Package ghidra.net

Class ApplicationKeyManagerUtils


  • public class ApplicationKeyManagerUtils
    extends java.lang.Object
    ApplicationKeyManagerUtils provides public methods for utilizing the application PKI key management, including access to trusted issuers (i.e., CA certificates), token signing and validation, and the ability to generate keystores for testing or when a self-signed certificate will suffice.
    • Field Summary

      Fields 
      Modifier and Type Field Description
      static java.lang.String BEGIN_CERT  
      static java.lang.String END_CERT  
      static java.lang.String RSA_TYPE  
    • Method Summary

      Modifier and Type Method Description
      static java.security.KeyStore.PrivateKeyEntry createKeyEntry​(java.lang.String alias, java.lang.String dn, int durationDays, java.security.KeyStore.PrivateKeyEntry caEntry, java.io.File keyFile, java.lang.String keystoreType, char[] protectedPassphrase)
      Generate a new X509Certificate with RSA KeyPair and create/update a KeyStore optionally backed by a keyFile.
      static java.security.KeyStore createKeyStore​(java.lang.String alias, java.lang.String dn, int durationDays, java.security.KeyStore.PrivateKeyEntry caEntry, java.io.File keyFile, java.lang.String keystoreType, char[] protectedPassphrase)
      Generate a new X509Certificate with RSA KeyPair and create/update a KeyStore optionally backed by a keyFile.
      static void exportX509Certificates​(java.security.cert.Certificate[] certificates, java.io.File outFile)
      Export X.509 certificates to the specified outFile.
      static SignedToken getSignedToken​(java.security.Principal[] authorities, byte[] token)
      Sign the supplied token byte array using an installed certificate from one of the specified authorities.
      static javax.security.auth.x500.X500Principal[] getTrustedIssuers()
      Returns a list of trusted issuers (i.e., CA certificates) as established by the ApplicationTrustManagerFactory.
      static boolean isMySignature​(java.security.Principal[] authorities, byte[] token, byte[] signature)
      Verify that the specified signature reflects my signature of the specified token.
      static void validateClient​(java.security.cert.X509Certificate[] certChain, java.lang.String authType)
      Validate a client certificate ensuring that it is not expired and is trusted based upon the active trust managers.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Method Detail

      • getSignedToken

        public static SignedToken getSignedToken​(java.security.Principal[] authorities,
                                                 byte[] token)
                                          throws java.security.NoSuchAlgorithmException,
                                                 java.security.SignatureException,
                                                 java.security.cert.CertificateException
        Sign the supplied token byte array using an installed certificate from one of the specified authorities.
        Parameters:
        authorities - trusted certificate authorities
        token - token byte array
        Returns:
        signed token object
        Throws:
        java.security.NoSuchAlgorithmException - algorithm associated with signing certificate not found
        java.security.SignatureException - failed to generate SignedToken
        java.security.cert.CertificateException - error associated with signing certificate
      • isMySignature

        public static boolean isMySignature​(java.security.Principal[] authorities,
                                            byte[] token,
                                            byte[] signature)
                                     throws java.security.NoSuchAlgorithmException,
                                            java.security.SignatureException,
                                            java.security.cert.CertificateException
        Verify that the specified signature reflects my signature of the specified token.
        Parameters:
        authorities - trusted certificate authorities
        token - byte array token
        signature - token signature
        Returns:
        true if signature is my signature
        Throws:
        java.security.NoSuchAlgorithmException - algorithm associated with signing certificate not found
        java.security.SignatureException - failed to generate SignedToken
        java.security.cert.CertificateException - error associated with signing certificate
      • getTrustedIssuers

        public static javax.security.auth.x500.X500Principal[] getTrustedIssuers()
                                                                          throws java.security.cert.CertificateException
        Returns a list of trusted issuers (i.e., CA certificates) as established by the ApplicationTrustManagerFactory.
        Returns:
        array of trusted Certificate Authorities
        Throws:
        java.security.cert.CertificateException - if failed to properly initialize trust manager due to CA certificate error(s).
      • validateClient

        public static void validateClient​(java.security.cert.X509Certificate[] certChain,
                                          java.lang.String authType)
                                   throws java.security.cert.CertificateException
        Validate a client certificate ensuring that it is not expired and is trusted based upon the active trust managers.
        Parameters:
        certChain - X509 certificate chain
        authType - authentication type (i.e., "RSA")
        Throws:
        java.security.cert.CertificateException - if certificate validation fails
      • exportX509Certificates

        public static void exportX509Certificates​(java.security.cert.Certificate[] certificates,
                                                  java.io.File outFile)
                                           throws java.io.IOException,
                                                  java.security.cert.CertificateEncodingException
        Export X.509 certificates to the specified outFile.
        Parameters:
        certificates - certificates to be stored
        outFile - output file
        Throws:
        java.io.IOException - if error occurs writing to outFile
        java.security.cert.CertificateEncodingException - if error occurs while encoding certificate data
      • createKeyStore

        public static final java.security.KeyStore createKeyStore​(java.lang.String alias,
                                                                  java.lang.String dn,
                                                                  int durationDays,
                                                                  java.security.KeyStore.PrivateKeyEntry caEntry,
                                                                  java.io.File keyFile,
                                                                  java.lang.String keystoreType,
                                                                  char[] protectedPassphrase)
                                                           throws java.security.KeyStoreException
        Generate a new X509Certificate with RSA KeyPair and create/update a KeyStore optionally backed by a keyFile.
        Parameters:
        alias - entry alias within keystore
        dn - distinguished name (e.g., "CN=Ghidra Test, O=Ghidra, OU=Test, C=US" )
        durationDays - number of days which generated certificate should remain valid
        caEntry - optional CA private key entry. If null, a self-signed CA certificate will be generated.
        keyFile - optional file to load/store resulting KeyStore (may be null)
        keystoreType - supported keystore type (e.g., "JKS", "PKCS12")
        protectedPassphrase - key and keystore protection password
        Returns:
        keystore containing newly generated certificate with key pair
        Throws:
        java.security.KeyStoreException - if error occurs while updating keystore
      • createKeyEntry

        public static final java.security.KeyStore.PrivateKeyEntry createKeyEntry​(java.lang.String alias,
                                                                                  java.lang.String dn,
                                                                                  int durationDays,
                                                                                  java.security.KeyStore.PrivateKeyEntry caEntry,
                                                                                  java.io.File keyFile,
                                                                                  java.lang.String keystoreType,
                                                                                  char[] protectedPassphrase)
                                                                           throws java.security.KeyStoreException
        Generate a new X509Certificate with RSA KeyPair and create/update a KeyStore optionally backed by a keyFile.
        Parameters:
        alias - entry alias within keystore
        dn - distinguished name (e.g., "CN=Ghidra Test, O=Ghidra, OU=Test, C=US" )
        durationDays - number of days which generated certificate should remain valid
        caEntry - optional CA private key entry. If null, a self-signed CA certificate will be generated.
        keyFile - optional file to load/store resulting KeyStore (may be null)
        keystoreType - supported keystore type (e.g., "JKS", "PKCS12")
        protectedPassphrase - key and keystore protection password
        Returns:
        newly generated keystore entry with key pair
        Throws:
        java.security.KeyStoreException - if error occurs while updating keystore
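The following is an added usage example, not part of the Ghidra Javadoc or the Ghidra code base: it generates a short-lived self-signed test identity with createKeyStore (caEntry == null), exports its certificate chain with exportX509Certificates, and runs the chain through validateClient. The alias, distinguished name, file paths and passphrase are constructed values for this example only.

```java
import ghidra.net.ApplicationKeyManagerUtils;

import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Added example (not Ghidra's own code): self-signed test keystore, PEM export, client validation. */
public class TestKeystoreExample {

    public static void main(String[] args) throws Exception {
        // Constructed values: everything below is an assumption for this example.
        String alias = "ghidra-test";
        String dn = "CN=Ghidra Test, O=Ghidra, OU=Test, C=US";
        File keyFile = new File("/tmp/ghidra-test.p12");   // assumed path; null would keep it in memory only
        char[] passphrase = "changeit".toCharArray();       // test-only passphrase

        // caEntry == null: per the createKeyStore docs a self-signed certificate is generated.
        // Keep durationDays small; this identity is for testing, not for production trust.
        KeyStore ks = ApplicationKeyManagerUtils.createKeyStore(
            alias, dn, 7, null, keyFile, "PKCS12", passphrase);

        // Read the chain back with the standard KeyStore API.
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate[] x509Chain = Arrays.copyOf(chain, chain.length, X509Certificate[].class);

        // Export as PEM so the certificate can be reviewed or added to a trust store.
        ApplicationKeyManagerUtils.exportX509Certificates(chain, new File("/tmp/ghidra-test.pem"));

        // validateClient checks expiry and trust against the active trust managers.
        // A fresh self-signed certificate is only accepted if its issuer is among the
        // trusted issuers, so a CertificateException is the normal outcome until it is.
        try {
            ApplicationKeyManagerUtils.validateClient(x509Chain, "RSA");
            System.out.println("client chain accepted by active trust managers");
        } catch (CertificateException e) {
            System.out.println("client chain rejected: " + e.getMessage());
        }

        // Clear the passphrase from memory once the keystore has been written.
        Arrays.fill(passphrase, '\0');
    }
}
```

Whether the final validation succeeds depends on which CA certificates the ApplicationTrustManagerFactory has loaded; getTrustedIssuers() lists them if you need to check.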