com.ls.lars.security
Class PKIHandler

java.lang.Object
  |
  +--com.ls.lars.security.PKIHandler

All Implemented Interfaces:

IPKIHandler

public class PKIHandler

extends Object

implements IPKIHandler

This class gives the possibility to handle easily the Public Key Infrastructe (PKI) in a LARS environment. It uses basically the methods of IPKIUtil and adds the special requirements of the LARS environment. Beside the LARS Agents this class is also usable by Applets to communicate with LARS Agents.

Version:

$Revision: 1.10 $

Author:

Last modified by $Author: MFehrenbach $

Fields inherited from interface com.ls.lars.security.IPKIHandler

DATA_KEYS, DECRYPT, DECRYPT_VERIFY, ENCRYPT, ENCRYPTED, PKI_TYPES, SIGN, SIGN_ENCRYPT, SIGNATURE, VERIFY, VERIFY_FLAG, VERIFY_FLAG_FAILED, VERIFY_FLAG_SUCCESS, VERIFY_MESSAGE

Constructor Summary

PKIHandler()
standard constructor

Method Summary

void	checkTheValidityOfCachedCertificate(byte[] oneCachedCertificate) Takes a byte array representation of a certificate, and checks it agains the current date.
Map	decryptMessage(Map contentMap) Decrypts a Message.
Message	decryptMessage(Message currentMessage) Decrypts a message.
Message	doReceivingPKIHandling(Message currentMessage) Does the PKI handling for incoming messages (decrypting and/or validating signatures of the given message-content).
Message	doSendingPKIHandling(Message currentMessage) Does the PKI handling for incoming messages (signing and/or encrypting of the given message-content).
Map	encryptMessage(Map contentHash, List dataKeys, byte[] publicKeyCertificate) encrypts the content or parts of the content of a message
Map	encryptMessage(Map contentHash, List dataKeys, String keyID) encrypts a message
Message	encryptMessage(Message currentMessage, List dataKeys) Encrypts a Message.
protected byte[]	getForeignPublicKeyCertificate(String keyID) Gets a certain public key certificate from the cache.
ArrayList	getInvalidPublicKeyCertificates(HashMap publicKeyCertificateCache) Gets the list of keys whose certificates are no longer valid.
Date	getNextCRLUpdateDate() Returns the date of next CRL update.
byte[]	getOwnPublicKeyCertificate() gets the PublicKey Certificate as byte-array.
byte[]	getPKICertificate(Map userData) Gets a certificate of a user.
String	getRegisteredPKIMessages() Gets all before registered message-services for trace-purposes.
void	setForeignPublicKeyCertificate(String keyID, String certificateFileName, String directoryName) Sets a Foreign Public Key Certificate.
void	setOwnPublicKeyCertificate(String certificateFileName, String directoryName) Sets the Public Key Certificate, Be aware: you cannot reset the own public key certificate after set it once!
void	setPKIMessage(String service, Integer pkiType, List dataKeys) Sets a message-service which later have to be signed, verified, encrypted, decrypted, signed and encrypted, and decrypted and verified (controlled by the pkiType).
void	setPKIProvider(String className) Loads the PKI-Provider by the given className.
void	setPrivateKey(String privateKeyFileName, String directoryName, String password) Sets the Private Key which is later used to encrypt or to sign data.
void	setPublicPKIServer(Map publicPKIServerParameters) Sets the parameters to get certificates/ public keys from a public PKI Server.
Map	signMessage(Map contentHash, List dataKeys) signs a message
Message	signMessage(Message currentMessage, List dataKeys) Signs a Message.
Map	verifyMessage(Map contentHash, byte[] publicKeyCertificate) Verifies a Message.
Map	verifyMessage(Map contentHash, String keyID) Verifies a message.
Message	verifyMessage(Message currentMessage) Verifies a Message.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

PKIHandler

public PKIHandler()

standard constructor

Method Detail

setPKIProvider

public void setPKIProvider(String className)
                    throws InvalidArgumentException,
                           BaseRuntimeException

Loads the PKI-Provider by the given className. The class must be accessible through the classpath.

Specified by:

setPKIProvider in interface IPKIHandler

Parameters:

className - the class-name of the wanted PKI-Provider (e.g. "com.ls.pki.BaltimorePKIUtil")

Throws:

InvalidArgumentException - If a uncorrect Argument caused an error

BaseRuntimeException - If something else goes wrong

setPrivateKey

public void setPrivateKey(String privateKeyFileName,
                          String directoryName,
                          String password)
                   throws InvalidArgumentException,
                          PKIBaseException

Sets the Private Key which is later used to encrypt or to sign data. Be aware: you cannot reset the private key after set it once!

