Class KeyManagement


  • public class KeyManagement
    extends java.lang.Object
    everything related to key management and key encryption
    • Field Summary

      Fields 
      Modifier and Type Field Description
      protected static org.slf4j.Logger log  
    • Constructor Summary

      Constructors 
      Constructor Description
KeyManagement(java.lang.String pathToKeyStore, java.lang.String alias, char[] keyStorePassphrase, char[] keyPairPassphrase, java.lang.String distinguishedName, int days)
      Creates a new key store, key pair and certificate and stores it in the specified path.
    • Field Detail

      • log

        protected static final org.slf4j.Logger log
    • Constructor Detail

      • KeyManagement

public KeyManagement(java.lang.String pathToKeyStore,
                             java.lang.String alias,
                             char[] keyStorePassphrase,
                             char[] keyPairPassphrase,
                             java.lang.String distinguishedName,
                             int days)
                      throws java.security.KeyStoreException,
                             java.security.NoSuchProviderException,
                             java.io.IOException,
                             java.security.cert.CertificateException,
                             java.security.NoSuchAlgorithmException,
                             java.security.UnrecoverableKeyException
        Creates a new key store, key pair and certificate and stores it in the specified path. Should the path already contain a key store with a valid key pair and certificate, then the key store will be loaded instead.
        Parameters:
pathToKeyStore - path where the key store exists or should be created; if the path is null, a temporary key store is created and is not persisted
        alias - the alias for either the existing key pair or for the key pair to be created
        keyStorePassphrase - passphrase for the key store
        keyPairPassphrase - passphrase for the key pair to be generated
distinguishedName - X.509 Distinguished Name, e.g. "CN=Test, L=London, C=GB". For IoT devices, usually the DeviceID
        days - how many days the certificate should be valid for
        Throws:
        java.security.KeyStoreException - if a KeyStoreSpi implementation for the specified type is not available from the specified provider
        java.security.NoSuchProviderException - if the specified provider is not registered in the security provider list
        java.io.IOException - if there is an I/O or format problem with the keystore data, if a password is required but not given, or if the given password was incorrect
        java.security.cert.CertificateException - if any of the certificates in the keystore could not be loaded
        java.security.NoSuchAlgorithmException - if the appropriate data integrity algorithm could not be found
        java.security.UnrecoverableKeyException - if the key cannot be recovered (e.g., the given password is wrong).
    • Method Detail

      • generateSki

public static org.bouncycastle.asn1.x509.SubjectKeyIdentifier generateSki(java.security.PublicKey publicKey)
      • encodeSkiAsString

public static java.lang.String encodeSkiAsString(org.bouncycastle.asn1.x509.SubjectKeyIdentifier ski)
        returns the hex string that represents the SKI value
        Parameters:
        ski - SubjectKeyIdentifier value
        Returns:
        SKI value as hex string in lower case
      • isValidSki

public static boolean isValidSki(java.lang.String ski)
checks whether a given string represents a valid SKI. Note that this method removes whitespace before checking
        Parameters:
        ski - the string to check
        Returns:
        true if the string only uses hex digits and has a length of exactly 40
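As an added illustration of what generateSki, encodeSkiAsString and isValidSki do (this is example code written for this page, not the project's own implementation): the 40 hex digits that isValidSki requires are the 20-byte SHA-1 subject key identifier of RFC 5280 section 4.2.1.2 method 1, which hashes the subjectPublicKey BIT STRING contents of the SubjectPublicKeyInfo. It assumes generateSki uses that method, and builds a constructed RSA SubjectPublicKeyInfo with minimal DER helpers so it runs with the standard library only.

```python
import hashlib
import re

# Minimal DER helpers (assumption: just enough to build and read an RSA SubjectPublicKeyInfo).
def der_tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body                       # short-form length
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body         # long-form length

def der_int(i: int) -> bytes:
    # One extra octet when the top bit would be set keeps the INTEGER positive.
    return der_tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))

def read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA public key (constructed input, not a real key)."""
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))                 # RSAPublicKey ::= SEQUENCE { n, e }
    rsa_oid = bytes.fromhex("06092a864886f70d010101")                # OID 1.2.840.113549.1.1.1 rsaEncryption
    alg = der_tlv(0x30, rsa_oid + b"\x05\x00")                       # AlgorithmIdentifier with NULL parameters
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))     # BIT STRING, 0 unused bits

def generate_ski(spki: bytes) -> bytes:
    """RFC 5280 method 1: SHA-1 over the subjectPublicKey BIT STRING value, unused-bits octet excluded."""
    tag, seq, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _alg, pos = read_tlv(seq, 0)                                  # skip AlgorithmIdentifier
    tag, bits, _ = read_tlv(seq, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    return hashlib.sha1(bits[1:]).digest()

def encode_ski_as_string(ski: bytes) -> str:
    return ski.hex()                                                 # 20 bytes -> 40 lower-case hex digits

def is_valid_ski(ski: str) -> bool:
    """Strip all whitespace first, then require exactly 40 hex digits (either case)."""
    return re.fullmatch(r"[0-9a-fA-F]{40}", re.sub(r"\s+", "", ski)) is not None
```

A trust list keyed on these strings should normalise case the same way encodeSkiAsString does, otherwise "ABCD..." and "abcd..." are treated as two different entries.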
      • addBCProvider

        public static void addBCProvider()
adds the provider only if it is not already registered in the JVM
      • addTrustedSki

public static void addTrustedSki(java.lang.String ski,
                                         java.lang.Integer trustLevel)
adds the given SKI to the trusted list if it was not added already. This method does not override previous entries. To override an entry, remove the previous entry with removeTrustedSki before adding it again with the new trust level.
        Parameters:
        ski - the SKI to be added to the trusted SKIs list
        trustLevel - the trust level of the SKI to be added
      • setTrustedSkiAuthenticated

public static void setTrustedSkiAuthenticated(java.lang.String ski)
      • removeTrustedSki

public static boolean removeTrustedSki(java.lang.String ski)
removes an SKI from the trustedSkis map
        Parameters:
ski - the SKI to remove
        Returns:
true if the map contained the SKI, otherwise false
      • getTrustedSkis

public static java.util.Map<java.lang.String,SkiManagementInfo> getTrustedSkis()
      • clearTrustedSkis

        public static void clearTrustedSkis()
      • storeSymKeyInKeyStore

        @Deprecated
public void storeSymKeyInKeyStore(java.lang.String alias)
                                   throws java.security.NoSuchProviderException,
                                          java.security.KeyStoreException,
                                          java.security.cert.CertificateException,
                                          java.security.NoSuchAlgorithmException,
                                          java.io.IOException
        Deprecated.
        We are not sure what the symmetric key methods are for. Maybe this logic concerns SHIP 1.1.0. As they are used nowhere right now, they may change or be removed in the future.

        TODO: figure this out.

        Throws:
        java.security.NoSuchProviderException
        java.security.KeyStoreException
        java.security.cert.CertificateException
        java.security.NoSuchAlgorithmException
        java.io.IOException
      • createCertificate

public CertificateInfo createCertificate(java.security.KeyPair keyPair,
                                                 java.lang.String distinguishedName,
                                                 int days,
                                                 CertificateInfo issuer)
        generates a self-signed X.509 Certificate
        Parameters:
keyPair - the key pair whose public key the certificate is issued for
distinguishedName - the X.509 Distinguished Name, e.g. "CN=Test, L=London, C=GB". For IoT devices, usually the DeviceID
days - how many days the certificate is valid for
issuer - certificate content, consisting of the privateKey and the X509Certificate
        Returns:
        A self-signed certificate
      • getOwnSki

        public org.bouncycastle.asn1.x509.SubjectKeyIdentifier getOwnSki()
      • getOwnSkiAsStr

        public java.lang.String getOwnSkiAsStr()