org.xdi.oxauth.model.crypto.OxAuthCryptoProvider の継承関係図

org.xdi.oxauth.model.crypto.OxAuthCryptoProvider 連携図

公開メンバ関数
	OxAuthCryptoProvider () throws Exception

	OxAuthCryptoProvider (String keyStoreFile, String keyStoreSecret, String dnName) throws Exception

JSONObject	generateKey (SignatureAlgorithm signatureAlgorithm, Long expirationTime) throws Exception

String	sign (String signingInput, String alias, String sharedSecret, SignatureAlgorithm signatureAlgorithm) throws Exception

boolean	verifySignature (String signingInput, String encodedSignature, String alias, JSONObject jwks, String sharedSecret, SignatureAlgorithm signatureAlgorithm) throws Exception

boolean	deleteKey (String alias) throws Exception

PublicKey	getPublicKey (String alias)

PrivateKey	getPrivateKey (String alias) throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException

X509Certificate	generateV3Certificate (KeyPair keyPair, String issuer, String signatureAlgorithm, Long expirationTime) throws CertIOException, OperatorCreationException, CertificateException

List< String >	getKeyAliases () throws KeyStoreException

SignatureAlgorithm	getSignatureAlgorithm (String alias) throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException

String	getKeyId (JSONWebKeySet jsonWebKeySet, SignatureAlgorithm signatureAlgorithm, Use use) throws Exception

JwksRequestParam	getJwksRequestParam (JSONObject jwkJsonObject) throws JSONException

PublicKey	getPublicKey (String alias, JSONObject jwks) throws Exception

静的公開メンバ関数
static JSONObject	generateJwks (int keyRegenerationInterval, int idTokenLifeTime, AppConfiguration configuration) throws Exception

限定公開メンバ関数
void	checkKeyExpiration (String alias, Long expirationTime)

非公開メンバ関数
String	getJWKSValue (JSONObject jwks, String node) throws JSONException

void	checkKeyExpiration (String alias)

非公開変数類
KeyStore	keyStore

String	keyStoreFile

String	keyStoreSecret

String	dnName

静的非公開変数類
static final Logger	LOG = Logger.getLogger(OxAuthCryptoProvider.class)

詳解

著者: Javier Rojas Blum; Yuriy Movchan

バージョン: September 10, 2018

構築子と解体子

◆ OxAuthCryptoProvider() [1/2]

org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.OxAuthCryptoProvider ( ) throws Exception

inline

                                                    {
         this(null, null, null);
     }

◆ OxAuthCryptoProvider() [2/2]

org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.OxAuthCryptoProvider	(	String	keyStoreFile,
		String	keyStoreSecret,
		String	dnName
	)		throws Exception

inline

                                                                                                             {
         if (!Util.isNullOrEmpty(keyStoreFile) && !Util.isNullOrEmpty(keyStoreSecret) /* && !Util.isNullOrEmpty(dnName) */) {
             this.keyStoreFile = keyStoreFile;
             this.keyStoreSecret = keyStoreSecret;
             this.dnName = dnName;
 
             keyStore = KeyStore.getInstance("JKS");
             try {
                 File f = new File(keyStoreFile);
                 if (!f.exists()) {
                     keyStore.load(null, keyStoreSecret.toCharArray());
                     FileOutputStream fos = new FileOutputStream(keyStoreFile);
                     keyStore.store(fos, keyStoreSecret.toCharArray());
                     fos.close();
                 }
                 final InputStream is = new FileInputStream(keyStoreFile);
                 keyStore.load(is, keyStoreSecret.toCharArray());
             } catch (Exception e) {
                 LOG.error(e.getMessage(), e);
             }
         }
     }