Specified by:

setPrivateKey in interface IPKIHandler

Parameters:

privateKeyFileName - the file name of one's private key

directoryName - the directory name where the private key file resides.

password - the password to activate one's private key

Throws:

InvalidArgumentException - If an uncorrect argument caused an error

PKIBaseException - If a PKI error occurs

setOwnPublicKeyCertificate

public void setOwnPublicKeyCertificate(String certificateFileName,
                                       String directoryName)
                                throws InvalidArgumentException,
                                       PKIBaseException

Sets the Public Key Certificate, Be aware: you cannot reset the own public key certificate after set it once!

Specified by:

setOwnPublicKeyCertificate in interface IPKIHandler

Parameters:

certificateFileName - the file name of one's certificate (contains the public key)

directoryName - the directory name where the certificate file resides.

Throws:

InvalidArgumentException - If a uncorrect Argument caused an error

PKIBaseException - If something else goes wrong

getOwnPublicKeyCertificate

public byte[] getOwnPublicKeyCertificate()
                                  throws PKIBaseException

gets the PublicKey Certificate as byte-array. Before using this mehtod the public has to be set by method "setOwnPublicKeyCertificate".

Specified by:

getOwnPublicKeyCertificate in interface IPKIHandler

Returns:

the own PublicKey Certificate

Throws:

PKIBaseException - If a PKI error occurs (e.g. PublicKey Certificate wasn't set before)

setForeignPublicKeyCertificate

public void setForeignPublicKeyCertificate(String keyID,
                                           String certificateFileName,
                                           String directoryName)
                                    throws InvalidArgumentException,
                                           PKIBaseException

Sets a Foreign Public Key Certificate. Loads it from the File-System and put it into the PublicKeyCache.

Specified by:

setForeignPublicKeyCertificate in interface IPKIHandler

Parameters:

keyID - the id to access the public key certificate from the PublicKeyCache

certificateFileName - the file name of one's certificate (contains the public key)

directoryName - the directory name where the certificate file resides.

Throws:

InvalidArgumentException - If a uncorrect Argument caused an error

PKIBaseException - If a PKI error occurs

setPKIMessage

public void setPKIMessage(String service,
                          Integer pkiType,
                          List dataKeys)
                   throws InvalidArgumentException

Sets a message-service which later have to be signed, verified, encrypted, decrypted, signed and encrypted, and decrypted and verified (controlled by the pkiType).

Specified by:

setPKIMessage in interface IPKIHandler

Parameters:

service - the message-service

pkiType - controls what happens later with the corresponding service.

dataKeys - to specify which keys must be handled by the PKI-handler (only necessary for enryption and signing, if not specified (null) all contentHash-keys will be handled)

Throws:

InvalidArgumentException - If a uncorrect Argument caused an error -> pkiType doesn't exist or service already set

getRegisteredPKIMessages

public String getRegisteredPKIMessages()

Gets all before registered message-services for trace-purposes.

Specified by:

getRegisteredPKIMessages in interface IPKIHandler

Returns:

already set pki-services

doSendingPKIHandling

public Message doSendingPKIHandling(Message currentMessage)
                             throws PKIBaseException

Does the PKI handling for incoming messages (signing and/or encrypting of the given message-content).

PKI handling means:

• check whether the current service has to be handled
• doing the PKI-handling if necessary
• returning of the modified message (which is actually the reference on the given message)

Specified by:

doSendingPKIHandling in interface IPKIHandler

Parameters:

currentMessage - the original current message

Returns:

the modified message

Throws:

PKIBaseException - If a PKI error occurs

signMessage

public Message signMessage(Message currentMessage,
                           List dataKeys)
                    throws PKIBaseException

Signs a Message. This is a wrapper-method which gets the Map contentHash out of the com.ls.lars.Message

Parameters:

currentMessage - the original current message

dataKeys - the List of data-keys which have to be signed

Returns:

the modified current message

Throws:

PKIBaseException - If a PKI error occurs or the given message does not contain a Map as content

signMessage

public Map signMessage(Map contentHash,
                       List dataKeys)
                throws PKIBaseException

signs a message

Parameters:

contentHash - the original contentHash

dataKeys - The List of data-keys which have to be signed. If it is null, all keys in the contentHash are signed.

