com.ls.lars.security
Class PKIHandler

java.lang.Object
  |
  +--com.ls.lars.security.PKIHandler
All Implemented Interfaces:
IPKIHandler

public class PKIHandler
extends Object
implements IPKIHandler

This class gives the possibility to handle easily the Public Key Infrastructe (PKI) in a LARS environment. It uses basically the methods of IPKIUtil and adds the special requirements of the LARS environment. Beside the LARS Agents this class is also usable by Applets to communicate with LARS Agents.

Version:
$Revision: 1.10 $
Author:
Last modified by $Author: MFehrenbach $

Fields inherited from interface com.ls.lars.security.IPKIHandler
DATA_KEYS, DECRYPT, DECRYPT_VERIFY, ENCRYPT, ENCRYPTED, PKI_TYPES, SIGN, SIGN_ENCRYPT, SIGNATURE, VERIFY, VERIFY_FLAG, VERIFY_FLAG_FAILED, VERIFY_FLAG_SUCCESS, VERIFY_MESSAGE
 
Constructor Summary
PKIHandler()
          standard constructor
 
Method Summary
 void checkTheValidityOfCachedCertificate(byte[] oneCachedCertificate)
          Takes a byte array representation of a certificate, and checks it agains the current date.
 Map decryptMessage(Map contentMap)
          Decrypts a Message.
 Message decryptMessage(Message currentMessage)
          Decrypts a message.
 Message doReceivingPKIHandling(Message currentMessage)
          Does the PKI handling for incoming messages (decrypting and/or validating signatures of the given message-content).
 Message doSendingPKIHandling(Message currentMessage)
          Does the PKI handling for incoming messages (signing and/or encrypting of the given message-content).
 Map encryptMessage(Map contentHash, List dataKeys, byte[] publicKeyCertificate)
          encrypts the content or parts of the content of a message
 Map encryptMessage(Map contentHash, List dataKeys, String keyID)
          encrypts a message
 Message encryptMessage(Message currentMessage, List dataKeys)
          Encrypts a Message.
protected  byte[] getForeignPublicKeyCertificate(String keyID)
          Gets a certain public key certificate from the cache.
 ArrayList getInvalidPublicKeyCertificates(HashMap publicKeyCertificateCache)
          Gets the list of keys whose certificates are no longer valid.
 Date getNextCRLUpdateDate()
          Returns the date of next CRL update.
 byte[] getOwnPublicKeyCertificate()
          gets the PublicKey Certificate as byte-array.
 byte[] getPKICertificate(Map userData)
          Gets a certificate of a user.
 String getRegisteredPKIMessages()
          Gets all before registered message-services for trace-purposes.
 void setForeignPublicKeyCertificate(String keyID, String certificateFileName, String directoryName)
          Sets a Foreign Public Key Certificate.
 void setOwnPublicKeyCertificate(String certificateFileName, String directoryName)
          Sets the Public Key Certificate, Be aware: you cannot reset the own public key certificate after set it once!
 void setPKIMessage(String service, Integer pkiType, List dataKeys)
          Sets a message-service which later have to be signed, verified, encrypted, decrypted, signed and encrypted, and decrypted and verified (controlled by the pkiType).
 void setPKIProvider(String className)
          Loads the PKI-Provider by the given className.
 void setPrivateKey(String privateKeyFileName, String directoryName, String password)
          Sets the Private Key which is later used to encrypt or to sign data.
 void setPublicPKIServer(Map publicPKIServerParameters)
          Sets the parameters to get certificates/ public keys from a public PKI Server.
 Map signMessage(Map contentHash, List dataKeys)
          signs a message
 Message signMessage(Message currentMessage, List dataKeys)
          Signs a Message.
 Map verifyMessage(Map contentHash, byte[] publicKeyCertificate)
          Verifies a Message.
 Map verifyMessage(Map contentHash, String keyID)
          Verifies a message.
 Message verifyMessage(Message currentMessage)
          Verifies a Message.
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

