Package ghidra.net
Class ApplicationKeyManagerUtils

java.lang.Object
    ghidra.net.ApplicationKeyManagerUtils

ApplicationKeyManagerUtils provides public methods for utilizing the application PKI key management, including access to trusted issuers (i.e., CA certificates), token signing and validation, and the ability to generate keystores for testing or when a self-signed certificate will suffice.
Field Summary

Modifier and Type                      Field
static final String                    BEGIN_CERT
static final String                    END_CERT
static final String[]                  PKCS_FILE_EXTENSIONS
static final FileNameExtensionFilter   PKCS_FILENAME_FILTER
static final String                    RSA_TYPE
Method Summary

static final KeyStore.PrivateKeyEntry createKeyEntry(String alias, String dn, int durationDays, KeyStore.PrivateKeyEntry caEntry, File keyFile, String keystoreType, Collection<String> subjectAlternativeNames, char[] protectedPassphrase)
    Generate a new X509Certificate with RSA KeyPair and create/update a KeyStore optionally backed by a keyFile.

static final KeyStore createKeyStore(String alias, String dn, int durationDays, KeyStore.PrivateKeyEntry caEntry, File keyFile, String keystoreType, Collection<String> subjectAlternativeNames, char[] protectedPassphrase)
    Generate a new X509Certificate with RSA KeyPair and create/update a KeyStore optionally backed by a keyFile.

static void exportX509Certificates(Certificate[] certificates, File outFile)
    Export X.509 certificates to the specified outFile.

static SignedToken getSignedToken(Principal[] authorities, byte[] token)
    Sign the supplied token byte array using an installed certificate from one of the specified authorities.

static X500Principal[] getTrustedIssuers()
    Returns a list of trusted issuers (i.e., CA certificates) as established by the ApplicationTrustManagerFactory.

static boolean isMySignature(Principal[] authorities, byte[] token, byte[] signature)
    Verify that the specified signature reflects my signature of the specified token.

static void validateClient(X509Certificate[] certChain, String authType)
    Validate a client certificate ensuring that it is not expired and is trusted based upon the active trust managers.
Field Details

RSA_TYPE
    public static final String RSA_TYPE

BEGIN_CERT
    public static final String BEGIN_CERT

END_CERT
    public static final String END_CERT

PKCS_FILE_EXTENSIONS
    public static final String[] PKCS_FILE_EXTENSIONS

PKCS_FILENAME_FILTER
    public static final FileNameExtensionFilter PKCS_FILENAME_FILTER
Method Details

getSignedToken
    public static SignedToken getSignedToken(Principal[] authorities, byte[] token) throws NoSuchAlgorithmException, SignatureException, CertificateException

    Sign the supplied token byte array using an installed certificate from one of the specified authorities.

    Parameters:
    - authorities - trusted certificate authorities
    - token - token byte array
    Returns:
    - signed token object
    Throws:
    - NoSuchAlgorithmException - algorithm associated with signing certificate not found
    - SignatureException - failed to generate SignedToken
    - CertificateException - error associated with signing certificate
isMySignature
    public static boolean isMySignature(Principal[] authorities, byte[] token, byte[] signature) throws NoSuchAlgorithmException, SignatureException, CertificateException

    Verify that the specified signature reflects my signature of the specified token.

    Parameters:
    - authorities - trusted certificate authorities
    - token - byte array token
    - signature - token signature
    Returns:
    - true if signature is my signature
    Throws:
    - NoSuchAlgorithmException - algorithm associated with signing certificate not found
    - SignatureException - failed to generate SignedToken
    - CertificateException - error associated with signing certificate
getTrustedIssuers
    public static X500Principal[] getTrustedIssuers() throws CertificateException

    Returns a list of trusted issuers (i.e., CA certificates) as established by the ApplicationTrustManagerFactory.

    Returns:
    - array of trusted Certificate Authorities
    Throws:
    - CertificateException - if failed to properly initialize trust manager due to CA certificate error(s)
validateClient
    public static void validateClient(X509Certificate[] certChain, String authType) throws CertificateException

    Validate a client certificate ensuring that it is not expired and is trusted based upon the active trust managers.

    Parameters:
    - certChain - X509 certificate chain
    - authType - authentication type (i.e., "RSA")
    Throws:
    - CertificateException - if certificate validation fails
exportX509Certificates
    public static void exportX509Certificates(Certificate[] certificates, File outFile) throws IOException, CertificateEncodingException

    Export X.509 certificates to the specified outFile.

    Parameters:
    - certificates - certificates to be stored
    - outFile - output file
    Throws:
    - IOException - if error occurs writing to outFile
    - CertificateEncodingException - if error occurs while encoding certificate data
createKeyStore
    public static final KeyStore createKeyStore(String alias, String dn, int durationDays, KeyStore.PrivateKeyEntry caEntry, File keyFile, String keystoreType, Collection<String> subjectAlternativeNames, char[] protectedPassphrase) throws KeyStoreException

    Generate a new X509Certificate with RSA KeyPair and create/update a KeyStore optionally backed by a keyFile.

    Parameters:
    - alias - entry alias within keystore
    - dn - distinguished name (e.g., "CN=Ghidra Test, O=Ghidra, OU=Test, C=US")
    - durationDays - number of days for which the generated certificate should remain valid
    - caEntry - optional CA private key entry. If null, a self-signed CA certificate will be generated.
    - keyFile - optional file to load/store the resulting KeyStore (may be null)
    - keystoreType - supported keystore type (e.g., "JKS", "PKCS12")
    - subjectAlternativeNames - an optional list of subject alternative names to be included in the certificate (may be null)
    - protectedPassphrase - key and keystore protection password
    Returns:
    - keystore containing newly generated certificate with key pair
    Throws:
    - KeyStoreException - if error occurs while updating keystore
createKeyEntry
    public static final KeyStore.PrivateKeyEntry createKeyEntry(String alias, String dn, int durationDays, KeyStore.PrivateKeyEntry caEntry, File keyFile, String keystoreType, Collection<String> subjectAlternativeNames, char[] protectedPassphrase) throws KeyStoreException

    Generate a new X509Certificate with RSA KeyPair and create/update a KeyStore optionally backed by a keyFile.

    Parameters:
    - alias - entry alias within keystore
    - dn - distinguished name (e.g., "CN=Ghidra Test, O=Ghidra, OU=Test, C=US")
    - durationDays - number of days for which the generated certificate should remain valid
    - caEntry - optional CA private key entry. If null, a self-signed CA certificate will be generated.
    - keyFile - optional file to load/store the resulting KeyStore (may be null)
    - keystoreType - supported keystore type (e.g., "JKS", "PKCS12")
    - subjectAlternativeNames - an optional list of subject alternative names to be included in the certificate (may be null)
    - protectedPassphrase - key and keystore protection password
    Returns:
    - newly generated keystore entry with key pair
    Throws:
    - KeyStoreException - if error occurs while updating keystore
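The following is an added usage example, not code from the Ghidra project, showing how createKeyEntry, createKeyStore and exportX509Certificates fit together to bootstrap a test PKI: a self-signed test CA (caEntry null), a server certificate issued by it with subject alternative names, and a PEM export of the CA certificate only (the private key never leaves the keystore). The file paths, alias names, DN values and passphrase are placeholders chosen here, and the example assumes SAN entries are plain DNS host names; the final check uses standard java.security calls to confirm the leaf chains to the CA and is currently valid.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;

import ghidra.net.ApplicationKeyManagerUtils;

// Assumes the Ghidra classpath is available. All paths/names below are placeholders.
public class TestPkiBootstrap {

    public static void main(String[] args) throws Exception {
        char[] pass = "changeit".toCharArray();            // constructed test passphrase
        File caFile = new File("/tmp/test-ca.p12");         // placeholder path
        File serverFile = new File("/tmp/test-server.p12"); // placeholder path

        // 1. Self-signed test CA: passing caEntry == null makes the utility
        //    generate a CA certificate and store it (PKCS12) in caFile.
        KeyStore.PrivateKeyEntry ca = ApplicationKeyManagerUtils.createKeyEntry(
            "test-ca", "CN=Test CA, O=Example, C=US", 3650,
            null, caFile, "PKCS12", null, pass);

        // 2. Server certificate issued by that CA. The SAN list lets hostname
        //    verification succeed for the names clients will actually connect to.
        KeyStore serverKs = ApplicationKeyManagerUtils.createKeyStore(
            "ghidra-server", "CN=ghidra.example.internal, O=Example, C=US", 365,
            ca, serverFile, "PKCS12",
            List.of("ghidra.example.internal", "ghidra"), pass);

        // 3. Export only the CA certificate for distribution as a trust anchor.
        File caPem = new File("/tmp/test-ca.pem");           // placeholder path
        ApplicationKeyManagerUtils.exportX509Certificates(
            new Certificate[] { ca.getCertificate() }, caPem);

        // 4. Defensive check: the leaf must be inside its validity window and its
        //    signature must verify under the CA public key before it is deployed.
        Certificate[] chain = serverKs.getCertificateChain("ghidra-server");
        X509Certificate leaf = (X509Certificate) chain[0];
        leaf.checkValidity();                                 // throws if expired/not yet valid
        leaf.verify(ca.getCertificate().getPublicKey());      // throws on signature mismatch
        System.out.println("leaf " + leaf.getSubjectX500Principal()
            + " issued by " + leaf.getIssuerX500Principal()
            + ", SANs " + leaf.getSubjectAlternativeNames());
    }
}
```

The exported PEM file is what a client would install as a trusted issuer so that getTrustedIssuers and validateClient recognise certificates from this CA; the PKCS12 files containing private keys stay on the issuing host.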