Returns:

the modified contentHash

Throws:

PKIBaseException - If a PKI error occurs

encryptMessage

public Message encryptMessage(Message currentMessage,
                              List dataKeys)
                       throws PKIBaseException

Encrypts a Message. This is a wrapper-method which gets the Map contentHash and the keyID for the public key certificate out of com.ls.lars.Message

Parameters:

currentMessage - the original current message

dataKeys - the list of data-keys which have to be signed

Returns:

the modified current message

Throws:

PKIBaseException - If a PKI-error occurs or the given message does not contain a Map as content

encryptMessage

public Map encryptMessage(Map contentHash,
                          List dataKeys,
                          String keyID)
                   throws PKIBaseException

encrypts a message

Parameters:

contentHash - the original contentHash

dataKeys - the list of data-keys which have to be signed

keyID - the id to access the public key certificate from the PublicKeyCache

Returns:

the modified contentHash

Throws:

PKIBaseException - If a PKI-error occurs

encryptMessage

public Map encryptMessage(Map contentHash,
                          List dataKeys,
                          byte[] publicKeyCertificate)
                   throws PKIBaseException

encrypts the content or parts of the content of a message

Parameters:

contentHash - the original contentHash

dataKeys - the list of data-keys which have to be signed

publicKeyCertificate - the needed publicKeyCertificate as byte-array

Returns:

the modified contentHash

Throws:

PKIBaseException - If a PKI-error occurs

doReceivingPKIHandling

public Message doReceivingPKIHandling(Message currentMessage)
                               throws PKIBaseException

Does the PKI handling for incoming messages (decrypting and/or validating signatures of the given message-content).

PKI handling means:

• check whether the current service has to be handled
• doing the PKI-handling if necessary
• returning of the modified message (which is actually the reference on the given message)

Specified by:

doReceivingPKIHandling in interface IPKIHandler

Parameters:

currentMessage - the original current message

Returns:

the modified message

Throws:

PKIBaseException - If a PKI error occurs

decryptMessage

public Message decryptMessage(Message currentMessage)
                       throws PKIBaseException

Decrypts a message. This is a wrapper-method which gets the Map contentHash out of the com.ls.lars.Message.

Parameters:

currentMessage - the current message

Returns:

the modified message

Throws:

PKIBaseException - If a PKI-error occurs

decryptMessage

public Map decryptMessage(Map contentMap)
                   throws PKIBaseException

Decrypts a Message. The contentHash should contain a key encrypted (please use the constant ENCRYPTED). The value of this key is decrypted, XML-parsed and put into the contentHash.

Parameters:

contentMap - contains the data to decrypt

Returns:

map which contains the decrypted data

Throws:

PKIBaseException - If a PKI-error occurs

verifyMessage

public Message verifyMessage(Message currentMessage)
                      throws PKIBaseException

Verifies a Message. This is a wrapper-method which gets the Map contentHash and the keyID for the public key certificate out of com.ls.lars.Message. The contentHash of the message should contain the keys 'signature' (please use constant SIGNATURE) and 'data_keys' (please use constant DATA_KEYS). During the signature verification the keys 'verify_message' (use constant VERIFY_MESSAGE) with a detailed trace message and the key 'verify_flag' (use constant VERIFY_FLAG) which indicates if the verification was successfull or not will be inserted.

Be aware: if the signature verification fails, the message's service is changed to 'signature_not_valid_service'

Parameters:

currentMessage - the original current message

Returns:

the modified current message

Throws:

PKIBaseException - If a PKI-error occurs

verifyMessage

public Map verifyMessage(Map contentHash,
                         String keyID)
                  throws PKIBaseException

Verifies a message. The contentHash of the message should contain the keys 'signature' (please use constant SIGNATURE) and 'data_keys' (please use constant DATA_KEYS). During the signature verification the keys 'verify_message' (use constant VERIFY_MESSAGE) with a detailed trace message and the key 'verify_flag' (use constant VERIFY_FLAG) which indicates if the verification was successfull or not will be inserted.

