Java源码示例:com.google.api.client.util.SecurityUtils
示例1
/**
* Verifies the signature of the content.
*
* <p>Currently only {@code "RS256"} and {@code "ES256"} algorithms are verified, but others may
* be added in the future. For any other algorithm it returns {@code false}.
*
* @param publicKey public key
* @return whether the algorithm is recognized and it is verified
* @throws GeneralSecurityException
*/
public final boolean verifySignature(PublicKey publicKey) throws GeneralSecurityException {
String algorithm = getHeader().getAlgorithm();
if ("RS256".equals(algorithm)) {
return SecurityUtils.verify(
SecurityUtils.getSha256WithRsaSignatureAlgorithm(),
publicKey,
signatureBytes,
signedContentBytes);
} else if ("ES256".equals(algorithm)) {
return SecurityUtils.verify(
SecurityUtils.getEs256SignatureAlgorithm(),
publicKey,
DerEncoder.encode(signatureBytes),
signedContentBytes);
} else {
return false;
}
}
示例2
/**
* Signs a given JWS header and payload based on the given private key using RSA and SHA-256 as
* described in <a
* href="http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-11#appendix-A.2">JWS using
* RSA SHA-256</a>.
*
* @param privateKey private key
* @param jsonFactory JSON factory
* @param header JWS header
* @param payload JWS payload
* @return signed JWS string
* @since 1.14 (since 1.7 as com.google.api.client.auth.jsontoken.RsaSHA256Signer)
*/
public static String signUsingRsaSha256(
PrivateKey privateKey,
JsonFactory jsonFactory,
JsonWebSignature.Header header,
JsonWebToken.Payload payload)
throws GeneralSecurityException, IOException {
String content =
Base64.encodeBase64URLSafeString(jsonFactory.toByteArray(header))
+ "."
+ Base64.encodeBase64URLSafeString(jsonFactory.toByteArray(payload));
byte[] contentBytes = StringUtils.getBytesUtf8(content);
byte[] signature =
SecurityUtils.sign(
SecurityUtils.getSha256WithRsaSignatureAlgorithm(), privateKey, contentBytes);
return content + "." + Base64.encodeBase64URLSafeString(signature);
}
示例3
public static GoogleCredential buildCredential(CloudCredential gcpCredential, HttpTransport httpTransport) throws IOException, GeneralSecurityException {
String credentialJson = getServiceAccountCredentialJson(gcpCredential);
if (isNotEmpty(credentialJson)) {
return GoogleCredential.fromStream(new ByteArrayInputStream(Base64.decodeBase64(credentialJson)), httpTransport, JSON_FACTORY)
.createScoped(SCOPES);
} else {
try {
PrivateKey pk = SecurityUtils.loadPrivateKeyFromKeyStore(SecurityUtils.getPkcs12KeyStore(),
new ByteArrayInputStream(Base64.decodeBase64(getServiceAccountPrivateKey(gcpCredential))), "notasecret", "privatekey", "notasecret");
return new GoogleCredential.Builder().setTransport(httpTransport)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId(getServiceAccountId(gcpCredential))
.setServiceAccountScopes(SCOPES)
.setServiceAccountPrivateKey(pk)
.build();
} catch (IOException e) {
throw new CredentialVerificationException("Can not read private key", e);
}
}
}
示例4
@Override
public byte[] sign(byte[] payload) throws IOException {
try {
return SecurityUtils.sign(SecurityUtils.getSha256WithRsaSignatureAlgorithm(),
privateKey, payload);
} catch (GeneralSecurityException e) {
throw new IOException(e);
}
}
示例5
/**
* {@link Beta} <br>
* Verifies the signature of the content using the certificate chain embedded in the signature.
*
* <p>Currently only {@code "RS256"} and {@code "ES256"} algorithms are verified, but others may
* be added in the future. For any other algorithm it returns {@code null}.
*
* <p>The leaf certificate of the certificate chain must be an SSL server certificate.