PKIHandler

public PKIHandler()
standard constructor
Method Detail

setPKIProvider

public void setPKIProvider(String className)
                    throws InvalidArgumentException,
                           BaseRuntimeException
Loads the PKI-Provider by the given className. The class must be accessible through the classpath.
Specified by:
setPKIProvider in interface IPKIHandler
Parameters:
className - the class-name of the wanted PKI-Provider (e.g. "com.ls.pki.BaltimorePKIUtil")
Throws:
InvalidArgumentException - If a uncorrect Argument caused an error
BaseRuntimeException - If something else goes wrong

setPrivateKey

public void setPrivateKey(String privateKeyFileName,
                          String directoryName,
                          String password)
                   throws InvalidArgumentException,
                          PKIBaseException
Sets the Private Key which is later used to encrypt or to sign data. Be aware: you cannot reset the private key after set it once!
Specified by:
setPrivateKey in interface IPKIHandler
Parameters:
privateKeyFileName - the file name of one's private key
directoryName - the directory name where the private key file resides.
password - the password to activate one's private key
Throws:
InvalidArgumentException - If an uncorrect argument caused an error
PKIBaseException - If a PKI error occurs

setOwnPublicKeyCertificate

public void setOwnPublicKeyCertificate(String certificateFileName,
                                       String directoryName)
                                throws InvalidArgumentException,
                                       PKIBaseException
Sets the Public Key Certificate, Be aware: you cannot reset the own public key certificate after set it once!
Specified by:
setOwnPublicKeyCertificate in interface IPKIHandler
Parameters:
certificateFileName - the file name of one's certificate (contains the public key)
directoryName - the directory name where the certificate file resides.
Throws:
InvalidArgumentException - If a uncorrect Argument caused an error
PKIBaseException - If something else goes wrong

getOwnPublicKeyCertificate

public byte[] getOwnPublicKeyCertificate()
                                  throws PKIBaseException
gets the PublicKey Certificate as byte-array. Before using this mehtod the public has to be set by method "setOwnPublicKeyCertificate".
Specified by:
getOwnPublicKeyCertificate in interface IPKIHandler
Returns:
the own PublicKey Certificate
Throws:
PKIBaseException - If a PKI error occurs (e.g. PublicKey Certificate wasn't set before)

setForeignPublicKeyCertificate

public void setForeignPublicKeyCertificate(String keyID,
                                           String certificateFileName,
                                           String directoryName)
                                    throws InvalidArgumentException,
                                           PKIBaseException
Sets a Foreign Public Key Certificate. Loads it from the File-System and put it into the PublicKeyCache.
Specified by:
setForeignPublicKeyCertificate in interface IPKIHandler
Parameters:
keyID - the id to access the public key certificate from the PublicKeyCache
certificateFileName - the file name of one's certificate (contains the public key)
directoryName - the directory name where the certificate file resides.
Throws:
InvalidArgumentException - If a uncorrect Argument caused an error
PKIBaseException - If a PKI error occurs

setPKIMessage

public void setPKIMessage(String service,
                          Integer pkiType,
                          List dataKeys)
                   throws InvalidArgumentException
Sets a message-service which later have to be signed, verified, encrypted, decrypted, signed and encrypted, and decrypted and verified (controlled by the pkiType).
Specified by:
setPKIMessage in interface IPKIHandler
Parameters:
service - the message-service
pkiType - controls what happens later with the corresponding service.
dataKeys - to specify which keys must be handled by the PKI-handler (only necessary for enryption and signing, if not specified (null) all contentHash-keys will be handled)
Throws:
InvalidArgumentException - If a uncorrect Argument caused an error -> pkiType doesn't exist or service already set

getRegisteredPKIMessages

public String getRegisteredPKIMessages()
Gets all before registered message-services for trace-purposes.
Specified by:
getRegisteredPKIMessages in interface IPKIHandler
Returns:
already set pki-services

doSendingPKIHandling

public Message doSendingPKIHandling(Message currentMessage)
                             throws PKIBaseException
Does the PKI handling for incoming messages (signing and/or encrypting of the given message-content).

PKI handling means:

Specified by:
doSendingPKIHandling in interface IPKIHandler
Parameters:
currentMessage - the original current message
Returns:
the modified message
Throws:
PKIBaseException - If a PKI error occurs

signMessage

public Message signMessage(Message currentMessage,
                           List dataKeys)
                    throws PKIBaseException
Signs a Message. This is a wrapper-method which gets the Map contentHash out of the com.ls.lars.Message
Parameters:
currentMessage - the original current message
dataKeys - the List of data-keys which have to be signed
Returns:
the modified current message
Throws:
PKIBaseException - If a PKI error occurs or the given message does not contain a Map as content

