org.nuxeo.common.codec

Class Crypto

java.lang.Object

org.nuxeo.common.codec.Crypto

Direct Known Subclasses:

Crypto.NoOp

public class Crypto
extends Object

Supported algorithms (name, keysize):

• AES/ECB/PKCS5Padding (128)
• DES/ECB/PKCS5Padding (64)

Since:

7.4

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	Crypto.NoOp

Field Summary

Fields

Modifier and Type	Field and Description
static String	AES
static String	AES_ECB_PKCS5PADDING
protected static Pattern	CRYPTO_PATTERN
static String	DEFAULT_ALGO
static String	DES
static String	DES_ECB_PKCS5PADDING
static String[]	IMPLEMENTED_ALGOS

Constructor Summary

Constructors

Constructor and Description
Crypto(byte[] secretKey)
Crypto(Map<String,SecretKey> secretKeys) Initialize cryptography with a map of SecretKey.
Crypto(Map<String,SecretKey> secretKeys, char[] digest) Initialize cryptography with a map of SecretKey.
Crypto(String keystorePath, char[] keystorePass, String keyAlias, char[] keyPass) Initialize cryptography with a keystore.

Method Summary

Modifier and Type	Method and Description
void	clear() Clear sensible values.
byte[]	decrypt(String strToDecrypt) The method returns either the decrypted strToDecrypt, either the strToDecrypt itself if it is not recognized as a crypted string or if the decryption fails.
String	encrypt(byte[] bytesToEncrypt)
String	encrypt(String algorithm, byte[] bytesToEncrypt)
static byte[]	getBytes(char[] chars) Utility method to get byte[] from char[] since it is recommended to store passwords in char[] rather than in String. The default charset of this Java virtual machine is used.
static char[]	getChars(byte[] bytes) Utility method to get char[] from bytes[] since it is recommended to store passwords in char[] rather than in String. The default charset of this Java virtual machine is used.
static Map<String,SecretKey>	getKeysFromKeyStore(String keystorePath, char[] keystorePass, String keyAlias, char[] keyPass) Extract secret keys from a keystore looking for keyAlias + algorithm
protected SecretKey	getSecretKey(String algorithm, byte[] key)
byte[]	getSHA1Digest(byte[] key)
byte[]	getSHA1DigestOrEmpty(byte[] bytes)
static boolean	isEncrypted(String value)
static void	setKeyInKeyStore(String keystorePath, char[] keystorePass, String keyAlias, char[] keyPass, SecretKey key) Store a key in a keystore. The keystore is created if it doesn't exist.
boolean	verifyKey(byte[] candidateDigest) Test the given candidateDigest against the configured digest.
boolean	verifyKey(char[] candidateDigest) Test the given candidateDigest against the configured digest.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CRYPTO_PATTERN

protected static final Pattern CRYPTO_PATTERN

AES

public static final String AES

See Also:

Constant Field Values

AES_ECB_PKCS5PADDING

public static final String AES_ECB_PKCS5PADDING

See Also:

Constant Field Values

DES

public static final String DES

See Also:

Constant Field Values

DES_ECB_PKCS5PADDING

public static final String DES_ECB_PKCS5PADDING

See Also:

Constant Field Values

IMPLEMENTED_ALGOS

public static final String[] IMPLEMENTED_ALGOS

DEFAULT_ALGO

public static final String DEFAULT_ALGO

See Also:

Constant Field Values

Constructor Detail

Crypto

public Crypto(byte[] secretKey)

Crypto

public Crypto(Map<String,SecretKey> secretKeys)

Initialize cryptography with a map of SecretKey.

Parameters:

secretKeys - Map of SecretKey per algorithm

Crypto

public Crypto(Map<String,SecretKey> secretKeys,
              char[] digest)

Initialize cryptography with a map of SecretKey.

Parameters:

digest - Digest for later use by verifyKey(byte[])

secretKeys - Map of SecretKey per algorithm

Crypto

public Crypto(String keystorePath,
              char[] keystorePass,
              String keyAlias,
              char[] keyPass)
       throws GeneralSecurityException,
              IOException

Initialize cryptography with a keystore.

