Package ghidra.net

Class ApplicationKeyManagerUtils

java.lang.Object
ghidra.net.ApplicationKeyManagerUtils

public class ApplicationKeyManagerUtils extends Object
ApplicationKeyManagerUtils provides public methods for utilizing the application PKI key management, including access to trusted issuers (i.e., CA certificates), token signing and validation, and the ability to generate keystores for testing or when a self-signed certificate will suffice.
  • Method Details

    • getSignedToken

      public static SignedToken getSignedToken(Principal[] authorities, byte[] token) throws NoSuchAlgorithmException, SignatureException, CertificateException
      Sign the supplied token byte array using an installed certificate from one of the specified authorities
      Parameters:
      authorities - trusted certificate authorities
      token - token byte array
      Returns:
      signed token object
      Throws:
      NoSuchAlgorithmException - algorithm associated with signing certificate not found
      SignatureException - failed to generate SignedToken
      CertificateException - error associated with signing certificate
    • isMySignature

      public static boolean isMySignature(Principal[] authorities, byte[] token, byte[] signature) throws NoSuchAlgorithmException, SignatureException, CertificateException
      Verify that the specified signature reflects my signature of the specified token.
      Parameters:
      authorities - trusted certificate authorities
      token - byte array token
      signature - token signature
      Returns:
      true if signature is my signature
      Throws:
      NoSuchAlgorithmException - algorithm associated with signing certificate not found
      SignatureException - failed to generate SignedToken
      CertificateException - error associated with signing certificate
    • getTrustedIssuers

      public static X500Principal[] getTrustedIssuers() throws CertificateException
      Returns a list of trusted issuers (i.e., CA certificates) as established by the ApplicationTrustManagerFactory.
      Returns:
      array of trusted Certificate Authorities
      Throws:
      CertificateException - if failed to properly initialize trust manager due to CA certificate error(s).
    • validateClient

      public static void validateClient(X509Certificate[] certChain, String authType) throws CertificateException
      Validate a client certificate ensuring that it is not expired and is trusted based upon the active trust managers.
      Parameters:
      certChain - X509 certificate chain
      authType - authentication type (e.g., "RSA")
      Throws:
      CertificateException - if certificate validation fails
    • exportX509Certificates

      public static void exportX509Certificates(Certificate[] certificates, File outFile) throws IOException, CertificateEncodingException
      Export X.509 certificates to the specified outFile.
      Parameters:
      certificates - certificates to be stored
      outFile - output file
      Throws:
      IOException - if error occurs writing to outFile
      CertificateEncodingException - if error occurs while encoding certificate data
    • createKeyStore

      public static final KeyStore createKeyStore(String alias, String dn, int durationDays, KeyStore.PrivateKeyEntry caEntry, File keyFile, String keystoreType, Collection<String> subjectAlternativeNames, char[] protectedPassphrase) throws KeyStoreException
      Generate a new X509Certificate with RSA KeyPair and create/update a KeyStore optionally backed by a keyFile.
      Parameters:
      alias - entry alias within keystore
      dn - distinguished name (e.g., "CN=Ghidra Test, O=Ghidra, OU=Test, C=US" )
      durationDays - number of days which generated certificate should remain valid
      caEntry - optional CA private key entry. If null, a self-signed CA certificate will be generated.
      keyFile - optional file to load/store resulting KeyStore (may be null)
      keystoreType - supported keystore type (e.g., "JKS", "PKCS12")
      subjectAlternativeNames - an optional list of subject alternative names to be included in certificate (may be null)
      protectedPassphrase - key and keystore protection password
      Returns:
      keystore containing newly generated certificate with key pair
      Throws:
      KeyStoreException - if error occurs while updating keystore
    • createKeyEntry

      public static final KeyStore.PrivateKeyEntry createKeyEntry(String alias, String dn, int durationDays, KeyStore.PrivateKeyEntry caEntry, File keyFile, String keystoreType, Collection<String> subjectAlternativeNames, char[] protectedPassphrase) throws KeyStoreException
      Generate a new X509Certificate with RSA KeyPair and create/update a KeyStore optionally backed by a keyFile.
      Parameters:
      alias - entry alias within keystore
      dn - distinguished name (e.g., "CN=Ghidra Test, O=Ghidra, OU=Test, C=US" )
      durationDays - number of days which generated certificate should remain valid
      caEntry - optional CA private key entry. If null, a self-signed CA certificate will be generated.
      keyFile - optional file to load/store resulting KeyStore (may be null)
      keystoreType - supported keystore type (e.g., "JKS", "PKCS12")
      subjectAlternativeNames - an optional list of subject alternative names to be included in certificate (may be null)
      protectedPassphrase - key and keystore protection password
      Returns:
      newly generated keystore entry with key pair
      Throws:
      KeyStoreException - if error occurs while updating keystore
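The following is an added example, not part of Ghidra's documentation or source. It uses the createKeyEntry and createKeyStore signatures documented above to build an in-memory test CA and a CA-issued client keystore, then shows with plain JCA calls what "token signing and validation" and "trusted based upon the active trust managers" mean in practice: an RSA signature over a token that fails on a tampered token, and PKIX path validation that accepts the leaf only when its issuer is among the trusted issuers. getSignedToken, isMySignature and validateClient operate on the application's installed key manager and trust managers, which this example does not configure, so the JCA Signature and CertPathValidator calls stand in for them. The distinguished names, alias, passphrase, token bytes and the "SHA256withRSA" choice are constructed for the example; it assumes Ghidra's classes are on the classpath and that createKeyEntry with a null caEntry yields a self-signed certificate as documented.

```java
import ghidra.net.ApplicationKeyManagerUtils;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Added example (not Ghidra code): sign/verify a token and validate the issuer of a test certificate. */
public class TokenSigningExample {

    // Constructed values for the example; a real deployment would source these from configuration.
    private static final String CA_ALIAS = "test-ca";
    private static final String CLIENT_ALIAS = "test-client";
    private static final char[] PASSPHRASE = "test-only-passphrase".toCharArray();

    public static void main(String[] args) throws Exception {
        // 1. Self-signed test CA entry (caEntry == null per the documented contract); null keyFile keeps it in memory.
        KeyStore.PrivateKeyEntry caEntry = ApplicationKeyManagerUtils.createKeyEntry(
            CA_ALIAS, "CN=Example Test CA, O=Example, C=US", 30, null, null, "PKCS12", null, PASSPHRASE);
        X509Certificate caCert = (X509Certificate) caEntry.getCertificate();

        // 2. Client keystore whose certificate is issued by that CA (no subject alternative names requested).
        KeyStore ks = ApplicationKeyManagerUtils.createKeyStore(
            CLIENT_ALIAS, "CN=Example Client, O=Example, C=US", 30, caEntry, null, "PKCS12", null, PASSPHRASE);
        PrivateKey clientKey = (PrivateKey) ks.getKey(CLIENT_ALIAS, PASSPHRASE);
        X509Certificate clientCert = (X509Certificate) ks.getCertificate(CLIENT_ALIAS);

        // 3. Token signing: the private key signs, the certificate's public key verifies.
        byte[] token = "session:constructed-token".getBytes(StandardCharsets.UTF_8);
        byte[] signature = sign(clientKey, token);
        byte[] tampered = token.clone();
        tampered[0] ^= 0x01; // flip one bit so the signature no longer matches
        System.out.println("signature verifies:          " + verify(clientCert, token, signature));     // true
        System.out.println("tampered token verifies:     " + verify(clientCert, tampered, signature));  // false

        // 4. Issuer validation: accepted against the CA, rejected when the CA is not a trusted issuer.
        System.out.println("client trusted via CA:       " + chainsToTrustedIssuer(clientCert, Set.of(caCert)));    // true
        System.out.println("client trusted via itself:   " + chainsToTrustedIssuer(clientCert, Set.of(clientCert))); // false
    }

    /** Sign a token byte array with the entry's RSA private key. */
    static byte[] sign(PrivateKey key, byte[] token) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(token);
        return s.sign();
    }

    /** Verify a token signature using the public key carried in the certificate. */
    static boolean verify(X509Certificate cert, byte[] token, byte[] signature) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(cert.getPublicKey());
        s.update(token);
        return s.verify(signature);
    }

    /**
     * Check the two properties validateClient enforces: the certificate is within its validity
     * period and it chains to one of the trusted issuers. Revocation checking is disabled because
     * the test CA publishes no CRL or OCSP responder.
     */
    static boolean chainsToTrustedIssuer(X509Certificate leaf, Set<X509Certificate> trustedIssuers) {
        try {
            leaf.checkValidity(); // throws if expired or not yet valid
            Set<TrustAnchor> anchors = new HashSet<>();
            for (X509Certificate issuer : trustedIssuers) {
                anchors.add(new TrustAnchor(issuer, null));
            }
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(List.of(leaf));
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false);
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            // Covers expiry, signature, name-chaining and "no matching trust anchor" failures alike.
            return false;
        }
    }
}
```

The path handed to the validator contains only the leaf; the CA certificate is supplied as a trust anchor rather than as a path element, which is how a trust manager treats the issuers returned by getTrustedIssuers. Passing a null keyFile to both factory methods keeps the test material in memory, so nothing is left on disk after the run.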