issrg.security
Class DefaultSecurity

java.lang.Object
  extended by issrg.security.DefaultVerifier
      extended by issrg.security.DefaultSecurity
All Implemented Interfaces:
SessionOriented, Signer, Verifier, javax.security.auth.spi.LoginModule
Direct Known Subclasses:
MultiFileTypeSecurity, PKCS12Security

public abstract class DefaultSecurity
extends DefaultVerifier
implements Signer, SessionOriented

This is the default security class. It can sign and verify signatures on the given objects. The signing key should be provided as a part of PKCS#12 file (e.g. generated using openssl utility).

This default security supports:

Sample key generation using openssl:

openssl x509 -newkey rsa:1024 -out pkc.1 -keyout sk.1 -outform DER

The above line will generate a self-signed PKC and will output a private RSA 1024-bit long key into sk.1 file. The PKC will be saved in pkc.1 file.


Field Summary
protected  javax.security.auth.callback.CallbackHandler ch
           
static java.lang.String DEFAULT_FILE
           
static java.lang.String DEFAULT_FILE_STRING
          Configuration variable for setting a default file to be used by the login method: "DefaultSecurity.DefaultFile".
static java.lang.String DIGEST_ALGORITHM
          This variable specifies what digest algorithm to use to generate digital signatures.
protected  java.lang.String digestAlgorithm
          This variable specifies the digest algorithm used by the actual instance; the value is copied from DIGEST_ALGORITHM at instantiation time.
static java.util.Map DSA_ALGORITHMS
           
static java.util.Map KEY_ALGORITHMS
          This is a Map of Public Key cryptography algorithms supported.
static java.lang.String LAST_FILE_STRING
          Configuration variable for setting the last file to be used by the login method: "DefaultSecurity.LastFile".
static java.lang.String MD2_WITH_RSA_ALGORITHM
          This is the OID of the MD2 with RSA signature algorithm.
static java.lang.String MD4_WITH_RSA_ALGORITHM
          This is the OID of the MD4 with RSA signature algorithm.
static java.lang.String MD5_WITH_RSA_ALGORITHM
          This is the OID of the MD5 with RSA signature algorithm.
protected  java.util.Map options
           
static java.lang.String PASSWORD_SHARES_INTEGER
          Configuration variable containing the number of password shares: "DefaultSecurity.PasswordShares"
static java.lang.String PASSWORD_SHARES_STRING
          Configuration variable containing the prompt to be displayed before each password share is input (the number will be appended automatically): "DefaultSecurity.PasswordSharesPrompt"
static java.lang.String PASSWORD_STORED
          This is the name under which we can store and retrieve the password for PKCS12 signing key.
static java.lang.String PASSWORDS
          This is the name under which we can store and collect passwords
static java.lang.String PROMPT_STRING
          Configuration variable containing the prompt to be displayed right before the file selection and passwords: "DefaultSecurity.Prompt"
static java.util.Map RSA_ALGORITHMS
           
static java.lang.String SHA1_WITH_DSA_ALGORITHM
          This is the OID of the SHA-1 with DSA signature algorithm.
static java.lang.String SHA1_WITH_RSA_ALGORITHM
          This is the OID of the SHA-1 with RSA signature algorithm.
protected  java.util.Map sharedState
           
protected  javax.security.auth.Subject subj
           
static java.lang.String TITLE_STRING
          Configuration variable containing the title to be displayed at the beginning of the authentication process: "DefaultSecurity.Title"
 
Constructor Summary
DefaultSecurity()
           
