Package com.google.api.client.util

Class SecurityUtils

  • public final class SecurityUtils
extends java.lang.Object
    Utilities related to Java security.
    Since:
    1.14

    • Constructor Summary

      Constructors 
      Modifier Constructor Description
      private SecurityUtils()  

    • Method Summary

      All Methods Static Methods Concrete Methods 
      Modifier and Type Method Description
      static java.security.KeyStore createMtlsKeyStore​(java.io.InputStream certAndKey)
      Beta
      Create a keystore for mutual TLS with the certificate and private key provided.
      static java.security.KeyStore getDefaultKeyStore()
      Returns the default key store using KeyStore.getDefaultType().
      static java.security.Signature getEs256SignatureAlgorithm()
      Returns the SHA-256 with ECDSA signature algorithm
      static java.security.KeyStore getJavaKeyStore()
      Returns the Java KeyStore (JKS).
      static java.security.KeyStore getPkcs12KeyStore()
      Returns the PKCS12 key store.
      static java.security.PrivateKey getPrivateKey​(java.security.KeyStore keyStore, java.lang.String alias, java.lang.String keyPass)
      Returns the private key from the key store.
      static java.security.KeyFactory getRsaKeyFactory()
      Returns the RSA key factory.
      static java.security.Signature getSha1WithRsaSignatureAlgorithm()
      Returns the SHA-1 with RSA signature algorithm.
      static java.security.Signature getSha256WithRsaSignatureAlgorithm()
      Returns the SHA-256 with RSA signature algorithm.
      static java.security.cert.CertificateFactory getX509CertificateFactory()
      Returns the X.509 certificate factory.
      static void loadKeyStore​(java.security.KeyStore keyStore, java.io.InputStream keyStream, java.lang.String storePass)
      Loads a key store from a stream.
      static void loadKeyStoreFromCertificates​(java.security.KeyStore keyStore, java.security.cert.CertificateFactory certificateFactory, java.io.InputStream certificateStream)
      Loads a key store with certificates generated from the specified stream using CertificateFactory.generateCertificates(InputStream).
      static java.security.PrivateKey loadPrivateKeyFromKeyStore​(java.security.KeyStore keyStore, java.io.InputStream keyStream, java.lang.String storePass, java.lang.String alias, java.lang.String keyPass)
      Retrieves a private key from the specified key store stream and specified key store.
      static byte[] sign​(java.security.Signature signatureAlgorithm, java.security.PrivateKey privateKey, byte[] contentBytes)
      Signs content using a private key.
      static boolean verify​(java.security.Signature signatureAlgorithm, java.security.PublicKey publicKey, byte[] signatureBytes, byte[] contentBytes)
      Verifies the signature of signed content based on a public key.
      static java.security.cert.X509Certificate verify​(java.security.Signature signatureAlgorithm, javax.net.ssl.X509TrustManager trustManager, java.util.List<java.lang.String> certChainBase64, byte[] signatureBytes, byte[] contentBytes)
      Verifies the signature of signed content based on a certificate chain.

      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    • Constructor Detail

      • SecurityUtils

        private SecurityUtils()

    • Method Detail

      • getDefaultKeyStore

        public static java.security.KeyStore getDefaultKeyStore()
                                                 throws java.security.KeyStoreException
        Returns the default key store using KeyStore.getDefaultType().
        Throws:
        java.security.KeyStoreException

      • getJavaKeyStore

        public static java.security.KeyStore getJavaKeyStore()
                                              throws java.security.KeyStoreException
        Returns the Java KeyStore (JKS).
        Throws:
        java.security.KeyStoreException

      • getPkcs12KeyStore

        public static java.security.KeyStore getPkcs12KeyStore()
                                                throws java.security.KeyStoreException
        Returns the PKCS12 key store.
        Throws:
        java.security.KeyStoreException

      • loadKeyStore

        public static void loadKeyStore​(java.security.KeyStore keyStore,
                                java.io.InputStream keyStream,
                                java.lang.String storePass)
                         throws java.io.IOException,
                                java.security.GeneralSecurityException
        Loads a key store from a stream.

        Example usage: 

         KeyStore keyStore = SecurityUtils.getJavaKeyStore();
 SecurityUtils.loadKeyStore(keyStore, new FileInputStream("certs.jks"), "password");
        Parameters:
        keyStore - key store
        keyStream - input stream to the key store stream (closed at the end of this method in a finally block)
        storePass - password protecting the key store file
        Throws:
        java.io.IOException
        java.security.GeneralSecurityException

      • getPrivateKey

        public static java.security.PrivateKey getPrivateKey​(java.security.KeyStore keyStore,
                                                     java.lang.String alias,
                                                     java.lang.String keyPass)
                                              throws java.security.GeneralSecurityException
        Returns the private key from the key store.
        Parameters:
        keyStore - key store
        alias - alias under which the key is stored
        keyPass - password protecting the key
        Returns:
        private key
        Throws:
        java.security.GeneralSecurityException

      • loadPrivateKeyFromKeyStore

        public static java.security.PrivateKey loadPrivateKeyFromKeyStore​(java.security.KeyStore keyStore,
                                                                  java.io.InputStream keyStream,
                                                                  java.lang.String storePass,
                                                                  java.lang.String alias,
                                                                  java.lang.String keyPass)
                                                           throws java.io.IOException,
                                                                  java.security.GeneralSecurityException
        Retrieves a private key from the specified key store stream and specified key store.
        Parameters:
        keyStore - key store
        keyStream - input stream to the key store (closed at the end of this method in a finally block)
        storePass - password protecting the key store file
        alias - alias under which the key is stored
        keyPass - password protecting the key
        Returns:
        key from the key store
        Throws:
        java.io.IOException
        java.security.GeneralSecurityException