関数詳解

◆ checkKeyExpiration() [1/2]

void org.xdi.oxauth.model.crypto.AbstractCryptoProvider.checkKeyExpiration	(	String	alias,
		Long	expirationTime
	)

inlineprotectedinherited

                                                                          {
         try {
             Date expirationDate = new Date(expirationTime);
             SimpleDateFormat ft = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
             Date today = new Date();
             long DateDiff = expirationTime - today.getTime();
             long expiresIn = DateDiff / (24 * 60 * 60 * 1000);
             if (expiresIn <= 0) {
                 LOG.warn("\nWARNING! Expired Key with alias: " + alias
                         + "\n\tExpires On: " + ft.format(expirationDate)
                         + "\n\tToday's Date: " + ft.format(today));
             } else if (expiresIn <= 100) {
                 LOG.warn("\nWARNING! Key with alias: " + alias
                         + "\n\tExpires In: " + expiresIn + " days"
                         + "\n\tExpires On: " + ft.format(expirationDate)
                         + "\n\tToday's Date: " + ft.format(today));
             }
         } catch (Exception e) {
             e.printStackTrace();
         }
     }

◆ checkKeyExpiration() [2/2]

void org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.checkKeyExpiration ( String alias )

inlineprivate

                                                   {
         try {
             Date expirationDate = ((X509Certificate) keyStore.getCertificate(alias)).getNotAfter();
             checkKeyExpiration(alias, expirationDate.getTime());
         } catch (KeyStoreException e) {
             e.printStackTrace();
         }
     }

◆ deleteKey()

boolean org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.deleteKey ( String alias ) throws Exception

inline

                                                             {
         keyStore.deleteEntry(alias);
         FileOutputStream stream = new FileOutputStream(keyStoreFile);
         keyStore.store(stream, keyStoreSecret.toCharArray());
         return true;
     }

◆ generateJwks()

static JSONObject org.xdi.oxauth.model.crypto.AbstractCryptoProvider.generateJwks	(	int	keyRegenerationInterval,
		int	idTokenLifeTime,
		AppConfiguration	configuration
	)		throws Exception

inlinestaticinherited

                                                                                                                                              {
         JSONArray keys = new JSONArray();
 
         GregorianCalendar expirationTime = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
         expirationTime.add(GregorianCalendar.HOUR, keyRegenerationInterval);
         expirationTime.add(GregorianCalendar.SECOND, idTokenLifeTime);
 
         AbstractCryptoProvider cryptoProvider = CryptoProviderFactory.getCryptoProvider(configuration);
 
         try {
             keys.put(cryptoProvider.generateKey(SignatureAlgorithm.RS256, expirationTime.getTimeInMillis()));
         } catch (Exception ex) {
         }
 
         try {
             keys.put(cryptoProvider.generateKey(SignatureAlgorithm.RS384, expirationTime.getTimeInMillis()));
         } catch (Exception ex) {
         }
 
         try {
             keys.put(cryptoProvider.generateKey(SignatureAlgorithm.RS512, expirationTime.getTimeInMillis()));
         } catch (Exception ex) {
         }
 
         try {
             keys.put(cryptoProvider.generateKey(SignatureAlgorithm.ES256, expirationTime.getTimeInMillis()));
         } catch (Exception ex) {
         }
 
         try {
             keys.put(cryptoProvider.generateKey(SignatureAlgorithm.ES384, expirationTime.getTimeInMillis()));
         } catch (Exception ex) {
         }
 
         try {
             keys.put(cryptoProvider.generateKey(SignatureAlgorithm.ES512, expirationTime.getTimeInMillis()));
         } catch (Exception ex) {
         }
 
         JSONObject jsonObject = new JSONObject();
         jsonObject.put(JSON_WEB_KEY_SET, keys);
 
         return jsonObject;
     }

◆ generateKey()

