Class RSACryptoScriptService

  • All Implemented Interfaces:
    org.xwiki.script.service.ScriptService

    @Component
    @Named("crypto.rsa")
    @Singleton
    public class RSACryptoScriptService
    extends Object
    implements org.xwiki.script.service.ScriptService
    Script service allowing a user to create keys pairs and issue certificates.
    Since:
    8.4RC1
    Version:
    $Id: 879616f3005d99e45782984188ca666b49d4c5b5 $
    • Field Summary

      Fields 
      Modifier and Type Field Description
      static String ROLEHINT
      The role hint of this component.
    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      boolean checkX509CertificateChainValidity​(Collection<org.xwiki.crypto.pkix.params.CertifiedPublicKey> chain)
      Check that an X509 certificate chain is complete and valid now.
      boolean checkX509CertificateChainValidity​(Collection<org.xwiki.crypto.pkix.params.CertifiedPublicKey> chain, Date date)
      Check that an X509 certificate chain is complete and is valid on a given date.
      byte[] cmsSign​(byte[] data, org.xwiki.crypto.pkix.params.CertifiedKeyPair keyPair, boolean embedContent)
      Generate a CMS (Cryptographic Message Syntax) signature for a given byte content.
      byte[] cmsSign​(byte[] data, org.xwiki.crypto.pkix.params.CertifiedKeyPair keyPair, org.xwiki.crypto.pkix.CertificateProvider certificateProvider, boolean embedContent)
      Generate a CMS (Cryptographic Message Syntax) signature for a given byte content.
      byte[] cmsSign​(byte[] data, org.xwiki.crypto.pkix.params.CertifiedKeyPair keyPair, org.xwiki.crypto.pkix.CertificateProvider certificateProvider, org.xwiki.crypto.signer.param.CMSSignedDataVerified existingSignature, boolean embedContent)
      Generate a CMS (Cryptographic Message Syntax) signature for a given byte content.
      org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify​(byte[] signature)
      Verify a CMS signature with embedded content and containing all the certificate required for validation.
      org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify​(byte[] signature, byte[] data)
      Verify a CMS signature without embedded content but containing all the certificate required for validation.
      org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify​(byte[] signature, byte[] data, org.xwiki.crypto.pkix.CertificateProvider certificateProvider)
      Verify a CMS signature without embedded content, and requiring external certificates to be validated.
      org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify​(byte[] signature, org.xwiki.crypto.pkix.CertificateProvider certificateProvider)
      Verify a CMS signature with embedded content, but requiring external certificates to be validated.
      org.xwiki.crypto.pkix.params.CertifiedKeyPair createCertifiedKeyPair​(org.xwiki.crypto.params.cipher.asymmetric.PrivateKeyParameters privateKey, org.xwiki.crypto.pkix.params.CertifiedPublicKey certificate)
      Create a CertifiedKeyPair from a private key and a certificate.
      org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair generateKeyPair()
      Generate a new RSA key pair.
      org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair generateKeyPair​(int strength)
      Generate a new RSA key pair of given strength.
      org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair generateKeyPair​(int strength, BigInteger publicExponent, int certainty)
      Build a new instance with all custom parameters.
      org.xwiki.crypto.pkix.params.CertifiedPublicKey issueCertificate​(org.xwiki.crypto.params.cipher.asymmetric.PrivateKeyParameters privateKey, org.xwiki.crypto.pkix.params.CertifiedPublicKey issuer, org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey, String dn, int validity, List<org.xwiki.crypto.pkix.params.x509certificate.extension.X509GeneralName> subjectAltName)
      Create an end entity certificate.
      org.xwiki.crypto.pkix.params.CertifiedKeyPair issueCertificate​(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer, org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair keyPair, String dn, int validity, List<org.xwiki.crypto.pkix.params.x509certificate.extension.X509GeneralName> subjectAltName)
      Create an end entity certificate.
      org.xwiki.crypto.pkix.params.CertifiedPublicKey issueCertificate​(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer, org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey, String dn, int validity, List<org.xwiki.crypto.pkix.params.x509certificate.extension.X509GeneralName> subjectAltName)
      Create an end entity certificate.
      org.xwiki.crypto.pkix.params.CertifiedPublicKey issueIntermediateCertificate​(org.xwiki.crypto.params.cipher.asymmetric.PrivateKeyParameters privateKey, org.xwiki.crypto.pkix.params.CertifiedPublicKey issuer, org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey, String dn, int validity)
      Create an intermediate CA certificate.
      org.xwiki.crypto.pkix.params.CertifiedKeyPair issueIntermediateCertificate​(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer, org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair keyPair, String dn, int validity)
      Create an intermediate CA certificate.
      org.xwiki.crypto.pkix.params.CertifiedPublicKey issueIntermediateCertificate​(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer, org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey, String dn, int validity)
      Create an intermediate CA certificate.
      org.xwiki.crypto.pkix.params.CertifiedKeyPair issueRootCACertificate​(org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair keyPair, String dn, int validity)
      Create a self-signed certificate for a Root CA.
    • Constructor Detail