*
* @param trustManager trust manager used to verify the X509 certificate chain embedded in this
* message
* @return the signature certificate if the signature could be verified, null otherwise
* @throws GeneralSecurityException
* @since 1.19.1
*/
@Beta
public final X509Certificate verifySignature(X509TrustManager trustManager)
throws GeneralSecurityException {
List<String> x509Certificates = getHeader().getX509Certificates();
if (x509Certificates == null || x509Certificates.isEmpty()) {
return null;
}
String algorithm = getHeader().getAlgorithm();
if ("RS256".equals(algorithm)) {
return SecurityUtils.verify(
SecurityUtils.getSha256WithRsaSignatureAlgorithm(),
trustManager,
x509Certificates,
signatureBytes,
signedContentBytes);
} else if ("ES256".equals(algorithm)) {
return SecurityUtils.verify(
SecurityUtils.getEs256SignatureAlgorithm(),
trustManager,
x509Certificates,
DerEncoder.encode(signatureBytes),
signedContentBytes);
} else {
return null;
}
}
示例6
public static Analytics buildClient(GoogleAnalytics googleAnalytics) {
Analytics analytics;
try {
PrivateKey privateKey= SecurityUtils.loadPrivateKeyFromKeyStore(
SecurityUtils.getPkcs12KeyStore(), new ByteArrayInputStream(googleAnalytics.getServiceAccountP12FileContent()),
"notasecret", "privatekey", "notasecret");
HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
JsonFactory jsonFactory = JacksonFactory.getDefaultInstance();
Set<String> scopes = new HashSet<>();
scopes.add(AnalyticsScopes.ANALYTICS_READONLY);
final GoogleCredential credential = new GoogleCredential.Builder().setTransport(httpTransport)
.setJsonFactory(jsonFactory)
.setServiceAccountId(googleAnalytics.getServiceAccountId())
.setServiceAccountScopes(scopes)
.setServiceAccountPrivateKey(privateKey)
.build();
HttpRequestInitializer httpRequestInitializer = new HttpRequestInitializer() {
@Override
public void initialize(HttpRequest httpRequest) throws IOException {
credential.initialize(httpRequest);
httpRequest.setConnectTimeout(3 * 60000); // 3 minutes connect timeout
httpRequest.setReadTimeout(3 * 60000); // 3 minutes read timeout
}
};
analytics = new Analytics.Builder(httpTransport, jsonFactory, httpRequestInitializer)
.setApplicationName("WallRide")
.build();
} catch (Exception e) {
logger.warn("Failed to synchronize with Google Analytics", e);
throw new GoogleAnalyticsException(e);
}
return analytics;
}
示例7
private static PrivateKey privateKeyFromPkcs8(String privateKeyPem) throws IOException {
Reader reader = new StringReader(privateKeyPem);
Section section = PemReader.readFirstSectionAndClose(reader, "PRIVATE KEY");
if (section == null) {
throw new IOException("Invalid PKCS8 data.");
}
byte[] bytes = section.getBase64DecodedBytes();
PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(bytes);
try {
KeyFactory keyFactory = SecurityUtils.getRsaKeyFactory();
return keyFactory.generatePrivate(keySpec);
} catch (NoSuchAlgorithmException | InvalidKeySpecException exception) {
throw new IOException("Unexpected exception reading PKCS data", exception);
}
}
示例8
/**
* Forces a refresh of the public certificates downloaded from {@link #getPublicCertsEncodedUrl}.
*
* <p>
* This method is automatically called from {@link #getPublicKeys()} if the public keys have not
* yet been initialized or if the expiration time is very close, so normally this doesn't need to
* be called. Only call this method to explicitly force the public keys to be updated.
