issrg.security
Class DefaultSecurity

java.lang.Object
  issrg.security.DefaultVerifier
      issrg.security.DefaultSecurity

All Implemented Interfaces:

SessionOriented, Signer, Verifier, javax.security.auth.spi.LoginModule

Direct Known Subclasses:

MultiFileTypeSecurity, PKCS12Security

public abstract class DefaultSecurity
extends DefaultVerifier
implements Signer, SessionOriented

This is the default security class. It can sign and verify signatures on the given objects. The signing key should be provided as a part of PKCS#12 file (e.g. generated using openssl utility).

This default security supports:

• signing, given the file with the private key and the password


• signature verification, given the PKC


• validation of the PKCs, given the root CA PKC, and given certification path is not deeper than 1 hop (i.e. root CA->end-user)
In this case the PKCs of end-users are retrieved from a given PKCRepository

Sample key generation using openssl:

openssl x509 -newkey rsa:1024 -out pkc.1 -keyout sk.1 -outform DER

The above line will generate a self-signed PKC and will output a private RSA 1024-bit long key into sk.1 file. The PKC will be saved in pkc.1 file.

Field Summary

protected javax.security.auth.callback.CallbackHandler	ch
static java.lang.String	DEFAULT_FILE
static java.lang.String	DEFAULT_FILE_STRING Configuration variable for setting a default file to be used by the login method: "DefaultSecurity.DefaultFile".
static java.lang.String	DIGEST_ALGORITHM This variable specifies what digest algorithm to use to generate digital signatures.
protected java.lang.String	digestAlgorithm This variable specifies the digest algorithm used by the actual instance; the value is copied from DIGEST_ALGORITHM at instantiation time.
static java.util.Map	DSA_ALGORITHMS
static java.util.Map	KEY_ALGORITHMS This is a Map of Public Key cryptography algorithms supported.
static java.lang.String	LAST_FILE_STRING Configuration variable for setting the last file to be used by the login method: "DefaultSecurity.LastFile".
static java.lang.String	MD2_WITH_RSA_ALGORITHM This is the OID of the MD2 with RSA signature algorithm.
static java.lang.String	MD4_WITH_RSA_ALGORITHM This is the OID of the MD4 with RSA signature algorithm.
static java.lang.String	MD5_WITH_RSA_ALGORITHM This is the OID of the MD5 with RSA signature algorithm.
protected java.util.Map	options
static java.lang.String	PASSWORD_SHARES_INTEGER Configuration variable containing the number of password shares: "DefaultSecurity.PasswordShares"
static java.lang.String	PASSWORD_SHARES_STRING Configuration variable containing the prompt to be displayed before each password share is input (the number will be appended automatically): "DefaultSecurity.PasswordSharesPrompt"
static java.lang.String	PASSWORD_STORED This is the name under which we can store and retrieve the password for PKCS12 signing key.
static java.lang.String	PASSWORDS This is the name under which we can store and collect passwords
static java.lang.String	PROMPT_STRING Configuration variable containing the prompt to be displayed right before the file selection and passwords: "DefaultSecurity.Prompt"
static java.util.Map	RSA_ALGORITHMS
static java.lang.String	SHA1_WITH_DSA_ALGORITHM This is the OID of the SHA-1 with DSA signature algorithm.
static java.lang.String	SHA1_WITH_RSA_ALGORITHM This is the OID of the SHA-1 with RSA signature algorithm.
protected java.util.Map	sharedState
protected javax.security.auth.Subject	subj
static java.lang.String	TITLE_STRING Configuration variable containing the title to be displayed at the beginning of the authentication process: "DefaultSecurity.Title"

Constructor Summary

DefaultSecurity()