Parameters:

contentHash - the original contentHash

keyID - the id to access the public key certificate from the PublicKeyCache

Returns:

the modified contentHash

Throws:

PKIBaseException - If a PKI-error occurs

verifyMessage

public Map verifyMessage(Map contentHash,
                         byte[] publicKeyCertificate)
                  throws PKIBaseException

Verifies a Message. The contentHash of the message should contain the keys 'signature' (please use constant SIGNATURE) and 'data_keys' (please use constant DATA_KEYS). During the signature verification the keys 'verify_message' (use constant VERIFY_MESSAGE) with a detailed trace message and the key 'verify_flag' (use constant VERIFY_FLAG) which indicates if the verification was successfull or not will be inserted.

Parameters:

contentHash - the original contentHash

publicKeyCertificate - the needed publicKeyCertificate as byte-array

Returns:

the modified contentHash

Throws:

PKIBaseException - If a PKI-error occurs

getForeignPublicKeyCertificate

protected byte[] getForeignPublicKeyCertificate(String keyID)
                                         throws PKIBaseException,
                                                InvalidArgumentException

Gets a certain public key certificate from the cache. If the key is not cached, a PKIBaseException is thrown. This method should be overwritten to do additional things if there is no public key certificate for the given keyID in the Cache.

Parameters:

keyID - to get the corresponding public key certificate from cache

Returns:

the searched PublicKey Certificate

Throws:

PKIBaseException - if ... never thrown by this implementation

InvalidArgumentException - If the cache hasn't got an entry for the specified keyID

checkTheValidityOfCachedCertificate

public void checkTheValidityOfCachedCertificate(byte[] oneCachedCertificate)
                                         throws PKIBaseException

Takes a byte array representation of a certificate, and checks it agains the current date. If OK, nothing is returned, if not, exception will be thrown. Wrapper for the corresponding method in IPKIUtil.

Specified by:

checkTheValidityOfCachedCertificate in interface IPKIHandler

Parameters:

oneCachedCertificate - a byte array representation of a certificate

Throws:

PKIBaseException - If the certificate's validity has expired or if it will be valid in future, but not now

setPublicPKIServer

public void setPublicPKIServer(Map publicPKIServerParameters)
                        throws PKIBaseException,
                               InvalidArgumentException

Sets the parameters to get certificates/ public keys from a public PKI Server. Wrapper for the corresponding method in IPKIUtil.

Specified by:

setPublicPKIServer in interface IPKIHandler

Parameters:

publicPKIServerParameters - Map which contains the needed Parameters (needed parameters for Baltimore: String hostName, String port, String userNamePKIServer, String passwordPKIServer, String CACertificateFileName, String directoryName)

Throws:

PKIBaseException - If a PKI-error occurs

InvalidArgumentException - If publicPKIServerParameters isn't correctly filled

getPKICertificate

public byte[] getPKICertificate(Map userData)
                         throws PKIBaseException,
                                InvalidArgumentException

Gets a certificate of a user. The user is specified within the given userData-HashMap. Before the method setPublicPKIServer(...) has to be called. Wrapper for the corresponding method in IPKIUtil.

Specified by:

getPKICertificate in interface IPKIHandler

Parameters:

userData - contains the needed userData to specify the user. For instance CN=John Smith,OU=Development,O=Living Systems,C=DE.

Returns:

IPKIUtil.getPKICertificate(Map)

Throws:

PKIBaseException - If a PKI-error occurs

InvalidArgumentException - If thrown by this.pkiUtil.getPKICertificate(userData)

See Also:

setPKIProvider(java.lang.String)

getInvalidPublicKeyCertificates

public ArrayList getInvalidPublicKeyCertificates(HashMap publicKeyCertificateCache)
                                          throws PKIBaseException

Gets the list of keys whose certificates are no longer valid. This method can only be called after the LDAP server parameters have been set. Wrapper for the corresponding method in IPKIUtil.

Specified by:

getInvalidPublicKeyCertificates in interface IPKIHandler

Parameters:

publicKeyCertificateCache - the cache of public key certificate

Returns:

a list of keys whose certificates are no longer valid (IPKIUtil.getInvalidPublicKeyCertificates(java.util.HashMap)

Throws:

PKIBaseException - If a PKI-error occurs

See Also:

setPKIProvider(java.lang.String)

getNextCRLUpdateDate

public Date getNextCRLUpdateDate()
                          throws PKIBaseException

Returns the date of next CRL update. Wrapper for the corresponding method in IPKIUtil.

Specified by:

getNextCRLUpdateDate in interface IPKIHandler

Returns:

IPKIUtil.getNextCRLUpdateDate()

Throws:

PKIBaseException - If LDAP exception happens

See Also:

setPKIProvider(java.lang.String)