signMessage

public Map signMessage(Map contentHash,
                       List dataKeys)
                throws PKIBaseException
signs a message
Parameters:
contentHash - the original contentHash
dataKeys - The List of data-keys which have to be signed. If it is null, all keys in the contentHash are signed.
Returns:
the modified contentHash
Throws:
PKIBaseException - If a PKI error occurs

encryptMessage

public Message encryptMessage(Message currentMessage,
                              List dataKeys)
                       throws PKIBaseException
Encrypts a Message. This is a wrapper-method which gets the Map contentHash and the keyID for the public key certificate out of com.ls.lars.Message
Parameters:
currentMessage - the original current message
dataKeys - the list of data-keys which have to be signed
Returns:
the modified current message
Throws:
PKIBaseException - If a PKI-error occurs or the given message does not contain a Map as content

encryptMessage

public Map encryptMessage(Map contentHash,
                          List dataKeys,
                          String keyID)
                   throws PKIBaseException
encrypts a message
Parameters:
contentHash - the original contentHash
dataKeys - the list of data-keys which have to be signed
keyID - the id to access the public key certificate from the PublicKeyCache
Returns:
the modified contentHash
Throws:
PKIBaseException - If a PKI-error occurs

encryptMessage

public Map encryptMessage(Map contentHash,
                          List dataKeys,
                          byte[] publicKeyCertificate)
                   throws PKIBaseException
encrypts the content or parts of the content of a message
Parameters:
contentHash - the original contentHash
dataKeys - the list of data-keys which have to be signed
publicKeyCertificate - the needed publicKeyCertificate as byte-array
Returns:
the modified contentHash
Throws:
PKIBaseException - If a PKI-error occurs

doReceivingPKIHandling

public Message doReceivingPKIHandling(Message currentMessage)
                               throws PKIBaseException
Does the PKI handling for incoming messages (decrypting and/or validating signatures of the given message-content).

PKI handling means:

Specified by:
doReceivingPKIHandling in interface IPKIHandler
Parameters:
currentMessage - the original current message
Returns:
the modified message
Throws:
PKIBaseException - If a PKI error occurs

decryptMessage

public Message decryptMessage(Message currentMessage)
                       throws PKIBaseException
Decrypts a message. This is a wrapper-method which gets the Map contentHash out of the com.ls.lars.Message.
Parameters:
currentMessage - the current message
Returns:
the modified message
Throws:
PKIBaseException - If a PKI-error occurs

decryptMessage

public Map decryptMessage(Map contentMap)
                   throws PKIBaseException
Decrypts a Message. The contentHash should contain a key encrypted (please use the constant ENCRYPTED). The value of this key is decrypted, XML-parsed and put into the contentHash.
Parameters:
contentMap - contains the data to decrypt
Returns:
map which contains the decrypted data
Throws:
PKIBaseException - If a PKI-error occurs

verifyMessage

public Message verifyMessage(Message currentMessage)
                      throws PKIBaseException
Verifies a Message. This is a wrapper-method which gets the Map contentHash and the keyID for the public key certificate out of com.ls.lars.Message. The contentHash of the message should contain the keys 'signature' (please use constant SIGNATURE) and 'data_keys' (please use constant DATA_KEYS). During the signature verification the keys 'verify_message' (use constant VERIFY_MESSAGE) with a detailed trace message and the key 'verify_flag' (use constant VERIFY_FLAG) which indicates if the verification was successfull or not will be inserted.

Be aware: if the signature verification fails, the message's service is changed to 'signature_not_valid_service'

Parameters:
currentMessage - the original current message
Returns:
the modified current message
Throws:
PKIBaseException - If a PKI-error occurs

verifyMessage

public Map verifyMessage(Map contentHash,
                         String keyID)
                  throws PKIBaseException
Verifies a message. The contentHash of the message should contain the keys 'signature' (please use constant SIGNATURE) and 'data_keys' (please use constant DATA_KEYS). During the signature verification the keys 'verify_message' (use constant VERIFY_MESSAGE) with a detailed trace message and the key 'verify_flag' (use constant VERIFY_FLAG) which indicates if the verification was successfull or not will be inserted.
Parameters:
contentHash - the original contentHash
keyID - the id to access the public key certificate from the PublicKeyCache
Returns:
the modified contentHash
Throws:
PKIBaseException - If a PKI-error occurs