JSONObject org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.generateKey	(	SignatureAlgorithm	signatureAlgorithm,
		Long	expirationTime
	)		throws Exception

inline

                                                                                                                {
 
         KeyPairGenerator keyGen = null;
 
         if (signatureAlgorithm == null) {
             throw new RuntimeException("The signature algorithm parameter cannot be null");
         } else if (SignatureAlgorithmFamily.RSA.equals(signatureAlgorithm.getFamily())) {
             keyGen = KeyPairGenerator.getInstance(signatureAlgorithm.getFamily().toString(), "BC");
             keyGen.initialize(2048, new SecureRandom());
         } else if (SignatureAlgorithmFamily.EC.equals(signatureAlgorithm.getFamily())) {
             ECGenParameterSpec eccgen = new ECGenParameterSpec(signatureAlgorithm.getCurve().getAlias());
             keyGen = KeyPairGenerator.getInstance(signatureAlgorithm.getFamily().toString(), "BC");
             keyGen.initialize(eccgen, new SecureRandom());
         } else {
             throw new RuntimeException("The provided signature algorithm parameter is not supported");
         }
 
         // Generate the key
         KeyPair keyPair = keyGen.generateKeyPair();
         java.security.PrivateKey pk = keyPair.getPrivate();
 
         // Java API requires a certificate chain
         X509Certificate cert = generateV3Certificate(keyPair, dnName, signatureAlgorithm.getAlgorithm(), expirationTime);
         X509Certificate[] chain = new X509Certificate[1];
         chain[0] = cert;
 
         String alias = UUID.randomUUID().toString();
 
         keyStore.setKeyEntry(alias, pk, keyStoreSecret.toCharArray(), chain);
         FileOutputStream stream = new FileOutputStream(keyStoreFile);
         keyStore.store(stream, keyStoreSecret.toCharArray());
 
         PublicKey publicKey = keyPair.getPublic();
 
         JSONObject jsonObject = new JSONObject();
         jsonObject.put(KEY_TYPE, signatureAlgorithm.getFamily());
         jsonObject.put(KEY_ID, alias);
         jsonObject.put(KEY_USE, Use.SIGNATURE);
         jsonObject.put(ALGORITHM, signatureAlgorithm.getName());
         jsonObject.put(EXPIRATION_TIME, expirationTime);
         if (publicKey instanceof RSAPublicKey) {
             RSAPublicKey rsaPublicKey = (RSAPublicKey) publicKey;
             jsonObject.put(MODULUS, Base64Util.base64urlencodeUnsignedBigInt(rsaPublicKey.getModulus()));
             jsonObject.put(EXPONENT, Base64Util.base64urlencodeUnsignedBigInt(rsaPublicKey.getPublicExponent()));
         } else if (publicKey instanceof ECPublicKey) {
             ECPublicKey ecPublicKey = (ECPublicKey) publicKey;
             jsonObject.put(CURVE, signatureAlgorithm.getCurve());
             jsonObject.put(X, Base64Util.base64urlencodeUnsignedBigInt(ecPublicKey.getW().getAffineX()));
             jsonObject.put(Y, Base64Util.base64urlencodeUnsignedBigInt(ecPublicKey.getW().getAffineY()));
         }
         JSONArray x5c = new JSONArray();
         x5c.put(Base64.encodeBase64String(cert.getEncoded()));
         jsonObject.put(CERTIFICATE_CHAIN, x5c);
 
         return jsonObject;
     }

◆ generateV3Certificate()

X509Certificate org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.generateV3Certificate	(	KeyPair	keyPair,
		String	issuer,
		String	signatureAlgorithm,
		Long	expirationTime
	)		throws CertIOException, OperatorCreationException, CertificateException

inline

                                                                                                                                                                                                          {
         PrivateKey privateKey = keyPair.getPrivate();
         PublicKey publicKey = keyPair.getPublic();
 
         // Signers name
         X500Name issuerName = new X500Name(issuer);
 
         // Subjects name - the same as we are self signed.
         X500Name subjectName = new X500Name(issuer);
 
         // Serial
         BigInteger serial = new BigInteger(256, new SecureRandom());
 
         // Not before
         Date notBefore = new Date(System.currentTimeMillis() - 10000);
         Date notAfter = new Date(expirationTime);
 
         // Create the certificate - version 3
         JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(issuerName, serial, notBefore, notAfter, subjectName, publicKey);
 
