Class KeyUtils


  • public final class KeyUtils
    extends java.lang.Object
    Utility class for keys
    • Field Detail

      • RSA_ALGORITHM

        public static final java.lang.String RSA_ALGORITHM
        Name of algorithm for RSA keys to be used when calling security provider
        See Also:
        Constant Field Values
      • DEFAULT_RSA_PUBLIC_EXPONENT

        public static final java.math.BigInteger DEFAULT_RSA_PUBLIC_EXPONENT
        The most commonly used RSA public key exponent
      • DSS_ALGORITHM

        public static final java.lang.String DSS_ALGORITHM
        Name of algorithm for DSS keys to be used when calling security provider
        See Also:
        Constant Field Values
      • EC_ALGORITHM

        public static final java.lang.String EC_ALGORITHM
        Name of algorithm for EC keys to be used when calling security provider
        See Also:
        Constant Field Values
      • STRICTLY_PROHIBITED_FILE_PERMISSION

        public static final java.util.Set<java.nio.file.attribute.PosixFilePermission> STRICTLY_PROHIBITED_FILE_PERMISSION
        The Set of PosixFilePermission not allowed if strict permissions are enforced on key files
      • KEY_FINGERPRINT_FACTORY_PROP

        public static final java.lang.String KEY_FINGERPRINT_FACTORY_PROP
        System property that can be used to control the default fingerprint factory used for keys. If not set the DEFAULT_FINGERPRINT_DIGEST_FACTORY is used
        See Also:
        Constant Field Values
      • RSA_SHA512_KEY_TYPE_ALIAS

        public static final java.lang.String RSA_SHA512_KEY_TYPE_ALIAS
        See Also:
        Constant Field Values
      • DEFAULT_DIGEST_HOLDER

        private static final java.util.concurrent.atomic.AtomicReference<DigestFactory> DEFAULT_DIGEST_HOLDER
      • BY_KEY_TYPE_DECODERS_MAP

        private static final java.util.Map<java.lang.String,​PublicKeyEntryDecoder<?,​?>> BY_KEY_TYPE_DECODERS_MAP
      • BY_KEY_CLASS_DECODERS_MAP

        private static final java.util.Map<java.lang.Class<?>,​PublicKeyEntryDecoder<?,​?>> BY_KEY_CLASS_DECODERS_MAP
      • KEY_TYPE_ALIASES

        private static final java.util.Map<java.lang.String,​java.lang.String> KEY_TYPE_ALIASES
    • Constructor Detail

      • KeyUtils

        private KeyUtils()
    • Method Detail

      • validateStrictKeyFilePermissions

        public static java.util.AbstractMap.SimpleImmutableEntry<java.lang.String,​java.lang.Object> validateStrictKeyFilePermissions​(java.nio.file.Path path,
                                                                                                                                           java.nio.file.LinkOption... options)
                                                                                                                                    throws java.io.IOException

        Checks if a path has strict permissions

        • The path may not have PosixFilePermission.OTHERS_EXECUTE permission

        • (For Unix) The path may not have group or others permissions

        • (For Unix) If the path is a file, then its folder may not have group or others permissions

        • The path must be owned by the current user.

        • (For Unix) The path may be owned by root.

        • (For Unix) If the path is a file, then its folder must also have a valid owner.

        Parameters:
        path - The Path to be checked - ignored if null or if it does not exist
        options - The LinkOptions to use to query the file's permissions
        Returns:
        The violated permission as an AbstractMap.SimpleImmutableEntry whose key is a message and whose value is the offending object - a PosixFilePermission, or a String for the owner; null if no violations are detected
        Throws:
        java.io.IOException - If failed to retrieve the permissions
        See Also:
        STRICTLY_PROHIBITED_FILE_PERMISSION
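The following is an added example, not code from this page or from the project itself, showing how a caller would use validateStrictKeyFilePermissions and interpret the returned entry against a constructed key file, first with a weak mode, then with a hardened one, then with a loosened parent folder. It assumes a POSIX file system, that the current user owns the temp directory, and that the class lives in org.apache.sshd.common.config.keys (Apache MINA SSHD; the package is not shown on this page).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.AbstractMap.SimpleImmutableEntry;

import org.apache.sshd.common.config.keys.KeyUtils; // assumed package (Apache MINA SSHD)

public final class StrictKeyFilePermissionsDemo {
    private StrictKeyFilePermissionsDemo() {
        // no instances
    }

    /**
     * Wraps KeyUtils.validateStrictKeyFilePermissions: returns null when the key file
     * (and, on Unix, its parent folder) passes the strict checks, otherwise a readable
     * description of the violation that was reported.
     */
    static String describeViolation(Path keyFile) throws IOException {
        SimpleImmutableEntry<String, Object> violation =
            KeyUtils.validateStrictKeyFilePermissions(keyFile);
        if (violation == null) {
            return null; // no violation (also the case for a null or non-existent path)
        }
        Object offender = violation.getValue();
        // The value is either the offending PosixFilePermission or a String naming the owner
        String detail = (offender instanceof PosixFilePermission)
            ? "offending permission: " + offender
            : "offending owner: " + offender;
        return violation.getKey() + " [" + detail + "]";
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a placeholder key file inside a private (0700) temp folder,
        // so the parent-folder rule is satisfied and only the file's mode varies at first.
        Path dir = Files.createTempDirectory("strict-key-perms");
        Files.setPosixFilePermissions(dir, PosixFilePermissions.fromString("rwx------"));
        Path keyFile = dir.resolve("id_demo");
        Files.write(keyFile,
            "placeholder private key material (constructed, not a real key)\n"
                .getBytes(StandardCharsets.UTF_8));
        try {
            // Weak setting: 0644 leaves the key readable by group and others
            Files.setPosixFilePermissions(keyFile, PosixFilePermissions.fromString("rw-r--r--"));
            System.out.println("0644 -> " + describeViolation(keyFile)); // a violation is reported

            // Hardened setting: 0600, readable and writable by the owner only
            Files.setPosixFilePermissions(keyFile, PosixFilePermissions.fromString("rw-------"));
            System.out.println("0600 -> " + describeViolation(keyFile)); // null

            // Loosening only the parent folder trips the (Unix) folder rule for a file path
            Files.setPosixFilePermissions(dir, PosixFilePermissions.fromString("rwxr-x---"));
            System.out.println("0600 in a 0750 folder -> " + describeViolation(keyFile));
        } finally {
            Files.deleteIfExists(keyFile);
            Files.setPosixFilePermissions(dir, PosixFilePermissions.fromString("rwx------"));
            Files.deleteIfExists(dir);
        }
    }
}
```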
      • generateKeyPair

        public static java.security.KeyPair generateKeyPair​(java.lang.String keyType,
                                                            int keySize)
                                                     throws java.security.GeneralSecurityException
        Parameters:
        keyType - The key type - OpenSSH name - e.g., ssh-rsa, ssh-dss
        keySize - The key size (in bits)
        Returns:
        A KeyPair of the specified type and size
        Throws:
        java.security.GeneralSecurityException - If failed to generate the key pair
        See Also:
        getPublicKeyEntryDecoder(String), KeyEntryResolver.generateKeyPair(int)
      • cloneKeyPair

        public static java.security.KeyPair cloneKeyPair​(java.lang.String keyType,
                                                         java.security.KeyPair kp)
                                                  throws java.security.GeneralSecurityException
        Performs a deep-clone of the original KeyPair - i.e., creates new public/private keys that are clones of the original one
        Parameters:
        keyType - The key type - OpenSSH name - e.g., ssh-rsa, ssh-dss
        kp - The KeyPair to clone - ignored if null
        Returns:
        The cloned instance
        Throws:
        java.security.GeneralSecurityException - If failed to clone the pair
      • registerPublicKeyEntryDecoderForKeyType

        public static PublicKeyEntryDecoder<?,​?> registerPublicKeyEntryDecoderForKeyType​(java.lang.String keyType,
                                                                                               PublicKeyEntryDecoder<?,​?> decoder)
        Parameters:
        keyType - The (never null/empty) key type
        decoder - The (never null) decoder to register
        Returns:
        The previously registered decoder for this key type - null if none
      • unregisterPublicKeyEntryDecoderKeyTypes

        public static java.util.NavigableSet<java.lang.String> unregisterPublicKeyEntryDecoderKeyTypes​(PublicKeyEntryDecoder<?,​?> decoder)
        Unregisters the specified decoder for all the types it supports
        Parameters:
        decoder - The (never null) decoder to unregister
        Returns:
        The case-insensitive NavigableSet of all the key types, out of the supported ones, that were actually unregistered.
        See Also:
        unregisterPublicKeyEntryDecoderForKeyType(String)
      • unregisterPublicKeyEntryDecoderForKeyType

        public static PublicKeyEntryDecoder<?,​?> unregisterPublicKeyEntryDecoderForKeyType​(java.lang.String keyType)
        Unregisters the decoder registered for the specified key type
        Parameters:
        keyType - The (never null/empty) key type
        Returns:
        The unregistered PublicKeyEntryDecoder - null if none registered for this key type
      • getPublicKeyEntryDecoder

        public static PublicKeyEntryDecoder<?,​?> getPublicKeyEntryDecoder​(java.lang.String keyType)
        Parameters:
        keyType - The OpenSSH key type string - e.g., ssh-rsa, ssh-dss - ignored if null/empty
        Returns:
        The registered PublicKeyEntryDecoder or null if not found
      • getPublicKeyEntryDecoder

        public static PublicKeyEntryDecoder<?,​?> getPublicKeyEntryDecoder​(java.security.KeyPair kp)
        Parameters:
        kp - The KeyPair to examine - ignored if null
        Returns:
        The matching PublicKeyEntryDecoder provided both the public and private keys have the same decoder - null if no match found
        See Also:
        getPublicKeyEntryDecoder(Key)
      • getPublicKeyEntryDecoder

        public static PublicKeyEntryDecoder<?,​?> getPublicKeyEntryDecoder​(java.lang.Class<?> keyType)
        Parameters:
        keyType - The key Class - ignored if null or not a Key compatible type
        Returns:
        The registered PublicKeyEntryDecoder or null if no match found
      • setDefaultFingerPrintFactory

        public static void setDefaultFingerPrintFactory​(DigestFactory f)
        Parameters:
        f - The DigestFactory of Digests to be used - may not be null
      • getFingerPrint

        public static java.lang.String getFingerPrint​(java.security.PublicKey key)
        Parameters:
        key - the public key - ignored if null
        Returns:
        the fingerprint, or null if no key. Note: if an exception is encountered, the exception's simple class name is returned
        See Also:
        getFingerPrint(Factory, PublicKey)
      • getFingerPrint

        public static java.lang.String getFingerPrint​(java.lang.String password)
        Parameters:
        password - The String to digest - ignored if null/empty, otherwise its UTF-8 representation is used as input for the fingerprint
        Returns:
        The fingerprint - null if null/empty input. Note: if an exception is encountered, the exception's simple class name is returned
        See Also:
        getFingerPrint(String, Charset)
      • getFingerPrint

        public static java.lang.String getFingerPrint​(java.lang.String password,
                                                      java.nio.charset.Charset charset)
        Parameters:
        password - The String to digest - ignored if null/empty
        charset - The Charset to use in order to convert the string to its byte representation to use as input for the fingerprint
        Returns:
        The fingerprint - null if null/empty input. Note: if an exception is encountered, the exception's simple class name is returned
        See Also:
        getFingerPrint(Factory, String, Charset), getDefaultFingerPrintFactory()
      • getFingerPrint

        public static java.lang.String getFingerPrint​(Factory<? extends Digest> f,
                                                      java.security.PublicKey key)
        Parameters:
        f - The Factory to create the Digest to use
        key - the public key - ignored if null
        Returns:
        the fingerprint, or null if no key. Note: if an exception is encountered, the exception's simple class name is returned
        See Also:
        getFingerPrint(Digest, PublicKey)
      • getFingerPrint

        public static java.lang.String getFingerPrint​(Digest d,
                                                      java.security.PublicKey key)
        Parameters:
        d - The Digest to use
        key - the public key - ignored if null
        Returns:
        the fingerprint, or null if no key. Note: if an exception is encountered, the exception's simple class name is returned
        See Also:
        DigestUtils.getFingerPrint(Digest, byte[], int, int)
      • getRawFingerprint

        public static byte[] getRawFingerprint​(java.security.PublicKey key)
                                        throws java.lang.Exception
        Throws:
        java.lang.Exception
      • getRawFingerprint

        public static byte[] getRawFingerprint​(Factory<? extends Digest> f,
                                               java.security.PublicKey key)
                                        throws java.lang.Exception
        Throws:
        java.lang.Exception
      • getRawFingerprint

        public static byte[] getRawFingerprint​(Digest d,
                                               java.security.PublicKey key)
                                        throws java.lang.Exception
        Throws:
        java.lang.Exception
      • getFingerPrint

        public static java.lang.String getFingerPrint​(Factory<? extends Digest> f,
                                                      java.lang.String s)
        Parameters:
        f - The Factory to create the Digest to use
        s - The String to digest - ignored if null/empty, otherwise its UTF-8 representation is used as input for the fingerprint
        Returns:
        The fingerprint - null if null/empty input. Note: if an exception is encountered, the exception's simple class name is returned
        See Also:
        getFingerPrint(Digest, String, Charset)
      • getFingerPrint

        public static java.lang.String getFingerPrint​(Factory<? extends Digest> f,
                                                      java.lang.String s,
                                                      java.nio.charset.Charset charset)
        Parameters:
        f - The Factory to create the Digest to use
        s - The String to digest - ignored if null/empty
        charset - The Charset to use in order to convert the string to its byte representation to use as input for the fingerprint
        Returns:
        The fingerprint - null if null/empty input. Note: if an exception is encountered, the exception's simple class name is returned
        See Also:
        DigestUtils.getFingerPrint(Digest, String, Charset)
      • getFingerPrint

        public static java.lang.String getFingerPrint​(Digest d,
                                                      java.lang.String s)
        Parameters:
        d - The Digest to use
        s - The String to digest - ignored if null/empty, otherwise its UTF-8 representation is used as input for the fingerprint
        Returns:
        The fingerprint - null if null/empty input. Note: if an exception is encountered, the exception's simple class name is returned
        See Also:
        DigestUtils.getFingerPrint(Digest, String, Charset)
      • getFingerPrint

        public static java.lang.String getFingerPrint​(Digest d,
                                                      java.lang.String s,
                                                      java.nio.charset.Charset charset)
        Parameters:
        d - The Digest to use to calculate the fingerprint
        s - The string to digest - ignored if null/empty
        charset - The Charset to use in order to convert the string to its byte representation to use as input for the fingerprint
        Returns:
        The fingerprint - null if null/empty input. Note: if an exception is encountered, the exception's simple class name is returned
        See Also:
        DigestUtils.getFingerPrint(Digest, String, Charset)
      • checkFingerPrint

        public static java.util.AbstractMap.SimpleImmutableEntry<java.lang.Boolean,​java.lang.String> checkFingerPrint​(java.lang.String expected,
                                                                                                                            java.security.PublicKey key)
        Parameters:
        expected - The expected fingerprint - if null or empty, a failure is returned carrying the key's default fingerprint.
        key - the PublicKey - if null then returns null.
        Returns:
        SimpleImmutableEntry - key is success indicator, value is actual fingerprint, null if no key.
        See Also:
        getDefaultFingerPrintFactory(), checkFingerPrint(String, Factory, PublicKey)
      • checkFingerPrint

        public static java.util.AbstractMap.SimpleImmutableEntry<java.lang.Boolean,​java.lang.String> checkFingerPrint​(java.lang.String expected,
                                                                                                                            Factory<? extends Digest> f,
                                                                                                                            java.security.PublicKey key)
        Parameters:
        expected - The expected fingerprint - if null or empty, a failure is returned carrying the key's default fingerprint.
        f - The Factory to be used to generate the default Digest for the key
        key - the PublicKey - if null then returns null.
        Returns:
        SimpleImmutableEntry - key is success indicator, value is actual fingerprint, null if no key.
      • checkFingerPrint

        public static java.util.AbstractMap.SimpleImmutableEntry<java.lang.Boolean,​java.lang.String> checkFingerPrint​(java.lang.String expected,
                                                                                                                            Digest d,
                                                                                                                            java.security.PublicKey key)
        Parameters:
        expected - The expected fingerprint - if null or empty, a failure is returned carrying the key's default fingerprint.
        d - The Digest to be used to generate the default fingerprint for the key
        key - the PublicKey - if null then returns null.
        Returns:
        SimpleImmutableEntry - key is success indicator, value is actual fingerprint, null if no key.
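An added example (not code from this page or from the project) of a fail-closed fingerprint pinning check built on checkFingerPrint, covering each branch of its return contract: a matching key, a different key, a null key, and an empty expected value. It assumes the class lives in org.apache.sshd.common.config.keys (Apache MINA SSHD; the package is not shown on this page) and that the default fingerprint factory is in effect; both key pairs are generated in the example and stand in for a trusted key and an unexpected one.

```java
import java.security.KeyPair;
import java.security.PublicKey;
import java.util.AbstractMap.SimpleImmutableEntry;

import org.apache.sshd.common.config.keys.KeyUtils; // assumed package (Apache MINA SSHD)

public final class FingerprintPinningDemo {
    private FingerprintPinningDemo() {
        // no instances
    }

    /**
     * Accepts the presented key only when its fingerprint (computed with the default
     * digest factory) equals the pinned value. Returns false rather than throwing for a
     * null key, a missing pin, or a mismatch, so callers fail closed by default.
     */
    static boolean matchesPinnedFingerprint(String pinned, PublicKey presented) {
        SimpleImmutableEntry<Boolean, String> result =
            KeyUtils.checkFingerPrint(pinned, presented);
        if (result == null) {
            System.err.println("no key presented"); // null key -> null entry
            return false;
        }
        if (!result.getKey()) {
            // The value is the key's actual fingerprint; record it for the audit trail
            System.err.println("fingerprint mismatch: expected=" + pinned
                + " actual=" + result.getValue());
            return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed keys: one treated as trusted, one standing in for an unexpected key
        KeyPair trusted = KeyUtils.generateKeyPair("ssh-rsa", 2048);
        KeyPair other = KeyUtils.generateKeyPair("ssh-rsa", 2048);

        // The value an operator would record out of band and pin in configuration
        String pin = KeyUtils.getFingerPrint(trusted.getPublic());
        System.out.println("pinned " + KeyUtils.getKeyType(trusted) + " fingerprint: " + pin);

        System.out.println("trusted key accepted: "
            + matchesPinnedFingerprint(pin, trusted.getPublic())); // true
        System.out.println("other key accepted:   "
            + matchesPinnedFingerprint(pin, other.getPublic()));   // false, mismatch logged
        System.out.println("null key accepted:    "
            + matchesPinnedFingerprint(pin, null));                // false, no entry returned
        // An empty pin yields a failure entry whose value is the key's actual fingerprint
        System.out.println("empty pin accepted:   "
            + matchesPinnedFingerprint("", trusted.getPublic()));  // false
    }
}
```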
      • getKeyType

        public static java.lang.String getKeyType​(java.security.KeyPair kp)
        Parameters:
        kp - a key pair - ignored if null. If the private key is non-null then it is used to determine the type, otherwise the public one is used.
        Returns:
        the key type, or null if it cannot be determined
        See Also:
        getKeyType(Key)
      • getKeyType

        public static java.lang.String getKeyType​(java.security.Key key)
        Parameters:
        key - a public or private key
        Returns:
        the key type, or null if it cannot be determined
      • getAllEquivalentKeyTypes

        public static java.util.List<java.lang.String> getAllEquivalentKeyTypes​(java.lang.String keyType)
        Parameters:
        keyType - A key type name - ignored if null/empty
        Returns:
        A List of the canonical key name and all its aliases
        See Also:
        getCanonicalKeyType(String)
      • getCanonicalKeyType

        public static java.lang.String getCanonicalKeyType​(java.lang.String keyType)
        Parameters:
        keyType - The available key-type - ignored if null/empty
        Returns:
        The canonical key type - same as input if no alias registered for the provided key type
        See Also:
        RSA_SHA256_KEY_TYPE_ALIAS, RSA_SHA512_KEY_TYPE_ALIAS
      • getRegisteredKeyTypeAliases

        public static java.util.NavigableSet<java.lang.String> getRegisteredKeyTypeAliases()
        Returns:
        A case insensitive NavigableSet of the currently registered key type "aliases".
        See Also:
        getCanonicalKeyType(String)
      • registerCanonicalKeyTypes

        public static java.util.List<java.lang.String> registerCanonicalKeyTypes​(java.lang.String keyType,
                                                                                 java.util.Collection<java.lang.String> aliases)
        Registers a collection of aliases to a canonical key type
        Parameters:
        keyType - The (never null/empty) canonical name
        aliases - The (never null/empty) aliases
        Returns:
        A List of the replaced aliases - empty if no previous aliases for the canonical name
      • unregisterCanonicalKeyTypeAlias

        public static java.lang.String unregisterCanonicalKeyTypeAlias​(java.lang.String alias)
        Parameters:
        alias - The alias to unregister (ignored if null/empty)
        Returns:
        The associated canonical key type - null if alias not registered
      • getKeySize

        public static int getKeySize​(java.security.Key key)
        Determines the key size in bits
        Parameters:
        key - The Key to examine - ignored if null
        Returns:
        The key size - a non-positive value if it cannot be determined
      • findMatchingKey

        public static java.security.PublicKey findMatchingKey​(java.security.PublicKey key,
                                                              java.security.PublicKey... keySet)
        Parameters:
        key - The PublicKey to be checked - ignored if null
        keySet - The keys to be searched - ignored if null/empty
        Returns:
        The matching PublicKey from the keys or null if no match found
        See Also:
        compareKeys(PublicKey, PublicKey)
      • findMatchingKey

        public static java.security.PublicKey findMatchingKey​(java.security.PublicKey key,
                                                              java.util.Collection<? extends java.security.PublicKey> keySet)
        Parameters:
        key - The PublicKey to be checked - ignored if null
        keySet - The keys to be searched - ignored if null/empty
        Returns:
        The matching PublicKey from the keys or null if no match found
        See Also:
        compareKeys(PublicKey, PublicKey)
      • compareKeyPairs

        public static boolean compareKeyPairs​(java.security.KeyPair k1,
                                              java.security.KeyPair k2)
      • compareKeys

        public static boolean compareKeys​(java.security.PublicKey k1,
                                          java.security.PublicKey k2)
      • recoverPublicKey

        public static java.security.PublicKey recoverPublicKey​(java.security.PrivateKey key)
                                                        throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException
      • compareKeys

        public static boolean compareKeys​(java.security.PrivateKey k1,
                                          java.security.PrivateKey k2)
      • compareRSAKeys

        public static boolean compareRSAKeys​(java.security.interfaces.RSAPublicKey k1,
                                             java.security.interfaces.RSAPublicKey k2)
      • compareRSAKeys

        public static boolean compareRSAKeys​(java.security.interfaces.RSAPrivateKey k1,
                                             java.security.interfaces.RSAPrivateKey k2)
      • recoverRSAPublicKey

        public static java.security.interfaces.RSAPublicKey recoverRSAPublicKey​(java.security.interfaces.RSAPrivateKey privateKey)
                                                                         throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException
      • recoverFromRSAPrivateCrtKey

        public static java.security.interfaces.RSAPublicKey recoverFromRSAPrivateCrtKey​(java.security.interfaces.RSAPrivateCrtKey rsaKey)
                                                                                 throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException
      • recoverRSAPublicKey

        public static java.security.interfaces.RSAPublicKey recoverRSAPublicKey​(java.math.BigInteger p,
                                                                                java.math.BigInteger q,
                                                                                java.math.BigInteger publicExponent)
                                                                         throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException
      • recoverRSAPublicKey

        public static java.security.interfaces.RSAPublicKey recoverRSAPublicKey​(java.math.BigInteger modulus,
                                                                                java.math.BigInteger publicExponent)
                                                                         throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException
      • compareDSAKeys

        public static boolean compareDSAKeys​(java.security.interfaces.DSAPublicKey k1,
                                             java.security.interfaces.DSAPublicKey k2)
      • compareDSAKeys

        public static boolean compareDSAKeys​(java.security.interfaces.DSAPrivateKey k1,
                                             java.security.interfaces.DSAPrivateKey k2)
      • compareDSAParams

        public static boolean compareDSAParams​(java.security.interfaces.DSAParams p1,
                                               java.security.interfaces.DSAParams p2)
      • recoverDSAPublicKey

        public static java.security.interfaces.DSAPublicKey recoverDSAPublicKey​(java.security.interfaces.DSAPrivateKey privateKey)
                                                                         throws java.security.GeneralSecurityException
        Throws:
        java.security.GeneralSecurityException
      • compareECKeys

        public static boolean compareECKeys​(java.security.interfaces.ECPrivateKey k1,
                                            java.security.interfaces.ECPrivateKey k2)
      • compareECKeys

        public static boolean compareECKeys​(java.security.interfaces.ECPublicKey k1,
                                            java.security.interfaces.ECPublicKey k2)
      • compareECParams

        public static boolean compareECParams​(java.security.spec.ECParameterSpec s1,
                                              java.security.spec.ECParameterSpec s2)