Class KeyManagement


  • public class KeyManagement
    extends java.lang.Object
    Everything related to key management and key encryption: creating or loading a key store, generating a key pair and X.509 certificate, and maintaining the list of trusted Subject Key Identifiers (SKIs).
    • Field Detail

      • log

        protected static final org.slf4j.Logger log
    • Constructor Detail

      • KeyManagement

        public KeyManagement​(java.lang.String pathToKeyStore,
                             java.lang.String alias,
                             char[] keyStorePassphrase,
                             char[] keyPairPassphrase,
                             java.lang.String distinguishedName,
                             int days)
                      throws java.security.KeyStoreException,
                             java.security.NoSuchProviderException,
                             java.io.IOException,
                             java.security.cert.CertificateException,
                             java.security.NoSuchAlgorithmException,
                             java.security.UnrecoverableKeyException
        Creates a new key store, key pair and certificate and stores them at the specified path. If the path already contains a key store with a valid key pair and certificate, that key store is loaded instead.
        Parameters:
        pathToKeyStore - path where the key store exists or should be created; if null, a temporary key store is created and is not persisted
        alias - the alias of the existing key pair, or the alias for the key pair to be created
        keyStorePassphrase - passphrase for the key store
        keyPairPassphrase - passphrase for the key pair to be generated
        distinguishedName - X.509 Distinguished Name, e.g. "CN=Test, L=London, C=GB". For IoT devices, usually the DeviceID
        days - how many days the certificate should be valid for
        Throws:
        java.security.KeyStoreException - if a KeyStoreSpi implementation for the specified type is not available from the specified provider
        java.security.NoSuchProviderException - if the specified provider is not registered in the security provider list
        java.io.IOException - if there is an I/O or format problem with the keystore data, if a password is required but not given, or if the given password was incorrect
        java.security.cert.CertificateException - if any of the certificates in the keystore could not be loaded
        java.security.NoSuchAlgorithmException - if the appropriate data integrity algorithm could not be found
        java.security.UnrecoverableKeyException - if the key cannot be recovered (e.g., the given password is wrong).
    • Method Detail

      • generateSki

        public static org.bouncycastle.asn1.x509.SubjectKeyIdentifier generateSki​(java.security.PublicKey publicKey)
      • parseSkiToString

        public static java.lang.String parseSkiToString​(org.bouncycastle.asn1.x509.SubjectKeyIdentifier ski)
        Returns the hex string that represents the SKI value.
        Parameters:
        ski - SubjectKeyIdentifier value
        Returns:
        SKI value as hex string in lower case
      • isValidSki

        public static boolean isValidSki​(java.lang.String ski)
        Checks whether the given string represents a valid SKI. Whitespace is removed before the check, so a spaced or line-wrapped hex string is accepted.
        Parameters:
        ski - the string to check
        Returns:
        true if the string (after whitespace removal) consists only of hex digits and is exactly 40 characters long, i.e. 20 bytes, the length of a SHA-1 based key identifier
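        How the three SKI helpers fit together, as an added example that is not the project's code. KeyManagement.generateSki is not shown on this page, so the example computes the SKI with BouncyCastle's JcaX509ExtensionUtils (RFC 5280 section 4.2.1.2 method 1: SHA-1 over the subjectPublicKey bits, the method consistent with the 40 hex digits isValidSki requires) and cross-checks it against a by-hand SHA-1; whether the project's generateSki uses the same method is an assumption. The key pair is generated on the fly and the malformed inputs are constructed for the demonstration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.util.regex.Pattern;

import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.util.encoders.Hex;

public class SkiExample {

    // RFC 5280 method 1: SHA-1 over the value of the subjectPublicKey BIT STRING
    // (raw key bits, without tag, length or unused-bits octet). Assumed to match
    // KeyManagement.generateSki, since the documented SKI length is 40 hex digits.
    static SubjectKeyIdentifier generateSki(PublicKey publicKey) throws NoSuchAlgorithmException {
        return new JcaX509ExtensionUtils().createSubjectKeyIdentifier(publicKey);
    }

    // The same computation done by hand, to show exactly what the BC helper hashes.
    static byte[] skiByHand(PublicKey publicKey) throws NoSuchAlgorithmException {
        SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(publicKey.getEncoded());
        byte[] keyBits = spki.getPublicKeyData().getBytes();
        return MessageDigest.getInstance("SHA-1").digest(keyBits);
    }

    // Lower-case hex, 40 characters for a 20-byte identifier.
    static String parseSkiToString(SubjectKeyIdentifier ski) {
        return Hex.toHexString(ski.getKeyIdentifier());
    }

    private static final Pattern SKI_HEX = Pattern.compile("[0-9a-fA-F]{40}");

    // Strip all whitespace first, then require exactly 40 hex digits.
    static boolean isValidSki(String ski) {
        if (ski == null) {
            return false;
        }
        return SKI_HEX.matcher(ski.replaceAll("\\s+", "")).matches();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        SubjectKeyIdentifier ski = generateSki(kp.getPublic());
        String hex = parseSkiToString(ski);
        System.out.println("SKI: " + hex);
        System.out.println("BC helper equals manual SHA-1: "
                + hex.equals(Hex.toHexString(skiByHand(kp.getPublic()))));

        System.out.println("canonical form:      " + isValidSki(hex));
        System.out.println("upper-case form:     " + isValidSki(hex.toUpperCase()));
        System.out.println("byte-spaced form:    " + isValidSki(hex.replaceAll("(..)", "$1 ")));
        System.out.println("39 digits:           " + isValidSki(hex.substring(1)));
        System.out.println("non-hex characters:  " + isValidSki(hex.substring(0, 38) + "zz"));
    }
}
```

        Because the identifier is derived from the public key alone, two certificates for the same key (for example a renewed self-signed certificate) share an SKI, which is what makes it a stable key for a trust list.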
      • addBCProvider

        public static void addBCProvider()
        Adds the BouncyCastle provider to the JVM's security provider list, but only if it is not already registered.
      • addTrustedSki

        public static void addTrustedSki​(java.lang.String ski,
                                         java.lang.Integer trustLevel)
        Adds the given SKI to the trusted list unless it is already present. This method never overrides an existing entry: to change a trust level, remove the old entry with removeTrustedSki and add it again with the new trust level.
        Parameters:
        ski - the SKI to be added to the trusted SKIs list
        trustLevel - the trust level of the SKI to be added
      • setTrustedSkiAuthenticated

        public static void setTrustedSkiAuthenticated​(java.lang.String ski)
      • removeTrustedSki

        public static boolean removeTrustedSki​(java.lang.String ski)
        Removes an SKI from the trusted SKIs map.
        Parameters:
        ski - the SKI to remove
        Returns:
        true if the map contained the SKI, otherwise false
      • getTrustedSkis

        public static java.util.Map<java.lang.String,​SkiManagementInfo> getTrustedSkis()
      • clearTrustedSkis

        public static void clearTrustedSkis()
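        The trust list that addTrustedSki, setTrustedSkiAuthenticated, removeTrustedSki and getTrustedSkis maintain, as an added example that is not the project's own code: a minimal stand-in for the trusted-SKI map showing the non-overriding add, the remove-then-add override idiom, and how a peer is checked against it. SkiInfo, normalise, replaceTrustedSki, authenticate and sign are hypothetical names (the fields of the page's SkiManagementInfo are not documented); the key pairs and nonce are constructed for the demonstration, and the SKI is computed with BouncyCastle's JcaX509ExtensionUtils (RFC 5280 method 1, SHA-1 over the public key bits), which is assumed to match generateSki.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.util.encoders.Hex;

public class TrustedSkiExample {

    // Hypothetical stand-in for the page's SkiManagementInfo, whose fields are not documented.
    static final class SkiInfo {
        final int trustLevel;
        volatile boolean authenticated;
        SkiInfo(int trustLevel) { this.trustLevel = trustLevel; }
    }

    private static final Map<String, SkiInfo> trustedSkis = new ConcurrentHashMap<>();

    // Canonical key form: whitespace stripped, lower-case hex (the parseSkiToString form).
    static String normalise(String ski) { return ski.replaceAll("\\s+", "").toLowerCase(); }

    // putIfAbsent is what gives the documented "does not override" behaviour.
    static void addTrustedSki(String ski, int trustLevel) {
        trustedSkis.putIfAbsent(normalise(ski), new SkiInfo(trustLevel));
    }

    static boolean removeTrustedSki(String ski) {
        return trustedSkis.remove(normalise(ski)) != null;
    }

    // The documented way to change a trust level: remove, then add again.
    static void replaceTrustedSki(String ski, int trustLevel) {
        removeTrustedSki(ski);
        addTrustedSki(ski, trustLevel);
    }

    static Map<String, SkiInfo> getTrustedSkis() { return Collections.unmodifiableMap(trustedSkis); }

    static String skiOf(PublicKey key) throws Exception {
        return Hex.toHexString(new JcaX509ExtensionUtils().createSubjectKeyIdentifier(key).getKeyIdentifier());
    }

    // Identity comes from the SKI recomputed over the key the peer actually presented, never from
    // an SKI extension the peer wrote into its own certificate. Authentication comes from a
    // signature over a fresh nonce, which proves possession of the matching private key.
    // Returns the trust level, or -1 if the peer is unknown or fails the proof of possession.
    static int authenticate(PublicKey presentedKey, byte[] nonce, byte[] signature) throws Exception {
        SkiInfo info = trustedSkis.get(skiOf(presentedKey));
        if (info == null) return -1;                 // not on the allow-list
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(presentedKey);
        v.update(nonce);
        if (!v.verify(signature)) return -1;         // public key known, private key not proven
        info.authenticated = true;                   // the setTrustedSkiAuthenticated step
        return info.trustLevel;
    }

    static byte[] sign(KeyPair kp, byte[] nonce) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(kp.getPrivate());
        s.update(nonce);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair device = kpg.generateKeyPair();   // constructed: a provisioned device
        KeyPair rogue = kpg.generateKeyPair();    // constructed: an unknown peer

        String deviceSki = skiOf(device.getPublic());
        addTrustedSki(deviceSki, 1);
        addTrustedSki(deviceSki.toUpperCase(), 5);   // same key, entry already present: ignored
        System.out.println("level after second add: " + getTrustedSkis().get(deviceSki).trustLevel);
        replaceTrustedSki(deviceSki, 2);
        System.out.println("level after replace:    " + getTrustedSkis().get(deviceSki).trustLevel);

        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        System.out.println("device: " + authenticate(device.getPublic(), nonce, sign(device, nonce)));
        System.out.println("rogue:  " + authenticate(rogue.getPublic(), nonce, sign(rogue, nonce)));
        // A signature replayed under a different nonce fails even though the key is trusted.
        System.out.println("replay: " + authenticate(device.getPublic(), new byte[32], sign(device, nonce)));
        System.out.println("authenticated flag set: " + getTrustedSkis().get(deviceSki).authenticated);
    }
}
```

        Note that the map returned by getTrustedSkis is a live view of mutable state; hand callers an unmodifiable wrapper, as above, so that trust levels can only change through the remove-then-add path.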
      • loadKeyStore

        public void loadKeyStore()
                          throws java.security.KeyStoreException,
                                 java.security.NoSuchProviderException,
                                 java.security.cert.CertificateException,
                                 java.io.IOException,
                                 java.security.NoSuchAlgorithmException
        Throws:
        java.security.KeyStoreException
        java.security.NoSuchProviderException
        java.security.cert.CertificateException
        java.io.IOException
        java.security.NoSuchAlgorithmException
      • storeKeyPairInKeyStore

        public void storeKeyPairInKeyStore​(java.lang.String alias)
                                    throws java.security.KeyStoreException
        Throws:
        java.security.KeyStoreException
      • storeSymKeyInKeyStore

        public void storeSymKeyInKeyStore​(java.lang.String alias)
                                   throws java.security.NoSuchProviderException,
                                          java.security.KeyStoreException,
                                          java.security.cert.CertificateException,
                                          java.security.NoSuchAlgorithmException,
                                          java.io.IOException
        Throws:
        java.security.NoSuchProviderException
        java.security.KeyStoreException
        java.security.cert.CertificateException
        java.security.NoSuchAlgorithmException
        java.io.IOException
      • createCertificate

        public CertificateInfo createCertificate​(java.security.KeyPair keyPair,
                                                 java.lang.String distinguishedName,
                                                 int days,
                                                 CertificateInfo issuer)
                                          throws org.bouncycastle.operator.OperatorCreationException,
                                                 java.security.cert.CertificateException,
                                                 java.io.IOException
        Generates an X.509 certificate for keyPair, signed with the issuer's private key (self-signed when issuer holds the key pair's own private key and certificate).
        Parameters:
        keyPair - the key pair whose public key the certificate will carry
        distinguishedName - the X.509 Distinguished Name, e.g. "CN=Test, L=London, C=GB". For IoT devices, usually the DeviceID
        days - how many days the certificate is valid for
        issuer - the issuer's certificate content, consisting of its private key and X509Certificate
        Returns:
        the generated certificate (self-signed in the case described above)
        Throws:
        org.bouncycastle.operator.OperatorCreationException - if certificate generation goes wrong
        java.security.cert.CertificateException - if certificate generation goes wrong
        java.io.IOException - if certificate generation goes wrong; BouncyCastle reports extension-encoding failures as org.bouncycastle.cert.CertIOException, a subclass of IOException
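        A worked example of the life cycle the constructor describes (create key store, key pair and certificate, or load an existing store) together with the certificate generation of createCertificate. This is added example code, not the project's KeyManagement implementation: it uses the JDK KeyStore API and BouncyCastle's certificate builder directly, takes the issuer's private key and X500Name in place of the page's CertificateInfo (whose fields are not documented here), and the file name, alias and passphrases in main are made up for the demonstration. The two exceptions the constructor documents for wrong passphrases are marked where they arise.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.TimeUnit;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class KeyStoreBootstrapExample {

    // Register BouncyCastle only if it is not already in the provider list (the documented addBCProvider behaviour).
    static void addBCProvider() {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    // Builds a certificate for keyPair signed by issuerKey. Passing the subject's own key and name
    // as issuer yields a self-signed certificate. The SKI extension is derived from the public key,
    // which is what the trusted-SKI list on this page keys on.
    static X509Certificate createCertificate(KeyPair keyPair, String distinguishedName, int days,
            PrivateKey issuerKey, X500Name issuerName) throws Exception {
        long now = System.currentTimeMillis();
        BigInteger serial = new BigInteger(64, new SecureRandom());   // unique per issuer
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                issuerName, serial, new Date(now), new Date(now + TimeUnit.DAYS.toMillis(days)),
                new X500Name(distinguishedName), keyPair.getPublic())
            .addExtension(Extension.subjectKeyIdentifier, false,
                new JcaX509ExtensionUtils().createSubjectKeyIdentifier(keyPair.getPublic()));
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).build(issuerKey);
        return new JcaX509CertificateConverter()
            .setProvider(BouncyCastleProvider.PROVIDER_NAME).getCertificate(builder.build(signer));
    }

    // Mirrors the documented constructor: load an existing store that holds the alias, otherwise
    // generate key pair + certificate and, if a path was given, persist the store.
    static KeyStore loadOrCreate(String pathToKeyStore, String alias, char[] keyStorePass,
            char[] keyPairPass, String dn, int days) throws Exception {
        addBCProvider();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        File f = pathToKeyStore == null ? null : new File(pathToKeyStore);
        if (f != null && f.exists()) {
            try (FileInputStream in = new FileInputStream(f)) {
                ks.load(in, keyStorePass);        // wrong store passphrase -> IOException
            }
            if (ks.isKeyEntry(alias)) {
                ks.getKey(alias, keyPairPass);    // wrong key passphrase -> UnrecoverableKeyException
                return ks;
            }
        } else {
            ks.load(null, null);                  // new, empty store; in memory until stored
        }
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        X509Certificate cert = createCertificate(kp, dn, days, kp.getPrivate(), new X500Name(dn));
        // Two secrets, two scopes: keyPairPass protects this entry, keyStorePass the file as a whole.
        ks.setKeyEntry(alias, kp.getPrivate(), keyPairPass, new X509Certificate[] { cert });
        if (f != null) {
            try (FileOutputStream out = new FileOutputStream(f)) {
                ks.store(out, keyStorePass);
            }
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo values; a real deployment sources the passphrases from a secret store.
        KeyStore ks = loadOrCreate("device.p12", "device", "store-secret".toCharArray(),
                "key-secret".toCharArray(), "CN=device-0001, L=London, C=GB", 365);
        X509Certificate cert = (X509Certificate) ks.getCertificate("device");
        cert.verify(cert.getPublicKey());   // self-signed: must verify under its own public key
        System.out.println(cert.getSubjectX500Principal() + " valid until " + cert.getNotAfter());
    }
}
```

        Running main twice against the same path exercises both branches: the first run creates device.p12, the second loads it and returns the existing entry without generating a new key pair, so the SKI (and therefore any trust-list entry keyed on it) stays stable across restarts.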
      • getOwnSki

        public org.bouncycastle.asn1.x509.SubjectKeyIdentifier getOwnSki()
      • getOwnSkiAsStr

        public java.lang.String getOwnSkiAsStr()
      • getKeyPair

        public java.security.KeyPair getKeyPair()
      • setKeyPair

        public void setKeyPair​(java.security.KeyPair keyPair)
      • getPathToKeyStoreFile

        public java.lang.String getPathToKeyStoreFile()
      • setPathToKeyStoreFile

        public void setPathToKeyStoreFile​(java.lang.String pathToKeyStore)
      • getKs

        public java.security.KeyStore getKs()
      • setKs

        public void setKs​(java.security.KeyStore ks)
      • getKeyStorePass

        public char[] getKeyStorePass()
      • setKeyStorePass

        public void setKeyStorePass​(char[] keyStorePass)
      • getKeyPairPass

        public char[] getKeyPairPass()
      • setKeyPairPass

        public void setKeyPairPass​(char[] keyPairPass)