Method Summary

boolean	abort() This method aborts the current log in process.
boolean	commit() This method confirms that the identity of the user must be accepted by the authentication mechanism, as per JAAS specification.
java.lang.String	getDigestAlgorithm() This method returns the default Digest Algorithm used by this object when signing.
protected abstract FilenameCallback	getFilenameCallback(java.lang.String filename) This method returns a FilenameCallback that prompts for implementation-specific type of files.
java.security.PrivateKey	getPrivateKey() This method returns the PrivateKey of the logged in user.
protected java.security.Signature	getSignature() This method returns the current Signature implementation that will be used by sign method.
java.lang.String	getSigningAlgorithmID() This method returns the signing Algorithm Identifier, which is a combination of the default hashing algorithm and the encryption algorithm of the Private Key.
java.security.cert.X509Certificate	getVerificationCertificate() The method returns the verification certificate of just signed in user.
void	initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options) This method prepares the Login Module for logging in the specified subject using the given callback handlers and the maps of configuration parameters.
boolean	isLoggedIn() This method checks whether any user has logged in.
boolean	login() This method logs the user in by authenticating him against a file.
abstract void	login(java.lang.String filename, char[] password) This method logs in using a single password.
protected void	login(java.lang.String filename, char[][] ps) This method logs in using multiple password shares.
boolean	logout() Logs the user out by removing his secret key.
void	setDigestAlgorithm(java.lang.String da) This method sets the Digest Algorithm to be used to produce hash of the to-be-signed data.
void	setPrivateKey(java.security.PrivateKey pk) This method sets the PrivateKey of the logged in user.
protected void	setSignature(java.security.Signature sig) This method should be called by the login method to set the Signature implementation.
byte[]	sign(byte[] toBeSigned) This method signs the data using the secret key of the logged in user.

Methods inherited from class issrg.security.DefaultVerifier

getPKCRepository, getRootCAs, getVerificationCertificates, setPKCRepository, setRootCA, setRootCA, setRootCAs, setRootCAs, verify, verifyByRoot

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_FILE_STRING

public static final java.lang.String DEFAULT_FILE_STRING

Configuration variable for setting a default file to be used by the login method: "DefaultSecurity.DefaultFile".

See Also:

Constant Field Values

LAST_FILE_STRING

public static final java.lang.String LAST_FILE_STRING

Configuration variable for setting the last file to be used by the login method: "DefaultSecurity.LastFile".

See Also:

Constant Field Values

PROMPT_STRING

public static final java.lang.String PROMPT_STRING

Configuration variable containing the prompt to be displayed right before the file selection and passwords: "DefaultSecurity.Prompt"

See Also:

Constant Field Values

TITLE_STRING

public static final java.lang.String TITLE_STRING

Configuration variable containing the title to be displayed at the beginning of the authentication process: "DefaultSecurity.Title"

See Also:

Constant Field Values

PASSWORD_SHARES_INTEGER

public static final java.lang.String PASSWORD_SHARES_INTEGER

Configuration variable containing the number of password shares: "DefaultSecurity.PasswordShares"

See Also:

Constant Field Values

PASSWORD_SHARES_STRING

public static final java.lang.String PASSWORD_SHARES_STRING

Configuration variable containing the prompt to be displayed before each password share is input (the number will be appended automatically): "DefaultSecurity.PasswordSharesPrompt"

See Also:

Constant Field Values

DEFAULT_FILE

public static final java.lang.String DEFAULT_FILE

See Also:

Constant Field Values

DIGEST_ALGORITHM

public static java.lang.String DIGEST_ALGORITHM

This variable specifies what digest algorithm to use to generate digital signatures. This will be concatenated with "with" and the encryption algorithm of the private key. The default setting is "SHA1", so the signature algorithm is going to be "SHA1withRSA" or "SHA1withDSA", depending on the private key.

digestAlgorithm

protected java.lang.String digestAlgorithm

This variable specifies the digest algorithm used by the actual instance; the value is copied from DIGEST_ALGORITHM at instantiation time.

DSA_ALGORITHMS

public static java.util.Map DSA_ALGORITHMS

RSA_ALGORITHMS

public static java.util.Map RSA_ALGORITHMS

KEY_ALGORITHMS

public static java.util.Map KEY_ALGORITHMS

This is a Map of Public Key cryptography algorithms supported. Each entry contains a Map of digest algorithm identifiers.