* </p>
*/
public GooglePublicKeysManager refresh() throws GeneralSecurityException, IOException {
lock.lock();
try {
publicKeys = new ArrayList<PublicKey>();
// HTTP request to public endpoint
CertificateFactory factory = SecurityUtils.getX509CertificateFactory();
HttpResponse certsResponse = transport.createRequestFactory()
.buildGetRequest(new GenericUrl(publicCertsEncodedUrl)).execute();
expirationTimeMilliseconds =
clock.currentTimeMillis() + getCacheTimeInSec(certsResponse.getHeaders()) * 1000;
// parse each public key in the JSON response
JsonParser parser = jsonFactory.createJsonParser(certsResponse.getContent());
JsonToken currentToken = parser.getCurrentToken();
// token is null at start, so get next token
if (currentToken == null) {
currentToken = parser.nextToken();
}
Preconditions.checkArgument(currentToken == JsonToken.START_OBJECT);
try {
while (parser.nextToken() != JsonToken.END_OBJECT) {
parser.nextToken();
String certValue = parser.getText();
X509Certificate x509Cert = (X509Certificate) factory.generateCertificate(
new ByteArrayInputStream(StringUtils.getBytesUtf8(certValue)));
publicKeys.add(x509Cert.getPublicKey());
}
publicKeys = Collections.unmodifiableList(publicKeys);
} finally {
parser.close();
}
return this;
} finally {
lock.unlock();
}
}
示例9
/**
* Returns the key store for trusted root certificates to use for Google APIs.
*
* <p>Value is cached, so subsequent access is fast.
*
* @since 1.14
*/
public static synchronized KeyStore getCertificateTrustStore()
throws IOException, GeneralSecurityException {
if (certTrustStore == null) {
certTrustStore = SecurityUtils.getJavaKeyStore();
InputStream keyStoreStream = GoogleUtils.class.getResourceAsStream("google.jks");
SecurityUtils.loadKeyStore(certTrustStore, keyStoreStream, "notasecret");
}
return certTrustStore;
}
示例10
public void testComputeSignature() throws GeneralSecurityException {
OAuthRsaSigner signer = new OAuthRsaSigner();
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024);
signer.privateKey = keyPairGenerator.genKeyPair().getPrivate();
byte[] expected = SecurityUtils.sign(
SecurityUtils.getSha1WithRsaSignatureAlgorithm(), signer.privateKey,
StringUtils.getBytesUtf8("foo"));
assertEquals(Base64.encodeBase64String(expected), signer.computeSignature("foo"));
}
示例11
public Certificate getCertfificate() throws IOException, CertificateException {
byte[] bytes = getDer();
ByteArrayInputStream bis = new ByteArrayInputStream(bytes);
return SecurityUtils.getX509CertificateFactory().generateCertificate(bis);
}
示例12
/** Returns a new sample RSA private key that matches {@link #newRsaPublicKey()}. */
public static RSAPrivateKey newRsaPrivateKey() throws GeneralSecurityException {
KeyFactory keyFactory = SecurityUtils.getRsaKeyFactory();
KeySpec keySpec = new PKCS8EncodedKeySpec(ENCODED_PRIVATE_KEY);
return (RSAPrivateKey) keyFactory.generatePrivate(keySpec);
}
示例13
/** Returns a new sample RSA public key that matches {@link #newRsaPrivateKey()}. */
public static RSAPublicKey newRsaPublicKey() throws GeneralSecurityException {
KeyFactory keyFactory = SecurityUtils.getRsaKeyFactory();
KeySpec keySpec = new X509EncodedKeySpec(ENCODED_PUBLIC_KEY);
return (RSAPublicKey) keyFactory.generatePublic(keySpec);
}
示例14
public String computeSignature(String signatureBaseString) throws GeneralSecurityException {
Signature signer = SecurityUtils.getSha1WithRsaSignatureAlgorithm();
byte[] data = StringUtils.getBytesUtf8(signatureBaseString);
return Base64.encodeBase64String(SecurityUtils.sign(signer, privateKey, data));
}
示例15
/**
* Sets the SSL socket factory based on root certificates in a Java KeyStore.
