org.symphonyoss.s2.common.crypto.cipher

Interface IAsymmetricCipherSuite

All Superinterfaces:

ICipherSuite

public interface IAsymmetricCipherSuite
extends ICipherSuite

A public key CipherSuite.

Author:

Bruce Skingle

Method Summary

Modifier and Type	Method and Description
org.bouncycastle.cert.X509AttributeCertificateHolder	createAttributeCert(X509Certificate clientCert, Date notBefore, Date notAfter, URL ocspUrl, PrivateKey caPrivKey, X509Certificate caCert, BigInteger serialNumber, String policyOid, URL policyUrl, String attributeId, String attributeValue) Generate an Attribute Certificate.
X509Certificate	createCert(org.bouncycastle.asn1.x509.GeneralName[] subjectAlternativeNames, org.bouncycastle.pkcs.PKCS10CertificationRequest csr, org.bouncycastle.asn1.x500.X500Name principal, Date notBefore, Date notAfter, URL ocspUrl, PrivateKey caPrivKey, X509Certificate caCert, BigInteger serialNumber, String policyOid, URL policyUrl, CertType certificateType) Generate an end user certificate from a CSR.
X509Certificate	createCert(org.bouncycastle.asn1.x509.GeneralName[] subjectAlternativeNames, PublicKey pubKey, org.bouncycastle.asn1.x500.X500Name principal, Date notBefore, Date notAfter, URL ocspUrl, PrivateKey caPrivKey, X509Certificate caCert, BigInteger serialNumber, String policyOid, URL policyUrl, CertType certificateType) Generate an end user certificate.
X509Certificate	createCert(String subjectRfc822AlternativeName, PublicKey pubKey, org.bouncycastle.asn1.x500.X500Name principal, Date notBefore, Date notAfter, URL ocspUrl, PrivateKey caPrivKey, X509Certificate caCert, BigInteger serialNumber, String policyOid, URL policyUrl, CertType certificateType) Generate an end user certificate.
org.bouncycastle.pkcs.PKCS10CertificationRequest	createCSR(org.bouncycastle.asn1.x500.X500Name subject, PublicKey publicKey, PrivateKey privateKey, org.bouncycastle.asn1.x509.GeneralName[] subjectAlternateNames)
X509Certificate	createMasterCert(PublicKey pubKey, PrivateKey privKey, org.bouncycastle.asn1.x500.X500Name principal, Date notBefore, Date notAfter, URL ocspUrl, BigInteger serialNumber) Generate a Master, self signed certificate.
X509Certificate	createSelfSignedCert(KeyPair keyPair, org.bouncycastle.asn1.x500.X500Name subject, int validDays) Create a self signed certificate for the given principal.
KeyPair	generateKeyPair()
AsymmetricCipher	getId() Get the unique ID for this cipher suite.
int	getKeySize(PrivateKey key)
int	getKeySize(PublicKey key)
String	getSignatureAlgorithm() Return the name of the SignatureAlgorithm used by this CipherSuite.
PrivateKey	privateKeyFromDER(String der)
String	privateKeyToDER(PrivateKey key)
PublicKey	publicKeyFromDER(String der)
String	publicKeyToDER(PublicKey key)
byte[]	sign(byte[] data, PrivateKey privateKey) Sign the given data.
String	sign(String data, PrivateKey privateKey) Sign the given data and return a base64 encoded string of the signature.
SecretKey	unwrap(byte[] cipherText, PrivateKey userPrivateKey, ISymmetricCipherSuite symmetricCipherSuite) Unwrap the given encrypted SecretKey
void	validateKey(KeyPair keyPair) Validate the given KeyPair and throw an exception if it is not suitable for use with this CipherSuite.
void	validateKey(PrivateKey key) Validate the given key and throw an exception if it is not suitable for use with this CipherSuite.
void	validateKey(PublicKey key) Validate the given key and throw an exception if it is not suitable for use with this CipherSuite.
void	verifySignature(byte[] encodedSignature, byte[] data, Certificate certificate)
void	verifySignature(byte[] encodedSignature, byte[] data, PublicKey publicKey)
byte[]	wrap(SecretKey key, PublicKey userKey) Wrap the given symmetric key by encrypting with the given user's public key.