SHA1_WITH_DSA_ALGORITHM

public static final java.lang.String SHA1_WITH_DSA_ALGORITHM

This is the OID of the SHA-1 with DSA signature algorithm.

See Also:

Constant Field Values

SHA1_WITH_RSA_ALGORITHM

public static final java.lang.String SHA1_WITH_RSA_ALGORITHM

This is the OID of the SHA-1 with RSA signature algorithm.

See Also:

Constant Field Values

MD5_WITH_RSA_ALGORITHM

public static final java.lang.String MD5_WITH_RSA_ALGORITHM

This is the OID of the MD5 with RSA signature algorithm.

See Also:

Constant Field Values

MD4_WITH_RSA_ALGORITHM

public static final java.lang.String MD4_WITH_RSA_ALGORITHM

This is the OID of the MD4 with RSA signature algorithm.

See Also:

Constant Field Values

MD2_WITH_RSA_ALGORITHM

public static final java.lang.String MD2_WITH_RSA_ALGORITHM

This is the OID of the MD2 with RSA signature algorithm.

See Also:

Constant Field Values

PASSWORD_STORED

public static final java.lang.String PASSWORD_STORED

This is the name under which we can store and retrieve the password for PKCS12 signing key.

See Also:

Constant Field Values

PASSWORDS

public static final java.lang.String PASSWORDS

This is the name under which we can store and collect passwords

See Also:

Constant Field Values

subj

protected javax.security.auth.Subject subj

ch

protected javax.security.auth.callback.CallbackHandler ch

sharedState

protected java.util.Map sharedState

options

protected java.util.Map options

Constructor Detail

DefaultSecurity

public DefaultSecurity()
                throws SecurityException

Throws:

SecurityException

Method Detail

getVerificationCertificate

public java.security.cert.X509Certificate getVerificationCertificate()
                                                              throws SecurityException

The method returns the verification certificate of just signed in user. If no user has signed in, an exception is thrown.

Specified by:

getVerificationCertificate in interface Signer

Returns:

the X509 PKC of the signer

Throws:

SecurityException - if the certificate cannot be returned (for example, a session is not open, or the certificate is not available)

sign

public byte[] sign(byte[] toBeSigned)
            throws SecurityException

This method signs the data using the secret key of the logged in user. If no user has been logged in, a SecurityException is thrown.

Specified by:

sign in interface Signer

Parameters:

toBeSigned - - the byte array for which a digital signature must be generated

Returns:

byte array of the digital signature

Throws:

SecurityException - if there was a problem when signing the data

isLoggedIn

public boolean isLoggedIn()

This method checks whether any user has logged in.

Specified by:

isLoggedIn in interface SessionOriented

Returns:

true, if some user has logged in (login was called successfully, logout has not been called yet); false otherwise

getPrivateKey

public java.security.PrivateKey getPrivateKey()

This method returns the PrivateKey of the logged in user.

Returns:

PrivateKey of the logged in user, or null if no user is logged in

setPrivateKey

public void setPrivateKey(java.security.PrivateKey pk)

This method sets the PrivateKey of the logged in user. This does not change the key stored on a device or in a keystore file.

Normally you should not use this method, if a user has been logged in.

Parameters:

pk - - the PrivateKey to use for signing and decryption for the logged in user

logout

public boolean logout()

Logs the user out by removing his secret key. The rootCA remains the same, and can be used for signature verification purposes.

Specified by:

logout in interface javax.security.auth.spi.LoginModule

Returns:

true, as logging out always succeeds

abort

public boolean abort()

This method aborts the current log in process. This is equivalent to calling logout()

Specified by:

abort in interface javax.security.auth.spi.LoginModule

Returns:

true; always succeeds

commit

public boolean commit()

This method confirms that the identity of the user must be accepted by the authentication mechanism, as per JAAS specification.

