All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.bouncycastle.jcajce.BCFKSLoadStoreParameter Maven / Gradle / Ivy

package org.bouncycastle.jcajce;

import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;

import org.bouncycastle.crypto.util.PBKDF2Config;
import org.bouncycastle.crypto.util.PBKDFConfig;

/**
 * LoadStoreParameter to allow configuring of the PBKDF used to generate encryption keys for
 * use in the keystore.
 */
public class BCFKSLoadStoreParameter
    extends BCLoadStoreParameter
{
    public enum EncryptionAlgorithm
    {
        AES256_CCM,
        AES256_KWP
    }

    public enum MacAlgorithm
    {
        HmacSHA512,
        HmacSHA3_512
    }

    public enum SignatureAlgorithm
    {
        SHA512withDSA,
        SHA3_512withDSA,
        SHA512withECDSA,
        SHA3_512withECDSA,
        SHA512withRSA,
        SHA3_512withRSA
    }

    public interface CertChainValidator
    {
        /**
         * Return true if the passed in chain is valid, false otherwise.
         *
         * @param chain the certChain we know about, the end-entity is at position 0.
         * @return true if valid, false otherwise.
         */
         boolean isValid(X509Certificate[] chain);
    }

    public static class Builder
    {
        private final OutputStream out;
        private final InputStream in;
        private final KeyStore.ProtectionParameter protectionParameter;
        private final Key sigKey;

        private PBKDFConfig storeConfig = new PBKDF2Config.Builder()
                                                .withIterationCount(16384)
                                                .withSaltLength(64).withPRF(PBKDF2Config.PRF_SHA512).build();
        private EncryptionAlgorithm encAlg = EncryptionAlgorithm.AES256_CCM;
        private MacAlgorithm macAlg = MacAlgorithm.HmacSHA512;
        private SignatureAlgorithm sigAlg = SignatureAlgorithm.SHA512withECDSA;
        private X509Certificate[] certs = null;
        private CertChainValidator validator;


        /**
         * Base constructor for creating a LoadStoreParameter for initializing a key store.
         */
        public Builder()
        {
            this((OutputStream)null, (KeyStore.ProtectionParameter)null);
        }

        /**
         * Base constructor for storing to an OutputStream using a password.
         *
         * @param out OutputStream to write KeyStore to.
         * @param password the password to use to protect the KeyStore.
         */
        public Builder(OutputStream out, char[] password)
        {
            this(out, new KeyStore.PasswordProtection(password));
        }

        /**
         * Base constructor for storing to an OutputStream using a protection parameter.
         *
         * @param out OutputStream to write KeyStore to.
         * @param protectionParameter the protection parameter to use to protect the KeyStore.
         */
        public Builder(OutputStream out, KeyStore.ProtectionParameter protectionParameter)
        {
            this.in = null;
            this.out = out;
            this.protectionParameter = protectionParameter;
            this.sigKey = null;
        }

        /**
         * Base constructor for storing to an OutputStream using a protection parameter.
         *
         * @param out OutputStream to write KeyStore to.
         * @param sigKey the key used to protect the integrity of the key store.
         */
        public Builder(OutputStream out, PrivateKey sigKey)
        {
            this.in = null;
            this.out = out;
            this.protectionParameter = null;
            this.sigKey = sigKey;
        }

        /**
         * Base constructor for reading a KeyStore from an InputStream using a public key for validation.
         *
         * @param in InputStream to load KeyStore to.
         * @param sigKey the public key parameter to used to verify the KeyStore.
         */
        public Builder(InputStream in, PublicKey sigKey)
        {
            this.in = in;
            this.out = null;
            this.protectionParameter = null;
            this.sigKey = sigKey;
        }

        /**
         * Base constructor for reading a KeyStore from an InputStream using validation based on
         * encapsulated certificates in the KeyStore data.
         *
         * @param in InputStream to load KeyStore to.
         * @param validator the certificate chain validator to check the signing certificates.
         */
        public Builder(InputStream in, CertChainValidator validator)
        {
            this.in = in;
            this.out = null;
            this.protectionParameter = null;
            this.validator = validator;
            this.sigKey = null;
        }

        /**
         * Base constructor for reading a KeyStore from an InputStream using a password.
         *
         * @param in InputStream to read the KeyStore from.
         * @param password the password used to protect the KeyStore.
         */
        public Builder(InputStream in, char[] password)
        {
            this(in, new KeyStore.PasswordProtection(password));
        }

