Package org.xwiki.crypto.script
Class RSACryptoScriptService
- java.lang.Object
  - org.xwiki.crypto.script.RSACryptoScriptService
- All Implemented Interfaces:
  org.xwiki.script.service.ScriptService

@Component @Named("crypto.rsa") @Singleton
public class RSACryptoScriptService extends Object implements org.xwiki.script.service.ScriptService

Script service allowing a user to create RSA key pairs, issue X.509 certificates (root CA, intermediate CA and end entity), check certificate chains, and produce and verify CMS signatures.
- Since: 8.4RC1
- Version: $Id: 879616f3005d99e45782984188ca666b49d4c5b5 $
-
Constructor Summary
- RSACryptoScriptService()
-
Method Summary
All Methods | Instance Methods | Concrete Methods

- boolean checkX509CertificateChainValidity(Collection<org.xwiki.crypto.pkix.params.CertifiedPublicKey> chain)
  Check that an X509 certificate chain is complete and valid now.
- boolean checkX509CertificateChainValidity(Collection<org.xwiki.crypto.pkix.params.CertifiedPublicKey> chain, Date date)
  Check that an X509 certificate chain is complete and valid on a given date.
- byte[] cmsSign(byte[] data, org.xwiki.crypto.pkix.params.CertifiedKeyPair keyPair, boolean embedContent)
  Generate a CMS (Cryptographic Message Syntax) signature for a given byte content.
- byte[] cmsSign(byte[] data, org.xwiki.crypto.pkix.params.CertifiedKeyPair keyPair, org.xwiki.crypto.pkix.CertificateProvider certificateProvider, boolean embedContent)
  Generate a CMS signature for a given byte content, optionally embedding the signer's certificate chain.
- byte[] cmsSign(byte[] data, org.xwiki.crypto.pkix.params.CertifiedKeyPair keyPair, org.xwiki.crypto.pkix.CertificateProvider certificateProvider, org.xwiki.crypto.signer.param.CMSSignedDataVerified existingSignature, boolean embedContent)
  Generate a CMS signature for a given byte content, keeping the signatures of an existing CMS structure on the same data.
- org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify(byte[] signature)
  Verify a CMS signature with embedded content and containing all the certificates required for validation.
- org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify(byte[] signature, byte[] data)
  Verify a CMS signature without embedded content but containing all the certificates required for validation.
- org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify(byte[] signature, byte[] data, org.xwiki.crypto.pkix.CertificateProvider certificateProvider)
  Verify a CMS signature without embedded content, using external certificates for validation.
- org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify(byte[] signature, org.xwiki.crypto.pkix.CertificateProvider certificateProvider)
  Verify a CMS signature with embedded content, using external certificates for validation.
- org.xwiki.crypto.pkix.params.CertifiedKeyPair createCertifiedKeyPair(org.xwiki.crypto.params.cipher.asymmetric.PrivateKeyParameters privateKey, org.xwiki.crypto.pkix.params.CertifiedPublicKey certificate)
  Create a CertifiedKeyPair from a private key and a certificate.
- org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair generateKeyPair()
  Generate a new RSA key pair with default parameters (256-byte, i.e. 2048-bit, modulus).
- org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair generateKeyPair(int strength)
  Generate a new RSA key pair of the given strength (in bytes).
- org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair generateKeyPair(int strength, BigInteger publicExponent, int certainty)
  Generate a new RSA key pair with fully custom parameters.
- org.xwiki.crypto.pkix.params.CertifiedPublicKey issueCertificate(org.xwiki.crypto.params.cipher.asymmetric.PrivateKeyParameters privateKey, org.xwiki.crypto.pkix.params.CertifiedPublicKey issuer, org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey, String dn, int validity, List<org.xwiki.crypto.pkix.params.x509certificate.extension.X509GeneralName> subjectAltName)
  Create an end entity certificate.
- org.xwiki.crypto.pkix.params.CertifiedKeyPair issueCertificate(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer, org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair keyPair, String dn, int validity, List<org.xwiki.crypto.pkix.params.x509certificate.extension.X509GeneralName> subjectAltName)
  Create an end entity certificate.
- org.xwiki.crypto.pkix.params.CertifiedPublicKey issueCertificate(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer, org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey, String dn, int validity, List<org.xwiki.crypto.pkix.params.x509certificate.extension.X509GeneralName> subjectAltName)
  Create an end entity certificate.
- org.xwiki.crypto.pkix.params.CertifiedPublicKey issueIntermediateCertificate(org.xwiki.crypto.params.cipher.asymmetric.PrivateKeyParameters privateKey, org.xwiki.crypto.pkix.params.CertifiedPublicKey issuer, org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey, String dn, int validity)
  Create an intermediate CA certificate.
- org.xwiki.crypto.pkix.params.CertifiedKeyPair issueIntermediateCertificate(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer, org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair keyPair, String dn, int validity)
  Create an intermediate CA certificate.
- org.xwiki.crypto.pkix.params.CertifiedPublicKey issueIntermediateCertificate(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer, org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey, String dn, int validity)
  Create an intermediate CA certificate.
- org.xwiki.crypto.pkix.params.CertifiedKeyPair issueRootCACertificate(org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair keyPair, String dn, int validity)
  Create a self-signed certificate for a Root CA.
-
Field Detail
- ROLEHINT
  public static final String ROLEHINT
  The role hint of this component.
  - See Also: Constant Field Values
-
Method Detail
-
generateKeyPair
public org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair generateKeyPair()
Generate a new RSA key pair with the default parameters: a strength of 256 bytes (a 2048-bit modulus), a public exponent of 0x10001 (65537) and a prime certainty of 12, meaning the probability that a chosen prime is in fact composite is smaller than 2^-12.
- Returns:
  - a new asymmetric key pair.
-
generateKeyPair
public org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair generateKeyPair(int strength)
Generate a new RSA key pair of the given strength. The strength is given in bytes, not bits: for a 2048-bit key pass 256. Passing a bit length by mistake (for example 2048) requests a 16384-bit key. The minimum valid strength is 2. The public exponent is 0x10001 (65537) and the prime certainty is 12, meaning the probability that a chosen prime is in fact composite is smaller than 2^-12.
- Parameters:
  - strength - the strength in bytes.
- Returns:
  - a new asymmetric key pair.
-
generateKeyPair
public org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair generateKeyPair(int strength, BigInteger publicExponent, int certainty)
Generate a new RSA key pair with fully custom parameters. The strength is given in bytes, not bits: for a 2048-bit key pass 256. The minimum valid strength is 2. The public exponent must be odd (0x10001 is the conventional choice). The probability that a chosen prime is in fact composite is smaller than 2^-certainty.
- Parameters:
  - strength - the key strength in bytes.
  - publicExponent - the public exponent.
  - certainty - the certainty for prime evaluation, as a power of two (a certainty of 12 means an error probability below 2^-12).
- Returns:
  - a new asymmetric key pair.
-
createCertifiedKeyPair
public org.xwiki.crypto.pkix.params.CertifiedKeyPair createCertifiedKeyPair(org.xwiki.crypto.params.cipher.asymmetric.PrivateKeyParameters privateKey, org.xwiki.crypto.pkix.params.CertifiedPublicKey certificate)
Create a CertifiedKeyPair from a private key and a certificate.
- Parameters:
  - privateKey - the private key.
  - certificate - the certified public key.
- Returns:
  - a certified key pair.
-
issueRootCACertificate
public org.xwiki.crypto.pkix.params.CertifiedKeyPair issueRootCACertificate(org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair keyPair, String dn, int validity) throws IOException, GeneralSecurityException
Create a self-signed certificate for a Root CA. The certificate is issued for the public key of the given key pair and signed with its private key.
- Parameters:
  - keyPair - the key pair to issue the certificate for, also used to sign it.
  - dn - the distinguished name of the new certificate.
  - validity - the validity of the certificate, in days from now.
- Returns:
  - a certified key pair (the key pair together with its self-signed certificate).
- Throws:
  - IOException - in case of an error while reading the public key.
  - GeneralSecurityException - in case of error.
-
issueIntermediateCertificate
public org.xwiki.crypto.pkix.params.CertifiedKeyPair issueIntermediateCertificate(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer, org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair keyPair, String dn, int validity) throws IOException, GeneralSecurityException
Create an intermediate CA certificate.
- Parameters:
  - issuer - the certified key pair used to issue (sign) the certificate.
  - keyPair - the key pair whose public key is to be certified.
  - dn - the distinguished name of the new certificate.
  - validity - the validity of the certificate, in days from now.
- Returns:
  - a certified key pair.
- Throws:
  - IOException - in case of an error while reading the public key.
  - GeneralSecurityException - in case of error.
-
issueIntermediateCertificate
public org.xwiki.crypto.pkix.params.CertifiedPublicKey issueIntermediateCertificate(org.xwiki.crypto.params.cipher.asymmetric.PrivateKeyParameters privateKey, org.xwiki.crypto.pkix.params.CertifiedPublicKey issuer, org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey, String dn, int validity) throws IOException, GeneralSecurityException
Create an intermediate CA certificate.
- Parameters:
  - privateKey - the private key used to sign the certificate.
  - issuer - the certificate of the issuer of the new certificate.
  - publicKey - the public key to certify.
  - dn - the distinguished name of the new certificate.
  - validity - the validity of the certificate, in days from now.
- Returns:
  - a certified public key.
- Throws:
  - IOException - in case of an error while reading the public key.
  - GeneralSecurityException - in case of error.
-
issueIntermediateCertificate
public org.xwiki.crypto.pkix.params.CertifiedPublicKey issueIntermediateCertificate(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer, org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey, String dn, int validity) throws IOException, GeneralSecurityException
Create an intermediate CA certificate.
- Parameters:
  - issuer - the certified key pair used to issue (sign) the certificate.
  - publicKey - the public key to certify.
  - dn - the distinguished name of the new certificate.
  - validity - the validity of the certificate, in days from now.
- Returns:
  - a certified public key.
- Throws:
  - IOException - in case of an error while reading the public key.
  - GeneralSecurityException - in case of error.
-
issueCertificate
public org.xwiki.crypto.pkix.params.CertifiedKeyPair issueCertificate(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer, org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair keyPair, String dn, int validity, List<org.xwiki.crypto.pkix.params.x509certificate.extension.X509GeneralName> subjectAltName) throws IOException, GeneralSecurityException
Create an end entity certificate.
- Parameters:
  - issuer - the certified key pair used to issue (sign) the certificate.
  - keyPair - the key pair whose public key is to be certified.
  - dn - the distinguished name of the new certificate.
  - validity - the validity of the certificate, in days from now.
  - subjectAltName - the subject alternative names of the certificate.
- Returns:
  - a certified key pair.
- Throws:
  - IOException - in case of an error while reading the public key.
  - GeneralSecurityException - in case of error.
-
issueCertificate
public org.xwiki.crypto.pkix.params.CertifiedPublicKey issueCertificate(org.xwiki.crypto.params.cipher.asymmetric.PrivateKeyParameters privateKey, org.xwiki.crypto.pkix.params.CertifiedPublicKey issuer, org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey, String dn, int validity, List<org.xwiki.crypto.pkix.params.x509certificate.extension.X509GeneralName> subjectAltName) throws IOException, GeneralSecurityException
Create an end entity certificate.
- Parameters:
  - privateKey - the private key used to sign the certificate.
  - issuer - the certificate of the issuer of the new certificate.
  - publicKey - the public key to certify.
  - dn - the distinguished name of the new certificate.
  - validity - the validity of the certificate, in days from now.
  - subjectAltName - the subject alternative names of the certificate.
- Returns:
  - a certified public key.
- Throws:
  - IOException - in case of an error while reading the public key.
  - GeneralSecurityException - in case of error.
-
issueCertificate
public org.xwiki.crypto.pkix.params.CertifiedPublicKey issueCertificate(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer, org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey, String dn, int validity, List<org.xwiki.crypto.pkix.params.x509certificate.extension.X509GeneralName> subjectAltName) throws IOException, GeneralSecurityException
Create an end entity certificate. By default, the key can be used for encryption and signing. If the subject alternative names contain an entry of type X509Rfc822Name, the e-mail protection extended key usage is added. If they contain an entry of type X509DnsName or X509IpAddress, the server authentication and client authentication extended key usages are added.
- Parameters:
  - issuer - the certified key pair used to issue (sign) the certificate.
  - publicKey - the public key to certify.
  - dn - the distinguished name of the new certificate.
  - validity - the validity of the certificate, in days from now.
  - subjectAltName - the subject alternative names of the certificate.
- Returns:
  - a certified public key.
- Throws:
  - IOException - in case of an error while reading the public key.
  - GeneralSecurityException - in case of error.
-
cmsSign
public byte[] cmsSign(byte[] data, org.xwiki.crypto.pkix.params.CertifiedKeyPair keyPair, boolean embedContent) throws GeneralSecurityException
Generate a CMS (Cryptographic Message Syntax) signature for a given byte content. The resulting signature may contain the content itself. No certificates are embedded by this overload; use the overload taking a CertificateProvider to embed the signer's certificate chain.
- Parameters:
  - data - the data to be signed.
  - keyPair - the certified key pair used for signing.
  - embedContent - if true, the signed content is embedded with the signature.
- Returns:
  - the resulting signature, ASN.1 encoded in accordance with RFC 3852 (CMS, since superseded by RFC 5652).
- Throws:
  - GeneralSecurityException - on error.
-
cmsSign
public byte[] cmsSign(byte[] data, org.xwiki.crypto.pkix.params.CertifiedKeyPair keyPair, org.xwiki.crypto.pkix.CertificateProvider certificateProvider, boolean embedContent) throws GeneralSecurityException
Generate a CMS (Cryptographic Message Syntax) signature for a given byte content. The resulting signature may contain the content itself and the certificate chain of the signing key.
- Parameters:
  - data - the data to be signed.
  - keyPair - the certified key pair used for signing.
  - certificateProvider - optionally, a certificate provider used to obtain the certificate chain to embed. If null, no certificates are embedded with the signature.
  - embedContent - if true, the signed content is embedded with the signature.
- Returns:
  - the resulting signature, ASN.1 encoded in accordance with RFC 3852.
- Throws:
  - GeneralSecurityException - on error.
-
cmsSign
public byte[] cmsSign(byte[] data, org.xwiki.crypto.pkix.params.CertifiedKeyPair keyPair, org.xwiki.crypto.pkix.CertificateProvider certificateProvider, org.xwiki.crypto.signer.param.CMSSignedDataVerified existingSignature, boolean embedContent) throws GeneralSecurityException
Generate a CMS (Cryptographic Message Syntax) signature for a given byte content. The resulting signature may contain the content itself and the certificate chain of the signing key. When an existing signature is given, its signers are kept alongside the new one, which allows several parties to sign the same data.
- Parameters:
  - data - the data to be signed.
  - keyPair - the certified key pair used for signing.
  - certificateProvider - optionally, a certificate provider used to obtain the certificate chain to embed. If null, no certificates are embedded with the signature.
  - existingSignature - if not null, an existing (verified) signature on the same data whose signers should be kept.
  - embedContent - if true, the signed content is embedded with the signature.
- Returns:
  - the resulting signature, ASN.1 encoded in accordance with RFC 3852.
- Throws:
  - GeneralSecurityException - on error.
-
cmsVerify
public org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify(byte[] signature) throws GeneralSecurityException
Verify a CMS signature with embedded content and containing all the certificates required for validation.
- Parameters:
  - signature - the CMS signature to verify. The signature must have the signed content embedded, as well as all the certificates of the signers.
- Returns:
  - the result of the verification. Inspect the returned object: a normal return does not by itself mean the signature is valid.
- Throws:
  - GeneralSecurityException - on error.
-
cmsVerify
public org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify(byte[] signature, byte[] data) throws GeneralSecurityException
Verify a CMS signature without embedded content (a detached signature) but containing all the certificates required for validation.
- Parameters:
  - signature - the CMS signature to verify.
  - data - the content to verify the signature against, or null if the content is embedded in the signature.
- Returns:
  - the result of the verification.
- Throws:
  - GeneralSecurityException - on error.
-
cmsVerify
public org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify(byte[] signature, org.xwiki.crypto.pkix.CertificateProvider certificateProvider) throws GeneralSecurityException
Verify a CMS signature with embedded content, using external certificates for validation.
- Parameters:
  - signature - the CMS signature to verify.
  - certificateProvider - optionally, a certificate provider used to obtain the certificate chains needed to verify the signatures. If null, all certificates must be embedded in the signature.
- Returns:
  - the result of the verification.
- Throws:
  - GeneralSecurityException - on error.
-
cmsVerify
public org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify(byte[] signature, byte[] data, org.xwiki.crypto.pkix.CertificateProvider certificateProvider) throws GeneralSecurityException
Verify a CMS signature without embedded content (a detached signature), using external certificates for validation.
- Parameters:
  - signature - the CMS signature to verify.
  - data - the content to verify the signature against, or null if the content is embedded in the signature.
  - certificateProvider - optionally, a certificate provider used to obtain the certificate chains needed to verify the signatures. If null, all certificates must be embedded in the signature.
- Returns:
  - the result of the verification.
- Throws:
  - GeneralSecurityException - on error.
-
checkX509CertificateChainValidity
public boolean checkX509CertificateChainValidity(Collection<org.xwiki.crypto.pkix.params.CertifiedPublicKey> chain)
Check that an X509 certificate chain is complete and valid now.
- Parameters:
  - chain - the ordered chain of certificates, starting from the root CA and ending with the end entity.
- Returns:
  - true if the chain is a complete X509 certificate chain that is valid now.
-
checkX509CertificateChainValidity
public boolean checkX509CertificateChainValidity(Collection<org.xwiki.crypto.pkix.params.CertifiedPublicKey> chain, Date date)
Check that an X509 certificate chain is complete and valid on a given date. Every certificate in the chain must be valid on that date, so the check fails as soon as the shortest-lived certificate (typically the end entity) has expired.
- Parameters:
  - chain - the ordered chain of certificates, starting from the root CA and ending with the end entity.
  - date - the date to check the validity for, or null to check for now.
- Returns:
  - true if the chain is a complete X509 certificate chain that is valid on the given date.
-
-
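Usage example, added here and not part of the XWiki Javadoc or source. It exercises the key generation, certificate issuance, chain check and CMS methods documented above from a Groovy script macro in an XWiki page, where `services.crypto.rsa` is the script binding of this component. Method names and fully qualified class names come from this page. Assumptions the page does not confirm: the `X509DnsName` and `X509Rfc822Name` subclasses of `X509GeneralName` take a single String in their constructor; `CertifiedKeyPair` exposes its certificate through `getCertificate()` (the counterpart of the `certificate` argument of `createCertifiedKeyPair`); `CMSSignedDataVerified` reports the overall outcome through `isVerified()`; and `certProvider` is a `CertificateProvider` able to return the certificates issued below (for example one backed by a certificate store), whose construction is outside this page. The signed content is constructed.

```groovy
import java.security.GeneralSecurityException
import org.xwiki.crypto.pkix.params.x509certificate.extension.X509DnsName
import org.xwiki.crypto.pkix.params.x509certificate.extension.X509Rfc822Name

// Added example, not XWiki code. `services.crypto.rsa` is the script binding of this component.
def rsa = services.crypto.rsa

// 1. Key pairs. The strength is in BYTES: 256 gives a 2048-bit modulus. Passing a bit
//    length by mistake (generateKeyPair(2048)) would request a 16384-bit key.
def rootKeys  = rsa.generateKeyPair(256)
def interKeys = rsa.generateKeyPair(256)
def leafKeys  = rsa.generateKeyPair(256)

// 2. A three-level chain. Validity is in days from now; CAs live long, the leaf does not.
def rootCa  = rsa.issueRootCACertificate(rootKeys, "CN=Example Root CA, O=Example", 3650)
def interCa = rsa.issueIntermediateCertificate(rootCa, interKeys, "CN=Example Issuing CA, O=Example", 1825)
// A DNS name in the SAN list makes issueCertificate add the server/client authentication
// usages; an rfc822 name adds e-mail protection. (Single-String constructors are assumed.)
def leaf = rsa.issueCertificate(interCa, leafKeys, "CN=wiki.example.org, O=Example", 90,
    [new X509DnsName("wiki.example.org"), new X509Rfc822Name("wiki-admin@example.org")])

// 3. Chain validation. The collection must be ordered root CA first, end entity last.
//    CertifiedKeyPair.getCertificate() (assumed accessor) yields each CertifiedPublicKey.
def chain = [rootCa.certificate, interCa.certificate, leaf.certificate]
assert rsa.checkX509CertificateChainValidity(chain)             // valid now
def inOneYear = new Date(System.currentTimeMillis() + 365L * 24 * 60 * 60 * 1000)
assert !rsa.checkX509CertificateChainValidity(chain, inOneYear) // the 90-day leaf has expired

// 4. CMS signatures. The three-argument cmsSign embeds no certificates, so a verifier
//    holding only the blob could not validate it; passing a CertificateProvider embeds the
//    chain. `certProvider` is assumed to be such a provider (e.g. backed by a store).
byte[] content = "Signed wiki content".getBytes("UTF-8")              // constructed sample
byte[] sigEmbedded = rsa.cmsSign(content, leaf, certProvider, true)  // content + chain inside
byte[] sigDetached = rsa.cmsSign(content, leaf, certProvider, false) // signature only

def r1 = rsa.cmsVerify(sigEmbedded)           // everything needed travels in the blob
def r2 = rsa.cmsVerify(sigDetached, content)  // content supplied out of band
// The returned CMSSignedDataVerified is a report, not a pass: inspect it (isVerified() assumed).
assert r1.verified && r2.verified

// 5. Detached verification against altered content must not be accepted, whether the
//    service reports a negative result or throws; treat both as "not verified".
byte[] tampered = "Signed wiki content!".getBytes("UTF-8")
boolean tamperedAccepted
try {
    tamperedAccepted = rsa.cmsVerify(sigDetached, tampered).verified
} catch (GeneralSecurityException e) {
    tamperedAccepted = false
}
assert !tamperedAccepted
```

In a real page script, wrap the issue* calls in a try/catch for IOException and GeneralSecurityException (both are declared above) and surface the failure rather than letting the macro error swallow it; and keep the end entity validity short, since checkX509CertificateChainValidity fails for the whole chain as soon as any member has expired.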