Specified by:

commit in interface javax.security.auth.spi.LoginModule

Returns:

true, as this method always succeeds

initialize

public void initialize(javax.security.auth.Subject subject,
                       javax.security.auth.callback.CallbackHandler callbackHandler,
                       java.util.Map sharedState,
                       java.util.Map options)

This method prepares the Login Module for logging in the specified subject using the given callback handlers and the maps of configuration parameters. See JAAS specification for more details.

Specified by:

initialize in interface javax.security.auth.spi.LoginModule

Parameters:

subject - - the Subject that should be populated with the data about the user that logs in

callbackHandler - - the CallbackHandler to be used to display the user input controls

sharedState - - the Map of settings shared between multiple LoginModule instances, or between the login attempts on the same LoginModule

options - - the options configuring the behaviour of this LoginModule

login

public boolean login()
              throws javax.security.auth.login.LoginException

This method logs the user in by authenticating him against a file. This is done by prompting for the file name and the password to it. If these match, the user is logged in. The method uses JAAS CallbackHandler to display the prompts and collect the information from the user.

Upon successful authentication the Public Credentials of the Subject (provided via initialize) are set to contain the X.509 PKC of the user obtained from the file; the Private Credentials of the Subject are set to contain the PrivateKey from the file, and the reference to this DefaultSecurity object; the SubjectDN from the PKC is added to the set of Principals of the Subject.

The file is remembered in the sharedState map, and will be reused for subsequent invocations of this method.

Specified by:

login in interface javax.security.auth.spi.LoginModule

Throws:

javax.security.auth.login.LoginException - if the object is not in the right state, an exception occured during some operation, or if authentication failed

login

protected void login(java.lang.String filename,
                     char[][] ps)
              throws SecurityException

This method logs in using multiple password shares. The implementation may transform the multiple shares into a single password, or maybe the other way round - the single-password login method will split the single password into shares, depending on underlying security device.

Throws:

SecurityException

setSignature

protected void setSignature(java.security.Signature sig)

This method should be called by the login method to set the Signature implementation. The Signature is instantiated once, to save time during sign process.

Parameters:

sig - - the Signature implementation to be used by sign method

getSignature

protected java.security.Signature getSignature()

This method returns the current Signature implementation that will be used by sign method.

Returns:

Signature object that is used to sign the data, or null, if no Signature implementation was provided (e.g. no user is logged in)

getFilenameCallback

protected abstract FilenameCallback getFilenameCallback(java.lang.String filename)

This method returns a FilenameCallback that prompts for implementation-specific type of files.

Parameters:

filename - - the default file to be prompted by CallbackHandler

Returns:

FilenameCallback to be used to prompt for files

login

public abstract void login(java.lang.String filename,
                           char[] password)
                    throws SecurityException

This method logs in using a single password.

Parameters:

filename - - the file containing the encrypted Private Key of the user

password - - the password to be used to decrypt the key

Throws:

SecurityException

getSigningAlgorithmID

public java.lang.String getSigningAlgorithmID()
                                       throws SecurityException

This method returns the signing Algorithm Identifier, which is a combination of the default hashing algorithm and the encryption algorithm of the Private Key.

Specified by:

getSigningAlgorithmID in interface Signer

Returns:

the AlgorithmID of the signing algorithm

Throws:

SecurityException - if no user was logged in, or the Algorithm ID is not known (e.g. obscure hashing algorithm has been set, or the Private Key cannot be used to generate digital signatures)

getDigestAlgorithm

public java.lang.String getDigestAlgorithm()

This method returns the default Digest Algorithm used by this object when signing. The supported methods are "SHA1" and "MD5". The default one is "SHA1", which is deemed stronger than "MD5", but you can change this by using setDigestAlgorithm.

Returns:

the Digest Algorithm used by this object to compute the hash of the to-be-signed data

setDigestAlgorithm

public void setDigestAlgorithm(java.lang.String da)

This method sets the Digest Algorithm to be used to produce hash of the to-be-signed data. The methods that are currently supported are "MD5" and "SHA1". "SHA1" is used by default as it is widely believed to be more secure than "MD5".

Parameters:

da - - the name of the Digest Algorithm