        /**
         * Base constructor for reading a KeyStore from an InputStream using a password.
         *
         * @param in InputStream to read the KeyStore from.
         * @param protectionParameter  the protection parameter used to protect the KeyStore.
         */
        public Builder(InputStream in, KeyStore.ProtectionParameter protectionParameter)
        {
            this.in = in;
            this.out = null;
            this.protectionParameter = protectionParameter;
            this.sigKey = null;
        }

        /**
         * Configure the PBKDF to use for protecting the KeyStore.
         *
         * @param storeConfig the PBKDF config to use for protecting the KeyStore.
         * @return the current Builder instance.
         */
        public Builder withStorePBKDFConfig(PBKDFConfig storeConfig)
        {
            this.storeConfig = storeConfig;
            return this;
        }

        /**
         * Configure the encryption algorithm to use for protecting the KeyStore and its keys.
         *
         * @param encAlg the PBKDF config to use for protecting the KeyStore and its keys.
         * @return the current Builder instance.
         */
        public Builder withStoreEncryptionAlgorithm(EncryptionAlgorithm encAlg)
        {
            this.encAlg = encAlg;
            return this;
        }

        /**
         * Configure the MAC algorithm to use for protecting the KeyStore.
         *
         * @param macAlg the PBKDF config to use for protecting the KeyStore.
         * @return the current Builder instance.
         */
        public Builder withStoreMacAlgorithm(MacAlgorithm macAlg)
        {
            this.macAlg = macAlg;
            return this;
        }


        /**
         * Add a valid certificate chain where certs[0] is the end-entity matching the
         * private key we are using to sign the key store.
         *
         * @param certs an array of X509 certificates.
         * @return the current Builder instance.
         */
        public Builder withCertificates(X509Certificate[] certs)
        {
            X509Certificate[] tmp = new X509Certificate[certs.length];
            System.arraycopy(certs, 0, tmp, 0, tmp.length);
            this.certs = tmp;

            return this;
        }

        /**
         * Configure the signature algorithm to use for protecting the KeyStore.
         *
         * @param sigAlg the signature config to use for protecting the KeyStore.
         * @return the current Builder instance.
         */
        public Builder withStoreSignatureAlgorithm(SignatureAlgorithm sigAlg)
        {
            this.sigAlg = sigAlg;

            return this;
        }

        /**
         * Build and return a BCFKSLoadStoreParameter.
         *
         * @return a new BCFKSLoadStoreParameter.
         */
        public BCFKSLoadStoreParameter build()
        {
            return new BCFKSLoadStoreParameter(this);
        }
    }

    private final PBKDFConfig storeConfig;
    private final EncryptionAlgorithm encAlg;
    private final MacAlgorithm macAlg;
    private final SignatureAlgorithm sigAlg;
    private final Key sigKey;
    private final X509Certificate[] certificates;
    private final CertChainValidator validator;

    private BCFKSLoadStoreParameter(Builder bldr)
    {
        super(bldr.in, bldr.out, bldr.protectionParameter);

        this.storeConfig = bldr.storeConfig;
        this.encAlg = bldr.encAlg;
        this.macAlg = bldr.macAlg;
        this.sigAlg = bldr.sigAlg;
        this.sigKey = bldr.sigKey;
        this.certificates = bldr.certs;
        this.validator = bldr.validator;
    }

    /**
     * Return the PBKDF used for generating the HMAC and store encryption keys.
     *
     * @return the PBKDF to use for deriving HMAC and store encryption keys.
     */
    public PBKDFConfig getStorePBKDFConfig()
    {
        return storeConfig;
    }

    /**
     * Return encryption algorithm used to secure the store and its entries.
     *
     * @return the encryption algorithm to use.
     */
    public EncryptionAlgorithm getStoreEncryptionAlgorithm()
    {
        return encAlg;
    }

    /**
     * Return mac algorithm used to protect the integrity of the store and its contents.
     *
     * @return the mac algorithm to use.
     */
    public MacAlgorithm getStoreMacAlgorithm()
    {
        return macAlg;
    }

    /**
     * Return signature algorithm used to protect the integrity of the store and its contents.
     *
     * @return the signature algorithm to use.
     */
    public SignatureAlgorithm getStoreSignatureAlgorithm()
    {
        return sigAlg;
    }

    public Key getStoreSignatureKey()
    {
        return sigKey;
    }

    public X509Certificate[] getStoreCertificates()
    {
        return certificates;
    }

    public CertChainValidator getCertChainValidator()
    {
        return validator;
    }
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy