edu.internet2.middleware.shibboleth.common.util
Class DataSealer

java.lang.Object
  extended by edu.internet2.middleware.shibboleth.common.util.DataSealer

public class DataSealer
extends Object

Applies a MAC to time-limited information and encrypts with a symmetric key.


Field Summary
private  String cipherAlgorithm
          Encryption algorithm to use.
private  SecretKey cipherKey
          Key used for encryption.
private  String cipherKeyAlias
          Keystore alias for the encryption key.
private  String cipherKeyPassword
          Password for encryption key.
private  String keystorePassword
          Password for keystore.
private  String keystorePath
          Path to keystore.
private  String keystoreType
          Type of keystore to use for access to keys.
private static org.slf4j.Logger log
          Class logger.
private  String macAlgorithm
          MAC algorithm to use.
private  SecretKey macKey
          Key used for MAC.
private  String macKeyAlias
          Keystore alias for the MAC key.
private  String macKeyPassword
          Password for MAC key.
private  SecureRandom random
          Source of secure random data.
 
Constructor Summary
DataSealer()
           
 
Method Summary
 String getCipherAlgorithm()
          Returns the encryption algorithm.
 SecretKey getCipherKey()
          Returns the encryption key.
 String getCipherKeyAlias()
          Returns the encryption key alias.
 String getCipherKeyPassword()
          Returns the encryption key password.
 String getKeystorePassword()
          Returns the keystore password.
 String getKeystorePath()
          Returns the keystore path.
 String getKeystoreType()
          Returns the keystore type.
private static byte[] getLongBytes(long longValue)
          Convert a long value into a byte array.
private static byte[] getMAC(Mac mac, String data, long exp)
          Compute a MAC over a string, prefixed by an expiration time.
 String getMacAlgorithm()
          Returns the MAC algorithm.
 SecretKey getMacKey()
          Returns the MAC key, if different from the encryption key.
 String getMacKeyAlias()
          Returns the MAC key alias.
 String getMacKeyPassword()
          Returns the MAC key password.
 SecureRandom getRandom()
          Returns the pseudorandom generator.
 void init()
          Initialization method used after setting all relevant bean properties.
private  void loadKeys()
          Load keys based on bean properties.
 void setCipherAlgorithm(String alg)
          Sets the encryption algorithm.
 void setCipherKey(SecretKey key)
          Sets the encryption key.
 void setCipherKeyAlias(String alias)
          Sets the encryption key alias.
 void setCipherKeyPassword(String password)
          Sets the encryption key password.
 void setKeystorePassword(String password)
          Sets the keystore password.
 void setKeystorePath(String path)
          Sets the keystore path.
 void setKeystoreType(String type)
          Sets the keystore type.
 void setMacAlgorithm(String alg)
          Sets the MAC key algorithm.
 void setMacKey(SecretKey key)
          Sets the MAC key.
 void setMacKeyAlias(String alias)
          Sets the MAC key alias.
 void setMacKeyPassword(String password)
          Sets the MAC key password.
 void setRandom(SecureRandom r)
          Sets the pseudorandom generator.
private  void testEncryption()
          Run a test over the configured bean properties.
 String unwrap(String wrapped)
          Decrypts and verifies an encrypted bundle of MAC'd data, and returns it.
 String wrap(String data, long exp)
          Encodes data into a cryptographic blob: [IV][HMAC][exp][data] where: [IV] = the Initialization Vector, byte array; [HMAC] = the HMAC, byte array; [exp] = expiration time of the data, 8 bytes, big-endian; [data] = the principal, a UTF-8-encoded string. The bytes are then GZIP'd.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

log

private static org.slf4j.Logger log
Class logger.


cipherKey

private SecretKey cipherKey
Key used for encryption.


macKey

private SecretKey macKey
Key used for MAC.


random

private SecureRandom random
Source of secure random data.


keystoreType

private String keystoreType
Type of keystore to use for access to keys.


keystorePath

private String keystorePath
Path to keystore.


keystorePassword

private String keystorePassword
Password for keystore.


cipherKeyAlias

private String cipherKeyAlias
Keystore alias for the encryption key.


cipherKeyPassword

private String cipherKeyPassword
Password for encryption key.


cipherAlgorithm

private String cipherAlgorithm
Encryption algorithm to use.


macKeyAlias

private String macKeyAlias
Keystore alias for the MAC key.


macKeyPassword

private String macKeyPassword
Password for MAC key.


macAlgorithm

private String macAlgorithm
MAC algorithm to use.

Constructor Detail

DataSealer

public DataSealer()
Method Detail

init

public void init()
          throws DataSealerException
Initialization method used after setting all relevant bean properties.

Throws:
DataSealerException - if initialization fails

getCipherKey

public SecretKey getCipherKey()
Returns the encryption key.

Returns:
the encryption key

getMacKey

public SecretKey getMacKey()
Returns the MAC key, if different from the encryption key.

Returns:
the MAC key

getRandom

public SecureRandom getRandom()
Returns the pseudorandom generator.

Returns:
the pseudorandom generator

getKeystoreType

public String getKeystoreType()
Returns the keystore type.

Returns:
the keystore type.

getKeystorePath

public String getKeystorePath()
Returns the keystore path.

Returns:
the keystore path

getKeystorePassword

public String getKeystorePassword()
Returns the keystore password.

Returns:
the keystore password

getCipherKeyAlias

public String getCipherKeyAlias()
Returns the encryption key alias.

Returns:
the encryption key alias

getCipherKeyPassword

public String getCipherKeyPassword()
Returns the encryption key password.

Returns:
the encryption key password

getCipherAlgorithm

public String getCipherAlgorithm()
Returns the encryption algorithm.

Returns:
the encryption algorithm

getMacKeyAlias

public String getMacKeyAlias()
Returns the MAC key alias.

Returns:
the MAC key alias

getMacKeyPassword

public String getMacKeyPassword()
Returns the MAC key password.

Returns:
the MAC key password

getMacAlgorithm

public String getMacAlgorithm()
Returns the MAC algorithm.

Returns:
the MAC algorithm

setCipherKey

public void setCipherKey(SecretKey key)
Sets the encryption key.

Parameters:
key - the encryption key to set

setMacKey

public void setMacKey(SecretKey key)
Sets the MAC key.

Parameters:
key - the MAC key to set

setRandom

public void setRandom(SecureRandom r)
Sets the pseudorandom generator.

Parameters:
r - the pseudorandom generator to set

setKeystoreType

public void setKeystoreType(String type)
Sets the keystore type.

Parameters:
type - the keystore type to set

setKeystorePath

public void setKeystorePath(String path)
Sets the keystore path.

Parameters:
path - the keystore path to set

setKeystorePassword

public void setKeystorePassword(String password)
Sets the keystore password.

Parameters:
password - the keystore password to set

setCipherKeyAlias

public void setCipherKeyAlias(String alias)
Sets the encryption key alias.

Parameters:
alias - the encryption key alias to set

setCipherKeyPassword

public void setCipherKeyPassword(String password)
Sets the encryption key password.

Parameters:
password - the encryption key password to set

setCipherAlgorithm

public void setCipherAlgorithm(String alg)
Sets the encryption algorithm.

Parameters:
alg - the encryption algorithm to set

setMacKeyAlias

public void setMacKeyAlias(String alias)
Sets the MAC key alias.

Parameters:
alias - the MAC key alias to set

setMacKeyPassword

public void setMacKeyPassword(String password)
Sets the MAC key password.

Parameters:
password - the MAC key password to set

setMacAlgorithm

public void setMacAlgorithm(String alg)
Sets the MAC key algorithm.

Parameters:
alg - the MAC algorithm to set

unwrap

public String unwrap(String wrapped)
              throws DataSealerException
Decrypts and verifies an encrypted bundle of MAC'd data, and returns it.

Parameters:
wrapped - the encoded blob
Returns:
the decrypted data, if it's unexpired
Throws:
DataSealerException - if the data cannot be unwrapped and verified

wrap

public String wrap(String data,
                   long exp)
            throws DataSealerException
Encodes data into a cryptographic blob: [IV][HMAC][exp][data] where:
[IV] = the Initialization Vector; byte array
[HMAC] = the HMAC; byte array
[exp] = expiration time of the data; 8 bytes; big-endian
[data] = the principal; a UTF-8-encoded string
The bytes are then GZIP'd. The IV is pre-pended to this byte stream, and the result is Base32-encoded. We don't need to encode the IV or MAC's lengths. They can be obtained from Cipher.getBlockSize() and Mac.getMacLength(), respectively.

Parameters:
data - the data to wrap
exp - expiration time
Returns:
the encoded blob
Throws:
DataSealerException - if the wrapping operation fails

testEncryption

private void testEncryption()
                     throws DataSealerException
Run a test over the configured bean properties.

Throws:
DataSealerException - if the test fails

getMAC

private static byte[] getMAC(Mac mac,
                             String data,
                             long exp)
Compute a MAC over a string, prefixed by an expiration time.

Parameters:
mac - MAC object to use
data - data to hash
exp - timestamp to prefix the data with
Returns:
the resulting MAC
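
The layout described for wrap and getMAC above, as an added sketch that is not the Shibboleth source: the MAC covers the 8-byte big-endian expiration followed by the data, [HMAC][exp][data] is encrypted, and the IV is prepended. The class name SealSketch, the algorithms AES/CBC/PKCS5Padding and HmacSHA256, and an expiration in epoch milliseconds are assumptions; the GZIP and Base32 steps are left out.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;

public class SealSketch {
    // Assumed algorithms; the page leaves both configurable.
    static final String CIPHER = "AES/CBC/PKCS5Padding", MAC = "HmacSHA256";
    // MAC over the 8-byte big-endian expiration followed by the UTF-8 data.
    static byte[] mac(SecretKey mk, long exp, byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance(MAC);
        m.init(mk);
        m.update(ByteBuffer.allocate(8).putLong(exp).array());
        return m.doFinal(data);
    }

    // Returns IV || Enc(HMAC || exp || data); exp is assumed to be epoch milliseconds.
    static byte[] wrap(SecretKey ck, SecretKey mk, String s, long exp) throws GeneralSecurityException {
        byte[] data = s.getBytes(StandardCharsets.UTF_8), tag = mac(mk, exp, data);
        Cipher c = Cipher.getInstance(CIPHER);
        byte[] iv = new byte[c.getBlockSize()];
        new SecureRandom().nextBytes(iv); // fresh random IV for every blob
        c.init(Cipher.ENCRYPT_MODE, ck, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(ByteBuffer.allocate(tag.length + 8 + data.length)
                .put(tag).putLong(exp).put(data).array());
        return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
    }

    // Splits the IV by block size and the MAC by MAC length; rejects a bad MAC or an expired blob.
    static String unwrap(SecretKey ck, SecretKey mk, byte[] blob) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(CIPHER);
        int ivLen = c.getBlockSize(), macLen = Mac.getInstance(MAC).getMacLength();
        if (blob.length <= ivLen) throw new GeneralSecurityException("unwrap failed");
        c.init(Cipher.DECRYPT_MODE, ck, new IvParameterSpec(blob, 0, ivLen));
        ByteBuffer p = ByteBuffer.wrap(c.doFinal(blob, ivLen, blob.length - ivLen));
        if (p.remaining() < macLen + 8) throw new GeneralSecurityException("unwrap failed");
        byte[] tag = new byte[macLen], data = new byte[p.remaining() - macLen - 8];
        long exp = p.get(tag).getLong();
        p.get(data);
        if (!MessageDigest.isEqual(tag, mac(mk, exp, data)) || exp < System.currentTimeMillis())
            throw new GeneralSecurityException("unwrap failed");
        return new String(data, StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        SecretKey ck = KeyGenerator.getInstance("AES").generateKey(), mk = KeyGenerator.getInstance(MAC).generateKey();
        System.out.println(unwrap(ck, mk, wrap(ck, mk, "jdoe", System.currentTimeMillis() + 60000))); // constructed principal
    }
}
```

MessageDigest.isEqual compares the received and recomputed MACs in constant time, and the expiration is only trusted after that comparison succeeds because it is part of the MAC'd input.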

getLongBytes

private static byte[] getLongBytes(long longValue)
Convert a long value into a byte array.

Parameters:
longValue - value to convert
Returns:
a byte array

loadKeys

private void loadKeys()
               throws GeneralSecurityException,
                      IOException
Load keys based on bean properties.

Throws:
GeneralSecurityException - if the keys fail due to a security-related issue
IOException - if the load process fails


Copyright © 1999-2012. All Rights Reserved.