      • getRsaKeyFactory

        public static java.security.KeyFactory getRsaKeyFactory()
                                                 throws java.security.NoSuchAlgorithmException
        Returns the RSA key factory.
        Throws:
        java.security.NoSuchAlgorithmException

      • getSha1WithRsaSignatureAlgorithm

        public static java.security.Signature getSha1WithRsaSignatureAlgorithm()
                                                                throws java.security.NoSuchAlgorithmException
        Returns the SHA-1 with RSA signature algorithm.
        Throws:
        java.security.NoSuchAlgorithmException

      • getSha256WithRsaSignatureAlgorithm

        public static java.security.Signature getSha256WithRsaSignatureAlgorithm()
                                                                  throws java.security.NoSuchAlgorithmException
        Returns the SHA-256 with RSA signature algorithm.
        Throws:
        java.security.NoSuchAlgorithmException

      • getEs256SignatureAlgorithm

        public static java.security.Signature getEs256SignatureAlgorithm()
                                                          throws java.security.NoSuchAlgorithmException
        Returns the SHA-256 with ECDSA signature algorithm
        Throws:
        java.security.NoSuchAlgorithmException

      • sign

        public static byte[] sign​(java.security.Signature signatureAlgorithm,
                          java.security.PrivateKey privateKey,
                          byte[] contentBytes)
                   throws java.security.InvalidKeyException,
                          java.security.SignatureException
        Signs content using a private key.
        Parameters:
        signatureAlgorithm - signature algorithm
        privateKey - private key
        contentBytes - content to sign
        Returns:
        signed content
        Throws:
        java.security.InvalidKeyException
        java.security.SignatureException

      • verify

        public static boolean verify​(java.security.Signature signatureAlgorithm,
                             java.security.PublicKey publicKey,
                             byte[] signatureBytes,
                             byte[] contentBytes)
                      throws java.security.InvalidKeyException,
                             java.security.SignatureException
        Verifies the signature of signed content based on a public key.
        Parameters:
        signatureAlgorithm - signature algorithm
        publicKey - public key
        signatureBytes - signature bytes
        contentBytes - content bytes
        Returns:
        whether the signature was verified
        Throws:
        java.security.InvalidKeyException
        java.security.SignatureException

      • verify

        public static java.security.cert.X509Certificate verify​(java.security.Signature signatureAlgorithm,
                                                        javax.net.ssl.X509TrustManager trustManager,
                                                        java.util.List<java.lang.String> certChainBase64,
                                                        byte[] signatureBytes,
                                                        byte[] contentBytes)
                                                 throws java.security.InvalidKeyException,
                                                        java.security.SignatureException
        Verifies the signature of signed content based on a certificate chain.
        Parameters:
        signatureAlgorithm - signature algorithm
        trustManager - trust manager used to verify the certificate chain
        certChainBase64 - Certificate chain used for verification. The certificates must be base64 encoded DER, the leaf certificate must be the first element.
        signatureBytes - signature bytes
        contentBytes - content bytes
        Returns:
        The signature certificate if the signature could be verified, null otherwise.
        Throws:
        java.security.InvalidKeyException
        java.security.SignatureException
        Since:
        1.19.1.

      • getX509CertificateFactory

        public static java.security.cert.CertificateFactory getX509CertificateFactory()
                                                                       throws java.security.cert.CertificateException
        Returns the X.509 certificate factory.
        Throws:
        java.security.cert.CertificateException

      • loadKeyStoreFromCertificates

        public static void loadKeyStoreFromCertificates​(java.security.KeyStore keyStore,
                                                java.security.cert.CertificateFactory certificateFactory,
                                                java.io.InputStream certificateStream)
                                         throws java.security.GeneralSecurityException
        Loads a key store with certificates generated from the specified stream using CertificateFactory.generateCertificates(InputStream).

        For each certificate, KeyStore.setCertificateEntry(String, Certificate) is called with an alias that is the string form of incrementing non-negative integers starting with 0 (0, 1, 2, 3, ...).

        Example usage: 

         KeyStore keyStore = SecurityUtils.getJavaKeyStore();
 SecurityUtils.loadKeyStoreFromCertificates(keyStore, SecurityUtils.getX509CertificateFactory(),
 new FileInputStream(pemFile));
        Parameters:
        keyStore - key store (for example getJavaKeyStore())
        certificateFactory - certificate factory (for example getX509CertificateFactory())
        certificateStream - certificate stream
        Throws:
        java.security.GeneralSecurityException

      • createMtlsKeyStore

        @Beta
public static java.security.KeyStore createMtlsKeyStore​(java.io.InputStream certAndKey)
                                                 throws java.security.GeneralSecurityException,
                                                        java.io.IOException
        Beta
        Create a keystore for mutual TLS with the certificate and private key provided.
        Parameters:
        certAndKey - Certificate and private key input stream. The stream should contain one certificate and one unencrypted private key. If there are multiple certificates, only the first certificate will be used.
        Returns:
        keystore for mutual TLS.
        Throws:
        java.security.GeneralSecurityException
        java.io.IOException
        Since:
        1.38