 
Method Summary
 boolean abort()
          This method aborts the current log in process.
 boolean commit()
          This method confirms that the identity of the user must be accepted by the authentication mechanism, as per JAAS specification.
 java.lang.String getDigestAlgorithm()
          This method returns the default Digest Algorithm used by this object when signing.
protected abstract  FilenameCallback getFilenameCallback(java.lang.String filename)
          This method returns a FilenameCallback that prompts for implementation-specific type of files.
 java.security.PrivateKey getPrivateKey()
          This method returns the PrivateKey of the logged in user.
protected  java.security.Signature getSignature()
          This method returns the current Signature implementation that will be used by sign method.
 java.lang.String getSigningAlgorithmID()
          This method returns the signing Algorithm Identifier, which is a combination of the default hashing algorithm and the encryption algorithm of the Private Key.
 java.security.cert.X509Certificate getVerificationCertificate()
          The method returns the verification certificate of just signed in user.
 void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options)
          This method prepares the Login Module for logging in the specified subject using the given callback handlers and the maps of configuration parameters.
 boolean isLoggedIn()
          This method checks whether any user has logged in.
 boolean login()
          This method logs the user in by authenticating him against a file.
abstract  void login(java.lang.String filename, char[] password)
          This method logs in using a single password.
protected  void login(java.lang.String filename, char[][] ps)
          This method logs in using multiple password shares.
 boolean logout()
          Logs the user out by removing his secret key.
 void setDigestAlgorithm(java.lang.String da)
          This method sets the Digest Algorithm to be used to produce hash of the to-be-signed data.
 void setPrivateKey(java.security.PrivateKey pk)
          This method sets the PrivateKey of the logged in user.
protected  void setSignature(java.security.Signature sig)
          This method should be called by the login method to set the Signature implementation.
 byte[] sign(byte[] toBeSigned)
          This method signs the data using the secret key of the logged in user.
 
Methods inherited from class issrg.security.DefaultVerifier
getPKCRepository, getRootCAs, getVerificationCertificates, setPKCRepository, setRootCA, setRootCA, setRootCAs, setRootCAs, verify, verifyByRoot
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

DEFAULT_FILE_STRING

public static final java.lang.String DEFAULT_FILE_STRING
Configuration variable for setting a default file to be used by the login method: "DefaultSecurity.DefaultFile".

See Also:
Constant Field Values

LAST_FILE_STRING

public static final java.lang.String LAST_FILE_STRING
Configuration variable for setting the last file to be used by the login method: "DefaultSecurity.LastFile".

See Also:
Constant Field Values

PROMPT_STRING

public static final java.lang.String PROMPT_STRING
Configuration variable containing the prompt to be displayed right before the file selection and passwords: "DefaultSecurity.Prompt"

See Also:
Constant Field Values

TITLE_STRING

public static final java.lang.String TITLE_STRING
Configuration variable containing the title to be displayed at the beginning of the authentication process: "DefaultSecurity.Title"

See Also:
Constant Field Values

PASSWORD_SHARES_INTEGER

public static final java.lang.String PASSWORD_SHARES_INTEGER
Configuration variable containing the number of password shares: "DefaultSecurity.PasswordShares"

See Also:
Constant Field Values

PASSWORD_SHARES_STRING

public static final java.lang.String PASSWORD_SHARES_STRING
Configuration variable containing the prompt to be displayed before each password share is input (the number will be appended automatically): "DefaultSecurity.PasswordSharesPrompt"

See Also:
Constant Field Values

DEFAULT_FILE

public static final java.lang.String DEFAULT_FILE
See Also:
Constant Field Values

DIGEST_ALGORITHM

public static java.lang.String DIGEST_ALGORITHM
This variable specifies what digest algorithm to use to generate digital signatures. This will be concatenated with "with" and the encryption algorithm of the private key. The default setting is "SHA1", so the signature algorithm is going to be "SHA1withRSA" or "SHA1withDSA", depending on the private key.


digestAlgorithm

protected java.lang.String digestAlgorithm
This variable specifies the digest algorithm used by the actual instance; the value is copied from DIGEST_ALGORITHM at instantiation time.


DSA_ALGORITHMS

public static java.util.Map DSA_ALGORITHMS

RSA_ALGORITHMS

public static java.util.Map RSA_ALGORITHMS

KEY_ALGORITHMS

public static java.util.Map KEY_ALGORITHMS
This is a Map of Public Key cryptography algorithms supported. Each entry contains a Map of digest algorithm identifiers.


