org.aselect.server.crypto
Class CryptoEngine

java.lang.Object
  extended by org.aselect.server.crypto.CryptoEngine

public class CryptoEngine
extends java.lang.Object

This class contains crypto-related (helper) methods. It is thread-safe.

Author:
Alfa & Ariss

Method Summary
 byte[] decryptTGT(java.lang.String sEncTgt)
          Decrypt a TGT using the configured encryption algorithm (cipher).
 java.lang.String encryptTGT(byte[] baData)
          Encrypt a TGT using the configured encryption algorithm (cipher).
 java.lang.String generateSignature(java.lang.String sAuthsp, java.lang.String sData)
          Generate a signature using the authsp-specific private key.
 java.lang.String getAuthSPSpecificCertId(java.lang.String sAuthsp)
          Retrieve the optional configured AuthSP specific Certificate ID.
static CryptoEngine getHandle()
          Return a reference to the CryptoEngine object.
 void init()
          Initialize the CryptoEngine.
static void nextRandomBytes(byte[] baRandom)
          Generate random bytes.
 void signRequest(java.util.Hashtable htRequest)
          Sign a request.
 void stop()
          Stops the CryptoEngine and performs cleanup.
 boolean verifyApplicationSignature(java.security.PublicKey oPublicKey, java.lang.String sData, java.lang.String sSignature)
          Verify a signature generated by an application.
 boolean verifyCrossASelectSignature(java.security.PublicKey oPublicKey, java.lang.String sData, java.lang.String sSignature)
          Verify a signature generated by a remote cross A-Select Server.
 boolean verifyPrivilegedSignature(java.lang.String sAlias, java.lang.String sData, java.lang.String sSignature)
          Verify a signature generated by a privileged application.
 boolean verifySignature(java.lang.String sAlias, java.lang.String sData, java.lang.String sSignature)
          Verify a signature generated by an authsp.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Method Detail

getHandle

public static CryptoEngine getHandle()
Return a reference to the CryptoEngine object.

Returns:
The CryptoEngine object

init

public void init()
          throws ASelectException
Initialize the CryptoEngine.

Description:
This method reads the crypto-configuration and initializes the CryptoEngine. It should be called from the ASelectConfigManager.

Throws:
ASelectException - if initialization fails

verifyPrivilegedSignature

public boolean verifyPrivilegedSignature(java.lang.String sAlias,
                                         java.lang.String sData,
                                         java.lang.String sSignature)
Verify a signature generated by a privileged application.

Description:
This method verifies a signature generated over a block of data by a "privileged application", which is simply an application acting as an authsp. It is used to verify signatures attached to a "create_tgt" API call.

Parameters:
sAlias - The id of the privileged application, which is also the alias under which the application public key is stored in the keystore.
sData - The data to be verified
sSignature - The data's signature
Returns:
true if verification was succesful, false otherwise

verifySignature

public boolean verifySignature(java.lang.String sAlias,
                               java.lang.String sData,
                               java.lang.String sSignature)
Verify a signature generated by an authsp.

Description:
This method verifies a signature generated over a block of data by an authsp. It is typically used to verify the authenticity of a response from an authsp.

Parameters:
sAlias - The id of the authsp, which is also the alias under which the authsp's public key is stored in the keystore.
sData - The data to be verified
sSignature - The data's signature
Returns:
true if verification was succesful, false otherwise

verifyCrossASelectSignature

public boolean verifyCrossASelectSignature(java.security.PublicKey oPublicKey,
                                           java.lang.String sData,
                                           java.lang.String sSignature)
Verify a signature generated by a remote cross A-Select Server.

Description:
This method verifies a signature generated over a block of data by a cross A-Select Server. It is typically used to verify the authenticity of a response from a remote A-Select Server.

Parameters:
oPublicKey - The A-Select Server's public key
sData - The data to be verified
sSignature - The data's signature
Returns:
true if verification was succesful, false otherwise

verifyApplicationSignature

public boolean verifyApplicationSignature(java.security.PublicKey oPublicKey,
                                          java.lang.String sData,
                                          java.lang.String sSignature)
Verify a signature generated by an application.

Description:
This method verifies a signature generated over a block of data by an application. It is used to verify the authenticity of an application request.

Parameters:
oPublicKey - The application's public key
sData - The data to be verified
sSignature - The data's signature
Returns:
true if verification was succesful, false otherwise

generateSignature

public java.lang.String generateSignature(java.lang.String sAuthsp,
                                          java.lang.String sData)
Generate a signature using the authsp-specific private key.

Description:
This method generates a signature over a block of data that is to be sent to an authsp.

Parameters:
sAuthsp - The id of the authsp, or null to use the default signing key.
sData - The data to be signed.
Returns:
The base64 encoded signature

encryptTGT

public java.lang.String encryptTGT(byte[] baData)
                            throws ASelectException
Encrypt a TGT using the configured encryption algorithm (cipher).

Parameters:
baData - A byte array representing the TGT
Returns:
A String representation of the encrypted TGT
Throws:
ASelectException - If encrypting fails.

decryptTGT

public byte[] decryptTGT(java.lang.String sEncTgt)
                  throws ASelectException
Decrypt a TGT using the configured encryption algorithm (cipher).

Parameters:
sEncTgt - A String representation of the encrypted TGT
Returns:
A byte array containing the decrypted TGT
Throws:
ASelectException - If decrypting fails.

getAuthSPSpecificCertId

public java.lang.String getAuthSPSpecificCertId(java.lang.String sAuthsp)
Retrieve the optional configured AuthSP specific Certificate ID.

Description:
Retrieve the AuthSP specific Certificate ID if it is configured, otherwise the default certificate ID is returned.

Concurrency issues:
-

Preconditions:
sAuthsp != null

Postconditions:
-

Parameters:
sAuthsp - The AuthSP name.
Returns:
The certificate ID of the AuthSP.

stop

public void stop()
Stops the CryptoEngine and performs cleanup.
Postconditions:
Do not use the CryptoEngine after calling this method.


nextRandomBytes

public static void nextRandomBytes(byte[] baRandom)
                            throws java.lang.Exception
Generate random bytes.

Description:
This method generates n random bytes, where n is the size of the passed byte array. It uses the configured SecureRandom object to generate this data.

Parameters:
baRandom - A byte array that will hold the random bytes upon completion of this method
Throws:
java.lang.Exception

signRequest

public void signRequest(java.util.Hashtable htRequest)
                 throws ASelectException
Sign a request.

Description:
This method is used in a cross A-Select environment to Generate a Signature for a request to a remote A-Select server.

Note: All request parameters are first sorted in the natural ordening of the parameter names. The signature is created over all appended parameter values in this order.

Concurrency issues:
-

Preconditions:
htRequest should contain all parameters that are send to the remote A-Select Server.

Postconditions:
htRequest will contain an additional "signature" parameter containg the generated signature of the request.

Parameters:
htRequest - The request that should be signed.
Throws:
ASelectException - If signing fails.


Copyright © 2008 SURFnet BV. All Rights Reserved.