         ASN1EncodableVector purposes = new ASN1EncodableVector();
         purposes.add(KeyPurposeId.id_kp_serverAuth);
         purposes.add(KeyPurposeId.id_kp_clientAuth);
         purposes.add(KeyPurposeId.anyExtendedKeyUsage);
 
         ASN1ObjectIdentifier extendedKeyUsage = new ASN1ObjectIdentifier("2.5.29.37").intern();
         builder.addExtension(extendedKeyUsage, false, new DERSequence(purposes));
 
         ContentSigner signer = new JcaContentSignerBuilder(signatureAlgorithm).setProvider("BC").build(privateKey);
         X509CertificateHolder holder = builder.build(signer);
         X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(holder);
 
         return cert;
     }

◆ getJwksRequestParam()

JwksRequestParam org.xdi.oxauth.model.crypto.AbstractCryptoProvider.getJwksRequestParam ( JSONObject jwkJsonObject ) throws JSONException

inlineinherited

                                                                                                {
         JwksRequestParam jwks = new JwksRequestParam();
         jwks.setKeyRequestParams(new ArrayList<KeyRequestParam>());
 
         KeyRequestParam key = new KeyRequestParam();
         key.setAlg(jwkJsonObject.getString(ALGORITHM));
         key.setKid(jwkJsonObject.getString(KEY_ID));
         key.setUse(jwkJsonObject.getString(KEY_USE));
         key.setKty(jwkJsonObject.getString(KEY_TYPE));
 
         key.setN(jwkJsonObject.optString(MODULUS));
         key.setE(jwkJsonObject.optString(EXPONENT));
 
         key.setCrv(jwkJsonObject.optString(CURVE));
         key.setX(jwkJsonObject.optString(X));
         key.setY(jwkJsonObject.optString(Y));
 
         jwks.getKeyRequestParams().add(key);
 
         return jwks;
     }

◆ getJWKSValue()

String org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.getJWKSValue	(	JSONObject	jwks,
		String	node
	)		throws JSONException

inlineprivate

                                                                                    {
         try {
             return jwks.getString(node);
         } catch (Exception ex) {
             JSONObject publicKey = jwks.getJSONObject(PUBLIC_KEY);
             return publicKey.getString(node);
         }
     }

◆ getKeyAliases()

List<String> org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.getKeyAliases ( ) throws KeyStoreException

inline

                                                                  {
         return Collections.list(this.keyStore.aliases());
     }

◆ getKeyId()

String org.xdi.oxauth.model.crypto.AbstractCryptoProvider.getKeyId	(	JSONWebKeySet	jsonWebKeySet,
		SignatureAlgorithm	signatureAlgorithm,
		Use	use
	)		throws Exception

inlineinherited

                                                                                                                          {
         for (JSONWebKey key : jsonWebKeySet.getKeys()) {
             if (signatureAlgorithm == key.getAlg() && (use == null || use == key.getUse())) {
                 return key.getKid();
             }
         }
 
         return null;
     }

◆ getPrivateKey()

PrivateKey org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.getPrivateKey ( String alias ) throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException

inline

                                                                                           {
         if (Util.isNullOrEmpty(alias)) {
             return null;
         }
 
         Key key = keyStore.getKey(alias, keyStoreSecret.toCharArray());
         if (key == null) {
             return null;
         }
         PrivateKey privateKey = (PrivateKey) key;
 
         checkKeyExpiration(alias);
 
         return privateKey;
     }

◆ getPublicKey() [1/2]

PublicKey org.xdi.oxauth.model.crypto.AbstractCryptoProvider.getPublicKey	(	String	alias,
		JSONObject	jwks
	)		throws Exception

inlineinherited

                                                                                   {
         java.security.PublicKey publicKey = null;
 