verifyMessage

public Map verifyMessage(Map contentHash,
                         byte[] publicKeyCertificate)
                  throws PKIBaseException
Verifies a Message. The contentHash of the message should contain the keys 'signature' (please use constant SIGNATURE) and 'data_keys' (please use constant DATA_KEYS). During the signature verification the keys 'verify_message' (use constant VERIFY_MESSAGE) with a detailed trace message and the key 'verify_flag' (use constant VERIFY_FLAG) which indicates if the verification was successfull or not will be inserted.
Parameters:
contentHash - the original contentHash
publicKeyCertificate - the needed publicKeyCertificate as byte-array
Returns:
the modified contentHash
Throws:
PKIBaseException - If a PKI-error occurs

getForeignPublicKeyCertificate

protected byte[] getForeignPublicKeyCertificate(String keyID)
                                         throws PKIBaseException,
                                                InvalidArgumentException
Gets a certain public key certificate from the cache. If the key is not cached, a PKIBaseException is thrown. This method should be overwritten to do additional things if there is no public key certificate for the given keyID in the Cache.
Parameters:
keyID - to get the corresponding public key certificate from cache
Returns:
the searched PublicKey Certificate
Throws:
PKIBaseException - if ... never thrown by this implementation
InvalidArgumentException - If the cache hasn't got an entry for the specified keyID

checkTheValidityOfCachedCertificate

public void checkTheValidityOfCachedCertificate(byte[] oneCachedCertificate)
                                         throws PKIBaseException
Takes a byte array representation of a certificate, and checks it agains the current date. If OK, nothing is returned, if not, exception will be thrown. Wrapper for the corresponding method in IPKIUtil.
Specified by:
checkTheValidityOfCachedCertificate in interface IPKIHandler
Parameters:
oneCachedCertificate - a byte array representation of a certificate
Throws:
PKIBaseException - If the certificate's validity has expired or if it will be valid in future, but not now

setPublicPKIServer

public void setPublicPKIServer(Map publicPKIServerParameters)
                        throws PKIBaseException,
                               InvalidArgumentException
Sets the parameters to get certificates/ public keys from a public PKI Server. Wrapper for the corresponding method in IPKIUtil.
Specified by:
setPublicPKIServer in interface IPKIHandler
Parameters:
publicPKIServerParameters - Map which contains the needed Parameters (needed parameters for Baltimore: String hostName, String port, String userNamePKIServer, String passwordPKIServer, String CACertificateFileName, String directoryName)
Throws:
PKIBaseException - If a PKI-error occurs
InvalidArgumentException - If publicPKIServerParameters isn't correctly filled

getPKICertificate

public byte[] getPKICertificate(Map userData)
                         throws PKIBaseException,
                                InvalidArgumentException
Gets a certificate of a user. The user is specified within the given userData-HashMap. Before the method setPublicPKIServer(...) has to be called. Wrapper for the corresponding method in IPKIUtil.
Specified by:
getPKICertificate in interface IPKIHandler
Parameters:
userData - contains the needed userData to specify the user. For instance CN=John Smith,OU=Development,O=Living Systems,C=DE.
Returns:
IPKIUtil.getPKICertificate(Map)
Throws:
PKIBaseException - If a PKI-error occurs
InvalidArgumentException - If thrown by this.pkiUtil.getPKICertificate(userData)
See Also:
setPKIProvider(java.lang.String)

getInvalidPublicKeyCertificates

public ArrayList getInvalidPublicKeyCertificates(HashMap publicKeyCertificateCache)
                                          throws PKIBaseException
Gets the list of keys whose certificates are no longer valid. This method can only be called after the LDAP server parameters have been set. Wrapper for the corresponding method in IPKIUtil.
Specified by:
getInvalidPublicKeyCertificates in interface IPKIHandler
Parameters:
publicKeyCertificateCache - the cache of public key certificate
Returns:
a list of keys whose certificates are no longer valid (IPKIUtil.getInvalidPublicKeyCertificates(java.util.HashMap)
Throws:
PKIBaseException - If a PKI-error occurs
See Also:
setPKIProvider(java.lang.String)

getNextCRLUpdateDate

public Date getNextCRLUpdateDate()
                          throws PKIBaseException
Returns the date of next CRL update. Wrapper for the corresponding method in IPKIUtil.
Specified by:
getNextCRLUpdateDate in interface IPKIHandler
Returns:
IPKIUtil.getNextCRLUpdateDate()
Throws:
PKIBaseException - If LDAP exception happens
See Also:
setPKIProvider(java.lang.String)