Parameters:

keystorePath - Path to the keystore.

keystorePass - Keystore password. It is also used to generate the digest for verifyKey(byte[])

keyAlias - Key alias prefix. It is suffixed with the algorithm.

keyPass - Key password

Throws:

IOException

GeneralSecurityException

Method Detail

getSecretKey

protected SecretKey getSecretKey(String algorithm,
                                 byte[] key)
                          throws NoSuchAlgorithmException

Throws:

NoSuchAlgorithmException

getSHA1Digest

public byte[] getSHA1Digest(byte[] key)
                     throws NoSuchAlgorithmException

Throws:

NoSuchAlgorithmException

getSHA1DigestOrEmpty

public byte[] getSHA1DigestOrEmpty(byte[] bytes)

encrypt

public String encrypt(byte[] bytesToEncrypt)
               throws GeneralSecurityException

Throws:

GeneralSecurityException

encrypt

public String encrypt(String algorithm,
                      byte[] bytesToEncrypt)
               throws GeneralSecurityException

Parameters:

algorithm - cipher transformation of the form "algorithm/mode/padding" or "algorithm". See the Cipher section in the Java Cryptography Architecture Standard Algorithm Name Documentation.

Throws:

NoSuchPaddingException - if algorithm contains a padding scheme that is not available.

NoSuchAlgorithmException - if algorithm is in an invalid or not supported format.

GeneralSecurityException

decrypt

public byte[] decrypt(String strToDecrypt)

The method returns either the decrypted strToDecrypt, either the strToDecrypt itself if it is not recognized as a crypted string or if the decryption fails. The return value is a byte array for security purpose, it is your responsibility to convert it then to a String or not (use of char[] is recommended).

Returns:

the decrypted strToDecrypt as an array of bytes, never null

See Also:

getChars(byte[])

clear

public void clear()

Clear sensible values. That makes the current object unusable.

verifyKey

public boolean verifyKey(byte[] candidateDigest)

Test the given candidateDigest against the configured digest. In case of failure, the secret data is destroyed and the object is made unusable.
Use that method to check if some code is allowed to request that Crypto object.

Returns:

true if candidateDigest matches the one used on creation.

See Also:

clear(), verifyKey(char[])

verifyKey

public boolean verifyKey(char[] candidateDigest)

Test the given candidateDigest against the configured digest. In case of failure, the secret data is destroyed and the object is made unusable.
Use that method to check if some code is allowed to request that Crypto object.

Returns:

true if candidateDigest matches the one used on creation.

See Also:

clear(), verifyKey(byte[])

getBytes

public static byte[] getBytes(char[] chars)

Utility method to get byte[] from char[] since it is recommended to store passwords in char[] rather than in String.
The default charset of this Java virtual machine is used. There can be conversion issue with unmappable characters: they will be replaced with the charset's default replacement string.

Parameters:

chars - char array to convert

Returns:

the byte array converted from chars using the default charset.

getChars

public static char[] getChars(byte[] bytes)

Utility method to get char[] from bytes[] since it is recommended to store passwords in char[] rather than in String.
The default charset of this Java virtual machine is used. There can be conversion issue with unmappable characters: they will be replaced with the charset's default replacement string.

Parameters:

bytes - byte array to convert

Returns:

the char array converted from bytes using the default charset.

isEncrypted

public static boolean isEncrypted(String value)

Returns:

true if the given value is encrypted

getKeysFromKeyStore

public static Map<String,SecretKey> getKeysFromKeyStore(String keystorePath,
                                                        char[] keystorePass,
                                                        String keyAlias,
                                                        char[] keyPass)
                                                 throws GeneralSecurityException,
                                                        IOException

Extract secret keys from a keystore looking for keyAlias + algorithm

Parameters:

keystorePath - Path to the keystore

keystorePass - Keystore password

keyAlias - Key alias prefix. It is suffixed with the algorithm.

keyPass - Key password

Throws:

GeneralSecurityException

IOException

See Also:

IMPLEMENTED_ALGOS

setKeyInKeyStore

public static void setKeyInKeyStore(String keystorePath,
                                    char[] keystorePass,
                                    String keyAlias,
                                    char[] keyPass,
                                    SecretKey key)
                             throws GeneralSecurityException,
                                    IOException

Store a key in a keystore.
The keystore is created if it doesn't exist.

Parameters:

keystorePath - Path to the keystore

keystorePass - Keystore password

keyAlias - Key alias prefix. It must be suffixed with the algorithm (Key.getAlgorithm() is fine).

keyPass - Key password

Throws:

GeneralSecurityException

IOException

See Also:

IMPLEMENTED_ALGOS