Package org.syncany.crypto
Class CipherUtil
- java.lang.Object
-
- org.syncany.crypto.CipherUtil
-
public class CipherUtil extends java.lang.Object
The cipher utility provides functions to create a master key using PBKDF2, a derived key using SHA256, and to create aCipher
from a derived key. It furthermore offers a method to programmatically enable the unlimited strength crypto policies.
-
-
Constructor Summary
Constructors Constructor Description CipherUtil()
-
Method Summary
All Methods Static Methods Concrete Methods Modifier and Type Method Description static SaltedSecretKey
createDerivedKey(byte[] inputKeyMaterial, byte[] inputSalt, java.lang.String outputKeyAlgorithm, int outputKeySize)
Creates a derived key from the given input key material (raw byte array) and an input salt and wraps the key in aSecretKeySpec
using the given output key algorithm and output key size.static SaltedSecretKey
createDerivedKey(javax.crypto.SecretKey inputKey, byte[] inputSalt, CipherSpec outputCipherSpec)
Creates a derived key from the givenSecretKey
an input salt and wraps the key in aSecretKeySpec
using the givenCipherSpec
.static SaltedSecretKey
createMasterKey(java.lang.String password)
static SaltedSecretKey
createMasterKey(java.lang.String password, byte[] salt)
static java.lang.String
createRandomAlphabeticString(int size)
Generates a random string the given length.static byte[]
createRandomArray(int size)
Creates a random array of bytes using the defaultSecureRandom
implementation of the currently active JVM.static javax.net.ssl.SSLContext
createSSLContext(java.security.KeyStore keyStore, java.security.KeyStore trustStore)
Creates an SSL context, given a key store and a trust store.static byte[]
decrypt(java.io.InputStream fromInputStream, SaltedSecretKey masterKey)
static void
enableUnlimitedStrength()
Attempts to programmatically enable the unlimited strength Java crypto extension using the reflection API.static void
encrypt(java.io.InputStream plaintextInputStream, java.io.OutputStream ciphertextOutputStream, java.util.List<CipherSpec> cipherSpecs, SaltedSecretKey masterKey)
static byte[]
encrypt(java.io.InputStream plaintextInputStream, java.util.List<CipherSpec> cipherSuites, SaltedSecretKey masterKey)
static java.security.KeyPair
generateRsaKeyPair()
Generates a 2048-bit RSA key pair.static java.security.cert.X509Certificate
generateSelfSignedCertificate(java.lang.String commonName, java.security.KeyPair keyPair)
Generates a self-signed certificate, given a public/private key pair.static void
init()
Initializes the crypto provider ("Bouncy Castle") and tests whether the unlimited strength policy has been enabled.static boolean
isEncrypted(java.io.File file)
static SaltedSecretKey
toSaltedSecretKey(byte[] secretKeyBytes, byte[] saltBytes, java.lang.String algorithm)
static javax.crypto.SecretKey
toSecretKey(byte[] secretKeyBytes, java.lang.String algorithm)
-
-
-
Constructor Detail
-
CipherUtil
public CipherUtil()
-
-
Method Detail
-
init
public static void init()
Initializes the crypto provider ("Bouncy Castle") and tests whether the unlimited strength policy has been enabled. Unlimited crypto allows for stronger crypto algorithms such as AES-256 or Twofish-256.The method is called in the
static
block of this class and hence initialized whenever then class is used.
-
enableUnlimitedStrength
public static void enableUnlimitedStrength() throws CipherException
Attempts to programmatically enable the unlimited strength Java crypto extension using the reflection API.This class tries to set the property
isRestricted
of the classjavax.crypto.JceSecurity
tofalse
-- effectively disabling the artificial limitations (and the disallowed algorithms).Note: Be aware that enabling the unlimited strength extension needs to be acknowledged by the end-user to avoid legal issues!
- Throws:
CipherException
- If the unlimited strength policy cannot be enabled.- See Also:
- Java Cryptography Extension (JCE) Unlimited Strength
-
createRandomArray
public static byte[] createRandomArray(int size)
Creates a random array of bytes using the defaultSecureRandom
implementation of the currently active JVM. The returned array can be used as a basis for secret keys, IVs or salts.- Parameters:
size
- Size of the returned array (in bytes)- Returns:
- Returns a random byte array (using a secure pseudo random generator)
-
createRandomAlphabeticString
public static java.lang.String createRandomAlphabeticString(int size)
Generates a random string the given length. Only uses characters A-Z/a-z (in order to always create valid serialized vector clock representations).