SHA1_WITH_DSA_ALGORITHM

public static final java.lang.String SHA1_WITH_DSA_ALGORITHM
This is the OID of the SHA-1 with DSA signature algorithm.

See Also:
Constant Field Values

SHA1_WITH_RSA_ALGORITHM

public static final java.lang.String SHA1_WITH_RSA_ALGORITHM
This is the OID of the SHA-1 with RSA signature algorithm.

See Also:
Constant Field Values

MD5_WITH_RSA_ALGORITHM

public static final java.lang.String MD5_WITH_RSA_ALGORITHM
This is the OID of the MD5 with RSA signature algorithm.

See Also:
Constant Field Values

MD4_WITH_RSA_ALGORITHM

public static final java.lang.String MD4_WITH_RSA_ALGORITHM
This is the OID of the MD4 with RSA signature algorithm.

See Also:
Constant Field Values

MD2_WITH_RSA_ALGORITHM

public static final java.lang.String MD2_WITH_RSA_ALGORITHM
This is the OID of the MD2 with RSA signature algorithm.

See Also:
Constant Field Values

PASSWORD_STORED

public static final java.lang.String PASSWORD_STORED
This is the name under which we can store and retrieve the password for PKCS12 signing key.

See Also:
Constant Field Values

PASSWORDS

public static final java.lang.String PASSWORDS
This is the name under which we can store and collect passwords

See Also:
Constant Field Values

subj

protected javax.security.auth.Subject subj

ch

protected javax.security.auth.callback.CallbackHandler ch

sharedState

protected java.util.Map sharedState

options

protected java.util.Map options
Constructor Detail

DefaultSecurity

public DefaultSecurity()
                throws SecurityException
Throws:
SecurityException
Method Detail

getVerificationCertificate

public java.security.cert.X509Certificate getVerificationCertificate()
                                                              throws SecurityException
The method returns the verification certificate of just signed in user. If no user has signed in, an exception is thrown.

Specified by:
getVerificationCertificate in interface Signer
Returns:
the X509 PKC of the signer
Throws:
SecurityException - if the certificate cannot be returned (for example, a session is not open, or the certificate is not available)

sign

public byte[] sign(byte[] toBeSigned)
            throws SecurityException
This method signs the data using the secret key of the logged in user. If no user has been logged in, a SecurityException is thrown.

Specified by:
sign in interface Signer
Parameters:
toBeSigned - - the byte array for which a digital signature must be generated
Returns:
byte array of the digital signature
Throws:
SecurityException - if there was a problem when signing the data

isLoggedIn

public boolean isLoggedIn()
This method checks whether any user has logged in.

Specified by:
isLoggedIn in interface SessionOriented
Returns:
true, if some user has logged in (login was called successfully, logout has not been called yet); false otherwise

getPrivateKey

public java.security.PrivateKey getPrivateKey()
This method returns the PrivateKey of the logged in user.

Returns:
PrivateKey of the logged in user, or null if no user is logged in

setPrivateKey

public void setPrivateKey(java.security.PrivateKey pk)
This method sets the PrivateKey of the logged in user. This does not change the key stored on a device or in a keystore file.

Normally you should not use this method, if a user has been logged in.

Parameters:
pk - - the PrivateKey to use for signing and decryption for the logged in user

logout

public boolean logout()
Logs the user out by removing his secret key. The rootCA remains the same, and can be used for signature verification purposes.

Specified by:
logout in interface javax.security.auth.spi.LoginModule
Returns:
true, as logging out always succeeds

abort

public boolean abort()
This method aborts the current log in process. This is equivalent to calling logout()

Specified by:
abort in interface javax.security.auth.spi.LoginModule
Returns:
true; always succeeds

commit

public boolean commit()
This method confirms that the identity of the user must be accepted by the authentication mechanism, as per JAAS specification.