      • RSACryptoScriptService

        public RSACryptoScriptService()
    • Method Detail

      • generateKeyPair

        public org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair generateKeyPair()
        Generate a new RSA key pair. The key strength will be 256. The key public exponent will be 0x10001. The probability a chosen prime could not be a real prime will be smaller than 2^-12.
        Returns:
        an new asymmetric key pair.
      • generateKeyPair

        public org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair generateKeyPair​(int strength)
        Generate a new RSA key pair of given strength. The strength should be given in number of bytes, so for a 2048 bits key, you should use 256 (bytes) as the integer parameter. The minimum valid strength is 2. The key public exponent will be 0x10001. The probability a chosen prime could not be a real prime will be smaller than 2^-12.
        Parameters:
        strength - the strength in bytes.
        Returns:
        an new asymmetric key pair.
      • generateKeyPair

        public org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair generateKeyPair​(int strength,
                                                                                           BigInteger publicExponent,
                                                                                           int certainty)
        Build a new instance with all custom parameters. The strength should be given in number of bytes, so for a 2048 bits key, you should use 256 (bytes) as the integer parameter. The minimum valid strength is 2. The exponent should be an odd number. The probability a chosen prime could not be a real prime will be smaller than 2^certainty.
        Parameters:
        strength - the key strength in bytes.
        publicExponent - the public exponent.
        certainty - certainty for prime evaluation.
        Returns:
        an new asymmetric key pair.
      • createCertifiedKeyPair

        public org.xwiki.crypto.pkix.params.CertifiedKeyPair createCertifiedKeyPair​(org.xwiki.crypto.params.cipher.asymmetric.PrivateKeyParameters privateKey,
                                                                                    org.xwiki.crypto.pkix.params.CertifiedPublicKey certificate)
        Create a CertifiedKeyPair from a private key and a certificate.
        Parameters:
        privateKey - the private key.
        certificate - the certified public key.
        Returns:
        a certified key pair.
      • issueRootCACertificate

        public org.xwiki.crypto.pkix.params.CertifiedKeyPair issueRootCACertificate​(org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair keyPair,
                                                                                    String dn,
                                                                                    int validity)
                                                                             throws IOException,
                                                                                    GeneralSecurityException
        Create a self-signed certificate for a Root CA.
        Parameters:
        keyPair - the keypair to issue the certificate for and used for signing it.
        dn - the distinguished name for the new the certificate.
        validity - the validity of the certificate from now in days.
        Returns:
        a certified public key.
        Throws:
        IOException - in case on error while reading the public key.
        GeneralSecurityException - in case of error.
      • issueIntermediateCertificate

        public org.xwiki.crypto.pkix.params.CertifiedKeyPair issueIntermediateCertificate​(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer,
                                                                                          org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair keyPair,
                                                                                          String dn,
                                                                                          int validity)
                                                                                   throws IOException,
                                                                                          GeneralSecurityException
        Create an intermediate CA certificate.
        Parameters:
        issuer - the certified keypair for issuing the certificate
        keyPair - the keyPair of the public key to certify
        dn - the distinguished name for the new the certificate.
        validity - the validity of the certificate from now in days.
        Returns:
        a certified keypair.
        Throws:
        IOException - in case on error while reading the public key.
        GeneralSecurityException - in case of error.
      • issueIntermediateCertificate

        public org.xwiki.crypto.pkix.params.CertifiedPublicKey issueIntermediateCertificate​(org.xwiki.crypto.params.cipher.asymmetric.PrivateKeyParameters privateKey,
                                                                                            org.xwiki.crypto.pkix.params.CertifiedPublicKey issuer,
                                                                                            org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey,
                                                                                            String dn,
                                                                                            int validity)
                                                                                     throws IOException,
                                                                                            GeneralSecurityException
        Create an intermediate CA certificate.
        Parameters:
        privateKey - the private key for signing the certificate
        issuer - the certificate of the issuer of the certificate
        publicKey - the public key to certify
        dn - the distinguished name for the new the certificate.
        validity - the validity of the certificate from now in days.
        Returns:
        a certified public key.
        Throws:
        IOException - in case on error while reading the public key.
        GeneralSecurityException - in case of error.
      • issueIntermediateCertificate