Methods inherited from interface org.symphonyoss.s2.common.crypto.cipher.ICipherSuite

getCipher, getKeyAlgorithm, getKeySize

Method Detail

getId

AsymmetricCipher getId()

Get the unique ID for this cipher suite.

Returns:

The unique ID of this cipher suite.

validateKey

void validateKey(KeyPair keyPair)
          throws InvalidKeyException

Validate the given KeyPair and throw an exception if it is not suitable for use with this CipherSuite.

Parameters:

keyPair - A KeyPair to validate.

Throws:

InvalidKeyException - If the given KeyPair is incompatible with the current CipherSuite.

validateKey

void validateKey(PrivateKey key)
          throws InvalidKeyException

Validate the given key and throw an exception if it is not suitable for use with this CipherSuite.

Parameters:

key - A key to validate.

Throws:

InvalidKeyException - If the given KeyPair is incompatible with the current CipherSuite.

validateKey

void validateKey(PublicKey key)
          throws InvalidKeyException

Validate the given key and throw an exception if it is not suitable for use with this CipherSuite.

Parameters:

key - A key to validate.

Throws:

InvalidKeyException - If the given KeyPair is incompatible with the current CipherSuite.

getSignatureAlgorithm

String getSignatureAlgorithm()

Return the name of the SignatureAlgorithm used by this CipherSuite.

Returns:

The name of the SignatureAlgorithm used by this CipherSuite.

createCSR

org.bouncycastle.pkcs.PKCS10CertificationRequest createCSR(org.bouncycastle.asn1.x500.X500Name subject,
                                                           PublicKey publicKey,
                                                           PrivateKey privateKey,
                                                           org.bouncycastle.asn1.x509.GeneralName[] subjectAlternateNames)
                                                    throws org.bouncycastle.operator.OperatorCreationException,
                                                           IOException

Throws:

org.bouncycastle.operator.OperatorCreationException

IOException

generateKeyPair

KeyPair generateKeyPair()

createSelfSignedCert

X509Certificate createSelfSignedCert(KeyPair keyPair,
                                     org.bouncycastle.asn1.x500.X500Name subject,
                                     int validDays)
                              throws InvalidKeyException

Create a self signed certificate for the given principal.

Parameters:

keyPair - The public key to be associate with the certificate and the private key to sign the certificate with.

subject - Subject principal.

validDays - Number of days from now for which the certificate will be valid.

Returns:

A self signed X509v1 certificate.

Throws:

InvalidKeyException - If the given keys are incompatible with this CipherSuite.

sign

byte[] sign(byte[] data,
            PrivateKey privateKey)
     throws InvalidKeyException

Sign the given data.

Parameters:

data - Data to be signed

privateKey - Signing key.

Returns:

Encoded bytes of signature

Throws:

InvalidKeyException - If the given keys are incompatible with this CipherSuite.

sign

String sign(String data,
            PrivateKey privateKey)
     throws InvalidKeyException

Sign the given data and return a base64 encoded string of the signature.

Parameters:

data - Data to be signed

privateKey - Private signing key.

Returns:

Base64 encoded bytes of signature as a String

Throws:

InvalidKeyException - If the given keys are incompatible with this CipherSuite.

verifySignature

void verifySignature(byte[] encodedSignature,
                     byte[] data,
                     Certificate certificate)
              throws SignatureVerificationException

Throws:

SignatureVerificationException

verifySignature

void verifySignature(byte[] encodedSignature,
                     byte[] data,
                     PublicKey publicKey)
              throws SignatureVerificationException

Throws:

SignatureVerificationException

createMasterCert

X509Certificate createMasterCert(PublicKey pubKey,
                                 PrivateKey privKey,
                                 org.bouncycastle.asn1.x500.X500Name principal,
                                 Date notBefore,
                                 Date notAfter,
                                 URL ocspUrl,
                                 BigInteger serialNumber)

Generate a Master, self signed certificate.