         JSONArray webKeys = jwks.getJSONArray(JSON_WEB_KEY_SET);
         for (int i = 0; i < webKeys.length(); i++) {
             JSONObject key = webKeys.getJSONObject(i);
             if (alias.equals(key.getString(KEY_ID))) {
                 SignatureAlgorithmFamily family = null;
                 if (key.has(ALGORITHM)) {
                     SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.fromString(key.optString(ALGORITHM));
                     family = signatureAlgorithm.getFamily();
                 } else if (key.has(KEY_TYPE)) {
                     family = SignatureAlgorithmFamily.fromString(key.getString(KEY_TYPE));
                 }
 
                 if (SignatureAlgorithmFamily.RSA.equals(family)) {
                     publicKey = new RSAPublicKeyImpl(
                             new BigInteger(1, Base64Util.base64urldecode(key.getString(MODULUS))),
                             new BigInteger(1, Base64Util.base64urldecode(key.getString(EXPONENT))));
                 } else if (SignatureAlgorithmFamily.EC.equals(family)) {
                     ECEllipticCurve curve = ECEllipticCurve.fromString(key.optString(CURVE));
                     AlgorithmParameters parameters = AlgorithmParameters.getInstance(SignatureAlgorithmFamily.EC.toString());
                     parameters.init(new ECGenParameterSpec(curve.getAlias()));
                     ECParameterSpec ecParameters = parameters.getParameterSpec(ECParameterSpec.class);
 
                     publicKey = KeyFactory.getInstance(SignatureAlgorithmFamily.EC.toString()).generatePublic(new ECPublicKeySpec(
                             new ECPoint(
                                     new BigInteger(1, Base64Util.base64urldecode(key.getString(X))),
                                     new BigInteger(1, Base64Util.base64urldecode(key.getString(Y)))
                             ), ecParameters));
                 }
 
                 if (key.has(EXPIRATION_TIME)) {
                     checkKeyExpiration(alias, key.getLong(EXPIRATION_TIME));
                 }
             }
         }
 
         return publicKey;
     }

◆ getPublicKey() [2/2]

PublicKey org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.getPublicKey ( String alias )

inline

                                                 {
         PublicKey publicKey = null;
 
         try {
             if (Util.isNullOrEmpty(alias)) {
                 return null;
             }
 
             java.security.cert.Certificate certificate = keyStore.getCertificate(alias);
             if (certificate == null) {
                 return null;
             }
             publicKey = certificate.getPublicKey();
 
             checkKeyExpiration(alias);
         } catch (KeyStoreException e) {
             e.printStackTrace();
         }
 
         return publicKey;
     }

◆ getSignatureAlgorithm()

SignatureAlgorithm org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.getSignatureAlgorithm ( String alias ) throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException

inline

                                                                                                                                                 {
         Certificate[] chain = keyStore.getCertificateChain(alias);
         if ((chain == null) || chain.length == 0) {
             return null;
         }
 
         X509Certificate cert = (X509Certificate) chain[0];
 
         String sighAlgName = cert.getSigAlgName();
 
         for (SignatureAlgorithm sa : SignatureAlgorithm.values()) {
             if (sighAlgName.equalsIgnoreCase(sa.getAlgorithm())) {
                 return sa;
             }
         }
 
         return null;
     }

◆ sign()

String org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.sign	(	String	signingInput,
		String	alias,
		String	sharedSecret,
		SignatureAlgorithm	signatureAlgorithm
	)		throws Exception

inline

                                                                                                                                        {
         if (signatureAlgorithm == SignatureAlgorithm.NONE) {
             return "";
         } else if (SignatureAlgorithmFamily.HMAC.equals(signatureAlgorithm.getFamily())) {
             SecretKey secretKey = new SecretKeySpec(sharedSecret.getBytes(Util.UTF8_STRING_ENCODING), signatureAlgorithm.getAlgorithm());
             Mac mac = Mac.getInstance(signatureAlgorithm.getAlgorithm());
             mac.init(secretKey);
             byte[] sig = mac.doFinal(signingInput.getBytes());
             return Base64Util.base64urlencode(sig);
         } else { // EC or RSA
             PrivateKey privateKey = getPrivateKey(alias);
 