*
* <p>Example usage:
*
* <pre>
* trustCertificatesFromJavaKeyStore(new FileInputStream("certs.jks"), "password");
* </pre>
*
* @param keyStoreStream input stream to the key store (closed at the end of this method in a
* finally block)
* @param storePass password protecting the key store file
* @since 1.14
*/
public Builder trustCertificatesFromJavaKeyStore(InputStream keyStoreStream, String storePass)
throws GeneralSecurityException, IOException {
KeyStore trustStore = SecurityUtils.getJavaKeyStore();
SecurityUtils.loadKeyStore(trustStore, keyStoreStream, storePass);
return trustCertificates(trustStore);
}
示例16
/**
* Sets the SSL socket factory based root certificates generated from the specified stream using
* {@link CertificateFactory#generateCertificates(InputStream)}.
*
* <p>Example usage:
*
* <pre>
* trustCertificatesFromStream(new FileInputStream("certs.pem"));
* </pre>
*
* @param certificateStream certificate stream
* @since 1.14
*/
public Builder trustCertificatesFromStream(InputStream certificateStream)
throws GeneralSecurityException, IOException {
KeyStore trustStore = SecurityUtils.getJavaKeyStore();
trustStore.load(null, null);
SecurityUtils.loadKeyStoreFromCertificates(
trustStore, SecurityUtils.getX509CertificateFactory(), certificateStream);
return trustCertificates(trustStore);
}
示例17
/**
* Sets the SSL socket factory based on root certificates in a Java KeyStore.
*
* <p>Example usage:
*
* <pre>
* trustCertificatesFromJavaKeyStore(new FileInputStream("certs.jks"), "password");
* </pre>
*
* @param keyStoreStream input stream to the key store (closed at the end of this method in a
* finally block)
* @param storePass password protecting the key store file
* @since 1.14
*/
public Builder trustCertificatesFromJavaKeyStore(InputStream keyStoreStream, String storePass)
throws GeneralSecurityException, IOException {
KeyStore trustStore = SecurityUtils.getJavaKeyStore();
SecurityUtils.loadKeyStore(trustStore, keyStoreStream, storePass);
return trustCertificates(trustStore);
}
示例18
/**
* Sets the SSL socket factory based root certificates generated from the specified stream using
* {@link CertificateFactory#generateCertificates(InputStream)}.
*
* <p>Example usage:
*
* <pre>
* trustCertificatesFromStream(new FileInputStream("certs.pem"));
* </pre>
*
* @param certificateStream certificate stream
* @since 1.14
*/
public Builder trustCertificatesFromStream(InputStream certificateStream)
throws GeneralSecurityException, IOException {
KeyStore trustStore = SecurityUtils.getJavaKeyStore();
trustStore.load(null, null);
SecurityUtils.loadKeyStoreFromCertificates(
trustStore, SecurityUtils.getX509CertificateFactory(), certificateStream);
return trustCertificates(trustStore);
}
示例19
/**
* Sets the private key to use with the service account flow or {@code null} for none.
*
* <p>
* Overriding is only supported for the purpose of calling the super implementation and changing
* the return type, but nothing else.
* </p>
*
* @param p12FileInputStream input stream to the p12 file. This file is closed at the end of
* this method in a finally block.
*/
public Builder setServiceAccountPrivateKeyFromP12File(InputStream p12FileInputStream)
throws GeneralSecurityException, IOException {
serviceAccountPrivateKey = SecurityUtils.loadPrivateKeyFromKeyStore(
SecurityUtils.getPkcs12KeyStore(), p12FileInputStream, "notasecret",
"privatekey", "notasecret");
return this;
}
示例20
/**
* {@link Beta} <br/>
* Sets the private key to use with the service account flow or {@code null} for none.
*
* <p>
* Overriding is only supported for the purpose of calling the super implementation and changing
* the return type, but nothing else.
* </p>
*
* @param pemFile input stream to the PEM file (closed at the end of this method in a finally
* block)
* @since 1.13
*/
@Beta
public Builder setServiceAccountPrivateKeyFromPemFile(File pemFile)
throws GeneralSecurityException, IOException {
byte[] bytes = PemReader.readFirstSectionAndClose(new FileReader(pemFile), "PRIVATE KEY")
.getBase64DecodedBytes();
serviceAccountPrivateKey =
SecurityUtils.getRsaKeyFactory().generatePrivate(new PKCS8EncodedKeySpec(bytes));
return this;
}
