulting KeyStore (may be null)
  - keystoreType - supported keystore type (e.g., "JKS", "PKCS12")
  - protectedPassphrase - key and keystore protection password
- Returns:
  - newly generated keystore entry with key pair
- Throws:
  - java.security.KeyStoreException - if error occurs while updating keystore
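The following is an added example, not code from Ghidra itself, showing how createKeyStore and exportX509Certificates fit together for the "testing or self-signed" case the class description mentions: a self-signed PKCS12 keystore is generated (caEntry null), the resulting certificate is checked independently with standard JCA calls, the chain is exported and parsed back, and the keystore file is reloaded to confirm the private key is recoverable only with the passphrase. The alias, temp file locations and passphrase are constructed for the demo; the export format is assumed to be PEM, as the BEGIN_CERT/END_CERT constants suggest, which is why CertificateFactory can read it back.

```java
import ghidra.net.ApplicationKeyManagerUtils;

import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;

// Added example (not Ghidra's own code): self-signed test keystore round trip.
public class SelfSignedKeystoreDemo {

    static final String ALIAS = "test-entry";                              // constructed for the demo
    static final String DN = "CN=Ghidra Test, O=Ghidra, OU=Test, C=US";    // DN example from the javadoc
    static final char[] PASSPHRASE = "demo-passphrase".toCharArray();       // constructed, test use only

    public static void main(String[] args) throws Exception {
        File keyFile = File.createTempFile("ghidra-test-", ".p12");
        keyFile.deleteOnExit();

        // caEntry == null: a self-signed certificate is generated; 30-day validity; stored as PKCS12.
        KeyStore ks = ApplicationKeyManagerUtils.createKeyStore(
            ALIAS, DN, 30, null, keyFile, "PKCS12", PASSPHRASE);

        X509Certificate cert = (X509Certificate) ks.getCertificate(ALIAS);

        // Independent checks with standard JCA: validity window and self-signature.
        cert.checkValidity(new Date());      // throws CertificateExpired/NotYetValidException on failure
        cert.verify(cert.getPublicKey());    // self-signed: signature must verify under its own key
        long daysValid = (cert.getNotAfter().getTime() - cert.getNotBefore().getTime()) / 86_400_000L;
        System.out.println("Subject:    " + cert.getSubjectX500Principal());
        System.out.println("Issuer:     " + cert.getIssuerX500Principal());
        System.out.println("Valid days: " + daysValid);
        System.out.println("Sig alg:    " + cert.getSigAlgName());

        // Export the chain so a peer can add the certificate to its trust store.
        File pemFile = File.createTempFile("ghidra-test-", ".pem");
        pemFile.deleteOnExit();
        Certificate[] chain = ks.getCertificateChain(ALIAS);
        ApplicationKeyManagerUtils.exportX509Certificates(chain, pemFile);

        // Parse the export back (assumed PEM) and confirm it is the same certificate.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (FileInputStream in = new FileInputStream(pemFile)) {
            Collection<? extends Certificate> parsed = cf.generateCertificates(in);
            X509Certificate first = (X509Certificate) parsed.iterator().next();
            if (!first.equals(cert)) {
                throw new IllegalStateException("exported certificate does not match keystore entry");
            }
            System.out.println("Exported " + parsed.size() + " certificate(s); round trip OK");
        }

        // Reload the keystore file from disk; the private key is only recoverable with the passphrase.
        KeyStore reloaded = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keyFile)) {
            reloaded.load(in, PASSPHRASE);
        }
        KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) reloaded.getEntry(
            ALIAS, new KeyStore.PasswordProtection(PASSPHRASE));
        System.out.println("Private key algorithm: " + entry.getPrivateKey().getAlgorithm());
    }
}
```

For a certificate issued by an existing CA rather than self-signed, pass that CA's KeyStore.PrivateKeyEntry as caEntry; the exported chain then carries the issuer, and a peer that trusts the CA can accept it through validateClient without importing the leaf certificate itself.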