Class CipherUtil


  • public class CipherUtil
    extends java.lang.Object
    The cipher utility provides functions to create a master key using PBKDF2, a derived key using SHA256, and to create a Cipher from a derived key. It furthermore offers a method to programmatically enable the unlimited strength crypto policies.
    • Constructor Summary

      Constructors 
      Constructor Description
      CipherUtil()  
    • Method Summary

      All Methods Static Methods Concrete Methods 
      Modifier and Type Method Description
      static SaltedSecretKey createDerivedKey​(byte[] inputKeyMaterial, byte[] inputSalt, java.lang.String outputKeyAlgorithm, int outputKeySize)
      Creates a derived key from the given input key material (raw byte array) and an input salt and wraps the key in a SecretKeySpec using the given output key algorithm and output key size.
      static SaltedSecretKey createDerivedKey​(javax.crypto.SecretKey inputKey, byte[] inputSalt, CipherSpec outputCipherSpec)
      Creates a derived key from the given SecretKey an input salt and wraps the key in a SecretKeySpec using the given CipherSpec.
      static SaltedSecretKey createMasterKey​(java.lang.String password)  
      static SaltedSecretKey createMasterKey​(java.lang.String password, byte[] salt)  
      static java.lang.String createRandomAlphabeticString​(int size)
      Generates a random string the given length.
      static byte[] createRandomArray​(int size)
      Creates a random array of bytes using the default SecureRandom implementation of the currently active JVM.
      static javax.net.ssl.SSLContext createSSLContext​(java.security.KeyStore keyStore, java.security.KeyStore trustStore)
      Creates an SSL context, given a key store and a trust store.
      static byte[] decrypt​(java.io.InputStream fromInputStream, SaltedSecretKey masterKey)  
      static void enableUnlimitedStrength()
      Attempts to programmatically enable the unlimited strength Java crypto extension using the reflection API.
      static void encrypt​(java.io.InputStream plaintextInputStream, java.io.OutputStream ciphertextOutputStream, java.util.List<CipherSpec> cipherSpecs, SaltedSecretKey masterKey)  
      static byte[] encrypt​(java.io.InputStream plaintextInputStream, java.util.List<CipherSpec> cipherSuites, SaltedSecretKey masterKey)  
      static java.security.KeyPair generateRsaKeyPair()
      Generates a 2048-bit RSA key pair.
      static java.security.cert.X509Certificate generateSelfSignedCertificate​(java.lang.String commonName, java.security.KeyPair keyPair)
      Generates a self-signed certificate, given a public/private key pair.
      static void init()
      Initializes the crypto provider ("Bouncy Castle") and tests whether the unlimited strength policy has been enabled.
      static boolean isEncrypted​(java.io.File file)  
      static SaltedSecretKey toSaltedSecretKey​(byte[] secretKeyBytes, byte[] saltBytes, java.lang.String algorithm)  
      static javax.crypto.SecretKey toSecretKey​(byte[] secretKeyBytes, java.lang.String algorithm)  
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Method Detail

      • init

        public static void init()
        Initializes the crypto provider ("Bouncy Castle") and tests whether the unlimited strength policy has been enabled. Unlimited crypto allows for stronger crypto algorithms such as AES-256 or Twofish-256.

        The method is called in the static block of this class and hence initialized whenever then class is used.

        See Also:
        Java Cryptography Extension (JCE) Unlimited Strength
      • enableUnlimitedStrength

        public static void enableUnlimitedStrength()
                                            throws CipherException
        Attempts to programmatically enable the unlimited strength Java crypto extension using the reflection API.

        This class tries to set the property isRestricted of the class javax.crypto.JceSecurity to false -- effectively disabling the artificial limitations (and the disallowed algorithms).

        Note: Be aware that enabling the unlimited strength extension needs to be acknowledged by the end-user to avoid legal issues!