             Signature signature = Signature.getInstance(signatureAlgorithm.getAlgorithm(), "BC");
             //Signature signature = Signature.getInstance(signatureAlgorithm.getAlgorithm());
             signature.initSign(privateKey);
             signature.update(signingInput.getBytes());
 
             return Base64Util.base64urlencode(signature.sign());
         }
     }

◆ verifySignature()

boolean org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.verifySignature	(	String	signingInput,
		String	encodedSignature,
		String	alias,
		JSONObject	jwks,
		String	sharedSecret,
		SignatureAlgorithm	signatureAlgorithm
	)		throws Exception

inline

                                                                                                                                                                                              {
         boolean verified = false;
 
         if (signatureAlgorithm == SignatureAlgorithm.NONE) {
             return Util.isNullOrEmpty(encodedSignature);
         } else if (SignatureAlgorithmFamily.HMAC.equals(signatureAlgorithm.getFamily())) {
             String expectedSignature = sign(signingInput, null, sharedSecret, signatureAlgorithm);
             return expectedSignature.equals(encodedSignature);
         } else { // EC or RSA
             PublicKey publicKey = null;
 
             try {
                 if (jwks == null) {
                     publicKey = getPublicKey(alias);
                 } else {
                     publicKey = getPublicKey(alias, jwks);
                 }
                 if (publicKey == null) {
                     return false;
                 }
 
                 byte[] signature = Base64Util.base64urldecode(encodedSignature);
 
                 Signature verifier = Signature.getInstance(signatureAlgorithm.getAlgorithm(), "BC");
                 //Signature verifier = Signature.getInstance(signatureAlgorithm.getAlgorithm());
                 verifier.initVerify(publicKey);
                 verifier.update(signingInput.getBytes());
                 verified = verifier.verify(signature);
             } catch (NoSuchAlgorithmException e) {
                 LOG.error(e.getMessage(), e);
                 verified = false;
             } catch (SignatureException e) {
                 LOG.error(e.getMessage(), e);
                 verified = false;
             } catch (InvalidKeyException e) {
                 LOG.error(e.getMessage(), e);
                 verified = false;
             } catch (Exception e) {
                 LOG.error(e.getMessage(), e);
                 verified = false;
             }
         }
 
         return verified;
     }

メンバ詳解

◆ dnName

String org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.dnName

private

◆ keyStore

KeyStore org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.keyStore

private

◆ keyStoreFile

String org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.keyStoreFile

private

◆ keyStoreSecret

String org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.keyStoreSecret

private

◆ LOG

final Logger org.xdi.oxauth.model.crypto.OxAuthCryptoProvider.LOG = Logger.getLogger(OxAuthCryptoProvider.class)

staticprivate

このクラス詳解は次のファイルから抽出されました:

D:/AppData/OpenId/gluu/src/oxAuth/Model/src/main/java/org/xdi/oxauth/model/crypto/OxAuthCryptoProvider.java

公開メンバ関数

静的公開メンバ関数

限定公開メンバ関数

非公開メンバ関数

非公開変数類

静的非公開変数類

詳解

構築子と解体子

◆ OxAuthCryptoProvider() [1/2]

◆ OxAuthCryptoProvider() [2/2]

関数詳解

◆ checkKeyExpiration() [1/2]

◆ checkKeyExpiration() [2/2]

◆ deleteKey()

◆ generateJwks()

◆ generateKey()

◆ generateV3Certificate()

◆ getJwksRequestParam()

◆ getJWKSValue()

◆ getKeyAliases()

◆ getKeyId()

◆ getPrivateKey()

◆ getPublicKey() [1/2]

◆ getPublicKey() [2/2]

◆ getSignatureAlgorithm()

◆ sign()

◆ verifySignature()

メンバ詳解

◆ dnName

◆ keyStore

◆ keyStoreFile

◆ keyStoreSecret

◆ LOG