Specified by:
commit in interface javax.security.auth.spi.LoginModule
Returns:
true, as this method always succeeds

initialize

public void initialize(javax.security.auth.Subject subject,
                       javax.security.auth.callback.CallbackHandler callbackHandler,
                       java.util.Map sharedState,
                       java.util.Map options)
This method prepares the Login Module for logging in the specified subject using the given callback handlers and the maps of configuration parameters. See JAAS specification for more details.

Specified by:
initialize in interface javax.security.auth.spi.LoginModule
Parameters:
subject - - the Subject that should be populated with the data about the user that logs in
callbackHandler - - the CallbackHandler to be used to display the user input controls
sharedState - - the Map of settings shared between multiple LoginModule instances, or between the login attempts on the same LoginModule
options - - the options configuring the behaviour of this LoginModule

login

public boolean login()
              throws javax.security.auth.login.LoginException
This method logs the user in by authenticating him against a file. This is done by prompting for the file name and the password to it. If these match, the user is logged in. The method uses JAAS CallbackHandler to display the prompts and collect the information from the user.

Upon successful authentication the Public Credentials of the Subject (provided via initialize) are set to contain the X.509 PKC of the user obtained from the file; the Private Credentials of the Subject are set to contain the PrivateKey from the file, and the reference to this DefaultSecurity object; the SubjectDN from the PKC is added to the set of Principals of the Subject.

The file is remembered in the sharedState map, and will be reused for subsequent invocations of this method.

Specified by:
login in interface javax.security.auth.spi.LoginModule
Throws:
javax.security.auth.login.LoginException - if the object is not in the right state, an exception occured during some operation, or if authentication failed

login

protected void login(java.lang.String filename,
                     char[][] ps)
              throws SecurityException
This method logs in using multiple password shares. The implementation may transform the multiple shares into a single password, or maybe the other way round - the single-password login method will split the single password into shares, depending on underlying security device.

Throws:
SecurityException

setSignature

protected void setSignature(java.security.Signature sig)
This method should be called by the login method to set the Signature implementation. The Signature is instantiated once, to save time during sign process.

Parameters:
sig - - the Signature implementation to be used by sign method

getSignature

protected java.security.Signature getSignature()
This method returns the current Signature implementation that will be used by sign method.

Returns:
Signature object that is used to sign the data, or null, if no Signature implementation was provided (e.g. no user is logged in)

getFilenameCallback

protected abstract FilenameCallback getFilenameCallback(java.lang.String filename)
This method returns a FilenameCallback that prompts for implementation-specific type of files.

Parameters:
filename - - the default file to be prompted by CallbackHandler
Returns:
FilenameCallback to be used to prompt for files

login

public abstract void login(java.lang.String filename,
                           char[] password)
                    throws SecurityException
This method logs in using a single password.

Parameters:
filename - - the file containing the encrypted Private Key of the user
password - - the password to be used to decrypt the key
Throws:
SecurityException

getSigningAlgorithmID

public java.lang.String getSigningAlgorithmID()
                                       throws SecurityException
This method returns the signing Algorithm Identifier, which is a combination of the default hashing algorithm and the encryption algorithm of the Private Key.

Specified by:
getSigningAlgorithmID in interface Signer
Returns:
the AlgorithmID of the signing algorithm
Throws:
SecurityException - if no user was logged in, or the Algorithm ID is not known (e.g. obscure hashing algorithm has been set, or the Private Key cannot be used to generate digital signatures)

getDigestAlgorithm

public java.lang.String getDigestAlgorithm()
This method returns the default Digest Algorithm used by this object when signing. The supported methods are "SHA1" and "MD5". The default one is "SHA1", which is deemed stronger than "MD5", but you can change this by using setDigestAlgorithm.

Returns:
the Digest Algorithm used by this object to compute the hash of the to-be-signed data

setDigestAlgorithm

public void setDigestAlgorithm(java.lang.String da)
This method sets the Digest Algorithm to be used to produce hash of the to-be-signed data. The methods that are currently supported are "MD5" and "SHA1". "SHA1" is used by default as it is widely believed to be more secure than "MD5".

Parameters:
da - - the name of the Digest Algorithm