Parameters:

pubKey - Public key for principal.

privKey - Private key for principal, used to sign the certificate.

principal - The subject of the certificate.

notBefore - Validity start date.

notAfter - Validity end date.

ocspUrl - If non-null then this is added as the OCSP URL for the certificate.

serialNumber - Certificate serial number, should be unique for this CA.

Returns:

A self signed X509v3 certificate signing certificate.

createCert

X509Certificate createCert(String subjectRfc822AlternativeName,
                           PublicKey pubKey,
                           org.bouncycastle.asn1.x500.X500Name principal,
                           Date notBefore,
                           Date notAfter,
                           URL ocspUrl,
                           PrivateKey caPrivKey,
                           X509Certificate caCert,
                           BigInteger serialNumber,
                           String policyOid,
                           URL policyUrl,
                           CertType certificateType)
                    throws InvalidKeyException

Generate an end user certificate.

Parameters:

subjectRfc822AlternativeName - If non-null then this is added as the subject's email address

pubKey - Public key for principal.

principal - The subject of the certificate.

notBefore - Validity start date.

notAfter - Validity end date.

ocspUrl - If non-null then this is added as the OCSP URL for the certificate.

caPrivKey - Private key for the CA, used to sign the certificate.

caCert - The certificate relating to the caPrivKey

serialNumber - Certificate serial number, should be unique for this CA.

policyOid - Optional OID for certificate policy, needs policyUrl as well.

policyUrl - Optional URL for certificate policy, needs policyOid as well.

certificateType - Type of certificate required, one of UserEncryption, UserSigning or Server

Returns:

An X509v3 user or server certificate signed by the given CA.

Throws:

InvalidKeyException - If the given keys are incompatible with this CipherSuite.

createCert

X509Certificate createCert(org.bouncycastle.asn1.x509.GeneralName[] subjectAlternativeNames,
                           PublicKey pubKey,
                           org.bouncycastle.asn1.x500.X500Name principal,
                           Date notBefore,
                           Date notAfter,
                           URL ocspUrl,
                           PrivateKey caPrivKey,
                           X509Certificate caCert,
                           BigInteger serialNumber,
                           String policyOid,
                           URL policyUrl,
                           CertType certificateType)
                    throws InvalidKeyException

Generate an end user certificate.

Parameters:

subjectAlternativeNames - If non-null then this array of GeneralName is added as the subject's alternative names.

pubKey - Public key for principal.

principal - The subject of the certificate.

notBefore - Validity start date.

notAfter - Validity end date.

ocspUrl - If non-null then this is added as the OCSP URL for the certificate.

caPrivKey - Private key for the CA, used to sign the certificate.

caCert - The certificate relating to the caPrivKey

serialNumber - Certificate serial number, should be unique for this CA.

policyOid - Optional OID for certificate policy, needs policyUrl as well.

policyUrl - Optional URL for certificate policy, needs policyOid as well.

certificateType - Type of certificate required, one of UserEncryption, UserSigning or Server

Returns:

An X509v3 user or server certificate signed by the given CA.

Throws:

InvalidKeyException - If the given keys are incompatible with this CipherSuite.

createCert

X509Certificate createCert(org.bouncycastle.asn1.x509.GeneralName[] subjectAlternativeNames,
                           org.bouncycastle.pkcs.PKCS10CertificationRequest csr,
                           org.bouncycastle.asn1.x500.X500Name principal,
                           Date notBefore,
                           Date notAfter,
                           URL ocspUrl,
                           PrivateKey caPrivKey,
                           X509Certificate caCert,
                           BigInteger serialNumber,
                           String policyOid,
                           URL policyUrl,
                           CertType certificateType)
                    throws InvalidKeyException,
                           SignatureVerificationException

Generate an end user certificate from a CSR. If principal is null then the name and subjectAlternativeNames from the CSR are used, otherwise they are ignored. The validity of the CSR is checked regardless.