-
createDerivedKey
public static SaltedSecretKey createDerivedKey(javax.crypto.SecretKey inputKey, byte[] inputSalt, CipherSpec outputCipherSpec) throws java.security.spec.InvalidKeySpecException, java.security.NoSuchAlgorithmException, java.security.NoSuchProviderException
Creates a derived key from the givenSecretKey
an input salt and wraps the key in aSecretKeySpec
using the givenCipherSpec
.This method simply uses the
createDerivedKey()
method using the encoded input key and the algorithm and key size given by the cipher spec.- Parameters:
inputKey
- The source key to derive the new key frominputSalt
- Input salt used to generate the new key (a non-secret random value!)outputCipherSpec
- Defines the algorithm and key size of the new output key- Returns:
- Returns a derived key (including the given input salt)
- Throws:
java.security.spec.InvalidKeySpecException
java.security.NoSuchAlgorithmException
java.security.NoSuchProviderException
-
createDerivedKey
public static SaltedSecretKey createDerivedKey(byte[] inputKeyMaterial, byte[] inputSalt, java.lang.String outputKeyAlgorithm, int outputKeySize) throws java.security.spec.InvalidKeySpecException, java.security.NoSuchAlgorithmException, java.security.NoSuchProviderException
Creates a derived key from the given input key material (raw byte array) and an input salt and wraps the key in aSecretKeySpec
using the given output key algorithm and output key size.The algorithm used to derive the new key from the input key material (IKM) is the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) (see RFC 5869)
- Parameters:
inputKeyMaterial
- The input key material as raw data bytes, e.g. determined fromKey.getEncoded()
inputSalt
- Input salt used to generate the new key (a non-secret random value!)outputKeyAlgorithm
- Defines the algorithm of the new output key (forSecretKeySpec.getAlgorithm()
)outputKeySize
- Defines the key size of the new output key- Returns:
- Returns a new pseudorandom key derived from the input key material using HKDF
- Throws:
java.security.spec.InvalidKeySpecException
java.security.NoSuchAlgorithmException
java.security.NoSuchProviderException
- See Also:
- RFC 5869
-
toSecretKey
public static javax.crypto.SecretKey toSecretKey(byte[] secretKeyBytes, java.lang.String algorithm)
-
toSaltedSecretKey
public static SaltedSecretKey toSaltedSecretKey(byte[] secretKeyBytes, byte[] saltBytes, java.lang.String algorithm)
-
createMasterKey
public static SaltedSecretKey createMasterKey(java.lang.String password) throws CipherException
- Throws:
CipherException
-
createMasterKey
public static SaltedSecretKey createMasterKey(java.lang.String password, byte[] salt) throws CipherException
- Throws:
CipherException
-
isEncrypted
public static boolean isEncrypted(java.io.File file) throws java.io.IOException
- Throws:
java.io.IOException
-
encrypt
public static void encrypt(java.io.InputStream plaintextInputStream, java.io.OutputStream ciphertextOutputStream, java.util.List<CipherSpec> cipherSpecs, SaltedSecretKey masterKey) throws CipherException
- Throws:
CipherException
-
encrypt
public static byte[] encrypt(java.io.InputStream plaintextInputStream, java.util.List<CipherSpec> cipherSuites, SaltedSecretKey masterKey) throws CipherException
- Throws:
CipherException
-
decrypt
public static byte[] decrypt(java.io.InputStream fromInputStream, SaltedSecretKey masterKey) throws CipherException
- Throws:
CipherException
-
generateRsaKeyPair
public static java.security.KeyPair generateRsaKeyPair() throws java.security.NoSuchAlgorithmException, CipherException, java.security.NoSuchProviderException
Generates a 2048-bit RSA key pair.- Throws:
java.security.NoSuchAlgorithmException
CipherException
java.security.NoSuchProviderException
-
generateSelfSignedCertificate
public static java.security.cert.X509Certificate generateSelfSignedCertificate(java.lang.String commonName, java.security.KeyPair keyPair) throws org.bouncycastle.operator.OperatorCreationException, java.security.cert.CertificateException, java.security.InvalidKeyException, java.security.NoSuchAlgorithmException, java.security.NoSuchProviderException, java.security.SignatureException
Generates a self-signed certificate, given a public/private key pair.- Throws:
org.bouncycastle.operator.OperatorCreationException
java.security.cert.CertificateException
java.security.InvalidKeyException
java.security.NoSuchAlgorithmException
java.security.NoSuchProviderException
java.security.SignatureException
- See Also:
- Original source of this method
-
createSSLContext
public static javax.net.ssl.SSLContext createSSLContext(java.security.KeyStore keyStore, java.security.KeyStore trustStore) throws java.lang.Exception
Creates an SSL context, given a key store and a trust store.- Throws:
java.lang.Exception
-
-