        public org.xwiki.crypto.pkix.params.CertifiedPublicKey issueIntermediateCertificate​(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer,
                                                                                            org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey,
                                                                                            String dn,
                                                                                            int validity)
                                                                                     throws IOException,
                                                                                            GeneralSecurityException
        Create an intermediate CA certificate.
        Parameters:
        issuer - the certified keypair for issuing the certificate
        publicKey - the public key to certify
        dn - the distinguished name for the new the certificate.
        validity - the validity of the certificate from now in days.
        Returns:
        a certified public key.
        Throws:
        IOException - in case on error while reading the public key.
        GeneralSecurityException - in case of error.
      • issueCertificate

        public org.xwiki.crypto.pkix.params.CertifiedKeyPair issueCertificate​(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer,
                                                                              org.xwiki.crypto.params.cipher.asymmetric.AsymmetricKeyPair keyPair,
                                                                              String dn,
                                                                              int validity,
                                                                              List<org.xwiki.crypto.pkix.params.x509certificate.extension.X509GeneralName> subjectAltName)
                                                                       throws IOException,
                                                                              GeneralSecurityException
        Create an end entity certificate.
        Parameters:
        issuer - the certified keypair for issuing the certificate
        keyPair - the keyPair of the public key to certify
        dn - the distinguished name for the new the certificate.
        validity - the validity of the certificate from now in days.
        subjectAltName - the alternative names for the certificate
        Returns:
        a certified keypair.
        Throws:
        IOException - in case on error while reading the public key.
        GeneralSecurityException - in case of error.
      • issueCertificate

        public org.xwiki.crypto.pkix.params.CertifiedPublicKey issueCertificate​(org.xwiki.crypto.params.cipher.asymmetric.PrivateKeyParameters privateKey,
                                                                                org.xwiki.crypto.pkix.params.CertifiedPublicKey issuer,
                                                                                org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey,
                                                                                String dn,
                                                                                int validity,
                                                                                List<org.xwiki.crypto.pkix.params.x509certificate.extension.X509GeneralName> subjectAltName)
                                                                         throws IOException,
                                                                                GeneralSecurityException
        Create an end entity certificate.
        Parameters:
        privateKey - the private key for signing the certificate
        issuer - the certificate of the issuer of the certificate
        publicKey - the public key to certify
        dn - the distinguished name for the new the certificate.
        validity - the validity of the certificate from now in days.
        subjectAltName - the alternative names for the certificate
        Returns:
        a certified public key.
        Throws:
        IOException - in case on error while reading the public key.
        GeneralSecurityException - in case of error.
      • issueCertificate

        public org.xwiki.crypto.pkix.params.CertifiedPublicKey issueCertificate​(org.xwiki.crypto.pkix.params.CertifiedKeyPair issuer,
                                                                                org.xwiki.crypto.params.cipher.asymmetric.PublicKeyParameters publicKey,
                                                                                String dn,
                                                                                int validity,
                                                                                List<org.xwiki.crypto.pkix.params.x509certificate.extension.X509GeneralName> subjectAltName)
                                                                         throws IOException,
                                                                                GeneralSecurityException
        Create an end entity certificate. By default, the key can be used for encryption and signing. If the end entity contains some alternate subject names of type X509Rfc822Name a extended email protection usage is added. If the end entity contains some alternate subject names of type X509DnsName or X509IpAddress extended server and client authentication usages are added.
        Parameters:
        issuer - the keypair for issuing the certificate
        publicKey - the public key to certify
        dn - the distinguished name for the new the certificate.
        validity - the validity of the certificate from now in days.
        subjectAltName - the alternative names for the certificate
        Returns:
        a certified public key.
        Throws:
        IOException - in case on error while reading the public key.
        GeneralSecurityException - in case of error.
      • cmsSign

        public byte[] cmsSign​(byte[] data,
                              org.xwiki.crypto.pkix.params.CertifiedKeyPair keyPair,
                              boolean embedContent)
                       throws GeneralSecurityException
        Generate a CMS (Cryptographic Message Syntax) signature for a given byte content. The resulting signature might contains the content itself.
        Parameters:
        data - the data to be signed
        keyPair - the certified key pair used for signing
        embedContent - if true, the signed content is embedded with the signature.
        Returns:
        the resulting signature encoded ASN.1 and in accordance with RFC 3852.
        Throws:
        GeneralSecurityException - on error.
      • cmsSign