Parameters:

subjectAlternativeNames - If non-null then this array of GeneralName is added as the subject's alternative names.

csr - A Certificate Signing Request

principal - The subject of the certificate, if null then the subject in the CSR is used.

notBefore - Validity start date.

notAfter - Validity end date.

ocspUrl - If non-null then this is added as the OCSP URL for the certificate.

caPrivKey - Private key for the CA, used to sign the certificate.

caCert - The certificate relating to the caPrivKey

serialNumber - Certificate serial number, should be unique for this CA.

policyOid - Optional OID for certificate policy, needs policyUrl as well.

policyUrl - Optional URL for certificate policy, needs policyOid as well.

certificateType - Type of certificate required, one of UserEncryption, UserSigning or Server

Returns:

An X509v3 user or server certificate signed by the given CA.

Throws:

InvalidKeyException - If the given keys are incompatible with this CipherSuite.

SignatureVerificationException - If the CSR signature is not valid or cannot ve verified.

createAttributeCert

org.bouncycastle.cert.X509AttributeCertificateHolder createAttributeCert(X509Certificate clientCert,
                                                                         Date notBefore,
                                                                         Date notAfter,
                                                                         URL ocspUrl,
                                                                         PrivateKey caPrivKey,
                                                                         X509Certificate caCert,
                                                                         BigInteger serialNumber,
                                                                         String policyOid,
                                                                         URL policyUrl,
                                                                         String attributeId,
                                                                         String attributeValue)

Generate an Attribute Certificate.

Parameters:

clientCert - User certificate for which this attribute applies.

notBefore - Validity start date.

notAfter - Validity end date.

ocspUrl - If non-null then this is added as the OCSP URL for the certificate.

caPrivKey - Private key for the CA, used to sign the certificate.

caCert - The certificate relating to the caPrivKey

serialNumber - Certificate serial number, should be unique for this CA.

policyOid - Optional OID for certificate policy, needs policyUrl as well.

policyUrl - Optional URL for certificate policy, needs policyOid as well.

attributeId - OID of the attribute.

attributeValue - Value of the attribute.

Returns:

An X509v2 Attribute certificate

wrap

byte[] wrap(SecretKey key,
            PublicKey userKey)
     throws GeneralSecurityException

Wrap the given symmetric key by encrypting with the given user's public key.

Parameters:

key - Key to be wrapped.

userKey - Public key of user for whom it is wrapped. Only they can unwrap using their secret key.

Returns:

ciphertext of wrapped key.

Throws:

GeneralSecurityException

unwrap

SecretKey unwrap(byte[] cipherText,
                 PrivateKey userPrivateKey,
                 ISymmetricCipherSuite symmetricCipherSuite)
          throws GeneralSecurityException

Unwrap the given encrypted SecretKey

Parameters:

cipherText - Encrypted key to be unwrapped.

userPrivateKey - Wrapping key.

symmetricCipherSuite - Wrapping cipherSuite

Returns:

The SecretKey.

Throws:

GeneralSecurityException

publicKeyToDER

String publicKeyToDER(PublicKey key)
               throws IOException,
                      GeneralSecurityException

Throws:

IOException

GeneralSecurityException

publicKeyFromDER

PublicKey publicKeyFromDER(String der)
                    throws IOException,
                           GeneralSecurityException

Throws:

IOException

GeneralSecurityException

privateKeyToDER

String privateKeyToDER(PrivateKey key)
                throws IOException,
                       GeneralSecurityException

Throws:

IOException

GeneralSecurityException

privateKeyFromDER

PrivateKey privateKeyFromDER(String der)
                      throws IOException,
                             GeneralSecurityException

Throws:

IOException

GeneralSecurityException

getKeySize

int getKeySize(PublicKey key)
        throws InvalidKeyException

Throws:

InvalidKeyException

getKeySize

int getKeySize(PrivateKey key)
        throws InvalidKeyException

Throws:

InvalidKeyException