        Throws:
        CipherException - If the unlimited strength policy cannot be enabled.
        See Also:
        Java Cryptography Extension (JCE) Unlimited Strength
      • createRandomArray

        public static byte[] createRandomArray​(int size)
        Creates a random array of bytes using the default SecureRandom implementation of the currently active JVM. The returned array can be used as a basis for secret keys, IVs or salts.
        Parameters:
        size - Size of the returned array (in bytes)
        Returns:
        Returns a random byte array (using a secure pseudo random generator)
      • createRandomAlphabeticString

        public static java.lang.String createRandomAlphabeticString​(int size)
        Generates a random string the given length. Only uses characters A-Z/a-z (in order to always create valid serialized vector clock representations).
      • createDerivedKey

        public static SaltedSecretKey createDerivedKey​(javax.crypto.SecretKey inputKey,
                                                       byte[] inputSalt,
                                                       CipherSpec outputCipherSpec)
                                                throws java.security.spec.InvalidKeySpecException,
                                                       java.security.NoSuchAlgorithmException,
                                                       java.security.NoSuchProviderException
        Creates a derived key from the given SecretKey an input salt and wraps the key in a SecretKeySpec using the given CipherSpec.

        This method simply uses the createDerivedKey() method using the encoded input key and the algorithm and key size given by the cipher spec.

        Parameters:
        inputKey - The source key to derive the new key from
        inputSalt - Input salt used to generate the new key (a non-secret random value!)
        outputCipherSpec - Defines the algorithm and key size of the new output key
        Returns:
        Returns a derived key (including the given input salt)
        Throws:
        java.security.spec.InvalidKeySpecException
        java.security.NoSuchAlgorithmException
        java.security.NoSuchProviderException
      • createDerivedKey

        public static SaltedSecretKey createDerivedKey​(byte[] inputKeyMaterial,
                                                       byte[] inputSalt,
                                                       java.lang.String outputKeyAlgorithm,
                                                       int outputKeySize)
                                                throws java.security.spec.InvalidKeySpecException,
                                                       java.security.NoSuchAlgorithmException,
                                                       java.security.NoSuchProviderException
        Creates a derived key from the given input key material (raw byte array) and an input salt and wraps the key in a SecretKeySpec using the given output key algorithm and output key size.

        The algorithm used to derive the new key from the input key material (IKM) is the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) (see RFC 5869)

        Parameters:
        inputKeyMaterial - The input key material as raw data bytes, e.g. determined from Key.getEncoded()
        inputSalt - Input salt used to generate the new key (a non-secret random value!)
        outputKeyAlgorithm - Defines the algorithm of the new output key (for SecretKeySpec.getAlgorithm())
        outputKeySize - Defines the key size of the new output key
        Returns:
        Returns a new pseudorandom key derived from the input key material using HKDF
        Throws:
        java.security.spec.InvalidKeySpecException
        java.security.NoSuchAlgorithmException
        java.security.NoSuchProviderException
        See Also:
        RFC 5869
      • toSecretKey

        public static javax.crypto.SecretKey toSecretKey​(byte[] secretKeyBytes,
                                                         java.lang.String algorithm)
      • isEncrypted

        public static boolean isEncrypted​(java.io.File file)
                                   throws java.io.IOException
        Throws:
        java.io.IOException
      • generateRsaKeyPair

        public static java.security.KeyPair generateRsaKeyPair()
                                                        throws java.security.NoSuchAlgorithmException,
                                                               CipherException,
                                                               java.security.NoSuchProviderException
        Generates a 2048-bit RSA key pair.
        Throws:
        java.security.NoSuchAlgorithmException
        CipherException
        java.security.NoSuchProviderException
      • generateSelfSignedCertificate

        public static java.security.cert.X509Certificate generateSelfSignedCertificate​(java.lang.String commonName,
                                                                                       java.security.KeyPair keyPair)
                                                                                throws org.bouncycastle.operator.OperatorCreationException,
                                                                                       java.security.cert.CertificateException,
                                                                                       java.security.InvalidKeyException,
                                                                                       java.security.NoSuchAlgorithmException,
                                                                                       java.security.NoSuchProviderException,
                                                                                       java.security.SignatureException
        Generates a self-signed certificate, given a public/private key pair.
        Throws:
        org.bouncycastle.operator.OperatorCreationException
        java.security.cert.CertificateException
        java.security.InvalidKeyException
        java.security.NoSuchAlgorithmException
        java.security.NoSuchProviderException
        java.security.SignatureException
        See Also:
        Original source of this method
      • createSSLContext

        public static javax.net.ssl.SSLContext createSSLContext​(java.security.KeyStore keyStore,
                                                                java.security.KeyStore trustStore)
                                                         throws java.lang.Exception
        Creates an SSL context, given a key store and a trust store.
        Throws:
        java.lang.Exception