        public byte[] cmsSign​(byte[] data,
                              org.xwiki.crypto.pkix.params.CertifiedKeyPair keyPair,
                              org.xwiki.crypto.pkix.CertificateProvider certificateProvider,
                              boolean embedContent)
                       throws GeneralSecurityException
        Generate a CMS (Cryptographic Message Syntax) signature for a given byte content. The resulting signature might contains the content itself and the certificate chain of the key used to sign.
        Parameters:
        data - the data to be signed
        keyPair - the certified key pair used for signing
        certificateProvider - Optionally, a certificate provider for obtaining the chain of certificate to embed. If null, no certificate are embedded with the signature.
        embedContent - if true, the signed content is embedded with the signature.
        Returns:
        the resulting signature encoded ASN.1 and in accordance with RFC 3852.
        Throws:
        GeneralSecurityException - on error.
      • cmsSign

        public byte[] cmsSign​(byte[] data,
                              org.xwiki.crypto.pkix.params.CertifiedKeyPair keyPair,
                              org.xwiki.crypto.pkix.CertificateProvider certificateProvider,
                              org.xwiki.crypto.signer.param.CMSSignedDataVerified existingSignature,
                              boolean embedContent)
                       throws GeneralSecurityException
        Generate a CMS (Cryptographic Message Syntax) signature for a given byte content. The resulting signature might contains the content itself and the certificate chain of the key used to sign.
        Parameters:
        data - the data to be signed
        keyPair - the certified key pair used for signing
        certificateProvider - Optionally, a certificate provider for obtaining the chain of certificate to embed. If null, no certificate are embedded with the signature.
        existingSignature - if not null, a existing signature on the same data that should be kept.
        embedContent - if true, the signed content is embedded with the signature.
        Returns:
        the resulting signature encoded ASN.1 and in accordance with RFC 3852.
        Throws:
        GeneralSecurityException - on error.
      • cmsVerify

        public org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify​(byte[] signature)
                                                                      throws GeneralSecurityException
        Verify a CMS signature with embedded content and containing all the certificate required for validation.
        Parameters:
        signature - the CMS signature to verify. The signature should have the signed content embedded as well as all the certificates for the signers.
        Returns:
        result of the verification.
        Throws:
        GeneralSecurityException - on error.
      • cmsVerify

        public org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify​(byte[] signature,
                                                                             byte[] data)
                                                                      throws GeneralSecurityException
        Verify a CMS signature without embedded content but containing all the certificate required for validation.
        Parameters:
        signature - the CMS signature to verify.
        data - the content to verify the signature against, or null of the content is embedded in the signature.
        Returns:
        a the result of the verification.
        Throws:
        GeneralSecurityException - on error.
      • cmsVerify

        public org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify​(byte[] signature,
                                                                             org.xwiki.crypto.pkix.CertificateProvider certificateProvider)
                                                                      throws GeneralSecurityException
        Verify a CMS signature with embedded content, but requiring external certificates to be validated.
        Parameters:
        signature - the CMS signature to verify.
        certificateProvider - Optionally, a certificate provider for obtaining the chain of certificate for verifying the signatures. If null, certificat should all be embedded in the signature.
        Returns:
        a the result of the verification.
        Throws:
        GeneralSecurityException - on error.
      • cmsVerify

        public org.xwiki.crypto.signer.param.CMSSignedDataVerified cmsVerify​(byte[] signature,
                                                                             byte[] data,
                                                                             org.xwiki.crypto.pkix.CertificateProvider certificateProvider)
                                                                      throws GeneralSecurityException
        Verify a CMS signature without embedded content, and requiring external certificates to be validated.
        Parameters:
        signature - the CMS signature to verify.
        data - the content to verify the signature against, or null of the content is embedded in the signature.
        certificateProvider - Optionally, a certificate provider for obtaining the chain of certificate for verifying the signatures. If null, certificat should all be embedded in the signature.
        Returns:
        a the result of the verification.
        Throws:
        GeneralSecurityException - on error.
      • checkX509CertificateChainValidity

        public boolean checkX509CertificateChainValidity​(Collection<org.xwiki.crypto.pkix.params.CertifiedPublicKey> chain)
        Check that an X509 certificate chain is complete and valid now.
        Parameters:
        chain - the ordered chain of certificate starting from root CA.
        Returns:
        true if the chain is a X509 certificate chain complete and valid on the given date.
      • checkX509CertificateChainValidity

        public boolean checkX509CertificateChainValidity​(Collection<org.xwiki.crypto.pkix.params.CertifiedPublicKey> chain,
                                                         Date date)
        Check that an X509 certificate chain is complete and is valid on a given date.
        Parameters:
        chain - the ordered chain of certificate starting from root CA.
        date - the date to check the validity for, or null to check for now.
        Returns:
        true if the chain is a X509 certificate chain complete and valid on the given date.